use schema rbactest (just hardcoded, not yet generated)
This commit is contained in:
Michael Hoennig
parent
a4054b310d
commit
3a595366ea
@ -82,7 +82,7 @@ If you have at least Docker and the Java JDK installed in appropriate versions a
|
||||
|
||||
# the following command should return a JSON array with just all packages visible for the admin of the customer yyy:
|
||||
curl \
|
||||
-H 'current-subject: superuser-alex@hostsharing.net' -H 'assumed-roles: test.customer#yyy:ADMIN' \
|
||||
-H 'current-subject: superuser-alex@hostsharing.net' -H 'assumed-roles: rbactest.customer#yyy:ADMIN' \
|
||||
http://localhost:8080/api/test/packages
|
||||
|
||||
# add a new customer
|
||||
|
||||
@ -3,14 +3,14 @@
|
||||
-- --------------------------------------------------------
|
||||
|
||||
|
||||
select rbac.isGranted(rbac.findRoleId('administrators'), rbac.findRoleId('test.package#aaa00:OWNER'));
|
||||
select rbac.isGranted(rbac.findRoleId('test.package#aaa00:OWNER'), rbac.findRoleId('administrators'));
|
||||
-- call rbac.grantRoleToRole(findRoleId('test.package#aaa00:OWNER'), findRoleId('administrators'));
|
||||
-- call rbac.grantRoleToRole(findRoleId('administrators'), findRoleId('test.package#aaa00:OWNER'));
|
||||
select rbac.isGranted(rbac.findRoleId('administrators'), rbac.findRoleId('rbactest.package#aaa00:OWNER'));
|
||||
select rbac.isGranted(rbac.findRoleId('rbactest.package#aaa00:OWNER'), rbac.findRoleId('administrators'));
|
||||
-- call rbac.grantRoleToRole(findRoleId('rbactest.package#aaa00:OWNER'), findRoleId('administrators'));
|
||||
-- call rbac.grantRoleToRole(findRoleId('administrators'), findRoleId('rbactest.package#aaa00:OWNER'));
|
||||
|
||||
select count(*)
|
||||
FROM rbac.queryAllPermissionsOfSubjectIdForObjectUuids(rbac.findRbacSubject('superuser-fran@hostsharing.net'),
|
||||
ARRAY(select uuid from test.customer where reference < 1100000));
|
||||
ARRAY(select uuid from rbactest.customer where reference < 1100000));
|
||||
select count(*)
|
||||
FROM rbac.queryAllPermissionsOfSubjectId(findRbacSubject('superuser-fran@hostsharing.net'));
|
||||
select *
|
||||
|
||||
@ -20,7 +20,7 @@ CREATE POLICY customer_policy ON customer
|
||||
TO restricted
|
||||
USING (
|
||||
-- id=1000
|
||||
rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('test.customer', id, 'SELECT'), rbac.currentSubjectUuid())
|
||||
rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('rbactest.customer', id, 'SELECT'), rbac.currentSubjectUuid())
|
||||
);
|
||||
|
||||
SET SESSION AUTHORIZATION restricted;
|
||||
@ -31,28 +31,28 @@ SELECT * from customer;
|
||||
SET SESSION SESSION AUTHORIZATION DEFAULT;
|
||||
DROP VIEW cust_view;
|
||||
CREATE VIEW cust_view AS
|
||||
SELECT * FROM test.customer;
|
||||
SELECT * FROM rbactest.customer;
|
||||
CREATE OR REPLACE RULE "_RETURN" AS
|
||||
ON SELECT TO cust_view
|
||||
DO INSTEAD
|
||||
SELECT * FROM test.customer WHERE rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('test.customer', id, 'SELECT'), rbac.currentSubjectUuid());
|
||||
SELECT * FROM rbactest.customer WHERE rbac.isPermissionGrantedToSubject(rbac.findEffectivePermissionId('rbactest.customer', id, 'SELECT'), rbac.currentSubjectUuid());
|
||||
SELECT * from cust_view LIMIT 10;
|
||||
|
||||
select rbac.queryAllPermissionsOfSubjectId(findRbacSubject('superuser-alex@hostsharing.net'));
|
||||
|
||||
-- access control via view-rule with join to recursive permissions - really fast (38ms for 1 million rows)
|
||||
SET SESSION SESSION AUTHORIZATION DEFAULT;
|
||||
ALTER TABLE test.customer ENABLE ROW LEVEL SECURITY;
|
||||
ALTER TABLE rbactest.customer ENABLE ROW LEVEL SECURITY;
|
||||
DROP VIEW IF EXISTS cust_view;
|
||||
CREATE OR REPLACE VIEW cust_view AS
|
||||
SELECT *
|
||||
FROM test.customer;
|
||||
FROM rbactest.customer;
|
||||
CREATE OR REPLACE RULE "_RETURN" AS
|
||||
ON SELECT TO cust_view
|
||||
DO INSTEAD
|
||||
SELECT c.uuid, c.reference, c.prefix FROM test.customer AS c
|
||||
SELECT c.uuid, c.reference, c.prefix FROM rbactest.customer AS c
|
||||
JOIN rbac.queryAllPermissionsOfSubjectId(rbac.currentSubjectUuid()) AS p
|
||||
ON p.objectTable='test.customer' AND p.objectUuid=c.uuid;
|
||||
ON p.objectTable='rbactest.customer' AND p.objectUuid=c.uuid;
|
||||
GRANT ALL PRIVILEGES ON cust_view TO restricted;
|
||||
|
||||
SET SESSION SESSION AUTHORIZATION restricted;
|
||||
@ -81,9 +81,9 @@ select rr.uuid, rr.type from rbac.RbacGrants g
|
||||
join rbac.RbacReference RR on g.ascendantUuid = RR.uuid
|
||||
where g.descendantUuid in (
|
||||
select uuid from rbac.queryAllPermissionsOfSubjectId(findRbacSubject('alex@example.com'))
|
||||
where objectTable='test.customer');
|
||||
where objectTable='rbactest.customer');
|
||||
|
||||
call rbac.grantRoleToUser(rbac.findRoleId('test.customer#aaa:ADMIN'), rbac.findRbacSubject('aaaaouq@example.com'));
|
||||
call rbac.grantRoleToUser(rbac.findRoleId('rbactest.customer#aaa:ADMIN'), rbac.findRbacSubject('aaaaouq@example.com'));
|
||||
|
||||
select rbac.queryAllPermissionsOfSubjectId(findRbacSubject('aaaaouq@example.com'));
|
||||
|
||||
|
||||
@ -121,7 +121,7 @@ public class RbacView {
|
||||
* <p>An identity view is a view which maps an objectUuid to an idName.
|
||||
* The idName should be a human-readable representation of the row, but as short as possible.
|
||||
* The idName must only consist of letters (A-Z, a-z), digits (0-9), dash (-), dot (.) and unserscore '_'.
|
||||
* It's used to create the object-specific-role-names like test.customer#abc:ADMIN - here 'abc' is the idName.
|
||||
* It's used to create the object-specific-role-names like rbactest.customer#abc:ADMIN - here 'abc' is the idName.
|
||||
* The idName not necessarily unique in a table, but it should be avoided.
|
||||
* </p>
|
||||
*
|
||||
|
||||
@ -79,10 +79,10 @@ public class RbacGrantsDiagramService {
|
||||
return;
|
||||
}
|
||||
if ( !g.getDescendantIdName().startsWith("role:rbac.global")) {
|
||||
if (!includes.contains(TEST_ENTITIES) && g.getDescendantIdName().contains(":test_")) {
|
||||
if (!includes.contains(TEST_ENTITIES) && g.getDescendantIdName().contains(":rbactest.")) {
|
||||
return;
|
||||
}
|
||||
if (!includes.contains(NON_TEST_ENTITIES) && !g.getDescendantIdName().contains(":test_")) {
|
||||
if (!includes.contains(NON_TEST_ENTITIES) && !g.getDescendantIdName().contains(":rbactest.")) {
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
@ -20,7 +20,7 @@ import static net.hostsharing.hsadminng.rbac.generator.RbacView.Role.*;
|
||||
import static net.hostsharing.hsadminng.rbac.generator.RbacView.rbacViewFor;
|
||||
|
||||
@Entity
|
||||
@Table(name = "test_customer_rv")
|
||||
@Table(schema = "rbactest", name = "customer_rv")
|
||||
@Getter
|
||||
@Setter
|
||||
@NoArgsConstructor
|
||||
|
||||
@ -22,7 +22,7 @@ import static net.hostsharing.hsadminng.rbac.generator.RbacView.SQL.directlyFetc
|
||||
import static net.hostsharing.hsadminng.rbac.generator.RbacView.rbacViewFor;
|
||||
|
||||
@Entity
|
||||
@Table(name = "test_domain_rv")
|
||||
@Table(schema = "rbactest", name = "domain_rv")
|
||||
@Getter
|
||||
@Setter
|
||||
@NoArgsConstructor
|
||||
|
||||
@ -22,7 +22,7 @@ import static net.hostsharing.hsadminng.rbac.generator.RbacView.SQL.*;
|
||||
import static net.hostsharing.hsadminng.rbac.generator.RbacView.rbacViewFor;
|
||||
|
||||
@Entity
|
||||
@Table(name = "test_package_rv")
|
||||
@Table(schema = "rbactest", name = "package_rv")
|
||||
@Getter
|
||||
@Setter
|
||||
@NoArgsConstructor
|
||||
|
||||
@ -4,7 +4,7 @@
|
||||
--changeset michael.hoennig:rbactest-customer-MAIN-TABLE endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
create table if not exists test_customer
|
||||
create table if not exists rbactest.customer
|
||||
(
|
||||
uuid uuid unique references rbac.object (uuid),
|
||||
version int not null default 0,
|
||||
|
||||
@ -3,21 +3,21 @@
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacObjectGenerator:test-customer-rbac-OBJECT endDelimiter:--//
|
||||
--changeset RbacObjectGenerator:rbactest-customer-rbac-OBJECT endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRelatedRbacObject('test_customer');
|
||||
call rbac.generateRelatedRbacObject('rbactest.customer');
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacRoleDescriptorsGenerator:test-customer-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
--changeset RbacRoleDescriptorsGenerator:rbactest-customer-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRbacRoleDescriptors('testCustomer', 'test_customer');
|
||||
call rbac.generateRbacRoleDescriptors('testCustomer', 'rbactest.customer');
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RolesGrantsAndPermissionsGenerator:test-customer-rbac-insert-trigger endDelimiter:--//
|
||||
--changeset RolesGrantsAndPermissionsGenerator:rbactest-customer-rbac-insert-trigger endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/*
|
||||
@ -25,7 +25,7 @@ call rbac.generateRbacRoleDescriptors('testCustomer', 'test_customer');
|
||||
*/
|
||||
|
||||
create or replace procedure buildRbacSystemForTestCustomer(
|
||||
NEW test_customer
|
||||
NEW rbactest.customer
|
||||
)
|
||||
language plpgsql as $$
|
||||
|
||||
@ -57,7 +57,7 @@ begin
|
||||
end; $$;
|
||||
|
||||
/*
|
||||
AFTER INSERT TRIGGER to create the role+grant structure for a new test_customer row.
|
||||
AFTER INSERT TRIGGER to create the role+grant structure for a new rbactest.customer row.
|
||||
*/
|
||||
|
||||
create or replace function insertTriggerForTestCustomer_tf()
|
||||
@ -70,68 +70,68 @@ begin
|
||||
end; $$;
|
||||
|
||||
create trigger insertTriggerForTestCustomer_tg
|
||||
after insert on test_customer
|
||||
after insert on rbactest.customer
|
||||
for each row
|
||||
execute procedure insertTriggerForTestCustomer_tf();
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset InsertTriggerGenerator:test-customer-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
|
||||
--changeset InsertTriggerGenerator:rbactest-customer-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
-- granting INSERT permission to rbac.global ----------------------------
|
||||
|
||||
/*
|
||||
Grants INSERT INTO test_customer permissions to specified role of pre-existing rbac.global rows.
|
||||
Grants INSERT INTO rbactest-customer permissions to specified role of pre-existing rbac.global rows.
|
||||
*/
|
||||
do language plpgsql $$
|
||||
declare
|
||||
row rbac.global;
|
||||
begin
|
||||
call base.defineContext('create INSERT INTO test_customer permissions for pre-exising rbac.global rows');
|
||||
call base.defineContext('create INSERT INTO rbactest.customer permissions for pre-exising rbac.global rows');
|
||||
|
||||
FOR row IN SELECT * FROM rbac.global
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'test_customer'),
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'rbactest.customer'),
|
||||
rbac.globalADMIN());
|
||||
END LOOP;
|
||||
end;
|
||||
$$;
|
||||
|
||||
/**
|
||||
Grants test_customer INSERT permission to specified role of new global rows.
|
||||
Grants rbactest.customer INSERT permission to specified role of new global rows.
|
||||
*/
|
||||
create or replace function rbac.new_test_customer_grants_insert_to_global_tf()
|
||||
create or replace function rbactest.new_customer_grants_insert_to_global_tf()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'test_customer'),
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'rbactest.customer'),
|
||||
rbac.globalADMIN());
|
||||
-- end.
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_test_customer_grants_after_insert_tg
|
||||
create trigger z_new_customer_grants_after_insert_tg
|
||||
after insert on rbac.global
|
||||
for each row
|
||||
execute procedure rbac.new_test_customer_grants_insert_to_global_tf();
|
||||
execute procedure rbactest.new_customer_grants_insert_to_global_tf();
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset InsertTriggerGenerator:test_customer-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
|
||||
--changeset InsertTriggerGenerator:rbactest-customer-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/**
|
||||
Checks if the user respectively the assumed roles are allowed to insert a row to test_customer.
|
||||
Checks if the user respectively the assumed roles are allowed to insert a row to rbactest.customer.
