diff --git a/sql/recursive-cte-experiments-for-accessible-uuids.sql b/sql/recursive-cte-experiments-for-accessible-uuids.sql new file mode 100644 index 00000000..ae6f27dc --- /dev/null +++ b/sql/recursive-cte-experiments-for-accessible-uuids.sql @@ -0,0 +1,148 @@ +-- just a permanent playground to explore optimization of the central recursive CTE query for RBAC + +rollback transaction; +begin transaction; +SET TRANSACTION READ ONLY; +call defineContext('performance testing', null, 'superuser-alex@hostsharing.net', + 'hs_booking_project#D-1000000-hshdefaultproject:ADMIN'); +-- 'hs_booking_project#D-1000300-mihdefaultproject:ADMIN'); +select count(type) as counter, type from hs_hosting_asset_rv + group by type + order by counter desc; +commit transaction; + + + + +rollback transaction; +begin transaction; +SET TRANSACTION READ ONLY; +call defineContext('performance testing', null, 'superuser-alex@hostsharing.net', + 'hs_booking_project#D-1000000-hshdefaultproject:ADMIN'); +-- 'hs_booking_project#D-1000300-mihdefaultproject:ADMIN'); + +with accessible_hs_hosting_asset_uuids as + (with recursive + recursive_grants as + (select distinct rbacgrants.descendantuuid, + rbacgrants.ascendantuuid, + 1 as level, + true + from rbacgrants + where rbacgrants.assumed + and (rbacgrants.ascendantuuid = any (currentsubjectsuuids())) + union all + select distinct g.descendantuuid, + g.ascendantuuid, + grants.level + 1 as level, + assertTrue(grants.level < 22, 'too many grant-levels: ' || grants.level) + from rbacgrants g + join recursive_grants grants on grants.descendantuuid = g.ascendantuuid + where g.assumed), + grant_count AS ( + SELECT COUNT(*) AS grant_count FROM recursive_grants + ), + count_check as (select assertTrue((select count(*) as grant_count from recursive_grants) < 300000, + 'too many grants for current subjects: ' || (select count(*) as grant_count from recursive_grants)) + as valid) + select distinct perm.objectuuid + from recursive_grants + join rbacpermission perm on recursive_grants.descendantuuid = perm.uuid + join rbacobject obj on obj.uuid = perm.objectuuid + join count_check cc on cc.valid + where obj.objecttable::text = 'hs_hosting_asset'::text) +select type, +-- count(*) as counter + target.uuid, +-- target.version, +-- target.bookingitemuuid, +-- target.type, +-- target.parentassetuuid, +-- target.assignedtoassetuuid, + target.identifier, + target.caption +-- target.config, +-- target.alarmcontactuuid + from hs_hosting_asset target + where (target.uuid in (select accessible_hs_hosting_asset_uuids.objectuuid + from accessible_hs_hosting_asset_uuids)) + and target.type in ('EMAIL_ADDRESS', 'CLOUD_SERVER', 'MANAGED_SERVER', 'MANAGED_WEBSPACE') +-- and target.type = 'EMAIL_ADDRESS' +-- order by target.identifier; +-- group by type +-- order by counter desc +; +commit transaction; + + + + +rollback transaction; +begin transaction; +SET TRANSACTION READ ONLY; +call defineContext('performance testing', null, 'superuser-alex@hostsharing.net', + 'hs_booking_project#D-1000000-hshdefaultproject:ADMIN'); +-- 'hs_booking_project#D-1000300-mihdefaultproject:ADMIN'); + +with one_path as (with recursive path as ( + -- Base case: Start with the row where ascending equals the starting UUID + select ascendantuuid, + descendantuuid, + array [ascendantuuid] as path_so_far + from rbacgrants + where ascendantuuid = any (currentsubjectsuuids()) + + union all + + -- Recursive case: Find the next step in the path + select c.ascendantuuid, + c.descendantuuid, + p.path_so_far || c.ascendantuuid + from rbacgrants c + inner join + path p on c.ascendantuuid = p.descendantuuid + where c.ascendantuuid != all (p.path_so_far) -- Prevent cycles + ) + -- Final selection: Output all paths that reach the target UUID + select distinct array_length(path_so_far, 1), + path_so_far || descendantuuid as full_path + from path + join rbacpermission perm on perm.uuid = path.descendantuuid + join hs_hosting_asset ha on ha.uuid = perm.objectuuid + -- JOIN rbacrole_ev re on re.uuid = any(path_so_far) + where ha.identifier = 'vm1068' + order by array_length(path_so_far, 1) + limit 1 + ) +select + ( + SELECT ARRAY_AGG(re.roleidname ORDER BY ord.idx) + FROM UNNEST(one_path.full_path) WITH ORDINALITY AS ord(uuid, idx) + JOIN rbacrole_ev re ON ord.uuid = re.uuid + ) AS name_array + from one_path; +commit transaction; + + + + +select * from +( + select uuid, roleidname as name from rbacrole_ev + union all + select uuid, p.optablename || ':' || p.objectuuid || ':' || p.op as name from rbacpermission p +) united + where uuid in ( + '4157915c-a09b-490c-9430-00005fcfbb4f', + '046f2da0-66d5-4e6a-af17-d41fba617b30', + '6239ca11-5224-401d-9780-1af7f5cbf35a', + '70004958-39c7-4d32-8ba6-d78145f3ad32', + '7065fbc1-c605-4da3-97dd-f40fe1b90b4c', + 