rbac.global
This commit is contained in:
parent
55c4983509
commit
a583be71be
@ -74,7 +74,7 @@ public class HsBookingItemRbacEntity extends HsBookingItem {
|
||||
with.permission(SELECT);
|
||||
})
|
||||
|
||||
.limitDiagramTo("bookingItem", "project", "global");
|
||||
.limitDiagramTo("bookingItem", "project", "rbac.global");
|
||||
}
|
||||
|
||||
public static void main(String[] args) throws IOException {
|
||||
|
@ -105,7 +105,7 @@ public abstract class HsBookingProject implements Stringifyable, BaseEntity<HsBo
|
||||
with.permission(SELECT);
|
||||
})
|
||||
|
||||
.limitDiagramTo("project", "debitorRel", "global");
|
||||
.limitDiagramTo("project", "debitorRel", "rbac.global");
|
||||
}
|
||||
|
||||
public static void main(String[] args) throws IOException {
|
||||
|
@ -77,7 +77,7 @@ public class HsBookingProjectRbacEntity extends HsBookingProject {
|
||||
with.permission(SELECT);
|
||||
})
|
||||
|
||||
.limitDiagramTo("project", "debitorRel", "global");
|
||||
.limitDiagramTo("project", "debitorRel", "rbac.global");
|
||||
}
|
||||
|
||||
public static void main(String[] args) throws IOException {
|
||||
|
@ -106,7 +106,7 @@ public class HsHostingAssetRbacEntity extends HsHostingAsset {
|
||||
"parentAsset",
|
||||
"assignedToAsset",
|
||||
"alarmContact",
|
||||
"global");
|
||||
"rbac.global");
|
||||
}
|
||||
|
||||
public static void main(String[] args) throws IOException {
|
||||
|
@ -152,7 +152,7 @@ public class InsertTriggerGenerator {
|
||||
begin
|
||||
raise exception '[403] insert into ${rawSubTable} values(%) not allowed regardless of current subject, no insert permissions granted at all', NEW;
|
||||
end; $$;
|
||||
|
||||
|
||||
create trigger ${rawSubTable}_insert_permission_check_tg
|
||||
before insert on ${rawSubTable}
|
||||
for each row
|
||||
@ -206,7 +206,7 @@ public class InsertTriggerGenerator {
|
||||
if (g.getSuperRoleDef().isGlobal(GUEST)) {
|
||||
plPgSql.writeLn(
|
||||
"""
|
||||
-- check INSERT INSERT permission for global anyone
|
||||
-- check INSERT INSERT permission for rbac.global anyone
|
||||
if ${caseCondition}true then
|
||||
return NEW;
|
||||
end if;
|
||||
@ -215,8 +215,8 @@ public class InsertTriggerGenerator {
|
||||
} else if (g.getSuperRoleDef().isGlobal(ADMIN)) {
|
||||
plPgSql.writeLn(
|
||||
"""
|
||||
-- check INSERT INSERT if global ADMIN
|
||||
if ${caseCondition}isGlobalAdmin() then
|
||||
-- check INSERT INSERT if rbac.global ADMIN
|
||||
if ${caseCondition}rbac.isGlobalAdmin() then
|
||||
return NEW;
|
||||
end if;
|
||||
""",
|
||||
|
@ -36,7 +36,7 @@ import static org.apache.commons.lang3.StringUtils.uncapitalize;
|
||||
// TODO.refa: rename to RbacDSL
|
||||
public class RbacView {
|
||||
|
||||
public static final String GLOBAL = "global";
|
||||
public static final String GLOBAL = "rbac.global";
|
||||
public static final String OUTPUT_BASEDIR = "src/main/resources/db/changelog";
|
||||
|
||||
private final EntityAlias rootEntityAlias;
|
||||
@ -98,7 +98,7 @@ public class RbacView {
|
||||
rootEntityAlias = new EntityAlias(alias, entityClass);
|
||||
entityAliases.put(alias, rootEntityAlias);
|
||||
new RbacSubjectReference(CREATOR);
|
||||
entityAliases.put("global", new EntityAlias("global"));
|
||||
entityAliases.put("rbac.global", new EntityAlias("rbac.global"));
|
||||
}
|
||||
|
||||
/**
|
||||
@ -922,7 +922,7 @@ public class RbacView {
|
||||
}
|
||||
|
||||
boolean isGlobal() {
|
||||
return aliasName().equals("global");
|
||||
return aliasName().equals("rbac.global");
|
||||
}
|
||||
|
||||
boolean isPlaceholder() {
|
||||
@ -961,8 +961,8 @@ public class RbacView {
|
||||
}
|
||||
|
||||
String getRawTableName() {
|
||||
if ( aliasName.equals("global")) {
|
||||
return "global"; // TODO: maybe we should introduce a GlobalEntity class?
|
||||
if ( aliasName.equals("rbac.global")) {
|
||||
return "rbac.global"; // TODO: maybe we should introduce a GlobalEntity class?
|
||||
}
|
||||
return withoutRvSuffix(entityClass.getAnnotation(Table.class).name());
|
||||
}
|
||||
@ -1166,7 +1166,7 @@ public class RbacView {
|
||||
}
|
||||
|
||||
String map(final String originalAliasName) {
|
||||
if (outerAliasNames.contains(originalAliasName) || originalAliasName.equals("global")) {
|
||||
if (outerAliasNames.contains(originalAliasName) || originalAliasName.equals("rbac.global")) {
|
||||
return originalAliasName;
|
||||
}
|
||||
if (originalAliasName.equals(importedRbacView.rootEntityAlias.aliasName)) {
|
||||
|
@ -78,7 +78,7 @@ public class RbacGrantsDiagramService {
|
||||
if (!includes.contains(PERMISSIONS) && g.getDescendantIdName().startsWith("perm:")) {
|
||||
return;
|
||||
}
|
||||
if ( !g.getDescendantIdName().startsWith("role:global")) {
|
||||
if ( !g.getDescendantIdName().startsWith("role:rbac.global")) {
|
||||
if (!includes.contains(TEST_ENTITIES) && g.getDescendantIdName().contains(":test_")) {
|
||||
return;
|
||||
}
|
||||
|
@ -46,7 +46,7 @@ public class TestCustomerEntity implements BaseEntity<TestCustomerEntity> {
|
||||
.withIdentityView(SQL.projection("prefix"))
|
||||
.withRestrictedViewOrderBy(SQL.expression("reference"))
|
||||
.withUpdatableColumns("reference", "prefix", "adminUserName")
|
||||
.toRole("global", ADMIN).grantPermission(INSERT)
|
||||
.toRole("rbac.global", ADMIN).grantPermission(INSERT)
|
||||
|
||||
.createRole(OWNER, (with) -> {
|
||||
with.owningUser(CREATOR).unassumed();
|
||||
|
@ -584,7 +584,7 @@ select exists(
|
||||
join RbacRole as r on r.uuid = g.descendantuuid
|
||||
join rbac.object as o on o.uuid = r.objectuuid
|
||||
where g.ascendantuuid = forAscendantUuid
|
||||
and o.objecttable = 'global'
|
||||
and o.objecttable = 'rbac.global'
|
||||
);
|
||||
$$;
|
||||
|
||||
|
@ -57,7 +57,7 @@ begin
|
||||
|
||||
objectUuidToAssume = findObjectUuidByIdName(objectTableToAssume, objectNameToAssume);
|
||||
if objectUuidToAssume is null then
|
||||
raise exception '[401] object % cannot be found in table %', objectNameToAssume, objectTableToAssume;
|
||||
raise exception '[401] object % cannot be found in table % (from roleNameParts=%)', objectNameToAssume, objectTableToAssume, roleNameParts;
|
||||
end if;
|
||||
|
||||
select uuid
|
||||
|
@ -5,7 +5,7 @@
|
||||
/*
|
||||
Creates a view which presents some statistics about the RBAC tables.
|
||||
*/
|
||||
create view RbacStatisticsView as
|
||||
create view rbac.statistics_v as
|
||||
select no, to_char("count", '9 999 999 999') as "count", "table"
|
||||
from (select 1 as no, count(*) as "count", 'login users' as "table"
|
||||
from rbac.subject
|
||||
|
@ -1,7 +1,7 @@
|
||||
--liquibase formatted sql
|
||||
|
||||
-- ============================================================================
|
||||
--changeset rbac-global-GLOBAL-OBJECT:1 endDelimiter:--//
|
||||
--changeset rbac-global-OBJECT:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
The purpose of this table is provide root business objects
|
||||
@ -11,14 +11,14 @@
|
||||
In production databases, there is only a single row in this table,
|
||||
in test stages, there can be one row for each test data realm.