|
||||
*/
|
||||
create or replace function test_customer_insert_permission_check_tf()
|
||||
create or replace function rbactest.customer_insert_permission_check_tf()
|
||||
returns trigger
|
||||
language plpgsql as $$
|
||||
declare
|
||||
@ -142,22 +142,22 @@ begin
|
||||
return NEW;
|
||||
end if;
|
||||
|
||||
raise exception '[403] insert into test_customer values(%) not allowed for current subjects % (%)',
|
||||
raise exception '[403] insert into rbactest.customer values(%) not allowed for current subjects % (%)',
|
||||
NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
end; $$;
|
||||
|
||||
create trigger test_customer_insert_permission_check_tg
|
||||
before insert on test_customer
|
||||
create trigger customer_insert_permission_check_tg
|
||||
before insert on rbactest.customer
|
||||
for each row
|
||||
execute procedure test_customer_insert_permission_check_tf();
|
||||
execute procedure rbactest.customer_insert_permission_check_tf();
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacIdentityViewGenerator:test-customer-rbac-IDENTITY-VIEW endDelimiter:--//
|
||||
--changeset RbacIdentityViewGenerator:rbactest-customer-rbac-IDENTITY-VIEW endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
call rbac.generateRbacIdentityViewFromProjection('test_customer',
|
||||
call rbac.generateRbacIdentityViewFromProjection('rbactest.customer',
|
||||
$idName$
|
||||
prefix
|
||||
$idName$);
|
||||
@ -165,9 +165,9 @@ call rbac.generateRbacIdentityViewFromProjection('test_customer',
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacRestrictedViewGenerator:test-customer-rbac-RESTRICTED-VIEW endDelimiter:--//
|
||||
--changeset RbacRestrictedViewGenerator:rbactest-customer-rbac-RESTRICTED-VIEW endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRbacRestrictedView('test_customer',
|
||||
call rbac.generateRbacRestrictedView('rbactest.customer',
|
||||
$orderBy$
|
||||
reference
|
||||
$orderBy$,
|
||||
|
||||
@ -28,18 +28,18 @@ declare
|
||||
custRowId uuid;
|
||||
custAdminName varchar;
|
||||
custAdminUuid uuid;
|
||||
newCust test_customer;
|
||||
newCust rbactest.customer;
|
||||
begin
|
||||
custRowId = uuid_generate_v4();
|
||||
custAdminName = 'customer-admin@' || custPrefix || '.example.com';
|
||||
custAdminUuid = rbac.create_subject(custAdminName);
|
||||
|
||||
insert
|
||||
into test_customer (reference, prefix, adminUserName)
|
||||
into rbactest.customer (reference, prefix, adminUserName)
|
||||
values (custReference, custPrefix, custAdminName);
|
||||
|
||||
select * into newCust
|
||||
from test_customer where reference=custReference;
|
||||
from rbactest.customer where reference=custReference;
|
||||
call rbac.grantRoleToSubject(
|
||||
rbac.getRoleId(testCustomerOwner(newCust)),
|
||||
rbac.getRoleId(testCustomerAdmin(newCust)),
|
||||
|
||||
@ -4,11 +4,11 @@
|
||||
--changeset michael.hoennig:rbactest-package-MAIN-TABLE endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
create table if not exists test_package
|
||||
create table if not exists rbactest.package
|
||||
(
|
||||
uuid uuid unique references rbac.object (uuid),
|
||||
version int not null default 0,
|
||||
customerUuid uuid references test_customer (uuid),
|
||||
customerUuid uuid references rbactest.customer (uuid),
|
||||
name varchar(5),
|
||||
description varchar(96)
|
||||
);
|
||||
|
||||
@ -3,21 +3,21 @@
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacObjectGenerator:test-package-rbac-OBJECT endDelimiter:--//
|
||||
--changeset RbacObjectGenerator:rbactest-package-rbac-OBJECT endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRelatedRbacObject('test_package');
|
||||
call rbac.generateRelatedRbacObject('rbactest.package');
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacRoleDescriptorsGenerator:test-package-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
--changeset RbacRoleDescriptorGenerator:rbactest-package-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRbacRoleDescriptors('testPackage', 'test_package');
|
||||
call rbac.generateRbacRoleDescriptors('testPackage', 'rbactest.package');
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RolesGrantsAndPermissionsGenerator:test-package-rbac-insert-trigger endDelimiter:--//
|
||||
--changeset RolesGrantsAndPermissionsGenerator:rbactest-package-rbac-insert-trigger endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/*
|
||||
@ -25,17 +25,17 @@ call rbac.generateRbacRoleDescriptors('testPackage', 'test_package');
|
||||
*/
|
||||
|
||||
create or replace procedure buildRbacSystemForTestPackage(
|
||||
NEW test_package
|
||||
NEW rbactest.package
|
||||
)
|
||||
language plpgsql as $$
|
||||
|
||||
declare
|
||||
newCustomer test_customer;
|
||||
newCustomer rbactest.customer;
|
||||
|
||||
begin
|
||||
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
||||
|
||||
SELECT * FROM test_customer WHERE uuid = NEW.customerUuid INTO newCustomer;
|
||||
SELECT * FROM rbactest.customer WHERE uuid = NEW.customerUuid INTO newCustomer;
|
||||
assert newCustomer.uuid is not null, format('newCustomer must not be null for NEW.customerUuid = %s', NEW.customerUuid);
|
||||
|
||||
|
||||
@ -61,7 +61,7 @@ begin
|
||||
end; $$;
|
||||
|
||||
/*
|
||||
AFTER INSERT TRIGGER to create the role+grant structure for a new test_package row.
|
||||
AFTER INSERT TRIGGER to create the role+grant structure for a new rbactest.package row.
|
||||
*/
|
||||
|
||||
create or replace function insertTriggerForTestPackage_tf()
|
||||
@ -74,14 +74,14 @@ begin
|
||||
end; $$;
|
||||
|
||||
create trigger insertTriggerForTestPackage_tg
|
||||
after insert on test_package
|
||||
after insert on rbactest.package
|
||||
for each row
|
||||
execute procedure insertTriggerForTestPackage_tf();
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RolesGrantsAndPermissionsGenerator:test-package-rbac-update-trigger endDelimiter:--//
|
||||
--changeset RolesGrantsAndPermissionsGenerator:rbactest-package-rbac-update-trigger endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/*
|
||||
@ -89,22 +89,22 @@ execute procedure insertTriggerForTestPackage_tf();
|
||||
*/
|
||||
|
||||
create or replace procedure updateRbacRulesForTestPackage(
|
||||
OLD test_package,
|
||||
NEW test_package
|
||||
OLD rbactest.package,
|
||||
NEW rbactest.package
|
||||
)
|
||||
language plpgsql as $$
|
||||
|
||||
declare
|
||||
oldCustomer test_customer;
|
||||
newCustomer test_customer;
|
||||
oldCustomer rbactest.customer;
|
||||
newCustomer rbactest.customer;
|
||||
|
||||
begin
|
||||
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
||||
|
||||
SELECT * FROM test_customer WHERE uuid = OLD.customerUuid INTO oldCustomer;
|
||||
SELECT * FROM rbactest.customer WHERE uuid = OLD.customerUuid INTO oldCustomer;
|
||||
assert oldCustomer.uuid is not null, format('oldCustomer must not be null for OLD.customerUuid = %s', OLD.customerUuid);
|
||||
|
||||
SELECT * FROM test_customer WHERE uuid = NEW.customerUuid INTO newCustomer;
|
||||
SELECT * FROM rbactest.customer WHERE uuid = NEW.customerUuid INTO newCustomer;
|
||||
assert newCustomer.uuid is not null, format('newCustomer must not be null for NEW.customerUuid = %s', NEW.customerUuid);
|
||||
|
||||
|
||||
@ -122,7 +122,7 @@ begin
|
||||
end; $$;
|
||||
|
||||
/*
|
||||
AFTER INSERT TRIGGER to re-wire the grant structure for a new test_package row.
|
||||
AFTER INSERT TRIGGER to re-wire the grant structure for a new rbactest.package row.
|
||||
*/
|
||||
|
||||
create or replace function updateTriggerForTestPackage_tf()
|
||||
@ -135,94 +135,94 @@ begin
|
||||
end; $$;
|
||||
|
||||
create trigger updateTriggerForTestPackage_tg
|
||||
after update on test_package
|
||||
after update on rbactest.package
|
||||
for each row
|
||||
execute procedure updateTriggerForTestPackage_tf();
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset InsertTriggerGenerator:test-package-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
|
||||
--changeset InsertTriggerGenerator:rbactest-package-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
-- granting INSERT permission to test_customer ----------------------------
|
||||
-- granting INSERT permission to rbactest.customer ----------------------------
|
||||
|
||||
/*
|
||||
Grants INSERT INTO test_package permissions to specified role of pre-existing test_customer rows.
|
||||
Grants INSERT INTO rbactest.package permissions to specified role of pre-existing rbactest.customer rows.
|
||||
*/
|
||||
do language plpgsql $$
|
||||
declare
|
||||
row test_customer;
|
||||
row rbactest.customer;
|
||||
begin
|
||||
call base.defineContext('create INSERT INTO test_package permissions for pre-exising test_customer rows');
|
||||
call base.defineContext('create INSERT INTO rbactest.package permissions for pre-exising rbactest.customer rows');
|
||||
|
||||
FOR row IN SELECT * FROM test_customer
|
||||
FOR row IN SELECT * FROM rbactest.customer
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'test_package'),
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'rbactest.package'),
|
||||
testCustomerADMIN(row));
|
||||
END LOOP;
|
||||
end;
|
||||
$$;
|
||||
|
||||
/**
|
||||
Grants test_package INSERT permission to specified role of new test_customer rows.
|
||||
Grants rbactest.package INSERT permission to specified role of new customer rows.
|
||||
*/
|
||||
create or replace function new_test_package_grants_insert_to_test_customer_tf()
|
||||
create or replace function rbactest.new_package_grants_insert_to_customer_tf()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'test_package'),
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'rbactest.package'),
|
||||
testCustomerADMIN(NEW));
|
||||
-- end.
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_test_package_grants_after_insert_tg
|
||||
after insert on test_customer
|
||||
create trigger z_new_package_grants_after_insert_tg
|
||||
after insert on rbactest.customer
|
||||
for each row
|
||||
execute procedure new_test_package_grants_insert_to_test_customer_tf();
|
||||
execute procedure rbactest.new_package_grants_insert_to_customer_tf();
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset InsertTriggerGenerator:test_package-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
|
||||
--changeset InsertTriggerGenerator:rbactest-package-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/**
|
||||
Checks if the user respectively the assumed roles are allowed to insert a row to test_package.
|
||||
Checks if the user respectively the assumed roles are allowed to insert a row to rbactest.package.
|
||||
*/
|
||||
create or replace function test_package_insert_permission_check_tf()
|
||||
create or replace function rbactest.package_insert_permission_check_tf()
|
||||
returns trigger
|
||||
language plpgsql as $$
|
||||
declare
|
||||
superObjectUuid uuid;
|
||||
begin
|
||||
-- check INSERT permission via direct foreign key: NEW.customerUuid
|
||||
if rbac.hasInsertPermission(NEW.customerUuid, 'test_package') then
|
||||
if rbac.hasInsertPermission(NEW.customerUuid, 'rbactest.package') then
|
||||
return NEW;
|
||||
end if;
|
||||
|
||||
raise exception '[403] insert into test_package values(%) not allowed for current subjects % (%)',
|
||||
raise exception '[403] insert into rbactest.package values(%) not allowed for current subjects % (%)',
|
||||
NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
end; $$;
|
||||
|
||||
create trigger test_package_insert_permission_check_tg
|
||||
before insert on test_package
|
||||
create trigger package_insert_permission_check_tg
|
||||
before insert on rbactest.package
|
||||
for each row
|
||||
execute procedure test_package_insert_permission_check_tf();
|
||||
execute procedure rbactest.package_insert_permission_check_tf();
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacIdentityViewGenerator:test-package-rbac-IDENTITY-VIEW endDelimiter:--//
|
||||
--changeset RbacIdentityViewGenerator:rbactest-package-rbac-IDENTITY-VIEW endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
call rbac.generateRbacIdentityViewFromProjection('test_package',
|
||||
call rbac.generateRbacIdentityViewFromProjection('rbactest.package',
|
||||
$idName$
|
||||
name
|
||||
$idName$);
|
||||
@ -230,9 +230,9 @@ call rbac.generateRbacIdentityViewFromProjection('test_package',
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacRestrictedViewGenerator:test-package-rbac-RESTRICTED-VIEW endDelimiter:--//
|
||||
--changeset RbacRestrictedViewGenerator:rbactest-package-rbac-RESTRICTED-VIEW endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRbacRestrictedView('test_package',
|
||||
call rbac.generateRbacRestrictedView('rbactest.package',
|
||||
$orderBy$
|
||||
name
|
||||
$orderBy$,
|
||||
|
||||
@ -9,23 +9,23 @@
|
||||
create or replace procedure createPackageTestData(customerPrefix varchar, pacCount int)
|
||||
language plpgsql as $$
|
||||
declare
|
||||
cust test_customer;
|
||||
cust rbactest.customer;
|
||||
custAdminUser varchar;
|
||||
custAdminRole varchar;
|
||||
pacName varchar;
|
||||
pac test_package;
|
||||
pac rbactest.package;
|
||||
begin
|
||||
select * from test_customer where test_customer.prefix = customerPrefix into cust;
|
||||
select * from rbactest.customer where rbactest.customer.prefix = customerPrefix into cust;
|
||||
|
||||
for t in 0..(pacCount-1)
|
||||
loop
|
||||
pacName = cust.prefix || to_char(t, 'fm00');
|
||||
custAdminUser = 'customer-admin@' || cust.prefix || '.example.com';
|
||||
custAdminRole = 'test_customer#' || cust.prefix || ':ADMIN';
|
||||
custAdminRole = 'rbactest.customer#' || cust.prefix || ':ADMIN';
|
||||
call base.defineContext('creating RBAC test package', null, 'superuser-fran@hostsharing.net', custAdminRole);
|
||||
|
||||
insert
|
||||
into test_package (customerUuid, name, description)
|
||||
into rbactest.package (customerUuid, name, description)
|
||||
values (cust.uuid, pacName, 'Here you can add your own description of package ' || pacName || '.')
|
||||
returning * into pac;
|
||||
|
||||
@ -44,9 +44,9 @@ end; $$;
|
||||
create or replace procedure createPackageTestData()
|
||||
language plpgsql as $$
|
||||
declare
|
||||
cust test_customer;
|
||||
cust rbactest.customer;
|
||||
begin
|
||||
for cust in (select * from test_customer)
|
||||
for cust in (select * from rbactest.customer)
|
||||
loop
|
||||
continue when cust.reference >= 90000; -- reserved for functional testing
|
||||
call createPackageTestData(cust.prefix, 3);
|
||||
|
||||
@ -4,10 +4,10 @@
|
||||
--changeset michael.hoennig:rbactest-domain-MAIN-TABLE endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
create table if not exists test_domain
|
||||
create table if not exists rbactest.domain
|
||||
(
|
||||
uuid uuid unique references rbac.object (uuid),
|
||||
packageUuid uuid references test_package (uuid),
|
||||
packageUuid uuid references rbactest.package (uuid),
|
||||
name character varying(253),
|
||||
description character varying(96)
|
||||
);
|
||||
|
||||
@ -3,21 +3,21 @@
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacObjectGenerator:test-domain-rbac-OBJECT endDelimiter:--//
|
||||
--changeset RbacObjectGenerator:rbactest-domain-rbac-OBJECT endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRelatedRbacObject('test_domain');
|
||||
call rbac.generateRelatedRbacObject('rbactest.domain');
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacRoleDescriptorsGenerator:test-domain-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
--changeset RbacRoleDescriptorGenerator:rbactest-domain-rbac-ROLE-DESCRIPTORS endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRbacRoleDescriptors('testDomain', 'test_domain');
|
||||
call rbac.generateRbacRoleDescriptors('testDomain', 'rbactest.domain');
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RolesGrantsAndPermissionsGenerator:test-domain-rbac-insert-trigger endDelimiter:--//
|
||||
--changeset RolesGrantsAndPermissionsGenerator:rbactest-domain-rbac-insert-trigger endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/*
|
||||
@ -25,17 +25,17 @@ call rbac.generateRbacRoleDescriptors('testDomain', 'test_domain');
|
||||
*/
|
||||
|
||||
create or replace procedure buildRbacSystemForTestDomain(
|
||||
NEW test_domain
|
||||
NEW rbactest.domain
|
||||
)
|
||||
language plpgsql as $$
|
||||
|
||||
declare
|
||||
newPackage test_package;
|
||||
newPackage rbactest.package;
|
||||
|
||||
begin
|
||||
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
||||
|
||||
SELECT * FROM test_package WHERE uuid = NEW.packageUuid INTO newPackage;
|
||||
SELECT * FROM rbactest.package WHERE uuid = NEW.packageUuid INTO newPackage;
|
||||
assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s', NEW.packageUuid);
|
||||
|
||||
|
||||
@ -57,7 +57,7 @@ begin
|
||||
end; $$;
|
||||
|
||||
/*
|
||||
AFTER INSERT TRIGGER to create the role+grant structure for a new test_domain row.
