refactor to only a single global admin object global#global.admin
This commit is contained in:
parent
87e2b05926
commit
da793ee546
@ -65,21 +65,21 @@ If you have at least Docker, the Java JDK and Gradle installed in appropriate ve
|
||||
|
||||
# the following command should return a JSON array with just all customers:
|
||||
curl \
|
||||
-H 'current-user: mike@example.org' \
|
||||
-H 'current-user: alex@hostsharing.net' \
|
||||
http://localhost:8080/api/test/customers
|
||||
|
||||
# the following command should return a JSON array with just all packages visible for the admin of the customer yyy:
|
||||
curl \
|
||||
-H 'current-user: mike@example.org' -H 'assumed-roles: test_customer#yyy.admin' \
|
||||
-H 'current-user: alex@hostsharing.net' -H 'assumed-roles: test_customer#yyy.admin' \
|
||||
http://localhost:8080/api/test/packages
|
||||
|
||||
# add a new customer
|
||||
curl \
|
||||
-H 'current-user: mike@example.org' -H "Content-Type: application/json" \
|
||||
-H 'current-user: alex@hostsharing.net' -H "Content-Type: application/json" \
|
||||
-d '{ "prefix":"ttt", "reference":80001, "adminUserName":"admin@ttt.example.com" }' \
|
||||
-X POST http://localhost:8080/api/test/customers
|
||||
|
||||
If you wonder who 'mike@example.org' and 'sven@example.org' are and where the data comes from:
|
||||
If you wonder who 'alex@hostsharing.net' and 'fran@hostsharing.net' are and where the data comes from:
|
||||
Mike and Sven are just example global admin accounts as part of the example data which is automatically inserted in Testcontainers and Development environments.
|
||||
Also try for example 'admin@xxx.example.com' or 'unknown@example.org'.
|
||||
|
||||
|
@ -17,7 +17,7 @@ BEGIN
|
||||
|
||||
-- hostmaster accessing a single customer
|
||||
SET SESSION SESSION AUTHORIZATION restricted;
|
||||
SET LOCAL hsadminng.currentUser = 'mike@example.org';
|
||||
SET LOCAL hsadminng.currentUser = 'alex@hostsharing.net';
|
||||
SET LOCAL hsadminng.assumedRoles = '';
|
||||
-- SELECT *
|
||||
SELECT count(*) INTO resultCount
|
||||
@ -27,7 +27,7 @@ BEGIN
|
||||
|
||||
-- hostmaster listing all customers
|
||||
SET SESSION SESSION AUTHORIZATION restricted;
|
||||
SET LOCAL hsadminng.currentUser = 'mike@example.org';
|
||||
SET LOCAL hsadminng.currentUser = 'alex@hostsharing.net';
|
||||
SET LOCAL hsadminng.assumedRoles = '';
|
||||
-- SELECT *
|
||||
SELECT count(*) INTO resultCount
|
||||
@ -54,7 +54,7 @@ BEGIN
|
||||
|
||||
-- hostsharing admin assuming customer role and listing all accessible packages
|
||||
SET SESSION SESSION AUTHORIZATION restricted;
|
||||
SET LOCAL hsadminng.currentUser = 'mike@example.org';
|
||||
SET LOCAL hsadminng.currentUser = 'alex@hostsharing.net';
|
||||
SET LOCAL hsadminng.assumedRoles = 'test_customer#aaa.admin;test_customer#aab.admin';
|
||||
-- SELECT *
|
||||
SELECT count(*) INTO resultCount
|
||||
@ -63,7 +63,7 @@ BEGIN
|
||||
|
||||
-- hostsharing admin assuming two customer admin roles and listing all accessible domains
|
||||
SET SESSION SESSION AUTHORIZATION restricted;
|
||||
SET LOCAL hsadminng.currentUser = 'mike@example.org';
|
||||
SET LOCAL hsadminng.currentUser = 'alex@hostsharing.net';
|
||||
SET LOCAL hsadminng.assumedRoles = 'test_customer#aab.admin;test_customer#aac.admin';
|
||||
-- SELECT c.prefix, c.reference, uu.*
|
||||
SELECT count(*) INTO resultCount
|
||||
@ -75,7 +75,7 @@ BEGIN
|
||||
-- hostsharing admin assuming two customer admin roles and listing all accessible domains
|
||||
-- ABORT; START TRANSACTION;
|
||||
SET SESSION SESSION AUTHORIZATION restricted;
|
||||
SET LOCAL hsadminng.currentUser = 'mike@example.org';
|
||||
SET LOCAL hsadminng.currentUser = 'alex@hostsharing.net';
|
||||
SET LOCAL hsadminng.assumedRoles = 'test_customer#aac.admin;test_customer#aad.admin';
|
||||
-- SELECT p.name, uu.name, dom.name
|
||||
SELECT count(*) INTO resultCount
|
||||
@ -88,7 +88,7 @@ BEGIN
|
||||
-- hostsharing admin assuming two customer admin roles and listing all accessible email addresses
|
||||
-- ABORT; START TRANSACTION;
|
||||
SET SESSION SESSION AUTHORIZATION restricted;
|
||||
SET LOCAL hsadminng.currentUser = 'mike@example.org';
|
||||
SET LOCAL hsadminng.currentUser = 'alex@hostsharing.net';
|
||||
SET LOCAL hsadminng.assumedRoles = 'test_customer#aae.admin;test_customer#aaf.admin';
|
||||
-- SELECT c.prefix, p.name as "package", ema.localPart || '@' || dom.name as "email-address"
|
||||
SELECT count(*) INTO resultCount
|
||||
|
@ -9,10 +9,10 @@ select isGranted(findRoleId('test_package#aaa00.owner'), findRoleId('administrat
|
||||
-- call grantRoleToRole(findRoleId('administrators'), findRoleId('test_package#aaa00.owner'));
|
||||
|
||||
select count(*)
|
||||
FROM queryAllPermissionsOfSubjectIdForObjectUuids(findRbacUser('sven@example.org'),
|
||||
FROM queryAllPermissionsOfSubjectIdForObjectUuids(findRbacUser('fran@hostsharing.net'),
|
||||
ARRAY(select uuid from customer where reference < 1100000));
|
||||
select count(*)
|
||||
FROM queryAllPermissionsOfSubjectId(findRbacUser('sven@example.org'));
|
||||
FROM queryAllPermissionsOfSubjectId(findRbacUser('fran@hostsharing.net'));
|
||||
select *
|
||||
FROM queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com'));
|
||||
select *
|
||||
@ -33,7 +33,7 @@ $$
|
||||
userId uuid;
|
||||
result bool;
|
||||
BEGIN
|
||||
userId = findRbacUser('mike@example.org');
|
||||
userId = findRbacUser('alex@hostsharing.net');
|
||||
result = (SELECT * FROM isPermissionGrantedToSubject(findPermissionId('package', 94928, 'add-package'), userId));
|
||||
IF (result) THEN
|
||||
RAISE EXCEPTION 'expected permission NOT to be granted, but it is';
|
||||
|
@ -38,7 +38,7 @@ CREATE OR REPLACE RULE "_RETURN" AS
|
||||
SELECT * FROM customer WHERE isPermissionGrantedToSubject(findPermissionId('test_customer', id, 'view'), currentUserUuid());
|
||||
SELECT * from cust_view LIMIT 10;
|
||||
|
||||
select queryAllPermissionsOfSubjectId(findRbacUser('mike@example.org'));
|
||||
select queryAllPermissionsOfSubjectId(findRbacUser('alex@hostsharing.net'));
|
||||
|
||||
-- access control via view-rule with join to recursive permissions - really fast (38ms for 1 million rows)
|
||||
SET SESSION SESSION AUTHORIZATION DEFAULT;
|
||||
@ -73,7 +73,7 @@ GRANT ALL PRIVILEGES ON cust_view TO restricted;
|
||||
|
||||
SET SESSION SESSION AUTHORIZATION restricted;
|
||||
-- SET hsadminng.currentUser TO 'alex@example.com';
|
||||
SET hsadminng.currentUser TO 'mike@example.org';
|
||||
SET hsadminng.currentUser TO 'alex@hostsharing.net';
|
||||
-- SET hsadminng.currentUser TO 'aaaaouq@example.com';
|
||||
SELECT * from cust_view where reference=1144150;
|
||||
|
||||
|
@ -16,7 +16,7 @@ create table Global
|
||||
uuid uuid primary key references RbacObject (uuid) on delete cascade,
|
||||
name varchar(63) unique
|
||||
);
|
||||
-- create unique index Global_Singleton on Global ((0));
|
||||
create unique index Global_Singleton on Global ((0));
|
||||
|
||||
grant select on global to restricted;
|
||||
--//
|
||||
@ -70,3 +70,87 @@ create or replace function globalIdNameByUuid(uuid uuid)
|
||||
select idName from global_iv iv where iv.uuid = globalIdNameByUuid.uuid;
|
||||
$$;
|
||||
--//
|
||||
|
||||
--liquibase formatted sql
|
||||
|
||||
-- ============================================================================
|
||||
--changeset rbac-global-PSEUDO-OBJECT:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/**
|
||||
A single row to be referenced as a global object.
|
||||
*/
|
||||
begin transaction;
|
||||
call defineContext('initializing table "global"', null, null, null);
|
||||
insert
|
||||
into RbacObject (objecttable) values ('global');
|
||||
insert
|
||||
into Global (uuid, name) values ((select uuid from RbacObject where objectTable = 'global'), 'global');
|
||||
commit;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset rbac-global-ADMIN-ROLE:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
A global administrator role.
|
||||
*/
|
||||
create or replace function globalAdmin()
|
||||
returns RbacRoleDescriptor
|
||||
returns null on null input
|
||||
stable leakproof
|
||||
language sql as $$
|
||||
select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType;
|
||||
$$;
|
||||
|
||||
begin transaction;
|
||||
call defineContext('creating global admin role', null, null, null);
|
||||
select createRole(globalAdmin());
|
||||
commit;
|
||||
|
||||
-- ============================================================================
|
||||
--changeset rbac-global-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
Create two users and assign both to the administrators role.
|
||||
*/
|
||||
do language plpgsql $$
|
||||
declare
|
||||
admins uuid ;
|
||||
begin
|
||||
call defineContext('creating fake test-realm admin users', null, null, null);
|
||||
|
||||
admins = findRoleId(globalAdmin());
|
||||
call grantRoleToUserUnchecked(admins, admins, createRbacUser('alex@hostsharing.net'));
|
||||
call grantRoleToUserUnchecked(admins, admins, createRbacUser('fran@hostsharing.net'));
|
||||
end;
|
||||
$$;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset rbac-global-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/*
|
||||
Tests if currentUserUuid() can fetch the user from the session variable.
|
||||
*/
|
||||
|
||||
do language plpgsql $$
|
||||
declare
|
||||
userName varchar;
|
||||
begin
|
||||
call defineContext('testing currentUserUuid', null, 'fran@hostsharing.net', null);
|
||||
select userName from RbacUser where uuid = currentUserUuid() into userName;
|
||||
if userName <> 'fran@hostsharing.net' then
|
||||
raise exception 'setting or fetching initial currentUser failed, got: %', userName;
|
||||
end if;
|
||||
|
||||
call defineContext('testing currentUserUuid', null, 'alex@hostsharing.net', null);
|
||||
select userName from RbacUser where uuid = currentUserUuid() into userName;
|
||||
if userName = 'alex@hostsharing.net' then
|
||||
raise exception 'currentUser should not change in one transaction, but did change, got: %', userName;
|
||||
end if;
|
||||
end; $$;
|
||||
--//
|
||||
|
@ -1,83 +0,0 @@
|
||||
--liquibase formatted sql
|
||||
|
||||
-- ============================================================================
|
||||
--changeset test-base-GLOBAL-OBJECT:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/**
|
||||
A single row to be referenced as a global object.
|
||||
*/
|
||||
begin transaction;
|
||||
call defineContext('initializing table "global"', null, null, null);
|
||||
insert
|
||||
into RbacObject (objecttable) values ('global');
|
||||
insert
|
||||
into Global (uuid, name) values ((select uuid from RbacObject where objectTable = 'global'), 'test-global');
|
||||
commit;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset test-base-ADMIN-ROLE:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
A global administrator role.
|
||||
*/
|
||||
create or replace function testGlobalAdmin()
|
||||
returns RbacRoleDescriptor
|
||||
returns null on null input
|
||||
stable leakproof
|
||||
language sql as $$
|
||||
select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType;
|
||||
$$;
|
||||
|
||||
begin transaction;
|
||||
call defineContext('creating test-global admin role', null, null, null);
|
||||
select createRole(testGlobalAdmin());
|
||||
commit;
|
||||
|
||||
-- ============================================================================
|
||||
--changeset test-base-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
Create two users and assign both to the administrators role.
