refactor to only a single global admin object global#global.admin

This commit is contained in:
Michael Hoennig 2022-09-06 13:48:30 +02:00
parent 87e2b05926
commit da793ee546
24 changed files with 211 additions and 295 deletions

View File

@ -65,21 +65,21 @@ If you have at least Docker, the Java JDK and Gradle installed in appropriate ve
# the following command should return a JSON array with just all customers:
curl \
-H 'current-user: mike@example.org' \
-H 'current-user: alex@hostsharing.net' \
http://localhost:8080/api/test/customers
# the following command should return a JSON array with just all packages visible for the admin of the customer yyy:
curl \
-H 'current-user: mike@example.org' -H 'assumed-roles: test_customer#yyy.admin' \
-H 'current-user: alex@hostsharing.net' -H 'assumed-roles: test_customer#yyy.admin' \
http://localhost:8080/api/test/packages
# add a new customer
curl \
-H 'current-user: mike@example.org' -H "Content-Type: application/json" \
-H 'current-user: alex@hostsharing.net' -H "Content-Type: application/json" \
-d '{ "prefix":"ttt", "reference":80001, "adminUserName":"admin@ttt.example.com" }' \
-X POST http://localhost:8080/api/test/customers
If you wonder who 'mike@example.org' and 'sven@example.org' are and where the data comes from:
If you wonder who 'alex@hostsharing.net' and 'fran@hostsharing.net' are and where the data comes from:
Mike and Sven are just example global admin accounts as part of the example data which is automatically inserted in Testcontainers and Development environments.
Also try for example 'admin@xxx.example.com' or 'unknown@example.org'.

View File

@ -17,7 +17,7 @@ BEGIN
-- hostmaster accessing a single customer
SET SESSION SESSION AUTHORIZATION restricted;
SET LOCAL hsadminng.currentUser = 'mike@example.org';
SET LOCAL hsadminng.currentUser = 'alex@hostsharing.net';
SET LOCAL hsadminng.assumedRoles = '';
-- SELECT *
SELECT count(*) INTO resultCount
@ -27,7 +27,7 @@ BEGIN
-- hostmaster listing all customers
SET SESSION SESSION AUTHORIZATION restricted;
SET LOCAL hsadminng.currentUser = 'mike@example.org';
SET LOCAL hsadminng.currentUser = 'alex@hostsharing.net';
SET LOCAL hsadminng.assumedRoles = '';
-- SELECT *
SELECT count(*) INTO resultCount
@ -54,7 +54,7 @@ BEGIN
-- hostsharing admin assuming customer role and listing all accessible packages
SET SESSION SESSION AUTHORIZATION restricted;
SET LOCAL hsadminng.currentUser = 'mike@example.org';
SET LOCAL hsadminng.currentUser = 'alex@hostsharing.net';
SET LOCAL hsadminng.assumedRoles = 'test_customer#aaa.admin;test_customer#aab.admin';
-- SELECT *
SELECT count(*) INTO resultCount
@ -63,7 +63,7 @@ BEGIN
-- hostsharing admin assuming two customer admin roles and listing all accessible domains
SET SESSION SESSION AUTHORIZATION restricted;
SET LOCAL hsadminng.currentUser = 'mike@example.org';
SET LOCAL hsadminng.currentUser = 'alex@hostsharing.net';
SET LOCAL hsadminng.assumedRoles = 'test_customer#aab.admin;test_customer#aac.admin';
-- SELECT c.prefix, c.reference, uu.*
SELECT count(*) INTO resultCount
@ -75,7 +75,7 @@ BEGIN
-- hostsharing admin assuming two customer admin roles and listing all accessible domains
-- ABORT; START TRANSACTION;
SET SESSION SESSION AUTHORIZATION restricted;
SET LOCAL hsadminng.currentUser = 'mike@example.org';
SET LOCAL hsadminng.currentUser = 'alex@hostsharing.net';
SET LOCAL hsadminng.assumedRoles = 'test_customer#aac.admin;test_customer#aad.admin';
-- SELECT p.name, uu.name, dom.name
SELECT count(*) INTO resultCount
@ -88,7 +88,7 @@ BEGIN
-- hostsharing admin assuming two customer admin roles and listing all accessible email addresses
-- ABORT; START TRANSACTION;
SET SESSION SESSION AUTHORIZATION restricted;
SET LOCAL hsadminng.currentUser = 'mike@example.org';
SET LOCAL hsadminng.currentUser = 'alex@hostsharing.net';
SET LOCAL hsadminng.assumedRoles = 'test_customer#aae.admin;test_customer#aaf.admin';
-- SELECT c.prefix, p.name as "package", ema.localPart || '@' || dom.name as "email-address"
SELECT count(*) INTO resultCount

View File

@ -9,10 +9,10 @@ select isGranted(findRoleId('test_package#aaa00.owner'), findRoleId('administrat
-- call grantRoleToRole(findRoleId('administrators'), findRoleId('test_package#aaa00.owner'));
select count(*)
FROM queryAllPermissionsOfSubjectIdForObjectUuids(findRbacUser('sven@example.org'),
FROM queryAllPermissionsOfSubjectIdForObjectUuids(findRbacUser('fran@hostsharing.net'),
ARRAY(select uuid from customer where reference < 1100000));
select count(*)
FROM queryAllPermissionsOfSubjectId(findRbacUser('sven@example.org'));
FROM queryAllPermissionsOfSubjectId(findRbacUser('fran@hostsharing.net'));
select *
FROM queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com'));
select *
@ -33,7 +33,7 @@ $$
userId uuid;
result bool;
BEGIN
userId = findRbacUser('mike@example.org');
userId = findRbacUser('alex@hostsharing.net');
result = (SELECT * FROM isPermissionGrantedToSubject(findPermissionId('package', 94928, 'add-package'), userId));
IF (result) THEN
RAISE EXCEPTION 'expected permission NOT to be granted, but it is';

View File

@ -38,7 +38,7 @@ CREATE OR REPLACE RULE "_RETURN" AS
SELECT * FROM customer WHERE isPermissionGrantedToSubject(findPermissionId('test_customer', id, 'view'), currentUserUuid());
SELECT * from cust_view LIMIT 10;
select queryAllPermissionsOfSubjectId(findRbacUser('mike@example.org'));
select queryAllPermissionsOfSubjectId(findRbacUser('alex@hostsharing.net'));
-- access control via view-rule with join to recursive permissions - really fast (38ms for 1 million rows)
SET SESSION SESSION AUTHORIZATION DEFAULT;
@ -73,7 +73,7 @@ GRANT ALL PRIVILEGES ON cust_view TO restricted;
SET SESSION SESSION AUTHORIZATION restricted;
-- SET hsadminng.currentUser TO 'alex@example.com';
SET hsadminng.currentUser TO 'mike@example.org';
SET hsadminng.currentUser TO 'alex@hostsharing.net';
-- SET hsadminng.currentUser TO 'aaaaouq@example.com';
SELECT * from cust_view where reference=1144150;

View File

@ -16,7 +16,7 @@ create table Global
uuid uuid primary key references RbacObject (uuid) on delete cascade,
name varchar(63) unique
);
-- create unique index Global_Singleton on Global ((0));
create unique index Global_Singleton on Global ((0));
grant select on global to restricted;
--//
@ -70,3 +70,87 @@ create or replace function globalIdNameByUuid(uuid uuid)
select idName from global_iv iv where iv.uuid = globalIdNameByUuid.uuid;
$$;
--//
--liquibase formatted sql
-- ============================================================================
--changeset rbac-global-PSEUDO-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/**
A single row to be referenced as a global object.
*/
begin transaction;
call defineContext('initializing table "global"', null, null, null);
insert
into RbacObject (objecttable) values ('global');
insert
into Global (uuid, name) values ((select uuid from RbacObject where objectTable = 'global'), 'global');
commit;
--//
-- ============================================================================
--changeset rbac-global-ADMIN-ROLE:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
A global administrator role.
*/
create or replace function globalAdmin()
returns RbacRoleDescriptor
returns null on null input
stable leakproof
language sql as $$
select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType;
$$;
begin transaction;
call defineContext('creating global admin role', null, null, null);
select createRole(globalAdmin());
commit;
-- ============================================================================
--changeset rbac-global-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Create two users and assign both to the administrators role.
*/
do language plpgsql $$
declare
admins uuid ;
begin
call defineContext('creating fake test-realm admin users', null, null, null);
admins = findRoleId(globalAdmin());
call grantRoleToUserUnchecked(admins, admins, createRbacUser('alex@hostsharing.net'));
call grantRoleToUserUnchecked(admins, admins, createRbacUser('fran@hostsharing.net'));
end;
$$;
--//
-- ============================================================================
--changeset rbac-global-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Tests if currentUserUuid() can fetch the user from the session variable.
*/
do language plpgsql $$
declare
userName varchar;
begin
call defineContext('testing currentUserUuid', null, 'fran@hostsharing.net', null);
select userName from RbacUser where uuid = currentUserUuid() into userName;
if userName <> 'fran@hostsharing.net' then
raise exception 'setting or fetching initial currentUser failed, got: %', userName;
end if;
call defineContext('testing currentUserUuid', null, 'alex@hostsharing.net', null);
select userName from RbacUser where uuid = currentUserUuid() into userName;
if userName = 'alex@hostsharing.net' then
raise exception 'currentUser should not change in one transaction, but did change, got: %', userName;
end if;
end; $$;
--//

View File

@ -1,83 +0,0 @@
--liquibase formatted sql
-- ============================================================================
--changeset test-base-GLOBAL-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/**
A single row to be referenced as a global object.
*/
begin transaction;
call defineContext('initializing table "global"', null, null, null);
insert
into RbacObject (objecttable) values ('global');
insert
into Global (uuid, name) values ((select uuid from RbacObject where objectTable = 'global'), 'test-global');
commit;
--//
-- ============================================================================
--changeset test-base-ADMIN-ROLE:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
A global administrator role.
*/
create or replace function testGlobalAdmin()
returns RbacRoleDescriptor
returns null on null input
stable leakproof
language sql as $$
select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType;
$$;
begin transaction;
call defineContext('creating test-global admin role', null, null, null);
select createRole(testGlobalAdmin());
commit;
-- ============================================================================
--changeset test-base-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Create two users and assign both to the administrators role.
*/
do language plpgsql $$
declare
admins uuid ;
begin
call defineContext('creating fake test-realm admin users', null, null, null);
admins = findRoleId(testGlobalAdmin());
call grantRoleToUserUnchecked(admins, admins, createRbacUser('mike@example.org'));
call grantRoleToUserUnchecked(admins, admins, createRbacUser('sven@example.org'));
end;
$$;
--//
-- ============================================================================
--changeset test-base-hostsharing-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Tests if currentUserUuid() can fetch the user from the session variable.
*/
do language plpgsql $$
declare
userName varchar;
begin
call defineContext('testing currentUserUuid', null, 'sven@example.org', null);
select userName from RbacUser where uuid = currentUserUuid() into userName;
if userName <> 'sven@example.org' then
raise exception 'setting or fetching initial currentUser failed, got: %', userName;
end if;
call defineContext('testing currentUserUuid', null, 'mike@example.org', null);
select userName from RbacUser where uuid = currentUserUuid() into userName;
if userName = 'mike@example.org' then
raise exception 'currentUser should not change in one transaction, but did change, got: %', userName;
end if;
end; $$;
--//

View File

@ -69,7 +69,7 @@ begin
testCustomerOwnerUuid = createRole(
testCustomerOwner(NEW),
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
beneathRole(testGlobalAdmin())
beneathRole(globalAdmin())
);
-- the admin role for the customer's admins, who can view and add products
@ -78,7 +78,7 @@ begin
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view', 'add-package']),
-- NO auto assume for customer owner to avoid exploding permissions for administrators
withUser(NEW.adminUserName, 'create'), -- implicitly ignored if null
grantedByRole(testGlobalAdmin())
grantedByRole(globalAdmin())
);
-- allow the customer owner role (thus administrators) to assume the customer admin role
@ -208,7 +208,7 @@ do language plpgsql $$
begin
call defineContext('granting global add-customer permission to global admin role', null, null, null);
globalAdminRoleUuid := findRoleId(testGlobalAdmin());
globalAdminRoleUuid := findRoleId(globalAdmin());
globalObjectUuid := (select uuid from global);
addCustomerPermissions := createPermissions(globalObjectUuid, array ['add-customer']);
call grantPermissionsToRole(globalAdminRoleUuid, addCustomerPermissions);
@ -234,7 +234,7 @@ create trigger test_customer_insert_trigger
before insert
on test_customer
for each row
when ( currentUser() <> 'mike@example.org' or not hasGlobalPermission('add-customer') )
when ( currentUser() <> 'alex@hostsharing.net' or not hasGlobalPermission('add-customer') )
execute procedure addTestCustomerNotAllowedForCurrentSubjects();
--//

View File

@ -30,7 +30,7 @@ declare
custAdminName varchar;
begin
currentTask = 'creating RBAC test customer #' || custReference || '/' || custPrefix;
call defineContext(currentTask, null, 'mike@example.org', 'global#test-global.admin');
call defineContext(currentTask, null, 'alex@hostsharing.net', 'global#global.admin');
execute format('set local hsadminng.currentTask to %L', currentTask);
custRowId = uuid_generate_v4();

View File

@ -1,83 +0,0 @@
--liquibase formatted sql
-- ============================================================================
--changeset hs-base-GLOBAL-OBJECT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/**
A single row to be referenced as a global object.
*/
begin transaction;
call defineContext('initializing table "global"', null, null, null);
insert
into RbacObject (objecttable) values ('global');
insert
into Global (uuid, name) values ((select uuid from RbacObject where objectTable = 'global'), 'hostsharing');
commit;
--//
-- ============================================================================
--changeset hs-base-ADMIN-ROLE:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
A global administrator role.
*/
create or replace function hsHostsharingAdmin()
returns RbacRoleDescriptor
returns null on null input
stable leakproof
language sql as $$
select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType;
$$;
begin transaction;
call defineContext('creating Hostsharing admin role', null, null, null);
select createRole(hsHostsharingAdmin());
commit;
-- ============================================================================
--changeset hs-base-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Create two users and assign both to the administrators role.
*/
do language plpgsql $$
declare
admins uuid ;
begin
call defineContext('creating fake Hostsharing admin users', null, null, null);
admins = findRoleId(hsHostsharingAdmin());
call grantRoleToUserUnchecked(admins, admins, createRbacUser('mike@hostsharing.net'));
call grantRoleToUserUnchecked(admins, admins, createRbacUser('sven@hostsharing.net'));
end;
$$;
--//
-- ============================================================================
--changeset hs-base-hostsharing-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Tests if currentUserUuid() can fetch the user from the session variable.
*/
do language plpgsql $$
declare
userName varchar;
begin
call defineContext('testing currentUserUuid', null, 'sven@hostsharing.net', null);
select userName from RbacUser where uuid = currentUserUuid() into userName;
if userName <> 'sven@hostsharing.net' then
raise exception 'setting or fetching initial currentUser failed, got: %', userName;
end if;
call defineContext('testing currentUserUuid', null, 'mike@hostsharing.net', null);
select userName from RbacUser where uuid = currentUserUuid() into userName;
if userName = 'mike@ehostsharing.net' then
raise exception 'currentUser should not change in one transaction, but did change, got: %', userName;
end if;
end; $$;
--//

