introduce-separate-database-schemas-hs-booking-and-hosting (#106)
Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/106 Reviewed-by: Marc Sandlus <marc.sandlus@hostsharing.net>
This commit is contained in:
Michael Hoennig
@@ -233,6 +233,50 @@ $$;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset michael.hoennig:rbac-base-IDNAME-FUNCTIONS endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
create or replace function rbac.findObjectUuidByIdName(objectTable varchar, objectIdName varchar)
|
||||
returns uuid
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
declare
|
||||
sql varchar;
|
||||
uuid uuid;
|
||||
begin
|
||||
objectTable := base.pureIdentifier(objectTable);
|
||||
objectIdName := base.pureIdentifier(objectIdName);
|
||||
sql := format('select * from %s_uuid_by_id_name(%L);', objectTable, objectIdName);
|
||||
begin
|
||||
execute sql into uuid;
|
||||
exception
|
||||
when others then
|
||||
raise exception 'function %_uuid_by_id_name(...) not found, add identity view support for table %', objectTable, objectTable;
|
||||
end;
|
||||
return uuid;
|
||||
end ; $$;
|
||||
|
||||
create or replace function rbac.findIdNameByObjectUuid(objectTable varchar, objectUuid uuid)
|
||||
returns varchar
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
declare
|
||||
sql varchar;
|
||||
idName varchar;
|
||||
begin
|
||||
objectTable := base.pureIdentifier(objectTable);
|
||||
sql := format('select * from %s_id_name_by_uuid(%L::uuid);', objectTable, objectUuid);
|
||||
begin
|
||||
execute sql into idName;
|
||||
exception
|
||||
when others then
|
||||
raise exception 'function %_id_name_by_uuid(...) not found, add identity view support for table %', objectTable, objectTable;
|
||||
end;
|
||||
return idName;
|
||||
end ; $$;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset michael.hoennig:rbac-base-ROLE-FUNCTIONS endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
@@ -262,7 +306,7 @@ begin
|
||||
objectTableFromRoleIdName = split_part(roleParts, '#', 1);
|
||||
objectNameFromRoleIdName = split_part(roleParts, '#', 2);
|
||||
roleTypeFromRoleIdName = split_part(roleParts, '#', 3);
|
||||
objectUuidOfRole = base.findObjectUuidByIdName(objectTableFromRoleIdName, objectNameFromRoleIdName);
|
||||
objectUuidOfRole = rbac.findObjectUuidByIdName(objectTableFromRoleIdName, objectNameFromRoleIdName);
|
||||
|
||||
select uuid
|
||||
from rbac.role
|
||||
|
||||
@@ -55,7 +55,7 @@ begin
|
||||
objectNameToAssume = split_part(roleNameParts, '#', 2);
|
||||
roleTypeToAssume = split_part(roleNameParts, '#', 3);
|
||||
|
||||
objectUuidToAssume = base.findObjectUuidByIdName(objectTableToAssume, objectNameToAssume);
|
||||
objectUuidToAssume = rbac.findObjectUuidByIdName(objectTableToAssume, objectNameToAssume);
|
||||
if objectUuidToAssume is null then
|
||||
raise exception '[401] object % cannot be found in table % (from roleNameParts=%)', objectNameToAssume, objectTableToAssume, roleNameParts;
|
||||
end if;
|
||||
|
||||
@@ -13,7 +13,7 @@ select (objectTable || '#' || objectIdName || ':' || roleType) as roleIdName, *
|
||||
-- @formatter:off
|
||||
from (
|
||||
select r.*,
|
||||
o.objectTable, base.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
|
||||
o.objectTable, rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
|
||||
from rbac.role as r
|
||||
join rbac.object as o on o.uuid = r.objectuuid
|
||||
) as unordered
|
||||
@@ -34,7 +34,7 @@ select *
|
||||
-- @formatter:off
|
||||
from (
|
||||
select r.*, o.objectTable,
|
||||
