hostsharing/hs.hsadmin.ng
6
0
Fork 0
Code Pull Requests 3 Activity

introduce separate database-schemas base+rbac #103

Merged
hsh-michaelhoennig merged 54 commits from introduce-separate-database-schemas-base-and-rbac into master 2024-09-16 15:36:38 +02:00
Conversation 0 Commits 54 Files Changed 287 +26 -26
2 changed files with 26 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 9ad92fdaab - Show all commits

22
sql/rbac-tests.sql
View File

@ -3,28 +3,28 @@
-- -------------------------------------------------------- -- --------------------------------------------------------
select rbac.isGranted(findRoleId('administrators'), findRoleId('test_package#aaa00:OWNER')); select rbac.isGranted(rbac.findRoleId('administrators'), rbac.findRoleId('test.package#aaa00:OWNER'));
select rbac.isGranted(findRoleId('test_package#aaa00:OWNER'), findRoleId('administrators')); select rbac.isGranted(rbac.findRoleId('test.package#aaa00:OWNER'), rbac.findRoleId('administrators'));
-- call rbac.grantRoleToRole(findRoleId('test_package#aaa00:OWNER'), findRoleId('administrators')); -- call rbac.grantRoleToRole(findRoleId('test.package#aaa00:OWNER'), findRoleId('administrators'));
-- call rbac.grantRoleToRole(findRoleId('administrators'), findRoleId('test_package#aaa00:OWNER')); -- call rbac.grantRoleToRole(findRoleId('administrators'), findRoleId('test.package#aaa00:OWNER'));
select count(*) select count(*)
FROM queryAllPermissionsOfSubjectIdForObjectUuids(findRbacSubject('superuser-fran@hostsharing.net'), FROM rbac.queryAllPermissionsOfSubjectIdForObjectUuids(rbac.findRbacSubject('superuser-fran@hostsharing.net'),
ARRAY(select uuid from customer where reference < 1100000)); ARRAY(select uuid from test.customer where reference < 1100000));
select count(*) select count(*)
FROM queryAllPermissionsOfSubjectId(findRbacSubject('superuser-fran@hostsharing.net')); FROM rbac.queryAllPermissionsOfSubjectId(findRbacSubject('superuser-fran@hostsharing.net'));
select * select *
FROM queryAllPermissionsOfSubjectId(findRbacSubject('alex@example.com')); FROM rbac.queryAllPermissionsOfSubjectId(findRbacSubject('alex@example.com'));
select * select *
FROM queryAllPermissionsOfSubjectId(findRbacSubject('rosa@example.com')); FROM rbac.queryAllPermissionsOfSubjectId(findRbacSubject('rosa@example.com'));
select * select *
FROM rbac.queryAllRbacSubjectsWithPermissionsFor(rbac.findEffectivePermissionId('customer', FROM rbac.queryAllRbacSubjectsWithPermissionsFor(rbac.findEffectivePermissionId('customer',
(SELECT uuid FROM RbacObject WHERE objectTable = 'customer' LIMIT 1), (SELECT uuid FROM rbac.RbacObject WHERE objectTable = 'customer' LIMIT 1),
'add-package')); 'add-package'));
select * select *
FROM rbac.queryAllRbacSubjectsWithPermissionsFor(rbac.findEffectivePermissionId('package', FROM rbac.queryAllRbacSubjectsWithPermissionsFor(rbac.findEffectivePermissionId('package',
(SELECT uuid FROM RbacObject WHERE objectTable = 'package' LIMIT 1), (SELECT uuid FROM rbac.RbacObject WHERE objectTable = 'package' LIMIT 1),
'DELETE')); 'DELETE'));
DO LANGUAGE plpgsql DO LANGUAGE plpgsql