View File

@ -27,8 +27,6 @@ databaseChangeLog:
file: db/changelog/059-rbac-statistics.sql
- include:
file: db/changelog/080-rbac-global.sql
- include:
file: db/changelog/100-test-base.sql
- include:
file: db/changelog/110-test-customer.sql
- include:

View File

@ -31,7 +31,7 @@ class ContextIntegrationTests {
@Test
void defineWithoutHttpServletRequestUsesCallStack() {
context.define("mike@example.org", null);
context.define("alex@hostsharing.net", null);
assertThat(context.getCurrentTask())
.isEqualTo("ContextIntegrationTests.defineWithoutHttpServletRequestUsesCallStack");
@ -41,11 +41,11 @@ class ContextIntegrationTests {
@Transactional
void defineWithCurrentUserButWithoutAssumedRoles() {
// when
context.define("mike@example.org");
context.define("alex@hostsharing.net");
// then
assertThat(context.getCurrentUser()).
isEqualTo("mike@example.org");
isEqualTo("alex@hostsharing.net");
assertThat(context.getCurrentUserUUid()).isNotNull();
@ -85,11 +85,11 @@ class ContextIntegrationTests {
@Transactional
void defineWithCurrentUserAndAssumedRoles() {
// given
context.define("mike@example.org", "test_customer#xxx.owner;test_customer#yyy.owner");
context.define("alex@hostsharing.net", "test_customer#xxx.owner;test_customer#yyy.owner");
// when
final var currentUser = context.getCurrentUser();
assertThat(currentUser).isEqualTo("mike@example.org");
assertThat(currentUser).isEqualTo("alex@hostsharing.net");
// then
assertThat(context.getAssumedRoles())

View File

@ -41,7 +41,7 @@ class HsAdminPartnerRepositoryIntegrationTest extends ContextBasedTest {
@Test
public void testHostsharingAdmin_withoutAssumedRole_canCreateNewCustomer() {
// given
context("mike@example.org", null);
context("alex@hostsharing.net", null);
final var count = partnerRepository.count();
// when
@ -67,9 +67,9 @@ class HsAdminPartnerRepositoryIntegrationTest extends ContextBasedTest {
class FindAllCustomers {
@Test
public void testGlobalAdmin_withoutAssumedRole_canViewAllCustomers() {
public void globalAdmin_withoutAssumedRole_canViewAllCustomers() {
// given
context("mike@example.org", null);
context("alex@hostsharing.net", null);
// when
final var result = partnerRepository.findPartnerByOptionalNameLike(null);
@ -84,9 +84,9 @@ class HsAdminPartnerRepositoryIntegrationTest extends ContextBasedTest {
class FindByPrefixLike {
@Test
public void testGlobalAdmin_withoutAssumedRole_canViewAllCustomers() {
public void globalAdmin_withoutAssumedRole_canViewAllCustomers() {
// given
context("mike@example.org", null);
context("alex@hostsharing.net", null);
// when
final var result = partnerRepository.findPartnerByOptionalNameLike("Yps");

View File

@ -61,10 +61,10 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
@Test
@Accepts("GRT:L(List)")
void testGlobalAdmin_withoutAssumedRole_canViewAllGrants() {
void globalAdmin_withoutAssumedRole_canViewAllGrants() {
RestAssured // @formatter:off
.given()
.header("current-user", "mike@example.org")
.header("current-user", "alex@hostsharing.net")
.port(port)
.when()
.get("http://localhost/api/rbac/grants")
@ -73,23 +73,23 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
.contentType("application/json")
.body("", hasItem(
allOf(
hasEntry("grantedByRoleIdName", "global#test-global.admin"),
hasEntry("grantedByRoleIdName", "global#global.admin"),
hasEntry("grantedRoleIdName", "test_customer#xxx.admin"),
hasEntry("granteeUserName", "customer-admin@xxx.example.com")
)
))
.body("", hasItem(
allOf(
hasEntry("grantedByRoleIdName", "global#test-global.admin"),
hasEntry("grantedByRoleIdName", "global#global.admin"),
hasEntry("grantedRoleIdName", "test_customer#yyy.admin"),
hasEntry("granteeUserName", "customer-admin@yyy.example.com")
)
))
.body("", hasItem(
allOf(
hasEntry("grantedByRoleIdName", "global#test-global.admin"),
hasEntry("grantedRoleIdName", "global#test-global.admin"),
hasEntry("granteeUserName", "sven@example.org")
hasEntry("grantedByRoleIdName", "global#global.admin"),
hasEntry("grantedRoleIdName", "global#global.admin"),
hasEntry("granteeUserName", "fran@hostsharing.net")
)
))
.body("", hasItem(
@ -112,10 +112,10 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
@Test
@Accepts({ "GRT:L(List)", "GRT:X(Access Control)" })
void testGlobalAdmin_withAssumedPackageAdminRole_canViewPacketRelatedGrants() {
void globalAdmin_withAssumedPackageAdminRole_canViewPacketRelatedGrants() {
RestAssured // @formatter:off
.given()
.header("current-user", "mike@example.org")
.header("current-user", "alex@hostsharing.net")
.header("assumed-roles", "test_package#yyy00.admin")
.port(port)
.when()
@ -498,14 +498,14 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
RbacUserEntity findRbacUserByName(final String userName) {
return jpaAttempt.transacted(() -> {
context("mike@example.org", null);
context("alex@hostsharing.net", null);
return rbacUserRepository.findByName(userName);
}).returnedValue();
}
RbacRoleEntity findRbacRoleByName(final String roleName) {
return jpaAttempt.transacted(() -> {
context("mike@example.org", null);
context("alex@hostsharing.net", null);
return rbacRoleRepository.findByRoleName(roleName);
}).returnedValue();
}

