fix HsOfficeRelationshipEntity tests

This commit is contained in:
Michael Hoennig 2024-03-15 18:41:02 +01:00
parent 3c8eb13f0a
commit 86148c3258
18 changed files with 112 additions and 40 deletions

View File

@ -119,10 +119,12 @@ public class HsOfficeRelationshipEntity implements HasUuid, Stringifyable {
with.outgoingSubRole("holderPerson", REFERRER); with.outgoingSubRole("holderPerson", REFERRER);
with.outgoingSubRole("contact", REFERRER); with.outgoingSubRole("contact", REFERRER);
with.permission(SELECT); with.permission(SELECT);
}); })
.toRole("anchorPerson", ADMIN).grantPermission(INSERT);
} }
public static void main(String[] args) throws IOException { public static void main(String[] args) throws IOException {
rbac().generateWithBaseFileName("223-hs-office-relationship-rbac-generated"); rbac().generateWithBaseFileName("223-hs-office-relationship-rbac");
} }
} }

View File

@ -80,12 +80,13 @@ public class InsertTriggerGenerator {
strict as $$ strict as $$
begin begin
call grantPermissionToRole( call grantPermissionToRole(
${rawSuperRoleDescriptor}, createPermission(NEW.uuid, 'INSERT', '${rawSubTableName}'),
createPermission(NEW.uuid, 'INSERT', '${rawSubTableName}')); ${rawSuperRoleDescriptor});
return NEW; return NEW;
end; $$; end; $$;
create trigger ${rawSubTableName}_${rawSuperTableName}_insert_tg -- z_... is to put it at the end of after insert triggers, to make sure the roles exist
create trigger z_${rawSubTableName}_${rawSuperTableName}_insert_tg
after insert on ${rawSuperTableName} after insert on ${rawSuperTableName}
for each row for each row
execute procedure ${rawSubTableName}_${rawSuperTableName}_insert_tf(); execute procedure ${rawSubTableName}_${rawSuperTableName}_insert_tf();

View File

@ -179,7 +179,7 @@ begin
return NEW; return NEW;
end; $$; end; $$;
create trigger test_package_test_customer_insert_tg create trigger z_test_package_test_customer_insert_tg
after insert on test_customer after insert on test_customer
for each row for each row
execute procedure test_package_test_customer_insert_tf(); execute procedure test_package_test_customer_insert_tf();

View File

@ -178,7 +178,7 @@ begin
return NEW; return NEW;
end; $$; end; $$;
create trigger test_domain_test_package_insert_tg create trigger z_test_domain_test_package_insert_tg
after insert on test_package after insert on test_package
for each row for each row
execute procedure test_domain_test_package_insert_tf(); execute procedure test_domain_test_package_insert_tf();

View File

@ -114,7 +114,7 @@ begin
return NEW; return NEW;
end; $$; end; $$;
create trigger hs_office_contact_global_insert_tg create trigger z_hs_office_contact_global_insert_tg
after insert on global after insert on global
for each row for each row
execute procedure hs_office_contact_global_insert_tf(); execute procedure hs_office_contact_global_insert_tf();

View File

@ -114,7 +114,7 @@ begin
return NEW; return NEW;
end; $$; end; $$;
create trigger hs_office_person_global_insert_tg create trigger z_hs_office_person_global_insert_tg
after insert on global after insert on global
for each row for each row
execute procedure hs_office_person_global_insert_tf(); execute procedure hs_office_person_global_insert_tf();

View File

@ -1,6 +1,6 @@
### rbac relationship ### rbac relationship
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-15T15:30:23.331560468. This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-15T17:17:00.854621634.
```mermaid ```mermaid
%%{init:{'flowchart':{'htmlLabels':false}}}%% %%{init:{'flowchart':{'htmlLabels':false}}}%%
@ -64,6 +64,7 @@ subgraph relationship["`**relationship**`"]
perm:relationship:DELETE{{relationship:DELETE}} perm:relationship:DELETE{{relationship:DELETE}}
perm:relationship:UPDATE{{relationship:UPDATE}} perm:relationship:UPDATE{{relationship:UPDATE}}
perm:relationship:SELECT{{relationship:SELECT}} perm:relationship:SELECT{{relationship:SELECT}}
perm:relationship:INSERT{{relationship:INSERT}}
end end
end end
@ -96,5 +97,6 @@ role:relationship:tenant ==> role:contact:referrer
role:relationship:owner ==> perm:relationship:DELETE role:relationship:owner ==> perm:relationship:DELETE
role:relationship:admin ==> perm:relationship:UPDATE role:relationship:admin ==> perm:relationship:UPDATE
role:relationship:tenant ==> perm:relationship:SELECT role:relationship:tenant ==> perm:relationship:SELECT
role:anchorPerson:admin ==> perm:relationship:INSERT
``` ```

