rename table rbac.grants -> rbac.grant for consistent naming #141
@ -1,7 +1,6 @@
|
|||||||
package net.hostsharing.hsadminng.hs.office.person;
|
package net.hostsharing.hsadminng.hs.office.person;
|
||||||
|
|
||||||
import lombok.*;
|
import lombok.*;
|
||||||
import lombok.experimental.FieldNameConstants;
|
|
||||||
import lombok.experimental.SuperBuilder;
|
import lombok.experimental.SuperBuilder;
|
||||||
import net.hostsharing.hsadminng.errors.DisplayAs;
|
import net.hostsharing.hsadminng.errors.DisplayAs;
|
||||||
import net.hostsharing.hsadminng.rbac.generator.RbacSpec;
|
import net.hostsharing.hsadminng.rbac.generator.RbacSpec;
|
||||||
@ -22,7 +21,6 @@ import static net.hostsharing.hsadminng.rbac.generator.RbacSpec.rbacViewFor;
|
|||||||
@Setter
|
@Setter
|
||||||
@NoArgsConstructor
|
@NoArgsConstructor
|
||||||
@SuperBuilder(toBuilder = true)
|
@SuperBuilder(toBuilder = true)
|
||||||
@FieldNameConstants
|
|
||||||
|
|||||||
@DisplayAs("RbacPerson")
|
@DisplayAs("RbacPerson")
|
||||||
public class HsOfficePersonRbacEntity extends HsOfficePerson<HsOfficePersonRbacEntity> {
|
public class HsOfficePersonRbacEntity extends HsOfficePerson<HsOfficePersonRbacEntity> {
|
||||||
|
|
||||||
|
@ -54,18 +54,18 @@ class RbacRbacSystemRebuildGenerator {
|
|||||||
grantsAfter numeric;
|
grantsAfter numeric;
|
||||||
grantsBefore numeric;
|
grantsBefore numeric;
|
||||||
BEGIN
|
BEGIN
|
||||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||||
|
|
||||||
FOR row IN SELECT * FROM ${rawTableName} LOOP
|
FOR row IN SELECT * FROM ${rawTableName} LOOP
|
||||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
DELETE FROM rbac.grants g
|
DELETE FROM rbac.grant g
|
||||||
WHERE g.grantedbytriggerof = row.uuid;
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
-- then build the grants according to the currently defined RBAC rules
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
CALL ${rawTableName}_build_rbac_system(row);
|
CALL ${rawTableName}_build_rbac_system(row);
|
||||||
END LOOP;
|
END LOOP;
|
||||||
|
|
||||||
select count(*) into grantsAfter from rbac.grants;
|
select count(*) into grantsAfter from rbac.grant;
|
||||||
|
|
||||||
-- print how the total count of grants has changed
|
-- print how the total count of grants has changed
|
||||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
@ -112,7 +112,7 @@ class RolesGrantsAndPermissionsGenerator {
|
|||||||
begin
|
begin
|
||||||
|
|
||||||
if ${updateConditions} then
|
if ${updateConditions} then
|
||||||
delete from rbac.grants g where g.grantedbytriggerof = OLD.uuid;
|
delete from rbac.grant g where g.grantedbytriggerof = OLD.uuid;
|
||||||
call ${rawTableQualifiedName}_build_rbac_system(NEW);
|
call ${rawTableQualifiedName}_build_rbac_system(NEW);
|
||||||
end if;
|
end if;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
@ -12,7 +12,7 @@ import java.util.List;
|
|||||||
import java.util.UUID;
|
import java.util.UUID;
|
||||||
|
|
||||||
@Entity
|
@Entity
|
||||||
@Table(schema = "rbac", name = "grants_ev")
|
@Table(schema = "rbac", name = "grant_ev")
|
||||||
@Getter
|
@Getter
|
||||||
@Setter
|
@Setter
|
||||||
@Builder
|
@Builder
|
||||||
|
@ -8,7 +8,7 @@ import jakarta.persistence.*;
|
|||||||
import java.util.UUID;
|
import java.util.UUID;
|
||||||
|
|
||||||
@Entity
|
@Entity
|
||||||
@Table(schema = "rbac", name = "grants_rv")
|
@Table(schema = "rbac", name = "grant_rv")
|
||||||
@IdClass(RbacGrantId.class)
|
@IdClass(RbacGrantId.class)
|
||||||
@Getter
|
@Getter
|
||||||
@Setter
|
@Setter
|
||||||
|
@ -360,7 +360,7 @@ create or replace function rbac.delete_grants_of_role_tf()
|
|||||||
strict as $$
|
strict as $$
|
||||||
begin
|
begin
|
||||||
if TG_OP = 'DELETE' then
|
if TG_OP = 'DELETE' then
|
||||||
delete from rbac.grants g where old.uuid in (g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid);
|
delete from rbac.grant g where old.uuid in (g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid);
|
||||||
else
|
else
|
||||||
raise exception 'invalid usage of TRIGGER BEFORE DELETE';
|
raise exception 'invalid usage of TRIGGER BEFORE DELETE';
|
||||||
end if;
|
end if;
|
||||||
@ -541,7 +541,7 @@ $$;
|
|||||||
/*
|
/*
|
||||||
Table to store grants / role- or permission assignments to subjects or roles.
|
Table to store grants / role- or permission assignments to subjects or roles.
|
||||||
*/
|
*/
|
||||||
create table rbac.grants
|
create table rbac.grant
|
||||||
(
|
(
|
||||||
uuid uuid primary key default uuid_generate_v4(),
|
uuid uuid primary key default uuid_generate_v4(),
|
||||||
grantedByTriggerOf uuid references rbac.object (uuid) on delete cascade initially deferred ,
|
grantedByTriggerOf uuid references rbac.object (uuid) on delete cascade initially deferred ,
|
||||||
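Review bot: The new table name `rbac.grant` collides with the SQL keyword GRANT; PostgreSQL lists GRANT as non-reserved, so the unquoted schema-qualified form in `create table rbac.grant` compiles, but any tooling or dynamic SQL that emits the bare identifier, or a stricter dialect, will need it quoted, as the existing `"grant"` alias in rbac.isGranted already does. A comment above the definition would save the next maintainer the lookup: `-- note: 'grant' is a (non-reserved) keyword in PostgreSQL; always schema-qualify or quote this name`. Because this table is the authorization store and most references to it live in PL/pgSQL bodies and string literals (e.g. `base.create_journal('rbac.grant')`), a missed rename surfaces only at runtime, so the privilege statements for `rbac.grant_rv`/`rbac.grant_ev` outside this diff should presumably be confirmed as updated too. The same keyword point applies to the `grant_ev` and `grant_rv` view definitions further down.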
@ -551,21 +551,21 @@ create table rbac.grants
|
|||||||
assumed boolean not null default true, -- auto assumed (true) vs. needs assumeRoles (false)
|
assumed boolean not null default true, -- auto assumed (true) vs. needs assumeRoles (false)
|
||||||
unique (ascendantUuid, descendantUuid),
|
unique (ascendantUuid, descendantUuid),
|
||||||
constraint rbacGrant_createdBy check ( grantedByRoleUuid is null or grantedByTriggerOf is null) );
|
constraint rbacGrant_createdBy check ( grantedByRoleUuid is null or grantedByTriggerOf is null) );
|
||||||
create index on rbac.grants (ascendantUuid);
|
create index on rbac.grant (ascendantUuid);
|
||||||
create index on rbac.grants (descendantUuid);
|
create index on rbac.grant (descendantUuid);
|
||||||
|
|
||||||
call base.create_journal('rbac.grants');
|
call base.create_journal('rbac.grant');
|
||||||
create or replace function rbac.findGrantees(grantedId uuid)
|
create or replace function rbac.findGrantees(grantedId uuid)
|
||||||
returns setof rbac.reference
|
returns setof rbac.reference
|
||||||
returns null on null input
|
returns null on null input
|
||||||
language sql as $$
|
language sql as $$
|
||||||
with recursive grants as (
|
with recursive grants as (
|
||||||
select descendantUuid, ascendantUuid
|
select descendantUuid, ascendantUuid
|
||||||
from rbac.grants
|
from rbac.grant
|
||||||
where descendantUuid = grantedId
|
where descendantUuid = grantedId
|
||||||
union all
|
union all
|
||||||
select g.descendantUuid, g.ascendantUuid
|
select g.descendantUuid, g.ascendantUuid
|
||||||
from rbac.grants g
|
from rbac.grant g
|
||||||
inner join grants on grants.ascendantUuid = g.descendantUuid
|
inner join grants on grants.ascendantUuid = g.descendantUuid
|
||||||
)
|
)
|
||||||
select ref.*
|
select ref.*
|
||||||
@ -579,11 +579,11 @@ create or replace function rbac.isGranted(granteeIds uuid[], grantedId uuid)
|
|||||||
language sql as $$
|
language sql as $$
|
||||||
with recursive grants as (
|
with recursive grants as (
|
||||||
select descendantUuid, ascendantUuid
|
select descendantUuid, ascendantUuid
|
||||||
from rbac.grants
|
from rbac.grant
|
||||||
where descendantUuid = grantedId
|
where descendantUuid = grantedId
|
||||||
union all
|
union all
|
||||||
select "grant".descendantUuid, "grant".ascendantUuid
|
select "grant".descendantUuid, "grant".ascendantUuid
|
||||||
from rbac.grants "grant"
|
from rbac.grant "grant"
|
||||||
inner join grants recur on recur.ascendantUuid = "grant".descendantUuid
|
inner join grants recur on recur.ascendantUuid = "grant".descendantUuid
|
||||||
)
|
)
|
||||||
select exists (
|
select exists (
|
||||||
@ -605,11 +605,11 @@ create or replace function rbac.isPermissionGrantedToSubject(permissionId uuid,
|
|||||||
language sql as $$
|
language sql as $$
|
||||||
with recursive grants as (
|
with recursive grants as (
|
||||||
select descendantUuid, ascendantUuid
|
select descendantUuid, ascendantUuid
|
||||||
from rbac.grants
|
from rbac.grant
|
||||||
where descendantUuid = permissionId
|
where descendantUuid = permissionId
|
||||||
union all
|
union all
|
||||||
select g.descendantUuid, g.ascendantUuid
|
select g.descendantUuid, g.ascendantUuid
|
||||||
from rbac.grants g
|
from rbac.grant g
|
||||||
inner join grants on grants.ascendantUuid = g.descendantUuid
|
inner join grants on grants.ascendantUuid = g.descendantUuid
|
||||||
)
|
)
|
||||||
select exists(
|
select exists(
|
||||||
@ -637,7 +637,7 @@ create or replace function rbac.hasGlobalRoleGranted(forAscendantUuid uuid)
|
|||||||
language sql as $$
|
language sql as $$
|
||||||
select exists(
|
select exists(
|
||||||
select r.uuid
|
select r.uuid
|
||||||
from rbac.grants as g
|
from rbac.grant as g
|
||||||
join rbac.role as r on r.uuid = g.descendantuuid
|
join rbac.role as r on r.uuid = g.descendantuuid
|
||||||
join rbac.object as o on o.uuid = r.objectuuid
|
join rbac.object as o on o.uuid = r.objectuuid
|
||||||
where g.ascendantuuid = forAscendantUuid
|
where g.ascendantuuid = forAscendantUuid
|
||||||
@ -652,7 +652,7 @@ begin
|
|||||||
perform rbac.assertReferenceType('permissionId (descendant)', permissionUuid, 'rbac.permission');
|
perform rbac.assertReferenceType('permissionId (descendant)', permissionUuid, 'rbac.permission');
|
||||||
|
|
||||||
insert
|
insert
|
||||||
into rbac.grants (grantedByTriggerOf, ascendantUuid, descendantUuid, assumed)
|
into rbac.grant (grantedByTriggerOf, ascendantUuid, descendantUuid, assumed)
|
||||||
values (rbac.currentTriggerObjectUuid(), roleUuid, permissionUuid, true)
|
values (rbac.currentTriggerObjectUuid(), roleUuid, permissionUuid, true)
|
||||||
on conflict do nothing; -- allow granting multiple times
|
on conflict do nothing; -- allow granting multiple times
|
||||||
end;
|
end;
|
||||||
@ -676,7 +676,7 @@ begin
|
|||||||
end if;
|
end if;
|
||||||
|
|
||||||
insert
|
insert
|
||||||
into rbac.grants (grantedByTriggerOf, ascendantuuid, descendantUuid, assumed)
|
into rbac.grant (grantedByTriggerOf, ascendantuuid, descendantUuid, assumed)
|
||||||
values (rbac.currentTriggerObjectUuid(), superRoleId, subRoleId, doAssume)
|
values (rbac.currentTriggerObjectUuid(), superRoleId, subRoleId, doAssume)
|
||||||
on conflict do nothing; -- allow granting multiple times
|
on conflict do nothing; -- allow granting multiple times
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -704,7 +704,7 @@ begin
|
|||||||
end if;
|
end if;
|
||||||
|
|
||||||
insert
|
insert
|
||||||
into rbac.grants (grantedByTriggerOf, ascendantuuid, descendantUuid, assumed)
|
into rbac.grant (grantedByTriggerOf, ascendantuuid, descendantUuid, assumed)
|
||||||
values (rbac.currentTriggerObjectUuid(), superRoleId, subRoleId, doAssume)
|
values (rbac.currentTriggerObjectUuid(), superRoleId, subRoleId, doAssume)
|
||||||
on conflict do nothing; -- allow granting multiple times
|
on conflict do nothing; -- allow granting multiple times
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -722,7 +722,7 @@ begin
|
|||||||
perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role');
|
perform rbac.assertReferenceType('subRoleId (descendant)', subRoleId, 'rbac.role');
|
||||||
|
|
||||||
if (rbac.isGranted(superRoleId, subRoleId)) then
|
if (rbac.isGranted(superRoleId, subRoleId)) then
|
||||||
delete from rbac.grants where ascendantUuid = superRoleId and descendantUuid = subRoleId;
|
delete from rbac.grant where ascendantUuid = superRoleId and descendantUuid = subRoleId;
|
||||||
else
|
else
|
||||||
raise exception 'cannot revoke role % (%) from % (%) because it is not granted',
|
raise exception 'cannot revoke role % (%) from % (%) because it is not granted',
|
||||||
subRole, subRoleId, superRole, superRoleId;
|
subRole, subRoleId, superRole, superRoleId;
|
||||||
@ -743,10 +743,10 @@ begin
|
|||||||
perform rbac.assertReferenceType('permission (descendant)', permissionId, 'rbac.permission');
|
perform rbac.assertReferenceType('permission (descendant)', permissionId, 'rbac.permission');
|
||||||
|
|
||||||
if (rbac.isGranted(superRoleId, permissionId)) then
|
if (rbac.isGranted(superRoleId, permissionId)) then
|
||||||
delete from rbac.grants where ascendantUuid = superRoleId and descendantUuid = permissionId;
|
delete from rbac.grant where ascendantUuid = superRoleId and descendantUuid = permissionId;
|
||||||
else
|
else
|
||||||
select p.op, o.objectTable, o.uuid
|
select p.op, o.objectTable, o.uuid
|
||||||
from rbac.grants g
|
from rbac.grant g
|
||||||
join rbac.permission p on p.uuid=g.descendantUuid
|
join rbac.permission p on p.uuid=g.descendantUuid
|
||||||
join rbac.object o on o.uuid=p.objectUuid
|
join rbac.object o on o.uuid=p.objectUuid
|
||||||
where g.uuid=permissionId
|
where g.uuid=permissionId
|
||||||
@ -777,12 +777,12 @@ begin
|
|||||||
return query
|
return query
|
||||||
WITH RECURSIVE grants AS (
|
WITH RECURSIVE grants AS (
|
||||||
SELECT descendantUuid, ascendantUuid, 1 AS level
|
SELECT descendantUuid, ascendantUuid, 1 AS level
|
||||||
FROM rbac.grants
|
FROM rbac.grant
|
||||||
WHERE assumed
|
WHERE assumed
|
||||||
AND ascendantUuid = any(subjectIds)
|
AND ascendantUuid = any(subjectIds)
|
||||||
UNION ALL
|
UNION ALL
|
||||||
SELECT g.descendantUuid, g.ascendantUuid, grants.level + 1 AS level
|
SELECT g.descendantUuid, g.ascendantUuid, grants.level + 1 AS level
|
||||||
FROM rbac.grants g
|
FROM rbac.grant g
|
||||||
INNER JOIN grants ON grants.descendantUuid = g.ascendantUuid
|
INNER JOIN grants ON grants.descendantUuid = g.ascendantUuid
|
||||||
WHERE g.assumed
|
WHERE g.assumed
|
||||||
),
|
),
|
||||||
@ -821,11 +821,11 @@ create or replace function rbac.queryPermissionsGrantedToSubjectId(subjectId uui
|
|||||||
language sql as $$
|
language sql as $$
|
||||||
with recursive grants as (
|
with recursive grants as (
|
||||||
select descendantUuid, ascendantUuid
|
select descendantUuid, ascendantUuid
|
||||||
from rbac.grants
|
from rbac.grant
|
||||||
where ascendantUuid = subjectId
|
where ascendantUuid = subjectId
|
||||||
union all
|
union all
|
||||||
select g.descendantUuid, g.ascendantUuid
|
select g.descendantUuid, g.ascendantUuid
|
||||||
from rbac.grants g
|
from rbac.grant g
|
||||||
inner join grants on grants.descendantUuid = g.ascendantUuid
|
inner join grants on grants.descendantUuid = g.ascendantUuid
|
||||||
)
|
)
|
||||||
select perm.*
|
select perm.*
|
||||||
@ -855,11 +855,11 @@ select *
|
|||||||
-- @formatter:off
|
-- @formatter:off
|
||||||
with recursive grants as (
|
with recursive grants as (
|
||||||
select descendantUuid, ascendantUuid
|
select descendantUuid, ascendantUuid
|
||||||
from rbac.grants
|
from rbac.grant
|
||||||
where descendantUuid = objectId
|
where descendantUuid = objectId
|
||||||
union all
|
union all
|
||||||
select "grant".descendantUuid, "grant".ascendantUuid
|
select "grant".descendantUuid, "grant".ascendantUuid
|
||||||
from rbac.grants "grant"
|
from rbac.grant "grant"
|
||||||
inner join grants recur on recur.ascendantUuid = "grant".descendantUuid
|
inner join grants recur on recur.ascendantUuid = "grant".descendantUuid
|
||||||
)
|
)
|
||||||
-- @formatter:on
|
-- @formatter:on
|
||||||
|
@ -28,7 +28,7 @@ begin
|
|||||||
perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject');
|
perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject');
|
||||||
|
|
||||||
insert
|
insert
|
||||||
into rbac.grants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
|
into rbac.grant (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
|
||||||
values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume)
|
values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume)
|
||||||
-- TODO: check if grantedByRoleUuid+doAssume are the same, otherwise raise exception?
|
-- TODO: check if grantedByRoleUuid+doAssume are the same, otherwise raise exception?
|
||||||
on conflict do nothing; -- allow granting multiple times
|
on conflict do nothing; -- allow granting multiple times
|
||||||
@ -61,7 +61,7 @@ begin
|
|||||||
end if;
|
end if;
|
||||||
|
|
||||||
insert
|
insert
|
||||||
into rbac.grants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
|
into rbac.grant (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
|
||||||
values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume);
|
values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume);
|
||||||
-- TODO.impl: What should happen on multiple grants? What if options (doAssume) are not the same?
|
-- TODO.impl: What should happen on multiple grants? What if options (doAssume) are not the same?
|
||||||
-- Most powerful or latest grant wins? What about managed?
|
-- Most powerful or latest grant wins? What about managed?
|
||||||
@ -104,8 +104,8 @@ create or replace procedure rbac.revokeRoleFromSubject(grantedByRoleUuid uuid, g
|
|||||||
begin
|
begin
|
||||||
call rbac.checkRevokeRoleFromSubjectPreconditions(grantedByRoleUuid, grantedRoleUuid, subjectUuid);
|
call rbac.checkRevokeRoleFromSubjectPreconditions(grantedByRoleUuid, grantedRoleUuid, subjectUuid);
|
||||||
|
|
||||||
raise INFO 'delete from rbac.grants where ascendantUuid = % and descendantUuid = %', subjectUuid, grantedRoleUuid;
|
raise INFO 'delete from rbac.grant where ascendantUuid = % and descendantUuid = %', subjectUuid, grantedRoleUuid;
|
||||||
delete from rbac.grants as g
|
delete from rbac.grant as g
|
||||||
where g.ascendantUuid = subjectUuid and g.descendantUuid = grantedRoleUuid
|
where g.ascendantUuid = subjectUuid and g.descendantUuid = grantedRoleUuid
|
||||||
and g.grantedByRoleUuid = revokeRoleFromSubject.grantedByRoleUuid;
|
and g.grantedByRoleUuid = revokeRoleFromSubject.grantedByRoleUuid;
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -118,8 +118,8 @@ end; $$;
|
|||||||
create or replace procedure rbac.revokePermissionFromRole(permissionUuid uuid, superRoleUuid uuid)
|
create or replace procedure rbac.revokePermissionFromRole(permissionUuid uuid, superRoleUuid uuid)
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
raise INFO 'delete from rbac.grants where ascendantUuid = % and descendantUuid = %', superRoleUuid, permissionUuid;
|
raise INFO 'delete from rbac.grant where ascendantUuid = % and descendantUuid = %', superRoleUuid, permissionUuid;
|
||||||
delete from rbac.grants as g
|
delete from rbac.grant as g
|
||||||
where g.ascendantUuid = superRoleUuid and g.descendantUuid = permissionUuid;
|
where g.ascendantUuid = superRoleUuid and g.descendantUuid = permissionUuid;
|
||||||
end; $$;
|
end; $$;
|
||||||
--//
|
--//
|
||||||
|
@ -52,8 +52,8 @@ grant all privileges on rbac.role_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME
|
|||||||
Creates a view to the grants table with additional columns
|
Creates a view to the grants table with additional columns
|
||||||
for easier human readability.
|
for easier human readability.
|
||||||
*/
|
*/
|
||||||
drop view if exists rbac.grants_ev;
|
drop view if exists rbac.grant_ev;
|
||||||
create or replace view rbac.grants_ev as
|
create or replace view rbac.grant_ev as
|
||||||
-- @formatter:off
|
-- @formatter:off
|
||||||
select x.grantUuid as uuid,
|
select x.grantUuid as uuid,
|
||||||
x.grantedByTriggerOf as grantedByTriggerOf,
|
x.grantedByTriggerOf as grantedByTriggerOf,
|
||||||
@ -85,7 +85,7 @@ create or replace view rbac.grants_ev as
|
|||||||
) as descendingIdName,
|
) as descendingIdName,
|
||||||
dro.objectTable, dro.uuid,
|
dro.objectTable, dro.uuid,
|
||||||
dp.op, dp.optablename
|
dp.op, dp.optablename
|
||||||
from rbac.grants as g
|
from rbac.grant as g
|
||||||
|
|
||||||
left outer join rbac.role as ar on ar.uuid = g.ascendantUuid
|
left outer join rbac.role as ar on ar.uuid = g.ascendantUuid
|
||||||
left outer join rbac.object as aro on aro.uuid = ar.objectuuid
|
left outer join rbac.object as aro on aro.uuid = ar.objectuuid
|
||||||
@ -112,7 +112,7 @@ create or replace view rbac.grants_ev as
|
|||||||
Creates a view to the grants table with row-level limitation
|
Creates a view to the grants table with row-level limitation
|
||||||
based on the direct grants of the current user.
|
based on the direct grants of the current user.
|
||||||
*/
|
*/
|
||||||
create or replace view rbac.grants_rv as
|
create or replace view rbac.grant_rv as
|
||||||
-- @formatter:off
|
-- @formatter:off
|
||||||
select o.objectTable || '#' || rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
|
select o.objectTable || '#' || rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
|
||||||
g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
|
g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
|
||||||
@ -122,7 +122,7 @@ select o.objectTable || '#' || rbac.findIdNameByObjectUuid(o.objectTable, o.uuid
|
|||||||
select g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid, g.assumed,
|
select g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid, g.assumed,
|
||||||
u.name as userName, o.objecttable, r.objectuuid, r.roletype,
|
u.name as userName, o.objecttable, r.objectuuid, r.roletype,
|
||||||
rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
|
rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
|
||||||
from rbac.grants as g
|
from rbac.grant as g
|
||||||
join rbac.role as r on r.uuid = g.descendantUuid
|
join rbac.role as r on r.uuid = g.descendantUuid
|
||||||
join rbac.object o on o.uuid = r.objectuuid
|
join rbac.object o on o.uuid = r.objectuuid
|
||||||
left outer join rbac.subject u on u.uuid = g.ascendantuuid
|
left outer join rbac.subject u on u.uuid = g.ascendantuuid
|
||||||
@ -141,28 +141,28 @@ grant all privileges on rbac.role_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME
|
|||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Instead of insert trigger function for rbac.grants_rv.
|
Instead of insert trigger function for rbac.grant_rv.
|
||||||
*/
|
*/
|
||||||
create or replace function rbac.insert_grant_tf()
|
create or replace function rbac.insert_grant_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
newGrant rbac.grants_rv;
|
newGrant rbac.grant_rv;
|
||||||
begin
|
begin
|
||||||
call rbac.grantRoleToSubject(rbac.assumedRoleUuid(), new.grantedRoleUuid, new.subjectUuid, new.assumed);
|
call rbac.grantRoleToSubject(rbac.assumedRoleUuid(), new.grantedRoleUuid, new.subjectUuid, new.assumed);
|
||||||
select grv.*
|
select grv.*
|
||||||
from rbac.grants_rv grv
|
from rbac.grant_rv grv
|
||||||
where grv.subjectUuid=new.subjectUuid and grv.grantedRoleUuid=new.grantedRoleUuid
|
where grv.subjectUuid=new.subjectUuid and grv.grantedRoleUuid=new.grantedRoleUuid
|
||||||
into newGrant;
|
into newGrant;
|
||||||
return newGrant;
|
return newGrant;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates an instead of insert trigger for the rbac.grants_rv view.
|
Creates an instead of insert trigger for the rbac.grant_rv view.
|
||||||
*/
|
*/
|
||||||
create trigger insert_grant_tg
|
create trigger insert_grant_tg
|
||||||
instead of insert
|
instead of insert
|
||||||
on rbac.grants_rv
|
on rbac.grant_rv
|
||||||
for each row
|
for each row
|
||||||
execute function rbac.insert_grant_tf();
|
execute function rbac.insert_grant_tf();
|
||||||
--/
|
--/
|
||||||
@ -173,7 +173,7 @@ execute function rbac.insert_grant_tf();
|
|||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Instead of delete trigger function for rbac.grants_rv.
|
Instead of delete trigger function for rbac.grant_rv.
|
||||||
|
|
||||||
Checks if the current subject or assumed role have the permission to revoke the grant.
|
Checks if the current subject or assumed role have the permission to revoke the grant.
|
||||||
*/
|
*/
|
||||||
@ -186,11 +186,11 @@ begin
|
|||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates an instead of delete trigger for the rbac.grants_rv view.
|
Creates an instead of delete trigger for the rbac.grant_rv view.
|
||||||
*/
|
*/
|
||||||
create trigger delete_grant_tg
|
create trigger delete_grant_tg
|
||||||
instead of delete
|
instead of delete
|
||||||
on rbac.grants_rv
|
on rbac.grant_rv
|
||||||
for each row
|
for each row
|
||||||
execute function rbac.delete_grant_tf();
|
execute function rbac.delete_grant_tf();
|
||||||
--/
|
--/
|
||||||
@ -210,7 +210,7 @@ select distinct *
|
|||||||
from (
|
from (
|
||||||
select usersInRolesOfcurrentSubject.*
|
select usersInRolesOfcurrentSubject.*
|
||||||
from rbac.subject as usersInRolesOfcurrentSubject
|
from rbac.subject as usersInRolesOfcurrentSubject
|
||||||
join rbac.grants as g on g.ascendantuuid = usersInRolesOfcurrentSubject.uuid
|
join rbac.grant as g on g.ascendantuuid = usersInRolesOfcurrentSubject.uuid
|
||||||
join rbac.role_ev as r on r.uuid = g.descendantuuid
|
join rbac.role_ev as r on r.uuid = g.descendantuuid
|
||||||
union
|
union
|
||||||
select users.*
|
select users.*
|
||||||
@ -235,7 +235,7 @@ create or replace view rbac.subject_rv as
|
|||||||
from (
|
from (
|
||||||
select usersInRolesOfcurrentSubject.*
|
select usersInRolesOfcurrentSubject.*
|
||||||
from rbac.subject as usersInRolesOfcurrentSubject
|
from rbac.subject as usersInRolesOfcurrentSubject
|
||||||
join rbac.grants as g on g.ascendantuuid = usersInRolesOfcurrentSubject.uuid
|
join rbac.grant as g on g.ascendantuuid = usersInRolesOfcurrentSubject.uuid
|
||||||
join rbac.role_rv as r on r.uuid = g.descendantuuid
|
join rbac.role_rv as r on r.uuid = g.descendantuuid
|
||||||
union
|
union
|
||||||
select users.*
|
select users.*
|
||||||
@ -329,7 +329,7 @@ select r.uuid as roleuuid, p.uuid as permissionUuid,
|
|||||||
(r.objecttable || ':' || r.objectidname || ':' || r.roletype) as roleName, p.op,
|
(r.objecttable || ':' || r.objectidname || ':' || r.roletype) as roleName, p.op,
|
||||||
o.objecttable, r.objectidname, o.uuid as objectuuid
|
o.objecttable, r.objectidname, o.uuid as objectuuid
|
||||||
from rbac.role_rv r
|
from rbac.role_rv r
|
||||||
join rbac.grants g on g.ascendantuuid = r.uuid
|
join rbac.grant g on g.ascendantuuid = r.uuid
|
||||||
join rbac.permission p on p.uuid = g.descendantuuid
|
join rbac.permission p on p.uuid = g.descendantuuid
|
||||||
join rbac.object o on o.uuid = p.objectuuid;
|
join rbac.object o on o.uuid = p.objectuuid;
|
||||||
grant all privileges on rbac.own_granted_permissions_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
|
grant all privileges on rbac.own_granted_permissions_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
|
||||||
@ -369,7 +369,7 @@ begin
|
|||||||
rbac.findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName,
|
rbac.findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName,
|
||||||
po.uuid as permissionObjectUuid
|
po.uuid as permissionObjectUuid
|
||||||
from rbac.queryPermissionsGrantedToSubjectId( targetSubjectUuid) as p
|
from rbac.queryPermissionsGrantedToSubjectId( targetSubjectUuid) as p
|
||||||
join rbac.grants as g on g.descendantUuid = p.uuid
|
join rbac.grant as g on g.descendantUuid = p.uuid
|
||||||
join rbac.object as po on po.uuid = p.objectUuid
|
join rbac.object as po on po.uuid = p.objectUuid
|
||||||
join rbac.role_rv as r on r.uuid = g.ascendantUuid
|
join rbac.role_rv as r on r.uuid = g.ascendantUuid
|
||||||
join rbac.object as ro on ro.uuid = r.objectUuid
|
join rbac.object as ro on ro.uuid = r.objectUuid
|
||||||
|
@ -193,19 +193,19 @@ begin
|
|||||||
with accessible_uuids as (
|
with accessible_uuids as (
|
||||||
with recursive
|
with recursive
|
||||||
recursive_grants as
|
recursive_grants as
|
||||||
(select distinct rbac.grants.descendantuuid,
|
(select distinct rbac.grant.descendantuuid,
|
||||||
rbac.grants.ascendantuuid,
|
rbac.grant.ascendantuuid,
|
||||||
1 as level,
|
1 as level,
|
||||||
true
|
true
|
||||||
from rbac.grants
|
from rbac.grant
|
||||||
where rbac.grants.assumed
|
where rbac.grant.assumed
|
||||||
and (rbac.grants.ascendantuuid = any (rbac.currentSubjectOrAssumedRolesUuids()))
|
and (rbac.grant.ascendantuuid = any (rbac.currentSubjectOrAssumedRolesUuids()))
|
||||||
union all
|
union all
|
||||||
select distinct g.descendantuuid,
|
select distinct g.descendantuuid,
|
||||||
g.ascendantuuid,
|
g.ascendantuuid,
|
||||||
grants.level + 1 as level,
|
grants.level + 1 as level,
|
||||||
base.assertTrue(grants.level < 22, 'too many grant-levels: ' || grants.level)
|
base.assertTrue(grants.level < 22, 'too many grant-levels: ' || grants.level)
|
||||||
from rbac.grants g
|
from rbac.grant g
|
||||||
join recursive_grants grants on grants.descendantuuid = g.ascendantuuid
|
join recursive_grants grants on grants.descendantuuid = g.ascendantuuid
|
||||||
where g.assumed),
|
where g.assumed),
|
||||||
grant_count AS (
|
grant_count AS (
|
||||||
|
@ -20,7 +20,7 @@ select no, to_char("count", '9 999 999 999') as "count", "table"
|
|||||||
from rbac.reference
|
from rbac.reference
|
||||||
union
|
union
|
||||||
select 5 as no, count(*) as "count", 'grants' as "table"
|
select 5 as no, count(*) as "count", 'grants' as "table"
|
||||||
from rbac.grants
|
from rbac.grant
|
||||||
union
|
union
|
||||||
select 6 as no, count(*) as "count", 'objects' as "table"
|
select 6 as no, count(*) as "count", 'objects' as "table"
|
||||||
from rbac.object) as totals
|
from rbac.object) as totals
|
||||||
|
@ -212,18 +212,18 @@ DECLARE
|
|||||||
grantsAfter numeric;
|
grantsAfter numeric;
|
||||||
grantsBefore numeric;
|
grantsBefore numeric;
|
||||||
BEGIN
|
BEGIN
|
||||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||||
|
|
||||||
FOR row IN SELECT * FROM rbactest.customer LOOP
|
FOR row IN SELECT * FROM rbactest.customer LOOP
|
||||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
DELETE FROM rbac.grants g
|
DELETE FROM rbac.grant g
|
||||||
WHERE g.grantedbytriggerof = row.uuid;
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
-- then build the grants according to the currently defined RBAC rules
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
CALL rbactest.customer_build_rbac_system(row);
|
CALL rbactest.customer_build_rbac_system(row);
|
||||||
END LOOP;
|
END LOOP;
|
||||||
|
|
||||||
select count(*) into grantsAfter from rbac.grants;
|
select count(*) into grantsAfter from rbac.grant;
|
||||||
|
|
||||||
-- print how the total count of grants has changed
|
-- print how the total count of grants has changed
|
||||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
@ -277,18 +277,18 @@ DECLARE
|
|||||||
grantsAfter numeric;
|
grantsAfter numeric;
|
||||||
grantsBefore numeric;
|
grantsBefore numeric;
|
||||||
BEGIN
|
BEGIN
|
||||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||||
|
|
||||||
FOR row IN SELECT * FROM rbactest.package LOOP
|
FOR row IN SELECT * FROM rbactest.package LOOP
|
||||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
DELETE FROM rbac.grants g
|
DELETE FROM rbac.grant g
|
||||||
WHERE g.grantedbytriggerof = row.uuid;
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
-- then build the grants according to the currently defined RBAC rules
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
CALL rbactest.package_build_rbac_system(row);
|
CALL rbactest.package_build_rbac_system(row);
|
||||||
END LOOP;
|
END LOOP;
|
||||||
|
|
||||||
select count(*) into grantsAfter from rbac.grants;
|
select count(*) into grantsAfter from rbac.grant;
|
||||||
|
|
||||||
-- print how the total count of grants has changed
|
-- print how the total count of grants has changed
|
||||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
@ -276,18 +276,18 @@ DECLARE
|
|||||||
grantsAfter numeric;
|
grantsAfter numeric;
|
||||||
grantsBefore numeric;
|
grantsBefore numeric;
|
||||||
BEGIN
|
BEGIN
|
||||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||||
|
|
||||||
FOR row IN SELECT * FROM rbactest.domain LOOP
|
FOR row IN SELECT * FROM rbactest.domain LOOP
|
||||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
DELETE FROM rbac.grants g
|
DELETE FROM rbac.grant g
|
||||||
WHERE g.grantedbytriggerof = row.uuid;
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
-- then build the grants according to the currently defined RBAC rules
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
CALL rbactest.domain_build_rbac_system(row);
|
CALL rbactest.domain_build_rbac_system(row);
|
||||||
END LOOP;
|
END LOOP;
|
||||||
|
|
||||||
select count(*) into grantsAfter from rbac.grants;
|
select count(*) into grantsAfter from rbac.grant;
|
||||||
|
|
||||||
-- print how the total count of grants has changed
|
-- print how the total count of grants has changed
|
||||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
@ -136,18 +136,18 @@ DECLARE
|
|||||||
grantsAfter numeric;
|
grantsAfter numeric;
|
||||||
grantsBefore numeric;
|
grantsBefore numeric;
|
||||||
BEGIN
|
BEGIN
|
||||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||||
|
|
||||||
FOR row IN SELECT * FROM hs_office.contact LOOP
|
FOR row IN SELECT * FROM hs_office.contact LOOP
|
||||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
DELETE FROM rbac.grants g
|
DELETE FROM rbac.grant g
|
||||||
WHERE g.grantedbytriggerof = row.uuid;
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
-- then build the grants according to the currently defined RBAC rules
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
CALL hs_office.contact_build_rbac_system(row);
|
CALL hs_office.contact_build_rbac_system(row);
|
||||||
END LOOP;
|
END LOOP;
|
||||||
|
|
||||||
select count(*) into grantsAfter from rbac.grants;
|
select count(*) into grantsAfter from rbac.grant;
|
||||||
|
|
||||||
-- print how the total count of grants has changed
|
-- print how the total count of grants has changed
|
||||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
@ -138,18 +138,18 @@ DECLARE
|
|||||||
grantsAfter numeric;
|
grantsAfter numeric;
|
||||||
grantsBefore numeric;
|
grantsBefore numeric;
|
||||||
BEGIN
|
BEGIN
|
||||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||||
|
|
||||||
FOR row IN SELECT * FROM hs_office.person LOOP
|
FOR row IN SELECT * FROM hs_office.person LOOP
|
||||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
DELETE FROM rbac.grants g
|
DELETE FROM rbac.grant g
|
||||||
WHERE g.grantedbytriggerof = row.uuid;
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
-- then build the grants according to the currently defined RBAC rules
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
CALL hs_office.person_build_rbac_system(row);
|
CALL hs_office.person_build_rbac_system(row);
|
||||||
END LOOP;
|
END LOOP;
|
||||||
|
|
||||||
select count(*) into grantsAfter from rbac.grants;
|
select count(*) into grantsAfter from rbac.grant;
|
||||||
|
|
||||||
-- print how the total count of grants has changed
|
-- print how the total count of grants has changed
|
||||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
@ -125,7 +125,7 @@ create or replace procedure hs_office.relation_update_rbac_system(
|
|||||||
begin
|
begin
|
||||||
|
|
||||||
if NEW.contactUuid is distinct from OLD.contactUuid then
|
if NEW.contactUuid is distinct from OLD.contactUuid then
|
||||||
delete from rbac.grants g where g.grantedbytriggerof = OLD.uuid;
|
delete from rbac.grant g where g.grantedbytriggerof = OLD.uuid;
|
||||||
call hs_office.relation_build_rbac_system(NEW);
|
call hs_office.relation_build_rbac_system(NEW);
|
||||||
end if;
|
end if;
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -286,18 +286,18 @@ DECLARE
|
|||||||
grantsAfter numeric;
|
grantsAfter numeric;
|
||||||
grantsBefore numeric;
|
grantsBefore numeric;
|
||||||
BEGIN
|
BEGIN
|
||||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||||
|
|
||||||
FOR row IN SELECT * FROM hs_office.relation LOOP
|
FOR row IN SELECT * FROM hs_office.relation LOOP
|
||||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
DELETE FROM rbac.grants g
|
DELETE FROM rbac.grant g
|
||||||
WHERE g.grantedbytriggerof = row.uuid;
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
-- then build the grants according to the currently defined RBAC rules
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
CALL hs_office.relation_build_rbac_system(row);
|
CALL hs_office.relation_build_rbac_system(row);
|
||||||
END LOOP;
|
END LOOP;
|
||||||
|
|
||||||
select count(*) into grantsAfter from rbac.grants;
|
select count(*) into grantsAfter from rbac.grant;
|
||||||
|
|
||||||
-- print how the total count of grants has changed
|
-- print how the total count of grants has changed
|
||||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
@ -287,18 +287,18 @@ DECLARE
|
|||||||
grantsAfter numeric;
|
grantsAfter numeric;
|
||||||
grantsBefore numeric;
|
grantsBefore numeric;
|
||||||
BEGIN
|
BEGIN
|
||||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||||
|
|
||||||
FOR row IN SELECT * FROM hs_office.partner LOOP
|
FOR row IN SELECT * FROM hs_office.partner LOOP
|
||||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
DELETE FROM rbac.grants g
|
DELETE FROM rbac.grant g
|
||||||
WHERE g.grantedbytriggerof = row.uuid;
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
-- then build the grants according to the currently defined RBAC rules
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
CALL hs_office.partner_build_rbac_system(row);
|
CALL hs_office.partner_build_rbac_system(row);
|
||||||
END LOOP;
|
END LOOP;
|
||||||
|
|
||||||
select count(*) into grantsAfter from rbac.grants;
|
select count(*) into grantsAfter from rbac.grant;
|
||||||
|
|
||||||
-- print how the total count of grants has changed
|
-- print how the total count of grants has changed
|
||||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
@ -199,18 +199,18 @@ DECLARE
|
|||||||
grantsAfter numeric;
|
grantsAfter numeric;
|
||||||
grantsBefore numeric;
|
grantsBefore numeric;
|
||||||
BEGIN
|
BEGIN
|
||||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||||
|
|
||||||
FOR row IN SELECT * FROM hs_office.partner_details LOOP
|
FOR row IN SELECT * FROM hs_office.partner_details LOOP
|
||||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
DELETE FROM rbac.grants g
|
DELETE FROM rbac.grant g
|
||||||
WHERE g.grantedbytriggerof = row.uuid;
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
-- then build the grants according to the currently defined RBAC rules
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
CALL hs_office.partner_details_build_rbac_system(row);
|
CALL hs_office.partner_details_build_rbac_system(row);
|
||||||
END LOOP;
|
END LOOP;
|
||||||
|
|
||||||
select count(*) into grantsAfter from rbac.grants;
|
select count(*) into grantsAfter from rbac.grant;
|
||||||
|
|
||||||
-- print how the total count of grants has changed
|
-- print how the total count of grants has changed
|
||||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
@ -135,18 +135,18 @@ DECLARE
|
|||||||
grantsAfter numeric;
|
grantsAfter numeric;
|
||||||
grantsBefore numeric;
|
grantsBefore numeric;
|
||||||
BEGIN
|
BEGIN
|
||||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||||
|
|
||||||
FOR row IN SELECT * FROM hs_office.bankaccount LOOP
|
FOR row IN SELECT * FROM hs_office.bankaccount LOOP
|
||||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
DELETE FROM rbac.grants g
|
DELETE FROM rbac.grant g
|
||||||
WHERE g.grantedbytriggerof = row.uuid;
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
-- then build the grants according to the currently defined RBAC rules
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
CALL hs_office.bankaccount_build_rbac_system(row);
|
CALL hs_office.bankaccount_build_rbac_system(row);
|
||||||
END LOOP;
|
END LOOP;
|
||||||
|
|
||||||
select count(*) into grantsAfter from rbac.grants;
|
select count(*) into grantsAfter from rbac.grant;
|
||||||
|
|
||||||
-- print how the total count of grants has changed
|
-- print how the total count of grants has changed
|
||||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
@ -101,7 +101,7 @@ begin
|
|||||||
|
|
||||||
if NEW.debitorRelUuid is distinct from OLD.debitorRelUuid
|
if NEW.debitorRelUuid is distinct from OLD.debitorRelUuid
|
||||||
or NEW.refundBankAccountUuid is distinct from OLD.refundBankAccountUuid then
|
or NEW.refundBankAccountUuid is distinct from OLD.refundBankAccountUuid then
|
||||||
delete from rbac.grants g where g.grantedbytriggerof = OLD.uuid;
|
delete from rbac.grant g where g.grantedbytriggerof = OLD.uuid;
|
||||||
call hs_office.debitor_build_rbac_system(NEW);
|
call hs_office.debitor_build_rbac_system(NEW);
|
||||||
end if;
|
end if;
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -276,18 +276,18 @@ DECLARE
|
|||||||
grantsAfter numeric;
|
grantsAfter numeric;
|
||||||
grantsBefore numeric;
|
grantsBefore numeric;
|
||||||
BEGIN
|
BEGIN
|
||||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||||
|
|
||||||
FOR row IN SELECT * FROM hs_office.debitor LOOP
|
FOR row IN SELECT * FROM hs_office.debitor LOOP
|
||||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
DELETE FROM rbac.grants g
|
DELETE FROM rbac.grant g
|
||||||
WHERE g.grantedbytriggerof = row.uuid;
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
-- then build the grants according to the currently defined RBAC rules
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
CALL hs_office.debitor_build_rbac_system(row);
|
CALL hs_office.debitor_build_rbac_system(row);
|
||||||
END LOOP;
|
END LOOP;
|
||||||
|
|
||||||
select count(*) into grantsAfter from rbac.grants;
|
select count(*) into grantsAfter from rbac.grant;
|
||||||
|
|
||||||
-- print how the total count of grants has changed
|
-- print how the total count of grants has changed
|
||||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
@ -245,18 +245,18 @@ DECLARE
|
|||||||
grantsAfter numeric;
|
grantsAfter numeric;
|
||||||
grantsBefore numeric;
|
grantsBefore numeric;
|
||||||
BEGIN
|
BEGIN
|
||||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||||
|
|
||||||
FOR row IN SELECT * FROM hs_office.sepamandate LOOP
|
FOR row IN SELECT * FROM hs_office.sepamandate LOOP
|
||||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
DELETE FROM rbac.grants g
|
DELETE FROM rbac.grant g
|
||||||
WHERE g.grantedbytriggerof = row.uuid;
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
-- then build the grants according to the currently defined RBAC rules
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
CALL hs_office.sepamandate_build_rbac_system(row);
|
CALL hs_office.sepamandate_build_rbac_system(row);
|
||||||
END LOOP;
|
END LOOP;
|
||||||
|
|
||||||
select count(*) into grantsAfter from rbac.grants;
|
select count(*) into grantsAfter from rbac.grant;
|
||||||
|
|
||||||
-- print how the total count of grants has changed
|
-- print how the total count of grants has changed
|
||||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
@ -227,18 +227,18 @@ DECLARE
|
|||||||
grantsAfter numeric;
|
grantsAfter numeric;
|
||||||
grantsBefore numeric;
|
grantsBefore numeric;
|
||||||
BEGIN
|
BEGIN
|
||||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||||
|
|
||||||
FOR row IN SELECT * FROM hs_office.membership LOOP
|
FOR row IN SELECT * FROM hs_office.membership LOOP
|
||||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
DELETE FROM rbac.grants g
|
DELETE FROM rbac.grant g
|
||||||
WHERE g.grantedbytriggerof = row.uuid;
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
-- then build the grants according to the currently defined RBAC rules
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
CALL hs_office.membership_build_rbac_system(row);
|
CALL hs_office.membership_build_rbac_system(row);
|
||||||
END LOOP;
|
END LOOP;
|
||||||
|
|
||||||
select count(*) into grantsAfter from rbac.grants;
|
select count(*) into grantsAfter from rbac.grant;
|
||||||
|
|
||||||
-- print how the total count of grants has changed
|
-- print how the total count of grants has changed
|
||||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
@ -198,18 +198,18 @@ DECLARE
|
|||||||
grantsAfter numeric;
|
grantsAfter numeric;
|
||||||
grantsBefore numeric;
|
grantsBefore numeric;
|
||||||
BEGIN
|
BEGIN
|
||||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||||
|
|
||||||
FOR row IN SELECT * FROM hs_office.coopsharetx LOOP
|
FOR row IN SELECT * FROM hs_office.coopsharetx LOOP
|
||||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
DELETE FROM rbac.grants g
|
DELETE FROM rbac.grant g
|
||||||
WHERE g.grantedbytriggerof = row.uuid;
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
-- then build the grants according to the currently defined RBAC rules
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
CALL hs_office.coopsharetx_build_rbac_system(row);
|
CALL hs_office.coopsharetx_build_rbac_system(row);
|
||||||
END LOOP;
|
END LOOP;
|
||||||
|
|
||||||
select count(*) into grantsAfter from rbac.grants;
|
select count(*) into grantsAfter from rbac.grant;
|
||||||
|
|
||||||
-- print how the total count of grants has changed
|
-- print how the total count of grants has changed
|
||||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
@ -198,18 +198,18 @@ DECLARE
|
|||||||
grantsAfter numeric;
|
grantsAfter numeric;
|
||||||
grantsBefore numeric;
|
grantsBefore numeric;
|
||||||
BEGIN
|
BEGIN
|
||||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||||
|
|
||||||
FOR row IN SELECT * FROM hs_office.coopassettx LOOP
|
FOR row IN SELECT * FROM hs_office.coopassettx LOOP
|
||||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
DELETE FROM rbac.grants g
|
DELETE FROM rbac.grant g
|
||||||
WHERE g.grantedbytriggerof = row.uuid;
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
-- then build the grants according to the currently defined RBAC rules
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
CALL hs_office.coopassettx_build_rbac_system(row);
|
CALL hs_office.coopassettx_build_rbac_system(row);
|
||||||
END LOOP;
|
END LOOP;
|
||||||
|
|
||||||
select count(*) into grantsAfter from rbac.grants;
|
select count(*) into grantsAfter from rbac.grant;
|
||||||
|
|
||||||
-- print how the total count of grants has changed
|
-- print how the total count of grants has changed
|
||||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
@ -238,18 +238,18 @@ DECLARE
|
|||||||
grantsAfter numeric;
|
grantsAfter numeric;
|
||||||
grantsBefore numeric;
|
grantsBefore numeric;
|
||||||
BEGIN
|
BEGIN
|
||||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||||
|
|
||||||
FOR row IN SELECT * FROM hs_booking.project LOOP
|
FOR row IN SELECT * FROM hs_booking.project LOOP
|
||||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
DELETE FROM rbac.grants g
|
DELETE FROM rbac.grant g
|
||||||
WHERE g.grantedbytriggerof = row.uuid;
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
-- then build the grants according to the currently defined RBAC rules
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
CALL hs_booking.project_build_rbac_system(row);
|
CALL hs_booking.project_build_rbac_system(row);
|
||||||
END LOOP;
|
END LOOP;
|
||||||
|
|
||||||
select count(*) into grantsAfter from rbac.grants;
|
select count(*) into grantsAfter from rbac.grant;
|
||||||
|
|
||||||
-- print how the total count of grants has changed
|
-- print how the total count of grants has changed
|
||||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
@ -309,18 +309,18 @@ DECLARE
|
|||||||
grantsAfter numeric;
|
grantsAfter numeric;
|
||||||
grantsBefore numeric;
|
grantsBefore numeric;
|
||||||
BEGIN
|
BEGIN
|
||||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||||
|
|
||||||
FOR row IN SELECT * FROM hs_booking.item LOOP
|
FOR row IN SELECT * FROM hs_booking.item LOOP
|
||||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
DELETE FROM rbac.grants g
|
DELETE FROM rbac.grant g
|
||||||
WHERE g.grantedbytriggerof = row.uuid;
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
-- then build the grants according to the currently defined RBAC rules
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
CALL hs_booking.item_build_rbac_system(row);
|
CALL hs_booking.item_build_rbac_system(row);
|
||||||
END LOOP;
|
END LOOP;
|
||||||
|
|
||||||
select count(*) into grantsAfter from rbac.grants;
|
select count(*) into grantsAfter from rbac.grant;
|
||||||
|
|
||||||
-- print how the total count of grants has changed
|
-- print how the total count of grants has changed
|
||||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
@ -129,7 +129,7 @@ begin
|
|||||||
|
|
||||||
if NEW.assignedToAssetUuid is distinct from OLD.assignedToAssetUuid
|
if NEW.assignedToAssetUuid is distinct from OLD.assignedToAssetUuid
|
||||||
or NEW.alarmContactUuid is distinct from OLD.alarmContactUuid then
|
or NEW.alarmContactUuid is distinct from OLD.alarmContactUuid then
|
||||||
delete from rbac.grants g where g.grantedbytriggerof = OLD.uuid;
|
delete from rbac.grant g where g.grantedbytriggerof = OLD.uuid;
|
||||||
call hs_hosting.asset_build_rbac_system(NEW);
|
call hs_hosting.asset_build_rbac_system(NEW);
|
||||||
end if;
|
end if;
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -215,18 +215,18 @@ DECLARE
|
|||||||
grantsAfter numeric;
|
grantsAfter numeric;
|
||||||
grantsBefore numeric;
|
grantsBefore numeric;
|
||||||
BEGIN
|
BEGIN
|
||||||
SELECT count(*) INTO grantsBefore FROM rbac.grants;
|
SELECT count(*) INTO grantsBefore FROM rbac.grant;
|
||||||
|
|
||||||
FOR row IN SELECT * FROM hs_hosting.asset LOOP
|
FOR row IN SELECT * FROM hs_hosting.asset LOOP
|
||||||
-- first delete all generated grants for this row from the previously defined RBAC system
|
-- first delete all generated grants for this row from the previously defined RBAC system
|
||||||
DELETE FROM rbac.grants g
|
DELETE FROM rbac.grant g
|
||||||
WHERE g.grantedbytriggerof = row.uuid;
|
WHERE g.grantedbytriggerof = row.uuid;
|
||||||
|
|
||||||
-- then build the grants according to the currently defined RBAC rules
|
-- then build the grants according to the currently defined RBAC rules
|
||||||
CALL hs_hosting.asset_build_rbac_system(row);
|
CALL hs_hosting.asset_build_rbac_system(row);
|
||||||
END LOOP;
|
END LOOP;
|
||||||
|
|
||||||
select count(*) into grantsAfter from rbac.grants;
|
select count(*) into grantsAfter from rbac.grant;
|
||||||
|
|
||||||
-- print how the total count of grants has changed
|
-- print how the total count of grants has changed
|
||||||
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
raise notice 'total grant count before -> after: % -> %', grantsBefore, grantsAfter;
|
||||||
|
@ -295,14 +295,14 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void rebuildingTheRbacSystemWitSameRbacSpecDoesNotChangeGrantNorRoleCount() {
|
public void rebuildingTheRbacSystemWitSameRbacSpecDoesNotChangeGrantNorRoleCount() {
|
||||||
final var grantCountBefore = sql("SELECT COUNT(*) FROM rbac.grants");
|
final var grantCountBefore = sql("SELECT COUNT(*) FROM rbac.grant");
|
||||||
final var roleCountBefore = sql("SELECT COUNT(*) FROM rbac.role");
|
final var roleCountBefore = sql("SELECT COUNT(*) FROM rbac.role");
|
||||||
|
|
||||||
jpaAttempt.transacted(() ->
|
jpaAttempt.transacted(() ->
|
||||||
em.createNativeQuery("CALL rbactest.package_rebuild_rbac_system()")
|
em.createNativeQuery("CALL rbactest.package_rebuild_rbac_system()")
|
||||||
);
|
);
|
||||||
|
|
||||||
final var grantCountAfter = sql("SELECT COUNT(*) FROM rbac.grants");
|
final var grantCountAfter = sql("SELECT COUNT(*) FROM rbac.grant");
|
||||||
assertThat(grantCountBefore).as("grant count must not change").isEqualTo(grantCountAfter);
|
assertThat(grantCountBefore).as("grant count must not change").isEqualTo(grantCountAfter);
|
||||||
|
|
||||||
final var roleCountAfter = sql("SELECT COUNT(*) FROM rbac.role");
|
final var roleCountAfter = sql("SELECT COUNT(*) FROM rbac.role");
|
||||||
|
das ist das einzige, wo es nicht um grants=>grant geht