Commit e2c60350 authored by Sophie Herold's avatar Sophie Herold 🌼

Function grants

parent 202b05ec
Pipeline #1738 passed with stage
in 4 minutes and 28 seconds
......@@ -42,7 +42,13 @@ normalizeGrants prefix setup =
over (setupGrants . _Just . each) filterAndNormalizeRoles setup
where
setupGrants =
setupSchemaData . _Just . each . schemaTables . _Just . each . tableGrant
foldr1
(~&~)
[ setupSchemaData .
_Just . each . schemaTables . _Just . each . tableGrant
, setupSchemaData .
_Just . each . schemaFunctions . _Just . each . functionGrant
]
filterAndNormalizeRoles grant =
grant
{ grantRole =
......@@ -170,8 +176,8 @@ deployedTables schema = do
SELECT jsonb_build_object(
'role', ARRAY[pg_get_userbyid(grantee)],
'privilege', array_agg(privilege_type))
FROM aclexplode(relacl)
GROUP BY grantee
FROM aclexplode(relacl)
GROUP BY grantee
) AS privileges
FROM pg_catalog.pg_class
WHERE
......@@ -390,7 +396,7 @@ deployedFunctions schema = do
funs <- psqlQry qry (Only $ toSqlCode schema)
return $ map toFunction funs
where
toFunction ((proname, description, prorettype, proretset, owner, language, prosecdef, source) :. args) =
toFunction ((proname, description, prorettype, proretset, owner, language, prosecdef, source, privileges) :. args) =
Function
{ functionName = proname
, functionDescription = fromMaybe "" description
......@@ -400,7 +406,7 @@ deployedFunctions schema = do
, functionTemplates = Nothing
, functionTemplateData = Nothing
, functionVariables = Nothing
, functionPrivExecute = Nothing
, _functionGrant = presetEmpty $ fromPGArray privileges
, functionSecurityDefiner = preset False prosecdef
, functionOwner = owner
, functionLanguage = Just language
......@@ -435,6 +441,14 @@ deployedFunctions schema = do
lanname,
prosecdef,
prosrc,
-- grant
ARRAY(
SELECT jsonb_build_object(
'role', ARRAY[pg_get_userbyid(grantee)],
'privilege', array_agg(privilege_type))
FROM aclexplode(proacl)
GROUP BY grantee
) AS privileges,
-- function arguments
proargnames,
COALESCE(
......
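Review bot: The new `privileges` subquery in deployedFunctions reads `aclexplode(proacl)` directly, but `proacl` is NULL for a function that still has its default privileges, and in PostgreSQL those defaults include EXECUTE for PUBLIC. Such a function is therefore reported with an empty grant list although every role may call it, which matters most when `prosecdef` is true. Consider `FROM aclexplode(COALESCE(proacl, acldefault('f', proowner)))` so the effective ACL is what gets compared (the FROM clause of the outer query is outside the hunk, presumably pg_proc). Grantee OID 0 stands for PUBLIC and `pg_get_userbyid(0)` does not yield a usable role name, so that case likely needs an explicit mapping such as `CASE WHEN grantee = 0 THEN 'public' ELSE pg_get_userbyid(grantee) END`. The table query in deployedTables uses the same pattern with `relacl`.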
......@@ -22,13 +22,20 @@ instance ToSqlStmts (SqlContext (Schema, Function)) where
toSqlStmts SetupContext {setupContextSetup = setup} obj@(SqlContext (s, f)) =
stmtCreateFunction :
sqlSetOwner (functionOwner f) :
stmtComment : maybeMap sqlStmtGrantExecute (functionPrivExecute f)
stmtComment :
[ sqlStmtGrant p r
| g <- fromMaybe [] (_functionGrant f)
, r <- grantRole g
, p <- grantPrivilege g
]
--maybeMap sqlStmtGrantExecute (functionPrivExecute f)
--name = schemaName m <.> functionName f
where
sqlStmtGrantExecute u = newSqlStmt SqlPriv obj $ sqlGrantExecute u
sqlGrantExecute u =
"GRANT EXECUTE ON FUNCTION \n" <>
sqlIdCode obj <> "\nTO " <> prefixedRole setup u
sqlStmtGrant p r = newSqlStmt SqlPriv obj $ sqlGrant p r
sqlGrant p r =
"GRANT " <>
p <>
" ON FUNCTION \n" <> sqlIdCode obj <> "\nTO " <> prefixedRole setup r
stmtCreateFunction =
newSqlStmt SqlCreateFunction obj $
--(maybeMap _variableType (_functionParameters f)) $
......
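Review bot: `sqlGrant` splices the privilege text straight into the statement (`"GRANT " <> p <> " ON FUNCTION \n" ...`), and `p` comes from `grantPrivilege :: [Text]`, so it is whatever string the setup file contains; only the role goes through `prefixedRole`. A typo or an unexpected value in the YAML therefore changes the shape of SQL that runs with deploy privileges. PostgreSQL accepts only EXECUTE and ALL [PRIVILEGES] on a function, so reject anything else before building the statement, either with a guard in the list comprehension or by making the privilege a sum type in `Grant`, whose `grantPrivilege` field in the types module is where the free text originates. The added `--maybeMap sqlStmtGrantExecute (functionPrivExecute f)` line refers to a helper that appears to be removed in this same hunk and can be dropped rather than left commented out.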
......@@ -27,6 +27,19 @@ instance FromJSON Variable where
instance ToJSON Variable where
toJSON = toYamSqlJson
data Grant =
Grant
{ grantRole :: [SqlName]
, grantPrivilege :: [Text]
}
deriving (Data, Generic, Show)
instance FromJSON Grant where
parseJSON = parseYamSql
instance ToJSON Grant where
toJSON = toYamSqlJson
data Abbr a b
= ShortForm a
| LongForm b
......
......@@ -25,9 +25,8 @@ data Function =
-- | variables that are defined (ignored if language is given)
, functionVariables :: Maybe [Variable]
-- | Role that has the privilege to execute the function
, functionPrivExecute :: Maybe [SqlName]
-- | If true, the function is executed with the privileges of the owner!
-- | Owner has to be given, if this is true (not implemented yet!)
, _functionGrant :: Maybe [Grant]
-- | If true, the function is executed with the privileges of the owner
, functionSecurityDefiner :: Maybe Bool
-- | owner of the function
, functionOwner :: Maybe SqlName
......@@ -97,7 +96,7 @@ data FunctionTpl =
-- variables are appended to the functions variables
, functiontplVariables :: Maybe [Variable]
-- defines priv_execute, can be overwritten by function definition
, functiontplPrivExecute :: Maybe [SqlName]
, functiontplGrant :: Maybe [Grant]
-- defines security_definer, can be overwritten by function definition
, functiontplSecurityDefiner :: Maybe Bool
-- defines owner, can be overwritten by function definition
......@@ -118,8 +117,7 @@ instance ToJSON FunctionTpl where
applyFunctionTpl :: FunctionTpl -> Function -> Function
applyFunctionTpl t f =
f
{ functionPrivExecute =
asum [functionPrivExecute f, functiontplPrivExecute t]
{ _functionGrant = asum [_functionGrant f, functiontplGrant t]
, functionSecurityDefiner =
asum [functionSecurityDefiner f, functiontplSecurityDefiner t]
, functionOwner = asum [functionOwner f, functiontplOwner t]
......
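Review bot: The Haddock line kept above the new field, `-- | Role that has the privilege to execute the function`, no longer describes `_functionGrant :: Maybe [Grant]`, which now carries role and privilege lists. I would replace it with `-- | Grants on the function; each entry pairs a list of roles with a list of privileges`. Likewise the comment above `functiontplGrant` should read `-- defines grant, can be overwritten by function definition` instead of mentioning `priv_execute`. In applyFunctionTpl the `asum` means a function's own grant list replaces the template's list entirely rather than extending it, which deserves a one-line comment because it decides who ends up with EXECUTE on a security-definer function. The data declarations continue outside the hunks.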
......@@ -34,19 +34,6 @@ data SQL_TABLE =
instance ToSqlCode SQL_TABLE where
toSqlCode = const "TABLE"
data Grant =
Grant
{ grantRole :: [SqlName]
, grantPrivilege :: [Text]
}
deriving (Data, Generic, Show)
instance FromJSON Grant where
parseJSON = parseYamSql
instance ToJSON Grant where
toJSON = toYamSqlJson
data TableTpl =
TableTpl
{ tabletplTemplate :: SqlName
......
......@@ -17,7 +17,7 @@
#
# resolver: ./custom-snapshot.yaml
# resolver: https://example.com/snapshots/2018-01-01.yaml
resolver: lts-14.6
resolver: lts-14.10
# User packages to be built.
# Various formats can be used as shown in the example below.
......
......@@ -2,6 +2,11 @@
name: f
description: Function f 1 arg
language: plpgsql
grant:
- role: [myrole]
privilege: [EXECUTE]
returns: int
parameters:
- name: x1
......