use xxx, yyy and zzz for test customers, makes tests easier to read

This commit is contained in:
Michael Hoennig 2022-08-24 17:56:13 +02:00
parent 258f8b1f66
commit 6b4c9f6c51
16 changed files with 453 additions and 416 deletions

View File

@ -10,7 +10,6 @@ import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.servlet.mvc.method.annotation.MvcUriComponentsBuilder;
import javax.persistence.EntityManager;
import java.util.List;
import java.util.UUID;

View File

@ -15,48 +15,51 @@ begin
return 10000 + customerCount;
end; $$;
/*
Creates test data for the customer main table.
Creates a single customer test record with dist.
*/
create or replace procedure createCustomerTestData(
startCount integer, -- count of auto generated rows before the run
endCount integer, -- count of auto generated rows after the run
doCommitAfterEach boolean -- only for mass data creation outside of Liquibase
custReference integer,
custPrefix varchar
)
language plpgsql as $$
declare
currentTask varchar;
custReference integer;
custRowId uuid;
custPrefix varchar;
custAdminName varchar;
begin
set hsadminng.currentUser to '';
for t in startCount..endCount
loop
currentTask = 'creating RBAC test customer #' || t;
currentTask = 'creating RBAC test customer #' || custReference || '/' || custPrefix;
set local hsadminng.currentUser to 'mike@hostsharing.net';
set local hsadminng.assumedRoles to 'global#hostsharing.admin';
execute format('set local hsadminng.currentTask to %L', currentTask);
-- When a new customer is created,
custReference = testCustomerReference(t);
custRowId = uuid_generate_v4();
custPrefix = intToVarChar(t, 3);
custAdminName = 'admin@' || custPrefix || '.example.com';
custAdminName = 'customer-admin@' || custPrefix || '.example.com';
raise notice 'creating customer %:%', custReference, custPrefix;
insert
into customer (reference, prefix, adminUserName)
values (custReference, custPrefix, custAdminName);
end; $$;
--//
if doCommitAfterEach then
/*
Creates a range of test customers for mass data generation.
*/
create or replace procedure createCustomerTestData(
startCount integer, -- count of auto generated rows before the run
endCount integer -- count of auto generated rows after the run
)
language plpgsql as $$
begin
set hsadminng.currentUser to '';
for t in startCount..endCount
loop
call createCustomerTestData(testCustomerReference(t), intToVarChar(t, 3));
commit;
end if;
end loop;
end; $$;
--//
@ -67,7 +70,9 @@ end; $$;
do language plpgsql $$
begin
call createCustomerTestData(0, 2, false);
call createCustomerTestData(99901, 'xxx');
call createCustomerTestData(99902, 'yyy');
call createCustomerTestData(99903, 'zzz');
end;
$$;
--//

View File

@ -4,12 +4,9 @@
--changeset hs-package-TEST-DATA-GENERATOR:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates test data for the package main table.
Creates the given number of test packages for the given customer.
*/
create or replace procedure createPackageTestData(
minCustomerReference integer, -- skip customers with reference below this
doCommitAfterEach boolean -- only for mass data creation outside of Liquibase
)
create or replace procedure createPackageTestData(customerPrefix varchar, pacCount int)
language plpgsql as $$
declare
cust customer;
@ -19,19 +16,15 @@ declare
currentTask varchar;
pac package;
begin
set hsadminng.currentUser to '';
select * from customer where customer.prefix = customerPrefix into cust;
for cust in (select * from customer)
loop
continue when cust.reference < minCustomerReference;
for t in 0..2
for t in 0..(pacCount-1)
loop
pacName = cust.prefix || to_char(t, 'fm00');
currentTask = 'creating RBAC test package #' || pacName || ' for customer ' || cust.prefix || ' #' ||
cust.uuid;
custAdminUser = 'admin@' || cust.prefix || '.example.com';
custAdminUser = 'customer-admin@' || cust.prefix || '.example.com';
custAdminRole = 'customer#' || cust.prefix || '.admin';
execute format('set local hsadminng.currentUser to %L', custAdminUser);
execute format('set local hsadminng.assumedRoles to %L', custAdminRole);
@ -46,15 +39,29 @@ begin
call grantRoleToUser(
getRoleId(customerAdmin(cust), 'fail'),
findRoleId(packageAdmin(pac)),
createRbacUser(pacName || '@' || cust.prefix || '.example.com'),
createRbacUser('pac-admin-' || pacName || '@' || cust.prefix || '.example.com'),
true);
end loop;
end; $$;
/*
Creates a range of test packages for mass data generation.
*/
create or replace procedure createPackageTestData()
language plpgsql as $$
declare
cust customer;
begin
set hsadminng.currentUser to '';
for cust in (select * from customer)
loop
continue when cust.reference >= 90000; -- reserved for functional testing
call createPackageTestData(cust.prefix, 3);
end loop;
if doCommitAfterEach then
commit;
end if;
end ;
$$;
--//
@ -66,7 +73,9 @@ $$;
do language plpgsql $$
begin
call createPackageTestData(0, false);
call createPackageTestData('xxx', 3);
call createPackageTestData('yyy', 3);
call createPackageTestData('zzz', 3);
end;
$$;
--//

View File

@ -4,13 +4,42 @@
--changeset hs-unixuser-TEST-DATA-GENERATOR:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates test data for the package main table.
Creates the given count of test unix users for a single package.
*/
create or replace procedure createUnixUserTestData(
minCustomerReference integer, -- skip customers with reference below this
unixUserPerPackage integer, -- create this many unix users for each package
doCommitAfterEach boolean -- only for mass data creation outside of Liquibase
)
create or replace procedure createUnixUserTestData( packageName varchar, unixUserCount int )
language plpgsql as $$
declare
pac record;
pacAdmin varchar;
currentTask varchar;
begin
set hsadminng.currentUser to '';
select p.uuid, p.name, c.prefix as custPrefix
from package p
join customer c on p.customeruuid = c.uuid
where p.name = packageName
into pac;
for t in 0..(unixUserCount-1)
loop
currentTask = 'creating RBAC test unixuser #' || t || ' for package ' || pac.name || ' #' || pac.uuid;
raise notice 'task: %', currentTask;
pacAdmin = 'pac-admin-' || pac.name || '@' || pac.custPrefix || '.example.com';
execute format('set local hsadminng.currentTask to %L', currentTask);
execute format('set local hsadminng.currentUser to %L', pacAdmin);
set local hsadminng.assumedRoles = '';
insert
into unixuser (name, packageUuid)
values (pac.name || '-' || intToVarChar(t, 4), pac.uuid);
end loop;
end; $$;
/*
Creates a range of unix users for mass data generation.
*/
create or replace procedure createUnixUserTestData( unixUserPerPackage integer )
language plpgsql as $$
declare
pac record;
@ -23,30 +52,13 @@ begin
(select p.uuid, p.name
from package p
join customer c on p.customeruuid = c.uuid
where c.reference >= minCustomerReference)
where c.reference < 90000) -- reserved for functional testing
loop
for t in 0..(unixUserPerPackage-1)
loop
currentTask = 'creating RBAC test unixuser #' || t || ' for package ' || pac.name || ' #' || pac.uuid;
raise notice 'task: %', currentTask;
pacAdmin = 'admin@' || pac.name || '.example.com';
execute format('set local hsadminng.currentTask to %L', currentTask);
execute format('set local hsadminng.currentUser to %L', pacAdmin);
set local hsadminng.assumedRoles = '';
insert
into unixuser (name, packageUuid)
values (pac.name || '-' || intToVarChar(t, 4), pac.uuid);
if doCommitAfterEach then
call createUnixUserTestData(pac.name, 2);
commit;
end if;
end loop;
end loop;
end;
$$;
end; $$;
--//
@ -56,7 +68,17 @@ $$;
do language plpgsql $$
begin
call createUnixUserTestData(0, 2, false);
call createUnixUserTestData('xxx00', 2);
call createUnixUserTestData('xxx01', 2);
call createUnixUserTestData('xxx02', 2);
call createUnixUserTestData('yyy00', 2);
call createUnixUserTestData('yyy01', 2);
call createUnixUserTestData('yyy02', 2);
call createUnixUserTestData('zzz00', 2);
call createUnixUserTestData('zzz01', 2);
call createUnixUserTestData('zzz02', 2);
end;
$$;
--//

