152 lines
4.9 KiB
PL/PgSQL
152 lines
4.9 KiB
PL/PgSQL
-- ========================================================
|
|
-- Domain example with RBAC
|
|
-- --------------------------------------------------------
|
|
|
|
set session session authorization default;
|
|
|
|
create table if not exists Domain
|
|
(
|
|
uuid uuid unique references RbacObject (uuid),
|
|
name character varying(32),
|
|
domainUuid uuid references domain (uuid)
|
|
);
|
|
|
|
drop trigger if exists createRbacObjectForDomain_Trigger on Domain;
|
|
create trigger createRbacObjectForDomain_Trigger
|
|
before insert
|
|
on Domain
|
|
for each row
|
|
execute procedure createRbacObject();
|
|
|
|
create or replace function domainOwner(dom Domain)
|
|
returns RbacRoleDescriptor
|
|
returns null on null input
|
|
language plpgsql as $$
|
|
begin
|
|
return roleDescriptor('domain', dom.uuid, 'owner');
|
|
end; $$;
|
|
|
|
create or replace function domainAdmin(dom Domain)
|
|
returns RbacRoleDescriptor
|
|
returns null on null input
|
|
language plpgsql as $$
|
|
begin
|
|
return roleDescriptor('domain', dom.uuid, 'admin');
|
|
end; $$;
|
|
|
|
create or replace function domainTenant(dom Domain)
|
|
returns RbacRoleDescriptor
|
|
returns null on null input
|
|
language plpgsql as $$
|
|
begin
|
|
return roleDescriptor('domain', dom.uuid, 'tenant');
|
|
end; $$;
|
|
|
|
|
|
create or replace function createRbacRulesForDomain()
|
|
returns trigger
|
|
language plpgsql
|
|
strict as $$
|
|
declare
|
|
parentUser domain;
|
|
parentPackage package;
|
|
domainOwnerRoleUuid uuid;
|
|
domainAdminRoleUuid uuid;
|
|
begin
|
|
if TG_OP <> 'INSERT' then
|
|
raise exception 'invalid usage of TRIGGER AFTER INSERT';
|
|
end if;
|
|
|
|
select * from domain where uuid = NEW.domainUuid into parentUser;
|
|
select * from Package where uuid = parentUser.packageuuid into parentPackage;
|
|
|
|
-- a domain owner role is created and assigned to the domain's admin role
|
|
domainOwnerRoleUuid = createRole(
|
|
domainOwner(NEW),
|
|
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
|
beneathRole(testPackageAdmin(parentPackage))
|
|
);
|
|
|
|
-- a domain admin role is created and assigned to the domain's owner role
|
|
domainAdminRoleUuid = createRole(
|
|
domainAdmin(NEW),
|
|
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit', 'add-emailaddress']),
|
|
beneathRole(domainOwnerRoleUuid)
|
|
);
|
|
|
|
-- and a domain tenant role is created and assigned to the domain's admiin role
|
|
perform createRole(
|
|
domainTenant(NEW),
|
|
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
|
beneathRole(domainAdminRoleUuid),
|
|
beingItselfA(createdomainTenantRoleIfNotExists(parentUser))
|
|
);
|
|
|
|
return NEW;
|
|
end; $$;
|
|
|
|
drop trigger if exists createRbacRulesForDomain_Trigger on Domain;
|
|
create trigger createRbacRulesForDomain_Trigger
|
|
after insert
|
|
on Domain
|
|
for each row
|
|
execute procedure createRbacRulesForDomain();
|
|
|
|
-- TODO: CREATE OR REPLACE FUNCTION deleteRbacRulesForDomain()
|
|
|
|
|
|
-- create RBAC-restricted view
|
|
set session session authorization default;
|
|
-- ALTER TABLE Domain ENABLE ROW LEVEL SECURITY;
|
|
drop view if exists domain_rv;
|
|
create or replace view domain_rv as
|
|
select target.*
|
|
from Domain as target
|
|
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'domain', currentSubjectsUuids()));
|
|
grant all privileges on domain_rv to restricted;
|
|
|
|
|
|
-- generate Domain test data
|
|
|
|
do language plpgsql $$
|
|
declare
|
|
uu record;
|
|
pac package;
|
|
pacAdmin varchar;
|
|
currentTask varchar;
|
|
begin
|
|
set hsadminng.currentUser to '';
|
|
|
|
for uu in (select u.uuid, u.name, u.packageuuid, c.reference
|
|
from domain u
|
|
join package p on u.packageuuid = p.uuid
|
|
join customer c on p.customeruuid = c.uuid
|
|
-- WHERE c.reference >= 18000
|
|
)
|
|
loop
|
|
if (random() < 0.3) then
|
|
for t in 0..1
|
|
loop
|
|
currentTask = 'creating RBAC test Domain #' || t || ' for domain ' || uu.name || ' #' || uu.uuid;
|
|
raise notice 'task: %', currentTask;
|
|
|
|
select * from package where uuid = uu.packageUuid into pac;
|
|
pacAdmin = 'admin@' || pac.name || '.example.com';
|
|
execute format('set local hsadminng.currentTask to %L', currentTask);
|
|
execute format('set local hsadminng.currentUser to %L', pacAdmin);
|
|
set local hsadminng.assumedRoles = '';
|
|
|
|
insert
|
|
into Domain (name, domainUuid)
|
|
values ('dom-' || t || '.' || uu.name || '.example.org', uu.uuid);
|
|
|
|
commit;
|
|
end loop;
|
|
end if;
|
|
end loop;
|
|
|
|
end;
|
|
$$;
|
|
|
|
|