improved RBAC generators #26

Merged
hsh-michaelhoennig merged 17 commits from improved-rbac-generator into master 2024-03-26 11:25:18 +01:00
7 changed files with 34 additions and 31 deletions
Showing only changes of commit a991c45bc9 - Show all commits


@ -23,7 +23,7 @@ public class InsertTriggerGenerator {
void generateTo(final StringWriter plPgSql) { void generateTo(final StringWriter plPgSql) {
generateLiquibaseChangesetHeader(plPgSql); generateLiquibaseChangesetHeader(plPgSql);
generateGrantInsertRoleToExistingCustomers(plPgSql); generateGrantInsertRoleToExistingObjects(plPgSql);
generateInsertPermissionGrantTrigger(plPgSql); generateInsertPermissionGrantTrigger(plPgSql);
generateInsertCheckTrigger(plPgSql); generateInsertCheckTrigger(plPgSql);
plPgSql.writeLn("--//"); plPgSql.writeLn("--//");
@ -38,7 +38,7 @@ public class InsertTriggerGenerator {
with("liquibaseTagPrefix", liquibaseTagPrefix)); with("liquibaseTagPrefix", liquibaseTagPrefix));
} }
private void generateGrantInsertRoleToExistingCustomers(final StringWriter plPgSql) { private void generateGrantInsertRoleToExistingObjects(final StringWriter plPgSql) {
getOptionalInsertSuperRole().ifPresent( superRoleDef -> { getOptionalInsertSuperRole().ifPresent( superRoleDef -> {
plPgSql.writeLn(""" plPgSql.writeLn("""
/* /*
@ -100,13 +100,7 @@ public class InsertTriggerGenerator {
private void generateInsertCheckTrigger(final StringWriter plPgSql) { private void generateInsertCheckTrigger(final StringWriter plPgSql) {
getOptionalInsertGrant().ifPresentOrElse(g -> { getOptionalInsertGrant().ifPresentOrElse(g -> {
if (!g.getSuperRoleDef().getEntityAlias().isGlobal()) { if (g.getSuperRoleDef().getEntityAlias().isGlobal()) {
if (rbacDef.isRootEntityAlias(g.getSuperRoleDef().getEntityAlias())) {
generateInsertPermissionTriggerAllowByDirectRole(plPgSql, g);
} else {
generateInsertPermissionTriggerAllowByIndirectRole(plPgSql, g);
}
} else {
switch (g.getSuperRoleDef().getRole()) { switch (g.getSuperRoleDef().getRole()) {
case ADMIN -> { case ADMIN -> {
generateInsertPermissionTriggerAllowOnlyGlobalAdmin(plPgSql); generateInsertPermissionTriggerAllowOnlyGlobalAdmin(plPgSql);
@ -119,6 +113,12 @@ public class InsertTriggerGenerator {
"invalid global role for INSERT permission: " + g.getSuperRoleDef().getRole()); "invalid global role for INSERT permission: " + g.getSuperRoleDef().getRole());
} }
} }
} else {
if (rbacDef.isRootEntityAlias(g.getSuperRoleDef().getEntityAlias())) {
generateInsertPermissionTriggerAllowByDirectRole(plPgSql, g);
} else {
generateInsertPermissionTriggerAllowByIndirectRole(plPgSql, g);
}
} }
}, },
() -> { () -> {
@ -139,7 +139,10 @@ public class InsertTriggerGenerator {
private void generateInsertPermissionTriggerAllowByDirectRole(final StringWriter plPgSql, final RbacView.RbacGrantDefinition g) { private void generateInsertPermissionTriggerAllowByDirectRole(final StringWriter plPgSql, final RbacView.RbacGrantDefinition g) {
plPgSql.writeLn(""" plPgSql.writeLn("""
/** /**
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable}. Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable},
where the check is performed by a direct role.
A direct role is a role depending on a foreign key directly available in the NEW row.
*/ */
create or replace function ${rawSubTable}_insert_permission_missing_tf() create or replace function ${rawSubTable}_insert_permission_missing_tf()
returns trigger returns trigger
@ -164,7 +167,10 @@ public class InsertTriggerGenerator {
final RbacView.RbacGrantDefinition g) { final RbacView.RbacGrantDefinition g) {
plPgSql.writeLn(""" plPgSql.writeLn("""
/** /**
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable}. Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable},
where the check is performed by an indirect role.
An indirect role is a role FIXME.
*/ */
create or replace function ${rawSubTable}_insert_permission_missing_tf() create or replace function ${rawSubTable}_insert_permission_missing_tf()
returns trigger returns trigger
@ -203,7 +209,8 @@ public class InsertTriggerGenerator {
private void generateInsertPermissionTriggerAllowOnlyGlobalAdmin(final StringWriter plPgSql) { private void generateInsertPermissionTriggerAllowOnlyGlobalAdmin(final StringWriter plPgSql) {
plPgSql.writeLn(""" plPgSql.writeLn("""
/** /**
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable}. Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable},
where only global-admin has that permission.
*/ */
create or replace function ${rawSubTable}_insert_permission_missing_tf() create or replace function ${rawSubTable}_insert_permission_missing_tf()
returns trigger returns trigger
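Review bot: The doc-comment template in generateInsertPermissionTriggerAllowByIndirectRole still carries the placeholder `An indirect role is a role FIXME.`, and because the text block is written straight into the Liquibase output it now lands in the generated migrations for test_package and test_domain (visible further down in this commit). Mirroring the direct-role wording two hunks above, something like `An indirect role is a role reached through a foreign key of a row that the NEW row references.` would do, if that matches what AllowByIndirectRole actually joins on; a wording you cannot yet confirm should be phrased as a question in a TODO rather than shipped in the SQL header. A second, more consequential point concerns the `() -> {` no-grant branch of generateInsertCheckTrigger, whose body continues outside the hunk: the regenerated test-customer changeset in this commit replaces the former always-raise `test_customer_insert_permission_missing_tf()` function with only a `-- FIXME` comment while `create trigger test_customer_insert_permission_check_tg` is still emitted. If that trigger still names the now-missing function (its `execute procedure` line is outside the hunk), the changeset either fails to apply or keeps whatever definition an earlier migration left behind, so the case that used to be fail-closed no longer has an explicit deny in this generator output. The no-grant branch should keep emitting a function that raises, even if the FIXME question about when the case arises stays open.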


@ -1,6 +1,6 @@
### rbac customer ### rbac customer
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-21T09:53:18.451453701. This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-22T11:19:38.310302721.
```mermaid ```mermaid
%%{init:{'flowchart':{'htmlLabels':false}}}%% %%{init:{'flowchart':{'htmlLabels':false}}}%%


@ -1,5 +1,5 @@
--liquibase formatted sql --liquibase formatted sql
-- This code generated was by RbacViewPostgresGenerator at 2024-03-21T09:53:18.467932975. -- This code generated was by RbacViewPostgresGenerator at 2024-03-22T11:19:38.329089492.
-- ============================================================================ -- ============================================================================
@ -80,17 +80,7 @@ execute procedure insertTriggerForTestCustomer_tf();
--changeset test-customer-rbac-INSERT:1 endDelimiter:--// --changeset test-customer-rbac-INSERT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/** -- FIXME: Where is this case necessary?
Checks if the user or assumed roles are allowed to insert a row to test_customer.
*/
create or replace function test_customer_insert_permission_missing_tf()
returns trigger
language plpgsql as $$
begin
raise exception '[403] insert into test_customer not allowed for current subjects % (%)',
currentSubjects(), currentSubjectsUuids();
end; $$;
create trigger test_customer_insert_permission_check_tg create trigger test_customer_insert_permission_check_tg
before insert on test_customer before insert on test_customer
for each row for each row


@ -1,6 +1,6 @@
### rbac package ### rbac package
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-21T09:53:51.758424330. This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-22T11:19:38.365161640.
```mermaid ```mermaid
%%{init:{'flowchart':{'htmlLabels':false}}}%% %%{init:{'flowchart':{'htmlLabels':false}}}%%


@ -1,5 +1,5 @@
--liquibase formatted sql --liquibase formatted sql
-- This code generated was by RbacViewPostgresGenerator at 2024-03-21T09:53:51.767062425. -- This code generated was by RbacViewPostgresGenerator at 2024-03-22T11:19:38.365610181.
-- ============================================================================ -- ============================================================================
@ -194,7 +194,10 @@ create trigger z_test_package_test_customer_insert_tg
execute procedure test_package_test_customer_insert_tf(); execute procedure test_package_test_customer_insert_tf();
/** /**
Checks if the user or assumed roles are allowed to insert a row to test_package. Checks if the user or assumed roles are allowed to insert a row to test_package,
where the check is performed by an indirect role.
An indirect role is a role FIXME.
*/ */
create or replace function test_package_insert_permission_missing_tf() create or replace function test_package_insert_permission_missing_tf()
returns trigger returns trigger


@ -1,6 +1,6 @@
### rbac domain ### rbac domain
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-21T09:53:31.860490657. This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-22T11:19:38.391784384.
```mermaid ```mermaid
%%{init:{'flowchart':{'htmlLabels':false}}}%% %%{init:{'flowchart':{'htmlLabels':false}}}%%


@ -1,5 +1,5 @@
--liquibase formatted sql --liquibase formatted sql
-- This code generated was by RbacViewPostgresGenerator at 2024-03-21T09:53:31.873124905. -- This code generated was by RbacViewPostgresGenerator at 2024-03-22T11:19:38.392306652.
-- ============================================================================ -- ============================================================================
@ -193,7 +193,10 @@ create trigger z_test_domain_test_package_insert_tg
execute procedure test_domain_test_package_insert_tf(); execute procedure test_domain_test_package_insert_tf();
/** /**
Checks if the user or assumed roles are allowed to insert a row to test_domain. Checks if the user or assumed roles are allowed to insert a row to test_domain,
where the check is performed by an indirect role.
An indirect role is a role FIXME.
*/ */
create or replace function test_domain_insert_permission_missing_tf() create or replace function test_domain_insert_permission_missing_tf()
returns trigger returns trigger