View File

@ -33,12 +33,12 @@ class ContextIntegrationTests {
@Transactional
void assumeRoles() {
context.setCurrentUser("mike@hostsharing.net");
context.assumeRoles("customer#aaa.owner;customer#aab.owner");
context.assumeRoles("customer#xxx.owner;customer#yyy.owner");
final var currentUser = context.getCurrentUser();
assertThat(currentUser).isEqualTo("mike@hostsharing.net");
final var assumedRoles = context.getAssumedRoles();
assertThat(assumedRoles).containsExactlyInAnyOrder("customer#aaa.owner", "customer#aab.owner");
assertThat(assumedRoles).containsExactlyInAnyOrder("customer#xxx.owner", "customer#yyy.owner");
}
}

View File

@ -92,7 +92,7 @@ class CustomerControllerRestTest {
mockMvc.perform(MockMvcRequestBuilders
.get("/api/customers")
.header("current-user", "mike@hostsharing.net")
.header("assumed-roles", "admin@yyy.example.com")
.header("assumed-roles", "customer-admin@yyy.example.com")
.accept(MediaType.APPLICATION_JSON))
// then
@ -103,7 +103,7 @@ class CustomerControllerRestTest {
// then
verify(contextMock).setCurrentUser("mike@hostsharing.net");
verify(contextMock).assumeRoles("admin@yyy.example.com");
verify(contextMock).assumeRoles("customer-admin@yyy.example.com");
}
}

View File

@ -42,7 +42,7 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
final var result = attempt(em, () -> {
final var newCustomer = new CustomerEntity(
UUID.randomUUID(), "xxx", 90001, "admin@xxx.example.com");
UUID.randomUUID(), "www", 90001, "customer-admin@www.example.com");
return customerRepository.save(newCustomer);
});
@ -56,37 +56,37 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
@Test
public void hostsharingAdmin_withAssumedCustomerRole_cannotCreateNewCustomer() {
// given
context("mike@hostsharing.net", "customer#aaa.admin");
context("mike@hostsharing.net", "customer#xxx.admin");
// when
final var result = attempt(em, () -> {
final var newCustomer = new CustomerEntity(
UUID.randomUUID(), "xxx", 90001, "admin@xxx.example.com");
UUID.randomUUID(), "www", 90001, "customer-admin@www.example.com");
return customerRepository.save(newCustomer);
});
// then
result.assertExceptionWithRootCauseMessage(
PersistenceException.class,
"add-customer not permitted for customer#aaa.admin");
"add-customer not permitted for customer#xxx.admin");
}
@Test
public void customerAdmin_withoutAssumedRole_cannotCreateNewCustomer() {
// given
context("admin@aaa.example.com", null);
context("customer-admin@xxx.example.com", null);
// when
final var result = attempt(em, () -> {
final var newCustomer = new CustomerEntity(
UUID.randomUUID(), "yyy", 90002, "admin@yyy.example.com");
UUID.randomUUID(), "www", 90001, "customer-admin@www.example.com");
return customerRepository.save(newCustomer);
});
// then
result.assertExceptionWithRootCauseMessage(
PersistenceException.class,
"add-customer not permitted for admin@aaa.example.com");
"add-customer not permitted for customer-admin@xxx.example.com");
}
@ -108,7 +108,7 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
// then
exactlyTheseCustomersAreReturned(result, "aaa", "aab", "aac");
exactlyTheseCustomersAreReturned(result, "xxx", "yyy", "zzz");
}
@Test
@ -120,34 +120,34 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
then:
exactlyTheseCustomersAreReturned(result, "aaa", "aab", "aac");
exactlyTheseCustomersAreReturned(result, "xxx", "yyy", "zzz");
}
@Test
public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnCustomer() {
// given:
context("admin@aaa.example.com", null);
context("customer-admin@xxx.example.com", null);
// when:
final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
// then:
exactlyTheseCustomersAreReturned(result, "aaa");
exactlyTheseCustomersAreReturned(result, "xxx");
}
@Test
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnCustomer() {
context("admin@aaa.example.com", "package#aaa00.admin");
context("customer-admin@xxx.example.com", "package#xxx00.admin");
final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
exactlyTheseCustomersAreReturned(result, "aaa");
exactlyTheseCustomersAreReturned(result, "xxx");
}
@Test
public void customerAdmin_withAssumedAlienPackageAdminRole_cannotViewAnyCustomer() {
// given:
context("admin@aaa.example.com", "package#aab00.admin");
context("customer-admin@xxx.example.com", "package#yyy00.admin");
// when
final var result = attempt(
@ -157,7 +157,7 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
// then
result.assertExceptionWithRootCauseMessage(
JpaSystemException.class,
"[403] user admin@aaa.example.com", "has no permission to assume role package#aab00#admin");
"[403] user customer-admin@xxx.example.com", "has no permission to assume role package#yyy00#admin");
}
@Test
@ -176,7 +176,7 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
@Test
@Transactional
void unknownUser_withAssumedCustomerRole_cannotViewAnyCustomers() {
context("unknown@example.org", "customer#aaa.admin");
context("unknown@example.org", "customer#xxx.admin");
final var result = attempt(
em,
@ -198,19 +198,19 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
context("mike@hostsharing.net", null);
// when
final var result = customerRepository.findCustomerByOptionalPrefixLike("aab");
final var result = customerRepository.findCustomerByOptionalPrefixLike("yyy");
// then
exactlyTheseCustomersAreReturned(result, "aab");
exactlyTheseCustomersAreReturned(result, "yyy");
}
@Test
public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnCustomer() {
// given:
context("admin@aaa.example.com", null);
context("customer-admin@xxx.example.com", null);
// when:
final var result = customerRepository.findCustomerByOptionalPrefixLike("aab");
final var result = customerRepository.findCustomerByOptionalPrefixLike("yyy");
// then:
exactlyTheseCustomersAreReturned(result);

View File

@ -44,19 +44,19 @@ class PackageControllerAcceptanceTest {
RestAssured
.given()
.header("current-user", "mike@hostsharing.net")
.header("assumed-roles", "customer#aaa.admin")
.header("assumed-roles", "customer#xxx.admin")
.port(port)
.when()
.get("http://localhost/api/packages")
.then().assertThat()
.statusCode(200)
.contentType("application/json")
.body("[0].name", is("aaa00"))
.body("[0].customer.reference", is(10000))
.body("[1].name", is("aaa01"))
.body("[1].customer.reference", is(10000))
.body("[2].name", is("aaa02"))
.body("[2].customer.reference", is(10000));
.body("[0].name", is("xxx00"))
.body("[0].customer.reference", is(99901))
.body("[1].name", is("xxx01"))
.body("[1].customer.reference", is(99901))
.body("[2].name", is("xxx02"))
.body("[2].customer.reference", is(99901));
// @formatter:on
}
@ -66,15 +66,15 @@ class PackageControllerAcceptanceTest {
RestAssured
.given()
.header("current-user", "mike@hostsharing.net")
.header("assumed-roles", "customer#aaa.admin")
.header("assumed-roles", "customer#xxx.admin")
.port(port)
.when()
.get("http://localhost/api/packages?name=aaa01")
.get("http://localhost/api/packages?name=xxx01")
.then().assertThat()
.statusCode(200)
.contentType("application/json")
.body("[0].name", is("aaa01"))
.body("[0].customer.reference", is(10000));
.body("[0].name", is("xxx01"))
.body("[0].customer.reference", is(99901));
// @formatter:on
}
}
@ -85,8 +85,8 @@ class PackageControllerAcceptanceTest {
@Test
void withDescriptionUpdatesDescription() {
assumeThat(getDescriptionOfPackage("aaa00"))
.isEqualTo("Here can add your own description of package aaa00.");
assumeThat(getDescriptionOfPackage("xxx00"))
.isEqualTo("Here can add your own description of package xxx00.");
final var randomDescription = RandomStringUtils.randomAlphanumeric(80);
@ -94,7 +94,7 @@ class PackageControllerAcceptanceTest {
RestAssured
.given()
.header("current-user", "mike@hostsharing.net")
.header("assumed-roles", "customer#aaa.admin")
.header("assumed-roles", "customer#xxx.admin")
.contentType(ContentType.JSON)
.body(format("""
{
@ -103,12 +103,12 @@ class PackageControllerAcceptanceTest {
""", randomDescription))
.port(port)
.when()
.patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("aaa00"))
.patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("xxx00"))
.then()
.assertThat()
.statusCode(200)
.contentType("application/json")
.body("name", is("aaa00"))
.body("name", is("xxx00"))
.body("description", is(randomDescription));
// @formatter:on
@ -117,14 +117,14 @@ class PackageControllerAcceptanceTest {
@Test
void withNullDescriptionUpdatesDescriptionToNull() {
assumeThat(getDescriptionOfPackage("aaa01"))
.isEqualTo("Here can add your own description of package aaa01.");
assumeThat(getDescriptionOfPackage("xxx01"))
.isEqualTo("Here can add your own description of package xxx01.");
// @formatter:off
RestAssured
.given()
.header("current-user", "mike@hostsharing.net")
.header("assumed-roles", "customer#aaa.admin")
.header("assumed-roles", "customer#xxx.admin")
.contentType(ContentType.JSON)
.body("""
{
@ -133,12 +133,12 @@ class PackageControllerAcceptanceTest {
""")
.port(port)
.when()
.patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("aaa01"))
.patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("xxx01"))
.then()
.assertThat()
.statusCode(200)
.contentType("application/json")
.body("name", is("aaa01"))
.body("name", is("xxx01"))
.body("description", equalTo(null));
// @formatter:on
}
@ -146,24 +146,24 @@ class PackageControllerAcceptanceTest {
@Test
void withoutDescriptionDoesNothing() {
assumeThat(getDescriptionOfPackage("aaa02"))
.isEqualTo("Here can add your own description of package aaa02.");
assumeThat(getDescriptionOfPackage("xxx02"))
.isEqualTo("Here can add your own description of package xxx02.");
// @formatter:off
RestAssured
.given()
.header("current-user", "mike@hostsharing.net")
.header("assumed-roles", "customer#aaa.admin")
.header("assumed-roles", "customer#xxx.admin")
.contentType(ContentType.JSON)
.body("{}")
.port(port)
.when()
.patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("aaa02"))
.patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("xxx02"))
.then().assertThat()
.statusCode(200)
.contentType("application/json")
.body("name", is("aaa02"))
.body("description", is("Here can add your own description of package aaa02.")); // unchanged
.body("name", is("xxx02"))
.body("description", is("Here can add your own description of package xxx02.")); // unchanged
// @formatter:on
}
}
@ -173,7 +173,7 @@ class PackageControllerAcceptanceTest {
return UUID.fromString(RestAssured
.given()
.header("current-user", "mike@hostsharing.net")
.header("assumed-roles", "customer#aaa.admin")
.header("assumed-roles", "customer#xxx.admin")
.port(port)
.when()
.get("http://localhost/api/packages?name={packageName}", packageName)
@ -186,7 +186,7 @@ class PackageControllerAcceptanceTest {
String getDescriptionOfPackage(final String packageName) {
context.setCurrentUser("mike@hostsharing.net");
context.assumeRoles("customer#aaa.admin");
context.assumeRoles("customer#xxx.admin");
return packageRepository.findAllByOptionalNameLike(packageName).get(0).getDescription();
}
}

