fix assumedRole max length, so it appears in error messages

This commit is contained in:
Michael Hoennig 2024-03-27 14:14:15 +01:00
parent 954b24ec7c
commit 8bc3c17b89
4 changed files with 16 additions and 17 deletions

View File

@ -26,7 +26,7 @@ create or replace procedure defineContext(
currentTask varchar(96),
currentRequest text = null,
currentUser varchar(63) = null,
assumedRoles varchar(256) = null
assumedRoles varchar(1023) = null
)
language plpgsql as $$
begin
@ -43,7 +43,7 @@ begin
execute format('set local hsadminng.currentUser to %L', currentUser);
assumedRoles := coalesce(assumedRoles, '');
assert length(assumedRoles) <= 256, FORMAT('assumedRoles must not be longer than 256 characters: "%s"', assumedRoles);
assert length(assumedRoles) <= 1023, FORMAT('assumedRoles must not be longer than 1023 characters: "%s"', assumedRoles);
execute format('set local hsadminng.assumedRoles to %L', assumedRoles);
call contextDefined(currentTask, currentRequest, currentUser, assumedRoles);
@ -135,20 +135,21 @@ end; $$;
or empty array, if not set.
*/
create or replace function assumedRoles()
returns varchar(63)[]
returns varchar(1023)[]
stable -- leakproof
language plpgsql as $$
declare
currentSubject varchar(63);
currentSubject varchar(1023);
begin
begin
currentSubject := current_setting('hsadminng.assumedRoles');
exception
when others then
return array []::varchar[];
when undefined_object then
return array ['error']::varchar[];
end;
if (currentSubject = '') then
return array []::varchar[];
return array ['empty']::varchar[];
end if;
return string_to_array(currentSubject, ';');
end; $$;
@ -219,17 +220,17 @@ begin
end ; $$;
create or replace function currentSubjects()
returns varchar(63)[]
returns varchar(127)[]
stable -- leakproof
language plpgsql as $$
declare
assumedRoles varchar(63)[];
assumedRoles varchar(127)[];
begin
assumedRoles := assumedRoles();
if array_length(assumedRoles, 1) > 0 then
return assumedRoles();
return assumedRoles;
else
return array [currentUser()]::varchar(63)[];
return array [currentUser()]::varchar(127)[];
end if;
end; $$;

View File

@ -27,7 +27,7 @@ create table tx_context
txId bigint not null,
txTimestamp timestamp not null,
currentUser varchar(63) not null, -- not the uuid, because users can be deleted
assumedRoles varchar(256) not null, -- not the uuids, because roles can be deleted
assumedRoles varchar(1023) not null, -- not the uuids, because roles can be deleted
currentTask varchar(96) not null,
currentRequest text not null
);

View File

@ -107,8 +107,8 @@ create or replace function hs_office_partner_details_insert_permission_missing_t
returns trigger
language plpgsql as $$
begin
raise exception '[403] insert into hs_office_partner_details not allowed for current subjects % (%)',
currentSubjects(), currentSubjectsUuids();
raise exception '[403] insert into hs_office_partner_details not allowed for current subjects % (%) assumed by user % (%)',
currentSubjects(), currentSubjectsUuids(), currentUser(), currentUserUuid();
end; $$;
create trigger hs_office_partner_details_insert_permission_check_tg

View File

@ -332,9 +332,7 @@ class HsOfficePartnerRepositoryIntegrationTest extends ContextBasedTestWithClean
// then
result.assertExceptionWithRootCauseMessage(JpaSystemException.class,
// FIXME: the assumed role should appear, but it does not:
//"[403] insert into hs_office_partner_details not allowed for current subjects {hs_office_relation#HostsharingeG-with-PARTNER-ErbenBesslerMelBessler.tenant}");
"[403] insert into hs_office_partner_details not allowed for current subjects");
"[403] insert into hs_office_partner_details not allowed for current subjects {hs_office_relation#HostsharingeG-with-PARTNER-ErbenBesslerMelBessler.tenant}");
}
private void assertThatPartnerActuallyInDatabase(final HsOfficePartnerEntity saved) {