hs.hsadmin.ng/sql/24-hs-domain.sql
2022-08-24 11:48:31 +02:00

152 lines
4.9 KiB
PL/PgSQL

-- ========================================================
-- Domain example with RBAC
-- --------------------------------------------------------
set session session authorization default;
create table if not exists Domain
(
uuid uuid unique references RbacObject (uuid),
name character varying(32),
unixUserUuid uuid references unixuser (uuid)
);
drop trigger if exists createRbacObjectForDomain_Trigger on Domain;
create trigger createRbacObjectForDomain_Trigger
before insert
on Domain
for each row
execute procedure createRbacObject();
create or replace function domainOwner(dom Domain)
returns RbacRoleDescriptor
returns null on null input
language plpgsql as $$
begin
return roleDescriptor('domain', dom.uuid, 'owner');
end; $$;
create or replace function domainAdmin(dom Domain)
returns RbacRoleDescriptor
returns null on null input
language plpgsql as $$
begin
return roleDescriptor('domain', dom.uuid, 'admin');
end; $$;
create or replace function domainTenant(dom Domain)
returns RbacRoleDescriptor
returns null on null input
language plpgsql as $$
begin
return roleDescriptor('domain', dom.uuid, 'tenant');
end; $$;
create or replace function createRbacRulesForDomain()
returns trigger
language plpgsql
strict as $$
declare
parentUser UnixUser;
parentPackage package;
domainOwnerRoleUuid uuid;
domainAdminRoleUuid uuid;
begin
if TG_OP <> 'INSERT' then
raise exception 'invalid usage of TRIGGER AFTER INSERT';
end if;
select * from UnixUser where uuid = NEW.unixUserUuid into parentUser;
select * from Package where uuid = parentUser.packageuuid into parentPackage;
-- a domain owner role is created and assigned to the unixuser's admin role
domainOwnerRoleUuid = createRole(
domainOwner(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
beneathRole(packageAdmin(parentPackage))
);
-- a domain admin role is created and assigned to the domain's owner role
domainAdminRoleUuid = createRole(
domainAdmin(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit', 'add-emailaddress']),
beneathRole(domainOwnerRoleUuid)
);
-- and a domain tenant role is created and assigned to the domain's admiin role
perform createRole(
domainTenant(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
beneathRole(domainAdminRoleUuid),
beingItselfA(createUnixUserTenantRoleIfNotExists(parentUser))
);
return NEW;
end; $$;
drop trigger if exists createRbacRulesForDomain_Trigger on Domain;
create trigger createRbacRulesForDomain_Trigger
after insert
on Domain
for each row
execute procedure createRbacRulesForDomain();
-- TODO: CREATE OR REPLACE FUNCTION deleteRbacRulesForDomain()
-- create RBAC-restricted view
set session session authorization default;
-- ALTER TABLE Domain ENABLE ROW LEVEL SECURITY;
drop view if exists domain_rv;
create or replace view domain_rv as
select target.*
from Domain as target
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'domain', currentSubjectIds()));
grant all privileges on domain_rv to restricted;
-- generate Domain test data
do language plpgsql $$
declare
uu record;
pac package;
pacAdmin varchar;
currentTask varchar;
begin
set hsadminng.currentUser to '';
for uu in (select u.uuid, u.name, u.packageuuid, c.reference
from unixuser u
join package p on u.packageuuid = p.uuid
join customer c on p.customeruuid = c.uuid
-- WHERE c.reference >= 18000
)
loop
if (random() < 0.3) then
for t in 0..1
loop
currentTask = 'creating RBAC test Domain #' || t || ' for UnixUser ' || uu.name || ' #' || uu.uuid;
raise notice 'task: %', currentTask;
select * from package where uuid = uu.packageUuid into pac;
pacAdmin = 'admin@' || pac.name || '.example.com';
execute format('set local hsadminng.currentTask to %L', currentTask);
execute format('set local hsadminng.currentUser to %L', pacAdmin);
set local hsadminng.assumedRoles = '';
insert
into Domain (name, unixUserUuid)
values ('dom-' || t || '.' || uu.name || '.example.org', uu.uuid);
commit;
end loop;
end if;
end loop;
end;
$$;