View File

@ -67,30 +67,30 @@ class PackageRepositoryIntegrationTest {
@Test
public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnPackages() {
// given:
currentUser("admin@aaa.example.com");
currentUser("customer-admin@xxx.example.com");
// when:
final var result = packageRepository.findAllByOptionalNameLike(null);
// then:
exactlyThesePackagesAreReturned(result, "aaa00", "aaa01", "aaa02");
exactlyThesePackagesAreReturned(result, "xxx00", "xxx01", "xxx02");
}
@Test
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnPackages() {
currentUser("admin@aaa.example.com");
assumedRoles("package#aaa00.admin");
currentUser("customer-admin@xxx.example.com");
assumedRoles("package#xxx00.admin");
final var result = packageRepository.findAllByOptionalNameLike(null);
exactlyThesePackagesAreReturned(result, "aaa00");
exactlyThesePackagesAreReturned(result, "xxx00");
}
@Test
public void customerAdmin_withAssumedAlienPackageAdminRole_cannotViewAnyPackages() {
// given:
currentUser("admin@aaa.example.com");
assumedRoles("package#aab00.admin");
currentUser("customer-admin@xxx.example.com");
assumedRoles("package#yyy00.admin");
// when
final var result = attempt(
@ -100,7 +100,7 @@ class PackageRepositoryIntegrationTest {
// then
result.assertExceptionWithRootCauseMessage(
JpaSystemException.class,
"[403] user admin@aaa.example.com", "has no permission to assume role package#aab00#admin");
"[403] user customer-admin@xxx.example.com", "has no permission to assume role package#yyy00#admin");
}
@Test
@ -120,7 +120,7 @@ class PackageRepositoryIntegrationTest {
@Transactional
void unknownUser_withAssumedCustomerRole_cannotViewAnyPackages() {
currentUser("unknown@example.org");
assumedRoles("customer#aaa.admin");
assumedRoles("customer#xxx.admin");
final var result = attempt(
em,
@ -139,17 +139,17 @@ class PackageRepositoryIntegrationTest {
@Test
public void supportsOptimisticLocking() throws InterruptedException {
// given
hostsharingAdminWithAssumedRole("package#aaa00.admin");
hostsharingAdminWithAssumedRole("package#xxx00.admin");
final var pac = packageRepository.findAllByOptionalNameLike("%").get(0);
// when
final var result1 = jpaAttempt.transacted(() -> {
hostsharingAdminWithAssumedRole("package#aaa00.admin");
hostsharingAdminWithAssumedRole("package#xxx00.admin");
pac.setDescription("description set by thread 1");
packageRepository.save(pac);
});
final var result2 = jpaAttempt.transacted(() -> {
hostsharingAdminWithAssumedRole("package#aaa00.admin");
hostsharingAdminWithAssumedRole("package#xxx00.admin");
pac.setDescription("description set by thread 2");
packageRepository.save(pac);
sleep(1500);

View File

@ -62,9 +62,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
@Accepts({ "GRT:R(Read)" })
void customerAdmin_withAssumedPacketAdminRole_canReadPacketAdminsGrantById() {
// given
final var givenCurrentUserAsPackageAdmin = new Subject("admin@aaa.example.com");
final var givenGranteeUser = findRbacUserByName("aaa00@aaa.example.com");
final var givenGrantedRole = findRbacRoleByName("package#aaa00.admin");
final var givenCurrentUserAsPackageAdmin = new Subject("customer-admin@xxx.example.com");
final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin");
// when
final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
@ -73,18 +73,18 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// then
grant.assertThat()
.statusCode(200)
.body("grantedByRoleIdName", is("customer#aaa.admin"))
.body("grantedRoleIdName", is("package#aaa00.admin"))
.body("granteeUserName", is("aaa00@aaa.example.com"));
.body("grantedByRoleIdName", is("customer#xxx.admin"))
.body("grantedRoleIdName", is("package#xxx00.admin"))
.body("granteeUserName", is("pac-admin-xxx00@xxx.example.com"));
}
@Test
@Accepts({ "GRT:R(Read)" })
void packageAdmin_withoutAssumedRole_canReadItsOwnGrantById() {
// given
final var givenCurrentUserAsPackageAdmin = new Subject("aaa00@aaa.example.com");
final var givenGranteeUser = findRbacUserByName("aaa00@aaa.example.com");
final var givenGrantedRole = findRbacRoleByName("package#aaa00.admin");
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com");
final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin");
// when
final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
@ -93,18 +93,18 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// then
grant.assertThat()
.statusCode(200)
.body("grantedByRoleIdName", is("customer#aaa.admin"))
.body("grantedRoleIdName", is("package#aaa00.admin"))
.body("granteeUserName", is("aaa00@aaa.example.com"));
.body("grantedByRoleIdName", is("customer#xxx.admin"))
.body("grantedRoleIdName", is("package#xxx00.admin"))
.body("granteeUserName", is("pac-admin-xxx00@xxx.example.com"));
}
@Test
@Accepts({ "GRT:R(Read)" })
void packageAdmin_withAssumedUnixUserAdmin_canNotReadItsOwnGrantById() {
// given
final var givenCurrentUserAsPackageAdmin = new Subject("aaa00@aaa.example.com", "unixuser#aaa00-aaaa.admin");
final var givenGranteeUser = findRbacUserByName("aaa00@aaa.example.com");
final var givenGrantedRole = findRbacRoleByName("package#aaa00.admin");
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", "unixuser#xxx00-xxxa.admin");
final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin");
// when
final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
@ -125,8 +125,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// given
final var givenNewUser = createRBacUser();
final var givenRoleToGrant = "package#aaa00.admin";
final var givenCurrentUserAsPackageAdmin = new Subject("aaa00@aaa.example.com", givenRoleToGrant);
final var givenRoleToGrant = "package#xxx00.admin";
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
final var givenOwnPackageAdminRole =
findRbacRoleByName(givenCurrentUserAsPackageAdmin.assumedRole);
@ -149,9 +149,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// given
final var givenNewUser = createRBacUser();
final var givenRoleToGrant = "package#aaa00.admin";
final var givenCurrentUserAsPackageAdmin = new Subject("aaa00@aaa.example.com", givenRoleToGrant);
final var givenAlienPackageAdminRole = findRbacRoleByName("package#aab00.admin");
final var givenRoleToGrant = "package#xxx00.admin";
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
final var givenAlienPackageAdminRole = findRbacRoleByName("package#yyy00.admin");
// when
final var result = givenCurrentUserAsPackageAdmin
@ -161,7 +161,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// then
result.assertThat()
.body("message", containsString("Access to granted role"))
.body("message", containsString("forbidden for {package#aaa00.admin}"))
.body("message", containsString("forbidden for {package#xxx00.admin}"))
.statusCode(403);
assertThat(findAllGrantsOf(givenCurrentUserAsPackageAdmin))
.extracting(RbacGrantEntity::getGranteeUserName)
@ -179,9 +179,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// given
final var givenArbitraryUser = createRBacUser();
final var givenRoleToGrant = "package#aaa00.admin";
final var givenCurrentUserAsPackageAdmin = new Subject("aaa00@aaa.example.com", givenRoleToGrant);
final var givenOwnPackageAdminRole = findRbacRoleByName("package#aaa00.admin");
final var givenRoleToGrant = "package#xxx00.admin";
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
final var givenOwnPackageAdminRole = findRbacRoleByName("package#xxx00.admin");
// and given an existing grant
assumeCreated(givenCurrentUserAsPackageAdmin

