use xxx, yyy and zzz for test customers, makes tests easier to read
This commit is contained in:
parent
258f8b1f66
commit
6b4c9f6c51
@ -10,7 +10,6 @@ import org.springframework.transaction.annotation.Transactional;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
import org.springframework.web.servlet.mvc.method.annotation.MvcUriComponentsBuilder;
|
||||
|
||||
import javax.persistence.EntityManager;
|
||||
import java.util.List;
|
||||
import java.util.UUID;
|
||||
|
||||
|
@ -15,48 +15,51 @@ begin
|
||||
return 10000 + customerCount;
|
||||
end; $$;
|
||||
|
||||
|
||||
/*
|
||||
Creates test data for the customer main table.
|
||||
Creates a single customer test record with dist.
|
||||
*/
|
||||
create or replace procedure createCustomerTestData(
|
||||
startCount integer, -- count of auto generated rows before the run
|
||||
endCount integer, -- count of auto generated rows after the run
|
||||
doCommitAfterEach boolean -- only for mass data creation outside of Liquibase
|
||||
custReference integer,
|
||||
custPrefix varchar
|
||||
)
|
||||
language plpgsql as $$
|
||||
declare
|
||||
currentTask varchar;
|
||||
custReference integer;
|
||||
custRowId uuid;
|
||||
custPrefix varchar;
|
||||
custAdminName varchar;
|
||||
begin
|
||||
set hsadminng.currentUser to '';
|
||||
|
||||
for t in startCount..endCount
|
||||
loop
|
||||
currentTask = 'creating RBAC test customer #' || t;
|
||||
currentTask = 'creating RBAC test customer #' || custReference || '/' || custPrefix;
|
||||
set local hsadminng.currentUser to 'mike@hostsharing.net';
|
||||
set local hsadminng.assumedRoles to 'global#hostsharing.admin';
|
||||
execute format('set local hsadminng.currentTask to %L', currentTask);
|
||||
|
||||
-- When a new customer is created,
|
||||
custReference = testCustomerReference(t);
|
||||
custRowId = uuid_generate_v4();
|
||||
custPrefix = intToVarChar(t, 3);
|
||||
custAdminName = 'admin@' || custPrefix || '.example.com';
|
||||
custAdminName = 'customer-admin@' || custPrefix || '.example.com';
|
||||
|
||||
raise notice 'creating customer %:%', custReference, custPrefix;
|
||||
insert
|
||||
into customer (reference, prefix, adminUserName)
|
||||
values (custReference, custPrefix, custAdminName);
|
||||
end; $$;
|
||||
--//
|
||||
|
||||
if doCommitAfterEach then
|
||||
/*
|
||||
Creates a range of test customers for mass data generation.
|
||||
*/
|
||||
create or replace procedure createCustomerTestData(
|
||||
startCount integer, -- count of auto generated rows before the run
|
||||
endCount integer -- count of auto generated rows after the run
|
||||
)
|
||||
language plpgsql as $$
|
||||
begin
|
||||
set hsadminng.currentUser to '';
|
||||
|
||||
for t in startCount..endCount
|
||||
loop
|
||||
call createCustomerTestData(testCustomerReference(t), intToVarChar(t, 3));
|
||||
commit;
|
||||
end if;
|
||||
|
||||
end loop;
|
||||
|
||||
end; $$;
|
||||
--//
|
||||
|
||||
@ -67,7 +70,9 @@ end; $$;
|
||||
|
||||
do language plpgsql $$
|
||||
begin
|
||||
call createCustomerTestData(0, 2, false);
|
||||
call createCustomerTestData(99901, 'xxx');
|
||||
call createCustomerTestData(99902, 'yyy');
|
||||
call createCustomerTestData(99903, 'zzz');
|
||||
end;
|
||||
$$;
|
||||
--//
|
||||
|
@ -4,12 +4,9 @@
|
||||
--changeset hs-package-TEST-DATA-GENERATOR:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
Creates test data for the package main table.
|
||||
Creates the given number of test packages for the given customer.
|
||||
*/
|
||||
create or replace procedure createPackageTestData(
|
||||
minCustomerReference integer, -- skip customers with reference below this
|
||||
doCommitAfterEach boolean -- only for mass data creation outside of Liquibase
|
||||
)
|
||||
create or replace procedure createPackageTestData(customerPrefix varchar, pacCount int)
|
||||
language plpgsql as $$
|
||||
declare
|
||||
cust customer;
|
||||
@ -19,19 +16,15 @@ declare
|
||||
currentTask varchar;
|
||||
pac package;
|
||||
begin
|
||||
set hsadminng.currentUser to '';
|
||||
select * from customer where customer.prefix = customerPrefix into cust;
|
||||
|
||||
for cust in (select * from customer)
|
||||
loop
|
||||
continue when cust.reference < minCustomerReference;
|
||||
|
||||
for t in 0..2
|
||||
for t in 0..(pacCount-1)
|
||||
loop
|
||||
pacName = cust.prefix || to_char(t, 'fm00');
|
||||
currentTask = 'creating RBAC test package #' || pacName || ' for customer ' || cust.prefix || ' #' ||
|
||||
cust.uuid;
|
||||
|
||||
custAdminUser = 'admin@' || cust.prefix || '.example.com';
|
||||
custAdminUser = 'customer-admin@' || cust.prefix || '.example.com';
|
||||
custAdminRole = 'customer#' || cust.prefix || '.admin';
|
||||
execute format('set local hsadminng.currentUser to %L', custAdminUser);
|
||||
execute format('set local hsadminng.assumedRoles to %L', custAdminRole);
|
||||
@ -46,15 +39,29 @@ begin
|
||||
call grantRoleToUser(
|
||||
getRoleId(customerAdmin(cust), 'fail'),
|
||||
findRoleId(packageAdmin(pac)),
|
||||
createRbacUser(pacName || '@' || cust.prefix || '.example.com'),
|
||||
createRbacUser('pac-admin-' || pacName || '@' || cust.prefix || '.example.com'),
|
||||
true);
|
||||
|
||||
end loop;
|
||||
end; $$;
|
||||
|
||||
/*
|
||||
Creates a range of test packages for mass data generation.
|
||||
*/
|
||||
create or replace procedure createPackageTestData()
|
||||
language plpgsql as $$
|
||||
declare
|
||||
cust customer;
|
||||
begin
|
||||
set hsadminng.currentUser to '';
|
||||
|
||||
for cust in (select * from customer)
|
||||
loop
|
||||
continue when cust.reference >= 90000; -- reserved for functional testing
|
||||
call createPackageTestData(cust.prefix, 3);
|
||||
end loop;
|
||||
|
||||
if doCommitAfterEach then
|
||||
commit;
|
||||
end if;
|
||||
end ;
|
||||
$$;
|
||||
--//
|
||||
@ -66,7 +73,9 @@ $$;
|
||||
|
||||
do language plpgsql $$
|
||||
begin
|
||||
call createPackageTestData(0, false);
|
||||
call createPackageTestData('xxx', 3);
|
||||
call createPackageTestData('yyy', 3);
|
||||
call createPackageTestData('zzz', 3);
|
||||
end;
|
||||
$$;
|
||||
--//
|
||||
|
@ -4,13 +4,42 @@
|
||||
--changeset hs-unixuser-TEST-DATA-GENERATOR:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
Creates test data for the package main table.
|
||||
Creates the given count of test unix users for a single package.
|
||||
*/
|
||||
create or replace procedure createUnixUserTestData(
|
||||
minCustomerReference integer, -- skip customers with reference below this
|
||||
unixUserPerPackage integer, -- create this many unix users for each package
|
||||
doCommitAfterEach boolean -- only for mass data creation outside of Liquibase
|
||||
)
|
||||
create or replace procedure createUnixUserTestData( packageName varchar, unixUserCount int )
|
||||
language plpgsql as $$
|
||||
declare
|
||||
pac record;
|
||||
pacAdmin varchar;
|
||||
currentTask varchar;
|
||||
begin
|
||||
set hsadminng.currentUser to '';
|
||||
|
||||
select p.uuid, p.name, c.prefix as custPrefix
|
||||
from package p
|
||||
join customer c on p.customeruuid = c.uuid
|
||||
where p.name = packageName
|
||||
into pac;
|
||||
|
||||
for t in 0..(unixUserCount-1)
|
||||
loop
|
||||
currentTask = 'creating RBAC test unixuser #' || t || ' for package ' || pac.name || ' #' || pac.uuid;
|
||||
raise notice 'task: %', currentTask;
|
||||
pacAdmin = 'pac-admin-' || pac.name || '@' || pac.custPrefix || '.example.com';
|
||||
execute format('set local hsadminng.currentTask to %L', currentTask);
|
||||
execute format('set local hsadminng.currentUser to %L', pacAdmin);
|
||||
set local hsadminng.assumedRoles = '';
|
||||
|
||||
insert
|
||||
into unixuser (name, packageUuid)
|
||||
values (pac.name || '-' || intToVarChar(t, 4), pac.uuid);
|
||||
end loop;
|
||||
end; $$;
|
||||
|
||||
/*
|
||||
Creates a range of unix users for mass data generation.
