handcoded multiple insert permission grants
This commit is contained in:
parent
66332b6de2
commit
09f7368d1f
@ -156,8 +156,7 @@ public class HsHostingAssetEntity implements Stringifyable, RbacObject {
|
|||||||
dependsOnColumn("parentAssetUuid"),
|
dependsOnColumn("parentAssetUuid"),
|
||||||
directlyFetchedByDependsOnColumn(),
|
directlyFetchedByDependsOnColumn(),
|
||||||
NULLABLE)
|
NULLABLE)
|
||||||
// TODO.rbac: implement multiple INSERT-rules, e.g. for Asset.bookingItem + Asset.parentAsset
|
.toRole("parentServer", ADMIN).grantPermission(INSERT)
|
||||||
//.toRole("parentServer", AGENT).grantPermission(INSERT)
|
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -175,6 +174,6 @@ public class HsHostingAssetEntity implements Stringifyable, RbacObject {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public static void main(String[] args) throws IOException {
|
public static void main(String[] args) throws IOException {
|
||||||
rbac().generateWithBaseFileName("7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac");
|
rbac().generateWithBaseFileName("7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-generated");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -19,7 +19,6 @@ import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.*;
|
|||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.CaseDef.inCaseOf;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.CaseDef.inCaseOf;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.CaseDef.inOtherCases;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.CaseDef.inOtherCases;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase;
|
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
|
||||||
|
@ -0,0 +1,16 @@
|
|||||||
|
--liquibase formatted sql
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
-- RAISE-FUNCTIONS
|
||||||
|
--changeset RAISE-FUNCTIONS:1 endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
/*
|
||||||
|
Like RAISE EXCEPTION ... just as an expression instead of a statement.
|
||||||
|
*/
|
||||||
|
create or replace function raiseException(msg text)
|
||||||
|
returns varchar
|
||||||
|
language plpgsql as $$
|
||||||
|
begin
|
||||||
|
raise exception using message = msg;
|
||||||
|
end; $$;
|
||||||
|
--//
|
@ -34,6 +34,55 @@ create table if not exists hs_hosting_asset
|
|||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset hosting-asset-HIERARCHY-CHECK:1 endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
create or replace function hs_hosting_asset_type_hierarchy_check_tf()
|
||||||
|
returns trigger
|
||||||
|
language plpgsql as $$
|
||||||
|
declare
|
||||||
|
actualParentType HsHostingAssetType;
|
||||||
|
expectedParentType HsHostingAssetType;
|
||||||
|
begin
|
||||||
|
if NEW.parentAssetUuid is not null then
|
||||||
|
actualParentType := (select type
|
||||||
|
from hs_hosting_asset
|
||||||
|
where NEW.parentAssetUuid = uuid);
|
||||||
|
end if;
|
||||||
|
|
||||||
|
expectedParentType := (select case NEW.type
|
||||||
|
when 'CLOUD_SERVER' then null
|
||||||
|
when 'MANAGED_SERVER' then null
|
||||||
|
when 'MANAGED_WEBSPACE' then 'MANAGED_SERVER'
|
||||||
|
when 'UNIX_USER' then 'MANAGED_WEBSPACE'
|
||||||
|
when 'DOMAIN_SETUP' then 'UNIX_USER'
|
||||||
|
when 'EMAIL_ALIAS' then 'MANAGED_WEBSPACE'
|
||||||
|
when 'EMAIL_ADDRESS' then 'DOMAIN_SETUP'
|
||||||
|
when 'PGSQL_USER' then 'MANAGED_WEBSPACE'
|
||||||
|
when 'PGSQL_DATABASE' then 'MANAGED_WEBSPACE'
|
||||||
|
when 'MARIADB_USER' then 'MANAGED_WEBSPACE'
