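-- Administrative helpers for managing database roles, users and object
-- privileges from application code.
--
-- Every function below builds a DDL statement (GRANT/REVOKE/CREATE/ALTER/DROP)
-- dynamically.  Role, table and function names are therefore always passed
-- through quote_ident() (or resolved to a regprocedure) and string values such
-- as passwords through quote_literal(), so caller-supplied text can change the
-- *arguments* of the executed statement but never its shape.
--
-- NOTE(review): whether these functions are installed SECURITY DEFINER, and
-- which role is allowed to call them, is not visible in this file.  The
-- executing role needs whatever privilege the underlying statement requires.

-- Grants membership of in_role to in_user.  Returns 1 on success.
-- Raises if either name is not an existing role.
CREATE OR REPLACE FUNCTION admin_add_user_to_role(in_user TEXT, in_role TEXT)
RETURNS INT AS $$
DECLARE
    a_role name;
    a_user name;
BEGIN
    -- Both names are resolved against pg_roles first, so only an existing
    -- role name ever reaches the GRANT.
    SELECT rolname INTO a_role FROM pg_roles WHERE rolname = in_role;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'Cannot grant permissions of a non-existant role.';
    END IF;

    SELECT rolname INTO a_user FROM pg_roles WHERE rolname = in_user;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'Cannot grant permissions to a non-existant user.';
    END IF;

    -- quote_ident() keeps mixed-case or otherwise special role names intact.
    EXECUTE 'GRANT ' || quote_ident(a_role) || ' TO ' || quote_ident(a_user);
    RETURN 1;
END;
$$ LANGUAGE plpgsql;

-- Revokes membership of in_role from in_user.  Returns 1 on success.
-- Raises if either name is not an existing role.
CREATE OR REPLACE FUNCTION admin_remove_user_from_role(in_user TEXT, in_role TEXT)
RETURNS INT AS $$
DECLARE
    a_role name;
    a_user name;
BEGIN
    SELECT rolname INTO a_role FROM pg_roles WHERE rolname = in_role;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'Cannot revoke permissions of a non-existant role.';
    END IF;

    SELECT rolname INTO a_user FROM pg_roles WHERE rolname = in_user;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'Cannot revoke permissions from a non-existant user.';
    END IF;

    EXECUTE 'REVOKE ' || quote_ident(a_role) || ' FROM ' || quote_ident(a_user);
    RETURN 1;
END;
$$ LANGUAGE plpgsql;

-- Grants EXECUTE on the function in_func to in_role.  Returns 1 on success.
-- in_func must be a full signature such as 'my_func(integer, text)', which is
-- what GRANT EXECUTE ON FUNCTION needs anyway.
-- Raises if the role or the function does not exist.
CREATE OR REPLACE FUNCTION admin_add_function_to_group(in_func TEXT, in_role TEXT)
RETURNS INT AS $$
DECLARE
    a_role name;
    a_func regprocedure;
BEGIN
    SELECT rolname INTO a_role FROM pg_roles WHERE rolname = in_role;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'Cannot grant permissions of a non-existant role.';
    END IF;

    -- The cast resolves the signature against pg_proc and fails for an
    -- unknown function; that failure is turned into this function's error.
    BEGIN
        a_func := in_func::regprocedure;
    EXCEPTION WHEN OTHERS THEN
        RAISE EXCEPTION 'Cannot grant permissions on a non-existant function.';
    END;

    -- a_func::text is the canonical, properly quoted signature.
    EXECUTE 'GRANT EXECUTE ON FUNCTION ' || a_func::text
            || ' TO ' || quote_ident(a_role);
    RETURN 1;
END;
$$ LANGUAGE plpgsql;

-- Revokes EXECUTE on the function in_func from in_role.  Returns 1 on success.
-- in_func must be a full signature, as for admin_add_function_to_group().
-- Raises if the role or the function does not exist.
CREATE OR REPLACE FUNCTION admin_remove_function_from_group(in_func TEXT, in_role TEXT)
RETURNS INT AS $$
DECLARE
    a_role name;
    a_func regprocedure;
BEGIN
    SELECT rolname INTO a_role FROM pg_roles WHERE rolname = in_role;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'Cannot revoke permissions of a non-existant role.';
    END IF;

    BEGIN
        a_func := in_func::regprocedure;
    EXCEPTION WHEN OTHERS THEN
        RAISE EXCEPTION 'Cannot revoke permissions from a non-existant function.';
    END;

    EXECUTE 'REVOKE EXECUTE ON FUNCTION ' || a_func::text
            || ' FROM ' || quote_ident(a_role);
    RETURN 1;
END;
$$ LANGUAGE plpgsql;

-- Grants one table privilege (select/insert/update/delete) on in_table to
-- in_role.  Returns 1 on success.
-- Raises if the role or table does not exist, or if in_perm is not one of
-- the four allowed keywords.
CREATE OR REPLACE FUNCTION admin_add_table_to_group(in_table TEXT, in_role TEXT, in_perm TEXT)
RETURNS INT AS $$
DECLARE
    a_role   name;
    a_schema name;
    a_table  name;
BEGIN
    SELECT rolname INTO a_role FROM pg_roles WHERE rolname = in_role;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'Cannot grant permissions of a non-existant role.';
    END IF;

    -- The table is located by bare name outside the system schemas.  The
    -- schema it was found in is carried through so the GRANT targets that
    -- same relation rather than whatever search_path would resolve.
    -- When several schemas hold a table of that name the first by schema
    -- name is used.
    SELECT table_schema, table_name INTO a_schema, a_table
      FROM information_schema.tables
     WHERE table_schema NOT IN ('information_schema', 'pg_catalog', 'pg_toast')
       AND table_type = 'BASE TABLE'
       AND table_name = in_table
     ORDER BY table_schema
     LIMIT 1;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'Cannot grant permissions to a non-existant table.';
    END IF;

    -- Only these four keywords may ever be spliced into the statement.
    IF in_perm IS NULL
       OR lower(in_perm) NOT IN ('select', 'insert', 'update', 'delete') THEN
        RAISE EXCEPTION 'Cannot add unknown permission';
    END IF;

    EXECUTE 'GRANT ' || upper(in_perm) || ' ON TABLE '
            || quote_ident(a_schema) || '.' || quote_ident(a_table)
            || ' TO ' || quote_ident(a_role);
    RETURN 1;
END;
$$ LANGUAGE plpgsql;

-- Revokes every privilege on in_table from in_role.  Returns 1 on success.
-- There is no privilege parameter, so "remove table from group" is read as
-- revoking all of the role's privileges on that table.
-- Raises if the role or table does not exist.
CREATE OR REPLACE FUNCTION admin_remove_table_from_group(in_table TEXT, in_role TEXT)
RETURNS INT AS $$
DECLARE
    a_role   name;
    a_schema name;
    a_table  name;
BEGIN
    SELECT rolname INTO a_role FROM pg_roles WHERE rolname = in_role;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'Cannot revoke permissions of a non-existant role.';
    END IF;

    -- Same lookup as admin_add_table_to_group(), so both resolve the name
    -- to the same relation.
    SELECT table_schema, table_name INTO a_schema, a_table
      FROM information_schema.tables
     WHERE table_schema NOT IN ('information_schema', 'pg_catalog', 'pg_toast')
       AND table_type = 'BASE TABLE'
       AND table_name = in_table
     ORDER BY table_schema
     LIMIT 1;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'Cannot revoke permissions from a non-existant table.';
    END IF;

    EXECUTE 'REVOKE ALL PRIVILEGES ON TABLE '
            || quote_ident(a_schema) || '.' || quote_ident(a_table)
            || ' FROM ' || quote_ident(a_role);
    RETURN 1;
END;
$$ LANGUAGE plpgsql;

-- Returns the users row whose username is in_user.
-- Raises if no such row exists.
-- NOTE(review): the users table and its column names (username, id,
-- entity_id) are not defined in this file; confirm against its DDL.
CREATE OR REPLACE FUNCTION admin_get_user(in_user TEXT)
RETURNS SETOF users AS $$
DECLARE
    a_user users%ROWTYPE;
BEGIN
    SELECT * INTO a_user FROM users WHERE username = in_user;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'cannot find user %', in_user;
    END IF;
    -- A SETOF function hands rows back with RETURN NEXT, not RETURN.
    RETURN NEXT a_user;
    RETURN;
END;
$$ LANGUAGE plpgsql;

-- Returns every lsmb_roles row attached to the user named in_user.
-- Raises (via admin_get_user) if the user does not exist.
-- NOTE(review): lsmb_roles is not defined in this file; its user reference
-- column is assumed to be literally named "user" -- confirm against the DDL.
CREATE OR REPLACE FUNCTION admin_get_roles_for_user(in_user TEXT)
RETURNS SETOF lsmb_roles AS $$
DECLARE
    u_role lsmb_roles;
    a_user users%ROWTYPE;
BEGIN
    SELECT * INTO a_user FROM admin_get_user(in_user);
    FOR u_role IN
        SELECT * FROM lsmb_roles WHERE "user" = a_user.id
    LOOP
        RETURN NEXT u_role;
    END LOOP;
    RETURN;
END;
$$ LANGUAGE plpgsql;

-- Creates or updates an application user together with its database role.
--
-- in_id       users.id of an existing row; an unknown id starts the insert path
-- in_username login name used for the users row and the database role
-- in_password password for the database role; on update, NULL leaves it alone
-- in_dbname, in_host, in_port
--             connection details stored in user_connection
-- Returns the new entity id on insert, users.id on update.
-- Raises if, on insert, a database role of that name already exists.
--
-- NOTE(review): the original body referenced in_first_name/in_last_name,
-- which are not parameters; the username is stored as entity.name instead
-- and entity.name is not touched on update.  Confirm against the callers.
CREATE OR REPLACE FUNCTION admin_save_user(
    in_id       int,
    in_username text,
    in_password TEXT,
    in_dbname   TEXT,
    in_host     TEXT,
    in_port     TEXT
) RETURNS int AS $$
DECLARE
    a_user      users%ROWTYPE;
    v_entity_id int;
BEGIN
    SELECT * INTO a_user FROM users WHERE id = in_id;

    IF NOT FOUND THEN
        -- Insert cycle: entity -> users -> user_connection -> database role.
        -- The role is created last, so a failure there rolls the rows back.
        IF admin_is_user(in_username) THEN
            RAISE EXCEPTION 'Fatal exception: Username already exists in Postgres; not a valid lsmb user.';
        END IF;

        v_entity_id := nextval('entity_id_seq');
        -- entity_class 3: meaning is not defined in this file.
        INSERT INTO entity (id, name, entity_class)
             VALUES (v_entity_id, in_username, 3);

        INSERT INTO users (username, entity_id)
             VALUES (in_username, v_entity_id);

        INSERT INTO user_connection (entity_id, database, host, port)
             VALUES (v_entity_id, in_dbname, in_host, in_port);

        -- The password is a value, hence quote_literal(); the role name is
        -- an identifier, hence quote_ident().  The executed statement text
        -- still contains the plaintext password, so statement logging on
        -- the server would record it.
        EXECUTE 'CREATE USER ' || quote_ident(in_username)
                || ' WITH ENCRYPTED PASSWORD ' || quote_literal(in_password);
        RETURN v_entity_id;
    ELSE
        -- Update cycle.
        IF in_password IS NOT NULL THEN
            EXECUTE 'ALTER USER ' || quote_ident(in_username)
                    || ' WITH ENCRYPTED PASSWORD ' || quote_literal(in_password);
        END IF;

        -- Restricted to this user's row; only rewritten when something
        -- actually changed (NULL-safe comparison).
        UPDATE user_connection
           SET database = in_dbname,
               host     = in_host,
               port     = in_port
         WHERE entity_id = a_user.entity_id
           AND (   database IS DISTINCT FROM in_dbname
                OR host     IS DISTINCT FROM in_host
                OR port     IS DISTINCT FROM in_port);
        RETURN a_user.id;
    END IF;
END;
$$ LANGUAGE plpgsql;

-- Role membership rows joined to the owning role.  pg_authid is readable
-- only by superusers, so this view is too; the functions below read
-- pg_roles instead, which every role can query.
CREATE OR REPLACE VIEW role_view AS
SELECT *
  FROM pg_auth_members m
 INNER JOIN pg_authid a ON (m.roleid = a.oid);

-- True when a role named in_group_name exists, false otherwise.
CREATE OR REPLACE FUNCTION admin_is_group(in_group_name text)
RETURNS bool AS $$
BEGIN
    PERFORM 1 FROM pg_roles WHERE rolname = in_group_name;
    RETURN FOUND;
END;
$$ LANGUAGE plpgsql;

-- Creates the NOLOGIN role <in_dbname>_lsmb_<in_group_name>.  Returns 1.
CREATE OR REPLACE FUNCTION admin_create_group(in_group_name TEXT, in_dbname TEXT)
RETURNS int AS $$
BEGIN
    -- The whole composed name is quoted as one identifier.
    EXECUTE 'CREATE ROLE ' || quote_ident(in_dbname || '_lsmb_' || in_group_name);
    RETURN 1;
END;
$$ LANGUAGE plpgsql;

-- Drops the database role for in_username and deletes its users and entity
-- rows.  Returns 1 on success.
-- Raises if no users row matches.
CREATE OR REPLACE FUNCTION admin_delete_user(in_username TEXT)
RETURNS INT AS $$
DECLARE
    a_user users%ROWTYPE;
BEGIN
    SELECT * INTO a_user FROM users WHERE username = in_username;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'User not found.';
    END IF;

    EXECUTE 'DROP USER ' || quote_ident(a_user.username);
    -- The original notes that deleting the entity also removes the
    -- user_connection row; that depends on a cascade defined in DDL
    -- outside this file.
    DELETE FROM users WHERE id = a_user.id;
    DELETE FROM entity WHERE id = a_user.entity_id;
    RETURN 1;
END;
$$ LANGUAGE plpgsql;

COMMENT ON FUNCTION admin_delete_user(text) IS
$$ Drops the provided user, as well as deletes the entity and user configuration data. $$;

-- Drops the role created by admin_create_group() for in_group_name in the
-- current database.  Returns true when a role was dropped, false when no
-- such role exists.
-- NOTE(review): the original drop statement carried an unexpanded
-- "$dbname_lsmb_" prefix; current_database() is used for that prefix here
-- so create and delete name the same role -- confirm against the callers.
CREATE OR REPLACE FUNCTION admin_delete_group(in_group_name TEXT)
RETURNS bool AS $$
DECLARE
    a_role name;
BEGIN
    a_role := current_database() || '_lsmb_' || in_group_name;
    PERFORM 1 FROM pg_roles WHERE rolname = a_role;
    IF NOT FOUND THEN
        RETURN false;
    END IF;
    EXECUTE 'DROP ROLE ' || quote_ident(a_role);
    RETURN true;
END;
$$ LANGUAGE plpgsql;

COMMENT ON FUNCTION admin_delete_group(text) IS
$$ Deletes the input group from the database. Not designed to be used to remove a login-capable user. $$;

-- Returns the names of every role in_username is a member of, directly or
-- through other roles, including in_username itself.
-- Raises if in_username is not a role.
-- The previous implementation walked pg_auth_members via connectby() from a
-- hard-coded OID, so it ignored in_username entirely; pg_has_role() performs
-- the same transitive membership test for the requested role.  For a
-- superuser it reports every role, since superusers pass every membership
-- check.
CREATE OR REPLACE FUNCTION admin_list_roles(in_username text)
RETURNS SETOF text AS $$
DECLARE
    out_rolename RECORD;
BEGIN
    PERFORM 1 FROM pg_roles WHERE rolname = in_username;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'cannot find user %', in_username;
    END IF;

    FOR out_rolename IN
        SELECT r.rolname
          FROM pg_roles r
         WHERE pg_has_role(in_username, r.oid, 'MEMBER')
         ORDER BY r.rolname
    LOOP
        RETURN NEXT out_rolename.rolname;
    END LOOP;
    RETURN;
END;
$$ LANGUAGE plpgsql;

-- TODO: Add admin user

-- Placeholder for audit logging.  Until it is implemented it fails loudly
-- rather than returning a value a caller could mistake for a written entry.
CREATE OR REPLACE FUNCTION admin_audit_log()
RETURNS int AS $$
BEGIN
    RAISE EXCEPTION 'admin_audit_log is not implemented';
END;
$$ LANGUAGE plpgsql;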