fix assumedRole max length, so it appears in error messages

2024-03-27 14:14:15 +01:00 · 2024-03-27 14:14:15 +01:00 · 8bc3c17b89
commit 8bc3c17b89
parent 954b24ec7c
4 changed files with 16 additions and 17 deletions
--- a/src/main/resources/db/changelog/010-context.sql
+++ b/src/main/resources/db/changelog/010-context.sql
@ -26,7 +26,7 @@ create or replace procedure defineContext(
    currentTask varchar(96),
    currentRequest text = null,
    currentUser varchar(63) = null,
-    assumedRoles varchar(256) = null
+    assumedRoles varchar(1023) = null
 )
    language plpgsql as $$
 begin
@ -43,7 +43,7 @@ begin
    execute format('set local hsadminng.currentUser to %L', currentUser);

    assumedRoles := coalesce(assumedRoles, '');
-    assert length(assumedRoles) <= 256, FORMAT('assumedRoles must not be longer than 256 characters: "%s"', assumedRoles);
+    assert length(assumedRoles) <= 1023, FORMAT('assumedRoles must not be longer than 1023 characters: "%s"', assumedRoles);
    execute format('set local hsadminng.assumedRoles to %L', assumedRoles);

    call contextDefined(currentTask, currentRequest, currentUser, assumedRoles);
@ -135,20 +135,21 @@ end; $$;
    or empty array, if not set.
 */
 create or replace function assumedRoles()
-    returns varchar(63)[]
+    returns varchar(1023)[]
    stable -- leakproof
    language plpgsql as $$
 declare
-    currentSubject varchar(63);
+    currentSubject varchar(1023);
 begin
    begin
        currentSubject := current_setting('hsadminng.assumedRoles');
    exception
-        when others then
-            return array []::varchar[];
+        when undefined_object then
+            return array ['error']::varchar[];
    end;
+
    if (currentSubject = '') then
-        return array []::varchar[];
+        return array ['empty']::varchar[];
    end if;
    return string_to_array(currentSubject, ';');
 end; $$;
@ -219,17 +220,17 @@ begin
 end ; $$;

 create or replace function currentSubjects()
-    returns varchar(63)[]
+    returns varchar(127)[]
    stable -- leakproof
    language plpgsql as $$
 declare
-    assumedRoles varchar(63)[];
+    assumedRoles varchar(127)[];
 begin
    assumedRoles := assumedRoles();
    if array_length(assumedRoles, 1) > 0 then
-        return assumedRoles();
+        return assumedRoles;
    else
-        return array [currentUser()]::varchar(63)[];
+        return array [currentUser()]::varchar(127)[];
    end if;
 end; $$;

--- a/src/main/resources/db/changelog/020-audit-log.sql
+++ b/src/main/resources/db/changelog/020-audit-log.sql
@ -27,7 +27,7 @@ create table tx_context
    txId            bigint             not null,
    txTimestamp     timestamp          not null,
    currentUser     varchar(63)        not null, -- not the uuid, because users can be deleted
-    assumedRoles    varchar(256)       not null, -- not the uuids, because roles can be deleted
+    assumedRoles    varchar(1023)      not null, -- not the uuids, because roles can be deleted
    currentTask     varchar(96)        not null,
    currentRequest  text       not null
 );
--- a/src/main/resources/db/changelog/234-hs-office-partner-details-rbac.sql
+++ b/src/main/resources/db/changelog/234-hs-office-partner-details-rbac.sql
@ -107,8 +107,8 @@ create or replace function hs_office_partner_details_insert_permission_missing_t
    returns trigger
    language plpgsql as $$
 begin
-    raise exception '[403] insert into hs_office_partner_details not allowed for current subjects % (%)',
-        currentSubjects(), currentSubjectsUuids();
+    raise exception '[403] insert into hs_office_partner_details not allowed for current subjects % (%) assumed by user % (%)',
+        currentSubjects(), currentSubjectsUuids(), currentUser(), currentUserUuid();
 end; $$;

 create trigger hs_office_partner_details_insert_permission_check_tg
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerRepositoryIntegrationTest.java
@ -332,9 +332,7 @@ class HsOfficePartnerRepositoryIntegrationTest extends ContextBasedTestWithClean

            // then
            result.assertExceptionWithRootCauseMessage(JpaSystemException.class,
-                    // FIXME: the assumed role should appear, but it does not:
-                    //"[403] insert into hs_office_partner_details not allowed for current subjects {hs_office_relation#HostsharingeG-with-PARTNER-ErbenBesslerMelBessler.tenant}");
-                    "[403] insert into hs_office_partner_details not allowed for current subjects");
+                    "[403] insert into hs_office_partner_details not allowed for current subjects {hs_office_relation#HostsharingeG-with-PARTNER-ErbenBesslerMelBessler.tenant}");
        }

        private void assertThatPartnerActuallyInDatabase(final HsOfficePartnerEntity saved) {