use xxx, yyy and zzz for test customers, makes tests easier to read

This commit is contained in:
Michael Hoennig 2022-08-24 17:56:13 +02:00
parent 258f8b1f66
commit 6b4c9f6c51
16 changed files with 453 additions and 416 deletions

View File

@ -10,7 +10,6 @@ import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.bind.annotation.*; import org.springframework.web.bind.annotation.*;
import org.springframework.web.servlet.mvc.method.annotation.MvcUriComponentsBuilder; import org.springframework.web.servlet.mvc.method.annotation.MvcUriComponentsBuilder;
import javax.persistence.EntityManager;
import java.util.List; import java.util.List;
import java.util.UUID; import java.util.UUID;

View File

@ -15,48 +15,51 @@ begin
return 10000 + customerCount; return 10000 + customerCount;
end; $$; end; $$;
/* /*
Creates test data for the customer main table. Creates a single customer test record with dist.
*/ */
create or replace procedure createCustomerTestData( create or replace procedure createCustomerTestData(
startCount integer, -- count of auto generated rows before the run custReference integer,
endCount integer, -- count of auto generated rows after the run custPrefix varchar
doCommitAfterEach boolean -- only for mass data creation outside of Liquibase
) )
language plpgsql as $$ language plpgsql as $$
declare declare
currentTask varchar; currentTask varchar;
custReference integer;
custRowId uuid; custRowId uuid;
custPrefix varchar;
custAdminName varchar; custAdminName varchar;
begin
currentTask = 'creating RBAC test customer #' || custReference || '/' || custPrefix;
set local hsadminng.currentUser to 'mike@hostsharing.net';
set local hsadminng.assumedRoles to 'global#hostsharing.admin';
execute format('set local hsadminng.currentTask to %L', currentTask);
custRowId = uuid_generate_v4();
custAdminName = 'customer-admin@' || custPrefix || '.example.com';
raise notice 'creating customer %:%', custReference, custPrefix;
insert
into customer (reference, prefix, adminUserName)
values (custReference, custPrefix, custAdminName);
end; $$;
--//
/*
Creates a range of test customers for mass data generation.
*/
create or replace procedure createCustomerTestData(
startCount integer, -- count of auto generated rows before the run
endCount integer -- count of auto generated rows after the run
)
language plpgsql as $$
begin begin
set hsadminng.currentUser to ''; set hsadminng.currentUser to '';
for t in startCount..endCount for t in startCount..endCount
loop loop
currentTask = 'creating RBAC test customer #' || t; call createCustomerTestData(testCustomerReference(t), intToVarChar(t, 3));
set local hsadminng.currentUser to 'mike@hostsharing.net'; commit;
set local hsadminng.assumedRoles to 'global#hostsharing.admin';
execute format('set local hsadminng.currentTask to %L', currentTask);
-- When a new customer is created,
custReference = testCustomerReference(t);
custRowId = uuid_generate_v4();
custPrefix = intToVarChar(t, 3);
custAdminName = 'admin@' || custPrefix || '.example.com';
raise notice 'creating customer %:%', custReference, custPrefix;
insert
into customer (reference, prefix, adminUserName)
values (custReference, custPrefix, custAdminName);
if doCommitAfterEach then
commit;
end if;
end loop; end loop;
end; $$; end; $$;
--// --//
@ -67,7 +70,9 @@ end; $$;
do language plpgsql $$ do language plpgsql $$
begin begin
call createCustomerTestData(0, 2, false); call createCustomerTestData(99901, 'xxx');
call createCustomerTestData(99902, 'yyy');
call createCustomerTestData(99903, 'zzz');
end; end;
$$; $$;
--// --//

View File

@ -4,12 +4,9 @@
--changeset hs-package-TEST-DATA-GENERATOR:1 endDelimiter:--// --changeset hs-package-TEST-DATA-GENERATOR:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Creates test data for the package main table. Creates the given number of test packages for the given customer.
*/ */
create or replace procedure createPackageTestData( create or replace procedure createPackageTestData(customerPrefix varchar, pacCount int)
minCustomerReference integer, -- skip customers with reference below this
doCommitAfterEach boolean -- only for mass data creation outside of Liquibase
)
language plpgsql as $$ language plpgsql as $$
declare declare
cust customer; cust customer;
@ -18,43 +15,53 @@ declare
pacName varchar; pacName varchar;
currentTask varchar; currentTask varchar;
pac package; pac package;
begin
select * from customer where customer.prefix = customerPrefix into cust;
for t in 0..(pacCount-1)
loop
pacName = cust.prefix || to_char(t, 'fm00');
currentTask = 'creating RBAC test package #' || pacName || ' for customer ' || cust.prefix || ' #' ||
cust.uuid;
custAdminUser = 'customer-admin@' || cust.prefix || '.example.com';
custAdminRole = 'customer#' || cust.prefix || '.admin';
execute format('set local hsadminng.currentUser to %L', custAdminUser);
execute format('set local hsadminng.assumedRoles to %L', custAdminRole);
execute format('set local hsadminng.currentTask to %L', currentTask);
raise notice 'task: % by % as %', currentTask, custAdminUser, custAdminRole;
insert
into package (customerUuid, name, description)
values (cust.uuid, pacName, 'Here can add your own description of package ' || pacName || '.')
returning * into pac;
call grantRoleToUser(
getRoleId(customerAdmin(cust), 'fail'),
findRoleId(packageAdmin(pac)),
createRbacUser('pac-admin-' || pacName || '@' || cust.prefix || '.example.com'),
true);
end loop;
end; $$;
/*
Creates a range of test packages for mass data generation.
*/
create or replace procedure createPackageTestData()
language plpgsql as $$
declare
cust customer;
begin begin
set hsadminng.currentUser to ''; set hsadminng.currentUser to '';
for cust in (select * from customer) for cust in (select * from customer)
loop loop
continue when cust.reference < minCustomerReference; continue when cust.reference >= 90000; -- reserved for functional testing
call createPackageTestData(cust.prefix, 3);
for t in 0..2
loop
pacName = cust.prefix || to_char(t, 'fm00');
currentTask = 'creating RBAC test package #' || pacName || ' for customer ' || cust.prefix || ' #' ||
cust.uuid;
custAdminUser = 'admin@' || cust.prefix || '.example.com';
custAdminRole = 'customer#' || cust.prefix || '.admin';
execute format('set local hsadminng.currentUser to %L', custAdminUser);
execute format('set local hsadminng.assumedRoles to %L', custAdminRole);
execute format('set local hsadminng.currentTask to %L', currentTask);
raise notice 'task: % by % as %', currentTask, custAdminUser, custAdminRole;
insert
into package (customerUuid, name, description)
values (cust.uuid, pacName, 'Here can add your own description of package ' || pacName || '.')
returning * into pac;
call grantRoleToUser(
getRoleId(customerAdmin(cust), 'fail'),
findRoleId(packageAdmin(pac)),
createRbacUser(pacName || '@' || cust.prefix || '.example.com'),
true);
end loop;
end loop; end loop;
if doCommitAfterEach then commit;
commit;
end if;
end ; end ;
$$; $$;
--// --//
@ -66,7 +73,9 @@ $$;
do language plpgsql $$ do language plpgsql $$
begin begin
call createPackageTestData(0, false); call createPackageTestData('xxx', 3);
call createPackageTestData('yyy', 3);
call createPackageTestData('zzz', 3);
end; end;
$$; $$;
--// --//

View File

@ -4,13 +4,42 @@
--changeset hs-unixuser-TEST-DATA-GENERATOR:1 endDelimiter:--// --changeset hs-unixuser-TEST-DATA-GENERATOR:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Creates test data for the package main table. Creates the given count of test unix users for a single package.
*/ */
create or replace procedure createUnixUserTestData( create or replace procedure createUnixUserTestData( packageName varchar, unixUserCount int )
minCustomerReference integer, -- skip customers with reference below this language plpgsql as $$
unixUserPerPackage integer, -- create this many unix users for each package declare
doCommitAfterEach boolean -- only for mass data creation outside of Liquibase pac record;
) pacAdmin varchar;
currentTask varchar;
begin
set hsadminng.currentUser to '';
select p.uuid, p.name, c.prefix as custPrefix
from package p
join customer c on p.customeruuid = c.uuid
where p.name = packageName
into pac;
for t in 0..(unixUserCount-1)
loop
currentTask = 'creating RBAC test unixuser #' || t || ' for package ' || pac.name || ' #' || pac.uuid;
raise notice 'task: %', currentTask;
pacAdmin = 'pac-admin-' || pac.name || '@' || pac.custPrefix || '.example.com';
execute format('set local hsadminng.currentTask to %L', currentTask);
execute format('set local hsadminng.currentUser to %L', pacAdmin);
set local hsadminng.assumedRoles = '';
insert
into unixuser (name, packageUuid)
values (pac.name || '-' || intToVarChar(t, 4), pac.uuid);
end loop;
end; $$;
/*
Creates a range of unix users for mass data generation.
*/
create or replace procedure createUnixUserTestData( unixUserPerPackage integer )
language plpgsql as $$ language plpgsql as $$
declare declare
pac record; pac record;
@ -23,30 +52,13 @@ begin
(select p.uuid, p.name (select p.uuid, p.name
from package p from package p
join customer c on p.customeruuid = c.uuid join customer c on p.customeruuid = c.uuid
where c.reference >= minCustomerReference) where c.reference < 90000) -- reserved for functional testing
loop loop
call createUnixUserTestData(pac.name, 2);
for t in 0..(unixUserPerPackage-1) commit;
loop
currentTask = 'creating RBAC test unixuser #' || t || ' for package ' || pac.name || ' #' || pac.uuid;
raise notice 'task: %', currentTask;
pacAdmin = 'admin@' || pac.name || '.example.com';
execute format('set local hsadminng.currentTask to %L', currentTask);
execute format('set local hsadminng.currentUser to %L', pacAdmin);
set local hsadminng.assumedRoles = '';
insert
into unixuser (name, packageUuid)
values (pac.name || '-' || intToVarChar(t, 4), pac.uuid);
if doCommitAfterEach then
commit;
end if;
end loop;
end loop; end loop;
end; end; $$;
$$;
--// --//
@ -56,7 +68,17 @@ $$;
do language plpgsql $$ do language plpgsql $$
begin begin
call createUnixUserTestData(0, 2, false); call createUnixUserTestData('xxx00', 2);
call createUnixUserTestData('xxx01', 2);
call createUnixUserTestData('xxx02', 2);
call createUnixUserTestData('yyy00', 2);
call createUnixUserTestData('yyy01', 2);
call createUnixUserTestData('yyy02', 2);
call createUnixUserTestData('zzz00', 2);
call createUnixUserTestData('zzz01', 2);
call createUnixUserTestData('zzz02', 2);
end; end;
$$; $$;
--// --//

