
formatted SQL code

This commit is contained in:
Michael Hoennig
2022-07-29 08:46:04 +02:00
parent fb8862c37e
commit 4c403b0436
14 changed files with 1167 additions and 1116 deletions


@ -1,144 +1,151 @@
-- ========================================================
-- Domain example with RBAC
-- --------------------------------------------------------
SET SESSION SESSION AUTHORIZATION DEFAULT ;
set session session authorization default;
CREATE TABLE IF NOT EXISTS Domain (
uuid uuid UNIQUE REFERENCES RbacObject(uuid),
name character varying(32),
unixUserUuid uuid REFERENCES unixuser(uuid)
create table if not exists Domain
(
uuid uuid unique references RbacObject (uuid),
name character varying(32),
unixUserUuid uuid references unixuser (uuid)
);
DROP TRIGGER IF EXISTS createRbacObjectForDomain_Trigger ON Domain;
CREATE TRIGGER createRbacObjectForDomain_Trigger
BEFORE INSERT ON Domain
FOR EACH ROW EXECUTE PROCEDURE createRbacObject();
drop trigger if exists createRbacObjectForDomain_Trigger on Domain;
create trigger createRbacObjectForDomain_Trigger
before insert
on Domain
for each row
execute procedure createRbacObject();
CREATE OR REPLACE FUNCTION domainOwner(dom Domain)
RETURNS RbacRoleDescriptor
RETURNS NULL ON NULL INPUT
LANGUAGE plpgsql AS $$
create or replace function domainOwner(dom Domain)
returns RbacRoleDescriptor
returns null on null input
language plpgsql as $$
begin
return roleDescriptor('domain', dom.uuid, 'owner');
end; $$;
CREATE OR REPLACE FUNCTION domainAdmin(dom Domain)
RETURNS RbacRoleDescriptor
RETURNS NULL ON NULL INPUT
LANGUAGE plpgsql AS $$
create or replace function domainAdmin(dom Domain)
returns RbacRoleDescriptor
returns null on null input
language plpgsql as $$
begin
return roleDescriptor('domain', dom.uuid, 'admin');
end; $$;
CREATE OR REPLACE FUNCTION domainTenant(dom Domain)
RETURNS RbacRoleDescriptor
RETURNS NULL ON NULL INPUT
LANGUAGE plpgsql AS $$
create or replace function domainTenant(dom Domain)
returns RbacRoleDescriptor
returns null on null input
language plpgsql as $$
begin
return roleDescriptor('domain', dom.uuid, 'tenant');
end; $$;
CREATE OR REPLACE FUNCTION createRbacRulesForDomain()
RETURNS trigger
LANGUAGE plpgsql STRICT AS $$
DECLARE
parentUser UnixUser;
parentPackage package;
create or replace function createRbacRulesForDomain()
returns trigger
language plpgsql
strict as $$
declare
parentUser UnixUser;
parentPackage package;
domainOwnerRoleUuid uuid;
domainAdminRoleUuid uuid;
BEGIN
IF TG_OP <> 'INSERT' THEN
RAISE EXCEPTION 'invalid usage of TRIGGER AFTER INSERT';
END IF;
begin
if TG_OP <> 'INSERT' then
raise exception 'invalid usage of TRIGGER AFTER INSERT';
end if;
SELECT * FROM UnixUser WHERE uuid=NEW.unixUserUuid into parentUser;
SELECT * FROM Package WHERE uuid=parentUser.packageuuid into parentPackage;
select * from UnixUser where uuid = NEW.unixUserUuid into parentUser;
select * from Package where uuid = parentUser.packageuuid into parentPackage;
-- a domain owner role is created and assigned to the unixuser's admin role
domainOwnerRoleUuid = createRole(
domainOwner(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => ARRAY['*']),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
beneathRole(packageAdmin(parentPackage))
);
-- a domain admin role is created and assigned to the domain's owner role
domainAdminRoleUuid = createRole(
domainAdmin(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => ARRAY['edit', 'add-emailaddress']),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit', 'add-emailaddress']),
beneathRole(domainOwnerRoleUuid)
);
-- and a domain tenant role is created and assigned to the domain's admiin role
perform createRole(
domainTenant(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => ARRAY['*']),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
beneathRole(domainAdminRoleUuid),
beingItselfA(createUnixUserTenantRoleIfNotExists(parentUser))
);
RETURN NEW;
END; $$;
return NEW;
end; $$;
DROP TRIGGER IF EXISTS createRbacRulesForDomain_Trigger ON Domain;
CREATE TRIGGER createRbacRulesForDomain_Trigger
AFTER INSERT ON Domain
FOR EACH ROW EXECUTE PROCEDURE createRbacRulesForDomain();
drop trigger if exists createRbacRulesForDomain_Trigger on Domain;
create trigger createRbacRulesForDomain_Trigger
after insert
on Domain
for each row
execute procedure createRbacRulesForDomain();
-- TODO: CREATE OR REPLACE FUNCTION deleteRbacRulesForDomain()
-- create RBAC-restricted view
SET SESSION SESSION AUTHORIZATION DEFAULT;
set session session authorization default;
-- ALTER TABLE Domain ENABLE ROW LEVEL SECURITY;
DROP VIEW IF EXISTS domain_rv;
CREATE OR REPLACE VIEW domain_rv AS
SELECT DISTINCT target.*
FROM Domain AS target
WHERE target.uuid IN (SELECT queryAccessibleObjectUuidsOfSubjectIds( 'view', 'domain', currentSubjectIds()));
GRANT ALL PRIVILEGES ON domain_rv TO restricted;
drop view if exists domain_rv;
create or replace view domain_rv as
select distinct target.*
from Domain as target
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'domain', currentSubjectIds()));
grant all privileges on domain_rv to restricted;
-- generate Domain test data
DO LANGUAGE plpgsql $$
DECLARE
uu record;
pac package;
pacAdmin varchar;
do language plpgsql $$
declare
uu record;
pac package;
pacAdmin varchar;
currentTask varchar;
BEGIN
SET hsadminng.currentUser TO '';
begin
set hsadminng.currentUser to '';
FOR uu IN (
SELECT u.uuid, u.name, u.packageuuid, c.reference
FROM unixuser u
JOIN package p ON u.packageuuid = p.uuid
JOIN customer c ON p.customeruuid = c.uuid
-- WHERE c.reference >= 18000
) LOOP
IF ( random() < 0.3 ) THEN
FOR t IN 0..1 LOOP
currentTask = 'creating RBAC test Domain #' || t || ' for UnixUser ' || uu.name|| ' #' || uu.uuid;
RAISE NOTICE 'task: %', currentTask;
for uu in (select u.uuid, u.name, u.packageuuid, c.reference
from unixuser u
join package p on u.packageuuid = p.uuid
join customer c on p.customeruuid = c.uuid
-- WHERE c.reference >= 18000
)
loop
if (random() < 0.3) then
for t in 0..1
loop
currentTask = 'creating RBAC test Domain #' || t || ' for UnixUser ' || uu.name || ' #' || uu.uuid;
raise notice 'task: %', currentTask;
SELECT * FROM package WHERE uuid=uu.packageUuid INTO pac;
pacAdmin = 'admin@' || pac.name || '.example.com';
SET LOCAL hsadminng.currentUser TO pacAdmin;
SET LOCAL hsadminng.assumedRoles = '';
SET LOCAL hsadminng.currentTask TO currentTask;
select * from package where uuid = uu.packageUuid into pac;
pacAdmin = 'admin@' || pac.name || '.example.com';
set local hsadminng.currentUser to pacAdmin;
set local hsadminng.assumedRoles = '';
set local hsadminng.currentTask to currentTask;
INSERT INTO Domain (name, unixUserUuid)
VALUES ('dom-' || t || '.' || uu.name || '.example.org' , uu.uuid);
insert
into Domain (name, unixUserUuid)
values ('dom-' || t || '.' || uu.name || '.example.org', uu.uuid);
COMMIT;
END LOOP;
END IF;
END LOOP;
commit;
end loop;
end if;
end loop;
END;
end;
$$;
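Review bot: The domain tenant role created by the third createRole call in createRbacRulesForDomain gets `permitOps => array ['*']`, the same wildcard as the owner role, while the admin role it is placed beneath only gets `array ['edit', 'add-emailaddress']`, so the lowest role ends up with broader rights than its parent; this reads like a copy of the owner block rather than an intended grant. If the tenant is meant to be read-only, which the 'view' op used by domain_rv suggests, the line should read `grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),`. Separately, `unixUserUuid` is nullable in the Domain table, and a NULL there makes both `select ... into parentUser` and the following package lookup match nothing, so the roles are presumably built beneath packageAdmin of an empty row; `unixUserUuid uuid not null references unixuser (uuid),` would reject that at insert time instead. `grant all privileges on domain_rv to restricted;` is also wider than the view's read-only purpose needs; `grant select on domain_rv to restricted;` covers it.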