|
||||
*/
|
||||
create table Global
|
||||
create table rbac.global
|
||||
(
|
||||
uuid uuid primary key references rbac.object (uuid) on delete cascade,
|
||||
name varchar(63) unique
|
||||
);
|
||||
create unique index Global_Singleton on Global ((0));
|
||||
create unique index Global_Singleton on rbac.global ((0));
|
||||
|
||||
grant select on global to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
|
||||
grant select on rbac.global to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
|
||||
--//
|
||||
|
||||
|
||||
@ -26,7 +26,7 @@ grant select on global to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
|
||||
--changeset rbac-global-IS-GLOBAL-ADMIN:1 endDelimiter:--//
|
||||
-- ------------------------------------------------------------------
|
||||
|
||||
create or replace function isGlobalAdmin()
|
||||
create or replace function rbac.isGlobalAdmin()
|
||||
returns boolean
|
||||
language plpgsql as $$
|
||||
begin
|
||||
@ -36,117 +36,117 @@ end; $$;
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset rbac-global-HAS-GLOBAL-PERMISSION:1 endDelimiter:--//
|
||||
--changeset rbac-global-HAS-global-PERMISSION:1 endDelimiter:--//
|
||||
-- ------------------------------------------------------------------
|
||||
|
||||
create or replace function hasGlobalPermission(op RbacOp)
|
||||
create or replace function rbac.hasGlobalPermission(op RbacOp)
|
||||
returns boolean
|
||||
language sql as
|
||||
$$
|
||||
-- TODO.perf: this could to be optimized
|
||||
select (select uuid from global) in
|
||||
(select queryAccessibleObjectUuidsOfSubjectIds(op, 'global', rbac.currentSubjectOrAssumedRolesUuids()));
|
||||
select (select uuid from rbac.global) in
|
||||
(select queryAccessibleObjectUuidsOfSubjectIds(op, 'rbac.global', rbac.currentSubjectOrAssumedRolesUuids()));
|
||||
$$;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset rbac-global-GLOBAL-IDENTITY-VIEW:1 endDelimiter:--//
|
||||
--changeset rbac-global-IDENTITY-VIEW:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/*
|
||||
Creates a view to the global object table which maps the identifying name to the objectUuid.
|
||||
Creates a view to the rbac.global object table which maps the identifying name to the objectUuid.
|
||||
*/
|
||||
drop view if exists global_iv;
|
||||
create or replace view global_iv as
|
||||
drop view if exists rbac.global_iv;
|
||||
create or replace view rbac.global_iv as
|
||||
select target.uuid, target.name as idName
|
||||
from global as target;
|
||||
grant all privileges on global_iv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
|
||||
from rbac.global as target;
|
||||
grant all privileges on rbac.global_iv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
|
||||
|
||||
/*
|
||||
Returns the objectUuid for a given identifying name (in this case the idName).
|
||||
*/
|
||||
create or replace function globalUuidByIdName(idName varchar)
|
||||
create or replace function rbac.globalUuidByIdName(idName varchar)
|
||||
returns uuid
|
||||
language sql
|
||||
strict as $$
|
||||
select uuid from global_iv iv where iv.idName = globalUuidByIdName.idName;
|
||||
select uuid from rbac.global_iv iv where iv.idName = globalUuidByIdName.idName;
|
||||
$$;
|
||||
|
||||
/*
|
||||
Returns the identifying name for a given objectUuid (in this case the idName).
|
||||
*/
|
||||
create or replace function globalIdNameByUuid(uuid uuid)
|
||||
create or replace function rbac.globalIdNameByUuid(uuid uuid)
|
||||
returns varchar
|
||||
language sql
|
||||
strict as $$
|
||||
select idName from global_iv iv where iv.uuid = globalIdNameByUuid.uuid;
|
||||
select idName from rbac.global_iv iv where iv.uuid = globalIdNameByUuid.uuid;
|
||||
$$;
|
||||
--//
|
||||
|
||||
--liquibase formatted sql
|
||||
|
||||
-- ============================================================================
|
||||
--changeset rbac-global-PSEUDO-OBJECT:1 endDelimiter:--//
|
||||
--changeset rbac-rbac.Global-PSEUDO-OBJECT:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/**
|
||||
A single row to be referenced as a global object.
|
||||
A single row to be referenced as a rbac.Global object.
|
||||
*/
|
||||
begin transaction;
|
||||
call basis.defineContext('initializing table "global"', null, null, null);
|
||||
call basis.defineContext('initializing table "rbac.global"', null, null, null);
|
||||
insert
|
||||
into rbac.object (objecttable) values ('global');
|
||||
into rbac.object (objecttable) values ('rbac.global');
|
||||
insert
|
||||
into Global (uuid, name) values ((select uuid from rbac.object where objectTable = 'global'), 'global');
|
||||
into rbac.global (uuid, name) values ((select uuid from rbac.object where objectTable = 'rbac.global'), 'global');
|
||||
commit;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset rbac-global-ADMIN-ROLE:1 endDelimiter:--//
|
||||
--changeset rbac-rbac.Global-ADMIN-ROLE:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
A global administrator role.
|
||||
A rbac.Global administrator role.
|
||||
*/
|
||||
create or replace function globalAdmin(assumed boolean = true)
|
||||
returns RbacRoleDescriptor
|
||||
returns null on null input
|
||||
stable -- leakproof
|
||||
language sql as $$
|
||||
select 'global', (select uuid from rbac.object where objectTable = 'global'), 'ADMIN'::RbacRoleType, assumed;
|
||||
select 'rbac.global', (select uuid from rbac.object where objectTable = 'rbac.global'), 'ADMIN'::RbacRoleType, assumed;
|
||||
$$;
|
||||
|
||||
begin transaction;
|
||||
call basis.defineContext('creating role:global#global:ADMIN', null, null, null);
|
||||
call basis.defineContext('creating role:rbac.global#global:ADMIN', null, null, null);
|
||||
select createRole(globalAdmin());
|
||||
commit;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset rbac-global-GUEST-ROLE:1 endDelimiter:--//
|
||||
--changeset rbac-rbac.Global-GUEST-ROLE:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
A global guest role.
|
||||
A rbac.Global guest role.
|
||||
*/
|
||||
create or replace function globalGuest(assumed boolean = true)
|
||||
returns RbacRoleDescriptor
|
||||
returns null on null input
|
||||
stable -- leakproof
|
||||
language sql as $$
|
||||
select 'global', (select uuid from rbac.object where objectTable = 'global'), 'GUEST'::RbacRoleType, assumed;
|
||||
select 'rbac.global', (select uuid from rbac.object where objectTable = 'rbac.global'), 'GUEST'::RbacRoleType, assumed;
|
||||
$$;
|
||||
|
||||
begin transaction;
|
||||
call basis.defineContext('creating role:global#global:guest', null, null, null);
|
||||
call basis.defineContext('creating role:rbac.global#global:guest', null, null, null);
|
||||
select createRole(globalGuest());
|
||||
commit;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset rbac-global-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
|
||||
--changeset rbac-GLOBAL-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
Create two users and assign both to the administrators role.
|
||||
@ -168,7 +168,7 @@ $$;
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset rbac-global-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
|
||||
--changeset rbac-GLOBAL-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/*
|
||||
|
@ -32,12 +32,12 @@ end
|
||||
user:creator ==>|XX| role:customer:OWNER
|
||||
|
||||
%% granting roles to roles
|
||||
role:global:ADMIN ==>|XX| role:customer:OWNER
|
||||
role:rbac.global:ADMIN ==>|XX| role:customer:OWNER
|
||||
role:customer:OWNER ==> role:customer:ADMIN
|
||||
role:customer:ADMIN ==> role:customer:TENANT
|
||||
|
||||
%% granting permissions to roles
|
||||
role:global:ADMIN ==> perm:customer:INSERT
|
||||
role:rbac.global:ADMIN ==> perm:customer:INSERT
|
||||
role:customer:OWNER ==> perm:customer:DELETE
|
||||
role:customer:ADMIN ==> perm:customer:UPDATE
|
||||
role:customer:TENANT ==> perm:customer:SELECT
|
||||
|
@ -80,18 +80,18 @@ execute procedure insertTriggerForTestCustomer_tf();
|
||||
--changeset test-customer-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
-- granting INSERT permission to global ----------------------------
|
||||
-- granting INSERT permission to rbac.global ----------------------------
|
||||
|
||||
/*
|
||||
Grants INSERT INTO test_customer permissions to specified role of pre-existing global rows.
|
||||
Grants INSERT INTO test_customer permissions to specified role of pre-existing rbac.global rows.
|
||||
*/
|
||||
do language plpgsql $$
|
||||
declare
|
||||
row global;
|
||||
row rbac.global%ROWTYPE;
|
||||
begin
|
||||
call basis.defineContext('create INSERT INTO test_customer permissions for pre-exising global rows');
|
||||
call basis.defineContext('create INSERT INTO test_customer permissions for pre-exising rbac.global rows');
|
||||
|
||||
FOR row IN SELECT * FROM global
|
||||
FOR row IN SELECT * FROM rbac.global
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
@ -102,7 +102,7 @@ do language plpgsql $$
|
||||
$$;
|
||||
|
||||
/**
|
||||
Grants test_customer INSERT permission to specified role of new global rows.
|
||||
Grants test_customer INSERT permission to specified role of new rbac.global rows.
|
||||
*/
|
||||
create or replace function new_test_customer_grants_insert_to_global_tf()
|
||||
returns trigger
|
||||
@ -119,7 +119,7 @@ end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_test_customer_grants_insert_to_global_tg
|
||||
after insert on global
|
||||
after insert on rbac.global
|
||||
for each row
|
||||
execute procedure new_test_customer_grants_insert_to_global_tf();
|
||||
|
||||
@ -137,8 +137,8 @@ create or replace function test_customer_insert_permission_check_tf()
|
||||
declare
|
||||
superObjectUuid uuid;
|
||||
begin
|
||||
-- check INSERT INSERT if global ADMIN
|
||||
if isGlobalAdmin() then
|
||||
-- check INSERT INSERT if rbac.global ADMIN
|
||||
if rbac.isGlobalAdmin() then
|
||||
return NEW;
|
||||
end if;
|
||||
|
||||
|
@ -72,7 +72,7 @@ end; $$;
|
||||
|
||||
do language plpgsql $$
|
||||
begin
|
||||
call basis.defineContext('creating RBAC test customer', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
||||
call basis.defineContext('creating RBAC test customer', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
|
||||
|
||||
call createTestCustomerTestData(99901, 'xxx');
|
||||
call createTestCustomerTestData(99902, 'yyy');
|
||||
|
@ -42,7 +42,7 @@ subgraph package["`**package**`"]
|
||||
end
|
||||
|
||||
%% granting roles to roles
|
||||
role:global:ADMIN -.->|XX| role:customer:OWNER
|
||||
role:rbac.global:ADMIN -.->|XX| role:customer:OWNER
|
||||
role:customer:OWNER -.-> role:customer:ADMIN
|
||||
role:customer:ADMIN -.-> role:customer:TENANT
|
||||
role:customer:ADMIN ==> role:package:OWNER
|
||||
|
@ -54,7 +54,7 @@ subgraph package.customer["`**package.customer**`"]
|
||||
end
|
||||
|
||||
%% granting roles to roles
|
||||
role:global:ADMIN -.->|XX| role:package.customer:OWNER
|
||||
role:rbac.global:ADMIN -.->|XX| role:package.customer:OWNER
|
||||
role:package.customer:OWNER -.-> role:package.customer:ADMIN
|
||||
role:package.customer:ADMIN -.-> role:package.customer:TENANT
|
||||
role:package.customer:ADMIN -.-> role:package:OWNER
|
||||
|
@ -32,7 +32,7 @@ end
|
||||
user:creator ==> role:contact:OWNER
|
||||
|
||||
%% granting roles to roles
|
||||
role:global:ADMIN ==> role:contact:OWNER
|
||||
role:rbac.global:ADMIN ==> role:contact:OWNER
|
||||
role:contact:OWNER ==> role:contact:ADMIN
|
||||
role:contact:ADMIN ==> role:contact:REFERRER
|
||||
|
||||
@ -40,6 +40,6 @@ role:contact:ADMIN ==> role:contact:REFERRER
|
||||
role:contact:OWNER ==> perm:contact:DELETE
|
||||
role:contact:ADMIN ==> perm:contact:UPDATE
|
||||
role:contact:REFERRER ==> perm:contact:SELECT
|
||||
role:global:GUEST ==> perm:contact:INSERT
|
||||
role:rbac.global:GUEST ==> perm:contact:INSERT
|
||||
|
||||
```
|
||||
|
@ -32,12 +32,12 @@ end
|
||||
user:creator ==> role:person:OWNER
|
||||
|
||||
%% granting roles to roles
|
||||
role:global:ADMIN ==> role:person:OWNER
|
||||
role:rbac.global:ADMIN ==> role:person:OWNER
|
||||
role:person:OWNER ==> role:person:ADMIN
|
||||
role:person:ADMIN ==> role:person:REFERRER
|
||||
|
||||
%% granting permissions to roles
|
||||
role:global:GUEST ==> perm:person:INSERT
|
||||
role:rbac.global:GUEST ==> perm:person:INSERT
|
||||
role:person:OWNER ==> perm:person:DELETE
|
||||
role:person:ADMIN ==> perm:person:UPDATE
|
||||
role:person:REFERRER ==> perm:person:SELECT
|
||||
|
@ -72,16 +72,16 @@ end
|
||||
user:creator ==> role:relation:OWNER
|
||||
|
||||
%% granting roles to roles
|
||||
role:global:ADMIN -.-> role:anchorPerson:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:anchorPerson:OWNER
|
||||
role:anchorPerson:OWNER -.-> role:anchorPerson:ADMIN
|
||||
role:anchorPerson:ADMIN -.-> role:anchorPerson:REFERRER
|
||||
role:global:ADMIN -.-> role:holderPerson:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:holderPerson:OWNER
|
||||
role:holderPerson:OWNER -.-> role:holderPerson:ADMIN
|
||||
role:holderPerson:ADMIN -.-> role:holderPerson:REFERRER
|
||||
role:global:ADMIN -.-> role:contact:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:contact:OWNER
|
||||
role:contact:OWNER -.-> role:contact:ADMIN
|
||||
role:contact:ADMIN -.-> role:contact:REFERRER
|
||||
role:global:ADMIN ==> role:relation:OWNER
|
||||
role:rbac.global:ADMIN ==> role:relation:OWNER
|
||||
role:holderPerson:ADMIN ==> role:relation:OWNER
|
||||
role:relation:OWNER ==> role:relation:ADMIN
|
||||
role:relation:ADMIN ==> role:anchorPerson:OWNER
|
||||
|
@ -72,16 +72,16 @@ end
|
||||
user:creator ==> role:relation:OWNER
|
||||
|
||||
%% granting roles to roles
|
||||
role:global:ADMIN -.-> role:anchorPerson:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:anchorPerson:OWNER
|
||||
role:anchorPerson:OWNER -.-> role:anchorPerson:ADMIN
|
||||
role:anchorPerson:ADMIN -.-> role:anchorPerson:REFERRER
|
||||
role:global:ADMIN -.-> role:holderPerson:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:holderPerson:OWNER
|
||||
role:holderPerson:OWNER -.-> role:holderPerson:ADMIN
|
||||
role:holderPerson:ADMIN -.-> role:holderPerson:REFERRER
|
||||
role:global:ADMIN -.-> role:contact:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:contact:OWNER
|
||||
role:contact:OWNER -.-> role:contact:ADMIN
|
||||
role:contact:ADMIN -.-> role:contact:REFERRER
|
||||
role:global:ADMIN ==> role:relation:OWNER
|
||||
role:rbac.global:ADMIN ==> role:relation:OWNER
|
||||
role:relation:OWNER ==> role:relation:ADMIN
|
||||
role:relation:ADMIN ==> role:relation:AGENT
|
||||
role:relation:AGENT ==> role:relation:TENANT
|
||||
|
@ -85,7 +85,7 @@ end; $$;
|
||||
|
||||
do language plpgsql $$
|
||||
begin
|
||||
call basis.defineContext('creating relation test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
||||
call basis.defineContext('creating relation test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
|
||||
|
||||
call createHsOfficeRelationTestData('First GmbH', 'PARTNER', 'Hostsharing eG', 'first contact');
|
||||
call createHsOfficeRelationTestData('Firby', 'REPRESENTATIVE', 'First GmbH', 'first contact');
|
||||
|
@ -87,16 +87,16 @@ subgraph partnerRel.holderPerson["`**partnerRel.holderPerson**`"]
|
||||
end
|
||||
|
||||
%% granting roles to roles
|
||||
role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
|
||||
role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
|
||||
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
|
||||
role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
|
||||
role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
|
||||
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
|
||||
role:global:ADMIN -.-> role:partnerRel.contact:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:partnerRel.contact:OWNER
|
||||
role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
|
||||
role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
|
||||
role:global:ADMIN -.-> role:partnerRel:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:partnerRel:OWNER
|
||||
role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
|
||||
role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
|
||||
role:partnerRel:AGENT -.-> role:partnerRel:TENANT
|
||||
@ -108,7 +108,7 @@ role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:OWNER
|
||||
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
|
||||
|
||||
%% granting permissions to roles
|
||||
role:global:ADMIN ==> perm:partner:INSERT
|
||||
role:rbac.global:ADMIN ==> perm:partner:INSERT
|
||||
role:partnerRel:OWNER ==> perm:partner:DELETE
|
||||
role:partnerRel:ADMIN ==> perm:partner:UPDATE
|
||||
role:partnerRel:TENANT ==> perm:partner:SELECT
|
||||
|
@ -157,18 +157,18 @@ execute procedure updateTriggerForHsOfficePartner_tf();
|
||||
--changeset hs-office-partner-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
-- granting INSERT permission to global ----------------------------
|
||||
-- granting INSERT permission to rbac.global ----------------------------
|
||||
|
||||
/*
|
||||
Grants INSERT INTO hs_office_partner permissions to specified role of pre-existing global rows.
|
||||
Grants INSERT INTO hs_office_partner permissions to specified role of pre-existing rbac.global rows.
|
||||
*/
|
||||
do language plpgsql $$
|
||||
declare
|
||||
row global;
|
||||
row rbac.global%ROWTYPE;
|
||||
begin
|
||||
call basis.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising global rows');
|
||||
call basis.defineContext('create INSERT INTO hs_office_partner permissions for pre-exising rbac.Global rows');
|
||||
|
||||
FOR row IN SELECT * FROM global
|
||||
FOR row IN SELECT * FROM rbac.global
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
@ -179,7 +179,7 @@ do language plpgsql $$
|
||||
$$;
|
||||
|
||||
/**
|
||||
Grants hs_office_partner INSERT permission to specified role of new global rows.
|
||||
Grants hs_office_partner INSERT permission to specified role of new rbac.global rows.
|
||||
*/
|
||||
create or replace function new_hs_office_partner_grants_insert_to_global_tf()
|
||||
returns trigger
|
||||
@ -196,7 +196,7 @@ end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_hs_office_partner_grants_insert_to_global_tg
|
||||
after insert on global
|
||||
after insert on rbac.global
|
||||
for each row
|
||||
execute procedure new_hs_office_partner_grants_insert_to_global_tf();
|
||||
|
||||
@ -214,8 +214,8 @@ create or replace function hs_office_partner_insert_permission_check_tf()
|
||||
declare
|
||||
superObjectUuid uuid;
|
||||
begin
|
||||
-- check INSERT INSERT if global ADMIN
|
||||
if isGlobalAdmin() then
|
||||
-- check INSERT INSERT if rbac.global ADMIN
|
||||
if rbac.isGlobalAdmin() then
|
||||
return NEW;
|
||||
end if;
|
||||
|
||||
|
@ -18,6 +18,6 @@ subgraph partnerDetails["`**partnerDetails**`"]
|
||||
end
|
||||
|
||||
%% granting permissions to roles
|
||||
role:global:ADMIN ==> perm:partnerDetails:INSERT
|
||||
role:rbac.global:ADMIN ==> perm:partnerDetails:INSERT
|
||||
|
||||
```
|
||||
|
@ -61,25 +61,25 @@ execute procedure insertTriggerForHsOfficePartnerDetails_tf();
|
||||
--changeset hs-office-partner-details-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
-- granting INSERT permission to global ----------------------------
|
||||
-- granting INSERT permission to rbac.global ----------------------------
|
||||
|
||||
/*
|
||||
Grants INSERT INTO hs_office_partner_details permissions to specified role of pre-existing global rows.