View File

@ -33,12 +33,12 @@ class ContextIntegrationTests {
@Transactional @Transactional
void assumeRoles() { void assumeRoles() {
context.setCurrentUser("mike@hostsharing.net"); context.setCurrentUser("mike@hostsharing.net");
context.assumeRoles("customer#aaa.owner;customer#aab.owner"); context.assumeRoles("customer#xxx.owner;customer#yyy.owner");
final var currentUser = context.getCurrentUser(); final var currentUser = context.getCurrentUser();
assertThat(currentUser).isEqualTo("mike@hostsharing.net"); assertThat(currentUser).isEqualTo("mike@hostsharing.net");
final var assumedRoles = context.getAssumedRoles(); final var assumedRoles = context.getAssumedRoles();
assertThat(assumedRoles).containsExactlyInAnyOrder("customer#aaa.owner", "customer#aab.owner"); assertThat(assumedRoles).containsExactlyInAnyOrder("customer#xxx.owner", "customer#yyy.owner");
} }
} }

View File

@ -92,7 +92,7 @@ class CustomerControllerRestTest {
mockMvc.perform(MockMvcRequestBuilders mockMvc.perform(MockMvcRequestBuilders
.get("/api/customers") .get("/api/customers")
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@hostsharing.net")
.header("assumed-roles", "admin@yyy.example.com") .header("assumed-roles", "customer-admin@yyy.example.com")
.accept(MediaType.APPLICATION_JSON)) .accept(MediaType.APPLICATION_JSON))
// then // then
@ -103,7 +103,7 @@ class CustomerControllerRestTest {
// then // then
verify(contextMock).setCurrentUser("mike@hostsharing.net"); verify(contextMock).setCurrentUser("mike@hostsharing.net");
verify(contextMock).assumeRoles("admin@yyy.example.com"); verify(contextMock).assumeRoles("customer-admin@yyy.example.com");
} }
} }

View File

@ -42,7 +42,7 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
final var result = attempt(em, () -> { final var result = attempt(em, () -> {
final var newCustomer = new CustomerEntity( final var newCustomer = new CustomerEntity(
UUID.randomUUID(), "xxx", 90001, "admin@xxx.example.com"); UUID.randomUUID(), "www", 90001, "customer-admin@www.example.com");
return customerRepository.save(newCustomer); return customerRepository.save(newCustomer);
}); });
@ -56,37 +56,37 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
@Test @Test
public void hostsharingAdmin_withAssumedCustomerRole_cannotCreateNewCustomer() { public void hostsharingAdmin_withAssumedCustomerRole_cannotCreateNewCustomer() {
// given // given
context("mike@hostsharing.net", "customer#aaa.admin"); context("mike@hostsharing.net", "customer#xxx.admin");
// when // when
final var result = attempt(em, () -> { final var result = attempt(em, () -> {
final var newCustomer = new CustomerEntity( final var newCustomer = new CustomerEntity(
UUID.randomUUID(), "xxx", 90001, "admin@xxx.example.com"); UUID.randomUUID(), "www", 90001, "customer-admin@www.example.com");
return customerRepository.save(newCustomer); return customerRepository.save(newCustomer);
}); });
// then // then
result.assertExceptionWithRootCauseMessage( result.assertExceptionWithRootCauseMessage(
PersistenceException.class, PersistenceException.class,
"add-customer not permitted for customer#aaa.admin"); "add-customer not permitted for customer#xxx.admin");
} }
@Test @Test
public void customerAdmin_withoutAssumedRole_cannotCreateNewCustomer() { public void customerAdmin_withoutAssumedRole_cannotCreateNewCustomer() {
// given // given
context("admin@aaa.example.com", null); context("customer-admin@xxx.example.com", null);
// when // when
final var result = attempt(em, () -> { final var result = attempt(em, () -> {
final var newCustomer = new CustomerEntity( final var newCustomer = new CustomerEntity(
UUID.randomUUID(), "yyy", 90002, "admin@yyy.example.com"); UUID.randomUUID(), "www", 90001, "customer-admin@www.example.com");
return customerRepository.save(newCustomer); return customerRepository.save(newCustomer);
}); });
// then // then
result.assertExceptionWithRootCauseMessage( result.assertExceptionWithRootCauseMessage(
PersistenceException.class, PersistenceException.class,
"add-customer not permitted for admin@aaa.example.com"); "add-customer not permitted for customer-admin@xxx.example.com");
} }
@ -108,7 +108,7 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
final var result = customerRepository.findCustomerByOptionalPrefixLike(null); final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
// then // then
exactlyTheseCustomersAreReturned(result, "aaa", "aab", "aac"); exactlyTheseCustomersAreReturned(result, "xxx", "yyy", "zzz");
} }
@Test @Test
@ -120,34 +120,34 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
final var result = customerRepository.findCustomerByOptionalPrefixLike(null); final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
then: then:
exactlyTheseCustomersAreReturned(result, "aaa", "aab", "aac"); exactlyTheseCustomersAreReturned(result, "xxx", "yyy", "zzz");
} }
@Test @Test
public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnCustomer() { public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnCustomer() {
// given: // given:
context("admin@aaa.example.com", null); context("customer-admin@xxx.example.com", null);
// when: // when:
final var result = customerRepository.findCustomerByOptionalPrefixLike(null); final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
// then: // then:
exactlyTheseCustomersAreReturned(result, "aaa"); exactlyTheseCustomersAreReturned(result, "xxx");
} }
@Test @Test
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnCustomer() { public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnCustomer() {
context("admin@aaa.example.com", "package#aaa00.admin"); context("customer-admin@xxx.example.com", "package#xxx00.admin");
final var result = customerRepository.findCustomerByOptionalPrefixLike(null); final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
exactlyTheseCustomersAreReturned(result, "aaa"); exactlyTheseCustomersAreReturned(result, "xxx");
} }
@Test @Test
public void customerAdmin_withAssumedAlienPackageAdminRole_cannotViewAnyCustomer() { public void customerAdmin_withAssumedAlienPackageAdminRole_cannotViewAnyCustomer() {
// given: // given:
context("admin@aaa.example.com", "package#aab00.admin"); context("customer-admin@xxx.example.com", "package#yyy00.admin");
// when // when
final var result = attempt( final var result = attempt(
@ -157,7 +157,7 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
// then // then
result.assertExceptionWithRootCauseMessage( result.assertExceptionWithRootCauseMessage(
JpaSystemException.class, JpaSystemException.class,
"[403] user admin@aaa.example.com", "has no permission to assume role package#aab00#admin"); "[403] user customer-admin@xxx.example.com", "has no permission to assume role package#yyy00#admin");
} }
@Test @Test
@ -176,7 +176,7 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
@Test @Test
@Transactional @Transactional
void unknownUser_withAssumedCustomerRole_cannotViewAnyCustomers() { void unknownUser_withAssumedCustomerRole_cannotViewAnyCustomers() {
context("unknown@example.org", "customer#aaa.admin"); context("unknown@example.org", "customer#xxx.admin");
final var result = attempt( final var result = attempt(
em, em,
@ -198,19 +198,19 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
context("mike@hostsharing.net", null); context("mike@hostsharing.net", null);
// when // when
final var result = customerRepository.findCustomerByOptionalPrefixLike("aab"); final var result = customerRepository.findCustomerByOptionalPrefixLike("yyy");
// then // then
exactlyTheseCustomersAreReturned(result, "aab"); exactlyTheseCustomersAreReturned(result, "yyy");
} }
@Test @Test
public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnCustomer() { public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnCustomer() {
// given: // given:
context("admin@aaa.example.com", null); context("customer-admin@xxx.example.com", null);
// when: // when:
final var result = customerRepository.findCustomerByOptionalPrefixLike("aab"); final var result = customerRepository.findCustomerByOptionalPrefixLike("yyy");
// then: // then:
exactlyTheseCustomersAreReturned(result); exactlyTheseCustomersAreReturned(result);