|
||||
*/
|
||||
do language plpgsql $$
|
||||
declare
|
||||
admins uuid ;
|
||||
begin
|
||||
call defineContext('creating fake test-realm admin users', null, null, null);
|
||||
|
||||
admins = findRoleId(testGlobalAdmin());
|
||||
call grantRoleToUserUnchecked(admins, admins, createRbacUser('mike@example.org'));
|
||||
call grantRoleToUserUnchecked(admins, admins, createRbacUser('sven@example.org'));
|
||||
end;
|
||||
$$;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset test-base-hostsharing-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/*
|
||||
Tests if currentUserUuid() can fetch the user from the session variable.
|
||||
*/
|
||||
|
||||
do language plpgsql $$
|
||||
declare
|
||||
userName varchar;
|
||||
begin
|
||||
call defineContext('testing currentUserUuid', null, 'sven@example.org', null);
|
||||
select userName from RbacUser where uuid = currentUserUuid() into userName;
|
||||
if userName <> 'sven@example.org' then
|
||||
raise exception 'setting or fetching initial currentUser failed, got: %', userName;
|
||||
end if;
|
||||
|
||||
call defineContext('testing currentUserUuid', null, 'mike@example.org', null);
|
||||
select userName from RbacUser where uuid = currentUserUuid() into userName;
|
||||
if userName = 'mike@example.org' then
|
||||
raise exception 'currentUser should not change in one transaction, but did change, got: %', userName;
|
||||
end if;
|
||||
end; $$;
|
||||
--//
|
@ -69,7 +69,7 @@ begin
|
||||
testCustomerOwnerUuid = createRole(
|
||||
testCustomerOwner(NEW),
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['*']),
|
||||
beneathRole(testGlobalAdmin())
|
||||
beneathRole(globalAdmin())
|
||||
);
|
||||
|
||||
-- the admin role for the customer's admins, who can view and add products
|
||||
@ -78,7 +78,7 @@ begin
|
||||
grantingPermissions(forObjectUuid => NEW.uuid, permitOps => array ['view', 'add-package']),
|
||||
-- NO auto assume for customer owner to avoid exploding permissions for administrators
|
||||
withUser(NEW.adminUserName, 'create'), -- implicitly ignored if null
|
||||
grantedByRole(testGlobalAdmin())
|
||||
grantedByRole(globalAdmin())
|
||||
);
|
||||
|
||||
-- allow the customer owner role (thus administrators) to assume the customer admin role
|
||||
@ -208,7 +208,7 @@ do language plpgsql $$
|
||||
begin
|
||||
call defineContext('granting global add-customer permission to global admin role', null, null, null);
|
||||
|
||||
globalAdminRoleUuid := findRoleId(testGlobalAdmin());
|
||||
globalAdminRoleUuid := findRoleId(globalAdmin());
|
||||
globalObjectUuid := (select uuid from global);
|
||||
addCustomerPermissions := createPermissions(globalObjectUuid, array ['add-customer']);
|
||||
call grantPermissionsToRole(globalAdminRoleUuid, addCustomerPermissions);
|
||||
@ -234,7 +234,7 @@ create trigger test_customer_insert_trigger
|
||||
before insert
|
||||
on test_customer
|
||||
for each row
|
||||
when ( currentUser() <> 'mike@example.org' or not hasGlobalPermission('add-customer') )
|
||||
when ( currentUser() <> 'alex@hostsharing.net' or not hasGlobalPermission('add-customer') )
|
||||
execute procedure addTestCustomerNotAllowedForCurrentSubjects();
|
||||
--//
|
||||
|
||||
|
@ -30,7 +30,7 @@ declare
|
||||
custAdminName varchar;
|
||||
begin
|
||||
currentTask = 'creating RBAC test customer #' || custReference || '/' || custPrefix;
|
||||
call defineContext(currentTask, null, 'mike@example.org', 'global#test-global.admin');
|
||||
call defineContext(currentTask, null, 'alex@hostsharing.net', 'global#global.admin');
|
||||
execute format('set local hsadminng.currentTask to %L', currentTask);
|
||||
|
||||
custRowId = uuid_generate_v4();
|
||||
|
@ -1,83 +0,0 @@
|
||||
--liquibase formatted sql
|
||||
|
||||
-- ============================================================================
|
||||
--changeset hs-base-GLOBAL-OBJECT:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/**
|
||||
A single row to be referenced as a global object.
|
||||
*/
|
||||
begin transaction;
|
||||
call defineContext('initializing table "global"', null, null, null);
|
||||
insert
|
||||
into RbacObject (objecttable) values ('global');
|
||||
insert
|
||||
into Global (uuid, name) values ((select uuid from RbacObject where objectTable = 'global'), 'hostsharing');
|
||||
commit;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset hs-base-ADMIN-ROLE:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
A global administrator role.
|
||||
*/
|
||||
create or replace function hsHostsharingAdmin()
|
||||
returns RbacRoleDescriptor
|
||||
returns null on null input
|
||||
stable leakproof
|
||||
language sql as $$
|
||||
select 'global', (select uuid from RbacObject where objectTable = 'global'), 'admin'::RbacRoleType;
|
||||
$$;
|
||||
|
||||
begin transaction;
|
||||
call defineContext('creating Hostsharing admin role', null, null, null);
|
||||
select createRole(hsHostsharingAdmin());
|
||||
commit;
|
||||
|
||||
-- ============================================================================
|
||||
--changeset hs-base-ADMIN-USERS:1 context:dev,tc endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
/*
|
||||
Create two users and assign both to the administrators role.
|
||||
*/
|
||||
do language plpgsql $$
|
||||
declare
|
||||
admins uuid ;
|
||||
begin
|
||||
call defineContext('creating fake Hostsharing admin users', null, null, null);
|
||||
|
||||
admins = findRoleId(hsHostsharingAdmin());
|
||||
call grantRoleToUserUnchecked(admins, admins, createRbacUser('mike@hostsharing.net'));
|
||||
call grantRoleToUserUnchecked(admins, admins, createRbacUser('sven@hostsharing.net'));
|
||||
end;
|
||||
$$;
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset hs-base-hostsharing-TEST:1 context:dev,tc runAlways:true endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/*
|
||||
Tests if currentUserUuid() can fetch the user from the session variable.
