CactuseSecurity · tpurschke · Nov 3, 2025 · Nov 3, 2025 · Nov 5, 2025 · Nov 12, 2025
diff --git a/roles/database/files/sql/creation/fworch-create-constraints.sql b/roles/database/files/sql/creation/fworch-create-constraints.sql
@@ -14,6 +14,7 @@ Alter Table "changelog_service" add Constraint "alt_key_changelog_service" UNIQU
 Alter Table "changelog_user" add Constraint "alt_key_changelog_user" UNIQUE ("abs_change_id");
 Alter Table "import_changelog" add Constraint "Alter_Key14" UNIQUE ("import_changelog_nr","control_id");
 Alter Table "import_control" add Constraint "control_id_stop_time_unique" UNIQUE ("stop_time","control_id");
+ALTER TABLE ldap_connection ADD CONSTRAINT ldap_connection_server_unique UNIQUE (ldap_server, ldap_port, active);
 Alter Table "object" add Constraint "obj_altkey" UNIQUE ("mgm_id","zone_id","obj_uid","obj_create");
 ALTER TABLE object ADD CONSTRAINT object_obj_ip_is_host CHECK (is_single_ip(obj_ip));
 ALTER TABLE object ADD CONSTRAINT object_obj_ip_end_is_host CHECK (is_single_ip(obj_ip_end));

diff --git a/roles/database/files/sql/idempotent/fworch-api-funcs.sql b/roles/database/files/sql/idempotent/fworch-api-funcs.sql
@@ -608,27 +608,44 @@ $$ LANGUAGE 'plpgsql' STABLE;
 
 
 CREATE OR REPLACE FUNCTION public.get_rulebase_for_owner(rulebase_row rulebase, ownerid integer)
- RETURNS SETOF rule
- LANGUAGE plpgsql
- STABLE
-AS $function$
-    BEGIN
-        RETURN QUERY
-        SELECT r.* FROM rule r
-            LEFT JOIN rule_from rf ON (r.rule_id=rf.rule_id)
-            LEFT JOIN objgrp_flat rf_of ON (rf.obj_id=rf_of.objgrp_flat_id)
-            LEFT JOIN object rf_o ON (rf_of.objgrp_flat_member_id=rf_o.obj_id)
-            LEFT JOIN owner_network ON
-            (ip_ranges_overlap(rf_o.obj_ip, rf_o.obj_ip_end, ip, ip_end, rf.negated != r.rule_src_neg))
-        WHERE r.rulebase_id = rulebase_row.id AND owner_id = ownerid AND rule_head_text IS NULL
-        UNION
-        SELECT r.* FROM rule r
-            LEFT JOIN rule_to rt ON (r.rule_id=rt.rule_id)
-            LEFT JOIN objgrp_flat rt_of ON (rt.obj_id=rt_of.objgrp_flat_id)
-            LEFT JOIN object rt_o ON (rt_of.objgrp_flat_member_id=rt_o.obj_id)
-            LEFT JOIN owner_network ON
-            (ip_ranges_overlap(rt_o.obj_ip, rt_o.obj_ip_end, ip, ip_end, rt.negated != r.rule_dst_neg))
-        WHERE r.rulebase_id = rulebase_row.id AND owner_id = ownerid AND rule_head_text IS NULL
-        ORDER BY rule_name;
-    END;
-$function$
+RETURNS SETOF rule
+LANGUAGE sql
+STABLE
+AS $$
+  SELECT r.*
+  FROM rule r
+  WHERE r.rulebase_id = rulebase_row.id
+    AND r.rule_head_text IS NULL
+    AND (
+      r.rule_id IN (
+        SELECT rf.rule_id
+        FROM rule_from rf
+        JOIN objgrp_flat of1 ON of1.objgrp_flat_id = rf.obj_id
+        JOIN object      o1  ON o1.obj_id = of1.objgrp_flat_member_id
+        JOIN owner_network onet1 ON onet1.owner_id = ownerid
+        WHERE rf.rule_id = r.rule_id
+          AND ip_ranges_overlap(
+                o1.obj_ip, o1.obj_ip_end,
+                onet1.ip, onet1.ip_end,
+                rf.negated <> r.rule_src_neg
+              )
+      )
+      OR
+      r.rule_id IN (
+        SELECT rt.rule_id
+        FROM rule_to rt
+        JOIN objgrp_flat of2 ON of2.objgrp_flat_id = rt.obj_id
+        JOIN object      o2  ON o2.obj_id = of2.objgrp_flat_member_id
+        JOIN owner_network onet2 ON onet2.owner_id = ownerid
+        WHERE rt.rule_id = r.rule_id
+          AND ip_ranges_overlap(
+                o2.obj_ip, o2.obj_ip_end,
+                onet2.ip, onet2.ip_end,
+                rt.negated <> r.rule_dst_neg
+              )
+      )
+    )
+  ORDER BY r.rule_name ASC;
+$$;
+
+
diff --git a/roles/database/files/sql/idempotent/fworch-encryption.sql b/roles/database/files/sql/idempotent/fworch-encryption.sql
@@ -130,34 +130,59 @@ $$ LANGUAGE plpgsql;
 SELECT * FROM encryptPasswords (getMainKey());
 
