
introduce separate database-schemas base+rbac ()

Co-authored-by: Michael Hoennig <michael@hoennig.de>
Co-authored-by: Michael Hönnig <michael@hoennig.de>
Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/103
Reviewed-by: Marc Sandlus <marc.sandlus@hostsharing.net>
This commit is contained in:
Michael Hoennig
2024-09-16 15:36:37 +02:00
parent 80d79de5f4
commit 1eed0e9b21
287 changed files with 3194 additions and 3454 deletions

@@ -1,12 +1,12 @@
--liquibase formatted sql
-- ============================================================================
--changeset hs-office-contact-MAIN-TABLE:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-contact-MAIN-TABLE endDelimiter:--//
-- ----------------------------------------------------------------------------
create table if not exists hs_office_contact
(
uuid uuid unique references RbacObject (uuid) initially deferred,
uuid uuid unique references rbac.object (uuid) initially deferred,
version int not null default 0,
caption varchar(128) not null,
postalAddress text,
@@ -17,8 +17,8 @@ create table if not exists hs_office_contact
-- ============================================================================
--changeset hs-office-contact-MAIN-TABLE-JOURNAL:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-contact-MAIN-TABLE-JOURNAL endDelimiter:--//
-- ----------------------------------------------------------------------------
call create_journal('hs_office_contact');
call base.create_journal('hs_office_contact');
--//
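Review bot: Rewriting `--changeset hs-office-contact-MAIN-TABLE:1` as `--changeset michael.hoennig:hs-office-contact-MAIN-TABLE` (and likewise for every other `--changeset` line in this commit) changes both halves of the Liquibase `author:id` pair, so a database whose DATABASECHANGELOG already records the old changesets will treat the renamed ones as unapplied and execute them again. `create table if not exists` hides that for this table, but `call base.create_journal('hs_office_contact')` and the rbac generator calls in the sibling files have no such guard and would presumably fail or duplicate objects on a second run. If every environment is rebuilt from scratch this is harmless, but then the commit description should say so; otherwise the old `author:id` pairs need to be preserved or migrated explicitly.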

@@ -32,7 +32,7 @@ end
user:creator ==> role:contact:OWNER
%% granting roles to roles
role:global:ADMIN ==> role:contact:OWNER
role:rbac.global:ADMIN ==> role:contact:OWNER
role:contact:OWNER ==> role:contact:ADMIN
role:contact:ADMIN ==> role:contact:REFERRER
@@ -40,6 +40,6 @@ role:contact:ADMIN ==> role:contact:REFERRER
role:contact:OWNER ==> perm:contact:DELETE
role:contact:ADMIN ==> perm:contact:UPDATE
role:contact:REFERRER ==> perm:contact:SELECT
role:global:GUEST ==> perm:contact:INSERT
role:rbac.global:GUEST ==> perm:contact:INSERT
```

@@ -3,21 +3,21 @@
-- ============================================================================
--changeset hs-office-contact-rbac-OBJECT:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-contact-rbac-OBJECT endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_contact');
call rbac.generateRelatedRbacObject('hs_office_contact');
--//
-- ============================================================================
--changeset hs-office-contact-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-contact-rbac-ROLE-DESCRIPTORS endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeContact', 'hs_office_contact');
call rbac.generateRbacRoleDescriptors('hsOfficeContact', 'hs_office_contact');
--//
-- ============================================================================
--changeset hs-office-contact-rbac-insert-trigger:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-contact-rbac-insert-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -32,28 +32,28 @@ create or replace procedure buildRbacSystemForHsOfficeContact(
declare
begin
call enterTriggerForObjectUuid(NEW.uuid);
call rbac.enterTriggerForObjectUuid(NEW.uuid);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeContactOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()],
userUuids => array[currentUserUuid()]
incomingSuperRoles => array[rbac.globalAdmin()],
subjectUuids => array[rbac.currentSubjectUuid()]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeContactADMIN(NEW),
permissions => array['UPDATE'],
incomingSuperRoles => array[hsOfficeContactOWNER(NEW)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeContactREFERRER(NEW),
permissions => array['SELECT'],
incomingSuperRoles => array[hsOfficeContactADMIN(NEW)]
);
call leaveTriggerForObjectUuid(NEW.uuid);
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$;
/*
@@ -77,10 +77,10 @@ execute procedure insertTriggerForHsOfficeContact_tf();
-- ============================================================================
--changeset hs-office-contact-rbac-IDENTITY-VIEW:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-contact-rbac-IDENTITY-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_office_contact',
call rbac.generateRbacIdentityViewFromProjection('hs_office_contact',
$idName$
caption
$idName$);
@@ -88,9 +88,9 @@ call generateRbacIdentityViewFromProjection('hs_office_contact',
-- ============================================================================
--changeset hs-office-contact-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-contact-rbac-RESTRICTED-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_contact',
call rbac.generateRbacRestrictedView('hs_office_contact',
$orderBy$
caption
$orderBy$,
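Review bot: `incomingSuperRoles => array[rbac.globalAdmin()]` in buildRbacSystemForHsOfficeContact spells the helper differently from the `rbac.globalADMIN()` used in the person trigger and from the `globalADMIN()` it replaces; Postgres folds unquoted identifiers, so both resolve to the same function unless it was created with a quoted name, but a reader searching for the global-admin role helper now has to know two spellings. Use one spelling throughout, e.g. `incomingSuperRoles => array[rbac.globalADMIN()],`. The same `rbac.globalAdmin()` spelling appears in the relation trigger in this commit. The procedure header of buildRbacSystemForHsOfficeContact lies outside the hunk.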

@@ -4,7 +4,7 @@
-- Once we don't need the external remote views anymore, create revert changesets.
-- ============================================================================
--changeset hs-office-contact-MIGRATION-mapping:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-contact-MIGRATION-mapping endDelimiter:--//
-- ----------------------------------------------------------------------------
CREATE TABLE hs_office_contact_legacy_id
@@ -16,7 +16,7 @@ CREATE TABLE hs_office_contact_legacy_id
-- ============================================================================
--changeset hs-office-contact-MIGRATION-sequence:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-contact-MIGRATION-sequence endDelimiter:--//
-- ----------------------------------------------------------------------------
CREATE SEQUENCE IF NOT EXISTS hs_office_contact_legacy_id_seq
@@ -27,7 +27,7 @@ CREATE SEQUENCE IF NOT EXISTS hs_office_contact_legacy_id_seq
-- ============================================================================
--changeset hs-office-contact-MIGRATION-default:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-contact-MIGRATION-default endDelimiter:--//
-- ----------------------------------------------------------------------------
ALTER TABLE hs_office_contact_legacy_id
@@ -37,17 +37,17 @@ ALTER TABLE hs_office_contact_legacy_id
--/
-- ============================================================================
--changeset hs-office-contact-MIGRATION-insert:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-contact-MIGRATION-insert endDelimiter:--//
-- ----------------------------------------------------------------------------
CALL defineContext('schema-migration');
CALL base.defineContext('schema-migration');
INSERT INTO hs_office_contact_legacy_id(uuid, contact_id)
SELECT uuid, nextVal('hs_office_contact_legacy_id_seq') FROM hs_office_contact;
--/
-- ============================================================================
--changeset hs-office-contact-MIGRATION-insert-trigger:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-contact-MIGRATION-insert-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace function insertContactLegacyIdMapping()
returns trigger
@@ -72,7 +72,7 @@ create trigger createContactLegacyIdMapping
-- ============================================================================
--changeset hs-office-contact-MIGRATION-delete-trigger:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-contact-MIGRATION-delete-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace function deleteContactLegacyIdMapping()
returns trigger

@@ -2,7 +2,7 @@
-- ============================================================================
--changeset hs-office-contact-TEST-DATA-GENERATOR:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-contact-TEST-DATA-GENERATOR endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -14,10 +14,10 @@ declare
postalAddr varchar;
emailAddr varchar;
begin
emailAddr = 'contact-admin@' || cleanIdentifier(contCaption) || '.example.com';
call defineContext('creating contact test-data');
perform createRbacUser(emailAddr);
call defineContext('creating contact test-data', null, emailAddr);
emailAddr = 'contact-admin@' || base.cleanIdentifier(contCaption) || '.example.com';
call base.defineContext('creating contact test-data');
perform rbac.create_subject(emailAddr);
call base.defineContext('creating contact test-data', null, emailAddr);
postalAddr := E'Vorname Nachname\nStraße Hnr\nPLZ Stadt';
@@ -44,7 +44,7 @@ create or replace procedure createHsOfficeContactTestData(
begin
for t in startCount..endCount
loop
call createHsOfficeContactTestData(intToVarChar(t, 4) || '#' || t);
call createHsOfficeContactTestData(base.intToVarChar(t, 4) || '#' || t);
commit;
end loop;
end; $$;
@@ -52,7 +52,7 @@ end; $$;
-- ============================================================================
--changeset hs-office-contact-TEST-DATA-GENERATION:1 context=dev,tc endDelimiter:--//
--changeset michael.hoennig:hs-office-contact-TEST-DATA-GENERATION context=dev,tc endDelimiter:--//
-- ----------------------------------------------------------------------------
do language plpgsql $$

@@ -1,7 +1,7 @@
--liquibase formatted sql
-- ============================================================================
--changeset hs-office-person-MAIN-TABLE:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-person-MAIN-TABLE endDelimiter:--//
-- ----------------------------------------------------------------------------
CREATE TYPE HsOfficePersonType AS ENUM (
@@ -16,7 +16,7 @@ CREATE CAST (character varying as HsOfficePersonType) WITH INOUT AS IMPLICIT;
create table if not exists hs_office_person
(
uuid uuid unique references RbacObject (uuid) initially deferred,
uuid uuid unique references rbac.object (uuid) initially deferred,
version int not null default 0,
personType HsOfficePersonType not null,
tradeName varchar(96),
@@ -28,8 +28,8 @@ create table if not exists hs_office_person
-- ============================================================================
--changeset hs-office-person-MAIN-TABLE-JOURNAL:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-person-MAIN-TABLE-JOURNAL endDelimiter:--//
-- ----------------------------------------------------------------------------
call create_journal('hs_office_person');
call base.create_journal('hs_office_person');
--//

@@ -32,12 +32,12 @@ end
user:creator ==> role:person:OWNER
%% granting roles to roles
role:global:ADMIN ==> role:person:OWNER
role:rbac.global:ADMIN ==> role:person:OWNER
role:person:OWNER ==> role:person:ADMIN
role:person:ADMIN ==> role:person:REFERRER
%% granting permissions to roles
role:global:GUEST ==> perm:person:INSERT
role:rbac.global:GUEST ==> perm:person:INSERT
role:person:OWNER ==> perm:person:DELETE
role:person:ADMIN ==> perm:person:UPDATE
role:person:REFERRER ==> perm:person:SELECT

@@ -3,21 +3,21 @@
-- ============================================================================
--changeset hs-office-person-rbac-OBJECT:1 endDelimiter:--//
--changeset RbacObjectGenerator:hs-office-person-rbac-OBJECT endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_person');
call rbac.generateRelatedRbacObject('hs_office_person');
--//
-- ============================================================================
--changeset hs-office-person-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
--changeset RbacRoleDescriptorsGenerator:hs-office-person-rbac-ROLE-DESCRIPTORS endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficePerson', 'hs_office_person');
call rbac.generateRbacRoleDescriptors('hsOfficePerson', 'hs_office_person');
--//
-- ============================================================================
--changeset hs-office-person-rbac-insert-trigger:1 endDelimiter:--//
--changeset RolesGrantsAndPermissionsGenerator:hs-office-person-rbac-insert-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -32,28 +32,28 @@ create or replace procedure buildRbacSystemForHsOfficePerson(
declare
begin
call enterTriggerForObjectUuid(NEW.uuid);
call rbac.enterTriggerForObjectUuid(NEW.uuid);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficePersonOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()],
userUuids => array[currentUserUuid()]
incomingSuperRoles => array[rbac.globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficePersonADMIN(NEW),
permissions => array['UPDATE'],
incomingSuperRoles => array[hsOfficePersonOWNER(NEW)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficePersonREFERRER(NEW),
permissions => array['SELECT'],
incomingSuperRoles => array[hsOfficePersonADMIN(NEW)]
);
call leaveTriggerForObjectUuid(NEW.uuid);
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$;
/*
@@ -77,10 +77,10 @@ execute procedure insertTriggerForHsOfficePerson_tf();
-- ============================================================================
--changeset hs-office-person-rbac-IDENTITY-VIEW:1 endDelimiter:--//
--changeset RbacIdentityViewGenerator:hs-office-person-rbac-IDENTITY-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_office_person',
call rbac.generateRbacIdentityViewFromProjection('hs_office_person',
$idName$
concat(tradeName, familyName, givenName)
$idName$);
@@ -88,9 +88,9 @@ call generateRbacIdentityViewFromProjection('hs_office_person',
-- ============================================================================
--changeset hs-office-person-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
--changeset RbacRestrictedViewGenerator:hs-office-person-rbac-RESTRICTED-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_person',
call rbac.generateRbacRestrictedView('hs_office_person',
$orderBy$
concat(tradeName, familyName, givenName)
$orderBy$,
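Review bot: The changeset author field in this file (`--changeset RbacObjectGenerator:hs-office-person-rbac-OBJECT`, `RbacRoleDescriptorsGenerator:…`, `RolesGrantsAndPermissionsGenerator:…`, `RbacIdentityViewGenerator:…`, `RbacRestrictedViewGenerator:…`) differs from the `michael.hoennig:` author used for the equivalent contact and relation rbac changesets in the same commit. If the generator names are meant to mark these changesets as tool-generated, the contact and relation files that run the same `rbac.generate…` calls should carry them too; if not, this file should use `michael.hoennig:` like the others. Since the author is part of the changeset identity, the convention should be settled before these changesets land in any DATABASECHANGELOG.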

@@ -2,7 +2,7 @@
-- ============================================================================
--changeset hs-office-person-TEST-DATA-GENERATOR:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-person-TEST-DATA-GENERATOR endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -20,10 +20,10 @@ declare
emailAddr varchar;
begin
fullName := concat_ws(', ', newTradeName, newFamilyName, newGivenName);
emailAddr = 'person-' || left(cleanIdentifier(fullName), 32) || '@example.com';
call defineContext('creating person test-data');
perform createRbacUser(emailAddr);
call defineContext('creating person test-data', null, emailAddr);
emailAddr = 'person-' || left(base.cleanIdentifier(fullName), 32) || '@example.com';
call base.defineContext('creating person test-data');
perform rbac.create_subject(emailAddr);
call base.defineContext('creating person test-data', null, emailAddr);
raise notice 'creating test person: % by %', fullName, emailAddr;
insert
@@ -43,7 +43,7 @@ create or replace procedure createTestPersonTestData(
begin
for t in startCount..endCount
loop
call createHsOfficePersonTestData('LP', intToVarChar(t, 4));
call createHsOfficePersonTestData('LP', base.intToVarChar(t, 4));
commit;
end loop;
end; $$;
@@ -51,7 +51,7 @@ end; $$;
-- ============================================================================
--changeset hs-office-person-TEST-DATA-GENERATION:1 context=dev,tc endDelimiter:--//
--changeset michael.hoennig:hs-office-person-TEST-DATA-GENERATION context=dev,tc endDelimiter:--//
-- ----------------------------------------------------------------------------
do language plpgsql $$

@@ -1,7 +1,7 @@
--liquibase formatted sql
-- ============================================================================
--changeset hs-office-relation-MAIN-TABLE:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-relation-MAIN-TABLE endDelimiter:--//
-- ----------------------------------------------------------------------------
CREATE TYPE HsOfficeRelationType AS ENUM (
@@ -18,7 +18,7 @@ CREATE CAST (character varying as HsOfficeRelationType) WITH INOUT AS IMPLICIT;
create table if not exists hs_office_relation
(
uuid uuid unique references RbacObject (uuid) initially deferred, -- on delete cascade
uuid uuid unique references rbac.object (uuid) initially deferred, -- on delete cascade
version int not null default 0,
anchorUuid uuid not null references hs_office_person(uuid),
holderUuid uuid not null references hs_office_person(uuid),
@@ -30,8 +30,8 @@ create table if not exists hs_office_relation
-- ============================================================================
--changeset hs-office-relation-MAIN-TABLE-JOURNAL:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-relation-MAIN-TABLE-JOURNAL endDelimiter:--//
-- ----------------------------------------------------------------------------
call create_journal('hs_office_relation');
call base.create_journal('hs_office_relation');
--//

@@ -72,16 +72,16 @@ end
user:creator ==> role:relation:OWNER
%% granting roles to roles
role:global:ADMIN -.-> role:anchorPerson:OWNER
role:rbac.global:ADMIN -.-> role:anchorPerson:OWNER
role:anchorPerson:OWNER -.-> role:anchorPerson:ADMIN
role:anchorPerson:ADMIN -.-> role:anchorPerson:REFERRER
role:global:ADMIN -.-> role:holderPerson:OWNER
role:rbac.global:ADMIN -.-> role:holderPerson:OWNER
role:holderPerson:OWNER -.-> role:holderPerson:ADMIN
role:holderPerson:ADMIN -.-> role:holderPerson:REFERRER
role:global:ADMIN -.-> role:contact:OWNER
role:rbac.global:ADMIN -.-> role:contact:OWNER
role:contact:OWNER -.-> role:contact:ADMIN
role:contact:ADMIN -.-> role:contact:REFERRER
role:global:ADMIN ==> role:relation:OWNER
role:rbac.global:ADMIN ==> role:relation:OWNER
role:holderPerson:ADMIN ==> role:relation:OWNER
role:relation:OWNER ==> role:relation:ADMIN
role:relation:ADMIN ==> role:anchorPerson:OWNER

@@ -72,16 +72,16 @@ end
user:creator ==> role:relation:OWNER
%% granting roles to roles
role:global:ADMIN -.-> role:anchorPerson:OWNER
role:rbac.global:ADMIN -.-> role:anchorPerson:OWNER
role:anchorPerson:OWNER -.-> role:anchorPerson:ADMIN
role:anchorPerson:ADMIN -.-> role:anchorPerson:REFERRER
role:global:ADMIN -.-> role:holderPerson:OWNER
role:rbac.global:ADMIN -.-> role:holderPerson:OWNER
role:holderPerson:OWNER -.-> role:holderPerson:ADMIN
role:holderPerson:ADMIN -.-> role:holderPerson:REFERRER
role:global:ADMIN -.-> role:contact:OWNER
role:rbac.global:ADMIN -.-> role:contact:OWNER
role:contact:OWNER -.-> role:contact:ADMIN
role:contact:ADMIN -.-> role:contact:REFERRER
role:global:ADMIN ==> role:relation:OWNER
role:rbac.global:ADMIN ==> role:relation:OWNER
role:relation:OWNER ==> role:relation:ADMIN
role:relation:ADMIN ==> role:relation:AGENT
role:relation:AGENT ==> role:relation:TENANT

@@ -3,21 +3,21 @@
-- ============================================================================
--changeset hs-office-relation-rbac-OBJECT:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-relation-rbac-OBJECT endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_relation');
call rbac.generateRelatedRbacObject('hs_office_relation');
--//
-- ============================================================================
--changeset hs-office-relation-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-relation-rbac-ROLE-DESCRIPTORS endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeRelation', 'hs_office_relation');
call rbac.generateRbacRoleDescriptors('hsOfficeRelation', 'hs_office_relation');
--//
-- ============================================================================
--changeset hs-office-relation-rbac-insert-trigger:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-relation-rbac-insert-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -35,7 +35,7 @@ declare
newContact hs_office_contact;
begin
call enterTriggerForObjectUuid(NEW.uuid);
call rbac.enterTriggerForObjectUuid(NEW.uuid);
SELECT * FROM hs_office_person WHERE uuid = NEW.holderUuid INTO newHolderPerson;
assert newHolderPerson.uuid is not null, format('newHolderPerson must not be null for NEW.holderUuid = %s', NEW.holderUuid);
@@ -47,25 +47,25 @@ begin
assert newContact.uuid is not null, format('newContact must not be null for NEW.contactUuid = %s', NEW.contactUuid);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeRelationOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()],
userUuids => array[currentUserUuid()]
incomingSuperRoles => array[rbac.globalAdmin()],
subjectUuids => array[rbac.currentSubjectUuid()]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeRelationADMIN(NEW),
permissions => array['UPDATE'],
incomingSuperRoles => array[hsOfficeRelationOWNER(NEW)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeRelationAGENT(NEW),
incomingSuperRoles => array[hsOfficeRelationADMIN(NEW)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeRelationTENANT(NEW),
permissions => array['SELECT'],
incomingSuperRoles => array[
@@ -78,15 +78,15 @@ begin
);
IF NEW.type = 'REPRESENTATIVE' THEN
call grantRoleToRole(hsOfficePersonOWNER(newAnchorPerson), hsOfficeRelationADMIN(NEW));
call grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newAnchorPerson));
call grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newHolderPerson));
call rbac.grantRoleToRole(hsOfficePersonOWNER(newAnchorPerson), hsOfficeRelationADMIN(NEW));
call rbac.grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newAnchorPerson));
call rbac.grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newHolderPerson));
ELSE
call grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newHolderPerson));
call grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newAnchorPerson));
call rbac.grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newHolderPerson));
call rbac.grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newAnchorPerson));
END IF;
call leaveTriggerForObjectUuid(NEW.uuid);
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$;
/*
@@ -110,7 +110,7 @@ execute procedure insertTriggerForHsOfficeRelation_tf();
-- ============================================================================
--changeset hs-office-relation-rbac-update-trigger:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-relation-rbac-update-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -125,7 +125,7 @@ create or replace procedure updateRbacRulesForHsOfficeRelation(
begin
if NEW.contactUuid is distinct from OLD.contactUuid then
delete from rbacgrants g where g.grantedbytriggerof = OLD.uuid;
delete from rbac.grants g where g.grantedbytriggerof = OLD.uuid;
call buildRbacSystemForHsOfficeRelation(NEW);
end if;
end; $$;
@@ -151,7 +151,7 @@ execute procedure updateTriggerForHsOfficeRelation_tf();
-- ============================================================================
--changeset hs-office-relation-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-relation-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
-- ----------------------------------------------------------------------------
-- granting INSERT permission to hs_office_person ----------------------------
@@ -163,13 +163,13 @@ do language plpgsql $$
declare
row hs_office_person;
begin
call defineContext('create INSERT INTO hs_office_relation permissions for pre-exising hs_office_person rows');
call base.defineContext('create INSERT INTO hs_office_relation permissions for pre-exising hs_office_person rows');
FOR row IN SELECT * FROM hs_office_person
-- unconditional for all rows in that table
LOOP
call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_office_relation'),
call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_relation'),
hsOfficePersonADMIN(row));
END LOOP;
end;
@@ -184,8 +184,8 @@ create or replace function new_hs_office_relation_grants_insert_to_hs_office_per
strict as $$
begin
-- unconditional for all rows in that table
call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_office_relation'),
call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_relation'),
hsOfficePersonADMIN(NEW));
-- end.
return NEW;
@@ -199,7 +199,7 @@ execute procedure new_hs_office_relation_grants_insert_to_hs_office_person_tf();
-- ============================================================================
--changeset hs_office_relation-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
--changeset michael.hoennig:hs_office_relation-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
-- ----------------------------------------------------------------------------
/**
@@ -212,12 +212,12 @@ declare
superObjectUuid uuid;
begin
-- check INSERT permission via direct foreign key: NEW.anchorUuid
if hasInsertPermission(NEW.anchorUuid, 'hs_office_relation') then
if rbac.hasInsertPermission(NEW.anchorUuid, 'hs_office_relation') then
return NEW;
end if;
raise exception '[403] insert into hs_office_relation not allowed for current subjects % (%)',
currentSubjects(), currentSubjectsUuids();
base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$;
create trigger hs_office_relation_insert_permission_check_tg
@@ -228,10 +228,10 @@ create trigger hs_office_relation_insert_permission_check_tg
-- ============================================================================
--changeset hs-office-relation-rbac-IDENTITY-VIEW:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-relation-rbac-IDENTITY-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_office_relation',
call rbac.generateRbacIdentityViewFromProjection('hs_office_relation',
$idName$
(select idName from hs_office_person_iv p where p.uuid = anchorUuid)
|| '-with-' || target.type || '-'
@@ -241,9 +241,9 @@ call generateRbacIdentityViewFromProjection('hs_office_relation',
-- ============================================================================
--changeset hs-office-relation-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-relation-rbac-RESTRICTED-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_relation',
call rbac.generateRbacRestrictedView('hs_office_relation',
$orderBy$
(select idName from hs_office_person_iv p where p.uuid = target.holderUuid)
$orderBy$,
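Review bot: updateRbacRulesForHsOfficeRelation deletes and rebuilds the grants only when `NEW.contactUuid is distinct from OLD.contactUuid`, yet the insert-time build a few hunks above grants roles based on `NEW.anchorUuid`, `NEW.holderUuid` and `NEW.type` as well; if any of those can change on update, the previous anchor/holder persons keep their role grants in `rbac.grants` and the new ones receive none. Unless another trigger not in this diff makes those columns immutable, widen the guard: `if NEW.contactUuid is distinct from OLD.contactUuid or NEW.anchorUuid is distinct from OLD.anchorUuid or NEW.holderUuid is distinct from OLD.holderUuid or NEW.type is distinct from OLD.type then`. The procedure's signature lies outside the hunk, so the `OLD`/`NEW` parameter names are assumed from the body.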

@@ -2,7 +2,7 @@
-- ============================================================================
--changeset hs-office-relation-TEST-DATA-GENERATOR:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-relation-TEST-DATA-GENERATOR endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -22,7 +22,7 @@ declare
contact hs_office_contact;
begin
idName := cleanIdentifier( anchorPersonName || '-' || holderPersonName);
idName := base.cleanIdentifier( anchorPersonName || '-' || holderPersonName);
select p.*
into anchorPerson
@@ -69,8 +69,8 @@ declare
begin
for t in startCount..endCount
loop
select p.* from hs_office_person p where tradeName = intToVarChar(t, 4) into person;
select c.* from hs_office_contact c where c.caption = intToVarChar(t, 4) || '#' || t into contact;
select p.* from hs_office_person p where tradeName = base.intToVarChar(t, 4) into person;
select c.* from hs_office_contact c where c.caption = base.intToVarChar(t, 4) || '#' || t into contact;
call createHsOfficeRelationTestData(person.uuid, contact.uuid, 'REPRESENTATIVE');
commit;
@@ -80,12 +80,12 @@ end; $$;
-- ============================================================================
--changeset hs-office-relation-TEST-DATA-GENERATION:1 context=dev,tc endDelimiter:--//
--changeset michael.hoennig:hs-office-relation-TEST-DATA-GENERATION context=dev,tc endDelimiter:--//
-- ----------------------------------------------------------------------------
do language plpgsql $$
begin
call defineContext('creating relation test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
call base.defineContext('creating relation test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
call createHsOfficeRelationTestData('First GmbH', 'PARTNER', 'Hostsharing eG', 'first contact');
call createHsOfficeRelationTestData('Firby', 'REPRESENTATIVE', 'First GmbH', 'first contact');

@@ -2,12 +2,12 @@
-- ============================================================================
--changeset hs-office-partner-DETAILS-TABLE:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-partner-DETAILS-TABLE endDelimiter:--//
-- ----------------------------------------------------------------------------
create table hs_office_partner_details
(
uuid uuid unique references RbacObject (uuid) initially deferred,
uuid uuid unique references rbac.object (uuid) initially deferred,
version int not null default 0,
registrationOffice varchar(96),
registrationNumber varchar(96),
@@ -20,19 +20,19 @@ create table hs_office_partner_details
-- ============================================================================
--changeset hs-office-partner-DETAILS-TABLE-JOURNAL:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-partner-DETAILS-TABLE-JOURNAL endDelimiter:--//
-- ----------------------------------------------------------------------------
call create_journal('hs_office_partner_details');
call base.create_journal('hs_office_partner_details');
--//
-- ============================================================================
--changeset hs-office-partner-MAIN-TABLE:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-partner-MAIN-TABLE endDelimiter:--//
-- ----------------------------------------------------------------------------
create table hs_office_partner
(
uuid uuid unique references RbacObject (uuid) initially deferred,
uuid uuid unique references rbac.object (uuid) initially deferred,
version int not null default 0,
partnerNumber numeric(5) unique not null,
partnerRelUuid uuid not null references hs_office_relation(uuid), -- deleted in after delete trigger
@@ -42,7 +42,7 @@ create table hs_office_partner
-- ============================================================================
--changeset hs-office-partner-DELETE-DEPENDENTS-TRIGGER:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-partner-DELETE-DEPENDENTS-TRIGGER endDelimiter:--//
-- ----------------------------------------------------------------------------
/**
@@ -80,8 +80,8 @@ create trigger hs_office_partner_delete_dependents_trigger
execute procedure deleteHsOfficeDependentsOnPartnerDelete();
-- ============================================================================
--changeset hs-office-partner-MAIN-TABLE-JOURNAL:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-partner-MAIN-TABLE-JOURNAL endDelimiter:--//
-- ----------------------------------------------------------------------------
call create_journal('hs_office_partner');
call base.create_journal('hs_office_partner');
--//
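Review bot: Every `--changeset` header in this section changes its Liquibase identity, e.g. `--changeset hs-office-partner-DETAILS-TABLE:1` (author `hs-office-partner-DETAILS-TABLE`, id `1`) becomes `--changeset michael.hoennig:hs-office-partner-DETAILS-TABLE` (author `michael.hoennig`, id `hs-office-partner-DETAILS-TABLE`). Liquibase keys its DATABASECHANGELOG rows by id, author and path, so on any database that already applied the old changesets these are treated as brand-new and re-executed, and `create table hs_office_partner_details` / `create table hs_office_partner` have no `if not exists` and would fail there. If every environment is rebuilt from scratch this is harmless, but that assumption is not stated anywhere in the hunk; either document it or guard the DDL changesets, e.g. `--preconditions onFail:MARK_RAN` followed by `--precondition-sql-check expectedResult:0 SELECT count(*) FROM information_schema.tables WHERE table_name = 'hs_office_partner'`.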

@@ -87,16 +87,16 @@ subgraph partnerRel.holderPerson["`**partnerRel.holderPerson**`"]
end
%% granting roles to roles
role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
role:rbac.global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
role:rbac.global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
role:global:ADMIN -.-> role:partnerRel.contact:OWNER
role:rbac.global:ADMIN -.-> role:partnerRel.contact:OWNER
role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
role:global:ADMIN -.-> role:partnerRel:OWNER
role:rbac.global:ADMIN -.-> role:partnerRel:OWNER
role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
role:partnerRel:AGENT -.-> role:partnerRel:TENANT
@@ -108,7 +108,7 @@ role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:OWNER
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
%% granting permissions to roles
role:global:ADMIN ==> perm:partner:INSERT
role:rbac.global:ADMIN ==> perm:partner:INSERT
role:partnerRel:OWNER ==> perm:partner:DELETE
role:partnerRel:ADMIN ==> perm:partner:UPDATE
role:partnerRel:TENANT ==> perm:partner:SELECT

@@ -3,21 +3,21 @@
-- ============================================================================
--changeset hs-office-partner-rbac-OBJECT:1 endDelimiter:--//
--changeset RbacObjectGenerator:hs-office-partner-rbac-OBJECT endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_partner');
call rbac.generateRelatedRbacObject('hs_office_partner');
--//
-- ============================================================================
--changeset hs-office-partner-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
--changeset RbacRoleDescriptorsGenerator:hs-office-partner-rbac-ROLE-DESCRIPTORS endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficePartner', 'hs_office_partner');
call rbac.generateRbacRoleDescriptors('hsOfficePartner', 'hs_office_partner');
--//
-- ============================================================================
--changeset hs-office-partner-rbac-insert-trigger:1 endDelimiter:--//
--changeset RolesGrantsAndPermissionsGenerator:hs-office-partner-rbac-insert-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -34,7 +34,7 @@ declare
newPartnerDetails hs_office_partner_details;
begin
call enterTriggerForObjectUuid(NEW.uuid);
call rbac.enterTriggerForObjectUuid(NEW.uuid);
SELECT * FROM hs_office_relation WHERE uuid = NEW.partnerRelUuid INTO newPartnerRel;
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerRelUuid = %s', NEW.partnerRelUuid);
@@ -42,14 +42,14 @@ begin
SELECT * FROM hs_office_partner_details WHERE uuid = NEW.detailsUuid INTO newPartnerDetails;
assert newPartnerDetails.uuid is not null, format('newPartnerDetails must not be null for NEW.detailsUuid = %s', NEW.detailsUuid);
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
call rbac.grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
call rbac.grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
call rbac.grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
call leaveTriggerForObjectUuid(NEW.uuid);
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$;
/*
@@ -73,7 +73,7 @@ execute procedure insertTriggerForHsOfficePartner_tf();
-- ============================================================================
--changeset hs-office-partner-rbac-update-trigger:1 endDelimiter:--//
--changeset RolesGrantsAndPermissionsGenerator:hs-office-partner-rbac-update-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -93,7 +93,7 @@ declare
newPartnerDetails hs_office_partner_details;
begin
call enterTriggerForObjectUuid(NEW.uuid);
call rbac.enterTriggerForObjectUuid(NEW.uuid);
SELECT * FROM hs_office_relation WHERE uuid = OLD.partnerRelUuid INTO oldPartnerRel;
assert oldPartnerRel.uuid is not null, format('oldPartnerRel must not be null for OLD.partnerRelUuid = %s', OLD.partnerRelUuid);
@@ -110,27 +110,27 @@ begin
if NEW.partnerRelUuid <> OLD.partnerRelUuid then
call revokePermissionFromRole(getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
call rbac.revokePermissionFromRole(rbac.getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
call revokePermissionFromRole(getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationADMIN(oldPartnerRel));
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
call rbac.revokePermissionFromRole(rbac.getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationADMIN(oldPartnerRel));
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
call revokePermissionFromRole(getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTENANT(oldPartnerRel));
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
call rbac.revokePermissionFromRole(rbac.getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTENANT(oldPartnerRel));
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
call rbac.revokePermissionFromRole(rbac.getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
call rbac.grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel));
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
call rbac.revokePermissionFromRole(rbac.getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel));
call rbac.grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(oldPartnerRel));
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
call rbac.revokePermissionFromRole(rbac.getPermissionId(oldPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(oldPartnerRel));
call rbac.grantPermissionToRole(rbac.createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
end if;
call leaveTriggerForObjectUuid(NEW.uuid);
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$;
/*
@@ -154,26 +154,26 @@ execute procedure updateTriggerForHsOfficePartner_tf();
-- ============================================================================
--changeset hs-office-partner-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
--changeset InsertTriggerGenerator:hs-office-partner-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
-- ----------------------------------------------------------------------------
-- granting INSERT permission to global ----------------------------
-- granting INSERT permission to rbac.global ----------------------------
/*
Grants INSERT INTO hs_office_partner permissions to specified role of pre-existing global rows.
Grants INSERT INTO hs_office_partner permissions to specified role of pre-existing rbac.global rows.
*/
do language plpgsql $$
declare
row global;
row rbac.global;
begin
call defineContext('create INSERT INTO hs_office_partner permissions for pre-exising global rows');
call base.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising rbac.global rows');
FOR row IN SELECT * FROM global
FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table
LOOP
call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
globalADMIN());
call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner'),
rbac.globalADMIN());
END LOOP;
end;
$$;
@@ -181,28 +181,28 @@ $$;
/**
Grants hs_office_partner INSERT permission to specified role of new global rows.
*/
create or replace function new_hs_office_partner_grants_insert_to_global_tf()
create or replace function rbac.new_hsof_partner_grants_insert_to_global_tf()
returns trigger
language plpgsql
strict as $$
begin
-- unconditional for all rows in that table
call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
globalADMIN());
call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner'),
rbac.globalADMIN());
-- end.
return NEW;
end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_partner_grants_insert_to_global_tg
after insert on global
create trigger z_new_hs_office_partner_grants_after_insert_tg
after insert on rbac.global
for each row
execute procedure new_hs_office_partner_grants_insert_to_global_tf();
execute procedure rbac.new_hsof_partner_grants_insert_to_global_tf();
-- ============================================================================
--changeset hs_office_partner-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
--changeset InsertTriggerGenerator:hs_office_partner-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
-- ----------------------------------------------------------------------------
/**
@@ -214,13 +214,13 @@ create or replace function hs_office_partner_insert_permission_check_tf()
declare
superObjectUuid uuid;
begin
-- check INSERT INSERT if global ADMIN
if isGlobalAdmin() then
-- check INSERT INSERT if rbac.global ADMIN
if rbac.isGlobalAdmin() then
return NEW;
end if;
raise exception '[403] insert into hs_office_partner values(%) not allowed for current subjects % (%)',
NEW, currentSubjects(), currentSubjectsUuids();
NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$;
create trigger hs_office_partner_insert_permission_check_tg
@@ -231,10 +231,10 @@ create trigger hs_office_partner_insert_permission_check_tg
-- ============================================================================
--changeset hs-office-partner-rbac-IDENTITY-VIEW:1 endDelimiter:--//
--changeset RbacIdentityViewGenerator:hs-office-partner-rbac-IDENTITY-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_office_partner',
call rbac.generateRbacIdentityViewFromProjection('hs_office_partner',
$idName$
'P-' || partnerNumber
$idName$);
@@ -242,9 +242,9 @@ call generateRbacIdentityViewFromProjection('hs_office_partner',
-- ============================================================================
--changeset hs-office-partner-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
--changeset RbacRestrictedViewGenerator:hs-office-partner-rbac-RESTRICTED-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_partner',
call rbac.generateRbacRestrictedView('hs_office_partner',
$orderBy$
'P-' || partnerNumber
$orderBy$,
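Review bot: The `[403]` exception in `hs_office_partner_insert_permission_check_tf` still interpolates the entire `NEW` row into its message and, with the changed third argument, now also `rbac.currentSubjectOrAssumedRolesUuids()`; if the `[403]` prefix is what maps this error to an HTTP response (the prefix suggests so — verify in the API layer), the rejected payload and internal role UUIDs are disclosed to the caller. Keep the client-facing text terse and push the detail into server-side logging, e.g. `raise exception '[403] insert into hs_office_partner not allowed for current subjects %', base.currentSubjects() using detail = format('row: %s, roles: %s', NEW, rbac.currentSubjectOrAssumedRolesUuids());`. The hunk header attributes this changeset to `InsertTriggerGenerator`, so the fix belongs in that generator template rather than in this generated file. The function definition itself starts before this hunk.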

@@ -18,6 +18,6 @@ subgraph partnerDetails["`**partnerDetails**`"]
end
%% granting permissions to roles
role:global:ADMIN ==> perm:partnerDetails:INSERT
role:rbac.global:ADMIN ==> perm:partnerDetails:INSERT
```

@@ -3,21 +3,21 @@
-- ============================================================================
--changeset hs-office-partner-details-rbac-OBJECT:1 endDelimiter:--//
--changeset RbacObjectGenerator:hs-office-partner-details-rbac-OBJECT endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_partner_details');
call rbac.generateRelatedRbacObject('hs_office_partner_details');
--//
-- ============================================================================
--changeset hs-office-partner-details-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
--changeset RbacRoleDescriptorsGenerator:hs-office-partner-details-rbac-ROLE-DESCRIPTORS endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficePartnerDetails', 'hs_office_partner_details');
call rbac.generateRbacRoleDescriptors('hsOfficePartnerDetails', 'hs_office_partner_details');
--//
-- ============================================================================
--changeset hs-office-partner-details-rbac-insert-trigger:1 endDelimiter:--//
--changeset RolesGrantsAndPermissionsGenerator:hs-office-partner-details-rbac-insert-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -32,9 +32,9 @@ create or replace procedure buildRbacSystemForHsOfficePartnerDetails(
declare
begin
call enterTriggerForObjectUuid(NEW.uuid);
call rbac.enterTriggerForObjectUuid(NEW.uuid);
call leaveTriggerForObjectUuid(NEW.uuid);
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$;
/*
@@ -58,26 +58,26 @@ execute procedure insertTriggerForHsOfficePartnerDetails_tf();
-- ============================================================================
--changeset hs-office-partner-details-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
--changeset InsertTriggerGenerator:hs-office-partner-details-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
-- ----------------------------------------------------------------------------
-- granting INSERT permission to global ----------------------------
-- granting INSERT permission to rbac.global ----------------------------
/*
Grants INSERT INTO hs_office_partner_details permissions to specified role of pre-existing global rows.
Grants INSERT INTO hs_office_partner_details permissions to specified role of pre-existing rbac.global rows.
*/
do language plpgsql $$
declare
row global;
row rbac.global;
begin
call defineContext('create INSERT INTO hs_office_partner_details permissions for pre-exising global rows');
call base.defineContext('create INSERT INTO hs_office_partner_details permissions for pre-exising rbac.global rows');
FOR row IN SELECT * FROM global
FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table
LOOP
call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
globalADMIN());
call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
rbac.globalADMIN());
END LOOP;
end;
$$;
@@ -85,28 +85,28 @@ $$;
/**
Grants hs_office_partner_details INSERT permission to specified role of new global rows.
*/
create or replace function new_hs_office_partner_details_grants_insert_to_global_tf()
create or replace function rbac.new_hsof_partner_details_grants_insert_to_global_tf()
returns trigger
language plpgsql
strict as $$
begin
-- unconditional for all rows in that table
call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
globalADMIN());
call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_partner_details'),
rbac.globalADMIN());
-- end.
return NEW;
end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_partner_details_grants_insert_to_global_tg
after insert on global
create trigger z_new_hs_office_partner_details_grants_after_insert_tg
after insert on rbac.global
for each row
execute procedure new_hs_office_partner_details_grants_insert_to_global_tf();
execute procedure rbac.new_hsof_partner_details_grants_insert_to_global_tf();
-- ============================================================================
--changeset hs_office_partner_details-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
--changeset InsertTriggerGenerator:hs_office_partner_details-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
-- ----------------------------------------------------------------------------
/**
@@ -118,13 +118,13 @@ create or replace function hs_office_partner_details_insert_permission_check_tf(
declare
superObjectUuid uuid;
begin
-- check INSERT INSERT if global ADMIN
if isGlobalAdmin() then
-- check INSERT INSERT if rbac.global ADMIN
if rbac.isGlobalAdmin() then
return NEW;
end if;
raise exception '[403] insert into hs_office_partner_details values(%) not allowed for current subjects % (%)',
NEW, currentSubjects(), currentSubjectsUuids();
NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$;
create trigger hs_office_partner_details_insert_permission_check_tg
@@ -135,10 +135,10 @@ create trigger hs_office_partner_details_insert_permission_check_tg
-- ============================================================================
--changeset hs-office-partner-details-rbac-IDENTITY-VIEW:1 endDelimiter:--//
--changeset RbacIdentityViewGenerator:hs-office-partner-details-rbac-IDENTITY-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromQuery('hs_office_partner_details',
call rbac.generateRbacIdentityViewFromQuery('hs_office_partner_details',
$idName$
SELECT partnerDetails.uuid as uuid, partner_iv.idName as idName
FROM hs_office_partner_details AS partnerDetails
@@ -149,9 +149,9 @@ call generateRbacIdentityViewFromQuery('hs_office_partner_details',
-- ============================================================================
--changeset hs-office-partner-details-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
--changeset RbacRestrictedViewGenerator:hs-office-partner-details-rbac-RESTRICTED-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_partner_details',
call rbac.generateRbacRestrictedView('hs_office_partner_details',
$orderBy$
uuid
$orderBy$,

@@ -4,7 +4,7 @@
-- Once we don't need the external remote views anymore, create revert changesets.
-- ============================================================================
--changeset hs-office-partner-MIGRATION-mapping:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-partner-MIGRATION-mapping endDelimiter:--//
-- ----------------------------------------------------------------------------
CREATE TABLE hs_office_partner_legacy_id
@@ -16,7 +16,7 @@ CREATE TABLE hs_office_partner_legacy_id
-- ============================================================================
--changeset hs-office-partner-MIGRATION-sequence:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-partner-MIGRATION-sequence endDelimiter:--//
-- ----------------------------------------------------------------------------
CREATE SEQUENCE IF NOT EXISTS hs_office_partner_legacy_id_seq
@@ -27,7 +27,7 @@ CREATE SEQUENCE IF NOT EXISTS hs_office_partner_legacy_id_seq
-- ============================================================================
--changeset hs-office-partner-MIGRATION-default:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-partner-MIGRATION-default endDelimiter:--//
-- ----------------------------------------------------------------------------
ALTER TABLE hs_office_partner_legacy_id
@@ -36,17 +36,17 @@ ALTER TABLE hs_office_partner_legacy_id
--/
-- ============================================================================
--changeset hs-office-partner-MIGRATION-insert:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-partner-MIGRATION-insert endDelimiter:--//
-- ----------------------------------------------------------------------------
CALL defineContext('schema-migration');
CALL base.defineContext('schema-migration');
INSERT INTO hs_office_partner_legacy_id(uuid, bp_id)
SELECT uuid, nextVal('hs_office_partner_legacy_id_seq') FROM hs_office_partner;
--/
-- ============================================================================
--changeset hs-office-partner-MIGRATION-insert-trigger:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-partner-MIGRATION-insert-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace function insertPartnerLegacyIdMapping()
returns trigger
@@ -71,7 +71,7 @@ create trigger createPartnerLegacyIdMapping
-- ============================================================================
--changeset hs-office-partner-MIGRATION-delete-trigger:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-partner-MIGRATION-delete-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace function deletePartnerLegacyIdMapping()
returns trigger

@@ -2,7 +2,7 @@
-- ============================================================================
--changeset hs-office-partner-TEST-DATA-GENERATOR:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-partner-TEST-DATA-GENERATOR endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -21,7 +21,7 @@ declare
relatedPerson hs_office_person;
relatedDetailsUuid uuid;
begin
idName := cleanIdentifier( partnerPersonName|| '-' || contactCaption);
idName := base.cleanIdentifier( partnerPersonName|| '-' || contactCaption);
select p.* from hs_office_person p
where p.tradeName = mandantTradeName
@@ -66,12 +66,12 @@ end; $$;
-- ============================================================================
--changeset hs-office-partner-TEST-DATA-GENERATION:1 context=dev,tc endDelimiter:--//
--changeset michael.hoennig:hs-office-partner-TEST-DATA-GENERATION context=dev,tc endDelimiter:--//
-- ----------------------------------------------------------------------------
do language plpgsql $$
begin
call defineContext('creating partner test-data ', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
call base.defineContext('creating partner test-data ', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
call createHsOfficePartnerTestData('Hostsharing eG', 10001, 'First GmbH', 'first contact');
call createHsOfficePartnerTestData('Hostsharing eG', 10002, 'Second e.K.', 'second contact');

@@ -1,11 +1,11 @@
-- ============================================================================
--changeset hs-office-bankaccount-MAIN-TABLE:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-bankaccount-MAIN-TABLE endDelimiter:--//
-- ----------------------------------------------------------------------------
create table hs_office_bankaccount
(
uuid uuid unique references RbacObject (uuid) initially deferred,
uuid uuid unique references rbac.object (uuid) initially deferred,
version int not null default 0,
holder varchar(64) not null,
iban varchar(34) not null,
@@ -15,8 +15,8 @@ create table hs_office_bankaccount
-- ============================================================================
--changeset hs-office-bankaccount-MAIN-TABLE-JOURNAL:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-bankaccount-MAIN-TABLE-JOURNAL endDelimiter:--//
-- ----------------------------------------------------------------------------
call create_journal('hs_office_bankaccount');
call base.create_journal('hs_office_bankaccount');
--//

@@ -32,12 +32,12 @@ end
user:creator ==> role:bankAccount:OWNER
%% granting roles to roles
role:global:ADMIN ==> role:bankAccount:OWNER
role:rbac.global:ADMIN ==> role:bankAccount:OWNER
role:bankAccount:OWNER ==> role:bankAccount:ADMIN
role:bankAccount:ADMIN ==> role:bankAccount:REFERRER
%% granting permissions to roles
role:global:GUEST ==> perm:bankAccount:INSERT
role:rbac.global:GUEST ==> perm:bankAccount:INSERT
role:bankAccount:OWNER ==> perm:bankAccount:DELETE
role:bankAccount:ADMIN ==> perm:bankAccount:UPDATE
role:bankAccount:REFERRER ==> perm:bankAccount:SELECT

@@ -3,21 +3,21 @@
-- ============================================================================
--changeset hs-office-bankaccount-rbac-OBJECT:1 endDelimiter:--//
--changeset RbacObjectGenerator:hs-office-bankaccount-rbac-OBJECT endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_bankaccount');
call rbac.generateRelatedRbacObject('hs_office_bankaccount');
--//
-- ============================================================================
--changeset hs-office-bankaccount-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
--changeset RbacRoleDescriptorsGenerator:hs-office-bankaccount-rbac-ROLE-DESCRIPTORS endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeBankAccount', 'hs_office_bankaccount');
call rbac.generateRbacRoleDescriptors('hsOfficeBankAccount', 'hs_office_bankaccount');
--//
-- ============================================================================
--changeset hs-office-bankaccount-rbac-insert-trigger:1 endDelimiter:--//
--changeset RolesGrantsAndPermissionsGenerator:hs-office-bankaccount-rbac-insert-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -32,28 +32,28 @@ create or replace procedure buildRbacSystemForHsOfficeBankAccount(
declare
begin
call enterTriggerForObjectUuid(NEW.uuid);
call rbac.enterTriggerForObjectUuid(NEW.uuid);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeBankAccountOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()],
userUuids => array[currentUserUuid()]
incomingSuperRoles => array[rbac.globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeBankAccountADMIN(NEW),
permissions => array['UPDATE'],
incomingSuperRoles => array[hsOfficeBankAccountOWNER(NEW)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeBankAccountREFERRER(NEW),
permissions => array['SELECT'],
incomingSuperRoles => array[hsOfficeBankAccountADMIN(NEW)]
);
call leaveTriggerForObjectUuid(NEW.uuid);
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$;
/*
@@ -77,10 +77,10 @@ execute procedure insertTriggerForHsOfficeBankAccount_tf();
-- ============================================================================
--changeset hs-office-bankaccount-rbac-IDENTITY-VIEW:1 endDelimiter:--//
--changeset RbacIdentityViewGenerator:hs-office-bankaccount-rbac-IDENTITY-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_office_bankaccount',
call rbac.generateRbacIdentityViewFromProjection('hs_office_bankaccount',
$idName$
iban
$idName$);
@@ -88,9 +88,9 @@ call generateRbacIdentityViewFromProjection('hs_office_bankaccount',
-- ============================================================================
--changeset hs-office-bankaccount-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
--changeset RbacRestrictedViewGenerator:hs-office-bankaccount-rbac-RESTRICTED-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_bankaccount',
call rbac.generateRbacRestrictedView('hs_office_bankaccount',
$orderBy$
iban
$orderBy$,

@@ -2,7 +2,7 @@
-- ============================================================================
--changeset hs-office-bankaccount-TEST-DATA-GENERATOR:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-bankaccount-TEST-DATA-GENERATOR endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -13,9 +13,9 @@ create or replace procedure createHsOfficeBankAccountTestData(givenHolder varcha
declare
emailAddr varchar;
begin
emailAddr = 'bankaccount-admin@' || cleanIdentifier(givenHolder) || '.example.com';
perform createRbacUser(emailAddr);
call defineContext('creating bankaccount test-data', null, emailAddr);
emailAddr = 'bankaccount-admin@' || base.cleanIdentifier(givenHolder) || '.example.com';
perform rbac.create_subject(emailAddr);
call base.defineContext('creating bankaccount test-data', null, emailAddr);
raise notice 'creating test bankaccount: %', givenHolder;
insert
@@ -26,12 +26,12 @@ end; $$;
-- ============================================================================
--changeset hs-office-bankaccount-TEST-DATA-GENERATION:1 context=dev,tc endDelimiter:--//
--changeset michael.hoennig:hs-office-bankaccount-TEST-DATA-GENERATION context=dev,tc endDelimiter:--//
-- ----------------------------------------------------------------------------
do language plpgsql $$
begin
call defineContext('creating bankaccount test-data');
call base.defineContext('creating bankaccount test-data');
-- IBANs+BICs taken from https://ibanvalidieren.de/beispiele.html
call createHsOfficeBankAccountTestData('First GmbH', 'DE02120300000000202051', 'BYLADEM1001');
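Review bot: The `createHsOfficeBankAccountTestData` procedure creates a new RBAC subject via `rbac.create_subject(emailAddr)` and then switches the session identity to it with `base.defineContext(...)`, yet its changeset `michael.hoennig:hs-office-bankaccount-TEST-DATA-GENERATOR` carries no `context=` filter; only the invocation changeset below is limited to `context=dev,tc`. As written, a procedure that can mint subjects and assume them is installed in every environment, including production, where it has no purpose. Unless something outside this hunk drops it, add `context=dev,tc` to the generator changeset as well, i.e. `--changeset michael.hoennig:hs-office-bankaccount-TEST-DATA-GENERATOR context=dev,tc endDelimiter:--//`, so the test-only code path does not exist on production databases.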

@@ -1,12 +1,12 @@
--liquibase formatted sql
-- ============================================================================
--changeset hs-office-debitor-MAIN-TABLE:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-debitor-MAIN-TABLE endDelimiter:--//
-- ----------------------------------------------------------------------------
create table hs_office_debitor
(
uuid uuid unique references RbacObject (uuid) initially deferred,
uuid uuid unique references rbac.object (uuid) initially deferred,
version int not null default 0,
debitorNumberSuffix char(2) not null check (debitorNumberSuffix::text ~ '^[0-9][0-9]$'),
debitorRelUuid uuid not null references hs_office_relation(uuid),
@@ -25,7 +25,7 @@ create table hs_office_debitor
-- ============================================================================
--changeset hs-office-debitor-DELETE-DEPENDENTS-TRIGGER:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-debitor-DELETE-DEPENDENTS-TRIGGER endDelimiter:--//
-- ----------------------------------------------------------------------------
/**
@@ -58,8 +58,8 @@ execute procedure deleteHsOfficeDependentsOnDebitorDelete();
-- ============================================================================
--changeset hs-office-debitor-MAIN-TABLE-JOURNAL:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-debitor-MAIN-TABLE-JOURNAL endDelimiter:--//
-- ----------------------------------------------------------------------------
call create_journal('hs_office_debitor');
call base.create_journal('hs_office_debitor');
--//

@@ -140,16 +140,16 @@ subgraph refundBankAccount["`**refundBankAccount**`"]
end
%% granting roles to roles
role:global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
role:rbac.global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
role:debitorRel.anchorPerson:OWNER -.-> role:debitorRel.anchorPerson:ADMIN
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel.anchorPerson:REFERRER
role:global:ADMIN -.-> role:debitorRel.holderPerson:OWNER
role:rbac.global:ADMIN -.-> role:debitorRel.holderPerson:OWNER
role:debitorRel.holderPerson:OWNER -.-> role:debitorRel.holderPerson:ADMIN
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER
role:global:ADMIN -.-> role:debitorRel.contact:OWNER
role:rbac.global:ADMIN -.-> role:debitorRel.contact:OWNER
role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
role:global:ADMIN -.-> role:debitorRel:OWNER
role:rbac.global:ADMIN -.-> role:debitorRel:OWNER
role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
role:debitorRel:AGENT -.-> role:debitorRel:TENANT
@@ -159,21 +159,21 @@ role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:OWNER
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
role:global:ADMIN -.-> role:refundBankAccount:OWNER
role:rbac.global:ADMIN -.-> role:refundBankAccount:OWNER
role:refundBankAccount:OWNER -.-> role:refundBankAccount:ADMIN
role:refundBankAccount:ADMIN -.-> role:refundBankAccount:REFERRER
role:refundBankAccount:ADMIN ==> role:debitorRel:AGENT
role:debitorRel:AGENT ==> role:refundBankAccount:REFERRER
role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
role:rbac.global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
role:rbac.global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
role:global:ADMIN -.-> role:partnerRel.contact:OWNER
role:rbac.global:ADMIN -.-> role:partnerRel.contact:OWNER
role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
role:global:ADMIN -.-> role:partnerRel:OWNER
role:rbac.global:ADMIN -.-> role:partnerRel:OWNER
role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
role:partnerRel:AGENT -.-> role:partnerRel:TENANT
@@ -188,7 +188,7 @@ role:partnerRel:AGENT ==> role:debitorRel:AGENT
role:debitorRel:AGENT ==> role:partnerRel:TENANT
%% granting permissions to roles
role:global:ADMIN ==> perm:debitor:INSERT
role:rbac.global:ADMIN ==> perm:debitor:INSERT
role:debitorRel:OWNER ==> perm:debitor:DELETE
role:debitorRel:ADMIN ==> perm:debitor:UPDATE
role:debitorRel:TENANT ==> perm:debitor:SELECT

@@ -3,21 +3,21 @@
-- ============================================================================
--changeset hs-office-debitor-rbac-OBJECT:1 endDelimiter:--//
--changeset RbacObjectGenerator:hs-office-debitor-rbac-OBJECT endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_debitor');
call rbac.generateRelatedRbacObject('hs_office_debitor');
--//
-- ============================================================================
--changeset hs-office-debitor-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
--changeset RbacRoleDescriptorsGenerator:hs-office-debitor-rbac-ROLE-DESCRIPTORS endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeDebitor', 'hs_office_debitor');
call rbac.generateRbacRoleDescriptors('hsOfficeDebitor', 'hs_office_debitor');
--//
-- ============================================================================
--changeset hs-office-debitor-rbac-insert-trigger:1 endDelimiter:--//
--changeset RolesGrantsAndPermissionsGenerator:hs-office-debitor-rbac-insert-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -35,7 +35,7 @@ declare
newRefundBankAccount hs_office_bankaccount;
begin
call enterTriggerForObjectUuid(NEW.uuid);
call rbac.enterTriggerForObjectUuid(NEW.uuid);
SELECT partnerRel.*
FROM hs_office_relation AS partnerRel
@@ -51,17 +51,17 @@ begin
SELECT * FROM hs_office_bankaccount WHERE uuid = NEW.refundBankAccountUuid INTO newRefundBankAccount;
call grantRoleToRole(hsOfficeBankAccountREFERRER(newRefundBankAccount), hsOfficeRelationAGENT(newDebitorRel));
call grantRoleToRole(hsOfficeRelationADMIN(newDebitorRel), hsOfficeRelationADMIN(newPartnerRel));
call grantRoleToRole(hsOfficeRelationAGENT(newDebitorRel), hsOfficeBankAccountADMIN(newRefundBankAccount));
call grantRoleToRole(hsOfficeRelationAGENT(newDebitorRel), hsOfficeRelationAGENT(newPartnerRel));
call grantRoleToRole(hsOfficeRelationTENANT(newPartnerRel), hsOfficeRelationAGENT(newDebitorRel));
call rbac.grantRoleToRole(hsOfficeBankAccountREFERRER(newRefundBankAccount), hsOfficeRelationAGENT(newDebitorRel));
call rbac.grantRoleToRole(hsOfficeRelationADMIN(newDebitorRel), hsOfficeRelationADMIN(newPartnerRel));
call rbac.grantRoleToRole(hsOfficeRelationAGENT(newDebitorRel), hsOfficeBankAccountADMIN(newRefundBankAccount));
call rbac.grantRoleToRole(hsOfficeRelationAGENT(newDebitorRel), hsOfficeRelationAGENT(newPartnerRel));
call rbac.grantRoleToRole(hsOfficeRelationTENANT(newPartnerRel), hsOfficeRelationAGENT(newDebitorRel));
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newDebitorRel));
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newDebitorRel));
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newDebitorRel));
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newDebitorRel));
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newDebitorRel));
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newDebitorRel));
call leaveTriggerForObjectUuid(NEW.uuid);
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$;
/*
@@ -85,7 +85,7 @@ execute procedure insertTriggerForHsOfficeDebitor_tf();
-- ============================================================================
--changeset hs-office-debitor-rbac-update-trigger:1 endDelimiter:--//
--changeset RolesGrantsAndPermissionsGenerator:hs-office-debitor-rbac-update-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -101,7 +101,7 @@ begin
if NEW.debitorRelUuid is distinct from OLD.debitorRelUuid
or NEW.refundBankAccountUuid is distinct from OLD.refundBankAccountUuid then
delete from rbacgrants g where g.grantedbytriggerof = OLD.uuid;
delete from rbac.grants g where g.grantedbytriggerof = OLD.uuid;
call buildRbacSystemForHsOfficeDebitor(NEW);
end if;
end; $$;
@@ -127,26 +127,26 @@ execute procedure updateTriggerForHsOfficeDebitor_tf();
-- ============================================================================
--changeset hs-office-debitor-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
--changeset InsertTriggerGenerator:hs-office-debitor-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
-- ----------------------------------------------------------------------------
-- granting INSERT permission to global ----------------------------
-- granting INSERT permission to rbac.global ----------------------------
/*
Grants INSERT INTO hs_office_debitor permissions to specified role of pre-existing global rows.
Grants INSERT INTO hs_office_debitor permissions to specified role of pre-existing rbac.global rows.
*/
do language plpgsql $$
declare
row global;
row rbac.global;
begin
call defineContext('create INSERT INTO hs_office_debitor permissions for pre-exising global rows');
call base.defineContext('create INSERT INTO hs_office_debitor permissions for pre-exising rbac.global rows');
FOR row IN SELECT * FROM global
FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table
LOOP
call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
globalADMIN());
call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_debitor'),
rbac.globalADMIN());
END LOOP;
end;
$$;
@@ -154,28 +154,28 @@ $$;
/**
Grants hs_office_debitor INSERT permission to specified role of new global rows.
*/
create or replace function new_hs_office_debitor_grants_insert_to_global_tf()
create or replace function rbac.new_hsof_debitor_grants_insert_to_global_tf()
returns trigger
language plpgsql
strict as $$
begin
-- unconditional for all rows in that table
call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
globalADMIN());
call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_debitor'),
rbac.globalADMIN());
-- end.
return NEW;
end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_debitor_grants_insert_to_global_tg
after insert on global
create trigger z_new_hs_office_debitor_grants_after_insert_tg
after insert on rbac.global
for each row
execute procedure new_hs_office_debitor_grants_insert_to_global_tf();
execute procedure rbac.new_hsof_debitor_grants_insert_to_global_tf();
-- ============================================================================
--changeset hs_office_debitor-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
--changeset InsertTriggerGenerator:hs_office_debitor-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
-- ----------------------------------------------------------------------------
/**
@@ -187,13 +187,13 @@ create or replace function hs_office_debitor_insert_permission_check_tf()
declare
superObjectUuid uuid;
begin
-- check INSERT INSERT if global ADMIN
if isGlobalAdmin() then
-- check INSERT INSERT if rbac.global ADMIN
if rbac.isGlobalAdmin() then
return NEW;
end if;
raise exception '[403] insert into hs_office_debitor values(%) not allowed for current subjects % (%)',
NEW, currentSubjects(), currentSubjectsUuids();
NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$;
create trigger hs_office_debitor_insert_permission_check_tg
@@ -204,10 +204,10 @@ create trigger hs_office_debitor_insert_permission_check_tg
-- ============================================================================
--changeset hs-office-debitor-rbac-IDENTITY-VIEW:1 endDelimiter:--//
--changeset RbacIdentityViewGenerator:hs-office-debitor-rbac-IDENTITY-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromQuery('hs_office_debitor',
call rbac.generateRbacIdentityViewFromQuery('hs_office_debitor',
$idName$
SELECT debitor.uuid AS uuid,
'D-' || (SELECT partner.partnerNumber
@@ -224,9 +224,9 @@ call generateRbacIdentityViewFromQuery('hs_office_debitor',
-- ============================================================================
--changeset hs-office-debitor-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
--changeset RbacRestrictedViewGenerator:hs-office-debitor-rbac-RESTRICTED-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_debitor',
call rbac.generateRbacRestrictedView('hs_office_debitor',
$orderBy$
defaultPrefix
$orderBy$,
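Review bot: The trigger function introduced as `create or replace function rbac.new_hsof_debitor_grants_insert_to_global_tf()` is hs_office-specific code placed into the generic `rbac` schema, while its sepamandate counterpart in the same commit (`new_hsof_sepamandate_grants_insert_to_hsof_relation_tf`) stays unqualified. Moving module logic into the schema that holds the authorization core blurs exactly the boundary this commit is introducing: any privilege handling done per schema (ownership or EXECUTE grants on `rbac.*`) presumably covers this function as well, and someone rebuilding or resetting the rbac schema would take a debitor trigger with it. I would keep the function in the default (or a future hs_office) schema and only schema-qualify the trigger target, i.e. `after insert on rbac.global` with `execute procedure new_hsof_debitor_grants_insert_to_global_tf();`. Separately, the `[403]` exception still interpolates the whole `NEW` row; if that message reaches API callers or logs, reducing it to `NEW.uuid` avoids echoing row contents.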

@@ -2,7 +2,7 @@
-- ============================================================================
--changeset hs-office-debitor-TEST-DATA-GENERATOR:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-debitor-TEST-DATA-GENERATOR endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -20,7 +20,7 @@ declare
relatedDebitorRelUuid uuid;
relatedBankAccountUuid uuid;
begin
idName := cleanIdentifier( forPartnerPersonName|| '-' || forBillingContactCaption);
idName := base.cleanIdentifier( forPartnerPersonName|| '-' || forBillingContactCaption);
select debitorRel.uuid
into relatedDebitorRelUuid
@@ -45,12 +45,12 @@ end; $$;
-- ============================================================================
--changeset hs-office-debitor-TEST-DATA-GENERATION:1 context=dev,tc endDelimiter:--//
--changeset michael.hoennig:hs-office-debitor-TEST-DATA-GENERATION context=dev,tc endDelimiter:--//
-- ----------------------------------------------------------------------------
do language plpgsql $$
begin
call defineContext('creating debitor test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
call base.defineContext('creating debitor test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
call createHsOfficeDebitorTestData(11, 'First GmbH', 'first contact', 'fir');
call createHsOfficeDebitorTestData(12, 'Second e.K.', 'second contact', 'sec');

@@ -1,12 +1,12 @@
--liquibase formatted sql
-- ============================================================================
--changeset hs-office-sepamandate-MAIN-TABLE:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-sepamandate-MAIN-TABLE endDelimiter:--//
-- ----------------------------------------------------------------------------
create table if not exists hs_office_sepamandate
(
uuid uuid unique references RbacObject (uuid) initially deferred,
uuid uuid unique references rbac.object (uuid) initially deferred,
version int not null default 0,
debitorUuid uuid not null references hs_office_debitor(uuid),
bankAccountUuid uuid not null references hs_office_bankaccount(uuid),
@@ -18,8 +18,8 @@ create table if not exists hs_office_sepamandate
-- ============================================================================
--changeset hs-office-sepamandate-MAIN-TABLE-JOURNAL:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-sepamandate-MAIN-TABLE-JOURNAL endDelimiter:--//
-- ----------------------------------------------------------------------------
call create_journal('hs_office_sepamandate');
call base.create_journal('hs_office_sepamandate');
--//

@@ -99,16 +99,16 @@ end
user:creator ==> role:sepaMandate:OWNER
%% granting roles to roles
role:global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
role:rbac.global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
role:debitorRel.anchorPerson:OWNER -.-> role:debitorRel.anchorPerson:ADMIN
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel.anchorPerson:REFERRER
role:global:ADMIN -.-> role:debitorRel.holderPerson:OWNER
role:rbac.global:ADMIN -.-> role:debitorRel.holderPerson:OWNER
role:debitorRel.holderPerson:OWNER -.-> role:debitorRel.holderPerson:ADMIN
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER
role:global:ADMIN -.-> role:debitorRel.contact:OWNER
role:rbac.global:ADMIN -.-> role:debitorRel.contact:OWNER
role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
role:global:ADMIN -.-> role:debitorRel:OWNER
role:rbac.global:ADMIN -.-> role:debitorRel:OWNER
role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
role:debitorRel:AGENT -.-> role:debitorRel:TENANT
@@ -118,10 +118,10 @@ role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:OWNER
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
role:global:ADMIN -.-> role:bankAccount:OWNER
role:rbac.global:ADMIN -.-> role:bankAccount:OWNER
role:bankAccount:OWNER -.-> role:bankAccount:ADMIN
role:bankAccount:ADMIN -.-> role:bankAccount:REFERRER
role:global:ADMIN ==> role:sepaMandate:OWNER
role:rbac.global:ADMIN ==> role:sepaMandate:OWNER
role:sepaMandate:OWNER ==> role:sepaMandate:ADMIN
role:sepaMandate:ADMIN ==> role:sepaMandate:AGENT
role:sepaMandate:AGENT ==> role:bankAccount:REFERRER

@@ -3,21 +3,21 @@
-- ============================================================================
--changeset hs-office-sepamandate-rbac-OBJECT:1 endDelimiter:--//
--changeset RbacObjectGenerator:hs-office-sepamandate-rbac-OBJECT endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_sepamandate');
call rbac.generateRelatedRbacObject('hs_office_sepamandate');
--//
-- ============================================================================
--changeset hs-office-sepamandate-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
--changeset RbacRoleDescriptorsGenerator:hs-office-sepamandate-rbac-ROLE-DESCRIPTORS endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeSepaMandate', 'hs_office_sepamandate');
call rbac.generateRbacRoleDescriptors('hsOfficeSepaMandate', 'hs_office_sepamandate');
--//
-- ============================================================================
--changeset hs-office-sepamandate-rbac-insert-trigger:1 endDelimiter:--//
--changeset RolesGrantsAndPermissionsGenerator:hs-office-sepamandate-rbac-insert-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -34,7 +34,7 @@ declare
newDebitorRel hs_office_relation;
begin
call enterTriggerForObjectUuid(NEW.uuid);
call rbac.enterTriggerForObjectUuid(NEW.uuid);
SELECT * FROM hs_office_bankaccount WHERE uuid = NEW.bankAccountUuid INTO newBankAccount;
assert newBankAccount.uuid is not null, format('newBankAccount must not be null for NEW.bankAccountUuid = %s', NEW.bankAccountUuid);
@@ -47,20 +47,20 @@ begin
assert newDebitorRel.uuid is not null, format('newDebitorRel must not be null for NEW.debitorUuid = %s', NEW.debitorUuid);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeSepaMandateOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()],
userUuids => array[currentUserUuid()]
incomingSuperRoles => array[rbac.globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeSepaMandateADMIN(NEW),
permissions => array['UPDATE'],
incomingSuperRoles => array[hsOfficeSepaMandateOWNER(NEW)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeSepaMandateAGENT(NEW),
incomingSuperRoles => array[hsOfficeSepaMandateADMIN(NEW)],
outgoingSubRoles => array[
@@ -68,7 +68,7 @@ begin
hsOfficeRelationAGENT(newDebitorRel)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeSepaMandateREFERRER(NEW),
permissions => array['SELECT'],
incomingSuperRoles => array[
@@ -78,7 +78,7 @@ begin
outgoingSubRoles => array[hsOfficeRelationTENANT(newDebitorRel)]
);
call leaveTriggerForObjectUuid(NEW.uuid);
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$;
/*
@@ -102,7 +102,7 @@ execute procedure insertTriggerForHsOfficeSepaMandate_tf();
-- ============================================================================
--changeset hs-office-sepamandate-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
--changeset InsertTriggerGenerator:hs-office-sepamandate-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
-- ----------------------------------------------------------------------------
-- granting INSERT permission to hs_office_relation ----------------------------
@@ -114,13 +114,13 @@ do language plpgsql $$
declare
row hs_office_relation;
begin
call defineContext('create INSERT INTO hs_office_sepamandate permissions for pre-exising hs_office_relation rows');
call base.defineContext('create INSERT INTO hs_office_sepamandate permissions for pre-exising hs_office_relation rows');
FOR row IN SELECT * FROM hs_office_relation
WHERE type = 'DEBITOR'
LOOP
call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_office_sepamandate'),
call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_sepamandate'),
hsOfficeRelationADMIN(row));
END LOOP;
end;
@@ -129,28 +129,28 @@ $$;
/**
Grants hs_office_sepamandate INSERT permission to specified role of new hs_office_relation rows.
*/
create or replace function new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tf()
create or replace function new_hsof_sepamandate_grants_insert_to_hsof_relation_tf()
returns trigger
language plpgsql
strict as $$
begin
if NEW.type = 'DEBITOR' then
call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'),
call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'),
hsOfficeRelationADMIN(NEW));
end if;
return NEW;
end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tg
create trigger z_new_hs_office_sepamandate_grants_after_insert_tg
after insert on hs_office_relation
for each row
execute procedure new_hs_office_sepamandate_grants_insert_to_hs_office_relation_tf();
execute procedure new_hsof_sepamandate_grants_insert_to_hsof_relation_tf();
-- ============================================================================
--changeset hs_office_sepamandate-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
--changeset InsertTriggerGenerator:hs_office_sepamandate-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
-- ----------------------------------------------------------------------------
/**
@@ -169,12 +169,12 @@ begin
WHERE debitor.uuid = NEW.debitorUuid
);
assert superObjectUuid is not null, 'object uuid fetched depending on hs_office_sepamandate.debitorUuid must not be null, also check fetchSql in RBAC DSL';
if hasInsertPermission(superObjectUuid, 'hs_office_sepamandate') then
if rbac.hasInsertPermission(superObjectUuid, 'hs_office_sepamandate') then
return NEW;
end if;
raise exception '[403] insert into hs_office_sepamandate values(%) not allowed for current subjects % (%)',
NEW, currentSubjects(), currentSubjectsUuids();
NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$;
create trigger hs_office_sepamandate_insert_permission_check_tg
@@ -185,10 +185,10 @@ create trigger hs_office_sepamandate_insert_permission_check_tg
-- ============================================================================
--changeset hs-office-sepamandate-rbac-IDENTITY-VIEW:1 endDelimiter:--//
--changeset RbacIdentityViewGenerator:hs-office-sepamandate-rbac-IDENTITY-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromQuery('hs_office_sepamandate',
call rbac.generateRbacIdentityViewFromQuery('hs_office_sepamandate',
$idName$
select sm.uuid as uuid, ba.iban || '-' || sm.validity as idName
from hs_office_sepamandate sm
@@ -198,9 +198,9 @@ call generateRbacIdentityViewFromQuery('hs_office_sepamandate',
-- ============================================================================
--changeset hs-office-sepamandate-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
--changeset RbacRestrictedViewGenerator:hs-office-sepamandate-rbac-RESTRICTED-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_sepamandate',
call rbac.generateRbacRestrictedView('hs_office_sepamandate',
$orderBy$
validity
$orderBy$,
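Review bot: The INSERT permission for hs_office_sepamandate is granted only in the AFTER INSERT trigger on hs_office_relation (`if NEW.type = 'DEBITOR' then ... hsOfficeRelationADMIN(NEW)`), so it reflects the relation's type at creation time only. If `type` can later be updated away from or to 'DEBITOR', the permission is neither revoked nor granted, and the ADMIN role of a former debitor relation keeps the right to create SEPA mandates; whether `type` is mutable is not visible in this hunk, so please confirm. If it is, an update trigger following the debitor pattern (`delete from rbac.grants g where g.grantedbytriggerof = OLD.uuid` followed by re-granting) would close the gap. Also note that `assert superObjectUuid is not null, ...` in the permission-check function is a debugging aid rather than a control: with `plpgsql.check_asserts` off it is skipped and the insert is guarded only by the fall-through into `rbac.hasInsertPermission(...)` and the `[403]` exception, which is worth stating in a comment there.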

@@ -4,7 +4,7 @@
-- Once we don't need the external remote views anymore, create revert changesets.
-- ============================================================================
--changeset hs-office-sepamandate-MIGRATION-mapping:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-sepamandate-MIGRATION-mapping endDelimiter:--//
-- ----------------------------------------------------------------------------
CREATE TABLE hs_office_sepamandate_legacy_id
@@ -16,7 +16,7 @@ CREATE TABLE hs_office_sepamandate_legacy_id
-- ============================================================================
--changeset hs-office-sepamandate-MIGRATION-sequence:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-sepamandate-MIGRATION-sequence endDelimiter:--//
-- ----------------------------------------------------------------------------
CREATE SEQUENCE IF NOT EXISTS hs_office_sepamandate_legacy_id_seq
@@ -27,7 +27,7 @@ CREATE SEQUENCE IF NOT EXISTS hs_office_sepamandate_legacy_id_seq
-- ============================================================================
--changeset hs-office-sepamandate-MIGRATION-default:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-sepamandate-MIGRATION-default endDelimiter:--//
-- ----------------------------------------------------------------------------
ALTER TABLE hs_office_sepamandate_legacy_id
@@ -38,17 +38,17 @@ ALTER TABLE hs_office_sepamandate_legacy_id
-- ============================================================================
--changeset hs-office-sepamandate-MIGRATION-insert:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-sepamandate-MIGRATION-insert endDelimiter:--//
-- ----------------------------------------------------------------------------
CALL defineContext('schema-migration');
CALL base.defineContext('schema-migration');
INSERT INTO hs_office_sepamandate_legacy_id(uuid, sepa_mandate_id)
SELECT uuid, nextVal('hs_office_sepamandate_legacy_id_seq') FROM hs_office_sepamandate;
--/
-- ============================================================================
--changeset hs-office-sepamandate-MIGRATION-insert-trigger:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-sepamandate-MIGRATION-insert-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace function insertSepaMandateLegacyIdMapping()
returns trigger
@@ -73,7 +73,7 @@ create trigger createSepaMandateLegacyIdMapping
-- ============================================================================
--changeset hs-office-sepamandate-MIGRATION-delete-trigger:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-sepamandate-MIGRATION-delete-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace function deleteSepaMandateLegacyIdMapping()
returns trigger
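Review bot: Every changeset header in this file changes its Liquibase identity: `--changeset hs-office-sepamandate-MIGRATION-insert:1` (author `hs-office-sepamandate-MIGRATION-insert`, id `1`) becomes `--changeset michael.hoennig:hs-office-sepamandate-MIGRATION-insert` (author `michael.hoennig`, id `hs-office-sepamandate-MIGRATION-insert`). Liquibase keys DATABASECHANGELOG on (id, author, file), so on a database already migrated under the old headers these are new changesets and would execute again; for this file that means re-running `INSERT INTO hs_office_sepamandate_legacy_id(uuid, sepa_mandate_id) SELECT uuid, nextVal('hs_office_sepamandate_legacy_id_seq') FROM hs_office_sepamandate;`, which would assign a second legacy id to every existing mandate (or fail on a unique constraint, if the table has one — not visible here). If all target databases are rebuilt from scratch this is harmless, but otherwise the old identities should be preserved or a changelog-sync step performed before deploying, and that assumption deserves a comment next to the first renamed changeset.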

@@ -2,7 +2,7 @@
-- ============================================================================
--changeset hs-office-sepaMandate-TEST-DATA-GENERATOR:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-sepaMandate-TEST-DATA-GENERATOR endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -38,12 +38,12 @@ end; $$;
-- ============================================================================
--changeset hs-office-sepaMandate-TEST-DATA-GENERATION:1 context=dev,tc endDelimiter:--//
--changeset michael.hoennig:hs-office-sepaMandate-TEST-DATA-GENERATION context=dev,tc endDelimiter:--//
-- ----------------------------------------------------------------------------
do language plpgsql $$
begin
call defineContext('creating SEPA-mandate test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
call base.defineContext('creating SEPA-mandate test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
call createHsOfficeSepaMandateTestData(10001, '11', 'DE02120300000000202051', 'ref-10001-11');
call createHsOfficeSepaMandateTestData(10002, '12', 'DE02100500000054540402', 'ref-10002-12');

@@ -1,7 +1,7 @@
--liquibase formatted sql
-- ============================================================================
--changeset hs-office-membership-MAIN-TABLE:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-membership-MAIN-TABLE endDelimiter:--//
-- ----------------------------------------------------------------------------
CREATE TYPE HsOfficeMembershipStatus AS ENUM (
@@ -19,7 +19,7 @@ CREATE CAST (character varying as HsOfficeMembershipStatus) WITH INOUT AS IMPLIC
create table if not exists hs_office_membership
(
uuid uuid unique references RbacObject (uuid) initially deferred,
uuid uuid unique references rbac.object (uuid) initially deferred,
version int not null default 0,
partnerUuid uuid not null references hs_office_partner(uuid),
memberNumberSuffix char(2) not null check (memberNumberSuffix::text ~ '^[0-9][0-9]$'),
@@ -33,8 +33,8 @@ create table if not exists hs_office_membership
-- ============================================================================
--changeset hs-office-membership-MAIN-TABLE-JOURNAL:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-membership-MAIN-TABLE-JOURNAL endDelimiter:--//
-- ----------------------------------------------------------------------------
call create_journal('hs_office_membership');
call base.create_journal('hs_office_membership');
--//

@@ -85,16 +85,16 @@ end
user:creator ==> role:membership:OWNER
%% granting roles to roles
role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
role:rbac.global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
role:rbac.global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
role:global:ADMIN -.-> role:partnerRel.contact:OWNER
role:rbac.global:ADMIN -.-> role:partnerRel.contact:OWNER
role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
role:global:ADMIN -.-> role:partnerRel:OWNER
role:rbac.global:ADMIN -.-> role:partnerRel:OWNER
role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
role:partnerRel:AGENT -.-> role:partnerRel:TENANT
@@ -111,7 +111,7 @@ role:partnerRel:AGENT ==> role:membership:AGENT
role:membership:AGENT ==> role:partnerRel:TENANT
%% granting permissions to roles
role:global:ADMIN ==> perm:membership:INSERT
role:rbac.global:ADMIN ==> perm:membership:INSERT
role:membership:ADMIN ==> perm:membership:DELETE
role:membership:ADMIN ==> perm:membership:UPDATE
role:membership:AGENT ==> perm:membership:SELECT

@@ -3,21 +3,21 @@
-- ============================================================================
--changeset hs-office-membership-rbac-OBJECT:1 endDelimiter:--//
--changeset RbacObjectGenerator:hs-office-membership-rbac-OBJECT endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_membership');
call rbac.generateRelatedRbacObject('hs_office_membership');
--//
-- ============================================================================
--changeset hs-office-membership-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
--changeset RbacRoleDescriptorsGenerator:hs-office-membership-rbac-ROLE-DESCRIPTORS endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeMembership', 'hs_office_membership');
call rbac.generateRbacRoleDescriptors('hsOfficeMembership', 'hs_office_membership');
--//
-- ============================================================================
--changeset hs-office-membership-rbac-insert-trigger:1 endDelimiter:--//
--changeset RolesGrantsAndPermissionsGenerator:hs-office-membership-rbac-insert-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -33,7 +33,7 @@ declare
newPartnerRel hs_office_relation;
begin
call enterTriggerForObjectUuid(NEW.uuid);
call rbac.enterTriggerForObjectUuid(NEW.uuid);
SELECT partnerRel.*
FROM hs_office_partner AS partner
@@ -43,12 +43,12 @@ begin
assert newPartnerRel.uuid is not null, format('newPartnerRel must not be null for NEW.partnerUuid = %s', NEW.partnerUuid);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeMembershipOWNER(NEW),
userUuids => array[currentUserUuid()]
subjectUuids => array[rbac.currentSubjectUuid()]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeMembershipADMIN(NEW),
permissions => array['DELETE', 'UPDATE'],
incomingSuperRoles => array[
@@ -56,7 +56,7 @@ begin
hsOfficeRelationADMIN(newPartnerRel)]
);
perform createRoleWithGrants(
perform rbac.defineRoleWithGrants(
hsOfficeMembershipAGENT(NEW),
permissions => array['SELECT'],
incomingSuperRoles => array[
@@ -65,7 +65,7 @@ begin
outgoingSubRoles => array[hsOfficeRelationTENANT(newPartnerRel)]
);
call leaveTriggerForObjectUuid(NEW.uuid);
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$;
/*
@@ -89,26 +89,26 @@ execute procedure insertTriggerForHsOfficeMembership_tf();
-- ============================================================================
--changeset hs-office-membership-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
--changeset InsertTriggerGenerator:hs-office-membership-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
-- ----------------------------------------------------------------------------
-- granting INSERT permission to global ----------------------------
-- granting INSERT permission to rbac.global ----------------------------
/*
Grants INSERT INTO hs_office_membership permissions to specified role of pre-existing global rows.
Grants INSERT INTO hs_office_membership permissions to specified role of pre-existing rbac.global rows.
*/
do language plpgsql $$
declare
row global;
row rbac.global;
begin
call defineContext('create INSERT INTO hs_office_membership permissions for pre-exising global rows');
call base.defineContext('create INSERT INTO hs_office_membership permissions for pre-exising rbac.global rows');
FOR row IN SELECT * FROM global
FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table
LOOP
call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
globalADMIN());
call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_membership'),
rbac.globalADMIN());
END LOOP;
end;
$$;
@@ -116,28 +116,28 @@ $$;
/**
Grants hs_office_membership INSERT permission to specified role of new global rows.
*/
create or replace function new_hs_office_membership_grants_insert_to_global_tf()
create or replace function rbac.new_hsof_membership_grants_insert_to_global_tf()
returns trigger
language plpgsql
strict as $$
begin
-- unconditional for all rows in that table
call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
globalADMIN());
call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_membership'),
rbac.globalADMIN());
-- end.
return NEW;
end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_membership_grants_insert_to_global_tg
after insert on global
create trigger z_new_hs_office_membership_grants_after_insert_tg
after insert on rbac.global
for each row
execute procedure new_hs_office_membership_grants_insert_to_global_tf();
execute procedure rbac.new_hsof_membership_grants_insert_to_global_tf();
-- ============================================================================
--changeset hs_office_membership-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
--changeset InsertTriggerGenerator:hs_office_membership-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
-- ----------------------------------------------------------------------------
/**
@@ -149,13 +149,13 @@ create or replace function hs_office_membership_insert_permission_check_tf()
declare
superObjectUuid uuid;
begin
-- check INSERT INSERT if global ADMIN
if isGlobalAdmin() then
-- check INSERT INSERT if rbac.global ADMIN
if rbac.isGlobalAdmin() then
return NEW;
end if;
raise exception '[403] insert into hs_office_membership values(%) not allowed for current subjects % (%)',
NEW, currentSubjects(), currentSubjectsUuids();
NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$;
create trigger hs_office_membership_insert_permission_check_tg
@@ -166,10 +166,10 @@ create trigger hs_office_membership_insert_permission_check_tg
-- ============================================================================
--changeset hs-office-membership-rbac-IDENTITY-VIEW:1 endDelimiter:--//
--changeset RbacIdentityViewGenerator:hs-office-membership-rbac-IDENTITY-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromQuery('hs_office_membership',
call rbac.generateRbacIdentityViewFromQuery('hs_office_membership',
$idName$
SELECT m.uuid AS uuid,
'M-' || p.partnerNumber || m.memberNumberSuffix as idName
@@ -180,9 +180,9 @@ call generateRbacIdentityViewFromQuery('hs_office_membership',
-- ============================================================================
--changeset hs-office-membership-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
--changeset RbacRestrictedViewGenerator:hs-office-membership-rbac-RESTRICTED-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_membership',
call rbac.generateRbacRestrictedView('hs_office_membership',
$orderBy$
validity
$orderBy$,
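Review bot: Every `--changeset` header in this section changes its Liquibase identity, e.g. `--changeset hs-office-membership-rbac-OBJECT:1` (author `hs-office-membership-rbac-OBJECT`, id `1`) becomes `--changeset RbacObjectGenerator:hs-office-membership-rbac-OBJECT` (author `RbacObjectGenerator`, id `hs-office-membership-rbac-OBJECT`), and Liquibase tracks applied changesets by author, id and file path. On any database that has already run the old headers, all of these would be seen as unapplied and executed again, and the plain `create trigger hs_office_membership_insert_permission_check_tg` would then fail on the already-existing trigger; if the change assumes every database is rebuilt from scratch, that assumption belongs in the commit description, otherwise each changeset needs a `--preconditions onFail:MARK_RAN` guard. The same applies to every other changeset header in this diff. Separately, the permission-check `raise exception '[403] insert into hs_office_membership values(%) ...'` whose argument line is changed here still interpolates the complete `NEW` record into the error text; since that text is presumably surfaced to the caller as the 403 response, reporting `NEW.uuid` instead of the whole row would avoid echoing column values back to a subject who has just been denied access.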

@@ -2,7 +2,7 @@
-- ============================================================================
--changeset hs-office-membership-TEST-DATA-GENERATOR:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-membership-TEST-DATA-GENERATOR endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -28,12 +28,12 @@ end; $$;
-- ============================================================================
--changeset hs-office-membership-TEST-DATA-GENERATION:1 context=dev,tc endDelimiter:--//
--changeset michael.hoennig:hs-office-membership-TEST-DATA-GENERATION context=dev,tc endDelimiter:--//
-- ----------------------------------------------------------------------------
do language plpgsql $$
begin
call defineContext('creating Membership test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
call base.defineContext('creating Membership test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
call createHsOfficeMembershipTestData(10001, '01');
call createHsOfficeMembershipTestData(10002, '02');

@@ -1,7 +1,7 @@
--liquibase formatted sql
-- ============================================================================
--changeset hs-office-coopshares-MAIN-TABLE:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-coopshares-MAIN-TABLE endDelimiter:--//
-- ----------------------------------------------------------------------------
CREATE TYPE HsOfficeCoopSharesTransactionType AS ENUM ('ADJUSTMENT', 'SUBSCRIPTION', 'CANCELLATION');
@@ -10,7 +10,7 @@ CREATE CAST (character varying as HsOfficeCoopSharesTransactionType) WITH INOUT
create table if not exists hs_office_coopsharestransaction
(
uuid uuid unique references RbacObject (uuid) initially deferred,
uuid uuid unique references rbac.object (uuid) initially deferred,
version int not null default 0,
membershipUuid uuid not null references hs_office_membership(uuid),
transactionType HsOfficeCoopSharesTransactionType not null,
@@ -23,7 +23,7 @@ create table if not exists hs_office_coopsharestransaction
--//
-- ============================================================================
--changeset hs-office-coopshares-BUSINESS-RULES:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-coopshares-BUSINESS-RULES endDelimiter:--//
-- ----------------------------------------------------------------------------
alter table hs_office_coopsharestransaction
@@ -33,7 +33,7 @@ alter table hs_office_coopsharestransaction
--//
-- ============================================================================
--changeset hs-office-coopshares-SHARE-COUNT-CONSTRAINT:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-coopshares-SHARE-COUNT-CONSTRAINT endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace function checkSharesByMembershipUuid(forMembershipUuid UUID, newShareCount integer)
@@ -61,8 +61,8 @@ alter table hs_office_coopsharestransaction
--//
-- ============================================================================
--changeset hs-office-coopshares-MAIN-TABLE-JOURNAL:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-coopshares-MAIN-TABLE-JOURNAL endDelimiter:--//
-- ----------------------------------------------------------------------------
call create_journal('hs_office_coopsharestransaction');
call base.create_journal('hs_office_coopsharestransaction');
--//

@@ -86,16 +86,16 @@ subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPers
end
%% granting roles to roles
role:global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
role:rbac.global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN
role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER
role:global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER
role:rbac.global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER
role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN
role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER
role:global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
role:rbac.global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN
role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER
role:global:ADMIN -.-> role:membership.partnerRel:OWNER
role:rbac.global:ADMIN -.-> role:membership.partnerRel:OWNER
role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN
role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT
role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT

@@ -3,21 +3,21 @@
-- ============================================================================
--changeset hs-office-coopsharestransaction-rbac-OBJECT:1 endDelimiter:--//
--changeset RbacObjectGenerator:hs-office-coopsharestransaction-rbac-OBJECT endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_coopsharestransaction');
call rbac.generateRelatedRbacObject('hs_office_coopsharestransaction');
--//
-- ============================================================================
--changeset hs-office-coopsharestransaction-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
--changeset RbacRoleDescriptorsGenerator:hs-office-coopsharestransaction-rbac-ROLE-DESCRIPTORS endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeCoopSharesTransaction', 'hs_office_coopsharestransaction');
call rbac.generateRbacRoleDescriptors('hsOfficeCoopSharesTransaction', 'hs_office_coopsharestransaction');
--//
-- ============================================================================
--changeset hs-office-coopsharestransaction-rbac-insert-trigger:1 endDelimiter:--//
--changeset RolesGrantsAndPermissionsGenerator:hs-office-coopsharestransaction-rbac-insert-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -33,15 +33,15 @@ declare
newMembership hs_office_membership;
begin
call enterTriggerForObjectUuid(NEW.uuid);
call rbac.enterTriggerForObjectUuid(NEW.uuid);
SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership;
assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
call leaveTriggerForObjectUuid(NEW.uuid);
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$;
/*
@@ -65,7 +65,7 @@ execute procedure insertTriggerForHsOfficeCoopSharesTransaction_tf();
-- ============================================================================
--changeset hs-office-coopsharestransaction-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
--changeset InsertTriggerGenerator:hs-office-coopsharestransaction-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
-- ----------------------------------------------------------------------------
-- granting INSERT permission to hs_office_membership ----------------------------
@@ -77,13 +77,13 @@ do language plpgsql $$
declare
row hs_office_membership;
begin
call defineContext('create INSERT INTO hs_office_coopsharestransaction permissions for pre-exising hs_office_membership rows');
call base.defineContext('create INSERT INTO hs_office_coopsharestransaction permissions for pre-exising hs_office_membership rows');
FOR row IN SELECT * FROM hs_office_membership
-- unconditional for all rows in that table
LOOP
call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
hsOfficeMembershipADMIN(row));
END LOOP;
end;
@@ -92,28 +92,28 @@ $$;
/**
Grants hs_office_coopsharestransaction INSERT permission to specified role of new hs_office_membership rows.
*/
create or replace function new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tf()
create or replace function new_hsof_coopsharetx_grants_insert_to_hsof_membership_tf()
returns trigger
language plpgsql
strict as $$
begin
-- unconditional for all rows in that table
call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_coopsharestransaction'),
hsOfficeMembershipADMIN(NEW));
-- end.
return NEW;
end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tg
create trigger z_new_hs_office_coopsharestransaction_grants_after_insert_tg
after insert on hs_office_membership
for each row
execute procedure new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tf();
execute procedure new_hsof_coopsharetx_grants_insert_to_hsof_membership_tf();
-- ============================================================================
--changeset hs_office_coopsharestransaction-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
--changeset InsertTriggerGenerator:hs_office_coopsharestransaction-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
-- ----------------------------------------------------------------------------
/**
@@ -126,12 +126,12 @@ declare
superObjectUuid uuid;
begin
-- check INSERT permission via direct foreign key: NEW.membershipUuid
if hasInsertPermission(NEW.membershipUuid, 'hs_office_coopsharestransaction') then
if rbac.hasInsertPermission(NEW.membershipUuid, 'hs_office_coopsharestransaction') then
return NEW;
end if;
raise exception '[403] insert into hs_office_coopsharestransaction values(%) not allowed for current subjects % (%)',
NEW, currentSubjects(), currentSubjectsUuids();
NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$;
create trigger hs_office_coopsharestransaction_insert_permission_check_tg
@@ -142,10 +142,10 @@ create trigger hs_office_coopsharestransaction_insert_permission_check_tg
-- ============================================================================
--changeset hs-office-coopsharestransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--//
--changeset RbacIdentityViewGenerator:hs-office-coopsharestransaction-rbac-IDENTITY-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_office_coopsharestransaction',
call rbac.generateRbacIdentityViewFromProjection('hs_office_coopsharestransaction',
$idName$
reference
$idName$);
@@ -153,9 +153,9 @@ call generateRbacIdentityViewFromProjection('hs_office_coopsharestransaction',
-- ============================================================================
--changeset hs-office-coopsharestransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
--changeset RbacRestrictedViewGenerator:hs-office-coopsharestransaction-rbac-RESTRICTED-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_coopsharestransaction',
call rbac.generateRbacRestrictedView('hs_office_coopsharestransaction',
$orderBy$
reference
$orderBy$,
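Review bot: The renamed trigger function at `create or replace function new_hsof_coopsharetx_grants_insert_to_hsof_membership_tf()` abbreviates the old name without recording why; the previous `new_hs_office_coopsharestransaction_grants_insert_to_hs_office_membership_tf` is 76 characters, beyond PostgreSQL's 63-byte identifier limit, so the server was truncating it (with a notice) and the definition only worked because `create function` and `execute procedure` truncated identically. A comment such as `-- name shortened to stay within PostgreSQL's 63-character identifier limit` above the function would preserve that reasoning for the next generated file. The counterpart in the membership file was moved into the `rbac` schema (`rbac.new_hsof_membership_grants_insert_to_global_tf`) while this one and the coopassets version (`new_hsof_coopassettx_grants_insert_to_hsof_membership_tf`) stay unqualified; if that split is intentional because the membership trigger fires on `rbac.global` rather than on a business table, a one-line comment stating the rule would keep the generator output from drifting. The coopassets section carries the same two points.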

@@ -4,7 +4,7 @@
-- Once we don't need the external remote views anymore, create revert changesets.
-- ============================================================================
--changeset hs-office-coopshares-MIGRATION-mapping:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-coopshares-MIGRATION-mapping endDelimiter:--//
-- ----------------------------------------------------------------------------
CREATE TABLE hs_office_coopsharestransaction_legacy_id
@@ -16,7 +16,7 @@ CREATE TABLE hs_office_coopsharestransaction_legacy_id
-- ============================================================================
--changeset hs-office-coopshares-MIGRATION-sequence:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-coopshares-MIGRATION-sequence endDelimiter:--//
-- ----------------------------------------------------------------------------
CREATE SEQUENCE IF NOT EXISTS hs_office_coopsharestransaction_legacy_id_seq
@@ -27,7 +27,7 @@ CREATE SEQUENCE IF NOT EXISTS hs_office_coopsharestransaction_legacy_id_seq
-- ============================================================================
--changeset hs-office-coopshares-MIGRATION-default:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-coopshares-MIGRATION-default endDelimiter:--//
-- ----------------------------------------------------------------------------
ALTER TABLE hs_office_coopsharestransaction_legacy_id
@@ -37,17 +37,17 @@ ALTER TABLE hs_office_coopsharestransaction_legacy_id
--/
-- ============================================================================
--changeset hs-office-coopshares-MIGRATION-insert:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-coopshares-MIGRATION-insert endDelimiter:--//
-- ----------------------------------------------------------------------------
CALL defineContext('schema-migration');
CALL base.defineContext('schema-migration');
INSERT INTO hs_office_coopsharestransaction_legacy_id(uuid, member_share_id)
SELECT uuid, nextVal('hs_office_coopsharestransaction_legacy_id_seq') FROM hs_office_coopsharestransaction;
--/
-- ============================================================================
--changeset hs-office-coopShares-MIGRATION-insert-trigger:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-coopShares-MIGRATION-insert-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace function insertCoopSharesLegacyIdMapping()
returns trigger
@@ -72,7 +72,7 @@ create trigger createCoopSharesLegacyIdMapping
-- ============================================================================
--changeset hs-office-coopShares-MIGRATION-delete-trigger:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-coopShares-MIGRATION-delete-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace function deleteCoopSharesLegacyIdMapping()
returns trigger

@@ -2,7 +2,7 @@
-- ============================================================================
--changeset hs-office-coopSharesTransaction-TEST-DATA-GENERATOR:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-coopSharesTransaction-TEST-DATA-GENERATOR endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -38,12 +38,12 @@ end; $$;
-- ============================================================================
--changeset hs-office-coopSharesTransaction-TEST-DATA-GENERATION:1 context=dev,tc endDelimiter:--//
--changeset michael.hoennig:hs-office-coopSharesTransaction-TEST-DATA-GENERATION context=dev,tc endDelimiter:--//
-- ----------------------------------------------------------------------------
do language plpgsql $$
begin
call defineContext('creating coopSharesTransaction test-data');
call base.defineContext('creating coopSharesTransaction test-data');
SET CONSTRAINTS ALL DEFERRED;
call createHsOfficeCoopSharesTransactionTestData(10001, '01');

@@ -1,7 +1,7 @@
--liquibase formatted sql
-- ============================================================================
--changeset hs-office-coopassets-MAIN-TABLE:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-coopassets-MAIN-TABLE endDelimiter:--//
-- ----------------------------------------------------------------------------
CREATE TYPE HsOfficeCoopAssetsTransactionType AS ENUM ('ADJUSTMENT',
@@ -17,7 +17,7 @@ CREATE CAST (character varying as HsOfficeCoopAssetsTransactionType) WITH INOUT
create table if not exists hs_office_coopassetstransaction
(
uuid uuid unique references RbacObject (uuid) initially deferred,
uuid uuid unique references rbac.object (uuid) initially deferred,
version int not null default 0,
membershipUuid uuid not null references hs_office_membership(uuid),
transactionType HsOfficeCoopAssetsTransactionType not null,
@@ -31,7 +31,7 @@ create table if not exists hs_office_coopassetstransaction
-- ============================================================================
--changeset hs-office-coopassets-BUSINESS-RULES:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-coopassets-BUSINESS-RULES endDelimiter:--//
-- ----------------------------------------------------------------------------
alter table hs_office_coopassetstransaction
@@ -41,7 +41,7 @@ alter table hs_office_coopassetstransaction
--//
-- ============================================================================
--changeset hs-office-coopassets-ASSET-VALUE-CONSTRAINT:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-coopassets-ASSET-VALUE-CONSTRAINT endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace function checkAssetsByMembershipUuid(forMembershipUuid UUID, newAssetValue money)
@@ -69,8 +69,8 @@ alter table hs_office_coopassetstransaction
-- ============================================================================
--changeset hs-office-coopassets-MAIN-TABLE-JOURNAL:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-coopassets-MAIN-TABLE-JOURNAL endDelimiter:--//
-- ----------------------------------------------------------------------------
call create_journal('hs_office_coopassetstransaction');
call base.create_journal('hs_office_coopassetstransaction');
--//

@@ -86,16 +86,16 @@ subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPers
end
%% granting roles to roles
role:global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
role:rbac.global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN
role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER
role:global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER
role:rbac.global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER
role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN
role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER
role:global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
role:rbac.global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN
role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER
role:global:ADMIN -.-> role:membership.partnerRel:OWNER
role:rbac.global:ADMIN -.-> role:membership.partnerRel:OWNER
role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN
role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT
role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT

@@ -3,21 +3,21 @@
-- ============================================================================
--changeset hs-office-coopassetstransaction-rbac-OBJECT:1 endDelimiter:--//
--changeset RbacObjectGenerator:hs-office-coopassetstransaction-rbac-OBJECT endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRelatedRbacObject('hs_office_coopassetstransaction');
call rbac.generateRelatedRbacObject('hs_office_coopassetstransaction');
--//
-- ============================================================================
--changeset hs-office-coopassetstransaction-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
--changeset RbacRoleDescriptorsGenerator:hs-office-coopassetstransaction-rbac-ROLE-DESCRIPTORS endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRoleDescriptors('hsOfficeCoopAssetsTransaction', 'hs_office_coopassetstransaction');
call rbac.generateRbacRoleDescriptors('hsOfficeCoopAssetsTransaction', 'hs_office_coopassetstransaction');
--//
-- ============================================================================
--changeset hs-office-coopassetstransaction-rbac-insert-trigger:1 endDelimiter:--//
--changeset RolesGrantsAndPermissionsGenerator:hs-office-coopassetstransaction-rbac-insert-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -33,15 +33,15 @@ declare
newMembership hs_office_membership;
begin
call enterTriggerForObjectUuid(NEW.uuid);
call rbac.enterTriggerForObjectUuid(NEW.uuid);
SELECT * FROM hs_office_membership WHERE uuid = NEW.membershipUuid INTO newMembership;
assert newMembership.uuid is not null, format('newMembership must not be null for NEW.membershipUuid = %s', NEW.membershipUuid);
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'SELECT'), hsOfficeMembershipAGENT(newMembership));
call rbac.grantPermissionToRole(rbac.createPermission(NEW.uuid, 'UPDATE'), hsOfficeMembershipADMIN(newMembership));
call leaveTriggerForObjectUuid(NEW.uuid);
call rbac.leaveTriggerForObjectUuid(NEW.uuid);
end; $$;
/*
@@ -65,7 +65,7 @@ execute procedure insertTriggerForHsOfficeCoopAssetsTransaction_tf();
-- ============================================================================
--changeset hs-office-coopassetstransaction-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
--changeset InsertTriggerGenerator:hs-office-coopassetstransaction-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
-- ----------------------------------------------------------------------------
-- granting INSERT permission to hs_office_membership ----------------------------
@@ -77,13 +77,13 @@ do language plpgsql $$
declare
row hs_office_membership;
begin
call defineContext('create INSERT INTO hs_office_coopassetstransaction permissions for pre-exising hs_office_membership rows');
call base.defineContext('create INSERT INTO hs_office_coopassetstransaction permissions for pre-exising hs_office_membership rows');
FOR row IN SELECT * FROM hs_office_membership
-- unconditional for all rows in that table
LOOP
call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
call rbac.grantPermissionToRole(
rbac.createPermission(row.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
hsOfficeMembershipADMIN(row));
END LOOP;
end;
@@ -92,28 +92,28 @@ $$;
/**
Grants hs_office_coopassetstransaction INSERT permission to specified role of new hs_office_membership rows.
*/
create or replace function new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tf()
create or replace function new_hsof_coopassettx_grants_insert_to_hsof_membership_tf()
returns trigger
language plpgsql
strict as $$
begin
-- unconditional for all rows in that table
call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
call rbac.grantPermissionToRole(
rbac.createPermission(NEW.uuid, 'INSERT', 'hs_office_coopassetstransaction'),
hsOfficeMembershipADMIN(NEW));
-- end.
return NEW;
end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tg
create trigger z_new_hs_office_coopassetstransaction_grants_after_insert_tg
after insert on hs_office_membership
for each row
execute procedure new_hs_office_coopassetstransaction_grants_insert_to_hs_office_membership_tf();
execute procedure new_hsof_coopassettx_grants_insert_to_hsof_membership_tf();
-- ============================================================================
--changeset hs_office_coopassetstransaction-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
--changeset InsertTriggerGenerator:hs_office_coopassetstransaction-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
-- ----------------------------------------------------------------------------
/**
@@ -126,12 +126,12 @@ declare
superObjectUuid uuid;
begin
-- check INSERT permission via direct foreign key: NEW.membershipUuid
if hasInsertPermission(NEW.membershipUuid, 'hs_office_coopassetstransaction') then
if rbac.hasInsertPermission(NEW.membershipUuid, 'hs_office_coopassetstransaction') then
return NEW;
end if;
raise exception '[403] insert into hs_office_coopassetstransaction values(%) not allowed for current subjects % (%)',
NEW, currentSubjects(), currentSubjectsUuids();
NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
end; $$;
create trigger hs_office_coopassetstransaction_insert_permission_check_tg
@@ -142,10 +142,10 @@ create trigger hs_office_coopassetstransaction_insert_permission_check_tg
-- ============================================================================
--changeset hs-office-coopassetstransaction-rbac-IDENTITY-VIEW:1 endDelimiter:--//
--changeset RbacIdentityViewGenerator:hs-office-coopassetstransaction-rbac-IDENTITY-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacIdentityViewFromProjection('hs_office_coopassetstransaction',
call rbac.generateRbacIdentityViewFromProjection('hs_office_coopassetstransaction',
$idName$
reference
$idName$);
@@ -153,9 +153,9 @@ call generateRbacIdentityViewFromProjection('hs_office_coopassetstransaction',
-- ============================================================================
--changeset hs-office-coopassetstransaction-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
--changeset RbacRestrictedViewGenerator:hs-office-coopassetstransaction-rbac-RESTRICTED-VIEW endDelimiter:--//
-- ----------------------------------------------------------------------------
call generateRbacRestrictedView('hs_office_coopassetstransaction',
call rbac.generateRbacRestrictedView('hs_office_coopassetstransaction',
$orderBy$
reference
$orderBy$,

@@ -4,7 +4,7 @@
-- Once we don't need the external remote views anymore, create revert changesets.
-- ============================================================================
--changeset hs-office-coopassets-MIGRATION-mapping:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-coopassets-MIGRATION-mapping endDelimiter:--//
-- ----------------------------------------------------------------------------
CREATE TABLE hs_office_coopassetstransaction_legacy_id
@@ -16,7 +16,7 @@ CREATE TABLE hs_office_coopassetstransaction_legacy_id
-- ============================================================================
--changeset hs-office-coopassets-MIGRATION-sequence:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-coopassets-MIGRATION-sequence endDelimiter:--//
-- ----------------------------------------------------------------------------
CREATE SEQUENCE IF NOT EXISTS hs_office_coopassetstransaction_legacy_id_seq
@@ -27,7 +27,7 @@ CREATE SEQUENCE IF NOT EXISTS hs_office_coopassetstransaction_legacy_id_seq
-- ============================================================================
--changeset hs-office-coopassets-MIGRATION-default:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-coopassets-MIGRATION-default endDelimiter:--//
-- ----------------------------------------------------------------------------
ALTER TABLE hs_office_coopassetstransaction_legacy_id
@@ -37,17 +37,17 @@ ALTER TABLE hs_office_coopassetstransaction_legacy_id
-- ============================================================================
--changeset hs-office-coopassets-MIGRATION-insert:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-coopassets-MIGRATION-insert endDelimiter:--//
-- ----------------------------------------------------------------------------
CALL defineContext('schema-migration');
CALL base.defineContext('schema-migration');
INSERT INTO hs_office_coopassetstransaction_legacy_id(uuid, member_asset_id)
SELECT uuid, nextVal('hs_office_coopassetstransaction_legacy_id_seq') FROM hs_office_coopassetstransaction;
--/
-- ============================================================================
--changeset hs-office-coopAssets-MIGRATION-insert-trigger:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-coopAssets-MIGRATION-insert-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace function insertCoopAssetsLegacyIdMapping()
returns trigger
@@ -72,7 +72,7 @@ create trigger createCoopAssetsLegacyIdMapping
-- ============================================================================
--changeset hs-office-coopAssets-MIGRATION-delete-trigger:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-coopAssets-MIGRATION-delete-trigger endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace function deleteCoopAssetsLegacyIdMapping()
returns trigger
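Review bot: Renaming every changeset from `hs-office-coopassets-MIGRATION-…:1` to `michael.hoennig:hs-office-coopassets-MIGRATION-…` changes the author/id pair Liquibase records in DATABASECHANGELOG, so any database already migrated with the old changelog will treat all of these as new and try to re-run them; the first hunk's plain `CREATE TABLE hs_office_coopassetstransaction_legacy_id` (no `IF NOT EXISTS`) would then halt the deployment loudly, and the `hs-office-coopassets-MIGRATION-insert` changeset's `INSERT INTO hs_office_coopassetstransaction_legacy_id(uuid, member_asset_id) SELECT uuid, nextVal(...) FROM hs_office_coopassetstransaction` is the one step that would re-execute silently if it were reached, duplicating legacy-id mappings unless the table (definition not visible here) constrains `uuid` uniquely. If the project only ever rebuilds its schema from scratch, that assumption deserves a sentence in the commit message or the changelog header; otherwise the old ids need a DATABASECHANGELOG fix-up changeset before this one is safe to roll out. Independently of that, the bulk insert should be idempotent: add `--preconditions onFail:MARK_RAN` and `--precondition-sql-check expectedResult:0 SELECT count(*) FROM hs_office_coopassetstransaction_legacy_id` directly under the `--changeset michael.hoennig:hs-office-coopassets-MIGRATION-insert` line so a re-run is marked as already applied instead of inserting a second mapping per transaction.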

@@ -2,7 +2,7 @@
-- ============================================================================
--changeset hs-office-coopAssetsTransaction-TEST-DATA-GENERATOR:1 endDelimiter:--//
--changeset michael.hoennig:hs-office-coopAssetsTransaction-TEST-DATA-GENERATOR endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@@ -38,12 +38,12 @@ end; $$;
-- ============================================================================
--changeset hs-office-coopAssetsTransaction-TEST-DATA-GENERATION:1 context=dev,tc endDelimiter:--//
--changeset michael.hoennig:hs-office-coopAssetsTransaction-TEST-DATA-GENERATION context=dev,tc endDelimiter:--//
-- ----------------------------------------------------------------------------
do language plpgsql $$
begin
call defineContext('creating coopAssetsTransaction test-data');
call base.defineContext('creating coopAssetsTransaction test-data');
SET CONSTRAINTS ALL DEFERRED;
call createHsOfficeCoopAssetsTransactionTestData(10001, '01');