Mercurial > gemma

diff auth.sql @ 96:d036e1bd5f00

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Add roles, privileges and RLS policies. I'm afraid I need (TAP) tests to verify.
author Tom Gottfried <tom@intevation.de>
date Wed, 06 Jun 2018 17:08:09 +0200
parents
children 81a2b26bf16b
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/auth.sql	Wed Jun 06 17:08:09 2018 +0200
@@ -0,0 +1,94 @@
+BEGIN;
+
+--
+-- Roles, privileges and policies for the WAMOS database
+--
+SET search_path TO public, wamos, wamos_waterway, wamos_fairway;
+
+-- We do not want any users to be able to create any objects
+REVOKE CREATE ON SCHEMA public FROM PUBLIC;
+
+--
+-- Primary WAMOS roles (SRS table 3)
+--
+CREATE ROLE waterway_user;
+CREATE ROLE waterway_admin IN ROLE waterway_user;
+CREATE ROLE sys_admin CREATEROLE BYPASSRLS IN ROLE waterway_admin;
+
+--
+-- Privileges for waterway_user
+--
+GRANT USAGE ON SCHEMA wamos_waterway, wamos_fairway TO waterway_user;
+GRANT SELECT ON ALL TABLES IN SCHEMA wamos_waterway, wamos_fairway
+      TO waterway_user;
+GRANT SELECT ON templates, user_profiles TO waterway_user;
+
+--
+-- Extended privileges for waterway_admin
+--
+GRANT INSERT, UPDATE ON ALL TABLES IN SCHEMA wamos_waterway, wamos_fairway
+      TO waterway_admin;
+-- TODO: will there ever be UPDATEs or can we drop that due to historicisation?
+GRANT INSERT, UPDATE ON templates, user_templates TO waterway_admin;
+
+--
+-- Extended privileges for sys_admin
+--
+GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA wamos
+      TO sys_admin;
+
+--
+-- RLS policies for waterway_user
+--
+
+-- Staging area
+CREATE FUNCTION create_hide_staging_policy() RETURNS void AS $$
+DECLARE the_table varchar;
+BEGIN
+    FOREACH the_table IN ARRAY ARRAY[
+        'bottlenecks', 'sounding_results']
+    -- TODO: add all relevant tables here
+    LOOP
+        EXECUTE format('CREATE POLICY hide_staging ON %I '
+            'FOR SELECT TO waterway_user USING (staging_done)', the_table);
+        EXECUTE format('ALTER TABLE %I ENABLE ROW LEVEL SECURITY', the_table);
+    END LOOP;
+END;
+$$ LANGUAGE plpgsql;
+SELECT create_hide_staging_policy();
+DROP FUNCTION create_hide_staging_policy;
+
+CREATE POLICY see_yourself ON user_profiles FOR SELECT TO waterway_user
+       USING (username = current_user);
+ALTER TABLE user_profiles ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY own_templates ON templates FOR SELECT TO waterway_user
+       USING (id IN(SELECT t.id FROM templates t
+                    JOIN user_templates ut ON t.id = ut.template_id
+                    JOIN user_profiles p ON ut.username = p.username
+                    WHERE p.username = current_user));
+ALTER TABLE templates ENABLE ROW LEVEL SECURITY;
+
+--
+-- RLS policies for waterway_admin
+--
+
+-- Staging area
+-- TODO: add all relevant tables here
+CREATE POLICY responsibility_area ON bottlenecks FOR ALL TO waterway_admin
+       USING (ST_Within(area, (SELECT area FROM responsibility_areas
+           WHERE country = (SELECT country FROM user_profiles
+               WHERE username = current_user))));
+CREATE POLICY responsibility_area ON sounding_results FOR ALL TO waterway_admin
+       USING (ST_Within(area, (SELECT area FROM responsibility_areas
+           WHERE country = (SELECT country FROM user_profiles
+               WHERE username = current_user))));
+
+CREATE POLICY manage_templates ON templates FOR ALL TO waterway_admin
+       USING (id IN(SELECT t.id FROM templates t
+                    JOIN user_templates ut ON t.id = ut.template_id
+                    JOIN user_profiles p ON ut.username = p.username
+                    WHERE p.country = (SELECT country FROM user_profiles
+                        WHERE username = current_user)));
+
+COMMIT;