<?xml version="1.0"?>
<!--
Copyright (c) 2001, 2017, Oracle and/or its affiliates. All rights reserved.
NAME
kutsdsec.xsl
DESCRIPTION
XSLT stylesheet for XML => DDL conversion of ku$_xspolicy_t ADTs
(i.e., Triton Security Data Policies). Because there can be a large number
of realm and column constraints, the policy is created first and then the
constraints are added/appended within separate anonymous PL/SQL
blocks.
EXAMPLE:
BEGIN
xs_data_security.create_policy(
name => '"SYS"."DSEC1"',
description => 'Data security 1 description',
realm_constraint_list => NULL);
END;
DECLARE
realmList sys.xs$realm_constraint_list;
BEGIN
realmList := sys.xs$realm_constraint_list(
sys.xs$realm_constraint_type(
parent_schema => 'TZXSDS',
parent_object =>'CUSTOMERS',
key_list => XS$KEY_LIST(
XS$KEY_TYPE('PKCUSTNO1', 'FKCUSTNO1', 1))),
sys.xs$realm_constraint_type(
realm => 'CUSTOMERNO IS NOT NULL',
acl_list => XS$NAME_LIST('"SYS"."ACL1A"', '"SYS"."ACL2A"')));
xs_data_security.append_realm_constraints(
policy => '"SYS"."DSEC1"', realm_constraint_list => realmList);
END;
NOTES
Do NOT modify this file under any circumstance. Copy the file
if you wish to use this stylesheet with an external XML/XSL parser
MODIFIED MM/DD/YY
mjangir 03/27/17 - 23181020: handle multi olap policy and avoid 1427
mjangir 04/23/16 - bug 22763372: resolve ORA-01427
rapayne 03/18/14 - bug 18405747: can no longer use singleQuote/force
template. Simply do quoting manually.
bwright 08/21/13 - Bug 17312600: Remove hard tabs from DP src code
rapayne 07/20/12 - Bug13823879: add constraints in separate exec blocks
rapayne 01/30/12 - bug 13646476: add policy_schema to xs_olap
rapayne 12/17/11 - Triton PRIVS are no longer schema based.
rapayne 10/24/11 - fix remap
rapayne 08/31/11 - Triton rename to Real Application Security (RAS).
Object names will be changed from TS_* to XS_*.
rapayne 07/17/11 - add support for schema base XSD objects.
rapayne 08/17/10 - Creation
-->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<!-- Import required scripts -->
<xsl:import href="kucommon.xsl"/>
<!-- Top-level parameters.
     SQLTERMINATOR: when 1, the templates in this file emit "/" after each
     generated PL/SQL block.
     PRETTY: not referenced in this file; presumably read by the imported
     kucommon.xsl (confirm there). -->
<xsl:param name="PRETTY">1</xsl:param>
<xsl:param name="SQLTERMINATOR">1</xsl:param>
<!-- params for parse: none of the PRS_* parameters is referenced directly
     in this file; presumably they are consumed by the DoParse template,
     which is not defined here (confirm in kucommon.xsl). -->
<xsl:param name="PRS_DDL">0</xsl:param>
<xsl:param name="PRS_DELIM">\{]`</xsl:param>
<xsl:param name="PRS_VERB">0</xsl:param>
<xsl:param name="PRS_OBJECT_TYPE">0</xsl:param>
<xsl:param name="PRS_SCHEMA">0</xsl:param>
<xsl:param name="PRS_NAME">0</xsl:param>
<xsl:param name="PRS_GRANTEE">0</xsl:param>
<xsl:param name="PRS_GRANTOR">0</xsl:param>
<xsl:param name="PRS_BASE_OBJECT_SCHEMA">0</xsl:param>
<xsl:param name="PRS_BASE_OBJECT_NAME">0</xsl:param>
<xsl:param name="PRS_BASE_OBJECT_TYPE">0</xsl:param>
<xsl:template match="XS_DATA_SECURITY_T">
  <!-- *******************************************************************
  Template: XS_DATA_SECURITY_T
  Description: entry point for one data security policy document. The
               policy itself is created first (CreatePolicy); realm and
               column constraints, when present, are appended afterwards
               by AddRealmConstraints and AddColConstraints, each in its
               own anonymous PL/SQL block (Bug 13823879).
