
refactor to only a single global admin object global#global.admin

This commit is contained in:
Michael Hoennig
2022-09-06 13:48:30 +02:00
parent 87e2b05926
commit da793ee546
24 changed files with 211 additions and 295 deletions


@ -16,7 +16,7 @@ create table Global
uuid uuid primary key references RbacObject (uuid) on delete cascade,
name varchar(63) unique
);
-- create unique index Global_Singleton on Global ((0));
create unique index Global_Singleton on Global ((0));
grant select on global to restricted;
--//
@ -70,3 +70,87 @@ create or replace function globalIdNameByUuid(uuid uuid)
select idName from global_iv iv where iv.uuid = globalIdNameByUuid.uuid;
$$;
--//
--liquibase formatted sql
-- ============================================================================
--changeset rbac-global-PSEUDO-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/**
A single row to be referenced as a global object.
*/
begin transaction;
call defineContext('initializing table "global"', null, null, null);
insert
into RbacObject (objecttable) values ('global');
insert
into Global (uuid, name) values ((select uuid from RbacObject where objectTable = 'global'), 'global');
commit;
--//
-- ============================================================================
--changeset rbac-global-ADMIN-ROLE:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
A global administrator role.
*/
create or replace function globalAdmin()
returns RbacRoleDescriptor
returns null on null input
stable leakproof
language sql as $$
select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType;
$$;
begin transaction;
call defineContext('creating global admin role', null, null, null);
select createRole(globalAdmin());
commit;
-- ============================================================================
--changeset rbac-global-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Create two users and assign both to the administrators role.
*/
do language plpgsql $$
declare
admins uuid ;
begin
call defineContext('creating fake test-realm admin users', null, null, null);
admins = findRoleId(globalAdmin());
call grantRoleToUserUnchecked(admins, admins, createRbacUser('alex@hostsharing.net'));
call grantRoleToUserUnchecked(admins, admins, createRbacUser('fran@hostsharing.net'));
end;
$$;
--//
-- ============================================================================
--changeset rbac-global-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Tests if currentUserUuid() can fetch the user from the session variable.
*/
do language plpgsql $$
declare
userName varchar;
begin
call defineContext('testing currentUserUuid', null, 'fran@hostsharing.net', null);
select userName from RbacUser where uuid = currentUserUuid() into userName;
if userName <> 'fran@hostsharing.net' then
raise exception 'setting or fetching initial currentUser failed, got: %', userName;
end if;
call defineContext('testing currentUserUuid', null, 'alex@hostsharing.net', null);
select userName from RbacUser where uuid = currentUserUuid() into userName;
if userName = 'alex@hostsharing.net' then
raise exception 'currentUser should not change in one transaction, but did change, got: %', userName;
end if;
end; $$;
--//
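Review bot: In the rbac-global-TEST changeset the PL/pgSQL variable `userName` collides with the unqualified reference `userName` in the select list of `select userName from RbacUser where uuid = currentUserUuid() into userName;` (both occurrences). If RbacUser has a column of that name, PL/pgSQL's default `variable_conflict = error` rejects the statement as ambiguous; if it does not, the reference resolves to the still-null variable and both `if` checks pass vacuously, because `NULL <> 'fran@hostsharing.net'` is not true, so the runAlways test never fails. Renaming the variable, qualifying the column with a table alias (which then either works or errors loudly) and comparing with `is distinct from` so a null lookup still raises makes the test meaningful; the rewritten block follows. Minor: the rbac-global-ADMIN-ROLE changeset ends at `commit;` without the closing `--//` the other changesets use, and `globalAdmin()` carries `returns null on null input` and `leakproof` although it takes no arguments — `leakproof` is a security assertion (it lets the planner evaluate the function ahead of row-security and security-barrier filters and needs superuser to declare), so it is better dropped unless deliberately needed.
```sql
do language plpgsql $$
declare
    fetchedUserName varchar;
begin
    call defineContext('testing currentUserUuid', null, 'fran@hostsharing.net', null);
    select u.userName from RbacUser u where u.uuid = currentUserUuid() into fetchedUserName;
    if fetchedUserName is distinct from 'fran@hostsharing.net' then
        raise exception 'setting or fetching initial currentUser failed, got: %', fetchedUserName;
    end if;
    -- … unchanged: second defineContext call for alex@hostsharing.net …
    select u.userName from RbacUser u where u.uuid = currentUserUuid() into fetchedUserName;
    if fetchedUserName = 'alex@hostsharing.net' then
        raise exception 'currentUser should not change in one transaction, but did change, got: %', fetchedUserName;
    end if;
end; $$;
```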


@ -1,83 +0,0 @@
--liquibase formatted sql
-- ============================================================================
--changeset test-base-GLOBAL-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/**
A single row to be referenced as a global object.
*/
begin transaction;
call defineContext('initializing table "global"', null, null, null);
insert
into RbacObject (objecttable) values ('global');
insert
into Global (uuid, name) values ((select uuid from RbacObject where objectTable = 'global'), 'test-global');
commit;
--//
-- ============================================================================
--changeset test-base-ADMIN-ROLE:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
A global administrator role.
*/
create or replace function testGlobalAdmin()
returns RbacRoleDescriptor
returns null on null input
stable leakproof
language sql as $$
select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType;
$$;
begin transaction;
call defineContext('creating test-global admin role', null, null, null);
select createRole(testGlobalAdmin());
commit;
-- ============================================================================
--changeset test-base-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Create two users and assign both to the administrators role.
*/
do language plpgsql $$
declare
admins uuid ;
begin
call defineContext('creating fake test-realm admin users', null, null, null);
admins = findRoleId(testGlobalAdmin());
call grantRoleToUserUnchecked(admins, admins, createRbacUser('mike@example.org'));
call grantRoleToUserUnchecked(admins, admins, createRbacUser('sven@example.org'));
end;
$$;
--//
-- ============================================================================
--changeset test-base-hostsharing-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Tests if currentUserUuid() can fetch the user from the session variable.
*/
do language plpgsql $$
declare
userName varchar;
begin
call defineContext('testing currentUserUuid', null, 'sven@example.org', null);
select userName from RbacUser where uuid = currentUserUuid() into userName;
if userName <> 'sven@example.org' then
raise exception 'setting or fetching initial currentUser failed, got: %', userName;
end if;
call defineContext('testing currentUserUuid', null, 'mike@example.org', null);
select userName from RbacUser where uuid = currentUserUuid() into userName;
if userName = 'mike@example.org' then
raise exception 'currentUser should not change in one transaction, but did change, got: %', userName;
end if;
end; $$;
--//


@ -69,7 +69,7 @@ begin
testCustomerOwnerUuid = createRole(
testCustomerOwner(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
beneathRole(testGlobalAdmin())
beneathRole(globalAdmin())
);
-- the admin role for the customer's admins, who can view and add products
@ -78,7 +78,7 @@ begin
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view', 'add-package']),
-- NO auto assume for customer owner to avoid exploding permissions for administrators
withUser(NEW.adminUserName, 'create'), -- implicitly ignored if null
grantedByRole(testGlobalAdmin())
grantedByRole(globalAdmin())
);
-- allow the customer owner role (thus administrators) to assume the customer admin role
@ -208,7 +208,7 @@ do language plpgsql $$
begin
call defineContext('granting global add-customer permission to global admin role', null, null, null);
globalAdminRoleUuid := findRoleId(testGlobalAdmin());
globalAdminRoleUuid := findRoleId(globalAdmin());
globalObjectUuid := (select uuid from global);
addCustomerPermissions := createPermissions(globalObjectUuid, array ['add-customer']);
call grantPermissionsToRole(globalAdminRoleUuid, addCustomerPermissions);
@ -234,7 +234,7 @@ create trigger test_customer_insert_trigger
before insert
on test_customer
for each row
when ( currentUser() <> 'mike@example.org' or not hasGlobalPermission('add-customer') )
when ( currentUser() <> 'alex@hostsharing.net' or not hasGlobalPermission('add-customer') )
execute procedure addTestCustomerNotAllowedForCurrentSubjects();
--//
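Review bot: The trigger condition `when ( currentUser() <> 'alex@hostsharing.net' or not hasGlobalPermission('add-customer') )` keys authorization to one literal subject name, so any other subject is routed to addTestCustomerNotAllowedForCurrentSubjects even when it holds the permission — including `fran@hostsharing.net`, which this same commit grants the global admin role alongside alex in 080-rbac-global.sql. If the intent is to enforce the permission, `when ( not hasGlobalPermission('add-customer') )` is sufficient and stays correct when admin users change; if restricting to a single fixture user is deliberate, a comment such as `-- test fixture: only this one admin may insert, see rbac-global-ADMIN-USERS` should say so. The `create trigger` statement begins before this hunk, so the `before insert` / `for each row` part is only partly visible here.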


@ -30,7 +30,7 @@ declare
custAdminName varchar;
begin
currentTask = 'creating RBAC test customer #' || custReference || '/' || custPrefix;
call defineContext(currentTask, null, 'mike@example.org', 'global#test-global.admin');
call defineContext(currentTask, null, 'alex@hostsharing.net', 'global#global.admin');
execute format('set local hsadminng.currentTask to %L', currentTask);
custRowId = uuid_generate_v4();


@ -1,83 +0,0 @@
--liquibase formatted sql
-- ============================================================================
--changeset hs-base-GLOBAL-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/**
A single row to be referenced as a global object.
*/
begin transaction;
call defineContext('initializing table "global"', null, null, null);
insert
into RbacObject (objecttable) values ('global');
insert
into Global (uuid, name) values ((select uuid from RbacObject where objectTable = 'global'), 'hostsharing');
commit;
--//
-- ============================================================================
--changeset hs-base-ADMIN-ROLE:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
A global administrator role.
*/
create or replace function hsHostsharingAdmin()
returns RbacRoleDescriptor
returns null on null input
stable leakproof
language sql as $$
select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType;
$$;
begin transaction;
call defineContext('creating Hostsharing admin role', null, null, null);
select createRole(hsHostsharingAdmin());
commit;
-- ============================================================================
--changeset hs-base-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Create two users and assign both to the administrators role.
*/
do language plpgsql $$
declare
admins uuid ;
begin
call defineContext('creating fake Hostsharing admin users', null, null, null);
admins = findRoleId(hsHostsharingAdmin());
call grantRoleToUserUnchecked(admins, admins, createRbacUser('mike@hostsharing.net'));
call grantRoleToUserUnchecked(admins, admins, createRbacUser('sven@hostsharing.net'));
end;
$$;
--//
-- ============================================================================
--changeset hs-base-hostsharing-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Tests if currentUserUuid() can fetch the user from the session variable.
*/
do language plpgsql $$
declare
userName varchar;
begin
call defineContext('testing currentUserUuid', null, 'sven@hostsharing.net', null);
select userName from RbacUser where uuid = currentUserUuid() into userName;
if userName <> 'sven@hostsharing.net' then
raise exception 'setting or fetching initial currentUser failed, got: %', userName;
end if;
call defineContext('testing currentUserUuid', null, 'mike@hostsharing.net', null);
select userName from RbacUser where uuid = currentUserUuid() into userName;
if userName = 'mike@ehostsharing.net' then
raise exception 'currentUser should not change in one transaction, but did change, got: %', userName;
end if;
end; $$;
--//


@ -27,8 +27,6 @@ databaseChangeLog:
file: db/changelog/059-rbac-statistics.sql
- include:
file: db/changelog/080-rbac-global.sql
- include:
file: db/changelog/100-test-base.sql
- include:
file: db/changelog/110-test-customer.sql
- include: