From 66af0def5b49ca798f44c41913fe7634b59c324c Mon Sep 17 00:00:00 2001 From: Michael Hoennig Date: Mon, 25 Mar 2024 09:13:37 +0100 Subject: [PATCH] minor fixes --- .../hsadminng/test/dom/TestDomainEntity.java | 4 +-- .../db/changelog/133-test-domain-rbac.sql | 35 ++++++++++++++++--- .../223-hs-office-relation-rbac-generated.sql | 8 ++--- ...3-hs-office-sepamandate-rbac-generated.sql | 2 +- .../TestCustomerControllerAcceptanceTest.java | 2 +- 5 files changed, 39 insertions(+), 12 deletions(-) diff --git a/src/main/java/net/hostsharing/hsadminng/test/dom/TestDomainEntity.java b/src/main/java/net/hostsharing/hsadminng/test/dom/TestDomainEntity.java index 7db03c7e..70626f89 100644 --- a/src/main/java/net/hostsharing/hsadminng/test/dom/TestDomainEntity.java +++ b/src/main/java/net/hostsharing/hsadminng/test/dom/TestDomainEntity.java @@ -14,7 +14,7 @@ import java.io.IOException; import java.util.UUID; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn; -import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NULLABLE; +import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.directlyFetchedByDependsOnColumn; @@ -51,7 +51,7 @@ public class TestDomainEntity implements HasUuid { .importEntityAlias("package", TestPackageEntity.class, dependsOnColumn("packageUuid"), directlyFetchedByDependsOnColumn(), - NULLABLE) + NOT_NULL) .toRole("package", ADMIN).grantPermission(INSERT) .createRole(OWNER, (with) -> { diff --git a/src/main/resources/db/changelog/133-test-domain-rbac.sql b/src/main/resources/db/changelog/133-test-domain-rbac.sql index 3b41dcbf..e87adb9c 100644 --- a/src/main/resources/db/changelog/133-test-domain-rbac.sql +++ b/src/main/resources/db/changelog/133-test-domain-rbac.sql @@ -36,6 +36,8 @@ begin call enterTriggerForObjectUuid(NEW.uuid); SELECT * FROM test_package WHERE uuid = NEW.packageUuid INTO newPackage; + assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s', NEW.packageUuid); + perform createRoleWithGrants( testDomainOwner(NEW), @@ -87,12 +89,37 @@ create or replace procedure updateRbacRulesForTestDomain( NEW test_domain ) language plpgsql as $$ -begin - if NEW.packageUuid is distinct from OLD.packageUuid then - delete from rbacgrants g where g.grantedbytriggerof = OLD.uuid; - call buildRbacSystemForTestDomain(NEW); +declare + oldPackage test_package; + newPackage test_package; + +begin + call enterTriggerForObjectUuid(NEW.uuid); + + SELECT * FROM test_package WHERE uuid = OLD.packageUuid INTO oldPackage; + assert oldPackage.uuid is not null, format('oldPackage must not be null for OLD.packageUuid = %s', OLD.packageUuid); + + SELECT * FROM test_package WHERE uuid = NEW.packageUuid INTO newPackage; + assert newPackage.uuid is not null, format('newPackage must not be null for NEW.packageUuid = %s', NEW.packageUuid); + + + if NEW.packageUuid <> OLD.packageUuid then + + call revokePermissionFromRole(getPermissionId(OLD.uuid, 'INSERT'), testPackageAdmin(oldPackage)); + + call revokeRoleFromRole(testDomainOwner(OLD), testPackageAdmin(oldPackage)); + call grantRoleToRole(testDomainOwner(NEW), testPackageAdmin(newPackage)); + + call revokeRoleFromRole(testPackageTenant(oldPackage), testDomainOwner(OLD)); + call grantRoleToRole(testPackageTenant(newPackage), testDomainOwner(NEW)); + + call revokeRoleFromRole(testPackageTenant(oldPackage), testDomainAdmin(OLD)); + call grantRoleToRole(testPackageTenant(newPackage), testDomainAdmin(NEW)); + end if; + + call leaveTriggerForObjectUuid(NEW.uuid); end; $$; /* diff --git a/src/main/resources/db/changelog/223-hs-office-relation-rbac-generated.sql b/src/main/resources/db/changelog/223-hs-office-relation-rbac-generated.sql index 0b918ccc..1b72bc0a 100644 --- a/src/main/resources/db/changelog/223-hs-office-relation-rbac-generated.sql +++ b/src/main/resources/db/changelog/223-hs-office-relation-rbac-generated.sql @@ -54,8 +54,8 @@ begin hsOfficeRelationAdmin(NEW), permissions => array['UPDATE'], incomingSuperRoles => array[ - hsOfficeRelationOwner(NEW), - hsOfficePersonAdmin(newAnchorPerson)] + hsOfficePersonAdmin(newAnchorPerson), + hsOfficeRelationOwner(NEW)] ); perform createRoleWithGrants( @@ -74,8 +74,8 @@ begin hsOfficePersonAdmin(newHolderPerson)], outgoingSubRoles => array[ hsOfficePersonReferrer(newAnchorPerson), - hsOfficePersonReferrer(newHolderPerson), - hsOfficeContactReferrer(newContact)] + hsOfficeContactReferrer(newContact), + hsOfficePersonReferrer(newHolderPerson)] ); call leaveTriggerForObjectUuid(NEW.uuid); diff --git a/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac-generated.sql b/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac-generated.sql index b1a3fbd0..5edf9454 100644 --- a/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac-generated.sql +++ b/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac-generated.sql @@ -65,8 +65,8 @@ begin hsOfficeSepaMandateReferrer(NEW), permissions => array['SELECT'], incomingSuperRoles => array[ - hsOfficeBankAccountAdmin(newBankAccount), hsOfficeRelationAgent(newDebitorRel), + hsOfficeBankAccountAdmin(newBankAccount), hsOfficeSepaMandateAgent(NEW)], outgoingSubRoles => array[hsOfficeRelationTenant(newDebitorRel)] ); diff --git a/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerControllerAcceptanceTest.java index 942351c0..e9e1d47c 100644 --- a/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerControllerAcceptanceTest.java +++ b/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerControllerAcceptanceTest.java @@ -204,7 +204,7 @@ class TestCustomerControllerAcceptanceTest { .statusCode(403) .contentType(ContentType.JSON) .statusCode(403) - .body("message", containsString("insert into test_customer not allowed for current subjects {customer-admin@yyy.example.com}")); + .body("message", containsString("ERROR: [403] insert into test_customer not allowed for current subjects {customer-admin@yyy.example.com}")); // @formatter:on // finally, the new customer was not created