

add capability_hostnames array column to capabilities_http table
leondutoit committed Feb 7, 2020
1 parent 7bab621 commit 81f6c33
Showing 2 changed files with 21 additions and 19 deletions.
8 changes: 5 additions & 3 deletions db_capabilities.sql
Expand Up @@ -35,6 +35,7 @@ create table if not exists capabilities_http(
row_id uuid unique not null default gen_random_uuid(),
capability_id uuid unique not null default gen_random_uuid(),
capability_name text unique not null primary key,
capability_hostnames text[] not null,
capability_default_claims jsonb,
capability_required_groups text[],
capability_required_attributes jsonb,
Expand All @@ -47,16 +48,17 @@ create table if not exists capabilities_http(
);


drop function if exists ensure_unique_capability_groups() cascade;
create or replace function ensure_unique_capability_groups()
drop function if exists ensure_unique_capability_attributes() cascade;
create or replace function ensure_unique_capability_attributes()
returns trigger as $$
begin
perform assert_array_unique(NEW.capability_required_groups, 'capability_required_groups');
perform assert_array_unique(NEW.capability_hostnames, 'capability_hostnames');
return new;
end;
$$ language plpgsql;
create trigger capabilities_http_unique_groups before update or insert on capabilities_http
for each row execute procedure ensure_unique_capability_groups();
for each row execute procedure ensure_unique_capability_attributes();


create trigger capabilities_http_audit after update or insert or delete on capabilities_http
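Review bot: The `capability_hostnames text[] not null` column on line 20 lives only inside `create table if not exists`, so on a database where `capabilities_http` already exists it is never created and the new `perform assert_array_unique(NEW.capability_hostnames, ...)` then errors on every insert or update; unless this schema is only ever applied to fresh databases (I can't tell from here), the commit needs an explicit `alter table capabilities_http add column if not exists capability_hostnames text[];` plus a backfill before the `not null` can hold. On that same existing database the `drop function if exists` now names only `ensure_unique_capability_attributes()`, so the old `ensure_unique_capability_groups()` and the trigger it owns survive and the unchanged `create trigger capabilities_http_unique_groups` on line 39 fails with a duplicate-trigger error; keep `drop function if exists ensure_unique_capability_groups() cascade;` alongside the new drop for one release, and note the trigger name now undersells what it checks. Separately, `not null` still accepts `'{}'` and `'{""}'` and nothing constrains the element format, so if these hostnames gate where a capability is honoured, a `check (cardinality(capability_hostnames) > 0)` on the column plus a comment above it stating how consumers interpret the list would close the obvious gap. The `capabilities_http_audit` trigger statement on line 44 continues outside the hunk.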
32 changes: 16 additions & 16 deletions tests.sql
Expand Up @@ -490,22 +490,22 @@ create or replace function test_capabilities_http()
declare grid3 uuid;
declare grid4 uuid;
begin
insert into capabilities_http (capability_name, capability_default_claims,
insert into capabilities_http (capability_name, capability_hostnames, capability_default_claims,
capability_required_groups, capability_group_match_method,
capability_lifetime, capability_description, capability_expiry_date)
values ('p11import', '{"role": "p11_import_user"}',
values ('p11import', '{api.com}', '{"role": "p11_import_user"}',
'{"p11-export-group", "p11-special-group"}', 'exact',
'123', 'bla', current_date);
insert into capabilities_http (capability_name, capability_default_claims,
insert into capabilities_http (capability_name, capability_hostnames, capability_default_claims,
capability_required_groups, capability_group_match_method,
capability_lifetime, capability_description, capability_expiry_date)
values ('export', '{"role": "export_user"}',
values ('export', '{api.com}', '{"role": "export_user"}',
'{"admin-group", "export-group"}', 'wildcard',
'123', 'bla', current_date);
insert into capabilities_http (capability_name, capability_default_claims,
insert into capabilities_http (capability_name, capability_hostnames, capability_default_claims,
capability_required_groups, capability_group_match_method,
capability_lifetime, capability_description, capability_expiry_date)
values ('admin', '{"role": "admin_user"}',
values ('admin', '{api.com}', '{"role": "admin_user"}',
'{"admin-group", "special-group"}', 'wildcard',
'123', 'bla', current_date);
-- immutability
Expand All @@ -523,10 +523,10 @@ create or replace function test_capabilities_http()
end;
-- uniqueness
begin
insert into capabilities_http (capability_name, capability_default_claims,
insert into capabilities_http (capability_name, capability_hostnames, capability_default_claims,
capability_required_groups, capability_group_match_method,
capability_lifetime, capability_description, capability_expiry_date)
values ('admin', '{"role": "admin_user"}',
values ('admin', '{api.com}', '{"role": "admin_user"}',
'{"admin-group", "special-group"}', 'wildcard',
'123', 'bla', current_date);
assert false;
Expand All @@ -541,22 +541,22 @@ create or replace function test_capabilities_http()
end;
-- referential constraints
begin
insert into capabilities_http (capability_name, capability_default_claims,
insert into capabilities_http (capability_name, capability_hostnames, capability_default_claims,
capability_required_groups, capability_group_match_method,
capability_lifetime, capability_description, capability_expiry_date)
values ('admin2', '{"role": "admin_user"}',
values ('admin2', '{api.com}', '{"role": "admin_user"}',
'{"admin2-group", "very-special-group"}', 'wildcard',
'123', 'bla', current_date);
assert false;
exception when assert_failure then
raise notice 'capabilities_http: group must exist to be referenced in new capability';
end;
-- ability to override group references
insert into capabilities_http (capability_name, capability_default_claims,
insert into capabilities_http (capability_name, capability_hostnames, capability_default_claims,
capability_required_groups, capability_group_match_method,
capability_lifetime, capability_description, capability_expiry_date,
capability_group_existence_check)
values ('admin2', '{"role": "admin_user"}',
values ('admin2', '{api.com}', '{"role": "admin_user"}',
'{"admin2-group", "very-special-group"}', 'wildcard',
'123', 'bla', current_date, 'f');
delete from capabilities_http where capability_name = 'admin2';
Expand Down Expand Up @@ -763,10 +763,10 @@ create or replace function test_capabilities_http()
assert array['self'] = (select capability_grant_required_groups from capabilities_http_grants
where capability_grant_name = 'allow_get'), 'capability_grant_group_remove issue';
-- test that deleting a capability_name automatically removes it from any references in capability_names_allowed
insert into capabilities_http (capability_name, capability_default_claims,
insert into capabilities_http (capability_name, capability_hostnames, capability_default_claims,
capability_required_groups, capability_group_match_method,
capability_lifetime, capability_description, capability_expiry_date)
values ('edit', '{"role": "editor"}',
values ('edit', '{api.com}', '{"role": "editor"}',
'{"p11-export-group", "p11-special-group"}', 'exact',
'123', 'bla', current_date);
insert into capabilities_http_grants (capability_names_allowed,
Expand Down Expand Up @@ -909,10 +909,10 @@ create or replace function test_funcs()
assert data->>'person_id' = pid::text, err;
-- person_capabilities
insert into capabilities_http (
capability_name, capability_default_claims,
capability_name, capability_hostnames, capability_default_claims,
capability_required_groups, capability_group_match_method,
capability_lifetime, capability_description, capability_expiry_date)
values ('p11-art', '{"role": "p11_art_user"}',
values ('p11-art', '{api.com}', '{"role": "p11_art_user"}',
'{"p11-surrealist-group", "p11-admin-group"}', 'exact',
'123', 'bla', current_date);
insert into capabilities_http_grants (capability_names_allowed,
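Review bot: Every updated insert passes the same valid `'{api.com}'`, so nothing here exercises the new trigger path — no case inserts duplicate hostnames, an empty array, or omits the `not null` column and expects a failure. Add a negative case in `test_capabilities_http` next to the existing uniqueness block (the one that inserts `'admin'` twice) that inserts `'{api.com, api.com}'` under a fresh capability_name and asserts it is rejected; `assert_array_unique` is not visible here, so confirm which exception it raises before settling on the handler. Both `test_capabilities_http` and `test_funcs` start and end outside these hunks.
```sql
-- … unchanged: existing uniqueness block that re-inserts 'admin' …
-- hostname uniqueness (new capability_hostnames trigger check)
begin
    insert into capabilities_http (capability_name, capability_hostnames, capability_default_claims,
                                   capability_required_groups, capability_group_match_method,
                                   capability_lifetime, capability_description, capability_expiry_date)
    values ('dup-hosts', '{api.com, api.com}', '{"role": "admin_user"}',
            '{"admin-group", "special-group"}', 'wildcard',
            '123', 'bla', current_date);
    assert false;
exception when assert_failure then -- assumes assert_array_unique raises assert_failure; verify against the helper
    raise notice 'capabilities_http: capability_hostnames must be unique';
end;
```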