View File

@ -55,7 +55,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
@Accepts({ "GRT:L(List)" })
public void packageAdmin_canViewItsRbacGrants() {
// given
context("aaa00@aaa.example.com", null);
context("pac-admin-xxx00@xxx.example.com", null);
// when
final var result = rbacGrantRepository.findAll();
@ -63,14 +63,14 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// then
exactlyTheseRbacGrantsAreReturned(
result,
"{ grant assumed role package#aaa00.admin to user aaa00@aaa.example.com by role customer#aaa.admin }");
"{ grant assumed role package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role customer#xxx.admin }");
}
@Test
@Accepts({ "GRT:L(List)" })
public void customerAdmin_canViewItsRbacGrants() {
// given
context("admin@aaa.example.com", null);
context("customer-admin@xxx.example.com", null);
// when
final var result = rbacGrantRepository.findAll();
@ -78,17 +78,17 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// then
exactlyTheseRbacGrantsAreReturned(
result,
"{ grant assumed role customer#aaa.admin to user admin@aaa.example.com by role global#hostsharing.admin }",
"{ grant assumed role package#aaa00.admin to user aaa00@aaa.example.com by role customer#aaa.admin }",
"{ grant assumed role package#aaa01.admin to user aaa01@aaa.example.com by role customer#aaa.admin }",
"{ grant assumed role package#aaa02.admin to user aaa02@aaa.example.com by role customer#aaa.admin }");
"{ grant assumed role customer#xxx.admin to user customer-admin@xxx.example.com by role global#hostsharing.admin }",
"{ grant assumed role package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role customer#xxx.admin }",
"{ grant assumed role package#xxx01.admin to user pac-admin-xxx01@xxx.example.com by role customer#xxx.admin }",
"{ grant assumed role package#xxx02.admin to user pac-admin-xxx02@xxx.example.com by role customer#xxx.admin }");
}
@Test
@Accepts({ "GRT:L(List)" })
public void customerAdmin_withAssumedRole_canOnlyViewRbacGrantsVisibleByAssumedRole() {
// given:
context("admin@aaa.example.com", "package#aaa00.admin");
context("customer-admin@xxx.example.com", "package#xxx00.admin");
// when
final var result = rbacGrantRepository.findAll();
@ -96,7 +96,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// then
exactlyTheseRbacGrantsAreReturned(
result,
"{ grant assumed role package#aaa00.admin to user aaa00@aaa.example.com by role customer#aaa.admin }");
"{ grant assumed role package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role customer#xxx.admin }");
}
}
@ -106,9 +106,9 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
@Test
public void customerAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() {
// given
context("admin@aaa.example.com", "customer#aaa.admin");
final var givenArbitraryUserUuid = rbacUserRepository.findByName("aac00@aac.example.com").getUuid();
final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("package#aaa00.admin").getUuid();
context("customer-admin@xxx.example.com", "customer#xxx.admin");
final var givenArbitraryUserUuid = rbacUserRepository.findByName("pac-admin-zzz00@zzz.example.com").getUuid();
final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("package#xxx00.admin").getUuid();
// when
final var grant = RbacGrantEntity.builder()
@ -124,7 +124,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
assertThat(rbacGrantRepository.findAll())
.extracting(RbacGrantEntity::toDisplay)
.contains(
"{ grant assumed role package#aaa00.admin to user aac00@aac.example.com by role customer#aaa.admin }");
"{ grant assumed role package#xxx00.admin to user pac-admin-zzz00@zzz.example.com by role customer#xxx.admin }");
}
@Test
@ -134,17 +134,17 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
record Given(RbacUserEntity arbitraryUser, UUID packageOwnerRoleUuid) {}
final var given = jpaAttempt.transacted(() -> {
// to find the uuids of we need to have access rights to these
context("admin@aaa.example.com", null);
context("customer-admin@xxx.example.com", null);
return new Given(
createNewUser(),
rbacRoleRepository.findByRoleName("package#aaa00.owner").getUuid()
rbacRoleRepository.findByRoleName("package#xxx00.owner").getUuid()
);
}).assumeSuccessful().returnedValue();
// when
final var attempt = jpaAttempt.transacted(() -> {
// now we try to use these uuids as a less privileged user
context("aaa00@aaa.example.com", "package#aaa00.admin");
context("pac-admin-xxx00@xxx.example.com", "package#xxx00.admin");
final var grant = RbacGrantEntity.builder()
.granteeUserUuid(given.arbitraryUser.getUuid())
.grantedRoleUuid(given.packageOwnerRoleUuid)
@ -157,7 +157,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
attempt.assertExceptionWithRootCauseMessage(
JpaSystemException.class,
"ERROR: [403] Access to granted role " + given.packageOwnerRoleUuid
+ " forbidden for {package#aaa00.admin}");
+ " forbidden for {package#xxx00.admin}");
jpaAttempt.transacted(() -> {
// finally, we use the new user to make sure, no roles were granted
context(given.arbitraryUser.getName(), null);
@ -175,21 +175,21 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
public void customerAdmin_canRevokeSelfGrantedPackageAdminRole() {
// given
final var grant = create(grant()
.byUser("admin@aaa.example.com").withAssumedRole("customer#aaa.admin")
.grantingRole("package#aaa00.admin").toUser("aac00@aac.example.com"));
.byUser("customer-admin@xxx.example.com").withAssumedRole("customer#xxx.admin")
.grantingRole("package#xxx00.admin").toUser("pac-admin-zzz00@zzz.example.com"));
// when
context("admin@aaa.example.com", "customer#aaa.admin");
context("customer-admin@xxx.example.com", "customer#xxx.admin");
final var revokeAttempt = attempt(em, () -> {
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
});
// then
context("admin@aaa.example.com", "customer#aaa.admin");
context("customer-admin@xxx.example.com", "customer#xxx.admin");
assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull();
assertThat(rbacGrantRepository.findAll())
.extracting(RbacGrantEntity::getGranteeUserName)
.doesNotContain("aac00@aac.example.com");
.doesNotContain("pac-admin-zzz00@zzz.example.com");
}
@Test
@ -197,33 +197,33 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// given
final var newUser = createNewUserTransacted();
final var grant = create(grant()
.byUser("admin@aaa.example.com").withAssumedRole("package#aaa00.admin")
.grantingRole("package#aaa00.admin").toUser(newUser.getName()));
.byUser("customer-admin@xxx.example.com").withAssumedRole("package#xxx00.admin")
.grantingRole("package#xxx00.admin").toUser(newUser.getName()));
// when
context("aaa00@aaa.example.com", "package#aaa00.admin");
context("pac-admin-xxx00@xxx.example.com", "package#xxx00.admin");
final var revokeAttempt = attempt(em, () -> {
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
});
// then
assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull();
context("admin@aaa.example.com", "customer#aaa.admin");
context("customer-admin@xxx.example.com", "customer#xxx.admin");
assertThat(rbacGrantRepository.findAll())
.extracting(RbacGrantEntity::getGranteeUserName)
.doesNotContain("aac00@aac.example.com");
.doesNotContain("pac-admin-zzz00@zzz.example.com");
}
@Test
public void packageAdmin_canNotRevokeOwnPackageAdminRoleGrantedByOwnerRoleOfThatPackage() {
// given
final var grant = create(grant()
.byUser("admin@aaa.example.com").withAssumedRole("package#aaa00.owner")
.grantingRole("package#aaa00.admin").toUser("aac00@aac.example.com"));
final var grantedByRole = rbacRoleRepository.findByRoleName("package#aaa00.owner");
.byUser("customer-admin@xxx.example.com").withAssumedRole("package#xxx00.owner")
.grantingRole("package#xxx00.admin").toUser("pac-admin-zzz00@zzz.example.com"));
final var grantedByRole = rbacRoleRepository.findByRoleName("package#xxx00.owner");
// when
context("aaa00@aaa.example.com", "package#aaa00.admin");
context("pac-admin-xxx00@xxx.example.com", "package#xxx00.admin");
final var revokeAttempt = attempt(em, () -> {
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
});
@ -231,7 +231,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// then
revokeAttempt.assertExceptionWithRootCauseMessage(
JpaSystemException.class,
"ERROR: [403] Revoking role created by %s is forbidden for {package#aaa00.admin}.".formatted(
"ERROR: [403] Revoking role created by %s is forbidden for {package#xxx00.admin}.".formatted(
grantedByRole.getUuid()
));
}

