fix relationship-related grants (WIP)

Michael Hoennig 2024-02-08 17:36:49 +01:00
parent ecc91592b0
commit 443b9b4b8a
12 changed files with 32 additions and 31 deletions


@ -1,5 +1,5 @@
package net.hostsharing.hsadminng.rbac.rbacrole;
public enum RbacRoleType {
owner, admin, agent, tenant, guest
owner, admin, agent, tenant, guest, referrer
}


@ -22,5 +22,6 @@ components:
- owner
- admin
- tenant
- referrer
roleName:
type: string
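Review bot: The enum list that the new `- referrer` entry joins shows only owner, admin, tenant and referrer, while RbacRoleType in this same commit defines owner, admin, agent, tenant, guest and referrer. If the API can ever return `agent` or `guest` as a role name, such responses would fail validation against this schema; either add the missing values or add a comment stating why the API surface is deliberately narrower, e.g. `# only the role types exposed via the API; agent/guest are internal`. The head of the list (its `enum:` key) lies above the hunk, so further values may exist that are not visible here.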


@ -187,7 +187,7 @@ end; $$;
*/
create type RbacRoleType as enum ('owner', 'admin', 'agent', 'tenant', 'guest');
create type RbacRoleType as enum ('owner', 'admin', 'agent', 'tenant', 'guest', 'referrer');
create table RbacRole
(
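Review bot: Editing the value list in `create type RbacRoleType as enum (..., 'referrer')` only takes effect on a fresh schema build; an existing database keeps the old type and any row or grant that tries to use 'referrer' fails with an invalid enum value. If this script is ever applied to an instance that already exists, the additive form `alter type RbacRoleType add value 'referrer';` is what changes the type in place (on PostgreSQL the new value cannot be used inside the same transaction that adds it). The Java enum and the OpenAPI enum changed in this commit must keep the same value set as this type, so a one-line comment pointing at those two files above the `create type` would help the next person who adds a role type.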


@ -27,10 +27,12 @@ begin
perform assertReferenceType('roleId (descendant)', roleUuid, 'RbacRole');
perform assertReferenceType('userId (ascendant)', userUuid, 'RbacUser');
raise notice 'role % grants role % to user %, assumed=%', grantedByRoleUuid, roleUuid, userUuid, doAssume;
insert
into RbacGrants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
values (grantedByRoleUuid, userUuid, roleUuid, doAssume);
-- TODO.spec: What should happen on mupltiple grants? What if options (doAssume) are not the same?
-- TODO.spec: What should happen on multiple grants? What if options (doAssume) are not the same?
-- Most powerful or latest grant wins? What about managed?
-- on conflict do nothing; -- allow granting multiple times
end; $$;
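Review bot: The `raise notice 'role % grants role % to user %, assumed=%', grantedByRoleUuid, roleUuid, userUuid, doAssume;` line in grantRoleToUser, and `raise notice 'currentUserUuid %', currentUserUuid;` in currentUserUuid in the next file, read as WIP tracing that fires on every call; NOTICE is delivered to clients by default and typically ends up in the server log, so role and user identifiers from the RBAC hot path get written somewhere with a wider readership than the RBAC tables themselves. If the tracing is meant to stay, `raise debug` keeps it reachable via `client_min_messages` without the default-level exposure; otherwise both lines should go before the commit leaves WIP. Which of the printed lines is new cannot be told from the rendered page, so this applies to whichever of them this commit introduces. The function body starts above the hunk.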


@ -136,6 +136,7 @@ begin
raise exception '[401] currentUserUuid cannot be determined, please call `defineContext(...)` first;"';
end if;
end if;
raise notice 'currentUserUuid %', currentUserUuid;
return currentUserUuid::uuid;
end; $$;
--//


@ -46,14 +46,9 @@ begin
);
perform createRoleWithGrants(
hsOfficeContactTenant(NEW),
incomingSuperRoles => array[hsOfficeContactAdmin(NEW)]
);
perform createRoleWithGrants(
hsOfficeContactGuest(NEW),
hsOfficeContactReferrer(NEW),
permissions => array['view'],
incomingSuperRoles => array[hsOfficeContactTenant(NEW)]
incomingSuperRoles => array[hsOfficeContactAdmin(NEW)]
);
return NEW;
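Review bot: The creation of the contact's tenant role appears to be removed here (the hunk shrinks from 14 to 9 lines and the surviving `createRoleWithGrants` call is the new `hsOfficeContactReferrer(NEW)` one, hanging directly under admin), and the same restructuring is applied to persons in the next file; any trigger or script elsewhere that still calls `hsOfficeContactTenant(...)` or `hsOfficePersonTenant(...)` would then grant into a role that is never created, which fails at grant time at best and silently yields an unreachable role at worst. The relationship trigger in this commit swaps its references to admin, but the other callers are not visible, so a grep for the two role-name functions is worth doing before the WIP flag comes off. A short comment above the call, e.g. `-- referrer replaces guest: view-only access for related parties, granted directly by admin`, would record why the tier was collapsed. The function body starts above the hunk.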


@ -45,14 +45,9 @@ begin
);
perform createRoleWithGrants(
hsOfficePersonTenant(NEW),
incomingSuperRoles => array[hsOfficePersonAdmin(NEW)]
);
perform createRoleWithGrants(
hsOfficePersonGuest(NEW),
hsOfficePersonReferrer(NEW),
permissions => array['view'],
incomingSuperRoles => array[hsOfficePersonTenant(NEW)]
incomingSuperRoles => array[hsOfficePersonAdmin(NEW)]
);
return NEW;


@ -28,7 +28,7 @@ begin
call defineContext(currentTask, null, emailAddr);
execute format('set local hsadminng.currentTask to %L', currentTask);
raise notice 'creating test person: %', fullName;
raise notice 'creating test person: % by %', fullName, emailAddr;
insert
into hs_office_person (persontype, tradename, givenname, familyname)
values (newPersonType, newTradeName, newGivenName, newFamilyName);


@ -74,9 +74,9 @@ begin
hsOfficeRelationshipAdmin(NEW)
],
outgoingSubRoles => array[
-- hsOfficePersonAdmin(newAnchorPerson),
-- hsOfficePersonAdmin(newHolderPerson),
hsOfficeContactAdmin(newContact)
hsOfficePersonReferrer(newAnchorPerson),
hsOfficePersonReferrer(newHolderPerson),
hsOfficeContactReferrer(newContact)
]
);
@ -91,8 +91,8 @@ begin
call revokeRoleFromRole( hsOfficeRelationshipTenant(NEW), hsOfficeContactAdmin(oldContact) );
call grantRoleToRole( hsOfficeRelationshipTenant(NEW), hsOfficeContactAdmin(newContact) );
call revokeRoleFromRole( hsOfficeContactTenant(oldContact), hsOfficeRelationshipAgent(NEW) );
call grantRoleToRole( hsOfficeContactTenant(newContact), hsOfficeRelationshipAgent(NEW) );
call revokeRoleFromRole( hsOfficeContactAdmin(oldContact), hsOfficeRelationshipAgent(NEW) );
call grantRoleToRole( hsOfficeContactAdmin(newContact), hsOfficeRelationshipAgent(NEW) );
end if;
else
raise exception 'invalid usage of TRIGGER';
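Review bot: The unchanged update-path line `call grantRoleToRole( hsOfficeRelationshipTenant(NEW), hsOfficeContactAdmin(newContact) );` no longer mirrors the insert path, whose outgoing sub-role for the contact is now `hsOfficeContactReferrer(newContact)`, so a relationship whose contact is swapped ends up holding contact admin instead of contact referrer — broader access than a freshly created relationship gets — while the old contact's referrer grant is never revoked. The debitor trigger in this commit does the symmetric revoke/grant for the referrer role; the corresponding pair here looks like `call revokeRoleFromRole( hsOfficeRelationshipTenant(NEW), hsOfficeContactReferrer(oldContact) );` followed by `call grantRoleToRole( hsOfficeRelationshipTenant(NEW), hsOfficeContactReferrer(newContact) );`, assuming the role created in the first hunk is the relationship tenant (its name lies above that hunk). The new `hsOfficePersonReferrer(newAnchorPerson)` / `hsOfficePersonReferrer(newHolderPerson)` sub-roles would need the same revoke/grant handling if anchor or holder can change on update. The function continues outside both hunks.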


@ -79,7 +79,7 @@ begin
hsOfficeBankAccountAdmin(newBankaccount)],
outgoingSubRoles => array[
hsOfficeRelationshipTenant(newPartnerRel),
hsOfficeContactGuest(newContact),
hsOfficeContactReferrer(newContact),
hsOfficeBankAccountGuest(newBankaccount)]
);
@ -112,8 +112,8 @@ begin
call revokeRoleFromRole(hsOfficeDebitorAgent(OLD), hsOfficeContactAdmin(oldContact));
call grantRoleToRole(hsOfficeDebitorAgent(NEW), hsOfficeContactAdmin(newContact));
call revokeRoleFromRole(hsOfficeContactGuest(oldContact), hsOfficeDebitorTenant(OLD));
call grantRoleToRole(hsOfficeContactGuest(newContact), hsOfficeDebitorTenant(NEW));
call revokeRoleFromRole(hsOfficeContactReferrer(oldContact), hsOfficeDebitorTenant(OLD));
call grantRoleToRole(hsOfficeContactReferrer(newContact), hsOfficeDebitorTenant(NEW));
end if;
if (OLD.refundBankAccountUuid is not null or NEW.refundBankAccountUuid is not null) and


@ -456,6 +456,7 @@ public class ImportOfficeData extends ContextBasedTest {
}
@Test
@Disabled
@Order(3000)
@Commit
void persistEntities() {
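Review bot: `@Disabled` is added without a reason string, so the switched-off run leaves no trace in test reports of why it is off or when it may come back; `@Disabled("WIP: relationship grants being reworked")` (or the actual reason) keeps that visible. This test appears to be the one that persists the imported office data, i.e. the path that would exercise the referrer grants introduced in this commit, so leaving it disabled means those grants are not covered by the import scenario. The method body continues outside the hunk.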


@ -3,6 +3,7 @@ package net.hostsharing.hsadminng.hs.office.relationship;
import net.hostsharing.hsadminng.context.Context;
import net.hostsharing.hsadminng.hs.office.contact.HsOfficeContactRepository;
import net.hostsharing.hsadminng.hs.office.person.HsOfficePersonRepository;
import net.hostsharing.hsadminng.hs.office.person.HsOfficePersonType;
import net.hostsharing.hsadminng.hs.office.test.ContextBasedTestWithCleanup;
import net.hostsharing.hsadminng.rbac.rbacgrant.RawRbacGrantRepository;
import net.hostsharing.hsadminng.rbac.rbacrole.RawRbacRoleRepository;
@ -146,7 +147,9 @@ class HsOfficeRelationshipRepositoryIntegrationTest extends ContextBasedTestWith
public void globalAdmin_withoutAssumedRole_canViewAllRelationshipsOfArbitraryPerson() {
// given
context("superuser-alex@hostsharing.net");
final var person = personRepo.findPersonByOptionalNameLike("Second e.K.").stream().findFirst().orElseThrow();
final var person = personRepo.findPersonByOptionalNameLike("Smith").stream()
.filter(p -> p.getPersonType() == HsOfficePersonType.NATURAL_PERSON)
.findFirst().orElseThrow();
// when
final var result = relationshipRepo.findRelationshipRelatedToPersonUuid(person.getUuid());
@ -154,15 +157,18 @@ class HsOfficeRelationshipRepositoryIntegrationTest extends ContextBasedTestWith
// then
allTheseRelationshipsAreReturned(
result,
"rel(relAnchor='LP Hostsharing eG', relType='PARTNER', relHolder='LP Second e.K.', contact='second contact')",
"rel(relAnchor='LP Second e.K.', relType='REPRESENTATIVE', relHolder='NP Smith, Peter', contact='second contact')");
"rel(relAnchor='LP Hostsharing eG', relType='PARTNER', relHolder='NP Smith, Peter', contact='sixth contact')",
"rel(relAnchor='LP Second e.K.', relType='REPRESENTATIVE', relHolder='NP Smith, Peter', contact='second contact')",
"rel(relAnchor='IF Third OHG', relType='SUBSCRIBER', relMark='members-announce', relHolder='NP Smith, Peter', contact='third contact')");
}
@Test
public void normalUser_canViewRelationshipsOfOwnedPersons() {
// given:
context("person-FirstGmbH@example.com");
final var person = personRepo.findPersonByOptionalNameLike("First").stream().findFirst().orElseThrow();
context("person-SmithPeter@example.com");
final var person = personRepo.findPersonByOptionalNameLike("Smith").stream()
.filter(p -> p.getPersonType() == HsOfficePersonType.NATURAL_PERSON)
.findFirst().orElseThrow();
// when:
final var result = relationshipRepo.findRelationshipRelatedToPersonUuid(person.getUuid());
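Review bot: The fixture lookup `personRepo.findPersonByOptionalNameLike("Smith").stream().filter(p -> p.getPersonType() == HsOfficePersonType.NATURAL_PERSON).findFirst().orElseThrow()` is now duplicated in both tests; a small private helper such as `naturalPersonNamed("Smith")` keeps the fixture selection in one place as more tests move onto this person. A bare `orElseThrow()` also reports a missing fixture as an unexplained NoSuchElementException; `orElseThrow(() -> new AssertionError("no natural person named Smith in test data"))` names what was expected. The second test method continues beyond the hunk.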