rbac.global

This commit is contained in:
Michael Hoennig 2024-09-13 20:11:34 +02:00
parent 06d8e24e66
commit 1e2390191f
69 changed files with 230 additions and 230 deletions


@ -74,7 +74,7 @@ public class HsBookingItemRbacEntity extends HsBookingItem {
with.permission(SELECT); with.permission(SELECT);
}) })
.limitDiagramTo("bookingItem", "project", "global"); .limitDiagramTo("bookingItem", "project", "rbac.global");
} }
public static void main(String[] args) throws IOException { public static void main(String[] args) throws IOException {
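Review bot: The new literal `"rbac.global"` on the `.limitDiagramTo("bookingItem", "project", "rbac.global")` line duplicates the constant this same commit changes in RbacView (`public static final String GLOBAL = "rbac.global"`); the call should read `.limitDiagramTo("bookingItem", "project", RbacView.GLOBAL)` so the next rename of the global object does not need another sweep across the 69 files touched here. The same duplicated literal appears in the HsBookingProject, HsBookingProjectRbacEntity and HsHostingAssetRbacEntity hunks, in `.toRole("rbac.global", ADMIN)` in TestCustomerEntity, in `startsWith("role:rbac.global")` in RbacGrantsDiagramService, and five times inside RbacView itself (`entityAliases.put`, `isGlobal`, `getRawTableName`, `map`), where `GLOBAL` is already in scope. The enclosing method starts before this hunk.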


@ -105,7 +105,7 @@ public abstract class HsBookingProject implements Stringifyable, BaseEntity<HsBo
with.permission(SELECT); with.permission(SELECT);
}) })
.limitDiagramTo("project", "debitorRel", "global"); .limitDiagramTo("project", "debitorRel", "rbac.global");
} }
public static void main(String[] args) throws IOException { public static void main(String[] args) throws IOException {


@ -77,7 +77,7 @@ public class HsBookingProjectRbacEntity extends HsBookingProject {
with.permission(SELECT); with.permission(SELECT);
}) })
.limitDiagramTo("project", "debitorRel", "global"); .limitDiagramTo("project", "debitorRel", "rbac.global");
} }
public static void main(String[] args) throws IOException { public static void main(String[] args) throws IOException {


@ -106,7 +106,7 @@ public class HsHostingAssetRbacEntity extends HsHostingAsset {
"parentAsset", "parentAsset",
"assignedToAsset", "assignedToAsset",
"alarmContact", "alarmContact",
"global"); "rbac.global");
} }
public static void main(String[] args) throws IOException { public static void main(String[] args) throws IOException {


@ -152,7 +152,7 @@ public class InsertTriggerGenerator {
begin begin
raise exception '[403] insert into ${rawSubTable} values(%) not allowed regardless of current subject, no insert permissions granted at all', NEW; raise exception '[403] insert into ${rawSubTable} values(%) not allowed regardless of current subject, no insert permissions granted at all', NEW;
end; $$; end; $$;
create trigger ${rawSubTable}_insert_permission_check_tg create trigger ${rawSubTable}_insert_permission_check_tg
before insert on ${rawSubTable} before insert on ${rawSubTable}
for each row for each row
@ -206,7 +206,7 @@ public class InsertTriggerGenerator {
if (g.getSuperRoleDef().isGlobal(GUEST)) { if (g.getSuperRoleDef().isGlobal(GUEST)) {
plPgSql.writeLn( plPgSql.writeLn(
""" """
-- check INSERT INSERT permission for global anyone -- check INSERT INSERT permission for rbac.global anyone
if ${caseCondition}true then if ${caseCondition}true then
return NEW; return NEW;
end if; end if;
@ -215,8 +215,8 @@ public class InsertTriggerGenerator {
} else if (g.getSuperRoleDef().isGlobal(ADMIN)) { } else if (g.getSuperRoleDef().isGlobal(ADMIN)) {
plPgSql.writeLn( plPgSql.writeLn(
""" """
-- check INSERT INSERT if global ADMIN -- check INSERT INSERT if rbac.global ADMIN
if ${caseCondition}isGlobalAdmin() then if ${caseCondition}rbac.isGlobalAdmin() then
return NEW; return NEW;
end if; end if;
""", """,


@ -36,7 +36,7 @@ import static org.apache.commons.lang3.StringUtils.uncapitalize;
// TODO.refa: rename to RbacDSL // TODO.refa: rename to RbacDSL
public class RbacView { public class RbacView {
public static final String GLOBAL = "global"; public static final String GLOBAL = "rbac.global";
public static final String OUTPUT_BASEDIR = "src/main/resources/db/changelog"; public static final String OUTPUT_BASEDIR = "src/main/resources/db/changelog";
private final EntityAlias rootEntityAlias; private final EntityAlias rootEntityAlias;
@ -98,7 +98,7 @@ public class RbacView {
rootEntityAlias = new EntityAlias(alias, entityClass); rootEntityAlias = new EntityAlias(alias, entityClass);
entityAliases.put(alias, rootEntityAlias); entityAliases.put(alias, rootEntityAlias);
new RbacSubjectReference(CREATOR); new RbacSubjectReference(CREATOR);
entityAliases.put("global", new EntityAlias("global")); entityAliases.put("rbac.global", new EntityAlias("rbac.global"));
} }
/** /**
@ -922,7 +922,7 @@ public class RbacView {
} }
boolean isGlobal() { boolean isGlobal() {
return aliasName().equals("global"); return aliasName().equals("rbac.global");
} }
boolean isPlaceholder() { boolean isPlaceholder() {
@ -961,8 +961,8 @@ public class RbacView {
} }
String getRawTableName() { String getRawTableName() {
if ( aliasName.equals("global")) { if ( aliasName.equals("rbac.global")) {
return "global"; // TODO: maybe we should introduce a GlobalEntity class? return "rbac.global"; // TODO: maybe we should introduce a GlobalEntity class?
} }
return withoutRvSuffix(entityClass.getAnnotation(Table.class).name()); return withoutRvSuffix(entityClass.getAnnotation(Table.class).name());
} }
@ -1166,7 +1166,7 @@ public class RbacView {
} }
String map(final String originalAliasName) { String map(final String originalAliasName) {
if (outerAliasNames.contains(originalAliasName) || originalAliasName.equals("global")) { if (outerAliasNames.contains(originalAliasName) || originalAliasName.equals("rbac.global")) {
return originalAliasName; return originalAliasName;
} }
if (originalAliasName.equals(importedRbacView.rootEntityAlias.aliasName)) { if (originalAliasName.equals(importedRbacView.rootEntityAlias.aliasName)) {


@ -78,7 +78,7 @@ public class RbacGrantsDiagramService {
if (!includes.contains(PERMISSIONS) && g.getDescendantIdName().startsWith("perm:")) { if (!includes.contains(PERMISSIONS) && g.getDescendantIdName().startsWith("perm:")) {
return; return;
} }
if ( !g.getDescendantIdName().startsWith("role:global")) { if ( !g.getDescendantIdName().startsWith("role:rbac.global")) {
if (!includes.contains(TEST_ENTITIES) && g.getDescendantIdName().contains(":test_")) { if (!includes.contains(TEST_ENTITIES) && g.getDescendantIdName().contains(":test_")) {
return; return;
} }


@ -46,7 +46,7 @@ public class TestCustomerEntity implements BaseEntity<TestCustomerEntity> {
.withIdentityView(SQL.projection("prefix")) .withIdentityView(SQL.projection("prefix"))
.withRestrictedViewOrderBy(SQL.expression("reference")) .withRestrictedViewOrderBy(SQL.expression("reference"))
.withUpdatableColumns("reference", "prefix", "adminUserName") .withUpdatableColumns("reference", "prefix", "adminUserName")
.toRole("global", ADMIN).grantPermission(INSERT) .toRole("rbac.global", ADMIN).grantPermission(INSERT)
.createRole(OWNER, (with) -> { .createRole(OWNER, (with) -> {
with.owningUser(CREATOR).unassumed(); with.owningUser(CREATOR).unassumed();


@ -584,7 +584,7 @@ select exists(
join RbacRole as r on r.uuid = g.descendantuuid join RbacRole as r on r.uuid = g.descendantuuid
join rbac.object as o on o.uuid = r.objectuuid join rbac.object as o on o.uuid = r.objectuuid
where g.ascendantuuid = forAscendantUuid where g.ascendantuuid = forAscendantUuid
and o.objecttable = 'global' and o.objecttable = 'rbac.global'
); );
$$; $$;


@ -57,7 +57,7 @@ begin
objectUuidToAssume = findObjectUuidByIdName(objectTableToAssume, objectNameToAssume); objectUuidToAssume = findObjectUuidByIdName(objectTableToAssume, objectNameToAssume);
if objectUuidToAssume is null then if objectUuidToAssume is null then
raise exception '[401] object % cannot be found in table %', objectNameToAssume, objectTableToAssume; raise exception '[401] object % cannot be found in table % (from roleNameParts=%)', objectNameToAssume, objectTableToAssume, roleNameParts;
end if; end if;
select uuid select uuid
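Review bot: The extended `[401]` message on the `raise exception` line now reflects the entire `roleNameParts` value back into the exception text, in addition to the object name and table that were already there. If these `[401]` messages are mapped to HTTP responses and passed through to API clients (the prefix suggests so, but that mapping is outside this hunk), confirm that echoing the caller-supplied role string verbatim is intended; otherwise keep `roleNameParts` for a server-side `raise log`/`raise notice` and leave the client-facing message as it was. The enclosing function begins outside the hunk.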


@ -5,7 +5,7 @@
/* /*
Creates a view which presents some statistics about the RBAC tables. Creates a view which presents some statistics about the RBAC tables.
*/ */
create view RbacStatisticsView as create view rbac.statistics_v as
select no, to_char("count", '9 999 999 999') as "count", "table" select no, to_char("count", '9 999 999 999') as "count", "table"
from (select 1 as no, count(*) as "count", 'login users' as "table" from (select 1 as no, count(*) as "count", 'login users' as "table"
from rbac.subject from rbac.subject


@ -1,7 +1,7 @@
--liquibase formatted sql --liquibase formatted sql
-- ============================================================================ -- ============================================================================
--changeset rbac-global-GLOBAL-OBJECT:1 endDelimiter:--// --changeset rbac-global-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
The purpose of this table is provide root business objects The purpose of this table is provide root business objects
@ -11,14 +11,14 @@
In production databases, there is only a single row in this table, In production databases, there is only a single row in this table,
in test stages, there can be one row for each test data realm. in test stages, there can be one row for each test data realm.
*/ */
create table Global create table rbac.global
( (
uuid uuid primary key references rbac.object (uuid) on delete cascade, uuid uuid primary key references rbac.object (uuid) on delete cascade,
name varchar(63) unique name varchar(63) unique
); );
create unique index Global_Singleton on Global ((0)); create unique index Global_Singleton on rbac.global ((0));
grant select on global to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME}; grant select on rbac.global to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
--// --//
@ -26,7 +26,7 @@ grant select on global to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
--changeset rbac-global-IS-GLOBAL-ADMIN:1 endDelimiter:--// --changeset rbac-global-IS-GLOBAL-ADMIN:1 endDelimiter:--//
-- ------------------------------------------------------------------ -- ------------------------------------------------------------------
create or replace function isGlobalAdmin() create or replace function rbac.isGlobalAdmin()
returns boolean returns boolean
language plpgsql as $$ language plpgsql as $$
begin begin
@ -36,117 +36,117 @@ end; $$;
-- ============================================================================ -- ============================================================================
--changeset rbac-global-HAS-GLOBAL-PERMISSION:1 endDelimiter:--// --changeset rbac-global-HAS-global-PERMISSION:1 endDelimiter:--//
-- ------------------------------------------------------------------ -- ------------------------------------------------------------------
create or replace function hasGlobalPermission(op RbacOp) create or replace function rbac.hasGlobalPermission(op RbacOp)
returns boolean returns boolean
language sql as language sql as
$$ $$
-- TODO.perf: this could to be optimized -- TODO.perf: this could to be optimized
select (select uuid from global) in select (select uuid from rbac.global) in
(select queryAccessibleObjectUuidsOfSubjectIds(op, 'global', rbac.currentSubjectOrAssumedRolesUuids())); (select queryAccessibleObjectUuidsOfSubjectIds(op, 'rbac.global', rbac.currentSubjectOrAssumedRolesUuids()));
$$; $$;
--// --//
-- ============================================================================ -- ============================================================================
--changeset rbac-global-GLOBAL-IDENTITY-VIEW:1 endDelimiter:--// --changeset rbac-global-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Creates a view to the global object table which maps the identifying name to the objectUuid. Creates a view to the rbac.global object table which maps the identifying name to the objectUuid.
*/ */
drop view if exists global_iv; drop view if exists rbac.global_iv;
create or replace view global_iv as create or replace view rbac.global_iv as
select target.uuid, target.name as idName select target.uuid, target.name as idName
from global as target; from rbac.global as target;
grant all privileges on global_iv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME}; grant all privileges on rbac.global_iv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
/* /*
Returns the objectUuid for a given identifying name (in this case the idName). Returns the objectUuid for a given identifying name (in this case the idName).
*/ */
create or replace function globalUuidByIdName(idName varchar) create or replace function rbac.globalUuidByIdName(idName varchar)
returns uuid returns uuid
language sql language sql
strict as $$ strict as $$
select uuid from global_iv iv where iv.idName = globalUuidByIdName.idName; select uuid from rbac.global_iv iv where iv.idName = globalUuidByIdName.idName;
$$; $$;
/* /*
Returns the identifying name for a given objectUuid (in this case the idName). Returns the identifying name for a given objectUuid (in this case the idName).
*/ */
create or replace function globalIdNameByUuid(uuid uuid) create or replace function rbac.globalIdNameByUuid(uuid uuid)
returns varchar returns varchar
language sql language sql
strict as $$ strict as $$
select idName from global_iv iv where iv.uuid = globalIdNameByUuid.uuid; select idName from rbac.global_iv iv where iv.uuid = globalIdNameByUuid.uuid;
$$; $$;
--// --//
--liquibase formatted sql --liquibase formatted sql
-- ============================================================================ -- ============================================================================
--changeset rbac-global-PSEUDO-OBJECT:1 endDelimiter:--// --changeset rbac-rbac.Global-PSEUDO-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/** /**
A single row to be referenced as a global object. A single row to be referenced as a rbac.Global object.
*/ */
begin transaction; begin transaction;
call basis.defineContext('initializing table "global"', null, null, null); call basis.defineContext('initializing table "rbac.global"', null, null, null);
insert insert
into rbac.object (objecttable) values ('global'); into rbac.object (objecttable) values ('rbac.global');
insert insert
into Global (uuid, name) values ((select uuid from rbac.object where objectTable = 'global'), 'global'); into rbac.global (uuid, name) values ((select uuid from rbac.object where objectTable = 'rbac.global'), 'global');
commit; commit;
--// --//
-- ============================================================================ -- ============================================================================
--changeset rbac-global-ADMIN-ROLE:1 endDelimiter:--// --changeset rbac-rbac.Global-ADMIN-ROLE:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
A global administrator role. A rbac.Global administrator role.
*/ */
create or replace function globalAdmin(assumed boolean = true) create or replace function globalAdmin(assumed boolean = true)
returns RbacRoleDescriptor returns RbacRoleDescriptor
returns null on null input returns null on null input
stable -- leakproof stable -- leakproof
language sql as $$ language sql as $$
select 'global', (select uuid from rbac.object where objectTable = 'global'), 'ADMIN'::RbacRoleType, assumed; select 'rbac.global', (select uuid from rbac.object where objectTable = 'rbac.global'), 'ADMIN'::RbacRoleType, assumed;
$$; $$;
begin transaction; begin transaction;
call basis.defineContext('creating role:global#global:ADMIN', null, null, null); call basis.defineContext('creating role:rbac.global#global:ADMIN', null, null, null);
select createRole(globalAdmin()); select createRole(globalAdmin());
commit; commit;
--// --//
-- ============================================================================ -- ============================================================================
--changeset rbac-global-GUEST-ROLE:1 endDelimiter:--// --changeset rbac-rbac.Global-GUEST-ROLE:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
A global guest role. A rbac.Global guest role.
*/ */
create or replace function globalGuest(assumed boolean = true) create or replace function globalGuest(assumed boolean = true)
returns RbacRoleDescriptor returns RbacRoleDescriptor
returns null on null input returns null on null input
stable -- leakproof stable -- leakproof
language sql as $$ language sql as $$
select 'global', (select uuid from rbac.object where objectTable = 'global'), 'GUEST'::RbacRoleType, assumed; select 'rbac.global', (select uuid from rbac.object where objectTable = 'rbac.global'), 'GUEST'::RbacRoleType, assumed;
$$; $$;
begin transaction; begin transaction;
call basis.defineContext('creating role:global#global:guest', null, null, null); call basis.defineContext('creating role:rbac.global#global:guest', null, null, null);
select createRole(globalGuest()); select createRole(globalGuest());
commit; commit;
--// --//
-- ============================================================================ -- ============================================================================
--changeset rbac-global-ADMIN-USERS:1 context:dev,tc endDelimiter:--// --changeset rbac-GLOBAL-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Create two users and assign both to the administrators role. Create two users and assign both to the administrators role.
@ -168,7 +168,7 @@ $$;
-- ============================================================================ -- ============================================================================
--changeset rbac-global-TEST:1 context:dev,tc runAlways:true endDelimiter:--// --changeset rbac-GLOBAL-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
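Review bot: The changeset keys in this file are renamed inconsistently — `rbac-global-OBJECT:1`, `rbac-global-HAS-global-PERMISSION:1`, `rbac-rbac.Global-PSEUDO-OBJECT:1`, `rbac-rbac.Global-ADMIN-ROLE:1`, `rbac-GLOBAL-ADMIN-USERS:1` — which reads like a search-and-replace artifact rather than a naming scheme; I would restore the previous keys, e.g. `--changeset rbac-global-PSEUDO-OBJECT:1 endDelimiter:--//`. Liquibase identifies an executed changeset by author, id and path, so on any database that already ran the old keys these would count as new changesets and `create table rbac.global` would be attempted again; if every environment is rebuilt from scratch this is moot, but nothing in the file shows that. Within the same hunk `rbac.isGlobalAdmin()`, `rbac.hasGlobalPermission(...)`, `rbac.globalUuidByIdName(...)` and `rbac.globalIdNameByUuid(...)` move into the `rbac` schema while `globalAdmin(...)` and `globalGuest(...)` stay unqualified, so callers have to know which half of this API is schema-qualified. The descriptive comments in the PSEUDO-OBJECT, ADMIN-ROLE and GUEST-ROLE changesets also say `rbac.Global` (capital G) while every identifier in the file uses `rbac.global`.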


@ -32,12 +32,12 @@ end
user:creator ==>|XX| role:customer:OWNER user:creator ==>|XX| role:customer:OWNER
%% granting roles to roles %% granting roles to roles
role:global:ADMIN ==>|XX| role:customer:OWNER role:rbac.global:ADMIN ==>|XX| role:customer:OWNER
role:customer:OWNER ==> role:customer:ADMIN role:customer:OWNER ==> role:customer:ADMIN
role:customer:ADMIN ==> role:customer:TENANT role:customer:ADMIN ==> role:customer:TENANT
%% granting permissions to roles %% granting permissions to roles
role:global:ADMIN ==> perm:customer:INSERT role:rbac.global:ADMIN ==> perm:customer:INSERT
role:customer:OWNER ==> perm:customer:DELETE role:customer:OWNER ==> perm:customer:DELETE
role:customer:ADMIN ==> perm:customer:UPDATE role:customer:ADMIN ==> perm:customer:UPDATE
role:customer:TENANT ==> perm:customer:SELECT role:customer:TENANT ==> perm:customer:SELECT


@ -80,18 +80,18 @@ execute procedure insertTriggerForTestCustomer_tf();
--changeset test-customer-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--// --changeset test-customer-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
-- granting INSERT permission to global ---------------------------- -- granting INSERT permission to rbac.global ----------------------------
/* /*
Grants INSERT INTO test_customer permissions to specified role of pre-existing global rows. Grants INSERT INTO test_customer permissions to specified role of pre-existing rbac.global rows.
*/ */
do language plpgsql $$ do language plpgsql $$
declare declare
row global; row rbac.global%ROWTYPE;
begin begin
call basis.defineContext('create INSERT INTO test_customer permissions for pre-exising global rows'); call basis.defineContext('create INSERT INTO test_customer permissions for pre-exising rbac.global rows');
FOR row IN SELECT * FROM global FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
@ -102,7 +102,7 @@ do language plpgsql $$
$$; $$;
/** /**
Grants test_customer INSERT permission to specified role of new global rows. Grants test_customer INSERT permission to specified role of new rbac.global rows.
*/ */
create or replace function new_test_customer_grants_insert_to_global_tf() create or replace function new_test_customer_grants_insert_to_global_tf()
returns trigger returns trigger
@ -119,7 +119,7 @@ end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_test_customer_grants_insert_to_global_tg create trigger z_new_test_customer_grants_insert_to_global_tg
after insert on global after insert on rbac.global
for each row for each row
execute procedure new_test_customer_grants_insert_to_global_tf(); execute procedure new_test_customer_grants_insert_to_global_tf();
@ -137,8 +137,8 @@ create or replace function test_customer_insert_permission_check_tf()
declare declare
superObjectUuid uuid; superObjectUuid uuid;
begin begin
-- check INSERT INSERT if global ADMIN -- check INSERT INSERT if rbac.global ADMIN
if isGlobalAdmin() then if rbac.isGlobalAdmin() then
return NEW; return NEW;
end if; end if;


@ -72,7 +72,7 @@ end; $$;
do language plpgsql $$ do language plpgsql $$
begin begin
call basis.defineContext('creating RBAC test customer', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN'); call basis.defineContext('creating RBAC test customer', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
call createTestCustomerTestData(99901, 'xxx'); call createTestCustomerTestData(99901, 'xxx');
call createTestCustomerTestData(99902, 'yyy'); call createTestCustomerTestData(99902, 'yyy');


@ -42,7 +42,7 @@ subgraph package["`**package**`"]
end end
%% granting roles to roles %% granting roles to roles
role:global:ADMIN -.->|XX| role:customer:OWNER role:rbac.global:ADMIN -.->|XX| role:customer:OWNER
role:customer:OWNER -.-> role:customer:ADMIN role:customer:OWNER -.-> role:customer:ADMIN
role:customer:ADMIN -.-> role:customer:TENANT role:customer:ADMIN -.-> role:customer:TENANT
role:customer:ADMIN ==> role:package:OWNER role:customer:ADMIN ==> role:package:OWNER


@ -54,7 +54,7 @@ subgraph package.customer["`**package.customer**`"]
end end
%% granting roles to roles %% granting roles to roles
role:global:ADMIN -.->|XX| role:package.customer:OWNER role:rbac.global:ADMIN -.->|XX| role:package.customer:OWNER
role:package.customer:OWNER -.-> role:package.customer:ADMIN role:package.customer:OWNER -.-> role:package.customer:ADMIN
role:package.customer:ADMIN -.-> role:package.customer:TENANT role:package.customer:ADMIN -.-> role:package.customer:TENANT
role:package.customer:ADMIN -.-> role:package:OWNER role:package.customer:ADMIN -.-> role:package:OWNER


@ -32,7 +32,7 @@ end
user:creator ==> role:contact:OWNER user:creator ==> role:contact:OWNER
%% granting roles to roles %% granting roles to roles
role:global:ADMIN ==> role:contact:OWNER role:rbac.global:ADMIN ==> role:contact:OWNER
role:contact:OWNER ==> role:contact:ADMIN role:contact:OWNER ==> role:contact:ADMIN
role:contact:ADMIN ==> role:contact:REFERRER role:contact:ADMIN ==> role:contact:REFERRER
@ -40,6 +40,6 @@ role:contact:ADMIN ==> role:contact:REFERRER
role:contact:OWNER ==> perm:contact:DELETE role:contact:OWNER ==> perm:contact:DELETE
role:contact:ADMIN ==> perm:contact:UPDATE role:contact:ADMIN ==> perm:contact:UPDATE
role:contact:REFERRER ==> perm:contact:SELECT role:contact:REFERRER ==> perm:contact:SELECT
role:global:GUEST ==> perm:contact:INSERT role:rbac.global:GUEST ==> perm:contact:INSERT
``` ```


@ -32,12 +32,12 @@ end
user:creator ==> role:person:OWNER user:creator ==> role:person:OWNER
%% granting roles to roles %% granting roles to roles
role:global:ADMIN ==> role:person:OWNER role:rbac.global:ADMIN ==> role:person:OWNER
role:person:OWNER ==> role:person:ADMIN role:person:OWNER ==> role:person:ADMIN
role:person:ADMIN ==> role:person:REFERRER role:person:ADMIN ==> role:person:REFERRER
%% granting permissions to roles %% granting permissions to roles
role:global:GUEST ==> perm:person:INSERT role:rbac.global:GUEST ==> perm:person:INSERT
role:person:OWNER ==> perm:person:DELETE role:person:OWNER ==> perm:person:DELETE
role:person:ADMIN ==> perm:person:UPDATE role:person:ADMIN ==> perm:person:UPDATE
role:person:REFERRER ==> perm:person:SELECT role:person:REFERRER ==> perm:person:SELECT


@ -72,16 +72,16 @@ end
user:creator ==> role:relation:OWNER user:creator ==> role:relation:OWNER
%% granting roles to roles %% granting roles to roles
role:global:ADMIN -.-> role:anchorPerson:OWNER role:rbac.global:ADMIN -.-> role:anchorPerson:OWNER
role:anchorPerson:OWNER -.-> role:anchorPerson:ADMIN role:anchorPerson:OWNER -.-> role:anchorPerson:ADMIN
role:anchorPerson:ADMIN -.-> role:anchorPerson:REFERRER role:anchorPerson:ADMIN -.-> role:anchorPerson:REFERRER
role:global:ADMIN -.-> role:holderPerson:OWNER role:rbac.global:ADMIN -.-> role:holderPerson:OWNER
role:holderPerson:OWNER -.-> role:holderPerson:ADMIN role:holderPerson:OWNER -.-> role:holderPerson:ADMIN
role:holderPerson:ADMIN -.-> role:holderPerson:REFERRER role:holderPerson:ADMIN -.-> role:holderPerson:REFERRER
role:global:ADMIN -.-> role:contact:OWNER role:rbac.global:ADMIN -.-> role:contact:OWNER
role:contact:OWNER -.-> role:contact:ADMIN role:contact:OWNER -.-> role:contact:ADMIN
role:contact:ADMIN -.-> role:contact:REFERRER role:contact:ADMIN -.-> role:contact:REFERRER
role:global:ADMIN ==> role:relation:OWNER role:rbac.global:ADMIN ==> role:relation:OWNER
role:holderPerson:ADMIN ==> role:relation:OWNER role:holderPerson:ADMIN ==> role:relation:OWNER
role:relation:OWNER ==> role:relation:ADMIN role:relation:OWNER ==> role:relation:ADMIN
role:relation:ADMIN ==> role:anchorPerson:OWNER role:relation:ADMIN ==> role:anchorPerson:OWNER


@ -72,16 +72,16 @@ end
user:creator ==> role:relation:OWNER user:creator ==> role:relation:OWNER
%% granting roles to roles %% granting roles to roles
role:global:ADMIN -.-> role:anchorPerson:OWNER role:rbac.global:ADMIN -.-> role:anchorPerson:OWNER
role:anchorPerson:OWNER -.-> role:anchorPerson:ADMIN role:anchorPerson:OWNER -.-> role:anchorPerson:ADMIN
role:anchorPerson:ADMIN -.-> role:anchorPerson:REFERRER role:anchorPerson:ADMIN -.-> role:anchorPerson:REFERRER
role:global:ADMIN -.-> role:holderPerson:OWNER role:rbac.global:ADMIN -.-> role:holderPerson:OWNER
role:holderPerson:OWNER -.-> role:holderPerson:ADMIN role:holderPerson:OWNER -.-> role:holderPerson:ADMIN
role:holderPerson:ADMIN -.-> role:holderPerson:REFERRER role:holderPerson:ADMIN -.-> role:holderPerson:REFERRER
role:global:ADMIN -.-> role:contact:OWNER role:rbac.global:ADMIN -.-> role:contact:OWNER
role:contact:OWNER -.-> role:contact:ADMIN role:contact:OWNER -.-> role:contact:ADMIN
role:contact:ADMIN -.-> role:contact:REFERRER role:contact:ADMIN -.-> role:contact:REFERRER
role:global:ADMIN ==> role:relation:OWNER role:rbac.global:ADMIN ==> role:relation:OWNER
role:relation:OWNER ==> role:relation:ADMIN role:relation:OWNER ==> role:relation:ADMIN
role:relation:ADMIN ==> role:relation:AGENT role:relation:ADMIN ==> role:relation:AGENT
role:relation:AGENT ==> role:relation:TENANT role:relation:AGENT ==> role:relation:TENANT


@ -85,7 +85,7 @@ end; $$;
do language plpgsql $$ do language plpgsql $$
begin begin
call basis.defineContext('creating relation test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN'); call basis.defineContext('creating relation test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
call createHsOfficeRelationTestData('First GmbH', 'PARTNER', 'Hostsharing eG', 'first contact'); call createHsOfficeRelationTestData('First GmbH', 'PARTNER', 'Hostsharing eG', 'first contact');
call createHsOfficeRelationTestData('Firby', 'REPRESENTATIVE', 'First GmbH', 'first contact'); call createHsOfficeRelationTestData('Firby', 'REPRESENTATIVE', 'First GmbH', 'first contact');


@ -87,16 +87,16 @@ subgraph partnerRel.holderPerson["`**partnerRel.holderPerson**`"]
end end
%% granting roles to roles %% granting roles to roles
role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER role:rbac.global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER role:rbac.global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
role:global:ADMIN -.-> role:partnerRel.contact:OWNER role:rbac.global:ADMIN -.-> role:partnerRel.contact:OWNER
role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
role:global:ADMIN -.-> role:partnerRel:OWNER role:rbac.global:ADMIN -.-> role:partnerRel:OWNER
role:partnerRel:OWNER -.-> role:partnerRel:ADMIN role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
role:partnerRel:ADMIN -.-> role:partnerRel:AGENT role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
role:partnerRel:AGENT -.-> role:partnerRel:TENANT role:partnerRel:AGENT -.-> role:partnerRel:TENANT
@ -108,7 +108,7 @@ role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:OWNER
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
%% granting permissions to roles %% granting permissions to roles
role:global:ADMIN ==> perm:partner:INSERT role:rbac.global:ADMIN ==> perm:partner:INSERT
role:partnerRel:OWNER ==> perm:partner:DELETE role:partnerRel:OWNER ==> perm:partner:DELETE
role:partnerRel:ADMIN ==> perm:partner:UPDATE role:partnerRel:ADMIN ==> perm:partner:UPDATE
role:partnerRel:TENANT ==> perm:partner:SELECT role:partnerRel:TENANT ==> perm:partner:SELECT


@ -157,18 +157,18 @@ execute procedure updateTriggerForHsOfficePartner_tf();
--changeset hs-office-partner-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--// --changeset hs-office-partner-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
-- granting INSERT permission to global ---------------------------- -- granting INSERT permission to rbac.global ----------------------------
/* /*
Grants INSERT INTO hs_office_partner permissions to specified role of pre-existing global rows. Grants INSERT INTO hs_office_partner permissions to specified role of pre-existing rbac.global rows.
*/ */
do language plpgsql $$ do language plpgsql $$
declare declare
row global; row rbac.global%ROWTYPE;
begin begin
call basis.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising global rows'); call basis.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising rbac.Global rows');
FOR row IN SELECT * FROM global FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
@ -179,7 +179,7 @@ do language plpgsql $$
$$; $$;
/** /**
Grants hs_office_partner INSERT permission to specified role of new global rows. Grants hs_office_partner INSERT permission to specified role of new rbac.global rows.
*/ */
create or replace function new_hs_office_partner_grants_insert_to_global_tf() create or replace function new_hs_office_partner_grants_insert_to_global_tf()
returns trigger returns trigger
@ -196,7 +196,7 @@ end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_partner_grants_insert_to_global_tg create trigger z_new_hs_office_partner_grants_insert_to_global_tg
after insert on global after insert on rbac.global
for each row for each row
execute procedure new_hs_office_partner_grants_insert_to_global_tf(); execute procedure new_hs_office_partner_grants_insert_to_global_tf();
@ -214,8 +214,8 @@ create or replace function hs_office_partner_insert_permission_check_tf()
declare declare
superObjectUuid uuid; superObjectUuid uuid;
begin begin
-- check INSERT INSERT if global ADMIN -- check INSERT INSERT if rbac.global ADMIN
if isGlobalAdmin() then if rbac.isGlobalAdmin() then
return NEW; return NEW;
end if; end if;
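Review bot: The renamed schema is spelled two ways in the new text of this file: the defineContext message in the first hunk says `rbac.Global` while the header comment, the `row rbac.global%ROWTYPE;` declaration and the `FROM rbac.global` query say `rbac.global`, and the same mixed casing shows up in the hs_office_debitor, hs_office_membership, hs_booking_item and hs_office_partner_details sections of this commit. Since these are string literals and comments nothing breaks, but a grep-based audit of where the rbac.global table is referenced would miss the capitalised spellings. One spelling throughout is preferable, and the message could take the typo fix at the same time: `call basis.defineContext('create INSERT INTO hs_office_partner permissions for pre-existing rbac.global rows');`. The do-block in the first hunk and the permission-check trigger function in the last hunk both continue outside the hunk.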


@ -18,6 +18,6 @@ subgraph partnerDetails["`**partnerDetails**`"]
end end
%% granting permissions to roles %% granting permissions to roles
role:global:ADMIN ==> perm:partnerDetails:INSERT role:rbac.global:ADMIN ==> perm:partnerDetails:INSERT
``` ```


@ -61,25 +61,25 @@ execute procedure insertTriggerForHsOfficePartnerDetails_tf();
--changeset hs-office-partner-details-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--// --changeset hs-office-partner-details-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
-- granting INSERT permission to global ---------------------------- -- granting INSERT permission to rbac.global ----------------------------
/* /*
Grants INSERT INTO hs_office_partner_details permissions to specified role of pre-existing global rows. Grants INSERT INTO hs_office_partner_details permissions to specified role of pre-existing rbac.global rows.
*/ */
do language plpgsql $$ do language plpgsql $$
declare declare
row global; row rbac.global;
begin begin
call basis.defineContext('create INSERT INTO hs_office_partner_details permissions for pre-exising global rows'); call basis.defineContext('create INSERT INTO hs_office_partner_details permissions for pre-exising global rows');
FOR row IN SELECT * FROM global FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'), createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
globalADMIN()); globalADMIN());
END LOOP; END LOOP;
end; end;
$$; $$;
/** /**
@ -100,7 +100,7 @@ end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_partner_details_grants_insert_to_global_tg create trigger z_new_hs_office_partner_details_grants_insert_to_global_tg
after insert on global after insert on rbac.global
for each row for each row
execute procedure new_hs_office_partner_details_grants_insert_to_global_tf(); execute procedure new_hs_office_partner_details_grants_insert_to_global_tf();
@ -118,8 +118,8 @@ create or replace function hs_office_partner_details_insert_permission_check_tf(
declare declare
superObjectUuid uuid; superObjectUuid uuid;
begin begin
-- check INSERT INSERT if global ADMIN -- check INSERT INSERT if rbac.Global ADMIN
if isGlobalAdmin() then if rbac.isGlobalAdmin() then
return NEW; return NEW;
end if; end if;
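Review bot: This migration is updated less consistently than its siblings: the loop variable is declared `row rbac.global;` where hs_office_partner, hs_office_debitor, hs_office_membership and hs_booking_item declare `row rbac.global%ROWTYPE;`, and the defineContext message in the same block still reads `pre-exising global rows`. Both declaration forms resolve to the same composite type in PL/pgSQL, so this is a readability point, but `row rbac.global%ROWTYPE;` and `call basis.defineContext('create INSERT INTO hs_office_partner_details permissions for pre-existing rbac.global rows');` would keep the files aligned. Separately, `isGlobalAdmin()` in the permission-check trigger was schema-qualified to `rbac.isGlobalAdmin()` while `globalADMIN()` in the grant loop was left unqualified; if that function moved into the rbac schema as well, the unqualified call now resolves only through the session search_path, so it should either be qualified the same way or carry a comment saying it deliberately stays in the default schema. The permission-check function in the last hunk starts outside the hunk.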


@ -71,7 +71,7 @@ end; $$;
do language plpgsql $$ do language plpgsql $$
begin begin
call basis.defineContext('creating partner test-data ', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN'); call basis.defineContext('creating partner test-data ', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
call createHsOfficePartnerTestData('Hostsharing eG', 10001, 'First GmbH', 'first contact'); call createHsOfficePartnerTestData('Hostsharing eG', 10001, 'First GmbH', 'first contact');
call createHsOfficePartnerTestData('Hostsharing eG', 10002, 'Second e.K.', 'second contact'); call createHsOfficePartnerTestData('Hostsharing eG', 10002, 'Second e.K.', 'second contact');


@ -32,12 +32,12 @@ end
user:creator ==> role:bankAccount:OWNER user:creator ==> role:bankAccount:OWNER
%% granting roles to roles %% granting roles to roles
role:global:ADMIN ==> role:bankAccount:OWNER role:rbac.global:ADMIN ==> role:bankAccount:OWNER
role:bankAccount:OWNER ==> role:bankAccount:ADMIN role:bankAccount:OWNER ==> role:bankAccount:ADMIN
role:bankAccount:ADMIN ==> role:bankAccount:REFERRER role:bankAccount:ADMIN ==> role:bankAccount:REFERRER
%% granting permissions to roles %% granting permissions to roles
role:global:GUEST ==> perm:bankAccount:INSERT role:rbac.global:GUEST ==> perm:bankAccount:INSERT
role:bankAccount:OWNER ==> perm:bankAccount:DELETE role:bankAccount:OWNER ==> perm:bankAccount:DELETE
role:bankAccount:ADMIN ==> perm:bankAccount:UPDATE role:bankAccount:ADMIN ==> perm:bankAccount:UPDATE
role:bankAccount:REFERRER ==> perm:bankAccount:SELECT role:bankAccount:REFERRER ==> perm:bankAccount:SELECT


@ -140,16 +140,16 @@ subgraph refundBankAccount["`**refundBankAccount**`"]
end end
%% granting roles to roles %% granting roles to roles
role:global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER role:rbac.global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
role:debitorRel.anchorPerson:OWNER -.-> role:debitorRel.anchorPerson:ADMIN role:debitorRel.anchorPerson:OWNER -.-> role:debitorRel.anchorPerson:ADMIN
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel.anchorPerson:REFERRER role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel.anchorPerson:REFERRER
role:global:ADMIN -.-> role:debitorRel.holderPerson:OWNER role:rbac.global:ADMIN -.-> role:debitorRel.holderPerson:OWNER
role:debitorRel.holderPerson:OWNER -.-> role:debitorRel.holderPerson:ADMIN role:debitorRel.holderPerson:OWNER -.-> role:debitorRel.holderPerson:ADMIN
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER
role:global:ADMIN -.-> role:debitorRel.contact:OWNER role:rbac.global:ADMIN -.-> role:debitorRel.contact:OWNER
role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
role:global:ADMIN -.-> role:debitorRel:OWNER role:rbac.global:ADMIN -.-> role:debitorRel:OWNER
role:debitorRel:OWNER -.-> role:debitorRel:ADMIN role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
role:debitorRel:ADMIN -.-> role:debitorRel:AGENT role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
role:debitorRel:AGENT -.-> role:debitorRel:TENANT role:debitorRel:AGENT -.-> role:debitorRel:TENANT
@ -159,21 +159,21 @@ role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:OWNER role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:OWNER
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
role:global:ADMIN -.-> role:refundBankAccount:OWNER role:rbac.global:ADMIN -.-> role:refundBankAccount:OWNER
role:refundBankAccount:OWNER -.-> role:refundBankAccount:ADMIN role:refundBankAccount:OWNER -.-> role:refundBankAccount:ADMIN
role:refundBankAccount:ADMIN -.-> role:refundBankAccount:REFERRER role:refundBankAccount:ADMIN -.-> role:refundBankAccount:REFERRER
role:refundBankAccount:ADMIN ==> role:debitorRel:AGENT role:refundBankAccount:ADMIN ==> role:debitorRel:AGENT
role:debitorRel:AGENT ==> role:refundBankAccount:REFERRER role:debitorRel:AGENT ==> role:refundBankAccount:REFERRER
role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER role:rbac.global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER role:rbac.global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
role:global:ADMIN -.-> role:partnerRel.contact:OWNER role:rbac.global:ADMIN -.-> role:partnerRel.contact:OWNER
role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
role:global:ADMIN -.-> role:partnerRel:OWNER role:rbac.global:ADMIN -.-> role:partnerRel:OWNER
role:partnerRel:OWNER -.-> role:partnerRel:ADMIN role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
role:partnerRel:ADMIN -.-> role:partnerRel:AGENT role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
role:partnerRel:AGENT -.-> role:partnerRel:TENANT role:partnerRel:AGENT -.-> role:partnerRel:TENANT
@ -188,7 +188,7 @@ role:partnerRel:AGENT ==> role:debitorRel:AGENT
role:debitorRel:AGENT ==> role:partnerRel:TENANT role:debitorRel:AGENT ==> role:partnerRel:TENANT
%% granting permissions to roles %% granting permissions to roles
role:global:ADMIN ==> perm:debitor:INSERT role:rbac.global:ADMIN ==> perm:debitor:INSERT
role:debitorRel:OWNER ==> perm:debitor:DELETE role:debitorRel:OWNER ==> perm:debitor:DELETE
role:debitorRel:ADMIN ==> perm:debitor:UPDATE role:debitorRel:ADMIN ==> perm:debitor:UPDATE
role:debitorRel:TENANT ==> perm:debitor:SELECT role:debitorRel:TENANT ==> perm:debitor:SELECT


@ -130,18 +130,18 @@ execute procedure updateTriggerForHsOfficeDebitor_tf();
--changeset hs-office-debitor-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--// --changeset hs-office-debitor-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
-- granting INSERT permission to global ---------------------------- -- granting INSERT permission to rbac.Global ----------------------------
/* /*
Grants INSERT INTO hs_office_debitor permissions to specified role of pre-existing global rows. Grants INSERT INTO hs_office_debitor permissions to specified role of pre-existing rbac.global rows.
*/ */
do language plpgsql $$ do language plpgsql $$
declare declare
row global; row rbac.global%ROWTYPE;
begin begin
call basis.defineContext('create INSERT INTO hs_office_debitor permissions for pre-exising global rows'); call basis.defineContext('create INSERT INTO hs_office_debitor permissions for pre-exising rbac.Global rows');
FOR row IN SELECT * FROM global FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
@ -152,7 +152,7 @@ do language plpgsql $$
$$; $$;
/** /**
Grants hs_office_debitor INSERT permission to specified role of new global rows. Grants hs_office_debitor INSERT permission to specified role of new rbac.global rows.
*/ */
create or replace function new_hs_office_debitor_grants_insert_to_global_tf() create or replace function new_hs_office_debitor_grants_insert_to_global_tf()
returns trigger returns trigger
@ -169,7 +169,7 @@ end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_debitor_grants_insert_to_global_tg create trigger z_new_hs_office_debitor_grants_insert_to_global_tg
after insert on global after insert on rbac.global
for each row for each row
execute procedure new_hs_office_debitor_grants_insert_to_global_tf(); execute procedure new_hs_office_debitor_grants_insert_to_global_tf();
@ -187,8 +187,8 @@ create or replace function hs_office_debitor_insert_permission_check_tf()
declare declare
superObjectUuid uuid; superObjectUuid uuid;
begin begin
-- check INSERT INSERT if global ADMIN -- check INSERT INSERT if rbac.global ADMIN
if isGlobalAdmin() then if rbac.isGlobalAdmin() then
return NEW; return NEW;
end if; end if;


@ -50,7 +50,7 @@ end; $$;
do language plpgsql $$ do language plpgsql $$
begin begin
call basis.defineContext('creating debitor test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN'); call basis.defineContext('creating debitor test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
call createHsOfficeDebitorTestData(11, 'First GmbH', 'first contact', 'fir'); call createHsOfficeDebitorTestData(11, 'First GmbH', 'first contact', 'fir');
call createHsOfficeDebitorTestData(12, 'Second e.K.', 'second contact', 'sec'); call createHsOfficeDebitorTestData(12, 'Second e.K.', 'second contact', 'sec');


@ -99,16 +99,16 @@ end
user:creator ==> role:sepaMandate:OWNER user:creator ==> role:sepaMandate:OWNER
%% granting roles to roles %% granting roles to roles
role:global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER role:rbac.global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
role:debitorRel.anchorPerson:OWNER -.-> role:debitorRel.anchorPerson:ADMIN role:debitorRel.anchorPerson:OWNER -.-> role:debitorRel.anchorPerson:ADMIN
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel.anchorPerson:REFERRER role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel.anchorPerson:REFERRER
role:global:ADMIN -.-> role:debitorRel.holderPerson:OWNER role:rbac.global:ADMIN -.-> role:debitorRel.holderPerson:OWNER
role:debitorRel.holderPerson:OWNER -.-> role:debitorRel.holderPerson:ADMIN role:debitorRel.holderPerson:OWNER -.-> role:debitorRel.holderPerson:ADMIN
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER
role:global:ADMIN -.-> role:debitorRel.contact:OWNER role:rbac.global:ADMIN -.-> role:debitorRel.contact:OWNER
role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
role:global:ADMIN -.-> role:debitorRel:OWNER role:rbac.global:ADMIN -.-> role:debitorRel:OWNER
role:debitorRel:OWNER -.-> role:debitorRel:ADMIN role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
role:debitorRel:ADMIN -.-> role:debitorRel:AGENT role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
role:debitorRel:AGENT -.-> role:debitorRel:TENANT role:debitorRel:AGENT -.-> role:debitorRel:TENANT
@ -118,10 +118,10 @@ role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:OWNER role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:OWNER
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
role:global:ADMIN -.-> role:bankAccount:OWNER role:rbac.global:ADMIN -.-> role:bankAccount:OWNER
role:bankAccount:OWNER -.-> role:bankAccount:ADMIN role:bankAccount:OWNER -.-> role:bankAccount:ADMIN
role:bankAccount:ADMIN -.-> role:bankAccount:REFERRER role:bankAccount:ADMIN -.-> role:bankAccount:REFERRER
role:global:ADMIN ==> role:sepaMandate:OWNER role:rbac.global:ADMIN ==> role:sepaMandate:OWNER
role:sepaMandate:OWNER ==> role:sepaMandate:ADMIN role:sepaMandate:OWNER ==> role:sepaMandate:ADMIN
role:sepaMandate:ADMIN ==> role:sepaMandate:AGENT role:sepaMandate:ADMIN ==> role:sepaMandate:AGENT
role:sepaMandate:AGENT ==> role:bankAccount:REFERRER role:sepaMandate:AGENT ==> role:bankAccount:REFERRER


@ -43,7 +43,7 @@ end; $$;
do language plpgsql $$ do language plpgsql $$
begin begin
call basis.defineContext('creating SEPA-mandate test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN'); call basis.defineContext('creating SEPA-mandate test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
call createHsOfficeSepaMandateTestData(10001, '11', 'DE02120300000000202051', 'ref-10001-11'); call createHsOfficeSepaMandateTestData(10001, '11', 'DE02120300000000202051', 'ref-10001-11');
call createHsOfficeSepaMandateTestData(10002, '12', 'DE02100500000054540402', 'ref-10002-12'); call createHsOfficeSepaMandateTestData(10002, '12', 'DE02100500000054540402', 'ref-10002-12');


@ -85,16 +85,16 @@ end
user:creator ==> role:membership:OWNER user:creator ==> role:membership:OWNER
%% granting roles to roles %% granting roles to roles
role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER role:rbac.global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER role:rbac.global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
role:global:ADMIN -.-> role:partnerRel.contact:OWNER role:rbac.global:ADMIN -.-> role:partnerRel.contact:OWNER
role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
role:global:ADMIN -.-> role:partnerRel:OWNER role:rbac.global:ADMIN -.-> role:partnerRel:OWNER
role:partnerRel:OWNER -.-> role:partnerRel:ADMIN role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
role:partnerRel:ADMIN -.-> role:partnerRel:AGENT role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
role:partnerRel:AGENT -.-> role:partnerRel:TENANT role:partnerRel:AGENT -.-> role:partnerRel:TENANT
@ -111,7 +111,7 @@ role:partnerRel:AGENT ==> role:membership:AGENT
role:membership:AGENT ==> role:partnerRel:TENANT role:membership:AGENT ==> role:partnerRel:TENANT
%% granting permissions to roles %% granting permissions to roles
role:global:ADMIN ==> perm:membership:INSERT role:rbac.global:ADMIN ==> perm:membership:INSERT
role:membership:ADMIN ==> perm:membership:DELETE role:membership:ADMIN ==> perm:membership:DELETE
role:membership:ADMIN ==> perm:membership:UPDATE role:membership:ADMIN ==> perm:membership:UPDATE
role:membership:AGENT ==> perm:membership:SELECT role:membership:AGENT ==> perm:membership:SELECT


@ -92,18 +92,18 @@ execute procedure insertTriggerForHsOfficeMembership_tf();
--changeset hs-office-membership-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--// --changeset hs-office-membership-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
-- granting INSERT permission to global ---------------------------- -- granting INSERT permission to rbac.global ----------------------------
/* /*
Grants INSERT INTO hs_office_membership permissions to specified role of pre-existing global rows. Grants INSERT INTO hs_office_membership permissions to specified role of pre-existing rbac.global rows.
*/ */
do language plpgsql $$ do language plpgsql $$
declare declare
row global; row rbac.global%ROWTYPE;
begin begin
call basis.defineContext('create INSERT INTO hs_office_membership permissions for pre-exising global rows'); call basis.defineContext('create INSERT INTO hs_office_membership permissions for pre-exising rbac.Global rows');
FOR row IN SELECT * FROM global FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
@ -114,7 +114,7 @@ do language plpgsql $$
$$; $$;
/** /**
Grants hs_office_membership INSERT permission to specified role of new global rows. Grants hs_office_membership INSERT permission to specified role of new rbac.Global rows.
*/ */
create or replace function new_hs_office_membership_grants_insert_to_global_tf() create or replace function new_hs_office_membership_grants_insert_to_global_tf()
returns trigger returns trigger
@ -131,7 +131,7 @@ end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_office_membership_grants_insert_to_global_tg create trigger z_new_hs_office_membership_grants_insert_to_global_tg
after insert on global after insert on rbac.global
for each row for each row
execute procedure new_hs_office_membership_grants_insert_to_global_tf(); execute procedure new_hs_office_membership_grants_insert_to_global_tf();
@ -149,8 +149,8 @@ create or replace function hs_office_membership_insert_permission_check_tf()
declare declare
superObjectUuid uuid; superObjectUuid uuid;
begin begin
-- check INSERT INSERT if global ADMIN -- check INSERT INSERT if rbac.Global ADMIN
if isGlobalAdmin() then if rbac.isGlobalAdmin() then
return NEW; return NEW;
end if; end if;


@ -33,7 +33,7 @@ end; $$;
do language plpgsql $$ do language plpgsql $$
begin begin
call basis.defineContext('creating Membership test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN'); call basis.defineContext('creating Membership test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
call createHsOfficeMembershipTestData(10001, '01'); call createHsOfficeMembershipTestData(10001, '01');
call createHsOfficeMembershipTestData(10002, '02'); call createHsOfficeMembershipTestData(10002, '02');


@ -86,16 +86,16 @@ subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPers
end end
%% granting roles to roles %% granting roles to roles
role:global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER role:rbac.global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN
role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER
role:global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER role:rbac.global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER
role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN
role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER
role:global:ADMIN -.-> role:membership.partnerRel.contact:OWNER role:rbac.global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN
role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER
role:global:ADMIN -.-> role:membership.partnerRel:OWNER role:rbac.global:ADMIN -.-> role:membership.partnerRel:OWNER
role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN
role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT
role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT


@ -86,16 +86,16 @@ subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPers
end end
%% granting roles to roles %% granting roles to roles
role:global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER role:rbac.global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN
role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER
role:global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER role:rbac.global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER
role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN
role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER
role:global:ADMIN -.-> role:membership.partnerRel.contact:OWNER role:rbac.global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN
role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER
role:global:ADMIN -.-> role:membership.partnerRel:OWNER role:rbac.global:ADMIN -.-> role:membership.partnerRel:OWNER
role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN
role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT
role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT


@ -44,7 +44,7 @@ subgraph project["`**project**`"]
end end
%% granting roles to roles %% granting roles to roles
role:global:ADMIN -.-> role:debitorRel:OWNER role:rbac.global:ADMIN -.-> role:debitorRel:OWNER
role:debitorRel:OWNER -.-> role:debitorRel:ADMIN role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
role:debitorRel:ADMIN -.-> role:debitorRel:AGENT role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
role:debitorRel:AGENT -.-> role:debitorRel:TENANT role:debitorRel:AGENT -.-> role:debitorRel:TENANT
@ -56,7 +56,7 @@ role:project:TENANT ==> role:debitorRel:TENANT
%% granting permissions to roles %% granting permissions to roles
role:debitorRel:ADMIN ==> perm:project:INSERT role:debitorRel:ADMIN ==> perm:project:INSERT
role:global:ADMIN ==> perm:project:DELETE role:rbac.global:ADMIN ==> perm:project:DELETE
role:project:ADMIN ==> perm:project:UPDATE role:project:ADMIN ==> perm:project:UPDATE
role:project:TENANT ==> perm:project:SELECT role:project:TENANT ==> perm:project:SELECT


@ -39,7 +39,7 @@ end; $$;
do language plpgsql $$ do language plpgsql $$
begin begin
call basis.defineContext('creating booking-project test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN'); call basis.defineContext('creating booking-project test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
call createHsBookingProjectTransactionTestData(10001, '11'); call createHsBookingProjectTransactionTestData(10001, '11');
call createHsBookingProjectTransactionTestData(10002, '12'); call createHsBookingProjectTransactionTestData(10002, '12');


@ -54,8 +54,8 @@ role:bookingItem:AGENT ==> role:bookingItem:TENANT
role:bookingItem:TENANT ==> role:project:TENANT role:bookingItem:TENANT ==> role:project:TENANT
%% granting permissions to roles %% granting permissions to roles
role:global:ADMIN ==> perm:bookingItem:INSERT role:rbac.global:ADMIN ==> perm:bookingItem:INSERT
role:global:ADMIN ==> perm:bookingItem:DELETE role:rbac.global:ADMIN ==> perm:bookingItem:DELETE
role:project:ADMIN ==> perm:bookingItem:INSERT role:project:ADMIN ==> perm:bookingItem:INSERT
role:bookingItem:ADMIN ==> perm:bookingItem:UPDATE role:bookingItem:ADMIN ==> perm:bookingItem:UPDATE
role:bookingItem:TENANT ==> perm:bookingItem:SELECT role:bookingItem:TENANT ==> perm:bookingItem:SELECT


@ -105,11 +105,11 @@ execute procedure insertTriggerForHsBookingItem_tf();
*/ */
do language plpgsql $$ do language plpgsql $$
declare declare
row global; row rbac.global%ROWTYPE;
begin begin
call basis.defineContext('create INSERT INTO hs_booking_item permissions for pre-exising global rows'); call basis.defineContext('create INSERT INTO hs_booking_item permissions for pre-exising rbac.global rows');
FOR row IN SELECT * FROM global FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
@ -120,7 +120,7 @@ do language plpgsql $$
$$; $$;
/** /**
Grants hs_booking_item INSERT permission to specified role of new global rows. Grants hs_booking_item INSERT permission to specified role of new rbac.global rows.
*/ */
create or replace function new_hs_booking_item_grants_insert_to_global_tf() create or replace function new_hs_booking_item_grants_insert_to_global_tf()
returns trigger returns trigger
@ -137,7 +137,7 @@ end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_booking_item_grants_insert_to_global_tg create trigger z_new_hs_booking_item_grants_insert_to_global_tg
after insert on global after insert on rbac.global
for each row for each row
execute procedure new_hs_booking_item_grants_insert_to_global_tf(); execute procedure new_hs_booking_item_grants_insert_to_global_tf();
@ -225,8 +225,8 @@ create or replace function hs_booking_item_insert_permission_check_tf()
declare declare
superObjectUuid uuid; superObjectUuid uuid;
begin begin
-- check INSERT INSERT if global ADMIN -- check INSERT INSERT if rbac.Global ADMIN
if isGlobalAdmin() then if rbac.isGlobalAdmin() then
return NEW; return NEW;
end if; end if;
-- check INSERT permission via direct foreign key: NEW.projectUuid -- check INSERT permission via direct foreign key: NEW.projectUuid
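Review bot: Schema qualification is now inconsistent inside this section: the new side calls `rbac.isGlobalAdmin()` fully qualified, but `call grantPermissionToRole(` in the DO block and `new_hs_booking_item_grants_insert_to_global_tf()` in the trigger stay unqualified and therefore still resolve through the session search_path; if those helpers were moved into the rbac schema as well, the call should read `call rbac.grantPermissionToRole(`, and if they deliberately stayed elsewhere a short comment naming their schema would save the next reader the lookup. The rewritten comment `-- check INSERT INSERT if rbac.Global ADMIN` doubles the word INSERT and uses a capitalisation (`rbac.Global`) that appears nowhere else on the page; suggest `-- check INSERT permission if rbac.global ADMIN`. The context label `'create INSERT INTO hs_booking_item permissions for pre-exising rbac.global rows'` carries the typo "pre-exising" into the new text; since it is a descriptive label rather than an identifier, `pre-existing` would be the safe fix. The identical hunks appear again in the second copy of this file further down (the section that also starts `@ -105,11 +105,11 @@ execute procedure insertTriggerForHsBookingItem_tf();`), so the same applies there; the enclosing DO block and `hs_booking_item_insert_permission_check_tf()` start and end outside these hunks.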


@ -47,7 +47,7 @@ do language plpgsql $$
declare declare
currentTask text; currentTask text;
begin begin
call basis.defineContext('creating booking-item test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN'); call basis.defineContext('creating booking-item test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
call createHsBookingItemTransactionTestData(10001, '11'); call createHsBookingItemTransactionTestData(10001, '11');
call createHsBookingItemTransactionTestData(10002, '12'); call createHsBookingItemTransactionTestData(10002, '12');


@ -54,8 +54,8 @@ role:bookingItem:AGENT ==> role:bookingItem:TENANT
role:bookingItem:TENANT ==> role:project:TENANT role:bookingItem:TENANT ==> role:project:TENANT
%% granting permissions to roles %% granting permissions to roles
role:global:ADMIN ==> perm:bookingItem:INSERT role:rbac.global:ADMIN ==> perm:bookingItem:INSERT
role:global:ADMIN ==> perm:bookingItem:DELETE role:rbac.global:ADMIN ==> perm:bookingItem:DELETE
role:project:ADMIN ==> perm:bookingItem:INSERT role:project:ADMIN ==> perm:bookingItem:INSERT
role:bookingItem:ADMIN ==> perm:bookingItem:UPDATE role:bookingItem:ADMIN ==> perm:bookingItem:UPDATE
role:bookingItem:TENANT ==> perm:bookingItem:SELECT role:bookingItem:TENANT ==> perm:bookingItem:SELECT


@ -105,11 +105,11 @@ execute procedure insertTriggerForHsBookingItem_tf();
*/ */
do language plpgsql $$ do language plpgsql $$
declare declare
row global; row rbac.global%ROWTYPE;
begin begin
call basis.defineContext('create INSERT INTO hs_booking_item permissions for pre-exising global rows'); call basis.defineContext('create INSERT INTO hs_booking_item permissions for pre-exising rbac.global rows');
FOR row IN SELECT * FROM global FOR row IN SELECT * FROM rbac.global
-- unconditional for all rows in that table -- unconditional for all rows in that table
LOOP LOOP
call grantPermissionToRole( call grantPermissionToRole(
@ -120,7 +120,7 @@ do language plpgsql $$
$$; $$;
/** /**
Grants hs_booking_item INSERT permission to specified role of new global rows. Grants hs_booking_item INSERT permission to specified role of new rbac.global rows.
*/ */
create or replace function new_hs_booking_item_grants_insert_to_global_tf() create or replace function new_hs_booking_item_grants_insert_to_global_tf()
returns trigger returns trigger
@ -137,7 +137,7 @@ end; $$;
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_new_hs_booking_item_grants_insert_to_global_tg create trigger z_new_hs_booking_item_grants_insert_to_global_tg
after insert on global after insert on rbac.global
for each row for each row
execute procedure new_hs_booking_item_grants_insert_to_global_tf(); execute procedure new_hs_booking_item_grants_insert_to_global_tf();
@ -225,8 +225,8 @@ create or replace function hs_booking_item_insert_permission_check_tf()
declare declare
superObjectUuid uuid; superObjectUuid uuid;
begin begin
-- check INSERT INSERT if global ADMIN -- check INSERT INSERT if rbac.Global ADMIN
if isGlobalAdmin() then if rbac.isGlobalAdmin() then
return NEW; return NEW;
end if; end if;
-- check INSERT permission via direct foreign key: NEW.projectUuid -- check INSERT permission via direct foreign key: NEW.projectUuid


@ -88,10 +88,10 @@ user:creator ==> role:asset:OWNER
role:bookingItem:OWNER -.-> role:bookingItem:ADMIN role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
role:bookingItem:ADMIN -.-> role:bookingItem:AGENT role:bookingItem:ADMIN -.-> role:bookingItem:AGENT
role:bookingItem:AGENT -.-> role:bookingItem:TENANT role:bookingItem:AGENT -.-> role:bookingItem:TENANT
role:global:ADMIN -.-> role:alarmContact:OWNER role:rbac.global:ADMIN -.-> role:alarmContact:OWNER
role:alarmContact:OWNER -.-> role:alarmContact:ADMIN role:alarmContact:OWNER -.-> role:alarmContact:ADMIN
role:alarmContact:ADMIN -.-> role:alarmContact:REFERRER role:alarmContact:ADMIN -.-> role:alarmContact:REFERRER
role:global:ADMIN ==>|XX| role:asset:OWNER role:rbac.global:ADMIN ==>|XX| role:asset:OWNER
role:bookingItem:ADMIN ==> role:asset:OWNER role:bookingItem:ADMIN ==> role:asset:OWNER
role:parentAsset:ADMIN ==> role:asset:OWNER role:parentAsset:ADMIN ==> role:asset:OWNER
role:asset:OWNER ==> role:asset:ADMIN role:asset:OWNER ==> role:asset:ADMIN
@ -107,9 +107,9 @@ role:asset:TENANT ==> role:parentAsset:TENANT
role:alarmContact:ADMIN ==> role:asset:TENANT role:alarmContact:ADMIN ==> role:asset:TENANT
%% granting permissions to roles %% granting permissions to roles
role:global:ADMIN ==> perm:asset:INSERT role:rbac.global:ADMIN ==> perm:asset:INSERT
role:parentAsset:ADMIN ==> perm:asset:INSERT role:parentAsset:ADMIN ==> perm:asset:INSERT
role:global:GUEST ==> perm:asset:INSERT role:rbac.global:GUEST ==> perm:asset:INSERT
role:asset:OWNER ==> perm:asset:DELETE role:asset:OWNER ==> perm:asset:DELETE
role:asset:ADMIN ==> perm:asset:UPDATE role:asset:ADMIN ==> perm:asset:UPDATE
role:asset:TENANT ==> perm:asset:SELECT role:asset:TENANT ==> perm:asset:SELECT


@ -30,7 +30,7 @@ declare
pgSqlInstanceUuid uuid; pgSqlInstanceUuid uuid;
PgSqlSubjectUuid uuid; PgSqlSubjectUuid uuid;
begin begin
call basis.defineContext('creating hosting-asset test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN'); call basis.defineContext('creating hosting-asset test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
select project.* into relatedProject select project.* into relatedProject
from hs_booking_project project from hs_booking_project project
@ -110,7 +110,7 @@ end; $$;
do language plpgsql $$ do language plpgsql $$
begin begin
call basis.defineContext('creating hosting-asset test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN'); call basis.defineContext('creating hosting-asset test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
call createHsHostingAssetTestData('D-1000111 default project'); call createHsHostingAssetTestData('D-1000111 default project');
call createHsHostingAssetTestData('D-1000212 default project'); call createHsHostingAssetTestData('D-1000212 default project');


@ -6,7 +6,7 @@
CREATE VIEW hs_statistics_view AS CREATE VIEW hs_statistics_view AS
select * select *
from (select count, "table" as "rbac-table", '' as "hs-table", '' as "type" from (select count, "table" as "rbac-table", '' as "hs-table", '' as "type"
from rbacstatisticsview from rbac.statistics_v
union all union all
select to_char(count(*)::int, '9 999 999 999') as "count", 'objects' as "rbac-table", objecttable as "hs-table", '' as "type" select to_char(count(*)::int, '9 999 999 999') as "count", 'objects' as "rbac-table", objecttable as "hs-table", '' as "type"
from rbac.object from rbac.object


@ -158,4 +158,4 @@ databaseChangeLog:
- include: - include:
file: db/changelog/7-hs-hosting/701-hosting-asset/7018-hs-hosting-asset-test-data.sql file: db/changelog/7-hs-hosting/701-hosting-asset/7018-hs-hosting-asset-test-data.sql
- include: - include:
file: db/changelog/9-hs-global/9000-statistics.sql file: db/changelog/9-hs-global/9000-statistics.sql


@ -68,7 +68,7 @@ public class ArchitectureTest {
"..mapper", "..mapper",
"..ping", "..ping",
"..rbac", "..rbac",
"..rbac.rbacSubject", "..rbac.subject",
"..rbac.rbacgrant", "..rbac.rbacgrant",
"..rbac.rbacrole", "..rbac.rbacrole",
"..rbac.rbacobject", "..rbac.rbacobject",
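Review bot: The allowed-package list now mixes naming schemes: `"..rbac.subject"` drops the `rbac` prefix while `"..rbac.rbacgrant"`, `"..rbac.rbacrole"` and `"..rbac.rbacobject"` keep it. If only the subject package was renamed in this commit that is consistent with the code, but then a one-line comment such as `// subject package renamed; grant/role/object packages still carry the rbac prefix` would stop a reader from treating the remaining entries as stale; if the other packages were renamed too, these three entries presumably need updating for the architecture rule to keep matching. The enclosing rule definition starts and ends outside the hunk.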


@ -175,9 +175,9 @@ class HsBookingItemRepositoryIntegrationTest extends ContextBasedTestWithCleanup
.containsExactlyInAnyOrder(fromFormatted( .containsExactlyInAnyOrder(fromFormatted(
initialGrantNames, initialGrantNames,
// global-admin // rbac.global-admin
"{ grant perm:hs_booking_item#somenewbookingitem:INSERT>hs_booking_item to role:hs_booking_item#somenewbookingitem:ADMIN by system and assume }", "{ grant perm:hs_booking_item#somenewbookingitem:INSERT>hs_booking_item to role:hs_booking_item#somenewbookingitem:ADMIN by system and assume }",
"{ grant perm:hs_booking_item#somenewbookingitem:DELETE to role:global#global:ADMIN by system and assume }", "{ grant perm:hs_booking_item#somenewbookingitem:DELETE to role:rbac.global#global:ADMIN by system and assume }",
// owner // owner
"{ grant role:hs_booking_item#somenewbookingitem:OWNER to role:hs_booking_project#D-1000111-D-1000111defaultproject:AGENT by system and assume }", "{ grant role:hs_booking_item#somenewbookingitem:OWNER to role:hs_booking_project#D-1000111-D-1000111defaultproject:AGENT by system and assume }",


@ -161,8 +161,8 @@ class HsBookingProjectRepositoryIntegrationTest extends ContextBasedTestWithClea
.containsExactlyInAnyOrder(fromFormatted( .containsExactlyInAnyOrder(fromFormatted(
initialGrantNames, initialGrantNames,
// global-admin // rbacgGlobal-admin
"{ grant perm:hs_booking_project#D-1000111-somenewbookingproject:DELETE to role:global#global:ADMIN by system and assume }", "{ grant perm:hs_booking_project#D-1000111-somenewbookingproject:DELETE to role:rbac.global#global:ADMIN by system and assume }",
// owner // owner
"{ grant role:hs_booking_project#D-1000111-somenewbookingproject:ADMIN to role:hs_booking_project#D-1000111-somenewbookingproject:OWNER by system and assume }", "{ grant role:hs_booking_project#D-1000111-somenewbookingproject:ADMIN to role:hs_booking_project#D-1000111-somenewbookingproject:OWNER by system and assume }",
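Review bot: The rewritten grant-group comment reads `// rbacgGlobal-admin`, which is a typo; the corresponding comment in the booking-item and hosting-asset tests on this page reads `// rbac.global-admin`, so this one should be `// rbac.global-admin` as well. The enclosing test method starts and ends outside the hunk.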


@ -200,8 +200,8 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu
.containsExactlyInAnyOrder(fromFormatted( .containsExactlyInAnyOrder(fromFormatted(
initialGrantNames, initialGrantNames,
// global-admin // rbac.global-admin
"{ grant role:hs_hosting_asset#fir00:OWNER to role:global#global:ADMIN by system }", // workaround "{ grant role:hs_hosting_asset#fir00:OWNER to role:rbac.global#global:ADMIN by system }", // workaround
// owner // owner
"{ grant role:hs_hosting_asset#fir00:OWNER to user:superuser-alex@hostsharing.net by hs_hosting_asset#fir00:OWNER and assume }", "{ grant role:hs_hosting_asset#fir00:OWNER to user:superuser-alex@hostsharing.net by hs_hosting_asset#fir00:OWNER and assume }",
@ -250,7 +250,7 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu
context("person-SmithPeter@example.com"); context("person-SmithPeter@example.com");
assertThatAssetIsPersisted(result.returnedValue()); assertThatAssetIsPersisted(result.returnedValue());
// ... a global admin can see the new domain setup as well if the domain OWNER role is assumed // ... a rbac.global admin can see the new domain setup as well if the domain OWNER role is assumed
context("superuser-alex@hostsharing.net", "hs_hosting_asset#example.net:OWNER"); // only works with the assumed role context("superuser-alex@hostsharing.net", "hs_hosting_asset#example.net:OWNER"); // only works with the assumed role
assertThatAssetIsPersisted(result.returnedValue()); assertThatAssetIsPersisted(result.returnedValue());
} }


@ -109,7 +109,7 @@ class HsOfficeBankAccountRepositoryIntegrationTest extends ContextBasedTestWithC
assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(Array.fromFormatted( assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(Array.fromFormatted(
initialGrantNames, initialGrantNames,
"{ grant perm:hs_office_bankaccount#DE25500105176934832579:DELETE to role:hs_office_bankaccount#DE25500105176934832579:OWNER by system and assume }", "{ grant perm:hs_office_bankaccount#DE25500105176934832579:DELETE to role:hs_office_bankaccount#DE25500105176934832579:OWNER by system and assume }",
"{ grant role:hs_office_bankaccount#DE25500105176934832579:OWNER to role:global#global:ADMIN by system and assume }", "{ grant role:hs_office_bankaccount#DE25500105176934832579:OWNER to role:rbac.global#global:ADMIN by system and assume }",
"{ grant role:hs_office_bankaccount#DE25500105176934832579:OWNER to user:selfregistered-user-drew@hostsharing.org by hs_office_bankaccount#DE25500105176934832579:OWNER and assume }", "{ grant role:hs_office_bankaccount#DE25500105176934832579:OWNER to user:selfregistered-user-drew@hostsharing.org by hs_office_bankaccount#DE25500105176934832579:OWNER and assume }",
"{ grant role:hs_office_bankaccount#DE25500105176934832579:ADMIN to role:hs_office_bankaccount#DE25500105176934832579:OWNER by system and assume }", "{ grant role:hs_office_bankaccount#DE25500105176934832579:ADMIN to role:hs_office_bankaccount#DE25500105176934832579:OWNER by system and assume }",


@ -109,7 +109,7 @@ class HsOfficeContactRbacRepositoryIntegrationTest extends ContextBasedTestWithC
)); ));
assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(Array.fromFormatted( assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(Array.fromFormatted(
initialGrantNames, initialGrantNames,
"{ grant role:hs_office_contact#anothernewcontact:OWNER to role:global#global:ADMIN by system and assume }", "{ grant role:hs_office_contact#anothernewcontact:OWNER to role:rbac.global#global:ADMIN by system and assume }",
"{ grant perm:hs_office_contact#anothernewcontact:UPDATE to role:hs_office_contact#anothernewcontact:ADMIN by system and assume }", "{ grant perm:hs_office_contact#anothernewcontact:UPDATE to role:hs_office_contact#anothernewcontact:ADMIN by system and assume }",
"{ grant role:hs_office_contact#anothernewcontact:OWNER to user:selfregistered-user-drew@hostsharing.org by hs_office_contact#anothernewcontact:OWNER and assume }", "{ grant role:hs_office_contact#anothernewcontact:OWNER to user:selfregistered-user-drew@hostsharing.org by hs_office_contact#anothernewcontact:OWNER and assume }",
"{ grant perm:hs_office_contact#anothernewcontact:DELETE to role:hs_office_contact#anothernewcontact:OWNER by system and assume }", "{ grant perm:hs_office_contact#anothernewcontact:DELETE to role:hs_office_contact#anothernewcontact:OWNER by system and assume }",


@ -190,7 +190,7 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
// owner // owner
"{ grant perm:debitor#D-1000122:DELETE to role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER by system and assume }", "{ grant perm:debitor#D-1000122:DELETE to role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER by system and assume }",
"{ grant perm:relation#FirstGmbH-with-DEBITOR-FourtheG:DELETE to role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER by system and assume }", "{ grant perm:relation#FirstGmbH-with-DEBITOR-FourtheG:DELETE to role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER by system and assume }",
"{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER to role:global#global:ADMIN by system and assume }", "{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER to role:rbac.global#global:ADMIN by system and assume }",
"{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER to role:person#FirstGmbH:ADMIN by system and assume }", "{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER to role:person#FirstGmbH:ADMIN by system and assume }",
"{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER to user:superuser-alex@hostsharing.net by relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER and assume }", "{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER to user:superuser-alex@hostsharing.net by relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER and assume }",
@ -349,7 +349,7 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
// then // then
result.assertSuccessful(); result.assertSuccessful();
assertThatDebitorIsVisibleForUserWithRole(result.returnedValue(), "global#global:ADMIN", true); assertThatDebitorIsVisibleForUserWithRole(result.returnedValue(), "rbac.global#global:ADMIN", true);
// ... partner role was reassigned: // ... partner role was reassigned:
assertThatDebitorIsNotVisibleForUserWithRole( assertThatDebitorIsNotVisibleForUserWithRole(
@ -398,7 +398,7 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
result.assertSuccessful(); result.assertSuccessful();
assertThatDebitorIsVisibleForUserWithRole( assertThatDebitorIsVisibleForUserWithRole(
result.returnedValue(), result.returnedValue(),
"global#global:ADMIN", true); "rbac.global#global:ADMIN", true);
// ... bank-account role was assigned: // ... bank-account role was assigned:
assertThatDebitorIsVisibleForUserWithRole( assertThatDebitorIsVisibleForUserWithRole(
@ -427,7 +427,7 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
result.assertSuccessful(); result.assertSuccessful();
assertThatDebitorIsVisibleForUserWithRole( assertThatDebitorIsVisibleForUserWithRole(
result.returnedValue(), result.returnedValue(),
"global#global:ADMIN", true); "rbac.global#global:ADMIN", true);
// ... bank-account role was removed from previous bank-account admin: // ... bank-account role was removed from previous bank-account admin:
assertThatDebitorIsNotVisibleForUserWithRole( assertThatDebitorIsNotVisibleForUserWithRole(


@ -158,7 +158,7 @@ class HsOfficePartnerRepositoryIntegrationTest extends ContextBasedTestWithClean
"{ grant perm:relation#HostsharingeG-with-PARTNER-EBess:SELECT to role:relation#HostsharingeG-with-PARTNER-EBess:TENANT by system and assume }", "{ grant perm:relation#HostsharingeG-with-PARTNER-EBess:SELECT to role:relation#HostsharingeG-with-PARTNER-EBess:TENANT by system and assume }",
// relation owner // relation owner
"{ grant role:relation#HostsharingeG-with-PARTNER-EBess:OWNER to role:global#global:ADMIN by system and assume }", "{ grant role:relation#HostsharingeG-with-PARTNER-EBess:OWNER to role:rbac.global#global:ADMIN by system and assume }",
"{ grant role:relation#HostsharingeG-with-PARTNER-EBess:OWNER to user:superuser-alex@hostsharing.net by relation#HostsharingeG-with-PARTNER-EBess:OWNER and assume }", "{ grant role:relation#HostsharingeG-with-PARTNER-EBess:OWNER to user:superuser-alex@hostsharing.net by relation#HostsharingeG-with-PARTNER-EBess:OWNER and assume }",
// relation admin // relation admin
@ -278,7 +278,7 @@ class HsOfficePartnerRepositoryIntegrationTest extends ContextBasedTestWithClean
assertThatPartnerIsVisibleForUserWithRole( assertThatPartnerIsVisibleForUserWithRole(
givenPartner, givenPartner,
"global#global:ADMIN"); "rbac.global#global:ADMIN");
assertThatPartnerIsVisibleForUserWithRole( assertThatPartnerIsVisibleForUserWithRole(
givenPartner, givenPartner,
"hs_office_person#ThirdOHG:ADMIN"); "hs_office_person#ThirdOHG:ADMIN");


@ -112,7 +112,7 @@ class HsOfficePersonRepositoryIntegrationTest extends ContextBasedTestWithCleanu
"{ grant perm:hs_office_person#anothernewperson:INSERT>hs_office_relation to role:hs_office_person#anothernewperson:ADMIN by system and assume }", "{ grant perm:hs_office_person#anothernewperson:INSERT>hs_office_relation to role:hs_office_person#anothernewperson:ADMIN by system and assume }",
"{ grant role:hs_office_person#anothernewperson:OWNER to user:selfregistered-user-drew@hostsharing.org by hs_office_person#anothernewperson:OWNER and assume }", "{ grant role:hs_office_person#anothernewperson:OWNER to user:selfregistered-user-drew@hostsharing.org by hs_office_person#anothernewperson:OWNER and assume }",
"{ grant role:hs_office_person#anothernewperson:OWNER to role:global#global:ADMIN by system and assume }", "{ grant role:hs_office_person#anothernewperson:OWNER to role:rbac.global#global:ADMIN by system and assume }",
"{ grant perm:hs_office_person#anothernewperson:UPDATE to role:hs_office_person#anothernewperson:ADMIN by system and assume }", "{ grant perm:hs_office_person#anothernewperson:UPDATE to role:hs_office_person#anothernewperson:ADMIN by system and assume }",
"{ grant perm:hs_office_person#anothernewperson:DELETE to role:hs_office_person#anothernewperson:OWNER by system and assume }", "{ grant perm:hs_office_person#anothernewperson:DELETE to role:hs_office_person#anothernewperson:OWNER by system and assume }",
"{ grant role:hs_office_person#anothernewperson:ADMIN to role:hs_office_person#anothernewperson:OWNER by system and assume }", "{ grant role:hs_office_person#anothernewperson:ADMIN to role:hs_office_person#anothernewperson:OWNER by system and assume }",


@ -133,7 +133,7 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
initialGrantNames, initialGrantNames,
"{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:DELETE to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER by system and assume }", "{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:DELETE to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER by system and assume }",
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER to role:global#global:ADMIN by system and assume }", "{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER to role:rbac.global#global:ADMIN by system and assume }",
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER to user:superuser-alex@hostsharing.net by hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER and assume }", "{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER to user:superuser-alex@hostsharing.net by hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER and assume }",
"{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:UPDATE to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:ADMIN by system and assume }", "{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:UPDATE to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:ADMIN by system and assume }",
@ -233,7 +233,7 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
assertThat(result.returnedValue().getContact().getCaption()).isEqualTo("sixth contact"); assertThat(result.returnedValue().getContact().getCaption()).isEqualTo("sixth contact");
assertThatRelationIsVisibleForUserWithRole( assertThatRelationIsVisibleForUserWithRole(
result.returnedValue(), result.returnedValue(),
"global#global:ADMIN"); "rbac.global#global:ADMIN");
assertThatRelationIsVisibleForUserWithRole( assertThatRelationIsVisibleForUserWithRole(
result.returnedValue(), result.returnedValue(),
"hs_office_contact#sixthcontact:ADMIN"); "hs_office_contact#sixthcontact:ADMIN");


@ -128,7 +128,7 @@ class HsOfficeSepaMandateRepositoryIntegrationTest extends ContextBasedTestWithC
// owner // owner
"{ grant perm:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):DELETE to role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER by system and assume }", "{ grant perm:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):DELETE to role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER by system and assume }",
"{ grant role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER to role:global#global:ADMIN by system and assume }", "{ grant role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER to role:rbac.global#global:ADMIN by system and assume }",
"{ grant role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER to user:superuser-alex@hostsharing.net by sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER and assume }", "{ grant role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER to user:superuser-alex@hostsharing.net by sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER and assume }",
// admin // admin


@ -86,8 +86,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
)) ))
.body("", hasItem( .body("", hasItem(
allOf( allOf(
hasEntry("grantedByRoleIdName", "global#global:ADMIN"), hasEntry("grantedByRoleIdName", "rbac.global#global:ADMIN"),
hasEntry("grantedRoleIdName", "global#global:ADMIN"), hasEntry("grantedRoleIdName", "rbac.global#global:ADMIN"),
hasEntry("granteeSubjectName", "superuser-fran@hostsharing.net") hasEntry("granteeSubjectName", "superuser-fran@hostsharing.net")
) )
)) ))


@ -46,7 +46,7 @@ class RbacRoleControllerAcceptanceTest {
.body("", hasItem(hasEntry("roleName", "test_customer#xxx:OWNER"))) .body("", hasItem(hasEntry("roleName", "test_customer#xxx:OWNER")))
.body("", hasItem(hasEntry("roleName", "test_customer#xxx:TENANT"))) .body("", hasItem(hasEntry("roleName", "test_customer#xxx:TENANT")))
// ... // ...
.body("", hasItem(hasEntry("roleName", "global#global:ADMIN"))) .body("", hasItem(hasEntry("roleName", "rbac.global#global:ADMIN")))
.body("", hasItem(hasEntry("roleName", "test_customer#yyy:ADMIN"))) .body("", hasItem(hasEntry("roleName", "test_customer#yyy:ADMIN")))
.body("", hasItem(hasEntry("roleName", "test_package#yyy00:ADMIN"))) .body("", hasItem(hasEntry("roleName", "test_package#yyy00:ADMIN")))
.body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa:OWNER"))) .body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa:OWNER")))


@ -73,7 +73,7 @@ class RbacRoleControllerRestTest {
// then // then
.andExpect(status().isOk()) .andExpect(status().isOk())
.andExpect(jsonPath("$", hasSize(3))) .andExpect(jsonPath("$", hasSize(3)))
.andExpect(jsonPath("$[0].roleName", is("global#global:ADMIN"))) .andExpect(jsonPath("$[0].roleName", is("rbac.global#global:ADMIN")))
.andExpect(jsonPath("$[1].roleName", is("test_customer#xxx:OWNER"))) .andExpect(jsonPath("$[1].roleName", is("test_customer#xxx:OWNER")))
.andExpect(jsonPath("$[2].roleName", is("test_customer#xxx:ADMIN"))) .andExpect(jsonPath("$[2].roleName", is("test_customer#xxx:ADMIN")))
.andExpect(jsonPath("$[2].uuid", is(customerXxxAdmin.getUuid().toString()))) .andExpect(jsonPath("$[2].uuid", is(customerXxxAdmin.getUuid().toString())))


@ -39,7 +39,7 @@ class RbacRoleRepositoryIntegrationTest {
private static final String[] ALL_TEST_DATA_ROLES = Array.of( private static final String[] ALL_TEST_DATA_ROLES = Array.of(
// @formatter:off // @formatter:off
"global#global:ADMIN", "rbac.global#global:ADMIN",
"test_customer#xxx:ADMIN", "test_customer#xxx:OWNER", "test_customer#xxx:TENANT", "test_customer#xxx:ADMIN", "test_customer#xxx:OWNER", "test_customer#xxx:TENANT",
"test_package#xxx00:ADMIN", "test_package#xxx00:OWNER", "test_package#xxx00:TENANT", "test_package#xxx00:ADMIN", "test_package#xxx00:OWNER", "test_package#xxx00:TENANT",
"test_package#xxx01:ADMIN", "test_package#xxx01:OWNER", "test_package#xxx01:TENANT", "test_package#xxx01:ADMIN", "test_package#xxx01:OWNER", "test_package#xxx01:TENANT",
@ -70,7 +70,7 @@ class RbacRoleRepositoryIntegrationTest {
@Test @Test
public void globalAdmin_withAssumedglobalAdminRole_canViewAllRbacRoles() { public void globalAdmin_withAssumedglobalAdminRole_canViewAllRbacRoles() {
given: given:
context.define("superuser-alex@hostsharing.net", "global#global:ADMIN"); context.define("superuser-alex@hostsharing.net", "rbac.global#global:ADMIN");
// when // when
final var result = rbacRoleRepository.findAll(); final var result = rbacRoleRepository.findAll();
@ -110,7 +110,7 @@ class RbacRoleRepositoryIntegrationTest {
noneOfTheseRbacRolesIsReturned( noneOfTheseRbacRolesIsReturned(
result, result,
// @formatter:off // @formatter:off
"global#global:ADMIN", "rbac.global#global:ADMIN",
"test_customer#xxx:OWNER", "test_customer#xxx:OWNER",
"test_package#yyy00:ADMIN", "test_package#yyy00:ADMIN",
"test_package#yyy00:OWNER", "test_package#yyy00:OWNER",


@ -4,7 +4,7 @@ import static java.util.UUID.randomUUID;
public class TestRbacRole { public class TestRbacRole {
public static final RbacRoleEntity hostmasterRole = rbacRole("global", "global", RbacRoleType.ADMIN); public static final RbacRoleEntity hostmasterRole = rbacRole("rbac.global", "global", RbacRoleType.ADMIN);
static final RbacRoleEntity customerXxxOwner = rbacRole("test_customer", "xxx", RbacRoleType.OWNER); static final RbacRoleEntity customerXxxOwner = rbacRole("test_customer", "xxx", RbacRoleType.OWNER);
static final RbacRoleEntity customerXxxAdmin = rbacRole("test_customer", "xxx", RbacRoleType.ADMIN); static final RbacRoleEntity customerXxxAdmin = rbacRole("test_customer", "xxx", RbacRoleType.ADMIN);


@ -116,7 +116,7 @@ class RbacSubjectRepositoryIntegrationTest extends ContextBasedTest {
@Test @Test
public void globalAdmin_withAssumedglobalAdminRole_canViewAllRbacSubjects() { public void globalAdmin_withAssumedglobalAdminRole_canViewAllRbacSubjects() {
given: given:
context("superuser-alex@hostsharing.net", "global#global:ADMIN"); context("superuser-alex@hostsharing.net", "rbac.global#global:ADMIN");
// when // when
final var result = rbacSubjectRepository.findByOptionalNameLike(null); final var result = rbacSubjectRepository.findByOptionalNameLike(null);


@ -13,19 +13,19 @@ class TestCustomerEntityUnitTest {
assertThat(rbacFlowchart).isEqualTo(""" assertThat(rbacFlowchart).isEqualTo("""
%%{init:{'flowchart':{'htmlLabels':false}}}%% %%{init:{'flowchart':{'htmlLabels':false}}}%%
flowchart TB flowchart TB
subgraph customer["`**customer**`"] subgraph customer["`**customer**`"]
direction TB direction TB
style customer fill:#dd4901,stroke:#274d6e,stroke-width:8px style customer fill:#dd4901,stroke:#274d6e,stroke-width:8px
subgraph customer:roles[ ] subgraph customer:roles[ ]
style customer:roles fill:#dd4901,stroke:white style customer:roles fill:#dd4901,stroke:white
role:customer:OWNER[[customer:OWNER]] role:customer:OWNER[[customer:OWNER]]
role:customer:ADMIN[[customer:ADMIN]] role:customer:ADMIN[[customer:ADMIN]]
role:customer:TENANT[[customer:TENANT]] role:customer:TENANT[[customer:TENANT]]
end end
subgraph customer:permissions[ ] subgraph customer:permissions[ ]
style customer:permissions fill:#dd4901,stroke:white style customer:permissions fill:#dd4901,stroke:white
@ -40,12 +40,12 @@ class TestCustomerEntityUnitTest {
user:creator ==>|XX| role:customer:OWNER user:creator ==>|XX| role:customer:OWNER
%% granting roles to roles %% granting roles to roles
role:global:ADMIN ==>|XX| role:customer:OWNER role:rbac.global:ADMIN ==>|XX| role:customer:OWNER
role:customer:OWNER ==> role:customer:ADMIN role:customer:OWNER ==> role:customer:ADMIN
role:customer:ADMIN ==> role:customer:TENANT role:customer:ADMIN ==> role:customer:TENANT
%% granting permissions to roles %% granting permissions to roles
role:global:ADMIN ==> perm:customer:INSERT role:rbac.global:ADMIN ==> perm:customer:INSERT
role:customer:OWNER ==> perm:customer:DELETE role:customer:OWNER ==> perm:customer:DELETE
role:customer:ADMIN ==> perm:customer:UPDATE role:customer:ADMIN ==> perm:customer:UPDATE
role:customer:TENANT ==> perm:customer:SELECT role:customer:TENANT ==> perm:customer:SELECT


@ -50,7 +50,7 @@ class TestPackageEntityUnitTest {
end end
%% granting roles to roles %% granting roles to roles
role:global:ADMIN -.->|XX| role:customer:OWNER role:rbac.global:ADMIN -.->|XX| role:customer:OWNER
role:customer:OWNER -.-> role:customer:ADMIN role:customer:OWNER -.-> role:customer:ADMIN
role:customer:ADMIN -.-> role:customer:TENANT role:customer:ADMIN -.-> role:customer:TENANT
role:customer:ADMIN ==> role:package:OWNER role:customer:ADMIN ==> role:package:OWNER


@ -40,7 +40,7 @@ class TestPackageRepositoryIntegrationTest extends ContextBasedTest {
@Test @Test
public void globalAdmin_withoutAssumedRole_canNotViewAnyPackages_becauseThoseGrantsAreNotAssumed() { public void globalAdmin_withoutAssumedRole_canNotViewAnyPackages_becauseThoseGrantsAreNotAssumed() {
// given // given
// alex is not just global-admin but lso the creating user, thus we use fran // alex is not just rbac.global-admin but lso the creating user, thus we use fran
context.define("superuser-fran@hostsharing.net"); context.define("superuser-fran@hostsharing.net");
// when // when
@ -53,7 +53,7 @@ class TestPackageRepositoryIntegrationTest extends ContextBasedTest {
@Test @Test
public void globalAdmin_withAssumedglobalAdminRole__canNotViewAnyPackages_becauseThoseGrantsAreNotAssumed() { public void globalAdmin_withAssumedglobalAdminRole__canNotViewAnyPackages_becauseThoseGrantsAreNotAssumed() {
given: given:
context.define("superuser-alex@hostsharing.net", "global#global:ADMIN"); context.define("superuser-alex@hostsharing.net", "rbac.global#global:ADMIN");
// when // when
final var result = testPackageRepository.findAllByOptionalNameLike(null); final var result = testPackageRepository.findAllByOptionalNameLike(null);
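Review bot: The rewritten comment in the first hunk of this section, `// alex is not just rbac.global-admin but lso the creating user, thus we use fran`, keeps the pre-existing typo "lso" even though the line was touched; suggest `// alex is not just rbac.global-admin but also the creating user, thus we use fran`. Both test methods in this section start and end outside their hunks.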