30
sql/rbac-view-option-experiments.sql
View File

@ -20,7 +20,7 @@ CREATE POLICY customer_policy ON customer
TO restricted TO restricted
USING ( USING (
-- id=1000 -- id=1000
rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('test_customer', id, 'SELECT'), rbac.currentSubjectUuid()) rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('test.customer', id, 'SELECT'), rbac.currentSubjectUuid())
); );
SET SESSION AUTHORIZATION restricted; SET SESSION AUTHORIZATION restricted;
@ -31,28 +31,28 @@ SELECT * from customer;
SET SESSION SESSION AUTHORIZATION DEFAULT; SET SESSION SESSION AUTHORIZATION DEFAULT;
DROP VIEW cust_view; DROP VIEW cust_view;
CREATE VIEW cust_view AS CREATE VIEW cust_view AS
SELECT * FROM customer; SELECT * FROM test.customer;
CREATE OR REPLACE RULE "_RETURN" AS CREATE OR REPLACE RULE "_RETURN" AS
ON SELECT TO cust_view ON SELECT TO cust_view
DO INSTEAD DO INSTEAD
SELECT * FROM customer WHERE rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('test_customer', id, 'SELECT'), rbac.currentSubjectUuid()); SELECT * FROM test.customer WHERE rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('test.customer', id, 'SELECT'), rbac.currentSubjectUuid());
SELECT * from cust_view LIMIT 10; SELECT * from cust_view LIMIT 10;
select queryAllPermissionsOfSubjectId(findRbacSubject('superuser-alex@hostsharing.net')); select rbac.queryAllPermissionsOfSubjectId(findRbacSubject('superuser-alex@hostsharing.net'));
-- access control via view-rule with join to recursive permissions - really fast (38ms for 1 million rows) -- access control via view-rule with join to recursive permissions - really fast (38ms for 1 million rows)
SET SESSION SESSION AUTHORIZATION DEFAULT; SET SESSION SESSION AUTHORIZATION DEFAULT;
ALTER TABLE customer ENABLE ROW LEVEL SECURITY; ALTER TABLE test.customer ENABLE ROW LEVEL SECURITY;
DROP VIEW IF EXISTS cust_view; DROP VIEW IF EXISTS cust_view;
CREATE OR REPLACE VIEW cust_view AS CREATE OR REPLACE VIEW cust_view AS
SELECT * SELECT *
FROM customer; FROM test.customer;
CREATE OR REPLACE RULE "_RETURN" AS CREATE OR REPLACE RULE "_RETURN" AS
ON SELECT TO cust_view ON SELECT TO cust_view
DO INSTEAD DO INSTEAD
SELECT c.uuid, c.reference, c.prefix FROM customer AS c SELECT c.uuid, c.reference, c.prefix FROM test.customer AS c
JOIN queryAllPermissionsOfSubjectId(rbac.currentSubjectUuid()) AS p JOIN rbac.queryAllPermissionsOfSubjectId(rbac.currentSubjectUuid()) AS p
ON p.objectTable='test_customer' AND p.objectUuid=c.uuid; ON p.objectTable='test.customer' AND p.objectUuid=c.uuid;
GRANT ALL PRIVILEGES ON cust_view TO restricted; GRANT ALL PRIVILEGES ON cust_view TO restricted;
SET SESSION SESSION AUTHORIZATION restricted; SET SESSION SESSION AUTHORIZATION restricted;
@ -77,13 +77,13 @@ SET hsadminng.currentSubject TO 'superuser-alex@hostsharing.net';
-- SET hsadminng.currentSubject TO 'aaaaouq@example.com'; -- SET hsadminng.currentSubject TO 'aaaaouq@example.com';
SELECT * from cust_view where reference=1144150; SELECT * from cust_view where reference=1144150;
select rr.uuid, rr.type from RbacGrants g select rr.uuid, rr.type from rbac.RbacGrants g
join RbacReference RR on g.ascendantUuid = RR.uuid join rbac.RbacReference RR on g.ascendantUuid = RR.uuid
where g.descendantUuid in ( where g.descendantUuid in (
select uuid from queryAllPermissionsOfSubjectId(findRbacSubject('alex@example.com')) select uuid from rbac.queryAllPermissionsOfSubjectId(findRbacSubject('alex@example.com'))
where objectTable='test_customer'); where objectTable='test.customer');
call grantRoleToUser(findRoleId('test_customer#aaa:ADMIN'), findRbacSubject('aaaaouq@example.com')); call rbac.grantRoleToUser(rbac.findRoleId('test.customer#aaa:ADMIN'), rbac.findRbacSubject('aaaaouq@example.com'));
select queryAllPermissionsOfSubjectId(findRbacSubject('aaaaouq@example.com')); select rbac.queryAllPermissionsOfSubjectId(findRbacSubject('aaaaouq@example.com'));