|
||||||
|
when 'MARIADB_DATABASE' then 'MANAGED_WEBSPACE'
|
||||||
|
else raiseException(format('[400] unknown asset type %s', NEW.type::text))
|
||||||
|
end);
|
||||||
|
|
||||||
|
if expectedParentType is not null and actualParentType is null then
|
||||||
|
raise exception '[400] % must have % as parent, but got <NULL>',
|
||||||
|
NEW.type, expectedParentType;
|
||||||
|
elsif expectedParentType is not null and actualParentType <> expectedParentType then
|
||||||
|
raise exception '[400] % must have % as parent, but got %s',
|
||||||
|
NEW.type, expectedParentType, actualParentType;
|
||||||
|
end if;
|
||||||
|
return NEW;
|
||||||
|
end; $$;
|
||||||
|
|
||||||
|
create trigger hs_hosting_asset_type_hierarchy_check_tg
|
||||||
|
before insert on hs_hosting_asset
|
||||||
|
for each row
|
||||||
|
execute procedure hs_hosting_asset_type_hierarchy_check_tf();
|
||||||
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-hosting-asset-MAIN-TABLE-JOURNAL:1 endDelimiter:--//
|
--changeset hs-hosting-asset-MAIN-TABLE-JOURNAL:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
@ -49,6 +49,12 @@ end
|
|||||||
subgraph parentServer["`**parentServer**`"]
|
subgraph parentServer["`**parentServer**`"]
|
||||||
direction TB
|
direction TB
|
||||||
style parentServer fill:#99bcdb,stroke:#274d6e,stroke-width:8px
|
style parentServer fill:#99bcdb,stroke:#274d6e,stroke-width:8px
|
||||||
|
|
||||||
|
subgraph parentServer:roles[ ]
|
||||||
|
style parentServer:roles fill:#99bcdb,stroke:white
|
||||||
|
|
||||||
|
role:parentServer:ADMIN[[parentServer:ADMIN]]
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
subgraph parentServer.bookingItem.debitor.partnerRel.holderPerson["`**parentServer.bookingItem.debitor.partnerRel.holderPerson**`"]
|
subgraph parentServer.bookingItem.debitor.partnerRel.holderPerson["`**parentServer.bookingItem.debitor.partnerRel.holderPerson**`"]
|
||||||
@ -455,6 +461,7 @@ role:asset:TENANT ==> role:bookingItem:TENANT
|
|||||||
|
|
||||||
%% granting permissions to roles
|
%% granting permissions to roles
|
||||||
role:bookingItem:AGENT ==> perm:asset:INSERT
|
role:bookingItem:AGENT ==> perm:asset:INSERT
|
||||||
|
role:parentServer:ADMIN ==> perm:asset:INSERT
|
||||||
role:asset:OWNER ==> perm:asset:DELETE
|
role:asset:OWNER ==> perm:asset:DELETE
|
||||||
role:asset:ADMIN ==> perm:asset:UPDATE
|
role:asset:ADMIN ==> perm:asset:UPDATE
|
||||||
role:asset:TENANT ==> perm:asset:SELECT
|
role:asset:TENANT ==> perm:asset:SELECT
|
||||||
|
@ -49,6 +49,12 @@ end
|
|||||||
subgraph parentServer["`**parentServer**`"]
|
subgraph parentServer["`**parentServer**`"]
|
||||||
direction TB
|
direction TB
|
||||||
style parentServer fill:#99bcdb,stroke:#274d6e,stroke-width:8px
|
style parentServer fill:#99bcdb,stroke:#274d6e,stroke-width:8px
|
||||||
|
|
||||||
|
subgraph parentServer:roles[ ]
|
||||||
|
style parentServer:roles fill:#99bcdb,stroke:white
|
||||||
|
|
||||||
|
role:parentServer:ADMIN[[parentServer:ADMIN]]
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
subgraph parentServer.bookingItem.debitor.partnerRel.holderPerson["`**parentServer.bookingItem.debitor.partnerRel.holderPerson**`"]
|
subgraph parentServer.bookingItem.debitor.partnerRel.holderPerson["`**parentServer.bookingItem.debitor.partnerRel.holderPerson**`"]
|
||||||
@ -455,6 +461,7 @@ role:asset:TENANT ==> role:bookingItem:TENANT
|
|||||||
|
|
||||||
%% granting permissions to roles
|
%% granting permissions to roles
|
||||||
role:bookingItem:AGENT ==> perm:asset:INSERT
