fix matching grant detection

Michael Hoennig 2024-04-28 15:53:51 +02:00
parent 35e961c758
commit c6c5d52af3
7 changed files with 26 additions and 5 deletions


@ -181,7 +181,7 @@ public class HsBookingItemEntity implements Stringifyable, RbacObject {
with.permission(SELECT);
})
.limitDiagramTo("bookingItem", "debitor", "debitorRel", "global");
.limitDiagramTo("bookingItem", "debitorRel", "global");
}
public static void main(String[] args) throws IOException {


@ -25,6 +25,7 @@ import static java.util.Optional.ofNullable;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Nullable.NOT_NULL;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacGrantDefinition.GrantType.PERM_TO_ROLE;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacGrantDefinition.GrantType.ROLE_TO_ROLE;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacUserReference.UserRole.CREATOR;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.Part.AUTO_FETCH;
import static org.apache.commons.collections4.SetUtils.hashSet;
@ -397,8 +398,7 @@ public class RbacView {
new RbacRoleDefinition(findEntityAlias(mapper.map(roleDef.entityAlias.aliasName)), roleDef.role);
});
copyOf(importedRbacView.getGrantDefs()).forEach(grantDef -> {
if ( grantDef.grantType() == RbacGrantDefinition.GrantType.ROLE_TO_ROLE &&
(grantDef.forCases == null || grantDef.matchesCase(forCase)) ) {
if ( grantDef.grantType() == ROLE_TO_ROLE && grantDef.matchesCase(forCase) ) {
final var importedGrantDef = findOrCreateGrantDef(
findRbacRole(
mapper.map(grantDef.getSubRoleDef().entityAlias.aliasName),
@ -610,7 +610,7 @@ public class RbacView {
GrantType grantType() {
return permDef != null ? PERM_TO_ROLE
: userDef != null ? GrantType.ROLE_TO_USER
: GrantType.ROLE_TO_ROLE;
: ROLE_TO_ROLE;
}
boolean isAssumed() {
@ -630,7 +630,8 @@ public class RbacView {
boolean matchesCase(final ColumnValue requestedCase) {
final var noCasesDefined = forCases == null;
final var generateForAllCases = requestedCase == null;
final boolean isGrantedForRequestedCase = forCases == null || forCases.stream().anyMatch(c -> c.isCase(requestedCase));
final boolean isGrantedForRequestedCase = forCases == null || forCases.stream().anyMatch(c -> c.isCase(requestedCase))
|| forCases.stream().anyMatch(CaseDef::isDefaultCase) && !allCases.stream().anyMatch(c -> c.isCase(requestedCase));
return noCasesDefined || generateForAllCases || isGrantedForRequestedCase;
}
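Review bot: The new condition in matchesCase (the two lines starting `final boolean isGrantedForRequestedCase`) mixes `||` and `&&` without parentheses, so the fallback reads as `A || B || (C && !D)` only to a reader who remembers Java precedence; since this expression now alone decides which ROLE_TO_ROLE grants the import in the @-397 hunk generates, it deserves to be unambiguous. I would write the last clause as `|| (forCases.stream().anyMatch(CaseDef::isDefaultCase) && allCases.stream().noneMatch(c -> c.isCase(requestedCase)));` and add a comment above it such as `// a grant declared for the default case also applies to a requested case that no case definition lists explicitly`. The `allCases` collection it dereferences is not visible in the hunk, so presumably it is a field of the enclosing definition that is always populated — worth confirming, because the whole expression is evaluated eagerly even when `generateForAllCases` short-circuits the return, which also means `isCase(null)` is invoked for a null requestedCase. Given that an over-wide match here silently widens the generated privilege graph, a unit test pinning the three outcomes (case listed explicitly, unlisted case with a default-case grant, unlisted case without one) would make this fix verifiable. RbacGrantDefinition continues outside the hunk.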


@ -44,6 +44,10 @@ subgraph bookingItem["`**bookingItem**`"]
end
%% granting roles to roles
role:global:ADMIN -.-> role:debitorRel:OWNER
role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
role:debitorRel:AGENT -.-> role:debitorRel:TENANT
role:debitorRel:AGENT ==> role:bookingItem:OWNER
role:bookingItem:OWNER ==> role:bookingItem:ADMIN
role:debitorRel:AGENT ==> role:bookingItem:ADMIN


@ -68,6 +68,10 @@ subgraph parentServer["`**parentServer**`"]
end
%% granting roles to roles
role:global:ADMIN -.-> role:bookingItem.debitorRel:OWNER
role:bookingItem.debitorRel:OWNER -.-> role:bookingItem.debitorRel:ADMIN
role:bookingItem.debitorRel:ADMIN -.-> role:bookingItem.debitorRel:AGENT
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem.debitorRel:TENANT
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN


@ -68,6 +68,10 @@ subgraph parentServer["`**parentServer**`"]
end
%% granting roles to roles
role:global:ADMIN -.-> role:bookingItem.debitorRel:OWNER
role:bookingItem.debitorRel:OWNER -.-> role:bookingItem.debitorRel:ADMIN
role:bookingItem.debitorRel:ADMIN -.-> role:bookingItem.debitorRel:AGENT
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem.debitorRel:TENANT
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN


@ -68,6 +68,10 @@ subgraph parentServer["`**parentServer**`"]
end
%% granting roles to roles
role:global:ADMIN -.-> role:bookingItem.debitorRel:OWNER
role:bookingItem.debitorRel:OWNER -.-> role:bookingItem.debitorRel:ADMIN
role:bookingItem.debitorRel:ADMIN -.-> role:bookingItem.debitorRel:AGENT
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem.debitorRel:TENANT
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN


@ -68,6 +68,10 @@ subgraph parentServer["`**parentServer**`"]
end
%% granting roles to roles
role:global:ADMIN -.-> role:bookingItem.debitorRel:OWNER
role:bookingItem.debitorRel:OWNER -.-> role:bookingItem.debitorRel:ADMIN
role:bookingItem.debitorRel:ADMIN -.-> role:bookingItem.debitorRel:AGENT
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem.debitorRel:TENANT
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:OWNER
role:bookingItem:OWNER -.-> role:bookingItem:ADMIN
role:bookingItem.debitorRel:AGENT -.-> role:bookingItem:ADMIN