introduce-separate-database-schemas-hs-booking-and-hosting #106
@ -168,45 +168,6 @@ begin
|
||||
return cleanIdentifier;
|
||||
end; $$;
|
||||
|
||||
create or replace function base.findObjectUuidByIdName(objectTable varchar, objectIdName varchar)
|
||||
returns uuid
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
declare
|
||||
sql varchar;
|
||||
uuid uuid;
|
||||
begin
|
||||
objectTable := base.pureIdentifier(objectTable);
|
||||
objectIdName := base.pureIdentifier(objectIdName);
|
||||
sql := format('select * from %sUuidByIdName(%L);', objectTable, objectIdName);
|
||||
begin
|
||||
execute sql into uuid;
|
||||
exception
|
||||
when others then
|
||||
raise exception 'function %UuidByIdName(...) not found, add identity view support for table %', objectTable, objectTable;
|
||||
end;
|
||||
return uuid;
|
||||
end ; $$;
|
||||
|
||||
create or replace function base.findIdNameByObjectUuid(objectTable varchar, objectUuid uuid)
|
||||
returns varchar
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
declare
|
||||
sql varchar;
|
||||
idName varchar;
|
||||
begin
|
||||
objectTable := base.pureIdentifier(objectTable);
|
||||
sql := format('select * from %sIdNameByUuid(%L::uuid);', objectTable, objectUuid);
|
||||
begin
|
||||
execute sql into idName;
|
||||
exception
|
||||
when others then
|
||||
raise exception 'function %IdNameByUuid(...) not found, add identity view support for table %', objectTable, objectTable;
|
||||
end;
|
||||
return idName;
|
||||
end ; $$;
|
||||
|
||||
create or replace function base.currentSubjects()
|
||||
returns varchar(1023)[]
|
||||
stable -- leakproof
|
||||
|
||||
@ -233,6 +233,50 @@ $$;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset michael.hoennig:rbac-base-IDNAME-FUNCTIONS endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
create or replace function rbac.findObjectUuidByIdName(objectTable varchar, objectIdName varchar)
|
||||
returns uuid
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
declare
|
||||
sql varchar;
|
||||
uuid uuid;
|
||||
begin
|
||||
objectTable := base.pureIdentifier(objectTable);
|
||||
objectIdName := base.pureIdentifier(objectIdName);
|
||||
sql := format('select * from %s_uuid_by_id_name(%L);', objectTable, objectIdName);
|
||||
begin
|
||||
execute sql into uuid;
|
||||
exception
|
||||
when others then
|
||||
raise exception 'function %_uuid_by_id_name(...) not found, add identity view support for table %', objectTable, objectTable;
|
||||
end;
|
||||
return uuid;
|
||||
end ; $$;
|
||||
|
||||
create or replace function rbac.findIdNameByObjectUuid(objectTable varchar, objectUuid uuid)
|
||||
returns varchar
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
declare
|
||||
sql varchar;
|
||||
idName varchar;
|
||||
begin
|
||||
objectTable := base.pureIdentifier(objectTable);
|
||||
sql := format('select * from %s_id_name_by_uuid(%L::uuid);', objectTable, objectUuid);
|
||||
begin
|
||||
execute sql into idName;
|
||||
exception
|
||||
when others then
|
||||
raise exception 'function %_id_name_by_uuid(...) not found, add identity view support for table %', objectTable, objectTable;
|
||||
end;
|
||||
return idName;
|
||||
end ; $$;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset michael.hoennig:rbac-base-ROLE-FUNCTIONS endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
@ -262,7 +306,7 @@ begin
|
||||
objectTableFromRoleIdName = split_part(roleParts, '#', 1);
|
||||
objectNameFromRoleIdName = split_part(roleParts, '#', 2);
|
||||
roleTypeFromRoleIdName = split_part(roleParts, '#', 3);
|
||||
