Merge remote-tracking branch 'refs/remotes/origin/master' into java-for-gradlew
# Conflicts: # README.md
This commit is contained in:
commit
45994b2f48
44
.aliases
44
.aliases
@ -1,9 +1,6 @@
|
|||||||
# For using the alias import-office-tables, # copy these exports to .environment (ignored by git)
|
# For using the alias gw-importOfficeData or gw-importHostingAssets,
|
||||||
# and amend them according to your external DB:
|
# copy the file .tc-environment to .environment (ignored by git)
|
||||||
export HSADMINNG_POSTGRES_JDBC_URL=jdbc:tc:postgresql:15.5-bookworm:///spring_boot_testcontainers
|
# and amend them according to your external DB.
|
||||||
export HSADMINNG_POSTGRES_ADMIN_USERNAME=admin
|
|
||||||
export HSADMINNG_POSTGRES_ADMIN_PASSWORD=
|
|
||||||
export HSADMINNG_POSTGRES_RESTRICTED_USERNAME=restricted
|
|
||||||
|
|
||||||
gradleWrapper () {
|
gradleWrapper () {
|
||||||
if [ ! -f gradlew ]; then
|
if [ ! -f gradlew ]; then
|
||||||
@ -45,23 +42,29 @@ postgresAutodoc () {
|
|||||||
}
|
}
|
||||||
alias postgres-autodoc=postgresAutodoc
|
alias postgres-autodoc=postgresAutodoc
|
||||||
|
|
||||||
function importOfficeData() {
|
function importLegacyData() {
|
||||||
export HSADMINNG_POSTGRES_JDBC=jdbc:tc:postgresql:15.5-bookworm:///spring_boot_testcontainers
|
export target=$1
|
||||||
export HSADMINNG_POSTGRES_ADMIN_USERNAME=admin
|
if [ -z "$target" ]; then
|
||||||
export HSADMINNG_POSTGRES_ADMIN_PASSWORD=password
|
echo "importLegacyData needs target argument, but none was given" >&2
|
||||||
export HSADMINNG_POSTGRES_RESTRICTED_USERNAME=restricted
|
else
|
||||||
export HSADMINNG_SUPERUSER=superuser-alex@hostsharing.net
|
source .tc-environment
|
||||||
|
|
||||||
if [ -f .environment ]; then
|
if [ -f .environment ]; then
|
||||||
source .environment
|
source .environment
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "using environment (with ending ';' for use in IntelliJ IDEA):"
|
echo "using environment (with ending ';' for use in IntelliJ IDEA):"
|
||||||
|
echo "--- BEGIN: ---"
|
||||||
set | grep ^HSADMINNG_ | sed 's/$/;/'
|
set | grep ^HSADMINNG_ | sed 's/$/;/'
|
||||||
|
echo "---- END. ----"
|
||||||
|
echo
|
||||||
|
|
||||||
./gradlew importOfficeData --rerun
|
echo ./gradlew $target --rerun
|
||||||
|
./gradlew $target --rerun
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
alias gw-importOfficeData=importOfficeData
|
alias gw-importOfficeData='importLegacyData importOfficeData'
|
||||||
|
alias gw-importHostingAssets='importLegacyData importHostingAssets'
|
||||||
|
|
||||||
alias podman-start='systemctl --user enable --now podman.socket && systemctl --user status podman.socket && ls -la /run/user/$UID/podman/podman.sock'
|
alias podman-start='systemctl --user enable --now podman.socket && systemctl --user status podman.socket && ls -la /run/user/$UID/podman/podman.sock'
|
||||||
alias podman-stop='systemctl --user disable --now podman.socket && systemctl --user status podman.socket && ls -la /run/user/$UID/podman/podman.sock'
|
alias podman-stop='systemctl --user disable --now podman.socket && systemctl --user status podman.socket && ls -la /run/user/$UID/podman/podman.sock'
|
||||||
@ -79,5 +82,16 @@ alias pg-sql-restore='gunzip --stdout | docker exec -i hsadmin-ng-postgres psql
|
|||||||
alias fp='grep -r '@Accepts' src | sed -e 's/^.*@/@/g' | sort -u | wc -l'
|
alias fp='grep -r '@Accepts' src | sed -e 's/^.*@/@/g' | sort -u | wc -l'
|
||||||
|
|
||||||
alias gw-spotless='./gradlew spotlessApply -x pitest -x test -x :processResources'
|
alias gw-spotless='./gradlew spotlessApply -x pitest -x test -x :processResources'
|
||||||
alias gw-test='. .aliases; ./gradlew test importOfficeData'
|
alias gw-test='. .aliases; ./gradlew test'
|
||||||
alias gw-check='. .aliases; gw test importOfficeData check -x pitest -x :dependencyCheckAnalyze'
|
alias gw-check='. .aliases; gw test importOfficeData check -x pitest -x :dependencyCheckAnalyze'
|
||||||
|
|
||||||
|
# etc/docker-compose.yml limits CPUs+MEM and includes a PostgreSQL config for analysing slow queries
|
||||||
|
alias gw-importOfficeData-in-docker-compose='
|
||||||
|
docker-compose -f etc/docker-compose.yml down &&
|
||||||
|
docker-compose -f etc/docker-compose.yml up -d && sleep 10 &&
|
||||||
|
time gw-importHostingAssets'
|
||||||
|
|
||||||
|
if [ ! -f .environment ]; then
|
||||||
|
cp .tc-environment .environment
|
||||||
|
fi
|
||||||
|
source .environment
|
||||||
|
6
.gitignore
vendored
6
.gitignore
vendored
@ -4,7 +4,6 @@
|
|||||||
/build/www/**
|
/build/www/**
|
||||||
/src/test/javascript/coverage/
|
/src/test/javascript/coverage/
|
||||||
/worktrees/
|
/worktrees/
|
||||||
TODO-progress.png
|
|
||||||
|
|
||||||
######################
|
######################
|
||||||
# Node
|
# Node
|
||||||
@ -137,4 +136,9 @@ Desktop.ini
|
|||||||
# ESLint
|
# ESLint
|
||||||
######################
|
######################
|
||||||
.eslintcache
|
.eslintcache
|
||||||
|
|
||||||
|
######################
|
||||||
|
# Project Related
|
||||||
|
######################
|
||||||
/.environment*
|
/.environment*
|
||||||
|
/src/test/resources/migration-prod/*
|
||||||
|
37
.run/ImportHostingAssets into local.run.xml
Normal file
37
.run/ImportHostingAssets into local.run.xml
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
<component name="ProjectRunConfigurationManager">
|
||||||
|
<configuration default="false" name="ImportHostingAssets into local" type="GradleRunConfiguration" factoryName="Gradle">
|
||||||
|
<ExternalSystemSettings>
|
||||||
|
<option name="env">
|
||||||
|
<map>
|
||||||
|
<entry key="HSADMINNG_POSTGRES_ADMIN_PASSWORD" value="password" />
|
||||||
|
<entry key="HSADMINNG_POSTGRES_ADMIN_USERNAME" value="postgres" />
|
||||||
|
<entry key="HSADMINNG_POSTGRES_JDBC_URL" value="jdbc:postgresql://localhost:5432/postgres" />
|
||||||
|
<entry key="HSADMINNG_POSTGRES_RESTRICTED_USERNAME" value="restricted" />
|
||||||
|
</map>
|
||||||
|
</option>
|
||||||
|
<option name="executionName" />
|
||||||
|
<option name="externalProjectPath" value="$PROJECT_DIR$" />
|
||||||
|
<option name="externalSystemIdString" value="GRADLE" />
|
||||||
|
<option name="scriptParameters" value="" />
|
||||||
|
<option name="taskDescriptions">
|
||||||
|
<list />
|
||||||
|
</option>
|
||||||
|
<option name="taskNames">
|
||||||
|
<list>
|
||||||
|
<option value=":importHostingAssets" />
|
||||||
|
<option value="--tests" />
|
||||||
|
<option value=""net.hostsharing.hsadminng.hs.migration.ImportHostingAssets"" />
|
||||||
|
</list>
|
||||||
|
</option>
|
||||||
|
<option name="vmOptions" />
|
||||||
|
</ExternalSystemSettings>
|
||||||
|
<ExternalSystemDebugServerProcess>false</ExternalSystemDebugServerProcess>
|
||||||
|
<ExternalSystemReattachDebugProcess>true</ExternalSystemReattachDebugProcess>
|
||||||
|
<EXTENSION ID="com.intellij.execution.ExternalSystemRunConfigurationJavaExtension">
|
||||||
|
<extension name="coverage" sample_coverage="false" />
|
||||||
|
</EXTENSION>
|
||||||
|
<DebugAllEnabled>false</DebugAllEnabled>
|
||||||
|
<RunAsTest>true</RunAsTest>
|
||||||
|
<method v="2" />
|
||||||
|
</configuration>
|
||||||
|
</component>
|
36
.run/ImportHostingAssets.run.xml
Normal file
36
.run/ImportHostingAssets.run.xml
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
<component name="ProjectRunConfigurationManager">
|
||||||
|
<configuration default="false" name="ImportHostingAssets" type="GradleRunConfiguration" factoryName="Gradle">
|
||||||
|
<ExternalSystemSettings>
|
||||||
|
<option name="env">
|
||||||
|
<map>
|
||||||
|
<entry key="HSADMINNG_MIGRATION_DATA_PATH" value="migration" />
|
||||||
|
<entry key="HSADMINNG_POSTGRES_ADMIN_USERNAME" value="admin" />
|
||||||
|
<entry key="HSADMINNG_POSTGRES_RESTRICTED_USERNAME" value="restricted" />
|
||||||
|
</map>
|
||||||
|
</option>
|
||||||
|
<option name="executionName" />
|
||||||
|
<option name="externalProjectPath" value="$PROJECT_DIR$" />
|
||||||
|
<option name="externalSystemIdString" value="GRADLE" />
|
||||||
|
<option name="scriptParameters" value="" />
|
||||||
|
<option name="taskDescriptions">
|
||||||
|
<list />
|
||||||
|
</option>
|
||||||
|
<option name="taskNames">
|
||||||
|
<list>
|
||||||
|
<option value=":importHostingAssets" />
|
||||||
|
<option value="--tests" />
|
||||||
|
<option value=""net.hostsharing.hsadminng.hs.migration.ImportHostingAssets"" />
|
||||||
|
</list>
|
||||||
|
</option>
|
||||||
|
<option name="vmOptions" />
|
||||||
|
</ExternalSystemSettings>
|
||||||
|
<ExternalSystemDebugServerProcess>false</ExternalSystemDebugServerProcess>
|
||||||
|
<ExternalSystemReattachDebugProcess>true</ExternalSystemReattachDebugProcess>
|
||||||
|
<EXTENSION ID="com.intellij.execution.ExternalSystemRunConfigurationJavaExtension">
|
||||||
|
<extension name="coverage" sample_coverage="false" />
|
||||||
|
</EXTENSION>
|
||||||
|
<DebugAllEnabled>false</DebugAllEnabled>
|
||||||
|
<RunAsTest>true</RunAsTest>
|
||||||
|
<method v="2" />
|
||||||
|
</configuration>
|
||||||
|
</component>
|
103
.run/ImportOfficeData.run.xml
Normal file
103
.run/ImportOfficeData.run.xml
Normal file
@ -0,0 +1,103 @@
|
|||||||
|
<component name="ProjectRunConfigurationManager">
|
||||||
|
<configuration default="false" name="ImportOfficeData" type="GradleRunConfiguration" factoryName="Gradle">
|
||||||
|
<ExternalSystemSettings>
|
||||||
|
<option name="env">
|
||||||
|
<map>
|
||||||
|
<entry key="HSADMINNG_MIGRATION_DATA_PATH" value="migration" />
|
||||||
|
<entry key="HSADMINNG_POSTGRES_ADMIN_USERNAME" value="admin" />
|
||||||
|
<entry key="HSADMINNG_POSTGRES_RESTRICTED_USERNAME" value="restricted" />
|
||||||
|
</map>
|
||||||
|
</option>
|
||||||
|
<option name="executionName" />
|
||||||
|
<option name="externalProjectPath" value="$PROJECT_DIR$" />
|
||||||
|
<option name="externalSystemIdString" value="GRADLE" />
|
||||||
|
<option name="scriptParameters" value="" />
|
||||||
|
<option name="taskDescriptions">
|
||||||
|
<list />
|
||||||
|
</option>
|
||||||
|
<option name="taskNames">
|
||||||
|
<list>
|
||||||
|
<option value=":importOfficeData" />
|
||||||
|
<option value="--tests" />
|
||||||
|
<option value=""net.hostsharing.hsadminng.hs.migration.ImportOfficeData"" />
|
||||||
|
</list>
|
||||||
|
</option>
|
||||||
|
<option name="vmOptions" />
|
||||||
|
</ExternalSystemSettings>
|
||||||
|
<ExternalSystemDebugServerProcess>false</ExternalSystemDebugServerProcess>
|
||||||
|
<ExternalSystemReattachDebugProcess>true</ExternalSystemReattachDebugProcess>
|
||||||
|
<EXTENSION ID="com.intellij.execution.ExternalSystemRunConfigurationJavaExtension">
|
||||||
|
<extension name="coverage" sample_coverage="false" />
|
||||||
|
</EXTENSION>
|
||||||
|
<DebugAllEnabled>false</DebugAllEnabled>
|
||||||
|
<RunAsTest>true</RunAsTest>
|
||||||
|
<method v="2" />
|
||||||
|
</configuration>
|
||||||
|
<configuration default="false" name="ImportOfficeData" type="GradleRunConfiguration" factoryName="Gradle">
|
||||||
|
<ExternalSystemSettings>
|
||||||
|
<option name="env">
|
||||||
|
<map>
|
||||||
|
<entry key="HSADMINNG_MIGRATION_DATA_PATH" value="migration" />
|
||||||
|
<entry key="HSADMINNG_POSTGRES_ADMIN_USERNAME" value="admin" />
|
||||||
|
<entry key="HSADMINNG_POSTGRES_RESTRICTED_USERNAME" value="restricted" />
|
||||||
|
</map>
|
||||||
|
</option>
|
||||||
|
<option name="executionName" />
|
||||||
|
<option name="externalProjectPath" value="$PROJECT_DIR$" />
|
||||||
|
<option name="externalSystemIdString" value="GRADLE" />
|
||||||
|
<option name="scriptParameters" value="" />
|
||||||
|
<option name="taskDescriptions">
|
||||||
|
<list />
|
||||||
|
</option>
|
||||||
|
<option name="taskNames">
|
||||||
|
<list>
|
||||||
|
<option value=":importOfficeData" />
|
||||||
|
<option value="--tests" />
|
||||||
|
<option value=""net.hostsharing.hsadminng.hs.office.migration.ImportOfficeData"" />
|
||||||
|
</list>
|
||||||
|
</option>
|
||||||
|
<option name="vmOptions" />
|
||||||
|
</ExternalSystemSettings>
|
||||||
|
<ExternalSystemDebugServerProcess>false</ExternalSystemDebugServerProcess>
|
||||||
|
<ExternalSystemReattachDebugProcess>true</ExternalSystemReattachDebugProcess>
|
||||||
|
<EXTENSION ID="com.intellij.execution.ExternalSystemRunConfigurationJavaExtension">
|
||||||
|
<extension name="coverage" sample_coverage="false" />
|
||||||
|
</EXTENSION>
|
||||||
|
<DebugAllEnabled>false</DebugAllEnabled>
|
||||||
|
<RunAsTest>true</RunAsTest>
|
||||||
|
<method v="2" />
|
||||||
|
</configuration>
|
||||||
|
<configuration default="false" name="ImportOfficeData" type="GradleRunConfiguration" factoryName="Gradle">
|
||||||
|
<ExternalSystemSettings>
|
||||||
|
<option name="env">
|
||||||
|
<map>
|
||||||
|
<entry key="HSADMINNG_POSTGRES_ADMIN_USERNAME" value="admin" />
|
||||||
|
<entry key="HSADMINNG_POSTGRES_RESTRICTED_USERNAME" value="restricted" />
|
||||||
|
</map>
|
||||||
|
</option>
|
||||||
|
<option name="executionName" />
|
||||||
|
<option name="externalProjectPath" value="$PROJECT_DIR$" />
|
||||||
|
<option name="externalSystemIdString" value="GRADLE" />
|
||||||
|
<option name="scriptParameters" value="" />
|
||||||
|
<option name="taskDescriptions">
|
||||||
|
<list />
|
||||||
|
</option>
|
||||||
|
<option name="taskNames">
|
||||||
|
<list>
|
||||||
|
<option value=":importOfficeData" />
|
||||||
|
<option value="--tests" />
|
||||||
|
<option value=""net.hostsharing.hsadminng.hs.migration.ImportOfficeData"" />
|
||||||
|
</list>
|
||||||
|
</option>
|
||||||
|
<option name="vmOptions" />
|
||||||
|
</ExternalSystemSettings>
|
||||||
|
<ExternalSystemDebugServerProcess>false</ExternalSystemDebugServerProcess>
|
||||||
|
<ExternalSystemReattachDebugProcess>true</ExternalSystemReattachDebugProcess>
|
||||||
|
<EXTENSION ID="com.intellij.execution.ExternalSystemRunConfigurationJavaExtension">
|
||||||
|
<extension name="coverage" sample_coverage="false" />
|
||||||
|
</EXTENSION>
|
||||||
|
<DebugAllEnabled>false</DebugAllEnabled>
|
||||||
|
<RunAsTest>true</RunAsTest>
|
||||||
|
<method v="2" />
|
||||||
|
</configuration>
|
||||||
|
</component>
|
1
.run/README.txt
Normal file
1
.run/README.txt
Normal file
@ -0,0 +1 @@
|
|||||||
|
Stored run-Configurations for IntelliJ IDEA.
|
8
.tc-environment
Normal file
8
.tc-environment
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
unset HSADMINNG_POSTGRES_JDBC_URL # dynamically set, different for normal tests and imports
|
||||||
|
export HSADMINNG_POSTGRES_ADMIN_USERNAME=admin
|
||||||
|
export HSADMINNG_POSTGRES_ADMIN_PASSWORD=
|
||||||
|
export HSADMINNG_POSTGRES_RESTRICTED_USERNAME=restricted
|
||||||
|
export HSADMINNG_SUPERUSER=superuser-alex@hostsharing.net
|
||||||
|
export HSADMINNG_MIGRATION_DATA_PATH=migration
|
||||||
|
export LIQUIBASE_CONTEXT=
|
||||||
|
export LANG=en_US.UTF-8
|
8
.unset-environment
Normal file
8
.unset-environment
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
unset HSADMINNG_POSTGRES_JDBC_URL
|
||||||
|
unset HSADMINNG_POSTGRES_ADMIN_USERNAME
|
||||||
|
unset HSADMINNG_POSTGRES_ADMIN_PASSWORD
|
||||||
|
unset HSADMINNG_POSTGRES_RESTRICTED_USERNAME
|
||||||
|
unset HSADMINNG_SUPERUSER
|
||||||
|
unset HSADMINNG_MIGRATION_DATA_PATH
|
||||||
|
unset LIQUIBASE_CONTEXT
|
||||||
|
|
10
Dockerfile
Normal file
10
Dockerfile
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
# build using:
|
||||||
|
# docker build -t postgres-with-contrib:15.5-bookworm .
|
||||||
|
|
||||||
|
FROM postgres:15.5-bookworm
|
||||||
|
|
||||||
|
RUN apt-get update && \
|
||||||
|
apt-get install -y postgresql-contrib && \
|
||||||
|
apt-get clean
|
||||||
|
|
||||||
|
COPY etc/postgresql-log-slow-queries.conf /etc/postgresql/postgresql.conf
|
18
README.md
18
README.md
@ -50,13 +50,10 @@ Everything is tested on _Ubuntu Linux 22.04_ and _MacOS Monterey (12.4)_.
|
|||||||
|
|
||||||
To be able to build and run the Java Spring Boot application, you need the following tools:
|
To be able to build and run the Java Spring Boot application, you need the following tools:
|
||||||
|
|
||||||
- git, e.g. via `sudo apt install git`
|
- Docker 20.x (on MacOS you also need *Docker Desktop* or similar) or Podman
|
||||||
- A Java Runtime (JRE) at least version 17 to run the gradle wrapper, e.g. via
|
|
||||||
`sudo apt install openjdk-17-jre-headless`.
|
|
||||||
(The matching Java JDK for building the application will be automatically installed by Gradle toolchain support.)
|
|
||||||
- Docker 20.x (on MacOS you also need *Docker Desktop* or similar) or Podman.
|
|
||||||
- optionally: PostgreSQL Server 15.5-bookworm
|
- optionally: PostgreSQL Server 15.5-bookworm
|
||||||
(see instructions below to install and run in Docker)
|
(see instructions below to install and run in Docker)
|
||||||
|
- The matching Java JDK at will be automatically installed by Gradle toolchain support to `~/.gradle/jdks/`.
|
||||||
- You also might need an IDE (e.g. *IntelliJ IDEA* or *Eclipse* or *VS Code* with *[STS](https://spring.io/tools)* and a GUI Frontend for *PostgreSQL* like *Postbird*.
|
- You also might need an IDE (e.g. *IntelliJ IDEA* or *Eclipse* or *VS Code* with *[STS](https://spring.io/tools)* and a GUI Frontend for *PostgreSQL* like *Postbird*.
|
||||||
|
|
||||||
If you have at least Docker and the Java JDK installed in appropriate versions and in your `PATH`, then you can start like this:
|
If you have at least Docker and the Java JDK installed in appropriate versions and in your `PATH`, then you can start like this:
|
||||||
@ -85,7 +82,7 @@ If you have at least Docker and the Java JDK installed in appropriate versions a
|
|||||||
|
|
||||||
# the following command should return a JSON array with just all packages visible for the admin of the customer yyy:
|
# the following command should return a JSON array with just all packages visible for the admin of the customer yyy:
|
||||||
curl \
|
curl \
|
||||||
-H 'current-user: superuser-alex@hostsharing.net' -H 'assumed-roles: test_customer#yyy.admin' \
|
-H 'current-user: superuser-alex@hostsharing.net' -H 'assumed-roles: test_customer#yyy:ADMIN' \
|
||||||
http://localhost:8080/api/test/packages
|
http://localhost:8080/api/test/packages
|
||||||
|
|
||||||
# add a new customer
|
# add a new customer
|
||||||
@ -383,12 +380,6 @@ You can explore the prototype as follows:
|
|||||||
`src/`
|
`src/`
|
||||||
The actual source-code, see [Source Code Package Structure](#source-code-package-structure) for details.
|
The actual source-code, see [Source Code Package Structure](#source-code-package-structure) for details.
|
||||||
|
|
||||||
`TODO.md`
|
|
||||||
Requirements of initial project. Do not touch!
|
|
||||||
|
|
||||||
`TODO-progress.png`
|
|
||||||
Generated diagram image of the project progress.
|
|
||||||
|
|
||||||
`tools/`
|
`tools/`
|
||||||
Some shell-scripts to useful tasks.
|
Some shell-scripts to useful tasks.
|
||||||
|
|
||||||
@ -768,5 +759,4 @@ The output will list the generated files.
|
|||||||
## Further Documentation
|
## Further Documentation
|
||||||
|
|
||||||
- the `doc` directory contains architecture concepts and a glossary
|
- the `doc` directory contains architecture concepts and a glossary
|
||||||
- TODO.md tracks requirements and progress for the contract of the initial project,
|
- the `ideas` directory contains unstructured ideas for future development or documentation
|
||||||
please do not amend anything in this document
|
|
||||||
|
83
build.gradle
83
build.gradle
@ -1,15 +1,15 @@
|
|||||||
plugins {
|
plugins {
|
||||||
id 'java'
|
id 'java'
|
||||||
id 'org.springframework.boot' version '3.1.7'
|
id 'org.springframework.boot' version '3.2.4'
|
||||||
id 'io.spring.dependency-management' version '1.1.4'
|
id 'io.spring.dependency-management' version '1.1.4'
|
||||||
id 'io.openapiprocessor.openapi-processor' version '2023.2'
|
id 'io.openapiprocessor.openapi-processor' version '2023.2'
|
||||||
id 'com.github.jk1.dependency-license-report' version '2.5'
|
id 'com.github.jk1.dependency-license-report' version '2.6'
|
||||||
id "org.owasp.dependencycheck" version "9.0.7"
|
id "org.owasp.dependencycheck" version "9.0.10"
|
||||||
id "com.diffplug.spotless" version "6.23.3"
|
id "com.diffplug.spotless" version "6.25.0"
|
||||||
id 'jacoco'
|
id 'jacoco'
|
||||||
id 'info.solidsoft.pitest' version '1.15.0'
|
id 'info.solidsoft.pitest' version '1.15.0'
|
||||||
id 'se.patrikerdes.use-latest-versions' version '0.2.18'
|
id 'se.patrikerdes.use-latest-versions' version '0.2.18'
|
||||||
id 'com.github.ben-manes.versions' version '0.50.0'
|
id 'com.github.ben-manes.versions' version '0.51.0'
|
||||||
}
|
}
|
||||||
|
|
||||||
group = 'net.hostsharing'
|
group = 'net.hostsharing'
|
||||||
@ -59,35 +59,24 @@ dependencies {
|
|||||||
implementation 'org.springframework.boot:spring-boot-starter-web'
|
implementation 'org.springframework.boot:spring-boot-starter-web'
|
||||||
implementation 'org.springframework.boot:spring-boot-starter-validation'
|
implementation 'org.springframework.boot:spring-boot-starter-validation'
|
||||||
implementation 'com.github.gavlyukovskiy:datasource-proxy-spring-boot-starter:1.9.1'
|
implementation 'com.github.gavlyukovskiy:datasource-proxy-spring-boot-starter:1.9.1'
|
||||||
implementation 'org.springdoc:springdoc-openapi:2.3.0'
|
implementation 'org.springdoc:springdoc-openapi:2.4.0'
|
||||||
implementation 'org.postgresql:postgresql:42.7.1'
|
implementation 'org.postgresql:postgresql:42.7.3'
|
||||||
implementation 'org.liquibase:liquibase-core:4.25.1'
|
implementation 'org.liquibase:liquibase-core:4.27.0'
|
||||||
implementation 'com.vladmihalcea:hibernate-types-60:2.21.1'
|
implementation 'io.hypersistence:hypersistence-utils-hibernate-63:3.7.3'
|
||||||
implementation 'io.hypersistence:hypersistence-utils-hibernate-62:3.7.0'
|
implementation 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.17.0'
|
||||||
implementation 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.16.1'
|
|
||||||
implementation 'org.openapitools:jackson-databind-nullable:0.2.6'
|
implementation 'org.openapitools:jackson-databind-nullable:0.2.6'
|
||||||
implementation 'org.apache.commons:commons-text:1.11.0'
|
implementation 'org.apache.commons:commons-text:1.11.0'
|
||||||
|
implementation 'net.java.dev.jna:jna:5.8.0'
|
||||||
implementation 'org.modelmapper:modelmapper:3.2.0'
|
implementation 'org.modelmapper:modelmapper:3.2.0'
|
||||||
implementation 'org.iban4j:iban4j:3.2.7-RELEASE'
|
implementation 'org.iban4j:iban4j:3.2.7-RELEASE'
|
||||||
implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.3.0'
|
implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.4.0'
|
||||||
|
implementation 'org.reflections:reflections:0.9.12'
|
||||||
// fixes vulnerability CVE-2022-1471
|
|
||||||
// The dependency usually comes from Spring Boot, just in the wrong version.
|
|
||||||
// TODO: Remove this explicit dependency once we are on SpringBoot 3.2.x
|
|
||||||
// as well as the related exclude in settings.gradle
|
|
||||||
// and the dependency suppression in owasp-dependency-check-suppression.xml.
|
|
||||||
implementation('org.yaml:snakeyaml') {
|
|
||||||
version {
|
|
||||||
strictly('2.2')
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
compileOnly 'org.projectlombok:lombok'
|
compileOnly 'org.projectlombok:lombok'
|
||||||
testCompileOnly 'org.projectlombok:lombok'
|
testCompileOnly 'org.projectlombok:lombok'
|
||||||
|
|
||||||
developmentOnly 'org.springframework.boot:spring-boot-devtools'
|
developmentOnly 'org.springframework.boot:spring-boot-devtools'
|
||||||
|
|
||||||
|
|
||||||
annotationProcessor 'org.projectlombok:lombok'
|
annotationProcessor 'org.projectlombok:lombok'
|
||||||
testAnnotationProcessor 'org.projectlombok:lombok'
|
testAnnotationProcessor 'org.projectlombok:lombok'
|
||||||
|
|
||||||
@ -152,7 +141,7 @@ openapiProcessor {
|
|||||||
showWarnings true
|
showWarnings true
|
||||||
openApiNullable true
|
openApiNullable true
|
||||||
}
|
}
|
||||||
springHs {
|
springHsOffice {
|
||||||
processorName 'spring'
|
processorName 'spring'
|
||||||
processor 'io.openapiprocessor:openapi-processor-spring:2022.5'
|
processor 'io.openapiprocessor:openapi-processor-spring:2022.5'
|
||||||
apiPath "$projectDir/src/main/resources/api-definition/hs-office/hs-office.yaml"
|
apiPath "$projectDir/src/main/resources/api-definition/hs-office/hs-office.yaml"
|
||||||
@ -161,18 +150,44 @@ openapiProcessor {
|
|||||||
showWarnings true
|
showWarnings true
|
||||||
openApiNullable true
|
openApiNullable true
|
||||||
}
|
}
|
||||||
|
springHsBooking {
|
||||||
|
processorName 'spring'
|
||||||
|
processor 'io.openapiprocessor:openapi-processor-spring:2022.5'
|
||||||
|
apiPath "$projectDir/src/main/resources/api-definition/hs-booking/hs-booking.yaml"
|
||||||
|
mapping "$projectDir/src/main/resources/api-definition/hs-booking/api-mappings.yaml"
|
||||||
|
targetDir "$buildDir/generated/sources/openapi-javax"
|
||||||
|
showWarnings true
|
||||||
|
openApiNullable true
|
||||||
|
}
|
||||||
|
springHsHosting {
|
||||||
|
processorName 'spring'
|
||||||
|
processor 'io.openapiprocessor:openapi-processor-spring:2022.5'
|
||||||
|
apiPath "$projectDir/src/main/resources/api-definition/hs-hosting/hs-hosting.yaml"
|
||||||
|
mapping "$projectDir/src/main/resources/api-definition/hs-hosting/api-mappings.yaml"
|
||||||
|
targetDir "$buildDir/generated/sources/openapi-javax"
|
||||||
|
showWarnings true
|
||||||
|
openApiNullable true
|
||||||
|
}
|
||||||
}
|
}
|
||||||
sourceSets.main.java.srcDir 'build/generated/sources/openapi'
|
sourceSets.main.java.srcDir 'build/generated/sources/openapi'
|
||||||
abstract class ProcessSpring extends DefaultTask {}
|
abstract class ProcessSpring extends DefaultTask {}
|
||||||
tasks.register('processSpring', ProcessSpring)
|
tasks.register('processSpring', ProcessSpring)
|
||||||
['processSpringRoot', 'processSpringRbac', 'processSpringTest', 'processSpringHs'].each {
|
['processSpringRoot',
|
||||||
|
'processSpringRbac',
|
||||||
|
'processSpringTest',
|
||||||
|
'processSpringHsOffice',
|
||||||
|
'processSpringHsBooking',
|
||||||
|
'processSpringHsHosting'
|
||||||
|
].each {
|
||||||
project.tasks.processSpring.dependsOn it
|
project.tasks.processSpring.dependsOn it
|
||||||
}
|
}
|
||||||
project.tasks.processResources.dependsOn processSpring
|
project.tasks.processResources.dependsOn processSpring
|
||||||
project.tasks.compileJava.dependsOn processSpring
|
project.tasks.compileJava.dependsOn processSpring
|
||||||
|
|
||||||
// Rename javax to jakarta in OpenApi generated java files because
|
// Rename javax to jakarta in OpenApi generated java files because
|
||||||
// io.openapiprocessor.openapi-processor 2022.2 does not yet support the openapiprocessor useSpringBoot3 config option.
|
// io.openapiprocessor.openapi-processor 2022.5 does not yet support the openapiprocessor useSpringBoot3 config option.
|
||||||
|
// TODO.impl: Upgrade to io.openapiprocessor.openapi-processor >= 2024.2
|
||||||
|
// and use either `bean-validation: true` in api-mapping.yaml or `useSpringBoot3 true` (not sure where exactly).
|
||||||
task openApiGenerate(type: Copy) {
|
task openApiGenerate(type: Copy) {
|
||||||
from "$buildDir/generated/sources/openapi-javax"
|
from "$buildDir/generated/sources/openapi-javax"
|
||||||
into "$buildDir/generated/sources/openapi"
|
into "$buildDir/generated/sources/openapi"
|
||||||
@ -303,13 +318,25 @@ jacocoTestCoverageVerification {
|
|||||||
|
|
||||||
tasks.register('importOfficeData', Test) {
|
tasks.register('importOfficeData', Test) {
|
||||||
useJUnitPlatform {
|
useJUnitPlatform {
|
||||||
includeTags 'import'
|
includeTags 'importOfficeData'
|
||||||
}
|
}
|
||||||
|
|
||||||
group 'verification'
|
group 'verification'
|
||||||
description 'run the import jobs as tests'
|
description 'run the import jobs as tests'
|
||||||
|
|
||||||
|
mustRunAfter spotlessJava
|
||||||
}
|
}
|
||||||
|
|
||||||
|
tasks.register('importHostingAssets', Test) {
|
||||||
|
useJUnitPlatform {
|
||||||
|
includeTags 'importHostingAssets'
|
||||||
|
}
|
||||||
|
|
||||||
|
group 'verification'
|
||||||
|
description 'run the import jobs as tests'
|
||||||
|
|
||||||
|
mustRunAfter spotlessJava
|
||||||
|
}
|
||||||
|
|
||||||
// pitest mutation testing
|
// pitest mutation testing
|
||||||
pitest {
|
pitest {
|
||||||
|
@ -74,7 +74,7 @@ For restricted DB-users, which are used by the backend, access to rows is filter
|
|||||||
FOR SELECT
|
FOR SELECT
|
||||||
TO restricted
|
TO restricted
|
||||||
USING (
|
USING (
|
||||||
isPermissionGrantedToSubject(findPermissionId('customer', id, 'view'), currentUserUuid())
|
isPermissionGrantedToSubject(findEffectivePermissionId('customer', id, 'view'), currentUserUuid())
|
||||||
);
|
);
|
||||||
|
|
||||||
SET SESSION AUTHORIZATION restricted;
|
SET SESSION AUTHORIZATION restricted;
|
||||||
@ -101,7 +101,7 @@ We are bound to PostgreSQL, including integration tests and testing the RBAC sys
|
|||||||
CREATE OR REPLACE RULE "_RETURN" AS
|
CREATE OR REPLACE RULE "_RETURN" AS
|
||||||
ON SELECT TO cust_view
|
ON SELECT TO cust_view
|
||||||
DO INSTEAD
|
DO INSTEAD
|
||||||
SELECT * FROM customer WHERE isPermissionGrantedToSubject(findPermissionId('customer', id, 'view'), currentUserUuid());
|
SELECT * FROM customer WHERE isPermissionGrantedToSubject(findEffectivePermissionId('customer', id, 'view'), currentUserUuid());
|
||||||
|
|
||||||
SET SESSION AUTHORIZATION restricted;
|
SET SESSION AUTHORIZATION restricted;
|
||||||
SET hsadminng.currentUser TO 'alex@example.com';
|
SET hsadminng.currentUser TO 'alex@example.com';
|
||||||
|
218
doc/hs-hosting-asset-type-structure.md
Normal file
218
doc/hs-hosting-asset-type-structure.md
Normal file
@ -0,0 +1,218 @@
|
|||||||
|
## HostingAsset Type Structure
|
||||||
|
|
||||||
|
|
||||||
|
### Server+Webspace
|
||||||
|
|
||||||
|
```plantuml
|
||||||
|
@startuml
|
||||||
|
left to right direction
|
||||||
|
|
||||||
|
package Booking #feb28c {
|
||||||
|
entity BI_PRIVATE_CLOUD
|
||||||
|
entity BI_CLOUD_SERVER
|
||||||
|
entity BI_MANAGED_SERVER
|
||||||
|
entity BI_MANAGED_WEBSPACE
|
||||||
|
entity BI_DOMAIN_SETUP
|
||||||
|
}
|
||||||
|
|
||||||
|
package Hosting #feb28c{
|
||||||
|
package Server #99bcdb {
|
||||||
|
entity HA_CLOUD_SERVER
|
||||||
|
entity HA_MANAGED_SERVER
|
||||||
|
entity HA_IPV4_NUMBER
|
||||||
|
entity HA_IPV6_NUMBER
|
||||||
|
}
|
||||||
|
|
||||||
|
package Webspace #99bcdb {
|
||||||
|
entity HA_MANAGED_WEBSPACE
|
||||||
|
entity HA_UNIX_USER
|
||||||
|
entity HA_EMAIL_ALIAS
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
BI_CLOUD_SERVER *--> BI_PRIVATE_CLOUD
|
||||||
|
BI_MANAGED_SERVER *--> BI_PRIVATE_CLOUD
|
||||||
|
BI_MANAGED_WEBSPACE *--> BI_MANAGED_SERVER
|
||||||
|
|
||||||
|
HA_CLOUD_SERVER *==> BI_CLOUD_SERVER
|
||||||
|
HA_MANAGED_SERVER *==> BI_MANAGED_SERVER
|
||||||
|
HA_MANAGED_WEBSPACE *==> BI_MANAGED_WEBSPACE
|
||||||
|
HA_MANAGED_WEBSPACE o..> HA_MANAGED_SERVER
|
||||||
|
HA_UNIX_USER *==> HA_MANAGED_WEBSPACE
|
||||||
|
HA_EMAIL_ALIAS *==> HA_MANAGED_WEBSPACE
|
||||||
|
HA_IPV4_NUMBER o..> HA_CLOUD_SERVER
|
||||||
|
HA_IPV4_NUMBER o..> HA_MANAGED_SERVER
|
||||||
|
HA_IPV4_NUMBER o..> HA_MANAGED_WEBSPACE
|
||||||
|
HA_IPV6_NUMBER o..> HA_CLOUD_SERVER
|
||||||
|
HA_IPV6_NUMBER o..> HA_MANAGED_SERVER
|
||||||
|
HA_IPV6_NUMBER o..> HA_MANAGED_WEBSPACE
|
||||||
|
|
||||||
|
package Legend #white {
|
||||||
|
SUB_ENTITY1 *--> REQUIRED_PARENT_ENTITY
|
||||||
|
SUB_ENTITY2 *..> OPTIONAL_PARENT_ENTITY
|
||||||
|
ASSIGNED_ENTITY1 o--> REQUIRED_ASSIGNED_TO_ENTITY1
|
||||||
|
ASSIGNED_ENTITY2 o..> OPTIONAL_ASSIGNED_TO_ENTITY2
|
||||||
|
}
|
||||||
|
Booking -down[hidden]->Legend
|
||||||
|
```
|
||||||
|
|
||||||
|
### Domain
|
||||||
|
|
||||||
|
```plantuml
|
||||||
|
@startuml
|
||||||
|
left to right direction
|
||||||
|
|
||||||
|
package Booking #feb28c {
|
||||||
|
entity BI_PRIVATE_CLOUD
|
||||||
|
entity BI_CLOUD_SERVER
|
||||||
|
entity BI_MANAGED_SERVER
|
||||||
|
entity BI_MANAGED_WEBSPACE
|
||||||
|
entity BI_DOMAIN_SETUP
|
||||||
|
}
|
||||||
|
|
||||||
|
package Hosting #feb28c{
|
||||||
|
package Domain #99bcdb {
|
||||||
|
entity HA_DOMAIN_SETUP
|
||||||
|
entity HA_DOMAIN_DNS_SETUP
|
||||||
|
entity HA_DOMAIN_HTTP_SETUP
|
||||||
|
entity HA_DOMAIN_SMTP_SETUP
|
||||||
|
entity HA_DOMAIN_MBOX_SETUP
|
||||||
|
entity HA_EMAIL_ADDRESS
|
||||||
|
}
|
||||||
|
|
||||||
|
package Webspace #99bcdb {
|
||||||
|
entity HA_MANAGED_WEBSPACE
|
||||||
|
entity HA_UNIX_USER
|
||||||
|
entity HA_EMAIL_ALIAS
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
BI_CLOUD_SERVER *--> BI_PRIVATE_CLOUD
|
||||||
|
BI_MANAGED_SERVER *--> BI_PRIVATE_CLOUD
|
||||||
|
BI_MANAGED_WEBSPACE *--> BI_MANAGED_SERVER
|
||||||
|
|
||||||
|
HA_MANAGED_WEBSPACE *==> BI_MANAGED_WEBSPACE
|
||||||
|
HA_UNIX_USER *==> HA_MANAGED_WEBSPACE
|
||||||
|
HA_EMAIL_ALIAS *==> HA_MANAGED_WEBSPACE
|
||||||
|
HA_DOMAIN_SETUP *==> BI_DOMAIN_SETUP
|
||||||
|
HA_DOMAIN_SETUP o..> HA_DOMAIN_SETUP
|
||||||
|
HA_DOMAIN_DNS_SETUP *==> HA_DOMAIN_SETUP
|
||||||
|
HA_DOMAIN_DNS_SETUP o--> HA_MANAGED_WEBSPACE
|
||||||
|
HA_DOMAIN_HTTP_SETUP *==> HA_DOMAIN_SETUP
|
||||||
|
HA_DOMAIN_HTTP_SETUP o--> HA_UNIX_USER
|
||||||
|
HA_DOMAIN_SMTP_SETUP *==> HA_DOMAIN_SETUP
|
||||||
|
HA_DOMAIN_SMTP_SETUP o--> HA_MANAGED_WEBSPACE
|
||||||
|
HA_DOMAIN_MBOX_SETUP *==> HA_DOMAIN_SETUP
|
||||||
|
HA_DOMAIN_MBOX_SETUP o--> HA_MANAGED_WEBSPACE
|
||||||
|
HA_EMAIL_ADDRESS *==> HA_DOMAIN_MBOX_SETUP
|
||||||
|
|
||||||
|
package Legend #white {
|
||||||
|
SUB_ENTITY1 *--> REQUIRED_PARENT_ENTITY
|
||||||
|
SUB_ENTITY2 *..> OPTIONAL_PARENT_ENTITY
|
||||||
|
ASSIGNED_ENTITY1 o--> REQUIRED_ASSIGNED_TO_ENTITY1
|
||||||
|
ASSIGNED_ENTITY2 o..> OPTIONAL_ASSIGNED_TO_ENTITY2
|
||||||
|
}
|
||||||
|
Booking -down[hidden]->Legend
|
||||||
|
```
|
||||||
|
|
||||||
|
### MariaDB
|
||||||
|
|
||||||
|
```plantuml
|
||||||
|
@startuml
|
||||||
|
left to right direction
|
||||||
|
|
||||||
|
package Booking #feb28c {
|
||||||
|
entity BI_PRIVATE_CLOUD
|
||||||
|
entity BI_CLOUD_SERVER
|
||||||
|
entity BI_MANAGED_SERVER
|
||||||
|
entity BI_MANAGED_WEBSPACE
|
||||||
|
entity BI_DOMAIN_SETUP
|
||||||
|
}
|
||||||
|
|
||||||
|
package Hosting #feb28c{
|
||||||
|
package MariaDB #99bcdb {
|
||||||
|
entity HA_MARIADB_INSTANCE
|
||||||
|
entity HA_MARIADB_USER
|
||||||
|
entity HA_MARIADB_DATABASE
|
||||||
|
}
|
||||||
|
|
||||||
|
package Webspace #99bcdb {
|
||||||
|
entity HA_MANAGED_WEBSPACE
|
||||||
|
entity HA_UNIX_USER
|
||||||
|
entity HA_EMAIL_ALIAS
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
BI_CLOUD_SERVER *--> BI_PRIVATE_CLOUD
|
||||||
|
BI_MANAGED_SERVER *--> BI_PRIVATE_CLOUD
|
||||||
|
BI_MANAGED_WEBSPACE *--> BI_MANAGED_SERVER
|
||||||
|
|
||||||
|
HA_MANAGED_WEBSPACE *==> BI_MANAGED_WEBSPACE
|
||||||
|
HA_UNIX_USER *==> HA_MANAGED_WEBSPACE
|
||||||
|
HA_EMAIL_ALIAS *==> HA_MANAGED_WEBSPACE
|
||||||
|
HA_MARIADB_USER *==> HA_MANAGED_WEBSPACE
|
||||||
|
HA_MARIADB_USER o--> HA_MARIADB_INSTANCE
|
||||||
|
HA_MARIADB_DATABASE *==> HA_MARIADB_USER
|
||||||
|
|
||||||
|
package Legend #white {
|
||||||
|
SUB_ENTITY1 *--> REQUIRED_PARENT_ENTITY
|
||||||
|
SUB_ENTITY2 *..> OPTIONAL_PARENT_ENTITY
|
||||||
|
ASSIGNED_ENTITY1 o--> REQUIRED_ASSIGNED_TO_ENTITY1
|
||||||
|
ASSIGNED_ENTITY2 o..> OPTIONAL_ASSIGNED_TO_ENTITY2
|
||||||
|
}
|
||||||
|
Booking -down[hidden]->Legend
|
||||||
|
```
|
||||||
|
|
||||||
|
### PostgreSQL
|
||||||
|
|
||||||
|
```plantuml
|
||||||
|
@startuml
|
||||||
|
left to right direction
|
||||||
|
|
||||||
|
package Booking #feb28c {
|
||||||
|
entity BI_PRIVATE_CLOUD
|
||||||
|
entity BI_CLOUD_SERVER
|
||||||
|
entity BI_MANAGED_SERVER
|
||||||
|
entity BI_MANAGED_WEBSPACE
|
||||||
|
entity BI_DOMAIN_SETUP
|
||||||
|
}
|
||||||
|
|
||||||
|
package Hosting #feb28c{
|
||||||
|
package PostgreSQL #99bcdb {
|
||||||
|
entity HA_PGSQL_INSTANCE
|
||||||
|
entity HA_PGSQL_USER
|
||||||
|
entity HA_PGSQL_DATABASE
|
||||||
|
}
|
||||||
|
|
||||||
|
package Webspace #99bcdb {
|
||||||
|
entity HA_MANAGED_WEBSPACE
|
||||||
|
entity HA_UNIX_USER
|
||||||
|
entity HA_EMAIL_ALIAS
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
BI_CLOUD_SERVER *--> BI_PRIVATE_CLOUD
|
||||||
|
BI_MANAGED_SERVER *--> BI_PRIVATE_CLOUD
|
||||||
|
BI_MANAGED_WEBSPACE *--> BI_MANAGED_SERVER
|
||||||
|
|
||||||
|
HA_MANAGED_WEBSPACE *==> BI_MANAGED_WEBSPACE
|
||||||
|
HA_UNIX_USER *==> HA_MANAGED_WEBSPACE
|
||||||
|
HA_EMAIL_ALIAS *==> HA_MANAGED_WEBSPACE
|
||||||
|
HA_PGSQL_USER *==> HA_MANAGED_WEBSPACE
|
||||||
|
HA_PGSQL_USER o--> HA_PGSQL_INSTANCE
|
||||||
|
HA_PGSQL_DATABASE *==> HA_PGSQL_USER
|
||||||
|
|
||||||
|
package Legend #white {
|
||||||
|
SUB_ENTITY1 *--> REQUIRED_PARENT_ENTITY
|
||||||
|
SUB_ENTITY2 *..> OPTIONAL_PARENT_ENTITY
|
||||||
|
ASSIGNED_ENTITY1 o--> REQUIRED_ASSIGNED_TO_ENTITY1
|
||||||
|
ASSIGNED_ENTITY2 o..> OPTIONAL_ASSIGNED_TO_ENTITY2
|
||||||
|
}
|
||||||
|
Booking -down[hidden]->Legend
|
||||||
|
```
|
||||||
|
|
||||||
|
This code generated was by HsHostingAssetType.main, do not amend manually.
|
@ -10,7 +10,7 @@ classDiagram
|
|||||||
|
|
||||||
namespace Partner {
|
namespace Partner {
|
||||||
class partner-MeierGmbH
|
class partner-MeierGmbH
|
||||||
class role-MeierGmbH
|
class rel-MeierGmbH
|
||||||
class personDetails-MeierGmbH
|
class personDetails-MeierGmbH
|
||||||
class contactData-MeierGmbH
|
class contactData-MeierGmbH
|
||||||
class person-MeierGmbH
|
class person-MeierGmbH
|
||||||
@ -19,28 +19,29 @@ classDiagram
|
|||||||
namespace Representatives {
|
namespace Representatives {
|
||||||
class person-FrankMeier
|
class person-FrankMeier
|
||||||
class contactData-FrankMeier
|
class contactData-FrankMeier
|
||||||
class role-MeierGmbH-FrankMeier
|
class rel-MeierGmbH-FrankMeier
|
||||||
}
|
}
|
||||||
|
|
||||||
namespace Debitors {
|
namespace Debitors {
|
||||||
class debitor-MeierGmbH
|
class debitor-MeierGmbH
|
||||||
class contactData-MeierGmbH-Buha
|
class contactData-MeierGmbH-Buha
|
||||||
class role-MeierGmbH-Buha
|
class rel-MeierGmbH-Buha
|
||||||
}
|
}
|
||||||
|
|
||||||
namespace Operations {
|
namespace Operations {
|
||||||
class person-SabineMeier
|
class person-SabineMeier
|
||||||
class contactData-SabineMeier
|
class contactData-SabineMeier
|
||||||
class role-MeierGmbH-SabineMeier
|
class rel-MeierGmbH-SabineMeier
|
||||||
}
|
}
|
||||||
|
|
||||||
namespace Enums {
|
namespace Enums {
|
||||||
|
|
||||||
class RoleType {
|
class RelationType {
|
||||||
<<enumeration>>
|
<<enumeration>>
|
||||||
UNKNOWN
|
UNKNOWN
|
||||||
|
PARTNER
|
||||||
|
DEBITOR
|
||||||
REPRESENTATIVE
|
REPRESENTATIVE
|
||||||
ACCOUNTING
|
|
||||||
OPERATIONS
|
OPERATIONS
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -64,9 +65,9 @@ classDiagram
|
|||||||
|
|
||||||
class partner-MeierGmbH {
|
class partner-MeierGmbH {
|
||||||
+Numeric partnerNumber: 12345
|
+Numeric partnerNumber: 12345
|
||||||
+Role partnerRole
|
+Relation partnerRel
|
||||||
}
|
}
|
||||||
partner-MeierGmbH *-- role-MeierGmbH
|
partner-MeierGmbH *-- rel-MeierGmbH
|
||||||
|
|
||||||
class person-MeierGmbH {
|
class person-MeierGmbH {
|
||||||
+personType: LEGAL
|
+personType: LEGAL
|
||||||
@ -90,22 +91,22 @@ classDiagram
|
|||||||
+emailAddresses: office@meier-gmbh.de
|
+emailAddresses: office@meier-gmbh.de
|
||||||
}
|
}
|
||||||
|
|
||||||
class role-MeierGmbH {
|
class rel-MeierGmbH {
|
||||||
+RoleType RoleType PARTNER
|
+RelationType type PARTNER
|
||||||
+Person anchor
|
+Person anchor
|
||||||
+Person holder
|
+Person holder
|
||||||
+Contact roleContact
|
+Contact contact
|
||||||
}
|
}
|
||||||
role-MeierGmbH o-- person-HostsharingEG : anchor
|
rel-MeierGmbH o-- person-HostsharingEG : anchor
|
||||||
role-MeierGmbH o-- person-MeierGmbH : holder
|
rel-MeierGmbH o-- person-MeierGmbH : holder
|
||||||
role-MeierGmbH o-- contactData-MeierGmbH
|
rel-MeierGmbH o-- contactData-MeierGmbH
|
||||||
|
|
||||||
%% --- Debitors ---
|
%% --- Debitors ---
|
||||||
|
|
||||||
class debitor-MeierGmbH {
|
class debitor-MeierGmbH {
|
||||||
+Partner partner
|
+Partner partner
|
||||||
+Numeric[2] debitorNumberSuffix: 00
|
+Numeric[2] debitorNumberSuffix: 00
|
||||||
+Role billingRole
|
+Relation debitorRel
|
||||||
+boolean billable: true
|
+boolean billable: true
|
||||||
+String vatId: ID123456789
|
+String vatId: ID123456789
|
||||||
+String vatCountryCode: DE
|
+String vatCountryCode: DE
|
||||||
@ -115,7 +116,7 @@ classDiagram
|
|||||||
+String defaultPrefix: mei
|
+String defaultPrefix: mei
|
||||||
}
|
}
|
||||||
debitor-MeierGmbH o-- partner-MeierGmbH
|
debitor-MeierGmbH o-- partner-MeierGmbH
|
||||||
debitor-MeierGmbH *-- role-MeierGmbH-Buha
|
debitor-MeierGmbH *-- rel-MeierGmbH-Buha
|
||||||
|
|
||||||
class contactData-MeierGmbH-Buha {
|
class contactData-MeierGmbH-Buha {
|
||||||
+postalAddress: Hauptstraße 5, 22345 Hamburg
|
+postalAddress: Hauptstraße 5, 22345 Hamburg
|
||||||
@ -123,15 +124,15 @@ classDiagram
|
|||||||
+emailAddresses: buha@meier-gmbh.de
|
+emailAddresses: buha@meier-gmbh.de
|
||||||
}
|
}
|
||||||
|
|
||||||
class role-MeierGmbH-Buha {
|
class rel-MeierGmbH-Buha {
|
||||||
+RoleType RoleType ACCOUNTING
|
+RelationType type DEBITOR
|
||||||
+Person anchor
|
+Person anchor
|
||||||
+Person holder
|
+Person holder
|
||||||
+Contact roleContact
|
+Contact contact
|
||||||
}
|
}
|
||||||
role-MeierGmbH-Buha o-- person-MeierGmbH : anchor
|
rel-MeierGmbH-Buha o-- person-MeierGmbH : anchor
|
||||||
role-MeierGmbH-Buha o-- person-MeierGmbH : holder
|
rel-MeierGmbH-Buha o-- person-MeierGmbH : holder
|
||||||
role-MeierGmbH-Buha o-- contactData-MeierGmbH-Buha
|
rel-MeierGmbH-Buha o-- contactData-MeierGmbH-Buha
|
||||||
|
|
||||||
%% --- Representatives ---
|
%% --- Representatives ---
|
||||||
|
|
||||||
@ -148,15 +149,15 @@ classDiagram
|
|||||||
+emailAddresses: frank.meier@meier-gmbh.de
|
+emailAddresses: frank.meier@meier-gmbh.de
|
||||||
}
|
}
|
||||||
|
|
||||||
class role-MeierGmbH-FrankMeier {
|
class rel-MeierGmbH-FrankMeier {
|
||||||
+RoleType RoleType REPRESENTATIVE
|
+RelationType type REPRESENTATIVE
|
||||||
+Person anchor
|
+Person anchor
|
||||||
+Person holder
|
+Person holder
|
||||||
+Contact roleContact
|
+Contact contact
|
||||||
}
|
}
|
||||||
role-MeierGmbH-FrankMeier o-- person-MeierGmbH : anchor
|
rel-MeierGmbH-FrankMeier o-- person-MeierGmbH : anchor
|
||||||
role-MeierGmbH-FrankMeier o-- person-FrankMeier : holder
|
rel-MeierGmbH-FrankMeier o-- person-FrankMeier : holder
|
||||||
role-MeierGmbH-FrankMeier o-- contactData-FrankMeier
|
rel-MeierGmbH-FrankMeier o-- contactData-FrankMeier
|
||||||
|
|
||||||
%% --- Operations ---
|
%% --- Operations ---
|
||||||
|
|
||||||
@ -173,14 +174,14 @@ classDiagram
|
|||||||
+emailAddresses: sabine.meier@meier-gmbh.de
|
+emailAddresses: sabine.meier@meier-gmbh.de
|
||||||
}
|
}
|
||||||
|
|
||||||
class role-MeierGmbH-SabineMeier {
|
class rel-MeierGmbH-SabineMeier {
|
||||||
+RoleType RoleType OPERATIONAL
|
+RelationType type OPERATIONAL
|
||||||
+Person anchor
|
+Person anchor
|
||||||
+Person holder
|
+Person holder
|
||||||
+Contact roleContact
|
+Contact contact
|
||||||
}
|
}
|
||||||
role-MeierGmbH-SabineMeier o-- person-MeierGmbH : anchor
|
rel-MeierGmbH-SabineMeier o-- person-MeierGmbH : anchor
|
||||||
role-MeierGmbH-SabineMeier o-- person-SabineMeier : holder
|
rel-MeierGmbH-SabineMeier o-- person-SabineMeier : holder
|
||||||
role-MeierGmbH-SabineMeier o-- contactData-SabineMeier
|
rel-MeierGmbH-SabineMeier o-- contactData-SabineMeier
|
||||||
|
|
||||||
```
|
```
|
||||||
|
83
doc/ideas/rbac-schema-f.md
Normal file
83
doc/ideas/rbac-schema-f.md
Normal file
@ -0,0 +1,83 @@
|
|||||||
|
*(this is just a scribbled draft, that's why it's still in German)*
|
||||||
|
|
||||||
|
### *Schema-F* für Permissions, Rollen und Grants
|
||||||
|
|
||||||
|
Permissions, Rollen und Grants werden in den INSERT/UPDATE/DELETE-Triggern von Geschäftsobjekten erzeugt und gelöscht. Das Löschen erfolgt meistens automatisch über das zugehörige RbacObject, die INSERT- und UPDATE-Trigger müssen jedoch in *pl/pgsql* ausprogrammiert werden.
