use customer/package/unixuser only as test data structure (DB part)
This commit is contained in:
Michael Hoennig
240
src/main/resources/db/changelog/113-test-customer-rbac.sql
Normal file
240
src/main/resources/db/changelog/113-test-customer-rbac.sql
Normal file
@@ -0,0 +1,240 @@
|
||||
--liquibase formatted sql
|
||||
|
||||
-- ============================================================================
|
||||
--changeset test-customer-rbac-CREATE-OBJECT:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/*
|
||||
Creates the related RbacObject through a BEFORE INSERT TRIGGER.
|
||||
*/
|
||||
drop trigger if exists createRbacObjectForCustomer_Trigger on test_customer;
|
||||
create trigger createRbacObjectForCustomer_Trigger
|
||||
before insert
|
||||
on test_customer
|
||||
for each row
|
||||
execute procedure createRbacObject();
|
||||
--//
|
||||
|
||||
-- ============================================================================
|
||||
--changeset test-customer-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
create or replace function testCustomerOwner(customer test_customer)
|
||||
returns RbacRoleDescriptor
|
||||
language plpgsql
|
||||
strict as $$
|
||||
begin
|
||||
return roleDescriptor('test_customer', customer.uuid, 'owner');
|
||||
end; $$;
|
||||
|
||||
create or replace function testCustomerAdmin(customer test_customer)
|
||||
returns RbacRoleDescriptor
|
||||
language plpgsql
|
||||
strict as $$
|
||||
begin
|
||||
return roleDescriptor('test_customer', customer.uuid, 'admin');
|
||||
end; $$;
|
||||
|
||||
create or replace function testCustomerTenant(customer test_customer)
|
||||
returns RbacRoleDescriptor
|
||||
language plpgsql
|
||||
strict as $$
|
||||
begin
|
||||
return roleDescriptor('test_customer', customer.uuid, 'tenant');
|
||||
end; $$;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset test-customer-rbac-ROLES-CREATION:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/*
|
||||
Creates the roles and their assignments for a new customer for the AFTER INSERT TRIGGER.
|
||||
*/
|
||||
|
||||
create or replace function createRbacRolesForTestCustomer()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
declare
|
||||
testCustomerOwnerUuid uuid;
|
||||
customerAdminUuid uuid;
|
||||
begin
|
||||
if TG_OP <> 'INSERT' then
|
||||
raise exception 'invalid usage of TRIGGER AFTER INSERT';
|
||||
end if;
|
||||
|
||||
-- the owner role with full access for Hostsharing administrators
|
||||
testCustomerOwnerUuid = createRole(
|
||||
testCustomerOwner(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
||||
beneathRole(testGlobalAdmin())
|
||||
);
|
||||
|
||||
-- the admin role for the customer's admins, who can view and add products
|
||||
customerAdminUuid = createRole(
|
||||
testCustomerAdmin(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view', 'add-package']),
|
||||
-- NO auto assume for customer owner to avoid exploding permissions for administrators
|
||||
withUser(NEW.adminUserName, 'create'), -- implicitly ignored if null
|
||||
grantedByRole(testGlobalAdmin())
|
||||
);
|
||||
|
||||
-- allow the customer owner role (thus administrators) to assume the customer admin role
|
||||
call grantRoleToRole(customerAdminUuid, testCustomerOwnerUuid, false);
|
||||
|
||||
-- the tenant role which later can be used by owners+admins of sub-objects
|
||||
perform createRole(
|
||||
testCustomerTenant(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view'])
|
||||
);
|
||||
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
/*
|
||||
An AFTER INSERT TRIGGER which creates the role structure for a new customer.
|
||||
*/
|
||||
|
||||
drop trigger if exists createRbacRolesForTestCustomer_Trigger on test_customer;
|
||||
create trigger createRbacRolesForTestCustomer_Trigger
|
||||
after insert
|
||||
on test_customer
|
||||
for each row
|
||||
execute procedure createRbacRolesForTestCustomer();
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset test-customer-rbac-ROLES-REMOVAL:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/*
|
||||
Deletes the roles and their assignments of a deleted customer for the BEFORE DELETE TRIGGER.