|
||||
AFTER INSERT TRIGGER to create the role+grant structure for a new rbactest.domain row.
|
||||
*/
|
||||
|
||||
create or replace function insertTriggerForTestDomain_tf()
|
||||
@ -70,14 +70,14 @@ begin
|
||||
end; $$;
|
||||
|
||||
create trigger insertTriggerForTestDomain_tg
|
||||
after insert on test_domain
|
||||
after insert on rbactest.domain
|
||||
for each row
|
||||
execute procedure insertTriggerForTestDomain_tf();
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RolesGrantsAndPermissionsGenerator:test-domain-rbac-update-trigger endDelimiter:--//
|
||||
--changeset RolesGrantsAndPermissionsGenerator:rbactest-domain-rbac-update-trigger endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/*
|
||||
@ -85,22 +85,22 @@ execute procedure insertTriggerForTestDomain_tf();
|
||||
*/
|
||||
|
||||
create or replace procedure updateRbacRulesForTestDomain(
|
||||
OLD test_domain,
|
||||
NEW test_domain
|
||||
OLD rbactest.domain,
|
||||
NEW rbactest.domain
|
||||
)
|
||||
language plpgsql as $$
|
||||
|
||||
declare
|
||||
oldPackage test_package;
|
||||
newPackage test_package;
|
||||
oldPackage rbactest.package;
|
||||
newPackage rbactest.package;
|
||||
|
||||
begin
|
||||
call rbac.enterTriggerForObjectUuid(NEW.uuid);
|
||||
|
||||
SELECT * FROM test_package WHERE uuid = OLD.packageUuid INTO oldPackage;
|
||||
SELECT * FROM rbactest.package WHERE uuid = OLD.packageUuid INTO oldPackage;
|
||||
assert oldPackage.uuid is not null, format('oldPackage must not be null for OLD.packageUuid = %s', OLD.packageUuid);
|
||||
|
||||
SELECT * FROM test_package WHERE uuid = NEW.packageUuid INTO newPackage;
|
||||
SELECT * FROM rbactest.package WHERE uuid = NEW.packageUuid INTO newPackage;
|
||||
assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s', NEW.packageUuid);
|
||||
|
||||
|
||||
@ -121,7 +121,7 @@ begin
|
||||
end; $$;
|
||||
|
||||
/*
|
||||
AFTER INSERT TRIGGER to re-wire the grant structure for a new test_domain row.
|
||||
AFTER INSERT TRIGGER to re-wire the grant structure for a new rbactest.domain row.
|
||||
*/
|
||||
|
||||
create or replace function updateTriggerForTestDomain_tf()
|
||||
@ -134,94 +134,94 @@ begin
|
||||
end; $$;
|
||||
|
||||
create trigger updateTriggerForTestDomain_tg
|
||||
after update on test_domain
|
||||
after update on rbactest.domain
|
||||
for each row
|
||||
execute procedure updateTriggerForTestDomain_tf();
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset InsertTriggerGenerator:test-domain-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
|
||||
--changeset InsertTriggerGenerator:rbactest-domain-rbac-GRANTING-INSERT-PERMISSION endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
-- granting INSERT permission to test_package ----------------------------
|
||||
-- granting INSERT permission to rbactest.package ----------------------------
|
||||
|
||||
/*
|
||||
Grants INSERT INTO test_domain permissions to specified role of pre-existing test_package rows.
|
||||
Grants INSERT INTO rbactest.domain permissions to specified role of pre-existing rbactest.package rows.
|
||||
*/
|
||||
do language plpgsql $$
|
||||
declare
|
||||
row test_package;
|
||||
row rbactest.package;
|
||||
begin
|
||||
call base.defineContext('create INSERT INTO test_domain permissions for pre-exising test_package rows');
|
||||
call base.defineContext('create INSERT INTO rbactest.domain permissions for pre-exising rbactest.package rows');
|
||||
|
||||
FOR row IN SELECT * FROM test_package
|
||||
FOR row IN SELECT * FROM rbactest.package
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'test_domain'),
|
||||
rbac.createPermission(row.uuid, 'INSERT', 'rbactest.domain'),
|
||||
testPackageADMIN(row));
|
||||
END LOOP;
|
||||
end;
|
||||
$$;
|
||||
|
||||
/**
|
||||
Grants test_domain INSERT permission to specified role of new test_package rows.
|
||||
Grants rbactest.domain INSERT permission to specified role of new package rows.
|
||||
*/
|
||||
create or replace function new_test_domain_grants_insert_to_test_package_tf()
|
||||
create or replace function rbactest.new_domain_grants_insert_to_package_tf()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call rbac.grantPermissionToRole(
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'test_domain'),
|
||||
rbac.createPermission(NEW.uuid, 'INSERT', 'rbactest.domain'),
|
||||
testPackageADMIN(NEW));
|
||||
-- end.
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_test_domain_grants_after_insert_tg
|
||||
after insert on test_package
|
||||
create trigger z_new_domain_grants_after_insert_tg
|
||||
after insert on rbactest.package
|
||||
for each row
|
||||
execute procedure new_test_domain_grants_insert_to_test_package_tf();
|
||||
execute procedure rbactest.new_domain_grants_insert_to_package_tf();
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset InsertTriggerGenerator:test_domain-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
|
||||
--changeset InsertTriggerGenerator:rbactest-domain-rbac-CHECKING-INSERT-PERMISSION endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/**
|
||||
Checks if the user respectively the assumed roles are allowed to insert a row to test_domain.
|
||||
Checks if the user respectively the assumed roles are allowed to insert a row to rbactest.domain.
|
||||
*/
|
||||
create or replace function test_domain_insert_permission_check_tf()
|
||||
create or replace function rbactest.domain_insert_permission_check_tf()
|
||||
returns trigger
|
||||
language plpgsql as $$
|
||||
declare
|
||||
superObjectUuid uuid;
|
||||
begin
|
||||
-- check INSERT permission via direct foreign key: NEW.packageUuid
|
||||
if rbac.hasInsertPermission(NEW.packageUuid, 'test_domain') then
|
||||
if rbac.hasInsertPermission(NEW.packageUuid, 'rbactest.domain') then
|
||||
return NEW;
|
||||
end if;
|
||||
|
||||
raise exception '[403] insert into test_domain values(%) not allowed for current subjects % (%)',
|
||||
raise exception '[403] insert into rbactest.domain values(%) not allowed for current subjects % (%)',
|
||||
NEW, base.currentSubjects(), rbac.currentSubjectOrAssumedRolesUuids();
|
||||
end; $$;
|
||||
|
||||
create trigger test_domain_insert_permission_check_tg
|
||||
before insert on test_domain
|
||||
create trigger domain_insert_permission_check_tg
|
||||
before insert on rbactest.domain
|
||||
for each row
|
||||
execute procedure test_domain_insert_permission_check_tf();
|
||||
execute procedure rbactest.domain_insert_permission_check_tf();
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacIdentityViewGenerator:test-domain-rbac-IDENTITY-VIEW endDelimiter:--//
|
||||
--changeset RbacIdentityViewGenerator:rbactest-domain-rbac-IDENTITY-VIEW endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
call rbac.generateRbacIdentityViewFromProjection('test_domain',
|
||||
call rbac.generateRbacIdentityViewFromProjection('rbactest.domain',
|
||||
$idName$
|
||||
name
|
||||
$idName$);
|
||||
@ -229,9 +229,9 @@ call rbac.generateRbacIdentityViewFromProjection('test_domain',
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset RbacRestrictedViewGenerator:test-domain-rbac-RESTRICTED-VIEW endDelimiter:--//
|
||||
--changeset RbacRestrictedViewGenerator:rbactest-domain-rbac-RESTRICTED-VIEW endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
call rbac.generateRbacRestrictedView('test_domain',
|
||||
call rbac.generateRbacRestrictedView('rbactest.domain',
|
||||
$orderBy$
|
||||
name
|
||||
$orderBy$,
|
||||
|
||||
@ -13,8 +13,8 @@ declare
|
||||
pacAdmin varchar;
|
||||
begin
|
||||
select p.uuid, p.name, c.prefix as custPrefix
|
||||
from test_package p
|
||||
join test_customer c on p.customeruuid = c.uuid
|
||||
from rbactest.package p
|
||||
join rbactest.customer c on p.customeruuid = c.uuid
|
||||
where p.name = packageName
|
||||
into pac;
|
||||
|
||||
@ -24,7 +24,7 @@ begin
|
||||
call base.defineContext('creating RBAC test domain', null, pacAdmin, null);
|
||||
|
||||
insert
|
||||
into test_domain (name, packageUuid)
|
||||
into rbactest.domain (name, packageUuid)
|
||||
values (pac.name || '-' || base.intToVarChar(t, 4), pac.uuid);
|
||||
end loop;
|
||||
end; $$;
|
||||
@ -41,8 +41,8 @@ declare
|
||||
begin
|
||||
for pac in
|
||||
(select p.uuid, p.name
|
||||
from test_package p
|
||||
join test_customer c on p.customeruuid = c.uuid
|
||||
from rbactest.package p
|
||||
join rbactest.customer c on p.customeruuid = c.uuid
|
||||
where c.reference < 90000) -- reserved for functional testing
|
||||
loop
|
||||
call createdomainTestData(pac.name, 2);
|
||||
|
||||
@ -289,9 +289,9 @@ public class CsvDataImport extends ContextBasedTest {
|
||||
protected void deleteFromTestTables() {
|
||||
jpaAttempt.transacted(() -> {
|
||||
context(rbacSuperuser);
|
||||
em.createNativeQuery("delete from test_domain where true").executeUpdate();
|
||||
em.createNativeQuery("delete from test_package where true").executeUpdate();
|
||||
em.createNativeQuery("delete from test_customer where true").executeUpdate();
|
||||
em.createNativeQuery("delete from rbactest.domain where true").executeUpdate();
|
||||
em.createNativeQuery("delete from rbactest.package where true").executeUpdate();
|
||||
em.createNativeQuery("delete from rbactest.customer where true").executeUpdate();
|
||||
}).assertSuccessful();
|
||||
}
|
||||
|
||||
|
||||
@ -62,13 +62,13 @@ class ContextIntegrationTests {
|
||||
void defineWithoutcurrentSubjectButWithAssumedRoles() {
|
||||
// when
|
||||
final var result = jpaAttempt.transacted(() ->
|
||||
context.define(null, "test_package#yyy00:ADMIN")
|
||||
context.define(null, "rbactest.package#yyy00:ADMIN")
|
||||
);
|
||||
|
||||
// then
|
||||
result.assertExceptionWithRootCauseMessage(
|
||||
jakarta.persistence.PersistenceException.class,
|
||||
"ERROR: [403] undefined has no permission to assume role test_package#yyy00:ADMIN");
|
||||
"ERROR: [403] undefined has no permission to assume role rbactest.package#yyy00:ADMIN");
|
||||
}
|
||||
|
||||
@Test
|
||||
@ -88,7 +88,7 @@ class ContextIntegrationTests {
|
||||
@Transactional
|
||||
void defineWithcurrentSubjectAndAssumedRoles() {
|
||||
// given
|
||||
context.define("superuser-alex@hostsharing.net", "test_customer#xxx:OWNER;test_customer#yyy:OWNER");
|
||||
context.define("superuser-alex@hostsharing.net", "rbactest.customer#xxx:OWNER;rbactest.customer#yyy:OWNER");
|
||||
|
||||
// when
|
||||
final var currentSubject = context.fetchCurrentSubject();
|
||||
@ -96,7 +96,7 @@ class ContextIntegrationTests {
|
||||
|
||||
// then
|
||||
assertThat(context.fetchAssumedRoles())
|
||||
.isEqualTo(Array.of("test_customer#xxx:OWNER", "test_customer#yyy:OWNER"));
|
||||
.isEqualTo(Array.of("rbactest.customer#xxx:OWNER", "rbactest.customer#yyy:OWNER"));
|
||||
assertThat(context.fetchCurrentSubjectOrAssumedRolesUuids()).hasSize(2);
|
||||
}
|
||||
|
||||
@ -104,12 +104,12 @@ class ContextIntegrationTests {
|
||||
public void defineContextWithcurrentSubjectAndAssumeInaccessibleRole() {
|
||||
// when
|
||||
final var result = jpaAttempt.transacted(() ->
|
||||
context.define("customer-admin@xxx.example.com", "test_package#yyy00:ADMIN")
|
||||
context.define("customer-admin@xxx.example.com", "rbactest.package#yyy00:ADMIN")
|
||||
);
|
||||
|
||||
// then
|
||||
result.assertExceptionWithRootCauseMessage(
|
||||
jakarta.persistence.PersistenceException.class,
|
||||
"ERROR: [403] subject customer-admin@xxx.example.com has no permission to assume role test_package#yyy00:ADMIN");
|
||||
"ERROR: [403] subject customer-admin@xxx.example.com has no permission to assume role rbactest.package#yyy00:ADMIN");
|
||||
}
|
||||
}
|
||||
|
||||
@ -71,16 +71,16 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
.body("", hasItem(
|
||||
allOf(
|
||||
// TODO: should there be a grantedByRole or just a grantedByTrigger?
|
||||
hasEntry("grantedByRoleIdName", "test_customer#xxx:OWNER"),
|
||||
hasEntry("grantedRoleIdName", "test_customer#xxx:ADMIN"),
|
||||
hasEntry("grantedByRoleIdName", "rbactest.customer#xxx:OWNER"),
|
||||
hasEntry("grantedRoleIdName", "rbactest.customer#xxx:ADMIN"),
|
||||
hasEntry("granteeSubjectName", "customer-admin@xxx.example.com")
|
||||
)
|
||||
))
|
||||
.body("", hasItem(
|
||||
allOf(
|
||||
// TODO: should there be a grantedByRole or just a grantedByTrigger?