 -- function for adding local ldap data with encrypted pwds into ldap_connection
+
+-- assumes ldap_connection(active boolean NOT NULL [DEFAULT true])
+
 CREATE OR REPLACE FUNCTION insertLocalLdapWithEncryptedPasswords(
-    serverName TEXT, 
-    port INTEGER,
-    userSearchPath TEXT,
-    roleSearchPath TEXT, 
-    groupSearchPath TEXT,
-    groupWritePath TEXT,
-    tenantLevel INTEGER,
-    searchUser TEXT,
-    searchUserPwd TEXT,
-    writeUser TEXT,
-    writeUserPwd TEXT,
-    ldapType INTEGER
-) RETURNS VOID AS $$
-DECLARE
-    t_key TEXT;
-    t_encryptedReadPwd TEXT;
-    t_encryptedWritePwd TEXT;
-BEGIN
-    IF NOT EXISTS (SELECT * FROM ldap_connection WHERE ldap_server = serverName)
-    THEN
-        SELECT INTO t_key * FROM getMainKey();
-        SELECT INTO t_encryptedReadPwd * FROM encryptText(searchUserPwd, t_key);
-        SELECT INTO t_encryptedWritePwd * FROM encryptText(writeUserPwd, t_key);
-        INSERT INTO ldap_connection
-            (ldap_server, ldap_port, ldap_searchpath_for_users, ldap_searchpath_for_roles, ldap_searchpath_for_groups, ldap_writepath_for_groups,
-            ldap_tenant_level, ldap_search_user, ldap_search_user_pwd, ldap_write_user, ldap_write_user_pwd, ldap_type)
-            VALUES (serverName, port, userSearchPath, roleSearchPath, groupSearchPath, groupWritePath, tenantLevel, searchUser, t_encryptedReadPwd, writeUser, t_encryptedWritePwd, ldapType);
-    END IF;
-END;
-$$ LANGUAGE plpgsql;
+    serverName       text, 
+    port             integer,
+    userSearchPath   text,
+    roleSearchPath   text, 
+    groupSearchPath  text,
+    groupWritePath   text,
+    tenantLevel      integer,
+    searchUser       text,
+    searchUserPwd    text,
+    writeUser        text,
+    writeUserPwd     text,
+    ldapType         integer,
+    activeFlag       boolean DEFAULT true   -- ← include active explicitly
+) RETURNS void
+LANGUAGE sql
+VOLATILE
+SECURITY DEFINER
+SET search_path = public
+AS $$
+WITH k AS (SELECT getMainKey() AS mk)
+INSERT INTO ldap_connection (
+  ldap_server,
+  ldap_port,
+  ldap_searchpath_for_users,
+  ldap_searchpath_for_roles,
+  ldap_searchpath_for_groups,
+  ldap_writepath_for_groups,
+  ldap_tenant_level,
+  ldap_search_user,
+  ldap_search_user_pwd,
+  ldap_write_user,
+  ldap_write_user_pwd,
+  ldap_type,
+  active
+)
+SELECT
+  serverName,
+  port,
+  userSearchPath,
+  roleSearchPath,
+  groupSearchPath,
+  groupWritePath,
+  tenantLevel,
+  searchUser,
+  encryptText(searchUserPwd, k.mk),
+  writeUser,
+  encryptText(writeUserPwd, k.mk),
+  ldapType,
+  activeFlag
+FROM k
+ON CONFLICT (ldap_server, ldap_port, active) DO NOTHING;
+$$;
diff --git a/roles/database/files/upgrade/9.0.sql b/roles/database/files/upgrade/9.0.sql
@@ -49,37 +49,66 @@ $$ LANGUAGE plpgsql VOLATILE;
 