|
||||
*/
|
||||
create or replace procedure createUnixUserTestData( unixUserPerPackage integer )
|
||||
language plpgsql as $$
|
||||
declare
|
||||
pac record;
|
||||
@ -23,30 +52,13 @@ begin
|
||||
(select p.uuid, p.name
|
||||
from package p
|
||||
join customer c on p.customeruuid = c.uuid
|
||||
where c.reference >= minCustomerReference)
|
||||
where c.reference < 90000) -- reserved for functional testing
|
||||
loop
|
||||
|
||||
for t in 0..(unixUserPerPackage-1)
|
||||
loop
|
||||
currentTask = 'creating RBAC test unixuser #' || t || ' for package ' || pac.name || ' #' || pac.uuid;
|
||||
raise notice 'task: %', currentTask;
|
||||
pacAdmin = 'admin@' || pac.name || '.example.com';
|
||||
execute format('set local hsadminng.currentTask to %L', currentTask);
|
||||
execute format('set local hsadminng.currentUser to %L', pacAdmin);
|
||||
set local hsadminng.assumedRoles = '';
|
||||
|
||||
insert
|
||||
into unixuser (name, packageUuid)
|
||||
values (pac.name || '-' || intToVarChar(t, 4), pac.uuid);
|
||||
|
||||
if doCommitAfterEach then
|
||||
call createUnixUserTestData(pac.name, 2);
|
||||
commit;
|
||||
end if;
|
||||
end loop;
|
||||
end loop;
|
||||
|
||||
end;
|
||||
$$;
|
||||
end; $$;
|
||||
--//
|
||||
|
||||
|
||||
@ -56,7 +68,17 @@ $$;
|
||||
|
||||
do language plpgsql $$
|
||||
begin
|
||||
call createUnixUserTestData(0, 2, false);
|
||||
call createUnixUserTestData('xxx00', 2);
|
||||
call createUnixUserTestData('xxx01', 2);
|
||||
call createUnixUserTestData('xxx02', 2);
|
||||
|
||||
call createUnixUserTestData('yyy00', 2);
|
||||
call createUnixUserTestData('yyy01', 2);
|
||||
call createUnixUserTestData('yyy02', 2);
|
||||
|
||||
call createUnixUserTestData('zzz00', 2);
|
||||
call createUnixUserTestData('zzz01', 2);
|
||||
call createUnixUserTestData('zzz02', 2);
|
||||
end;
|
||||
$$;
|
||||
--//
|
||||
|
@ -33,12 +33,12 @@ class ContextIntegrationTests {
|
||||
@Transactional
|
||||
void assumeRoles() {
|
||||
context.setCurrentUser("mike@hostsharing.net");
|
||||
context.assumeRoles("customer#aaa.owner;customer#aab.owner");
|
||||
context.assumeRoles("customer#xxx.owner;customer#yyy.owner");
|
||||
|
||||
final var currentUser = context.getCurrentUser();
|
||||
assertThat(currentUser).isEqualTo("mike@hostsharing.net");
|
||||
|
||||
final var assumedRoles = context.getAssumedRoles();
|
||||
assertThat(assumedRoles).containsExactlyInAnyOrder("customer#aaa.owner", "customer#aab.owner");
|
||||
assertThat(assumedRoles).containsExactlyInAnyOrder("customer#xxx.owner", "customer#yyy.owner");
|
||||
}
|
||||
}
|
||||
|
@ -92,7 +92,7 @@ class CustomerControllerRestTest {
|
||||
mockMvc.perform(MockMvcRequestBuilders
|
||||
.get("/api/customers")
|
||||
.header("current-user", "mike@hostsharing.net")
|
||||
.header("assumed-roles", "admin@yyy.example.com")
|
||||
.header("assumed-roles", "customer-admin@yyy.example.com")
|
||||
.accept(MediaType.APPLICATION_JSON))
|
||||
|
||||
// then
|
||||
@ -103,7 +103,7 @@ class CustomerControllerRestTest {
|
||||
|
||||
// then
|
||||
verify(contextMock).setCurrentUser("mike@hostsharing.net");
|
||||
verify(contextMock).assumeRoles("admin@yyy.example.com");
|
||||
verify(contextMock).assumeRoles("customer-admin@yyy.example.com");
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -42,7 +42,7 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
|
||||
|
||||
final var result = attempt(em, () -> {
|
||||
final var newCustomer = new CustomerEntity(
|
||||
UUID.randomUUID(), "xxx", 90001, "admin@xxx.example.com");
|
||||
UUID.randomUUID(), "www", 90001, "customer-admin@www.example.com");
|
||||
return customerRepository.save(newCustomer);
|
||||
});
|
||||
|
||||
@ -56,37 +56,37 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
|
||||
@Test
|
||||
public void hostsharingAdmin_withAssumedCustomerRole_cannotCreateNewCustomer() {
|
||||
// given
|
||||
context("mike@hostsharing.net", "customer#aaa.admin");
|
||||
context("mike@hostsharing.net", "customer#xxx.admin");
|
||||
|
||||
// when
|
||||
final var result = attempt(em, () -> {
|
||||
final var newCustomer = new CustomerEntity(
|
||||
UUID.randomUUID(), "xxx", 90001, "admin@xxx.example.com");
|
||||
UUID.randomUUID(), "www", 90001, "customer-admin@www.example.com");
|
||||
return customerRepository.save(newCustomer);
|
||||
});
|
||||
|
||||
// then
|
||||
result.assertExceptionWithRootCauseMessage(
|
||||
PersistenceException.class,
|
||||
"add-customer not permitted for customer#aaa.admin");
|
||||
"add-customer not permitted for customer#xxx.admin");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void customerAdmin_withoutAssumedRole_cannotCreateNewCustomer() {
|
||||
// given
|
||||
context("admin@aaa.example.com", null);
|
||||
context("customer-admin@xxx.example.com", null);
|
||||
|
||||
// when
|
||||
final var result = attempt(em, () -> {
|
||||
final var newCustomer = new CustomerEntity(
|
||||
UUID.randomUUID(), "yyy", 90002, "admin@yyy.example.com");
|
||||
UUID.randomUUID(), "www", 90001, "customer-admin@www.example.com");
|
||||
return customerRepository.save(newCustomer);
|
||||
});
|
||||
|
||||
// then
|
||||
result.assertExceptionWithRootCauseMessage(
|
||||
PersistenceException.class,
|
||||
"add-customer not permitted for admin@aaa.example.com");
|
||||
"add-customer not permitted for customer-admin@xxx.example.com");
|
||||
|
||||
}
|
||||
|
||||
@ -108,7 +108,7 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
|
||||
final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
|
||||
|
||||
// then
|
||||
exactlyTheseCustomersAreReturned(result, "aaa", "aab", "aac");
|
||||
exactlyTheseCustomersAreReturned(result, "xxx", "yyy", "zzz");
|
||||
}
|
||||
|
||||
@Test
|
||||
@ -120,34 +120,34 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
|
||||
final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
|
||||
|
||||
then:
|
||||
exactlyTheseCustomersAreReturned(result, "aaa", "aab", "aac");
|
||||
exactlyTheseCustomersAreReturned(result, "xxx", "yyy", "zzz");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnCustomer() {
|
||||
// given:
|
||||
context("admin@aaa.example.com", null);
|
||||
context("customer-admin@xxx.example.com", null);
|
||||
|
||||
// when:
|
||||
final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
|
||||
|
||||
// then:
|
||||
exactlyTheseCustomersAreReturned(result, "aaa");
|
||||
exactlyTheseCustomersAreReturned(result, "xxx");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnCustomer() {
|
||||
context("admin@aaa.example.com", "package#aaa00.admin");
|
||||
context("customer-admin@xxx.example.com", "package#xxx00.admin");
|
||||
|
||||
final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
|
||||
|
||||
exactlyTheseCustomersAreReturned(result, "aaa");
|
||||
exactlyTheseCustomersAreReturned(result, "xxx");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void customerAdmin_withAssumedAlienPackageAdminRole_cannotViewAnyCustomer() {
|
||||
// given:
|
||||
context("admin@aaa.example.com", "package#aab00.admin");
|
||||
context("customer-admin@xxx.example.com", "package#yyy00.admin");
|
||||
|
||||
// when
|
||||
final var result = attempt(
|
||||
@ -157,7 +157,7 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
|
||||
// then
|
||||
result.assertExceptionWithRootCauseMessage(
|
||||
JpaSystemException.class,
|
||||
"[403] user admin@aaa.example.com", "has no permission to assume role package#aab00#admin");
|
||||
"[403] user customer-admin@xxx.example.com", "has no permission to assume role package#yyy00#admin");
|
||||
}
|
||||
|
||||
@Test
|
||||
@ -176,7 +176,7 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
|
||||
@Test
|
||||
@Transactional
|
||||
void unknownUser_withAssumedCustomerRole_cannotViewAnyCustomers() {
|
||||
context("unknown@example.org", "customer#aaa.admin");
|
||||
context("unknown@example.org", "customer#xxx.admin");
|
||||
|
||||
final var result = attempt(
|
||||
em,
|
||||
@ -198,19 +198,19 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
|
||||
context("mike@hostsharing.net", null);
|
||||
|
||||
// when
|
||||
final var result = customerRepository.findCustomerByOptionalPrefixLike("aab");
|
||||
final var result = customerRepository.findCustomerByOptionalPrefixLike("yyy");
|
||||
|
||||
// then
|
||||
exactlyTheseCustomersAreReturned(result, "aab");
|
||||
exactlyTheseCustomersAreReturned(result, "yyy");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnCustomer() {
|
||||
// given:
|
||||
context("admin@aaa.example.com", null);
|
||||
context("customer-admin@xxx.example.com", null);
|
||||
|
||||
// when:
|
||||
final var result = customerRepository.findCustomerByOptionalPrefixLike("aab");
|
||||
final var result = customerRepository.findCustomerByOptionalPrefixLike("yyy");
|
||||
|
||||
// then:
|
||||
exactlyTheseCustomersAreReturned(result);
|
||||
|
@ -44,19 +44,19 @@ class PackageControllerAcceptanceTest {
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-user", "mike@hostsharing.net")
|
||||
.header("assumed-roles", "customer#aaa.admin")
|
||||
.header("assumed-roles", "customer#xxx.admin")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/packages")
|
||||
.then().assertThat()
|
||||
.statusCode(200)
|
||||
.contentType("application/json")
|
||||
.body("[0].name", is("aaa00"))
|
||||
.body("[0].customer.reference", is(10000))
|
||||
.body("[1].name", is("aaa01"))
|
||||
.body("[1].customer.reference", is(10000))
|
||||
.body("[2].name", is("aaa02"))
|
||||
.body("[2].customer.reference", is(10000));
|
||||
.body("[0].name", is("xxx00"))
|
||||
.body("[0].customer.reference", is(99901))
|
||||
.body("[1].name", is("xxx01"))
|
||||
.body("[1].customer.reference", is(99901))
|
||||
.body("[2].name", is("xxx02"))
|
||||
.body("[2].customer.reference", is(99901));
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@ -66,15 +66,15 @@ class PackageControllerAcceptanceTest {
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-user", "mike@hostsharing.net")
