replace unixuser test entities with domain
This commit is contained in:
parent
84ce90b28f
commit
a117258085
12
doc/rbac.md
12
doc/rbac.md
@ -103,7 +103,7 @@ package RBAC {
|
||||
enum RbacOperation {
|
||||
add-package
|
||||
add-domain
|
||||
add-unixuser
|
||||
add-domain
|
||||
...
|
||||
view
|
||||
edit
|
||||
@ -359,7 +359,7 @@ A full example is shown here:
|
||||
SELECT c.prefix, p.name as "package", ema.localPart || '@' || dom.name as "email-address"
|
||||
FROM emailaddress_rv ema
|
||||
JOIN domain_rv dom ON dom.uuid = ema.domainuuid
|
||||
JOIN unixuser_rv uu ON uu.uuid = dom.unixuseruuid
|
||||
JOIN domain_rv uu ON uu.uuid = dom.domainuuid
|
||||
JOIN package_rv p ON p.uuid = uu.packageuuid
|
||||
JOIN customer_rv c ON c.uuid = p.customeruuid;
|
||||
END TRANSACTION;
|
||||
@ -387,11 +387,11 @@ entity EMailAddress
|
||||
entity Domain
|
||||
Domain o-- "*" EMailAddress
|
||||
|
||||
entity UnixUser
|
||||
UnixUser o-- "*" Domain
|
||||
entity domain
|
||||
domain o-- "*" Domain
|
||||
|
||||
entity Package
|
||||
Package o.. "*" UnixUser
|
||||
Package o.. "*" domain
|
||||
|
||||
entity Customer
|
||||
Customer o-- "*" Package
|
||||
@ -497,7 +497,7 @@ together {
|
||||
entity "Perm package#xyz00 *" as permPackageXyzAll
|
||||
permPackageXyzAll --> boPacXyz00
|
||||
|
||||
entity "Perm package#xyz00 add-unixuser" as permPacXyz00AddUser
|
||||
entity "Perm package#xyz00 add-domain" as permPacXyz00AddUser
|
||||
permPacXyz00AddUser --> boPacXyz00
|
||||
|
||||
entity "Perm package#xyz00 edit" as permPacXyz00Edit
|
||||
|
@ -8,7 +8,7 @@ create table if not exists Domain
|
||||
(
|
||||
uuid uuid unique references RbacObject (uuid),
|
||||
name character varying(32),
|
||||
unixUserUuid uuid references unixuser (uuid)
|
||||
domainUuid uuid references domain (uuid)
|
||||
);
|
||||
|
||||
drop trigger if exists createRbacObjectForDomain_Trigger on Domain;
|
||||
@ -48,7 +48,7 @@ create or replace function createRbacRulesForDomain()
|
||||
language plpgsql
|
||||
strict as $$
|
||||
declare
|
||||
parentUser UnixUser;
|
||||
parentUser domain;
|
||||
parentPackage package;
|
||||
domainOwnerRoleUuid uuid;
|
||||
domainAdminRoleUuid uuid;
|
||||
@ -57,10 +57,10 @@ begin
|
||||
raise exception 'invalid usage of TRIGGER AFTER INSERT';
|
||||
end if;
|
||||
|
||||
select * from UnixUser where uuid = NEW.unixUserUuid into parentUser;
|
||||
select * from domain where uuid = NEW.domainUuid into parentUser;
|
||||
select * from Package where uuid = parentUser.packageuuid into parentPackage;
|
||||
|
||||
-- a domain owner role is created and assigned to the unixuser's admin role
|
||||
-- a domain owner role is created and assigned to the domain's admin role
|
||||
domainOwnerRoleUuid = createRole(
|
||||
domainOwner(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
||||
@ -79,7 +79,7 @@ begin
|
||||
domainTenant(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
||||
beneathRole(domainAdminRoleUuid),
|
||||
beingItselfA(createUnixUserTenantRoleIfNotExists(parentUser))
|
||||
beingItselfA(createdomainTenantRoleIfNotExists(parentUser))
|
||||
);
|
||||
|
||||
return NEW;
|
||||
@ -118,7 +118,7 @@ do language plpgsql $$
|
||||
set hsadminng.currentUser to '';
|
||||
|
||||
for uu in (select u.uuid, u.name, u.packageuuid, c.reference
|
||||
from unixuser u
|
||||
from domain u
|
||||
join package p on u.packageuuid = p.uuid
|
||||
join customer c on p.customeruuid = c.uuid
|
||||
-- WHERE c.reference >= 18000
|
||||
@ -127,7 +127,7 @@ do language plpgsql $$
|
||||
if (random() < 0.3) then
|
||||
for t in 0..1
|
||||
loop
|
||||
currentTask = 'creating RBAC test Domain #' || t || ' for UnixUser ' || uu.name || ' #' || uu.uuid;
|
||||
currentTask = 'creating RBAC test Domain #' || t || ' for domain ' || uu.name || ' #' || uu.uuid;
|
||||
raise notice 'task: %', currentTask;
|
||||
|
||||
select * from package where uuid = uu.packageUuid into pac;
|
||||
@ -137,7 +137,7 @@ do language plpgsql $$
|
||||
set local hsadminng.assumedRoles = '';
|
||||
|
||||
insert
|
||||
into Domain (name, unixUserUuid)
|
||||
into Domain (name, domainUuid)
|
||||
values ('dom-' || t || '.' || uu.name || '.example.org', uu.uuid);
|
||||
|
||||
commit;
|
||||
|
@ -48,7 +48,7 @@ begin
|
||||
|
||||
select d.*
|
||||
from domain d
|
||||
left join unixuser u on u.uuid = d.unixuseruuid
|
||||
left join domain u on u.uuid = d.domainuuid
|
||||
where d.uuid = NEW.domainUuid
|
||||
into parentDomain;
|
||||
|
||||
@ -59,7 +59,7 @@ begin
|
||||
beneathRole(domainAdmin(parentDomain))
|
||||
);
|
||||
|
||||
-- and an admin role is created and assigned to the unixuser owner as well
|
||||
-- and an admin role is created and assigned to the domain owner as well
|
||||