|
role:bookingItem:AGENT ==> perm:asset:INSERT
|
||||||
|
role:parentServer:ADMIN ==> perm:asset:INSERT
|
||||||
role:asset:OWNER ==> perm:asset:DELETE
|
role:asset:OWNER ==> perm:asset:DELETE
|
||||||
role:asset:ADMIN ==> perm:asset:UPDATE
|
role:asset:ADMIN ==> perm:asset:UPDATE
|
||||||
role:asset:TENANT ==> perm:asset:SELECT
|
role:asset:TENANT ==> perm:asset:SELECT
|
||||||
|
@ -49,6 +49,12 @@ end
|
|||||||
subgraph parentServer["`**parentServer**`"]
|
subgraph parentServer["`**parentServer**`"]
|
||||||
direction TB
|
direction TB
|
||||||
style parentServer fill:#99bcdb,stroke:#274d6e,stroke-width:8px
|
style parentServer fill:#99bcdb,stroke:#274d6e,stroke-width:8px
|
||||||
|
|
||||||
|
subgraph parentServer:roles[ ]
|
||||||
|
style parentServer:roles fill:#99bcdb,stroke:white
|
||||||
|
|
||||||
|
role:parentServer:ADMIN[[parentServer:ADMIN]]
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
subgraph parentServer.bookingItem.debitor.partnerRel.holderPerson["`**parentServer.bookingItem.debitor.partnerRel.holderPerson**`"]
|
subgraph parentServer.bookingItem.debitor.partnerRel.holderPerson["`**parentServer.bookingItem.debitor.partnerRel.holderPerson**`"]
|
||||||
@ -461,6 +467,7 @@ role:asset:TENANT ==> role:bookingItem:TENANT
|
|||||||
|
|
||||||
%% granting permissions to roles
|
%% granting permissions to roles
|
||||||
role:bookingItem:AGENT ==> perm:asset:INSERT
|
role:bookingItem:AGENT ==> perm:asset:INSERT
|
||||||
|
role:parentServer:ADMIN ==> perm:asset:INSERT
|
||||||
role:asset:OWNER ==> perm:asset:DELETE
|
role:asset:OWNER ==> perm:asset:DELETE
|
||||||
role:asset:ADMIN ==> perm:asset:UPDATE
|
role:asset:ADMIN ==> perm:asset:UPDATE
|
||||||
role:asset:TENANT ==> perm:asset:SELECT
|
role:asset:TENANT ==> perm:asset:SELECT
|
||||||
|
@ -90,46 +90,90 @@ execute procedure insertTriggerForHsHostingAsset_tf();
|
|||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-hosting-asset-rbac-INSERT:1 endDelimiter:--//
|
--changeset hs-hosting-asset-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
-- ---------------------------------------------------------------------------------------
|
||||||
|
-- to hs_booking_item
|
||||||
|
-- ---------------------------------------------------------------------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates INSERT INTO hs_hosting_asset permissions for the related hs_booking_item rows.
|
Grants INSERT INTO hs_hosting_asset permissions to specified role of pre-existing hs_booking_item rows.
|
||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row hs_booking_item;
|
hsBookingItem hs_booking_item;
|
||||||
begin
|
begin
|
||||||
call defineContext('create INSERT INTO hs_hosting_asset permissions for the related hs_booking_item rows');
|
call defineContext('create INSERT INTO hs_hosting_asset permissions for pre-exising hs_booking_item rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM hs_booking_item
|
FOR hsBookingItem IN SELECT * FROM hs_booking_item
|
||||||
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_hosting_asset'),
|
createPermission(hsBookingItem.uuid, 'INSERT', 'hs_hosting_asset'),
|
||||||
hsBookingItemAGENT(row));
|
hsBookingItemAGENT(hsBookingItem));
|
||||||
END LOOP;
|
END LOOP;
|
||||||
END;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Adds hs_hosting_asset INSERT permission to specified role of new hs_booking_item rows.
|
Grants hs_hosting_asset INSERT permission to specified role of new hs_booking_item rows.