|
||||
hasEntry("grantedByRoleIdName", "test_customer#yyy:OWNER"),
|
||||
hasEntry("grantedRoleIdName", "test_customer#yyy:ADMIN"),
|
||||
hasEntry("grantedByRoleIdName", "rbactest.customer#yyy:OWNER"),
|
||||
hasEntry("grantedRoleIdName", "rbactest.customer#yyy:ADMIN"),
|
||||
hasEntry("granteeSubjectName", "customer-admin@yyy.example.com")
|
||||
)
|
||||
))
|
||||
@ -93,15 +93,15 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
))
|
||||
.body("", hasItem(
|
||||
allOf(
|
||||
hasEntry("grantedByRoleIdName", "test_customer#xxx:ADMIN"),
|
||||
hasEntry("grantedRoleIdName", "test_package#xxx00:ADMIN"),
|
||||
hasEntry("grantedByRoleIdName", "rbactest.customer#xxx:ADMIN"),
|
||||
hasEntry("grantedRoleIdName", "rbactest.package#xxx00:ADMIN"),
|
||||
hasEntry("granteeSubjectName", "pac-admin-xxx00@xxx.example.com")
|
||||
)
|
||||
))
|
||||
.body("", hasItem(
|
||||
allOf(
|
||||
hasEntry("grantedByRoleIdName", "test_customer#zzz:ADMIN"),
|
||||
hasEntry("grantedRoleIdName", "test_package#zzz02:ADMIN"),
|
||||
hasEntry("grantedByRoleIdName", "rbactest.customer#zzz:ADMIN"),
|
||||
hasEntry("grantedRoleIdName", "rbactest.package#zzz02:ADMIN"),
|
||||
hasEntry("granteeSubjectName", "pac-admin-zzz02@zzz.example.com")
|
||||
)
|
||||
))
|
||||
@ -114,7 +114,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
RestAssured // @formatter:off
|
||||
.given()
|
||||
.header("current-subject", "superuser-alex@hostsharing.net")
|
||||
.header("assumed-roles", "test_package#yyy00:ADMIN")
|
||||
.header("assumed-roles", "rbactest.package#yyy00:ADMIN")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/rbac/grants")
|
||||
@ -123,8 +123,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
.contentType("application/json")
|
||||
.body("", hasItem(
|
||||
allOf(
|
||||
hasEntry("grantedByRoleIdName", "test_customer#yyy:ADMIN"),
|
||||
hasEntry("grantedRoleIdName", "test_package#yyy00:ADMIN"),
|
||||
hasEntry("grantedByRoleIdName", "rbactest.customer#yyy:ADMIN"),
|
||||
hasEntry("grantedRoleIdName", "rbactest.package#yyy00:ADMIN"),
|
||||
hasEntry("granteeSubjectName", "pac-admin-yyy00@yyy.example.com")
|
||||
)
|
||||
))
|
||||
@ -145,13 +145,13 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
.contentType("application/json")
|
||||
.body("", hasItem(
|
||||
allOf(
|
||||
hasEntry("grantedByRoleIdName", "test_customer#yyy:ADMIN"),
|
||||
hasEntry("grantedRoleIdName", "test_package#yyy00:ADMIN"),
|
||||
hasEntry("grantedByRoleIdName", "rbactest.customer#yyy:ADMIN"),
|
||||
hasEntry("grantedRoleIdName", "rbactest.package#yyy00:ADMIN"),
|
||||
hasEntry("granteeSubjectName", "pac-admin-yyy00@yyy.example.com")
|
||||
)
|
||||
))
|
||||
.body("[0].grantedByRoleIdName", is("test_customer#yyy:ADMIN"))
|
||||
.body("[0].grantedRoleIdName", is("test_package#yyy00:ADMIN"))
|
||||
.body("[0].grantedByRoleIdName", is("rbactest.customer#yyy:ADMIN"))
|
||||
.body("[0].grantedRoleIdName", is("rbactest.package#yyy00:ADMIN"))
|
||||
.body("[0].granteeSubjectName", is("pac-admin-yyy00@yyy.example.com"));
|
||||
// @formatter:on
|
||||
}
|
||||
@ -165,7 +165,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
// given
|
||||
final var givencurrentSubjectAsPackageAdmin = new Subject("customer-admin@xxx.example.com");
|
||||
final var givenGranteeUser = findRbacSubjectByName("pac-admin-xxx00@xxx.example.com");
|
||||
final var givenGrantedRole = getRbacRoleByName("test_package#xxx00:ADMIN");
|
||||
final var givenGrantedRole = getRbacRoleByName("rbactest.package#xxx00:ADMIN");
|
||||
|
||||
// when
|
||||
final var grant = givencurrentSubjectAsPackageAdmin.getGrantById()
|
||||
@ -174,8 +174,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
// then
|
||||
grant.assertThat()
|
||||
.statusCode(200)
|
||||
.body("grantedByRoleIdName", is("test_customer#xxx:ADMIN"))
|
||||
.body("grantedRoleIdName", is("test_package#xxx00:ADMIN"))
|
||||
.body("grantedByRoleIdName", is("rbactest.customer#xxx:ADMIN"))
|
||||
.body("grantedRoleIdName", is("rbactest.package#xxx00:ADMIN"))
|
||||
.body("granteeSubjectName", is("pac-admin-xxx00@xxx.example.com"));
|
||||
}
|
||||
|
||||
@ -184,7 +184,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
// given
|
||||
final var givencurrentSubjectAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com");
|
||||
final var givenGranteeUser = findRbacSubjectByName("pac-admin-xxx00@xxx.example.com");
|
||||
final var givenGrantedRole = getRbacRoleByName("test_package#xxx00:ADMIN");
|
||||
final var givenGrantedRole = getRbacRoleByName("rbactest.package#xxx00:ADMIN");
|
||||
|
||||
// when
|
||||
final var grant = givencurrentSubjectAsPackageAdmin.getGrantById()
|
||||
@ -193,8 +193,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
// then
|
||||
grant.assertThat()
|
||||
.statusCode(200)
|
||||
.body("grantedByRoleIdName", is("test_customer#xxx:ADMIN"))
|
||||
.body("grantedRoleIdName", is("test_package#xxx00:ADMIN"))
|
||||
.body("grantedByRoleIdName", is("rbactest.customer#xxx:ADMIN"))
|
||||
.body("grantedRoleIdName", is("rbactest.package#xxx00:ADMIN"))
|
||||
.body("granteeSubjectName", is("pac-admin-xxx00@xxx.example.com"));
|
||||
}
|
||||
|
||||
@ -203,9 +203,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
// given
|
||||
final var givencurrentSubjectAsPackageAdmin = new Subject(
|
||||
"pac-admin-xxx00@xxx.example.com",
|
||||
"test_package#xxx00:ADMIN");
|
||||
"rbactest.package#xxx00:ADMIN");
|
||||
final var givenGranteeUser = findRbacSubjectByName("pac-admin-xxx00@xxx.example.com");
|
||||
final var givenGrantedRole = getRbacRoleByName("test_package#xxx00:ADMIN");
|
||||
final var givenGrantedRole = getRbacRoleByName("rbactest.package#xxx00:ADMIN");
|
||||
|
||||
// when
|
||||
final var grant = givencurrentSubjectAsPackageAdmin.getGrantById()
|
||||
@ -214,8 +214,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
// then
|
||||
grant.assertThat()
|
||||
.statusCode(200)
|
||||
.body("grantedByRoleIdName", is("test_customer#xxx:ADMIN"))
|
||||
.body("grantedRoleIdName", is("test_package#xxx00:ADMIN"))
|
||||
.body("grantedByRoleIdName", is("rbactest.customer#xxx:ADMIN"))
|
||||
.body("grantedRoleIdName", is("rbactest.package#xxx00:ADMIN"))
|
||||
.body("granteeSubjectName", is("pac-admin-xxx00@xxx.example.com"));
|
||||
}
|
||||
|
||||
@ -225,9 +225,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
// given
|
||||
final var givencurrentSubjectAsPackageAdmin = new Subject(
|
||||
"pac-admin-xxx00@xxx.example.com",
|
||||
"test_package#xxx00:TENANT");
|
||||
"rbactest.package#xxx00:TENANT");
|
||||
final var givenGranteeUser = findRbacSubjectByName("pac-admin-xxx00@xxx.example.com");
|
||||
final var givenGrantedRole = getRbacRoleByName("test_package#xxx00:ADMIN");
|
||||
final var givenGrantedRole = getRbacRoleByName("rbactest.package#xxx00:ADMIN");
|
||||
final var grant = givencurrentSubjectAsPackageAdmin.getGrantById()
|
||||
.forGrantedRole(givenGrantedRole).toGranteeUser(givenGranteeUser);
|
||||
|
||||
@ -245,7 +245,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
|
||||
// given
|
||||
final var givenNewUser = createRbacSubject();
|
||||
final var givenRoleToGrant = "test_package#xxx00:ADMIN";
|
||||
final var givenRoleToGrant = "rbactest.package#xxx00:ADMIN";
|
||||
final var givencurrentSubjectAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
|
||||
final var givenOwnPackageAdminRole =
|
||||
getRbacRoleByName(givencurrentSubjectAsPackageAdmin.assumedRole);
|
||||
@ -258,9 +258,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
// then
|
||||
response.assertThat()
|
||||
.statusCode(201)
|
||||
.body("grantedByRoleIdName", is("test_package#xxx00:ADMIN"))
|
||||
.body("grantedByRoleIdName", is("rbactest.package#xxx00:ADMIN"))
|
||||
.body("assumed", is(true))
|
||||
.body("grantedRoleIdName", is("test_package#xxx00:ADMIN"))
|
||||
.body("grantedRoleIdName", is("rbactest.package#xxx00:ADMIN"))
|
||||
.body("granteeSubjectName", is(givenNewUser.getName()));
|
||||
assertThat(findAllGrantsOf(givencurrentSubjectAsPackageAdmin))
|
||||
.extracting(RbacGrantEntity::toDisplay)
|
||||
@ -274,9 +274,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
|
||||
// given
|
||||
final var givenNewUser = createRbacSubject();
|
||||
final var givenRoleToGrant = "test_package#xxx00:ADMIN";
|
||||
final var givenRoleToGrant = "rbactest.package#xxx00:ADMIN";
|
||||
final var givencurrentSubjectAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
|
||||
final var givenAlienPackageAdminRole = getRbacRoleByName("test_package#yyy00:ADMIN");
|
||||
final var givenAlienPackageAdminRole = getRbacRoleByName("rbactest.package#yyy00:ADMIN");
|
||||
|
||||
// when
|
||||
final var result = givencurrentSubjectAsPackageAdmin
|
||||
@ -287,7 +287,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
result.assertThat()
|
||||
.statusCode(403)
|
||||
.body("message", containsString("Access to granted role"))
|
||||
.body("message", containsString("forbidden for test_package#xxx00:ADMIN"));
|
||||
.body("message", containsString("forbidden for rbactest.package#xxx00:ADMIN"));
|
||||
assertThat(findAllGrantsOf(givencurrentSubjectAsPackageAdmin))
|
||||
.extracting(RbacGrantEntity::getGranteeSubjectName)
|
||||
.doesNotContain(givenNewUser.getName());
|
||||
@ -303,9 +303,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
|
||||
// given
|
||||
final var givenArbitraryUser = createRbacSubject();
|
||||
final var givenRoleToGrant = "test_package#xxx00:ADMIN";
|
||||
final var givenRoleToGrant = "rbactest.package#xxx00:ADMIN";
|
||||
final var givenCurrentSubjectAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
|
||||
final var givenOwnPackageAdminRole = getRbacRoleByName("test_package#xxx00:ADMIN");
|
||||
final var givenOwnPackageAdminRole = getRbacRoleByName("rbactest.package#xxx00:ADMIN");
|
||||
|
||||
// and given an existing grant
|
||||
assumeCreated(givenCurrentSubjectAsPackageAdmin
|
||||
|
||||
@ -67,7 +67,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
||||
// then
|
||||
exactlyTheseRbacGrantsAreReturned(
|
||||
result,
|
||||
"{ grant role:test_package#xxx00:ADMIN to user:pac-admin-xxx00@xxx.example.com by role:test_customer#xxx:ADMIN and assume }");
|
||||
"{ grant role:rbactest.package#xxx00:ADMIN to user:pac-admin-xxx00@xxx.example.com by role:rbactest.customer#xxx:ADMIN and assume }");
|
||||
}
|
||||
|
||||
@Test
|
||||
@ -81,16 +81,16 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
||||
// then
|
||||
exactlyTheseRbacGrantsAreReturned(
|
||||
result,
|
||||
"{ grant role:test_customer#xxx:ADMIN to user:customer-admin@xxx.example.com by role:test_customer#xxx:OWNER and assume }",
|
||||
"{ grant role:test_package#xxx00:ADMIN to user:pac-admin-xxx00@xxx.example.com by role:test_customer#xxx:ADMIN and assume }",
|
||||
"{ grant role:test_package#xxx01:ADMIN to user:pac-admin-xxx01@xxx.example.com by role:test_customer#xxx:ADMIN and assume }",
|
||||
"{ grant role:test_package#xxx02:ADMIN to user:pac-admin-xxx02@xxx.example.com by role:test_customer#xxx:ADMIN and assume }");
|
||||
"{ grant role:rbactest.customer#xxx:ADMIN to user:customer-admin@xxx.example.com by role:rbactest.customer#xxx:OWNER and assume }",
|
||||
"{ grant role:rbactest.package#xxx00:ADMIN to user:pac-admin-xxx00@xxx.example.com by role:rbactest.customer#xxx:ADMIN and assume }",
|
||||
"{ grant role:rbactest.package#xxx01:ADMIN to user:pac-admin-xxx01@xxx.example.com by role:rbactest.customer#xxx:ADMIN and assume }",
|
||||
"{ grant role:rbactest.package#xxx02:ADMIN to user:pac-admin-xxx02@xxx.example.com by role:rbactest.customer#xxx:ADMIN and assume }");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void customerAdmin_withAssumedRole_canOnlyViewRbacGrantsVisibleByAssumedRole() {
|
||||
// given:
|
||||
context("customer-admin@xxx.example.com", "test_package#xxx00:ADMIN");
|
||||
context("customer-admin@xxx.example.com", "rbactest.package#xxx00:ADMIN");
|
||||
|
||||
// when
|
||||
final var result = rbacGrantRepository.findAll();
|
||||
@ -98,7 +98,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
||||
// then
|
||||
exactlyTheseRbacGrantsAreReturned(
|
||||
result,
|
||||
"{ grant role:test_package#xxx00:ADMIN to user:pac-admin-xxx00@xxx.example.com by role:test_customer#xxx:ADMIN and assume }");
|
||||
"{ grant role:rbactest.package#xxx00:ADMIN to user:pac-admin-xxx00@xxx.example.com by role:rbactest.customer#xxx:ADMIN and assume }");
|
||||
}
|
||||
}
|
||||
|
||||
@ -108,9 +108,9 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