|
||||
*/
|
||||
|
||||
do language plpgsql $$
|
||||
declare
|
||||
userName varchar;
|
||||
begin
|
||||
call defineContext('testing currentUserUuid', null, 'sven@hostsharing.net', null);
|
||||
select userName from RbacUser where uuid = currentUserUuid() into userName;
|
||||
if userName <> 'sven@hostsharing.net' then
|
||||
raise exception 'setting or fetching initial currentUser failed, got: %', userName;
|
||||
end if;
|
||||
|
||||
call defineContext('testing currentUserUuid', null, 'mike@hostsharing.net', null);
|
||||
select userName from RbacUser where uuid = currentUserUuid() into userName;
|
||||
if userName = 'mike@ehostsharing.net' then
|
||||
raise exception 'currentUser should not change in one transaction, but did change, got: %', userName;
|
||||
end if;
|
||||
end; $$;
|
||||
--//
|
@ -27,8 +27,6 @@ databaseChangeLog:
|
||||
file: db/changelog/059-rbac-statistics.sql
|
||||
- include:
|
||||
file: db/changelog/080-rbac-global.sql
|
||||
- include:
|
||||
file: db/changelog/100-test-base.sql
|
||||
- include:
|
||||
file: db/changelog/110-test-customer.sql
|
||||
- include:
|
||||
|
@ -31,7 +31,7 @@ class ContextIntegrationTests {
|
||||
@Test
|
||||
void defineWithoutHttpServletRequestUsesCallStack() {
|
||||
|
||||
context.define("mike@example.org", null);
|
||||
context.define("alex@hostsharing.net", null);
|
||||
|
||||
assertThat(context.getCurrentTask())
|
||||
.isEqualTo("ContextIntegrationTests.defineWithoutHttpServletRequestUsesCallStack");
|
||||
@ -41,11 +41,11 @@ class ContextIntegrationTests {
|
||||
@Transactional
|
||||
void defineWithCurrentUserButWithoutAssumedRoles() {
|
||||
// when
|
||||
context.define("mike@example.org");
|
||||
context.define("alex@hostsharing.net");
|
||||
|
||||
// then
|
||||
assertThat(context.getCurrentUser()).
|
||||
isEqualTo("mike@example.org");
|
||||
isEqualTo("alex@hostsharing.net");
|
||||
|
||||
assertThat(context.getCurrentUserUUid()).isNotNull();
|
||||
|
||||
@ -85,11 +85,11 @@ class ContextIntegrationTests {
|
||||
@Transactional
|
||||
void defineWithCurrentUserAndAssumedRoles() {
|
||||
// given
|
||||
context.define("mike@example.org", "test_customer#xxx.owner;test_customer#yyy.owner");
|
||||
context.define("alex@hostsharing.net", "test_customer#xxx.owner;test_customer#yyy.owner");
|
||||
|
||||
// when
|
||||
final var currentUser = context.getCurrentUser();
|
||||
assertThat(currentUser).isEqualTo("mike@example.org");
|
||||
assertThat(currentUser).isEqualTo("alex@hostsharing.net");
|
||||
|
||||
// then
|
||||
assertThat(context.getAssumedRoles())
|
||||
|
@ -41,7 +41,7 @@ class HsAdminPartnerRepositoryIntegrationTest extends ContextBasedTest {
|
||||
@Test
|
||||
public void testHostsharingAdmin_withoutAssumedRole_canCreateNewCustomer() {
|
||||
// given
|
||||
context("mike@example.org", null);
|
||||
context("alex@hostsharing.net", null);
|
||||
final var count = partnerRepository.count();
|
||||
|
||||
// when
|
||||
@ -67,9 +67,9 @@ class HsAdminPartnerRepositoryIntegrationTest extends ContextBasedTest {
|
||||
class FindAllCustomers {
|
||||
|
||||
@Test
|
||||
public void testGlobalAdmin_withoutAssumedRole_canViewAllCustomers() {
|
||||
public void globalAdmin_withoutAssumedRole_canViewAllCustomers() {
|
||||
// given
|
||||
context("mike@example.org", null);
|
||||
context("alex@hostsharing.net", null);
|
||||
|
||||
// when
|
||||
final var result = partnerRepository.findPartnerByOptionalNameLike(null);
|
||||
@ -84,9 +84,9 @@ class HsAdminPartnerRepositoryIntegrationTest extends ContextBasedTest {
|
||||
class FindByPrefixLike {
|
||||
|
||||
@Test
|
||||
public void testGlobalAdmin_withoutAssumedRole_canViewAllCustomers() {
|
||||
public void globalAdmin_withoutAssumedRole_canViewAllCustomers() {
|
||||
// given
|
||||
context("mike@example.org", null);
|
||||
context("alex@hostsharing.net", null);
|
||||
|
||||
// when
|
||||
final var result = partnerRepository.findPartnerByOptionalNameLike("Yps");
|
||||
|
@ -61,10 +61,10 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
|
||||
@Test
|
||||
@Accepts("GRT:L(List)")
|
||||
void testGlobalAdmin_withoutAssumedRole_canViewAllGrants() {
|
||||
void globalAdmin_withoutAssumedRole_canViewAllGrants() {
|
||||
RestAssured // @formatter:off
|
||||
.given()
|
||||
.header("current-user", "mike@example.org")
|
||||
.header("current-user", "alex@hostsharing.net")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/rbac/grants")
|
||||
@ -73,23 +73,23 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
.contentType("application/json")
|
||||
.body("", hasItem(
|
||||
allOf(
|
||||
hasEntry("grantedByRoleIdName", "global#test-global.admin"),
|
||||
hasEntry("grantedByRoleIdName", "global#global.admin"),
|
||||
hasEntry("grantedRoleIdName", "test_customer#xxx.admin"),
|
||||
hasEntry("granteeUserName", "customer-admin@xxx.example.com")
|
||||
)
|
||||
))
|
||||
.body("", hasItem(
|
||||
allOf(
|
||||
hasEntry("grantedByRoleIdName", "global#test-global.admin"),
|
||||
hasEntry("grantedByRoleIdName", "global#global.admin"),
|
||||
hasEntry("grantedRoleIdName", "test_customer#yyy.admin"),
|
||||
hasEntry("granteeUserName", "customer-admin@yyy.example.com")
|
||||
)
|
||||
))
|
||||
.body("", hasItem(
|
||||
allOf(
|
||||
hasEntry("grantedByRoleIdName", "global#test-global.admin"),
|
||||
hasEntry("grantedRoleIdName", "global#test-global.admin"),
|
||||
hasEntry("granteeUserName", "sven@example.org")
|
||||
hasEntry("grantedByRoleIdName", "global#global.admin"),
|
||||
hasEntry("grantedRoleIdName", "global#global.admin"),
|
