mikras_utils 0.1.0

data/tests/app_portal-views.sql

@@ -0,0 +1,203 @@
+\set ON_ERROR_STOP on
+
+set search_path to app_portal;
+
+-- Union of case_roles and event_roles
+drop view if exists acl_portal.domain_roles cascade;
+create view acl_portal.domain_roles as
+  select
+    id,
+    case_id as "domain_id",
+    role
+  from
+    app_portal.case_roles
+
+  union all
+
+  select
+    id,
+    event_id as "domain_id",
+    role
+  from
+    app_portal.event_roles
+;
+
+-- Union of case_users and event_users
+drop view if exists acl_portal.domain_users cascade;
+create view acl_portal.domain_users as 
+  select
+    case_role_id as "domain_role_id",
+    user_id
+  from
+    app_portal.case_users
+
+  union all
+    
+  select
+    event_role_id as "domain_role_id",
+    user_id
+  from
+    app_portal.event_users
+;
+
+-- Combines cases, case_roles, and case_users and also computes the virtual CLA
+-- and CTA roles from the event ELA and ETA roles and assigns the CLA role to
+-- RES users. Only ACL roles are included
+drop view if exists case_role_users cascade;
+create view case_role_users as
+  with
+    -- Base roles
+    roles as (
+      select 
+        cr.case_id,
+        cu.user_id,
+        cr.id as "role_id",
+        cr.role
+      from app_portal.role_kinds rk
+      join app_portal.case_roles cr on cr.role = rk.kind
+      join app_portal.case_users cu on cu.case_role_id = cr.id
+      where rk.acl
+    ),
+    -- RES user is also CLA
+    res_roles as (
+      select
+        r.case_id,
+        r.user_id,
+        cr.id as "role_id",
+        cr.role
+      from roles r
+      join case_roles cr on cr.case_id = r.case_id and cr.role = 'CLA'
+      where r.role = 'RES'
+    ),
+    -- Event roles ELA and ETA are translated to CLA and CTA case roles
+    eta_ela_roles as (
+      select
+        e.case_id,
+        eu.user_id,
+        cr.id,
+        cr.role
+      from
+        events e
+        join event_roles er on er.event_id = e.id
+        join event_users eu on eu.event_role_id = er.id
+        join case_roles cr on 
+          cr.case_id = e.case_id
+          and (
+              (cr.role = 'CTA' and er.role = 'ETA')
+          or  (cr.role = 'CLA' and er.role = 'ELA')
+          )
+      where not e.closed
+    )
+  select * from roles
+  union
+  select * from res_roles
+  union
+  select * from eta_ela_roles
+  order by case_id, user_id -- FIXME: Yt
+;
+
+-- Combines case_role_users with event_roles and event_users. It is the set of
+-- roles (case or event) that is associated with an event. Users that are no
+-- longer associated with the case are excluded
+drop view if exists event_role_users cascade;
+create view event_role_users as
+  -- Roles inherited from case
+  select 
+    e.id as "event_id",
+    cru.user_id,
+    cru.role_id,
+    cru.role
+  from
+    events e 
+    join case_role_users cru on cru.case_id = e.case_id
+  where
+    not e.closed
+
+  union all
+
+  -- Roles from event users. KON and AKK are duplicates
+  select
+    e.id as "event_id",
+    eu.user_id,
+    er.id as "role_id",
+    er.role
+  from
+    events e 
+    join event_roles er on er.event_id = e.id
+    join event_users eu on eu.event_role_id = er.id
+  where 
+    not e.closed
+
+  order by event_id -- FIXME Yt
+;
+
+drop view if exists domain_role_users cascade;
+create view domain_role_users as
+  select
+    case_id as "domain_id",
+    user_id,
+    role_id,
+    role
+  from
+    case_role_users
+
+  union all
+
+  select
+    event_id as "domain_id",
+    user_id,
+    role_id,
+    role
+  from
+    event_role_users
+;
+    
+drop view if exists agg.domain_role_users cascade;
+create view agg.domain_role_users as
+  select
+    domain_id,
+    user_id,
+    array_agg(role_id) as "role_ids",
+    array_agg(role) as "roles"
+  from
+    app_portal.domain_role_users
+  group by
+    domain_id,
+    user_id
+;
+
+drop view if exists name.domain_role_users cascade;
+create view name.domain_role_users as
+  select
+    dru.domain_id,
+    dru.user_id,
+    dru.role_id,
+    coalesce(c.ident, e.label) as "domain",
+    u.rolename as "username",
+    dru.role
+  from
+    domain_role_users dru
+    join auth.roles u on u.id = dru.user_id
+    left join cases c on c.id = dru.domain_id
+    left join events e on e.id = dru.domain_id
+;
+
+drop view if exists agg_name.domain_role_users cascade;
+create view agg_name.domain_role_users as 
+  select
+    domain_id,
+    user_id,
+    domain,
+    username,
+    array_agg(role_id) as "role_ids",
+    array_agg(role) as "roles"
+  from
+    name.domain_role_users
+  group by
+    domain_id,
+    user_id,
+    domain,
+    username
+order by domain_id, username
+;
+    