View File

@ -1,5 +1,5 @@
--liquibase formatted sql --liquibase formatted sql
-- This code generated was by RbacViewPostgresGenerator at 2024-03-15T15:30:23.341470108. -- This code generated was by RbacViewPostgresGenerator at 2024-03-15T17:17:00.864301165.
-- ============================================================================ -- ============================================================================
@ -186,13 +186,68 @@ execute procedure updateTriggerForHsOfficeRelationship_tf();
--changeset hs-office-relationship-rbac-INSERT:1 endDelimiter:--// --changeset hs-office-relationship-rbac-INSERT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
-- FIXME: Where is this case necessary? /*
Creates INSERT INTO hs_office_relationship permissions for the related hs_office_person rows.
*/
do language plpgsql $$
declare
row hs_office_person;
permissionUuid uuid;
roleUuid uuid;
begin
call defineContext('create INSERT INTO hs_office_relationship permissions for the related hs_office_person rows');
FOR row IN SELECT * FROM hs_office_person
LOOP
roleUuid := findRoleId(hsOfficePersonAdmin(row));
permissionUuid := createPermission(row.uuid, 'INSERT', 'hs_office_relationship');
call grantPermissionToRole(permissionUuid, roleUuid);
END LOOP;
END;
$$;
/**
Adds hs_office_relationship INSERT permission to specified role of new hs_office_person rows.
*/
create or replace function hs_office_relationship_hs_office_person_insert_tf()
returns trigger
language plpgsql
strict as $$
begin
call grantPermissionToRole(
createPermission(NEW.uuid, 'INSERT', 'hs_office_relationship'),
hsOfficePersonAdmin(NEW));
return NEW;
end; $$;
create trigger z_hs_office_relationship_hs_office_person_insert_tg
after insert on hs_office_person
for each row
execute procedure hs_office_relationship_hs_office_person_insert_tf();
/**
Checks if the user or assumed roles are allowed to insert a row to hs_office_relationship.
*/
create or replace function hs_office_relationship_insert_permission_missing_tf()
returns trigger
language plpgsql as $$
begin
if ( not hasInsertPermission(
( SELECT anchorPerson.uuid FROM
(select * from hs_office_person as p where p.uuid = NEW.relAnchorUuid) AS anchorPerson
), 'INSERT', 'hs_office_relationship') ) then
raise exception
'[403] insert into hs_office_relationship not allowed for current subjects % (%)',
currentSubjects(), currentSubjectsUuids();
end if;
return NEW;
end; $$;
create trigger hs_office_relationship_insert_permission_check_tg create trigger hs_office_relationship_insert_permission_check_tg
before insert on hs_office_relationship before insert on hs_office_relationship
for each row for each row
-- As there is no explicit INSERT grant specified for this table,
-- only global admins are allowed to insert any rows.
when ( not isGlobalAdmin() )
execute procedure hs_office_relationship_insert_permission_missing_tf(); execute procedure hs_office_relationship_insert_permission_missing_tf();
--// --//

View File

@ -110,7 +110,7 @@ begin
return NEW; return NEW;
end; $$; end; $$;
create trigger hs_office_partner_global_insert_tg create trigger z_hs_office_partner_global_insert_tg
after insert on global after insert on global
for each row for each row
execute procedure hs_office_partner_global_insert_tf(); execute procedure hs_office_partner_global_insert_tf();

View File

@ -95,7 +95,7 @@ begin
return NEW; return NEW;
end; $$; end; $$;
create trigger hs_office_partner_details_global_insert_tg create trigger z_hs_office_partner_details_global_insert_tg
after insert on global after insert on global
for each row for each row
execute procedure hs_office_partner_details_global_insert_tf(); execute procedure hs_office_partner_details_global_insert_tf();

View File

@ -114,7 +114,7 @@ begin
return NEW; return NEW;
end; $$; end; $$;
create trigger hs_office_bankaccount_global_insert_tg create trigger z_hs_office_bankaccount_global_insert_tg
after insert on global after insert on global
for each row for each row
execute procedure hs_office_bankaccount_global_insert_tf(); execute procedure hs_office_bankaccount_global_insert_tf();

