allow-multiple-insert-permission-grants #49

Merged
hsh-michaelhoennig merged 15 commits from allow-multiple-insert-permission-grants into master 2024-04-29 11:43:49 +02:00


@ -164,6 +164,19 @@ public class InsertTriggerGenerator {
} }
private void generateInsertPermissionChecks(final StringWriter plPgSql) { private void generateInsertPermissionChecks(final StringWriter plPgSql) {
generateInsertPermissionsCheckHeader(plPgSql);
plPgSql.indented(1, () -> {
getInsertGrants().forEach(g -> {
generateInsertPermissionChecksForSingleGrant(plPgSql, g);
});
plPgSql.chopTail(" or\n");
});
generateInsertPermissionsChecksFooter(plPgSql);
}
private void generateInsertPermissionsCheckHeader(final StringWriter plPgSql) {
plPgSql.writeLn(""" plPgSql.writeLn("""
-- ============================================================================ -- ============================================================================
--changeset ${rawSubTable}-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--// --changeset ${rawSubTable}-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
@ -179,68 +192,67 @@ public class InsertTriggerGenerator {
superObjectUuid uuid; superObjectUuid uuid;
begin begin
""", """,
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName())); with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
plPgSql.chopEmptyLines(); plPgSql.chopEmptyLines();
}
plPgSql.indented(1, () -> { private void generateInsertPermissionChecksForSingleGrant(final StringWriter plPgSql, final RbacView.RbacGrantDefinition g) {
getInsertGrants().forEach(g -> { final RbacView.EntityAlias superRoleEntityAlias = g.getSuperRoleDef().getEntityAlias();
final RbacView.EntityAlias superRoleEntityAlias = g.getSuperRoleDef().getEntityAlias();
final var caseCondition = g.isConditional() final var caseCondition = g.isConditional()
? ("NEW.type in (" + toStringList(g.getForCases()) + ") and ") ? ("NEW.type in (" + toStringList(g.getForCases()) + ") and ")
: ""; : "";
if (g.getSuperRoleDef().isGlobal(GUEST)) { if (g.getSuperRoleDef().isGlobal(GUEST)) {
plPgSql.writeLn( plPgSql.writeLn(
""" """
-- check INSERT INSERT permission for global anyone -- check INSERT INSERT permission for global anyone
if ${caseCondition}true then if ${caseCondition}true then
return NEW; return NEW;
end if; end if;
""", """,
with("caseCondition", caseCondition)); with("caseCondition", caseCondition));
} else if (g.getSuperRoleDef().isGlobal(ADMIN)) { } else if (g.getSuperRoleDef().isGlobal(ADMIN)) {
plPgSql.writeLn( plPgSql.writeLn(
""" """
-- check INSERT INSERT if global ADMIN -- check INSERT INSERT if global ADMIN
if ${caseCondition}isGlobalAdmin() then if ${caseCondition}isGlobalAdmin() then
return NEW; return NEW;
end if; end if;
""", """,
with("caseCondition", caseCondition)); with("caseCondition", caseCondition));
} else if (g.getSuperRoleDef().getEntityAlias().isFetchedByDirectForeignKey()) { } else if (g.getSuperRoleDef().getEntityAlias().isFetchedByDirectForeignKey()) {
plPgSql.writeLn( plPgSql.writeLn(
""" """
-- check INSERT permission via direct foreign key: NEW.${refColumn} -- check INSERT permission via direct foreign key: NEW.${refColumn}
if ${caseCondition}hasInsertPermission(NEW.${refColumn}, '${rawSubTable}') then if ${caseCondition}hasInsertPermission(NEW.${refColumn}, '${rawSubTable}') then
return NEW; return NEW;
end if; end if;
""", """,
with("caseCondition", caseCondition), with("caseCondition", caseCondition),
with("refColumn", superRoleEntityAlias.dependsOnColumName()), with("refColumn", superRoleEntityAlias.dependsOnColumName()),
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName())); with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
} else { } else {
plPgSql.writeLn( plPgSql.writeLn(
""" """
-- check INSERT permission via indirect foreign key: NEW.${refColumn} -- check INSERT permission via indirect foreign key: NEW.${refColumn}
superObjectUuid := (${fetchSql}); superObjectUuid := (${fetchSql});
assert superObjectUuid is not null, 'object uuid fetched depending on ${rawSubTable}.${refColumn} must not be null, also check fetchSql in RBAC DSL'; assert superObjectUuid is not null, 'object uuid fetched depending on ${rawSubTable}.${refColumn} must not be null, also check fetchSql in RBAC DSL';
if ${caseCondition}hasInsertPermission(superObjectUuid, '${rawSubTable}') then if ${caseCondition}hasInsertPermission(superObjectUuid, '${rawSubTable}') then
return NEW; return NEW;
end if; end if;
""", """,
with("caseCondition", caseCondition), with("caseCondition", caseCondition),
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()), with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()),
with("refColumn", superRoleEntityAlias.dependsOnColumName()), with("refColumn", superRoleEntityAlias.dependsOnColumName()),
with("fetchSql", g.getSuperRoleDef().getEntityAlias().fetchSql().sql), with("fetchSql", g.getSuperRoleDef().getEntityAlias().fetchSql().sql),
with("columns", g.getSuperRoleDef().getEntityAlias().aliasName() + ".uuid"), with("columns", g.getSuperRoleDef().getEntityAlias().aliasName() + ".uuid"),
with("ref", NEW.name())); with("ref", NEW.name()));
} }
}); }
plPgSql.chopTail(" or\n");
}); private void generateInsertPermissionsChecksFooter(final StringWriter plPgSql) {
plPgSql.writeLn(); plPgSql.writeLn();
plPgSql.writeLn(""" plPgSql.writeLn("""
raise exception '[403] insert into ${rawSubTable} not allowed for current subjects % (%)', raise exception '[403] insert into ${rawSubTable} not allowed for current subjects % (%)',
currentSubjects(), currentSubjectsUuids(); currentSubjects(), currentSubjectsUuids();