View File

@ -50,14 +50,14 @@ class RbacRoleControllerAcceptanceTest {
.then().assertThat()
.statusCode(200)
.contentType("application/json")
.body("[0].roleName", is("customer#aaa.admin"))
.body("[1].roleName", is("customer#aaa.owner"))
.body("[2].roleName", is("customer#aaa.tenant"))
.body("[0].roleName", is("customer#xxx.admin"))
.body("[1].roleName", is("customer#xxx.owner"))
.body("[2].roleName", is("customer#xxx.tenant"))
// ...
.body("", hasItem(hasEntry("roleName", "global#hostsharing.admin")))
.body("", hasItem(hasEntry("roleName", "customer#aab.admin")))
.body("", hasItem(hasEntry("roleName", "package#aab00.admin")))
.body("", hasItem(hasEntry("roleName", "unixuser#aab00-aaaa.owner")))
.body("", hasItem(hasEntry("roleName", "customer#yyy.admin")))
.body("", hasItem(hasEntry("roleName", "package#yyy00.admin")))
.body("", hasItem(hasEntry("roleName", "unixuser#yyy00-aaaa.owner")))
.body( "size()", is(73)); // increases with new test data
// @formatter:on
}
@ -70,17 +70,19 @@ class RbacRoleControllerAcceptanceTest {
RestAssured
.given()
.header("current-user", "mike@hostsharing.net")
.header("assumed-roles", "package#aab00.admin")
.header("assumed-roles", "package#yyy00.admin")
.port(port)
.when()
.get("http://localhost/api/rbac-roles")
.then().assertThat()
.then()
.log().body()
.assertThat()
.statusCode(200)
.contentType("application/json")
.body("[0].roleName", is("customer#aab.tenant"))
.body("[1].roleName", is("package#aab00.admin"))
.body("[2].roleName", is("package#aab00.tenant"))
.body("[3].roleName", is("unixuser#aab00-aaaa.admin"))
.body("[0].roleName", is("customer#yyy.tenant"))
.body("[1].roleName", is("package#yyy00.admin"))
.body("[2].roleName", is("package#yyy00.tenant"))
.body("[3].roleName", is("unixuser#yyy00-aaaa.admin"))
.body("size()", is(7)); // increases with new test data
// @formatter:on
}
@ -92,17 +94,17 @@ class RbacRoleControllerAcceptanceTest {
// @formatter:off
RestAssured
.given()
.header("current-user", "aac00@aac.example.com")
.header("current-user", "pac-admin-zzz00@zzz.example.com")
.port(port)
.when()
.get("http://localhost/api/rbac-roles")
.then().assertThat()
.statusCode(200)
.contentType("application/json")
.body("[0].roleName", is("customer#aac.tenant"))
.body("[1].roleName", is("package#aac00.admin"))
.body("[2].roleName", is("package#aac00.tenant"))
.body("[3].roleName", is("unixuser#aac00-aaaa.admin"))
.body("[0].roleName", is("customer#zzz.tenant"))
.body("[1].roleName", is("package#zzz00.admin"))
.body("[2].roleName", is("package#zzz00.tenant"))
.body("[3].roleName", is("unixuser#zzz00-aaaa.admin"))
.body("size()", is(7)); // increases with new test data
// @formatter:on
}

View File

@ -35,18 +35,18 @@ class RbacRoleRepositoryIntegrationTest {
private static final String[] ALL_TEST_DATA_ROLES = Array.of(
// @formatter:off
"global#hostsharing.admin",
"customer#aaa.admin", "customer#aaa.owner", "customer#aaa.tenant",
"package#aaa00.admin", "package#aaa00.owner", "package#aaa00.tenant",
"package#aaa01.admin", "package#aaa01.owner", "package#aaa01.tenant",
"package#aaa02.admin", "package#aaa02.owner", "package#aaa02.tenant",
"customer#aab.admin", "customer#aab.owner", "customer#aab.tenant",
"package#aab00.admin", "package#aab00.owner", "package#aab00.tenant",
"package#aab01.admin", "package#aab01.owner", "package#aab01.tenant",
"package#aab02.admin", "package#aab02.owner", "package#aab02.tenant",
"customer#aac.admin", "customer#aac.owner", "customer#aac.tenant",
"package#aac00.admin", "package#aac00.owner", "package#aac00.tenant",
"package#aac01.admin", "package#aac01.owner", "package#aac01.tenant",
"package#aac02.admin", "package#aac02.owner", "package#aac02.tenant"
"customer#xxx.admin", "customer#xxx.owner", "customer#xxx.tenant",
"package#xxx00.admin", "package#xxx00.owner", "package#xxx00.tenant",
"package#xxx01.admin", "package#xxx01.owner", "package#xxx01.tenant",
"package#xxx02.admin", "package#xxx02.owner", "package#xxx02.tenant",
"customer#yyy.admin", "customer#yyy.owner", "customer#yyy.tenant",
"package#yyy00.admin", "package#yyy00.owner", "package#yyy00.tenant",
"package#yyy01.admin", "package#yyy01.owner", "package#yyy01.tenant",
"package#yyy02.admin", "package#yyy02.owner", "package#yyy02.tenant",
"customer#zzz.admin", "customer#zzz.owner", "customer#zzz.tenant",
"package#zzz00.admin", "package#zzz00.owner", "package#zzz00.tenant",
"package#zzz01.admin", "package#zzz01.owner", "package#zzz01.tenant",
"package#zzz02.admin", "package#zzz02.owner", "package#zzz02.tenant"
// @formatter:on
);
@ -78,7 +78,7 @@ class RbacRoleRepositoryIntegrationTest {
@Test
public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnRbacRole() {
// given:
currentUser("admin@aaa.example.com");
currentUser("customer-admin@xxx.example.com");
// when:
final var result = rbacRoleRepository.findAll();
@ -87,57 +87,57 @@ class RbacRoleRepositoryIntegrationTest {
allTheseRbacRolesAreReturned(
result,
// @formatter:off
"customer#aaa.admin",
"customer#aaa.tenant",
"package#aaa00.admin",
"package#aaa00.owner",
"package#aaa00.tenant",
"package#aaa01.admin",
"package#aaa01.owner",
"package#aaa01.tenant",
"customer#xxx.admin",
"customer#xxx.tenant",
"package#xxx00.admin",
"package#xxx00.owner",
"package#xxx00.tenant",
"package#xxx01.admin",
"package#xxx01.owner",
"package#xxx01.tenant",
// ...
"unixuser#aaa00-aaaa.admin",
"unixuser#aaa00-aaaa.owner",
"unixuser#xxx00-aaaa.admin",
"unixuser#xxx00-aaaa.owner",
// ..
"unixuser#aaa01-aaaa.admin",
"unixuser#aaa01-aaaa.owner"
"unixuser#xxx01-aaab.admin",
"unixuser#xxx01-aaab.owner"
// @formatter:on
);
noneOfTheseRbacRolesIsReturned(
result,
// @formatter:off
"global#hostsharing.admin",
"customer#aaa.owner",
"package#aab00.admin",
"package#aab00.owner",
"package#aab00.tenant"
"customer#xxx.owner",
"package#yyy00.admin",
"package#yyy00.owner",
"package#yyy00.tenant"
// @formatter:on
);
}
@Test
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnRbacRole() {
currentUser("admin@aaa.example.com");
assumedRoles("package#aaa00.admin");
currentUser("customer-admin@xxx.example.com");
assumedRoles("package#xxx00.admin");
final var result = rbacRoleRepository.findAll();
exactlyTheseRbacRolesAreReturned(
result,
"customer#aaa.tenant",
"package#aaa00.admin",
"package#aaa00.tenant",
"unixuser#aaa00-aaaa.admin",
"unixuser#aaa00-aaaa.owner",
"unixuser#aaa00-aaab.admin",
"unixuser#aaa00-aaab.owner");
"customer#xxx.tenant",
"package#xxx00.admin",
"package#xxx00.tenant",
"unixuser#xxx00-aaaa.admin",
"unixuser#xxx00-aaaa.owner",
"unixuser#xxx00-aaab.admin",
"unixuser#xxx00-aaab.owner");
}
@Test
public void customerAdmin_withAssumedAlienPackageAdminRole_cannotViewAnyRbacRole() {
// given:
currentUser("admin@aaa.example.com");
assumedRoles("package#aab00.admin");
currentUser("customer-admin@xxx.example.com");
assumedRoles("package#yyy00.admin");
// when
final var result = attempt(
@ -147,7 +147,7 @@ class RbacRoleRepositoryIntegrationTest {
// then
result.assertExceptionWithRootCauseMessage(
JpaSystemException.class,
"[403] user admin@aaa.example.com", "has no permission to assume role package#aab00#admin");
"[403] user customer-admin@xxx.example.com", "has no permission to assume role package#yyy00#admin");
}
@Test
@ -166,7 +166,7 @@ class RbacRoleRepositoryIntegrationTest {
@Test
void unknownUser_withAssumedRbacRoleRole_cannotViewAnyRbacRoles() {
currentUser("unknown@example.org");
assumedRoles("RbacRole#aaa.admin");
assumedRoles("RbacRole#xxx.admin");
final var result = attempt(
em,
@ -183,19 +183,19 @@ class RbacRoleRepositoryIntegrationTest {
@Test
void customerAdmin_withoutAssumedRole_canFindItsOwnRolesByName() {
currentUser("admin@aaa.example.com");
currentUser("customer-admin@xxx.example.com");
final var result = rbacRoleRepository.findByRoleName("customer#aaa.admin");
final var result = rbacRoleRepository.findByRoleName("customer#xxx.admin");
assertThat(result).isNotNull();
assertThat(result.getObjectTable()).isEqualTo("customer");
assertThat(result.getObjectIdName()).isEqualTo("aaa");
assertThat(result.getObjectIdName()).isEqualTo("xxx");
assertThat(result.getRoleType()).isEqualTo(RbacRoleType.admin);
}
@Test
void customerAdmin_withoutAssumedRole_canNotFindAlienRolesByName() {
currentUser("admin@aaa.example.com");
currentUser("customer-admin@xxx.example.com");
final var result = rbacRoleRepository.findByRoleName("customer#bbb.admin");