|
||||
Grants INSERT INTO hs_office_partner_details permissions to specified role of pre-existing rbac.global rows.
|
||||
*/
|
||||
do language plpgsql $$
|
||||
declare
|
||||
row global;
|
||||
begin
|
||||
call basis.defineContext('create INSERT INTO hs_office_partner_details permissions for pre-exising global rows');
|
||||
declare
|
||||
row rbac.global;
|
||||
begin
|
||||
call basis.defineContext('create INSERT INTO hs_office_partner_details permissions for pre-exising global rows');
|
||||
|
||||
FOR row IN SELECT * FROM global
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
FOR row IN SELECT * FROM rbac.global
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
createPermission(row.uuid, 'INSERT', 'hs_office_partner_details'),
|
||||
globalADMIN());
|
||||
END LOOP;
|
||||
end;
|
||||
END LOOP;
|
||||
end;
|
||||
$$;
|
||||
|
||||
/**
|
||||
@ -100,7 +100,7 @@ end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_hs_office_partner_details_grants_insert_to_global_tg
|
||||
after insert on global
|
||||
after insert on rbac.global
|
||||
for each row
|
||||
execute procedure new_hs_office_partner_details_grants_insert_to_global_tf();
|
||||
|
||||
@ -118,8 +118,8 @@ create or replace function hs_office_partner_details_insert_permission_check_tf(
|
||||
declare
|
||||
superObjectUuid uuid;
|
||||
begin
|
||||
-- check INSERT INSERT if global ADMIN
|
||||
if isGlobalAdmin() then
|
||||
-- check INSERT INSERT if rbac.Global ADMIN
|
||||
if rbac.isGlobalAdmin() then
|
||||
return NEW;
|
||||
end if;
|
||||
|
||||
|
@ -71,7 +71,7 @@ end; $$;
|
||||
|
||||
do language plpgsql $$
|
||||
begin
|
||||
call basis.defineContext('creating partner test-data ', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
||||
call basis.defineContext('creating partner test-data ', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
|
||||
|
||||
call createHsOfficePartnerTestData('Hostsharing eG', 10001, 'First GmbH', 'first contact');
|
||||
call createHsOfficePartnerTestData('Hostsharing eG', 10002, 'Second e.K.', 'second contact');
|
||||
|
@ -32,12 +32,12 @@ end
|
||||
user:creator ==> role:bankAccount:OWNER
|
||||
|
||||
%% granting roles to roles
|
||||
role:global:ADMIN ==> role:bankAccount:OWNER
|
||||
role:rbac.global:ADMIN ==> role:bankAccount:OWNER
|
||||
role:bankAccount:OWNER ==> role:bankAccount:ADMIN
|
||||
role:bankAccount:ADMIN ==> role:bankAccount:REFERRER
|
||||
|
||||
%% granting permissions to roles
|
||||
role:global:GUEST ==> perm:bankAccount:INSERT
|
||||
role:rbac.global:GUEST ==> perm:bankAccount:INSERT
|
||||
role:bankAccount:OWNER ==> perm:bankAccount:DELETE
|
||||
role:bankAccount:ADMIN ==> perm:bankAccount:UPDATE
|
||||
role:bankAccount:REFERRER ==> perm:bankAccount:SELECT
|
||||
|
@ -140,16 +140,16 @@ subgraph refundBankAccount["`**refundBankAccount**`"]
|
||||
end
|
||||
|
||||
%% granting roles to roles
|
||||
role:global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
|
||||
role:debitorRel.anchorPerson:OWNER -.-> role:debitorRel.anchorPerson:ADMIN
|
||||
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel.anchorPerson:REFERRER
|
||||
role:global:ADMIN -.-> role:debitorRel.holderPerson:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:debitorRel.holderPerson:OWNER
|
||||
role:debitorRel.holderPerson:OWNER -.-> role:debitorRel.holderPerson:ADMIN
|
||||
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER
|
||||
role:global:ADMIN -.-> role:debitorRel.contact:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:debitorRel.contact:OWNER
|
||||
role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
|
||||
role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
|
||||
role:global:ADMIN -.-> role:debitorRel:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:debitorRel:OWNER
|
||||
role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
|
||||
role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
|
||||
role:debitorRel:AGENT -.-> role:debitorRel:TENANT
|
||||
@ -159,21 +159,21 @@ role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
|
||||
role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER
|
||||
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:OWNER
|
||||
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
|
||||
role:global:ADMIN -.-> role:refundBankAccount:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:refundBankAccount:OWNER
|
||||
role:refundBankAccount:OWNER -.-> role:refundBankAccount:ADMIN
|
||||
role:refundBankAccount:ADMIN -.-> role:refundBankAccount:REFERRER
|
||||
role:refundBankAccount:ADMIN ==> role:debitorRel:AGENT
|
||||
role:debitorRel:AGENT ==> role:refundBankAccount:REFERRER
|
||||
role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
|
||||
role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
|
||||
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
|
||||
role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
|
||||
role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
|
||||
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
|
||||
role:global:ADMIN -.-> role:partnerRel.contact:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:partnerRel.contact:OWNER
|
||||
role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
|
||||
role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
|
||||
role:global:ADMIN -.-> role:partnerRel:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:partnerRel:OWNER
|
||||
role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
|
||||
role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
|
||||
role:partnerRel:AGENT -.-> role:partnerRel:TENANT
|
||||
@ -188,7 +188,7 @@ role:partnerRel:AGENT ==> role:debitorRel:AGENT
|
||||
role:debitorRel:AGENT ==> role:partnerRel:TENANT
|
||||
|
||||
%% granting permissions to roles
|
||||
role:global:ADMIN ==> perm:debitor:INSERT
|
||||
role:rbac.global:ADMIN ==> perm:debitor:INSERT
|
||||
role:debitorRel:OWNER ==> perm:debitor:DELETE
|
||||
role:debitorRel:ADMIN ==> perm:debitor:UPDATE
|
||||
role:debitorRel:TENANT ==> perm:debitor:SELECT
|
||||
|
@ -130,18 +130,18 @@ execute procedure updateTriggerForHsOfficeDebitor_tf();
|
||||
--changeset hs-office-debitor-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
-- granting INSERT permission to global ----------------------------
|
||||
-- granting INSERT permission to rbac.Global ----------------------------
|
||||
|
||||
/*
|
||||
Grants INSERT INTO hs_office_debitor permissions to specified role of pre-existing global rows.
|
||||
Grants INSERT INTO hs_office_debitor permissions to specified role of pre-existing rbac.global rows.
|
||||
*/
|
||||
do language plpgsql $$
|
||||
declare
|
||||
row global;
|
||||
row rbac.global%ROWTYPE;
|
||||
begin
|
||||
call basis.defineContext('create INSERT INTO hs_office_debitor permissions for pre-exising global rows');
|
||||
call basis.defineContext('create INSERT INTO hs_office_debitor permissions for pre-exising rbac.Global rows');
|
||||
|
||||
FOR row IN SELECT * FROM global
|
||||
FOR row IN SELECT * FROM rbac.global
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
@ -152,7 +152,7 @@ do language plpgsql $$
|
||||
$$;
|
||||
|
||||
/**
|
||||
Grants hs_office_debitor INSERT permission to specified role of new global rows.
|
||||
Grants hs_office_debitor INSERT permission to specified role of new rbac.global rows.