'd551551b-b1dd-414a-a0ed-a07712f15e62', + 'f1f0fc3e-020a-48fe-b9c1-ac495cc21fdf', + '63ad71f3-214c-411e-8b0b-a859e54af770', + '561bbe75-b8f2-4e4b-86ac-02a72ab9a6e8', + '379e99b3-b53f-421d-a53e-2e81c464fbf2', + '5cb1ecb2-7962-47e0-b8bf-67974da45208' + ); + diff --git a/src/main/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProjectEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProjectEntity.java index c44d43f5..1d893ac0 100644 --- a/src/main/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProjectEntity.java +++ b/src/main/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProjectEntity.java @@ -94,7 +94,7 @@ public class HsBookingProjectEntity implements Stringifyable, BaseEntity { - with.incomingSuperRole("debitorRel", AGENT); + with.incomingSuperRole("debitorRel", AGENT).unassumed(); }) .createSubRole(ADMIN, (with) -> { with.permission(UPDATE); diff --git a/src/main/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetEntity.java b/src/main/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetEntity.java index 46b315ff..0b28197c 100644 --- a/src/main/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetEntity.java +++ b/src/main/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetEntity.java @@ -192,6 +192,9 @@ public class HsHostingAssetEntity implements HsHostingAsset { with.outgoingSubRole("bookingItem", TENANT); with.outgoingSubRole("parentAsset", TENANT); with.incomingSuperRole("alarmContact", ADMIN); + }) + .createSubRole(REFERRER, (with) -> { + with.incomingSuperRole("assignedToAsset", AGENT); with.permission(SELECT); }) diff --git a/src/main/resources/db/changelog/0-basis/008-raise-functions.sql b/src/main/resources/db/changelog/0-basis/008-raise-functions.sql index 15b34d7d..ad298dc9 100644 --- a/src/main/resources/db/changelog/0-basis/008-raise-functions.sql +++ b/src/main/resources/db/changelog/0-basis/008-raise-functions.sql @@ -1,11 +1,10 @@ --liquibase formatted sql -- ============================================================================ --- RAISE-FUNCTIONS --changeset RAISE-FUNCTIONS:1 endDelimiter:--// -- ---------------------------------------------------------------------------- /* - Like RAISE EXCEPTION ... just as an expression instead of a statement. + Like `RAISE EXCEPTION` ... just as an expression instead of a statement. */ create or replace function raiseException(msg text) returns varchar @@ -14,3 +13,19 @@ begin raise exception using message = msg; end; $$; --// + + +-- ============================================================================ +--changeset ASSERT-FUNCTIONS:1 endDelimiter:--// +-- ---------------------------------------------------------------------------- +/* + Like `ASSERT` but as an expression instead of a statement. + */ +create or replace function assertTrue(expectedTrue boolean, msg text) + returns boolean + language plpgsql as $$ +begin + assert expectedTrue, msg; + return expectedTrue; +end; $$; +--// diff --git a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql index 59223d9d..44281bed 100644 --- a/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql +++ b/src/main/resources/db/changelog/1-rbac/1058-rbac-generators.sql @@ -177,26 +177,35 @@ begin sql := format($sql$ create or replace view %1$s_rv as with accessible_%1$s_uuids as ( - - -- TODO.perf: this CTE query makes RBAC-SELECT-permission-queries so slow (~500ms), any idea how to optimize? - -- My guess is, that the depth of role-grants causes the problem. - with recursive grants as ( - select descendantUuid, ascendantUuid, 1 as level - from RbacGrants - where assumed - and ascendantUuid = any (currentSubjectsuUids()) - union all - select g.descendantUuid, g.ascendantUuid, level + 1 as level - from RbacGrants g - inner join grants on grants.descendantUuid = g.ascendantUuid - where g.assumed and level<10 - ) - select distinct perm.objectUuid as objectUuid - from grants - join RbacPermission perm on grants.descendantUuid = perm.uuid - join RbacObject obj on obj.uuid = perm.objectUuid - where obj.objectTable = '%1$s' -- 'SELECT' permission is included in all other permissions - limit 8001 + with recursive + recursive_grants as + (select distinct rbacgrants.descendantuuid, + rbacgrants.ascendantuuid, + 1 as level, + true + from rbacgrants + where rbacgrants.assumed + and (rbacgrants.ascendantuuid = any (currentsubjectsuuids())) + union all + select distinct g.descendantuuid, + g.ascendantuuid, + grants.level + 1 as level, + assertTrue(grants.level < 22, 'too many grant-levels: ' || grants.level) + from rbacgrants g + join recursive_grants grants on grants.descendantuuid = g.ascendantuuid + where g.assumed), + grant_count AS ( + SELECT COUNT(*) AS grant_count FROM recursive_grants + ), + count_check as (select assertTrue((select count(*) as grant_count from recursive_grants) < 400000, + 'too many grants for current subjects: ' || (select count(*) as grant_count from recursive_grants)) + as valid) + select distinct perm.objectuuid + from recursive_grants + join rbacpermission perm on recursive_grants.descendantuuid = perm.uuid + join rbacobject obj on obj.uuid = perm.objectuuid + join count_check cc on cc.valid + where obj.objectTable = '%1$s' -- 'SELECT' permission is included in all other permissions ) select target.