View File

@ -49,16 +49,16 @@ class RbacUserControllerAcceptanceTest {
.port(port)
.when()
.get("http://localhost/api/rbac-users")
.then().assertThat()
.then().log().body().assertThat()
.statusCode(200)
.contentType("application/json")
.body("[0].name", is("aaa00@aaa.example.com"))
.body("[1].name", is("aaa01@aaa.example.com"))
.body("[2].name", is("aaa02@aaa.example.com"))
.body("[3].name", is("aab00@aab.example.com"))
.body("[0].name", is("customer-admin@xxx.example.com"))
.body("[1].name", is("customer-admin@yyy.example.com"))
.body("[2].name", is("customer-admin@zzz.example.com"))
.body("[3].name", is("mike@hostsharing.net"))
// ...
.body("[11].name", is("admin@aac.example.com"))
.body("[12].name", is("mike@hostsharing.net"))
.body("[11].name", is("pac-admin-zzz01@zzz.example.com"))
.body("[12].name", is("pac-admin-zzz02@zzz.example.com"))
.body("[13].name", is("sven@hostsharing.net"))
.body("size()", greaterThanOrEqualTo(14));
// @formatter:on
@ -73,13 +73,13 @@ class RbacUserControllerAcceptanceTest {
.header("current-user", "mike@hostsharing.net")
.port(port)
.when()
.get("http://localhost/api/rbac-users?name=aac")
.then().assertThat()
.get("http://localhost/api/rbac-users?name=pac-admin-zzz0")
.then().log().body().assertThat()
.statusCode(200)
.contentType("application/json")
.body("[0].name", is("aac00@aac.example.com"))
.body("[1].name", is("aac01@aac.example.com"))
.body("[2].name", is("aac02@aac.example.com"))
.body("[0].name", is("pac-admin-zzz00@zzz.example.com"))
.body("[1].name", is("pac-admin-zzz01@zzz.example.com"))
.body("[2].name", is("pac-admin-zzz02@zzz.example.com"))
.body("size()", is(3));
// @formatter:on
}
@ -90,17 +90,17 @@ class RbacUserControllerAcceptanceTest {
// @formatter:off
RestAssured
.given()
.header("current-user", "admin@aab.example.com")
.header("current-user", "customer-admin@yyy.example.com")
.port(port)
.when()
.get("http://localhost/api/rbac-users")
.then().assertThat()
.statusCode(200)
.contentType("application/json")
.body("[0].name", is("aab00@aab.example.com"))
.body("[1].name", is("aab01@aab.example.com"))
.body("[2].name", is("aab02@aab.example.com"))
.body("[3].name", is("admin@aab.example.com"))
.body("[0].name", is("customer-admin@yyy.example.com"))
.body("[1].name", is("pac-admin-yyy00@yyy.example.com"))
.body("[2].name", is("pac-admin-yyy01@yyy.example.com"))
.body("[3].name", is("pac-admin-yyy02@yyy.example.com"))
.body("size()", is(4));
// @formatter:on
}
@ -111,14 +111,14 @@ class RbacUserControllerAcceptanceTest {
// @formatter:off
RestAssured
.given()
.header("current-user", "aaa01@aaa.example.com")
.header("current-user", "pac-admin-xxx01@xxx.example.com")
.port(port)
.when()
.get("http://localhost/api/rbac-users")
.then().assertThat()
.statusCode(200)
.contentType("application/json")
.body("[0].name", is("aaa01@aaa.example.com"))
.body("[0].name", is("pac-admin-xxx01@xxx.example.com"))
.body("size()", is(1));
// @formatter:on
}

