From 8bc3c17b89bcc88a99e430f31f6e273bffc3658f Mon Sep 17 00:00:00 2001 From: Michael Hoennig Date: Wed, 27 Mar 2024 14:14:15 +0100 Subject: [PATCH] fix assumedRole max length, so it appears in error messages --- .../resources/db/changelog/010-context.sql | 23 ++++++++++--------- .../resources/db/changelog/020-audit-log.sql | 2 +- .../234-hs-office-partner-details-rbac.sql | 4 ++-- ...fficePartnerRepositoryIntegrationTest.java | 4 +--- 4 files changed, 16 insertions(+), 17 deletions(-) diff --git a/src/main/resources/db/changelog/010-context.sql b/src/main/resources/db/changelog/010-context.sql index 0e5cc457..5a9c6b99 100644 --- a/src/main/resources/db/changelog/010-context.sql +++ b/src/main/resources/db/changelog/010-context.sql @@ -26,7 +26,7 @@ create or replace procedure defineContext( currentTask varchar(96), currentRequest text = null, currentUser varchar(63) = null, - assumedRoles varchar(256) = null + assumedRoles varchar(1023) = null ) language plpgsql as $$ begin @@ -43,7 +43,7 @@ begin execute format('set local hsadminng.currentUser to %L', currentUser); assumedRoles := coalesce(assumedRoles, ''); - assert length(assumedRoles) <= 256, FORMAT('assumedRoles must not be longer than 256 characters: "%s"', assumedRoles); + assert length(assumedRoles) <= 1023, FORMAT('assumedRoles must not be longer than 1023 characters: "%s"', assumedRoles); execute format('set local hsadminng.assumedRoles to %L', assumedRoles); call contextDefined(currentTask, currentRequest, currentUser, assumedRoles); @@ -135,20 +135,21 @@ end; $$; or empty array, if not set. */ create or replace function assumedRoles() - returns varchar(63)[] + returns varchar(1023)[] stable -- leakproof language plpgsql as $$ declare - currentSubject varchar(63); + currentSubject varchar(1023); begin begin currentSubject := current_setting('hsadminng.assumedRoles'); exception - when others then - return array []::varchar[]; + when undefined_object then + return array ['error']::varchar[]; end; + if (currentSubject = '') then - return array []::varchar[]; + return array ['empty']::varchar[]; end if; return string_to_array(currentSubject, ';'); end; $$; @@ -219,17 +220,17 @@ begin end ; $$; create or replace function currentSubjects() - returns varchar(63)[] + returns varchar(127)[] stable -- leakproof language plpgsql as $$ declare - assumedRoles varchar(63)[]; + assumedRoles varchar(127)[]; begin assumedRoles := assumedRoles(); if array_length(assumedRoles, 1) > 0 then - return assumedRoles(); + return assumedRoles; else - return array [currentUser()]::varchar(63)[]; + return array [currentUser()]::varchar(127)[]; end if; end; $$; diff --git a/src/main/resources/db/changelog/020-audit-log.sql b/src/main/resources/db/changelog/020-audit-log.sql index ec14ad0d..543fc153 100644 --- a/src/main/resources/db/changelog/020-audit-log.sql +++ b/src/main/resources/db/changelog/020-audit-log.sql @@ -27,7 +27,7 @@ create table tx_context txId bigint not null, txTimestamp timestamp not null, currentUser varchar(63) not null, -- not the uuid, because users can be deleted - assumedRoles varchar(256) not null, -- not the uuids, because roles can be deleted + assumedRoles varchar(1023) not null, -- not the uuids, because roles can be deleted currentTask varchar(96) not null, currentRequest text not null ); diff --git a/src/main/resources/db/changelog/234-hs-office-partner-details-rbac.sql b/src/main/resources/db/changelog/234-hs-office-partner-details-rbac.sql index 977357c5..a594823b 100644 --- a/src/main/resources/db/changelog/234-hs-office-partner-details-rbac.sql +++ b/src/main/resources/db/changelog/234-hs-office-partner-details-rbac.sql @@ -107,8 +107,8 @@ create or replace function hs_office_partner_details_insert_permission_missing_t returns trigger language plpgsql as $$ begin - raise exception '[403] insert into hs_office_partner_details not allowed for current subjects % (%)', - currentSubjects(), currentSubjectsUuids(); + raise exception '[403] insert into hs_office_partner_details not allowed for current subjects % (%) assumed by user % (%)', + currentSubjects(), currentSubjectsUuids(), currentUser(), currentUserUuid(); end; $$; create trigger hs_office_partner_details_insert_permission_check_tg diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerRepositoryIntegrationTest.java index 6ffb29d4..94bcb9fe 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerRepositoryIntegrationTest.java +++ b/src/test/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerRepositoryIntegrationTest.java @@ -332,9 +332,7 @@ class HsOfficePartnerRepositoryIntegrationTest extends ContextBasedTestWithClean // then result.assertExceptionWithRootCauseMessage(JpaSystemException.class, - // FIXME: the assumed role should appear, but it does not: - //"[403] insert into hs_office_partner_details not allowed for current subjects {hs_office_relation#HostsharingeG-with-PARTNER-ErbenBesslerMelBessler.tenant}"); - "[403] insert into hs_office_partner_details not allowed for current subjects"); + "[403] insert into hs_office_partner_details not allowed for current subjects {hs_office_relation#HostsharingeG-with-PARTNER-ErbenBesslerMelBessler.tenant}"); } private void assertThatPartnerActuallyInDatabase(final HsOfficePartnerEntity saved) {