* from %1$s as target diff --git a/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.md b/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.md index 270908a8..7fb81cd7 100644 --- a/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.md +++ b/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.md @@ -48,7 +48,7 @@ role:global:ADMIN -.-> role:debitorRel:OWNER role:debitorRel:OWNER -.-> role:debitorRel:ADMIN role:debitorRel:ADMIN -.-> role:debitorRel:AGENT role:debitorRel:AGENT -.-> role:debitorRel:TENANT -role:debitorRel:AGENT ==> role:project:OWNER +role:debitorRel:AGENT ==>|XX| role:project:OWNER role:project:OWNER ==> role:project:ADMIN role:project:ADMIN ==> role:project:AGENT role:project:AGENT ==> role:project:TENANT diff --git a/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql b/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql index e0e0a9b7..c6f3544d 100644 --- a/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql +++ b/src/main/resources/db/changelog/6-hs-booking/620-booking-project/6203-hs-booking-project-rbac.sql @@ -49,7 +49,7 @@ begin perform createRoleWithGrants( hsBookingProjectOWNER(NEW), - incomingSuperRoles => array[hsOfficeRelationAGENT(newDebitorRel)] + incomingSuperRoles => array[hsOfficeRelationAGENT(newDebitorRel, unassumed())] ); perform createRoleWithGrants( diff --git a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.md b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.md index 019bb0a2..926ff65d 100644 --- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.md +++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.md @@ -30,6 +30,7 @@ subgraph asset["`**asset**`"] role:asset:ADMIN[[asset:ADMIN]] role:asset:AGENT[[asset:AGENT]] role:asset:TENANT[[asset:TENANT]] + role:asset:REFERRER[[asset:REFERRER]] end subgraph asset:permissions[ ] @@ -50,6 +51,7 @@ subgraph assignedToAsset["`**assignedToAsset**`"] style assignedToAsset:roles fill:#99bcdb,stroke:white role:assignedToAsset:TENANT[[assignedToAsset:TENANT]] + role:assignedToAsset:AGENT[[assignedToAsset:AGENT]] end end @@ -103,6 +105,8 @@ role:asset:AGENT ==> role:asset:TENANT role:asset:TENANT ==> role:bookingItem:TENANT role:asset:TENANT ==> role:parentAsset:TENANT role:alarmContact:ADMIN ==> role:asset:TENANT +role:asset:TENANT ==> role:asset:REFERRER +role:assignedToAsset:AGENT ==> role:asset:REFERRER %% granting permissions to roles role:global:ADMIN ==> perm:asset:INSERT @@ -110,6 +114,6 @@ role:parentAsset:ADMIN ==> perm:asset:INSERT role:global:GUEST ==> perm:asset:INSERT role:asset:OWNER ==> perm:asset:DELETE role:asset:ADMIN ==> perm:asset:UPDATE -role:asset:TENANT ==> perm:asset:SELECT +role:asset:REFERRER ==> perm:asset:SELECT ``` diff --git a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql index 91afe2b6..987b3cc3 100644 --- a/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql +++ b/src/main/resources/db/changelog/7-hs-hosting/701-hosting-asset/7013-hs-hosting-asset-rbac.sql @@ -75,7 +75,6 @@ begin perform createRoleWithGrants( hsHostingAssetTENANT(NEW), - permissions => array['SELECT'], incomingSuperRoles => array[ hsHostingAssetAGENT(NEW), hsOfficeContactADMIN(newAlarmContact)], @@ -84,6 +83,14 @@ begin hsHostingAssetTENANT(newParentAsset)] ); + perform createRoleWithGrants( + hsHostingAssetREFERRER(NEW), + permissions => array['SELECT'], + incomingSuperRoles => array[ + hsHostingAssetAGENT(newAssignedToAsset), + hsHostingAssetTENANT(NEW)] + ); + IF NEW.type = 'DOMAIN_SETUP' THEN END IF; diff --git a/src/test/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemControllerAcceptanceTest.java index 71753976..b28e3e4e 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemControllerAcceptanceTest.java +++ b/src/test/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemControllerAcceptanceTest.java @@ -287,7 +287,7 @@ class HsBookingItemControllerAcceptanceTest extends ContextBasedTestWithCleanup class PatchBookingItem { @Test - void globalAdmin_canPatchAllUpdatablePropertiesOfBookingItem() { + void projectAgent_canPatchAllUpdatablePropertiesOfBookingItem() { final var givenBookingItem = givenSomeNewBookingItem("D-1000111 default project", MANAGED_WEBSPACE, resource("HDD", 100), resource("SSD", 50), resource("Traffic", 250)); @@ -295,6 +295,7 @@ class