|
||||
*/
|
||||
create or replace function new_hs_office_debitor_grants_insert_to_global_tf()
|
||||
returns trigger
|
||||
@ -169,7 +169,7 @@ end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_hs_office_debitor_grants_insert_to_global_tg
|
||||
after insert on global
|
||||
after insert on rbac.global
|
||||
for each row
|
||||
execute procedure new_hs_office_debitor_grants_insert_to_global_tf();
|
||||
|
||||
@ -187,8 +187,8 @@ create or replace function hs_office_debitor_insert_permission_check_tf()
|
||||
declare
|
||||
superObjectUuid uuid;
|
||||
begin
|
||||
-- check INSERT INSERT if global ADMIN
|
||||
if isGlobalAdmin() then
|
||||
-- check INSERT INSERT if rbac.global ADMIN
|
||||
if rbac.isGlobalAdmin() then
|
||||
return NEW;
|
||||
end if;
|
||||
|
||||
|
@ -50,7 +50,7 @@ end; $$;
|
||||
|
||||
do language plpgsql $$
|
||||
begin
|
||||
call basis.defineContext('creating debitor test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
||||
call basis.defineContext('creating debitor test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
|
||||
|
||||
call createHsOfficeDebitorTestData(11, 'First GmbH', 'first contact', 'fir');
|
||||
call createHsOfficeDebitorTestData(12, 'Second e.K.', 'second contact', 'sec');
|
||||
|
@ -99,16 +99,16 @@ end
|
||||
user:creator ==> role:sepaMandate:OWNER
|
||||
|
||||
%% granting roles to roles
|
||||
role:global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
|
||||
role:debitorRel.anchorPerson:OWNER -.-> role:debitorRel.anchorPerson:ADMIN
|
||||
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel.anchorPerson:REFERRER
|
||||
role:global:ADMIN -.-> role:debitorRel.holderPerson:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:debitorRel.holderPerson:OWNER
|
||||
role:debitorRel.holderPerson:OWNER -.-> role:debitorRel.holderPerson:ADMIN
|
||||
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel.holderPerson:REFERRER
|
||||
role:global:ADMIN -.-> role:debitorRel.contact:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:debitorRel.contact:OWNER
|
||||
role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
|
||||
role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
|
||||
role:global:ADMIN -.-> role:debitorRel:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:debitorRel:OWNER
|
||||
role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
|
||||
role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
|
||||
role:debitorRel:AGENT -.-> role:debitorRel:TENANT
|
||||
@ -118,10 +118,10 @@ role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
|
||||
role:debitorRel:TENANT -.-> role:debitorRel.contact:REFERRER
|
||||
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:OWNER
|
||||
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
|
||||
role:global:ADMIN -.-> role:bankAccount:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:bankAccount:OWNER
|
||||
role:bankAccount:OWNER -.-> role:bankAccount:ADMIN
|
||||
role:bankAccount:ADMIN -.-> role:bankAccount:REFERRER
|
||||
role:global:ADMIN ==> role:sepaMandate:OWNER
|
||||
role:rbac.global:ADMIN ==> role:sepaMandate:OWNER
|
||||
role:sepaMandate:OWNER ==> role:sepaMandate:ADMIN
|
||||
role:sepaMandate:ADMIN ==> role:sepaMandate:AGENT
|
||||
role:sepaMandate:AGENT ==> role:bankAccount:REFERRER
|
||||
|
@ -43,7 +43,7 @@ end; $$;
|
||||
|
||||
do language plpgsql $$
|
||||
begin
|
||||
call basis.defineContext('creating SEPA-mandate test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
||||
call basis.defineContext('creating SEPA-mandate test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
|
||||
|
||||
call createHsOfficeSepaMandateTestData(10001, '11', 'DE02120300000000202051', 'ref-10001-11');
|
||||
call createHsOfficeSepaMandateTestData(10002, '12', 'DE02100500000054540402', 'ref-10002-12');
|
||||
|
@ -85,16 +85,16 @@ end
|
||||
user:creator ==> role:membership:OWNER
|
||||
|
||||
%% granting roles to roles
|
||||
role:global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
|
||||
role:partnerRel.anchorPerson:OWNER -.-> role:partnerRel.anchorPerson:ADMIN
|
||||
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel.anchorPerson:REFERRER
|
||||
role:global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:partnerRel.holderPerson:OWNER
|
||||
role:partnerRel.holderPerson:OWNER -.-> role:partnerRel.holderPerson:ADMIN
|
||||
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel.holderPerson:REFERRER
|
||||
role:global:ADMIN -.-> role:partnerRel.contact:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:partnerRel.contact:OWNER
|
||||
role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
|
||||
role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
|
||||
role:global:ADMIN -.-> role:partnerRel:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:partnerRel:OWNER
|
||||
role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
|
||||
role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
|
||||
role:partnerRel:AGENT -.-> role:partnerRel:TENANT
|
||||
@ -111,7 +111,7 @@ role:partnerRel:AGENT ==> role:membership:AGENT
|
||||
role:membership:AGENT ==> role:partnerRel:TENANT
|
||||
|
||||
%% granting permissions to roles
|
||||
role:global:ADMIN ==> perm:membership:INSERT
|
||||
role:rbac.global:ADMIN ==> perm:membership:INSERT
|
||||
role:membership:ADMIN ==> perm:membership:DELETE
|
||||
role:membership:ADMIN ==> perm:membership:UPDATE
|
||||
role:membership:AGENT ==> perm:membership:SELECT
|
||||
|
@ -92,18 +92,18 @@ execute procedure insertTriggerForHsOfficeMembership_tf();
|
||||
--changeset hs-office-membership-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
-- granting INSERT permission to global ----------------------------
|
||||
-- granting INSERT permission to rbac.global ----------------------------
|
||||
|
||||
/*
|
||||
Grants INSERT INTO hs_office_membership permissions to specified role of pre-existing global rows.
|
||||
Grants INSERT INTO hs_office_membership permissions to specified role of pre-existing rbac.global rows.
|
||||
*/
|
||||
do language plpgsql $$
|
||||
declare
|
||||
row global;
|
||||
row rbac.global%ROWTYPE;
|
||||
begin
|
||||
call basis.defineContext('create INSERT INTO hs_office_membership permissions for pre-exising global rows');
|
||||
call basis.defineContext('create INSERT INTO hs_office_membership permissions for pre-exising rbac.Global rows');
|
||||
|
||||
FOR row IN SELECT * FROM global
|
||||
FOR row IN SELECT * FROM rbac.global
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
@ -114,7 +114,7 @@ do language plpgsql $$
|
||||
$$;
|
||||
|
||||
/**
|
||||
Grants hs_office_membership INSERT permission to specified role of new global rows.
|
||||
Grants hs_office_membership INSERT permission to specified role of new rbac.Global rows.
|
||||
*/
|
||||
create or replace function new_hs_office_membership_grants_insert_to_global_tf()
|
||||
returns trigger
|
||||
@ -131,7 +131,7 @@ end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_hs_office_membership_grants_insert_to_global_tg
|
||||
after insert on global
|
||||
after insert on rbac.global
|
||||
for each row
|
||||
execute procedure new_hs_office_membership_grants_insert_to_global_tf();
|
||||
|
||||
@ -149,8 +149,8 @@ create or replace function hs_office_membership_insert_permission_check_tf()
|
||||
declare
|
||||
superObjectUuid uuid;
|
||||
begin
|
||||
-- check INSERT INSERT if global ADMIN
|
||||
if isGlobalAdmin() then
|
||||
-- check INSERT INSERT if rbac.Global ADMIN
|
||||
if rbac.isGlobalAdmin() then
|
||||
return NEW;
|
||||
end if;
|
||||
|
||||
|
@ -33,7 +33,7 @@ end; $$;
|
||||
|
||||
do language plpgsql $$
|
||||
begin
|
||||
call basis.defineContext('creating Membership test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
||||
call basis.defineContext('creating Membership test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
|
||||
|
||||
call createHsOfficeMembershipTestData(10001, '01');
|
||||
call createHsOfficeMembershipTestData(10002, '02');
|
||||
|
@ -86,16 +86,16 @@ subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPers
|
||||
end
|
||||
|
||||
%% granting roles to roles
|
||||
role:global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
|
||||
role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN
|
||||
role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER
|
||||
role:global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER
|
||||
role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN
|
||||
role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER
|
||||
role:global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
|
||||
role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN
|
||||
role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER
|
||||
role:global:ADMIN -.-> role:membership.partnerRel:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:membership.partnerRel:OWNER
|
||||
role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN
|
||||
role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT
|
||||
role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT
|
||||
|
@ -86,16 +86,16 @@ subgraph membership.partnerRel.holderPerson["`**membership.partnerRel.holderPers
|
||||
end
|
||||
|
||||
%% granting roles to roles
|
||||
role:global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
|
||||
role:membership.partnerRel.anchorPerson:OWNER -.-> role:membership.partnerRel.anchorPerson:ADMIN
|
||||
role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel.anchorPerson:REFERRER
|
||||
role:global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:membership.partnerRel.holderPerson:OWNER
|
||||
role:membership.partnerRel.holderPerson:OWNER -.-> role:membership.partnerRel.holderPerson:ADMIN
|
||||
role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel.holderPerson:REFERRER
|
||||
role:global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
|
||||
role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN
|
||||
role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER
|
||||
role:global:ADMIN -.-> role:membership.partnerRel:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:membership.partnerRel:OWNER
|
||||
role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN
|
||||
role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT
|
||||
role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT
|
||||
|
@ -44,7 +44,7 @@ subgraph project["`**project**`"]
|
||||
end
|
||||
|
||||
%% granting roles to roles
|
||||
role:global:ADMIN -.-> role:debitorRel:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:debitorRel:OWNER
|
||||
role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
|
||||
role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
|
||||
role:debitorRel:AGENT -.-> role:debitorRel:TENANT
|
||||
@ -56,7 +56,7 @@ role:project:TENANT ==> role:debitorRel:TENANT
|
||||
|
||||
%% granting permissions to roles
|
||||
role:debitorRel:ADMIN ==> perm:project:INSERT
|
||||
role:global:ADMIN ==> perm:project:DELETE
|
||||
role:rbac.global:ADMIN ==> perm:project:DELETE
|
||||
role:project:ADMIN ==> perm:project:UPDATE
|
||||
role:project:TENANT ==> perm:project:SELECT
|
||||
|
||||
|
@ -39,7 +39,7 @@ end; $$;
|
||||
|
||||
do language plpgsql $$
|
||||
begin
|
||||
call basis.defineContext('creating booking-project test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
||||
call basis.defineContext('creating booking-project test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
|
||||
|
||||
call createHsBookingProjectTransactionTestData(10001, '11');
|
||||
call createHsBookingProjectTransactionTestData(10002, '12');
|
||||
|
@ -54,8 +54,8 @@ role:bookingItem:AGENT ==> role:bookingItem:TENANT
|
||||
role:bookingItem:TENANT ==> role:project:TENANT
|
||||
|
||||
%% granting permissions to roles
|
||||
role:global:ADMIN ==> perm:bookingItem:INSERT
|
||||
role:global:ADMIN ==> perm:bookingItem:DELETE
|
||||
role:rbac.global:ADMIN ==> perm:bookingItem:INSERT
|
||||
role:rbac.global:ADMIN ==> perm:bookingItem:DELETE
|
||||
role:project:ADMIN ==> perm:bookingItem:INSERT
|
||||
role:bookingItem:ADMIN ==> perm:bookingItem:UPDATE
|
||||
role:bookingItem:TENANT ==> perm:bookingItem:SELECT
|
||||
|
@ -105,11 +105,11 @@ execute procedure insertTriggerForHsBookingItem_tf();
|
||||
*/
|
||||
do language plpgsql $$
|
||||
declare
|
||||
row global;
|
||||
row rbac.global%ROWTYPE;
|
||||
begin
|
||||
call basis.defineContext('create INSERT INTO hs_booking_item permissions for pre-exising global rows');
|
||||
call basis.defineContext('create INSERT INTO hs_booking_item permissions for pre-exising rbac.global rows');
|
||||
|
||||
FOR row IN SELECT * FROM global
|
||||
FOR row IN SELECT * FROM rbac.global
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
@ -120,7 +120,7 @@ do language plpgsql $$
|
||||
$$;
|
||||
|
||||
/**
|
||||
Grants hs_booking_item INSERT permission to specified role of new global rows.