base.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
|
||||
rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
|
||||
from rbac.role as r
|
||||
join rbac.object as o on o.uuid = r.objectuuid
|
||||
where rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), r.uuid)
|
||||
@@ -57,7 +57,7 @@ create or replace view rbac.grants_ev as
|
||||
-- @formatter:off
|
||||
select x.grantUuid as uuid,
|
||||
x.grantedByTriggerOf as grantedByTriggerOf,
|
||||
go.objectTable || '#' || base.findIdNameByObjectUuid(go.objectTable, go.uuid) || ':' || r.roletype as grantedByRoleIdName,
|
||||
go.objectTable || '#' || rbac.findIdNameByObjectUuid(go.objectTable, go.uuid) || ':' || r.roletype as grantedByRoleIdName,
|
||||
x.ascendingIdName as ascendantIdName,
|
||||
x.descendingIdName as descendantIdName,
|
||||
x.grantedByRoleUuid,
|
||||
@@ -72,15 +72,15 @@ create or replace view rbac.grants_ev as
|
||||
|
||||
coalesce(
|
||||
'user:' || au.name,
|
||||
'role:' || aro.objectTable || '#' || base.findIdNameByObjectUuid(aro.objectTable, aro.uuid) || ':' || ar.roletype
|
||||
'role:' || aro.objectTable || '#' || rbac.findIdNameByObjectUuid(aro.objectTable, aro.uuid) || ':' || ar.roletype
|
||||
) as ascendingIdName,
|
||||
aro.objectTable, aro.uuid,
|
||||
( case
|
||||
when dro is not null
|
||||
then ('role:' || dro.objectTable || '#' || base.findIdNameByObjectUuid(dro.objectTable, dro.uuid) || ':' || dr.roletype)
|
||||
then ('role:' || dro.objectTable || '#' || rbac.findIdNameByObjectUuid(dro.objectTable, dro.uuid) || ':' || dr.roletype)
|
||||
when dp.op = 'INSERT'
|
||||
then 'perm:' || dpo.objecttable || '#' || base.findIdNameByObjectUuid(dpo.objectTable, dpo.uuid) || ':' || dp.op || '>' || dp.opTableName
|
||||
else 'perm:' || dpo.objecttable || '#' || base.findIdNameByObjectUuid(dpo.objectTable, dpo.uuid) || ':' || dp.op
|
||||
then 'perm:' || dpo.objecttable || '#' || rbac.findIdNameByObjectUuid(dpo.objectTable, dpo.uuid) || ':' || dp.op || '>' || dp.opTableName
|
||||
else 'perm:' || dpo.objecttable || '#' || rbac.findIdNameByObjectUuid(dpo.objectTable, dpo.uuid) || ':' || dp.op
|
||||
end
|
||||
) as descendingIdName,
|
||||
dro.objectTable, dro.uuid,
|
||||
@@ -114,14 +114,14 @@ create or replace view rbac.grants_ev as
|
||||
*/
|
||||
create or replace view rbac.grants_rv as
|
||||
-- @formatter:off
|
||||
select o.objectTable || '#' || base.findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
|
||||
select o.objectTable || '#' || rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
|
||||
g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
|
||||
g.grantedByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as subjectUuid,
|
||||
g.objectTable, g.objectUuid, g.objectIdName, g.roleType as grantedRoleType
|
||||
from (
|
||||
select g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid, g.assumed,
|
||||
u.name as userName, o.objecttable, r.objectuuid, r.roletype,
|
||||
base.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
|
||||
rbac.findIdNameByObjectUuid(o.objectTable, o.uuid) as objectIdName
|
||||
from rbac.grants as g
|
||||
join rbac.role as r on r.uuid = g.descendantUuid
|
||||
join rbac.object o on o.uuid = r.objectuuid
|
||||
@@ -363,10 +363,10 @@ begin
|
||||
xp.permissionObjectTable, xp.permissionObjectIdName, xp.permissionObjectUuid
|
||||
from (select
|
||||
r.uuid as roleUuid, r.roletype, ro.objectTable as roleObjectTable,
|
||||
base.findIdNameByObjectUuid(ro.objectTable, ro.uuid) as roleObjectIdName,
|
||||