View File

@ -83,7 +83,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// then
exactlyTheseRbacGrantsAreReturned(
result,
"{ grant assumed role test_customer#xxx.admin to user customer-admin@xxx.example.com by role global#test-global.admin }",
"{ grant assumed role test_customer#xxx.admin to user customer-admin@xxx.example.com by role global#global.admin }",
"{ grant assumed role test_package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role test_customer#xxx.admin }",
"{ grant assumed role test_package#xxx01.admin to user pac-admin-xxx01@xxx.example.com by role test_customer#xxx.admin }",
"{ grant assumed role test_package#xxx02.admin to user pac-admin-xxx02@xxx.example.com by role test_customer#xxx.admin }");

View File

@ -38,12 +38,12 @@ class RbacRoleControllerAcceptanceTest {
@Test
@Accepts({ "ROL:L(List)" })
void testGlobalAdmin_withoutAssumedRole_canViewAllRoles() {
void globalAdmin_withoutAssumedRole_canViewAllRoles() {
// @formatter:off
RestAssured
.given()
.header("current-user", "mike@example.org")
.header("current-user", "alex@hostsharing.net")
.port(port)
.when()
.get("http://localhost/api/rbac/roles")
@ -54,7 +54,7 @@ class RbacRoleControllerAcceptanceTest {
.body("", hasItem(hasEntry("roleName", "test_customer#xxx.owner")))
.body("", hasItem(hasEntry("roleName", "test_customer#xxx.tenant")))
// ...
.body("", hasItem(hasEntry("roleName", "global#test-global.admin")))
.body("", hasItem(hasEntry("roleName", "global#global.admin")))
.body("", hasItem(hasEntry("roleName", "test_customer#yyy.admin")))
.body("", hasItem(hasEntry("roleName", "test_package#yyy00.admin")))
.body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa.owner")))
@ -64,12 +64,12 @@ class RbacRoleControllerAcceptanceTest {
@Test
@Accepts({ "ROL:L(List)", "ROL:X(Access Control)" })
void testGlobalAdmin_withAssumedPackageAdminRole_canViewPackageAdminRoles() {
void globalAdmin_withAssumedPackageAdminRole_canViewPackageAdminRoles() {
// @formatter:off
RestAssured
.given()
.header("current-user", "mike@example.org")
.header("current-user", "alex@hostsharing.net")
.header("assumed-roles", "test_package#yyy00.admin")
.port(port)
.when()

View File

@ -37,13 +37,13 @@ class RbacRoleControllerRestTest {
// when
mockMvc.perform(MockMvcRequestBuilders
.get("/api/rbac/roles")
.header("current-user", "mike@example.org")
.header("current-user", "alex@hostsharing.net")
.accept(MediaType.APPLICATION_JSON))
// then
.andExpect(status().isOk())
.andExpect(jsonPath("$", hasSize(3)))
.andExpect(jsonPath("$[0].roleName", is("global#test-global.admin")))
.andExpect(jsonPath("$[0].roleName", is("global#global.admin")))
.andExpect(jsonPath("$[1].roleName", is("test_customer#xxx.owner")))
.andExpect(jsonPath("$[2].roleName", is("test_customer#xxx.admin")))
.andExpect(jsonPath("$[2].uuid", is(customerXxxAdmin.getUuid().toString())))

View File

@ -40,7 +40,7 @@ class RbacRoleRepositoryIntegrationTest {
private static final String[] ALL_TEST_DATA_ROLES = Array.of(
// @formatter:off
"global#test-global.admin",
"global#global.admin",
"test_customer#xxx.admin", "test_customer#xxx.owner", "test_customer#xxx.tenant",
"test_package#xxx00.admin", "test_package#xxx00.owner", "test_package#xxx00.tenant",
"test_package#xxx01.admin", "test_package#xxx01.owner", "test_package#xxx01.tenant",
@ -57,9 +57,9 @@ class RbacRoleRepositoryIntegrationTest {
);
@Test
public void testGlobalAdmin_withoutAssumedRole_canViewAllRbacRoles() {
public void globalAdmin_withoutAssumedRole_canViewAllRbacRoles() {
// given
context.define("mike@example.org");
context.define("alex@hostsharing.net");
// when
final var result = rbacRoleRepository.findAll();
@ -69,9 +69,9 @@ class RbacRoleRepositoryIntegrationTest {
}
@Test
public void testGlobalAdmin_withAssumedtestGlobalAdminRole_canViewAllRbacRoles() {
public void globalAdmin_withAssumedglobalAdminRole_canViewAllRbacRoles() {
given:
context.define("mike@example.org", "global#test-global.admin");
context.define("alex@hostsharing.net", "global#global.admin");
// when
final var result = rbacRoleRepository.findAll();
@ -111,7 +111,7 @@ class RbacRoleRepositoryIntegrationTest {
noneOfTheseRbacRolesIsReturned(
result,
// @formatter:off
"global#test-global.admin",
"global#global.admin",
"test_customer#xxx.owner",
"test_package#yyy00.admin",
"test_package#yyy00.owner",

