fix relationship-related grants (WIP)

This commit is contained in:
Michael Hoennig 2024-02-08 17:36:49 +01:00
parent ecc91592b0
commit 443b9b4b8a
12 changed files with 32 additions and 31 deletions


@ -1,5 +1,5 @@
package net.hostsharing.hsadminng.rbac.rbacrole; package net.hostsharing.hsadminng.rbac.rbacrole;
public enum RbacRoleType { public enum RbacRoleType {
owner, admin, agent, tenant, guest owner, admin, agent, tenant, guest, referrer
} }


@ -22,5 +22,6 @@ components:
- owner - owner
- admin - admin
- tenant - tenant
- referrer
roleName: roleName:
type: string type: string


@ -187,7 +187,7 @@ end; $$;
*/ */
create type RbacRoleType as enum ('owner', 'admin', 'agent', 'tenant', 'guest'); create type RbacRoleType as enum ('owner', 'admin', 'agent', 'tenant', 'guest', 'referrer');
create table RbacRole create table RbacRole
( (
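Review bot: `create type RbacRoleType as enum (...)` is edited in place to add `'referrer'`, which only takes effect on a database that is built from scratch; on any database where this changeset has already run, the type has to be extended with `alter type RbacRoleType add value 'referrer';`, and PostgreSQL does not let the new value be used until that statement's transaction is committed. If this schema is only ever applied to freshly created databases (which the test-data style of the other files suggests), a one-line comment above the statement saying so would save the next reader the question. The `create table RbacRole` that follows runs past the end of the hunk.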


@ -27,10 +27,12 @@ begin
perform assertReferenceType('roleId (descendant)', roleUuid, 'RbacRole'); perform assertReferenceType('roleId (descendant)', roleUuid, 'RbacRole');
perform assertReferenceType('userId (ascendant)', userUuid, 'RbacUser'); perform assertReferenceType('userId (ascendant)', userUuid, 'RbacUser');
raise notice 'role % grants role % to user %, assumed=%', grantedByRoleUuid, roleUuid, userUuid, doAssume;
insert insert
into RbacGrants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed) into RbacGrants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
values (grantedByRoleUuid, userUuid, roleUuid, doAssume); values (grantedByRoleUuid, userUuid, roleUuid, doAssume);
-- TODO.spec: What should happen on mupltiple grants? What if options (doAssume) are not the same? -- TODO.spec: What should happen on multiple grants? What if options (doAssume) are not the same?
-- Most powerful or latest grant wins? What about managed? -- Most powerful or latest grant wins? What about managed?
-- on conflict do nothing; -- allow granting multiple times -- on conflict do nothing; -- allow granting multiple times
end; $$; end; $$;
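Review bot: The new `raise notice` fires at NOTICE level on every grant and writes three uuids plus the assumed flag to the client and the server log at the default client_min_messages; if the trace is meant to stay, `raise debug 'role % grants role % to user %, assumed=%', grantedByRoleUuid, roleUuid, userUuid, doAssume;` keeps it available under client_min_messages=debug without the noise. The TODO kept below the insert is the part that matters more: two grants of the same role to the same user with different `assumed` values are inserted side by side and nothing visible here decides which one wins, so an explicit rule (for example a unique constraint on (ascendantUuid, descendantUuid) plus an `on conflict` clause that states the intended precedence) would close a real ambiguity in who may assume what. The function's header lies outside the hunk.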


@ -136,6 +136,7 @@ begin
raise exception '[401] currentUserUuid cannot be determined, please call `defineContext(...)` first;"'; raise exception '[401] currentUserUuid cannot be determined, please call `defineContext(...)` first;"';
end if; end if;
end if; end if;
raise notice 'currentUserUuid %', currentUserUuid;
return currentUserUuid::uuid; return currentUserUuid::uuid;
end; $$; end; $$;
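Review bot: `raise notice 'currentUserUuid %', currentUserUuid;` is emitted at NOTICE level on every call of the function that resolves the current user, so the user uuid ends up in every client session's output and in the server log; this looks like a WIP trace and should become `raise debug 'currentUserUuid %', currentUserUuid;` or be dropped before merge. While in here, the exception text on the context line above ends in a stray `"` after `first;` that should be removed so the `[401]` message is clean. The function starts outside the hunk.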
--// --//


@ -46,14 +46,9 @@ begin
); );
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficeContactTenant(NEW), hsOfficeContactReferrer(NEW),
incomingSuperRoles => array[hsOfficeContactAdmin(NEW)]
);
perform createRoleWithGrants(
hsOfficeContactGuest(NEW),
permissions => array['view'], permissions => array['view'],
incomingSuperRoles => array[hsOfficeContactTenant(NEW)] incomingSuperRoles => array[hsOfficeContactAdmin(NEW)]
); );
return NEW; return NEW;
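Review bot: The tenant and guest roles of a contact are no longer created by this trigger, but nothing in the hunk removes or migrates the RbacRole and RbacGrants rows that earlier inserts already created for `hsOfficeContactTenant`/`hsOfficeContactGuest`, and the helper functions producing those role names are not touched here; if any other trigger still calls them, it would grant or revoke against a role that is never created, so please check for remaining callers. The new referrer role is a sensible narrowing (only `'view'`, directly under admin), but its purpose is not documented; I would add `-- referrer: read-only role handed out to related relationships and debitors` above the `createRoleWithGrants` call. The trigger function starts outside the hunk.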


@ -45,14 +45,9 @@ begin
); );
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficePersonTenant(NEW), hsOfficePersonReferrer(NEW),
incomingSuperRoles => array[hsOfficePersonAdmin(NEW)]
);
perform createRoleWithGrants(
hsOfficePersonGuest(NEW),
permissions => array['view'], permissions => array['view'],
incomingSuperRoles => array[hsOfficePersonTenant(NEW)] incomingSuperRoles => array[hsOfficePersonAdmin(NEW)]
); );
return NEW; return NEW;


@ -28,7 +28,7 @@ begin
call defineContext(currentTask, null, emailAddr); call defineContext(currentTask, null, emailAddr);
execute format('set local hsadminng.currentTask to %L', currentTask); execute format('set local hsadminng.currentTask to %L', currentTask);
raise notice 'creating test person: %', fullName; raise notice 'creating test person: % by %', fullName, emailAddr;
insert insert
into hs_office_person (persontype, tradename, givenname, familyname) into hs_office_person (persontype, tradename, givenname, familyname)
values (newPersonType, newTradeName, newGivenName, newFamilyName); values (newPersonType, newTradeName, newGivenName, newFamilyName);


@ -74,9 +74,9 @@ begin
hsOfficeRelationshipAdmin(NEW) hsOfficeRelationshipAdmin(NEW)
], ],
outgoingSubRoles => array[ outgoingSubRoles => array[
-- hsOfficePersonAdmin(newAnchorPerson), hsOfficePersonReferrer(newAnchorPerson),
-- hsOfficePersonAdmin(newHolderPerson), hsOfficePersonReferrer(newHolderPerson),
hsOfficeContactAdmin(newContact) hsOfficeContactReferrer(newContact)
] ]
); );
@ -91,8 +91,8 @@ begin
call revokeRoleFromRole( hsOfficeRelationshipTenant(NEW), hsOfficeContactAdmin(oldContact) ); call revokeRoleFromRole( hsOfficeRelationshipTenant(NEW), hsOfficeContactAdmin(oldContact) );
call grantRoleToRole( hsOfficeRelationshipTenant(NEW), hsOfficeContactAdmin(newContact) ); call grantRoleToRole( hsOfficeRelationshipTenant(NEW), hsOfficeContactAdmin(newContact) );
call revokeRoleFromRole( hsOfficeContactTenant(oldContact), hsOfficeRelationshipAgent(NEW) ); call revokeRoleFromRole( hsOfficeContactAdmin(oldContact), hsOfficeRelationshipAgent(NEW) );
call grantRoleToRole( hsOfficeContactTenant(newContact), hsOfficeRelationshipAgent(NEW) ); call grantRoleToRole( hsOfficeContactAdmin(newContact), hsOfficeRelationshipAgent(NEW) );
end if; end if;
else else
raise exception 'invalid usage of TRIGGER'; raise exception 'invalid usage of TRIGGER';
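Review bot: The update path for a changed contact now grants `hsOfficeContactAdmin(newContact)` to `hsOfficeRelationshipAgent(NEW)`, while the insert path in the hunk above only hands the relationship role `hsOfficeContactReferrer(newContact)` as an outgoing sub-role, so after a contact swap the relationship agent holds the full contact admin role, which is broader than what a freshly created relationship gets. The matching revoke also targets `hsOfficeContactAdmin(oldContact)`, a grant the insert path never made, so the `hsOfficeContactReferrer(oldContact)` grant from creation time appears to survive the contact change. If the argument order is grantRoleToRole(granted, grantee) as the debitor trigger suggests, the two lines should read `call revokeRoleFromRole( hsOfficeContactReferrer(oldContact), hsOfficeRelationshipAgent(NEW) );` and `call grantRoleToRole( hsOfficeContactReferrer(newContact), hsOfficeRelationshipAgent(NEW) );`. The trigger function starts and ends outside the hunk, so I cannot see which role the insert path creates; please verify the pairing against it.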


@ -79,7 +79,7 @@ begin
hsOfficeBankAccountAdmin(newBankaccount)], hsOfficeBankAccountAdmin(newBankaccount)],
outgoingSubRoles => array[ outgoingSubRoles => array[
hsOfficeRelationshipTenant(newPartnerRel), hsOfficeRelationshipTenant(newPartnerRel),
hsOfficeContactGuest(newContact), hsOfficeContactReferrer(newContact),
hsOfficeBankAccountGuest(newBankaccount)] hsOfficeBankAccountGuest(newBankaccount)]
); );
@ -112,8 +112,8 @@ begin
call revokeRoleFromRole(hsOfficeDebitorAgent(OLD), hsOfficeContactAdmin(oldContact)); call revokeRoleFromRole(hsOfficeDebitorAgent(OLD), hsOfficeContactAdmin(oldContact));
call grantRoleToRole(hsOfficeDebitorAgent(NEW), hsOfficeContactAdmin(newContact)); call grantRoleToRole(hsOfficeDebitorAgent(NEW), hsOfficeContactAdmin(newContact));
call revokeRoleFromRole(hsOfficeContactGuest(oldContact), hsOfficeDebitorTenant(OLD)); call revokeRoleFromRole(hsOfficeContactReferrer(oldContact), hsOfficeDebitorTenant(OLD));
call grantRoleToRole(hsOfficeContactGuest(newContact), hsOfficeDebitorTenant(NEW)); call grantRoleToRole(hsOfficeContactReferrer(newContact), hsOfficeDebitorTenant(NEW));
end if; end if;
if (OLD.refundBankAccountUuid is not null or NEW.refundBankAccountUuid is not null) and if (OLD.refundBankAccountUuid is not null or NEW.refundBankAccountUuid is not null) and


@ -456,6 +456,7 @@ public class ImportOfficeData extends ContextBasedTest {
} }
@Test @Test
@Disabled
@Order(3000) @Order(3000)
@Commit @Commit
void persistEntities() { void persistEntities() {
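Review bot: `@Disabled` is added without a reason, which hides why the one step of this import test that is annotated `@Commit` is switched off; JUnit 5 accepts `@Disabled("WIP: relationship-related grants not consistent yet")`, and the reason then appears in the test report so the disabled commit path is not forgotten. Since `persistEntities` appears to be the step that actually writes the imported office data, leaving it disabled means the grant changes in this commit are not exercised by this test, so the commit that re-enables it should be the same one that finishes the grant rework. The method body lies outside the hunk.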


@ -3,6 +3,7 @@ package net.hostsharing.hsadminng.hs.office.relationship;
import net.hostsharing.hsadminng.context.Context; import net.hostsharing.hsadminng.context.Context;
import net.hostsharing.hsadminng.hs.office.contact.HsOfficeContactRepository; import net.hostsharing.hsadminng.hs.office.contact.HsOfficeContactRepository;
import net.hostsharing.hsadminng.hs.office.person.HsOfficePersonRepository; import net.hostsharing.hsadminng.hs.office.person.HsOfficePersonRepository;
import net.hostsharing.hsadminng.hs.office.person.HsOfficePersonType;
import net.hostsharing.hsadminng.hs.office.test.ContextBasedTestWithCleanup; import net.hostsharing.hsadminng.hs.office.test.ContextBasedTestWithCleanup;
import net.hostsharing.hsadminng.rbac.rbacgrant.RawRbacGrantRepository; import net.hostsharing.hsadminng.rbac.rbacgrant.RawRbacGrantRepository;
import net.hostsharing.hsadminng.rbac.rbacrole.RawRbacRoleRepository; import net.hostsharing.hsadminng.rbac.rbacrole.RawRbacRoleRepository;
@ -146,7 +147,9 @@ class HsOfficeRelationshipRepositoryIntegrationTest extends ContextBasedTestWith
public void globalAdmin_withoutAssumedRole_canViewAllRelationshipsOfArbitraryPerson() { public void globalAdmin_withoutAssumedRole_canViewAllRelationshipsOfArbitraryPerson() {
// given // given
context("superuser-alex@hostsharing.net"); context("superuser-alex@hostsharing.net");
final var person = personRepo.findPersonByOptionalNameLike("Second e.K.").stream().findFirst().orElseThrow(); final var person = personRepo.findPersonByOptionalNameLike("Smith").stream()
.filter(p -> p.getPersonType() == HsOfficePersonType.NATURAL_PERSON)
.findFirst().orElseThrow();
// when // when
final var result = relationshipRepo.findRelationshipRelatedToPersonUuid(person.getUuid()); final var result = relationshipRepo.findRelationshipRelatedToPersonUuid(person.getUuid());
@ -154,15 +157,18 @@ class HsOfficeRelationshipRepositoryIntegrationTest extends ContextBasedTestWith
// then // then
allTheseRelationshipsAreReturned( allTheseRelationshipsAreReturned(
result, result,
"rel(relAnchor='LP Hostsharing eG', relType='PARTNER', relHolder='LP Second e.K.', contact='second contact')", "rel(relAnchor='LP Hostsharing eG', relType='PARTNER', relHolder='NP Smith, Peter', contact='sixth contact')",
"rel(relAnchor='LP Second e.K.', relType='REPRESENTATIVE', relHolder='NP Smith, Peter', contact='second contact')"); "rel(relAnchor='LP Second e.K.', relType='REPRESENTATIVE', relHolder='NP Smith, Peter', contact='second contact')",
"rel(relAnchor='IF Third OHG', relType='SUBSCRIBER', relMark='members-announce', relHolder='NP Smith, Peter', contact='third contact')");
} }
@Test @Test
public void normalUser_canViewRelationshipsOfOwnedPersons() { public void normalUser_canViewRelationshipsOfOwnedPersons() {
// given: // given:
context("person-FirstGmbH@example.com"); context("person-SmithPeter@example.com");
final var person = personRepo.findPersonByOptionalNameLike("First").stream().findFirst().orElseThrow(); final var person = personRepo.findPersonByOptionalNameLike("Smith").stream()
.filter(p -> p.getPersonType() == HsOfficePersonType.NATURAL_PERSON)
.findFirst().orElseThrow();
// when: // when:
final var result = relationshipRepo.findRelationshipRelatedToPersonUuid(person.getUuid()); final var result = relationshipRepo.findRelationshipRelatedToPersonUuid(person.getUuid());