From 2b951bd308a03a57ab22a42f1c491158d646c2a3 Mon Sep 17 00:00:00 2001 
From: Michael Hoennig Date: Fri, 13 Sep 2024 16:20:14 +0200 Subject: [PATCH] rbac schema for user-grant --- .../hsadminng/rbac/rbacdef/RbacView.java | 4 +-- .../RolesGrantsAndPermissionsGenerator.java | 4 +-- .../rbac/rbacgrant/RbacGrantController.java | 16 ++++----- .../rbac/rbacgrant/RbacGrantEntity.java | 6 ++-- .../hsadminng/rbac/rbacgrant/RbacGrantId.java | 2 +- .../rbac/rbacgrant/RbacGrantRepository.java | 4 +-- .../rbac/rbacuser/RbacUserController.java | 12 +++---- .../rbac/rbacuser/RbacUserRepository.java | 6 ++-- .../rbac/rbac-grant-schemas.yaml | 4 +-- .../rbac/rbac-grants-with-id.yaml | 6 ++-- .../api-definition/rbac/rbac-grants.yaml | 2 +- .../rbac/rbac-users-with-id-permissions.yaml | 2 +- .../rbac/rbac-users-with-uuid.yaml | 4 +-- .../resources/api-definition/rbac/rbac.yaml | 6 ++-- .../db/changelog/1-rbac/1050-rbac-base.sql | 2 +- .../changelog/1-rbac/1051-rbac-user-grant.sql | 36 +++++++++---------- .../db/changelog/1-rbac/1055-rbac-views.sql | 26 +++++++------- .../1-rbac/1057-rbac-role-builder.sql | 10 +++--- .../db/changelog/1-rbac/1080-rbac-global.sql | 4 +-- .../2013-test-customer-rbac.sql | 2 +- .../2018-test-customer-test-data.sql | 2 +- .../2028-test-package-test-data.sql | 2 +- .../5013-hs-office-contact-rbac.sql | 2 +- .../502-person/5023-hs-office-person-rbac.sql | 2 +- .../5033-hs-office-relation-rbac.sql | 2 +- .../5043-hs-office-partner-rbac.sql | 12 +++---- .../5053-hs-office-bankaccount-rbac.sql | 2 +- .../5073-hs-office-sepamandate-rbac.sql | 2 +- .../5103-hs-office-membership-rbac.sql | 2 +- .../7013-hs-hosting-asset-rbac.sql | 2 +- .../7018-hs-hosting-asset-test-data.sql | 30 ++++++++-------- ...HsBookingItemControllerAcceptanceTest.java | 4 +-- ...ookingProjectControllerAcceptanceTest.java | 4 +-- ...sHostingAssetControllerAcceptanceTest.java | 4 +-- ...ceBankAccountControllerAcceptanceTest.java | 4 +-- ...OfficeContactControllerAcceptanceTest.java | 4 +-- ...OfficeDebitorControllerAcceptanceTest.java | 8 ++--- 
...iceMembershipControllerAcceptanceTest.java | 6 ++-- ...OfficePartnerControllerAcceptanceTest.java | 4 +-- ...sOfficePersonControllerAcceptanceTest.java | 4 +-- ...fficeRelationControllerAcceptanceTest.java | 4 +-- ...ceSepaMandateControllerAcceptanceTest.java | 4 +-- .../RbacGrantControllerAcceptanceTest.java | 8 ++--- .../rbacgrant/RbacGrantEntityUnitTest.java | 6 ++-- .../RbacGrantRepositoryIntegrationTest.java | 14 ++++---- .../RbacUserControllerAcceptanceTest.java | 4 +-- .../RbacUserRepositoryIntegrationTest.java | 18 +++++----- .../test/ContextBasedTestWithCleanup.java | 1 - .../TestCustomerControllerAcceptanceTest.java | 4 +-- 49 files changed, 161 insertions(+), 162 deletions(-) diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java index ed3a1486..32f5d7af 100644 --- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java +++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java @@ -467,7 +467,7 @@ public class RbacView { return new RbacExampleRole(entityAlias, role); } - private RbacGrantDefinition grantRoleToUser(final RbacRoleDefinition roleDefinition, final RbacUserReference user) { + private RbacGrantDefinition grantRoleToSubject(final RbacRoleDefinition roleDefinition, final RbacUserReference user) { return findOrCreateGrantDef(roleDefinition, user).toCreate(); } @@ -771,7 +771,7 @@ public class RbacView { * The grant definition for further chained calls. */ public RbacGrantDefinition owningUser(final RbacUserReference.UserRole userRole) { - return grantRoleToUser(this, findUserRef(userRole)); + return grantRoleToSubject(this, findUserRef(userRole)); } /** diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java index 238e1208..7b3d9d06 100644 
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java +++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java @@ -312,7 +312,7 @@ class RolesGrantsAndPermissionsGenerator { case ROLE_TO_ROLE -> "call revokeRoleFromRole(${subRoleRef}, ${superRoleRef});" .replace("${subRoleRef}", roleRef(OLD, grantDef.getSubRoleDef())) .replace("${superRoleRef}", roleRef(OLD, grantDef.getSuperRoleDef())); - case PERM_TO_ROLE -> "call revokePermissionFromRole(${permRef}, ${superRoleRef});" + case PERM_TO_ROLE -> "call rbac.revokePermissionFromRole(${permRef}, ${superRoleRef});" .replace("${permRef}", getPerm(OLD, grantDef.getPermDef())) .replace("${superRoleRef}", roleRef(OLD, grantDef.getSuperRoleDef())); }; @@ -415,7 +415,7 @@ class RolesGrantsAndPermissionsGenerator { .map(this::toPlPgSqlReference) .toList(); plPgSql.indented(() -> - plPgSql.writeLn("userUuids => array[" + joinArrayElements(arrayElements, 2) + "],\n")); + plPgSql.writeLn("subjectUuids => array[" + joinArrayElements(arrayElements, 2) + "],\n")); rbacGrants.removeAll(grantsToUsers); } } diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantController.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantController.java index ccdfb38b..a002254d 100644 --- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantController.java +++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantController.java 
@@ -36,11 +36,11 @@ public class RbacGrantController implements RbacGrantsApi { final String currentSubject, final String assumedRoles, final UUID grantedRoleUuid, - final UUID granteeUserUuid) { + final UUID granteeSubjectUuid) { context.define(currentSubject, assumedRoles); - final var id = new RbacGrantId(granteeUserUuid, grantedRoleUuid); + final var id = new RbacGrantId(granteeSubjectUuid, grantedRoleUuid); final var result = rbacGrantRepository.findById(id); if (result == null) { return ResponseEntity.notFound().build(); @@ -61,7 +61,7 @@ public class RbacGrantController implements RbacGrantsApi { @Override @Transactional - public ResponseEntity grantRoleToUser( + public ResponseEntity grantRoleToSubject( final String currentSubject, final String assumedRoles, final RbacGrantResource body) { @@ -82,22 +82,22 @@ public class RbacGrantController implements RbacGrantsApi { @Override @Transactional - public ResponseEntity revokeRoleFromUser( + public ResponseEntity revokeRoleFromSubject( final String currentSubject, final String assumedRoles, final UUID grantedRoleUuid, - final UUID granteeUserUuid) { + final UUID granteeSubjectUuid) { context.define(currentSubject, assumedRoles); - rbacGrantRepository.deleteByRbacGrantId(new RbacGrantId(granteeUserUuid, grantedRoleUuid)); + rbacGrantRepository.deleteByRbacGrantId(new RbacGrantId(granteeSubjectUuid, grantedRoleUuid)); return ResponseEntity.noContent().build(); } -// TODO: implement an endpoint to create a Mermaid flowchart with all grants of a given user +// TODO.feat: implement an endpoint to create a Mermaid flowchart with all grants of a given user // @GetMapping( -// path = "/api/rbac/users/{userUuid}/grants", +// path = "/api/rbac/users/{subjectUuid}/grants", // produces = {"text/vnd.mermaid"}) // @Transactional(readOnly = true) // public ResponseEntity allGrantsOfUserAsMermaid( 
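Review bot: The commented-out Mermaid endpoint at the end of the `@@ -82,22 +82,22 @@` hunk is dead code that is now being maintained by hand — the path template inside the comment was renamed to `/api/rbac/users/{subjectUuid}/grants` together with the live code. Commented-out code that has to follow every rename is a maintenance trap; either delete the block and keep only the `// TODO.feat: implement an endpoint to create a Mermaid flowchart with all grants of a given user` line as the pointer, or move the sketch into an issue. The `revokeRoleFromSubject` rename itself is consistent with `RbacGrantId` and the repository call in the same hunk.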
diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantEntity.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantEntity.java index c2f2d524..88541762 100644 --- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantEntity.java +++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantEntity.java @@ -36,8 +36,8 @@ public class RbacGrantEntity { private String granteeUserName; @Id - @Column(name = "useruuid") - private UUID granteeUserUuid; + @Column(name = "subjectuuid") + private UUID granteeSubjectUuid; private boolean assumed; @@ -55,7 +55,7 @@ public class RbacGrantEntity { private RbacRoleType grantedRoleType; RbacGrantId getRbacGrantId() { - return new RbacGrantId(granteeUserUuid, grantedRoleUuid); + return new RbacGrantId(granteeSubjectUuid, grantedRoleUuid); } public String toDisplay() { diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantId.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantId.java index 4c3449e7..a5e73a0c 100644 --- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantId.java +++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantId.java @@ -14,6 +14,6 @@ import java.util.UUID; @AllArgsConstructor public class RbacGrantId implements Serializable { - private UUID granteeUserUuid; + private UUID granteeSubjectUuid; private UUID grantedRoleUuid; } diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantRepository.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantRepository.java index 90cf0e58..87ffd3c2 100644 --- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantRepository.java +++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantRepository.java 
@@ -11,7 +11,7 @@ public interface RbacGrantRepository extends Repository deleteUserByUuid( final String currentSubject, final String assumedRoles, - final UUID userUuid + final UUID subjectUuid ) { context.define(currentSubject, assumedRoles); - rbacUserRepository.deleteByUuid(userUuid); + rbacUserRepository.deleteByUuid(subjectUuid); return ResponseEntity.noContent().build(); } @@ -65,11 +65,11 @@ public class RbacUserController implements RbacUsersApi { public ResponseEntity getUserById( final String currentSubject, final String assumedRoles, - final UUID userUuid) { + final UUID subjectUuid) { context.define(currentSubject, assumedRoles); - final var result = rbacUserRepository.findByUuid(userUuid); + final var result = rbacUserRepository.findByUuid(subjectUuid); if (result == null) { return ResponseEntity.notFound().build(); } @@ -93,12 +93,12 @@ public class RbacUserController implements RbacUsersApi { public ResponseEntity> listUserPermissions( final String currentSubject, final String assumedRoles, - final UUID userUuid + final UUID subjectUuid ) { context.define(currentSubject, assumedRoles); return ResponseEntity.ok(mapper.mapList( - rbacUserRepository.findPermissionsOfUserByUuid(userUuid), + rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid), RbacUserPermissionResource.class)); } } diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserRepository.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserRepository.java index 3560741e..88d854c2 100644 --- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserRepository.java +++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserRepository.java 
@@ -22,8 +22,8 @@ public interface RbacUserRepository extends Repository { RbacUserEntity findByUuid(UUID uuid); - @Query(value = "select * from grantedPermissions(:userUuid)", nativeQuery = true) - List findPermissionsOfUserByUuid(UUID userUuid); + @Query(value = "select * from grantedPermissions(:subjectUuid)", nativeQuery = true) + List findPermissionsOfUserByUuid(UUID subjectUuid); /* Can't use save/saveAndFlush from SpringData because the uuid is not generated on the entity level, @@ -42,5 +42,5 @@ public interface RbacUserRepository extends Repository { return rbacUserEntity; } - void deleteByUuid(UUID userUuid); + void deleteByUuid(UUID subjectUuid); } diff --git a/src/main/resources/api-definition/rbac/rbac-grant-schemas.yaml b/src/main/resources/api-definition/rbac/rbac-grant-schemas.yaml index 12a2cbbd..4f64f575 100644 --- a/src/main/resources/api-definition/rbac/rbac-grant-schemas.yaml +++ b/src/main/resources/api-definition/rbac/rbac-grant-schemas.yaml @@ -20,9 +20,9 @@ components: format: uuid granteeUserName: type: string - granteeUserUuid: + granteeSubjectUuid: type: string format: uuid required: - grantedRoleUuid - - granteeUserUuid + - granteeSubjectUuid diff --git a/src/main/resources/api-definition/rbac/rbac-grants-with-id.yaml b/src/main/resources/api-definition/rbac/rbac-grants-with-id.yaml index 5bdcd29e..be0b1e08 100644 --- a/src/main/resources/api-definition/rbac/rbac-grants-with-id.yaml +++ b/src/main/resources/api-definition/rbac/rbac-grants-with-id.yaml @@ -12,7 +12,7 @@ get: type: string format: uuid description: UUID of the granted role. - - name: granteeUserUuid + - name: granteeSubjectUuid in: path required: true schema: @@ -36,7 +36,7 @@ get: delete: tags: - rbac-grants - operationId: revokeRoleFromUser + operationId: revokeRoleFromSubject parameters: - $ref: 'auth.yaml#/components/parameters/currentSubject' - $ref: 'auth.yaml#/components/parameters/assumedRoles' 
@@ -47,7 +47,7 @@ delete: type: string format: uuid description: UUID of the granted role. - - name: granteeUserUuid + - name: granteeSubjectUuid in: path required: true schema: diff --git a/src/main/resources/api-definition/rbac/rbac-grants.yaml b/src/main/resources/api-definition/rbac/rbac-grants.yaml index 1452b8c6..4fbfd43c 100644 --- a/src/main/resources/api-definition/rbac/rbac-grants.yaml +++ b/src/main/resources/api-definition/rbac/rbac-grants.yaml @@ -18,7 +18,7 @@ get: post: tags: - rbac-grants - operationId: grantRoleToUser + operationId: grantRoleToSubject parameters: - $ref: 'auth.yaml#/components/parameters/currentSubject' - $ref: 'auth.yaml#/components/parameters/assumedRoles' diff --git a/src/main/resources/api-definition/rbac/rbac-users-with-id-permissions.yaml b/src/main/resources/api-definition/rbac/rbac-users-with-id-permissions.yaml index 34ea9fcc..dd3594ca 100644 --- a/src/main/resources/api-definition/rbac/rbac-users-with-id-permissions.yaml +++ b/src/main/resources/api-definition/rbac/rbac-users-with-id-permissions.yaml @@ -6,7 +6,7 @@ get: parameters: - $ref: 'auth.yaml#/components/parameters/currentSubject' - $ref: 'auth.yaml#/components/parameters/assumedRoles' - - name: userUuid + - name: subjectUuid in: path required: true schema: diff --git a/src/main/resources/api-definition/rbac/rbac-users-with-uuid.yaml b/src/main/resources/api-definition/rbac/rbac-users-with-uuid.yaml index 974faa3c..fa6de05f 100644 --- a/src/main/resources/api-definition/rbac/rbac-users-with-uuid.yaml +++ b/src/main/resources/api-definition/rbac/rbac-users-with-uuid.yaml @@ -6,7 +6,7 @@ get: parameters: - $ref: 'auth.yaml#/components/parameters/currentSubject' - $ref: 'auth.yaml#/components/parameters/assumedRoles' - - name: userUuid + - name: subjectUuid in: path required: true schema: 
@@ -33,7 +33,7 @@ delete: parameters: - $ref: 'auth.yaml#/components/parameters/currentSubject' - $ref: 'auth.yaml#/components/parameters/assumedRoles' - - name: userUuid + - name: subjectUuid in: path required: true schema: diff --git a/src/main/resources/api-definition/rbac/rbac.yaml b/src/main/resources/api-definition/rbac/rbac.yaml index ad6dfca4..a02e3cd9 100644 --- a/src/main/resources/api-definition/rbac/rbac.yaml +++ b/src/main/resources/api-definition/rbac/rbac.yaml @@ -11,10 +11,10 @@ paths: /api/rbac/users: $ref: 'rbac-users.yaml' - /api/rbac/users/{userUuid}/permissions: + /api/rbac/users/{subjectUuid}/permissions: $ref: 'rbac-users-with-id-permissions.yaml' - /api/rbac/users/{userUuid}: + /api/rbac/users/{subjectUuid}: $ref: 'rbac-users-with-uuid.yaml' /api/rbac/roles: @@ -23,6 +23,6 @@ paths: /api/rbac/grants: $ref: 'rbac-grants.yaml' - /api/rbac/grants/{grantedRoleUuid}/{granteeUserUuid}: + /api/rbac/grants/{grantedRoleUuid}/{granteeSubjectUuid}: $ref: 'rbac-grants-with-id.yaml' diff --git a/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql b/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql index 99665c18..84f0d262 100644 --- a/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql +++ b/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql @@ -672,7 +672,7 @@ begin end if; end; $$; -create or replace procedure revokePermissionFromRole(permissionId UUID, superRole RbacRoleDescriptor) +create or replace procedure rbac.revokePermissionFromRole(permissionId UUID, superRole RbacRoleDescriptor) language plpgsql as $$ declare superRoleId uuid; diff --git a/src/main/resources/db/changelog/1-rbac/1051-rbac-user-grant.sql b/src/main/resources/db/changelog/1-rbac/1051-rbac-user-grant.sql index 397ec9df..52ab4f21 100644 --- a/src/main/resources/db/changelog/1-rbac/1051-rbac-user-grant.sql +++ b/src/main/resources/db/changelog/1-rbac/1051-rbac-user-grant.sql 
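Review bot: `create or replace procedure rbac.revokePermissionFromRole(...)` creates a new object in schema rbac and does not remove the previously created public-schema `revokePermissionFromRole`, so on a database that has already run this changeset both versions exist and an unqualified call still resolves to the old one through search_path. The same holds for the procedures moved in 1051-rbac-user-grant.sql (`rbac.grantRoleToUserUnchecked`, `rbac.grantRoleToSubject`, `rbac.checkRevokeRoleFromSubjectPreconditions`, `rbac.revokeRoleFromSubject`, `rbac.revokePermissionFromRole`). Unless these changesets are marked runOnChange or the database is always rebuilt from scratch, I would expect Liquibase to reject the edited changesets on checksum anyway; either way, adding `drop procedure if exists revokePermissionFromRole(uuid, RbacRoleDescriptor);` (and matching drops for the others) before the new definitions leaves a single copy of the authorization logic instead of two. The procedure body continues outside the hunk.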
@@ -20,21 +20,21 @@ begin return currentSubjectOrAssumedRolesUuids[1]; end; $$; -create or replace procedure grantRoleToUserUnchecked(grantedByRoleUuid uuid, grantedRoleUuid uuid, userUuid uuid, doAssume boolean = true) +create or replace procedure rbac.grantRoleToUserUnchecked(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid, doAssume boolean = true) language plpgsql as $$ begin perform rbac.assertReferenceType('grantingRoleUuid', grantedByRoleUuid, 'RbacRole'); perform rbac.assertReferenceType('roleId (descendant)', grantedRoleUuid, 'RbacRole'); - perform rbac.assertReferenceType('userId (ascendant)', userUuid, 'rbac.subject'); + perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject'); insert into RbacGrants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed) - values (grantedByRoleUuid, userUuid, grantedRoleUuid, doAssume) + values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume) -- TODO: check if grantedByRoleUuid+doAssume are the same, otherwise raise exception? on conflict do nothing; -- allow granting multiple times end; $$; -create or replace procedure grantRoleToUser(grantedByRoleUuid uuid, grantedRoleUuid uuid, userUuid uuid, doAssume boolean = true) +create or replace procedure rbac.grantRoleToSubject(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid, doAssume boolean = true) language plpgsql as $$ declare grantedByRoleIdName text; 
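Review bot: `rbac.grantRoleToUserUnchecked` keeps the User name while its checked counterpart in the same hunk becomes `rbac.grantRoleToSubject`, so the pair no longer reads as two variants of one operation. The unchecked variant is the one without the `isGranted` authorization check and is called only from bootstrap and role-builder code in this commit (1057-rbac-role-builder.sql, 1080-rbac-global.sql), so a consistent name such as `rbac.grantRoleToSubjectUnchecked` makes it easier to audit which call sites bypass the check. The `assertReferenceType` label change from `'userId (ascendant)'` to `'subjectUuid (ascendant)'` is a good catch, since the old label did not even match the old parameter name.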
@@ -42,11 +42,11 @@ declare begin perform rbac.assertReferenceType('grantingRoleUuid', grantedByRoleUuid, 'RbacRole'); perform rbac.assertReferenceType('grantedRoleUuid (descendant)', grantedRoleUuid, 'RbacRole'); - perform rbac.assertReferenceType('userUuid (ascendant)', userUuid, 'rbac.subject'); + perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject'); assert grantedByRoleUuid is not null, 'grantedByRoleUuid must not be null'; assert grantedRoleUuid is not null, 'grantedRoleUuid must not be null'; - assert userUuid is not null, 'userUuid must not be null'; + assert subjectUuid is not null, 'subjectUuid must not be null'; if NOT isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then select roleIdName from rbacRole_ev where uuid=grantedByRoleUuid into grantedByRoleIdName; @@ -62,8 +62,8 @@ begin insert into RbacGrants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed) - values (grantedByRoleUuid, userUuid, grantedRoleUuid, doAssume); - -- TODO.impl: What should happen on mupltiple grants? What if options (doAssume) are not the same? + values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume); + -- TODO.impl: What should happen on multiple grants? What if options (doAssume) are not the same? -- Most powerful or latest grant wins? What about managed? -- on conflict do nothing; -- allow granting multiple times end; $$; 
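Review bot: `rbac.grantRoleToSubject` now lives in schema rbac but still resolves `isGranted`, `rbacRole_ev` and `RbacGrants` unqualified, so the authorization check in this procedure depends on the caller's search_path at call time; the same holds for `rbac.checkRevokeRoleFromSubjectPreconditions` and `rbac.revokeRoleFromSubject` in the following hunks. If the move into the rbac schema is meant to make these callable independent of session settings, either qualify the remaining references as the migration continues or pin the resolution with a `set search_path = <schema list>` clause on the procedure definition. The procedure body continues outside the hunk at both ends.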
@@ -74,12 +74,12 @@ end; $$; --changeset rbac-user-grant-REVOKE-ROLE-FROM-USER:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -create or replace procedure checkRevokeRoleFromUserPreconditions(grantedByRoleUuid uuid, grantedRoleUuid uuid, userUuid uuid) +create or replace procedure rbac.checkRevokeRoleFromSubjectPreconditions(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid) language plpgsql as $$ begin perform rbac.assertReferenceType('grantedByRoleUuid', grantedByRoleUuid, 'RbacRole'); perform rbac.assertReferenceType('grantedRoleUuid (descendant)', grantedRoleUuid, 'RbacRole'); - perform rbac.assertReferenceType('userUuid (ascendant)', userUuid, 'rbac.subject'); + perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject'); if NOT isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then raise exception '[403] Revoking role created by % is forbidden for %.', grantedByRoleUuid, currentSubjects(); 
@@ -94,20 +94,20 @@ begin raise exception '[403] Revoking role granted by % is forbidden for %.', grantedByRoleUuid, currentSubjects(); end if; - if NOT isGranted(userUuid, grantedRoleUuid) then - raise exception '[404] No such grant found granted by % for user % to role %.', grantedByRoleUuid, userUuid, grantedRoleUuid; + if NOT isGranted(subjectUuid, grantedRoleUuid) then + raise exception '[404] No such grant found granted by % for subject % to role %.', grantedByRoleUuid, subjectUuid, grantedRoleUuid; end if; end; $$; -create or replace procedure revokeRoleFromUser(grantedByRoleUuid uuid, grantedRoleUuid uuid, userUuid uuid) +create or replace procedure rbac.revokeRoleFromSubject(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid) language plpgsql as $$ begin - call checkRevokeRoleFromUserPreconditions(grantedByRoleUuid, grantedRoleUuid, userUuid); + call rbac.checkRevokeRoleFromSubjectPreconditions(grantedByRoleUuid, grantedRoleUuid, subjectUuid); - raise INFO 'delete from RbacGrants where ascendantUuid = % and descendantUuid = %', userUuid, grantedRoleUuid; + raise INFO 'delete from RbacGrants where ascendantUuid = % and descendantUuid = %', subjectUuid, grantedRoleUuid; delete from RbacGrants as g - where g.ascendantUuid = userUuid and g.descendantUuid = grantedRoleUuid - and g.grantedByRoleUuid = revokeRoleFromUser.grantedByRoleUuid; + where g.ascendantUuid = subjectUuid and g.descendantUuid = grantedRoleUuid + and g.grantedByRoleUuid = revokeRoleFromSubject.grantedByRoleUuid; end; $$; --// 
@@ -115,7 +115,7 @@ end; $$; --changeset rbac-user-grant-REVOKE-PERMISSION-FROM-ROLE:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -create or replace procedure revokePermissionFromRole(permissionUuid uuid, superRoleUuid uuid) +create or replace procedure rbac.revokePermissionFromRole(permissionUuid uuid, superRoleUuid uuid) language plpgsql as $$ begin raise INFO 'delete from RbacGrants where ascendantUuid = % and descendantUuid = %', superRoleUuid, permissionUuid; diff --git a/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql b/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql index aa611aed..4db11c7b 100644 --- a/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql +++ b/src/main/resources/db/changelog/1-rbac/1055-rbac-views.sql @@ -117,7 +117,7 @@ create or replace view rbacgrants_rv as -- @formatter:off select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName, g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed, - g.grantedByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as userUuid, + g.grantedByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as subjectUuid, g.objectTable, g.objectUuid, g.objectIdName, g.roleType as grantedRoleType from ( select g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid, g.assumed, 
@@ -150,10 +150,10 @@ create or replace function insertRbacGrant() declare newGrant RbacGrants_RV; begin - call grantRoleToUser(rbac.assumedRoleUuid(), new.grantedRoleUuid, new.userUuid, new.assumed); + call rbac.grantRoleToSubject(rbac.assumedRoleUuid(), new.grantedRoleUuid, new.subjectUuid, new.assumed); select grv.* from RbacGrants_RV grv - where grv.userUuid=new.userUuid and grv.grantedRoleUuid=new.grantedRoleUuid + where grv.subjectUuid=new.subjectUuid and grv.grantedRoleUuid=new.grantedRoleUuid into newGrant; return newGrant; end; $$; @@ -176,13 +176,13 @@ execute function insertRbacGrant(); /** Instead of delete trigger function for RbacGrants_RV. - Checks if the current subject (user / assumed role) has the permission to revoke the grant. + Checks if the current subject or assumed role have the permission to revoke the grant. */ create or replace function deleteRbacGrant() returns trigger language plpgsql as $$ begin - call revokeRoleFromUser(old.grantedByRoleUuid, old.grantedRoleUuid, old.userUuid); + call rbac.revokeRoleFromSubject(old.grantedByRoleUuid, old.grantedRoleUuid, old.subjectUuid); return old; end; $$; @@ -343,7 +343,7 @@ grant all privileges on RbacOwnGrantedPermissions_rv to ${HSADMINNG_POSTGRES_RES Returns all permissions granted to the given user, which are also visible to the current user or assumed roles. */ -create or replace function grantedPermissionsRaw(targetUserUuid uuid) +create or replace function grantedPermissionsRaw(targetSubjectUuid uuid) returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid) returns null on null input language plpgsql as $$ 
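Review bot: The reworded docblock above `deleteRbacGrant` in the `@@ -176,13 +176,13 @@` hunk reads `Checks if the current subject or assumed role have the permission to revoke the grant.`; with `or` joining two singular subjects the verb should be `has`, and naming where the check happens helps a reader who only sees this trigger. As far as the 403 checks in 1051-rbac-user-grant.sql show, what is verified is that the current subject or an assumed role holds the granting role, so `Delegates to rbac.revokeRoleFromSubject, which rejects the revoke unless the current subject or an assumed role holds the role that granted it.` would be both grammatical and more precise.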
@@ -353,8 +353,8 @@ begin -- @formatter:off currentSubjectUuid := rbac.currentSubjectUuid(); - if hasGlobalRoleGranted(targetUserUuid) and not hasGlobalRoleGranted(currentSubjectUuid) then - raise exception '[403] permissions of user "%" are not accessible to user "%"', targetUserUuid, basis.currentSubject(); + if hasGlobalRoleGranted(targetSubjectUuid) and not hasGlobalRoleGranted(currentSubjectUuid) then + raise exception '[403] permissions of user "%" are not accessible to user "%"', targetSubjectUuid, basis.currentSubject(); end if; return query select @@ -369,24 +369,24 @@ begin po.objecttable as permissionObjectTable, findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName, po.uuid as permissionObjectUuid - from queryPermissionsGrantedToSubjectId( targetUserUuid) as p + from queryPermissionsGrantedToSubjectId( targetSubjectUuid) as p join rbacgrants as g on g.descendantUuid = p.uuid join rbac.object as po on po.uuid = p.objectUuid join rbacrole_rv as r on r.uuid = g.ascendantUuid join rbac.object as ro on ro.uuid = r.objectUuid - where isGranted(targetUserUuid, r.uuid) + where isGranted(targetSubjectUuid, r.uuid) ) xp; -- @formatter:on end; $$; -create or replace function grantedPermissions(targetUserUuid uuid) +create or replace function grantedPermissions(targetSubjectUuid uuid) returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid) returns null on null input language sql as $$ - select * from grantedPermissionsRaw(targetUserUuid) + select * from grantedPermissionsRaw(targetSubjectUuid) union all select roleUuid, roleName, permissionUuid, 'SELECT'::RbacOp, opTableName, objectTable, objectIdName, objectUuid - from grantedPermissionsRaw(targetUserUuid) + from grantedPermissionsRaw(targetSubjectUuid) where op <> 'SELECT'::RbacOp; $$; --// 
diff --git a/src/main/resources/db/changelog/1-rbac/1057-rbac-role-builder.sql b/src/main/resources/db/changelog/1-rbac/1057-rbac-role-builder.sql index cb20bbbc..d56dddeb 100644 --- a/src/main/resources/db/changelog/1-rbac/1057-rbac-role-builder.sql +++ b/src/main/resources/db/changelog/1-rbac/1057-rbac-role-builder.sql @@ -12,7 +12,7 @@ create or replace function createRoleWithGrants( permissions RbacOp[] = array[]::RbacOp[], incomingSuperRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[], outgoingSubRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[], - userUuids uuid[] = array[]::uuid[], + subjectUuids uuid[] = array[]::uuid[], grantedByRole RbacRoleDescriptor = null ) returns uuid @@ -26,7 +26,7 @@ declare superRoleDesc RbacRoleDescriptor; subRoleUuid uuid; superRoleUuid uuid; - userUuid uuid; + subjectUuid uuid; userGrantsByRoleUuid uuid; begin roleUuid := coalesce(findRoleId(roleDescriptor), createRole(roleDescriptor)); @@ -49,16 +49,16 @@ begin call grantRoleToRole(subRoleUuid, roleUuid, subRoleDesc.assumed); end loop; - if cardinality(userUuids) > 0 then + if cardinality(subjectUuids) > 0 then -- direct grants to users need a grantedByRole which can revoke the grant if grantedByRole is null then userGrantsByRoleUuid := roleUuid; -- TODO.impl: or do we want to require an explicit userGrantsByRoleUuid? else userGrantsByRoleUuid := getRoleId(grantedByRole); end if; - foreach userUuid in array userUuids + foreach subjectUuid in array subjectUuids loop - call grantRoleToUserUnchecked(userGrantsByRoleUuid, roleUuid, userUuid); + call rbac.grantRoleToUserUnchecked(userGrantsByRoleUuid, roleUuid, subjectUuid); end loop; end if; diff --git a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql index 8fb1f19e..d0c0f444 100644 --- a/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql +++ b/src/main/resources/db/changelog/1-rbac/1080-rbac-global.sql 
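Review bot: Renaming the named parameter `userUuids` to `subjectUuids` on `createRoleWithGrants` is an interface break for every `userUuids =>` call site, and PL/pgSQL only resolves such a call when the statement first executes, so a missed caller fails at runtime rather than when the changeset is applied. This commit updates the generator template and the rbac/hs-office changesets in the diffstat, but any hand-written SQL outside the changelog should be checked for `userUuids =>` before deployment. A smaller point: the comment `-- direct grants to users need a grantedByRole which can revoke the grant` still says users; `-- direct grants to subjects need a grantedByRole which can revoke the grant` keeps it aligned with the new names. The function body continues outside the hunk.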
@@ -158,8 +158,8 @@ do language plpgsql $$ call basis.defineContext('creating fake test-realm admin users', null, null, null); admins = findRoleId(globalAdmin()); - call grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-alex@hostsharing.net')); - call grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-fran@hostsharing.net')); + call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-alex@hostsharing.net')); + call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-fran@hostsharing.net')); perform rbac.create_subject('selfregistered-user-drew@hostsharing.org'); perform rbac.create_subject('selfregistered-test-user@hostsharing.org'); end; diff --git a/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql b/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql index f1ebb9dd..2435b37e 100644 --- a/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql +++ b/src/main/resources/db/changelog/2-test/201-test-customer/2013-test-customer-rbac.sql @@ -38,7 +38,7 @@ begin testCustomerOWNER(NEW), permissions => array['DELETE'], incomingSuperRoles => array[globalADMIN(unassumed())], - userUuids => array[rbac.currentSubjectUuid()] + subjectUuids => array[rbac.currentSubjectUuid()] ); perform createRoleWithGrants( diff --git a/src/main/resources/db/changelog/2-test/201-test-customer/2018-test-customer-test-data.sql b/src/main/resources/db/changelog/2-test/201-test-customer/2018-test-customer-test-data.sql index e9a63044..7fd294f0 100644 --- a/src/main/resources/db/changelog/2-test/201-test-customer/2018-test-customer-test-data.sql +++ b/src/main/resources/db/changelog/2-test/201-test-customer/2018-test-customer-test-data.sql 
@@ -40,7 +40,7 @@ begin select * into newCust from test_customer where reference=custReference; - call grantRoleToUser( + call rbac.grantRoleToSubject( getRoleId(testCustomerOwner(newCust)), getRoleId(testCustomerAdmin(newCust)), custAdminUuid, diff --git a/src/main/resources/db/changelog/2-test/202-test-package/2028-test-package-test-data.sql b/src/main/resources/db/changelog/2-test/202-test-package/2028-test-package-test-data.sql index d8c64916..8a5283f3 100644 --- a/src/main/resources/db/changelog/2-test/202-test-package/2028-test-package-test-data.sql +++ b/src/main/resources/db/changelog/2-test/202-test-package/2028-test-package-test-data.sql @@ -29,7 +29,7 @@ begin values (cust.uuid, pacName, 'Here you can add your own description of package ' || pacName || '.') returning * into pac; - call grantRoleToUser( + call rbac.grantRoleToSubject( getRoleId(testCustomerAdmin(cust)), findRoleId(testPackageAdmin(pac)), rbac.create_subject('pac-admin-' || pacName || '@' || cust.prefix || '.example.com'), diff --git a/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql b/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql index bfd66de5..27d246ef 100644 --- a/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/501-contact/5013-hs-office-contact-rbac.sql @@ -38,7 +38,7 @@ begin hsOfficeContactOWNER(NEW), permissions => array['DELETE'], incomingSuperRoles => array[globalADMIN()], - userUuids => array[rbac.currentSubjectUuid()] + subjectUuids => array[rbac.currentSubjectUuid()] ); perform createRoleWithGrants( diff --git a/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql b/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql index 4fb80622..ad148e37 100644 --- a/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql 
+++ b/src/main/resources/db/changelog/5-hs-office/502-person/5023-hs-office-person-rbac.sql @@ -38,7 +38,7 @@ begin hsOfficePersonOWNER(NEW), permissions => array['DELETE'], incomingSuperRoles => array[globalADMIN()], - userUuids => array[rbac.currentSubjectUuid()] + subjectUuids => array[rbac.currentSubjectUuid()] ); perform createRoleWithGrants( diff --git a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql index 3941456a..c7d3610b 100644 --- a/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/503-relation/5033-hs-office-relation-rbac.sql @@ -51,7 +51,7 @@ begin hsOfficeRelationOWNER(NEW), permissions => array['DELETE'], incomingSuperRoles => array[globalADMIN()], - userUuids => array[rbac.currentSubjectUuid()] + subjectUuids => array[rbac.currentSubjectUuid()] ); perform createRoleWithGrants( diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql index 36040336..7a865ce3 100644 --- a/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5043-hs-office-partner-rbac.sql 
@@ -110,22 +110,22 @@ begin if NEW.partnerRelUuid <> OLD.partnerRelUuid then - call revokePermissionFromRole(getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel)); + call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel)); call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); - call revokePermissionFromRole(getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationADMIN(oldPartnerRel)); + call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationADMIN(oldPartnerRel)); call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel)); - call revokePermissionFromRole(getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTENANT(oldPartnerRel)); + call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTENANT(oldPartnerRel)); call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel)); - call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel)); + call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel)); call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); - call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel)); + call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel)); call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel)); - call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(oldPartnerRel)); + call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'SELECT'), 
hsOfficeRelationAGENT(oldPartnerRel)); call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel)); end if; diff --git a/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql b/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql index 4d05ae0c..2a8f3f10 100644 --- a/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5053-hs-office-bankaccount-rbac.sql @@ -38,7 +38,7 @@ begin hsOfficeBankAccountOWNER(NEW), permissions => array['DELETE'], incomingSuperRoles => array[globalADMIN()], - userUuids => array[rbac.currentSubjectUuid()] + subjectUuids => array[rbac.currentSubjectUuid()] ); perform createRoleWithGrants( diff --git a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql index ea2fe7c0..b37acf34 100644 --- a/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql +++ b/src/main/resources/db/changelog/5-hs-office/507-sepamandate/5073-hs-office-sepamandate-rbac.sql @@ -51,7 +51,7 @@ begin hsOfficeSepaMandateOWNER(NEW), permissions => array['DELETE'], incomingSuperRoles => array[globalADMIN()], - userUuids => array[rbac.currentSubjectUuid()] + subjectUuids => array[rbac.currentSubjectUuid()] ); perform createRoleWithGrants( diff --git a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql index ad90b0c2..903e6161 100644 --- a/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql 
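Review bot: Only the `revokePermissionFromRole` calls are schema-qualified as `rbac.revokePermissionFromRole`, while `grantPermissionToRole`, `getPermissionId` and `createPermission` on the same lines stay unqualified and are still resolved through search_path. If the intent is to stop relying on search_path, which matters for trigger functions that may execute under a caller-controlled search_path, all four routines should be qualified in the same change; otherwise the half-qualified lines just read as inconsistent. The enclosing trigger function starts before this hunk.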
+++ b/src/main/resources/db/changelog/5-hs-office/510-membership/5103-hs-office-membership-rbac.sql @@ -45,7 +45,7 @@ begin perform createRoleWithGrants( hsOfficeMembershipOWNER(NEW), - userUuids => array[rbac.currentSubjectUuid()] + subjectUuids => array[rbac.currentSubjectUuid()] ); perform createRoleWithGrants( diff --git a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql index b237a18a..92bd96b7 100644 --- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql +++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql @@ -53,7 +53,7 @@ begin globalADMIN(unassumed()), hsBookingItemADMIN(newBookingItem), hsHostingAssetADMIN(newParentAsset)], - userUuids => array[rbac.currentSubjectUuid()] + subjectUuids => array[rbac.currentSubjectUuid()] ); perform createRoleWithGrants( diff --git a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7018-hs-hosting-asset-test-data.sql b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7018-hs-hosting-asset-test-data.sql index 05494057..91610a8b 100644 --- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7018-hs-hosting-asset-test-data.sql +++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7018-hs-hosting-asset-test-data.sql @@ -21,14 +21,14 @@ declare defaultPrefix varchar; managedServerUuid uuid; managedWebspaceUuid uuid; - webUnixUserUuid uuid; - mboxUnixUserUuid uuid; + webUnixSubjectUuid uuid; + mboxUnixSubjectUuid uuid; domainSetupUuid uuid; domainMBoxSetupUuid uuid; mariaDbInstanceUuid uuid; - mariaDbUserUuid uuid; + mariaDbSubjectUuid uuid; pgSqlInstanceUuid uuid; - PgSqlUserUuid uuid; + PgSqlSubjectUuid uuid; begin call basis.defineContext('creating hosting-asset test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN'); 
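Review bot: The renamed variables `webUnixSubjectUuid`, `mboxUnixSubjectUuid`, `mariaDbSubjectUuid` and `PgSqlSubjectUuid` hold uuids of hosting assets, not RBAC subjects — the insert in the later `@@ -86` hunk of this file still writes the MariaDB one into a row typed `'MARIADB_USER'`, and the others presumably feed `UNIX_USER` / `PGSQL_USER` rows — so the user→subject search-and-replace misnames them. The previous names `webUnixUserUuid`, `mboxUnixUserUuid`, `mariaDbUserUuid`, `pgSqlUserUuid` were accurate and should be kept here and in the `@@ -68` and `@@ -86` hunks. `PgSqlSubjectUuid` also keeps its stray capital P while every other declaration is lowerCamelCase.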
@@ -68,14 +68,14 @@ begin select uuid_generate_v4() into managedServerUuid; select uuid_generate_v4() into managedWebspaceUuid; - select uuid_generate_v4() into webUnixUserUuid; - select uuid_generate_v4() into mboxUnixUserUuid; + select uuid_generate_v4() into webUnixSubjectUuid; + select uuid_generate_v4() into mboxUnixSubjectUuid; select uuid_generate_v4() into domainSetupUuid; select uuid_generate_v4() into domainMBoxSetupUuid; select uuid_generate_v4() into mariaDbInstanceUuid; - select uuid_generate_v4() into mariaDbUserUuid; + select uuid_generate_v4() into mariaDbSubjectUuid; select uuid_generate_v4() into pgSqlInstanceUuid; - select uuid_generate_v4() into pgSqlUserUuid; + select uuid_generate_v4() into pgSqlSubjectUuid; debitorNumberSuffix := relatedDebitor.debitorNumberSuffix; defaultPrefix := relatedDebitor.defaultPrefix; @@ -86,17 +86,17 @@ begin (uuid_generate_v4(), cloudServerBI.uuid, 'CLOUD_SERVER', null, null, 'vm20' || debitorNumberSuffix, 'another CloudServer', '{}'::jsonb), (managedWebspaceUuid, managedWebspaceBI.uuid, 'MANAGED_WEBSPACE', managedServerUuid, null, defaultPrefix || '01', 'some Webspace', '{}'::jsonb), (mariaDbInstanceUuid, null, 'MARIADB_INSTANCE', managedServerUuid, null, 'vm10' || debitorNumberSuffix || '.MariaDB.default', 'some default MariaDB instance','{}'::jsonb), - (mariaDbUserUuid, null, 'MARIADB_USER', managedWebspaceUuid, mariaDbInstanceUuid, defaultPrefix || '01_web', 'some default MariaDB user', '{ "password": " @@ -148,7 +148,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest { // now we try to use these uuids as a less privileged user context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00:ADMIN"); final var grant = RbacGrantEntity.builder() - .granteeUserUuid(given.arbitraryUser.getUuid()) + .granteeSubjectUuid(given.arbitraryUser.getUuid()) .grantedRoleUuid(given.packageOwnerRoleUuid) .assumed(true) .build(); 
@@ -170,7 +170,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest { } @Nested - class RevokeRoleFromUser { + class revokeRoleFromSubject { @Test public void customerAdmin_canRevokeSelfGrantedPackageAdminRole() { @@ -236,11 +236,11 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest { private RbacGrantEntity create(GrantBuilder with) { context(with.byUserName, with.assumedRole); - final var givenArbitraryUserUuid = rbacUserRepository.findByName(with.granteeUserName).getUuid(); + final var givenArbitrarySubjectUuid = rbacUserRepository.findByName(with.granteeUserName).getUuid(); final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName(with.grantedRole).getUuid(); final var grant = RbacGrantEntity.builder() - .granteeUserUuid(givenArbitraryUserUuid).grantedRoleUuid(givenOwnPackageRoleUuid) + .granteeSubjectUuid(givenArbitrarySubjectUuid).grantedRoleUuid(givenOwnPackageRoleUuid) .assumed(true) .build(); final var grantAttempt = attempt(em, () -> diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserControllerAcceptanceTest.java index f5abca18..e4c4cdaa 100644 --- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserControllerAcceptanceTest.java +++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserControllerAcceptanceTest.java @@ -63,10 +63,10 @@ class RbacUserControllerAcceptanceTest { // @formatter:on // finally, the user can view its own record - final var newUserUuid = UUID.fromString( + final var newSubjectUuid = UUID.fromString( location.substring(location.lastIndexOf('/') + 1)); context.define("new-user@example.com"); - assertThat(rbacUserRepository.findByUuid(newUserUuid)) + assertThat(rbacUserRepository.findByUuid(newSubjectUuid)) .extracting(RbacUserEntity::getName).isEqualTo("new-user@example.com"); } } 
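Review bot: The nested class is renamed to `revokeRoleFromSubject`, which breaks Java's UpperCamelCase convention for type names and the pattern of the sibling `@Nested` classes; it should be `class RevokeRoleFromSubject {`. The class body continues past this hunk.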
diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserRepositoryIntegrationTest.java index be6377a0..d19c7454 100644 --- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserRepositoryIntegrationTest.java +++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserRepositoryIntegrationTest.java @@ -232,7 +232,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest { context("superuser-alex@hostsharing.net"); // when - final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("superuser-fran@hostsharing.net")) + final var result = rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid("superuser-fran@hostsharing.net")) .stream().filter(p -> p.getObjectTable().contains("test_")) .sorted(comparing(RbacUserPermission::toString)).toList(); @@ -246,7 +246,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest { context("customer-admin@xxx.example.com"); // when - final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("customer-admin@xxx.example.com")); + final var result = rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid("customer-admin@xxx.example.com")); // then allTheseRbacPermissionsAreReturned( 
@@ -286,17 +286,17 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest { public void customerAdmin_withoutAssumedRole_isNotAllowedToViewGlobalAdminsPermissions() { // given context("customer-admin@xxx.example.com"); - final UUID userUuid = userUUID("superuser-alex@hostsharing.net"); + final UUID subjectUuid = subjectUuid("superuser-alex@hostsharing.net"); // when final var result = attempt(em, () -> - rbacUserRepository.findPermissionsOfUserByUuid(userUuid) + rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid) ); // then result.assertExceptionWithRootCauseMessage( JpaSystemException.class, - "[403] permissions of user \"" + userUuid + "[403] permissions of user \"" + subjectUuid + "\" are not accessible to user \"customer-admin@xxx.example.com\""); } @@ -306,7 +306,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest { context("customer-admin@xxx.example.com"); // when - final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("pac-admin-xxx00@xxx.example.com")); + final var result = rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid("pac-admin-xxx00@xxx.example.com")); // then allTheseRbacPermissionsAreReturned( @@ -342,7 +342,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest { context("customer-admin@xxx.example.com"); // when - final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("pac-admin-yyy00@yyy.example.com")); + final var result = rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid("pac-admin-yyy00@yyy.example.com")); // then noRbacPermissionsAreReturned(result); 
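Review bot: `final UUID subjectUuid = subjectUuid("superuser-alex@hostsharing.net");` gives the local the same name as the helper it calls; Java permits it, but the line reads as self-referential and `subjectUuid` then carries two meanings in the rest of the method. A name that says whose uuid it is, e.g. `final UUID alexSubjectUuid = subjectUuid("superuser-alex@hostsharing.net");`, keeps the later `findPermissionsOfUserByUuid(...)` call and the `"[403] permissions of user \""` assertion readable. The helper `subjectUuid` itself is defined in a later hunk of this file.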
@@ -354,7 +354,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest { context("pac-admin-xxx00@xxx.example.com"); // when - final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("pac-admin-xxx00@xxx.example.com")); + final var result = rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid("pac-admin-xxx00@xxx.example.com")); // then allTheseRbacPermissionsAreReturned( @@ -385,7 +385,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest { } } - UUID userUUID(final String userName) { + UUID subjectUuid(final String userName) { return rbacUserRepository.findByName(userName).getUuid(); } diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/test/ContextBasedTestWithCleanup.java b/src/test/java/net/hostsharing/hsadminng/rbac/test/ContextBasedTestWithCleanup.java index ac285a45..e386bd4a 100644 --- a/src/test/java/net/hostsharing/hsadminng/rbac/test/ContextBasedTestWithCleanup.java +++ b/src/test/java/net/hostsharing/hsadminng/rbac/test/ContextBasedTestWithCleanup.java @@ -18,7 +18,6 @@ import org.springframework.data.repository.Repository; import org.springframework.transaction.PlatformTransactionManager; import jakarta.persistence.*; -import jakarta.transaction.Transactional; import java.util.*; import java.util.concurrent.atomic.AtomicBoolean; import java.util.function.Supplier; diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/test/cust/TestCustomerControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/test/cust/TestCustomerControllerAcceptanceTest.java index 60b7148d..89783f25 100644 --- a/src/test/java/net/hostsharing/hsadminng/rbac/test/cust/TestCustomerControllerAcceptanceTest.java +++ b/src/test/java/net/hostsharing/hsadminng/rbac/test/cust/TestCustomerControllerAcceptanceTest.java 
@@ -146,10 +146,10 @@ class TestCustomerControllerAcceptanceTest { .extract().header("Location"); // @formatter:on // finally, the new customer can be viewed by its own admin - final var newUserUuid = UUID.fromString( + final var newSubjectUuid = UUID.fromString( location.substring(location.lastIndexOf('/') + 1)); context.define("superuser-fran@hostsharing.net", "test_customer#uuu:ADMIN"); - assertThat(testCustomerRepository.findByUuid(newUserUuid)) + assertThat(testCustomerRepository.findByUuid(newSubjectUuid)) .hasValueSatisfying(c -> assertThat(c.getPrefix()).isEqualTo("uuu")); }
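Review bot: `newSubjectUuid` here is the uuid of the newly created customer — it is passed to `testCustomerRepository.findByUuid` and the comment above says the new customer can be viewed — so calling it a subject is wrong; `final var newCustomerUuid = UUID.fromString(` would be accurate, and the old `newUserUuid` was already misleading. This looks like a collateral hit of the user→subject search-and-replace, like the hosting-asset variables in 7018-hs-hosting-asset-test-data.sql.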