improved RBAC generators #26
@ -23,7 +23,7 @@ public class InsertTriggerGenerator {
|
|||||||
|
|
||||||
void generateTo(final StringWriter plPgSql) {
|
void generateTo(final StringWriter plPgSql) {
|
||||||
generateLiquibaseChangesetHeader(plPgSql);
|
generateLiquibaseChangesetHeader(plPgSql);
|
||||||
generateGrantInsertRoleToExistingCustomers(plPgSql);
|
generateGrantInsertRoleToExistingObjects(plPgSql);
|
||||||
generateInsertPermissionGrantTrigger(plPgSql);
|
generateInsertPermissionGrantTrigger(plPgSql);
|
||||||
generateInsertCheckTrigger(plPgSql);
|
generateInsertCheckTrigger(plPgSql);
|
||||||
plPgSql.writeLn("--//");
|
plPgSql.writeLn("--//");
|
||||||
@ -38,7 +38,7 @@ public class InsertTriggerGenerator {
|
|||||||
with("liquibaseTagPrefix", liquibaseTagPrefix));
|
with("liquibaseTagPrefix", liquibaseTagPrefix));
|
||||||
}
|
}
|
||||||
|
|
||||||
private void generateGrantInsertRoleToExistingCustomers(final StringWriter plPgSql) {
|
private void generateGrantInsertRoleToExistingObjects(final StringWriter plPgSql) {
|
||||||
getOptionalInsertSuperRole().ifPresent( superRoleDef -> {
|
getOptionalInsertSuperRole().ifPresent( superRoleDef -> {
|
||||||
plPgSql.writeLn("""
|
plPgSql.writeLn("""
|
||||||
/*
|
/*
|
||||||
@ -100,13 +100,7 @@ public class InsertTriggerGenerator {
|
|||||||
|
|
||||||
private void generateInsertCheckTrigger(final StringWriter plPgSql) {
|
private void generateInsertCheckTrigger(final StringWriter plPgSql) {
|
||||||
getOptionalInsertGrant().ifPresentOrElse(g -> {
|
getOptionalInsertGrant().ifPresentOrElse(g -> {
|
||||||
if (!g.getSuperRoleDef().getEntityAlias().isGlobal()) {
|
if (g.getSuperRoleDef().getEntityAlias().isGlobal()) {
|
||||||
if (rbacDef.isRootEntityAlias(g.getSuperRoleDef().getEntityAlias())) {
|
|
||||||
generateInsertPermissionTriggerAllowByDirectRole(plPgSql, g);
|
|
||||||
} else {
|
|
||||||
generateInsertPermissionTriggerAllowByIndirectRole(plPgSql, g);
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
switch (g.getSuperRoleDef().getRole()) {
|
switch (g.getSuperRoleDef().getRole()) {
|
||||||
case ADMIN -> {
|
case ADMIN -> {
|
||||||
generateInsertPermissionTriggerAllowOnlyGlobalAdmin(plPgSql);
|
generateInsertPermissionTriggerAllowOnlyGlobalAdmin(plPgSql);
|
||||||
@ -119,6 +113,12 @@ public class InsertTriggerGenerator {
|
|||||||
"invalid global role for INSERT permission: " + g.getSuperRoleDef().getRole());
|
"invalid global role for INSERT permission: " + g.getSuperRoleDef().getRole());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
if (rbacDef.isRootEntityAlias(g.getSuperRoleDef().getEntityAlias())) {
|
||||||
|
generateInsertPermissionTriggerAllowByDirectRole(plPgSql, g);
|
||||||
|
} else {
|
||||||
|
generateInsertPermissionTriggerAllowByIndirectRole(plPgSql, g);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
() -> {
|
() -> {
|
||||||
@ -139,7 +139,10 @@ public class InsertTriggerGenerator {
|
|||||||
private void generateInsertPermissionTriggerAllowByDirectRole(final StringWriter plPgSql, final RbacView.RbacGrantDefinition g) {
|
private void generateInsertPermissionTriggerAllowByDirectRole(final StringWriter plPgSql, final RbacView.RbacGrantDefinition g) {
|
||||||
plPgSql.writeLn("""
|
plPgSql.writeLn("""
|
||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable}.
|
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable},
|
||||||
|
where the check is performed by a direct role.
|
||||||
|
|
||||||
|
A direct role is a role depending on a foreign key directly available in the NEW row.
|
||||||
*/
|
*/
|
||||||
create or replace function ${rawSubTable}_insert_permission_missing_tf()
|
create or replace function ${rawSubTable}_insert_permission_missing_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
@ -164,7 +167,10 @@ public class InsertTriggerGenerator {
|
|||||||
final RbacView.RbacGrantDefinition g) {
|
final RbacView.RbacGrantDefinition g) {
|
||||||
plPgSql.writeLn("""
|
plPgSql.writeLn("""
|
||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable}.
|
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable},
|
||||||
|
where the check is performed by an indirect role.
|
||||||
|
|
||||||
|
An indirect role is a role FIXME.
