hostsharing/hs.hsadmin.ng
1
0
Fork 0
Code Activity

add-customer and introducing JpaAttempt test helper

Browse Source
This commit is contained in:
Michael Hoennig
2022-08-02 11:51:36 +02:00
parent f58a68d1cc
commit 03ee2cfd62
10 changed files with 363 additions and 145 deletions
Download Patch File Download Diff File Expand all files Collapse all files

93
src/main/resources/db/changelog/2022-07-28-005-rbac-base.sql
View File

@ -1,6 +1,8 @@
--liquibase formatted sql
--changeset rbac-base-reference:1 endDelimiter:--//
-- ============================================================================
--changeset rbac-base-REFERENCE:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
*/
@ -27,7 +29,9 @@ end; $$;
--//
--changeset rbac-base-user:1 endDelimiter:--//
-- ============================================================================
--changeset rbac-base-USER:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
*/
@ -86,7 +90,9 @@ $$;
--//
--changeset rbac-base-object:1 endDelimiter:--//
-- ============================================================================
--changeset rbac-base-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
*/
@ -119,7 +125,9 @@ end; $$;
--//
--changeset rbac-base-role:1 endDelimiter:--//
-- ============================================================================
--changeset rbac-base-ROLE:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
*/
@ -203,7 +211,9 @@ begin
end;
$$;
--changeset rbac-base-permission:1 endDelimiter:--//
-- ============================================================================
--changeset rbac-base-PERMISSION:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
*/
@ -217,7 +227,6 @@ create domain RbacOp as varchar(67)
or VALUE ~ '^add-[a-z]+$'
);
-- DROP TABLE IF EXISTS RbacPermission;
create table RbacPermission
(
uuid uuid primary key references RbacReference (uuid) on delete cascade,
@ -226,11 +235,7 @@ create table RbacPermission
unique (objectUuid, op)
);
-- SET SESSION SESSION AUTHORIZATION DEFAULT;
-- alter table rbacpermission add constraint rbacpermission_objectuuid_fkey foreign key (objectUuid) references rbacobject(uuid);
-- alter table rbacpermission drop constraint rbacpermission_objectuuid;
create or replace function hasPermission(forObjectUuid uuid, forOp RbacOp)
create or replace function permissionExists(forObjectUuid uuid, forOp RbacOp)
returns bool
language sql as $$
select exists(
@ -291,7 +296,9 @@ $$;
--//
--changeset rbac-base-grants:1 endDelimiter:--//
-- ============================================================================
--changeset rbac-base-GRANTS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
*/
@ -306,8 +313,6 @@ create index on RbacGrants (ascendantUuid);
create index on RbacGrants (descendantUuid);
--//
create or replace function findGrantees(grantedId uuid)
returns setof RbacReference
returns null on null input
@ -377,7 +382,8 @@ begin
insert
into RbacGrants (ascendantUuid, descendantUuid, follow)
values (roleUuid, permissionIds[i], true);
values (roleUuid, permissionIds[i], true)
on conflict do nothing; -- allow granting multiple times
end loop;
end;
$$;
@ -395,7 +401,7 @@ begin
insert
into RbacGrants (ascendantUuid, descendantUuid, follow)
values (superRoleId, subRoleId, doFollow)
on conflict do nothing; -- TODO: remove?
on conflict do nothing; -- allow granting multiple times
end; $$;
create or replace procedure revokeRoleFromRole(subRoleId uuid, superRoleId uuid)
@ -418,11 +424,13 @@ begin
insert
into RbacGrants (ascendantUuid, descendantUuid, follow)
values (userId, roleId, true)
on conflict do nothing; -- TODO: remove?
on conflict do nothing; -- allow granting multiple times
end; $$;
--//
--changeset rbac-base-query-accessible-object-uuids:1 endDelimiter:--//
-- ============================================================================
--changeset rbac-base-QUERY-ACCESSIBLE-OBJECT-UUIDS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
*/
@ -467,7 +475,9 @@ $$;
--//
--changeset rbac-base-query-granted-permissions:1 endDelimiter:--//
-- ============================================================================
--changeset rbac-base-QUERY-GRANTED-PERMISSIONS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
*/
@ -494,7 +504,9 @@ $$;
--//
--changeset rbac-base-query-users-with-permission-for-object:1 endDelimiter:--//
-- ============================================================================
--changeset rbac-base-QUERY-USERS-WITH-PERMISSION-FOR-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
*/
@ -520,7 +532,9 @@ $$;
--//
--changeset rbac-current-user:1 endDelimiter:--//
-- ============================================================================
--changeset rbac-CURRENT-USER:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
*/
@ -553,13 +567,16 @@ declare
begin
currentUser := currentUser();
currentUserId = (select uuid from RbacUser where name = currentUser);
if currentUserId is null then
raise exception 'hsadminng.currentUser defined as %, but does not exists', currentUser;
end if;
return currentUserId;
end; $$;
--//
--changeset rbac-assumed-roles:1 endDelimiter:--//
-- ============================================================================
--changeset rbac-ASSUMED-ROLES:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
*/
@ -595,7 +612,7 @@ create or replace function findUuidByIdName(objectTable varchar, objectIdName va
returns null on null input
language plpgsql as $$
declare
sql varchar;
sql varchar;
uuid uuid;
begin
objectTable := pureIdentifier(objectTable);
@ -604,10 +621,26 @@ begin
begin
raise notice 'sql: %', sql;
execute sql into uuid;
exception when OTHERS then
raise exception 'function %UuidByIdName(...) not found, add identity view support for table %', objectTable, objectTable;
exception
when others then
raise exception 'function %UuidByIdName(...) not found, add identity view support for table %', objectTable, objectTable;
end;
return uuid;
end ; $$;
create or replace function currentSubjects()
returns varchar(63)[]
stable leakproof
language plpgsql as $$
declare
assumedRoles varchar(63)[];
begin
assumedRoles := assumedRoles();
if array_length(assumedRoles(), 1) > 0 then
return assumedRoles();
else
return array[currentUser()]::varchar(63)[];
end if;
end; $$;
create or replace function currentSubjectIds()
@ -664,9 +697,8 @@ end; $$;
-- ============================================================================
-- PGSQL-ROLES
--changeset rbac-base-pgsql-roles:1 endDelimiter:--//
-- ------------------------------------------------------------------
--changeset rbac-base-PGSQL-ROLES:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create role admin;
grant all privileges on all tables in schema public to admin;
@ -675,3 +707,4 @@ create role restricted;
grant all privileges on all tables in schema public to restricted;
--//

