mikras_utils 0.1.0

data/tests/acl.sql

@@ -0,0 +1,132 @@
+\set ON_ERROR_STOP on
+
+drop schema if exists acl cascade;
+create schema acl;
+set search_path to acl;
+
+create view tables as
+  select distinct
+    schema_name,
+    table_name
+  from
+    meta.columns 
+  where
+    column_name like 'acl\_%'
+;
+
+\echo ACL_TABLES
+select * from tables where schema_name = 'app_portal';
+
+create view schemas as 
+  select distinct
+    schema_name
+  from
+    tables
+;
+
+-- Subset of meta.columns where both referencing and referenced tables are ACL tables
+drop view if exists links cascade;
+create view links as
+  select c.*
+  from tables tf
+  join meta.links c
+    on  c.schema_name = tf.schema_name
+    and c.table_name = tf.table_name
+  join tables tt 
+    on  tt.schema_name = c.ref_schema_name 
+    and tt.table_name = c.ref_table_name
+;
+
+\echo ACL_LINKS
+select * from links where schema_name = 'app_portal';
+
+-- Subset of meta.chains where first and last table are ACL tables
+drop view if exists chains cascade;
+create view chains as
+  select mc.*
+  from meta.chains mc
+  join tables src on
+        mc.src_schema_name = src.schema_name
+    and mc.src_table_name = src.table_name
+  join tables dst on
+        mc.dst_schema_name = dst.schema_name
+    and mc.dst_table_name = dst.table_name
+;
+
+\echo ACL_CHAINS
+--select * from chains where src_schema_name = 'app_portal';
+
+drop view if exists closures cascade;
+create view closures as
+  select
+    at.schema_name,
+    at.table_name,
+    coalesce(
+      array_agg(ac.src_schema_name || '.' || ac.src_table_name) filter (where ac.src_schema_name is not null),
+      array[]::varchar[]
+    ) as closure_uids
+  from 
+    tables at 
+    left join chains ac
+      on  ac.dst_schema_name = at.schema_name
+      and ac.dst_table_name = at.table_name
+  group by
+    at.schema_name,
+    at.table_name
+;
+
+\echo ACL_CLOSURES
+--select * from closures;
+
+drop view if exists paths cascade;
+create view paths as
+  with 
+    recursive search_path as (
+      with edges as (
+        select distinct
+        schema_name || '.' || table_name as "from_table",
+        ref_schema_name || '.' || ref_table_name as "to_table",
+        column_name as "from_column",
+        ref_column_name as "to_column"
+      from
+        acl.links
+      )
+
+      -- Anchor member: start from the initial node
+      select 
+        from_table as "start_table",
+        from_table, 
+        to_table,
+        array[from_table] as path, 
+        array[array[from_table || '.' || from_column, to_table || '.' || to_column]] as link,
+        false as cycle
+      from edges
+      
+      union all
+      
+      -- Recursive member: find the next links
+      select
+        sp.start_table,
+        e.from_table,
+        e.to_table,
+        sp.path || e.from_table as "path", 
+        sp.link || array[array[e.from_table || '.' || e.from_column, e.to_table || '.' || e.to_column]] as "link",
+        e.from_table = any(sp.path) as "cycle"
+      from search_path sp
+      join edges e on e.from_table = sp.to_table
+      where not sp.cycle
+    )
+  select 
+    start_table,
+    to_table as "stop_table",
+    path || to_table as "path",
+    link as "links"
+  from search_path
+  order by 
+    start_table,
+    "stop_table"
+;
+
+\echo ACL_PATHS
+--select * from paths;
+

