File: v10-gm-role_management-dynamic.sql

package info (click to toggle)
gnumed-server 16.17-1
  • links: PTS, VCS
  • area: main
  • in suites: wheezy
  • size: 42,064 kB
  • sloc: sql: 1,190,603; python: 11,850; sh: 1,082; makefile: 19
file content (288 lines) | stat: -rw-r--r-- 8,188 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
 
-- ==============================================================
-- GNUmed database schema change script
--
-- License: GPL v2 or later
-- Author: karsten.hilbert@gmx.net
-- 
-- ==============================================================
-- $Id: v10-gm-role_management-dynamic.sql,v 1.1 2008-12-01 12:09:41 ncq Exp $
-- $Revision: 1.1 $

-- --------------------------------------------------------------
--set default_transaction_read_only to off;
\set ON_ERROR_STOP 1

--set default_transaction_read_only to off;

-- --------------------------------------------------------------
create or replace function gm.transfer_users(text, text)
	returns boolean
	language 'plpgsql'
	as '
DECLARE
	_source_group alias for $1;
	_target_group alias for $2;
	member_ids int[];
	member_id int;
	member_name text;
	tmp text;
BEGIN
	-- source group exists ?
	perform 1 from pg_group where groname = _source_group;
	if not FOUND then
		raise exception ''gm_transfer_users(): source group [%] does not exist'', _source_group;
		return false;
	end if;

	-- target group exists ?
	perform 1 from pg_group where groname = _target_group;
	if not FOUND then
		raise exception ''gm_transfer_users(): target group [%] does not exist'', _target_group;
		return false;
	end if;

	-- loop over group member IDs
	select into member_ids grolist from pg_group where groname = _source_group;
	FOR idx IN coalesce(array_lower(member_ids, 1), 0) .. coalesce(array_upper(member_ids, 1), -1) LOOP
		member_id := member_ids[idx];
		select into member_name usename from pg_user where usesysid = member_id;
		tmp := ''gm_transfer_users(text): transferring "''
				|| member_name || ''" (''
				|| member_id || '') from group "''
				|| _source_group || ''" to group "''
				|| _target_group || ''"'';
		raise notice ''%'', tmp;
		-- satisfy "database = samegroup" in pg_hba.conf
		tmp := ''alter group '' || quote_ident(_target_group) || '' add user '' || quote_ident(member_name) || '';'';
		execute tmp;

	end LOOP;

	return true;
END;';


revoke all on function gm.transfer_users(text, text) from public;
grant execute on function gm.transfer_users(text, text) to "gm-dbo";


comment on function gm.transfer_users(text, text) is
'This function transfers adds users from the group role given in the
 argument to the group role corresponding to the current database
 name. This enables group membership based authentication as used
 in GNUmed. This operation is typically only run on database upgrade
 and is only available to gm-dbo.';


create or replace function gm.transfer_users(text)
	returns boolean
	language sql
	as 'select gm.transfer_users($1, current_database());';


revoke all on function gm.transfer_users(text) from public;
grant execute on function gm.transfer_users(text) to "gm-dbo";


\unset ON_ERROR_STOP
drop function public.gm_transfer_users(name, text) cascade;
\set ON_ERROR_STOP 1

-- --------------------------------------------------------------
create or replace function gm.create_user(name, text)
	returns boolean
	language 'plpgsql'
	as '
DECLARE
	_username alias for $1;
	_password alias for $2;
	_database text;
	_query text;
BEGIN
	perform 1 from pg_user where usename = _username;
	if not FOUND then
		_query := ''create user '' || quote_ident(_username)
					|| '' with password '' || quote_literal(_password)
					|| '';'';
		execute _query;
		perform 1 from pg_user where usename = _username;
		if not FOUND then
			raise exception ''cannot create user [%]'', _username;
			return false;
		end if;
	end if;

	_query := ''alter group "gm-logins" add user '' || quote_ident(_username) || '';'';
	execute _query;

	_query := ''alter group "gm-doctors" add user '' || quote_ident(_username) || '';'';
	execute _query;

	_query := ''alter group "gm-public" add user '' || quote_ident(_username) || '';'';
	execute _query;