objectUuidOfRole = base.findObjectUuidByIdName(objectTableFromRoleIdName, objectNameFromRoleIdName);
|
||||
objectUuidOfRole = rbac.findObjectUuidByIdName(objectTableFromRoleIdName, objectNameFromRoleIdName);
|
||||
|
||||
select uuid
|
||||
from rbac.role
|
||||
|
||||
@ -55,7 +55,7 @@ begin
|
||||
objectNameToAssume = split_part(roleNameParts, '#', 2);
|
||||
roleTypeToAssume = split_part(roleNameParts, '#', 3);
|
||||
|
||||
objectUuidToAssume = base.findObjectUuidByIdName(objectTableToAssume, objectNameToAssume);
|
||||
objectUuidToAssume = rbac.findObjectUuidByIdName(objectTableToAssume, objectNameToAssume);
|
||||
if objectUuidToAssume is null then
|
||||
raise exception '[401] object % cannot be found in table % (from roleNameParts=%)', objectNameToAssume, objectTableToAssume, roleNameParts;
|
||||
end if;
|
||||
|
||||
@ -13,7 +13,7 @@ select (objectTable || '#' || objectIdName || ':' || roleType) as roleIdName, *
|
||||
-- @formatter:off
|
||||
from (
|
||||
select r.*,
|
||||
o.objectTable, base.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
|
||||
o.objectTable, rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
|
||||
from rbac.role as r
|
||||
join rbac.object as o on o.uuid = r.objectuuid
|
||||
) as unordered
|
||||
@ -34,7 +34,7 @@ select *
|
||||
-- @formatter:off
|
||||
from (
|
||||
select r.*, o.objectTable,
|
||||
base.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
|
||||
rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
|
||||
from rbac.role as r
|
||||
join rbac.object as o on o.uuid = r.objectuuid
|
||||
where rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), r.uuid)
|
||||
@ -57,7 +57,7 @@ create or replace view rbac.grants_ev as
|
||||
-- @formatter:off
|
||||
select x.grantUuid as uuid,
|
||||
x.grantedByTriggerOf as grantedByTriggerOf,
|
||||
go.objectTable || '#' || base.findIdNameByObjectUuid(go.objectTable, go.uuid) || ':' || r.roletype as grantedByRoleIdName,
|
||||
go.objectTable || '#' || rbac.findIdNameByObjectUuid(go.objectTable, go.uuid) || ':' || r.roletype as grantedByRoleIdName,
|
||||
x.ascendingIdName as ascendantIdName,
|
||||
x.descendingIdName as descendantIdName,
|
||||
x.grantedByRoleUuid,
|
||||
@ -72,15 +72,15 @@ create or replace view rbac.grants_ev as
|
||||
|
||||
coalesce(
|
||||
'user:' || au.name,
|
||||
'role:' || aro.objectTable || '#' || base.findIdNameByObjectUuid(aro.objectTable, aro.uuid) || ':' || ar.roletype
|
||||
'role:' || aro.objectTable || '#' || rbac.findIdNameByObjectUuid(aro.objectTable, aro.uuid) || ':' || ar.roletype
|
||||
) as ascendingIdName,
|
||||
aro.objectTable, aro.uuid,
|
||||
( case
|
||||
when dro is not null
|
||||
then ('role:' || dro.objectTable || '#' || base.findIdNameByObjectUuid(dro.objectTable, dro.uuid) || ':' || dr.roletype)
|
||||
then ('role:' || dro.objectTable || '#' || rbac.findIdNameByObjectUuid(dro.objectTable, dro.uuid) || ':' || dr.roletype)
|
||||
when dp.op = 'INSERT'
|
||||
then 'perm:' || dpo.objecttable || '#' || base.findIdNameByObjectUuid(dpo.objectTable, dpo.uuid) || ':' || dp.op || '>' || dp.opTableName
|
||||
else 'perm:' || dpo.objecttable || '#' || base.findIdNameByObjectUuid(dpo.objectTable, dpo.uuid) || ':' || dp.op
|
||||
then 'perm:' || dpo.objecttable || '#' || rbac.findIdNameByObjectUuid(dpo.objectTable, dpo.uuid) || ':' || dp.op || '>' || dp.opTableName
|
||||
else 'perm:' || dpo.objecttable || '#' || rbac.findIdNameByObjectUuid(dpo.objectTable, dpo.uuid) || ':' || dp.op
|
||||
end
|
||||
) as descendingIdName,
|
||||
dro.objectTable, dro.uuid,
|
||||
@ -114,14 +114,14 @@ create or replace view rbac.grants_ev as
|
||||
*/
|
||||