perform createRole(
|
||||
emailAddressAdmin(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']),
|
||||
@ -102,7 +102,7 @@ do language plpgsql $$
|
||||
|
||||
for dom in (select d.uuid, d.name, p.name as packageName
|
||||
from domain d
|
||||
join unixuser u on u.uuid = d.unixuseruuid
|
||||
join domain u on u.uuid = d.domainuuid
|
||||
join package p on u.packageuuid = p.uuid
|
||||
join customer c on p.customeruuid = c.uuid
|
||||
-- WHERE c.reference >= 18000
|
||||
|
@ -49,7 +49,7 @@ BEGIN
|
||||
SET LOCAL hsadminng.assumedRoles = '';
|
||||
-- SELECT *
|
||||
SELECT count(*) INTO resultCount
|
||||
FROM unixuser_rv;
|
||||
FROM domain_rv;
|
||||
call expectBetween(resultCount, 20, 50);
|
||||
|
||||
-- hostsharing admin assuming customer role and listing all accessible packages
|
||||
@ -61,13 +61,13 @@ BEGIN
|
||||
FROM test_package_rv p;
|
||||
call expectBetween(resultCount, 2, 10);
|
||||
|
||||
-- hostsharing admin assuming two customer admin roles and listing all accessible unixusers
|
||||
-- hostsharing admin assuming two customer admin roles and listing all accessible domains
|
||||
SET SESSION SESSION AUTHORIZATION restricted;
|
||||
SET LOCAL hsadminng.currentUser = 'mike@example.org';
|
||||
SET LOCAL hsadminng.assumedRoles = 'test_customer#aab.admin;test_customer#aac.admin';
|
||||
-- SELECT c.prefix, c.reference, uu.*
|
||||
SELECT count(*) INTO resultCount
|
||||
FROM unixuser_rv uu
|
||||
FROM domain_rv uu
|
||||
JOIN test_package_rv p ON p.uuid = uu.packageuuid
|
||||
JOIN test_customer_rv c ON c.uuid = p.customeruuid;
|
||||
call expectBetween(resultCount, 40, 60);
|
||||
@ -80,7 +80,7 @@ BEGIN
|
||||
-- SELECT p.name, uu.name, dom.name
|
||||
SELECT count(*) INTO resultCount
|
||||
FROM domain_rv dom
|
||||
JOIN unixuser_rv uu ON uu.uuid = dom.unixuseruuid
|
||||
JOIN domain_rv uu ON uu.uuid = dom.domainuuid
|
||||
JOIN test_package_rv p ON p.uuid = uu.packageuuid
|
||||
JOIN test_customer_rv c ON c.uuid = p.customeruuid;
|
||||
call expectBetween(resultCount, 20, 40);
|
||||
@ -94,7 +94,7 @@ BEGIN
|
||||
SELECT count(*) INTO resultCount
|
||||
FROM emailaddress_rv ema
|
||||
JOIN domain_rv dom ON dom.uuid = ema.domainuuid
|
||||
JOIN unixuser_rv uu ON uu.uuid = dom.unixuseruuid
|
||||
JOIN domain_rv uu ON uu.uuid = dom.domainuuid
|
||||
JOIN test_package_rv p ON p.uuid = uu.packageuuid
|
||||
JOIN test_customer_rv c ON c.uuid = p.customeruuid;
|
||||
call expectBetween(resultCount, 100, 300);
|
||||
@ -112,7 +112,7 @@ END; $$;
|
||||
no count required factor table
|
||||
1 7 000 7 000 1.000 customers
|
||||
2 17 436 15 000 1.162 packages
|
||||
3 174 360 150 000 1.162 unixuser
|
||||
3 174 360 150 000 1.162 domain
|
||||
4 105 206 100 000 1.052 domain
|
||||
5 526 030 500 000 1.052 emailaddress
|
||||
|
||||
@ -126,7 +126,7 @@ in average +9,33%
|
||||
no count required factor table
|
||||
1 10 000 7 000 1.429 customers
|
||||
2 24 904 15 000 1.660 packages
|
||||
3 249 040 150 000 1.660 unixuser
|
||||
3 249 040 150 000 1.660 domain
|
||||
4 149 946 100 000 1.499 domain
|
||||
5 749 730 500 000 1.499 emailaddress
|
||||
|
||||
|
@ -15,8 +15,8 @@ select no,
|
||||
select 2 as no, count(*) as "count", 15000 as "required", 'packages' as "table"
|
||||
from package
|
||||
union
|
||||
select 3 as no, count(*) as "count", 150000 as "required", 'unixuser' as "table"
|
||||
from unixuser
|
||||
select 3 as no, count(*) as "count", 150000 as "required", 'domain' as "table"
|
||||
from domain
|
||||
union
|
||||
select 4 as no, count(*) as "count", 100000 as "required", 'domain' as "table"
|
||||
from domain
|
||||
|
@ -76,7 +76,7 @@ begin
|
||||
-- an owner role is created and assigned to the package owner role
|
||||
packageAdminRoleUuid = createRole(
|
||||
testPackageAdmin(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['add-unixuser', 'add-domain']),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['add-domain']),
|
||||
beneathRole(packageOwnerRoleUuid)
|
||||
);
|
||||
|
||||
|
@ -1,14 +1,14 @@
|
||||
--liquibase formatted sql
|
||||
|
||||
-- ============================================================================
|
||||
--changeset hs-unixuser-MAIN-TABLE:1 endDelimiter:--//
|
||||
--changeset test-domain-MAIN-TABLE:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
create table if not exists test_unixuser
|
||||
create table if not exists test_domain
|
||||
(
|
||||
uuid uuid unique references RbacObject (uuid),
|
||||
packageUuid uuid references test_package (uuid),
|
||||
name character varying(32),
|
||||
name character varying(253),
|
||||
description character varying(96)
|
||||
);
|
||||
--//
|
@ -6,81 +6,81 @@
|
||||
/*
|
||||
Creates the related RbacObject through a BEFORE INSERT TRIGGER.
