diff --git a/src/main/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRbacEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRbacEntity.java
index a257dc7d..628d10b2 100644
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRbacEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRbacEntity.java
@@ -1,7 +1,6 @@
 package net.hostsharing.hsadminng.hs.office.person;
 import lombok.*;
-import lombok.experimental.FieldNameConstants;
 import lombok.experimental.SuperBuilder;
 import net.hostsharing.hsadminng.errors.DisplayAs;
 import net.hostsharing.hsadminng.rbac.generator.RbacSpec;
@@ -22,7 +21,6 @@ import static net.hostsharing.hsadminng.rbac.generator.RbacSpec.rbacViewFor;
 @Setter
 @NoArgsConstructor
 @SuperBuilder(toBuilder = true)
-@FieldNameConstants
 @DisplayAs("RbacPerson")
 public class HsOfficePersonRbacEntity extends HsOfficePerson {
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/generator/RbacRbacSystemRebuildGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/generator/RbacRbacSystemRebuildGenerator.java
index 945cb6c5..9b348341 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/generator/RbacRbacSystemRebuildGenerator.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/generator/RbacRbacSystemRebuildGenerator.java
@@ -54,18 +54,18 @@ class RbacRbacSystemRebuildGenerator {
 grantsAfter numeric;
 grantsBefore numeric;
 BEGIN
- SELECT count(*) INTO grantsBefore FROM rbac.grants;
+ SELECT count(*) INTO grantsBefore FROM rbac.grant;
 FOR row IN SELECT * FROM ${rawTableName} LOOP
 -- first delete all generated grants for this row from the previously defined RBAC system
- DELETE FROM rbac.grants g
+ DELETE FROM rbac.grant g
 WHERE g.grantedbytriggerof = row.uuid;
 -- then build the grants according to the currently defined RBAC rules
 CALL ${rawTableName}_build_rbac_system(row);
 END LOOP;
- select count(*) into grantsAfter from rbac.grants;
+ select count(*) into grantsAfter from rbac.grant;
 -- print how the total count of grants has changed
 raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/generator/RolesGrantsAndPermissionsGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/generator/RolesGrantsAndPermissionsGenerator.java
index 67adbe72..d06681e7 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/generator/RolesGrantsAndPermissionsGenerator.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/generator/RolesGrantsAndPermissionsGenerator.java
@@ -112,7 +112,7 @@ class RolesGrantsAndPermissionsGenerator {
 begin
 if ${updateConditions} then
- delete from rbac.grants g where g.grantedbytriggerof = OLD.uuid;
+ delete from rbac.grant g where g.grantedbytriggerof = OLD.uuid;
 call ${rawTableQualifiedName}_build_rbac_system(NEW);
 end if;
 end; $$;
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/grant/RawRbacGrantEntity.java b/src/main/java/net/hostsharing/hsadminng/rbac/grant/RawRbacGrantEntity.java
index f166bbe0..683bfcf1 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/grant/RawRbacGrantEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/grant/RawRbacGrantEntity.java
@@ -12,7 +12,7 @@ import java.util.List;
 import java.util.UUID;
 @Entity
-@Table(schema = "rbac", name = "grants_ev")
+@Table(schema = "rbac", name = "grant_ev")
 @Getter
 @Setter
 @Builder
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/grant/RbacGrantEntity.java b/src/main/java/net/hostsharing/hsadminng/rbac/grant/RbacGrantEntity.java
index 68152e59..1fa52683 100644
--- a/src/main/java/net/hostsharing/hsadminng/rbac/grant/RbacGrantEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/grant/RbacGrantEntity.java
@@ -8,7 +8,7 @@ import jakarta.persistence.*;
 import java.util.UUID;
 @Entity
-@Table(schema = "rbac", name = "grants_rv")
+@Table(schema = "rbac", name = "grant_rv")
 @IdClass(RbacGrantId.class)
 @Getter
 @Setter
diff --git a/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql b/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql
index e9ae48c4..d2a5c7cb 100644
--- a/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql
+++ b/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql
@@ -360,7 +360,7 @@ create or replace function rbac.delete_grants_of_role_tf()
 strict as $$
 begin
 if TG_OP = 'DELETE' then
- delete from rbac.grants g where old.uuid in (g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid);
+ delete from rbac.grant g where old.uuid in (g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid);
 else
 raise exception 'invalid usage of TRIGGER BEFORE DELETE';
 end if;
@@ -541,7 +541,7 @@ $$;
 /* Table to store grants / role- or permission assignments to subjects or roles. */
-create table rbac.grants
+create table rbac.grant
 (
 uuid uuid primary key default uuid_generate_v4(),
 grantedByTriggerOf uuid references rbac.object (uuid) on delete cascade initially deferred ,
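Review bot: The new relation name in `create table rbac.grant` is a reserved word in PostgreSQL; it parses only because every reference in these hunks is schema-qualified (any keyword is accepted after the dot), so an unqualified `grant`, a bare alias, or a search_path-relative reference will be a syntax error, and the hunks already have to quote the alias as `"grant"`. Dynamic SQL that splits the qualified name and re-emits the relation part without `quote_ident()`/`%I`, and any ORM mapping of the base table itself, run into the same trap. Worth a comment right at the definition, e.g. `-- NOTE: 'grant' is a reserved word in PostgreSQL: always reference this table schema-qualified (rbac.grant) and quote it in dynamic SQL.` The column list continues in the next hunk.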
@@ -551,21 +551,21 @@ create table rbac.grants
 assumed boolean not null default true, -- auto assumed (true) vs. needs assumeRoles (false)
 unique (ascendantUuid, descendantUuid),
 constraint rbacGrant_createdBy check ( grantedByRoleUuid is null or grantedByTriggerOf is null)
 );
-create index on rbac.grants (ascendantUuid);
-create index on rbac.grants (descendantUuid);
+create index on rbac.grant (ascendantUuid);
+create index on rbac.grant (descendantUuid);
-call base.create_journal('rbac.grants');
+call base.create_journal('rbac.grant');
 create or replace function rbac.findGrantees(grantedId uuid)
 returns setof rbac.reference
 returns null on null input
 language sql as $$
 with recursive grants as (
 select descendantUuid, ascendantUuid
- from rbac.grants
+ from rbac.grant
 where descendantUuid = grantedId
 union all
 select g.descendantUuid, g.ascendantUuid
- from rbac.grants g
+ from rbac.grant g
 inner join grants on grants.ascendantUuid = g.descendantUuid
 )
 select ref.*
@@ -579,11 +579,11 @@ create or replace function rbac.isGranted(granteeIds uuid[], grantedId uuid)
 language sql as $$
 with recursive grants as (
 select descendantUuid, ascendantUuid
- from rbac.grants
+ from rbac.grant
 where descendantUuid = grantedId
 union all
 select "grant".descendantUuid, "grant".ascendantUuid
- from rbac.grants "grant"
+ from rbac.grant "grant"
 inner join grants recur on recur.ascendantUuid = "grant".descendantUuid
 )
 select exists (
@@ -605,11 +605,11 @@ create or replace function rbac.isPermissionGrantedToSubject(permissionId uuid,
 language sql as $$
 with recursive grants as (
 select descendantUuid, ascendantUuid
- from rbac.grants
+ from rbac.grant
 where descendantUuid = permissionId
 union all
 select g.descendantUuid, g.ascendantUuid
- from rbac.grants g
+ from rbac.grant g
 inner join grants on grants.ascendantUuid = g.descendantUuid
 )
 select exists(
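Review bot: `call base.create_journal('rbac.grant')` now hands the helper a name whose relation part is a reserved word; `create_journal` is outside this diff, so if it splits the string and interpolates the bare `grant` into its trigger/table DDL without `quote_ident()` the migration will fail at that point — worth confirming with a migration run against a fresh database. Separately, the rename is done by editing the already-existing changelog 1050-rbac-base.sql in place rather than adding a new changeset with `alter table rbac.grants rename to grant;`, so on any database where the original changeset has already run Liquibase will reject the changed checksum and the existing `rbac.grants` table is never renamed; that is acceptable only if every environment is rebuilt from scratch. The body of `rbac.findGrantees` continues outside the hunk.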
@@ -637,7 +637,7 @@ create or replace function rbac.hasGlobalRoleGranted(forAscendantUuid uuid)
 language sql as $$
 select exists(
 select r.uuid
- from rbac.grants as g
+ from rbac.grant as g
 join rbac.role as r on r.uuid = g.descendantuuid
 join rbac.object as o on o.uuid = r.objectuuid
 where g.ascendantuuid = forAscendantUuid
@@ -652,7 +652,7 @@ begin
 perform rbac.assertReferenceType('permissionId (descendant)', permissionUuid, 'rbac.permission');
 insert
- into rbac.grants (grantedByTriggerOf, ascendantUuid, descendantUuid, assumed)
+ into rbac.grant (grantedByTriggerOf, ascendantUuid, descendantUuid, assumed)
 values (rbac.currentTriggerObjectUuid(), roleUuid, permissionUuid, true)
 on conflict do nothing; -- allow granting multiple times
 end;
@@ -676,7 +676,7 @@ begin
 end if;
 insert
- into rbac.grants (grantedByTriggerOf, ascendantuuid, descendantUuid, assumed)
+ into rbac.grant (grantedByTriggerOf, ascendantuuid, descendantUuid, assumed)
 values (rbac.currentTriggerObjectUuid(), superRoleId, subRoleId, doAssume)
 on conflict do nothing; -- allow granting multiple times
 end; $$;
@@ -704,7 +704,7 @@ begin
 end if;
 insert
- into rbac.grants (grantedByTriggerOf, ascendantuuid, descendantUuid, assumed)
+ into rbac.grant (grantedByTriggerOf, ascendantuuid, descendantUuid, assumed)
 values (rbac.currentTriggerObjectUuid(), superRoleId, subRoleId, doAssume)
 on conflict do nothing; -- allow granting multiple times
 end; $$;
@@ -722,7 +722,7 @@ begin
 perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role');
 if (rbac.isGranted(superRoleId, subRoleId)) then
- delete from rbac.grants where ascendantUuid = superRoleId and descendantUuid = subRoleId;
+ delete from rbac.grant where ascendantUuid = superRoleId and descendantUuid = subRoleId;
 else
 raise exception 'cannot revoke role % (%) from % (%) because it is not granted', subRole, subRoleId, superRole, superRoleId;
@@ -743,10 +743,10 @@ begin
 perform rbac.assertReferenceType('permission (descendant)', permissionId, 'rbac.permission');
 if (rbac.isGranted(superRoleId, permissionId)) then
- delete from rbac.grants where ascendantUuid = superRoleId and descendantUuid = permissionId;
+ delete from rbac.grant where ascendantUuid = superRoleId and descendantUuid = permissionId;
 else
 select p.op, o.objectTable, o.uuid
- from rbac.grants g
+ from rbac.grant g
 join rbac.permission p on p.uuid=g.descendantUuid
 join rbac.object o on o.uuid=p.objectUuid
 where g.uuid=permissionId
@@ -777,12 +777,12 @@ begin
 return query
 WITH RECURSIVE grants AS (
 SELECT descendantUuid, ascendantUuid, 1 AS level
- FROM rbac.grants
+ FROM rbac.grant
 WHERE assumed
 AND ascendantUuid = any(subjectIds)
 UNION ALL
 SELECT g.descendantUuid, g.ascendantUuid, grants.level + 1 AS level
- FROM rbac.grants g
+ FROM rbac.grant g
 INNER JOIN grants ON grants.descendantUuid = g.ascendantUuid
 WHERE g.assumed
 ),
@@ -821,11 +821,11 @@ create or replace function rbac.queryPermissionsGrantedToSubjectId(subjectId uui
 language sql as $$
 with recursive grants as (
 select descendantUuid, ascendantUuid
- from rbac.grants
+ from rbac.grant
 where ascendantUuid = subjectId
 union all
 select g.descendantUuid, g.ascendantUuid
- from rbac.grants g
+ from rbac.grant g
 inner join grants on grants.descendantUuid = g.ascendantUuid
 )
 select perm.*
@@ -855,11 +855,11 @@ select *
 -- @formatter:off
 with recursive grants as (
 select descendantUuid, ascendantUuid
- from rbac.grants
+ from rbac.grant
 where descendantUuid = objectId
 union all
 select "grant".descendantUuid, "grant".ascendantUuid
- from rbac.grants "grant"
+ from rbac.grant "grant"
 inner join grants recur on recur.ascendantUuid = "grant".descendantUuid
 )
 -- @formatter:on
diff --git a/src/main/resources/db/changelog/1-rbac/1051-rbac-subject-grant.sql b/src/main/resources/db/changelog/1-rbac/1051-rbac-subject-grant.sql
index 99c76ccc..b2877348 100644
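Review bot: In the `else` branch of the revoke-permission procedure the diagnostic query filters on `where g.uuid=permissionId`, i.e. the grant row's own primary key against a value the procedure has just asserted to be an `rbac.permission` reference; that comparison can hardly ever be true, so the select feeding the error details (the rest of the branch is outside the hunk) will presumably come back empty and the exception carries null details. The commit only renames the `from rbac.grant g` source, but since the statement is being touched this is the moment to fix the filter, e.g. `where p.uuid=permissionId` (joining `rbac.permission` directly makes the grant join unnecessary in this branch). The procedure body continues outside the hunk.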
--- a/src/main/resources/db/changelog/1-rbac/1051-rbac-subject-grant.sql
+++ b/src/main/resources/db/changelog/1-rbac/1051-rbac-subject-grant.sql
@@ -28,7 +28,7 @@ begin
 perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject');
 insert
- into rbac.grants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
+ into rbac.grant (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
 values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume)
 -- TODO: check if grantedByRoleUuid+doAssume are the same, otherwise raise exception?
 on conflict do nothing; -- allow granting multiple times
@@ -61,7 +61,7 @@ begin
 end if;
 insert
- into rbac.grants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
+ into rbac.grant (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
 values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume);
 -- TODO.impl: What should happen on multiple grants? What if options (doAssume) are not the same?
 -- Most powerful or latest grant wins? What about managed?
@@ -104,8 +104,8 @@ create or replace procedure rbac.revokeRoleFromSubject(grantedByRoleUuid uuid, g
 begin
 call rbac.checkRevokeRoleFromSubjectPreconditions(grantedByRoleUuid, grantedRoleUuid, subjectUuid);
- raise INFO 'delete from rbac.grants where ascendantUuid = % and descendantUuid = %', subjectUuid, grantedRoleUuid;
- delete from rbac.grants as g
+ raise INFO 'delete from rbac.grant where ascendantUuid = % and descendantUuid = %', subjectUuid, grantedRoleUuid;
+ delete from rbac.grant as g
 where g.ascendantUuid = subjectUuid and g.descendantUuid = grantedRoleUuid and g.grantedByRoleUuid = revokeRoleFromSubject.grantedByRoleUuid;
 end; $$;
@@ -118,8 +118,8 @@ end; $$;
 create or replace procedure rbac.revokePermissionFromRole(permissionUuid uuid, superRoleUuid uuid)
 language plpgsql as $$
 begin
- raise INFO 'delete from rbac.grants where ascendantUuid = % and descendantUuid = %', superRoleUuid, permissionUuid;
- delete from rbac.grants as g
+ raise INFO 'delete from rbac.grant where ascendantUuid = % and descendantUuid = %', superRoleUuid, permissionUuid;
+ delete from rbac.grant as g
 where g.ascendantUuid = superRoleUuid and g.descendantUuid = permissionUuid;
 end; $$;
 --//
diff --git a/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql b/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql
index c68099dc..fa4e138a 100644
--- a/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql
+++ b/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql
@@ -52,8 +52,8 @@ grant all privileges on rbac.role_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME
 Creates a view to the grants table with additional columns for easier human readability. */
-drop view if exists rbac.grants_ev;
-create or replace view rbac.grants_ev as
+drop view if exists rbac.grant_ev;
+create or replace view rbac.grant_ev as
 -- @formatter:off
 select x.grantUuid as uuid,
 x.grantedByTriggerOf as grantedByTriggerOf,
@@ -85,7 +85,7 @@ create or replace view rbac.grants_ev as
 ) as descendingIdName,
 dro.objectTable, dro.uuid,
 dp.op, dp.optablename
- from rbac.grants as g
+ from rbac.grant as g
 left outer join rbac.role as ar on ar.uuid = g.ascendantUuid
 left outer join rbac.object as aro on aro.uuid = ar.objectuuid
@@ -112,7 +112,7 @@ create or replace view rbac.grants_ev as
 Creates a view to the grants table with row-level limitation based on the direct grants of the current user. */
-create or replace view rbac.grants_rv as
+create or replace view rbac.grant_rv as
 -- @formatter:off
 select o.objectTable || '#' || rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
 g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
@@ -122,7 +122,7 @@ select o.objectTable || '#' || rbac.findIdNameByObjectUuid(o.objectTable, o.uuid
 select g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid, g.assumed,
 u.name as userName, o.objecttable, r.objectuuid, r.roletype,
 rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
- from rbac.grants as g
+ from rbac.grant as g
 join rbac.role as r on r.uuid = g.descendantUuid
 join rbac.object o on o.uuid = r.objectuuid
 left outer join rbac.subject u on u.uuid = g.ascendantuuid
@@ -141,28 +141,28 @@ grant all privileges on rbac.role_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME
 -- ----------------------------------------------------------------------------
 /**
- Instead of insert trigger function for rbac.grants_rv.
+ Instead of insert trigger function for rbac.grant_rv.
 */
 create or replace function rbac.insert_grant_tf()
 returns trigger
 language plpgsql as $$
 declare
- newGrant rbac.grants_rv;
+ newGrant rbac.grant_rv;
 begin
 call rbac.grantRoleToSubject(rbac.assumedRoleUuid(), new.grantedRoleUuid, new.subjectUuid, new.assumed);
 select grv.*
- from rbac.grants_rv grv
+ from rbac.grant_rv grv
 where grv.subjectUuid=new.subjectUuid and grv.grantedRoleUuid=new.grantedRoleUuid
 into newGrant;
 return newGrant;
 end; $$;
 /*
- Creates an instead of insert trigger for the rbac.grants_rv view.
+ Creates an instead of insert trigger for the rbac.grant_rv view.
 */
 create trigger insert_grant_tg
 instead of insert
- on rbac.grants_rv
+ on rbac.grant_rv
 for each row
 execute function rbac.insert_grant_tf();
 --/
@@ -173,7 +173,7 @@ execute function rbac.insert_grant_tf();
 -- ----------------------------------------------------------------------------
 /**
- Instead of delete trigger function for rbac.grants_rv.
+ Instead of delete trigger function for rbac.grant_rv.
 Checks if the current subject or assumed role have the permission to revoke the grant.
 */
@@ -186,11 +186,11 @@ begin
 end; $$;
 /*
- Creates an instead of delete trigger for the rbac.grants_rv view.
+ Creates an instead of delete trigger for the rbac.grant_rv view.
 */
 create trigger delete_grant_tg
 instead of delete
- on rbac.grants_rv
+ on rbac.grant_rv
 for each row
 execute function rbac.delete_grant_tf();
 --/
@@ -210,7 +210,7 @@ select distinct *
 from (
 select usersInRolesOfcurrentSubject.*
 from rbac.subject as usersInRolesOfcurrentSubject
- join rbac.grants as g on g.ascendantuuid = usersInRolesOfcurrentSubject.uuid
+ join rbac.grant as g on g.ascendantuuid = usersInRolesOfcurrentSubject.uuid
 join rbac.role_ev as r on r.uuid = g.descendantuuid
 union
 select users.*
@@ -235,7 +235,7 @@ create or replace view rbac.subject_rv as
 from (
 select usersInRolesOfcurrentSubject.*
 from rbac.subject as usersInRolesOfcurrentSubject
- join rbac.grants as g on g.ascendantuuid = usersInRolesOfcurrentSubject.uuid
+ join rbac.grant as g on g.ascendantuuid = usersInRolesOfcurrentSubject.uuid
 join rbac.role_rv as r on r.uuid = g.descendantuuid
 union
 select users.*
@@ -329,7 +329,7 @@ select r.uuid as roleuuid, p.uuid as permissionUuid,
 (r.objecttable || ':' || r.objectidname || ':' || r.roletype) as roleName,
 p.op, o.objecttable, r.objectidname, o.uuid as objectuuid
 from rbac.role_rv r
- join rbac.grants g on g.ascendantuuid = r.uuid
+ join rbac.grant g on g.ascendantuuid = r.uuid
 join rbac.permission p on p.uuid = g.descendantuuid
 join rbac.object o on o.uuid = p.objectuuid;
 grant all privileges on rbac.own_granted_permissions_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
@@ -369,7 +369,7 @@ begin
 rbac.findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName,
 po.uuid as permissionObjectUuid
 from rbac.queryPermissionsGrantedToSubjectId( targetSubjectUuid) as p
- join rbac.grants as g on g.descendantUuid = p.uuid
+ join rbac.grant as g on g.descendantUuid = p.uuid
 join rbac.object as po on po.uuid = p.objectUuid
 join rbac.role_rv as r on r.uuid = g.ascendantUuid
 join rbac.object as ro on ro.uuid = r.objectUuid
diff --git a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
index 547b0397..3bb57de8 100644
--- a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
+++ b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql
@@ -193,19 +193,19 @@ begin
 with accessible_uuids as (
 with recursive recursive_grants as
- (select distinct rbac.grants.descendantuuid,
- rbac.grants.ascendantuuid,
+ (select distinct rbac.grant.descendantuuid,
+ rbac.grant.ascendantuuid,
 1 as level,
 true
- from rbac.grants
- where rbac.grants.assumed
- and (rbac.grants.ascendantuuid = any (rbac.currentSubjectOrAssumedRolesUuids()))
+ from rbac.grant
+ where rbac.grant.assumed
+ and (rbac.grant.ascendantuuid = any (rbac.currentSubjectOrAssumedRolesUuids()))
 union all
 select distinct g.descendantuuid,
 g.ascendantuuid,
 grants.level + 1 as level,
 base.assertTrue(grants.level < 22, 'too many grant-levels: ' || grants.level)
- from rbac.grants g
+ from rbac.grant g
 join recursive_grants grants on grants.descendantuuid = g.ascendantuuid
 where g.assumed),
 grant_count AS (
diff --git a/src/main/resources/db/changelog/1-rbac/1059-rbac-statistics.sql b/src/main/resources/db/changelog/1-rbac/1059-rbac-statistics.sql
index cb8e35bf..76b5ff46 100644
--- a/src/main/resources/db/changelog/1-rbac/1059-rbac-statistics.sql
+++ b/src/main/resources/db/changelog/1-rbac/1059-rbac-statistics.sql
@@ -20,7 +20,7 @@ select no, to_char("count", '9 999 999 999') as "count", "table"
 from rbac.reference
 union
 select 5 as no, count(*) as "count", 'grants' as "table"
- from rbac.grants
+ from rbac.grant
 union
 select 6 as no, count(*) as "count", 'objects' as "table"
 from rbac.object) as totals
diff --git a/src/main/resources/db/changelog/2-rbactest/201-rbactest-customer/2013-rbactest-customer-rbac.sql b/src/main/resources/db/changelog/2-rbactest/201-rbactest-customer/2013-rbactest-customer-rbac.sql
index 16faf552..9f05528a 100644
--- a/src/main/resources/db/changelog/2-rbactest/201-rbactest-customer/2013-rbactest-customer-rbac.sql
+++ b/src/main/resources/db/changelog/2-rbactest/201-rbactest-customer/2013-rbactest-customer-rbac.sql
@@ -212,18 +212,18 @@ DECLARE
 grantsAfter numeric;
 grantsBefore numeric;
 BEGIN
- SELECT count(*) INTO grantsBefore FROM rbac.grants;
+ SELECT count(*) INTO grantsBefore FROM rbac.grant;
 FOR row IN SELECT * FROM rbactest.customer LOOP
 -- first delete all generated grants for this row from the previously defined RBAC system
- DELETE FROM rbac.grants g
+ DELETE FROM rbac.grant g
 WHERE g.grantedbytriggerof = row.uuid;
 -- then build the grants according to the currently defined RBAC rules
 CALL rbactest.customer_build_rbac_system(row);
 END LOOP;
- select count(*) into grantsAfter from rbac.grants;
+ select count(*) into grantsAfter from rbac.grant;
 -- print how the total count of grants has changed
 raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
diff --git a/src/main/resources/db/changelog/2-rbactest/202-rbactest-package/2023-rbactest-package-rbac.sql b/src/main/resources/db/changelog/2-rbactest/202-rbactest-package/2023-rbactest-package-rbac.sql
index bfe9386a..b1855f47 100644
--- a/src/main/resources/db/changelog/2-rbactest/202-rbactest-package/2023-rbactest-package-rbac.sql
+++ b/src/main/resources/db/changelog/2-rbactest/202-rbactest-package/2023-rbactest-package-rbac.sql
@@ -277,18 +277,18 @@ DECLARE
 grantsAfter numeric;
 grantsBefore numeric;
 BEGIN
- SELECT count(*) INTO grantsBefore FROM rbac.grants;
+ SELECT count(*) INTO grantsBefore FROM rbac.grant;
 FOR row IN SELECT * FROM rbactest.package LOOP
 -- first delete all generated grants for this row from the previously defined RBAC system
- DELETE FROM rbac.grants g
+ DELETE FROM rbac.grant g
 WHERE g.grantedbytriggerof = row.uuid;
 -- then build the grants according to the currently defined RBAC rules
 CALL rbactest.package_build_rbac_system(row);
 END LOOP;
- select count(*) into grantsAfter from rbac.grants;
+ select count(*) into grantsAfter from rbac.grant;
 -- print how the total count of grants has changed
 raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
diff --git a/src/main/resources/db/changelog/2-rbactest/203-rbactest-domain/2033-rbactest-domain-rbac.sql b/src/main/resources/db/changelog/2-rbactest/203-rbactest-domain/2033-rbactest-domain-rbac.sql
index 3ebe2c33..7747cc28 100644
--- a/src/main/resources/db/changelog/2-rbactest/203-rbactest-domain/2033-rbactest-domain-rbac.sql
+++ b/src/main/resources/db/changelog/2-rbactest/203-rbactest-domain/2033-rbactest-domain-rbac.sql
@@ -276,18 +276,18 @@ DECLARE
 grantsAfter numeric;
 grantsBefore numeric;
 BEGIN
- SELECT count(*) INTO grantsBefore FROM rbac.grants;
+ SELECT count(*) INTO grantsBefore FROM rbac.grant;
 FOR row IN SELECT * FROM rbactest.domain LOOP
 -- first delete all generated grants for this row from the previously defined RBAC system
- DELETE FROM rbac.grants g
+ DELETE FROM rbac.grant g
 WHERE g.grantedbytriggerof = row.uuid;
 -- then build the grants according to the currently defined RBAC rules
 CALL rbactest.domain_build_rbac_system(row);
 END LOOP;
- select count(*) into grantsAfter from rbac.grants;
+ select count(*) into grantsAfter from rbac.grant;
 -- print how the total count of grants has changed
 raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
diff --git a/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql b/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql
index 6e34a9b5..6f5f1da7 100644
--- a/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql
@@ -136,18 +136,18 @@ DECLARE
 grantsAfter numeric;
 grantsBefore numeric;
 BEGIN
- SELECT count(*) INTO grantsBefore FROM rbac.grants;
+ SELECT count(*) INTO grantsBefore FROM rbac.grant;
 FOR row IN SELECT * FROM hs_office.contact LOOP
 -- first delete all generated grants for this row from the previously defined RBAC system
- DELETE FROM rbac.grants g
+ DELETE FROM rbac.grant g
 WHERE g.grantedbytriggerof = row.uuid;
 -- then build the grants according to the currently defined RBAC rules
 CALL hs_office.contact_build_rbac_system(row);
 END LOOP;
- select count(*) into grantsAfter from rbac.grants;
+ select count(*) into grantsAfter from rbac.grant;
 -- print how the total count of grants has changed
 raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
diff --git a/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql b/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql
index fa08479c..9ca4132b 100644
--- a/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql
@@ -138,18 +138,18 @@ DECLARE
 grantsAfter numeric;
 grantsBefore numeric;
 BEGIN
- SELECT count(*) INTO grantsBefore FROM rbac.grants;
+ SELECT count(*) INTO grantsBefore FROM rbac.grant;
 FOR row IN SELECT * FROM hs_office.person LOOP
 -- first delete all generated grants for this row from the previously defined RBAC system
- DELETE FROM rbac.grants g
+ DELETE FROM rbac.grant g
 WHERE g.grantedbytriggerof = row.uuid;
 -- then build the grants according to the currently defined RBAC rules
 CALL hs_office.person_build_rbac_system(row);
 END LOOP;
- select count(*) into grantsAfter from rbac.grants;
+ select count(*) into grantsAfter from rbac.grant;
 -- print how the total count of grants has changed
 raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
diff --git a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql
index ef6d9429..affcf836 100644
--- a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql
@@ -125,7 +125,7 @@ create or replace procedure hs_office.relation_update_rbac_system(
 begin
 if NEW.contactUuid is distinct from OLD.contactUuid then
- delete from rbac.grants g where g.grantedbytriggerof = OLD.uuid;
+ delete from rbac.grant g where g.grantedbytriggerof = OLD.uuid;
 call hs_office.relation_build_rbac_system(NEW);
 end if;
 end; $$;
@@ -286,18 +286,18 @@ DECLARE
 grantsAfter numeric;
 grantsBefore numeric;
 BEGIN
- SELECT count(*) INTO grantsBefore FROM rbac.grants;
+ SELECT count(*) INTO grantsBefore FROM rbac.grant;
 FOR row IN SELECT * FROM hs_office.relation LOOP
 -- first delete all generated grants for this row from the previously defined RBAC system
- DELETE FROM rbac.grants g
+ DELETE FROM rbac.grant g
 WHERE g.grantedbytriggerof = row.uuid;
 -- then build the grants according to the currently defined RBAC rules
 CALL hs_office.relation_build_rbac_system(row);
 END LOOP;
- select count(*) into grantsAfter from rbac.grants;
+ select count(*) into grantsAfter from rbac.grant;
 -- print how the total count of grants has changed
 raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql
index fc11610e..ab56e655 100644
--- a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql
@@ -287,18 +287,18 @@ DECLARE
 grantsAfter numeric;
 grantsBefore numeric;
 BEGIN
- SELECT count(*) INTO grantsBefore FROM rbac.grants;
+ SELECT count(*) INTO grantsBefore FROM rbac.grant;
 FOR row IN SELECT * FROM hs_office.partner LOOP
 -- first delete all generated grants for this row from the previously defined RBAC system
- DELETE FROM rbac.grants g
+ DELETE FROM rbac.grant g
 WHERE g.grantedbytriggerof = row.uuid;
 -- then build the grants according to the currently defined RBAC rules
 CALL hs_office.partner_build_rbac_system(row);
 END LOOP;
- select count(*) into grantsAfter from rbac.grants;
+ select count(*) into grantsAfter from rbac.grant;
 -- print how the total count of grants has changed
 raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql b/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql
index 01840910..94bf87d9 100644
--- a/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql
@@ -199,18 +199,18 @@ DECLARE
 grantsAfter numeric;
 grantsBefore numeric;
 BEGIN
- SELECT count(*) INTO grantsBefore FROM rbac.grants;
+ SELECT count(*) INTO grantsBefore FROM rbac.grant;
 FOR row IN SELECT * FROM hs_office.partner_details LOOP
 -- first delete all generated grants for this row from the previously defined RBAC system
- DELETE FROM rbac.grants g
+ DELETE FROM rbac.grant g
 WHERE g.grantedbytriggerof = row.uuid;
 -- then build the grants according to the currently defined RBAC rules
 CALL hs_office.partner_details_build_rbac_system(row);
 END LOOP;
- select count(*) into grantsAfter from rbac.grants;
+ select count(*) into grantsAfter from rbac.grant;
 -- print how the total count of grants has changed
 raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
diff --git a/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql b/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql
index cb268a67..715f7270 100644
--- a/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql
@@ -135,18 +135,18 @@ DECLARE
 grantsAfter numeric;
 grantsBefore numeric;
 BEGIN
- SELECT count(*) INTO grantsBefore FROM rbac.grants;
+ SELECT count(*) INTO grantsBefore FROM rbac.grant;
 FOR row IN SELECT * FROM hs_office.bankaccount LOOP
 -- first delete all generated grants for this row from the previously defined RBAC system
- DELETE FROM rbac.grants g
+ DELETE FROM rbac.grant g
 WHERE g.grantedbytriggerof = row.uuid;
 -- then build the grants according to the currently defined RBAC rules
 CALL hs_office.bankaccount_build_rbac_system(row);
 END LOOP;
- select count(*) into grantsAfter from rbac.grants;
+ select count(*) into grantsAfter from rbac.grant;
 -- print how the total count of grants has changed
 raise notice 'total grant count before -> after: % -> %', grantsB
efore, grantsAfter;
diff --git a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql
index 1fd6e130..3de6eaad 100644
--- a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql
@@ -101,7 +101,7 @@ begin
 if NEW.debitorRelUuid is distinct from OLD.debitorRelUuid or NEW.refundBankAccountUuid is distinct from OLD.refundBankAccountUuid then
- delete from rbac.grants g where g.grantedbytriggerof = OLD.uuid;
+ delete from rbac.grant g where g.grantedbytriggerof = OLD.uuid;
 call hs_office.debitor_build_rbac_system(NEW);
 end if;
 end; $$;
@@ -276,18 +276,18 @@ DECLARE
 grantsAfter numeric;
 grantsBefore numeric;
 BEGIN
- SELECT count(*) INTO grantsBefore FROM rbac.grants;
+ SELECT count(*) INTO grantsBefore FROM rbac.grant;
 FOR row IN SELECT * FROM hs_office.debitor LOOP
 -- first delete all generated grants for this row from the previously defined RBAC system
- DELETE FROM rbac.grants g
+ DELETE FROM rbac.grant g
 WHERE g.grantedbytriggerof = row.uuid;
 -- then build the grants according to the currently defined RBAC rules
 CALL hs_office.debitor_build_rbac_system(row);
 END LOOP;
- select count(*) into grantsAfter from rbac.grants;
+ select count(*) into grantsAfter from rbac.grant;
 -- print how the total count of grants has changed
 raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
diff --git a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql
index cba350a1..6785bb3f 100644
--- a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql
@@ -245,18 +245,18 @@ DECLARE
 grantsAfter numeric;
 grantsBefore numeric;
 BEGIN
- SELECT count(*) INTO grantsBefore FROM rbac.grants;
+ SELECT count(*) INTO grantsBefore FROM rbac.grant;
 FOR row IN SELECT * FROM hs_office.sepamandate LOOP
 -- first delete all generated grants for this row from the previously defined RBAC system
- DELETE FROM rbac.grants g
+ DELETE FROM rbac.grant g
 WHERE g.grantedbytriggerof = row.uuid;
 -- then build the grants according to the currently defined RBAC rules
 CALL hs_office.sepamandate_build_rbac_system(row);
 END LOOP;
- select count(*) into grantsAfter from rbac.grants;
+ select count(*) into grantsAfter from rbac.grant;
 -- print how the total count of grants has changed
 raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
diff --git a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql
index ac82eab3..9a52003e 100644
--- a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql
@@ -227,18 +227,18 @@ DECLARE
 grantsAfter numeric;
 grantsBefore numeric;
 BEGIN
- SELECT count(*) INTO grantsBefore FROM rbac.grants;
+ SELECT count(*) INTO grantsBefore FROM rbac.grant;
 FOR row IN SELECT * FROM hs_office.membership LOOP
 -- first delete all generated grants for this row from the previously defined RBAC system
- DELETE FROM rbac.grants g
+ DELETE FROM rbac.grant g
 WHERE g.grantedbytriggerof = row.uuid;
 -- then build the grants according to the currently defined RBAC rules
 CALL hs_office.membership_build_rbac_system(row);
 END LOOP;
- select count(*) into grantsAfter from rbac.grants;
+ select count(*) into grantsAfter from rbac.grant;
 -- print how the total count of grants has changed
 raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
diff --git a/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql b/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql
index 5cf1eed6..eb39dfd9 100644
--- a/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.sql
@@ -198,18 +198,18 @@ DECLARE
 grantsAfter numeric;
 grantsBefore numeric;
 BEGIN
- SELECT count(*) INTO grantsBefore FROM rbac.grants;
+ SELECT count(*) INTO grantsBefore FROM rbac.grant;
 FOR row IN SELECT * FROM hs_office.coopsharetx LOOP
 -- first delete all generated grants for this row from the previously defined RBAC system
- DELETE FROM rbac.grants g
+ DELETE FROM rbac.grant g
 WHERE g.grantedbytriggerof = row.uuid;
 -- then build the grants according to the currently defined RBAC rules
 CALL hs_office.coopsharetx_build_rbac_system(row);
 END LOOP;
- select count(*) into grantsAfter from rbac.grants;
+ select count(*) into grantsAfter from rbac.grant;
 -- print how the total count of grants has changed
 raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
diff --git a/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql b/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql
index b4b08467..033792b6 100644
--- a/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql
+++ b/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.sql
@@ -198,18 +198,18 @@ DECLARE
 grantsAfter numeric;
 grantsBefore numeric;
 BEGIN
- SELECT count(*) INTO grantsBefore FROM rbac.grants;
+ SELECT count(*) INTO grantsBefore FROM rbac.grant;
 FOR row IN SELECT * FROM hs_office.coopassettx LOOP
 -- first delete all generated grants for this row from the previously defined RBAC system
- DELETE FROM rbac.grants g
+ DELETE FROM rbac.grant g
 WHERE g.grantedbytriggerof = row.uuid;
 -- then build the grants according to the currently defined RBAC rules
 CALL hs_office.coopassettx_build_rbac_system(row);
 END LOOP;
- select count(*) into grantsAfter from rbac.grants;
+ select count(*) into grantsAfter from rbac.grant;
 -- print how the total count of grants has changed
 raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
diff --git a/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql b/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql
index 207bb740..58716ffe 100644
--- a/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql
+++ b/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql
@@ -238,18 +238,18 @@ DECLARE
 grantsAfter numeric;
 grantsBefore numeric;
 BEGIN
- SELECT count(*) INTO grantsBefore FROM rbac.grants;
+ SELECT count(*) INTO grantsBefore FROM rbac.grant;
 FOR row IN SELECT * FROM hs_booking.project LOOP
 -- first delete all generated grants for this row from the previously defined RBAC system
- DELETE FROM rbac.grants g
+ DELETE FROM rbac.grant g
 WHERE g.grantedbytriggerof = row.uuid;
 -- then build the grants according to the currently defined RBAC rules
 CALL hs_booking.project_build_rbac_system(row);
 END LOOP;
- select count(*) into grantsAfter from rbac.grants;
+ select count(*) into grantsAfter from rbac.grant;
 -- print how the total count of grants has changed
 raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
diff --git a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql
index 8010599c..c63edf90 100644
--- a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql
+++ b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql
@@ -309,18 +309,18 @@ DECLARE
 grantsAfter numeric;
 grantsBefore numeric;
 BEGIN
- SELECT count(*) INTO grantsBefore FROM rbac.grants;
+ SELECT count(*) INTO grantsBefore FROM rbac.grant;
 FOR row IN SELECT * FROM hs_booking.item LOOP
 -- first delete all generated grants for this row from the previously defined RBAC system
- DELETE FROM rbac.grants g
+ DELETE FROM rbac.grant g
 WHERE g.grantedbytriggerof = row.uuid;
 -- then build the grants according to the currently defined RBAC rules
 CALL hs_booking.item_build_rbac_system(row);
 END LOOP;
- select count(*) into grantsAfter from rbac.grants;
+ select count(*) into grantsAfter from rbac.grant;
 -- print how the total count of grants has changed
 raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
diff --git a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql
index 358fe7c5..2274f46b 100644
--- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql
+++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql
@@ -129,7 +129,7 @@ begin
 if NEW.assignedToAssetUuid is distinct from OLD.assignedToAssetUuid or NEW.alarmContactUuid is distinct from OLD.alarmContactUuid then
- delete from rbac.grants g where g.grantedbytriggerof = OLD.uuid;
+ delete from rbac.grant g where g.grantedbytriggerof = OLD.uuid;
 call hs_hosting.asset_build_rbac_system(NEW);
 end if;
 end; $$;
@@ -215,18 +215,18 @@ DECLARE
 grantsAfter numeric;
 grantsBefore numeric;
 BEGIN
- SELECT count(*) INTO grantsBefore FROM rbac.grants;
+ SELECT count(*) INTO grantsBefore FROM rbac.grant;
 FOR row IN SELECT * FROM hs_hosting.asset LOOP
 -- first delete all generated grants for this row from the previously defined RBAC system
- DELETE FROM rbac.grants g
+ DELETE FROM rbac.grant g
 WHERE g.grantedbytriggerof = row.uuid;
 -- then build the grants according to the currently defined RBAC rules
 CALL hs_hosting.asset_build_rbac_system(row);
 END LOOP;
- select count(*) into grantsAfter from rbac.grants;
+ select count(*) into grantsAfter from rbac.grant;
 -- print how the total count of grants has changed
 raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/grant/RbacGrantRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/grant/RbacGrantRepositoryIntegrationTest.java
index 05b3bc73..14075fe8 100644
--- a/src/test/java/net/hostsharing/hsadminng/rbac/grant/RbacGrantRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/grant/RbacGrantRepositoryIntegrationTest.java
@@ -295,14 +295,14 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
 @Test
 public void rebuildingTheRbacSystemWitSameRbacSpecDoesNotChangeGrantNorRoleCount() {
- final var grantCountBefore = sql("SELECT COUNT(*) FROM rbac.grants");
+ final var grantCountBefore = sql("SELECT COUNT(*) FROM rbac.grant");
 final var roleCountBefore = sql("SELECT COUNT(*) FROM rbac.role");
 jpaAttempt.transacted(() -> em.createNativeQuery("CALL rbactest.package_rebuild_rbac_system()") );
- final var grantCountAfter = sql("SELECT COUNT(*) FROM rbac.grants");
+ final var grantCountAfter = sql("SELECT COUNT(*) FROM rbac.grant");
 assertThat(grantCountBefore).as("grant count must not change").isEqualTo(grantCountAfter);
 final var roleCountAfter = sql("SELECT COUNT(*) FROM rbac.role");