|
||||||
*/
|
*/
|
||||||
create or replace function hs_hosting_asset_hs_booking_item_insert_tf()
|
create or replace function new_hs_hosting_asset_grants_insert_to_hs_booking_item_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
begin
|
begin
|
||||||
|
-- unconditional for all rows in that table:
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(NEW.uuid, 'INSERT', 'hs_hosting_asset'),
|
createPermission(NEW.uuid, 'INSERT', 'hs_hosting_asset'),
|
||||||
hsBookingItemAGENT(NEW));
|
hsBookingItemAGENT(NEW));
|
||||||
|
-- end.
|
||||||
return NEW;
|
return NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_hs_hosting_asset_hs_booking_item_insert_tg
|
create trigger z_new_hs_hosting_asset_grants_insert_to_hs_booking_item_tg
|
||||||
after insert on hs_booking_item
|
after insert on hs_booking_item
|
||||||
for each row
|
for each row
|
||||||
execute procedure hs_hosting_asset_hs_booking_item_insert_tf();
|
execute procedure new_hs_hosting_asset_grants_insert_to_hs_booking_item_tf();
|
||||||
|
|
||||||
|
-- ---------------------------------------------------------------------------------------
|
||||||
|
-- to hs_hosting_asset
|
||||||
|
-- ---------------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
/*
|
||||||
|
Grants INSERT INTO hs_hosting_asset permissions to specified role of new hs_hosting_asset rows.
|
||||||
|
*/
|
||||||
|
-- such rows cannot yet exist => code block skipped
|
||||||
|
|
||||||
|
/**
|
||||||
|
Grants hs_hosting_asset INSERT permission to specified role of new hs_hosting_asset rows.
|
||||||
|
*/
|
||||||
|
create or replace function new_hs_hosting_asset_grants_insert_to_hs_hosting_asset_tf()
|
||||||
|
returns trigger
|
||||||
|
language plpgsql
|
||||||
|
strict as $$
|
||||||
|
begin
|
||||||
|
if NEW.type in ('MANAGED_SERVER') then
|
||||||
|
call grantPermissionToRole(
|
||||||
|
createPermission(NEW.uuid, 'INSERT', 'hs_hosting_asset'),
|
||||||
|
hsHostingAssetADMIN(NEW));
|
||||||
|
end if;
|
||||||
|
return NEW;
|
||||||
|
end; $$;
|
||||||
|
|
||||||
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
|
create trigger z_new_hs_hosting_asset_grants_insert_to_hs_hosting_asset_tg
|
||||||
|
after insert on hs_hosting_asset
|
||||||
|
for each row
|
||||||
|
execute procedure new_hs_hosting_asset_grants_insert_to_hs_hosting_asset_tf();
|
||||||
|
--//
|
||||||
|
|
||||||
|
|
||||||
|
-- ============================================================================
|
||||||
|
--changeset hs-hosting-asset-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to insert a row to hs_hosting_asset,
|
Checks if the user or assumed roles are allowed to insert a row to hs_hosting_asset,
|
||||||
@ -148,7 +192,10 @@ end; $$;
|
|||||||
create trigger hs_hosting_asset_insert_permission_check_tg
|
create trigger hs_hosting_asset_insert_permission_check_tg
|
||||||
before insert on hs_hosting_asset
|
before insert on hs_hosting_asset
|
||||||
for each row
|
for each row
|
||||||
when ( not hasInsertPermission(NEW.bookingItemUuid, 'INSERT', 'hs_hosting_asset') )
|
when ( not (
|
||||||
|
hasInsertPermission(NEW.bookingItemUuid, 'INSERT', 'hs_hosting_asset') or
|
||||||
|
NEW.type = 'MANAGED_WEBSPACE' and hasInsertPermission(NEW.parentAssetUuid, 'INSERT', 'hs_hosting_asset')
|
||||||
|
) )
|
||||||
execute procedure hs_hosting_asset_insert_permission_missing_tf();
|
execute procedure hs_hosting_asset_insert_permission_missing_tf();
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
@ -18,6 +18,7 @@ declare
|
|||||||
currentTask varchar;
|
currentTask varchar;
|
||||||
relatedDebitor hs_office_debitor;
|
relatedDebitor hs_office_debitor;
|
||||||
relatedBookingItem hs_booking_item;
|
relatedBookingItem hs_booking_item;
|
||||||
|
managedServerUuid uuid;
|
||||||
begin
|
begin
|
||||||
currentTask := 'creating hosting-asset test-data ' || givenPartnerNumber::text || givenDebitorSuffix;
|
currentTask := 'creating hosting-asset test-data ' || givenPartnerNumber::text || givenDebitorSuffix;
|
||||||
call defineContext(currentTask, null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
call defineContext(currentTask, null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
||||||
@ -33,14 +34,15 @@ begin
|
|||||||
from hs_booking_item item
|
from hs_booking_item item
|
||||||
where item.debitoruuid = relatedDebitor.uuid
|
where item.debitoruuid = relatedDebitor.uuid
|
||||||
and item.caption = 'some PrivateCloud';
|
and item.caption = 'some PrivateCloud';
|
||||||
|
select uuid_generate_v4() into managedServerUuid;
|
||||||
|
|
||||||
raise notice 'creating test hosting-asset: %', givenPartnerNumber::text || givenDebitorSuffix::text;
|
raise notice 'creating test hosting-asset: %', givenPartnerNumber::text || givenDebitorSuffix::text;
|
||||||
raise notice '- using debitor (%): %', relatedDebitor.uuid, relatedDebitor;
|
raise notice '- using debitor (%): %', relatedDebitor.uuid, relatedDebitor;
|
||||||
insert
|
insert
|
||||||
into hs_hosting_asset (uuid, bookingitemuuid, type, identifier, caption, config)
|
into hs_hosting_asset (uuid, bookingitemuuid, type, parentAssetUuid, identifier, caption, config)
|
||||||
values (uuid_generate_v4(), relatedBookingItem.uuid, 'MANAGED_SERVER'::HsHostingAssetType, 'vm10' || givenDebitorSuffix, 'some ManagedServer', '{ "CPU": 2, "SDD": 512, "extra": 42 }'::jsonb),
|
values (managedServerUuid, relatedBookingItem.uuid, 'MANAGED_SERVER', null, 'vm10' || givenDebitorSuffix, 'some ManagedServer', '{ "CPU": 2, "SDD": 512, "extra": 42 }'::jsonb),
|
||||||
(uuid_generate_v4(), relatedBookingItem.uuid, 'CLOUD_SERVER'::HsHostingAssetType, 'vm20' || givenDebitorSuffix, 'another CloudServer', '{ "CPU": 2, "HDD": 1024, "extra": 42 }'::jsonb),
|
(uuid_generate_v4(), relatedBookingItem.uuid, 'CLOUD_SERVER', null, 'vm20' || givenDebitorSuffix, 'another CloudServer', '{ "CPU": 2, "HDD": 1024, "extra": 42 }'::jsonb),
|
||||||
(uuid_generate_v4(), relatedBookingItem.uuid, 'MANAGED_WEBSPACE'::HsHostingAssetType, givenWebspacePrefix || '01', 'some Webspace', '{ "RAM": 1, "SDD": 512, "HDD": 2048, "extra": 42 }'::jsonb);
|
(uuid_generate_v4(), relatedBookingItem.uuid, 'MANAGED_WEBSPACE', managedServerUuid, givenWebspacePrefix || '01', 'some Webspace', '{ "RAM": 1, "SDD": 512, "HDD": 2048, "extra": 42 }'::jsonb);
|
||||||
end; $$;
|
end; $$;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
@ -13,6 +13,8 @@ databaseChangeLog:
|
|||||||
file: db/changelog/0-basis/006-numeric-hash-functions.sql