	-- satisfy "database = samegroup" in pg_hba.conf
	select into _database current_database();
	_query := ''alter group '' || quote_ident(_database) || '' add user '' || quote_ident(_username) || '';'';
	execute _query;

	return true;
END;';


revoke all on function gm.create_user(name, text) from public;
grant execute on function gm.create_user(name, text) to "gm-dbo";


comment on function gm.create_user(name, text) is
'To create users one needs to have CREATEROLE rights.
 Only gm-dbo is GRANTed EXECUTE. This way users need
 to know the gm-dbo (GNUmed admin) password to execute
 the function.';


\unset ON_ERROR_STOP
drop function public.gm_create_user(name, text) cascade;
\set ON_ERROR_STOP 1

-- --------------------------------------------------------------
create or replace function gm.drop_user(name)
	returns boolean
	language 'plpgsql'
	as '
DECLARE
	_username alias for $1;
	_query text;
BEGIN
	perform 1 from pg_user where usename = _username;
	if not FOUND then
		return true;
	end if;
	_query := ''drop user '' || quote_ident(_username) || '';'';
	execute _query;
	perform 1 from pg_user where usename = _username;
	if FOUND then
		return false;
	end if;
	return true;
END;';


revoke all on function gm.drop_user(name) from public;
grant execute on function gm.drop_user(name) to "gm-dbo";


comment on function gm.drop_user(name) is
'To drop users one needs to have CREATEROLE rights.
 Only gm-dbo is GRANTed EXECUTE.
 This way users need to know the gm-dbo (GNUmed admin) password
 to execute the function.';


\unset ON_ERROR_STOP
drop function public.gm_drop_user(name, text) cascade;
\set ON_ERROR_STOP 1


-- --------------------------------------------------------------
create or replace function gm.disable_user(name)
	returns boolean
	language 'plpgsql'
	as '
DECLARE
	_username alias for $1;
	_query text;
BEGIN
	perform 1 from pg_user where usename = _username;
	if not FOUND then
		return true;
	end if;

	_query := ''alter group "gm-logins" drop user '' || quote_ident(_username) || '';'';
	execute _query;

	return true;
END;';


revoke all on function gm.disable_user(name) from public;
grant execute on function gm.disable_user(name) to "gm-dbo";


comment on function gm.disable_user(name) is
'To disable users one needs to have CREATEROLE rights.
 Only gm-dbo is GRANTed EXECUTE.
 This way users need to know the gm-dbo (GNUmed admin) password
 to execute the function.';


\unset ON_ERROR_STOP
drop function public.gm_disable_user(name, text) cascade;
\set ON_ERROR_STOP 1

-- --------------------------------------------------------------
create or replace function gm.get_users(name)
	returns text[]
	language 'plpgsql'
	as '
DECLARE
	_db alias for $1;
	_gm_users text[];
	_user text;
BEGIN

	_gm_users := ARRAY[''gm-logins'', ''gm-public'', ''gm-doctors'', _db];

	-- add members of groups gm-logins, gm-public, _db
	FOR _user in
		select distinct rolname from pg_roles where oid in (
			select member from pg_auth_members where roleid in (
				select oid from pg_roles where rolname in (''gm-logins'', ''gm-public'', _db)
			)
		)
	LOOP
		continue when _user = ''postgres'';
		continue when _user = any(_gm_users);
		_gm_users := _gm_users || _user;
	END LOOP;

	-- add *.modified_by entries
	FOR _user in select distinct modified_by from audit.audit_fields LOOP
		continue when _user = ''postgres'';
		continue when _user = any(_gm_users);
		_gm_users := _gm_users || _user;
	END LOOP;

	-- add dem.staff.db_user entries
	FOR _user in select distinct db_user from dem.staff LOOP
		continue when _user = ''postgres'';
		continue when _user = any(_gm_users);
		_gm_users := _gm_users || _user;
	END LOOP;

	return _gm_users;
END;';


revoke all on function gm.get_users(name) from public;
grant execute on function gm.get_users(name) to "gm-dbo";


create or replace function gm.get_users()
	returns text[]
	language sql
	as 'select gm.get_users(current_database());';


revoke all on function gm.get_users() from public;
grant execute on function gm.get_users() to "gm-dbo";

-- --------------------------------------------------------------
select gm.log_script_insertion('$RCSfile: v10-gm-role_management-dynamic.sql,v $', '$Revision: 1.1 $');

-- ==============================================================
-- $Log: v10-gm-role_management-dynamic.sql,v $
-- Revision 1.1  2008-12-01 12:09:41  ncq
-- - new
--
--