HsBookingItemControllerAcceptanceTest extends ContextBasedTestWithCleanup RestAssured // @formatter:off .given() .header("current-user", "superuser-alex@hostsharing.net") + .header("assumed-roles", "hs_booking_project#D-1000111-D-1000111defaultproject:AGENT") .contentType(ContentType.JSON) .body(""" { diff --git a/src/test/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemRepositoryIntegrationTest.java index d0d58cfc..a1b61159 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemRepositoryIntegrationTest.java +++ b/src/test/java/net/hostsharing/hsadminng/hs/booking/item/HsBookingItemRepositoryIntegrationTest.java @@ -182,7 +182,9 @@ class HsBookingItemRepositoryIntegrationTest extends ContextBasedTestWithCleanup public void normalUser_canViewOnlyRelatedBookingItems() { // given: context("person-FirbySusan@example.com"); - final var projectUuid = debitorRepo.findDebitorByDebitorNumber(1000111).stream() + final var debitor = debitorRepo.findDebitorByDebitorNumber(1000111); + context("person-FirbySusan@example.com", "hs_booking_project#D-1000111-D-1000111defaultproject:OWNER"); + final var projectUuid = debitor.stream() .map(d -> projectRepo.findAllByDebitorUuid(d.getUuid())) .flatMap(List::stream) .findAny().orElseThrow().getUuid(); @@ -209,7 +211,7 @@ class HsBookingItemRepositoryIntegrationTest extends ContextBasedTestWithCleanup // when final var result = jpaAttempt.transacted(() -> { - context("superuser-alex@hostsharing.net"); + context("superuser-alex@hostsharing.net", "hs_booking_project#D-1000111-D-1000111defaultproject:AGENT"); final var foundBookingItem = em.find(HsBookingItemEntity.class, givenBookingItemUuid); foundBookingItem.getResources().put("CPU", 2); foundBookingItem.getResources().remove("SSD-storage"); @@ -262,12 +264,12 @@ class HsBookingItemRepositoryIntegrationTest extends ContextBasedTestWithCleanup @Test public void nonGlobalAdmin_canNotDeleteTheirRelatedBookingItem() { // given - context("superuser-alex@hostsharing.net", null); + context("superuser-alex@hostsharing.net", "hs_booking_project#D-1000111-D-1000111defaultproject:AGENT"); final var givenBookingItem = givenSomeTemporaryBookingItem("D-1000111 default project"); // when final var result = jpaAttempt.transacted(() -> { - context("person-FirbySusan@example.com"); + context("person-FirbySusan@example.com", "hs_booking_project#D-1000111-D-1000111defaultproject:AGENT"); assertThat(bookingItemRepo.findByUuid(givenBookingItem.getUuid())).isPresent(); bookingItemRepo.deleteByUuid(givenBookingItem.getUuid()); @@ -286,7 +288,7 @@ class HsBookingItemRepositoryIntegrationTest extends ContextBasedTestWithCleanup @Test public void deletingABookingItemAlsoDeletesRelatedRolesAndGrants() { // given - context("superuser-alex@hostsharing.net"); + context("superuser-alex@hostsharing.net", "hs_booking_project#D-1000111-D-1000111defaultproject:AGENT"); final var initialRoleNames = Array.from(distinctRoleNamesOf(rawRoleRepo.findAll())); final var initialGrantNames = Array.from(distinctGrantDisplaysOf(rawGrantRepo.findAll())); final var givenBookingItem = givenSomeTemporaryBookingItem("D-1000111 default project"); diff --git a/src/test/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProjectControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProjectControllerAcceptanceTest.java index 9a4c2391..94194b1f 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProjectControllerAcceptanceTest.java +++ b/src/test/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProjectControllerAcceptanceTest.java @@ -163,7 +163,7 @@ class HsBookingProjectControllerAcceptanceTest extends ContextBasedTestWithClean } @Test - void debitorAgentUser_canGetRelatedBookingProject() { + void projectAgentUser_canGetRelatedBookingProject() { context.define("superuser-alex@hostsharing.net"); final var givenBookingProjectUuid = bookingProjectRepo.findByCaption("D-1000313 default project").stream() .findAny().orElseThrow().getUuid(); @@ -171,6 +171,7 @@ class HsBookingProjectControllerAcceptanceTest extends ContextBasedTestWithClean RestAssured // @formatter:off .given() .header("current-user", "person-TuckerJack@example.com") + .header("assumed-roles", "hs_booking_project#D-1000313-D-1000313defaultproject:AGENT") .port(port) .when() .get("http://localhost/api/hs/booking/projects/" + givenBookingProjectUuid) diff --git a/src/test/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProjectRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProjectRepositoryIntegrationTest.java index e73bf942..8e3b7168 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProjectRepositoryIntegrationTest.java +++ b/src/test/java/net/hostsharing/hsadminng/hs/booking/project/HsBookingProjectRepositoryIntegrationTest.java @@ -125,7 +125,7 @@ class HsBookingProjectRepositoryIntegrationTest