|
||||||
|
|
||||||
|
Das folgende Schema soll dabei unterstützen, die richtigen Permissions, Rollen und Grants festzulegen.
|
||||||
|
|
||||||
|
An einigen Stellen ist vom *Initiator* die Rede. Als *Initiator* gilt derjenige User, der die Operation (INSERT oder UPDATE) durchführt bzw. eine explizit anzugebende Rolle des Users.
|
||||||
|
Wird keine solche explizite Rolle angegeben, gilt die granted Rolle als diejenige, als der das Grant erfolgt.
|
||||||
|
|
||||||
|
#### Typ Root: Objekte, welche nur eine Spezialisierung bzw. Zusatzdaten für andere Objekte bereitstellen (z.B. Partner für Relations vom Typ Partner oder Partner Details für Partner)
|
||||||
|
|
||||||
|
Objektorientiert gedacht, enthalten solche Objekte die Zusatzdaten einer Subklasse; die Daten im Partner erweitern also eine Relation vom Typ `partner`.
|
||||||
|
|
||||||
|
- Dann muss dieses Objekt zeitlich nach dem Objekt erzeugt werden, auf dass es sich bezieht, also z.B. zeitlich nach der Relation.
|
||||||
|
- Es werden Delete (\*), Edit und View Permissions für dieses Objekt erzeugt.
|
||||||
|
- Es werden **keine** Rollen für dieses Objekt erzeugt.
|
||||||
|
- Statt eigener Rollen werden die o.g. Permissions passenden Rollen des Hauptobjekts zugewiesen (granted) bzw. aus denen entfernt (revoked).
|
||||||
|
- Handelt es sich um Zusatzdaten zum Zwecke der Spezialisierung, dann z.B. so:
|
||||||
|
- Delete (\*) <-- Owner des Hauptobjektes
|
||||||
|
- Edit <-- **Admin** des Hauptobjektes
|
||||||
|
- View <-- Agent des Hauptobjektes
|
||||||
|
- Handelt es sich um Zusatzdaten, für die sich Edit-Rechte delegieren lassen sollen (wie im Falle der Partner-Details eines Partners), dann z.B. so:
|
||||||
|
- Delete (\*) <-- Owner des Hauptobjektes
|
||||||
|
- Edit <-- **Agent** des Hauptobjektes
|
||||||
|
- View <-- Agent des Hauptobjektes
|
||||||
|
- Für die Rollenzuordnung zwischen referenzierten Objekten gilt:
|
||||||
|
- Für Objekte vom Typ Root werden die Rollen des zugehörigen Aggregator-Objektes verwendet.
|
||||||
|
- Gibt es Referenzen auf hierarchisch verbundene Objekte (z.B. Debitor.refundBankAccount) gilt folgende Faustregel:
|
||||||
|
***Nach oben absteigen, nach unten halten oder aufsteigen.*** An einem fachlich übergeordneten Objekt wird also eine niedrigere Rolle (z.B. Debitor.ADMIN -> Partner.AGENT), einem fachlich untergeordneten Objekt eine gleichwertige Rolle (z.B. Partner.ADMIN -> Debitor.ADMIN) zugewiesen oder sogar aufgestiegen (Debitor.ADMIN -> Package.TENANT).
|
||||||
|
- Für Referenzen zwischen Objekten, die nicht hierarchisch zueinander stehen (z.B. Debitor und Bankverbindung), wird auf beiden seiten abgestiegen (also Debitor.ADMIN -> BankAccount.REFERRER und BankAccount.ADMIN -> Debitor.TENANT).
|
||||||
|
|
||||||
|
Anmerkung: Der Typ-Begriff *Root* bezieht sich auf die Rolle im fachlichen Datenmodell. Im Bezug auf den Teilgraphen eines fachlichen Kontexts ist dies auch eine Wurzel im Sinne der Graphentheorie. Aber in anderen fachlichen Kontexten können auch diese Objekte von anderen Teilgraphen referenziert werden und werden dann zum inneren Knoten.
|
||||||
|
|
||||||
|
|
||||||
|
#### Typ Aggregator: Objekte, welche weitere Objekte zusammenfassen (z.B. Relation fasst zwei Persons und einen Contact zusammen)
|
||||||
|
|
||||||
|
Solche Objekte verweisen üblicherweise auf Objekte vom Typ Leaf und werden oft von Objekten des Typs Root referenziert.
|
||||||
|
|
||||||
|
- Es werden i.d.R. folgende Rollen für diese Objekte erzeugt:
|
||||||
|
- Owner, Admin, Agent, Tenent(, Guest?)
|
||||||
|
- Es werden Delete (\*), Edit und View Permissions für dieses Objekt erzeugt.
|
||||||
|
- Die Permissions werden den Rollen sinnvoll zugewiesen, z.B.:
|
||||||
|
- Owner -> Delete (\*)
|
||||||
|
- Admin --> Edit
|
||||||
|
- Tenant (oder ggf. Guest) --> View
|
||||||
|
- Außerdem werden folgende Grants erstellt bzw. entzogen:
|
||||||
|
- Initiator --> Owner
|
||||||
|
- Owner --> Admin
|
||||||
|
- Admin --> Referrer
|
||||||
|
- Admins der referenzierten Objekte werden Agent des Aggregators
|
||||||
|
- Tenants des Aggregators werden Referrer der referenzierten Objekte
|
||||||
|
|
||||||
|
### Typ Leaf: Handelt es sich um ein Objekt, welches (außer zur Modellierung separater Permissions) keine Unterobjekte enthält (z.B. Person, Customer)?
|
||||||
|
|
||||||
|
Solche Objekte werden üblicherweise von Objekten des Typs Aggregator, manchmal auch von Objekten des Typs Root, referenziert.
|
||||||
|
|
||||||
|
- Es werden i.d.R. folgende Rollen für diese Objekte erzeugt:
|
||||||
|
- Owner, Admin, Referrer
|
||||||
|
- Es werden Delete (\*), Edit und View Permissions für dieses Objekt erzeugt.
|
||||||
|
- Die Permissions werden den Rollen sinnvoll zugewiesen, z.B.:
|
||||||
|
- Delete (\*) <-- Owner
|
||||||
|
- Edit <-- Admin
|
||||||
|
- View <-- Referrer
|
||||||
|
- Außerdem werden folgende Grants erstellt bzw. entzogen:
|
||||||
|
- Owner --> Admin
|
||||||
|
- Admin --> Referrer
|
||||||
|
|
||||||
|
```mermaid
|
||||||
|
flowchart LR
|
||||||
|
|
||||||
|
subgraph partnerDetails
|
||||||
|
direction TB
|
||||||
|
style partnerDetails fill:#eee
|
||||||
|
|
||||||
|
perm:partnerDetails.*{{partnerDetails.*}}
|
||||||
|
role:partnerDetails.edit{{partnerDetails.edit}}
|
||||||
|
role:partnerDetails.view{{partnerDetails.view}}
|
||||||
|
|
||||||
|
|
||||||
|
end
|
||||||
|
```
|
29
doc/ideas/simplified-grant-structure.md
Normal file
29
doc/ideas/simplified-grant-structure.md
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
(this is just a scribbled idea, that's why it's still in German)
|
||||||
|
|
||||||
|
Ich habe mal wieder vom RBAC-System geträumt 🙈 Ok, im Halbschlaf darüber nachgedacht trifft es wohl besser. Und jetzt frage ich mich, ob wir viel zu kompliziert gedacht haben.
|
||||||
|
|
||||||
|
Bislang gingen wir ja davon aus, dass, wenn komplexe Entitäten (z.B. Partner) erzeugt werden, wir wir über den INSERT-Trigger den Rollen der verknüpften Entitäten (z.B. den Rollen der Personendaten des Partners) auch Rechte an den komplexeren Entitäten und umgekehrt geben müssen.
|
||||||
|
|
||||||
|
Da die komplexen Entitäten nur mit gewissen verbundenen Entitäten überhaupt sinnvoll nutzbar sind und diese daher über INNSER JOINs mitladen, könnte sonst auch nur jemand diese Entitäten, der auch die SELECT-Permission an den verküpften Entitäten hat.
|
||||||
|
|
||||||
|
Vor einigen Wochen hatten wir schon einmal darüber geredet, ob wir dieses Geflecht wirklich komplett durchplanen müssen, also über mehrere Stufen hinweg, oder ob sehr warscheinlich eh dieselben Leuten an den weiter entfernten Entitäten die nötien Rechte haben, weil dahinter dieselben User stehen. Also z.B. dass gewährleistet ist, dass jemand mit ADMIN-Recht an den Personendaten des Partners auch bis in die SEPA-Mandate eines Debitors hineinsehen kann.
|
||||||
|
|
||||||
|
Und nun gehe ich noch einen Schritt weiter: Könnte es nicht auch andersherum sein? Also wenn jemand z.B. SELECT-Recht am Partner hat, dass wir davon ausgehen können, dass derjenige auch die Partner-Personen- und Kontaktdaten sehen darf, und zwar implizit durch seine Partner-SELECT-Permission und ohne dass er explizit Rollen für diese Partner-Personen oder Kontaktdaten inne hat?
|
||||||
|
|
||||||
|
Im Halbschlaf kam mir nur die Idee, warum wir nicht einfach die komplexen JPA-Entitäten zwar auf die restricted View setzen, wie bisher, aber für die verknüpften Entitäten auf die direkten (bisher "Raw..." genannt) Entitäten gehen. Dann könnte jemand mit einer Rolle, welche die SELECT-Permission auf die komplexe JPA-Entität (z.B.) Partner inne hat, auch die dazugehörige Relation(ship) ["Relation" wurde vor kurzem auf kurz "Relation" umbenannt] und die wiederum dazu gehörigen Personen- und Kontaktdaten lesen, ohne dass in einem INSERT- und UPDATE-Trigger der Partner-Entität die ganzen Grants mit den verknüpften Entäten aufgebaut und aktualisiert werden müssen.
|
||||||
|
|
||||||
|
Beim Debitor ist das nämlich selbst mit Generator die Hölle, zumal eben auch Querverbindungen gegranted werden müssen, z.B. von der Debitor-Person zum Sema-Mandat - jedenfalls wenn man nicht Gefahr laufen wollte, dass jemand mit Admin-Rechten an der Partner-Person (also z.B. ein Repräsentant des Partners) die Sepa-Mandate der Debitoren gar nicht mehr sehen kann. Natürlich bräuchte man immer noch die Agent-Rolle am Partner und Debitor (evtl. repräsentiert durch die jeweils zugehörigen Relation - falls dieser Trick überhaupt noch nötig wäre), sowie ein Grant vom Partner-Agent auf den Debitor-Agent und vom Debitor-Agent auf die Sepa-Mandate-Admins, aber eben ohne filigran die ganzen Neben-Entäten (Personen- und Kontaktdaten von Partner und Debitor sowie Bank-Account) in jedem Trigger berücksichtigen zu müssen. Beim Refund-Bank-Account sogar besonders ätzend, weil der optional ist und dadurch zig "if ...refundBankAccountUuid is not null then ..." im Code enstehen (wenn der auch generiert ist).
|
||||||
|
|
||||||
|
Mit anderen Worten, um als Repräsentant eines Geschäftspartners auf den Bank-Account der Sepa-Mandate sehen zu dürfen, wird derzeut folgende Grant-Kette durchlaufen (bzw. eben noch nicht, weil es noch nicht funktioniert):
|
||||||
|
|
||||||
|
User -> Partner-Holder-Person:ADMIN -> Partner-Relation:AGENT -> Debitor-Relation:AGENT -> Sepa-Mandat:ADMIN -> BankAccount:ADMIN -> BankAccount:SELECT
|
||||||
|
|
||||||
|
Daraus würde:
|
||||||
|
|
||||||
|
User -> Partner-Relation:AGENT -> Debitor-Relation:AGENT -> Sepa-Mandat:ADMIN -> Sepa-Mandat:SELECT*
|
||||||
|
|
||||||
|
(*mit JOIN auf RawBankAccount, also implizitem Leserecht)
|
||||||
|
|
||||||
|
Das klingt zunächst nach nur einer marginalen Vereinfachung, die eigentlich Vereinfachung liegt aber im Erzeugen der Grants in den Triggern, denn da sind zudem noch Partner-Anchor-Person, Debitor-Holder- und Anchor-Person, Partner- und Debitor-Contact sowie der RefundBankAccount zu berücksichtigen. Und genau diese Grants würden großteils wegfallen, und durch implizite Persmissions über die JOINs auf die Raw-Tables ersetzt werden. Den refundBankAccound müssten wir dann, analog zu den Sepa-Mandataten, umgedreht modellieren, da den sonst
|
||||||
|
|
||||||
|
Man könnte das Ganze auch als "Entwicklung der Rechtestruktur für Hosting-Entitäten auf der obersten Ebene" (Manged Webspace, Managed Server, Cloud Server etc.) sehen, denn die hängen alle unter dem Mega-komplexen Debitor.
|
288
doc/projects-booking-items-and-hosting-entities.md
Normal file
288
doc/projects-booking-items-and-hosting-entities.md
Normal file
@ -0,0 +1,288 @@
|
|||||||
|
## HSAdmin-NG
|
||||||
|
### Project/BookingItems/HostingEntities
|
||||||
|
|
||||||
|
__ATTENTION__: The notation uses UML clas diagram elements, but partly with different meanings. See Agenda.
|
||||||
|
|
||||||
|
```mermaid
|
||||||
|
classDiagram
|
||||||
|
direction TD
|
||||||
|
|
||||||
|
Partner o-- "0..n" Membership
|
||||||
|
Partner *-- "1..n" Debitor
|
||||||
|
Debitor *-- "1..n" Project
|
||||||
|
|
||||||
|
Project o-- "0..n" PrivateCloudBI
|
||||||
|
Project o-- "0..n" CloudServerBI
|
||||||
|
Project o-- "0..n" ManagedServerBI
|
||||||
|
Project o-- "0..n" ManagedWebspaceBI
|
||||||
|
|
||||||
|
PrivateCloudBI o-- "0..n" ManagedServerBI
|
||||||
|
PrivateCloudBI o-- "0..n" CloudServerBI
|
||||||
|
|
||||||
|
CloudServerBI *-- CloudServerHE
|
||||||
|
|
||||||
|
ManagedServerBI *-- ManagedServerHE
|
||||||
|
ManagedServerBI o-- "0..n" ManagedWebspaceBI
|
||||||
|
ManagedWebspaceBI *-- ManagedWebspaceHE
|
||||||
|
|
||||||
|
ManagedWebspaceHE *-- "1..n" UnixUserHE
|
||||||
|
ManagedWebspaceHE o-- "0..n" DomainDNSSetupHE
|
||||||
|
ManagedWebspaceHE o-- "0..n" DomainHttpSetupHE
|
||||||
|
ManagedWebspaceHE o-- "0..n" DomainEMailSetupHE
|
||||||
|
ManagedWebspaceHE o-- "0..n" EMailAliasHE
|
||||||
|
DomainEMailSetupHE o-- "0..n" EMailAddressHE
|
||||||
|
ManagedWebspaceHE o-- "0..n" MariaDBUserHE
|
||||||
|
MariaDBUserHE o-- "0..n" MariaDBHE
|
||||||
|
ManagedWebspaceHE o-- "0..n" PostgresDBUserHE
|
||||||
|
PostgresDBUserHE o-- "0..n" PostgresDBHE
|
||||||
|
|
||||||
|
DomainHttpSetupHE --|> UnixUserHE : assignedToAsset
|
||||||
|
|
||||||
|
ManagedWebspaceHE --|> ManagedServerHE
|
||||||
|
|
||||||
|
namespace Office {
|
||||||
|
class Partner {
|
||||||
|
}
|
||||||
|
|
||||||
|
class Membership {
|
||||||
|
}
|
||||||
|
|
||||||
|
class Debitor {
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
namespace Booking {
|
||||||
|
class Project {
|
||||||
|
+caption
|
||||||
|
+create()
|
||||||
|
}
|
||||||
|
class PrivateCloudBI {
|
||||||
|
+caption
|
||||||
|
~resources = [
|
||||||
|
⠀⠀+CPUs
|
||||||
|
⠀⠀+RAM
|
||||||
|
⠀⠀+SSD
|
||||||
|
⠀⠀+HDD
|
||||||
|
⠀⠀+Traffic
|
||||||
|
]
|
||||||
|
|
||||||
|
+book()
|
||||||
|
}
|
||||||
|
class CloudServerBI {
|
||||||
|
+caption
|
||||||
|
~resources = [
|
||||||
|
⠀⠀+CPUs
|
||||||
|
⠀⠀+RAM
|
||||||
|
⠀⠀+SSD
|
||||||
|
⠀⠀+HDD
|
||||||
|
⠀⠀+Traffic
|
||||||
|
]
|
||||||
|
|
||||||
|
+book()
|
||||||
|
}
|
||||||
|
class ManagedServerBI {
|
||||||
|
+caption
|
||||||
|
~respources = [
|
||||||
|
⠀⠀+CPUs
|
||||||
|
⠀⠀+RAM
|
||||||
|
⠀⠀+SSD
|
||||||
|
⠀⠀+HDD
|
||||||
|
⠀⠀+Traffic
|
||||||
|
]
|
||||||
|
|
||||||
|
+book()
|
||||||
|
}
|
||||||
|
class ManagedWebspaceBI {
|
||||||
|
+caption
|
||||||
|
~resources = [
|
||||||
|
⠀⠀+SSD
|
||||||
|
⠀⠀+HDD
|
||||||
|
⠀⠀+Traffic
|
||||||
|
⠀⠀+MultiOptions
|
||||||
|
⠀⠀+Daemons
|
||||||
|
]
|
||||||
|
|
||||||
|
+book()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
style Project stroke:blue,stroke-width:4px
|
||||||
|
style PrivateCloudBI stroke:blue,stroke-width:4px
|
||||||
|
style CloudServerBI stroke:blue,stroke-width:4px
|
||||||
|
style ManagedServerBI stroke:blue,stroke-width:4px
|
||||||
|
style ManagedWebspaceBI stroke:blue,stroke-width:4px
|
||||||
|
|
||||||
|
%% ---------------------------------------------------------
|
||||||
|
|
||||||
|
namespace HostingServers {
|
||||||
|
%% separate (pseudo-) namespace just for better rendering
|
||||||
|
|
||||||
|
class CloudServerHE {
|
||||||
|
-identifier, e.g. "vm1234"
|
||||||
|
-caption := bi.caption?
|
||||||
|
-parentAsset := parentHost
|
||||||
|
-identifier := serverName
|
||||||
|
-create()
|
||||||
|
}
|
||||||
|
class ManagedServerHE {
|
||||||
|
-identifier, e.g. "vm1234"
|
||||||
|
-caption := bi.caption?
|
||||||
|
-parentAsset := parentHost
|
||||||
|
-identifier := serverName
|
||||||
|
~config = [
|
||||||
|
⠀⠀+installed Software
|
||||||
|
]
|
||||||
|
-create()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
namespace Hosting {
|
||||||
|
class ManagedWebspaceHE {
|
||||||
|
-parentAsset := parentManagedServer
|
||||||
|
-identifier : webspaceName
|
||||||
|
+caption
|
||||||
|
|
||||||
|
-create()
|
||||||
|
}
|
||||||
|
|
||||||
|
class UnixUserHE {
|
||||||
|
+identifier ["xyz00-..."]
|
||||||
|
+caption
|
||||||
|
~config = [
|
||||||
|
⠀⠀+SSD Soft Quota
|
||||||
|
⠀⠀+SSD Hard Quota
|
||||||
|
⠀⠀+HDD Soft Quota
|
||||||
|
⠀⠀+HDD Hard Quota
|
||||||
|
⠀⠀#shell
|
||||||
|
⠀⠀#password
|
||||||
|
]
|
||||||
|
|
||||||
|
+create()
|
||||||
|
}
|
||||||
|
class DomainDNSSetupHE {
|
||||||
|
+identifier, e.g. "example.com"
|
||||||
|
+caption
|
||||||
|
|
||||||
|
+create()
|
||||||
|
}
|
||||||
|
class DomainHttpSetupHE {
|
||||||
|
+identifier, e.g. "example.com"
|
||||||
|
+caption
|
||||||
|
|
||||||
|
+create()
|
||||||
|
}
|
||||||
|
class DomainEMailSetupHE {
|
||||||
|
+identifier, e.g. "example.com"
|
||||||
|
+caption
|
||||||
|
|
||||||
|
+create()
|
||||||
|
}
|
||||||
|
class EMailAliasHE {
|
||||||
|
+identifier, e.g "xyz00-..."
|
||||||
|
+caption
|
||||||
|
|
||||||
|
~config = [
|
||||||
|
⠀⠀+target[]
|
||||||
|
]
|
||||||
|
|
||||||
|
+create()
|
||||||
|
}
|
||||||
|
class EMailAddressHE {
|
||||||
|
+identifier, e.g. "test@example.org"
|
||||||
|
+caption
|
||||||
|
~config = [
|
||||||
|
⠀⠀+sub-domain
|
||||||
|
⠀⠀+local-part
|
||||||
|
⠀⠀+target
|
||||||
|
]
|
||||||
|
|
||||||
|
+create()
|
||||||
|
}
|
||||||
|
class MariaDBUserHE {
|
||||||
|
+identifier, e.g. "xyz00_mydb"
|
||||||
|
+caption
|
||||||
|
config = [
|
||||||
|
⠀⠀#password
|
||||||
|
]
|
||||||
|
|
||||||
|
+create()
|
||||||
|
}
|
||||||
|
class MariaDBHE {
|
||||||
|
+identifier, e.g. "xyz00_mydb"
|
||||||
|
+caption
|
||||||
|
~config = [
|
||||||
|
⠀⠀+encoding
|
||||||
|
]
|
||||||
|
|
||||||
|
+create()
|
||||||
|
}
|
||||||
|
class PostgresDBUserHE {
|
||||||
|
+identifier, e.g. "xyz00_mydb"
|
||||||
|
+caption
|
||||||
|
~config = [
|
||||||
|
⠀⠀#password
|
||||||
|
]
|
||||||
|
|
||||||
|
+create()
|
||||||
|
}
|
||||||
|
class PostgresDBHE {
|
||||||
|
+identifier, e.g. "xyz00_mydb"
|
||||||
|
+caption
|
||||||
|
|
||||||
|
~config = [
|
||||||
|
⠀⠀+encoding
|
||||||
|
⠀⠀+extensions
|
||||||
|
]
|
||||||
|
+create()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
style CloudServerHE stroke:orange,stroke-width:4px
|
||||||
|
style ManagedServerHE stroke:orange,stroke-width:4px
|
||||||
|
style ManagedWebspaceHE stroke:orange,stroke-width:4px
|
||||||
|
style UnixUserHE stroke:blue,stroke-width:4px
|
||||||
|
style DomainDNSSetupHE stroke:blue,stroke-width:4px
|
||||||
|
style DomainHttpSetupHE stroke:blue,stroke-width:4px
|
||||||
|
style DomainEMailSetupHE stroke:blue,stroke-width:4px
|
||||||
|
style EMailAliasHE stroke:blue,stroke-width:4px
|
||||||
|
style EMailAddressHE stroke:blue,stroke-width:4px
|
||||||
|
style MariaDBUserHE stroke:blue,stroke-width:4px
|
||||||
|
style MariaDBHE stroke:blue,stroke-width:4px
|
||||||
|
style PostgresDBUserHE stroke:blue,stroke-width:4px
|
||||||
|
style PostgresDBHE stroke:blue,stroke-width:4px
|
||||||
|
|
||||||
|
%% --------------------------------------
|
||||||
|
|
||||||
|
ParentA o-- ChildA : can contain
|
||||||
|
ParentB *-- ChildB : contains
|
||||||
|
|
||||||
|
namespace Agenda {
|
||||||
|
class ParentA {
|
||||||
|
}
|
||||||
|
class ChildA {
|
||||||
|
}
|
||||||
|
class ParentB {
|
||||||
|
}
|
||||||
|
class ChildB {
|
||||||
|
}
|
||||||
|
class CreatedByClient {
|
||||||
|
}
|
||||||
|
class CreatedAutomatically {
|
||||||
|
}
|
||||||
|
class SomeEntity {
|
||||||
|
~patchable = [
|
||||||
|
%% the following indentations uses two U+2800 to have effect in the rendered diagram
|
||||||
|
⠀⠀+first
|
||||||
|
⠀⠀+second
|
||||||
|
]
|
||||||
|
-readOnly for client accounts
|
||||||
|
+readWrite for client accounts
|
||||||
|
#writeOnly
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
style CreatedByClient stroke:blue,stroke-width:4px
|
||||||
|
style CreatedAutomatically stroke:orange,stroke-width:4px
|
||||||
|
end
|
||||||
|
```
|
468
doc/rbac-performance-analysis.md
Normal file
468
doc/rbac-performance-analysis.md
Normal file
@ -0,0 +1,468 @@
|
|||||||
|
# RBAC Performance Analysis
|
||||||
|
|
||||||
|
This describes the analysis of the legacy-data-import which took way too long, which turned out to be a problem in the RBAC-access-rights-check as well as `EntityManager.persist` creating too many SQL queries.
|
||||||
|
|
||||||
|
|
||||||
|
## Our Performance-Problem
|
||||||
|
|
||||||
|
During the legacy data import for hosting assets we noticed massive performance problems. The import of about 2200 hosting-assets (IP-numbers, managed-webspaces, managed- and cloud-servers) as well as the creation of booking-items and booking-projects as well as necessary office-data entities (persons, contacts, partners, debitors, relations) **took 25 minutes**.
|
||||||
|
|
||||||
|
Importing hosting assets up to UnixUsers and EmailAddresses even **took about 100 minutes**.
|
||||||
|
|
||||||
|
(The office data import sometimes, but rarely, took only 10min.
|
||||||
|
We could not find a pattern, why that was the case. The impression that it had to do with too many other parallel processes, e.g. browser with BBB or IntelliJ IDEA was proved wrong, but stopping all unnecessary processes and performing the import again.)
|
||||||
|
|
||||||
|
|
||||||
|
## Preparation
|
||||||
|
|
||||||
|
### Configuring PostgreSQL
|
||||||
|
|
||||||
|
The pg_stat_statements PostgreSQL-Extension can be used to measure how long queries take and how often they are called.
|
||||||
|
|
||||||
|
The module auto_explain can be used to automatically run EXPLAIN on long-running queries.
|
||||||
|
|
||||||
|
To use this extension and module, we extended the PostgreSQL-Docker-image:
|
||||||
|
|
||||||
|
```Dockerfile
|
||||||
|
FROM postgres:15.5-bookworm
|
||||||
|
|
||||||
|
RUN apt-get update && \
|
||||||
|
apt-get install -y postgresql-contrib && \
|
||||||
|
apt-get clean
|
||||||
|
|
||||||
|
COPY etc/postgresql-log-slow-queries.conf /etc/postgresql/postgresql.conf
|
||||||
|
```
|
||||||
|
|
||||||
|
And create an image from it:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
docker build -t postgres-with-contrib:15.5-bookworm .
|
||||||
|
```
|
||||||
|
|
||||||
|
Then we created a config file for PostgreSQL in `etc/postgresql-log-slow-queries.conf`:
|
||||||
|
|
||||||
|
```
|
||||||
|
shared_preload_libraries = 'pg_stat_statements,auto_explain'
|
||||||
|
log_min_duration_statement = 1000
|
||||||
|
log_statement = 'all'
|
||||||
|
log_duration = on
|
||||||
|
pg_stat_statements.track = all
|
||||||
|
auto_explain.log_min_duration = '1s' # Logs queries taking longer than 1 second
|
||||||
|
auto_explain.log_analyze = on # Include actual run times
|
||||||
|
auto_explain.log_buffers = on # Include buffer usage statistics
|
||||||
|
auto_explain.log_format = 'json' # Format the log output in JSON
|
||||||
|
listen_addresses = '*'
|
||||||
|
```
|
||||||
|
|
||||||
|
And a Docker-Compose config in 'docker-compose.yml':
|
||||||
|
|
||||||
|
```
|
||||||
|
version: '3.8'
|
||||||
|
|
||||||
|
services:
|
||||||
|
postgres:
|
||||||
|
image: postgres-with-contrib:15.5-bookworm
|
||||||
|
container_name: custom-postgres
|
||||||
|
environment:
|
||||||
|
POSTGRES_PASSWORD: password
|
||||||
|
volumes:
|
||||||
|
- /home/mi/Projekte/Hostsharing/hsadmin-ng/etc/postgresql-log-slow-queries.conf:/etc/postgresql/postgresql.conf
|
||||||
|
ports:
|
||||||
|
- "5432:5432"
|
||||||
|
command:
|
||||||
|
- bash
|
||||||
|
- -c
|
||||||
|
- >
|
||||||
|
apt-get update &&
|
||||||
|
apt-get install -y postgresql-contrib &&
|
||||||
|
docker-entrypoint.sh postgres -c config_file=/etc/postgresql/postgresql.conf
|
||||||
|
```
|
||||||
|
|
||||||
|
### Activate the pg_stat_statements Extension
|
||||||
|
|
||||||
|
The pg_stat_statements extension was activated in our Liquibase-scripts:
|
||||||
|
|
||||||
|
```
|
||||||
|
create extension if not exists "pg_stat_statements";
|
||||||
|
```
|
||||||
|
|
||||||
|
### Running the Tweaked PostgreSQL
|
||||||
|
|
||||||
|
Now we can run PostgreSQL with activated slow-query-logging:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
docker-compose up -d
|
||||||
|
```
|
||||||
|
|
||||||
|
### Running the Import
|
||||||
|
|
||||||
|
Using an environment like this:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
export HSADMINNG_POSTGRES_JDBC_URL=jdbc:postgresql://localhost:5432/postgres
|
||||||
|
export HSADMINNG_POSTGRES_ADMIN_USERNAME=postgres
|
||||||
|
export HSADMINNG_POSTGRES_ADMIN_PASSWORD=password
|
||||||
|
export HSADMINNG_POSTGRES_RESTRICTED_USERNAME=restricted
|
||||||
|
export HSADMINNG_SUPERUSER=superuser-alex@hostsharing.net
|
||||||
|
```
|
||||||
|
|
||||||
|
We can now run the hosting-assets-import:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
time gw-importHostingAssets
|
||||||
|
```
|
||||||
|
|
||||||
|
### Fetch the Query Statistics
|
||||||
|
|
||||||
|
And afterward we can query the statistics in PostgreSQL, e.g.:
|
||||||
|
|
||||||
|
```SQL
|
||||||
|
WITH statements AS (
|
||||||
|
SELECT * FROM pg_stat_statements pss
|
||||||
|
)
|
||||||
|
SELECT calls,
|
||||||
|
total_exec_time::int/(60*1000) as total_mins,
|
||||||
|
mean_exec_time::int as mean_millis,
|
||||||
|
query
|
||||||
|
FROM statements
|
||||||
|
WHERE calls > 100 AND shared_blks_hit > 0
|
||||||
|
ORDER BY total_exec_time DESC
|
||||||
|
LIMIT 16;
|
||||||
|
```
|
||||||
|
|
||||||
|
### Reset the Query Statistics
|
||||||
|
|
||||||
|
```SQL
|
||||||
|
SELECT pg_stat_statements_reset();
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Analysis Result
|
||||||
|
|
||||||
|
### RBAC-Access-Rights Detection query
|
||||||
|
|
||||||
|
This CTE query was run over 4000 times during a single import and takes in total the whole execution time of the import process:
|
||||||
|
|
||||||
|
```SQL
|
||||||
|
WITH RECURSIVE grants AS (
|
||||||
|
SELECT descendantUuid, ascendantUuid, $5 AS level
|
||||||
|
FROM RbacGrants
|
||||||
|
WHERE assumed
|
||||||
|
AND ascendantUuid = any(subjectIds)
|
||||||
|
UNION ALL
|
||||||
|
SELECT g.descendantUuid, g.ascendantUuid, grants.level + $6 AS level
|
||||||
|
FROM RbacGrants g
|
||||||
|
INNER JOIN grants ON grants.descendantUuid = g.ascendantUuid
|
||||||
|
WHERE g.assumed
|
||||||
|
),
|
||||||
|
granted AS (
|
||||||
|
SELECT DISTINCT descendantUuid
|
||||||
|
FROM grants
|
||||||
|
)
|
||||||
|
SELECT DISTINCT perm.objectUuid
|
||||||
|
FROM granted
|
||||||
|
JOIN RbacPermission perm ON granted.descendantUuid = perm.uuid
|
||||||
|
JOIN RbacObject obj ON obj.uuid = perm.objectUuid
|
||||||
|
WHERE (requiredOp = $7 OR perm.op = requiredOp)
|
||||||
|
AND obj.objectTable = forObjectTable
|
||||||
|
LIMIT maxObjects+$8
|
||||||
|
```
|
||||||
|
|
||||||
|
That query is used to determine access rights of the currently active RBAC-subject(s).
|
||||||
|
|
||||||
|
We used `EXPLAIN` with a concrete version (parameters substituted with real values) of that query and got this result:
|
||||||
|
|
||||||
|
```
|
||||||
|
QUERY PLAN
|
||||||
|
Limit (cost=6549.08..6549.35 rows=54 width=16)
|
||||||
|
CTE grants
|
||||||
|
-> Recursive Union (cost=4.32..5845.97 rows=1103 width=36)
|
||||||
|
-> Bitmap Heap Scan on rbacgrants (cost=4.32..15.84 rows=3 width=36)
|
||||||
|
Recheck Cond: (ascendantuuid = ANY ('{ad1133dc-fbb7-43c9-8c20-0da3f89a2388}'::uuid[]))
|
||||||
|
Filter: assumed
|
||||||
|
-> Bitmap Index Scan on rbacgrants_ascendantuuid_idx (cost=0.00..4.32 rows=3 width=0)
|
||||||
|
Index Cond: (ascendantuuid = ANY ('{ad1133dc-fbb7-43c9-8c20-0da3f89a2388}'::uuid[]))
|
||||||
|
-> Nested Loop (cost=0.29..580.81 rows=110 width=36)
|
||||||
|
-> WorkTable Scan on grants grants_1 (cost=0.00..0.60 rows=30 width=20)
|
||||||
|
-> Index Scan using rbacgrants_ascendantuuid_idx on rbacgrants g (cost=0.29..19.29 rows=4 width=32)
|
||||||
|
Index Cond: (ascendantuuid = grants_1.descendantuuid)
|
||||||
|
Filter: assumed
|
||||||
|
-> Unique (cost=703.11..703.38 rows=54 width=16)
|
||||||
|
-> Sort (cost=703.11..703.25 rows=54 width=16)
|
||||||
|
Sort Key: perm.objectuuid
|
||||||
|
-> Nested Loop (cost=31.60..701.56 rows=54 width=16)
|
||||||
|
-> Hash Join (cost=31.32..638.78 rows=200 width=16)
|
||||||
|
Hash Cond: (perm.uuid = grants.descendantuuid)
|
||||||
|
-> Seq Scan on rbacpermission perm (cost=0.00..532.92 rows=28392 width=32)
|
||||||
|
-> Hash (cost=28.82..28.82 rows=200 width=16)
|
||||||
|
-> HashAggregate (cost=24.82..26.82 rows=200 width=16)
|
||||||
|
Group Key: grants.descendantuuid
|
||||||
|
-> CTE Scan on grants (cost=0.00..22.06 rows=1103 width=16)
|
||||||
|
-> Index Only Scan using rbacobject_objecttable_uuid_key on rbacobject obj (cost=0.28..0.31 rows=1 width=16)
|
||||||
|
Index Cond: ((objecttable = 'hs_hosting_asset'::text) AND (uuid = perm.objectuuid))
|
||||||
|
```
|
||||||
|
|
||||||
|
### Office-Relation-Query
|
||||||
|
|
||||||
|
```SQL
|
||||||
|
SELECT hore1_0.uuid,a1_0.uuid,a1_0.familyname,a1_0.givenname,a1_0.persontype,a1_0.salutation,a1_0.title,a1_0.tradename,a1_0.version,c1_0.uuid,c1_0.caption,c1_0.emailaddresses,c1_0.phonenumbers,c1_0.postaladdress,c1_0.version,h1_0.uuid,h1_0.familyname,h1_0.givenname,h1_0.persontype,h1_0.salutation,h1_0.title,h1_0.tradename,h1_0.version,hore1_0.mark,hore1_0.type,hore1_0.version
|
||||||
|
FROM hs_office_relation_rv hore1_0
|
||||||
|
LEFT JOIN hs_office_person_rv a1_0 ON a1_0.uuid=hore1_0.anchoruuid
|
||||||
|
LEFT JOIN hs_office_contact_rv c1_0 ON c1_0.uuid=hore1_0.contactuuid
|
||||||
|
LEFT JOIN hs_office_person_rv h1_0 ON h1_0.uuid=hore1_0.holderuuid
|
||||||
|
WHERE hore1_0.uuid=$1
|
||||||
|
```
|
||||||
|
|
||||||
|
That query on the `hs_office_relation_rv`-table joins the three references anchor-person, holder-person and contact.
|
||||||
|
|
||||||
|
|
||||||
|
### Total-Query-Time > Total-Import-Runtime
|
||||||
|
|
||||||
|
That both queries total up to more than the runtime of the import-process is most likely due to internal parallel query processing.
|
||||||
|
|
||||||
|
|
||||||
|
## Attempts to Mitigate the Problem
|
||||||
|
|
||||||
|
### VACUUM ANALYZE
|
||||||
|
|
||||||
|
In the middle of the import, we updated the PostgreSQL statistics to recalibrate the query optimizer:
|
||||||
|
|
||||||
|
```SQL
|
||||||
|
VACUUM ANALYZE;
|
||||||
|
```
|
||||||
|
|
||||||
|
This did not improve the performance.
|
||||||
|
|
||||||
|
|
||||||
|
### Improving Joins + Indexes
|
||||||
|
|
||||||
|
We were suspicious about the sequential scan over all `rbacpermission` rows which was done by PostgreSQL to execute a HashJoin strategy. Turning off that strategy by
|
||||||
|
|
||||||
|
```SQL
|
||||||
|
ALTER FUNCTION queryAccessibleObjectUuidsOfSubjectIds SET enable_hashjoin = off;
|
||||||
|
```
|
||||||
|
|
||||||
|
did not improve the performance though. The HashJoin was actually still applied, but no full table scan anymore:
|
||||||
|
|
||||||
|
```
|
||||||
|
[...]
|
||||||
|
QUERY PLAN
|
||||||
|
-> Hash Join (cost=36.02..40.78 rows=1 width=16)
|
||||||
|
Hash Cond: (grants.descendantuuid = perm.uuid)
|
||||||
|
-> HashAggregate (cost=13.32..15.32 rows=200 width=16)
|
||||||
|
Group Key: grants.descendantuuid
|
||||||
|
-> CTE Scan on grants (cost=0.00..11.84 rows=592 width=16)
|
||||||
|
[...]
|
||||||
|
```
|
||||||
|
|
||||||
|
The HashJoin strategy could be great if the hash-map could be kept for multiple invocations. But during an import process, of course, there are always new rows in the underlying table and the hash-map would be outdated immediately.
|
||||||
|
|
||||||
|
Also creating indexes which should suppor the RBAC query, like the following, did not improve performance:
|
||||||
|
|
||||||
|
```SQL
|
||||||
|
create index on RbacPermission (objectUuid, op);
|
||||||
|
create index on RbacPermission (opTableName, op);
|
||||||
|
```
|
||||||
|
|
||||||
|
### LAZY loading for Relation.anchorPerson/.holderPerson/
|
||||||
|
|
||||||
|
At this point, the import took 21mins with these statistics:
|
||||||
|
|
||||||
|
| query | calls | total_m | mean_ms |
|
||||||
|
|-------|-------|---------|---------|
|
||||||
|
| select hore1_0.uuid,a1_0.uuid,a1_0.familyname,a1_0.givenname,a1_0.persontype,a1_0.salutation,a1_0.title,a1_0.tradename,a1_0.version,c1_0.uuid,c1_0.caption,c1_0.emailaddresses,c1_0.phonenumbers,c1_0.postaladdress, c1_0.version,h1_0.uuid,h1_0.familyname,h1_0.givenname,h1_0.persontype,h1_0.salutation,h1_0.title,h1_0.tradename,h1_0.version,hore1_0.mark,hore1_0.type,hore1_0.version from public.hs_office_relation_rv hore1_0 left join public.hs_office_person_rv a1_0 on a1_0.uuid=hore1_0.anchoruuid left join public.hs_office_contact_rv c1_0 on c1_0.uuid=hore1_0.contactuuid left join public.hs_office_person_rv h1_0 on h1_0.uuid=hore1_0.holderuuid where hore1_0.uuid=$1 | 517 | 11 | 1282 |
|
||||||
|
| select hope1_0.uuid,hope1_0.familyname,hope1_0.givenname,hope1_0.persontype,hope1_0.salutation,hope1_0.title,hope1_0.tradename,hope1_0.version from public.hs_office_person_rv hope1_0 where hope1_0.uuid=$1 | 973 | 4 | 254 |
|
||||||
|
| select hoce1_0.uuid,hoce1_0.caption,hoce1_0.emailaddresses,hoce1_0.phonenumbers,hoce1_0.postaladdress,hoce1_0.version from public.hs_office_contact_rv hoce1_0 where hoce1_0.uuid=$1 | 973 | 4 | 253 |
|
||||||
|
| call grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed) | 31316 | 0 | 1 |
|
||||||
|
| call buildRbacSystemForHsHostingAsset(NEW) | 2258 | 0 | 7 |
|
||||||
|
| select * from isGranted(array[granteeId], grantedId) | 44613 | 0 | 0 |
|
||||||
|
| insert into public.hs_hosting_asset_rv (alarmcontactuuid,assignedtoassetuuid,bookingitemuuid,caption,config,identifier,parentassetuuid,type,version,uuid) values ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10) | 2207 | 0 | 7 |
|
||||||
|
| insert into hs_hosting_asset (alarmcontactuuid, version, bookingitemuuid, type, parentassetuuid, assignedtoassetuuid, config, uuid, identifier, caption) values (new.alarmcontactuuid, new. version, new. bookingitemuuid, new. type, new. parentassetuuid, new. assignedtoassetuuid, new. config, new. uuid, new. identifier, new. caption) returning * | 2207 | 0 | 7 |
|
||||||
|
| insert into public.hs_office_relation_rv (anchoruuid,contactuuid,holderuuid,mark,type,version,uuid) values ($1,$2,$3,$4,$5,$6,$7) | 1261 | 0 | 9 |
|
||||||
|
| insert into hs_office_relation (uuid, version, anchoruuid, holderuuid, contactuuid, type, mark) values (new.uuid, new. version, new. anchoruuid, new. holderuuid, new. contactuuid, new. type, new. mark) returning * | 1261 | 0 | 9 |
|
||||||
|
| call buildRbacSystemForHsOfficeRelation(NEW) | 1276 | 0 | 8 |
|
||||||
|
| with recursive grants as ( select descendantUuid, ascendantUuid from RbacGrants where descendantUuid = grantedId union all select ""grant"".descendantUuid, ""grant"".ascendantUuid from RbacGrants ""grant"" inner join grants recur on recur.ascendantUuid = ""grant"".descendantUuid ) select exists ( select $3 from grants where ascendantUuid = any(granteeIds) ) or grantedId = any(granteeIds) | 47540 | 0 | 0 |
|
||||||
|
| insert into RbacGrants (grantedByTriggerOf, ascendantuuid, descendantUuid, assumed) values (currentTriggerObjectUuid(), superRoleId, subRoleId, doAssume) on conflict do nothing" | 40472 | 0 | 0 |
|
||||||
|
| insert into public.hs_booking_item_rv (caption,parentitemuuid,projectuuid,resources,type,validity,version,uuid) values ($1,$2,$3,$4,$5,$6,$7,$8) | 926 | 0 | 7 |
|
||||||
|
| insert into hs_booking_item (resources, version, projectuuid, type, parentitemuuid, validity, uuid, caption) values (new.resources, new. version, new. projectuuid, new. type, new. parentitemuuid, new. validity, new. uuid, new. caption) returning * | 926 | 0 | 7 |
|
||||||
|
|
||||||
|
|
||||||
|
The slowest query now was fetching Relations joined with Contact, Anchor-Person and Holder-Person, for all tables using the restricted (RBAC) views (_rv).
|
||||||
|
|
||||||
|
We changed these mappings from `EAGER` (default) to `LAZY` to `@ManyToOne(fetch = FetchType.LAZY)` and got this result:
|
||||||
|
|
||||||
|
:::small
|
||||||
|
| query | calls | total (min) | mean (ms) |
|
||||||
|
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------|-------------|----------|
|
||||||
|
| select hope1_0.uuid,hope1_0.familyname,hope1_0.givenname,hope1_0.persontype,hope1_0.salutation,hope1_0.title,hope1_0.tradename,hope1_0.version from public.hs_office_person_rv hope1_0 where hope1_0.uuid=$1 | 1015 | 4 | 238 |
|
||||||
|
| select hore1_0.uuid,hore1_0.anchoruuid,hore1_0.contactuuid,hore1_0.holderuuid,hore1_0.mark,hore1_0.type,hore1_0.version from public.hs_office_relation_rv hore1_0 where hore1_0.uuid=$1 | 517 | 4 | 439 |
|
||||||
|
| select hoce1_0.uuid,hoce1_0.caption,hoce1_0.emailaddresses,hoce1_0.phonenumbers,hoce1_0.postaladdress,hoce1_0.version from public.hs_office_contact_rv hoce1_0 where hoce1_0.uuid=$1 | 497 | 2 | 213 |
|
||||||
|
| call grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed) | 31316 | 0 | 1 |
|
||||||
|
| select * from isGranted(array[granteeId], grantedId) | 44613 | 0 | 0 |
|
||||||
|
| call buildRbacSystemForHsHostingAsset(NEW) | 2258 | 0 | 7 |
|
||||||
|
| insert into public.hs_hosting_asset_rv (alarmcontactuuid,assignedtoassetuuid,bookingitemuuid,caption,config,identifier,parentassetuuid,type,version,uuid) values ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10) | 2207 | 0 | 7 |
|
||||||
|
| insert into hs_hosting_asset (alarmcontactuuid, version, bookingitemuuid, type, parentassetuuid, assignedtoassetuuid, config, uuid, identifier, caption) values (new.alarmcontactuuid, new. version, new. bookingitemuuid, new. type, new. parentassetuuid, new. assignedtoassetuuid, new. config, new. uuid, new. identifier, new. caption) returning * | 2207 | 0 | 7 |
|
||||||
|
| with recursive grants as ( select descendantUuid, ascendantUuid from RbacGrants where descendantUuid = grantedId union all select ""grant"".descendantUuid, ""grant"".ascendantUuid from RbacGrants ""grant"" inner join grants recur on recur.ascendantUuid = ""grant"".descendantUuid ) select exists ( select $3 from grants where ascendantUuid = any(granteeIds) ) or grantedId = any(granteeIds) | 47538 | 0 | 0 |
|
||||||
|
insert into public.hs_office_relation_rv (anchoruuid,contactuuid,holderuuid,mark,type,version,uuid) values ($1,$2,$3,$4,$5,$6,$7) | 1261 | 0 | 8 |
|
||||||
|
| insert into hs_office_relation (uuid, version, anchoruuid, holderuuid, contactuuid, type, mark) values (new.uuid, new. version, new. anchoruuid, new. holderuuid, new. contactuuid, new. type, new. mark) returning * | 1261 | 0 | 8 |
|
||||||
|
| call buildRbacSystemForHsOfficeRelation(NEW) | 1276 | 0 | 7 |
|
||||||
|
| insert into public.hs_booking_item_rv (caption,parentitemuuid,projectuuid,resources,type,validity,version,uuid) values ($1,$2,$3,$4,$5,$6,$7,$8) | 926 | 0 | 7 |
|
||||||
|
| insert into hs_booking_item (resources, version, projectuuid, type, parentitemuuid, validity, uuid, caption) values (new.resources, new. version, new. projectuuid, new. type, new. parentitemuuid, new. validity, new. uuid, new. caption) returning * | 926 | 0 | 7 |
|
||||||
|
insert into RbacGrants (grantedByTriggerOf, ascendantuuid, descendantUuid, assumed) values (currentTriggerObjectUuid(), superRoleId, subRoleId, doAssume) on conflict do nothing | 40472 | 0 | 0 |
|
||||||
|
|
||||||
|
Now, finally, the total runtime of the import was down to 12 minutes. This is repeatable, where originally, the import took about 25mins in most cases and just rarely - and for unknown reasons - 10min.
|
||||||
|
|
||||||
|
### Importing UnixUser and EmailAlias Assets
|
||||||
|
|
||||||
|
But once UnixUser and EmailAlias assets got added to the import, the total time went up to about 110min.
|
||||||
|
|
||||||
|
This was not acceptable, especially not, considering that domains, email-addresses and database-assets are almost 10 times that number and thus the import would go up to over 1100min which is 20 hours.
|
||||||
|
|
||||||
|
In a first step, a `HsHostingAssetRawEntity` was created, mapped to the raw table (hs_hosting_asset) not to the RBAC-view (hs_hosting_asset_rv). Unfortunately we did not keep measurements, but that was only part of the problem anyway.
