use customer/package/unixuser only as test data structure (DB part)

This commit is contained in:
Michael Hoennig 2022-08-31 09:42:40 +02:00
parent 817c1a9e58
commit a33cb4ec29
33 changed files with 603 additions and 595 deletions


@ -65,22 +65,22 @@ If you have at least Docker, the Java JDK and Gradle installed in appropriate ve
# the following command should return a JSON array with just all customers: # the following command should return a JSON array with just all customers:
curl \ curl \
-H 'current-user: mike@hostsharing.net' \ -H 'current-user: mike@example.org' \
http://localhost:8080/api/customers http://localhost:8080/api/customers
# the following command should return a JSON array with just all packages visible for the admin of the customer yyy: # the following command should return a JSON array with just all packages visible for the admin of the customer yyy:
curl \ curl \
-H 'current-user: mike@hostsharing.net' -H 'assumed-roles: customer#yyy.admin' \ -H 'current-user: mike@example.org' -H 'assumed-roles: test_customer#yyy.admin' \
http://localhost:8080/api/packages http://localhost:8080/api/packages
# add a new customer # add a new customer
curl \ curl \
-H 'current-user: mike@hostsharing.net' -H "Content-Type: application/json" \ -H 'current-user: mike@example.org' -H "Content-Type: application/json" \
-d '{ "prefix":"ttt", "reference":80001, "adminUserName":"admin@ttt.example.com" }' \ -d '{ "prefix":"ttt", "reference":80001, "adminUserName":"admin@ttt.example.com" }' \
-X POST http://localhost:8080/api/customers -X POST http://localhost:8080/api/customers
If you wonder who 'mike@hostsharing.net' and 'sven@hostsharing.net' are and where the data comes from: If you wonder who 'mike@example.org' and 'sven@example.org' are and where the data comes from:
Mike and Sven are just example Hostsharing hostmaster accounts as part of the example data which is automatically inserted in Testcontainers and Development environments. Mike and Sven are just example global admin accounts as part of the example data which is automatically inserted in Testcontainers and Development environments.
Also try for example 'admin@xxx.example.com' or 'unknown@example.org'. Also try for example 'admin@xxx.example.com' or 'unknown@example.org'.
If you want a formatted JSON output, you can pipe the result to `jq` or similar. If you want a formatted JSON output, you can pipe the result to `jq` or similar.


@ -64,7 +64,7 @@ begin
domainOwnerRoleUuid = createRole( domainOwnerRoleUuid = createRole(
domainOwner(NEW), domainOwner(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']), grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
beneathRole(packageAdmin(parentPackage)) beneathRole(testPackageAdmin(parentPackage))
); );
-- a domain admin role is created and assigned to the domain's owner role -- a domain admin role is created and assigned to the domain's owner role


@ -17,21 +17,21 @@ BEGIN
-- hostmaster accessing a single customer -- hostmaster accessing a single customer
SET SESSION SESSION AUTHORIZATION restricted; SET SESSION SESSION AUTHORIZATION restricted;
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net'; SET LOCAL hsadminng.currentUser = 'mike@example.org';
SET LOCAL hsadminng.assumedRoles = ''; SET LOCAL hsadminng.assumedRoles = '';
-- SELECT * -- SELECT *
SELECT count(*) INTO resultCount SELECT count(*) INTO resultCount
from customer_rv c from test_customer_rv c
where c.prefix='aab'; where c.prefix='aab';
call expectBetween(resultCount, 1, 1); call expectBetween(resultCount, 1, 1);
-- hostmaster listing all customers -- hostmaster listing all customers
SET SESSION SESSION AUTHORIZATION restricted; SET SESSION SESSION AUTHORIZATION restricted;
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net'; SET LOCAL hsadminng.currentUser = 'mike@example.org';
SET LOCAL hsadminng.assumedRoles = ''; SET LOCAL hsadminng.assumedRoles = '';
-- SELECT * -- SELECT *
SELECT count(*) INTO resultCount SELECT count(*) INTO resultCount
FROM customer_rv; FROM test_customer_rv;
call expectBetween(resultCount, 10, 20000); call expectBetween(resultCount, 10, 20000);
-- customer admin listing all their packages -- customer admin listing all their packages
@ -40,7 +40,7 @@ BEGIN
SET LOCAL hsadminng.assumedRoles = ''; SET LOCAL hsadminng.assumedRoles = '';
-- SELECT * -- SELECT *
SELECT count(*) INTO resultCount SELECT count(*) INTO resultCount
FROM package_rv; FROM test_package_rv;
call expectBetween(resultCount, 2, 10); call expectBetween(resultCount, 2, 10);
-- cutomer admin listing all their unix users -- cutomer admin listing all their unix users
@ -54,49 +54,49 @@ BEGIN
-- hostsharing admin assuming customer role and listing all accessible packages -- hostsharing admin assuming customer role and listing all accessible packages
SET SESSION SESSION AUTHORIZATION restricted; SET SESSION SESSION AUTHORIZATION restricted;
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net'; SET LOCAL hsadminng.currentUser = 'mike@example.org';
SET LOCAL hsadminng.assumedRoles = 'customer#aaa.admin;customer#aab.admin'; SET LOCAL hsadminng.assumedRoles = 'test_customer#aaa.admin;test_customer#aab.admin';
-- SELECT * -- SELECT *
SELECT count(*) INTO resultCount SELECT count(*) INTO resultCount
FROM package_rv p; FROM test_package_rv p;
call expectBetween(resultCount, 2, 10); call expectBetween(resultCount, 2, 10);
-- hostsharing admin assuming two customer admin roles and listing all accessible unixusers -- hostsharing admin assuming two customer admin roles and listing all accessible unixusers
SET SESSION SESSION AUTHORIZATION restricted; SET SESSION SESSION AUTHORIZATION restricted;
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net'; SET LOCAL hsadminng.currentUser = 'mike@example.org';
SET LOCAL hsadminng.assumedRoles = 'customer#aab.admin;customer#aac.admin'; SET LOCAL hsadminng.assumedRoles = 'test_customer#aab.admin;test_customer#aac.admin';
-- SELECT c.prefix, c.reference, uu.* -- SELECT c.prefix, c.reference, uu.*
SELECT count(*) INTO resultCount SELECT count(*) INTO resultCount
FROM unixuser_rv uu FROM unixuser_rv uu
JOIN package_rv p ON p.uuid = uu.packageuuid JOIN test_package_rv p ON p.uuid = uu.packageuuid
JOIN customer_rv c ON c.uuid = p.customeruuid; JOIN test_customer_rv c ON c.uuid = p.customeruuid;
call expectBetween(resultCount, 40, 60); call expectBetween(resultCount, 40, 60);
-- hostsharing admin assuming two customer admin roles and listing all accessible domains -- hostsharing admin assuming two customer admin roles and listing all accessible domains
-- ABORT; START TRANSACTION; -- ABORT; START TRANSACTION;
SET SESSION SESSION AUTHORIZATION restricted; SET SESSION SESSION AUTHORIZATION restricted;
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net'; SET LOCAL hsadminng.currentUser = 'mike@example.org';
SET LOCAL hsadminng.assumedRoles = 'customer#aac.admin;customer#aad.admin'; SET LOCAL hsadminng.assumedRoles = 'test_customer#aac.admin;test_customer#aad.admin';
-- SELECT p.name, uu.name, dom.name -- SELECT p.name, uu.name, dom.name
SELECT count(*) INTO resultCount SELECT count(*) INTO resultCount
FROM domain_rv dom FROM domain_rv dom
JOIN unixuser_rv uu ON uu.uuid = dom.unixuseruuid JOIN unixuser_rv uu ON uu.uuid = dom.unixuseruuid
JOIN package_rv p ON p.uuid = uu.packageuuid JOIN test_package_rv p ON p.uuid = uu.packageuuid
JOIN customer_rv c ON c.uuid = p.customeruuid; JOIN test_customer_rv c ON c.uuid = p.customeruuid;
call expectBetween(resultCount, 20, 40); call expectBetween(resultCount, 20, 40);
-- hostsharing admin assuming two customer admin roles and listing all accessible email addresses -- hostsharing admin assuming two customer admin roles and listing all accessible email addresses
-- ABORT; START TRANSACTION; -- ABORT; START TRANSACTION;
SET SESSION SESSION AUTHORIZATION restricted; SET SESSION SESSION AUTHORIZATION restricted;
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net'; SET LOCAL hsadminng.currentUser = 'mike@example.org';
SET LOCAL hsadminng.assumedRoles = 'customer#aae.admin;customer#aaf.admin'; SET LOCAL hsadminng.assumedRoles = 'test_customer#aae.admin;test_customer#aaf.admin';
-- SELECT c.prefix, p.name as "package", ema.localPart || '@' || dom.name as "email-address" -- SELECT c.prefix, p.name as "package", ema.localPart || '@' || dom.name as "email-address"
SELECT count(*) INTO resultCount SELECT count(*) INTO resultCount
FROM emailaddress_rv ema FROM emailaddress_rv ema
JOIN domain_rv dom ON dom.uuid = ema.domainuuid JOIN domain_rv dom ON dom.uuid = ema.domainuuid
JOIN unixuser_rv uu ON uu.uuid = dom.unixuseruuid JOIN unixuser_rv uu ON uu.uuid = dom.unixuseruuid
JOIN package_rv p ON p.uuid = uu.packageuuid JOIN test_package_rv p ON p.uuid = uu.packageuuid
JOIN customer_rv c ON c.uuid = p.customeruuid; JOIN test_customer_rv c ON c.uuid = p.customeruuid;
call expectBetween(resultCount, 100, 300); call expectBetween(resultCount, 100, 300);
-- ~170ms -- ~170ms


@ -3,16 +3,16 @@
-- -------------------------------------------------------- -- --------------------------------------------------------
select isGranted(findRoleId('administrators'), findRoleId('package#aaa00.owner')); select isGranted(findRoleId('administrators'), findRoleId('test_package#aaa00.owner'));
select isGranted(findRoleId('package#aaa00.owner'), findRoleId('administrators')); select isGranted(findRoleId('test_package#aaa00.owner'), findRoleId('administrators'));
-- call grantRoleToRole(findRoleId('package#aaa00.owner'), findRoleId('administrators')); -- call grantRoleToRole(findRoleId('test_package#aaa00.owner'), findRoleId('administrators'));
-- call grantRoleToRole(findRoleId('administrators'), findRoleId('package#aaa00.owner')); -- call grantRoleToRole(findRoleId('administrators'), findRoleId('test_package#aaa00.owner'));
select count(*) select count(*)
FROM queryAllPermissionsOfSubjectIdForObjectUuids(findRbacUser('sven@hostsharing.net'), FROM queryAllPermissionsOfSubjectIdForObjectUuids(findRbacUser('sven@example.org'),
ARRAY(select uuid from customer where reference < 1100000)); ARRAY(select uuid from customer where reference < 1100000));
select count(*) select count(*)
FROM queryAllPermissionsOfSubjectId(findRbacUser('sven@hostsharing.net')); FROM queryAllPermissionsOfSubjectId(findRbacUser('sven@example.org'));
select * select *
FROM queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com')); FROM queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com'));
select * select *
@ -33,7 +33,7 @@ $$
userId uuid; userId uuid;
result bool; result bool;
BEGIN BEGIN
userId = findRbacUser('mike@hostsharing.net'); userId = findRbacUser('mike@example.org');
result = (SELECT * FROM isPermissionGrantedToSubject(findPermissionId('package', 94928, 'add-package'), userId)); result = (SELECT * FROM isPermissionGrantedToSubject(findPermissionId('package', 94928, 'add-package'), userId));
IF (result) THEN IF (result) THEN
RAISE EXCEPTION 'expected permission NOT to be granted, but it is'; RAISE EXCEPTION 'expected permission NOT to be granted, but it is';
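Review bot: `ARRAY(select uuid from customer where reference < 1100000)` right after the `sven@example.org` rename still reads table `customer`, although this commit renames that table to `test_customer`, and `findPermissionId('package', 94928, 'add-package')` in the second hunk keeps the old `'package'` object-table name while the role lookups above were switched to `test_package#...`. If these scripts are still meant to be executable, the first statement fails on a missing relation and the second resolves a permission under a name that no longer exists, so the "expected permission NOT to be granted" check passes without testing anything. The same half-rename appears in the next file section, where `findPermissionId('test_customer', ...)` and `p.objectTable='test_customer'` are paired with `ON customer`, `FROM customer` and `FROM customer AS c`. I would change these to `from test_customer`, `findPermissionId('test_package', 94928, 'add-package')` and `FROM test_customer` respectively, or mark the file as stale scratch SQL in a header comment so nobody relies on it.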


@ -20,7 +20,7 @@ CREATE POLICY customer_policy ON customer
TO restricted TO restricted
USING ( USING (
-- id=1000 -- id=1000
isPermissionGrantedToSubject(findPermissionId('customer', id, 'view'), currentUserUuid()) isPermissionGrantedToSubject(findPermissionId('test_customer', id, 'view'), currentUserUuid())
); );
SET SESSION AUTHORIZATION restricted; SET SESSION AUTHORIZATION restricted;
@ -35,10 +35,10 @@ SELECT * FROM customer;
CREATE OR REPLACE RULE "_RETURN" AS CREATE OR REPLACE RULE "_RETURN" AS
ON SELECT TO cust_view ON SELECT TO cust_view
DO INSTEAD DO INSTEAD
SELECT * FROM customer WHERE isPermissionGrantedToSubject(findPermissionId('customer', id, 'view'), currentUserUuid()); SELECT * FROM customer WHERE isPermissionGrantedToSubject(findPermissionId('test_customer', id, 'view'), currentUserUuid());
SELECT * from cust_view LIMIT 10; SELECT * from cust_view LIMIT 10;
select queryAllPermissionsOfSubjectId(findRbacUser('mike@hostsharing.net')); select queryAllPermissionsOfSubjectId(findRbacUser('mike@example.org'));
-- access control via view-rule with join to recursive permissions - really fast (38ms for 1 million rows) -- access control via view-rule with join to recursive permissions - really fast (38ms for 1 million rows)
SET SESSION SESSION AUTHORIZATION DEFAULT; SET SESSION SESSION AUTHORIZATION DEFAULT;
@ -52,7 +52,7 @@ CREATE OR REPLACE RULE "_RETURN" AS
DO INSTEAD DO INSTEAD
SELECT c.uuid, c.reference, c.prefix FROM customer AS c SELECT c.uuid, c.reference, c.prefix FROM customer AS c
JOIN queryAllPermissionsOfSubjectId(currentUserUuid()) AS p JOIN queryAllPermissionsOfSubjectId(currentUserUuid()) AS p
ON p.objectTable='customer' AND p.objectUuid=c.uuid AND p.op in ('*', 'view'); ON p.objectTable='test_customer' AND p.objectUuid=c.uuid AND p.op in ('*', 'view');
GRANT ALL PRIVILEGES ON cust_view TO restricted; GRANT ALL PRIVILEGES ON cust_view TO restricted;
SET SESSION SESSION AUTHORIZATION restricted; SET SESSION SESSION AUTHORIZATION restricted;
@ -73,7 +73,7 @@ GRANT ALL PRIVILEGES ON cust_view TO restricted;
SET SESSION SESSION AUTHORIZATION restricted; SET SESSION SESSION AUTHORIZATION restricted;
-- SET hsadminng.currentUser TO 'alex@example.com'; -- SET hsadminng.currentUser TO 'alex@example.com';
SET hsadminng.currentUser TO 'mike@hostsharing.net'; SET hsadminng.currentUser TO 'mike@example.org';
-- SET hsadminng.currentUser TO 'aaaaouq@example.com'; -- SET hsadminng.currentUser TO 'aaaaouq@example.com';
SELECT * from cust_view where reference=1144150; SELECT * from cust_view where reference=1144150;
@ -81,9 +81,9 @@ select rr.uuid, rr.type from RbacGrants g
join RbacReference RR on g.ascendantUuid = RR.uuid join RbacReference RR on g.ascendantUuid = RR.uuid
where g.descendantUuid in ( where g.descendantUuid in (
select uuid from queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com')) select uuid from queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com'))
where objectTable='customer' and op in ('*', 'view')); where objectTable='test_customer' and op in ('*', 'view'));
call grantRoleToUser(findRoleId('customer#aaa.admin'), findRbacUser('aaaaouq@example.com')); call grantRoleToUser(findRoleId('test_customer#aaa.admin'), findRbacUser('aaaaouq@example.com'));
select queryAllPermissionsOfSubjectId(findRbacUser('aaaaouq@example.com')); select queryAllPermissionsOfSubjectId(findRbacUser('aaaaouq@example.com'));


@ -9,7 +9,7 @@ import javax.persistence.*;
import java.util.UUID; import java.util.UUID;
@Entity @Entity
@Table(name = "customer_rv") @Table(name = "test_customer_rv")
@Getter @Getter
@Setter @Setter
@NoArgsConstructor @NoArgsConstructor


@ -10,7 +10,7 @@ import javax.persistence.*;
import java.util.UUID; import java.util.UUID;
@Entity @Entity
@Table(name = "package_rv") @Table(name = "test_package_rv")
@Getter @Getter
@Setter @Setter
@NoArgsConstructor @NoArgsConstructor


@ -152,8 +152,14 @@ create or replace function pureIdentifier(rawIdentifier varchar)
returns varchar returns varchar
returns null on null input returns null on null input
language plpgsql as $$ language plpgsql as $$
declare
cleanIdentifier varchar;
begin begin
return regexp_replace(rawIdentifier, '\W+', ''); cleanIdentifier := regexp_replace(rawIdentifier, '[^A-Za-z0-9\-._]+', '', 'g');
if cleanIdentifier != rawIdentifier then
raise exception 'identifier "%" contains invalid characters, maybe use "%"', rawIdentifier, cleanIdentifier;
end if;
return cleanIdentifier;
end; $$; end; $$;
create or replace function findObjectUuidByIdName(objectTable varchar, objectIdName varchar) create or replace function findObjectUuidByIdName(objectTable varchar, objectIdName varchar)
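Review bot: The new `pureIdentifier` still accepts the empty string, because `regexp_replace('', …)` yields `''`, which equals the input and so passes the `cleanIdentifier != rawIdentifier` check; if an empty identifier is never legitimate here (it presumably feeds dynamic SQL, given `findObjectUuidByIdName` right below), tighten the guard to `if cleanIdentifier != rawIdentifier or cleanIdentifier = '' then`. The behaviour also changed from silently stripping to rejecting, and the allowed set (letters, digits, `-`, `.`, `_`) is now the contract, so a short comment above the function such as `-- Validates an identifier against [A-Za-z0-9-._]; raises instead of sanitizing so callers cannot pass unexpected characters into generated SQL` would save the next reader from re-deriving it from the pattern. No volatility marker is visible in the hunk; if the definition really has none, `immutable` would be accurate for a pure string check.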


@ -228,6 +228,9 @@ begin
roleTypeFromRoleIdName = split_part(roleParts, '#', 3); roleTypeFromRoleIdName = split_part(roleParts, '#', 3);
objectUuidOfRole = findObjectUuidByIdName(objectTableFromRoleIdName, objectNameFromRoleIdName); objectUuidOfRole = findObjectUuidByIdName(objectTableFromRoleIdName, objectNameFromRoleIdName);
raise notice $sql$findObjectUuidByIdName('%', '%') = %;$sql$, objectTableFromRoleIdName, objectNameFromRoleIdName, objectUuidOfRole;
raise notice 'finding %, % (%), %', objectTableFromRoleIdName, objectNameFromRoleIdName, objectUuidOfRole, roleTypeFromRoleIdName;
select uuid select uuid
from RbacRole from RbacRole
where objectUuid = objectUuidOfRole where objectUuid = objectUuidOfRole
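Review bot: The two added `raise notice` lines look like leftover debugging output: they fire on every role lookup, and the first one is dollar-quoted as `$sql$findObjectUuidByIdName('%', '%') = %;$sql$`, which prints a SQL-looking fragment into the client log rather than a readable message. Either drop them or downgrade to `raise debug 'finding %, % (%), %', objectTableFromRoleIdName, objectNameFromRoleIdName, objectUuidOfRole, roleTypeFromRoleIdName;` so the trace is only emitted when `client_min_messages` asks for it. The enclosing function begins and ends outside this hunk.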


@ -1,7 +1,7 @@
--liquibase formatted sql --liquibase formatted sql
-- ============================================================================ -- ============================================================================
--changeset hs-base-GLOBAL-OBJECT:1 endDelimiter:--// --changeset test-base-GLOBAL-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/** /**
@ -12,32 +12,32 @@ begin transaction;
insert insert
into RbacObject (objecttable) values ('global'); into RbacObject (objecttable) values ('global');
insert insert
into Global (uuid, name) values ((select uuid from RbacObject where objectTable = 'global'), 'hostsharing'); into Global (uuid, name) values ((select uuid from RbacObject where objectTable = 'global'), 'test-global');
commit; commit;
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-base-ADMIN-ROLE:1 endDelimiter:--// --changeset test-base-ADMIN-ROLE:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
A global administrator role. A global administrator role.
*/ */
create or replace function hostsharingAdmin() create or replace function testGlobalAdmin()
returns RbacRoleDescriptor returns RbacRoleDescriptor
returns null on null input returns null on null input
stable leakproof stable leakproof
language sql as $$ language sql as $$
select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType; select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType;
$$; $$;
begin transaction; begin transaction;
call defineContext('creating Hostsharing admin role', null, null, null); call defineContext('creating test-global admin role', null, null, null);
select createRole(hostsharingAdmin()); select createRole(testGlobalAdmin());
commit; commit;
-- ============================================================================ -- ============================================================================
--changeset hs-base-ADMIN-USERS:1 context:dev,tc endDelimiter:--// --changeset test-base-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Create two users and assign both to the administrators role. Create two users and assign both to the administrators role.
@ -46,18 +46,18 @@ do language plpgsql $$
declare declare
admins uuid ; admins uuid ;
begin begin
call defineContext('creating fake Hostsharing admin users', null, null, null); call defineContext('creating fake test-realm admin users', null, null, null);
admins = findRoleId(hostsharingAdmin()); admins = findRoleId(testGlobalAdmin());
call grantRoleToUserUnchecked(admins, admins, createRbacUser('mike@hostsharing.net')); call grantRoleToUserUnchecked(admins, admins, createRbacUser('mike@example.org'));
call grantRoleToUserUnchecked(admins, admins, createRbacUser('sven@hostsharing.net')); call grantRoleToUserUnchecked(admins, admins, createRbacUser('sven@example.org'));
end; end;
$$; $$;
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-base-hostsharing-TEST:1 context:dev,tc runAlways:true endDelimiter:--// --changeset test-base-hostsharing-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
@ -68,15 +68,15 @@ do language plpgsql $$
declare declare
userName varchar; userName varchar;
begin begin
call defineContext('testing currentUserUuid', null, 'sven@hostsharing.net', null); call defineContext('testing currentUserUuid', null, 'sven@example.org', null);
select userName from RbacUser where uuid = currentUserUuid() into userName; select userName from RbacUser where uuid = currentUserUuid() into userName;
if userName <> 'sven@hostsharing.net' then if userName <> 'sven@example.org' then
raise exception 'setting or fetching initial currentUser failed, got: %', userName; raise exception 'setting or fetching initial currentUser failed, got: %', userName;
end if; end if;
call defineContext('testing currentUserUuid', null, 'mike@hostsharing.net', null); call defineContext('testing currentUserUuid', null, 'mike@example.org', null);
select userName from RbacUser where uuid = currentUserUuid() into userName; select userName from RbacUser where uuid = currentUserUuid() into userName;
if userName = 'mike@hostsharing.net' then if userName = 'mike@example.org' then
raise exception 'currentUser should not change in one transaction, but did change, got: %', userName; raise exception 'currentUser should not change in one transaction, but did change, got: %', userName;
end if; end if;
end; $$; end; $$;


@ -1,10 +1,10 @@
--liquibase formatted sql --liquibase formatted sql
-- ============================================================================ -- ============================================================================
--changeset hs-customer-MAIN-TABLE:1 endDelimiter:--// --changeset test-customer-MAIN-TABLE:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
create table if not exists customer create table if not exists test_customer
( (
uuid uuid unique references RbacObject (uuid), uuid uuid unique references RbacObject (uuid),
reference int not null unique check (reference between 10000 and 99999), reference int not null unique check (reference between 10000 and 99999),


@ -1,64 +1,64 @@
--liquibase formatted sql --liquibase formatted sql
-- ============================================================================ -- ============================================================================
--changeset hs-customer-rbac-CREATE-OBJECT:1 endDelimiter:--// --changeset test-customer-rbac-CREATE-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Creates the related RbacObject through a BEFORE INSERT TRIGGER. Creates the related RbacObject through a BEFORE INSERT TRIGGER.
*/ */
drop trigger if exists createRbacObjectForCustomer_Trigger on customer; drop trigger if exists createRbacObjectForCustomer_Trigger on test_customer;
create trigger createRbacObjectForCustomer_Trigger create trigger createRbacObjectForCustomer_Trigger
before insert before insert
on customer on test_customer
for each row for each row
execute procedure createRbacObject(); execute procedure createRbacObject();
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-customer-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset test-customer-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
create or replace function customerOwner(customer customer) create or replace function testCustomerOwner(customer test_customer)
returns RbacRoleDescriptor returns RbacRoleDescriptor
language plpgsql language plpgsql
strict as $$ strict as $$
begin begin
return roleDescriptor('customer', customer.uuid, 'owner'); return roleDescriptor('test_customer', customer.uuid, 'owner');
end; $$; end; $$;
create or replace function customerAdmin(customer customer) create or replace function testCustomerAdmin(customer test_customer)
returns RbacRoleDescriptor returns RbacRoleDescriptor
language plpgsql language plpgsql
strict as $$ strict as $$
begin begin
return roleDescriptor('customer', customer.uuid, 'admin'); return roleDescriptor('test_customer', customer.uuid, 'admin');
end; $$; end; $$;
create or replace function customerTenant(customer customer) create or replace function testCustomerTenant(customer test_customer)
returns RbacRoleDescriptor returns RbacRoleDescriptor
language plpgsql language plpgsql
strict as $$ strict as $$
begin begin
return roleDescriptor('customer', customer.uuid, 'tenant'); return roleDescriptor('test_customer', customer.uuid, 'tenant');
end; $$; end; $$;
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-customer-rbac-ROLES-CREATION:1 endDelimiter:--// --changeset test-customer-rbac-ROLES-CREATION:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Creates the roles and their assignments for a new customer for the AFTER INSERT TRIGGER. Creates the roles and their assignments for a new customer for the AFTER INSERT TRIGGER.
*/ */
create or replace function createRbacRolesForCustomer() create or replace function createRbacRolesForTestCustomer()
returns trigger returns trigger
language plpgsql language plpgsql
strict as $$ strict as $$
declare declare
customerOwnerUuid uuid; testCustomerOwnerUuid uuid;
customerAdminUuid uuid; customerAdminUuid uuid;
begin begin
if TG_OP <> 'INSERT' then if TG_OP <> 'INSERT' then
@ -66,27 +66,27 @@ begin
end if; end if;
-- the owner role with full access for Hostsharing administrators -- the owner role with full access for Hostsharing administrators
customerOwnerUuid = createRole( testCustomerOwnerUuid = createRole(
customerOwner(NEW), testCustomerOwner(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']), grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
beneathRole(hostsharingAdmin()) beneathRole(testGlobalAdmin())
); );
-- the admin role for the customer's admins, who can view and add products -- the admin role for the customer's admins, who can view and add products
customerAdminUuid = createRole( customerAdminUuid = createRole(
customerAdmin(NEW), testCustomerAdmin(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view', 'add-package']), grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view', 'add-package']),
-- NO auto assume for customer owner to avoid exploding permissions for administrators -- NO auto assume for customer owner to avoid exploding permissions for administrators
withUser(NEW.adminUserName, 'create'), -- implicitly ignored if null withUser(NEW.adminUserName, 'create'), -- implicitly ignored if null
grantedByRole(hostsharingAdmin()) grantedByRole(testGlobalAdmin())
); );
-- allow the customer owner role (thus administrators) to assume the customer admin role -- allow the customer owner role (thus administrators) to assume the customer admin role
call grantRoleToRole(customerAdminUuid, customerOwnerUuid, false); call grantRoleToRole(customerAdminUuid, testCustomerOwnerUuid, false);
-- the tenant role which later can be used by owners+admins of sub-objects -- the tenant role which later can be used by owners+admins of sub-objects
perform createRole( perform createRole(
customerTenant(NEW), testCustomerTenant(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']) grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view'])
); );
@ -97,32 +97,32 @@ end; $$;
An AFTER INSERT TRIGGER which creates the role structure for a new customer. An AFTER INSERT TRIGGER which creates the role structure for a new customer.
*/ */
drop trigger if exists createRbacRolesForCustomer_Trigger on customer; drop trigger if exists createRbacRolesForTestCustomer_Trigger on test_customer;
create trigger createRbacRolesForCustomer_Trigger create trigger createRbacRolesForTestCustomer_Trigger
after insert after insert
on customer on test_customer
for each row for each row
execute procedure createRbacRolesForCustomer(); execute procedure createRbacRolesForTestCustomer();
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-customer-rbac-ROLES-REMOVAL:1 endDelimiter:--// --changeset test-customer-rbac-ROLES-REMOVAL:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Deletes the roles and their assignments of a deleted customer for the BEFORE DELETE TRIGGER. Deletes the roles and their assignments of a deleted customer for the BEFORE DELETE TRIGGER.
*/ */
create or replace function deleteRbacRulesForCustomer() create or replace function deleteRbacRulesForTestCustomer()
returns trigger returns trigger
language plpgsql language plpgsql
strict as $$ strict as $$
begin begin
if TG_OP = 'DELETE' then if TG_OP = 'DELETE' then
call deleteRole(findRoleId(customerOwner(OLD))); call deleteRole(findRoleId(testCustomerOwner(OLD)));
call deleteRole(findRoleId(customerAdmin(OLD))); call deleteRole(findRoleId(testCustomerAdmin(OLD)));
call deleteRole(findRoleId(customerTenant(OLD))); call deleteRole(findRoleId(testCustomerTenant(OLD)));
else else
raise exception 'invalid usage of TRIGGER BEFORE DELETE'; raise exception 'invalid usage of TRIGGER BEFORE DELETE';
end if; end if;
@ -132,70 +132,70 @@ end; $$;
An BEFORE DELETE TRIGGER which deletes the role structure of a customer. An BEFORE DELETE TRIGGER which deletes the role structure of a customer.
*/ */
drop trigger if exists deleteRbacRulesForCustomer_Trigger on customer; drop trigger if exists deleteRbacRulesForTestCustomer_Trigger on test_customer;
create trigger deleteRbacRulesForCustomer_Trigger create trigger deleteRbacRulesForTestCustomer_Trigger
before delete before delete
on customer on test_customer
for each row for each row
execute procedure deleteRbacRulesForCustomer(); execute procedure deleteRbacRulesForTestCustomer();
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Creates a view to the customer main table which maps the identifying name Creates a view to the customer main table which maps the identifying name
(in this case, the prefix) to the objectUuid. (in this case, the prefix) to the objectUuid.
*/ */
drop view if exists customer_iv; drop view if exists test_customer_iv;
create or replace view customer_iv as create or replace view test_customer_iv as
select target.uuid, target.prefix as idName select target.uuid, target.prefix as idName
from customer as target; from test_customer as target;
-- TODO: Is it ok that everybody has access to this information? -- TODO: Is it ok that everybody has access to this information?
grant all privileges on customer_iv to restricted; grant all privileges on test_customer_iv to restricted;
/* /*
Returns the objectUuid for a given identifying name (in this case the prefix). Returns the objectUuid for a given identifying name (in this case the prefix).
*/ */
create or replace function customerUuidByIdName(idName varchar) create or replace function test_customerUuidByIdName(idName varchar)
returns uuid returns uuid
language sql language sql
strict as $$ strict as $$
select uuid from customer_iv iv where iv.idName = customerUuidByIdName.idName; select uuid from test_customer_iv iv where iv.idName = test_customerUuidByIdName.idName;
$$; $$;
/* /*
Returns the identifying name for a given objectUuid (in this case the prefix). Returns the identifying name for a given objectUuid (in this case the prefix).
*/ */
create or replace function customerIdNameByUuid(uuid uuid) create or replace function test_customerIdNameByUuid(uuid uuid)
returns varchar returns varchar
language sql language sql
strict as $$ strict as $$
select idName from customer_iv iv where iv.uuid = customerIdNameByUuid.uuid; select idName from test_customer_iv iv where iv.uuid = test_customerIdNameByUuid.uuid;
$$; $$;
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset test-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Creates a view to the customer main table with row-level limitation Creates a view to the customer main table with row-level limitation
based on the 'view' permission of the current user or assumed roles. based on the 'view' permission of the current user or assumed roles.
*/ */
set session session authorization default; set session session authorization default;
drop view if exists customer_rv; drop view if exists test_customer_rv;
create or replace view customer_rv as create or replace view test_customer_rv as
select target.* select target.*
from customer as target from test_customer as target
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'customer', currentSubjectsUuids())); where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_customer', currentSubjectsUuids()));
grant all privileges on customer_rv to restricted; grant all privileges on test_customer_rv to restricted;
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-customer-rbac-ADD-CUSTOMER:1 endDelimiter:--// --changeset test-customer-rbac-ADD-CUSTOMER:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Creates a global permission for add-customer and assigns it to the hostsharing admins role. Creates a global permission for add-customer and assigns it to the hostsharing admins role.
@ -203,22 +203,22 @@ grant all privileges on customer_rv to restricted;
do language plpgsql $$ do language plpgsql $$
declare declare
addCustomerPermissions uuid[]; addCustomerPermissions uuid[];
hostsharingObjectUuid uuid; globalObjectUuid uuid;
hsAdminRoleUuid uuid ; globalAdminRoleUuid uuid ;
begin begin
call defineContext('granting global add-customer permission to Hostsharing admin role', null, null, null); call defineContext('granting global add-customer permission to global admin role', null, null, null);
hsAdminRoleUuid := findRoleId(hostsharingAdmin()); globalAdminRoleUuid := findRoleId(testGlobalAdmin());
hostsharingObjectUuid := (select uuid from global); globalObjectUuid := (select uuid from global);
addCustomerPermissions := createPermissions(hostsharingObjectUuid, array ['add-customer']); addCustomerPermissions := createPermissions(globalObjectUuid, array ['add-customer']);
call grantPermissionsToRole(hsAdminRoleUuid, addCustomerPermissions); call grantPermissionsToRole(globalAdminRoleUuid, addCustomerPermissions);
end; end;
$$; $$;
/** /**
Used by the trigger to prevent the add-customer to current user respectively assumed roles. Used by the trigger to prevent the add-customer to current user respectively assumed roles.
*/ */
create or replace function addCustomerNotAllowedForCurrentSubjects() create or replace function addTestCustomerNotAllowedForCurrentSubjects()
returns trigger returns trigger
language PLPGSQL language PLPGSQL
as $$ as $$
@ -230,11 +230,11 @@ end; $$;
/** /**
Checks if the user or assumed roles are allowed to add a new customer. Checks if the user or assumed roles are allowed to add a new customer.
*/ */
create trigger customer_insert_trigger create trigger test_customer_insert_trigger
before insert before insert
on customer on test_customer
for each row for each row
when ( currentUser() <> 'mike@hostsharing.net' or not hasGlobalPermission('add-customer') ) when ( currentUser() <> 'mike@example.org' or not hasGlobalPermission('add-customer') )
execute procedure addCustomerNotAllowedForCurrentSubjects(); execute procedure addTestCustomerNotAllowedForCurrentSubjects();
--// --//


@ -2,7 +2,7 @@
-- ============================================================================ -- ============================================================================
--changeset hs-customer-TEST-DATA-GENERATOR:1 endDelimiter:--// --changeset test-customer-TEST-DATA-GENERATOR:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Generates a customer reference number for a given test data counter. Generates a customer reference number for a given test data counter.
@ -19,7 +19,7 @@ end; $$;
/* /*
Creates a single customer test record with dist. Creates a single customer test record with dist.
*/ */
create or replace procedure createCustomerTestData( create or replace procedure createTestCustomerTestData(
custReference integer, custReference integer,
custPrefix varchar custPrefix varchar
) )
@ -30,7 +30,7 @@ declare
custAdminName varchar; custAdminName varchar;
begin begin
currentTask = 'creating RBAC test customer #' || custReference || '/' || custPrefix; currentTask = 'creating RBAC test customer #' || custReference || '/' || custPrefix;
call defineContext(currentTask, null, 'mike@hostsharing.net', 'global#hostsharing.admin'); call defineContext(currentTask, null, 'mike@example.org', 'global#test-global.admin');
execute format('set local hsadminng.currentTask to %L', currentTask); execute format('set local hsadminng.currentTask to %L', currentTask);
custRowId = uuid_generate_v4(); custRowId = uuid_generate_v4();
@ -38,7 +38,7 @@ begin
raise notice 'creating customer %:%', custReference, custPrefix; raise notice 'creating customer %:%', custReference, custPrefix;
insert insert
into customer (reference, prefix, adminUserName) into test_customer (reference, prefix, adminUserName)
values (custReference, custPrefix, custAdminName); values (custReference, custPrefix, custAdminName);
end; $$; end; $$;
--// --//
@ -46,7 +46,7 @@ end; $$;
/* /*
Creates a range of test customers for mass data generation. Creates a range of test customers for mass data generation.
*/ */
create or replace procedure createCustomerTestData( create or replace procedure createTestCustomerTestData(
startCount integer, -- count of auto generated rows before the run startCount integer, -- count of auto generated rows before the run
endCount integer -- count of auto generated rows after the run endCount integer -- count of auto generated rows after the run
) )
@ -54,7 +54,7 @@ create or replace procedure createCustomerTestData(
begin begin
for t in startCount..endCount for t in startCount..endCount
loop loop
call createCustomerTestData(testCustomerReference(t), intToVarChar(t, 3)); call createTestCustomerTestData(testCustomerReference(t), intToVarChar(t, 3));
commit; commit;
end loop; end loop;
end; $$; end; $$;
@ -62,14 +62,14 @@ end; $$;
-- ============================================================================ -- ============================================================================
--changeset hs-customer-TEST-DATA-GENERATION:1 context=dev,tc endDelimiter:--// --changeset test-customer-TEST-DATA-GENERATION:1 context=dev,tc endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
do language plpgsql $$ do language plpgsql $$
begin begin
call createCustomerTestData(99901, 'xxx'); call createTestCustomerTestData(99901, 'xxx');
call createCustomerTestData(99902, 'yyy'); call createTestCustomerTestData(99902, 'yyy');
call createCustomerTestData(99903, 'zzz'); call createTestCustomerTestData(99903, 'zzz');
end; end;
$$; $$;
--// --//
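Review bot: `call defineContext(currentTask, null, 'mike@example.org', 'global#test-global.admin')` pins the whole test-data run to one hand-spelled subject and role name, and the same address is hard-coded again in the preceding rbac file's `test_customer_insert_trigger` condition (`currentUser() <> 'mike@example.org' or not hasGlobalPermission('add-customer')`), so the generator only works while the two literals agree and a global admin under any other name is rejected by that trigger regardless of permission. Keep the admin account name in one place and, if `defineContext` accepts it, derive the role name from the descriptor helper the rbac file already calls (`testGlobalAdmin()`) instead of repeating the `global#...admin` naming convention as a string. The body of `createTestCustomerTestData(custReference, custPrefix)` begins and ends outside this hunk.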


@ -1,14 +1,14 @@
--liquibase formatted sql --liquibase formatted sql
-- ============================================================================ -- ============================================================================
--changeset hs-package-MAIN-TABLE:1 endDelimiter:--// --changeset test-package-MAIN-TABLE:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
create table if not exists package create table if not exists test_package
( (
uuid uuid unique references RbacObject (uuid), uuid uuid unique references RbacObject (uuid),
version int not null default 0, version int not null default 0,
customerUuid uuid references customer (uuid), customerUuid uuid references test_customer (uuid),
name varchar(5), name varchar(5),
description varchar(96) description varchar(96)
); );


@ -1,62 +1,62 @@
--liquibase formatted sql --liquibase formatted sql
-- ============================================================================ -- ============================================================================
--changeset hs-package-rbac-CREATE-OBJECT:1 endDelimiter:--// --changeset test-package-rbac-CREATE-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Creates the related RbacObject through a BEFORE INSERT TRIGGER. Creates the related RbacObject through a BEFORE INSERT TRIGGER.
*/ */
drop trigger if exists createRbacObjectForPackage_Trigger on package; drop trigger if exists createRbacObjectForPackage_Trigger on test_package;
create trigger createRbacObjectForPackage_Trigger create trigger createRbacObjectForPackage_Trigger
before insert before insert
on package on test_package
for each row for each row
execute procedure createRbacObject(); execute procedure createRbacObject();
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset test-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
create or replace function packageOwner(pac package) create or replace function testPackageOwner(pac test_package)
returns RbacRoleDescriptor returns RbacRoleDescriptor
returns null on null input returns null on null input
language plpgsql as $$ language plpgsql as $$
begin begin
return roleDescriptor('package', pac.uuid, 'owner'); return roleDescriptor('test_package', pac.uuid, 'owner');
end; $$; end; $$;
create or replace function packageAdmin(pac package) create or replace function testPackageAdmin(pac test_package)
returns RbacRoleDescriptor returns RbacRoleDescriptor
returns null on null input returns null on null input
language plpgsql as $$ language plpgsql as $$
begin begin
return roleDescriptor('package', pac.uuid, 'admin'); return roleDescriptor('test_package', pac.uuid, 'admin');
end; $$; end; $$;
create or replace function packageTenant(pac package) create or replace function testPackageTenant(pac test_package)
returns RbacRoleDescriptor returns RbacRoleDescriptor
returns null on null input returns null on null input
language plpgsql as $$ language plpgsql as $$
begin begin
return roleDescriptor('package', pac.uuid, 'tenant'); return roleDescriptor('test_package', pac.uuid, 'tenant');
end; $$; end; $$;
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-package-rbac-ROLES-CREATION:1 endDelimiter:--// --changeset test-package-rbac-ROLES-CREATION:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Creates the roles and their assignments for a new package for the AFTER INSERT TRIGGER. Creates the roles and their assignments for a new package for the AFTER INSERT TRIGGER.
*/ */
create or replace function createRbacRolesForPackage() create or replace function createRbacRolesForTestPackage()
returns trigger returns trigger
language plpgsql language plpgsql
strict as $$ strict as $$
declare declare
parentCustomer customer; parentCustomer test_customer;
packageOwnerRoleUuid uuid; packageOwnerRoleUuid uuid;
packageAdminRoleUuid uuid; packageAdminRoleUuid uuid;
begin begin
@ -64,28 +64,28 @@ begin
raise exception 'invalid usage of TRIGGER AFTER INSERT'; raise exception 'invalid usage of TRIGGER AFTER INSERT';
end if; end if;
select * from customer as c where c.uuid = NEW.customerUuid into parentCustomer; select * from test_customer as c where c.uuid = NEW.customerUuid into parentCustomer;
-- an owner role is created and assigned to the customer's admin role -- an owner role is created and assigned to the customer's admin role
packageOwnerRoleUuid = createRole( packageOwnerRoleUuid = createRole(
packageOwner(NEW), testPackageOwner(NEW),
withoutPermissions(), withoutPermissions(),
beneathRole(customerAdmin(parentCustomer)) beneathRole(testCustomerAdmin(parentCustomer))
); );
-- an owner role is created and assigned to the package owner role -- an owner role is created and assigned to the package owner role
packageAdminRoleUuid = createRole( packageAdminRoleUuid = createRole(
packageAdmin(NEW), testPackageAdmin(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['add-unixuser', 'add-domain']), grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['add-unixuser', 'add-domain']),
beneathRole(packageOwnerRoleUuid) beneathRole(packageOwnerRoleUuid)
); );
-- and a package tenant role is created and assigned to the package admin as well -- and a package tenant role is created and assigned to the package admin as well
perform createRole( perform createRole(
packageTenant(NEW), testPackageTenant(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']), grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),
beneathRole(packageAdminRoleUuid), beneathRole(packageAdminRoleUuid),
beingItselfA(customerTenant(parentCustomer)) beingItselfA(testCustomerTenant(parentCustomer))
); );
return NEW; return NEW;
@ -95,31 +95,31 @@ end; $$;
An AFTER INSERT TRIGGER which creates the role structure for a new package. An AFTER INSERT TRIGGER which creates the role structure for a new package.
*/ */
drop trigger if exists createRbacRolesForPackage_Trigger on package; drop trigger if exists createRbacRolesForTestPackage_Trigger on test_package;
create trigger createRbacRolesForPackage_Trigger create trigger createRbacRolesForTestPackage_Trigger
after insert after insert
on package on test_package
for each row for each row
execute procedure createRbacRolesForPackage(); execute procedure createRbacRolesForTestPackage();
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-package-rbac-ROLES-REMOVAL:1 endDelimiter:--// --changeset test-package-rbac-ROLES-REMOVAL:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Deletes the roles and their assignments of a deleted package for the BEFORE DELETE TRIGGER. Deletes the roles and their assignments of a deleted package for the BEFORE DELETE TRIGGER.
*/ */
create or replace function deleteRbacRulesForPackage() create or replace function deleteRbacRulesForTestPackage()
returns trigger returns trigger
language plpgsql language plpgsql
strict as $$ strict as $$
begin begin
if TG_OP = 'DELETE' then if TG_OP = 'DELETE' then
call deleteRole(findRoleId(packageOwner(OLD))); call deleteRole(findRoleId(testPackageOwner(OLD)));
call deleteRole(findRoleId(packageAdmin(OLD))); call deleteRole(findRoleId(testPackageAdmin(OLD)));
call deleteRole(findRoleId(packageTenant(OLD))); call deleteRole(findRoleId(testPackageTenant(OLD)));
else else
raise exception 'invalid usage of TRIGGER BEFORE DELETE'; raise exception 'invalid usage of TRIGGER BEFORE DELETE';
end if; end if;
@ -129,66 +129,66 @@ end; $$;
An BEFORE DELETE TRIGGER which deletes the role structure of a package. An BEFORE DELETE TRIGGER which deletes the role structure of a package.
*/ */
drop trigger if exists deleteRbacRulesForPackage_Trigger on package; drop trigger if exists deleteRbacRulesForTestPackage_Trigger on test_package;
create trigger deleteRbacRulesForPackage_Trigger create trigger deleteRbacRulesForTestPackage_Trigger
before delete before delete
on package on test_package
for each row for each row
execute procedure deleteRbacRulesForPackage(); execute procedure deleteRbacRulesForTestPackage();
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-package-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Creates a view to the package main table which maps the identifying name Creates a view to the package main table which maps the identifying name
(in this case, actually the column `name`) to the objectUuid. (in this case, actually the column `name`) to the objectUuid.
*/ */
drop view if exists package_iv; drop view if exists test_package_iv;
create or replace view package_iv as create or replace view test_package_iv as
select distinct target.uuid, target.name as idName select distinct target.uuid, target.name as idName
from package as target; from test_package as target;
-- TODO: Is it ok that everybody has access to this information? -- TODO: Is it ok that everybody has access to this information?
grant all privileges on package_iv to restricted; grant all privileges on test_package_iv to restricted;
/* /*
Returns the objectUuid for a given identifying name (in this case, actually the column `name`). Returns the objectUuid for a given identifying name (in this case, actually the column `name`).
*/ */
create or replace function packageUuidByIdName(idName varchar) create or replace function test_packageUuidByIdName(idName varchar)
returns uuid returns uuid
language sql language sql
strict as $$ strict as $$
select uuid from package_iv iv where iv.idName = packageUuidByIdName.idName; select uuid from test_package_iv iv where iv.idName = test_packageUuidByIdName.idName;
$$; $$;
/* /*
Returns the identifying name for a given objectUuid (in this case the name). Returns the identifying name for a given objectUuid (in this case the name).
*/ */
create or replace function packageIdNameByUuid(uuid uuid) create or replace function test_packageIdNameByUuid(uuid uuid)
returns varchar returns varchar
stable leakproof stable leakproof
language sql language sql
strict as $$ strict as $$
select idName from package_iv iv where iv.uuid = packageIdNameByUuid.uuid; select idName from test_package_iv iv where iv.uuid = test_packageIdNameByUuid.uuid;
$$; $$;
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Creates a view to the customer main table which maps the identifying name Creates a view to the customer main table which maps the identifying name
(in this case, the prefix) to the objectUuid. (in this case, the prefix) to the objectUuid.
*/ */
drop view if exists package_rv; drop view if exists test_package_rv;
create or replace view package_rv as create or replace view test_package_rv as
select target.* select target.*
from package as target from test_package as target
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'package', currentSubjectsUuids())) where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_package', currentSubjectsUuids()))
order by target.name; order by target.name;
grant all privileges on package_rv to restricted; grant all privileges on test_package_rv to restricted;
--// --//
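Review bot: `test_packageUuidByIdName` resolves a package by `name` alone (`select uuid from test_package_iv iv where iv.idName = test_packageUuidByIdName.idName`), but the `test_package` table in the preceding file declares `name varchar(5)` with no uniqueness constraint, so once two customers own a package with the same name this scalar SQL function silently returns whichever row comes first; the `distinct` in `test_package_iv` does not help because `uuid` is already unique. Either add a unique constraint on `test_package (name)` or make the identity name qualified enough to be unique. Separately, the comment above `test_package_rv` is copied from the identity view and should read `Creates a view to the package main table with row-level limitation based on the 'view' permission of the current user or assumed roles.`, and `test_packageIdNameByUuid` is the only one of the four lookup functions (its sibling here and both customer ones lack it) declared `stable leakproof` — a one-line comment on why is warranted, since `leakproof` is a statement to the planner that the function cannot reveal its inputs through errors, not a cosmetic marker.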


@ -1,7 +1,7 @@
--liquibase formatted sql --liquibase formatted sql
-- ============================================================================ -- ============================================================================
--changeset hs-package-TEST-DATA-GENERATOR:1 endDelimiter:--// --changeset test-package-TEST-DATA-GENERATOR:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Creates the given number of test packages for the given customer. Creates the given number of test packages for the given customer.
@ -9,14 +9,14 @@
create or replace procedure createPackageTestData(customerPrefix varchar, pacCount int) create or replace procedure createPackageTestData(customerPrefix varchar, pacCount int)
language plpgsql as $$ language plpgsql as $$
declare declare
cust customer; cust test_customer;
custAdminUser varchar; custAdminUser varchar;
custAdminRole varchar; custAdminRole varchar;
pacName varchar; pacName varchar;
currentTask varchar; currentTask varchar;
pac package; pac test_package;
begin begin
select * from customer where customer.prefix = customerPrefix into cust; select * from test_customer where test_customer.prefix = customerPrefix into cust;
for t in 0..(pacCount-1) for t in 0..(pacCount-1)
loop loop
@ -25,18 +25,18 @@ begin
cust.uuid; cust.uuid;
custAdminUser = 'customer-admin@' || cust.prefix || '.example.com'; custAdminUser = 'customer-admin@' || cust.prefix || '.example.com';
custAdminRole = 'customer#' || cust.prefix || '.admin'; custAdminRole = 'test_customer#' || cust.prefix || '.admin';
call defineContext(currentTask, null, custAdminUser, custAdminRole); call defineContext(currentTask, null, custAdminUser, custAdminRole);
raise notice 'task: % by % as %', currentTask, custAdminUser, custAdminRole; raise notice 'task: % by % as %', currentTask, custAdminUser, custAdminRole;
insert insert
into package (customerUuid, name, description) into test_package (customerUuid, name, description)
values (cust.uuid, pacName, 'Here can add your own description of package ' || pacName || '.') values (cust.uuid, pacName, 'Here can add your own description of package ' || pacName || '.')
returning * into pac; returning * into pac;
call grantRoleToUser( call grantRoleToUser(
getRoleId(customerAdmin(cust), 'fail'), getRoleId(testCustomerAdmin(cust), 'fail'),
findRoleId(packageAdmin(pac)), findRoleId(testPackageAdmin(pac)),
createRbacUser('pac-admin-' || pacName || '@' || cust.prefix || '.example.com'), createRbacUser('pac-admin-' || pacName || '@' || cust.prefix || '.example.com'),
true); true);
@ -49,9 +49,9 @@ end; $$;
create or replace procedure createPackageTestData() create or replace procedure createPackageTestData()
language plpgsql as $$ language plpgsql as $$
declare declare
cust customer; cust test_customer;
begin begin
for cust in (select * from customer) for cust in (select * from test_customer)
loop loop
continue when cust.reference >= 90000; -- reserved for functional testing continue when cust.reference >= 90000; -- reserved for functional testing
call createPackageTestData(cust.prefix, 3); call createPackageTestData(cust.prefix, 3);
@ -64,7 +64,7 @@ $$;
-- ============================================================================ -- ============================================================================
--changeset hs-package-TEST-DATA-GENERATION:1 context=dev,tc endDelimiter:--// --changeset test-package-TEST-DATA-GENERATION:1 context=dev,tc endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
do language plpgsql $$ do language plpgsql $$
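Review bot: `select * from test_customer where test_customer.prefix = customerPrefix into cust;` yields a null record rather than failing when no customer with that prefix exists, after which the loop inserts packages with a null `customerUuid` and calls `getRoleId(testCustomerAdmin(cust), 'fail')` on a descriptor derived from that null record; `select * from test_customer where test_customer.prefix = customerPrefix into strict cust;` makes a wrong prefix fail at the first line instead of part-way through. The literal `custAdminRole = 'test_customer#' || cust.prefix || '.admin'` repeats the role naming convention that `testCustomerAdmin(cust)` already encodes a few lines below, so the two can drift apart. The commit also renames `createTestCustomerTestData` but leaves `createPackageTestData` with its old name while its changeset id became `test-package-TEST-DATA-GENERATOR`; aligning the procedure name would keep the rename consistent. The procedure body extends beyond both ends of the reviewed hunk.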


@ -4,10 +4,10 @@
--changeset hs-unixuser-MAIN-TABLE:1 endDelimiter:--// --changeset hs-unixuser-MAIN-TABLE:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
create table if not exists UnixUser create table if not exists test_unixuser
( (
uuid uuid unique references RbacObject (uuid), uuid uuid unique references RbacObject (uuid),
packageUuid uuid references package (uuid), packageUuid uuid references test_package (uuid),
name character varying(32), name character varying(32),
description character varying(96) description character varying(96)
); );
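Review bot: The changeset keeps its id `hs-unixuser-MAIN-TABLE:1` while the table it creates is renamed to `test_unixuser`; every other file in this commit moved to a `test-` prefixed id for the same kind of change, and Liquibase reports an edited changeset under an unchanged id as a checksum mismatch on any database that has already applied it, whereas a new id runs as a fresh changeset. Align it with the others: `--changeset test-unixuser-MAIN-TABLE:1 endDelimiter:--//`. The rbac file that follows has the opposite slip: its first changeset is labelled `test-package-rbac-CREATE-OBJECT:1`, the same id as in the package rbac file, although it creates the trigger on `test_unixuser`.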


@ -1,49 +1,49 @@
--liquibase formatted sql --liquibase formatted sql
-- ============================================================================ -- ============================================================================
--changeset hs-package-rbac-CREATE-OBJECT:1 endDelimiter:--// --changeset test-package-rbac-CREATE-OBJECT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Creates the related RbacObject through a BEFORE INSERT TRIGGER. Creates the related RbacObject through a BEFORE INSERT TRIGGER.
*/ */
drop trigger if exists createRbacObjectForUnixUser_Trigger on UnixUser; drop trigger if exists createRbacObjectFortest_unixuser_Trigger on test_unixuser;
create trigger createRbacObjectForUnixUser_Trigger create trigger createRbacObjectFortest_unixuser_Trigger
before insert before insert
on UnixUser on test_unixuser
for each row for each row
execute procedure createRbacObject(); execute procedure createRbacObject();
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-unixuser-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset test-unixuser-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
create or replace function unixUserOwner(uu UnixUser) create or replace function testUnixUserOwner(uu test_unixuser)
returns RbacRoleDescriptor returns RbacRoleDescriptor
returns null on null input returns null on null input
language plpgsql as $$ language plpgsql as $$
begin begin
return roleDescriptor('unixuser', uu.uuid, 'owner'); return roleDescriptor('test_unixuser', uu.uuid, 'owner');
end; $$; end; $$;
create or replace function unixUserAdmin(uu UnixUser) create or replace function testUnixUserAdmin(uu test_unixuser)
returns RbacRoleDescriptor returns RbacRoleDescriptor
returns null on null input returns null on null input
language plpgsql as $$ language plpgsql as $$
begin begin
return roleDescriptor('unixuser', uu.uuid, 'admin'); return roleDescriptor('test_unixuser', uu.uuid, 'admin');
end; $$; end; $$;
create or replace function unixUserTenant(uu UnixUser) create or replace function testUnixUserTenant(uu test_unixuser)
returns RbacRoleDescriptor returns RbacRoleDescriptor
returns null on null input returns null on null input
language plpgsql as $$ language plpgsql as $$
begin begin
return roleDescriptor('unixuser', uu.uuid, 'tenant'); return roleDescriptor('test_unixuser', uu.uuid, 'tenant');
end; $$; end; $$;
create or replace function createUnixUserTenantRoleIfNotExists(unixUser UnixUser) create or replace function createTestUnixUserTenantRoleIfNotExists(unixUser test_unixuser)
returns uuid returns uuid
returns null on null input returns null on null input
language plpgsql as $$ language plpgsql as $$
@ -51,7 +51,7 @@ declare
unixUserTenantRoleDesc RbacRoleDescriptor; unixUserTenantRoleDesc RbacRoleDescriptor;
unixUserTenantRoleUuid uuid; unixUserTenantRoleUuid uuid;
begin begin
unixUserTenantRoleDesc = unixUserTenant(unixUser); unixUserTenantRoleDesc = testUnixUserTenant(unixUser);
unixUserTenantRoleUuid = findRoleId(unixUserTenantRoleDesc); unixUserTenantRoleUuid = findRoleId(unixUserTenantRoleDesc);
if unixUserTenantRoleUuid is not null then if unixUserTenantRoleUuid is not null then
return unixUserTenantRoleUuid; return unixUserTenantRoleUuid;
@ -60,25 +60,25 @@ begin
return createRole( return createRole(
unixUserTenantRoleDesc, unixUserTenantRoleDesc,
grantingPermissions(forObjectUuid => unixUser.uuid, permitOps => array ['view']), grantingPermissions(forObjectUuid => unixUser.uuid, permitOps => array ['view']),
beneathRole(unixUserAdmin(unixUser)) beneathRole(testUnixUserAdmin(unixUser))
); );
end; $$; end; $$;
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-unixuser-rbac-ROLES-CREATION:1 endDelimiter:--// --changeset test-unixuser-rbac-ROLES-CREATION:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Creates the roles and their assignments for a new UnixUser for the AFTER INSERT TRIGGER. Creates the roles and their assignments for a new UnixUser for the AFTER INSERT TRIGGER.
*/ */
create or replace function createRbacRulesForUnixUser() create or replace function createRbacRulesForTestUnixUser()
returns trigger returns trigger
language plpgsql language plpgsql
strict as $$ strict as $$
declare declare
parentPackage package; parentPackage test_package;
unixuserOwnerRoleId uuid; unixuserOwnerRoleId uuid;
unixuserAdminRoleId uuid; unixuserAdminRoleId uuid;
begin begin
@ -86,21 +86,21 @@ begin
raise exception 'invalid usage of TRIGGER AFTER INSERT'; raise exception 'invalid usage of TRIGGER AFTER INSERT';
end if; end if;
select * from package where uuid = NEW.packageUuid into parentPackage; select * from test_package where uuid = NEW.packageUuid into parentPackage;
-- an owner role is created and assigned to the package's admin group -- an owner role is created and assigned to the package's admin group
unixuserOwnerRoleId = createRole( unixuserOwnerRoleId = createRole(
unixUserOwner(NEW), testUnixUserOwner(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']), grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
beneathRole(packageAdmin(parentPackage)) beneathRole(testPackageAdmin(parentPackage))
); );
-- and a unixuser admin role is created and assigned to the unixuser owner as well -- and a unixuser admin role is created and assigned to the unixuser owner as well
unixuserAdminRoleId = createRole( unixuserAdminRoleId = createRole(
unixUserAdmin(NEW), testUnixUserAdmin(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']), grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']),
beneathRole(unixuserOwnerRoleId), beneathRole(unixuserOwnerRoleId),
beingItselfA(packageTenant(parentPackage)) beingItselfA(testPackageTenant(parentPackage))
); );
-- a tenent role is only created on demand -- a tenent role is only created on demand
@ -112,32 +112,32 @@ end; $$;
/* /*
An AFTER INSERT TRIGGER which creates the role structure for a new UnixUser. An AFTER INSERT TRIGGER which creates the role structure for a new UnixUser.
*/ */
drop trigger if exists createRbacRulesForUnixUser_Trigger on UnixUser; drop trigger if exists createRbacRulesForTestUnixuser_Trigger on test_unixuser;
create trigger createRbacRulesForUnixUser_Trigger create trigger createRbacRulesForTestUnixuser_Trigger
after insert after insert
on UnixUser on test_unixuser
for each row for each row
execute procedure createRbacRulesForUnixUser(); execute procedure createRbacRulesForTestUnixUser();
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-unixuser-rbac-ROLES-REMOVAL:1 endDelimiter:--// --changeset test-unixuser-rbac-ROLES-REMOVAL:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Deletes the roles and their assignments of a deleted UnixUser for the BEFORE DELETE TRIGGER. Deletes the roles and their assignments of a deleted UnixUser for the BEFORE DELETE TRIGGER.
*/ */
create or replace function deleteRbacRulesForUnixUser() create or replace function deleteRbacRulesForTestUnixUser()
returns trigger returns trigger
language plpgsql language plpgsql
strict as $$ strict as $$
begin begin
if TG_OP = 'DELETE' then if TG_OP = 'DELETE' then
call deleteRole(findRoleId(unixUserOwner(OLD))); call deleteRole(findRoleId(testUnixUserOwner(OLD)));
call deleteRole(findRoleId(unixUserAdmin(OLD))); call deleteRole(findRoleId(testUnixUserAdmin(OLD)));
call deleteRole(findRoleId(unixUserTenant(OLD))); call deleteRole(findRoleId(testUnixUserTenant(OLD)));
else else
raise exception 'invalid usage of TRIGGER BEFORE DELETE'; raise exception 'invalid usage of TRIGGER BEFORE DELETE';
end if; end if;
@ -147,65 +147,65 @@ end; $$;
An BEFORE DELETE TRIGGER which deletes the role structure of a UnixUser. An BEFORE DELETE TRIGGER which deletes the role structure of a UnixUser.
*/ */
drop trigger if exists deleteRbacRulesForUnixUser_Trigger on package; drop trigger if exists deleteRbacRulesForTestUnixUser_Trigger on test_package;
create trigger deleteRbacRulesForUnixUser_Trigger create trigger deleteRbacRulesForTestUnixUser_Trigger
before delete before delete
on UnixUser on test_unixuser
for each row for each row
execute procedure deleteRbacRulesForUnixUser(); execute procedure deleteRbacRulesForTestUnixUser();
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-unixuser-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset test-unixuser-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Creates a view to the UnixUser main table which maps the identifying name Creates a view to the UnixUser main table which maps the identifying name
(in this case, actually the column `name`) to the objectUuid. (in this case, actually the column `name`) to the objectUuid.
*/ */
drop view if exists UnixUser_iv; drop view if exists test_unixuser_iv;
create or replace view UnixUser_iv as create or replace view test_unixuser_iv as
select distinct target.uuid, target.name as idName select distinct target.uuid, target.name as idName
from UnixUser as target; from test_unixuser as target;
-- TODO: Is it ok that everybody has access to this information? -- TODO: Is it ok that everybody has access to this information?
grant all privileges on UnixUser_iv to restricted; grant all privileges on test_unixuser_iv to restricted;
/* /*
Returns the objectUuid for a given identifying name (in this case, actually the column `name`). Returns the objectUuid for a given identifying name (in this case, actually the column `name`).
*/ */
create or replace function unixUserUuidByIdName(idName varchar) create or replace function test_unixUserUuidByIdName(idName varchar)
returns uuid returns uuid
language sql language sql
strict as $$ strict as $$
select uuid from UnixUser_iv iv where iv.idName = unixUserUuidByIdName.idName; select uuid from test_unixuser_iv iv where iv.idName = test_unixUserUuidByIdName.idName;
$$; $$;
/* /*
Returns the identifying name for a given objectUuid (in this case the name). Returns the identifying name for a given objectUuid (in this case the name).
*/ */
create or replace function unixUserIdNameByUuid(uuid uuid) create or replace function test_unixUserIdNameByUuid(uuid uuid)
returns varchar returns varchar
stable leakproof stable leakproof
language sql language sql
strict as $$ strict as $$
select idName from UnixUser_iv iv where iv.uuid = unixUserIdNameByUuid.uuid; select idName from test_unixuser_iv iv where iv.uuid = test_unixUserIdNameByUuid.uuid;
$$; $$;
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Creates a view to the customer main table which maps the identifying name Creates a view to the customer main table which maps the identifying name
(in this case, the prefix) to the objectUuid. (in this case, the prefix) to the objectUuid.
*/ */
drop view if exists unixuser_rv; drop view if exists test_unixuser_rv;
create or replace view unixuser_rv as create or replace view test_unixuser_rv as
select target.* select target.*
from unixuser as target from test_unixuser as target
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'unixuser', currentSubjectsUuids())); where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'unixuser', currentSubjectsUuids()));
grant all privileges on unixuser_rv to restricted; grant all privileges on test_unixuser_rv to restricted;
--// --//


@ -14,8 +14,8 @@ declare
currentTask varchar; currentTask varchar;
begin begin
select p.uuid, p.name, c.prefix as custPrefix select p.uuid, p.name, c.prefix as custPrefix
from package p from test_package p
join customer c on p.customeruuid = c.uuid join test_customer c on p.customeruuid = c.uuid
where p.name = packageName where p.name = packageName
into pac; into pac;
@ -27,7 +27,7 @@ begin
call defineContext(currentTask, null, pacAdmin, null); call defineContext(currentTask, null, pacAdmin, null);
insert insert
into unixuser (name, packageUuid) into test_unixuser (name, packageUuid)
values (pac.name || '-' || intToVarChar(t, 4), pac.uuid); values (pac.name || '-' || intToVarChar(t, 4), pac.uuid);
end loop; end loop;
end; $$; end; $$;
@ -44,8 +44,8 @@ declare
begin begin
for pac in for pac in
(select p.uuid, p.name (select p.uuid, p.name
from package p from test_package p
join customer c on p.customeruuid = c.uuid join test_customer c on p.customeruuid = c.uuid
where c.reference < 90000) -- reserved for functional testing where c.reference < 90000) -- reserved for functional testing
loop loop
call createUnixUserTestData(pac.name, 2); call createUnixUserTestData(pac.name, 2);


@ -28,24 +28,24 @@ databaseChangeLog:
- include: - include:
file: db/changelog/080-rbac-global.sql file: db/changelog/080-rbac-global.sql
- include: - include:
file: db/changelog/100-hs-base.sql file: db/changelog/100-test-base.sql
- include: - include:
file: db/changelog/110-hs-customer.sql file: db/changelog/110-test-customer.sql
- include: - include:
file: db/changelog/113-hs-customer-rbac.sql file: db/changelog/113-test-customer-rbac.sql
- include: - include:
file: db/changelog/118-hs-customer-test-data.sql file: db/changelog/118-test-customer-test-data.sql
- include: - include:
file: db/changelog/120-hs-package.sql file: db/changelog/120-test-package.sql
- include: - include:
file: db/changelog/123-hs-package-rbac.sql file: db/changelog/123-test-package-rbac.sql
- include: - include:
file: db/changelog/128-hs-package-test-data.sql file: db/changelog/128-test-package-test-data.sql
- include: - include:
file: db/changelog/130-hs-unixuser.sql file: db/changelog/130-test-unixuser.sql
- include: - include:
file: db/changelog/133-hs-unixuser-rbac.sql file: db/changelog/133-test-unixuser-rbac.sql
- include: - include:
file: db/changelog/138-hs-unixuser-test-data.sql file: db/changelog/138-test-unixuser-test-data.sql


@ -31,7 +31,7 @@ class ContextIntegrationTests {
@Test @Test
void defineWithoutHttpServletRequestUsesCallStack() { void defineWithoutHttpServletRequestUsesCallStack() {
context.define("mike@hostsharing.net", null); context.define("mike@example.org", null);
assertThat(context.getCurrentTask()) assertThat(context.getCurrentTask())
.isEqualTo("ContextIntegrationTests.defineWithoutHttpServletRequestUsesCallStack"); .isEqualTo("ContextIntegrationTests.defineWithoutHttpServletRequestUsesCallStack");
@ -41,11 +41,11 @@ class ContextIntegrationTests {
@Transactional @Transactional
void defineWithCurrentUserButWithoutAssumedRoles() { void defineWithCurrentUserButWithoutAssumedRoles() {
// when // when
context.define("mike@hostsharing.net"); context.define("mike@example.org");
// then // then
assertThat(context.getCurrentUser()). assertThat(context.getCurrentUser()).
isEqualTo("mike@hostsharing.net"); isEqualTo("mike@example.org");
assertThat(context.getCurrentUserUUid()).isNotNull(); assertThat(context.getCurrentUserUUid()).isNotNull();
@ -59,41 +59,41 @@ class ContextIntegrationTests {
void defineWithoutCurrentUserButWithAssumedRoles() { void defineWithoutCurrentUserButWithAssumedRoles() {
// when // when
final var result = jpaAttempt.transacted(() -> final var result = jpaAttempt.transacted(() ->
context.define(null, "package#yyy00.admin") context.define(null, "test_package#yyy00.admin")
); );
// then // then
result.assertExceptionWithRootCauseMessage( result.assertExceptionWithRootCauseMessage(
javax.persistence.PersistenceException.class, javax.persistence.PersistenceException.class,
"ERROR: [403] undefined has no permission to assume role package#yyy00.admin"); "ERROR: [403] undefined has no permission to assume role test_package#yyy00.admin");
} }
@Test @Test
void defineWithUnknownCurrentUserButWithAssumedRoles() { void defineWithUnknownCurrentUserButWithAssumedRoles() {
// when // when
final var result = jpaAttempt.transacted(() -> final var result = jpaAttempt.transacted(() ->
context.define("unknown@example.org", "package#yyy00.admin") context.define("unknown@example.org", "test_package#yyy00.admin")
); );
// then // then
result.assertExceptionWithRootCauseMessage( result.assertExceptionWithRootCauseMessage(
javax.persistence.PersistenceException.class, javax.persistence.PersistenceException.class,
"ERROR: [403] undefined has no permission to assume role package#yyy00.admin"); "ERROR: [403] undefined has no permission to assume role test_package#yyy00.admin");
} }
@Test @Test
@Transactional @Transactional
void defineWithCurrentUserAndAssumedRoles() { void defineWithCurrentUserAndAssumedRoles() {
// given // given
context.define("mike@hostsharing.net", "customer#xxx.owner;customer#yyy.owner"); context.define("mike@example.org", "test_customer#xxx.owner;test_customer#yyy.owner");
// when // when
final var currentUser = context.getCurrentUser(); final var currentUser = context.getCurrentUser();
assertThat(currentUser).isEqualTo("mike@hostsharing.net"); assertThat(currentUser).isEqualTo("mike@example.org");
// then // then
assertThat(context.getAssumedRoles()) assertThat(context.getAssumedRoles())
.isEqualTo(Array.of("customer#xxx.owner", "customer#yyy.owner")); .isEqualTo(Array.of("test_customer#xxx.owner", "test_customer#yyy.owner"));
assertThat(context.currentSubjectsUuids()).hasSize(2); assertThat(context.currentSubjectsUuids()).hasSize(2);
} }
@ -101,12 +101,12 @@ class ContextIntegrationTests {
public void defineContextWithCurrentUserAndAssumeInaccessibleRole() { public void defineContextWithCurrentUserAndAssumeInaccessibleRole() {
// when // when
final var result = jpaAttempt.transacted(() -> final var result = jpaAttempt.transacted(() ->
context.define("customer-admin@xxx.example.com", "package#yyy00.admin") context.define("customer-admin@xxx.example.com", "test_package#yyy00.admin")
); );
// then // then
result.assertExceptionWithRootCauseMessage( result.assertExceptionWithRootCauseMessage(
javax.persistence.PersistenceException.class, javax.persistence.PersistenceException.class,
"ERROR: [403] user customer-admin@xxx.example.com has no permission to assume role package#yyy00.admin"); "ERROR: [403] user customer-admin@xxx.example.com has no permission to assume role test_package#yyy00.admin");
} }
} }


@ -39,10 +39,10 @@ class CustomerControllerAcceptanceTest {
class ListCustomers { class ListCustomers {
@Test @Test
void hostsharingAdmin_withoutAssumedRoles_canViewAllCustomers_ifNoCriteriaGiven() { void testGlobalAdmin_withoutAssumedRoles_canViewAllCustomers_ifNoCriteriaGiven() {
RestAssured // @formatter:off RestAssured // @formatter:off
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/customers") .get("http://localhost/api/customers")
@ -57,10 +57,10 @@ class CustomerControllerAcceptanceTest {
} }
@Test @Test
void hostsharingAdmin_withoutAssumedRoles_canViewMatchingCustomers_ifCriteriaGiven() { void testGlobalAdmin_withoutAssumedRoles_canViewMatchingCustomers_ifCriteriaGiven() {
RestAssured // @formatter:off RestAssured // @formatter:off
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/customers?prefix=y") .get("http://localhost/api/customers?prefix=y")
@ -73,11 +73,11 @@ class CustomerControllerAcceptanceTest {
} }
@Test @Test
void hostsharingAdmin_withoutAssumedCustomerAdminRole_canOnlyViewOwnCustomer() { void testGlobalAdmin_withoutAssumedCustomerAdminRole_canOnlyViewOwnCustomer() {
RestAssured // @formatter:off RestAssured // @formatter:off
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.header("assumed-roles", "customer#yyy.admin") .header("assumed-roles", "test_customer#yyy.admin")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/customers") .get("http://localhost/api/customers")
@ -110,11 +110,11 @@ class CustomerControllerAcceptanceTest {
class AddCustomer { class AddCustomer {
@Test @Test
void hostsharingAdmin_withoutAssumedRole_canAddCustomer() { void testGlobalAdmin_withoutAssumedRole_canAddCustomer() {
final var location = RestAssured // @formatter:off final var location = RestAssured // @formatter:off
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.contentType(ContentType.JSON) .contentType(ContentType.JSON)
.body(""" .body("""
{ {
@ -142,13 +142,13 @@ class CustomerControllerAcceptanceTest {
} }
@Test @Test
void hostsharingAdmin_withoutAssumedRole_canAddCustomerWithGivenUuid() { void testGlobalAdmin_withoutAssumedRole_canAddCustomerWithGivenUuid() {
final var givenUuid = UUID.randomUUID(); final var givenUuid = UUID.randomUUID();
final var location = RestAssured // @formatter:off final var location = RestAssured // @formatter:off
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.contentType(ContentType.JSON) .contentType(ContentType.JSON)
.body(""" .body("""
{ {
@ -180,12 +180,12 @@ class CustomerControllerAcceptanceTest {
} }
@Test @Test
void hostsharingAdmin_withAssumedCustomerAdminRole_canNotAddCustomer() { void testGlobalAdmin_withAssumedCustomerAdminRole_canNotAddCustomer() {
RestAssured // @formatter:off RestAssured // @formatter:off
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.header("assumed-roles", "customer#xxx.admin") .header("assumed-roles", "test_customer#xxx.admin")
.contentType(ContentType.JSON) .contentType(ContentType.JSON)
.body(""" .body("""
{ {
@ -201,11 +201,11 @@ class CustomerControllerAcceptanceTest {
.statusCode(403) .statusCode(403)
.contentType(ContentType.JSON) .contentType(ContentType.JSON)
.statusCode(403) .statusCode(403)
.body("message", containsString("add-customer not permitted for customer#xxx.admin")); .body("message", containsString("add-customer not permitted for test_customer#xxx.admin"));
// @formatter:on // @formatter:on
// finally, the new customer was not created // finally, the new customer was not created
context.define("sven@hostsharing.net"); context.define("sven@example.org");
assertThat(customerRepository.findCustomerByOptionalPrefixLike("uuu")).hasSize(0); assertThat(customerRepository.findCustomerByOptionalPrefixLike("uuu")).hasSize(0);
} }
@ -234,7 +234,7 @@ class CustomerControllerAcceptanceTest {
// @formatter:on // @formatter:on
// finally, the new customer was not created // finally, the new customer was not created
context.define("sven@hostsharing.net"); context.define("sven@example.org");
assertThat(customerRepository.findCustomerByOptionalPrefixLike("uuu")).hasSize(0); assertThat(customerRepository.findCustomerByOptionalPrefixLike("uuu")).hasSize(0);
} }
} }


@ -37,9 +37,9 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
class CreateCustomer { class CreateCustomer {
@Test @Test
public void hostsharingAdmin_withoutAssumedRole_canCreateNewCustomer() { public void testGlobalAdmin_withoutAssumedRole_canCreateNewCustomer() {
// given // given
context("mike@hostsharing.net", null); context("mike@example.org", null);
final var count = customerRepository.count(); final var count = customerRepository.count();
// when // when
@ -58,9 +58,9 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
} }
@Test @Test
public void hostsharingAdmin_withAssumedCustomerRole_cannotCreateNewCustomer() { public void testGlobalAdmin_withAssumedCustomerRole_cannotCreateNewCustomer() {
// given // given
context("mike@hostsharing.net", "customer#xxx.admin"); context("mike@example.org", "test_customer#xxx.admin");
// when // when
final var result = attempt(em, () -> { final var result = attempt(em, () -> {
@ -72,7 +72,7 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
// then // then
result.assertExceptionWithRootCauseMessage( result.assertExceptionWithRootCauseMessage(
PersistenceException.class, PersistenceException.class,
"add-customer not permitted for customer#xxx.admin"); "add-customer not permitted for test_customer#xxx.admin");
} }
@Test @Test
@ -104,9 +104,9 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
class FindAllCustomers { class FindAllCustomers {
@Test @Test
public void hostsharingAdmin_withoutAssumedRole_canViewAllCustomers() { public void testGlobalAdmin_withoutAssumedRole_canViewAllCustomers() {
// given // given
context("mike@hostsharing.net", null); context("mike@example.org", null);
// when // when
final var result = customerRepository.findCustomerByOptionalPrefixLike(null); final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
@ -116,9 +116,9 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
} }
@Test @Test
public void hostsharingAdmin_withAssumedHostsharingAdminRole_canViewAllCustomers() { public void testGlobalAdmin_withAssumedtestGlobalAdminRole_canViewAllCustomers() {
given: given:
context("mike@hostsharing.net", "global#hostsharing.admin"); context("mike@example.org", "global#test-global.admin");
// when // when
final var result = customerRepository.findCustomerByOptionalPrefixLike(null); final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
@ -141,7 +141,7 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
@Test @Test
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnCustomer() { public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnCustomer() {
context("customer-admin@xxx.example.com", "package#xxx00.admin"); context("customer-admin@xxx.example.com", "test_package#xxx00.admin");
final var result = customerRepository.findCustomerByOptionalPrefixLike(null); final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
@ -153,9 +153,9 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
class FindByPrefixLike { class FindByPrefixLike {
@Test @Test
public void hostsharingAdmin_withoutAssumedRole_canViewAllCustomers() { public void testGlobalAdmin_withoutAssumedRole_canViewAllCustomers() {
// given // given
context("mike@hostsharing.net", null); context("mike@example.org", null);
// when // when
final var result = customerRepository.findCustomerByOptionalPrefixLike("yyy"); final var result = customerRepository.findCustomerByOptionalPrefixLike("yyy");
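Review bot: The mechanical rename in the method name on the `testGlobalAdmin_withAssumedtestGlobalAdminRole_canViewAllCustomers` line fused a lower-case `test` into the camel-case, so the name no longer reads as words; `testGlobalAdmin_withAssumedGlobalAdminRole_canViewAllCustomers` (or `...withAssumedTestGlobalAdminRole...`) keeps the scheme the sibling tests use. The same fused name appears in PackageRepositoryIntegrationTest (`testGlobalAdmin_withAssumedtestGlobalAdminRole__canNotViewAnyPackages_...`), so both should be adjusted together. In the same hunk the `given:` on the following line is a bare Java label rather than the `// given` comment used by the neighbouring tests; it compiles but is easy to misread. The enclosing test class starts and ends outside this section.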


@ -43,8 +43,8 @@ class PackageControllerAcceptanceTest {
// @formatter:off // @formatter:off
RestAssured RestAssured
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.header("assumed-roles", "customer#xxx.admin") .header("assumed-roles", "test_customer#xxx.admin")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/packages") .get("http://localhost/api/packages")
@ -65,8 +65,8 @@ class PackageControllerAcceptanceTest {
// @formatter:off // @formatter:off
RestAssured RestAssured
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.header("assumed-roles", "customer#xxx.admin") .header("assumed-roles", "test_customer#xxx.admin")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/packages?name=xxx01") .get("http://localhost/api/packages?name=xxx01")
@ -93,8 +93,8 @@ class PackageControllerAcceptanceTest {
// @formatter:off // @formatter:off
RestAssured RestAssured
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.header("assumed-roles", "customer#xxx.admin") .header("assumed-roles", "test_customer#xxx.admin")
.contentType(ContentType.JSON) .contentType(ContentType.JSON)
.body(format(""" .body(format("""
{ {
@ -123,8 +123,8 @@ class PackageControllerAcceptanceTest {
// @formatter:off // @formatter:off
RestAssured RestAssured
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.header("assumed-roles", "customer#xxx.admin") .header("assumed-roles", "test_customer#xxx.admin")
.contentType(ContentType.JSON) .contentType(ContentType.JSON)
.body(""" .body("""
{ {
@ -152,8 +152,8 @@ class PackageControllerAcceptanceTest {
// @formatter:off // @formatter:off
RestAssured RestAssured
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.header("assumed-roles", "customer#xxx.admin") .header("assumed-roles", "test_customer#xxx.admin")
.contentType(ContentType.JSON) .contentType(ContentType.JSON)
.body("{}") .body("{}")
.port(port) .port(port)
@ -172,8 +172,8 @@ class PackageControllerAcceptanceTest {
// @formatter:off // @formatter:off
return UUID.fromString(RestAssured return UUID.fromString(RestAssured
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.header("assumed-roles", "customer#xxx.admin") .header("assumed-roles", "test_customer#xxx.admin")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/packages?name={packageName}", packageName) .get("http://localhost/api/packages?name={packageName}", packageName)
@ -185,7 +185,7 @@ class PackageControllerAcceptanceTest {
} }
String getDescriptionOfPackage(final String packageName) { String getDescriptionOfPackage(final String packageName) {
context.define("mike@hostsharing.net","customer#xxx.admin"); context.define("mike@example.org","test_customer#xxx.admin");
return packageRepository.findAllByOptionalNameLike(packageName).get(0).getDescription(); return packageRepository.findAllByOptionalNameLike(packageName).get(0).getDescription();
} }
} }


@ -42,9 +42,9 @@ class PackageRepositoryIntegrationTest {
class FindAllByOptionalNameLike { class FindAllByOptionalNameLike {
@Test @Test
public void hostsharingAdmin_withoutAssumedRole_canNotViewAnyPackages_becauseThoseGrantsAreNotassumedd() { public void testGlobalAdmin_withoutAssumedRole_canNotViewAnyPackages_becauseThoseGrantsAreNotassumedd() {
// given // given
context.define("mike@hostsharing.net"); context.define("mike@example.org");
// when // when
final var result = packageRepository.findAllByOptionalNameLike(null); final var result = packageRepository.findAllByOptionalNameLike(null);
@ -54,9 +54,9 @@ class PackageRepositoryIntegrationTest {
} }
@Test @Test
public void hostsharingAdmin_withAssumedHostsharingAdminRole__canNotViewAnyPackages_becauseThoseGrantsAreNotassumedd() { public void testGlobalAdmin_withAssumedtestGlobalAdminRole__canNotViewAnyPackages_becauseThoseGrantsAreNotassumedd() {
given: given:
context.define("mike@hostsharing.net", "global#hostsharing.admin"); context.define("mike@example.org", "global#test-global.admin");
// when // when
final var result = packageRepository.findAllByOptionalNameLike(null); final var result = packageRepository.findAllByOptionalNameLike(null);
@ -79,7 +79,7 @@ class PackageRepositoryIntegrationTest {
@Test @Test
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnPackages() { public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnPackages() {
context.define("customer-admin@xxx.example.com", "package#xxx00.admin"); context.define("customer-admin@xxx.example.com", "test_package#xxx00.admin");
final var result = packageRepository.findAllByOptionalNameLike(null); final var result = packageRepository.findAllByOptionalNameLike(null);
@ -93,17 +93,17 @@ class PackageRepositoryIntegrationTest {
@Test @Test
public void supportsOptimisticLocking() throws InterruptedException { public void supportsOptimisticLocking() throws InterruptedException {
// given // given
hostsharingAdminWithAssumedRole("package#xxx00.admin"); testGlobalAdminWithAssumedRole("test_package#xxx00.admin");
final var pac = packageRepository.findAllByOptionalNameLike("%").get(0); final var pac = packageRepository.findAllByOptionalNameLike("%").get(0);
// when // when
final var result1 = jpaAttempt.transacted(() -> { final var result1 = jpaAttempt.transacted(() -> {
hostsharingAdminWithAssumedRole("package#xxx00.admin"); testGlobalAdminWithAssumedRole("test_package#xxx00.admin");
pac.setDescription("description set by thread 1"); pac.setDescription("description set by thread 1");
packageRepository.save(pac); packageRepository.save(pac);
}); });
final var result2 = jpaAttempt.transacted(() -> { final var result2 = jpaAttempt.transacted(() -> {
hostsharingAdminWithAssumedRole("package#xxx00.admin"); testGlobalAdminWithAssumedRole("test_package#xxx00.admin");
pac.setDescription("description set by thread 2"); pac.setDescription("description set by thread 2");
packageRepository.save(pac); packageRepository.save(pac);
sleep(1500); sleep(1500);
@ -125,8 +125,8 @@ class PackageRepositoryIntegrationTest {
} }
} }
private void hostsharingAdminWithAssumedRole(final String assumedRoles) { private void testGlobalAdminWithAssumedRole(final String assumedRoles) {
context.define("mike@hostsharing.net", assumedRoles); context.define("mike@example.org", assumedRoles);
} }
void noPackagesAreReturned(final List<PackageEntity> actualResult) { void noPackagesAreReturned(final List<PackageEntity> actualResult) {


@ -62,10 +62,10 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
@Test @Test
@Accepts("GRT:L(List)") @Accepts("GRT:L(List)")
void hostsharingAdmin_withoutAssumedRole_canViewAllGrants() { void testGlobalAdmin_withoutAssumedRole_canViewAllGrants() {
RestAssured // @formatter:off RestAssured // @formatter:off
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/rbac-grants") .get("http://localhost/api/rbac-grants")
@ -74,36 +74,36 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
.contentType("application/json") .contentType("application/json")
.body("", hasItem( .body("", hasItem(
allOf( allOf(
hasEntry("grantedByRoleIdName", "global#hostsharing.admin"), hasEntry("grantedByRoleIdName", "global#test-global.admin"),
hasEntry("grantedRoleIdName", "customer#xxx.admin"), hasEntry("grantedRoleIdName", "test_customer#xxx.admin"),
hasEntry("granteeUserName", "customer-admin@xxx.example.com") hasEntry("granteeUserName", "customer-admin@xxx.example.com")
) )
)) ))
.body("", hasItem( .body("", hasItem(
allOf( allOf(
hasEntry("grantedByRoleIdName", "global#hostsharing.admin"), hasEntry("grantedByRoleIdName", "global#test-global.admin"),
hasEntry("grantedRoleIdName", "customer#yyy.admin"), hasEntry("grantedRoleIdName", "test_customer#yyy.admin"),
hasEntry("granteeUserName", "customer-admin@yyy.example.com") hasEntry("granteeUserName", "customer-admin@yyy.example.com")
) )
)) ))
.body("", hasItem( .body("", hasItem(
allOf( allOf(
hasEntry("grantedByRoleIdName", "global#hostsharing.admin"), hasEntry("grantedByRoleIdName", "global#test-global.admin"),
hasEntry("grantedRoleIdName", "global#hostsharing.admin"), hasEntry("grantedRoleIdName", "global#test-global.admin"),
hasEntry("granteeUserName", "sven@hostsharing.net") hasEntry("granteeUserName", "sven@example.org")
) )
)) ))
.body("", hasItem( .body("", hasItem(
allOf( allOf(
hasEntry("grantedByRoleIdName", "customer#xxx.admin"), hasEntry("grantedByRoleIdName", "test_customer#xxx.admin"),
hasEntry("grantedRoleIdName", "package#xxx00.admin"), hasEntry("grantedRoleIdName", "test_package#xxx00.admin"),
hasEntry("granteeUserName", "pac-admin-xxx00@xxx.example.com") hasEntry("granteeUserName", "pac-admin-xxx00@xxx.example.com")
) )
)) ))
.body("", hasItem( .body("", hasItem(
allOf( allOf(
hasEntry("grantedByRoleIdName", "customer#zzz.admin"), hasEntry("grantedByRoleIdName", "test_customer#zzz.admin"),
hasEntry("grantedRoleIdName", "package#zzz02.admin"), hasEntry("grantedRoleIdName", "test_package#zzz02.admin"),
hasEntry("granteeUserName", "pac-admin-zzz02@zzz.example.com") hasEntry("granteeUserName", "pac-admin-zzz02@zzz.example.com")
) )
)) ))
@ -113,11 +113,11 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
@Test @Test
@Accepts({ "GRT:L(List)", "GRT:X(Access Control)" }) @Accepts({ "GRT:L(List)", "GRT:X(Access Control)" })
void hostsharingAdmin_withAssumedPackageAdminRole_canViewPacketRelatedGrants() { void testGlobalAdmin_withAssumedPackageAdminRole_canViewPacketRelatedGrants() {
RestAssured // @formatter:off RestAssured // @formatter:off
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.header("assumed-roles", "package#yyy00.admin") .header("assumed-roles", "test_package#yyy00.admin")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/rbac-grants") .get("http://localhost/api/rbac-grants")
@ -126,8 +126,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
.contentType("application/json") .contentType("application/json")
.body("", hasItem( .body("", hasItem(
allOf( allOf(
hasEntry("grantedByRoleIdName", "customer#yyy.admin"), hasEntry("grantedByRoleIdName", "test_customer#yyy.admin"),
hasEntry("grantedRoleIdName", "package#yyy00.admin"), hasEntry("grantedRoleIdName", "test_package#yyy00.admin"),
hasEntry("granteeUserName", "pac-admin-yyy00@yyy.example.com") hasEntry("granteeUserName", "pac-admin-yyy00@yyy.example.com")
) )
)) ))
@ -149,8 +149,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
.contentType("application/json") .contentType("application/json")
.body("", hasItem( .body("", hasItem(
allOf( allOf(
hasEntry("grantedByRoleIdName", "customer#yyy.admin"), hasEntry("grantedByRoleIdName", "test_customer#yyy.admin"),
hasEntry("grantedRoleIdName", "package#yyy00.admin"), hasEntry("grantedRoleIdName", "test_package#yyy00.admin"),
hasEntry("granteeUserName", "pac-admin-yyy00@yyy.example.com") hasEntry("granteeUserName", "pac-admin-yyy00@yyy.example.com")
) )
)) ))
@ -168,7 +168,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// given // given
final var givenCurrentUserAsPackageAdmin = new Subject("customer-admin@xxx.example.com"); final var givenCurrentUserAsPackageAdmin = new Subject("customer-admin@xxx.example.com");
final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com"); final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin"); final var givenGrantedRole = findRbacRoleByName("test_package#xxx00.admin");
// when // when
final var grant = givenCurrentUserAsPackageAdmin.getGrantById() final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
@ -177,8 +177,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// then // then
grant.assertThat() grant.assertThat()
.statusCode(200) .statusCode(200)
.body("grantedByRoleIdName", is("customer#xxx.admin")) .body("grantedByRoleIdName", is("test_customer#xxx.admin"))
.body("grantedRoleIdName", is("package#xxx00.admin")) .body("grantedRoleIdName", is("test_package#xxx00.admin"))
.body("granteeUserName", is("pac-admin-xxx00@xxx.example.com")); .body("granteeUserName", is("pac-admin-xxx00@xxx.example.com"));
} }
@ -188,7 +188,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// given // given
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com"); final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com");
final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com"); final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin"); final var givenGrantedRole = findRbacRoleByName("test_package#xxx00.admin");
// when // when
final var grant = givenCurrentUserAsPackageAdmin.getGrantById() final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
@ -197,8 +197,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// then // then
grant.assertThat() grant.assertThat()
.statusCode(200) .statusCode(200)
.body("grantedByRoleIdName", is("customer#xxx.admin")) .body("grantedByRoleIdName", is("test_customer#xxx.admin"))
.body("grantedRoleIdName", is("package#xxx00.admin")) .body("grantedRoleIdName", is("test_package#xxx00.admin"))
.body("granteeUserName", is("pac-admin-xxx00@xxx.example.com")); .body("granteeUserName", is("pac-admin-xxx00@xxx.example.com"));
} }
@ -208,9 +208,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// given // given
final var givenCurrentUserAsPackageAdmin = new Subject( final var givenCurrentUserAsPackageAdmin = new Subject(
"pac-admin-xxx00@xxx.example.com", "pac-admin-xxx00@xxx.example.com",
"package#xxx00.admin"); "test_package#xxx00.admin");
final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com"); final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin"); final var givenGrantedRole = findRbacRoleByName("test_package#xxx00.admin");
// when // when
final var grant = givenCurrentUserAsPackageAdmin.getGrantById() final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
@ -219,8 +219,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// then // then
grant.assertThat() grant.assertThat()
.statusCode(200) .statusCode(200)
.body("grantedByRoleIdName", is("customer#xxx.admin")) .body("grantedByRoleIdName", is("test_customer#xxx.admin"))
.body("grantedRoleIdName", is("package#xxx00.admin")) .body("grantedRoleIdName", is("test_package#xxx00.admin"))
.body("granteeUserName", is("pac-admin-xxx00@xxx.example.com")); .body("granteeUserName", is("pac-admin-xxx00@xxx.example.com"));
} }
@ -231,9 +231,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// given // given
final var givenCurrentUserAsPackageAdmin = new Subject( final var givenCurrentUserAsPackageAdmin = new Subject(
"pac-admin-xxx00@xxx.example.com", "pac-admin-xxx00@xxx.example.com",
"package#xxx00.tenant"); "test_package#xxx00.tenant");
final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com"); final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin"); final var givenGrantedRole = findRbacRoleByName("test_package#xxx00.admin");
final var grant = givenCurrentUserAsPackageAdmin.getGrantById() final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
.forGrantedRole(givenGrantedRole).toGranteeUser(givenGranteeUser); .forGrantedRole(givenGrantedRole).toGranteeUser(givenGranteeUser);
@ -252,7 +252,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// given // given
final var givenNewUser = createRBacUser(); final var givenNewUser = createRBacUser();
final var givenRoleToGrant = "package#xxx00.admin"; final var givenRoleToGrant = "test_package#xxx00.admin";
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant); final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
final var givenOwnPackageAdminRole = final var givenOwnPackageAdminRole =
findRbacRoleByName(givenCurrentUserAsPackageAdmin.assumedRole); findRbacRoleByName(givenCurrentUserAsPackageAdmin.assumedRole);
@ -265,9 +265,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// then // then
response.assertThat() response.assertThat()
.statusCode(201) .statusCode(201)
.body("grantedByRoleIdName", is("package#xxx00.admin")) .body("grantedByRoleIdName", is("test_package#xxx00.admin"))
.body("assumed", is(true)) .body("assumed", is(true))
.body("grantedRoleIdName", is("package#xxx00.admin")) .body("grantedRoleIdName", is("test_package#xxx00.admin"))
.body("granteeUserName", is(givenNewUser.getName())); .body("granteeUserName", is(givenNewUser.getName()));
assertThat(findAllGrantsOf(givenCurrentUserAsPackageAdmin)) assertThat(findAllGrantsOf(givenCurrentUserAsPackageAdmin))
.extracting(RbacGrantEntity::toDisplay) .extracting(RbacGrantEntity::toDisplay)
@ -282,9 +282,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// given // given
final var givenNewUser = createRBacUser(); final var givenNewUser = createRBacUser();
final var givenRoleToGrant = "package#xxx00.admin"; final var givenRoleToGrant = "test_package#xxx00.admin";
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant); final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
final var givenAlienPackageAdminRole = findRbacRoleByName("package#yyy00.admin"); final var givenAlienPackageAdminRole = findRbacRoleByName("test_package#yyy00.admin");
// when // when
final var result = givenCurrentUserAsPackageAdmin final var result = givenCurrentUserAsPackageAdmin
@ -295,7 +295,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
result.assertThat() result.assertThat()
.statusCode(403) .statusCode(403)
.body("message", containsString("Access to granted role")) .body("message", containsString("Access to granted role"))
.body("message", containsString("forbidden for {package#xxx00.admin}")); .body("message", containsString("forbidden for {test_package#xxx00.admin}"));
assertThat(findAllGrantsOf(givenCurrentUserAsPackageAdmin)) assertThat(findAllGrantsOf(givenCurrentUserAsPackageAdmin))
.extracting(RbacGrantEntity::getGranteeUserName) .extracting(RbacGrantEntity::getGranteeUserName)
.doesNotContain(givenNewUser.getName()); .doesNotContain(givenNewUser.getName());
@ -312,9 +312,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// given // given
final var givenArbitraryUser = createRBacUser(); final var givenArbitraryUser = createRBacUser();
final var givenRoleToGrant = "package#xxx00.admin"; final var givenRoleToGrant = "test_package#xxx00.admin";
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant); final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
final var givenOwnPackageAdminRole = findRbacRoleByName("package#xxx00.admin"); final var givenOwnPackageAdminRole = findRbacRoleByName("test_package#xxx00.admin");
// and given an existing grant // and given an existing grant
assumeCreated(givenCurrentUserAsPackageAdmin assumeCreated(givenCurrentUserAsPackageAdmin
@ -499,14 +499,14 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
RbacUserEntity findRbacUserByName(final String userName) { RbacUserEntity findRbacUserByName(final String userName) {
return jpaAttempt.transacted(() -> { return jpaAttempt.transacted(() -> {
context("mike@hostsharing.net", null); context("mike@example.org", null);
return rbacUserRepository.findByName(userName); return rbacUserRepository.findByName(userName);
}).returnedValue(); }).returnedValue();
} }
RbacRoleEntity findRbacRoleByName(final String roleName) { RbacRoleEntity findRbacRoleByName(final String roleName) {
return jpaAttempt.transacted(() -> { return jpaAttempt.transacted(() -> {
context("mike@hostsharing.net", null); context("mike@example.org", null);
return rbacRoleRepository.findByRoleName(roleName); return rbacRoleRepository.findByRoleName(roleName);
}).returnedValue(); }).returnedValue();
} }


@ -68,7 +68,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// then // then
exactlyTheseRbacGrantsAreReturned( exactlyTheseRbacGrantsAreReturned(
result, result,
"{ grant assumed role package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role customer#xxx.admin }"); "{ grant assumed role test_package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role test_customer#xxx.admin }");
} }
@Test @Test
@ -83,17 +83,17 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// then // then
exactlyTheseRbacGrantsAreReturned( exactlyTheseRbacGrantsAreReturned(
result, result,
"{ grant assumed role customer#xxx.admin to user customer-admin@xxx.example.com by role global#hostsharing.admin }", "{ grant assumed role test_customer#xxx.admin to user customer-admin@xxx.example.com by role global#test-global.admin }",
"{ grant assumed role package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role customer#xxx.admin }", "{ grant assumed role test_package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role test_customer#xxx.admin }",
"{ grant assumed role package#xxx01.admin to user pac-admin-xxx01@xxx.example.com by role customer#xxx.admin }", "{ grant assumed role test_package#xxx01.admin to user pac-admin-xxx01@xxx.example.com by role test_customer#xxx.admin }",
"{ grant assumed role package#xxx02.admin to user pac-admin-xxx02@xxx.example.com by role customer#xxx.admin }"); "{ grant assumed role test_package#xxx02.admin to user pac-admin-xxx02@xxx.example.com by role test_customer#xxx.admin }");
} }
@Test @Test
@Accepts({ "GRT:L(List)" }) @Accepts({ "GRT:L(List)" })
public void customerAdmin_withAssumedRole_canOnlyViewRbacGrantsVisibleByAssumedRole() { public void customerAdmin_withAssumedRole_canOnlyViewRbacGrantsVisibleByAssumedRole() {
// given: // given:
context("customer-admin@xxx.example.com", "package#xxx00.admin"); context("customer-admin@xxx.example.com", "test_package#xxx00.admin");
// when // when
final var result = rbacGrantRepository.findAll(); final var result = rbacGrantRepository.findAll();
@ -101,7 +101,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// then // then
exactlyTheseRbacGrantsAreReturned( exactlyTheseRbacGrantsAreReturned(
result, result,
"{ grant assumed role package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role customer#xxx.admin }"); "{ grant assumed role test_package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role test_customer#xxx.admin }");
} }
} }
@ -111,9 +111,9 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
@Test @Test
public void customerAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() { public void customerAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() {
// given // given
context("customer-admin@xxx.example.com", "customer#xxx.admin"); context("customer-admin@xxx.example.com", "test_customer#xxx.admin");
final var givenArbitraryUserUuid = rbacUserRepository.findByName("pac-admin-zzz00@zzz.example.com").getUuid(); final var givenArbitraryUserUuid = rbacUserRepository.findByName("pac-admin-zzz00@zzz.example.com").getUuid();
final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("package#xxx00.admin").getUuid(); final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("test_package#xxx00.admin").getUuid();
// when // when
final var grant = RbacGrantEntity.builder() final var grant = RbacGrantEntity.builder()
@ -129,7 +129,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
assertThat(rbacGrantRepository.findAll()) assertThat(rbacGrantRepository.findAll())
.extracting(RbacGrantEntity::toDisplay) .extracting(RbacGrantEntity::toDisplay)
.contains( .contains(
"{ grant assumed role package#xxx00.admin to user pac-admin-zzz00@zzz.example.com by role customer#xxx.admin }"); "{ grant assumed role test_package#xxx00.admin to user pac-admin-zzz00@zzz.example.com by role test_customer#xxx.admin }");
} }
@Test @Test
@ -142,14 +142,14 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
context("customer-admin@xxx.example.com", null); context("customer-admin@xxx.example.com", null);
return new Given( return new Given(
createNewUser(), createNewUser(),
rbacRoleRepository.findByRoleName("package#xxx00.owner").getUuid() rbacRoleRepository.findByRoleName("test_package#xxx00.owner").getUuid()
); );
}).assumeSuccessful().returnedValue(); }).assumeSuccessful().returnedValue();
// when // when
final var attempt = jpaAttempt.transacted(() -> { final var attempt = jpaAttempt.transacted(() -> {
// now we try to use these uuids as a less privileged user // now we try to use these uuids as a less privileged user
context("pac-admin-xxx00@xxx.example.com", "package#xxx00.admin"); context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00.admin");
final var grant = RbacGrantEntity.builder() final var grant = RbacGrantEntity.builder()
.granteeUserUuid(given.arbitraryUser.getUuid()) .granteeUserUuid(given.arbitraryUser.getUuid())
.grantedRoleUuid(given.packageOwnerRoleUuid) .grantedRoleUuid(given.packageOwnerRoleUuid)
@ -162,7 +162,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
attempt.assertExceptionWithRootCauseMessage( attempt.assertExceptionWithRootCauseMessage(
JpaSystemException.class, JpaSystemException.class,
"ERROR: [403] Access to granted role " + given.packageOwnerRoleUuid "ERROR: [403] Access to granted role " + given.packageOwnerRoleUuid
+ " forbidden for {package#xxx00.admin}"); + " forbidden for {test_package#xxx00.admin}");
jpaAttempt.transacted(() -> { jpaAttempt.transacted(() -> {
// finally, we use the new user to make sure, no roles were granted // finally, we use the new user to make sure, no roles were granted
context(given.arbitraryUser.getName(), null); context(given.arbitraryUser.getName(), null);
@ -180,17 +180,17 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
public void customerAdmin_canRevokeSelfGrantedPackageAdminRole() { public void customerAdmin_canRevokeSelfGrantedPackageAdminRole() {
// given // given
final var grant = create(grant() final var grant = create(grant()
.byUser("customer-admin@xxx.example.com").withAssumedRole("customer#xxx.admin") .byUser("customer-admin@xxx.example.com").withAssumedRole("test_customer#xxx.admin")
.grantingRole("package#xxx00.admin").toUser("pac-admin-zzz00@zzz.example.com")); .grantingRole("test_package#xxx00.admin").toUser("pac-admin-zzz00@zzz.example.com"));
// when // when
context("customer-admin@xxx.example.com", "customer#xxx.admin"); context("customer-admin@xxx.example.com", "test_customer#xxx.admin");
final var revokeAttempt = attempt(em, () -> { final var revokeAttempt = attempt(em, () -> {
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId()); rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
}); });
// then // then
context("customer-admin@xxx.example.com", "customer#xxx.admin"); context("customer-admin@xxx.example.com", "test_customer#xxx.admin");
assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull(); assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull();
assertThat(rbacGrantRepository.findAll()) assertThat(rbacGrantRepository.findAll())
.extracting(RbacGrantEntity::getGranteeUserName) .extracting(RbacGrantEntity::getGranteeUserName)
@ -202,18 +202,18 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// given // given
final var newUser = createNewUserTransacted(); final var newUser = createNewUserTransacted();
final var grant = create(grant() final var grant = create(grant()
.byUser("customer-admin@xxx.example.com").withAssumedRole("package#xxx00.admin") .byUser("customer-admin@xxx.example.com").withAssumedRole("test_package#xxx00.admin")
.grantingRole("package#xxx00.admin").toUser(newUser.getName())); .grantingRole("test_package#xxx00.admin").toUser(newUser.getName()));
// when // when
context("pac-admin-xxx00@xxx.example.com", "package#xxx00.admin"); context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00.admin");
final var revokeAttempt = attempt(em, () -> { final var revokeAttempt = attempt(em, () -> {
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId()); rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
}); });
// then // then
assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull(); assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull();
context("customer-admin@xxx.example.com", "customer#xxx.admin"); context("customer-admin@xxx.example.com", "test_customer#xxx.admin");
assertThat(rbacGrantRepository.findAll()) assertThat(rbacGrantRepository.findAll())
.extracting(RbacGrantEntity::getGranteeUserName) .extracting(RbacGrantEntity::getGranteeUserName)
.doesNotContain("pac-admin-zzz00@zzz.example.com"); .doesNotContain("pac-admin-zzz00@zzz.example.com");
@ -223,12 +223,12 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
public void packageAdmin_canNotRevokeOwnPackageAdminRoleGrantedByOwnerRoleOfThatPackage() { public void packageAdmin_canNotRevokeOwnPackageAdminRoleGrantedByOwnerRoleOfThatPackage() {
// given // given
final var grant = create(grant() final var grant = create(grant()
.byUser("customer-admin@xxx.example.com").withAssumedRole("package#xxx00.owner") .byUser("customer-admin@xxx.example.com").withAssumedRole("test_package#xxx00.owner")
.grantingRole("package#xxx00.admin").toUser("pac-admin-zzz00@zzz.example.com")); .grantingRole("test_package#xxx00.admin").toUser("pac-admin-zzz00@zzz.example.com"));
final var grantedByRole = rbacRoleRepository.findByRoleName("package#xxx00.owner"); final var grantedByRole = rbacRoleRepository.findByRoleName("test_package#xxx00.owner");
// when // when
context("pac-admin-xxx00@xxx.example.com", "package#xxx00.admin"); context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00.admin");
final var revokeAttempt = attempt(em, () -> { final var revokeAttempt = attempt(em, () -> {
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId()); rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
}); });
@ -236,7 +236,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// then // then
revokeAttempt.assertExceptionWithRootCauseMessage( revokeAttempt.assertExceptionWithRootCauseMessage(
JpaSystemException.class, JpaSystemException.class,
"ERROR: [403] Revoking role created by %s is forbidden for {package#xxx00.admin}.".formatted( "ERROR: [403] Revoking role created by %s is forbidden for {test_package#xxx00.admin}.".formatted(
grantedByRole.getUuid() grantedByRole.getUuid()
)); ));
} }
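Review bot: The closing assertion of the hunk at @ -202 checks that no grant remains for `pac-admin-zzz00@zzz.example.com`, but the grant this test creates and then revokes goes to `newUser.getName()` (`.grantingRole("test_package#xxx00.admin").toUser(newUser.getName())`), so the check passes even if the revoke was silently rejected and the grant is still in place. It looks like a copy of the assertion in the preceding test at @ -180, which really does grant to pac-admin-zzz00; here the line should read `.doesNotContain(newUser.getName());`. The enclosing test method starts outside the hunk, and the defect predates this commit, but since every line of the block is being touched for the rename it is the right moment to make the revocation test actually observe its own grant.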


@ -38,39 +38,39 @@ class RbacRoleControllerAcceptanceTest {
@Test @Test
@Accepts({ "ROL:L(List)" }) @Accepts({ "ROL:L(List)" })
void hostsharingAdmin_withoutAssumedRole_canViewAllRoles() { void testGlobalAdmin_withoutAssumedRole_canViewAllRoles() {
// @formatter:off // @formatter:off
RestAssured RestAssured
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/rbac-roles") .get("http://localhost/api/rbac-roles")
.then().assertThat() .then().assertThat()
.statusCode(200) .statusCode(200)
.contentType("application/json") .contentType("application/json")
.body("", hasItem(hasEntry("roleName", "customer#xxx.admin"))) .body("", hasItem(hasEntry("roleName", "test_customer#xxx.admin")))
.body("", hasItem(hasEntry("roleName", "customer#xxx.owner"))) .body("", hasItem(hasEntry("roleName", "test_customer#xxx.owner")))
.body("", hasItem(hasEntry("roleName", "customer#xxx.tenant"))) .body("", hasItem(hasEntry("roleName", "test_customer#xxx.tenant")))
// ... // ...
.body("", hasItem(hasEntry("roleName", "global#hostsharing.admin"))) .body("", hasItem(hasEntry("roleName", "global#test-global.admin")))
.body("", hasItem(hasEntry("roleName", "customer#yyy.admin"))) .body("", hasItem(hasEntry("roleName", "test_customer#yyy.admin")))
.body("", hasItem(hasEntry("roleName", "package#yyy00.admin"))) .body("", hasItem(hasEntry("roleName", "test_package#yyy00.admin")))
.body("", hasItem(hasEntry("roleName", "unixuser#yyy00-aaaa.owner"))) .body("", hasItem(hasEntry("roleName", "test_unixuser#yyy00-aaaa.owner")))
.body( "size()", greaterThanOrEqualTo(73)); // increases with new test data .body( "size()", greaterThanOrEqualTo(73)); // increases with new test data
// @formatter:on // @formatter:on
} }
@Test @Test
@Accepts({ "ROL:L(List)", "ROL:X(Access Control)" }) @Accepts({ "ROL:L(List)", "ROL:X(Access Control)" })
void hostsharingAdmin_withAssumedPackageAdminRole_canViewPackageAdminRoles() { void testGlobalAdmin_withAssumedPackageAdminRole_canViewPackageAdminRoles() {
// @formatter:off // @formatter:off
RestAssured RestAssured
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.header("assumed-roles", "package#yyy00.admin") .header("assumed-roles", "test_package#yyy00.admin")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/rbac-roles") .get("http://localhost/api/rbac-roles")
@ -79,10 +79,10 @@ class RbacRoleControllerAcceptanceTest {
.assertThat() .assertThat()
.statusCode(200) .statusCode(200)
.contentType("application/json") .contentType("application/json")
.body("[0].roleName", is("customer#yyy.tenant")) .body("[0].roleName", is("test_customer#yyy.tenant"))
.body("[1].roleName", is("package#yyy00.admin")) .body("[1].roleName", is("test_package#yyy00.admin"))
.body("[2].roleName", is("package#yyy00.tenant")) .body("[2].roleName", is("test_package#yyy00.tenant"))
.body("[3].roleName", is("unixuser#yyy00-aaaa.admin")) .body("[3].roleName", is("test_unixuser#yyy00-aaaa.admin"))
.body("size()", is(7)); // increases with new test data .body("size()", is(7)); // increases with new test data
// @formatter:on // @formatter:on
} }
@ -101,12 +101,11 @@ class RbacRoleControllerAcceptanceTest {
.then().assertThat() .then().assertThat()
.statusCode(200) .statusCode(200)
.contentType("application/json") .contentType("application/json")
.body("[0].roleName", is("customer#zzz.tenant")) .body("[0].roleName", is("test_customer#zzz.tenant"))
.body("[1].roleName", is("package#zzz00.admin")) .body("[1].roleName", is("test_package#zzz00.admin"))
.body("[2].roleName", is("package#zzz00.tenant")) .body("[2].roleName", is("test_package#zzz00.tenant"))
.body("[3].roleName", is("unixuser#zzz00-aaaa.admin")) .body("[3].roleName", is("test_unixuser#zzz00-aaaa.admin"))
.body("size()", is(7)); // increases with new test data .body("size()", is(7)); // increases with new test data
// @formatter:on // @formatter:on
} }
} }
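Review bot: The access-control test `testGlobalAdmin_withAssumedPackageAdminRole_canViewPackageAdminRoles` (hunks @ -38 and @ -79) asserts only which four roles are present and that `size()` is 7, and the comment on that line already concedes the count moves with the test data; nothing asserts that roles outside the assumed `test_package#yyy00.admin` scope are absent, so a visibility regression that leaks e.g. `global#test-global.admin` or a `test_customer#zzz.*` role would show up only as an unexplained count change. A negative matcher pins the property the test is tagged for: `.body("", not(hasItem(hasEntry("roleName", "global#test-global.admin"))))`, and the same applies to the sibling test in the hunk at @ -101. The index-based `[0]`..`[3]` assertions also couple both tests to the response ordering, which nothing in the hunk shows to be guaranteed; `hasItem` as used in the first test of the section is order-independent.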


@ -37,15 +37,15 @@ class RbacRoleControllerRestTest {
// when // when
mockMvc.perform(MockMvcRequestBuilders mockMvc.perform(MockMvcRequestBuilders
.get("/api/rbac-roles") .get("/api/rbac-roles")
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.accept(MediaType.APPLICATION_JSON)) .accept(MediaType.APPLICATION_JSON))
// then // then
.andExpect(status().isOk()) .andExpect(status().isOk())
.andExpect(jsonPath("$", hasSize(3))) .andExpect(jsonPath("$", hasSize(3)))
.andExpect(jsonPath("$[0].roleName", is("global#hostsharing.admin"))) .andExpect(jsonPath("$[0].roleName", is("global#test-global.admin")))
.andExpect(jsonPath("$[1].roleName", is("customer#xxx.owner"))) .andExpect(jsonPath("$[1].roleName", is("test_customer#xxx.owner")))
.andExpect(jsonPath("$[2].roleName", is("customer#xxx.admin"))) .andExpect(jsonPath("$[2].roleName", is("test_customer#xxx.admin")))
.andExpect(jsonPath("$[2].uuid", is(customerXxxAdmin.getUuid().toString()))) .andExpect(jsonPath("$[2].uuid", is(customerXxxAdmin.getUuid().toString())))
.andExpect(jsonPath("$[2].objectUuid", is(customerXxxAdmin.getObjectUuid().toString()))) .andExpect(jsonPath("$[2].objectUuid", is(customerXxxAdmin.getObjectUuid().toString())))
.andExpect(jsonPath("$[2].objectTable", is(customerXxxAdmin.getObjectTable().toString()))) .andExpect(jsonPath("$[2].objectTable", is(customerXxxAdmin.getObjectTable().toString())))


@ -40,26 +40,26 @@ class RbacRoleRepositoryIntegrationTest {
private static final String[] ALL_TEST_DATA_ROLES = Array.of( private static final String[] ALL_TEST_DATA_ROLES = Array.of(
// @formatter:off // @formatter:off
"global#hostsharing.admin", "global#test-global.admin",
"customer#xxx.admin", "customer#xxx.owner", "customer#xxx.tenant", "test_customer#xxx.admin", "test_customer#xxx.owner", "test_customer#xxx.tenant",
"package#xxx00.admin", "package#xxx00.owner", "package#xxx00.tenant", "test_package#xxx00.admin", "test_package#xxx00.owner", "test_package#xxx00.tenant",
"package#xxx01.admin", "package#xxx01.owner", "package#xxx01.tenant", "test_package#xxx01.admin", "test_package#xxx01.owner", "test_package#xxx01.tenant",
"package#xxx02.admin", "package#xxx02.owner", "package#xxx02.tenant", "test_package#xxx02.admin", "test_package#xxx02.owner", "test_package#xxx02.tenant",
"customer#yyy.admin", "customer#yyy.owner", "customer#yyy.tenant", "test_customer#yyy.admin", "test_customer#yyy.owner", "test_customer#yyy.tenant",
"package#yyy00.admin", "package#yyy00.owner", "package#yyy00.tenant", "test_package#yyy00.admin", "test_package#yyy00.owner", "test_package#yyy00.tenant",
"package#yyy01.admin", "package#yyy01.owner", "package#yyy01.tenant", "test_package#yyy01.admin", "test_package#yyy01.owner", "test_package#yyy01.tenant",
"package#yyy02.admin", "package#yyy02.owner", "package#yyy02.tenant", "test_package#yyy02.admin", "test_package#yyy02.owner", "test_package#yyy02.tenant",
"customer#zzz.admin", "customer#zzz.owner", "customer#zzz.tenant", "test_customer#zzz.admin", "test_customer#zzz.owner", "test_customer#zzz.tenant",
"package#zzz00.admin", "package#zzz00.owner", "package#zzz00.tenant", "test_package#zzz00.admin", "test_package#zzz00.owner", "test_package#zzz00.tenant",
"package#zzz01.admin", "package#zzz01.owner", "package#zzz01.tenant", "test_package#zzz01.admin", "test_package#zzz01.owner", "test_package#zzz01.tenant",
"package#zzz02.admin", "package#zzz02.owner", "package#zzz02.tenant" "test_package#zzz02.admin", "test_package#zzz02.owner", "test_package#zzz02.tenant"
// @formatter:on // @formatter:on
); );
@Test @Test
public void hostsharingAdmin_withoutAssumedRole_canViewAllRbacRoles() { public void testGlobalAdmin_withoutAssumedRole_canViewAllRbacRoles() {
// given // given
context.define("mike@hostsharing.net"); context.define("mike@example.org");
// when // when
final var result = rbacRoleRepository.findAll(); final var result = rbacRoleRepository.findAll();
@ -69,9 +69,9 @@ class RbacRoleRepositoryIntegrationTest {
} }
@Test @Test
public void hostsharingAdmin_withAssumedHostsharingAdminRole_canViewAllRbacRoles() { public void testGlobalAdmin_withAssumedtestGlobalAdminRole_canViewAllRbacRoles() {
given: given:
context.define("mike@hostsharing.net", "global#hostsharing.admin"); context.define("mike@example.org", "global#test-global.admin");
// when // when
final var result = rbacRoleRepository.findAll(); final var result = rbacRoleRepository.findAll();
@ -92,49 +92,49 @@ class RbacRoleRepositoryIntegrationTest {
allTheseRbacRolesAreReturned( allTheseRbacRolesAreReturned(
result, result,
// @formatter:off // @formatter:off
"customer#xxx.admin", "test_customer#xxx.admin",
"customer#xxx.tenant", "test_customer#xxx.tenant",
"package#xxx00.admin", "test_package#xxx00.admin",
"package#xxx00.owner", "test_package#xxx00.owner",
"package#xxx00.tenant", "test_package#xxx00.tenant",
"package#xxx01.admin", "test_package#xxx01.admin",
"package#xxx01.owner", "test_package#xxx01.owner",
"package#xxx01.tenant", "test_package#xxx01.tenant",
// ... // ...
"unixuser#xxx00-aaaa.admin", "test_unixuser#xxx00-aaaa.admin",
"unixuser#xxx00-aaaa.owner", "test_unixuser#xxx00-aaaa.owner",
// .. // ..
"unixuser#xxx01-aaab.admin", "test_unixuser#xxx01-aaab.admin",
"unixuser#xxx01-aaab.owner" "test_unixuser#xxx01-aaab.owner"
// @formatter:on // @formatter:on
); );
noneOfTheseRbacRolesIsReturned( noneOfTheseRbacRolesIsReturned(
result, result,
// @formatter:off // @formatter:off
"global#hostsharing.admin", "global#test-global.admin",
"customer#xxx.owner", "test_customer#xxx.owner",
"package#yyy00.admin", "test_package#yyy00.admin",
"package#yyy00.owner", "test_package#yyy00.owner",
"package#yyy00.tenant" "test_package#yyy00.tenant"
// @formatter:on // @formatter:on
); );
} }
@Test @Test
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnRbacRole() { public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnRbacRole() {
context.define("customer-admin@xxx.example.com", "package#xxx00.admin"); context.define("customer-admin@xxx.example.com", "test_package#xxx00.admin");
final var result = rbacRoleRepository.findAll(); final var result = rbacRoleRepository.findAll();
exactlyTheseRbacRolesAreReturned( exactlyTheseRbacRolesAreReturned(
result, result,
"customer#xxx.tenant", "test_customer#xxx.tenant",
"package#xxx00.admin", "test_package#xxx00.admin",
"package#xxx00.tenant", "test_package#xxx00.tenant",
"unixuser#xxx00-aaaa.admin", "test_unixuser#xxx00-aaaa.admin",
"unixuser#xxx00-aaaa.owner", "test_unixuser#xxx00-aaaa.owner",
"unixuser#xxx00-aaab.admin", "test_unixuser#xxx00-aaab.admin",
"unixuser#xxx00-aaab.owner"); "test_unixuser#xxx00-aaab.owner");
} }
@Test @Test
@ -158,10 +158,10 @@ class RbacRoleRepositoryIntegrationTest {
void customerAdmin_withoutAssumedRole_canFindItsOwnRolesByName() { void customerAdmin_withoutAssumedRole_canFindItsOwnRolesByName() {
context.define("customer-admin@xxx.example.com"); context.define("customer-admin@xxx.example.com");
final var result = rbacRoleRepository.findByRoleName("customer#xxx.admin"); final var result = rbacRoleRepository.findByRoleName("test_customer#xxx.admin");
assertThat(result).isNotNull(); assertThat(result).isNotNull();
assertThat(result.getObjectTable()).isEqualTo("customer"); assertThat(result.getObjectTable()).isEqualTo("test_customer");
assertThat(result.getObjectIdName()).isEqualTo("xxx"); assertThat(result.getObjectIdName()).isEqualTo("xxx");
assertThat(result.getRoleType()).isEqualTo(RbacRoleType.admin); assertThat(result.getRoleType()).isEqualTo(RbacRoleType.admin);
} }
@ -170,7 +170,7 @@ class RbacRoleRepositoryIntegrationTest {
void customerAdmin_withoutAssumedRole_canNotFindAlienRolesByName() { void customerAdmin_withoutAssumedRole_canNotFindAlienRolesByName() {
context.define("customer-admin@xxx.example.com"); context.define("customer-admin@xxx.example.com");
final var result = rbacRoleRepository.findByRoleName("customer#bbb.admin"); final var result = rbacRoleRepository.findByRoleName("test_customer#bbb.admin");
assertThat(result).isNull(); assertThat(result).isNull();
} }


@ -4,9 +4,9 @@ import static java.util.UUID.randomUUID;
public class TestRbacRole { public class TestRbacRole {
public static final RbacRoleEntity hostmasterRole = rbacRole("global", "hostsharing", RbacRoleType.admin); public static final RbacRoleEntity hostmasterRole = rbacRole("global", "test-global", RbacRoleType.admin);
static final RbacRoleEntity customerXxxOwner = rbacRole("customer", "xxx", RbacRoleType.owner); static final RbacRoleEntity customerXxxOwner = rbacRole("test_customer", "xxx", RbacRoleType.owner);
static final RbacRoleEntity customerXxxAdmin = rbacRole("customer", "xxx", RbacRoleType.admin); static final RbacRoleEntity customerXxxAdmin = rbacRole("test_customer", "xxx", RbacRoleType.admin);
static public RbacRoleEntity rbacRole(final String objectTable, final String objectIdName, final RbacRoleType roleType) { static public RbacRoleEntity rbacRole(final String objectTable, final String objectIdName, final RbacRoleType roleType) {
return new RbacRoleEntity(randomUUID(), randomUUID(), objectTable, objectIdName, roleType, objectTable+'#'+objectIdName+'.'+roleType); return new RbacRoleEntity(randomUUID(), randomUUID(), objectTable, objectIdName, roleType, objectTable+'#'+objectIdName+'.'+roleType);
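Review bot: The constant at the top of the hunk is still named `hostmasterRole` although its value is now `global#test-global.admin` and the tests that use it were renamed to `testGlobalAdmin_...`, so the field name no longer matches the role it builds; `public static final RbacRoleEntity testGlobalAdminRole = rbacRole("global", "test-global", RbacRoleType.admin);` would keep the test-data naming consistent. The same applies to `customerXxxOwner` and `customerXxxAdmin`, whose object table is now `test_customer`. The `rbacRole(...)` factory continues outside the hunk.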


@ -82,13 +82,13 @@ class RbacUserControllerAcceptanceTest {
@Test @Test
@Accepts({ "USR:R(Read)" }) @Accepts({ "USR:R(Read)" })
void hostsharingAdmin_withoutAssumedRole_canGetArbitraryUser() { void testGlobalAdmin_withoutAssumedRole_canGetArbitraryUser() {
final var givenUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com"); final var givenUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
// @formatter:off // @formatter:off
RestAssured RestAssured
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/rbac-users/" + givenUser.getUuid()) .get("http://localhost/api/rbac-users/" + givenUser.getUuid())
@ -101,14 +101,14 @@ class RbacUserControllerAcceptanceTest {
@Test @Test
@Accepts({ "USR:R(Read)", "USR:X(Access Control)" }) @Accepts({ "USR:R(Read)", "USR:X(Access Control)" })
void hostsharingAdmin_withAssumedCustomerAdminRole_canGetUserWithinInItsRealm() { void testGlobalAdmin_withAssumedCustomerAdminRole_canGetUserWithinInItsRealm() {
final var givenUser = findRbacUserByName("pac-admin-yyy00@yyy.example.com"); final var givenUser = findRbacUserByName("pac-admin-yyy00@yyy.example.com");
// @formatter:off // @formatter:off
RestAssured RestAssured
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.header("assumed-roles", "customer#yyy.admin") .header("assumed-roles", "test_customer#yyy.admin")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/rbac-users/" + givenUser.getUuid()) .get("http://localhost/api/rbac-users/" + givenUser.getUuid())
@ -161,12 +161,12 @@ class RbacUserControllerAcceptanceTest {
@Test @Test
@Accepts({ "USR:L(List)" }) @Accepts({ "USR:L(List)" })
void hostsharingAdmin_withoutAssumedRole_canViewAllUsers() { void testGlobalAdmin_withoutAssumedRole_canViewAllUsers() {
// @formatter:off // @formatter:off
RestAssured RestAssured
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/rbac-users") .get("http://localhost/api/rbac-users")
@ -176,23 +176,23 @@ class RbacUserControllerAcceptanceTest {
.body("", hasItem(hasEntry("name", "customer-admin@xxx.example.com"))) .body("", hasItem(hasEntry("name", "customer-admin@xxx.example.com")))
.body("", hasItem(hasEntry("name", "customer-admin@yyy.example.com"))) .body("", hasItem(hasEntry("name", "customer-admin@yyy.example.com")))
.body("", hasItem(hasEntry("name", "customer-admin@zzz.example.com"))) .body("", hasItem(hasEntry("name", "customer-admin@zzz.example.com")))
.body("", hasItem(hasEntry("name", "mike@hostsharing.net"))) .body("", hasItem(hasEntry("name", "mike@example.org")))
// ... // ...
.body("", hasItem(hasEntry("name", "pac-admin-zzz01@zzz.example.com"))) .body("", hasItem(hasEntry("name", "pac-admin-zzz01@zzz.example.com")))
.body("", hasItem(hasEntry("name", "pac-admin-zzz02@zzz.example.com"))) .body("", hasItem(hasEntry("name", "pac-admin-zzz02@zzz.example.com")))
.body("", hasItem(hasEntry("name", "sven@hostsharing.net"))) .body("", hasItem(hasEntry("name", "sven@example.org")))
.body("size()", greaterThanOrEqualTo(14)); .body("size()", greaterThanOrEqualTo(14));
// @formatter:on // @formatter:on
} }
@Test @Test
@Accepts({ "USR:F(Filter)" }) @Accepts({ "USR:F(Filter)" })
void hostsharingAdmin_withoutAssumedRole_canViewAllUsersByName() { void testGlobalAdmin_withoutAssumedRole_canViewAllUsersByName() {
// @formatter:off // @formatter:off
RestAssured RestAssured
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/rbac-users?name=pac-admin-zzz0") .get("http://localhost/api/rbac-users?name=pac-admin-zzz0")
@ -208,13 +208,13 @@ class RbacUserControllerAcceptanceTest {
@Test @Test
@Accepts({ "USR:L(List)", "USR:X(Access Control)" }) @Accepts({ "USR:L(List)", "USR:X(Access Control)" })
void hostsharingAdmin_withAssumedCustomerAdminRole_canViewUsersInItsRealm() { void testGlobalAdmin_withAssumedCustomerAdminRole_canViewUsersInItsRealm() {
// @formatter:off // @formatter:off
RestAssured RestAssured
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.header("assumed-roles", "customer#yyy.admin") .header("assumed-roles", "test_customer#yyy.admin")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/rbac-users") .get("http://localhost/api/rbac-users")
@ -276,13 +276,13 @@ class RbacUserControllerAcceptanceTest {
@Test @Test
@Accepts({ "PRM:L(List)" }) @Accepts({ "PRM:L(List)" })
void hostsharingAdmin_withoutAssumedRole_canViewArbitraryUsersPermissions() { void testGlobalAdmin_withoutAssumedRole_canViewArbitraryUsersPermissions() {
final var givenUser = findRbacUserByName("pac-admin-yyy00@yyy.example.com"); final var givenUser = findRbacUserByName("pac-admin-yyy00@yyy.example.com");
// @formatter:off // @formatter:off
RestAssured RestAssured
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/rbac-users/" + givenUser.getUuid() + "/permissions") .get("http://localhost/api/rbac-users/" + givenUser.getUuid() + "/permissions")
@ -291,17 +291,17 @@ class RbacUserControllerAcceptanceTest {
.contentType("application/json") .contentType("application/json")
.body("", hasItem( .body("", hasItem(
allOf( allOf(
hasEntry("roleName", "customer#yyy.tenant"), hasEntry("roleName", "test_customer#yyy.tenant"),
hasEntry("op", "view")) hasEntry("op", "view"))
)) ))
.body("", hasItem( .body("", hasItem(
allOf( allOf(
hasEntry("roleName", "package#yyy00.admin"), hasEntry("roleName", "test_package#yyy00.admin"),
hasEntry("op", "add-unixuser")) hasEntry("op", "add-unixuser"))
)) ))
.body("", hasItem( .body("", hasItem(
allOf( allOf(
hasEntry("roleName", "unixuser#yyy00-aaaa.owner"), hasEntry("roleName", "test_unixuser#yyy00-aaaa.owner"),
hasEntry("op", "*")) hasEntry("op", "*"))
)) ))
.body("size()", is(8)); .body("size()", is(8));
@ -310,14 +310,14 @@ class RbacUserControllerAcceptanceTest {
@Test @Test
@Accepts({ "PRM:L(List)" }) @Accepts({ "PRM:L(List)" })
void hostsharingAdmin_withAssumedCustomerAdminRole_canViewArbitraryUsersPermissions() { void testGlobalAdmin_withAssumedCustomerAdminRole_canViewArbitraryUsersPermissions() {
final var givenUser = findRbacUserByName("pac-admin-yyy00@yyy.example.com"); final var givenUser = findRbacUserByName("pac-admin-yyy00@yyy.example.com");
// @formatter:off // @formatter:off
RestAssured RestAssured
.given() .given()
.header("current-user", "mike@hostsharing.net") .header("current-user", "mike@example.org")
.header("assumed-roles", "package#yyy00.admin") .header("assumed-roles", "test_package#yyy00.admin")
.port(port) .port(port)
.when() .when()
.get("http://localhost/api/rbac-users/" + givenUser.getUuid() + "/permissions") .get("http://localhost/api/rbac-users/" + givenUser.getUuid() + "/permissions")
@ -326,17 +326,17 @@ class RbacUserControllerAcceptanceTest {
.contentType("application/json") .contentType("application/json")
.body("", hasItem( .body("", hasItem(
allOf( allOf(
hasEntry("roleName", "customer#yyy.tenant"), hasEntry("roleName", "test_customer#yyy.tenant"),
hasEntry("op", "view")) hasEntry("op", "view"))
)) ))
.body("", hasItem( .body("", hasItem(
allOf( allOf(
hasEntry("roleName", "package#yyy00.admin"), hasEntry("roleName", "test_package#yyy00.admin"),
hasEntry("op", "add-unixuser")) hasEntry("op", "add-unixuser"))
)) ))
.body("", hasItem( .body("", hasItem(
allOf( allOf(
hasEntry("roleName", "unixuser#yyy00-aaaa.owner"), hasEntry("roleName", "test_unixuser#yyy00-aaaa.owner"),
hasEntry("op", "*")) hasEntry("op", "*"))
)) ))
.body("size()", is(8)); .body("size()", is(8));
@ -360,17 +360,17 @@ class RbacUserControllerAcceptanceTest {
.contentType("application/json") .contentType("application/json")
.body("", hasItem( .body("", hasItem(
allOf( allOf(
hasEntry("roleName", "customer#yyy.tenant"), hasEntry("roleName", "test_customer#yyy.tenant"),
hasEntry("op", "view")) hasEntry("op", "view"))
)) ))
.body("", hasItem( .body("", hasItem(
allOf( allOf(
hasEntry("roleName", "package#yyy00.admin"), hasEntry("roleName", "test_package#yyy00.admin"),
hasEntry("op", "add-unixuser")) hasEntry("op", "add-unixuser"))
)) ))
.body("", hasItem( .body("", hasItem(
allOf( allOf(
hasEntry("roleName", "unixuser#yyy00-aaaa.owner"), hasEntry("roleName", "test_unixuser#yyy00-aaaa.owner"),
hasEntry("op", "*")) hasEntry("op", "*"))
)) ))
.body("size()", is(8)); .body("size()", is(8));
@ -399,7 +399,7 @@ class RbacUserControllerAcceptanceTest {
RbacUserEntity findRbacUserByName(final String userName) { RbacUserEntity findRbacUserByName(final String userName) {
return jpaAttempt.transacted(() -> { return jpaAttempt.transacted(() -> {
context.define("mike@hostsharing.net"); context.define("mike@example.org");
return rbacUserRepository.findByName(userName); return rbacUserRepository.findByName(userName);
}).returnedValue(); }).returnedValue();
} }
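Review bot: The renamed method in the @ -310 hunk, `testGlobalAdmin_withAssumedCustomerAdminRole_canViewArbitraryUsersPermissions`, still says "CustomerAdminRole" while the request assumes `test_package#yyy00.admin`, so the name misdescribes which assumed role is being checked for permission to read another user's permissions; `testGlobalAdmin_withAssumedPackageAdminRole_canViewArbitraryUsersPermissions` would match the header. The rename pass also produced `withAssumedtestGlobalAdminRole` in RbacRoleRepositoryIntegrationTest and RbacUserRepositoryIntegrationTest, where the lower-case `test` inside a camelCase name reads as a search-and-replace artifact; `withAssumedGlobalAdminRole` would be consistent with the rest. Because these test names are what an auditor reads to see which role scopes were exercised, keeping them accurate is worth a follow-up. The method bodies in the @ -82, @ -101, @ -161, @ -208, @ -276 and @ -310 hunks all continue outside the shown lines.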


@ -93,7 +93,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
private static final String[] ALL_TEST_DATA_USERS = Array.of( private static final String[] ALL_TEST_DATA_USERS = Array.of(
// @formatter:off // @formatter:off
"mike@hostsharing.net", "sven@hostsharing.net", "mike@example.org", "sven@example.org",
"customer-admin@xxx.example.com", "customer-admin@xxx.example.com",
"pac-admin-xxx00@xxx.example.com", "pac-admin-xxx01@xxx.example.com", "pac-admin-xxx02@xxx.example.com", "pac-admin-xxx00@xxx.example.com", "pac-admin-xxx01@xxx.example.com", "pac-admin-xxx02@xxx.example.com",
"customer-admin@yyy.example.com", "customer-admin@yyy.example.com",
@ -104,9 +104,9 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
); );
@Test @Test
public void hostsharingAdmin_withoutAssumedRole_canViewAllRbacUsers() { public void testGlobalAdmin_withoutAssumedRole_canViewAllRbacUsers() {
// given // given
context("mike@hostsharing.net"); context("mike@example.org");
// when // when
final var result = rbacUserRepository.findByOptionalNameLike(null); final var result = rbacUserRepository.findByOptionalNameLike(null);
@ -116,9 +116,9 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
} }
@Test @Test
public void hostsharingAdmin_withAssumedHostsharingAdminRole_canViewAllRbacUsers() { public void testGlobalAdmin_withAssumedtestGlobalAdminRole_canViewAllRbacUsers() {
given: given:
context("mike@hostsharing.net", "global#hostsharing.admin"); context("mike@example.org", "global#test-global.admin");
// when // when
final var result = rbacUserRepository.findByOptionalNameLike(null); final var result = rbacUserRepository.findByOptionalNameLike(null);
@ -128,9 +128,9 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
} }
@Test @Test
public void hostsharingAdmin_withAssumedCustomerAdminRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() { public void testGlobalAdmin_withAssumedCustomerAdminRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() {
given: given:
context("mike@hostsharing.net", "customer#xxx.admin"); context("mike@example.org", "test_customer#xxx.admin");
// when // when
final var result = rbacUserRepository.findByOptionalNameLike(null); final var result = rbacUserRepository.findByOptionalNameLike(null);
@ -161,7 +161,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
@Test @Test
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyUsersHavingRolesInThatPackage() { public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyUsersHavingRolesInThatPackage() {
context("customer-admin@xxx.example.com", "package#xxx00.admin"); context("customer-admin@xxx.example.com", "test_package#xxx00.admin");
final var result = rbacUserRepository.findByOptionalNameLike(null); final var result = rbacUserRepository.findByOptionalNameLike(null);
@ -184,59 +184,59 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
private static final String[] ALL_USER_PERMISSIONS = Array.of( private static final String[] ALL_USER_PERMISSIONS = Array.of(
// @formatter:off // @formatter:off
"global#hostsharing.admin -> global#hostsharing: add-customer", "global#test-global.admin -> global#test-global: add-customer",
"customer#xxx.admin -> customer#xxx: add-package", "test_customer#xxx.admin -> test_customer#xxx: add-package",
"customer#xxx.admin -> customer#xxx: view", "test_customer#xxx.admin -> test_customer#xxx: view",
"customer#xxx.owner -> customer#xxx: *", "test_customer#xxx.owner -> test_customer#xxx: *",
"customer#xxx.tenant -> customer#xxx: view", "test_customer#xxx.tenant -> test_customer#xxx: view",
"package#xxx00.admin -> package#xxx00: add-domain", "test_package#xxx00.admin -> test_package#xxx00: add-domain",
"package#xxx00.admin -> package#xxx00: add-unixuser", "test_package#xxx00.admin -> test_package#xxx00: add-unixuser",
"package#xxx00.tenant -> package#xxx00: view", "test_package#xxx00.tenant -> test_package#xxx00: view",
"package#xxx01.admin -> package#xxx01: add-domain", "test_package#xxx01.admin -> test_package#xxx01: add-domain",
"package#xxx01.admin -> package#xxx01: add-unixuser", "test_package#xxx01.admin -> test_package#xxx01: add-unixuser",
"package#xxx01.tenant -> package#xxx01: view", "test_package#xxx01.tenant -> test_package#xxx01: view",
"package#xxx02.admin -> package#xxx02: add-domain", "test_package#xxx02.admin -> test_package#xxx02: add-domain",
"package#xxx02.admin -> package#xxx02: add-unixuser", "test_package#xxx02.admin -> test_package#xxx02: add-unixuser",
"package#xxx02.tenant -> package#xxx02: view", "test_package#xxx02.tenant -> test_package#xxx02: view",
"customer#yyy.admin -> customer#yyy: add-package", "test_customer#yyy.admin -> test_customer#yyy: add-package",
"customer#yyy.admin -> customer#yyy: view", "test_customer#yyy.admin -> test_customer#yyy: view",
"customer#yyy.owner -> customer#yyy: *", "test_customer#yyy.owner -> test_customer#yyy: *",
"customer#yyy.tenant -> customer#yyy: view", "test_customer#yyy.tenant -> test_customer#yyy: view",
"package#yyy00.admin -> package#yyy00: add-domain", "test_package#yyy00.admin -> test_package#yyy00: add-domain",
"package#yyy00.admin -> package#yyy00: add-unixuser", "test_package#yyy00.admin -> test_package#yyy00: add-unixuser",
"package#yyy00.tenant -> package#yyy00: view", "test_package#yyy00.tenant -> test_package#yyy00: view",
"package#yyy01.admin -> package#yyy01: add-domain", "test_package#yyy01.admin -> test_package#yyy01: add-domain",
"package#yyy01.admin -> package#yyy01: add-unixuser", "test_package#yyy01.admin -> test_package#yyy01: add-unixuser",
"package#yyy01.tenant -> package#yyy01: view", "test_package#yyy01.tenant -> test_package#yyy01: view",
"package#yyy02.admin -> package#yyy02: add-domain", "test_package#yyy02.admin -> test_package#yyy02: add-domain",
"package#yyy02.admin -> package#yyy02: add-unixuser", "test_package#yyy02.admin -> test_package#yyy02: add-unixuser",
"package#yyy02.tenant -> package#yyy02: view", "test_package#yyy02.tenant -> test_package#yyy02: view",
"customer#zzz.admin -> customer#zzz: add-package", "test_customer#zzz.admin -> test_customer#zzz: add-package",
"customer#zzz.admin -> customer#zzz: view", "test_customer#zzz.admin -> test_customer#zzz: view",
"customer#zzz.owner -> customer#zzz: *", "test_customer#zzz.owner -> test_customer#zzz: *",
"customer#zzz.tenant -> customer#zzz: view", "test_customer#zzz.tenant -> test_customer#zzz: view",
"package#zzz00.admin -> package#zzz00: add-domain", "test_package#zzz00.admin -> test_package#zzz00: add-domain",
"package#zzz00.admin -> package#zzz00: add-unixuser", "test_package#zzz00.admin -> test_package#zzz00: add-unixuser",
"package#zzz00.tenant -> package#zzz00: view", "test_package#zzz00.tenant -> test_package#zzz00: view",
"package#zzz01.admin -> package#zzz01: add-domain", "test_package#zzz01.admin -> test_package#zzz01: add-domain",
"package#zzz01.admin -> package#zzz01: add-unixuser", "test_package#zzz01.admin -> test_package#zzz01: add-unixuser",
"package#zzz01.tenant -> package#zzz01: view", "test_package#zzz01.tenant -> test_package#zzz01: view",
"package#zzz02.admin -> package#zzz02: add-domain", "test_package#zzz02.admin -> test_package#zzz02: add-domain",
"package#zzz02.admin -> package#zzz02: add-unixuser", "test_package#zzz02.admin -> test_package#zzz02: add-unixuser",
"package#zzz02.tenant -> package#zzz02: view" "test_package#zzz02.tenant -> test_package#zzz02: view"
// @formatter:on // @formatter:on
); );
@Test @Test
public void hostsharingAdmin_withoutAssumedRole_canViewTheirOwnPermissions() { public void testGlobalAdmin_withoutAssumedRole_canViewTheirOwnPermissions() {
// given // given
context("mike@hostsharing.net"); context("mike@example.org");
// when // when
final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("mike@hostsharing.net")); final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("mike@example.org"));
// then // then
allTheseRbacPermissionsAreReturned(result, ALL_USER_PERMISSIONS); allTheseRbacPermissionsAreReturned(result, ALL_USER_PERMISSIONS);
@ -254,32 +254,32 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
allTheseRbacPermissionsAreReturned( allTheseRbacPermissionsAreReturned(
result, result,
// @formatter:off // @formatter:off
"customer#xxx.admin -> customer#xxx: add-package", "test_customer#xxx.admin -> test_customer#xxx: add-package",
"customer#xxx.admin -> customer#xxx: view", "test_customer#xxx.admin -> test_customer#xxx: view",
"customer#xxx.tenant -> customer#xxx: view", "test_customer#xxx.tenant -> test_customer#xxx: view",
"package#xxx00.admin -> package#xxx00: add-domain", "test_package#xxx00.admin -> test_package#xxx00: add-domain",
"package#xxx00.admin -> package#xxx00: add-unixuser", "test_package#xxx00.admin -> test_package#xxx00: add-unixuser",
"package#xxx00.tenant -> package#xxx00: view", "test_package#xxx00.tenant -> test_package#xxx00: view",
"unixuser#xxx00-aaaa.owner -> unixuser#xxx00-aaaa: *", "test_unixuser#xxx00-aaaa.owner -> test_unixuser#xxx00-aaaa: *",
"package#xxx01.admin -> package#xxx01: add-domain", "test_package#xxx01.admin -> test_package#xxx01: add-domain",
"package#xxx01.admin -> package#xxx01: add-unixuser", "test_package#xxx01.admin -> test_package#xxx01: add-unixuser",
"package#xxx01.tenant -> package#xxx01: view", "test_package#xxx01.tenant -> test_package#xxx01: view",
"unixuser#xxx01-aaaa.owner -> unixuser#xxx01-aaaa: *", "test_unixuser#xxx01-aaaa.owner -> test_unixuser#xxx01-aaaa: *",
"package#xxx02.admin -> package#xxx02: add-domain", "test_package#xxx02.admin -> test_package#xxx02: add-domain",
"package#xxx02.admin -> package#xxx02: add-unixuser", "test_package#xxx02.admin -> test_package#xxx02: add-unixuser",
"package#xxx02.tenant -> package#xxx02: view", "test_package#xxx02.tenant -> test_package#xxx02: view",
"unixuser#xxx02-aaaa.owner -> unixuser#xxx02-aaaa: *" "test_unixuser#xxx02-aaaa.owner -> test_unixuser#xxx02-aaaa: *"
// @formatter:on // @formatter:on
); );
noneOfTheseRbacPermissionsAreReturned( noneOfTheseRbacPermissionsAreReturned(
result, result,
// @formatter:off // @formatter:off
"customer#yyy.admin -> customer#yyy: add-package", "test_customer#yyy.admin -> test_customer#yyy: add-package",
"customer#yyy.admin -> customer#yyy: view", "test_customer#yyy.admin -> test_customer#yyy: view",
"customer#yyy.tenant -> customer#yyy: view" "test_customer#yyy.tenant -> test_customer#yyy: view"
// @formatter:on // @formatter:on
); );
} }
@ -288,7 +288,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
public void customerAdmin_withoutAssumedRole_isNotAllowedToViewGlobalAdminsPermissions() { public void customerAdmin_withoutAssumedRole_isNotAllowedToViewGlobalAdminsPermissions() {
// given // given
context("customer-admin@xxx.example.com"); context("customer-admin@xxx.example.com");
final UUID userUuid = userUUID("mike@hostsharing.net"); final UUID userUuid = userUUID("mike@example.org");
// when // when
final var result = attempt(em, () -> final var result = attempt(em, () ->
@ -314,26 +314,26 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
allTheseRbacPermissionsAreReturned( allTheseRbacPermissionsAreReturned(
result, result,
// @formatter:off // @formatter:off
"customer#xxx.tenant -> customer#xxx: view", "test_customer#xxx.tenant -> test_customer#xxx: view",
// "customer#xxx.admin -> customer#xxx: view" - Not permissions through the customer admin! // "test_customer#xxx.admin -> test_customer#xxx: view" - Not permissions through the customer admin!
"package#xxx00.admin -> package#xxx00: add-unixuser", "test_package#xxx00.admin -> test_package#xxx00: add-unixuser",
"package#xxx00.admin -> package#xxx00: add-domain", "test_package#xxx00.admin -> test_package#xxx00: add-domain",
"package#xxx00.tenant -> package#xxx00: view", "test_package#xxx00.tenant -> test_package#xxx00: view",
"unixuser#xxx00-aaaa.owner -> unixuser#xxx00-aaaa: *", "test_unixuser#xxx00-aaaa.owner -> test_unixuser#xxx00-aaaa: *",
"unixuser#xxx00-aaab.owner -> unixuser#xxx00-aaab: *" "test_unixuser#xxx00-aaab.owner -> test_unixuser#xxx00-aaab: *"
// @formatter:on // @formatter:on
); );
noneOfTheseRbacPermissionsAreReturned( noneOfTheseRbacPermissionsAreReturned(
result, result,
// @formatter:off // @formatter:off
"customer#yyy.admin -> customer#yyy: add-package", "test_customer#yyy.admin -> test_customer#yyy: add-package",
"customer#yyy.admin -> customer#yyy: view", "test_customer#yyy.admin -> test_customer#yyy: view",
"customer#yyy.tenant -> customer#yyy: view", "test_customer#yyy.tenant -> test_customer#yyy: view",
"package#yyy00.admin -> package#yyy00: add-unixuser", "test_package#yyy00.admin -> test_package#yyy00: add-unixuser",
"package#yyy00.admin -> package#yyy00: add-domain", "test_package#yyy00.admin -> test_package#yyy00: add-domain",
"package#yyy00.tenant -> package#yyy00: view", "test_package#yyy00.tenant -> test_package#yyy00: view",
"unixuser#yyy00-aaaa.owner -> unixuser#yyy00-aaaa: *", "test_unixuser#yyy00-aaaa.owner -> test_unixuser#yyy00-aaaa: *",
"unixuser#yyy00-aaab.owner -> unixuser#yyy00-aaab: *" "test_unixuser#yyy00-aaab.owner -> test_unixuser#yyy00-aaab: *"
// @formatter:on // @formatter:on
); );
} }
@ -362,27 +362,27 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
allTheseRbacPermissionsAreReturned( allTheseRbacPermissionsAreReturned(
result, result,
// @formatter:off // @formatter:off
"customer#xxx.tenant -> customer#xxx: view", "test_customer#xxx.tenant -> test_customer#xxx: view",
// "customer#xxx.admin -> customer#xxx: view" - Not permissions through the customer admin! // "test_customer#xxx.admin -> test_customer#xxx: view" - Not permissions through the customer admin!
"package#xxx00.admin -> package#xxx00: add-unixuser", "test_package#xxx00.admin -> test_package#xxx00: add-unixuser",
"package#xxx00.admin -> package#xxx00: add-domain", "test_package#xxx00.admin -> test_package#xxx00: add-domain",
"package#xxx00.tenant -> package#xxx00: view" "test_package#xxx00.tenant -> test_package#xxx00: view"
// @formatter:on // @formatter:on
); );
noneOfTheseRbacPermissionsAreReturned( noneOfTheseRbacPermissionsAreReturned(
result, result,
// @formatter:off // @formatter:off
// no customer admin permissions // no customer admin permissions
"customer#xxx.admin -> customer#xxx: add-package", "test_customer#xxx.admin -> test_customer#xxx: add-package",
// no permissions on other customer's objects // no permissions on other customer's objects
"customer#yyy.admin -> customer#yyy: add-package", "test_customer#yyy.admin -> test_customer#yyy: add-package",
"customer#yyy.admin -> customer#yyy: view", "test_customer#yyy.admin -> test_customer#yyy: view",
"customer#yyy.tenant -> customer#yyy: view", "test_customer#yyy.tenant -> test_customer#yyy: view",
"package#yyy00.admin -> package#yyy00: add-unixuser", "test_package#yyy00.admin -> test_package#yyy00: add-unixuser",
"package#yyy00.admin -> package#yyy00: add-domain", "test_package#yyy00.admin -> test_package#yyy00: add-domain",
"package#yyy00.tenant -> package#yyy00: view", "test_package#yyy00.tenant -> test_package#yyy00: view",
"unixuser#yyy00-aaaa.owner -> unixuser#yyy00-aaaa: *", "test_unixuser#yyy00-aaaa.owner -> test_unixuser#yyy00-aaaa: *",
"unixuser#yyy00-xxxb.owner -> unixuser#yyy00-xxxb: *" "test_unixuser#yyy00-xxxb.owner -> test_unixuser#yyy00-xxxb: *"
// @formatter:on // @formatter:on
); );
} }