improved RBAC generators #26

Merged
hsh-michaelhoennig merged 17 commits from improved-rbac-generator into master 2024-03-26 11:25:18 +01:00
7 changed files with 34 additions and 31 deletions


@ -23,7 +23,7 @@ public class InsertTriggerGenerator {
void generateTo(final StringWriter plPgSql) {
generateLiquibaseChangesetHeader(plPgSql);
generateGrantInsertRoleToExistingCustomers(plPgSql);
generateGrantInsertRoleToExistingObjects(plPgSql);
generateInsertPermissionGrantTrigger(plPgSql);
generateInsertCheckTrigger(plPgSql);
plPgSql.writeLn("--//");
@ -38,7 +38,7 @@ public class InsertTriggerGenerator {
with("liquibaseTagPrefix", liquibaseTagPrefix));
}
private void generateGrantInsertRoleToExistingCustomers(final StringWriter plPgSql) {
private void generateGrantInsertRoleToExistingObjects(final StringWriter plPgSql) {
getOptionalInsertSuperRole().ifPresent( superRoleDef -> {
plPgSql.writeLn("""
/*
@ -100,13 +100,7 @@ public class InsertTriggerGenerator {
private void generateInsertCheckTrigger(final StringWriter plPgSql) {
getOptionalInsertGrant().ifPresentOrElse(g -> {
if (!g.getSuperRoleDef().getEntityAlias().isGlobal()) {
if (rbacDef.isRootEntityAlias(g.getSuperRoleDef().getEntityAlias())) {
generateInsertPermissionTriggerAllowByDirectRole(plPgSql, g);
} else {
generateInsertPermissionTriggerAllowByIndirectRole(plPgSql, g);
}
} else {
if (g.getSuperRoleDef().getEntityAlias().isGlobal()) {
switch (g.getSuperRoleDef().getRole()) {
case ADMIN -> {
generateInsertPermissionTriggerAllowOnlyGlobalAdmin(plPgSql);
@ -119,6 +113,12 @@ public class InsertTriggerGenerator {
"invalid global role for INSERT permission: " + g.getSuperRoleDef().getRole());
}
}
} else {
if (rbacDef.isRootEntityAlias(g.getSuperRoleDef().getEntityAlias())) {
generateInsertPermissionTriggerAllowByDirectRole(plPgSql, g);
} else {
generateInsertPermissionTriggerAllowByIndirectRole(plPgSql, g);
}
}
},
() -> {
@ -139,7 +139,10 @@ public class InsertTriggerGenerator {
private void generateInsertPermissionTriggerAllowByDirectRole(final StringWriter plPgSql, final RbacView.RbacGrantDefinition g) {
plPgSql.writeLn("""
/**
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable}.
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable},
where the check is performed by a direct role.
A direct role is a role depending on a foreign key directly available in the NEW row.
*/
create or replace function ${rawSubTable}_insert_permission_missing_tf()
returns trigger
@ -164,7 +167,10 @@ public class InsertTriggerGenerator {
final RbacView.RbacGrantDefinition g) {
plPgSql.writeLn("""
/**
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable}.
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable},
where the check is performed by an indirect role.
An indirect role is a role FIXME.
*/
create or replace function ${rawSubTable}_insert_permission_missing_tf()
returns trigger
@ -203,7 +209,8 @@ public class InsertTriggerGenerator {
private void generateInsertPermissionTriggerAllowOnlyGlobalAdmin(final StringWriter plPgSql) {
plPgSql.writeLn("""
/**
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable}.
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable},
where only global-admin has that permission.
*/
create or replace function ${rawSubTable}_insert_permission_missing_tf()
returns trigger
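Review bot: The doc-comment template in generateInsertPermissionTriggerAllowByIndirectRole still carries the placeholder `An indirect role is a role FIXME.`, and because it sits inside the text block it is emitted verbatim into every generated migration (it already shows up in the test_package and test_domain SQL sections of this commit). The sibling template for the direct-role case defines its term, so this one should as well, e.g. `An indirect role is a role of an entity which is not referenced by a foreign key in the NEW row itself, but is reached through another referenced entity.`, with the wording confirmed against what the generated trigger body actually checks, since that body lies outside this hunk. A placeholder in the comment that documents an authorization check also makes the generated migrations harder to audit. The enclosing methods start and end outside the visible hunks.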


@ -1,6 +1,6 @@
### rbac customer
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-21T09:53:18.451453701.
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-22T11:19:38.310302721.
```mermaid
%%{init:{'flowchart':{'htmlLabels':false}}}%%


@ -1,5 +1,5 @@
--liquibase formatted sql
-- This code generated was by RbacViewPostgresGenerator at 2024-03-21T09:53:18.467932975.
-- This code generated was by RbacViewPostgresGenerator at 2024-03-22T11:19:38.329089492.
-- ============================================================================
@ -80,17 +80,7 @@ execute procedure insertTriggerForTestCustomer_tf();
--changeset test-customer-rbac-INSERT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/**
Checks if the user or assumed roles are allowed to insert a row to test_customer.
*/
create or replace function test_customer_insert_permission_missing_tf()
returns trigger
language plpgsql as $$
begin
raise exception '[403] insert into test_customer not allowed for current subjects % (%)',
currentSubjects(), currentSubjectsUuids();
end; $$;
-- FIXME: Where is this case necessary?
create trigger test_customer_insert_permission_check_tg
before insert on test_customer
for each row


@ -1,6 +1,6 @@
### rbac package
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-21T09:53:51.758424330.
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-22T11:19:38.365161640.
```mermaid
%%{init:{'flowchart':{'htmlLabels':false}}}%%


@ -1,5 +1,5 @@
--liquibase formatted sql
-- This code generated was by RbacViewPostgresGenerator at 2024-03-21T09:53:51.767062425.
-- This code generated was by RbacViewPostgresGenerator at 2024-03-22T11:19:38.365610181.
-- ============================================================================
@ -194,7 +194,10 @@ create trigger z_test_package_test_customer_insert_tg
execute procedure test_package_test_customer_insert_tf();
/**
Checks if the user or assumed roles are allowed to insert a row to test_package.
Checks if the user or assumed roles are allowed to insert a row to test_package,
where the check is performed by an indirect role.
An indirect role is a role FIXME.
*/
create or replace function test_package_insert_permission_missing_tf()
returns trigger


@ -1,6 +1,6 @@
### rbac domain
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-21T09:53:31.860490657.
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-22T11:19:38.391784384.
```mermaid
%%{init:{'flowchart':{'htmlLabels':false}}}%%


@ -1,5 +1,5 @@
--liquibase formatted sql
-- This code generated was by RbacViewPostgresGenerator at 2024-03-21T09:53:31.873124905.
-- This code generated was by RbacViewPostgresGenerator at 2024-03-22T11:19:38.392306652.
-- ============================================================================
@ -193,7 +193,10 @@ create trigger z_test_domain_test_package_insert_tg
execute procedure test_domain_test_package_insert_tf();
/**
Checks if the user or assumed roles are allowed to insert a row to test_domain.
Checks if the user or assumed roles are allowed to insert a row to test_domain,
where the check is performed by an indirect role.
An indirect role is a role FIXME.
*/
create or replace function test_domain_insert_permission_missing_tf()
returns trigger