               All three templates receive the XS_OBJ child as PolicyNode
               and run with this element as their context node.
  ******************************************************************** -->
  <xsl:variable name="policyObj" select="XS_OBJ"/>
  <!-- Step 1: the policy, with an empty realm constraint list -->
  <xsl:call-template name="CreatePolicy">
    <xsl:with-param name="PolicyNode" select="$policyObj"/>
  </xsl:call-template>
  <!-- Step 2: realm constraints, only when at least one item exists -->
  <xsl:if test="INSTSET_LIST/INSTSET_LIST_ITEM">
    <xsl:call-template name="AddRealmConstraints">
      <xsl:with-param name="PolicyNode" select="$policyObj"/>
    </xsl:call-template>
  </xsl:if>
  <!-- Step 3: column constraints, only when at least one item exists -->
  <xsl:if test="ATTR_SEC_LIST/ATTR_SEC_LIST_ITEM">
    <xsl:call-template name="AddColConstraints">
      <xsl:with-param name="PolicyNode" select="$policyObj"/>
    </xsl:call-template>
  </xsl:if>
</xsl:template>
<xsl:template name="CreatePolicy">
<xsl:param name="PolicyNode" select="''"/>
<!-- *******************************************************************
Template: CreatePolicy
Description: Emits one anonymous PL/SQL block that creates the data
 security policy with realm_constraint_list => NULL and then, inside
 the same block, one dbms_xds.enable_olap_policy call per
 OLAP_POLICY_LIST_ITEM and one dbms_xds.enable_xds call per
 RLS_LIST_ITEM. Realm and column constraints are added afterwards,
 piecemeal, in separate PL/SQL blocks.
Parameters:
 PolicyNode - <XS_OBJ>
Context: DESCRIPTION, OLAP_POLICY_LIST and RLS_LIST are read relative to
 the caller's context node, not relative to $PolicyNode.
Quoting: every name and the description reach the generated PL/SQL
 through SingleQuotedName or TSQuoteObject, which are not defined in
 this file.
 NOTE(review): confirm in kucommon.xsl that both templates double any
 embedded apostrophe. The output is PL/SQL text, so each literal must
 stay closed even if the source XML was not written by a trusted
 exporter.
******************************************************************** -->
<xsl:variable name="PolicyOwner" select="$PolicyNode/OWNER_NAME"/>
<xsl:variable name="PolicyName" select="$PolicyNode/NAME"/>
<!-- DoParse is not defined in this file; it is called here before the
     CREATE block is emitted. -->
<xsl:call-template name="DoParse">
<xsl:with-param name="Verb">CREATE</xsl:with-param>
<xsl:with-param name="ObjectType">XS_DATA_SECURITY</xsl:with-param>
<xsl:with-param name="NameNode" select="$PolicyName"/>
</xsl:call-template>
<xsl:text>
</xsl:text>
<xsl:text>BEGIN</xsl:text>
<xsl:text>
 </xsl:text>
<xsl:text>xs_data_security.create_policy(</xsl:text>
<xsl:text>
 </xsl:text>
<xsl:text>name => </xsl:text>
<xsl:call-template name="TSQuoteObject">
<xsl:with-param name="Schema" select="$PolicyOwner"/>
<xsl:with-param name="Object" select="$PolicyName"/>
</xsl:call-template>
<!-- description is optional and emitted only when the element exists -->
<xsl:if test="DESCRIPTION">
<xsl:text>,
 description => </xsl:text>
<xsl:call-template name="SingleQuotedName">
<xsl:with-param name="NameNode" select="DESCRIPTION"/>
</xsl:call-template>
</xsl:if>
<xsl:text>,
 </xsl:text>
<!-- Bug 13823879: If there are REALM_CONSTRAINTS they will be appended after the
DATA_POLICY is created
-->
<xsl:text>realm_constraint_list => NULL);
</xsl:text>
<!-- Generate one enable_olap_policy call per OLAP policy item.
     policy_nm is built from OWNER_NAME and NAME of the list item itself,
     whereas the RLS loop below takes them from ../../XS_OBJ.