|
||||||
|
|
||||||
|
The main problem was, that there is something strange with persisting (`EntityManager.persist`) for EmailAlias assets. Where importing UnixUsers was mostly slow due to RBAC SELECT-permission checks, persisting EmailAliases suddenly created about a million (in numbers 1.000.000) SQL UPDATE statements after the INSERT, all with the same data, just increased version number (used for optimistic locking). We were not able to figure out why this happened.
|
||||||
|
|
||||||
|
Keep in mind, it's the same table with the same RBAC-triggers, just a different value in the type column.
|
||||||
|
|
||||||
|
Once `EntityManager.persist` was replaced by an explicit SQL INSERT - just for `HsHostingAssetRawEntity`, the total time was down to 17min. Thus importing the UnixUsers and EmailAliases took just 5min, which is an acceptable result. The total import of all HostingAssets is now estimated to about 1 hour (on my developer laptop).
|
||||||
|
|
||||||
|
Now, the longest running queries are these:
|
||||||
|
|
||||||
|
| No.| calls | total_m | mean_ms | query |
|
||||||
|
|---:|---------|--------:|--------:|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||||
|
| 1 | 13.093 | 4 | 21 | insert into hs_hosting_asset( uuid, type, bookingitemuuid, parentassetuuid, assignedtoassetuuid, alarmcontactuuid, identifier, caption, config, version) values ( $1, $2, $3, $4, $5, $6, $7, $8, cast($9 as jsonb), $10) |
|
||||||
|
| 2 | 517 | 4 | 502 | select hore1_0.uuid,hore1_0.anchoruuid,hore1_0.contactuuid,hore1_0.holderuuid,hore1_0.mark,hore1_0.type,hore1_0.version from public.hs_office_relation_rv hore1_0 where hore1_0.uuid=$1 |
|
||||||
|
| 3 | 13.144 | 4 | 21 | call buildRbacSystemForHsHostingAsset(NEW) |
|
||||||
|
| 4 | 96.632 | 3 | 2 | call grantRoleToRole(roleUuid, superRoleUuid, superRoleDesc.assumed) |
|
||||||
|
| 5 | 120.815 | 3 | 2 | select * from isGranted(array[granteeId], grantedId) |
|
||||||
|
| 6 | 123.740 | 3 | 2 | with recursive grants as ( select descendantUuid, ascendantUuid from RbacGrants where descendantUuid = grantedId union all select "grant".descendantUuid, "grant".ascendantUuid from RbacGrants "grant" inner join grants recur on recur.ascendantUuid = "grant".descendantUuid ) select exists ( select $3 from grants where ascendantUuid = any(granteeIds) ) or grantedId = any(granteeIds) |
|
||||||
|
| 7 | 497 | 2 | 259 | select hoce1_0.uuid,hoce1_0.caption,hoce1_0.emailaddresses,hoce1_0.phonenumbers,hoce1_0.postaladdress,hoce1_0.version from public.hs_office_contact_rv hoce1_0 where hoce1_0.uuid=$1 |
|
||||||
|
| 8 | 497 | 2 | 255 | select hope1_0.uuid,hope1_0.familyname,hope1_0.givenname,hope1_0.persontype,hope1_0.salutation,hope1_0.title,hope1_0.tradename,hope1_0.version from public.hs_office_person_rv hope1_0 where hope1_0.uuid=$1 |
|
||||||
|
| 9 | 13.144 | 1 | 8 | SELECT createRoleWithGrants( hsHostingAssetTENANT(NEW), permissions => array[$7], incomingSuperRoles => array[ hsHostingAssetAGENT(NEW), hsOfficeContactADMIN(newAlarmContact)], outgoingSubRoles => array[ hsBookingItemTENANT(newBookingItem), hsHostingAssetTENANT(newParentAsset)] ) |
|
||||||
|
| 10 | 13.144 | 1 | 5 | SELECT createRoleWithGrants( hsHostingAssetADMIN(NEW), permissions => array[$7], incomingSuperRoles => array[ hsBookingItemAGENT(newBookingItem), hsHostingAssetAGENT(newParentAsset), hsHostingAssetOWNER(NEW)] ) |
|
||||||
|
|
||||||
|
That the `INSERT into hs_hosting_asset` (No. 1) takes up the most time, seems to be normal, and 21ms for each call is also fine.
|
||||||
|
|
||||||
|
It seems that the trigger effects (eg. No. 3 and No. 4) are included in the measure for the causing INSERT, otherwise summing up the totals would exceed the actual total time of the whole import. And it was to be expected that building the RBAC rules for new business objects takes most of the time.
|
||||||
|
|
||||||
|
In production, the `SELECT ... FROM hs_office_relation_rv` (No. 2) with about 0.5 seconds could still be a problem. But once we apply the improvements from the hosting asset area also to the office area, this should not be a problem for the import anymore.
|
||||||
|
|
||||||
|
|
||||||
|
## Further Options To Explore
|
||||||
|
|
||||||
|
1. Instead of separate SQL INSERT statements, we could try bulk INSERT.
|
||||||
|
2. We could use the SQL INSERT method for all entity-classes, or at least for all which have high row counts.
|
||||||
|
3. For the production code, we could use raw-entities for referenced entities, here usually RBAC SELECT permission is given anyway.
|
||||||
|
|
||||||
|
|
||||||
|
## The Problematically Huge Join
|
||||||
|
|
||||||
|
The origin problem was the expensive RBAC check for many SELECT queries.
|
||||||
|
This consists of two parts:
|
||||||
|
|
||||||
|
1. The recursive CTE query to determine which object's UUIDs are visible for the current subject.
|
||||||
|
This query itself takes currently about 250ms thus is no problem by itself as long as we only need it once per request.
|
||||||
|
2. Joining the result from 1. with the result if a business query.
|
||||||
|
The performance of the business query itself is no problem, for the join see the following explanations.
|
||||||
|
|
||||||
|
Superusers can see all objects (currently already over 90.000)
|
||||||
|
and even high level roles of customers with many hosting assets can see several thousand objects.
|
||||||
|
This is the one side of that problematic join.
|
||||||
|
|
||||||
|
The other side of that problematic is the result of the business query.
|
||||||
|
For example if a user wants to select all of their e-mail-addresses, that might easily half of the visible objects.
|
||||||
|
|
||||||
|
Thus, we would have a join of for example 5.000 x 2.500 rows, which is going to be slow.
|
||||||
|
As there are currently about 84.000 objects are hosting assets and 33.000 e-mail-addresses in our system,
|
||||||
|
for a superuser we would even run into an 84.0000 x 33.0000 join.
|
||||||
|
|
||||||
|
We found some solution approaches:
|
||||||
|
|
||||||
|
1. Getting rid of the `rbacrole` and `rbacpermission` table and only having implicit roles with implicit grants (OWNER->ADMIN->AGENT->TENENT->REFERRER) by comparison of ordered enum values and fixed permission assignments (e.g. OWENER->DELETE, ADMIN->UPDATE etc.). We could also get rid of the table `rbacreferece` if we enter users as business objects.
|
||||||
|
|
||||||
|
This should dramatically reduce the size of the table `rbackgrant` as well as the recusion levels.
|
||||||
|
|
||||||
|
But since we only apply this query once for each business query, that would only improve performance once we have way more objects in our system, but does not help our current problem.
|
||||||
|
|
||||||
|
It's quite some effort to implement even just a prototype, so we did not further explore this idea.
|
||||||
|
|
||||||
|
2. Adding the object type to the table `rbacObject` to reduce the size of the result of the recursive CTE query.
|
||||||
|
|
||||||
|
See chapter below.
|
||||||
|
|
||||||
|
3. Inverting the recursion of the CTE-query, combined with the type condition.
|
||||||
|
|
||||||
|
Instead of starting the recursion with `currentsubjectsuuids()`,
|
||||||
|
we could start it with the target table name and row-type,
|
||||||
|
then recurse down to the `currentsubjectsuuids()`.
|
||||||
|
|
||||||
|
In the end, we need the object UUIDs, though.
|
||||||
|
But if we start with the join of `rbacObject` with `rbacPermission`,
|
||||||
|
we need to forward the object UUIDs through the whole recursion.
|
||||||
|
|
||||||
|
This idea was not yet further explored.
|
||||||
|
|
||||||
|
|
||||||
|
### Adding The Object Type To The Table `rbacObject`
|
||||||
|
|
||||||
|
This optimization idea came from Michael Hierweck and was promising.
|
||||||
|
The idea is to reduce the size of the result of the recursive CTE query and maybe even speed up that query itself.
|
||||||
|
|
||||||
|
To evaluate this, I added a type column to the `rbacObject` table, initially as an enum hsHostingAssetType. Then I entered the type there for all rows from hs_hosting_asset. This means that 83,886 of 92,545 rows in `rbacobject` have a type set, leaving 8,659 without.
|
||||||
|
|
||||||
|
If we do this for other types (we currently have 1,271 relations and 927 booking items), it gets more complicated because they are different enum types. As varchar(16), we could lose performance again due to the higher storage space requirements.
|
||||||
|
|
||||||
|
But the performance gained is not particularly high anyway.
|
||||||
|
See the average seconds per recursive CTE select as role 'hs_hosting_asset:<DEBITOR>defaultproject:ADMIN',
|
||||||
|
joined with business query for all `'EMAIL_ADDRESSES'`:
|
||||||
|
|
||||||
|
| | D-1000000-hsh | D-1000300-mih |
|
||||||
|
|-----------------------------------------------------|------------------|---------------|
|
||||||
|
| currently (without type comparision in rbacobject): | ~3.30 - ~3.49 | ~0.23 |
|
||||||
|
| optimized (with type comparision in rbacobject): | ~2.99 - ~3.08 | ~0.21 |
|
||||||
|
|
||||||
|
As you can see, the query is no problem at all for normal customers (in the example, yours truly). With Hostsharing (D-1000000-hsh) it is quite slow.
|
||||||
|
|
||||||
|
Luckily this experiment also shows that it's not a big problem, having all hosting assets in the same database table.
|
||||||
|
|
||||||
|
Implementing this approach would be a bit difficult anyway, because we would need to transfer the type query parameter into the definition of the restricted view. We have not even the slightest idea how this could be done.
|
||||||
|
|
||||||
|
See the related queries in [recursive-cte-experiments-for-accessible-uuids.sql](../sql/recursive-cte-experiments-for-accessible-uuids.sql). They might have changed independently since this document was written, but you can still check out the old version from git.
|
||||||
|
|
||||||
|
### Rearranging the Parts of the CTE-Query
|
||||||
|
|
||||||
|
I also moved the function call which determines into its own WITH-section, with no improvement.
|
||||||
|
|
||||||
|
Experimentally I moved the business condition into the CTE SELECT, also with no improvement.
|
||||||
|
|
||||||
|
Such rearrangements seem to be successfully done by the PostgreSQL query optimizer.
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
### What we did Achieve?
|
||||||
|
|
||||||
|
In a first step, the total import runtime for office entities was reduced from about 25min to about 10min.
|
||||||
|
|
||||||
|
In a second step, we reduced the import of booking- and hosting-assets from about 100min (not counting the required office entities) to 5min.
|
||||||
|
|
||||||
|
### What did not Help?
|
||||||
|
|
||||||
|
Rearranging the CTE query by extracting parts into WITH-clauses did not improve the performance.
|
||||||
|
|
||||||
|
Surprisingly little performance gain (<10% improvement) came from reducing the result of the CTE query by moving the hosting asset type into RBAC-system and using it in the inner SELECT query instead of in the outer SELECT query of the application side.
|
||||||
|
|
||||||
|
### What did Help?
|
||||||
|
|
||||||
|
Merging the recursive CTE query to determine the RBAC SELECT-permission, made it more clear which business-queries take the time.
|
||||||
|
|
||||||
|
Avoiding EAGER-loading where not necessary, reduced the total runtime of the import to about the half.
|
||||||
|
|
||||||
|
The major improvement came from using direct INSERT statements, which avoided some SELECT statements unnecessarily generated by the EntityManager and also completely bypassed the RBAC SELECT permission checks.
|
||||||
|
|
||||||
|
### What Still Has To Be Done?
|
||||||
|
|
||||||
|
Where this performance analysis was mostly helping the performance of the legacy data import, we still need measures and improvements for the productive code.
|
||||||
|
|
||||||
|
For sure, using more LAZY-loading also helps in the production code. For some more ideas see section _Further Options To Explore_.
|
||||||
|
|
||||||
|
|
196
doc/rbac.md
196
doc/rbac.md
@ -1,6 +1,6 @@
|
|||||||
## *hsadmin-ng*'s Role-Based-Access-Management (RBAC)
|
## *hsadmin-ng*'s Role-Based-Access-Management (RBAC)
|
||||||
|
|
||||||
The requirements of *hsadmin-ng* include table-m row- and column-level-security for read and write access to business-objects.
|
The requirements of *hsadmin-ng* include table-, row- and column-level-security for read and write access to business-objects.
|
||||||
More precisely, any access has to be controlled according to given rules depending on the accessing users, their roles and the accessed business-object.
|
More precisely, any access has to be controlled according to given rules depending on the accessing users, their roles and the accessed business-object.
|
||||||
Further, roles and business-objects are hierarchical.
|
Further, roles and business-objects are hierarchical.
|
||||||
|
|
||||||
@ -11,7 +11,7 @@ Our implementation is based on Role-Based-Access-Management (RBAC) in conjunctio
|
|||||||
As far as possible, we are using the same terms as defined in the RBAC standard, for our function names though, we chose more expressive names.
|
As far as possible, we are using the same terms as defined in the RBAC standard, for our function names though, we chose more expressive names.
|
||||||
|
|
||||||
In RBAC, subjects can be assigned to roles, roles can be hierarchical and eventually have assigned permissions.
|
In RBAC, subjects can be assigned to roles, roles can be hierarchical and eventually have assigned permissions.
|
||||||
A permission allows a specific operation (e.g. view or edit) on a specific (business-) object.
|
A permission allows a specific operation (e.g. SELECT or UPDATE) on a specific (business-) object.
|
||||||
|
|
||||||
You can find the entity structure as a UML class diagram as follows:
|
You can find the entity structure as a UML class diagram as follows:
|
||||||
|
|
||||||
@ -101,13 +101,12 @@ package RBAC {
|
|||||||
RbacPermission *-- RbacObject
|
RbacPermission *-- RbacObject
|
||||||
|
|
||||||
enum RbacOperation {
|
enum RbacOperation {
|
||||||
add-package
|
INSERT:package
|
||||||
add-domain
|
INSERT:domain
|
||||||
add-domain
|
|
||||||
...
|
...
|
||||||
view
|
SELECT
|
||||||
edit
|
UPDATE
|
||||||
delete
|
DELETE
|
||||||
}
|
}
|
||||||
|
|
||||||
entity RbacObject {
|
entity RbacObject {
|
||||||
@ -172,11 +171,10 @@ An *RbacPermission* allows a specific *RbacOperation* on a specific *RbacObject*
|
|||||||
An *RbacOperation* determines, <u>what</u> an *RbacPermission* allows to do.
|
An *RbacOperation* determines, <u>what</u> an *RbacPermission* allows to do.
|
||||||
It can be one of:
|
It can be one of:
|
||||||
|
|
||||||
- **'add-...'** - permits creating new instances of specific entity types underneath the object specified by the permission, e.g. "add-package"
|
- **'INSERT'** - permits inserting new rows related to the row, to which the permission belongs, in the table which is specified an extra column, includes 'SELECT'
|
||||||
- **'view'** - permits reading the contents of the object specified by the permission
|
- **'SELECT'** - permits selecting the row specified by the permission, is included in all other permissions
|
||||||
- **'edit'** - change the contents of the object specified by the permission
|
- **'UPDATE'** - permits updating (only the updatable columns of) the row specified by the permission, includes 'SELECT'
|
||||||
- **'delete'** - delete the object specified by the permission
|
- **'DELETE'** - permits deleting the row specified by the permission, includes 'SELECT'
|
||||||
- **'\*'**
|
|
||||||
|
|
||||||
This list is extensible according to the needs of the access rule system.
|
This list is extensible according to the needs of the access rule system.
|
||||||
|
|
||||||
@ -198,56 +196,60 @@ E.g. if a new package is added, the admin-role of the related customer has to be
|
|||||||
There can be global roles like 'administrators'.
|
There can be global roles like 'administrators'.
|
||||||
Most roles, though, are specific for certain business-objects and automatically generated as such:
|
Most roles, though, are specific for certain business-objects and automatically generated as such:
|
||||||
|
|
||||||
business-object-table#business-object-name.relative-role
|
business-object-table#business-object-name.role-stereotype
|
||||||
|
|
||||||
|
|
||||||
Where *business-object-table* is the name of the SQL table of the business object (e.g *customer* or 'package'),
|
Where *business-object-table* is the name of the SQL table of the business object (e.g *customer* or 'package'),
|
||||||
*business-object-name* is generated from an immutable business key(e.g. a prefix like 'xyz' or 'xyz00')
|
*business-object-name* is generated from an immutable business key(e.g. a prefix like 'xyz' or 'xyz00')
|
||||||
and the *relative-role*' describes the role relative to the referenced business-object as follows:
|
and the *role-stereotype* describes a role relative to a referenced business-object as follows:
|
||||||
|
|
||||||
#### owner
|
#### owner
|
||||||
|
|
||||||
The owner-role is granted to the subject which created the business object.
|
The owner-role is granted to the subject which created the business object.
|
||||||
E.g. for a new *customer* it would be granted to 'administrators' and for a new *package* to the 'customer#...admin'.
|
E.g. for a new *customer* it would be granted to 'administrators' and for a new *package* to the 'customer#...:ADMIN'.
|
||||||
|
|
||||||
Whoever has the owner-role assigned can do everything with the related business-object, including deleting (or deactivating) it.
|
Whoever has the owner-role assigned can do everything with the related business-object, including deleting (or deactivating) it.
|
||||||
|
|
||||||
In most cases, the permissions to other operations than 'delete' are granted through the 'admin' role.
|
In most cases, the permissions to other operations than 'DELETE' are granted through the 'admin' role.
|
||||||
By this, all roles ob sub-objects, which are assigned to the 'admin' role, are also granted to the 'owner'.
|
By this, all roles ob sub-objects, which are assigned to the 'admin' role, are also granted to the 'owner'.
|
||||||
|
|
||||||
#### admin
|
#### ADMIN
|
||||||
|
|
||||||
The admin-role is granted to a role of those subjects who manage the business object.
|
The admin-role is granted to a role of those subjects who manage the business object.
|
||||||
E.g. a 'package' is manged by the admin of the customer.
|
E.g. a 'package' is manged by the admin of the customer.
|
||||||
|
|
||||||
Whoever has the admin-role assigned, can usually edit the related business-object but not deleting (or deactivating) it.
|
Whoever has the admin-role assigned, can usually update the related business-object but not delete (or deactivating) it.
|
||||||
|
|
||||||
The admin-role also comprises lesser roles, through which the view-permission is granted.
|
The admin-role also comprises lesser roles, through which the SELECT-permission is granted.
|
||||||
|
|
||||||
#### agent
|
#### AGENT
|
||||||
|
|
||||||
The agent-role is not used in the examples of this document, because it's for more complex cases.
|
The agent-role is not used in the examples of this document, because it's for more complex cases.
|
||||||
It's usually granted to those roles and users who represent the related business-object, but are not allowed to edit it.
|
It's usually granted to those roles and users who represent the related business-object, but are not allowed to update it.
|
||||||
|
|
||||||
Other than the tenant-role, it usually offers broader visibility of sub-business-objects (joined entities).
|
Other than the tenant-role, it usually offers broader visibility of sub-business-objects (joined entities).
|
||||||
E.g. a package-admin is allowed to see the related debitor-business-object,
|
E.g. a package-admin is allowed to see the related debitor-business-object,
|
||||||
but not its banking data.
|
but not its banking data.
|
||||||
|
|
||||||
#### tenant
|
#### TENANT
|
||||||
|
|
||||||
The tenant-role is granted to everybody who needs to be able to view the business-object and (probably some) related business-objects.
|
The tenant-role is granted to everybody who needs to be able to select the business-object and (probably some) related business-objects.
|
||||||
Usually all owners, admins and tenants of sub-objects get this role granted.
|
Usually all owners, admins and tenants of sub-objects get this role granted.
|
||||||
|
|
||||||
Some business-objects only have very limited data directly in the main business-object and store more sensitive data in special sub-objects (e.g. 'customer-details') to which tenants of sub-objects of the main-object (e.g. package admins) do not get view permission.
|
Some business-objects only have very limited data directly in the main business-object and store more sensitive data in special sub-objects (e.g. 'customer-details') to which tenants of sub-objects of the main-object (e.g. package admins) do not get SELECT permission.
|
||||||
|
|
||||||
#### guest
|
#### GUEST
|
||||||
|
|
||||||
|
(Deprecated)
|
||||||
|
|
||||||
|
#### REFERRER
|
||||||
|
|
||||||
Like the agent-role, the guest-role too is not used in the examples of this document, because it's for more complex cases.
|
Like the agent-role, the guest-role too is not used in the examples of this document, because it's for more complex cases.
|
||||||
|
|
||||||
If the guest-role exists, the view-permission is granted to it, instead of to the tenant-role.
|
If the referrer-role exists, the SELECT-permission is granted to it, instead of to the tenant-role.
|
||||||
Other than the tenant-role, the guest-roles does never grant any roles of related objects.
|
Other than the tenant-role, the referrer-roles does never grant any roles of related objects.
|
||||||
|
|
||||||
Also, if the guest-role exists, the tenant-role receives the view-permission through the guest-role.
|
Also, if the referrer-role exists, the tenant-role receives the SELECT-permission through the referrer-role.
|
||||||
|
|
||||||
|
|
||||||
### Referenced Business Objects and Role-Depreciation
|
### Referenced Business Objects and Role-Depreciation
|
||||||
@ -263,7 +265,7 @@ The admin-role of one object could be granted visibility to another object throu
|
|||||||
|
|
||||||
But not in all cases role-depreciation takes place.
|
But not in all cases role-depreciation takes place.
|
||||||
E.g. often a tenant-role is granted another tenant-role,
|
E.g. often a tenant-role is granted another tenant-role,
|
||||||
because it should be again allowed to view sub-objects.
|
because it should be again allowed to select sub-objects.
|
||||||
The same for the agent-role, often it is granted another agent-role.
|
The same for the agent-role, often it is granted another agent-role.
|
||||||
|
|
||||||
|
|
||||||
@ -297,14 +299,14 @@ package RbacRoles {
|
|||||||
RbacUsers -[hidden]> RbacRoles
|
RbacUsers -[hidden]> RbacRoles
|
||||||
|
|
||||||
package RbacPermissions {
|
package RbacPermissions {
|
||||||
object PermCustXyz_View
|
object PermCustXyz_SELECT
|
||||||
object PermCustXyz_Edit
|
object PermCustXyz_UPDATE
|
||||||
object PermCustXyz_Delete
|
object PermCustXyz_DELETE
|
||||||
object PermCustXyz_AddPackage
|
object PermCustXyz_INSERT:Package
|
||||||
object PermPackXyz00_View
|
object PermPackXyz00_SELECT
|
||||||
object PermPackXyz00_Edit
|
object PermPackXyz00_EDIT
|
||||||
object PermPackXyz00_Delete
|
object PermPackXyz00_DELETE
|
||||||
object PermPackXyz00_AddUser
|
object PermPackXyz00_INSERT:USER
|
||||||
}
|
}
|
||||||
RbacRoles -[hidden]> RbacPermissions
|
RbacRoles -[hidden]> RbacPermissions
|
||||||
|
|
||||||
@ -322,23 +324,23 @@ RoleAdministrators o..> RoleCustXyz_Owner
|
|||||||
RoleCustXyz_Owner o-> RoleCustXyz_Admin
|
RoleCustXyz_Owner o-> RoleCustXyz_Admin
|
||||||
RoleCustXyz_Admin o-> RolePackXyz00_Owner
|
RoleCustXyz_Admin o-> RolePackXyz00_Owner
|
||||||
|
|
||||||
RoleCustXyz_Owner o--> PermCustXyz_Edit
|
RoleCustXyz_Owner o--> PermCustXyz_UPDATE
|
||||||
RoleCustXyz_Owner o--> PermCustXyz_Delete
|
RoleCustXyz_Owner o--> PermCustXyz_DELETE
|
||||||
RoleCustXyz_Admin o--> PermCustXyz_View
|
RoleCustXyz_Admin o--> PermCustXyz_SELECT
|
||||||
RoleCustXyz_Admin o--> PermCustXyz_AddPackage
|
RoleCustXyz_Admin o--> PermCustXyz_INSERT:Package
|
||||||
RolePackXyz00_Owner o--> PermPackXyz00_View
|
RolePackXyz00_Owner o--> PermPackXyz00_SELECT
|
||||||
RolePackXyz00_Owner o--> PermPackXyz00_Edit
|
RolePackXyz00_Owner o--> PermPackXyz00_UPDATE
|
||||||
RolePackXyz00_Owner o--> PermPackXyz00_Delete
|
RolePackXyz00_Owner o--> PermPackXyz00_DELETE
|
||||||
RolePackXyz00_Owner o--> PermPackXyz00_AddUser
|
RolePackXyz00_Owner o--> PermPackXyz00_INSERT:User
|
||||||
|
|
||||||
PermCustXyz_View o--> CustXyz
|
PermCustXyz_SELECT o--> CustXyz
|
||||||
PermCustXyz_Edit o--> CustXyz
|
PermCustXyz_UPDATE o--> CustXyz
|
||||||
PermCustXyz_Delete o--> CustXyz
|
PermCustXyz_DELETE o--> CustXyz
|
||||||
PermCustXyz_AddPackage o--> CustXyz
|
PermCustXyz_INSERT:Package o--> CustXyz
|
||||||
PermPackXyz00_View o--> PackXyz00
|
PermPackXyz00_SELECT o--> PackXyz00
|
||||||
PermPackXyz00_Edit o--> PackXyz00
|
PermPackXyz00_UPDATE o--> PackXyz00
|
||||||
PermPackXyz00_Delete o--> PackXyz00
|
PermPackXyz00_DELETE o--> PackXyz00
|
||||||
PermPackXyz00_AddUser o--> PackXyz00
|
PermPackXyz00_INSERT:User o--> PackXyz00
|
||||||
|
|
||||||
@enduml
|
@enduml
|
||||||
```
|
```
|
||||||
@ -353,12 +355,12 @@ To support the RBAC system, for each business-object-table, some more artifacts
|
|||||||
|
|
||||||
Not yet implemented, but planned are these actions:
|
Not yet implemented, but planned are these actions:
|
||||||
|
|
||||||
- an `ON DELETE ... DO INSTEAD` rule to allow `SQL DELETE` if applicable for the business-object-table and the user has 'delete' permission,
|
- an `ON DELETE ... DO INSTEAD` rule to allow `SQL DELETE` if applicable for the business-object-table and the user has 'DELETE' permission,
|
||||||
- an `ON UPDATE ... DO INSTEAD` rule to allow `SQL UPDATE` if the user has 'edit' right,
|
- an `ON UPDATE ... DO INSTEAD` rule to allow `SQL UPDATE` if the user has 'UPDATE' right,
|
||||||
- an `ON INSERT ... DO INSTEAD` rule to allow `SQL INSERT` if the user has 'add-..' right to the parent-business-object.
|
- an `ON INSERT ... DO INSTEAD` rule to allow `SQL INSERT` if the user has the 'INSERT' right for the parent-business-object.
|
||||||
|
|
||||||
The restricted view takes the current user from a session property and applies the hierarchy of its roles all the way down to the permissions related to the respective business-object-table.
|
The restricted view takes the current user from a session property and applies the hierarchy of its roles all the way down to the permissions related to the respective business-object-table.
|
||||||
This way, each user can only view the data they have 'view'-permission for, only create those they have 'add-...'-permission, only update those they have 'edit'- and only delete those they have 'delete'-permission to.
|
This way, each user can only select the data they have 'SELECT'-permission for, only create those they have 'add-...'-permission, only update those they have 'UPDATE'- and only delete those they have 'DELETE'-permission to.
|
||||||
|
|
||||||
### Current User
|
### Current User
|
||||||
|
|
||||||
@ -374,7 +376,7 @@ That user is also used for historicization and audit log, but which is a differe
|
|||||||
If the session variable `hsadminng.assumedRoles` is set to a non-empty value, its content is interpreted as a list of semicolon-separated role names.
|
If the session variable `hsadminng.assumedRoles` is set to a non-empty value, its content is interpreted as a list of semicolon-separated role names.
|
||||||
Example:
|
Example:
|
||||||
|
|
||||||
SET LOCAL hsadminng.assumedRoles = 'customer#aab.admin;customer#aac.admin';
|
SET LOCAL hsadminng.assumedRoles = 'customer#aab:admin;customer#aac:admin';
|
||||||
|
|
||||||
In this case, not the current user but the assumed roles are used as a starting point for any further queries.
|
In this case, not the current user but the assumed roles are used as a starting point for any further queries.
|
||||||
Roles which are not granted to the current user, directly or indirectly, cannot be assumed.
|
Roles which are not granted to the current user, directly or indirectly, cannot be assumed.
|
||||||
@ -387,7 +389,7 @@ A full example is shown here:
|
|||||||
BEGIN TRANSACTION;
|
BEGIN TRANSACTION;
|
||||||
SET SESSION SESSION AUTHORIZATION restricted;
|
SET SESSION SESSION AUTHORIZATION restricted;
|
||||||
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
|
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
|
||||||
SET LOCAL hsadminng.assumedRoles = 'customer#aab.admin;customer#aac.admin';
|
SET LOCAL hsadminng.assumedRoles = 'customer#aab:admin;customer#aac:admin';
|
||||||
|
|
||||||
SELECT c.prefix, p.name as "package", ema.localPart || '@' || dom.name as "email-address"
|
SELECT c.prefix, p.name as "package", ema.localPart || '@' || dom.name as "email-address"
|
||||||
FROM emailaddress_rv ema
|
FROM emailaddress_rv ema
|
||||||
@ -458,26 +460,26 @@ allow_mixing
|
|||||||
entity "BObj customer#xyz" as boCustXyz
|
entity "BObj customer#xyz" as boCustXyz
|
||||||
|
|
||||||
together {
|
together {
|
||||||
entity "Perm customer#xyz *" as permCustomerXyzAll
|
entity "Perm customer#xyz *" as permCustomerXyzDELETE
|
||||||
permCustomerXyzAll --> boCustXyz
|
permCustomerXyzDELETE --> boCustXyz
|
||||||
|
|
||||||
entity "Perm customer#xyz add-package" as permCustomerXyzAddPack
|
entity "Perm customer#xyz INSERT:package" as permCustomerXyzINSERT:package
|
||||||
permCustomerXyzAddPack --> boCustXyz
|
permCustomerXyzINSERT:package --> boCustXyz
|
||||||
|
|
||||||
entity "Perm customer#xyz view" as permCustomerXyzView
|
entity "Perm customer#xyz SELECT" as permCustomerXyzSELECT
|
||||||
permCustomerXyzView --> boCustXyz
|
permCustomerXyzSELECT--> boCustXyz
|
||||||
}
|
}
|
||||||
|
|
||||||
entity "Role customer#xyz.tenant" as roleCustXyzTenant
|
entity "Role customer#xyz:TENANT" as roleCustXyzTenant
|
||||||
roleCustXyzTenant --> permCustomerXyzView
|
roleCustXyzTenant --> permCustomerXyzSELECT
|
||||||
|
|
||||||
entity "Role customer#xyz.admin" as roleCustXyzAdmin
|
entity "Role customer#xyz:ADMIN" as roleCustXyzAdmin
|
||||||
roleCustXyzAdmin --> roleCustXyzTenant
|
roleCustXyzAdmin --> roleCustXyzTenant
|
||||||
roleCustXyzAdmin --> permCustomerXyzAddPack
|
roleCustXyzAdmin --> permCustomerXyzINSERT:package
|
||||||
|
|
||||||
entity "Role customer#xyz.owner" as roleCustXyzOwner
|
entity "Role customer#xyz:OWNER" as roleCustXyzOwner
|
||||||
roleCustXyzOwner ..> roleCustXyzAdmin
|
roleCustXyzOwner ..> roleCustXyzAdmin
|
||||||
roleCustXyzOwner --> permCustomerXyzAll
|
roleCustXyzOwner --> permCustomerXyzDELETE
|
||||||
|
|
||||||
actor "Customer XYZ Admin" as actorCustXyzAdmin
|
actor "Customer XYZ Admin" as actorCustXyzAdmin
|
||||||
actorCustXyzAdmin --> roleCustXyzAdmin
|
actorCustXyzAdmin --> roleCustXyzAdmin
|
||||||
@ -487,13 +489,11 @@ roleAdmins --> roleCustXyzOwner
|
|||||||
|
|
||||||
actor "Any Hostmaster" as actorHostmaster
|
actor "Any Hostmaster" as actorHostmaster
|
||||||
actorHostmaster --> roleAdmins
|
actorHostmaster --> roleAdmins
|
||||||
|
|
||||||
|
|
||||||
@enduml
|
@enduml
|
||||||
```
|
```
|
||||||
|
|
||||||
As you can see, there something special:
|
As you can see, there something special:
|
||||||
From the 'Role customer#xyz.owner' to the 'Role customer#xyz.admin' there is a dashed line, whereas all other lines are solid lines.
|
From the 'Role customer#xyz:OWNER' to the 'Role customer#xyz:admin' there is a dashed line, whereas all other lines are solid lines.
|
||||||
Solid lines means, that one role is granted to another and automatically assumed in all queries to the restricted views.
|
Solid lines means, that one role is granted to another and automatically assumed in all queries to the restricted views.
|
||||||
The dashed line means that one role is granted to another but not automatically assumed in queries to the restricted views.
|
The dashed line means that one role is granted to another but not automatically assumed in queries to the restricted views.
|
||||||
|
|
||||||
@ -527,36 +527,36 @@ allow_mixing
|
|||||||
entity "BObj package#xyz00" as boPacXyz00
|
entity "BObj package#xyz00" as boPacXyz00
|
||||||
|
|
||||||
together {
|
together {
|
||||||
entity "Perm package#xyz00 *" as permPackageXyzAll
|
entity "Perm package#xyz00 *" as permPackageXyzDELETE
|
||||||
permPackageXyzAll --> boPacXyz00
|
permPackageXyzDELETE --> boPacXyz00
|
||||||
|
|
||||||
entity "Perm package#xyz00 add-domain" as permPacXyz00AddUser
|
entity "Perm package#xyz00 INSERT:domain" as permPacXyz00INSERT:user
|
||||||
permPacXyz00AddUser --> boPacXyz00
|
permPacXyz00INSERT:user --> boPacXyz00
|
||||||
|
|
||||||
entity "Perm package#xyz00 edit" as permPacXyz00Edit
|
entity "Perm package#xyz00 UPDATE" as permPacXyz00UPDATE
|
||||||
permPacXyz00Edit --> boPacXyz00
|
permPacXyz00UPDATE --> boPacXyz00
|
||||||
|
|
||||||
entity "Perm package#xyz00 view" as permPacXyz00View
|
entity "Perm package#xyz00 SELECT" as permPacXyz00SELECT
|
||||||
permPacXyz00View --> boPacXyz00
|
permPacXyz00SELECT --> boPacXyz00
|
||||||
}
|
}
|
||||||
|
|
||||||
package {
|
package {
|
||||||
entity "Role customer#xyz.tenant" as roleCustXyzTenant
|
entity "Role customer#xyz:TENANT" as roleCustXyzTenant
|
||||||
entity "Role customer#xyz.admin" as roleCustXyzAdmin
|
entity "Role customer#xyz:ADMIN" as roleCustXyzAdmin
|
||||||
entity "Role customer#xyz.owner" as roleCustXyzOwner
|
entity "Role customer#xyz:OWNER" as roleCustXyzOwner
|
||||||
}
|
}
|
||||||
|
|
||||||
package {
|
package {
|
||||||
entity "Role package#xyz00.owner" as rolePacXyz00Owner
|
entity "Role package#xyz00:OWNER" as rolePacXyz00Owner
|
||||||
entity "Role package#xyz00.admin" as rolePacXyz00Admin
|
entity "Role package#xyz00:ADMIN" as rolePacXyz00Admin
|
||||||
entity "Role package#xyz00.tenant" as rolePacXyz00Tenant
|
entity "Role package#xyz00:TENANT" as rolePacXyz00Tenant
|
||||||
}
|
}
|
||||||
|
|
||||||
rolePacXyz00Tenant --> permPacXyz00View
|
rolePacXyz00Tenant --> permPacXyz00SELECT
|
||||||
rolePacXyz00Tenant --> roleCustXyzTenant
|
rolePacXyz00Tenant --> roleCustXyzTenant
|
||||||
|
|
||||||
rolePacXyz00Owner --> rolePacXyz00Admin
|
rolePacXyz00Owner --> rolePacXyz00Admin
|
||||||
rolePacXyz00Owner --> permPackageXyzAll
|
rolePacXyz00Owner --> permPackageXyzDELETE
|
||||||
|
|
||||||
roleCustXyzAdmin --> rolePacXyz00Owner
|
roleCustXyzAdmin --> rolePacXyz00Owner
|
||||||
roleCustXyzAdmin --> roleCustXyzTenant
|
roleCustXyzAdmin --> roleCustXyzTenant
|
||||||
@ -564,8 +564,8 @@ roleCustXyzAdmin --> roleCustXyzTenant
|
|||||||
roleCustXyzOwner ..> roleCustXyzAdmin
|
roleCustXyzOwner ..> roleCustXyzAdmin
|
||||||
|
|
||||||
rolePacXyz00Admin --> rolePacXyz00Tenant
|
rolePacXyz00Admin --> rolePacXyz00Tenant
|
||||||
rolePacXyz00Admin --> permPacXyz00AddUser
|
rolePacXyz00Admin --> permPacXyz00INSERT:user
|
||||||
rolePacXyz00Admin --> permPacXyz00Edit
|
rolePacXyz00Admin --> permPacXyz00UPDATE
|
||||||
|
|
||||||
actor "Package XYZ00 Admin" as actorPacXyzAdmin
|
actor "Package XYZ00 Admin" as actorPacXyzAdmin
|
||||||
actorPacXyzAdmin -l-> rolePacXyz00Admin
|
actorPacXyzAdmin -l-> rolePacXyz00Admin
|
||||||
@ -624,10 +624,10 @@ Let's have a look at the two view queries:
|
|||||||
WHERE target.uuid IN (
|
WHERE target.uuid IN (
|
||||||
SELECT uuid
|
SELECT uuid
|
||||||
FROM queryAccessibleObjectUuidsOfSubjectIds(
|
FROM queryAccessibleObjectUuidsOfSubjectIds(
|
||||||
'view', 'customer', currentSubjectsUuids()));
|
'SELECT, 'customer', currentSubjectsUuids()));
|
||||||
|
|
||||||
This view should be automatically updatable.
|
This view should be automatically updatable.
|
||||||
Where, for updates, we actually have to check for 'edit' instead of 'view' operation, which makes it a bit more complicated.
|
Where, for updates, we actually have to check for 'UPDATE' instead of 'SELECT' operation, which makes it a bit more complicated.
|
||||||
|
|
||||||
With the larger dataset, the test suite initially needed over 7 seconds with this view query.
|
With the larger dataset, the test suite initially needed over 7 seconds with this view query.
|
||||||
At this point the second variant was tried.
|
At this point the second variant was tried.
|
||||||
@ -642,7 +642,7 @@ Looks like the query optimizer needed some statistics to find the best path.
|
|||||||
SELECT DISTINCT target.*
|
SELECT DISTINCT target.*
|
||||||
FROM customer AS target
|
FROM customer AS target
|
||||||
JOIN queryAccessibleObjectUuidsOfSubjectIds(
|
JOIN queryAccessibleObjectUuidsOfSubjectIds(
|
||||||
'view', 'customer', currentSubjectsUuids()) AS allowedObjId
|
'SELECT, 'customer', currentSubjectsUuids()) AS allowedObjId
|
||||||
ON target.uuid = allowedObjId;
|
ON target.uuid = allowedObjId;
|
||||||
|
|
||||||
This view cannot is not updatable automatically,
|
This view cannot is not updatable automatically,
|
||||||
@ -688,13 +688,13 @@ Otherwise, it would not be possible to assign roles to new users.
|
|||||||
|
|
||||||
All roles are system-defined and cannot be created or modified by any external API.
|
All roles are system-defined and cannot be created or modified by any external API.
|
||||||
|
|
||||||
Users can view only the roles to which they are assigned.
|
Users can view only the roles to which are granted to them.
|
||||||
|
|
||||||
## RbacGrant
|
## RbacGrant
|
||||||
|
|
||||||
Grant can be `empowered`, this means that the grantee user can grant the granted role to other users
|
Grant can be `empowered`, this means that the grantee user can grant the granted role to other users
|
||||||
and revoke grants to that role.
|
and revoke grants to that role.
|
||||||
(TODO: access control part not yet implemented)
|
(TODO: access control part not yet implemented, currently all accessible roles can be granted to other users)
|
||||||
|
|
||||||
Grants can be `managed`, which means they are created and deleted by system-defined rules.
|
Grants can be `managed`, which means they are created and deleted by system-defined rules.
|
||||||
If a grant is not managed, it was created by an empowered user and can be deleted by empowered users.
|
If a grant is not managed, it was created by an empowered user and can be deleted by empowered users.
|
||||||
|
@ -87,7 +87,7 @@ Acceptance-Tests run on a fully integrated and deployed system with deployed dou
|
|||||||
|
|
||||||
Acceptance-tests, are blackbox-tests and do <u>not</u> count into test-code-coverage.
|
Acceptance-tests, are blackbox-tests and do <u>not</u> count into test-code-coverage.
|
||||||
|
|
||||||
TODO: Complete the Acceptance-Tests test concept.
|
TODO.test: Complete the Acceptance-Tests test concept.
|
||||||
|
|
||||||
|
|
||||||
#### Performance-Tests
|
#### Performance-Tests
|
||||||
@ -107,4 +107,4 @@ We define System-Integration-Tests as test in which this system is deployed in a
|
|||||||
|
|
||||||
System-Integration-tests, are blackbox-tests and do <u>not</u> count into test-code-coverage.
|
System-Integration-tests, are blackbox-tests and do <u>not</u> count into test-code-coverage.
|
||||||
|
|
||||||
TODO: Complete the System-Integration-Tests test concept.
|
TODO.test: Complete the System-Integration-Tests test concept.
|
||||||
|
27
etc/docker-compose.yml
Normal file
27
etc/docker-compose.yml
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
version: '3.8'
|
||||||
|
|
||||||
|
services:
|
||||||
|
postgres:
|
||||||
|
image: postgres-with-contrib:15.5-bookworm
|
||||||
|
container_name: custom-postgres
|
||||||
|
environment:
|
||||||
|
POSTGRES_PASSWORD: password
|
||||||
|
volumes:
|
||||||
|
- ./postgresql-log-slow-queries.conf:/etc/postgresql/postgresql.conf
|
||||||
|
ports:
|
||||||
|
- "5432:5432"
|
||||||
|
command:
|
||||||
|
- bash
|
||||||
|
- -c
|
||||||
|
- >
|
||||||
|
apt-get update &&
|
||||||
|
apt-get install -y postgresql-contrib &&
|
||||||
|
docker-entrypoint.sh postgres -c config_file=/etc/postgresql/postgresql.conf
|
||||||
|
deploy:
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpus: '2'
|
||||||
|
memory: 8G
|
||||||
|
reservations:
|
||||||
|
cpus: '1'
|
||||||
|
memory: 2G
|
@ -1,33 +1,5 @@
|
|||||||
<?xml version="1.0" encoding="UTF-8"?>
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
|
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
|
||||||
<suppress>
|
|
||||||
<notes><![CDATA[
|
|
||||||
We don't use the Spring HTTP invoker which causes this vulnerability due to Java deserialization.
|
|
||||||
]]></notes>
|
|
||||||
<packageUrl regex="true">^pkg:maven/org\.springframework/spring-web@.*$</packageUrl>
|
|
||||||
<cve>CVE-2016-1000027</cve>
|
|
||||||
</suppress>
|
|
||||||
<suppress>
|
|
||||||
<notes><![CDATA[
|
|
||||||
We don't use the UNWRAP_SINGLE_VALUE_ARRAYS feature and thus are not affected.
|
|
||||||
]]></notes>
|
|
||||||
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
|
|
||||||
<cve>CVE-2022-42003</cve>
|
|
||||||
</suppress>
|
|
||||||
<suppress>
|
|
||||||
<notes><![CDATA[
|
|
||||||
We don't parse external XML.
|
|
||||||
]]></notes>
|
|
||||||
<packageUrl regex="true">^pkg:maven/org\.eclipse\.angus/angus\-activation@.*$</packageUrl>
|
|
||||||
<cpe>cpe:/a:eclipse:eclipse_ide</cpe>
|
|
||||||
</suppress>
|
|
||||||
<suppress>
|
|
||||||
<notes><![CDATA[
|
|
||||||
We don't parse external XML.
|
|
||||||
]]></notes>
|
|
||||||
<packageUrl regex="true">^pkg:maven/jakarta\.activation/jakarta\.activation\-api@.*$</packageUrl>
|
|
||||||
<cpe>cpe:/a:eclipse:eclipse_ide</cpe>
|
|
||||||
</suppress>
|
|
||||||
<suppress>
|
<suppress>
|
||||||
<notes><![CDATA[
|
<notes><![CDATA[
|
||||||
Cyclic references are not possible if file comes in JSON text format.
|
Cyclic references are not possible if file comes in JSON text format.
|
||||||
@ -35,13 +7,6 @@
|
|||||||
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
|
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
|
||||||
<cpe>cpe:/a:fasterxml:jackson-databind</cpe>
|
<cpe>cpe:/a:fasterxml:jackson-databind</cpe>
|
||||||
</suppress>
|
</suppress>
|
||||||
<suppress>
|
|
||||||
<notes><![CDATA[
|
|
||||||
As far as I see Criteria.parse(...) cannot be reached with external data.
|
|
||||||
]]></notes>
|
|
||||||
<packageUrl regex="true">^pkg:maven/com\.jayway\.jsonpath/json\-path@.*$</packageUrl>
|
|
||||||
<vulnerabilityName>CVE-2023-51074</vulnerabilityName>
|
|
||||||
</suppress>
|
|
||||||
<suppress>
|
<suppress>
|
||||||
<notes><![CDATA[
|
<notes><![CDATA[
|
||||||
Internal tooling, not exposed to the Internet.
|
Internal tooling, not exposed to the Internet.
|
||||||
@ -49,17 +14,4 @@
|
|||||||
<packageUrl regex="true">^pkg:maven/org\.pitest/pitest\-command\-line@.*$</packageUrl>
|
<packageUrl regex="true">^pkg:maven/org\.pitest/pitest\-command\-line@.*$</packageUrl>
|
||||||
<cpe>cpe:/a:line:line</cpe>
|
<cpe>cpe:/a:line:line</cpe>
|
||||||
</suppress>
|
</suppress>
|
||||||
<suppress>
|
|
||||||
<notes><![CDATA[
|
|
||||||
Spring Boot 3.1.x has a transient dependency to snakeyaml 1.3
|
|
||||||
which contains this vulnerability.
|
|
||||||
|
|
||||||
We've explicitly bumped to 2.2, but the vulnerability checker does not seem to notice that.
|
|
||||||
|
|
||||||
TODO: Remove this suppression once we are on SpringBoot 3.2,
|
|
||||||
as well as the explicit version bump and the transient dependency exclude.
|
|
||||||
]]></notes>
|
|
||||||
<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
|
|
||||||
<cve>CVE-2022-1471</cve>
|
|
||||||
</suppress>
|
|
||||||
</suppressions>
|
</suppressions>
|
||||||
|
10
etc/postgresql-log-slow-queries.conf
Normal file
10
etc/postgresql-log-slow-queries.conf
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
shared_preload_libraries = 'pg_stat_statements,auto_explain'
|
||||||
|
log_min_duration_statement = 1000
|
||||||
|
log_statement = 'all'
|
||||||
|
log_duration = on
|
||||||
|
pg_stat_statements.track = all
|
||||||
|
auto_explain.log_min_duration = '1s' # Logs queries taking longer than 1 second
|
||||||
|
auto_explain.log_analyze = on # Include actual run times
|
||||||
|
auto_explain.log_buffers = on # Include buffer usage statistics
|
||||||
|
auto_explain.log_format = 'json' # Format the log output in JSON
|
||||||
|
listen_addresses = '*'
|
@ -11,28 +11,4 @@ plugins {
|
|||||||
id 'org.gradle.toolchains.foojay-resolver-convention' version '0.7.0'
|
id 'org.gradle.toolchains.foojay-resolver-convention' version '0.7.0'
|
||||||
}
|
}
|
||||||
|
|
||||||
dependencyResolutionManagement {
|
|
||||||
components {
|
|
||||||
all {
|
|
||||||
allVariants {
|
|
||||||
withDependencies {
|
|
||||||
removeAll {
|
|
||||||
// Spring Boot 3.1.x has a transient dependency to snakeyaml 1.3
|
|
||||||
// which contains a severe vulnerability.
|
|
||||||
// Here we remove this transient dependency and in build.gradle
|
|
||||||
// we add an explicit dependency to snakeyaml 2.2,
|
|
||||||
// which does not have this vulnerability anymore.
|
|
||||||
//
|
|
||||||
// TODO: Check Once we are on SpringBoot 3.2.x, check if this exclude
|
|
||||||
// is still neccessary. If not:
|
|
||||||
// Remove it // as well as the related explicit dependency in build.gradle
|
|
||||||
// and the dependency suppression in owasp-dependency-check-suppression.xml.