|
||||
.header("assumed-roles", "customer#aaa.admin")
|
||||
.header("assumed-roles", "customer#xxx.admin")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/packages?name=aaa01")
|
||||
.get("http://localhost/api/packages?name=xxx01")
|
||||
.then().assertThat()
|
||||
.statusCode(200)
|
||||
.contentType("application/json")
|
||||
.body("[0].name", is("aaa01"))
|
||||
.body("[0].customer.reference", is(10000));
|
||||
.body("[0].name", is("xxx01"))
|
||||
.body("[0].customer.reference", is(99901));
|
||||
// @formatter:on
|
||||
}
|
||||
}
|
||||
@ -85,8 +85,8 @@ class PackageControllerAcceptanceTest {
|
||||
@Test
|
||||
void withDescriptionUpdatesDescription() {
|
||||
|
||||
assumeThat(getDescriptionOfPackage("aaa00"))
|
||||
.isEqualTo("Here can add your own description of package aaa00.");
|
||||
assumeThat(getDescriptionOfPackage("xxx00"))
|
||||
.isEqualTo("Here can add your own description of package xxx00.");
|
||||
|
||||
final var randomDescription = RandomStringUtils.randomAlphanumeric(80);
|
||||
|
||||
@ -94,7 +94,7 @@ class PackageControllerAcceptanceTest {
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-user", "mike@hostsharing.net")
|
||||
.header("assumed-roles", "customer#aaa.admin")
|
||||
.header("assumed-roles", "customer#xxx.admin")
|
||||
.contentType(ContentType.JSON)
|
||||
.body(format("""
|
||||
{
|
||||
@ -103,12 +103,12 @@ class PackageControllerAcceptanceTest {
|
||||
""", randomDescription))
|
||||
.port(port)
|
||||
.when()
|
||||
.patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("aaa00"))
|
||||
.patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("xxx00"))
|
||||
.then()
|
||||
.assertThat()
|
||||
.statusCode(200)
|
||||
.contentType("application/json")
|
||||
.body("name", is("aaa00"))
|
||||
.body("name", is("xxx00"))
|
||||
.body("description", is(randomDescription));
|
||||
// @formatter:on
|
||||
|
||||
@ -117,14 +117,14 @@ class PackageControllerAcceptanceTest {
|
||||
@Test
|
||||
void withNullDescriptionUpdatesDescriptionToNull() {
|
||||
|
||||
assumeThat(getDescriptionOfPackage("aaa01"))
|
||||
.isEqualTo("Here can add your own description of package aaa01.");
|
||||
assumeThat(getDescriptionOfPackage("xxx01"))
|
||||
.isEqualTo("Here can add your own description of package xxx01.");
|
||||
|
||||
// @formatter:off
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-user", "mike@hostsharing.net")
|
||||
.header("assumed-roles", "customer#aaa.admin")
|
||||
.header("assumed-roles", "customer#xxx.admin")
|
||||
.contentType(ContentType.JSON)
|
||||
.body("""
|
||||
{
|
||||
@ -133,12 +133,12 @@ class PackageControllerAcceptanceTest {
|
||||
""")
|
||||
.port(port)
|
||||
.when()
|
||||
.patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("aaa01"))
|
||||
.patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("xxx01"))
|
||||
.then()
|
||||
.assertThat()
|
||||
.statusCode(200)
|
||||
.contentType("application/json")
|
||||
.body("name", is("aaa01"))
|
||||
.body("name", is("xxx01"))
|
||||
.body("description", equalTo(null));
|
||||
// @formatter:on
|
||||
}
|
||||
@ -146,24 +146,24 @@ class PackageControllerAcceptanceTest {
|
||||
@Test
|
||||
void withoutDescriptionDoesNothing() {
|
||||
|
||||
assumeThat(getDescriptionOfPackage("aaa02"))
|
||||
.isEqualTo("Here can add your own description of package aaa02.");
|
||||
assumeThat(getDescriptionOfPackage("xxx02"))
|
||||
.isEqualTo("Here can add your own description of package xxx02.");
|
||||
|
||||
// @formatter:off
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-user", "mike@hostsharing.net")
|
||||
.header("assumed-roles", "customer#aaa.admin")
|
||||
.header("assumed-roles", "customer#xxx.admin")
|
||||
.contentType(ContentType.JSON)
|
||||
.body("{}")
|
||||
.port(port)
|
||||
.when()
|
||||
.patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("aaa02"))
|
||||
.patch("http://localhost/api/packages/{uuidOfPackage}", getUuidOfPackage("xxx02"))
|
||||
.then().assertThat()
|
||||
.statusCode(200)
|
||||
.contentType("application/json")
|
||||
.body("name", is("aaa02"))
|
||||
.body("description", is("Here can add your own description of package aaa02.")); // unchanged
|
||||
.body("name", is("xxx02"))
|
||||
.body("description", is("Here can add your own description of package xxx02.")); // unchanged
|
||||
// @formatter:on
|
||||
}
|
||||
}
|
||||
@ -173,7 +173,7 @@ class PackageControllerAcceptanceTest {
|
||||
return UUID.fromString(RestAssured
|
||||
.given()
|
||||
.header("current-user", "mike@hostsharing.net")
|
||||
.header("assumed-roles", "customer#aaa.admin")
|
||||
.header("assumed-roles", "customer#xxx.admin")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/packages?name={packageName}", packageName)
|
||||
@ -186,7 +186,7 @@ class PackageControllerAcceptanceTest {
|
||||
|
||||
String getDescriptionOfPackage(final String packageName) {
|
||||
context.setCurrentUser("mike@hostsharing.net");
|
||||
context.assumeRoles("customer#aaa.admin");
|
||||
context.assumeRoles("customer#xxx.admin");
|
||||
return packageRepository.findAllByOptionalNameLike(packageName).get(0).getDescription();
|
||||
}
|
||||
}
|
||||
|
@ -67,30 +67,30 @@ class PackageRepositoryIntegrationTest {
|
||||
@Test
|
||||
public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnPackages() {
|
||||
// given:
|
||||
currentUser("admin@aaa.example.com");
|
||||
currentUser("customer-admin@xxx.example.com");
|
||||
|
||||
// when:
|
||||
final var result = packageRepository.findAllByOptionalNameLike(null);
|
||||
|
||||
// then:
|
||||
exactlyThesePackagesAreReturned(result, "aaa00", "aaa01", "aaa02");
|
||||
exactlyThesePackagesAreReturned(result, "xxx00", "xxx01", "xxx02");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnPackages() {
|
||||
currentUser("admin@aaa.example.com");
|
||||
assumedRoles("package#aaa00.admin");
|
||||
currentUser("customer-admin@xxx.example.com");
|
||||
assumedRoles("package#xxx00.admin");
|
||||
|
||||
final var result = packageRepository.findAllByOptionalNameLike(null);
|
||||
|
||||
exactlyThesePackagesAreReturned(result, "aaa00");
|
||||
exactlyThesePackagesAreReturned(result, "xxx00");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void customerAdmin_withAssumedAlienPackageAdminRole_cannotViewAnyPackages() {
|
||||
// given:
|
||||
currentUser("admin@aaa.example.com");
|
||||
assumedRoles("package#aab00.admin");
|
||||
currentUser("customer-admin@xxx.example.com");
|
||||
assumedRoles("package#yyy00.admin");
|
||||
|
||||
// when
|
||||
final var result = attempt(
|
||||
@ -100,7 +100,7 @@ class PackageRepositoryIntegrationTest {
|
||||
// then
|
||||
result.assertExceptionWithRootCauseMessage(
|
||||
JpaSystemException.class,
|
||||
"[403] user admin@aaa.example.com", "has no permission to assume role package#aab00#admin");
|
||||
"[403] user customer-admin@xxx.example.com", "has no permission to assume role package#yyy00#admin");
|
||||
}
|
||||
|
||||
@Test
|
||||
@ -120,7 +120,7 @@ class PackageRepositoryIntegrationTest {
|
||||
@Transactional
|
||||
void unknownUser_withAssumedCustomerRole_cannotViewAnyPackages() {
|
||||
currentUser("unknown@example.org");
|
||||
assumedRoles("customer#aaa.admin");
|
||||
assumedRoles("customer#xxx.admin");
|
||||
|
||||
final var result = attempt(
|
||||
em,
|
||||
@ -139,17 +139,17 @@ class PackageRepositoryIntegrationTest {
|
||||
@Test
|
||||
public void supportsOptimisticLocking() throws InterruptedException {
|
||||
// given
|
||||
hostsharingAdminWithAssumedRole("package#aaa00.admin");
|
||||
hostsharingAdminWithAssumedRole("package#xxx00.admin");
|
||||
final var pac = packageRepository.findAllByOptionalNameLike("%").get(0);
|
||||
|
||||
// when
|
||||
final var result1 = jpaAttempt.transacted(() -> {
|
||||
hostsharingAdminWithAssumedRole("package#aaa00.admin");
|
||||
hostsharingAdminWithAssumedRole("package#xxx00.admin");
|
||||
pac.setDescription("description set by thread 1");
|
||||
packageRepository.save(pac);
|
||||
});
|
||||
final var result2 = jpaAttempt.transacted(() -> {
|
||||
hostsharingAdminWithAssumedRole("package#aaa00.admin");
|
||||
hostsharingAdminWithAssumedRole("package#xxx00.admin");
|
||||
pac.setDescription("description set by thread 2");
|
||||
packageRepository.save(pac);
|
||||
sleep(1500);
|
||||
|
@ -62,9 +62,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
@Accepts({ "GRT:R(Read)" })
|
||||
void customerAdmin_withAssumedPacketAdminRole_canReadPacketAdminsGrantById() {
|
||||
// given
|
||||
final var givenCurrentUserAsPackageAdmin = new Subject("admin@aaa.example.com");
|
||||
final var givenGranteeUser = findRbacUserByName("aaa00@aaa.example.com");
|
||||
final var givenGrantedRole = findRbacRoleByName("package#aaa00.admin");
|
||||
final var givenCurrentUserAsPackageAdmin = new Subject("customer-admin@xxx.example.com");
|
||||
final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
|
||||
final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin");
|
||||
|
||||
// when
|
||||
final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
|
||||
@ -73,18 +73,18 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
// then
|
||||
grant.assertThat()
|
||||
.statusCode(200)
|
||||
.body("grantedByRoleIdName", is("customer#aaa.admin"))
|
||||
.body("grantedRoleIdName", is("package#aaa00.admin"))
|
||||
.body("granteeUserName", is("aaa00@aaa.example.com"));
|
||||
.body("grantedByRoleIdName", is("customer#xxx.admin"))
|
||||
.body("grantedRoleIdName", is("package#xxx00.admin"))
|
||||
.body("granteeUserName", is("pac-admin-xxx00@xxx.example.com"));
|
||||
}
|
||||
|
||||
@Test
|
||||
@Accepts({ "GRT:R(Read)" })
|
||||
void packageAdmin_withoutAssumedRole_canReadItsOwnGrantById() {
|
||||
// given
|
||||
final var givenCurrentUserAsPackageAdmin = new Subject("aaa00@aaa.example.com");
|
||||
final var givenGranteeUser = findRbacUserByName("aaa00@aaa.example.com");
|
||||