     NOTE(review): confirm that OLAP_POLICY_LIST_ITEM carries its own
     OWNER_NAME and NAME children. -->
<xsl:for-each select="OLAP_POLICY_LIST/OLAP_POLICY_LIST_ITEM">
<xsl:text>
 </xsl:text>
<xsl:text>dbms_xds.enable_olap_policy(</xsl:text>
<xsl:text>
 </xsl:text>
<xsl:text>schema_nm => </xsl:text>
<xsl:call-template name="SingleQuotedName">
<xsl:with-param name="NameNode" select="OLAP_SCHEMA"/>
</xsl:call-template>
<xsl:text>,
 logical_nm => </xsl:text>
<xsl:call-template name="SingleQuotedName">
<xsl:with-param name="NameNode" select="LOGICAL_NAME"/>
</xsl:call-template>
<xsl:text>,
 policy_nm => </xsl:text>
<xsl:call-template name="TSQuoteObject">
<xsl:with-param name="Schema" select="OWNER_NAME"/>
<xsl:with-param name="Object" select="NAME"/>
</xsl:call-template>
<!-- ENABLE='1' adds the argument overwrite => TRUE; any other value
     leaves the argument out. -->
<xsl:if test="ENABLE='1'">
<xsl:text>,
 overwrite => TRUE</xsl:text>
</xsl:if>
<xsl:text>);
</xsl:text>
</xsl:for-each>
<!-- Generate one enable_xds call per protected base object; the policy
     name is taken from the XS_OBJ of the enclosing policy. -->
<xsl:for-each select="RLS_LIST/RLS_LIST_ITEM">
<xsl:text>
 </xsl:text>
<xsl:text>dbms_xds.enable_xds(</xsl:text>
<xsl:text>
 </xsl:text>
<xsl:text>object_schema => </xsl:text>
<xsl:call-template name="SingleQuotedName">
<xsl:with-param name="NameNode" select="BASE_OBJ/OWNER_NAME"/>
</xsl:call-template>
<xsl:text>,
 </xsl:text>
<xsl:text>object_name => </xsl:text>
<xsl:call-template name="SingleQuotedName">
<xsl:with-param name="NameNode" select="BASE_OBJ/NAME"/>
</xsl:call-template>
<xsl:text>,
 </xsl:text>
<xsl:text>policy_name => </xsl:text>
<xsl:call-template name="TSQuoteObject">
<xsl:with-param name="Schema" select="../../XS_OBJ/OWNER_NAME"/>
<xsl:with-param name="Object" select="../../XS_OBJ/NAME"/>
</xsl:call-template>
<xsl:text>);
</xsl:text>
</xsl:for-each>
<xsl:text>END;</xsl:text>
<!-- terminate the plsql block if appropriate -->
<xsl:if test="$SQLTERMINATOR=1">
<xsl:text>
</xsl:text>
<xsl:text>/</xsl:text>
</xsl:if>
</xsl:template>
<xsl:template name="AddRealmConstraints">
<xsl:param name="PolicyNode" select="''"/>
<!-- *******************************************************************
Template: AddRealmConstraints
Description: This template appends all of the realm constraints
 associated with this data policy. The INSTSET_LIST_ITEM nodes are
 processed in groups of at most 500 and each group gets its own
 anonymous PL/SQL block that builds realmList and passes it to
 xs_data_security.append_realm_constraints.
Parameters:
 PolicyNode - <XS_OBJ>
Context: INSTSET_LIST is read relative to the caller's context node.