||||
hasEntry("granteeUserName", "fran@hostsharing.net")
|
||||
)
|
||||
))
|
||||
.body("", hasItem(
|
||||
@ -112,10 +112,10 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
|
||||
@Test
|
||||
@Accepts({ "GRT:L(List)", "GRT:X(Access Control)" })
|
||||
void testGlobalAdmin_withAssumedPackageAdminRole_canViewPacketRelatedGrants() {
|
||||
void globalAdmin_withAssumedPackageAdminRole_canViewPacketRelatedGrants() {
|
||||
RestAssured // @formatter:off
|
||||
.given()
|
||||
.header("current-user", "mike@example.org")
|
||||
.header("current-user", "alex@hostsharing.net")
|
||||
.header("assumed-roles", "test_package#yyy00.admin")
|
||||
.port(port)
|
||||
.when()
|
||||
@ -498,14 +498,14 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
|
||||
RbacUserEntity findRbacUserByName(final String userName) {
|
||||
return jpaAttempt.transacted(() -> {
|
||||
context("mike@example.org", null);
|
||||
context("alex@hostsharing.net", null);
|
||||
return rbacUserRepository.findByName(userName);
|
||||
}).returnedValue();
|
||||
}
|
||||
|
||||
RbacRoleEntity findRbacRoleByName(final String roleName) {
|
||||
return jpaAttempt.transacted(() -> {
|
||||
context("mike@example.org", null);
|
||||
context("alex@hostsharing.net", null);
|
||||
return rbacRoleRepository.findByRoleName(roleName);
|
||||
}).returnedValue();
|
||||
}
|
||||
|
@ -83,7 +83,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
||||
// then
|
||||
exactlyTheseRbacGrantsAreReturned(
|
||||
result,
|
||||
"{ grant assumed role test_customer#xxx.admin to user customer-admin@xxx.example.com by role global#test-global.admin }",
|
||||
"{ grant assumed role test_customer#xxx.admin to user customer-admin@xxx.example.com by role global#global.admin }",
|
||||
"{ grant assumed role test_package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role test_customer#xxx.admin }",
|
||||
"{ grant assumed role test_package#xxx01.admin to user pac-admin-xxx01@xxx.example.com by role test_customer#xxx.admin }",
|
||||
"{ grant assumed role test_package#xxx02.admin to user pac-admin-xxx02@xxx.example.com by role test_customer#xxx.admin }");
|
||||
|
@ -38,12 +38,12 @@ class RbacRoleControllerAcceptanceTest {
|
||||
|
||||
@Test
|
||||
@Accepts({ "ROL:L(List)" })
|
||||
void testGlobalAdmin_withoutAssumedRole_canViewAllRoles() {
|
||||
void globalAdmin_withoutAssumedRole_canViewAllRoles() {
|
||||
|
||||
// @formatter:off
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-user", "mike@example.org")
|
||||
.header("current-user", "alex@hostsharing.net")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/rbac/roles")
|
||||
@ -54,7 +54,7 @@ class RbacRoleControllerAcceptanceTest {
|
||||
.body("", hasItem(hasEntry("roleName", "test_customer#xxx.owner")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_customer#xxx.tenant")))
|
||||
// ...
|
||||
.body("", hasItem(hasEntry("roleName", "global#test-global.admin")))
|
||||
.body("", hasItem(hasEntry("roleName", "global#global.admin")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_customer#yyy.admin")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_package#yyy00.admin")))
|
||||
.body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa.owner")))
|
||||
@ -64,12 +64,12 @@ class RbacRoleControllerAcceptanceTest {
|
||||
|
||||
@Test
|
||||
@Accepts({ "ROL:L(List)", "ROL:X(Access Control)" })
|
||||
void testGlobalAdmin_withAssumedPackageAdminRole_canViewPackageAdminRoles() {
|
||||
void globalAdmin_withAssumedPackageAdminRole_canViewPackageAdminRoles() {
|
||||
|
||||
// @formatter:off
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-user", "mike@example.org")
|
||||
.header("current-user", "alex@hostsharing.net")
|
||||
.header("assumed-roles", "test_package#yyy00.admin")
|
||||
.port(port)
|
||||
.when()
|
||||
|
@ -37,13 +37,13 @@ class RbacRoleControllerRestTest {
|
||||
// when
|
||||
mockMvc.perform(MockMvcRequestBuilders
|
||||
.get("/api/rbac/roles")
|
||||
.header("current-user", "mike@example.org")
|
||||
.header("current-user", "alex@hostsharing.net")
|
||||
.accept(MediaType.APPLICATION_JSON))
|
||||
|
||||
// then
|
||||
.andExpect(status().isOk())
|
||||
.andExpect(jsonPath("$", hasSize(3)))
|
||||
.andExpect(jsonPath("$[0].roleName", is("global#test-global.admin")))
|
||||
.andExpect(jsonPath("$[0].roleName", is("global#global.admin")))
|
||||
.andExpect(jsonPath("$[1].roleName", is("test_customer#xxx.owner")))
|
||||
.andExpect(jsonPath("$[2].roleName", is("test_customer#xxx.admin")))
|
||||
.andExpect(jsonPath("$[2].uuid", is(customerXxxAdmin.getUuid().toString())))
|
||||
|
@ -40,7 +40,7 @@ class RbacRoleRepositoryIntegrationTest {
|
||||
|
||||
private static final String[] ALL_TEST_DATA_ROLES = Array.of(
|
||||
// @formatter:off
|
||||
"global#test-global.admin",
|
||||
"global#global.admin",
|
||||
"test_customer#xxx.admin", "test_customer#xxx.owner", "test_customer#xxx.tenant",
|
||||
"test_package#xxx00.admin", "test_package#xxx00.owner", "test_package#xxx00.tenant",
|
||||
"test_package#xxx01.admin", "test_package#xxx01.owner", "test_package#xxx01.tenant",
|
||||
@ -57,9 +57,9 @@ class RbacRoleRepositoryIntegrationTest {
|
||||
);
|
||||
|
||||
@Test
|
||||
public void testGlobalAdmin_withoutAssumedRole_canViewAllRbacRoles() {
|
||||
public void globalAdmin_withoutAssumedRole_canViewAllRbacRoles() {
|
||||
// given
|
||||
context.define("mike@example.org");
|
||||
context.define("alex@hostsharing.net");
|
||||
|
||||
// when
|
||||
final var result = rbacRoleRepository.findAll();
|
||||