final var givenGrantedRole = findRbacRoleByName("package#aaa00.admin");
|
||||
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com");
|
||||
final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
|
||||
final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin");
|
||||
|
||||
// when
|
||||
final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
|
||||
@ -93,18 +93,18 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
// then
|
||||
grant.assertThat()
|
||||
.statusCode(200)
|
||||
.body("grantedByRoleIdName", is("customer#aaa.admin"))
|
||||
.body("grantedRoleIdName", is("package#aaa00.admin"))
|
||||
.body("granteeUserName", is("aaa00@aaa.example.com"));
|
||||
.body("grantedByRoleIdName", is("customer#xxx.admin"))
|
||||
.body("grantedRoleIdName", is("package#xxx00.admin"))
|
||||
.body("granteeUserName", is("pac-admin-xxx00@xxx.example.com"));
|
||||
}
|
||||
|
||||
@Test
|
||||
@Accepts({ "GRT:R(Read)" })
|
||||
void packageAdmin_withAssumedUnixUserAdmin_canNotReadItsOwnGrantById() {
|
||||
// given
|
||||
final var givenCurrentUserAsPackageAdmin = new Subject("aaa00@aaa.example.com", "unixuser#aaa00-aaaa.admin");
|
||||
final var givenGranteeUser = findRbacUserByName("aaa00@aaa.example.com");
|
||||
final var givenGrantedRole = findRbacRoleByName("package#aaa00.admin");
|
||||
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", "unixuser#xxx00-xxxa.admin");
|
||||
final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
|
||||
final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin");
|
||||
|
||||
// when
|
||||
final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
|
||||
@ -125,8 +125,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
|
||||
// given
|
||||
final var givenNewUser = createRBacUser();
|
||||
final var givenRoleToGrant = "package#aaa00.admin";
|
||||
final var givenCurrentUserAsPackageAdmin = new Subject("aaa00@aaa.example.com", givenRoleToGrant);
|
||||
final var givenRoleToGrant = "package#xxx00.admin";
|
||||
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
|
||||
final var givenOwnPackageAdminRole =
|
||||
findRbacRoleByName(givenCurrentUserAsPackageAdmin.assumedRole);
|
||||
|
||||
@ -149,9 +149,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
|
||||
// given
|
||||
final var givenNewUser = createRBacUser();
|
||||
final var givenRoleToGrant = "package#aaa00.admin";
|
||||
final var givenCurrentUserAsPackageAdmin = new Subject("aaa00@aaa.example.com", givenRoleToGrant);
|
||||
final var givenAlienPackageAdminRole = findRbacRoleByName("package#aab00.admin");
|
||||
final var givenRoleToGrant = "package#xxx00.admin";
|
||||
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
|
||||
final var givenAlienPackageAdminRole = findRbacRoleByName("package#yyy00.admin");
|
||||
|
||||
// when
|
||||
final var result = givenCurrentUserAsPackageAdmin
|
||||
@ -161,7 +161,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
// then
|
||||
result.assertThat()
|
||||
.body("message", containsString("Access to granted role"))
|
||||
.body("message", containsString("forbidden for {package#aaa00.admin}"))
|
||||
.body("message", containsString("forbidden for {package#xxx00.admin}"))
|
||||
.statusCode(403);
|
||||
assertThat(findAllGrantsOf(givenCurrentUserAsPackageAdmin))
|
||||
.extracting(RbacGrantEntity::getGranteeUserName)
|
||||
@ -179,9 +179,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
|
||||
// given
|
||||
final var givenArbitraryUser = createRBacUser();
|
||||
final var givenRoleToGrant = "package#aaa00.admin";
|
||||
final var givenCurrentUserAsPackageAdmin = new Subject("aaa00@aaa.example.com", givenRoleToGrant);
|
||||
final var givenOwnPackageAdminRole = findRbacRoleByName("package#aaa00.admin");
|
||||
final var givenRoleToGrant = "package#xxx00.admin";
|
||||
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
|
||||
final var givenOwnPackageAdminRole = findRbacRoleByName("package#xxx00.admin");
|
||||
|
||||
// and given an existing grant
|
||||
assumeCreated(givenCurrentUserAsPackageAdmin
|
||||
|
@ -55,7 +55,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
||||
@Accepts({ "GRT:L(List)" })
|
||||
public void packageAdmin_canViewItsRbacGrants() {
|
||||
// given
|
||||
context("aaa00@aaa.example.com", null);
|
||||
context("pac-admin-xxx00@xxx.example.com", null);
|
||||
|
||||
// when
|
||||
final var result = rbacGrantRepository.findAll();
|
||||
@ -63,14 +63,14 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
||||
// then
|
||||
exactlyTheseRbacGrantsAreReturned(
|
||||
result,
|
||||
"{ grant assumed role package#aaa00.admin to user aaa00@aaa.example.com by role customer#aaa.admin }");
|
||||
"{ grant assumed role package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role customer#xxx.admin }");
|
||||
}
|
||||
|
||||
@Test
|
||||
@Accepts({ "GRT:L(List)" })
|
||||
public void customerAdmin_canViewItsRbacGrants() {
|
||||
// given
|
||||
context("admin@aaa.example.com", null);
|
||||
context("customer-admin@xxx.example.com", null);
|
||||
|
||||
// when
|
||||
final var result = rbacGrantRepository.findAll();
|
||||
@ -78,17 +78,17 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
||||
// then
|
||||
exactlyTheseRbacGrantsAreReturned(
|
||||
result,
|
||||
"{ grant assumed role customer#aaa.admin to user admin@aaa.example.com by role global#hostsharing.admin }",
|
||||
"{ grant assumed role package#aaa00.admin to user aaa00@aaa.example.com by role customer#aaa.admin }",
|
||||
"{ grant assumed role package#aaa01.admin to user aaa01@aaa.example.com by role customer#aaa.admin }",
|
||||
"{ grant assumed role package#aaa02.admin to user aaa02@aaa.example.com by role customer#aaa.admin }");
|
||||
"{ grant assumed role customer#xxx.admin to user customer-admin@xxx.example.com by role global#hostsharing.admin }",
|
||||
"{ grant assumed role package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role customer#xxx.admin }",
|
||||
"{ grant assumed role package#xxx01.admin to user pac-admin-xxx01@xxx.example.com by role customer#xxx.admin }",
|
||||
"{ grant assumed role package#xxx02.admin to user pac-admin-xxx02@xxx.example.com by role customer#xxx.admin }");
|
||||
}
|
||||
|
||||
@Test
|
||||
@Accepts({ "GRT:L(List)" })
|
||||
public void customerAdmin_withAssumedRole_canOnlyViewRbacGrantsVisibleByAssumedRole() {
|
||||
// given:
|
||||
context("admin@aaa.example.com", "package#aaa00.admin");
|
||||
context("customer-admin@xxx.example.com", "package#xxx00.admin");
|
||||
|
||||
// when
|
||||
final var result = rbacGrantRepository.findAll();
|
||||
@ -96,7 +96,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
||||
// then
|
||||
exactlyTheseRbacGrantsAreReturned(
|
||||
result,
|
||||
"{ grant assumed role package#aaa00.admin to user aaa00@aaa.example.com by role customer#aaa.admin }");
|
||||
"{ grant assumed role package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role customer#xxx.admin }");
|
||||
}
|
||||
}
|
||||
|
||||
@ -106,9 +106,9 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
||||
@Test
|
||||
public void customerAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() {
|
||||
// given
|
||||
context("admin@aaa.example.com", "customer#aaa.admin");
|
||||
final var givenArbitraryUserUuid = rbacUserRepository.findByName("aac00@aac.example.com").getUuid();
|
||||
final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("package#aaa00.admin").getUuid();
|
||||
context("customer-admin@xxx.example.com", "customer#xxx.admin");
|
||||
final var givenArbitraryUserUuid = rbacUserRepository.findByName("pac-admin-zzz00@zzz.example.com").getUuid();
|
||||
final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("package#xxx00.admin").getUuid();
|
||||
|
||||
// when
|
||||
final var grant = RbacGrantEntity.builder()
|
||||
@ -124,7 +124,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
||||
assertThat(rbacGrantRepository.findAll())
|
||||
.extracting(RbacGrantEntity::toDisplay)
|
||||
.contains(
|
||||
"{ grant assumed role package#aaa00.admin to user aac00@aac.example.com by role customer#aaa.admin }");
|
||||
"{ grant assumed role package#xxx00.admin to user pac-admin-zzz00@zzz.example.com by role customer#xxx.admin }");
|
||||
}
|
||||
|
||||
@Test
|
||||
@ -134,17 +134,17 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
||||
record Given(RbacUserEntity arbitraryUser, UUID packageOwnerRoleUuid) {}
|
||||
final var given = jpaAttempt.transacted(() -> {
|
||||
// to find the uuids of we need to have access rights to these
|
||||
context("admin@aaa.example.com", null);
|
||||
context("customer-admin@xxx.example.com", null);
|
||||
return new Given(
|
||||
createNewUser(),
|
||||
rbacRoleRepository.findByRoleName("package#aaa00.owner").getUuid()
|
||||
rbacRoleRepository.findByRoleName("package#xxx00.owner").getUuid()
|
||||
);
|
||||
}).assumeSuccessful().returnedValue();
|
||||
|
||||
// when
|
||||
final var attempt = jpaAttempt.transacted(() -> {
|
||||
// now we try to use these uuids as a less privileged user
|
||||
context("aaa00@aaa.example.com", "package#aaa00.admin");
|
||||
context("pac-admin-xxx00@xxx.example.com", "package#xxx00.admin");
|
||||
final var grant = RbacGrantEntity.builder()
|
||||
.granteeUserUuid(given.arbitraryUser.getUuid())
|
||||
.grantedRoleUuid(given.packageOwnerRoleUuid)
|
||||
@ -157,7 +157,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
||||
attempt.assertExceptionWithRootCauseMessage(
|
||||
JpaSystemException.class,
|
||||
"ERROR: [403] Access to granted role " + given.packageOwnerRoleUuid
|
||||
+ " forbidden for {package#aaa00.admin}");
|
||||
+ " forbidden for {package#xxx00.admin}");
|
||||
jpaAttempt.transacted(() -> {
|
||||
// finally, we use the new user to make sure, no roles were granted
|
||||
context(given.arbitraryUser.getName(), null);
|
||||
@ -175,21 +175,21 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
||||
public void customerAdmin_canRevokeSelfGrantedPackageAdminRole() {
|
