improved RBAC generators #26
src/main
java/net/hostsharing/hsadminng/rbac/rbacdef
resources/db/changelog
@ -23,7 +23,7 @@ public class InsertTriggerGenerator {
|
||||
|
||||
void generateTo(final StringWriter plPgSql) {
|
||||
generateLiquibaseChangesetHeader(plPgSql);
|
||||
generateGrantInsertRoleToExistingCustomers(plPgSql);
|
||||
generateGrantInsertRoleToExistingObjects(plPgSql);
|
||||
generateInsertPermissionGrantTrigger(plPgSql);
|
||||
generateInsertCheckTrigger(plPgSql);
|
||||
plPgSql.writeLn("--//");
|
||||
@ -38,7 +38,7 @@ public class InsertTriggerGenerator {
|
||||
with("liquibaseTagPrefix", liquibaseTagPrefix));
|
||||
}
|
||||
|
||||
private void generateGrantInsertRoleToExistingCustomers(final StringWriter plPgSql) {
|
||||
private void generateGrantInsertRoleToExistingObjects(final StringWriter plPgSql) {
|
||||
getOptionalInsertSuperRole().ifPresent( superRoleDef -> {
|
||||
plPgSql.writeLn("""
|
||||
/*
|
||||
@ -100,13 +100,7 @@ public class InsertTriggerGenerator {
|
||||
|
||||
private void generateInsertCheckTrigger(final StringWriter plPgSql) {
|
||||
getOptionalInsertGrant().ifPresentOrElse(g -> {
|
||||
if (!g.getSuperRoleDef().getEntityAlias().isGlobal()) {
|
||||
if (rbacDef.isRootEntityAlias(g.getSuperRoleDef().getEntityAlias())) {
|
||||
generateInsertPermissionTriggerAllowByDirectRole(plPgSql, g);
|
||||
} else {
|
||||
generateInsertPermissionTriggerAllowByIndirectRole(plPgSql, g);
|
||||
}
|
||||
} else {
|
||||
if (g.getSuperRoleDef().getEntityAlias().isGlobal()) {
|
||||
switch (g.getSuperRoleDef().getRole()) {
|
||||
case ADMIN -> {
|
||||
generateInsertPermissionTriggerAllowOnlyGlobalAdmin(plPgSql);
|
||||
@ -119,6 +113,12 @@ public class InsertTriggerGenerator {
|
||||
"invalid global role for INSERT permission: " + g.getSuperRoleDef().getRole());
|
||||
}
|
||||
}
|
||||
} else {
|
||||
if (rbacDef.isRootEntityAlias(g.getSuperRoleDef().getEntityAlias())) {
|
||||
generateInsertPermissionTriggerAllowByDirectRole(plPgSql, g);
|
||||
} else {
|
||||
generateInsertPermissionTriggerAllowByIndirectRole(plPgSql, g);
|
||||
}
|
||||
}
|
||||
},
|
||||
() -> {
|
||||
@ -139,7 +139,10 @@ public class InsertTriggerGenerator {
|
||||
private void generateInsertPermissionTriggerAllowByDirectRole(final StringWriter plPgSql, final RbacView.RbacGrantDefinition g) {
|
||||
plPgSql.writeLn("""
|
||||
/**
|
||||
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable}.
|
||||
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable},
|
||||
where the check is performed by a direct role.
|
||||
|
||||
A direct role is a role depending on a foreign key directly available in the NEW row.
|
||||
*/
|
||||
create or replace function ${rawSubTable}_insert_permission_missing_tf()
|
||||
returns trigger
|
||||
@ -164,7 +167,10 @@ public class InsertTriggerGenerator {
|
||||
final RbacView.RbacGrantDefinition g) {
|
||||
plPgSql.writeLn("""
|
||||
/**
|
||||
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable}.
|
||||
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable},
|
||||
where the check is performed by an indirect role.
|
||||
|
||||
An indirect role is a role FIXME.
|
||||
*/
|
||||
create or replace function ${rawSubTable}_insert_permission_missing_tf()
|
||||
returns trigger
|
||||
@ -203,7 +209,8 @@ public class InsertTriggerGenerator {
|
||||
private void generateInsertPermissionTriggerAllowOnlyGlobalAdmin(final StringWriter plPgSql) {
|
||||
plPgSql.writeLn("""
|
||||
/**
|
||||
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable}.
|
||||
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable},
|
||||
where only global-admin has that permission.
|
||||
*/
|
||||
create or replace function ${rawSubTable}_insert_permission_missing_tf()
|
||||
returns trigger
|
||||
|
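Review bot: The indirect-role comment template in generateInsertPermissionTriggerAllowByIndirectRole (hunk `@ -164,7 +167,10`) still carries the placeholder sentence `An indirect role is a role FIXME.`, and because that text block is written into the generated changesets the unresolved FIXME also lands in the committed test_package and test_domain SQL further down this page. Either finish the sentence in the same shape as the direct-role one — presumably something like `An indirect role is a role reached through a foreign key of a row referenced by the NEW row -- TODO confirm` — or drop the sentence until the definition is settled, then regenerate the SQL so the checked-in artifacts match the generator. The generateInsertPermissionTriggerAllowByDirectRole and indirect-role methods both start and continue outside their hunks, so the surrounding PL/pgSQL body was not reviewed here.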
@ -1,6 +1,6 @@
|
||||
### rbac customer
|
||||
|
||||
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-21T09:53:18.451453701.
|
||||
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-22T11:19:38.310302721.
|
||||
|
||||
```mermaid
|
||||
%%{init:{'flowchart':{'htmlLabels':false}}}%%
|
||||
|
@ -1,5 +1,5 @@
|
||||
--liquibase formatted sql
|
||||
-- This code generated was by RbacViewPostgresGenerator at 2024-03-21T09:53:18.467932975.
|
||||
-- This code generated was by RbacViewPostgresGenerator at 2024-03-22T11:19:38.329089492.
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
@ -80,17 +80,7 @@ execute procedure insertTriggerForTestCustomer_tf();
|
||||
--changeset test-customer-rbac-INSERT:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/**
|
||||
Checks if the user or assumed roles are allowed to insert a row to test_customer.
|
||||
*/
|
||||
create or replace function test_customer_insert_permission_missing_tf()
|
||||
returns trigger
|
||||
language plpgsql as $$
|
||||
begin
|
||||
raise exception '[403] insert into test_customer not allowed for current subjects % (%)',
|
||||
currentSubjects(), currentSubjectsUuids();
|
||||
end; $$;
|
||||
|
||||
-- FIXME: Where is this case necessary?
|
||||
create trigger test_customer_insert_permission_check_tg
|
||||
before insert on test_customer
|
||||
for each row
|
||||
|
@ -1,6 +1,6 @@
|
||||
### rbac package
|
||||
|
||||
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-21T09:53:51.758424330.
|
||||
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-22T11:19:38.365161640.
|
||||
|
||||
```mermaid
|
||||
%%{init:{'flowchart':{'htmlLabels':false}}}%%
|
||||
|
@ -1,5 +1,5 @@
|
||||
--liquibase formatted sql
|
||||
-- This code generated was by RbacViewPostgresGenerator at 2024-03-21T09:53:51.767062425.
|
||||
-- This code generated was by RbacViewPostgresGenerator at 2024-03-22T11:19:38.365610181.
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
@ -194,7 +194,10 @@ create trigger z_test_package_test_customer_insert_tg
|
||||
execute procedure test_package_test_customer_insert_tf();
|
||||
|
||||
/**
|
||||
Checks if the user or assumed roles are allowed to insert a row to test_package.
|
||||
Checks if the user or assumed roles are allowed to insert a row to test_package,
|
||||
where the check is performed by an indirect role.
|
||||
|
||||
An indirect role is a role FIXME.
|
||||
*/
|
||||
create or replace function test_package_insert_permission_missing_tf()
|
||||
returns trigger
|
||||
|
@ -1,6 +1,6 @@
|
||||
### rbac domain
|
||||
|
||||
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-21T09:53:31.860490657.
|
||||
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-22T11:19:38.391784384.
|
||||
|
||||
```mermaid
|
||||
%%{init:{'flowchart':{'htmlLabels':false}}}%%
|
||||
|
@ -1,5 +1,5 @@
|
||||
--liquibase formatted sql
|
||||
-- This code generated was by RbacViewPostgresGenerator at 2024-03-21T09:53:31.873124905.
|
||||
-- This code generated was by RbacViewPostgresGenerator at 2024-03-22T11:19:38.392306652.
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
@ -193,7 +193,10 @@ create trigger z_test_domain_test_package_insert_tg
|
||||
execute procedure test_domain_test_package_insert_tf();
|
||||
|
||||
/**
|
||||
Checks if the user or assumed roles are allowed to insert a row to test_domain.
|
||||
Checks if the user or assumed roles are allowed to insert a row to test_domain,
|
||||
where the check is performed by an indirect role.
|
||||
|
||||
An indirect role is a role FIXME.
|
||||
*/
|
||||
create or replace function test_domain_insert_permission_missing_tf()
|
||||
returns trigger
|
||||
|