|
||||
*/
|
||||
drop trigger if exists createRbacObjectFortest_unixuser_Trigger on test_unixuser;
|
||||
create trigger createRbacObjectFortest_unixuser_Trigger
|
||||
drop trigger if exists createRbacObjectFortest_domain_Trigger on test_domain;
|
||||
create trigger createRbacObjectFortest_domain_Trigger
|
||||
before insert
|
||||
on test_unixuser
|
||||
on test_domain
|
||||
for each row
|
||||
execute procedure createRbacObject();
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset test-unixuser-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
|
||||
--changeset test-domain-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
create or replace function testUnixUserOwner(uu test_unixuser)
|
||||
create or replace function testdomainOwner(uu test_domain)
|
||||
returns RbacRoleDescriptor
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
begin
|
||||
return roleDescriptor('test_unixuser', uu.uuid, 'owner');
|
||||
return roleDescriptor('test_domain', uu.uuid, 'owner');
|
||||
end; $$;
|
||||
|
||||
create or replace function testUnixUserAdmin(uu test_unixuser)
|
||||
create or replace function testdomainAdmin(uu test_domain)
|
||||
returns RbacRoleDescriptor
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
begin
|
||||
return roleDescriptor('test_unixuser', uu.uuid, 'admin');
|
||||
return roleDescriptor('test_domain', uu.uuid, 'admin');
|
||||
end; $$;
|
||||
|
||||
create or replace function testUnixUserTenant(uu test_unixuser)
|
||||
create or replace function testdomainTenant(uu test_domain)
|
||||
returns RbacRoleDescriptor
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
begin
|
||||
return roleDescriptor('test_unixuser', uu.uuid, 'tenant');
|
||||
return roleDescriptor('test_domain', uu.uuid, 'tenant');
|
||||
end; $$;
|
||||
|
||||
create or replace function createTestUnixUserTenantRoleIfNotExists(unixUser test_unixuser)
|
||||
create or replace function createTestDomainTenantRoleIfNotExists(domain test_domain)
|
||||
returns uuid
|
||||
returns null on null input
|
||||
language plpgsql as $$
|
||||
declare
|
||||
unixUserTenantRoleDesc RbacRoleDescriptor;
|
||||
unixUserTenantRoleUuid uuid;
|
||||
domainTenantRoleDesc RbacRoleDescriptor;
|
||||
domainTenantRoleUuid uuid;
|
||||
begin
|
||||
unixUserTenantRoleDesc = testUnixUserTenant(unixUser);
|
||||
unixUserTenantRoleUuid = findRoleId(unixUserTenantRoleDesc);
|
||||
if unixUserTenantRoleUuid is not null then
|
||||
return unixUserTenantRoleUuid;
|
||||
domainTenantRoleDesc = testdomainTenant(domain);
|
||||
domainTenantRoleUuid = findRoleId(domainTenantRoleDesc);
|
||||
if domainTenantRoleUuid is not null then
|
||||
return domainTenantRoleUuid;
|
||||
end if;
|
||||
|
||||
return createRole(
|
||||
unixUserTenantRoleDesc,
|
||||
grantingPermissions(forObjectUuid => unixUser.uuid, permitOps => array ['view']),
|
||||
beneathRole(testUnixUserAdmin(unixUser))
|
||||
domainTenantRoleDesc,
|
||||
grantingPermissions(forObjectUuid => domain.uuid, permitOps => array ['view']),
|
||||
beneathRole(testdomainAdmin(domain))
|
||||
);
|
||||
end; $$;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset test-unixuser-rbac-ROLES-CREATION:1 endDelimiter:--//
|
||||
--changeset test-domain-rbac-ROLES-CREATION:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
Creates the roles and their assignments for a new UnixUser for the AFTER INSERT TRIGGER.
|
||||
Creates the roles and their assignments for a new domain for the AFTER INSERT TRIGGER.