||||
// given
|
||||
final var grant = create(grant()
|
||||
.byUser("admin@aaa.example.com").withAssumedRole("customer#aaa.admin")
|
||||
.grantingRole("package#aaa00.admin").toUser("aac00@aac.example.com"));
|
||||
.byUser("customer-admin@xxx.example.com").withAssumedRole("customer#xxx.admin")
|
||||
.grantingRole("package#xxx00.admin").toUser("pac-admin-zzz00@zzz.example.com"));
|
||||
|
||||
// when
|
||||
context("admin@aaa.example.com", "customer#aaa.admin");
|
||||
context("customer-admin@xxx.example.com", "customer#xxx.admin");
|
||||
final var revokeAttempt = attempt(em, () -> {
|
||||
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
|
||||
});
|
||||
|
||||
// then
|
||||
context("admin@aaa.example.com", "customer#aaa.admin");
|
||||
context("customer-admin@xxx.example.com", "customer#xxx.admin");
|
||||
assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull();
|
||||
assertThat(rbacGrantRepository.findAll())
|
||||
.extracting(RbacGrantEntity::getGranteeUserName)
|
||||
.doesNotContain("aac00@aac.example.com");
|
||||
.doesNotContain("pac-admin-zzz00@zzz.example.com");
|
||||
}
|
||||
|
||||
@Test
|
||||
@ -197,33 +197,33 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
||||
// given
|
||||
final var newUser = createNewUserTransacted();
|
||||
final var grant = create(grant()
|
||||
.byUser("admin@aaa.example.com").withAssumedRole("package#aaa00.admin")
|
||||
.grantingRole("package#aaa00.admin").toUser(newUser.getName()));
|
||||
.byUser("customer-admin@xxx.example.com").withAssumedRole("package#xxx00.admin")
|
||||
.grantingRole("package#xxx00.admin").toUser(newUser.getName()));
|
||||
|
||||
// when
|
||||
context("aaa00@aaa.example.com", "package#aaa00.admin");
|
||||
context("pac-admin-xxx00@xxx.example.com", "package#xxx00.admin");
|
||||
final var revokeAttempt = attempt(em, () -> {
|
||||
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
|
||||
});
|
||||
|
||||
// then
|
||||
assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull();
|
||||
context("admin@aaa.example.com", "customer#aaa.admin");
|
||||
context("customer-admin@xxx.example.com", "customer#xxx.admin");
|
||||
assertThat(rbacGrantRepository.findAll())
|
||||
.extracting(RbacGrantEntity::getGranteeUserName)
|
||||
.doesNotContain("aac00@aac.example.com");
|
||||
.doesNotContain("pac-admin-zzz00@zzz.example.com");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void packageAdmin_canNotRevokeOwnPackageAdminRoleGrantedByOwnerRoleOfThatPackage() {
|
||||
// given
|
||||
final var grant = create(grant()
|
||||
.byUser("admin@aaa.example.com").withAssumedRole("package#aaa00.owner")
|
||||
.grantingRole("package#aaa00.admin").toUser("aac00@aac.example.com"));
|
||||
final var grantedByRole = rbacRoleRepository.findByRoleName("package#aaa00.owner");
|
||||
.byUser("customer-admin@xxx.example.com").withAssumedRole("package#xxx00.owner")
|
||||
.grantingRole("package#xxx00.admin").toUser("pac-admin-zzz00@zzz.example.com"));
|
||||
final var grantedByRole = rbacRoleRepository.findByRoleName("package#xxx00.owner");
|
||||
|
||||
// when
|
||||
context("aaa00@aaa.example.com", "package#aaa00.admin");
|
||||
context("pac-admin-xxx00@xxx.example.com", "package#xxx00.admin");
|
||||
final var revokeAttempt = attempt(em, () -> {
|
||||
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
|
||||
});
|
||||
@ -231,7 +231,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
||||
// then
|
||||
revokeAttempt.assertExceptionWithRootCauseMessage(
|
||||
JpaSystemException.class,
|
||||
"ERROR: [403] Revoking role created by %s is forbidden for {package#aaa00.admin}.".formatted(
|
||||
"ERROR: [403] Revoking role created by %s is forbidden for {package#xxx00.admin}.".formatted(
|
||||
grantedByRole.getUuid()
|
||||
));
|
||||
}
|
||||
|
@ -50,14 +50,14 @@ class RbacRoleControllerAcceptanceTest {
|
||||
.then().assertThat()
|
||||
.statusCode(200)
|
||||
.contentType("application/json")
|
||||
.body("[0].roleName", is("customer#aaa.admin"))
|
||||
.body("[1].roleName", is("customer#aaa.owner"))
|
||||
.body("[2].roleName", is("customer#aaa.tenant"))
|
||||
.body("[0].roleName", is("customer#xxx.admin"))
|
||||
.body("[1].roleName", is("customer#xxx.owner"))
|
||||
.body("[2].roleName", is("customer#xxx.tenant"))
|
||||
// ...
|
||||
.body("", hasItem(hasEntry("roleName", "global#hostsharing.admin")))
|
||||
.body("", hasItem(hasEntry("roleName", "customer#aab.admin")))
|
||||
.body("", hasItem(hasEntry("roleName", "package#aab00.admin")))
|
||||
.body("", hasItem(hasEntry("roleName", "unixuser#aab00-aaaa.owner")))
|
||||
.body("", hasItem(hasEntry("roleName", "customer#yyy.admin")))
|
||||
.body("", hasItem(hasEntry("roleName", "package#yyy00.admin")))
|
||||
.body("", hasItem(hasEntry("roleName", "unixuser#yyy00-aaaa.owner")))
|
||||
.body( "size()", is(73)); // increases with new test data
|
||||
// @formatter:on
|
||||
}
|
||||
@ -70,17 +70,19 @@ class RbacRoleControllerAcceptanceTest {
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-user", "mike@hostsharing.net")
|
||||
.header("assumed-roles", "package#aab00.admin")
|
||||
.header("assumed-roles", "package#yyy00.admin")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/rbac-roles")
|
||||
.then().assertThat()
|
||||
.then()
|
||||
.log().body()
|
||||
.assertThat()
|
||||
.statusCode(200)
|
||||
.contentType("application/json")
|
||||
.body("[0].roleName", is("customer#aab.tenant"))
|
||||
.body("[1].roleName", is("package#aab00.admin"))
|
||||
.body("[2].roleName", is("package#aab00.tenant"))
|
||||
.body("[3].roleName", is("unixuser#aab00-aaaa.admin"))
|
||||
.body("[0].roleName", is("customer#yyy.tenant"))
|
||||
.body("[1].roleName", is("package#yyy00.admin"))
|
||||
.body("[2].roleName", is("package#yyy00.tenant"))
|
||||
.body("[3].roleName", is("unixuser#yyy00-aaaa.admin"))
|
||||
.body("size()", is(7)); // increases with new test data
|
||||
// @formatter:on
|
||||
}
|
||||
@ -92,17 +94,17 @@ class RbacRoleControllerAcceptanceTest {
|
||||
// @formatter:off
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-user", "aac00@aac.example.com")
|
||||
.header("current-user", "pac-admin-zzz00@zzz.example.com")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/rbac-roles")
|
||||
.then().assertThat()
|
||||
.statusCode(200)
|
||||
.contentType("application/json")
|
||||
.body("[0].roleName", is("customer#aac.tenant"))
|
||||
.body("[1].roleName", is("package#aac00.admin"))
|
||||
.body("[2].roleName", is("package#aac00.tenant"))
|
||||
.body("[3].roleName", is("unixuser#aac00-aaaa.admin"))
|
||||
.body("[0].roleName", is("customer#zzz.tenant"))
|
||||
.body("[1].roleName", is("package#zzz00.admin"))
|
||||
.body("[2].roleName", is("package#zzz00.tenant"))
|
||||
.body("[3].roleName", is("unixuser#zzz00-aaaa.admin"))
|
||||
.body("size()", is(7)); // increases with new test data
|
||||
// @formatter:on
|
||||
}
|
||||
|
@ -35,18 +35,18 @@ class RbacRoleRepositoryIntegrationTest {
|
||||
private static final String[] ALL_TEST_DATA_ROLES = Array.of(
|
||||
// @formatter:off
|
||||
"global#hostsharing.admin",
|
||||
"customer#aaa.admin", "customer#aaa.owner", "customer#aaa.tenant",
|
||||
"package#aaa00.admin", "package#aaa00.owner", "package#aaa00.tenant",
|
||||
"package#aaa01.admin", "package#aaa01.owner", "package#aaa01.tenant",
|
||||
"package#aaa02.admin", "package#aaa02.owner", "package#aaa02.tenant",
|
||||
"customer#aab.admin", "customer#aab.owner", "customer#aab.tenant",
|
||||
"package#aab00.admin", "package#aab00.owner", "package#aab00.tenant",
|
||||
"package#aab01.admin", "package#aab01.owner", "package#aab01.tenant",
|
||||
"package#aab02.admin", "package#aab02.owner", "package#aab02.tenant",
|
||||
"customer#aac.admin", "customer#aac.owner", "customer#aac.tenant",
|
||||
"package#aac00.admin", "package#aac00.owner", "package#aac00.tenant",
|
||||
"package#aac01.admin", "package#aac01.owner", "package#aac01.tenant",
|
||||
"package#aac02.admin", "package#aac02.owner", "package#aac02.tenant"
|
||||
"customer#xxx.admin", "customer#xxx.owner", "customer#xxx.tenant",
|
||||
"package#xxx00.admin", "package#xxx00.owner", "package#xxx00.tenant",
|
||||
"package#xxx01.admin", "package#xxx01.owner", "package#xxx01.tenant",
|
||||
"package#xxx02.admin", "package#xxx02.owner", "package#xxx02.tenant",
|
||||
"customer#yyy.admin", "customer#yyy.owner", "customer#yyy.tenant",
|
||||
"package#yyy00.admin", "package#yyy00.owner", "package#yyy00.tenant",
|
||||
"package#yyy01.admin", "package#yyy01.owner", "package#yyy01.tenant",
|
||||
"package#yyy02.admin", "package#yyy02.owner", "package#yyy02.tenant",
|
||||
"customer#zzz.admin", "customer#zzz.owner", "customer#zzz.tenant",
|
||||
"package#zzz00.admin", "package#zzz00.owner", "package#zzz00.tenant",
|
||||
"package#zzz01.admin", "package#zzz01.owner", "package#zzz01.tenant",
|
||||
"package#zzz02.admin", "package#zzz02.owner", "package#zzz02.tenant"
|
||||
// @formatter:on
|
||||
);
|
||||
|
||||
@ -78,7 +78,7 @@ class RbacRoleRepositoryIntegrationTest {
|
||||
@Test
|
||||
public void customerAdmin_withoutAssumedRole_canViewOnlyItsOwnRbacRole() {
|
||||
// given:
|
||||
currentUser("admin@aaa.example.com");
|
||||
currentUser("customer-admin@xxx.example.com");
|
||||
|
||||
// when:
|
||||
final var result = rbacRoleRepository.findAll();
|
||||
@ -87,57 +87,57 @@ class RbacRoleRepositoryIntegrationTest {
|
||||
allTheseRbacRolesAreReturned(
|
||||
result,
|
||||
// @formatter:off
|
||||
"customer#aaa.admin",
|
||||
"customer#aaa.tenant",
|
||||
"package#aaa00.admin",
|
||||
"package#aaa00.owner",
|
||||
"package#aaa00.tenant",
|
||||
"package#aaa01.admin",
|
||||
"package#aaa01.owner",
|
||||
"package#aaa01.tenant",
|
||||
"customer#xxx.admin",
|
||||
"customer#xxx.tenant",
|
||||
"package#xxx00.admin",
|
||||
"package#xxx00.owner",
|
||||
"package#xxx00.tenant",
|
||||
"package#xxx01.admin",
|
||||
"package#xxx01.owner",
|
||||
"package#xxx01.tenant",
|
||||
// ...
