rbac.global
parent
55c4983509
commit
a583be71be
@ -74,7 +74,7 @@ public class HsBookingItemRbacEntity extends HsBookingItem {
|
|||||||
with.permission(SELECT);
|
with.permission(SELECT);
|
||||||
})
|
})
|
||||||
|
|
||||||
.limitDiagramTo("bookingItem", "project", "global");
|
.limitDiagramTo("bookingItem", "project", "rbac.global");
|
||||||
}
|
}
|
||||||
|
|
||||||
public static void main(String[] args) throws IOException {
|
public static void main(String[] args) throws IOException {
|
||||||
|
@ -105,7 +105,7 @@ public abstract class HsBookingProject implements Stringifyable, BaseEntity<HsBo
|
|||||||
with.permission(SELECT);
|
with.permission(SELECT);
|
||||||
})
|
})
|
||||||
|
|
||||||
.limitDiagramTo("project", "debitorRel", "global");
|
.limitDiagramTo("project", "debitorRel", "rbac.global");
|
||||||
}
|
}
|
||||||
|
|
||||||
public static void main(String[] args) throws IOException {
|
public static void main(String[] args) throws IOException {
|
||||||
|
@ -77,7 +77,7 @@ public class HsBookingProjectRbacEntity extends HsBookingProject {
|
|||||||
with.permission(SELECT);
|
with.permission(SELECT);
|
||||||
})
|
})
|
||||||
|
|
||||||
.limitDiagramTo("project", "debitorRel", "global");
|
.limitDiagramTo("project", "debitorRel", "rbac.global");
|
||||||
}
|
}
|
||||||
|
|
||||||
public static void main(String[] args) throws IOException {
|
public static void main(String[] args) throws IOException {
|
||||||
|
@ -106,7 +106,7 @@ public class HsHostingAssetRbacEntity extends HsHostingAsset {
|
|||||||
"parentAsset",
|
"parentAsset",
|
||||||
"assignedToAsset",
|
"assignedToAsset",
|
||||||
"alarmContact",
|
"alarmContact",
|
||||||
"global");
|
"rbac.global");
|
||||||
}
|
}
|
||||||
|
|
||||||
public static void main(String[] args) throws IOException {
|
public static void main(String[] args) throws IOException {
|
||||||
|
@ -152,7 +152,7 @@ public class InsertTriggerGenerator {
|
|||||||
begin
|
begin
|
||||||
raise exception '[403] insert into ${rawSubTable} values(%) not allowed regardless of current subject, no insert permissions granted at all', NEW;
|
raise exception '[403] insert into ${rawSubTable} values(%) not allowed regardless of current subject, no insert permissions granted at all', NEW;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create trigger ${rawSubTable}_insert_permission_check_tg
|
create trigger ${rawSubTable}_insert_permission_check_tg
|
||||||
before insert on ${rawSubTable}
|
before insert on ${rawSubTable}
|
||||||
for each row
|
for each row
|
||||||
@ -206,7 +206,7 @@ public class InsertTriggerGenerator {
|
|||||||
if (g.getSuperRoleDef().isGlobal(GUEST)) {
|
if (g.getSuperRoleDef().isGlobal(GUEST)) {
|
||||||
plPgSql.writeLn(
|
plPgSql.writeLn(
|
||||||
"""
|
"""
|
||||||
-- check INSERT INSERT permission for global anyone
|
-- check INSERT INSERT permission for rbac.global anyone
|
||||||
if ${caseCondition}true then
|
if ${caseCondition}true then
|
||||||
return NEW;
|
return NEW;
|
||||||
end if;
|
end if;
|
||||||
@ -215,8 +215,8 @@ public class InsertTriggerGenerator {
|
|||||||
} else if (g.getSuperRoleDef().isGlobal(ADMIN)) {
|
} else if (g.getSuperRoleDef().isGlobal(ADMIN)) {
|
||||||
plPgSql.writeLn(
|
plPgSql.writeLn(
|
||||||
"""
|
"""
|
||||||
-- check INSERT INSERT if global ADMIN
|
-- check INSERT INSERT if rbac.global ADMIN
|
||||||
if ${caseCondition}isGlobalAdmin() then
|
if ${caseCondition}rbac.isGlobalAdmin() then
|
||||||
return NEW;
|
return NEW;
|
||||||
end if;
|
end if;
|
||||||
""",
|
""",
|
||||||
|
@ -36,7 +36,7 @@ import static org.apache.commons.lang3.StringUtils.uncapitalize;
|
|||||||
// TODO.refa: rename to RbacDSL
|
// TODO.refa: rename to RbacDSL
|
||||||
public class RbacView {
|
public class RbacView {
|
||||||
|
|
||||||
public static final String GLOBAL = "global";
|
public static final String GLOBAL = "rbac.global";
|
||||||
public static final String OUTPUT_BASEDIR = "src/main/resources/db/changelog";
|
public static final String OUTPUT_BASEDIR = "src/main/resources/db/changelog";
|
||||||
|
|
||||||
private final EntityAlias rootEntityAlias;
|
private final EntityAlias rootEntityAlias;
|
||||||
@ -98,7 +98,7 @@ public class RbacView {
|
|||||||
rootEntityAlias = new EntityAlias(alias, entityClass);
|
rootEntityAlias = new EntityAlias(alias, entityClass);
|
||||||
entityAliases.put(alias, rootEntityAlias);
|
entityAliases.put(alias, rootEntityAlias);
|
||||||
new RbacSubjectReference(CREATOR);
|
new RbacSubjectReference(CREATOR);
|
||||||
entityAliases.put("global", new EntityAlias("global"));
|
entityAliases.put("rbac.global", new EntityAlias("rbac.global"));
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -922,7 +922,7 @@ public class RbacView {
|
|||||||
}
|
}
|
||||||
|
|
||||||
boolean isGlobal() {
|
boolean isGlobal() {
|
||||||
return aliasName().equals("global");
|
return aliasName().equals("rbac.global");
|
||||||
}
|
}
|
||||||
|
|
||||||
boolean isPlaceholder() {
|
boolean isPlaceholder() {
|
||||||
@ -961,8 +961,8 @@ public class RbacView {
|
|||||||
}
|
}
|
||||||
|
|
||||||
String getRawTableName() {
|
String getRawTableName() {
|
||||||
if ( aliasName.equals("global")) {
|
if ( aliasName.equals("rbac.global")) {
|
||||||
return "global"; // TODO: maybe we should introduce a GlobalEntity class?
|
return "rbac.global"; // TODO: maybe we should introduce a GlobalEntity class?
|
||||||
}
|
}
|
||||||
return withoutRvSuffix(entityClass.getAnnotation(Table.class).name());
|
return withoutRvSuffix(entityClass.getAnnotation(Table.class).name());
|
||||||
}
|
}
|
||||||
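Review bot: getRawTableName() hard-codes the string "rbac.global" twice on the new side, and the same literal is repeated in isGlobal(), map() and the alias-registration code of this class even though this commit introduces `public static final String GLOBAL = "rbac.global"` in RbacView; use the constant everywhere so the next rename is a one-line change, e.g. `if (aliasName.equals(GLOBAL)) { return GLOBAL; }`. The returned value now carries a schema prefix, so if it is ever spliced into generated identifier names rather than table references (the `${rawSubTable}_insert_permission_check_tg` pattern in InsertTriggerGenerator is one such template), the embedded dot yields an invalid PostgreSQL identifier for the global alias — I cannot see the consuming templates from here, so please verify. The enclosing class continues outside the hunk.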
@ -1166,7 +1166,7 @@ public class RbacView {
|
|||||||
}
|
}
|
||||||
|
|
||||||
String map(final String originalAliasName) {
|
String map(final String originalAliasName) {
|
||||||
if (outerAliasNames.contains(originalAliasName) || originalAliasName.equals("global")) {
|
if (outerAliasNames.contains(originalAliasName) || originalAliasName.equals("rbac.global")) {
|
||||||
return originalAliasName;
|
return originalAliasName;
|
||||||
}
|
}
|
||||||
if (originalAliasName.equals(importedRbacView.rootEntityAlias.aliasName)) {
|
if (originalAliasName.equals(importedRbacView.rootEntityAlias.aliasName)) {
|
||||||
|
@ -78,7 +78,7 @@ public class RbacGrantsDiagramService {
|
|||||||
if (!includes.contains(PERMISSIONS) && g.getDescendantIdName().startsWith("perm:")) {
|
if (!includes.contains(PERMISSIONS) && g.getDescendantIdName().startsWith("perm:")) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if ( !g.getDescendantIdName().startsWith("role:global")) {
|
if ( !g.getDescendantIdName().startsWith("role:rbac.global")) {
|
||||||
if (!includes.contains(TEST_ENTITIES) && g.getDescendantIdName().contains(":test_")) {
|
if (!includes.contains(TEST_ENTITIES) && g.getDescendantIdName().contains(":test_")) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
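Review bot: The new `"role:rbac.global"` prefix is another hand-written copy of the global object name that `RbacView.GLOBAL` now defines; building the filter as `"role:" + RbacView.GLOBAL` keeps the diagram service in step with the RBAC DSL if the name changes again, with no change in behaviour. The enclosing method starts and ends outside the hunk.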
@ -46,7 +46,7 @@ public class TestCustomerEntity implements BaseEntity<TestCustomerEntity> {
|
|||||||
.withIdentityView(SQL.projection("prefix"))
|
.withIdentityView(SQL.projection("prefix"))
|
||||||
.withRestrictedViewOrderBy(SQL.expression("reference"))
|
.withRestrictedViewOrderBy(SQL.expression("reference"))
|
||||||
.withUpdatableColumns("reference", "prefix", "adminUserName")
|
.withUpdatableColumns("reference", "prefix", "adminUserName")
|
||||||
.toRole("global", ADMIN).grantPermission(INSERT)
|
.toRole("rbac.global", ADMIN).grantPermission(INSERT)
|
||||||
|
|
||||||
.createRole(OWNER, (with) -> {
|
.createRole(OWNER, (with) -> {
|
||||||
with.owningUser(CREATOR).unassumed();
|
with.owningUser(CREATOR).unassumed();
|
||||||
|
@ -584,7 +584,7 @@ select exists(
|
|||||||
join RbacRole as r on r.uuid = g.descendantuuid
|
join RbacRole as r on r.uuid = g.descendantuuid
|
||||||
join rbac.object as o on o.uuid = r.objectuuid
|
join rbac.object as o on o.uuid = r.objectuuid
|
||||||
where g.ascendantuuid = forAscendantUuid
|
where g.ascendantuuid = forAscendantUuid
|
||||||
and o.objecttable = 'global'
|
and o.objecttable = 'rbac.global'
|
||||||
);
|
);
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
|
@ -57,7 +57,7 @@ begin
|
|||||||
|
|
||||||
objectUuidToAssume = findObjectUuidByIdName(objectTableToAssume, objectNameToAssume);
|
objectUuidToAssume = findObjectUuidByIdName(objectTableToAssume, objectNameToAssume);
|
||||||
if objectUuidToAssume is null then
|
if objectUuidToAssume is null then
|
||||||
raise exception '[401] object % cannot be found in table %', objectNameToAssume, objectTableToAssume;
|
raise exception '[401] object % cannot be found in table % (from roleNameParts=%)', objectNameToAssume, objectTableToAssume, roleNameParts;
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
select uuid
|
select uuid
|
||||||
|
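Review bot: The widened `[401]` message now echoes `roleNameParts` back to the caller in full; if that value is the raw assumed-role string taken from the request (the `basis.defineContext(..., 'rbac.global#global:ADMIN')` calls elsewhere in this commit suggest the format is caller-supplied), the exception text becomes a reflection of client input and a slightly richer probe for which object names exist in which tables. Prefer keeping the extra detail in a server-side `raise log`/`raise notice` and leaving the client-facing text as it was, or confirm that the API layer does not pass the raw exception message through to HTTP responses. A role whose object cannot be found looks more like a failed authorization than missing authentication, so `[403]` may be the better code, but I cannot see the status mapping from here. The enclosing function begins before this hunk.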
@ -5,7 +5,7 @@
|
|||||||
/*
|
/*
|
||||||
Creates a view which presents some statistics about the RBAC tables.
|
Creates a view which presents some statistics about the RBAC tables.
|
||||||
*/
|
*/
|
||||||
create view RbacStatisticsView as
|
create view rbac.statistics_v as
|
||||||
select no, to_char("count", '9 999 999 999') as "count", "table"
|
select no, to_char("count", '9 999 999 999') as "count", "table"
|
||||||
from (select 1 as no, count(*) as "count", 'login users' as "table"
|
from (select 1 as no, count(*) as "count", 'login users' as "table"
|
||||||
from rbac.subject
|
from rbac.subject
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
--liquibase formatted sql
|
--liquibase formatted sql
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset rbac-global-GLOBAL-OBJECT:1 endDelimiter:--//
|
--changeset rbac-global-OBJECT:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
/*
|
/*
|
||||||
The purpose of this table is provide root business objects
|
The purpose of this table is provide root business objects
|
||||||
@ -11,14 +11,14 @@
|
|||||||
In production databases, there is only a single row in this table,
|
In production databases, there is only a single row in this table,
|
||||||
in test stages, there can be one row for each test data realm.
|
in test stages, there can be one row for each test data realm.
|
||||||
*/
|
*/
|
||||||
create table Global
|
create table rbac.global
|
||||||
(
|
(
|
||||||
uuid uuid primary key references rbac.object (uuid) on delete cascade,
|
uuid uuid primary key references rbac.object (uuid) on delete cascade,
|
||||||
name varchar(63) unique
|
name varchar(63) unique
|
||||||
);
|
);
|
||||||
create unique index Global_Singleton on Global ((0));
|
create unique index Global_Singleton on rbac.global ((0));
|
||||||
|
|
||||||
grant select on global to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
|
grant select on rbac.global to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
@ -26,7 +26,7 @@ grant select on global to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
|
|||||||
--changeset rbac-global-IS-GLOBAL-ADMIN:1 endDelimiter:--//
|
--changeset rbac-global-IS-GLOBAL-ADMIN:1 endDelimiter:--//
|
||||||
-- ------------------------------------------------------------------
|
-- ------------------------------------------------------------------
|
||||||
|
|
||||||
create or replace function isGlobalAdmin()
|
create or replace function rbac.isGlobalAdmin()
|
||||||
returns boolean
|
returns boolean
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
@ -36,117 +36,117 @@ end; $$;
|
|||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset rbac-global-HAS-GLOBAL-PERMISSION:1 endDelimiter:--//
|
--changeset rbac-global-HAS-global-PERMISSION:1 endDelimiter:--//
|
||||||
-- ------------------------------------------------------------------
|
-- ------------------------------------------------------------------
|
||||||
|
|
||||||
create or replace function hasGlobalPermission(op RbacOp)
|
create or replace function rbac.hasGlobalPermission(op RbacOp)
|
||||||
returns boolean
|
returns boolean
|
||||||
language sql as
|
language sql as
|
||||||
$$
|
$$
|
||||||
-- TODO.perf: this could to be optimized
|
-- TODO.perf: this could to be optimized
|
||||||
select (select uuid from global) in
|
select (select uuid from rbac.global) in
|
||||||
(select queryAccessibleObjectUuidsOfSubjectIds(op, 'global', rbac.currentSubjectOrAssumedRolesUuids()));
|
(select queryAccessibleObjectUuidsOfSubjectIds(op, 'rbac.global', rbac.currentSubjectOrAssumedRolesUuids()));
|
||||||
$$;
|
$$;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset rbac-global-GLOBAL-IDENTITY-VIEW:1 endDelimiter:--//
|
--changeset rbac-global-IDENTITY-VIEW:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Creates a view to the global object table which maps the identifying name to the objectUuid.
|
Creates a view to the rbac.global object table which maps the identifying name to the objectUuid.
|
||||||
*/
|
*/
|
||||||
drop view if exists global_iv;
|
drop view if exists rbac.global_iv;
|
||||||
create or replace view global_iv as
|
create or replace view rbac.global_iv as
|
||||||
select target.uuid, target.name as idName
|
select target.uuid, target.name as idName
|
||||||
from global as target;
|
from rbac.global as target;
|
||||||
grant all privileges on global_iv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
|
grant all privileges on rbac.global_iv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Returns the objectUuid for a given identifying name (in this case the idName).
|
Returns the objectUuid for a given identifying name (in this case the idName).
|
||||||
*/
|
*/
|
||||||
create or replace function globalUuidByIdName(idName varchar)
|
create or replace function rbac.globalUuidByIdName(idName varchar)
|
||||||
returns uuid
|
returns uuid
|
||||||
language sql
|
language sql
|
||||||
strict as $$
|
strict as $$
|
||||||
select uuid from global_iv iv where iv.idName = globalUuidByIdName.idName;
|
select uuid from rbac.global_iv iv where iv.idName = globalUuidByIdName.idName;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Returns the identifying name for a given objectUuid (in this case the idName).
|
Returns the identifying name for a given objectUuid (in this case the idName).
|
||||||
*/
|
*/
|
||||||
create or replace function globalIdNameByUuid(uuid uuid)
|
create or replace function rbac.globalIdNameByUuid(uuid uuid)
|
||||||
returns varchar
|
returns varchar
|
||||||
language sql
|
language sql
|
||||||
strict as $$
|
strict as $$
|
||||||
select idName from global_iv iv where iv.uuid = globalIdNameByUuid.uuid;
|
select idName from rbac.global_iv iv where iv.uuid = globalIdNameByUuid.uuid;
|
||||||
$$;
|
$$;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
--liquibase formatted sql
|
--liquibase formatted sql
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset rbac-global-PSEUDO-OBJECT:1 endDelimiter:--//
|
--changeset rbac-rbac.Global-PSEUDO-OBJECT:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/**
|
/**
|
||||||
A single row to be referenced as a global object.
|
A single row to be referenced as a rbac.Global object.
|
||||||
*/
|
*/
|
||||||
begin transaction;
|
begin transaction;
|
||||||
call basis.defineContext('initializing table "global"', null, null, null);
|
call basis.defineContext('initializing table "rbac.global"', null, null, null);
|
||||||
insert
|
insert
|
||||||
into rbac.object (objecttable) values ('global');
|
into rbac.object (objecttable) values ('rbac.global');
|
||||||
insert
|
insert
|
||||||
into Global (uuid, name) values ((select uuid from rbac.object where objectTable = 'global'), 'global');
|
into rbac.global (uuid, name) values ((select uuid from rbac.object where objectTable = 'rbac.global'), 'global');
|
||||||
commit;
|
commit;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset rbac-global-ADMIN-ROLE:1 endDelimiter:--//
|
--changeset rbac-rbac.Global-ADMIN-ROLE:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
/*
|
/*
|
||||||
A global administrator role.
|
A rbac.Global administrator role.
|
||||||
*/
|
*/
|
||||||
create or replace function globalAdmin(assumed boolean = true)
|
create or replace function globalAdmin(assumed boolean = true)
|
||||||
returns RbacRoleDescriptor
|
returns RbacRoleDescriptor
|
||||||
returns null on null input
|
returns null on null input
|
||||||
stable -- leakproof
|
stable -- leakproof
|
||||||
language sql as $$
|
language sql as $$
|
||||||
select 'global', (select uuid from rbac.object where objectTable = 'global'), 'ADMIN'::RbacRoleType, assumed;
|
select 'rbac.global', (select uuid from rbac.object where objectTable = 'rbac.global'), 'ADMIN'::RbacRoleType, assumed;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
begin transaction;
|
begin transaction;
|
||||||
call basis.defineContext('creating role:global#global:ADMIN', null, null, null);
|
call basis.defineContext('creating role:rbac.global#global:ADMIN', null, null, null);
|
||||||
select createRole(globalAdmin());
|
select createRole(globalAdmin());
|
||||||
commit;
|
commit;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset rbac-global-GUEST-ROLE:1 endDelimiter:--//
|
--changeset rbac-rbac.Global-GUEST-ROLE:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
/*
|
/*
|
||||||
A global guest role.
|
A rbac.Global guest role.
|
||||||
*/
|
*/
|
||||||
create or replace function globalGuest(assumed boolean = true)
|
create or replace function globalGuest(assumed boolean = true)
|
||||||
returns RbacRoleDescriptor
|
returns RbacRoleDescriptor
|
||||||
returns null on null input
|
returns null on null input
|
||||||
stable -- leakproof
|
stable -- leakproof
|
||||||
language sql as $$
|
language sql as $$
|
||||||
select 'global', (select uuid from rbac.object where objectTable = 'global'), 'GUEST'::RbacRoleType, assumed;
|
select 'rbac.global', (select uuid from rbac.object where objectTable = 'rbac.global'), 'GUEST'::RbacRoleType, assumed;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
begin transaction;
|
begin transaction;
|
||||||
call basis.defineContext('creating role:global#global:guest', null, null, null);
|
call basis.defineContext('creating role:rbac.global#global:guest', null, null, null);
|
||||||
select createRole(globalGuest());
|
select createRole(globalGuest());
|
||||||
commit;
|
commit;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset rbac-global-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
|
--changeset rbac-GLOBAL-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
/*
|
/*
|
||||||
Create two users and assign both to the administrators role.
|
Create two users and assign both to the administrators role.
|
||||||
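Review bot: `grant all privileges on rbac.global_iv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};` gives the restricted role INSERT/UPDATE/DELETE on a view that is a plain single-table projection of rbac.global, while the base table only receives `grant select` earlier in this file; because PostgreSQL checks the underlying table against the view owner (the view is not created with security_invoker), such a view is auto-updatable and the grant lets the restricted user modify or delete the singleton global row the whole RBAC tree hangs off. The identity lookups only need `grant select on rbac.global_iv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};`. Separately, this hunk renames most changeset ids (e.g. `rbac-global-ADMIN-ROLE` to `rbac-rbac.Global-ADMIN-ROLE`, `rbac-global-TEST` to `rbac-GLOBAL-TEST`); Liquibase keys executed changesets by id, so on any database migrated in place these would run a second time and repeat the `insert into rbac.object` and `createRole(...)` statements — harmless only if the schema is always rebuilt from scratch, and the new ids mix the spellings `global`, `GLOBAL` and `rbac.Global`. Finally, `globalAdmin()` and `globalGuest()` stay unqualified while `rbac.isGlobalAdmin()` and `rbac.hasGlobalPermission()` are now schema-qualified; qualifying the role-descriptor functions as well removes the remaining search_path dependence from these authorization helpers.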
@ -168,7 +168,7 @@ $$;
|
|||||||
|
|
||||||
|
|
||||||
-- ============================================================================
|
-- ============================================================================
|
||||||
--changeset rbac-global-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
|
--changeset rbac-GLOBAL-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -32,12 +32,12 @@ end
|
|||||||
user:creator ==>|XX| role:customer:OWNER
|
user:creator ==>|XX| role:customer:OWNER
|
||||||
|
|
||||||
%% granting roles to roles
|
%% granting roles to roles
|
||||||
role:global:ADMIN ==>|XX| role:customer:OWNER
|
role:rbac.global:ADMIN ==>|XX| role:customer:OWNER
|
||||||
role:customer:OWNER ==> role:customer:ADMIN
|
role:customer:OWNER ==> role:customer:ADMIN
|
||||||
role:customer:ADMIN ==> role:customer:TENANT
|
role:customer:ADMIN ==> role:customer:TENANT
|
||||||
|
|
||||||
%% granting permissions to roles
|
%% granting permissions to roles
|
||||||
role:global:ADMIN ==> perm:customer:INSERT
|
role:rbac.global:ADMIN ==> perm:customer:INSERT
|
||||||
role:customer:OWNER ==> perm:customer:DELETE
|
role:customer:OWNER ==> perm:customer:DELETE
|
||||||
role:customer:ADMIN ==> perm:customer:UPDATE
|
role:customer:ADMIN ==> perm:customer:UPDATE
|
||||||
role:customer:TENANT ==> perm:customer:SELECT
|
role:customer:TENANT ==> perm:customer:SELECT
|
||||||
|
@ -80,18 +80,18 @@ execute procedure insertTriggerForTestCustomer_tf();
|
|||||||
--changeset test-customer-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
--changeset test-customer-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
-- granting INSERT permission to global ----------------------------
|
-- granting INSERT permission to rbac.global ----------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Grants INSERT INTO test_customer permissions to specified role of pre-existing global rows.
|
Grants INSERT INTO test_customer permissions to specified role of pre-existing rbac.global rows.
|
||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row global;
|
row rbac.global%ROWTYPE;
|
||||||
begin
|
begin
|
||||||
call basis.defineContext('create INSERT INTO test_customer permissions for pre-exising global rows');
|
call basis.defineContext('create INSERT INTO test_customer permissions for pre-exising rbac.global rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM global
|
FOR row IN SELECT * FROM rbac.global
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
@ -102,7 +102,7 @@ do language plpgsql $$
|
|||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Grants test_customer INSERT permission to specified role of new global rows.
|
Grants test_customer INSERT permission to specified role of new rbac.global rows.
|
||||||
*/
|
*/
|
||||||
create or replace function new_test_customer_grants_insert_to_global_tf()
|
create or replace function new_test_customer_grants_insert_to_global_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
@ -119,7 +119,7 @@ end; $$;
|
|||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_new_test_customer_grants_insert_to_global_tg
|
create trigger z_new_test_customer_grants_insert_to_global_tg
|
||||||
after insert on global
|
after insert on rbac.global
|
||||||
for each row
|
for each row
|
||||||
execute procedure new_test_customer_grants_insert_to_global_tf();
|
execute procedure new_test_customer_grants_insert_to_global_tf();
|
||||||
|
|
||||||
@ -137,8 +137,8 @@ create or replace function test_customer_insert_permission_check_tf()
|
|||||||
declare
|
declare
|
||||||
superObjectUuid uuid;
|
superObjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
-- check INSERT INSERT if global ADMIN
|
-- check INSERT INSERT if rbac.global ADMIN
|
||||||
if isGlobalAdmin() then
|
if rbac.isGlobalAdmin() then
|
||||||
return NEW;
|
return NEW;
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
|
@ -72,7 +72,7 @@ end; $$;
|
|||||||
|
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
begin
|
begin
|
||||||
call basis.defineContext('creating RBAC test customer', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
call basis.defineContext('creating RBAC test customer', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
|
||||||
|
|
||||||
call createTestCustomerTestData(99901, 'xxx');
|
call createTestCustomerTestData(99901, 'xxx');
|
||||||
call createTestCustomerTestData(99902, 'yyy');
|
call createTestCustomerTestData(99902, 'yyy');
|
||||||
|
@ -42,7 +42,7 @@ subgraph package["`**package**`"]
|
|||||||
end
|
end
|
||||||
|
|
||||||
%% granting roles to roles
|
%% granting roles to roles
|
||||||
role:global:ADMIN -.->|XX| role:customer:OWNER
|
role:rbac.global:ADMIN -.->|XX| role:customer:OWNER
|
||||||
role:customer:OWNER -.-> role:customer:ADMIN
|
role:customer:OWNER -.-> role:customer:ADMIN
|
||||||
role:customer:ADMIN -.-> role:customer:TENANT
|
role:customer:ADMIN -.-> role:customer:TENANT
|
||||||
role:customer:ADMIN ==> role:package:OWNER
|
role:customer:ADMIN ==> role:package:OWNER
|
||||||
|
@ -54,7 +54,7 @@ subgraph package.customer["`**package.customer**`"]
|
|||||||
end
|
end
|
||||||
|
|
||||||
%% granting roles to roles
|
%% granting roles to roles
|
||||||
role:global:ADMIN -.->|XX| role:package.customer:OWNER
|
role:rbac.global:ADMIN -.->|XX| role:package.customer:OWNER
|
||||||
role:package.customer:OWNER -.-> role:package.customer:ADMIN
|
role:package.customer:OWNER -.-> role:package.customer:ADMIN
|
||||||
role:package.customer:ADMIN -.-> role:package.customer:TENANT
|
role:package.customer:ADMIN -.-> role:package.customer:TENANT
|
||||||
role:package.customer:ADMIN -.-> role:package:OWNER
|
role:package.customer:ADMIN -.-> role:package:OWNER
|
||||||
|
@ -32,7 +32,7 @@ end
|
|||||||
user:creator ==> role:contact:OWNER
|
user:creator ==> role:contact:OWNER
|
||||||
|
|
||||||
%% granting roles to roles
|
%% granting roles to roles
|
||||||
role:global:ADMIN ==> role:contact:OWNER
|
role:rbac.global:ADMIN ==> role:contact:OWNER
|
||||||
role:contact:OWNER ==> role:contact:ADMIN
|
role:contact:OWNER ==> role:contact:ADMIN
|
||||||
role:contact:ADMIN ==> role:contact:REFERRER
|
role:contact:ADMIN ==> role:contact:REFERRER
|
||||||
|
|
||||||
@ -40,6 +40,6 @@ role:contact:ADMIN ==> role:contact:REFERRER
|
|||||||
role:contact:OWNER ==> perm:contact:DELETE
|
role:contact:OWNER ==> perm:contact:DELETE
|
||||||
role:contact:ADMIN ==> perm:contact:UPDATE
|
role:contact:ADMIN ==> perm:contact:UPDATE
|
||||||
role:contact:REFERRER ==> perm:contact:SELECT
|
role:contact:REFERRER ==> perm:contact:SELECT
|
||||||
role:global:GUEST ==> perm:contact:INSERT
|
role:rbac.global:GUEST ==> perm:contact:INSERT
|
||||||
|
|
||||||
```
|
```
|
||||||
|
@ -32,12 +32,12 @@ end
|
|||||||
user:creator ==> role:person:OWNER
|
user:creator ==> role:person:OWNER
|
||||||
|
|
||||||
%% granting roles to roles
|
%% granting roles to roles
|
||||||
role:global:ADMIN ==> role:person:OWNER
|
role:rbac.global:ADMIN ==> role:person:OWNER
|
||||||
role:person:OWNER ==> role:person:ADMIN
|
role:person:OWNER ==> role:person:ADMIN
|
||||||
role:person:ADMIN ==> role:person:REFERRER
|
role:person:ADMIN ==> role:person:REFERRER
|
||||||
|
|
||||||
%% granting permissions to roles
|
%% granting permissions to roles
|
||||||
role:global:GUEST ==> perm:person:INSERT
|
role:rbac.global:GUEST ==> perm:person:INSERT
|
||||||
role:person:OWNER ==> perm:person:DELETE
|
role:person:OWNER ==> perm:person:DELETE
|
||||||
role:person:ADMIN ==> perm:person:UPDATE
|
role:person:ADMIN ==> perm:person:UPDATE
|
||||||
role:person:REFERRER ==> perm:person:SELECT
|
role:person:REFERRER ==> perm:person:SELECT
|
||||||
|
@ -72,16 +72,16 @@ end
|
|||||||
user:creator ==> role:relation:OWNER
|
user:creator ==> role:relation:OWNER
|
||||||
|
|
||||||
%% granting roles to roles
|
%% granting roles to roles
|
||||||
role:global:ADMIN -.-> role:anchorPerson:OWNER
|
role:rbac.global:ADMIN -.-> role:anchorPerson:OWNER
|
||||||
role:anchorPerson:OWNER -.-> role:anchorPerson:ADMIN
|
role:anchorPerson:OWNER -.-> role:anchorPerson:ADMIN
|
||||||
role:anchorPerson:ADMIN -.-> role:anchorPerson:REFERRER
|
role:anchorPerson:ADMIN -.-> role:anchorPerson:REFERRER
|
||||||
role:global:ADMIN -.-> role:holderPerson:OWNER
|
role:rbac.global:ADMIN -.-> role:holderPerson:OWNER
|
||||||
role:holderPerson:OWNER -.-> role:holderPerson:ADMIN
|
role:holderPerson:OWNER -.-> role:holderPerson:ADMIN
|
||||||
role:holderPerson:ADMIN -.-> role:holderPerson:REFERRER
|
role:holderPerson:ADMIN -.-> role:holderPerson:REFERRER
|
||||||
role:global:ADMIN -.-> role:contact:OWNER
|
role:rbac.global:ADMIN -.-> role:contact:OWNER
|
||||||
role:contact:OWNER -.-> role:contact:ADMIN
|
role:contact:OWNER -.-> role:contact:ADMIN
|
||||||
role:contact:ADMIN -.-> role:contact:REFERRER
|
role:contact:ADMIN -.-> role:contact:REFERRER
|
||||||
role:global:ADMIN ==> role:relation:OWNER
|
role:rbac.global:ADMIN ==> role:relation:OWNER
|
||||||
role:holderPerson:ADMIN ==> role:relation:OWNER
|
role:holderPerson:ADMIN ==> role:relation:OWNER
|
||||||
role:relation:OWNER ==> role:relation:ADMIN
|
role:relation:OWNER ==> role:relation:ADMIN
|
||||||
role:relation:ADMIN ==> role:anchorPerson:OWNER
|
role:relation:ADMIN ==> role:anchorPerson:OWNER
|
||||||
|
@ -72,16 +72,16 @@ end
|
|||||||
user:creator ==> role:relation:OWNER
|
user:creator ==> role:relation:OWNER
|
||||||
|
|
||||||
%% granting roles to roles
|
%% granting roles to roles
|
||||||
role:global:ADMIN -.-> role:anchorPerson:OWNER
|
role:rbac.global:ADMIN -.-> role:anchorPerson:OWNER
|
||||||
role:anchorPerson:OWNER -.-> role:anchorPerson:ADMIN
|
role:anchorPerson:OWNER -.-> role:anchorPerson:ADMIN
|
||||||
role:anchorPerson:ADMIN -.-> role:anchorPerson:REFERRER
|
role:anchorPerson:ADMIN -.-> role:anchorPerson:REFERRER
|
||||||
role:global:ADMIN -.-> role:holderPerson:OWNER
|
role:rbac.global:ADMIN -.-> role:holderPerson:OWNER
|
||||||
role:holderPerson:OWNER -.-> role:holderPerson:ADMIN
|
role:holderPerson:OWNER -.-> role:holderPerson:ADMIN
|
||||||
role:holderPerson:ADMIN -.-> role:holderPerson:REFERRER
|
role:holderPerson:ADMIN -.-> role:holderPerson:REFERRER
|
||||||
role:global:ADMIN -.-> role:contact:OWNER
|
role:rbac.global:ADMIN -.-> role:contact:OWNER
|
||||||
role:contact:OWNER -.-> role:contact:ADMIN
|
role:contact:OWNER -.-> role:contact:ADMIN
|
||||||
role:contact:ADMIN -.-> role:contact:REFERRER
|
role:contact:ADMIN -.-> role:contact:REFERRER
|
||||||
role:global:ADMIN ==> role:relation:OWNER
|
role:rbac.global:ADMIN ==> role:relation:OWNER
|
||||||
role:relation:OWNER ==> role:relation:ADMIN
|
role:relation:OWNER ==> role:relation:ADMIN
|
||||||
role:relation:ADMIN ==> role:relation:AGENT
|
role:relation:ADMIN ==> role:relation:AGENT
|
||||||
role:relation:AGENT ==> role:relation:TENANT
|
role:relation:AGENT ==> role:relation:TENANT
|
||||||
|
@ -85,7 +85,7 @@ end; $$;
|
|||||||
|
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
begin
|
begin
|
||||||
call basis.defineContext('creating relation test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
call basis.defineContext('creating relation test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
|
||||||
|
|
||||||
call createHsOfficeRelationTestData('First GmbH', 'PARTNER', 'Hostsharing eG', 'first contact');
|
call createHsOfficeRelationTestData('First GmbH', 'PARTNER', 'Hostsharing eG', 'first contact');
|
||||||
call createHsOfficeRelationTestData('Firby', 'REPRESENTATIVE', 'First GmbH', 'first contact');
|
call createHsOfficeRelationTestData('Firby', 'REPRESENTATIVE', 'First GmbH', 'first contact');
|
||||||
|
@ -87,16 +87,16 @@ subgraph partnerRel.holderPerson["`**partnerRel.holderPerson**`"]
|
|||||||
end
|
end
|
||||||
|
|
||||||
%% granting roles to roles
|
%% granting roles to roles
|
||||||
role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
|
role:rbac.global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
|
||||||
role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
|
role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
|
||||||
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
|
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
|
||||||
role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
|
role:rbac.global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
|
||||||
role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
|
role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
|
||||||
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
|
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
|
||||||
role:global:ADMIN -.-> role:partnerRel.contact:OWNER
|
role:rbac.global:ADMIN -.-> role:partnerRel.contact:OWNER
|
||||||
role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
|
role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
|
||||||
role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
|
role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
|
||||||
role:global:ADMIN -.-> role:partnerRel:OWNER
|
role:rbac.global:ADMIN -.-> role:partnerRel:OWNER
|
||||||
role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
|
role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
|
||||||
role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
|
role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
|
||||||
role:partnerRel:AGENT -.-> role:partnerRel:TENANT
|
role:partnerRel:AGENT -.-> role:partnerRel:TENANT
|
||||||
@ -108,7 +108,7 @@ role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:OWNER
|
|||||||
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
|
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
|
||||||
|
|
||||||
%% granting permissions to roles
|
%% granting permissions to roles
|
||||||
role:global:ADMIN ==> perm:partner:INSERT
|
role:rbac.global:ADMIN ==> perm:partner:INSERT
|
||||||
role:partnerRel:OWNER ==> perm:partner:DELETE
|
role:partnerRel:OWNER ==> perm:partner:DELETE
|
||||||
role:partnerRel:ADMIN ==> perm:partner:UPDATE
|
role:partnerRel:ADMIN ==> perm:partner:UPDATE
|
||||||
role:partnerRel:TENANT ==> perm:partner:SELECT
|
role:partnerRel:TENANT ==> perm:partner:SELECT
|
||||||
|
@ -157,18 +157,18 @@ execute procedure updateTriggerForHsOfficePartner_tf();
|
|||||||
--changeset hs-office-partner-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
--changeset hs-office-partner-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
-- granting INSERT permission to global ----------------------------
|
-- granting INSERT permission to rbac.global ----------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Grants INSERT INTO hs_office_partner permissions to specified role of pre-existing global rows.
|
Grants INSERT INTO hs_office_partner permissions to specified role of pre-existing rbac.global rows.
|
||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row global;
|
row rbac.global%ROWTYPE;
|
||||||
begin
|
begin
|
||||||
call basis.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising global rows');
|
call basis.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising rbac.Global rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM global
|
FOR row IN SELECT * FROM rbac.global
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
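Review bot: The `basis.defineContext(...)` description rewritten in this hunk keeps the old typo and introduces a second spelling of the schema object, `pre-exising rbac.Global rows`, while the comment and the `FROM rbac.global` query a few lines away use `rbac.global`. If this description is what the RBAC layer records as the current task (not visible here), one consistent spelling makes the grants made by this block easier to find later; suggest `call basis.defineContext('create INSERT INTO hs_office_partner permissions for pre-existing rbac.global rows');`. The loop body, `call grantPermissionToRole(`, continues past the hunk, so the arguments of the grant itself cannot be reviewed from here.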
@ -179,7 +179,7 @@ do language plpgsql $$
|
|||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Grants hs_office_partner INSERT permission to specified role of new global rows.
|
Grants hs_office_partner INSERT permission to specified role of new rbac.global rows.
|
||||||
*/
|
*/
|
||||||
create or replace function new_hs_office_partner_grants_insert_to_global_tf()
|
create or replace function new_hs_office_partner_grants_insert_to_global_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
@ -196,7 +196,7 @@ end; $$;
|
|||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_new_hs_office_partner_grants_insert_to_global_tg
|
create trigger z_new_hs_office_partner_grants_insert_to_global_tg
|
||||||
after insert on global
|
after insert on rbac.global
|
||||||
for each row
|
for each row
|
||||||
execute procedure new_hs_office_partner_grants_insert_to_global_tf();
|
execute procedure new_hs_office_partner_grants_insert_to_global_tf();
|
||||||
|
|
||||||
@ -214,8 +214,8 @@ create or replace function hs_office_partner_insert_permission_check_tf()
|
|||||||
declare
|
declare
|
||||||
superObjectUuid uuid;
|
superObjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
-- check INSERT INSERT if global ADMIN
|
-- check INSERT INSERT if rbac.global ADMIN
|
||||||
if isGlobalAdmin() then
|
if rbac.isGlobalAdmin() then
|
||||||
return NEW;
|
return NEW;
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
|
@ -18,6 +18,6 @@ subgraph partnerDetails["`**partnerDetails**`"]
|
|||||||
end
|
end
|
||||||
|
|
||||||
%% granting permissions to roles
|
%% granting permissions to roles
|
||||||
role:global:ADMIN ==> perm:partnerDetails:INSERT
|
role:rbac.global:ADMIN ==> perm:partnerDetails:INSERT
|
||||||
|
|
||||||
```
|
```
|
||||||
|
@ -61,25 +61,25 @@ execute procedure insertTriggerForHsOfficePartnerDetails_tf();
|
|||||||
--changeset hs-office-partner-details-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
--changeset hs-office-partner-details-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
-- granting INSERT permission to global ----------------------------
|
-- granting INSERT permission to rbac.global ----------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Grants INSERT INTO hs_office_partner_details permissions to specified role of pre-existing global rows.
|
Grants INSERT INTO hs_office_partner_details permissions to specified role of pre-existing rbac.global rows.
|
||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row global;
|
row rbac.global;
|
||||||
begin
|
begin
|
||||||
call basis.defineContext('create INSERT INTO hs_office_partner_details permissions for pre-exising global rows');
|
call basis.defineContext('create INSERT INTO hs_office_partner_details permissions for pre-exising global rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM global
|
FOR row IN SELECT * FROM rbac.global
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
|
createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
|
||||||
globalADMIN());
|
globalADMIN());
|
||||||
END LOOP;
|
END LOOP;
|
||||||
end;
|
end;
|
||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
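Review bot: The helpers this block calls — `createPermission(...)`, `grantPermissionToRole(...)` and `globalADMIN()` — are left unqualified while the same commit qualifies `rbac.isGlobalAdmin()` and `rbac.global`; if those helpers moved into the `rbac` schema as well (not visible here), the loop that mints INSERT grants for the global ADMIN role now depends on the migration runner's `search_path`, so either qualify them or pin `search_path` in the changeset. Two smaller inconsistencies in the same `do` block: `row rbac.global;` diverges from the `row rbac.global%ROWTYPE;` form used for the partner, debitor and membership changesets in this commit (both name the table's composite type, but the split looks unintended), and the `defineContext` description still reads `pre-exising global rows` although the query below it was renamed. Suggested lines: `row rbac.global%ROWTYPE;` and `call basis.defineContext('create INSERT INTO hs_office_partner_details permissions for pre-existing rbac.global rows');`.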
@ -100,7 +100,7 @@ end; $$;
|
|||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_new_hs_office_partner_details_grants_insert_to_global_tg
|
create trigger z_new_hs_office_partner_details_grants_insert_to_global_tg
|
||||||
after insert on global
|
after insert on rbac.global
|
||||||
for each row
|
for each row
|
||||||
execute procedure new_hs_office_partner_details_grants_insert_to_global_tf();
|
execute procedure new_hs_office_partner_details_grants_insert_to_global_tf();
|
||||||
|
|
||||||
@ -118,8 +118,8 @@ create or replace function hs_office_partner_details_insert_permission_check_tf(
|
|||||||
declare
|
declare
|
||||||
superObjectUuid uuid;
|
superObjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
-- check INSERT INSERT if global ADMIN
|
-- check INSERT INSERT if rbac.Global ADMIN
|
||||||
if isGlobalAdmin() then
|
if rbac.isGlobalAdmin() then
|
||||||
return NEW;
|
return NEW;
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
|
@ -71,7 +71,7 @@ end; $$;
|
|||||||
|
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
begin
|
begin
|
||||||
call basis.defineContext('creating partner test-data ', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
call basis.defineContext('creating partner test-data ', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
|
||||||
|
|
||||||
call createHsOfficePartnerTestData('Hostsharing eG', 10001, 'First GmbH', 'first contact');
|
call createHsOfficePartnerTestData('Hostsharing eG', 10001, 'First GmbH', 'first contact');
|
||||||
call createHsOfficePartnerTestData('Hostsharing eG', 10002, 'Second e.K.', 'second contact');
|
call createHsOfficePartnerTestData('Hostsharing eG', 10002, 'Second e.K.', 'second contact');
|
||||||
|
@ -32,12 +32,12 @@ end
|
|||||||
user:creator ==> role:bankAccount:OWNER
|
user:creator ==> role:bankAccount:OWNER
|
||||||
|
|
||||||
%% granting roles to roles
|
%% granting roles to roles
|
||||||
role:global:ADMIN ==> role:bankAccount:OWNER
|
role:rbac.global:ADMIN ==> role:bankAccount:OWNER
|
||||||
role:bankAccount:OWNER ==> role:bankAccount:ADMIN
|
role:bankAccount:OWNER ==> role:bankAccount:ADMIN
|
||||||
role:bankAccount:ADMIN ==> role:bankAccount:REFERRER
|
role:bankAccount:ADMIN ==> role:bankAccount:REFERRER
|
||||||
|
|
||||||
%% granting permissions to roles
|
%% granting permissions to roles
|
||||||
role:global:GUEST ==> perm:bankAccount:INSERT
|
role:rbac.global:GUEST ==> perm:bankAccount:INSERT
|
||||||
role:bankAccount:OWNER ==> perm:bankAccount:DELETE
|
role:bankAccount:OWNER ==> perm:bankAccount:DELETE
|
||||||
role:bankAccount:ADMIN ==> perm:bankAccount:UPDATE
|
role:bankAccount:ADMIN ==> perm:bankAccount:UPDATE
|
||||||
role:bankAccount:REFERRER ==> perm:bankAccount:SELECT
|
role:bankAccount:REFERRER ==> perm:bankAccount:SELECT
|
||||||
|
@ -140,16 +140,16 @@ subgraph refundBankAccount["`**refundBankAccount**`"]
|
|||||||
end
|
end
|
||||||
|
|
||||||
%% granting roles to roles
|
%% granting roles to roles
|
||||||
role:global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
|
role:rbac.global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
|
||||||
role:debitorRel.anchorPerson:OWNER -.-> role:debitorRel.anchorPerson:ADMIN
|
role:debitorRel.anchorPerson:OWNER -.-> role:debitorRel.anchorPerson:ADMIN
|
||||||
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel.anchorPerson:REFERRER
|
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel.anchorPerson:REFERRER
|
||||||
role:global:ADMIN -.-> role:debitorRel.holderPerson:OWNER
|
role:rbac.global:ADMIN -.-> role:debitorRel.holderPerson:OWNER
|
||||||
role:debitorRel.holderPerson:OWNER -.-> role:debitorRel.holderPerson:ADMIN
|
role:debitorRel.holderPerson:OWNER -.-> role:debitorRel.holderPerson:ADMIN
|
||||||
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER
|
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER
|
||||||
role:global:ADMIN -.-> role:debitorRel.contact:OWNER
|
role:rbac.global:ADMIN -.-> role:debitorRel.contact:OWNER
|
||||||
role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
|
role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
|
||||||
role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
|
role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
|
||||||
role:global:ADMIN -.-> role:debitorRel:OWNER
|
role:rbac.global:ADMIN -.-> role:debitorRel:OWNER
|
||||||
role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
|
role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
|
||||||
role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
|
role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
|
||||||
role:debitorRel:AGENT -.-> role:debitorRel:TENANT
|
role:debitorRel:AGENT -.-> role:debitorRel:TENANT
|
||||||
@ -159,21 +159,21 @@ role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
|
|||||||
role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER
|
role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER
|
||||||
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:OWNER
|
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:OWNER
|
||||||
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
|
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
|
||||||
role:global:ADMIN -.-> role:refundBankAccount:OWNER
|
role:rbac.global:ADMIN -.-> role:refundBankAccount:OWNER
|
||||||
role:refundBankAccount:OWNER -.-> role:refundBankAccount:ADMIN
|
role:refundBankAccount:OWNER -.-> role:refundBankAccount:ADMIN
|
||||||
role:refundBankAccount:ADMIN -.-> role:refundBankAccount:REFERRER
|
role:refundBankAccount:ADMIN -.-> role:refundBankAccount:REFERRER
|
||||||
role:refundBankAccount:ADMIN ==> role:debitorRel:AGENT
|
role:refundBankAccount:ADMIN ==> role:debitorRel:AGENT
|
||||||
role:debitorRel:AGENT ==> role:refundBankAccount:REFERRER
|
role:debitorRel:AGENT ==> role:refundBankAccount:REFERRER
|
||||||
role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
|
role:rbac.global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
|
||||||
role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
|
role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
|
||||||
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
|
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
|
||||||
role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
|
role:rbac.global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
|
||||||
role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
|
role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
|
||||||
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
|
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
|
||||||
role:global:ADMIN -.-> role:partnerRel.contact:OWNER
|
role:rbac.global:ADMIN -.-> role:partnerRel.contact:OWNER
|
||||||
role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
|
role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
|
||||||
role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
|
role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
|
||||||
role:global:ADMIN -.-> role:partnerRel:OWNER
|
role:rbac.global:ADMIN -.-> role:partnerRel:OWNER
|
||||||
role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
|
role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
|
||||||
role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
|
role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
|
||||||
role:partnerRel:AGENT -.-> role:partnerRel:TENANT
|
role:partnerRel:AGENT -.-> role:partnerRel:TENANT
|
||||||
@ -188,7 +188,7 @@ role:partnerRel:AGENT ==> role:debitorRel:AGENT
|
|||||||
role:debitorRel:AGENT ==> role:partnerRel:TENANT
|
role:debitorRel:AGENT ==> role:partnerRel:TENANT
|
||||||
|
|
||||||
%% granting permissions to roles
|
%% granting permissions to roles
|
||||||
role:global:ADMIN ==> perm:debitor:INSERT
|
role:rbac.global:ADMIN ==> perm:debitor:INSERT
|
||||||
role:debitorRel:OWNER ==> perm:debitor:DELETE
|
role:debitorRel:OWNER ==> perm:debitor:DELETE
|
||||||
role:debitorRel:ADMIN ==> perm:debitor:UPDATE
|
role:debitorRel:ADMIN ==> perm:debitor:UPDATE
|
||||||
role:debitorRel:TENANT ==> perm:debitor:SELECT
|
role:debitorRel:TENANT ==> perm:debitor:SELECT
|
||||||
|
@ -130,18 +130,18 @@ execute procedure updateTriggerForHsOfficeDebitor_tf();
|
|||||||
--changeset hs-office-debitor-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
--changeset hs-office-debitor-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
-- granting INSERT permission to global ----------------------------
|
-- granting INSERT permission to rbac.Global ----------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Grants INSERT INTO hs_office_debitor permissions to specified role of pre-existing global rows.
|
Grants INSERT INTO hs_office_debitor permissions to specified role of pre-existing rbac.global rows.
|
||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row global;
|
row rbac.global%ROWTYPE;
|
||||||
begin
|
begin
|
||||||
call basis.defineContext('create INSERT INTO hs_office_debitor permissions for pre-exising global rows');
|
call basis.defineContext('create INSERT INTO hs_office_debitor permissions for pre-exising rbac.Global rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM global
|
FOR row IN SELECT * FROM rbac.global
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
@ -152,7 +152,7 @@ do language plpgsql $$
|
|||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Grants hs_office_debitor INSERT permission to specified role of new global rows.
|
Grants hs_office_debitor INSERT permission to specified role of new rbac.global rows.
|
||||||
*/
|
*/
|
||||||
create or replace function new_hs_office_debitor_grants_insert_to_global_tf()
|
create or replace function new_hs_office_debitor_grants_insert_to_global_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
@ -169,7 +169,7 @@ end; $$;
|
|||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_new_hs_office_debitor_grants_insert_to_global_tg
|
create trigger z_new_hs_office_debitor_grants_insert_to_global_tg
|
||||||
after insert on global
|
after insert on rbac.global
|
||||||
for each row
|
for each row
|
||||||
execute procedure new_hs_office_debitor_grants_insert_to_global_tf();
|
execute procedure new_hs_office_debitor_grants_insert_to_global_tf();
|
||||||
|
|
||||||
@ -187,8 +187,8 @@ create or replace function hs_office_debitor_insert_permission_check_tf()
|
|||||||
declare
|
declare
|
||||||
superObjectUuid uuid;
|
superObjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
-- check INSERT INSERT if global ADMIN
|
-- check INSERT INSERT if rbac.global ADMIN
|
||||||
if isGlobalAdmin() then
|
if rbac.isGlobalAdmin() then
|
||||||
return NEW;
|
return NEW;
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
|
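Review bot: The comment above the short-circuit, `-- check INSERT INSERT if rbac.global ADMIN`, doubles the word and does not say that this branch returns before every check that follows; since this is the line that decides who may insert debitors without further authorization, suggest `-- rbac.global ADMIN may INSERT unconditionally; all other subjects fall through to the checks below`. The function `hs_office_debitor_insert_permission_check_tf()` starts before the hunk and its remaining checks presumably lie after it, so the fall-through path is not reviewable here. The same doubled comment appears in the partner, partner-details and membership check functions touched by this commit.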
@ -50,7 +50,7 @@ end; $$;
|
|||||||
|
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
begin
|
begin
|
||||||
call basis.defineContext('creating debitor test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
call basis.defineContext('creating debitor test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
|
||||||
|
|
||||||
call createHsOfficeDebitorTestData(11, 'First GmbH', 'first contact', 'fir');
|
call createHsOfficeDebitorTestData(11, 'First GmbH', 'first contact', 'fir');
|
||||||
call createHsOfficeDebitorTestData(12, 'Second e.K.', 'second contact', 'sec');
|
call createHsOfficeDebitorTestData(12, 'Second e.K.', 'second contact', 'sec');
|
||||||
|
@ -99,16 +99,16 @@ end
|
|||||||
user:creator ==> role:sepaMandate:OWNER
|
user:creator ==> role:sepaMandate:OWNER
|
||||||
|
|
||||||
%% granting roles to roles
|
%% granting roles to roles
|
||||||
role:global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
|
role:rbac.global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
|
||||||
role:debitorRel.anchorPerson:OWNER -.-> role:debitorRel.anchorPerson:ADMIN
|
role:debitorRel.anchorPerson:OWNER -.-> role:debitorRel.anchorPerson:ADMIN
|
||||||
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel.anchorPerson:REFERRER
|
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel.anchorPerson:REFERRER
|
||||||
role:global:ADMIN -.-> role:debitorRel.holderPerson:OWNER
|
role:rbac.global:ADMIN -.-> role:debitorRel.holderPerson:OWNER
|
||||||
role:debitorRel.holderPerson:OWNER -.-> role:debitorRel.holderPerson:ADMIN
|
role:debitorRel.holderPerson:OWNER -.-> role:debitorRel.holderPerson:ADMIN
|
||||||
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER
|
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER
|
||||||
role:global:ADMIN -.-> role:debitorRel.contact:OWNER
|
role:rbac.global:ADMIN -.-> role:debitorRel.contact:OWNER
|
||||||
role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
|
role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
|
||||||
role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
|
role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
|
||||||
role:global:ADMIN -.-> role:debitorRel:OWNER
|
role:rbac.global:ADMIN -.-> role:debitorRel:OWNER
|
||||||
role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
|
role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
|
||||||
role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
|
role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
|
||||||
role:debitorRel:AGENT -.-> role:debitorRel:TENANT
|
role:debitorRel:AGENT -.-> role:debitorRel:TENANT
|
||||||
@ -118,10 +118,10 @@ role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
|
|||||||
role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER
|
role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER
|
||||||
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:OWNER
|
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:OWNER
|
||||||
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
|
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
|
||||||
role:global:ADMIN -.-> role:bankAccount:OWNER
|
role:rbac.global:ADMIN -.-> role:bankAccount:OWNER
|
||||||
role:bankAccount:OWNER -.-> role:bankAccount:ADMIN
|
role:bankAccount:OWNER -.-> role:bankAccount:ADMIN
|
||||||
role:bankAccount:ADMIN -.-> role:bankAccount:REFERRER
|
role:bankAccount:ADMIN -.-> role:bankAccount:REFERRER
|
||||||
role:global:ADMIN ==> role:sepaMandate:OWNER
|
role:rbac.global:ADMIN ==> role:sepaMandate:OWNER
|
||||||
role:sepaMandate:OWNER ==> role:sepaMandate:ADMIN
|
role:sepaMandate:OWNER ==> role:sepaMandate:ADMIN
|
||||||
role:sepaMandate:ADMIN ==> role:sepaMandate:AGENT
|
role:sepaMandate:ADMIN ==> role:sepaMandate:AGENT
|
||||||
role:sepaMandate:AGENT ==> role:bankAccount:REFERRER
|
role:sepaMandate:AGENT ==> role:bankAccount:REFERRER
|
||||||
|
@ -43,7 +43,7 @@ end; $$;
|
|||||||
|
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
begin
|
begin
|
||||||
call basis.defineContext('creating SEPA-mandate test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
call basis.defineContext('creating SEPA-mandate test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
|
||||||
|
|
||||||
call createHsOfficeSepaMandateTestData(10001, '11', 'DE02120300000000202051', 'ref-10001-11');
|
call createHsOfficeSepaMandateTestData(10001, '11', 'DE02120300000000202051', 'ref-10001-11');
|
||||||
call createHsOfficeSepaMandateTestData(10002, '12', 'DE02100500000054540402', 'ref-10002-12');
|
call createHsOfficeSepaMandateTestData(10002, '12', 'DE02100500000054540402', 'ref-10002-12');
|
||||||
|
@ -85,16 +85,16 @@ end
|
|||||||
user:creator ==> role:membership:OWNER
|
user:creator ==> role:membership:OWNER
|
||||||
|
|
||||||
%% granting roles to roles
|
%% granting roles to roles
|
||||||
role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
|
role:rbac.global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
|
||||||
role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
|
role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
|
||||||
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
|
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
|
||||||
role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
|
role:rbac.global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
|
||||||
role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
|
role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
|
||||||
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
|
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
|
||||||
role:global:ADMIN -.-> role:partnerRel.contact:OWNER
|
role:rbac.global:ADMIN -.-> role:partnerRel.contact:OWNER
|
||||||
role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
|
role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
|
||||||
role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
|
role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
|
||||||
role:global:ADMIN -.-> role:partnerRel:OWNER
|
role:rbac.global:ADMIN -.-> role:partnerRel:OWNER
|
||||||
role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
|
role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
|
||||||
role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
|
role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
|
||||||
role:partnerRel:AGENT -.-> role:partnerRel:TENANT
|
role:partnerRel:AGENT -.-> role:partnerRel:TENANT
|
||||||
@ -111,7 +111,7 @@ role:partnerRel:AGENT ==> role:membership:AGENT
|
|||||||
role:membership:AGENT ==> role:partnerRel:TENANT
|
role:membership:AGENT ==> role:partnerRel:TENANT
|
||||||
|
|
||||||
%% granting permissions to roles
|
%% granting permissions to roles
|
||||||
role:global:ADMIN ==> perm:membership:INSERT
|
role:rbac.global:ADMIN ==> perm:membership:INSERT
|
||||||
role:membership:ADMIN ==> perm:membership:DELETE
|
role:membership:ADMIN ==> perm:membership:DELETE
|
||||||
role:membership:ADMIN ==> perm:membership:UPDATE
|
role:membership:ADMIN ==> perm:membership:UPDATE
|
||||||
role:membership:AGENT ==> perm:membership:SELECT
|
role:membership:AGENT ==> perm:membership:SELECT
|
||||||
|
@ -92,18 +92,18 @@ execute procedure insertTriggerForHsOfficeMembership_tf();
|
|||||||
--changeset hs-office-membership-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
--changeset hs-office-membership-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
-- granting INSERT permission to global ----------------------------
|
-- granting INSERT permission to rbac.global ----------------------------
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Grants INSERT INTO hs_office_membership permissions to specified role of pre-existing global rows.
|
Grants INSERT INTO hs_office_membership permissions to specified role of pre-existing rbac.global rows.
|
||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row global;
|
row rbac.global%ROWTYPE;
|
||||||
begin
|
begin
|
||||||
call basis.defineContext('create INSERT INTO hs_office_membership permissions for pre-exising global rows');
|
call basis.defineContext('create INSERT INTO hs_office_membership permissions for pre-exising rbac.Global rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM global
|
FOR row IN SELECT * FROM rbac.global
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
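Review bot: The spelling of the schema object is not consistent within this hunk: the comment says `rbac.global` and the query reads `FROM rbac.global`, but the `basis.defineContext(...)` description says `rbac.Global` and keeps the `pre-exising` typo; suggest `call basis.defineContext('create INSERT INTO hs_office_membership permissions for pre-existing rbac.global rows');`. The same mix of `rbac.global`/`rbac.Global` and of `%ROWTYPE`/bare table type appears across the four `*-GRANTING-INSERT-PERMISSION` changesets in this commit, which suggests these blocks were edited by hand rather than regenerated from one template; if they are generated, fixing the template once would remove the drift. The loop body (`call grantPermissionToRole(`) continues past the hunk.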
@ -114,7 +114,7 @@ do language plpgsql $$
|
|||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Grants hs_office_membership INSERT permission to specified role of new global rows.
|
Grants hs_office_membership INSERT permission to specified role of new rbac.Global rows.
|
||||||
*/
|
*/
|
||||||
create or replace function new_hs_office_membership_grants_insert_to_global_tf()
|
create or replace function new_hs_office_membership_grants_insert_to_global_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
@ -131,7 +131,7 @@ end; $$;
|
|||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_new_hs_office_membership_grants_insert_to_global_tg
|
create trigger z_new_hs_office_membership_grants_insert_to_global_tg
|
||||||
after insert on global
|
after insert on rbac.global
|
||||||
for each row
|
for each row
|
||||||
execute procedure new_hs_office_membership_grants_insert_to_global_tf();
|
execute procedure new_hs_office_membership_grants_insert_to_global_tf();
|
||||||
|
|
||||||
@ -149,8 +149,8 @@ create or replace function hs_office_membership_insert_permission_check_tf()
|
|||||||
declare
|
declare
|
||||||
superObjectUuid uuid;
|
superObjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
-- check INSERT INSERT if global ADMIN
|
-- check INSERT INSERT if rbac.Global ADMIN
|
||||||
if isGlobalAdmin() then
|
if rbac.isGlobalAdmin() then
|
||||||
return NEW;
|
return NEW;
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
|
@ -33,7 +33,7 @@ end; $$;
|
|||||||
|
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
begin
|
begin
|
||||||
call basis.defineContext('creating Membership test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
call basis.defineContext('creating Membership test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
|
||||||
|
|
||||||
call createHsOfficeMembershipTestData(10001, '01');
|
call createHsOfficeMembershipTestData(10001, '01');
|
||||||
call createHsOfficeMembershipTestData(10002, '02');
|
call createHsOfficeMembershipTestData(10002, '02');
|
||||||
|
@ -86,16 +86,16 @@ subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPers
|
|||||||
end
|
end
|
||||||
|
|
||||||
%% granting roles to roles
|
%% granting roles to roles
|
||||||
role:global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
|
role:rbac.global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
|
||||||
role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN
|
role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN
|
||||||
role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER
|
role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER
|
||||||
role:global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER
|
role:rbac.global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER
|
||||||
role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN
|
role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN
|
||||||
role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER
|
role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER
|
||||||
role:global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
|
role:rbac.global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
|
||||||
role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN
|
role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN
|
||||||
role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER
|
role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER
|
||||||
role:global:ADMIN -.-> role:membership.partnerRel:OWNER
|
role:rbac.global:ADMIN -.-> role:membership.partnerRel:OWNER
|
||||||
role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN
|
role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN
|
||||||
role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT
|
role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT
|
||||||
role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT
|
role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT
|
||||||
|
@ -86,16 +86,16 @@ subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPers
|
|||||||
end
|
end
|
||||||
|
|
||||||
%% granting roles to roles
|
%% granting roles to roles
|
||||||
role:global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
|
role:rbac.global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
|
||||||
role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN
|
role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN
|
||||||
role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER
|
role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER
|
||||||
role:global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER
|
role:rbac.global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER
|
||||||
role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN
|
role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN
|
||||||
role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER
|
role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER
|
||||||
role:global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
|
role:rbac.global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
|
||||||
role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN
|
role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN
|
||||||
role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER
|
role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER
|
||||||
role:global:ADMIN -.-> role:membership.partnerRel:OWNER
|
role:rbac.global:ADMIN -.-> role:membership.partnerRel:OWNER
|
||||||
role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN
|
role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN
|
||||||
role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT
|
role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT
|
||||||
role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT
|
role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT
|
||||||
|
@ -44,7 +44,7 @@ subgraph project["`**project**`"]
|
|||||||
end
|
end
|
||||||
|
|
||||||
%% granting roles to roles
|
%% granting roles to roles
|
||||||
role:global:ADMIN -.-> role:debitorRel:OWNER
|
role:rbac.global:ADMIN -.-> role:debitorRel:OWNER
|
||||||
role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
|
role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
|
||||||
role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
|
role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
|
||||||
role:debitorRel:AGENT -.-> role:debitorRel:TENANT
|
role:debitorRel:AGENT -.-> role:debitorRel:TENANT
|
||||||
@ -56,7 +56,7 @@ role:project:TENANT ==> role:debitorRel:TENANT
|
|||||||
|
|
||||||
%% granting permissions to roles
|
%% granting permissions to roles
|
||||||
role:debitorRel:ADMIN ==> perm:project:INSERT
|
role:debitorRel:ADMIN ==> perm:project:INSERT
|
||||||
role:global:ADMIN ==> perm:project:DELETE
|
role:rbac.global:ADMIN ==> perm:project:DELETE
|
||||||
role:project:ADMIN ==> perm:project:UPDATE
|
role:project:ADMIN ==> perm:project:UPDATE
|
||||||
role:project:TENANT ==> perm:project:SELECT
|
role:project:TENANT ==> perm:project:SELECT
|
||||||
|
|
||||||
|
@ -39,7 +39,7 @@ end; $$;
|
|||||||
|
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
begin
|
begin
|
||||||
call basis.defineContext('creating booking-project test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
call basis.defineContext('creating booking-project test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
|
||||||
|
|
||||||
call createHsBookingProjectTransactionTestData(10001, '11');
|
call createHsBookingProjectTransactionTestData(10001, '11');
|
||||||
call createHsBookingProjectTransactionTestData(10002, '12');
|
call createHsBookingProjectTransactionTestData(10002, '12');
|
||||||
|
@ -54,8 +54,8 @@ role:bookingItem:AGENT ==> role:bookingItem:TENANT
|
|||||||
role:bookingItem:TENANT ==> role:project:TENANT
|
role:bookingItem:TENANT ==> role:project:TENANT
|
||||||
|
|
||||||
%% granting permissions to roles
|
%% granting permissions to roles
|
||||||
role:global:ADMIN ==> perm:bookingItem:INSERT
|
role:rbac.global:ADMIN ==> perm:bookingItem:INSERT
|
||||||
role:global:ADMIN ==> perm:bookingItem:DELETE
|
role:rbac.global:ADMIN ==> perm:bookingItem:DELETE
|
||||||
role:project:ADMIN ==> perm:bookingItem:INSERT
|
role:project:ADMIN ==> perm:bookingItem:INSERT
|
||||||
role:bookingItem:ADMIN ==> perm:bookingItem:UPDATE
|
role:bookingItem:ADMIN ==> perm:bookingItem:UPDATE
|
||||||
role:bookingItem:TENANT ==> perm:bookingItem:SELECT
|
role:bookingItem:TENANT ==> perm:bookingItem:SELECT
|
||||||
|
@ -105,11 +105,11 @@ execute procedure insertTriggerForHsBookingItem_tf();
|
|||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row global;
|
row rbac.global%ROWTYPE;
|
||||||
begin
|
begin
|
||||||
call basis.defineContext('create INSERT INTO hs_booking_item permissions for pre-exising global rows');
|
call basis.defineContext('create INSERT INTO hs_booking_item permissions for pre-exising rbac.global rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM global
|
FOR row IN SELECT * FROM rbac.global
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
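Review bot: `call grantPermissionToRole(` on the last line of the hunk is still unqualified while this change schema-qualifies `rbac.global` here and `rbac.isGlobalAdmin()` in the sibling hunk; an unqualified call is resolved through the session's search_path, so if this migration block or the trigger functions run with elevated rights, a same-named function in an earlier schema would be picked first. Qualifying it (`call <schema>.grantPermissionToRole(` — schema placeholder, the function's schema is not visible on this page) or pinning an explicit `search_path` on the function keeps the resolution fixed. The context description also carries a typo, `pre-exising` → `pre-existing`. The do-block continues past the hunk, and the identical hunk later on this page (`@ -105,11 +105,11`) has the same two points.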
@ -120,7 +120,7 @@ do language plpgsql $$
|
|||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Grants hs_booking_item INSERT permission to specified role of new global rows.
|
Grants hs_booking_item INSERT permission to specified role of new rbac.global rows.
|
||||||
*/
|
*/
|
||||||
create or replace function new_hs_booking_item_grants_insert_to_global_tf()
|
create or replace function new_hs_booking_item_grants_insert_to_global_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
@ -137,7 +137,7 @@ end; $$;
|
|||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_new_hs_booking_item_grants_insert_to_global_tg
|
create trigger z_new_hs_booking_item_grants_insert_to_global_tg
|
||||||
after insert on global
|
after insert on rbac.global
|
||||||
for each row
|
for each row
|
||||||
execute procedure new_hs_booking_item_grants_insert_to_global_tf();
|
execute procedure new_hs_booking_item_grants_insert_to_global_tf();
|
||||||
|
|
||||||
@ -225,8 +225,8 @@ create or replace function hs_booking_item_insert_permission_check_tf()
|
|||||||
declare
|
declare
|
||||||
superObjectUuid uuid;
|
superObjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
-- check INSERT INSERT if global ADMIN
|
-- check INSERT INSERT if rbac.Global ADMIN
|
||||||
if isGlobalAdmin() then
|
if rbac.isGlobalAdmin() then
|
||||||
return NEW;
|
return NEW;
|
||||||
end if;
|
end if;
|
||||||
-- check INSERT permission via direct foreign key: NEW.projectUuid
|
-- check INSERT permission via direct foreign key: NEW.projectUuid
|
||||||
|
@ -47,7 +47,7 @@ do language plpgsql $$
|
|||||||
declare
|
declare
|
||||||
currentTask text;
|
currentTask text;
|
||||||
begin
|
begin
|
||||||
call basis.defineContext('creating booking-item test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
call basis.defineContext('creating booking-item test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
|
||||||
|
|
||||||
call createHsBookingItemTransactionTestData(10001, '11');
|
call createHsBookingItemTransactionTestData(10001, '11');
|
||||||
call createHsBookingItemTransactionTestData(10002, '12');
|
call createHsBookingItemTransactionTestData(10002, '12');
|
||||||
|
@ -54,8 +54,8 @@ role:bookingItem:AGENT ==> role:bookingItem:TENANT
|
|||||||
role:bookingItem:TENANT ==> role:project:TENANT
|
role:bookingItem:TENANT ==> role:project:TENANT
|
||||||
|
|
||||||
%% granting permissions to roles
|
%% granting permissions to roles
|
||||||
role:global:ADMIN ==> perm:bookingItem:INSERT
|
role:rbac.global:ADMIN ==> perm:bookingItem:INSERT
|
||||||
role:global:ADMIN ==> perm:bookingItem:DELETE
|
role:rbac.global:ADMIN ==> perm:bookingItem:DELETE
|
||||||
role:project:ADMIN ==> perm:bookingItem:INSERT
|
role:project:ADMIN ==> perm:bookingItem:INSERT
|
||||||
role:bookingItem:ADMIN ==> perm:bookingItem:UPDATE
|
role:bookingItem:ADMIN ==> perm:bookingItem:UPDATE
|
||||||
role:bookingItem:TENANT ==> perm:bookingItem:SELECT
|
role:bookingItem:TENANT ==> perm:bookingItem:SELECT
|
||||||
|
@ -105,11 +105,11 @@ execute procedure insertTriggerForHsBookingItem_tf();
|
|||||||
*/
|
*/
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
declare
|
declare
|
||||||
row global;
|
row rbac.global%ROWTYPE;
|
||||||
begin
|
begin
|
||||||
call basis.defineContext('create INSERT INTO hs_booking_item permissions for pre-exising global rows');
|
call basis.defineContext('create INSERT INTO hs_booking_item permissions for pre-exising rbac.global rows');
|
||||||
|
|
||||||
FOR row IN SELECT * FROM global
|
FOR row IN SELECT * FROM rbac.global
|
||||||
-- unconditional for all rows in that table
|
-- unconditional for all rows in that table
|
||||||
LOOP
|
LOOP
|
||||||
call grantPermissionToRole(
|
call grantPermissionToRole(
|
||||||
@ -120,7 +120,7 @@ do language plpgsql $$
|
|||||||
$$;
|
$$;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Grants hs_booking_item INSERT permission to specified role of new global rows.
|
Grants hs_booking_item INSERT permission to specified role of new rbac.global rows.
|
||||||
*/
|
*/
|
||||||
create or replace function new_hs_booking_item_grants_insert_to_global_tf()
|
create or replace function new_hs_booking_item_grants_insert_to_global_tf()
|
||||||
returns trigger
|
returns trigger
|
||||||
@ -137,7 +137,7 @@ end; $$;
|
|||||||
|
|
||||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||||
create trigger z_new_hs_booking_item_grants_insert_to_global_tg
|
create trigger z_new_hs_booking_item_grants_insert_to_global_tg
|
||||||
after insert on global
|
after insert on rbac.global
|
||||||
for each row
|
for each row
|
||||||
execute procedure new_hs_booking_item_grants_insert_to_global_tf();
|
execute procedure new_hs_booking_item_grants_insert_to_global_tf();
|
||||||
|
|
||||||
@ -225,8 +225,8 @@ create or replace function hs_booking_item_insert_permission_check_tf()
|
|||||||
declare
|
declare
|
||||||
superObjectUuid uuid;
|
superObjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
-- check INSERT INSERT if global ADMIN
|
-- check INSERT INSERT if rbac.Global ADMIN
|
||||||
if isGlobalAdmin() then
|
if rbac.isGlobalAdmin() then
|
||||||
return NEW;
|
return NEW;
|
||||||
end if;
|
end if;
|
||||||
-- check INSERT permission via direct foreign key: NEW.projectUuid
|
-- check INSERT permission via direct foreign key: NEW.projectUuid
|
||||||
|
@ -88,10 +88,10 @@ user:creator ==> role:asset:OWNER
|
|||||||
role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
|
role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
|
||||||
role:bookingItem:ADMIN -.-> role:bookingItem:AGENT
|
role:bookingItem:ADMIN -.-> role:bookingItem:AGENT
|
||||||
role:bookingItem:AGENT -.-> role:bookingItem:TENANT
|
role:bookingItem:AGENT -.-> role:bookingItem:TENANT
|
||||||
role:global:ADMIN -.-> role:alarmContact:OWNER
|
role:rbac.global:ADMIN -.-> role:alarmContact:OWNER
|
||||||
role:alarmContact:OWNER -.-> role:alarmContact:ADMIN
|
role:alarmContact:OWNER -.-> role:alarmContact:ADMIN
|
||||||
role:alarmContact:ADMIN -.-> role:alarmContact:REFERRER
|
role:alarmContact:ADMIN -.-> role:alarmContact:REFERRER
|
||||||
role:global:ADMIN ==>|XX| role:asset:OWNER
|
role:rbac.global:ADMIN ==>|XX| role:asset:OWNER
|
||||||
role:bookingItem:ADMIN ==> role:asset:OWNER
|
role:bookingItem:ADMIN ==> role:asset:OWNER
|
||||||
role:parentAsset:ADMIN ==> role:asset:OWNER
|
role:parentAsset:ADMIN ==> role:asset:OWNER
|
||||||
role:asset:OWNER ==> role:asset:ADMIN
|
role:asset:OWNER ==> role:asset:ADMIN
|
||||||
@ -107,9 +107,9 @@ role:asset:TENANT ==> role:parentAsset:TENANT
|
|||||||
role:alarmContact:ADMIN ==> role:asset:TENANT
|
role:alarmContact:ADMIN ==> role:asset:TENANT
|
||||||
|
|
||||||
%% granting permissions to roles
|
%% granting permissions to roles
|
||||||
role:global:ADMIN ==> perm:asset:INSERT
|
role:rbac.global:ADMIN ==> perm:asset:INSERT
|
||||||
role:parentAsset:ADMIN ==> perm:asset:INSERT
|
role:parentAsset:ADMIN ==> perm:asset:INSERT
|
||||||
role:global:GUEST ==> perm:asset:INSERT
|
role:rbac.global:GUEST ==> perm:asset:INSERT
|
||||||
role:asset:OWNER ==> perm:asset:DELETE
|
role:asset:OWNER ==> perm:asset:DELETE
|
||||||
role:asset:ADMIN ==> perm:asset:UPDATE
|
role:asset:ADMIN ==> perm:asset:UPDATE
|
||||||
role:asset:TENANT ==> perm:asset:SELECT
|
role:asset:TENANT ==> perm:asset:SELECT
|
||||||
|
@ -30,7 +30,7 @@ declare
|
|||||||
pgSqlInstanceUuid uuid;
|
pgSqlInstanceUuid uuid;
|
||||||
PgSqlSubjectUuid uuid;
|
PgSqlSubjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
call basis.defineContext('creating hosting-asset test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
call basis.defineContext('creating hosting-asset test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
|
||||||
|
|
||||||
select project.* into relatedProject
|
select project.* into relatedProject
|
||||||
from hs_booking_project project
|
from hs_booking_project project
|
||||||
@ -110,7 +110,7 @@ end; $$;
|
|||||||
|
|
||||||
do language plpgsql $$
|
do language plpgsql $$
|
||||||
begin
|
begin
|
||||||
call basis.defineContext('creating hosting-asset test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
call basis.defineContext('creating hosting-asset test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
|
||||||
|
|
||||||
call createHsHostingAssetTestData('D-1000111 default project');
|
call createHsHostingAssetTestData('D-1000111 default project');
|
||||||
call createHsHostingAssetTestData('D-1000212 default project');
|
call createHsHostingAssetTestData('D-1000212 default project');
|
||||||
|
@ -6,7 +6,7 @@
|
|||||||
CREATE VIEW hs_statistics_view AS
|
CREATE VIEW hs_statistics_view AS
|
||||||
select *
|
select *
|
||||||
from (select count, "table" as "rbac-table", '' as "hs-table", '' as "type"
|
from (select count, "table" as "rbac-table", '' as "hs-table", '' as "type"
|
||||||
from rbacstatisticsview
|
from rbac.statistics_v
|
||||||
union all
|
union all
|
||||||
select to_char(count(*)::int, '9 999 999 999') as "count", 'objects' as "rbac-table", objecttable as "hs-table", '' as "type"
|
select to_char(count(*)::int, '9 999 999 999') as "count", 'objects' as "rbac-table", objecttable as "hs-table", '' as "type"
|
||||||
from rbac.object
|
from rbac.object
|
||||||
|
@ -158,4 +158,4 @@ databaseChangeLog:
|
|||||||
- include:
|
- include:
|
||||||
file: db/changelog/7-hs-hosting/701-hosting-asset/7018-hs-hosting-asset-test-data.sql
|
file: db/changelog/7-hs-hosting/701-hosting-asset/7018-hs-hosting-asset-test-data.sql
|
||||||
- include:
|
- include:
|
||||||
file: db/changelog/9-hs-global/9000-statistics.sql
|
file: db/changelog/9-hs-global/9000-statistics.sql
|
||||||
|
@ -68,7 +68,7 @@ public class ArchitectureTest {
|
|||||||
"..mapper",
|
"..mapper",
|
||||||
"..ping",
|
"..ping",
|
||||||
"..rbac",
|
"..rbac",
|
||||||
"..rbac.rbacSubject",
|
"..rbac.subject",
|
||||||
"..rbac.rbacgrant",
|
"..rbac.rbacgrant",
|
||||||
"..rbac.rbacrole",
|
"..rbac.rbacrole",
|
||||||
"..rbac.rbacobject",
|
"..rbac.rbacobject",
|
||||||
|
@ -175,9 +175,9 @@ class HsBookingItemRepositoryIntegrationTest extends ContextBasedTestWithCleanup
|
|||||||
.containsExactlyInAnyOrder(fromFormatted(
|
.containsExactlyInAnyOrder(fromFormatted(
|
||||||
initialGrantNames,
|
initialGrantNames,
|
||||||
|
|
||||||
// global-admin
|
// rbac.global-admin
|
||||||
"{ grant perm:hs_booking_item#somenewbookingitem:INSERT>hs_booking_item to role:hs_booking_item#somenewbookingitem:ADMIN by system and assume }",
|
"{ grant perm:hs_booking_item#somenewbookingitem:INSERT>hs_booking_item to role:hs_booking_item#somenewbookingitem:ADMIN by system and assume }",
|
||||||
"{ grant perm:hs_booking_item#somenewbookingitem:DELETE to role:global#global:ADMIN by system and assume }",
|
"{ grant perm:hs_booking_item#somenewbookingitem:DELETE to role:rbac.global#global:ADMIN by system and assume }",
|
||||||
|
|
||||||
// owner
|
// owner
|
||||||
"{ grant role:hs_booking_item#somenewbookingitem:OWNER to role:hs_booking_project#D-1000111-D-1000111defaultproject:AGENT by system and assume }",
|
"{ grant role:hs_booking_item#somenewbookingitem:OWNER to role:hs_booking_project#D-1000111-D-1000111defaultproject:AGENT by system and assume }",
|
||||||
|
@ -161,8 +161,8 @@ class HsBookingProjectRepositoryIntegrationTest extends ContextBasedTestWithClea
|
|||||||
.containsExactlyInAnyOrder(fromFormatted(
|
.containsExactlyInAnyOrder(fromFormatted(
|
||||||
initialGrantNames,
|
initialGrantNames,
|
||||||
|
|
||||||
// global-admin
|
// rbacgGlobal-admin
|
||||||
"{ grant perm:hs_booking_project#D-1000111-somenewbookingproject:DELETE to role:global#global:ADMIN by system and assume }",
|
"{ grant perm:hs_booking_project#D-1000111-somenewbookingproject:DELETE to role:rbac.global#global:ADMIN by system and assume }",
|
||||||
|
|
||||||
// owner
|
// owner
|
||||||
"{ grant role:hs_booking_project#D-1000111-somenewbookingproject:ADMIN to role:hs_booking_project#D-1000111-somenewbookingproject:OWNER by system and assume }",
|
"{ grant role:hs_booking_project#D-1000111-somenewbookingproject:ADMIN to role:hs_booking_project#D-1000111-somenewbookingproject:OWNER by system and assume }",
|
||||||
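Review bot: The new comment reads `// rbacgGlobal-admin`, which is a typo; the sibling integration tests in this commit use `// rbac.global-admin`, so this one should read the same. The surrounding `fromFormatted(` call starts and ends outside the hunk.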
|
@ -200,8 +200,8 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu
|
|||||||
.containsExactlyInAnyOrder(fromFormatted(
|
.containsExactlyInAnyOrder(fromFormatted(
|
||||||
initialGrantNames,
|
initialGrantNames,
|
||||||
|
|
||||||
// global-admin
|
// rbac.global-admin
|
||||||
"{ grant role:hs_hosting_asset#fir00:OWNER to role:global#global:ADMIN by system }", // workaround
|
"{ grant role:hs_hosting_asset#fir00:OWNER to role:rbac.global#global:ADMIN by system }", // workaround
|
||||||
|
|
||||||
// owner
|
// owner
|
||||||
"{ grant role:hs_hosting_asset#fir00:OWNER to user:superuser-alex@hostsharing.net by hs_hosting_asset#fir00:OWNER and assume }",
|
"{ grant role:hs_hosting_asset#fir00:OWNER to user:superuser-alex@hostsharing.net by hs_hosting_asset#fir00:OWNER and assume }",
|
||||||
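Review bot: The renamed grant `role:hs_hosting_asset#fir00:OWNER to role:rbac.global#global:ADMIN by system` is still annotated only `// workaround`, which says nothing about what is being worked around or when the grant can be removed; it is also the one grant in this list without `and assume`, and an OWNER grant to the global ADMIN role is the widest edge in this asset's role graph (the `|XX|`-labelled edge in the hosting-asset RBAC diagram on this page), so a reader needs the rationale. Suggested: `// workaround: <reason placeholder>; remove once <condition placeholder>`. The enclosing `fromFormatted(` expression starts and ends outside the hunk.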
@ -250,7 +250,7 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu
|
|||||||
context("person-SmithPeter@example.com");
|
context("person-SmithPeter@example.com");
|
||||||
assertThatAssetIsPersisted(result.returnedValue());
|
assertThatAssetIsPersisted(result.returnedValue());
|
||||||
|
|
||||||
// ... a global admin can see the new domain setup as well if the domain OWNER role is assumed
|
// ... a rbac.global admin can see the new domain setup as well if the domain OWNER role is assumed
|
||||||
context("superuser-alex@hostsharing.net", "hs_hosting_asset#example.net:OWNER"); // only works with the assumed role
|
context("superuser-alex@hostsharing.net", "hs_hosting_asset#example.net:OWNER"); // only works with the assumed role
|
||||||
assertThatAssetIsPersisted(result.returnedValue());
|
assertThatAssetIsPersisted(result.returnedValue());
|
||||||
}
|
}
|
||||||
|
@ -109,7 +109,7 @@ class HsOfficeBankAccountRepositoryIntegrationTest extends ContextBasedTestWithC
|
|||||||
assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(Array.fromFormatted(
|
assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(Array.fromFormatted(
|
||||||
initialGrantNames,
|
initialGrantNames,
|
||||||
"{ grant perm:hs_office_bankaccount#DE25500105176934832579:DELETE to role:hs_office_bankaccount#DE25500105176934832579:OWNER by system and assume }",
|
"{ grant perm:hs_office_bankaccount#DE25500105176934832579:DELETE to role:hs_office_bankaccount#DE25500105176934832579:OWNER by system and assume }",
|
||||||
"{ grant role:hs_office_bankaccount#DE25500105176934832579:OWNER to role:global#global:ADMIN by system and assume }",
|
"{ grant role:hs_office_bankaccount#DE25500105176934832579:OWNER to role:rbac.global#global:ADMIN by system and assume }",
|
||||||
"{ grant role:hs_office_bankaccount#DE25500105176934832579:OWNER to user:selfregistered-user-drew@hostsharing.org by hs_office_bankaccount#DE25500105176934832579:OWNER and assume }",
|
"{ grant role:hs_office_bankaccount#DE25500105176934832579:OWNER to user:selfregistered-user-drew@hostsharing.org by hs_office_bankaccount#DE25500105176934832579:OWNER and assume }",
|
||||||
|
|
||||||
"{ grant role:hs_office_bankaccount#DE25500105176934832579:ADMIN to role:hs_office_bankaccount#DE25500105176934832579:OWNER by system and assume }",
|
"{ grant role:hs_office_bankaccount#DE25500105176934832579:ADMIN to role:hs_office_bankaccount#DE25500105176934832579:OWNER by system and assume }",
|
||||||
|
@ -109,7 +109,7 @@ class HsOfficeContactRbacRepositoryIntegrationTest extends ContextBasedTestWithC
|
|||||||
));
|
));
|
||||||
assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(Array.fromFormatted(
|
assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(Array.fromFormatted(
|
||||||
initialGrantNames,
|
initialGrantNames,
|
||||||
"{ grant role:hs_office_contact#anothernewcontact:OWNER to role:global#global:ADMIN by system and assume }",
|
"{ grant role:hs_office_contact#anothernewcontact:OWNER to role:rbac.global#global:ADMIN by system and assume }",
|
||||||
"{ grant perm:hs_office_contact#anothernewcontact:UPDATE to role:hs_office_contact#anothernewcontact:ADMIN by system and assume }",
|
"{ grant perm:hs_office_contact#anothernewcontact:UPDATE to role:hs_office_contact#anothernewcontact:ADMIN by system and assume }",
|
||||||
"{ grant role:hs_office_contact#anothernewcontact:OWNER to user:selfregistered-user-drew@hostsharing.org by hs_office_contact#anothernewcontact:OWNER and assume }",
|
"{ grant role:hs_office_contact#anothernewcontact:OWNER to user:selfregistered-user-drew@hostsharing.org by hs_office_contact#anothernewcontact:OWNER and assume }",
|
||||||
"{ grant perm:hs_office_contact#anothernewcontact:DELETE to role:hs_office_contact#anothernewcontact:OWNER by system and assume }",
|
"{ grant perm:hs_office_contact#anothernewcontact:DELETE to role:hs_office_contact#anothernewcontact:OWNER by system and assume }",
|
||||||
|
@ -190,7 +190,7 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
|
|||||||
// owner
|
// owner
|
||||||
"{ grant perm:debitor#D-1000122:DELETE to role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER by system and assume }",
|
"{ grant perm:debitor#D-1000122:DELETE to role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER by system and assume }",
|
||||||
"{ grant perm:relation#FirstGmbH-with-DEBITOR-FourtheG:DELETE to role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER by system and assume }",
|
"{ grant perm:relation#FirstGmbH-with-DEBITOR-FourtheG:DELETE to role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER by system and assume }",
|
||||||
"{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER to role:global#global:ADMIN by system and assume }",
|
"{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER to role:rbac.global#global:ADMIN by system and assume }",
|
||||||
"{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER to role:person#FirstGmbH:ADMIN by system and assume }",
|
"{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER to role:person#FirstGmbH:ADMIN by system and assume }",
|
||||||
"{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER to user:superuser-alex@hostsharing.net by relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER and assume }",
|
"{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER to user:superuser-alex@hostsharing.net by relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER and assume }",
|
||||||
|
|
||||||
@ -349,7 +349,7 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
|
|||||||
|
|
||||||
// then
|
// then
|
||||||
result.assertSuccessful();
|
result.assertSuccessful();
|
||||||
assertThatDebitorIsVisibleForUserWithRole(result.returnedValue(), "global#global:ADMIN", true);
|
assertThatDebitorIsVisibleForUserWithRole(result.returnedValue(), "rbac.global#global:ADMIN", true);
|
||||||
|
|
||||||
// ... partner role was reassigned:
|
// ... partner role was reassigned:
|
||||||
assertThatDebitorIsNotVisibleForUserWithRole(
|
assertThatDebitorIsNotVisibleForUserWithRole(
|
||||||
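Review bot: The role literal `"rbac.global#global:ADMIN"` is written inline in this hunk and again in the two following hunks of the same test (`@ -398,7` and `@ -427,7`), as it is across the other integration tests in this commit, which is why this rename had to touch every copy. A single constant, e.g. `private static final String GLOBAL_ADMIN_ROLE = "rbac.global#global:ADMIN";` (constructed name), or a shared test helper would make the next change to the global role name a one-line edit and keep the assertions from drifting apart. The test method starts and ends outside the hunk.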
@ -398,7 +398,7 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
|
|||||||
result.assertSuccessful();
|
result.assertSuccessful();
|
||||||
assertThatDebitorIsVisibleForUserWithRole(
|
assertThatDebitorIsVisibleForUserWithRole(
|
||||||
result.returnedValue(),
|
result.returnedValue(),
|
||||||
"global#global:ADMIN", true);
|
"rbac.global#global:ADMIN", true);
|
||||||
|
|
||||||
// ... bank-account role was assigned:
|
// ... bank-account role was assigned:
|
||||||
assertThatDebitorIsVisibleForUserWithRole(
|
assertThatDebitorIsVisibleForUserWithRole(
|
||||||
@ -427,7 +427,7 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
|
|||||||
result.assertSuccessful();
|
result.assertSuccessful();
|
||||||
assertThatDebitorIsVisibleForUserWithRole(
|
assertThatDebitorIsVisibleForUserWithRole(
|
||||||
result.returnedValue(),
|
result.returnedValue(),
|
||||||
"global#global:ADMIN", true);
|
"rbac.global#global:ADMIN", true);
|
||||||
|
|
||||||
// ... bank-account role was removed from previous bank-account admin:
|
// ... bank-account role was removed from previous bank-account admin:
|
||||||
assertThatDebitorIsNotVisibleForUserWithRole(
|
assertThatDebitorIsNotVisibleForUserWithRole(
|
||||||
|
@ -158,7 +158,7 @@ class HsOfficePartnerRepositoryIntegrationTest extends ContextBasedTestWithClean
|
|||||||
"{ grant perm:relation#HostsharingeG-with-PARTNER-EBess:SELECT to role:relation#HostsharingeG-with-PARTNER-EBess:TENANT by system and assume }",
|
"{ grant perm:relation#HostsharingeG-with-PARTNER-EBess:SELECT to role:relation#HostsharingeG-with-PARTNER-EBess:TENANT by system and assume }",
|
||||||
|
|
||||||
// relation owner
|
// relation owner
|
||||||
"{ grant role:relation#HostsharingeG-with-PARTNER-EBess:OWNER to role:global#global:ADMIN by system and assume }",
|
"{ grant role:relation#HostsharingeG-with-PARTNER-EBess:OWNER to role:rbac.global#global:ADMIN by system and assume }",
|
||||||
"{ grant role:relation#HostsharingeG-with-PARTNER-EBess:OWNER to user:superuser-alex@hostsharing.net by relation#HostsharingeG-with-PARTNER-EBess:OWNER and assume }",
|
"{ grant role:relation#HostsharingeG-with-PARTNER-EBess:OWNER to user:superuser-alex@hostsharing.net by relation#HostsharingeG-with-PARTNER-EBess:OWNER and assume }",
|
||||||
|
|
||||||
// relation admin
|
// relation admin
|
||||||
@ -278,7 +278,7 @@ class HsOfficePartnerRepositoryIntegrationTest extends ContextBasedTestWithClean
|
|||||||
|
|
||||||
assertThatPartnerIsVisibleForUserWithRole(
|
assertThatPartnerIsVisibleForUserWithRole(
|
||||||
givenPartner,
|
givenPartner,
|
||||||
"global#global:ADMIN");
|
"rbac.global#global:ADMIN");
|
||||||
assertThatPartnerIsVisibleForUserWithRole(
|
assertThatPartnerIsVisibleForUserWithRole(
|
||||||
givenPartner,
|
givenPartner,
|
||||||
"hs_office_person#ThirdOHG:ADMIN");
|
"hs_office_person#ThirdOHG:ADMIN");
|
||||||
|
@ -112,7 +112,7 @@ class HsOfficePersonRepositoryIntegrationTest extends ContextBasedTestWithCleanu
|
|||||||
"{ grant perm:hs_office_person#anothernewperson:INSERT>hs_office_relation to role:hs_office_person#anothernewperson:ADMIN by system and assume }",
|
"{ grant perm:hs_office_person#anothernewperson:INSERT>hs_office_relation to role:hs_office_person#anothernewperson:ADMIN by system and assume }",
|
||||||
|
|
||||||
"{ grant role:hs_office_person#anothernewperson:OWNER to user:selfregistered-user-drew@hostsharing.org by hs_office_person#anothernewperson:OWNER and assume }",
|
"{ grant role:hs_office_person#anothernewperson:OWNER to user:selfregistered-user-drew@hostsharing.org by hs_office_person#anothernewperson:OWNER and assume }",
|
||||||
"{ grant role:hs_office_person#anothernewperson:OWNER to role:global#global:ADMIN by system and assume }",
|
"{ grant role:hs_office_person#anothernewperson:OWNER to role:rbac.global#global:ADMIN by system and assume }",
|
||||||
"{ grant perm:hs_office_person#anothernewperson:UPDATE to role:hs_office_person#anothernewperson:ADMIN by system and assume }",
|
"{ grant perm:hs_office_person#anothernewperson:UPDATE to role:hs_office_person#anothernewperson:ADMIN by system and assume }",
|
||||||
"{ grant perm:hs_office_person#anothernewperson:DELETE to role:hs_office_person#anothernewperson:OWNER by system and assume }",
|
"{ grant perm:hs_office_person#anothernewperson:DELETE to role:hs_office_person#anothernewperson:OWNER by system and assume }",
|
||||||
"{ grant role:hs_office_person#anothernewperson:ADMIN to role:hs_office_person#anothernewperson:OWNER by system and assume }",
|
"{ grant role:hs_office_person#anothernewperson:ADMIN to role:hs_office_person#anothernewperson:OWNER by system and assume }",
|
||||||
|
@ -133,7 +133,7 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
|
|||||||
initialGrantNames,
|
initialGrantNames,
|
||||||
|
|
||||||
"{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:DELETE to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER by system and assume }",
|
"{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:DELETE to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER by system and assume }",
|
||||||
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER to role:global#global:ADMIN by system and assume }",
|
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER to role:rbac.global#global:ADMIN by system and assume }",
|
||||||
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER to user:superuser-alex@hostsharing.net by hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER and assume }",
|
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER to user:superuser-alex@hostsharing.net by hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER and assume }",
|
||||||
|
|
||||||
"{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:UPDATE to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:ADMIN by system and assume }",
|
"{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:UPDATE to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:ADMIN by system and assume }",
|
||||||
@ -233,7 +233,7 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
|
|||||||
assertThat(result.returnedValue().getContact().getCaption()).isEqualTo("sixth contact");
|
assertThat(result.returnedValue().getContact().getCaption()).isEqualTo("sixth contact");
|
||||||
assertThatRelationIsVisibleForUserWithRole(
|
assertThatRelationIsVisibleForUserWithRole(
|
||||||
result.returnedValue(),
|
result.returnedValue(),
|
||||||
"global#global:ADMIN");
|
"rbac.global#global:ADMIN");
|
||||||
assertThatRelationIsVisibleForUserWithRole(
|
assertThatRelationIsVisibleForUserWithRole(
|
||||||
result.returnedValue(),
|
result.returnedValue(),
|
||||||
"hs_office_contact#sixthcontact:ADMIN");
|
"hs_office_contact#sixthcontact:ADMIN");
|
||||||
|
@ -128,7 +128,7 @@ class HsOfficeSepaMandateRepositoryIntegrationTest extends ContextBasedTestWithC
|
|||||||
|
|
||||||
// owner
|
// owner
|
||||||
"{ grant perm:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):DELETE to role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER by system and assume }",
|
"{ grant perm:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):DELETE to role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER by system and assume }",
|
||||||
"{ grant role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER to role:global#global:ADMIN by system and assume }",
|
"{ grant role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER to role:rbac.global#global:ADMIN by system and assume }",
|
||||||
"{ grant role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER to user:superuser-alex@hostsharing.net by sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER and assume }",
|
"{ grant role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER to user:superuser-alex@hostsharing.net by sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER and assume }",
|
||||||
|
|
||||||
// admin
|
// admin
|
||||||
|
@ -86,8 +86,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
))
|
))
|
||||||
.body("", hasItem(
|
.body("", hasItem(
|
||||||
allOf(
|
allOf(
|
||||||
hasEntry("grantedByRoleIdName", "global#global:ADMIN"),
|
hasEntry("grantedByRoleIdName", "rbac.global#global:ADMIN"),
|
||||||
hasEntry("grantedRoleIdName", "global#global:ADMIN"),
|
hasEntry("grantedRoleIdName", "rbac.global#global:ADMIN"),
|
||||||
hasEntry("granteeSubjectName", "superuser-fran@hostsharing.net")
|
hasEntry("granteeSubjectName", "superuser-fran@hostsharing.net")
|
||||||
)
|
)
|
||||||
))
|
))
|
||||||
|
@ -46,7 +46,7 @@ class RbacRoleControllerAcceptanceTest {
|
|||||||
.body("", hasItem(hasEntry("roleName", "test_customer#xxx:OWNER")))
|
.body("", hasItem(hasEntry("roleName", "test_customer#xxx:OWNER")))
|
||||||
.body("", hasItem(hasEntry("roleName", "test_customer#xxx:TENANT")))
|
.body("", hasItem(hasEntry("roleName", "test_customer#xxx:TENANT")))
|
||||||
// ...
|
// ...
|
||||||
.body("", hasItem(hasEntry("roleName", "global#global:ADMIN")))
|
.body("", hasItem(hasEntry("roleName", "rbac.global#global:ADMIN")))
|
||||||
.body("", hasItem(hasEntry("roleName", "test_customer#yyy:ADMIN")))
|
.body("", hasItem(hasEntry("roleName", "test_customer#yyy:ADMIN")))
|
||||||
.body("", hasItem(hasEntry("roleName", "test_package#yyy00:ADMIN")))
|
.body("", hasItem(hasEntry("roleName", "test_package#yyy00:ADMIN")))
|
||||||
.body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa:OWNER")))
|
.body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa:OWNER")))
|
||||||
|
@ -73,7 +73,7 @@ class RbacRoleControllerRestTest {
|
|||||||
// then
|
// then
|
||||||
.andExpect(status().isOk())
|
.andExpect(status().isOk())
|
||||||
.andExpect(jsonPath("$", hasSize(3)))
|
.andExpect(jsonPath("$", hasSize(3)))
|
||||||
.andExpect(jsonPath("$[0].roleName", is("global#global:ADMIN")))
|
.andExpect(jsonPath("$[0].roleName", is("rbac.global#global:ADMIN")))
|
||||||
.andExpect(jsonPath("$[1].roleName", is("test_customer#xxx:OWNER")))
|
.andExpect(jsonPath("$[1].roleName", is("test_customer#xxx:OWNER")))
|
||||||
.andExpect(jsonPath("$[2].roleName", is("test_customer#xxx:ADMIN")))
|
.andExpect(jsonPath("$[2].roleName", is("test_customer#xxx:ADMIN")))
|
||||||
.andExpect(jsonPath("$[2].uuid", is(customerXxxAdmin.getUuid().toString())))
|
.andExpect(jsonPath("$[2].uuid", is(customerXxxAdmin.getUuid().toString())))
|
||||||
|
@ -39,7 +39,7 @@ class RbacRoleRepositoryIntegrationTest {
|
|||||||
|
|
||||||
private static final String[] ALL_TEST_DATA_ROLES = Array.of(
|
private static final String[] ALL_TEST_DATA_ROLES = Array.of(
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
"global#global:ADMIN",
|
"rbac.global#global:ADMIN",
|
||||||
"test_customer#xxx:ADMIN", "test_customer#xxx:OWNER", "test_customer#xxx:TENANT",
|
"test_customer#xxx:ADMIN", "test_customer#xxx:OWNER", "test_customer#xxx:TENANT",
|
||||||
"test_package#xxx00:ADMIN", "test_package#xxx00:OWNER", "test_package#xxx00:TENANT",
|
"test_package#xxx00:ADMIN", "test_package#xxx00:OWNER", "test_package#xxx00:TENANT",
|
||||||
"test_package#xxx01:ADMIN", "test_package#xxx01:OWNER", "test_package#xxx01:TENANT",
|
"test_package#xxx01:ADMIN", "test_package#xxx01:OWNER", "test_package#xxx01:TENANT",
|
||||||
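Review bot: Nothing in this hunk asserts that the old unqualified name `global#global:ADMIN` no longer exists after the move to `rbac.global#global:ADMIN`; if a stale alias or unmigrated grant kept the old name resolvable, every assertion here would still pass while the old name stayed assumable. Consider pairing `ALL_TEST_DATA_ROLES` with a negative check in the role-listing test, e.g. `assertThat(result).extracting(RbacRoleEntity::getRoleName).doesNotContain("global#global:ADMIN");`, so the rename is enforced rather than just reflected. The `ALL_TEST_DATA_ROLES` array continues past the end of this hunk, so I cannot see whether such a check exists further down.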
@ -70,7 +70,7 @@ class RbacRoleRepositoryIntegrationTest {
|
|||||||
@Test
|
@Test
|
||||||
public void globalAdmin_withAssumedglobalAdminRole_canViewAllRbacRoles() {
|
public void globalAdmin_withAssumedglobalAdminRole_canViewAllRbacRoles() {
|
||||||
given:
|
given:
|
||||||
context.define("superuser-alex@hostsharing.net", "global#global:ADMIN");
|
context.define("superuser-alex@hostsharing.net", "rbac.global#global:ADMIN");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = rbacRoleRepository.findAll();
|
final var result = rbacRoleRepository.findAll();
|
||||||
@ -110,7 +110,7 @@ class RbacRoleRepositoryIntegrationTest {
|
|||||||
noneOfTheseRbacRolesIsReturned(
|
noneOfTheseRbacRolesIsReturned(
|
||||||
result,
|
result,
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
"global#global:ADMIN",
|
"rbac.global#global:ADMIN",
|
||||||
"test_customer#xxx:OWNER",
|
"test_customer#xxx:OWNER",
|
||||||
"test_package#yyy00:ADMIN",
|
"test_package#yyy00:ADMIN",
|
||||||
"test_package#yyy00:OWNER",
|
"test_package#yyy00:OWNER",
|
||||||
|
@ -4,7 +4,7 @@ import static java.util.UUID.randomUUID;
|
|||||||
|
|
||||||
public class TestRbacRole {
|
public class TestRbacRole {
|
||||||
|
|
||||||
public static final RbacRoleEntity hostmasterRole = rbacRole("global", "global", RbacRoleType.ADMIN);
|
public static final RbacRoleEntity hostmasterRole = rbacRole("rbac.global", "global", RbacRoleType.ADMIN);
|
||||||
static final RbacRoleEntity customerXxxOwner = rbacRole("test_customer", "xxx", RbacRoleType.OWNER);
|
static final RbacRoleEntity customerXxxOwner = rbacRole("test_customer", "xxx", RbacRoleType.OWNER);
|
||||||
static final RbacRoleEntity customerXxxAdmin = rbacRole("test_customer", "xxx", RbacRoleType.ADMIN);
|
static final RbacRoleEntity customerXxxAdmin = rbacRole("test_customer", "xxx", RbacRoleType.ADMIN);
|
||||||
|
|
||||||
|
@ -116,7 +116,7 @@ class RbacSubjectRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
@Test
|
@Test
|
||||||
public void globalAdmin_withAssumedglobalAdminRole_canViewAllRbacSubjects() {
|
public void globalAdmin_withAssumedglobalAdminRole_canViewAllRbacSubjects() {
|
||||||
given:
|
given:
|
||||||
context("superuser-alex@hostsharing.net", "global#global:ADMIN");
|
context("superuser-alex@hostsharing.net", "rbac.global#global:ADMIN");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = rbacSubjectRepository.findByOptionalNameLike(null);
|
final var result = rbacSubjectRepository.findByOptionalNameLike(null);
|
||||||
|
@ -13,19 +13,19 @@ class TestCustomerEntityUnitTest {
|
|||||||
assertThat(rbacFlowchart).isEqualTo("""
|
assertThat(rbacFlowchart).isEqualTo("""
|
||||||
%%{init:{'flowchart':{'htmlLabels':false}}}%%
|
%%{init:{'flowchart':{'htmlLabels':false}}}%%
|
||||||
flowchart TB
|
flowchart TB
|
||||||
|
|
||||||
subgraph customer["`**customer**`"]
|
subgraph customer["`**customer**`"]
|
||||||
direction TB
|
direction TB
|
||||||
style customer fill:#dd4901,stroke:#274d6e,stroke-width:8px
|
style customer fill:#dd4901,stroke:#274d6e,stroke-width:8px
|
||||||
|
|
||||||
subgraph customer:roles[ ]
|
subgraph customer:roles[ ]
|
||||||
style customer:roles fill:#dd4901,stroke:white
|
style customer:roles fill:#dd4901,stroke:white
|
||||||
|
|
||||||
role:customer:OWNER[[customer:OWNER]]
|
role:customer:OWNER[[customer:OWNER]]
|
||||||
role:customer:ADMIN[[customer:ADMIN]]
|
role:customer:ADMIN[[customer:ADMIN]]
|
||||||
role:customer:TENANT[[customer:TENANT]]
|
role:customer:TENANT[[customer:TENANT]]
|
||||||
end
|
end
|
||||||
|
|
||||||
subgraph customer:permissions[ ]
|
subgraph customer:permissions[ ]
|
||||||
style customer:permissions fill:#dd4901,stroke:white
|
style customer:permissions fill:#dd4901,stroke:white
|
||||||
|
|
||||||
@ -40,12 +40,12 @@ class TestCustomerEntityUnitTest {
|
|||||||
user:creator ==>|XX| role:customer:OWNER
|
user:creator ==>|XX| role:customer:OWNER
|
||||||
|
|
||||||
%% granting roles to roles
|
%% granting roles to roles
|
||||||
role:global:ADMIN ==>|XX| role:customer:OWNER
|
role:rbac.global:ADMIN ==>|XX| role:customer:OWNER
|
||||||
role:customer:OWNER ==> role:customer:ADMIN
|
role:customer:OWNER ==> role:customer:ADMIN
|
||||||
role:customer:ADMIN ==> role:customer:TENANT
|
role:customer:ADMIN ==> role:customer:TENANT
|
||||||
|
|
||||||
%% granting permissions to roles
|
%% granting permissions to roles
|
||||||
role:global:ADMIN ==> perm:customer:INSERT
|
role:rbac.global:ADMIN ==> perm:customer:INSERT
|
||||||
role:customer:OWNER ==> perm:customer:DELETE
|
role:customer:OWNER ==> perm:customer:DELETE
|
||||||
role:customer:ADMIN ==> perm:customer:UPDATE
|
role:customer:ADMIN ==> perm:customer:UPDATE
|
||||||
role:customer:TENANT ==> perm:customer:SELECT
|
role:customer:TENANT ==> perm:customer:SELECT
|
||||||
|
@ -50,7 +50,7 @@ class TestPackageEntityUnitTest {
|
|||||||
end
|
end
|
||||||
|
|
||||||
%% granting roles to roles
|
%% granting roles to roles
|
||||||
role:global:ADMIN -.->|XX| role:customer:OWNER
|
role:rbac.global:ADMIN -.->|XX| role:customer:OWNER
|
||||||
role:customer:OWNER -.-> role:customer:ADMIN
|
role:customer:OWNER -.-> role:customer:ADMIN
|
||||||
role:customer:ADMIN -.-> role:customer:TENANT
|
role:customer:ADMIN -.-> role:customer:TENANT
|
||||||
role:customer:ADMIN ==> role:package:OWNER
|
role:customer:ADMIN ==> role:package:OWNER
|
||||||
|
@ -40,7 +40,7 @@ class TestPackageRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
@Test
|
@Test
|
||||||
public void globalAdmin_withoutAssumedRole_canNotViewAnyPackages_becauseThoseGrantsAreNotAssumed() {
|
public void globalAdmin_withoutAssumedRole_canNotViewAnyPackages_becauseThoseGrantsAreNotAssumed() {
|
||||||
// given
|
// given
|
||||||
// alex is not just global-admin but lso the creating user, thus we use fran
|
// alex is not just rbac.global-admin but lso the creating user, thus we use fran
|
||||||
context.define("superuser-fran@hostsharing.net");
|
context.define("superuser-fran@hostsharing.net");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
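Review bot: The mechanical rename turned the prose comment into `alex is not just rbac.global-admin but lso the creating user`, which reads a schema-qualified identifier as an adjective and keeps the pre-existing typo `lso`. Since this line documents why fran is used instead of alex, it is worth making it read cleanly: `// alex is not just a global admin (rbac.global#global:ADMIN) but also the creating user, thus we use fran`. The test method continues past the end of this hunk.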
@ -53,7 +53,7 @@ class TestPackageRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
@Test
|
@Test
|
||||||
public void globalAdmin_withAssumedglobalAdminRole__canNotViewAnyPackages_becauseThoseGrantsAreNotAssumed() {
|
public void globalAdmin_withAssumedglobalAdminRole__canNotViewAnyPackages_becauseThoseGrantsAreNotAssumed() {
|
||||||
given:
|
given:
|
||||||
context.define("superuser-alex@hostsharing.net", "global#global:ADMIN");
|
context.define("superuser-alex@hostsharing.net", "rbac.global#global:ADMIN");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = testPackageRepository.findAllByOptionalNameLike(null);
|
final var result = testPackageRepository.findAllByOptionalNameLike(null);
|
||||||
|