fix matching grant detection
parent
35e961c758
commit
c6c5d52af3
@ -181,7 +181,7 @@ public class HsBookingItemEntity implements Stringifyable, RbacObject {
|
|||||||
with.permission(SELECT);
|
with.permission(SELECT);
|
||||||
})
|
})
|
||||||
|
|
||||||
.limitDiagramTo("bookingItem", "debitor", "debitorRel", "global");
|
.limitDiagramTo("bookingItem", "debitorRel", "global");
|
||||||
}
|
}
|
||||||
|
|
||||||
public static void main(String[] args) throws IOException {
|
public static void main(String[] args) throws IOException {
|
||||||
|
@ -25,6 +25,7 @@ import static java.util.Optional.ofNullable;
|
|||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacGrantDefinition.GrantType.PERM_TO_ROLE;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacGrantDefinition.GrantType.PERM_TO_ROLE;
|
||||||
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacGrantDefinition.GrantType.ROLE_TO_ROLE;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.UserRole.CREATOR;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.UserRole.CREATOR;
|
||||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.Part.AUTO_FETCH;
|
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.Part.AUTO_FETCH;
|
||||||
import static org.apache.commons.collections4.SetUtils.hashSet;
|
import static org.apache.commons.collections4.SetUtils.hashSet;
|
||||||
@ -397,8 +398,7 @@ public class RbacView {
|
|||||||
new RbacRoleDefinition(findEntityAlias(mapper.map(roleDef.entityAlias.aliasName)), roleDef.role);
|
new RbacRoleDefinition(findEntityAlias(mapper.map(roleDef.entityAlias.aliasName)), roleDef.role);
|
||||||
});
|
});
|
||||||
copyOf(importedRbacView.getGrantDefs()).forEach(grantDef -> {
|
copyOf(importedRbacView.getGrantDefs()).forEach(grantDef -> {
|
||||||
if ( grantDef.grantType() == RbacGrantDefinition.GrantType.ROLE_TO_ROLE &&
|
if ( grantDef.grantType() == ROLE_TO_ROLE && grantDef.matchesCase(forCase) ) {
|
||||||
(grantDef.forCases == null || grantDef.matchesCase(forCase)) ) {
|
|
||||||
final var importedGrantDef = findOrCreateGrantDef(
|
final var importedGrantDef = findOrCreateGrantDef(
|
||||||
findRbacRole(
|
findRbacRole(
|
||||||
mapper.map(grantDef.getSubRoleDef().entityAlias.aliasName),
|
mapper.map(grantDef.getSubRoleDef().entityAlias.aliasName),
|
||||||
@ -610,7 +610,7 @@ public class RbacView {
|
|||||||
GrantType grantType() {
|
GrantType grantType() {
|
||||||
return permDef != null ? PERM_TO_ROLE
|
return permDef != null ? PERM_TO_ROLE
|
||||||
: userDef != null ? GrantType.ROLE_TO_USER
|
: userDef != null ? GrantType.ROLE_TO_USER
|
||||||
: GrantType.ROLE_TO_ROLE;
|
: ROLE_TO_ROLE;
|
||||||
}
|
}
|
||||||
|
|
||||||
boolean isAssumed() {
|
boolean isAssumed() {
|
||||||
@ -630,7 +630,8 @@ public class RbacView {
|
|||||||
boolean matchesCase(final ColumnValue requestedCase) {
|
boolean matchesCase(final ColumnValue requestedCase) {
|
||||||
final var noCasesDefined = forCases == null;
|
final var noCasesDefined = forCases == null;
|
||||||
final var generateForAllCases = requestedCase == null;
|
final var generateForAllCases = requestedCase == null;
|
||||||
final boolean isGrantedForRequestedCase = forCases == null || forCases.stream().anyMatch(c -> c.isCase(requestedCase));
|
final boolean isGrantedForRequestedCase = forCases == null || forCases.stream().anyMatch(c -> c.isCase(requestedCase))
|
||||||
|
|| forCases.stream().anyMatch(CaseDef::isDefaultCase) && !allCases.stream().anyMatch(c -> c.isCase(requestedCase));
|
||||||
return noCasesDefined || generateForAllCases || isGrantedForRequestedCase;
|
return noCasesDefined || generateForAllCases || isGrantedForRequestedCase;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
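Review bot: The new default-case clause in matchesCase mixes `||` and `&&` on one expression without parentheses, so it only reads as `a || b || (c && d)` by Java precedence; because this expression decides which role-to-role grants get generated, the grouping should be explicit and the negated `anyMatch` replaced by `noneMatch`: `|| (forCases.stream().anyMatch(CaseDef::isDefaultCase) && allCases.stream().noneMatch(c -> c.isCase(requestedCase)))`. The clause also makes a requested case that is not listed in `allCases` match any default-case grant; if that is the intended meaning, a comment such as `// a default-case grant also covers every case not explicitly listed in allCases` plus a small test per branch (listed case, default case with unlisted request, default case with listed request) would pin it. `allCases` is declared outside the hunk, so I could not confirm it can never be null when matchesCase runs. In grantType, `ROLE_TO_USER` is still written as `GrantType.ROLE_TO_USER` while the two sibling constants are now statically imported; importing it the same way keeps the three arms uniform.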
@ -44,6 +44,10 @@ subgraph bookingItem["`**bookingItem**`"]
|
|||||||
end
|
end
|
||||||
|
|
||||||
%% granting roles to roles
|
%% granting roles to roles
|
||||||
|
role:global:ADMIN -.-> role:debitorRel:OWNER
|
||||||
|
role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
|
||||||
|
role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
|
||||||
|
role:debitorRel:AGENT -.-> role:debitorRel:TENANT
|
||||||
role:debitorRel:AGENT ==> role:bookingItem:OWNER
|
role:debitorRel:AGENT ==> role:bookingItem:OWNER
|
||||||
role:bookingItem:OWNER ==> role:bookingItem:ADMIN
|
role:bookingItem:OWNER ==> role:bookingItem:ADMIN
|
||||||
role:debitorRel:AGENT ==> role:bookingItem:ADMIN
|
role:debitorRel:AGENT ==> role:bookingItem:ADMIN
|
||||||
|
@ -68,6 +68,10 @@ subgraph parentServer["`**parentServer**`"]
|
|||||||
end
|
end
|
||||||
|
|
||||||
%% granting roles to roles
|
%% granting roles to roles
|
||||||
|
role:global:ADMIN -.-> role:bookingItem.debitorRel:OWNER
|
||||||
|
role:bookingItem.debitorRel:OWNER -.-> role:bookingItem.debitorRel:ADMIN
|
||||||
|
role:bookingItem.debitorRel:ADMIN -.-> role:bookingItem.debitorRel:AGENT
|
||||||
|
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem.debitorRel:TENANT
|
||||||
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
|
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
|
||||||
role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
|
role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
|
||||||
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN
|
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN
|
||||||
|
@ -68,6 +68,10 @@ subgraph parentServer["`**parentServer**`"]
|
|||||||
end
|
end
|
||||||
|
|
||||||
%% granting roles to roles
|
%% granting roles to roles
|
||||||
|
role:global:ADMIN -.-> role:bookingItem.debitorRel:OWNER
|
||||||
|
role:bookingItem.debitorRel:OWNER -.-> role:bookingItem.debitorRel:ADMIN
|
||||||
|
role:bookingItem.debitorRel:ADMIN -.-> role:bookingItem.debitorRel:AGENT
|
||||||
|
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem.debitorRel:TENANT
|
||||||
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
|
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
|
||||||
role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
|
role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
|
||||||
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN
|
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN
|
||||||
|
@ -68,6 +68,10 @@ subgraph parentServer["`**parentServer**`"]
|
|||||||
end
|
end
|
||||||
|
|
||||||
%% granting roles to roles
|
%% granting roles to roles
|
||||||
|
role:global:ADMIN -.-> role:bookingItem.debitorRel:OWNER
|
||||||
|
role:bookingItem.debitorRel:OWNER -.-> role:bookingItem.debitorRel:ADMIN
|
||||||
|
role:bookingItem.debitorRel:ADMIN -.-> role:bookingItem.debitorRel:AGENT
|
||||||
|
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem.debitorRel:TENANT
|
||||||
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
|
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
|
||||||
role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
|
role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
|
||||||
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN
|
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN
|
||||||
|
@ -68,6 +68,10 @@ subgraph parentServer["`**parentServer**`"]
|
|||||||
end
|
end
|
||||||
|
|
||||||
%% granting roles to roles
|
%% granting roles to roles
|
||||||
|
role:global:ADMIN -.-> role:bookingItem.debitorRel:OWNER
|
||||||
|
role:bookingItem.debitorRel:OWNER -.-> role:bookingItem.debitorRel:ADMIN
|
||||||
|
role:bookingItem.debitorRel:ADMIN -.-> role:bookingItem.debitorRel:AGENT
|
||||||
|
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem.debitorRel:TENANT
|
||||||
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
|
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
|
||||||
role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
|
role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
|
||||||
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN
|
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN
|
||||||
|