fix spurious revoke of insert permission and add sorted for stable order

2024-03-26 09:48:14 +01:00 · 2024-03-26 09:48:14 +01:00 · 09fc332dcc
commit 09fc332dcc
parent 86bdeaabe3
7 changed files with 22 additions and 23 deletions
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java
@ -95,7 +95,7 @@ public class HsOfficePartnerEntity implements Stringifyable, HasUuid {
        return rbacViewFor("partner", HsOfficePartnerEntity.class)
                .withIdentityView(SQL.projection("'P-' || partnerNumber"))
                .withUpdatableColumns("partnerRelUuid")
-                .toRole("global", ADMIN).grantPermission(INSERT) // FIXME: global -> partnerRel.anchor?
+                .toRole("global", ADMIN).grantPermission(INSERT)

                .importRootEntityAliasProxy("partnerRel", HsOfficeRelationEntity.class,
                        directlyFetchedByDependsOnColumn(),
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java
@ -7,6 +7,7 @@ import java.util.List;
 import java.util.Set;
 import java.util.stream.Stream;

+import static java.util.Optional.ofNullable;
 import static java.util.stream.Collectors.joining;
 import static java.util.stream.Collectors.toSet;
 import static net.hostsharing.hsadminng.rbac.rbacdef.PostgresTriggerReference.NEW;
@ -245,14 +246,11 @@ class RolesGrantsAndPermissionsGenerator {
        }
    }

-    private boolean isUpdatable(final RbacView.Column c) {
-        return rbacDef.getUpdatableColumns().contains(c);
-    }
-
    private void updateGrantsDependingOn(final StringWriter plPgSql, final String columnName) {
        rbacDef.getGrantDefs().stream()
                .filter(RbacView.RbacGrantDefinition::isToCreate)
                .filter(g -> g.dependsOnColumn(columnName))
+                .filter(g -> !isInsertPermissionGrant(g))
                .forEach(g -> {
                    plPgSql.ensureSingleEmptyLine();
                    plPgSql.writeLn(generateRevoke(g));
@ -261,6 +259,11 @@ class RolesGrantsAndPermissionsGenerator {
                });
    }

+    private static Boolean isInsertPermissionGrant(final RbacView.RbacGrantDefinition g) {
+        final var isInsertPermissionGrant = ofNullable(g.getPermDef()).map(RbacPermissionDefinition::getPermission).map(p -> p == INSERT).orElse(false);
+        return isInsertPermissionGrant;
+    }
+
    private void generateGrants(final StringWriter plPgSql, final RbacView.RbacGrantDefinition.GrantType grantType) {
        plPgSql.ensureSingleEmptyLine();
        rbacGrants.stream()
@ -407,7 +410,7 @@ class RolesGrantsAndPermissionsGenerator {
        if (!incomingGrants.isEmpty()) {
            final var arrayElements = incomingGrants.stream()
                    .map(g -> toPlPgSqlReference(NEW, g.getSuperRoleDef(), g.isAssumed()))
-                    .toList();
+                    .sorted().toList();
            plPgSql.indented(() ->
                    plPgSql.writeLn("incomingSuperRoles => array[" + joinArrayElements(arrayElements, 1) + "],\n"));
            rbacGrants.removeAll(incomingGrants);
@ -419,7 +422,7 @@ class RolesGrantsAndPermissionsGenerator {
        if (!outgoingGrants.isEmpty()) {
            final var arrayElements = outgoingGrants.stream()
                    .map(g -> toPlPgSqlReference(NEW, g.getSubRoleDef(), g.isAssumed()))
-                    .toList();
+                    .sorted().toList();
            plPgSql.indented(() ->
                    plPgSql.writeLn("outgoingSubRoles => array[" + joinArrayElements(arrayElements, 1) + "],\n"));
            rbacGrants.removeAll(outgoingGrants);
--- a/src/main/resources/db/changelog/123-test-package-rbac.sql
+++ b/src/main/resources/db/changelog/123-test-package-rbac.sql
@ -110,8 +110,6 @@ begin

    if NEW.customerUuid <> OLD.customerUuid then

-        call revokePermissionFromRole(getPermissionId(OLD.uuid, 'INSERT'), testCustomerAdmin(oldCustomer));
-
        call revokeRoleFromRole(testPackageOwner(OLD), testCustomerAdmin(oldCustomer));
        call grantRoleToRole(testPackageOwner(NEW), testCustomerAdmin(newCustomer));