|
||||
*/
|
||||
|
||||
create or replace function createRbacRulesForTestUnixUser()
|
||||
create or replace function createRbacRulesForTestDomain()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
declare
|
||||
parentPackage test_package;
|
||||
unixuserOwnerRoleId uuid;
|
||||
unixuserAdminRoleId uuid;
|
||||
domainOwnerRoleId uuid;
|
||||
domainAdminRoleId uuid;
|
||||
begin
|
||||
if TG_OP <> 'INSERT' then
|
||||
raise exception 'invalid usage of TRIGGER AFTER INSERT';
|
||||
@ -89,17 +89,17 @@ begin
|
||||
select * from test_package where uuid = NEW.packageUuid into parentPackage;
|
||||
|
||||
-- an owner role is created and assigned to the package's admin group
|
||||
unixuserOwnerRoleId = createRole(
|
||||
testUnixUserOwner(NEW),
|
||||
domainOwnerRoleId = createRole(
|
||||
testdomainOwner(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
||||
beneathRole(testPackageAdmin(parentPackage))
|
||||
);
|
||||
|
||||
-- and a unixuser admin role is created and assigned to the unixuser owner as well
|
||||
unixuserAdminRoleId = createRole(
|
||||
testUnixUserAdmin(NEW),
|
||||
-- and a domain admin role is created and assigned to the domain owner as well
|
||||
domainAdminRoleId = createRole(
|
||||
testdomainAdmin(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']),
|
||||
beneathRole(unixuserOwnerRoleId),
|
||||
beneathRole(domainOwnerRoleId),
|
||||
beingItselfA(testPackageTenant(parentPackage))
|
||||
);
|
||||
|
||||
@ -110,86 +110,86 @@ end; $$;
|
||||
|
||||
|
||||
/*
|
||||
An AFTER INSERT TRIGGER which creates the role structure for a new UnixUser.
|
||||
An AFTER INSERT TRIGGER which creates the role structure for a new domain.
|
||||
*/
|
||||
drop trigger if exists createRbacRulesForTestUnixuser_Trigger on test_unixuser;
|
||||
create trigger createRbacRulesForTestUnixuser_Trigger
|
||||
drop trigger if exists createRbacRulesForTestDomain_Trigger on test_domain;
|
||||
create trigger createRbacRulesForTestDomain_Trigger
|
||||
after insert
|
||||
on test_unixuser
|
||||
on test_domain
|
||||
for each row
|
||||
execute procedure createRbacRulesForTestUnixUser();
|
||||
execute procedure createRbacRulesForTestDomain();
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset test-unixuser-rbac-ROLES-REMOVAL:1 endDelimiter:--//
|
||||
--changeset test-domain-rbac-ROLES-REMOVAL:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/*
|
||||
Deletes the roles and their assignments of a deleted UnixUser for the BEFORE DELETE TRIGGER.
|
||||
Deletes the roles and their assignments of a deleted domain for the BEFORE DELETE TRIGGER.
|
||||
*/
|
||||
|
||||
create or replace function deleteRbacRulesForTestUnixUser()
|
||||
create or replace function deleteRbacRulesForTestDomain()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
begin
|
||||
if TG_OP = 'DELETE' then
|
||||
call deleteRole(findRoleId(testUnixUserOwner(OLD)));
|
||||
call deleteRole(findRoleId(testUnixUserAdmin(OLD)));
|
||||
call deleteRole(findRoleId(testUnixUserTenant(OLD)));
|
||||
call deleteRole(findRoleId(testdomainOwner(OLD)));
|
||||
call deleteRole(findRoleId(testdomainAdmin(OLD)));
|
||||
call deleteRole(findRoleId(testdomainTenant(OLD)));
|
||||
else
|
||||
raise exception 'invalid usage of TRIGGER BEFORE DELETE';
|
||||
end if;
|
||||
end; $$;
|
||||
|
||||
/*
|
||||
An BEFORE DELETE TRIGGER which deletes the role structure of a UnixUser.
|
||||
An BEFORE DELETE TRIGGER which deletes the role structure of a domain.
|
||||
*/
|
||||
|
||||
drop trigger if exists deleteRbacRulesForTestUnixUser_Trigger on test_package;
|
||||
create trigger deleteRbacRulesForTestUnixUser_Trigger
|
||||
drop trigger if exists deleteRbacRulesForTestDomain_Trigger on test_package;
|
||||
create trigger deleteRbacRulesForTestDomain_Trigger
|
||||
before delete
|
||||
on test_unixuser
|
||||
on test_domain
|
||||
for each row
|
||||
execute procedure deleteRbacRulesForTestUnixUser();
|
||||
execute procedure deleteRbacRulesForTestDomain();
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset test-unixuser-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||
--changeset test-domain-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/*
|
||||
Creates a view to the UnixUser main table which maps the identifying name
|
||||
Creates a view to the domain main table which maps the identifying name
|
||||
(in this case, actually the column `name`) to the objectUuid.
|
||||
*/
|
||||
drop view if exists test_unixuser_iv;
|
||||
create or replace view test_unixuser_iv as
|
||||
drop view if exists test_domain_iv;
|
||||
create or replace view test_domain_iv as
|
||||
select distinct target.uuid, target.name as idName
|
||||
from test_unixuser as target;
|
||||
from test_domain as target;
|
||||
-- TODO: Is it ok that everybody has access to this information?
|
||||
grant all privileges on test_unixuser_iv to restricted;
|
||||
grant all privileges on test_domain_iv to restricted;
|
||||
|
||||
/*
|
||||
Returns the objectUuid for a given identifying name (in this case, actually the column `name`).
|
||||
*/
|
||||
create or replace function test_unixUserUuidByIdName(idName varchar)
|
||||
create or replace function test_domainUuidByIdName(idName varchar)
|
||||
returns uuid
|
||||
language sql
|
||||
strict as $$
|
||||
select uuid from test_unixuser_iv iv where iv.idName = test_unixUserUuidByIdName.idName;
|
||||
select uuid from test_domain_iv iv where iv.idName = test_domainUuidByIdName.idName;
|
||||
$$;
|
||||
|
||||
/*
|
||||
Returns the identifying name for a given objectUuid (in this case the name).