|
|
||||||
it.module in [ 'snakeyaml' ]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
rootProject.name = 'hsadmin-ng'
|
rootProject.name = 'hsadmin-ng'
|
||||||
|
@ -1,53 +0,0 @@
|
|||||||
-- ========================================================
|
|
||||||
-- First Example Entity with History
|
|
||||||
-- --------------------------------------------------------
|
|
||||||
|
|
||||||
CREATE TABLE IF NOT EXISTS customer (
|
|
||||||
"id" SERIAL PRIMARY KEY,
|
|
||||||
"reference" int not null unique, -- 10000-99999
|
|
||||||
"prefix" character(3) unique
|
|
||||||
);
|
|
||||||
|
|
||||||
CALL create_historicization('customer');
|
|
||||||
|
|
||||||
|
|
||||||
-- ========================================================
|
|
||||||
-- Second Example Entity with History
|
|
||||||
-- --------------------------------------------------------
|
|
||||||
|
|
||||||
CREATE TABLE IF NOT EXISTS package_type (
|
|
||||||
"id" serial PRIMARY KEY,
|
|
||||||
"name" character varying(8)
|
|
||||||
);
|
|
||||||
|
|
||||||
CALL create_historicization('package_type');
|
|
||||||
|
|
||||||
-- ========================================================
|
|
||||||
-- Third Example Entity with History
|
|
||||||
-- --------------------------------------------------------
|
|
||||||
|
|
||||||
CREATE TABLE IF NOT EXISTS package (
|
|
||||||
"id" serial PRIMARY KEY,
|
|
||||||
"name" character varying(5),
|
|
||||||
"customer_id" INTEGER REFERENCES customer(id)
|
|
||||||
);
|
|
||||||
|
|
||||||
CALL create_historicization('package');
|
|
||||||
|
|
||||||
|
|
||||||
-- ========================================================
|
|
||||||
-- query historical data
|
|
||||||
-- --------------------------------------------------------
|
|
||||||
|
|
||||||
|
|
||||||
ABORT;
|
|
||||||
BEGIN TRANSACTION;
|
|
||||||
SET LOCAL hsadminng.currentUser TO 'mih42_customer_aaa';
|
|
||||||
SET LOCAL hsadminng.currentTask TO 'adding customer_aaa';
|
|
||||||
INSERT INTO package (customer_id, name) VALUES (10000, 'aaa00');
|
|
||||||
COMMIT;
|
|
||||||
-- Usage:
|
|
||||||
|
|
||||||
SET hsadminng.timestamp TO '2022-07-12 08:53:27.723315';
|
|
||||||
SET hsadminng.timestamp TO '2022-07-12 11:38:27.723315';
|
|
||||||
SELECT * FROM customer_hv p WHERE prefix = 'aaa';
|
|
@ -1,166 +1,39 @@
|
|||||||
|
|
||||||
-- ========================================================
|
-- ========================================================
|
||||||
-- Historization
|
-- Historization twiddle
|
||||||
-- --------------------------------------------------------
|
-- --------------------------------------------------------
|
||||||
|
|
||||||
CREATE TABLE "tx_history" (
|
rollback;
|
||||||
"tx_id" BIGINT NOT NULL UNIQUE,
|
begin transaction;
|
||||||
"tx_timestamp" TIMESTAMP NOT NULL,
|
call defineContext('historization testing', null, 'superuser-alex@hostsharing.net',
|
||||||
"user" VARCHAR(64) NOT NULL, -- references postgres user
|
-- 'hs_booking_project#D-1000000-hshdefaultproject:ADMIN'); -- prod+test
|
||||||
"task" VARCHAR NOT NULL
|
'hs_booking_project#D-1000313-D-1000313defaultproject:ADMIN'); -- prod+test
|
||||||
);
|
-- 'hs_booking_project#D-1000300-mihdefaultproject:ADMIN'); -- prod
|
||||||
|
-- 'hs_booking_project#D-1000300-mimdefaultproject:ADMIN'); -- test
|
||||||
|
-- update hs_hosting_asset set caption='lug00 b' where identifier = 'lug00' and type = 'MANAGED_WEBSPACE'; -- prod
|
||||||
|
-- update hs_hosting_asset set caption='hsh00 A ' || now()::text where identifier = 'hsh00' and type = 'MANAGED_WEBSPACE'; -- test
|
||||||
|
-- update hs_hosting_asset set caption='hsh00 B ' || now()::text where identifier = 'hsh00' and type = 'MANAGED_WEBSPACE'; -- test
|
||||||
|
|
||||||
CREATE TYPE "operation" AS ENUM ('INSERT', 'UPDATE', 'DELETE', 'TRUNCATE');
|
-- insert into hs_hosting_asset
|
||||||
|
-- (uuid, bookingitemuuid, type, parentassetuuid, assignedtoassetuuid, identifier, caption, config, alarmcontactuuid)
|
||||||
|
-- values
|
||||||
|
-- (uuid_generate_v4(), null, 'EMAIL_ADDRESS', 'bbda5895-0569-4e20-bb4c-34f3a38f3f63'::uuid, null,
|
||||||
|
-- 'new@thi.example.org', 'some new E-Mail-Address', '{}'::jsonb, null);
|
||||||
|
|
||||||
-- see https://www.postgresql.org/docs/current/plpgsql-trigger.html
|
delete from hs_hosting_asset where uuid='5aea68d2-3b55-464f-8362-b05c76c5a681'::uuid;
|
||||||
|
commit;
|
||||||
|
|
||||||
CREATE OR REPLACE FUNCTION historicize()
|
-- single version at point in time
|
||||||
RETURNS trigger
|
-- set hsadminng.tx_history_txid to (select max(txid) from tx_context where txtimestamp<='2024-08-27 12:13:13.450821');
|
||||||
LANGUAGE plpgsql STRICT AS $$
|
set hsadminng.tx_history_txid to '';
|
||||||
DECLARE
|
set hsadminng.tx_history_timestamp to '2024-08-29 12:42';
|
||||||
currentUser VARCHAR(64);
|
-- all versions
|
||||||
currentTask varchar;
|
select tx_history_txid(), txc.txtimestamp, txc.currentUser, txc.currentTask, haex.*
|
||||||
"row" RECORD;
|
from hs_hosting_asset_ex haex
|
||||||
"alive" BOOLEAN;
|
join tx_context txc on haex.txid=txc.txid
|
||||||
"sql" varchar;
|
where haex.identifier = 'test@thi.example.org';
|
||||||
BEGIN
|
|
||||||
-- determine user_id
|
|
||||||
BEGIN
|
|
||||||
currentUser := current_setting('hsadminng.currentUser');
|
|
||||||
EXCEPTION WHEN OTHERS THEN
|
|
||||||
currentUser := NULL;
|
|
||||||
END;
|
|
||||||
IF (currentUser IS NULL OR currentUser = '') THEN
|
|
||||||
RAISE EXCEPTION 'hsadminng.currentUser must be defined, please use "SET LOCAL ...;"';
|
|
||||||
END IF;
|
|
||||||
RAISE NOTICE 'currentUser: %', currentUser;
|
|
||||||
|
|
||||||
-- determine task
|
select uuid, version, type, identifier, caption from hs_hosting_asset_hv p where identifier = 'test@thi.example.org';
|
||||||
currentTask = current_setting('hsadminng.currentTask');
|
|
||||||
IF (currentTask IS NULL OR length(currentTask) < 12) THEN
|
|
||||||
RAISE EXCEPTION 'hsadminng.currentTask (%) must be defined and min 12 characters long, please use "SET LOCAL ...;"', currentTask;
|
|
||||||
END IF;
|
|
||||||
RAISE NOTICE 'currentTask: %', currentTask;
|
|
||||||
|
|
||||||
IF (TG_OP = 'INSERT') OR (TG_OP = 'UPDATE') THEN
|
select pg_current_xact_id();
|
||||||
"row" := NEW;
|
|
||||||
"alive" := TRUE;
|
|
||||||
ELSE -- DELETE or TRUNCATE
|
|
||||||
"row" := OLD;
|
|
||||||
"alive" := FALSE;
|
|
||||||
END IF;
|
|
||||||
|
|
||||||
sql := format('INSERT INTO tx_history VALUES (txid_current(), now(), %1L, %2L) ON CONFLICT DO NOTHING', currentUser, currentTask);
|
|
||||||
RAISE NOTICE 'sql: %', sql;
|
|
||||||
EXECUTE sql;
|
|
||||||
sql := format('INSERT INTO %3$I_versions VALUES (DEFAULT, txid_current(), %1$L, %2$L, $1.*)', TG_OP, alive, TG_TABLE_NAME);
|
|
||||||
RAISE NOTICE 'sql: %', sql;
|
|
||||||
EXECUTE sql USING "row";
|
|
||||||
|
|
||||||
RETURN "row";
|
|
||||||
END; $$;
|
|
||||||
|
|
||||||
CREATE OR REPLACE PROCEDURE create_historical_view(baseTable varchar)
|
|
||||||
LANGUAGE plpgsql AS $$
|
|
||||||
DECLARE
|
|
||||||
createTriggerSQL varchar;
|
|
||||||
viewName varchar;
|
|
||||||
versionsTable varchar;
|
|
||||||
createViewSQL varchar;
|
|
||||||
baseCols varchar;
|
|
||||||
BEGIN
|
|
||||||
|
|
||||||
viewName = quote_ident(format('%s_hv', baseTable));
|
|
||||||
versionsTable = quote_ident(format('%s_versions', baseTable));
|
|
||||||
baseCols = (SELECT string_agg(quote_ident(column_name), ', ')
|
|
||||||
FROM information_schema.columns
|
|
||||||
WHERE table_schema = 'public' AND table_name = baseTable);
|
|
||||||
|
|
||||||
createViewSQL = format(
|
|
||||||
'CREATE OR REPLACE VIEW %1$s AS' ||
|
|
||||||
'(' ||
|
|
||||||
' SELECT %2$s' ||
|
|
||||||
' FROM %3$s' ||
|
|
||||||
' WHERE alive = TRUE' ||
|
|
||||||
' AND version_id IN' ||
|
|
||||||
' (' ||
|
|
||||||
' SELECT max(vt.version_id) AS history_id' ||
|
|
||||||
' FROM %3$s AS vt' ||
|
|
||||||
' JOIN tx_history as txh ON vt.tx_id = txh.tx_id' ||
|
|
||||||
' WHERE txh.tx_timestamp <= current_setting(''hsadminng.timestamp'')::timestamp' ||
|
|
||||||
' GROUP BY id' ||
|
|
||||||
' )' ||
|
|
||||||
')',
|
|
||||||
viewName, baseCols, versionsTable
|
|
||||||
);
|
|
||||||
RAISE NOTICE 'sql: %', createViewSQL;
|
|
||||||
EXECUTE createViewSQL;
|
|
||||||
|
|
||||||
createTriggerSQL = 'CREATE TRIGGER ' || baseTable || '_historicize' ||
|
|
||||||
' AFTER INSERT OR DELETE OR UPDATE ON ' || baseTable ||
|
|
||||||
' FOR EACH ROW EXECUTE PROCEDURE historicize()';
|
|
||||||
RAISE NOTICE 'sql: %', createTriggerSQL;
|
|
||||||
EXECUTE createTriggerSQL;
|
|
||||||
|
|
||||||
END; $$;
|
|
||||||
|
|
||||||
CREATE OR REPLACE PROCEDURE create_historicization(baseTable varchar)
|
|
||||||
LANGUAGE plpgsql AS $$
|
|
||||||
DECLARE
|
|
||||||
createHistTableSql varchar;
|
|
||||||
createTriggerSQL varchar;
|
|
||||||
viewName varchar;
|
|
||||||
versionsTable varchar;
|
|
||||||
createViewSQL varchar;
|
|
||||||
baseCols varchar;
|
|
||||||
BEGIN
|
|
||||||
|
|
||||||
-- create the history table
|
|
||||||
createHistTableSql = '' ||
|
|
||||||
'CREATE TABLE ' || baseTable || '_versions (' ||
|
|
||||||
' version_id serial PRIMARY KEY,' ||
|
|
||||||
' tx_id bigint NOT NULL REFERENCES tx_history(tx_id),' ||
|
|
||||||
' trigger_op operation NOT NULL,' ||
|
|
||||||
' alive boolean not null,' ||
|
|
||||||
|
|
||||||
' LIKE ' || baseTable ||
|
|
||||||
' EXCLUDING CONSTRAINTS' ||
|
|
||||||
' EXCLUDING STATISTICS' ||
|
|
||||||
')';
|
|
||||||
RAISE NOTICE 'sql: %', createHistTableSql;
|
|
||||||
EXECUTE createHistTableSql;
|
|
||||||
|
|
||||||
-- create the historical view
|
|
||||||
viewName = quote_ident(format('%s_hv', baseTable));
|
|
||||||
versionsTable = quote_ident(format('%s_versions', baseTable));
|
|
||||||
baseCols = (SELECT string_agg(quote_ident(column_name), ', ')
|
|
||||||
FROM information_schema.columns
|
|
||||||
WHERE table_schema = 'public' AND table_name = baseTable);
|
|
||||||
|
|
||||||
createViewSQL = format(
|
|
||||||
'CREATE OR REPLACE VIEW %1$s AS' ||
|
|
||||||
'(' ||
|
|
||||||
' SELECT %2$s' ||
|
|
||||||
' FROM %3$s' ||
|
|
||||||
' WHERE alive = TRUE' ||
|
|
||||||
' AND version_id IN' ||
|
|
||||||
' (' ||
|
|
||||||
' SELECT max(vt.version_id) AS history_id' ||
|
|
||||||
' FROM %3$s AS vt' ||
|
|
||||||
' JOIN tx_history as txh ON vt.tx_id = txh.tx_id' ||
|
|
||||||
' WHERE txh.tx_timestamp <= current_setting(''hsadminng.timestamp'')::timestamp' ||
|
|
||||||
' GROUP BY id' ||
|
|
||||||
' )' ||
|
|
||||||
')',
|
|
||||||
viewName, baseCols, versionsTable
|
|
||||||
);
|
|
||||||
RAISE NOTICE 'sql: %', createViewSQL;
|
|
||||||
EXECUTE createViewSQL;
|
|
||||||
|
|
||||||
createTriggerSQL = 'CREATE TRIGGER ' || baseTable || '_historicize' ||
|
|
||||||
' AFTER INSERT OR DELETE OR UPDATE ON ' || baseTable ||
|
|
||||||
' FOR EACH ROW EXECUTE PROCEDURE historicize()';
|
|
||||||
RAISE NOTICE 'sql: %', createTriggerSQL;
|
|
||||||
EXECUTE createTriggerSQL;
|
|
||||||
|
|
||||||
END; $$;
|
|
||||||
|
@ -3,10 +3,10 @@
|
|||||||
-- --------------------------------------------------------
|
-- --------------------------------------------------------
|
||||||
|
|
||||||
|
|
||||||
select isGranted(findRoleId('administrators'), findRoleId('test_package#aaa00.owner'));
|
select isGranted(findRoleId('administrators'), findRoleId('test_package#aaa00:OWNER'));
|
||||||
select isGranted(findRoleId('test_package#aaa00.owner'), findRoleId('administrators'));
|
select isGranted(findRoleId('test_package#aaa00:OWNER'), findRoleId('administrators'));
|
||||||
-- call grantRoleToRole(findRoleId('test_package#aaa00.owner'), findRoleId('administrators'));
|
-- call grantRoleToRole(findRoleId('test_package#aaa00:OWNER'), findRoleId('administrators'));
|
||||||
-- call grantRoleToRole(findRoleId('administrators'), findRoleId('test_package#aaa00.owner'));
|
-- call grantRoleToRole(findRoleId('administrators'), findRoleId('test_package#aaa00:OWNER'));
|
||||||
|
|
||||||
select count(*)
|
select count(*)
|
||||||
FROM queryAllPermissionsOfSubjectIdForObjectUuids(findRbacUser('superuser-fran@hostsharing.net'),
|
FROM queryAllPermissionsOfSubjectIdForObjectUuids(findRbacUser('superuser-fran@hostsharing.net'),
|
||||||
@ -19,13 +19,13 @@ select *
|
|||||||
FROM queryAllPermissionsOfSubjectId(findRbacUser('rosa@example.com'));
|
FROM queryAllPermissionsOfSubjectId(findRbacUser('rosa@example.com'));
|
||||||
|
|
||||||
select *
|
select *
|
||||||
FROM queryAllRbacUsersWithPermissionsFor(findPermissionId('customer',
|
FROM queryAllRbacUsersWithPermissionsFor(findEffectivePermissionId('customer',
|
||||||
(SELECT uuid FROM RbacObject WHERE objectTable = 'customer' LIMIT 1),
|
(SELECT uuid FROM RbacObject WHERE objectTable = 'customer' LIMIT 1),
|
||||||
'add-package'));
|
'add-package'));
|
||||||
select *
|
select *
|
||||||
FROM queryAllRbacUsersWithPermissionsFor(findPermissionId('package',
|
FROM queryAllRbacUsersWithPermissionsFor(findEffectivePermissionId('package',
|
||||||
(SELECT uuid FROM RbacObject WHERE objectTable = 'package' LIMIT 1),
|
(SELECT uuid FROM RbacObject WHERE objectTable = 'package' LIMIT 1),
|
||||||
'delete'));
|
'DELETE'));
|
||||||
|
|
||||||
DO LANGUAGE plpgsql
|
DO LANGUAGE plpgsql
|
||||||
$$
|
$$
|
||||||
@ -39,7 +39,7 @@ $$
|
|||||||
RAISE EXCEPTION 'expected permission NOT to be granted, but it is';
|
RAISE EXCEPTION 'expected permission NOT to be granted, but it is';
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
result = (SELECT * FROM isPermissionGrantedToSubject(findPermissionId('package', 94928, 'view'), userId));
|
result = (SELECT * FROM isPermissionGrantedToSubject(findPermissionId('package', 94928, 'SELECT'), userId));
|
||||||
IF (NOT result) THEN
|
IF (NOT result) THEN
|
||||||
RAISE EXCEPTION 'expected permission to be granted, but it is NOT';
|
RAISE EXCEPTION 'expected permission to be granted, but it is NOT';
|
||||||
end if;
|
end if;
|
||||||
|
@ -20,7 +20,7 @@ CREATE POLICY customer_policy ON customer
|
|||||||
TO restricted
|
TO restricted
|
||||||
USING (
|
USING (
|
||||||
-- id=1000
|
-- id=1000
|
||||||
isPermissionGrantedToSubject(findPermissionId('test_customer', id, 'view'), currentUserUuid())
|
isPermissionGrantedToSubject(findEffectivePermissionId('test_customer', id, 'SELECT'), currentUserUuid())
|
||||||
);
|
);
|
||||||
|
|
||||||
SET SESSION AUTHORIZATION restricted;
|
SET SESSION AUTHORIZATION restricted;
|
||||||
@ -35,7 +35,7 @@ SELECT * FROM customer;
|
|||||||
CREATE OR REPLACE RULE "_RETURN" AS
|
CREATE OR REPLACE RULE "_RETURN" AS
|
||||||
ON SELECT TO cust_view
|
ON SELECT TO cust_view
|
||||||
DO INSTEAD
|
DO INSTEAD
|
||||||
SELECT * FROM customer WHERE isPermissionGrantedToSubject(findPermissionId('test_customer', id, 'view'), currentUserUuid());
|
SELECT * FROM customer WHERE isPermissionGrantedToSubject(findEffectivePermissionId('test_customer', id, 'SELECT'), currentUserUuid());
|
||||||
SELECT * from cust_view LIMIT 10;
|
SELECT * from cust_view LIMIT 10;
|
||||||
|
|
||||||
select queryAllPermissionsOfSubjectId(findRbacUser('superuser-alex@hostsharing.net'));
|
select queryAllPermissionsOfSubjectId(findRbacUser('superuser-alex@hostsharing.net'));
|
||||||
@ -52,7 +52,7 @@ CREATE OR REPLACE RULE "_RETURN" AS
|
|||||||
DO INSTEAD
|
DO INSTEAD
|
||||||
SELECT c.uuid, c.reference, c.prefix FROM customer AS c
|
SELECT c.uuid, c.reference, c.prefix FROM customer AS c
|
||||||
JOIN queryAllPermissionsOfSubjectId(currentUserUuid()) AS p
|
JOIN queryAllPermissionsOfSubjectId(currentUserUuid()) AS p
|
||||||
ON p.objectTable='test_customer' AND p.objectUuid=c.uuid AND p.op in ('*', 'view');
|
ON p.objectTable='test_customer' AND p.objectUuid=c.uuid;
|
||||||
GRANT ALL PRIVILEGES ON cust_view TO restricted;
|
GRANT ALL PRIVILEGES ON cust_view TO restricted;
|
||||||
|
|
||||||
SET SESSION SESSION AUTHORIZATION restricted;
|
SET SESSION SESSION AUTHORIZATION restricted;
|
||||||
@ -68,7 +68,7 @@ CREATE OR REPLACE VIEW cust_view AS
|
|||||||
SELECT c.uuid, c.reference, c.prefix
|
SELECT c.uuid, c.reference, c.prefix
|
||||||
FROM customer AS c
|
FROM customer AS c
|
||||||
JOIN queryAllPermissionsOfSubjectId(currentUserUuid()) AS p
|
JOIN queryAllPermissionsOfSubjectId(currentUserUuid()) AS p
|
||||||
ON p.objectUuid=c.uuid AND p.op in ('*', 'view');
|
ON p.objectUuid=c.uuid;
|
||||||
GRANT ALL PRIVILEGES ON cust_view TO restricted;
|
GRANT ALL PRIVILEGES ON cust_view TO restricted;
|
||||||
|
|
||||||
SET SESSION SESSION AUTHORIZATION restricted;
|
SET SESSION SESSION AUTHORIZATION restricted;
|
||||||
@ -81,9 +81,9 @@ select rr.uuid, rr.type from RbacGrants g
|
|||||||
join RbacReference RR on g.ascendantUuid = RR.uuid
|
join RbacReference RR on g.ascendantUuid = RR.uuid
|
||||||
where g.descendantUuid in (
|
where g.descendantUuid in (
|
||||||
select uuid from queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com'))
|
select uuid from queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com'))
|
||||||
where objectTable='test_customer' and op in ('*', 'view'));
|
where objectTable='test_customer');
|
||||||
|
|
||||||
call grantRoleToUser(findRoleId('test_customer#aaa.admin'), findRbacUser('aaaaouq@example.com'));
|
call grantRoleToUser(findRoleId('test_customer#aaa:ADMIN'), findRbacUser('aaaaouq@example.com'));
|
||||||
|
|
||||||
select queryAllPermissionsOfSubjectId(findRbacUser('aaaaouq@example.com'));
|
select queryAllPermissionsOfSubjectId(findRbacUser('aaaaouq@example.com'));
|
||||||
|
|
||||||
|
175
sql/recursive-cte-experiments-for-accessible-uuids.sql
Normal file
175
sql/recursive-cte-experiments-for-accessible-uuids.sql
Normal file
@ -0,0 +1,175 @@
|
|||||||
|
-- just a permanent playground to explore optimization of the central recursive CTE query for RBAC
|
||||||
|
|
||||||
|
select * from hs_statistics_view;
|
||||||
|
|
||||||
|
-- ========================================================
|
||||||
|
|
||||||
|
-- This is the extracted recursive CTE query to determine the visible object UUIDs of a single table
|
||||||
|
-- (and optionally the hosting-asset-type) as a separate VIEW.
|
||||||
|
-- In the generated code this is part of the hs_hosting_asset_rv VIEW.
|
||||||
|
|
||||||
|
drop view if exists hs_hosting_asset_example_gv;
|
||||||
|
create view hs_hosting_asset_example_gv as
|
||||||
|
with recursive
|
||||||
|
recursive_grants as (
|
||||||
|
select distinct rbacgrants.descendantuuid,
|
||||||
|
rbacgrants.ascendantuuid,
|
||||||
|
1 as level,
|
||||||
|
true
|
||||||
|
from rbacgrants
|
||||||
|
where (rbacgrants.ascendantuuid = any (currentsubjectsuuids()))
|
||||||
|
and rbacgrants.assumed
|
||||||
|
union all
|
||||||
|
select distinct g.descendantuuid,
|
||||||
|
g.ascendantuuid,
|
||||||
|
grants.level + 1 as level,
|
||||||
|
assertTrue(grants.level < 22, 'too many grant-levels: ' || grants.level)
|
||||||
|
from rbacgrants g
|
||||||
|
join recursive_grants grants on grants.descendantuuid = g.ascendantuuid
|
||||||
|
where g.assumed
|
||||||
|
),
|
||||||
|
grant_count as (
|
||||||
|
select count(*) as grant_count from recursive_grants
|
||||||
|
),
|
||||||
|
count_check as (
|
||||||
|
select assertTrue((select grant_count from grant_count) < 600000,
|
||||||
|
'too many grants for current subjects: ' || (select grant_count from grant_count)) as valid
|
||||||
|
)
|
||||||
|
select distinct perm.objectuuid
|
||||||
|
from recursive_grants
|
||||||
|
join rbacpermission perm on recursive_grants.descendantuuid = perm.uuid
|
||||||
|
join rbacobject obj on obj.uuid = perm.objectuuid
|
||||||
|
join count_check cc on cc.valid
|
||||||
|
where obj.objecttable::text = 'hs_hosting_asset'::text
|
||||||
|
-- with/without this type condition
|
||||||
|
-- and obj.type = 'EMAIL_ADDRESS'::hshostingassettype
|
||||||
|
and obj.type = 'EMAIL_ADDRESS'::hshostingassettype
|
||||||
|
;
|
||||||
|
|
||||||
|
-- -----------------------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
-- A query just on the above view, only determining visible objects, no JOIN with business data:
|
||||||
|
|
||||||
|
rollback transaction;
|
||||||
|
begin transaction;
|
||||||
|
CALL defineContext('performance testing', null, 'superuser-alex@hostsharing.net',
|
||||||
|
'hs_booking_project#D-1000000-hshdefaultproject:ADMIN');
|
||||||
|
-- 'hs_booking_project#D-1000300-mihdefaultproject:ADMIN');
|
||||||
|
SET TRANSACTION READ ONLY;
|
||||||
|
EXPLAIN ANALYZE select * from hs_hosting_asset_example_gv;
|
||||||
|
end transaction ;
|
||||||
|
|
||||||
|
-- ========================================================
|
||||||
|
|
||||||
|
-- An example for a restricted view (_rv) similar to the one generated by our RBAC system,
|
||||||
|
-- but using the above separate VIEW to determine the visible objects.
|
||||||
|
|
||||||
|
drop view if exists hs_hosting_asset_example_rv;
|
||||||
|
create view hs_hosting_asset_example_rv as
|
||||||
|
with accessible_hs_hosting_asset_uuids as (
|
||||||
|
select * from hs_hosting_asset_example_gv
|
||||||
|
)
|
||||||
|
select target.*
|
||||||
|
from hs_hosting_asset target
|
||||||
|
where (target.uuid in (select accessible_hs_hosting_asset_uuids.objectuuid
|
||||||
|
from accessible_hs_hosting_asset_uuids));
|
||||||
|
|
||||||
|
-- -------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
-- performing several queries on the above view to determine average performance:
|
||||||
|
|
||||||
|
rollback transaction;
|
||||||
|
DO language plpgsql $$
|
||||||
|
DECLARE
|
||||||
|
start_time timestamp;
|
||||||
|
end_time timestamp;
|
||||||
|
total_time interval;
|
||||||
|
letter char(1);
|
||||||
|
BEGIN
|
||||||
|
start_time := clock_timestamp();
|
||||||
|
|
||||||
|
CALL defineContext('performance testing', null, 'superuser-alex@hostsharing.net',
|
||||||
|
'hs_booking_project#D-1000000-hshdefaultproject:ADMIN');
|
||||||
|
-- 'hs_booking_project#D-1000300-mihdefaultproject:ADMIN');
|
||||||
|
SET TRANSACTION READ ONLY;
|
||||||
|
|
||||||
|
FOR i IN 0..25 LOOP
|
||||||
|
letter := chr(i+ascii('a'));
|
||||||
|
PERFORM count(*) from (
|
||||||
|
|
||||||
|
-- An example for a business query based on the view:
|
||||||
|
select type, uuid, identifier, caption
|
||||||
|
from hs_hosting_asset_example_rv
|
||||||
|
where type = 'EMAIL_ADDRESS'
|
||||||
|
and identifier like letter || '%'
|
||||||
|
-- end of the business query example.
|
||||||
|
|
||||||
|
) AS timed;
|
||||||
|
|
||||||
|
END LOOP;
|
||||||
|
|
||||||
|
end_time := clock_timestamp();
|
||||||
|
total_time := end_time - start_time;
|
||||||
|
|
||||||
|
RAISE NOTICE 'average execution time: %', total_time/26;
|
||||||
|
END;
|
||||||
|
$$;
|
||||||
|
|
||||||
|
-- average seconds per recursive CTE select as role 'hs_hosting_asset:<DEBITOR>defaultproject:ADMIN'
|
||||||
|
-- joined with business query for all 'EMAIL_ADDRESSES':
|
||||||
|
-- D-1000000-hsh D-1000300-mih
|
||||||
|
-- - without type comparison in rbacobject: ~3.30 - ~3.49 ~0.23
|
||||||
|
-- - with type comparison in rbacobject: ~2.99 - ~3.08 ~0.21
|
||||||
|
|
||||||
|
-- -------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
-- and a single query, so EXPLAIN can be used
|
||||||
|
|
||||||
|
rollback transaction;
|
||||||
|
begin transaction;
|
||||||
|
CALL defineContext('performance testing', null, 'superuser-alex@hostsharing.net',
|
||||||
|
'hs_booking_project#D-1000000-hshdefaultproject:ADMIN');
|
||||||
|
-- 'hs_booking_project#D-1000300-mihdefaultproject:ADMIN');
|
||||||
|
SET TRANSACTION READ ONLY;
|
||||||
|
|
||||||
|
EXPLAIN SELECT * from (
|
||||||
|
|
||||||
|
-- An example for a business query based on the view:
|
||||||
|
select type, uuid, identifier, caption
|
||||||
|
from hs_hosting_asset_example_rv
|
||||||
|
where type = 'EMAIL_ADDRESS'
|
||||||
|
-- and identifier like 'b%'
|
||||||
|
-- end of the business query example.
|
||||||
|
|
||||||
|
) ha;
|
||||||
|
|
||||||
|
end transaction;
|
||||||
|
|
||||||
|
-- =============================================================================
|
||||||
|
|
||||||
|
-- extending the rbacobject table:
|
||||||
|
|
||||||
|
alter table rbacobject
|
||||||
|
-- just for performance testing, we would need a joined enum or a varchar(16) which would make it slow
|
||||||
|
add column type hshostingassettype;
|
||||||
|
|
||||||
|
-- and fill the type column with hs_hosting_asset types:
|
||||||
|
|
||||||
|
rollback transaction;
|
||||||
|
begin transaction;
|
||||||
|
call defineContext('setting rbacobject.type from hs_hosting_asset.type', null, 'superuser-alex@hostsharing.net');
|
||||||
|
|
||||||
|
UPDATE rbacobject
|
||||||
|
SET type = hs.type
|
||||||
|
FROM hs_hosting_asset hs
|
||||||
|
WHERE rbacobject.uuid = hs.uuid;
|
||||||
|
|
||||||
|
end transaction;
|
||||||
|
|
||||||
|
-- check the result:
|
||||||
|
|
||||||
|
select
|
||||||
|
(select count(*) as "total" from rbacobject),
|
||||||
|
(select count(*) as "not null" from rbacobject where type is not null),
|
||||||
|
(select count(*) as "null" from rbacobject where type is null);
|
||||||
|
|
@ -15,11 +15,9 @@ import java.util.Collections;
|
|||||||
import java.util.Optional;
|
import java.util.Optional;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
import java.util.UUID;
|
import java.util.UUID;
|
||||||
import java.util.function.Function;
|
|
||||||
import java.util.stream.Collectors;
|
import java.util.stream.Collectors;
|
||||||
|
|
||||||
import static java.util.function.Predicate.not;
|
import static java.util.function.Predicate.not;
|
||||||
import static net.hostsharing.hsadminng.mapper.PostgresArray.fromPostgresArray;
|
|
||||||
import static org.springframework.transaction.annotation.Propagation.MANDATORY;
|
import static org.springframework.transaction.annotation.Propagation.MANDATORY;
|
||||||
|
|
||||||
@Service
|
@Service
|
||||||
@ -55,16 +53,15 @@ public class Context {
|
|||||||
final String currentRequest,
|
final String currentRequest,
|
||||||
final String currentUser,
|
final String currentUser,
|
||||||
final String assumedRoles) {
|
final String assumedRoles) {
|
||||||
final var query = em.createNativeQuery(
|
final var query = em.createNativeQuery("""
|
||||||
"""
|
|
||||||
call defineContext(
|
call defineContext(
|
||||||
cast(:currentTask as varchar),
|
cast(:currentTask as varchar(127)),
|
||||||
cast(:currentRequest as varchar),
|
cast(:currentRequest as text),
|
||||||
cast(:currentUser as varchar),
|
cast(:currentUser as varchar(63)),
|
||||||
cast(:assumedRoles as varchar));
|
cast(:assumedRoles as varchar(1023)));
|
||||||
""");
|
""");
|
||||||
query.setParameter("currentTask", shortenToMaxLength(currentTask, 96));
|
query.setParameter("currentTask", shortenToMaxLength(currentTask, 127));
|
||||||
query.setParameter("currentRequest", shortenToMaxLength(currentRequest, 512)); // TODO.spec: length?
|
query.setParameter("currentRequest", currentRequest);
|
||||||
query.setParameter("currentUser", currentUser);
|
query.setParameter("currentUser", currentUser);
|
||||||
query.setParameter("assumedRoles", assumedRoles != null ? assumedRoles : "");
|
query.setParameter("assumedRoles", assumedRoles != null ? assumedRoles : "");
|
||||||
query.executeUpdate();
|
query.executeUpdate();
|
||||||
@ -83,14 +80,11 @@ public class Context {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public String[] getAssumedRoles() {
|
public String[] getAssumedRoles() {
|
||||||
final byte[] result = (byte[]) em.createNativeQuery("select assumedRoles() as roles", String[].class).getSingleResult();
|
return (String[]) em.createNativeQuery("select assumedRoles() as roles", String[].class).getSingleResult();
|
||||||
return fromPostgresArray(result, String.class, Function.identity());
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public UUID[] currentSubjectsUuids() {
|
public UUID[] currentSubjectsUuids() {
|
||||||
final byte[] result = (byte[]) em.createNativeQuery("select currentSubjectsUuids() as uuids", UUID[].class)
|
return (UUID[]) em.createNativeQuery("select currentSubjectsUuids() as uuids", UUID[].class).getSingleResult();
|
||||||
.getSingleResult();
|
|
||||||
return fromPostgresArray(result, UUID.class, UUID::fromString);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public static String getCallerMethodNameFromStackFrame(final int skipFrames) {
|
public static String getCallerMethodNameFromStackFrame(final int skipFrames) {
|
||||||
|
@ -9,7 +9,7 @@ import org.springframework.web.context.request.WebRequest;
|
|||||||
import java.time.LocalDateTime;
|
import java.time.LocalDateTime;
|
||||||
|
|
||||||
@Getter
|
@Getter
|
||||||
class CustomErrorResponse {
|
public class CustomErrorResponse {
|
||||||
|
|
||||||
static ResponseEntity<CustomErrorResponse> errorResponse(
|
static ResponseEntity<CustomErrorResponse> errorResponse(
|
||||||
final WebRequest request,
|
final WebRequest request,
|
||||||
@ -46,6 +46,6 @@ class CustomErrorResponse {
|
|||||||
this.path = path;
|
this.path = path;
|
||||||
this.statusCode = status.value();
|
this.statusCode = status.value();
|
||||||
this.statusPhrase = status.getReasonPhrase();
|
this.statusPhrase = status.getReasonPhrase();
|
||||||
this.message = message;
|
this.message = message.startsWith("ERROR: [") ? message : "ERROR: [" + statusCode + "] " + message;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -0,0 +1,24 @@
|
|||||||
|
package net.hostsharing.hsadminng.errors;
|
||||||
|
|
||||||
|
import jakarta.validation.constraints.NotNull;
|
||||||
|
import java.lang.annotation.ElementType;
|
||||||
|
import java.lang.annotation.Retention;
|
||||||
|
import java.lang.annotation.RetentionPolicy;
|
||||||
|
import java.lang.annotation.Target;
|
||||||
|
|
||||||
|
@Target(ElementType.TYPE)
|
||||||
|
@Retention(RetentionPolicy.RUNTIME)
|
||||||
|
public @interface DisplayAs {
|
||||||
|
class DisplayName {
|
||||||
|
public static String of(final Class<?> clazz) {
|
||||||
|
final var displayNameAnnot = clazz.getAnnotation(DisplayAs.class);
|
||||||
|
return displayNameAnnot != null ? displayNameAnnot.value() : clazz.getSimpleName();
|
||||||
|
}
|
||||||
|
|
||||||
|
public static String of(@NotNull final Object instance) {
|
||||||
|
return of(instance.getClass());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
String value() default "";
|
||||||
|
}
|
@ -1,12 +0,0 @@
|
|||||||
package net.hostsharing.hsadminng.errors;
|
|
||||||
|
|
||||||
import java.lang.annotation.ElementType;
|
|
||||||
import java.lang.annotation.Retention;
|
|
||||||
import java.lang.annotation.RetentionPolicy;
|
|
||||||
import java.lang.annotation.Target;
|
|
||||||
|
|
||||||
@Target(ElementType.TYPE)
|
|
||||||
@Retention(RetentionPolicy.RUNTIME)
|
|
||||||
public @interface DisplayName {
|
|
||||||
String value() default "";
|
|
||||||
}
|
|
@ -0,0 +1,23 @@
|
|||||||
|
package net.hostsharing.hsadminng.errors;
|
||||||
|
|
||||||
|
import jakarta.validation.ValidationException;
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
import static java.lang.String.join;
|
||||||
|
|
||||||
|
public class MultiValidationException extends ValidationException {
|
||||||
|
|
||||||
|
private MultiValidationException(final List<String> violations) {
|
||||||
|
super(
|
||||||
|
violations.size() > 1
|
||||||
|
? "[\n" + join(",\n", violations) + "\n]"
|
||||||
|
: "[" + join(",\n", violations) + "]"
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static void throwIfNotEmpty(final List<String> violations) {
|
||||||
|
if (!violations.isEmpty()) {
|
||||||
|
throw new MultiValidationException(violations);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,19 @@
|
|||||||
|
package net.hostsharing.hsadminng.errors;
|
||||||
|
|
||||||
|
import java.util.UUID;
|
||||||
|
|
||||||
|
public class ReferenceNotFoundException extends RuntimeException {
|
||||||
|
|
||||||
|
private final Class<?> entityClass;
|
||||||
|
private final UUID uuid;
|
||||||
|
public <E> ReferenceNotFoundException(final Class<E> entityClass, final UUID uuid, final Throwable exc) {
|
||||||
|
super(exc);
|
||||||
|
this.entityClass = entityClass;
|
||||||
|
this.uuid = uuid;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getMessage() {
|
||||||
|
return "Cannot resolve " + entityClass.getSimpleName() +" with uuid " + uuid;
|
||||||
|
}
|
||||||
|
}
|
@ -11,16 +11,18 @@ import org.springframework.http.converter.HttpMessageNotReadableException;
|
|||||||
import org.springframework.lang.Nullable;
|
import org.springframework.lang.Nullable;
|
||||||
import org.springframework.orm.jpa.JpaObjectRetrievalFailureException;
|
import org.springframework.orm.jpa.JpaObjectRetrievalFailureException;
|
||||||
import org.springframework.orm.jpa.JpaSystemException;
|
import org.springframework.orm.jpa.JpaSystemException;
|
||||||
|
import org.springframework.validation.FieldError;
|
||||||
|
import org.springframework.validation.method.ParameterValidationResult;
|
||||||
import org.springframework.web.bind.MethodArgumentNotValidException;
|
import org.springframework.web.bind.MethodArgumentNotValidException;
|
||||||
import org.springframework.web.bind.annotation.ControllerAdvice;
|
import org.springframework.web.bind.annotation.ControllerAdvice;
|
||||||
import org.springframework.web.bind.annotation.ExceptionHandler;
|
import org.springframework.web.bind.annotation.ExceptionHandler;
|
||||||
import org.springframework.web.context.request.WebRequest;
|
import org.springframework.web.context.request.WebRequest;
|
||||||
|
import org.springframework.web.method.annotation.HandlerMethodValidationException;
|
||||||
import org.springframework.web.servlet.mvc.method.annotation.ResponseEntityExceptionHandler;
|
import org.springframework.web.servlet.mvc.method.annotation.ResponseEntityExceptionHandler;
|
||||||
|
|
||||||
import jakarta.persistence.EntityNotFoundException;
|
import jakarta.persistence.EntityNotFoundException;
|
||||||
import jakarta.validation.ValidationException;
|
import jakarta.validation.ValidationException;
|
||||||
import java.util.NoSuchElementException;
|
import java.util.*;
|
||||||
import java.util.Optional;
|
|
||||||
import java.util.regex.Pattern;
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
import static net.hostsharing.hsadminng.errors.CustomErrorResponse.*;
|
import static net.hostsharing.hsadminng.errors.CustomErrorResponse.*;
|
||||||
@ -45,7 +47,7 @@ public class RestResponseEntityExceptionHandler
|
|||||||
protected ResponseEntity<CustomErrorResponse> handleJpaExceptions(
|
protected ResponseEntity<CustomErrorResponse> handleJpaExceptions(
|
||||||
final RuntimeException exc, final WebRequest request) {
|
final RuntimeException exc, final WebRequest request) {
|
||||||
final var message = line(NestedExceptionUtils.getMostSpecificCause(exc).getMessage(), 0);
|
final var message = line(NestedExceptionUtils.getMostSpecificCause(exc).getMessage(), 0);
|
||||||
return errorResponse(request, httpStatus(message).orElse(HttpStatus.INTERNAL_SERVER_ERROR), message);
|
return errorResponse(request, httpStatus(exc, message).orElse(HttpStatus.INTERNAL_SERVER_ERROR), message);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ExceptionHandler(NoSuchElementException.class)
|
@ExceptionHandler(NoSuchElementException.class)
|
||||||
@ -55,6 +57,12 @@ public class RestResponseEntityExceptionHandler
|
|||||||
return errorResponse(request, HttpStatus.NOT_FOUND, message);
|
return errorResponse(request, HttpStatus.NOT_FOUND, message);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ExceptionHandler(ReferenceNotFoundException.class)
|
||||||
|
protected ResponseEntity<CustomErrorResponse> handleReferenceNotFoundException(
|
||||||
|
final ReferenceNotFoundException exc, final WebRequest request) {
|
||||||
|
return errorResponse(request, HttpStatus.BAD_REQUEST, exc.getMessage());
|
||||||
|
}
|
||||||
|
|
||||||
@ExceptionHandler({ JpaObjectRetrievalFailureException.class, EntityNotFoundException.class })
|
@ExceptionHandler({ JpaObjectRetrievalFailureException.class, EntityNotFoundException.class })
|
||||||
protected ResponseEntity<CustomErrorResponse> handleJpaObjectRetrievalFailureException(
|
protected ResponseEntity<CustomErrorResponse> handleJpaObjectRetrievalFailureException(
|
||||||
final RuntimeException exc, final WebRequest request) {
|
final RuntimeException exc, final WebRequest request) {
|
||||||
@ -65,17 +73,19 @@ public class RestResponseEntityExceptionHandler
|
|||||||
}
|
}
|
||||||
|
|
||||||
@ExceptionHandler({ Iban4jException.class, ValidationException.class })
|
@ExceptionHandler({ Iban4jException.class, ValidationException.class })
|
||||||
protected ResponseEntity<CustomErrorResponse> handleIbanAndBicExceptions(
|
protected ResponseEntity<CustomErrorResponse> handleValidationExceptions(
|
||||||
final Throwable exc, final WebRequest request) {
|
final Throwable exc, final WebRequest request) {
|
||||||
final var message = line(NestedExceptionUtils.getMostSpecificCause(exc).getMessage(), 0);
|
final String fullMessage = NestedExceptionUtils.getMostSpecificCause(exc).getMessage();
|
||||||
|
final var message = exc instanceof MultiValidationException ? fullMessage : line(fullMessage, 0);
|
||||||
return errorResponse(request, HttpStatus.BAD_REQUEST, message);
|
return errorResponse(request, HttpStatus.BAD_REQUEST, message);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ExceptionHandler(Throwable.class)
|
@ExceptionHandler(Throwable.class)
|
||||||
protected ResponseEntity<CustomErrorResponse> handleOtherExceptions(
|
protected ResponseEntity<CustomErrorResponse> handleOtherExceptions(
|
||||||
final Throwable exc, final WebRequest request) {
|
final Throwable exc, final WebRequest request) {
|
||||||
final var message = firstMessageLine(NestedExceptionUtils.getMostSpecificCause(exc));
|
final var causingException = NestedExceptionUtils.getMostSpecificCause(exc);
|
||||||
return errorResponse(request, httpStatus(message).orElse(HttpStatus.INTERNAL_SERVER_ERROR), message);
|
final var message = firstMessageLine(causingException);
|
||||||
|
return errorResponse(request, httpStatus(causingException, message).orElse(HttpStatus.INTERNAL_SERVER_ERROR), message);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
@ -112,6 +122,28 @@ public class RestResponseEntityExceptionHandler
|
|||||||
return errorResponse(request, HttpStatus.BAD_REQUEST, errorList.toString());
|
return errorResponse(request, HttpStatus.BAD_REQUEST, errorList.toString());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@SuppressWarnings("unchecked,rawtypes")
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected ResponseEntity handleHandlerMethodValidationException(
|
||||||
|
final HandlerMethodValidationException exc,
|
||||||
|
final HttpHeaders headers,
|
||||||
|
final HttpStatusCode status,
|
||||||
|
final WebRequest request) {
|
||||||
|
final var errorList = exc
|
||||||
|
.getAllValidationResults()
|
||||||
|
.stream()
|
||||||
|
.map(ParameterValidationResult::getResolvableErrors)
|
||||||
|
.flatMap(Collection::stream)
|
||||||
|
.filter(FieldError.class::isInstance)
|
||||||
|
.map(FieldError.class::cast)
|
||||||
|
.map(fieldError -> fieldError.getField() + " " + fieldError.getDefaultMessage() + " but is \""
|
||||||
|
+ fieldError.getRejectedValue() + "\"")
|
||||||
|
.toList();
|
||||||
|
return errorResponse(request, HttpStatus.BAD_REQUEST, errorList.toString());
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
private String userReadableEntityClassName(final String exceptionMessage) {
|
private String userReadableEntityClassName(final String exceptionMessage) {
|
||||||
final var regex = "(net.hostsharing.hsadminng.[a-z0-9_.]*.[A-Za-z0-9_$]*Entity) ";
|
final var regex = "(net.hostsharing.hsadminng.[a-z0-9_.]*.[A-Za-z0-9_$]*Entity) ";
|
||||||
final var pattern = Pattern.compile(regex);
|
final var pattern = Pattern.compile(regex);
|
||||||
@ -120,8 +152,8 @@ public class RestResponseEntityExceptionHandler
|
|||||||
final var entityName = matcher.group(1);
|
final var entityName = matcher.group(1);
|
||||||
final var entityClass = resolveClass(entityName);
|
final var entityClass = resolveClass(entityName);
|
||||||
if (entityClass.isPresent()) {
|
if (entityClass.isPresent()) {
|
||||||
return (entityClass.get().isAnnotationPresent(DisplayName.class)
|
return (entityClass.get().isAnnotationPresent(DisplayAs.class)
|
||||||
? exceptionMessage.replace(entityName, entityClass.get().getAnnotation(DisplayName.class).value())
|
? exceptionMessage.replace(entityName, entityClass.get().getAnnotation(DisplayAs.class).value())
|
||||||
: exceptionMessage.replace(entityName, entityClass.get().getSimpleName()))
|
: exceptionMessage.replace(entityName, entityClass.get().getSimpleName()))
|
||||||
.replace(" with id ", " with uuid ");
|
.replace(" with id ", " with uuid ");
|
||||||
}
|
}
|
||||||
@ -138,7 +170,10 @@ public class RestResponseEntityExceptionHandler
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private Optional<HttpStatus> httpStatus(final String message) {
|
private Optional<HttpStatus> httpStatus(final Throwable causingException, final String message) {
|
||||||
|
if ( EntityNotFoundException.class.isInstance(causingException) ) {
|
||||||
|
return Optional.of(HttpStatus.BAD_REQUEST);
|
||||||
|
}
|
||||||
if (message.startsWith("ERROR: [")) {
|
if (message.startsWith("ERROR: [")) {
|
||||||
for (HttpStatus status : HttpStatus.values()) {
|
for (HttpStatus status : HttpStatus.values()) {
|
||||||
if (message.startsWith("ERROR: [" + status.value() + "]")) {
|
if (message.startsWith("ERROR: [" + status.value() + "]")) {
|
||||||
|
130
src/main/java/net/hostsharing/hsadminng/hash/HashGenerator.java
Normal file
130
src/main/java/net/hostsharing/hsadminng/hash/HashGenerator.java
Normal file
@ -0,0 +1,130 @@
|
|||||||
|
package net.hostsharing.hsadminng.hash;
|
||||||
|
|
||||||
|
import java.security.SecureRandom;
|
||||||
|
import java.util.Arrays;
|
||||||
|
import java.util.PriorityQueue;
|
||||||
|
import java.util.Queue;
|
||||||
|
import java.util.function.BiFunction;
|
||||||
|
import java.util.random.RandomGenerator;
|
||||||
|
|
||||||
|
import lombok.Getter;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Usage-example to generate hash:
|
||||||
|
* HashGenerator.using(LINUX_SHA512).withRandomSalt().hash("plaintext password");
|
||||||
|
*
|
||||||
|
* Usage-example to verify hash:
|
||||||
|
* HashGenerator.fromHash("hashed password).verify("plaintext password");
|
||||||
|
*/
|
||||||
|
@Getter
|
||||||
|
public final class HashGenerator {
|
||||||
|
|
||||||
|
private static final RandomGenerator random = new SecureRandom();
|
||||||
|
private static final Queue<String> predefinedSalts = new PriorityQueue<>();
|
||||||
|
|
||||||
|
public static final int RANDOM_SALT_LENGTH = 16;
|
||||||
|
private static final String RANDOM_SALT_CHARACTERS =
|
||||||
|
"abcdefghijklmnopqrstuvwxyz" +
|
||||||
|
"ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
|
||||||
|
"0123456789/.";
|
||||||
|
private static boolean couldBeHashEnabled; // TODO.impl: remove after legacy data is migrated
|
||||||
|
|
||||||
|
public enum Algorithm {
|
||||||
|
LINUX_SHA512(LinuxEtcShadowHashGenerator::hash, "6"),
|
||||||
|
LINUX_YESCRYPT(LinuxEtcShadowHashGenerator::hash, "y", "j9T$") {
|
||||||
|
@Override
|
||||||
|
String enrichedSalt(final String salt) {
|
||||||
|
return prefix + "$" + (salt.startsWith(optionalParam) ? salt : optionalParam + salt);
|
||||||
|
}
|
||||||
|
},
|
||||||
|
MYSQL_NATIVE(MySQLNativePasswordHashGenerator::hash, "*"),
|
||||||
|
SCRAM_SHA256(PostgreSQLScramSHA256::hash, "SCRAM-SHA-256");
|
||||||
|
|
||||||
|
final BiFunction<HashGenerator, String, String> implementation;
|
||||||
|
final String prefix;
|
||||||
|
final String optionalParam;
|
||||||
|
|
||||||
|
Algorithm(BiFunction<HashGenerator, String, String> implementation, final String prefix, final String optionalParam) {
|
||||||
|
this.implementation = implementation;
|
||||||
|
this.prefix = prefix;
|
||||||
|
this.optionalParam = optionalParam;
|
||||||
|
}
|
||||||
|
|
||||||
|
Algorithm(BiFunction<HashGenerator, String, String> implementation, final String prefix) {
|
||||||
|
this(implementation, prefix, null);
|
||||||
|
}
|
||||||
|
|
||||||
|