--- a/src/main/resources/db/changelog/133-test-domain-rbac.sql
+++ b/src/main/resources/db/changelog/133-test-domain-rbac.sql
@ -106,8 +106,6 @@ begin

    if NEW.packageUuid <> OLD.packageUuid then

-        call revokePermissionFromRole(getPermissionId(OLD.uuid, 'INSERT'), testPackageAdmin(oldPackage));
-
        call revokeRoleFromRole(testDomainOwner(OLD), testPackageAdmin(oldPackage));
        call grantRoleToRole(testDomainOwner(NEW), testPackageAdmin(newPackage));

--- a/src/main/resources/db/changelog/223-hs-office-relation-rbac.sql
+++ b/src/main/resources/db/changelog/223-hs-office-relation-rbac.sql
@ -65,8 +65,8 @@ begin
    perform createRoleWithGrants(
        hsOfficeRelationAgent(NEW),
            incomingSuperRoles => array[
-            	hsOfficeRelationAdmin(NEW),
-            	hsOfficePersonAdmin(newHolderPerson)]
+            	hsOfficePersonAdmin(newHolderPerson),
+            	hsOfficeRelationAdmin(NEW)]
    );

    perform createRoleWithGrants(
@ -74,12 +74,12 @@ begin
            permissions => array['SELECT'],
            incomingSuperRoles => array[
            	hsOfficeContactAdmin(newContact),
-            	hsOfficeRelationAgent(NEW),
-            	hsOfficePersonAdmin(newHolderPerson)],
+            	hsOfficePersonAdmin(newHolderPerson),
+            	hsOfficeRelationAgent(NEW)],
            outgoingSubRoles => array[
+            	hsOfficeContactReferrer(newContact),
            	hsOfficePersonReferrer(newAnchorPerson),
-            	hsOfficePersonReferrer(newHolderPerson),
-            	hsOfficeContactReferrer(newContact)]
+            	hsOfficePersonReferrer(newHolderPerson)]
    );

    call leaveTriggerForObjectUuid(NEW.uuid);
--- a/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.sql
+++ b/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.sql
@ -64,17 +64,17 @@ begin
        hsOfficeSepaMandateAgent(NEW),
            incomingSuperRoles => array[hsOfficeSepaMandateAdmin(NEW)],
            outgoingSubRoles => array[
-            	hsOfficeRelationAgent(newDebitorRel),
-            	hsOfficeBankAccountReferrer(newBankAccount)]
+            	hsOfficeBankAccountReferrer(newBankAccount),
+            	hsOfficeRelationAgent(newDebitorRel)]
    );

    perform createRoleWithGrants(
        hsOfficeSepaMandateReferrer(NEW),
            permissions => array['SELECT'],
            incomingSuperRoles => array[
+            	hsOfficeBankAccountAdmin(newBankAccount),
            	hsOfficeRelationAgent(newDebitorRel),
-            	hsOfficeSepaMandateAgent(NEW),
-            	hsOfficeBankAccountAdmin(newBankAccount)],
+            	hsOfficeSepaMandateAgent(NEW)],
            outgoingSubRoles => array[hsOfficeRelationTenant(newDebitorRel)]
    );

--- a/src/main/resources/db/changelog/303-hs-office-membership-rbac.sql
+++ b/src/main/resources/db/changelog/303-hs-office-membership-rbac.sql
@ -54,8 +54,8 @@ begin
        hsOfficeMembershipAdmin(NEW),
            permissions => array['UPDATE'],
            incomingSuperRoles => array[
-            	hsOfficeRelationAgent(newPartnerRel),
-            	hsOfficeMembershipOwner(NEW)]
+            	hsOfficeMembershipOwner(NEW),
+            	hsOfficeRelationAgent(newPartnerRel)]
    );

    perform createRoleWithGrants(