extends ContextBasedTestWithClea "{ grant perm:hs_booking_project#D-1000111-somenewbookingproject:INSERT>hs_booking_item to role:hs_booking_project#D-1000111-somenewbookingproject:ADMIN by system and assume }", // agent - "{ grant role:hs_booking_project#D-1000111-somenewbookingproject:OWNER to role:relation#FirstGmbH-with-DEBITOR-FirstGmbH:AGENT by system and assume }", + "{ grant role:hs_booking_project#D-1000111-somenewbookingproject:OWNER to role:relation#FirstGmbH-with-DEBITOR-FirstGmbH:AGENT by system }", "{ grant role:hs_booking_project#D-1000111-somenewbookingproject:TENANT to role:hs_booking_project#D-1000111-somenewbookingproject:AGENT by system and assume }", // tenant @@ -161,9 +161,10 @@ class HsBookingProjectRepositoryIntegrationTest extends ContextBasedTestWithClea } @Test - public void normalUser_canViewOnlyRelatedBookingProjects() { + public void packetAgent_canViewOnlyRelatedBookingProjects() { + // given: - context("person-FirbySusan@example.com"); + context("person-FirbySusan@example.com", "hs_booking_project#D-1000111-D-1000111defaultproject:AGENT"); final var debitorUuid = debitorRepo.findByDebitorNumber(1000111).stream() .findAny().orElseThrow().getUuid(); @@ -233,12 +234,11 @@ class HsBookingProjectRepositoryIntegrationTest extends ContextBasedTestWithClea @Test public void nonGlobalAdmin_canNotDeleteTheirRelatedBookingProject() { // given - context("superuser-alex@hostsharing.net", null); final var givenBookingProject = givenSomeTemporaryBookingProject(1000111); // when final var result = jpaAttempt.transacted(() -> { - context("person-FirbySusan@example.com"); + context("person-FirbySusan@example.com", "hs_booking_project#D-1000111-sometempproject:AGENT"); assertThat(bookingProjectRepo.findByUuid(givenBookingProject.getUuid())).isPresent(); bookingProjectRepo.deleteByUuid(givenBookingProject.getUuid()); diff --git a/src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetControllerAcceptanceTest.java index 476b6bb0..d84c0815 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetControllerAcceptanceTest.java +++ b/src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetControllerAcceptanceTest.java @@ -413,7 +413,7 @@ class HsHostingAssetControllerAcceptanceTest extends ContextBasedTestWithCleanup } @Test - void debitorAgentUser_canGetRelatedAsset() { + void projectAgentUser_canGetRelatedAsset() { context.define("superuser-alex@hostsharing.net"); final var givenAssetUuid = assetRepo.findByIdentifier("vm1013").stream() .filter(bi -> bi.getBookingItem().getProject().getCaption().equals("D-1000313 default project")) @@ -422,6 +422,7 @@ class HsHostingAssetControllerAcceptanceTest extends ContextBasedTestWithCleanup RestAssured // @formatter:off .given() .header("current-user", "person-TuckerJack@example.com") + .header("assumed-roles", "hs_booking_project#D-1000313-D-1000313defaultproject:AGENT") .port(port) .when() .get("http://localhost/api/hs/hosting/assets/" + givenAssetUuid) diff --git a/src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetRepositoryIntegrationTest.java index ae733e54..e5695746 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetRepositoryIntegrationTest.java +++ b/src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetRepositoryIntegrationTest.java @@ -98,7 +98,7 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu @Test public void createsAndGrantsRoles() { // given - context("superuser-alex@hostsharing.net"); + context("superuser-alex@hostsharing.net", "hs_booking_project#D-1000111-D-1000111defaultproject:AGENT"); final var givenManagedServer = givenHostingAsset("D-1000111 default project", MANAGED_SERVER); final var newWebspaceBookingItem = newBookingItem(givenManagedServer.getBookingItem(), HsBookingItemType.MANAGED_WEBSPACE, "fir01"); em.flush(); @@ -125,7 +125,8 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu "hs_hosting_asset#fir00:ADMIN", "hs_hosting_asset#fir00:AGENT", "hs_hosting_asset#fir00:OWNER", - "hs_hosting_asset#fir00:TENANT")); + "hs_hosting_asset#fir00:TENANT", + "hs_hosting_asset#fir00:REFERRER")); assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())) .containsExactlyInAnyOrder(fromFormatted( initialGrantNames, @@ -152,7 +153,10 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu "{ grant role:hs_booking_item#fir01:TENANT to role:hs_hosting_asset#fir00:TENANT by system and assume }", "{ grant role:hs_hosting_asset#fir00:TENANT to role:hs_hosting_asset#fir00:AGENT by system and assume }", "{ grant role:hs_hosting_asset#vm1011:TENANT to role:hs_hosting_asset#fir00:TENANT by system and assume }", - "{ grant perm:hs_hosting_asset#fir00:SELECT to role:hs_hosting_asset#fir00:TENANT by system and assume }", // workaround + + // referrer + "{ grant perm:hs_hosting_asset#fir00:SELECT to