use customer/package/unixuser only as test data structure (DB part)
This commit is contained in:
parent
817c1a9e58
commit
a33cb4ec29
10
README.md
10
README.md
@ -65,22 +65,22 @@ If you have at least Docker, the Java JDK and Gradle installed in appropriate ve
|
|||||||
|
|
||||||
# the following command should return a JSON array with just all customers:
|
# the following command should return a JSON array with just all customers:
|
||||||
curl \
|
curl \
|
||||||
-H 'current-user: mike@hostsharing.net' \
|
-H 'current-user: mike@example.org' \
|
||||||
http://localhost:8080/api/customers
|
http://localhost:8080/api/customers
|
||||||
|
|
||||||
# the following command should return a JSON array with just all packages visible for the admin of the customer yyy:
|
# the following command should return a JSON array with just all packages visible for the admin of the customer yyy:
|
||||||
curl \
|
curl \
|
||||||
-H 'current-user: mike@hostsharing.net' -H 'assumed-roles: customer#yyy.admin' \
|
-H 'current-user: mike@example.org' -H 'assumed-roles: test_customer#yyy.admin' \
|
||||||
http://localhost:8080/api/packages
|
http://localhost:8080/api/packages
|
||||||
|
|
||||||
# add a new customer
|
# add a new customer
|
||||||
curl \
|
curl \
|
||||||
-H 'current-user: mike@hostsharing.net' -H "Content-Type: application/json" \
|
-H 'current-user: mike@example.org' -H "Content-Type: application/json" \
|
||||||
-d '{ "prefix":"ttt", "reference":80001, "adminUserName":"admin@ttt.example.com" }' \
|
-d '{ "prefix":"ttt", "reference":80001, "adminUserName":"admin@ttt.example.com" }' \
|
||||||
-X POST http://localhost:8080/api/customers
|
-X POST http://localhost:8080/api/customers
|
||||||
|
|
||||||
If you wonder who 'mike@hostsharing.net' and 'sven@hostsharing.net' are and where the data comes from:
|
If you wonder who 'mike@example.org' and 'sven@example.org' are and where the data comes from:
|
||||||
Mike and Sven are just example Hostsharing hostmaster accounts as part of the example data which is automatically inserted in Testcontainers and Development environments.
|
Mike and Sven are just example global admin accounts as part of the example data which is automatically inserted in Testcontainers and Development environments.
|
||||||
Also try for example 'admin@xxx.example.com' or 'unknown@example.org'.
|
Also try for example 'admin@xxx.example.com' or 'unknown@example.org'.
|
||||||
|
|
||||||
If you want a formatted JSON output, you can pipe the result to `jq` or similar.
|
If you want a formatted JSON output, you can pipe the result to `jq` or similar.
|
||||||
|
@ -64,7 +64,7 @@ begin
|
|||||||
domainOwnerRoleUuid = createRole(
|
domainOwnerRoleUuid = createRole(
|
||||||
domainOwner(NEW),
|
domainOwner(NEW),
|
||||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
||||||
beneathRole(packageAdmin(parentPackage))
|
beneathRole(testPackageAdmin(parentPackage))
|
||||||
);
|
);
|
||||||
|
|
||||||
-- a domain admin role is created and assigned to the domain's owner role
|
-- a domain admin role is created and assigned to the domain's owner role
|
||||||
|
@ -17,21 +17,21 @@ BEGIN
|
|||||||
|
|
||||||
-- hostmaster accessing a single customer
|
-- hostmaster accessing a single customer
|
||||||
SET SESSION SESSION AUTHORIZATION restricted;
|
SET SESSION SESSION AUTHORIZATION restricted;
|
||||||
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
|
SET LOCAL hsadminng.currentUser = 'mike@example.org';
|
||||||
SET LOCAL hsadminng.assumedRoles = '';
|
SET LOCAL hsadminng.assumedRoles = '';
|
||||||
-- SELECT *
|
-- SELECT *
|
||||||
SELECT count(*) INTO resultCount
|
SELECT count(*) INTO resultCount
|
||||||
from customer_rv c
|
from test_customer_rv c
|
||||||
where c.prefix='aab';
|
where c.prefix='aab';
|
||||||
call expectBetween(resultCount, 1, 1);
|
call expectBetween(resultCount, 1, 1);
|
||||||
|
|
||||||
-- hostmaster listing all customers
|
-- hostmaster listing all customers
|
||||||
SET SESSION SESSION AUTHORIZATION restricted;
|
SET SESSION SESSION AUTHORIZATION restricted;
|
||||||
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
|
SET LOCAL hsadminng.currentUser = 'mike@example.org';
|
||||||
SET LOCAL hsadminng.assumedRoles = '';
|
SET LOCAL hsadminng.assumedRoles = '';
|
||||||
-- SELECT *
|
-- SELECT *
|
||||||
SELECT count(*) INTO resultCount
|
SELECT count(*) INTO resultCount
|
||||||
FROM customer_rv;
|
FROM test_customer_rv;
|
||||||
call expectBetween(resultCount, 10, 20000);
|
call expectBetween(resultCount, 10, 20000);
|
||||||
|
|
||||||
-- customer admin listing all their packages
|
-- customer admin listing all their packages
|
||||||
@ -40,7 +40,7 @@ BEGIN
|
|||||||
SET LOCAL hsadminng.assumedRoles = '';
|
SET LOCAL hsadminng.assumedRoles = '';
|
||||||
-- SELECT *
|
-- SELECT *
|
||||||
SELECT count(*) INTO resultCount
|
SELECT count(*) INTO resultCount
|
||||||
FROM package_rv;
|
FROM test_package_rv;
|
||||||
call expectBetween(resultCount, 2, 10);
|
call expectBetween(resultCount, 2, 10);
|
||||||
|
|
||||||
-- cutomer admin listing all their unix users
|
-- cutomer admin listing all their unix users
|
||||||
@ -54,49 +54,49 @@ BEGIN
|
|||||||
|
|
||||||
-- hostsharing admin assuming customer role and listing all accessible packages
|
-- hostsharing admin assuming customer role and listing all accessible packages
|
||||||
SET SESSION SESSION AUTHORIZATION restricted;
|
SET SESSION SESSION AUTHORIZATION restricted;
|
||||||
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
|
SET LOCAL hsadminng.currentUser = 'mike@example.org';
|
||||||
SET LOCAL hsadminng.assumedRoles = 'customer#aaa.admin;customer#aab.admin';
|
SET LOCAL hsadminng.assumedRoles = 'test_customer#aaa.admin;test_customer#aab.admin';
|
||||||
-- SELECT *
|
-- SELECT *
|
||||||
SELECT count(*) INTO resultCount
|
SELECT count(*) INTO resultCount
|
||||||
FROM package_rv p;
|
FROM test_package_rv p;
|
||||||
call expectBetween(resultCount, 2, 10);
|
call expectBetween(resultCount, 2, 10);
|
||||||
|
|
||||||
-- hostsharing admin assuming two customer admin roles and listing all accessible unixusers
|
-- hostsharing admin assuming two customer admin roles and listing all accessible unixusers
|
||||||
SET SESSION SESSION AUTHORIZATION restricted;
|
SET SESSION SESSION AUTHORIZATION restricted;
|
||||||
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
|
SET LOCAL hsadminng.currentUser = 'mike@example.org';
|
||||||
SET LOCAL hsadminng.assumedRoles = 'customer#aab.admin;customer#aac.admin';
|
SET LOCAL hsadminng.assumedRoles = 'test_customer#aab.admin;test_customer#aac.admin';
|
||||||
-- SELECT c.prefix, c.reference, uu.*
|
-- SELECT c.prefix, c.reference, uu.*
|
||||||
SELECT count(*) INTO resultCount
|
SELECT count(*) INTO resultCount
|
||||||
FROM unixuser_rv uu
|
FROM unixuser_rv uu
|
||||||
JOIN package_rv p ON p.uuid = uu.packageuuid
|
JOIN test_package_rv p ON p.uuid = uu.packageuuid
|
||||||
JOIN customer_rv c ON c.uuid = p.customeruuid;
|
JOIN test_customer_rv c ON c.uuid = p.customeruuid;
|
||||||
call expectBetween(resultCount, 40, 60);
|
call expectBetween(resultCount, 40, 60);
|
||||||
|
|
||||||
-- hostsharing admin assuming two customer admin roles and listing all accessible domains
|
-- hostsharing admin assuming two customer admin roles and listing all accessible domains
|
||||||
-- ABORT; START TRANSACTION;
|
-- ABORT; START TRANSACTION;
|
||||||
SET SESSION SESSION AUTHORIZATION restricted;
|
SET SESSION SESSION AUTHORIZATION restricted;
|
||||||
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
|
SET LOCAL hsadminng.currentUser = 'mike@example.org';
|
||||||
SET LOCAL hsadminng.assumedRoles = 'customer#aac.admin;customer#aad.admin';
|
SET LOCAL hsadminng.assumedRoles = 'test_customer#aac.admin;test_customer#aad.admin';
|
||||||
-- SELECT p.name, uu.name, dom.name
|
-- SELECT p.name, uu.name, dom.name
|
||||||
SELECT count(*) INTO resultCount
|
SELECT count(*) INTO resultCount
|
||||||
FROM domain_rv dom
|
FROM domain_rv dom
|
||||||
JOIN unixuser_rv uu ON uu.uuid = dom.unixuseruuid
|
JOIN unixuser_rv uu ON uu.uuid = dom.unixuseruuid
|
||||||
JOIN package_rv p ON p.uuid = uu.packageuuid
|
JOIN test_package_rv p ON p.uuid = uu.packageuuid
|
||||||
JOIN customer_rv c ON c.uuid = p.customeruuid;
|
JOIN test_customer_rv c ON c.uuid = p.customeruuid;
|
||||||
call expectBetween(resultCount, 20, 40);
|
call expectBetween(resultCount, 20, 40);
|
||||||
|
|
||||||
-- hostsharing admin assuming two customer admin roles and listing all accessible email addresses
|
-- hostsharing admin assuming two customer admin roles and listing all accessible email addresses
|
||||||
-- ABORT; START TRANSACTION;
|
-- ABORT; START TRANSACTION;
|
||||||
SET SESSION SESSION AUTHORIZATION restricted;
|
SET SESSION SESSION AUTHORIZATION restricted;
|
||||||
SET LOCAL hsadminng.currentUser = 'mike@hostsharing.net';
|
SET LOCAL hsadminng.currentUser = 'mike@example.org';
|
||||||
SET LOCAL hsadminng.assumedRoles = 'customer#aae.admin;customer#aaf.admin';
|
SET LOCAL hsadminng.assumedRoles = 'test_customer#aae.admin;test_customer#aaf.admin';
|
||||||
-- SELECT c.prefix, p.name as "package", ema.localPart || '@' || dom.name as "email-address"
|
-- SELECT c.prefix, p.name as "package", ema.localPart || '@' || dom.name as "email-address"
|
||||||
SELECT count(*) INTO resultCount
|
SELECT count(*) INTO resultCount
|
||||||
FROM emailaddress_rv ema
|
FROM emailaddress_rv ema
|
||||||
JOIN domain_rv dom ON dom.uuid = ema.domainuuid
|
JOIN domain_rv dom ON dom.uuid = ema.domainuuid
|
||||||
JOIN unixuser_rv uu ON uu.uuid = dom.unixuseruuid
|
JOIN unixuser_rv uu ON uu.uuid = dom.unixuseruuid
|
||||||
JOIN package_rv p ON p.uuid = uu.packageuuid
|
JOIN test_package_rv p ON p.uuid = uu.packageuuid
|
||||||
JOIN customer_rv c ON c.uuid = p.customeruuid;
|
JOIN test_customer_rv c ON c.uuid = p.customeruuid;
|
||||||
call expectBetween(resultCount, 100, 300);
|
call expectBetween(resultCount, 100, 300);
|
||||||
|
|
||||||
-- ~170ms
|
-- ~170ms
|
||||||
|
@ -3,16 +3,16 @@
|
|||||||
-- --------------------------------------------------------
|
-- --------------------------------------------------------
|
||||||
|
|
||||||
|
|
||||||
select isGranted(findRoleId('administrators'), findRoleId('package#aaa00.owner'));
|
select isGranted(findRoleId('administrators'), findRoleId('test_package#aaa00.owner'));
|
||||||
select isGranted(findRoleId('package#aaa00.owner'), findRoleId('administrators'));
|
select isGranted(findRoleId('test_package#aaa00.owner'), findRoleId('administrators'));
|
||||||
-- call grantRoleToRole(findRoleId('package#aaa00.owner'), findRoleId('administrators'));
|
-- call grantRoleToRole(findRoleId('test_package#aaa00.owner'), findRoleId('administrators'));
|
||||||
-- call grantRoleToRole(findRoleId('administrators'), findRoleId('package#aaa00.owner'));
|
-- call grantRoleToRole(findRoleId('administrators'), findRoleId('test_package#aaa00.owner'));
|
||||||
|
|
||||||
select count(*)
|
select count(*)
|
||||||
FROM queryAllPermissionsOfSubjectIdForObjectUuids(findRbacUser('sven@hostsharing.net'),
|
FROM queryAllPermissionsOfSubjectIdForObjectUuids(findRbacUser('sven@example.org'),
|
||||||
ARRAY(select uuid from customer where reference < 1100000));
|
ARRAY(select uuid from customer where reference < 1100000));
|
||||||
select count(*)
|
select count(*)
|
||||||
FROM queryAllPermissionsOfSubjectId(findRbacUser('sven@hostsharing.net'));
|
FROM queryAllPermissionsOfSubjectId(findRbacUser('sven@example.org'));
|
||||||
select *
|
select *
|
||||||
FROM queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com'));
|
FROM queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com'));
|
||||||
select *
|
select *
|
||||||
@ -33,7 +33,7 @@ $$
|
|||||||
userId uuid;
|
userId uuid;
|
||||||
result bool;
|
result bool;
|
||||||
BEGIN
|
BEGIN
|
||||||
userId = findRbacUser('mike@hostsharing.net');
|
userId = findRbacUser('mike@example.org');
|
||||||
result = (SELECT * FROM isPermissionGrantedToSubject(findPermissionId('package', 94928, 'add-package'), userId));
|
result = (SELECT * FROM isPermissionGrantedToSubject(findPermissionId('package', 94928, 'add-package'), userId));
|
||||||
IF (result) THEN
|
IF (result) THEN
|
||||||
RAISE EXCEPTION 'expected permission NOT to be granted, but it is';
|
RAISE EXCEPTION 'expected permission NOT to be granted, but it is';
|
||||||
|
@ -20,7 +20,7 @@ CREATE POLICY customer_policy ON customer
|
|||||||
TO restricted
|
TO restricted
|
||||||
USING (
|
USING (
|
||||||
-- id=1000
|
-- id=1000
|
||||||
isPermissionGrantedToSubject(findPermissionId('customer', id, 'view'), currentUserUuid())
|
isPermissionGrantedToSubject(findPermissionId('test_customer', id, 'view'), currentUserUuid())
|
||||||
);
|
);
|
||||||
|
|
||||||
SET SESSION AUTHORIZATION restricted;
|
SET SESSION AUTHORIZATION restricted;
|
||||||
@ -35,10 +35,10 @@ SELECT * FROM customer;
|
|||||||
CREATE OR REPLACE RULE "_RETURN" AS
|
CREATE OR REPLACE RULE "_RETURN" AS
|
||||||
ON SELECT TO cust_view
|
ON SELECT TO cust_view
|
||||||
DO INSTEAD
|
DO INSTEAD
|
||||||
SELECT * FROM customer WHERE isPermissionGrantedToSubject(findPermissionId('customer', id, 'view'), currentUserUuid());
|
SELECT * FROM customer WHERE isPermissionGrantedToSubject(findPermissionId('test_customer', id, 'view'), currentUserUuid());
|
||||||
SELECT * from cust_view LIMIT 10;
|
SELECT * from cust_view LIMIT 10;
|
||||||
|
|
||||||
select queryAllPermissionsOfSubjectId(findRbacUser('mike@hostsharing.net'));
|
select queryAllPermissionsOfSubjectId(findRbacUser('mike@example.org'));
|
||||||
|
|
||||||
-- access control via view-rule with join to recursive permissions - really fast (38ms for 1 million rows)
|
-- access control via view-rule with join to recursive permissions - really fast (38ms for 1 million rows)
|
||||||
SET SESSION SESSION AUTHORIZATION DEFAULT;
|
SET SESSION SESSION AUTHORIZATION DEFAULT;
|
||||||
@ -52,7 +52,7 @@ CREATE OR REPLACE RULE "_RETURN" AS
|
|||||||
DO INSTEAD
|
DO INSTEAD
|
||||||
SELECT c.uuid, c.reference, c.prefix FROM customer AS c
|
SELECT c.uuid, c.reference, c.prefix FROM customer AS c
|
||||||
JOIN queryAllPermissionsOfSubjectId(currentUserUuid()) AS p
|
JOIN queryAllPermissionsOfSubjectId(currentUserUuid()) AS p
|
||||||
ON p.objectTable='customer' AND p.objectUuid=c.uuid AND p.op in ('*', 'view');
|
ON p.objectTable='test_customer' AND p.objectUuid=c.uuid AND p.op in ('*', 'view');
|
||||||
GRANT ALL PRIVILEGES ON cust_view TO restricted;
|
GRANT ALL PRIVILEGES ON cust_view TO restricted;
|
||||||
|
|
||||||
SET SESSION SESSION AUTHORIZATION restricted;
|
SET SESSION SESSION AUTHORIZATION restricted;
|
||||||
@ -73,7 +73,7 @@ GRANT ALL PRIVILEGES ON cust_view TO restricted;
|
|||||||
|
|
||||||
SET SESSION SESSION AUTHORIZATION restricted;
|
SET SESSION SESSION AUTHORIZATION restricted;
|
||||||
-- SET hsadminng.currentUser TO 'alex@example.com';
|
-- SET hsadminng.currentUser TO 'alex@example.com';
|
||||||
SET hsadminng.currentUser TO 'mike@hostsharing.net';
|
SET hsadminng.currentUser TO 'mike@example.org';
|
||||||
-- SET hsadminng.currentUser TO 'aaaaouq@example.com';
|
-- SET hsadminng.currentUser TO 'aaaaouq@example.com';
|
||||||
SELECT * from cust_view where reference=1144150;
|
SELECT * from cust_view where reference=1144150;
|
||||||
|
|
||||||
@ -81,9 +81,9 @@ select rr.uuid, rr.type from RbacGrants g
|
|||||||
join RbacReference RR on g.ascendantUuid = RR.uuid
|
join RbacReference RR on g.ascendantUuid = RR.uuid
|
||||||
where g.descendantUuid in (
|
where g.descendantUuid in (
|
||||||
select uuid from queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com'))
|
select uuid from queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com'))
|
||||||
where objectTable='customer' and op in ('*', 'view'));
|
where objectTable='test_customer' and op in ('*', 'view'));
|
||||||
|
|
||||||
call grantRoleToUser(findRoleId('customer#aaa.admin'), findRbacUser('aaaaouq@example.com'));
|
call grantRoleToUser(findRoleId('test_customer#aaa.admin'), findRbacUser('aaaaouq@example.com'));
|
||||||
|
|
||||||
select queryAllPermissionsOfSubjectId(findRbacUser('aaaaouq@example.com'));
|
select queryAllPermissionsOfSubjectId(findRbacUser('aaaaouq@example.com'));
|
||||||
|
|
||||||
|
@ -9,7 +9,7 @@ import javax.persistence.*;
|
|||||||
import java.util.UUID;
|
import java.util.UUID;
|
||||||
|
|
||||||
@Entity
|
@Entity
|
||||||
@Table(name = "customer_rv")
|
@Table(name = "test_customer_rv")
|
||||||
@Getter
|
@Getter
|
||||||
@Setter
|
@Setter
|
||||||
@NoArgsConstructor
|
@NoArgsConstructor
|
||||||
|
@ -10,7 +10,7 @@ import javax.persistence.*;
|
|||||||
import java.util.UUID;
|
import java.util.UUID;
|
||||||
|
|
||||||
@Entity
|
@Entity
|
||||||
@Table(name = "package_rv")
|
@Table(name = "test_package_rv")
|
||||||
@Getter
|
@Getter
|
||||||
@Setter
|
@Setter
|
||||||
@NoArgsConstructor
|
@NoArgsConstructor
|
||||||
|
@ -152,8 +152,14 @@ create or replace function pureIdentifier(rawIdentifier varchar)
|
|||||||
returns varchar
|
returns varchar
|
||||||
returns null on null input
|
returns null on null input
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
|
declare
|
||||||
|
cleanIdentifier varchar;
|
||||||
begin
|
begin
|
||||||
return regexp_replace(rawIdentifier, '\W+', '');
|
cleanIdentifier := regexp_replace(rawIdentifier, '[^A-Za-z0-9\-._]+', '', 'g');
|
||||||
|
if cleanIdentifier != rawIdentifier then
|
||||||
|
raise exception 'identifier "%" contains invalid characters, maybe use "%"', rawIdentifier, cleanIdentifier;
|
||||||
|
end if;
|
||||||
|
return cleanIdentifier;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create or replace function findObjectUuidByIdName(objectTable varchar, objectIdName varchar)
|
create or replace function findObjectUuidByIdName(objectTable varchar, objectIdName varchar)
|
||||||
|
@ -228,6 +228,9 @@ begin
|
|||||||
roleTypeFromRoleIdName = split_part(roleParts, '#', 3);
|
roleTypeFromRoleIdName = split_part(roleParts, '#', 3);
|
||||||
objectUuidOfRole = findObjectUuidByIdName(objectTableFromRoleIdName, objectNameFromRoleIdName);
|
objectUuidOfRole = findObjectUuidByIdName(objectTableFromRoleIdName, objectNameFromRoleIdName);
|
||||||
|
|
||||||
|
raise notice $sql$findObjectUuidByIdName('%', '%') = %;$sql$, objectTableFromRoleIdName, objectNameFromRoleIdName, objectUuidOfRole;
|
||||||
|
raise notice 'finding %, % (%), %', objectTableFromRoleIdName, objectNameFromRoleIdName, objectUuidOfRole, roleTypeFromRoleIdName;
|
||||||
|
|
||||||
select uuid
|
select uuid
|
||||||
from RbacRole
|
from RbacRole
|
||||||
where objectUuid = objectUuidOfRole
|
where objectUuid = objectUuidOfRole
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
--liquibase formatted sql
|
--liquibase formatted sql
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-base-GLOBAL-OBJECT:1 endDelimiter:--//
|
--changeset test-base-GLOBAL-OBJECT:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -12,32 +12,32 @@ begin transaction;
|
|||||||
insert
|
insert
|
||||||
into RbacObject (objecttable) values ('global');
|
into RbacObject (objecttable) values ('global');
|
||||||
insert
|
insert
|
||||||
into Global (uuid, name) values ((select uuid from RbacObject where objectTable = 'global'), 'hostsharing');
|
into Global (uuid, name) values ((select uuid from RbacObject where objectTable = 'global'), 'test-global');
|
||||||
commit;
|
commit;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-base-ADMIN-ROLE:1 endDelimiter:--//
|
--changeset test-base-ADMIN-ROLE:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
/*
|
/*
|
||||||
A global administrator role.