static Algorithm byPrefix(final String prefix) {
|
||||||
|
return Arrays.stream(Algorithm.values()).filter(a -> a.prefix.equals(prefix)).findAny()
|
||||||
|
.orElseThrow(() -> new IllegalArgumentException("unknown hash algorithm: '" + prefix + "'"));
|
||||||
|
}
|
||||||
|
|
||||||
|
String enrichedSalt(final String salt) {
|
||||||
|
return prefix + "$" + salt;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private final Algorithm algorithm;
|
||||||
|
private String salt;
|
||||||
|
|
||||||
|
public static HashGenerator using(final Algorithm algorithm) {
|
||||||
|
return new HashGenerator(algorithm);
|
||||||
|
}
|
||||||
|
|
||||||
|
private HashGenerator(final Algorithm algorithm) {
|
||||||
|
this.algorithm = algorithm;
|
||||||
|
}
|
||||||
|
|
||||||
|
public static void enableCouldBeHash(final boolean enable) {
|
||||||
|
couldBeHashEnabled = enable;
|
||||||
|
}
|
||||||
|
|
||||||
|
public boolean couldBeHash(final String value) {
|
||||||
|
return couldBeHashEnabled && value.startsWith(algorithm.prefix);
|
||||||
|
}
|
||||||
|
|
||||||
|
public String hash(final String plaintextPassword) {
|
||||||
|
if (plaintextPassword == null) {
|
||||||
|
throw new IllegalStateException("no password given");
|
||||||
|
}
|
||||||
|
|
||||||
|
final var hash = algorithm.implementation.apply(this, plaintextPassword);
|
||||||
|
if (hash.length() < plaintextPassword.length()) {
|
||||||
|
throw new AssertionError("generated hash too short: " + hash);
|
||||||
|
}
|
||||||
|
return hash;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String hashIfNotYetHashed(final String plaintextPasswordOrHash) {
|
||||||
|
return couldBeHash(plaintextPasswordOrHash)
|
||||||
|
? plaintextPasswordOrHash
|
||||||
|
: hash(plaintextPasswordOrHash);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static void nextSalt(final String salt) {
|
||||||
|
predefinedSalts.add(salt);
|
||||||
|
}
|
||||||
|
|
||||||
|
public HashGenerator withSalt(final String salt) {
|
||||||
|
this.salt = salt;
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
|
public HashGenerator withRandomSalt() {
|
||||||
|
if (!predefinedSalts.isEmpty()) {
|
||||||
|
return withSalt(predefinedSalts.poll());
|
||||||
|
}
|
||||||
|
final var stringBuilder = new StringBuilder(RANDOM_SALT_LENGTH);
|
||||||
|
for (int i = 0; i < RANDOM_SALT_LENGTH; ++i) {
|
||||||
|
int randomIndex = random.nextInt(RANDOM_SALT_CHARACTERS.length());
|
||||||
|
stringBuilder.append(RANDOM_SALT_CHARACTERS.charAt(randomIndex));
|
||||||
|
}
|
||||||
|
return withSalt(stringBuilder.toString());
|
||||||
|
}
|
||||||
|
|
||||||
|
public static void main(String[] args) {
|
||||||
|
System.out.println(
|
||||||
|
HashGenerator.using(Algorithm.LINUX_YESCRYPT).withRandomSalt().hash("my plaintext domain transfer passphrase")
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,36 @@
|
|||||||
|
package net.hostsharing.hsadminng.hash;
|
||||||
|
|
||||||
|
import com.sun.jna.Library;
|
||||||
|
import com.sun.jna.Native;
|
||||||
|
|
||||||
|
public class LinuxEtcShadowHashGenerator {
|
||||||
|
|
||||||
|
public static String hash(final HashGenerator generator, final String payload) {
|
||||||
|
if (generator.getSalt() == null) {
|
||||||
|
throw new IllegalStateException("no salt given");
|
||||||
|
}
|
||||||
|
|
||||||
|
return NativeCryptLibrary.INSTANCE.crypt(payload, "$" + generator.getAlgorithm().enrichedSalt(generator.getSalt()));
|
||||||
|
}
|
||||||
|
|
||||||
|
public static void verify(final String givenHash, final String payload) {
|
||||||
|
|
||||||
|
final var parts = givenHash.split("\\$");
|
||||||
|
if (parts.length < 3 || parts.length > 5) {
|
||||||
|
throw new IllegalArgumentException("hash with unknown hash method: " + givenHash);
|
||||||
|
}
|
||||||
|
|
||||||
|
final var algorithm = HashGenerator.Algorithm.byPrefix(parts[1]);
|
||||||
|
final var salt = parts.length == 4 ? parts[2] : parts[2] + "$" + parts[3];
|
||||||
|
final var calculatedHash = HashGenerator.using(algorithm).withSalt(salt).hash(payload);
|
||||||
|
if (!calculatedHash.equals(givenHash)) {
|
||||||
|
throw new IllegalArgumentException("invalid password");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public interface NativeCryptLibrary extends Library {
|
||||||
|
NativeCryptLibrary INSTANCE = Native.load("crypt", NativeCryptLibrary.class);
|
||||||
|
|
||||||
|
String crypt(String password, String salt);
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,35 @@
|
|||||||
|
package net.hostsharing.hsadminng.hash;
|
||||||
|
|
||||||
|
import java.security.MessageDigest;
|
||||||
|
import java.security.NoSuchAlgorithmException;
|
||||||
|
|
||||||
|
public class MySQLNativePasswordHashGenerator {
|
||||||
|
|
||||||
|
public static String hash(final HashGenerator generator, final String password) {
|
||||||
|
// TODO.impl: if a random salt is generated or not should be part of the algorithm definition
|
||||||
|
// if (generator.getSalt() != null) {
|
||||||
|
// throw new IllegalStateException("salt not supported");
|
||||||
|
// }
|
||||||
|
|
||||||
|
try {
|
||||||
|
final var sha1 = MessageDigest.getInstance("SHA-1");
|
||||||
|
final var firstHash = sha1.digest(password.getBytes());
|
||||||
|
final var secondHash = sha1.digest(firstHash);
|
||||||
|
return "*" + bytesToHex(secondHash).toUpperCase();
|
||||||
|
} catch (NoSuchAlgorithmException e) {
|
||||||
|
throw new RuntimeException("SHA-1 algorithm not found", e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private static String bytesToHex(byte[] bytes) {
|
||||||
|
final var hexString = new StringBuilder();
|
||||||
|
for (byte b : bytes) {
|
||||||
|
final var hex = Integer.toHexString(0xff & b);
|
||||||
|
if (hex.length() == 1) {
|
||||||
|
hexString.append('0');
|
||||||
|
}
|
||||||
|
hexString.append(hex);
|
||||||
|
}
|
||||||
|
return hexString.toString();
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,61 @@
|
|||||||
|
package net.hostsharing.hsadminng.hash;
|
||||||
|
|
||||||
|
import lombok.SneakyThrows;
|
||||||
|
|
||||||
|
import javax.crypto.Mac;
|
||||||
|
import javax.crypto.SecretKeyFactory;
|
||||||
|
import javax.crypto.spec.PBEKeySpec;
|
||||||
|
import javax.crypto.spec.SecretKeySpec;
|
||||||
|
import java.nio.charset.Charset;
|
||||||
|
import java.security.InvalidKeyException;
|
||||||
|
import java.security.MessageDigest;
|
||||||
|
import java.security.NoSuchAlgorithmException;
|
||||||
|
import java.security.spec.InvalidKeySpecException;
|
||||||
|
import java.util.Base64;
|
||||||
|
|
||||||
|
public class PostgreSQLScramSHA256 {
|
||||||
|
|
||||||
|
private static final String PBKDF_2_WITH_HMAC_SHA256 = "PBKDF2WithHmacSHA256";
|
||||||
|
private static final String HMAC_SHA256 = "HmacSHA256";
|
||||||
|
private static final String SHA256 = "SHA-256";
|
||||||
|
private static final int ITERATIONS = 4096;
|
||||||
|
public static final int KEY_LENGTH_IN_BITS = 256;
|
||||||
|
|
||||||
|
private static final PostgreSQLScramSHA256 scram = new PostgreSQLScramSHA256();
|
||||||
|
|
||||||
|
@SneakyThrows
|
||||||
|
public static String hash(final HashGenerator generator, final String password) {
|
||||||
|
if (generator.getSalt() == null) {
|
||||||
|
throw new IllegalStateException("no salt given");
|
||||||
|
}
|
||||||
|
|
||||||
|
final byte[] salt = generator.getSalt().getBytes(Charset.forName("latin1")); // Base64.getEncoder().encode(generator.getSalt().getBytes());
|
||||||
|
final byte[] saltedPassword = scram.generateSaltedPassword(password, salt);
|
||||||
|
final byte[] clientKey = scram.hmacSHA256(saltedPassword, "Client Key".getBytes());
|
||||||
|
final byte[] storedKey = MessageDigest.getInstance(SHA256).digest(clientKey);
|
||||||
|
final byte[] serverKey = scram.hmacSHA256(saltedPassword, "Server Key".getBytes());
|
||||||
|
|
||||||
|
return "SCRAM-SHA-256${iterations}:{base64EncodedSalt}${base64EncodedStoredKey}:{base64EncodedServerKey}"
|
||||||
|
.replace("{iterations}", Integer.toString(ITERATIONS))
|
||||||
|
.replace("{base64EncodedSalt}", base64(salt))
|
||||||
|
.replace("{base64EncodedStoredKey}", base64(storedKey))
|
||||||
|
.replace("{base64EncodedServerKey}", base64(serverKey));
|
||||||
|
}
|
||||||
|
|
||||||
|
private static String base64(final byte[] salt) {
|
||||||
|
return Base64.getEncoder().encodeToString(salt);
|
||||||
|
}
|
||||||
|
|
||||||
|
private byte[] generateSaltedPassword(String password, byte[] salt) throws NoSuchAlgorithmException, InvalidKeySpecException {
|
||||||
|
final var spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, KEY_LENGTH_IN_BITS);
|
||||||
|
return SecretKeyFactory.getInstance(PBKDF_2_WITH_HMAC_SHA256).generateSecret(spec).getEncoded();
|
||||||
|
}
|
||||||
|
|
||||||
|
private byte[] hmacSHA256(byte[] key, byte[] message)
|
||||||
|
throws NoSuchAlgorithmException, InvalidKeyException {
|
||||||
|
final var mac = Mac.getInstance(HMAC_SHA256);
|
||||||
|
mac.init(new SecretKeySpec(key, HMAC_SHA256));
|
||||||
|
return mac.doFinal(message);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,55 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.debitor;
|
||||||
|
|
||||||
|
import lombok.AllArgsConstructor;
|
||||||
|
import lombok.Builder;
|
||||||
|
import lombok.Getter;
|
||||||
|
import lombok.NoArgsConstructor;
|
||||||
|
import net.hostsharing.hsadminng.errors.DisplayAs;
|
||||||
|
import net.hostsharing.hsadminng.stringify.Stringify;
|
||||||
|
import net.hostsharing.hsadminng.stringify.Stringifyable;
|
||||||
|
|
||||||
|
import jakarta.persistence.Column;
|
||||||
|
import jakarta.persistence.Entity;
|
||||||
|
import jakarta.persistence.Id;
|
||||||
|
import jakarta.persistence.Table;
|
||||||
|
import java.util.UUID;
|
||||||
|
|
||||||
|
import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
|
||||||
|
|
||||||
|
// a partial HsOfficeDebitorEntity to reduce the number of SQL queries to load the entity
|
||||||
|
@Entity
|
||||||
|
@Table(name = "hs_booking_debitor_xv")
|
||||||
|
@Getter
|
||||||
|
@Builder
|
||||||
|
@NoArgsConstructor
|
||||||
|
@AllArgsConstructor
|
||||||
|
@DisplayAs("BookingDebitor")
|
||||||
|
public class HsBookingDebitorEntity implements Stringifyable {
|
||||||
|
|
||||||
|
public static final String DEBITOR_NUMBER_TAG = "D-";
|
||||||
|
|
||||||
|
private static Stringify<HsBookingDebitorEntity> stringify =
|
||||||
|
stringify(HsBookingDebitorEntity.class, "booking-debitor")
|
||||||
|
.withIdProp(HsBookingDebitorEntity::toShortString)
|
||||||
|
.withProp(HsBookingDebitorEntity::getDefaultPrefix)
|
||||||
|
.quotedValues(false);
|
||||||
|
|
||||||
|
@Id
|
||||||
|
private UUID uuid;
|
||||||
|
|
||||||
|
@Column(name = "debitornumber")
|
||||||
|
private Integer debitorNumber;
|
||||||
|
|
||||||
|
@Column(name = "defaultprefix", columnDefinition = "char(3) not null")
|
||||||
|
private String defaultPrefix;
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String toString() {
|
||||||
|
return stringify.apply(this);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String toShortString() {
|
||||||
|
return DEBITOR_NUMBER_TAG + debitorNumber;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,14 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.debitor;
|
||||||
|
|
||||||
|
import org.springframework.data.repository.Repository;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Optional;
|
||||||
|
import java.util.UUID;
|
||||||
|
|
||||||
|
public interface HsBookingDebitorRepository extends Repository<HsBookingDebitorEntity, UUID> {
|
||||||
|
|
||||||
|
Optional<HsBookingDebitorEntity> findByUuid(UUID id);
|
||||||
|
|
||||||
|
List<HsBookingDebitorEntity> findByDebitorNumber(int debitorNumber);
|
||||||
|
}
|
@ -0,0 +1,172 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.item;
|
||||||
|
|
||||||
|
import io.hypersistence.utils.hibernate.type.json.JsonType;
|
||||||
|
import io.hypersistence.utils.hibernate.type.range.PostgreSQLRangeType;
|
||||||
|
import io.hypersistence.utils.hibernate.type.range.Range;
|
||||||
|
import lombok.AccessLevel;
|
||||||
|
import lombok.AllArgsConstructor;
|
||||||
|
import lombok.Builder;
|
||||||
|
import lombok.Getter;
|
||||||
|
import lombok.NoArgsConstructor;
|
||||||
|
import lombok.Setter;
|
||||||
|
import lombok.experimental.SuperBuilder;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.project.HsBookingProject;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.project.HsBookingProjectRealEntity;
|
||||||
|
import net.hostsharing.hsadminng.hs.validation.PropertiesProvider;
|
||||||
|
import net.hostsharing.hsadminng.mapper.PatchableMapWrapper;
|
||||||
|
import net.hostsharing.hsadminng.rbac.rbacobject.BaseEntity;
|
||||||
|
import net.hostsharing.hsadminng.stringify.Stringify;
|
||||||
|
import net.hostsharing.hsadminng.stringify.Stringifyable;
|
||||||
|
import org.hibernate.annotations.Type;
|
||||||
|
|
||||||
|
import jakarta.persistence.CascadeType;
|
||||||
|
import jakarta.persistence.Column;
|
||||||
|
import jakarta.persistence.EnumType;
|
||||||
|
import jakarta.persistence.Enumerated;
|
||||||
|
import jakarta.persistence.FetchType;
|
||||||
|
import jakarta.persistence.GeneratedValue;
|
||||||
|
import jakarta.persistence.Id;
|
||||||
|
import jakarta.persistence.JoinColumn;
|
||||||
|
import jakarta.persistence.ManyToOne;
|
||||||
|
import jakarta.persistence.MappedSuperclass;
|
||||||
|
import jakarta.persistence.OneToMany;
|
||||||
|
import jakarta.persistence.PostLoad;
|
||||||
|
import jakarta.persistence.Transient;
|
||||||
|
import jakarta.persistence.Version;
|
||||||
|
import jakarta.validation.constraints.NotNull;
|
||||||
|
import java.time.LocalDate;
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Map;
|
||||||
|
import java.util.UUID;
|
||||||
|
|
||||||
|
import static java.util.Collections.emptyMap;
|
||||||
|
import static java.util.Optional.ofNullable;
|
||||||
|
import static net.hostsharing.hsadminng.mapper.PostgresDateRange.lowerInclusiveFromPostgresDateRange;
|
||||||
|
import static net.hostsharing.hsadminng.mapper.PostgresDateRange.toPostgresDateRange;
|
||||||
|
import static net.hostsharing.hsadminng.mapper.PostgresDateRange.upperInclusiveFromPostgresDateRange;
|
||||||
|
import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
|
||||||
|
|
||||||
|
@MappedSuperclass
|
||||||
|
@Getter
|
||||||
|
@Setter
|
||||||
|
@NoArgsConstructor(access = AccessLevel.PROTECTED)
|
||||||
|
@AllArgsConstructor(access = AccessLevel.PROTECTED)
|
||||||
|
@SuperBuilder(builderMethodName = "baseBuilder", toBuilder = true)
|
||||||
|
public abstract class HsBookingItem implements Stringifyable, BaseEntity<HsBookingItem>, PropertiesProvider {
|
||||||
|
|
||||||
|
private static Stringify<HsBookingItem> stringify = stringify(HsBookingItem.class)
|
||||||
|
.withProp(HsBookingItem::getType)
|
||||||
|
.withProp(HsBookingItem::getCaption)
|
||||||
|
.withProp(HsBookingItem::getProject)
|
||||||
|
.withProp(e -> e.getValidity().asString())
|
||||||
|
.withProp(HsBookingItem::getResources)
|
||||||
|
.quotedValues(false);
|
||||||
|
|
||||||
|
@Id
|
||||||
|
@GeneratedValue
|
||||||
|
private UUID uuid;
|
||||||
|
|
||||||
|
@Version
|
||||||
|
private int version;
|
||||||
|
|
||||||
|
@ManyToOne(fetch = FetchType.LAZY)
|
||||||
|
@JoinColumn(name = "projectuuid")
|
||||||
|
private HsBookingProjectRealEntity project;
|
||||||
|
|
||||||
|
@ManyToOne(fetch = FetchType.LAZY)
|
||||||
|
@JoinColumn(name = "parentitemuuid")
|
||||||
|
private HsBookingItemRealEntity parentItem;
|
||||||
|
|
||||||
|
@NotNull
|
||||||
|
@Column(name = "type")
|
||||||
|
@Enumerated(EnumType.STRING)
|
||||||
|
private HsBookingItemType type;
|
||||||
|
|
||||||
|
@Builder.Default
|
||||||
|
@Type(PostgreSQLRangeType.class)
|
||||||
|
@Column(name = "validity", columnDefinition = "daterange")
|
||||||
|
private Range<LocalDate> validity = Range.closedInfinite(LocalDate.now());
|
||||||
|
|
||||||
|
@Column(name = "caption")
|
||||||
|
private String caption;
|
||||||
|
|
||||||
|
@Builder.Default
|
||||||
|
@Setter(AccessLevel.NONE)
|
||||||
|
@Type(JsonType.class)
|
||||||
|
@Column(columnDefinition = "resources")
|
||||||
|
private Map<String, Object> resources = new HashMap<>();
|
||||||
|
|
||||||
|
@OneToMany(cascade = CascadeType.REFRESH, orphanRemoval = true)
|
||||||
|
@JoinColumn(name = "parentitemuuid", referencedColumnName = "uuid")
|
||||||
|
private List<HsBookingItemRealEntity> subBookingItems;
|
||||||
|
|
||||||
|
@Transient
|
||||||
|
private PatchableMapWrapper<Object> resourcesWrapper;
|
||||||
|
|
||||||
|
@Transient
|
||||||
|
private boolean isLoaded;
|
||||||
|
|
||||||
|
@PostLoad
|
||||||
|
public void markAsLoaded() {
|
||||||
|
this.isLoaded = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
public PatchableMapWrapper<Object> getResources() {
|
||||||
|
return PatchableMapWrapper.of(resourcesWrapper, (newWrapper) -> {resourcesWrapper = newWrapper;}, resources);
|
||||||
|
}
|
||||||
|
|
||||||
|
public void putResources(Map<String, Object> newResources) {
|
||||||
|
getResources().assign(newResources);
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setValidFrom(final LocalDate validFrom) {
|
||||||
|
setValidity(toPostgresDateRange(validFrom, getValidTo()));
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setValidTo(final LocalDate validTo) {
|
||||||
|
setValidity(toPostgresDateRange(getValidFrom(), validTo));
|
||||||
|
}
|
||||||
|
|
||||||
|
public LocalDate getValidFrom() {
|
||||||
|
return lowerInclusiveFromPostgresDateRange(getValidity());
|
||||||
|
}
|
||||||
|
|
||||||
|
public LocalDate getValidTo() {
|
||||||
|
return upperInclusiveFromPostgresDateRange(getValidity());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public PatchableMapWrapper<Object> directProps() {
|
||||||
|
return getResources();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Object getContextValue(final String propName) {
|
||||||
|
final var v = resources.get(propName);
|
||||||
|
if (v != null) {
|
||||||
|
return v;
|
||||||
|
}
|
||||||
|
if (parentItem != null) {
|
||||||
|
return parentItem.getResources().get(propName);
|
||||||
|
}
|
||||||
|
return emptyMap();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String toString() {
|
||||||
|
return stringify.apply(this);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String toShortString() {
|
||||||
|
return ofNullable(getRelatedProject()).map(HsBookingProject::toShortString).orElse("D-???????-?") +
|
||||||
|
":" + caption;
|
||||||
|
}
|
||||||
|
|
||||||
|
public HsBookingProject getRelatedProject() {
|
||||||
|
return project != null ? project
|
||||||
|
: parentItem != null ? parentItem.getRelatedProject()
|
||||||
|
: null; // can be the case for technical assets like IP-numbers
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,138 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.item;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.context.Context;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.generated.api.v1.api.HsBookingItemsApi;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.generated.api.v1.model.HsBookingItemInsertResource;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.generated.api.v1.model.HsBookingItemPatchResource;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.generated.api.v1.model.HsBookingItemResource;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.item.validators.HsBookingItemEntityValidatorRegistry;
|
||||||
|
import net.hostsharing.hsadminng.mapper.KeyValueMap;
|
||||||
|
import net.hostsharing.hsadminng.mapper.Mapper;
|
||||||
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
import org.springframework.http.ResponseEntity;
|
||||||
|
import org.springframework.transaction.annotation.Transactional;
|
||||||
|
import org.springframework.web.bind.annotation.RestController;
|
||||||
|
import org.springframework.web.servlet.mvc.method.annotation.MvcUriComponentsBuilder;
|
||||||
|
|
||||||
|
import jakarta.persistence.EntityManager;
|
||||||
|
import jakarta.persistence.PersistenceContext;
|
||||||
|
import java.time.LocalDate;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.UUID;
|
||||||
|
import java.util.function.BiConsumer;
|
||||||
|
|
||||||
|
import static net.hostsharing.hsadminng.mapper.PostgresDateRange.toPostgresDateRange;
|
||||||
|
|
||||||
|
@RestController
|
||||||
|
public class HsBookingItemController implements HsBookingItemsApi {
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private Context context;
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private Mapper mapper;
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private HsBookingItemRbacRepository bookingItemRepo;
|
||||||
|
|
||||||
|
@PersistenceContext
|
||||||
|
private EntityManager em;
|
||||||
|
|
||||||
|
@Override
|
||||||
|
@Transactional(readOnly = true)
|
||||||
|
public ResponseEntity<List<HsBookingItemResource>> listBookingItemsByProjectUuid(
|
||||||
|
final String currentUser,
|
||||||
|
final String assumedRoles,
|
||||||
|
final UUID projectUuid) {
|
||||||
|
context.define(currentUser, assumedRoles);
|
||||||
|
|
||||||
|
final var entities = bookingItemRepo.findAllByProjectUuid(projectUuid);
|
||||||
|
|
||||||
|
final var resources = mapper.mapList(entities, HsBookingItemResource.class, ENTITY_TO_RESOURCE_POSTMAPPER);
|
||||||
|
return ResponseEntity.ok(resources);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
@Transactional
|
||||||
|
public ResponseEntity<HsBookingItemResource> addBookingItem(
|
||||||
|
final String currentUser,
|
||||||
|
final String assumedRoles,
|
||||||
|
final HsBookingItemInsertResource body) {
|
||||||
|
|
||||||
|
context.define(currentUser, assumedRoles);
|
||||||
|
|
||||||
|
final var entityToSave = mapper.map(body, HsBookingItemRbacEntity.class, RESOURCE_TO_ENTITY_POSTMAPPER);
|
||||||
|
|
||||||
|
final var saved = HsBookingItemEntityValidatorRegistry.validated(em, bookingItemRepo.save(entityToSave));
|
||||||
|
|
||||||
|
final var uri =
|
||||||
|
MvcUriComponentsBuilder.fromController(getClass())
|
||||||
|
.path("/api/hs/booking/items/{id}")
|
||||||
|
.buildAndExpand(saved.getUuid())
|
||||||
|
.toUri();
|
||||||
|
final var mapped = mapper.map(saved, HsBookingItemResource.class, ENTITY_TO_RESOURCE_POSTMAPPER);
|
||||||
|
return ResponseEntity.created(uri).body(mapped);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
@Transactional(readOnly = true)
|
||||||
|
public ResponseEntity<HsBookingItemResource> getBookingItemByUuid(
|
||||||
|
final String currentUser,
|
||||||
|
final String assumedRoles,
|
||||||
|
final UUID bookingItemUuid) {
|
||||||
|
|
||||||
|
context.define(currentUser, assumedRoles);
|
||||||
|
|
||||||
|
final var result = bookingItemRepo.findByUuid(bookingItemUuid);
|
||||||
|
result.ifPresent(entity -> em.detach(entity)); // prevent further LAZY-loading
|
||||||
|
return result
|
||||||
|
.map(bookingItemEntity -> ResponseEntity.ok(
|
||||||
|
mapper.map(bookingItemEntity, HsBookingItemResource.class, ENTITY_TO_RESOURCE_POSTMAPPER)))
|
||||||
|
.orElseGet(() -> ResponseEntity.notFound().build());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
@Transactional
|
||||||
|
public ResponseEntity<Void> deleteBookingIemByUuid(
|
||||||
|
final String currentUser,
|
||||||
|
final String assumedRoles,
|
||||||
|
final UUID bookingItemUuid) {
|
||||||
|
context.define(currentUser, assumedRoles);
|
||||||
|
|
||||||
|
final var result = bookingItemRepo.deleteByUuid(bookingItemUuid);
|
||||||
|
return result == 0
|
||||||
|
? ResponseEntity.notFound().build()
|
||||||
|
: ResponseEntity.noContent().build();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
@Transactional
|
||||||
|
public ResponseEntity<HsBookingItemResource> patchBookingItem(
|
||||||
|
final String currentUser,
|
||||||
|
final String assumedRoles,
|
||||||
|
final UUID bookingItemUuid,
|
||||||
|
final HsBookingItemPatchResource body) {
|
||||||
|
|
||||||
|
context.define(currentUser, assumedRoles);
|
||||||
|
|
||||||
|
final var current = bookingItemRepo.findByUuid(bookingItemUuid).orElseThrow();
|
||||||
|
|
||||||
|
new HsBookingItemEntityPatcher(current).apply(body);
|
||||||
|
|
||||||
|
final var saved = bookingItemRepo.save(HsBookingItemEntityValidatorRegistry.validated(em, current));
|
||||||
|
final var mapped = mapper.map(saved, HsBookingItemResource.class, ENTITY_TO_RESOURCE_POSTMAPPER);
|
||||||
|
return ResponseEntity.ok(mapped);
|
||||||
|
}
|
||||||
|
|
||||||
|
final BiConsumer<HsBookingItemRbacEntity, HsBookingItemResource> ENTITY_TO_RESOURCE_POSTMAPPER = (entity, resource) -> {
|
||||||
|
resource.setValidFrom(entity.getValidity().lower());
|
||||||
|
if (entity.getValidity().hasUpperBound()) {
|
||||||
|
resource.setValidTo(entity.getValidity().upper().minusDays(1));
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
final BiConsumer<HsBookingItemInsertResource, HsBookingItemRbacEntity> RESOURCE_TO_ENTITY_POSTMAPPER = (resource, entity) -> {
|
||||||
|
entity.setValidity(toPostgresDateRange(LocalDate.now(), resource.getValidTo()));
|
||||||
|
entity.putResources(KeyValueMap.from(resource.getResources()));
|
||||||
|
};
|
||||||
|
}
|
@ -0,0 +1,28 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.item;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.generated.api.v1.model.HsBookingItemPatchResource;
|
||||||
|
import net.hostsharing.hsadminng.mapper.EntityPatcher;
|
||||||
|
import net.hostsharing.hsadminng.mapper.KeyValueMap;
|
||||||
|
import net.hostsharing.hsadminng.mapper.OptionalFromJson;
|
||||||
|
|
||||||
|
import java.util.Optional;
|
||||||
|
|
||||||
|
|
||||||
|
public class HsBookingItemEntityPatcher implements EntityPatcher<HsBookingItemPatchResource> {
|
||||||
|
|
||||||
|
private final HsBookingItem entity;
|
||||||
|
|
||||||
|
public HsBookingItemEntityPatcher(final HsBookingItem entity) {
|
||||||
|
this.entity = entity;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void apply(final HsBookingItemPatchResource resource) {
|
||||||
|
OptionalFromJson.of(resource.getCaption())
|
||||||
|
.ifPresent(entity::setCaption);
|
||||||
|
Optional.ofNullable(resource.getResources())
|
||||||
|
.ifPresent(r -> entity.getResources().patch(KeyValueMap.from(resource.getResources())));
|
||||||
|
OptionalFromJson.of(resource.getValidTo())
|
||||||
|
.ifPresent(entity::setValidTo);
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,83 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.item;
|
||||||
|
|
||||||
|
import lombok.Getter;
|
||||||
|
import lombok.NoArgsConstructor;
|
||||||
|
import lombok.Setter;
|
||||||
|
import lombok.experimental.SuperBuilder;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.project.HsBookingProject;
|
||||||
|
import net.hostsharing.hsadminng.rbac.rbacdef.RbacView;
|
||||||
|
import net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL;
|
||||||
|
|
||||||
|
import jakarta.persistence.AttributeOverride;
|
||||||
|
import jakarta.persistence.AttributeOverrides;
|
||||||
|
import jakarta.persistence.Column;
|
||||||
|
import jakarta.persistence.Entity;
|
||||||
|
import jakarta.persistence.Table;
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.UPDATE;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.ADMIN;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.AGENT;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.OWNER;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.TENANT;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
|
||||||
|
|
||||||
|
@Entity
|
||||||
|
@Table(name = "hs_booking_item_rv")
|
||||||
|
@SuperBuilder(toBuilder = true)
|
||||||
|
@Getter
|
||||||
|
@Setter
|
||||||
|
@NoArgsConstructor
|
||||||
|
@AttributeOverrides({
|
||||||
|
@AttributeOverride(name = "uuid", column = @Column(name = "uuid"))
|
||||||
|
})
|
||||||
|
public class HsBookingItemRbacEntity extends HsBookingItem {
|
||||||
|
|
||||||
|
public static RbacView rbac() {
|
||||||
|
return rbacViewFor("bookingItem", HsBookingItemRbacEntity.class)
|
||||||
|
.withIdentityView(SQL.projection("caption"))
|
||||||
|
.withRestrictedViewOrderBy(SQL.expression("validity"))
|
||||||
|
.withUpdatableColumns("version", "caption", "validity", "resources")
|
||||||
|
.toRole("global", ADMIN).grantPermission(INSERT) // TODO.impl: Why is this necessary to insert test data?
|
||||||
|
.toRole("global", ADMIN).grantPermission(DELETE)
|
||||||
|
|
||||||
|
.importEntityAlias("project", HsBookingProject.class, usingDefaultCase(),
|
||||||
|
dependsOnColumn("projectUuid"),
|
||||||
|
directlyFetchedByDependsOnColumn(),
|
||||||
|
NULLABLE)
|
||||||
|
.toRole("project", ADMIN).grantPermission(INSERT)
|
||||||
|
|
||||||
|
.importEntityAlias("parentItem", HsBookingItemRbacEntity.class, usingDefaultCase(),
|
||||||
|
dependsOnColumn("parentItemUuid"),
|
||||||
|
directlyFetchedByDependsOnColumn(),
|
||||||
|
NULLABLE)
|
||||||
|
.toRole("parentItem", ADMIN).grantPermission(INSERT)
|
||||||
|
|
||||||
|
.createRole(OWNER, (with) -> {
|
||||||
|
with.incomingSuperRole("project", AGENT);
|
||||||
|
with.incomingSuperRole("parentItem", AGENT);
|
||||||
|
})
|
||||||
|
.createSubRole(ADMIN, (with) -> {
|
||||||
|
with.permission(UPDATE);
|
||||||
|
})
|
||||||
|
.createSubRole(AGENT)
|
||||||
|
.createSubRole(TENANT, (with) -> {
|
||||||
|
with.outgoingSubRole("project", TENANT);
|
||||||
|
with.outgoingSubRole("parentItem", TENANT);
|
||||||
|
with.permission(SELECT);
|
||||||
|
})
|
||||||
|
|
||||||
|
.limitDiagramTo("bookingItem", "project", "global");
|
||||||
|
}
|
||||||
|
|
||||||
|
public static void main(String[] args) throws IOException {
|
||||||
|
rbac().generateWithBaseFileName("6-hs-booking/630-booking-item/6303-hs-booking-item-rbac");
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,23 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.item;
|
||||||
|
|
||||||
|
import org.springframework.data.repository.Repository;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Optional;
|
||||||
|
import java.util.UUID;
|
||||||
|
|
||||||
|
public interface HsBookingItemRbacRepository extends HsBookingItemRepository<HsBookingItemRbacEntity>,
|
||||||
|
Repository<HsBookingItemRbacEntity, UUID> {
|
||||||
|
|
||||||
|
Optional<HsBookingItemRbacEntity> findByUuid(final UUID bookingItemUuid);
|
||||||
|
|
||||||
|
List<HsBookingItemRbacEntity> findByCaption(String bookingItemCaption);
|
||||||
|
|
||||||
|
List<HsBookingItemRbacEntity> findAllByProjectUuid(final UUID projectItemUuid);
|
||||||
|
|
||||||
|
HsBookingItemRbacEntity save(HsBookingItemRbacEntity current);
|
||||||
|
|
||||||
|
int deleteByUuid(final UUID uuid);
|
||||||
|
|
||||||
|
long count();
|
||||||
|
}
|
@ -0,0 +1,24 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.item;
|
||||||
|
|
||||||
|
import lombok.Getter;
|
||||||
|
import lombok.NoArgsConstructor;
|
||||||
|
import lombok.Setter;
|
||||||
|
import lombok.experimental.SuperBuilder;
|
||||||
|
|
||||||
|
import jakarta.persistence.AttributeOverride;
|
||||||
|
import jakarta.persistence.AttributeOverrides;
|
||||||
|
import jakarta.persistence.Column;
|
||||||
|
import jakarta.persistence.Entity;
|
||||||
|
import jakarta.persistence.Table;
|
||||||
|
|
||||||
|
|
||||||
|
@Entity
|
||||||
|
@Table(name = "hs_booking_item")
|
||||||
|
@SuperBuilder(toBuilder = true)
|
||||||
|
@Getter
|
||||||
|
@Setter
|
||||||
|
@NoArgsConstructor
|
||||||
|
@AttributeOverrides({
|
||||||
|
@AttributeOverride(name = "uuid", column = @Column(name = "uuid"))
|
||||||
|
})public class HsBookingItemRealEntity extends HsBookingItem {
|
||||||
|
}
|
@ -0,0 +1,23 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.item;
|
||||||
|
|
||||||
|
import org.springframework.data.repository.Repository;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Optional;
|
||||||
|
import java.util.UUID;
|
||||||
|
|
||||||
|
public interface HsBookingItemRealRepository extends HsBookingItemRepository<HsBookingItemRealEntity>,
|
||||||
|
Repository<HsBookingItemRealEntity, UUID> {
|
||||||
|
|
||||||
|
Optional<HsBookingItemRealEntity> findByUuid(final UUID bookingItemUuid);
|
||||||
|
|
||||||
|
List<HsBookingItemRealEntity> findByCaption(String bookingItemCaption);
|
||||||
|
|
||||||
|
List<HsBookingItemRealEntity> findAllByProjectUuid(final UUID projectItemUuid);
|
||||||
|
|
||||||
|
HsBookingItemRealEntity save(HsBookingItemRealEntity current);
|
||||||
|
|
||||||
|
int deleteByUuid(final UUID uuid);
|
||||||
|
|
||||||
|
long count();
|
||||||
|
}
|
@ -0,0 +1,20 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.item;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Optional;
|
||||||
|
import java.util.UUID;
|
||||||
|
|
||||||
|
public interface HsBookingItemRepository<E extends HsBookingItem> {
|
||||||
|
|
||||||
|
Optional<E> findByUuid(final UUID bookingItemUuid);
|
||||||
|
|
||||||
|
List<E> findByCaption(String bookingItemCaption);
|
||||||
|
|
||||||
|
List<E> findAllByProjectUuid(final UUID projectItemUuid);
|
||||||
|
|
||||||
|
E save(E current);
|
||||||
|
|
||||||
|
int deleteByUuid(final UUID uuid);
|
||||||
|
|
||||||
|
long count();
|
||||||
|
}
|
@ -0,0 +1,42 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.item;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Set;
|
||||||
|
|
||||||
|
import static java.util.Optional.ofNullable;
|
||||||
|
|
||||||
|
public enum HsBookingItemType implements Node {
|
||||||
|
PRIVATE_CLOUD,
|
||||||
|
CLOUD_SERVER(PRIVATE_CLOUD),
|
||||||
|
MANAGED_SERVER(PRIVATE_CLOUD),
|
||||||
|
MANAGED_WEBSPACE(MANAGED_SERVER),
|
||||||
|
DOMAIN_SETUP;
|
||||||
|
|
||||||
|
private final HsBookingItemType parentItemType;
|
||||||
|
|
||||||
|
HsBookingItemType() {
|
||||||
|
this.parentItemType = null;
|
||||||
|
}
|
||||||
|
|
||||||
|
HsBookingItemType(final HsBookingItemType parentItemType) {
|
||||||
|
this.parentItemType = parentItemType;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public List<String> edges(final Set<String> inGroups) {
|
||||||
|
return ofNullable(parentItemType)
|
||||||
|
.map(p -> (nodeName() + " *--> " + p.nodeName()))
|
||||||
|
.stream().toList();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean belongsToAny(final Set<String> groups) {
|
||||||
|
return true; // we currently do not filter booking item types
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String nodeName() {
|
||||||
|
return "BI_" + name();
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,11 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.item;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Set;
|
||||||
|
|
||||||
|
public interface Node {
|
||||||
|
|
||||||
|
String nodeName();
|
||||||
|
boolean belongsToAny(Set<String> groups);
|
||||||
|
List<String> edges(final Set<String> inGroup);
|
||||||
|
}
|
@ -0,0 +1,88 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.item.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.item.HsBookingItem;
|
||||||
|
import net.hostsharing.hsadminng.hs.validation.HsEntityValidator;
|
||||||
|
import net.hostsharing.hsadminng.hs.validation.ValidatableProperty;
|
||||||
|
import org.apache.commons.lang3.BooleanUtils;
|
||||||
|
|
||||||
|
import java.util.Collection;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Objects;
|
||||||
|
import java.util.stream.Stream;
|
||||||
|
|
||||||
|
import static java.util.Arrays.stream;
|
||||||
|
import static java.util.Collections.emptyList;
|
||||||
|
import static java.util.Optional.ofNullable;
|
||||||
|
|
||||||
|
public class HsBookingItemEntityValidator extends HsEntityValidator<HsBookingItem> {
|
||||||
|
|
||||||
|
public HsBookingItemEntityValidator(final ValidatableProperty<?, ?>... properties) {
|
||||||
|
super(properties);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public List<String> validateEntity(final HsBookingItem bookingItem) {
|
||||||
|
// TODO.impl: HsBookingItemType could do this similar to HsHostingAssetType
|
||||||
|
if ( bookingItem.getParentItem() == null && bookingItem.getProject() == null) {
|
||||||
|
return List.of(bookingItem + ".'parentItem' or .'project' expected to be set, but both are null");
|
||||||
|
}
|
||||||
|
return enrich(prefix(bookingItem.toShortString(), "resources"), super.validateProperties(bookingItem));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public List<String> validateContext(final HsBookingItem bookingItem) {
|
||||||
|
return sequentiallyValidate(
|
||||||
|
() -> optionallyValidate(bookingItem.getParentItem()),
|
||||||
|
() -> validateAgainstSubEntities(bookingItem)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
private static List<String> optionallyValidate(final HsBookingItem bookingItem) {
|
||||||
|
return bookingItem != null
|
||||||
|
? enrich(prefix(bookingItem.toShortString(), ""),
|
||||||
|
HsBookingItemEntityValidatorRegistry.forType(bookingItem.getType()).validateContext(bookingItem))
|
||||||
|
: emptyList();
|
||||||
|
}
|
||||||
|
|
||||||
|
protected List<String> validateAgainstSubEntities(final HsBookingItem bookingItem) {
|
||||||
|
return enrich(prefix(bookingItem.toShortString(), "resources"),
|
||||||
|
Stream.concat(
|
||||||
|
stream(propertyValidators)
|
||||||
|
.map(propDef -> propDef.validateTotals(bookingItem))
|
||||||
|
.flatMap(Collection::stream),
|
||||||
|
stream(propertyValidators)
|
||||||
|
.filter(ValidatableProperty::isTotalsValidator)
|
||||||
|
.map(prop -> validateMaxTotalValue(bookingItem, prop))
|
||||||
|
).filter(Objects::nonNull).toList());
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO.refa: convert into generic shape like multi-options validator
|
||||||
|
private static String validateMaxTotalValue(
|
||||||
|
final HsBookingItem bookingItem,
|
||||||
|
final ValidatableProperty<?, ?> propDef) {
|
||||||
|
final var propName = propDef.propertyName();
|
||||||
|
final var propUnit = ofNullable(propDef.unit()).map(u -> " " + u).orElse("");
|
||||||
|
final var totalValue = ofNullable(bookingItem.getSubBookingItems()).orElse(emptyList())
|
||||||
|
.stream()
|
||||||
|
.map(subItem -> propDef.getValue(subItem.getResources()))
|
||||||
|
.map(HsBookingItemEntityValidator::convertBooleanToInteger)
|
||||||
|
.map(HsBookingItemEntityValidator::toIntegerWithDefault0)
|
||||||
|
.reduce(0, Integer::sum);
|
||||||
|
final var maxValue = getIntegerValueWithDefault0(propDef, bookingItem.getResources());
|
||||||
|
if (propDef.thresholdPercentage() != null ) {
|
||||||
|
return totalValue > (maxValue * propDef.thresholdPercentage() / 100)
|
||||||
|
? "%s' maximum total is %d%s, but actual total %s is %d%s, which exceeds threshold of %d%%"
|
||||||
|
.formatted(propName, maxValue, propUnit, propName, totalValue, propUnit, propDef.thresholdPercentage())
|
||||||
|
: null;
|
||||||
|
} else {
|
||||||
|
return totalValue > maxValue
|
||||||
|
? "%s' maximum total is %d%s, but actual total %s is %d%s"
|
||||||
|
.formatted(propName, maxValue, propUnit, propName, totalValue, propUnit)
|
||||||
|
: null;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private static Object convertBooleanToInteger(final Object value) {
|
||||||
|
return value instanceof Boolean ? BooleanUtils.toInteger((Boolean)value) : value;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,62 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.item.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.item.HsBookingItem;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.item.HsBookingItemType;
|
||||||
|
import net.hostsharing.hsadminng.hs.validation.HsEntityValidator;
|
||||||
|
import net.hostsharing.hsadminng.errors.MultiValidationException;
|
||||||
|
|
||||||
|
import jakarta.persistence.EntityManager;
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Map;
|
||||||
|
import java.util.Set;
|
||||||
|
|
||||||
|
import static java.util.Arrays.stream;
|
||||||
|
import static net.hostsharing.hsadminng.hs.booking.item.HsBookingItemType.CLOUD_SERVER;
|
||||||
|
import static net.hostsharing.hsadminng.hs.booking.item.HsBookingItemType.DOMAIN_SETUP;
|
||||||
|
import static net.hostsharing.hsadminng.hs.booking.item.HsBookingItemType.MANAGED_SERVER;
|
||||||
|
import static net.hostsharing.hsadminng.hs.booking.item.HsBookingItemType.MANAGED_WEBSPACE;
|
||||||
|
import static net.hostsharing.hsadminng.hs.booking.item.HsBookingItemType.PRIVATE_CLOUD;
|
||||||
|
|
||||||
|
public class HsBookingItemEntityValidatorRegistry {
|
||||||
|
|
||||||
|
private static final Map<Enum<HsBookingItemType>, HsEntityValidator<HsBookingItem>> validators = new HashMap<>();
|
||||||
|
static {
|
||||||
|
register(PRIVATE_CLOUD, new HsPrivateCloudBookingItemValidator());
|
||||||
|
register(CLOUD_SERVER, new HsCloudServerBookingItemValidator());
|
||||||
|
register(MANAGED_SERVER, new HsManagedServerBookingItemValidator());
|
||||||
|
register(MANAGED_WEBSPACE, new HsManagedWebspaceBookingItemValidator());
|
||||||
|
register(DOMAIN_SETUP, new HsDomainSetupBookingItemValidator());
|
||||||
|
}
|
||||||
|
|
||||||
|
private static void register(final Enum<HsBookingItemType> type, final HsEntityValidator<HsBookingItem> validator) {
|
||||||
|
stream(validator.propertyValidators).forEach( entry -> {
|
||||||
|
entry.verifyConsistency(Map.entry(type, validator));
|
||||||
|
});
|
||||||
|
validators.put(type, validator);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static HsEntityValidator<HsBookingItem> forType(final Enum<HsBookingItemType> type) {
|
||||||
|
if ( validators.containsKey(type)) {
|
||||||
|
return validators.get(type);
|
||||||
|
}
|
||||||
|
throw new IllegalArgumentException("no validator found for type " + type);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static Set<Enum<HsBookingItemType>> types() {
|
||||||
|
return validators.keySet();
|
||||||
|
}
|
||||||
|
|
||||||
|
public static List<String> doValidate(final EntityManager em, final HsBookingItem bookingItem) {
|
||||||
|
return HsEntityValidator.doWithEntityManager(em, () ->
|
||||||
|
HsEntityValidator.sequentiallyValidate(
|
||||||
|
() -> HsBookingItemEntityValidatorRegistry.forType(bookingItem.getType()).validateEntity(bookingItem),
|
||||||
|
() -> HsBookingItemEntityValidatorRegistry.forType(bookingItem.getType()).validateContext(bookingItem))
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static <E extends HsBookingItem> E validated(final EntityManager em, final E entityToSave) {
|
||||||
|
MultiValidationException.throwIfNotEmpty(doValidate(em, entityToSave));
|
||||||
|
return entityToSave;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,29 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.item.validators;
|
||||||
|
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.BooleanProperty.booleanProperty;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.EnumerationProperty.enumerationProperty;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.IntegerProperty.integerProperty;
|
||||||
|
|
||||||
|
class HsCloudServerBookingItemValidator extends HsBookingItemEntityValidator {
|
||||||
|
|
||||||
|
HsCloudServerBookingItemValidator() {
|
||||||
|
super(
|
||||||
|
// @formatter:off
|
||||||
|
booleanProperty("active") .withDefault(true),
|
||||||
|
|
||||||
|
integerProperty("CPU") .min( 1) .max( 32) .required(),
|
||||||
|
integerProperty("RAM").unit("GB") .min( 1) .max( 8192) .required(),
|
||||||
|
integerProperty("SSD").unit("GB") .min( 25) .max( 1000) .step(25).requiresAtLeastOneOf("SDD", "HDD"),
|
||||||
|
integerProperty("HDD").unit("GB") .min(250) .max( 4000) .step(250).requiresAtLeastOneOf("SSD", "HDD"),
|
||||||
|
integerProperty("Traffic").unit("GB") .min(250) .max(10000) .step(250).requiresAtMaxOneOf("Bandwidth", "Traffic"),
|
||||||
|
integerProperty("Bandwidth").unit("GB") .min(250) .max(10000) .step(250).requiresAtMaxOneOf("Bandwidth", "Traffic"), // TODO.spec
|
||||||
|
|
||||||
|
enumerationProperty("SLA-Infrastructure").values("BASIC", "EXT8H", "EXT4H", "EXT2H").optional()
|
||||||
|
// @formatter:on
|
||||||
|
);
|
||||||
|
|
||||||
|
// (q) We do have pre-existing CloudServers without SSD, just HDD, thus SSD starts with min=0.
|
||||||
|
// TODO.impl: Validation that SSD+HDD is at minimum 25 GB is missing.