|
||||
Grants hs_booking_item INSERT permission to specified role of new rbac.global rows.
|
||||
*/
|
||||
create or replace function new_hs_booking_item_grants_insert_to_global_tf()
|
||||
returns trigger
|
||||
@ -137,7 +137,7 @@ end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_hs_booking_item_grants_insert_to_global_tg
|
||||
after insert on global
|
||||
after insert on rbac.global
|
||||
for each row
|
||||
execute procedure new_hs_booking_item_grants_insert_to_global_tf();
|
||||
|
||||
@ -225,8 +225,8 @@ create or replace function hs_booking_item_insert_permission_check_tf()
|
||||
declare
|
||||
superObjectUuid uuid;
|
||||
begin
|
||||
-- check INSERT INSERT if global ADMIN
|
||||
if isGlobalAdmin() then
|
||||
-- check INSERT INSERT if rbac.Global ADMIN
|
||||
if rbac.isGlobalAdmin() then
|
||||
return NEW;
|
||||
end if;
|
||||
-- check INSERT permission via direct foreign key: NEW.projectUuid
|
||||
|
@ -47,7 +47,7 @@ do language plpgsql $$
|
||||
declare
|
||||
currentTask text;
|
||||
begin
|
||||
call basis.defineContext('creating booking-item test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
||||
call basis.defineContext('creating booking-item test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
|
||||
|
||||
call createHsBookingItemTransactionTestData(10001, '11');
|
||||
call createHsBookingItemTransactionTestData(10002, '12');
|
||||
|
@ -54,8 +54,8 @@ role:bookingItem:AGENT ==> role:bookingItem:TENANT
|
||||
role:bookingItem:TENANT ==> role:project:TENANT
|
||||
|
||||
%% granting permissions to roles
|
||||
role:global:ADMIN ==> perm:bookingItem:INSERT
|
||||
role:global:ADMIN ==> perm:bookingItem:DELETE
|
||||
role:rbac.global:ADMIN ==> perm:bookingItem:INSERT
|
||||
role:rbac.global:ADMIN ==> perm:bookingItem:DELETE
|
||||
role:project:ADMIN ==> perm:bookingItem:INSERT
|
||||
role:bookingItem:ADMIN ==> perm:bookingItem:UPDATE
|
||||
role:bookingItem:TENANT ==> perm:bookingItem:SELECT
|
||||
|
@ -105,11 +105,11 @@ execute procedure insertTriggerForHsBookingItem_tf();
|
||||
*/
|
||||
do language plpgsql $$
|
||||
declare
|
||||
row global;
|
||||
row rbac.global%ROWTYPE;
|
||||
begin
|
||||
call basis.defineContext('create INSERT INTO hs_booking_item permissions for pre-exising global rows');
|
||||
call basis.defineContext('create INSERT INTO hs_booking_item permissions for pre-exising rbac.global rows');
|
||||
|
||||
FOR row IN SELECT * FROM global
|
||||
FOR row IN SELECT * FROM rbac.global
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
@ -120,7 +120,7 @@ do language plpgsql $$
|
||||
$$;
|
||||
|
||||
/**
|
||||
Grants hs_booking_item INSERT permission to specified role of new global rows.
|
||||
Grants hs_booking_item INSERT permission to specified role of new rbac.global rows.
|
||||
*/
|
||||
create or replace function new_hs_booking_item_grants_insert_to_global_tf()
|
||||
returns trigger
|
||||
@ -137,7 +137,7 @@ end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_hs_booking_item_grants_insert_to_global_tg
|
||||
after insert on global
|
||||
after insert on rbac.global
|
||||
for each row
|
||||
execute procedure new_hs_booking_item_grants_insert_to_global_tf();
|
||||
|
||||
@ -225,8 +225,8 @@ create or replace function hs_booking_item_insert_permission_check_tf()
|
||||
declare
|
||||
superObjectUuid uuid;
|
||||
begin
|
||||
-- check INSERT INSERT if global ADMIN
|
||||
if isGlobalAdmin() then
|
||||
-- check INSERT INSERT if rbac.Global ADMIN
|
||||
if rbac.isGlobalAdmin() then
|
||||
return NEW;
|
||||
end if;
|
||||
-- check INSERT permission via direct foreign key: NEW.projectUuid
|
||||
|
@ -88,10 +88,10 @@ user:creator ==> role:asset:OWNER
|
||||
role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
|
||||
role:bookingItem:ADMIN -.-> role:bookingItem:AGENT
|
||||
role:bookingItem:AGENT -.-> role:bookingItem:TENANT
|
||||
role:global:ADMIN -.-> role:alarmContact:OWNER
|
||||
role:rbac.global:ADMIN -.-> role:alarmContact:OWNER
|
||||
role:alarmContact:OWNER -.-> role:alarmContact:ADMIN
|
||||
role:alarmContact:ADMIN -.-> role:alarmContact:REFERRER
|
||||
role:global:ADMIN ==>|XX| role:asset:OWNER
|
||||
role:rbac.global:ADMIN ==>|XX| role:asset:OWNER
|
||||
role:bookingItem:ADMIN ==> role:asset:OWNER
|
||||
role:parentAsset:ADMIN ==> role:asset:OWNER
|
||||
role:asset:OWNER ==> role:asset:ADMIN
|
||||
@ -107,9 +107,9 @@ role:asset:TENANT ==> role:parentAsset:TENANT
|
||||
role:alarmContact:ADMIN ==> role:asset:TENANT
|
||||
|
||||
%% granting permissions to roles
|
||||
role:global:ADMIN ==> perm:asset:INSERT
|
||||
role:rbac.global:ADMIN ==> perm:asset:INSERT
|
||||
role:parentAsset:ADMIN ==> perm:asset:INSERT
|
||||
role:global:GUEST ==> perm:asset:INSERT
|
||||
role:rbac.global:GUEST ==> perm:asset:INSERT
|
||||
role:asset:OWNER ==> perm:asset:DELETE
|
||||
role:asset:ADMIN ==> perm:asset:UPDATE
|
||||
role:asset:TENANT ==> perm:asset:SELECT
|
||||
|
@ -30,7 +30,7 @@ declare
|
||||
pgSqlInstanceUuid uuid;
|
||||
PgSqlSubjectUuid uuid;
|
||||
begin
|
||||
call basis.defineContext('creating hosting-asset test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
||||
call basis.defineContext('creating hosting-asset test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
|
||||
|
||||
select project.* into relatedProject
|
||||
from hs_booking_project project
|
||||
@ -110,7 +110,7 @@ end; $$;
|
||||
|
||||
do language plpgsql $$
|
||||
begin
|
||||
call basis.defineContext('creating hosting-asset test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
||||
call basis.defineContext('creating hosting-asset test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
|
||||
|
||||
call createHsHostingAssetTestData('D-1000111 default project');
|
||||
call createHsHostingAssetTestData('D-1000212 default project');
|
||||
|
@ -6,7 +6,7 @@
|
||||
CREATE VIEW hs_statistics_view AS
|
||||
select *
|
||||
from (select count, "table" as "rbac-table", '' as "hs-table", '' as "type"
|
||||
from rbacstatisticsview
|
||||
from rbac.statistics_v
|
||||
union all
|
||||
select to_char(count(*)::int, '9 999 999 999') as "count", 'objects' as "rbac-table", objecttable as "hs-table", '' as "type"
|
||||
from rbac.object
|
||||
|
@ -158,4 +158,4 @@ databaseChangeLog:
|
||||
- include:
|
||||
file: db/changelog/7-hs-hosting/701-hosting-asset/7018-hs-hosting-asset-test-data.sql
|
||||
- include:
|
||||
file: db/changelog/9-hs-global/9000-statistics.sql
|
||||
file: db/changelog/9-hs-global/9000-statistics.sql
|
||||
|
@ -68,7 +68,7 @@ public class ArchitectureTest {
|
||||
"..mapper",
|
||||
"..ping",
|
||||
"..rbac",
|
||||
"..rbac.rbacSubject",
|
||||
"..rbac.subject",
|
||||
"..rbac.rbacgrant",
|
||||
"..rbac.rbacrole",
|
||||
"..rbac.rbacobject",
|
||||
|
@ -175,9 +175,9 @@ class HsBookingItemRepositoryIntegrationTest extends ContextBasedTestWithCleanup
|
||||
.containsExactlyInAnyOrder(fromFormatted(
|
||||
initialGrantNames,
|
||||
|
||||
// global-admin
|
||||
// rbac.global-admin
|
||||
"{ grant perm:hs_booking_item#somenewbookingitem:INSERT>hs_booking_item to role:hs_booking_item#somenewbookingitem:ADMIN by system and assume }",
|
||||
"{ grant perm:hs_booking_item#somenewbookingitem:DELETE to role:global#global:ADMIN by system and assume }",
|
||||
"{ grant perm:hs_booking_item#somenewbookingitem:DELETE to role:rbac.global#global:ADMIN by system and assume }",
|
||||
|
||||
// owner
|
||||
"{ grant role:hs_booking_item#somenewbookingitem:OWNER to role:hs_booking_project#D-1000111-D-1000111defaultproject:AGENT by system and assume }",
|
||||
|
@ -161,8 +161,8 @@ class HsBookingProjectRepositoryIntegrationTest extends ContextBasedTestWithClea
|
||||
.containsExactlyInAnyOrder(fromFormatted(
|
||||
initialGrantNames,
|
||||
|
||||
// global-admin
|
||||
"{ grant perm:hs_booking_project#D-1000111-somenewbookingproject:DELETE to role:global#global:ADMIN by system and assume }",
|
||||
// rbacgGlobal-admin
|
||||
"{ grant perm:hs_booking_project#D-1000111-somenewbookingproject:DELETE to role:rbac.global#global:ADMIN by system and assume }",
|
||||
|
||||
// owner
|
||||
"{ grant role:hs_booking_project#D-1000111-somenewbookingproject:ADMIN to role:hs_booking_project#D-1000111-somenewbookingproject:OWNER by system and assume }",
|
||||
|
@ -200,8 +200,8 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu
|
||||
.containsExactlyInAnyOrder(fromFormatted(
|
||||
initialGrantNames,
|
||||
|
||||
// global-admin
|
||||
"{ grant role:hs_hosting_asset#fir00:OWNER to role:global#global:ADMIN by system }", // workaround
|
||||
// rbac.global-admin
|
||||
"{ grant role:hs_hosting_asset#fir00:OWNER to role:rbac.global#global:ADMIN by system }", // workaround
|
||||
|
||||
// owner
|
||||
"{ grant role:hs_hosting_asset#fir00:OWNER to user:superuser-alex@hostsharing.net by hs_hosting_asset#fir00:OWNER and assume }",
|
||||
@ -250,7 +250,7 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu
|
||||
context("person-SmithPeter@example.com");
|
||||
assertThatAssetIsPersisted(result.returnedValue());
|
||||
|
||||
// ... a global admin can see the new domain setup as well if the domain OWNER role is assumed
|
||||
// ... a rbac.global admin can see the new domain setup as well if the domain OWNER role is assumed