|
A global administrator role.
|
||||||
*/
|
*/
|
||||||
create or replace function hostsharingAdmin()
|
create or replace function testGlobalAdmin()
|
||||||
returns RbacRoleDescriptor
|
returns RbacRoleDescriptor
|
||||||
returns null on null input
|
returns null on null input
|
||||||
stable leakproof
|
stable leakproof
|
||||||
language sql as $$
|
language sql as $$
|
||||||
select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType;
|
select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
begin transaction;
|
begin transaction;
|
||||||
call defineContext('creating Hostsharing admin role', null, null, null);
|
call defineContext('creating test-global admin role', null, null, null);
|
||||||
select createRole(hostsharingAdmin());
|
select createRole(testGlobalAdmin());
|
||||||
commit;
|
commit;
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-base-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
|
--changeset test-base-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
/*
|
/*
|
||||||
Create two users and assign both to the administrators role.
|
Create two users and assign both to the administrators role.
|
||||||
@ -46,18 +46,18 @@ do language plpgsql $$
|
|||||||
declare
|
declare
|
||||||
admins uuid ;
|
admins uuid ;
|
||||||
begin
|
begin
|
||||||
call defineContext('creating fake Hostsharing admin users', null, null, null);
|
call defineContext('creating fake test-realm admin users', null, null, null);
|
||||||
|
|
||||||
admins = findRoleId(hostsharingAdmin());
|
admins = findRoleId(testGlobalAdmin());
|
||||||
call grantRoleToUserUnchecked(admins, admins, createRbacUser('mike@hostsharing.net'));
|
call grantRoleToUserUnchecked(admins, admins, createRbacUser('mike@example.org'));
|
||||||
call grantRoleToUserUnchecked(admins, admins, createRbacUser('sven@hostsharing.net'));
|
call grantRoleToUserUnchecked(admins, admins, createRbacUser('sven@example.org'));
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-base-hostsharing-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
|
--changeset test-base-hostsharing-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -68,15 +68,15 @@ do language plpgsql $$
|
|||||||
declare
|
declare
|
||||||
userName varchar;
|
userName varchar;
|
||||||
begin
|
begin
|
||||||
call defineContext('testing currentUserUuid', null, 'sven@hostsharing.net', null);
|
call defineContext('testing currentUserUuid', null, 'sven@example.org', null);
|
||||||
select userName from RbacUser where uuid = currentUserUuid() into userName;
|
select userName from RbacUser where uuid = currentUserUuid() into userName;
|
||||||
if userName <> 'sven@hostsharing.net' then
|
if userName <> 'sven@example.org' then
|
||||||
raise exception 'setting or fetching initial currentUser failed, got: %', userName;
|
raise exception 'setting or fetching initial currentUser failed, got: %', userName;
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
call defineContext('testing currentUserUuid', null, 'mike@hostsharing.net', null);
|
call defineContext('testing currentUserUuid', null, 'mike@example.org', null);
|
||||||
select userName from RbacUser where uuid = currentUserUuid() into userName;
|
select userName from RbacUser where uuid = currentUserUuid() into userName;
|
||||||
if userName = 'mike@hostsharing.net' then
|
if userName = 'mike@example.org' then
|
||||||
raise exception 'currentUser should not change in one transaction, but did change, got: %', userName;
|
raise exception 'currentUser should not change in one transaction, but did change, got: %', userName;
|
||||||
end if;
|
end if;
|
||||||
end; $$;
|
end; $$;
|
@ -1,10 +1,10 @@
|
|||||||
--liquibase formatted sql
|
--liquibase formatted sql
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-customer-MAIN-TABLE:1 endDelimiter:--//
|
--changeset test-customer-MAIN-TABLE:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
create table if not exists customer
|
create table if not exists test_customer
|
||||||
(
|
(
|
||||||
uuid uuid unique references RbacObject (uuid),
|
uuid uuid unique references RbacObject (uuid),
|
||||||
reference int not null unique check (reference between 10000 and 99999),
|
reference int not null unique check (reference between 10000 and 99999),
|
@ -1,64 +1,64 @@
|
|||||||
--liquibase formatted sql
|
--liquibase formatted sql
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-customer-rbac-CREATE-OBJECT:1 endDelimiter:--//
|
--changeset test-customer-rbac-CREATE-OBJECT:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates the related RbacObject through a BEFORE INSERT TRIGGER.
|
Creates the related RbacObject through a BEFORE INSERT TRIGGER.
|
||||||
*/
|
*/
|
||||||
drop trigger if exists createRbacObjectForCustomer_Trigger on customer;
|
drop trigger if exists createRbacObjectForCustomer_Trigger on test_customer;
|
||||||
create trigger createRbacObjectForCustomer_Trigger
|
create trigger createRbacObjectForCustomer_Trigger
|
||||||
before insert
|
before insert
|
||||||
on customer
|
on test_customer
|
||||||
for each row
|
for each row
|
||||||
execute procedure createRbacObject();
|
execute procedure createRbacObject();
|
||||||
--//
|
--//
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-customer-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
|
--changeset test-customer-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
create or replace function customerOwner(customer customer)
|
create or replace function testCustomerOwner(customer test_customer)
|
||||||
returns RbacRoleDescriptor
|
returns RbacRoleDescriptor
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
begin
|
begin
|
||||||
return roleDescriptor('customer', customer.uuid, 'owner');
|
return roleDescriptor('test_customer', customer.uuid, 'owner');
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create or replace function customerAdmin(customer customer)
|
create or replace function testCustomerAdmin(customer test_customer)
|
||||||
returns RbacRoleDescriptor
|
returns RbacRoleDescriptor
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
begin
|
begin
|
||||||
return roleDescriptor('customer', customer.uuid, 'admin');
|
return roleDescriptor('test_customer', customer.uuid, 'admin');
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create or replace function customerTenant(customer customer)
|
create or replace function testCustomerTenant(customer test_customer)
|
||||||
returns RbacRoleDescriptor
|
returns RbacRoleDescriptor
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
begin
|
begin
|
||||||
return roleDescriptor('customer', customer.uuid, 'tenant');
|
return roleDescriptor('test_customer', customer.uuid, 'tenant');
|
||||||
end; $$;
|
end; $$;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-customer-rbac-ROLES-CREATION:1 endDelimiter:--//
|
--changeset test-customer-rbac-ROLES-CREATION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates the roles and their assignments for a new customer for the AFTER INSERT TRIGGER.
|
Creates the roles and their assignments for a new customer for the AFTER INSERT TRIGGER.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
create or replace function createRbacRolesForCustomer()
|
create or replace function createRbacRolesForTestCustomer()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
declare
|
declare
|
||||||
customerOwnerUuid uuid;
|
testCustomerOwnerUuid uuid;
|
||||||
customerAdminUuid uuid;
|
customerAdminUuid uuid;
|
||||||
begin
|
begin
|
||||||
if TG_OP <> 'INSERT' then
|
if TG_OP <> 'INSERT' then
|
||||||
@ -66,27 +66,27 @@ begin
|
|||||||
end if;
|
end if;
|
||||||
|
|
||||||
-- the owner role with full access for Hostsharing administrators
|
-- the owner role with full access for Hostsharing administrators
|
||||||
customerOwnerUuid = createRole(
|
testCustomerOwnerUuid = createRole(
|
||||||
customerOwner(NEW),
|
testCustomerOwner(NEW),
|
||||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
||||||
beneathRole(hostsharingAdmin())
|
beneathRole(testGlobalAdmin())
|
||||||
);
|
);
|
||||||
|
|
||||||
-- the admin role for the customer's admins, who can view and add products
|
-- the admin role for the customer's admins, who can view and add products
|
||||||
customerAdminUuid = createRole(
|
customerAdminUuid = createRole(
|
||||||
customerAdmin(NEW),
|
testCustomerAdmin(NEW),
|
||||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view', 'add-package']),
|
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view', 'add-package']),
|
||||||
-- NO auto assume for customer owner to avoid exploding permissions for administrators
|
-- NO auto assume for customer owner to avoid exploding permissions for administrators
|
||||||
withUser(NEW.adminUserName, 'create'), -- implicitly ignored if null
|
withUser(NEW.adminUserName, 'create'), -- implicitly ignored if null
|
||||||
grantedByRole(hostsharingAdmin())
|
grantedByRole(testGlobalAdmin())
|
||||||
);
|
);
|
||||||
|
|
||||||
-- allow the customer owner role (thus administrators) to assume the customer admin role
|
-- allow the customer owner role (thus administrators) to assume the customer admin role
|
||||||
call grantRoleToRole(customerAdminUuid, customerOwnerUuid, false);
|
call grantRoleToRole(customerAdminUuid, testCustomerOwnerUuid, false);
|
||||||
|
|
||||||
-- the tenant role which later can be used by owners+admins of sub-objects
|
-- the tenant role which later can be used by owners+admins of sub-objects
|
||||||
perform createRole(
|
perform createRole(
|
||||||
customerTenant(NEW),
|
testCustomerTenant(NEW),
|
||||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view'])
|
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view'])
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -97,32 +97,32 @@ end; $$;
|
|||||||
An AFTER INSERT TRIGGER which creates the role structure for a new customer.
|
An AFTER INSERT TRIGGER which creates the role structure for a new customer.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
drop trigger if exists createRbacRolesForCustomer_Trigger on customer;
|
drop trigger if exists createRbacRolesForTestCustomer_Trigger on test_customer;
|
||||||
create trigger createRbacRolesForCustomer_Trigger
|
create trigger createRbacRolesForTestCustomer_Trigger
|
||||||
after insert
|
after insert
|
||||||
on customer
|
on test_customer
|
||||||
for each row
|
for each row
|
||||||
execute procedure createRbacRolesForCustomer();
|
execute procedure createRbacRolesForTestCustomer();
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-customer-rbac-ROLES-REMOVAL:1 endDelimiter:--//
|
--changeset test-customer-rbac-ROLES-REMOVAL:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Deletes the roles and their assignments of a deleted customer for the BEFORE DELETE TRIGGER.
|
Deletes the roles and their assignments of a deleted customer for the BEFORE DELETE TRIGGER.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
create or replace function deleteRbacRulesForCustomer()
|
create or replace function deleteRbacRulesForTestCustomer()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
begin
|
begin
|
||||||
if TG_OP = 'DELETE' then
|
if TG_OP = 'DELETE' then
|
||||||
call deleteRole(findRoleId(customerOwner(OLD)));
|
call deleteRole(findRoleId(testCustomerOwner(OLD)));
|
||||||
call deleteRole(findRoleId(customerAdmin(OLD)));
|
call deleteRole(findRoleId(testCustomerAdmin(OLD)));
|
||||||
call deleteRole(findRoleId(customerTenant(OLD)));
|
call deleteRole(findRoleId(testCustomerTenant(OLD)));
|
||||||
else
|
else
|
||||||
raise exception 'invalid usage of TRIGGER BEFORE DELETE';
|
raise exception 'invalid usage of TRIGGER BEFORE DELETE';
|
||||||
end if;
|
end if;
|
||||||
@ -132,70 +132,70 @@ end; $$;
|
|||||||
An BEFORE DELETE TRIGGER which deletes the role structure of a customer.
|
An BEFORE DELETE TRIGGER which deletes the role structure of a customer.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
drop trigger if exists deleteRbacRulesForCustomer_Trigger on customer;
|
drop trigger if exists deleteRbacRulesForTestCustomer_Trigger on test_customer;
|
||||||
create trigger deleteRbacRulesForCustomer_Trigger
|
create trigger deleteRbacRulesForTestCustomer_Trigger
|
||||||
before delete
|
before delete
|
||||||
on customer
|
on test_customer
|
||||||
for each row
|
for each row
|
||||||
execute procedure deleteRbacRulesForCustomer();
|
execute procedure deleteRbacRulesForTestCustomer();
|
||||||
--//
|
--//
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates a view to the customer main table which maps the identifying name
|
Creates a view to the customer main table which maps the identifying name
|
||||||
(in this case, the prefix) to the objectUuid.
|
(in this case, the prefix) to the objectUuid.
|
||||||
*/
|
*/
|
||||||
drop view if exists customer_iv;
|
drop view if exists test_customer_iv;
|
||||||
create or replace view customer_iv as
|
create or replace view test_customer_iv as
|
||||||
select target.uuid, target.prefix as idName
|
select target.uuid, target.prefix as idName
|
||||||
from customer as target;
|
from test_customer as target;
|
||||||
-- TODO: Is it ok that everybody has access to this information?
|
-- TODO: Is it ok that everybody has access to this information?
|
||||||
grant all privileges on customer_iv to restricted;
|
grant all privileges on test_customer_iv to restricted;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Returns the objectUuid for a given identifying name (in this case the prefix).
|
Returns the objectUuid for a given identifying name (in this case the prefix).
|
||||||
*/
|
*/
|
||||||
create or replace function customerUuidByIdName(idName varchar)
|
create or replace function test_customerUuidByIdName(idName varchar)
|
||||||
returns uuid
|
returns uuid
|
||||||
language sql
|
language sql
|
||||||
strict as $$
|
strict as $$
|
||||||
select uuid from customer_iv iv where iv.idName = customerUuidByIdName.idName;
|
select uuid from test_customer_iv iv where iv.idName = test_customerUuidByIdName.idName;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Returns the identifying name for a given objectUuid (in this case the prefix).
|
Returns the identifying name for a given objectUuid (in this case the prefix).
|
||||||
*/
|
*/
|
||||||
create or replace function customerIdNameByUuid(uuid uuid)
|
create or replace function test_customerIdNameByUuid(uuid uuid)
|
||||||
returns varchar
|
returns varchar
|
||||||
language sql
|
language sql
|
||||||
strict as $$
|
strict as $$
|
||||||
select idName from customer_iv iv where iv.uuid = customerIdNameByUuid.uuid;
|
select idName from test_customer_iv iv where iv.uuid = test_customerIdNameByUuid.uuid;
|
||||||
$$;
|
$$;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
--changeset test-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
/*
|
/*
|
||||||
Creates a view to the customer main table with row-level limitation
|
Creates a view to the customer main table with row-level limitation
|
||||||
based on the 'view' permission of the current user or assumed roles.
|
based on the 'view' permission of the current user or assumed roles.
|
||||||
*/
|
*/
|
||||||
set session session authorization default;
|
set session session authorization default;
|
||||||
drop view if exists customer_rv;
|
drop view if exists test_customer_rv;
|
||||||
create or replace view customer_rv as
|
create or replace view test_customer_rv as
|
||||||
select target.*
|
select target.*
|
||||||
from customer as target
|
from test_customer as target
|
||||||
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'customer', currentSubjectsUuids()));
|
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_customer', currentSubjectsUuids()));
|
||||||
grant all privileges on customer_rv to restricted;
|
grant all privileges on test_customer_rv to restricted;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-customer-rbac-ADD-CUSTOMER:1 endDelimiter:--//
|
--changeset test-customer-rbac-ADD-CUSTOMER:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
/*
|
/*
|
||||||
Creates a global permission for add-customer and assigns it to the hostsharing admins role.
|
Creates a global permission for add-customer and assigns it to the hostsharing admins role.
|
||||||
@ -203,22 +203,22 @@ grant all privileges on customer_rv to restricted;
|
|||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
addCustomerPermissions uuid[];
|
addCustomerPermissions uuid[];
|
||||||
hostsharingObjectUuid uuid;
|
globalObjectUuid uuid;
|
||||||
hsAdminRoleUuid uuid ;
|
globalAdminRoleUuid uuid ;
|
||||||
begin
|
begin
|
||||||
call defineContext('granting global add-customer permission to Hostsharing admin role', null, null, null);
|
call defineContext('granting global add-customer permission to global admin role', null, null, null);
|
||||||
|
|
||||||
hsAdminRoleUuid := findRoleId(hostsharingAdmin());
|
globalAdminRoleUuid := findRoleId(testGlobalAdmin());
|
||||||
hostsharingObjectUuid := (select uuid from global);
|
globalObjectUuid := (select uuid from global);
|
||||||
addCustomerPermissions := createPermissions(hostsharingObjectUuid, array ['add-customer']);
|
addCustomerPermissions := createPermissions(globalObjectUuid, array ['add-customer']);
|
||||||
call grantPermissionsToRole(hsAdminRoleUuid, addCustomerPermissions);
|
call grantPermissionsToRole(globalAdminRoleUuid, addCustomerPermissions);
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Used by the trigger to prevent the add-customer to current user respectively assumed roles.
|
Used by the trigger to prevent the add-customer to current user respectively assumed roles.
|
||||||
*/
|
*/
|
||||||
create or replace function addCustomerNotAllowedForCurrentSubjects()
|
create or replace function addTestCustomerNotAllowedForCurrentSubjects()
|
||||||
returns trigger
|
returns trigger
|
||||||
language PLPGSQL
|
language PLPGSQL
|
||||||
as $$
|
as $$
|
||||||
@ -230,11 +230,11 @@ end; $$;
|
|||||||
/**
|
/**
|
||||||
Checks if the user or assumed roles are allowed to add a new customer.
|
Checks if the user or assumed roles are allowed to add a new customer.
|
||||||
*/
|
*/
|
||||||
create trigger customer_insert_trigger
|
create trigger test_customer_insert_trigger
|
||||||
before insert
|
before insert
|
||||||
on customer
|
on test_customer
|
||||||
for each row
|
for each row
|
||||||
when ( currentUser() <> 'mike@hostsharing.net' or not hasGlobalPermission('add-customer') )
|
when ( currentUser() <> 'mike@example.org' or not hasGlobalPermission('add-customer') )
|
||||||
execute procedure addCustomerNotAllowedForCurrentSubjects();
|
execute procedure addTestCustomerNotAllowedForCurrentSubjects();
|
||||||
--//
|
--//
|
||||||
|
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-customer-TEST-DATA-GENERATOR:1 endDelimiter:--//
|
--changeset test-customer-TEST-DATA-GENERATOR:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
/*
|
/*
|
||||||
Generates a customer reference number for a given test data counter.
|
Generates a customer reference number for a given test data counter.
|
||||||
@ -19,7 +19,7 @@ end; $$;
|
|||||||
/*
|
/*
|
||||||
Creates a single customer test record with dist.
|
Creates a single customer test record with dist.
|
||||||
*/
|
*/
|
||||||
create or replace procedure createCustomerTestData(
|
create or replace procedure createTestCustomerTestData(
|
||||||
custReference integer,
|
custReference integer,
|
||||||
custPrefix varchar
|
custPrefix varchar
|
||||||
)
|
)
|
||||||
@ -30,7 +30,7 @@ declare
|
|||||||
custAdminName varchar;
|
custAdminName varchar;
|
||||||
begin
|
begin
|
||||||
currentTask = 'creating RBAC test customer #' || custReference || '/' || custPrefix;
|
currentTask = 'creating RBAC test customer #' || custReference || '/' || custPrefix;
|
||||||
call defineContext(currentTask, null, 'mike@hostsharing.net', 'global#hostsharing.admin');
|
call defineContext(currentTask, null, 'mike@example.org', 'global#test-global.admin');
|
||||||
execute format('set local hsadminng.currentTask to %L', currentTask);
|
execute format('set local hsadminng.currentTask to %L', currentTask);
|
||||||
|
|
||||||
custRowId = uuid_generate_v4();
|
custRowId = uuid_generate_v4();
|
||||||
@ -38,7 +38,7 @@ begin
|
|||||||
|
|
||||||
raise notice 'creating customer %:%', custReference, custPrefix;
|
raise notice 'creating customer %:%', custReference, custPrefix;
|
||||||
insert
|
insert
|
||||||
into customer (reference, prefix, adminUserName)
|
into test_customer (reference, prefix, adminUserName)
|
||||||
values (custReference, custPrefix, custAdminName);
|
values (custReference, custPrefix, custAdminName);
|
||||||
end; $$;
|
end; $$;
|
||||||
--//
|
--//
|
||||||
@ -46,7 +46,7 @@ end; $$;
|
|||||||
/*
|
/*
|
||||||
Creates a range of test customers for mass data generation.
|
Creates a range of test customers for mass data generation.