||||
@Test
|
||||
public void customerAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() {
|
||||
// given
|
||||
context("customer-admin@xxx.example.com", "test_customer#xxx:ADMIN");
|
||||
context("customer-admin@xxx.example.com", "rbactest.customer#xxx:ADMIN");
|
||||
final var givenArbitrarySubjectUuid = rbacSubjectRepository.findByName("pac-admin-zzz00@zzz.example.com").getUuid();
|
||||
final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("test_package#xxx00:ADMIN").getUuid();
|
||||
final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("rbactest.package#xxx00:ADMIN").getUuid();
|
||||
|
||||
// when
|
||||
final var grant = RbacGrantEntity.builder()
|
||||
@ -126,7 +126,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
||||
assertThat(rbacGrantRepository.findAll())
|
||||
.extracting(RbacGrantEntity::toDisplay)
|
||||
.contains(
|
||||
"{ grant role:test_package#xxx00:ADMIN to user:pac-admin-zzz00@zzz.example.com by role:test_customer#xxx:ADMIN and assume }");
|
||||
"{ grant role:rbactest.package#xxx00:ADMIN to user:pac-admin-zzz00@zzz.example.com by role:rbactest.customer#xxx:ADMIN and assume }");
|
||||
}
|
||||
|
||||
@Test
|
||||
@ -139,14 +139,14 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
||||
context("customer-admin@xxx.example.com", null);
|
||||
return new Given(
|
||||
createNewUser(),
|
||||
rbacRoleRepository.findByRoleName("test_package#xxx00:OWNER").getUuid()
|
||||
rbacRoleRepository.findByRoleName("rbactest.package#xxx00:OWNER").getUuid()
|
||||
);
|
||||
}).assumeSuccessful().returnedValue();
|
||||
|
||||
// when
|
||||
final var attempt = jpaAttempt.transacted(() -> {
|
||||
// now we try to use these uuids as a less privileged user
|
||||
context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00:ADMIN");
|
||||
context("pac-admin-xxx00@xxx.example.com", "rbactest.package#xxx00:ADMIN");
|
||||
final var grant = RbacGrantEntity.builder()
|
||||
.granteeSubjectUuid(given.arbitraryUser.getUuid())
|
||||
.grantedRoleUuid(given.packageOwnerRoleUuid)
|
||||
@ -158,8 +158,8 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
||||
// then
|
||||
attempt.assertExceptionWithRootCauseMessage(
|
||||
JpaSystemException.class,
|
||||
"ERROR: [403] Access to granted role test_package#xxx00:OWNER",
|
||||
"forbidden for test_package#xxx00:ADMIN");
|
||||
"ERROR: [403] Access to granted role rbactest.package#xxx00:OWNER",
|
||||
"forbidden for rbactest.package#xxx00:ADMIN");
|
||||
jpaAttempt.transacted(() -> {
|
||||
// finally, we use the new user to make sure, no roles were granted
|
||||
context(given.arbitraryUser.getName(), null);
|
||||
@ -176,16 +176,16 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
||||
public void customerAdmin_canRevokeSelfGrantedPackageAdminRole() {
|
||||
// given
|
||||
final var grant = create(grant()
|
||||
.byUser("customer-admin@xxx.example.com").withAssumedRole("test_customer#xxx:ADMIN")
|
||||
.grantingRole("test_package#xxx00:ADMIN").toUser("pac-admin-zzz00@zzz.example.com"));
|
||||
.byUser("customer-admin@xxx.example.com").withAssumedRole("rbactest.customer#xxx:ADMIN")
|
||||
.grantingRole("rbactest.package#xxx00:ADMIN").toUser("pac-admin-zzz00@zzz.example.com"));
|
||||
|
||||
// when
|
||||
context("customer-admin@xxx.example.com", "test_customer#xxx:ADMIN");
|
||||
context("customer-admin@xxx.example.com", "rbactest.customer#xxx:ADMIN");
|
||||
final var revokeAttempt = attempt(em, () ->
|
||||
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId()));
|
||||
|
||||
// then
|
||||
context("customer-admin@xxx.example.com", "test_customer#xxx:ADMIN");
|
||||
context("customer-admin@xxx.example.com", "rbactest.customer#xxx:ADMIN");
|
||||
assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull();
|
||||
assertThat(rbacGrantRepository.findAll())
|
||||
.extracting(RbacGrantEntity::getGranteeSubjectName)
|
||||
@ -197,17 +197,17 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
||||
// given
|
||||
final var newUser = createNewUserTransacted();
|
||||
final var grant = create(grant()
|
||||
.byUser("customer-admin@xxx.example.com").withAssumedRole("test_package#xxx00:ADMIN")
|
||||
.grantingRole("test_package#xxx00:ADMIN").toUser(newUser.getName()));
|
||||
.byUser("customer-admin@xxx.example.com").withAssumedRole("rbactest.package#xxx00:ADMIN")
|
||||
.grantingRole("rbactest.package#xxx00:ADMIN").toUser(newUser.getName()));
|
||||
|
||||
// when
|
||||
context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00:ADMIN");
|
||||
context("pac-admin-xxx00@xxx.example.com", "rbactest.package#xxx00:ADMIN");
|
||||
final var revokeAttempt = attempt(em, () ->
|
||||
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId()));
|
||||
|
||||
// then
|
||||
assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull();
|
||||
context("customer-admin@xxx.example.com", "test_customer#xxx:ADMIN");
|
||||
context("customer-admin@xxx.example.com", "rbactest.customer#xxx:ADMIN");
|
||||
assertThat(rbacGrantRepository.findAll())
|
||||
.extracting(RbacGrantEntity::getGranteeSubjectName)
|
||||
.doesNotContain("pac-admin-zzz00@zzz.example.com");
|
||||
@ -217,19 +217,19 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
||||
public void packageAdmin_canNotRevokeOwnPackageAdminRoleGrantedByOwnerRoleOfThatPackage() {
|
||||
// given
|
||||
final var grant = create(grant()
|
||||
.byUser("customer-admin@xxx.example.com").withAssumedRole("test_package#xxx00:OWNER")
|
||||
.grantingRole("test_package#xxx00:ADMIN").toUser("pac-admin-zzz00@zzz.example.com"));
|
||||
final var grantedByRole = rbacRoleRepository.findByRoleName("test_package#xxx00:OWNER");
|
||||
.byUser("customer-admin@xxx.example.com").withAssumedRole("rbactest.package#xxx00:OWNER")
|
||||
.grantingRole("rbactest.package#xxx00:ADMIN").toUser("pac-admin-zzz00@zzz.example.com"));
|
||||
final var grantedByRole = rbacRoleRepository.findByRoleName("rbactest.package#xxx00:OWNER");
|
||||
|
||||
// when
|
||||
context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00:ADMIN");
|
||||
context("pac-admin-xxx00@xxx.example.com", "rbactest.package#xxx00:ADMIN");
|
||||
final var revokeAttempt = attempt(em, () ->
|
||||
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId()));
|
||||
|
||||
// then
|
||||
revokeAttempt.assertExceptionWithRootCauseMessage(
|
||||
JpaSystemException.class,
|
||||
"ERROR: [403] Revoking role created by %s is forbidden for {test_package#xxx00:ADMIN}.".formatted(
|
||||
"ERROR: [403] Revoking role created by %s is forbidden for {rbactest.package#xxx00:ADMIN}.".formatted(
|
||||
grantedByRole.getUuid()
|
||||
));
|
||||
}
|
||||
|
||||
@ -54,36 +54,36 @@ class RbacGrantsDiagramServiceIntegrationTest extends ContextBasedTestWithCleanu
|
||||
|
||||
@Test
|
||||
void allGrantsTocurrentSubject() {
|
||||
context("superuser-alex@hostsharing.net", "test_domain#xxx00-aaaa:OWNER");
|
||||
context("superuser-alex@hostsharing.net", "rbactest.domain#xxx00-aaaa:OWNER");
|
||||
final var graph = grantsMermaidService.allGrantsTocurrentSubject(EnumSet.of(Include.TEST_ENTITIES));
|
||||
|
||||
assertThat(graph).isEqualTo("""
|
||||
flowchart TB
|
||||
|
||||
role:test_domain#xxx00-aaaa:ADMIN --> role:test_package#xxx00:TENANT
|
||||
role:test_domain#xxx00-aaaa:OWNER --> role:test_domain#xxx00-aaaa:ADMIN
|
||||
role:test_domain#xxx00-aaaa:OWNER --> role:test_package#xxx00:TENANT
|
||||
role:test_package#xxx00:TENANT --> role:test_customer#xxx:TENANT
|
||||
role:rbactest.domain#xxx00-aaaa:ADMIN --> role:rbactest.package#xxx00:TENANT
|
||||
role:rbactest.domain#xxx00-aaaa:OWNER --> role:rbactest.domain#xxx00-aaaa:ADMIN
|
||||
role:rbactest.domain#xxx00-aaaa:OWNER --> role:rbactest.package#xxx00:TENANT
|
||||
role:rbactest.package#xxx00:TENANT --> role:rbactest.customer#xxx:TENANT
|
||||
""".trim());
|
||||
}
|
||||
|
||||
@Test
|
||||
void allGrantsTocurrentSubjectIncludingPermissions() {
|
||||
context("superuser-alex@hostsharing.net", "test_domain#xxx00-aaaa:OWNER");
|
||||
context("superuser-alex@hostsharing.net", "rbactest.domain#xxx00-aaaa:OWNER");
|
||||
final var graph = grantsMermaidService.allGrantsTocurrentSubject(EnumSet.of(Include.TEST_ENTITIES, Include.PERMISSIONS));
|
||||
|
||||
assertThat(graph).isEqualTo("""
|
||||
flowchart TB
|
||||
|
||||
role:test_customer#xxx:TENANT --> perm:test_customer#xxx:SELECT
|
||||
role:test_domain#xxx00-aaaa:ADMIN --> perm:test_domain#xxx00-aaaa:SELECT
|
||||
role:test_domain#xxx00-aaaa:ADMIN --> role:test_package#xxx00:TENANT
|
||||
role:test_domain#xxx00-aaaa:OWNER --> perm:test_domain#xxx00-aaaa:DELETE
|
||||
role:test_domain#xxx00-aaaa:OWNER --> perm:test_domain#xxx00-aaaa:UPDATE
|
||||
role:test_domain#xxx00-aaaa:OWNER --> role:test_domain#xxx00-aaaa:ADMIN
|
||||
role:test_domain#xxx00-aaaa:OWNER --> role:test_package#xxx00:TENANT
|
||||
role:test_package#xxx00:TENANT --> perm:test_package#xxx00:SELECT
|
||||
role:test_package#xxx00:TENANT --> role:test_customer#xxx:TENANT
|
||||
role:rbactest.customer#xxx:TENANT --> perm:rbactest.customer#xxx:SELECT
|
||||
role:rbactest.domain#xxx00-aaaa:ADMIN --> perm:rbactest.domain#xxx00-aaaa:SELECT
|
||||
role:rbactest.domain#xxx00-aaaa:ADMIN --> role:rbactest.package#xxx00:TENANT
|
||||
role:rbactest.domain#xxx00-aaaa:OWNER --> perm:rbactest.domain#xxx00-aaaa:DELETE
|
||||
role:rbactest.domain#xxx00-aaaa:OWNER --> perm:rbactest.domain#xxx00-aaaa:UPDATE
|
||||
role:rbactest.domain#xxx00-aaaa:OWNER --> role:rbactest.domain#xxx00-aaaa:ADMIN
|
||||
role:rbactest.domain#xxx00-aaaa:OWNER --> role:rbactest.package#xxx00:TENANT
|
||||
role:rbactest.package#xxx00:TENANT --> perm:rbactest.package#xxx00:SELECT
|
||||
role:rbactest.package#xxx00:TENANT --> role:rbactest.customer#xxx:TENANT
|
||||
""".trim());
|
||||
}
|
||||
|
||||
|
||||
@ -42,14 +42,14 @@ class RbacRoleControllerAcceptanceTest {
|
||||
.then().assertThat()
|
||||
.statusCode(200)
|
||||
.contentType("application/json")
|
||||
.body("", hasItem(hasEntry("roleName", "test_customer#xxx:ADMIN")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_customer#xxx:OWNER")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_customer#xxx:TENANT")))
|
||||
.body("", hasItem(hasEntry("roleName", "rbactest.customer#xxx:ADMIN")))
|
||||
.body("", hasItem(hasEntry("roleName", "rbactest.customer#xxx:OWNER")))
|
||||
.body("", hasItem(hasEntry("roleName", "rbactest.customer#xxx:TENANT")))
|
||||
// ...
|
||||
.body("", hasItem(hasEntry("roleName", "rbac.global#global:ADMIN")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_customer#yyy:ADMIN")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_package#yyy00:ADMIN")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa:OWNER")))
|
||||
.body("", hasItem(hasEntry("roleName", "rbactest.customer#yyy:ADMIN")))
|
||||
.body("", hasItem(hasEntry("roleName", "rbactest.package#yyy00:ADMIN")))
|
||||
.body("", hasItem(hasEntry("roleName", "rbactest.domain#yyy00-aaaa:OWNER")))
|
||||
.body( "size()", greaterThanOrEqualTo(73)); // increases with new test data
|
||||
// @formatter:on
|
||||
}
|
||||
@ -61,7 +61,7 @@ class RbacRoleControllerAcceptanceTest {
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-subject", "superuser-alex@hostsharing.net")
|
||||
.header("assumed-roles", "test_package#yyy00:ADMIN")
|
||||
.header("assumed-roles", "rbactest.package#yyy00:ADMIN")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/rbac/roles")
|
||||
@ -71,18 +71,18 @@ class RbacRoleControllerAcceptanceTest {
|
||||
.statusCode(200)
|
||||
.contentType("application/json")
|
||||
|
||||
.body("", hasItem(hasEntry("roleName", "test_customer#yyy:TENANT")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa:OWNER")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa:ADMIN")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaab:OWNER")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaab:ADMIN")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_package#yyy00:ADMIN")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_package#yyy00:TENANT")))
|
||||
.body("", hasItem(hasEntry("roleName", "rbactest.customer#yyy:TENANT")))
|
||||
.body("", hasItem(hasEntry("roleName", "rbactest.domain#yyy00-aaaa:OWNER")))
|
||||
.body("", hasItem(hasEntry("roleName", "rbactest.domain#yyy00-aaaa:ADMIN")))
|
||||
.body("", hasItem(hasEntry("roleName", "rbactest.domain#yyy00-aaab:OWNER")))
|
||||
.body("", hasItem(hasEntry("roleName", "rbactest.domain#yyy00-aaab:ADMIN")))
|
||||