|
||||
"unixuser#aaa00-aaaa.admin",
|
||||
"unixuser#aaa00-aaaa.owner",
|
||||
"unixuser#xxx00-aaaa.admin",
|
||||
"unixuser#xxx00-aaaa.owner",
|
||||
// ..
|
||||
"unixuser#aaa01-aaaa.admin",
|
||||
"unixuser#aaa01-aaaa.owner"
|
||||
"unixuser#xxx01-aaab.admin",
|
||||
"unixuser#xxx01-aaab.owner"
|
||||
// @formatter:on
|
||||
);
|
||||
noneOfTheseRbacRolesIsReturned(
|
||||
result,
|
||||
// @formatter:off
|
||||
"global#hostsharing.admin",
|
||||
"customer#aaa.owner",
|
||||
"package#aab00.admin",
|
||||
"package#aab00.owner",
|
||||
"package#aab00.tenant"
|
||||
"customer#xxx.owner",
|
||||
"package#yyy00.admin",
|
||||
"package#yyy00.owner",
|
||||
"package#yyy00.tenant"
|
||||
// @formatter:on
|
||||
);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnRbacRole() {
|
||||
currentUser("admin@aaa.example.com");
|
||||
assumedRoles("package#aaa00.admin");
|
||||
currentUser("customer-admin@xxx.example.com");
|
||||
assumedRoles("package#xxx00.admin");
|
||||
|
||||
final var result = rbacRoleRepository.findAll();
|
||||
|
||||
exactlyTheseRbacRolesAreReturned(
|
||||
result,
|
||||
"customer#aaa.tenant",
|
||||
"package#aaa00.admin",
|
||||
"package#aaa00.tenant",
|
||||
"unixuser#aaa00-aaaa.admin",
|
||||
"unixuser#aaa00-aaaa.owner",
|
||||
"unixuser#aaa00-aaab.admin",
|
||||
"unixuser#aaa00-aaab.owner");
|
||||
"customer#xxx.tenant",
|
||||
"package#xxx00.admin",
|
||||
"package#xxx00.tenant",
|
||||
"unixuser#xxx00-aaaa.admin",
|
||||
"unixuser#xxx00-aaaa.owner",
|
||||
"unixuser#xxx00-aaab.admin",
|
||||
"unixuser#xxx00-aaab.owner");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void customerAdmin_withAssumedAlienPackageAdminRole_cannotViewAnyRbacRole() {
|
||||
// given:
|
||||
currentUser("admin@aaa.example.com");
|
||||
assumedRoles("package#aab00.admin");
|
||||
currentUser("customer-admin@xxx.example.com");
|
||||
assumedRoles("package#yyy00.admin");
|
||||
|
||||
// when
|
||||
final var result = attempt(
|
||||
@ -147,7 +147,7 @@ class RbacRoleRepositoryIntegrationTest {
|
||||
// then
|
||||
result.assertExceptionWithRootCauseMessage(
|
||||
JpaSystemException.class,
|
||||
"[403] user admin@aaa.example.com", "has no permission to assume role package#aab00#admin");
|
||||
"[403] user customer-admin@xxx.example.com", "has no permission to assume role package#yyy00#admin");
|
||||
}
|
||||
|
||||
@Test
|
||||
@ -166,7 +166,7 @@ class RbacRoleRepositoryIntegrationTest {
|
||||
@Test
|
||||
void unknownUser_withAssumedRbacRoleRole_cannotViewAnyRbacRoles() {
|
||||
currentUser("unknown@example.org");
|
||||
assumedRoles("RbacRole#aaa.admin");
|
||||
assumedRoles("RbacRole#xxx.admin");
|
||||
|
||||
final var result = attempt(
|
||||
em,
|
||||
@ -183,19 +183,19 @@ class RbacRoleRepositoryIntegrationTest {
|
||||
|
||||
@Test
|
||||
void customerAdmin_withoutAssumedRole_canFindItsOwnRolesByName() {
|
||||
currentUser("admin@aaa.example.com");
|
||||
currentUser("customer-admin@xxx.example.com");
|
||||
|
||||
final var result = rbacRoleRepository.findByRoleName("customer#aaa.admin");
|
||||
final var result = rbacRoleRepository.findByRoleName("customer#xxx.admin");
|
||||
|
||||
assertThat(result).isNotNull();
|
||||
assertThat(result.getObjectTable()).isEqualTo("customer");
|
||||
assertThat(result.getObjectIdName()).isEqualTo("aaa");
|
||||
assertThat(result.getObjectIdName()).isEqualTo("xxx");
|
||||
assertThat(result.getRoleType()).isEqualTo(RbacRoleType.admin);
|
||||
}
|
||||
|
||||
@Test
|
||||
void customerAdmin_withoutAssumedRole_canNotFindAlienRolesByName() {
|
||||
currentUser("admin@aaa.example.com");
|
||||
currentUser("customer-admin@xxx.example.com");
|
||||
|
||||
final var result = rbacRoleRepository.findByRoleName("customer#bbb.admin");
|
||||
|
||||
|
@ -49,16 +49,16 @@ class RbacUserControllerAcceptanceTest {
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/rbac-users")
|
||||
.then().assertThat()
|
||||
.then().log().body().assertThat()
|
||||
.statusCode(200)
|
||||
.contentType("application/json")
|
||||
.body("[0].name", is("aaa00@aaa.example.com"))
|
||||
.body("[1].name", is("aaa01@aaa.example.com"))
|
||||
.body("[2].name", is("aaa02@aaa.example.com"))
|
||||
.body("[3].name", is("aab00@aab.example.com"))
|
||||
.body("[0].name", is("customer-admin@xxx.example.com"))
|
||||
.body("[1].name", is("customer-admin@yyy.example.com"))
|
||||
.body("[2].name", is("customer-admin@zzz.example.com"))
|
||||
.body("[3].name", is("mike@hostsharing.net"))
|
||||
// ...
|
||||
.body("[11].name", is("admin@aac.example.com"))
|
||||
.body("[12].name", is("mike@hostsharing.net"))
|
||||
.body("[11].name", is("pac-admin-zzz01@zzz.example.com"))
|
||||
.body("[12].name", is("pac-admin-zzz02@zzz.example.com"))
|
||||
.body("[13].name", is("sven@hostsharing.net"))
|
||||
.body("size()", greaterThanOrEqualTo(14));
|
||||
// @formatter:on
|
||||
@ -73,13 +73,13 @@ class RbacUserControllerAcceptanceTest {
|
||||
.header("current-user", "mike@hostsharing.net")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/rbac-users?name=aac")
|
||||
.then().assertThat()
|
||||
.get("http://localhost/api/rbac-users?name=pac-admin-zzz0")
|
||||
.then().log().body().assertThat()
|
||||
.statusCode(200)
|
||||
.contentType("application/json")
|
||||
.body("[0].name", is("aac00@aac.example.com"))
|
||||
.body("[1].name", is("aac01@aac.example.com"))
|
||||
.body("[2].name", is("aac02@aac.example.com"))
|
||||
.body("[0].name", is("pac-admin-zzz00@zzz.example.com"))
|
||||
.body("[1].name", is("pac-admin-zzz01@zzz.example.com"))
|
||||
.body("[2].name", is("pac-admin-zzz02@zzz.example.com"))
|
||||
.body("size()", is(3));
|
||||
// @formatter:on
|
||||
}
|
||||
@ -90,17 +90,17 @@ class RbacUserControllerAcceptanceTest {
|
||||
// @formatter:off
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-user", "admin@aab.example.com")
|
||||
.header("current-user", "customer-admin@yyy.example.com")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/rbac-users")
|
||||
.then().assertThat()
|
||||
.statusCode(200)
|
||||
.contentType("application/json")
|
||||
.body("[0].name", is("aab00@aab.example.com"))
|
||||
.body("[1].name", is("aab01@aab.example.com"))
|
||||
.body("[2].name", is("aab02@aab.example.com"))
|
||||
.body("[3].name", is("admin@aab.example.com"))
|
||||
.body("[0].name", is("customer-admin@yyy.example.com"))
|
||||
.body("[1].name", is("pac-admin-yyy00@yyy.example.com"))
|
||||
.body("[2].name", is("pac-admin-yyy01@yyy.example.com"))
|
||||
.body("[3].name", is("pac-admin-yyy02@yyy.example.com"))
|
||||
.body("size()", is(4));
|
||||
// @formatter:on
|
||||
}
|
||||
@ -111,14 +111,14 @@ class RbacUserControllerAcceptanceTest {
|
||||
// @formatter:off
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-user", "aaa01@aaa.example.com")
|
||||
.header("current-user", "pac-admin-xxx01@xxx.example.com")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/rbac-users")
|
||||
.then().assertThat()
|
||||
.statusCode(200)
|
||||
.contentType("application/json")
|
||||
.body("[0].name", is("aaa01@aaa.example.com"))
|
||||
.body("[0].name", is("pac-admin-xxx01@xxx.example.com"))
|
||||
.body("size()", is(1));
|
||||
// @formatter:on
|
||||
}
|
||||
|
@ -66,7 +66,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
|
||||
// when:
|
||||
final var result = jpaAttempt.transacted(() -> {
|
||||
context("admin@aaa.example.com");
|
||||
context("customer-admin@xxx.example.com");
|
||||
return rbacUserRepository.create(new RbacUserEntity(givenUuid, newUserName));
|
||||
});
|
||||
|
||||
@ -88,12 +88,12 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
private static final String[] ALL_TEST_DATA_USERS = Array.of(
|
||||
// @formatter:off
|
||||
"mike@hostsharing.net", "sven@hostsharing.net",
|
||||
"admin@aaa.example.com",
|
||||
"aaa00@aaa.example.com", "aaa01@aaa.example.com", "aaa02@aaa.example.com",
|
||||
"admin@aab.example.com",
|
||||
"aab00@aab.example.com", "aab01@aab.example.com", "aab02@aab.example.com",
|
||||
"admin@aac.example.com",
|
||||
"aac00@aac.example.com", "aac01@aac.example.com", "aac02@aac.example.com"
|
||||
"customer-admin@xxx.example.com",
|
||||
"pac-admin-xxx00@xxx.example.com", "pac-admin-xxx01@xxx.example.com", "pac-admin-xxx02@xxx.example.com",
|
||||
"customer-admin@yyy.example.com",
|
||||
"pac-admin-yyy00@yyy.example.com", "pac-admin-yyy01@yyy.example.com", "pac-admin-yyy02@yyy.example.com",
|
||||
"customer-admin@zzz.example.com",
|
||||
"pac-admin-zzz00@zzz.example.com", "pac-admin-zzz01@zzz.example.com", "pac-admin-zzz02@zzz.example.com"
|
||||