|
file: db/changelog/0-basis/006-numeric-hash-functions.sql
|
||||||
- include:
|
- include:
|
||||||
file: db/changelog/0-basis/007-table-columns.sql
|
file: db/changelog/0-basis/007-table-columns.sql
|
||||||
|
- include:
|
||||||
|
file: db/changelog/0-basis/008-raise-functions.sql
|
||||||
- include:
|
- include:
|
||||||
file: db/changelog/0-basis/009-check-environment.sql
|
file: db/changelog/0-basis/009-check-environment.sql
|
||||||
- include:
|
- include:
|
||||||
|
@ -68,12 +68,13 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu
|
|||||||
// given
|
// given
|
||||||
context("superuser-alex@hostsharing.net");
|
context("superuser-alex@hostsharing.net");
|
||||||
final var count = assetRepo.count();
|
final var count = assetRepo.count();
|
||||||
final var givenBookingItem = givenBookingItem("First", "some CloudServer");
|
final var givenManagedServer = givenManagedServer("First", "some ManagedServer");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = attempt(em, () -> {
|
final var result = attempt(em, () -> {
|
||||||
final var newAsset = HsHostingAssetEntity.builder()
|
final var newAsset = HsHostingAssetEntity.builder()
|
||||||
.bookingItem(givenBookingItem)
|
.bookingItem(givenManagedServer.getBookingItem())
|
||||||
|
.parentAsset(givenManagedServer)
|
||||||
.caption("some new managed webspace")
|
.caption("some new managed webspace")
|
||||||
.type(HsHostingAssetType.MANAGED_WEBSPACE)
|
.type(HsHostingAssetType.MANAGED_WEBSPACE)
|
||||||
.identifier("xyz90")
|
.identifier("xyz90")
|
||||||
@ -96,14 +97,14 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu
|
|||||||
final var initialGrantNames = distinctGrantDisplaysOf(rawGrantRepo.findAll()).stream()
|
final var initialGrantNames = distinctGrantDisplaysOf(rawGrantRepo.findAll()).stream()
|
||||||
.map(s -> s.replace("hs_office_", ""))
|
.map(s -> s.replace("hs_office_", ""))
|
||||||
.toList();
|
.toList();
|
||||||
final var givenBookingItem = givenBookingItem("First", "some CloudServer");
|
final var givenBookingItem = givenBookingItem("First", "some PrivateCloud");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = attempt(em, () -> {
|
final var result = attempt(em, () -> {
|
||||||
final var newAsset = HsHostingAssetEntity.builder()
|
final var newAsset = HsHostingAssetEntity.builder()
|
||||||
.bookingItem(givenBookingItem)
|
.bookingItem(givenBookingItem)
|
||||||
.type(HsHostingAssetType.MANAGED_WEBSPACE)
|
.type(HsHostingAssetType.MANAGED_SERVER)
|
||||||
.identifier("xyz91")
|
.identifier("vm9000")
|
||||||
.caption("some new managed webspace")
|
.caption("some new managed webspace")
|
||||||
.build();
|
.build();
|
||||||
return toCleanup(assetRepo.save(newAsset));
|
return toCleanup(assetRepo.save(newAsset));
|
||||||
@ -114,27 +115,27 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu
|
|||||||
final var all = rawRoleRepo.findAll();
|
final var all = rawRoleRepo.findAll();
|
||||||
assertThat(distinctRoleNamesOf(all)).containsExactlyInAnyOrder(Array.from(
|
assertThat(distinctRoleNamesOf(all)).containsExactlyInAnyOrder(Array.from(
|
||||||
initialRoleNames,
|
initialRoleNames,
|
||||||
"hs_hosting_asset#D-1000111-someCloudServer-xyz91:ADMIN",
|