|
||||||
*/
|
*/
|
||||||
create or replace function ${rawSubTable}_insert_permission_missing_tf()
|
create or replace function ${rawSubTable}_insert_permission_missing_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
@ -203,7 +209,8 @@ public class InsertTriggerGenerator {
|
|||||||
private void generateInsertPermissionTriggerAllowOnlyGlobalAdmin(final StringWriter plPgSql) {
|
private void generateInsertPermissionTriggerAllowOnlyGlobalAdmin(final StringWriter plPgSql) {
|
||||||
plPgSql.writeLn("""
|
plPgSql.writeLn("""
|
||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable}.
|
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable},
|
||||||
|
where only global-admin has that permission.
|
||||||
*/
|
*/
|
||||||
create or replace function ${rawSubTable}_insert_permission_missing_tf()
|
create or replace function ${rawSubTable}_insert_permission_missing_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
### rbac customer
|
### rbac customer
|
||||||
|
|
||||||
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-21T09:53:18.451453701.
|
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-22T11:19:38.310302721.
|
||||||
|
|
||||||
```mermaid
|
```mermaid
|
||||||
%%{init:{'flowchart':{'htmlLabels':false}}}%%
|
%%{init:{'flowchart':{'htmlLabels':false}}}%%
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
--liquibase formatted sql
|
--liquibase formatted sql
|
||||||
-- This code generated was by RbacViewPostgresGenerator at 2024-03-21T09:53:18.467932975.
|
-- This code generated was by RbacViewPostgresGenerator at 2024-03-22T11:19:38.329089492.
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
@ -80,17 +80,7 @@ execute procedure insertTriggerForTestCustomer_tf();
|
|||||||
--changeset test-customer-rbac-INSERT:1 endDelimiter:--//
|
--changeset test-customer-rbac-INSERT:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
-- FIXME: Where is this case necessary?
|
||||||
Checks if the user or assumed roles are allowed to insert a row to test_customer.
|
|
||||||
*/
|
|
||||||
create or replace function test_customer_insert_permission_missing_tf()
|
|
||||||
returns trigger
|
|
||||||
language plpgsql as $$
|
|
||||||
begin
|
|
||||||
raise exception '[403] insert into test_customer not allowed for current subjects % (%)',
|
|
||||||
currentSubjects(), currentSubjectsUuids();
|
|
||||||
end; $$;
|
|
||||||
|
|
||||||
create trigger test_customer_insert_permission_check_tg
|
create trigger test_customer_insert_permission_check_tg
|
||||||
before insert on test_customer
|
before insert on test_customer
|
||||||
for each row
|
for each row
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
### rbac package
|
### rbac package
|
||||||
|
|
||||||
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-21T09:53:51.758424330.
|
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-22T11:19:38.365161640.
|
||||||
|
|
||||||
```mermaid
|
```mermaid
|
||||||
%%{init:{'flowchart':{'htmlLabels':false}}}%%
|
%%{init:{'flowchart':{'htmlLabels':false}}}%%
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
--liquibase formatted sql
|
--liquibase formatted sql
|
||||||
-- This code generated was by RbacViewPostgresGenerator at 2024-03-21T09:53:51.767062425.
|
-- This code generated was by RbacViewPostgresGenerator at 2024-03-22T11:19:38.365610181.
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
@ -194,7 +194,10 @@ create trigger z_test_package_test_customer_insert_tg
|
|||||||
execute procedure test_package_test_customer_insert_tf();
|
execute procedure test_package_test_customer_insert_tf();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to insert a row to test_package.
|
Checks if the user or assumed roles are allowed to insert a row to test_package,
|
||||||
|
where the check is performed by an indirect role.
|
||||||
|
|
||||||
|
An indirect role is a role FIXME.
|
||||||
*/
|
*/
|
||||||
create or replace function test_package_insert_permission_missing_tf()
|
create or replace function test_package_insert_permission_missing_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
### rbac domain
|
### rbac domain
|
||||||
|
|
||||||
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-21T09:53:31.860490657.
|
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-22T11:19:38.391784384.
|
||||||
|
|
||||||
```mermaid
|
```mermaid
|
||||||
%%{init:{'flowchart':{'htmlLabels':false}}}%%
|
%%{init:{'flowchart':{'htmlLabels':false}}}%%
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
--liquibase formatted sql
|
--liquibase formatted sql
|
||||||
-- This code generated was by RbacViewPostgresGenerator at 2024-03-21T09:53:31.873124905.
|
-- This code generated was by RbacViewPostgresGenerator at 2024-03-22T11:19:38.392306652.
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
@ -193,7 +193,10 @@ create trigger z_test_domain_test_package_insert_tg
|
|||||||
execute procedure test_domain_test_package_insert_tf();
|
execute procedure test_domain_test_package_insert_tf();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to insert a row to test_domain.
|
Checks if the user or assumed roles are allowed to insert a row to test_domain,
|
||||||
|
where the check is performed by an indirect role.
|
||||||
|
|
||||||
|
An indirect role is a role FIXME.
|
||||||
*/
|
*/
|
||||||
create or replace function test_domain_insert_permission_missing_tf()
|
create or replace function test_domain_insert_permission_missing_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
|
Loading…
Reference in New Issue
Block a user