introduce separate database-schemas base+rbac #103

Merged
hsh-michaelhoennig merged 54 commits from introduce-separate-database-schemas-base-and-rbac into master 2024-09-16 15:36:38 +02:00
16 changed files with 31 additions and 31 deletions
Showing only changes of commit 6465a2457c - Show all commits


@ -364,7 +364,7 @@ class RolesGrantsAndPermissionsGenerator {
System.out.println("null"); System.out.println("null");
} }
if (roleDef.getEntityAlias().isGlobal()) { if (roleDef.getEntityAlias().isGlobal()) {
return "globalAdmin()"; return "rbac.globalAdmin()";
} }
final String entityRefVar = entityRefVar(rootRefVar, roleDef.getEntityAlias()); final String entityRefVar = entityRefVar(rootRefVar, roleDef.getEntityAlias());
return roleDef.getEntityAlias().simpleName() + capitalize(roleDef.getRole().name()) return roleDef.getEntityAlias().simpleName() + capitalize(roleDef.getRole().name())


@ -30,7 +30,7 @@ create or replace function rbac.isGlobalAdmin()
returns boolean returns boolean
language plpgsql as $$ language plpgsql as $$
begin begin
return isGranted(rbac.currentSubjectOrAssumedRolesUuids(), rbac.findRoleId(globalAdmin())); return isGranted(rbac.currentSubjectOrAssumedRolesUuids(), rbac.findRoleId(rbac.globalAdmin()));
end; $$; end; $$;
--// --//
@ -109,7 +109,7 @@ commit;
/* /*
A rbac.Global administrator role. A rbac.Global administrator role.
*/ */
create or replace function globalAdmin(assumed boolean = true) create or replace function rbac.globalAdmin(assumed boolean = true)
returns rbac.RoleDescriptor returns rbac.RoleDescriptor
returns null on null input returns null on null input
stable -- leakproof stable -- leakproof
@ -119,7 +119,7 @@ $$;
begin transaction; begin transaction;
call base.defineContext('creating role:rbac.global#global:ADMIN', null, null, null); call base.defineContext('creating role:rbac.global#global:ADMIN', null, null, null);
select rbac.createRole(globalAdmin()); select rbac.createRole(rbac.globalAdmin());
commit; commit;
--// --//
@ -130,7 +130,7 @@ commit;
/* /*
A rbac.Global guest role. A rbac.Global guest role.
*/ */
create or replace function globalGuest(assumed boolean = true) create or replace function rbac.globalglobalGuest(assumed boolean = true)
returns rbac.RoleDescriptor returns rbac.RoleDescriptor
returns null on null input returns null on null input
stable -- leakproof stable -- leakproof
@ -140,7 +140,7 @@ $$;
begin transaction; begin transaction;
call base.defineContext('creating role:rbac.global#global:guest', null, null, null); call base.defineContext('creating role:rbac.global#global:guest', null, null, null);
select rbac.createRole(globalGuest()); select rbac.createRole(rbac.globalglobalGuest());
commit; commit;
--// --//
@ -157,7 +157,7 @@ do language plpgsql $$
begin begin
call base.defineContext('creating fake test-realm admin users', null, null, null); call base.defineContext('creating fake test-realm admin users', null, null, null);
admins = rbac.findRoleId(globalAdmin()); admins = rbac.findRoleId(rbac.globalAdmin());
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-alex@hostsharing.net')); call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-alex@hostsharing.net'));
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-fran@hostsharing.net')); call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-fran@hostsharing.net'));
perform rbac.create_subject('selfregistered-user-drew@hostsharing.org'); perform rbac.create_subject('selfregistered-user-drew@hostsharing.org');
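Review bot: The renamed definition in the hunk at `@ -130` reads `create or replace function rbac.globalglobalGuest(assumed boolean = true)` — the doubled `global` looks like a search-and-replace artefact, and because the caller in the hunk at `@ -140` was updated to the same misspelling (`select rbac.createRole(rbac.globalglobalGuest());`) the script still runs, so nothing in this commit catches it, while any reference to `globalGuest()` not shown here would no longer resolve. The intended lines are presumably `create or replace function rbac.globalGuest(assumed boolean = true)` and `select rbac.createRole(rbac.globalGuest());`. Separately, the hunk at `@ -30` leaves `isGranted(...)` unqualified inside `rbac.isGlobalAdmin()` while every surrounding call is `rbac.`-prefixed; if that function has also moved into the `rbac` schema, qualifying it keeps an authorization check from depending on the caller's `search_path`.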


@ -37,7 +37,7 @@ begin
perform rbac.defineRoleWithGrants( perform rbac.defineRoleWithGrants(
testCustomerOWNER(NEW), testCustomerOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN(rbac.unassumed())], incomingSuperRoles => array[rbac.globalADMIN(rbac.unassumed())],
subjectUuids => array[rbac.currentSubjectUuid()] subjectUuids => array[rbac.currentSubjectUuid()]
); );
@ -96,7 +96,7 @@ do language plpgsql $$
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'test_customer'), rbac.createPermission(row.uuid, 'INSERT', 'test_customer'),
globalADMIN()); rbac.globalAdmin());
Review

globalAdmin statt globalADMIN?

globalAdmin statt globalADMIN?

ist nicht case-sensitiv, und da der Teil 'ADMIN' sich auf den Enum-Wert ADMIN von rbac.RoleType bezieht, ist sogar globalADMIN() passender - PostgreSQL speichert es als "globaladmin", da geht also die Groß-/Kleinschreibung ganz verloren, ich lasse das erst einmal so, vor allem weil ich sonst massig Merge-Probleme mit dem nächsten Branch habe

ist nicht case-sensitiv, und da der Teil 'ADMIN' sich auf den Enum-Wert ADMIN von rbac.RoleType bezieht, ist sogar globalADMIN() passender - PostgreSQL speichert es als "globaladmin", da geht also die Groß-/Kleinschreibung ganz verloren, ich lasse das erst einmal so, vor allem weil ich sonst massig Merge-Probleme mit dem nächsten Branch habe
END LOOP; END LOOP;
end; end;
$$; $$;
@ -112,7 +112,7 @@ begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'), rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'),
globalADMIN()); rbac.globalAdmin());
-- end. -- end.
return NEW; return NEW;
end; $$; end; $$;
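Review bot: In the hunks at `@ -96` and `@ -112`, `call grantPermissionToRole(` stays unqualified while its argument `rbac.createPermission(...)` and the newly prefixed `rbac.globalAdmin()` are schema-qualified; the same mix appears in the hs_office_partner, hs_office_partner_details, hs_office_debitor, hs_office_membership and hs_booking_item sections below. If `grantPermissionToRole` has also been moved into the `rbac` schema on this branch, these calls now resolve only through `search_path`, and since they run inside trigger functions that hand out INSERT permissions, resolution should not depend on session state — `call rbac.grantPermissionToRole(` would pin it. If it deliberately stays where it is, a one-line comment such as `-- grantPermissionToRole intentionally left unqualified` at the first call site would spare the next reader the same question.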


@ -37,7 +37,7 @@ begin
perform rbac.defineRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficeContactOWNER(NEW), hsOfficeContactOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()], incomingSuperRoles => array[rbac.globalAdmin()],
subjectUuids => array[rbac.currentSubjectUuid()] subjectUuids => array[rbac.currentSubjectUuid()]
); );


@ -37,7 +37,7 @@ begin
perform rbac.defineRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficePersonOWNER(NEW), hsOfficePersonOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()], incomingSuperRoles => array[rbac.globalAdmin()],
subjectUuids => array[rbac.currentSubjectUuid()] subjectUuids => array[rbac.currentSubjectUuid()]
); );


@ -50,7 +50,7 @@ begin
perform rbac.defineRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficeRelationOWNER(NEW), hsOfficeRelationOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()], incomingSuperRoles => array[rbac.globalAdmin()],
subjectUuids => array[rbac.currentSubjectUuid()] subjectUuids => array[rbac.currentSubjectUuid()]
); );


@ -173,7 +173,7 @@ do language plpgsql $$
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
globalADMIN()); rbac.globalAdmin());
END LOOP; END LOOP;
end; end;
$$; $$;
@ -189,7 +189,7 @@ begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
globalADMIN()); rbac.globalAdmin());
-- end. -- end.
return NEW; return NEW;
end; $$; end; $$;


@ -77,7 +77,7 @@ begin
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
globalADMIN()); rbac.globalAdmin());
END LOOP; END LOOP;
end; end;
$$; $$;
@ -93,7 +93,7 @@ begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
globalADMIN()); rbac.globalAdmin());
-- end. -- end.
return NEW; return NEW;
end; $$; end; $$;


@ -37,7 +37,7 @@ begin
perform rbac.defineRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficeBankAccountOWNER(NEW), hsOfficeBankAccountOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()], incomingSuperRoles => array[rbac.globalAdmin()],
subjectUuids => array[rbac.currentSubjectUuid()] subjectUuids => array[rbac.currentSubjectUuid()]
); );


@ -146,7 +146,7 @@ do language plpgsql $$
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_debitor'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
globalADMIN()); rbac.globalAdmin());
END LOOP; END LOOP;
end; end;
$$; $$;
@ -162,7 +162,7 @@ begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
globalADMIN()); rbac.globalAdmin());
-- end. -- end.
return NEW; return NEW;
end; $$; end; $$;


@ -50,7 +50,7 @@ begin
perform rbac.defineRoleWithGrants( perform rbac.defineRoleWithGrants(
hsOfficeSepaMandateOWNER(NEW), hsOfficeSepaMandateOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()], incomingSuperRoles => array[rbac.globalAdmin()],
subjectUuids => array[rbac.currentSubjectUuid()] subjectUuids => array[rbac.currentSubjectUuid()]
); );


@ -108,7 +108,7 @@ do language plpgsql $$
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_membership'), rbac.createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
globalADMIN()); rbac.globalAdmin());
END LOOP; END LOOP;
end; end;
$$; $$;
@ -124,7 +124,7 @@ begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
globalADMIN()); rbac.globalAdmin());
-- end. -- end.
return NEW; return NEW;
end; $$; end; $$;


@ -70,7 +70,7 @@ begin
outgoingSubRoles => array[hsOfficeRelationTENANT(newDebitorRel)] outgoingSubRoles => array[hsOfficeRelationTENANT(newDebitorRel)]
); );
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin()); call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
call rbac.leaveTriggerForObjectUuid(NEW.uuid); call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$; end; $$;


@ -69,7 +69,7 @@ begin
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin()); call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
call rbac.leaveTriggerForObjectUuid(NEW.uuid); call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$; end; $$;
@ -114,7 +114,7 @@ do language plpgsql $$
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
globalADMIN()); rbac.globalAdmin());
END LOOP; END LOOP;
end; end;
$$; $$;
@ -130,7 +130,7 @@ begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
globalADMIN()); rbac.globalAdmin());
-- end. -- end.
return NEW; return NEW;
end; $$; end; $$;


@ -69,7 +69,7 @@ begin
call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), globalAdmin()); call grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), rbac.globalAdmin());
call rbac.leaveTriggerForObjectUuid(NEW.uuid); call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$; end; $$;
@ -114,7 +114,7 @@ do language plpgsql $$
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(row.uuid, 'INSERT', 'hs_booking_item'),
globalADMIN()); rbac.globalAdmin());
END LOOP; END LOOP;
end; end;
$$; $$;
@ -130,7 +130,7 @@ begin
-- unconditional for all rows in that table -- unconditional for all rows in that table
call grantPermissionToRole( call grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'), rbac.createPermission(NEW.uuid, 'INSERT', 'hs_booking_item'),
globalADMIN()); rbac.globalAdmin());
-- end. -- end.
return NEW; return NEW;
end; $$; end; $$;


@ -50,7 +50,7 @@ begin
hsHostingAssetOWNER(NEW), hsHostingAssetOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[ incomingSuperRoles => array[
globalADMIN(rbac.unassumed()), rbac.globalADMIN(rbac.unassumed()),
hsBookingItemADMIN(newBookingItem), hsBookingItemADMIN(newBookingItem),
hsHostingAssetADMIN(newParentAsset)], hsHostingAssetADMIN(newParentAsset)],
subjectUuids => array[rbac.currentSubjectUuid()] subjectUuids => array[rbac.currentSubjectUuid()]