.body("", hasItem(hasEntry("roleName", "rbactest.package#yyy00:ADMIN")))
|
||||
.body("", hasItem(hasEntry("roleName", "rbactest.package#yyy00:TENANT")))
|
||||
|
||||
.body("", not(hasItem(hasEntry("roleName", "test_customer#xxx:TENANT"))))
|
||||
.body("", not(hasItem(hasEntry("roleName", "test_domain#xxx00-aaaa:ADMIN"))))
|
||||
.body("", not(hasItem(hasEntry("roleName", "test_package#xxx00:ADMIN"))))
|
||||
.body("", not(hasItem(hasEntry("roleName", "test_package#xxx00:TENANT"))))
|
||||
.body("", not(hasItem(hasEntry("roleName", "rbactest.customer#xxx:TENANT"))))
|
||||
.body("", not(hasItem(hasEntry("roleName", "rbactest.domain#xxx00-aaaa:ADMIN"))))
|
||||
.body("", not(hasItem(hasEntry("roleName", "rbactest.package#xxx00:ADMIN"))))
|
||||
.body("", not(hasItem(hasEntry("roleName", "rbactest.package#xxx00:TENANT"))))
|
||||
;
|
||||
// @formatter:on
|
||||
}
|
||||
@ -101,15 +101,15 @@ class RbacRoleControllerAcceptanceTest {
|
||||
.statusCode(200)
|
||||
.contentType("application/json")
|
||||
|
||||
.body("", hasItem(hasEntry("roleName", "test_customer#zzz:TENANT")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_domain#zzz00-aaaa:ADMIN")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_package#zzz00:ADMIN")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_package#zzz00:TENANT")))
|
||||
.body("", hasItem(hasEntry("roleName", "rbactest.customer#zzz:TENANT")))
|
||||
.body("", hasItem(hasEntry("roleName", "rbactest.domain#zzz00-aaaa:ADMIN")))
|
||||
.body("", hasItem(hasEntry("roleName", "rbactest.package#zzz00:ADMIN")))
|
||||
.body("", hasItem(hasEntry("roleName", "rbactest.package#zzz00:TENANT")))
|
||||
|
||||
.body("", not(hasItem(hasEntry("roleName", "test_customer#yyy:TENANT"))))
|
||||
.body("", not(hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa:ADMIN"))))
|
||||
.body("", not(hasItem(hasEntry("roleName", "test_package#yyy00:ADMIN"))))
|
||||
.body("", not(hasItem(hasEntry("roleName", "test_package#yyy00:TENANT"))));
|
||||
.body("", not(hasItem(hasEntry("roleName", "rbactest.customer#yyy:TENANT"))))
|
||||
.body("", not(hasItem(hasEntry("roleName", "rbactest.domain#yyy00-aaaa:ADMIN"))))
|
||||
.body("", not(hasItem(hasEntry("roleName", "rbactest.package#yyy00:ADMIN"))))
|
||||
.body("", not(hasItem(hasEntry("roleName", "rbactest.package#yyy00:TENANT"))));
|
||||
// @formatter:on
|
||||
}
|
||||
}
|
||||
|
||||
@ -74,8 +74,8 @@ class RbacRoleControllerRestTest {
|
||||
.andExpect(status().isOk())
|
||||
.andExpect(jsonPath("$", hasSize(3)))
|
||||
.andExpect(jsonPath("$[0].roleName", is("rbac.global#global:ADMIN")))
|
||||
.andExpect(jsonPath("$[1].roleName", is("test_customer#xxx:OWNER")))
|
||||
.andExpect(jsonPath("$[2].roleName", is("test_customer#xxx:ADMIN")))
|
||||
.andExpect(jsonPath("$[1].roleName", is("rbactest.customer#xxx:OWNER")))
|
||||
.andExpect(jsonPath("$[2].roleName", is("rbactest.customer#xxx:ADMIN")))
|
||||
.andExpect(jsonPath("$[2].uuid", is(customerXxxAdmin.getUuid().toString())))
|
||||
.andExpect(jsonPath("$[2].objectUuid", is(customerXxxAdmin.getObjectUuid().toString())))
|
||||
.andExpect(jsonPath("$[2].objectTable", is(customerXxxAdmin.getObjectTable().toString())))
|
||||
|
||||
@ -40,18 +40,18 @@ class RbacRoleRepositoryIntegrationTest {
|
||||
private static final String[] ALL_TEST_DATA_ROLES = Array.of(
|
||||
// @formatter:off
|
||||
"rbac.global#global:ADMIN",
|
||||
"test_customer#xxx:ADMIN", "test_customer#xxx:OWNER", "test_customer#xxx:TENANT",
|
||||
"test_package#xxx00:ADMIN", "test_package#xxx00:OWNER", "test_package#xxx00:TENANT",
|
||||
"test_package#xxx01:ADMIN", "test_package#xxx01:OWNER", "test_package#xxx01:TENANT",
|
||||
"test_package#xxx02:ADMIN", "test_package#xxx02:OWNER", "test_package#xxx02:TENANT",
|
||||
"test_customer#yyy:ADMIN", "test_customer#yyy:OWNER", "test_customer#yyy:TENANT",
|
||||
"test_package#yyy00:ADMIN", "test_package#yyy00:OWNER", "test_package#yyy00:TENANT",
|
||||
"test_package#yyy01:ADMIN", "test_package#yyy01:OWNER", "test_package#yyy01:TENANT",
|
||||
"test_package#yyy02:ADMIN", "test_package#yyy02:OWNER", "test_package#yyy02:TENANT",
|
||||
"test_customer#zzz:ADMIN", "test_customer#zzz:OWNER", "test_customer#zzz:TENANT",
|
||||
"test_package#zzz00:ADMIN", "test_package#zzz00:OWNER", "test_package#zzz00:TENANT",
|
||||
"test_package#zzz01:ADMIN", "test_package#zzz01:OWNER", "test_package#zzz01:TENANT",
|
||||
"test_package#zzz02:ADMIN", "test_package#zzz02:OWNER", "test_package#zzz02:TENANT"
|
||||
"rbactest.customer#xxx:ADMIN", "rbactest.customer#xxx:OWNER", "rbactest.customer#xxx:TENANT",
|
||||
"rbactest.package#xxx00:ADMIN", "rbactest.package#xxx00:OWNER", "rbactest.package#xxx00:TENANT",
|
||||
"rbactest.package#xxx01:ADMIN", "rbactest.package#xxx01:OWNER", "rbactest.package#xxx01:TENANT",
|
||||
"rbactest.package#xxx02:ADMIN", "rbactest.package#xxx02:OWNER", "rbactest.package#xxx02:TENANT",
|
||||
"rbactest.customer#yyy:ADMIN", "rbactest.customer#yyy:OWNER", "rbactest.customer#yyy:TENANT",
|
||||
"rbactest.package#yyy00:ADMIN", "rbactest.package#yyy00:OWNER", "rbactest.package#yyy00:TENANT",
|
||||
"rbactest.package#yyy01:ADMIN", "rbactest.package#yyy01:OWNER", "rbactest.package#yyy01:TENANT",
|
||||
"rbactest.package#yyy02:ADMIN", "rbactest.package#yyy02:OWNER", "rbactest.package#yyy02:TENANT",
|
||||
"rbactest.customer#zzz:ADMIN", "rbactest.customer#zzz:OWNER", "rbactest.customer#zzz:TENANT",
|
||||
"rbactest.package#zzz00:ADMIN", "rbactest.package#zzz00:OWNER", "rbactest.package#zzz00:TENANT",
|
||||
"rbactest.package#zzz01:ADMIN", "rbactest.package#zzz01:OWNER", "rbactest.package#zzz01:TENANT",
|
||||
"rbactest.package#zzz02:ADMIN", "rbactest.package#zzz02:OWNER", "rbactest.package#zzz02:TENANT"
|
||||
// @formatter:on
|
||||
);
|
||||
|
||||
@ -91,49 +91,49 @@ class RbacRoleRepositoryIntegrationTest {
|
||||
allTheseRbacRolesAreReturned(
|
||||
result,
|
||||
// @formatter:off
|
||||
"test_customer#xxx:ADMIN",
|
||||
"test_customer#xxx:TENANT",
|
||||
"test_package#xxx00:ADMIN",
|
||||
"test_package#xxx00:OWNER",
|
||||
"test_package#xxx00:TENANT",
|
||||
"test_package#xxx01:ADMIN",
|
||||
"test_package#xxx01:OWNER",
|
||||
"test_package#xxx01:TENANT",
|
||||
"rbactest.customer#xxx:ADMIN",
|
||||
"rbactest.customer#xxx:TENANT",
|
||||
"rbactest.package#xxx00:ADMIN",
|
||||
"rbactest.package#xxx00:OWNER",
|
||||
"rbactest.package#xxx00:TENANT",
|
||||
"rbactest.package#xxx01:ADMIN",
|
||||
"rbactest.package#xxx01:OWNER",
|
||||
"rbactest.package#xxx01:TENANT",
|
||||
// ...
|
||||
"test_domain#xxx00-aaaa:ADMIN",
|
||||
"test_domain#xxx00-aaaa:OWNER",
|
||||
"rbactest.domain#xxx00-aaaa:ADMIN",
|
||||
"rbactest.domain#xxx00-aaaa:OWNER",
|
||||
// ..
|
||||
"test_domain#xxx01-aaab:ADMIN",
|
||||
"test_domain#xxx01-aaab:OWNER"
|
||||
"rbactest.domain#xxx01-aaab:ADMIN",
|
||||
"rbactest.domain#xxx01-aaab:OWNER"
|
||||
// @formatter:on
|
||||
);
|
||||
noneOfTheseRbacRolesIsReturned(
|
||||
result,
|
||||
// @formatter:off
|
||||
"rbac.global#global:ADMIN",
|
||||
"test_customer#xxx:OWNER",
|
||||
"test_package#yyy00:ADMIN",
|
||||
"test_package#yyy00:OWNER",
|
||||
"test_package#yyy00:TENANT"
|
||||
"rbactest.customer#xxx:OWNER",
|
||||
"rbactest.package#yyy00:ADMIN",
|
||||
"rbactest.package#yyy00:OWNER",
|
||||
"rbactest.package#yyy00:TENANT"
|
||||
// @formatter:on
|
||||
);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnRbacRole() {
|
||||
context.define("customer-admin@xxx.example.com", "test_package#xxx00:ADMIN");
|
||||
context.define("customer-admin@xxx.example.com", "rbactest.package#xxx00:ADMIN");
|
||||
|
||||
final var result = rbacRoleRepository.findAll();
|
||||
|
||||
exactlyTheseRbacRolesAreReturned(
|
||||
result,
|
||||
"test_customer#xxx:TENANT",
|
||||
"test_package#xxx00:ADMIN",
|
||||
"test_package#xxx00:TENANT",
|
||||
"test_domain#xxx00-aaaa:ADMIN",
|
||||
"test_domain#xxx00-aaaa:OWNER",
|
||||
"test_domain#xxx00-aaab:ADMIN",
|
||||
"test_domain#xxx00-aaab:OWNER");
|
||||
"rbactest.customer#xxx:TENANT",
|
||||
"rbactest.package#xxx00:ADMIN",
|
||||
"rbactest.package#xxx00:TENANT",
|
||||
"rbactest.domain#xxx00-aaaa:ADMIN",
|
||||
"rbactest.domain#xxx00-aaaa:OWNER",
|
||||
"rbactest.domain#xxx00-aaab:ADMIN",
|
||||
"rbactest.domain#xxx00-aaab:OWNER");
|
||||
}
|
||||
|
||||
@Test
|
||||
@ -157,10 +157,10 @@ class RbacRoleRepositoryIntegrationTest {
|
||||
void customerAdmin_withoutAssumedRole_canFindItsOwnRolesByName() {
|
||||
context.define("customer-admin@xxx.example.com");
|
||||
|
||||
final var result = rbacRoleRepository.findByRoleName("test_customer#xxx:ADMIN");
|
||||
final var result = rbacRoleRepository.findByRoleName("rbactest.customer#xxx:ADMIN");
|
||||
|
||||
assertThat(result).isNotNull();
|
||||
assertThat(result.getObjectTable()).isEqualTo("test_customer");
|
||||
assertThat(result.getObjectTable()).isEqualTo("rbactest.customer");
|
||||
assertThat(result.getObjectIdName()).isEqualTo("xxx");
|
||||
assertThat(result.getRoleType()).isEqualTo(RbacRoleType.ADMIN);
|
||||
}
|
||||
@ -169,7 +169,7 @@ class RbacRoleRepositoryIntegrationTest {
|
||||
void customerAdmin_withoutAssumedRole_canNotFindAlienRolesByName() {
|
||||
context.define("customer-admin@xxx.example.com");
|
||||
|
||||
final var result = rbacRoleRepository.findByRoleName("test_customer#bbb:ADMIN");
|
||||
final var result = rbacRoleRepository.findByRoleName("rbactest.customer#bbb:ADMIN");
|
||||
|
||||
assertThat(result).isNull();
|
||||
}
|
||||
|
||||
@ -5,8 +5,8 @@ import static java.util.UUID.randomUUID;
|
||||
public class TestRbacRole {
|
||||
|
||||
public static final RbacRoleEntity hostmasterRole = rbacRole("rbac.global", "global", RbacRoleType.ADMIN);
|
||||
static final RbacRoleEntity customerXxxOwner = rbacRole("test_customer", "xxx", RbacRoleType.OWNER);
|
||||
static final RbacRoleEntity customerXxxAdmin = rbacRole("test_customer", "xxx", RbacRoleType.ADMIN);
|
||||
static final RbacRoleEntity customerXxxOwner = rbacRole("rbactest.customer", "xxx", RbacRoleType.OWNER);
|
||||
static final RbacRoleEntity customerXxxAdmin = rbacRole("rbactest.customer", "xxx", RbacRoleType.ADMIN);
|
||||
|
||||
static public RbacRoleEntity rbacRole(final String objectTable, final String objectIdName, final RbacRoleType roleType) {
|
||||
return new RbacRoleEntity(randomUUID(), randomUUID(), objectTable, objectIdName, roleType, objectTable+'#'+objectIdName+':'+roleType);
|
||||
|
||||
@ -100,7 +100,7 @@ class RbacSubjectControllerAcceptanceTest {
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-subject", "superuser-alex@hostsharing.net")
|
||||
.header("assumed-roles", "test_customer#yyy:ADMIN")
|
||||
.header("assumed-roles", "rbactest.customer#yyy:ADMIN")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/rbac/subjects/" + givenUser.getUuid())
|
||||
@ -201,7 +201,7 @@ class RbacSubjectControllerAcceptanceTest {
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-subject", "superuser-alex@hostsharing.net")
|
||||
.header("assumed-roles", "test_customer#yyy:ADMIN")
|
||||
.header("assumed-roles", "rbactest.customer#yyy:ADMIN")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/rbac/subjects")
|
||||
@ -275,12 +275,12 @@ class RbacSubjectControllerAcceptanceTest {
|
||||
.contentType("application/json")
|
||||
.body("", hasItem(
|
||||
allOf(
|
||||
hasEntry("roleName", "test_customer#yyy:TENANT"),
|
||||
hasEntry("roleName", "rbactest.customer#yyy:TENANT"),
|
||||
hasEntry("op", "SELECT"))
|
||||
))
|
||||
.body("", hasItem(
|
||||
allOf(
|
||||
hasEntry("roleName", "test_domain#yyy00-aaaa:OWNER"),
|
||||
hasEntry("roleName", "rbactest.domain#yyy00-aaaa:OWNER"),
|
||||
hasEntry("op", "DELETE"))
|
||||
))
|
||||
// actual content tested in integration test, so this is enough for here:
|
||||
@ -296,7 +296,7 @@ class RbacSubjectControllerAcceptanceTest {
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-subject", "superuser-alex@hostsharing.net")
|
||||
.header("assumed-roles", "test_customer#yyy:ADMIN")
|
||||
.header("assumed-roles", "rbactest.customer#yyy:ADMIN")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/rbac/subjects/" + givenUser.getUuid() + "/permissions")
|
||||
@ -305,12 +305,12 @@ class RbacSubjectControllerAcceptanceTest {
|
||||
.contentType("application/json")
|
||||
.body("", hasItem(
|
||||
allOf(
|
||||
hasEntry("roleName", "test_customer#yyy:TENANT"),
|
||||
hasEntry("roleName", "rbactest.customer#yyy:TENANT"),
|
||||
hasEntry("op", "SELECT"))
|
||||
))
|
||||
.body("", hasItem(
|
||||
allOf(
|
||||
