introduce separate database-schemas base+rbac #103

Merged
hsh-michaelhoennig merged 54 commits from introduce-separate-database-schemas-base-and-rbac into master 2024-09-16 15:36:38 +02:00
5 changed files with 15 additions and 15 deletions
Showing only changes of commit d5b708933c - Show all commits

View File

@ -110,7 +110,7 @@ end; $$;
/* /*
Returns the current user as defined by `basis.defineContext(...)`. Returns the current user as defined by `basis.defineContext(...)`.
*/ */
create or replace function currentUser() create or replace function basis.currentUser()
returns varchar(63) returns varchar(63)
stable -- leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
@ -134,7 +134,7 @@ end; $$;
Returns assumed role names as set in `hsadminng.assumedRoles` Returns assumed role names as set in `hsadminng.assumedRoles`
or empty array, if not set. or empty array, if not set.
*/ */
create or replace function assumedRoles() create or replace function basis.assumedRoles()
returns varchar(1023)[] returns varchar(1023)[]
stable -- leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
@ -213,11 +213,11 @@ create or replace function currentSubjects()
declare declare
assumedRoles varchar(1023)[]; assumedRoles varchar(1023)[];
begin begin
assumedRoles := assumedRoles(); assumedRoles := basis.assumedRoles();
if array_length(assumedRoles, 1) > 0 then if array_length(assumedRoles, 1) > 0 then
return assumedRoles; return assumedRoles;
else else
return array [currentUser()]::varchar(1023)[]; return array [basis.currentUser()]::varchar(1023)[];
end if; end if;
end; $$; end; $$;
@ -226,7 +226,7 @@ create or replace function hasAssumedRole()
stable -- leakproof stable -- leakproof
language plpgsql as $$ language plpgsql as $$
begin begin
return array_length(assumedRoles(), 1) > 0; return array_length(basis.assumedRoles(), 1) > 0;
end; $$; end; $$;
--// --//

View File

@ -84,7 +84,7 @@ begin
insert insert
into basis.tx_context (txId, txTimestamp, currentUser, assumedRoles, currentTask, currentRequest) into basis.tx_context (txId, txTimestamp, currentUser, assumedRoles, currentTask, currentRequest)
values ( curTxId, now(), values ( curTxId, now(),
currentUser(), assumedRoles(), curTask, basis.currentRequest()) basis.currentUser(), basis.assumedRoles(), curTask, basis.currentRequest())
on conflict do nothing; on conflict do nothing;
case tg_op case tg_op

View File

@ -12,8 +12,8 @@ declare
currentSubjectsUuids uuid[]; currentSubjectsUuids uuid[];
begin begin
-- exactly one role must be assumed, not none not more than one -- exactly one role must be assumed, not none not more than one
if cardinality(assumedRoles()) <> 1 then if cardinality(basis.assumedRoles()) <> 1 then
raise exception '[400] Granting roles to user is only possible if exactly one role is assumed, given: %', assumedRoles(); raise exception '[400] Granting roles to user is only possible if exactly one role is assumed, given: %', basis.assumedRoles();
end if; end if;
currentSubjectsUuids := currentSubjectsUuids(); currentSubjectsUuids := currentSubjectsUuids();

View File

@ -66,10 +66,10 @@ begin
and r.roleType = roleTypeToAssume and r.roleType = roleTypeToAssume
into roleUuidToAssume; into roleUuidToAssume;
if roleUuidToAssume is null then if roleUuidToAssume is null then
raise exception '[403] role % does not exist or is not accessible for user %', roleName, currentUser(); raise exception '[403] role % does not exist or is not accessible for user %', roleName, basis.currentUser();
end if; end if;
if not isGranted(currentUserUuid, roleUuidToAssume) then if not isGranted(currentUserUuid, roleUuidToAssume) then
raise exception '[403] user % has no permission to assume role %', currentUser(), roleName; raise exception '[403] user % has no permission to assume role %', basis.currentUser(), roleName;
end if; end if;
roleIdsToAssume := roleIdsToAssume || roleUuidToAssume; roleIdsToAssume := roleIdsToAssume || roleUuidToAssume;
end loop; end loop;
@ -132,7 +132,7 @@ begin
currentUserUuid := null; currentUserUuid := null;
end; end;
if (currentUserUuid is null or currentUserUuid = '') then if (currentUserUuid is null or currentUserUuid = '') then
currentUserName := currentUser(); currentUserName := basis.currentUser();
if (length(currentUserName) > 0) then if (length(currentUserName) > 0) then
raise exception '[401] currentUserUuid cannot be determined, unknown user name "%"', currentUserName; raise exception '[401] currentUserUuid cannot be determined, unknown user name "%"', currentUserName;
else else
@ -166,7 +166,7 @@ begin
currentSubjectsUuids := null; currentSubjectsUuids := null;
end; end;
if (currentSubjectsUuids is null or length(currentSubjectsUuids) = 0 ) then if (currentSubjectsUuids is null or length(currentSubjectsUuids) = 0 ) then
currentUserName := currentUser(); currentUserName := basis.currentUser();
if (length(currentUserName) > 0) then if (length(currentUserName) > 0) then
raise exception '[401] currentSubjectsUuids (%) cannot be determined, unknown user name "%"', currentSubjectsUuids, currentUserName; raise exception '[401] currentSubjectsUuids (%) cannot be determined, unknown user name "%"', currentSubjectsUuids, currentUserName;
else else

View File

@ -241,7 +241,7 @@ create or replace view RbacUser_rv as
union union
select users.* select users.*
from RbacUser as users from RbacUser as users
where cardinality(assumedRoles()) = 0 and where cardinality(basis.assumedRoles()) = 0 and
(currentUserUuid() = users.uuid or hasGlobalRoleGranted(currentUserUuid())) (currentUserUuid() = users.uuid or hasGlobalRoleGranted(currentUserUuid()))
) as unordered ) as unordered
@ -303,7 +303,7 @@ begin
delete from RbacUser where uuid = old.uuid; delete from RbacUser where uuid = old.uuid;
return old; return old;
end if; end if;
raise exception '[403] User % not allowed to delete user uuid %', currentUser(), old.uuid; raise exception '[403] User % not allowed to delete user uuid %', basis.currentUser(), old.uuid;
end; $$; end; $$;
/* /*
@ -354,7 +354,7 @@ begin
currentUserUuid := currentUserUuid(); currentUserUuid := currentUserUuid();
if hasGlobalRoleGranted(targetUserUuid) and not hasGlobalRoleGranted(currentUserUuid) then if hasGlobalRoleGranted(targetUserUuid) and not hasGlobalRoleGranted(currentUserUuid) then
raise exception '[403] permissions of user "%" are not accessible to user "%"', targetUserUuid, currentUser(); raise exception '[403] permissions of user "%" are not accessible to user "%"', targetUserUuid, basis.currentUser();
end if; end if;
return query select return query select