 Alter table "ldap_connection" ADD COLUMN IF NOT EXISTS "ldap_writepath_for_groups" Varchar;
 
+ALTER TABLE ldap_connection ADD CONSTRAINT ldap_connection_server_unique UNIQUE (ldap_server, ldap_port, active);
+
+-- assumes ldap_connection(active boolean NOT NULL [DEFAULT true])
+
+-- assumes ldap_connection(active boolean NOT NULL [DEFAULT true])
+
 CREATE OR REPLACE FUNCTION insertLocalLdapWithEncryptedPasswords(
-    serverName TEXT, 
-    port INTEGER,
-    userSearchPath TEXT,
-    roleSearchPath TEXT, 
-    groupSearchPath TEXT,
-    groupWritePath TEXT,
-    tenantLevel INTEGER,
-    searchUser TEXT,
-    searchUserPwd TEXT,
-    writeUser TEXT,
-    writeUserPwd TEXT,
-    ldapType INTEGER
-) RETURNS VOID AS $$
-DECLARE
-    t_key TEXT;
-    t_encryptedReadPwd TEXT;
-    t_encryptedWritePwd TEXT;
-BEGIN
-    IF NOT EXISTS (SELECT * FROM ldap_connection WHERE ldap_server = serverName)
-    THEN
-        SELECT INTO t_key * FROM getMainKey();
-        SELECT INTO t_encryptedReadPwd * FROM encryptText(searchUserPwd, t_key);
-        SELECT INTO t_encryptedWritePwd * FROM encryptText(writeUserPwd, t_key);
-        INSERT INTO ldap_connection
-            (ldap_server, ldap_port, ldap_searchpath_for_users, ldap_searchpath_for_roles, ldap_searchpath_for_groups, ldap_writepath_for_groups,
-            ldap_tenant_level, ldap_search_user, ldap_search_user_pwd, ldap_write_user, ldap_write_user_pwd, ldap_type)
-            VALUES (serverName, port, userSearchPath, roleSearchPath, groupSearchPath, groupWritePath, tenantLevel, searchUser, t_encryptedReadPwd, writeUser, t_encryptedWritePwd, ldapType);
-    END IF;
-END;
-$$ LANGUAGE plpgsql;
+    serverName       text, 
+    port             integer,
+    userSearchPath   text,
+    roleSearchPath   text, 
+    groupSearchPath  text,
+    groupWritePath   text,
+    tenantLevel      integer,
+    searchUser       text,
+    searchUserPwd    text,
+    writeUser        text,
+    writeUserPwd     text,
+    ldapType         integer,
+    activeFlag       boolean DEFAULT true   -- ← include active explicitly
+) RETURNS void
+LANGUAGE sql
+VOLATILE
+SECURITY DEFINER
+SET search_path = public
+AS $$
+WITH k AS (SELECT getMainKey() AS mk)
+INSERT INTO ldap_connection (
+  ldap_server,
+  ldap_port,
+  ldap_searchpath_for_users,
+  ldap_searchpath_for_roles,
+  ldap_searchpath_for_groups,
+  ldap_writepath_for_groups,
+  ldap_tenant_level,
+  ldap_search_user,
+  ldap_search_user_pwd,
+  ldap_write_user,
+  ldap_write_user_pwd,
+  ldap_type,
+  active
+)
+SELECT
+  serverName,
+  port,
+  userSearchPath,
+  roleSearchPath,
+  groupSearchPath,
+  groupWritePath,
+  tenantLevel,
+  searchUser,
+  encryptText(searchUserPwd, k.mk),
+  writeUser,
+  encryptText(writeUserPwd, k.mk),
+  ldapType,
+  activeFlag
+FROM k
+ON CONFLICT (ldap_server, ldap_port, active) DO NOTHING;
+$$;
+
 
 
 -- 8.7.2
@@ -463,8 +492,6 @@ Create table IF NOT EXISTS "rulebase"
 	"removed" BIGINT
 );
 
--- ALTER TABLE "rulebase" ADD COLUMN IF NOT EXISTS "uid" Varchar NOT NULL;
-
 ALTER TABLE "rulebase" DROP CONSTRAINT IF EXISTS "fk_rulebase_mgm_id" CASCADE;
 Alter table "rulebase" add CONSTRAINT fk_rulebase_mgm_id foreign key ("mgm_id") references "management" ("mgm_id") on update restrict on delete cascade;
 