@ -69,9 +69,9 @@ class RbacRoleRepositoryIntegrationTest {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testGlobalAdmin_withAssumedtestGlobalAdminRole_canViewAllRbacRoles() {
|
||||
public void globalAdmin_withAssumedglobalAdminRole_canViewAllRbacRoles() {
|
||||
given:
|
||||
context.define("mike@example.org", "global#test-global.admin");
|
||||
context.define("alex@hostsharing.net", "global#global.admin");
|
||||
|
||||
// when
|
||||
final var result = rbacRoleRepository.findAll();
|
||||
@ -111,7 +111,7 @@ class RbacRoleRepositoryIntegrationTest {
|
||||
noneOfTheseRbacRolesIsReturned(
|
||||
result,
|
||||
// @formatter:off
|
||||
"global#test-global.admin",
|
||||
"global#global.admin",
|
||||
"test_customer#xxx.owner",
|
||||
"test_package#yyy00.admin",
|
||||
"test_package#yyy00.owner",
|
||||
|
@ -4,7 +4,7 @@ import static java.util.UUID.randomUUID;
|
||||
|
||||
public class TestRbacRole {
|
||||
|
||||
public static final RbacRoleEntity hostmasterRole = rbacRole("global", "test-global", RbacRoleType.admin);
|
||||
public static final RbacRoleEntity hostmasterRole = rbacRole("global", "global", RbacRoleType.admin);
|
||||
static final RbacRoleEntity customerXxxOwner = rbacRole("test_customer", "xxx", RbacRoleType.owner);
|
||||
static final RbacRoleEntity customerXxxAdmin = rbacRole("test_customer", "xxx", RbacRoleType.admin);
|
||||
|
||||
|
@ -82,13 +82,13 @@ class RbacUserControllerAcceptanceTest {
|
||||
|
||||
@Test
|
||||
@Accepts({ "USR:R(Read)" })
|
||||
void testGlobalAdmin_withoutAssumedRole_canGetArbitraryUser() {
|
||||
void globalAdmin_withoutAssumedRole_canGetArbitraryUser() {
|
||||
final var givenUser = findRbacUserByName("pac-admin-xxx00@xxx.example.com");
|
||||
|
||||
// @formatter:off
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-user", "mike@example.org")
|
||||
.header("current-user", "alex@hostsharing.net")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/rbac/users/" + givenUser.getUuid())
|
||||
@ -101,13 +101,13 @@ class RbacUserControllerAcceptanceTest {
|
||||
|
||||
@Test
|
||||
@Accepts({ "USR:R(Read)", "USR:X(Access Control)" })
|
||||
void testGlobalAdmin_withAssumedCustomerAdminRole_canGetUserWithinInItsRealm() {
|
||||
void globalAdmin_withAssumedCustomerAdminRole_canGetUserWithinInItsRealm() {
|
||||
final var givenUser = findRbacUserByName("pac-admin-yyy00@yyy.example.com");
|
||||
|
||||
// @formatter:off
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-user", "mike@example.org")
|
||||
.header("current-user", "alex@hostsharing.net")
|
||||
.header("assumed-roles", "test_customer#yyy.admin")
|
||||
.port(port)
|
||||
.when()
|
||||
@ -161,12 +161,12 @@ class RbacUserControllerAcceptanceTest {
|
||||
|
||||
@Test
|
||||
@Accepts({ "USR:L(List)" })
|
||||
void testGlobalAdmin_withoutAssumedRole_canViewAllUsers() {
|
||||
void globalAdmin_withoutAssumedRole_canViewAllUsers() {
|
||||
|
||||
// @formatter:off
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-user", "mike@example.org")
|
||||
.header("current-user", "alex@hostsharing.net")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/rbac/users")
|
||||
@ -176,23 +176,23 @@ class RbacUserControllerAcceptanceTest {
|
||||
.body("", hasItem(hasEntry("name", "customer-admin@xxx.example.com")))
|
||||
.body("", hasItem(hasEntry("name", "customer-admin@yyy.example.com")))
|
||||
.body("", hasItem(hasEntry("name", "customer-admin@zzz.example.com")))
|
||||
.body("", hasItem(hasEntry("name", "mike@example.org")))
|
||||
.body("", hasItem(hasEntry("name", "alex@hostsharing.net")))
|
||||
// ...
|
||||
.body("", hasItem(hasEntry("name", "pac-admin-zzz01@zzz.example.com")))
|
||||
.body("", hasItem(hasEntry("name", "pac-admin-zzz02@zzz.example.com")))
|
||||
.body("", hasItem(hasEntry("name", "sven@example.org")))
|
||||
.body("", hasItem(hasEntry("name", "fran@hostsharing.net")))
|
||||
.body("size()", greaterThanOrEqualTo(14));
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Test
|
||||
@Accepts({ "USR:F(Filter)" })
|
||||
void testGlobalAdmin_withoutAssumedRole_canViewAllUsersByName() {
|
||||
void globalAdmin_withoutAssumedRole_canViewAllUsersByName() {
|
||||
|
||||
// @formatter:off
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-user", "mike@example.org")
|
||||
.header("current-user", "alex@hostsharing.net")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/rbac/users?name=pac-admin-zzz0")
|
||||
@ -208,12 +208,12 @@ class RbacUserControllerAcceptanceTest {
|
||||
|
||||
@Test
|
||||
@Accepts({ "USR:L(List)", "USR:X(Access Control)" })
|
||||
void testGlobalAdmin_withAssumedCustomerAdminRole_canViewUsersInItsRealm() {
|
||||
void globalAdmin_withAssumedCustomerAdminRole_canViewUsersInItsRealm() {
|
||||
|
||||
// @formatter:off
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-user", "mike@example.org")
|
||||
.header("current-user", "alex@hostsharing.net")
|
||||
.header("assumed-roles", "test_customer#yyy.admin")
|
||||
.port(port)
|
||||
.when()
|
||||
@ -276,13 +276,13 @@ class RbacUserControllerAcceptanceTest {
|
||||
|
||||
@Test
|
||||
@Accepts({ "PRM:L(List)" })
|
||||
void testGlobalAdmin_withoutAssumedRole_canViewArbitraryUsersPermissions() {
|
||||
void globalAdmin_withoutAssumedRole_canViewArbitraryUsersPermissions() {
|
||||
final var givenUser = findRbacUserByName("pac-admin-yyy00@yyy.example.com");
|
||||
|
||||
// @formatter:off
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-user", "mike@example.org")
|
||||
.header("current-user", "alex@hostsharing.net")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/rbac/users/" + givenUser.getUuid() + "/permissions")