View File

@ -4,7 +4,7 @@ import static java.util.UUID.randomUUID;
public class TestRbacRole {
public static final RbacRoleEntity hostmasterRole = rbacRole("global", "test-global", RbacRoleType.admin);
public static final RbacRoleEntity hostmasterRole = rbacRole("global", "global", RbacRoleType.admin);
static final RbacRoleEntity customerXxxOwner = rbacRole("test_customer", "xxx", RbacRoleType.owner);
static final RbacRoleEntity customerXxxAdmin = rbacRole("test_customer", "xxx", RbacRoleType.admin);

View File

@ -82,13 +82,13 @@ class RbacUserControllerAcceptanceTest {
@Test
@Accepts({ "USR:R(Read)" })
void testGlobalAdmin_withoutAssumedRole_canGetArbitraryUser() {
void globalAdmin_withoutAssumedRole_canGetArbitraryUser() {
final var givenUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
// @formatter:off
RestAssured
.given()
.header("current-user", "mike@example.org")
.header("current-user", "alex@hostsharing.net")
.port(port)
.when()
.get("http://localhost/api/rbac/users/" + givenUser.getUuid())
@ -101,13 +101,13 @@ class RbacUserControllerAcceptanceTest {
@Test
@Accepts({ "USR:R(Read)", "USR:X(Access Control)" })
void testGlobalAdmin_withAssumedCustomerAdminRole_canGetUserWithinInItsRealm() {
void globalAdmin_withAssumedCustomerAdminRole_canGetUserWithinInItsRealm() {
final var givenUser = findRbacUserByName("pac-admin-yyy00@yyy.example.com");
// @formatter:off
RestAssured
.given()
.header("current-user", "mike@example.org")
.header("current-user", "alex@hostsharing.net")
.header("assumed-roles", "test_customer#yyy.admin")
.port(port)
.when()
@ -161,12 +161,12 @@ class RbacUserControllerAcceptanceTest {
@Test
@Accepts({ "USR:L(List)" })
void testGlobalAdmin_withoutAssumedRole_canViewAllUsers() {
void globalAdmin_withoutAssumedRole_canViewAllUsers() {
// @formatter:off
RestAssured
.given()
.header("current-user", "mike@example.org")
.header("current-user", "alex@hostsharing.net")
.port(port)
.when()
.get("http://localhost/api/rbac/users")
@ -176,23 +176,23 @@ class RbacUserControllerAcceptanceTest {
.body("", hasItem(hasEntry("name", "customer-admin@xxx.example.com")))
.body("", hasItem(hasEntry("name", "customer-admin@yyy.example.com")))
.body("", hasItem(hasEntry("name", "customer-admin@zzz.example.com")))
.body("", hasItem(hasEntry("name", "mike@example.org")))
.body("", hasItem(hasEntry("name", "alex@hostsharing.net")))
// ...
.body("", hasItem(hasEntry("name", "pac-admin-zzz01@zzz.example.com")))
.body("", hasItem(hasEntry("name", "pac-admin-zzz02@zzz.example.com")))
.body("", hasItem(hasEntry("name", "sven@example.org")))
.body("", hasItem(hasEntry("name", "fran@hostsharing.net")))
.body("size()", greaterThanOrEqualTo(14));
// @formatter:on
}
@Test
@Accepts({ "USR:F(Filter)" })
void testGlobalAdmin_withoutAssumedRole_canViewAllUsersByName() {
void globalAdmin_withoutAssumedRole_canViewAllUsersByName() {
// @formatter:off
RestAssured
.given()
.header("current-user", "mike@example.org")
.header("current-user", "alex@hostsharing.net")
.port(port)
.when()
.get("http://localhost/api/rbac/users?name=pac-admin-zzz0")
@ -208,12 +208,12 @@ class RbacUserControllerAcceptanceTest {
@Test
@Accepts({ "USR:L(List)", "USR:X(Access Control)" })
void testGlobalAdmin_withAssumedCustomerAdminRole_canViewUsersInItsRealm() {
void globalAdmin_withAssumedCustomerAdminRole_canViewUsersInItsRealm() {
// @formatter:off
RestAssured
.given()
.header("current-user", "mike@example.org")
.header("current-user", "alex@hostsharing.net")
.header("assumed-roles", "test_customer#yyy.admin")
.port(port)
.when()
@ -276,13 +276,13 @@ class RbacUserControllerAcceptanceTest {
@Test
@Accepts({ "PRM:L(List)" })
void testGlobalAdmin_withoutAssumedRole_canViewArbitraryUsersPermissions() {
void globalAdmin_withoutAssumedRole_canViewArbitraryUsersPermissions() {
final var givenUser = findRbacUserByName("pac-admin-yyy00@yyy.example.com");
// @formatter:off
RestAssured
.given()
.header("current-user", "mike@example.org")
.header("current-user", "alex@hostsharing.net")
.port(port)
.when()
.get("http://localhost/api/rbac/users/" + givenUser.getUuid() + "/permissions")
@ -310,13 +310,13 @@ class RbacUserControllerAcceptanceTest {
@Test
@Accepts({ "PRM:L(List)" })
void testGlobalAdmin_withAssumedCustomerAdminRole_canViewArbitraryUsersPermissions() {
void globalAdmin_withAssumedCustomerAdminRole_canViewArbitraryUsersPermissions() {
final var givenUser = findRbacUserByName("pac-admin-yyy00@yyy.example.com");
// @formatter:off
RestAssured
.given()
.header("current-user", "mike@example.org")
.header("current-user", "alex@hostsharing.net")
.header("assumed-roles", "test_package#yyy00.admin")
.port(port)
.when()
@ -455,7 +455,7 @@ class RbacUserControllerAcceptanceTest {
// @formatter:off
final var location = RestAssured
.given()
.header("current-user", "mike@example.org")
.header("current-user", "alex@hostsharing.net")
.port(port)
.when()
.delete("http://localhost/api/rbac/users/" + givenUser.getUuid())
@ -470,7 +470,7 @@ class RbacUserControllerAcceptanceTest {
RbacUserEntity findRbacUserByName(final String userName) {
return jpaAttempt.transacted(() -> {
context.define("mike@example.org");
context.define("alex@hostsharing.net");
return rbacUserRepository.findByName(userName);
}).returnedValue();
}