|
||||
context("superuser-alex@hostsharing.net", "hs_hosting_asset#example.net:OWNER"); // only works with the assumed role
|
||||
assertThatAssetIsPersisted(result.returnedValue());
|
||||
}
|
||||
|
@ -109,7 +109,7 @@ class HsOfficeBankAccountRepositoryIntegrationTest extends ContextBasedTestWithC
|
||||
assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(Array.fromFormatted(
|
||||
initialGrantNames,
|
||||
"{ grant perm:hs_office_bankaccount#DE25500105176934832579:DELETE to role:hs_office_bankaccount#DE25500105176934832579:OWNER by system and assume }",
|
||||
"{ grant role:hs_office_bankaccount#DE25500105176934832579:OWNER to role:global#global:ADMIN by system and assume }",
|
||||
"{ grant role:hs_office_bankaccount#DE25500105176934832579:OWNER to role:rbac.global#global:ADMIN by system and assume }",
|
||||
"{ grant role:hs_office_bankaccount#DE25500105176934832579:OWNER to user:selfregistered-user-drew@hostsharing.org by hs_office_bankaccount#DE25500105176934832579:OWNER and assume }",
|
||||
|
||||
"{ grant role:hs_office_bankaccount#DE25500105176934832579:ADMIN to role:hs_office_bankaccount#DE25500105176934832579:OWNER by system and assume }",
|
||||
|
@ -109,7 +109,7 @@ class HsOfficeContactRbacRepositoryIntegrationTest extends ContextBasedTestWithC
|
||||
));
|
||||
assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(Array.fromFormatted(
|
||||
initialGrantNames,
|
||||
"{ grant role:hs_office_contact#anothernewcontact:OWNER to role:global#global:ADMIN by system and assume }",
|
||||
"{ grant role:hs_office_contact#anothernewcontact:OWNER to role:rbac.global#global:ADMIN by system and assume }",
|
||||
"{ grant perm:hs_office_contact#anothernewcontact:UPDATE to role:hs_office_contact#anothernewcontact:ADMIN by system and assume }",
|
||||
"{ grant role:hs_office_contact#anothernewcontact:OWNER to user:selfregistered-user-drew@hostsharing.org by hs_office_contact#anothernewcontact:OWNER and assume }",
|
||||
"{ grant perm:hs_office_contact#anothernewcontact:DELETE to role:hs_office_contact#anothernewcontact:OWNER by system and assume }",
|
||||
|
@ -190,7 +190,7 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
|
||||
// owner
|
||||
"{ grant perm:debitor#D-1000122:DELETE to role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER by system and assume }",
|
||||
"{ grant perm:relation#FirstGmbH-with-DEBITOR-FourtheG:DELETE to role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER by system and assume }",
|
||||
"{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER to role:global#global:ADMIN by system and assume }",
|
||||
"{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER to role:rbac.global#global:ADMIN by system and assume }",
|
||||
"{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER to role:person#FirstGmbH:ADMIN by system and assume }",
|
||||
"{ grant role:relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER to user:superuser-alex@hostsharing.net by relation#FirstGmbH-with-DEBITOR-FourtheG:OWNER and assume }",
|
||||
|
||||
@ -349,7 +349,7 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
|
||||
|
||||
// then
|
||||
result.assertSuccessful();
|
||||
assertThatDebitorIsVisibleForUserWithRole(result.returnedValue(), "global#global:ADMIN", true);
|
||||
assertThatDebitorIsVisibleForUserWithRole(result.returnedValue(), "rbac.global#global:ADMIN", true);
|
||||
|
||||
// ... partner role was reassigned:
|
||||
assertThatDebitorIsNotVisibleForUserWithRole(
|
||||
@ -398,7 +398,7 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
|
||||
result.assertSuccessful();
|
||||
assertThatDebitorIsVisibleForUserWithRole(
|
||||
result.returnedValue(),
|
||||
"global#global:ADMIN", true);
|
||||
"rbac.global#global:ADMIN", true);
|
||||
|
||||
// ... bank-account role was assigned:
|
||||
assertThatDebitorIsVisibleForUserWithRole(
|
||||
@ -427,7 +427,7 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
|
||||
result.assertSuccessful();
|
||||
assertThatDebitorIsVisibleForUserWithRole(
|
||||
result.returnedValue(),
|
||||
"global#global:ADMIN", true);
|
||||
"rbac.global#global:ADMIN", true);
|
||||
|
||||
// ... bank-account role was removed from previous bank-account admin:
|
||||
assertThatDebitorIsNotVisibleForUserWithRole(
|
||||
|
@ -158,7 +158,7 @@ class HsOfficePartnerRepositoryIntegrationTest extends ContextBasedTestWithClean
|
||||
"{ grant perm:relation#HostsharingeG-with-PARTNER-EBess:SELECT to role:relation#HostsharingeG-with-PARTNER-EBess:TENANT by system and assume }",
|
||||
|
||||
// relation owner
|
||||
"{ grant role:relation#HostsharingeG-with-PARTNER-EBess:OWNER to role:global#global:ADMIN by system and assume }",
|
||||
"{ grant role:relation#HostsharingeG-with-PARTNER-EBess:OWNER to role:rbac.global#global:ADMIN by system and assume }",
|
||||
"{ grant role:relation#HostsharingeG-with-PARTNER-EBess:OWNER to user:superuser-alex@hostsharing.net by relation#HostsharingeG-with-PARTNER-EBess:OWNER and assume }",
|
||||
|
||||
// relation admin
|
||||
@ -278,7 +278,7 @@ class HsOfficePartnerRepositoryIntegrationTest extends ContextBasedTestWithClean
|
||||
|
||||
assertThatPartnerIsVisibleForUserWithRole(
|
||||
givenPartner,
|
||||
"global#global:ADMIN");
|
||||
"rbac.global#global:ADMIN");
|
||||
assertThatPartnerIsVisibleForUserWithRole(
|
||||
givenPartner,
|
||||
"hs_office_person#ThirdOHG:ADMIN");
|
||||
|
@ -112,7 +112,7 @@ class HsOfficePersonRepositoryIntegrationTest extends ContextBasedTestWithCleanu
|
||||
"{ grant perm:hs_office_person#anothernewperson:INSERT>hs_office_relation to role:hs_office_person#anothernewperson:ADMIN by system and assume }",
|
||||
|
||||
"{ grant role:hs_office_person#anothernewperson:OWNER to user:selfregistered-user-drew@hostsharing.org by hs_office_person#anothernewperson:OWNER and assume }",
|
||||
"{ grant role:hs_office_person#anothernewperson:OWNER to role:global#global:ADMIN by system and assume }",
|
||||
"{ grant role:hs_office_person#anothernewperson:OWNER to role:rbac.global#global:ADMIN by system and assume }",
|
||||
"{ grant perm:hs_office_person#anothernewperson:UPDATE to role:hs_office_person#anothernewperson:ADMIN by system and assume }",
|
||||
"{ grant perm:hs_office_person#anothernewperson:DELETE to role:hs_office_person#anothernewperson:OWNER by system and assume }",
|
||||
"{ grant role:hs_office_person#anothernewperson:ADMIN to role:hs_office_person#anothernewperson:OWNER by system and assume }",
|
||||
|
@ -133,7 +133,7 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
|
||||
initialGrantNames,
|
||||
|
||||
"{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:DELETE to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER by system and assume }",
|
||||
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER to role:global#global:ADMIN by system and assume }",
|
||||
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER to role:rbac.global#global:ADMIN by system and assume }",
|
||||
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER to user:superuser-alex@hostsharing.net by hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER and assume }",
|
||||
|
||||
"{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:UPDATE to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:ADMIN by system and assume }",
|
||||
@ -233,7 +233,7 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
|
||||
assertThat(result.returnedValue().getContact().getCaption()).isEqualTo("sixth contact");
|
||||
assertThatRelationIsVisibleForUserWithRole(
|
||||
result.returnedValue(),
|
||||
"global#global:ADMIN");
|
||||
"rbac.global#global:ADMIN");
|
||||
assertThatRelationIsVisibleForUserWithRole(
|
||||
result.returnedValue(),
|
||||
"hs_office_contact#sixthcontact:ADMIN");
|
||||
|
@ -128,7 +128,7 @@ class HsOfficeSepaMandateRepositoryIntegrationTest extends ContextBasedTestWithC
|
||||
|
||||
// owner
|
||||
"{ grant perm:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):DELETE to role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER by system and assume }",
|
||||
"{ grant role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER to role:global#global:ADMIN by system and assume }",
|
||||
"{ grant role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER to role:rbac.global#global:ADMIN by system and assume }",
|
||||
"{ grant role:sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER to user:superuser-alex@hostsharing.net by sepamandate#DE02600501010002034304-[2020-01-01,2023-01-01):OWNER and assume }",
|
||||
|
||||
// admin
|
||||
|
@ -86,8 +86,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
))
|
||||
.body("", hasItem(
|
||||
allOf(
|
||||
hasEntry("grantedByRoleIdName", "global#global:ADMIN"),
|
||||
hasEntry("grantedRoleIdName", "global#global:ADMIN"),
|
||||
hasEntry("grantedByRoleIdName", "rbac.global#global:ADMIN"),
|
||||
hasEntry("grantedRoleIdName", "rbac.global#global:ADMIN"),
|
||||
hasEntry("granteeSubjectName", "superuser-fran@hostsharing.net")
|
||||
)
|
||||
))
|
||||
|
@ -46,7 +46,7 @@ class RbacRoleControllerAcceptanceTest {
|
||||
.body("", hasItem(hasEntry("roleName", "test_customer#xxx:OWNER")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_customer#xxx:TENANT")))
|
||||
// ...
