fix relationship-related grants (WIP)

src/main/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleType.java

@@ -1,5 +1,5 @@
 package net.hostsharing.hsadminng.rbac.rbacrole;
 
 public enum RbacRoleType {
-    owner, admin, agent, tenant, guest
+    owner, admin, agent, tenant, guest, referrer
 }

src/main/resources/api-definition/rbac/rbac-role-schemas.yaml

@@ -22,5 +22,6 @@ components:
                         - owner
                         - admin
                         - tenant
+                        - referrer
                 roleName:
                     type: string

src/main/resources/db/changelog/050-rbac-base.sql

@@ -187,7 +187,7 @@ end; $$;
 
  */
 
-create type RbacRoleType as enum ('owner', 'admin', 'agent', 'tenant', 'guest');
+create type RbacRoleType as enum ('owner', 'admin', 'agent', 'tenant', 'guest', 'referrer');
 
 create table RbacRole
 (

src/main/resources/db/changelog/051-rbac-user-grant.sql

@@ -27,10 +27,12 @@ begin
     perform assertReferenceType('roleId (descendant)', roleUuid, 'RbacRole');
     perform assertReferenceType('userId (ascendant)', userUuid, 'RbacUser');
 
+    raise notice 'role % grants role % to user %, assumed=%', grantedByRoleUuid, roleUuid, userUuid, doAssume;
+
     insert
         into RbacGrants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
         values (grantedByRoleUuid, userUuid, roleUuid, doAssume);
-    -- TODO.spec: What should happen on mupltiple grants? What if options (doAssume) are not the same?
+    -- TODO.spec: What should happen on multiple grants? What if options (doAssume) are not the same?
     --      Most powerful or latest grant wins? What about managed?
     -- on conflict do nothing; -- allow granting multiple times
 end; $$;

src/main/resources/db/changelog/054-rbac-context.sql

@@ -136,6 +136,7 @@ begin
             raise exception '[401] currentUserUuid cannot be determined, please call `defineContext(...)` first;"';
         end if;
     end if;
+    raise notice 'currentUserUuid %', currentUserUuid;
     return currentUserUuid::uuid;
 end; $$;
 --//

src/main/resources/db/changelog/203-hs-office-contact-rbac.sql

@@ -46,14 +46,9 @@ begin
         );
 
     perform createRoleWithGrants(
-            hsOfficeContactTenant(NEW),
-            incomingSuperRoles => array[hsOfficeContactAdmin(NEW)]
-        );
-
-    perform createRoleWithGrants(
-            hsOfficeContactGuest(NEW),
+            hsOfficeContactReferrer(NEW),
             permissions => array['view'],
-            incomingSuperRoles => array[hsOfficeContactTenant(NEW)]
+            incomingSuperRoles => array[hsOfficeContactAdmin(NEW)]
         );
 
     return NEW;

src/main/resources/db/changelog/213-hs-office-person-rbac.sql

@@ -45,14 +45,9 @@ begin
         );
 
     perform createRoleWithGrants(
-            hsOfficePersonTenant(NEW),
-            incomingSuperRoles => array[hsOfficePersonAdmin(NEW)]
-        );
-
-    perform createRoleWithGrants(
-            hsOfficePersonGuest(NEW),
+            hsOfficePersonReferrer(NEW),
             permissions => array['view'],
-            incomingSuperRoles => array[hsOfficePersonTenant(NEW)]
+            incomingSuperRoles => array[hsOfficePersonAdmin(NEW)]
         );
 
     return NEW;

src/main/resources/db/changelog/218-hs-office-person-test-data.sql

@@ -28,7 +28,7 @@ begin
     call defineContext(currentTask, null, emailAddr);
     execute format('set local hsadminng.currentTask to %L', currentTask);
 
-    raise notice 'creating test person: %', fullName;
+    raise notice 'creating test person: % by %', fullName, emailAddr;
     insert
         into hs_office_person (persontype, tradename, givenname, familyname)
         values (newPersonType, newTradeName, newGivenName, newFamilyName);

src/main/resources/db/changelog/223-hs-office-relationship-rbac.sql

@@ -74,9 +74,9 @@ begin
                     hsOfficeRelationshipAdmin(NEW)
                     ],
                 outgoingSubRoles => array[
---                     hsOfficePersonAdmin(newAnchorPerson),
---                     hsOfficePersonAdmin(newHolderPerson),
-                    hsOfficeContactAdmin(newContact)
+                    hsOfficePersonReferrer(newAnchorPerson),
+                    hsOfficePersonReferrer(newHolderPerson),
+                    hsOfficeContactReferrer(newContact)
                     ]
                 );
 
@@ -91,8 +91,8 @@ begin
             call revokeRoleFromRole( hsOfficeRelationshipTenant(NEW), hsOfficeContactAdmin(oldContact) );
             call grantRoleToRole( hsOfficeRelationshipTenant(NEW), hsOfficeContactAdmin(newContact) );
 