25
src/main/resources/db/changelog/2022-07-29-050-hs-base.sql
View File

@ -16,6 +16,8 @@ create table Global
);
create unique index Global_Singleton on Global ((0));
grant select on global to restricted;
/**
A single row to be referenced as a global object.
*/
@ -25,6 +27,23 @@ insert
into Global (uuid, name) values ((select uuid from RbacObject where objectTable = 'global'), 'hostsharing');
--//
-- ============================================================================
--changeset rhs-base-HAS-GLOBAL-PERMISSION:1 endDelimiter:--//
-- ------------------------------------------------------------------
create or replace function hasGlobalPermission(op RbacOp)
returns boolean
language sql as
$$
-- TODO: this could to be optimized
select (select uuid from global) in
(select queryAccessibleObjectUuidsOfSubjectIds(
op, 'global', currentSubjectIds()));
$$;
--//
-- ============================================================================
--changeset hs-base-GLOBAL-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
@ -34,7 +53,7 @@ insert
*/
drop view if exists global_iv;
create or replace view global_iv as
select distinct target.uuid, target.name as idName
select target.uuid, target.name as idName
from global as target;
grant all privileges on global_iv to restricted;
@ -65,7 +84,7 @@ $$;
select createRole(hostsharingAdmin());
-- ============================================================================
--changeset hs-base-ADMIN-USERS:1 context:dev,test,tc endDelimiter:--//
--changeset hs-base-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Create two users and assign both to the administrators role.
@ -83,7 +102,7 @@ $$;
-- ============================================================================
--changeset hs-base-hostsharing-TEST:1 context:dev,test,tc runAlways:true endDelimiter:--//
--changeset hs-base-hostsharing-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
-- ----------------------------------------------------------------------------
/*

