fix spurious revoke of insert permission and add sorted for stable order
This commit is contained in:
parent
86bdeaabe3
commit
09fc332dcc
@ -95,7 +95,7 @@ public class HsOfficePartnerEntity implements Stringifyable, HasUuid {
|
|||||||
return rbacViewFor("partner", HsOfficePartnerEntity.class)
|
return rbacViewFor("partner", HsOfficePartnerEntity.class)
|
||||||
.withIdentityView(SQL.projection("'P-' || partnerNumber"))
|
.withIdentityView(SQL.projection("'P-' || partnerNumber"))
|
||||||
.withUpdatableColumns("partnerRelUuid")
|
.withUpdatableColumns("partnerRelUuid")
|
||||||
.toRole("global", ADMIN).grantPermission(INSERT) // FIXME: global -> partnerRel.anchor?
|
.toRole("global", ADMIN).grantPermission(INSERT)
|
||||||
|
|
||||||
.importRootEntityAliasProxy("partnerRel", HsOfficeRelationEntity.class,
|
.importRootEntityAliasProxy("partnerRel", HsOfficeRelationEntity.class,
|
||||||
directlyFetchedByDependsOnColumn(),
|
directlyFetchedByDependsOnColumn(),
|
||||||
|
@ -7,6 +7,7 @@ import java.util.List;
|
|||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
import java.util.stream.Stream;
|
import java.util.stream.Stream;
|
||||||
|
|
||||||
|
import static java.util.Optional.ofNullable;
|
||||||
import static java.util.stream.Collectors.joining;
|
import static java.util.stream.Collectors.joining;
|
||||||
import static java.util.stream.Collectors.toSet;
|
import static java.util.stream.Collectors.toSet;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.PostgresTriggerReference.NEW;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.PostgresTriggerReference.NEW;
|
||||||
@ -245,14 +246,11 @@ class RolesGrantsAndPermissionsGenerator {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private boolean isUpdatable(final RbacView.Column c) {
|
|
||||||
return rbacDef.getUpdatableColumns().contains(c);
|
|
||||||
}
|
|
||||||
|
|
||||||
private void updateGrantsDependingOn(final StringWriter plPgSql, final String columnName) {
|
private void updateGrantsDependingOn(final StringWriter plPgSql, final String columnName) {
|
||||||
rbacDef.getGrantDefs().stream()
|
rbacDef.getGrantDefs().stream()
|
||||||
.filter(RbacView.RbacGrantDefinition::isToCreate)
|
.filter(RbacView.RbacGrantDefinition::isToCreate)
|
||||||
.filter(g -> g.dependsOnColumn(columnName))
|
.filter(g -> g.dependsOnColumn(columnName))
|
||||||
|
.filter(g -> !isInsertPermissionGrant(g))
|
||||||
.forEach(g -> {
|
.forEach(g -> {
|
||||||
plPgSql.ensureSingleEmptyLine();
|
plPgSql.ensureSingleEmptyLine();
|
||||||
plPgSql.writeLn(generateRevoke(g));
|
plPgSql.writeLn(generateRevoke(g));
|
||||||
@ -261,6 +259,11 @@ class RolesGrantsAndPermissionsGenerator {
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private static Boolean isInsertPermissionGrant(final RbacView.RbacGrantDefinition g) {
|
||||||
|
final var isInsertPermissionGrant = ofNullable(g.getPermDef()).map(RbacPermissionDefinition::getPermission).map(p -> p == INSERT).orElse(false);
|
||||||
|
return isInsertPermissionGrant;
|
||||||
|
}
|
||||||
|
|
||||||
private void generateGrants(final StringWriter plPgSql, final RbacView.RbacGrantDefinition.GrantType grantType) {
|
private void generateGrants(final StringWriter plPgSql, final RbacView.RbacGrantDefinition.GrantType grantType) {
|
||||||
plPgSql.ensureSingleEmptyLine();
|
plPgSql.ensureSingleEmptyLine();
|
||||||
rbacGrants.stream()
|
rbacGrants.stream()
|
||||||
@ -407,7 +410,7 @@ class RolesGrantsAndPermissionsGenerator {
|
|||||||
if (!incomingGrants.isEmpty()) {
|
if (!incomingGrants.isEmpty()) {
|
||||||
final var arrayElements = incomingGrants.stream()
|
final var arrayElements = incomingGrants.stream()
|
||||||
.map(g -> toPlPgSqlReference(NEW, g.getSuperRoleDef(), g.isAssumed()))
|
.map(g -> toPlPgSqlReference(NEW, g.getSuperRoleDef(), g.isAssumed()))
|
||||||
.toList();
|
.sorted().toList();
|
||||||
plPgSql.indented(() ->
|
plPgSql.indented(() ->
|
||||||
plPgSql.writeLn("incomingSuperRoles => array[" + joinArrayElements(arrayElements, 1) + "],\n"));
|
plPgSql.writeLn("incomingSuperRoles => array[" + joinArrayElements(arrayElements, 1) + "],\n"));
|
||||||
rbacGrants.removeAll(incomingGrants);
|
rbacGrants.removeAll(incomingGrants);
|
||||||
@ -419,7 +422,7 @@ class RolesGrantsAndPermissionsGenerator {
|
|||||||
if (!outgoingGrants.isEmpty()) {
|
if (!outgoingGrants.isEmpty()) {
|
||||||
final var arrayElements = outgoingGrants.stream()
|
final var arrayElements = outgoingGrants.stream()
|
||||||
.map(g -> toPlPgSqlReference(NEW, g.getSubRoleDef(), g.isAssumed()))
|
.map(g -> toPlPgSqlReference(NEW, g.getSubRoleDef(), g.isAssumed()))
|
||||||
.toList();
|
.sorted().toList();
|
||||||
plPgSql.indented(() ->
|
plPgSql.indented(() ->
|
||||||
plPgSql.writeLn("outgoingSubRoles => array[" + joinArrayElements(arrayElements, 1) + "],\n"));
|
plPgSql.writeLn("outgoingSubRoles => array[" + joinArrayElements(arrayElements, 1) + "],\n"));
|
||||||
rbacGrants.removeAll(outgoingGrants);
|
rbacGrants.removeAll(outgoingGrants);
|
||||||
|
@ -110,8 +110,6 @@ begin
|
|||||||
|
|
||||||
if NEW.customerUuid <> OLD.customerUuid then
|
if NEW.customerUuid <> OLD.customerUuid then
|
||||||
|
|
||||||
call revokePermissionFromRole(getPermissionId(OLD.uuid, 'INSERT'), testCustomerAdmin(oldCustomer));
|
|
||||||
|
|
||||||
call revokeRoleFromRole(testPackageOwner(OLD), testCustomerAdmin(oldCustomer));
|
call revokeRoleFromRole(testPackageOwner(OLD), testCustomerAdmin(oldCustomer));
|
||||||
call grantRoleToRole(testPackageOwner(NEW), testCustomerAdmin(newCustomer));
|
call grantRoleToRole(testPackageOwner(NEW), testCustomerAdmin(newCustomer));
|
||||||
|
|
||||||
|
@ -106,8 +106,6 @@ begin
|
|||||||
|
|
||||||
if NEW.packageUuid <> OLD.packageUuid then
|
if NEW.packageUuid <> OLD.packageUuid then
|
||||||
|
|
||||||
call revokePermissionFromRole(getPermissionId(OLD.uuid, 'INSERT'), testPackageAdmin(oldPackage));
|
|
||||||
|
|
||||||
call revokeRoleFromRole(testDomainOwner(OLD), testPackageAdmin(oldPackage));
|
call revokeRoleFromRole(testDomainOwner(OLD), testPackageAdmin(oldPackage));
|
||||||
call grantRoleToRole(testDomainOwner(NEW), testPackageAdmin(newPackage));
|
call grantRoleToRole(testDomainOwner(NEW), testPackageAdmin(newPackage));
|
||||||
|
|
||||||
|
@ -65,8 +65,8 @@ begin
|
|||||||
perform createRoleWithGrants(
|
perform createRoleWithGrants(
|
||||||
hsOfficeRelationAgent(NEW),
|
hsOfficeRelationAgent(NEW),
|
||||||
incomingSuperRoles => array[
|
incomingSuperRoles => array[
|
||||||
hsOfficeRelationAdmin(NEW),
|
hsOfficePersonAdmin(newHolderPerson),
|
||||||
hsOfficePersonAdmin(newHolderPerson)]
|
hsOfficeRelationAdmin(NEW)]
|
||||||
);
|
);
|
||||||
|
|
||||||
perform createRoleWithGrants(
|
perform createRoleWithGrants(
|
||||||
@ -74,12 +74,12 @@ begin
|
|||||||
permissions => array['SELECT'],
|
permissions => array['SELECT'],
|
||||||
incomingSuperRoles => array[
|
incomingSuperRoles => array[
|
||||||
hsOfficeContactAdmin(newContact),
|
hsOfficeContactAdmin(newContact),
|
||||||
hsOfficeRelationAgent(NEW),
|
hsOfficePersonAdmin(newHolderPerson),
|
||||||
hsOfficePersonAdmin(newHolderPerson)],
|
hsOfficeRelationAgent(NEW)],
|
||||||
outgoingSubRoles => array[
|
outgoingSubRoles => array[
|
||||||
|
hsOfficeContactReferrer(newContact),
|
||||||
hsOfficePersonReferrer(newAnchorPerson),
|
hsOfficePersonReferrer(newAnchorPerson),
|
||||||
hsOfficePersonReferrer(newHolderPerson),
|
hsOfficePersonReferrer(newHolderPerson)]
|
||||||
hsOfficeContactReferrer(newContact)]
|
|
||||||
);
|
);
|
||||||
|
|
||||||
call leaveTriggerForObjectUuid(NEW.uuid);
|
call leaveTriggerForObjectUuid(NEW.uuid);
|
||||||
|
@ -64,17 +64,17 @@ begin
|
|||||||
hsOfficeSepaMandateAgent(NEW),
|
hsOfficeSepaMandateAgent(NEW),
|
||||||
incomingSuperRoles => array[hsOfficeSepaMandateAdmin(NEW)],
|
incomingSuperRoles => array[hsOfficeSepaMandateAdmin(NEW)],
|
||||||
outgoingSubRoles => array[
|
outgoingSubRoles => array[
|
||||||
hsOfficeRelationAgent(newDebitorRel),
|
hsOfficeBankAccountReferrer(newBankAccount),
|
||||||
hsOfficeBankAccountReferrer(newBankAccount)]
|
hsOfficeRelationAgent(newDebitorRel)]
|
||||||
);
|
);
|
||||||
|
|
||||||
perform createRoleWithGrants(
|
perform createRoleWithGrants(
|
||||||
hsOfficeSepaMandateReferrer(NEW),
|
hsOfficeSepaMandateReferrer(NEW),
|
||||||
permissions => array['SELECT'],
|
permissions => array['SELECT'],
|
||||||
incomingSuperRoles => array[
|
incomingSuperRoles => array[
|
||||||
|
hsOfficeBankAccountAdmin(newBankAccount),
|
||||||
hsOfficeRelationAgent(newDebitorRel),
|
hsOfficeRelationAgent(newDebitorRel),
|
||||||
hsOfficeSepaMandateAgent(NEW),
|
hsOfficeSepaMandateAgent(NEW)],
|
||||||
hsOfficeBankAccountAdmin(newBankAccount)],
|
|
||||||
outgoingSubRoles => array[hsOfficeRelationTenant(newDebitorRel)]
|
outgoingSubRoles => array[hsOfficeRelationTenant(newDebitorRel)]
|
||||||
);
|
);
|
||||||
|
|
||||||
|
@ -54,8 +54,8 @@ begin
|
|||||||
hsOfficeMembershipAdmin(NEW),
|
hsOfficeMembershipAdmin(NEW),
|
||||||
permissions => array['UPDATE'],
|
permissions => array['UPDATE'],
|
||||||
incomingSuperRoles => array[
|
incomingSuperRoles => array[
|
||||||
hsOfficeRelationAgent(newPartnerRel),
|
hsOfficeMembershipOwner(NEW),
|
||||||
hsOfficeMembershipOwner(NEW)]
|
hsOfficeRelationAgent(newPartnerRel)]
|
||||||
);
|
);
|
||||||
|
|
||||||
perform createRoleWithGrants(
|
perform createRoleWithGrants(
|
||||||
|
Loading…
Reference in New Issue
Block a user