View File

@ -44,19 +44,19 @@ class PackageControllerAcceptanceTest {
RestAssured RestAssured
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@hostsharing.net")
.header("assumed-roles", "customer#aaa.admin") .header("assumed-roles", "customer#xxx.admin")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/packages") .get("http://localhost/api/packages")
.then().assertThat() .then().assertThat()
.statusCode(200) .statusCode(200)
.contentType("application/json") .contentType("application/json")
.body("[0].name", is("aaa00")) .body("[0].name", is("xxx00"))
.body("[0].customer.reference", is(10000)) .body("[0].customer.reference", is(99901))
.body("[1].name", is("aaa01")) .body("[1].name", is("xxx01"))
.body("[1].customer.reference", is(10000)) .body("[1].customer.reference", is(99901))
.body("[2].name", is("aaa02")) .body("[2].name", is("xxx02"))
.body("[2].customer.reference", is(10000)); .body("[2].customer.reference", is(99901));
// @formatter:on // @formatter:on
} }
@ -66,15 +66,15 @@ class PackageControllerAcceptanceTest {
RestAssured RestAssured
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@hostsharing.net")
.header("assumed-roles", "customer#aaa.admin") .header("assumed-roles", "customer#xxx.admin")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/packages?name=aaa01") .get("http://localhost/api/packages?name=xxx01")
.then().assertThat() .then().assertThat()
.statusCode(200) .statusCode(200)
.contentType("application/json") .contentType("application/json")
.body("[0].name", is("aaa01")) .body("[0].name", is("xxx01"))
.body("[0].customer.reference", is(10000)); .body("[0].customer.reference", is(99901));
// @formatter:on // @formatter:on
} }
} }
@ -85,8 +85,8 @@ class PackageControllerAcceptanceTest {
@Test @Test
void withDescriptionUpdatesDescription() { void withDescriptionUpdatesDescription() {
assumeThat(getDescriptionOfPackage("aaa00")) assumeThat(getDescriptionOfPackage("xxx00"))
.isEqualTo("Here can add your own description of package aaa00."); .isEqualTo("Here can add your own description of package xxx00.");
final var randomDescription = RandomStringUtils.randomAlphanumeric(80); final var randomDescription = RandomStringUtils.randomAlphanumeric(80);
@ -94,7 +94,7 @@ class PackageControllerAcceptanceTest {
RestAssured RestAssured
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@hostsharing.net")
.header("assumed-roles", "customer#aaa.admin") .header("assumed-roles", "customer#xxx.admin")
.contentType(ContentType.JSON) .contentType(ContentType.JSON)
.body(format(""" .body(format("""
{ {
@ -103,12 +103,12 @@ class PackageControllerAcceptanceTest {
""", randomDescription)) """, randomDescription))
.port(port) .port(port)
.when() .when()
.patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("aaa00")) .patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("xxx00"))
.then() .then()
.assertThat() .assertThat()
.statusCode(200) .statusCode(200)
.contentType("application/json") .contentType("application/json")
.body("name", is("aaa00")) .body("name", is("xxx00"))
.body("description", is(randomDescription)); .body("description", is(randomDescription));
// @formatter:on // @formatter:on
@ -117,14 +117,14 @@ class PackageControllerAcceptanceTest {
@Test @Test
void withNullDescriptionUpdatesDescriptionToNull() { void withNullDescriptionUpdatesDescriptionToNull() {
assumeThat(getDescriptionOfPackage("aaa01")) assumeThat(getDescriptionOfPackage("xxx01"))
.isEqualTo("Here can add your own description of package aaa01."); .isEqualTo("Here can add your own description of package xxx01.");
// @formatter:off // @formatter:off
RestAssured RestAssured
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@hostsharing.net")
.header("assumed-roles", "customer#aaa.admin") .header("assumed-roles", "customer#xxx.admin")
.contentType(ContentType.JSON) .contentType(ContentType.JSON)
.body(""" .body("""
{ {
@ -133,12 +133,12 @@ class PackageControllerAcceptanceTest {
""") """)
.port(port) .port(port)
.when() .when()
.patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("aaa01")) .patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("xxx01"))
.then() .then()
.assertThat() .assertThat()
.statusCode(200) .statusCode(200)
.contentType("application/json") .contentType("application/json")
.body("name", is("aaa01")) .body("name", is("xxx01"))
.body("description", equalTo(null)); .body("description", equalTo(null));
// @formatter:on // @formatter:on
} }
@ -146,24 +146,24 @@ class PackageControllerAcceptanceTest {
@Test @Test
void withoutDescriptionDoesNothing() { void withoutDescriptionDoesNothing() {
assumeThat(getDescriptionOfPackage("aaa02")) assumeThat(getDescriptionOfPackage("xxx02"))
.isEqualTo("Here can add your own description of package aaa02."); .isEqualTo("Here can add your own description of package xxx02.");
// @formatter:off // @formatter:off
RestAssured RestAssured
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@hostsharing.net")
.header("assumed-roles", "customer#aaa.admin") .header("assumed-roles", "customer#xxx.admin")
.contentType(ContentType.JSON) .contentType(ContentType.JSON)
.body("{}") .body("{}")
.port(port) .port(port)
.when() .when()
.patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("aaa02")) .patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("xxx02"))
.then().assertThat() .then().assertThat()
.statusCode(200) .statusCode(200)
.contentType("application/json") .contentType("application/json")
.body("name", is("aaa02")) .body("name", is("xxx02"))
.body("description", is("Here can add your own description of package aaa02.")); // unchanged .body("description", is("Here can add your own description of package xxx02.")); // unchanged
// @formatter:on // @formatter:on
} }
} }
@ -173,7 +173,7 @@ class PackageControllerAcceptanceTest {
return UUID.fromString(RestAssured return UUID.fromString(RestAssured
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@hostsharing.net")
.header("assumed-roles", "customer#aaa.admin") .header("assumed-roles", "customer#xxx.admin")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/packages?name={packageName}", packageName) .get("http://localhost/api/packages?name={packageName}", packageName)
@ -186,7 +186,7 @@ class PackageControllerAcceptanceTest {
String getDescriptionOfPackage(final String packageName) { String getDescriptionOfPackage(final String packageName) {
context.setCurrentUser("mike@hostsharing.net"); context.setCurrentUser("mike@hostsharing.net");
context.assumeRoles("customer#aaa.admin"); context.assumeRoles("customer#xxx.admin");
return packageRepository.findAllByOptionalNameLike(packageName).get(0).getDescription(); return packageRepository.findAllByOptionalNameLike(packageName).get(0).getDescription();
} }
} }

View File

@ -67,30 +67,30 @@ class PackageRepositoryIntegrationTest {
@Test @Test
public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnPackages() { public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnPackages() {
// given: // given:
currentUser("admin@aaa.example.com"); currentUser("customer-admin@xxx.example.com");
// when: // when:
final var result = packageRepository.findAllByOptionalNameLike(null); final var result = packageRepository.findAllByOptionalNameLike(null);
// then: // then:
exactlyThesePackagesAreReturned(result, "aaa00", "aaa01", "aaa02"); exactlyThesePackagesAreReturned(result, "xxx00", "xxx01", "xxx02");
} }
@Test @Test
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnPackages() { public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnPackages() {
currentUser("admin@aaa.example.com"); currentUser("customer-admin@xxx.example.com");
assumedRoles("package#aaa00.admin"); assumedRoles("package#xxx00.admin");
final var result = packageRepository.findAllByOptionalNameLike(null); final var result = packageRepository.findAllByOptionalNameLike(null);
exactlyThesePackagesAreReturned(result, "aaa00"); exactlyThesePackagesAreReturned(result, "xxx00");
} }
@Test @Test
public void customerAdmin_withAssumedAlienPackageAdminRole_cannotViewAnyPackages() { public void customerAdmin_withAssumedAlienPackageAdminRole_cannotViewAnyPackages() {
// given: // given:
currentUser("admin@aaa.example.com"); currentUser("customer-admin@xxx.example.com");
assumedRoles("package#aab00.admin"); assumedRoles("package#yyy00.admin");
// when // when
final var result = attempt( final var result = attempt(
@ -100,7 +100,7 @@ class PackageRepositoryIntegrationTest {
// then // then
result.assertExceptionWithRootCauseMessage( result.assertExceptionWithRootCauseMessage(
JpaSystemException.class, JpaSystemException.class,
"[403] user admin@aaa.example.com", "has no permission to assume role package#aab00#admin"); "[403] user customer-admin@xxx.example.com", "has no permission to assume role package#yyy00#admin");
} }
@Test @Test
@ -120,7 +120,7 @@ class PackageRepositoryIntegrationTest {
@Transactional @Transactional
void unknownUser_withAssumedCustomerRole_cannotViewAnyPackages() { void unknownUser_withAssumedCustomerRole_cannotViewAnyPackages() {
currentUser("unknown@example.org"); currentUser("unknown@example.org");
assumedRoles("customer#aaa.admin"); assumedRoles("customer#xxx.admin");
final var result = attempt( final var result = attempt(
em, em,
@ -139,17 +139,17 @@ class PackageRepositoryIntegrationTest {
@Test @Test
public void supportsOptimisticLocking() throws InterruptedException { public void supportsOptimisticLocking() throws InterruptedException {
// given // given
hostsharingAdminWithAssumedRole("package#aaa00.admin"); hostsharingAdminWithAssumedRole("package#xxx00.admin");
final var pac = packageRepository.findAllByOptionalNameLike("%").get(0); final var pac = packageRepository.findAllByOptionalNameLike("%").get(0);
// when // when
final var result1 = jpaAttempt.transacted(() -> { final var result1 = jpaAttempt.transacted(() -> {
hostsharingAdminWithAssumedRole("package#aaa00.admin"); hostsharingAdminWithAssumedRole("package#xxx00.admin");
pac.setDescription("description set by thread 1"); pac.setDescription("description set by thread 1");
packageRepository.save(pac); packageRepository.save(pac);
}); });
final var result2 = jpaAttempt.transacted(() -> { final var result2 = jpaAttempt.transacted(() -> {
hostsharingAdminWithAssumedRole("package#aaa00.admin"); hostsharingAdminWithAssumedRole("package#xxx00.admin");
pac.setDescription("description set by thread 2"); pac.setDescription("description set by thread 2");
packageRepository.save(pac); packageRepository.save(pac);
sleep(1500); sleep(1500);

View File

@ -62,9 +62,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
@Accepts({ "GRT:R(Read)" }) @Accepts({ "GRT:R(Read)" })
void customerAdmin_withAssumedPacketAdminRole_canReadPacketAdminsGrantById() { void customerAdmin_withAssumedPacketAdminRole_canReadPacketAdminsGrantById() {
// given // given
final var givenCurrentUserAsPackageAdmin = new Subject("admin@aaa.example.com"); final var givenCurrentUserAsPackageAdmin = new Subject("customer-admin@xxx.example.com");
final var givenGranteeUser = findRbacUserByName("aaa00@aaa.example.com"); final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
final var givenGrantedRole = findRbacRoleByName("package#aaa00.admin"); final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin");
// when // when
final var grant = givenCurrentUserAsPackageAdmin.getGrantById() final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
@ -73,18 +73,18 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// then // then
grant.assertThat() grant.assertThat()
.statusCode(200) .statusCode(200)
.body("grantedByRoleIdName", is("customer#aaa.admin")) .body("grantedByRoleIdName", is("customer#xxx.admin"))
.body("grantedRoleIdName", is("package#aaa00.admin")) .body("grantedRoleIdName", is("package#xxx00.admin"))
.body("granteeUserName", is("aaa00@aaa.example.com")); .body("granteeUserName", is("pac-admin-xxx00@xxx.example.com"));
} }
@Test @Test
@Accepts({ "GRT:R(Read)" }) @Accepts({ "GRT:R(Read)" })
void packageAdmin_withoutAssumedRole_canReadItsOwnGrantById() { void packageAdmin_withoutAssumedRole_canReadItsOwnGrantById() {
// given // given
final var givenCurrentUserAsPackageAdmin = new Subject("aaa00@aaa.example.com"); final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com");
final var givenGranteeUser = findRbacUserByName("aaa00@aaa.example.com"); final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
final var givenGrantedRole = findRbacRoleByName("package#aaa00.admin"); final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin");
// when // when
final var grant = givenCurrentUserAsPackageAdmin.getGrantById() final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
@ -93,18 +93,18 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// then // then
grant.assertThat() grant.assertThat()
.statusCode(200) .statusCode(200)
.body("grantedByRoleIdName", is("customer#aaa.admin")) .body("grantedByRoleIdName", is("customer#xxx.admin"))
.body("grantedRoleIdName", is("package#aaa00.admin")) .body("grantedRoleIdName", is("package#xxx00.admin"))
.body("granteeUserName", is("aaa00@aaa.example.com")); .body("granteeUserName", is("pac-admin-xxx00@xxx.example.com"));
} }
@Test @Test
@Accepts({ "GRT:R(Read)" }) @Accepts({ "GRT:R(Read)" })
void packageAdmin_withAssumedUnixUserAdmin_canNotReadItsOwnGrantById() { void packageAdmin_withAssumedUnixUserAdmin_canNotReadItsOwnGrantById() {
// given // given
final var givenCurrentUserAsPackageAdmin = new Subject("aaa00@aaa.example.com", "unixuser#aaa00-aaaa.admin"); final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", "unixuser#xxx00-xxxa.admin");
final var givenGranteeUser = findRbacUserByName("aaa00@aaa.example.com"); final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
final var givenGrantedRole = findRbacRoleByName("package#aaa00.admin"); final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin");
// when // when
final var grant = givenCurrentUserAsPackageAdmin.getGrantById() final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
@ -125,8 +125,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// given // given
final var givenNewUser = createRBacUser(); final var givenNewUser = createRBacUser();
final var givenRoleToGrant = "package#aaa00.admin"; final var givenRoleToGrant = "package#xxx00.admin";
final var givenCurrentUserAsPackageAdmin = new Subject("aaa00@aaa.example.com", givenRoleToGrant); final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
final var givenOwnPackageAdminRole = final var givenOwnPackageAdminRole =
findRbacRoleByName(givenCurrentUserAsPackageAdmin.assumedRole); findRbacRoleByName(givenCurrentUserAsPackageAdmin.assumedRole);
@ -149,9 +149,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// given // given
final var givenNewUser = createRBacUser(); final var givenNewUser = createRBacUser();
final var givenRoleToGrant = "package#aaa00.admin"; final var givenRoleToGrant = "package#xxx00.admin";
final var givenCurrentUserAsPackageAdmin = new Subject("aaa00@aaa.example.com", givenRoleToGrant); final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
final var givenAlienPackageAdminRole = findRbacRoleByName("package#aab00.admin"); final var givenAlienPackageAdminRole = findRbacRoleByName("package#yyy00.admin");
// when // when
final var result = givenCurrentUserAsPackageAdmin final var result = givenCurrentUserAsPackageAdmin
@ -161,7 +161,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// then // then
result.assertThat() result.assertThat()
.body("message", containsString("Access to granted role")) .body("message", containsString("Access to granted role"))
.body("message", containsString("forbidden for {package#aaa00.admin}")) .body("message", containsString("forbidden for {package#xxx00.admin}"))
.statusCode(403); .statusCode(403);
assertThat(findAllGrantsOf(givenCurrentUserAsPackageAdmin)) assertThat(findAllGrantsOf(givenCurrentUserAsPackageAdmin))
.extracting(RbacGrantEntity::getGranteeUserName) .extracting(RbacGrantEntity::getGranteeUserName)
@ -179,9 +179,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// given // given
final var givenArbitraryUser = createRBacUser(); final var givenArbitraryUser = createRBacUser();
final var givenRoleToGrant = "package#aaa00.admin"; final var givenRoleToGrant = "package#xxx00.admin";
final var givenCurrentUserAsPackageAdmin = new Subject("aaa00@aaa.example.com", givenRoleToGrant); final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
final var givenOwnPackageAdminRole = findRbacRoleByName("package#aaa00.admin"); final var givenOwnPackageAdminRole = findRbacRoleByName("package#xxx00.admin");
// and given an existing grant // and given an existing grant
assumeCreated(givenCurrentUserAsPackageAdmin assumeCreated(givenCurrentUserAsPackageAdmin

View File

@ -55,7 +55,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
@Accepts({ "GRT:L(List)" }) @Accepts({ "GRT:L(List)" })
public void packageAdmin_canViewItsRbacGrants() { public void packageAdmin_canViewItsRbacGrants() {
// given // given
context("aaa00@aaa.example.com", null); context("pac-admin-xxx00@xxx.example.com", null);
// when // when
final var result = rbacGrantRepository.findAll(); final var result = rbacGrantRepository.findAll();
@ -63,14 +63,14 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// then // then
exactlyTheseRbacGrantsAreReturned( exactlyTheseRbacGrantsAreReturned(
result, result,
"{ grant assumed role package#aaa00.admin to user aaa00@aaa.example.com by role customer#aaa.admin }"); "{ grant assumed role package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role customer#xxx.admin }");
} }
@Test @Test
@Accepts({ "GRT:L(List)" }) @Accepts({ "GRT:L(List)" })
public void customerAdmin_canViewItsRbacGrants() { public void customerAdmin_canViewItsRbacGrants() {
// given // given
context("admin@aaa.example.com", null); context("customer-admin@xxx.example.com", null);
// when // when
final var result = rbacGrantRepository.findAll(); final var result = rbacGrantRepository.findAll();
@ -78,17 +78,17 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// then // then
exactlyTheseRbacGrantsAreReturned( exactlyTheseRbacGrantsAreReturned(
result, result,
"{ grant assumed role customer#aaa.admin to user admin@aaa.example.com by role global#hostsharing.admin }", "{ grant assumed role customer#xxx.admin to user customer-admin@xxx.example.com by role global#hostsharing.admin }",
"{ grant assumed role package#aaa00.admin to user aaa00@aaa.example.com by role customer#aaa.admin }", "{ grant assumed role package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role customer#xxx.admin }",
"{ grant assumed role package#aaa01.admin to user aaa01@aaa.example.com by role customer#aaa.admin }", "{ grant assumed role package#xxx01.admin to user pac-admin-xxx01@xxx.example.com by role customer#xxx.admin }",
"{ grant assumed role package#aaa02.admin to user aaa02@aaa.example.com by role customer#aaa.admin }"); "{ grant assumed role package#xxx02.admin to user pac-admin-xxx02@xxx.example.com by role customer#xxx.admin }");
} }
@Test @Test
@Accepts({ "GRT:L(List)" }) @Accepts({ "GRT:L(List)" })
public void customerAdmin_withAssumedRole_canOnlyViewRbacGrantsVisibleByAssumedRole() { public void customerAdmin_withAssumedRole_canOnlyViewRbacGrantsVisibleByAssumedRole() {
// given: // given:
context("admin@aaa.example.com", "package#aaa00.admin"); context("customer-admin@xxx.example.com", "package#xxx00.admin");
// when // when
final var result = rbacGrantRepository.findAll(); final var result = rbacGrantRepository.findAll();
@ -96,7 +96,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// then // then
exactlyTheseRbacGrantsAreReturned( exactlyTheseRbacGrantsAreReturned(
result, result,
"{ grant assumed role package#aaa00.admin to user aaa00@aaa.example.com by role customer#aaa.admin }"); "{ grant assumed role package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role customer#xxx.admin }");
} }
} }
@ -106,9 +106,9 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
@Test @Test
public void customerAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() { public void customerAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() {
// given // given
context("admin@aaa.example.com", "customer#aaa.admin"); context("customer-admin@xxx.example.com", "customer#xxx.admin");
final var givenArbitraryUserUuid = rbacUserRepository.findByName("aac00@aac.example.com").getUuid(); final var givenArbitraryUserUuid = rbacUserRepository.findByName("pac-admin-zzz00@zzz.example.com").getUuid();
final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("package#aaa00.admin").getUuid(); final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("package#xxx00.admin").getUuid();
// when // when
final var grant = RbacGrantEntity.builder() final var grant = RbacGrantEntity.builder()
@ -124,7 +124,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
assertThat(rbacGrantRepository.findAll()) assertThat(rbacGrantRepository.findAll())
.extracting(RbacGrantEntity::toDisplay) .extracting(RbacGrantEntity::toDisplay)
.contains( .contains(
"{ grant assumed role package#aaa00.admin to user aac00@aac.example.com by role customer#aaa.admin }"); "{ grant assumed role package#xxx00.admin to user pac-admin-zzz00@zzz.example.com by role customer#xxx.admin }");
} }
@Test @Test
@ -134,17 +134,17 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
record Given(RbacUserEntity arbitraryUser, UUID packageOwnerRoleUuid) {} record Given(RbacUserEntity arbitraryUser, UUID packageOwnerRoleUuid) {}
final var given = jpaAttempt.transacted(() -> { final var given = jpaAttempt.transacted(() -> {
// to find the uuids of we need to have access rights to these // to find the uuids of we need to have access rights to these
context("admin@aaa.example.com", null); context("customer-admin@xxx.example.com", null);
return new Given( return new Given(
createNewUser(), createNewUser(),
rbacRoleRepository.findByRoleName("package#aaa00.owner").getUuid() rbacRoleRepository.findByRoleName("package#xxx00.owner").getUuid()
); );
}).assumeSuccessful().returnedValue(); }).assumeSuccessful().returnedValue();
// when // when
final var attempt = jpaAttempt.transacted(() -> { final var attempt = jpaAttempt.transacted(() -> {
// now we try to use these uuids as a less privileged user // now we try to use these uuids as a less privileged user
context("aaa00@aaa.example.com", "package#aaa00.admin"); context("pac-admin-xxx00@xxx.example.com", "package#xxx00.admin");
final var grant = RbacGrantEntity.builder() final var grant = RbacGrantEntity.builder()
.granteeUserUuid(given.arbitraryUser.getUuid()) .granteeUserUuid(given.arbitraryUser.getUuid())
.grantedRoleUuid(given.packageOwnerRoleUuid) .grantedRoleUuid(given.packageOwnerRoleUuid)
@ -157,7 +157,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
attempt.assertExceptionWithRootCauseMessage( attempt.assertExceptionWithRootCauseMessage(
JpaSystemException.class, JpaSystemException.class,
"ERROR: [403] Access to granted role " + given.packageOwnerRoleUuid "ERROR: [403] Access to granted role " + given.packageOwnerRoleUuid
+ " forbidden for {package#aaa00.admin}"); + " forbidden for {package#xxx00.admin}");
jpaAttempt.transacted(() -> { jpaAttempt.transacted(() -> {
// finally, we use the new user to make sure, no roles were granted // finally, we use the new user to make sure, no roles were granted
context(given.arbitraryUser.getName(), null); context(given.arbitraryUser.getName(), null);
@ -175,21 +175,21 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
public void customerAdmin_canRevokeSelfGrantedPackageAdminRole() { public void customerAdmin_canRevokeSelfGrantedPackageAdminRole() {
// given // given
final var grant = create(grant() final var grant = create(grant()
.byUser("admin@aaa.example.com").withAssumedRole("customer#aaa.admin") .byUser("customer-admin@xxx.example.com").withAssumedRole("customer#xxx.admin")
.grantingRole("package#aaa00.admin").toUser("aac00@aac.example.com")); .grantingRole("package#xxx00.admin").toUser("pac-admin-zzz00@zzz.example.com"));
// when // when
context("admin@aaa.example.com", "customer#aaa.admin"); context("customer-admin@xxx.example.com", "customer#xxx.admin");
final var revokeAttempt = attempt(em, () -> { final var revokeAttempt = attempt(em, () -> {
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId()); rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
}); });
// then // then
context("admin@aaa.example.com", "customer#aaa.admin"); context("customer-admin@xxx.example.com", "customer#xxx.admin");
assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull(); assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull();
assertThat(rbacGrantRepository.findAll()) assertThat(rbacGrantRepository.findAll())
.extracting(RbacGrantEntity::getGranteeUserName) .extracting(RbacGrantEntity::getGranteeUserName)
.doesNotContain("aac00@aac.example.com"); .doesNotContain("pac-admin-zzz00@zzz.example.com");
} }
@Test @Test
@ -197,33 +197,33 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// given // given
final var newUser = createNewUserTransacted(); final var newUser = createNewUserTransacted();
final var grant = create(grant() final var grant = create(grant()
.byUser("admin@aaa.example.com").withAssumedRole("package#aaa00.admin") .byUser("customer-admin@xxx.example.com").withAssumedRole("package#xxx00.admin")
.grantingRole("package#aaa00.admin").toUser(newUser.getName())); .grantingRole("package#xxx00.admin").toUser(newUser.getName()));
// when // when
context("aaa00@aaa.example.com", "package#aaa00.admin"); context("pac-admin-xxx00@xxx.example.com", "package#xxx00.admin");
final var revokeAttempt = attempt(em, () -> { final var revokeAttempt = attempt(em, () -> {
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId()); rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
}); });
// then // then
assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull(); assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull();
context("admin@aaa.example.com", "customer#aaa.admin"); context("customer-admin@xxx.example.com", "customer#xxx.admin");
assertThat(rbacGrantRepository.findAll()) assertThat(rbacGrantRepository.findAll())
.extracting(RbacGrantEntity::getGranteeUserName) .extracting(RbacGrantEntity::getGranteeUserName)
.doesNotContain("aac00@aac.example.com"); .doesNotContain("pac-admin-zzz00@zzz.example.com");
} }
@Test @Test
public void packageAdmin_canNotRevokeOwnPackageAdminRoleGrantedByOwnerRoleOfThatPackage() { public void packageAdmin_canNotRevokeOwnPackageAdminRoleGrantedByOwnerRoleOfThatPackage() {
// given // given
final var grant = create(grant() final var grant = create(grant()
.byUser("admin@aaa.example.com").withAssumedRole("package#aaa00.owner") .byUser("customer-admin@xxx.example.com").withAssumedRole("package#xxx00.owner")
.grantingRole("package#aaa00.admin").toUser("aac00@aac.example.com")); .grantingRole("package#xxx00.admin").toUser("pac-admin-zzz00@zzz.example.com"));
final var grantedByRole = rbacRoleRepository.findByRoleName("package#aaa00.owner"); final var grantedByRole = rbacRoleRepository.findByRoleName("package#xxx00.owner");
// when // when
context("aaa00@aaa.example.com", "package#aaa00.admin"); context("pac-admin-xxx00@xxx.example.com", "package#xxx00.admin");
final var revokeAttempt = attempt(em, () -> { final var revokeAttempt = attempt(em, () -> {
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId()); rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
}); });
@ -231,7 +231,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// then // then
revokeAttempt.assertExceptionWithRootCauseMessage( revokeAttempt.assertExceptionWithRootCauseMessage(
JpaSystemException.class, JpaSystemException.class,
"ERROR: [403] Revoking role created by %s is forbidden for {package#aaa00.admin}.".formatted( "ERROR: [403] Revoking role created by %s is forbidden for {package#xxx00.admin}.".formatted(
grantedByRole.getUuid() grantedByRole.getUuid()
)); ));
} }

View File

@ -50,14 +50,14 @@ class RbacRoleControllerAcceptanceTest {
.then().assertThat() .then().assertThat()
.statusCode(200) .statusCode(200)
.contentType("application/json") .contentType("application/json")
.body("[0].roleName", is("customer#aaa.admin")) .body("[0].roleName", is("customer#xxx.admin"))
.body("[1].roleName", is("customer#aaa.owner")) .body("[1].roleName", is("customer#xxx.owner"))
.body("[2].roleName", is("customer#aaa.tenant")) .body("[2].roleName", is("customer#xxx.tenant"))
// ... // ...
.body("", hasItem(hasEntry("roleName", "global#hostsharing.admin"))) .body("", hasItem(hasEntry("roleName", "global#hostsharing.admin")))
.body("", hasItem(hasEntry("roleName", "customer#aab.admin"))) .body("", hasItem(hasEntry("roleName", "customer#yyy.admin")))
.body("", hasItem(hasEntry("roleName", "package#aab00.admin"))) .body("", hasItem(hasEntry("roleName", "package#yyy00.admin")))
.body("", hasItem(hasEntry("roleName", "unixuser#aab00-aaaa.owner"))) .body("", hasItem(hasEntry("roleName", "unixuser#yyy00-aaaa.owner")))
.body( "size()", is(73)); // increases with new test data .body( "size()", is(73)); // increases with new test data
// @formatter:on // @formatter:on
} }
@ -70,17 +70,19 @@ class RbacRoleControllerAcceptanceTest {
RestAssured RestAssured
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@hostsharing.net")
.header("assumed-roles", "package#aab00.admin") .header("assumed-roles", "package#yyy00.admin")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/rbac-roles") .get("http://localhost/api/rbac-roles")
.then().assertThat() .then()
.log().body()
.assertThat()
.statusCode(200) .statusCode(200)
.contentType("application/json") .contentType("application/json")
.body("[0].roleName", is("customer#aab.tenant")) .body("[0].roleName", is("customer#yyy.tenant"))
.body("[1].roleName", is("package#aab00.admin")) .body("[1].roleName", is("package#yyy00.admin"))
.body("[2].roleName", is("package#aab00.tenant")) .body("[2].roleName", is("package#yyy00.tenant"))
.body("[3].roleName", is("unixuser#aab00-aaaa.admin")) .body("[3].roleName", is("unixuser#yyy00-aaaa.admin"))
.body("size()", is(7)); // increases with new test data .body("size()", is(7)); // increases with new test data
// @formatter:on // @formatter:on
} }
@ -92,18 +94,18 @@ class RbacRoleControllerAcceptanceTest {
// @formatter:off // @formatter:off
RestAssured RestAssured
.given() .given()
.header("current-user", "aac00@aac.example.com") .header("current-user", "pac-admin-zzz00@zzz.example.com")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/rbac-roles") .get("http://localhost/api/rbac-roles")
.then().assertThat() .then().assertThat()
.statusCode(200) .statusCode(200)
.contentType("application/json") .contentType("application/json")
.body("[0].roleName", is("customer#aac.tenant")) .body("[0].roleName", is("customer#zzz.tenant"))
.body("[1].roleName", is("package#aac00.admin")) .body("[1].roleName", is("package#zzz00.admin"))
.body("[2].roleName", is("package#aac00.tenant")) .body("[2].roleName", is("package#zzz00.tenant"))
.body("[3].roleName", is("unixuser#aac00-aaaa.admin")) .body("[3].roleName", is("unixuser#zzz00-aaaa.admin"))
.body("size()", is(7)); // increases with new test data .body("size()", is(7)); // increases with new test data
// @formatter:on // @formatter:on
} }