|
||||||
|
// e.g. validationGroup("SSD", "HDD").min(0);
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,60 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.item.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.item.HsBookingItem;
|
||||||
|
import net.hostsharing.hsadminng.hs.validation.PropertiesProvider;
|
||||||
|
|
||||||
|
import jakarta.persistence.EntityManager;
|
||||||
|
import java.security.SecureRandom;
|
||||||
|
import java.util.ArrayList;
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.validators.Dns.REGISTRAR_LEVEL_DOMAINS;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.StringProperty.stringProperty;
|
||||||
|
|
||||||
|
class HsDomainSetupBookingItemValidator extends HsBookingItemEntityValidator {
|
||||||
|
|
||||||
|
public static final String FQDN_REGEX = "^((?!-)[A-Za-z0-9-]{1,63}(?<!-)\\.)+[A-Za-z]{2,12}";
|
||||||
|
public static final String DOMAIN_NAME_PROPERTY_NAME = "domainName";
|
||||||
|
public static final String VERIFICATION_CODE_PROPERTY_NAME = "verificationCode";
|
||||||
|
|
||||||
|
HsDomainSetupBookingItemValidator() {
|
||||||
|
super(
|
||||||
|
stringProperty(DOMAIN_NAME_PROPERTY_NAME).writeOnce()
|
||||||
|
.maxLength(253)
|
||||||
|
.matchesRegEx(FQDN_REGEX).describedAs("is not a (non-top-level) fully qualified domain name")
|
||||||
|
.notMatchesRegEx(REGISTRAR_LEVEL_DOMAINS).describedAs("is a forbidden registrar-level domain name")
|
||||||
|
.required(),
|
||||||
|
stringProperty(VERIFICATION_CODE_PROPERTY_NAME)
|
||||||
|
.minLength(12)
|
||||||
|
.maxLength(64)
|
||||||
|
.initializedBy(HsDomainSetupBookingItemValidator::generateVerificationCode)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public List<String> validateEntity(final HsBookingItem bookingItem) {
|
||||||
|
final var violations = new ArrayList<String>();
|
||||||
|
final var domainName = bookingItem.getDirectValue(DOMAIN_NAME_PROPERTY_NAME, String.class);
|
||||||
|
if (!bookingItem.isLoaded() &&
|
||||||
|
domainName.matches("hostsharing.(com|net|org|coop|de)")) {
|
||||||
|
violations.add("'" + bookingItem.toShortString() + ".resources." + DOMAIN_NAME_PROPERTY_NAME + "' = '" + domainName
|
||||||
|
+ "' is a forbidden Hostsharing domain name");
|
||||||
|
}
|
||||||
|
violations.addAll(super.validateEntity(bookingItem));
|
||||||
|
return violations;
|
||||||
|
}
|
||||||
|
|
||||||
|
private static String generateVerificationCode(final EntityManager em, final PropertiesProvider propertiesProvider) {
|
||||||
|
final var alphaNumeric = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
|
||||||
|
final var secureRandom = new SecureRandom();
|
||||||
|
final var sb = new StringBuilder();
|
||||||
|
for (int i = 0; i < 40; ++i) {
|
||||||
|
if ( i > 0 && i % 4 == 0 ) {
|
||||||
|
sb.append("-");
|
||||||
|
}
|
||||||
|
sb.append(alphaNumeric.charAt(secureRandom.nextInt(alphaNumeric.length())));
|
||||||
|
}
|
||||||
|
return sb.toString();
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,27 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.item.validators;
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.BooleanProperty.booleanProperty;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.EnumerationProperty.enumerationProperty;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.IntegerProperty.integerProperty;
|
||||||
|
|
||||||
|
class HsManagedServerBookingItemValidator extends HsBookingItemEntityValidator {
|
||||||
|
|
||||||
|
HsManagedServerBookingItemValidator() {
|
||||||
|
super(
|
||||||
|
integerProperty("CPU").min(1).max(32).required(),
|
||||||
|
integerProperty("RAM").unit("GB").min(1).max(128).required(),
|
||||||
|
integerProperty("SSD").unit("GB").min(25).max(2000).step(25).requiresAtLeastOneOf("SSD", "HDD").asTotalLimit().withThreshold(200),
|
||||||
|
integerProperty("HDD").unit("GB").min(250).max(10000).step(250).requiresAtLeastOneOf("SSD", "HDD").asTotalLimit().withThreshold(200),
|
||||||
|
integerProperty("Traffic").unit("GB").min(250).max(64000).step(250).requiresAtMaxOneOf("Bandwidth", "Traffic").asTotalLimit().withThreshold(200),
|
||||||
|
integerProperty("Bandwidth").unit("GB").min(250).max(64000).step(250).requiresAtMaxOneOf("Bandwidth", "Traffic").asTotalLimit().withThreshold(200), // TODO.spec
|
||||||
|
enumerationProperty("SLA-Platform").values("BASIC", "EXT8H", "EXT4H", "EXT2H").withDefault("BASIC"),
|
||||||
|
booleanProperty("SLA-EMail").falseIf("SLA-Platform", "BASIC").withDefault(false),
|
||||||
|
booleanProperty("SLA-Maria").falseIf("SLA-Platform", "BASIC").optional(),
|
||||||
|
booleanProperty("SLA-PgSQL").falseIf("SLA-Platform", "BASIC").optional(),
|
||||||
|
booleanProperty("SLA-Office").falseIf("SLA-Platform", "BASIC").optional(),
|
||||||
|
booleanProperty("SLA-Web").falseIf("SLA-Platform", "BASIC").optional()
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,115 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.item.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.item.HsBookingItem;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetRealEntity;
|
||||||
|
import net.hostsharing.hsadminng.hs.validation.HsEntityValidator;
|
||||||
|
import net.hostsharing.hsadminng.hs.validation.IntegerProperty;
|
||||||
|
import org.apache.commons.lang3.function.TriFunction;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Optional;
|
||||||
|
|
||||||
|
import static java.util.Collections.emptyList;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.DOMAIN_MBOX_SETUP;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.EMAIL_ADDRESS;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.MARIADB_DATABASE;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.MARIADB_USER;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.PGSQL_DATABASE;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.PGSQL_USER;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.UNIX_USER;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.BooleanProperty.booleanProperty;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.EnumerationProperty.enumerationProperty;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.IntegerProperty.integerProperty;
|
||||||
|
|
||||||
|
class HsManagedWebspaceBookingItemValidator extends HsBookingItemEntityValidator {
|
||||||
|
|
||||||
|
public HsManagedWebspaceBookingItemValidator() {
|
||||||
|
super(
|
||||||
|
integerProperty("SSD").unit("GB").min(1).max(2000).step(1).required(),
|
||||||
|
integerProperty("HDD").unit("GB").min(0).max(10000).step(10).optional(),
|
||||||
|
integerProperty("Traffic").unit("GB").min(10).max(64000).step(10).requiresAtMaxOneOf("Bandwidth", "Traffic"),
|
||||||
|
integerProperty("Bandwidth").unit("GB").min(10).max(1000).step(10).requiresAtMaxOneOf("Bandwidth", "Traffic"), // TODO.spec
|
||||||
|
integerProperty("Multi").min(1).max(100).step(1).withDefault(1)
|
||||||
|
.eachComprising( 25, unixUsers())
|
||||||
|
.eachComprising( 5, databaseUsers())
|
||||||
|
.eachComprising( 5, databases())
|
||||||
|
.eachComprising(250, eMailAddresses()),
|
||||||
|
integerProperty("Daemons").min(0).max(16).withDefault(0),
|
||||||
|
booleanProperty("Online Office Server").optional(), // TODO.impl: shorten to "Office"
|
||||||
|
enumerationProperty("SLA-Platform").values("BASIC", "EXT24H").withDefault("BASIC")
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
private static TriFunction<HsBookingItem, IntegerProperty<?>, Integer, List<String>> unixUsers() {
|
||||||
|
return (final HsBookingItem entity, final IntegerProperty<?> prop, final Integer factor) -> {
|
||||||
|
final var unixUserCount = fetchRelatedBookingItem(entity)
|
||||||
|
.map(ha -> ha.getSubHostingAssets().stream()
|
||||||
|
.filter(subAsset -> subAsset.getType() == UNIX_USER)
|
||||||
|
.count())
|
||||||
|
.orElse(0L);
|
||||||
|
final long limitingValue = prop.getValue(entity.getResources());
|
||||||
|
if (unixUserCount > factor*limitingValue) {
|
||||||
|
return List.of(prop.propertyName() + "=" + limitingValue + " allows at maximum " + limitingValue*factor + " unix users, but " + unixUserCount + " found");
|
||||||
|
}
|
||||||
|
return emptyList();
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
private static TriFunction<HsBookingItem, IntegerProperty<?>, Integer, List<String>> databaseUsers() {
|
||||||
|
return (final HsBookingItem entity, final IntegerProperty<?> prop, final Integer factor) -> {
|
||||||
|
final var dbUserCount = fetchRelatedBookingItem(entity)
|
||||||
|
.map(ha -> ha.getSubHostingAssets().stream()
|
||||||
|
.filter(bi -> bi.getType() == PGSQL_USER || bi.getType() == MARIADB_USER )
|
||||||
|
.count())
|
||||||
|
.orElse(0L);
|
||||||
|
final long limitingValue = prop.getValue(entity.getResources());
|
||||||
|
if (dbUserCount > factor*limitingValue) {
|
||||||
|
return List.of(prop.propertyName() + "=" + limitingValue + " allows at maximum " + limitingValue*factor + " database users, but " + dbUserCount + " found");
|
||||||
|
}
|
||||||
|
return emptyList();
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
private static TriFunction<HsBookingItem, IntegerProperty<?>, Integer, List<String>> databases() {
|
||||||
|
return (final HsBookingItem entity, final IntegerProperty<?> prop, final Integer factor) -> {
|
||||||
|
final var unixUserCount = fetchRelatedBookingItem(entity)
|
||||||
|
.map(ha -> ha.getSubHostingAssets().stream()
|
||||||
|
.filter(bi -> bi.getType()==PGSQL_USER || bi.getType()==MARIADB_USER )
|
||||||
|
.flatMap(domainEMailSetup -> domainEMailSetup.getSubHostingAssets().stream()
|
||||||
|
.filter(subAsset -> subAsset.getType()==PGSQL_DATABASE || subAsset.getType()==MARIADB_DATABASE))
|
||||||
|
.count())
|
||||||
|
.orElse(0L);
|
||||||
|
final long limitingValue = prop.getValue(entity.getResources());
|
||||||
|
if (unixUserCount > factor*limitingValue) {
|
||||||
|
return List.of(prop.propertyName() + "=" + limitingValue + " allows at maximum " + limitingValue*factor + " databases, but " + unixUserCount + " found");
|
||||||
|
}
|
||||||
|
return emptyList();
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
private static TriFunction<HsBookingItem, IntegerProperty<?>, Integer, List<String>> eMailAddresses() {
|
||||||
|
return (final HsBookingItem entity, final IntegerProperty<?> prop, final Integer factor) -> {
|
||||||
|
final var unixUserCount = fetchRelatedBookingItem(entity)
|
||||||
|
.map(ha -> ha.getSubHostingAssets().stream()
|
||||||
|
.filter(bi -> bi.getType() == DOMAIN_MBOX_SETUP)
|
||||||
|
.flatMap(domainEMailSetup -> domainEMailSetup.getSubHostingAssets().stream()
|
||||||
|
.filter(subAsset -> subAsset.getType()==EMAIL_ADDRESS))
|
||||||
|
.count())
|
||||||
|
.orElse(0L);
|
||||||
|
final long limitingValue = prop.getValue(entity.getResources());
|
||||||
|
if (unixUserCount > factor*limitingValue) {
|
||||||
|
return List.of(prop.propertyName() + "=" + limitingValue + " allows at maximum " + limitingValue*factor + " databases, but " + unixUserCount + " found");
|
||||||
|
}
|
||||||
|
return emptyList();
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
private static Optional<HsHostingAssetRealEntity> fetchRelatedBookingItem(final HsBookingItem entity) {
|
||||||
|
// TODO.perf: maybe we need to cache the result at least for a single valiationrun
|
||||||
|
return HsEntityValidator.localEntityManager.get().createQuery(
|
||||||
|
"SELECT asset FROM HsHostingAssetRealEntity asset WHERE asset.bookingItem.uuid=:bookingItemUuid",
|
||||||
|
HsHostingAssetRealEntity.class)
|
||||||
|
.setParameter("bookingItemUuid", entity.getUuid())
|
||||||
|
.getResultStream().findFirst(); // there are 0 or 1, never more
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,41 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.item.validators;
|
||||||
|
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.IntegerProperty.integerProperty;
|
||||||
|
|
||||||
|
class HsPrivateCloudBookingItemValidator extends HsBookingItemEntityValidator {
|
||||||
|
|
||||||
|
HsPrivateCloudBookingItemValidator() {
|
||||||
|
super(
|
||||||
|
// @formatter:off
|
||||||
|
integerProperty("CPU") .min( 1).max( 128).required().asTotalLimit(),
|
||||||
|
integerProperty("RAM").unit("GB") .min( 1).max( 512).required().asTotalLimit(),
|
||||||
|
integerProperty("SSD").unit("GB") .min( 25).max( 4000).step(25).requiresAtLeastOneOf("SSD", "HDD").asTotalLimit(),
|
||||||
|
integerProperty("HDD").unit("GB") .min(250).max(16000).step(250).requiresAtLeastOneOf("SSD", "HDD").asTotalLimit(),
|
||||||
|
integerProperty("Traffic").unit("GB") .min(250).max(64000).step(250).requiresAtMaxOneOf("Bandwidth", "Traffic").asTotalLimit(),
|
||||||
|
integerProperty("Bandwidth").unit("GB") .min(250).max(64000).step(250).requiresAtMaxOneOf("Bandwidth", "Traffic").asTotalLimit(), // TODO.spec
|
||||||
|
|
||||||
|
// Alternatively we could specify it similarly to "Multi" option but exclusively counting:
|
||||||
|
// integerProperty("Resource-Points") .min(4).max(100).required()
|
||||||
|
// .each("CPU").countsAs(64)
|
||||||
|
// .each("RAM").countsAs(64)
|
||||||
|
// .each("SSD").countsAs(18)
|
||||||
|
// .each("HDD").countsAs(2)
|
||||||
|
// .each("Traffic").countsAs(1),
|
||||||
|
|
||||||
|
integerProperty("SLA-Infrastructure EXT8H") .min( 0).max( 20).withDefault(0).asTotalLimitFor("SLA-Infrastructure", "EXT8H"),
|
||||||
|
integerProperty("SLA-Infrastructure EXT4H") .min( 0).max( 20).withDefault(0).asTotalLimitFor("SLA-Infrastructure", "EXT4H"),
|
||||||
|
integerProperty("SLA-Infrastructure EXT2H") .min( 0).max( 20).withDefault(0).asTotalLimitFor("SLA-Infrastructure", "EXT2H"),
|
||||||
|
|
||||||
|
integerProperty("SLA-Platform EXT8H") .min( 0).max( 20).withDefault(0).asTotalLimitFor("SLA-Platform", "EXT8H"),
|
||||||
|
integerProperty("SLA-Platform EXT4H") .min( 0).max( 20).withDefault(0).asTotalLimitFor("SLA-Platform", "EXT4H"),
|
||||||
|
integerProperty("SLA-Platform EXT2H") .min( 0).max( 20).withDefault(0).asTotalLimitFor("SLA-Platform", "EXT2H"),
|
||||||
|
|
||||||
|
integerProperty("SLA-EMail") .min( 0).max( 20).withDefault(0).asTotalLimit(),
|
||||||
|
integerProperty("SLA-Maria") .min( 0).max( 20).withDefault(0).asTotalLimit(),
|
||||||
|
integerProperty("SLA-PgSQL") .min( 0).max( 20).withDefault(0).asTotalLimit(),
|
||||||
|
integerProperty("SLA-Office") .min( 0).max( 20).withDefault(0).asTotalLimit(),
|
||||||
|
integerProperty("SLA-Web") .min( 0).max( 20).withDefault(0).asTotalLimit()
|
||||||
|
// @formatter:on
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,114 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.project;
|
||||||
|
|
||||||
|
import lombok.*;
|
||||||
|
import lombok.experimental.SuperBuilder;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.debitor.HsBookingDebitorEntity;
|
||||||
|
import net.hostsharing.hsadminng.hs.office.debitor.HsOfficeDebitorEntity;
|
||||||
|
import net.hostsharing.hsadminng.hs.office.relation.HsOfficeRelationRbacEntity;
|
||||||
|
import net.hostsharing.hsadminng.rbac.rbacdef.RbacView;
|
||||||
|
import net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL;
|
||||||
|
import net.hostsharing.hsadminng.rbac.rbacobject.BaseEntity;
|
||||||
|
import net.hostsharing.hsadminng.stringify.Stringify;
|
||||||
|
import net.hostsharing.hsadminng.stringify.Stringifyable;
|
||||||
|
|
||||||
|
import jakarta.persistence.*;
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.util.UUID;
|
||||||
|
|
||||||
|
import static java.util.Optional.ofNullable;
|
||||||
|
import static net.hostsharing.hsadminng.hs.office.relation.HsOfficeRelationType.DEBITOR;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.fetchedBySql;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
|
||||||
|
import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
|
||||||
|
|
||||||
|
@MappedSuperclass
|
||||||
|
@Getter
|
||||||
|
@Setter
|
||||||
|
@NoArgsConstructor(access = AccessLevel.PROTECTED)
|
||||||
|
@AllArgsConstructor(access = AccessLevel.PROTECTED)
|
||||||
|
@SuperBuilder(builderMethodName = "baseBuilder", toBuilder = true)
|
||||||
|
public abstract class HsBookingProject implements Stringifyable, BaseEntity<HsBookingProject> {
|
||||||
|
|
||||||
|
private static Stringify<HsBookingProject> stringify = stringify(HsBookingProject.class)
|
||||||
|
.withProp(HsBookingProject::getDebitor)
|
||||||
|
.withProp(HsBookingProject::getCaption)
|
||||||
|
.quotedValues(false);
|
||||||
|
|
||||||
|
@Id
|
||||||
|
@GeneratedValue
|
||||||
|
private UUID uuid;
|
||||||
|
|
||||||
|
@Version
|
||||||
|
private int version;
|
||||||
|
|
||||||
|
@ManyToOne(optional = false)
|
||||||
|
@JoinColumn(name = "debitoruuid")
|
||||||
|
private HsBookingDebitorEntity debitor;
|
||||||
|
|
||||||
|
@Column(name = "caption")
|
||||||
|
private String caption;
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String toString() {
|
||||||
|
return stringify.apply(this);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String toShortString() {
|
||||||
|
return ofNullable(debitor).map(HsBookingDebitorEntity::toShortString).orElse("D-???????") +
|
||||||
|
":" + caption;
|
||||||
|
}
|
||||||
|
|
||||||
|
public static RbacView rbac() {
|
||||||
|
return rbacViewFor("project", HsBookingProject.class)
|
||||||
|
.withIdentityView(SQL.query("""
|
||||||
|
SELECT bookingProject.uuid as uuid, debitorIV.idName || '-' || cleanIdentifier(bookingProject.caption) as idName
|
||||||
|
FROM hs_booking_project bookingProject
|
||||||
|
JOIN hs_office_debitor_iv debitorIV ON debitorIV.uuid = bookingProject.debitorUuid
|
||||||
|
"""))
|
||||||
|
.withRestrictedViewOrderBy(SQL.expression("caption"))
|
||||||
|
.withUpdatableColumns("version", "caption")
|
||||||
|
|
||||||
|
.importEntityAlias("debitor", HsOfficeDebitorEntity.class, usingDefaultCase(),
|
||||||
|
dependsOnColumn("debitorUuid"),
|
||||||
|
directlyFetchedByDependsOnColumn(),
|
||||||
|
NOT_NULL)
|
||||||
|
|
||||||
|
.importEntityAlias("debitorRel", HsOfficeRelationRbacEntity.class, usingCase(DEBITOR),
|
||||||
|
dependsOnColumn("debitorUuid"),
|
||||||
|
fetchedBySql("""
|
||||||
|
SELECT ${columns}
|
||||||
|
FROM hs_office_relation debitorRel
|
||||||
|
JOIN hs_office_debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid
|
||||||
|
WHERE debitor.uuid = ${REF}.debitorUuid
|
||||||
|
"""),
|
||||||
|
NOT_NULL)
|
||||||
|
.toRole("debitorRel", ADMIN).grantPermission(INSERT)
|
||||||
|
.toRole("global", ADMIN).grantPermission(DELETE)
|
||||||
|
|
||||||
|
.createRole(OWNER, (with) -> {
|
||||||
|
with.incomingSuperRole("debitorRel", AGENT).unassumed();
|
||||||
|
})
|
||||||
|
.createSubRole(ADMIN, (with) -> {
|
||||||
|
with.permission(UPDATE);
|
||||||
|
})
|
||||||
|
.createSubRole(AGENT)
|
||||||
|
.createSubRole(TENANT, (with) -> {
|
||||||
|
with.outgoingSubRole("debitorRel", TENANT);
|
||||||
|
with.permission(SELECT);
|
||||||
|
})
|
||||||
|
|
||||||
|
.limitDiagramTo("project", "debitorRel", "global");
|
||||||
|
}
|
||||||
|
|
||||||
|
public static void main(String[] args) throws IOException {
|
||||||
|
rbac().generateWithBaseFileName("6-hs-booking/620-booking-project/6203-hs-booking-project-rbac");
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,128 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.project;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.context.Context;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.debitor.HsBookingDebitorRepository;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.generated.api.v1.api.HsBookingProjectsApi;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.generated.api.v1.model.HsBookingProjectInsertResource;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.generated.api.v1.model.HsBookingProjectPatchResource;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.generated.api.v1.model.HsBookingProjectResource;
|
||||||
|
import net.hostsharing.hsadminng.mapper.Mapper;
|
||||||
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
import org.springframework.http.ResponseEntity;
|
||||||
|
import org.springframework.transaction.annotation.Transactional;
|
||||||
|
import org.springframework.web.bind.annotation.RestController;
|
||||||
|
import org.springframework.web.servlet.mvc.method.annotation.MvcUriComponentsBuilder;
|
||||||
|
|
||||||
|
import jakarta.persistence.EntityNotFoundException;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.UUID;
|
||||||
|
import java.util.function.BiConsumer;
|
||||||
|
|
||||||
|
@RestController
|
||||||
|
public class HsBookingProjectController implements HsBookingProjectsApi {
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private Context context;
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private Mapper mapper;
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private HsBookingProjectRbacRepository bookingProjectRepo;
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private HsBookingDebitorRepository debitorRepo;
|
||||||
|
|
||||||
|
@Override
|
||||||
|
@Transactional(readOnly = true)
|
||||||
|
public ResponseEntity<List<HsBookingProjectResource>> listBookingProjectsByDebitorUuid(
|
||||||
|
final String currentUser,
|
||||||
|
final String assumedRoles,
|
||||||
|
final UUID debitorUuid) {
|
||||||
|
context.define(currentUser, assumedRoles);
|
||||||
|
|
||||||
|
final var entities = bookingProjectRepo.findAllByDebitorUuid(debitorUuid);
|
||||||
|
|
||||||
|
final var resources = mapper.mapList(entities, HsBookingProjectResource.class);
|
||||||
|
return ResponseEntity.ok(resources);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
@Transactional
|
||||||
|
public ResponseEntity<HsBookingProjectResource> addBookingProject(
|
||||||
|
final String currentUser,
|
||||||
|
final String assumedRoles,
|
||||||
|
final HsBookingProjectInsertResource body) {
|
||||||
|
|
||||||
|
context.define(currentUser, assumedRoles);
|
||||||
|
|
||||||
|
final var entityToSave = mapper.map(body, HsBookingProjectRbacEntity.class, RESOURCE_TO_ENTITY_POSTMAPPER);
|
||||||
|
|
||||||
|
final var saved = bookingProjectRepo.save(entityToSave);
|
||||||
|
|
||||||
|
final var uri =
|
||||||
|
MvcUriComponentsBuilder.fromController(getClass())
|
||||||
|
.path("/api/hs/booking/projects/{id}")
|
||||||
|
.buildAndExpand(saved.getUuid())
|
||||||
|
.toUri();
|
||||||
|
final var mapped = mapper.map(saved, HsBookingProjectResource.class);
|
||||||
|
return ResponseEntity.created(uri).body(mapped);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
@Transactional(readOnly = true)
|
||||||
|
public ResponseEntity<HsBookingProjectResource> getBookingProjectByUuid(
|
||||||
|
final String currentUser,
|
||||||
|
final String assumedRoles,
|
||||||
|
final UUID bookingProjectUuid) {
|
||||||
|
|
||||||
|
context.define(currentUser, assumedRoles);
|
||||||
|
|
||||||
|
final var result = bookingProjectRepo.findByUuid(bookingProjectUuid);
|
||||||
|
return result
|
||||||
|
.map(bookingProjectEntity -> ResponseEntity.ok(
|
||||||
|
mapper.map(bookingProjectEntity, HsBookingProjectResource.class)))
|
||||||
|
.orElseGet(() -> ResponseEntity.notFound().build());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
@Transactional
|
||||||
|
public ResponseEntity<Void> deleteBookingIemByUuid(
|
||||||
|
final String currentUser,
|
||||||
|
final String assumedRoles,
|
||||||
|
final UUID bookingProjectUuid) {
|
||||||
|
context.define(currentUser, assumedRoles);
|
||||||
|
|
||||||
|
final var result = bookingProjectRepo.deleteByUuid(bookingProjectUuid);
|
||||||
|
return result == 0
|
||||||
|
? ResponseEntity.notFound().build()
|
||||||
|
: ResponseEntity.noContent().build();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
@Transactional
|
||||||
|
public ResponseEntity<HsBookingProjectResource> patchBookingProject(
|
||||||
|
final String currentUser,
|
||||||
|
final String assumedRoles,
|
||||||
|
final UUID bookingProjectUuid,
|
||||||
|
final HsBookingProjectPatchResource body) {
|
||||||
|
|
||||||
|
context.define(currentUser, assumedRoles);
|
||||||
|
|
||||||
|
final var current = bookingProjectRepo.findByUuid(bookingProjectUuid).orElseThrow();
|
||||||
|
|
||||||
|
new HsBookingProjectEntityPatcher(current).apply(body);
|
||||||
|
|
||||||
|
final var saved = bookingProjectRepo.save(current);
|
||||||
|
final var mapped = mapper.map(saved, HsBookingProjectResource.class);
|
||||||
|
return ResponseEntity.ok(mapped);
|
||||||
|
}
|
||||||
|
|
||||||
|
final BiConsumer<HsBookingProjectInsertResource, HsBookingProjectRbacEntity> RESOURCE_TO_ENTITY_POSTMAPPER = (resource, entity) -> {
|
||||||
|
if (resource.getDebitorUuid() != null) {
|
||||||
|
entity.setDebitor(debitorRepo.findByUuid(resource.getDebitorUuid())
|
||||||
|
.orElseThrow(() -> new EntityNotFoundException("ERROR: [400] debitorUuid %s not found".formatted(
|
||||||
|
resource.getDebitorUuid()))));
|
||||||
|
}
|
||||||
|
};
|
||||||
|
}
|
@ -0,0 +1,22 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.project;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.generated.api.v1.model.HsBookingProjectPatchResource;
|
||||||
|
import net.hostsharing.hsadminng.mapper.EntityPatcher;
|
||||||
|
import net.hostsharing.hsadminng.mapper.OptionalFromJson;
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
public class HsBookingProjectEntityPatcher implements EntityPatcher<HsBookingProjectPatchResource> {
|
||||||
|
|
||||||
|
private final HsBookingProject entity;
|
||||||
|
|
||||||
|
public HsBookingProjectEntityPatcher(final HsBookingProject entity) {
|
||||||
|
this.entity = entity;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void apply(final HsBookingProjectPatchResource resource) {
|
||||||
|
OptionalFromJson.of(resource.getCaption())
|
||||||
|
.ifPresent(entity::setCaption);
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,86 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.project;
|
||||||
|
|
||||||
|
import lombok.Getter;
|
||||||
|
import lombok.NoArgsConstructor;
|
||||||
|
import lombok.Setter;
|
||||||
|
import lombok.experimental.SuperBuilder;
|
||||||
|
import net.hostsharing.hsadminng.hs.office.debitor.HsOfficeDebitorEntity;
|
||||||
|
import net.hostsharing.hsadminng.hs.office.relation.HsOfficeRelationRbacEntity;
|
||||||
|
import net.hostsharing.hsadminng.rbac.rbacdef.RbacView;
|
||||||
|
import net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL;
|
||||||
|
|
||||||
|
import jakarta.persistence.Entity;
|
||||||
|
import jakarta.persistence.Table;
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import static net.hostsharing.hsadminng.hs.office.relation.HsOfficeRelationType.DEBITOR;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingCase;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.UPDATE;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.ADMIN;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.AGENT;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.OWNER;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.TENANT;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.fetchedBySql;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
|
||||||
|
|
||||||
|
@Entity
|
||||||
|
@Table(name = "hs_booking_project_rv")
|
||||||
|
@SuperBuilder(toBuilder = true)
|
||||||
|
@Getter
|
||||||
|
@Setter
|
||||||
|
@NoArgsConstructor
|
||||||
|
public class HsBookingProjectRbacEntity extends HsBookingProject {
|
||||||
|
|
||||||
|
public static RbacView rbac() {
|
||||||
|
return rbacViewFor("project", HsBookingProjectRbacEntity.class)
|
||||||
|
.withIdentityView(SQL.query("""
|
||||||
|
SELECT bookingProject.uuid as uuid, debitorIV.idName || '-' || cleanIdentifier(bookingProject.caption) as idName
|
||||||
|
FROM hs_booking_project bookingProject
|
||||||
|
JOIN hs_office_debitor_iv debitorIV ON debitorIV.uuid = bookingProject.debitorUuid
|
||||||
|
"""))
|
||||||
|
.withRestrictedViewOrderBy(SQL.expression("caption"))
|
||||||
|
.withUpdatableColumns("version", "caption")
|
||||||
|
|
||||||
|
.importEntityAlias("debitor", HsOfficeDebitorEntity.class, usingDefaultCase(),
|
||||||
|
dependsOnColumn("debitorUuid"),
|
||||||
|
directlyFetchedByDependsOnColumn(),
|
||||||
|
NOT_NULL)
|
||||||
|
|
||||||
|
.importEntityAlias("debitorRel", HsOfficeRelationRbacEntity.class, usingCase(DEBITOR),
|
||||||
|
dependsOnColumn("debitorUuid"),
|
||||||
|
fetchedBySql("""
|
||||||
|
SELECT ${columns}
|
||||||
|
FROM hs_office_relation debitorRel
|
||||||
|
JOIN hs_office_debitor debitor ON debitor.debitorRelUuid = debitorRel.uuid
|
||||||
|
WHERE debitor.uuid = ${REF}.debitorUuid
|
||||||
|
"""),
|
||||||
|
NOT_NULL)
|
||||||
|
.toRole("debitorRel", ADMIN).grantPermission(INSERT)
|
||||||
|
.toRole("global", ADMIN).grantPermission(DELETE)
|
||||||
|
|
||||||
|
.createRole(OWNER, (with) -> {
|
||||||
|
with.incomingSuperRole("debitorRel", AGENT).unassumed();
|
||||||
|
})
|
||||||
|
.createSubRole(ADMIN, (with) -> {
|
||||||
|
with.permission(UPDATE);
|
||||||
|
})
|
||||||
|
.createSubRole(AGENT)
|
||||||
|
.createSubRole(TENANT, (with) -> {
|
||||||
|
with.outgoingSubRole("debitorRel", TENANT);
|
||||||
|
with.permission(SELECT);
|
||||||
|
})
|
||||||
|
|
||||||
|
.limitDiagramTo("project", "debitorRel", "global");
|
||||||
|
}
|
||||||
|
|
||||||
|
public static void main(String[] args) throws IOException {
|
||||||
|
rbac().generateWithBaseFileName("6-hs-booking/620-booking-project/6203-hs-booking-project-rbac");
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,22 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.project;
|
||||||
|
|
||||||
|
import org.springframework.data.repository.Repository;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Optional;
|
||||||
|
import java.util.UUID;
|
||||||
|
|
||||||
|
public interface HsBookingProjectRbacRepository extends HsBookingProjectRepository<HsBookingProjectRbacEntity>,
|
||||||
|
Repository<HsBookingProjectRbacEntity, UUID> {
|
||||||
|
|
||||||
|
Optional<HsBookingProjectRbacEntity> findByUuid(final UUID bookingProjectUuid);
|
||||||
|
List<HsBookingProjectRbacEntity> findByCaption(final String projectCaption);
|
||||||
|
|
||||||
|
List<HsBookingProjectRbacEntity> findAllByDebitorUuid(final UUID bookingProjectUuid);
|
||||||
|
|
||||||
|
HsBookingProjectRbacEntity save(HsBookingProjectRbacEntity current);
|
||||||
|
|
||||||
|
int deleteByUuid(final UUID uuid);
|
||||||
|
|
||||||
|
long count();
|
||||||
|
}
|
@ -0,0 +1,19 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.project;
|
||||||
|
|
||||||
|
import lombok.Getter;
|
||||||
|
import lombok.NoArgsConstructor;
|
||||||
|
import lombok.Setter;
|
||||||
|
import lombok.experimental.SuperBuilder;
|
||||||
|
|
||||||
|
import jakarta.persistence.Entity;
|
||||||
|
import jakarta.persistence.Table;
|
||||||
|
|
||||||
|
|
||||||
|
@Entity
|
||||||
|
@Table(name = "hs_booking_project")
|
||||||
|
@SuperBuilder(toBuilder = true)
|
||||||
|
@Getter
|
||||||
|
@Setter
|
||||||
|
@NoArgsConstructor
|
||||||
|
public class HsBookingProjectRealEntity extends HsBookingProject {
|
||||||
|
}
|
@ -0,0 +1,22 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.project;
|
||||||
|
|
||||||
|
import org.springframework.data.repository.Repository;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Optional;
|
||||||
|
import java.util.UUID;
|
||||||
|
|
||||||
|
public interface HsBookingProjectRealRepository extends HsBookingProjectRepository<HsBookingProjectRealEntity>,
|
||||||
|
Repository<HsBookingProjectRealEntity, UUID> {
|
||||||
|
|
||||||
|
Optional<HsBookingProjectRealEntity> findByUuid(final UUID bookingProjectUuid);
|
||||||
|
List<HsBookingProjectRealEntity> findByCaption(final String projectCaption);
|
||||||
|
|
||||||
|
List<HsBookingProjectRealEntity> findAllByDebitorUuid(final UUID bookingProjectUuid);
|
||||||
|
|
||||||
|
HsBookingProjectRealEntity save(HsBookingProjectRealEntity current);
|
||||||
|
|
||||||
|
int deleteByUuid(final UUID uuid);
|
||||||
|
|
||||||
|
long count();
|
||||||
|
}
|
@ -0,0 +1,19 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.booking.project;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Optional;
|
||||||
|
import java.util.UUID;
|
||||||
|
|
||||||
|
public interface HsBookingProjectRepository<E extends HsBookingProject> {
|
||||||
|
|
||||||
|
Optional<E> findByUuid(final UUID bookingProjectUuid);
|
||||||
|
List<E> findByCaption(final String projectCaption);
|
||||||
|
|
||||||
|
List<E> findAllByDebitorUuid(final UUID bookingProjectUuid);
|
||||||
|
|
||||||
|
E save(E current);
|
||||||
|
|
||||||
|
int deleteByUuid(final UUID uuid);
|
||||||
|
|
||||||
|
long count();
|
||||||
|
}
|
@ -0,0 +1,166 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset;
|
||||||
|
|
||||||
|
import io.hypersistence.utils.hibernate.type.json.JsonType;
|
||||||
|
import lombok.AccessLevel;
|
||||||
|
import lombok.AllArgsConstructor;
|
||||||
|
import lombok.Builder;
|
||||||
|
import lombok.NoArgsConstructor;
|
||||||
|
import lombok.Setter;
|
||||||
|
import lombok.Getter;
|
||||||
|
import lombok.experimental.SuperBuilder;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.item.HsBookingItem;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.item.HsBookingItemRealEntity;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.project.HsBookingProject;
|
||||||
|
import net.hostsharing.hsadminng.hs.office.contact.HsOfficeContactRealEntity;
|
||||||
|
import net.hostsharing.hsadminng.hs.validation.PropertiesProvider;
|
||||||
|
import net.hostsharing.hsadminng.mapper.PatchableMapWrapper;
|
||||||
|
import net.hostsharing.hsadminng.rbac.rbacobject.BaseEntity;
|
||||||
|
import net.hostsharing.hsadminng.stringify.Stringify;
|
||||||
|
import net.hostsharing.hsadminng.stringify.Stringifyable;
|
||||||
|
import org.hibernate.annotations.Type;
|
||||||
|
|
||||||
|
import jakarta.persistence.CascadeType;
|
||||||
|
import jakarta.persistence.Column;
|
||||||
|
import jakarta.persistence.EnumType;
|
||||||
|
import jakarta.persistence.Enumerated;
|
||||||
|
import jakarta.persistence.FetchType;
|
||||||
|
import jakarta.persistence.GeneratedValue;
|
||||||
|
import jakarta.persistence.Id;
|
||||||
|
import jakarta.persistence.JoinColumn;
|
||||||
|
import jakarta.persistence.ManyToOne;
|
||||||
|
import jakarta.persistence.MappedSuperclass;
|
||||||
|
import jakarta.persistence.OneToMany;
|
||||||
|
import jakarta.persistence.OneToOne;
|
||||||
|
import jakarta.persistence.PostLoad;
|
||||||
|
import jakarta.persistence.Transient;
|
||||||
|
import jakarta.persistence.Version;
|
||||||
|
import java.util.ArrayList;
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Map;
|
||||||
|
import java.util.Optional;
|
||||||
|
import java.util.UUID;
|
||||||
|
|
||||||
|
import static java.util.Collections.emptyMap;
|
||||||
|
import static net.hostsharing.hsadminng.stringify.Stringify.stringify;
|
||||||
|
|
||||||
|
@MappedSuperclass
|
||||||
|
@Getter
|
||||||
|
@Setter
|
||||||
|
@NoArgsConstructor(access = AccessLevel.PROTECTED)
|
||||||
|
@AllArgsConstructor(access = AccessLevel.PROTECTED)
|
||||||
|
@SuperBuilder(builderMethodName = "baseBuilder", toBuilder = true)
|
||||||
|
public abstract class HsHostingAsset implements Stringifyable, BaseEntity<HsHostingAsset>, PropertiesProvider {
|
||||||
|
|
||||||
|
static Stringify<HsHostingAsset> stringify = stringify(HsHostingAsset.class)
|
||||||
|
.withProp(HsHostingAsset::getType)
|
||||||
|
.withProp(HsHostingAsset::getIdentifier)
|
||||||
|
.withProp(HsHostingAsset::getCaption)
|
||||||
|
.withProp(HsHostingAsset::getParentAsset)
|
||||||
|
.withProp(HsHostingAsset::getAssignedToAsset)
|
||||||
|
.withProp(HsHostingAsset::getBookingItem)
|
||||||
|
.withProp(HsHostingAsset::getConfig)
|
||||||
|
.quotedValues(false);
|
||||||
|
|
||||||
|
@Id
|
||||||
|
@GeneratedValue
|
||||||
|
private UUID uuid;
|
||||||
|
|
||||||
|
@Version
|
||||||
|
private int version;
|
||||||
|
|
||||||
|
@OneToOne(fetch = FetchType.LAZY)
|
||||||
|
@JoinColumn(name = "bookingitemuuid")
|
||||||
|
private HsBookingItemRealEntity bookingItem;
|
||||||
|
|
||||||
|
@ManyToOne(fetch = FetchType.LAZY)
|
||||||
|
@JoinColumn(name = "parentassetuuid")
|
||||||
|
private HsHostingAssetRealEntity parentAsset;
|
||||||
|
|
||||||
|
@ManyToOne(fetch = FetchType.LAZY)
|
||||||
|
@JoinColumn(name = "assignedtoassetuuid")
|
||||||
|
private HsHostingAssetRealEntity assignedToAsset;
|
||||||
|
|
||||||
|
@Column(name = "type")
|
||||||
|
@Enumerated(EnumType.STRING)
|
||||||
|
private HsHostingAssetType type;
|
||||||
|
|
||||||
|
@ManyToOne(fetch = FetchType.LAZY)
|
||||||
|
@JoinColumn(name = "alarmcontactuuid")
|
||||||
|
private HsOfficeContactRealEntity alarmContact;
|
||||||
|
|
||||||
|
@Builder.Default
|
||||||
|
@OneToMany(cascade = CascadeType.REFRESH, orphanRemoval = true, fetch = FetchType.LAZY)
|
||||||
|
@JoinColumn(name = "parentassetuuid", referencedColumnName = "uuid")
|
||||||
|
private List<HsHostingAssetRealEntity> subHostingAssets = new ArrayList<>();
|
||||||
|
|
||||||
|
@Column(name = "identifier")
|
||||||
|
private String identifier; // e.g. vm1234, xyz00, example.org, xyz00_abc
|
||||||
|
|
||||||
|
@Column(name = "caption")
|
||||||
|
private String caption;
|
||||||
|
|
||||||
|
@Builder.Default
|
||||||
|
@Setter(AccessLevel.NONE)
|
||||||
|
@Type(JsonType.class)
|
||||||
|
@Column(columnDefinition = "config")
|
||||||
|
private Map<String, Object> config = new HashMap<>();
|
||||||
|
|
||||||
|
@Transient
|
||||||
|
private PatchableMapWrapper<Object> configWrapper;
|
||||||
|
|
||||||
|
@Transient
|
||||||
|
private boolean isLoaded;
|
||||||
|
|
||||||
|
@PostLoad
|
||||||
|
public void markAsLoaded() {
|
||||||
|
this.isLoaded = true;
|
||||||
|
}
|
||||||
|
|
||||||
|
public PatchableMapWrapper<Object> getConfig() {
|
||||||
|
return PatchableMapWrapper.of(configWrapper, (newWrapper) -> {configWrapper = newWrapper;}, config);
|
||||||
|
}
|
||||||
|
|
||||||
|
public void putConfig(Map<String, Object> newConfig) {
|
||||||
|
PatchableMapWrapper.of(configWrapper, (newWrapper) -> {configWrapper = newWrapper;}, config).assign(newConfig);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public PatchableMapWrapper<Object> directProps() {
|
||||||
|
return getConfig();
|
||||||
|
}
|
||||||
|
|
||||||
|
public HsBookingProject getRelatedProject() {
|
||||||
|
return Optional.ofNullable(getBookingItem())
|
||||||
|
.map(HsBookingItem::getRelatedProject)
|
||||||
|
.orElseGet(() -> Optional.ofNullable(getParentAsset())
|
||||||
|
.map(HsHostingAsset::getRelatedProject)
|
||||||
|
.orElse(null));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Object getContextValue(final String propName) {
|
||||||
|
final var v = directProps().get(propName);
|
||||||
|
if (v != null) {
|
||||||
|
return v;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (getBookingItem() != null) {
|
||||||
|
return getBookingItem().getResources().get(propName);
|
||||||
|
}
|
||||||
|
if (getParentAsset() != null && getParentAsset().getBookingItem() != null) {
|
||||||
|
return getParentAsset().getBookingItem().getResources().get(propName);
|
||||||
|
}
|
||||||
|
return emptyMap();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String toShortString() {
|
||||||
|
return getType() + ":" + getIdentifier();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String toString() {
|
||||||
|
return stringify.apply(this);
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,168 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.item.HsBookingItemRealRepository;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.validators.HostingAssetEntitySaveProcessor;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.validators.HostingAssetEntityValidatorRegistry;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.generated.api.v1.api.HsHostingAssetsApi;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.context.Context;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.generated.api.v1.model.HsHostingAssetInsertResource;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.generated.api.v1.model.HsHostingAssetPatchResource;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.generated.api.v1.model.HsHostingAssetResource;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.generated.api.v1.model.HsHostingAssetTypeResource;
|
||||||
|
import net.hostsharing.hsadminng.mapper.KeyValueMap;
|
||||||
|
import net.hostsharing.hsadminng.mapper.Mapper;
|
||||||
|
import net.hostsharing.hsadminng.persistence.EntityManagerWrapper;
|
||||||
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
import org.springframework.http.ResponseEntity;
|
||||||
|
import org.springframework.transaction.annotation.Transactional;
|
||||||
|
import org.springframework.web.bind.annotation.RestController;
|
||||||
|
import org.springframework.web.servlet.mvc.method.annotation.MvcUriComponentsBuilder;
|
||||||
|
|
||||||
|
import jakarta.persistence.EntityNotFoundException;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Map;
|
||||||
|
import java.util.UUID;
|
||||||
|
import java.util.function.BiConsumer;
|
||||||
|
|
||||||
|
@RestController
|
||||||
|
public class HsHostingAssetController implements HsHostingAssetsApi {
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private EntityManagerWrapper emw;
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private Context context;
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private Mapper mapper;
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private HsHostingAssetRbacRepository rbacAssetRepo;
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private HsHostingAssetRealRepository realAssetRepo;
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private HsBookingItemRealRepository realBookingItemRepo;
|
||||||
|
|
||||||
|
@Override
|
||||||
|
@Transactional(readOnly = true)
|
||||||
|
public ResponseEntity<List<HsHostingAssetResource>> listAssets(
|
||||||
|
final String currentUser,
|
||||||
|
final String assumedRoles,
|
||||||
|
final UUID debitorUuid,
|
||||||
|
final UUID parentAssetUuid,
|
||||||
|
final HsHostingAssetTypeResource type) {
|
||||||
|
context.define(currentUser, assumedRoles);
|
||||||
|
|
||||||
|
final var entities = rbacAssetRepo.findAllByCriteria(debitorUuid, parentAssetUuid, HsHostingAssetType.of(type));
|
||||||
|
|
||||||
|
final var resources = mapper.mapList(entities, HsHostingAssetResource.class, ENTITY_TO_RESOURCE_POSTMAPPER);
|
||||||
|
return ResponseEntity.ok(resources);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@Override
|
||||||
|
@Transactional
|
||||||
|
public ResponseEntity<HsHostingAssetResource> addAsset(
|
||||||
|
final String currentUser,
|
||||||
|
final String assumedRoles,
|
||||||
|
final HsHostingAssetInsertResource body) {
|
||||||
|
|
||||||
|
context.define(currentUser, assumedRoles);
|
||||||
|
|
||||||
|
final var entity = mapper.map(body, HsHostingAssetRbacEntity.class, RESOURCE_TO_ENTITY_POSTMAPPER);
|
||||||
|
|
||||||
|
final var mapped = new HostingAssetEntitySaveProcessor(emw, entity)
|
||||||
|
.preprocessEntity()
|
||||||
|
.validateEntity()
|
||||||
|
.prepareForSave()
|
||||||
|
.save()
|
||||||
|
.validateContext()
|
||||||
|
.mapUsing(e -> mapper.map(e, HsHostingAssetResource.class))
|
||||||
|
.revampProperties();
|
||||||
|
|
||||||
|
final var uri =
|
||||||
|
MvcUriComponentsBuilder.fromController(getClass())
|
||||||
|
.path("/api/hs/hosting/assets/{id}")
|
||||||
|
.buildAndExpand(mapped.getUuid())
|
||||||
|
.toUri();
|
||||||
|
return ResponseEntity.created(uri).body(mapped);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
@Transactional(readOnly = true)
|
||||||
|
public ResponseEntity<HsHostingAssetResource> getAssetByUuid(
|
||||||
|
final String currentUser,
|
||||||
|
final String assumedRoles,
|
||||||
|
final UUID assetUuid) {
|
||||||
|
|
||||||
|
context.define(currentUser, assumedRoles);
|
||||||
|
|
||||||
|
final var result = rbacAssetRepo.findByUuid(assetUuid);
|
||||||
|
return result
|
||||||
|
.map(assetEntity -> ResponseEntity.ok(
|
||||||
|
mapper.map(assetEntity, HsHostingAssetResource.class, ENTITY_TO_RESOURCE_POSTMAPPER)))
|
||||||
|
.orElseGet(() -> ResponseEntity.notFound().build());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
@Transactional
|
||||||
|
public ResponseEntity<Void> deleteAssetUuid(
|
||||||
|
final String currentUser,
|
||||||
|
final String assumedRoles,
|
||||||
|
final UUID assetUuid) {
|
||||||
|
context.define(currentUser, assumedRoles);
|
||||||
|
|
||||||
|
final var result = rbacAssetRepo.deleteByUuid(assetUuid);
|
||||||
|
return result == 0
|
||||||
|
? ResponseEntity.notFound().build()
|
||||||
|
: ResponseEntity.noContent().build();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
@Transactional
|
||||||
|
public ResponseEntity<HsHostingAssetResource> patchAsset(
|
||||||
|
final String currentUser,
|
||||||
|
final String assumedRoles,
|
||||||
|
final UUID assetUuid,
|
||||||
|
final HsHostingAssetPatchResource body) {
|
||||||
|
|
||||||
|
context.define(currentUser, assumedRoles);
|
||||||
|
|
||||||
|
final var entity = rbacAssetRepo.findByUuid(assetUuid).orElseThrow();
|
||||||
|
|
||||||
|
new HsHostingAssetEntityPatcher(emw, entity).apply(body);
|
||||||
|
|
||||||
|
final var mapped = new HostingAssetEntitySaveProcessor(emw, entity)
|
||||||
|
.preprocessEntity()
|
||||||
|
.validateEntity()
|
||||||
|
.prepareForSave()
|
||||||
|
.save()
|
||||||
|
.validateContext()
|
||||||
|
.mapUsing(e -> mapper.map(e, HsHostingAssetResource.class))
|
||||||
|
.revampProperties();
|
||||||
|
|
||||||
|
return ResponseEntity.ok(mapped);
|
||||||
|
}
|
||||||
|
|
||||||
|
final BiConsumer<HsHostingAssetInsertResource, HsHostingAssetRbacEntity> RESOURCE_TO_ENTITY_POSTMAPPER = (resource, entity) -> {
|
||||||
|
entity.putConfig(KeyValueMap.from(resource.getConfig()));
|
||||||
|
if (resource.getBookingItemUuid() != null) {
|
||||||
|
entity.setBookingItem(realBookingItemRepo.findByUuid(resource.getBookingItemUuid())
|
||||||
|
.orElseThrow(() -> new EntityNotFoundException("ERROR: [400] bookingItemUuid %s not found".formatted(
|
||||||
|
resource.getBookingItemUuid()))));
|
||||||
|
}
|
||||||
|
if (resource.getParentAssetUuid() != null) {
|
||||||
|
entity.setParentAsset(realAssetRepo.findByUuid(resource.getParentAssetUuid())
|
||||||
|
.orElseThrow(() -> new EntityNotFoundException("ERROR: [400] parentAssetUuid %s not found".formatted(
|
||||||
|
resource.getParentAssetUuid()))));
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
@SuppressWarnings("unchecked")
|
||||||
|
final BiConsumer<HsHostingAssetRbacEntity, HsHostingAssetResource> ENTITY_TO_RESOURCE_POSTMAPPER = (entity, resource)
|
||||||
|
-> resource.setConfig(HostingAssetEntityValidatorRegistry.forType(entity.getType())
|
||||||
|
.revampProperties(emw, entity, (Map<String, Object>) resource.getConfig()));
|
||||||
|
}
|
@ -0,0 +1,35 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.generated.api.v1.model.HsHostingAssetPatchResource;
|
||||||
|
import net.hostsharing.hsadminng.hs.office.contact.HsOfficeContactRealEntity;
|
||||||
|
import net.hostsharing.hsadminng.mapper.EntityPatcher;
|
||||||
|
import net.hostsharing.hsadminng.mapper.KeyValueMap;
|
||||||
|
import net.hostsharing.hsadminng.mapper.OptionalFromJson;
|
||||||
|
|
||||||
|
import jakarta.persistence.EntityManager;
|
||||||
|
import java.util.Optional;
|
||||||
|
|
||||||
|
public class HsHostingAssetEntityPatcher implements EntityPatcher<HsHostingAssetPatchResource> {
|
||||||
|
|
||||||
|
private final EntityManager em;
|
||||||
|
private final HsHostingAssetRbacEntity entity;
|
||||||
|
|
||||||
|
public HsHostingAssetEntityPatcher(final EntityManager em, final HsHostingAssetRbacEntity entity) {
|
||||||
|
this.em = em;
|
||||||
|
this.entity = entity;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void apply(final HsHostingAssetPatchResource resource) {
|
||||||
|
OptionalFromJson.of(resource.getCaption())
|
||||||
|
.ifPresent(entity::setCaption);
|
||||||
|
Optional.ofNullable(resource.getConfig())
|
||||||
|
.ifPresent(r -> entity.getConfig().patch(KeyValueMap.from(resource.getConfig())));
|
||||||
|
OptionalFromJson.of(resource.getAlarmContactUuid())
|
||||||
|
// HOWTO: patch nullable JSON resource uuid to an ntity reference
|
||||||
|
.ifPresent(newValue -> entity.setAlarmContact(
|
||||||
|
Optional.ofNullable(newValue)
|
||||||
|
.map(uuid -> em.getReference(HsOfficeContactRealEntity.class, newValue))
|
||||||
|
.orElse(null)));
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,40 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.validators.HostingAssetEntityValidatorRegistry;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.generated.api.v1.api.HsHostingAssetPropsApi;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.generated.api.v1.model.HsHostingAssetTypeResource;
|
||||||
|
import org.springframework.http.ResponseEntity;
|
||||||
|
import org.springframework.web.bind.annotation.RestController;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
|
|
||||||
|
@RestController
|
||||||
|
public class HsHostingAssetPropsController implements HsHostingAssetPropsApi {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public ResponseEntity<List<String>> listAssetTypes() {
|
||||||
|
final var resource = HostingAssetEntityValidatorRegistry.types().stream()
|
||||||
|
.map(Enum::name)
|
||||||
|
.toList();
|
||||||
|
return ResponseEntity.ok(resource);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public ResponseEntity<List<Object>> listAssetTypeProps(
|
||||||
|
final HsHostingAssetTypeResource assetType) {
|
||||||
|
|
||||||
|
final Enum<HsHostingAssetType> type = HsHostingAssetType.of(assetType);
|
||||||
|
final var propValidators = HostingAssetEntityValidatorRegistry.forType(type);
|
||||||
|
final List<Map<String, Object>> resource = propValidators.properties();
|
||||||
|
return ResponseEntity.ok(toListOfObjects(resource));
|
||||||
|
}
|
||||||
|
|
||||||
|
private List<Object> toListOfObjects(final List<Map<String, Object>> resource) {
|
||||||
|
// OpenApi ony generates List<Object> not List<Map<String, Object>> for the Java interface.
|
||||||
|
// But Spring properly converts the List of Maps, thus we can simply cast the type:
|
||||||
|
//noinspection rawtypes,unchecked
|
||||||
|
return (List) resource;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,115 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset;
|
||||||
|
|
||||||
|
import lombok.Getter;
|
||||||
|
import lombok.NoArgsConstructor;
|
||||||
|
import lombok.Setter;
|
||||||
|
import lombok.experimental.SuperBuilder;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.item.HsBookingItem;
|
||||||
|
import net.hostsharing.hsadminng.hs.office.contact.HsOfficeContactRbacEntity;
|
||||||
|
import net.hostsharing.hsadminng.rbac.rbacdef.RbacView;
|
||||||
|
import net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL;
|
||||||
|
|
||||||
|
import jakarta.persistence.Entity;
|
||||||
|
import jakarta.persistence.Table;
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.CaseDef.inCaseOf;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.UPDATE;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.UserRole.CREATOR;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.ADMIN;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.AGENT;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.GUEST;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.OWNER;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.REFERRER;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.TENANT;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
|
||||||
|
|
||||||
|
@Entity
|
||||||
|
@Table(name = "hs_hosting_asset_rv")
|
||||||
|
@SuperBuilder(toBuilder = true)
|
||||||
|
@Getter
|
||||||
|
@Setter
|
||||||
|
@NoArgsConstructor
|
||||||
|
public class HsHostingAssetRbacEntity extends HsHostingAsset {
|
||||||
|
|
||||||
|
public static RbacView rbac() {
|
||||||
|
return rbacViewFor("asset", HsHostingAssetRbacEntity.class)
|
||||||
|
.withIdentityView(SQL.projection("identifier"))
|
||||||
|
.withRestrictedViewOrderBy(SQL.expression("identifier"))
|
||||||
|
.withUpdatableColumns("version", "caption", "config", "assignedToAssetUuid", "alarmContactUuid")
|
||||||
|
.toRole(GLOBAL, ADMIN).grantPermission(INSERT) // TODO.impl: Why is this necessary to insert test data?
|
||||||
|
|
||||||
|
.importEntityAlias("bookingItem", HsBookingItem.class, usingDefaultCase(),
|
||||||
|
dependsOnColumn("bookingItemUuid"),
|
||||||
|
directlyFetchedByDependsOnColumn(),
|
||||||
|
NULLABLE)
|
||||||
|
|
||||||
|
.importEntityAlias("parentAsset", HsHostingAssetRbacEntity.class, usingDefaultCase(),
|
||||||
|
dependsOnColumn("parentAssetUuid"),
|
||||||
|
directlyFetchedByDependsOnColumn(),
|
||||||
|
NULLABLE)
|
||||||
|
.toRole("parentAsset", ADMIN).grantPermission(INSERT)
|
||||||
|
|
||||||
|
.importEntityAlias("assignedToAsset", HsHostingAssetRbacEntity.class, usingDefaultCase(),
|
||||||
|
dependsOnColumn("assignedToAssetUuid"),
|
||||||
|
directlyFetchedByDependsOnColumn(),
|
||||||
|
NULLABLE)
|
||||||
|
|
||||||
|
.importEntityAlias("alarmContact", HsOfficeContactRbacEntity.class, usingDefaultCase(),
|
||||||
|
dependsOnColumn("alarmContactUuid"),
|
||||||
|
directlyFetchedByDependsOnColumn(),
|
||||||
|
NULLABLE)
|
||||||
|
|
||||||
|
.switchOnColumn(
|
||||||
|
"type",
|
||||||
|
inCaseOf("DOMAIN_SETUP", then -> {
|
||||||
|
then.toRole(GLOBAL, GUEST).grantPermission(INSERT);
|
||||||
|
})
|
||||||
|
)
|
||||||
|
|
||||||
|
.createRole(OWNER, (with) -> {
|
||||||
|
with.owningUser(CREATOR);
|
||||||
|
with.incomingSuperRole(GLOBAL, ADMIN).unassumed(); // TODO.spec: replace by a better solution
|
||||||
|
with.incomingSuperRole("bookingItem", ADMIN);
|
||||||
|
with.incomingSuperRole("parentAsset", ADMIN);
|
||||||
|
with.permission(DELETE);
|
||||||
|
})
|
||||||
|
.createSubRole(ADMIN, (with) -> {
|
||||||
|
with.incomingSuperRole("bookingItem", AGENT);
|
||||||
|
with.incomingSuperRole("parentAsset", AGENT);
|
||||||
|
with.permission(UPDATE);
|
||||||
|
})
|
||||||
|
.createSubRole(AGENT, (with) -> {
|
||||||
|
with.incomingSuperRole("assignedToAsset", AGENT); // TODO.spec: or ADMIN?
|
||||||
|
with.outgoingSubRole("assignedToAsset", TENANT);
|
||||||
|
with.outgoingSubRole("alarmContact", REFERRER);
|
||||||
|
})
|
||||||
|
.createSubRole(TENANT, (with) -> {
|
||||||
|
with.outgoingSubRole("bookingItem", TENANT);
|
||||||
|
with.outgoingSubRole("parentAsset", TENANT);
|
||||||
|
with.incomingSuperRole("alarmContact", ADMIN);
|
||||||
|
with.permission(SELECT);
|
||||||
|
})
|
||||||
|
|
||||||
|
.limitDiagramTo(
|
||||||
|
"asset",
|
||||||
|
"bookingItem",
|
||||||
|
"bookingItem.debitorRel",
|
||||||
|
"parentAsset",
|
||||||
|
"assignedToAsset",
|
||||||
|
"alarmContact",
|
||||||
|
"global");
|
||||||
|
}
|
||||||
|
|
||||||
|
public static void main(String[] args) throws IOException {
|
||||||
|
rbac().generateWithBaseFileName("7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac");
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,47 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset;
|
||||||
|
|
||||||
|
import org.springframework.data.jpa.repository.Query;
|
||||||
|
import org.springframework.data.repository.Repository;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Optional;
|
||||||
|
import java.util.UUID;
|
||||||
|
|
||||||
|
|
||||||
|
public interface HsHostingAssetRbacRepository extends HsHostingAssetRepository<HsHostingAssetRbacEntity>, Repository<HsHostingAssetRbacEntity, UUID> {
|
||||||
|
|
||||||
|
Optional<HsHostingAssetRbacEntity> findByUuid(final UUID serverUuid);
|
||||||
|
|
||||||
|
List<HsHostingAssetRbacEntity> findByIdentifier(String assetIdentifier);
|
||||||
|
|
||||||
|
@Query(value = """
|
||||||
|
select ha.uuid,
|
||||||
|
ha.alarmcontactuuid,
|
||||||
|
ha.assignedtoassetuuid,
|
||||||
|
ha.bookingitemuuid,
|
||||||
|
ha.caption,
|
||||||
|
ha.config,
|
||||||
|
ha.identifier,
|
||||||
|
ha.parentassetuuid,
|
||||||
|
ha.type,
|
||||||
|
ha.version
|
||||||
|
from hs_hosting_asset_rv ha
|
||||||
|
left join hs_booking_item bi on bi.uuid = ha.bookingitemuuid
|
||||||
|
left join hs_hosting_asset pha on pha.uuid = ha.parentassetuuid
|
||||||
|
where (:projectUuid is null or bi.projectuuid=:projectUuid)
|
||||||
|
and (:parentAssetUuid is null or pha.uuid=:parentAssetUuid)
|
||||||
|
and (:type is null or :type=cast(ha.type as text))
|
||||||
|
""", nativeQuery = true)
|
||||||
|
// The JPQL query did not generate "left join" but just "join".
|
||||||
|
// I also optimized the query by not using the _rv for hs_booking_item and hs_hosting_asset, only for hs_hosting_asset_rv.