|
||||
*/
|
||||
create or replace function test_unixUserIdNameByUuid(uuid uuid)
|
||||
create or replace function test_domainIdNameByUuid(uuid uuid)
|
||||
returns varchar
|
||||
stable leakproof
|
||||
language sql
|
||||
strict as $$
|
||||
select idName from test_unixuser_iv iv where iv.uuid = test_unixUserIdNameByUuid.uuid;
|
||||
select idName from test_domain_iv iv where iv.uuid = test_domainIdNameByUuid.uuid;
|
||||
$$;
|
||||
--//
|
||||
|
||||
@ -202,10 +202,10 @@ $$;
|
||||
Creates a view to the customer main table which maps the identifying name
|
||||
(in this case, the prefix) to the objectUuid.
|
||||
*/
|
||||
drop view if exists test_unixuser_rv;
|
||||
create or replace view test_unixuser_rv as
|
||||
drop view if exists test_domain_rv;
|
||||
create or replace view test_domain_rv as
|
||||
select target.*
|
||||
from test_unixuser as target
|
||||
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'unixuser', currentSubjectsUuids()));
|
||||
grant all privileges on test_unixuser_rv to restricted;
|
||||
from test_domain as target
|
||||
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'domain', currentSubjectsUuids()));
|
||||
grant all privileges on test_domain_rv to restricted;
|
||||
--//
|
@ -1,12 +1,12 @@
|
||||
--liquibase formatted sql
|
||||
|
||||
-- ============================================================================
|
||||
--changeset hs-unixuser-TEST-DATA-GENERATOR:1 endDelimiter:--//
|
||||
--changeset hs-domain-TEST-DATA-GENERATOR:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
Creates the given count of test unix users for a single package.
|
||||
*/
|
||||
create or replace procedure createUnixUserTestData( packageName varchar, unixUserCount int )
|
||||
create or replace procedure createdomainTestData( packageName varchar, domainCount int )
|
||||
language plpgsql as $$
|
||||
declare
|
||||
pac record;
|
||||
@ -19,15 +19,15 @@ begin
|
||||
where p.name = packageName
|
||||
into pac;
|
||||
|
||||
for t in 0..(unixUserCount-1)
|
||||
for t in 0..(domainCount-1)
|
||||
loop
|
||||
currentTask = 'creating RBAC test unixuser #' || t || ' for package ' || pac.name || ' #' || pac.uuid;
|
||||
currentTask = 'creating RBAC test domain #' || t || ' for package ' || pac.name || ' #' || pac.uuid;
|
||||
raise notice 'task: %', currentTask;
|
||||
pacAdmin = 'pac-admin-' || pac.name || '@' || pac.custPrefix || '.example.com';
|
||||
call defineContext(currentTask, null, pacAdmin, null);
|
||||
|
||||
insert
|
||||
into test_unixuser (name, packageUuid)
|
||||
into test_domain (name, packageUuid)
|
||||
values (pac.name || '-' || intToVarChar(t, 4), pac.uuid);
|
||||
end loop;
|
||||
end; $$;
|
||||
@ -35,7 +35,7 @@ end; $$;
|
||||
/*
|
||||
Creates a range of unix users for mass data generation.
|
||||
*/
|
||||
create or replace procedure createUnixUserTestData( unixUserPerPackage integer )
|
||||
create or replace procedure createdomainTestData( domainPerPackage integer )
|
||||
language plpgsql as $$
|
||||
declare
|
||||
pac record;
|
||||
@ -48,7 +48,7 @@ begin
|
||||
join test_customer c on p.customeruuid = c.uuid
|
||||
where c.reference < 90000) -- reserved for functional testing
|
||||
loop
|
||||
call createUnixUserTestData(pac.name, 2);
|
||||
call createdomainTestData(pac.name, 2);
|
||||
commit;
|
||||
end loop;
|
||||
|
||||
@ -57,22 +57,22 @@ end; $$;
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset hs-unixuser-TEST-DATA-GENERATION:1 –context=dev,tc endDelimiter:--//
|
||||
--changeset hs-domain-TEST-DATA-GENERATION:1 –context=dev,tc endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
do language plpgsql $$
|
||||
begin
|
||||
call createUnixUserTestData('xxx00', 2);
|
||||
call createUnixUserTestData('xxx01', 2);
|
||||
call createUnixUserTestData('xxx02', 2);
|
||||
call createdomainTestData('xxx00', 2);
|
||||
call createdomainTestData('xxx01', 2);
|
||||
call createdomainTestData('xxx02', 2);
|
||||
|
||||
call createUnixUserTestData('yyy00', 2);
|
||||
call createUnixUserTestData('yyy01', 2);
|
||||
call createUnixUserTestData('yyy02', 2);
|
||||
call createdomainTestData('yyy00', 2);
|
||||
call createdomainTestData('yyy01', 2);
|
||||
call createdomainTestData('yyy02', 2);
|
||||
|
||||
call createUnixUserTestData('zzz00', 2);
|
||||
call createUnixUserTestData('zzz01', 2);
|
||||
call createUnixUserTestData('zzz02', 2);
|
||||
call createdomainTestData('zzz00', 2);
|
||||
call createdomainTestData('zzz01', 2);