// @formatter:on
|
||||
);
|
||||
|
||||
@ -124,7 +124,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
@Test
|
||||
public void hostsharingAdmin_withAssumedCustomerAdminRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() {
|
||||
given:
|
||||
context("mike@hostsharing.net", "customer#aaa.admin");
|
||||
context("mike@hostsharing.net", "customer#xxx.admin");
|
||||
|
||||
// when
|
||||
final var result = rbacUserRepository.findByOptionalNameLike(null);
|
||||
@ -132,15 +132,15 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
then:
|
||||
exactlyTheseRbacUsersAreReturned(
|
||||
result,
|
||||
"admin@aaa.example.com",
|
||||
"aaa00@aaa.example.com", "aaa01@aaa.example.com", "aaa02@aaa.example.com"
|
||||
"customer-admin@xxx.example.com",
|
||||
"pac-admin-xxx00@xxx.example.com", "pac-admin-xxx01@xxx.example.com", "pac-admin-xxx02@xxx.example.com"
|
||||
);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void customerAdmin_withoutAssumedRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() {
|
||||
// given:
|
||||
context("admin@aaa.example.com");
|
||||
context("customer-admin@xxx.example.com");
|
||||
|
||||
// when:
|
||||
final var result = rbacUserRepository.findByOptionalNameLike(null);
|
||||
@ -148,27 +148,27 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
// then:
|
||||
exactlyTheseRbacUsersAreReturned(
|
||||
result,
|
||||
"admin@aaa.example.com",
|
||||
"aaa00@aaa.example.com", "aaa01@aaa.example.com", "aaa02@aaa.example.com"
|
||||
"customer-admin@xxx.example.com",
|
||||
"pac-admin-xxx00@xxx.example.com", "pac-admin-xxx01@xxx.example.com", "pac-admin-xxx02@xxx.example.com"
|
||||
);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyUsersHavingRolesInThatPackage() {
|
||||
context("admin@aaa.example.com", "package#aaa00.admin");
|
||||
context("customer-admin@xxx.example.com", "package#xxx00.admin");
|
||||
|
||||
final var result = rbacUserRepository.findByOptionalNameLike(null);
|
||||
|
||||
exactlyTheseRbacUsersAreReturned(result, "aaa00@aaa.example.com");
|
||||
exactlyTheseRbacUsersAreReturned(result, "pac-admin-xxx00@xxx.example.com");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void packageAdmin_withoutAssumedRole_canViewOnlyUsersHavingRolesInThatPackage() {
|
||||
context("aaa00@aaa.example.com");
|
||||
context("pac-admin-xxx00@xxx.example.com");
|
||||
|
||||
final var result = rbacUserRepository.findByOptionalNameLike(null);
|
||||
|
||||
exactlyTheseRbacUsersAreReturned(result, "aaa00@aaa.example.com");
|
||||
exactlyTheseRbacUsersAreReturned(result, "pac-admin-xxx00@xxx.example.com");
|
||||
}
|
||||
|
||||
}
|
||||
@ -180,47 +180,47 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
// @formatter:off
|
||||
"global#hostsharing.admin -> global#hostsharing: add-customer",
|
||||
|
||||
"customer#aaa.admin -> customer#aaa: add-package",
|
||||
"customer#aaa.admin -> customer#aaa: view",
|
||||
"customer#aaa.owner -> customer#aaa: *",
|
||||
"customer#aaa.tenant -> customer#aaa: view",
|
||||
"package#aaa00.admin -> package#aaa00: add-domain",
|
||||
"package#aaa00.admin -> package#aaa00: add-unixuser",
|
||||
"package#aaa00.tenant -> package#aaa00: view",
|
||||
"package#aaa01.admin -> package#aaa01: add-domain",
|
||||
"package#aaa01.admin -> package#aaa01: add-unixuser",
|
||||
"package#aaa01.tenant -> package#aaa01: view",
|
||||
"package#aaa02.admin -> package#aaa02: add-domain",
|
||||
"package#aaa02.admin -> package#aaa02: add-unixuser",
|
||||
"package#aaa02.tenant -> package#aaa02: view",
|
||||
"customer#xxx.admin -> customer#xxx: add-package",
|
||||
"customer#xxx.admin -> customer#xxx: view",
|
||||
"customer#xxx.owner -> customer#xxx: *",
|
||||
"customer#xxx.tenant -> customer#xxx: view",
|
||||
"package#xxx00.admin -> package#xxx00: add-domain",
|
||||
"package#xxx00.admin -> package#xxx00: add-unixuser",
|
||||
"package#xxx00.tenant -> package#xxx00: view",
|
||||
"package#xxx01.admin -> package#xxx01: add-domain",
|
||||
"package#xxx01.admin -> package#xxx01: add-unixuser",
|
||||
"package#xxx01.tenant -> package#xxx01: view",
|
||||
"package#xxx02.admin -> package#xxx02: add-domain",
|
||||
"package#xxx02.admin -> package#xxx02: add-unixuser",
|
||||
"package#xxx02.tenant -> package#xxx02: view",
|
||||
|
||||
"customer#aab.admin -> customer#aab: add-package",
|
||||
"customer#aab.admin -> customer#aab: view",
|
||||
"customer#aab.owner -> customer#aab: *",
|
||||
"customer#aab.tenant -> customer#aab: view",
|
||||
"package#aab00.admin -> package#aab00: add-domain",
|
||||
"package#aab00.admin -> package#aab00: add-unixuser",
|
||||
"package#aab00.tenant -> package#aab00: view",
|
||||
"package#aab01.admin -> package#aab01: add-domain",
|
||||
"package#aab01.admin -> package#aab01: add-unixuser",
|
||||
"package#aab01.tenant -> package#aab01: view",
|
||||
"package#aab02.admin -> package#aab02: add-domain",
|
||||
"package#aab02.admin -> package#aab02: add-unixuser",
|
||||
"package#aab02.tenant -> package#aab02: view",
|
||||
"customer#yyy.admin -> customer#yyy: add-package",
|
||||
"customer#yyy.admin -> customer#yyy: view",
|
||||
"customer#yyy.owner -> customer#yyy: *",
|
||||
"customer#yyy.tenant -> customer#yyy: view",
|
||||
"package#yyy00.admin -> package#yyy00: add-domain",
|
||||
"package#yyy00.admin -> package#yyy00: add-unixuser",
|
||||
"package#yyy00.tenant -> package#yyy00: view",
|
||||
"package#yyy01.admin -> package#yyy01: add-domain",
|
||||
"package#yyy01.admin -> package#yyy01: add-unixuser",
|
||||
"package#yyy01.tenant -> package#yyy01: view",
|
||||
"package#yyy02.admin -> package#yyy02: add-domain",
|
||||
"package#yyy02.admin -> package#yyy02: add-unixuser",
|
||||
"package#yyy02.tenant -> package#yyy02: view",
|
||||
|
||||
"customer#aac.admin -> customer#aac: add-package",
|
||||
"customer#aac.admin -> customer#aac: view",
|
||||
"customer#aac.owner -> customer#aac: *",
|
||||
"customer#aac.tenant -> customer#aac: view",
|
||||
"package#aac00.admin -> package#aac00: add-domain",
|
||||
"package#aac00.admin -> package#aac00: add-unixuser",
|
||||
"package#aac00.tenant -> package#aac00: view",
|
||||
"package#aac01.admin -> package#aac01: add-domain",
|
||||
"package#aac01.admin -> package#aac01: add-unixuser",
|
||||
"package#aac01.tenant -> package#aac01: view",
|
||||
"package#aac02.admin -> package#aac02: add-domain",
|
||||
"package#aac02.admin -> package#aac02: add-unixuser",
|
||||
"package#aac02.tenant -> package#aac02: view"
|
||||
"customer#zzz.admin -> customer#zzz: add-package",
|
||||
"customer#zzz.admin -> customer#zzz: view",
|
||||
"customer#zzz.owner -> customer#zzz: *",
|
||||
"customer#zzz.tenant -> customer#zzz: view",
|
||||
"package#zzz00.admin -> package#zzz00: add-domain",
|
||||
"package#zzz00.admin -> package#zzz00: add-unixuser",
|
||||
"package#zzz00.tenant -> package#zzz00: view",
|
||||
"package#zzz01.admin -> package#zzz01: add-domain",
|
||||
"package#zzz01.admin -> package#zzz01: add-unixuser",
|
||||
"package#zzz01.tenant -> package#zzz01: view",
|
||||
"package#zzz02.admin -> package#zzz02: add-domain",
|
||||
"package#zzz02.admin -> package#zzz02: add-unixuser",
|
||||
"package#zzz02.tenant -> package#zzz02: view"
|
||||
// @formatter:on
|
||||
);
|
||||
|
||||
@ -255,41 +255,41 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
@Test
|
||||
public void customerAdmin_withoutAssumedRole_canViewTheirOwnPermissions() {
|
||||
// given
|
||||
context("admin@aaa.example.com");
|
||||
context("customer-admin@xxx.example.com");
|
||||
|
||||
// when
|
||||
final var result = rbacUserRepository.findPermissionsOfUser("admin@aaa.example.com");
|
||||
final var result = rbacUserRepository.findPermissionsOfUser("customer-admin@xxx.example.com");
|
||||
|
||||
// then
|
||||
allTheseRbacPermissionsAreReturned(
|
||||
result,
|
||||
// @formatter:off
|
||||
"customer#aaa.admin -> customer#aaa: add-package",
|
||||
"customer#aaa.admin -> customer#aaa: view",
|
||||
"customer#aaa.tenant -> customer#aaa: view",
|
||||
"customer#xxx.admin -> customer#xxx: add-package",
|
||||
"customer#xxx.admin -> customer#xxx: view",
|
||||
"customer#xxx.tenant -> customer#xxx: view",
|
||||
|
||||
"package#aaa00.admin -> package#aaa00: add-domain",
|
||||
"package#aaa00.admin -> package#aaa00: add-unixuser",
|
||||
"package#aaa00.tenant -> package#aaa00: view",
|
||||
"unixuser#aaa00-aaaa.owner -> unixuser#aaa00-aaaa: *",
|
||||
"package#xxx00.admin -> package#xxx00: add-domain",
|
||||
"package#xxx00.admin -> package#xxx00: add-unixuser",
|
||||
"package#xxx00.tenant -> package#xxx00: view",