View File

@ -35,18 +35,18 @@ class RbacRoleRepositoryIntegrationTest {
private static final String[] ALL_TEST_DATA_ROLES = Array.of( private static final String[] ALL_TEST_DATA_ROLES = Array.of(
// @formatter:off // @formatter:off
"global#hostsharing.admin", "global#hostsharing.admin",
"customer#aaa.admin", "customer#aaa.owner", "customer#aaa.tenant", "customer#xxx.admin", "customer#xxx.owner", "customer#xxx.tenant",
"package#aaa00.admin", "package#aaa00.owner", "package#aaa00.tenant", "package#xxx00.admin", "package#xxx00.owner", "package#xxx00.tenant",
"package#aaa01.admin", "package#aaa01.owner", "package#aaa01.tenant", "package#xxx01.admin", "package#xxx01.owner", "package#xxx01.tenant",
"package#aaa02.admin", "package#aaa02.owner", "package#aaa02.tenant", "package#xxx02.admin", "package#xxx02.owner", "package#xxx02.tenant",
"customer#aab.admin", "customer#aab.owner", "customer#aab.tenant", "customer#yyy.admin", "customer#yyy.owner", "customer#yyy.tenant",
"package#aab00.admin", "package#aab00.owner", "package#aab00.tenant", "package#yyy00.admin", "package#yyy00.owner", "package#yyy00.tenant",
"package#aab01.admin", "package#aab01.owner", "package#aab01.tenant", "package#yyy01.admin", "package#yyy01.owner", "package#yyy01.tenant",
"package#aab02.admin", "package#aab02.owner", "package#aab02.tenant", "package#yyy02.admin", "package#yyy02.owner", "package#yyy02.tenant",
"customer#aac.admin", "customer#aac.owner", "customer#aac.tenant", "customer#zzz.admin", "customer#zzz.owner", "customer#zzz.tenant",
"package#aac00.admin", "package#aac00.owner", "package#aac00.tenant", "package#zzz00.admin", "package#zzz00.owner", "package#zzz00.tenant",
"package#aac01.admin", "package#aac01.owner", "package#aac01.tenant", "package#zzz01.admin", "package#zzz01.owner", "package#zzz01.tenant",
"package#aac02.admin", "package#aac02.owner", "package#aac02.tenant" "package#zzz02.admin", "package#zzz02.owner", "package#zzz02.tenant"
// @formatter:on // @formatter:on
); );
@ -78,7 +78,7 @@ class RbacRoleRepositoryIntegrationTest {
@Test @Test
public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnRbacRole() { public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnRbacRole() {
// given: // given:
currentUser("admin@aaa.example.com"); currentUser("customer-admin@xxx.example.com");
// when: // when:
final var result = rbacRoleRepository.findAll(); final var result = rbacRoleRepository.findAll();
@ -87,57 +87,57 @@ class RbacRoleRepositoryIntegrationTest {
allTheseRbacRolesAreReturned( allTheseRbacRolesAreReturned(
result, result,
// @formatter:off // @formatter:off
"customer#aaa.admin", "customer#xxx.admin",
"customer#aaa.tenant", "customer#xxx.tenant",
"package#aaa00.admin", "package#xxx00.admin",
"package#aaa00.owner", "package#xxx00.owner",
"package#aaa00.tenant", "package#xxx00.tenant",
"package#aaa01.admin", "package#xxx01.admin",
"package#aaa01.owner", "package#xxx01.owner",
"package#aaa01.tenant", "package#xxx01.tenant",
// ... // ...
"unixuser#aaa00-aaaa.admin", "unixuser#xxx00-aaaa.admin",
"unixuser#aaa00-aaaa.owner", "unixuser#xxx00-aaaa.owner",
// .. // ..
"unixuser#aaa01-aaaa.admin", "unixuser#xxx01-aaab.admin",
"unixuser#aaa01-aaaa.owner" "unixuser#xxx01-aaab.owner"
// @formatter:on // @formatter:on
); );
noneOfTheseRbacRolesIsReturned( noneOfTheseRbacRolesIsReturned(
result, result,
// @formatter:off // @formatter:off
"global#hostsharing.admin", "global#hostsharing.admin",
"customer#aaa.owner", "customer#xxx.owner",
"package#aab00.admin", "package#yyy00.admin",
"package#aab00.owner", "package#yyy00.owner",
"package#aab00.tenant" "package#yyy00.tenant"
// @formatter:on // @formatter:on
); );
} }
@Test @Test
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnRbacRole() { public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnRbacRole() {
currentUser("admin@aaa.example.com"); currentUser("customer-admin@xxx.example.com");
assumedRoles("package#aaa00.admin"); assumedRoles("package#xxx00.admin");
final var result = rbacRoleRepository.findAll(); final var result = rbacRoleRepository.findAll();
exactlyTheseRbacRolesAreReturned( exactlyTheseRbacRolesAreReturned(
result, result,
"customer#aaa.tenant", "customer#xxx.tenant",
"package#aaa00.admin", "package#xxx00.admin",
"package#aaa00.tenant", "package#xxx00.tenant",
"unixuser#aaa00-aaaa.admin", "unixuser#xxx00-aaaa.admin",
"unixuser#aaa00-aaaa.owner", "unixuser#xxx00-aaaa.owner",
"unixuser#aaa00-aaab.admin", "unixuser#xxx00-aaab.admin",
"unixuser#aaa00-aaab.owner"); "unixuser#xxx00-aaab.owner");
} }
@Test @Test
public void customerAdmin_withAssumedAlienPackageAdminRole_cannotViewAnyRbacRole() { public void customerAdmin_withAssumedAlienPackageAdminRole_cannotViewAnyRbacRole() {
// given: // given:
currentUser("admin@aaa.example.com"); currentUser("customer-admin@xxx.example.com");
assumedRoles("package#aab00.admin"); assumedRoles("package#yyy00.admin");
// when // when
final var result = attempt( final var result = attempt(
@ -147,7 +147,7 @@ class RbacRoleRepositoryIntegrationTest {
// then // then
result.assertExceptionWithRootCauseMessage( result.assertExceptionWithRootCauseMessage(
JpaSystemException.class, JpaSystemException.class,
"[403] user admin@aaa.example.com", "has no permission to assume role package#aab00#admin"); "[403] user customer-admin@xxx.example.com", "has no permission to assume role package#yyy00#admin");
} }
@Test @Test
@ -166,7 +166,7 @@ class RbacRoleRepositoryIntegrationTest {
@Test @Test
void unknownUser_withAssumedRbacRoleRole_cannotViewAnyRbacRoles() { void unknownUser_withAssumedRbacRoleRole_cannotViewAnyRbacRoles() {
currentUser("unknown@example.org"); currentUser("unknown@example.org");
assumedRoles("RbacRole#aaa.admin"); assumedRoles("RbacRole#xxx.admin");
final var result = attempt( final var result = attempt(
em, em,
@ -183,19 +183,19 @@ class RbacRoleRepositoryIntegrationTest {
@Test @Test
void customerAdmin_withoutAssumedRole_canFindItsOwnRolesByName() { void customerAdmin_withoutAssumedRole_canFindItsOwnRolesByName() {
currentUser("admin@aaa.example.com"); currentUser("customer-admin@xxx.example.com");
final var result = rbacRoleRepository.findByRoleName("customer#aaa.admin"); final var result = rbacRoleRepository.findByRoleName("customer#xxx.admin");
assertThat(result).isNotNull(); assertThat(result).isNotNull();
assertThat(result.getObjectTable()).isEqualTo("customer"); assertThat(result.getObjectTable()).isEqualTo("customer");
assertThat(result.getObjectIdName()).isEqualTo("aaa"); assertThat(result.getObjectIdName()).isEqualTo("xxx");
assertThat(result.getRoleType()).isEqualTo(RbacRoleType.admin); assertThat(result.getRoleType()).isEqualTo(RbacRoleType.admin);
} }
@Test @Test
void customerAdmin_withoutAssumedRole_canNotFindAlienRolesByName() { void customerAdmin_withoutAssumedRole_canNotFindAlienRolesByName() {
currentUser("admin@aaa.example.com"); currentUser("customer-admin@xxx.example.com");
final var result = rbacRoleRepository.findByRoleName("customer#bbb.admin"); final var result = rbacRoleRepository.findByRoleName("customer#bbb.admin");

View File

@ -49,16 +49,16 @@ class RbacUserControllerAcceptanceTest {
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/rbac-users") .get("http://localhost/api/rbac-users")
.then().assertThat() .then().log().body().assertThat()
.statusCode(200) .statusCode(200)
.contentType("application/json") .contentType("application/json")
.body("[0].name", is("aaa00@aaa.example.com")) .body("[0].name", is("customer-admin@xxx.example.com"))
.body("[1].name", is("aaa01@aaa.example.com")) .body("[1].name", is("customer-admin@yyy.example.com"))
.body("[2].name", is("aaa02@aaa.example.com")) .body("[2].name", is("customer-admin@zzz.example.com"))
.body("[3].name", is("aab00@aab.example.com")) .body("[3].name", is("mike@hostsharing.net"))
// ... // ...
.body("[11].name", is("admin@aac.example.com")) .body("[11].name", is("pac-admin-zzz01@zzz.example.com"))
.body("[12].name", is("mike@hostsharing.net")) .body("[12].name", is("pac-admin-zzz02@zzz.example.com"))
.body("[13].name", is("sven@hostsharing.net")) .body("[13].name", is("sven@hostsharing.net"))
.body("size()", greaterThanOrEqualTo(14)); .body("size()", greaterThanOrEqualTo(14));
// @formatter:on // @formatter:on
@ -73,13 +73,13 @@ class RbacUserControllerAcceptanceTest {
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@hostsharing.net")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/rbac-users?name=aac") .get("http://localhost/api/rbac-users?name=pac-admin-zzz0")
.then().assertThat() .then().log().body().assertThat()
.statusCode(200) .statusCode(200)
.contentType("application/json") .contentType("application/json")
.body("[0].name", is("aac00@aac.example.com")) .body("[0].name", is("pac-admin-zzz00@zzz.example.com"))
.body("[1].name", is("aac01@aac.example.com")) .body("[1].name", is("pac-admin-zzz01@zzz.example.com"))
.body("[2].name", is("aac02@aac.example.com")) .body("[2].name", is("pac-admin-zzz02@zzz.example.com"))
.body("size()", is(3)); .body("size()", is(3));
// @formatter:on // @formatter:on
} }
@ -90,17 +90,17 @@ class RbacUserControllerAcceptanceTest {
// @formatter:off // @formatter:off
RestAssured RestAssured
.given() .given()
.header("current-user", "admin@aab.example.com") .header("current-user", "customer-admin@yyy.example.com")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/rbac-users") .get("http://localhost/api/rbac-users")
.then().assertThat() .then().assertThat()
.statusCode(200) .statusCode(200)
.contentType("application/json") .contentType("application/json")
.body("[0].name", is("aab00@aab.example.com")) .body("[0].name", is("customer-admin@yyy.example.com"))
.body("[1].name", is("aab01@aab.example.com")) .body("[1].name", is("pac-admin-yyy00@yyy.example.com"))
.body("[2].name", is("aab02@aab.example.com")) .body("[2].name", is("pac-admin-yyy01@yyy.example.com"))
.body("[3].name", is("admin@aab.example.com")) .body("[3].name", is("pac-admin-yyy02@yyy.example.com"))
.body("size()", is(4)); .body("size()", is(4));
// @formatter:on // @formatter:on
} }
@ -111,14 +111,14 @@ class RbacUserControllerAcceptanceTest {
// @formatter:off // @formatter:off
RestAssured RestAssured
.given() .given()
.header("current-user", "aaa01@aaa.example.com") .header("current-user", "pac-admin-xxx01@xxx.example.com")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/rbac-users") .get("http://localhost/api/rbac-users")
.then().assertThat() .then().assertThat()
.statusCode(200) .statusCode(200)
.contentType("application/json") .contentType("application/json")
.body("[0].name", is("aaa01@aaa.example.com")) .body("[0].name", is("pac-admin-xxx01@xxx.example.com"))
.body("size()", is(1)); .body("size()", is(1));
// @formatter:on // @formatter:on
} }