View File

@ -66,7 +66,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
// when:
final var result = jpaAttempt.transacted(() -> {
context("admin@aaa.example.com");
context("customer-admin@xxx.example.com");
return rbacUserRepository.create(new RbacUserEntity(givenUuid, newUserName));
});
@ -88,12 +88,12 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
private static final String[] ALL_TEST_DATA_USERS = Array.of(
// @formatter:off
"mike@hostsharing.net", "sven@hostsharing.net",
"admin@aaa.example.com",
"aaa00@aaa.example.com", "aaa01@aaa.example.com", "aaa02@aaa.example.com",
"admin@aab.example.com",
"aab00@aab.example.com", "aab01@aab.example.com", "aab02@aab.example.com",
"admin@aac.example.com",
"aac00@aac.example.com", "aac01@aac.example.com", "aac02@aac.example.com"
"customer-admin@xxx.example.com",
"pac-admin-xxx00@xxx.example.com", "pac-admin-xxx01@xxx.example.com", "pac-admin-xxx02@xxx.example.com",
"customer-admin@yyy.example.com",
"pac-admin-yyy00@yyy.example.com", "pac-admin-yyy01@yyy.example.com", "pac-admin-yyy02@yyy.example.com",
"customer-admin@zzz.example.com",
"pac-admin-zzz00@zzz.example.com", "pac-admin-zzz01@zzz.example.com", "pac-admin-zzz02@zzz.example.com"
// @formatter:on
);
@ -124,7 +124,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
@Test
public void hostsharingAdmin_withAssumedCustomerAdminRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() {
given:
context("mike@hostsharing.net", "customer#aaa.admin");
context("mike@hostsharing.net", "customer#xxx.admin");
// when
final var result = rbacUserRepository.findByOptionalNameLike(null);
@ -132,15 +132,15 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
then:
exactlyTheseRbacUsersAreReturned(
result,
"admin@aaa.example.com",
"aaa00@aaa.example.com", "aaa01@aaa.example.com", "aaa02@aaa.example.com"
"customer-admin@xxx.example.com",
"pac-admin-xxx00@xxx.example.com", "pac-admin-xxx01@xxx.example.com", "pac-admin-xxx02@xxx.example.com"
);
}
@Test
public void customerAdmin_withoutAssumedRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() {
// given:
context("admin@aaa.example.com");
context("customer-admin@xxx.example.com");
// when:
final var result = rbacUserRepository.findByOptionalNameLike(null);
@ -148,27 +148,27 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
// then:
exactlyTheseRbacUsersAreReturned(
result,
"admin@aaa.example.com",
"aaa00@aaa.example.com", "aaa01@aaa.example.com", "aaa02@aaa.example.com"
"customer-admin@xxx.example.com",
"pac-admin-xxx00@xxx.example.com", "pac-admin-xxx01@xxx.example.com", "pac-admin-xxx02@xxx.example.com"
);
}
@Test
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyUsersHavingRolesInThatPackage() {
context("admin@aaa.example.com", "package#aaa00.admin");
context("customer-admin@xxx.example.com", "package#xxx00.admin");
final var result = rbacUserRepository.findByOptionalNameLike(null);
exactlyTheseRbacUsersAreReturned(result, "aaa00@aaa.example.com");
exactlyTheseRbacUsersAreReturned(result, "pac-admin-xxx00@xxx.example.com");
}
@Test
public void packageAdmin_withoutAssumedRole_canViewOnlyUsersHavingRolesInThatPackage() {
context("aaa00@aaa.example.com");
context("pac-admin-xxx00@xxx.example.com");
final var result = rbacUserRepository.findByOptionalNameLike(null);
exactlyTheseRbacUsersAreReturned(result, "aaa00@aaa.example.com");
exactlyTheseRbacUsersAreReturned(result, "pac-admin-xxx00@xxx.example.com");
}
}
@ -180,47 +180,47 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
// @formatter:off
"global#hostsharing.admin -> global#hostsharing: add-customer",
"customer#aaa.admin -> customer#aaa: add-package",
"customer#aaa.admin -> customer#aaa: view",
"customer#aaa.owner -> customer#aaa: *",
"customer#aaa.tenant -> customer#aaa: view",
"package#aaa00.admin -> package#aaa00: add-domain",
"package#aaa00.admin -> package#aaa00: add-unixuser",
"package#aaa00.tenant -> package#aaa00: view",
"package#aaa01.admin -> package#aaa01: add-domain",
"package#aaa01.admin -> package#aaa01: add-unixuser",
"package#aaa01.tenant -> package#aaa01: view",
"package#aaa02.admin -> package#aaa02: add-domain",
"package#aaa02.admin -> package#aaa02: add-unixuser",
"package#aaa02.tenant -> package#aaa02: view",
"customer#xxx.admin -> customer#xxx: add-package",
"customer#xxx.admin -> customer#xxx: view",
"customer#xxx.owner -> customer#xxx: *",
"customer#xxx.tenant -> customer#xxx: view",
"package#xxx00.admin -> package#xxx00: add-domain",
"package#xxx00.admin -> package#xxx00: add-unixuser",
"package#xxx00.tenant -> package#xxx00: view",
"package#xxx01.admin -> package#xxx01: add-domain",
"package#xxx01.admin -> package#xxx01: add-unixuser",
"package#xxx01.tenant -> package#xxx01: view",
"package#xxx02.admin -> package#xxx02: add-domain",
"package#xxx02.admin -> package#xxx02: add-unixuser",
"package#xxx02.tenant -> package#xxx02: view",
"customer#aab.admin -> customer#aab: add-package",
"customer#aab.admin -> customer#aab: view",
"customer#aab.owner -> customer#aab: *",
"customer#aab.tenant -> customer#aab: view",
"package#aab00.admin -> package#aab00: add-domain",
"package#aab00.admin -> package#aab00: add-unixuser",
"package#aab00.tenant -> package#aab00: view",
"package#aab01.admin -> package#aab01: add-domain",
"package#aab01.admin -> package#aab01: add-unixuser",
"package#aab01.tenant -> package#aab01: view",
"package#aab02.admin -> package#aab02: add-domain",
"package#aab02.admin -> package#aab02: add-unixuser",
"package#aab02.tenant -> package#aab02: view",
"customer#yyy.admin -> customer#yyy: add-package",
"customer#yyy.admin -> customer#yyy: view",
"customer#yyy.owner -> customer#yyy: *",
"customer#yyy.tenant -> customer#yyy: view",
"package#yyy00.admin -> package#yyy00: add-domain",
"package#yyy00.admin -> package#yyy00: add-unixuser",
"package#yyy00.tenant -> package#yyy00: view",
"package#yyy01.admin -> package#yyy01: add-domain",
"package#yyy01.admin -> package#yyy01: add-unixuser",
"package#yyy01.tenant -> package#yyy01: view",
"package#yyy02.admin -> package#yyy02: add-domain",
"package#yyy02.admin -> package#yyy02: add-unixuser",
"package#yyy02.tenant -> package#yyy02: view",
"customer#aac.admin -> customer#aac: add-package",
"customer#aac.admin -> customer#aac: view",
"customer#aac.owner -> customer#aac: *",
"customer#aac.tenant -> customer#aac: view",
"package#aac00.admin -> package#aac00: add-domain",
"package#aac00.admin -> package#aac00: add-unixuser",
"package#aac00.tenant -> package#aac00: view",
"package#aac01.admin -> package#aac01: add-domain",
"package#aac01.admin -> package#aac01: add-unixuser",
"package#aac01.tenant -> package#aac01: view",
"package#aac02.admin -> package#aac02: add-domain",
"package#aac02.admin -> package#aac02: add-unixuser",
"package#aac02.tenant -> package#aac02: view"
"customer#zzz.admin -> customer#zzz: add-package",
"customer#zzz.admin -> customer#zzz: view",
"customer#zzz.owner -> customer#zzz: *",
"customer#zzz.tenant -> customer#zzz: view",
"package#zzz00.admin -> package#zzz00: add-domain",
"package#zzz00.admin -> package#zzz00: add-unixuser",
"package#zzz00.tenant -> package#zzz00: view",
"package#zzz01.admin -> package#zzz01: add-domain",
"package#zzz01.admin -> package#zzz01: add-unixuser",
"package#zzz01.tenant -> package#zzz01: view",
"package#zzz02.admin -> package#zzz02: add-domain",
"package#zzz02.admin -> package#zzz02: add-unixuser",
"package#zzz02.tenant -> package#zzz02: view"
// @formatter:on
);
@ -255,41 +255,41 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
@Test
public void customerAdmin_withoutAssumedRole_canViewTheirOwnPermissions() {
// given
context("admin@aaa.example.com");
context("customer-admin@xxx.example.com");
// when
final var result = rbacUserRepository.findPermissionsOfUser("admin@aaa.example.com");
final var result = rbacUserRepository.findPermissionsOfUser("customer-admin@xxx.example.com");
// then
allTheseRbacPermissionsAreReturned(
result,
// @formatter:off
