-- ======================================================== -- EMailAddress example with RBAC -- -------------------------------------------------------- set session session authorization default; create table if not exists EMailAddress ( uuid uuid unique references RbacObject (uuid), localPart character varying(64), domainUuid uuid references domain (uuid) ); drop trigger if exists createRbacObjectForEMailAddress_Trigger on EMailAddress; create trigger createRbacObjectForEMailAddress_Trigger before insert on EMailAddress for each row execute procedure createRbacObject(); create or replace function emailAddressOwner(emAddr EMailAddress) returns RbacRoleDescriptor returns null on null input language plpgsql as $$ begin return roleDescriptor('emailaddress', emAddr.uuid, 'owner'); end; $$; create or replace function emailAddressAdmin(emAddr EMailAddress) returns RbacRoleDescriptor returns null on null input language plpgsql as $$ begin return roleDescriptor('emailaddress', emAddr.uuid, 'admin'); end; $$; create or replace function createRbacRulesForEMailAddress() returns trigger language plpgsql strict as $$ declare parentDomain Domain; eMailAddressOwnerRoleUuid uuid; begin if TG_OP <> 'INSERT' then raise exception 'invalid usage of TRIGGER AFTER INSERT'; end if; select d.* from domain d left join domain u on u.uuid = d.domainuuid where d.uuid = NEW.domainUuid into parentDomain; -- an owner role is created and assigned to the domains's admin group eMailAddressOwnerRoleUuid = createRole( emailAddressOwner(NEW), grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']), beneathRole(domainAdmin(parentDomain)) ); -- and an admin role is created and assigned to the domain owner as well perform createRole( emailAddressAdmin(NEW), grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']), beneathRole(eMailAddressOwnerRoleUuid), beingItselfA(domainTenant(parentDomain)) ); return NEW; end; $$; drop trigger if exists createRbacRulesForEMailAddress_Trigger on EMailAddress; create trigger createRbacRulesForEMailAddress_Trigger after insert on EMailAddress for each row execute procedure createRbacRulesForEMailAddress(); -- TODO: CREATE OR REPLACE FUNCTION deleteRbacRulesForEMailAddress() -- create RBAC-restricted view set session session authorization default; -- ALTER TABLE EMailAddress ENABLE ROW LEVEL SECURITY; drop view if exists EMailAddress_rv; create or replace view EMailAddress_rv as select target.* from EMailAddress as target where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'emailaddress', currentSubjectsUuids())); grant all privileges on EMailAddress_rv to restricted; -- generate EMailAddress test data do language plpgsql $$ declare dom record; pacAdmin varchar; currentTask varchar; begin set hsadminng.currentUser to ''; for dom in (select d.uuid, d.name, p.name as packageName from domain d join domain u on u.uuid = d.domainuuid join package p on u.packageuuid = p.uuid join customer c on p.customeruuid = c.uuid -- WHERE c.reference >= 18000 ) loop for t in 0..4 loop currentTask = 'creating RBAC test EMailAddress #' || t || ' for Domain ' || dom.name; raise notice 'task: %', currentTask; pacAdmin = 'admin@' || dom.packageName || '.example.com'; execute format('set local hsadminng.currentTask to %L', currentTask); execute format('set local hsadminng.currentUser to %L', pacAdmin); set local hsadminng.assumedRoles = ''; insert into EMailAddress (localPart, domainUuid) values ('local' || t, dom.uuid); commit; end loop; end loop; end; $$;