|
||||||
|
List<HsHostingAssetRbacEntity> findAllByCriteriaImpl(UUID projectUuid, UUID parentAssetUuid, String type);
|
||||||
|
default List<HsHostingAssetRbacEntity> findAllByCriteria(final UUID projectUuid, final UUID parentAssetUuid, final HsHostingAssetType type) {
|
||||||
|
return findAllByCriteriaImpl(projectUuid, parentAssetUuid, HsHostingAssetType.asString(type));
|
||||||
|
}
|
||||||
|
|
||||||
|
HsHostingAssetRbacEntity save(HsHostingAsset current);
|
||||||
|
|
||||||
|
int deleteByUuid(final UUID uuid);
|
||||||
|
|
||||||
|
long count();
|
||||||
|
}
|
@ -0,0 +1,24 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset;
|
||||||
|
|
||||||
|
import lombok.Getter;
|
||||||
|
import lombok.NoArgsConstructor;
|
||||||
|
import lombok.Setter;
|
||||||
|
import lombok.experimental.SuperBuilder;
|
||||||
|
|
||||||
|
import jakarta.persistence.Entity;
|
||||||
|
import jakarta.persistence.Table;
|
||||||
|
|
||||||
|
@Entity
|
||||||
|
@Table(name = "hs_hosting_asset")
|
||||||
|
@SuperBuilder(builderMethodName = "genericBuilder", toBuilder = true)
|
||||||
|
@Getter
|
||||||
|
@Setter
|
||||||
|
@NoArgsConstructor
|
||||||
|
public class HsHostingAssetRealEntity extends HsHostingAsset {
|
||||||
|
|
||||||
|
// without this wrapper method, the builder returns a generic entity which cannot resolved in a generic context
|
||||||
|
public static HsHostingAssetRealEntityBuilder<HsHostingAssetRealEntity, ?> builder() {
|
||||||
|
//noinspection unchecked
|
||||||
|
return (HsHostingAssetRealEntityBuilder<HsHostingAssetRealEntity, ?>) genericBuilder();
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,46 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset;
|
||||||
|
|
||||||
|
import org.springframework.data.jpa.repository.Query;
|
||||||
|
import org.springframework.data.repository.Repository;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Optional;
|
||||||
|
import java.util.UUID;
|
||||||
|
|
||||||
|
public interface HsHostingAssetRealRepository extends HsHostingAssetRepository<HsHostingAssetRealEntity>, Repository<HsHostingAssetRealEntity, UUID> {
|
||||||
|
|
||||||
|
Optional<HsHostingAssetRealEntity> findByUuid(final UUID serverUuid);
|
||||||
|
|
||||||
|
List<HsHostingAssetRealEntity> findByIdentifier(String assetIdentifier);
|
||||||
|
|
||||||
|
@Query(value = """
|
||||||
|
select ha.uuid,
|
||||||
|
ha.alarmcontactuuid,
|
||||||
|
ha.assignedtoassetuuid,
|
||||||
|
ha.bookingitemuuid,
|
||||||
|
ha.caption,
|
||||||
|
ha.config,
|
||||||
|
ha.identifier,
|
||||||
|
ha.parentassetuuid,
|
||||||
|
ha.type,
|
||||||
|
ha.version
|
||||||
|
from hs_hosting_asset_rv ha
|
||||||
|
left join hs_booking_item bi on bi.uuid = ha.bookingitemuuid
|
||||||
|
left join hs_hosting_asset pha on pha.uuid = ha.parentassetuuid
|
||||||
|
where (:projectUuid is null or bi.projectuuid=:projectUuid)
|
||||||
|
and (:parentAssetUuid is null or pha.uuid=:parentAssetUuid)
|
||||||
|
and (:type is null or :type=cast(ha.type as text))
|
||||||
|
""", nativeQuery = true)
|
||||||
|
// The JPQL query did not generate "left join" but just "join".
|
||||||
|
// I also optimized the query by not using the _rv for hs_booking_item and hs_hosting_asset, only for hs_hosting_asset_rv.
|
||||||
|
List<HsHostingAssetRealEntity> findAllByCriteriaImpl(UUID projectUuid, UUID parentAssetUuid, String type);
|
||||||
|
default List<HsHostingAssetRealEntity> findAllByCriteria(final UUID projectUuid, final UUID parentAssetUuid, final HsHostingAssetType type) {
|
||||||
|
return findAllByCriteriaImpl(projectUuid, parentAssetUuid, HsHostingAssetType.asString(type));
|
||||||
|
}
|
||||||
|
|
||||||
|
HsHostingAssetRealEntity save(HsHostingAssetRealEntity current);
|
||||||
|
|
||||||
|
int deleteByUuid(final UUID uuid);
|
||||||
|
|
||||||
|
long count();
|
||||||
|
}
|
@ -0,0 +1,24 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Optional;
|
||||||
|
import java.util.UUID;
|
||||||
|
|
||||||
|
public interface HsHostingAssetRepository<E extends HsHostingAsset> {
|
||||||
|
|
||||||
|
Optional<E> findByUuid(final UUID serverUuid);
|
||||||
|
|
||||||
|
List<E> findByIdentifier(String assetIdentifier);
|
||||||
|
|
||||||
|
List<E> findAllByCriteriaImpl(UUID projectUuid, UUID parentAssetUuid, String type);
|
||||||
|
|
||||||
|
default List<E> findAllByCriteria(final UUID projectUuid, final UUID parentAssetUuid, final HsHostingAssetType type) {
|
||||||
|
return findAllByCriteriaImpl(projectUuid, parentAssetUuid, HsHostingAssetType.asString(type));
|
||||||
|
}
|
||||||
|
|
||||||
|
E save(HsHostingAsset current);
|
||||||
|
|
||||||
|
int deleteByUuid(final UUID uuid);
|
||||||
|
|
||||||
|
long count();
|
||||||
|
}
|
@ -0,0 +1,444 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset;
|
||||||
|
|
||||||
|
import lombok.AllArgsConstructor;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.item.HsBookingItem;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.item.HsBookingItemType;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.item.Node;
|
||||||
|
|
||||||
|
import javax.naming.NamingException;
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.nio.file.Files;
|
||||||
|
import java.nio.file.Path;
|
||||||
|
import java.nio.file.StandardOpenOption;
|
||||||
|
import java.util.ArrayList;
|
||||||
|
import java.util.Collection;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Set;
|
||||||
|
import java.util.function.Function;
|
||||||
|
|
||||||
|
import static java.util.Arrays.stream;
|
||||||
|
import static java.util.stream.Collectors.joining;
|
||||||
|
import static java.util.stream.Collectors.toSet;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.EntityTypeRelation.assignedTo;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.EntityTypeRelation.optionalParent;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.EntityTypeRelation.optionallyAssignedTo;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.EntityTypeRelation.requiredParent;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.EntityTypeRelation.requires;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.EntityTypeRelation.terminatory;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.RelationPolicy.OPTIONAL;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.RelationPolicy.REQUIRED;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.RelationPolicy.TERMINATORY;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.RelationType.ASSIGNED_TO_ASSET;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.RelationType.BOOKING_ITEM;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.RelationType.PARENT_ASSET;
|
||||||
|
|
||||||
|
public enum HsHostingAssetType implements Node {
|
||||||
|
SAME_TYPE, // pseudo-type for recursive references
|
||||||
|
|
||||||
|
CLOUD_SERVER( // named e.g. vm1234
|
||||||
|
inGroup("Server"),
|
||||||
|
requires(HsBookingItemType.CLOUD_SERVER)),
|
||||||
|
|
||||||
|
MANAGED_SERVER( // named e.g. vm1234
|
||||||
|
inGroup("Server"),
|
||||||
|
requires(HsBookingItemType.MANAGED_SERVER)),
|
||||||
|
|
||||||
|
MANAGED_WEBSPACE( // named eg. xyz00
|
||||||
|
inGroup("Webspace"),
|
||||||
|
requires(HsBookingItemType.MANAGED_WEBSPACE),
|
||||||
|
optionalParent(MANAGED_SERVER)),
|
||||||
|
|
||||||
|
UNIX_USER( // named e.g. xyz00-abc
|
||||||
|
inGroup("Webspace"),
|
||||||
|
requiredParent(MANAGED_WEBSPACE)),
|
||||||
|
|
||||||
|
// TODO.spec: do we really want to keep email aliases or migrate to unix users with .forward?
|
||||||
|
EMAIL_ALIAS( // named e.g. xyz00-abc
|
||||||
|
inGroup("Webspace"),
|
||||||
|
requiredParent(MANAGED_WEBSPACE)),
|
||||||
|
|
||||||
|
DOMAIN_SETUP( // named e.g. example.org
|
||||||
|
inGroup("Domain"),
|
||||||
|
terminatory(HsBookingItemType.DOMAIN_SETUP),
|
||||||
|
optionalParent(SAME_TYPE)
|
||||||
|
),
|
||||||
|
|
||||||
|
DOMAIN_DNS_SETUP( // named e.g. example.org
|
||||||
|
inGroup("Domain"),
|
||||||
|
requiredParent(DOMAIN_SETUP),
|
||||||
|
assignedTo(MANAGED_WEBSPACE)),
|
||||||
|
|
||||||
|
DOMAIN_HTTP_SETUP( // named e.g. example.org
|
||||||
|
inGroup("Domain"),
|
||||||
|
requiredParent(DOMAIN_SETUP),
|
||||||
|
assignedTo(UNIX_USER)),
|
||||||
|
|
||||||
|
DOMAIN_SMTP_SETUP( // named e.g. example.org
|
||||||
|
inGroup("Domain"),
|
||||||
|
requiredParent(DOMAIN_SETUP),
|
||||||
|
assignedTo(MANAGED_WEBSPACE)),
|
||||||
|
|
||||||
|
DOMAIN_MBOX_SETUP( // named e.g. example.org
|
||||||
|
inGroup("Domain"),
|
||||||
|
requiredParent(DOMAIN_SETUP),
|
||||||
|
assignedTo(MANAGED_WEBSPACE)),
|
||||||
|
|
||||||
|
// TODO.spec: SECURE_MX
|
||||||
|
|
||||||
|
EMAIL_ADDRESS( // named e.g. sample@example.org
|
||||||
|
inGroup("Domain"),
|
||||||
|
requiredParent(DOMAIN_MBOX_SETUP)),
|
||||||
|
|
||||||
|
PGSQL_INSTANCE( // TODO.spec: identifier to be specified
|
||||||
|
inGroup("PostgreSQL"),
|
||||||
|
requiredParent(MANAGED_SERVER)), // TODO.spec: or MANAGED_WEBSPACE?
|
||||||
|
|
||||||
|
PGSQL_USER( // named e.g. xyz00_abc
|
||||||
|
inGroup("PostgreSQL"),
|
||||||
|
requiredParent(MANAGED_WEBSPACE), // thus, the MANAGED_WEBSPACE:Agent becomes RBAC owner
|
||||||
|
assignedTo(PGSQL_INSTANCE)), // keep in mind: no RBAC grants implied
|
||||||
|
|
||||||
|
PGSQL_DATABASE( // named e.g. xyz00_abc
|
||||||
|
inGroup("PostgreSQL"),
|
||||||
|
requiredParent(PGSQL_USER)), // thus, the PGSQL_USER_USER:Agent becomes RBAC owner
|
||||||
|
|
||||||
|
MARIADB_INSTANCE( // TODO.spec: identifier to be specified
|
||||||
|
inGroup("MariaDB"),
|
||||||
|
requiredParent(MANAGED_SERVER)), // TODO.spec: or MANAGED_WEBSPACE?
|
||||||
|
|
||||||
|
MARIADB_USER( // named e.g. xyz00_abc
|
||||||
|
inGroup("MariaDB"),
|
||||||
|
requiredParent(MANAGED_WEBSPACE), // thus, the MANAGED_WEBSPACE:Agent becomes RBAC owner
|
||||||
|
assignedTo(MARIADB_INSTANCE)),
|
||||||
|
|
||||||
|
MARIADB_DATABASE( // named e.g. xyz00_abc
|
||||||
|
inGroup("MariaDB"),
|
||||||
|
requiredParent(MARIADB_USER)), // thus, the MARIADB_USER:Agent becomes RBAC owner
|
||||||
|
|
||||||
|
IPV4_NUMBER(
|
||||||
|
inGroup("Server"),
|
||||||
|
optionallyAssignedTo(CLOUD_SERVER).or(MANAGED_SERVER).or(MANAGED_WEBSPACE)
|
||||||
|
),
|
||||||
|
|
||||||
|
IPV6_NUMBER(
|
||||||
|
inGroup("Server"),
|
||||||
|
optionallyAssignedTo(CLOUD_SERVER).or(MANAGED_SERVER).or(MANAGED_WEBSPACE)
|
||||||
|
);
|
||||||
|
|
||||||
|
private final String groupName;
|
||||||
|
private final EntityTypeRelation<?, ?>[] relations;
|
||||||
|
|
||||||
|
HsHostingAssetType(
|
||||||
|
final String groupName,
|
||||||
|
final EntityTypeRelation<?, ?>... relations
|
||||||
|
) {
|
||||||
|
this.groupName = groupName;
|
||||||
|
this.relations = relations;
|
||||||
|
}
|
||||||
|
|
||||||
|
HsHostingAssetType() {
|
||||||
|
this.groupName = null;
|
||||||
|
this.relations = null;
|
||||||
|
}
|
||||||
|
|
||||||
|
/// just syntactic sugar
|
||||||
|
private static String inGroup(final String groupName) {
|
||||||
|
return groupName;
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO.refa: try to get rid of the following similar methods:
|
||||||
|
|
||||||
|
public RelationPolicy bookingItemPolicy() {
|
||||||
|
return stream(relations)
|
||||||
|
.filter(r -> r.relationType == BOOKING_ITEM)
|
||||||
|
.map(r -> r.relationPolicy)
|
||||||
|
.reduce(HsHostingAssetType::onlyASingleElementExpectedException)
|
||||||
|
.orElse(RelationPolicy.FORBIDDEN);
|
||||||
|
}
|
||||||
|
|
||||||
|
public Set<HsBookingItemType> bookingItemTypes() {
|
||||||
|
return stream(relations)
|
||||||
|
.filter(r -> r.relationType == BOOKING_ITEM)
|
||||||
|
.reduce(HsHostingAssetType::onlyASingleElementExpectedException)
|
||||||
|
.map(r -> r.relatedTypes(this))
|
||||||
|
.stream().flatMap(Set::stream)
|
||||||
|
.map(r -> (HsBookingItemType) r)
|
||||||
|
.collect(toSet());
|
||||||
|
}
|
||||||
|
|
||||||
|
public RelationPolicy parentAssetPolicy() {
|
||||||
|
return stream(relations)
|
||||||
|
.filter(r -> r.relationType == PARENT_ASSET)
|
||||||
|
.reduce(HsHostingAssetType::onlyASingleElementExpectedException)
|
||||||
|
.map(r -> r.relationPolicy)
|
||||||
|
.orElse(RelationPolicy.FORBIDDEN);
|
||||||
|
}
|
||||||
|
|
||||||
|
public Set<HsHostingAssetType> parentAssetTypes() {
|
||||||
|
return stream(relations)
|
||||||
|
.filter(r -> r.relationType == PARENT_ASSET)
|
||||||
|
.reduce(HsHostingAssetType::onlyASingleElementExpectedException)
|
||||||
|
.map(r -> r.relatedTypes(this))
|
||||||
|
.stream().flatMap(Set::stream)
|
||||||
|
.map(r -> (HsHostingAssetType) r)
|
||||||
|
.collect(toSet());
|
||||||
|
}
|
||||||
|
|
||||||
|
public RelationPolicy assignedToAssetPolicy() {
|
||||||
|
return stream(relations)
|
||||||
|
.filter(r -> r.relationType == ASSIGNED_TO_ASSET)
|
||||||
|
.reduce(HsHostingAssetType::onlyASingleElementExpectedException)
|
||||||
|
.map(r -> r.relationPolicy)
|
||||||
|
.orElse(RelationPolicy.FORBIDDEN);
|
||||||
|
}
|
||||||
|
|
||||||
|
public Set<HsHostingAssetType> assignedToAssetTypes() {
|
||||||
|
return stream(relations)
|
||||||
|
.filter(r -> r.relationType == ASSIGNED_TO_ASSET)
|
||||||
|
.reduce(HsHostingAssetType::onlyASingleElementExpectedException)
|
||||||
|
.map(r -> r.relatedTypes(this))
|
||||||
|
.stream().flatMap(Set::stream)
|
||||||
|
.map(r -> (HsHostingAssetType) r)
|
||||||
|
.collect(toSet());
|
||||||
|
}
|
||||||
|
|
||||||
|
private static <X> X onlyASingleElementExpectedException(Object a, Object b) {
|
||||||
|
throw new IllegalStateException("Only a single element expected to match criteria.");
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public List<String> edges(final Set<String> inGroups) {
|
||||||
|
return stream(relations)
|
||||||
|
.map(r -> r.relatedTypes(this).stream()
|
||||||
|
.filter(x -> x.belongsToAny(inGroups))
|
||||||
|
.map(x -> nodeName() + r.edge + x.nodeName())
|
||||||
|
.toList())
|
||||||
|
.flatMap(List::stream)
|
||||||
|
.sorted()
|
||||||
|
.toList();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean belongsToAny(final Set<String> groups) {
|
||||||
|
return groups.contains(this.groupName);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String nodeName() {
|
||||||
|
return "HA_" + name();
|
||||||
|
}
|
||||||
|
|
||||||
|
public static <T extends Enum<?>> HsHostingAssetType of(final T value) {
|
||||||
|
return value == null ? null : valueOf(value.name());
|
||||||
|
}
|
||||||
|
|
||||||
|
static String asString(final HsHostingAssetType type) {
|
||||||
|
return type == null ? null : type.name();
|
||||||
|
}
|
||||||
|
|
||||||
|
private static String renderAsPlantUML(final String caption, final Set<String> includedHostingGroups) {
|
||||||
|
final String bookingNodes = stream(HsBookingItemType.values())
|
||||||
|
.map(t -> " entity " + t.nodeName())
|
||||||
|
.collect(joining("\n"));
|
||||||
|
final String hostingGroups = includedHostingGroups.stream().sorted()
|
||||||
|
.map(HsHostingAssetType::generateGroup)
|
||||||
|
.collect(joining("\n"));
|
||||||
|
final String hostingAssetNodes = stream(HsHostingAssetType.values())
|
||||||
|
.filter(t -> t.isInGroups(includedHostingGroups))
|
||||||
|
.map(t -> "entity " + t.nodeName())
|
||||||
|
.collect(joining("\n"));
|
||||||
|
final String bookingItemEdges = stream(HsBookingItemType.values())
|
||||||
|
.map(t -> t.edges(includedHostingGroups))
|
||||||
|
.flatMap(Collection::stream)
|
||||||
|
.collect(joining("\n"));
|
||||||
|
final String hostingAssetEdges = stream(HsHostingAssetType.values())
|
||||||
|
.filter(t -> t.isInGroups(includedHostingGroups))
|
||||||
|
.map(t -> t.edges(includedHostingGroups))
|
||||||
|
.flatMap(Collection::stream)
|
||||||
|
.collect(joining("\n"));
|
||||||
|
return """
|
||||||
|
|
||||||
|
### %{caption}
|
||||||
|
|
||||||
|
```plantuml
|
||||||
|
@startuml
|
||||||
|
left to right direction
|
||||||
|
|
||||||
|
package Booking #feb28c {
|
||||||
|
%{bookingNodes}
|
||||||
|
}
|
||||||
|
|
||||||
|
package Hosting #feb28c{
|
||||||
|
%{hostingGroups}
|
||||||
|
}
|
||||||
|
|
||||||
|
%{bookingItemEdges}
|
||||||
|
|
||||||
|
%{hostingAssetEdges}
|
||||||
|
|
||||||
|
package Legend #white {
|
||||||
|
SUB_ENTITY1 *--> REQUIRED_PARENT_ENTITY
|
||||||
|
SUB_ENTITY2 *..> OPTIONAL_PARENT_ENTITY
|
||||||
|
ASSIGNED_ENTITY1 o--> REQUIRED_ASSIGNED_TO_ENTITY1
|
||||||
|
ASSIGNED_ENTITY2 o..> OPTIONAL_ASSIGNED_TO_ENTITY2
|
||||||
|
}
|
||||||
|
Booking -down[hidden]->Legend
|
||||||
|
```
|
||||||
|
"""
|
||||||
|
.replace("%{caption}", caption)
|
||||||
|
.replace("%{bookingNodes}", bookingNodes)
|
||||||
|
.replace("%{hostingGroups}", hostingGroups)
|
||||||
|
.replace("%{hostingAssetNodeStyles}", hostingAssetNodes)
|
||||||
|
.replace("%{bookingItemEdges}", bookingItemEdges)
|
||||||
|
.replace("%{hostingAssetEdges}", hostingAssetEdges);
|
||||||
|
}
|
||||||
|
|
||||||
|
private boolean isInGroups(final Set<String> assetGroups) {
|
||||||
|
return groupName != null && assetGroups.contains(groupName);
|
||||||
|
}
|
||||||
|
|
||||||
|
private static String generateGroup(final String group) {
|
||||||
|
return " package " + group + " #99bcdb {\n"
|
||||||
|
+ stream(HsHostingAssetType.values())
|
||||||
|
.filter(t -> group.equals(t.groupName))
|
||||||
|
.map(t -> " entity " + t.nodeName())
|
||||||
|
.collect(joining("\n"))
|
||||||
|
+ "\n }\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
static String renderAsEmbeddedPlantUml() {
|
||||||
|
|
||||||
|
final var markdown = new StringBuilder("""
|
||||||
|
## HostingAsset Type Structure
|
||||||
|
|
||||||
|
""");
|
||||||
|
|
||||||
|
// rendering all types in a single diagram is currently ignored
|
||||||
|
renderAsPlantUML("Domain", stream(HsHostingAssetType.values())
|
||||||
|
.filter(t -> t.groupName != null)
|
||||||
|
.map(t -> t.groupName)
|
||||||
|
.collect(toSet()));
|
||||||
|
|
||||||
|
markdown
|
||||||
|
.append(renderAsPlantUML("Server+Webspace", Set.of("Server", "Webspace")))
|
||||||
|
.append(renderAsPlantUML("Domain", Set.of("Domain", "Webspace")))
|
||||||
|
.append(renderAsPlantUML("MariaDB", Set.of("MariaDB", "Webspace")))
|
||||||
|
.append(renderAsPlantUML("PostgreSQL", Set.of("PostgreSQL", "Webspace")));
|
||||||
|
|
||||||
|
markdown.append("""
|
||||||
|
|
||||||
|
This code generated was by %{this}.main, do not amend manually.
|
||||||
|
"""
|
||||||
|
.replace("%{this}", HsHostingAssetType.class.getSimpleName()));
|
||||||
|
|
||||||
|
return markdown.toString();
|
||||||
|
}
|
||||||
|
|
||||||
|
public static void main(final String[] args) throws IOException, NamingException {
|
||||||
|
Files.writeString(
|
||||||
|
Path.of("doc/hs-hosting-asset-type-structure.md"),
|
||||||
|
renderAsEmbeddedPlantUml(),
|
||||||
|
StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING);
|
||||||
|
}
|
||||||
|
|
||||||
|
public enum RelationPolicy {
|
||||||
|
FORBIDDEN, OPTIONAL, TERMINATORY, REQUIRED
|
||||||
|
}
|
||||||
|
|
||||||
|
public enum RelationType {
|
||||||
|
BOOKING_ITEM,
|
||||||
|
PARENT_ASSET,
|
||||||
|
ASSIGNED_TO_ASSET
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@AllArgsConstructor
|
||||||
|
class EntityTypeRelation<E, T extends Node> {
|
||||||
|
|
||||||
|
final HsHostingAssetType.RelationPolicy relationPolicy;
|
||||||
|
final HsHostingAssetType.RelationType relationType;
|
||||||
|
final Function<HsHostingAssetRbacEntity, E> getter;
|
||||||
|
private final List<T> acceptedRelatedTypes;
|
||||||
|
final String edge;
|
||||||
|
|
||||||
|
private EntityTypeRelation(
|
||||||
|
final HsHostingAssetType.RelationPolicy relationPolicy,
|
||||||
|
final HsHostingAssetType.RelationType relationType,
|
||||||
|
final Function<HsHostingAssetRbacEntity, E> getter,
|
||||||
|
final T acceptedRelatedType,
|
||||||
|
final String edge
|
||||||
|
) {
|
||||||
|
this(relationPolicy, relationType, getter, modifiyableListOf(acceptedRelatedType), edge);
|
||||||
|
}
|
||||||
|
|
||||||
|
public <R extends Node> Set<R> relatedTypes(final HsHostingAssetType referringType) {
|
||||||
|
final Set<Node> result = acceptedRelatedTypes.stream()
|
||||||
|
.map(t -> t == HsHostingAssetType.SAME_TYPE ? referringType : t)
|
||||||
|
.collect(toSet());
|
||||||
|
//noinspection unchecked
|
||||||
|
return (Set<R>) result;
|
||||||
|
}
|
||||||
|
|
||||||
|
static EntityTypeRelation<HsBookingItem, HsBookingItemType> terminatory(final HsBookingItemType bookingItemType) {
|
||||||
|
return new EntityTypeRelation<>(
|
||||||
|
TERMINATORY,
|
||||||
|
BOOKING_ITEM,
|
||||||
|
HsHostingAssetRbacEntity::getBookingItem,
|
||||||
|
bookingItemType,
|
||||||
|
" *..> ");
|
||||||
|
}
|
||||||
|
|
||||||
|
static EntityTypeRelation<HsBookingItem, HsBookingItemType> requires(final HsBookingItemType bookingItemType) {
|
||||||
|
return new EntityTypeRelation<>(
|
||||||
|
REQUIRED,
|
||||||
|
BOOKING_ITEM,
|
||||||
|
HsHostingAssetRbacEntity::getBookingItem,
|
||||||
|
bookingItemType,
|
||||||
|
" *==> ");
|
||||||
|
}
|
||||||
|
|
||||||
|
static EntityTypeRelation<HsHostingAsset, HsHostingAssetType> optionalParent(final HsHostingAssetType hostingAssetType) {
|
||||||
|
return new EntityTypeRelation<>(
|
||||||
|
OPTIONAL,
|
||||||
|
PARENT_ASSET,
|
||||||
|
HsHostingAsset::getParentAsset,
|
||||||
|
hostingAssetType,
|
||||||
|
" o..> ");
|
||||||
|
}
|
||||||
|
|
||||||
|
static EntityTypeRelation<HsHostingAsset, HsHostingAssetType> requiredParent(final HsHostingAssetType hostingAssetType) {
|
||||||
|
return new EntityTypeRelation<>(
|
||||||
|
REQUIRED,
|
||||||
|
PARENT_ASSET,
|
||||||
|
HsHostingAsset::getParentAsset,
|
||||||
|
hostingAssetType,
|
||||||
|
" *==> ");
|
||||||
|
}
|
||||||
|
|
||||||
|
static EntityTypeRelation<HsHostingAsset, HsHostingAssetType> assignedTo(final HsHostingAssetType hostingAssetType) {
|
||||||
|
return new EntityTypeRelation<>(
|
||||||
|
REQUIRED,
|
||||||
|
ASSIGNED_TO_ASSET,
|
||||||
|
HsHostingAsset::getAssignedToAsset,
|
||||||
|
hostingAssetType,
|
||||||
|
" o--> ");
|
||||||
|
}
|
||||||
|
|
||||||
|
EntityTypeRelation<E, T> or(final T alternativeHostingAssetType) {
|
||||||
|
acceptedRelatedTypes.add(alternativeHostingAssetType);
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
|
static EntityTypeRelation<HsHostingAsset, HsHostingAssetType> optionallyAssignedTo(final HsHostingAssetType hostingAssetType) {
|
||||||
|
return new EntityTypeRelation<>(
|
||||||
|
OPTIONAL,
|
||||||
|
ASSIGNED_TO_ASSET,
|
||||||
|
HsHostingAsset::getAssignedToAsset,
|
||||||
|
hostingAssetType,
|
||||||
|
" o..> ");
|
||||||
|
}
|
||||||
|
|
||||||
|
private static <T extends Node> ArrayList<T> modifiyableListOf(final T acceptedRelatedType) {
|
||||||
|
return new ArrayList<>(List.of(acceptedRelatedType));
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,134 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.mapper.Array;
|
||||||
|
import org.apache.commons.collections4.EnumerationUtils;
|
||||||
|
|
||||||
|
import javax.naming.InvalidNameException;
|
||||||
|
import javax.naming.NameNotFoundException;
|
||||||
|
import javax.naming.NamingEnumeration;
|
||||||
|
import javax.naming.NamingException;
|
||||||
|
import javax.naming.ServiceUnavailableException;
|
||||||
|
import javax.naming.directory.Attribute;
|
||||||
|
import javax.naming.directory.InitialDirContext;
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.Hashtable;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Map;
|
||||||
|
import java.util.Optional;
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
import static java.util.Arrays.stream;
|
||||||
|
import static java.util.Collections.emptyList;
|
||||||
|
|
||||||
|
public class Dns {
|
||||||
|
|
||||||
|
public static final String[] REGISTRAR_LEVEL_DOMAINS = Array.of(
|
||||||
|
"[^.]+", // top-level-domains
|
||||||
|
"(co|org|gov|ac|sch)\\.uk",
|
||||||
|
"(com|net|org|edu|gov|asn|id)\\.au",
|
||||||
|
"(co|ne|or|ac|go)\\.jp",
|
||||||
|
"(com|net|org|gov|edu|ac)\\.cn",
|
||||||
|
"(com|net|org|gov|edu|mil|art)\\.br",
|
||||||
|
"(co|net|org|gen|firm|ind)\\.in",
|
||||||
|
"(com|net|org|gob|edu)\\.mx",
|
||||||
|
"(gov|edu)\\.it",
|
||||||
|
"(co|net|org|govt|ac|school|geek|kiwi)\\.nz",
|
||||||
|
"(co|ne|or|go|re|pe)\\.kr"
|
||||||
|
);
|
||||||
|
public static final Pattern[] REGISTRAR_LEVEL_DOMAIN_PATTERN = stream(REGISTRAR_LEVEL_DOMAINS)
|
||||||
|
.map(Pattern::compile)
|
||||||
|
.toArray(Pattern[]::new);
|
||||||
|
|
||||||
|
private final static Map<String, Result> fakeResults = new HashMap<>();
|
||||||
|
|
||||||
|
public static Optional<String> superDomain(final String domainName) {
|
||||||
|
final var parts = domainName.split("\\.", 2);
|
||||||
|
if (parts.length == 2) {
|
||||||
|
return Optional.of(parts[1]);
|
||||||
|
}
|
||||||
|
return Optional.empty();
|
||||||
|
}
|
||||||
|
|
||||||
|
public static boolean isRegistrarLevelDomain(final String domainName) {
|
||||||
|
return stream(REGISTRAR_LEVEL_DOMAIN_PATTERN)
|
||||||
|
.anyMatch(p -> p.matcher(domainName).matches());
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param domainName a fully qualified domain name
|
||||||
|
* @return true if `domainName` can be registered at a registrar, false if it's a subdomain of such or a registrar-level domain itself
|
||||||
|
*/
|
||||||
|
public static boolean isRegistrableDomain(final String domainName) {
|
||||||
|
return !isRegistrarLevelDomain(domainName) &&
|
||||||
|
superDomain(domainName).map(Dns::isRegistrarLevelDomain).orElse(false);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static void fakeResultForDomain(final String domainName, final Result fakeResult) {
|
||||||
|
fakeResults.put(domainName, fakeResult);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static void resetFakeResults() {
|
||||||
|
fakeResults.clear();
|
||||||
|
}
|
||||||
|
|
||||||
|
public enum Status {
|
||||||
|
SUCCESS,
|
||||||
|
NAME_NOT_FOUND,
|
||||||
|
INVALID_NAME,
|
||||||
|
SERVICE_UNAVAILABLE,
|
||||||
|
UNKNOWN_FAILURE
|
||||||
|
}
|
||||||
|
|
||||||
|
public record Result(Status status, List<String> records, NamingException exception) {
|
||||||
|
|
||||||
|
|
||||||
|
public static Result fromRecords(final NamingEnumeration<?> recordEnumeration) {
|
||||||
|
final List<String> records = recordEnumeration == null
|
||||||
|
? emptyList()
|
||||||
|
: EnumerationUtils.toList(recordEnumeration).stream().map(Object::toString).toList();
|
||||||
|
return new Result(Status.SUCCESS, records, null);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static Result fromRecords(final String... records) {
|
||||||
|
return new Result(Status.SUCCESS, stream(records).toList(), null);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static Result fromException(final NamingException exception) {
|
||||||
|
return switch (exception) {
|
||||||
|
case ServiceUnavailableException exc -> new Result(Status.SERVICE_UNAVAILABLE, emptyList(), exc);
|
||||||
|
case NameNotFoundException exc -> new Result(Status.NAME_NOT_FOUND, emptyList(), exc);
|
||||||
|
case InvalidNameException exc -> new Result(Status.INVALID_NAME, emptyList(), exc);
|
||||||
|
case NamingException exc -> new Result(Status.UNKNOWN_FAILURE, emptyList(), exc);
|
||||||
|
};
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private final String domainName;
|
||||||
|
|
||||||
|
public Dns(final String domainName) {
|
||||||
|
this.domainName = domainName;
|
||||||
|
}
|
||||||
|
|
||||||
|
public Result fetchRecordsOfType(final String recordType) {
|
||||||
|
if (fakeResults.containsKey(domainName)) {
|
||||||
|
return fakeResults.get(domainName);
|
||||||
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
final var env = new Hashtable<>();
|
||||||
|
env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
|
||||||
|
final Attribute records = new InitialDirContext(env)
|
||||||
|
.getAttributes(domainName, new String[] { recordType })
|
||||||
|
.get(recordType);
|
||||||
|
return Result.fromRecords(records != null ? records.getAll() : null);
|
||||||
|
} catch (final NamingException exception) {
|
||||||
|
return Result.fromException(exception);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public static void main(String[] args) {
|
||||||
|
final var result = new Dns("example.org").fetchRecordsOfType("TXT");
|
||||||
|
System.out.println(result);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,131 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.errors.MultiValidationException;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAsset;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.generated.api.v1.model.HsHostingAssetResource;
|
||||||
|
import net.hostsharing.hsadminng.hs.validation.HsEntityValidator;
|
||||||
|
|
||||||
|
import jakarta.persistence.EntityManager;
|
||||||
|
import java.util.Arrays;
|
||||||
|
import java.util.Map;
|
||||||
|
import java.util.function.Function;
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Wraps the steps of the pararation, validation, mapping and revamp around saving of a HsHostingAsset into a readable API.
|
||||||
|
*/
|
||||||
|
public class HostingAssetEntitySaveProcessor {
|
||||||
|
|
||||||
|
private final HsEntityValidator<HsHostingAsset> validator;
|
||||||
|
private String expectedStep = "preprocessEntity";
|
||||||
|
private final EntityManager em;
|
||||||
|
private HsHostingAsset entity;
|
||||||
|
private HsHostingAssetResource resource;
|
||||||
|
|
||||||
|
public HostingAssetEntitySaveProcessor(final EntityManager em, final HsHostingAsset entity) {
|
||||||
|
this.em = em;
|
||||||
|
this.entity = entity;
|
||||||
|
this.validator = HostingAssetEntityValidatorRegistry.forType(entity.getType());
|
||||||
|
}
|
||||||
|
|
||||||
|
/// initial step allowing to set default values before any validations
|
||||||
|
public HostingAssetEntitySaveProcessor preprocessEntity() {
|
||||||
|
step("preprocessEntity", "validateEntity");
|
||||||
|
validator.preprocessEntity(entity);
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/// validates the entity itself including its properties
|
||||||
|
public HostingAssetEntitySaveProcessor validateEntity() {
|
||||||
|
step("validateEntity", "prepareForSave");
|
||||||
|
MultiValidationException.throwIfNotEmpty(validator.validateEntity(entity));
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO.impl: remove once the migration of legacy data is done
|
||||||
|
/// validates the entity itself including its properties, but ignoring some error messages for import of legacy data
|
||||||
|
public HostingAssetEntitySaveProcessor validateEntityIgnoring(final String... ignoreRegExp) {
|
||||||
|
step("validateEntity", "prepareForSave");
|
||||||
|
final var ignoreRegExpPatterns = Arrays.stream(ignoreRegExp).map(Pattern::compile).toList();
|
||||||
|
MultiValidationException.throwIfNotEmpty(
|
||||||
|
validator.validateEntity(entity).stream()
|
||||||
|
.filter(error -> ignoreRegExpPatterns.stream().noneMatch(p -> p.matcher(error).matches() ))
|
||||||
|
.toList()
|
||||||
|
);
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/// hashing passwords etc.
|
||||||
|
@SuppressWarnings("unchecked")
|
||||||
|
public HostingAssetEntitySaveProcessor prepareForSave() {
|
||||||
|
step("prepareForSave", "save");
|
||||||
|
validator.prepareProperties(em, entity);
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Saves the entity using the given `saveFunction`.
|
||||||
|
*
|
||||||
|
* <p>`validator.postPersist(em, entity)` is NOT called.
|
||||||
|
* If any postprocessing is necessary, the saveFunction has to implement this.</p>
|
||||||
|
* @param saveFunction
|
||||||
|
* @return
|
||||||
|
*/
|
||||||
|
public HostingAssetEntitySaveProcessor saveUsing(final Function<HsHostingAsset, HsHostingAsset> saveFunction) {
|
||||||
|
step("save", "validateContext");
|
||||||
|
entity = saveFunction.apply(entity);
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Saves the using the `EntityManager`, but does NOT ever merge the entity.
|
||||||
|
*
|
||||||
|
* <p>`validator.postPersist(em, entity)` is called afterwards with the entity guaranteed to be flushed to the database.</p>
|
||||||
|
* @return
|
||||||
|
*/
|
||||||
|
public HostingAssetEntitySaveProcessor save() {
|
||||||
|
return saveUsing(e -> {
|
||||||
|
if (!em.contains(entity)) {
|
||||||
|
em.persist(entity);
|
||||||
|
}
|
||||||
|
em.flush(); // makes RbacEntity available as RealEntity if needed
|
||||||
|
validator.postPersist(em, entity);
|
||||||
|
return entity;
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
/// validates the entity within it's parent and child hierarchy (e.g. totals validators and other limits)
|
||||||
|
public HostingAssetEntitySaveProcessor validateContext() {
|
||||||
|
step("validateContext", "mapUsing");
|
||||||
|
return HsEntityValidator.doWithEntityManager(em, () -> {
|
||||||
|
MultiValidationException.throwIfNotEmpty(validator.validateContext(entity));
|
||||||
|
return this;
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
/// maps entity to JSON resource representation
|
||||||
|
public HostingAssetEntitySaveProcessor mapUsing(
|
||||||
|
final Function<HsHostingAsset, HsHostingAssetResource> mapFunction) {
|
||||||
|
step("mapUsing", "revampProperties");
|
||||||
|
resource = mapFunction.apply(entity);
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/// removes write-only-properties and ads computed-properties
|
||||||
|
@SuppressWarnings("unchecked")
|
||||||
|
public HsHostingAssetResource revampProperties() {
|
||||||
|
step("revampProperties", null);
|
||||||
|
final var revampedProps = validator.revampProperties(em, entity, (Map<String, Object>) resource.getConfig());
|
||||||
|
resource.setConfig(revampedProps);
|
||||||
|
return resource;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Makes sure that the steps are called in the correct order.
|
||||||
|
// Could also be implemented using an interface per method, but that seems exaggerated.
|
||||||
|
private void step(final String current, final String next) {
|
||||||
|
if (!expectedStep.equals(current)) {
|
||||||
|
throw new IllegalStateException("expected " + expectedStep + " but got " + current);
|
||||||
|
}
|
||||||
|
expectedStep = next;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,238 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.item.HsBookingItem;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.item.HsBookingItemType;
|
||||||
|
import net.hostsharing.hsadminng.hs.booking.item.validators.HsBookingItemEntityValidatorRegistry;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAsset;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType;
|
||||||
|
import net.hostsharing.hsadminng.hs.office.contact.HsOfficeContactRealEntity;
|
||||||
|
import net.hostsharing.hsadminng.hs.validation.HsEntityValidator;
|
||||||
|
import net.hostsharing.hsadminng.hs.validation.ValidatableProperty;
|
||||||
|
|
||||||
|
import java.util.Collections;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Objects;
|
||||||
|
import java.util.Set;
|
||||||
|
import java.util.function.BiFunction;
|
||||||
|
import java.util.function.Function;
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
import java.util.stream.Collectors;
|
||||||
|
import java.util.stream.Stream;
|
||||||
|
|
||||||
|
import static java.util.Arrays.stream;
|
||||||
|
import static java.util.Collections.emptyList;
|
||||||
|
import static java.util.Optional.ofNullable;
|
||||||
|
|
||||||
|
public abstract class HostingAssetEntityValidator extends HsEntityValidator<HsHostingAsset> {
|
||||||
|
|
||||||
|
static final ValidatableProperty<?, ?>[] NO_EXTRA_PROPERTIES = new ValidatableProperty<?, ?>[0];
|
||||||
|
|
||||||
|
private final ReferenceValidator<HsBookingItem, HsBookingItemType> bookingItemReferenceValidation;
|
||||||
|
private final ReferenceValidator<HsHostingAsset, HsHostingAssetType> parentAssetReferenceValidation;
|
||||||
|
private final ReferenceValidator<HsHostingAsset, HsHostingAssetType> assignedToAssetReferenceValidation;
|
||||||
|
private final HostingAssetEntityValidator.AlarmContact alarmContactValidation;
|
||||||
|
|
||||||
|
HostingAssetEntityValidator(
|
||||||
|
final HsHostingAssetType assetType,
|
||||||
|
final AlarmContact alarmContactValidation, // hostmaster alert address is implicitly added where needed
|
||||||
|
final ValidatableProperty<?, ?>... properties) {
|
||||||
|
super(properties);
|
||||||
|
this.bookingItemReferenceValidation = new ReferenceValidator<>(
|
||||||
|
assetType.bookingItemPolicy(),
|
||||||
|
assetType.bookingItemTypes(),
|
||||||
|
HsHostingAsset::getBookingItem,
|
||||||
|
HsBookingItem::getType);
|
||||||
|
this.parentAssetReferenceValidation = new ReferenceValidator<>(
|
||||||
|
assetType.parentAssetPolicy(),
|
||||||
|
assetType.parentAssetTypes(),
|
||||||
|
HsHostingAsset::getParentAsset,
|
||||||
|
HsHostingAsset::getType);
|
||||||
|
this.assignedToAssetReferenceValidation = new ReferenceValidator<>(
|
||||||
|
assetType.assignedToAssetPolicy(),
|
||||||
|
assetType.assignedToAssetTypes(),
|
||||||
|
HsHostingAsset::getAssignedToAsset,
|
||||||
|
HsHostingAsset::getType);
|
||||||
|
this.alarmContactValidation = alarmContactValidation;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public List<String> validateEntity(final HsHostingAsset assetEntity) {
|
||||||
|
return sequentiallyValidate(
|
||||||
|
() -> validateEntityReferencesAndProperties(assetEntity),
|
||||||
|
() -> validateIdentifierPattern(assetEntity)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public List<String> validateContext(final HsHostingAsset assetEntity) {
|
||||||
|
return sequentiallyValidate(
|
||||||
|
() -> optionallyValidate(assetEntity.getBookingItem()),
|
||||||
|
() -> optionallyValidate(assetEntity.getParentAsset()),
|
||||||
|
() -> validateAgainstSubEntities(assetEntity)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
private List<String> validateEntityReferencesAndProperties(final HsHostingAsset assetEntity) {
|
||||||
|
return Stream.of(
|
||||||
|
validateReferencedEntity(assetEntity, "bookingItem", bookingItemReferenceValidation::validate),
|
||||||
|
validateReferencedEntity(assetEntity, "parentAsset", parentAssetReferenceValidation::validate),
|
||||||
|
validateReferencedEntity(assetEntity, "assignedToAsset", assignedToAssetReferenceValidation::validate),
|
||||||
|
validateReferencedEntity(assetEntity, "alarmContact", alarmContactValidation::validate),
|
||||||
|
validateProperties(assetEntity))
|
||||||
|
.filter(Objects::nonNull)
|
||||||
|
.flatMap(List::stream)
|
||||||
|
.filter(Objects::nonNull)
|
||||||
|
.toList();
|
||||||
|
}
|
||||||
|
|
||||||
|
private List<String> validateReferencedEntity(
|
||||||
|
final HsHostingAsset assetEntity,
|
||||||
|
final String referenceFieldName,
|
||||||
|
final BiFunction<HsHostingAsset, String, List<String>> validator) {
|
||||||
|
return enrich(prefix(assetEntity.toShortString()), validator.apply(assetEntity, referenceFieldName));
|
||||||
|
}
|
||||||
|
|
||||||
|
private List<String> validateProperties(final HsHostingAsset assetEntity) {
|
||||||
|
return enrich(prefix(assetEntity.toShortString(), "config"), super.validateProperties(assetEntity));
|
||||||
|
}
|
||||||
|
|
||||||
|
private static List<String> optionallyValidate(final HsHostingAsset assetEntity) {
|
||||||
|
return assetEntity != null
|
||||||
|
? enrich(
|
||||||
|
prefix(assetEntity.toShortString(), "parentAsset"),
|
||||||
|
HostingAssetEntityValidatorRegistry.forType(assetEntity.getType()).validateContext(assetEntity))
|
||||||
|
: emptyList();
|
||||||
|
}
|
||||||
|
|
||||||
|
private static List<String> optionallyValidate(final HsBookingItem bookingItem) {
|
||||||
|
return bookingItem != null
|
||||||
|
? enrich(
|
||||||
|
prefix(bookingItem.toShortString(), "bookingItem"),
|
||||||
|
HsBookingItemEntityValidatorRegistry.forType(bookingItem.getType()).validateContext(bookingItem))
|
||||||
|
: emptyList();
|
||||||
|
}
|
||||||
|
|
||||||
|
protected List<String> validateAgainstSubEntities(final HsHostingAsset assetEntity) {
|
||||||
|
return enrich(
|
||||||
|
prefix(assetEntity.toShortString(), "config"),
|
||||||
|
stream(propertyValidators)
|
||||||
|
.filter(ValidatableProperty::isTotalsValidator)
|
||||||
|
.map(prop -> validateMaxTotalValue(assetEntity, prop))
|
||||||
|
.filter(Objects::nonNull)
|
||||||
|
.toList());
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO.test: check, if there are any hosting assets which need this validation at all
|
||||||
|
private String validateMaxTotalValue(
|
||||||
|
final HsHostingAsset hostingAsset,
|
||||||
|
final ValidatableProperty<?, ?> propDef) {
|
||||||
|
final var propName = propDef.propertyName();
|
||||||
|
final var propUnit = ofNullable(propDef.unit()).map(u -> " " + u).orElse("");
|
||||||
|
final var totalValue = ofNullable(hostingAsset.getSubHostingAssets()).orElse(emptyList())
|
||||||
|
.stream()
|
||||||
|
.map(subItem -> propDef.getValue(subItem.getConfig()))
|
||||||
|
.map(HsEntityValidator::toIntegerWithDefault0)
|
||||||
|
.reduce(0, Integer::sum);
|
||||||
|
final var maxValue = getIntegerValueWithDefault0(propDef, hostingAsset.getConfig());
|
||||||
|
return totalValue > maxValue
|
||||||
|
? "%s' maximum total is %d%s, but actual total %s is %d%s".formatted(
|
||||||
|
propName, maxValue, propUnit, propName, totalValue, propUnit)
|
||||||
|
: null;
|
||||||
|
}
|
||||||
|
|
||||||
|
private List<String> validateIdentifierPattern(final HsHostingAsset assetEntity) {
|
||||||
|
final var expectedIdentifierPattern = identifierPattern(assetEntity);
|
||||||
|
if (assetEntity.getIdentifier() == null ||
|
||||||
|
!expectedIdentifierPattern.matcher(assetEntity.getIdentifier()).matches()) {
|
||||||
|
return List.of(
|
||||||
|
"'identifier' expected to match '" + expectedIdentifierPattern + "', but is '" + assetEntity.getIdentifier()
|
||||||
|
+ "'");
|
||||||
|
}
|
||||||
|
return Collections.emptyList();
|
||||||
|
}
|
||||||
|
|
||||||
|
protected abstract Pattern identifierPattern(HsHostingAsset assetEntity);
|
||||||
|
|
||||||
|
static class ReferenceValidator<S, T> {
|
||||||
|
|
||||||
|
private final HsHostingAssetType.RelationPolicy policy;
|
||||||
|
private final Set<T> referencedEntityTypes;
|
||||||
|
private final Function<HsHostingAsset, S> referencedEntityGetter;
|
||||||
|
private final Function<S, T> referencedEntityTypeGetter;
|
||||||
|
|
||||||
|
public ReferenceValidator(
|
||||||
|
final HsHostingAssetType.RelationPolicy policy,
|
||||||
|
final Set<T> referencedEntityTypes,
|
||||||
|
final Function<HsHostingAsset, S> referencedEntityGetter,
|
||||||
|
final Function<S, T> referencedEntityTypeGetter) {
|
||||||
|
this.policy = policy;
|
||||||
|
this.referencedEntityTypes = referencedEntityTypes;
|
||||||
|
this.referencedEntityGetter = referencedEntityGetter;
|
||||||
|
this.referencedEntityTypeGetter = referencedEntityTypeGetter;
|
||||||
|
}
|
||||||
|
|
||||||
|
public ReferenceValidator(
|
||||||
|
final HsHostingAssetType.RelationPolicy policy,
|
||||||
|
final Function<HsHostingAsset, S> referencedEntityGetter) {
|
||||||
|
this.policy = policy;
|
||||||
|
this.referencedEntityTypes = Set.of();
|
||||||
|
this.referencedEntityGetter = referencedEntityGetter;
|
||||||
|
this.referencedEntityTypeGetter = e -> null;
|
||||||
|
}
|
||||||
|
|
||||||
|
List<String> validate(final HsHostingAsset assetEntity, final String referenceFieldName) {
|
||||||
|
|
||||||
|
final var referencedEntity = referencedEntityGetter.apply(assetEntity);
|
||||||
|
final var referencedEntityType = referencedEntity != null ? referencedEntityTypeGetter.apply(referencedEntity) : null;
|
||||||
|
|
||||||
|
switch (policy) {
|
||||||
|
case REQUIRED:
|
||||||
|
if (!referencedEntityTypes.contains(referencedEntityType)) {
|
||||||
|
return List.of(referencedEntityType == null
|
||||||
|
? referenceFieldName + "' must be of type " + toDisplay(referencedEntityTypes) + " but is null"
|
||||||
|
: referenceFieldName + "' must be of type " + toDisplay(referencedEntityTypes) + " but is of type " + referencedEntityType);
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
case TERMINATORY:
|
||||||
|
if (assetEntity.getParentAsset() != null && assetEntity.getBookingItem() != null) {
|
||||||
|
return List.of(referenceFieldName + "' or parentItem must be null but is of type " + referencedEntityType);
|
||||||
|
}
|
||||||
|
if (assetEntity.getParentAsset() == null && !referencedEntityTypes.contains(referencedEntityType)) {
|
||||||
|
return List.of(referencedEntityType == null
|
||||||
|
? referenceFieldName + "' must be of type " + toDisplay(referencedEntityTypes) + " but is null"
|
||||||
|
: referenceFieldName + "' must be of type " + toDisplay(referencedEntityTypes) + " but is of type " + referencedEntityType);
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
case OPTIONAL:
|
||||||
|
if (referencedEntityType != null && !referencedEntityTypes.contains(referencedEntityType)) {
|
||||||
|
return List.of(referenceFieldName + "' must be null or of type " + toDisplay(referencedEntityTypes) + " but is of type "
|
||||||
|
+ referencedEntityType);
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
case FORBIDDEN:
|
||||||
|
if (referencedEntityType != null) {
|
||||||
|
return List.of(referenceFieldName + "' must be null but is of type " + referencedEntityType);
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
return emptyList();
|
||||||
|
}
|
||||||
|
|
||||||
|
private String toDisplay(final Set<T> referencedEntityTypes) {
|
||||||
|
return referencedEntityTypes.stream().sorted().map(Object::toString).collect(Collectors.joining(" or "));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static class AlarmContact extends ReferenceValidator<HsOfficeContactRealEntity, Enum<?>> {
|
||||||
|
|
||||||
|
AlarmContact(final HsHostingAssetType.RelationPolicy policy) {
|
||||||
|
super(policy, HsHostingAsset::getAlarmContact);
|
||||||
|
}
|
||||||
|
|
||||||
|
// hostmaster alert address is implicitly added where neccessary
|
||||||
|
static AlarmContact isOptional() {
|
||||||
|
return new AlarmContact(HsHostingAssetType.RelationPolicy.OPTIONAL);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,56 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAsset;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAsset;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType;
|
||||||
|
import net.hostsharing.hsadminng.hs.validation.HsEntityValidator;
|
||||||
|
|
||||||
|
import java.util.*;
|
||||||
|
|
||||||
|
import static java.util.Arrays.stream;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.*;
|
||||||
|
|
||||||
|
public class HostingAssetEntityValidatorRegistry {
|
||||||
|
|
||||||
|
private static final Map<Enum<HsHostingAssetType>, HsEntityValidator<HsHostingAsset>> validators = new HashMap<>();
|
||||||
|
static {
|
||||||
|
// HOWTO: add (register) new HsHostingAssetType-specific validators
|
||||||
|
register(CLOUD_SERVER, new HsCloudServerHostingAssetValidator());
|
||||||
|
register(MANAGED_SERVER, new HsManagedServerHostingAssetValidator());
|
||||||
|
register(MANAGED_WEBSPACE, new HsManagedWebspaceHostingAssetValidator());
|
||||||
|
register(UNIX_USER, new HsUnixUserHostingAssetValidator());
|
||||||
|
register(EMAIL_ALIAS, new HsEMailAliasHostingAssetValidator());
|
||||||
|
register(DOMAIN_SETUP, new HsDomainSetupHostingAssetValidator());
|
||||||
|
register(DOMAIN_DNS_SETUP, new HsDomainDnsSetupHostingAssetValidator());
|
||||||
|
register(DOMAIN_HTTP_SETUP, new HsDomainHttpSetupHostingAssetValidator());
|
||||||
|
register(DOMAIN_SMTP_SETUP, new HsDomainSmtpSetupHostingAssetValidator());
|
||||||
|
register(DOMAIN_MBOX_SETUP, new HsDomainMboxSetupHostingAssetValidator());
|
||||||
|
register(EMAIL_ADDRESS, new HsEMailAddressHostingAssetValidator());
|
||||||
|
register(MARIADB_INSTANCE, new HsMariaDbInstanceHostingAssetValidator());
|
||||||
|
register(MARIADB_USER, new HsMariaDbUserHostingAssetValidator());
|
||||||
|
register(MARIADB_DATABASE, new HsMariaDbDatabaseHostingAssetValidator());
|
||||||
|
register(PGSQL_INSTANCE, new HsPostgreSqlDbInstanceHostingAssetValidator());
|
||||||
|
register(PGSQL_USER, new HsPostgreSqlUserHostingAssetValidator());
|
||||||
|
register(PGSQL_DATABASE, new HsPostgreSqlDatabaseHostingAssetValidator());
|
||||||
|
register(IPV4_NUMBER, new HsIPv4NumberHostingAssetValidator());
|
||||||
|
register(IPV6_NUMBER, new HsIPv6NumberHostingAssetValidator());
|
||||||
|
}
|
||||||
|
|
||||||
|
private static void register(final Enum<HsHostingAssetType> type, final HsEntityValidator<HsHostingAsset> validator) {
|
||||||
|
stream(validator.propertyValidators).forEach( entry -> {
|
||||||
|
entry.verifyConsistency(Map.entry(type, validator));
|
||||||
|
});
|
||||||
|
validators.put(type, validator);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static HsEntityValidator<HsHostingAsset> forType(final Enum<HsHostingAssetType> type) {
|
||||||
|
if ( validators.containsKey(type)) {
|
||||||
|
return validators.get(type);
|
||||||
|
}
|
||||||
|
throw new IllegalArgumentException("no validator found for type " + type);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static Set<Enum<HsHostingAssetType>> types() {
|
||||||
|
return validators.keySet();
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,22 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAsset;
|
||||||
|
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.CLOUD_SERVER;
|
||||||
|
|
||||||
|
class HsCloudServerHostingAssetValidator extends HostingAssetEntityValidator {
|
||||||
|
|
||||||
|
HsCloudServerHostingAssetValidator() {
|
||||||
|
super(
|
||||||
|
CLOUD_SERVER,
|
||||||
|
AlarmContact.isOptional(),
|
||||||
|
NO_EXTRA_PROPERTIES);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Pattern identifierPattern(final HsHostingAsset assetEntity) {
|
||||||
|
return Pattern.compile("^vm[0-9][0-9][0-9][0-9]$");
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,185 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset.validators;
|
||||||
|
|
||||||
|
import lombok.SneakyThrows;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAsset;
|
||||||
|
import net.hostsharing.hsadminng.system.SystemProcess;
|
||||||
|
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
import static java.util.Arrays.stream;
|
||||||
|
import static java.util.Optional.ofNullable;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.DOMAIN_DNS_SETUP;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.ArrayProperty.arrayOf;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.BooleanProperty.booleanProperty;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.IntegerProperty.integerProperty;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.StringProperty.stringProperty;
|
||||||
|
|
||||||
|
// TODO.impl: make package private once we've migrated the legacy data
|
||||||
|
public class HsDomainDnsSetupHostingAssetValidator extends HostingAssetEntityValidator {
|
||||||
|
|
||||||
|
// according to RFC 1035 (section 5) and RFC 1034
|
||||||
|
static final String RR_REGEX_NAME = "(\\*\\.)?([a-zA-Z0-9\\._-]+|@)[ \t]+";
|
||||||
|
static final String RR_REGEX_TTL = "(([1-9][0-9]*[mMhHdDwW]?)+[ \t]+)?";
|
||||||
|
static final String RR_REGEX_IN = "[iI][nN][ \t]+"; // record class IN for Internet
|
||||||
|
static final String RR_RECORD_TYPE = "[a-zA-Z]+[ \t]+";
|
||||||
|
static final String RR_RECORD_DATA = "(([^;]+)|(\".*\")|(\\(.*\\)))[ \t]*";
|
||||||
|
static final String RR_COMMENT = "(;.*)?";
|
||||||
|
|
||||||
|
static final String RR_REGEX_TTL_IN =
|
||||||
|
RR_REGEX_NAME + RR_REGEX_TTL + RR_REGEX_IN + RR_RECORD_TYPE + RR_RECORD_DATA + RR_COMMENT;
|
||||||
|
|
||||||
|
static final String RR_REGEX_IN_TTL =
|
||||||
|
RR_REGEX_NAME + RR_REGEX_IN + RR_REGEX_TTL + RR_RECORD_TYPE + RR_RECORD_DATA + RR_COMMENT;
|
||||||
|
public static final String IDENTIFIER_SUFFIX = "|DNS";
|
||||||
|
|
||||||
|
private static List<String> zoneFileErrors = null; // TODO.impl: remove once legacy data is migrated
|
||||||
|
|
||||||
|
HsDomainDnsSetupHostingAssetValidator() {
|
||||||
|
super(
|
||||||
|
DOMAIN_DNS_SETUP,
|
||||||
|
AlarmContact.isOptional(),
|
||||||
|
|
||||||
|
integerProperty("TTL").min(0).withDefault(21600),
|
||||||
|
booleanProperty("auto-SOA").withDefault(true),
|
||||||
|
booleanProperty("auto-NS-RR").withDefault(true),
|
||||||
|
booleanProperty("auto-MX-RR").withDefault(true),
|
||||||
|
booleanProperty("auto-A-RR").withDefault(true),
|
||||||
|
booleanProperty("auto-AAAA-RR").withDefault(true),
|
||||||
|
booleanProperty("auto-MAILSERVICES-RR").withDefault(true),
|
||||||
|
booleanProperty("auto-AUTOCONFIG-RR").withDefault(true),
|
||||||
|
booleanProperty("auto-AUTODISCOVER-RR").withDefault(true),
|
||||||
|
booleanProperty("auto-DKIM-RR").withDefault(true),
|
||||||
|
booleanProperty("auto-SPF-RR").withDefault(true),
|
||||||
|
booleanProperty("auto-WILDCARD-MX-RR").withDefault(true),
|
||||||
|
booleanProperty("auto-WILDCARD-A-RR").withDefault(true),
|
||||||
|
booleanProperty("auto-WILDCARD-AAAA-RR").withDefault(true),
|
||||||
|
booleanProperty("auto-WILDCARD-SPF-RR").withDefault(true),
|
||||||
|
arrayOf(
|
||||||
|
stringProperty("user-RR").matchesRegEx(RR_REGEX_TTL_IN, RR_REGEX_IN_TTL).required()
|
||||||
|
).optional());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Pattern identifierPattern(final HsHostingAsset assetEntity) {
|
||||||
|
return Pattern.compile("^" + Pattern.quote(assetEntity.getParentAsset().getIdentifier() + IDENTIFIER_SUFFIX) + "$");
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void preprocessEntity(final HsHostingAsset entity) {
|
||||||
|
super.preprocessEntity(entity);
|
||||||
|
if (entity.getIdentifier() == null) {
|
||||||
|
ofNullable(entity.getParentAsset()).ifPresent(pa -> entity.setIdentifier(pa.getIdentifier() + IDENTIFIER_SUFFIX));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
@SneakyThrows
|
||||||
|
public List<String> validateContext(final HsHostingAsset assetEntity) {
|
||||||
|
final var result = super.validateContext(assetEntity);
|
||||||
|
|
||||||
|
// TODO.spec: define which checks should get raised to error level
|
||||||
|
final var namedCheckZone = new SystemProcess("named-checkzone", fqdn(assetEntity));
|
||||||
|
final var zonefileString = toZonefileString(assetEntity);
|
||||||
|
final var zoneFileErrorResult = zoneFileErrors != null ? zoneFileErrors : result;
|
||||||
|
if (namedCheckZone.execute(zonefileString) != 0) {
|
||||||
|
// yes, named-checkzone writes error messages to stdout, not stderr
|
||||||
|
stream(namedCheckZone.getStdOut().split("\n"))
|
||||||
|
.map(line -> line.replaceAll(" stream-0x[0-9a-f]+:", "line "))
|
||||||
|
.map(line -> "[" + assetEntity.getIdentifier() + "] " + line)
|
||||||
|
.forEach(zoneFileErrorResult::add);
|
||||||
|
if (!namedCheckZone.getStdErr().isEmpty()) {
|
||||||
|
result.add("unexpected stderr output for " + namedCheckZone.getCommand() + ": " + namedCheckZone.getStdErr());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
|
String toZonefileString(final HsHostingAsset assetEntity) {
|
||||||
|
// TODO.spec: we need to expand the templates (auto-...) in the same way as in Saltstack, with proper IP-numbers etc.
|
||||||
|
// TODO.impl: auto-AUTOCONFIG-RR auto-AUTODISCOVER-RR missing
|
||||||
|
return """
|
||||||
|
$TTL {ttl}
|
||||||
|
|
||||||
|
{auto-SOA}
|
||||||
|
{auto-NS-RR}
|
||||||
|
{auto-MX-RR}
|
||||||
|
{auto-A-RR}
|
||||||
|
{auto-AAAA-RR}
|
||||||
|
{auto-DKIM-RR}
|
||||||
|
{auto-SPF-RR}
|
||||||
|
|
||||||
|
{auto-WILDCARD-MX-RR}
|
||||||
|
{auto-WILDCARD-A-RR}
|
||||||
|
{auto-WILDCARD-AAAA-RR}
|
||||||
|
{auto-WILDCARD-SPF-RR}
|
||||||
|
|
||||||
|
{userRRs}
|
||||||
|
"""
|
||||||
|
.replace("{ttl}", assetEntity.getDirectValue("TTL", Integer.class, 43200).toString())
|
||||||
|
.replace("{auto-SOA}", assetEntity.getDirectValue("auto-SOA", Boolean.class, false).equals(true)
|
||||||
|
? """
|
||||||
|
{domain}. IN SOA h00.hostsharing.net. hostmaster.hostsharing.net. (
|
||||||
|
1303649373 ; serial secs since Jan 1 1970
|
||||||
|
6H ; refresh (>=10000)
|
||||||
|
1H ; retry (>=1800)
|
||||||
|
1W ; expire
|
||||||
|
1H ; minimum
|
||||||
|
)
|
||||||
|
"""
|
||||||
|
: "; no auto-SOA"
|
||||||
|
)
|
||||||
|
.replace("{auto-NS-RR}", assetEntity.getDirectValue("auto-NS-RR", Boolean.class, true)
|
||||||
|
? """
|
||||||
|
{domain}. IN NS dns1.hostsharing.net.
|
||||||
|
{domain}. IN NS dns2.hostsharing.net.
|
||||||
|
{domain}. IN NS dns3.hostsharing.net.
|
||||||
|
"""
|
||||||
|
: "; no auto-NS-RR")
|
||||||
|
.replace("{auto-MX-RR}", assetEntity.getDirectValue("auto-MX-RR", Boolean.class, true)
|
||||||
|
? """
|
||||||
|
{domain}. IN MX 30 mailin1.hostsharing.net.
|
||||||
|
{domain}. IN MX 30 mailin2.hostsharing.net.
|
||||||
|
{domain}. IN MX 30 mailin3.hostsharing.net.
|
||||||
|
"""
|
||||||
|
: "; no auto-MX-RR")
|
||||||
|
.replace("{auto-A-RR}", assetEntity.getDirectValue("auto-A-RR", Boolean.class, true)
|
||||||
|
? "{domain}. IN A 83.223.95.160" // arbitrary IP-number
|
||||||
|
: "; no auto-A-RR")
|
||||||
|
.replace("{auto-AAAA-RR}", assetEntity.getDirectValue("auto-AAA-RR", Boolean.class, true)
|
||||||
|
? "{domain}. IN AAAA 2a01:37:1000::53df:5fa0:0" // arbitrary IP-number
|
||||||
|
: "; no auto-AAAA-RR")
|
||||||
|
.replace("{auto-DKIM-RR}", assetEntity.getDirectValue("auto-DKIM-RR", Boolean.class, true)
|
||||||
|
? "default._domainkey 21600 IN TXT \"v=DKIM1; h=sha256; k=rsa; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmdM9d15bqe94zbHVcKKpUF875XoCWHKRap/sG3NJZ9xZ/BjfGXmqoEYeFNpX3CB7pOXhH5naq4N+6gTjArTviAiVThHXyebhrxaf1dVS4IUC6raTEyQrWPZUf7ZxXmcCYvOdV4jIQ8GRfxwxqibIJcmMiufXTLIgRUif5uaTgFwIDAQAB\""
|
||||||
|
: "; no auto-DKIM-RR")
|
||||||
|
.replace("{auto-SPF-RR}", assetEntity.getDirectValue("auto-SPF-RR", Boolean.class, true)
|
||||||
|
? "{domain}. IN TXT \"v=spf1 include:spf.hostsharing.net ?all\""
|
||||||
|
: "; no auto-SPF-RR")
|
||||||
|
.replace("{auto-WILDCARD-MX-RR}", assetEntity.getDirectValue("auto-SPF-RR", Boolean.class, true)
|
||||||
|
? """
|
||||||
|
*.{domain}. IN MX 30 mailin1.hostsharing.net.
|
||||||
|
*.{domain}. IN MX 30 mailin1.hostsharing.net.
|
||||||
|
*.{domain}. IN MX 30 mailin1.hostsharing.net.
|
||||||
|
"""
|
||||||
|
: "; no auto-WILDCARD-MX-RR")
|
||||||
|
.replace("{auto-WILDCARD-A-RR}", assetEntity.getDirectValue("auto-WILDCARD-A-RR", Boolean.class, true)
|
||||||
|
? "*.{domain}. IN A 83.223.95.160" // arbitrary IP-number
|
||||||
|
: "; no auto-WILDCARD-A-RR")
|
||||||
|
.replace("{auto-WILDCARD-AAAA-RR}", assetEntity.getDirectValue("auto-WILDCARD-AAAA-RR", Boolean.class, true)
|
||||||
|
? "*.{domain}. IN AAAA 2a01:37:1000::53df:5fa0:0" // arbitrary IP-number
|
||||||
|
: "; no auto-WILDCARD-AAAA-RR")
|
||||||
|
.replace("{auto-WILDCARD-SPF-RR}", assetEntity.getDirectValue("auto-WILDCARD-SPF-RR", Boolean.class, true)
|
||||||
|
? "*.{domain}. IN TXT \"v=spf1 include:spf.hostsharing.net ?all\""
|
||||||
|
: "; no auto-WILDCARD-SPF-RR")
|
||||||
|
.replace("{domain}", fqdn(assetEntity))
|
||||||
|
.replace("{userRRs}", getPropertyValues(assetEntity, "user-RR"));
|
||||||
|
}
|
||||||
|
|
||||||
|
private String fqdn(final HsHostingAsset assetEntity) {
|
||||||
|
return assetEntity.getIdentifier().substring(0, assetEntity.getIdentifier().length() - IDENTIFIER_SUFFIX.length());
|
||||||
|
}
|
||||||
|
|
||||||
|
public static void addZonefileErrorsTo(final List<String> zoneFileErrors) {
|
||||||
|
HsDomainDnsSetupHostingAssetValidator.zoneFileErrors = zoneFileErrors;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,56 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAsset;
|
||||||
|
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
import static java.util.Optional.ofNullable;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.DOMAIN_HTTP_SETUP;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.ArrayProperty.arrayOf;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.BooleanProperty.booleanProperty;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.StringProperty.stringProperty;
|
||||||
|
|
||||||
|
class HsDomainHttpSetupHostingAssetValidator extends HostingAssetEntityValidator {
|
||||||
|
|
||||||
|
public static final String IDENTIFIER_SUFFIX = "|HTTP";
|
||||||
|
public static final String FILESYSTEM_PATH = "^/.*";
|
||||||
|
public static final String SUBDOMAIN_NAME_REGEX = "(\\*|(?!-)[A-Za-z0-9-]{1,63}(?<!-))";
|
||||||
|
|
||||||
|
HsDomainHttpSetupHostingAssetValidator() {
|
||||||
|
super(
|
||||||
|
DOMAIN_HTTP_SETUP,
|
||||||
|
AlarmContact.isOptional(),
|
||||||
|
|
||||||
|
booleanProperty("htdocsfallback").withDefault(true),
|
||||||
|
booleanProperty("indexes").withDefault(true),
|
||||||
|
booleanProperty("cgi").withDefault(true),
|
||||||
|
booleanProperty("passenger").withDefault(true),
|
||||||
|
booleanProperty("passenger-errorpage").withDefault(false),
|
||||||
|
booleanProperty("fastcgi").withDefault(true),
|
||||||
|
booleanProperty("autoconfig").withDefault(true),
|
||||||
|
booleanProperty("greylisting").withDefault(true),
|
||||||
|
booleanProperty("includes").withDefault(true),
|
||||||
|
booleanProperty("letsencrypt").withDefault(true),
|
||||||
|
booleanProperty("multiviews").withDefault(true),
|
||||||
|
stringProperty("fcgi-php-bin").matchesRegEx(FILESYSTEM_PATH).provided("/usr/lib/cgi-bin/php").withDefault("/usr/lib/cgi-bin/php"),
|
||||||
|
stringProperty("passenger-nodejs").matchesRegEx(FILESYSTEM_PATH).provided("/usr/bin/node").withDefault("/usr/bin/node"),
|
||||||
|
stringProperty("passenger-python").matchesRegEx(FILESYSTEM_PATH).provided("/usr/bin/python3").withDefault("/usr/bin/python3"),
|
||||||
|
stringProperty("passenger-ruby").matchesRegEx(FILESYSTEM_PATH).provided("/usr/bin/ruby").withDefault("/usr/bin/ruby"),
|
||||||
|
arrayOf(
|
||||||
|
stringProperty("subdomains").matchesRegEx(SUBDOMAIN_NAME_REGEX).required()
|
||||||
|
).optional());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Pattern identifierPattern(final HsHostingAsset assetEntity) {
|
||||||
|
return Pattern.compile("^" + Pattern.quote(assetEntity.getParentAsset().getIdentifier() + IDENTIFIER_SUFFIX) + "$");
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void preprocessEntity(final HsHostingAsset entity) {
|
||||||
|
super.preprocessEntity(entity);
|
||||||
|
if (entity.getIdentifier() == null) {
|
||||||
|
ofNullable(entity.getParentAsset()).ifPresent(pa -> entity.setIdentifier(pa.getIdentifier() + IDENTIFIER_SUFFIX));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,34 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAsset;
|
||||||
|
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
import static java.util.Optional.ofNullable;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.DOMAIN_MBOX_SETUP;
|
||||||
|
|
||||||
|
class HsDomainMboxSetupHostingAssetValidator extends HostingAssetEntityValidator {
|
||||||
|
|
||||||
|
public static final String IDENTIFIER_SUFFIX = "|MBOX";
|
||||||
|
|
||||||
|
HsDomainMboxSetupHostingAssetValidator() {
|
||||||
|
super(
|
||||||
|
DOMAIN_MBOX_SETUP,
|
||||||
|
AlarmContact.isOptional(),
|
||||||
|
|
||||||
|
NO_EXTRA_PROPERTIES);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Pattern identifierPattern(final HsHostingAsset assetEntity) {
|
||||||
|
return Pattern.compile("^" + Pattern.quote(assetEntity.getParentAsset().getIdentifier() + IDENTIFIER_SUFFIX) + "$");
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void preprocessEntity(final HsHostingAsset entity) {
|
||||||
|
super.preprocessEntity(entity);
|
||||||
|
if (entity.getIdentifier() == null) {
|
||||||
|
ofNullable(entity.getParentAsset()).ifPresent(pa -> entity.setIdentifier(pa.getIdentifier() + IDENTIFIER_SUFFIX));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,128 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAsset;
|
||||||
|
|
||||||
|
import java.util.ArrayList;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Optional;
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.DOMAIN_SETUP;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.validators.Dns.superDomain;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.validators.HsDomainHttpSetupHostingAssetValidator.SUBDOMAIN_NAME_REGEX;
|
||||||
|
|
||||||
|
class HsDomainSetupHostingAssetValidator extends HostingAssetEntityValidator {
|
||||||
|
|
||||||
|
public static final String DOMAIN_NAME_PROPERTY_NAME = "domainName";
|
||||||
|
|
||||||
|
HsDomainSetupHostingAssetValidator() {
|
||||||
|
super(
|
||||||
|
DOMAIN_SETUP,
|
||||||
|
AlarmContact.isOptional(),
|
||||||
|
|
||||||
|
NO_EXTRA_PROPERTIES);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public List<String> validateEntity(final HsHostingAsset assetEntity) {
|
||||||
|
final var violations = super.validateEntity(assetEntity);
|
||||||
|
if (!violations.isEmpty() || assetEntity.isLoaded()) {
|
||||||
|
// it makes no sense to do DNS-based validation
|
||||||
|
// if the entity is already persisted or
|
||||||
|
// if the identifier (domain name) or structure is already invalid
|
||||||
|
return violations;
|
||||||
|
}
|
||||||
|
|
||||||
|
final var dnsResult = new Dns(assetEntity.getIdentifier()).fetchRecordsOfType("TXT");
|
||||||
|
switch (dnsResult.status()) {
|
||||||
|
case Dns.Status.SUCCESS:
|
||||||
|
violations.addAll(handleDomainNameFound(assetEntity, dnsResult));
|
||||||
|
break;
|
||||||
|
|
||||||
|
case Dns.Status.NAME_NOT_FOUND:
|
||||||
|
violations.addAll(handleDomainNameNotFoundError(assetEntity, dnsResult));
|
||||||
|
break;
|
||||||
|
|
||||||
|
case Dns.Status.INVALID_NAME:
|
||||||
|
// should not happen because we validate the domain name at booking item level
|
||||||
|
violations.add("[DNS] invalid domain name '" + assetEntity.getIdentifier() + "'");
|
||||||
|
break;
|
||||||
|
|
||||||
|
case Dns.Status.SERVICE_UNAVAILABLE:
|
||||||
|
case Dns.Status.UNKNOWN_FAILURE:
|
||||||
|
violations.add("[DNS] lookup failed for domain name '" + assetEntity.getIdentifier() + "': " + dnsResult.exception());
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
return violations;
|
||||||
|
}
|
||||||
|
|
||||||
|
private static String verificationCode(final HsHostingAsset assetEntity) {
|
||||||
|
return assetEntity.getBookingItem().getDirectValue("verificationCode", String.class);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Pattern identifierPattern(final HsHostingAsset assetEntity) {
|
||||||
|
if (assetEntity.getBookingItem() != null) {
|
||||||
|
final var bookingItemDomainName = assetEntity.getBookingItem()
|
||||||
|
.getDirectValue(DOMAIN_NAME_PROPERTY_NAME, String.class);
|
||||||
|
return Pattern.compile(bookingItemDomainName, Pattern.CASE_INSENSITIVE | Pattern.LITERAL);
|
||||||
|
}
|
||||||
|
final var parentDomainName = assetEntity.getParentAsset().getIdentifier();
|
||||||
|
return Pattern.compile(SUBDOMAIN_NAME_REGEX + "\\." + parentDomainName.replace(".", "\\."), Pattern.CASE_INSENSITIVE);
|
||||||
|
}
|
||||||
|
|
||||||
|
private static List<String> handleDomainNameFound(final HsHostingAsset assetEntity, final Dns.Result dnsResult) {
|
||||||
|
final var violations = new ArrayList<String>();
|
||||||
|
final var expectedTxtRecordValue = "Hostsharing-domain-setup-verification-code=" + verificationCode(assetEntity);
|
||||||
|
final var verificationFound = findTxtRecord(dnsResult, expectedTxtRecordValue)
|
||||||
|
.or(() -> superDomain(assetEntity.getIdentifier())
|
||||||
|
.flatMap(superDomainName -> findTxtRecord(
|
||||||
|
new Dns(superDomainName).fetchRecordsOfType("TXT"),
|
||||||
|
expectedTxtRecordValue))
|
||||||
|
);
|
||||||
|
if (verificationFound.isEmpty()) {
|
||||||
|
violations.add(
|
||||||
|
"[DNS] no TXT record '" + expectedTxtRecordValue +
|
||||||
|
"' found for domain name '" + assetEntity.getIdentifier() + "' (nor in its super-domain)");
|
||||||
|
}
|
||||||
|
return violations;
|
||||||
|
}
|
||||||
|
|
||||||
|
private static List<String> handleDomainNameNotFoundError(final HsHostingAsset assetEntity, final Dns.Result dnsResult) {
|
||||||
|
final var violations = new ArrayList<String>();
|
||||||
|
if (isDnsVerificationRequiredForUnregisteredDomain(assetEntity)) {
|
||||||
|
final var superDomain = superDomain(assetEntity.getIdentifier());
|
||||||
|
final var expectedTxtRecordValue = "Hostsharing-domain-setup-verification-code=" + verificationCode(assetEntity);
|
||||||
|
final var verificationFoundInSuperDomain = superDomain.map(superDomainName ->
|
||||||
|
{
|
||||||
|
final Dns.Result superDomainDnsResult = new Dns(superDomainName).fetchRecordsOfType("TXT");
|
||||||
|
if (superDomainDnsResult.status() != Dns.Status.SUCCESS) {
|
||||||
|
violations.add("[DNS] lookup failed for domain name '" + superDomainName + "': " + dnsResult.exception());
|
||||||
|
}
|
||||||
|
return superDomainDnsResult;
|
||||||
|
}
|
||||||
|
)
|
||||||
|
.flatMap(records -> findTxtRecord(records, expectedTxtRecordValue));
|
||||||
|
if (verificationFoundInSuperDomain.isEmpty()) {
|
||||||
|
violations.add(
|
||||||
|
"[DNS] no TXT record '" + expectedTxtRecordValue +
|
||||||
|
"' found for domain name '" + superDomain.orElseThrow() + "'");
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
// otherwise no DNS verification to be able to setup DNS for domains to register
|
||||||
|
}
|
||||||
|
return violations;
|
||||||
|
}
|
||||||
|
|
||||||
|
private static boolean isDnsVerificationRequiredForUnregisteredDomain(final HsHostingAsset assetEntity) {
|
||||||
|
return !Dns.isRegistrableDomain(assetEntity.getIdentifier())
|
||||||
|
&& assetEntity.getParentAsset() == null;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
private static Optional<String> findTxtRecord(final Dns.Result result, final String expectedTxtRecordValue) {
|
||||||
|
return result.records().stream()
|
||||||
|
.filter(r -> r.contains(expectedTxtRecordValue))
|
||||||
|
.findAny();
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,34 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAsset;
|
||||||
|
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
import static java.util.Optional.ofNullable;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.DOMAIN_SMTP_SETUP;
|
||||||
|
|
||||||
|
class HsDomainSmtpSetupHostingAssetValidator extends HostingAssetEntityValidator {
|
||||||
|
|
||||||
|
public static final String IDENTIFIER_SUFFIX = "|SMTP";
|
||||||
|
|
||||||
|
HsDomainSmtpSetupHostingAssetValidator() {
|
||||||
|
super(
|
||||||
|
DOMAIN_SMTP_SETUP,
|
||||||
|
AlarmContact.isOptional(),
|
||||||
|
|
||||||
|
NO_EXTRA_PROPERTIES);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Pattern identifierPattern(final HsHostingAsset assetEntity) {
|
||||||
|
return Pattern.compile("^" + Pattern.quote(assetEntity.getParentAsset().getIdentifier() + IDENTIFIER_SUFFIX) + "$");
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void preprocessEntity(final HsHostingAsset entity) {
|
||||||
|
super.preprocessEntity(entity);
|
||||||
|
if (entity.getIdentifier() == null) {
|
||||||
|
ofNullable(entity.getParentAsset()).ifPresent(pa -> entity.setIdentifier(pa.getIdentifier() + IDENTIFIER_SUFFIX));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,53 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAsset;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType;
|
||||||
|
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
import static java.util.Optional.ofNullable;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.ArrayProperty.arrayOf;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.StringProperty.stringProperty;
|
||||||
|
|
||||||
|
class HsEMailAddressHostingAssetValidator extends HostingAssetEntityValidator {
|
||||||
|
|
||||||
|
private static final String TARGET_MAILBOX_REGEX = "^[a-z][a-z0-9]{2}[0-9]{2}(-[a-z0-9][a-z0-9\\.+_-]*)?$"; // also accepts legacy pac-names
|
||||||
|
private static final String EMAIL_ADDRESS_LOCAL_PART_REGEX = "[a-zA-Z0-9_!#$%&'*+/=?`{|}~^.-]+"; // RFC 5322
|
||||||
|
private static final String EMAIL_ADDRESS_DOMAIN_PART_REGEX = "[a-zA-Z0-9.-]+";
|
||||||
|
private static final String EMAIL_ADDRESS_FULL_REGEX = "^(" + EMAIL_ADDRESS_LOCAL_PART_REGEX + ")?@" + EMAIL_ADDRESS_DOMAIN_PART_REGEX + "$";
|
||||||
|
private static final String NOBODY_REGEX = "^nobody$";
|
||||||
|
private static final String DEVNULL_REGEX = "^/dev/null$";
|
||||||
|
public static final int EMAIL_ADDRESS_MAX_LENGTH = 320; // according to RFC 5321 and RFC 5322
|
||||||
|
|
||||||
|
HsEMailAddressHostingAssetValidator() {
|
||||||
|
super( HsHostingAssetType.EMAIL_ADDRESS,
|
||||||
|
AlarmContact.isOptional(),
|
||||||
|
|
||||||
|
stringProperty("local-part").matchesRegEx("^" + EMAIL_ADDRESS_LOCAL_PART_REGEX + "$").writeOnce().optional(),
|
||||||
|
stringProperty("sub-domain").matchesRegEx("^" + EMAIL_ADDRESS_LOCAL_PART_REGEX + "$").writeOnce().optional(),
|
||||||
|
arrayOf(
|
||||||
|
stringProperty("target").maxLength(EMAIL_ADDRESS_MAX_LENGTH).matchesRegEx(TARGET_MAILBOX_REGEX, EMAIL_ADDRESS_FULL_REGEX, NOBODY_REGEX, DEVNULL_REGEX)
|
||||||
|
).required().minLength(1));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void preprocessEntity(final HsHostingAsset entity) {
|
||||||
|
super.preprocessEntity(entity);
|
||||||
|
super.preprocessEntity(entity);
|
||||||
|
if (entity.getIdentifier() == null) {
|
||||||
|
entity.setIdentifier(combineIdentifier(entity));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Pattern identifierPattern(final HsHostingAsset assetEntity) {
|
||||||
|
return Pattern.compile("^"+ Pattern.quote(combineIdentifier(assetEntity)) + "$");
|
||||||
|
}
|
||||||
|
|
||||||
|
private static String combineIdentifier(final HsHostingAsset emailAddressAssetEntity) {
|
||||||
|
return ofNullable(emailAddressAssetEntity.getDirectValue("local-part", String.class)).orElse("")
|
||||||
|
+ "@"
|
||||||
|
+ ofNullable(emailAddressAssetEntity.getDirectValue("sub-domain", String.class)).map(s -> s + ".").orElse("")
|
||||||
|
+ emailAddressAssetEntity.getParentAsset().getParentAsset().getIdentifier();
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,34 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAsset;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType;
|
||||||
|
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.ArrayProperty.arrayOf;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.StringProperty.stringProperty;
|
||||||
|
|
||||||
|
class HsEMailAliasHostingAssetValidator extends HostingAssetEntityValidator {
|
||||||
|
|
||||||
|
private static final String UNIX_USER_REGEX = "^[a-z][a-z0-9]{2}[0-9]{2}(-[a-z0-9][a-z0-9\\._-]*)?$"; // also accepts legacy pac-names
|
||||||
|
private static final String EMAIL_ADDRESS_REGEX = "^[a-zA-Z0-9_!#$%&'*+/=?`{|}~^.-]+@[a-zA-Z0-9.-]+$"; // RFC 5322
|
||||||
|
private static final String INCLUDE_REGEX = "^:include:/.*$";
|
||||||
|
private static final String PIPE_REGEX = "^\\|.*$";
|
||||||
|
private static final String DEV_NULL_REGEX = "^/dev/null$";
|
||||||
|
public static final int EMAIL_ADDRESS_MAX_LENGTH = 320; // according to RFC 5321 and RFC 5322
|
||||||
|
|
||||||
|
HsEMailAliasHostingAssetValidator() {
|
||||||
|
super( HsHostingAssetType.EMAIL_ALIAS,
|
||||||
|
AlarmContact.isOptional(),
|
||||||
|
|
||||||
|
arrayOf(
|
||||||
|
stringProperty("target").maxLength(EMAIL_ADDRESS_MAX_LENGTH).matchesRegEx(UNIX_USER_REGEX, EMAIL_ADDRESS_REGEX, INCLUDE_REGEX, PIPE_REGEX, DEV_NULL_REGEX)
|
||||||
|
).required().minLength(1));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Pattern identifierPattern(final HsHostingAsset assetEntity) {
|
||||||
|
final var webspaceIdentifier = assetEntity.getParentAsset().getIdentifier();
|
||||||
|
return Pattern.compile("^"+webspaceIdentifier+"$|^"+webspaceIdentifier+"-[a-z0-9][a-z0-9\\._-]*$");
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,26 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAsset;
|
||||||
|
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.IPV4_NUMBER;
|
||||||
|
|
||||||
|
class HsIPv4NumberHostingAssetValidator extends HostingAssetEntityValidator {
|
||||||
|
|
||||||
|
private static final Pattern IPV4_REGEX = Pattern.compile("^((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}$");
|
||||||
|
|
||||||
|
HsIPv4NumberHostingAssetValidator() {
|
||||||
|
super(
|
||||||
|
IPV4_NUMBER,
|
||||||
|
AlarmContact.isOptional(),
|
||||||
|
|
||||||
|
NO_EXTRA_PROPERTIES
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Pattern identifierPattern(final HsHostingAsset assetEntity) {
|
||||||
|
return IPV4_REGEX;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,49 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAsset;
|
||||||
|
|
||||||
|
import java.net.InetAddress;
|
||||||
|
import java.net.UnknownHostException;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.IPV6_NUMBER;
|
||||||
|
|
||||||
|
class HsIPv6NumberHostingAssetValidator extends HostingAssetEntityValidator {
|
||||||
|
|
||||||
|
// simplified pattern, the real check is done by letting Java parse the address
|
||||||
|
private static final Pattern IPV6_REGEX = Pattern.compile("([a-f0-9:]+:+)+[a-f0-9]+");
|
||||||
|
|
||||||
|
HsIPv6NumberHostingAssetValidator() {
|
||||||
|
super(
|
||||||
|
IPV6_NUMBER,
|
||||||
|
AlarmContact.isOptional(),
|
||||||
|
|
||||||
|
NO_EXTRA_PROPERTIES
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public List<String> validateEntity(final HsHostingAsset assetEntity) {
|
||||||
|
final var violations = super.validateEntity(assetEntity);
|
||||||
|
|
||||||
|
if (!isValidIPv6Address(assetEntity.getIdentifier())) {
|
||||||
|
violations.add("'identifier' expected to be a valid IPv6 address, but is '" + assetEntity.getIdentifier() + "'");
|
||||||
|
}
|
||||||
|
|
||||||
|
return violations;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Pattern identifierPattern(final HsHostingAsset assetEntity) {
|
||||||
|
return IPV6_REGEX;
|
||||||
|
}
|
||||||
|
|
||||||
|
private boolean isValidIPv6Address(final String identifier) {
|
||||||
|
try {
|
||||||
|
return InetAddress.getByName(identifier) instanceof java.net.Inet6Address;
|
||||||
|
} catch (UnknownHostException e) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,60 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAsset;
|
||||||
|
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.MANAGED_SERVER;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.BooleanProperty.booleanProperty;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.EnumerationProperty.enumerationProperty;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.IntegerProperty.integerProperty;
|
||||||
|
|
||||||
|
class HsManagedServerHostingAssetValidator extends HostingAssetEntityValidator {
|
||||||
|
|
||||||
|
public HsManagedServerHostingAssetValidator() {
|
||||||
|
super(
|
||||||
|
MANAGED_SERVER,
|
||||||
|
AlarmContact.isOptional(),
|
||||||
|
|
||||||
|
// monitoring
|
||||||
|
integerProperty("monit_max_cpu_usage").unit("%").min(10).max(100).withDefault(92),
|
||||||
|
integerProperty("monit_max_ram_usage").unit("%").min(10).max(100).withDefault(92),
|
||||||
|
integerProperty("monit_max_ssd_usage").unit("%").min(10).max(100).withDefault(98),
|
||||||
|
integerProperty("monit_min_free_ssd").min(1).max(1000).withDefault(5),
|
||||||
|
integerProperty("monit_max_hdd_usage").unit("%").min(10).max(100).withDefault(95),
|
||||||
|
integerProperty("monit_min_free_hdd").min(1).max(4000).withDefault(10),
|
||||||
|
|
||||||
|
// other settings
|
||||||
|
// booleanProperty("fastcgi_small").withDefault(false), TODO.spec: clarify Salt-Grains
|
||||||
|
|
||||||
|
// database software
|
||||||
|
booleanProperty("software-pgsql").withDefault(true),
|
||||||
|
booleanProperty("software-mariadb").withDefault(true),
|
||||||
|
|
||||||
|
// PHP
|
||||||
|
enumerationProperty("php-default").valuesFromProperties("software-php-").withDefault("8.2"),
|
||||||
|
booleanProperty("software-php-5.6").withDefault(false),
|
||||||
|
booleanProperty("software-php-7.0").withDefault(false),
|
||||||
|
booleanProperty("software-php-7.1").withDefault(false),
|
||||||
|
booleanProperty("software-php-7.2").withDefault(false),
|
||||||
|
booleanProperty("software-php-7.3").withDefault(false),
|
||||||
|
booleanProperty("software-php-7.4").withDefault(true),
|
||||||
|
booleanProperty("software-php-8.0").withDefault(false),
|
||||||
|
booleanProperty("software-php-8.1").withDefault(false),
|
||||||
|
booleanProperty("software-php-8.2").withDefault(true),
|
||||||
|
|
||||||
|
// other software
|
||||||
|
booleanProperty("software-postfix-tls-1.0").withDefault(false),
|
||||||
|
booleanProperty("software-dovecot-tls-1.0").withDefault(false),
|
||||||
|
booleanProperty("software-clamav").withDefault(true),
|
||||||
|
booleanProperty("software-collabora").withDefault(false),
|
||||||
|
booleanProperty("software-libreoffice").withDefault(false),
|
||||||
|
booleanProperty("software-imagemagick-ghostscript").withDefault(false)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Pattern identifierPattern(final HsHostingAsset assetEntity) {
|
||||||
|
return Pattern.compile("^vm[0-9][0-9][0-9][0-9]$");
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,50 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAsset;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetRealEntity;
|
||||||
|
|
||||||
|
import jakarta.persistence.EntityManager;
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.MANAGED_WEBSPACE;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.UNIX_USER;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.IntegerProperty.integerProperty;
|
||||||
|
|
||||||
|
class HsManagedWebspaceHostingAssetValidator extends HostingAssetEntityValidator {
|
||||||
|
public HsManagedWebspaceHostingAssetValidator() {
|
||||||
|
super(
|
||||||
|
MANAGED_WEBSPACE,
|
||||||
|
AlarmContact.isOptional(),
|
||||||
|
integerProperty("groupid").readOnly()
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Pattern identifierPattern(final HsHostingAsset assetEntity) {
|
||||||
|
final var prefixPattern =
|
||||||
|
!assetEntity.isLoaded()
|
||||||
|
? assetEntity.getRelatedProject().getDebitor().getDefaultPrefix()
|
||||||
|
: "[a-z][a-z0-9][a-z0-9]";
|
||||||
|
return Pattern.compile("^" + prefixPattern + "[0-9][0-9]$");
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void postPersist(final EntityManager em, final HsHostingAsset webspaceAsset) {
|
||||||
|
if (!webspaceAsset.isLoaded()) {
|
||||||
|
final var unixUserAsset = HsHostingAssetRealEntity.builder()
|
||||||
|
.type(UNIX_USER)
|
||||||
|
.parentAsset(em.find(HsHostingAssetRealEntity.class, webspaceAsset.getUuid()))
|
||||||
|
.identifier(webspaceAsset.getIdentifier())
|
||||||
|
.caption(webspaceAsset.getIdentifier() + " webspace user")
|
||||||
|
.build();
|
||||||
|
webspaceAsset.getSubHostingAssets().add(unixUserAsset);
|
||||||
|
new HostingAssetEntitySaveProcessor(em, unixUserAsset)
|
||||||
|
.preprocessEntity()
|
||||||
|
.validateEntity()
|
||||||
|
.prepareForSave()
|
||||||
|
.save()
|
||||||
|
.validateContext();
|
||||||
|
webspaceAsset.getConfig().put("groupid", unixUserAsset.getConfig().get("userid"));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,27 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAsset;
|
||||||
|
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.MARIADB_DATABASE;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.StringProperty.stringProperty;
|
||||||
|
|
||||||
|
class HsMariaDbDatabaseHostingAssetValidator extends HostingAssetEntityValidator {
|
||||||
|
|
||||||
|
final static String HEAD_REGEXP = "^MAD\\|";
|
||||||
|
|
||||||
|
public HsMariaDbDatabaseHostingAssetValidator() {
|
||||||
|
super(
|
||||||
|
MARIADB_DATABASE,
|
||||||
|
AlarmContact.isOptional(),
|
||||||
|
|
||||||
|
stringProperty("encoding").matchesRegEx("[a-z0-9_]+").maxLength(24).provided("latin1", "utf8").withDefault("utf8"));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Pattern identifierPattern(final HsHostingAsset assetEntity) {
|
||||||
|
final var webspaceIdentifier = assetEntity.getParentAsset().getParentAsset().getIdentifier();
|
||||||
|
return Pattern.compile(HEAD_REGEXP+webspaceIdentifier+"$|"+HEAD_REGEXP+webspaceIdentifier+"_[a-zA-Z0-9_]+$");
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,37 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAsset;
|
||||||
|
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
import static java.util.Optional.ofNullable;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.MARIADB_INSTANCE;
|
||||||
|
|
||||||
|
class HsMariaDbInstanceHostingAssetValidator extends HostingAssetEntityValidator {
|
||||||
|
|
||||||
|
final static String DEFAULT_INSTANCE_IDENTIFIER_SUFFIX = "|MariaDB.default"; // TODO.spec: specify instance naming
|
||||||
|
|
||||||
|
public HsMariaDbInstanceHostingAssetValidator() {
|
||||||
|
super(
|
||||||
|
MARIADB_INSTANCE,
|
||||||
|
AlarmContact.isOptional(),
|
||||||
|
NO_EXTRA_PROPERTIES); // TODO.spec: specify instance properties, e.g. installed extensions
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Pattern identifierPattern(final HsHostingAsset assetEntity) {
|
||||||
|
return Pattern.compile(
|
||||||
|
"^" + Pattern.quote(assetEntity.getParentAsset().getIdentifier()
|
||||||
|
+ DEFAULT_INSTANCE_IDENTIFIER_SUFFIX)
|
||||||
|
+ "$");
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void preprocessEntity(final HsHostingAsset entity) {
|
||||||
|
super.preprocessEntity(entity);
|
||||||
|
if (entity.getIdentifier() == null) {
|
||||||
|
ofNullable(entity.getParentAsset()).ifPresent(pa -> entity.setIdentifier(
|
||||||
|
pa.getIdentifier() + DEFAULT_INSTANCE_IDENTIFIER_SUFFIX));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,35 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hash.HashGenerator;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAsset;
|
||||||
|
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.MARIADB_USER;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.PasswordProperty.passwordProperty;
|
||||||
|
|
||||||
|
class HsMariaDbUserHostingAssetValidator extends HostingAssetEntityValidator {
|
||||||
|
|
||||||
|
final static String HEAD_REGEXP = "^MAU\\|";
|
||||||
|
|
||||||
|
public HsMariaDbUserHostingAssetValidator() {
|
||||||
|
super(
|
||||||
|
MARIADB_USER,
|
||||||
|
AlarmContact.isOptional(),
|
||||||
|
|
||||||
|
// TODO.impl: we need to be able to suppress updating of fields etc., something like this:
|
||||||
|
// withFieldValidation(
|
||||||
|
// referenceProperty(alarmContact).isOptional(),
|
||||||
|
// referenceProperty(parentAsset).isWriteOnce(),
|
||||||
|
// referenceProperty(assignedToAsset).isWriteOnce(),
|
||||||
|
// );
|
||||||
|
|
||||||
|
passwordProperty("password").minLength(8).maxLength(40).hashedUsing(HashGenerator.Algorithm.MYSQL_NATIVE).writeOnly());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Pattern identifierPattern(final HsHostingAsset assetEntity) {
|
||||||
|
final var webspaceIdentifier = assetEntity.getParentAsset().getIdentifier();
|
||||||
|
return Pattern.compile(HEAD_REGEXP+webspaceIdentifier+"$|"+HEAD_REGEXP+webspaceIdentifier+"_[a-zA-Z0-9_]+$");
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,30 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAsset;
|
||||||
|
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.PGSQL_DATABASE;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.StringProperty.stringProperty;
|
||||||
|
|
||||||
|
class HsPostgreSqlDatabaseHostingAssetValidator extends HostingAssetEntityValidator {
|
||||||
|
|
||||||
|
final static String HEAD_REGEXP = "^PGD\\|";
|
||||||
|
|
||||||
|
public HsPostgreSqlDatabaseHostingAssetValidator() {
|
||||||
|
super(
|
||||||
|
PGSQL_DATABASE,
|
||||||
|
AlarmContact.isOptional(),
|
||||||
|
|
||||||
|
stringProperty("encoding").matchesRegEx("[A-Z0-9_]+").maxLength(24).provided("LATIN1", "UTF8").withDefault("UTF8")
|
||||||
|
|
||||||
|
// TODO.spec: PostgreSQL extensions in instance and here? also decide which. Free selection or booleans/checkboxes?
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Pattern identifierPattern(final HsHostingAsset assetEntity) {
|
||||||
|
final var webspaceIdentifier = assetEntity.getParentAsset().getParentAsset().getIdentifier();
|
||||||
|
return Pattern.compile(HEAD_REGEXP+webspaceIdentifier+"$|"+HEAD_REGEXP+webspaceIdentifier+"_[a-zA-Z0-9_]+$");
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,39 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAsset;
|
||||||
|
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
import static java.util.Optional.ofNullable;
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.PGSQL_INSTANCE;
|
||||||
|
|
||||||
|
class HsPostgreSqlDbInstanceHostingAssetValidator extends HostingAssetEntityValidator {
|
||||||
|
|
||||||
|
final static String DEFAULT_INSTANCE_IDENTIFIER_SUFFIX = "|PgSql.default"; // TODO.spec: specify instance naming
|
||||||
|
|
||||||
|
public HsPostgreSqlDbInstanceHostingAssetValidator() {
|
||||||
|
super(
|
||||||
|
PGSQL_INSTANCE,
|
||||||
|
AlarmContact.isOptional(),
|
||||||
|
|
||||||
|
// TODO.spec: PostgreSQL extensions in database and here? also decide which. Free selection or booleans/checkboxes?
|
||||||
|
NO_EXTRA_PROPERTIES); // TODO.spec: specify instance properties, e.g. installed extensions
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Pattern identifierPattern(final HsHostingAsset assetEntity) {
|
||||||
|
return Pattern.compile(
|
||||||
|
"^" + Pattern.quote(assetEntity.getParentAsset().getIdentifier()
|
||||||
|
+ DEFAULT_INSTANCE_IDENTIFIER_SUFFIX)
|
||||||
|
+ "$");
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void preprocessEntity(final HsHostingAsset entity) {
|
||||||
|
super.preprocessEntity(entity);
|
||||||
|
if (entity.getIdentifier() == null) {
|
||||||
|
ofNullable(entity.getParentAsset()).ifPresent(pa -> entity.setIdentifier(
|
||||||
|
pa.getIdentifier() + DEFAULT_INSTANCE_IDENTIFIER_SUFFIX));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,35 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hash.HashGenerator;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAsset;
|
||||||
|
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.PGSQL_USER;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.PasswordProperty.passwordProperty;
|
||||||
|
|
||||||
|
class HsPostgreSqlUserHostingAssetValidator extends HostingAssetEntityValidator {
|
||||||
|
|
||||||
|
final static String HEAD_REGEXP = "^PGU\\|";
|
||||||
|
|
||||||
|
public HsPostgreSqlUserHostingAssetValidator() {
|
||||||
|
super(
|
||||||
|
PGSQL_USER,
|
||||||
|
AlarmContact.isOptional(),
|
||||||
|
|
||||||
|
// TODO.impl: we need to be able to suppress updating of fields etc., something like this:
|
||||||
|
// withFieldValidation(
|
||||||
|
// referenceProperty(alarmContact).isOptional(),
|
||||||
|
// referenceProperty(parentAsset).isWriteOnce(),
|
||||||
|
// referenceProperty(assignedToAsset).isWriteOnce(),
|
||||||
|
// );
|
||||||
|
|
||||||
|
passwordProperty("password").minLength(8).maxLength(40).hashedUsing(HashGenerator.Algorithm.SCRAM_SHA256).writeOnly());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Pattern identifierPattern(final HsHostingAsset assetEntity) {
|
||||||
|
final var webspaceIdentifier = assetEntity.getParentAsset().getIdentifier();
|
||||||
|
return Pattern.compile(HEAD_REGEXP+webspaceIdentifier+"$|"+HEAD_REGEXP+webspaceIdentifier+"_[a-zA-Z0-9_]+$");
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,60 @@
|
|||||||
|
package net.hostsharing.hsadminng.hs.hosting.asset.validators;
|
||||||
|
|
||||||
|
import net.hostsharing.hsadminng.hash.HashGenerator;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAsset;
|
||||||
|
import net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType;
|
||||||
|
import net.hostsharing.hsadminng.hs.validation.PropertiesProvider;
|
||||||
|
|
||||||
|
import jakarta.persistence.EntityManager;
|
||||||
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.BooleanProperty.booleanProperty;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.IntegerProperty.integerProperty;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.PasswordProperty.passwordProperty;
|
||||||
|
import static net.hostsharing.hsadminng.hs.validation.StringProperty.stringProperty;
|
||||||
|
|
||||||
|
class HsUnixUserHostingAssetValidator extends HostingAssetEntityValidator {
|
||||||
|
|
||||||
|
private static final int DASH_LENGTH = "-".length();
|
||||||
|
|
||||||
|
HsUnixUserHostingAssetValidator() {
|
||||||
|
super(
|
||||||
|
HsHostingAssetType.UNIX_USER,
|
||||||
|
AlarmContact.isOptional(),
|
||||||
|
|
||||||
|
booleanProperty("locked").readOnly(),
|
||||||
|
integerProperty("userid").readOnly().initializedBy(HsUnixUserHostingAssetValidator::computeUserId),
|
||||||
|
|
||||||
|
integerProperty("SSD hard quota").unit("MB").maxFrom("SSD").withFactor(1024).optional(),
|
||||||
|
integerProperty("SSD soft quota").unit("MB").maxFrom("SSD hard quota").optional(),
|
||||||
|
integerProperty("HDD hard quota").unit("MB").maxFrom("HDD").withFactor(1024).optional(),
|
||||||
|
integerProperty("HDD soft quota").unit("MB").maxFrom("HDD hard quota").optional(),
|
||||||
|
stringProperty("shell")
|
||||||
|
// TODO.spec: do we want to change them all to /usr/bin/, also in import?
|
||||||
|
.provided("/bin/false", "/bin/bash", "/bin/csh", "/bin/dash", "/usr/bin/tcsh", "/usr/bin/zsh", "/usr/bin/passwd")
|
||||||
|
.withDefault("/bin/false"),
|
||||||
|
stringProperty("homedir").readOnly().renderedBy(HsUnixUserHostingAssetValidator::computeHomedir),
|
||||||
|
stringProperty("totpKey").matchesRegEx("^0x([0-9A-Fa-f]{2})+$").minLength(20).maxLength(256).undisclosed().writeOnly().optional(),
|
||||||
|
passwordProperty("password").minLength(8).maxLength(40).hashedUsing(HashGenerator.Algorithm.LINUX_SHA512).writeOnly());
|
||||||
|
// TODO.spec: public SSH keys? (only if hsadmin-ng is only accessible with 2FA)
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected Pattern identifierPattern(final HsHostingAsset assetEntity) {
|
||||||
|
final var webspaceIdentifier = assetEntity.getParentAsset().getIdentifier();
|
||||||
|
return Pattern.compile("^"+webspaceIdentifier+"$|^"+webspaceIdentifier+"-[a-z0-9\\._-]+$");
|
||||||
|
}
|
||||||
|
|
||||||
|
private static String computeHomedir(final EntityManager em, final PropertiesProvider propertiesProvider) {
|
||||||
|
final var entity = (HsHostingAsset) propertiesProvider;
|
||||||
|
final var webspaceName = entity.getParentAsset().getIdentifier();
|
||||||
|
return "/home/pacs/" + webspaceName
|
||||||
|
+ "/users/" + entity.getIdentifier().substring(webspaceName.length()+DASH_LENGTH);
|
||||||
|
}
|
||||||
|
|
||||||
|
private static Integer computeUserId(final EntityManager em, final PropertiesProvider propertiesProvider) {
|
||||||
|
final Object result = em.createNativeQuery("SELECT nextval('hs_hosting_asset_unixuser_system_id_seq')", Integer.class)
|
||||||
|
.getSingleResult();
|
||||||
|
return (Integer) result;
|
||||||
|
}
|
||||||
|
}
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user