From 1e2390191f862ca259385a4a3b0d19eddb607f60 Mon Sep 17 00:00:00 2001 
From: Michael Hoennig Date: Fri, 13 Sep 2024 20:11:34 +0200 Subject: [PATCH] rbac.global --- .../booking/item/HsBookingItemRbacEntity.java | 2 +- .../hs/booking/project/HsBookingProject.java | 2 +- .../project/HsBookingProjectRbacEntity.java | 2 +- .../asset/HsHostingAssetRbacEntity.java | 2 +- .../rbac/rbacdef/InsertTriggerGenerator.java | 8 +-- .../hsadminng/rbac/rbacdef/RbacView.java | 12 ++-- .../rbacgrant/RbacGrantsDiagramService.java | 2 +- .../rbac/test/cust/TestCustomerEntity.java | 2 +- .../db/changelog/1-rbac/1050-rbac-base.sql | 2 +- .../db/changelog/1-rbac/1054-rbac-context.sql | 2 +- .../changelog/1-rbac/1059-rbac-statistics.sql | 2 +- .../db/changelog/1-rbac/1080-rbac-global.sql | 68 +++++++++---------- .../2013-test-customer-rbac.md | 4 +- .../2013-test-customer-rbac.sql | 18 ++--- .../2018-test-customer-test-data.sql | 2 +- .../2023-test-package-rbac.md | 2 +- .../203-test-domain/2033-test-domain-rbac.md | 2 +- .../5013-hs-office-contact-rbac.md | 4 +- .../502-person/5023-hs-office-person-rbac.md | 4 +- ...-hs-office-relation-rbac-REPRESENTATIVE.md | 8 +-- .../5033-hs-office-relation-rbac.md | 8 +-- .../5038-hs-office-relation-test-data.sql | 2 +- .../5043-hs-office-partner-rbac.md | 10 +-- .../5043-hs-office-partner-rbac.sql | 18 ++--- .../5044-hs-office-partner-details-rbac.md | 2 +- .../5044-hs-office-partner-details-rbac.sql | 28 ++++---- .../5048-hs-office-partner-test-data.sql | 2 +- .../5053-hs-office-bankaccount-rbac.md | 4 +- .../5063-hs-office-debitor-rbac.md | 20 +++--- .../5063-hs-office-debitor-rbac.sql | 18 ++--- .../5068-hs-office-debitor-test-data.sql | 2 +- .../5073-hs-office-sepamandate-rbac.md | 12 ++-- .../5078-hs-office-sepamandate-test-data.sql | 2 +- .../5103-hs-office-membership-rbac.md | 10 +-- .../5103-hs-office-membership-rbac.sql | 18 ++--- .../5108-hs-office-membership-test-data.sql | 2 +- .../5113-hs-office-coopshares-rbac.md | 8 +-- .../5123-hs-office-coopassets-rbac.md | 8 +-- .../6203-hs-booking-project-rbac.md | 4 
+- .../6208-hs-booking-project-test-data.sql | 2 +- .../6203-hs-booking-item-rbac.md | 4 +- .../6203-hs-booking-item-rbac.sql | 14 ++-- .../6208-hs-booking-item-test-data.sql | 2 +- .../6303-hs-booking-item-rbac.md | 4 +- .../6303-hs-booking-item-rbac.sql | 14 ++-- .../7013-hs-hosting-asset-rbac.md | 8 +-- .../7018-hs-hosting-asset-test-data.sql | 4 +- .../changelog/9-hs-global/9000-statistics.sql | 2 +- .../db/changelog/db.changelog-master.yaml | 2 +- .../hsadminng/arch/ArchitectureTest.java | 2 +- ...sBookingItemRepositoryIntegrationTest.java | 4 +- ...okingProjectRepositoryIntegrationTest.java | 4 +- ...HostingAssetRepositoryIntegrationTest.java | 6 +- ...eBankAccountRepositoryIntegrationTest.java | 2 +- ...eContactRbacRepositoryIntegrationTest.java | 2 +- ...fficeDebitorRepositoryIntegrationTest.java | 8 +-- ...fficePartnerRepositoryIntegrationTest.java | 4 +- ...OfficePersonRepositoryIntegrationTest.java | 2 +- ...ficeRelationRepositoryIntegrationTest.java | 4 +- ...eSepaMandateRepositoryIntegrationTest.java | 2 +- .../RbacGrantControllerAcceptanceTest.java | 4 +- .../RbacRoleControllerAcceptanceTest.java | 2 +- .../rbacrole/RbacRoleControllerRestTest.java | 2 +- .../RbacRoleRepositoryIntegrationTest.java | 6 +- .../hsadminng/rbac/rbacrole/TestRbacRole.java | 2 +- .../RbacSubjectRepositoryIntegrationTest.java | 2 +- .../test/cust/TestCustomerEntityUnitTest.java | 12 ++-- .../test/pac/TestPackageEntityUnitTest.java | 2 +- .../TestPackageRepositoryIntegrationTest.java | 4 +- 69 files changed, 230 insertions(+), 230 deletions(-) diff --git a/src/main/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemRbacEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemRbacEntity.java index 5bd7b15d..1b3fc598 100644 --- a/src/main/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemRbacEntity.java +++ b/src/main/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemRbacEntity.java 
@@ -74,7 +74,7 @@ public class HsBookingItemRbacEntity extends HsBookingItem { with.permission(SELECT); }) - .limitDiagramTo("bookingItem", "project", "global"); + .limitDiagramTo("bookingItem", "project", "rbac.global"); } public static void main(String[] args) throws IOException { diff --git a/src/main/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProject.java b/src/main/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProject.java index 6c109ef5..3197503d 100644 --- a/src/main/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProject.java +++ b/src/main/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProject.java @@ -105,7 +105,7 @@ public abstract class HsBookingProject implements Stringifyable, BaseEntity { .withIdentityView(SQL.projection("prefix")) .withRestrictedViewOrderBy(SQL.expression("reference")) .withUpdatableColumns("reference", "prefix", "adminUserName") - .toRole("global", ADMIN).grantPermission(INSERT) + .toRole("rbac.global", ADMIN).grantPermission(INSERT) .createRole(OWNER, (with) -> { with.owningUser(CREATOR).unassumed(); diff --git a/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql b/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql index 7c73ec7b..de1b5112 100644 --- a/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql +++ b/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql @@ -584,7 +584,7 @@ select exists( join RbacRole as r on r.uuid = g.descendantuuid join rbac.object as o on o.uuid = r.objectuuid where g.ascendantuuid = forAscendantUuid - and o.objecttable = 'global' + and o.objecttable = 'rbac.global' ); $$; diff --git a/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql b/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql index 2380c84d..8e870636 100644 --- a/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql +++ b/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql 
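Review bot: The role-table name is a bare string literal in `.limitDiagramTo("bookingItem", "project", "rbac.global")` and again in the HsBookingProject hunk (`.toRole("rbac.global", ADMIN)`), and it has to stay identical to the `objecttable` value that 1050-rbac-base.sql compares against when deciding who is a global admin. A shared constant would stop the next rename from missing a site, for example `.toRole(GLOBAL_TABLE, ADMIN).grantPermission(INSERT)`, where `GLOBAL_TABLE` is a name proposed here and not one the project is known to have. Both builder chains begin and end outside the hunks, so whether RbacView validates the name is not visible.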
@@ -57,7 +57,7 @@ begin objectUuidToAssume = findObjectUuidByIdName(objectTableToAssume, objectNameToAssume); if objectUuidToAssume is null then - raise exception '[401] object % cannot be found in table %', objectNameToAssume, objectTableToAssume; + raise exception '[401] object % cannot be found in table % (from roleNameParts=%)', objectNameToAssume, objectTableToAssume, roleNameParts; end if; select uuid diff --git a/src/main/resources/db/changelog/1-rbac/1059-rbac-statistics.sql b/src/main/resources/db/changelog/1-rbac/1059-rbac-statistics.sql index 4cb5ff19..2f11a5ca 100644 --- a/src/main/resources/db/changelog/1-rbac/1059-rbac-statistics.sql +++ b/src/main/resources/db/changelog/1-rbac/1059-rbac-statistics.sql @@ -5,7 +5,7 @@ /* Creates a view which presents some statistics about the RBAC tables. */ -create view RbacStatisticsView as +create view rbac.statistics_v as select no, to_char("count", '9 999 999 999') as "count", "table" from (select 1 as no, count(*) as "count", 'login users' as "table" from rbac.subject diff --git a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql index d0c0f444..e9f5a6d2 100644 --- a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql +++ b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql @@ -1,7 +1,7 @@ --liquibase formatted sql -- ============================================================================ ---changeset rbac-global-GLOBAL-OBJECT:1 endDelimiter:--// +--changeset rbac-global-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- /* The purpose of this table is provide root business objects 
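Review bot: The added `(from roleNameParts=%)` puts parser state into an exception whose `[401]` prefix suggests the text is passed on to the API client, and `roleNameParts` is declared outside this hunk, so its type and content cannot be checked here. If it is only a debugging aid, keep the client-facing text as it was and record the detail server-side, e.g. `raise log 'assumed role not resolvable, roleNameParts=%', roleNameParts;` ahead of the `raise exception`. That also keeps the message stable for callers and tests that match on it.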
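Review bot: Renaming the changeset header from `rbac-global-GLOBAL-OBJECT:1` to `rbac-global-OBJECT:1` changes the changeset's identity, because Liquibase keys a changeset on author, id and file path; the same applies to the later headers in this file (`rbac-global-HAS-global-PERMISSION`, `rbac-global-IDENTITY-VIEW`, `rbac-rbac.Global-PSEUDO-OBJECT`, `rbac-rbac.Global-ADMIN-ROLE`, `rbac-rbac.Global-GUEST-ROLE`, `rbac-GLOBAL-ADMIN-USERS`, `rbac-GLOBAL-TEST`). On a database that already ran the old changesets they would be treated as new, and `create table rbac.global` would run alongside the existing `Global` table, so this only works if every environment is recreated from scratch. Several of the new names look like search-and-replace residue; keeping the original identifiers, e.g. `--changeset rbac-global-PSEUDO-OBJECT:1 endDelimiter:--//`, avoids both problems.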
@@ -11,14 +11,14 @@ In production databases, there is only a single row in this table, in test stages, there can be one row for each test data realm. */ -create table Global +create table rbac.global ( uuid uuid primary key references rbac.object (uuid) on delete cascade, name varchar(63) unique ); -create unique index Global_Singleton on Global ((0)); +create unique index Global_Singleton on rbac.global ((0)); -grant select on global to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME}; +grant select on rbac.global to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME}; --// @@ -26,7 +26,7 @@ grant select on global to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME}; --changeset rbac-global-IS-GLOBAL-ADMIN:1 endDelimiter:--// -- ------------------------------------------------------------------ -create or replace function isGlobalAdmin() +create or replace function rbac.isGlobalAdmin() returns boolean language plpgsql as $$ begin 
@@ -36,117 +36,117 @@ end; $$; -- ============================================================================ ---changeset rbac-global-HAS-GLOBAL-PERMISSION:1 endDelimiter:--// +--changeset rbac-global-HAS-global-PERMISSION:1 endDelimiter:--// -- ------------------------------------------------------------------ -create or replace function hasGlobalPermission(op RbacOp) +create or replace function rbac.hasGlobalPermission(op RbacOp) returns boolean language sql as $$ -- TODO.perf: this could to be optimized -select (select uuid from global) in - (select queryAccessibleObjectUuidsOfSubjectIds(op, 'global', rbac.currentSubjectOrAssumedRolesUuids())); +select (select uuid from rbac.global) in + (select queryAccessibleObjectUuidsOfSubjectIds(op, 'rbac.global', rbac.currentSubjectOrAssumedRolesUuids())); $$; --// -- ============================================================================ ---changeset rbac-global-GLOBAL-IDENTITY-VIEW:1 endDelimiter:--// +--changeset rbac-global-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- /* - Creates a view to the global object table which maps the identifying name to the objectUuid. + Creates a view to the rbac.global object table which maps the identifying name to the objectUuid. */ -drop view if exists global_iv; -create or replace view global_iv as +drop view if exists rbac.global_iv; +create or replace view rbac.global_iv as select target.uuid, target.name as idName - from global as target; -grant all privileges on global_iv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME}; + from rbac.global as target; +grant all privileges on rbac.global_iv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME}; /* Returns the objectUuid for a given identifying name (in this case the idName). 
*/ -create or replace function globalUuidByIdName(idName varchar) +create or replace function rbac.globalUuidByIdName(idName varchar) returns uuid language sql strict as $$ -select uuid from global_iv iv where iv.idName = globalUuidByIdName.idName; +select uuid from rbac.global_iv iv where iv.idName = globalUuidByIdName.idName; $$; /* Returns the identifying name for a given objectUuid (in this case the idName). */ -create or replace function globalIdNameByUuid(uuid uuid) +create or replace function rbac.globalIdNameByUuid(uuid uuid) returns varchar language sql strict as $$ -select idName from global_iv iv where iv.uuid = globalIdNameByUuid.uuid; +select idName from rbac.global_iv iv where iv.uuid = globalIdNameByUuid.uuid; $$; --// --liquibase formatted sql -- ============================================================================ ---changeset rbac-global-PSEUDO-OBJECT:1 endDelimiter:--// +--changeset rbac-rbac.Global-PSEUDO-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- /** - A single row to be referenced as a global object. + A single row to be referenced as a rbac.Global object. 
*/ begin transaction; -call basis.defineContext('initializing table "global"', null, null, null); +call basis.defineContext('initializing table "rbac.global"', null, null, null); insert - into rbac.object (objecttable) values ('global'); + into rbac.object (objecttable) values ('rbac.global'); insert - into Global (uuid, name) values ((select uuid from rbac.object where objectTable = 'global'), 'global'); + into rbac.global (uuid, name) values ((select uuid from rbac.object where objectTable = 'rbac.global'), 'global'); commit; --// -- ============================================================================ ---changeset rbac-global-ADMIN-ROLE:1 endDelimiter:--// +--changeset rbac-rbac.Global-ADMIN-ROLE:1 endDelimiter:--// -- ---------------------------------------------------------------------------- /* - A global administrator role. + A rbac.Global administrator role. */ create or replace function globalAdmin(assumed boolean = true) returns RbacRoleDescriptor returns null on null input stable -- leakproof language sql as $$ -select 'global', (select uuid from rbac.object where objectTable = 'global'), 'ADMIN'::RbacRoleType, assumed; +select 'rbac.global', (select uuid from rbac.object where objectTable = 'rbac.global'), 'ADMIN'::RbacRoleType, assumed; $$; begin transaction; - call basis.defineContext('creating role:global#global:ADMIN', null, null, null); + call basis.defineContext('creating role:rbac.global#global:ADMIN', null, null, null); select createRole(globalAdmin()); commit; --// -- ============================================================================ ---changeset rbac-global-GUEST-ROLE:1 endDelimiter:--// +--changeset rbac-rbac.Global-GUEST-ROLE:1 endDelimiter:--// -- ---------------------------------------------------------------------------- /* - A global guest role. + A rbac.Global guest role. 
*/ create or replace function globalGuest(assumed boolean = true) returns RbacRoleDescriptor returns null on null input stable -- leakproof language sql as $$ -select 'global', (select uuid from rbac.object where objectTable = 'global'), 'GUEST'::RbacRoleType, assumed; +select 'rbac.global', (select uuid from rbac.object where objectTable = 'rbac.global'), 'GUEST'::RbacRoleType, assumed; $$; begin transaction; - call basis.defineContext('creating role:global#global:guest', null, null, null); + call basis.defineContext('creating role:rbac.global#global:guest', null, null, null); select createRole(globalGuest()); commit; --// -- ============================================================================ ---changeset rbac-global-ADMIN-USERS:1 context:dev,tc endDelimiter:--// +--changeset rbac-GLOBAL-ADMIN-USERS:1 context:dev,tc endDelimiter:--// -- ---------------------------------------------------------------------------- /* Create two users and assign both to the administrators role. @@ -168,7 +168,7 @@ $$; -- ============================================================================ ---changeset rbac-global-TEST:1 context:dev,tc runAlways:true endDelimiter:--// +--changeset rbac-GLOBAL-TEST:1 context:dev,tc runAlways:true endDelimiter:--// -- ---------------------------------------------------------------------------- /* diff --git a/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.md b/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.md index 19e67a38..b1c4ab5a 100644 --- a/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.md +++ b/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.md 
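Review bot: `grant all privileges on rbac.global_iv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};` in the IDENTITY-VIEW changeset gives the restricted account INSERT, UPDATE and DELETE on the identity view, while the table itself is granted `select` only. A single-table view like this one is automatically updatable in PostgreSQL, and unless it is declared `security_invoker` the write is checked against the view owner's rights on `rbac.global`, so the restricted role could probably change or remove the global row through the view. The grant predates this commit, but since the line is being rewritten anyway it should become `grant select on rbac.global_iv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};`. Separately, `globalAdmin()` and `globalGuest()` stay unqualified in this hunk while `isGlobalAdmin` and `hasGlobalPermission` move into the `rbac` schema.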
@@ -32,12 +32,12 @@ end user:creator ==>|XX| role:customer:OWNER %% granting roles to roles -role:global:ADMIN ==>|XX| role:customer:OWNER +role:rbac.global:ADMIN ==>|XX| role:customer:OWNER role:customer:OWNER ==> role:customer:ADMIN role:customer:ADMIN ==> role:customer:TENANT %% granting permissions to roles -role:global:ADMIN ==> perm:customer:INSERT +role:rbac.global:ADMIN ==> perm:customer:INSERT role:customer:OWNER ==> perm:customer:DELETE role:customer:ADMIN ==> perm:customer:UPDATE role:customer:TENANT ==> perm:customer:SELECT diff --git a/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql b/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql index 6117c1e6..4bcd7ef8 100644 --- a/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql +++ b/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql @@ -80,18 +80,18 @@ execute procedure insertTriggerForTestCustomer_tf(); --changeset test-customer-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--// -- ---------------------------------------------------------------------------- --- granting INSERT permission to global ---------------------------- +-- granting INSERT permission to rbac.global ---------------------------- /* - Grants INSERT INTO test_customer permissions to specified role of pre-existing global rows. + Grants INSERT INTO test_customer permissions to specified role of pre-existing rbac.global rows. */ do language plpgsql $$ declare - row global; + row rbac.global%ROWTYPE; begin - call basis.defineContext('create INSERT INTO test_customer permissions for pre-exising global rows'); + call basis.defineContext('create INSERT INTO test_customer permissions for pre-exising rbac.global rows'); - FOR row IN SELECT * FROM global + FOR row IN SELECT * FROM rbac.global -- unconditional for all rows in that table LOOP call grantPermissionToRole( 
@@ -102,7 +102,7 @@ do language plpgsql $$ $$; /** - Grants test_customer INSERT permission to specified role of new global rows. + Grants test_customer INSERT permission to specified role of new rbac.global rows. */ create or replace function new_test_customer_grants_insert_to_global_tf() returns trigger @@ -119,7 +119,7 @@ end; $$; -- z_... is to put it at the end of after insert triggers, to make sure the roles exist create trigger z_new_test_customer_grants_insert_to_global_tg - after insert on global + after insert on rbac.global for each row execute procedure new_test_customer_grants_insert_to_global_tf(); @@ -137,8 +137,8 @@ create or replace function test_customer_insert_permission_check_tf() declare superObjectUuid uuid; begin - -- check INSERT INSERT if global ADMIN - if isGlobalAdmin() then + -- check INSERT INSERT if rbac.global ADMIN + if rbac.isGlobalAdmin() then return NEW; end if; diff --git a/src/main/resources/db/changelog/2-test/201-test-customer/2018-test-customer-test-data.sql b/src/main/resources/db/changelog/2-test/201-test-customer/2018-test-customer-test-data.sql index 7fd294f0..70e0a993 100644 --- a/src/main/resources/db/changelog/2-test/201-test-customer/2018-test-customer-test-data.sql +++ b/src/main/resources/db/changelog/2-test/201-test-customer/2018-test-customer-test-data.sql @@ -72,7 +72,7 @@ end; $$; do language plpgsql $$ begin - call basis.defineContext('creating RBAC test customer', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN'); + call basis.defineContext('creating RBAC test customer', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN'); call createTestCustomerTestData(99901, 'xxx'); call createTestCustomerTestData(99902, 'yyy'); diff --git a/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.md b/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.md index af3a5f84..4114d6b3 100644 
--- a/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.md +++ b/src/main/resources/db/changelog/2-test/202-test-package/2023-test-package-rbac.md @@ -42,7 +42,7 @@ subgraph package["`**package**`"] end %% granting roles to roles -role:global:ADMIN -.->|XX| role:customer:OWNER +role:rbac.global:ADMIN -.->|XX| role:customer:OWNER role:customer:OWNER -.-> role:customer:ADMIN role:customer:ADMIN -.-> role:customer:TENANT role:customer:ADMIN ==> role:package:OWNER diff --git a/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.md b/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.md index 72693972..a9716182 100644 --- a/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.md +++ b/src/main/resources/db/changelog/2-test/203-test-domain/2033-test-domain-rbac.md @@ -54,7 +54,7 @@ subgraph package.customer["`**package.customer**`"] end %% granting roles to roles -role:global:ADMIN -.->|XX| role:package.customer:OWNER +role:rbac.global:ADMIN -.->|XX| role:package.customer:OWNER role:package.customer:OWNER -.-> role:package.customer:ADMIN role:package.customer:ADMIN -.-> role:package.customer:TENANT role:package.customer:ADMIN -.-> role:package:OWNER diff --git a/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.md b/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.md index fe736072..b91848c6 100644 --- a/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.md +++ b/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.md @@ -32,7 +32,7 @@ end user:creator ==> role:contact:OWNER %% granting roles to roles -role:global:ADMIN ==> role:contact:OWNER +role:rbac.global:ADMIN ==> role:contact:OWNER role:contact:OWNER ==> role:contact:ADMIN role:contact:ADMIN ==> role:contact:REFERRER 
@@ -40,6 +40,6 @@ role:contact:ADMIN ==> role:contact:REFERRER role:contact:OWNER ==> perm:contact:DELETE role:contact:ADMIN ==> perm:contact:UPDATE role:contact:REFERRER ==> perm:contact:SELECT -role:global:GUEST ==> perm:contact:INSERT +role:rbac.global:GUEST ==> perm:contact:INSERT ``` diff --git a/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.md b/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.md index d0eebfdd..4ace6eed 100644 --- a/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.md +++ b/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.md @@ -32,12 +32,12 @@ end user:creator ==> role:person:OWNER %% granting roles to roles -role:global:ADMIN ==> role:person:OWNER +role:rbac.global:ADMIN ==> role:person:OWNER role:person:OWNER ==> role:person:ADMIN role:person:ADMIN ==> role:person:REFERRER %% granting permissions to roles -role:global:GUEST ==> perm:person:INSERT +role:rbac.global:GUEST ==> perm:person:INSERT role:person:OWNER ==> perm:person:DELETE role:person:ADMIN ==> perm:person:UPDATE role:person:REFERRER ==> perm:person:SELECT diff --git a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac-REPRESENTATIVE.md b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac-REPRESENTATIVE.md index 0d944401..743aa7bf 100644 --- a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac-REPRESENTATIVE.md +++ b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac-REPRESENTATIVE.md 
@@ -72,16 +72,16 @@ end user:creator ==> role:relation:OWNER %% granting roles to roles -role:global:ADMIN -.-> role:anchorPerson:OWNER +role:rbac.global:ADMIN -.-> role:anchorPerson:OWNER role:anchorPerson:OWNER -.-> role:anchorPerson:ADMIN role:anchorPerson:ADMIN -.-> role:anchorPerson:REFERRER -role:global:ADMIN -.-> role:holderPerson:OWNER +role:rbac.global:ADMIN -.-> role:holderPerson:OWNER role:holderPerson:OWNER -.-> role:holderPerson:ADMIN role:holderPerson:ADMIN -.-> role:holderPerson:REFERRER -role:global:ADMIN -.-> role:contact:OWNER +role:rbac.global:ADMIN -.-> role:contact:OWNER role:contact:OWNER -.-> role:contact:ADMIN role:contact:ADMIN -.-> role:contact:REFERRER -role:global:ADMIN ==> role:relation:OWNER +role:rbac.global:ADMIN ==> role:relation:OWNER role:holderPerson:ADMIN ==> role:relation:OWNER role:relation:OWNER ==> role:relation:ADMIN role:relation:ADMIN ==> role:anchorPerson:OWNER diff --git a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.md b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.md index 47d4d220..ccd95235 100644 --- a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.md +++ b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.md 
@@ -72,16 +72,16 @@ end user:creator ==> role:relation:OWNER %% granting roles to roles -role:global:ADMIN -.-> role:anchorPerson:OWNER +role:rbac.global:ADMIN -.-> role:anchorPerson:OWNER role:anchorPerson:OWNER -.-> role:anchorPerson:ADMIN role:anchorPerson:ADMIN -.-> role:anchorPerson:REFERRER -role:global:ADMIN -.-> role:holderPerson:OWNER +role:rbac.global:ADMIN -.-> role:holderPerson:OWNER role:holderPerson:OWNER -.-> role:holderPerson:ADMIN role:holderPerson:ADMIN -.-> role:holderPerson:REFERRER -role:global:ADMIN -.-> role:contact:OWNER +role:rbac.global:ADMIN -.-> role:contact:OWNER role:contact:OWNER -.-> role:contact:ADMIN role:contact:ADMIN -.-> role:contact:REFERRER -role:global:ADMIN ==> role:relation:OWNER +role:rbac.global:ADMIN ==> role:relation:OWNER role:relation:OWNER ==> role:relation:ADMIN role:relation:ADMIN ==> role:relation:AGENT role:relation:AGENT ==> role:relation:TENANT diff --git a/src/main/resources/db/changelog/5-hs-office/503-relation/5038-hs-office-relation-test-data.sql b/src/main/resources/db/changelog/5-hs-office/503-relation/5038-hs-office-relation-test-data.sql index 56ee5791..9f4ef1c1 100644 --- a/src/main/resources/db/changelog/5-hs-office/503-relation/5038-hs-office-relation-test-data.sql +++ b/src/main/resources/db/changelog/5-hs-office/503-relation/5038-hs-office-relation-test-data.sql @@ -85,7 +85,7 @@ end; $$; do language plpgsql $$ begin - call basis.defineContext('creating relation test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN'); + call basis.defineContext('creating relation test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN'); call createHsOfficeRelationTestData('First GmbH', 'PARTNER', 'Hostsharing eG', 'first contact'); call createHsOfficeRelationTestData('Firby', 'REPRESENTATIVE', 'First GmbH', 'first contact'); 
diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.md b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.md index ecbe29de..162d81bf 100644 --- a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.md +++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.md @@ -87,16 +87,16 @@ subgraph partnerRel.holderPerson["`**partnerRel.holderPerson**`"] end %% granting roles to roles -role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER +role:rbac.global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER -role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER +role:rbac.global:ADMIN -.-> role:partnerRel.holderPerson:OWNER role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER -role:global:ADMIN -.-> role:partnerRel.contact:OWNER +role:rbac.global:ADMIN -.-> role:partnerRel.contact:OWNER role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER -role:global:ADMIN -.-> role:partnerRel:OWNER +role:rbac.global:ADMIN -.-> role:partnerRel:OWNER role:partnerRel:OWNER -.-> role:partnerRel:ADMIN role:partnerRel:ADMIN -.-> role:partnerRel:AGENT role:partnerRel:AGENT -.-> role:partnerRel:TENANT @@ -108,7 +108,7 @@ role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:OWNER role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT %% granting permissions to roles -role:global:ADMIN ==> perm:partner:INSERT +role:rbac.global:ADMIN ==> perm:partner:INSERT role:partnerRel:OWNER ==> perm:partner:DELETE role:partnerRel:ADMIN ==> perm:partner:UPDATE role:partnerRel:TENANT ==> perm:partner:SELECT 
diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql index debae10b..8428f536 100644 --- a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql @@ -157,18 +157,18 @@ execute procedure updateTriggerForHsOfficePartner_tf(); --changeset hs-office-partner-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--// -- ---------------------------------------------------------------------------- --- granting INSERT permission to global ---------------------------- +-- granting INSERT permission to rbac.global ---------------------------- /* - Grants INSERT INTO hs_office_partner permissions to specified role of pre-existing global rows. + Grants INSERT INTO hs_office_partner permissions to specified role of pre-existing rbac.global rows. */ do language plpgsql $$ declare - row global; + row rbac.global%ROWTYPE; begin - call basis.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising global rows'); + call basis.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising rbac.Global rows'); - FOR row IN SELECT * FROM global + FOR row IN SELECT * FROM rbac.global -- unconditional for all rows in that table LOOP call grantPermissionToRole( @@ -179,7 +179,7 @@ do language plpgsql $$ $$; /** - Grants hs_office_partner INSERT permission to specified role of new global rows. + Grants hs_office_partner INSERT permission to specified role of new rbac.global rows. */ create or replace function new_hs_office_partner_grants_insert_to_global_tf() returns trigger 
@@ -196,7 +196,7 @@ end; $$; -- z_... is to put it at the end of after insert triggers, to make sure the roles exist create trigger z_new_hs_office_partner_grants_insert_to_global_tg - after insert on global + after insert on rbac.global for each row execute procedure new_hs_office_partner_grants_insert_to_global_tf(); @@ -214,8 +214,8 @@ create or replace function hs_office_partner_insert_permission_check_tf() declare superObjectUuid uuid; begin - -- check INSERT INSERT if global ADMIN - if isGlobalAdmin() then + -- check INSERT INSERT if rbac.global ADMIN + if rbac.isGlobalAdmin() then return NEW; end if; diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.md b/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.md index 347896bb..e79f14f4 100644 --- a/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.md +++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.md @@ -18,6 +18,6 @@ subgraph partnerDetails["`**partnerDetails**`"] end %% granting permissions to roles -role:global:ADMIN ==> perm:partnerDetails:INSERT +role:rbac.global:ADMIN ==> perm:partnerDetails:INSERT ``` diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql b/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql index 93d6de7f..a3e74102 100644 --- a/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5044-hs-office-partner-details-rbac.sql 
@@ -61,25 +61,25 @@ execute procedure insertTriggerForHsOfficePartnerDetails_tf(); --changeset hs-office-partner-details-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--// -- ---------------------------------------------------------------------------- --- granting INSERT permission to global ---------------------------- +-- granting INSERT permission to rbac.global ---------------------------- /* - Grants INSERT INTO hs_office_partner_details permissions to specified role of pre-existing global rows. + Grants INSERT INTO hs_office_partner_details permissions to specified role of pre-existing rbac.global rows. */ do language plpgsql $$ - declare - row global; - begin - call basis.defineContext('create INSERT INTO hs_office_partner_details permissions for pre-exising global rows'); +declare + row rbac.global; +begin + call basis.defineContext('create INSERT INTO hs_office_partner_details permissions for pre-exising global rows'); - FOR row IN SELECT * FROM global - -- unconditional for all rows in that table - LOOP + FOR row IN SELECT * FROM rbac.global + -- unconditional for all rows in that table + LOOP call grantPermissionToRole( createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'), globalADMIN()); - END LOOP; - end; + END LOOP; +end; $$; /** @@ -100,7 +100,7 @@ end; $$; -- z_... is to put it at the end of after insert triggers, to make sure the roles exist create trigger z_new_hs_office_partner_details_grants_insert_to_global_tg - after insert on global + after insert on rbac.global for each row execute procedure new_hs_office_partner_details_grants_insert_to_global_tf(); @@ -118,8 +118,8 @@ create or replace function hs_office_partner_details_insert_permission_check_tf( declare superObjectUuid uuid; begin - -- check INSERT INSERT if global ADMIN - if isGlobalAdmin() then + -- check INSERT INSERT if rbac.Global ADMIN + if rbac.isGlobalAdmin() then return NEW; end if; 
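Review bot: The row variable in this `do` block is declared as `row rbac.global;`, while the partner, debitor, membership and booking-item versions of the same block in this patch use `row rbac.global%ROWTYPE;`, and the `defineContext` message here still says `global rows` where the others were updated. Both declarations should behave the same in PL/pgSQL, but the blocks look as if they come from one template, so I would keep them identical: `row rbac.global%ROWTYPE;`. The hunk also re-indents the whole block, which buries the few lines that actually change the grant loop. Keeping the original indentation would make the permission-relevant change easier to review.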
diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5048-hs-office-partner-test-data.sql b/src/main/resources/db/changelog/5-hs-office/504-partner/5048-hs-office-partner-test-data.sql index ae932604..acc3a899 100644 --- a/src/main/resources/db/changelog/5-hs-office/504-partner/5048-hs-office-partner-test-data.sql +++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5048-hs-office-partner-test-data.sql @@ -71,7 +71,7 @@ end; $$; do language plpgsql $$ begin - call basis.defineContext('creating partner test-data ', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN'); + call basis.defineContext('creating partner test-data ', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN'); call createHsOfficePartnerTestData('Hostsharing eG', 10001, 'First GmbH', 'first contact'); call createHsOfficePartnerTestData('Hostsharing eG', 10002, 'Second e.K.', 'second contact'); diff --git a/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.md b/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.md index 4558815c..7a2b3af9 100644 --- a/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.md +++ b/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.md @@ -32,12 +32,12 @@ end user:creator ==> role:bankAccount:OWNER %% granting roles to roles -role:global:ADMIN ==> role:bankAccount:OWNER +role:rbac.global:ADMIN ==> role:bankAccount:OWNER role:bankAccount:OWNER ==> role:bankAccount:ADMIN role:bankAccount:ADMIN ==> role:bankAccount:REFERRER %% granting permissions to roles -role:global:GUEST ==> perm:bankAccount:INSERT +role:rbac.global:GUEST ==> perm:bankAccount:INSERT role:bankAccount:OWNER ==> perm:bankAccount:DELETE role:bankAccount:ADMIN ==> perm:bankAccount:UPDATE role:bankAccount:REFERRER ==> perm:bankAccount:SELECT 
diff --git a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.md b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.md index ef8bc404..7caebefa 100644 --- a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.md +++ b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.md @@ -140,16 +140,16 @@ subgraph refundBankAccount["`**refundBankAccount**`"] end %% granting roles to roles -role:global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER +role:rbac.global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER role:debitorRel.anchorPerson:OWNER -.-> role:debitorRel.anchorPerson:ADMIN role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel.anchorPerson:REFERRER -role:global:ADMIN -.-> role:debitorRel.holderPerson:OWNER +role:rbac.global:ADMIN -.-> role:debitorRel.holderPerson:OWNER role:debitorRel.holderPerson:OWNER -.-> role:debitorRel.holderPerson:ADMIN role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER -role:global:ADMIN -.-> role:debitorRel.contact:OWNER +role:rbac.global:ADMIN -.-> role:debitorRel.contact:OWNER role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER -role:global:ADMIN -.-> role:debitorRel:OWNER +role:rbac.global:ADMIN -.-> role:debitorRel:OWNER role:debitorRel:OWNER -.-> role:debitorRel:ADMIN role:debitorRel:ADMIN -.-> role:debitorRel:AGENT role:debitorRel:AGENT -.-> role:debitorRel:TENANT 
@@ -159,21 +159,21 @@ role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:OWNER role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT -role:global:ADMIN -.-> role:refundBankAccount:OWNER +role:rbac.global:ADMIN -.-> role:refundBankAccount:OWNER role:refundBankAccount:OWNER -.-> role:refundBankAccount:ADMIN role:refundBankAccount:ADMIN -.-> role:refundBankAccount:REFERRER role:refundBankAccount:ADMIN ==> role:debitorRel:AGENT role:debitorRel:AGENT ==> role:refundBankAccount:REFERRER -role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER +role:rbac.global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER -role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER +role:rbac.global:ADMIN -.-> role:partnerRel.holderPerson:OWNER role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER -role:global:ADMIN -.-> role:partnerRel.contact:OWNER +role:rbac.global:ADMIN -.-> role:partnerRel.contact:OWNER role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER -role:global:ADMIN -.-> role:partnerRel:OWNER +role:rbac.global:ADMIN -.-> role:partnerRel:OWNER role:partnerRel:OWNER -.-> role:partnerRel:ADMIN role:partnerRel:ADMIN -.-> role:partnerRel:AGENT role:partnerRel:AGENT -.-> role:partnerRel:TENANT 
@@ -188,7 +188,7 @@ role:partnerRel:AGENT ==> role:debitorRel:AGENT role:debitorRel:AGENT ==> role:partnerRel:TENANT %% granting permissions to roles -role:global:ADMIN ==> perm:debitor:INSERT +role:rbac.global:ADMIN ==> perm:debitor:INSERT role:debitorRel:OWNER ==> perm:debitor:DELETE role:debitorRel:ADMIN ==> perm:debitor:UPDATE role:debitorRel:TENANT ==> perm:debitor:SELECT diff --git a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql index d53a08ef..62d3ba8b 100644 --- a/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/506-debitor/5063-hs-office-debitor-rbac.sql @@ -130,18 +130,18 @@ execute procedure updateTriggerForHsOfficeDebitor_tf(); --changeset hs-office-debitor-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--// -- ---------------------------------------------------------------------------- --- granting INSERT permission to global ---------------------------- +-- granting INSERT permission to rbac.Global ---------------------------- /* - Grants INSERT INTO hs_office_debitor permissions to specified role of pre-existing global rows. + Grants INSERT INTO hs_office_debitor permissions to specified role of pre-existing rbac.global rows. */ do language plpgsql $$ declare - row global; + row rbac.global%ROWTYPE; begin - call basis.defineContext('create INSERT INTO hs_office_debitor permissions for pre-exising global rows'); + call basis.defineContext('create INSERT INTO hs_office_debitor permissions for pre-exising rbac.Global rows'); - FOR row IN SELECT * FROM global + FOR row IN SELECT * FROM rbac.global -- unconditional for all rows in that table LOOP call grantPermissionToRole( 
@@ -152,7 +152,7 @@ do language plpgsql $$ $$; /** - Grants hs_office_debitor INSERT permission to specified role of new global rows. + Grants hs_office_debitor INSERT permission to specified role of new rbac.global rows. */ create or replace function new_hs_office_debitor_grants_insert_to_global_tf() returns trigger @@ -169,7 +169,7 @@ end; $$; -- z_... is to put it at the end of after insert triggers, to make sure the roles exist create trigger z_new_hs_office_debitor_grants_insert_to_global_tg - after insert on global + after insert on rbac.global for each row execute procedure new_hs_office_debitor_grants_insert_to_global_tf(); @@ -187,8 +187,8 @@ create or replace function hs_office_debitor_insert_permission_check_tf() declare superObjectUuid uuid; begin - -- check INSERT INSERT if global ADMIN - if isGlobalAdmin() then + -- check INSERT INSERT if rbac.global ADMIN + if rbac.isGlobalAdmin() then return NEW; end if; diff --git a/src/main/resources/db/changelog/5-hs-office/506-debitor/5068-hs-office-debitor-test-data.sql b/src/main/resources/db/changelog/5-hs-office/506-debitor/5068-hs-office-debitor-test-data.sql index 399c9e70..cb4ce02e 100644 --- a/src/main/resources/db/changelog/5-hs-office/506-debitor/5068-hs-office-debitor-test-data.sql +++ b/src/main/resources/db/changelog/5-hs-office/506-debitor/5068-hs-office-debitor-test-data.sql @@ -50,7 +50,7 @@ end; $$; do language plpgsql $$ begin - call basis.defineContext('creating debitor test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN'); + call basis.defineContext('creating debitor test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN'); call createHsOfficeDebitorTestData(11, 'First GmbH', 'first contact', 'fir'); call createHsOfficeDebitorTestData(12, 'Second e.K.', 'second contact', 'sec'); 
diff --git a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.md b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.md index d6b47c0e..a2a89591 100644 --- a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.md +++ b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.md @@ -99,16 +99,16 @@ end user:creator ==> role:sepaMandate:OWNER %% granting roles to roles -role:global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER +role:rbac.global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER role:debitorRel.anchorPerson:OWNER -.-> role:debitorRel.anchorPerson:ADMIN role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel.anchorPerson:REFERRER -role:global:ADMIN -.-> role:debitorRel.holderPerson:OWNER +role:rbac.global:ADMIN -.-> role:debitorRel.holderPerson:OWNER role:debitorRel.holderPerson:OWNER -.-> role:debitorRel.holderPerson:ADMIN role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER -role:global:ADMIN -.-> role:debitorRel.contact:OWNER +role:rbac.global:ADMIN -.-> role:debitorRel.contact:OWNER role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER -role:global:ADMIN -.-> role:debitorRel:OWNER +role:rbac.global:ADMIN -.-> role:debitorRel:OWNER role:debitorRel:OWNER -.-> role:debitorRel:ADMIN role:debitorRel:ADMIN -.-> role:debitorRel:AGENT role:debitorRel:AGENT -.-> role:debitorRel:TENANT 
@@ -118,10 +118,10 @@ role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:OWNER role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT -role:global:ADMIN -.-> role:bankAccount:OWNER +role:rbac.global:ADMIN -.-> role:bankAccount:OWNER role:bankAccount:OWNER -.-> role:bankAccount:ADMIN role:bankAccount:ADMIN -.-> role:bankAccount:REFERRER -role:global:ADMIN ==> role:sepaMandate:OWNER +role:rbac.global:ADMIN ==> role:sepaMandate:OWNER role:sepaMandate:OWNER ==> role:sepaMandate:ADMIN role:sepaMandate:ADMIN ==> role:sepaMandate:AGENT role:sepaMandate:AGENT ==> role:bankAccount:REFERRER diff --git a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5078-hs-office-sepamandate-test-data.sql b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5078-hs-office-sepamandate-test-data.sql index 071ad1b8..49f30655 100644 --- a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5078-hs-office-sepamandate-test-data.sql +++ b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5078-hs-office-sepamandate-test-data.sql @@ -43,7 +43,7 @@ end; $$; do language plpgsql $$ begin - call basis.defineContext('creating SEPA-mandate test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN'); + call basis.defineContext('creating SEPA-mandate test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN'); call createHsOfficeSepaMandateTestData(10001, '11', 'DE02120300000000202051', 'ref-10001-11'); call createHsOfficeSepaMandateTestData(10002, '12', 'DE02100500000054540402', 'ref-10002-12'); diff --git a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.md b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.md index 083e244e..2b7b2739 100644 
--- a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.md +++ b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.md @@ -85,16 +85,16 @@ end user:creator ==> role:membership:OWNER %% granting roles to roles -role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER +role:rbac.global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER -role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER +role:rbac.global:ADMIN -.-> role:partnerRel.holderPerson:OWNER role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER -role:global:ADMIN -.-> role:partnerRel.contact:OWNER +role:rbac.global:ADMIN -.-> role:partnerRel.contact:OWNER role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER -role:global:ADMIN -.-> role:partnerRel:OWNER +role:rbac.global:ADMIN -.-> role:partnerRel:OWNER role:partnerRel:OWNER -.-> role:partnerRel:ADMIN role:partnerRel:ADMIN -.-> role:partnerRel:AGENT role:partnerRel:AGENT -.-> role:partnerRel:TENANT @@ -111,7 +111,7 @@ role:partnerRel:AGENT ==> role:membership:AGENT role:membership:AGENT ==> role:partnerRel:TENANT %% granting permissions to roles -role:global:ADMIN ==> perm:membership:INSERT +role:rbac.global:ADMIN ==> perm:membership:INSERT role:membership:ADMIN ==> perm:membership:DELETE role:membership:ADMIN ==> perm:membership:UPDATE role:membership:AGENT ==> perm:membership:SELECT diff --git a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql index d60f8eef..5994d929 100644 
--- a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql @@ -92,18 +92,18 @@ execute procedure insertTriggerForHsOfficeMembership_tf(); --changeset hs-office-membership-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--// -- ---------------------------------------------------------------------------- --- granting INSERT permission to global ---------------------------- +-- granting INSERT permission to rbac.global ---------------------------- /* - Grants INSERT INTO hs_office_membership permissions to specified role of pre-existing global rows. + Grants INSERT INTO hs_office_membership permissions to specified role of pre-existing rbac.global rows. */ do language plpgsql $$ declare - row global; + row rbac.global%ROWTYPE; begin - call basis.defineContext('create INSERT INTO hs_office_membership permissions for pre-exising global rows'); + call basis.defineContext('create INSERT INTO hs_office_membership permissions for pre-exising rbac.Global rows'); - FOR row IN SELECT * FROM global + FOR row IN SELECT * FROM rbac.global -- unconditional for all rows in that table LOOP call grantPermissionToRole( @@ -114,7 +114,7 @@ do language plpgsql $$ $$; /** - Grants hs_office_membership INSERT permission to specified role of new global rows. + Grants hs_office_membership INSERT permission to specified role of new rbac.Global rows. */ create or replace function new_hs_office_membership_grants_insert_to_global_tf() returns trigger @@ -131,7 +131,7 @@ end; $$; -- z_... is to put it at the end of after insert triggers, to make sure the roles exist create trigger z_new_hs_office_membership_grants_insert_to_global_tg - after insert on global + after insert on rbac.global for each row execute procedure new_hs_office_membership_grants_insert_to_global_tf(); 
@@ -149,8 +149,8 @@ create or replace function hs_office_membership_insert_permission_check_tf() declare superObjectUuid uuid; begin - -- check INSERT INSERT if global ADMIN - if isGlobalAdmin() then + -- check INSERT INSERT if rbac.Global ADMIN + if rbac.isGlobalAdmin() then return NEW; end if; diff --git a/src/main/resources/db/changelog/5-hs-office/510-membership/5108-hs-office-membership-test-data.sql b/src/main/resources/db/changelog/5-hs-office/510-membership/5108-hs-office-membership-test-data.sql index 36195fdb..805fb4b9 100644 --- a/src/main/resources/db/changelog/5-hs-office/510-membership/5108-hs-office-membership-test-data.sql +++ b/src/main/resources/db/changelog/5-hs-office/510-membership/5108-hs-office-membership-test-data.sql @@ -33,7 +33,7 @@ end; $$; do language plpgsql $$ begin - call basis.defineContext('creating Membership test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN'); + call basis.defineContext('creating Membership test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN'); call createHsOfficeMembershipTestData(10001, '01'); call createHsOfficeMembershipTestData(10002, '02'); diff --git a/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.md b/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.md index 23103840..aac10ba1 100644 --- a/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.md +++ b/src/main/resources/db/changelog/5-hs-office/511-coopshares/5113-hs-office-coopshares-rbac.md 
@@ -86,16 +86,16 @@ subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPers end %% granting roles to roles -role:global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER +role:rbac.global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER -role:global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER +role:rbac.global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER -role:global:ADMIN -.-> role:membership.partnerRel.contact:OWNER +role:rbac.global:ADMIN -.-> role:membership.partnerRel.contact:OWNER role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER -role:global:ADMIN -.-> role:membership.partnerRel:OWNER +role:rbac.global:ADMIN -.-> role:membership.partnerRel:OWNER role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT diff --git a/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.md b/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.md index de30185b..dba2011f 100644 --- a/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.md +++ b/src/main/resources/db/changelog/5-hs-office/512-coopassets/5123-hs-office-coopassets-rbac.md 
@@ -86,16 +86,16 @@ subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPers end %% granting roles to roles -role:global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER +role:rbac.global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER -role:global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER +role:rbac.global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER -role:global:ADMIN -.-> role:membership.partnerRel.contact:OWNER +role:rbac.global:ADMIN -.-> role:membership.partnerRel.contact:OWNER role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER -role:global:ADMIN -.-> role:membership.partnerRel:OWNER +role:rbac.global:ADMIN -.-> role:membership.partnerRel:OWNER role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT diff --git a/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.md b/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.md index 7fb81cd7..3f4204f3 100644 --- a/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.md +++ b/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.md 
@@ -44,7 +44,7 @@ subgraph project["`**project**`"] end %% granting roles to roles -role:global:ADMIN -.-> role:debitorRel:OWNER +role:rbac.global:ADMIN -.-> role:debitorRel:OWNER role:debitorRel:OWNER -.-> role:debitorRel:ADMIN role:debitorRel:ADMIN -.-> role:debitorRel:AGENT role:debitorRel:AGENT -.-> role:debitorRel:TENANT @@ -56,7 +56,7 @@ role:project:TENANT ==> role:debitorRel:TENANT %% granting permissions to roles role:debitorRel:ADMIN ==> perm:project:INSERT -role:global:ADMIN ==> perm:project:DELETE +role:rbac.global:ADMIN ==> perm:project:DELETE role:project:ADMIN ==> perm:project:UPDATE role:project:TENANT ==> perm:project:SELECT diff --git a/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6208-hs-booking-project-test-data.sql b/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6208-hs-booking-project-test-data.sql index 459f4cee..d9f2653d 100644 --- a/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6208-hs-booking-project-test-data.sql +++ b/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6208-hs-booking-project-test-data.sql @@ -39,7 +39,7 @@ end; $$; do language plpgsql $$ begin - call basis.defineContext('creating booking-project test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN'); + call basis.defineContext('creating booking-project test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN'); call createHsBookingProjectTransactionTestData(10001, '11'); call createHsBookingProjectTransactionTestData(10002, '12'); diff --git a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.md b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.md index 4775616f..4c19e05f 100644 --- a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.md +++ b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.md 
@@ -54,8 +54,8 @@ role:bookingItem:AGENT ==> role:bookingItem:TENANT role:bookingItem:TENANT ==> role:project:TENANT %% granting permissions to roles -role:global:ADMIN ==> perm:bookingItem:INSERT -role:global:ADMIN ==> perm:bookingItem:DELETE +role:rbac.global:ADMIN ==> perm:bookingItem:INSERT +role:rbac.global:ADMIN ==> perm:bookingItem:DELETE role:project:ADMIN ==> perm:bookingItem:INSERT role:bookingItem:ADMIN ==> perm:bookingItem:UPDATE role:bookingItem:TENANT ==> perm:bookingItem:SELECT diff --git a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.sql b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.sql index bc47690a..55467ff8 100644 --- a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.sql +++ b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6203-hs-booking-item-rbac.sql @@ -105,11 +105,11 @@ execute procedure insertTriggerForHsBookingItem_tf(); */ do language plpgsql $$ declare - row global; + row rbac.global%ROWTYPE; begin - call basis.defineContext('create INSERT INTO hs_booking_item permissions for pre-exising global rows'); + call basis.defineContext('create INSERT INTO hs_booking_item permissions for pre-exising rbac.global rows'); - FOR row IN SELECT * FROM global + FOR row IN SELECT * FROM rbac.global -- unconditional for all rows in that table LOOP call grantPermissionToRole( @@ -120,7 +120,7 @@ do language plpgsql $$ $$; /** - Grants hs_booking_item INSERT permission to specified role of new global rows. + Grants hs_booking_item INSERT permission to specified role of new rbac.global rows. */ create or replace function new_hs_booking_item_grants_insert_to_global_tf() returns trigger 
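Review bot: `630-booking-item/6203-hs-booking-item-rbac.sql` receives exactly the same change as `630-booking-item/6303-hs-booking-item-rbac.sql` (both go from index bc47690a to 55467ff8), so the directory holds two identical copies of the script that creates `z_new_hs_booking_item_grants_insert_to_global_tg` and the INSERT permission check. Which copy db.changelog-master.yaml includes is not visible in this part of the patch. If only the 6303 file is included, the 6203 copy is a leftover that must be patched by hand on every RBAC change and can drift from the permission rules actually deployed; I would delete it. If both are included, the second `create trigger` would presumably fail because the trigger already exists.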
@@ -137,7 +137,7 @@ end; $$; -- z_... is to put it at the end of after insert triggers, to make sure the roles exist create trigger z_new_hs_booking_item_grants_insert_to_global_tg - after insert on global + after insert on rbac.global for each row execute procedure new_hs_booking_item_grants_insert_to_global_tf(); @@ -225,8 +225,8 @@ create or replace function hs_booking_item_insert_permission_check_tf() declare superObjectUuid uuid; begin - -- check INSERT INSERT if global ADMIN - if isGlobalAdmin() then + -- check INSERT INSERT if rbac.Global ADMIN + if rbac.isGlobalAdmin() then return NEW; end if; -- check INSERT permission via direct foreign key: NEW.projectUuid diff --git a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6208-hs-booking-item-test-data.sql b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6208-hs-booking-item-test-data.sql index aa610cf8..67522d9b 100644 --- a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6208-hs-booking-item-test-data.sql +++ b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6208-hs-booking-item-test-data.sql @@ -47,7 +47,7 @@ do language plpgsql $$ declare currentTask text; begin - call basis.defineContext('creating booking-item test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN'); + call basis.defineContext('creating booking-item test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN'); call createHsBookingItemTransactionTestData(10001, '11'); call createHsBookingItemTransactionTestData(10002, '12'); diff --git a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.md b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.md index 4775616f..4c19e05f 100644 --- a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.md +++ b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.md 
@@ -54,8 +54,8 @@ role:bookingItem:AGENT ==> role:bookingItem:TENANT role:bookingItem:TENANT ==> role:project:TENANT %% granting permissions to roles -role:global:ADMIN ==> perm:bookingItem:INSERT -role:global:ADMIN ==> perm:bookingItem:DELETE +role:rbac.global:ADMIN ==> perm:bookingItem:INSERT +role:rbac.global:ADMIN ==> perm:bookingItem:DELETE role:project:ADMIN ==> perm:bookingItem:INSERT role:bookingItem:ADMIN ==> perm:bookingItem:UPDATE role:bookingItem:TENANT ==> perm:bookingItem:SELECT diff --git a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql index bc47690a..55467ff8 100644 --- a/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql +++ b/src/main/resources/db/changelog/6-hs-booking/630-booking-item/6303-hs-booking-item-rbac.sql @@ -105,11 +105,11 @@ execute procedure insertTriggerForHsBookingItem_tf(); */ do language plpgsql $$ declare - row global; + row rbac.global%ROWTYPE; begin - call basis.defineContext('create INSERT INTO hs_booking_item permissions for pre-exising global rows'); + call basis.defineContext('create INSERT INTO hs_booking_item permissions for pre-exising rbac.global rows'); - FOR row IN SELECT * FROM global + FOR row IN SELECT * FROM rbac.global -- unconditional for all rows in that table LOOP call grantPermissionToRole( @@ -120,7 +120,7 @@ do language plpgsql $$ $$; /** - Grants hs_booking_item INSERT permission to specified role of new global rows. + Grants hs_booking_item INSERT permission to specified role of new rbac.global rows. */ create or replace function new_hs_booking_item_grants_insert_to_global_tf() returns trigger 
@@ -137,7 +137,7 @@ end; $$; -- z_... is to put it at the end of after insert triggers, to make sure the roles exist create trigger z_new_hs_booking_item_grants_insert_to_global_tg - after insert on global + after insert on rbac.global for each row execute procedure new_hs_booking_item_grants_insert_to_global_tf(); @@ -225,8 +225,8 @@ create or replace function hs_booking_item_insert_permission_check_tf() declare superObjectUuid uuid; begin - -- check INSERT INSERT if global ADMIN - if isGlobalAdmin() then + -- check INSERT INSERT if rbac.Global ADMIN + if rbac.isGlobalAdmin() then return NEW; end if; -- check INSERT permission via direct foreign key: NEW.projectUuid diff --git a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.md b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.md index d06f9f9a..b5ece0c6 100644 --- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.md +++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.md @@ -88,10 +88,10 @@ user:creator ==> role:asset:OWNER role:bookingItem:OWNER -.-> role:bookingItem:ADMIN role:bookingItem:ADMIN -.-> role:bookingItem:AGENT role:bookingItem:AGENT -.-> role:bookingItem:TENANT -role:global:ADMIN -.-> role:alarmContact:OWNER +role:rbac.global:ADMIN -.-> role:alarmContact:OWNER role:alarmContact:OWNER -.-> role:alarmContact:ADMIN role:alarmContact:ADMIN -.-> role:alarmContact:REFERRER -role:global:ADMIN ==>|XX| role:asset:OWNER +role:rbac.global:ADMIN ==>|XX| role:asset:OWNER role:bookingItem:ADMIN ==> role:asset:OWNER role:parentAsset:ADMIN ==> role:asset:OWNER role:asset:OWNER ==> role:asset:ADMIN 
@@ -107,9 +107,9 @@ role:asset:TENANT ==> role:parentAsset:TENANT role:alarmContact:ADMIN ==> role:asset:TENANT %% granting permissions to roles -role:global:ADMIN ==> perm:asset:INSERT +role:rbac.global:ADMIN ==> perm:asset:INSERT role:parentAsset:ADMIN ==> perm:asset:INSERT -role:global:GUEST ==> perm:asset:INSERT +role:rbac.global:GUEST ==> perm:asset:INSERT role:asset:OWNER ==> perm:asset:DELETE role:asset:ADMIN ==> perm:asset:UPDATE role:asset:TENANT ==> perm:asset:SELECT diff --git a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7018-hs-hosting-asset-test-data.sql b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7018-hs-hosting-asset-test-data.sql index 91610a8b..b24e01a3 100644 --- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7018-hs-hosting-asset-test-data.sql +++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7018-hs-hosting-asset-test-data.sql @@ -30,7 +30,7 @@ declare pgSqlInstanceUuid uuid; PgSqlSubjectUuid uuid; begin - call basis.defineContext('creating hosting-asset test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN'); + call basis.defineContext('creating hosting-asset test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN'); select project.* into relatedProject from hs_booking_project project @@ -110,7 +110,7 @@ end; $$; do language plpgsql $$ begin - call basis.defineContext('creating hosting-asset test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN'); + call basis.defineContext('creating hosting-asset test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN'); call createHsHostingAssetTestData('D-1000111 default project'); call createHsHostingAssetTestData('D-1000212 default project'); diff --git a/src/main/resources/db/changelog/9-hs-global/9000-statistics.sql b/src/main/resources/db/changelog/9-hs-global/9000-statistics.sql index 7265d2cc..4386fcb9 100644 
--- a/src/main/resources/db/changelog/9-hs-global/9000-statistics.sql +++ b/src/main/resources/db/changelog/9-hs-global/9000-statistics.sql @@ -6,7 +6,7 @@ CREATE VIEW hs_statistics_view AS select * from (select count, "table" as "rbac-table", '' as "hs-table", '' as "type" - from rbacstatisticsview + from rbac.statistics_v union all select to_char(count(*)::int, '9 999 999 999') as "count", 'objects' as "rbac-table", objecttable as "hs-table", '' as "type" from rbac.object diff --git a/src/main/resources/db/changelog/db.changelog-master.yaml b/src/main/resources/db/changelog/db.changelog-master.yaml index 51fa853b..bdd6d3c5 100644 --- a/src/main/resources/db/changelog/db.changelog-master.yaml +++ b/src/main/resources/db/changelog/db.changelog-master.yaml @@ -158,4 +158,4 @@ databaseChangeLog: - include: file: db/changelog/7-hs-hosting/701-hosting-asset/7018-hs-hosting-asset-test-data.sql - include: - file: db/changelog/9-hs-global/9000-statistics.sql + file: db/changelog/9-hs-global/9000-statistics.sql diff --git a/src/test/java/net/hostsharing/hsadminng/arch/ArchitectureTest.java b/src/test/java/net/hostsharing/hsadminng/arch/ArchitectureTest.java index ee19f534..3d31a30b 100644 --- a/src/test/java/net/hostsharing/hsadminng/arch/ArchitectureTest.java +++ b/src/test/java/net/hostsharing/hsadminng/arch/ArchitectureTest.java @@ -68,7 +68,7 @@ public class ArchitectureTest { "..mapper", "..ping", "..rbac", - "..rbac.rbacSubject", + "..rbac.subject", "..rbac.rbacgrant", "..rbac.rbacrole", "..rbac.rbacobject", diff --git a/src/test/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemRepositoryIntegrationTest.java index 40292ce3..cda131b2 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemRepositoryIntegrationTest.java +++ b/src/test/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemRepositoryIntegrationTest.java 
@@ -175,9 +175,9 @@ class HsBookingItemRepositoryIntegrationTest extends ContextBasedTestWithCleanup .containsExactlyInAnyOrder(fromFormatted( initialGrantNames, - // global-admin + // rbac.global-admin "{ grant perm:hs_booking_item#somenewbookingitem:INSERT>hs_booking_item to role:hs_booking_item#somenewbookingitem:ADMIN by system and assume }", - "{ grant perm:hs_booking_item#somenewbookingitem:DELETE to role:global#global:ADMIN by system and assume }", + "{ grant perm:hs_booking_item#somenewbookingitem:DELETE to role:rbac.global#global:ADMIN by system and assume }", // owner "{ grant role:hs_booking_item#somenewbookingitem:OWNER to role:hs_booking_project#D-1000111-D-1000111defaultproject:AGENT by system and assume }", diff --git a/src/test/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProjectRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProjectRepositoryIntegrationTest.java index 6fc7c555..ccab7074 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProjectRepositoryIntegrationTest.java +++ b/src/test/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProjectRepositoryIntegrationTest.java @@ -161,8 +161,8 @@ class HsBookingProjectRepositoryIntegrationTest extends ContextBasedTestWithClea .containsExactlyInAnyOrder(fromFormatted( initialGrantNames, - // global-admin - "{ grant perm:hs_booking_project#D-1000111-somenewbookingproject:DELETE to role:global#global:ADMIN by system and assume }", + // rbacgGlobal-admin + "{ grant perm:hs_booking_project#D-1000111-somenewbookingproject:DELETE to role:rbac.global#global:ADMIN by system and assume }", // owner "{ grant role:hs_booking_project#D-1000111-somenewbookingproject:ADMIN to role:hs_booking_project#D-1000111-somenewbookingproject:OWNER by system and assume }", 
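Review bot: The replaced comment in HsBookingProjectRepositoryIntegrationTest reads `// rbacgGlobal-admin`, a typo the sibling hunks do not have (`// rbac.global-admin` in HsBookingItemRepositoryIntegrationTest and HsHostingAssetRepositoryIntegrationTest). These are prose labels for a group of expected grants, not identifiers, so I would either keep the original `// global-admin` or use one spelling everywhere, `// rbac.global-admin`. The same mechanical replacement also changed prose in HsHostingAssetRepositoryIntegrationTest (`a rbac.global admin can see ...`) and TestPackageRepositoryIntegrationTest (`not just rbac.global-admin but lso the creating user`, where `lso` should be `also`). The test method starts and ends outside the hunk.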
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetRepositoryIntegrationTest.java index c2469a30..f54ee4cb 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetRepositoryIntegrationTest.java +++ b/src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetRepositoryIntegrationTest.java @@ -200,8 +200,8 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu .containsExactlyInAnyOrder(fromFormatted( initialGrantNames, - // global-admin - "{ grant role:hs_hosting_asset#fir00:OWNER to role:global#global:ADMIN by system }", // workaround + // rbac.global-admin + "{ grant role:hs_hosting_asset#fir00:OWNER to role:rbac.global#global:ADMIN by system }", // workaround // owner "{ grant role:hs_hosting_asset#fir00:OWNER to user:superuser-alex@hostsharing.net by hs_hosting_asset#fir00:OWNER and assume }", @@ -250,7 +250,7 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu context("person-SmithPeter@example.com"); assertThatAssetIsPersisted(result.returnedValue()); - // ... a global admin can see the new domain setup as well if the domain OWNER role is assumed + // ... a rbac.global admin can see the new domain setup as well if the domain OWNER role is assumed context("superuser-alex@hostsharing.net", "hs_hosting_asset#example.net:OWNER"); // only works with the assumed role assertThatAssetIsPersisted(result.returnedValue()); } diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/bankaccount/HsOfficeBankAccountRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/bankaccount/HsOfficeBankAccountRepositoryIntegrationTest.java index b7baaa95..c5882f7c 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/office/bankaccount/HsOfficeBankAccountRepositoryIntegrationTest.java 
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/bankaccount/HsOfficeBankAccountRepositoryIntegrationTest.java @@ -109,7 +109,7 @@ class HsOfficeBankAccountRepositoryIntegrationTest extends ContextBasedTestWithC assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(Array.fromFormatted( initialGrantNames, "{ grant perm:hs_office_bankaccount#DE25500105176934832579:DELETE to role:hs_office_bankaccount#DE25500105176934832579:OWNER by system and assume }", - "{ grant role:hs_office_bankaccount#DE25500105176934832579:OWNER to role:global#global:ADMIN by system and assume }", + "{ grant role:hs_office_bankaccount#DE25500105176934832579:OWNER to role:rbac.global#global:ADMIN by system and assume }", "{ grant role:hs_office_bankaccount#DE25500105176934832579:OWNER to user:selfregistered-user-drew@hostsharing.org by hs_office_bankaccount#DE25500105176934832579:OWNER and assume }", "{ grant role:hs_office_bankaccount#DE25500105176934832579:ADMIN to role:hs_office_bankaccount#DE25500105176934832579:OWNER by system and assume }", diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/contact/HsOfficeContactRbacRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/contact/HsOfficeContactRbacRepositoryIntegrationTest.java index dbaccbbd..9fc25607 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/office/contact/HsOfficeContactRbacRepositoryIntegrationTest.java +++ b/src/test/java/net/hostsharing/hsadminng/hs/office/contact/HsOfficeContactRbacRepositoryIntegrationTest.java 
@@ -109,7 +109,7 @@ class HsOfficeContactRbacRepositoryIntegrationTest extends ContextBasedTestWithC )); assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(Array.fromFormatted( initialGrantNames, - "{ grant role:hs_office_contact#anothernewcontact:OWNER to role:global#global:ADMIN by system and assume }", + "{ grant role:hs_office_contact#anothernewcontact:OWNER to role:rbac.global#global:ADMIN by system and assume }", "{ grant perm:hs_office_contact#anothernewcontact:UPDATE to role:hs_office_contact#anothernewcontact:ADMIN by system and assume }", "{ grant role:hs_office_contact#anothernewcontact:OWNER to user:selfregistered-user-drew@hostsharing.org by hs_office_contact#anothernewcontact:OWNER and assume }", "{ grant perm:hs_office_contact#anothernewcontact:DELETE to role:hs_office_contact#anothernewcontact:OWNER by system and assume }", diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorRepositoryIntegrationTest.java index ac29eb5e..50eb7164 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorRepositoryIntegrationTest.java +++ b/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorRepositoryIntegrationTest.java 
@@ -190,7 +190,7 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean // owner "{ grant perm:debitor#D-1000122:DELETE to role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER by system and assume }", "{ grant perm:relation#FirstGmbH-with-DEBITOR-FourtheG:DELETE to role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER by system and assume }", - "{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER to role:global#global:ADMIN by system and assume }", + "{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER to role:rbac.global#global:ADMIN by system and assume }", "{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER to role:person#FirstGmbH:ADMIN by system and assume }", "{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER to user:superuser-alex@hostsharing.net by relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER and assume }", @@ -349,7 +349,7 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean // then result.assertSuccessful(); - assertThatDebitorIsVisibleForUserWithRole(result.returnedValue(), "global#global:ADMIN", true); + assertThatDebitorIsVisibleForUserWithRole(result.returnedValue(), "rbac.global#global:ADMIN", true); // ... partner role was reassigned: assertThatDebitorIsNotVisibleForUserWithRole( @@ -398,7 +398,7 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean result.assertSuccessful(); assertThatDebitorIsVisibleForUserWithRole( result.returnedValue(), - "global#global:ADMIN", true); + "rbac.global#global:ADMIN", true); // ... bank-account role was assigned: assertThatDebitorIsVisibleForUserWithRole( 
@@ -427,7 +427,7 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean result.assertSuccessful(); assertThatDebitorIsVisibleForUserWithRole( result.returnedValue(), - "global#global:ADMIN", true); + "rbac.global#global:ADMIN", true); // ... bank-account role was removed from previous bank-account admin: assertThatDebitorIsNotVisibleForUserWithRole( diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerRepositoryIntegrationTest.java index 055a835c..f9db0bfa 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerRepositoryIntegrationTest.java +++ b/src/test/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerRepositoryIntegrationTest.java @@ -158,7 +158,7 @@ class HsOfficePartnerRepositoryIntegrationTest extends ContextBasedTestWithClean "{ grant perm:relation#HostsharingeG-with-PARTNER-EBess:SELECT to role:relation#HostsharingeG-with-PARTNER-EBess:TENANT by system and assume }", // relation owner - "{ grant role:relation#HostsharingeG-with-PARTNER-EBess:OWNER to role:global#global:ADMIN by system and assume }", + "{ grant role:relation#HostsharingeG-with-PARTNER-EBess:OWNER to role:rbac.global#global:ADMIN by system and assume }", "{ grant role:relation#HostsharingeG-with-PARTNER-EBess:OWNER to user:superuser-alex@hostsharing.net by relation#HostsharingeG-with-PARTNER-EBess:OWNER and assume }", // relation admin @@ -278,7 +278,7 @@ class HsOfficePartnerRepositoryIntegrationTest extends ContextBasedTestWithClean assertThatPartnerIsVisibleForUserWithRole( givenPartner, - "global#global:ADMIN"); + "rbac.global#global:ADMIN"); assertThatPartnerIsVisibleForUserWithRole( givenPartner, "hs_office_person#ThirdOHG:ADMIN"); 
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRepositoryIntegrationTest.java index 5445ff29..571fe256 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRepositoryIntegrationTest.java +++ b/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRepositoryIntegrationTest.java @@ -112,7 +112,7 @@ class HsOfficePersonRepositoryIntegrationTest extends ContextBasedTestWithCleanu "{ grant perm:hs_office_person#anothernewperson:INSERT>hs_office_relation to role:hs_office_person#anothernewperson:ADMIN by system and assume }", "{ grant role:hs_office_person#anothernewperson:OWNER to user:selfregistered-user-drew@hostsharing.org by hs_office_person#anothernewperson:OWNER and assume }", - "{ grant role:hs_office_person#anothernewperson:OWNER to role:global#global:ADMIN by system and assume }", + "{ grant role:hs_office_person#anothernewperson:OWNER to role:rbac.global#global:ADMIN by system and assume }", "{ grant perm:hs_office_person#anothernewperson:UPDATE to role:hs_office_person#anothernewperson:ADMIN by system and assume }", "{ grant perm:hs_office_person#anothernewperson:DELETE to role:hs_office_person#anothernewperson:OWNER by system and assume }", "{ grant role:hs_office_person#anothernewperson:ADMIN to role:hs_office_person#anothernewperson:OWNER by system and assume }", diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRepositoryIntegrationTest.java index 3092fb54..ac97db26 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRepositoryIntegrationTest.java +++ b/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRepositoryIntegrationTest.java 
@@ -133,7 +133,7 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea initialGrantNames, "{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:DELETE to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER by system and assume }", - "{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER to role:global#global:ADMIN by system and assume }", + "{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER to role:rbac.global#global:ADMIN by system and assume }", "{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER to user:superuser-alex@hostsharing.net by hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER and assume }", "{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:UPDATE to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:ADMIN by system and assume }", @@ -233,7 +233,7 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea assertThat(result.returnedValue().getContact().getCaption()).isEqualTo("sixth contact"); assertThatRelationIsVisibleForUserWithRole( result.returnedValue(), - "global#global:ADMIN"); + "rbac.global#global:ADMIN"); assertThatRelationIsVisibleForUserWithRole( result.returnedValue(), "hs_office_contact#sixthcontact:ADMIN"); diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/sepamandate/HsOfficeSepaMandateRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/sepamandate/HsOfficeSepaMandateRepositoryIntegrationTest.java index 8f7d7260..c41d1764 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/office/sepamandate/HsOfficeSepaMandateRepositoryIntegrationTest.java 
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/sepamandate/HsOfficeSepaMandateRepositoryIntegrationTest.java @@ -128,7 +128,7 @@ class HsOfficeSepaMandateRepositoryIntegrationTest extends ContextBasedTestWithC // owner "{ grant perm:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):DELETE to role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER by system and assume }", - "{ grant role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER to role:global#global:ADMIN by system and assume }", + "{ grant role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER to role:rbac.global#global:ADMIN by system and assume }", "{ grant role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER to user:superuser-alex@hostsharing.net by sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER and assume }", // admin diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantControllerAcceptanceTest.java index fca0ab74..4a91a3bb 100644 --- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantControllerAcceptanceTest.java +++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantControllerAcceptanceTest.java @@ -86,8 +86,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest { )) .body("", hasItem( allOf( - hasEntry("grantedByRoleIdName", "global#global:ADMIN"), - hasEntry("grantedRoleIdName", "global#global:ADMIN"), + hasEntry("grantedByRoleIdName", "rbac.global#global:ADMIN"), + hasEntry("grantedRoleIdName", "rbac.global#global:ADMIN"), hasEntry("granteeSubjectName", "superuser-fran@hostsharing.net") ) )) diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerAcceptanceTest.java index 5492d6d1..29c525a0 100644 
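Review bot: None of the visible tests pins what happens to the previous role id `global#global:ADMIN`, so a caller or stored configuration that still uses it is not covered. The `grantedByRoleIdName` and `grantedRoleIdName` entries in RbacGrantControllerAcceptanceTest show that the renamed id `rbac.global#global:ADMIN` is part of the REST responses, the hunks in RbacRoleControllerAcceptanceTest and RbacRoleControllerRestTest show the same for `roleName`, and the repository tests pass the same string as the assumed role. I would add one negative test asserting that assuming `global#global:ADMIN` is rejected with an error, and mention the rename in the API changelog; how assumed roles are resolved is not visible here, so the expected failure mode needs confirming against the context code. The test method starts and ends outside the hunk.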
--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerAcceptanceTest.java +++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerAcceptanceTest.java @@ -46,7 +46,7 @@ class RbacRoleControllerAcceptanceTest { .body("", hasItem(hasEntry("roleName", "test_customer#xxx:OWNER"))) .body("", hasItem(hasEntry("roleName", "test_customer#xxx:TENANT"))) // ... - .body("", hasItem(hasEntry("roleName", "global#global:ADMIN"))) + .body("", hasItem(hasEntry("roleName", "rbac.global#global:ADMIN"))) .body("", hasItem(hasEntry("roleName", "test_customer#yyy:ADMIN"))) .body("", hasItem(hasEntry("roleName", "test_package#yyy00:ADMIN"))) .body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa:OWNER"))) diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerRestTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerRestTest.java index 2686ade7..7aedb65f 100644 --- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerRestTest.java +++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerRestTest.java @@ -73,7 +73,7 @@ class RbacRoleControllerRestTest { // then .andExpect(status().isOk()) .andExpect(jsonPath("$", hasSize(3))) - .andExpect(jsonPath("$[0].roleName", is("global#global:ADMIN"))) + .andExpect(jsonPath("$[0].roleName", is("rbac.global#global:ADMIN"))) .andExpect(jsonPath("$[1].roleName", is("test_customer#xxx:OWNER"))) .andExpect(jsonPath("$[2].roleName", is("test_customer#xxx:ADMIN"))) .andExpect(jsonPath("$[2].uuid", is(customerXxxAdmin.getUuid().toString()))) diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepositoryIntegrationTest.java index 71182cd1..b7e3b3d9 100644 --- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepositoryIntegrationTest.java 
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepositoryIntegrationTest.java @@ -39,7 +39,7 @@ class RbacRoleRepositoryIntegrationTest { private static final String[] ALL_TEST_DATA_ROLES = Array.of( // @formatter:off - "global#global:ADMIN", + "rbac.global#global:ADMIN", "test_customer#xxx:ADMIN", "test_customer#xxx:OWNER", "test_customer#xxx:TENANT", "test_package#xxx00:ADMIN", "test_package#xxx00:OWNER", "test_package#xxx00:TENANT", "test_package#xxx01:ADMIN", "test_package#xxx01:OWNER", "test_package#xxx01:TENANT", @@ -70,7 +70,7 @@ class RbacRoleRepositoryIntegrationTest { @Test public void globalAdmin_withAssumedglobalAdminRole_canViewAllRbacRoles() { given: - context.define("superuser-alex@hostsharing.net", "global#global:ADMIN"); + context.define("superuser-alex@hostsharing.net", "rbac.global#global:ADMIN"); // when final var result = rbacRoleRepository.findAll(); @@ -110,7 +110,7 @@ class RbacRoleRepositoryIntegrationTest { noneOfTheseRbacRolesIsReturned( result, // @formatter:off - "global#global:ADMIN", + "rbac.global#global:ADMIN", "test_customer#xxx:OWNER", "test_package#yyy00:ADMIN", "test_package#yyy00:OWNER", diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/TestRbacRole.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/TestRbacRole.java index 73e30a1b..69b353b5 100644 --- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/TestRbacRole.java +++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/TestRbacRole.java 
@@ -4,7 +4,7 @@ import static java.util.UUID.randomUUID; public class TestRbacRole { - public static final RbacRoleEntity hostmasterRole = rbacRole("global", "global", RbacRoleType.ADMIN); + public static final RbacRoleEntity hostmasterRole = rbacRole("rbac.global", "global", RbacRoleType.ADMIN); static final RbacRoleEntity customerXxxOwner = rbacRole("test_customer", "xxx", RbacRoleType.OWNER); static final RbacRoleEntity customerXxxAdmin = rbacRole("test_customer", "xxx", RbacRoleType.ADMIN); diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/subject/RbacSubjectRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/subject/RbacSubjectRepositoryIntegrationTest.java index 841acfdf..d6e50c46 100644 --- a/src/test/java/net/hostsharing/hsadminng/rbac/subject/RbacSubjectRepositoryIntegrationTest.java +++ b/src/test/java/net/hostsharing/hsadminng/rbac/subject/RbacSubjectRepositoryIntegrationTest.java @@ -116,7 +116,7 @@ class RbacSubjectRepositoryIntegrationTest extends ContextBasedTest { @Test public void globalAdmin_withAssumedglobalAdminRole_canViewAllRbacSubjects() { given: - context("superuser-alex@hostsharing.net", "global#global:ADMIN"); + context("superuser-alex@hostsharing.net", "rbac.global#global:ADMIN"); // when final var result = rbacSubjectRepository.findByOptionalNameLike(null); diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/test/cust/TestCustomerEntityUnitTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/test/cust/TestCustomerEntityUnitTest.java index e7107909..c0ceb9c3 100644 --- a/src/test/java/net/hostsharing/hsadminng/rbac/test/cust/TestCustomerEntityUnitTest.java +++ b/src/test/java/net/hostsharing/hsadminng/rbac/test/cust/TestCustomerEntityUnitTest.java 
@@ -13,19 +13,19 @@ class TestCustomerEntityUnitTest { assertThat(rbacFlowchart).isEqualTo(""" %%{init:{'flowchart':{'htmlLabels':false}}}%% flowchart TB - + subgraph customer["`**customer**`"] direction TB style customer fill:#dd4901,stroke:#274d6e,stroke-width:8px - + subgraph customer:roles[ ] style customer:roles fill:#dd4901,stroke:white - + role:customer:OWNER[[customer:OWNER]] role:customer:ADMIN[[customer:ADMIN]] role:customer:TENANT[[customer:TENANT]] end - + subgraph customer:permissions[ ] style customer:permissions fill:#dd4901,stroke:white @@ -40,12 +40,12 @@ class TestCustomerEntityUnitTest { user:creator ==>|XX| role:customer:OWNER %% granting roles to roles - role:global:ADMIN ==>|XX| role:customer:OWNER + role:rbac.global:ADMIN ==>|XX| role:customer:OWNER role:customer:OWNER ==> role:customer:ADMIN role:customer:ADMIN ==> role:customer:TENANT %% granting permissions to roles - role:global:ADMIN ==> perm:customer:INSERT + role:rbac.global:ADMIN ==> perm:customer:INSERT role:customer:OWNER ==> perm:customer:DELETE role:customer:ADMIN ==> perm:customer:UPDATE role:customer:TENANT ==> perm:customer:SELECT diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/test/pac/TestPackageEntityUnitTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/test/pac/TestPackageEntityUnitTest.java index 824bb1bb..35d36c54 100644 --- a/src/test/java/net/hostsharing/hsadminng/rbac/test/pac/TestPackageEntityUnitTest.java +++ b/src/test/java/net/hostsharing/hsadminng/rbac/test/pac/TestPackageEntityUnitTest.java @@ -50,7 +50,7 @@ class TestPackageEntityUnitTest { end %% granting roles to roles - role:global:ADMIN -.->|XX| role:customer:OWNER + role:rbac.global:ADMIN -.->|XX| role:customer:OWNER role:customer:OWNER -.-> role:customer:ADMIN role:customer:ADMIN -.-> role:customer:TENANT role:customer:ADMIN ==> role:package:OWNER 
diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/test/pac/TestPackageRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/test/pac/TestPackageRepositoryIntegrationTest.java index a8fd8a50..e4f0e6fb 100644 --- a/src/test/java/net/hostsharing/hsadminng/rbac/test/pac/TestPackageRepositoryIntegrationTest.java +++ b/src/test/java/net/hostsharing/hsadminng/rbac/test/pac/TestPackageRepositoryIntegrationTest.java @@ -40,7 +40,7 @@ class TestPackageRepositoryIntegrationTest extends ContextBasedTest { @Test public void globalAdmin_withoutAssumedRole_canNotViewAnyPackages_becauseThoseGrantsAreNotAssumed() { // given - // alex is not just global-admin but lso the creating user, thus we use fran + // alex is not just rbac.global-admin but lso the creating user, thus we use fran context.define("superuser-fran@hostsharing.net"); // when @@ -53,7 +53,7 @@ class TestPackageRepositoryIntegrationTest extends ContextBasedTest { @Test public void globalAdmin_withAssumedglobalAdminRole__canNotViewAnyPackages_becauseThoseGrantsAreNotAssumed() { given: - context.define("superuser-alex@hostsharing.net", "global#global:ADMIN"); + context.define("superuser-alex@hostsharing.net", "rbac.global#global:ADMIN"); // when final var result = testPackageRepository.findAllByOptionalNameLike(null);