From 6f36cb215b307e294c451b256d649f8c0b379563 Mon Sep 17 00:00:00 2001 From: Michael Hoennig Date: Mon, 8 Jul 2024 18:37:19 +0200 Subject: [PATCH] improve RBAC grants --- .../hsadminng/hs/hosting/asset/HsHostingAssetEntity.java | 5 ++--- .../701-hosting-asset/7013-hs-hosting-asset-rbac.md | 3 +++ .../701-hosting-asset/7013-hs-hosting-asset-rbac.sql | 3 ++- .../asset/HsHostingAssetRepositoryIntegrationTest.java | 6 ++++-- 4 files changed, 11 insertions(+), 6 deletions(-) diff --git a/src/main/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetEntity.java index b56b01d0..fd094a44 100644 --- a/src/main/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetEntity.java +++ b/src/main/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetEntity.java @@ -50,6 +50,7 @@ import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.DELETE; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.UPDATE; +import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.UserRole.CREATOR; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.ADMIN; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.AGENT; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.GUEST; @@ -203,15 +204,13 @@ public class HsHostingAssetEntity implements Stringifyable, RbacObject, Properti .switchOnColumn("type", inCaseOf("DOMAIN_SETUP", then -> { - // grant(ADMIN).to(currentlyAssumedRole() // FIXME - // oder: - // via with.incomingSuperRole("bookingItem", ADMIN); (s.u.) then.toRole(GLOBAL, GUEST).grantPermission(INSERT); then.toRole(GLOBAL, ADMIN).grantPermission(SELECT); // TODO.spec: replace by a proper solution }) ) .createRole(OWNER, (with) -> { + with.owningUser(CREATOR); with.incomingSuperRole("bookingItem", ADMIN); with.incomingSuperRole("parentAsset", ADMIN); with.permission(DELETE); diff --git a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.md b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.md index 37b47e15..197b15f4 100644 --- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.md +++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.md @@ -80,6 +80,9 @@ subgraph parentAsset["`**parentAsset**`"] end end +%% granting roles to users +user:creator ==> role:asset:OWNER + %% granting roles to roles role:bookingItem:OWNER -.-> role:bookingItem:ADMIN role:bookingItem:ADMIN -.-> role:bookingItem:AGENT diff --git a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql index 5b740226..13fdcace 100644 --- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql +++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql @@ -51,7 +51,8 @@ begin permissions => array['DELETE'], incomingSuperRoles => array[ hsBookingItemADMIN(newBookingItem), - hsHostingAssetADMIN(newParentAsset)] + hsHostingAssetADMIN(newParentAsset)], + userUuids => array[currentUserUuid()] ); perform createRoleWithGrants( diff --git a/src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetRepositoryIntegrationTest.java index fa0855d6..8ad6e99d 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetRepositoryIntegrationTest.java +++ b/src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetRepositoryIntegrationTest.java @@ -134,6 +134,7 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu "{ grant perm:hs_hosting_asset#fir00:SELECT to role:global#global:ADMIN by system and assume }", // workaround // owner + "{ grant role:hs_hosting_asset#fir00:OWNER to user:superuser-alex@hostsharing.net by hs_hosting_asset#fir00:OWNER and assume }", "{ grant role:hs_hosting_asset#fir00:OWNER to role:hs_booking_item#fir01:ADMIN by system and assume }", "{ grant role:hs_hosting_asset#fir00:OWNER to role:hs_hosting_asset#vm1011:ADMIN by system and assume }", "{ grant perm:hs_hosting_asset#fir00:DELETE to role:hs_hosting_asset#fir00:OWNER by system and assume }", @@ -177,15 +178,16 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu result.assertSuccessful(); assertThat(result.returnedValue()).isNotNull().extracting(HsHostingAssetEntity::getUuid).isNotNull(); assertThat(result.returnedValue().isLoaded()).isFalse(); - context("superuser-alex@hostsharing.net"); + context("person-SmithPeter@example.com"); assertThatAssetIsPersisted(result.returnedValue()); + context("superuser-alex@hostsharing.net"); assertThat(assetRepo.count()).isEqualTo(assetCount + 1); } private void assertThatAssetIsPersisted(final HsHostingAssetEntity saved) { attempt(em, () -> { final var found = assetRepo.findByUuid(saved.getUuid()); - assertThat(found).isNotEmpty().map(HsHostingAssetEntity::toString).get().isEqualTo(saved.toString()); + assertThat(found).isNotEmpty().map(HsHostingAssetEntity::toString).contains(saved.toString()); }); }