|
||||||
*/
|
*/
|
||||||
create or replace procedure createCustomerTestData(
|
create or replace procedure createTestCustomerTestData(
|
||||||
startCount integer, -- count of auto generated rows before the run
|
startCount integer, -- count of auto generated rows before the run
|
||||||
endCount integer -- count of auto generated rows after the run
|
endCount integer -- count of auto generated rows after the run
|
||||||
)
|
)
|
||||||
@ -54,7 +54,7 @@ create or replace procedure createCustomerTestData(
|
|||||||
begin
|
begin
|
||||||
for t in startCount..endCount
|
for t in startCount..endCount
|
||||||
loop
|
loop
|
||||||
call createCustomerTestData(testCustomerReference(t), intToVarChar(t, 3));
|
call createTestCustomerTestData(testCustomerReference(t), intToVarChar(t, 3));
|
||||||
commit;
|
commit;
|
||||||
end loop;
|
end loop;
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -62,14 +62,14 @@ end; $$;
|
|||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-customer-TEST-DATA-GENERATION:1 –context=dev,tc endDelimiter:--//
|
--changeset test-customer-TEST-DATA-GENERATION:1 –context=dev,tc endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
begin
|
begin
|
||||||
call createCustomerTestData(99901, 'xxx');
|
call createTestCustomerTestData(99901, 'xxx');
|
||||||
call createCustomerTestData(99902, 'yyy');
|
call createTestCustomerTestData(99902, 'yyy');
|
||||||
call createCustomerTestData(99903, 'zzz');
|
call createTestCustomerTestData(99903, 'zzz');
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
--//
|
--//
|
@ -1,14 +1,14 @@
|
|||||||
--liquibase formatted sql
|
--liquibase formatted sql
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-package-MAIN-TABLE:1 endDelimiter:--//
|
--changeset test-package-MAIN-TABLE:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
create table if not exists package
|
create table if not exists test_package
|
||||||
(
|
(
|
||||||
uuid uuid unique references RbacObject (uuid),
|
uuid uuid unique references RbacObject (uuid),
|
||||||
version int not null default 0,
|
version int not null default 0,
|
||||||
customerUuid uuid references customer (uuid),
|
customerUuid uuid references test_customer (uuid),
|
||||||
name varchar(5),
|
name varchar(5),
|
||||||
description varchar(96)
|
description varchar(96)
|
||||||
);
|
);
|
@ -1,62 +1,62 @@
|
|||||||
--liquibase formatted sql
|
--liquibase formatted sql
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-package-rbac-CREATE-OBJECT:1 endDelimiter:--//
|
--changeset test-package-rbac-CREATE-OBJECT:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
/*
|
/*
|
||||||
Creates the related RbacObject through a BEFORE INSERT TRIGGER.
|
Creates the related RbacObject through a BEFORE INSERT TRIGGER.
|
||||||
*/
|
*/
|
||||||
drop trigger if exists createRbacObjectForPackage_Trigger on package;
|
drop trigger if exists createRbacObjectForPackage_Trigger on test_package;
|
||||||
create trigger createRbacObjectForPackage_Trigger
|
create trigger createRbacObjectForPackage_Trigger
|
||||||
before insert
|
before insert
|
||||||
on package
|
on test_package
|
||||||
for each row
|
for each row
|
||||||
execute procedure createRbacObject();
|
execute procedure createRbacObject();
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
|
--changeset test-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
create or replace function packageOwner(pac package)
|
create or replace function testPackageOwner(pac test_package)
|
||||||
returns RbacRoleDescriptor
|
returns RbacRoleDescriptor
|
||||||
returns null on null input
|
returns null on null input
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
return roleDescriptor('package', pac.uuid, 'owner');
|
return roleDescriptor('test_package', pac.uuid, 'owner');
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create or replace function packageAdmin(pac package)
|
create or replace function testPackageAdmin(pac test_package)
|
||||||
returns RbacRoleDescriptor
|
returns RbacRoleDescriptor
|
||||||
returns null on null input
|
returns null on null input
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
return roleDescriptor('package', pac.uuid, 'admin');
|
return roleDescriptor('test_package', pac.uuid, 'admin');
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create or replace function packageTenant(pac package)
|
create or replace function testPackageTenant(pac test_package)
|
||||||
returns RbacRoleDescriptor
|
returns RbacRoleDescriptor
|
||||||
returns null on null input
|
returns null on null input
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
return roleDescriptor('package', pac.uuid, 'tenant');
|
return roleDescriptor('test_package', pac.uuid, 'tenant');
|
||||||
end; $$;
|
end; $$;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-package-rbac-ROLES-CREATION:1 endDelimiter:--//
|
--changeset test-package-rbac-ROLES-CREATION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
/*
|
/*
|
||||||
Creates the roles and their assignments for a new package for the AFTER INSERT TRIGGER.
|
Creates the roles and their assignments for a new package for the AFTER INSERT TRIGGER.
|
||||||
*/
|
*/
|
||||||
create or replace function createRbacRolesForPackage()
|
create or replace function createRbacRolesForTestPackage()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
declare
|
declare
|
||||||
parentCustomer customer;
|
parentCustomer test_customer;
|
||||||
packageOwnerRoleUuid uuid;
|
packageOwnerRoleUuid uuid;
|
||||||
packageAdminRoleUuid uuid;
|
packageAdminRoleUuid uuid;
|
||||||
begin
|
begin
|
||||||
@ -64,28 +64,28 @@ begin
|
|||||||
raise exception 'invalid usage of TRIGGER AFTER INSERT';
|
raise exception 'invalid usage of TRIGGER AFTER INSERT';
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
select * from customer as c where c.uuid = NEW.customerUuid into parentCustomer;
|
select * from test_customer as c where c.uuid = NEW.customerUuid into parentCustomer;
|
||||||
|
|
||||||
-- an owner role is created and assigned to the customer's admin role
|
-- an owner role is created and assigned to the customer's admin role
|
||||||
packageOwnerRoleUuid = createRole(
|
packageOwnerRoleUuid = createRole(
|
||||||
packageOwner(NEW),
|
testPackageOwner(NEW),
|
||||||
withoutPermissions(),
|
withoutPermissions(),
|
||||||
beneathRole(customerAdmin(parentCustomer))
|
beneathRole(testCustomerAdmin(parentCustomer))
|
||||||
);
|
);
|
||||||
|
|
||||||
-- an owner role is created and assigned to the package owner role
|
-- an owner role is created and assigned to the package owner role
|
||||||
packageAdminRoleUuid = createRole(
|
packageAdminRoleUuid = createRole(
|
||||||
packageAdmin(NEW),
|
testPackageAdmin(NEW),
|
||||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['add-unixuser', 'add-domain']),
|
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['add-unixuser', 'add-domain']),
|
||||||
beneathRole(packageOwnerRoleUuid)
|
beneathRole(packageOwnerRoleUuid)
|
||||||
);
|
);
|
||||||
|
|
||||||
-- and a package tenant role is created and assigned to the package admin as well
|
-- and a package tenant role is created and assigned to the package admin as well
|
||||||
perform createRole(
|
perform createRole(
|
||||||
packageTenant(NEW),
|
testPackageTenant(NEW),
|
||||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),
|
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view']),
|
||||||
beneathRole(packageAdminRoleUuid),
|
beneathRole(packageAdminRoleUuid),
|
||||||
beingItselfA(customerTenant(parentCustomer))
|
beingItselfA(testCustomerTenant(parentCustomer))
|
||||||
);
|
);
|
||||||
|
|
||||||
return NEW;
|
return NEW;
|
||||||
@ -95,31 +95,31 @@ end; $$;
|
|||||||
An AFTER INSERT TRIGGER which creates the role structure for a new package.
|
An AFTER INSERT TRIGGER which creates the role structure for a new package.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
drop trigger if exists createRbacRolesForPackage_Trigger on package;
|
drop trigger if exists createRbacRolesForTestPackage_Trigger on test_package;
|
||||||
create trigger createRbacRolesForPackage_Trigger
|
create trigger createRbacRolesForTestPackage_Trigger
|
||||||
after insert
|
after insert
|
||||||
on package
|
on test_package
|
||||||
for each row
|
for each row
|
||||||
execute procedure createRbacRolesForPackage();
|
execute procedure createRbacRolesForTestPackage();
|
||||||
--//
|
--//
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-package-rbac-ROLES-REMOVAL:1 endDelimiter:--//
|
--changeset test-package-rbac-ROLES-REMOVAL:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Deletes the roles and their assignments of a deleted package for the BEFORE DELETE TRIGGER.
|
Deletes the roles and their assignments of a deleted package for the BEFORE DELETE TRIGGER.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
create or replace function deleteRbacRulesForPackage()
|
create or replace function deleteRbacRulesForTestPackage()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
begin
|
begin
|
||||||
if TG_OP = 'DELETE' then
|
if TG_OP = 'DELETE' then
|
||||||
call deleteRole(findRoleId(packageOwner(OLD)));
|
call deleteRole(findRoleId(testPackageOwner(OLD)));
|
||||||
call deleteRole(findRoleId(packageAdmin(OLD)));
|
call deleteRole(findRoleId(testPackageAdmin(OLD)));
|
||||||
call deleteRole(findRoleId(packageTenant(OLD)));
|
call deleteRole(findRoleId(testPackageTenant(OLD)));
|
||||||
else
|
else
|
||||||
raise exception 'invalid usage of TRIGGER BEFORE DELETE';
|
raise exception 'invalid usage of TRIGGER BEFORE DELETE';
|
||||||
end if;
|
end if;
|
||||||
@ -129,66 +129,66 @@ end; $$;
|
|||||||
An BEFORE DELETE TRIGGER which deletes the role structure of a package.
|
An BEFORE DELETE TRIGGER which deletes the role structure of a package.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
drop trigger if exists deleteRbacRulesForPackage_Trigger on package;
|
drop trigger if exists deleteRbacRulesForTestPackage_Trigger on test_package;
|
||||||
create trigger deleteRbacRulesForPackage_Trigger
|
create trigger deleteRbacRulesForTestPackage_Trigger
|
||||||
before delete
|
before delete
|
||||||
on package
|
on test_package
|
||||||
for each row
|
for each row
|
||||||
execute procedure deleteRbacRulesForPackage();
|
execute procedure deleteRbacRulesForTestPackage();
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates a view to the package main table which maps the identifying name
|
Creates a view to the package main table which maps the identifying name
|
||||||
(in this case, actually the column `name`) to the objectUuid.
|
(in this case, actually the column `name`) to the objectUuid.
|
||||||
*/
|
*/
|
||||||
drop view if exists package_iv;
|
drop view if exists test_package_iv;
|
||||||
create or replace view package_iv as
|
create or replace view test_package_iv as
|
||||||
select distinct target.uuid, target.name as idName
|
select distinct target.uuid, target.name as idName
|
||||||
from package as target;
|
from test_package as target;
|
||||||
-- TODO: Is it ok that everybody has access to this information?
|
-- TODO: Is it ok that everybody has access to this information?
|
||||||
grant all privileges on package_iv to restricted;
|
grant all privileges on test_package_iv to restricted;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Returns the objectUuid for a given identifying name (in this case, actually the column `name`).
|
Returns the objectUuid for a given identifying name (in this case, actually the column `name`).
|
||||||
*/
|
*/
|
||||||
create or replace function packageUuidByIdName(idName varchar)
|
create or replace function test_packageUuidByIdName(idName varchar)
|
||||||
returns uuid
|
returns uuid
|
||||||
language sql
|
language sql
|
||||||
strict as $$
|
strict as $$
|
||||||
select uuid from package_iv iv where iv.idName = packageUuidByIdName.idName;
|
select uuid from test_package_iv iv where iv.idName = test_packageUuidByIdName.idName;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Returns the identifying name for a given objectUuid (in this case the name).
|
Returns the identifying name for a given objectUuid (in this case the name).
|
||||||
*/
|
*/
|
||||||
create or replace function packageIdNameByUuid(uuid uuid)
|
create or replace function test_packageIdNameByUuid(uuid uuid)
|
||||||
returns varchar
|
returns varchar
|
||||||
stable leakproof
|
stable leakproof
|
||||||
language sql
|
language sql
|
||||||
strict as $$
|
strict as $$
|
||||||
select idName from package_iv iv where iv.uuid = packageIdNameByUuid.uuid;
|
select idName from test_package_iv iv where iv.uuid = test_packageIdNameByUuid.uuid;
|
||||||
$$;
|
$$;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
--changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates a view to the customer main table which maps the identifying name
|
Creates a view to the customer main table which maps the identifying name
|
||||||
(in this case, the prefix) to the objectUuid.
|
(in this case, the prefix) to the objectUuid.
|
||||||
*/
|
*/
|
||||||
drop view if exists package_rv;
|
drop view if exists test_package_rv;
|
||||||
create or replace view package_rv as
|
create or replace view test_package_rv as
|
||||||
select target.*
|
select target.*
|
||||||
from package as target
|
from test_package as target
|
||||||
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'package', currentSubjectsUuids()))
|
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_package', currentSubjectsUuids()))
|
||||||
order by target.name;
|
order by target.name;
|
||||||
grant all privileges on package_rv to restricted;
|
grant all privileges on test_package_rv to restricted;
|
||||||
--//
|
--//
|
@ -1,7 +1,7 @@
|
|||||||
--liquibase formatted sql
|
--liquibase formatted sql
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-package-TEST-DATA-GENERATOR:1 endDelimiter:--//
|
--changeset test-package-TEST-DATA-GENERATOR:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
/*
|
/*
|
||||||
Creates the given number of test packages for the given customer.
|
Creates the given number of test packages for the given customer.
|
||||||
@ -9,14 +9,14 @@
|
|||||||
create or replace procedure createPackageTestData(customerPrefix varchar, pacCount int)
|
create or replace procedure createPackageTestData(customerPrefix varchar, pacCount int)
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
cust customer;
|
cust test_customer;
|
||||||
custAdminUser varchar;
|
custAdminUser varchar;
|
||||||
custAdminRole varchar;
|
custAdminRole varchar;
|
||||||
pacName varchar;
|
pacName varchar;
|
||||||
currentTask varchar;
|
currentTask varchar;
|
||||||
pac package;
|
pac test_package;
|
||||||
begin
|
begin
|
||||||
select * from customer where customer.prefix = customerPrefix into cust;
|
select * from test_customer where test_customer.prefix = customerPrefix into cust;
|
||||||
|
|
||||||
for t in 0..(pacCount-1)
|
for t in 0..(pacCount-1)
|
||||||
loop
|
loop
|
||||||
@ -25,18 +25,18 @@ begin
|
|||||||
cust.uuid;
|
cust.uuid;
|
||||||
|
|
||||||
custAdminUser = 'customer-admin@' || cust.prefix || '.example.com';
|
custAdminUser = 'customer-admin@' || cust.prefix || '.example.com';
|
||||||
custAdminRole = 'customer#' || cust.prefix || '.admin';
|
custAdminRole = 'test_customer#' || cust.prefix || '.admin';
|
||||||
call defineContext(currentTask, null, custAdminUser, custAdminRole);
|
call defineContext(currentTask, null, custAdminUser, custAdminRole);
|
||||||
raise notice 'task: % by % as %', currentTask, custAdminUser, custAdminRole;
|
raise notice 'task: % by % as %', currentTask, custAdminUser, custAdminRole;
|
||||||
|
|
||||||
insert
|
insert
|
||||||
into package (customerUuid, name, description)
|
into test_package (customerUuid, name, description)
|
||||||
values (cust.uuid, pacName, 'Here can add your own description of package ' || pacName || '.')
|
values (cust.uuid, pacName, 'Here can add your own description of package ' || pacName || '.')
|
||||||
returning * into pac;
|
returning * into pac;
|
||||||
|
|
||||||
call grantRoleToUser(
|
call grantRoleToUser(
|
||||||
getRoleId(customerAdmin(cust), 'fail'),
|
getRoleId(testCustomerAdmin(cust), 'fail'),
|
||||||
findRoleId(packageAdmin(pac)),
|
findRoleId(testPackageAdmin(pac)),
|
||||||
createRbacUser('pac-admin-' || pacName || '@' || cust.prefix || '.example.com'),
|
createRbacUser('pac-admin-' || pacName || '@' || cust.prefix || '.example.com'),
|
||||||
true);
|
true);
|
||||||
|
|
||||||
@ -49,9 +49,9 @@ end; $$;
|
|||||||
create or replace procedure createPackageTestData()
|
create or replace procedure createPackageTestData()
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
cust customer;
|
cust test_customer;
|
||||||
begin
|
begin
|
||||||
for cust in (select * from customer)
|
for cust in (select * from test_customer)
|
||||||
loop
|
loop
|
||||||
continue when cust.reference >= 90000; -- reserved for functional testing
|
continue when cust.reference >= 90000; -- reserved for functional testing
|
||||||
call createPackageTestData(cust.prefix, 3);
|
call createPackageTestData(cust.prefix, 3);
|
||||||
@ -64,7 +64,7 @@ $$;
|
|||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-package-TEST-DATA-GENERATION:1 –context=dev,tc endDelimiter:--//
|
--changeset test-package-TEST-DATA-GENERATION:1 –context=dev,tc endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
@ -4,10 +4,10 @@
|
|||||||
--changeset hs-unixuser-MAIN-TABLE:1 endDelimiter:--//
|
--changeset hs-unixuser-MAIN-TABLE:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
create table if not exists UnixUser
|
create table if not exists test_unixuser
|
||||||
(
|
(
|
||||||
uuid uuid unique references RbacObject (uuid),
|
uuid uuid unique references RbacObject (uuid),
|
||||||
packageUuid uuid references package (uuid),
|
packageUuid uuid references test_package (uuid),
|
||||||
name character varying(32),
|
name character varying(32),
|
||||||
description character varying(96)
|
description character varying(96)
|
||||||
);
|
);
|
@ -1,49 +1,49 @@
|
|||||||
--liquibase formatted sql
|
--liquibase formatted sql
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-package-rbac-CREATE-OBJECT:1 endDelimiter:--//
|
--changeset test-package-rbac-CREATE-OBJECT:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
/*
|
/*
|
||||||
Creates the related RbacObject through a BEFORE INSERT TRIGGER.
|
Creates the related RbacObject through a BEFORE INSERT TRIGGER.
|
||||||
*/
|
*/
|
||||||
drop trigger if exists createRbacObjectForUnixUser_Trigger on UnixUser;
|
drop trigger if exists createRbacObjectFortest_unixuser_Trigger on test_unixuser;
|
||||||
create trigger createRbacObjectForUnixUser_Trigger
|
create trigger createRbacObjectFortest_unixuser_Trigger
|
||||||
before insert
|
before insert
|
||||||
on UnixUser
|
on test_unixuser
|
||||||
for each row
|
for each row
|
||||||
execute procedure createRbacObject();
|
execute procedure createRbacObject();
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-unixuser-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
|
--changeset test-unixuser-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
create or replace function unixUserOwner(uu UnixUser)
|
create or replace function testUnixUserOwner(uu test_unixuser)
|
||||||
returns RbacRoleDescriptor
|
returns RbacRoleDescriptor
|
||||||
returns null on null input
|
returns null on null input
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
return roleDescriptor('unixuser', uu.uuid, 'owner');
|
return roleDescriptor('test_unixuser', uu.uuid, 'owner');
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create or replace function unixUserAdmin(uu UnixUser)
|
create or replace function testUnixUserAdmin(uu test_unixuser)
|
||||||
returns RbacRoleDescriptor
|
returns RbacRoleDescriptor
|
||||||
returns null on null input
|
returns null on null input
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
return roleDescriptor('unixuser', uu.uuid, 'admin');
|
return roleDescriptor('test_unixuser', uu.uuid, 'admin');
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create or replace function unixUserTenant(uu UnixUser)
|
create or replace function testUnixUserTenant(uu test_unixuser)
|
||||||
returns RbacRoleDescriptor
|
returns RbacRoleDescriptor
|
||||||
returns null on null input
|
returns null on null input
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
return roleDescriptor('unixuser', uu.uuid, 'tenant');
|
return roleDescriptor('test_unixuser', uu.uuid, 'tenant');
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create or replace function createUnixUserTenantRoleIfNotExists(unixUser UnixUser)
|
create or replace function createTestUnixUserTenantRoleIfNotExists(unixUser test_unixuser)
|
||||||
returns uuid
|
returns uuid
|
||||||
returns null on null input
|
returns null on null input
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
@ -51,7 +51,7 @@ declare
|
|||||||
unixUserTenantRoleDesc RbacRoleDescriptor;
|
unixUserTenantRoleDesc RbacRoleDescriptor;
|
||||||
unixUserTenantRoleUuid uuid;
|
unixUserTenantRoleUuid uuid;
|
||||||
begin
|
begin
|
||||||
unixUserTenantRoleDesc = unixUserTenant(unixUser);
|
unixUserTenantRoleDesc = testUnixUserTenant(unixUser);
|
||||||
unixUserTenantRoleUuid = findRoleId(unixUserTenantRoleDesc);
|
unixUserTenantRoleUuid = findRoleId(unixUserTenantRoleDesc);
|
||||||
if unixUserTenantRoleUuid is not null then
|
if unixUserTenantRoleUuid is not null then
|
||||||
return unixUserTenantRoleUuid;
|
return unixUserTenantRoleUuid;
|
||||||
@ -60,25 +60,25 @@ begin
|
|||||||
return createRole(
|
return createRole(
|
||||||
unixUserTenantRoleDesc,
|
unixUserTenantRoleDesc,
|
||||||
grantingPermissions(forObjectUuid => unixUser.uuid, permitOps => array ['view']),
|
grantingPermissions(forObjectUuid => unixUser.uuid, permitOps => array ['view']),
|
||||||
beneathRole(unixUserAdmin(unixUser))
|
beneathRole(testUnixUserAdmin(unixUser))
|
||||||
);
|
);
|
||||||
end; $$;
|
end; $$;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-unixuser-rbac-ROLES-CREATION:1 endDelimiter:--//
|
--changeset test-unixuser-rbac-ROLES-CREATION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
/*
|
/*
|
||||||
Creates the roles and their assignments for a new UnixUser for the AFTER INSERT TRIGGER.