47
src/main/resources/db/changelog/2022-07-29-061-hs-customer-rbac.sql
View File

@ -149,7 +149,7 @@ execute procedure deleteRbacRulesForCustomer();
*/
drop view if exists customer_iv;
create or replace view customer_iv as
select distinct target.uuid, target.prefix as idName
select target.uuid, target.prefix as idName
from customer as target;
-- TODO: Is it ok that everybody has access to this information?
grant all privileges on customer_iv to restricted;
@ -176,8 +176,51 @@ $$;
set session session authorization default;
drop view if exists customer_rv;
create or replace view customer_rv as
select distinct target.*
select target.*
from customer as target
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'customer', currentSubjectIds()));
grant all privileges on customer_rv to restricted;
--//
-- ============================================================================
--changeset hs-customer-rbac-ADD-CUSTOMER:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates a global permission for add-customer and assigns it to the hostsharing admins role.
*/
do language plpgsql $$
declare
addCustomerPermissions uuid[];
hostsharingObjectUuid uuid;
hsAdminRoleUuid uuid ;
begin
hsAdminRoleUuid := findRoleId(hostsharingAdmin());
hostsharingObjectUuid := (select uuid from global);
addCustomerPermissions := createPermissions(hostsharingObjectUuid, array ['add-customer']);
call grantPermissionsToRole(hsAdminRoleUuid, addCustomerPermissions);
end;
$$;
/**
Used by the trigger to prevent the add-customer to current user respectively assumed roles.
*/
create or replace function addCustomerNotAllowedForCurrentSubjects()
returns trigger
language PLPGSQL
as $$
begin
raise exception 'add-customer not permitted for %', array_to_string(currentSubjects());
end; $$;
/**
Checks if the user or assumed roles are allowed to add a new customer.
*/
create trigger customer_insert_trigger
before insert
on customer
for each row
when ( currentUser() <> 'mike@hostsharing.net' or not hasGlobalPermission('add-customer') )
execute procedure addCustomerNotAllowedForCurrentSubjects();
--//

2
src/main/resources/db/changelog/2022-07-29-070-hs-package-rbac.sql
View File

@ -175,7 +175,7 @@ $$;
*/
drop view if exists package_rv;
create or replace view package_rv as
select distinct target.*
select target.*
from package as target
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'package', currentSubjectIds()));
grant all privileges on package_rv to restricted;

2
src/main/resources/db/changelog/23-hs-unixuser.sql
View File

@ -115,7 +115,7 @@ set session session authorization default;
-- ALTER TABLE unixuser ENABLE ROW LEVEL SECURITY;
drop view if exists unixuser_rv;
create or replace view unixuser_rv as
select distinct target.*
select target.*
from unixuser as target
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'unixuser', currentSubjectIds()));
grant all privileges on unixuser_rv to restricted;

2
src/main/resources/db/changelog/24-hs-domain.sql
View File

@ -100,7 +100,7 @@ set session session authorization default;
-- ALTER TABLE Domain ENABLE ROW LEVEL SECURITY;
drop view if exists domain_rv;
create or replace view domain_rv as
select distinct target.*
select target.*
from Domain as target
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'domain', currentSubjectIds()));
grant all privileges on domain_rv to restricted;

2
src/main/resources/db/changelog/25-hs-emailaddress.sql
View File

@ -85,7 +85,7 @@ set session session authorization default;
-- ALTER TABLE EMailAddress ENABLE ROW LEVEL SECURITY;
drop view if exists EMailAddress_rv;
create or replace view EMailAddress_rv as
select distinct target.*
select target.*
from EMailAddress as target
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'emailaddress', currentSubjectIds()));
grant all privileges on EMailAddress_rv to restricted;