use customer/package/unixuser only as test data structure (DB part)
@ -64,7 +64,7 @@ begin
|
||||
domainOwnerRoleUuid = createRole(
|
||||
domainOwner(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
||||
beneathRole(packageAdmin(parentPackage))
|
||||
beneathRole(testPackageAdmin(parentPackage))
|
||||
);
|
||||
|
||||
-- a domain admin role is created and assigned to the domain's owner role
|
||||
|
@ -17,21 +17,21 @@ BEGIN
|
||||
|
||||
-- hostmaster accessing a single customer
|
||||
SET SESSION SESSION AUTHORIZATION restricted;
|
||||
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
|
||||
SET LOCAL hsadminng.currentUser = 'mike@example.org';
|
||||
SET LOCAL hsadminng.assumedRoles = '';
|
||||
-- SELECT *
|
||||
SELECT count(*) INTO resultCount
|
||||
from customer_rv c
|
||||
from test_customer_rv c
|
||||
where c.prefix='aab';
|
||||
call expectBetween(resultCount, 1, 1);
|
||||
|
||||
-- hostmaster listing all customers
|
||||
SET SESSION SESSION AUTHORIZATION restricted;
|
||||
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
|
||||
SET LOCAL hsadminng.currentUser = 'mike@example.org';
|
||||
SET LOCAL hsadminng.assumedRoles = '';
|
||||
-- SELECT *
|
||||
SELECT count(*) INTO resultCount
|
||||
FROM customer_rv;
|
||||
FROM test_customer_rv;
|
||||
call expectBetween(resultCount, 10, 20000);
|
||||
|
||||
-- customer admin listing all their packages
|
||||
@ -40,7 +40,7 @@ BEGIN
|
||||
SET LOCAL hsadminng.assumedRoles = '';
|
||||
-- SELECT *
|
||||
SELECT count(*) INTO resultCount
|
||||
FROM package_rv;
|
||||
FROM test_package_rv;
|
||||
call expectBetween(resultCount, 2, 10);
|
||||
|
||||
-- cutomer admin listing all their unix users
|
||||
@ -54,49 +54,49 @@ BEGIN
|
||||
|
||||
-- hostsharing admin assuming customer role and listing all accessible packages
|
||||
SET SESSION SESSION AUTHORIZATION restricted;
|
||||
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
|
||||
SET LOCAL hsadminng.assumedRoles = 'customer#aaa.admin;customer#aab.admin';
|
||||
SET LOCAL hsadminng.currentUser = 'mike@example.org';
|
||||
SET LOCAL hsadminng.assumedRoles = 'test_customer#aaa.admin;test_customer#aab.admin';
|
||||
-- SELECT *
|
||||
SELECT count(*) INTO resultCount
|
||||
FROM package_rv p;
|
||||
FROM test_package_rv p;
|
||||
call expectBetween(resultCount, 2, 10);
|
||||
|
||||
-- hostsharing admin assuming two customer admin roles and listing all accessible unixusers
|
||||
SET SESSION SESSION AUTHORIZATION restricted;
|
||||
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
|
||||
SET LOCAL hsadminng.assumedRoles = 'customer#aab.admin;customer#aac.admin';
|
||||
SET LOCAL hsadminng.currentUser = 'mike@example.org';
|
||||
SET LOCAL hsadminng.assumedRoles = 'test_customer#aab.admin;test_customer#aac.admin';
|
||||
-- SELECT c.prefix, c.reference, uu.*
|
||||
SELECT count(*) INTO resultCount
|
||||
FROM unixuser_rv uu
|
||||
JOIN package_rv p ON p.uuid = uu.packageuuid
|
||||
JOIN customer_rv c ON c.uuid = p.customeruuid;
|
||||
JOIN test_package_rv p ON p.uuid = uu.packageuuid
|
||||
JOIN test_customer_rv c ON c.uuid = p.customeruuid;
|
||||
call expectBetween(resultCount, 40, 60);
|
||||
|
||||
-- hostsharing admin assuming two customer admin roles and listing all accessible domains
|
||||
-- ABORT; START TRANSACTION;
|
||||
SET SESSION SESSION AUTHORIZATION restricted;
|
||||
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
|
||||
SET LOCAL hsadminng.assumedRoles = 'customer#aac.admin;customer#aad.admin';
|
||||
SET LOCAL hsadminng.currentUser = 'mike@example.org';
|
||||
SET LOCAL hsadminng.assumedRoles = 'test_customer#aac.admin;test_customer#aad.admin';
|
||||
-- SELECT p.name, uu.name, dom.name
|
||||
SELECT count(*) INTO resultCount
|
||||
FROM domain_rv dom
|
||||
JOIN unixuser_rv uu ON uu.uuid = dom.unixuseruuid
|
||||
JOIN package_rv p ON p.uuid = uu.packageuuid
|
||||
JOIN customer_rv c ON c.uuid = p.customeruuid;
|
||||
JOIN test_package_rv p ON p.uuid = uu.packageuuid
|
||||
JOIN test_customer_rv c ON c.uuid = p.customeruuid;
|
||||
call expectBetween(resultCount, 20, 40);
|
||||
|
||||
-- hostsharing admin assuming two customer admin roles and listing all accessible email addresses
|
||||
-- ABORT; START TRANSACTION;
|
||||
SET SESSION SESSION AUTHORIZATION restricted;
|
||||
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
|
||||
SET LOCAL hsadminng.assumedRoles = 'customer#aae.admin;customer#aaf.admin';
|
||||
SET LOCAL hsadminng.currentUser = 'mike@example.org';
|
||||
SET LOCAL hsadminng.assumedRoles = 'test_customer#aae.admin;test_customer#aaf.admin';
|
||||
-- SELECT c.prefix, p.name as "package", ema.localPart || '@' || dom.name as "email-address"
|
||||
SELECT count(*) INTO resultCount
|
||||
FROM emailaddress_rv ema
|
||||
JOIN domain_rv dom ON dom.uuid = ema.domainuuid
|
||||
JOIN unixuser_rv uu ON uu.uuid = dom.unixuseruuid
|
||||
JOIN package_rv p ON p.uuid = uu.packageuuid
|
||||
JOIN customer_rv c ON c.uuid = p.customeruuid;
|
||||
JOIN test_package_rv p ON p.uuid = uu.packageuuid
|
||||
JOIN test_customer_rv c ON c.uuid = p.customeruuid;
|
||||
call expectBetween(resultCount, 100, 300);
|
||||
|
||||
-- ~170ms
|
||||
|
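Review bot: The joins in this hunk still read from `unixuser_rv` (the `FROM unixuser_rv uu` and `JOIN unixuser_rv uu ON uu.uuid = dom.unixuseruuid` lines) while the neighbouring package and customer views become `test_package_rv` / `test_customer_rv`; since the commit title lists unixuser among the structures demoted to test data, this looks like either an intentionally unprefixed view or an incomplete rename, and a later rename would silently break these tests, so it is worth confirming. Separately, every assertion only bounds the row count (`expectBetween(resultCount, 40, 60)` and similar), which shows that something is visible but not that customers outside the assumed roles are excluded; if assumed roles are meant to narrow visibility, as the package count of 2 to 10 suggests, an access-control test should also pin the negative case, e.g. `SELECT count(*) INTO resultCount FROM test_customer_rv c WHERE c.prefix NOT IN ('aab', 'aac'); call expectBetween(resultCount, 0, 0);` after assuming `test_customer#aab.admin;test_customer#aac.admin`. The enclosing test procedure starts and ends outside the hunk.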
@ -3,16 +3,16 @@
|
||||
-- --------------------------------------------------------
|
||||
|
||||
|
||||
select isGranted(findRoleId('administrators'), findRoleId('package#aaa00.owner'));
|
||||
select isGranted(findRoleId('package#aaa00.owner'), findRoleId('administrators'));
|
||||
-- call grantRoleToRole(findRoleId('package#aaa00.owner'), findRoleId('administrators'));
|
||||
-- call grantRoleToRole(findRoleId('administrators'), findRoleId('package#aaa00.owner'));
|
||||
select isGranted(findRoleId('administrators'), findRoleId('test_package#aaa00.owner'));
|
||||
select isGranted(findRoleId('test_package#aaa00.owner'), findRoleId('administrators'));
|
||||
-- call grantRoleToRole(findRoleId('test_package#aaa00.owner'), findRoleId('administrators'));
|
||||
-- call grantRoleToRole(findRoleId('administrators'), findRoleId('test_package#aaa00.owner'));
|
||||
|
||||
select count(*)
|
||||
FROM queryAllPermissionsOfSubjectIdForObjectUuids(findRbacUser('sven@hostsharing.net'),
|
||||
FROM queryAllPermissionsOfSubjectIdForObjectUuids(findRbacUser('sven@example.org'),
|
||||
ARRAY(select uuid from customer where reference < 1100000));
|
||||
select count(*)
|
||||
FROM queryAllPermissionsOfSubjectId(findRbacUser('sven@hostsharing.net'));
|
||||
FROM queryAllPermissionsOfSubjectId(findRbacUser('sven@example.org'));
|
||||
select *
|
||||
FROM queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com'));
|
||||
select *
|
||||
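Review bot: `ARRAY(select uuid from customer where reference < 1100000)` still queries the unprefixed `customer` table, while the same hunk renames the roles to `test_package#aaa00.owner` and the sibling hunks read `test_customer_rv`; if the base table was renamed together with its view this statement now fails, and if it was not, the role rename and the table rename are out of step. Either change it to `ARRAY(select uuid from test_customer where reference < 1100000)` or add a comment explaining why the base table keeps its old name, so the next reader does not have to guess which schema these scratch queries target.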
@ -33,7 +33,7 @@ $$
|
||||
userId uuid;
|
||||
result bool;
|
||||
BEGIN
|
||||
userId = findRbacUser('mike@hostsharing.net');
|
||||
userId = findRbacUser('mike@example.org');
|
||||
result = (SELECT * FROM isPermissionGrantedToSubject(findPermissionId('package', 94928, 'add-package'), userId));
|
||||
IF (result) THEN
|
||||
RAISE EXCEPTION 'expected permission NOT to be granted, but it is';
|
||||
|
@ -20,7 +20,7 @@ CREATE POLICY customer_policy ON customer
|
||||
TO restricted
|
||||
USING (
|
||||
-- id=1000
|
||||
isPermissionGrantedToSubject(findPermissionId('customer', id, 'view'), currentUserUuid())
|
||||
isPermissionGrantedToSubject(findPermissionId('test_customer', id, 'view'), currentUserUuid())
|
||||
);
|
||||
|
||||
SET SESSION AUTHORIZATION restricted;
|
||||
@ -35,10 +35,10 @@ SELECT * FROM customer;
|
||||
CREATE OR REPLACE RULE "_RETURN" AS
|
||||
ON SELECT TO cust_view
|
||||
DO INSTEAD
|
||||
SELECT * FROM customer WHERE isPermissionGrantedToSubject(findPermissionId('customer', id, 'view'), currentUserUuid());
|
||||
SELECT * FROM customer WHERE isPermissionGrantedToSubject(findPermissionId('test_customer', id, 'view'), currentUserUuid());
|
||||
SELECT * from cust_view LIMIT 10;
|
||||
|
||||
select queryAllPermissionsOfSubjectId(findRbacUser('mike@hostsharing.net'));
|
||||
select queryAllPermissionsOfSubjectId(findRbacUser('mike@example.org'));
|
||||
|
||||
-- access control via view-rule with join to recursive permissions - really fast (38ms for 1 million rows)
|
||||
SET SESSION SESSION AUTHORIZATION DEFAULT;
|
||||
@ -52,7 +52,7 @@ CREATE OR REPLACE RULE "_RETURN" AS
|
||||
DO INSTEAD
|
||||
SELECT c.uuid, c.reference, c.prefix FROM customer AS c
|
||||
JOIN queryAllPermissionsOfSubjectId(currentUserUuid()) AS p
|
||||
ON p.objectTable='customer' AND p.objectUuid=c.uuid AND p.op in ('*', 'view');
|
||||
ON p.objectTable='test_customer' AND p.objectUuid=c.uuid AND p.op in ('*', 'view');
|
||||
GRANT ALL PRIVILEGES ON cust_view TO restricted;
|
||||
|
||||
SET SESSION SESSION AUTHORIZATION restricted;
|
||||
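Review bot: The `_RETURN` rule in this hunk selects `FROM customer AS c` but matches permissions with `p.objectTable='test_customer'`, so after this commit the table identifier and the object-table tag disagree; if the base table is now `test_customer` the rule no longer resolves, and if it is still `customer` the join presumably finds no permission rows tagged `'test_customer'` and the view returns nothing (fail-closed, but the benchmark would then measure an empty result). The `GRANT ALL PRIVILEGES ON cust_view TO restricted;` that follows is also broader than a read-only rule view warrants; `GRANT SELECT ON cust_view TO restricted;` is sufficient. A rule-rewritten view that is not marked `security_barrier` can let the planner evaluate a caller's own predicates before the permission join, so if this approach leaves the experimental stage it should be declared as a security-barrier view or replaced by a row-level-security policy. The `CREATE OR REPLACE RULE` statement begins before the hunk.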
@ -73,7 +73,7 @@ GRANT ALL PRIVILEGES ON cust_view TO restricted;
|
||||
|
||||
SET SESSION SESSION AUTHORIZATION restricted;
|
||||
-- SET hsadminng.currentUser TO 'alex@example.com';
|
||||
SET hsadminng.currentUser TO 'mike@hostsharing.net';
|
||||
SET hsadminng.currentUser TO 'mike@example.org';
|
||||
-- SET hsadminng.currentUser TO 'aaaaouq@example.com';
|
||||
SELECT * from cust_view where reference=1144150;
|
||||
|
||||
@ -81,9 +81,9 @@ select rr.uuid, rr.type from RbacGrants g
|
||||
join RbacReference RR on g.ascendantUuid = RR.uuid
|
||||
where g.descendantUuid in (
|
||||
select uuid from queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com'))
|
||||
where objectTable='customer' and op in ('*', 'view'));
|
||||
where objectTable='test_customer' and op in ('*', 'view'));
|
||||
|
||||
call grantRoleToUser(findRoleId('customer#aaa.admin'), findRbacUser('aaaaouq@example.com'));
|
||||
call grantRoleToUser(findRoleId('test_customer#aaa.admin'), findRbacUser('aaaaouq@example.com'));
|
||||
|
||||
select queryAllPermissionsOfSubjectId(findRbacUser('aaaaouq@example.com'));
|
||||
|
||||
|