"hs_hosting_asset#D-1000111-somePrivateCloud-vm9000:ADMIN",
|
||||||
"hs_hosting_asset#D-1000111-someCloudServer-xyz91:OWNER",
|
"hs_hosting_asset#D-1000111-somePrivateCloud-vm9000:OWNER",
|
||||||
"hs_hosting_asset#D-1000111-someCloudServer-xyz91:TENANT"));
|
"hs_hosting_asset#D-1000111-somePrivateCloud-vm9000:TENANT"));
|
||||||
assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll()))
|
assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll()))
|
||||||
.map(s -> s.replace("hs_office_", ""))
|
.map(s -> s.replace("hs_office_", ""))
|
||||||
.containsExactlyInAnyOrder(fromFormatted(
|
.containsExactlyInAnyOrder(fromFormatted(
|
||||||
initialGrantNames,
|
initialGrantNames,
|
||||||
// global-admin
|
|
||||||
|
|
||||||
// owner
|
// owner
|
||||||
"{ grant perm:hs_hosting_asset#D-1000111-someCloudServer-xyz91:DELETE to role:hs_hosting_asset#D-1000111-someCloudServer-xyz91:OWNER by system and assume }",
|
"{ grant perm:hs_hosting_asset#D-1000111-somePrivateCloud-vm9000:DELETE to role:hs_hosting_asset#D-1000111-somePrivateCloud-vm9000:OWNER by system and assume }",
|
||||||
|
"{ grant role:hs_hosting_asset#D-1000111-somePrivateCloud-vm9000:OWNER to role:hs_booking_item#D-1000111-somePrivateCloud:ADMIN by system and assume }",
|
||||||
|
|
||||||
// admin
|
// admin
|
||||||
"{ grant perm:hs_hosting_asset#D-1000111-someCloudServer-xyz91:UPDATE to role:hs_hosting_asset#D-1000111-someCloudServer-xyz91:ADMIN by system and assume }",
|
"{ grant perm:hs_hosting_asset#D-1000111-somePrivateCloud-vm9000:INSERT>hs_hosting_asset to role:hs_hosting_asset#D-1000111-somePrivateCloud-vm9000:ADMIN by system and assume }",
|
||||||
"{ grant role:hs_hosting_asset#D-1000111-someCloudServer-xyz91:ADMIN to role:hs_hosting_asset#D-1000111-someCloudServer-xyz91:OWNER by system and assume }",
|
"{ grant perm:hs_hosting_asset#D-1000111-somePrivateCloud-vm9000:UPDATE to role:hs_hosting_asset#D-1000111-somePrivateCloud-vm9000:ADMIN by system and assume }",
|
||||||
"{ grant role:hs_hosting_asset#D-1000111-someCloudServer-xyz91:OWNER to role:hs_booking_item#D-1000111-someCloudServer:ADMIN by system and assume }",
|
"{ grant role:hs_hosting_asset#D-1000111-somePrivateCloud-vm9000:ADMIN to role:hs_hosting_asset#D-1000111-somePrivateCloud-vm9000:OWNER by system and assume }",
|
||||||
|
|
||||||
// tenant
|
// tenant
|
||||||
"{ grant perm:hs_hosting_asset#D-1000111-someCloudServer-xyz91:SELECT to role:hs_hosting_asset#D-1000111-someCloudServer-xyz91:TENANT by system and assume }",
|
"{ grant perm:hs_hosting_asset#D-1000111-somePrivateCloud-vm9000:SELECT to role:hs_hosting_asset#D-1000111-somePrivateCloud-vm9000:TENANT by system and assume }",
|
||||||
"{ grant role:hs_hosting_asset#D-1000111-someCloudServer-xyz91:TENANT to role:hs_hosting_asset#D-1000111-someCloudServer-xyz91:ADMIN by system and assume }",
|
"{ grant role:hs_booking_item#D-1000111-somePrivateCloud:TENANT to role:hs_hosting_asset#D-1000111-somePrivateCloud-vm9000:TENANT by system and assume }",
|
||||||
"{ grant role:hs_booking_item#D-1000111-someCloudServer:TENANT to role:hs_hosting_asset#D-1000111-someCloudServer-xyz91:TENANT by system and assume }",
|
"{ grant role:hs_hosting_asset#D-1000111-somePrivateCloud-vm9000:TENANT to role:hs_hosting_asset#D-1000111-somePrivateCloud-vm9000:ADMIN by system and assume }",