rbac.findIdNameByObjectUuid(ro.objectTable, ro.uuid) as roleObjectIdName,
|
||||
p.uuid as permissionUuid, p.op, p.opTableName,
|
||||
po.objecttable as permissionObjectTable,
|
||||
base.findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName,
|
||||
rbac.findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName,
|
||||
po.uuid as permissionObjectUuid
|
||||
from rbac.queryPermissionsGrantedToSubjectId( targetSubjectUuid) as p
|
||||
join rbac.grants as g on g.descendantUuid = p.uuid
|
||||
|
||||
@@ -49,62 +49,62 @@ $$;
|
||||
--changeset michael.hoennig:rbac-generators-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
create procedure rbac.generateRbacRoleDescriptors(prefix text, targetTable text)
|
||||
create procedure rbac.generateRbacRoleDescriptors(targetTable text)
|
||||
language plpgsql as $$
|
||||
declare
|
||||
sql text;
|
||||
begin
|
||||
sql = format($sql$
|
||||
create or replace function %1$sOwner(entity %2$s, assumed boolean = true)
|
||||
create or replace function %1$s_OWNER(entity %1$s, assumed boolean = true)
|
||||
returns rbac.RoleDescriptor
|
||||
language plpgsql
|
||||
strict as $f$
|
||||
begin
|
||||
return rbac.roleDescriptorOf('%2$s', entity.uuid, 'OWNER', assumed);
|
||||
return rbac.roleDescriptorOf('%1$s', entity.uuid, 'OWNER', assumed);
|
||||
end; $f$;
|
||||
|
||||
create or replace function %1$sAdmin(entity %2$s, assumed boolean = true)
|
||||
create or replace function %1$s_ADMIN(entity %1$s, assumed boolean = true)
|
||||
returns rbac.RoleDescriptor
|
||||
language plpgsql
|
||||
strict as $f$
|
||||
begin
|
||||
return rbac.roleDescriptorOf('%2$s', entity.uuid, 'ADMIN', assumed);
|
||||
return rbac.roleDescriptorOf('%1$s', entity.uuid, 'ADMIN', assumed);
|
||||
end; $f$;
|
||||
|
||||
create or replace function %1$sAgent(entity %2$s, assumed boolean = true)
|
||||
create or replace function %1$s_AGENT(entity %1$s, assumed boolean = true)
|
||||
returns rbac.RoleDescriptor
|
||||
language plpgsql
|
||||
strict as $f$
|
||||
begin
|
||||
return rbac.roleDescriptorOf('%2$s', entity.uuid, 'AGENT', assumed);
|
||||
return rbac.roleDescriptorOf('%1$s', entity.uuid, 'AGENT', assumed);
|
||||
end; $f$;
|
||||
|
||||
create or replace function %1$sTenant(entity %2$s, assumed boolean = true)
|
||||
create or replace function %1$s_TENANT(entity %1$s, assumed boolean = true)
|
||||
returns rbac.RoleDescriptor
|
||||
language plpgsql
|
||||
strict as $f$
|
||||
begin
|
||||
return rbac.roleDescriptorOf('%2$s', entity.uuid, 'TENANT', assumed);
|
||||
return rbac.roleDescriptorOf('%1$s', entity.uuid, 'TENANT', assumed);
|
||||
end; $f$;
|
||||
|
||||
-- TODO: remove guest role
|
||||
create or replace function %1$sGuest(entity %2$s, assumed boolean = true)
|
||||
create or replace function %1$s_GUEST(entity %1$s, assumed boolean = true)
|
||||
returns rbac.RoleDescriptor
|
||||
language plpgsql
|
||||
strict as $f$
|
||||
begin
|
||||
return rbac.roleDescriptorOf('%2$s', entity.uuid, 'GUEST', assumed);
|
||||
return rbac.roleDescriptorOf('%1$s', entity.uuid, 'GUEST', assumed);
|
||||
end; $f$;
|
||||
|
||||
create or replace function %1$sReferrer(entity %2$s)
|
||||
create or replace function %1$s_REFERRER(entity %1$s)
|
||||
returns rbac.RoleDescriptor
|
||||
language plpgsql
|
||||
strict as $f$
|
||||
begin
|
||||
return rbac.roleDescriptorOf('%2$s', entity.uuid, 'REFERRER');
|
||||
return rbac.roleDescriptorOf('%1$s', entity.uuid, 'REFERRER');
|
||||
end; $f$;
|
||||
|
||||
$sql$, prefix, targetTable);
|
||||
$sql$, targetTable);
|
||||
execute sql;
|