View File

@ -1,6 +1,6 @@
### rbac sepaMandate ### rbac sepaMandate
This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-15T06:12:35.337470470. This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-15T17:18:45.736693565.
```mermaid ```mermaid
%%{init:{'flowchart':{'htmlLabels':false}}}%% %%{init:{'flowchart':{'htmlLabels':false}}}%%

View File

@ -1,5 +1,5 @@
--liquibase formatted sql --liquibase formatted sql
-- This code generated was by RbacViewPostgresGenerator at 2024-03-15T06:12:35.345630060. -- This code generated was by RbacViewPostgresGenerator at 2024-03-15T17:18:45.747792100.
-- ============================================================================ -- ============================================================================
@ -134,12 +134,12 @@ create or replace function hs_office_sepamandate_hs_office_relationship_insert_t
strict as $$ strict as $$
begin begin
call grantPermissionToRole( call grantPermissionToRole(
hsOfficeRelationshipAdmin(NEW), createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'),
createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate')); hsOfficeRelationshipAdmin(NEW));
return NEW; return NEW;
end; $$; end; $$;
create trigger hs_office_sepamandate_hs_office_relationship_insert_tg create trigger z_hs_office_sepamandate_hs_office_relationship_insert_tg
after insert on hs_office_relationship after insert on hs_office_relationship
for each row for each row
execute procedure hs_office_sepamandate_hs_office_relationship_insert_tf(); execute procedure hs_office_sepamandate_hs_office_relationship_insert_tf();

View File

@ -225,7 +225,7 @@ begin
return NEW; return NEW;
end; $$; end; $$;
create trigger hs_office_debitor_global_insert_tg create trigger z_hs_office_debitor_global_insert_tg
after insert on global after insert on global
for each row for each row
execute procedure hs_office_debitor_global_insert_tf(); execute procedure hs_office_debitor_global_insert_tf();

View File

@ -124,7 +124,7 @@ begin
return NEW; return NEW;
end; $$; end; $$;
create trigger hs_office_membership_global_insert_tg create trigger z_hs_office_membership_global_insert_tg
after insert on global after insert on global
for each row for each row
execute procedure hs_office_membership_global_insert_tf(); execute procedure hs_office_membership_global_insert_tf();

View File

@ -223,7 +223,17 @@ class HsOfficeCoopSharesTransactionControllerAcceptanceTest extends ContextBased
final var givenCoopShareTransactionUuid = coopSharesTransactionRepo.findCoopSharesTransactionByOptionalMembershipUuidAndDateRange(null, LocalDate.of(2010, 3, 15), LocalDate.of(2010, 3, 15)).get(0).getUuid(); final var givenCoopShareTransactionUuid = coopSharesTransactionRepo.findCoopSharesTransactionByOptionalMembershipUuidAndDateRange(null, LocalDate.of(2010, 3, 15), LocalDate.of(2010, 3, 15)).get(0).getUuid();
RestAssured // @formatter:off RestAssured // @formatter:off
.given().header("current-user", "contact-admin@firstcontact.example.com").port(port).when().get("http://localhost/api/hs/office/coopsharestransactions/" + givenCoopShareTransactionUuid).then().log().body().assertThat().statusCode(200).contentType("application/json").body("", lenientlyEquals(""" .given()
.header("current-user", "contact-admin@firstcontact.example.com")
.port(port)
.when()
.get("http://localhost/api/hs/office/coopsharestransactions/" + givenCoopShareTransactionUuid)
.then()
.log().body()
.assertThat()
.statusCode(200)
.contentType("application/json")
.body("", lenientlyEquals("""
{ {
"transactionType": "SUBSCRIPTION", "transactionType": "SUBSCRIPTION",
"shareCount": 4 "shareCount": 4

View File

@ -88,7 +88,6 @@ class HsOfficeCoopSharesTransactionRepositoryIntegrationTest extends ContextBase
context("superuser-alex@hostsharing.net"); context("superuser-alex@hostsharing.net");
final var initialRoleNames = distinctRoleNamesOf(rawRoleRepo.findAll()); final var initialRoleNames = distinctRoleNamesOf(rawRoleRepo.findAll());
final var initialGrantNames = distinctGrantDisplaysOf(rawGrantRepo.findAll()).stream() final var initialGrantNames = distinctGrantDisplaysOf(rawGrantRepo.findAll()).stream()
.map(s -> s.replace("FirstGmbH-firstcontact", "..."))
.map(s -> s.replace("hs_office_", "")) .map(s -> s.replace("hs_office_", ""))
.toList(); .toList();
@ -109,11 +108,10 @@ class HsOfficeCoopSharesTransactionRepositoryIntegrationTest extends ContextBase
final var all = rawRoleRepo.findAll(); final var all = rawRoleRepo.findAll();
assertThat(distinctRoleNamesOf(all)).containsExactlyInAnyOrder(Array.from(initialRoleNames)); // no new roles created assertThat(distinctRoleNamesOf(all)).containsExactlyInAnyOrder(Array.from(initialRoleNames)); // no new roles created
assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())) assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll()))
.map(s -> s.replace("FirstGmbH-firstcontact", "..."))
.map(s -> s.replace("hs_office_", "")) .map(s -> s.replace("hs_office_", ""))
.containsExactlyInAnyOrder(Array.fromFormatted( .containsExactlyInAnyOrder(Array.fromFormatted(
initialGrantNames, initialGrantNames,
"{ grant perm SELECT on coopsharestransaction#temprefB to role membership#1000101:....tenant by system and assume }", "{ grant perm SELECT on coopsharestransaction#temprefB to role membership#M-1000101.referrer by system and assume }",
null)); null));
} }