role:hs_hosting_asset#fir00:REFERRER by system and assume }", + "{ grant role:hs_hosting_asset#fir00:REFERRER to role:hs_hosting_asset#fir00:TENANT by system and assume }", null)); } @@ -216,7 +220,7 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu @Test public void normalUser_canViewOnlyRelatedAsset() { // given: - context("person-FirbySusan@example.com"); + context("person-FirbySusan@example.com", "hs_booking_project#D-1000111-D-1000111defaultproject:AGENT"); final var projectUuid = projectRepo.findByCaption("D-1000111 default project").stream() .findAny().orElseThrow().getUuid(); @@ -310,12 +314,12 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu @Test public void relatedOwner_canDeleteTheirRelatedAsset() { // given - context("superuser-alex@hostsharing.net", null); + context("superuser-alex@hostsharing.net", "hs_booking_project#D-1000111-D-1000111defaultproject:AGENT"); final var givenAsset = givenSomeTemporaryAsset("D-1000111 default project", "vm1000"); // when final var result = jpaAttempt.transacted(() -> { - context("person-FirbySusan@example.com"); + context("person-FirbySusan@example.com", "hs_booking_project#D-1000111-D-1000111defaultproject:AGENT"); assertThat(assetRepo.findByUuid(givenAsset.getUuid())).isPresent(); assetRepo.deleteByUuid(givenAsset.getUuid()); diff --git a/src/test/java/net/hostsharing/hsadminng/hs/migration/ImportHostingAssets.java b/src/test/java/net/hostsharing/hsadminng/hs/migration/ImportHostingAssets.java index 041424f4..f69ef8d0 100644 --- a/src/test/java/net/hostsharing/hsadminng/hs/migration/ImportHostingAssets.java +++ b/src/test/java/net/hostsharing/hsadminng/hs/migration/ImportHostingAssets.java @@ -34,6 +34,7 @@ import org.springframework.test.annotation.DirtiesContext; import java.io.Reader; import java.net.IDN; import java.util.ArrayList; +import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Map; @@ -183,9 +184,9 @@ public class ImportHostingAssets extends ImportOfficeData { { 363=HsHostingAssetRealEntity(IPV4_NUMBER, 83.223.95.34), 381=HsHostingAssetRealEntity(IPV4_NUMBER, 83.223.95.52), + 401=HsHostingAssetRealEntity(IPV4_NUMBER, 83.223.95.72), 402=HsHostingAssetRealEntity(IPV4_NUMBER, 83.223.95.73), - 433=HsHostingAssetRealEntity(IPV4_NUMBER, 83.223.95.104), - 457=HsHostingAssetRealEntity(IPV4_NUMBER, 83.223.95.128) + 433=HsHostingAssetRealEntity(IPV4_NUMBER, 83.223.95.104) } """); } @@ -244,7 +245,7 @@ public class ImportHostingAssets extends ImportOfficeData { 10978=HsBookingItemEntity(D-1000000:hsh default project, MANAGED_SERVER, [2013-04-01,), BI vm1050), 11061=HsBookingItemEntity(D-1000300:mim default project, MANAGED_SERVER, [2013-08-19,), BI vm1068), 11094=HsBookingItemEntity(D-1000300:mim default project, MANAGED_WEBSPACE, [2013-09-10,), BI lug00), - 11112=HsBookingItemEntity(D-1000300:mim default project, MANAGED_WEBSPACE, [2013-09-17,), BI mim00), + 11111=HsBookingItemEntity(D-1000000:vm1068 Monitor, MANAGED_WEBSPACE, [2013-08-19,), BI xyz68), 23611=HsBookingItemEntity(D-1101800:wws default project, CLOUD_SERVER, [2022-08-10,), BI vm2097) } """); @@ -255,10 +256,10 @@ public class ImportHostingAssets extends ImportOfficeData { 10978=HsHostingAssetRealEntity(MANAGED_SERVER, vm1050, HA vm1050, D-1000000:hsh default project:BI vm1050), 11061=HsHostingAssetRealEntity(MANAGED_SERVER, vm1068, HA vm1068, D-1000300:mim default project:BI vm1068), 11094=HsHostingAssetRealEntity(MANAGED_WEBSPACE, lug00, HA lug00, MANAGED_SERVER:vm1068, D-1000300:mim default project:BI lug00), + 11111=HsHostingAssetRealEntity(MANAGED_WEBSPACE, xyz68, HA xyz68, MANAGED_SERVER:vm1068, D-1000000:vm1068 Monitor:BI xyz68), 11112=HsHostingAssetRealEntity(MANAGED_WEBSPACE, mim00, HA mim00, MANAGED_SERVER:vm1068, D-1000300:mim default project:BI mim00), 11447=HsHostingAssetRealEntity(MANAGED_SERVER, vm1093, HA vm1093, D-1000000:hsh default project:BI vm1093), - 19959=HsHostingAssetRealEntity(MANAGED_WEBSPACE, dph00, HA dph00, MANAGED_SERVER:vm1093, D-1101900:dph default project:BI dph00), - 23611=HsHostingAssetRealEntity(CLOUD_SERVER, vm2097, HA vm2097, D-1101800:wws default project:BI vm2097) + 19959=HsHostingAssetRealEntity(MANAGED_WEBSPACE, dph00, HA dph00, MANAGED_SERVER:vm1093, D-1101900:dph default project:BI dph00) } """); } @@ -287,8 +288,8 @@ public class ImportHostingAssets extends ImportOfficeData { 10978=HsHostingAssetRealEntity(MANAGED_SERVER, vm1050, HA vm1050, D-1000000:hsh default project:BI vm1050), 11061=HsHostingAssetRealEntity(MANAGED_SERVER, vm1068, HA vm1068, D-1000300:mim default project:BI vm1068), 11094=HsHostingAssetRealEntity(MANAGED_WEBSPACE, lug00, HA lug00, MANAGED_SERVER:vm1068, D-1000300:mim default project:BI lug00), - 11112=HsHostingAssetRealEntity(MANAGED_WEBSPACE, mim00, HA mim00, MANAGED_SERVER:vm1068, D-1000300:mim