"customer#aaa.admin -> customer#aaa: add-package",
"customer#aaa.admin -> customer#aaa: view",
"customer#aaa.tenant -> customer#aaa: view",
"customer#xxx.admin -> customer#xxx: add-package",
"customer#xxx.admin -> customer#xxx: view",
"customer#xxx.tenant -> customer#xxx: view",
"package#aaa00.admin -> package#aaa00: add-domain",
"package#aaa00.admin -> package#aaa00: add-unixuser",
"package#aaa00.tenant -> package#aaa00: view",
"unixuser#aaa00-aaaa.owner -> unixuser#aaa00-aaaa: *",
"package#xxx00.admin -> package#xxx00: add-domain",
"package#xxx00.admin -> package#xxx00: add-unixuser",
"package#xxx00.tenant -> package#xxx00: view",
"unixuser#xxx00-aaaa.owner -> unixuser#xxx00-aaaa: *",
"package#aaa01.admin -> package#aaa01: add-domain",
"package#aaa01.admin -> package#aaa01: add-unixuser",
"package#aaa01.tenant -> package#aaa01: view",
"unixuser#aaa01-aaaa.owner -> unixuser#aaa01-aaaa: *",
"package#xxx01.admin -> package#xxx01: add-domain",
"package#xxx01.admin -> package#xxx01: add-unixuser",
"package#xxx01.tenant -> package#xxx01: view",
"unixuser#xxx01-aaaa.owner -> unixuser#xxx01-aaaa: *",
"package#aaa02.admin -> package#aaa02: add-domain",
"package#aaa02.admin -> package#aaa02: add-unixuser",
"package#aaa02.tenant -> package#aaa02: view",
"unixuser#aaa02-aaaa.owner -> unixuser#aaa02-aaaa: *"
"package#xxx02.admin -> package#xxx02: add-domain",
"package#xxx02.admin -> package#xxx02: add-unixuser",
"package#xxx02.tenant -> package#xxx02: view",
"unixuser#xxx02-aaaa.owner -> unixuser#xxx02-aaaa: *"
// @formatter:on
);
noneOfTheseRbacPermissionsAreReturned(
result,
// @formatter:off
"customer#aab.admin -> customer#aab: add-package",
"customer#aab.admin -> customer#aab: view",
"customer#aab.tenant -> customer#aab: view"
"customer#yyy.admin -> customer#yyy: add-package",
"customer#yyy.admin -> customer#yyy: view",
"customer#yyy.tenant -> customer#yyy: view"
// @formatter:on
);
}
@ -297,7 +297,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
@Test
public void customerAdmin_withoutAssumedRole_isNotAllowedToViewGlobalAdminsPermissions() {
// given
context("admin@aaa.example.com");
context("customer-admin@xxx.example.com");
// when
final var result = attempt(em, () ->
@ -307,41 +307,41 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
// then
result.assertExceptionWithRootCauseMessage(
JpaSystemException.class,
"[403] permissions of user \"mike@hostsharing.net\" are not accessible to user \"admin@aaa.example.com\"");
"[403] permissions of user \"mike@hostsharing.net\" are not accessible to user \"customer-admin@xxx.example.com\"");
}
@Test
public void customerAdmin_withoutAssumedRole_canViewAllPermissionsWithinThePacketsRealm() {
// given
context("admin@aaa.example.com");
context("customer-admin@xxx.example.com");
// when
final var result = rbacUserRepository.findPermissionsOfUser("aaa00@aaa.example.com");
final var result = rbacUserRepository.findPermissionsOfUser("pac-admin-xxx00@xxx.example.com");
// then
allTheseRbacPermissionsAreReturned(
result,
// @formatter:off
"customer#aaa.tenant -> customer#aaa: view",
// "customer#aaa.admin -> customer#aaa: view" - Not permissions through the customer admin!
"package#aaa00.admin -> package#aaa00: add-unixuser",
"package#aaa00.admin -> package#aaa00: add-domain",
"package#aaa00.tenant -> package#aaa00: view",
"unixuser#aaa00-aaaa.owner -> unixuser#aaa00-aaaa: *",
"unixuser#aaa00-aaab.owner -> unixuser#aaa00-aaab: *"
"customer#xxx.tenant -> customer#xxx: view",
// "customer#xxx.admin -> customer#xxx: view" - Not permissions through the customer admin!
"package#xxx00.admin -> package#xxx00: add-unixuser",
"package#xxx00.admin -> package#xxx00: add-domain",
"package#xxx00.tenant -> package#xxx00: view",
"unixuser#xxx00-aaaa.owner -> unixuser#xxx00-aaaa: *",
"unixuser#xxx00-aaab.owner -> unixuser#xxx00-aaab: *"
// @formatter:on
);
noneOfTheseRbacPermissionsAreReturned(
result,
// @formatter:off
"customer#aab.admin -> customer#aab: add-package",
"customer#aab.admin -> customer#aab: view",
"customer#aab.tenant -> customer#aab: view",
"package#aab00.admin -> package#aab00: add-unixuser",
"package#aab00.admin -> package#aab00: add-domain",
"package#aab00.tenant -> package#aab00: view",
"unixuser#aab00-aaaa.owner -> unixuser#aab00-aaaa: *",
"unixuser#aab00-aaab.owner -> unixuser#aab00-aaab: *"
"customer#yyy.admin -> customer#yyy: add-package",
"customer#yyy.admin -> customer#yyy: view",
"customer#yyy.tenant -> customer#yyy: view",
"package#yyy00.admin -> package#yyy00: add-unixuser",
"package#yyy00.admin -> package#yyy00: add-domain",
"package#yyy00.tenant -> package#yyy00: view",
"unixuser#yyy00-aaaa.owner -> unixuser#yyy00-aaaa: *",
"unixuser#yyy00-aaab.owner -> unixuser#yyy00-aaab: *"
// @formatter:on
);
}
@ -349,10 +349,10 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
@Test
public void customerAdmin_withoutAssumedRole_canNotViewPermissionsOfUnrelatedUsers() {
// given
context("admin@aaa.example.com");
context("customer-admin@xxx.example.com");
// when
final var result = rbacUserRepository.findPermissionsOfUser("aab00@aab.example.com");
final var result = rbacUserRepository.findPermissionsOfUser("pac-admin-yyy00@yyy.example.com");
// then
noRbacPermissionsAreReturned(result);
@ -361,36 +361,36 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
@Test
public void packetAdmin_withoutAssumedRole_canViewAllPermissionsWithinThePacketsRealm() {
// given
context("aaa00@aaa.example.com");
context("pac-admin-xxx00@xxx.example.com");
// when
final var result = rbacUserRepository.findPermissionsOfUser("aaa00@aaa.example.com");
final var result = rbacUserRepository.findPermissionsOfUser("pac-admin-xxx00@xxx.example.com");
// then
allTheseRbacPermissionsAreReturned(
result,
// @formatter:off
"customer#aaa.tenant -> customer#aaa: view",
// "customer#aaa.admin -> customer#aaa: view" - Not permissions through the customer admin!
"package#aaa00.admin -> package#aaa00: add-unixuser",
"package#aaa00.admin -> package#aaa00: add-domain",
"package#aaa00.tenant -> package#aaa00: view"
"customer#xxx.tenant -> customer#xxx: view",
// "customer#xxx.admin -> customer#xxx: view" - Not permissions through the customer admin!
"package#xxx00.admin -> package#xxx00: add-unixuser",
"package#xxx00.admin -> package#xxx00: add-domain",
"package#xxx00.tenant -> package#xxx00: view"
// @formatter:on
);
noneOfTheseRbacPermissionsAreReturned(
result,
// @formatter:off
// no customer admin permissions
"customer#aaa.admin -> customer#aaa: add-package",
"customer#xxx.admin -> customer#xxx: add-package",
// no permissions on other customer's objects
"customer#aab.admin -> customer#aab: add-package",
"customer#aab.admin -> customer#aab: view",
"customer#aab.tenant -> customer#aab: view",
"package#aab00.admin -> package#aab00: add-unixuser",
"package#aab00.admin -> package#aab00: add-domain",
"package#aab00.tenant -> package#aab00: view",
"unixuser#aab00-aaaa.owner -> unixuser#aab00-aaaa: *",
"unixuser#aab00-aaab.owner -> unixuser#aab00-aaab: *"
"customer#yyy.admin -> customer#yyy: add-package",
"customer#yyy.admin -> customer#yyy: view",
"customer#yyy.tenant -> customer#yyy: view",
"package#yyy00.admin -> package#yyy00: add-unixuser",
"package#yyy00.admin -> package#yyy00: add-domain",
"package#yyy00.tenant -> package#yyy00: view",
"unixuser#yyy00-aaaa.owner -> unixuser#yyy00-aaaa: *",
"unixuser#yyy00-xxxb.owner -> unixuser#yyy00-xxxb: *"
// @formatter:on
);
}

View File

@ -5,8 +5,8 @@ import static java.util.UUID.randomUUID;
public class TestRbacUser {
static final RbacUserEntity userAaa = rbacRole("admin@aaa.example.com");
static final RbacUserEntity userBbb = rbacRole("admin@bbb.example.com");
static final RbacUserEntity userxxx = rbacRole("customer-admin@xxx.example.com");
static final RbacUserEntity userBbb = rbacRole("customer-admin@bbb.example.com");
static public RbacUserEntity rbacRole(final String userName) {
return new RbacUserEntity(randomUUID(), userName);