@ -194,7 +192,7 @@ class HsOfficeCoopSharesTransactionRepositoryIntegrationTest extends ContextBase
@Test @Test
public void normalUser_canViewOnlyRelatedCoopSharesTransactions() { public void normalUser_canViewOnlyRelatedCoopSharesTransactions() {
// given: // given:
context("superuser-alex@hostsharing.net", "hs_office_partner#10001:FirstGmbH-firstcontact.admin"); context("superuser-alex@hostsharing.net", "hs_office_membership#M-1000101.admin");
// when: // when:
final var result = coopSharesTransactionRepo.findCoopSharesTransactionByOptionalMembershipUuidAndDateRange( final var result = coopSharesTransactionRepo.findCoopSharesTransactionByOptionalMembershipUuidAndDateRange(

View File

@ -127,16 +127,18 @@ class HsOfficeRelationshipRepositoryIntegrationTest extends ContextBasedTestWith
"hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant")); "hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant"));
assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(Array.fromFormatted( assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(Array.fromFormatted(
initialGrantNames, initialGrantNames,
"{ grant perm INSERT on hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin by system and assume }",
"{ grant perm DELETE on hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner by system and assume }", "{ grant perm DELETE on hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner by system and assume }",
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner to role global#global.admin by system and assume }", "{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner to role global#global.admin by system and assume }",
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner to user superuser-alex@hostsharing.net by hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner and assume }",
"{ grant perm edit on hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin by system and assume }", "{ grant perm UPDATE on hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin by system and assume }",
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner by system and assume }", "{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner by system and assume }",
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin to role hs_office_person#ErbenBesslerMelBessler.admin by system and assume }", "{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin to role hs_office_person#ErbenBesslerMelBessler.admin by system and assume }",
"{ grant perm UPDATE on hs_office_relationship#BesslerAnita-with-REPRESENTATIVE-BesslerAnita to role hs_office_relationship#BesslerAnita-with-REPRESENTATIVE-BesslerAnita.admin by system and assume }", "{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.agent to role hs_office_person#BesslerBert.admin by system and assume }",
"{ grant role hs_office_relationship#BesslerAnita-with-REPRESENTATIVE-BesslerAnita.admin to role hs_office_relationship#BesslerAnita-with-REPRESENTATIVE-BesslerAnita.owner by system and assume }", "{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.agent to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin by system and assume }",
"{ grant perm SELECT on hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant by system and assume }", "{ grant perm SELECT on hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant by system and assume }",
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.agent by system and assume }", "{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.agent by system and assume }",
@ -145,7 +147,8 @@ class HsOfficeRelationshipRepositoryIntegrationTest extends ContextBasedTestWith
"{ grant role hs_office_contact#fourthcontact.referrer to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant by system and assume }", "{ grant role hs_office_contact#fourthcontact.referrer to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant by system and assume }",
// REPRESENTATIVE holder person -> (represented) anchor person // REPRESENTATIVE holder person -> (represented) anchor person
"{ grant role hs_office_person#BesslerBert.admin to role hs_office_person#ErbenBesslerMelBessler.admin by system and assume }", "{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant to role hs_office_contact#fourthcontact.admin by system and assume }",
"{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant to role hs_office_person#BesslerBert.admin by system and assume }",
null) null)
); );
@ -195,7 +198,8 @@ class HsOfficeRelationshipRepositoryIntegrationTest extends ContextBasedTestWith
result, result,
"rel(relAnchor='LP Second e.K.', relType='REPRESENTATIVE', relHolder='NP Smith, Peter', contact='second contact')", "rel(relAnchor='LP Second e.K.', relType='REPRESENTATIVE', relHolder='NP Smith, Peter', contact='second contact')",
"rel(relAnchor='IF Third OHG', relType='SUBSCRIBER', relMark='members-announce', relHolder='NP Smith, Peter', contact='third contact')", "rel(relAnchor='IF Third OHG', relType='SUBSCRIBER', relMark='members-announce', relHolder='NP Smith, Peter', contact='third contact')",
"rel(relAnchor='LP Hostsharing eG', relType='PARTNER', relHolder='NP Smith, Peter', contact='sixth contact')"); "rel(relAnchor='LP Hostsharing eG', relType='PARTNER', relHolder='NP Smith, Peter', contact='sixth contact')",
"rel(relAnchor='NP Smith, Peter', relType='ACCOUNTING', relHolder='NP Smith, Peter', contact='third contact')");
} }
} }