||||
end; $$;
|
||||
--//
|
||||
@@ -130,7 +130,7 @@ begin
|
||||
|
||||
-- creates a function which maps an idName to the objectUuid
|
||||
sql = format($sql$
|
||||
create or replace function %1$sUuidByIdName(givenIdName varchar)
|
||||
create or replace function %1$s_uuid_by_id_name(givenIdName varchar)
|
||||
returns uuid
|
||||
language plpgsql as $f$
|
||||
declare
|
||||
@@ -144,7 +144,7 @@ begin
|
||||
|
||||
-- creates a function which maps an objectUuid to the related idName
|
||||
sql = format($sql$
|
||||
create or replace function %1$sIdNameByUuid(givenUuid uuid)
|
||||
create or replace function %1$s_id_name_by_uuid(givenUuid uuid)
|
||||
returns varchar
|
||||
language sql
|
||||
strict as $f$
|
||||
|
||||
@@ -30,7 +30,7 @@ create or replace function rbac.isGlobalAdmin()
|
||||
returns boolean
|
||||
language plpgsql as $$
|
||||
begin
|
||||
return rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), rbac.findRoleId(rbac.globalAdmin()));
|
||||
return rbac.isGranted(rbac.currentSubjectOrAssumedRolesUuids(), rbac.findRoleId(rbac.global_ADMIN()));
|
||||
end; $$;
|
||||
--//
|
||||
|
||||
@@ -66,21 +66,21 @@ grant all privileges on rbac.global_iv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNA
|
||||
/*
|
||||
Returns the objectUuid for a given identifying name (in this case the idName).
|
||||
*/
|
||||
create or replace function rbac.globalUuidByIdName(idName varchar)
|
||||
create or replace function rbac.global_uuid_by_id_name(idName varchar)
|
||||
returns uuid
|
||||
language sql
|
||||
strict as $$
|
||||
select uuid from rbac.global_iv iv where iv.idName = globalUuidByIdName.idName;
|
||||
select uuid from rbac.global_iv iv where iv.idName = global_uuid_by_id_name.idName;
|
||||
$$;
|
||||
|
||||
/*
|
||||
Returns the identifying name for a given objectUuid (in this case the idName).
|
||||
*/
|
||||
create or replace function rbac.globalIdNameByUuid(uuid uuid)
|
||||
create or replace function rbac.global_id_name_by_uuid(uuid uuid)
|
||||
returns varchar
|
||||
language sql
|
||||
strict as $$
|
||||
select idName from rbac.global_iv iv where iv.uuid = globalIdNameByUuid.uuid;
|
||||
select idName from rbac.global_iv iv where iv.uuid = global_id_name_by_uuid.uuid;
|
||||
$$;
|
||||
--//
|
||||
|
||||
@@ -109,7 +109,7 @@ commit;
|
||||
/*
|
||||
A rbac.Global administrator role.
|
||||
*/
|
||||
create or replace function rbac.globalAdmin(assumed boolean = true)
|
||||
create or replace function rbac.global_ADMIN(assumed boolean = true)
|
||||
returns rbac.RoleDescriptor
|
||||
returns null on null input
|
||||
stable -- leakproof
|
||||
@@ -119,7 +119,7 @@ $$;
|
||||
|
||||
begin transaction;
|
||||
call base.defineContext('creating role:rbac.global#global:ADMIN', null, null, null);
|
||||
select rbac.createRole(rbac.globalAdmin());
|
||||
select rbac.createRole(rbac.global_ADMIN());
|
||||
commit;
|
||||
--//
|
||||
|
||||
@@ -157,7 +157,7 @@ do language plpgsql $$
|
||||
begin
|
||||
call base.defineContext('creating fake test-realm admin users', null, null, null);
|
||||
|
||||
admins = rbac.findRoleId(rbac.globalAdmin());
|
||||
admins = rbac.findRoleId(rbac.global_ADMIN());
|
||||
call rbac.grantRoleToSubjectUnchecked(admins, admins, rbac.create_subject('superuser-alex@hostsharing.net'));
|
||||
call rbac.grantRoleToSubjectUnchecked(admins, admins, rbac.create_subject('superuser-fran@hostsharing.net'));
|
||||
perform rbac.create_subject('selfregistered-user-drew@hostsharing.org');
|
||||
|
||||
Reference in New Issue
Block a user