hs.hsadmin.ng/sql/24-hs-domain.sql

99 lines
3.3 KiB
PL/PgSQL

-- ========================================================
-- Domain example with RBAC
-- --------------------------------------------------------
SET SESSION SESSION AUTHORIZATION DEFAULT ;
CREATE TABLE IF NOT EXISTS Domain (
uuid uuid UNIQUE REFERENCES RbacObject(uuid),
name character varying(32),
unixUserUuid uuid REFERENCES unixuser(uuid)
);
DROP TRIGGER IF EXISTS createRbacObjectForDomain_Trigger ON Domain;
CREATE TRIGGER createRbacObjectForDomain_Trigger
BEFORE INSERT ON Domain
FOR EACH ROW EXECUTE PROCEDURE createRbacObject();
CREATE OR REPLACE FUNCTION createRbacRulesForDomain()
RETURNS trigger
LANGUAGE plpgsql STRICT AS $$
DECLARE
parentUser unixuser;
domainOwnerRoleId uuid;
BEGIN
IF TG_OP <> 'INSERT' THEN
RAISE EXCEPTION 'invalid usage of TRIGGER AFTER INSERT';
END IF;
SELECT * FROM unixuser WHERE uuid=NEW.unixUserUuid into parentUser;
-- an owner role is created and assigned to the unix user admin
RAISE NOTICE 'creating domain owner role: %', 'domain#'||NEW.name||'.owner';
domainOwnerRoleId = getRoleId('domain#'||NEW.name||'.owner', 'create');
call grantRoleToRole(domainOwnerRoleId, getRoleId('unixuser#'||parentUser.name||'.admin', 'fail'));
-- ... and permissions for all ops are assigned
call grantPermissionsToRole(domainOwnerRoleId,
createPermissions(forObjectUuid => NEW.uuid, permitOps => ARRAY['*']));
RETURN NEW;
END; $$;
DROP TRIGGER IF EXISTS createRbacRulesForDomain_Trigger ON Domain;
CREATE TRIGGER createRbacRulesForDomain_Trigger
AFTER INSERT ON Domain
FOR EACH ROW EXECUTE PROCEDURE createRbacRulesForDomain();
-- TODO: CREATE OR REPLACE FUNCTION deleteRbacRulesForDomain()
-- create RBAC restricted view
SET SESSION SESSION AUTHORIZATION DEFAULT;
ALTER TABLE Domain ENABLE ROW LEVEL SECURITY;
DROP VIEW IF EXISTS domain_rv;
CREATE OR REPLACE VIEW domain_rv AS
SELECT DISTINCT target.*
FROM Domain AS target
JOIN queryAccessibleObjectUuidsOfSubjectIds( 'view', 'domain', currentSubjectIds()) AS allowedObjId
ON target.uuid = allowedObjId;
GRANT ALL PRIVILEGES ON domain_rv TO restricted;
-- generate Domain test data
DO LANGUAGE plpgsql $$
DECLARE
uu unixuser;
pac package;
pacAdmin varchar;
currentTask varchar;
BEGIN
SET hsadminng.currentUser TO '';
FOR uu IN (SELECT * FROM unixuser) LOOP
IF ( random() < 0.3 ) THEN
FOR t IN 0..2 LOOP
currentTask = 'creating RBAC test Domain #' || t || ' for UnixUser ' || uu.name|| ' #' || uu.uuid;
RAISE NOTICE 'task: %', currentTask;
SELECT * FROM package WHERE uuid=uu.packageUuid INTO pac;
pacAdmin = 'admin@' || pac.name || '.example.com';
SET LOCAL hsadminng.currentUser TO pacAdmin;
SET LOCAL hsadminng.assumedRoles = '';
SET LOCAL hsadminng.currentTask TO currentTask;
INSERT INTO Domain (name, unixUserUuid)
VALUES ('dom-' || t || '.' || pac.name || '.example.org' , uu.uuid);
COMMIT;
END LOOP;
END IF;
END LOOP;
END;
$$;