View File

@ -99,7 +99,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
private static final String[] ALL_TEST_DATA_USERS = Array.of(
// @formatter:off
"mike@example.org", "sven@example.org",
"alex@hostsharing.net", "fran@hostsharing.net",
"customer-admin@xxx.example.com",
"pac-admin-xxx00@xxx.example.com", "pac-admin-xxx01@xxx.example.com", "pac-admin-xxx02@xxx.example.com",
"customer-admin@yyy.example.com",
@ -110,9 +110,9 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
);
@Test
public void testGlobalAdmin_withoutAssumedRole_canViewAllRbacUsers() {
public void globalAdmin_withoutAssumedRole_canViewAllRbacUsers() {
// given
context("mike@example.org");
context("alex@hostsharing.net");
// when
final var result = rbacUserRepository.findByOptionalNameLike(null);
@ -122,9 +122,9 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
}
@Test
public void testGlobalAdmin_withAssumedtestGlobalAdminRole_canViewAllRbacUsers() {
public void globalAdmin_withAssumedglobalAdminRole_canViewAllRbacUsers() {
given:
context("mike@example.org", "global#test-global.admin");
context("alex@hostsharing.net", "global#global.admin");
// when
final var result = rbacUserRepository.findByOptionalNameLike(null);
@ -134,9 +134,9 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
}
@Test
public void testGlobalAdmin_withAssumedCustomerAdminRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() {
public void globalAdmin_withAssumedCustomerAdminRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() {
given:
context("mike@example.org", "test_customer#xxx.admin");
context("alex@hostsharing.net", "test_customer#xxx.admin");
// when
final var result = rbacUserRepository.findByOptionalNameLike(null);
@ -190,7 +190,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
private static final String[] ALL_USER_PERMISSIONS = Array.of(
// @formatter:off
"global#test-global.admin -> global#test-global: add-customer",
"global#global.admin -> global#global: add-customer",
"test_customer#xxx.admin -> test_customer#xxx: add-package",
"test_customer#xxx.admin -> test_customer#xxx: view",
@ -237,12 +237,12 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
);
@Test
public void testGlobalAdmin_withoutAssumedRole_canViewTheirOwnPermissions() {
public void globalAdmin_withoutAssumedRole_canViewTheirOwnPermissions() {
// given
context("mike@example.org");
context("alex@hostsharing.net");
// when
final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("mike@example.org"));
final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("alex@hostsharing.net"));
// then
allTheseRbacPermissionsAreReturned(result, ALL_USER_PERMISSIONS);
@ -294,7 +294,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
public void customerAdmin_withoutAssumedRole_isNotAllowedToViewGlobalAdminsPermissions() {
// given
context("customer-admin@xxx.example.com");
final UUID userUuid = userUUID("mike@example.org");
final UUID userUuid = userUUID("alex@hostsharing.net");
// when
final var result = attempt(em, () ->