data/tests/acl_portal-functions.sql

@@ -0,0 +1,94 @@
+\set ON_ERROR_STOP on
+
+set search_path to acl_portal, public;
+
+drop function if exists delete_user_acl(_user_id integer) cascade;
+drop function if exists update_user_acl(_user_id integer) cascade;
+drop function if exists create_user_acl(_user_id integer) cascade;
+drop function if exists select_user_acl(_user_id integer) cascade;
+drop function if exists create_user_acls() cascade;
+
+-- Compute new ACLs for the given user and insert them into user_acls. It is an
+-- error if the user already has a record there
+create function create_user_acl(_user_id integer) returns integer[] as $$
+  with 
+    agg_domain_users as (
+      select
+        user_id as "role_id",
+        array_agg(domain_role_id) as "role_ids"
+      from acl_portal.domain_users
+      group by "role_id"
+    )
+  insert into user_acls (user_id, role_ids)
+    select
+      _user_id,
+      esr.system_role_ids || adu.role_ids as "role_ids"
+    from
+      agg.effective_system_roles esr
+      left join agg_domain_users adu on adu.role_id = esr.role_id
+    where esr.role_id = _user_id
+  returning role_ids;
+$$ language sql
+  set search_path from current;
+
+-- Remove a user's ACL record in user_acls. It is not an error if the record
+-- doesn't exist. The function can be used to immediately block a user from
+-- accessing the system without going through all the user's assignments
+create function delete_user_acl(_user_id integer) returns boolean as $$
+  delete from user_acls where user_id = _user_id returning true;
+$$ language sql
+  set search_path from current;
+
+-- Update a user's ACL record. It is not an error if the record doesn't exist
+create function update_user_acl(_user_id integer) returns boolean as $$
+  begin
+    perform delete_user_acl(_user_id);
+    perform create_user_acl(_user_id);
+    return true;
+  end;
+$$ language plpgsql
+  set search_path from current;
+
+-- Find a user's ACL list. If the record doesn't exist, it is created before
+-- the ACL list is returned to the caller. This function is also called from
+-- the various policy rules and matched against the current record's access ACL
+-- list so it has to be fast
+--
+-- It is marked 'stable' which is a blatant lie because it _does_ change the
+-- database but this is ok because it will only change on for access
+--
+create function select_user_acl(_user_id integer) returns integer[] as $$
+  declare 
+    _role_ids integer[];
+  begin
+    select role_ids
+      into _role_ids
+      from user_acls
+      where user_id = _user_id;
+
+    if not found then
+      select create_user_acl(_user_id)
+        into _role_ids
+      ;
+    end if;
+
+    return _role_ids;
+  end;
+$$ language plpgsql
+  stable
+  leakproof
+  security definer
+  set search_path from current;
+
+-- Create or update all user's ACL lists. It is used after import of Sagsys
+-- data
+create function update_user_acls() returns boolean as $$
+  begin
+    delete from user_acls;
+    perform create_user_acl(id) from auth.users;
+    return true;
+  end;
+$$ language plpgsql
+  set search_path from current;
+
+

data/tests/acl_portal-tables.sql

@@ -0,0 +1,23 @@
+\set ON_ERROR_STOP on
+
+drop table if exists acl_portal.attach_acls cascade;
+create table acl_portal.attach_acls (
+  id integer generated by default as identity primary key,
+  parent_table varchar not null,
+  parent_id integer not null,
+  child_table varchar not null,
+  child_field varchar not null,
+  acls integer[] not null,
+
+  unique (child_table, child_field, parent_table, parent_id, acls)
+);
+
+-- Acts as a materialized view. A user's record is updated whenever case_users
+-- or event_users are changed
+drop table if exists acl_portal.user_acls cascade;
+create table acl_portal.user_acls (
+  id integer generated by default as identity primary key,
+  user_id integer not null references auth.users(id) unique,
+  role_ids integer[] not null
+);
+