View File

@ -66,7 +66,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
// when: // when:
final var result = jpaAttempt.transacted(() -> { final var result = jpaAttempt.transacted(() -> {
context("admin@aaa.example.com"); context("customer-admin@xxx.example.com");
return rbacUserRepository.create(new RbacUserEntity(givenUuid, newUserName)); return rbacUserRepository.create(new RbacUserEntity(givenUuid, newUserName));
}); });
@ -88,12 +88,12 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
private static final String[] ALL_TEST_DATA_USERS = Array.of( private static final String[] ALL_TEST_DATA_USERS = Array.of(
// @formatter:off // @formatter:off
"mike@hostsharing.net", "sven@hostsharing.net", "mike@hostsharing.net", "sven@hostsharing.net",
"admin@aaa.example.com", "customer-admin@xxx.example.com",
"aaa00@aaa.example.com", "aaa01@aaa.example.com", "aaa02@aaa.example.com", "pac-admin-xxx00@xxx.example.com", "pac-admin-xxx01@xxx.example.com", "pac-admin-xxx02@xxx.example.com",
"admin@aab.example.com", "customer-admin@yyy.example.com",
"aab00@aab.example.com", "aab01@aab.example.com", "aab02@aab.example.com", "pac-admin-yyy00@yyy.example.com", "pac-admin-yyy01@yyy.example.com", "pac-admin-yyy02@yyy.example.com",
"admin@aac.example.com", "customer-admin@zzz.example.com",
"aac00@aac.example.com", "aac01@aac.example.com", "aac02@aac.example.com" "pac-admin-zzz00@zzz.example.com", "pac-admin-zzz01@zzz.example.com", "pac-admin-zzz02@zzz.example.com"
// @formatter:on // @formatter:on
); );
@ -124,7 +124,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
@Test @Test
public void hostsharingAdmin_withAssumedCustomerAdminRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() { public void hostsharingAdmin_withAssumedCustomerAdminRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() {
given: given:
context("mike@hostsharing.net", "customer#aaa.admin"); context("mike@hostsharing.net", "customer#xxx.admin");
// when // when
final var result = rbacUserRepository.findByOptionalNameLike(null); final var result = rbacUserRepository.findByOptionalNameLike(null);
@ -132,15 +132,15 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
then: then:
exactlyTheseRbacUsersAreReturned( exactlyTheseRbacUsersAreReturned(
result, result,
"admin@aaa.example.com", "customer-admin@xxx.example.com",
"aaa00@aaa.example.com", "aaa01@aaa.example.com", "aaa02@aaa.example.com" "pac-admin-xxx00@xxx.example.com", "pac-admin-xxx01@xxx.example.com", "pac-admin-xxx02@xxx.example.com"
); );
} }
@Test @Test
public void customerAdmin_withoutAssumedRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() { public void customerAdmin_withoutAssumedRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() {
// given: // given:
context("admin@aaa.example.com"); context("customer-admin@xxx.example.com");
// when: // when:
final var result = rbacUserRepository.findByOptionalNameLike(null); final var result = rbacUserRepository.findByOptionalNameLike(null);
@ -148,27 +148,27 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
// then: // then:
exactlyTheseRbacUsersAreReturned( exactlyTheseRbacUsersAreReturned(
result, result,
"admin@aaa.example.com", "customer-admin@xxx.example.com",
"aaa00@aaa.example.com", "aaa01@aaa.example.com", "aaa02@aaa.example.com" "pac-admin-xxx00@xxx.example.com", "pac-admin-xxx01@xxx.example.com", "pac-admin-xxx02@xxx.example.com"
); );
} }
@Test @Test
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyUsersHavingRolesInThatPackage() { public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyUsersHavingRolesInThatPackage() {
context("admin@aaa.example.com", "package#aaa00.admin"); context("customer-admin@xxx.example.com", "package#xxx00.admin");
final var result = rbacUserRepository.findByOptionalNameLike(null); final var result = rbacUserRepository.findByOptionalNameLike(null);
exactlyTheseRbacUsersAreReturned(result, "aaa00@aaa.example.com"); exactlyTheseRbacUsersAreReturned(result, "pac-admin-xxx00@xxx.example.com");
} }
@Test @Test
public void packageAdmin_withoutAssumedRole_canViewOnlyUsersHavingRolesInThatPackage() { public void packageAdmin_withoutAssumedRole_canViewOnlyUsersHavingRolesInThatPackage() {
context("aaa00@aaa.example.com"); context("pac-admin-xxx00@xxx.example.com");
final var result = rbacUserRepository.findByOptionalNameLike(null); final var result = rbacUserRepository.findByOptionalNameLike(null);
exactlyTheseRbacUsersAreReturned(result, "aaa00@aaa.example.com"); exactlyTheseRbacUsersAreReturned(result, "pac-admin-xxx00@xxx.example.com");
} }
} }
@ -180,47 +180,47 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
// @formatter:off // @formatter:off
"global#hostsharing.admin -> global#hostsharing: add-customer", "global#hostsharing.admin -> global#hostsharing: add-customer",
"customer#aaa.admin -> customer#aaa: add-package", "customer#xxx.admin -> customer#xxx: add-package",
"customer#aaa.admin -> customer#aaa: view", "customer#xxx.admin -> customer#xxx: view",
"customer#aaa.owner -> customer#aaa: *", "customer#xxx.owner -> customer#xxx: *",
"customer#aaa.tenant -> customer#aaa: view", "customer#xxx.tenant -> customer#xxx: view",
"package#aaa00.admin -> package#aaa00: add-domain", "package#xxx00.admin -> package#xxx00: add-domain",
"package#aaa00.admin -> package#aaa00: add-unixuser", "package#xxx00.admin -> package#xxx00: add-unixuser",
"package#aaa00.tenant -> package#aaa00: view", "package#xxx00.tenant -> package#xxx00: view",
"package#aaa01.admin -> package#aaa01: add-domain", "package#xxx01.admin -> package#xxx01: add-domain",
"package#aaa01.admin -> package#aaa01: add-unixuser", "package#xxx01.admin -> package#xxx01: add-unixuser",
"package#aaa01.tenant -> package#aaa01: view", "package#xxx01.tenant -> package#xxx01: view",
"package#aaa02.admin -> package#aaa02: add-domain", "package#xxx02.admin -> package#xxx02: add-domain",
"package#aaa02.admin -> package#aaa02: add-unixuser", "package#xxx02.admin -> package#xxx02: add-unixuser",
"package#aaa02.tenant -> package#aaa02: view", "package#xxx02.tenant -> package#xxx02: view",
"customer#aab.admin -> customer#aab: add-package", "customer#yyy.admin -> customer#yyy: add-package",
"customer#aab.admin -> customer#aab: view", "customer#yyy.admin -> customer#yyy: view",
"customer#aab.owner -> customer#aab: *", "customer#yyy.owner -> customer#yyy: *",
"customer#aab.tenant -> customer#aab: view", "customer#yyy.tenant -> customer#yyy: view",
"package#aab00.admin -> package#aab00: add-domain", "package#yyy00.admin -> package#yyy00: add-domain",
"package#aab00.admin -> package#aab00: add-unixuser", "package#yyy00.admin -> package#yyy00: add-unixuser",
"package#aab00.tenant -> package#aab00: view", "package#yyy00.tenant -> package#yyy00: view",
"package#aab01.admin -> package#aab01: add-domain", "package#yyy01.admin -> package#yyy01: add-domain",
"package#aab01.admin -> package#aab01: add-unixuser", "package#yyy01.admin -> package#yyy01: add-unixuser",
"package#aab01.tenant -> package#aab01: view", "package#yyy01.tenant -> package#yyy01: view",
"package#aab02.admin -> package#aab02: add-domain", "package#yyy02.admin -> package#yyy02: add-domain",
"package#aab02.admin -> package#aab02: add-unixuser", "package#yyy02.admin -> package#yyy02: add-unixuser",
"package#aab02.tenant -> package#aab02: view", "package#yyy02.tenant -> package#yyy02: view",
"customer#aac.admin -> customer#aac: add-package", "customer#zzz.admin -> customer#zzz: add-package",
"customer#aac.admin -> customer#aac: view", "customer#zzz.admin -> customer#zzz: view",
"customer#aac.owner -> customer#aac: *", "customer#zzz.owner -> customer#zzz: *",
"customer#aac.tenant -> customer#aac: view", "customer#zzz.tenant -> customer#zzz: view",
"package#aac00.admin -> package#aac00: add-domain", "package#zzz00.admin -> package#zzz00: add-domain",
"package#aac00.admin -> package#aac00: add-unixuser", "package#zzz00.admin -> package#zzz00: add-unixuser",
"package#aac00.tenant -> package#aac00: view", "package#zzz00.tenant -> package#zzz00: view",
"package#aac01.admin -> package#aac01: add-domain", "package#zzz01.admin -> package#zzz01: add-domain",
"package#aac01.admin -> package#aac01: add-unixuser", "package#zzz01.admin -> package#zzz01: add-unixuser",
"package#aac01.tenant -> package#aac01: view", "package#zzz01.tenant -> package#zzz01: view",
"package#aac02.admin -> package#aac02: add-domain", "package#zzz02.admin -> package#zzz02: add-domain",
"package#aac02.admin -> package#aac02: add-unixuser", "package#zzz02.admin -> package#zzz02: add-unixuser",
"package#aac02.tenant -> package#aac02: view" "package#zzz02.tenant -> package#zzz02: view"
// @formatter:on // @formatter:on
); );
@ -255,41 +255,41 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
@Test @Test
public void customerAdmin_withoutAssumedRole_canViewTheirOwnPermissions() { public void customerAdmin_withoutAssumedRole_canViewTheirOwnPermissions() {
// given // given
context("admin@aaa.example.com"); context("customer-admin@xxx.example.com");
// when // when
final var result = rbacUserRepository.findPermissionsOfUser("admin@aaa.example.com"); final var result = rbacUserRepository.findPermissionsOfUser("customer-admin@xxx.example.com");
// then // then
allTheseRbacPermissionsAreReturned( allTheseRbacPermissionsAreReturned(