hasEntry("roleName", "test_domain#yyy00-aaaa:OWNER"),
|
||||
hasEntry("roleName", "rbactest.domain#yyy00-aaaa:OWNER"),
|
||||
hasEntry("op", "DELETE"))
|
||||
))
|
||||
// actual content tested in integration test, so this is enough for here:
|
||||
@ -334,12 +334,12 @@ class RbacSubjectControllerAcceptanceTest {
|
||||
.contentType("application/json")
|
||||
.body("", hasItem(
|
||||
allOf(
|
||||
hasEntry("roleName", "test_customer#yyy:TENANT"),
|
||||
hasEntry("roleName", "rbactest.customer#yyy:TENANT"),
|
||||
hasEntry("op", "SELECT"))
|
||||
))
|
||||
.body("", hasItem(
|
||||
allOf(
|
||||
hasEntry("roleName", "test_domain#yyy00-aaaa:OWNER"),
|
||||
hasEntry("roleName", "rbactest.domain#yyy00-aaaa:OWNER"),
|
||||
hasEntry("op", "DELETE"))
|
||||
))
|
||||
// actual content tested in integration test, so this is enough for here:
|
||||
|
||||
@ -128,7 +128,7 @@ class RbacSubjectRepositoryIntegrationTest extends ContextBasedTest {
|
||||
@Test
|
||||
public void globalAdmin_withAssumedCustomerAdminRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() {
|
||||
given:
|
||||
context("superuser-alex@hostsharing.net", "test_customer#xxx:ADMIN");
|
||||
context("superuser-alex@hostsharing.net", "rbactest.customer#xxx:ADMIN");
|
||||
|
||||
// when
|
||||
final var result = rbacSubjectRepository.findByOptionalNameLike(null);
|
||||
@ -159,7 +159,7 @@ class RbacSubjectRepositoryIntegrationTest extends ContextBasedTest {
|
||||
|
||||
@Test
|
||||
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyUsersHavingRolesInThatPackage() {
|
||||
context("customer-admin@xxx.example.com", "test_package#xxx00:ADMIN");
|
||||
context("customer-admin@xxx.example.com", "rbactest.package#xxx00:ADMIN");
|
||||
|
||||
final var result = rbacSubjectRepository.findByOptionalNameLike(null);
|
||||
|
||||
@ -182,47 +182,47 @@ class RbacSubjectRepositoryIntegrationTest extends ContextBasedTest {
|
||||
|
||||
private static final String[] ALL_USER_PERMISSIONS = Array.of(
|
||||
// @formatter:off
|
||||
"test_customer#xxx:ADMIN -> test_customer#xxx: SELECT",
|
||||
"test_customer#xxx:OWNER -> test_customer#xxx: DELETE",
|
||||
"test_customer#xxx:TENANT -> test_customer#xxx: SELECT",
|
||||
"test_customer#xxx:ADMIN -> test_customer#xxx: INSERT:test_package",
|
||||
"test_package#xxx00:ADMIN -> test_package#xxx00: INSERT:test_domain",
|
||||
"test_package#xxx00:ADMIN -> test_package#xxx00: INSERT:test_domain",
|
||||
"test_package#xxx00:TENANT -> test_package#xxx00: SELECT",
|
||||
"test_package#xxx01:ADMIN -> test_package#xxx01: INSERT:test_domain",
|
||||
"test_package#xxx01:ADMIN -> test_package#xxx01: INSERT:test_domain",
|
||||
"test_package#xxx01:TENANT -> test_package#xxx01: SELECT",
|
||||
"test_package#xxx02:ADMIN -> test_package#xxx02: INSERT:test_domain",
|
||||
"test_package#xxx02:ADMIN -> test_package#xxx02: INSERT:test_domain",
|
||||
"test_package#xxx02:TENANT -> test_package#xxx02: SELECT",
|
||||
"rbactest.customer#xxx:ADMIN -> rbactest.customer#xxx: SELECT",
|
||||
"rbactest.customer#xxx:OWNER -> rbactest.customer#xxx: DELETE",
|
||||
"rbactest.customer#xxx:TENANT -> rbactest.customer#xxx: SELECT",
|
||||
"rbactest.customer#xxx:ADMIN -> rbactest.customer#xxx: INSERT:rbactest.package",
|
||||
"rbactest.package#xxx00:ADMIN -> rbactest.package#xxx00: INSERT:rbactest.domain",
|
||||
"rbactest.package#xxx00:ADMIN -> rbactest.package#xxx00: INSERT:rbactest.domain",
|
||||
"rbactest.package#xxx00:TENANT -> rbactest.package#xxx00: SELECT",
|
||||
"rbactest.package#xxx01:ADMIN -> rbactest.package#xxx01: INSERT:rbactest.domain",
|
||||
"rbactest.package#xxx01:ADMIN -> rbactest.package#xxx01: INSERT:rbactest.domain",
|
||||
"rbactest.package#xxx01:TENANT -> rbactest.package#xxx01: SELECT",
|
||||
"rbactest.package#xxx02:ADMIN -> rbactest.package#xxx02: INSERT:rbactest.domain",
|
||||
"rbactest.package#xxx02:ADMIN -> rbactest.package#xxx02: INSERT:rbactest.domain",
|
||||
"rbactest.package#xxx02:TENANT -> rbactest.package#xxx02: SELECT",
|
||||
|
||||
"test_customer#yyy:ADMIN -> test_customer#yyy: SELECT",
|
||||
"test_customer#yyy:OWNER -> test_customer#yyy: DELETE",
|
||||
"test_customer#yyy:TENANT -> test_customer#yyy: SELECT",
|
||||
"test_customer#yyy:ADMIN -> test_customer#yyy: INSERT:test_package",
|
||||
"test_package#yyy00:ADMIN -> test_package#yyy00: INSERT:test_domain",
|
||||
"test_package#yyy00:ADMIN -> test_package#yyy00: INSERT:test_domain",
|
||||
"test_package#yyy00:TENANT -> test_package#yyy00: SELECT",
|
||||
"test_package#yyy01:ADMIN -> test_package#yyy01: INSERT:test_domain",
|
||||
"test_package#yyy01:ADMIN -> test_package#yyy01: INSERT:test_domain",
|
||||
"test_package#yyy01:TENANT -> test_package#yyy01: SELECT",
|
||||
"test_package#yyy02:ADMIN -> test_package#yyy02: INSERT:test_domain",
|
||||
"test_package#yyy02:ADMIN -> test_package#yyy02: INSERT:test_domain",
|
||||
"test_package#yyy02:TENANT -> test_package#yyy02: SELECT",
|
||||
"rbactest.customer#yyy:ADMIN -> rbactest.customer#yyy: SELECT",
|
||||
"rbactest.customer#yyy:OWNER -> rbactest.customer#yyy: DELETE",
|
||||
"rbactest.customer#yyy:TENANT -> rbactest.customer#yyy: SELECT",
|
||||
"rbactest.customer#yyy:ADMIN -> rbactest.customer#yyy: INSERT:rbactest.package",
|
||||
"rbactest.package#yyy00:ADMIN -> rbactest.package#yyy00: INSERT:rbactest.domain",
|
||||
"rbactest.package#yyy00:ADMIN -> rbactest.package#yyy00: INSERT:rbactest.domain",
|
||||
"rbactest.package#yyy00:TENANT -> rbactest.package#yyy00: SELECT",
|
||||
"rbactest.package#yyy01:ADMIN -> rbactest.package#yyy01: INSERT:rbactest.domain",
|
||||
"rbactest.package#yyy01:ADMIN -> rbactest.package#yyy01: INSERT:rbactest.domain",
|
||||
"rbactest.package#yyy01:TENANT -> rbactest.package#yyy01: SELECT",
|
||||
"rbactest.package#yyy02:ADMIN -> rbactest.package#yyy02: INSERT:rbactest.domain",
|
||||
"rbactest.package#yyy02:ADMIN -> rbactest.package#yyy02: INSERT:rbactest.domain",
|
||||
"rbactest.package#yyy02:TENANT -> rbactest.package#yyy02: SELECT",
|
||||
|
||||
"test_customer#zzz:ADMIN -> test_customer#zzz: SELECT",
|
||||
"test_customer#zzz:OWNER -> test_customer#zzz: DELETE",
|
||||
"test_customer#zzz:TENANT -> test_customer#zzz: SELECT",
|
||||
"test_customer#zzz:ADMIN -> test_customer#zzz: INSERT:test_package",
|
||||
"test_package#zzz00:ADMIN -> test_package#zzz00: INSERT:test_domain",
|
||||
"test_package#zzz00:ADMIN -> test_package#zzz00: INSERT:test_domain",
|
||||
"test_package#zzz00:TENANT -> test_package#zzz00: SELECT",
|
||||
"test_package#zzz01:ADMIN -> test_package#zzz01: INSERT:test_domain",
|
||||
"test_package#zzz01:ADMIN -> test_package#zzz01: INSERT:test_domain",
|
||||
"test_package#zzz01:TENANT -> test_package#zzz01: SELECT",
|
||||
"test_package#zzz02:ADMIN -> test_package#zzz02: INSERT:test_domain",
|
||||
"test_package#zzz02:ADMIN -> test_package#zzz02: INSERT:test_domain",
|
||||
"test_package#zzz02:TENANT -> test_package#zzz02: SELECT"
|
||||
"rbactest.customer#zzz:ADMIN -> rbactest.customer#zzz: SELECT",
|
||||
"rbactest.customer#zzz:OWNER -> rbactest.customer#zzz: DELETE",
|
||||
"rbactest.customer#zzz:TENANT -> rbactest.customer#zzz: SELECT",
|
||||
"rbactest.customer#zzz:ADMIN -> rbactest.customer#zzz: INSERT:rbactest.package",
|
||||
"rbactest.package#zzz00:ADMIN -> rbactest.package#zzz00: INSERT:rbactest.domain",
|
||||
"rbactest.package#zzz00:ADMIN -> rbactest.package#zzz00: INSERT:rbactest.domain",
|
||||
"rbactest.package#zzz00:TENANT -> rbactest.package#zzz00: SELECT",
|
||||
"rbactest.package#zzz01:ADMIN -> rbactest.package#zzz01: INSERT:rbactest.domain",
|
||||
"rbactest.package#zzz01:ADMIN -> rbactest.package#zzz01: INSERT:rbactest.domain",
|
||||
"rbactest.package#zzz01:TENANT -> rbactest.package#zzz01: SELECT",
|
||||
"rbactest.package#zzz02:ADMIN -> rbactest.package#zzz02: INSERT:rbactest.domain",
|
||||
"rbactest.package#zzz02:ADMIN -> rbactest.package#zzz02: INSERT:rbactest.domain",
|
||||
"rbactest.package#zzz02:TENANT -> rbactest.package#zzz02: SELECT"
|
||||
// @formatter:on
|
||||
);
|
||||
|
||||
@ -233,7 +233,7 @@ class RbacSubjectRepositoryIntegrationTest extends ContextBasedTest {
|
||||
|
||||
// when
|
||||
final var result = rbacSubjectRepository.findPermissionsOfUserByUuid(subjectUuid("superuser-fran@hostsharing.net"))
|
||||
.stream().filter(p -> p.getObjectTable().contains("test_"))
|
||||
.stream().filter(p -> p.getObjectTable().contains("rbactest."))
|
||||
.sorted(comparing(RbacSubjectPermission::toString)).toList();
|
||||
|
||||
// then
|
||||
@ -252,32 +252,32 @@ class RbacSubjectRepositoryIntegrationTest extends ContextBasedTest {
|
||||
allTheseRbacPermissionsAreReturned(
|
||||
result,
|
||||
// @formatter:off
|
||||
"test_customer#xxx:ADMIN -> test_customer#xxx: INSERT:test_package",
|
||||
"test_customer#xxx:ADMIN -> test_customer#xxx: SELECT",
|
||||
"test_customer#xxx:TENANT -> test_customer#xxx: SELECT",
|
||||
"rbactest.customer#xxx:ADMIN -> rbactest.customer#xxx: INSERT:rbactest.package",
|
||||
"rbactest.customer#xxx:ADMIN -> rbactest.customer#xxx: SELECT",
|
||||
"rbactest.customer#xxx:TENANT -> rbactest.customer#xxx: SELECT",
|
||||
|
||||
"test_package#xxx00:ADMIN -> test_package#xxx00: INSERT:test_domain",
|
||||
"test_package#xxx00:ADMIN -> test_package#xxx00: INSERT:test_domain",
|
||||
"test_package#xxx00:TENANT -> test_package#xxx00: SELECT",
|
||||
"test_domain#xxx00-aaaa:OWNER -> test_domain#xxx00-aaaa: DELETE",
|
||||
"rbactest.package#xxx00:ADMIN -> rbactest.package#xxx00: INSERT:rbactest.domain",
|
||||
"rbactest.package#xxx00:ADMIN -> rbactest.package#xxx00: INSERT:rbactest.domain",
|
||||
"rbactest.package#xxx00:TENANT -> rbactest.package#xxx00: SELECT",
|
||||
"rbactest.domain#xxx00-aaaa:OWNER -> rbactest.domain#xxx00-aaaa: DELETE",
|
||||
|
||||
"test_package#xxx01:ADMIN -> test_package#xxx01: INSERT:test_domain",
|
||||
"test_package#xxx01:ADMIN -> test_package#xxx01: INSERT:test_domain",
|
||||
"test_package#xxx01:TENANT -> test_package#xxx01: SELECT",
|
||||
"test_domain#xxx01-aaaa:OWNER -> test_domain#xxx01-aaaa: DELETE",
|
||||
"rbactest.package#xxx01:ADMIN -> rbactest.package#xxx01: INSERT:rbactest.domain",
|
||||
"rbactest.package#xxx01:ADMIN -> rbactest.package#xxx01: INSERT:rbactest.domain",
|
||||
"rbactest.package#xxx01:TENANT -> rbactest.package#xxx01: SELECT",
|
||||
"rbactest.domain#xxx01-aaaa:OWNER -> rbactest.domain#xxx01-aaaa: DELETE",
|
||||
|
||||
"test_package#xxx02:ADMIN -> test_package#xxx02: INSERT:test_domain",
|
||||
"test_package#xxx02:ADMIN -> test_package#xxx02: INSERT:test_domain",
|
||||
"test_package#xxx02:TENANT -> test_package#xxx02: SELECT",
|
||||
"test_domain#xxx02-aaaa:OWNER -> test_domain#xxx02-aaaa: DELETE"
|
||||
"rbactest.package#xxx02:ADMIN -> rbactest.package#xxx02: INSERT:rbactest.domain",
|
||||
"rbactest.package#xxx02:ADMIN -> rbactest.package#xxx02: INSERT:rbactest.domain",
|
||||
"rbactest.package#xxx02:TENANT -> rbactest.package#xxx02: SELECT",
|
||||
"rbactest.domain#xxx02-aaaa:OWNER -> rbactest.domain#xxx02-aaaa: DELETE"
|
||||
// @formatter:on
|
||||
);
|
||||
noneOfTheseRbacPermissionsAreReturned(
|
||||
result,
|
||||
// @formatter:off
|
||||
"test_customer#yyy:ADMIN -> test_customer#yyy: INSERT:test_package",
|
||||
"test_customer#yyy:ADMIN -> test_customer#yyy: SELECT",
|
||||
"test_customer#yyy:TENANT -> test_customer#yyy: SELECT"
|
||||
"rbactest.customer#yyy:ADMIN -> rbactest.customer#yyy: INSERT:rbactest.package",
|
||||
"rbactest.customer#yyy:ADMIN -> rbactest.customer#yyy: SELECT",
|
||||
"rbactest.customer#yyy:TENANT -> rbactest.customer#yyy: SELECT"
|
||||
// @formatter:on
|
||||
);
|
||||
}
|
||||
@ -312,26 +312,26 @@ class RbacSubjectRepositoryIntegrationTest extends ContextBasedTest {
|
||||
allTheseRbacPermissionsAreReturned(
|
||||
result,
|
||||
// @formatter:off
|
||||
"test_customer#xxx:TENANT -> test_customer#xxx: SELECT",
|
||||
// "test_customer#xxx:ADMIN -> test_customer#xxx: view" - Not permissions through the customer admin!
|
||||
"test_package#xxx00:ADMIN -> test_package#xxx00: INSERT:test_domain",
|
||||
"test_package#xxx00:ADMIN -> test_package#xxx00: INSERT:test_domain",
|
||||
"test_package#xxx00:TENANT -> test_package#xxx00: SELECT",
|
||||
"test_domain#xxx00-aaaa:OWNER -> test_domain#xxx00-aaaa: DELETE",
|
||||
"test_domain#xxx00-aaab:OWNER -> test_domain#xxx00-aaab: DELETE"
|
||||
"rbactest.customer#xxx:TENANT -> rbactest.customer#xxx: SELECT",
|
||||
// "rbactest.customer#xxx:ADMIN -> rbactest.customer#xxx: view" - Not permissions through the customer admin!
