From 0ea7e21d26833e337f6c0bf0a2e7e52b5e34924e Mon Sep 17 00:00:00 2001
From: TCHERNIATINSKY <philippe.tcherniatinsky@inrae.fr>
Date: Fri, 13 May 2022 14:56:07 +0200
Subject: [PATCH] =?UTF-8?q?Correction=20de=20la=20cr=C3=A9ation=20des=20au?=
 =?UTF-8?q?thorizations?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- ajout d'un rôle writer pour l'application
- utilisation de ce rôle pour la création des authorizations
---
 .../fr/inra/oresing/persistence/SqlPolicy.java | 2 ++
 .../inra/oresing/persistence/SqlService.java | 16 +++++++++++++---
 .../oresing/rest/AuthorizationService.java | 3 ++-
 .../fr/inra/oresing/rest/OreSiService.java | 18 +++++++++++++++++-
 4 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/src/main/java/fr/inra/oresing/persistence/SqlPolicy.java b/src/main/java/fr/inra/oresing/persistence/SqlPolicy.java
index 4d31ceef8..fb208dffd 100644
--- a/src/main/java/fr/inra/oresing/persistence/SqlPolicy.java
+++ b/src/main/java/fr/inra/oresing/persistence/SqlPolicy.java
@@ -18,6 +18,8 @@ public class SqlPolicy implements WithSqlIdentifier {
 
     String usingExpression;
 
+    String withCheckExpression;
+
     @Override
     public String getSqlIdentifier() {
         return WithSqlIdentifier.escapeSqlIdentifier(id);
diff --git a/src/main/java/fr/inra/oresing/persistence/SqlService.java b/src/main/java/fr/inra/oresing/persistence/SqlService.java
index 6bddf6220..9051501b0 100644
--- a/src/main/java/fr/inra/oresing/persistence/SqlService.java
+++ b/src/main/java/fr/inra/oresing/persistence/SqlService.java
@@ -2,6 +2,7 @@ package fr.inra.oresing.persistence;
 
 import fr.inra.oresing.persistence.roles.*;
 import lombok.extern.slf4j.Slf4j;
+import org.assertj.core.util.Strings;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.jdbc.core.namedparam.EmptySqlParameterSource;
 import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;
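Review bot: The new `withCheckExpression` field in SqlPolicy carries no documentation, and its null convention matters: SqlService only emits a WITH CHECK clause when the value is non-null and non-empty, and the callers changed in this commit pass `null` for it. A one-line comment on the field, `/** Optional WITH CHECK expression of the policy; null or empty means no WITH CHECK clause is emitted. */`, would make that contract explicit next to the equally undocumented `usingExpression`. The class body continues outside the hunk.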
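Review bot: `org.assertj.core.util.Strings` belongs to AssertJ, a test-assertion library, and the import is added to a file under src/main; unless assertj is declared with compile scope (the build file is not visible here) the main sources will not compile against it, and if it is, a test library ships in the production artifact. The check needs nothing beyond the JDK: a private helper in SqlService, `private static boolean isNullOrEmpty(String s) { return s == null || s.isEmpty(); }`, replaces both uses without the extra dependency.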
@@ -63,21 +64,30 @@ public class SqlService {
     }
 
     public void createPolicy(SqlPolicy sqlPolicy) {
+        dropPolicy(sqlPolicy);
+        String using = "", withCheck = "";
+        if(!Strings.isNullOrEmpty(sqlPolicy.getUsingExpression())){
+            using = String.format(" USING (%s)", sqlPolicy.getUsingExpression());
+        }
+        if(!Strings.isNullOrEmpty(sqlPolicy.getWithCheckExpression())){
+            using = String.format(" WITH CHECK (%s)", sqlPolicy.getWithCheckExpression());
+        }
         String createPolicySql = String.format(
-                "CREATE POLICY %s ON %s AS %s FOR %s TO %s USING (%s)",
+                "CREATE POLICY %s ON %s AS %s FOR %s TO %s %s %s",
                 sqlPolicy.getSqlIdentifier(),
                 sqlPolicy.getTable().getSqlIdentifier(),
                 sqlPolicy.getPermissiveOrRestrictive().name(),
                 sqlPolicy.getStatement().name(),
                 sqlPolicy.getRole().getSqlIdentifier(),
-                sqlPolicy.getUsingExpression()
+                using,
+                withCheck
         );
         execute(createPolicySql);
     }
 
     public void dropPolicy(SqlPolicy sqlPolicy) {
         String createPolicySql = String.format(
-                "DROP POLICY %s ON %s",
+                "DROP POLICY IF EXISTS %s ON %s",
                 sqlPolicy.getSqlIdentifier(),
                 sqlPolicy.getTable().getSqlIdentifier()
         );
diff --git a/src/main/java/fr/inra/oresing/rest/AuthorizationService.java b/src/main/java/fr/inra/oresing/rest/AuthorizationService.java
index 9e3ebe6e2..67fac7931 100644
--- a/src/main/java/fr/inra/oresing/rest/AuthorizationService.java
+++ b/src/main/java/fr/inra/oresing/rest/AuthorizationService.java
@@ -139,7 +139,8 @@ public class AuthorizationService {
                 SqlPolicy.PermissiveOrRestrictive.PERMISSIVE,
                 statement,
                 oreSiRightOnApplicationRole,
-                usingExpression
+                usingExpression,
+                null
         );
         return sqlPolicy;
     }
diff --git a/src/main/java/fr/inra/oresing/rest/OreSiService.java b/src/main/java/fr/inra/oresing/rest/OreSiService.java
index 3f6272b86..3776b3166 100644
--- a/src/main/java/fr/inra/oresing/rest/OreSiService.java
+++ b/src/main/java/fr/inra/oresing/rest/OreSiService.java
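Review bot: The second `if` in createPolicy assigns the WITH CHECK clause to `using` instead of `withCheck`, so `withCheck` is always the empty string and a WITH CHECK clause is never emitted; when both expressions are set, the USING clause is silently replaced as well. The INSERT policy for the writer role created in OreSiService in this same commit passes its row restriction only as the with-check expression, so as written that policy is created without the `name = '<app>'` restriction it was meant to carry. The fix is `withCheck = String.format(" WITH CHECK (%s)", sqlPolicy.getWithCheckExpression());`. A unit test that formats a policy with only a withCheckExpression and asserts the generated SQL contains `WITH CHECK (` would pin this, and would also cover the new drop-then-create behaviour that makes createPolicy replace an existing policy of the same name.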
@@ -144,9 +144,12 @@ public class OreSiService { OreSiRightOnApplicationRole adminOnApplicationRole = OreSiRightOnApplicationRole.adminOn(app); OreSiRightOnApplicationRole readerOnApplicationRole = OreSiRightOnApplicationRole.readerOn(app); + OreSiRightOnApplicationRole writerOnApplicationRole = OreSiRightOnApplicationRole.writerOn(app); db.createRole(adminOnApplicationRole); db.createRole(readerOnApplicationRole); + db.createRole(writerOnApplicationRole); + db.addUserInRole(writerOnApplicationRole, readerOnApplicationRole); db.createPolicy(new SqlPolicy( String.join("_", adminOnApplicationRole.getAsSqlRole(), SqlPolicy.Statement.ALL.name()), @@ -154,7 +157,8 @@ public class OreSiService { SqlPolicy.PermissiveOrRestrictive.PERMISSIVE, SqlPolicy.Statement.ALL, adminOnApplicationRole, - "name = '" + app.getName() + "'" + "name = '" + app.getName() + "'", + null )); db.createPolicy(new SqlPolicy( @@ -163,6 +167,18 @@ public class OreSiService { SqlPolicy.PermissiveOrRestrictive.PERMISSIVE, SqlPolicy.Statement.SELECT, readerOnApplicationRole, + "name = '" + app.getName() + "'", + null + )); + + + db.createPolicy(new SqlPolicy( + String.join("_", writerOnApplicationRole.getAsSqlRole(), SqlPolicy.Statement.INSERT.name()), + SqlSchema.main().application(), + SqlPolicy.PermissiveOrRestrictive.PERMISSIVE, + SqlPolicy.Statement.INSERT, + writerOnApplicationRole, + null, "name = '" + app.getName() + "'" )); -- GitLab
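Review bot: `db.addUserInRole(writerOnApplicationRole, readerOnApplicationRole)` relies on the argument order being (member, role); if the implementation takes (role, member) instead, every reader would be granted the writer role and with it the INSERT policy created further down in this method. The order cannot be verified from this hunk, so a comment stating the intent, `// writers are members of the reader role and inherit its SELECT policy`, plus a test asserting that a reader-only user cannot insert into the application table, would guard against an inversion. The enclosing method starts before and ends after this hunk.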
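Review bot: The new INSERT policy builds its expression as `"name = '" + app.getName() + "'"`, concatenating the application name into a CREATE POLICY statement without escaping; a name containing a single quote breaks the statement, and if application names are user-supplied this is an injection point inside DDL. The same value is now interpolated three times in this method, so escaping it once (the project already escapes identifiers through WithSqlIdentifier; a matching literal-quoting helper alongside it would fit) and passing the quoted literal to all three policies keeps the change contained. The admin and reader policies above use the same pattern, so this is pre-existing rather than introduced here, but the writer policy is the one that governs inserts.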