data/tests/auth.sql

@@ -0,0 +1,12 @@
+\set ON_ERROR_STOP on
+
+create table auth.roles (
+  id integer generated by default as identity primary key,
+  rolename varchar not null
+);
+
+create table auth.users (
+  id integer generated by default as identity primary key,
+  rolename varchar not null
+);
+

data/tests/auth.users.sql

@@ -0,0 +1,5 @@
+-- FIXME
+/*
+delete from auth.users;
+insert into auth.users select * from auth.roles;
+*/

data/tests/build

@@ -0,0 +1,7 @@
+#!/usr/bin/bash
+
+. bash.include
+
+psql -f app.sql
+fox --delete=touched -r reflections.yml clr acl.fox | psql clr
+psql -f fox.sql

data/tests/final-functions.sql

@@ -0,0 +1,28 @@
+
+-- Returns an array of role IDs for the current user (from both auth and
+-- app_portal). This array is matched against the relevant ACL field in the RLS
+-- policies so performance is important (TODO)
+drop function if exists public.current_role_ids() cascade;
+create function public.current_role_ids() returns integer[] as $$
+  select acl_portal.select_user_acl(public.current_user_id());
+$$ language sql
+  stable
+  leakproof
+  security definer
+;
+
+-- Returns an array of app_portal role names (kind) for the current user in the
+-- given domain
+drop function if exists public.current_domain_roles(integer) cascade;
+create function public.current_domain_roles(_domain_id integer) returns text[] as $$
+  select coalesce(array_agg(dr.role), array[]::text[])
+  from acl_portal.domain_users du
+  join acl_portal.domain_roles dr on dr.id = du.domain_role_id
+  where du.user_id = public.current_user_id()
+    and dr.domain_id = _domain_id;
+$$ language sql
+  stable
+  leakproof
+  security definer
+;
+

data/tests/fox.sql

@@ -0,0 +1,158 @@
+\set ON_ERROR_STOP on
+
+/*
+delete from acl_portal.attach_acls;
+
+insert into acl_portal.attach_acls (parent_table, parent_id, child_table, child_field, acls) values
+  ('cases', 1, 'events', 'case_id', array[1]), -- case-hdj can create events on case 1
+  ('events', 3, 'visits', 'event_id', array[16]), -- event-hdj can create visits on event 3 of case 1
+  ('visits', 1, 'noncompliances', 'visit_id', array[16, 17]),
+  ('visits', 2, 'noncompliances', 'visit_id', array[16, 2]),
+  ('events', 3, 'bookings', 'event_id', array[16])
+;
+
+insert into acl_portal.attach_acls (parent_table, parent_id, child_table, child_field, acls)
+  select 
+    'case_roles' as "parent_table",
+    id as "parent_id",
+    'case_users' as "child_table",
+    'case_role_id' as "child_id",
+    array[2] -- hdj
+  from
+    app_portal.case_roles
+  where case_id = 1
+    and role = 'CLA'
+;
+*/
+
+delete from auth.users;
+insert into auth.users select * from auth.roles;
+
+select acl_portal.update_acls();
+select acl_portal.update_user_acls();
+
+/*
+drop schema if exists acl cascade;
+create schema acl;
+set search_path to acl;
+
+create view tables as
+  select distinct
+    schema_name,
+    table_name
+  from
+    meta.columns 
+  where
+    column_name like 'acl\_%'
+;
+
+\echo ACL_TABLES
+select * from tables where schema_name = 'app_portal';
+
+-- Subset of meta.columns where both referencing and referenced tables are ACL tables
+drop view if exists links cascade;
+create view links as
+  select c.*
+  from tables tf
+  join meta.links c
+    on  c.schema_name = tf.schema_name
+    and c.table_name = tf.table_name
+  join tables tt 
+    on  tt.schema_name = c.ref_schema_name 
+    and tt.table_name = c.ref_table_name
+;
+
+\echo ACL_LINKS
+select * from links where schema_name = 'app_portal';
+
+-- Subset of meta.chains where first and last table are ACL tables
+drop view if exists chains cascade;
+create view chains as
+  select mc.*
+  from meta.chains mc
+  join tables src on
+        mc.src_schema_name = src.schema_name
+    and mc.src_table_name = src.table_name
+  join tables dst on
+        mc.dst_schema_name = dst.schema_name
+    and mc.dst_table_name = dst.table_name
+;
+
+\echo ACL_CHAINS
+--select * from chains where src_schema_name = 'app_portal';
+
+drop view if exists closures cascade;
+create view closures as
+  select
+    at.schema_name,
+    at.table_name,
+    coalesce(
+      array_agg(ac.src_schema_name || '.' || ac.src_table_name) filter (where ac.src_schema_name is not null),
+      array[]::varchar[]
+    ) as closure_uids
+  from 
+    tables at 
+    left join chains ac
+      on  ac.dst_schema_name = at.schema_name
+      and ac.dst_table_name = at.table_name
+  group by
+    at.schema_name,
+    at.table_name
+;
+
+\echo ACL_CLOSURES
+--select * from closures;
+
+drop view if exists paths cascade;
+create view paths as
+  with 
+    recursive search_path as (
+      with edges as (
+        select distinct
+        schema_name || '.' || table_name as "from_table",
+        ref_schema_name || '.' || ref_table_name as "to_table",
+        column_name as "from_column",
+        ref_column_name as "to_column"
+      from
+        acl.links
+      )
+
+      -- Anchor member: start from the initial node
+      select 
+        from_table as "start_table",
+        from_table, 
+        to_table,
+        array[from_table] as path, 
+        array[array[from_table || '.' || from_column, to_table || '.' || to_column]] as link,
+        false as cycle
+      from edges
+      
+      union all
+      
+      -- Recursive member: find the next links
+      select
+        sp.start_table,
+        e.from_table,
+        e.to_table,
+        sp.path || e.from_table as "path", 
+        sp.link || array[array[e.from_table || '.' || e.from_column, e.to_table || '.' || e.to_column]] as "link",
+        e.from_table = any(sp.path) as "cycle"
+      from search_path sp
+      join edges e on e.from_table = sp.to_table
+      where not sp.cycle
+    )
+  select 
+    start_table,
+    to_table as "stop_table",
+    path || to_table as "path",
+    link as "links"
+  from search_path
+  order by 
+    start_table,
+    "stop_table"
+;
+
+\echo ACL_PATHS
+--select * from paths;
+
+*/

