fix matching grant detection

2024-04-28 15:53:51 +02:00 · 2024-04-28 15:53:51 +02:00 · c6c5d52af3
commit c6c5d52af3
parent 35e961c758
7 changed files with 26 additions and 5 deletions
--- a/src/main/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemEntity.java
@ -181,7 +181,7 @@ public class HsBookingItemEntity implements Stringifyable, RbacObject {
                    with.permission(SELECT);
                })

-                .limitDiagramTo("bookingItem", "debitor", "debitorRel", "global");
+                .limitDiagramTo("bookingItem", "debitorRel", "global");
    }

    public static void main(String[] args) throws IOException {
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java
@ -25,6 +25,7 @@ import static java.util.Optional.ofNullable;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacGrantDefinition.GrantType.PERM_TO_ROLE;
+import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacGrantDefinition.GrantType.ROLE_TO_ROLE;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.UserRole.CREATOR;
 import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.Part.AUTO_FETCH;
 import static org.apache.commons.collections4.SetUtils.hashSet;
@ -397,8 +398,7 @@ public class RbacView {
            new RbacRoleDefinition(findEntityAlias(mapper.map(roleDef.entityAlias.aliasName)), roleDef.role);
        });
        copyOf(importedRbacView.getGrantDefs()).forEach(grantDef -> {
-            if ( grantDef.grantType() == RbacGrantDefinition.GrantType.ROLE_TO_ROLE &&
-                    (grantDef.forCases == null || grantDef.matchesCase(forCase)) ) {
+            if ( grantDef.grantType() == ROLE_TO_ROLE && grantDef.matchesCase(forCase) ) {
                final var importedGrantDef = findOrCreateGrantDef(
                        findRbacRole(
                                mapper.map(grantDef.getSubRoleDef().entityAlias.aliasName),
@ -610,7 +610,7 @@ public class RbacView {
        GrantType grantType() {
            return permDef != null ? PERM_TO_ROLE
                    : userDef != null ? GrantType.ROLE_TO_USER
-                    : GrantType.ROLE_TO_ROLE;
+                    : ROLE_TO_ROLE;
        }

        boolean isAssumed() {
@ -630,7 +630,8 @@ public class RbacView {
        boolean matchesCase(final ColumnValue requestedCase) {
            final var noCasesDefined = forCases == null;
            final var generateForAllCases = requestedCase == null;
-            final boolean isGrantedForRequestedCase = forCases == null || forCases.stream().anyMatch(c -> c.isCase(requestedCase));
+            final boolean isGrantedForRequestedCase = forCases == null || forCases.stream().anyMatch(c -> c.isCase(requestedCase))
+                    || forCases.stream().anyMatch(CaseDef::isDefaultCase) && !allCases.stream().anyMatch(c -> c.isCase(requestedCase));
            return  noCasesDefined || generateForAllCases || isGrantedForRequestedCase;
        }

--- a/src/main/resources/db/changelog/6-hs-booking/601-booking-item/6013-hs-booking-item-rbac.md
+++ b/src/main/resources/db/changelog/6-hs-booking/601-booking-item/6013-hs-booking-item-rbac.md
@ -44,6 +44,10 @@ subgraph bookingItem["`**bookingItem**`"]
 end

 %% granting roles to roles
+role:global:ADMIN -.-> role:debitorRel:OWNER
+role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
+role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
+role:debitorRel:AGENT -.-> role:debitorRel:TENANT
 role:debitorRel:AGENT ==> role:bookingItem:OWNER
 role:bookingItem:OWNER ==> role:bookingItem:ADMIN
 role:debitorRel:AGENT ==> role:bookingItem:ADMIN
--- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-CLOUD_SERVER.md
+++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-CLOUD_SERVER.md
@ -68,6 +68,10 @@ subgraph parentServer["`**parentServer**`"]
 end

 %% granting roles to roles
+role:global:ADMIN -.-> role:bookingItem.debitorRel:OWNER
+role:bookingItem.debitorRel:OWNER -.-> role:bookingItem.debitorRel:ADMIN
+role:bookingItem.debitorRel:ADMIN -.-> role:bookingItem.debitorRel:AGENT
+role:bookingItem.debitorRel:AGENT -.-> role:bookingItem.debitorRel:TENANT
 role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
 role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
 role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN
--- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-MANAGED_SERVER.md
+++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-MANAGED_SERVER.md
@ -68,6 +68,10 @@ subgraph parentServer["`**parentServer**`"]
 end

 %% granting roles to roles
+role:global:ADMIN -.-> role:bookingItem.debitorRel:OWNER
+role:bookingItem.debitorRel:OWNER -.-> role:bookingItem.debitorRel:ADMIN
+role:bookingItem.debitorRel:ADMIN -.-> role:bookingItem.debitorRel:AGENT
+role:bookingItem.debitorRel:AGENT -.-> role:bookingItem.debitorRel:TENANT
 role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
 role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
 role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN
--- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-MANAGED_WEBSPACE.md
+++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac-MANAGED_WEBSPACE.md
@ -68,6 +68,10 @@ subgraph parentServer["`**parentServer**`"]
 end

 %% granting roles to roles
+role:global:ADMIN -.-> role:bookingItem.debitorRel:OWNER
+role:bookingItem.debitorRel:OWNER -.-> role:bookingItem.debitorRel:ADMIN
+role:bookingItem.debitorRel:ADMIN -.-> role:bookingItem.debitorRel:AGENT
+role:bookingItem.debitorRel:AGENT -.-> role:bookingItem.debitorRel:TENANT
 role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
 role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
 role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN
--- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.md
+++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.md
@ -68,6 +68,10 @@ subgraph parentServer["`**parentServer**`"]
 end

 %% granting roles to roles
+role:global:ADMIN -.-> role:bookingItem.debitorRel:OWNER
+role:bookingItem.debitorRel:OWNER -.-> role:bookingItem.debitorRel:ADMIN
+role:bookingItem.debitorRel:ADMIN -.-> role:bookingItem.debitorRel:AGENT
+role:bookingItem.debitorRel:AGENT -.-> role:bookingItem.debitorRel:TENANT
 role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
 role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
 role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN