remove capability_name reference from capabilities_http_grants, reimplement grant access function, adapt tests
leondutoit committed Jan 22, 2020
1 parent 244a1c6 commit b57128a
Showing 3 changed files with 79 additions and 141 deletions.
73 changes: 33 additions & 40 deletions db_capabilities.sql
Expand Up @@ -25,7 +25,7 @@ create table if not exists capabilities_http(
capability_default_claims jsonb,
capability_required_groups text[],
capability_required_attributes jsonb,
capability_group_match_method text check (capability_group_match_method in ('exact', 'wildcard')),
capability_group_match_method text default 'wildcard' check (capability_group_match_method in ('exact', 'wildcard')),
capability_lifetime int not null check (capability_lifetime > 0), -- minutes
capability_description text not null,
capability_expiry_date date,
Expand Down Expand Up @@ -149,7 +149,6 @@ $$ language plpgsql;

create table if not exists capabilities_http_grants(
row_id uuid unique not null default gen_random_uuid(),
capability_name text references capabilities_http (capability_name) on delete cascade,
capability_grant_id uuid not null default gen_random_uuid() primary key,
capability_grant_hostname text not null,
capability_grant_namespace text not null,
Expand All @@ -164,8 +163,9 @@ create table if not exists capabilities_http_grants(
capability_grant_max_num_usages int,
capability_grant_group_existence_check boolean default 't',
capability_grant_metadata jsonb,
unique (capability_name, capability_grant_hostname,
capability_grant_namespace, capability_grant_http_method,
unique (capability_grant_hostname,
capability_grant_namespace,
capability_grant_http_method,
capability_grant_rank)
);

Expand All @@ -177,16 +177,14 @@ create or replace function generate_grant_rank()
declare num int;
declare new_rank int;
begin
-- check if first grant for (capability_name, host, namespace, method) combination
-- check if first grant for (host, namespace, method) combination
select count(*) from capabilities_http_grants
where capability_name = NEW.capability_name
and capability_grant_hostname = NEW.capability_grant_hostname
where capability_grant_hostname = NEW.capability_grant_hostname
and capability_grant_namespace = NEW.capability_grant_namespace
and capability_grant_http_method = NEW.capability_grant_http_method
into num;
select max(capability_grant_rank) from capabilities_http_grants
where capability_name = NEW.capability_name
and capability_grant_hostname = NEW.capability_grant_hostname
where capability_grant_hostname = NEW.capability_grant_hostname
and capability_grant_namespace = NEW.capability_grant_namespace
and capability_grant_http_method = NEW.capability_grant_http_method
into current_max;
Expand Down Expand Up @@ -254,7 +252,6 @@ create or replace function capability_grant_rank_set(grant_id text, new_grant_ra
returns boolean as $$
declare target_id uuid;
declare target_curr_rank int;
declare target_cap_name text;
declare target_hostname text;
declare target_namespace text;
declare target_http_method text;
Expand All @@ -271,12 +268,11 @@ create or replace function capability_grant_rank_set(grant_id text, new_grant_ra
if new_grant_rank = target_curr_rank then
return true;
end if;
select capability_name, capability_grant_hostname, capability_grant_namespace, capability_grant_http_method
select capability_grant_hostname, capability_grant_namespace, capability_grant_http_method
from capabilities_http_grants where capability_grant_id = target_id
into target_cap_name, target_hostname, target_namespace, target_http_method;
into target_hostname, target_namespace, target_http_method;
select max(capability_grant_rank) from capabilities_http_grants
where capability_name = target_cap_name
and capability_grant_hostname = target_hostname
where capability_grant_hostname = target_hostname
and capability_grant_namespace = target_namespace
and capability_grant_http_method = target_http_method
into current_max;
Expand All @@ -289,7 +285,6 @@ create or replace function capability_grant_rank_set(grant_id text, new_grant_ra
select capability_grant_id, capability_grant_rank from capabilities_http_grants
where capability_grant_rank >= new_grant_rank
and capability_grant_rank < target_curr_rank
and capability_name = target_cap_name
and capability_grant_hostname = target_hostname
and capability_grant_namespace = target_namespace
and capability_grant_http_method = target_http_method
Expand All @@ -304,7 +299,6 @@ create or replace function capability_grant_rank_set(grant_id text, new_grant_ra
select capability_grant_id, capability_grant_rank from capabilities_http_grants
where capability_grant_rank <= new_grant_rank
and capability_grant_rank > target_curr_rank
and capability_name = target_cap_name
and capability_grant_hostname = target_hostname
and capability_grant_namespace = target_namespace
and capability_grant_http_method = target_http_method
Expand All @@ -327,19 +321,17 @@ create or replace function capability_grant_delete(grant_id text)
returns boolean as $$
declare target_id uuid;
declare target_rank int;
declare target_cap_name text;
declare target_hostname text;
declare target_namespace text;
declare target_http_method text;
declare ans boolean;
begin
target_id := grant_id::uuid;
select capability_name, capability_grant_hostname, capability_grant_namespace, capability_grant_http_method
select capability_grant_hostname, capability_grant_namespace, capability_grant_http_method
from capabilities_http_grants where capability_grant_id = target_id
into target_cap_name, target_hostname, target_namespace, target_http_method;
into target_hostname, target_namespace, target_http_method;
select max(capability_grant_rank) from capabilities_http_grants
where capability_name = target_cap_name
and capability_grant_hostname = target_hostname
where capability_grant_hostname = target_hostname
and capability_grant_namespace = target_namespace
and capability_grant_http_method = target_http_method
into target_rank;
Expand All @@ -350,23 +342,6 @@ create or replace function capability_grant_delete(grant_id text)
$$ language plpgsql;


drop function if exists capability_grants(text) cascade;
create or replace function capability_grants(capability_name text)
returns json as $$
declare data json;
begin
assert (select exists(select 1 from capabilities_http where capabilities_http.capability_name = $1)) = 't',
'capability_name does not exist';
select json_agg(json_build_object(
'http_method', capability_grant_http_method,
'uri_pattern', capability_grant_uri_pattern))
from capabilities_http_grants
where capabilities_http_grants.capability_name = $1 into data;
return json_build_object('capability_name', capability_name, 'capability_grants', data);
end;
$$ language plpgsql;


drop function if exists grp_cpbts(text, boolean) cascade;
create or replace function grp_cpbts(grp text, grants boolean default 'f')
returns json as $$
Expand All @@ -377,6 +352,9 @@ create or replace function grp_cpbts(grp text, grants boolean default 'f')
declare matches boolean;
declare grant_data json;
declare data json;
declare grnt_grp text[];
declare grnt_mthd text;
declare grnt_ptrn text;
begin
assert (select exists(select 1 from groups where group_name = grp)) = 't', 'group does not exist';
create temporary table if not exists cpb(ct text unique not null) on commit drop;
Expand Down Expand Up @@ -405,8 +383,23 @@ create or replace function grp_cpbts(grp text, grants boolean default 'f')
if grants = 'f' then
return json_build_object('group_name', grp, 'group_capabilities_http', data);
else
select json_agg(json_build_object(capability_name, capability_grants(capability_name)))
from capabilities_http where capability_name in (select * from cpb) into grant_data;
create temporary table if not exists grnts(method text, pattern text,
unique (method, pattern)) on commit drop;
for grnt_grp, grnt_mthd, grnt_ptrn in
select capability_grant_required_groups, capability_grant_http_method, capability_grant_uri_pattern
from capabilities_http_grants loop
for rgrp in select unnest(grnt_grp) loop
reg := '.*' || rgrp || '.*';
if grp ~ reg then
begin
insert into grnts values (grnt_mthd, grnt_ptrn);
exception when unique_violation then
null;
end;
end if;
end loop;
end loop;
select json_agg(json_build_object('method', method, 'pattern', pattern)) from grnts into grant_data;
return json_build_object('group_name', grp, 'group_capabilities_http', data, 'grants', grant_data);
end if;
end;
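Review bot: The new `grnts` temporary table in grp_cpbts is created with `if not exists ... on commit drop` but never emptied, so a second call to grp_cpbts in the same transaction reuses the table and returns the earlier group's matches merged into its own `grants` output (the same pattern is used for `cpb` at the top of the function, whose later handling lies outside the hunk). Adding `truncate grnts;` directly after the create statement, or dropping `if not exists` and dropping the table explicitly at the end of the branch, would keep each call's result isolated. The membership test `grp ~ ('.*' || rgrp || '.*')` is an unanchored regex built from the stored required-group value, so a required group `admin` also matches any group name containing that substring and regex metacharacters in stored names change the meaning; if substring matching is intended a comment saying so would help, otherwise anchor it, e.g. `reg := '^' || rgrp || '$';`, and consider whether `capability_group_match_method` ('exact'/'wildcard', declared on capabilities_http in the first hunk) should drive this choice. Grants whose `capability_grant_required_groups` is null yield no rows from `unnest` and are silently omitted from the listing, which may or may not be the intended reading. The insert could also be written with a column list and without the per-row subtransaction, `insert into grnts (method, pattern) values (grnt_mthd, grnt_ptrn) on conflict do nothing;`, if the target PostgreSQL version supports `on conflict`.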
4 changes: 2 additions & 2 deletions db_identities_groups.sql
Expand Up @@ -117,7 +117,7 @@ create or replace function update_audit_log_relations()
parent := NEW.group_name;
child := NEW.group_moderator_name;
elsif table_name = 'capabilities_http_grants' then
parent := NEW.capability_name;
parent := NEW.capability_grant_id;
child := NEW.capability_grant_hostname || ','
|| NEW.capability_grant_namespace || ','
|| NEW.capability_grant_http_method || ','
Expand All @@ -133,7 +133,7 @@ create or replace function update_audit_log_relations()
parent := OLD.group_name;
child := OLD.group_moderator_name;
elsif table_name = 'capabilities_http_grants' then
parent := OLD.capability_name;
parent := OLD.capability_grant_id;
child := OLD.capability_grant_http_method || ',' || OLD.capability_grant_uri_pattern;
end if;
end if;
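Review bot: With `capability_name` gone, `parent` in update_audit_log_relations is now set to the grant's own `capability_grant_id` in both the NEW branch and the OLD branch of this section, so for this table the parent/child audit relation no longer expresses membership in anything and the row effectively describes itself. If that is intended, a comment at each assignment would save the next reader a lookup, e.g. `-- grants are no longer owned by a capability; the grant id stands in as the audit parent`. The two branches also differ in what they record as `child` (hostname, namespace, method on insert; only method and uri pattern on delete), which predates this commit but is more noticeable now that `parent` carries no descriptive name. update_audit_log_relations starts and ends outside both hunks.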