diff --git a/README.md b/README.md
index a532a1f8..a46a9905 100644
--- a/README.md
+++ b/README.md
@@ -65,22 +65,22 @@ If you have at least Docker, the Java JDK and Gradle installed in appropriate ve
 # the following command should return a JSON array with just all customers:
 curl \
- -H 'current-user: mike@hostsharing.net' \
+ -H 'current-user: mike@example.org' \
 http://localhost:8080/api/customers
 # the following command should return a JSON array with just all packages visible for the admin of the customer yyy:
 curl \
- -H 'current-user: mike@hostsharing.net' -H 'assumed-roles: customer#yyy.admin' \
+ -H 'current-user: mike@example.org' -H 'assumed-roles: test_customer#yyy.admin' \
 http://localhost:8080/api/packages
 # add a new customer
 curl \
- -H 'current-user: mike@hostsharing.net' -H "Content-Type: application/json" \
+ -H 'current-user: mike@example.org' -H "Content-Type: application/json" \
 -d '{ "prefix":"ttt", "reference":80001, "adminUserName":"admin@ttt.example.com" }' \
 -X POST http://localhost:8080/api/customers
-If you wonder who 'mike@hostsharing.net' and 'sven@hostsharing.net' are and where the data comes from:
-Mike and Sven are just example Hostsharing hostmaster accounts as part of the example data which is automatically inserted in Testcontainers and Development environments.
+If you wonder who 'mike@example.org' and 'sven@example.org' are and where the data comes from:
+Mike and Sven are just example global admin accounts as part of the example data which is automatically inserted in Testcontainers and Development environments.
 Also try for example 'admin@xxx.example.com' or 'unknown@example.org'.
 If you want a formatted JSON output, you can pipe the result to `jq` or similar.
diff --git a/sql/24-hs-domain.sql b/sql/24-hs-domain.sql
index 274d7efe..857eef50 100644
--- a/sql/24-hs-domain.sql
+++ b/sql/24-hs-domain.sql
@@ -64,7 +64,7 @@ begin
 domainOwnerRoleUuid = createRole(
 domainOwner(NEW),
 grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
- beneathRole(packageAdmin(parentPackage))
+ beneathRole(testPackageAdmin(parentPackage))
 );
 -- a domain admin role is created and assigned to the domain's owner role
diff --git a/sql/28-hs-tests.sql b/sql/28-hs-tests.sql
index c7593ab3..4e1ad176 100644
--- a/sql/28-hs-tests.sql
+++ b/sql/28-hs-tests.sql
@@ -17,21 +17,21 @@ BEGIN
 -- hostmaster accessing a single customer
 SET SESSION SESSION AUTHORIZATION restricted;
- SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
+ SET LOCAL hsadminng.currentUser = 'mike@example.org';
 SET LOCAL hsadminng.assumedRoles = '';
 -- SELECT *
 SELECT count(*) INTO resultCount
- from customer_rv c
+ from test_customer_rv c
 where c.prefix='aab';
 call expectBetween(resultCount, 1, 1);
 -- hostmaster listing all customers
 SET SESSION SESSION AUTHORIZATION restricted;
- SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
+ SET LOCAL hsadminng.currentUser = 'mike@example.org';
 SET LOCAL hsadminng.assumedRoles = '';
 -- SELECT *
 SELECT count(*) INTO resultCount
- FROM customer_rv;
+ FROM test_customer_rv;
 call expectBetween(resultCount, 10, 20000);
 -- customer admin listing all their packages
@@ -40,7 +40,7 @@ BEGIN
 SET LOCAL hsadminng.assumedRoles = '';
 -- SELECT *
 SELECT count(*) INTO resultCount
- FROM package_rv;
+ FROM test_package_rv;
 call expectBetween(resultCount, 2, 10);
 -- cutomer admin listing all their unix users
@@ -54,49 +54,49 @@ BEGIN
 -- hostsharing admin assuming customer role and listing all accessible packages
 SET SESSION SESSION AUTHORIZATION restricted;
- SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
- SET LOCAL hsadminng.assumedRoles = 'customer#aaa.admin;customer#aab.admin';
+ SET LOCAL hsadminng.currentUser = 'mike@example.org';
+ SET LOCAL hsadminng.assumedRoles = 'test_customer#aaa.admin;test_customer#aab.admin';
 -- SELECT *
 SELECT count(*) INTO resultCount
- FROM package_rv p;
+ FROM test_package_rv p;
 call expectBetween(resultCount, 2, 10);
 -- hostsharing admin assuming two customer admin roles and listing all accessible unixusers
 SET SESSION SESSION AUTHORIZATION restricted;
- SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
- SET LOCAL hsadminng.assumedRoles = 'customer#aab.admin;customer#aac.admin';
+ SET LOCAL hsadminng.currentUser = 'mike@example.org';
+ SET LOCAL hsadminng.assumedRoles = 'test_customer#aab.admin;test_customer#aac.admin';
 -- SELECT c.prefix, c.reference, uu.*
 SELECT count(*) INTO resultCount
 FROM unixuser_rv uu
- JOIN package_rv p ON p.uuid = uu.packageuuid
- JOIN customer_rv c ON c.uuid = p.customeruuid;
+ JOIN test_package_rv p ON p.uuid = uu.packageuuid
+ JOIN test_customer_rv c ON c.uuid = p.customeruuid;
 call expectBetween(resultCount, 40, 60);
 -- hostsharing admin assuming two customer admin roles and listing all accessible domains
 -- ABORT; START TRANSACTION;
 SET SESSION SESSION AUTHORIZATION restricted;
- SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
- SET LOCAL hsadminng.assumedRoles = 'customer#aac.admin;customer#aad.admin';
+ SET LOCAL hsadminng.currentUser = 'mike@example.org';
+ SET LOCAL hsadminng.assumedRoles = 'test_customer#aac.admin;test_customer#aad.admin';
 -- SELECT p.name, uu.name, dom.name
 SELECT count(*) INTO resultCount
 FROM domain_rv dom
 JOIN unixuser_rv uu ON uu.uuid = dom.unixuseruuid
- JOIN package_rv p ON p.uuid = uu.packageuuid
- JOIN customer_rv c ON c.uuid = 
p.customeruuid;
+ JOIN test_package_rv p ON p.uuid = uu.packageuuid
+ JOIN test_customer_rv c ON c.uuid = p.customeruuid;
 call expectBetween(resultCount, 20, 40);
 -- hostsharing admin assuming two customer admin roles and listing all accessible email addresses
 -- ABORT; START TRANSACTION;
 SET SESSION SESSION AUTHORIZATION restricted;
- SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
- SET LOCAL hsadminng.assumedRoles = 'customer#aae.admin;customer#aaf.admin';
+ SET LOCAL hsadminng.currentUser = 'mike@example.org';
+ SET LOCAL hsadminng.assumedRoles = 'test_customer#aae.admin;test_customer#aaf.admin';
 -- SELECT c.prefix, p.name as "package", ema.localPart || '@' || dom.name as "email-address"
 SELECT count(*) INTO resultCount
 FROM emailaddress_rv ema
 JOIN domain_rv dom ON dom.uuid = ema.domainuuid
 JOIN unixuser_rv uu ON uu.uuid = dom.unixuseruuid
- JOIN package_rv p ON p.uuid = uu.packageuuid
- JOIN customer_rv c ON c.uuid = p.customeruuid;
+ JOIN test_package_rv p ON p.uuid = uu.packageuuid
+ JOIN test_customer_rv c ON c.uuid = p.customeruuid;
 call expectBetween(resultCount, 100, 300); -- ~170ms
diff --git a/sql/rbac-tests.sql b/sql/rbac-tests.sql
index 4cf65b9f..8d78bab8 100644
--- a/sql/rbac-tests.sql
+++ b/sql/rbac-tests.sql
@@ -3,16 +3,16 @@
 -- --------------------------------------------------------
-select isGranted(findRoleId('administrators'), findRoleId('package#aaa00.owner'));
-select isGranted(findRoleId('package#aaa00.owner'), findRoleId('administrators'));
--- call grantRoleToRole(findRoleId('package#aaa00.owner'), findRoleId('administrators'));
--- call grantRoleToRole(findRoleId('administrators'), findRoleId('package#aaa00.owner'));
+select isGranted(findRoleId('administrators'), findRoleId('test_package#aaa00.owner'));
+select isGranted(findRoleId('test_package#aaa00.owner'), findRoleId('administrators'));
+-- call grantRoleToRole(findRoleId('test_package#aaa00.owner'), findRoleId('administrators'));
+-- call grantRoleToRole(findRoleId('administrators'), findRoleId('test_package#aaa00.owner'));
 select count(*)
-FROM queryAllPermissionsOfSubjectIdForObjectUuids(findRbacUser('sven@hostsharing.net'),
+FROM queryAllPermissionsOfSubjectIdForObjectUuids(findRbacUser('sven@example.org'),
 ARRAY(select uuid from customer where reference < 1100000));
 select count(*)
-FROM queryAllPermissionsOfSubjectId(findRbacUser('sven@hostsharing.net'));
+FROM queryAllPermissionsOfSubjectId(findRbacUser('sven@example.org'));
 select *
 FROM queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com'));
 select *
@@ -33,7 +33,7 @@ $$
 userId uuid;
 result bool;
 BEGIN
- userId = findRbacUser('mike@hostsharing.net');
+ userId = findRbacUser('mike@example.org');
 result = (SELECT * FROM isPermissionGrantedToSubject(findPermissionId('package', 94928, 'add-package'), userId));
 IF (result) THEN
 RAISE EXCEPTION 'expected permission NOT to be granted, but it is';
diff --git a/sql/rbac-view-option-experiments.sql b/sql/rbac-view-option-experiments.sql
index 75f6443e..3cea0aee 100644
--- a/sql/rbac-view-option-experiments.sql
+++ b/sql/rbac-view-option-experiments.sql
@@ -20,7 +20,7 @@ CREATE POLICY customer_policy ON customer TO restricted USING (
 -- id=1000
- isPermissionGrantedToSubject(findPermissionId('customer', id, 'view'), currentUserUuid())
+ isPermissionGrantedToSubject(findPermissionId('test_customer', id, 'view'), currentUserUuid())
 );
 SET SESSION AUTHORIZATION restricted;
@@ -35,10 +35,10 @@ SELECT * FROM customer;
 CREATE OR REPLACE RULE "_RETURN" AS
 ON SELECT TO cust_view
 DO INSTEAD
- SELECT * FROM customer WHERE isPermissionGrantedToSubject(findPermissionId('customer', id, 'view'), currentUserUuid());
+ SELECT * FROM customer WHERE isPermissionGrantedToSubject(findPermissionId('test_customer', id, 'view'), currentUserUuid());
 SELECT * from cust_view LIMIT 10;
-select queryAllPermissionsOfSubjectId(findRbacUser('mike@hostsharing.net'));
+select queryAllPermissionsOfSubjectId(findRbacUser('mike@example.org'));
 -- access control via view-rule with join to recursive permissions - really fast (38ms for 1 million rows)
 SET SESSION SESSION AUTHORIZATION DEFAULT;
@@ -52,7 +52,7 @@ CREATE OR REPLACE RULE "_RETURN" AS
 DO INSTEAD
 SELECT c.uuid, c.reference, c.prefix FROM customer AS c
 JOIN queryAllPermissionsOfSubjectId(currentUserUuid()) AS p
- ON p.objectTable='customer' AND p.objectUuid=c.uuid AND p.op in ('*', 'view');
+ ON p.objectTable='test_customer' AND p.objectUuid=c.uuid AND p.op in ('*', 'view');
 GRANT ALL PRIVILEGES ON cust_view TO restricted;
 SET SESSION SESSION AUTHORIZATION restricted;
@@ -73,7 +73,7 @@ GRANT ALL PRIVILEGES ON cust_view TO restricted;
 SET SESSION SESSION AUTHORIZATION restricted;
 -- SET hsadminng.currentUser TO 'alex@example.com';
-SET hsadminng.currentUser TO 'mike@hostsharing.net';
+SET hsadminng.currentUser TO 'mike@example.org';
 -- SET hsadminng.currentUser TO 'aaaaouq@example.com';
 SELECT * from cust_view where reference=1144150;
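Review bot: The rewritten rule `SELECT * FROM customer WHERE isPermissionGrantedToSubject(findPermissionId('test_customer', id, 'view'), currentUserUuid());` now resolves permissions under the object-table name `test_customer` while still reading rows from a table called `customer`, so the two halves of the access check no longer refer to the same object (the policy hunk and the join hunk of this file show the same split). As far as this diff shows, the table itself is renamed to `test_customer` in 110-test-customer.sql, so `FROM customer` would fail regardless; if this experiments script is still meant to run, its FROM clauses should follow the rename, e.g. `SELECT * FROM test_customer WHERE ...`, and if it is not, a header comment saying it is stale would stop someone from using it as a template for a real policy.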
@@ -81,9 +81,9 @@ select rr.uuid, rr.type from RbacGrants g
 join RbacReference RR on g.ascendantUuid = RR.uuid
 where g.descendantUuid in (
 select uuid from queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com'))
- where objectTable='customer' and op in ('*', 'view'));
+ where objectTable='test_customer' and op in ('*', 'view'));
-call grantRoleToUser(findRoleId('customer#aaa.admin'), findRbacUser('aaaaouq@example.com'));
+call grantRoleToUser(findRoleId('test_customer#aaa.admin'), findRbacUser('aaaaouq@example.com'));
 select queryAllPermissionsOfSubjectId(findRbacUser('aaaaouq@example.com'));
diff --git a/src/main/java/net/hostsharing/hsadminng/hs/hscustomer/CustomerEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/hscustomer/CustomerEntity.java
index 174d2d83..a706c885 100644
--- a/src/main/java/net/hostsharing/hsadminng/hs/hscustomer/CustomerEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/hscustomer/CustomerEntity.java
@@ -9,7 +9,7 @@ import javax.persistence.*;
 import java.util.UUID;
 @Entity
-@Table(name = "customer_rv")
+@Table(name = "test_customer_rv")
 @Getter
 @Setter
 @NoArgsConstructor
diff --git a/src/main/java/net/hostsharing/hsadminng/hs/hspackage/PackageEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/hspackage/PackageEntity.java
index 3d5d149e..9ba57d30 100644
--- a/src/main/java/net/hostsharing/hsadminng/hs/hspackage/PackageEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/hspackage/PackageEntity.java
@@ -10,7 +10,7 @@ import javax.persistence.*;
 import java.util.UUID;
 @Entity
-@Table(name = "package_rv")
+@Table(name = "test_package_rv")
 @Getter
 @Setter
 @NoArgsConstructor
diff --git a/src/main/resources/db/changelog/010-context.sql b/src/main/resources/db/changelog/010-context.sql
index b046a088..d2e8370d 100644
--- a/src/main/resources/db/changelog/010-context.sql
+++ b/src/main/resources/db/changelog/010-context.sql
@@ -152,8 +152,14 @@ create or replace function pureIdentifier(rawIdentifier varchar)
 returns varchar
 returns null on null input
 language plpgsql as $$
+declare
+ cleanIdentifier varchar;
 begin
- return regexp_replace(rawIdentifier, '\W+', '');
+ cleanIdentifier := regexp_replace(rawIdentifier, '[^A-Za-z0-9\-._]+', '', 'g');
+ if cleanIdentifier != rawIdentifier then
+ raise exception 'identifier "%" contains invalid characters, maybe use "%"', rawIdentifier, cleanIdentifier;
+ end if;
+ return cleanIdentifier;
 end; $$;
 create or replace function findObjectUuidByIdName(objectTable varchar, objectIdName varchar)
diff --git a/src/main/resources/db/changelog/050-rbac-base.sql b/src/main/resources/db/changelog/050-rbac-base.sql
index ddbdb596..daedc552 100644
--- a/src/main/resources/db/changelog/050-rbac-base.sql
+++ b/src/main/resources/db/changelog/050-rbac-base.sql
@@ -228,6 +228,9 @@ begin
 roleTypeFromRoleIdName = split_part(roleParts, '#', 3);
 objectUuidOfRole = findObjectUuidByIdName(objectTableFromRoleIdName, objectNameFromRoleIdName);
+ raise notice $sql$findObjectUuidByIdName('%', '%') = %;$sql$, objectTableFromRoleIdName, objectNameFromRoleIdName, objectUuidOfRole;
+ raise notice 'finding %, % (%), %', objectTableFromRoleIdName, objectNameFromRoleIdName, objectUuidOfRole, roleTypeFromRoleIdName;
+
 select uuid
 from RbacRole
 where objectUuid = objectUuidOfRole
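Review bot: `pureIdentifier` now rejects bad input instead of quietly repairing it, which is the right call for a value that presumably ends up in the identifier lookups of `findObjectUuidByIdName`, but nothing in the hunk records that intent, nor that the old `regexp_replace(rawIdentifier, '\W+', '')` without the `'g'` flag only stripped the first run of offending characters and therefore never was a usable sanitizer. Add a comment above the `regexp_replace` line such as `-- allow-list check, not a sanitizer: anything outside [A-Za-z0-9-._] is an error, so callers cannot smuggle quotes or whitespace into identifier-based lookups` so a later change does not drift back to stripping. The exception message echoes the untrusted input into the server log, which is acceptable for an error but should stay an error and not be downgraded to a notice. The function's `create` line is the hunk header, so its declaration sits just outside the hunk.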
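Review bot: The two added `raise notice` lines in the role lookup look like debugging output that was committed by accident: notices are delivered to the connected client (subject to `client_min_messages`) and normally to the server log as well, so every role resolution prints the object table, object name and resolved uuid to whoever triggered it, which for a `restricted` session is exactly the kind of detail the `_rv` views otherwise withhold. They also run on every call of the enclosing function, which is on the hot path of the permission checks the tests in 28-hs-tests.sql time. Remove both lines, or if a trace is genuinely wanted keep a single `raise debug 'resolving role % for %#% -> %', roleTypeFromRoleIdName, objectTableFromRoleIdName, objectNameFromRoleIdName, objectUuidOfRole;` so it stays silent unless a developer lowers `client_min_messages`. The enclosing function starts and ends outside the hunk.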
@@ -1,7 +1,7 @@
 --liquibase formatted sql
 -- ============================================================================
---changeset hs-base-GLOBAL-OBJECT:1 endDelimiter:--//
+--changeset test-base-GLOBAL-OBJECT:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /**
@@ -12,32 +12,32 @@ begin transaction;
 insert into RbacObject (objecttable) values ('global');
 insert
- into Global (uuid, name) values ((select uuid from RbacObject where objectTable = 'global'), 'hostsharing');
+ into Global (uuid, name) values ((select uuid from RbacObject where objectTable = 'global'), 'test-global');
 commit;
 --//
 -- ============================================================================
---changeset hs-base-ADMIN-ROLE:1 endDelimiter:--//
+--changeset test-base-ADMIN-ROLE:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
 A global administrator role.
 */
-create or replace function hostsharingAdmin()
- returns RbacRoleDescriptor
- returns null on null input
+create or replace function testGlobalAdmin()
+returns RbacRoleDescriptor
+returns null on null input
 stable leakproof
 language sql as $$
 select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType;
 $$;
 begin transaction;
- call defineContext('creating Hostsharing admin role', null, null, null);
- select createRole(hostsharingAdmin());
+ call defineContext('creating test-global admin role', null, null, null);
+ select createRole(testGlobalAdmin());
 commit;
 -- ============================================================================
---changeset hs-base-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
+--changeset test-base-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
 Create two users and assign both to the administrators role.
@@ -46,18 +46,18 @@ do language plpgsql $$
 declare
 admins uuid ;
 begin
- call defineContext('creating fake Hostsharing admin users', null, null, null);
+ call defineContext('creating fake test-realm admin users', null, null, null);
- admins = findRoleId(hostsharingAdmin());
- call grantRoleToUserUnchecked(admins, admins, createRbacUser('mike@hostsharing.net'));
- call grantRoleToUserUnchecked(admins, admins, createRbacUser('sven@hostsharing.net'));
+ admins = findRoleId(testGlobalAdmin());
+ call grantRoleToUserUnchecked(admins, admins, createRbacUser('mike@example.org'));
+ call grantRoleToUserUnchecked(admins, admins, createRbacUser('sven@example.org'));
 end; $$;
 --//
 -- ============================================================================
---changeset hs-base-hostsharing-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
+--changeset test-base-hostsharing-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
@@ -68,15 +68,15 @@ do language plpgsql $$
 declare
 userName varchar;
 begin
- call defineContext('testing currentUserUuid', null, 'sven@hostsharing.net', null);
+ call defineContext('testing currentUserUuid', null, 'sven@example.org', null);
 select userName from RbacUser where uuid = currentUserUuid() into userName;
- if userName <> 'sven@hostsharing.net' then
+ if userName <> 'sven@example.org' then
 raise exception 'setting or fetching initial currentUser failed, got: %', userName;
 end if;
- call defineContext('testing currentUserUuid', null, 'mike@hostsharing.net', null);
+ call defineContext('testing currentUserUuid', null, 'mike@example.org', null);
 select userName from RbacUser where uuid = currentUserUuid() into userName;
- if userName = 'mike@hostsharing.net' then
+ if userName = 'mike@example.org' then
 raise exception 'currentUser should not change in one transaction, but did change, got: %', userName;
 end if;
 end; $$;
diff --git a/src/main/resources/db/changelog/110-hs-customer.sql b/src/main/resources/db/changelog/110-test-customer.sql
similarity index 80%
rename from src/main/resources/db/changelog/110-hs-customer.sql
rename to src/main/resources/db/changelog/110-test-customer.sql
index ace77ea6..7eb539f7 100644
--- a/src/main/resources/db/changelog/110-hs-customer.sql
+++ b/src/main/resources/db/changelog/110-test-customer.sql
@@ -1,10 +1,10 @@
 --liquibase formatted sql
 -- ============================================================================
---changeset hs-customer-MAIN-TABLE:1 endDelimiter:--//
+--changeset test-customer-MAIN-TABLE:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
-create table if not exists customer
+create table if not exists test_customer
 (
 uuid uuid unique references RbacObject (uuid),
 reference int not null unique check (reference between 10000 and 99999),
diff --git a/src/main/resources/db/changelog/113-hs-customer-rbac.sql b/src/main/resources/db/changelog/113-test-customer-rbac.sql
similarity index 58%
rename from src/main/resources/db/changelog/113-hs-customer-rbac.sql
rename to src/main/resources/db/changelog/113-test-customer-rbac.sql
index 63cbef1c..89271586 100644
--- a/src/main/resources/db/changelog/113-hs-customer-rbac.sql
+++ b/src/main/resources/db/changelog/113-test-customer-rbac.sql
@@ -1,64 +1,64 @@
 --liquibase formatted sql
 -- ============================================================================
---changeset hs-customer-rbac-CREATE-OBJECT:1 endDelimiter:--//
+--changeset test-customer-rbac-CREATE-OBJECT:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
 Creates the related RbacObject through a BEFORE INSERT TRIGGER.
 */
-drop trigger if exists createRbacObjectForCustomer_Trigger on customer;
+drop trigger if exists createRbacObjectForCustomer_Trigger on test_customer;
 create trigger createRbacObjectForCustomer_Trigger
 before insert
- on customer
+ on test_customer
 for each row
 execute procedure createRbacObject();
 --//
 -- ============================================================================
---changeset hs-customer-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
+--changeset test-customer-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
-create or replace function customerOwner(customer customer)
+create or replace function testCustomerOwner(customer test_customer)
 returns RbacRoleDescriptor
 language plpgsql
 strict as $$
 begin
- return roleDescriptor('customer', customer.uuid, 'owner');
+ return roleDescriptor('test_customer', customer.uuid, 'owner');
 end; $$;
-create or replace function customerAdmin(customer customer)
+create or replace function testCustomerAdmin(customer test_customer)
 returns RbacRoleDescriptor
 language plpgsql
 strict as $$
 begin
- return roleDescriptor('customer', customer.uuid, 'admin');
+ return roleDescriptor('test_customer', customer.uuid, 'admin');
 end; $$;
-create or replace function customerTenant(customer customer)
+create or replace function testCustomerTenant(customer test_customer)
 returns RbacRoleDescriptor
 language plpgsql
 strict as $$
 begin
- return roleDescriptor('customer', customer.uuid, 'tenant');
+ return roleDescriptor('test_customer', customer.uuid, 'tenant');
 end; $$;
 --//
 -- ============================================================================
---changeset hs-customer-rbac-ROLES-CREATION:1 endDelimiter:--//
+--changeset test-customer-rbac-ROLES-CREATION:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
 Creates the roles and their assignments for a new customer for the AFTER INSERT TRIGGER.
 */
-create or replace function createRbacRolesForCustomer()
+create or replace function createRbacRolesForTestCustomer()
 returns trigger
 language plpgsql
 strict as $$
 declare
- customerOwnerUuid uuid;
+ testCustomerOwnerUuid uuid;
 customerAdminUuid uuid;
 begin
 if TG_OP <> 'INSERT' then
@@ -66,27 +66,27 @@ begin
 end if;
 -- the owner role with full access for Hostsharing administrators
- customerOwnerUuid = createRole(
- customerOwner(NEW),
+ testCustomerOwnerUuid = createRole(
+ testCustomerOwner(NEW),
 grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
- beneathRole(hostsharingAdmin())
+ beneathRole(testGlobalAdmin())
 );
 -- the admin role for the customer's admins, who can view and add products
 customerAdminUuid = createRole(
- customerAdmin(NEW),
+ testCustomerAdmin(NEW),
 grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view', 'add-package']),
 -- NO auto assume for customer owner to avoid exploding permissions for administrators
 withUser(NEW.adminUserName, 'create'), -- implicitly ignored if null
- grantedByRole(hostsharingAdmin())
+ grantedByRole(testGlobalAdmin())
 );
 -- allow the customer owner role (thus administrators) to assume the customer admin role
- call grantRoleToRole(customerAdminUuid, customerOwnerUuid, false);
+ call grantRoleToRole(customerAdminUuid, testCustomerOwnerUuid, false);
 -- the tenant role which later can be used by owners+admins of sub-objects
 perform createRole(
- customerTenant(NEW),
+ testCustomerTenant(NEW),
 grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view'])
 );
@@ -97,32 +97,32 @@ end; $$;
 An AFTER INSERT TRIGGER which creates the role structure for a new customer.
 */
-drop trigger if exists createRbacRolesForCustomer_Trigger on customer;
-create trigger createRbacRolesForCustomer_Trigger
+drop trigger if exists createRbacRolesForTestCustomer_Trigger on test_customer;
+create trigger createRbacRolesForTestCustomer_Trigger
 after insert
- on customer
+ on test_customer
 for each row
-execute procedure createRbacRolesForCustomer();
+execute procedure createRbacRolesForTestCustomer();
 --//
 -- ============================================================================
---changeset hs-customer-rbac-ROLES-REMOVAL:1 endDelimiter:--//
+--changeset test-customer-rbac-ROLES-REMOVAL:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
 Deletes the roles and their assignments of a deleted customer for the BEFORE DELETE TRIGGER.
 */
-create or replace function deleteRbacRulesForCustomer()
+create or replace function deleteRbacRulesForTestCustomer()
 returns trigger
 language plpgsql
 strict as $$
 begin
 if TG_OP = 'DELETE' then
- call deleteRole(findRoleId(customerOwner(OLD)));
- call deleteRole(findRoleId(customerAdmin(OLD)));
- call deleteRole(findRoleId(customerTenant(OLD)));
+ call deleteRole(findRoleId(testCustomerOwner(OLD)));
+ call deleteRole(findRoleId(testCustomerAdmin(OLD)));
+ call deleteRole(findRoleId(testCustomerTenant(OLD)));
 else
 raise exception 'invalid usage of TRIGGER BEFORE DELETE';
 end if;
@@ -132,93 +132,93 @@ end; $$;
 An BEFORE DELETE TRIGGER which deletes the role structure of a customer.
 */
-drop trigger if exists deleteRbacRulesForCustomer_Trigger on customer;
-create trigger deleteRbacRulesForCustomer_Trigger
+drop trigger if exists deleteRbacRulesForTestCustomer_Trigger on test_customer;
+create trigger deleteRbacRulesForTestCustomer_Trigger
 before delete
- on customer
+ on test_customer
 for each row
-execute procedure deleteRbacRulesForCustomer();
+execute procedure deleteRbacRulesForTestCustomer();
 --//
 -- ============================================================================
---changeset hs-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//
+--changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
 Creates a view to the customer main table which maps the identifying name (in this case, the prefix) to the objectUuid.
 */
-drop view if exists customer_iv;
-create or replace view customer_iv as
+drop view if exists test_customer_iv;
+create or replace view test_customer_iv as
 select target.uuid, target.prefix as idName
- from customer as target;
+ from test_customer as target;
 -- TODO: Is it ok that everybody has access to this information?
-grant all privileges on customer_iv to restricted;
+grant all privileges on test_customer_iv to restricted;
 /*
 Returns the objectUuid for a given identifying name (in this case the prefix).
 */
-create or replace function customerUuidByIdName(idName varchar)
+create or replace function test_customerUuidByIdName(idName varchar)
 returns uuid
 language sql
 strict as $$
-select uuid from customer_iv iv where iv.idName = customerUuidByIdName.idName;
+select uuid from test_customer_iv iv where iv.idName = test_customerUuidByIdName.idName;
 $$;
 /*
 Returns the identifying name for a given objectUuid (in this case the prefix).
 */
-create or replace function customerIdNameByUuid(uuid uuid)
+create or replace function test_customerIdNameByUuid(uuid uuid)
 returns varchar
 language sql
 strict as $$
-select idName from customer_iv iv where iv.uuid = customerIdNameByUuid.uuid;
+select idName from test_customer_iv iv where iv.uuid = test_customerIdNameByUuid.uuid;
 $$;
 --//
 -- ============================================================================
---changeset hs-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
+--changeset test-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
 Creates a view to the customer main table with row-level limitation based on the 'view' permission of the current user or assumed roles.
 */
 set session session authorization default;
-drop view if exists customer_rv;
-create or replace view customer_rv as
+drop view if exists test_customer_rv;
+create or replace view test_customer_rv as
 select target.*
- from customer as target
- where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'customer', currentSubjectsUuids()));
-grant all privileges on customer_rv to restricted;
+ from test_customer as target
+ where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_customer', currentSubjectsUuids()));
+grant all privileges on test_customer_rv to restricted;
 --//
 -- ============================================================================
---changeset hs-customer-rbac-ADD-CUSTOMER:1 endDelimiter:--//
+--changeset test-customer-rbac-ADD-CUSTOMER:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
 Creates a global permission for add-customer and assigns it to the hostsharing admins role.
 */
 do language plpgsql $$
 declare
- addCustomerPermissions uuid[];
- hostsharingObjectUuid uuid;
- hsAdminRoleUuid uuid ;
+ addCustomerPermissions uuid[];
+ globalObjectUuid uuid;
+ globalAdminRoleUuid uuid ;
 begin
- call defineContext('granting global add-customer permission to Hostsharing admin role', null, null, null);
+ call defineContext('granting global add-customer permission to global admin role', null, null, null);
- hsAdminRoleUuid := findRoleId(hostsharingAdmin());
- hostsharingObjectUuid := (select uuid from global);
- addCustomerPermissions := createPermissions(hostsharingObjectUuid, array ['add-customer']);
- call grantPermissionsToRole(hsAdminRoleUuid, addCustomerPermissions);
+ globalAdminRoleUuid := findRoleId(testGlobalAdmin());
+ globalObjectUuid := (select uuid from global);
+ addCustomerPermissions := createPermissions(globalObjectUuid, array ['add-customer']);
+ call grantPermissionsToRole(globalAdminRoleUuid, addCustomerPermissions);
 end; $$;
 /**
 Used by the trigger to prevent the add-customer to current user respectively assumed roles.
 */
-create or replace function addCustomerNotAllowedForCurrentSubjects()
+create or replace function addTestCustomerNotAllowedForCurrentSubjects()
 returns trigger
 language PLPGSQL
 as $$
@@ -230,11 +230,11 @@ end; $$;
 /**
 Checks if the user or assumed roles are allowed to add a new customer.
 */
-create trigger customer_insert_trigger
+create trigger test_customer_insert_trigger
 before insert
- on customer
+ on test_customer
 for each row
- when ( currentUser() <> 'mike@hostsharing.net' or not hasGlobalPermission('add-customer') )
-execute procedure addCustomerNotAllowedForCurrentSubjects();
+ when ( currentUser() <> 'mike@example.org' or not hasGlobalPermission('add-customer') )
+execute procedure addTestCustomerNotAllowedForCurrentSubjects();
 --//
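Review bot: `grant all privileges on test_customer_iv to restricted;` hands out more than the `-- TODO` above it worries about: `test_customer_iv` is a single-table view without aggregates, so PostgreSQL treats it as automatically updatable, and DML through a view is checked against the view owner's privileges on `test_customer`, not the caller's. If the view is owned by the migration role with full rights on the table, which is the usual setup, a `restricted` session can `delete from test_customer_iv` or `update test_customer_iv set prefix = ...` on every row, bypassing the per-subject filter of `test_customer_rv` entirely (the before-delete trigger would still remove the RBAC roles, and nothing in the hunk guards updates). The lookup helpers `test_customerUuidByIdName` and `test_customerIdNameByUuid` only read, so `grant select on test_customer_iv to restricted;` is sufficient. The `grant all privileges on test_customer_rv` further down deserves the same look, with the difference that its `where` at least confines update and delete to rows the subject may view.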
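Review bot: The trigger condition `when ( currentUser() <> 'mike@example.org' or not hasGlobalPermission('add-customer') )` still hard-codes one user name, so the rename only moves the special case to a new account: nobody but that user can insert into `test_customer`, and `sven@example.org`, who receives the same global admin role in 100-test-base.sql, is rejected even though `hasGlobalPermission('add-customer')` holds for him. The permission check alone expresses the intended rule, `when ( not hasGlobalPermission('add-customer') )`. Worth noting that the `test-customer-rbac-ADD-CUSTOMER` changeset carries no `context:` attribute, so unlike the fake admin users this trigger is installed in every environment, and a literal user name in it is a maintenance trap as much as an authorization one.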
diff --git a/src/main/resources/db/changelog/118-hs-customer-test-data.sql b/src/main/resources/db/changelog/118-test-customer-test-data.sql
similarity index 71%
rename from src/main/resources/db/changelog/118-hs-customer-test-data.sql
rename to src/main/resources/db/changelog/118-test-customer-test-data.sql
index 172b0d40..1960fc5c 100644
--- a/src/main/resources/db/changelog/118-hs-customer-test-data.sql
+++ b/src/main/resources/db/changelog/118-test-customer-test-data.sql
@@ -2,7 +2,7 @@
 -- ============================================================================
---changeset hs-customer-TEST-DATA-GENERATOR:1 endDelimiter:--//
+--changeset test-customer-TEST-DATA-GENERATOR:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
 /*
 Generates a customer reference number for a given test data counter.
@@ -19,7 +19,7 @@ end; $$;
 /*
 Creates a single customer test record with dist.
 */
-create or replace procedure createCustomerTestData(
+create or replace procedure createTestCustomerTestData(
 custReference integer,
 custPrefix varchar
 )
@@ -30,7 +30,7 @@ declare
 custAdminName varchar;
 begin
 currentTask = 'creating RBAC test customer #' || custReference || '/' || custPrefix;
- call defineContext(currentTask, null, 'mike@hostsharing.net', 'global#hostsharing.admin');
+ call defineContext(currentTask, null, 'mike@example.org', 'global#test-global.admin');
 execute format('set local hsadminng.currentTask to %L', currentTask);
 custRowId = uuid_generate_v4();
@@ -38,7 +38,7 @@ begin
 raise notice 'creating customer %:%', custReference, custPrefix;
 insert
- into customer (reference, prefix, adminUserName)
+ into test_customer (reference, prefix, adminUserName)
 values (custReference, custPrefix, custAdminName);
 end; $$;
 --//
@@ -46,7 +46,7 @@ end; $$; /* Creates a range of test customers for mass data generation. */ -create or replace procedure createCustomerTestData( +create or replace procedure createTestCustomerTestData( startCount integer, -- count of auto generated rows before the run endCount integer -- count of auto generated rows after the run ) @@ -54,7 +54,7 @@ create or replace procedure createCustomerTestData( begin for t in startCount..endCount loop - call createCustomerTestData(testCustomerReference(t), intToVarChar(t, 3)); + call createTestCustomerTestData(testCustomerReference(t), intToVarChar(t, 3)); commit; end loop; end; $$; @@ -62,14 +62,14 @@ end; $$; -- ============================================================================ ---changeset hs-customer-TEST-DATA-GENERATION:1 –context=dev,tc endDelimiter:--// +--changeset test-customer-TEST-DATA-GENERATION:1 –context=dev,tc endDelimiter:--// -- ---------------------------------------------------------------------------- do language plpgsql $$ begin - call createCustomerTestData(99901, 'xxx'); - call createCustomerTestData(99902, 'yyy'); - call createCustomerTestData(99903, 'zzz'); + call createTestCustomerTestData(99901, 'xxx'); + call createTestCustomerTestData(99902, 'yyy'); + call createTestCustomerTestData(99903, 'zzz'); end; $$; --// diff --git a/src/main/resources/db/changelog/120-hs-package.sql b/src/main/resources/db/changelog/120-test-package.sql similarity index 70% rename from src/main/resources/db/changelog/120-hs-package.sql rename to src/main/resources/db/changelog/120-test-package.sql index 94a413d6..30739cd3 100644 --- a/src/main/resources/db/changelog/120-hs-package.sql +++ b/src/main/resources/db/changelog/120-test-package.sql 
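Review bot: The context attribute on `--changeset test-customer-TEST-DATA-GENERATION:1 –context=dev,tc endDelimiter:--//` is written with an en dash and `=`, while the `endDelimiter:--//` attribute on the same line uses the colon form that Liquibase formatted SQL attributes take; the `–context=dev,tc` token is therefore probably not recognised, in which case the `xxx`/`yyy`/`zzz` customers are inserted in every context rather than only in `dev,tc`. The same token appears on the TEST-DATA-GENERATION changeset of 128-test-package-test-data.sql in this commit. Since the rename touches the line anyway, the suggested form is `--changeset test-customer-TEST-DATA-GENERATION:1 context:dev,tc endDelimiter:--//`, and it is worth confirming against a non-dev run that the fixture data really stays out.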
@@ -1,14 +1,14 @@ --liquibase formatted sql -- ============================================================================ ---changeset hs-package-MAIN-TABLE:1 endDelimiter:--// +--changeset test-package-MAIN-TABLE:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -create table if not exists package +create table if not exists test_package ( uuid uuid unique references RbacObject (uuid), version int not null default 0, - customerUuid uuid references customer (uuid), + customerUuid uuid references test_customer (uuid), name varchar(5), description varchar(96) ); diff --git a/src/main/resources/db/changelog/123-hs-package-rbac.sql b/src/main/resources/db/changelog/123-test-package-rbac.sql similarity index 60% rename from src/main/resources/db/changelog/123-hs-package-rbac.sql rename to src/main/resources/db/changelog/123-test-package-rbac.sql index 66cfbd42..bfcf954b 100644 --- a/src/main/resources/db/changelog/123-hs-package-rbac.sql +++ b/src/main/resources/db/changelog/123-test-package-rbac.sql 
@@ -1,62 +1,62 @@ --liquibase formatted sql -- ============================================================================ ---changeset hs-package-rbac-CREATE-OBJECT:1 endDelimiter:--// +--changeset test-package-rbac-CREATE-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- /* Creates the related RbacObject through a BEFORE INSERT TRIGGER. */ -drop trigger if exists createRbacObjectForPackage_Trigger on package; +drop trigger if exists createRbacObjectForPackage_Trigger on test_package; create trigger createRbacObjectForPackage_Trigger before insert - on package + on test_package for each row execute procedure createRbacObject(); --// -- ============================================================================ ---changeset hs-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// +--changeset test-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -create or replace function packageOwner(pac package) +create or replace function testPackageOwner(pac test_package) returns RbacRoleDescriptor returns null on null input language plpgsql as $$ begin - return roleDescriptor('package', pac.uuid, 'owner'); + return roleDescriptor('test_package', pac.uuid, 'owner'); end; $$; -create or replace function packageAdmin(pac package) +create or replace function testPackageAdmin(pac test_package) returns RbacRoleDescriptor returns null on null input language plpgsql as $$ begin - return roleDescriptor('package', pac.uuid, 'admin'); + return roleDescriptor('test_package', pac.uuid, 'admin'); end; $$; -create or replace function packageTenant(pac package) +create or replace function testPackageTenant(pac test_package) returns RbacRoleDescriptor returns null on null input language plpgsql as $$ begin - return roleDescriptor('package', pac.uuid, 'tenant'); + return roleDescriptor('test_package', pac.uuid, 'tenant'); end; $$; --// -- 
============================================================================ ---changeset hs-package-rbac-ROLES-CREATION:1 endDelimiter:--// +--changeset test-package-rbac-ROLES-CREATION:1 endDelimiter:--// -- ---------------------------------------------------------------------------- /* Creates the roles and their assignments for a new package for the AFTER INSERT TRIGGER. */ -create or replace function createRbacRolesForPackage() +create or replace function createRbacRolesForTestPackage() returns trigger language plpgsql strict as $$ declare - parentCustomer customer; + parentCustomer test_customer; packageOwnerRoleUuid uuid; packageAdminRoleUuid uuid; begin @@ -64,28 +64,28 @@ begin raise exception 'invalid usage of TRIGGER AFTER INSERT'; end if; - select * from customer as c where c.uuid = NEW.customerUuid into parentCustomer; + select * from test_customer as c where c.uuid = NEW.customerUuid into parentCustomer; -- an owner role is created and assigned to the customer's admin role packageOwnerRoleUuid = createRole( - packageOwner(NEW), + testPackageOwner(NEW), withoutPermissions(), - beneathRole(customerAdmin(parentCustomer)) + beneathRole(testCustomerAdmin(parentCustomer)) ); -- an owner role is created and assigned to the package owner role packageAdminRoleUuid = createRole( - packageAdmin(NEW), + testPackageAdmin(NEW), grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['add-unixuser', 'add-domain']), beneathRole(packageOwnerRoleUuid) ); -- and a package tenant role is created and assigned to the package admin as well perform createRole( - packageTenant(NEW), + testPackageTenant(NEW), grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']), beneathRole(packageAdminRoleUuid), - beingItselfA(customerTenant(parentCustomer)) + beingItselfA(testCustomerTenant(parentCustomer)) ); return NEW; 
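Review bot: `createRbacObjectForPackage_Trigger` keeps its old name while the table it is created on becomes `test_package`, whereas the sibling triggers in this file are renamed to `createRbacRolesForTestPackage_Trigger` and `deleteRbacRulesForTestPackage_Trigger`; `drop trigger if exists createRbacObjectForTestPackage_Trigger on test_package;` followed by `create trigger createRbacObjectForTestPackage_Trigger` would keep the naming consistent. In the ROLES-CREATION hunk the comment above the second `createRole` call still reads `-- an owner role is created and assigned to the package owner role` although that call creates the admin role; it should say `-- an admin role is created and assigned to the package owner role`. The body of `createRbacRolesForTestPackage` ends outside the hunk.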
@@ -95,31 +95,31 @@ end; $$; An AFTER INSERT TRIGGER which creates the role structure for a new package. */ -drop trigger if exists createRbacRolesForPackage_Trigger on package; -create trigger createRbacRolesForPackage_Trigger +drop trigger if exists createRbacRolesForTestPackage_Trigger on test_package; +create trigger createRbacRolesForTestPackage_Trigger after insert - on package + on test_package for each row -execute procedure createRbacRolesForPackage(); +execute procedure createRbacRolesForTestPackage(); --// -- ============================================================================ ---changeset hs-package-rbac-ROLES-REMOVAL:1 endDelimiter:--// +--changeset test-package-rbac-ROLES-REMOVAL:1 endDelimiter:--// -- ---------------------------------------------------------------------------- /* Deletes the roles and their assignments of a deleted package for the BEFORE DELETE TRIGGER. */ -create or replace function deleteRbacRulesForPackage() +create or replace function deleteRbacRulesForTestPackage() returns trigger language plpgsql strict as $$ begin if TG_OP = 'DELETE' then - call deleteRole(findRoleId(packageOwner(OLD))); - call deleteRole(findRoleId(packageAdmin(OLD))); - call deleteRole(findRoleId(packageTenant(OLD))); + call deleteRole(findRoleId(testPackageOwner(OLD))); + call deleteRole(findRoleId(testPackageAdmin(OLD))); + call deleteRole(findRoleId(testPackageTenant(OLD))); else raise exception 'invalid usage of TRIGGER BEFORE DELETE'; end if; 
@@ -129,66 +129,66 @@ end; $$; An BEFORE DELETE TRIGGER which deletes the role structure of a package. */ -drop trigger if exists deleteRbacRulesForPackage_Trigger on package; -create trigger deleteRbacRulesForPackage_Trigger +drop trigger if exists deleteRbacRulesForTestPackage_Trigger on test_package; +create trigger deleteRbacRulesForTestPackage_Trigger before delete - on package + on test_package for each row -execute procedure deleteRbacRulesForPackage(); +execute procedure deleteRbacRulesForTestPackage(); --// -- ============================================================================ ---changeset hs-package-rbac-IDENTITY-VIEW:1 endDelimiter:--// +--changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- /* Creates a view to the package main table which maps the identifying name (in this case, actually the column `name`) to the objectUuid. */ -drop view if exists package_iv; -create or replace view package_iv as +drop view if exists test_package_iv; +create or replace view test_package_iv as select distinct target.uuid, target.name as idName - from package as target; + from test_package as target; -- TODO: Is it ok that everybody has access to this information? -grant all privileges on package_iv to restricted; +grant all privileges on test_package_iv to restricted; /* Returns the objectUuid for a given identifying name (in this case, actually the column `name`). */ -create or replace function packageUuidByIdName(idName varchar) +create or replace function test_packageUuidByIdName(idName varchar) returns uuid language sql strict as $$ -select uuid from package_iv iv where iv.idName = packageUuidByIdName.idName; +select uuid from test_package_iv iv where iv.idName = test_packageUuidByIdName.idName; $$; /* Returns the identifying name for a given objectUuid (in this case the name). 
*/ -create or replace function packageIdNameByUuid(uuid uuid) +create or replace function test_packageIdNameByUuid(uuid uuid) returns varchar stable leakproof language sql strict as $$ -select idName from package_iv iv where iv.uuid = packageIdNameByUuid.uuid; +select idName from test_package_iv iv where iv.uuid = test_packageIdNameByUuid.uuid; $$; --// -- ============================================================================ ---changeset hs-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--// +--changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- /* Creates a view to the customer main table which maps the identifying name (in this case, the prefix) to the objectUuid. */ -drop view if exists package_rv; -create or replace view package_rv as +drop view if exists test_package_rv; +create or replace view test_package_rv as select target.* - from package as target - where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'package', currentSubjectsUuids())) + from test_package as target + where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_package', currentSubjectsUuids())) order by target.name; -grant all privileges on package_rv to restricted; +grant all privileges on test_package_rv to restricted; --// diff --git a/src/main/resources/db/changelog/128-hs-package-test-data.sql b/src/main/resources/db/changelog/128-test-package-test-data.sql similarity index 76% rename from src/main/resources/db/changelog/128-hs-package-test-data.sql rename to src/main/resources/db/changelog/128-test-package-test-data.sql index 35f098de..8c8b8d9c 100644 --- a/src/main/resources/db/changelog/128-hs-package-test-data.sql +++ b/src/main/resources/db/changelog/128-test-package-test-data.sql 
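Review bot: `grant all privileges on test_package_rv to restricted` (and the same grant on `test_package_iv`) gives the restricted role more than a read model needs: a plain `select target.* from test_package ... where ...` view without `distinct` can be auto-updatable in PostgreSQL, and with no `with check option` a write through it is not confined to the rows the `where` clause makes visible. If the `_rv` views are read-only by design, `grant select on test_package_rv to restricted;` is the least-privilege form; if the application writes through them, `with check option` should be added — the same applies to `test_unixuser_rv` in 133-test-unixuser-rbac.sql. Separately, `test_packageUuidByIdName` and `test_packageIdNameByUuid` mix the snake-case table prefix with camel case, unlike `testPackageOwner`/`testPackageAdmin` above, and the comment over the RESTRICTED-VIEW changeset still describes the customer view (`Creates a view to the customer main table ... the prefix`); it should read `Creates a restricted view to the package main table showing only the rows visible to the current subjects.`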
@@ -1,7 +1,7 @@ --liquibase formatted sql -- ============================================================================ ---changeset hs-package-TEST-DATA-GENERATOR:1 endDelimiter:--// +--changeset test-package-TEST-DATA-GENERATOR:1 endDelimiter:--// -- ---------------------------------------------------------------------------- /* Creates the given number of test packages for the given customer. @@ -9,14 +9,14 @@ create or replace procedure createPackageTestData(customerPrefix varchar, pacCount int) language plpgsql as $$ declare - cust customer; + cust test_customer; custAdminUser varchar; custAdminRole varchar; pacName varchar; currentTask varchar; - pac package; + pac test_package; begin - select * from customer where customer.prefix = customerPrefix into cust; + select * from test_customer where test_customer.prefix = customerPrefix into cust; for t in 0..(pacCount-1) loop @@ -25,18 +25,18 @@ begin cust.uuid; custAdminUser = 'customer-admin@' || cust.prefix || '.example.com'; - custAdminRole = 'customer#' || cust.prefix || '.admin'; + custAdminRole = 'test_customer#' || cust.prefix || '.admin'; call defineContext(currentTask, null, custAdminUser, custAdminRole); raise notice 'task: % by % as %', currentTask, custAdminUser, custAdminRole; insert - into package (customerUuid, name, description) + into test_package (customerUuid, name, description) values (cust.uuid, pacName, 'Here can add your own description of package ' || pacName || '.') returning * into pac; call grantRoleToUser( - getRoleId(customerAdmin(cust), 'fail'), - findRoleId(packageAdmin(pac)), + getRoleId(testCustomerAdmin(cust), 'fail'), + findRoleId(testPackageAdmin(pac)), createRbacUser('pac-admin-' || pacName || '@' || cust.prefix || '.example.com'), true); 
@@ -49,9 +49,9 @@ end; $$; create or replace procedure createPackageTestData() language plpgsql as $$ declare - cust customer; + cust test_customer; begin - for cust in (select * from customer) + for cust in (select * from test_customer) loop continue when cust.reference >= 90000; -- reserved for functional testing call createPackageTestData(cust.prefix, 3); @@ -64,7 +64,7 @@ $$; -- ============================================================================ ---changeset hs-package-TEST-DATA-GENERATION:1 –context=dev,tc endDelimiter:--// +--changeset test-package-TEST-DATA-GENERATION:1 –context=dev,tc endDelimiter:--// -- ---------------------------------------------------------------------------- do language plpgsql $$ diff --git a/src/main/resources/db/changelog/130-hs-unixuser.sql b/src/main/resources/db/changelog/130-test-unixuser.sql similarity index 80% rename from src/main/resources/db/changelog/130-hs-unixuser.sql rename to src/main/resources/db/changelog/130-test-unixuser.sql index 6bee836c..0b0c6076 100644 --- a/src/main/resources/db/changelog/130-hs-unixuser.sql +++ b/src/main/resources/db/changelog/130-test-unixuser.sql @@ -4,10 +4,10 @@ --changeset hs-unixuser-MAIN-TABLE:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -create table if not exists UnixUser +create table if not exists test_unixuser ( uuid uuid unique references RbacObject (uuid), - packageUuid uuid references package (uuid), + packageUuid uuid references test_package (uuid), name character varying(32), description character varying(96) ); diff --git a/src/main/resources/db/changelog/133-hs-unixuser-rbac.sql b/src/main/resources/db/changelog/133-test-unixuser-rbac.sql similarity index 60% rename from src/main/resources/db/changelog/133-hs-unixuser-rbac.sql rename to src/main/resources/db/changelog/133-test-unixuser-rbac.sql index 142cba03..2bd1b822 100644 --- a/src/main/resources/db/changelog/133-hs-unixuser-rbac.sql 
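Review bot: In 130-test-unixuser.sql the header `--changeset hs-unixuser-MAIN-TABLE:1 endDelimiter:--//` keeps the `hs-` id although the table below it becomes `test_unixuser` and every other renamed changelog in this commit switches to a `test-` id; `--changeset test-unixuser-MAIN-TABLE:1 endDelimiter:--//` would match the scheme, and since the file path changes Liquibase treats the changeset as new either way. In the same spirit, `createPackageTestData` in 128-test-package-test-data.sql keeps its name while the customer generator became `createTestCustomerTestData`, which is worth aligning or documenting as intentional.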
+++ b/src/main/resources/db/changelog/133-test-unixuser-rbac.sql 
@@ -1,49 +1,49 @@ --liquibase formatted sql -- ============================================================================ ---changeset hs-package-rbac-CREATE-OBJECT:1 endDelimiter:--// +--changeset test-package-rbac-CREATE-OBJECT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- /* Creates the related RbacObject through a BEFORE INSERT TRIGGER. */ -drop trigger if exists createRbacObjectForUnixUser_Trigger on UnixUser; -create trigger createRbacObjectForUnixUser_Trigger +drop trigger if exists createRbacObjectFortest_unixuser_Trigger on test_unixuser; +create trigger createRbacObjectFortest_unixuser_Trigger before insert - on UnixUser + on test_unixuser for each row execute procedure createRbacObject(); --// -- ============================================================================ ---changeset hs-unixuser-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// +--changeset test-unixuser-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// -- ---------------------------------------------------------------------------- -create or replace function unixUserOwner(uu UnixUser) +create or replace function testUnixUserOwner(uu test_unixuser) returns RbacRoleDescriptor returns null on null input language plpgsql as $$ begin - return roleDescriptor('unixuser', uu.uuid, 'owner'); + return roleDescriptor('test_unixuser', uu.uuid, 'owner'); end; $$; -create or replace function unixUserAdmin(uu UnixUser) +create or replace function testUnixUserAdmin(uu test_unixuser) returns RbacRoleDescriptor returns null on null input language plpgsql as $$ begin - return roleDescriptor('unixuser', uu.uuid, 'admin'); + return roleDescriptor('test_unixuser', uu.uuid, 'admin'); end; $$; -create or replace function unixUserTenant(uu UnixUser) +create or replace function testUnixUserTenant(uu test_unixuser) returns RbacRoleDescriptor returns null on null input language plpgsql as $$ begin - return roleDescriptor('unixuser', uu.uuid, 'tenant'); + return 
roleDescriptor('test_unixuser', uu.uuid, 'tenant'); end; $$; -create or replace function createUnixUserTenantRoleIfNotExists(unixUser UnixUser) +create or replace function createTestUnixUserTenantRoleIfNotExists(unixUser test_unixuser) returns uuid returns null on null input language plpgsql as $$ @@ -51,7 +51,7 @@ declare unixUserTenantRoleDesc RbacRoleDescriptor; unixUserTenantRoleUuid uuid; begin - unixUserTenantRoleDesc = unixUserTenant(unixUser); + unixUserTenantRoleDesc = testUnixUserTenant(unixUser); unixUserTenantRoleUuid = findRoleId(unixUserTenantRoleDesc); if unixUserTenantRoleUuid is not null then return unixUserTenantRoleUuid; @@ -60,25 +60,25 @@ begin return createRole( unixUserTenantRoleDesc, grantingPermissions(forObjectUuid => unixUser.uuid, permitOps => array ['view']), - beneathRole(unixUserAdmin(unixUser)) + beneathRole(testUnixUserAdmin(unixUser)) ); end; $$; --// -- ============================================================================ ---changeset hs-unixuser-rbac-ROLES-CREATION:1 endDelimiter:--// +--changeset test-unixuser-rbac-ROLES-CREATION:1 endDelimiter:--// -- ---------------------------------------------------------------------------- /* Creates the roles and their assignments for a new UnixUser for the AFTER INSERT TRIGGER. */ -create or replace function createRbacRulesForUnixUser() +create or replace function createRbacRulesForTestUnixUser() returns trigger language plpgsql strict as $$ declare - parentPackage package; + parentPackage test_package; unixuserOwnerRoleId uuid; unixuserAdminRoleId uuid; begin 
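Review bot: The trigger is renamed to `createRbacObjectFortest_unixuser_Trigger`, which looks like a search-and-replace artefact (`UnixUser` replaced inside a camel-case identifier) and does not match `createRbacRulesForTestUnixuser_Trigger` and `deleteRbacRulesForTestUnixUser_Trigger` later in the file — which themselves differ in the casing of `Unixuser`/`UnixUser`; `createRbacObjectForTestUnixUser_Trigger` would follow one pattern for all three. The changeset id at the top of this unixuser file is `test-package-rbac-CREATE-OBJECT:1`, copied from the package file; Liquibase also keys on the file path so it still applies, but `test-unixuser-rbac-CREATE-OBJECT:1` would avoid two files reporting the same id, and the RESTRICTED-VIEW changeset at the end of this file carries the same copied `test-package-rbac-` id.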
@@ -86,21 +86,21 @@ begin raise exception 'invalid usage of TRIGGER AFTER INSERT'; end if; - select * from package where uuid = NEW.packageUuid into parentPackage; + select * from test_package where uuid = NEW.packageUuid into parentPackage; -- an owner role is created and assigned to the package's admin group unixuserOwnerRoleId = createRole( - unixUserOwner(NEW), + testUnixUserOwner(NEW), grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']), - beneathRole(packageAdmin(parentPackage)) + beneathRole(testPackageAdmin(parentPackage)) ); -- and a unixuser admin role is created and assigned to the unixuser owner as well unixuserAdminRoleId = createRole( - unixUserAdmin(NEW), + testUnixUserAdmin(NEW), grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']), beneathRole(unixuserOwnerRoleId), - beingItselfA(packageTenant(parentPackage)) + beingItselfA(testPackageTenant(parentPackage)) ); -- a tenent role is only created on demand 
@@ -112,32 +112,32 @@ end; $$; /* An AFTER INSERT TRIGGER which creates the role structure for a new UnixUser. */ -drop trigger if exists createRbacRulesForUnixUser_Trigger on UnixUser; -create trigger createRbacRulesForUnixUser_Trigger +drop trigger if exists createRbacRulesForTestUnixuser_Trigger on test_unixuser; +create trigger createRbacRulesForTestUnixuser_Trigger after insert - on UnixUser + on test_unixuser for each row -execute procedure createRbacRulesForUnixUser(); +execute procedure createRbacRulesForTestUnixUser(); --// -- ============================================================================ ---changeset hs-unixuser-rbac-ROLES-REMOVAL:1 endDelimiter:--// +--changeset test-unixuser-rbac-ROLES-REMOVAL:1 endDelimiter:--// -- ---------------------------------------------------------------------------- /* Deletes the roles and their assignments of a deleted UnixUser for the BEFORE DELETE TRIGGER. */ -create or replace function deleteRbacRulesForUnixUser() +create or replace function deleteRbacRulesForTestUnixUser() returns trigger language plpgsql strict as $$ begin if TG_OP = 'DELETE' then - call deleteRole(findRoleId(unixUserOwner(OLD))); - call deleteRole(findRoleId(unixUserAdmin(OLD))); - call deleteRole(findRoleId(unixUserTenant(OLD))); + call deleteRole(findRoleId(testUnixUserOwner(OLD))); + call deleteRole(findRoleId(testUnixUserAdmin(OLD))); + call deleteRole(findRoleId(testUnixUserTenant(OLD))); else raise exception 'invalid usage of TRIGGER BEFORE DELETE'; end if; 
@@ -147,65 +147,65 @@ end; $$; An BEFORE DELETE TRIGGER which deletes the role structure of a UnixUser. */ -drop trigger if exists deleteRbacRulesForUnixUser_Trigger on package; -create trigger deleteRbacRulesForUnixUser_Trigger +drop trigger if exists deleteRbacRulesForTestUnixUser_Trigger on test_package; +create trigger deleteRbacRulesForTestUnixUser_Trigger before delete - on UnixUser + on test_unixuser for each row -execute procedure deleteRbacRulesForUnixUser(); +execute procedure deleteRbacRulesForTestUnixUser(); --// -- ============================================================================ ---changeset hs-unixuser-rbac-IDENTITY-VIEW:1 endDelimiter:--// +--changeset test-unixuser-rbac-IDENTITY-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- /* Creates a view to the UnixUser main table which maps the identifying name (in this case, actually the column `name`) to the objectUuid. */ -drop view if exists UnixUser_iv; -create or replace view UnixUser_iv as +drop view if exists test_unixuser_iv; +create or replace view test_unixuser_iv as select distinct target.uuid, target.name as idName - from UnixUser as target; + from test_unixuser as target; -- TODO: Is it ok that everybody has access to this information? -grant all privileges on UnixUser_iv to restricted; +grant all privileges on test_unixuser_iv to restricted; /* Returns the objectUuid for a given identifying name (in this case, actually the column `name`). */ -create or replace function unixUserUuidByIdName(idName varchar) +create or replace function test_unixUserUuidByIdName(idName varchar) returns uuid language sql strict as $$ -select uuid from UnixUser_iv iv where iv.idName = unixUserUuidByIdName.idName; +select uuid from test_unixuser_iv iv where iv.idName = test_unixUserUuidByIdName.idName; $$; /* Returns the identifying name for a given objectUuid (in this case the name). 
*/ -create or replace function unixUserIdNameByUuid(uuid uuid) +create or replace function test_unixUserIdNameByUuid(uuid uuid) returns varchar stable leakproof language sql strict as $$ -select idName from UnixUser_iv iv where iv.uuid = unixUserIdNameByUuid.uuid; +select idName from test_unixuser_iv iv where iv.uuid = test_unixUserIdNameByUuid.uuid; $$; --// -- ============================================================================ ---changeset hs-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--// +--changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--// -- ---------------------------------------------------------------------------- /* Creates a view to the customer main table which maps the identifying name (in this case, the prefix) to the objectUuid. */ -drop view if exists unixuser_rv; -create or replace view unixuser_rv as +drop view if exists test_unixuser_rv; +create or replace view test_unixuser_rv as select target.* - from unixuser as target + from test_unixuser as target where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'unixuser', currentSubjectsUuids())); -grant all privileges on unixuser_rv to restricted; +grant all privileges on test_unixuser_rv to restricted; --// diff --git a/src/main/resources/db/changelog/138-hs-unixuser-test-data.sql b/src/main/resources/db/changelog/138-test-unixuser-test-data.sql similarity index 90% rename from src/main/resources/db/changelog/138-hs-unixuser-test-data.sql rename to src/main/resources/db/changelog/138-test-unixuser-test-data.sql index 0636d63a..996fbb55 100644 --- a/src/main/resources/db/changelog/138-hs-unixuser-test-data.sql +++ b/src/main/resources/db/changelog/138-test-unixuser-test-data.sql @@ -14,8 +14,8 @@ declare currentTask varchar; begin select p.uuid, p.name, c.prefix as custPrefix - from package p - join customer c on p.customeruuid = c.uuid + from test_package p + join test_customer c on p.customeruuid = c.uuid where p.name = packageName into pac; 
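Review bot: `test_unixuser_rv` still filters with `queryAccessibleObjectUuidsOfSubjectIds('view', 'unixuser', currentSubjectsUuids())` while the role descriptors in this file now register the object table as `'test_unixuser'` via `roleDescriptor('test_unixuser', uu.uuid, ...)` and the package view was updated to `'test_package'`; unless that lookup ignores the table name, the restricted view no longer matches the permissions granted on unixuser rows. Suggested line: `where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_unixuser', currentSubjectsUuids()));`. Earlier in the same hunk, `drop trigger if exists deleteRbacRulesForTestUnixUser_Trigger on test_package;` names the wrong table for a trigger that is then created `on test_unixuser`, so the drop is a no-op and a rerun of the changeset would fail on the create; it should be `drop trigger if exists deleteRbacRulesForTestUnixUser_Trigger on test_unixuser;`. Both lines were already wrong before the rename but are touched by it.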
@@ -27,7 +27,7 @@ begin call defineContext(currentTask, null, pacAdmin, null); insert - into unixuser (name, packageUuid) + into test_unixuser (name, packageUuid) values (pac.name || '-' || intToVarChar(t, 4), pac.uuid); end loop; end; $$; @@ -44,8 +44,8 @@ declare begin for pac in (select p.uuid, p.name - from package p - join customer c on p.customeruuid = c.uuid + from test_package p + join test_customer c on p.customeruuid = c.uuid where c.reference < 90000) -- reserved for functional testing loop call createUnixUserTestData(pac.name, 2); diff --git a/src/main/resources/db/changelog/db.changelog-master.yaml b/src/main/resources/db/changelog/db.changelog-master.yaml index 6df6a185..72979c0d 100644 --- a/src/main/resources/db/changelog/db.changelog-master.yaml +++ b/src/main/resources/db/changelog/db.changelog-master.yaml @@ -28,24 +28,24 @@ databaseChangeLog: - include: file: db/changelog/080-rbac-global.sql - include: - file: db/changelog/100-hs-base.sql + file: db/changelog/100-test-base.sql - include: - file: db/changelog/110-hs-customer.sql + file: db/changelog/110-test-customer.sql - include: - file: db/changelog/113-hs-customer-rbac.sql + file: db/changelog/113-test-customer-rbac.sql - include: - file: db/changelog/118-hs-customer-test-data.sql + file: db/changelog/118-test-customer-test-data.sql - include: - file: db/changelog/120-hs-package.sql + file: db/changelog/120-test-package.sql - include: - file: db/changelog/123-hs-package-rbac.sql + file: db/changelog/123-test-package-rbac.sql - include: - file: db/changelog/128-hs-package-test-data.sql + file: db/changelog/128-test-package-test-data.sql - include: - file: db/changelog/130-hs-unixuser.sql + file: db/changelog/130-test-unixuser.sql - include: - file: db/changelog/133-hs-unixuser-rbac.sql + file: db/changelog/133-test-unixuser-rbac.sql - include: - file: db/changelog/138-hs-unixuser-test-data.sql + file: db/changelog/138-test-unixuser-test-data.sql 
diff --git a/src/test/java/net/hostsharing/hsadminng/context/ContextIntegrationTests.java b/src/test/java/net/hostsharing/hsadminng/context/ContextIntegrationTests.java index 25476ff4..39606ea9 100644 --- a/src/test/java/net/hostsharing/hsadminng/context/ContextIntegrationTests.java +++ b/src/test/java/net/hostsharing/hsadminng/context/ContextIntegrationTests.java @@ -31,7 +31,7 @@ class ContextIntegrationTests { @Test void defineWithoutHttpServletRequestUsesCallStack() { - context.define("mike@hostsharing.net", null); + context.define("mike@example.org", null); assertThat(context.getCurrentTask()) .isEqualTo("ContextIntegrationTests.defineWithoutHttpServletRequestUsesCallStack"); @@ -41,11 +41,11 @@ class ContextIntegrationTests { @Transactional void defineWithCurrentUserButWithoutAssumedRoles() { // when - context.define("mike@hostsharing.net"); + context.define("mike@example.org"); // then assertThat(context.getCurrentUser()). - isEqualTo("mike@hostsharing.net"); + isEqualTo("mike@example.org"); assertThat(context.getCurrentUserUUid()).isNotNull(); 
@@ -59,41 +59,41 @@ class ContextIntegrationTests { void defineWithoutCurrentUserButWithAssumedRoles() { // when final var result = jpaAttempt.transacted(() -> - context.define(null, "package#yyy00.admin") + context.define(null, "test_package#yyy00.admin") ); // then result.assertExceptionWithRootCauseMessage( javax.persistence.PersistenceException.class, - "ERROR: [403] undefined has no permission to assume role package#yyy00.admin"); + "ERROR: [403] undefined has no permission to assume role test_package#yyy00.admin"); } @Test void defineWithUnknownCurrentUserButWithAssumedRoles() { // when final var result = jpaAttempt.transacted(() -> - context.define("unknown@example.org", "package#yyy00.admin") + context.define("unknown@example.org", "test_package#yyy00.admin") ); // then result.assertExceptionWithRootCauseMessage( javax.persistence.PersistenceException.class, - "ERROR: [403] undefined has no permission to assume role package#yyy00.admin"); + "ERROR: [403] undefined has no permission to assume role test_package#yyy00.admin"); } @Test @Transactional void defineWithCurrentUserAndAssumedRoles() { // given - context.define("mike@hostsharing.net", "customer#xxx.owner;customer#yyy.owner"); + context.define("mike@example.org", "test_customer#xxx.owner;test_customer#yyy.owner"); // when final var currentUser = context.getCurrentUser(); - assertThat(currentUser).isEqualTo("mike@hostsharing.net"); + assertThat(currentUser).isEqualTo("mike@example.org"); // then assertThat(context.getAssumedRoles()) - .isEqualTo(Array.of("customer#xxx.owner", "customer#yyy.owner")); + .isEqualTo(Array.of("test_customer#xxx.owner", "test_customer#yyy.owner")); assertThat(context.currentSubjectsUuids()).hasSize(2); } 
@@ -101,12 +101,12 @@ class ContextIntegrationTests { public void defineContextWithCurrentUserAndAssumeInaccessibleRole() { // when final var result = jpaAttempt.transacted(() -> - context.define("customer-admin@xxx.example.com", "package#yyy00.admin") + context.define("customer-admin@xxx.example.com", "test_package#yyy00.admin") ); // then result.assertExceptionWithRootCauseMessage( javax.persistence.PersistenceException.class, - "ERROR: [403] user customer-admin@xxx.example.com has no permission to assume role package#yyy00.admin"); + "ERROR: [403] user customer-admin@xxx.example.com has no permission to assume role test_package#yyy00.admin"); } } diff --git a/src/test/java/net/hostsharing/hsadminng/hs/hscustomer/CustomerControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/hs/hscustomer/CustomerControllerAcceptanceTest.java index 2c8212f0..3a5c6186 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/hscustomer/CustomerControllerAcceptanceTest.java +++ b/src/test/java/net/hostsharing/hsadminng/hs/hscustomer/CustomerControllerAcceptanceTest.java @@ -39,10 +39,10 @@ class CustomerControllerAcceptanceTest { class ListCustomers { @Test - void hostsharingAdmin_withoutAssumedRoles_canViewAllCustomers_ifNoCriteriaGiven() { + void testGlobalAdmin_withoutAssumedRoles_canViewAllCustomers_ifNoCriteriaGiven() { RestAssured // @formatter:off .given() - .header("current-user", "mike@hostsharing.net") + .header("current-user", "mike@example.org") .port(port) .when() .get("http://localhost/api/customers") @@ -57,10 +57,10 @@ class CustomerControllerAcceptanceTest { } @Test - void hostsharingAdmin_withoutAssumedRoles_canViewMatchingCustomers_ifCriteriaGiven() { + void testGlobalAdmin_withoutAssumedRoles_canViewMatchingCustomers_ifCriteriaGiven() { RestAssured // @formatter:off .given() - .header("current-user", "mike@hostsharing.net") + .header("current-user", "mike@example.org") .port(port) .when() .get("http://localhost/api/customers?prefix=y") 
@@ -73,11 +73,11 @@ class CustomerControllerAcceptanceTest { } @Test - void hostsharingAdmin_withoutAssumedCustomerAdminRole_canOnlyViewOwnCustomer() { + void testGlobalAdmin_withoutAssumedCustomerAdminRole_canOnlyViewOwnCustomer() { RestAssured // @formatter:off .given() - .header("current-user", "mike@hostsharing.net") - .header("assumed-roles", "customer#yyy.admin") + .header("current-user", "mike@example.org") + .header("assumed-roles", "test_customer#yyy.admin") .port(port) .when() .get("http://localhost/api/customers") @@ -110,11 +110,11 @@ class CustomerControllerAcceptanceTest { class AddCustomer { @Test - void hostsharingAdmin_withoutAssumedRole_canAddCustomer() { + void testGlobalAdmin_withoutAssumedRole_canAddCustomer() { final var location = RestAssured // @formatter:off .given() - .header("current-user", "mike@hostsharing.net") + .header("current-user", "mike@example.org") .contentType(ContentType.JSON) .body(""" { @@ -142,13 +142,13 @@ class CustomerControllerAcceptanceTest { } @Test - void hostsharingAdmin_withoutAssumedRole_canAddCustomerWithGivenUuid() { + void testGlobalAdmin_withoutAssumedRole_canAddCustomerWithGivenUuid() { final var givenUuid = UUID.randomUUID(); final var location = RestAssured // @formatter:off .given() - .header("current-user", "mike@hostsharing.net") + .header("current-user", "mike@example.org") .contentType(ContentType.JSON) .body(""" { @@ -180,12 +180,12 @@ class CustomerControllerAcceptanceTest { } @Test - void hostsharingAdmin_withAssumedCustomerAdminRole_canNotAddCustomer() { + void testGlobalAdmin_withAssumedCustomerAdminRole_canNotAddCustomer() { RestAssured // @formatter:off .given() - .header("current-user", "mike@hostsharing.net") - .header("assumed-roles", "customer#xxx.admin") + .header("current-user", "mike@example.org") + .header("assumed-roles", "test_customer#xxx.admin") .contentType(ContentType.JSON) .body(""" { 
@@ -201,11 +201,11 @@ class CustomerControllerAcceptanceTest { .statusCode(403) .contentType(ContentType.JSON) .statusCode(403) - .body("message", containsString("add-customer not permitted for customer#xxx.admin")); + .body("message", containsString("add-customer not permitted for test_customer#xxx.admin")); // @formatter:on // finally, the new customer was not created - context.define("sven@hostsharing.net"); + context.define("sven@example.org"); assertThat(customerRepository.findCustomerByOptionalPrefixLike("uuu")).hasSize(0); } @@ -234,7 +234,7 @@ class CustomerControllerAcceptanceTest { // @formatter:on // finally, the new customer was not created - context.define("sven@hostsharing.net"); + context.define("sven@example.org"); assertThat(customerRepository.findCustomerByOptionalPrefixLike("uuu")).hasSize(0); } } diff --git a/src/test/java/net/hostsharing/hsadminng/hs/hscustomer/CustomerRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/hscustomer/CustomerRepositoryIntegrationTest.java index ab84986d..7f026b17 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/hscustomer/CustomerRepositoryIntegrationTest.java +++ b/src/test/java/net/hostsharing/hsadminng/hs/hscustomer/CustomerRepositoryIntegrationTest.java @@ -37,9 +37,9 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest { class CreateCustomer { @Test - public void hostsharingAdmin_withoutAssumedRole_canCreateNewCustomer() { + public void testGlobalAdmin_withoutAssumedRole_canCreateNewCustomer() { // given - context("mike@hostsharing.net", null); + context("mike@example.org", null); final var count = customerRepository.count(); // when 
@@ -58,9 +58,9 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest { } @Test - public void hostsharingAdmin_withAssumedCustomerRole_cannotCreateNewCustomer() { + public void testGlobalAdmin_withAssumedCustomerRole_cannotCreateNewCustomer() { // given - context("mike@hostsharing.net", "customer#xxx.admin"); + context("mike@example.org", "test_customer#xxx.admin"); // when final var result = attempt(em, () -> { @@ -72,7 +72,7 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest { // then result.assertExceptionWithRootCauseMessage( PersistenceException.class, - "add-customer not permitted for customer#xxx.admin"); + "add-customer not permitted for test_customer#xxx.admin"); } @Test @@ -104,9 +104,9 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest { class FindAllCustomers { @Test - public void hostsharingAdmin_withoutAssumedRole_canViewAllCustomers() { + public void testGlobalAdmin_withoutAssumedRole_canViewAllCustomers() { // given - context("mike@hostsharing.net", null); + context("mike@example.org", null); // when final var result = customerRepository.findCustomerByOptionalPrefixLike(null); @@ -116,9 +116,9 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest { } @Test - public void hostsharingAdmin_withAssumedHostsharingAdminRole_canViewAllCustomers() { + public void testGlobalAdmin_withAssumedtestGlobalAdminRole_canViewAllCustomers() { given: - context("mike@hostsharing.net", "global#hostsharing.admin"); + context("mike@example.org", "global#test-global.admin"); // when final var result = customerRepository.findCustomerByOptionalPrefixLike(null); 
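Review bot: The renamed method `testGlobalAdmin_withAssumedtestGlobalAdminRole_canViewAllCustomers` in the `@@ -116,9 +116,9 @@` hunk carries a lowercase `test` in the middle of a camelCase segment, which reads as a mechanical replacement of `Hostsharing` rather than a chosen name; `testGlobalAdmin_withAssumedTestGlobalAdminRole_canViewAllCustomers` keeps the file's `<subject>_<precondition>_<expectation>` convention intact. The same pattern appears in PackageRepositoryIntegrationTest (`@@ -54,9 +54,9 @@`), where the renamed identifier additionally keeps a double underscore and the `Notassumedd` typo; since that line is rewritten by this commit anyway, `testGlobalAdmin_withAssumedTestGlobalAdminRole_canNotViewAnyPackages_becauseThoseGrantsAreNotAssumed` would fix all three at once. The `given:` on the following context line is a Java labeled statement rather than a comment, while the sibling tests in this file use `// given`. The body of the renamed method continues past the end of the hunk.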
@@ -141,7 +141,7 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest { @Test public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnCustomer() { - context("customer-admin@xxx.example.com", "package#xxx00.admin"); + context("customer-admin@xxx.example.com", "test_package#xxx00.admin"); final var result = customerRepository.findCustomerByOptionalPrefixLike(null); @@ -153,9 +153,9 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest { class FindByPrefixLike { @Test - public void hostsharingAdmin_withoutAssumedRole_canViewAllCustomers() { + public void testGlobalAdmin_withoutAssumedRole_canViewAllCustomers() { // given - context("mike@hostsharing.net", null); + context("mike@example.org", null); // when final var result = customerRepository.findCustomerByOptionalPrefixLike("yyy"); diff --git a/src/test/java/net/hostsharing/hsadminng/hs/hspackage/PackageControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/hs/hspackage/PackageControllerAcceptanceTest.java index f7a344bc..42c152a3 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/hspackage/PackageControllerAcceptanceTest.java +++ b/src/test/java/net/hostsharing/hsadminng/hs/hspackage/PackageControllerAcceptanceTest.java @@ -43,8 +43,8 @@ class PackageControllerAcceptanceTest { // @formatter:off RestAssured .given() - .header("current-user", "mike@hostsharing.net") - .header("assumed-roles", "customer#xxx.admin") + .header("current-user", "mike@example.org") + .header("assumed-roles", "test_customer#xxx.admin") .port(port) .when() .get("http://localhost/api/packages") @@ -65,8 +65,8 @@ class PackageControllerAcceptanceTest { // @formatter:off RestAssured .given() - .header("current-user", "mike@hostsharing.net") - .header("assumed-roles", "customer#xxx.admin") + .header("current-user", "mike@example.org") + .header("assumed-roles", "test_customer#xxx.admin") .port(port) .when() .get("http://localhost/api/packages?name=xxx01") 
@@ -93,8 +93,8 @@ class PackageControllerAcceptanceTest { // @formatter:off RestAssured .given() - .header("current-user", "mike@hostsharing.net") - .header("assumed-roles", "customer#xxx.admin") + .header("current-user", "mike@example.org") + .header("assumed-roles", "test_customer#xxx.admin") .contentType(ContentType.JSON) .body(format(""" { @@ -123,8 +123,8 @@ class PackageControllerAcceptanceTest { // @formatter:off RestAssured .given() - .header("current-user", "mike@hostsharing.net") - .header("assumed-roles", "customer#xxx.admin") + .header("current-user", "mike@example.org") + .header("assumed-roles", "test_customer#xxx.admin") .contentType(ContentType.JSON) .body(""" { @@ -152,8 +152,8 @@ class PackageControllerAcceptanceTest { // @formatter:off RestAssured .given() - .header("current-user", "mike@hostsharing.net") - .header("assumed-roles", "customer#xxx.admin") + .header("current-user", "mike@example.org") + .header("assumed-roles", "test_customer#xxx.admin") .contentType(ContentType.JSON) .body("{}") .port(port) @@ -172,8 +172,8 @@ class PackageControllerAcceptanceTest { // @formatter:off return UUID.fromString(RestAssured .given() - .header("current-user", "mike@hostsharing.net") - .header("assumed-roles", "customer#xxx.admin") + .header("current-user", "mike@example.org") + .header("assumed-roles", "test_customer#xxx.admin") .port(port) .when() .get("http://localhost/api/packages?name={packageName}", packageName) @@ -185,7 +185,7 @@ class PackageControllerAcceptanceTest { } String getDescriptionOfPackage(final String packageName) { - context.define("mike@hostsharing.net","customer#xxx.admin"); + context.define("mike@example.org","test_customer#xxx.admin"); return packageRepository.findAllByOptionalNameLike(packageName).get(0).getDescription(); } } 
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/hspackage/PackageRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/hspackage/PackageRepositoryIntegrationTest.java index 036750ca..b0a9467d 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/hspackage/PackageRepositoryIntegrationTest.java +++ b/src/test/java/net/hostsharing/hsadminng/hs/hspackage/PackageRepositoryIntegrationTest.java @@ -42,9 +42,9 @@ class PackageRepositoryIntegrationTest { class FindAllByOptionalNameLike { @Test - public void hostsharingAdmin_withoutAssumedRole_canNotViewAnyPackages_becauseThoseGrantsAreNotassumedd() { + public void testGlobalAdmin_withoutAssumedRole_canNotViewAnyPackages_becauseThoseGrantsAreNotassumedd() { // given - context.define("mike@hostsharing.net"); + context.define("mike@example.org"); // when final var result = packageRepository.findAllByOptionalNameLike(null); @@ -54,9 +54,9 @@ class PackageRepositoryIntegrationTest { } @Test - public void hostsharingAdmin_withAssumedHostsharingAdminRole__canNotViewAnyPackages_becauseThoseGrantsAreNotassumedd() { + public void testGlobalAdmin_withAssumedtestGlobalAdminRole__canNotViewAnyPackages_becauseThoseGrantsAreNotassumedd() { given: - context.define("mike@hostsharing.net", "global#hostsharing.admin"); + context.define("mike@example.org", "global#test-global.admin"); // when final var result = packageRepository.findAllByOptionalNameLike(null); @@ -79,7 +79,7 @@ class PackageRepositoryIntegrationTest { @Test public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnPackages() { - context.define("customer-admin@xxx.example.com", "package#xxx00.admin"); + context.define("customer-admin@xxx.example.com", "test_package#xxx00.admin"); final var result = packageRepository.findAllByOptionalNameLike(null); 
@@ -93,17 +93,17 @@ class PackageRepositoryIntegrationTest { @Test public void supportsOptimisticLocking() throws InterruptedException { // given - hostsharingAdminWithAssumedRole("package#xxx00.admin"); + testGlobalAdminWithAssumedRole("test_package#xxx00.admin"); final var pac = packageRepository.findAllByOptionalNameLike("%").get(0); // when final var result1 = jpaAttempt.transacted(() -> { - hostsharingAdminWithAssumedRole("package#xxx00.admin"); + testGlobalAdminWithAssumedRole("test_package#xxx00.admin"); pac.setDescription("description set by thread 1"); packageRepository.save(pac); }); final var result2 = jpaAttempt.transacted(() -> { - hostsharingAdminWithAssumedRole("package#xxx00.admin"); + testGlobalAdminWithAssumedRole("test_package#xxx00.admin"); pac.setDescription("description set by thread 2"); packageRepository.save(pac); sleep(1500); @@ -125,8 +125,8 @@ class PackageRepositoryIntegrationTest { } } - private void hostsharingAdminWithAssumedRole(final String assumedRoles) { - context.define("mike@hostsharing.net", assumedRoles); + private void testGlobalAdminWithAssumedRole(final String assumedRoles) { + context.define("mike@example.org", assumedRoles); } void noPackagesAreReturned(final List actualResult) { diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantControllerAcceptanceTest.java index 0726e249..41d93221 100644 --- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantControllerAcceptanceTest.java +++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantControllerAcceptanceTest.java 
@@ -62,10 +62,10 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest { @Test @Accepts("GRT:L(List)") - void hostsharingAdmin_withoutAssumedRole_canViewAllGrants() { + void testGlobalAdmin_withoutAssumedRole_canViewAllGrants() { RestAssured // @formatter:off .given() - .header("current-user", "mike@hostsharing.net") + .header("current-user", "mike@example.org") .port(port) .when() .get("http://localhost/api/rbac-grants") 
@@ -74,36 +74,36 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest { .contentType("application/json") .body("", hasItem( allOf( - hasEntry("grantedByRoleIdName", "global#hostsharing.admin"), - hasEntry("grantedRoleIdName", "customer#xxx.admin"), + hasEntry("grantedByRoleIdName", "global#test-global.admin"), + hasEntry("grantedRoleIdName", "test_customer#xxx.admin"), hasEntry("granteeUserName", "customer-admin@xxx.example.com") ) )) .body("", hasItem( allOf( - hasEntry("grantedByRoleIdName", "global#hostsharing.admin"), - hasEntry("grantedRoleIdName", "customer#yyy.admin"), + hasEntry("grantedByRoleIdName", "global#test-global.admin"), + hasEntry("grantedRoleIdName", "test_customer#yyy.admin"), hasEntry("granteeUserName", "customer-admin@yyy.example.com") ) )) .body("", hasItem( allOf( - hasEntry("grantedByRoleIdName", "global#hostsharing.admin"), - hasEntry("grantedRoleIdName", "global#hostsharing.admin"), - hasEntry("granteeUserName", "sven@hostsharing.net") + hasEntry("grantedByRoleIdName", "global#test-global.admin"), + hasEntry("grantedRoleIdName", "global#test-global.admin"), + hasEntry("granteeUserName", "sven@example.org") ) )) .body("", hasItem( allOf( - hasEntry("grantedByRoleIdName", "customer#xxx.admin"), - hasEntry("grantedRoleIdName", "package#xxx00.admin"), + hasEntry("grantedByRoleIdName", "test_customer#xxx.admin"), + hasEntry("grantedRoleIdName", "test_package#xxx00.admin"), hasEntry("granteeUserName", "pac-admin-xxx00@xxx.example.com") ) )) .body("", hasItem( allOf( - hasEntry("grantedByRoleIdName", "customer#zzz.admin"), - hasEntry("grantedRoleIdName", "package#zzz02.admin"), + hasEntry("grantedByRoleIdName", "test_customer#zzz.admin"), + hasEntry("grantedRoleIdName", "test_package#zzz02.admin"), hasEntry("granteeUserName", "pac-admin-zzz02@zzz.example.com") ) )) 
@@ -113,11 +113,11 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest { @Test @Accepts({ "GRT:L(List)", "GRT:X(Access Control)" }) - void hostsharingAdmin_withAssumedPackageAdminRole_canViewPacketRelatedGrants() { + void testGlobalAdmin_withAssumedPackageAdminRole_canViewPacketRelatedGrants() { RestAssured // @formatter:off .given() - .header("current-user", "mike@hostsharing.net") - .header("assumed-roles", "package#yyy00.admin") + .header("current-user", "mike@example.org") + .header("assumed-roles", "test_package#yyy00.admin") .port(port) .when() .get("http://localhost/api/rbac-grants") @@ -126,8 +126,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest { .contentType("application/json") .body("", hasItem( allOf( - hasEntry("grantedByRoleIdName", "customer#yyy.admin"), - hasEntry("grantedRoleIdName", "package#yyy00.admin"), + hasEntry("grantedByRoleIdName", "test_customer#yyy.admin"), + hasEntry("grantedRoleIdName", "test_package#yyy00.admin"), hasEntry("granteeUserName", "pac-admin-yyy00@yyy.example.com") ) )) @@ -149,8 +149,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest { .contentType("application/json") .body("", hasItem( allOf( - hasEntry("grantedByRoleIdName", "customer#yyy.admin"), - hasEntry("grantedRoleIdName", "package#yyy00.admin"), + hasEntry("grantedByRoleIdName", "test_customer#yyy.admin"), + hasEntry("grantedRoleIdName", "test_package#yyy00.admin"), hasEntry("granteeUserName", "pac-admin-yyy00@yyy.example.com") ) )) 
@@ -168,7 +168,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest { // given final var givenCurrentUserAsPackageAdmin = new Subject("customer-admin@xxx.example.com"); final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com"); - final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin"); + final var givenGrantedRole = findRbacRoleByName("test_package#xxx00.admin"); // when final var grant = givenCurrentUserAsPackageAdmin.getGrantById() @@ -177,8 +177,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest { // then grant.assertThat() .statusCode(200) - .body("grantedByRoleIdName", is("customer#xxx.admin")) - .body("grantedRoleIdName", is("package#xxx00.admin")) + .body("grantedByRoleIdName", is("test_customer#xxx.admin")) + .body("grantedRoleIdName", is("test_package#xxx00.admin")) .body("granteeUserName", is("pac-admin-xxx00@xxx.example.com")); } @@ -188,7 +188,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest { // given final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com"); final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com"); - final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin"); + final var givenGrantedRole = findRbacRoleByName("test_package#xxx00.admin"); // when final var grant = givenCurrentUserAsPackageAdmin.getGrantById() @@ -197,8 +197,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest { // then grant.assertThat() .statusCode(200) - .body("grantedByRoleIdName", is("customer#xxx.admin")) - .body("grantedRoleIdName", is("package#xxx00.admin")) + .body("grantedByRoleIdName", is("test_customer#xxx.admin")) + .body("grantedRoleIdName", is("test_package#xxx00.admin")) .body("granteeUserName", is("pac-admin-xxx00@xxx.example.com")); } 
@@ -208,9 +208,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest { // given final var givenCurrentUserAsPackageAdmin = new Subject( "pac-admin-xxx00@xxx.example.com", - "package#xxx00.admin"); + "test_package#xxx00.admin"); final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com"); - final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin"); + final var givenGrantedRole = findRbacRoleByName("test_package#xxx00.admin"); // when final var grant = givenCurrentUserAsPackageAdmin.getGrantById() @@ -219,8 +219,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest { // then grant.assertThat() .statusCode(200) - .body("grantedByRoleIdName", is("customer#xxx.admin")) - .body("grantedRoleIdName", is("package#xxx00.admin")) + .body("grantedByRoleIdName", is("test_customer#xxx.admin")) + .body("grantedRoleIdName", is("test_package#xxx00.admin")) .body("granteeUserName", is("pac-admin-xxx00@xxx.example.com")); } @@ -231,9 +231,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest { // given final var givenCurrentUserAsPackageAdmin = new Subject( "pac-admin-xxx00@xxx.example.com", - "package#xxx00.tenant"); + "test_package#xxx00.tenant"); final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com"); - final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin"); + final var givenGrantedRole = findRbacRoleByName("test_package#xxx00.admin"); final var grant = givenCurrentUserAsPackageAdmin.getGrantById() .forGrantedRole(givenGrantedRole).toGranteeUser(givenGranteeUser); 
@@ -252,7 +252,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest { // given final var givenNewUser = createRBacUser(); - final var givenRoleToGrant = "package#xxx00.admin"; + final var givenRoleToGrant = "test_package#xxx00.admin"; final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant); final var givenOwnPackageAdminRole = findRbacRoleByName(givenCurrentUserAsPackageAdmin.assumedRole); @@ -265,9 +265,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest { // then response.assertThat() .statusCode(201) - .body("grantedByRoleIdName", is("package#xxx00.admin")) + .body("grantedByRoleIdName", is("test_package#xxx00.admin")) .body("assumed", is(true)) - .body("grantedRoleIdName", is("package#xxx00.admin")) + .body("grantedRoleIdName", is("test_package#xxx00.admin")) .body("granteeUserName", is(givenNewUser.getName())); assertThat(findAllGrantsOf(givenCurrentUserAsPackageAdmin)) .extracting(RbacGrantEntity::toDisplay) @@ -282,9 +282,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest { // given final var givenNewUser = createRBacUser(); - final var givenRoleToGrant = "package#xxx00.admin"; + final var givenRoleToGrant = "test_package#xxx00.admin"; final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant); - final var givenAlienPackageAdminRole = findRbacRoleByName("package#yyy00.admin"); + final var givenAlienPackageAdminRole = findRbacRoleByName("test_package#yyy00.admin"); // when final var result = givenCurrentUserAsPackageAdmin 
@@ -295,7 +295,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest { result.assertThat() .statusCode(403) .body("message", containsString("Access to granted role")) - .body("message", containsString("forbidden for {package#xxx00.admin}")); + .body("message", containsString("forbidden for {test_package#xxx00.admin}")); assertThat(findAllGrantsOf(givenCurrentUserAsPackageAdmin)) .extracting(RbacGrantEntity::getGranteeUserName) .doesNotContain(givenNewUser.getName()); @@ -312,9 +312,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest { // given final var givenArbitraryUser = createRBacUser(); - final var givenRoleToGrant = "package#xxx00.admin"; + final var givenRoleToGrant = "test_package#xxx00.admin"; final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant); - final var givenOwnPackageAdminRole = findRbacRoleByName("package#xxx00.admin"); + final var givenOwnPackageAdminRole = findRbacRoleByName("test_package#xxx00.admin"); // and given an existing grant assumeCreated(givenCurrentUserAsPackageAdmin @@ -499,14 +499,14 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest { RbacUserEntity findRbacUserByName(final String userName) { return jpaAttempt.transacted(() -> { - context("mike@hostsharing.net", null); + context("mike@example.org", null); return rbacUserRepository.findByName(userName); }).returnedValue(); } RbacRoleEntity findRbacRoleByName(final String roleName) { return jpaAttempt.transacted(() -> { - context("mike@hostsharing.net", null); + context("mike@example.org", null); return rbacRoleRepository.findByRoleName(roleName); }).returnedValue(); } diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantRepositoryIntegrationTest.java index d0c12e11..59e211f5 100644 
--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantRepositoryIntegrationTest.java +++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantRepositoryIntegrationTest.java @@ -68,7 +68,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest { // then exactlyTheseRbacGrantsAreReturned( result, - "{ grant assumed role package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role customer#xxx.admin }"); + "{ grant assumed role test_package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role test_customer#xxx.admin }"); } @Test 
@@ -83,17 +83,17 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest { // then exactlyTheseRbacGrantsAreReturned( result, - "{ grant assumed role customer#xxx.admin to user customer-admin@xxx.example.com by role global#hostsharing.admin }", - "{ grant assumed role package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role customer#xxx.admin }", - "{ grant assumed role package#xxx01.admin to user pac-admin-xxx01@xxx.example.com by role customer#xxx.admin }", - "{ grant assumed role package#xxx02.admin to user pac-admin-xxx02@xxx.example.com by role customer#xxx.admin }"); + "{ grant assumed role test_customer#xxx.admin to user customer-admin@xxx.example.com by role global#test-global.admin }", + "{ grant assumed role test_package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role test_customer#xxx.admin }", + "{ grant assumed role test_package#xxx01.admin to user pac-admin-xxx01@xxx.example.com by role test_customer#xxx.admin }", + "{ grant assumed role test_package#xxx02.admin to user pac-admin-xxx02@xxx.example.com by role test_customer#xxx.admin }"); } @Test @Accepts({ "GRT:L(List)" }) public void customerAdmin_withAssumedRole_canOnlyViewRbacGrantsVisibleByAssumedRole() { // given: - context("customer-admin@xxx.example.com", "package#xxx00.admin"); + context("customer-admin@xxx.example.com", "test_package#xxx00.admin"); // when final var result = rbacGrantRepository.findAll(); @@ -101,7 +101,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest { // then exactlyTheseRbacGrantsAreReturned( result, - "{ grant assumed role package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role customer#xxx.admin }"); + "{ grant assumed role test_package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role test_customer#xxx.admin }"); } } 
@@ -111,9 +111,9 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest { @Test public void customerAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() { // given - context("customer-admin@xxx.example.com", "customer#xxx.admin"); + context("customer-admin@xxx.example.com", "test_customer#xxx.admin"); final var givenArbitraryUserUuid = rbacUserRepository.findByName("pac-admin-zzz00@zzz.example.com").getUuid(); - final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("package#xxx00.admin").getUuid(); + final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("test_package#xxx00.admin").getUuid(); // when final var grant = RbacGrantEntity.builder() @@ -129,7 +129,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest { assertThat(rbacGrantRepository.findAll()) .extracting(RbacGrantEntity::toDisplay) .contains( - "{ grant assumed role package#xxx00.admin to user pac-admin-zzz00@zzz.example.com by role customer#xxx.admin }"); + "{ grant assumed role test_package#xxx00.admin to user pac-admin-zzz00@zzz.example.com by role test_customer#xxx.admin }"); } @Test @@ -142,14 +142,14 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest { context("customer-admin@xxx.example.com", null); return new Given( createNewUser(), - rbacRoleRepository.findByRoleName("package#xxx00.owner").getUuid() + rbacRoleRepository.findByRoleName("test_package#xxx00.owner").getUuid() ); }).assumeSuccessful().returnedValue(); // when final var attempt = jpaAttempt.transacted(() -> { // now we try to use these uuids as a less privileged user - context("pac-admin-xxx00@xxx.example.com", "package#xxx00.admin"); + context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00.admin"); final var grant = RbacGrantEntity.builder() .granteeUserUuid(given.arbitraryUser.getUuid()) .grantedRoleUuid(given.packageOwnerRoleUuid) 
@@ -162,7 +162,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest { attempt.assertExceptionWithRootCauseMessage( JpaSystemException.class, "ERROR: [403] Access to granted role " + given.packageOwnerRoleUuid - + " forbidden for {package#xxx00.admin}"); + + " forbidden for {test_package#xxx00.admin}"); jpaAttempt.transacted(() -> { // finally, we use the new user to make sure, no roles were granted context(given.arbitraryUser.getName(), null); @@ -180,17 +180,17 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest { public void customerAdmin_canRevokeSelfGrantedPackageAdminRole() { // given final var grant = create(grant() - .byUser("customer-admin@xxx.example.com").withAssumedRole("customer#xxx.admin") - .grantingRole("package#xxx00.admin").toUser("pac-admin-zzz00@zzz.example.com")); + .byUser("customer-admin@xxx.example.com").withAssumedRole("test_customer#xxx.admin") + .grantingRole("test_package#xxx00.admin").toUser("pac-admin-zzz00@zzz.example.com")); // when - context("customer-admin@xxx.example.com", "customer#xxx.admin"); + context("customer-admin@xxx.example.com", "test_customer#xxx.admin"); final var revokeAttempt = attempt(em, () -> { rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId()); }); // then - context("customer-admin@xxx.example.com", "customer#xxx.admin"); + context("customer-admin@xxx.example.com", "test_customer#xxx.admin"); assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull(); assertThat(rbacGrantRepository.findAll()) .extracting(RbacGrantEntity::getGranteeUserName) 
@@ -202,18 +202,18 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest { // given final var newUser = createNewUserTransacted(); final var grant = create(grant() - .byUser("customer-admin@xxx.example.com").withAssumedRole("package#xxx00.admin") - .grantingRole("package#xxx00.admin").toUser(newUser.getName())); + .byUser("customer-admin@xxx.example.com").withAssumedRole("test_package#xxx00.admin") + .grantingRole("test_package#xxx00.admin").toUser(newUser.getName())); // when - context("pac-admin-xxx00@xxx.example.com", "package#xxx00.admin"); + context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00.admin"); final var revokeAttempt = attempt(em, () -> { rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId()); }); // then assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull(); - context("customer-admin@xxx.example.com", "customer#xxx.admin"); + context("customer-admin@xxx.example.com", "test_customer#xxx.admin"); assertThat(rbacGrantRepository.findAll()) .extracting(RbacGrantEntity::getGranteeUserName) .doesNotContain("pac-admin-zzz00@zzz.example.com"); 
@@ -223,12 +223,12 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest { public void packageAdmin_canNotRevokeOwnPackageAdminRoleGrantedByOwnerRoleOfThatPackage() { // given final var grant = create(grant() - .byUser("customer-admin@xxx.example.com").withAssumedRole("package#xxx00.owner") - .grantingRole("package#xxx00.admin").toUser("pac-admin-zzz00@zzz.example.com")); - final var grantedByRole = rbacRoleRepository.findByRoleName("package#xxx00.owner"); + .byUser("customer-admin@xxx.example.com").withAssumedRole("test_package#xxx00.owner") + .grantingRole("test_package#xxx00.admin").toUser("pac-admin-zzz00@zzz.example.com")); + final var grantedByRole = rbacRoleRepository.findByRoleName("test_package#xxx00.owner"); // when - context("pac-admin-xxx00@xxx.example.com", "package#xxx00.admin"); + context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00.admin"); final var revokeAttempt = attempt(em, () -> { rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId()); }); @@ -236,7 +236,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest { // then revokeAttempt.assertExceptionWithRootCauseMessage( JpaSystemException.class, - "ERROR: [403] Revoking role created by %s is forbidden for {package#xxx00.admin}.".formatted( + "ERROR: [403] Revoking role created by %s is forbidden for {test_package#xxx00.admin}.".formatted( grantedByRole.getUuid() )); } diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerAcceptanceTest.java index dc112db0..704f3660 100644 --- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerAcceptanceTest.java +++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerAcceptanceTest.java 
@@ -38,39 +38,39 @@ class RbacRoleControllerAcceptanceTest {
 @Test
 @Accepts({ "ROL:L(List)" })
- void hostsharingAdmin_withoutAssumedRole_canViewAllRoles() {
+ void testGlobalAdmin_withoutAssumedRole_canViewAllRoles() {
 // @formatter:off
 RestAssured
 .given()
- .header("current-user", "mike@hostsharing.net")
+ .header("current-user", "mike@example.org")
 .port(port)
 .when()
 .get("http://localhost/api/rbac-roles")
 .then().assertThat()
 .statusCode(200)
 .contentType("application/json")
- .body("", hasItem(hasEntry("roleName", "customer#xxx.admin")))
- .body("", hasItem(hasEntry("roleName", "customer#xxx.owner")))
- .body("", hasItem(hasEntry("roleName", "customer#xxx.tenant")))
+ .body("", hasItem(hasEntry("roleName", "test_customer#xxx.admin")))
+ .body("", hasItem(hasEntry("roleName", "test_customer#xxx.owner")))
+ .body("", hasItem(hasEntry("roleName", "test_customer#xxx.tenant")))
 // ...
- .body("", hasItem(hasEntry("roleName", "global#hostsharing.admin")))
- .body("", hasItem(hasEntry("roleName", "customer#yyy.admin")))
- .body("", hasItem(hasEntry("roleName", "package#yyy00.admin")))
- .body("", hasItem(hasEntry("roleName", "unixuser#yyy00-aaaa.owner")))
+ .body("", hasItem(hasEntry("roleName", "global#test-global.admin")))
+ .body("", hasItem(hasEntry("roleName", "test_customer#yyy.admin")))
+ .body("", hasItem(hasEntry("roleName", "test_package#yyy00.admin")))
+ .body("", hasItem(hasEntry("roleName", "test_unixuser#yyy00-aaaa.owner")))
 .body( "size()", greaterThanOrEqualTo(73)); // increases with new test data
 // @formatter:on
 }
 @Test
 @Accepts({ "ROL:L(List)", "ROL:X(Access Control)" })
- void hostsharingAdmin_withAssumedPackageAdminRole_canViewPackageAdminRoles() {
+ void testGlobalAdmin_withAssumedPackageAdminRole_canViewPackageAdminRoles() {
 // @formatter:off
 RestAssured
 .given()
- .header("current-user", "mike@hostsharing.net")
- .header("assumed-roles", "package#yyy00.admin")
+ .header("current-user", "mike@example.org")
+ .header("assumed-roles",
"test_package#yyy00.admin")
 .port(port)
 .when()
 .get("http://localhost/api/rbac-roles")
@@ -79,10 +79,10 @@ class RbacRoleControllerAcceptanceTest {
 .assertThat()
 .statusCode(200)
 .contentType("application/json")
- .body("[0].roleName", is("customer#yyy.tenant"))
- .body("[1].roleName", is("package#yyy00.admin"))
- .body("[2].roleName", is("package#yyy00.tenant"))
- .body("[3].roleName", is("unixuser#yyy00-aaaa.admin"))
+ .body("[0].roleName", is("test_customer#yyy.tenant"))
+ .body("[1].roleName", is("test_package#yyy00.admin"))
+ .body("[2].roleName", is("test_package#yyy00.tenant"))
+ .body("[3].roleName", is("test_unixuser#yyy00-aaaa.admin"))
 .body("size()", is(7)); // increases with new test data
 // @formatter:on
 }
@@ -101,12 +101,11 @@ class RbacRoleControllerAcceptanceTest {
 .then().assertThat()
 .statusCode(200)
 .contentType("application/json")
- .body("[0].roleName", is("customer#zzz.tenant"))
- .body("[1].roleName", is("package#zzz00.admin"))
- .body("[2].roleName", is("package#zzz00.tenant"))
- .body("[3].roleName", is("unixuser#zzz00-aaaa.admin"))
+ .body("[0].roleName", is("test_customer#zzz.tenant"))
+ .body("[1].roleName", is("test_package#zzz00.admin"))
+ .body("[2].roleName", is("test_package#zzz00.tenant"))
+ .body("[3].roleName", is("test_unixuser#zzz00-aaaa.admin"))
 .body("size()", is(7)); // increases with new test data
 // @formatter:on
 }
-
 }
diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerRestTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerRestTest.java
index 6450b8e0..6d0aadb9 100644
--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerRestTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleControllerRestTest.java
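Review bot: The comment `// increases with new test data` next to `.body("size()", is(7));` in both hunks here (-79 and -101) contradicts the exact `is(7)` matcher: if the count really grows with new test data the assertion breaks, and if the count is meant to be exact (the roles reachable through the assumed role, as the positional `[0]`..`[3]` checks suggest) the comment misleads the next person who adds fixtures. The first hunk of this file pairs the same comment with `greaterThanOrEqualTo(73)`, so the two should be reconciled, e.g. `.body("size()", is(7)); // exact: only roles reachable through the assumed role`. The enclosing test methods start outside these hunks.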
@@ -37,15 +37,15 @@ class RbacRoleControllerRestTest {
 // when
 mockMvc.perform(MockMvcRequestBuilders
 .get("/api/rbac-roles")
- .header("current-user", "mike@hostsharing.net")
+ .header("current-user", "mike@example.org")
 .accept(MediaType.APPLICATION_JSON))
 // then
 .andExpect(status().isOk())
 .andExpect(jsonPath("$", hasSize(3)))
- .andExpect(jsonPath("$[0].roleName", is("global#hostsharing.admin")))
- .andExpect(jsonPath("$[1].roleName", is("customer#xxx.owner")))
- .andExpect(jsonPath("$[2].roleName", is("customer#xxx.admin")))
+ .andExpect(jsonPath("$[0].roleName", is("global#test-global.admin")))
+ .andExpect(jsonPath("$[1].roleName", is("test_customer#xxx.owner")))
+ .andExpect(jsonPath("$[2].roleName", is("test_customer#xxx.admin")))
 .andExpect(jsonPath("$[2].uuid", is(customerXxxAdmin.getUuid().toString())))
 .andExpect(jsonPath("$[2].objectUuid", is(customerXxxAdmin.getObjectUuid().toString())))
 .andExpect(jsonPath("$[2].objectTable", is(customerXxxAdmin.getObjectTable().toString())))
diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepositoryIntegrationTest.java
index 6e423a57..b500c683 100644
--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RbacRoleRepositoryIntegrationTest.java
@@ -40,26 +40,26 @@ class RbacRoleRepositoryIntegrationTest {
 private static final String[] ALL_TEST_DATA_ROLES = Array.of(
 // @formatter:off
- "global#hostsharing.admin",
- "customer#xxx.admin", "customer#xxx.owner", "customer#xxx.tenant",
- "package#xxx00.admin", "package#xxx00.owner", "package#xxx00.tenant",
- "package#xxx01.admin", "package#xxx01.owner", "package#xxx01.tenant",
- "package#xxx02.admin", "package#xxx02.owner", "package#xxx02.tenant",
- "customer#yyy.admin", "customer#yyy.owner", "customer#yyy.tenant",
- "package#yyy00.admin", "package#yyy00.owner", "package#yyy00.tenant",
- "package#yyy01.admin", "package#yyy01.owner", "package#yyy01.tenant",
- "package#yyy02.admin", "package#yyy02.owner", "package#yyy02.tenant",
- "customer#zzz.admin", "customer#zzz.owner", "customer#zzz.tenant",
- "package#zzz00.admin", "package#zzz00.owner", "package#zzz00.tenant",
- "package#zzz01.admin", "package#zzz01.owner", "package#zzz01.tenant",
- "package#zzz02.admin", "package#zzz02.owner", "package#zzz02.tenant"
+ "global#test-global.admin",
+ "test_customer#xxx.admin", "test_customer#xxx.owner", "test_customer#xxx.tenant",
+ "test_package#xxx00.admin", "test_package#xxx00.owner", "test_package#xxx00.tenant",
+ "test_package#xxx01.admin", "test_package#xxx01.owner", "test_package#xxx01.tenant",
+ "test_package#xxx02.admin", "test_package#xxx02.owner", "test_package#xxx02.tenant",
+ "test_customer#yyy.admin", "test_customer#yyy.owner", "test_customer#yyy.tenant",
+ "test_package#yyy00.admin", "test_package#yyy00.owner", "test_package#yyy00.tenant",
+ "test_package#yyy01.admin", "test_package#yyy01.owner", "test_package#yyy01.tenant",
+ "test_package#yyy02.admin", "test_package#yyy02.owner", "test_package#yyy02.tenant",
+ "test_customer#zzz.admin", "test_customer#zzz.owner", "test_customer#zzz.tenant",
+ "test_package#zzz00.admin", "test_package#zzz00.owner", "test_package#zzz00.tenant",
+ "test_package#zzz01.admin", "test_package#zzz01.owner",
"test_package#zzz01.tenant",
+ "test_package#zzz02.admin", "test_package#zzz02.owner", "test_package#zzz02.tenant"
 // @formatter:on
 );
 @Test
- public void hostsharingAdmin_withoutAssumedRole_canViewAllRbacRoles() {
+ public void testGlobalAdmin_withoutAssumedRole_canViewAllRbacRoles() {
 // given
- context.define("mike@hostsharing.net");
+ context.define("mike@example.org");
 // when
 final var result = rbacRoleRepository.findAll();
@@ -69,9 +69,9 @@ class RbacRoleRepositoryIntegrationTest {
 }
 @Test
- public void hostsharingAdmin_withAssumedHostsharingAdminRole_canViewAllRbacRoles() {
+ public void testGlobalAdmin_withAssumedtestGlobalAdminRole_canViewAllRbacRoles() {
 given:
- context.define("mike@hostsharing.net", "global#hostsharing.admin");
+ context.define("mike@example.org", "global#test-global.admin");
 // when
 final var result = rbacRoleRepository.findAll();
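Review bot: The renamed test method `testGlobalAdmin_withAssumedtestGlobalAdminRole_canViewAllRbacRoles` in the second hunk (-69) carries a lowercase `test` in the middle of a camel-case segment; `testGlobalAdmin_withAssumedGlobalAdminRole_canViewAllRbacRoles` (or `...withAssumedTestGlobalAdminRole...`) would read consistently with the other renames in this commit. The same spelling recurs in RbacUserRepositoryIntegrationTest, hunk -116 further down. In that same method `given:` is a Java statement label standing in for the `// given` comment that the previous method in the first hunk uses; replacing it with `// given` keeps the given/when/then markers uniform and drops an unused label.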
@@ -92,49 +92,49 @@ class RbacRoleRepositoryIntegrationTest {
 allTheseRbacRolesAreReturned(
 result,
 // @formatter:off
- "customer#xxx.admin",
- "customer#xxx.tenant",
- "package#xxx00.admin",
- "package#xxx00.owner",
- "package#xxx00.tenant",
- "package#xxx01.admin",
- "package#xxx01.owner",
- "package#xxx01.tenant",
+ "test_customer#xxx.admin",
+ "test_customer#xxx.tenant",
+ "test_package#xxx00.admin",
+ "test_package#xxx00.owner",
+ "test_package#xxx00.tenant",
+ "test_package#xxx01.admin",
+ "test_package#xxx01.owner",
+ "test_package#xxx01.tenant",
 // ...
- "unixuser#xxx00-aaaa.admin",
- "unixuser#xxx00-aaaa.owner",
+ "test_unixuser#xxx00-aaaa.admin",
+ "test_unixuser#xxx00-aaaa.owner",
 // ..
- "unixuser#xxx01-aaab.admin",
- "unixuser#xxx01-aaab.owner"
+ "test_unixuser#xxx01-aaab.admin",
+ "test_unixuser#xxx01-aaab.owner"
 // @formatter:on
 );
 noneOfTheseRbacRolesIsReturned(
 result,
 // @formatter:off
- "global#hostsharing.admin",
- "customer#xxx.owner",
- "package#yyy00.admin",
- "package#yyy00.owner",
- "package#yyy00.tenant"
+ "global#test-global.admin",
+ "test_customer#xxx.owner",
+ "test_package#yyy00.admin",
+ "test_package#yyy00.owner",
+ "test_package#yyy00.tenant"
 // @formatter:on
 );
 }
 @Test
 public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnRbacRole() {
- context.define("customer-admin@xxx.example.com", "package#xxx00.admin");
+ context.define("customer-admin@xxx.example.com", "test_package#xxx00.admin");
 final var result = rbacRoleRepository.findAll();
 exactlyTheseRbacRolesAreReturned(
 result,
- "customer#xxx.tenant",
- "package#xxx00.admin",
- "package#xxx00.tenant",
- "unixuser#xxx00-aaaa.admin",
- "unixuser#xxx00-aaaa.owner",
- "unixuser#xxx00-aaab.admin",
- "unixuser#xxx00-aaab.owner");
+ "test_customer#xxx.tenant",
+ "test_package#xxx00.admin",
+ "test_package#xxx00.tenant",
+ "test_unixuser#xxx00-aaaa.admin",
+ "test_unixuser#xxx00-aaaa.owner",
+ "test_unixuser#xxx00-aaab.admin",
+ "test_unixuser#xxx00-aaab.owner");
 }
@Test
@@ -158,10 +158,10 @@ class RbacRoleRepositoryIntegrationTest {
 void customerAdmin_withoutAssumedRole_canFindItsOwnRolesByName() {
 context.define("customer-admin@xxx.example.com");
- final var result = rbacRoleRepository.findByRoleName("customer#xxx.admin");
+ final var result = rbacRoleRepository.findByRoleName("test_customer#xxx.admin");
 assertThat(result).isNotNull();
- assertThat(result.getObjectTable()).isEqualTo("customer");
+ assertThat(result.getObjectTable()).isEqualTo("test_customer");
 assertThat(result.getObjectIdName()).isEqualTo("xxx");
 assertThat(result.getRoleType()).isEqualTo(RbacRoleType.admin);
 }
@@ -170,7 +170,7 @@ class RbacRoleRepositoryIntegrationTest {
 void customerAdmin_withoutAssumedRole_canNotFindAlienRolesByName() {
 context.define("customer-admin@xxx.example.com");
- final var result = rbacRoleRepository.findByRoleName("customer#bbb.admin");
+ final var result = rbacRoleRepository.findByRoleName("test_customer#bbb.admin");
 assertThat(result).isNull();
 }
diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/TestRbacRole.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/TestRbacRole.java
index cabb96b3..ca7e4607 100644
--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/TestRbacRole.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/TestRbacRole.java
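Review bot: `customerAdmin_withoutAssumedRole_canNotFindAlienRolesByName` in the second hunk (-170) looks up `test_customer#bbb.admin`, and `bbb` is not among the customers listed in ALL_TEST_DATA_ROLES earlier in this file (xxx, yyy, zzz). If the test data inserts no such role, the `isNull()` result proves only that the role does not exist, not that a customer admin is denied access to another customer's role, which is the access-control property the test name claims. Using a role that the global-admin test in this file expects to exist, e.g. `final var result = rbacRoleRepository.findByRoleName("test_customer#yyy.admin");`, would make the negative test meaningful; if `bbb` is inserted by fixtures outside this file, a comment saying so would avoid the same doubt for the next reader.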
@@ -4,9 +4,9 @@ import static java.util.UUID.randomUUID;
 public class TestRbacRole {
- public static final RbacRoleEntity hostmasterRole = rbacRole("global", "hostsharing", RbacRoleType.admin);
- static final RbacRoleEntity customerXxxOwner = rbacRole("customer", "xxx", RbacRoleType.owner);
- static final RbacRoleEntity customerXxxAdmin = rbacRole("customer", "xxx", RbacRoleType.admin);
+ public static final RbacRoleEntity hostmasterRole = rbacRole("global", "test-global", RbacRoleType.admin);
+ static final RbacRoleEntity customerXxxOwner = rbacRole("test_customer", "xxx", RbacRoleType.owner);
+ static final RbacRoleEntity customerXxxAdmin = rbacRole("test_customer", "xxx", RbacRoleType.admin);
 static public RbacRoleEntity rbacRole(final String objectTable, final String objectIdName, final RbacRoleType roleType) {
 return new RbacRoleEntity(randomUUID(), randomUUID(), objectTable, objectIdName, roleType, objectTable+'#'+objectIdName+'.'+roleType);
diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserControllerAcceptanceTest.java
index ce1670a9..d34cb0bc 100644
--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserControllerAcceptanceTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserControllerAcceptanceTest.java
@@ -82,13 +82,13 @@ class RbacUserControllerAcceptanceTest {
 @Test
 @Accepts({ "USR:R(Read)" })
- void hostsharingAdmin_withoutAssumedRole_canGetArbitraryUser() {
+ void testGlobalAdmin_withoutAssumedRole_canGetArbitraryUser() {
 final var givenUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
 // @formatter:off
 RestAssured
 .given()
- .header("current-user", "mike@hostsharing.net")
+ .header("current-user", "mike@example.org")
 .port(port)
 .when()
 .get("http://localhost/api/rbac-users/" + givenUser.getUuid())
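Review bot: In the TestRbacRole hunk the fixture constant keeps the name `hostmasterRole` while it now builds `global#test-global.admin`, and every test that uses this role was renamed from `hostsharingAdmin_…` to `testGlobalAdmin_…` in this same commit; renaming the constant along the same lines, `public static final RbacRoleEntity globalAdminRole = rbacRole("global", "test-global", RbacRoleType.admin);`, keeps the fixture vocabulary consistent. The constant is also `public` while `customerXxxOwner` and `customerXxxAdmin` next to it are package-private; if that is deliberate a one-line comment saying which tests outside the package depend on it would help. The id `test-global` uses a hyphen while the object tables use the `test_` underscore prefix; I cannot tell from the hunk whether the role name has to match a database identifier, so confirm the hyphen is intended.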
@@ -101,14 +101,14 @@ class RbacUserControllerAcceptanceTest {
 @Test
 @Accepts({ "USR:R(Read)", "USR:X(Access Control)" })
- void hostsharingAdmin_withAssumedCustomerAdminRole_canGetUserWithinInItsRealm() {
+ void testGlobalAdmin_withAssumedCustomerAdminRole_canGetUserWithinInItsRealm() {
 final var givenUser = findRbacUserByName("pac-admin-yyy00@yyy.example.com");
 // @formatter:off
 RestAssured
 .given()
- .header("current-user", "mike@hostsharing.net")
- .header("assumed-roles", "customer#yyy.admin")
+ .header("current-user", "mike@example.org")
+ .header("assumed-roles", "test_customer#yyy.admin")
 .port(port)
 .when()
 .get("http://localhost/api/rbac-users/" + givenUser.getUuid())
@@ -161,12 +161,12 @@ class RbacUserControllerAcceptanceTest {
 @Test
 @Accepts({ "USR:L(List)" })
- void hostsharingAdmin_withoutAssumedRole_canViewAllUsers() {
+ void testGlobalAdmin_withoutAssumedRole_canViewAllUsers() {
 // @formatter:off
 RestAssured
 .given()
- .header("current-user", "mike@hostsharing.net")
+ .header("current-user", "mike@example.org")
 .port(port)
 .when()
 .get("http://localhost/api/rbac-users")
@@ -176,23 +176,23 @@ class RbacUserControllerAcceptanceTest {
 .body("", hasItem(hasEntry("name", "customer-admin@xxx.example.com")))
 .body("", hasItem(hasEntry("name", "customer-admin@yyy.example.com")))
 .body("", hasItem(hasEntry("name", "customer-admin@zzz.example.com")))
- .body("", hasItem(hasEntry("name", "mike@hostsharing.net")))
+ .body("", hasItem(hasEntry("name", "mike@example.org")))
 // ...
 .body("", hasItem(hasEntry("name", "pac-admin-zzz01@zzz.example.com")))
 .body("", hasItem(hasEntry("name", "pac-admin-zzz02@zzz.example.com")))
- .body("", hasItem(hasEntry("name", "sven@hostsharing.net")))
+ .body("", hasItem(hasEntry("name", "sven@example.org")))
 .body("size()", greaterThanOrEqualTo(14));
 // @formatter:on
 }
 @Test
 @Accepts({ "USR:F(Filter)" })
- void hostsharingAdmin_withoutAssumedRole_canViewAllUsersByName() {
+ void testGlobalAdmin_withoutAssumedRole_canViewAllUsersByName() {
 // @formatter:off
 RestAssured
 .given()
- .header("current-user", "mike@hostsharing.net")
+ .header("current-user", "mike@example.org")
 .port(port)
 .when()
 .get("http://localhost/api/rbac-users?name=pac-admin-zzz0")
@@ -208,13 +208,13 @@ class RbacUserControllerAcceptanceTest {
 @Test
 @Accepts({ "USR:L(List)", "USR:X(Access Control)" })
- void hostsharingAdmin_withAssumedCustomerAdminRole_canViewUsersInItsRealm() {
+ void testGlobalAdmin_withAssumedCustomerAdminRole_canViewUsersInItsRealm() {
 // @formatter:off
 RestAssured
 .given()
- .header("current-user", "mike@hostsharing.net")
- .header("assumed-roles", "customer#yyy.admin")
+ .header("current-user", "mike@example.org")
+ .header("assumed-roles", "test_customer#yyy.admin")
 .port(port)
 .when()
 .get("http://localhost/api/rbac-users")
@@ -276,13 +276,13 @@ class RbacUserControllerAcceptanceTest {
 @Test
 @Accepts({ "PRM:L(List)" })
- void hostsharingAdmin_withoutAssumedRole_canViewArbitraryUsersPermissions() {
+ void testGlobalAdmin_withoutAssumedRole_canViewArbitraryUsersPermissions() {
 final var givenUser = findRbacUserByName("pac-admin-yyy00@yyy.example.com");
 // @formatter:off
 RestAssured
 .given()
- .header("current-user", "mike@hostsharing.net")
+ .header("current-user", "mike@example.org")
 .port(port)
 .when()
 .get("http://localhost/api/rbac-users/" + givenUser.getUuid() + "/permissions")
@@ -291,17 +291,17 @@ class RbacUserControllerAcceptanceTest {
 .contentType("application/json")
 .body("", hasItem(
 allOf(
- hasEntry("roleName", "customer#yyy.tenant"),
+ hasEntry("roleName", "test_customer#yyy.tenant"),
 hasEntry("op", "view"))
 ))
 .body("", hasItem(
 allOf(
- hasEntry("roleName", "package#yyy00.admin"),
+ hasEntry("roleName", "test_package#yyy00.admin"),
 hasEntry("op", "add-unixuser"))
 ))
 .body("", hasItem(
 allOf(
- hasEntry("roleName", "unixuser#yyy00-aaaa.owner"),
+ hasEntry("roleName", "test_unixuser#yyy00-aaaa.owner"),
 hasEntry("op", "*"))
 ))
 .body("size()", is(8));
@@ -310,14 +310,14 @@ class RbacUserControllerAcceptanceTest {
 @Test
 @Accepts({ "PRM:L(List)" })
- void hostsharingAdmin_withAssumedCustomerAdminRole_canViewArbitraryUsersPermissions() {
+ void testGlobalAdmin_withAssumedCustomerAdminRole_canViewArbitraryUsersPermissions() {
 final var givenUser = findRbacUserByName("pac-admin-yyy00@yyy.example.com");
 // @formatter:off
 RestAssured
 .given()
- .header("current-user", "mike@hostsharing.net")
- .header("assumed-roles", "package#yyy00.admin")
+ .header("current-user", "mike@example.org")
+ .header("assumed-roles", "test_package#yyy00.admin")
 .port(port)
 .when()
 .get("http://localhost/api/rbac-users/" + givenUser.getUuid() + "/permissions")
@@ -326,17 +326,17 @@ class RbacUserControllerAcceptanceTest {
 .contentType("application/json")
 .body("", hasItem(
 allOf(
- hasEntry("roleName", "customer#yyy.tenant"),
+ hasEntry("roleName", "test_customer#yyy.tenant"),
 hasEntry("op", "view"))
 ))
 .body("", hasItem(
 allOf(
- hasEntry("roleName", "package#yyy00.admin"),
+ hasEntry("roleName", "test_package#yyy00.admin"),
 hasEntry("op", "add-unixuser"))
 ))
 .body("", hasItem(
 allOf(
- hasEntry("roleName", "unixuser#yyy00-aaaa.owner"),
+ hasEntry("roleName", "test_unixuser#yyy00-aaaa.owner"),
 hasEntry("op", "*"))
 ))
 .body("size()", is(8));
@@ -360,17 +360,17 @@ class RbacUserControllerAcceptanceTest {
 .contentType("application/json")
 .body("", hasItem(
 allOf(
- hasEntry("roleName", "customer#yyy.tenant"),
+ hasEntry("roleName", "test_customer#yyy.tenant"),
 hasEntry("op", "view"))
 ))
 .body("", hasItem(
 allOf(
- hasEntry("roleName", "package#yyy00.admin"),
+ hasEntry("roleName", "test_package#yyy00.admin"),
 hasEntry("op", "add-unixuser"))
 ))
 .body("", hasItem(
 allOf(
- hasEntry("roleName", "unixuser#yyy00-aaaa.owner"),
+ hasEntry("roleName", "test_unixuser#yyy00-aaaa.owner"),
 hasEntry("op", "*"))
 ))
 .body("size()", is(8));
@@ -399,7 +399,7 @@ class RbacUserControllerAcceptanceTest {
 RbacUserEntity findRbacUserByName(final String userName) {
 return jpaAttempt.transacted(() -> {
- context.define("mike@hostsharing.net");
+ context.define("mike@example.org");
 return rbacUserRepository.findByName(userName);
 }).returnedValue();
 }
diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserRepositoryIntegrationTest.java
index e34776bc..fc9bb63a 100644
--- a/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserRepositoryIntegrationTest.java
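Review bot: `findRbacUserByName` in the last hunk here (-399) resolves every lookup as the global admin `mike@example.org` inside its own `jpaAttempt.transacted(...)` call, which is what lets tests that exercise a restricted user still fetch their fixture user, but the method carries no documentation saying that this privilege escalation is confined to fixture setup. A reader could reasonably call it from the part of a test that is supposed to run with the reduced privileges under test and silently widen them. Suggested Javadoc on the method: `/** Fixture helper: looks the user up as the global admin in a separate transaction so the calling test's own (possibly restricted) context is untouched; not for use in the behaviour under test. */`.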
@@ -93,7 +93,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
 private static final String[] ALL_TEST_DATA_USERS = Array.of(
 // @formatter:off
- "mike@hostsharing.net", "sven@hostsharing.net",
+ "mike@example.org", "sven@example.org",
 "customer-admin@xxx.example.com",
 "pac-admin-xxx00@xxx.example.com", "pac-admin-xxx01@xxx.example.com", "pac-admin-xxx02@xxx.example.com",
 "customer-admin@yyy.example.com",
@@ -104,9 +104,9 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
 );
 @Test
- public void hostsharingAdmin_withoutAssumedRole_canViewAllRbacUsers() {
+ public void testGlobalAdmin_withoutAssumedRole_canViewAllRbacUsers() {
 // given
- context("mike@hostsharing.net");
+ context("mike@example.org");
 // when
 final var result = rbacUserRepository.findByOptionalNameLike(null);
@@ -116,9 +116,9 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
 }
 @Test
- public void hostsharingAdmin_withAssumedHostsharingAdminRole_canViewAllRbacUsers() {
+ public void testGlobalAdmin_withAssumedtestGlobalAdminRole_canViewAllRbacUsers() {
 given:
- context("mike@hostsharing.net", "global#hostsharing.admin");
+ context("mike@example.org", "global#test-global.admin");
 // when
 final var result = rbacUserRepository.findByOptionalNameLike(null);
@@ -128,9 +128,9 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
 }
 @Test
- public void hostsharingAdmin_withAssumedCustomerAdminRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() {
+ public void testGlobalAdmin_withAssumedCustomerAdminRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() {
 given:
- context("mike@hostsharing.net", "customer#xxx.admin");
+ context("mike@example.org", "test_customer#xxx.admin");
 // when
 final var result = rbacUserRepository.findByOptionalNameLike(null);
@@ -161,7 +161,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
 @Test
 public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyUsersHavingRolesInThatPackage() {
- context("customer-admin@xxx.example.com", "package#xxx00.admin");
+ context("customer-admin@xxx.example.com", "test_package#xxx00.admin");
 final var result = rbacUserRepository.findByOptionalNameLike(null);
@@ -184,59 +184,59 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
 private static final String[] ALL_USER_PERMISSIONS = Array.of(
 // @formatter:off
- "global#hostsharing.admin -> global#hostsharing: add-customer",
+ "global#test-global.admin -> global#test-global: add-customer",
- "customer#xxx.admin -> customer#xxx: add-package",
- "customer#xxx.admin -> customer#xxx: view",
- "customer#xxx.owner -> customer#xxx: *",
- "customer#xxx.tenant -> customer#xxx: view",
- "package#xxx00.admin -> package#xxx00: add-domain",
- "package#xxx00.admin -> package#xxx00: add-unixuser",
- "package#xxx00.tenant -> package#xxx00: view",
- "package#xxx01.admin -> package#xxx01: add-domain",
- "package#xxx01.admin -> package#xxx01: add-unixuser",
- "package#xxx01.tenant -> package#xxx01: view",
- "package#xxx02.admin -> package#xxx02: add-domain",
- "package#xxx02.admin -> package#xxx02: add-unixuser",
- "package#xxx02.tenant -> package#xxx02: view",
+ "test_customer#xxx.admin -> test_customer#xxx: add-package",
+ "test_customer#xxx.admin -> test_customer#xxx: view",
+ "test_customer#xxx.owner -> test_customer#xxx: *",
+ "test_customer#xxx.tenant -> test_customer#xxx: view",
+ "test_package#xxx00.admin -> test_package#xxx00: add-domain",
+ "test_package#xxx00.admin -> test_package#xxx00: add-unixuser",
+ "test_package#xxx00.tenant -> test_package#xxx00: view",
+ "test_package#xxx01.admin -> test_package#xxx01: add-domain",
+ "test_package#xxx01.admin -> test_package#xxx01: add-unixuser",
+ "test_package#xxx01.tenant -> test_package#xxx01: view",
+ "test_package#xxx02.admin -> test_package#xxx02: add-domain",
+ "test_package#xxx02.admin -> test_package#xxx02: add-unixuser",
+ "test_package#xxx02.tenant -> test_package#xxx02: view",
- "customer#yyy.admin -> customer#yyy: add-package",
- "customer#yyy.admin -> customer#yyy: view",
- "customer#yyy.owner -> customer#yyy: *",
- "customer#yyy.tenant -> customer#yyy: view",
- "package#yyy00.admin -> package#yyy00:
add-domain",
- "package#yyy00.admin -> package#yyy00: add-unixuser",
- "package#yyy00.tenant -> package#yyy00: view",
- "package#yyy01.admin -> package#yyy01: add-domain",
- "package#yyy01.admin -> package#yyy01: add-unixuser",
- "package#yyy01.tenant -> package#yyy01: view",
- "package#yyy02.admin -> package#yyy02: add-domain",
- "package#yyy02.admin -> package#yyy02: add-unixuser",
- "package#yyy02.tenant -> package#yyy02: view",
+ "test_customer#yyy.admin -> test_customer#yyy: add-package",
+ "test_customer#yyy.admin -> test_customer#yyy: view",
+ "test_customer#yyy.owner -> test_customer#yyy: *",
+ "test_customer#yyy.tenant -> test_customer#yyy: view",
+ "test_package#yyy00.admin -> test_package#yyy00: add-domain",
+ "test_package#yyy00.admin -> test_package#yyy00: add-unixuser",
+ "test_package#yyy00.tenant -> test_package#yyy00: view",
+ "test_package#yyy01.admin -> test_package#yyy01: add-domain",
+ "test_package#yyy01.admin -> test_package#yyy01: add-unixuser",
+ "test_package#yyy01.tenant -> test_package#yyy01: view",
+ "test_package#yyy02.admin -> test_package#yyy02: add-domain",
+ "test_package#yyy02.admin -> test_package#yyy02: add-unixuser",
+ "test_package#yyy02.tenant -> test_package#yyy02: view",
- "customer#zzz.admin -> customer#zzz: add-package",
- "customer#zzz.admin -> customer#zzz: view",
- "customer#zzz.owner -> customer#zzz: *",
- "customer#zzz.tenant -> customer#zzz: view",
- "package#zzz00.admin -> package#zzz00: add-domain",
- "package#zzz00.admin -> package#zzz00: add-unixuser",
- "package#zzz00.tenant -> package#zzz00: view",
- "package#zzz01.admin -> package#zzz01: add-domain",
- "package#zzz01.admin -> package#zzz01: add-unixuser",
- "package#zzz01.tenant -> package#zzz01: view",
- "package#zzz02.admin -> package#zzz02: add-domain",
- "package#zzz02.admin -> package#zzz02: add-unixuser",
- "package#zzz02.tenant -> package#zzz02: view"
+ "test_customer#zzz.admin -> test_customer#zzz: add-package",
+ "test_customer#zzz.admin ->
test_customer#zzz: view",
+ "test_customer#zzz.owner -> test_customer#zzz: *",
+ "test_customer#zzz.tenant -> test_customer#zzz: view",
+ "test_package#zzz00.admin -> test_package#zzz00: add-domain",
+ "test_package#zzz00.admin -> test_package#zzz00: add-unixuser",
+ "test_package#zzz00.tenant -> test_package#zzz00: view",
+ "test_package#zzz01.admin -> test_package#zzz01: add-domain",
+ "test_package#zzz01.admin -> test_package#zzz01: add-unixuser",
+ "test_package#zzz01.tenant -> test_package#zzz01: view",
+ "test_package#zzz02.admin -> test_package#zzz02: add-domain",
+ "test_package#zzz02.admin -> test_package#zzz02: add-unixuser",
+ "test_package#zzz02.tenant -> test_package#zzz02: view"
 // @formatter:on
 );
 @Test
- public void hostsharingAdmin_withoutAssumedRole_canViewTheirOwnPermissions() {
+ public void testGlobalAdmin_withoutAssumedRole_canViewTheirOwnPermissions() {
 // given
- context("mike@hostsharing.net");
+ context("mike@example.org");
 // when
- final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("mike@hostsharing.net"));
+ final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("mike@example.org"));
 // then
 allTheseRbacPermissionsAreReturned(result, ALL_USER_PERMISSIONS);
@@ -254,32 +254,32 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
 allTheseRbacPermissionsAreReturned(
 result,
 // @formatter:off
- "customer#xxx.admin -> customer#xxx: add-package",
- "customer#xxx.admin -> customer#xxx: view",
- "customer#xxx.tenant -> customer#xxx: view",
+ "test_customer#xxx.admin -> test_customer#xxx: add-package",
+ "test_customer#xxx.admin -> test_customer#xxx: view",
+ "test_customer#xxx.tenant -> test_customer#xxx: view",
- "package#xxx00.admin -> package#xxx00: add-domain",
- "package#xxx00.admin -> package#xxx00: add-unixuser",
- "package#xxx00.tenant -> package#xxx00: view",
- "unixuser#xxx00-aaaa.owner -> unixuser#xxx00-aaaa: *",
+ "test_package#xxx00.admin -> test_package#xxx00: add-domain",
+ "test_package#xxx00.admin -> test_package#xxx00: add-unixuser",
+ "test_package#xxx00.tenant -> test_package#xxx00: view",
+ "test_unixuser#xxx00-aaaa.owner -> test_unixuser#xxx00-aaaa: *",
- "package#xxx01.admin -> package#xxx01: add-domain",
- "package#xxx01.admin -> package#xxx01: add-unixuser",
- "package#xxx01.tenant -> package#xxx01: view",
- "unixuser#xxx01-aaaa.owner -> unixuser#xxx01-aaaa: *",
+ "test_package#xxx01.admin -> test_package#xxx01: add-domain",
+ "test_package#xxx01.admin -> test_package#xxx01: add-unixuser",
+ "test_package#xxx01.tenant -> test_package#xxx01: view",
+ "test_unixuser#xxx01-aaaa.owner -> test_unixuser#xxx01-aaaa: *",
- "package#xxx02.admin -> package#xxx02: add-domain",
- "package#xxx02.admin -> package#xxx02: add-unixuser",
- "package#xxx02.tenant -> package#xxx02: view",
- "unixuser#xxx02-aaaa.owner -> unixuser#xxx02-aaaa: *"
+ "test_package#xxx02.admin -> test_package#xxx02: add-domain",
+ "test_package#xxx02.admin -> test_package#xxx02: add-unixuser",
+ "test_package#xxx02.tenant -> test_package#xxx02: view",
+ "test_unixuser#xxx02-aaaa.owner -> test_unixuser#xxx02-aaaa: *"
 // @formatter:on
 );
 noneOfTheseRbacPermissionsAreReturned(
 result,
 // @formatter:off
- "customer#yyy.admin ->
customer#yyy: add-package",
- "customer#yyy.admin -> customer#yyy: view",
- "customer#yyy.tenant -> customer#yyy: view"
+ "test_customer#yyy.admin -> test_customer#yyy: add-package",
+ "test_customer#yyy.admin -> test_customer#yyy: view",
+ "test_customer#yyy.tenant -> test_customer#yyy: view"
 // @formatter:on
 );
 }
@@ -288,7 +288,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
 public void customerAdmin_withoutAssumedRole_isNotAllowedToViewGlobalAdminsPermissions() {
 // given
 context("customer-admin@xxx.example.com");
- final UUID userUuid = userUUID("mike@hostsharing.net");
+ final UUID userUuid = userUUID("mike@example.org");
 // when
 final var result = attempt(em, () ->
@@ -314,26 +314,26 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
 allTheseRbacPermissionsAreReturned(
 result,
 // @formatter:off
- "customer#xxx.tenant -> customer#xxx: view",
- // "customer#xxx.admin -> customer#xxx: view" - Not permissions through the customer admin!
- "package#xxx00.admin -> package#xxx00: add-unixuser",
- "package#xxx00.admin -> package#xxx00: add-domain",
- "package#xxx00.tenant -> package#xxx00: view",
- "unixuser#xxx00-aaaa.owner -> unixuser#xxx00-aaaa: *",
- "unixuser#xxx00-aaab.owner -> unixuser#xxx00-aaab: *"
+ "test_customer#xxx.tenant -> test_customer#xxx: view",
+ // "test_customer#xxx.admin -> test_customer#xxx: view" - Not permissions through the customer admin!
+ "test_package#xxx00.admin -> test_package#xxx00: add-unixuser",
+ "test_package#xxx00.admin -> test_package#xxx00: add-domain",
+ "test_package#xxx00.tenant -> test_package#xxx00: view",
+ "test_unixuser#xxx00-aaaa.owner -> test_unixuser#xxx00-aaaa: *",
+ "test_unixuser#xxx00-aaab.owner -> test_unixuser#xxx00-aaab: *"
 // @formatter:on
 );
 noneOfTheseRbacPermissionsAreReturned(
 result,
 // @formatter:off
- "customer#yyy.admin -> customer#yyy: add-package",
- "customer#yyy.admin -> customer#yyy: view",
- "customer#yyy.tenant -> customer#yyy: view",
- "package#yyy00.admin -> package#yyy00: add-unixuser",
- "package#yyy00.admin -> package#yyy00: add-domain",
- "package#yyy00.tenant -> package#yyy00: view",
- "unixuser#yyy00-aaaa.owner -> unixuser#yyy00-aaaa: *",
- "unixuser#yyy00-aaab.owner -> unixuser#yyy00-aaab: *"
+ "test_customer#yyy.admin -> test_customer#yyy: add-package",
+ "test_customer#yyy.admin -> test_customer#yyy: view",
+ "test_customer#yyy.tenant -> test_customer#yyy: view",
+ "test_package#yyy00.admin -> test_package#yyy00: add-unixuser",
+ "test_package#yyy00.admin -> test_package#yyy00: add-domain",
+ "test_package#yyy00.tenant -> test_package#yyy00: view",
+ "test_unixuser#yyy00-aaaa.owner -> test_unixuser#yyy00-aaaa: *",
+ "test_unixuser#yyy00-aaab.owner -> test_unixuser#yyy00-aaab: *"
 // @formatter:on
 );
 }
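Review bot: The negative list passed to `noneOfTheseRbacPermissionsAreReturned` only covers objects of the other customer (yyy), so a leak of the xxx customer admin's own permissions into the role under test would go unnoticed; the entry that is commented out in the positive list, `"test_customer#xxx.admin -> test_customer#xxx: view"`, should be asserted as absent in the negative list, together with `"test_customer#xxx.admin -> test_customer#xxx: add-package"`. The hunk at -362 has the same gap: under `// no customer admin permissions` it excludes only `add-package` and leaves the admin `view` permission unchecked. The test method's signature and the role it assumes are outside the hunk, so the intent is inferred from the "Not permissions through the customer admin!" comment.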
@@ -362,27 +362,27 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
 allTheseRbacPermissionsAreReturned(
 result,
 // @formatter:off
- "customer#xxx.tenant -> customer#xxx: view",
- // "customer#xxx.admin -> customer#xxx: view" - Not permissions through the customer admin!
- "package#xxx00.admin -> package#xxx00: add-unixuser",
- "package#xxx00.admin -> package#xxx00: add-domain",
- "package#xxx00.tenant -> package#xxx00: view"
+ "test_customer#xxx.tenant -> test_customer#xxx: view",
+ // "test_customer#xxx.admin -> test_customer#xxx: view" - Not permissions through the customer admin!
+ "test_package#xxx00.admin -> test_package#xxx00: add-unixuser",
+ "test_package#xxx00.admin -> test_package#xxx00: add-domain",
+ "test_package#xxx00.tenant -> test_package#xxx00: view"
 // @formatter:on
 );
 noneOfTheseRbacPermissionsAreReturned(
 result,
 // @formatter:off
 // no customer admin permissions
- "customer#xxx.admin -> customer#xxx: add-package",
+ "test_customer#xxx.admin -> test_customer#xxx: add-package",
 // no permissions on other customer's objects
- "customer#yyy.admin -> customer#yyy: add-package",
- "customer#yyy.admin -> customer#yyy: view",
- "customer#yyy.tenant -> customer#yyy: view",
- "package#yyy00.admin -> package#yyy00: add-unixuser",
- "package#yyy00.admin -> package#yyy00: add-domain",
- "package#yyy00.tenant -> package#yyy00: view",
- "unixuser#yyy00-aaaa.owner -> unixuser#yyy00-aaaa: *",
- "unixuser#yyy00-xxxb.owner -> unixuser#yyy00-xxxb: *"
+ "test_customer#yyy.admin -> test_customer#yyy: add-package",
+ "test_customer#yyy.admin -> test_customer#yyy: view",
+ "test_customer#yyy.tenant -> test_customer#yyy: view",
+ "test_package#yyy00.admin -> test_package#yyy00: add-unixuser",
+ "test_package#yyy00.admin -> test_package#yyy00: add-domain",
+ "test_package#yyy00.tenant -> test_package#yyy00: view",
+ "test_unixuser#yyy00-aaaa.owner -> test_unixuser#yyy00-aaaa: *",
+ "test_unixuser#yyy00-xxxb.owner -> test_unixuser#yyy00-xxxb: *"
 // @formatter:on
 );
 }
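Review bot: The last entry of the negative list, `"test_unixuser#yyy00-xxxb.owner -> test_unixuser#yyy00-xxxb: *"`, names a unix user `yyy00-xxxb`, whereas the hunk at -314 uses `yyy00-aaab` as the second unix user of the same package; if `yyy00-xxxb` does not exist in the fixture data, this assertion is vacuous, because a permission on a non-existent object can never be returned, and it should read `"test_unixuser#yyy00-aaab.owner -> test_unixuser#yyy00-aaab: *"`. Building these expectation strings from shared fixture constants rather than hand-typed literals would have made such a mismatch a compile-time error instead of a silently passing check. The test method's signature is outside the hunk.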