|
Creates the roles and their assignments for a new UnixUser for the AFTER INSERT TRIGGER.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
create or replace function createRbacRulesForUnixUser()
|
create or replace function createRbacRulesForTestUnixUser()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
declare
|
declare
|
||||||
parentPackage package;
|
parentPackage test_package;
|
||||||
unixuserOwnerRoleId uuid;
|
unixuserOwnerRoleId uuid;
|
||||||
unixuserAdminRoleId uuid;
|
unixuserAdminRoleId uuid;
|
||||||
begin
|
begin
|
||||||
@ -86,21 +86,21 @@ begin
|
|||||||
raise exception 'invalid usage of TRIGGER AFTER INSERT';
|
raise exception 'invalid usage of TRIGGER AFTER INSERT';
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
select * from package where uuid = NEW.packageUuid into parentPackage;
|
select * from test_package where uuid = NEW.packageUuid into parentPackage;
|
||||||
|
|
||||||
-- an owner role is created and assigned to the package's admin group
|
-- an owner role is created and assigned to the package's admin group
|
||||||
unixuserOwnerRoleId = createRole(
|
unixuserOwnerRoleId = createRole(
|
||||||
unixUserOwner(NEW),
|
testUnixUserOwner(NEW),
|
||||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
||||||
beneathRole(packageAdmin(parentPackage))
|
beneathRole(testPackageAdmin(parentPackage))
|
||||||
);
|
);
|
||||||
|
|
||||||
-- and a unixuser admin role is created and assigned to the unixuser owner as well
|
-- and a unixuser admin role is created and assigned to the unixuser owner as well
|
||||||
unixuserAdminRoleId = createRole(
|
unixuserAdminRoleId = createRole(
|
||||||
unixUserAdmin(NEW),
|
testUnixUserAdmin(NEW),
|
||||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']),
|
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['edit']),
|
||||||
beneathRole(unixuserOwnerRoleId),
|
beneathRole(unixuserOwnerRoleId),
|
||||||
beingItselfA(packageTenant(parentPackage))
|
beingItselfA(testPackageTenant(parentPackage))
|
||||||
);
|
);
|
||||||
|
|
||||||
-- a tenent role is only created on demand
|
-- a tenent role is only created on demand
|
||||||
@ -112,32 +112,32 @@ end; $$;
|
|||||||
/*
|
/*
|
||||||
An AFTER INSERT TRIGGER which creates the role structure for a new UnixUser.
|
An AFTER INSERT TRIGGER which creates the role structure for a new UnixUser.
|
||||||
*/
|
*/
|
||||||
drop trigger if exists createRbacRulesForUnixUser_Trigger on UnixUser;
|
drop trigger if exists createRbacRulesForTestUnixuser_Trigger on test_unixuser;
|
||||||
create trigger createRbacRulesForUnixUser_Trigger
|
create trigger createRbacRulesForTestUnixuser_Trigger
|
||||||
after insert
|
after insert
|
||||||
on UnixUser
|
on test_unixuser
|
||||||
for each row
|
for each row
|
||||||
execute procedure createRbacRulesForUnixUser();
|
execute procedure createRbacRulesForTestUnixUser();
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-unixuser-rbac-ROLES-REMOVAL:1 endDelimiter:--//
|
--changeset test-unixuser-rbac-ROLES-REMOVAL:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Deletes the roles and their assignments of a deleted UnixUser for the BEFORE DELETE TRIGGER.
|
Deletes the roles and their assignments of a deleted UnixUser for the BEFORE DELETE TRIGGER.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
create or replace function deleteRbacRulesForUnixUser()
|
create or replace function deleteRbacRulesForTestUnixUser()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql
|
language plpgsql
|
||||||
strict as $$
|
strict as $$
|
||||||
begin
|
begin
|
||||||
if TG_OP = 'DELETE' then
|
if TG_OP = 'DELETE' then
|
||||||
call deleteRole(findRoleId(unixUserOwner(OLD)));
|
call deleteRole(findRoleId(testUnixUserOwner(OLD)));
|
||||||
call deleteRole(findRoleId(unixUserAdmin(OLD)));
|
call deleteRole(findRoleId(testUnixUserAdmin(OLD)));
|
||||||
call deleteRole(findRoleId(unixUserTenant(OLD)));
|
call deleteRole(findRoleId(testUnixUserTenant(OLD)));
|
||||||
else
|
else
|
||||||
raise exception 'invalid usage of TRIGGER BEFORE DELETE';
|
raise exception 'invalid usage of TRIGGER BEFORE DELETE';
|
||||||
end if;
|
end if;
|
||||||
@ -147,65 +147,65 @@ end; $$;
|
|||||||
An BEFORE DELETE TRIGGER which deletes the role structure of a UnixUser.
|
An BEFORE DELETE TRIGGER which deletes the role structure of a UnixUser.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
drop trigger if exists deleteRbacRulesForUnixUser_Trigger on package;
|
drop trigger if exists deleteRbacRulesForTestUnixUser_Trigger on test_package;
|
||||||
create trigger deleteRbacRulesForUnixUser_Trigger
|
create trigger deleteRbacRulesForTestUnixUser_Trigger
|
||||||
before delete
|
before delete
|
||||||
on UnixUser
|
on test_unixuser
|
||||||
for each row
|
for each row
|
||||||
execute procedure deleteRbacRulesForUnixUser();
|
execute procedure deleteRbacRulesForTestUnixUser();
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-unixuser-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset test-unixuser-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates a view to the UnixUser main table which maps the identifying name
|
Creates a view to the UnixUser main table which maps the identifying name
|
||||||
(in this case, actually the column `name`) to the objectUuid.
|
(in this case, actually the column `name`) to the objectUuid.
|
||||||
*/
|
*/
|
||||||
drop view if exists UnixUser_iv;
|
drop view if exists test_unixuser_iv;
|
||||||
create or replace view UnixUser_iv as
|
create or replace view test_unixuser_iv as
|
||||||
select distinct target.uuid, target.name as idName
|
select distinct target.uuid, target.name as idName
|
||||||
from UnixUser as target;
|
from test_unixuser as target;
|
||||||
-- TODO: Is it ok that everybody has access to this information?
|
-- TODO: Is it ok that everybody has access to this information?
|
||||||
grant all privileges on UnixUser_iv to restricted;
|
grant all privileges on test_unixuser_iv to restricted;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Returns the objectUuid for a given identifying name (in this case, actually the column `name`).
|
Returns the objectUuid for a given identifying name (in this case, actually the column `name`).
|
||||||
*/
|
*/
|
||||||
create or replace function unixUserUuidByIdName(idName varchar)
|
create or replace function test_unixUserUuidByIdName(idName varchar)
|
||||||
returns uuid
|
returns uuid
|
||||||
language sql
|
language sql
|
||||||
strict as $$
|
strict as $$
|
||||||
select uuid from UnixUser_iv iv where iv.idName = unixUserUuidByIdName.idName;
|
select uuid from test_unixuser_iv iv where iv.idName = test_unixUserUuidByIdName.idName;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Returns the identifying name for a given objectUuid (in this case the name).
|
Returns the identifying name for a given objectUuid (in this case the name).
|
||||||
*/
|
*/
|
||||||
create or replace function unixUserIdNameByUuid(uuid uuid)
|
create or replace function test_unixUserIdNameByUuid(uuid uuid)
|
||||||
returns varchar
|
returns varchar
|
||||||
stable leakproof
|
stable leakproof
|
||||||
language sql
|
language sql
|
||||||
strict as $$
|
strict as $$
|
||||||
select idName from UnixUser_iv iv where iv.uuid = unixUserIdNameByUuid.uuid;
|
select idName from test_unixuser_iv iv where iv.uuid = test_unixUserIdNameByUuid.uuid;
|
||||||
$$;
|
$$;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset hs-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
--changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates a view to the customer main table which maps the identifying name
|
Creates a view to the customer main table which maps the identifying name
|
||||||
(in this case, the prefix) to the objectUuid.
|
(in this case, the prefix) to the objectUuid.
|
||||||
*/
|
*/
|
||||||
drop view if exists unixuser_rv;
|
drop view if exists test_unixuser_rv;
|
||||||
create or replace view unixuser_rv as
|
create or replace view test_unixuser_rv as
|
||||||
select target.*
|
select target.*
|
||||||
from unixuser as target
|
from test_unixuser as target
|
||||||
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'unixuser', currentSubjectsUuids()));
|
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'unixuser', currentSubjectsUuids()));
|
||||||
grant all privileges on unixuser_rv to restricted;
|
grant all privileges on test_unixuser_rv to restricted;
|
||||||
--//
|
--//
|
@ -14,8 +14,8 @@ declare
|
|||||||
currentTask varchar;
|
currentTask varchar;
|
||||||
begin
|
begin
|
||||||
select p.uuid, p.name, c.prefix as custPrefix
|
select p.uuid, p.name, c.prefix as custPrefix
|
||||||
from package p
|
from test_package p
|
||||||
join customer c on p.customeruuid = c.uuid
|
join test_customer c on p.customeruuid = c.uuid
|
||||||
where p.name = packageName
|
where p.name = packageName
|
||||||
into pac;
|
into pac;
|
||||||
|
|
||||||
@ -27,7 +27,7 @@ begin
|
|||||||
call defineContext(currentTask, null, pacAdmin, null);
|
call defineContext(currentTask, null, pacAdmin, null);
|
||||||
|
|
||||||
insert
|
insert
|
||||||
into unixuser (name, packageUuid)
|
into test_unixuser (name, packageUuid)
|
||||||
values (pac.name || '-' || intToVarChar(t, 4), pac.uuid);
|
values (pac.name || '-' || intToVarChar(t, 4), pac.uuid);
|
||||||
end loop;
|
end loop;
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -44,8 +44,8 @@ declare
|
|||||||
begin
|
begin
|
||||||
for pac in
|
for pac in
|
||||||
(select p.uuid, p.name
|
(select p.uuid, p.name
|
||||||
from package p
|
from test_package p
|
||||||
join customer c on p.customeruuid = c.uuid
|
join test_customer c on p.customeruuid = c.uuid
|
||||||
where c.reference < 90000) -- reserved for functional testing
|
where c.reference < 90000) -- reserved for functional testing
|
||||||
loop
|
loop
|
||||||
call createUnixUserTestData(pac.name, 2);
|
call createUnixUserTestData(pac.name, 2);
|
@ -28,24 +28,24 @@ databaseChangeLog:
|
|||||||
- include:
|
- include:
|
||||||
file: db/changelog/080-rbac-global.sql
|
file: db/changelog/080-rbac-global.sql
|
||||||
- include:
|
- include:
|
||||||
file: db/changelog/100-hs-base.sql
|
file: db/changelog/100-test-base.sql
|
||||||
- include:
|
- include:
|
||||||
file: db/changelog/110-hs-customer.sql
|
file: db/changelog/110-test-customer.sql
|
||||||
- include:
|
- include:
|
||||||
file: db/changelog/113-hs-customer-rbac.sql
|
file: db/changelog/113-test-customer-rbac.sql
|
||||||
- include:
|
- include:
|
||||||
file: db/changelog/118-hs-customer-test-data.sql
|
file: db/changelog/118-test-customer-test-data.sql
|
||||||
- include:
|
- include:
|
||||||
file: db/changelog/120-hs-package.sql
|
file: db/changelog/120-test-package.sql
|
||||||
- include:
|
- include:
|
||||||
file: db/changelog/123-hs-package-rbac.sql
|
file: db/changelog/123-test-package-rbac.sql
|
||||||
- include:
|
- include:
|
||||||
file: db/changelog/128-hs-package-test-data.sql
|
file: db/changelog/128-test-package-test-data.sql
|
||||||
- include:
|
- include:
|
||||||
file: db/changelog/130-hs-unixuser.sql
|
file: db/changelog/130-test-unixuser.sql
|
||||||
- include:
|
- include:
|
||||||
file: db/changelog/133-hs-unixuser-rbac.sql
|
file: db/changelog/133-test-unixuser-rbac.sql
|
||||||
- include:
|
- include:
|
||||||
file: db/changelog/138-hs-unixuser-test-data.sql
|
file: db/changelog/138-test-unixuser-test-data.sql
|
||||||
|
|
||||||
|
|
||||||
|
@ -31,7 +31,7 @@ class ContextIntegrationTests {
|
|||||||
@Test
|
@Test
|
||||||
void defineWithoutHttpServletRequestUsesCallStack() {
|
void defineWithoutHttpServletRequestUsesCallStack() {
|
||||||
|
|
||||||
context.define("mike@hostsharing.net", null);
|
context.define("mike@example.org", null);
|
||||||
|
|
||||||
assertThat(context.getCurrentTask())
|
assertThat(context.getCurrentTask())
|
||||||
.isEqualTo("ContextIntegrationTests.defineWithoutHttpServletRequestUsesCallStack");
|
.isEqualTo("ContextIntegrationTests.defineWithoutHttpServletRequestUsesCallStack");
|
||||||
@ -41,11 +41,11 @@ class ContextIntegrationTests {
|
|||||||
@Transactional
|
@Transactional
|
||||||
void defineWithCurrentUserButWithoutAssumedRoles() {
|
void defineWithCurrentUserButWithoutAssumedRoles() {
|
||||||
// when
|
// when
|
||||||
context.define("mike@hostsharing.net");
|
context.define("mike@example.org");
|
||||||
|
|
||||||
// then
|
// then
|
||||||
assertThat(context.getCurrentUser()).
|
assertThat(context.getCurrentUser()).
|
||||||
isEqualTo("mike@hostsharing.net");
|
isEqualTo("mike@example.org");
|
||||||
|
|
||||||
assertThat(context.getCurrentUserUUid()).isNotNull();
|
assertThat(context.getCurrentUserUUid()).isNotNull();
|
||||||
|
|
||||||
@ -59,41 +59,41 @@ class ContextIntegrationTests {
|
|||||||
void defineWithoutCurrentUserButWithAssumedRoles() {
|
void defineWithoutCurrentUserButWithAssumedRoles() {
|
||||||
// when
|
// when
|
||||||
final var result = jpaAttempt.transacted(() ->
|
final var result = jpaAttempt.transacted(() ->
|
||||||
context.define(null, "package#yyy00.admin")
|
context.define(null, "test_package#yyy00.admin")
|
||||||
);
|
);
|
||||||
|
|
||||||
// then
|
// then
|
||||||
result.assertExceptionWithRootCauseMessage(
|
result.assertExceptionWithRootCauseMessage(
|
||||||
javax.persistence.PersistenceException.class,
|
javax.persistence.PersistenceException.class,
|
||||||
"ERROR: [403] undefined has no permission to assume role package#yyy00.admin");
|
"ERROR: [403] undefined has no permission to assume role test_package#yyy00.admin");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
void defineWithUnknownCurrentUserButWithAssumedRoles() {
|
void defineWithUnknownCurrentUserButWithAssumedRoles() {
|
||||||
// when
|
// when
|
||||||
final var result = jpaAttempt.transacted(() ->
|
final var result = jpaAttempt.transacted(() ->
|
||||||
context.define("unknown@example.org", "package#yyy00.admin")
|
context.define("unknown@example.org", "test_package#yyy00.admin")
|
||||||
);
|
);
|
||||||
|
|
||||||
// then
|
// then
|
||||||
result.assertExceptionWithRootCauseMessage(
|
result.assertExceptionWithRootCauseMessage(
|
||||||
javax.persistence.PersistenceException.class,
|
javax.persistence.PersistenceException.class,
|
||||||
"ERROR: [403] undefined has no permission to assume role package#yyy00.admin");
|
"ERROR: [403] undefined has no permission to assume role test_package#yyy00.admin");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Transactional
|
@Transactional
|
||||||
void defineWithCurrentUserAndAssumedRoles() {
|
void defineWithCurrentUserAndAssumedRoles() {
|
||||||
// given
|
// given
|
||||||
context.define("mike@hostsharing.net", "customer#xxx.owner;customer#yyy.owner");
|
context.define("mike@example.org", "test_customer#xxx.owner;test_customer#yyy.owner");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var currentUser = context.getCurrentUser();
|
final var currentUser = context.getCurrentUser();
|
||||||
assertThat(currentUser).isEqualTo("mike@hostsharing.net");
|
assertThat(currentUser).isEqualTo("mike@example.org");
|
||||||
|
|
||||||
// then
|
// then
|
||||||
assertThat(context.getAssumedRoles())
|
assertThat(context.getAssumedRoles())
|
||||||
.isEqualTo(Array.of("customer#xxx.owner", "customer#yyy.owner"));
|
.isEqualTo(Array.of("test_customer#xxx.owner", "test_customer#yyy.owner"));
|
||||||
assertThat(context.currentSubjectsUuids()).hasSize(2);
|
assertThat(context.currentSubjectsUuids()).hasSize(2);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -101,12 +101,12 @@ class ContextIntegrationTests {
|
|||||||
public void defineContextWithCurrentUserAndAssumeInaccessibleRole() {
|
public void defineContextWithCurrentUserAndAssumeInaccessibleRole() {
|
||||||
// when
|
// when
|
||||||
final var result = jpaAttempt.transacted(() ->
|
final var result = jpaAttempt.transacted(() ->
|
||||||
context.define("customer-admin@xxx.example.com", "package#yyy00.admin")
|
context.define("customer-admin@xxx.example.com", "test_package#yyy00.admin")
|
||||||
);
|
);
|
||||||
|
|
||||||
// then
|
// then
|
||||||
result.assertExceptionWithRootCauseMessage(
|
result.assertExceptionWithRootCauseMessage(
|
||||||
javax.persistence.PersistenceException.class,
|
javax.persistence.PersistenceException.class,
|
||||||
"ERROR: [403] user customer-admin@xxx.example.com has no permission to assume role package#yyy00.admin");
|
"ERROR: [403] user customer-admin@xxx.example.com has no permission to assume role test_package#yyy00.admin");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -39,10 +39,10 @@ class CustomerControllerAcceptanceTest {
|
|||||||
class ListCustomers {
|
class ListCustomers {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
void hostsharingAdmin_withoutAssumedRoles_canViewAllCustomers_ifNoCriteriaGiven() {
|
void testGlobalAdmin_withoutAssumedRoles_canViewAllCustomers_ifNoCriteriaGiven() {
|
||||||
RestAssured // @formatter:off
|
RestAssured // @formatter:off
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/customers")
|
.get("http://localhost/api/customers")
|
||||||
@ -57,10 +57,10 @@ class CustomerControllerAcceptanceTest {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
void hostsharingAdmin_withoutAssumedRoles_canViewMatchingCustomers_ifCriteriaGiven() {
|
void testGlobalAdmin_withoutAssumedRoles_canViewMatchingCustomers_ifCriteriaGiven() {
|
||||||
RestAssured // @formatter:off
|
RestAssured // @formatter:off
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/customers?prefix=y")
|
.get("http://localhost/api/customers?prefix=y")
|
||||||
@ -73,11 +73,11 @@ class CustomerControllerAcceptanceTest {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
void hostsharingAdmin_withoutAssumedCustomerAdminRole_canOnlyViewOwnCustomer() {
|
void testGlobalAdmin_withoutAssumedCustomerAdminRole_canOnlyViewOwnCustomer() {
|
||||||
RestAssured // @formatter:off
|
RestAssured // @formatter:off
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.header("assumed-roles", "customer#yyy.admin")
|
.header("assumed-roles", "test_customer#yyy.admin")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/customers")
|
.get("http://localhost/api/customers")
|
||||||
@ -110,11 +110,11 @@ class CustomerControllerAcceptanceTest {
|
|||||||
class AddCustomer {
|
class AddCustomer {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
void hostsharingAdmin_withoutAssumedRole_canAddCustomer() {
|
void testGlobalAdmin_withoutAssumedRole_canAddCustomer() {
|
||||||
|
|
||||||
final var location = RestAssured // @formatter:off
|
final var location = RestAssured // @formatter:off
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.contentType(ContentType.JSON)
|
.contentType(ContentType.JSON)
|
||||||
.body("""
|
.body("""
|
||||||
{
|
{
|
||||||
@ -142,13 +142,13 @@ class CustomerControllerAcceptanceTest {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
void hostsharingAdmin_withoutAssumedRole_canAddCustomerWithGivenUuid() {
|
void testGlobalAdmin_withoutAssumedRole_canAddCustomerWithGivenUuid() {
|
||||||
|
|
||||||
final var givenUuid = UUID.randomUUID();
|
final var givenUuid = UUID.randomUUID();
|
||||||
|
|
||||||
final var location = RestAssured // @formatter:off
|
final var location = RestAssured // @formatter:off
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.contentType(ContentType.JSON)
|
.contentType(ContentType.JSON)
|
||||||
.body("""
|
.body("""
|
||||||
{
|
{
|
||||||
@ -180,12 +180,12 @@ class CustomerControllerAcceptanceTest {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
void hostsharingAdmin_withAssumedCustomerAdminRole_canNotAddCustomer() {
|
void testGlobalAdmin_withAssumedCustomerAdminRole_canNotAddCustomer() {
|
||||||
|
|
||||||
RestAssured // @formatter:off
|
RestAssured // @formatter:off
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.header("assumed-roles", "customer#xxx.admin")
|
.header("assumed-roles", "test_customer#xxx.admin")
|
||||||
.contentType(ContentType.JSON)
|
