
use customer/package/unixuser only as test data structure (DB part)

This commit is contained in:
Michael Hoennig
2022-08-31 09:42:40 +02:00
parent 817c1a9e58
commit a33cb4ec29
33 changed files with 603 additions and 595 deletions


@ -9,7 +9,7 @@ import javax.persistence.*;
import java.util.UUID;
@Entity
@Table(name = "customer_rv")
@Table(name = "test_customer_rv")
@Getter
@Setter
@NoArgsConstructor


@ -10,7 +10,7 @@ import javax.persistence.*;
import java.util.UUID;
@Entity
@Table(name = "package_rv")
@Table(name = "test_package_rv")
@Getter
@Setter
@NoArgsConstructor


@ -152,8 +152,14 @@ create or replace function pureIdentifier(rawIdentifier varchar)
returns varchar
returns null on null input
language plpgsql as $$
declare
cleanIdentifier varchar;
begin
return regexp_replace(rawIdentifier, '\W+', '');
cleanIdentifier := regexp_replace(rawIdentifier, '[^A-Za-z0-9\-._]+', '', 'g');
if cleanIdentifier != rawIdentifier then
raise exception 'identifier "%" contains invalid characters, maybe use "%"', rawIdentifier, cleanIdentifier;
end if;
return cleanIdentifier;
end; $$;
create or replace function findObjectUuidByIdName(objectTable varchar, objectIdName varchar)
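Review bot: The new whitelist on the `cleanIdentifier :=` line accepts `-` and `.`, neither of which is legal in an unquoted SQL identifier, so a value that passes pureIdentifier() is still not safe to splice into dynamic SQL as a bare name; any caller that builds SQL from it (findObjectUuidByIdName starts on the hunk's last line, its body is outside the hunk) should still go through `format('%I', ...)` or `quote_ident()`. Raising on mismatch instead of silently stripping is the right call, since the previous `'\W+'` without the `g` flag only removed the first run of offending characters. Consider documenting the contract above the function: `-- Accepts only [A-Za-z0-9._-]; raises on anything else instead of silently stripping, so a lookalike name cannot pass as a different identifier.` A minor portability nit: moving the dash to the end of the class (`[^A-Za-z0-9._-]+`) avoids relying on `\-` being treated as a literal inside a bracket expression.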


@ -228,6 +228,9 @@ begin
roleTypeFromRoleIdName = split_part(roleParts, '#', 3);
objectUuidOfRole = findObjectUuidByIdName(objectTableFromRoleIdName, objectNameFromRoleIdName);
raise notice $sql$findObjectUuidByIdName('%', '%') = %;$sql$, objectTableFromRoleIdName, objectNameFromRoleIdName, objectUuidOfRole;
raise notice 'finding %, % (%), %', objectTableFromRoleIdName, objectNameFromRoleIdName, objectUuidOfRole, roleTypeFromRoleIdName;
select uuid
from RbacRole
where objectUuid = objectUuidOfRole
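Review bot: The two added `raise notice` lines report the same lookup twice, and at NOTICE level they are delivered to every client session by default (client_min_messages), so each role lookup now echoes table name, object name and object uuid back to whoever is calling. Keep one of them and lower it, e.g. `raise debug 'findObjectUuidByIdName(%, %) = % (%)', objectTableFromRoleIdName, objectNameFromRoleIdName, objectUuidOfRole, roleTypeFromRoleIdName;`, so it only appears when explicitly enabled. The enclosing function starts before and continues after this hunk.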


@ -1,7 +1,7 @@
--liquibase formatted sql
-- ============================================================================
--changeset hs-base-GLOBAL-OBJECT:1 endDelimiter:--//
--changeset test-base-GLOBAL-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/**
@ -12,32 +12,32 @@ begin transaction;
insert
into RbacObject (objecttable) values ('global');
insert
into Global (uuid, name) values ((select uuid from RbacObject where objectTable = 'global'), 'hostsharing');
into Global (uuid, name) values ((select uuid from RbacObject where objectTable = 'global'), 'test-global');
commit;
--//
-- ============================================================================
--changeset hs-base-ADMIN-ROLE:1 endDelimiter:--//
--changeset test-base-ADMIN-ROLE:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
A global administrator role.
*/
create or replace function hostsharingAdmin()
returns RbacRoleDescriptor
returns null on null input
create or replace function testGlobalAdmin()
returns RbacRoleDescriptor
returns null on null input
stable leakproof
language sql as $$
select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType;
$$;
begin transaction;
call defineContext('creating Hostsharing admin role', null, null, null);
select createRole(hostsharingAdmin());
call defineContext('creating test-global admin role', null, null, null);
select createRole(testGlobalAdmin());
commit;
-- ============================================================================
--changeset hs-base-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
--changeset test-base-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Create two users and assign both to the administrators role.
@ -46,18 +46,18 @@ do language plpgsql $$
declare
admins uuid ;
begin
call defineContext('creating fake Hostsharing admin users', null, null, null);
call defineContext('creating fake test-realm admin users', null, null, null);
admins = findRoleId(hostsharingAdmin());
call grantRoleToUserUnchecked(admins, admins, createRbacUser('mike@hostsharing.net'));
call grantRoleToUserUnchecked(admins, admins, createRbacUser('sven@hostsharing.net'));
admins = findRoleId(testGlobalAdmin());
call grantRoleToUserUnchecked(admins, admins, createRbacUser('mike@example.org'));
call grantRoleToUserUnchecked(admins, admins, createRbacUser('sven@example.org'));
end;
$$;
--//
-- ============================================================================
--changeset hs-base-hostsharing-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
--changeset test-base-hostsharing-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
@ -68,15 +68,15 @@ do language plpgsql $$
declare
userName varchar;
begin
call defineContext('testing currentUserUuid', null, 'sven@hostsharing.net', null);
call defineContext('testing currentUserUuid', null, 'sven@example.org', null);
select userName from RbacUser where uuid = currentUserUuid() into userName;
if userName <> 'sven@hostsharing.net' then
if userName <> 'sven@example.org' then
raise exception 'setting or fetching initial currentUser failed, got: %', userName;
end if;
call defineContext('testing currentUserUuid', null, 'mike@hostsharing.net', null);
call defineContext('testing currentUserUuid', null, 'mike@example.org', null);
select userName from RbacUser where uuid = currentUserUuid() into userName;
if userName = 'mike@hostsharing.net' then
if userName = 'mike@example.org' then
raise exception 'currentUser should not change in one transaction, but did change, got: %', userName;
end if;
end; $$;
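Review bot: Every changeset id in this file changes (`hs-base-…` to `test-base-…`, starting with the GLOBAL-OBJECT and ADMIN-ROLE headers), and Liquibase identifies an applied changeset by id, author and path, so on a database that already ran the old ids these are new changesets and will execute again: the GLOBAL-OBJECT changeset would insert a second `global` RbacObject, after which `(select uuid from RbacObject where objectTable = 'global')` in testGlobalAdmin() returns more than one row. If these test changesets only ever run against freshly created databases that is acceptable, but it should be stated at the top of the file, e.g. `-- changeset ids renamed from hs-base-* (2022-08); do not apply to a schema that already ran the old ids`, or the old ids should be kept.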


@ -1,10 +1,10 @@
--liquibase formatted sql
-- ============================================================================
--changeset hs-customer-MAIN-TABLE:1 endDelimiter:--//
--changeset test-customer-MAIN-TABLE:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create table if not exists customer
create table if not exists test_customer
(
uuid uuid unique references RbacObject (uuid),
reference int not null unique check (reference between 10000 and 99999),


@ -1,64 +1,64 @@
--liquibase formatted sql
-- ============================================================================
--changeset hs-customer-rbac-CREATE-OBJECT:1 endDelimiter:--//
--changeset test-customer-rbac-CREATE-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates the related RbacObject through a BEFORE INSERT TRIGGER.
*/
drop trigger if exists createRbacObjectForCustomer_Trigger on customer;
drop trigger if exists createRbacObjectForCustomer_Trigger on test_customer;
create trigger createRbacObjectForCustomer_Trigger
before insert
on customer
on test_customer
for each row
execute procedure createRbacObject();
--//
-- ============================================================================
--changeset hs-customer-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
--changeset test-customer-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace function customerOwner(customer customer)
create or replace function testCustomerOwner(customer test_customer)
returns RbacRoleDescriptor
language plpgsql
strict as $$
begin
return roleDescriptor('customer', customer.uuid, 'owner');
return roleDescriptor('test_customer', customer.uuid, 'owner');
end; $$;
create or replace function customerAdmin(customer customer)
create or replace function testCustomerAdmin(customer test_customer)
returns RbacRoleDescriptor
language plpgsql
strict as $$
begin
return roleDescriptor('customer', customer.uuid, 'admin');
return roleDescriptor('test_customer', customer.uuid, 'admin');
end; $$;
create or replace function customerTenant(customer customer)
create or replace function testCustomerTenant(customer test_customer)
returns RbacRoleDescriptor
language plpgsql
strict as $$
begin
return roleDescriptor('customer', customer.uuid, 'tenant');
return roleDescriptor('test_customer', customer.uuid, 'tenant');
end; $$;
--//
-- ============================================================================
--changeset hs-customer-rbac-ROLES-CREATION:1 endDelimiter:--//
--changeset test-customer-rbac-ROLES-CREATION:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates the roles and their assignments for a new customer for the AFTER INSERT TRIGGER.
*/
create or replace function createRbacRolesForCustomer()
create or replace function createRbacRolesForTestCustomer()
returns trigger
language plpgsql
strict as $$
declare
customerOwnerUuid uuid;
testCustomerOwnerUuid uuid;
customerAdminUuid uuid;
begin
if TG_OP <> 'INSERT' then
@ -66,27 +66,27 @@ begin
end if;
-- the owner role with full access for Hostsharing administrators
customerOwnerUuid = createRole(
customerOwner(NEW),
testCustomerOwnerUuid = createRole(
testCustomerOwner(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
beneathRole(hostsharingAdmin())
beneathRole(testGlobalAdmin())
);
-- the admin role for the customer's admins, who can view and add products
customerAdminUuid = createRole(
customerAdmin(NEW),
testCustomerAdmin(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view', 'add-package']),
-- NO auto assume for customer owner to avoid exploding permissions for administrators
withUser(NEW.adminUserName, 'create'), -- implicitly ignored if null
grantedByRole(hostsharingAdmin())
grantedByRole(testGlobalAdmin())
);
-- allow the customer owner role (thus administrators) to assume the customer admin role
call grantRoleToRole(customerAdminUuid, customerOwnerUuid, false);
call grantRoleToRole(customerAdminUuid, testCustomerOwnerUuid, false);
-- the tenant role which later can be used by owners+admins of sub-objects
perform createRole(
customerTenant(NEW),
testCustomerTenant(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view'])
);
@ -97,32 +97,32 @@ end; $$;
An AFTER INSERT TRIGGER which creates the role structure for a new customer.
*/
drop trigger if exists createRbacRolesForCustomer_Trigger on customer;
create trigger createRbacRolesForCustomer_Trigger
drop trigger if exists createRbacRolesForTestCustomer_Trigger on test_customer;
create trigger createRbacRolesForTestCustomer_Trigger
after insert
on customer
on test_customer
for each row
execute procedure createRbacRolesForCustomer();
execute procedure createRbacRolesForTestCustomer();
--//
-- ============================================================================
--changeset hs-customer-rbac-ROLES-REMOVAL:1 endDelimiter:--//
--changeset test-customer-rbac-ROLES-REMOVAL:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Deletes the roles and their assignments of a deleted customer for the BEFORE DELETE TRIGGER.
*/
create or replace function deleteRbacRulesForCustomer()
create or replace function deleteRbacRulesForTestCustomer()
returns trigger
language plpgsql
strict as $$
begin
if TG_OP = 'DELETE' then
call deleteRole(findRoleId(customerOwner(OLD)));
call deleteRole(findRoleId(customerAdmin(OLD)));
call deleteRole(findRoleId(customerTenant(OLD)));
call deleteRole(findRoleId(testCustomerOwner(OLD)));
call deleteRole(findRoleId(testCustomerAdmin(OLD)));
call deleteRole(findRoleId(testCustomerTenant(OLD)));
else
raise exception 'invalid usage of TRIGGER BEFORE DELETE';
end if;
@ -132,93 +132,93 @@ end; $$;
An BEFORE DELETE TRIGGER which deletes the role structure of a customer.
*/
drop trigger if exists deleteRbacRulesForCustomer_Trigger on customer;
create trigger deleteRbacRulesForCustomer_Trigger
drop trigger if exists deleteRbacRulesForTestCustomer_Trigger on test_customer;
create trigger deleteRbacRulesForTestCustomer_Trigger
before delete
on customer
on test_customer
for each row
execute procedure deleteRbacRulesForCustomer();
execute procedure deleteRbacRulesForTestCustomer();
--//
-- ============================================================================
--changeset hs-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//
--changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates a view to the customer main table which maps the identifying name
(in this case, the prefix) to the objectUuid.
*/
drop view if exists customer_iv;
create or replace view customer_iv as
drop view if exists test_customer_iv;
create or replace view test_customer_iv as
select target.uuid, target.prefix as idName
from customer as target;
from test_customer as target;
-- TODO: Is it ok that everybody has access to this information?
grant all privileges on customer_iv to restricted;
grant all privileges on test_customer_iv to restricted;
/*
Returns the objectUuid for a given identifying name (in this case the prefix).
*/
create or replace function customerUuidByIdName(idName varchar)
create or replace function test_customerUuidByIdName(idName varchar)
returns uuid
language sql
strict as $$
select uuid from customer_iv iv where iv.idName = customerUuidByIdName.idName;
select uuid from test_customer_iv iv where iv.idName = test_customerUuidByIdName.idName;
$$;
/*
Returns the identifying name for a given objectUuid (in this case the prefix).
*/
create or replace function customerIdNameByUuid(uuid uuid)
create or replace function test_customerIdNameByUuid(uuid uuid)
returns varchar
language sql
strict as $$
select idName from customer_iv iv where iv.uuid = customerIdNameByUuid.uuid;
select idName from test_customer_iv iv where iv.uuid = test_customerIdNameByUuid.uuid;
$$;
--//
-- ============================================================================
--changeset hs-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
--changeset test-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates a view to the customer main table with row-level limitation
based on the 'view' permission of the current user or assumed roles.
*/
set session session authorization default;
drop view if exists customer_rv;
create or replace view customer_rv as
drop view if exists test_customer_rv;
create or replace view test_customer_rv as
select target.*
from customer as target
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'customer', currentSubjectsUuids()));
grant all privileges on customer_rv to restricted;
from test_customer as target
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_customer', currentSubjectsUuids()));
grant all privileges on test_customer_rv to restricted;
--//
-- ============================================================================
--changeset hs-customer-rbac-ADD-CUSTOMER:1 endDelimiter:--//
--changeset test-customer-rbac-ADD-CUSTOMER:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates a global permission for add-customer and assigns it to the hostsharing admins role.
*/
do language plpgsql $$
declare
addCustomerPermissions uuid[];
hostsharingObjectUuid uuid;
hsAdminRoleUuid uuid ;
addCustomerPermissions uuid[];
globalObjectUuid uuid;
globalAdminRoleUuid uuid ;
begin
call defineContext('granting global add-customer permission to Hostsharing admin role', null, null, null);
call defineContext('granting global add-customer permission to global admin role', null, null, null);
hsAdminRoleUuid := findRoleId(hostsharingAdmin());
hostsharingObjectUuid := (select uuid from global);
addCustomerPermissions := createPermissions(hostsharingObjectUuid, array ['add-customer']);
call grantPermissionsToRole(hsAdminRoleUuid, addCustomerPermissions);
globalAdminRoleUuid := findRoleId(testGlobalAdmin());
globalObjectUuid := (select uuid from global);
addCustomerPermissions := createPermissions(globalObjectUuid, array ['add-customer']);
call grantPermissionsToRole(globalAdminRoleUuid, addCustomerPermissions);
end;
$$;
/**
Used by the trigger to prevent the add-customer to current user respectively assumed roles.
*/
create or replace function addCustomerNotAllowedForCurrentSubjects()
create or replace function addTestCustomerNotAllowedForCurrentSubjects()
returns trigger
language PLPGSQL
as $$
@ -230,11 +230,11 @@ end; $$;
/**
Checks if the user or assumed roles are allowed to add a new customer.
*/
create trigger customer_insert_trigger
create trigger test_customer_insert_trigger
before insert
on customer
on test_customer
for each row
when ( currentUser() <> 'mike@hostsharing.net' or not hasGlobalPermission('add-customer') )
execute procedure addCustomerNotAllowedForCurrentSubjects();
when ( currentUser() <> 'mike@example.org' or not hasGlobalPermission('add-customer') )
execute procedure addTestCustomerNotAllowedForCurrentSubjects();
--//
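Review bot: `grant all privileges on test_customer_iv to restricted;` hands the `restricted` role INSERT, UPDATE and DELETE on a view that PostgreSQL treats as auto-updatable (a single base table, no DISTINCT or GROUP BY), and because access to the base table is checked as the view's owner, a restricted session could `delete from test_customer_iv` or rewrite `prefix` through it, bypassing the row-level filter that only `test_customer_rv` applies — assuming the migration user owns both the view and `test_customer`. The identity view is only ever read by the two lookup functions below it, so `grant select on test_customer_iv to restricted;` is sufficient. The same `grant all` on `test_customer_rv` is presumably intentional because that view is the write path, but a one-line comment saying so would stop the next reader from treating the two grants as interchangeable; the existing TODO about everyone seeing all prefixes is a separate question.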


@ -2,7 +2,7 @@
-- ============================================================================
--changeset hs-customer-TEST-DATA-GENERATOR:1 endDelimiter:--//
--changeset test-customer-TEST-DATA-GENERATOR:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Generates a customer reference number for a given test data counter.
@ -19,7 +19,7 @@ end; $$;
/*
Creates a single customer test record with dist.
*/
create or replace procedure createCustomerTestData(
create or replace procedure createTestCustomerTestData(
custReference integer,
custPrefix varchar
)
@ -30,7 +30,7 @@ declare
custAdminName varchar;
begin
currentTask = 'creating RBAC test customer #' || custReference || '/' || custPrefix;
call defineContext(currentTask, null, 'mike@hostsharing.net', 'global#hostsharing.admin');
call defineContext(currentTask, null, 'mike@example.org', 'global#test-global.admin');
execute format('set local hsadminng.currentTask to %L', currentTask);
custRowId = uuid_generate_v4();
@ -38,7 +38,7 @@ begin
raise notice 'creating customer %:%', custReference, custPrefix;
insert
into customer (reference, prefix, adminUserName)
into test_customer (reference, prefix, adminUserName)
values (custReference, custPrefix, custAdminName);
end; $$;
--//
@ -46,7 +46,7 @@ end; $$;
/*
Creates a range of test customers for mass data generation.
*/
create or replace procedure createCustomerTestData(
create or replace procedure createTestCustomerTestData(
startCount integer, -- count of auto generated rows before the run
endCount integer -- count of auto generated rows after the run
)
@ -54,7 +54,7 @@ create or replace procedure createCustomerTestData(
begin
for t in startCount..endCount
loop
call createCustomerTestData(testCustomerReference(t), intToVarChar(t, 3));
call createTestCustomerTestData(testCustomerReference(t), intToVarChar(t, 3));
commit;
end loop;
end; $$;
@ -62,14 +62,14 @@ end; $$;
-- ============================================================================
--changeset hs-customer-TEST-DATA-GENERATION:1 context=dev,tc endDelimiter:--//
--changeset test-customer-TEST-DATA-GENERATION:1 context=dev,tc endDelimiter:--//
-- ----------------------------------------------------------------------------
do language plpgsql $$
begin
call createCustomerTestData(99901, 'xxx');
call createCustomerTestData(99902, 'yyy');
call createCustomerTestData(99903, 'zzz');
call createTestCustomerTestData(99901, 'xxx');
call createTestCustomerTestData(99902, 'yyy');
call createTestCustomerTestData(99903, 'zzz');
end;
$$;
--//
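Review bot: The TEST-DATA-GENERATION changeset header uses `context=dev,tc`, whereas every other changeset in this commit writes `context:dev,tc` (for example the ADMIN-USERS changeset in the base file); if the formatted-SQL parser only recognises the colon form, the attribute is silently ignored and the `xxx`/`yyy`/`zzz` customers are created in every context, including whatever is used outside development. Change the header to `--changeset test-customer-TEST-DATA-GENERATION:1 context:dev,tc endDelimiter:--//` so it matches the rest of the changelog.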


@ -1,14 +1,14 @@
--liquibase formatted sql
-- ============================================================================
--changeset hs-package-MAIN-TABLE:1 endDelimiter:--//
--changeset test-package-MAIN-TABLE:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create table if not exists package
create table if not exists test_package
(
uuid uuid unique references RbacObject (uuid),
version int not null default 0,
customerUuid uuid references customer (uuid),
customerUuid uuid references test_customer (uuid),
name varchar(5),
description varchar(96)
);


@ -1,62 +1,62 @@
--liquibase formatted sql
-- ============================================================================
--changeset hs-package-rbac-CREATE-OBJECT:1 endDelimiter:--//
--changeset test-package-rbac-CREATE-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates the related RbacObject through a BEFORE INSERT TRIGGER.
*/
drop trigger if exists createRbacObjectForPackage_Trigger on package;
drop trigger if exists createRbacObjectForPackage_Trigger on test_package;
create trigger createRbacObjectForPackage_Trigger
before insert
on package
on test_package
for each row
execute procedure createRbacObject();
--//
-- ============================================================================
--changeset hs-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
--changeset test-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace function packageOwner(pac package)
create or replace function testPackageOwner(pac test_package)
returns RbacRoleDescriptor
returns null on null input
language plpgsql as $$
begin
return roleDescriptor('package', pac.uuid, 'owner');
return roleDescriptor('test_package', pac.uuid, 'owner');
end; $$;
create or replace function packageAdmin(pac package)
create or replace function testPackageAdmin(pac test_package)
returns RbacRoleDescriptor
returns null on null input
language plpgsql as $$
begin
return roleDescriptor('package', pac.uuid, 'admin');
return roleDescriptor('test_package', pac.uuid, 'admin');
end; $$;
create or replace function packageTenant(pac package)
create or replace function testPackageTenant(pac test_package)
returns RbacRoleDescriptor
returns null on null input
language plpgsql as $$
begin
return roleDescriptor('package', pac.uuid, 'tenant');
return roleDescriptor('test_package', pac.uuid, 'tenant');
end; $$;
--//
-- ============================================================================
--changeset hs-package-rbac-ROLES-CREATION:1 endDelimiter:--//
--changeset test-package-rbac-ROLES-CREATION:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates the roles and their assignments for a new package for the AFTER INSERT TRIGGER.
*/
create or replace function createRbacRolesForPackage()
create or replace function createRbacRolesForTestPackage()
returns trigger
language plpgsql
strict as $$
declare
parentCustomer customer;
parentCustomer test_customer;
packageOwnerRoleUuid uuid;
packageAdminRoleUuid uuid;
begin
@ -64,28 +64,28 @@ begin
raise exception 'invalid usage of TRIGGER AFTER INSERT';
end if;
select * from customer as c where c.uuid = NEW.customerUuid into parentCustomer;
select * from test_customer as c where c.uuid = NEW.customerUuid into parentCustomer;
-- an owner role is created and assigned to the customer's admin role
packageOwnerRoleUuid = createRole(
packageOwner(NEW),
testPackageOwner(NEW),
withoutPermissions(),
beneathRole(customerAdmin(parentCustomer))
beneathRole(testCustomerAdmin(parentCustomer))
);
-- an owner role is created and assigned to the package owner role
packageAdminRoleUuid = createRole(
packageAdmin(NEW),
testPackageAdmin(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['add-unixuser', 'add-domain']),
beneathRole(packageOwnerRoleUuid)
);
-- and a package tenant role is created and assigned to the package admin as well
perform createRole(
packageTenant(NEW),
testPackageTenant(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),
beneathRole(packageAdminRoleUuid),
beingItselfA(customerTenant(parentCustomer))
beingItselfA(testCustomerTenant(parentCustomer))
);
return NEW;
@ -95,31 +95,31 @@ end; $$;
An AFTER INSERT TRIGGER which creates the role structure for a new package.
*/
drop trigger if exists createRbacRolesForPackage_Trigger on package;
create trigger createRbacRolesForPackage_Trigger
drop trigger if exists createRbacRolesForTestPackage_Trigger on test_package;
create trigger createRbacRolesForTestPackage_Trigger
after insert
on package
on test_package
for each row
execute procedure createRbacRolesForPackage();
execute procedure createRbacRolesForTestPackage();
--//
-- ============================================================================
--changeset hs-package-rbac-ROLES-REMOVAL:1 endDelimiter:--//
--changeset test-package-rbac-ROLES-REMOVAL:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Deletes the roles and their assignments of a deleted package for the BEFORE DELETE TRIGGER.
*/
create or replace function deleteRbacRulesForPackage()
create or replace function deleteRbacRulesForTestPackage()
returns trigger
language plpgsql
strict as $$
begin
if TG_OP = 'DELETE' then
call deleteRole(findRoleId(packageOwner(OLD)));
call deleteRole(findRoleId(packageAdmin(OLD)));
call deleteRole(findRoleId(packageTenant(OLD)));
call deleteRole(findRoleId(testPackageOwner(OLD)));
call deleteRole(findRoleId(testPackageAdmin(OLD)));
call deleteRole(findRoleId(testPackageTenant(OLD)));
else
raise exception 'invalid usage of TRIGGER BEFORE DELETE';
end if;
@ -129,66 +129,66 @@ end; $$;
An BEFORE DELETE TRIGGER which deletes the role structure of a package.
*/
drop trigger if exists deleteRbacRulesForPackage_Trigger on package;
create trigger deleteRbacRulesForPackage_Trigger
drop trigger if exists deleteRbacRulesForTestPackage_Trigger on test_package;
create trigger deleteRbacRulesForTestPackage_Trigger
before delete
on package
on test_package
for each row
execute procedure deleteRbacRulesForPackage();
execute procedure deleteRbacRulesForTestPackage();
--//
-- ============================================================================
--changeset hs-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//
--changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates a view to the package main table which maps the identifying name
(in this case, actually the column `name`) to the objectUuid.
*/
drop view if exists package_iv;
create or replace view package_iv as
drop view if exists test_package_iv;
create or replace view test_package_iv as
select distinct target.uuid, target.name as idName
from package as target;
from test_package as target;
-- TODO: Is it ok that everybody has access to this information?
grant all privileges on package_iv to restricted;
grant all privileges on test_package_iv to restricted;
/*
Returns the objectUuid for a given identifying name (in this case, actually the column `name`).
*/
create or replace function packageUuidByIdName(idName varchar)
create or replace function test_packageUuidByIdName(idName varchar)
returns uuid
language sql
strict as $$
select uuid from package_iv iv where iv.idName = packageUuidByIdName.idName;
select uuid from test_package_iv iv where iv.idName = test_packageUuidByIdName.idName;
$$;
/*
Returns the identifying name for a given objectUuid (in this case the name).
*/
create or replace function packageIdNameByUuid(uuid uuid)
create or replace function test_packageIdNameByUuid(uuid uuid)
returns varchar
stable leakproof
language sql
strict as $$
select idName from package_iv iv where iv.uuid = packageIdNameByUuid.uuid;
select idName from test_package_iv iv where iv.uuid = test_packageIdNameByUuid.uuid;
$$;
--//
-- ============================================================================
--changeset hs-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
--changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates a view to the customer main table which maps the identifying name
(in this case, the prefix) to the objectUuid.
*/
drop view if exists package_rv;
create or replace view package_rv as
drop view if exists test_package_rv;
create or replace view test_package_rv as
select target.*
from package as target
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'package', currentSubjectsUuids()))
from test_package as target
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_package', currentSubjectsUuids()))
order by target.name;
grant all privileges on package_rv to restricted;
grant all privileges on test_package_rv to restricted;
--//
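Review bot: In createRbacRolesForTestPackage() the line `select * from test_customer as c where c.uuid = NEW.customerUuid into parentCustomer;` never checks that a row was found; `customerUuid` is nullable in the table definition, and a miss leaves every field of `parentCustomer` null, so `testCustomerAdmin()` (declared strict) returns null and `beneathRole()` receives a null descriptor instead of the insert failing loudly. Add `if parentCustomer.uuid is null then raise exception 'no test_customer found for package % (customerUuid=%)', NEW.name, NEW.customerUuid; end if;` directly after the select. The function's body is split across the two hunks of this section, with the lines between them outside the view.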


@ -1,7 +1,7 @@
--liquibase formatted sql
-- ============================================================================
--changeset hs-package-TEST-DATA-GENERATOR:1 endDelimiter:--//
--changeset test-package-TEST-DATA-GENERATOR:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates the given number of test packages for the given customer.
@ -9,14 +9,14 @@
create or replace procedure createPackageTestData(customerPrefix varchar, pacCount int)
language plpgsql as $$
declare
cust customer;
cust test_customer;
custAdminUser varchar;
custAdminRole varchar;
pacName varchar;
currentTask varchar;
pac package;
pac test_package;
begin
select * from customer where customer.prefix = customerPrefix into cust;
select * from test_customer where test_customer.prefix = customerPrefix into cust;
for t in 0..(pacCount-1)
loop
@ -25,18 +25,18 @@ begin
cust.uuid;
custAdminUser = 'customer-admin@' || cust.prefix || '.example.com';
custAdminRole = 'customer#' || cust.prefix || '.admin';
custAdminRole = 'test_customer#' || cust.prefix || '.admin';
call defineContext(currentTask, null, custAdminUser, custAdminRole);
raise notice 'task: % by % as %', currentTask, custAdminUser, custAdminRole;
insert
into package (customerUuid, name, description)
into test_package (customerUuid, name, description)
values (cust.uuid, pacName, 'Here can add your own description of package ' || pacName || '.')
returning * into pac;
call grantRoleToUser(
getRoleId(customerAdmin(cust), 'fail'),
findRoleId(packageAdmin(pac)),
getRoleId(testCustomerAdmin(cust), 'fail'),
findRoleId(testPackageAdmin(pac)),
createRbacUser('pac-admin-' || pacName || '@' || cust.prefix || '.example.com'),
true);
@ -49,9 +49,9 @@ end; $$;
create or replace procedure createPackageTestData()
language plpgsql as $$
declare
cust customer;
cust test_customer;
begin
for cust in (select * from customer)
for cust in (select * from test_customer)
loop
continue when cust.reference >= 90000; -- reserved for functional testing
call createPackageTestData(cust.prefix, 3);
@ -64,7 +64,7 @@ $$;
-- ============================================================================
--changeset hs-package-TEST-DATA-GENERATION:1 context=dev,tc endDelimiter:--//
--changeset test-package-TEST-DATA-GENERATION:1 context=dev,tc endDelimiter:--//
-- ----------------------------------------------------------------------------
do language plpgsql $$
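Review bot: createPackageTestData(customerPrefix, pacCount) loads the customer with `select * from test_customer where test_customer.prefix = customerPrefix into cust;` and does not check that it found one, so a wrong prefix yields a null `cust.uuid`, null `custAdminUser`/`custAdminRole` strings (the `||` concatenations propagate the null into defineContext) and an insert with a null customerUuid instead of a clear error. Add `if cust.uuid is null then raise exception 'no test_customer with prefix %', customerPrefix; end if;` right after the select. The procedure's loop body continues outside the first hunk.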


@ -4,10 +4,10 @@
--changeset hs-unixuser-MAIN-TABLE:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create table if not exists UnixUser
create table if not exists test_unixuser
(
uuid uuid unique references RbacObject (uuid),
packageUuid uuid references package (uuid),
packageUuid uuid references test_package (uuid),
name character varying(32),
description character varying(96)
);


@ -1,49 +1,49 @@
--liquibase formatted sql
-- ============================================================================
--changeset hs-package-rbac-CREATE-OBJECT:1 endDelimiter:--//
--changeset test-package-rbac-CREATE-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates the related RbacObject through a BEFORE INSERT TRIGGER.
*/
drop trigger if exists createRbacObjectForUnixUser_Trigger on UnixUser;
create trigger createRbacObjectForUnixUser_Trigger
drop trigger if exists createRbacObjectFortest_unixuser_Trigger on test_unixuser;
create trigger createRbacObjectFortest_unixuser_Trigger
before insert
on UnixUser
on test_unixuser
for each row
execute procedure createRbacObject();
--//
-- ============================================================================
--changeset hs-unixuser-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
--changeset test-unixuser-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace function unixUserOwner(uu UnixUser)
create or replace function testUnixUserOwner(uu test_unixuser)
returns RbacRoleDescriptor
returns null on null input
language plpgsql as $$
begin
return roleDescriptor('unixuser', uu.uuid, 'owner');
return roleDescriptor('test_unixuser', uu.uuid, 'owner');
end; $$;
create or replace function unixUserAdmin(uu UnixUser)
create or replace function testUnixUserAdmin(uu test_unixuser)
returns RbacRoleDescriptor
returns null on null input
language plpgsql as $$
begin
return roleDescriptor('unixuser', uu.uuid, 'admin');
return roleDescriptor('test_unixuser', uu.uuid, 'admin');
end; $$;
create or replace function unixUserTenant(uu UnixUser)
create or replace function testUnixUserTenant(uu test_unixuser)
returns RbacRoleDescriptor
returns null on null input
language plpgsql as $$
begin
return roleDescriptor('unixuser', uu.uuid, 'tenant');
return roleDescriptor('test_unixuser', uu.uuid, 'tenant');
end; $$;
create or replace function createUnixUserTenantRoleIfNotExists(unixUser UnixUser)
create or replace function createTestUnixUserTenantRoleIfNotExists(unixUser test_unixuser)
returns uuid
returns null on null input
language plpgsql as $$
@ -51,7 +51,7 @@ declare
unixUserTenantRoleDesc RbacRoleDescriptor;
unixUserTenantRoleUuid uuid;
begin
unixUserTenantRoleDesc = unixUserTenant(unixUser);
unixUserTenantRoleDesc = testUnixUserTenant(unixUser);
unixUserTenantRoleUuid = findRoleId(unixUserTenantRoleDesc);
if unixUserTenantRoleUuid is not null then
return unixUserTenantRoleUuid;
@ -60,25 +60,25 @@ begin
return createRole(
unixUserTenantRoleDesc,
grantingPermissions(forObjectUuid => unixUser.uuid, permitOps => array ['view']),
beneathRole(unixUserAdmin(unixUser))
beneathRole(testUnixUserAdmin(unixUser))
);
end; $$;
--//
-- ============================================================================
--changeset hs-unixuser-rbac-ROLES-CREATION:1 endDelimiter:--//
--changeset test-unixuser-rbac-ROLES-CREATION:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates the roles and their assignments for a new UnixUser for the AFTER INSERT TRIGGER.
*/
create or replace function createRbacRulesForUnixUser()
create or replace function createRbacRulesForTestUnixUser()
returns trigger
language plpgsql
strict as $$
declare
parentPackage package;
parentPackage test_package;
unixuserOwnerRoleId uuid;
unixuserAdminRoleId uuid;
begin
@ -86,21 +86,21 @@ begin
raise exception 'invalid usage of TRIGGER AFTER INSERT';
end if;
select * from package where uuid = NEW.packageUuid into parentPackage;
select * from test_package where uuid = NEW.packageUuid into parentPackage;
-- an owner role is created and assigned to the package's admin group
unixuserOwnerRoleId = createRole(
unixUserOwner(NEW),
testUnixUserOwner(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
beneathRole(packageAdmin(parentPackage))
beneathRole(testPackageAdmin(parentPackage))
);
-- and a unixuser admin role is created and assigned to the unixuser owner as well
unixuserAdminRoleId = createRole(
unixUserAdmin(NEW),
testUnixUserAdmin(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']),
beneathRole(unixuserOwnerRoleId),
beingItselfA(packageTenant(parentPackage))
beingItselfA(testPackageTenant(parentPackage))
);
-- a tenent role is only created on demand
@ -112,32 +112,32 @@ end; $$;
/*
An AFTER INSERT TRIGGER which creates the role structure for a new UnixUser.
*/
drop trigger if exists createRbacRulesForUnixUser_Trigger on UnixUser;
create trigger createRbacRulesForUnixUser_Trigger
drop trigger if exists createRbacRulesForTestUnixuser_Trigger on test_unixuser;
create trigger createRbacRulesForTestUnixuser_Trigger
after insert
on UnixUser
on test_unixuser
for each row
execute procedure createRbacRulesForUnixUser();
execute procedure createRbacRulesForTestUnixUser();
--//
-- ============================================================================
--changeset hs-unixuser-rbac-ROLES-REMOVAL:1 endDelimiter:--//
--changeset test-unixuser-rbac-ROLES-REMOVAL:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Deletes the roles and their assignments of a deleted UnixUser for the BEFORE DELETE TRIGGER.
*/
create or replace function deleteRbacRulesForUnixUser()
create or replace function deleteRbacRulesForTestUnixUser()
returns trigger
language plpgsql
strict as $$
begin
if TG_OP = 'DELETE' then
call deleteRole(findRoleId(unixUserOwner(OLD)));
call deleteRole(findRoleId(unixUserAdmin(OLD)));
call deleteRole(findRoleId(unixUserTenant(OLD)));
call deleteRole(findRoleId(testUnixUserOwner(OLD)));
call deleteRole(findRoleId(testUnixUserAdmin(OLD)));
call deleteRole(findRoleId(testUnixUserTenant(OLD)));
else
raise exception 'invalid usage of TRIGGER BEFORE DELETE';
end if;
@ -147,65 +147,65 @@ end; $$;
An BEFORE DELETE TRIGGER which deletes the role structure of a UnixUser.
*/
drop trigger if exists deleteRbacRulesForUnixUser_Trigger on package;
create trigger deleteRbacRulesForUnixUser_Trigger
drop trigger if exists deleteRbacRulesForTestUnixUser_Trigger on test_package;
create trigger deleteRbacRulesForTestUnixUser_Trigger
before delete
on UnixUser
on test_unixuser
for each row
execute procedure deleteRbacRulesForUnixUser();
execute procedure deleteRbacRulesForTestUnixUser();
--//
-- ============================================================================
--changeset hs-unixuser-rbac-IDENTITY-VIEW:1 endDelimiter:--//
--changeset test-unixuser-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates a view to the UnixUser main table which maps the identifying name
(in this case, actually the column `name`) to the objectUuid.
*/
drop view if exists UnixUser_iv;
create or replace view UnixUser_iv as
drop view if exists test_unixuser_iv;
create or replace view test_unixuser_iv as
select distinct target.uuid, target.name as idName
from UnixUser as target;
from test_unixuser as target;
-- TODO: Is it ok that everybody has access to this information?
grant all privileges on UnixUser_iv to restricted;
grant all privileges on test_unixuser_iv to restricted;
/*
Returns the objectUuid for a given identifying name (in this case, actually the column `name`).
*/
create or replace function unixUserUuidByIdName(idName varchar)
create or replace function test_unixUserUuidByIdName(idName varchar)
returns uuid
language sql
strict as $$
select uuid from UnixUser_iv iv where iv.idName = unixUserUuidByIdName.idName;
select uuid from test_unixuser_iv iv where iv.idName = test_unixUserUuidByIdName.idName;
$$;
/*
Returns the identifying name for a given objectUuid (in this case the name).
*/
create or replace function unixUserIdNameByUuid(uuid uuid)
create or replace function test_unixUserIdNameByUuid(uuid uuid)
returns varchar
stable leakproof
language sql
strict as $$
select idName from UnixUser_iv iv where iv.uuid = unixUserIdNameByUuid.uuid;
select idName from test_unixuser_iv iv where iv.uuid = test_unixUserIdNameByUuid.uuid;
$$;
--//
-- ============================================================================
--changeset hs-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
--changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates a view to the customer main table which maps the identifying name
(in this case, the prefix) to the objectUuid.
*/
drop view if exists unixuser_rv;
create or replace view unixuser_rv as
drop view if exists test_unixuser_rv;
create or replace view test_unixuser_rv as
select target.*
from unixuser as target
from test_unixuser as target
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'unixuser', currentSubjectsUuids()));
grant all privileges on unixuser_rv to restricted;
grant all privileges on test_unixuser_rv to restricted;
--//
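Review bot: The restricted view near the end of the section still filters with `queryAccessibleObjectUuidsOfSubjectIds('view', 'unixuser', currentSubjectsUuids())` while the three role descriptors in the same file were changed to `roleDescriptor('test_unixuser', uu.uuid, ...)`; if the object-table argument of that lookup has to match the descriptor's table name, test_unixuser_rv will not see any of the granted objects and the RBAC-restricted view returns nothing or the wrong set, so the literal should become `'test_unixuser'` as well. The rename also carried over the mismatched table in `drop trigger if exists deleteRbacRulesForTestUnixUser_Trigger on test_package;` — the trigger itself is created `on test_unixuser`, so the drop never addresses the object that `create trigger` would collide with; it should read `drop trigger if exists deleteRbacRulesForTestUnixUser_Trigger on test_unixuser;`. The block comment above test_unixuser_rv still talks about the "customer main table" and "the prefix"; it should say `Creates a view onto the test_unixuser main table restricted to the rows the current subjects are allowed to view.`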


@ -14,8 +14,8 @@ declare
currentTask varchar;
begin
select p.uuid, p.name, c.prefix as custPrefix
from package p
join customer c on p.customeruuid = c.uuid
from test_package p
join test_customer c on p.customeruuid = c.uuid
where p.name = packageName
into pac;
@ -27,7 +27,7 @@ begin
call defineContext(currentTask, null, pacAdmin, null);
insert
into unixuser (name, packageUuid)
into test_unixuser (name, packageUuid)
values (pac.name || '-' || intToVarChar(t, 4), pac.uuid);
end loop;
end; $$;
@ -44,8 +44,8 @@ declare
begin
for pac in
(select p.uuid, p.name
from package p
join customer c on p.customeruuid = c.uuid
from test_package p
join test_customer c on p.customeruuid = c.uuid
where c.reference < 90000) -- reserved for functional testing
loop
call createUnixUserTestData(pac.name, 2);
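Review bot: The `select p.uuid, p.name, c.prefix as custPrefix ... where p.name = packageName into pac;` in the first hunk has no `strict`, so an unknown package name does not fail but leaves pac all-NULL, and the `insert into test_unixuser (name, packageUuid) values (pac.name || '-' || intToVarChar(t, 4), pac.uuid);` in the second hunk then writes rows with a NULL name and NULL packageUuid (the test_unixuser table earlier on this page declares neither column NOT NULL). Change the target to `into strict pac;` so the procedure raises on a missing or ambiguous package instead of silently creating orphan test rows. The enclosing procedure starts before the first hunk, so the declaration of pac is not visible here.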


@ -28,24 +28,24 @@ databaseChangeLog:
- include:
file: db/changelog/080-rbac-global.sql
- include:
file: db/changelog/100-hs-base.sql
file: db/changelog/100-test-base.sql
- include:
file: db/changelog/110-hs-customer.sql
file: db/changelog/110-test-customer.sql
- include:
file: db/changelog/113-hs-customer-rbac.sql
file: db/changelog/113-test-customer-rbac.sql
- include:
file: db/changelog/118-hs-customer-test-data.sql
file: db/changelog/118-test-customer-test-data.sql
- include:
file: db/changelog/120-hs-package.sql
file: db/changelog/120-test-package.sql
- include:
file: db/changelog/123-hs-package-rbac.sql
file: db/changelog/123-test-package-rbac.sql
- include:
file: db/changelog/128-hs-package-test-data.sql
file: db/changelog/128-test-package-test-data.sql
- include:
file: db/changelog/130-hs-unixuser.sql
file: db/changelog/130-test-unixuser.sql
- include:
file: db/changelog/133-hs-unixuser-rbac.sql
file: db/changelog/133-test-unixuser-rbac.sql
- include:
file: db/changelog/138-hs-unixuser-test-data.sql
file: db/changelog/138-test-unixuser-test-data.sql