-            call revokeRoleFromRole( hsOfficeContactTenant(oldContact), hsOfficeRelationshipAgent(NEW) );
-            call grantRoleToRole( hsOfficeContactTenant(newContact), hsOfficeRelationshipAgent(NEW) );
+            call revokeRoleFromRole( hsOfficeContactAdmin(oldContact), hsOfficeRelationshipAgent(NEW) );
+            call grantRoleToRole( hsOfficeContactAdmin(newContact), hsOfficeRelationshipAgent(NEW) );
         end if;
     else
         raise exception 'invalid usage of TRIGGER';

src/main/resources/db/changelog/273-hs-office-debitor-rbac.sql

@@ -79,7 +79,7 @@ begin
                     hsOfficeBankAccountAdmin(newBankaccount)],
                 outgoingSubRoles => array[
                     hsOfficeRelationshipTenant(newPartnerRel),
-                    hsOfficeContactGuest(newContact),
+                    hsOfficeContactReferrer(newContact),
                     hsOfficeBankAccountGuest(newBankaccount)]
             );
 
@@ -112,8 +112,8 @@ begin
             call revokeRoleFromRole(hsOfficeDebitorAgent(OLD), hsOfficeContactAdmin(oldContact));
             call grantRoleToRole(hsOfficeDebitorAgent(NEW), hsOfficeContactAdmin(newContact));
 
-            call revokeRoleFromRole(hsOfficeContactGuest(oldContact), hsOfficeDebitorTenant(OLD));
-            call grantRoleToRole(hsOfficeContactGuest(newContact), hsOfficeDebitorTenant(NEW));
+            call revokeRoleFromRole(hsOfficeContactReferrer(oldContact), hsOfficeDebitorTenant(OLD));
+            call grantRoleToRole(hsOfficeContactReferrer(newContact), hsOfficeDebitorTenant(NEW));
         end if;
 
         if (OLD.refundBankAccountUuid is not null or NEW.refundBankAccountUuid is not null) and

src/test/java/net/hostsharing/hsadminng/hs/office/migration/ImportOfficeData.java

@@ -456,6 +456,7 @@ public class ImportOfficeData extends ContextBasedTest {
     }
 
     @Test
+    @Disabled
     @Order(3000)
     @Commit
     void persistEntities() {

src/test/java/net/hostsharing/hsadminng/hs/office/relationship/HsOfficeRelationshipRepositoryIntegrationTest.java

@@ -3,6 +3,7 @@ package net.hostsharing.hsadminng.hs.office.relationship;
 import net.hostsharing.hsadminng.context.Context;
 import net.hostsharing.hsadminng.hs.office.contact.HsOfficeContactRepository;
 import net.hostsharing.hsadminng.hs.office.person.HsOfficePersonRepository;
+import net.hostsharing.hsadminng.hs.office.person.HsOfficePersonType;
 import net.hostsharing.hsadminng.hs.office.test.ContextBasedTestWithCleanup;
 import net.hostsharing.hsadminng.rbac.rbacgrant.RawRbacGrantRepository;
 import net.hostsharing.hsadminng.rbac.rbacrole.RawRbacRoleRepository;
@@ -146,7 +147,9 @@ class HsOfficeRelationshipRepositoryIntegrationTest extends ContextBasedTestWith
         public void globalAdmin_withoutAssumedRole_canViewAllRelationshipsOfArbitraryPerson() {
             // given
             context("superuser-alex@hostsharing.net");
-            final var person = personRepo.findPersonByOptionalNameLike("Second e.K.").stream().findFirst().orElseThrow();
+            final var person = personRepo.findPersonByOptionalNameLike("Smith").stream()
+                    .filter(p -> p.getPersonType() == HsOfficePersonType.NATURAL_PERSON)
+                    .findFirst().orElseThrow();
 
             // when
             final var result = relationshipRepo.findRelationshipRelatedToPersonUuid(person.getUuid());
@@ -154,15 +157,18 @@ class HsOfficeRelationshipRepositoryIntegrationTest extends ContextBasedTestWith
             // then
             allTheseRelationshipsAreReturned(
                     result,
-                    "rel(relAnchor='LP Hostsharing eG', relType='PARTNER', relHolder='LP Second e.K.', contact='second contact')",
-                    "rel(relAnchor='LP Second e.K.', relType='REPRESENTATIVE', relHolder='NP Smith, Peter', contact='second contact')");
+                    "rel(relAnchor='LP Hostsharing eG', relType='PARTNER', relHolder='NP Smith, Peter', contact='sixth contact')",
+                    "rel(relAnchor='LP Second e.K.', relType='REPRESENTATIVE', relHolder='NP Smith, Peter', contact='second contact')",
+                    "rel(relAnchor='IF Third OHG', relType='SUBSCRIBER', relMark='members-announce', relHolder='NP Smith, Peter', contact='third contact')");
         }
 
         @Test
         public void normalUser_canViewRelationshipsOfOwnedPersons() {
             // given:
-            context("person-FirstGmbH@example.com");
-            final var person = personRepo.findPersonByOptionalNameLike("First").stream().findFirst().orElseThrow();
+            context("person-SmithPeter@example.com");
+            final var person = personRepo.findPersonByOptionalNameLike("Smith").stream()
+                    .filter(p -> p.getPersonType() == HsOfficePersonType.NATURAL_PERSON)
+                    .findFirst().orElseThrow();
 
             // when:
             final var result = relationshipRepo.findRelationshipRelatedToPersonUuid(person.getUuid());