result, result,
// @formatter:off // @formatter:off
"customer#aaa.admin -> customer#aaa: add-package", "customer#xxx.admin -> customer#xxx: add-package",
"customer#aaa.admin -> customer#aaa: view", "customer#xxx.admin -> customer#xxx: view",
"customer#aaa.tenant -> customer#aaa: view", "customer#xxx.tenant -> customer#xxx: view",
"package#aaa00.admin -> package#aaa00: add-domain", "package#xxx00.admin -> package#xxx00: add-domain",
"package#aaa00.admin -> package#aaa00: add-unixuser", "package#xxx00.admin -> package#xxx00: add-unixuser",
"package#aaa00.tenant -> package#aaa00: view", "package#xxx00.tenant -> package#xxx00: view",
"unixuser#aaa00-aaaa.owner -> unixuser#aaa00-aaaa: *", "unixuser#xxx00-aaaa.owner -> unixuser#xxx00-aaaa: *",
"package#aaa01.admin -> package#aaa01: add-domain", "package#xxx01.admin -> package#xxx01: add-domain",
"package#aaa01.admin -> package#aaa01: add-unixuser", "package#xxx01.admin -> package#xxx01: add-unixuser",
"package#aaa01.tenant -> package#aaa01: view", "package#xxx01.tenant -> package#xxx01: view",
"unixuser#aaa01-aaaa.owner -> unixuser#aaa01-aaaa: *", "unixuser#xxx01-aaaa.owner -> unixuser#xxx01-aaaa: *",
"package#aaa02.admin -> package#aaa02: add-domain", "package#xxx02.admin -> package#xxx02: add-domain",
"package#aaa02.admin -> package#aaa02: add-unixuser", "package#xxx02.admin -> package#xxx02: add-unixuser",
"package#aaa02.tenant -> package#aaa02: view", "package#xxx02.tenant -> package#xxx02: view",
"unixuser#aaa02-aaaa.owner -> unixuser#aaa02-aaaa: *" "unixuser#xxx02-aaaa.owner -> unixuser#xxx02-aaaa: *"
// @formatter:on // @formatter:on
); );
noneOfTheseRbacPermissionsAreReturned( noneOfTheseRbacPermissionsAreReturned(
result, result,
// @formatter:off // @formatter:off
"customer#aab.admin -> customer#aab: add-package", "customer#yyy.admin -> customer#yyy: add-package",
"customer#aab.admin -> customer#aab: view", "customer#yyy.admin -> customer#yyy: view",
"customer#aab.tenant -> customer#aab: view" "customer#yyy.tenant -> customer#yyy: view"
// @formatter:on // @formatter:on
); );
} }
@ -297,7 +297,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
@Test @Test
public void customerAdmin_withoutAssumedRole_isNotAllowedToViewGlobalAdminsPermissions() { public void customerAdmin_withoutAssumedRole_isNotAllowedToViewGlobalAdminsPermissions() {
// given // given
context("admin@aaa.example.com"); context("customer-admin@xxx.example.com");
// when // when
final var result = attempt(em, () -> final var result = attempt(em, () ->
@ -307,41 +307,41 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
// then // then
result.assertExceptionWithRootCauseMessage( result.assertExceptionWithRootCauseMessage(
JpaSystemException.class, JpaSystemException.class,
"[403] permissions of user \"mike@hostsharing.net\" are not accessible to user \"admin@aaa.example.com\""); "[403] permissions of user \"mike@hostsharing.net\" are not accessible to user \"customer-admin@xxx.example.com\"");
} }
@Test @Test
public void customerAdmin_withoutAssumedRole_canViewAllPermissionsWithinThePacketsRealm() { public void customerAdmin_withoutAssumedRole_canViewAllPermissionsWithinThePacketsRealm() {
// given // given
context("admin@aaa.example.com"); context("customer-admin@xxx.example.com");
// when // when
final var result = rbacUserRepository.findPermissionsOfUser("aaa00@aaa.example.com"); final var result = rbacUserRepository.findPermissionsOfUser("pac-admin-xxx00@xxx.example.com");
// then // then
allTheseRbacPermissionsAreReturned( allTheseRbacPermissionsAreReturned(
result, result,
// @formatter:off // @formatter:off
"customer#aaa.tenant -> customer#aaa: view", "customer#xxx.tenant -> customer#xxx: view",
// "customer#aaa.admin -> customer#aaa: view" - Not permissions through the customer admin! // "customer#xxx.admin -> customer#xxx: view" - Not permissions through the customer admin!
"package#aaa00.admin -> package#aaa00: add-unixuser", "package#xxx00.admin -> package#xxx00: add-unixuser",
"package#aaa00.admin -> package#aaa00: add-domain", "package#xxx00.admin -> package#xxx00: add-domain",
"package#aaa00.tenant -> package#aaa00: view", "package#xxx00.tenant -> package#xxx00: view",
"unixuser#aaa00-aaaa.owner -> unixuser#aaa00-aaaa: *", "unixuser#xxx00-aaaa.owner -> unixuser#xxx00-aaaa: *",
"unixuser#aaa00-aaab.owner -> unixuser#aaa00-aaab: *" "unixuser#xxx00-aaab.owner -> unixuser#xxx00-aaab: *"
// @formatter:on // @formatter:on
); );
noneOfTheseRbacPermissionsAreReturned( noneOfTheseRbacPermissionsAreReturned(
result, result,
// @formatter:off // @formatter:off
"customer#aab.admin -> customer#aab: add-package", "customer#yyy.admin -> customer#yyy: add-package",
"customer#aab.admin -> customer#aab: view", "customer#yyy.admin -> customer#yyy: view",
"customer#aab.tenant -> customer#aab: view", "customer#yyy.tenant -> customer#yyy: view",
"package#aab00.admin -> package#aab00: add-unixuser", "package#yyy00.admin -> package#yyy00: add-unixuser",
"package#aab00.admin -> package#aab00: add-domain", "package#yyy00.admin -> package#yyy00: add-domain",
"package#aab00.tenant -> package#aab00: view", "package#yyy00.tenant -> package#yyy00: view",
"unixuser#aab00-aaaa.owner -> unixuser#aab00-aaaa: *", "unixuser#yyy00-aaaa.owner -> unixuser#yyy00-aaaa: *",
"unixuser#aab00-aaab.owner -> unixuser#aab00-aaab: *" "unixuser#yyy00-aaab.owner -> unixuser#yyy00-aaab: *"
// @formatter:on // @formatter:on
); );
} }
@ -349,10 +349,10 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
@Test @Test
public void customerAdmin_withoutAssumedRole_canNotViewPermissionsOfUnrelatedUsers() { public void customerAdmin_withoutAssumedRole_canNotViewPermissionsOfUnrelatedUsers() {
// given // given
context("admin@aaa.example.com"); context("customer-admin@xxx.example.com");
// when // when
final var result = rbacUserRepository.findPermissionsOfUser("aab00@aab.example.com"); final var result = rbacUserRepository.findPermissionsOfUser("pac-admin-yyy00@yyy.example.com");
// then // then
noRbacPermissionsAreReturned(result); noRbacPermissionsAreReturned(result);
@ -361,36 +361,36 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
@Test @Test
public void packetAdmin_withoutAssumedRole_canViewAllPermissionsWithinThePacketsRealm() { public void packetAdmin_withoutAssumedRole_canViewAllPermissionsWithinThePacketsRealm() {
// given // given
context("aaa00@aaa.example.com"); context("pac-admin-xxx00@xxx.example.com");
// when // when
final var result = rbacUserRepository.findPermissionsOfUser("aaa00@aaa.example.com"); final var result = rbacUserRepository.findPermissionsOfUser("pac-admin-xxx00@xxx.example.com");
// then // then
allTheseRbacPermissionsAreReturned( allTheseRbacPermissionsAreReturned(
result, result,
// @formatter:off // @formatter:off
"customer#aaa.tenant -> customer#aaa: view", "customer#xxx.tenant -> customer#xxx: view",
// "customer#aaa.admin -> customer#aaa: view" - Not permissions through the customer admin! // "customer#xxx.admin -> customer#xxx: view" - Not permissions through the customer admin!
"package#aaa00.admin -> package#aaa00: add-unixuser", "package#xxx00.admin -> package#xxx00: add-unixuser",
"package#aaa00.admin -> package#aaa00: add-domain", "package#xxx00.admin -> package#xxx00: add-domain",
"package#aaa00.tenant -> package#aaa00: view" "package#xxx00.tenant -> package#xxx00: view"
// @formatter:on // @formatter:on
); );
noneOfTheseRbacPermissionsAreReturned( noneOfTheseRbacPermissionsAreReturned(
result, result,
// @formatter:off // @formatter:off
// no customer admin permissions // no customer admin permissions
"customer#aaa.admin -> customer#aaa: add-package", "customer#xxx.admin -> customer#xxx: add-package",
// no permissions on other customer's objects // no permissions on other customer's objects
"customer#aab.admin -> customer#aab: add-package", "customer#yyy.admin -> customer#yyy: add-package",
"customer#aab.admin -> customer#aab: view", "customer#yyy.admin -> customer#yyy: view",
"customer#aab.tenant -> customer#aab: view", "customer#yyy.tenant -> customer#yyy: view",
"package#aab00.admin -> package#aab00: add-unixuser", "package#yyy00.admin -> package#yyy00: add-unixuser",
"package#aab00.admin -> package#aab00: add-domain", "package#yyy00.admin -> package#yyy00: add-domain",
"package#aab00.tenant -> package#aab00: view", "package#yyy00.tenant -> package#yyy00: view",
"unixuser#aab00-aaaa.owner -> unixuser#aab00-aaaa: *", "unixuser#yyy00-aaaa.owner -> unixuser#yyy00-aaaa: *",
"unixuser#aab00-aaab.owner -> unixuser#aab00-aaab: *" "unixuser#yyy00-xxxb.owner -> unixuser#yyy00-xxxb: *"
// @formatter:on // @formatter:on
); );
} }

View File

@ -5,8 +5,8 @@ import static java.util.UUID.randomUUID;
public class TestRbacUser { public class TestRbacUser {
static final RbacUserEntity userAaa = rbacRole("admin@aaa.example.com"); static final RbacUserEntity userxxx = rbacRole("customer-admin@xxx.example.com");
static final RbacUserEntity userBbb = rbacRole("admin@bbb.example.com"); static final RbacUserEntity userBbb = rbacRole("customer-admin@bbb.example.com");
static public RbacUserEntity rbacRole(final String userName) { static public RbacUserEntity rbacRole(final String userName) {
return new RbacUserEntity(randomUUID(), userName); return new RbacUserEntity(randomUUID(), userName);