181 lines
5.7 KiB
PL/PgSQL
181 lines
5.7 KiB
PL/PgSQL
--liquibase formatted sql
|
|
-- This code generated was by RbacViewPostgresGenerator, do not amend manually.
|
|
|
|
|
|
-- ============================================================================
|
|
--changeset test-customer-rbac-OBJECT:1 endDelimiter:--//
|
|
-- ----------------------------------------------------------------------------
|
|
call rbac.generateRelatedRbacObject('test_customer');
|
|
--//
|
|
|
|
|
|
-- ============================================================================
|
|
--changeset test-customer-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
|
|
-- ----------------------------------------------------------------------------
|
|
call rbac.generateRbacRoleDescriptors('testCustomer', 'test_customer');
|
|
--//
|
|
|
|
|
|
-- ============================================================================
|
|
--changeset test-customer-rbac-insert-trigger:1 endDelimiter:--//
|
|
-- ----------------------------------------------------------------------------
|
|
|
|
/*
|
|
Creates the roles, grants and permission for the AFTER INSERT TRIGGER.
|
|
*/
|
|
|
|
create or replace procedure buildRbacSystemForTestCustomer(
|
|
NEW test_customer
|
|
)
|
|
language plpgsql as $$
|
|
|
|
declare
|
|
|
|
begin
|
|
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
|
|
|
perform rbac.defineRoleWithGrants(
|
|
testCustomerOWNER(NEW),
|
|
permissions => array['DELETE'],
|
|
incomingSuperRoles => array[rbac.globalADMIN(rbac.unassumed())],
|
|
subjectUuids => array[rbac.currentSubjectUuid()]
|
|
);
|
|
|
|
perform rbac.defineRoleWithGrants(
|
|
testCustomerADMIN(NEW),
|
|
permissions => array['UPDATE'],
|
|
incomingSuperRoles => array[testCustomerOWNER(NEW)]
|
|
);
|
|
|
|
perform rbac.defineRoleWithGrants(
|
|
testCustomerTENANT(NEW),
|
|
permissions => array['SELECT'],
|
|
incomingSuperRoles => array[testCustomerADMIN(NEW)]
|
|
);
|
|
|
|
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
|
|
end; $$;
|
|
|
|
/*
|
|
AFTER INSERT TRIGGER to create the role+grant structure for a new test_customer row.
|
|
*/
|
|
|
|
create or replace function insertTriggerForTestCustomer_tf()
|
|
returns trigger
|
|
language plpgsql
|
|
strict as $$
|
|
begin
|
|
call buildRbacSystemForTestCustomer(NEW);
|
|
return NEW;
|
|
end; $$;
|
|
|
|
create trigger insertTriggerForTestCustomer_tg
|
|
after insert on test_customer
|
|
for each row
|
|
execute procedure insertTriggerForTestCustomer_tf();
|
|
--//
|
|
|
|
|
|
-- ============================================================================
|
|
--changeset test-customer-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
|
-- ----------------------------------------------------------------------------
|
|
|
|
-- granting INSERT permission to rbac.global ----------------------------
|
|
|
|
/*
|
|
Grants INSERT INTO test_customer permissions to specified role of pre-existing rbac.global rows.
|
|
*/
|
|
do language plpgsql $$
|
|
declare
|
|
row rbac.global%ROWTYPE;
|
|
begin
|
|
call base.defineContext('create INSERT INTO test_customer permissions for pre-exising rbac.global rows');
|
|
|
|
FOR row IN SELECT * FROM rbac.global
|
|
-- unconditional for all rows in that table
|
|
LOOP
|
|
call rbac.grantPermissionToRole(
|
|
rbac.createPermission(row.uuid, 'INSERT', 'test_customer'),
|
|
rbac.globalAdmin());
|
|
END LOOP;
|
|
end;
|
|
$$;
|
|
|
|
/**
|
|
Grants test_customer INSERT permission to specified role of new rbac.global rows.
|
|
*/
|
|
create or replace function new_test_customer_grants_insert_to_global_tf()
|
|
returns trigger
|
|
language plpgsql
|
|
strict as $$
|
|
begin
|
|
-- unconditional for all rows in that table
|
|
call rbac.grantPermissionToRole(
|
|
rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'),
|
|
rbac.globalAdmin());
|
|
-- end.
|
|
return NEW;
|
|
end; $$;
|
|
|
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
|
create trigger z_new_test_customer_grants_insert_to_global_tg
|
|
after insert on rbac.global
|
|
for each row
|
|
execute procedure new_test_customer_grants_insert_to_global_tf();
|
|
|
|
|
|
-- ============================================================================
|
|
--changeset test_customer-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
|
|
-- ----------------------------------------------------------------------------
|
|
|
|
/**
|
|
Checks if the user respectively the assumed roles are allowed to insert a row to test_customer.
|
|
*/
|
|
create or replace function test_customer_insert_permission_check_tf()
|
|
returns trigger
|
|
language plpgsql as $$
|
|
declare
|
|
superObjectUuid uuid;
|
|
begin
|
|
-- check INSERT INSERT if rbac.global ADMIN
|
|
if rbac.isGlobalAdmin() then
|
|
return NEW;
|
|
end if;
|
|
|
|
raise exception '[403] insert into test_customer values(%) not allowed for current subjects % (%)',
|
|
NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
|
end; $$;
|
|
|
|
create trigger test_customer_insert_permission_check_tg
|
|
before insert on test_customer
|
|
for each row
|
|
execute procedure test_customer_insert_permission_check_tf();
|
|
--//
|
|
|
|
|
|
-- ============================================================================
|
|
--changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
|
-- ----------------------------------------------------------------------------
|
|
|
|
call rbac.generateRbacIdentityViewFromProjection('test_customer',
|
|
$idName$
|
|
prefix
|
|
$idName$);
|
|
--//
|
|
|
|
|
|
-- ============================================================================
|
|
--changeset test-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
|
-- ----------------------------------------------------------------------------
|
|
call rbac.generateRbacRestrictedView('test_customer',
|
|
$orderBy$
|
|
reference
|
|
$orderBy$,
|
|
$updates$
|
|
reference = new.reference,
|
|
prefix = new.prefix,
|
|
adminUserName = new.adminUserName
|
|
$updates$);
|
|
--//
|
|
|