@@ -1034,31 +1061,46 @@ Alter Table "rule" ADD Constraint "rule_unique_mgm_id_rule_uid_rule_create_xlate
 
 -- rewrite get_rulebase_for_owner to work with rulebase instead of device
 CREATE OR REPLACE FUNCTION public.get_rulebase_for_owner(rulebase_row rulebase, ownerid integer)
- RETURNS SETOF rule
- LANGUAGE plpgsql
- STABLE
-AS 
-$function$
-    BEGIN
-        RETURN QUERY
-        SELECT r.* FROM rule r
-            LEFT JOIN rule_from rf ON (r.rule_id=rf.rule_id)
-            LEFT JOIN objgrp_flat rf_of ON (rf.obj_id=rf_of.objgrp_flat_id)
-            LEFT JOIN object rf_o ON (rf_of.objgrp_flat_member_id=rf_o.obj_id)
-            LEFT JOIN owner_network ON
-            (ip_ranges_overlap(rf_o.obj_ip, rf_o.obj_ip_end, ip, ip_end, rf.negated != r.rule_src_neg))
-        WHERE r.rulebase_id = rulebase_row.id AND owner_id = ownerid AND rule_head_text IS NULL
-        UNION
-        SELECT r.* FROM rule r
-            LEFT JOIN rule_to rt ON (r.rule_id=rt.rule_id)
-            LEFT JOIN objgrp_flat rt_of ON (rt.obj_id=rt_of.objgrp_flat_id)
-            LEFT JOIN object rt_o ON (rt_of.objgrp_flat_member_id=rt_o.obj_id)
-            LEFT JOIN owner_network ON
-            (ip_ranges_overlap(rt_o.obj_ip, rt_o.obj_ip_end, ip, ip_end, rt.negated != r.rule_dst_neg))
-        WHERE r.rulebase_id = rulebase_row.id AND owner_id = ownerid AND rule_head_text IS NULL
-        ORDER BY rule_name;
-    END;
-$function$;
+RETURNS SETOF rule
+LANGUAGE sql
+STABLE
+AS $$
+  SELECT r.*
+  FROM rule r
+  WHERE r.rulebase_id = rulebase_row.id
+    AND r.rule_head_text IS NULL
+    AND (
+      r.rule_id IN (
+        SELECT rf.rule_id
+        FROM rule_from rf
+        JOIN objgrp_flat of1 ON of1.objgrp_flat_id = rf.obj_id
+        JOIN object      o1  ON o1.obj_id = of1.objgrp_flat_member_id
+        JOIN owner_network onet1 ON onet1.owner_id = ownerid
+        WHERE rf.rule_id = r.rule_id
+          AND ip_ranges_overlap(
+                o1.obj_ip, o1.obj_ip_end,
+                onet1.ip, onet1.ip_end,
+                rf.negated <> r.rule_src_neg
+              )
+      )
+      OR
+      r.rule_id IN (
+        SELECT rt.rule_id
+        FROM rule_to rt
+        JOIN objgrp_flat of2 ON of2.objgrp_flat_id = rt.obj_id
+        JOIN object      o2  ON o2.obj_id = of2.objgrp_flat_member_id
+        JOIN owner_network onet2 ON onet2.owner_id = ownerid
+        WHERE rt.rule_id = r.rule_id
+          AND ip_ranges_overlap(
+                o2.obj_ip, o2.obj_ip_end,
+                onet2.ip, onet2.ip_end,
+                rt.negated <> r.rule_dst_neg
+              )
+      )
+    )
+  ORDER BY r.rule_name ASC;
+$$;
+
 
 -- drop only after migration
 

diff --git a/roles/lib/files/FWO.Api.Client/Queries/Queries.cs b/roles/lib/files/FWO.Api.Client/Queries/Queries.cs
@@ -6,7 +6,6 @@ namespace FWO.Api.Client.Queries
 {
     public class Queries
     {
-        // protected static readonly string QueryPath = AppDomain.CurrentDomain.BaseDirectory + "../../../../../../common/files/fwo-api-calls/";
         protected static readonly string QueryPath = GlobalConst.kFwoBaseDir + "/fwo-api-calls/";
 
         protected static string GetQueryText(string relativeQueryFileName)