default project:BI mim00), - 11447=HsHostingAssetRealEntity(MANAGED_SERVER, vm1093, HA vm1093, D-1000000:hsh default project:BI vm1093) + 11111=HsHostingAssetRealEntity(MANAGED_WEBSPACE, xyz68, HA xyz68, MANAGED_SERVER:vm1068, D-1000000:vm1068 Monitor:BI xyz68), + 11112=HsHostingAssetRealEntity(MANAGED_WEBSPACE, mim00, HA mim00, MANAGED_SERVER:vm1068, D-1000300:mim default project:BI mim00) } """); assertThat(firstOfEachType( @@ -303,6 +304,7 @@ public class ImportHostingAssets extends ImportOfficeData { 10978=HsBookingItemEntity(D-1000000:hsh default project, MANAGED_SERVER, [2013-04-01,), BI vm1050, {"CPU": 4, "HDD": 250, "RAM": 32, "SLA-EMail": true, "SLA-Maria": true, "SLA-Office": true, "SLA-PgSQL": true, "SLA-Platform": "EXT4H", "SLA-Web": true, "SSD": 150, "Traffic": 250}), 11061=HsBookingItemEntity(D-1000300:mim default project, MANAGED_SERVER, [2013-08-19,), BI vm1068, {"CPU": 2, "HDD": 250, "RAM": 4, "SLA-EMail": true, "SLA-Maria": true, "SLA-Office": true, "SLA-PgSQL": true, "SLA-Platform": "EXT2H", "SLA-Web": true, "Traffic": 250}), 11094=HsBookingItemEntity(D-1000300:mim default project, MANAGED_WEBSPACE, [2013-09-10,), BI lug00, {"Multi": 5, "SLA-Platform": "EXT24H", "SSD": 1, "Traffic": 10}), + 11111=HsBookingItemEntity(D-1000000:vm1068 Monitor, MANAGED_WEBSPACE, [2013-08-19,), BI xyz68, {"SSD": 3}), 11112=HsBookingItemEntity(D-1000300:mim default project, MANAGED_WEBSPACE, [2013-09-17,), BI mim00, {"Multi": 5, "SLA-Platform": "EXT24H", "SSD": 3, "Traffic": 20}), 11447=HsBookingItemEntity(D-1000000:hsh default project, MANAGED_SERVER, [2014-11-28,), BI vm1093, {"CPU": 6, "HDD": 500, "RAM": 16, "SLA-EMail": true, "SLA-Maria": true, "SLA-Office": true, "SLA-PgSQL": true, "SLA-Platform": "EXT4H", "SLA-Web": true, "SSD": 300, "Traffic": 250}), 19959=HsBookingItemEntity(D-1101900:dph default project, MANAGED_WEBSPACE, [2021-06-02,), BI dph00, {"Multi": 1, "SLA-Platform": "EXT24H", "SSD": 25, "Traffic": 20}), @@ -335,6 +337,7 @@ public class ImportHostingAssets extends ImportOfficeData { 5811=HsHostingAssetRealEntity(UNIX_USER, lug00-ola.a, LUG OLA - POP a, MANAGED_WEBSPACE:lug00, {"SSD hard quota": 0, "SSD soft quota": 0, "locked": false, "shell": "/usr/bin/passwd", "userid": 102094}), 5813=HsHostingAssetRealEntity(UNIX_USER, lug00-ola.b, LUG OLA - POP b, MANAGED_WEBSPACE:lug00, {"SSD hard quota": 0, "SSD soft quota": 0, "locked": false, "shell": "/usr/bin/passwd", "userid": 102095}), 5835=HsHostingAssetRealEntity(UNIX_USER, lug00-test, Test, MANAGED_WEBSPACE:lug00, {"SSD hard quota": 1024, "SSD soft quota": 1024, "locked": false, "shell": "/usr/bin/passwd", "userid": 102106}), + 5961=HsHostingAssetRealEntity(UNIX_USER, xyz68, Monitoring h68, MANAGED_WEBSPACE:xyz68, {"SSD hard quota": 0, "SSD soft quota": 0, "locked": false, "shell": "/bin/bash", "userid": 102141}), 5964=HsHostingAssetRealEntity(UNIX_USER, mim00, Michael Mellis, MANAGED_WEBSPACE:mim00, {"SSD hard quota": 0, "SSD soft quota": 0, "locked": false, "shell": "/bin/bash", "userid": 102147}), 5966=HsHostingAssetRealEntity(UNIX_USER, mim00-1981, Jahrgangstreffen 1981, MANAGED_WEBSPACE:mim00, {"SSD hard quota": 256, "SSD soft quota": 128, "locked": false, "shell": "/bin/bash", "userid": 102148}), 5990=HsHostingAssetRealEntity(UNIX_USER, mim00-mail, Mailbox, MANAGED_WEBSPACE:mim00, {"SSD hard quota": 0, "SSD soft quota": 0, "locked": false, "shell": "/bin/bash", "userid": 102160}), @@ -880,6 +883,7 @@ public class ImportHostingAssets extends ImportOfficeData { 5811=HsHostingAssetRealEntity(UNIX_USER, lug00-ola.a, LUG OLA - POP a, MANAGED_WEBSPACE:lug00, {"SSD hard quota": 0, "SSD soft quota": 0, "locked": false, "password": null, "shell": "/usr/bin/passwd", "userid": 102094}), 5813=HsHostingAssetRealEntity(UNIX_USER, lug00-ola.b, LUG OLA - POP b, MANAGED_WEBSPACE:lug00, {"SSD hard quota": 0, "SSD soft quota": 0, "locked": false, "password": null, "shell": "/usr/bin/passwd", "userid": 102095}), 5835=HsHostingAssetRealEntity(UNIX_USER, lug00-test, Test, MANAGED_WEBSPACE:lug00, {"SSD hard quota": 1024, "SSD soft quota": 1024, "locked": false, "password": null, "shell": "/usr/bin/passwd", "userid": 102106}), + 5961=HsHostingAssetRealEntity(UNIX_USER, xyz68, Monitoring h68, MANAGED_WEBSPACE:xyz68, {"SSD hard quota": 0, "SSD soft quota": 0, "locked": false, "password": null, "shell": "/bin/bash", "userid": 102141}), 5964=HsHostingAssetRealEntity(UNIX_USER, mim00, Michael Mellis, MANAGED_WEBSPACE:mim00, {"SSD hard quota": 0, "SSD soft quota": 0, "locked": false, "password": null, "shell": "/bin/bash", "userid": 102147}), 5966=HsHostingAssetRealEntity(UNIX_USER, mim00-1981, Jahrgangstreffen 1981, MANAGED_WEBSPACE:mim00, {"SSD hard quota": 256, "SSD soft quota": 128, "locked": false, "password": null, "shell": "/bin/bash", "userid": 