******************************************************************** -->
<!-- Outer loop: items 1, 501, 1001, ... each start a new PL/SQL block -->
<xsl:for-each select="INSTSET_LIST/INSTSET_LIST_ITEM [position() mod 500 = 1]">
<xsl:call-template name="DoParse">
<xsl:with-param name="Verb">APPEND</xsl:with-param>
<xsl:with-param name="ObjectType">XS_DATA_SECURITY</xsl:with-param>
<xsl:with-param name="NameNode" select="$PolicyNode/NAME"/>
</xsl:call-template>
<xsl:text>
</xsl:text>
<xsl:text>DECLARE</xsl:text>
<xsl:text>
 realmList sys.xs$realm_constraint_list;</xsl:text>
<xsl:text>
 </xsl:text>
<xsl:text>BEGIN</xsl:text>
<xsl:text>
 </xsl:text>
<xsl:text>realmList := sys.xs$realm_constraint_list(</xsl:text>
<!-- Inner loop: the group's first item plus its next 499 following
     siblings. The axis test is "*", so any element sibling is counted,
     not only INSTSET_LIST_ITEM. -->
<xsl:for-each select=". |following-sibling::*[not(position() >= 500)]">
<xsl:text>
 </xsl:text>
<!-- TYPE 1 is rendered by buildRuleSet, TYPE 2 by buildKeySet.
     NOTE(review): any other TYPE value emits no constraint but still
     emits the separator below; confirm that no other value can occur. -->
<xsl:choose>
<xsl:when test="TYPE='1'">
<xsl:call-template name="buildRuleSet">
<xsl:with-param name="InstRule" select="INSTRULE"/>
</xsl:call-template>
</xsl:when>
<xsl:when test="TYPE='2'">
<xsl:call-template name="buildKeySet">
<xsl:with-param name="inhList" select="INST_INH"/>
</xsl:call-template>
</xsl:when>
</xsl:choose>
<!-- The last item of the group closes the constructor call; every
     other item is followed by a comma. -->
<xsl:choose>
<xsl:when test="position()=last()">);</xsl:when>
<xsl:otherwise>,</xsl:otherwise>
</xsl:choose>
</xsl:for-each>
<xsl:text>
 </xsl:text>
<!-- Add/Append the REALM_LIST that was just constructed -->
<xsl:text>
 xs_data_security.append_realm_constraints(policy => </xsl:text>
<xsl:call-template name="TSQuoteObject">
<xsl:with-param name="Schema" select="$PolicyNode/OWNER_NAME"/>
<xsl:with-param name="Object" select="$PolicyNode/NAME"/>
</xsl:call-template>
<xsl:text>, realm_constraint_list => realmList);</xsl:text>
<xsl:text>
END;
</xsl:text>
<!-- terminate the plsql block if appropriate -->
<xsl:if test="$SQLTERMINATOR=1">
<xsl:text>/</xsl:text>
</xsl:if>
</xsl:for-each>
</xsl:template>
<xsl:template name="AddColConstraints">
<xsl:param name="PolicyNode" select="''"/>
<!-- *******************************************************************
Template: AddColConstraints
Description: This template will append all of the column constraints associated
 with this data policy. These column constraints are organized in typical
 LIST_ITEM fashion (i.e., ATTR_SEC_LIST/ATTR_SEC_LIST_ITEMS...).
 The items must first be grouped by like PRIV_NUMs to allow privs to be
 added to a single constraint. Consequently, this makes it more difficult
 to generate plsql blocks limited by the number of constraints, so we do
 not do that for column constraints: all of them go into one block.
Parameters:
 PolicyNode - <XS_OBJ>
Context: ATTR_SEC_LIST is read relative to the caller's context node.
******************************************************************** -->
<!-- Grab a quick pointer to the policy owner/name as well as the
ATTR_SEC_LIST
-->
<xsl:variable name="PolicyOwner" select="$PolicyNode/OWNER_NAME"/>
<xsl:variable name="PolicyName" select="$PolicyNode/NAME"/>
<xsl:variable name="attrSecList" select="ATTR_SEC_LIST/ATTR_SEC_LIST_ITEM"/>
<!-- we are going to add the column_constraints separately so we need
to call DoParse before creating the anonymous pl/sql block.