|
||||
.body("", hasItem(hasEntry("roleName", "global#global:ADMIN")))
|
||||
.body("", hasItem(hasEntry("roleName", "rbac.global#global:ADMIN")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_customer#yyy:ADMIN")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_package#yyy00:ADMIN")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa:OWNER")))
|
||||
|
@ -73,7 +73,7 @@ class RbacRoleControllerRestTest {
|
||||
// then
|
||||
.andExpect(status().isOk())
|
||||
.andExpect(jsonPath("$", hasSize(3)))
|
||||
.andExpect(jsonPath("$[0].roleName", is("global#global:ADMIN")))
|
||||
.andExpect(jsonPath("$[0].roleName", is("rbac.global#global:ADMIN")))
|
||||
.andExpect(jsonPath("$[1].roleName", is("test_customer#xxx:OWNER")))
|
||||
.andExpect(jsonPath("$[2].roleName", is("test_customer#xxx:ADMIN")))
|
||||
.andExpect(jsonPath("$[2].uuid", is(customerXxxAdmin.getUuid().toString())))
|
||||
|
@ -39,7 +39,7 @@ class RbacRoleRepositoryIntegrationTest {
|
||||
|
||||
private static final String[] ALL_TEST_DATA_ROLES = Array.of(
|
||||
// @formatter:off
|
||||
"global#global:ADMIN",
|
||||
"rbac.global#global:ADMIN",
|
||||
"test_customer#xxx:ADMIN", "test_customer#xxx:OWNER", "test_customer#xxx:TENANT",
|
||||
"test_package#xxx00:ADMIN", "test_package#xxx00:OWNER", "test_package#xxx00:TENANT",
|
||||
"test_package#xxx01:ADMIN", "test_package#xxx01:OWNER", "test_package#xxx01:TENANT",
|
||||
@ -70,7 +70,7 @@ class RbacRoleRepositoryIntegrationTest {
|
||||
@Test
|
||||
public void globalAdmin_withAssumedglobalAdminRole_canViewAllRbacRoles() {
|
||||
given:
|
||||
context.define("superuser-alex@hostsharing.net", "global#global:ADMIN");
|
||||
context.define("superuser-alex@hostsharing.net", "rbac.global#global:ADMIN");
|
||||
|
||||
// when
|
||||
final var result = rbacRoleRepository.findAll();
|
||||
@ -110,7 +110,7 @@ class RbacRoleRepositoryIntegrationTest {
|
||||
noneOfTheseRbacRolesIsReturned(
|
||||
result,
|
||||
// @formatter:off
|
||||
"global#global:ADMIN",
|
||||
"rbac.global#global:ADMIN",
|
||||
"test_customer#xxx:OWNER",
|
||||
"test_package#yyy00:ADMIN",
|
||||
"test_package#yyy00:OWNER",
|
||||
|
@ -4,7 +4,7 @@ import static java.util.UUID.randomUUID;
|
||||
|
||||
public class TestRbacRole {
|
||||
|
||||
public static final RbacRoleEntity hostmasterRole = rbacRole("global", "global", RbacRoleType.ADMIN);
|
||||
public static final RbacRoleEntity hostmasterRole = rbacRole("rbac.global", "global", RbacRoleType.ADMIN);
|
||||
static final RbacRoleEntity customerXxxOwner = rbacRole("test_customer", "xxx", RbacRoleType.OWNER);
|
||||
static final RbacRoleEntity customerXxxAdmin = rbacRole("test_customer", "xxx", RbacRoleType.ADMIN);
|
||||
|
||||
|
@ -116,7 +116,7 @@ class RbacSubjectRepositoryIntegrationTest extends ContextBasedTest {
|
||||
@Test
|
||||
public void globalAdmin_withAssumedglobalAdminRole_canViewAllRbacSubjects() {
|
||||
given:
|
||||
context("superuser-alex@hostsharing.net", "global#global:ADMIN");
|
||||
context("superuser-alex@hostsharing.net", "rbac.global#global:ADMIN");
|
||||
|
||||
// when
|
||||
final var result = rbacSubjectRepository.findByOptionalNameLike(null);
|
||||
|
@ -13,19 +13,19 @@ class TestCustomerEntityUnitTest {
|
||||
assertThat(rbacFlowchart).isEqualTo("""
|
||||
%%{init:{'flowchart':{'htmlLabels':false}}}%%
|
||||
flowchart TB
|
||||
|
||||
|
||||
subgraph customer["`**customer**`"]
|
||||
direction TB
|
||||
style customer fill:#dd4901,stroke:#274d6e,stroke-width:8px
|
||||
|
||||
|
||||
subgraph customer:roles[ ]
|
||||
style customer:roles fill:#dd4901,stroke:white
|
||||
|
||||
|
||||
role:customer:OWNER[[customer:OWNER]]
|
||||
role:customer:ADMIN[[customer:ADMIN]]
|
||||
role:customer:TENANT[[customer:TENANT]]
|
||||
end
|
||||
|
||||
|
||||
subgraph customer:permissions[ ]
|
||||
style customer:permissions fill:#dd4901,stroke:white
|
||||
|
||||
@ -40,12 +40,12 @@ class TestCustomerEntityUnitTest {
|
||||
user:creator ==>|XX| role:customer:OWNER
|
||||
|
||||
%% granting roles to roles
|
||||
role:global:ADMIN ==>|XX| role:customer:OWNER
|
||||
role:rbac.global:ADMIN ==>|XX| role:customer:OWNER
|
||||
role:customer:OWNER ==> role:customer:ADMIN
|
||||
role:customer:ADMIN ==> role:customer:TENANT
|
||||
|
||||
%% granting permissions to roles
|
||||
role:global:ADMIN ==> perm:customer:INSERT
|
||||
role:rbac.global:ADMIN ==> perm:customer:INSERT
|
||||
role:customer:OWNER ==> perm:customer:DELETE
|
||||
role:customer:ADMIN ==> perm:customer:UPDATE
|
||||
role:customer:TENANT ==> perm:customer:SELECT
|
||||
|
@ -50,7 +50,7 @@ class TestPackageEntityUnitTest {
|
||||
end
|
||||
|
||||
%% granting roles to roles
|
||||
role:global:ADMIN -.->|XX| role:customer:OWNER
|
||||
role:rbac.global:ADMIN -.->|XX| role:customer:OWNER
|
||||
role:customer:OWNER -.-> role:customer:ADMIN
|
||||
role:customer:ADMIN -.-> role:customer:TENANT
|
||||
role:customer:ADMIN ==> role:package:OWNER
|
||||
|
@ -40,7 +40,7 @@ class TestPackageRepositoryIntegrationTest extends ContextBasedTest {
|
||||
@Test
|
||||
public void globalAdmin_withoutAssumedRole_canNotViewAnyPackages_becauseThoseGrantsAreNotAssumed() {
|
||||
// given
|
||||
// alex is not just global-admin but lso the creating user, thus we use fran
|
||||
// alex is not just rbac.global-admin but lso the creating user, thus we use fran
|
||||
context.define("superuser-fran@hostsharing.net");
|
||||
|
||||
// when
|
||||
@ -53,7 +53,7 @@ class TestPackageRepositoryIntegrationTest extends ContextBasedTest {
|
||||
@Test
|
||||
public void globalAdmin_withAssumedglobalAdminRole__canNotViewAnyPackages_becauseThoseGrantsAreNotAssumed() {
|
||||
given:
|
||||
context.define("superuser-alex@hostsharing.net", "global#global:ADMIN");
|
||||
context.define("superuser-alex@hostsharing.net", "rbac.global#global:ADMIN");
|
||||
|
||||
// when
|
||||
final var result = testPackageRepository.findAllByOptionalNameLike(null);
|
||||
|
Loading…
Reference in New Issue
Block a user