.contentType(ContentType.JSON)
|
||||||
.body("""
|
.body("""
|
||||||
{
|
{
|
||||||
@ -201,11 +201,11 @@ class CustomerControllerAcceptanceTest {
|
|||||||
.statusCode(403)
|
.statusCode(403)
|
||||||
.contentType(ContentType.JSON)
|
.contentType(ContentType.JSON)
|
||||||
.statusCode(403)
|
.statusCode(403)
|
||||||
.body("message", containsString("add-customer not permitted for customer#xxx.admin"));
|
.body("message", containsString("add-customer not permitted for test_customer#xxx.admin"));
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
|
|
||||||
// finally, the new customer was not created
|
// finally, the new customer was not created
|
||||||
context.define("sven@hostsharing.net");
|
context.define("sven@example.org");
|
||||||
assertThat(customerRepository.findCustomerByOptionalPrefixLike("uuu")).hasSize(0);
|
assertThat(customerRepository.findCustomerByOptionalPrefixLike("uuu")).hasSize(0);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -234,7 +234,7 @@ class CustomerControllerAcceptanceTest {
|
|||||||
// @formatter:on
|
// @formatter:on
|
||||||
|
|
||||||
// finally, the new customer was not created
|
// finally, the new customer was not created
|
||||||
context.define("sven@hostsharing.net");
|
context.define("sven@example.org");
|
||||||
assertThat(customerRepository.findCustomerByOptionalPrefixLike("uuu")).hasSize(0);
|
assertThat(customerRepository.findCustomerByOptionalPrefixLike("uuu")).hasSize(0);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -37,9 +37,9 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
class CreateCustomer {
|
class CreateCustomer {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void hostsharingAdmin_withoutAssumedRole_canCreateNewCustomer() {
|
public void testGlobalAdmin_withoutAssumedRole_canCreateNewCustomer() {
|
||||||
// given
|
// given
|
||||||
context("mike@hostsharing.net", null);
|
context("mike@example.org", null);
|
||||||
final var count = customerRepository.count();
|
final var count = customerRepository.count();
|
||||||
|
|
||||||
// when
|
// when
|
||||||
@ -58,9 +58,9 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void hostsharingAdmin_withAssumedCustomerRole_cannotCreateNewCustomer() {
|
public void testGlobalAdmin_withAssumedCustomerRole_cannotCreateNewCustomer() {
|
||||||
// given
|
// given
|
||||||
context("mike@hostsharing.net", "customer#xxx.admin");
|
context("mike@example.org", "test_customer#xxx.admin");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = attempt(em, () -> {
|
final var result = attempt(em, () -> {
|
||||||
@ -72,7 +72,7 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
// then
|
// then
|
||||||
result.assertExceptionWithRootCauseMessage(
|
result.assertExceptionWithRootCauseMessage(
|
||||||
PersistenceException.class,
|
PersistenceException.class,
|
||||||
"add-customer not permitted for customer#xxx.admin");
|
"add-customer not permitted for test_customer#xxx.admin");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@ -104,9 +104,9 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
class FindAllCustomers {
|
class FindAllCustomers {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void hostsharingAdmin_withoutAssumedRole_canViewAllCustomers() {
|
public void testGlobalAdmin_withoutAssumedRole_canViewAllCustomers() {
|
||||||
// given
|
// given
|
||||||
context("mike@hostsharing.net", null);
|
context("mike@example.org", null);
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
|
final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
|
||||||
@ -116,9 +116,9 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void hostsharingAdmin_withAssumedHostsharingAdminRole_canViewAllCustomers() {
|
public void testGlobalAdmin_withAssumedtestGlobalAdminRole_canViewAllCustomers() {
|
||||||
given:
|
given:
|
||||||
context("mike@hostsharing.net", "global#hostsharing.admin");
|
context("mike@example.org", "global#test-global.admin");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
|
final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
|
||||||
@ -141,7 +141,7 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnCustomer() {
|
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnCustomer() {
|
||||||
context("customer-admin@xxx.example.com", "package#xxx00.admin");
|
context("customer-admin@xxx.example.com", "test_package#xxx00.admin");
|
||||||
|
|
||||||
final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
|
final var result = customerRepository.findCustomerByOptionalPrefixLike(null);
|
||||||
|
|
||||||
@ -153,9 +153,9 @@ class CustomerRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
class FindByPrefixLike {
|
class FindByPrefixLike {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void hostsharingAdmin_withoutAssumedRole_canViewAllCustomers() {
|
public void testGlobalAdmin_withoutAssumedRole_canViewAllCustomers() {
|
||||||
// given
|
// given
|
||||||
context("mike@hostsharing.net", null);
|
context("mike@example.org", null);
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = customerRepository.findCustomerByOptionalPrefixLike("yyy");
|
final var result = customerRepository.findCustomerByOptionalPrefixLike("yyy");
|
||||||
|
@ -43,8 +43,8 @@ class PackageControllerAcceptanceTest {
|
|||||||
// @formatter:off
|
// @formatter:off
|
||||||
RestAssured
|
RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.header("assumed-roles", "customer#xxx.admin")
|
.header("assumed-roles", "test_customer#xxx.admin")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/packages")
|
.get("http://localhost/api/packages")
|
||||||
@ -65,8 +65,8 @@ class PackageControllerAcceptanceTest {
|
|||||||
// @formatter:off
|
// @formatter:off
|
||||||
RestAssured
|
RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.header("assumed-roles", "customer#xxx.admin")
|
.header("assumed-roles", "test_customer#xxx.admin")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/packages?name=xxx01")
|
.get("http://localhost/api/packages?name=xxx01")
|
||||||
@ -93,8 +93,8 @@ class PackageControllerAcceptanceTest {
|
|||||||
// @formatter:off
|
// @formatter:off
|
||||||
RestAssured
|
RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.header("assumed-roles", "customer#xxx.admin")
|
.header("assumed-roles", "test_customer#xxx.admin")
|
||||||
.contentType(ContentType.JSON)
|
.contentType(ContentType.JSON)
|
||||||
.body(format("""
|
.body(format("""
|
||||||
{
|
{
|
||||||
@ -123,8 +123,8 @@ class PackageControllerAcceptanceTest {
|
|||||||
// @formatter:off
|
// @formatter:off
|
||||||
RestAssured
|
RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.header("assumed-roles", "customer#xxx.admin")
|
.header("assumed-roles", "test_customer#xxx.admin")
|
||||||
.contentType(ContentType.JSON)
|
.contentType(ContentType.JSON)
|
||||||
.body("""
|
.body("""
|
||||||
{
|
{
|
||||||
@ -152,8 +152,8 @@ class PackageControllerAcceptanceTest {
|
|||||||
// @formatter:off
|
// @formatter:off
|
||||||
RestAssured
|
RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.header("assumed-roles", "customer#xxx.admin")
|
.header("assumed-roles", "test_customer#xxx.admin")
|
||||||
.contentType(ContentType.JSON)
|
.contentType(ContentType.JSON)
|
||||||
.body("{}")
|
.body("{}")
|
||||||
.port(port)
|
.port(port)
|
||||||
@ -172,8 +172,8 @@ class PackageControllerAcceptanceTest {
|
|||||||
// @formatter:off
|
// @formatter:off
|
||||||
return UUID.fromString(RestAssured
|
return UUID.fromString(RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.header("assumed-roles", "customer#xxx.admin")
|
.header("assumed-roles", "test_customer#xxx.admin")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/packages?name={packageName}", packageName)
|
.get("http://localhost/api/packages?name={packageName}", packageName)
|
||||||
@ -185,7 +185,7 @@ class PackageControllerAcceptanceTest {
|
|||||||
}
|
}
|
||||||
|
|
||||||
String getDescriptionOfPackage(final String packageName) {
|
String getDescriptionOfPackage(final String packageName) {
|
||||||
context.define("mike@hostsharing.net","customer#xxx.admin");
|
context.define("mike@example.org","test_customer#xxx.admin");
|
||||||
return packageRepository.findAllByOptionalNameLike(packageName).get(0).getDescription();
|
return packageRepository.findAllByOptionalNameLike(packageName).get(0).getDescription();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -42,9 +42,9 @@ class PackageRepositoryIntegrationTest {
|
|||||||
class FindAllByOptionalNameLike {
|
class FindAllByOptionalNameLike {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void hostsharingAdmin_withoutAssumedRole_canNotViewAnyPackages_becauseThoseGrantsAreNotassumedd() {
|
public void testGlobalAdmin_withoutAssumedRole_canNotViewAnyPackages_becauseThoseGrantsAreNotassumedd() {
|
||||||
// given
|
// given
|
||||||
context.define("mike@hostsharing.net");
|
context.define("mike@example.org");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = packageRepository.findAllByOptionalNameLike(null);
|
final var result = packageRepository.findAllByOptionalNameLike(null);
|
||||||
@ -54,9 +54,9 @@ class PackageRepositoryIntegrationTest {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void hostsharingAdmin_withAssumedHostsharingAdminRole__canNotViewAnyPackages_becauseThoseGrantsAreNotassumedd() {
|
public void testGlobalAdmin_withAssumedtestGlobalAdminRole__canNotViewAnyPackages_becauseThoseGrantsAreNotassumedd() {
|
||||||
given:
|
given:
|
||||||
context.define("mike@hostsharing.net", "global#hostsharing.admin");
|
context.define("mike@example.org", "global#test-global.admin");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = packageRepository.findAllByOptionalNameLike(null);
|
final var result = packageRepository.findAllByOptionalNameLike(null);
|
||||||
@ -79,7 +79,7 @@ class PackageRepositoryIntegrationTest {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnPackages() {
|
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnPackages() {
|
||||||
context.define("customer-admin@xxx.example.com", "package#xxx00.admin");
|
context.define("customer-admin@xxx.example.com", "test_package#xxx00.admin");
|
||||||
|
|
||||||
final var result = packageRepository.findAllByOptionalNameLike(null);
|
final var result = packageRepository.findAllByOptionalNameLike(null);
|
||||||
|
|
||||||
@ -93,17 +93,17 @@ class PackageRepositoryIntegrationTest {
|
|||||||
@Test
|
@Test
|
||||||
public void supportsOptimisticLocking() throws InterruptedException {
|
public void supportsOptimisticLocking() throws InterruptedException {
|
||||||
// given
|
// given
|
||||||
hostsharingAdminWithAssumedRole("package#xxx00.admin");
|
testGlobalAdminWithAssumedRole("test_package#xxx00.admin");
|
||||||
final var pac = packageRepository.findAllByOptionalNameLike("%").get(0);
|
final var pac = packageRepository.findAllByOptionalNameLike("%").get(0);
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result1 = jpaAttempt.transacted(() -> {
|
final var result1 = jpaAttempt.transacted(() -> {
|
||||||
hostsharingAdminWithAssumedRole("package#xxx00.admin");
|
testGlobalAdminWithAssumedRole("test_package#xxx00.admin");
|
||||||
pac.setDescription("description set by thread 1");
|
pac.setDescription("description set by thread 1");
|
||||||
packageRepository.save(pac);
|
packageRepository.save(pac);
|
||||||
});
|
});
|
||||||
final var result2 = jpaAttempt.transacted(() -> {
|
final var result2 = jpaAttempt.transacted(() -> {
|
||||||
hostsharingAdminWithAssumedRole("package#xxx00.admin");
|
testGlobalAdminWithAssumedRole("test_package#xxx00.admin");
|
||||||
pac.setDescription("description set by thread 2");
|
pac.setDescription("description set by thread 2");
|
||||||
packageRepository.save(pac);
|
packageRepository.save(pac);
|
||||||
sleep(1500);
|
sleep(1500);
|
||||||
@ -125,8 +125,8 @@ class PackageRepositoryIntegrationTest {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private void hostsharingAdminWithAssumedRole(final String assumedRoles) {
|
private void testGlobalAdminWithAssumedRole(final String assumedRoles) {
|
||||||
context.define("mike@hostsharing.net", assumedRoles);
|
context.define("mike@example.org", assumedRoles);
|
||||||
}
|
}
|
||||||
|
|
||||||
void noPackagesAreReturned(final List<PackageEntity> actualResult) {
|
void noPackagesAreReturned(final List<PackageEntity> actualResult) {
|
||||||
|
@ -62,10 +62,10 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Accepts("GRT:L(List)")
|
@Accepts("GRT:L(List)")
|
||||||
void hostsharingAdmin_withoutAssumedRole_canViewAllGrants() {
|
void testGlobalAdmin_withoutAssumedRole_canViewAllGrants() {
|
||||||
RestAssured // @formatter:off
|
RestAssured // @formatter:off
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/rbac-grants")
|
.get("http://localhost/api/rbac-grants")
|
||||||
@ -74,36 +74,36 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
.contentType("application/json")
|
.contentType("application/json")
|
||||||
.body("", hasItem(
|
.body("", hasItem(
|
||||||
allOf(
|
allOf(
|
||||||
hasEntry("grantedByRoleIdName", "global#hostsharing.admin"),
|
hasEntry("grantedByRoleIdName", "global#test-global.admin"),
|
||||||
hasEntry("grantedRoleIdName", "customer#xxx.admin"),
|
hasEntry("grantedRoleIdName", "test_customer#xxx.admin"),
|
||||||
hasEntry("granteeUserName", "customer-admin@xxx.example.com")
|
hasEntry("granteeUserName", "customer-admin@xxx.example.com")
|
||||||
)
|
)
|
||||||
))
|
))
|
||||||
.body("", hasItem(
|
.body("", hasItem(
|
||||||
allOf(
|
allOf(
|
||||||
hasEntry("grantedByRoleIdName", "global#hostsharing.admin"),
|
hasEntry("grantedByRoleIdName", "global#test-global.admin"),
|
||||||
hasEntry("grantedRoleIdName", "customer#yyy.admin"),
|
hasEntry("grantedRoleIdName", "test_customer#yyy.admin"),
|
||||||
hasEntry("granteeUserName", "customer-admin@yyy.example.com")
|
hasEntry("granteeUserName", "customer-admin@yyy.example.com")
|
||||||
)
|
)
|
||||||
))
|
))
|
||||||
.body("", hasItem(
|
.body("", hasItem(
|
||||||
allOf(
|
allOf(
|
||||||
hasEntry("grantedByRoleIdName", "global#hostsharing.admin"),
|
hasEntry("grantedByRoleIdName", "global#test-global.admin"),
|
||||||
hasEntry("grantedRoleIdName", "global#hostsharing.admin"),
|
hasEntry("grantedRoleIdName", "global#test-global.admin"),
|
||||||
hasEntry("granteeUserName", "sven@hostsharing.net")
|
hasEntry("granteeUserName", "sven@example.org")
|
||||||
)
|
)
|
||||||
))
|
))
|
||||||
.body("", hasItem(
|
.body("", hasItem(
|
||||||
allOf(
|
allOf(
|
||||||
hasEntry("grantedByRoleIdName", "customer#xxx.admin"),
|
hasEntry("grantedByRoleIdName", "test_customer#xxx.admin"),
|
||||||
hasEntry("grantedRoleIdName", "package#xxx00.admin"),
|
hasEntry("grantedRoleIdName", "test_package#xxx00.admin"),
|
||||||
hasEntry("granteeUserName", "pac-admin-xxx00@xxx.example.com")
|
hasEntry("granteeUserName", "pac-admin-xxx00@xxx.example.com")
|
||||||
)
|
)
|
||||||
))
|
))
|
||||||
.body("", hasItem(
|
.body("", hasItem(
|
||||||
allOf(
|
allOf(
|
||||||
hasEntry("grantedByRoleIdName", "customer#zzz.admin"),
|
hasEntry("grantedByRoleIdName", "test_customer#zzz.admin"),
|
||||||
hasEntry("grantedRoleIdName", "package#zzz02.admin"),
|
hasEntry("grantedRoleIdName", "test_package#zzz02.admin"),
|
||||||
hasEntry("granteeUserName", "pac-admin-zzz02@zzz.example.com")
|
hasEntry("granteeUserName", "pac-admin-zzz02@zzz.example.com")
|
||||||
)
|
)
|
||||||
))
|
))
|
||||||
@ -113,11 +113,11 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Accepts({ "GRT:L(List)", "GRT:X(Access Control)" })
|
@Accepts({ "GRT:L(List)", "GRT:X(Access Control)" })
|
||||||
void hostsharingAdmin_withAssumedPackageAdminRole_canViewPacketRelatedGrants() {
|
void testGlobalAdmin_withAssumedPackageAdminRole_canViewPacketRelatedGrants() {
|
||||||
RestAssured // @formatter:off
|
RestAssured // @formatter:off
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.header("assumed-roles", "package#yyy00.admin")
|
.header("assumed-roles", "test_package#yyy00.admin")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/rbac-grants")
|
.get("http://localhost/api/rbac-grants")
|
||||||
@ -126,8 +126,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
.contentType("application/json")
|
.contentType("application/json")
|
||||||
.body("", hasItem(
|
.body("", hasItem(
|
||||||
allOf(
|
allOf(
|
||||||
hasEntry("grantedByRoleIdName", "customer#yyy.admin"),
|
hasEntry("grantedByRoleIdName", "test_customer#yyy.admin"),
|
||||||
hasEntry("grantedRoleIdName", "package#yyy00.admin"),
|
hasEntry("grantedRoleIdName", "test_package#yyy00.admin"),
|
||||||
hasEntry("granteeUserName", "pac-admin-yyy00@yyy.example.com")
|
hasEntry("granteeUserName", "pac-admin-yyy00@yyy.example.com")
|
||||||
)
|
)
|
||||||
))
|
))
|
||||||
@ -149,8 +149,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
.contentType("application/json")
|
.contentType("application/json")
|
||||||
.body("", hasItem(
|
.body("", hasItem(
|
||||||
allOf(
|
allOf(
|
||||||
hasEntry("grantedByRoleIdName", "customer#yyy.admin"),
|
hasEntry("grantedByRoleIdName", "test_customer#yyy.admin"),
|
||||||
hasEntry("grantedRoleIdName", "package#yyy00.admin"),
|
hasEntry("grantedRoleIdName", "test_package#yyy00.admin"),
|
||||||
hasEntry("granteeUserName", "pac-admin-yyy00@yyy.example.com")
|
hasEntry("granteeUserName", "pac-admin-yyy00@yyy.example.com")
|
||||||
)
|
)
|
||||||
))
|
))
|
||||||
@ -168,7 +168,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
// given
|
// given
|
||||||
final var givenCurrentUserAsPackageAdmin = new Subject("customer-admin@xxx.example.com");
|
final var givenCurrentUserAsPackageAdmin = new Subject("customer-admin@xxx.example.com");
|
||||||
final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
|
final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
|
||||||
final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin");
|
final var givenGrantedRole = findRbacRoleByName("test_package#xxx00.admin");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
|
final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
|
||||||
@ -177,8 +177,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
// then
|
// then
|
||||||
grant.assertThat()
|
grant.assertThat()
|
||||||
.statusCode(200)
|
.statusCode(200)
|
||||||
.body("grantedByRoleIdName", is("customer#xxx.admin"))
|
.body("grantedByRoleIdName", is("test_customer#xxx.admin"))
|
||||||
.body("grantedRoleIdName", is("package#xxx00.admin"))
|
.body("grantedRoleIdName", is("test_package#xxx00.admin"))
|
||||||
.body("granteeUserName", is("pac-admin-xxx00@xxx.example.com"));
|
.body("granteeUserName", is("pac-admin-xxx00@xxx.example.com"));
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -188,7 +188,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
// given
|
// given
|
||||||
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com");
|
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com");
|
||||||
final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
|
final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
|
||||||
final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin");
|
final var givenGrantedRole = findRbacRoleByName("test_package#xxx00.admin");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
|
final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
|
||||||
@ -197,8 +197,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
// then
|
// then
|
||||||
grant.assertThat()
|
grant.assertThat()
|
||||||
.statusCode(200)
|
.statusCode(200)
|
||||||
.body("grantedByRoleIdName", is("customer#xxx.admin"))
|
.body("grantedByRoleIdName", is("test_customer#xxx.admin"))
|
||||||
.body("grantedRoleIdName", is("package#xxx00.admin"))
|
.body("grantedRoleIdName", is("test_package#xxx00.admin"))
|
||||||
.body("granteeUserName", is("pac-admin-xxx00@xxx.example.com"));
|
.body("granteeUserName", is("pac-admin-xxx00@xxx.example.com"));
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -208,9 +208,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
// given
|
// given
|
||||||
final var givenCurrentUserAsPackageAdmin = new Subject(
|
final var givenCurrentUserAsPackageAdmin = new Subject(
|
||||||
"pac-admin-xxx00@xxx.example.com",
|
"pac-admin-xxx00@xxx.example.com",
|
||||||
"package#xxx00.admin");
|
"test_package#xxx00.admin");
|
||||||
final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
|
final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
|
||||||
final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin");
|
final var givenGrantedRole = findRbacRoleByName("test_package#xxx00.admin");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
|
final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
|
||||||
@ -219,8 +219,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
// then
|
// then
|
||||||
grant.assertThat()
|
grant.assertThat()
|
||||||
.statusCode(200)
|
.statusCode(200)
|
||||||
.body("grantedByRoleIdName", is("customer#xxx.admin"))
|
.body("grantedByRoleIdName", is("test_customer#xxx.admin"))
|
||||||
.body("grantedRoleIdName", is("package#xxx00.admin"))
|
.body("grantedRoleIdName", is("test_package#xxx00.admin"))
|
||||||
.body("granteeUserName", is("pac-admin-xxx00@xxx.example.com"));
|
.body("granteeUserName", is("pac-admin-xxx00@xxx.example.com"));
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -231,9 +231,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
// given
|
// given
|
||||||
final var givenCurrentUserAsPackageAdmin = new Subject(
|
final var givenCurrentUserAsPackageAdmin = new Subject(
|
||||||
"pac-admin-xxx00@xxx.example.com",
|
"pac-admin-xxx00@xxx.example.com",
|
||||||
"package#xxx00.tenant");
|
"test_package#xxx00.tenant");
|
||||||
final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
|
final var givenGranteeUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
|
||||||
final var givenGrantedRole = findRbacRoleByName("package#xxx00.admin");
|
final var givenGrantedRole = findRbacRoleByName("test_package#xxx00.admin");
|
||||||
final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
|
final var grant = givenCurrentUserAsPackageAdmin.getGrantById()
|
||||||
.forGrantedRole(givenGrantedRole).toGranteeUser(givenGranteeUser);
|
.forGrantedRole(givenGrantedRole).toGranteeUser(givenGranteeUser);
|
||||||
|
|
||||||
@ -252,7 +252,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
|
|
||||||
// given
|
// given
|
||||||
final var givenNewUser = createRBacUser();
|
final var givenNewUser = createRBacUser();
|
||||||
final var givenRoleToGrant = "package#xxx00.admin";
|
final var givenRoleToGrant = "test_package#xxx00.admin";
|
||||||
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
|
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
|
||||||
final var givenOwnPackageAdminRole =
|
final var givenOwnPackageAdminRole =
|
||||||
findRbacRoleByName(givenCurrentUserAsPackageAdmin.assumedRole);
|
findRbacRoleByName(givenCurrentUserAsPackageAdmin.assumedRole);
|
||||||
@ -265,9 +265,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
// then
|
// then
|
||||||
response.assertThat()
|
response.assertThat()
|
||||||
.statusCode(201)
|
.statusCode(201)
|
||||||
.body("grantedByRoleIdName", is("package#xxx00.admin"))
|
.body("grantedByRoleIdName", is("test_package#xxx00.admin"))
|
||||||
.body("assumed", is(true))
|
.body("assumed", is(true))
|
||||||
.body("grantedRoleIdName", is("package#xxx00.admin"))
|
.body("grantedRoleIdName", is("test_package#xxx00.admin"))
|
||||||
.body("granteeUserName", is(givenNewUser.getName()));
|
.body("granteeUserName", is(givenNewUser.getName()));
|
||||||
assertThat(findAllGrantsOf(givenCurrentUserAsPackageAdmin))
|
assertThat(findAllGrantsOf(givenCurrentUserAsPackageAdmin))
|
||||||
.extracting(RbacGrantEntity::toDisplay)
|
.extracting(RbacGrantEntity::toDisplay)
|
||||||
@ -282,9 +282,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
|
|
||||||
// given
|
// given
|
||||||
final var givenNewUser = createRBacUser();
|
final var givenNewUser = createRBacUser();
|
||||||
final var givenRoleToGrant = "package#xxx00.admin";
|
final var givenRoleToGrant = "test_package#xxx00.admin";
|
||||||
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
|
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
|
||||||
final var givenAlienPackageAdminRole = findRbacRoleByName("package#yyy00.admin");
|
final var givenAlienPackageAdminRole = findRbacRoleByName("test_package#yyy00.admin");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = givenCurrentUserAsPackageAdmin
|
final var result = givenCurrentUserAsPackageAdmin
|
||||||
@ -295,7 +295,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
result.assertThat()
|
result.assertThat()
|
||||||
.statusCode(403)
|
.statusCode(403)
|
||||||
.body("message", containsString("Access to granted role"))
|
.body("message", containsString("Access to granted role"))
|
||||||
.body("message", containsString("forbidden for {package#xxx00.admin}"));
|
.body("message", containsString("forbidden for {test_package#xxx00.admin}"));
|
||||||
assertThat(findAllGrantsOf(givenCurrentUserAsPackageAdmin))
|
assertThat(findAllGrantsOf(givenCurrentUserAsPackageAdmin))
|
||||||
.extracting(RbacGrantEntity::getGranteeUserName)
|
.extracting(RbacGrantEntity::getGranteeUserName)
|
||||||
.doesNotContain(givenNewUser.getName());
|
.doesNotContain(givenNewUser.getName());
|
||||||
@ -312,9 +312,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
|
|
||||||
// given
|
// given
|
||||||
final var givenArbitraryUser = createRBacUser();
|
final var givenArbitraryUser = createRBacUser();
|
||||||
final var givenRoleToGrant = "package#xxx00.admin";
|
final var givenRoleToGrant = "test_package#xxx00.admin";
|
||||||
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
|
final var givenCurrentUserAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
|
||||||
final var givenOwnPackageAdminRole = findRbacRoleByName("package#xxx00.admin");
|
final var givenOwnPackageAdminRole = findRbacRoleByName("test_package#xxx00.admin");
|
||||||
|
|
||||||
// and given an existing grant
|
// and given an existing grant
|
||||||
assumeCreated(givenCurrentUserAsPackageAdmin
|
assumeCreated(givenCurrentUserAsPackageAdmin
|
||||||
@ -499,14 +499,14 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
|
|
||||||
RbacUserEntity findRbacUserByName(final String userName) {
|
RbacUserEntity findRbacUserByName(final String userName) {
|
||||||
return jpaAttempt.transacted(() -> {
|
return jpaAttempt.transacted(() -> {
|
||||||
context("mike@hostsharing.net", null);
|
context("mike@example.org", null);
|
||||||
return rbacUserRepository.findByName(userName);
|
return rbacUserRepository.findByName(userName);
|
||||||
}).returnedValue();
|
}).returnedValue();
|
||||||
}
|
}
|
||||||
|
|
||||||
RbacRoleEntity findRbacRoleByName(final String roleName) {
|
RbacRoleEntity findRbacRoleByName(final String roleName) {
|
||||||
return jpaAttempt.transacted(() -> {
|
return jpaAttempt.transacted(() -> {
|
||||||
context("mike@hostsharing.net", null);
|
context("mike@example.org", null);
|
||||||
return rbacRoleRepository.findByRoleName(roleName);
|
return rbacRoleRepository.findByRoleName(roleName);
|
||||||
}).returnedValue();
|
}).returnedValue();
|
||||||
}
|
}
|
||||||
|
@ -68,7 +68,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
// then
|
// then
|
||||||
exactlyTheseRbacGrantsAreReturned(
|
exactlyTheseRbacGrantsAreReturned(
|
||||||
result,
|
result,
|
||||||
"{ grant assumed role package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role customer#xxx.admin }");
|
"{ grant assumed role test_package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role test_customer#xxx.admin }");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@ -83,17 +83,17 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
// then
|
// then
|
||||||
exactlyTheseRbacGrantsAreReturned(
|
exactlyTheseRbacGrantsAreReturned(
|
||||||
result,
|
result,
|
||||||
"{ grant assumed role customer#xxx.admin to user customer-admin@xxx.example.com by role global#hostsharing.admin }",
|
"{ grant assumed role test_customer#xxx.admin to user customer-admin@xxx.example.com by role global#test-global.admin }",
|
||||||
"{ grant assumed role package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role customer#xxx.admin }",
|
"{ grant assumed role test_package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role test_customer#xxx.admin }",
|
||||||
"{ grant assumed role package#xxx01.admin to user pac-admin-xxx01@xxx.example.com by role customer#xxx.admin }",
|
"{ grant assumed role test_package#xxx01.admin to user pac-admin-xxx01@xxx.example.com by role test_customer#xxx.admin }",
|
||||||
"{ grant assumed role package#xxx02.admin to user pac-admin-xxx02@xxx.example.com by role customer#xxx.admin }");
|
"{ grant assumed role test_package#xxx02.admin to user pac-admin-xxx02@xxx.example.com by role test_customer#xxx.admin }");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Accepts({ "GRT:L(List)" })
|
@Accepts({ "GRT:L(List)" })
|
||||||
public void customerAdmin_withAssumedRole_canOnlyViewRbacGrantsVisibleByAssumedRole() {
|
public void customerAdmin_withAssumedRole_canOnlyViewRbacGrantsVisibleByAssumedRole() {
|
||||||
// given:
|
// given:
|
||||||
context("customer-admin@xxx.example.com", "package#xxx00.admin");
|
context("customer-admin@xxx.example.com", "test_package#xxx00.admin");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = rbacGrantRepository.findAll();
|
final var result = rbacGrantRepository.findAll();
|
||||||
@ -101,7 +101,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
// then
|
// then
|
||||||
exactlyTheseRbacGrantsAreReturned(
|
exactlyTheseRbacGrantsAreReturned(
|
||||||
result,
|
result,
|
||||||
"{ grant assumed role package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role customer#xxx.admin }");
|
"{ grant assumed role test_package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role test_customer#xxx.admin }");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -111,9 +111,9 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
@Test
|
@Test
|
||||||
public void customerAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() {
|
public void customerAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() {
|
||||||
// given
|
// given
|
||||||
context("customer-admin@xxx.example.com", "customer#xxx.admin");
|
context("customer-admin@xxx.example.com", "test_customer#xxx.admin");
|
||||||
final var givenArbitraryUserUuid = rbacUserRepository.findByName("pac-admin-zzz00@zzz.example.com").getUuid();
|
final var givenArbitraryUserUuid = rbacUserRepository.findByName("pac-admin-zzz00@zzz.example.com").getUuid();
|
||||||
final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("package#xxx00.admin").getUuid();
|
final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("test_package#xxx00.admin").getUuid();
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var grant = RbacGrantEntity.builder()
|
final var grant = RbacGrantEntity.builder()
|
||||||
@ -129,7 +129,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
assertThat(rbacGrantRepository.findAll())
|
assertThat(rbacGrantRepository.findAll())
|
||||||
.extracting(RbacGrantEntity::toDisplay)
|
.extracting(RbacGrantEntity::toDisplay)
|
||||||
.contains(
|
.contains(
|
||||||
"{ grant assumed role package#xxx00.admin to user pac-admin-zzz00@zzz.example.com by role customer#xxx.admin }");
|
"{ grant assumed role test_package#xxx00.admin to user pac-admin-zzz00@zzz.example.com by role test_customer#xxx.admin }");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@ -142,14 +142,14 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
context("customer-admin@xxx.example.com", null);
|
context("customer-admin@xxx.example.com", null);
|
||||||
return new Given(
|
return new Given(
|
||||||
createNewUser(),
|
createNewUser(),
|
||||||
rbacRoleRepository.findByRoleName("package#xxx00.owner").getUuid()
|
rbacRoleRepository.findByRoleName("test_package#xxx00.owner").getUuid()
|
||||||
);
|
);
|
||||||
}).assumeSuccessful().returnedValue();
|
}).assumeSuccessful().returnedValue();
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var attempt = jpaAttempt.transacted(() -> {
|
final var attempt = jpaAttempt.transacted(() -> {
|
||||||
// now we try to use these uuids as a less privileged user
|
// now we try to use these uuids as a less privileged user
|
||||||
context("pac-admin-xxx00@xxx.example.com", "package#xxx00.admin");
|
context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00.admin");
|
||||||
final var grant = RbacGrantEntity.builder()
|
final var grant = RbacGrantEntity.builder()
|
||||||
.granteeUserUuid(given.arbitraryUser.getUuid())
|
.granteeUserUuid(given.arbitraryUser.getUuid())
|
||||||
.grantedRoleUuid(given.packageOwnerRoleUuid)
|
.grantedRoleUuid(given.packageOwnerRoleUuid)
|
||||||
@ -162,7 +162,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
attempt.assertExceptionWithRootCauseMessage(
|
attempt.assertExceptionWithRootCauseMessage(
|
||||||
JpaSystemException.class,
|
JpaSystemException.class,
|
||||||
"ERROR: [403] Access to granted role " + given.packageOwnerRoleUuid
|
"ERROR: [403] Access to granted role " + given.packageOwnerRoleUuid
|
||||||
+ " forbidden for {package#xxx00.admin}");
|
+ " forbidden for {test_package#xxx00.admin}");
|
||||||
jpaAttempt.transacted(() -> {
|
jpaAttempt.transacted(() -> {
|
||||||
// finally, we use the new user to make sure, no roles were granted
|
// finally, we use the new user to make sure, no roles were granted
|
||||||
context(given.arbitraryUser.getName(), null);
|
context(given.arbitraryUser.getName(), null);
|
||||||
@ -180,17 +180,17 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
public void customerAdmin_canRevokeSelfGrantedPackageAdminRole() {
|
public void customerAdmin_canRevokeSelfGrantedPackageAdminRole() {
|
||||||
// given
|
// given
|
||||||
final var grant = create(grant()
|
final var grant = create(grant()
|
||||||
.byUser("customer-admin@xxx.example.com").withAssumedRole("customer#xxx.admin")
|
.byUser("customer-admin@xxx.example.com").withAssumedRole("test_customer#xxx.admin")
|
||||||
.grantingRole("package#xxx00.admin").toUser("pac-admin-zzz00@zzz.example.com"));
|
.grantingRole("test_package#xxx00.admin").toUser("pac-admin-zzz00@zzz.example.com"));
|
||||||
|
|
||||||
// when
|
// when
|
||||||
context("customer-admin@xxx.example.com", "customer#xxx.admin");
|
context("customer-admin@xxx.example.com", "test_customer#xxx.admin");
|
||||||
final var revokeAttempt = attempt(em, () -> {
|
final var revokeAttempt = attempt(em, () -> {
|
||||||
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
|
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
|
||||||
});
|
});
|
||||||
|
|
||||||
// then
|
// then
|
||||||
context("customer-admin@xxx.example.com", "customer#xxx.admin");
|
context("customer-admin@xxx.example.com", "test_customer#xxx.admin");
|
||||||
assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull();
|
assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull();
|
||||||
assertThat(rbacGrantRepository.findAll())
|
assertThat(rbacGrantRepository.findAll())
|
||||||
.extracting(RbacGrantEntity::getGranteeUserName)
|
.extracting(RbacGrantEntity::getGranteeUserName)
|
||||||
@ -202,18 +202,18 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
// given
|
// given
|
||||||
final var newUser = createNewUserTransacted();
|
final var newUser = createNewUserTransacted();
|
||||||
final var grant = create(grant()
|
final var grant = create(grant()
|
||||||
.byUser("customer-admin@xxx.example.com").withAssumedRole("package#xxx00.admin")
|
.byUser("customer-admin@xxx.example.com").withAssumedRole("test_package#xxx00.admin")
|
||||||
.grantingRole("package#xxx00.admin").toUser(newUser.getName()));
|
.grantingRole("test_package#xxx00.admin").toUser(newUser.getName()));
|
||||||
|
|
||||||
// when
|
// when
|
||||||
context("pac-admin-xxx00@xxx.example.com", "package#xxx00.admin");
|
context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00.admin");
|
||||||
final var revokeAttempt = attempt(em, () -> {
|
final var revokeAttempt = attempt(em, () -> {
|
||||||
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
|
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
|
||||||
});
|
});
|
||||||
|
|
||||||
// then
|
// then
|
||||||
assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull();
|
assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull();
|
||||||
context("customer-admin@xxx.example.com", "customer#xxx.admin");
|
context("customer-admin@xxx.example.com", "test_customer#xxx.admin");
|
||||||
assertThat(rbacGrantRepository.findAll())
|
assertThat(rbacGrantRepository.findAll())
|
||||||
.extracting(RbacGrantEntity::getGranteeUserName)
|
.extracting(RbacGrantEntity::getGranteeUserName)
|
||||||
.doesNotContain("pac-admin-zzz00@zzz.example.com");
|
.doesNotContain("pac-admin-zzz00@zzz.example.com");
|
||||||
@ -223,12 +223,12 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
public void packageAdmin_canNotRevokeOwnPackageAdminRoleGrantedByOwnerRoleOfThatPackage() {
|
public void packageAdmin_canNotRevokeOwnPackageAdminRoleGrantedByOwnerRoleOfThatPackage() {
|
||||||
// given
|
// given
|
||||||
final var grant = create(grant()
|
final var grant = create(grant()
|
||||||
.byUser("customer-admin@xxx.example.com").withAssumedRole("package#xxx00.owner")
|
.byUser("customer-admin@xxx.example.com").withAssumedRole("test_package#xxx00.owner")
|
||||||
.grantingRole("package#xxx00.admin").toUser("pac-admin-zzz00@zzz.example.com"));
|
.grantingRole("test_package#xxx00.admin").toUser("pac-admin-zzz00@zzz.example.com"));
|
||||||
final var grantedByRole = rbacRoleRepository.findByRoleName("package#xxx00.owner");
|
final var grantedByRole = rbacRoleRepository.findByRoleName("test_package#xxx00.owner");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
context("pac-admin-xxx00@xxx.example.com", "package#xxx00.admin");
|
context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00.admin");
|
||||||
final var revokeAttempt = attempt(em, () -> {
|
final var revokeAttempt = attempt(em, () -> {
|
||||||
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
|
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId());
|
||||||
});
|
});
|
||||||
@ -236,7 +236,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
// then
|
// then
|
||||||
revokeAttempt.assertExceptionWithRootCauseMessage(
|
revokeAttempt.assertExceptionWithRootCauseMessage(
|
||||||
JpaSystemException.class,
|
JpaSystemException.class,
|
||||||
"ERROR: [403] Revoking role created by %s is forbidden for {package#xxx00.admin}.".formatted(
|
"ERROR: [403] Revoking role created by %s is forbidden for {test_package#xxx00.admin}.".formatted(
|
||||||
grantedByRole.getUuid()
|
grantedByRole.getUuid()
|
||||||
));
|
));
|
||||||
}
|
}
|
||||||
|
@ -38,39 +38,39 @@ class RbacRoleControllerAcceptanceTest {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Accepts({ "ROL:L(List)" })
|
@Accepts({ "ROL:L(List)" })
|
||||||
void hostsharingAdmin_withoutAssumedRole_canViewAllRoles() {
|
void testGlobalAdmin_withoutAssumedRole_canViewAllRoles() {
|
||||||
|
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
RestAssured
|
RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/rbac-roles")
|
.get("http://localhost/api/rbac-roles")
|
||||||
.then().assertThat()
|
.then().assertThat()
|
||||||
.statusCode(200)
|
.statusCode(200)
|
||||||
.contentType("application/json")
|
.contentType("application/json")
|
||||||
.body("", hasItem(hasEntry("roleName", "customer#xxx.admin")))
|
.body("", hasItem(hasEntry("roleName", "test_customer#xxx.admin")))
|
||||||
.body("", hasItem(hasEntry("roleName", "customer#xxx.owner")))
|
.body("", hasItem(hasEntry("roleName", "test_customer#xxx.owner")))
|
||||||
.body("", hasItem(hasEntry("roleName", "customer#xxx.tenant")))
|
.body("", hasItem(hasEntry("roleName", "test_customer#xxx.tenant")))
|
||||||
// ...
|
// ...
|
||||||
.body("", hasItem(hasEntry("roleName", "global#hostsharing.admin")))
|
.body("", hasItem(hasEntry("roleName", "global#test-global.admin")))
|
||||||
.body("", hasItem(hasEntry("roleName", "customer#yyy.admin")))
|
.body("", hasItem(hasEntry("roleName", "test_customer#yyy.admin")))
|
||||||
.body("", hasItem(hasEntry("roleName", "package#yyy00.admin")))
|
.body("", hasItem(hasEntry("roleName", "test_package#yyy00.admin")))
|
||||||
.body("", hasItem(hasEntry("roleName", "unixuser#yyy00-aaaa.owner")))
|
.body("", hasItem(hasEntry("roleName", "test_unixuser#yyy00-aaaa.owner")))
|
||||||
.body( "size()", greaterThanOrEqualTo(73)); // increases with new test data
|
.body( "size()", greaterThanOrEqualTo(73)); // increases with new test data
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Accepts({ "ROL:L(List)", "ROL:X(Access Control)" })
|
@Accepts({ "ROL:L(List)", "ROL:X(Access Control)" })
|
||||||
void hostsharingAdmin_withAssumedPackageAdminRole_canViewPackageAdminRoles() {
|
void testGlobalAdmin_withAssumedPackageAdminRole_canViewPackageAdminRoles() {
|
||||||
|
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
RestAssured
|
RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.header("assumed-roles", "package#yyy00.admin")
|
.header("assumed-roles", "test_package#yyy00.admin")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/rbac-roles")
|
.get("http://localhost/api/rbac-roles")
|
||||||
@ -79,10 +79,10 @@ class RbacRoleControllerAcceptanceTest {
|
|||||||
.assertThat()
|
.assertThat()
|
||||||
.statusCode(200)
|
.statusCode(200)
|
||||||
.contentType("application/json")
|
.contentType("application/json")
|
||||||
.body("[0].roleName", is("customer#yyy.tenant"))
|
.body("[0].roleName", is("test_customer#yyy.tenant"))
|
||||||
.body("[1].roleName", is("package#yyy00.admin"))
|
.body("[1].roleName", is("test_package#yyy00.admin"))
|
||||||
.body("[2].roleName", is("package#yyy00.tenant"))
|
.body("[2].roleName", is("test_package#yyy00.tenant"))
|
||||||
.body("[3].roleName", is("unixuser#yyy00-aaaa.admin"))
|
.body("[3].roleName", is("test_unixuser#yyy00-aaaa.admin"))
|
||||||
.body("size()", is(7)); // increases with new test data
|
.body("size()", is(7)); // increases with new test data
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
}
|
}
|
||||||
@ -101,12 +101,11 @@ class RbacRoleControllerAcceptanceTest {
|
|||||||
.then().assertThat()
|
.then().assertThat()
|
||||||
.statusCode(200)
|
.statusCode(200)
|
||||||
.contentType("application/json")
|
.contentType("application/json")
|
||||||
.body("[0].roleName", is("customer#zzz.tenant"))
|
.body("[0].roleName", is("test_customer#zzz.tenant"))
|
||||||
.body("[1].roleName", is("package#zzz00.admin"))
|
.body("[1].roleName", is("test_package#zzz00.admin"))
|
||||||
.body("[2].roleName", is("package#zzz00.tenant"))
|
.body("[2].roleName", is("test_package#zzz00.tenant"))
|
||||||
.body("[3].roleName", is("unixuser#zzz00-aaaa.admin"))
|
.body("[3].roleName", is("test_unixuser#zzz00-aaaa.admin"))
|
||||||
.body("size()", is(7)); // increases with new test data
|
.body("size()", is(7)); // increases with new test data
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -37,15 +37,15 @@ class RbacRoleControllerRestTest {
|
|||||||
// when
|
// when
|
||||||
mockMvc.perform(MockMvcRequestBuilders
|
mockMvc.perform(MockMvcRequestBuilders
|
||||||
.get("/api/rbac-roles")
|
.get("/api/rbac-roles")
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.accept(MediaType.APPLICATION_JSON))
|
.accept(MediaType.APPLICATION_JSON))
|
||||||
|
|
||||||
// then
|
// then
|
||||||
.andExpect(status().isOk())
|
.andExpect(status().isOk())
|
||||||
.andExpect(jsonPath("$", hasSize(3)))
|
.andExpect(jsonPath("$", hasSize(3)))
|
||||||
.andExpect(jsonPath("$[0].roleName", is("global#hostsharing.admin")))
|
.andExpect(jsonPath("$[0].roleName", is("global#test-global.admin")))
|
||||||
.andExpect(jsonPath("$[1].roleName", is("customer#xxx.owner")))
|
.andExpect(jsonPath("$[1].roleName", is("test_customer#xxx.owner")))
|
||||||
.andExpect(jsonPath("$[2].roleName", is("customer#xxx.admin")))
|
.andExpect(jsonPath("$[2].roleName", is("test_customer#xxx.admin")))
|
||||||
.andExpect(jsonPath("$[2].uuid", is(customerXxxAdmin.getUuid().toString())))
|
.andExpect(jsonPath("$[2].uuid", is(customerXxxAdmin.getUuid().toString())))
|
||||||
.andExpect(jsonPath("$[2].objectUuid", is(customerXxxAdmin.getObjectUuid().toString())))
|
.andExpect(jsonPath("$[2].objectUuid", is(customerXxxAdmin.getObjectUuid().toString())))
|
||||||
.andExpect(jsonPath("$[2].objectTable", is(customerXxxAdmin.getObjectTable().toString())))
|
.andExpect(jsonPath("$[2].objectTable", is(customerXxxAdmin.getObjectTable().toString())))
|
||||||
|
@ -40,26 +40,26 @@ class RbacRoleRepositoryIntegrationTest {
|
|||||||
|
|
||||||
private static final String[] ALL_TEST_DATA_ROLES = Array.of(
|
private static final String[] ALL_TEST_DATA_ROLES = Array.of(
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
"global#hostsharing.admin",
|
"global#test-global.admin",
|
||||||
"customer#xxx.admin", "customer#xxx.owner", "customer#xxx.tenant",
|
"test_customer#xxx.admin", "test_customer#xxx.owner", "test_customer#xxx.tenant",
|
||||||
"package#xxx00.admin", "package#xxx00.owner", "package#xxx00.tenant",
|
"test_package#xxx00.admin", "test_package#xxx00.owner", "test_package#xxx00.tenant",
|
||||||
"package#xxx01.admin", "package#xxx01.owner", "package#xxx01.tenant",
|
"test_package#xxx01.admin", "test_package#xxx01.owner", "test_package#xxx01.tenant",
|
||||||
"package#xxx02.admin", "package#xxx02.owner", "package#xxx02.tenant",
|
"test_package#xxx02.admin", "test_package#xxx02.owner", "test_package#xxx02.tenant",
|
||||||
"customer#yyy.admin", "customer#yyy.owner", "customer#yyy.tenant",
|
"test_customer#yyy.admin", "test_customer#yyy.owner", "test_customer#yyy.tenant",
|
||||||
"package#yyy00.admin", "package#yyy00.owner", "package#yyy00.tenant",
|
"test_package#yyy00.admin", "test_package#yyy00.owner", "test_package#yyy00.tenant",
|
||||||
"package#yyy01.admin", "package#yyy01.owner", "package#yyy01.tenant",
|
"test_package#yyy01.admin", "test_package#yyy01.owner", "test_package#yyy01.tenant",
|
||||||
"package#yyy02.admin", "package#yyy02.owner", "package#yyy02.tenant",
|
"test_package#yyy02.admin", "test_package#yyy02.owner", "test_package#yyy02.tenant",
|
||||||
"customer#zzz.admin", "customer#zzz.owner", "customer#zzz.tenant",
|
"test_customer#zzz.admin", "test_customer#zzz.owner", "test_customer#zzz.tenant",
|
||||||
"package#zzz00.admin", "package#zzz00.owner", "package#zzz00.tenant",
|
"test_package#zzz00.admin", "test_package#zzz00.owner", "test_package#zzz00.tenant",
|
||||||
"package#zzz01.admin", "package#zzz01.owner", "package#zzz01.tenant",
|
"test_package#zzz01.admin", "test_package#zzz01.owner", "test_package#zzz01.tenant",
|
||||||
"package#zzz02.admin", "package#zzz02.owner", "package#zzz02.tenant"
|
"test_package#zzz02.admin", "test_package#zzz02.owner", "test_package#zzz02.tenant"
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
);
|
);
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void hostsharingAdmin_withoutAssumedRole_canViewAllRbacRoles() {
|
public void testGlobalAdmin_withoutAssumedRole_canViewAllRbacRoles() {
|
||||||
// given
|
// given
|
||||||
context.define("mike@hostsharing.net");
|
context.define("mike@example.org");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = rbacRoleRepository.findAll();
|
final var result = rbacRoleRepository.findAll();
|
||||||
@ -69,9 +69,9 @@ class RbacRoleRepositoryIntegrationTest {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void hostsharingAdmin_withAssumedHostsharingAdminRole_canViewAllRbacRoles() {
|
public void testGlobalAdmin_withAssumedtestGlobalAdminRole_canViewAllRbacRoles() {
|
||||||
given:
|
given:
|
||||||
context.define("mike@hostsharing.net", "global#hostsharing.admin");
|
context.define("mike@example.org", "global#test-global.admin");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = rbacRoleRepository.findAll();
|
final var result = rbacRoleRepository.findAll();
|
||||||
@ -92,49 +92,49 @@ class RbacRoleRepositoryIntegrationTest {
|
|||||||
allTheseRbacRolesAreReturned(
|
allTheseRbacRolesAreReturned(
|
||||||
result,
|
result,
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
"customer#xxx.admin",
|
"test_customer#xxx.admin",
|
||||||
"customer#xxx.tenant",
|
"test_customer#xxx.tenant",
|
||||||
"package#xxx00.admin",
|
"test_package#xxx00.admin",
|
||||||
"package#xxx00.owner",
|
"test_package#xxx00.owner",
|
||||||
"package#xxx00.tenant",
|
"test_package#xxx00.tenant",
|
||||||
"package#xxx01.admin",
|
"test_package#xxx01.admin",
|
||||||
"package#xxx01.owner",
|
"test_package#xxx01.owner",
|
||||||
"package#xxx01.tenant",
|
"test_package#xxx01.tenant",
|
||||||
// ...
|
// ...
|
||||||
"unixuser#xxx00-aaaa.admin",
|
"test_unixuser#xxx00-aaaa.admin",
|
||||||
"unixuser#xxx00-aaaa.owner",
|
"test_unixuser#xxx00-aaaa.owner",
|
||||||
// ..
|
// ..
|
||||||
"unixuser#xxx01-aaab.admin",
|
"test_unixuser#xxx01-aaab.admin",
|
||||||
"unixuser#xxx01-aaab.owner"
|
"test_unixuser#xxx01-aaab.owner"
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
);
|
);
|
||||||
noneOfTheseRbacRolesIsReturned(
|
noneOfTheseRbacRolesIsReturned(
|
||||||
result,
|
result,
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
"global#hostsharing.admin",
|
"global#test-global.admin",
|
||||||
"customer#xxx.owner",
|
"test_customer#xxx.owner",
|
||||||
"package#yyy00.admin",
|
"test_package#yyy00.admin",
|
||||||
"package#yyy00.owner",
|
"test_package#yyy00.owner",
|
||||||
"package#yyy00.tenant"
|
"test_package#yyy00.tenant"
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnRbacRole() {
|
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnRbacRole() {
|
||||||
context.define("customer-admin@xxx.example.com", "package#xxx00.admin");
|
context.define("customer-admin@xxx.example.com", "test_package#xxx00.admin");
|
||||||
|
|
||||||
final var result = rbacRoleRepository.findAll();
|
final var result = rbacRoleRepository.findAll();
|
||||||
|
|
||||||
exactlyTheseRbacRolesAreReturned(
|
exactlyTheseRbacRolesAreReturned(
|
||||||
result,
|
result,
|
||||||
"customer#xxx.tenant",
|
"test_customer#xxx.tenant",
|
||||||
"package#xxx00.admin",
|
"test_package#xxx00.admin",
|
||||||
"package#xxx00.tenant",
|
"test_package#xxx00.tenant",
|
||||||
"unixuser#xxx00-aaaa.admin",
|
"test_unixuser#xxx00-aaaa.admin",
|
||||||
"unixuser#xxx00-aaaa.owner",
|
"test_unixuser#xxx00-aaaa.owner",
|
||||||
"unixuser#xxx00-aaab.admin",
|
"test_unixuser#xxx00-aaab.admin",
|
||||||
"unixuser#xxx00-aaab.owner");
|
"test_unixuser#xxx00-aaab.owner");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@ -158,10 +158,10 @@ class RbacRoleRepositoryIntegrationTest {
|
|||||||
void customerAdmin_withoutAssumedRole_canFindItsOwnRolesByName() {
|
void customerAdmin_withoutAssumedRole_canFindItsOwnRolesByName() {
|
||||||
context.define("customer-admin@xxx.example.com");
|
context.define("customer-admin@xxx.example.com");
|
||||||
|
|
||||||
final var result = rbacRoleRepository.findByRoleName("customer#xxx.admin");
|
final var result = rbacRoleRepository.findByRoleName("test_customer#xxx.admin");
|
||||||
|
|
||||||
assertThat(result).isNotNull();
|
assertThat(result).isNotNull();
|
||||||
assertThat(result.getObjectTable()).isEqualTo("customer");
|
assertThat(result.getObjectTable()).isEqualTo("test_customer");
|
||||||
assertThat(result.getObjectIdName()).isEqualTo("xxx");
|
assertThat(result.getObjectIdName()).isEqualTo("xxx");
|
||||||
assertThat(result.getRoleType()).isEqualTo(RbacRoleType.admin);
|
assertThat(result.getRoleType()).isEqualTo(RbacRoleType.admin);
|
||||||
}
|
}
|
||||||
@ -170,7 +170,7 @@ class RbacRoleRepositoryIntegrationTest {
|
|||||||
void customerAdmin_withoutAssumedRole_canNotFindAlienRolesByName() {
|
void customerAdmin_withoutAssumedRole_canNotFindAlienRolesByName() {
|
||||||
context.define("customer-admin@xxx.example.com");
|
context.define("customer-admin@xxx.example.com");
|
||||||
|
|
||||||
final var result = rbacRoleRepository.findByRoleName("customer#bbb.admin");
|
final var result = rbacRoleRepository.findByRoleName("test_customer#bbb.admin");
|
||||||
|
|
||||||
assertThat(result).isNull();
|
assertThat(result).isNull();
|
||||||
}
|
}
|
||||||
|
@ -4,9 +4,9 @@ import static java.util.UUID.randomUUID;
|
|||||||
|
|
||||||
public class TestRbacRole {
|
public class TestRbacRole {
|
||||||
|
|
||||||
public static final RbacRoleEntity hostmasterRole = rbacRole("global", "hostsharing", RbacRoleType.admin);
|
public static final RbacRoleEntity hostmasterRole = rbacRole("global", "test-global", RbacRoleType.admin);
|
||||||
static final RbacRoleEntity customerXxxOwner = rbacRole("customer", "xxx", RbacRoleType.owner);
|
static final RbacRoleEntity customerXxxOwner = rbacRole("test_customer", "xxx", RbacRoleType.owner);
|
||||||
static final RbacRoleEntity customerXxxAdmin = rbacRole("customer", "xxx", RbacRoleType.admin);
|
static final RbacRoleEntity customerXxxAdmin = rbacRole("test_customer", "xxx", RbacRoleType.admin);
|
||||||
|
|
||||||
static public RbacRoleEntity rbacRole(final String objectTable, final String objectIdName, final RbacRoleType roleType) {
|
static public RbacRoleEntity rbacRole(final String objectTable, final String objectIdName, final RbacRoleType roleType) {
|
||||||
return new RbacRoleEntity(randomUUID(), randomUUID(), objectTable, objectIdName, roleType, objectTable+'#'+objectIdName+'.'+roleType);
|
return new RbacRoleEntity(randomUUID(), randomUUID(), objectTable, objectIdName, roleType, objectTable+'#'+objectIdName+'.'+roleType);
|
||||||
|
@ -82,13 +82,13 @@ class RbacUserControllerAcceptanceTest {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Accepts({ "USR:R(Read)" })
|
@Accepts({ "USR:R(Read)" })
|
||||||
void hostsharingAdmin_withoutAssumedRole_canGetArbitraryUser() {
|
void testGlobalAdmin_withoutAssumedRole_canGetArbitraryUser() {
|
||||||
final var givenUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
|
final var givenUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
|
||||||
|
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
RestAssured
|
RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/rbac-users/" + givenUser.getUuid())
|
.get("http://localhost/api/rbac-users/" + givenUser.getUuid())
|
||||||
@ -101,14 +101,14 @@ class RbacUserControllerAcceptanceTest {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Accepts({ "USR:R(Read)", "USR:X(Access Control)" })
|
@Accepts({ "USR:R(Read)", "USR:X(Access Control)" })
|
||||||
void hostsharingAdmin_withAssumedCustomerAdminRole_canGetUserWithinInItsRealm() {
|
void testGlobalAdmin_withAssumedCustomerAdminRole_canGetUserWithinInItsRealm() {
|
||||||
final var givenUser = findRbacUserByName("pac-admin-yyy00@yyy.example.com");
|
final var givenUser = findRbacUserByName("pac-admin-yyy00@yyy.example.com");
|
||||||
|
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
RestAssured
|
RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.header("assumed-roles", "customer#yyy.admin")
|
.header("assumed-roles", "test_customer#yyy.admin")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/rbac-users/" + givenUser.getUuid())
|
.get("http://localhost/api/rbac-users/" + givenUser.getUuid())
|
||||||
@ -161,12 +161,12 @@ class RbacUserControllerAcceptanceTest {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Accepts({ "USR:L(List)" })
|
@Accepts({ "USR:L(List)" })
|
||||||
void hostsharingAdmin_withoutAssumedRole_canViewAllUsers() {
|
void testGlobalAdmin_withoutAssumedRole_canViewAllUsers() {
|
||||||
|
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
RestAssured
|
RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/rbac-users")
|
.get("http://localhost/api/rbac-users")
|
||||||
@ -176,23 +176,23 @@ class RbacUserControllerAcceptanceTest {
|
|||||||
.body("", hasItem(hasEntry("name", "customer-admin@xxx.example.com")))
|
.body("", hasItem(hasEntry("name", "customer-admin@xxx.example.com")))
|
||||||
.body("", hasItem(hasEntry("name", "customer-admin@yyy.example.com")))
|
.body("", hasItem(hasEntry("name", "customer-admin@yyy.example.com")))
|
||||||
.body("", hasItem(hasEntry("name", "customer-admin@zzz.example.com")))
|
.body("", hasItem(hasEntry("name", "customer-admin@zzz.example.com")))
|
||||||
.body("", hasItem(hasEntry("name", "mike@hostsharing.net")))
|
.body("", hasItem(hasEntry("name", "mike@example.org")))
|
||||||
// ...
|
// ...
|
||||||
.body("", hasItem(hasEntry("name", "pac-admin-zzz01@zzz.example.com")))
|
.body("", hasItem(hasEntry("name", "pac-admin-zzz01@zzz.example.com")))
|
||||||
.body("", hasItem(hasEntry("name", "pac-admin-zzz02@zzz.example.com")))
|
.body("", hasItem(hasEntry("name", "pac-admin-zzz02@zzz.example.com")))
|
||||||
.body("", hasItem(hasEntry("name", "sven@hostsharing.net")))
|
.body("", hasItem(hasEntry("name", "sven@example.org")))
|
||||||
.body("size()", greaterThanOrEqualTo(14));
|
.body("size()", greaterThanOrEqualTo(14));
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Accepts({ "USR:F(Filter)" })
|
@Accepts({ "USR:F(Filter)" })
|
||||||
void hostsharingAdmin_withoutAssumedRole_canViewAllUsersByName() {
|
void testGlobalAdmin_withoutAssumedRole_canViewAllUsersByName() {
|
||||||
|
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
RestAssured
|
RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/rbac-users?name=pac-admin-zzz0")
|
.get("http://localhost/api/rbac-users?name=pac-admin-zzz0")
|
||||||
@ -208,13 +208,13 @@ class RbacUserControllerAcceptanceTest {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Accepts({ "USR:L(List)", "USR:X(Access Control)" })
|
@Accepts({ "USR:L(List)", "USR:X(Access Control)" })
|
||||||
void hostsharingAdmin_withAssumedCustomerAdminRole_canViewUsersInItsRealm() {
|
void testGlobalAdmin_withAssumedCustomerAdminRole_canViewUsersInItsRealm() {
|
||||||
|
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
RestAssured
|
RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.header("assumed-roles", "customer#yyy.admin")
|
.header("assumed-roles", "test_customer#yyy.admin")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/rbac-users")
|
.get("http://localhost/api/rbac-users")
|
||||||
@ -276,13 +276,13 @@ class RbacUserControllerAcceptanceTest {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Accepts({ "PRM:L(List)" })
|
@Accepts({ "PRM:L(List)" })
|
||||||
void hostsharingAdmin_withoutAssumedRole_canViewArbitraryUsersPermissions() {
|
void testGlobalAdmin_withoutAssumedRole_canViewArbitraryUsersPermissions() {
|
||||||
final var givenUser = findRbacUserByName("pac-admin-yyy00@yyy.example.com");
|
final var givenUser = findRbacUserByName("pac-admin-yyy00@yyy.example.com");
|
||||||
|
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
RestAssured
|
RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/rbac-users/" + givenUser.getUuid() + "/permissions")
|
.get("http://localhost/api/rbac-users/" + givenUser.getUuid() + "/permissions")
|
||||||
@ -291,17 +291,17 @@ class RbacUserControllerAcceptanceTest {
|
|||||||
.contentType("application/json")
|
.contentType("application/json")
|
||||||
.body("", hasItem(
|
.body("", hasItem(
|
||||||
allOf(
|
allOf(
|
||||||
hasEntry("roleName", "customer#yyy.tenant"),
|
hasEntry("roleName", "test_customer#yyy.tenant"),
|
||||||
hasEntry("op", "view"))
|
hasEntry("op", "view"))
|
||||||
))
|
))
|
||||||
.body("", hasItem(
|
.body("", hasItem(
|
||||||
allOf(
|
allOf(
|
||||||
hasEntry("roleName", "package#yyy00.admin"),
|
hasEntry("roleName", "test_package#yyy00.admin"),
|
||||||
hasEntry("op", "add-unixuser"))
|
hasEntry("op", "add-unixuser"))
|
||||||
))
|
))
|
||||||
.body("", hasItem(
|
.body("", hasItem(
|
||||||
allOf(
|
allOf(
|
||||||
hasEntry("roleName", "unixuser#yyy00-aaaa.owner"),
|
hasEntry("roleName", "test_unixuser#yyy00-aaaa.owner"),
|
||||||
hasEntry("op", "*"))
|
hasEntry("op", "*"))
|
||||||
))
|
))
|
||||||
.body("size()", is(8));
|
.body("size()", is(8));
|
||||||
@ -310,14 +310,14 @@ class RbacUserControllerAcceptanceTest {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Accepts({ "PRM:L(List)" })
|
@Accepts({ "PRM:L(List)" })
|
||||||
void hostsharingAdmin_withAssumedCustomerAdminRole_canViewArbitraryUsersPermissions() {
|
void testGlobalAdmin_withAssumedCustomerAdminRole_canViewArbitraryUsersPermissions() {
|
||||||
final var givenUser = findRbacUserByName("pac-admin-yyy00@yyy.example.com");
|
final var givenUser = findRbacUserByName("pac-admin-yyy00@yyy.example.com");
|
||||||
|
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
RestAssured
|
RestAssured
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "mike@hostsharing.net")
|
.header("current-user", "mike@example.org")
|
||||||
.header("assumed-roles", "package#yyy00.admin")
|
.header("assumed-roles", "test_package#yyy00.admin")
|
||||||
.port(port)
|
.port(port)
|
||||||
.when()
|
.when()
|
||||||
.get("http://localhost/api/rbac-users/" + givenUser.getUuid() + "/permissions")
|
.get("http://localhost/api/rbac-users/" + givenUser.getUuid() + "/permissions")
|
||||||
@ -326,17 +326,17 @@ class RbacUserControllerAcceptanceTest {
|
|||||||
.contentType("application/json")
|
.contentType("application/json")
|
||||||
.body("", hasItem(
|
.body("", hasItem(
|
||||||
allOf(
|
allOf(
|
||||||
hasEntry("roleName", "customer#yyy.tenant"),
|
hasEntry("roleName", "test_customer#yyy.tenant"),
|
||||||
hasEntry("op", "view"))
|
hasEntry("op", "view"))
|
||||||
))
|
))
|
||||||
.body("", hasItem(
|
.body("", hasItem(
|
||||||
allOf(
|
allOf(
|
||||||
hasEntry("roleName", "package#yyy00.admin"),
|
hasEntry("roleName", "test_package#yyy00.admin"),
|
||||||
hasEntry("op", "add-unixuser"))
|
hasEntry("op", "add-unixuser"))
|
||||||
))
|
))
|
||||||
.body("", hasItem(
|
.body("", hasItem(
|
||||||
allOf(
|
allOf(
|
||||||
hasEntry("roleName", "unixuser#yyy00-aaaa.owner"),
|
hasEntry("roleName", "test_unixuser#yyy00-aaaa.owner"),
|
||||||
hasEntry("op", "*"))
|
hasEntry("op", "*"))
|
||||||
))
|
))
|
||||||
.body("size()", is(8));
|
.body("size()", is(8));
|
||||||
@ -360,17 +360,17 @@ class RbacUserControllerAcceptanceTest {
|
|||||||
.contentType("application/json")
|
.contentType("application/json")
|
||||||
.body("", hasItem(
|
.body("", hasItem(
|
||||||
allOf(
|
allOf(
|
||||||
hasEntry("roleName", "customer#yyy.tenant"),
|
hasEntry("roleName", "test_customer#yyy.tenant"),
|
||||||
hasEntry("op", "view"))
|
hasEntry("op", "view"))
|
||||||
))
|
))
|
||||||
.body("", hasItem(
|
.body("", hasItem(
|
||||||
allOf(
|
allOf(
|
||||||
hasEntry("roleName", "package#yyy00.admin"),
|
hasEntry("roleName", "test_package#yyy00.admin"),
|
||||||
hasEntry("op", "add-unixuser"))
|
hasEntry("op", "add-unixuser"))
|
||||||
))
|
))
|
||||||
.body("", hasItem(
|
.body("", hasItem(
|
||||||
allOf(
|
allOf(
|
||||||
hasEntry("roleName", "unixuser#yyy00-aaaa.owner"),
|
hasEntry("roleName", "test_unixuser#yyy00-aaaa.owner"),
|
||||||
hasEntry("op", "*"))
|
hasEntry("op", "*"))
|
||||||
))
|
))
|
||||||
.body("size()", is(8));
|
.body("size()", is(8));
|
||||||
@ -399,7 +399,7 @@ class RbacUserControllerAcceptanceTest {
|
|||||||
|
|
||||||
RbacUserEntity findRbacUserByName(final String userName) {
|
RbacUserEntity findRbacUserByName(final String userName) {
|
||||||
return jpaAttempt.transacted(() -> {
|
return jpaAttempt.transacted(() -> {
|
||||||
context.define("mike@hostsharing.net");
|
context.define("mike@example.org");
|
||||||
return rbacUserRepository.findByName(userName);
|
return rbacUserRepository.findByName(userName);
|
||||||
}).returnedValue();
|
}).returnedValue();
|
||||||
}
|
}
|
||||||
|
@ -93,7 +93,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
|
|
||||||
private static final String[] ALL_TEST_DATA_USERS = Array.of(
|
private static final String[] ALL_TEST_DATA_USERS = Array.of(
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
"mike@hostsharing.net", "sven@hostsharing.net",
|
"mike@example.org", "sven@example.org",
|
||||||
"customer-admin@xxx.example.com",
|
"customer-admin@xxx.example.com",
|
||||||
"pac-admin-xxx00@xxx.example.com", "pac-admin-xxx01@xxx.example.com", "pac-admin-xxx02@xxx.example.com",
|
"pac-admin-xxx00@xxx.example.com", "pac-admin-xxx01@xxx.example.com", "pac-admin-xxx02@xxx.example.com",
|
||||||
"customer-admin@yyy.example.com",
|
"customer-admin@yyy.example.com",
|
||||||
@ -104,9 +104,9 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
);
|
);
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void hostsharingAdmin_withoutAssumedRole_canViewAllRbacUsers() {
|
public void testGlobalAdmin_withoutAssumedRole_canViewAllRbacUsers() {
|
||||||
// given
|
// given
|
||||||
context("mike@hostsharing.net");
|
context("mike@example.org");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = rbacUserRepository.findByOptionalNameLike(null);
|
final var result = rbacUserRepository.findByOptionalNameLike(null);
|
||||||
@ -116,9 +116,9 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void hostsharingAdmin_withAssumedHostsharingAdminRole_canViewAllRbacUsers() {
|
public void testGlobalAdmin_withAssumedtestGlobalAdminRole_canViewAllRbacUsers() {
|
||||||
given:
|
given:
|
||||||
context("mike@hostsharing.net", "global#hostsharing.admin");
|
context("mike@example.org", "global#test-global.admin");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = rbacUserRepository.findByOptionalNameLike(null);
|
final var result = rbacUserRepository.findByOptionalNameLike(null);
|
||||||
@ -128,9 +128,9 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void hostsharingAdmin_withAssumedCustomerAdminRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() {
|
public void testGlobalAdmin_withAssumedCustomerAdminRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() {
|
||||||
given:
|
given:
|
||||||
context("mike@hostsharing.net", "customer#xxx.admin");
|
context("mike@example.org", "test_customer#xxx.admin");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = rbacUserRepository.findByOptionalNameLike(null);
|
final var result = rbacUserRepository.findByOptionalNameLike(null);
|
||||||
@ -161,7 +161,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyUsersHavingRolesInThatPackage() {
|
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyUsersHavingRolesInThatPackage() {
|
||||||
context("customer-admin@xxx.example.com", "package#xxx00.admin");
|
context("customer-admin@xxx.example.com", "test_package#xxx00.admin");
|
||||||
|
|
||||||
final var result = rbacUserRepository.findByOptionalNameLike(null);
|
final var result = rbacUserRepository.findByOptionalNameLike(null);
|
||||||
|
|
||||||
@ -184,59 +184,59 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
|
|
||||||
private static final String[] ALL_USER_PERMISSIONS = Array.of(
|
private static final String[] ALL_USER_PERMISSIONS = Array.of(
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
"global#hostsharing.admin -> global#hostsharing: add-customer",
|
"global#test-global.admin -> global#test-global: add-customer",
|
||||||
|
|
||||||
"customer#xxx.admin -> customer#xxx: add-package",
|
"test_customer#xxx.admin -> test_customer#xxx: add-package",
|
||||||
"customer#xxx.admin -> customer#xxx: view",
|
"test_customer#xxx.admin -> test_customer#xxx: view",
|
||||||
"customer#xxx.owner -> customer#xxx: *",
|
"test_customer#xxx.owner -> test_customer#xxx: *",
|
||||||
"customer#xxx.tenant -> customer#xxx: view",
|
"test_customer#xxx.tenant -> test_customer#xxx: view",
|
||||||
"package#xxx00.admin -> package#xxx00: add-domain",
|
"test_package#xxx00.admin -> test_package#xxx00: add-domain",
|
||||||
"package#xxx00.admin -> package#xxx00: add-unixuser",
|
"test_package#xxx00.admin -> test_package#xxx00: add-unixuser",
|
||||||
"package#xxx00.tenant -> package#xxx00: view",
|
"test_package#xxx00.tenant -> test_package#xxx00: view",
|
||||||
"package#xxx01.admin -> package#xxx01: add-domain",
|
"test_package#xxx01.admin -> test_package#xxx01: add-domain",
|
||||||
"package#xxx01.admin -> package#xxx01: add-unixuser",
|
"test_package#xxx01.admin -> test_package#xxx01: add-unixuser",
|
||||||
"package#xxx01.tenant -> package#xxx01: view",
|
"test_package#xxx01.tenant -> test_package#xxx01: view",
|
||||||
"package#xxx02.admin -> package#xxx02: add-domain",
|
"test_package#xxx02.admin -> test_package#xxx02: add-domain",
|
||||||
"package#xxx02.admin -> package#xxx02: add-unixuser",
|
"test_package#xxx02.admin -> test_package#xxx02: add-unixuser",
|
||||||
"package#xxx02.tenant -> package#xxx02: view",
|
"test_package#xxx02.tenant -> test_package#xxx02: view",
|
||||||
|
|
||||||
"customer#yyy.admin -> customer#yyy: add-package",
|
"test_customer#yyy.admin -> test_customer#yyy: add-package",
|
||||||
"customer#yyy.admin -> customer#yyy: view",
|
"test_customer#yyy.admin -> test_customer#yyy: view",
|
||||||
"customer#yyy.owner -> customer#yyy: *",
|
"test_customer#yyy.owner -> test_customer#yyy: *",
|
||||||
"customer#yyy.tenant -> customer#yyy: view",
|
"test_customer#yyy.tenant -> test_customer#yyy: view",
|
||||||
"package#yyy00.admin -> package#yyy00: add-domain",
|
"test_package#yyy00.admin -> test_package#yyy00: add-domain",
|
||||||
"package#yyy00.admin -> package#yyy00: add-unixuser",
|
"test_package#yyy00.admin -> test_package#yyy00: add-unixuser",
|
||||||
"package#yyy00.tenant -> package#yyy00: view",
|
"test_package#yyy00.tenant -> test_package#yyy00: view",
|
||||||
"package#yyy01.admin -> package#yyy01: add-domain",
|
"test_package#yyy01.admin -> test_package#yyy01: add-domain",
|
||||||
"package#yyy01.admin -> package#yyy01: add-unixuser",
|
"test_package#yyy01.admin -> test_package#yyy01: add-unixuser",
|
||||||
"package#yyy01.tenant -> package#yyy01: view",
|
"test_package#yyy01.tenant -> test_package#yyy01: view",
|
||||||
"package#yyy02.admin -> package#yyy02: add-domain",
|
"test_package#yyy02.admin -> test_package#yyy02: add-domain",
|
||||||
"package#yyy02.admin -> package#yyy02: add-unixuser",
|
"test_package#yyy02.admin -> test_package#yyy02: add-unixuser",
|
||||||
"package#yyy02.tenant -> package#yyy02: view",
|
"test_package#yyy02.tenant -> test_package#yyy02: view",
|
||||||
|
|
||||||
"customer#zzz.admin -> customer#zzz: add-package",
|
"test_customer#zzz.admin -> test_customer#zzz: add-package",
|
||||||
"customer#zzz.admin -> customer#zzz: view",
|
"test_customer#zzz.admin -> test_customer#zzz: view",
|
||||||
"customer#zzz.owner -> customer#zzz: *",
|
"test_customer#zzz.owner -> test_customer#zzz: *",
|
||||||
"customer#zzz.tenant -> customer#zzz: view",
|
"test_customer#zzz.tenant -> test_customer#zzz: view",
|
||||||
"package#zzz00.admin -> package#zzz00: add-domain",
|
"test_package#zzz00.admin -> test_package#zzz00: add-domain",
|
||||||
"package#zzz00.admin -> package#zzz00: add-unixuser",
|
"test_package#zzz00.admin -> test_package#zzz00: add-unixuser",
|
||||||
"package#zzz00.tenant -> package#zzz00: view",
|
"test_package#zzz00.tenant -> test_package#zzz00: view",
|
||||||
"package#zzz01.admin -> package#zzz01: add-domain",
|
"test_package#zzz01.admin -> test_package#zzz01: add-domain",
|
||||||
"package#zzz01.admin -> package#zzz01: add-unixuser",
|
"test_package#zzz01.admin -> test_package#zzz01: add-unixuser",
|
||||||
"package#zzz01.tenant -> package#zzz01: view",
|
"test_package#zzz01.tenant -> test_package#zzz01: view",
|
||||||
"package#zzz02.admin -> package#zzz02: add-domain",
|
"test_package#zzz02.admin -> test_package#zzz02: add-domain",
|
||||||
"package#zzz02.admin -> package#zzz02: add-unixuser",
|
"test_package#zzz02.admin -> test_package#zzz02: add-unixuser",
|
||||||
"package#zzz02.tenant -> package#zzz02: view"
|
"test_package#zzz02.tenant -> test_package#zzz02: view"
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
);
|
);
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void hostsharingAdmin_withoutAssumedRole_canViewTheirOwnPermissions() {
|
public void testGlobalAdmin_withoutAssumedRole_canViewTheirOwnPermissions() {
|
||||||
// given
|
// given
|
||||||
context("mike@hostsharing.net");
|
context("mike@example.org");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("mike@hostsharing.net"));
|
final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("mike@example.org"));
|
||||||
|
|
||||||
// then
|
// then
|
||||||
allTheseRbacPermissionsAreReturned(result, ALL_USER_PERMISSIONS);
|
allTheseRbacPermissionsAreReturned(result, ALL_USER_PERMISSIONS);
|
||||||
@ -254,32 +254,32 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
allTheseRbacPermissionsAreReturned(
|
allTheseRbacPermissionsAreReturned(
|
||||||
result,
|
result,
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
"customer#xxx.admin -> customer#xxx: add-package",
|
"test_customer#xxx.admin -> test_customer#xxx: add-package",
|
||||||
"customer#xxx.admin -> customer#xxx: view",
|
"test_customer#xxx.admin -> test_customer#xxx: view",
|
||||||
"customer#xxx.tenant -> customer#xxx: view",
|
"test_customer#xxx.tenant -> test_customer#xxx: view",
|
||||||
|
|
||||||
"package#xxx00.admin -> package#xxx00: add-domain",
|
"test_package#xxx00.admin -> test_package#xxx00: add-domain",
|
||||||
"package#xxx00.admin -> package#xxx00: add-unixuser",
|
"test_package#xxx00.admin -> test_package#xxx00: add-unixuser",
|
||||||
"package#xxx00.tenant -> package#xxx00: view",
|
"test_package#xxx00.tenant -> test_package#xxx00: view",
|
||||||
"unixuser#xxx00-aaaa.owner -> unixuser#xxx00-aaaa: *",
|
"test_unixuser#xxx00-aaaa.owner -> test_unixuser#xxx00-aaaa: *",
|
||||||
|
|
||||||
"package#xxx01.admin -> package#xxx01: add-domain",
|
"test_package#xxx01.admin -> test_package#xxx01: add-domain",
|
||||||
"package#xxx01.admin -> package#xxx01: add-unixuser",
|
"test_package#xxx01.admin -> test_package#xxx01: add-unixuser",
|
||||||
"package#xxx01.tenant -> package#xxx01: view",
|
"test_package#xxx01.tenant -> test_package#xxx01: view",
|
||||||
"unixuser#xxx01-aaaa.owner -> unixuser#xxx01-aaaa: *",
|
"test_unixuser#xxx01-aaaa.owner -> test_unixuser#xxx01-aaaa: *",
|
||||||
|
|
||||||
"package#xxx02.admin -> package#xxx02: add-domain",
|
"test_package#xxx02.admin -> test_package#xxx02: add-domain",
|
||||||
"package#xxx02.admin -> package#xxx02: add-unixuser",
|
"test_package#xxx02.admin -> test_package#xxx02: add-unixuser",
|
||||||
"package#xxx02.tenant -> package#xxx02: view",
|
"test_package#xxx02.tenant -> test_package#xxx02: view",
|
||||||
"unixuser#xxx02-aaaa.owner -> unixuser#xxx02-aaaa: *"
|
"test_unixuser#xxx02-aaaa.owner -> test_unixuser#xxx02-aaaa: *"
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
);
|
);
|
||||||
noneOfTheseRbacPermissionsAreReturned(
|
noneOfTheseRbacPermissionsAreReturned(
|
||||||
result,
|
result,
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
"customer#yyy.admin -> customer#yyy: add-package",
|
"test_customer#yyy.admin -> test_customer#yyy: add-package",
|
||||||
"customer#yyy.admin -> customer#yyy: view",
|
"test_customer#yyy.admin -> test_customer#yyy: view",
|
||||||
"customer#yyy.tenant -> customer#yyy: view"
|
"test_customer#yyy.tenant -> test_customer#yyy: view"
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
@ -288,7 +288,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
public void customerAdmin_withoutAssumedRole_isNotAllowedToViewGlobalAdminsPermissions() {
|
public void customerAdmin_withoutAssumedRole_isNotAllowedToViewGlobalAdminsPermissions() {
|
||||||
// given
|
// given
|
||||||
context("customer-admin@xxx.example.com");
|
context("customer-admin@xxx.example.com");
|
||||||
final UUID userUuid = userUUID("mike@hostsharing.net");
|
final UUID userUuid = userUUID("mike@example.org");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = attempt(em, () ->
|
final var result = attempt(em, () ->
|
||||||
@ -314,26 +314,26 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
allTheseRbacPermissionsAreReturned(
|
allTheseRbacPermissionsAreReturned(
|
||||||
result,
|
result,
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
"customer#xxx.tenant -> customer#xxx: view",
|
"test_customer#xxx.tenant -> test_customer#xxx: view",
|
||||||
// "customer#xxx.admin -> customer#xxx: view" - Not permissions through the customer admin!
|
// "test_customer#xxx.admin -> test_customer#xxx: view" - Not permissions through the customer admin!
|
||||||
"package#xxx00.admin -> package#xxx00: add-unixuser",
|
"test_package#xxx00.admin -> test_package#xxx00: add-unixuser",
|
||||||
"package#xxx00.admin -> package#xxx00: add-domain",
|
"test_package#xxx00.admin -> test_package#xxx00: add-domain",
|
||||||
"package#xxx00.tenant -> package#xxx00: view",
|
"test_package#xxx00.tenant -> test_package#xxx00: view",
|
||||||
"unixuser#xxx00-aaaa.owner -> unixuser#xxx00-aaaa: *",
|
"test_unixuser#xxx00-aaaa.owner -> test_unixuser#xxx00-aaaa: *",
|
||||||
"unixuser#xxx00-aaab.owner -> unixuser#xxx00-aaab: *"
|
"test_unixuser#xxx00-aaab.owner -> test_unixuser#xxx00-aaab: *"
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
);
|
);
|
||||||
noneOfTheseRbacPermissionsAreReturned(
|
noneOfTheseRbacPermissionsAreReturned(
|
||||||
result,
|
result,
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
"customer#yyy.admin -> customer#yyy: add-package",
|
"test_customer#yyy.admin -> test_customer#yyy: add-package",
|
||||||
"customer#yyy.admin -> customer#yyy: view",
|
"test_customer#yyy.admin -> test_customer#yyy: view",
|
||||||
"customer#yyy.tenant -> customer#yyy: view",
|
"test_customer#yyy.tenant -> test_customer#yyy: view",
|
||||||
"package#yyy00.admin -> package#yyy00: add-unixuser",
|
"test_package#yyy00.admin -> test_package#yyy00: add-unixuser",
|
||||||
"package#yyy00.admin -> package#yyy00: add-domain",
|
"test_package#yyy00.admin -> test_package#yyy00: add-domain",
|
||||||
"package#yyy00.tenant -> package#yyy00: view",
|
"test_package#yyy00.tenant -> test_package#yyy00: view",
|
||||||
"unixuser#yyy00-aaaa.owner -> unixuser#yyy00-aaaa: *",
|
"test_unixuser#yyy00-aaaa.owner -> test_unixuser#yyy00-aaaa: *",
|
||||||
"unixuser#yyy00-aaab.owner -> unixuser#yyy00-aaab: *"
|
"test_unixuser#yyy00-aaab.owner -> test_unixuser#yyy00-aaab: *"
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
@ -362,27 +362,27 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
allTheseRbacPermissionsAreReturned(
|
allTheseRbacPermissionsAreReturned(
|
||||||
result,
|
result,
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
"customer#xxx.tenant -> customer#xxx: view",
|
"test_customer#xxx.tenant -> test_customer#xxx: view",
|
||||||
// "customer#xxx.admin -> customer#xxx: view" - Not permissions through the customer admin!
|
// "test_customer#xxx.admin -> test_customer#xxx: view" - Not permissions through the customer admin!
|
||||||
"package#xxx00.admin -> package#xxx00: add-unixuser",
|
"test_package#xxx00.admin -> test_package#xxx00: add-unixuser",
|
||||||
"package#xxx00.admin -> package#xxx00: add-domain",
|
"test_package#xxx00.admin -> test_package#xxx00: add-domain",
|
||||||
"package#xxx00.tenant -> package#xxx00: view"
|
"test_package#xxx00.tenant -> test_package#xxx00: view"
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
);
|
);
|
||||||
noneOfTheseRbacPermissionsAreReturned(
|
noneOfTheseRbacPermissionsAreReturned(
|
||||||
result,
|
result,
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
// no customer admin permissions
|
// no customer admin permissions
|
||||||
"customer#xxx.admin -> customer#xxx: add-package",
|
"test_customer#xxx.admin -> test_customer#xxx: add-package",
|
||||||
// no permissions on other customer's objects
|
// no permissions on other customer's objects
|
||||||
"customer#yyy.admin -> customer#yyy: add-package",
|
"test_customer#yyy.admin -> test_customer#yyy: add-package",
|
||||||
"customer#yyy.admin -> customer#yyy: view",
|
"test_customer#yyy.admin -> test_customer#yyy: view",
|
||||||
"customer#yyy.tenant -> customer#yyy: view",
|
"test_customer#yyy.tenant -> test_customer#yyy: view",
|
||||||
"package#yyy00.admin -> package#yyy00: add-unixuser",
|
"test_package#yyy00.admin -> test_package#yyy00: add-unixuser",
|
||||||
"package#yyy00.admin -> package#yyy00: add-domain",
|
"test_package#yyy00.admin -> test_package#yyy00: add-domain",
|
||||||
"package#yyy00.tenant -> package#yyy00: view",
|
"test_package#yyy00.tenant -> test_package#yyy00: view",
|
||||||
"unixuser#yyy00-aaaa.owner -> unixuser#yyy00-aaaa: *",
|
"test_unixuser#yyy00-aaaa.owner -> test_unixuser#yyy00-aaaa: *",
|
||||||
"unixuser#yyy00-xxxb.owner -> unixuser#yyy00-xxxb: *"
|
"test_unixuser#yyy00-xxxb.owner -> test_unixuser#yyy00-xxxb: *"
|
||||||
// @formatter:on
|
// @formatter:on
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user