data/tests/acl_portal-views.sql

@@ -0,0 +1,73 @@
+\set ON_ERROR_STOP on
+/*
+-- View of role kind id, domain id, role. Because case id and event id belongs
+-- to the same namespace you can simply do 
+--
+--    select * from domain_roles where id = ID' to get the roles of a domain object
+--
+drop view if exists acl_portal.domain_roles cascade;
+create view acl_portal.domain_roles as
+  with 
+    case_objects as (
+      select id, case_id as domain_id, role
+      from app_portal.case_roles cr
+      where role in ('CLA', 'CTA', 'KON', 'AKK')
+    ),
+    event_objects as (
+      select er.id, e.id as domain_id, er.role
+      from app_portal.event_roles er
+      join app_portal.events e on e.id = er.event_id
+      where er.role in ('ELA', 'ETA')
+    )
+  select * from case_objects
+  union
+  select * from event_objects
+  union
+    select co.id, eo.domain_id, co.role
+    from event_objects eo
+    join app_portal.events e on e.id = eo.domain_id
+    join case_objects co on co.domain_id = e.case_id
+  order by 
+    domain_id, 
+    role
+;
+
+\echo DOMAIN_ROLES
+select * from acl_portal.domain_roles;
+
+-- TODO A LOT (automatically detect CLA, CTA)
+drop view if exists acl_portal.domain_users cascade;
+create view acl_portal.domain_users as
+  with
+    case_role_users as (
+      select 
+        cr.id as "domain_role_id", 
+        cu.user_id,
+        cr.role
+      from app_portal.case_users cu
+      join app_portal.case_roles cr on cr.id = cu.case_role_id
+      join app_portal.cases c on c.id = cr.case_id
+      where (not c.closed or cr.role in ('CLA', 'ELA'))
+        and cr.role in ('CLA', 'CTA', 'KON', 'AKK')
+    ),
+    event_role_users as (
+      select 
+        er.id as "domain_role_id", 
+        eu.user_id,
+        er.role
+      from app_portal.event_users eu
+      join app_portal.event_roles er on er.id = eu.event_role_id
+      join app_portal.events e on e.id = er.event_id
+      where not e.closed or er.role in ('CLA', 'ELA')
+    )
+  select * from case_role_users
+  union
+  select * from event_role_users
+  order by
+    "domain_role_id",
+    "user_id"
+;
+
+\echo DOMAIN_USERS
+select * from acl_portal.domain_users;
+*/

data/tests/agg.sql

@@ -0,0 +1,25 @@
+\set ON_ERROR_STOP on
+
+drop schema if exists agg cascade;
+create schema agg;
+
+drop table if exists agg.effective_system_roles;
+create table agg.effective_system_roles (
+  role_id integer not null primary key,
+  system_role_ids integer[] not null
+);
+
+insert into agg.effective_system_roles(role_id, system_role_ids) values
+  (1, array[1]),
+  (2, array[2, 1]),
+  (3, array[3, 1]),
+  (4, array[4, 1]),
+  (5, array[5, 1000]),
+  (6, array[6, 2000]),
+  (7, array[7, 2001]),
+  (8, array[8, 2000]),
+  (9, array[9, 2001]),
+  (10, array[10, 2000]),
+  (11, array[11, 2001])
+;
+

data/tests/app.sql

@@ -0,0 +1,48 @@
+\set ON_ERROR_STOP on
+
+\i schemas.sql
+\i meta.sql
+\i acl.sql
+\i auth.sql
+\i agg.sql
+
+\i initial-functions.sql
+
+\i app_portal-tables.sql
+\i app_portal-views.sql
+\i acl_portal-tables.sql
+\i acl_portal-views.sql
+\i acl_portal-functions.sql
+\i app_portal-triggers.sql
+\i sys_portal.sql
+
+\i final-functions.sql
+
+set search_path to acl_portal, app_portal, sys_portal;
+
+/*
+\echo INCLUDING ACL-FUNCTIONS.SQL
+\i acl-functions.sql
+
+\echo INCLUDING ACL-META.SQL
+\i acl-meta.sql
+
+\echo INCLUDING ACL-ACL.sql
+\i acl-acl.sql
+
+\echo INCLUDING ACL-ACL_PORTAL.SQL
+\i acl-acl_portal.sql
+
+\echo INCLUDING ACL-SYS_PORTAL.SQL
+\i acl-sys_portal.sql
+
+\echo INCLUDING ACL-DOMAINS.SQL
+\i acl-domains.sql
+
+\echo INCLUDING ACL-FINAL_FUNCTIONS
+\i acl-final_functions.sql
+
+\echo ACLS
+select * from agg_acl_users;
+*/
+