-->
<xsl:call-template name="DoParse">
<xsl:with-param name="Verb">APPEND</xsl:with-param>
<xsl:with-param name="ObjectType">XS_DATA_SECURITY</xsl:with-param>
<xsl:with-param name="NameNode" select="$PolicyNode/NAME"/>
</xsl:call-template>
<xsl:text>
</xsl:text>
<xsl:text>DECLARE</xsl:text>
<xsl:text>
 attrList sys.xs$column_constraint_list;</xsl:text>
<xsl:text>
</xsl:text>
<xsl:text>BEGIN</xsl:text>
<xsl:text>
 </xsl:text>
<!-- NOTE(review): the declaration above names the type as
     sys.xs$column_constraint_list, while the constructor call below is
     not schema-qualified and therefore depends on name resolution in
     the schema that runs the block. Confirm whether the unqualified
     form is intended. -->
<xsl:text>attrList := xs$column_constraint_list(</xsl:text>
<!-- privList keeps one PRIV_NUM per distinct value: a PRIV_NUM is
     dropped when an equal PRIV_NUM follows it. "following::" covers the
     rest of the whole document, not only ATTR_SEC_LIST.
     NOTE(review): confirm no PRIV_NUM element occurs later in the
     document outside this list, or a group would be skipped. -->
<xsl:variable name="privList" select="$attrSecList/PRIV_NUM[not(.=following::PRIV_NUM)]"/>
<!-- NOTE(review): PrivNum is not referenced anywhere in this template. -->
<xsl:variable name="PrivNum" select="PRIV_NUM"/>
<!-- Walk the distinct priv_num values associated with this security
policy; each one yields a single column constraint that groups the
columns sharing that privilege.
-->
<xsl:for-each select="$privList">
<xsl:call-template name="getAttrSecGroup">
<xsl:with-param name="attrSecList" select="$attrSecList"/>
<xsl:with-param name="privNum" select="."/>
</xsl:call-template>
<xsl:if test="position() != last()">
<xsl:text>,</xsl:text>
</xsl:if>
</xsl:for-each>
<xsl:text>);</xsl:text>
<xsl:text>
 </xsl:text>
<xsl:text>
 </xsl:text>
<xsl:text>xs_data_security.add_column_constraints(</xsl:text>
<xsl:text>
 policy => </xsl:text>
<xsl:call-template name="TSQuoteObject">
<xsl:with-param name="Schema" select="$PolicyOwner"/>
<xsl:with-param name="Object" select="$PolicyName"/>
</xsl:call-template>
<xsl:text>,
 column_constraint_list => attrList);</xsl:text>
<xsl:text>
 </xsl:text>
<xsl:text>
END;
</xsl:text>
<!-- terminate the plsql block if appropriate -->
<xsl:if test="$SQLTERMINATOR=1">
<xsl:text>/</xsl:text>
</xsl:if>
</xsl:template>
<xsl:template name="getAttrSecGroup">
  <xsl:param name="attrSecList" select="''"/>
  <xsl:param name="privNum" select="''"/>
  <!-- *******************************************************************
  Template: getAttrSecGroup
  Description: selects the ATTR_SEC_LIST_ITEM nodes whose PRIV_NUM equals
               $privNum and hands that group to addAttrSecType, which
               renders it as one column constraint.
  Parameters:
   attrSecList - all ATTR_SEC_LIST_ITEM nodes of the policy
   privNum     - the PRIV_NUM value that defines the group
  ******************************************************************** -->
  <xsl:call-template name="addAttrSecType">
    <xsl:with-param name="attrSecGrp" select="$attrSecList[PRIV_NUM=$privNum]"/>
    <xsl:with-param name="privNum" select="$privNum"/>
  </xsl:call-template>
</xsl:template>
<xsl:template name="addAttrSecType">
<xsl:param name="attrSecGrp" select="''"/>
<xsl:param name="privNum" select="''"/>
<!-- *******************************************************************
Template: addAttrSecType
Description: renders one group of ATTR_SEC_LIST_ITEM nodes as a single
 xs$column_constraint_type constructor call.
