132 lines
4.3 KiB
PL/PgSQL
132 lines
4.3 KiB
PL/PgSQL
-- ========================================================
|
|
-- EMailAddress example with RBAC
|
|
-- --------------------------------------------------------
|
|
|
|
set session session authorization default;
|
|
|
|
create table if not exists EMailAddress
|
|
(
|
|
uuid uuid unique references RbacObject (uuid),
|
|
localPart character varying(64),
|
|
domainUuid uuid references domain (uuid)
|
|
);
|
|
|
|
drop trigger if exists createRbacObjectForEMailAddress_Trigger on EMailAddress;
|
|
create trigger createRbacObjectForEMailAddress_Trigger
|
|
before insert
|
|
on EMailAddress
|
|
for each row
|
|
execute procedure createRbacObject();
|
|
|
|
create or replace function emailAddressOwner(emAddr EMailAddress)
|
|
returns RbacRoleDescriptor
|
|
returns null on null input
|
|
language plpgsql as $$
|
|
begin
|
|
return roleDescriptor('emailaddress', emAddr.uuid, 'owner');
|
|
end; $$;
|
|
|
|
create or replace function emailAddressAdmin(emAddr EMailAddress)
|
|
returns RbacRoleDescriptor
|
|
returns null on null input
|
|
language plpgsql as $$
|
|
begin
|
|
return roleDescriptor('emailaddress', emAddr.uuid, 'admin');
|
|
end; $$;
|
|
|
|
create or replace function createRbacRulesForEMailAddress()
|
|
returns trigger
|
|
language plpgsql
|
|
strict as $$
|
|
declare
|
|
parentDomain Domain;
|
|
eMailAddressOwnerRoleUuid uuid;
|
|
begin
|
|
if TG_OP <> 'INSERT' then
|
|
raise exception 'invalid usage of TRIGGER AFTER INSERT';
|
|
end if;
|
|
|
|
select d.*
|
|
from domain d
|
|
left join unixuser u on u.uuid = d.unixuseruuid
|
|
where d.uuid = NEW.domainUuid
|
|
into parentDomain;
|
|
|
|
-- an owner role is created and assigned to the domains's admin group
|
|
eMailAddressOwnerRoleUuid = createRole(
|
|
emailAddressOwner(NEW),
|
|
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
|
beneathRole(domainAdmin(parentDomain))
|
|
);
|
|
|
|
-- and an admin role is created and assigned to the unixuser owner as well
|
|
perform createRole(
|
|
emailAddressAdmin(NEW),
|
|
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']),
|
|
beneathRole(eMailAddressOwnerRoleUuid),
|
|
beingItselfA(domainTenant(parentDomain))
|
|
);
|
|
|
|
return NEW;
|
|
end; $$;
|
|
|
|
drop trigger if exists createRbacRulesForEMailAddress_Trigger on EMailAddress;
|
|
create trigger createRbacRulesForEMailAddress_Trigger
|
|
after insert
|
|
on EMailAddress
|
|
for each row
|
|
execute procedure createRbacRulesForEMailAddress();
|
|
|
|
-- TODO: CREATE OR REPLACE FUNCTION deleteRbacRulesForEMailAddress()
|
|
|
|
|
|
-- create RBAC-restricted view
|
|
set session session authorization default;
|
|
-- ALTER TABLE EMailAddress ENABLE ROW LEVEL SECURITY;
|
|
drop view if exists EMailAddress_rv;
|
|
create or replace view EMailAddress_rv as
|
|
select target.*
|
|
from EMailAddress as target
|
|
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'emailaddress', currentSubjectIds()));
|
|
grant all privileges on EMailAddress_rv to restricted;
|
|
|
|
-- generate EMailAddress test data
|
|
|
|
do language plpgsql $$
|
|
declare
|
|
dom record;
|
|
pacAdmin varchar;
|
|
currentTask varchar;
|
|
begin
|
|
set hsadminng.currentUser to '';
|
|
|
|
for dom in (select d.uuid, d.name, p.name as packageName
|
|
from domain d
|
|
join unixuser u on u.uuid = d.unixuseruuid
|
|
join package p on u.packageuuid = p.uuid
|
|
join customer c on p.customeruuid = c.uuid
|
|
-- WHERE c.reference >= 18000
|
|
)
|
|
loop
|
|
for t in 0..4
|
|
loop
|
|
currentTask = 'creating RBAC test EMailAddress #' || t || ' for Domain ' || dom.name;
|
|
raise notice 'task: %', currentTask;
|
|
|
|
pacAdmin = 'admin@' || dom.packageName || '.example.com';
|
|
execute format('set local hsadminng.currentTask to %L', currentTask);
|
|
execute format('set local hsadminng.currentUser to %L', pacAdmin);
|
|
set local hsadminng.assumedRoles = '';
|
|
|
|
insert
|
|
into EMailAddress (localPart, domainUuid)
|
|
values ('local' || t, dom.uuid);
|
|
|
|
commit;
|
|
end loop;
|
|
end loop;
|
|
end;
|
|
$$;
|
|
|
|
|