|
||||
"unixuser#xxx00-aaaa.owner -> unixuser#xxx00-aaaa: *",
|
||||
|
||||
"package#aaa01.admin -> package#aaa01: add-domain",
|
||||
"package#aaa01.admin -> package#aaa01: add-unixuser",
|
||||
"package#aaa01.tenant -> package#aaa01: view",
|
||||
"unixuser#aaa01-aaaa.owner -> unixuser#aaa01-aaaa: *",
|
||||
"package#xxx01.admin -> package#xxx01: add-domain",
|
||||
"package#xxx01.admin -> package#xxx01: add-unixuser",
|
||||
"package#xxx01.tenant -> package#xxx01: view",
|
||||
"unixuser#xxx01-aaaa.owner -> unixuser#xxx01-aaaa: *",
|
||||
|
||||
"package#aaa02.admin -> package#aaa02: add-domain",
|
||||
"package#aaa02.admin -> package#aaa02: add-unixuser",
|
||||
"package#aaa02.tenant -> package#aaa02: view",
|
||||
"unixuser#aaa02-aaaa.owner -> unixuser#aaa02-aaaa: *"
|
||||
"package#xxx02.admin -> package#xxx02: add-domain",
|
||||
"package#xxx02.admin -> package#xxx02: add-unixuser",
|
||||
"package#xxx02.tenant -> package#xxx02: view",
|
||||
"unixuser#xxx02-aaaa.owner -> unixuser#xxx02-aaaa: *"
|
||||
// @formatter:on
|
||||
);
|
||||
noneOfTheseRbacPermissionsAreReturned(
|
||||
result,
|
||||
// @formatter:off
|
||||
"customer#aab.admin -> customer#aab: add-package",
|
||||
"customer#aab.admin -> customer#aab: view",
|
||||
"customer#aab.tenant -> customer#aab: view"
|
||||
"customer#yyy.admin -> customer#yyy: add-package",
|
||||
"customer#yyy.admin -> customer#yyy: view",
|
||||
"customer#yyy.tenant -> customer#yyy: view"
|
||||
// @formatter:on
|
||||
);
|
||||
}
|
||||
@ -297,7 +297,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
@Test
|
||||
public void customerAdmin_withoutAssumedRole_isNotAllowedToViewGlobalAdminsPermissions() {
|
||||
// given
|
||||
context("admin@aaa.example.com");
|
||||
context("customer-admin@xxx.example.com");
|
||||
|
||||
// when
|
||||
final var result = attempt(em, () ->
|
||||
@ -307,41 +307,41 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
// then
|
||||
result.assertExceptionWithRootCauseMessage(
|
||||
JpaSystemException.class,
|
||||
"[403] permissions of user \"mike@hostsharing.net\" are not accessible to user \"admin@aaa.example.com\"");
|
||||
"[403] permissions of user \"mike@hostsharing.net\" are not accessible to user \"customer-admin@xxx.example.com\"");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void customerAdmin_withoutAssumedRole_canViewAllPermissionsWithinThePacketsRealm() {
|
||||
// given
|
||||
context("admin@aaa.example.com");
|
||||
context("customer-admin@xxx.example.com");
|
||||
|
||||
// when
|
||||
final var result = rbacUserRepository.findPermissionsOfUser("aaa00@aaa.example.com");
|
||||
final var result = rbacUserRepository.findPermissionsOfUser("pac-admin-xxx00@xxx.example.com");
|
||||
|
||||
// then
|
||||
allTheseRbacPermissionsAreReturned(
|
||||
result,
|
||||
// @formatter:off
|
||||
"customer#aaa.tenant -> customer#aaa: view",
|
||||
// "customer#aaa.admin -> customer#aaa: view" - Not permissions through the customer admin!
|
||||
"package#aaa00.admin -> package#aaa00: add-unixuser",
|
||||
"package#aaa00.admin -> package#aaa00: add-domain",
|
||||
"package#aaa00.tenant -> package#aaa00: view",
|
||||
"unixuser#aaa00-aaaa.owner -> unixuser#aaa00-aaaa: *",
|
||||
"unixuser#aaa00-aaab.owner -> unixuser#aaa00-aaab: *"
|
||||
"customer#xxx.tenant -> customer#xxx: view",
|
||||
// "customer#xxx.admin -> customer#xxx: view" - Not permissions through the customer admin!
|
||||
"package#xxx00.admin -> package#xxx00: add-unixuser",
|
||||
"package#xxx00.admin -> package#xxx00: add-domain",
|
||||
"package#xxx00.tenant -> package#xxx00: view",
|
||||
"unixuser#xxx00-aaaa.owner -> unixuser#xxx00-aaaa: *",
|
||||
"unixuser#xxx00-aaab.owner -> unixuser#xxx00-aaab: *"
|
||||
// @formatter:on
|
||||
);
|
||||
noneOfTheseRbacPermissionsAreReturned(
|
||||
result,
|
||||
// @formatter:off
|
||||
"customer#aab.admin -> customer#aab: add-package",
|
||||
"customer#aab.admin -> customer#aab: view",
|
||||
"customer#aab.tenant -> customer#aab: view",
|
||||
"package#aab00.admin -> package#aab00: add-unixuser",
|
||||
"package#aab00.admin -> package#aab00: add-domain",
|
||||
"package#aab00.tenant -> package#aab00: view",
|
||||
"unixuser#aab00-aaaa.owner -> unixuser#aab00-aaaa: *",
|
||||
"unixuser#aab00-aaab.owner -> unixuser#aab00-aaab: *"
|
||||
"customer#yyy.admin -> customer#yyy: add-package",
|
||||
"customer#yyy.admin -> customer#yyy: view",
|
||||
"customer#yyy.tenant -> customer#yyy: view",
|
||||
"package#yyy00.admin -> package#yyy00: add-unixuser",
|
||||
"package#yyy00.admin -> package#yyy00: add-domain",
|
||||
"package#yyy00.tenant -> package#yyy00: view",
|
||||
"unixuser#yyy00-aaaa.owner -> unixuser#yyy00-aaaa: *",
|
||||
"unixuser#yyy00-aaab.owner -> unixuser#yyy00-aaab: *"
|
||||
// @formatter:on
|
||||
);
|
||||
}
|
||||
@ -349,10 +349,10 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
@Test
|
||||
public void customerAdmin_withoutAssumedRole_canNotViewPermissionsOfUnrelatedUsers() {
|
||||
// given
|
||||
context("admin@aaa.example.com");
|
||||
context("customer-admin@xxx.example.com");
|
||||
|
||||
// when
|
||||
final var result = rbacUserRepository.findPermissionsOfUser("aab00@aab.example.com");
|
||||
final var result = rbacUserRepository.findPermissionsOfUser("pac-admin-yyy00@yyy.example.com");
|
||||
|
||||
// then
|
||||
noRbacPermissionsAreReturned(result);
|
||||
@ -361,36 +361,36 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
@Test
|
||||
public void packetAdmin_withoutAssumedRole_canViewAllPermissionsWithinThePacketsRealm() {
|
||||
// given
|
||||
context("aaa00@aaa.example.com");
|
||||
context("pac-admin-xxx00@xxx.example.com");
|
||||
|
||||
// when
|
||||
final var result = rbacUserRepository.findPermissionsOfUser("aaa00@aaa.example.com");
|
||||
final var result = rbacUserRepository.findPermissionsOfUser("pac-admin-xxx00@xxx.example.com");
|
||||
|
||||
// then
|
||||
allTheseRbacPermissionsAreReturned(
|
||||
result,
|
||||
// @formatter:off
|
||||
"customer#aaa.tenant -> customer#aaa: view",
|
||||
// "customer#aaa.admin -> customer#aaa: view" - Not permissions through the customer admin!
|
||||
"package#aaa00.admin -> package#aaa00: add-unixuser",
|
||||
"package#aaa00.admin -> package#aaa00: add-domain",
|
||||
"package#aaa00.tenant -> package#aaa00: view"
|
||||
"customer#xxx.tenant -> customer#xxx: view",
|
||||
// "customer#xxx.admin -> customer#xxx: view" - Not permissions through the customer admin!
|
||||
"package#xxx00.admin -> package#xxx00: add-unixuser",
|
||||
"package#xxx00.admin -> package#xxx00: add-domain",
|
||||
"package#xxx00.tenant -> package#xxx00: view"
|
||||
// @formatter:on
|
||||
);
|
||||
noneOfTheseRbacPermissionsAreReturned(
|
||||
result,
|
||||
// @formatter:off
|
||||
// no customer admin permissions
|
||||
"customer#aaa.admin -> customer#aaa: add-package",
|
||||
"customer#xxx.admin -> customer#xxx: add-package",
|
||||
// no permissions on other customer's objects
|
||||
"customer#aab.admin -> customer#aab: add-package",
|
||||
"customer#aab.admin -> customer#aab: view",
|
||||
"customer#aab.tenant -> customer#aab: view",
|
||||
"package#aab00.admin -> package#aab00: add-unixuser",
|
||||
"package#aab00.admin -> package#aab00: add-domain",
|
||||
"package#aab00.tenant -> package#aab00: view",
|
||||
"unixuser#aab00-aaaa.owner -> unixuser#aab00-aaaa: *",
|
||||
"unixuser#aab00-aaab.owner -> unixuser#aab00-aaab: *"
|
||||
"customer#yyy.admin -> customer#yyy: add-package",
|
||||
"customer#yyy.admin -> customer#yyy: view",
|
||||
"customer#yyy.tenant -> customer#yyy: view",
|
||||
"package#yyy00.admin -> package#yyy00: add-unixuser",
|
||||
"package#yyy00.admin -> package#yyy00: add-domain",
|
||||
"package#yyy00.tenant -> package#yyy00: view",
|
||||
"unixuser#yyy00-aaaa.owner -> unixuser#yyy00-aaaa: *",
|
||||
"unixuser#yyy00-xxxb.owner -> unixuser#yyy00-xxxb: *"
|
||||
// @formatter:on
|
||||
);
|
||||
}
|
||||
|
@ -5,8 +5,8 @@ import static java.util.UUID.randomUUID;
|
||||
|
||||
public class TestRbacUser {
|
||||
|
||||
static final RbacUserEntity userAaa = rbacRole("admin@aaa.example.com");
|
||||
static final RbacUserEntity userBbb = rbacRole("admin@bbb.example.com");
|
||||
static final RbacUserEntity userxxx = rbacRole("customer-admin@xxx.example.com");
|
||||
static final RbacUserEntity userBbb = rbacRole("customer-admin@bbb.example.com");
|
||||
|
||||
static public RbacUserEntity rbacRole(final String userName) {
|
||||
return new RbacUserEntity(randomUUID(), userName);
|
||||
|
Loading…
Reference in New Issue
Block a user