|
||||
call createdomainTestData('zzz02', 2);
|
||||
end;
|
||||
$$;
|
||||
--//
|
@ -42,10 +42,10 @@ databaseChangeLog:
|
||||
- include:
|
||||
file: db/changelog/128-test-package-test-data.sql
|
||||
- include:
|
||||
file: db/changelog/130-test-unixuser.sql
|
||||
file: db/changelog/130-test-domain.sql
|
||||
- include:
|
||||
file: db/changelog/133-test-unixuser-rbac.sql
|
||||
file: db/changelog/133-test-domain-rbac.sql
|
||||
- include:
|
||||
file: db/changelog/138-test-unixuser-test-data.sql
|
||||
file: db/changelog/138-test-domain-test-data.sql
|
||||
|
||||
|
||||
|
@ -57,7 +57,7 @@ class RbacRoleControllerAcceptanceTest {
|
||||
.body("", hasItem(hasEntry("roleName", "global#test-global.admin")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_customer#yyy.admin")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_package#yyy00.admin")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_unixuser#yyy00-aaaa.owner")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa.owner")))
|
||||
.body( "size()", greaterThanOrEqualTo(73)); // increases with new test data
|
||||
// @formatter:on
|
||||
}
|
||||
@ -79,10 +79,10 @@ class RbacRoleControllerAcceptanceTest {
|
||||
.assertThat()
|
||||
.statusCode(200)
|
||||
.contentType("application/json")
|
||||
.body("[0].roleName", is("test_customer#yyy.tenant"))
|
||||
.body("[1].roleName", is("test_package#yyy00.admin"))
|
||||
.body("[2].roleName", is("test_package#yyy00.tenant"))
|
||||
.body("[3].roleName", is("test_unixuser#yyy00-aaaa.admin"))
|
||||
.body("", hasItem(hasEntry("roleName", "test_customer#yyy.tenant")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa.admin")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_package#yyy00.admin")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_package#yyy00.tenant")))
|
||||
.body("size()", is(7)); // increases with new test data
|
||||
// @formatter:on
|
||||
}
|
||||
@ -101,10 +101,10 @@ class RbacRoleControllerAcceptanceTest {
|
||||
.then().assertThat()
|
||||
.statusCode(200)
|
||||
.contentType("application/json")
|
||||
.body("[0].roleName", is("test_customer#zzz.tenant"))
|
||||
.body("[1].roleName", is("test_package#zzz00.admin"))
|
||||
.body("[2].roleName", is("test_package#zzz00.tenant"))
|
||||
.body("[3].roleName", is("test_unixuser#zzz00-aaaa.admin"))
|
||||
.body("", hasItem(hasEntry("roleName", "test_customer#zzz.tenant")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_domain#zzz00-aaaa.admin")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_package#zzz00.admin")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_package#zzz00.tenant")))
|
||||
.body("size()", is(7)); // increases with new test data
|
||||
// @formatter:on
|
||||
}
|
||||
|
@ -101,11 +101,11 @@ class RbacRoleRepositoryIntegrationTest {
|
||||
"test_package#xxx01.owner",
|
||||
"test_package#xxx01.tenant",
|
||||
// ...
|
||||
"test_unixuser#xxx00-aaaa.admin",
|
||||
"test_unixuser#xxx00-aaaa.owner",
|
||||
"test_domain#xxx00-aaaa.admin",
|
||||
"test_domain#xxx00-aaaa.owner",
|
||||
// ..
|
||||
"test_unixuser#xxx01-aaab.admin",
|
||||
"test_unixuser#xxx01-aaab.owner"
|
||||
"test_domain#xxx01-aaab.admin",
|
||||
"test_domain#xxx01-aaab.owner"
|
||||
// @formatter:on
|
||||
);
|
||||
noneOfTheseRbacRolesIsReturned(
|
||||
@ -131,10 +131,10 @@ class RbacRoleRepositoryIntegrationTest {
|
||||
"test_customer#xxx.tenant",
|
||||
"test_package#xxx00.admin",
|
||||
"test_package#xxx00.tenant",
|
||||
"test_unixuser#xxx00-aaaa.admin",
|
||||
"test_unixuser#xxx00-aaaa.owner",
|
||||
"test_unixuser#xxx00-aaab.admin",
|
||||
"test_unixuser#xxx00-aaab.owner");
|
||||
"test_domain#xxx00-aaaa.admin",
|
||||
"test_domain#xxx00-aaaa.owner",
|
||||
"test_domain#xxx00-aaab.admin",
|
||||
"test_domain#xxx00-aaab.owner");
|
||||
}
|
||||
|
||||
@Test
|
||||
|
@ -297,14 +297,14 @@ class RbacUserControllerAcceptanceTest {
|
||||
.body("", hasItem(
|
||||
allOf(
|
||||
hasEntry("roleName", "test_package#yyy00.admin"),
|
||||
hasEntry("op", "add-unixuser"))
|
||||
hasEntry("op", "add-domain"))
|
||||
))
|
||||
.body("", hasItem(
|
||||
allOf(
|
||||
hasEntry("roleName", "test_unixuser#yyy00-aaaa.owner"),
|
||||
hasEntry("roleName", "test_domain#yyy00-aaaa.owner"),
|
||||
hasEntry("op", "*"))
|
||||
))
|
||||
.body("size()", is(8));
|
||||
.body("size()", is(7));
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@ -332,14 +332,14 @@ class RbacUserControllerAcceptanceTest {
|
||||
.body("", hasItem(