View File

@ -39,10 +39,10 @@ class TestCustomerControllerAcceptanceTest {
class ListCustomers {
@Test
void testGlobalAdmin_withoutAssumedRoles_canViewAllCustomers_ifNoCriteriaGiven() {
void globalAdmin_withoutAssumedRoles_canViewAllCustomers_ifNoCriteriaGiven() {
RestAssured // @formatter:off
.given()
.header("current-user", "mike@example.org")
.header("current-user", "alex@hostsharing.net")
.port(port)
.when()
.get("http://localhost/api/test/customers")
@ -57,10 +57,10 @@ class TestCustomerControllerAcceptanceTest {
}
@Test
void testGlobalAdmin_withoutAssumedRoles_canViewMatchingCustomers_ifCriteriaGiven() {
void globalAdmin_withoutAssumedRoles_canViewMatchingCustomers_ifCriteriaGiven() {
RestAssured // @formatter:off
.given()
.header("current-user", "mike@example.org")
.header("current-user", "alex@hostsharing.net")
.port(port)
.when()
.get("http://localhost/api/test/customers?prefix=y")
@ -73,10 +73,10 @@ class TestCustomerControllerAcceptanceTest {
}
@Test
void testGlobalAdmin_withoutAssumedCustomerAdminRole_canOnlyViewOwnCustomer() {
void globalAdmin_withoutAssumedCustomerAdminRole_canOnlyViewOwnCustomer() {
RestAssured // @formatter:off
.given()
.header("current-user", "mike@example.org")
.header("current-user", "alex@hostsharing.net")
.header("assumed-roles", "test_customer#yyy.admin")
.port(port)
.when()
@ -110,11 +110,11 @@ class TestCustomerControllerAcceptanceTest {
class AddCustomer {
@Test
void testGlobalAdmin_withoutAssumedRole_canAddCustomer() {
void globalAdmin_withoutAssumedRole_canAddCustomer() {
final var location = RestAssured // @formatter:off
.given()
.header("current-user", "mike@example.org")
.header("current-user", "alex@hostsharing.net")
.contentType(ContentType.JSON)
.body("""
{
@ -142,13 +142,13 @@ class TestCustomerControllerAcceptanceTest {
}
@Test
void testGlobalAdmin_withoutAssumedRole_canAddCustomerWithGivenUuid() {
void globalAdmin_withoutAssumedRole_canAddCustomerWithGivenUuid() {
final var givenUuid = UUID.randomUUID();
final var location = RestAssured // @formatter:off
.given()
.header("current-user", "mike@example.org")
.header("current-user", "alex@hostsharing.net")
.contentType(ContentType.JSON)
.body("""
{
@ -180,11 +180,11 @@ class TestCustomerControllerAcceptanceTest {
}
@Test
void testGlobalAdmin_withAssumedCustomerAdminRole_canNotAddCustomer() {
void globalAdmin_withAssumedCustomerAdminRole_canNotAddCustomer() {
RestAssured // @formatter:off
.given()
.header("current-user", "mike@example.org")
.header("current-user", "alex@hostsharing.net")
.header("assumed-roles", "test_customer#xxx.admin")
.contentType(ContentType.JSON)
.body("""
@ -205,7 +205,7 @@ class TestCustomerControllerAcceptanceTest {
// @formatter:on
// finally, the new customer was not created
context.define("sven@example.org");
context.define("fran@hostsharing.net");
assertThat(testCustomerRepository.findCustomerByOptionalPrefixLike("uuu")).hasSize(0);
}
@ -234,7 +234,7 @@ class TestCustomerControllerAcceptanceTest {
// @formatter:on
// finally, the new customer was not created
context.define("sven@example.org");
context.define("fran@hostsharing.net");
assertThat(testCustomerRepository.findCustomerByOptionalPrefixLike("uuu")).hasSize(0);
}
}

View File

@ -37,9 +37,9 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
class CreateCustomer {
@Test
public void testGlobalAdmin_withoutAssumedRole_canCreateNewCustomer() {
public void globalAdmin_withoutAssumedRole_canCreateNewCustomer() {
// given
context("mike@example.org", null);
context("alex@hostsharing.net", null);
final var count = testCustomerRepository.count();
// when
@ -58,9 +58,9 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
}
@Test
public void testGlobalAdmin_withAssumedCustomerRole_cannotCreateNewCustomer() {
public void globalAdmin_withAssumedCustomerRole_cannotCreateNewCustomer() {
// given
context("mike@example.org", "test_customer#xxx.admin");
context("alex@hostsharing.net", "test_customer#xxx.admin");
// when
final var result = attempt(em, () -> {
@ -104,9 +104,9 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
class FindAllCustomers {
@Test
public void testGlobalAdmin_withoutAssumedRole_canViewAllCustomers() {
public void globalAdmin_withoutAssumedRole_canViewAllCustomers() {
// given
context("mike@example.org", null);
context("alex@hostsharing.net", null);
// when
final var result = testCustomerRepository.findCustomerByOptionalPrefixLike(null);
@ -116,9 +116,9 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
}
@Test
public void testGlobalAdmin_withAssumedtestGlobalAdminRole_canViewAllCustomers() {
public void globalAdmin_withAssumedglobalAdminRole_canViewAllCustomers() {
given:
context("mike@example.org", "global#test-global.admin");
context("alex@hostsharing.net", "global#global.admin");
// when
final var result = testCustomerRepository.findCustomerByOptionalPrefixLike(null);
@ -153,9 +153,9 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
class FindByPrefixLike {
@Test
public void testGlobalAdmin_withoutAssumedRole_canViewAllCustomers() {
public void globalAdmin_withoutAssumedRole_canViewAllCustomers() {
// given
context("mike@example.org", null);
context("alex@hostsharing.net", null);
// when
final var result = testCustomerRepository.findCustomerByOptionalPrefixLike("yyy");

View File

@ -43,7 +43,7 @@ class TestPackageControllerAcceptanceTest {
// @formatter:off
RestAssured
.given()
.header("current-user", "mike@example.org")
.header("current-user", "alex@hostsharing.net")
.header("assumed-roles", "test_customer#xxx.admin")
.port(port)
.when()