From 66af0def5b49ca798f44c41913fe7634b59c324c Mon Sep 17 00:00:00 2001
From: Michael Hoennig <michael@hoennig.de>
Date: Mon, 25 Mar 2024 09:13:37 +0100
Subject: [PATCH] minor fixes

---
 .../hsadminng/test/dom/TestDomainEntity.java  |  4 +--
 .../db/changelog/133-test-domain-rbac.sql     | 35 ++++++++++++++++---
 .../223-hs-office-relation-rbac-generated.sql |  8 ++---
 ...3-hs-office-sepamandate-rbac-generated.sql |  2 +-
 .../TestCustomerControllerAcceptanceTest.java |  2 +-
 5 files changed, 39 insertions(+), 12 deletions(-)

diff --git a/src/main/java/net/hostsharing/hsadminng/test/dom/TestDomainEntity.java b/src/main/java/net/hostsharing/hsadminng/test/dom/TestDomainEntity.java
index 7db03c7e..70626f89 100644
--- a/src/main/java/net/hostsharing/hsadminng/test/dom/TestDomainEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/test/dom/TestDomainEntity.java
@@ -14,7 +14,7 @@ import java.io.IOException;
 import java.util.UUID;
 
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
-import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn;
@@ -51,7 +51,7 @@ public class TestDomainEntity implements HasUuid {
                 .importEntityAlias("package", TestPackageEntity.class,
                         dependsOnColumn("packageUuid"),
                         directlyFetchedByDependsOnColumn(),
-                        NULLABLE)
+                        NOT_NULL)
                 .toRole("package", ADMIN).grantPermission(INSERT)
 
                 .createRole(OWNER, (with) -> {
diff --git a/src/main/resources/db/changelog/133-test-domain-rbac.sql b/src/main/resources/db/changelog/133-test-domain-rbac.sql
index 3b41dcbf..e87adb9c 100644
--- a/src/main/resources/db/changelog/133-test-domain-rbac.sql
+++ b/src/main/resources/db/changelog/133-test-domain-rbac.sql
@@ -36,6 +36,8 @@ begin
     call enterTriggerForObjectUuid(NEW.uuid);
 
     SELECT * FROM test_package WHERE uuid = NEW.packageUuid    INTO newPackage;
+    assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s', NEW.packageUuid);
+
 
     perform createRoleWithGrants(
         testDomainOwner(NEW),
@@ -87,12 +89,37 @@ create or replace procedure updateRbacRulesForTestDomain(
     NEW test_domain
 )
     language plpgsql as $$
-begin
 
-    if NEW.packageUuid is distinct from OLD.packageUuid then
-        delete from rbacgrants g where g.grantedbytriggerof = OLD.uuid;
-        call buildRbacSystemForTestDomain(NEW);
+declare
+    oldPackage test_package;
+    newPackage test_package;
+
+begin
+    call enterTriggerForObjectUuid(NEW.uuid);
+
+    SELECT * FROM test_package WHERE uuid = OLD.packageUuid    INTO oldPackage;
+    assert oldPackage.uuid is not null, format('oldPackage must not be null for OLD.packageUuid = %s', OLD.packageUuid);
+
+    SELECT * FROM test_package WHERE uuid = NEW.packageUuid    INTO newPackage;
+    assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s', NEW.packageUuid);
+
+
+    if NEW.packageUuid <> OLD.packageUuid then
+
+        call revokePermissionFromRole(getPermissionId(OLD.uuid, 'INSERT'), testPackageAdmin(oldPackage));
+
+        call revokeRoleFromRole(testDomainOwner(OLD), testPackageAdmin(oldPackage));
+        call grantRoleToRole(testDomainOwner(NEW), testPackageAdmin(newPackage));
+
+        call revokeRoleFromRole(testPackageTenant(oldPackage), testDomainOwner(OLD));
+        call grantRoleToRole(testPackageTenant(newPackage), testDomainOwner(NEW));
+
+        call revokeRoleFromRole(testPackageTenant(oldPackage), testDomainAdmin(OLD));
+        call grantRoleToRole(testPackageTenant(newPackage), testDomainAdmin(NEW));
+
     end if;
+
+    call leaveTriggerForObjectUuid(NEW.uuid);
 end; $$;
 
 /*
diff --git a/src/main/resources/db/changelog/223-hs-office-relation-rbac-generated.sql b/src/main/resources/db/changelog/223-hs-office-relation-rbac-generated.sql
index 0b918ccc..1b72bc0a 100644
--- a/src/main/resources/db/changelog/223-hs-office-relation-rbac-generated.sql
+++ b/src/main/resources/db/changelog/223-hs-office-relation-rbac-generated.sql
@@ -54,8 +54,8 @@ begin
         hsOfficeRelationAdmin(NEW),
             permissions => array['UPDATE'],
             incomingSuperRoles => array[
-            	hsOfficeRelationOwner(NEW),
-            	hsOfficePersonAdmin(newAnchorPerson)]
+            	hsOfficePersonAdmin(newAnchorPerson),
+            	hsOfficeRelationOwner(NEW)]
     );
 
     perform createRoleWithGrants(
@@ -74,8 +74,8 @@ begin
             	hsOfficePersonAdmin(newHolderPerson)],
             outgoingSubRoles => array[
             	hsOfficePersonReferrer(newAnchorPerson),
-            	hsOfficePersonReferrer(newHolderPerson),
-            	hsOfficeContactReferrer(newContact)]
+            	hsOfficeContactReferrer(newContact),
+            	hsOfficePersonReferrer(newHolderPerson)]
     );
 
     call leaveTriggerForObjectUuid(NEW.uuid);
diff --git a/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac-generated.sql b/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac-generated.sql
index b1a3fbd0..5edf9454 100644
--- a/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac-generated.sql
+++ b/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac-generated.sql
@@ -65,8 +65,8 @@ begin
         hsOfficeSepaMandateReferrer(NEW),
             permissions => array['SELECT'],
             incomingSuperRoles => array[
-            	hsOfficeBankAccountAdmin(newBankAccount),
             	hsOfficeRelationAgent(newDebitorRel),
+            	hsOfficeBankAccountAdmin(newBankAccount),
             	hsOfficeSepaMandateAgent(NEW)],
             outgoingSubRoles => array[hsOfficeRelationTenant(newDebitorRel)]
     );
diff --git a/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerControllerAcceptanceTest.java
index 942351c0..e9e1d47c 100644
--- a/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerControllerAcceptanceTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerControllerAcceptanceTest.java
@@ -204,7 +204,7 @@ class TestCustomerControllerAcceptanceTest {
                     .statusCode(403)
                     .contentType(ContentType.JSON)
                     .statusCode(403)
-                    .body("message", containsString("insert into test_customer not allowed for current subjects {customer-admin@yyy.example.com}"));
+                    .body("message", containsString("ERROR: [403] insert into test_customer not allowed for current subjects {customer-admin@yyy.example.com}"));
                 // @formatter:on
 
             // finally, the new customer was not created