
add partner business object at repo level (WIP)

This commit is contained in:
Michael Hoennig
2022-09-09 17:43:43 +02:00
parent 2f0f18182c
commit 2c5ad094f1
12 changed files with 291 additions and 85 deletions


@ -114,6 +114,22 @@ begin
return beingItselfA(getRoleId(roleDescriptor, 'fail'));
end; $$;
create or replace function withSubRoles(roleDescriptors RbacRoleDescriptor[])
returns RbacSubRoles
language plpgsql
strict as $$
declare
subRoleDescriptor RbacRoleDescriptor;
subRoleUuids uuid[] := array []::uuid[];
begin
foreach subRoleDescriptor in array roleDescriptors
loop
subRoleUuids := subRoleUuids || getRoleId(subRoleDescriptor, 'fail');
end loop;
return row (subRoleUuids)::RbacSubRoles;
end; $$;
create or replace function withoutSubRoles()
returns RbacSubRoles
language plpgsql
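Review bot: `withSubRoles` is added without a header comment, and because it is declared `strict` it returns NULL rather than an `RbacSubRoles` holding an empty array when the descriptor array itself is NULL, which is easy to confuse with `withoutSubRoles()` declared right after it. Suggest a comment above the function: `-- Resolves each role descriptor to a role uuid via getRoleId(..., 'fail') and wraps them as RbacSubRoles; STRICT, so a NULL array yields NULL (use withoutSubRoles() for "no sub-roles").` The `'fail'` mode presumably makes getRoleId raise for an unknown role, so a single unresolvable descriptor aborts the whole call; that is worth stating in the comment if confirmed. The body of `withoutSubRoles` continues past the end of the hunk.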


@ -58,13 +58,14 @@ create or replace function createRbacRolesForHsAdminContact()
strict as $$
declare
ownerRole uuid;
adminRole uuid;
begin
if TG_OP <> 'INSERT' then
raise exception 'invalid usage of TRIGGER AFTER INSERT';
end if;
-- the owner role with full access for the creator assigned to the current user
ownerRole = createRole(
ownerRole := createRole(
hsAdminContactOwner(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
beneathRole(globalAdmin()),
@ -73,11 +74,18 @@ begin
grantedByRole(globalAdmin())
);
-- the tenant role for those related users who can view the data
adminRole := createRole(
hsAdminContactAdmin(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']),
beneathRole(ownerRole)
);
-- the tenant role for those related users who can view the data
perform createRole(
hsAdminContactTenant(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),
beneathRole(ownerRole)
beneathRole(adminRole)
);
return NEW;
@ -221,7 +229,7 @@ create or replace function deleteHsAdminContact()
returns trigger
language plpgsql as $$
begin
if true or hasGlobalRoleGranted(currentUserUuid()) or
if hasGlobalRoleGranted(currentUserUuid()) or
old.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('delete', 'hs_admin_contact', currentSubjectsUuids())) then
delete from hs_admin_contact c where c.uuid = old.uuid;
return old;
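Review bot: The comment above the new `adminRole` block reads `-- the tenant role for those related users who can view the data`, but the role created there grants `permitOps => array ['edit']` and becomes the parent of the actual tenant role created right below it, so the comment was copied from the tenant block and now describes the wrong role; change it to `-- the admin role for those related users who can edit the data`. The same copied comment appears in the corresponding hunk of createRbacRolesForHsAdminPerson in this commit and should be fixed there too. createRbacRolesForHsAdminContact begins above the hunk and its body continues outside it.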


@ -15,10 +15,12 @@ declare
emailAddr varchar;
begin
currentTask = 'creating RBAC test contact ' || contLabel;
call defineContext(currentTask, null, 'alex@hostsharing.net', 'global#global.admin');
execute format('set local hsadminng.currentTask to %L', currentTask);
emailAddr = 'customer-admin@' || cleanIdentifier(contLabel) || '.example.com';
call defineContext(currentTask);
perform createRbacUser(emailAddr);
call defineContext(currentTask, null, emailAddr);
raise notice 'creating test contact: %', contLabel;
insert
@ -58,6 +60,7 @@ do language plpgsql $$
call createHsAdminContactTestData('first contact');
call createHsAdminContactTestData('second contact');
call createHsAdminContactTestData('third contact');
call createHsAdminContactTestData('forth contact');
end;
$$;
--//
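Review bot: The added fixture call `call createHsAdminContactTestData('forth contact');` misspells "fourth"; since the label is passed through `cleanIdentifier(contLabel)` when building `emailAddr` earlier in this file, the typo would end up in generated test identifiers and addresses, so `call createHsAdminContactTestData('fourth contact');` is preferable while the fixture set is still WIP.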


@ -58,13 +58,14 @@ create or replace function createRbacRolesForHsAdminPerson()
strict as $$
declare
ownerRole uuid;
adminRole uuid;
begin
if TG_OP <> 'INSERT' then
raise exception 'invalid usage of TRIGGER AFTER INSERT';
end if;
-- the owner role with full access for the creator assigned to the current user
ownerRole = createRole(
ownerRole := createRole(
hsAdminPersonOwner(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
beneathRole(globalAdmin()),
@ -73,11 +74,18 @@ begin
grantedByRole(globalAdmin())
);
-- the tenant role for those related users who can view the data
adminRole := createRole(
hsAdminPersonAdmin(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']),
beneathRole(ownerRole)
);
-- the tenant role for those related users who can view the data
perform createRole(
hsAdminPersonTenant(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),
beneathRole(ownerRole)
beneathRole(adminRole)
);
return NEW;
@ -221,7 +229,7 @@ create or replace function deleteHsAdminPerson()
returns trigger
language plpgsql as $$
begin
if true or hasGlobalRoleGranted(currentUserUuid()) or
if hasGlobalRoleGranted(currentUserUuid()) or
old.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('delete', 'hs_admin_person', currentSubjectsUuids())) then
delete from hs_admin_person c where c.uuid = old.uuid;
return old;


@ -9,10 +9,10 @@
Creates a single person test record.
*/
create or replace procedure createHsAdminPersonTestData(
personType HsAdminPersonType,
tradeName varchar,
familyName varchar = null,
givenName varchar = null
newPersonType HsAdminPersonType,
newTradeName varchar,
newFamilyName varchar = null,
newGivenName varchar = null
)
language plpgsql as $$
declare
@ -20,7 +20,7 @@ declare
currentTask varchar;
emailAddr varchar;
begin
fullName := concat_ws(', ', personType, tradename, familyName, givenName);
fullName := concat_ws(', ', newTradeName, newFamilyName, newGivenName);
currentTask = 'creating RBAC test person ' || fullName;
emailAddr = 'person-' || left(cleanIdentifier(fullName), 32) || '@example.com';
call defineContext(currentTask);
@ -31,7 +31,7 @@ begin
raise notice 'creating test person: %', fullName;
insert
into hs_admin_person (persontype, tradename, givenname, familyname)
values (personType, tradeName, givenName, familyName);
values (newPersonType, newTradeName, newGivenName, newFamilyName);
end; $$;
--//
@ -59,7 +59,7 @@ end; $$;
do language plpgsql $$
begin
call createHsAdminPersonTestData('LEGAL', 'first person');
call createHsAdminPersonTestData('LEGAL', 'First Impressions GmbH');
call createHsAdminPersonTestData('NATURAL', null, 'Peter', 'Smith');
call createHsAdminPersonTestData('LEGAL', 'Rockshop e.K.', 'Sandra', 'Miller');
call createHsAdminPersonTestData('SOLE_REPRESENTATION', 'Ostfriesische Kuhhandel OHG');
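Review bot: The header comment `Creates a single person test record.` does not say how the parameters are used, and the changed `fullName := concat_ws(', ', newTradeName, newFamilyName, newGivenName)` means the name parts alone now derive both the task label and, via `left(cleanIdentifier(fullName), 32)`, the synthesized email address, while `newPersonType` no longer contributes. Suggest extending the comment to state that trade, family and given name must be distinct within their first 32 cleaned characters because the email address is derived from them; two fixtures differing only in person type would now produce the same address, which matters if it is registered as an RBAC user as in the contact fixture. The procedure's body continues outside the hunks.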


@ -52,18 +52,23 @@ end; $$;
Creates the roles and their assignments for a new partner for the AFTER INSERT TRIGGER.
*/
create or replace function createRbacRolesForHsAdminContact()
create or replace function createRbacRolesForHsAdminPartner()
returns trigger
language plpgsql
strict as $$
declare
ownerRole uuid;
adminRole uuid;
person hs_admin_person;
contact hs_admin_contact;
begin
if TG_OP <> 'INSERT' then
raise exception 'invalid usage of TRIGGER AFTER INSERT';
end if;
select * from hs_admin_person as p where p.uuid = NEW.personUuid into person;
select * from hs_admin_contact as c where c.uuid = NEW.contactUuid into contact;
-- the owner role with full access for the global admins
ownerRole = createRole(
hsAdminPartnerOwner(NEW),
@ -75,14 +80,15 @@ begin
adminRole = createRole(
hsAdminPartnerAdmin(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']),
beneathRole(globalAdmin())
beneathRole(ownerRole)
);
-- the tenant role for those related users who can view the data
perform createRole(
hsAdminPartnerTenant(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),
beneathRole(ownerRole)
beneathRoles(array[hsAdminPartnerAdmin(NEW), hsAdminPersonAdmin(person), hsAdminContactAdmin(contact)]),
withSubRoles(array[hsAdminPersonTenant(person), hsAdminContactTenant(contact)])
);
return NEW;
@ -92,11 +98,11 @@ end; $$;
An AFTER INSERT TRIGGER which creates the role structure for a new customer.
*/
create trigger createRbacRolesForHsAdminContact_Trigger
create trigger createRbacRolesForHsAdminPartner_Trigger
after insert
on hs_admin_partner
for each row
execute procedure createRbacRolesForHsAdminContact();
execute procedure createRbacRolesForHsAdminPartner();
--//
@ -107,13 +113,14 @@ execute procedure createRbacRolesForHsAdminContact();
/*
Deletes the roles and their assignments of a deleted partner for the BEFORE DELETE TRIGGER.
*/
create or replace function deleteRbacRulesForHsAdminContact()
create or replace function deleteRbacRulesForHsAdminPartner()
returns trigger
language plpgsql
strict as $$
begin
if TG_OP = 'DELETE' then
call deleteRole(findRoleId(hsAdminPartnerOwner(OLD)));
call deleteRole(findRoleId(hsAdminPartnerAdmin(OLD)));
call deleteRole(findRoleId(hsAdminPartnerTenant(OLD)));
else
raise exception 'invalid usage of TRIGGER BEFORE DELETE';
@ -124,11 +131,11 @@ end; $$;
/*
An BEFORE DELETE TRIGGER which deletes the role structure of a partner.
*/
create trigger deleteRbacRulesForTestContact_Trigger
create trigger deleteRbacRulesForTestPartner_Trigger
before delete
on hs_admin_partner
for each row
execute procedure deleteRbacRulesForHsAdminContact();
execute procedure deleteRbacRulesForHsAdminPartner();
--//
-- ============================================================================
@ -142,9 +149,9 @@ execute procedure deleteRbacRulesForHsAdminContact();
create or replace view hs_admin_partner_iv as
select target.uuid,
cleanIdentifier(
(select idName from hs_admin_person_iv person where person.uuid = target.personuuid)
(select idName from hs_admin_person_iv p where p.uuid = target.personuuid)
|| '-' ||
(select idName from hs_admin_contact_iv contact where contact.uuid = target.contactuuid)
(select idName from hs_admin_contact_iv c where c.uuid = target.contactuuid)
)
as idName
from hs_admin_partner as target;
@ -197,7 +204,7 @@ grant all privileges on hs_admin_partner_rv to restricted;
/**
Instead of insert trigger function for hs_admin_partner_rv.
*/
create or replace function insertHsAdminContact()
create or replace function insertHsAdminPartner()
returns trigger
language plpgsql as $$
declare
@ -214,11 +221,11 @@ $$;
/*
Creates an instead of insert trigger for the hs_admin_partner_rv view.
*/
create trigger insertHsAdminContact_Trigger
create trigger insertHsAdminPartner_Trigger
instead of insert
on hs_admin_partner_rv
for each row
execute function insertHsAdminContact();
execute function insertHsAdminPartner();
--//
-- ============================================================================
@ -228,11 +235,11 @@ execute function insertHsAdminContact();
/**
Instead of delete trigger function for hs_admin_partner_rv.
*/
create or replace function deleteHsAdminContact()
create or replace function deleteHsAdminPartner()
returns trigger
language plpgsql as $$
begin
if true or hasGlobalRoleGranted(currentUserUuid()) or
if hasGlobalRoleGranted(currentUserUuid()) or
old.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('delete', 'hs_admin_partner', currentSubjectsUuids())) then
delete from hs_admin_partner c where c.uuid = old.uuid;
return old;
@ -243,11 +250,11 @@ end; $$;
/*
Creates an instead of delete trigger for the hs_admin_partner_rv view.
*/
create trigger deleteHsAdminContact_Trigger
create trigger deleteHsAdminPartner_Trigger
instead of delete
on hs_admin_partner_rv
for each row
execute function deleteHsAdminContact();
execute function deleteHsAdminPartner();
--/
-- ============================================================================
@ -274,7 +281,7 @@ $$;
/**
Used by the trigger to prevent the add-customer to current user respectively assumed roles.
*/
create or replace function addHsAdminContactNotAllowedForCurrentSubjects()
create or replace function addHsAdminPartnerNotAllowedForCurrentSubjects()
returns trigger
language PLPGSQL
as $$
@ -292,6 +299,6 @@ create trigger hs_admin_partner_insert_trigger
for each row
-- TODO.spec: who is allowed to create new partners
when ( not hasAssumedRole() )
execute procedure addHsAdminContactNotAllowedForCurrentSubjects();
execute procedure addHsAdminPartnerNotAllowedForCurrentSubjects();
--//
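Review bot: In createRbacRolesForHsAdminPartner the two new lookups `select * from hs_admin_person as p where p.uuid = NEW.personUuid into person;` and its contact counterpart are not `strict`, so a partner row whose person or contact does not resolve leaves `person`/`contact` NULL and the later `hsAdminPersonAdmin(person)` and `hsAdminContactTenant(contact)` descriptors are built from a NULL record, which yields either an obscure failure inside getRoleId or, depending on how it treats a NULL descriptor, a silently incomplete role graph; use `into strict person` and `into strict contact` so the trigger raises at the lookup itself. Separately, the tenant role is now created beneath `hsAdminPersonAdmin(person)` and `hsAdminContactAdmin(contact)`, so every admin of the referenced person or contact gains view access to the partner — presumably intended for this WIP, but worth confirming against the `TODO.spec` in the same file. The function body spans the first two hunks and continues past the second one.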


@ -13,23 +13,23 @@ create or replace procedure createHsAdminPartnerTestData( personTradeName varcha
declare
currentTask varchar;
idName varchar;
person hs_admin_person;
contact hs_admin_contact;
relatedPerson hs_admin_person;
relatedContact hs_admin_contact;
begin
idName := cleanIdentifier( personTradeName|| '-' || contactLabel);
currentTask := 'creating RBAC test partner ' || idName;
call defineContext(currentTask, null, 'alex@hostsharing.net', 'global#global.admin');
execute format('set local hsadminng.currentTask to %L', currentTask);
select p.* from hs_admin_person p where p.tradeName = personTradeName into person;
select c.* from hs_admin_contact c where c.label = contactLabel into contact;
select p.* from hs_admin_person p where p.tradeName = personTradeName into relatedPerson;
select c.* from hs_admin_contact c where c.label = contactLabel into relatedContact;
raise notice 'creating test partner: %', idName;
raise notice '- using person (%): %', person.uuid, person;
raise notice '- using contact (%): %', contact.uuid, contact;
raise notice '- using person (%): %', relatedPerson.uuid, relatedPerson;
raise notice '- using contact (%): %', relatedContact.uuid, relatedContact;
insert
into hs_admin_partner (uuid, personuuid, contactuuid)
values (uuid_generate_v4(), person.uuid, contact.uuid);
values (uuid_generate_v4(), relatedPerson.uuid, relatedContact.uuid);
end; $$;
--//
@ -63,7 +63,7 @@ end; $$;
do language plpgsql $$
begin
-- call createHsAdminPartnerTestData('first person', 'first contact');
call createHsAdminPartnerTestData('First Impressions GmbH', 'first contact');
call createHsAdminPartnerTestData('Rockshop e.K.', 'second contact');
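Review bot: `select p.* from hs_admin_person p where p.tradeName = personTradeName into relatedPerson;` and the contact lookup below it are not `strict`, so a misspelled fixture name (the second hunk changes the person fixture to `'First Impressions GmbH'`) would silently leave `relatedPerson` NULL and the insert would run with a NULL `personuuid` unless a constraint on hs_admin_partner rejects it, visible only in the `raise notice` output; write `into strict relatedPerson` and `into strict relatedContact` so the fixture fails loudly at the lookup. The commented-out `-- call createHsAdminPartnerTestData('first person', 'first contact');` kept in the second hunk should be removed rather than left as dead code. The procedure begins on the hunk's context line and its body continues outside the first hunk.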