use xxx, yyy and zzz as the test customer prefixes; this makes the tests easier to read
This commit is contained in:
parent
258f8b1f66
commit
6b4c9f6c51
@ -10,7 +10,6 @@ import org.springframework.transaction.annotation.Transactional;
|
|||||||
import org.springframework.web.bind.annotation.*;
|
import org.springframework.web.bind.annotation.*;
|
||||||
import org.springframework.web.servlet.mvc.method.annotation.MvcUriComponentsBuilder;
|
import org.springframework.web.servlet.mvc.method.annotation.MvcUriComponentsBuilder;
|
||||||
|
|
||||||
import javax.persistence.EntityManager;
|
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.UUID;
|
import java.util.UUID;
|
||||||
|
|
||||||
|
@ -15,48 +15,51 @@ begin
|
|||||||
return 10000 + customerCount;
|
return 10000 + customerCount;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates test data for the customer main table.
|
Creates a single customer test record with dist.
|
||||||
*/
|
*/
|
||||||
create or replace procedure createCustomerTestData(
|
create or replace procedure createCustomerTestData(
|
||||||
startCount integer, -- count of auto generated rows before the run
|
custReference integer,
|
||||||
endCount integer, -- count of auto generated rows after the run
|
custPrefix varchar
|
||||||
doCommitAfterEach boolean -- only for mass data creation outside of Liquibase
|
|
||||||
)
|
)
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
currentTask varchar;
|
currentTask varchar;
|
||||||
custReference integer;
|
|
||||||
custRowId uuid;
|
custRowId uuid;
|
||||||
custPrefix varchar;
|
|
||||||
custAdminName varchar;
|
custAdminName varchar;
|
||||||
|
begin
|
||||||
|
currentTask = 'creating RBAC test customer #' || custReference || '/' || custPrefix;
|
||||||
|
set local hsadminng.currentUser to 'mike@hostsharing.net';
|
||||||
|
set local hsadminng.assumedRoles to 'global#hostsharing.admin';
|
||||||
|
execute format('set local hsadminng.currentTask to %L', currentTask);
|
||||||
|
|
||||||
|
custRowId = uuid_generate_v4();
|
||||||
|
custAdminName = 'customer-admin@' || custPrefix || '.example.com';
|
||||||
|
|
||||||
|
raise notice 'creating customer %:%', custReference, custPrefix;
|
||||||
|
insert
|
||||||
|
into customer (reference, prefix, adminUserName)
|
||||||
|
values (custReference, custPrefix, custAdminName);
|
||||||
|
end; $$;
|
||||||
|
--//
|
||||||
|
|
||||||
|
/*
|
||||||
|
Creates a range of test customers for mass data generation.
|
||||||
|
*/
|
||||||
|
create or replace procedure createCustomerTestData(
|
||||||
|
startCount integer, -- count of auto generated rows before the run
|
||||||
|
endCount integer -- count of auto generated rows after the run
|
||||||
|
)
|
||||||
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
set hsadminng.currentUser to '';
|
set hsadminng.currentUser to '';
|
||||||
|
|
||||||
for t in startCount..endCount
|
for t in startCount..endCount
|
||||||
loop
|
loop
|
||||||
currentTask = 'creating RBAC test customer #' || t;
|
call createCustomerTestData(testCustomerReference(t), intToVarChar(t, 3));
|
||||||
set local hsadminng.currentUser to 'mike@hostsharing.net';
|
commit;
|
||||||
set local hsadminng.assumedRoles to 'global#hostsharing.admin';
|
|
||||||
execute format('set local hsadminng.currentTask to %L', currentTask);
|
|
||||||
|
|
||||||
-- When a new customer is created,
|
|
||||||
custReference = testCustomerReference(t);
|
|
||||||
custRowId = uuid_generate_v4();
|
|
||||||
custPrefix = intToVarChar(t, 3);
|
|
||||||
custAdminName = 'admin@' || custPrefix || '.example.com';
|
|
||||||
|
|
||||||
raise notice 'creating customer %:%', custReference, custPrefix;
|
|
||||||
insert
|
|
||||||
into customer (reference, prefix, adminUserName)
|
|
||||||
values (custReference, custPrefix, custAdminName);
|
|
||||||
|
|
||||||
if doCommitAfterEach then
|
|
||||||
commit;
|
|
||||||
end if;
|
|
||||||
|
|
||||||
end loop;
|
end loop;
|
||||||
|
|
||||||
end; $$;
|
end; $$;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
@ -67,7 +70,9 @@ end; $$;
|
|||||||
|
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
begin
|
begin
|
||||||
call createCustomerTestData(0, 2, false);
|
call createCustomerTestData(99901, 'xxx');
|
||||||
|
call createCustomerTestData(99902, 'yyy');
|
||||||
|
call createCustomerTestData(99903, 'zzz');
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
--//
|
--//
|
||||||
|
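Review bot: The single-record `createCustomerTestData(custReference, custPrefix)` switches the transaction to a hard-coded global administrator (`set local hsadminng.currentUser to 'mike@hostsharing.net'` / `set local hsadminng.assumedRoles to 'global#hostsharing.admin'`) and returns without restoring anything, so every statement that follows in the same transaction keeps running as global admin — the Liquibase `do` block at the end of the section calls it three times inside one transaction. If the elevated identity is only meant to cover the insert, end the procedure with `set local hsadminng.assumedRoles to '';` plus the matching reset of currentUser (the unixuser generator already uses the empty-string form), or document that callers must commit or roll back before relying on a narrower identity; the mass overload is unaffected because it commits after each call. Also `custRowId = uuid_generate_v4();` is assigned and never read — the insert into `customer (reference, prefix, adminUserName)` does not use it — so the declaration and assignment can be dropped. Finally, both procedures share the name createCustomerTestData and differ only in the type of the second argument, so a call with an unknown-typed literal depends on PostgreSQL overload resolution; a distinct name for the range variant would be less fragile.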
@ -4,12 +4,9 @@
|
|||||||
--changeset hs-package-TEST-DATA-GENERATOR:1 endDelimiter:--//
|
--changeset hs-package-TEST-DATA-GENERATOR:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
/*
|
/*
|
||||||
Creates test data for the package main table.
|
Creates the given number of test packages for the given customer.
|
||||||
*/
|
*/
|
||||||
create or replace procedure createPackageTestData(
|
create or replace procedure createPackageTestData(customerPrefix varchar, pacCount int)
|
||||||
minCustomerReference integer, -- skip customers with reference below this
|
|
||||||
doCommitAfterEach boolean -- only for mass data creation outside of Liquibase
|
|
||||||
)
|
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
cust customer;
|
cust customer;
|
||||||
@ -18,43 +15,53 @@ declare
|
|||||||
pacName varchar;
|
pacName varchar;
|
||||||
currentTask varchar;
|
currentTask varchar;
|
||||||
pac package;
|
pac package;
|
||||||
|
begin
|
||||||
|
select * from customer where customer.prefix = customerPrefix into cust;
|
||||||
|
|
||||||
|
for t in 0..(pacCount-1)
|
||||||
|
loop
|
||||||
|
pacName = cust.prefix || to_char(t, 'fm00');
|
||||||
|
currentTask = 'creating RBAC test package #' || pacName || ' for customer ' || cust.prefix || ' #' ||
|
||||||
|
cust.uuid;
|
||||||
|
|
||||||
|
custAdminUser = 'customer-admin@' || cust.prefix || '.example.com';
|
||||||
|
custAdminRole = 'customer#' || cust.prefix || '.admin';
|
||||||
|
execute format('set local hsadminng.currentUser to %L', custAdminUser);
|
||||||
|
execute format('set local hsadminng.assumedRoles to %L', custAdminRole);
|
||||||
|
execute format('set local hsadminng.currentTask to %L', currentTask);
|
||||||
|
raise notice 'task: % by % as %', currentTask, custAdminUser, custAdminRole;
|
||||||
|
|
||||||
|
insert
|
||||||
|
into package (customerUuid, name, description)
|
||||||
|
values (cust.uuid, pacName, 'Here can add your own description of package ' || pacName || '.')
|
||||||
|
returning * into pac;
|
||||||
|
|
||||||
|
call grantRoleToUser(
|
||||||
|
getRoleId(customerAdmin(cust), 'fail'),
|
||||||
|
findRoleId(packageAdmin(pac)),
|
||||||
|
createRbacUser('pac-admin-' || pacName || '@' || cust.prefix || '.example.com'),
|
||||||
|
true);
|
||||||
|
|
||||||
|
end loop;
|
||||||
|
end; $$;
|
||||||
|
|
||||||
|
/*
|
||||||
|
Creates a range of test packages for mass data generation.
|
||||||
|
*/
|
||||||
|
create or replace procedure createPackageTestData()
|
||||||
|
language plpgsql as $$
|
||||||
|
declare
|
||||||
|
cust customer;
|
||||||
begin
|
begin
|
||||||
set hsadminng.currentUser to '';
|
set hsadminng.currentUser to '';
|
||||||
|
|
||||||
for cust in (select * from customer)
|
for cust in (select * from customer)
|
||||||
loop
|
loop
|
||||||
continue when cust.reference < minCustomerReference;
|
continue when cust.reference >= 90000; -- reserved for functional testing
|
||||||
|
call createPackageTestData(cust.prefix, 3);
|
||||||
for t in 0..2
|
|
||||||
loop
|
|
||||||
pacName = cust.prefix || to_char(t, 'fm00');
|
|
||||||
currentTask = 'creating RBAC test package #' || pacName || ' for customer ' || cust.prefix || ' #' ||
|
|
||||||
cust.uuid;
|
|
||||||
|
|
||||||
custAdminUser = 'admin@' || cust.prefix || '.example.com';
|
|
||||||
custAdminRole = 'customer#' || cust.prefix || '.admin';
|
|
||||||
execute format('set local hsadminng.currentUser to %L', custAdminUser);
|
|
||||||
execute format('set local hsadminng.assumedRoles to %L', custAdminRole);
|
|
||||||
execute format('set local hsadminng.currentTask to %L', currentTask);
|
|
||||||
raise notice 'task: % by % as %', currentTask, custAdminUser, custAdminRole;
|
|
||||||
|
|
||||||
insert
|
|
||||||
into package (customerUuid, name, description)
|
|
||||||
values (cust.uuid, pacName, 'Here can add your own description of package ' || pacName || '.')
|
|
||||||
returning * into pac;
|
|
||||||
|
|
||||||
call grantRoleToUser(
|
|
||||||
getRoleId(customerAdmin(cust), 'fail'),
|
|
||||||
findRoleId(packageAdmin(pac)),
|
|
||||||
createRbacUser(pacName || '@' || cust.prefix || '.example.com'),
|
|
||||||
true);
|
|
||||||
|
|
||||||
end loop;
|
|
||||||
end loop;
|
end loop;
|
||||||
|
|
||||||
if doCommitAfterEach then
|
commit;
|
||||||
commit;
|
|
||||||
end if;
|
|
||||||
end ;
|
end ;
|
||||||
$$;
|
$$;
|
||||||
--//
|
--//
|
||||||
@ -66,7 +73,9 @@ $$;
|
|||||||
|
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
begin
|
begin
|
||||||
call createPackageTestData(0, false);
|
call createPackageTestData('xxx', 3);
|
||||||
|
call createPackageTestData('yyy', 3);
|
||||||
|
call createPackageTestData('zzz', 3);
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
--//
|
--//
|
||||||
|
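Review bot: `select * from customer where customer.prefix = customerPrefix into cust;` in the new single-customer `createPackageTestData(customerPrefix, pacCount)` never checks that a row was found; for a prefix that does not exist `cust` is a null record, so `pacName`, `custAdminUser` and `custAdminRole` all become NULL, the `set local` identity statements and the insert run with those NULL values, and the failure surfaces (if at all) far from its cause. Use `select * from customer where customer.prefix = customerPrefix into strict cust;` so PL/pgSQL raises NO_DATA_FOUND at the lookup, and TOO_MANY_ROWS should the prefix ever stop being unique. Worth a comment on the `execute format('set local hsadminng.currentUser to %L', custAdminUser)` line too: the package rows and the `grantRoleToUser(...)` call are deliberately executed as the customer admin rather than the global admin, so this procedure doubles as a check that `customer#<prefix>.admin` really may create packages — that intent is not obvious from the code.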
@ -4,13 +4,42 @@
|
|||||||
--changeset hs-unixuser-TEST-DATA-GENERATOR:1 endDelimiter:--//
|
--changeset hs-unixuser-TEST-DATA-GENERATOR:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
/*
|
/*
|
||||||
Creates test data for the package main table.
|
Creates the given count of test unix users for a single package.
|
||||||
*/
|
*/
|
||||||
create or replace procedure createUnixUserTestData(
|
create or replace procedure createUnixUserTestData( packageName varchar, unixUserCount int )
|
||||||
minCustomerReference integer, -- skip customers with reference below this
|
language plpgsql as $$
|
||||||
unixUserPerPackage integer, -- create this many unix users for each package
|
declare
|
||||||
doCommitAfterEach boolean -- only for mass data creation outside of Liquibase
|
pac record;
|
||||||
)
|
pacAdmin varchar;
|
||||||
|
currentTask varchar;
|
||||||
|
begin
|
||||||
|
set hsadminng.currentUser to '';
|
||||||
|
|
||||||
|
select p.uuid, p.name, c.prefix as custPrefix
|
||||||
|
from package p
|
||||||
|
join customer c on p.customeruuid = c.uuid
|
||||||
|
where p.name = packageName
|
||||||
|
into pac;
|
||||||
|
|
||||||
|
for t in 0..(unixUserCount-1)
|
||||||
|
loop
|
||||||
|
currentTask = 'creating RBAC test unixuser #' || t || ' for package ' || pac.name || ' #' || pac.uuid;
|
||||||
|
raise notice 'task: %', currentTask;
|
||||||
|
pacAdmin = 'pac-admin-' || pac.name || '@' || pac.custPrefix || '.example.com';
|
||||||
|
execute format('set local hsadminng.currentTask to %L', currentTask);
|
||||||
|
execute format('set local hsadminng.currentUser to %L', pacAdmin);
|
||||||
|
set local hsadminng.assumedRoles = '';
|
||||||
|
|
||||||
|
insert
|
||||||
|
into unixuser (name, packageUuid)
|
||||||
|
values (pac.name || '-' || intToVarChar(t, 4), pac.uuid);
|
||||||
|
end loop;
|
||||||
|
end; $$;
|
||||||
|
|
||||||
|
/*
|
||||||
|
Creates a range of unix users for mass data generation.
|
||||||
|
*/
|
||||||
|
create or replace procedure createUnixUserTestData( unixUserPerPackage integer )
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
pac record;
|
pac record;
|
||||||
@ -23,30 +52,13 @@ begin
|
|||||||
(select p.uuid, p.name
|
(select p.uuid, p.name
|
||||||
from package p
|
from package p
|
||||||
join customer c on p.customeruuid = c.uuid
|
join customer c on p.customeruuid = c.uuid
|
||||||
where c.reference >= minCustomerReference)
|
where c.reference < 90000) -- reserved for functional testing
|
||||||
loop
|
loop
|
||||||
|
call createUnixUserTestData(pac.name, 2);
|
||||||
for t in 0..(unixUserPerPackage-1)
|
commit;
|
||||||
loop
|
|
||||||
currentTask = 'creating RBAC test unixuser #' || t || ' for package ' || pac.name || ' #' || pac.uuid;
|
|
||||||
raise notice 'task: %', currentTask;
|
|
||||||
pacAdmin = 'admin@' || pac.name || '.example.com';
|
|
||||||
execute format('set local hsadminng.currentTask to %L', currentTask);
|
|
||||||
execute format('set local hsadminng.currentUser to %L', pacAdmin);
|
|
||||||
set local hsadminng.assumedRoles = '';
|
|
||||||
|
|
||||||
insert
|
|
||||||
into unixuser (name, packageUuid)
|
|
||||||
values (pac.name || '-' || intToVarChar(t, 4), pac.uuid);
|
|
||||||
|
|
||||||
if doCommitAfterEach then
|
|
||||||
commit;
|
|
||||||
end if;
|
|
||||||
end loop;
|
|
||||||
end loop;
|
end loop;
|
||||||
|
|
||||||
end;
|
end; $$;
|
||||||
$$;
|
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
@ -56,7 +68,17 @@ $$;
|
|||||||
|
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
begin
|
begin
|
||||||
call createUnixUserTestData(0, 2, false);
|
call createUnixUserTestData('xxx00', 2);
|
||||||
|
call createUnixUserTestData('xxx01', 2);
|
||||||
|
call createUnixUserTestData('xxx02', 2);
|
||||||
|
|
||||||
|
call createUnixUserTestData('yyy00', 2);
|
||||||
|
call createUnixUserTestData('yyy01', 2);
|
||||||
|
call createUnixUserTestData('yyy02', 2);
|
||||||
|
|
||||||
|
call createUnixUserTestData('zzz00', 2);
|
||||||
|
call createUnixUserTestData('zzz01', 2);
|
||||||
|
call createUnixUserTestData('zzz02', 2);
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
--//
|
--//
|
||||||
|
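Review bot: The package lookup `select p.uuid, p.name, c.prefix as custPrefix ... where p.name = packageName into pac;` silently yields a null record when nothing matches and silently takes the first row when more than one does — nothing in this file states that package names are unique across customers — and a NULL `pac.name` then flows into `pacAdmin` and into `execute format('set local hsadminng.currentUser to %L', pacAdmin)`. Add `strict` (`... where p.name = packageName into strict pac;`) so both cases raise at the lookup instead of producing half-initialised unix users. Separately, `set hsadminng.currentUser to '';` at the top of the procedure is a session-level SET, unlike the `set local` statements inside the loop, so the cleared user outlives the transaction and affects whatever the caller runs next in that session; `set local hsadminng.currentUser to '';` keeps the effect transaction-scoped like the rest of the file. The switch to `pacAdmin` with `set local hsadminng.assumedRoles = ''` means each unixuser is inserted as the per-package admin that createPackageTestData created, which is a useful least-privilege exercise of the RBAC rules but also makes this procedure depend on the package generator having run for that package — worth saying in the header comment.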
@ -33,12 +33,12 @@ class ContextIntegrationTests {
|
|||||||
@Transactional
|
@Transactional
|
||||||
void assumeRoles() {
|
void assumeRoles() {
|
||||||
context.setCurrentUser("mike@hostsharing.net");
|
context.setCurrentUser("mike@hostsharing.net");
|
||||||
context.assumeRoles("customer#aaa.owner;customer#aab.owner");
|
context.assumeRoles("customer#xxx.owner;customer#yyy.owner");
|
||||||
|
|
||||||
final var currentUser = context.getCurrentUser();
|
final var currentUser = context.getCurrentUser();
|
||||||
assertThat(currentUser).isEqualTo("mike@hostsharing.net");
|
assertThat(currentUser).isEqualTo("mike@hostsharing.net");
|
||||||
|
|
||||||
final var assumedRoles = context.getAssumedRoles();
|
final var assumedRoles = context.getAssumedRoles();
|
||||||
assertThat(assumedRoles).containsExactlyInAnyOrder("customer#aaa.owner", "customer#aab.owner");
|
assertThat(assumedRoles).containsExactlyInAnyOrder("customer#xxx.owner", "customer#yyy.owner");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -92,7 +92,7 @@ class CustomerControllerRestTest {
|
|||||||
mockMvc.perform(MockMvcRequestBuilders
|
mockMvc.perform(MockMvcRequestBuilders
|
||||||
.get("/api/customers")
|
.get("/api/customers")
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@hostsharing.net")
|
||||||
.header("assumed-roles", "admin@yyy.example.com")
|
.header("assumed-roles", "customer-admin@yyy.example.com")
|
||||||
.accept(MediaType.APPLICATION_JSON))
|
.accept(MediaType.APPLICATION_JSON))
|
||||||
|
|
||||||
// then
|
// then
|
||||||
@ -103,7 +103,7 @@ class CustomerControllerRestTest {
|
|||||||
|
|
||||||
// then
|
// then
|
||||||
verify(contextMock).setCurrentUser("mike@hostsharing.net");
|
verify(contextMock).setCurrentUser("mike@hostsharing.net");
|
||||||
verify(contextMock).assumeRoles("admin@yyy.example.com");
|
verify(contextMock).assumeRoles("customer-admin@yyy.example.com");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
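Review bot: The `assumed-roles` header in this test now carries a user name, `customer-admin@yyy.example.com`, while every other test in the commit passes role names in the `customer#<prefix>.admin` form (see PackageControllerAcceptanceTest); because the controller runs against a mocked context, `verify(contextMock).assumeRoles("customer-admin@yyy.example.com")` passes whatever string is used, so the fixture quietly documents the wrong shape for this header. Use a role here as well, `.header("assumed-roles", "customer#yyy.admin")` together with `verify(contextMock).assumeRoles("customer#yyy.admin");`, so the test reads like the real request the server-side RBAC check expects. The enclosing test methods start and end outside the two hunks.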
@ -42,7 +42,7 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
|
|
||||||
final var result = attempt(em, () -> {
|
final var result = attempt(em, () -> {
|
||||||
final var newCustomer = new CustomerEntity(
|
final var newCustomer = new CustomerEntity(
|
||||||
UUID.randomUUID(), "xxx", 90001, "admin@xxx.example.com");
|
UUID.randomUUID(), "www", 90001, "customer-admin@www.example.com");
|
||||||
return customerRepository.save(newCustomer);
|
return customerRepository.save(newCustomer);
|
||||||
});
|
});
|
||||||
|
|
||||||
@ -56,37 +56,37 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
@Test
|
@Test
|
||||||
public void hostsharingAdmin_withAssumedCustomerRole_cannotCreateNewCustomer() {
|
public void hostsharingAdmin_withAssumedCustomerRole_cannotCreateNewCustomer() {
|
||||||
// given
|
// given
|
||||||
context("mike@hostsharing.net", "customer#aaa.admin");
|
context("mike@hostsharing.net", "customer#xxx.admin");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = attempt(em, () -> {
|
final var result = attempt(em, () -> {
|
||||||
final var newCustomer = new CustomerEntity(
|
final var newCustomer = new CustomerEntity(
|
||||||
UUID.randomUUID(), "xxx", 90001, "admin@xxx.example.com");
|
UUID.randomUUID(), "www", 90001, "customer-admin@www.example.com");
|
||||||
return customerRepository.save(newCustomer);
|
return customerRepository.save(newCustomer);
|
||||||
});
|
});
|
||||||
|
|
||||||
// then
|
// then
|
||||||
result.assertExceptionWithRootCauseMessage(
|
result.assertExceptionWithRootCauseMessage(
|
||||||
PersistenceException.class,
|
PersistenceException.class,
|
||||||
"add-customer not permitted for customer#aaa.admin");
|
"add-customer not permitted for customer#xxx.admin");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void customerAdmin_withoutAssumedRole_cannotCreateNewCustomer() {
|
public void customerAdmin_withoutAssumedRole_cannotCreateNewCustomer() {
|
||||||
// given
|
// given
|
||||||
context("admin@aaa.example.com", null);
|
context("customer-admin@xxx.example.com", null);
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = attempt(em, () -> {
|
final var result = attempt(em, () -> {
|
||||||
final var newCustomer = new CustomerEntity(
|
final var newCustomer = new CustomerEntity(
|
||||||
UUID.randomUUID(), "yyy", 90002, "admin@yyy.example.com");
|
UUID.randomUUID(), "www", 90001, "customer-admin@www.example.com");
|
||||||
return customerRepository.save(newCustomer);
|
return customerRepository.save(newCustomer);
|
||||||
});
|
});
|
||||||
|
|
||||||
// then
|
// then
|
||||||
result.assertExceptionWithRootCauseMessage(
|
result.assertExceptionWithRootCauseMessage(
|
||||||
PersistenceException.class,
|
PersistenceException.class,
|
||||||
"add-customer not permitted for admin@aaa.example.com");
|
"add-customer not permitted for customer-admin@xxx.example.com");
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -108,7 +108,7 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
|
final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
|
||||||
|
|
||||||
// then
|
// then
|
||||||
exactlyTheseCustomersAreReturned(result, "aaa", "aab", "aac");
|
exactlyTheseCustomersAreReturned(result, "xxx", "yyy", "zzz");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@ -120,34 +120,34 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
|
final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
|
||||||
|
|
||||||
then:
|
then:
|
||||||
exactlyTheseCustomersAreReturned(result, "aaa", "aab", "aac");
|
exactlyTheseCustomersAreReturned(result, "xxx", "yyy", "zzz");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnCustomer() {
|
public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnCustomer() {
|
||||||
// given:
|
// given:
|
||||||
context("admin@aaa.example.com", null);
|
context("customer-admin@xxx.example.com", null);
|
||||||
|
|
||||||
// when:
|
// when:
|
||||||
final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
|
final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
|
||||||
|
|
||||||
// then:
|
// then:
|
||||||
exactlyTheseCustomersAreReturned(result, "aaa");
|
exactlyTheseCustomersAreReturned(result, "xxx");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnCustomer() {
|
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnCustomer() {
|
||||||
context("admin@aaa.example.com", "package#aaa00.admin");
|
context("customer-admin@xxx.example.com", "package#xxx00.admin");
|
||||||
|
|
||||||
final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
|
final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
|
||||||
|
|
||||||
exactlyTheseCustomersAreReturned(result, "aaa");
|
exactlyTheseCustomersAreReturned(result, "xxx");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void customerAdmin_withAssumedAlienPackageAdminRole_cannotViewAnyCustomer() {
|
public void customerAdmin_withAssumedAlienPackageAdminRole_cannotViewAnyCustomer() {
|
||||||
// given:
|
// given:
|
||||||
context("admin@aaa.example.com", "package#aab00.admin");
|
context("customer-admin@xxx.example.com", "package#yyy00.admin");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = attempt(
|
final var result = attempt(
|
||||||
@ -157,7 +157,7 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
// then
|
// then
|
||||||
result.assertExceptionWithRootCauseMessage(
|
result.assertExceptionWithRootCauseMessage(
|
||||||
JpaSystemException.class,
|
JpaSystemException.class,
|
||||||
"[403] user admin@aaa.example.com", "has no permission to assume role package#aab00#admin");
|
"[403] user customer-admin@xxx.example.com", "has no permission to assume role package#yyy00#admin");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@ -176,7 +176,7 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
@Test
|
@Test
|
||||||
@Transactional
|
@Transactional
|
||||||
void unknownUser_withAssumedCustomerRole_cannotViewAnyCustomers() {
|
void unknownUser_withAssumedCustomerRole_cannotViewAnyCustomers() {
|
||||||
context("unknown@example.org", "customer#aaa.admin");
|
context("unknown@example.org", "customer#xxx.admin");
|
||||||
|
|
||||||
final var result = attempt(
|
final var result = attempt(
|
||||||
em,
|
em,
|
||||||
@ -198,19 +198,19 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
context("mike@hostsharing.net", null);
|
context("mike@hostsharing.net", null);
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = customerRepository.findCustomerByOptionalPrefixLike("aab");
|
final var result = customerRepository.findCustomerByOptionalPrefixLike("yyy");
|
||||||
|
|
||||||
// then
|
// then
|
||||||
exactlyTheseCustomersAreReturned(result, "aab");
|
exactlyTheseCustomersAreReturned(result, "yyy");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnCustomer() {
|
public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnCustomer() {
|
||||||
// given:
|
// given:
|
||||||
context("admin@aaa.example.com", null);
|
context("customer-admin@xxx.example.com", null);
|
||||||
|
|
||||||
// when:
|
// when:
|
||||||
final var result = customerRepository.findCustomerByOptionalPrefixLike("aab");
|
final var result = customerRepository.findCustomerByOptionalPrefixLike("yyy");
|
||||||
|
|
||||||
// then:
|
// then:
|
||||||
exactlyTheseCustomersAreReturned(result);
|
exactlyTheseCustomersAreReturned(result);
|
||||||
|
@ -44,19 +44,19 @@ class PackageControllerAcceptanceTest {
|
|||||||
RestAssured
|
RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@hostsharing.net")
|
||||||
.header("assumed-roles", "customer#aaa.admin")
|
.header("assumed-roles", "customer#xxx.admin")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/packages")
|
.get("http://localhost/api/packages")
|
||||||
.then().assertThat()
|
.then().assertThat()
|
||||||
.statusCode(200)
|
.statusCode(200)
|
||||||
.contentType("application/json")
|
.contentType("application/json")
|
||||||
.body("[0].name", is("aaa00"))
|
.body("[0].name", is("xxx00"))
|
||||||
.body("[0].customer.reference", is(10000))
|
.body("[0].customer.reference", is(99901))
|
||||||
.body("[1].name", is("aaa01"))
|
.body("[1].name", is("xxx01"))
|
||||||
.body("[1].customer.reference", is(10000))
|
.body("[1].customer.reference", is(99901))
|
||||||
.body("[2].name", is("aaa02"))
|
.body("[2].name", is("xxx02"))
|
||||||
.body("[2].customer.reference", is(10000));
|
.body("[2].customer.reference", is(99901));
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -66,15 +66,15 @@ class PackageControllerAcceptanceTest {
|
|||||||
RestAssured
|
RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@hostsharing.net")
|
||||||
.header("assumed-roles", "customer#aaa.admin")
|
.header("assumed-roles", "customer#xxx.admin")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/packages?name=aaa01")
|
.get("http://localhost/api/packages?name=xxx01")
|
||||||
.then().assertThat()
|
.then().assertThat()
|
||||||
.statusCode(200)
|
.statusCode(200)
|
||||||
.contentType("application/json")
|
.contentType("application/json")
|
||||||
.body("[0].name", is("aaa01"))
|
.body("[0].name", is("xxx01"))
|
||||||
.body("[0].customer.reference", is(10000));
|
.body("[0].customer.reference", is(99901));
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -85,8 +85,8 @@ class PackageControllerAcceptanceTest {
|
|||||||
@Test
|
@Test
|
||||||
void withDescriptionUpdatesDescription() {
|
void withDescriptionUpdatesDescription() {
|
||||||
|
|
||||||
assumeThat(getDescriptionOfPackage("aaa00"))
|
assumeThat(getDescriptionOfPackage("xxx00"))
|
||||||
.isEqualTo("Here can add your own description of package aaa00.");
|
.isEqualTo("Here can add your own description of package xxx00.");
|
||||||
|
|
||||||
final var randomDescription = RandomStringUtils.randomAlphanumeric(80);
|
final var randomDescription = RandomStringUtils.randomAlphanumeric(80);
|
||||||
|
|
||||||
@ -94,7 +94,7 @@ class PackageControllerAcceptanceTest {
|
|||||||
RestAssured
|
RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@hostsharing.net")
|
||||||
.header("assumed-roles", "customer#aaa.admin")
|
.header("assumed-roles", "customer#xxx.admin")
|
||||||
.contentType(ContentType.JSON)
|
.contentType(ContentType.JSON)
|
||||||
.body(format("""
|
.body(format("""
|
||||||
{
|
{
|
||||||
@ -103,12 +103,12 @@ class PackageControllerAcceptanceTest {
|
|||||||
""", randomDescription))
|
""", randomDescription))
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("aaa00"))
|
.patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("xxx00"))
|
||||||
.then()
|
.then()
|
||||||
.assertThat()
|
.assertThat()
|
||||||
.statusCode(200)
|
.statusCode(200)
|
||||||
.contentType("application/json")
|
.contentType("application/json")
|
||||||
.body("name", is("aaa00"))
|
.body("name", is("xxx00"))
|
||||||
.body("description", is(randomDescription));
|
.body("description", is(randomDescription));
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
|
|
||||||
@ -117,14 +117,14 @@ class PackageControllerAcceptanceTest {
|
|||||||
@Test
|
@Test
|
||||||
void withNullDescriptionUpdatesDescriptionToNull() {
|
void withNullDescriptionUpdatesDescriptionToNull() {
|
||||||
|
|
||||||
assumeThat(getDescriptionOfPackage("aaa01"))
|
assumeThat(getDescriptionOfPackage("xxx01"))
|
||||||
.isEqualTo("Here can add your own description of package aaa01.");
|
.isEqualTo("Here can add your own description of package xxx01.");
|
||||||
|
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
RestAssured
|
RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@hostsharing.net")
|
||||||
.header("assumed-roles", "customer#aaa.admin")
|
.header("assumed-roles", "customer#xxx.admin")
|
||||||
.contentType(ContentType.JSON)
|
.contentType(ContentType.JSON)
|
||||||
.body("""
|
.body("""
|
||||||
{
|
{
|
||||||
@ -133,12 +133,12 @@ class PackageControllerAcceptanceTest {
|
|||||||
""")
|
""")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("aaa01"))
|
.patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("xxx01"))
|
||||||
.then()
|
.then()
|
||||||
.assertThat()
|
.assertThat()
|
||||||
.statusCode(200)
|
.statusCode(200)
|
||||||
.contentType("application/json")
|
.contentType("application/json")
|
||||||
.body("name", is("aaa01"))
|
.body("name", is("xxx01"))
|
||||||
.body("description", equalTo(null));
|
.body("description", equalTo(null));
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
}
|
}
|
||||||
@ -146,24 +146,24 @@ class PackageControllerAcceptanceTest {
|
|||||||
@Test
|
@Test
|
||||||
void withoutDescriptionDoesNothing() {
|
void withoutDescriptionDoesNothing() {
|
||||||
|
|
||||||
assumeThat(getDescriptionOfPackage("aaa02"))
|
assumeThat(getDescriptionOfPackage("xxx02"))
|
||||||
.isEqualTo("Here can add your own description of package aaa02.");
|
.isEqualTo("Here can add your own description of package xxx02.");
|
||||||
|
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
RestAssured
|
RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@hostsharing.net")
|
||||||
.header("assumed-roles", "customer#aaa.admin")
|
.header("assumed-roles", "customer#xxx.admin")
|
||||||
.contentType(ContentType.JSON)
|
.contentType(ContentType.JSON)
|
||||||
.body("{}")
|
.body("{}")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("aaa02"))
|
.patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("xxx02"))
|
||||||
.then().assertThat()
|
.then().assertThat()
|
||||||
.statusCode(200)
|
.statusCode(200)
|
||||||
.contentType("application/json")
|
.contentType("application/json")
|
||||||
.body("name", is("aaa02"))
|
.body("name", is("xxx02"))
|
||||||
.body("description", is("Here can add your own description of package aaa02.")); // unchanged
|
.body("description", is("Here can add your own description of package xxx02.")); // unchanged
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -173,7 +173,7 @@ class PackageControllerAcceptanceTest {
|
|||||||
return UUID.fromString(RestAssured
|
return UUID.fromString(RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@hostsharing.net")
|
||||||
.header("assumed-roles", "customer#aaa.admin")
|
.header("assumed-roles", "customer#xxx.admin")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/packages?name={packageName}", packageName)
|
.get("http://localhost/api/packages?name={packageName}", packageName)
|
||||||
@ -186,7 +186,7 @@ class PackageControllerAcceptanceTest {
|
|||||||
|
|
||||||
String getDescriptionOfPackage(final String packageName) {
|
String getDescriptionOfPackage(final String packageName) {
|
||||||
context.setCurrentUser("mike@hostsharing.net");
|
context.setCurrentUser("mike@hostsharing.net");
|
||||||
context.assumeRoles("customer#aaa.admin");
|
context.assumeRoles("customer#xxx.admin");
|
||||||
return packageRepository.findAllByOptionalNameLike(packageName).get(0).getDescription();
|
return packageRepository.findAllByOptionalNameLike(packageName).get(0).getDescription();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -67,30 +67,30 @@ class PackageRepositoryIntegrationTest {
|
|||||||
@Test
|
@Test
|
||||||
public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnPackages() {
|
public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnPackages() {
|
||||||
// given:
|
// given:
|
||||||
currentUser("admin@aaa.example.com");
|
currentUser("customer-admin@xxx.example.com");
|
||||||
|
|
||||||
// when:
|
// when:
|
||||||
final var result = packageRepository.findAllByOptionalNameLike(null);
|
final var result = packageRepository.findAllByOptionalNameLike(null);
|
||||||
|
|
||||||
// then:
|
// then:
|
||||||
exactlyThesePackagesAreReturned(result, "aaa00", "aaa01", "aaa02");
|
exactlyThesePackagesAreReturned(result, "xxx00", "xxx01", "xxx02");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnPackages() {
|
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnPackages() {
|
||||||
currentUser("admin@aaa.example.com");
|
currentUser("customer-admin@xxx.example.com");
|
||||||
assumedRoles("package#aaa00.admin");
|
assumedRoles("package#xxx00.admin");
|
||||||
|
|
||||||
final var result = packageRepository.findAllByOptionalNameLike(null);
|
final var result = packageRepository.findAllByOptionalNameLike(null);
|
||||||
|
|
||||||
exactlyThesePackagesAreReturned(result, "aaa00");
|
exactlyThesePackagesAreReturned(result, "xxx00");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void customerAdmin_withAssumedAlienPackageAdminRole_cannotViewAnyPackages() {
|
public void customerAdmin_withAssumedAlienPackageAdminRole_cannotViewAnyPackages() {
|
||||||
// given:
|
// given:
|
||||||
currentUser("admin@aaa.example.com");
|
currentUser("customer-admin@xxx.example.com");
|
||||||
assumedRoles("package#aab00.admin");
|
assumedRoles("package#yyy00.admin");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = attempt(
|
final var result = attempt(
|
||||||
@ -100,7 +100,7 @@ class PackageRepositoryIntegrationTest {
|
|||||||
// then
|
// then
|
||||||
result.assertExceptionWithRootCauseMessage(
|
result.assertExceptionWithRootCauseMessage(
|
||||||
JpaSystemException.class,
|
JpaSystemException.class,
|
||||||
"[403] user admin@aaa.example.com", "has no permission to assume role package#aab00#admin");
|
"[403] user customer-admin@xxx.example.com", "has no permission to assume role package#yyy00#admin");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@ -120,7 +120,7 @@ class PackageRepositoryIntegrationTest {
|
|||||||
@Transactional
|
@Transactional
|
||||||
void unknownUser_withAssumedCustomerRole_cannotViewAnyPackages() {
|
void unknownUser_withAssumedCustomerRole_cannotViewAnyPackages() {
|
||||||
currentUser("unknown@example.org");
|
currentUser("unknown@example.org");
|
||||||
assumedRoles("customer#aaa.admin");
|
assumedRoles("customer#xxx.admin");
|
||||||
|
|
||||||
final var result = attempt(
|
final var result = attempt(
|
||||||
em,
|
em,
|
||||||
@ -139,17 +139,17 @@ class PackageRepositoryIntegrationTest {
|
|||||||
@Test
|
@Test
|
||||||
public void supportsOptimisticLocking() throws InterruptedException {
|
public void supportsOptimisticLocking() throws InterruptedException {
|
||||||
// given
|
// given
|
||||||
hostsharingAdminWithAssumedRole("package#aaa00.admin");
|
hostsharingAdminWithAssumedRole("package#xxx00.admin");
|
||||||
final var pac = packageRepository.findAllByOptionalNameLike("%").get(0);
|
final var pac = packageRepository.findAllByOptionalNameLike("%").get(0);
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result1 = jpaAttempt.transacted(() -> {
|
final var result1 = jpaAttempt.transacted(() -> {
|
||||||
hostsharingAdminWithAssumedRole("package#aaa00.admin");
|
hostsharingAdminWithAssumedRole("package#xxx00.admin");
|
||||||
pac.setDescription("description set by thread 1");
|
pac.setDescription("description set by thread 1");
|
||||||
packageRepository.save(pac);
|
packageRepository.save(pac);
|
||||||
});
|
});
|
||||||
final var result2 = jpaAttempt.transacted(() -> {
|
final var result2 = jpaAttempt.transacted(() -> {
|
||||||
hostsharingAdminWithAssumedRole("package#aaa00.admin");
|
hostsharingAdminWithAssumedRole("package#xxx00.admin");
|
||||||
pac.setDescription("description set by thread 2");
|
pac.setDescription("description set by thread 2");
|
||||||
packageRepository.save(pac);
|
packageRepository.save(pac);
|
||||||
sleep(1500);
|
sleep(1500);
|
||||||
|
@ -62,9 +62,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
@Accepts({ "GRT:R(Read)" })
|
@Accepts({ "GRT:R(Read)" })
|
||||||
void customerAdmin_withAssumedPacketAdminRole_canReadPacketAdminsGrantById() {
|
void customerAdmin_withAssumedPacketAdminRole_canReadPacketAdminsGrantById() {
|
||||||
// given
|
// given
|
||||||
final var givenCurrentUserAsPackageAdmin = new Subject("admin@aaa.example.com");
|
final var givenCurrentUserAsPackageAdmin = new Subject("customer-admin@xxx.example.com");
|
||||||
final var givenGranteeUser = findRbacUserByName("aaa00@aaa.example.com");
|
final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
|
||||||
final var givenGrantedRole = findRbacRoleByName("package#aaa00.admin");
|
final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
|
final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
|
||||||
@ -73,18 +73,18 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
// then
|
// then
|
||||||
grant.assertThat()
|
grant.assertThat()
|
||||||
.statusCode(200)
|
.statusCode(200)
|
||||||
.body("grantedByRoleIdName", is("customer#aaa.admin"))
|
.body("grantedByRoleIdName", is("customer#xxx.admin"))
|
||||||
.body("grantedRoleIdName", is("package#aaa00.admin"))
|
.body("grantedRoleIdName", is("package#xxx00.admin"))
|
||||||
.body("granteeUserName", is("aaa00@aaa.example.com"));
|
.body("granteeUserName", is("pac-admin-xxx00@xxx.example.com"));
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Accepts({ "GRT:R(Read)" })
|
@Accepts({ "GRT:R(Read)" })
|
||||||
void packageAdmin_withoutAssumedRole_canReadItsOwnGrantById() {
|
void packageAdmin_withoutAssumedRole_canReadItsOwnGrantById() {
|
||||||
// given
|
// given
|
||||||
final var givenCurrentUserAsPackageAdmin = new Subject("aaa00@aaa.example.com");
|
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com");
|
||||||
final var givenGranteeUser = findRbacUserByName("aaa00@aaa.example.com");
|
final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
|
||||||
final var givenGrantedRole = findRbacRoleByName("package#aaa00.admin");
|
final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
|
final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
|
||||||
@ -93,18 +93,18 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
// then
|
// then
|
||||||
grant.assertThat()
|
grant.assertThat()
|
||||||
.statusCode(200)
|
.statusCode(200)
|
||||||
.body("grantedByRoleIdName", is("customer#aaa.admin"))
|
.body("grantedByRoleIdName", is("customer#xxx.admin"))
|
||||||
.body("grantedRoleIdName", is("package#aaa00.admin"))
|
.body("grantedRoleIdName", is("package#xxx00.admin"))
|
||||||
.body("granteeUserName", is("aaa00@aaa.example.com"));
|
.body("granteeUserName", is("pac-admin-xxx00@xxx.example.com"));
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Accepts({ "GRT:R(Read)" })
|
@Accepts({ "GRT:R(Read)" })
|
||||||
void packageAdmin_withAssumedUnixUserAdmin_canNotReadItsOwnGrantById() {
|
void packageAdmin_withAssumedUnixUserAdmin_canNotReadItsOwnGrantById() {
|
||||||
// given
|
// given
|
||||||
final var givenCurrentUserAsPackageAdmin = new Subject("aaa00@aaa.example.com", "unixuser#aaa00-aaaa.admin");
|
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", "unixuser#xxx00-xxxa.admin");
|
||||||
final var givenGranteeUser = findRbacUserByName("aaa00@aaa.example.com");
|
final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
|
||||||
final var givenGrantedRole = findRbacRoleByName("package#aaa00.admin");
|
final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
|
final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
|
||||||
@ -125,8 +125,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
|
|
||||||
// given
|
// given
|
||||||
final var givenNewUser = createRBacUser();
|
final var givenNewUser = createRBacUser();
|
||||||
final var givenRoleToGrant = "package#aaa00.admin";
|
final var givenRoleToGrant = "package#xxx00.admin";
|
||||||
final var givenCurrentUserAsPackageAdmin = new Subject("aaa00@aaa.example.com", givenRoleToGrant);
|
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
|
||||||
final var givenOwnPackageAdminRole =
|
final var givenOwnPackageAdminRole =
|
||||||
findRbacRoleByName(givenCurrentUserAsPackageAdmin.assumedRole);
|
findRbacRoleByName(givenCurrentUserAsPackageAdmin.assumedRole);
|
||||||
|
|
||||||
@ -149,9 +149,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
|
|
||||||
// given
|
// given
|
||||||
final var givenNewUser = createRBacUser();
|
final var givenNewUser = createRBacUser();
|
||||||
final var givenRoleToGrant = "package#aaa00.admin";
|
final var givenRoleToGrant = "package#xxx00.admin";
|
||||||
final var givenCurrentUserAsPackageAdmin = new Subject("aaa00@aaa.example.com", givenRoleToGrant);
|
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
|
||||||
final var givenAlienPackageAdminRole = findRbacRoleByName("package#aab00.admin");
|
final var givenAlienPackageAdminRole = findRbacRoleByName("package#yyy00.admin");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = givenCurrentUserAsPackageAdmin
|
final var result = givenCurrentUserAsPackageAdmin
|
||||||
@ -161,7 +161,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
// then
|
// then
|
||||||
result.assertThat()
|
result.assertThat()
|
||||||
.body("message", containsString("Access to granted role"))
|
.body("message", containsString("Access to granted role"))
|
||||||
.body("message", containsString("forbidden for {package#aaa00.admin}"))
|
.body("message", containsString("forbidden for {package#xxx00.admin}"))
|
||||||
.statusCode(403);
|
.statusCode(403);
|
||||||
assertThat(findAllGrantsOf(givenCurrentUserAsPackageAdmin))
|
assertThat(findAllGrantsOf(givenCurrentUserAsPackageAdmin))
|
||||||
.extracting(RbacGrantEntity::getGranteeUserName)
|
.extracting(RbacGrantEntity::getGranteeUserName)
|
||||||
@ -179,9 +179,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
|
|
||||||
// given
|
// given
|
||||||
final var givenArbitraryUser = createRBacUser();
|
final var givenArbitraryUser = createRBacUser();
|
||||||
final var givenRoleToGrant = "package#aaa00.admin";
|
final var givenRoleToGrant = "package#xxx00.admin";
|
||||||
final var givenCurrentUserAsPackageAdmin = new Subject("aaa00@aaa.example.com", givenRoleToGrant);
|
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
|
||||||
final var givenOwnPackageAdminRole = findRbacRoleByName("package#aaa00.admin");
|
final var givenOwnPackageAdminRole = findRbacRoleByName("package#xxx00.admin");
|
||||||
|
|
||||||
// and given an existing grant
|
// and given an existing grant
|
||||||
assumeCreated(givenCurrentUserAsPackageAdmin
|
assumeCreated(givenCurrentUserAsPackageAdmin
|
||||||
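Review bot: The assumed role `unixuser#xxx00-xxxa.admin` in the new `Subject(...)` of packageAdmin_withAssumedUnixUserAdmin_canNotReadItsOwnGrantById does not follow the unix-user naming the rest of this commit uses (`unixuser#xxx00-aaaa.admin` in RbacRoleRepositoryIntegrationTest, `unixuser#yyy00-aaaa.owner` in RbacRoleControllerAcceptanceTest), so it looks like a typo for `unixuser#xxx00-aaaa.admin`. Because this is a negative test, a role name that does not exist in the test data would presumably make it pass for the wrong reason — the request would be rejected because the role is unknown rather than because the unix-user admin lacks the permission under test. Either align the name, `new Subject("pac-admin-xxx00@xxx.example.com", "unixuser#xxx00-aaaa.admin")`, or pin the precondition the way the granted role already is, e.g. `assumeThat(findRbacRoleByName("unixuser#xxx00-aaaa.admin")).isNotNull();`. The assertion part of this test method lies outside the hunk, so I cannot tell which failure it checks for.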
|
@ -55,7 +55,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
@Accepts({ "GRT:L(List)" })
|
@Accepts({ "GRT:L(List)" })
|
||||||
public void packageAdmin_canViewItsRbacGrants() {
|
public void packageAdmin_canViewItsRbacGrants() {
|
||||||
// given
|
// given
|
||||||
context("aaa00@aaa.example.com", null);
|
context("pac-admin-xxx00@xxx.example.com", null);
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = rbacGrantRepository.findAll();
|
final var result = rbacGrantRepository.findAll();
|
||||||
@ -63,14 +63,14 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
// then
|
// then
|
||||||
exactlyTheseRbacGrantsAreReturned(
|
exactlyTheseRbacGrantsAreReturned(
|
||||||
result,
|
result,
|
||||||
"{ grant assumed role package#aaa00.admin to user aaa00@aaa.example.com by role customer#aaa.admin }");
|
"{ grant assumed role package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role customer#xxx.admin }");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Accepts({ "GRT:L(List)" })
|
@Accepts({ "GRT:L(List)" })
|
||||||
public void customerAdmin_canViewItsRbacGrants() {
|
public void customerAdmin_canViewItsRbacGrants() {
|
||||||
// given
|
// given
|
||||||
context("admin@aaa.example.com", null);
|
context("customer-admin@xxx.example.com", null);
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = rbacGrantRepository.findAll();
|
final var result = rbacGrantRepository.findAll();
|
||||||
@ -78,17 +78,17 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
// then
|
// then
|
||||||
exactlyTheseRbacGrantsAreReturned(
|
exactlyTheseRbacGrantsAreReturned(
|
||||||
result,
|
result,
|
||||||
"{ grant assumed role customer#aaa.admin to user admin@aaa.example.com by role global#hostsharing.admin }",
|
"{ grant assumed role customer#xxx.admin to user customer-admin@xxx.example.com by role global#hostsharing.admin }",
|
||||||
"{ grant assumed role package#aaa00.admin to user aaa00@aaa.example.com by role customer#aaa.admin }",
|
"{ grant assumed role package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role customer#xxx.admin }",
|
||||||
"{ grant assumed role package#aaa01.admin to user aaa01@aaa.example.com by role customer#aaa.admin }",
|
"{ grant assumed role package#xxx01.admin to user pac-admin-xxx01@xxx.example.com by role customer#xxx.admin }",
|
||||||
"{ grant assumed role package#aaa02.admin to user aaa02@aaa.example.com by role customer#aaa.admin }");
|
"{ grant assumed role package#xxx02.admin to user pac-admin-xxx02@xxx.example.com by role customer#xxx.admin }");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Accepts({ "GRT:L(List)" })
|
@Accepts({ "GRT:L(List)" })
|
||||||
public void customerAdmin_withAssumedRole_canOnlyViewRbacGrantsVisibleByAssumedRole() {
|
public void customerAdmin_withAssumedRole_canOnlyViewRbacGrantsVisibleByAssumedRole() {
|
||||||
// given:
|
// given:
|
||||||
context("admin@aaa.example.com", "package#aaa00.admin");
|
context("customer-admin@xxx.example.com", "package#xxx00.admin");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = rbacGrantRepository.findAll();
|
final var result = rbacGrantRepository.findAll();
|
||||||
@ -96,7 +96,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
// then
|
// then
|
||||||
exactlyTheseRbacGrantsAreReturned(
|
exactlyTheseRbacGrantsAreReturned(
|
||||||
result,
|
result,
|
||||||
"{ grant assumed role package#aaa00.admin to user aaa00@aaa.example.com by role customer#aaa.admin }");
|
"{ grant assumed role package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role customer#xxx.admin }");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -106,9 +106,9 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
@Test
|
@Test
|
||||||
public void customerAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() {
|
public void customerAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() {
|
||||||
// given
|
// given
|
||||||
context("admin@aaa.example.com", "customer#aaa.admin");
|
context("customer-admin@xxx.example.com", "customer#xxx.admin");
|
||||||
final var givenArbitraryUserUuid = rbacUserRepository.findByName("aac00@aac.example.com").getUuid();
|
final var givenArbitraryUserUuid = rbacUserRepository.findByName("pac-admin-zzz00@zzz.example.com").getUuid();
|
||||||
final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("package#aaa00.admin").getUuid();
|
final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("package#xxx00.admin").getUuid();
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var grant = RbacGrantEntity.builder()
|
final var grant = RbacGrantEntity.builder()
|
||||||
@ -124,7 +124,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
assertThat(rbacGrantRepository.findAll())
|
assertThat(rbacGrantRepository.findAll())
|
||||||
.extracting(RbacGrantEntity::toDisplay)
|
.extracting(RbacGrantEntity::toDisplay)
|
||||||
.contains(
|
.contains(
|
||||||
"{ grant assumed role package#aaa00.admin to user aac00@aac.example.com by role customer#aaa.admin }");
|
"{ grant assumed role package#xxx00.admin to user pac-admin-zzz00@zzz.example.com by role customer#xxx.admin }");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@ -134,17 +134,17 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
record Given(RbacUserEntity arbitraryUser, UUID packageOwnerRoleUuid) {}
|
record Given(RbacUserEntity arbitraryUser, UUID packageOwnerRoleUuid) {}
|
||||||
final var given = jpaAttempt.transacted(() -> {
|
final var given = jpaAttempt.transacted(() -> {
|
||||||
// to find the uuids of we need to have access rights to these
|
// to find the uuids of we need to have access rights to these
|
||||||
context("admin@aaa.example.com", null);
|
context("customer-admin@xxx.example.com", null);
|
||||||
return new Given(
|
return new Given(
|
||||||
createNewUser(),
|
createNewUser(),
|
||||||
rbacRoleRepository.findByRoleName("package#aaa00.owner").getUuid()
|
rbacRoleRepository.findByRoleName("package#xxx00.owner").getUuid()
|
||||||
);
|
);
|
||||||
}).assumeSuccessful().returnedValue();
|
}).assumeSuccessful().returnedValue();
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var attempt = jpaAttempt.transacted(() -> {
|
final var attempt = jpaAttempt.transacted(() -> {
|
||||||
// now we try to use these uuids as a less privileged user
|
// now we try to use these uuids as a less privileged user
|
||||||
context("aaa00@aaa.example.com", "package#aaa00.admin");
|
context("pac-admin-xxx00@xxx.example.com", "package#xxx00.admin");
|
||||||
final var grant = RbacGrantEntity.builder()
|
final var grant = RbacGrantEntity.builder()
|
||||||
.granteeUserUuid(given.arbitraryUser.getUuid())
|
.granteeUserUuid(given.arbitraryUser.getUuid())
|
||||||
.grantedRoleUuid(given.packageOwnerRoleUuid)
|
.grantedRoleUuid(given.packageOwnerRoleUuid)
|
||||||
@ -157,7 +157,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
attempt.assertExceptionWithRootCauseMessage(
|
attempt.assertExceptionWithRootCauseMessage(
|
||||||
JpaSystemException.class,
|
JpaSystemException.class,
|
||||||
"ERROR: [403] Access to granted role " + given.packageOwnerRoleUuid
|
"ERROR: [403] Access to granted role " + given.packageOwnerRoleUuid
|
||||||
+ " forbidden for {package#aaa00.admin}");
|
+ " forbidden for {package#xxx00.admin}");
|
||||||
jpaAttempt.transacted(() -> {
|
jpaAttempt.transacted(() -> {
|
||||||
// finally, we use the new user to make sure, no roles were granted
|
// finally, we use the new user to make sure, no roles were granted
|
||||||
context(given.arbitraryUser.getName(), null);
|
context(given.arbitraryUser.getName(), null);
|
||||||
@ -175,21 +175,21 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
public void customerAdmin_canRevokeSelfGrantedPackageAdminRole() {
|
public void customerAdmin_canRevokeSelfGrantedPackageAdminRole() {
|
||||||
// given
|
// given
|
||||||
final var grant = create(grant()
|
final var grant = create(grant()
|
||||||
.byUser("admin@aaa.example.com").withAssumedRole("customer#aaa.admin")
|
.byUser("customer-admin@xxx.example.com").withAssumedRole("customer#xxx.admin")
|
||||||
.grantingRole("package#aaa00.admin").toUser("aac00@aac.example.com"));
|
.grantingRole("package#xxx00.admin").toUser("pac-admin-zzz00@zzz.example.com"));
|
||||||
|
|
||||||
// when
|
// when
|
||||||
context("admin@aaa.example.com", "customer#aaa.admin");
|
context("customer-admin@xxx.example.com", "customer#xxx.admin");
|
||||||
final var revokeAttempt = attempt(em, () -> {
|
final var revokeAttempt = attempt(em, () -> {
|
||||||
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
|
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
|
||||||
});
|
});
|
||||||
|
|
||||||
// then
|
// then
|
||||||
context("admin@aaa.example.com", "customer#aaa.admin");
|
context("customer-admin@xxx.example.com", "customer#xxx.admin");
|
||||||
assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull();
|
assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull();
|
||||||
assertThat(rbacGrantRepository.findAll())
|
assertThat(rbacGrantRepository.findAll())
|
||||||
.extracting(RbacGrantEntity::getGranteeUserName)
|
.extracting(RbacGrantEntity::getGranteeUserName)
|
||||||
.doesNotContain("aac00@aac.example.com");
|
.doesNotContain("pac-admin-zzz00@zzz.example.com");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@ -197,33 +197,33 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
// given
|
// given
|
||||||
final var newUser = createNewUserTransacted();
|
final var newUser = createNewUserTransacted();
|
||||||
final var grant = create(grant()
|
final var grant = create(grant()
|
||||||
.byUser("admin@aaa.example.com").withAssumedRole("package#aaa00.admin")
|
.byUser("customer-admin@xxx.example.com").withAssumedRole("package#xxx00.admin")
|
||||||
.grantingRole("package#aaa00.admin").toUser(newUser.getName()));
|
.grantingRole("package#xxx00.admin").toUser(newUser.getName()));
|
||||||
|
|
||||||
// when
|
// when
|
||||||
context("aaa00@aaa.example.com", "package#aaa00.admin");
|
context("pac-admin-xxx00@xxx.example.com", "package#xxx00.admin");
|
||||||
final var revokeAttempt = attempt(em, () -> {
|
final var revokeAttempt = attempt(em, () -> {
|
||||||
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
|
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
|
||||||
});
|
});
|
||||||
|
|
||||||
// then
|
// then
|
||||||
assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull();
|
assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull();
|
||||||
context("admin@aaa.example.com", "customer#aaa.admin");
|
context("customer-admin@xxx.example.com", "customer#xxx.admin");
|
||||||
assertThat(rbacGrantRepository.findAll())
|
assertThat(rbacGrantRepository.findAll())
|
||||||
.extracting(RbacGrantEntity::getGranteeUserName)
|
.extracting(RbacGrantEntity::getGranteeUserName)
|
||||||
.doesNotContain("aac00@aac.example.com");
|
.doesNotContain("pac-admin-zzz00@zzz.example.com");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void packageAdmin_canNotRevokeOwnPackageAdminRoleGrantedByOwnerRoleOfThatPackage() {
|
public void packageAdmin_canNotRevokeOwnPackageAdminRoleGrantedByOwnerRoleOfThatPackage() {
|
||||||
// given
|
// given
|
||||||
final var grant = create(grant()
|
final var grant = create(grant()
|
||||||
.byUser("admin@aaa.example.com").withAssumedRole("package#aaa00.owner")
|
.byUser("customer-admin@xxx.example.com").withAssumedRole("package#xxx00.owner")
|
||||||
.grantingRole("package#aaa00.admin").toUser("aac00@aac.example.com"));
|
.grantingRole("package#xxx00.admin").toUser("pac-admin-zzz00@zzz.example.com"));
|
||||||
final var grantedByRole = rbacRoleRepository.findByRoleName("package#aaa00.owner");
|
final var grantedByRole = rbacRoleRepository.findByRoleName("package#xxx00.owner");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
context("aaa00@aaa.example.com", "package#aaa00.admin");
|
context("pac-admin-xxx00@xxx.example.com", "package#xxx00.admin");
|
||||||
final var revokeAttempt = attempt(em, () -> {
|
final var revokeAttempt = attempt(em, () -> {
|
||||||
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
|
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
|
||||||
});
|
});
|
||||||
@ -231,7 +231,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
// then
|
// then
|
||||||
revokeAttempt.assertExceptionWithRootCauseMessage(
|
revokeAttempt.assertExceptionWithRootCauseMessage(
|
||||||
JpaSystemException.class,
|
JpaSystemException.class,
|
||||||
"ERROR: [403] Revoking role created by %s is forbidden for {package#aaa00.admin}.".formatted(
|
"ERROR: [403] Revoking role created by %s is forbidden for {package#xxx00.admin}.".formatted(
|
||||||
grantedByRole.getUuid()
|
grantedByRole.getUuid()
|
||||||
));
|
));
|
||||||
}
|
}
|
||||||
|
@ -50,14 +50,14 @@ class RbacRoleControllerAcceptanceTest {
|
|||||||
.then().assertThat()
|
.then().assertThat()
|
||||||
.statusCode(200)
|
.statusCode(200)
|
||||||
.contentType("application/json")
|
.contentType("application/json")
|
||||||
.body("[0].roleName", is("customer#aaa.admin"))
|
.body("[0].roleName", is("customer#xxx.admin"))
|
||||||
.body("[1].roleName", is("customer#aaa.owner"))
|
.body("[1].roleName", is("customer#xxx.owner"))
|
||||||
.body("[2].roleName", is("customer#aaa.tenant"))
|
.body("[2].roleName", is("customer#xxx.tenant"))
|
||||||
// ...
|
// ...
|
||||||
.body("", hasItem(hasEntry("roleName", "global#hostsharing.admin")))
|
.body("", hasItem(hasEntry("roleName", "global#hostsharing.admin")))
|
||||||
.body("", hasItem(hasEntry("roleName", "customer#aab.admin")))
|
.body("", hasItem(hasEntry("roleName", "customer#yyy.admin")))
|
||||||
.body("", hasItem(hasEntry("roleName", "package#aab00.admin")))
|
.body("", hasItem(hasEntry("roleName", "package#yyy00.admin")))
|
||||||
.body("", hasItem(hasEntry("roleName", "unixuser#aab00-aaaa.owner")))
|
.body("", hasItem(hasEntry("roleName", "unixuser#yyy00-aaaa.owner")))
|
||||||
.body( "size()", is(73)); // increases with new test data
|
.body( "size()", is(73)); // increases with new test data
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
}
|
}
|
||||||
@ -70,17 +70,19 @@ class RbacRoleControllerAcceptanceTest {
|
|||||||
RestAssured
|
RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@hostsharing.net")
|
||||||
.header("assumed-roles", "package#aab00.admin")
|
.header("assumed-roles", "package#yyy00.admin")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/rbac-roles")
|
.get("http://localhost/api/rbac-roles")
|
||||||
.then().assertThat()
|
.then()
|
||||||
|
.log().body()
|
||||||
|
.assertThat()
|
||||||
.statusCode(200)
|
.statusCode(200)
|
||||||
.contentType("application/json")
|
.contentType("application/json")
|
||||||
.body("[0].roleName", is("customer#aab.tenant"))
|
.body("[0].roleName", is("customer#yyy.tenant"))
|
||||||
.body("[1].roleName", is("package#aab00.admin"))
|
.body("[1].roleName", is("package#yyy00.admin"))
|
||||||
.body("[2].roleName", is("package#aab00.tenant"))
|
.body("[2].roleName", is("package#yyy00.tenant"))
|
||||||
.body("[3].roleName", is("unixuser#aab00-aaaa.admin"))
|
.body("[3].roleName", is("unixuser#yyy00-aaaa.admin"))
|
||||||
.body("size()", is(7)); // increases with new test data
|
.body("size()", is(7)); // increases with new test data
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
}
|
}
|
||||||
@ -92,18 +94,18 @@ class RbacRoleControllerAcceptanceTest {
|
|||||||
// @formatter:off
|
// @formatter:off
|
||||||
RestAssured
|
RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "aac00@aac.example.com")
|
.header("current-user", "pac-admin-zzz00@zzz.example.com")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/rbac-roles")
|
.get("http://localhost/api/rbac-roles")
|
||||||
.then().assertThat()
|
.then().assertThat()
|
||||||
.statusCode(200)
|
.statusCode(200)
|
||||||
.contentType("application/json")
|
.contentType("application/json")
|
||||||
.body("[0].roleName", is("customer#aac.tenant"))
|
.body("[0].roleName", is("customer#zzz.tenant"))
|
||||||
.body("[1].roleName", is("package#aac00.admin"))
|
.body("[1].roleName", is("package#zzz00.admin"))
|
||||||
.body("[2].roleName", is("package#aac00.tenant"))
|
.body("[2].roleName", is("package#zzz00.tenant"))
|
||||||
.body("[3].roleName", is("unixuser#aac00-aaaa.admin"))
|
.body("[3].roleName", is("unixuser#zzz00-aaaa.admin"))
|
||||||
.body("size()", is(7)); // increases with new test data
|
.body("size()", is(7)); // increases with new test data
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
}
|
}
|
||||||
|
|
||||||
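Review bot: The `.log().body()` inserted between `.then()` and `.assertThat()` in the `package#yyy00.admin` request reads like leftover debugging: it dumps the full role list into the test output on every run, while the other requests in this file still go straight from `.then()` to `.assertThat()`. If the body is wanted for diagnosing failures, `.then().log().ifValidationFails().assertThat()` keeps green runs quiet; otherwise drop the two added lines and restore `.then().assertThat()`. The enclosing test method starts outside the hunk.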
|
@ -35,18 +35,18 @@ class RbacRoleRepositoryIntegrationTest {
|
|||||||
private static final String[] ALL_TEST_DATA_ROLES = Array.of(
|
private static final String[] ALL_TEST_DATA_ROLES = Array.of(
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
"global#hostsharing.admin",
|
"global#hostsharing.admin",
|
||||||
"customer#aaa.admin", "customer#aaa.owner", "customer#aaa.tenant",
|
"customer#xxx.admin", "customer#xxx.owner", "customer#xxx.tenant",
|
||||||
"package#aaa00.admin", "package#aaa00.owner", "package#aaa00.tenant",
|
"package#xxx00.admin", "package#xxx00.owner", "package#xxx00.tenant",
|
||||||
"package#aaa01.admin", "package#aaa01.owner", "package#aaa01.tenant",
|
"package#xxx01.admin", "package#xxx01.owner", "package#xxx01.tenant",
|
||||||
"package#aaa02.admin", "package#aaa02.owner", "package#aaa02.tenant",
|
"package#xxx02.admin", "package#xxx02.owner", "package#xxx02.tenant",
|
||||||
"customer#aab.admin", "customer#aab.owner", "customer#aab.tenant",
|
"customer#yyy.admin", "customer#yyy.owner", "customer#yyy.tenant",
|
||||||
"package#aab00.admin", "package#aab00.owner", "package#aab00.tenant",
|
"package#yyy00.admin", "package#yyy00.owner", "package#yyy00.tenant",
|
||||||
"package#aab01.admin", "package#aab01.owner", "package#aab01.tenant",
|
"package#yyy01.admin", "package#yyy01.owner", "package#yyy01.tenant",
|
||||||
"package#aab02.admin", "package#aab02.owner", "package#aab02.tenant",
|
"package#yyy02.admin", "package#yyy02.owner", "package#yyy02.tenant",
|
||||||
"customer#aac.admin", "customer#aac.owner", "customer#aac.tenant",
|
"customer#zzz.admin", "customer#zzz.owner", "customer#zzz.tenant",
|
||||||
"package#aac00.admin", "package#aac00.owner", "package#aac00.tenant",
|
"package#zzz00.admin", "package#zzz00.owner", "package#zzz00.tenant",
|
||||||
"package#aac01.admin", "package#aac01.owner", "package#aac01.tenant",
|
"package#zzz01.admin", "package#zzz01.owner", "package#zzz01.tenant",
|
||||||
"package#aac02.admin", "package#aac02.owner", "package#aac02.tenant"
|
"package#zzz02.admin", "package#zzz02.owner", "package#zzz02.tenant"
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -78,7 +78,7 @@ class RbacRoleRepositoryIntegrationTest {
|
|||||||
@Test
|
@Test
|
||||||
public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnRbacRole() {
|
public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnRbacRole() {
|
||||||
// given:
|
// given:
|
||||||
currentUser("admin@aaa.example.com");
|
currentUser("customer-admin@xxx.example.com");
|
||||||
|
|
||||||
// when:
|
// when:
|
||||||
final var result = rbacRoleRepository.findAll();
|
final var result = rbacRoleRepository.findAll();
|
||||||
@ -87,57 +87,57 @@ class RbacRoleRepositoryIntegrationTest {
|
|||||||
allTheseRbacRolesAreReturned(
|
allTheseRbacRolesAreReturned(
|
||||||
result,
|
result,
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
"customer#aaa.admin",
|
"customer#xxx.admin",
|
||||||
"customer#aaa.tenant",
|
"customer#xxx.tenant",
|
||||||
"package#aaa00.admin",
|
"package#xxx00.admin",
|
||||||
"package#aaa00.owner",
|
"package#xxx00.owner",
|
||||||
"package#aaa00.tenant",
|
"package#xxx00.tenant",
|
||||||
"package#aaa01.admin",
|
"package#xxx01.admin",
|
||||||
"package#aaa01.owner",
|
"package#xxx01.owner",
|
||||||
"package#aaa01.tenant",
|
"package#xxx01.tenant",
|
||||||
// ...
|
// ...
|
||||||
"unixuser#aaa00-aaaa.admin",
|
"unixuser#xxx00-aaaa.admin",
|
||||||
"unixuser#aaa00-aaaa.owner",
|
"unixuser#xxx00-aaaa.owner",
|
||||||
// ..
|
// ..
|
||||||
"unixuser#aaa01-aaaa.admin",
|
"unixuser#xxx01-aaab.admin",
|
||||||
"unixuser#aaa01-aaaa.owner"
|
"unixuser#xxx01-aaab.owner"
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
);
|
);
|
||||||
noneOfTheseRbacRolesIsReturned(
|
noneOfTheseRbacRolesIsReturned(
|
||||||
result,
|
result,
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
"global#hostsharing.admin",
|
"global#hostsharing.admin",
|
||||||
"customer#aaa.owner",
|
"customer#xxx.owner",
|
||||||
"package#aab00.admin",
|
"package#yyy00.admin",
|
||||||
"package#aab00.owner",
|
"package#yyy00.owner",
|
||||||
"package#aab00.tenant"
|
"package#yyy00.tenant"
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnRbacRole() {
|
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnRbacRole() {
|
||||||
currentUser("admin@aaa.example.com");
|
currentUser("customer-admin@xxx.example.com");
|
||||||
assumedRoles("package#aaa00.admin");
|
assumedRoles("package#xxx00.admin");
|
||||||
|
|
||||||
final var result = rbacRoleRepository.findAll();
|
final var result = rbacRoleRepository.findAll();
|
||||||
|
|
||||||
exactlyTheseRbacRolesAreReturned(
|
exactlyTheseRbacRolesAreReturned(
|
||||||
result,
|
result,
|
||||||
"customer#aaa.tenant",
|
"customer#xxx.tenant",
|
||||||
"package#aaa00.admin",
|
"package#xxx00.admin",
|
||||||
"package#aaa00.tenant",
|
"package#xxx00.tenant",
|
||||||
"unixuser#aaa00-aaaa.admin",
|
"unixuser#xxx00-aaaa.admin",
|
||||||
"unixuser#aaa00-aaaa.owner",
|
"unixuser#xxx00-aaaa.owner",
|
||||||
"unixuser#aaa00-aaab.admin",
|
"unixuser#xxx00-aaab.admin",
|
||||||
"unixuser#aaa00-aaab.owner");
|
"unixuser#xxx00-aaab.owner");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void customerAdmin_withAssumedAlienPackageAdminRole_cannotViewAnyRbacRole() {
|
public void customerAdmin_withAssumedAlienPackageAdminRole_cannotViewAnyRbacRole() {
|
||||||
// given:
|
// given:
|
||||||
currentUser("admin@aaa.example.com");
|
currentUser("customer-admin@xxx.example.com");
|
||||||
assumedRoles("package#aab00.admin");
|
assumedRoles("package#yyy00.admin");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = attempt(
|
final var result = attempt(
|
||||||
@ -147,7 +147,7 @@ class RbacRoleRepositoryIntegrationTest {
|
|||||||
// then
|
// then
|
||||||
result.assertExceptionWithRootCauseMessage(
|
result.assertExceptionWithRootCauseMessage(
|
||||||
JpaSystemException.class,
|
JpaSystemException.class,
|
||||||
"[403] user admin@aaa.example.com", "has no permission to assume role package#aab00#admin");
|
"[403] user customer-admin@xxx.example.com", "has no permission to assume role package#yyy00#admin");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@ -166,7 +166,7 @@ class RbacRoleRepositoryIntegrationTest {
|
|||||||
@Test
|
@Test
|
||||||
void unknownUser_withAssumedRbacRoleRole_cannotViewAnyRbacRoles() {
|
void unknownUser_withAssumedRbacRoleRole_cannotViewAnyRbacRoles() {
|
||||||
currentUser("unknown@example.org");
|
currentUser("unknown@example.org");
|
||||||
assumedRoles("RbacRole#aaa.admin");
|
assumedRoles("RbacRole#xxx.admin");
|
||||||
|
|
||||||
final var result = attempt(
|
final var result = attempt(
|
||||||
em,
|
em,
|
||||||
@ -183,19 +183,19 @@ class RbacRoleRepositoryIntegrationTest {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
void customerAdmin_withoutAssumedRole_canFindItsOwnRolesByName() {
|
void customerAdmin_withoutAssumedRole_canFindItsOwnRolesByName() {
|
||||||
currentUser("admin@aaa.example.com");
|
currentUser("customer-admin@xxx.example.com");
|
||||||
|
|
||||||
final var result = rbacRoleRepository.findByRoleName("customer#aaa.admin");
|
final var result = rbacRoleRepository.findByRoleName("customer#xxx.admin");
|
||||||
|
|
||||||
assertThat(result).isNotNull();
|
assertThat(result).isNotNull();
|
||||||
assertThat(result.getObjectTable()).isEqualTo("customer");
|
assertThat(result.getObjectTable()).isEqualTo("customer");
|
||||||
assertThat(result.getObjectIdName()).isEqualTo("aaa");
|
assertThat(result.getObjectIdName()).isEqualTo("xxx");
|
||||||
assertThat(result.getRoleType()).isEqualTo(RbacRoleType.admin);
|
assertThat(result.getRoleType()).isEqualTo(RbacRoleType.admin);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
void customerAdmin_withoutAssumedRole_canNotFindAlienRolesByName() {
|
void customerAdmin_withoutAssumedRole_canNotFindAlienRolesByName() {
|
||||||
currentUser("admin@aaa.example.com");
|
currentUser("customer-admin@xxx.example.com");
|
||||||
|
|
||||||
final var result = rbacRoleRepository.findByRoleName("customer#bbb.admin");
|
final var result = rbacRoleRepository.findByRoleName("customer#bbb.admin");
|
||||||
|
|
||||||
|
@ -49,16 +49,16 @@ class RbacUserControllerAcceptanceTest {
|
|||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/rbac-users")
|
.get("http://localhost/api/rbac-users")
|
||||||
.then().assertThat()
|
.then().log().body().assertThat()
|
||||||
.statusCode(200)
|
.statusCode(200)
|
||||||
.contentType("application/json")
|
.contentType("application/json")
|
||||||
.body("[0].name", is("aaa00@aaa.example.com"))
|
.body("[0].name", is("customer-admin@xxx.example.com"))
|
||||||
.body("[1].name", is("aaa01@aaa.example.com"))
|
.body("[1].name", is("customer-admin@yyy.example.com"))
|
||||||
.body("[2].name", is("aaa02@aaa.example.com"))
|
.body("[2].name", is("customer-admin@zzz.example.com"))
|
||||||
.body("[3].name", is("aab00@aab.example.com"))
|
.body("[3].name", is("mike@hostsharing.net"))
|
||||||
// ...
|
// ...
|
||||||
.body("[11].name", is("admin@aac.example.com"))
|
.body("[11].name", is("pac-admin-zzz01@zzz.example.com"))
|
||||||
.body("[12].name", is("mike@hostsharing.net"))
|
.body("[12].name", is("pac-admin-zzz02@zzz.example.com"))
|
||||||
.body("[13].name", is("sven@hostsharing.net"))
|
.body("[13].name", is("sven@hostsharing.net"))
|
||||||
.body("size()", greaterThanOrEqualTo(14));
|
.body("size()", greaterThanOrEqualTo(14));
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
@ -73,13 +73,13 @@ class RbacUserControllerAcceptanceTest {
|
|||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@hostsharing.net")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/rbac-users?name=aac")
|
.get("http://localhost/api/rbac-users?name=pac-admin-zzz0")
|
||||||
.then().assertThat()
|
.then().log().body().assertThat()
|
||||||
.statusCode(200)
|
.statusCode(200)
|
||||||
.contentType("application/json")
|
.contentType("application/json")
|
||||||
.body("[0].name", is("aac00@aac.example.com"))
|
.body("[0].name", is("pac-admin-zzz00@zzz.example.com"))
|
||||||
.body("[1].name", is("aac01@aac.example.com"))
|
.body("[1].name", is("pac-admin-zzz01@zzz.example.com"))
|
||||||
.body("[2].name", is("aac02@aac.example.com"))
|
.body("[2].name", is("pac-admin-zzz02@zzz.example.com"))
|
||||||
.body("size()", is(3));
|
.body("size()", is(3));
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
}
|
}
|
||||||
@ -90,17 +90,17 @@ class RbacUserControllerAcceptanceTest {
|
|||||||
// @formatter:off
|
// @formatter:off
|
||||||
RestAssured
|
RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "admin@aab.example.com")
|
.header("current-user", "customer-admin@yyy.example.com")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/rbac-users")
|
.get("http://localhost/api/rbac-users")
|
||||||
.then().assertThat()
|
.then().assertThat()
|
||||||
.statusCode(200)
|
.statusCode(200)
|
||||||
.contentType("application/json")
|
.contentType("application/json")
|
||||||
.body("[0].name", is("aab00@aab.example.com"))
|
.body("[0].name", is("customer-admin@yyy.example.com"))
|
||||||
.body("[1].name", is("aab01@aab.example.com"))
|
.body("[1].name", is("pac-admin-yyy00@yyy.example.com"))
|
||||||
.body("[2].name", is("aab02@aab.example.com"))
|
.body("[2].name", is("pac-admin-yyy01@yyy.example.com"))
|
||||||
.body("[3].name", is("admin@aab.example.com"))
|
.body("[3].name", is("pac-admin-yyy02@yyy.example.com"))
|
||||||
.body("size()", is(4));
|
.body("size()", is(4));
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
}
|
}
|
||||||
@ -111,14 +111,14 @@ class RbacUserControllerAcceptanceTest {
|
|||||||
// @formatter:off
|
// @formatter:off
|
||||||
RestAssured
|
RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "aaa01@aaa.example.com")
|
.header("current-user", "pac-admin-xxx01@xxx.example.com")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/rbac-users")
|
.get("http://localhost/api/rbac-users")
|
||||||
.then().assertThat()
|
.then().assertThat()
|
||||||
.statusCode(200)
|
.statusCode(200)
|
||||||
.contentType("application/json")
|
.contentType("application/json")
|
||||||
.body("[0].name", is("aaa01@aaa.example.com"))
|
.body("[0].name", is("pac-admin-xxx01@xxx.example.com"))
|
||||||
.body("size()", is(1));
|
.body("size()", is(1));
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
}
|
}
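Review bot: The first hunk of this file pins users to fixed positions (`[0]` … `[13]`) while only bounding the total with `greaterThanOrEqualTo(14)`, so any additional test user whose name sorts before `sven@hostsharing.net` silently shifts the indices and breaks the test; the ordering itself appears to be alphabetical but is not asserted anywhere. With a lower bound on the size it would be more robust to check membership (`hasItems("customer-admin@xxx.example.com", "mike@hostsharing.net", ...)`) or to pin positions only for the first entries and pair that with an exact `size()`. The added `.then().log().body()` also dumps every response body to the test output on each run; RestAssured's `.then().log().ifValidationFails()` gives the same diagnostic only when an assertion fails. The same `.log().body()` was added in the hunk for the `?name=pac-admin-zzz0` query.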
|
||||||
|
@ -66,7 +66,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
|
|
||||||
// when:
|
// when:
|
||||||
final var result = jpaAttempt.transacted(() -> {
|
final var result = jpaAttempt.transacted(() -> {
|
||||||
context("admin@aaa.example.com");
|
context("customer-admin@xxx.example.com");
|
||||||
return rbacUserRepository.create(new RbacUserEntity(givenUuid, newUserName));
|
return rbacUserRepository.create(new RbacUserEntity(givenUuid, newUserName));
|
||||||
});
|
});
|
||||||
|
|
||||||
@ -88,12 +88,12 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
private static final String[] ALL_TEST_DATA_USERS = Array.of(
|
private static final String[] ALL_TEST_DATA_USERS = Array.of(
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
"mike@hostsharing.net", "sven@hostsharing.net",
|
"mike@hostsharing.net", "sven@hostsharing.net",
|
||||||
"admin@aaa.example.com",
|
"customer-admin@xxx.example.com",
|
||||||
"aaa00@aaa.example.com", "aaa01@aaa.example.com", "aaa02@aaa.example.com",
|
"pac-admin-xxx00@xxx.example.com", "pac-admin-xxx01@xxx.example.com", "pac-admin-xxx02@xxx.example.com",
|
||||||
"admin@aab.example.com",
|
"customer-admin@yyy.example.com",
|
||||||
"aab00@aab.example.com", "aab01@aab.example.com", "aab02@aab.example.com",
|
"pac-admin-yyy00@yyy.example.com", "pac-admin-yyy01@yyy.example.com", "pac-admin-yyy02@yyy.example.com",
|
||||||
"admin@aac.example.com",
|
"customer-admin@zzz.example.com",
|
||||||
"aac00@aac.example.com", "aac01@aac.example.com", "aac02@aac.example.com"
|
"pac-admin-zzz00@zzz.example.com", "pac-admin-zzz01@zzz.example.com", "pac-admin-zzz02@zzz.example.com"
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -124,7 +124,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
@Test
|
@Test
|
||||||
public void hostsharingAdmin_withAssumedCustomerAdminRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() {
|
public void hostsharingAdmin_withAssumedCustomerAdminRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() {
|
||||||
given:
|
given:
|
||||||
context("mike@hostsharing.net", "customer#aaa.admin");
|
context("mike@hostsharing.net", "customer#xxx.admin");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = rbacUserRepository.findByOptionalNameLike(null);
|
final var result = rbacUserRepository.findByOptionalNameLike(null);
|
||||||
@ -132,15 +132,15 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
then:
|
then:
|
||||||
exactlyTheseRbacUsersAreReturned(
|
exactlyTheseRbacUsersAreReturned(
|
||||||
result,
|
result,
|
||||||
"admin@aaa.example.com",
|
"customer-admin@xxx.example.com",
|
||||||
"aaa00@aaa.example.com", "aaa01@aaa.example.com", "aaa02@aaa.example.com"
|
"pac-admin-xxx00@xxx.example.com", "pac-admin-xxx01@xxx.example.com", "pac-admin-xxx02@xxx.example.com"
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void customerAdmin_withoutAssumedRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() {
|
public void customerAdmin_withoutAssumedRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() {
|
||||||
// given:
|
// given:
|
||||||
context("admin@aaa.example.com");
|
context("customer-admin@xxx.example.com");
|
||||||
|
|
||||||
// when:
|
// when:
|
||||||
final var result = rbacUserRepository.findByOptionalNameLike(null);
|
final var result = rbacUserRepository.findByOptionalNameLike(null);
|
||||||
@ -148,27 +148,27 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
// then:
|
// then:
|
||||||
exactlyTheseRbacUsersAreReturned(
|
exactlyTheseRbacUsersAreReturned(
|
||||||
result,
|
result,
|
||||||
"admin@aaa.example.com",
|
"customer-admin@xxx.example.com",
|
||||||
"aaa00@aaa.example.com", "aaa01@aaa.example.com", "aaa02@aaa.example.com"
|
"pac-admin-xxx00@xxx.example.com", "pac-admin-xxx01@xxx.example.com", "pac-admin-xxx02@xxx.example.com"
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyUsersHavingRolesInThatPackage() {
|
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyUsersHavingRolesInThatPackage() {
|
||||||
context("admin@aaa.example.com", "package#aaa00.admin");
|
context("customer-admin@xxx.example.com", "package#xxx00.admin");
|
||||||
|
|
||||||
final var result = rbacUserRepository.findByOptionalNameLike(null);
|
final var result = rbacUserRepository.findByOptionalNameLike(null);
|
||||||
|
|
||||||
exactlyTheseRbacUsersAreReturned(result, "aaa00@aaa.example.com");
|
exactlyTheseRbacUsersAreReturned(result, "pac-admin-xxx00@xxx.example.com");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void packageAdmin_withoutAssumedRole_canViewOnlyUsersHavingRolesInThatPackage() {
|
public void packageAdmin_withoutAssumedRole_canViewOnlyUsersHavingRolesInThatPackage() {
|
||||||
context("aaa00@aaa.example.com");
|
context("pac-admin-xxx00@xxx.example.com");
|
||||||
|
|
||||||
final var result = rbacUserRepository.findByOptionalNameLike(null);
|
final var result = rbacUserRepository.findByOptionalNameLike(null);
|
||||||
|
|
||||||
exactlyTheseRbacUsersAreReturned(result, "aaa00@aaa.example.com");
|
exactlyTheseRbacUsersAreReturned(result, "pac-admin-xxx00@xxx.example.com");
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
@ -180,47 +180,47 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
// @formatter:off
|
// @formatter:off
|
||||||
"global#hostsharing.admin -> global#hostsharing: add-customer",
|
"global#hostsharing.admin -> global#hostsharing: add-customer",
|
||||||
|
|
||||||
"customer#aaa.admin -> customer#aaa: add-package",
|
"customer#xxx.admin -> customer#xxx: add-package",
|
||||||
"customer#aaa.admin -> customer#aaa: view",
|
"customer#xxx.admin -> customer#xxx: view",
|
||||||
"customer#aaa.owner -> customer#aaa: *",
|
"customer#xxx.owner -> customer#xxx: *",
|
||||||
"customer#aaa.tenant -> customer#aaa: view",
|
"customer#xxx.tenant -> customer#xxx: view",
|
||||||
"package#aaa00.admin -> package#aaa00: add-domain",
|
"package#xxx00.admin -> package#xxx00: add-domain",
|
||||||
"package#aaa00.admin -> package#aaa00: add-unixuser",
|
"package#xxx00.admin -> package#xxx00: add-unixuser",
|
||||||
"package#aaa00.tenant -> package#aaa00: view",
|
"package#xxx00.tenant -> package#xxx00: view",
|
||||||
"package#aaa01.admin -> package#aaa01: add-domain",
|
"package#xxx01.admin -> package#xxx01: add-domain",
|
||||||
"package#aaa01.admin -> package#aaa01: add-unixuser",
|
"package#xxx01.admin -> package#xxx01: add-unixuser",
|
||||||
"package#aaa01.tenant -> package#aaa01: view",
|
"package#xxx01.tenant -> package#xxx01: view",
|
||||||
"package#aaa02.admin -> package#aaa02: add-domain",
|
"package#xxx02.admin -> package#xxx02: add-domain",
|
||||||
"package#aaa02.admin -> package#aaa02: add-unixuser",
|
"package#xxx02.admin -> package#xxx02: add-unixuser",
|
||||||
"package#aaa02.tenant -> package#aaa02: view",
|
"package#xxx02.tenant -> package#xxx02: view",
|
||||||
|
|
||||||
"customer#aab.admin -> customer#aab: add-package",
|
"customer#yyy.admin -> customer#yyy: add-package",
|
||||||
"customer#aab.admin -> customer#aab: view",
|
"customer#yyy.admin -> customer#yyy: view",
|
||||||
"customer#aab.owner -> customer#aab: *",
|
"customer#yyy.owner -> customer#yyy: *",
|
||||||
"customer#aab.tenant -> customer#aab: view",
|
"customer#yyy.tenant -> customer#yyy: view",
|
||||||
"package#aab00.admin -> package#aab00: add-domain",
|
"package#yyy00.admin -> package#yyy00: add-domain",
|
||||||
"package#aab00.admin -> package#aab00: add-unixuser",
|
"package#yyy00.admin -> package#yyy00: add-unixuser",
|
||||||
"package#aab00.tenant -> package#aab00: view",
|
"package#yyy00.tenant -> package#yyy00: view",
|
||||||
"package#aab01.admin -> package#aab01: add-domain",
|
"package#yyy01.admin -> package#yyy01: add-domain",
|
||||||
"package#aab01.admin -> package#aab01: add-unixuser",
|
"package#yyy01.admin -> package#yyy01: add-unixuser",
|
||||||
"package#aab01.tenant -> package#aab01: view",
|
"package#yyy01.tenant -> package#yyy01: view",
|
||||||
"package#aab02.admin -> package#aab02: add-domain",
|
"package#yyy02.admin -> package#yyy02: add-domain",
|
||||||
"package#aab02.admin -> package#aab02: add-unixuser",
|
"package#yyy02.admin -> package#yyy02: add-unixuser",
|
||||||
"package#aab02.tenant -> package#aab02: view",
|
"package#yyy02.tenant -> package#yyy02: view",
|
||||||
|
|
||||||
"customer#aac.admin -> customer#aac: add-package",
|
"customer#zzz.admin -> customer#zzz: add-package",
|
||||||
"customer#aac.admin -> customer#aac: view",
|
"customer#zzz.admin -> customer#zzz: view",
|
||||||
"customer#aac.owner -> customer#aac: *",
|
"customer#zzz.owner -> customer#zzz: *",
|
||||||
"customer#aac.tenant -> customer#aac: view",
|
"customer#zzz.tenant -> customer#zzz: view",
|
||||||
"package#aac00.admin -> package#aac00: add-domain",
|
"package#zzz00.admin -> package#zzz00: add-domain",
|
||||||
"package#aac00.admin -> package#aac00: add-unixuser",
|
"package#zzz00.admin -> package#zzz00: add-unixuser",
|
||||||
"package#aac00.tenant -> package#aac00: view",
|
"package#zzz00.tenant -> package#zzz00: view",
|
||||||
"package#aac01.admin -> package#aac01: add-domain",
|
"package#zzz01.admin -> package#zzz01: add-domain",
|
||||||
"package#aac01.admin -> package#aac01: add-unixuser",
|
"package#zzz01.admin -> package#zzz01: add-unixuser",
|
||||||
"package#aac01.tenant -> package#aac01: view",
|
"package#zzz01.tenant -> package#zzz01: view",
|
||||||
"package#aac02.admin -> package#aac02: add-domain",
|
"package#zzz02.admin -> package#zzz02: add-domain",
|
||||||
"package#aac02.admin -> package#aac02: add-unixuser",
|
"package#zzz02.admin -> package#zzz02: add-unixuser",
|
||||||
"package#aac02.tenant -> package#aac02: view"
|
"package#zzz02.tenant -> package#zzz02: view"
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -255,41 +255,41 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
@Test
|
@Test
|
||||||
public void customerAdmin_withoutAssumedRole_canViewTheirOwnPermissions() {
|
public void customerAdmin_withoutAssumedRole_canViewTheirOwnPermissions() {
|
||||||
// given
|
// given
|
||||||
context("admin@aaa.example.com");
|
context("customer-admin@xxx.example.com");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = rbacUserRepository.findPermissionsOfUser("admin@aaa.example.com");
|
final var result = rbacUserRepository.findPermissionsOfUser("customer-admin@xxx.example.com");
|
||||||
|
|
||||||
// then
|
// then
|
||||||
allTheseRbacPermissionsAreReturned(
|
allTheseRbacPermissionsAreReturned(
|
||||||
result,
|
result,
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
"customer#aaa.admin -> customer#aaa: add-package",
|
"customer#xxx.admin -> customer#xxx: add-package",
|
||||||
"customer#aaa.admin -> customer#aaa: view",
|
"customer#xxx.admin -> customer#xxx: view",
|
||||||
"customer#aaa.tenant -> customer#aaa: view",
|
"customer#xxx.tenant -> customer#xxx: view",
|
||||||
|
|
||||||
"package#aaa00.admin -> package#aaa00: add-domain",
|
"package#xxx00.admin -> package#xxx00: add-domain",
|
||||||
"package#aaa00.admin -> package#aaa00: add-unixuser",
|
"package#xxx00.admin -> package#xxx00: add-unixuser",
|
||||||
"package#aaa00.tenant -> package#aaa00: view",
|
"package#xxx00.tenant -> package#xxx00: view",
|
||||||
"unixuser#aaa00-aaaa.owner -> unixuser#aaa00-aaaa: *",
|
"unixuser#xxx00-aaaa.owner -> unixuser#xxx00-aaaa: *",
|
||||||
|
|
||||||
"package#aaa01.admin -> package#aaa01: add-domain",
|
"package#xxx01.admin -> package#xxx01: add-domain",
|
||||||
"package#aaa01.admin -> package#aaa01: add-unixuser",
|
"package#xxx01.admin -> package#xxx01: add-unixuser",
|
||||||
"package#aaa01.tenant -> package#aaa01: view",
|
"package#xxx01.tenant -> package#xxx01: view",
|
||||||
"unixuser#aaa01-aaaa.owner -> unixuser#aaa01-aaaa: *",
|
"unixuser#xxx01-aaaa.owner -> unixuser#xxx01-aaaa: *",
|
||||||
|
|
||||||
"package#aaa02.admin -> package#aaa02: add-domain",
|
"package#xxx02.admin -> package#xxx02: add-domain",
|
||||||
"package#aaa02.admin -> package#aaa02: add-unixuser",
|
"package#xxx02.admin -> package#xxx02: add-unixuser",
|
||||||
"package#aaa02.tenant -> package#aaa02: view",
|
"package#xxx02.tenant -> package#xxx02: view",
|
||||||
"unixuser#aaa02-aaaa.owner -> unixuser#aaa02-aaaa: *"
|
"unixuser#xxx02-aaaa.owner -> unixuser#xxx02-aaaa: *"
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
);
|
);
|
||||||
noneOfTheseRbacPermissionsAreReturned(
|
noneOfTheseRbacPermissionsAreReturned(
|
||||||
result,
|
result,
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
"customer#aab.admin -> customer#aab: add-package",
|
"customer#yyy.admin -> customer#yyy: add-package",
|
||||||
"customer#aab.admin -> customer#aab: view",
|
"customer#yyy.admin -> customer#yyy: view",
|
||||||
"customer#aab.tenant -> customer#aab: view"
|
"customer#yyy.tenant -> customer#yyy: view"
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
@ -297,7 +297,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
@Test
|
@Test
|
||||||
public void customerAdmin_withoutAssumedRole_isNotAllowedToViewGlobalAdminsPermissions() {
|
public void customerAdmin_withoutAssumedRole_isNotAllowedToViewGlobalAdminsPermissions() {
|
||||||
// given
|
// given
|
||||||
context("admin@aaa.example.com");
|
context("customer-admin@xxx.example.com");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = attempt(em, () ->
|
final var result = attempt(em, () ->
|
||||||
@ -307,41 +307,41 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
// then
|
// then
|
||||||
result.assertExceptionWithRootCauseMessage(
|
result.assertExceptionWithRootCauseMessage(
|
||||||
JpaSystemException.class,
|
JpaSystemException.class,
|
||||||
"[403] permissions of user \"mike@hostsharing.net\" are not accessible to user \"admin@aaa.example.com\"");
|
"[403] permissions of user \"mike@hostsharing.net\" are not accessible to user \"customer-admin@xxx.example.com\"");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void customerAdmin_withoutAssumedRole_canViewAllPermissionsWithinThePacketsRealm() {
|
public void customerAdmin_withoutAssumedRole_canViewAllPermissionsWithinThePacketsRealm() {
|
||||||
// given
|
// given
|
||||||
context("admin@aaa.example.com");
|
context("customer-admin@xxx.example.com");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = rbacUserRepository.findPermissionsOfUser("aaa00@aaa.example.com");
|
final var result = rbacUserRepository.findPermissionsOfUser("pac-admin-xxx00@xxx.example.com");
|
||||||
|
|
||||||
// then
|
// then
|
||||||
allTheseRbacPermissionsAreReturned(
|
allTheseRbacPermissionsAreReturned(
|
||||||
result,
|
result,
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
"customer#aaa.tenant -> customer#aaa: view",
|
"customer#xxx.tenant -> customer#xxx: view",
|
||||||
// "customer#aaa.admin -> customer#aaa: view" - Not permissions through the customer admin!
|
// "customer#xxx.admin -> customer#xxx: view" - Not permissions through the customer admin!
|
||||||
"package#aaa00.admin -> package#aaa00: add-unixuser",
|
"package#xxx00.admin -> package#xxx00: add-unixuser",
|
||||||
"package#aaa00.admin -> package#aaa00: add-domain",
|
"package#xxx00.admin -> package#xxx00: add-domain",
|
||||||
"package#aaa00.tenant -> package#aaa00: view",
|
"package#xxx00.tenant -> package#xxx00: view",
|
||||||
"unixuser#aaa00-aaaa.owner -> unixuser#aaa00-aaaa: *",
|
"unixuser#xxx00-aaaa.owner -> unixuser#xxx00-aaaa: *",
|
||||||
"unixuser#aaa00-aaab.owner -> unixuser#aaa00-aaab: *"
|
"unixuser#xxx00-aaab.owner -> unixuser#xxx00-aaab: *"
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
);
|
);
|
||||||
noneOfTheseRbacPermissionsAreReturned(
|
noneOfTheseRbacPermissionsAreReturned(
|
||||||
result,
|
result,
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
"customer#aab.admin -> customer#aab: add-package",
|
"customer#yyy.admin -> customer#yyy: add-package",
|
||||||
"customer#aab.admin -> customer#aab: view",
|
"customer#yyy.admin -> customer#yyy: view",
|
||||||
"customer#aab.tenant -> customer#aab: view",
|
"customer#yyy.tenant -> customer#yyy: view",
|
||||||
"package#aab00.admin -> package#aab00: add-unixuser",
|
"package#yyy00.admin -> package#yyy00: add-unixuser",
|
||||||
"package#aab00.admin -> package#aab00: add-domain",
|
"package#yyy00.admin -> package#yyy00: add-domain",
|
||||||
"package#aab00.tenant -> package#aab00: view",
|
"package#yyy00.tenant -> package#yyy00: view",
|
||||||
"unixuser#aab00-aaaa.owner -> unixuser#aab00-aaaa: *",
|
"unixuser#yyy00-aaaa.owner -> unixuser#yyy00-aaaa: *",
|
||||||
"unixuser#aab00-aaab.owner -> unixuser#aab00-aaab: *"
|
"unixuser#yyy00-aaab.owner -> unixuser#yyy00-aaab: *"
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
@ -349,10 +349,10 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
@Test
|
@Test
|
||||||
public void customerAdmin_withoutAssumedRole_canNotViewPermissionsOfUnrelatedUsers() {
|
public void customerAdmin_withoutAssumedRole_canNotViewPermissionsOfUnrelatedUsers() {
|
||||||
// given
|
// given
|
||||||
context("admin@aaa.example.com");
|
context("customer-admin@xxx.example.com");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = rbacUserRepository.findPermissionsOfUser("aab00@aab.example.com");
|
final var result = rbacUserRepository.findPermissionsOfUser("pac-admin-yyy00@yyy.example.com");
|
||||||
|
|
||||||
// then
|
// then
|
||||||
noRbacPermissionsAreReturned(result);
|
noRbacPermissionsAreReturned(result);
|
||||||
@ -361,36 +361,36 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
@Test
|
@Test
|
||||||
public void packetAdmin_withoutAssumedRole_canViewAllPermissionsWithinThePacketsRealm() {
|
public void packetAdmin_withoutAssumedRole_canViewAllPermissionsWithinThePacketsRealm() {
|
||||||
// given
|
// given
|
||||||
context("aaa00@aaa.example.com");
|
context("pac-admin-xxx00@xxx.example.com");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = rbacUserRepository.findPermissionsOfUser("aaa00@aaa.example.com");
|
final var result = rbacUserRepository.findPermissionsOfUser("pac-admin-xxx00@xxx.example.com");
|
||||||
|
|
||||||
// then
|
// then
|
||||||
allTheseRbacPermissionsAreReturned(
|
allTheseRbacPermissionsAreReturned(
|
||||||
result,
|
result,
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
"customer#aaa.tenant -> customer#aaa: view",
|
"customer#xxx.tenant -> customer#xxx: view",
|
||||||
// "customer#aaa.admin -> customer#aaa: view" - Not permissions through the customer admin!
|
// "customer#xxx.admin -> customer#xxx: view" - Not permissions through the customer admin!
|
||||||
"package#aaa00.admin -> package#aaa00: add-unixuser",
|
"package#xxx00.admin -> package#xxx00: add-unixuser",
|
||||||
"package#aaa00.admin -> package#aaa00: add-domain",
|
"package#xxx00.admin -> package#xxx00: add-domain",
|
||||||
"package#aaa00.tenant -> package#aaa00: view"
|
"package#xxx00.tenant -> package#xxx00: view"
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
);
|
);
|
||||||
noneOfTheseRbacPermissionsAreReturned(
|
noneOfTheseRbacPermissionsAreReturned(
|
||||||
result,
|
result,
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
// no customer admin permissions
|
// no customer admin permissions
|
||||||
"customer#aaa.admin -> customer#aaa: add-package",
|
"customer#xxx.admin -> customer#xxx: add-package",
|
||||||
// no permissions on other customer's objects
|
// no permissions on other customer's objects
|
||||||
"customer#aab.admin -> customer#aab: add-package",
|
"customer#yyy.admin -> customer#yyy: add-package",
|
||||||
"customer#aab.admin -> customer#aab: view",
|
"customer#yyy.admin -> customer#yyy: view",
|
||||||
"customer#aab.tenant -> customer#aab: view",
|
"customer#yyy.tenant -> customer#yyy: view",
|
||||||
"package#aab00.admin -> package#aab00: add-unixuser",
|
"package#yyy00.admin -> package#yyy00: add-unixuser",
|
||||||
"package#aab00.admin -> package#aab00: add-domain",
|
"package#yyy00.admin -> package#yyy00: add-domain",
|
||||||
"package#aab00.tenant -> package#aab00: view",
|
"package#yyy00.tenant -> package#yyy00: view",
|
||||||
"unixuser#aab00-aaaa.owner -> unixuser#aab00-aaaa: *",
|
"unixuser#yyy00-aaaa.owner -> unixuser#yyy00-aaaa: *",
|
||||||
"unixuser#aab00-aaab.owner -> unixuser#aab00-aaab: *"
|
"unixuser#yyy00-xxxb.owner -> unixuser#yyy00-xxxb: *"
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
);
|
);
|
||||||
}
|
}
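Review bot: In the last hunk the negative assertion `"unixuser#yyy00-xxxb.owner -> unixuser#yyy00-xxxb: *"` names a unixuser suffix `xxxb` that occurs nowhere else in the changed test data — every other hunk keeps the suffixes `aaaa`/`aaab` (for example `unixuser#yyy00-aaab` in the `customerAdmin_withoutAssumedRole_canViewAllPermissionsWithinThePacketsRealm` test). It looks like the `aaa`→`xxx` replacement matched the inside of `aaab`; because this is a `noneOfTheseRbacPermissionsAreReturned` check, a permission that does not exist makes the assertion pass vacuously and the test no longer proves that the package admin cannot see the other customer's unixuser permission. Restoring `"unixuser#yyy00-aaab.owner -> unixuser#yyy00-aaab: *"` keeps the negative check meaningful. A one-line comment above the list, `// must name permissions that really exist for customer yyy, otherwise the check is vacuous`, would help prevent the same slip in future renames.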
|
||||||
|
@ -5,8 +5,8 @@ import static java.util.UUID.randomUUID;
|
|||||||
|
|
||||||
public class TestRbacUser {
|
public class TestRbacUser {
|
||||||
|
|
||||||
static final RbacUserEntity userAaa = rbacRole("admin@aaa.example.com");
|
static final RbacUserEntity userxxx = rbacRole("customer-admin@xxx.example.com");
|
||||||
static final RbacUserEntity userBbb = rbacRole("admin@bbb.example.com");
|
static final RbacUserEntity userBbb = rbacRole("customer-admin@bbb.example.com");
|
||||||
|
|
||||||
static public RbacUserEntity rbacRole(final String userName) {
|
static public RbacUserEntity rbacRole(final String userName) {
|
||||||
return new RbacUserEntity(randomUUID(), userName);
|
return new RbacUserEntity(randomUUID(), userName);
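Review bot: `userxxx` breaks the lowerCamelCase convention that the neighbouring `userBbb` follows; `static final RbacUserEntity userXxx = rbacRole("customer-admin@xxx.example.com");` keeps the two constants consistent. `userBbb` is still pointing at `customer-admin@bbb.example.com`, which is not one of the xxx/yyy/zzz customers this commit introduces — if it is meant to be a second real test customer rather than a deliberately unknown one, it should probably become `userYyy` with `customer-admin@yyy.example.com`. The helper `rbacRole` constructs an `RbacUserEntity`, so `rbacUser` would describe it better, although that line is unchanged by this commit. The enclosing class continues below the hunk.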
|
||||||
|