|
||||
"rbactest.package#xxx00:ADMIN -> rbactest.package#xxx00: INSERT:rbactest.domain",
|
||||
"rbactest.package#xxx00:ADMIN -> rbactest.package#xxx00: INSERT:rbactest.domain",
|
||||
"rbactest.package#xxx00:TENANT -> rbactest.package#xxx00: SELECT",
|
||||
"rbactest.domain#xxx00-aaaa:OWNER -> rbactest.domain#xxx00-aaaa: DELETE",
|
||||
"rbactest.domain#xxx00-aaab:OWNER -> rbactest.domain#xxx00-aaab: DELETE"
|
||||
// @formatter:on
|
||||
);
|
||||
noneOfTheseRbacPermissionsAreReturned(
|
||||
result,
|
||||
// @formatter:off
|
||||
"test_customer#yyy:ADMIN -> test_customer#yyy: INSERT:test_package",
|
||||
"test_customer#yyy:ADMIN -> test_customer#yyy: SELECT",
|
||||
"test_customer#yyy:TENANT -> test_customer#yyy: SELECT",
|
||||
"test_package#yyy00:ADMIN -> test_package#yyy00: INSERT:test_domain",
|
||||
"test_package#yyy00:ADMIN -> test_package#yyy00: INSERT:test_domain",
|
||||
"test_package#yyy00:TENANT -> test_package#yyy00: SELECT",
|
||||
"test_domain#yyy00-aaaa:OWNER -> test_domain#yyy00-aaaa: DELETE",
|
||||
"test_domain#yyy00-aaab:OWNER -> test_domain#yyy00-aaab: DELETE"
|
||||
"rbactest.customer#yyy:ADMIN -> rbactest.customer#yyy: INSERT:rbactest.package",
|
||||
"rbactest.customer#yyy:ADMIN -> rbactest.customer#yyy: SELECT",
|
||||
"rbactest.customer#yyy:TENANT -> rbactest.customer#yyy: SELECT",
|
||||
"rbactest.package#yyy00:ADMIN -> rbactest.package#yyy00: INSERT:rbactest.domain",
|
||||
"rbactest.package#yyy00:ADMIN -> rbactest.package#yyy00: INSERT:rbactest.domain",
|
||||
"rbactest.package#yyy00:TENANT -> rbactest.package#yyy00: SELECT",
|
||||
"rbactest.domain#yyy00-aaaa:OWNER -> rbactest.domain#yyy00-aaaa: DELETE",
|
||||
"rbactest.domain#yyy00-aaab:OWNER -> rbactest.domain#yyy00-aaab: DELETE"
|
||||
// @formatter:on
|
||||
);
|
||||
}
|
||||
@ -360,26 +360,26 @@ class RbacSubjectRepositoryIntegrationTest extends ContextBasedTest {
|
||||
allTheseRbacPermissionsAreReturned(
|
||||
result,
|
||||
// @formatter:off
|
||||
"test_customer#xxx:TENANT -> test_customer#xxx: SELECT",
|
||||
// "test_customer#xxx:ADMIN -> test_customer#xxx: view" - Not permissions through the customer admin!
|
||||
"test_package#xxx00:ADMIN -> test_package#xxx00: INSERT:test_domain",
|
||||
"test_package#xxx00:TENANT -> test_package#xxx00: SELECT"
|
||||
"rbactest.customer#xxx:TENANT -> rbactest.customer#xxx: SELECT",
|
||||
// "rbactest.customer#xxx:ADMIN -> rbactest.customer#xxx: view" - Not permissions through the customer admin!
|
||||
"rbactest.package#xxx00:ADMIN -> rbactest.package#xxx00: INSERT:rbactest.domain",
|
||||
"rbactest.package#xxx00:TENANT -> rbactest.package#xxx00: SELECT"
|
||||
// @formatter:on
|
||||
);
|
||||
noneOfTheseRbacPermissionsAreReturned(
|
||||
result,
|
||||
// @formatter:off
|
||||
// no customer admin permissions
|
||||
"test_customer#xxx:ADMIN -> test_customer#xxx: add-package",
|
||||
"rbactest.customer#xxx:ADMIN -> rbactest.customer#xxx: add-package",
|
||||
// no permissions on other customer's objects
|
||||
"test_customer#yyy:ADMIN -> test_customer#yyy: add-package",
|
||||
"test_customer#yyy:ADMIN -> test_customer#yyy: SELECT",
|
||||
"test_customer#yyy:TENANT -> test_customer#yyy: SELECT",
|
||||
"test_package#yyy00:ADMIN -> test_package#yyy00: INSERT:test_domain",
|
||||
"test_package#yyy00:ADMIN -> test_package#yyy00: INSERT:test_domain",
|
||||
"test_package#yyy00:TENANT -> test_package#yyy00: SELECT",
|
||||
"test_domain#yyy00-aaaa:OWNER -> test_domain#yyy00-aaaa: DELETE",
|
||||
"test_domain#yyy00-xxxb:OWNER -> test_domain#yyy00-xxxb: DELETE"
|
||||
"rbactest.customer#yyy:ADMIN -> rbactest.customer#yyy: add-package",
|
||||
"rbactest.customer#yyy:ADMIN -> rbactest.customer#yyy: SELECT",
|
||||
"rbactest.customer#yyy:TENANT -> rbactest.customer#yyy: SELECT",
|
||||
"rbactest.package#yyy00:ADMIN -> rbactest.package#yyy00: INSERT:rbactest.domain",
|
||||
"rbactest.package#yyy00:ADMIN -> rbactest.package#yyy00: INSERT:rbactest.domain",
|
||||
"rbactest.package#yyy00:TENANT -> rbactest.package#yyy00: SELECT",
|
||||
"rbactest.domain#yyy00-aaaa:OWNER -> rbactest.domain#yyy00-aaaa: DELETE",
|
||||
"rbactest.domain#yyy00-xxxb:OWNER -> rbactest.domain#yyy00-xxxb: DELETE"
|
||||
// @formatter:on
|
||||
);
|
||||
}
|
||||
|
||||
@ -89,7 +89,7 @@ class TestCustomerControllerAcceptanceTest {
|
||||
RestAssured // @formatter:off
|
||||
.given()
|
||||
.header("current-subject", "superuser-alex@hostsharing.net")
|
||||
.header("assumed-roles", "test_customer#yyy:ADMIN")
|
||||
.header("assumed-roles", "rbactest.customer#yyy:ADMIN")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/test/customers")
|
||||
@ -148,7 +148,7 @@ class TestCustomerControllerAcceptanceTest {
|
||||
// finally, the new customer can be viewed by its own admin
|
||||
final var newSubjectUuid = UUID.fromString(
|
||||
location.substring(location.lastIndexOf('/') + 1));
|
||||
context.define("superuser-fran@hostsharing.net", "test_customer#uuu:ADMIN");
|
||||
context.define("superuser-fran@hostsharing.net", "rbactest.customer#uuu:ADMIN");
|
||||
assertThat(testCustomerRepository.findByUuid(newSubjectUuid))
|
||||
.hasValueSatisfying(c -> assertThat(c.getPrefix()).isEqualTo("uuu"));
|
||||
}
|
||||
@ -159,7 +159,7 @@ class TestCustomerControllerAcceptanceTest {
|
||||
RestAssured // @formatter:off
|
||||
.given()
|
||||
.header("current-subject", "superuser-alex@hostsharing.net")
|
||||
.header("assumed-roles", "test_customer#xxx:ADMIN")
|
||||
.header("assumed-roles", "rbactest.customer#xxx:ADMIN")
|
||||
.contentType(ContentType.JSON)
|
||||
.body("""
|
||||
{
|
||||
@ -175,8 +175,8 @@ class TestCustomerControllerAcceptanceTest {
|
||||
.statusCode(403)
|
||||
.contentType(ContentType.JSON)
|
||||
.statusCode(403)
|
||||
.body("message", containsString("ERROR: [403] insert into test_customer "))
|
||||
.body("message", containsString(" not allowed for current subjects {test_customer#xxx:ADMIN}"));
|
||||
.body("message", containsString("ERROR: [403] insert into rbactest.customer "))
|
||||
.body("message", containsString(" not allowed for current subjects {rbactest.customer#xxx:ADMIN}"));
|
||||
// @formatter:on
|
||||
|
||||
// finally, the new customer was not created
|
||||
@ -205,7 +205,7 @@ class TestCustomerControllerAcceptanceTest {
|
||||
.statusCode(403)
|
||||
.contentType(ContentType.JSON)
|
||||
.statusCode(403)
|
||||
.body("message", containsString("ERROR: [403] insert into test_customer "))
|
||||
.body("message", containsString("ERROR: [403] insert into rbactest.customer "))
|
||||
.body("message", containsString(" not allowed for current subjects"));
|
||||
// @formatter:on
|
||||
|
||||
|
||||
@ -54,7 +54,7 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
|
||||
@Test
|
||||
public void globalAdmin_withAssumedCustomerRole_cannotCreateNewCustomer() {
|
||||
// given
|
||||
context("superuser-alex@hostsharing.net", "test_customer#xxx:ADMIN");
|
||||
context("superuser-alex@hostsharing.net", "rbactest.customer#xxx:ADMIN");
|
||||
|
||||
// when
|
||||
final var result = attempt(em, () -> {
|
||||
@ -66,8 +66,8 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
|
||||
// then
|
||||
result.assertExceptionWithRootCauseMessage(
|
||||
PersistenceException.class,
|
||||
"ERROR: [403] insert into test_customer ",
|
||||
"not allowed for current subjects {test_customer#xxx:ADMIN}");
|
||||
"ERROR: [403] insert into rbactest.customer ",
|
||||
"not allowed for current subjects {rbactest.customer#xxx:ADMIN}");
|
||||
}
|
||||
|
||||
@Test
|
||||
@ -85,7 +85,7 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
|
||||
// then
|
||||
result.assertExceptionWithRootCauseMessage(
|
||||
PersistenceException.class,
|
||||
"ERROR: [403] insert into test_customer ",
|
||||
"ERROR: [403] insert into rbactest.customer ",
|
||||
" not allowed for current subjects {customer-admin@xxx.example.com}");
|
||||
|
||||
}
|
||||
@ -114,7 +114,7 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
|
||||
@Test
|
||||
public void globalAdmin_withAssumedCustomerOwnerRole_canViewExactlyThatCustomer() {
|
||||
given:
|
||||
context("superuser-alex@hostsharing.net", "test_customer#yyy:OWNER");
|
||||
context("superuser-alex@hostsharing.net", "rbactest.customer#yyy:OWNER");
|
||||
|
||||
// when
|
||||
final var result = testCustomerRepository.findCustomerByOptionalPrefixLike(null);
|
||||
@ -139,7 +139,7 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
|
||||
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnCustomer() {
|
||||
context("customer-admin@xxx.example.com");
|
||||
|
||||
context("customer-admin@xxx.example.com", "test_package#xxx00:ADMIN");
|
||||
context("customer-admin@xxx.example.com", "rbactest.package#xxx00:ADMIN");
|
||||
|
||||
final var result = testCustomerRepository.findCustomerByOptionalPrefixLike(null);
|
||||
|
||||
|
||||
@ -44,7 +44,7 @@ class TestPackageControllerAcceptanceTest {
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-subject", "superuser-alex@hostsharing.net")
|
||||
.header("assumed-roles", "test_customer#xxx:ADMIN")
|
||||
.header("assumed-roles", "rbactest.customer#xxx:ADMIN")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/test/packages")
|
||||
@ -66,7 +66,7 @@ class TestPackageControllerAcceptanceTest {
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-subject", "superuser-alex@hostsharing.net")
|
||||
.header("assumed-roles", "test_customer#xxx:ADMIN")
|
||||
.header("assumed-roles", "rbactest.customer#xxx:ADMIN")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/test/packages?name=xxx01")
|
||||
@ -95,7 +95,7 @@ class TestPackageControllerAcceptanceTest {
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-subject", "superuser-alex@hostsharing.net")
|
||||
.header("assumed-roles", "test_customer#xxx:ADMIN")
|
||||
.header("assumed-roles", "rbactest.customer#xxx:ADMIN")
|
||||
.contentType(ContentType.JSON)
|
||||
.body(format("""
|
||||
{
|
||||
@ -126,7 +126,7 @@ class TestPackageControllerAcceptanceTest {
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-subject", "superuser-alex@hostsharing.net")
|
||||
.header("assumed-roles", "test_customer#xxx:ADMIN")
|
||||
.header("assumed-roles", "rbactest.customer#xxx:ADMIN")
|
||||
.contentType(ContentType.JSON)
|
||||
.body("""
|
||||
{
|
||||
@ -156,7 +156,7 @@ class TestPackageControllerAcceptanceTest {
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-subject", "superuser-alex@hostsharing.net")
|
||||
.header("assumed-roles", "test_customer#xxx:ADMIN")
|
||||
.header("assumed-roles", "rbactest.customer#xxx:ADMIN")
|
||||
.contentType(ContentType.JSON)
|
||||
.body("{}")
|
||||
.port(port)
|
||||
@ -176,7 +176,7 @@ class TestPackageControllerAcceptanceTest {
|
||||
return UUID.fromString(RestAssured
|
||||
.given()
|
||||
.header("current-subject", "superuser-alex@hostsharing.net")
|
||||
.header("assumed-roles", "test_customer#xxx:ADMIN")
|
||||
.header("assumed-roles", "rbactest.customer#xxx:ADMIN")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/test/packages?name={packageName}", packageName)
|
||||
@ -188,7 +188,7 @@ class TestPackageControllerAcceptanceTest {
|
||||
}
|
||||
|
||||
String getDescriptionOfPackage(final String packageName) {
|
||||
context.define("superuser-alex@hostsharing.net","test_customer#xxx:ADMIN");
|
||||
context.define("superuser-alex@hostsharing.net","rbactest.customer#xxx:ADMIN");
|
||||
return testPackageRepository.findAllByOptionalNameLike(packageName).get(0).getDescription();
|
||||
}
|
||||
}
|
||||
|
||||
@ -76,7 +76,7 @@ class TestPackageRepositoryIntegrationTest extends ContextBasedTest {
|
||||
|
||||
@Test
|
||||
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnPackages() {
|
||||
context.define("customer-admin@xxx.example.com", "test_package#xxx00:ADMIN");
|
||||
context.define("customer-admin@xxx.example.com", "rbactest.package#xxx00:ADMIN");
|
||||
|
||||
final var result = testPackageRepository.findAllByOptionalNameLike(null);
|
||||
|
||||
@ -90,17 +90,17 @@ class TestPackageRepositoryIntegrationTest extends ContextBasedTest {
|
||||
@Test
|
||||
public void supportsOptimisticLocking() {
|
||||
// given
|
||||
globalAdminWithAssumedRole("test_package#xxx00:ADMIN");
|
||||
globalAdminWithAssumedRole("rbactest.package#xxx00:ADMIN");
|
||||
final var pac = testPackageRepository.findAllByOptionalNameLike("%").get(0);
|
||||
|
||||
// when
|
||||
final var result1 = jpaAttempt.transacted(() -> {
|
||||
globalAdminWithAssumedRole("test_package#xxx00:OWNER");
|
||||
globalAdminWithAssumedRole("rbactest.package#xxx00:OWNER");
|
||||
pac.setDescription("description set by thread 1");
|
||||
testPackageRepository.save(pac);
|
||||
});
|
||||
final var result2 = jpaAttempt.transacted(() -> {
|
||||
globalAdminWithAssumedRole("test_package#xxx00:OWNER");
|
||||
globalAdminWithAssumedRole("rbactest.package#xxx00:OWNER");
|
||||
pac.setDescription("description set by thread 2");
|
||||
testPackageRepository.save(pac);
|
||||
sleep(1500);
|
||||
|
||||
@ -5,6 +5,7 @@ spring:
|
||||
|
||||
datasource:
|
||||
url-tc: jdbc:tc:postgresql:15.5-bookworm:///spring_boot_testcontainers
|
||||
url-tcx: jdbc:tc:postgresql:15.5-bookworm:///spring_boot_testcontainers?TC_REUSABLE=true&TC_DAEMON=true
|
||||
url-local: jdbc:postgresql://localhost:5432/postgres
|
||||
url: ${spring.datasource.url-tc}
|
||||
username: postgres
|
||||
|
||||
Loading…
Reference in New Issue
Block a user