data/tests/initial-functions.sql

@@ -0,0 +1,6 @@
+
+drop function if exists public.current_user_id() cascade;
+create function public.current_user_id() returns integer as $$
+  select 2
+$$ language sql;
+

data/tests/meta.sql

@@ -0,0 +1,197 @@
+
+\set ON_ERROR_STOP on
+
+drop schema if exists meta cascade;
+create schema meta;
+set search_path to meta;
+
+create view schemas as 
+  select
+    nspname as "schema_name"
+  from
+    pg_namespace
+  where nspname <> 'information_schema'
+    and nspname not like 'pg\_%'
+    and nspname not like 'fdw\_%'
+    and nspname not in ('pgcrypto') -- array because more libraries may come
+;
+
+create view tables as
+  select 
+    relnamespace::regnamespace::varchar as "schema_name",
+    relname as "table_name"
+  from
+    pg_class
+  where
+    relkind = 'r'
+    and relnamespace::regnamespace::varchar <> 'information_schema'
+    and relnamespace::regnamespace::varchar not like 'pg\_%'
+    -- FIXME relation "fdw_webtoolpublished.publisheddata" does not exist
+    and relnamespace::regnamespace::varchar not like 'fdw\_%'
+;
+
+\echo META_TABLES
+select * 
+from tables
+where
+  schema_name = 'app_portal'
+;
+
+create view columns as
+  with 
+    referencing_fields as (
+      select 
+        tf.relnamespace::regnamespace::varchar as "schema_name",
+        tf.relname as "table_name", -- avoids qualified table name
+        af.attname as "column_name",
+        tt.relnamespace::regnamespace::varchar as "ref_schema_name",
+        tt.relname as "ref_table_name", -- avoids qualified table name
+        at.attname as "ref_column_name"
+      from 
+        pg_constraint as c
+        join pg_attribute as af on af.attnum = any(c.conkey) and af.attrelid = c.conrelid
+        join pg_attribute as at on at.attnum = any(c.confkey) and at.attrelid = c.confrelid
+        join pg_class tf on tf.oid = c.conrelid
+        join pg_class tt on tt.oid = c.confrelid
+      where 
+        c.contype = 'f'
+      order by
+        "schema_name",
+        "table_name",
+        "column_name"
+    )
+  select
+    t.schema_name,
+    t.table_name,
+    af.attname as "column_name",
+    at.ref_schema_name,
+    at.ref_table_name,
+    at.ref_column_name,
+    af.attnum as "ordinal"
+  from
+    tables t
+    join pg_attribute af
+      on  af.attrelid = (schema_name || '.' || table_name)::regclass
+      and af.attnum > 0
+    left join referencing_fields at
+      on  at.schema_name = t.schema_name
+      and at.table_name = t.table_name
+      and at.column_name = af.attname
+  order by
+    "schema_name",
+    "table_name",
+    "ordinal"
+;
+
+\echo META_COLUMNS
+/*
+select 
+  schema_name, table_name, column_name,
+  ref_schema_name, ref_table_name, ref_column_name
+from columns 
+where
+  schema_name = 'app_portal'
+;
+*/
+
+create view links as
+  select *
+  from columns
+  where ref_table_name is not null
+;
+
+\echo META_LINKS
+--select * from links;
+
+create view chains as
+  with 
+    recursive search_path as (
+      with 
+        edges as (
+          select distinct
+          schema_name || '.' || table_name as "from_table",
+          ref_schema_name || '.' || ref_table_name as "to_table",
+          column_name as "from_column",
+          ref_column_name as "to_column"
+        from
+          links
+        )
+