Parameters:
 attrSecGrp : ATTR_SEC_LIST_ITEM nodes that share one PRIV_NUM
 privNum    : accepted but not referenced in this template
Generates (shape only; the privilege is quoted by TSQuoteObject, which
is not defined in this file):
 xs$column_constraint_type(XS$LIST( 'CUSTOMERNO', 'ORDERNO'),<privilege>)
Note: the closing of XS$LIST and the privilege argument are emitted by
 the last node of the group, so an empty group would leave the call
 unclosed. AddColConstraints derives each group from an existing
 PRIV_NUM, so the group has at least one node on that path.
******************************************************************** -->
<xsl:text>
 </xsl:text>
<xsl:text>xs$column_constraint_type(XS$LIST( </xsl:text>
<xsl:for-each select="$attrSecGrp">
<!-- column name of this item, as a quoted literal -->
<xsl:call-template name="SingleQuotedName">
<xsl:with-param name="NameNode" select="./NAME"/>
</xsl:call-template>
<xsl:choose>
<xsl:when test="position() = last()">
<xsl:text>),</xsl:text>
<!-- Triton PRIVILEGES do not have owners (i.e., unlike ACLs, SECURITY_CLASSes, etc).
Simply don't pass the OWNER and TSQuoteObject should do the right thing.
The privilege name is read from the last item of the group.
-->
<xsl:call-template name="TSQuoteObject">
<xsl:with-param name="Object" select="./PRIV_NAME"/>
</xsl:call-template>
<xsl:text>)</xsl:text>
</xsl:when>
<xsl:otherwise>
<xsl:text>, </xsl:text>
</xsl:otherwise>
</xsl:choose>
</xsl:for-each>
</xsl:template>
<xsl:template name="buildRuleSet">
<xsl:param name="InstRule" select="''"/>
<!-- *******************************************************************
Template: buildRuleSet
Description: renders one rule-based realm constraint as a
 sys.xs$realm_constraint_type constructor call with the arguments
 realm, is_parameterized (optional), is_static (optional) and acl_list.
Parameters:
 InstRule -<INSTRULE>
Context: the rule text is read as INSTRULE/RULE relative to the caller's
 context node, while the flags and the ACL list are read through
 $InstRule. AddRealmConstraints passes the INSTRULE child of that same
 context node, so both paths address the same element there.
******************************************************************** -->
<xsl:text>sys.xs$realm_constraint_type(</xsl:text>
<xsl:text>
 </xsl:text>
<!-- generate RULE arg
note: rule expression may contain already '' quoted strings which
simply need leading/trailing apos.
The rule text is therefore copied verbatim between two apostrophes and
is not passed through SingleQuotedName.
NOTE(review): this relies on every apostrophe in RULE already being
doubled in the source XML. If the XML can come from anywhere other than
a trusted exporter, validate or escape RULE before it is emitted, since
a single undoubled apostrophe would end the literal early.
-->
<xsl:text>realm => '</xsl:text>
<xsl:value-of select="INSTRULE/RULE"/>
<xsl:text>'</xsl:text>
<!-- is the Rule parameterized (default is NO) -->
<xsl:if test="$InstRule/FLAGS='1'">
<xsl:text>, 
 is_parameterized => TRUE</xsl:text>
</xsl:if>
<!-- is the Instance set Static (default is dynamic) -->
<xsl:if test="$InstRule/STATIC_FLG='1'">
<xsl:text>, 
 is_static => TRUE</xsl:text>
</xsl:if>
<!-- need to specify an acl_list even if NULL -->
<xsl:text>, 
 acl_list => </xsl:text>
<!-- XSNameList is not defined in this file; it receives the
     INSTACL_LIST_ITEM nodes when at least one exists. -->
<xsl:choose>
<xsl:when test="$InstRule/INSTACL_LIST/INSTACL_LIST_ITEM">
<xsl:call-template name="XSNameList">
<xsl:with-param name="nameList" select="$InstRule/INSTACL_LIST/INSTACL_LIST_ITEM"/>
</xsl:call-template>
</xsl:when>
<xsl:otherwise>
<xsl:text>NULL</xsl:text>
</xsl:otherwise>
</xsl:choose>
<!-- close realm_constraint_type -->
<xsl:text>)</xsl:text>
</xsl:template>
<xsl:template name="buildKeySet">
<xsl:param name="inhList" select="''"/>
<!-- *******************************************************************
Template: buildKeySet
Description: renders key-based (inherited) realm constraints: one
 sys.xs$realm_constraint_type constructor call per INST_INH_ITEM, with
 parent_schema, parent_object, key_list and an optional when_condition.