|
||||
@ -310,13 +310,13 @@ class RbacUserControllerAcceptanceTest {
|
||||
|
||||
@Test
|
||||
@Accepts({ "PRM:L(List)" })
|
||||
void testGlobalAdmin_withAssumedCustomerAdminRole_canViewArbitraryUsersPermissions() {
|
||||
void globalAdmin_withAssumedCustomerAdminRole_canViewArbitraryUsersPermissions() {
|
||||
final var givenUser = findRbacUserByName("pac-admin-yyy00@yyy.example.com");
|
||||
|
||||
// @formatter:off
|
||||
RestAssured
|
||||
.given()
|
||||
.header("current-user", "mike@example.org")
|
||||
.header("current-user", "alex@hostsharing.net")
|
||||
.header("assumed-roles", "test_package#yyy00.admin")
|
||||
.port(port)
|
||||
.when()
|
||||
@ -455,7 +455,7 @@ class RbacUserControllerAcceptanceTest {
|
||||
// @formatter:off
|
||||
final var location = RestAssured
|
||||
.given()
|
||||
.header("current-user", "mike@example.org")
|
||||
.header("current-user", "alex@hostsharing.net")
|
||||
.port(port)
|
||||
.when()
|
||||
.delete("http://localhost/api/rbac/users/" + givenUser.getUuid())
|
||||
@ -470,7 +470,7 @@ class RbacUserControllerAcceptanceTest {
|
||||
|
||||
RbacUserEntity findRbacUserByName(final String userName) {
|
||||
return jpaAttempt.transacted(() -> {
|
||||
context.define("mike@example.org");
|
||||
context.define("alex@hostsharing.net");
|
||||
return rbacUserRepository.findByName(userName);
|
||||
}).returnedValue();
|
||||
}
|
||||
|
@ -99,7 +99,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
|
||||
private static final String[] ALL_TEST_DATA_USERS = Array.of(
|
||||
// @formatter:off
|
||||
"mike@example.org", "sven@example.org",
|
||||
"alex@hostsharing.net", "fran@hostsharing.net",
|
||||
"customer-admin@xxx.example.com",
|
||||
"pac-admin-xxx00@xxx.example.com", "pac-admin-xxx01@xxx.example.com", "pac-admin-xxx02@xxx.example.com",
|
||||
"customer-admin@yyy.example.com",
|
||||
@ -110,9 +110,9 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
);
|
||||
|
||||
@Test
|
||||
public void testGlobalAdmin_withoutAssumedRole_canViewAllRbacUsers() {
|
||||
public void globalAdmin_withoutAssumedRole_canViewAllRbacUsers() {
|
||||
// given
|
||||
context("mike@example.org");
|
||||
context("alex@hostsharing.net");
|
||||
|
||||
// when
|
||||
final var result = rbacUserRepository.findByOptionalNameLike(null);
|
||||
@ -122,9 +122,9 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testGlobalAdmin_withAssumedtestGlobalAdminRole_canViewAllRbacUsers() {
|
||||
public void globalAdmin_withAssumedglobalAdminRole_canViewAllRbacUsers() {
|
||||
given:
|
||||
context("mike@example.org", "global#test-global.admin");
|
||||
context("alex@hostsharing.net", "global#global.admin");
|
||||
|
||||
// when
|
||||
final var result = rbacUserRepository.findByOptionalNameLike(null);
|
||||
@ -134,9 +134,9 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testGlobalAdmin_withAssumedCustomerAdminRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() {
|
||||
public void globalAdmin_withAssumedCustomerAdminRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() {
|
||||
given:
|
||||
context("mike@example.org", "test_customer#xxx.admin");
|
||||
context("alex@hostsharing.net", "test_customer#xxx.admin");
|
||||
|
||||
// when
|
||||
final var result = rbacUserRepository.findByOptionalNameLike(null);
|
||||
@ -190,7 +190,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
|
||||
private static final String[] ALL_USER_PERMISSIONS = Array.of(
|
||||
// @formatter:off
|
||||
"global#test-global.admin -> global#test-global: add-customer",
|
||||
"global#global.admin -> global#global: add-customer",
|
||||
|
||||
"test_customer#xxx.admin -> test_customer#xxx: add-package",
|
||||
"test_customer#xxx.admin -> test_customer#xxx: view",
|
||||
@ -237,12 +237,12 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
);
|
||||
|
||||
@Test
|
||||
public void testGlobalAdmin_withoutAssumedRole_canViewTheirOwnPermissions() {
|
||||
public void globalAdmin_withoutAssumedRole_canViewTheirOwnPermissions() {
|
||||
// given
|
||||
context("mike@example.org");
|
||||
context("alex@hostsharing.net");
|
||||
|
||||
// when
|
||||
final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("mike@example.org"));
|
||||
final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("alex@hostsharing.net"));
|
||||
|
||||
// then
|
||||
allTheseRbacPermissionsAreReturned(result, ALL_USER_PERMISSIONS);
|
||||
@ -294,7 +294,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
||||
public void customerAdmin_withoutAssumedRole_isNotAllowedToViewGlobalAdminsPermissions() {
|
||||
// given
|
||||
context("customer-admin@xxx.example.com");
|
||||
final UUID userUuid = userUUID("mike@example.org");
|
||||
final UUID userUuid = userUUID("alex@hostsharing.net");
|
||||
|
||||
// when
|
||||
final var result = attempt(em, () ->
|
||||
|
@ -39,10 +39,10 @@ class TestCustomerControllerAcceptanceTest {
|
||||
class ListCustomers {
|
||||
|
||||
@Test
|
||||
void testGlobalAdmin_withoutAssumedRoles_canViewAllCustomers_ifNoCriteriaGiven() {
|
||||
void globalAdmin_withoutAssumedRoles_canViewAllCustomers_ifNoCriteriaGiven() {
|
||||
RestAssured // @formatter:off
|
||||
.given()
|
||||
.header("current-user", "mike@example.org")
|
||||
.header("current-user", "alex@hostsharing.net")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/test/customers")
|
||||
@ -57,10 +57,10 @@ class TestCustomerControllerAcceptanceTest {
|
||||
}
|
||||
|
||||
@Test
|
||||
void testGlobalAdmin_withoutAssumedRoles_canViewMatchingCustomers_ifCriteriaGiven() {