|
||||
allOf(
|
||||
hasEntry("roleName", "test_package#yyy00.admin"),
|
||||
hasEntry("op", "add-unixuser"))
|
||||
hasEntry("op", "add-domain"))
|
||||
))
|
||||
.body("", hasItem(
|
||||
allOf(
|
||||
hasEntry("roleName", "test_unixuser#yyy00-aaaa.owner"),
|
||||
hasEntry("roleName", "test_domain#yyy00-aaaa.owner"),
|
||||
hasEntry("op", "*"))
|
||||
))
|
||||
.body("size()", is(8));
|
||||
.body("size()", is(7));
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@ -366,14 +366,14 @@ class RbacUserControllerAcceptanceTest {
|
||||
.body("", hasItem(
|
||||
allOf(
|
||||
hasEntry("roleName", "test_package#yyy00.admin"),
|
||||
hasEntry("op", "add-unixuser"))
|
||||
hasEntry("op", "add-domain"))
|
||||
))
|
||||
.body("", hasItem(
|
||||
allOf(
|
||||
hasEntry("roleName", "test_unixuser#yyy00-aaaa.owner"),
|
||||
hasEntry("roleName", "test_domain#yyy00-aaaa.owner"),
|
||||
hasEntry("op", "*"))
|
||||
))
|
||||
.body("size()", is(8));
|
||||
.body("size()", is(7));
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
|
@ -191,13 +191,13 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
"test_customer#xxx.owner -> test_customer#xxx: *",
|
||||
"test_customer#xxx.tenant -> test_customer#xxx: view",
|
||||
"test_package#xxx00.admin -> test_package#xxx00: add-domain",
|
||||
"test_package#xxx00.admin -> test_package#xxx00: add-unixuser",
|
||||
"test_package#xxx00.admin -> test_package#xxx00: add-domain",
|
||||
"test_package#xxx00.tenant -> test_package#xxx00: view",
|
||||
"test_package#xxx01.admin -> test_package#xxx01: add-domain",
|
||||
"test_package#xxx01.admin -> test_package#xxx01: add-unixuser",
|
||||
"test_package#xxx01.admin -> test_package#xxx01: add-domain",
|
||||
"test_package#xxx01.tenant -> test_package#xxx01: view",
|
||||
"test_package#xxx02.admin -> test_package#xxx02: add-domain",
|
||||
"test_package#xxx02.admin -> test_package#xxx02: add-unixuser",
|
||||
"test_package#xxx02.admin -> test_package#xxx02: add-domain",
|
||||
"test_package#xxx02.tenant -> test_package#xxx02: view",
|
||||
|
||||
"test_customer#yyy.admin -> test_customer#yyy: add-package",
|
||||
@ -205,13 +205,13 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
"test_customer#yyy.owner -> test_customer#yyy: *",
|
||||
"test_customer#yyy.tenant -> test_customer#yyy: view",
|
||||
"test_package#yyy00.admin -> test_package#yyy00: add-domain",
|
||||
"test_package#yyy00.admin -> test_package#yyy00: add-unixuser",
|
||||
"test_package#yyy00.admin -> test_package#yyy00: add-domain",
|
||||
"test_package#yyy00.tenant -> test_package#yyy00: view",
|
||||
"test_package#yyy01.admin -> test_package#yyy01: add-domain",
|
||||
"test_package#yyy01.admin -> test_package#yyy01: add-unixuser",
|
||||
"test_package#yyy01.admin -> test_package#yyy01: add-domain",
|
||||
"test_package#yyy01.tenant -> test_package#yyy01: view",
|
||||
"test_package#yyy02.admin -> test_package#yyy02: add-domain",
|
||||
"test_package#yyy02.admin -> test_package#yyy02: add-unixuser",
|
||||
"test_package#yyy02.admin -> test_package#yyy02: add-domain",
|
||||
"test_package#yyy02.tenant -> test_package#yyy02: view",
|
||||
|
||||
"test_customer#zzz.admin -> test_customer#zzz: add-package",
|
||||
@ -219,13 +219,13 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
"test_customer#zzz.owner -> test_customer#zzz: *",
|
||||
"test_customer#zzz.tenant -> test_customer#zzz: view",
|
||||
"test_package#zzz00.admin -> test_package#zzz00: add-domain",
|
||||
"test_package#zzz00.admin -> test_package#zzz00: add-unixuser",
|
||||
"test_package#zzz00.admin -> test_package#zzz00: add-domain",
|
||||
"test_package#zzz00.tenant -> test_package#zzz00: view",
|
||||
"test_package#zzz01.admin -> test_package#zzz01: add-domain",
|
||||
"test_package#zzz01.admin -> test_package#zzz01: add-unixuser",
|
||||
"test_package#zzz01.admin -> test_package#zzz01: add-domain",
|
||||
"test_package#zzz01.tenant -> test_package#zzz01: view",
|
||||
"test_package#zzz02.admin -> test_package#zzz02: add-domain",
|
||||
"test_package#zzz02.admin -> test_package#zzz02: add-unixuser",
|
||||
"test_package#zzz02.admin -> test_package#zzz02: add-domain",
|
||||
"test_package#zzz02.tenant -> test_package#zzz02: view"
|
||||
// @formatter:on
|
||||
);
|
||||
@ -259,19 +259,19 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
"test_customer#xxx.tenant -> test_customer#xxx: view",
|
||||
|
||||
"test_package#xxx00.admin -> test_package#xxx00: add-domain",
|
||||