|
||||
*/
|
||||
|
||||
create or replace function deleteRbacRulesForTestCustomer()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
begin
|
||||
if TG_OP = 'DELETE' then
|
||||
call deleteRole(findRoleId(testCustomerOwner(OLD)));
|
||||
call deleteRole(findRoleId(testCustomerAdmin(OLD)));
|
||||
call deleteRole(findRoleId(testCustomerTenant(OLD)));
|
||||
else
|
||||
raise exception 'invalid usage of TRIGGER BEFORE DELETE';
|
||||
end if;
|
||||
end; $$;
|
||||
|
||||
/*
|
||||
An BEFORE DELETE TRIGGER which deletes the role structure of a customer.
|
||||
*/
|
||||
|
||||
drop trigger if exists deleteRbacRulesForTestCustomer_Trigger on test_customer;
|
||||
create trigger deleteRbacRulesForTestCustomer_Trigger
|
||||
before delete
|
||||
on test_customer
|
||||
for each row
|
||||
execute procedure deleteRbacRulesForTestCustomer();
|
||||
--//
|
||||
|
||||
-- ============================================================================
|
||||
--changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/*
|
||||
Creates a view to the customer main table which maps the identifying name
|
||||
(in this case, the prefix) to the objectUuid.
|
||||
*/
|
||||
drop view if exists test_customer_iv;
|
||||
create or replace view test_customer_iv as
|
||||
select target.uuid, target.prefix as idName
|
||||
from test_customer as target;
|
||||
-- TODO: Is it ok that everybody has access to this information?
|
||||
grant all privileges on test_customer_iv to restricted;
|
||||
|
||||
/*
|
||||
Returns the objectUuid for a given identifying name (in this case the prefix).
|
||||
*/
|
||||
create or replace function test_customerUuidByIdName(idName varchar)
|
||||
returns uuid
|
||||
language sql
|
||||
strict as $$
|
||||
select uuid from test_customer_iv iv where iv.idName = test_customerUuidByIdName.idName;
|
||||
$$;
|
||||
|
||||
/*
|
||||
Returns the identifying name for a given objectUuid (in this case the prefix).
|
||||
*/
|
||||
create or replace function test_customerIdNameByUuid(uuid uuid)
|
||||
returns varchar
|
||||
language sql
|
||||
strict as $$
|
||||
select idName from test_customer_iv iv where iv.uuid = test_customerIdNameByUuid.uuid;
|
||||
$$;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset test-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
Creates a view to the customer main table with row-level limitation
|
||||
based on the 'view' permission of the current user or assumed roles.
|
||||
*/
|
||||
set session session authorization default;
|
||||
drop view if exists test_customer_rv;
|
||||
create or replace view test_customer_rv as
|
||||
select target.*
|
||||
from test_customer as target
|
||||
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_customer', currentSubjectsUuids()));
|
||||
grant all privileges on test_customer_rv to restricted;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset test-customer-rbac-ADD-CUSTOMER:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
Creates a global permission for add-customer and assigns it to the hostsharing admins role.
|
||||
*/
|
||||
do language plpgsql $$
|
||||
declare
|
||||
addCustomerPermissions uuid[];
|
||||
globalObjectUuid uuid;
|
||||
globalAdminRoleUuid uuid ;
|
||||
begin
|
||||
call defineContext('granting global add-customer permission to global admin role', null, null, null);
|
||||
|
||||
globalAdminRoleUuid := findRoleId(testGlobalAdmin());
|
||||
globalObjectUuid := (select uuid from global);
|
||||
addCustomerPermissions := createPermissions(globalObjectUuid, array ['add-customer']);
|
||||
call grantPermissionsToRole(globalAdminRoleUuid, addCustomerPermissions);
|
||||
end;
|
||||
$$;
|
||||
|
||||
/**
|
||||
Used by the trigger to prevent the add-customer to current user respectively assumed roles.
|
||||
*/
|
||||
create or replace function addTestCustomerNotAllowedForCurrentSubjects()
|
||||
returns trigger
|
||||
language PLPGSQL
|
||||
as $$
|
||||
begin
|
||||
raise exception '[403] add-customer not permitted for %',
|
||||
array_to_string(currentSubjects(), ';', 'null');
|
||||
end; $$;
|
||||
|
||||
/**
|
||||
Checks if the user or assumed roles are allowed to add a new customer.
|
||||
*/
|
||||
create trigger test_customer_insert_trigger
|
||||
before insert
|
||||
on test_customer
|
||||
for each row
|
||||
when ( currentUser() <> 'mike@example.org' or not hasGlobalPermission('add-customer') )
|
||||
execute procedure addTestCustomerNotAllowedForCurrentSubjects();
|
||||
--//
|
||||
|
||||
Reference in New Issue
Block a user