|
||||
void globalAdmin_withoutAssumedRoles_canViewMatchingCustomers_ifCriteriaGiven() {
|
||||
RestAssured // @formatter:off
|
||||
.given()
|
||||
.header("current-user", "mike@example.org")
|
||||
.header("current-user", "alex@hostsharing.net")
|
||||
.port(port)
|
||||
.when()
|
||||
.get("http://localhost/api/test/customers?prefix=y")
|
||||
@ -73,10 +73,10 @@ class TestCustomerControllerAcceptanceTest {
|
||||
}
|
||||
|
||||
@Test
|
||||
void testGlobalAdmin_withoutAssumedCustomerAdminRole_canOnlyViewOwnCustomer() {
|
||||
void globalAdmin_withoutAssumedCustomerAdminRole_canOnlyViewOwnCustomer() {
|
||||
RestAssured // @formatter:off
|
||||
.given()
|
||||
.header("current-user", "mike@example.org")
|
||||
.header("current-user", "alex@hostsharing.net")
|
||||
.header("assumed-roles", "test_customer#yyy.admin")
|
||||
.port(port)
|
||||
.when()
|
||||
@ -110,11 +110,11 @@ class TestCustomerControllerAcceptanceTest {
|
||||
class AddCustomer {
|
||||
|
||||
@Test
|
||||
void testGlobalAdmin_withoutAssumedRole_canAddCustomer() {
|
||||
void globalAdmin_withoutAssumedRole_canAddCustomer() {
|
||||
|
||||
final var location = RestAssured // @formatter:off
|
||||
.given()
|
||||
.header("current-user", "mike@example.org")
|
||||
.header("current-user", "alex@hostsharing.net")
|
||||
.contentType(ContentType.JSON)
|
||||
.body("""
|
||||
{
|
||||
@ -142,13 +142,13 @@ class TestCustomerControllerAcceptanceTest {
|
||||
}
|
||||
|
||||
@Test
|
||||
void testGlobalAdmin_withoutAssumedRole_canAddCustomerWithGivenUuid() {
|
||||
void globalAdmin_withoutAssumedRole_canAddCustomerWithGivenUuid() {
|
||||
|
||||
final var givenUuid = UUID.randomUUID();
|
||||
|
||||
final var location = RestAssured // @formatter:off
|
||||
.given()
|
||||
.header("current-user", "mike@example.org")
|
||||
.header("current-user", "alex@hostsharing.net")
|
||||
.contentType(ContentType.JSON)
|
||||
.body("""
|
||||
{
|
||||
@ -180,11 +180,11 @@ class TestCustomerControllerAcceptanceTest {
|
||||
}
|
||||
|
||||
@Test
|
||||
void testGlobalAdmin_withAssumedCustomerAdminRole_canNotAddCustomer() {
|
||||
void globalAdmin_withAssumedCustomerAdminRole_canNotAddCustomer() {
|
||||
|
||||
RestAssured // @formatter:off
|
||||
.given()
|
||||
.header("current-user", "mike@example.org")
|
||||
.header("current-user", "alex@hostsharing.net")
|
||||
.header("assumed-roles", "test_customer#xxx.admin")
|
||||
.contentType(ContentType.JSON)
|
||||
.body("""
|
||||
@ -205,7 +205,7 @@ class TestCustomerControllerAcceptanceTest {
|
||||
// @formatter:on
|
||||
|
||||
// finally, the new customer was not created
|
||||
context.define("sven@example.org");
|
||||
context.define("fran@hostsharing.net");
|
||||
assertThat(testCustomerRepository.findCustomerByOptionalPrefixLike("uuu")).hasSize(0);
|
||||
}
|
||||
|
||||
@ -234,7 +234,7 @@ class TestCustomerControllerAcceptanceTest {
|
||||
// @formatter:on
|
||||
|
||||
// finally, the new customer was not created
|
||||
context.define("sven@example.org");
|
||||
context.define("fran@hostsharing.net");
|
||||
assertThat(testCustomerRepository.findCustomerByOptionalPrefixLike("uuu")).hasSize(0);
|
||||
}
|
||||
}
|
||||
|
@ -37,9 +37,9 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
|
||||
class CreateCustomer {
|
||||
|
||||
@Test
|
||||
public void testGlobalAdmin_withoutAssumedRole_canCreateNewCustomer() {
|
||||
public void globalAdmin_withoutAssumedRole_canCreateNewCustomer() {
|
||||
// given
|
||||
context("mike@example.org", null);
|
||||
context("alex@hostsharing.net", null);
|
||||
final var count = testCustomerRepository.count();
|
||||
|
||||
// when
|
||||
@ -58,9 +58,9 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testGlobalAdmin_withAssumedCustomerRole_cannotCreateNewCustomer() {
|
||||
public void globalAdmin_withAssumedCustomerRole_cannotCreateNewCustomer() {
|
||||
// given
|
||||
context("mike@example.org", "test_customer#xxx.admin");
|
||||
context("alex@hostsharing.net", "test_customer#xxx.admin");
|
||||
|
||||
// when
|
||||
final var result = attempt(em, () -> {
|
||||
@ -104,9 +104,9 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
|
||||
class FindAllCustomers {
|
||||
|
||||
@Test
|
||||
public void testGlobalAdmin_withoutAssumedRole_canViewAllCustomers() {
|
||||
public void globalAdmin_withoutAssumedRole_canViewAllCustomers() {
|
||||
// given
|
||||
context("mike@example.org", null);
|
||||
context("alex@hostsharing.net", null);
|
||||
|
||||
// when
|
||||
final var result = testCustomerRepository.findCustomerByOptionalPrefixLike(null);
|
||||
@ -116,9 +116,9 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testGlobalAdmin_withAssumedtestGlobalAdminRole_canViewAllCustomers() {
|
||||
public void globalAdmin_withAssumedglobalAdminRole_canViewAllCustomers() {
|
||||
given:
|
||||
context("mike@example.org", "global#test-global.admin");
|
||||
context("alex@hostsharing.net", "global#global.admin");
|
||||
|
||||
// when
|
||||
final var result = testCustomerRepository.findCustomerByOptionalPrefixLike(null);
|
||||
@ -153,9 +153,9 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
|
||||
class FindByPrefixLike {
|
||||
|
||||
@Test
|
||||
public void testGlobalAdmin_withoutAssumedRole_canViewAllCustomers() {
|
||||
public void globalAdmin_withoutAssumedRole_canViewAllCustomers() {
|
||||
// given
|
||||
context("mike@example.org", null);
|
||||
context("alex@hostsharing.net", null);
|
||||
|
||||
// when
|
||||
final var result = testCustomerRepository.findCustomerByOptionalPrefixLike("yyy");
|
||||
|