+      -- Anchor member: src from the initial node
+      select 
+        from_table as "src_table",
+        from_table, 
+        to_table,
+        array[from_table] as path, 
+        array[array[from_table || '.' || from_column, to_table || '.' || to_column]] as link,
+        false as cycle
+      from edges
+      
+      union all
+      
+      -- Recursive member: find the next links
+      select
+        sp.src_table,
+        e.from_table,
+        e.to_table,
+        sp.path || e.from_table as "path", 
+        sp.link || array[array[e.from_table || '.' || e.from_column, e.to_table || '.' || e.to_column]] as "link",
+        e.from_table = any(sp.path) as "cycle"
+      from search_path sp
+      join edges e on e.from_table = sp.to_table
+      where not sp.cycle
+    )
+  select 
+    regexp_replace(src_table, '\..*', '') as src_schema_name,
+    regexp_replace(src_table, '^.*\.', '') as src_table_name,
+    regexp_replace(to_table, '\..*', '') as dst_schema_name,
+    regexp_replace(to_table, '^.*\.', '') as dst_table_name,
+    path || to_table as "path",
+    link as "links"
+  from search_path
+  order by 
+    "src_schema_name",
+    "src_table_name",
+    "dst_schema_name",
+    "dst_table_name"
+;
+
+\echo META_CHAINS
+--select * from chains;
+
+create view closures as 
+  select
+    mt.schema_name,
+    mt.table_name,
+    coalesce(
+      array_agg(mc.src_schema_name || '.' || mc.src_table_name) filter (where mc.src_schema_name is not null),
+      array[]::varchar[]
+    ) as closure_uids
+  from 
+    tables mt 
+    left join chains mc
+      on  mc.dst_schema_name = mt.schema_name
+      and mc.dst_table_name = mt.table_name
+  group by
+    mt.schema_name,
+    mt.table_name
+;
+
+\echo META_CLOSURES
+--select * from closures;
+
+create view functions as
+  select
+    s.schema_name,
+    proname as "function_name",
+    string_to_array(pg_catalog.pg_get_function_identity_arguments(oid), ',') as arguments,
+    pg_catalog.format_type(prorettype, null) as return_type,
+    proconfig as "config"
+  from
+    meta.schemas s
+    join pg_proc p on p.pronamespace::regnamespace::varchar = s.schema_name
+  order by
+    s.schema_name,
+    "function_name"
+;
+

data/tests/reflections.yml

@@ -0,0 +1,5 @@
+---
+- match: app_portal.event_users.case_role_id
+  that: event_user
+- match: app_portal.event_users.user_id
+  that: event_role

data/tests/schemas.sql

@@ -0,0 +1,25 @@
+\set ON_ERROR_STOP on
+
+drop schema if exists app_portal cascade;
+drop schema if exists acl_portal cascade;
+drop schema if exists sys_portal cascade;
+
+drop schema if exists meta cascade;
+drop schema if exists acl cascade;
+
+drop schema if exists agg cascade;
+drop schema if exists name cascade;
+drop schema if exists agg_name cascade;
+
+drop schema if exists auth cascade;
+
+create schema auth;
+create schema app_portal;
+create schema acl_portal;
+create schema sys_portal;
+create schema meta;
+create schema acl;
+create schema agg;
+create schema name;
+create schema agg_name;
+

data/tests/setup.sql

@@ -0,0 +1,8 @@
+
+grant all on schema app_portal to alt;
+grant all on all tables in schema app_portal to alt;
+alter table cases enable row level security;
+alter table events enable row level security;
+alter table visits enable row level security;
+alter table noncompliances enable row level security;
+