"test_package#xxx00.admin -> test_package#xxx00: add-unixuser",
|
||||
"test_package#xxx00.admin -> test_package#xxx00: add-domain",
|
||||
"test_package#xxx00.tenant -> test_package#xxx00: view",
|
||||
"test_unixuser#xxx00-aaaa.owner -> test_unixuser#xxx00-aaaa: *",
|
||||
"test_domain#xxx00-aaaa.owner -> test_domain#xxx00-aaaa: *",
|
||||
|
||||
"test_package#xxx01.admin -> test_package#xxx01: add-domain",
|
||||
"test_package#xxx01.admin -> test_package#xxx01: add-unixuser",
|
||||
"test_package#xxx01.admin -> test_package#xxx01: add-domain",
|
||||
"test_package#xxx01.tenant -> test_package#xxx01: view",
|
||||
"test_unixuser#xxx01-aaaa.owner -> test_unixuser#xxx01-aaaa: *",
|
||||
"test_domain#xxx01-aaaa.owner -> test_domain#xxx01-aaaa: *",
|
||||
|
||||
"test_package#xxx02.admin -> test_package#xxx02: add-domain",
|
||||
"test_package#xxx02.admin -> test_package#xxx02: add-unixuser",
|
||||
"test_package#xxx02.admin -> test_package#xxx02: add-domain",
|
||||
"test_package#xxx02.tenant -> test_package#xxx02: view",
|
||||
"test_unixuser#xxx02-aaaa.owner -> test_unixuser#xxx02-aaaa: *"
|
||||
"test_domain#xxx02-aaaa.owner -> test_domain#xxx02-aaaa: *"
|
||||
// @formatter:on
|
||||
);
|
||||
noneOfTheseRbacPermissionsAreReturned(
|
||||
@ -316,11 +316,11 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
// @formatter:off
|
||||
"test_customer#xxx.tenant -> test_customer#xxx: view",
|
||||
// "test_customer#xxx.admin -> test_customer#xxx: view" - Not permissions through the customer admin!
|
||||
"test_package#xxx00.admin -> test_package#xxx00: add-unixuser",
|
||||
"test_package#xxx00.admin -> test_package#xxx00: add-domain",
|
||||
"test_package#xxx00.admin -> test_package#xxx00: add-domain",
|
||||
"test_package#xxx00.tenant -> test_package#xxx00: view",
|
||||
"test_unixuser#xxx00-aaaa.owner -> test_unixuser#xxx00-aaaa: *",
|
||||
"test_unixuser#xxx00-aaab.owner -> test_unixuser#xxx00-aaab: *"
|
||||
"test_domain#xxx00-aaaa.owner -> test_domain#xxx00-aaaa: *",
|
||||
"test_domain#xxx00-aaab.owner -> test_domain#xxx00-aaab: *"
|
||||
// @formatter:on
|
||||
);
|
||||
noneOfTheseRbacPermissionsAreReturned(
|
||||
@ -329,11 +329,11 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
"test_customer#yyy.admin -> test_customer#yyy: add-package",
|
||||
"test_customer#yyy.admin -> test_customer#yyy: view",
|
||||
"test_customer#yyy.tenant -> test_customer#yyy: view",
|
||||
"test_package#yyy00.admin -> test_package#yyy00: add-unixuser",
|
||||
"test_package#yyy00.admin -> test_package#yyy00: add-domain",
|
||||
"test_package#yyy00.admin -> test_package#yyy00: add-domain",
|
||||
"test_package#yyy00.tenant -> test_package#yyy00: view",
|
||||
"test_unixuser#yyy00-aaaa.owner -> test_unixuser#yyy00-aaaa: *",
|
||||
"test_unixuser#yyy00-aaab.owner -> test_unixuser#yyy00-aaab: *"
|
||||
"test_domain#yyy00-aaaa.owner -> test_domain#yyy00-aaaa: *",
|
||||
"test_domain#yyy00-aaab.owner -> test_domain#yyy00-aaab: *"
|
||||
// @formatter:on
|
||||
);
|
||||
}
|
||||
@ -364,7 +364,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
// @formatter:off
|
||||
"test_customer#xxx.tenant -> test_customer#xxx: view",
|
||||
// "test_customer#xxx.admin -> test_customer#xxx: view" - Not permissions through the customer admin!
|
||||
"test_package#xxx00.admin -> test_package#xxx00: add-unixuser",
|
||||
"test_package#xxx00.admin -> test_package#xxx00: add-domain",
|
||||
"test_package#xxx00.admin -> test_package#xxx00: add-domain",
|
||||
"test_package#xxx00.tenant -> test_package#xxx00: view"
|
||||
// @formatter:on
|
||||
@ -378,11 +378,11 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
"test_customer#yyy.admin -> test_customer#yyy: add-package",
|
||||
"test_customer#yyy.admin -> test_customer#yyy: view",
|
||||
"test_customer#yyy.tenant -> test_customer#yyy: view",
|
||||
"test_package#yyy00.admin -> test_package#yyy00: add-unixuser",
|
||||
"test_package#yyy00.admin -> test_package#yyy00: add-domain",
|
||||
"test_package#yyy00.admin -> test_package#yyy00: add-domain",
|
||||
"test_package#yyy00.tenant -> test_package#yyy00: view",
|
||||
"test_unixuser#yyy00-aaaa.owner -> test_unixuser#yyy00-aaaa: *",
|
||||
"test_unixuser#yyy00-xxxb.owner -> test_unixuser#yyy00-xxxb: *"
|
||||
"test_domain#yyy00-aaaa.owner -> test_domain#yyy00-aaaa: *",
|
||||
"test_domain#yyy00-xxxb.owner -> test_domain#yyy00-xxxb: *"
|
||||
// @formatter:on
|
||||
);
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user