data/tests/app_portal-tables.sql

@@ -0,0 +1,138 @@
+\set ON_ERROR_STOP on
+
+set search_path to app_portal;
+
+-- Abstract base table for cases and events
+create table abstract_domain_objects (
+  id integer generated by default as identity primary key
+);
+
+create table cases (
+  id integer not null references abstract_domain_objects(id) primary key,
+  name varchar,
+  ident varchar generated always as (name) stored,
+  closed boolean default false,
+  acl_select integer[],
+  acl_update integer[],
+  acl_delete integer[]
+);
+
+create table role_kinds (
+  id integer generated by default as identity primary key,
+  kind varchar not null unique,
+  acl boolean not null default false,
+  ordinal integer
+);
+
+-- Abstract base table for case_roles and event_roles
+create table abstract_roles (
+  id integer generated by default as identity primary key
+);
+
+create table case_role_templates (
+  id integer primary key references abstract_roles(id),
+  "role" varchar not null references role_kinds(kind)
+);
+
+create table case_roles (
+  id integer primary key references abstract_roles(id),
+  case_id integer not null references cases(id),
+  "role" varchar not null references role_kinds(kind),
+  acl_select integer[],
+  acl_update integer[],
+  acl_delete integer[],
+
+  unique (case_id, "role")
+);
+
+create table case_users (
+  id integer generated by default as identity primary key,
+  case_role_id integer not null references case_roles(id),
+  user_id integer not null references auth.roles(id),
+  acl_select integer[],
+  acl_update integer[],
+  acl_delete integer[]
+);
+
+create table events (
+  id integer not null references abstract_domain_objects(id) primary key,
+  case_id integer not null references cases(id),
+  name varchar,
+  label varchar generated always as (name) stored,
+  closed boolean default false,
+  deleted boolean default false,
+  acl_select integer[],
+  acl_update integer[],
+  acl_delete integer[]
+);
+
+create table event_role_templates (
+  id integer primary key references abstract_roles(id),
+  "role" varchar not null references role_kinds(kind)
+);
+
+create table event_roles (
+  id integer primary key references abstract_roles(id),
+  event_id integer not null references events(id),
+  "role" varchar not null references role_kinds(kind),
+  acl_select integer[],
+  acl_update integer[],
+  acl_delete integer[],
+
+  unique(event_id, "role")
+);
+
+create table event_users (
+  id integer generated by default as identity primary key,
+  event_role_id integer not null references event_roles(id),
+  user_id integer not null references auth.roles(id),
+  acl_select integer[],
+  acl_update integer[],
+  acl_delete integer[]
+);
+
+create table bookings (
+  id integer generated by default as identity primary key,
+  event_id integer not null references events(id),
+  acl_select integer[],
+  acl_update integer[],
+  acl_delete integer[]
+);
+
+create table user_bookings (
+  id integer generated by default as identity primary key,
+  user_id integer not null references auth.roles(id),
+  booking_id integer not null references bookings(id),
+  acl_select integer[],
+  acl_update integer[],
+  acl_delete integer[]
+);
+
+create table visits (
+  id integer generated by default as identity primary key,
+  event_id integer not null references events(id),
+  name varchar,
+  acl_select integer[],
+  acl_update integer[],
+  acl_delete integer[]
+);
+
+create table noncompliances (
+  id integer generated by default as identity primary key,
+  visit_id integer not null references visits(id),
+  name varchar,
+  acl_select integer[],
+  acl_update integer[],
+  acl_delete integer[]
+);
+
+create table noncompliance_uploads (
+  id integer generated by default as identity primary key,
+  noncompliance_id integer not null references noncompliances(id),
+  name varchar,
+  uploaded_by_id integer not null references auth.roles(id),
+  acl_select integer[],
+  acl_update integer[],
+  acl_delete integer[]
+);
+

data/tests/app_portal-triggers.sql

@@ -0,0 +1,23 @@
+
+--
+-- Triggers that maintains acl_portal.user_acls.
+-- 
+
+-- Call acl_portal.update_user_acl on any change to either case_users or
+-- event_users. Note that this function is both cross-table and cross
+-- insert/delete
+create function domain_users_aiud() returns trigger as $$
+  begin
+    perform acl_portal.update_user_acl(coalesce(NEW.user_id, OLD.user_id));
+    return null; -- works because this is an after-trigger
+  end;
+$$ language plpgsql;
+
+create trigger case_users_aiud_trg after insert or update or delete on app_portal.case_users
+  for each row execute function domain_users_aiud()
+;
+
+create trigger event_users_aiud_trg after insert or update or delete on app_portal.event_users
+  for each row execute function domain_users_aiud()
+;
+