allow-multiple-insert-permission-grants #49
@ -164,6 +164,19 @@ public class InsertTriggerGenerator {
|
|||||||
}
|
}
|
||||||
|
|
||||||
private void generateInsertPermissionChecks(final StringWriter plPgSql) {
|
private void generateInsertPermissionChecks(final StringWriter plPgSql) {
|
||||||
|
generateInsertPermissionsCheckHeader(plPgSql);
|
||||||
|
|
||||||
|
plPgSql.indented(1, () -> {
|
||||||
|
getInsertGrants().forEach(g -> {
|
||||||
|
generateInsertPermissionChecksForSingleGrant(plPgSql, g);
|
||||||
|
});
|
||||||
|
plPgSql.chopTail(" or\n");
|
||||||
|
});
|
||||||
|
|
||||||
|
generateInsertPermissionsChecksFooter(plPgSql);
|
||||||
|
}
|
||||||
|
|
||||||
|
private void generateInsertPermissionsCheckHeader(final StringWriter plPgSql) {
|
||||||
plPgSql.writeLn("""
|
plPgSql.writeLn("""
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset ${rawSubTable}-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
|
--changeset ${rawSubTable}-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
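Review bot: The `plPgSql.chopTail(" or\n");` after the grant loop in `generateInsertPermissionChecks` looks like dead code carried over from the old body: every block that `generateInsertPermissionChecksForSingleGrant` writes (next hunk) ends with `end if;`, not ` or\n`, so nothing is ever chopped and the line misleadingly suggests the grants are joined into one boolean expression. What the generated trigger actually does is a disjunction by early return — each grant becomes its own `if … then return NEW; end if;` and the footer's `raise exception '[403] …'` is only reached when none matched — which keeps the fail-closed default, but it also means a single global GUEST grant (emitted as `if ${caseCondition}true then`) makes the check pass for its cases regardless of the other grants. I would drop the `chopTail` line and state that contract on the method: `// Emits one "if <grant matches> then return NEW; end if;" per insert grant (OR semantics); the footer raises 403 when none matched.` In the indirect-foreign-key branch the `with("columns", …)` and `with("ref", NEW.name())` substitutions are not referenced by the template text itself; presumably they are placeholders inside `fetchSql().sql`, which is worth confirming, otherwise they are dead as well.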
@ -179,68 +192,67 @@ public class InsertTriggerGenerator {
|
|||||||
superObjectUuid uuid;
|
superObjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
""",
|
""",
|
||||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
||||||
plPgSql.chopEmptyLines();
|
plPgSql.chopEmptyLines();
|
||||||
|
}
|
||||||
|
|
||||||
plPgSql.indented(1, () -> {
|
private void generateInsertPermissionChecksForSingleGrant(final StringWriter plPgSql, final RbacView.RbacGrantDefinition g) {
|
||||||
getInsertGrants().forEach(g -> {
|
final RbacView.EntityAlias superRoleEntityAlias = g.getSuperRoleDef().getEntityAlias();
|
||||||
final RbacView.EntityAlias superRoleEntityAlias = g.getSuperRoleDef().getEntityAlias();
|
|
||||||
|
|
||||||
final var caseCondition = g.isConditional()
|
final var caseCondition = g.isConditional()
|
||||||
? ("NEW.type in (" + toStringList(g.getForCases()) + ") and ")
|
? ("NEW.type in (" + toStringList(g.getForCases()) + ") and ")
|
||||||
: "";
|
: "";
|
||||||
|
|
||||||
if (g.getSuperRoleDef().isGlobal(GUEST)) {
|
if (g.getSuperRoleDef().isGlobal(GUEST)) {
|
||||||
plPgSql.writeLn(
|
plPgSql.writeLn(
|
||||||
"""
|
"""
|
||||||
-- check INSERT INSERT permission for global anyone
|
-- check INSERT INSERT permission for global anyone
|
||||||
if ${caseCondition}true then
|
if ${caseCondition}true then
|
||||||
return NEW;
|
return NEW;
|
||||||
end if;
|
end if;
|
||||||
""",
|
""",
|
||||||
with("caseCondition", caseCondition));
|
with("caseCondition", caseCondition));
|
||||||
} else if (g.getSuperRoleDef().isGlobal(ADMIN)) {
|
} else if (g.getSuperRoleDef().isGlobal(ADMIN)) {
|
||||||
plPgSql.writeLn(
|
plPgSql.writeLn(
|
||||||
"""
|
"""
|
||||||
-- check INSERT INSERT if global ADMIN
|
-- check INSERT INSERT if global ADMIN
|
||||||
if ${caseCondition}isGlobalAdmin() then
|
if ${caseCondition}isGlobalAdmin() then
|
||||||
return NEW;
|
return NEW;
|
||||||
end if;
|
end if;
|
||||||
""",
|
""",
|
||||||
with("caseCondition", caseCondition));
|
with("caseCondition", caseCondition));
|
||||||
} else if (g.getSuperRoleDef().getEntityAlias().isFetchedByDirectForeignKey()) {
|
} else if (g.getSuperRoleDef().getEntityAlias().isFetchedByDirectForeignKey()) {
|
||||||
plPgSql.writeLn(
|
plPgSql.writeLn(
|
||||||
"""
|
"""
|
||||||
-- check INSERT permission via direct foreign key: NEW.${refColumn}
|
-- check INSERT permission via direct foreign key: NEW.${refColumn}
|
||||||
if ${caseCondition}hasInsertPermission(NEW.${refColumn}, '${rawSubTable}') then
|
if ${caseCondition}hasInsertPermission(NEW.${refColumn}, '${rawSubTable}') then
|
||||||
return NEW;
|
return NEW;
|
||||||
end if;
|
end if;
|
||||||
""",
|
""",
|
||||||
with("caseCondition", caseCondition),
|
with("caseCondition", caseCondition),
|
||||||
with("refColumn", superRoleEntityAlias.dependsOnColumName()),
|
with("refColumn", superRoleEntityAlias.dependsOnColumName()),
|
||||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()));
|
||||||
} else {
|
} else {
|
||||||
plPgSql.writeLn(
|
plPgSql.writeLn(
|
||||||
"""
|
"""
|
||||||
-- check INSERT permission via indirect foreign key: NEW.${refColumn}
|
-- check INSERT permission via indirect foreign key: NEW.${refColumn}
|
||||||
superObjectUuid := (${fetchSql});
|
superObjectUuid := (${fetchSql});
|
||||||
assert superObjectUuid is not null, 'object uuid fetched depending on ${rawSubTable}.${refColumn} must not be null, also check fetchSql in RBAC DSL';
|
assert superObjectUuid is not null, 'object uuid fetched depending on ${rawSubTable}.${refColumn} must not be null, also check fetchSql in RBAC DSL';
|
||||||
if ${caseCondition}hasInsertPermission(superObjectUuid, '${rawSubTable}') then
|
if ${caseCondition}hasInsertPermission(superObjectUuid, '${rawSubTable}') then
|
||||||
return NEW;
|
return NEW;
|
||||||
end if;
|
end if;
|
||||||
""",
|
""",
|
||||||
with("caseCondition", caseCondition),
|
with("caseCondition", caseCondition),
|
||||||
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()),
|
with("rawSubTable", rbacDef.getRootEntityAlias().getRawTableName()),
|
||||||
with("refColumn", superRoleEntityAlias.dependsOnColumName()),
|
with("refColumn", superRoleEntityAlias.dependsOnColumName()),
|
||||||
with("fetchSql", g.getSuperRoleDef().getEntityAlias().fetchSql().sql),
|
with("fetchSql", g.getSuperRoleDef().getEntityAlias().fetchSql().sql),
|
||||||
with("columns", g.getSuperRoleDef().getEntityAlias().aliasName() + ".uuid"),
|
with("columns", g.getSuperRoleDef().getEntityAlias().aliasName() + ".uuid"),
|
||||||
with("ref", NEW.name()));
|
with("ref", NEW.name()));
|
||||||
}
|
}
|
||||||
});
|
}
|
||||||
plPgSql.chopTail(" or\n");
|
|
||||||
});
|
private void generateInsertPermissionsChecksFooter(final StringWriter plPgSql) {
|
||||||
plPgSql.writeLn();
|
plPgSql.writeLn();
|
||||||
|
|
||||||
plPgSql.writeLn("""
|
plPgSql.writeLn("""
|
||||||
raise exception '[403] insert into ${rawSubTable} not allowed for current subjects % (%)',
|
raise exception '[403] insert into ${rawSubTable} not allowed for current subjects % (%)',
|
||||||
currentSubjects(), currentSubjectsUuids();
|
currentSubjects(), currentSubjectsUuids();
|
||||||
|