|
||||||
|
|
||||||
null));
|
null));
|
||||||
}
|
}
|
||||||
@ -161,7 +162,7 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu
|
|||||||
// then
|
// then
|
||||||
allTheseServersAreReturned(
|
allTheseServersAreReturned(
|
||||||
result,
|
result,
|
||||||
"HsHostingAssetEntity(D-1000212:some PrivateCloud, MANAGED_WEBSPACE, bbb01, some Webspace, { HDD: 2048, RAM: 1, SDD: 512, extra: 42 })",
|
"HsHostingAssetEntity(D-1000212:some PrivateCloud, MANAGED_WEBSPACE, D-1000212:some PrivateCloud:vm1012, bbb01, some Webspace, { HDD: 2048, RAM: 1, SDD: 512, extra: 42 })",
|
||||||
"HsHostingAssetEntity(D-1000212:some PrivateCloud, MANAGED_SERVER, vm1012, some ManagedServer, { CPU: 2, SDD: 512, extra: 42 })",
|
"HsHostingAssetEntity(D-1000212:some PrivateCloud, MANAGED_SERVER, vm1012, some ManagedServer, { CPU: 2, SDD: 512, extra: 42 })",
|
||||||
"HsHostingAssetEntity(D-1000212:some PrivateCloud, CLOUD_SERVER, vm2012, another CloudServer, { CPU: 2, HDD: 1024, extra: 42 })");
|
"HsHostingAssetEntity(D-1000212:some PrivateCloud, CLOUD_SERVER, vm2012, another CloudServer, { CPU: 2, HDD: 1024, extra: 42 })");
|
||||||
}
|
}
|
||||||
@ -178,7 +179,7 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu
|
|||||||
// then:
|
// then:
|
||||||
exactlyTheseAssetsAreReturned(
|
exactlyTheseAssetsAreReturned(
|
||||||
result,
|
result,
|
||||||
"HsHostingAssetEntity(D-1000111:some PrivateCloud, MANAGED_WEBSPACE, aaa01, some Webspace, { HDD: 2048, RAM: 1, SDD: 512, extra: 42 })",
|
"HsHostingAssetEntity(D-1000111:some PrivateCloud, MANAGED_WEBSPACE, D-1000111:some PrivateCloud:vm1011, aaa01, some Webspace, { HDD: 2048, RAM: 1, SDD: 512, extra: 42 })",
|
||||||
"HsHostingAssetEntity(D-1000111:some PrivateCloud, MANAGED_SERVER, vm1011, some ManagedServer, { CPU: 2, SDD: 512, extra: 42 })",
|
"HsHostingAssetEntity(D-1000111:some PrivateCloud, MANAGED_SERVER, vm1011, some ManagedServer, { CPU: 2, SDD: 512, extra: 42 })",
|
||||||
"HsHostingAssetEntity(D-1000111:some PrivateCloud, CLOUD_SERVER, vm2011, another CloudServer, { CPU: 2, HDD: 1024, extra: 42 })");
|
"HsHostingAssetEntity(D-1000111:some PrivateCloud, CLOUD_SERVER, vm2011, another CloudServer, { CPU: 2, HDD: 1024, extra: 42 })");
|
||||||
}
|
}
|
||||||
@ -352,6 +353,13 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu
|
|||||||
.findAny().orElseThrow();
|
.findAny().orElseThrow();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
HsHostingAssetEntity givenManagedServer(final String debitorName, final String hostingAssetCaption) {
|
||||||
|
final var givenDebitor = debitorRepo.findDebitorByOptionalNameLike(debitorName).stream().findAny().orElseThrow();
|
||||||
|
return assetRepo.findAllByDebitorUuid(givenDebitor.getUuid()).stream()
|
||||||
|
.filter(i -> i.getCaption().equals(hostingAssetCaption))
|
||||||
|
.findAny().orElseThrow();
|
||||||
|
}
|
||||||
|
|
||||||
void exactlyTheseAssetsAreReturned(
|
void exactlyTheseAssetsAreReturned(
|
||||||
final List<HsHostingAssetEntity> actualResult,
|
final List<HsHostingAssetEntity> actualResult,
|
||||||
final String... serverNames) {
|
final String... serverNames) {
|
||||||
|
Loading…
Reference in New Issue
Block a user