Parameters:
 inhList - <INST_INH>; accepted but not referenced in this template.
           The loop reads INST_INH/INST_INH_ITEM from the caller's
           context node instead.
NOTE(review): no separator is emitted between two INST_INH_ITEM results,
 so more than one item would produce adjacent constructor calls.
 Confirm that INST_INH holds a single item.
NOTE(review): XS$KEY_LIST( is closed by the last INHKEY_LIST_ITEM, so an
 empty INHKEY_LIST would leave the call unclosed. Confirm that the list
 is never empty.
******************************************************************** -->
<xsl:for-each select="INST_INH/INST_INH_ITEM">
<xsl:text>sys.xs$realm_constraint_type(</xsl:text>
<xsl:text>
 parent_schema => </xsl:text>
<xsl:call-template name="SingleQuotedName">
<xsl:with-param name="NameNode" select="PARENT_OWNER"/>
</xsl:call-template>
<xsl:text>,
 parent_object =></xsl:text>
<xsl:call-template name="SingleQuotedName">
<xsl:with-param name="NameNode" select="PARENT_NAME"/>
</xsl:call-template>
<xsl:text>,
 key_list => </xsl:text>
<xsl:text>XS$KEY_LIST(</xsl:text>
<!-- one XS$KEY_TYPE(primary key, foreign key, foreign key type) per item -->
<xsl:for-each select="INHKEY_LIST/INHKEY_LIST_ITEM">
<xsl:text>
 </xsl:text>
<xsl:text>XS$KEY_TYPE(</xsl:text>
<xsl:call-template name="SingleQuotedName">
<xsl:with-param name="NameNode" select="PKEY"/>
</xsl:call-template>
<xsl:text>, </xsl:text>
<xsl:call-template name="SingleQuotedName">
<xsl:with-param name="NameNode" select="FKEY"/>
</xsl:call-template>
<xsl:text>, </xsl:text>
<!-- FKEY_TYPE is copied into the PL/SQL text as is, without quotes.
     NOTE(review): nothing here checks that the value is numeric;
     confirm that the producer of the XML guarantees it, or validate
     the value before it is emitted. -->
<xsl:value-of select="FKEY_TYPE"/>
<xsl:text>)</xsl:text>
<!-- the last key closes XS$KEY_LIST; other keys are followed by a comma -->
<xsl:choose>
<xsl:when test="position()=last()">
<xsl:text>)</xsl:text>
</xsl:when>
<xsl:otherwise>
<xsl:text>,</xsl:text>
</xsl:otherwise>
</xsl:choose>
</xsl:for-each>
<!-- End of for-each INHKEY_LIST_ITEM -->
<!-- when_condition is optional; it is quoted by SingleQuotedName -->
<xsl:if test="WHEN_CL">
<xsl:text>,
 when_condition => </xsl:text>
<xsl:call-template name="SingleQuotedName">
<xsl:with-param name="NameNode" select="WHEN_CL"/>
</xsl:call-template>
</xsl:if>
<!-- close realm_constraint_type -->
<xsl:text>
 )</xsl:text>
</xsl:for-each>
<!-- End of for-each INST_INH_ITEM -->
<!-- end of type=key -->
</xsl:template>
</xsl:stylesheet>