create or replace view rbac.grants_rv as
|
||||
-- @formatter:off
|
||||
select o.objectTable || '#' || base.findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
|
||||
select o.objectTable || '#' || rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
|
||||
g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
|
||||
g.grantedByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as subjectUuid,
|
||||
g.objectTable, g.objectUuid, g.objectIdName, g.roleType as grantedRoleType
|
||||
from (
|
||||
select g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid, g.assumed,
|
||||
u.name as userName, o.objecttable, r.objectuuid, r.roletype,
|
||||
base.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
|
||||
rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
|
||||
from rbac.grants as g
|
||||
join rbac.role as r on r.uuid = g.descendantUuid
|
||||
join rbac.object o on o.uuid = r.objectuuid
|
||||
@ -363,10 +363,10 @@ begin
|
||||
xp.permissionObjectTable, xp.permissionObjectIdName, xp.permissionObjectUuid
|
||||
from (select
|
||||
r.uuid as roleUuid, r.roletype, ro.objectTable as roleObjectTable,
|
||||
base.findIdNameByObjectUuid(ro.objectTable, ro.uuid) as roleObjectIdName,
|
||||
rbac.findIdNameByObjectUuid(ro.objectTable, ro.uuid) as roleObjectIdName,
|
||||
p.uuid as permissionUuid, p.op, p.opTableName,
|
||||
po.objecttable as permissionObjectTable,
|
||||
base.findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName,
|
||||
rbac.findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName,
|
||||
po.uuid as permissionObjectUuid
|
||||
from rbac.queryPermissionsGrantedToSubjectId( targetSubjectUuid) as p
|
||||
join rbac.grants as g on g.descendantUuid = p.uuid
|
||||
|
||||
@ -130,7 +130,7 @@ begin
|
||||
|
||||
-- creates a function which maps an idName to the objectUuid
|
||||
sql = format($sql$
|
||||
create or replace function %1$sUuidByIdName(givenIdName varchar)
|
||||
create or replace function %1$s_uuid_by_id_name(givenIdName varchar)
|
||||
returns uuid
|
||||
language plpgsql as $f$
|
||||
declare
|
||||
@ -144,7 +144,7 @@ begin
|
||||
|
||||
-- creates a function which maps an objectUuid to the related idName
|
||||
sql = format($sql$
|
||||
create or replace function %1$sIdNameByUuid(givenUuid uuid)
|
||||
create or replace function %1$s_id_name_by_uuid(givenUuid uuid)
|
||||
returns varchar
|
||||
language sql
|
||||
strict as $f$
|
||||
|
||||
@ -66,21 +66,21 @@ grant all privileges on rbac.global_iv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNA
|
||||
/*
|
||||
Returns the objectUuid for a given identifying name (in this case the idName).
|
||||
*/
|
||||
create or replace function rbac.globalUuidByIdName(idName varchar)
|
||||
create or replace function rbac.global_uuid_by_id_name(idName varchar)
|
||||
returns uuid
|
||||
language sql
|
||||
strict as $$
|
||||
select uuid from rbac.global_iv iv where iv.idName = globalUuidByIdName.idName;
|
||||
select uuid from rbac.global_iv iv where iv.idName = global_uuid_by_id_name.idName;
|
||||
$$;
|
||||
|
||||
/*
|
||||
Returns the identifying name for a given objectUuid (in this case the idName).
|
||||
*/
|
||||
create or replace function rbac.globalIdNameByUuid(uuid uuid)
|
||||
create or replace function rbac.global_id_name_by_uuid(uuid uuid)
|
||||
returns varchar
|
||||
language sql
|
||||
strict as $$
|
||||
select idName from rbac.global_iv iv where iv.uuid = globalIdNameByUuid.uuid;
|
||||
select idName from rbac.global_iv iv where iv.uuid = global_id_name_by_uuid.uuid;
|
||||
$$;
|
||||
--//
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user