102148}), 5990=HsHostingAssetRealEntity(UNIX_USER, mim00-mail, Mailbox, MANAGED_WEBSPACE:mim00, {"SSD hard quota": 0, "SSD soft quota": 0, "locked": false, "password": null, "shell": "/bin/bash", "userid": 102160}), @@ -909,8 +913,8 @@ public class ImportHostingAssets extends ImportOfficeData { verifyActuallyPersistedHostingAssetCount(CLOUD_SERVER, 1, 50); verifyActuallyPersistedHostingAssetCount(MANAGED_SERVER, 4, 100); - verifyActuallyPersistedHostingAssetCount(MANAGED_WEBSPACE, 4, 100); - verifyActuallyPersistedHostingAssetCount(UNIX_USER, 14, 100); + verifyActuallyPersistedHostingAssetCount(MANAGED_WEBSPACE, 5, 100); + verifyActuallyPersistedHostingAssetCount(UNIX_USER, 15, 100); verifyActuallyPersistedHostingAssetCount(EMAIL_ALIAS, 9, 1400); verifyActuallyPersistedHostingAssetCount(PGSQL_DATABASE, 8, 100); verifyActuallyPersistedHostingAssetCount(MARIADB_DATABASE, 8, 100); @@ -918,6 +922,25 @@ public class ImportHostingAssets extends ImportOfficeData { verifyActuallyPersistedHostingAssetCount(EMAIL_ADDRESS, 71, 30000); } + @Test + @Order(19930) + void verifyProjectAgentsCanViewEmailAddresses() { + assumeThatWeAreImportingControlledTestData(); + + final var haCount = jpaAttempt.transacted(() -> { + context(rbacSuperuser); + // final var roles = em.createNativeQuery("select * from rbacrole_ev where roleidname like 'hs_office_relation%with-DEBITOR%'").getResultList(); + final var roles = em.createNativeQuery("select * from rbacrole_ev where roleidname like 'hs_booking_project#D-10003%'").getResultList(); + //context(rbacSuperuser, "hs_booking_project#D-1000300-mimdefaultproject:ADMIN"); + context(rbacSuperuser, "hs_booking_project#D-1000300-mimdefaultproject:AGENT"); + final var result = em.createNativeQuery("select * from hs_hosting_asset where type='EMAIL_ADDRESS'") + .getResultList(); + return (Integer) em.createNativeQuery("select count(*) from hs_hosting_asset where type='EMAIL_ADDRESS'", Integer.class) + .getSingleResult(); + }).assertSuccessful().returnedValue(); + assertThat(haCount).isEqualTo(71); + } + // ============================================================================================ @Test @@ -1095,7 +1118,20 @@ public class ImportHostingAssets extends ImportOfficeData { final var managedWebspace = pac(packet_id); final var parentAsset = hive(hive_id).serverRef.get(); managedWebspace.setParentAsset(parentAsset); - managedWebspace.getBookingItem().setParentItem(parentAsset.getBookingItem()); + + if (parentAsset.getRelatedProject() != managedWebspace.getRelatedProject() + && managedWebspace.getRelatedProject().getDebitor().getDebitorNumber() == 10000_00 ) { + assertThat(managedWebspace.getIdentifier()).startsWith("xyz"); + final var hshDebitor = managedWebspace.getBookingItem().getProject().getDebitor(); + final var newProject = HsBookingProjectEntity.builder() + .debitor(hshDebitor) + .caption(parentAsset.getIdentifier() + " Monitor") + .build(); + bookingProjects.put(Collections.max(bookingProjects.keySet())+1, newProject); + managedWebspace.getBookingItem().setProject(newProject); + } else { + managedWebspace.getBookingItem().setParentItem(parentAsset.getBookingItem()); + } } }); } diff --git a/src/test/resources/migration/hosting/inet_addr.csv b/src/test/resources/migration/hosting/inet_addr.csv index 15bab1fb..bee797c4 100644 --- a/src/test/resources/migration/hosting/inet_addr.csv +++ b/src/test/resources/migration/hosting/inet_addr.csv @@ -1,6 +1,7 @@ inet_addr_id;inet_addr;description 363;83.223.95.34; 381;83.223.95.52; +401;83.223.95.72; 402;83.223.95.73; 433;83.223.95.104; 457;83.223.95.128; diff --git a/src/test/resources/migration/hosting/packet.csv b/src/test/resources/migration/hosting/packet.csv index 63637444..6e27b41b 100644 --- a/src/test/resources/migration/hosting/packet.csv +++ b/src/test/resources/migration/hosting/packet.csv @@ -4,6 +4,7 @@ packet_id;basepacket_code;packet_name;bp_id;hive_id;created;cancelled;cur_inet_a 10978;SRV/MGD;vm1050;213;1014;2013-04-01;;433;;1 11061;SRV/MGD;vm1068;100;1037;2013-08-19;;381;;f 11094;PAC/WEB;lug00;100;1037;2013-09-10;;1168;;1 +11111;PAC/WEB;xyz68;213;1037;2013-08-19;;401;;1 11112;PAC/WEB;mim00;100;1037;2013-09-17;;402;;1 11447;SRV/MGD;vm1093;213;1163;2014-11-28;;457;;t 19959;PAC/WEB;dph00;542;1163;2021-06-02;;574;;0 diff --git a/src/test/resources/migration/hosting/packet_component.csv b/src/test/resources/migration/hosting/packet_component.csv index ce35034f..5dee11ad 100644 --- a/src/test/resources/migration/hosting/packet_component.csv +++ b/src/test/resources/migration/hosting/packet_component.csv @@ -7,6 +7,7 @@ packet_component_id;packet_id;quantity;basecomponent_code;created;cancelled 46121;11112;20;TRAFFIC;2017-03-27; 46122;11112;5;MULTI;2017-03-27; 46123;11112;3072;QUOTA;2017-03-27; +46124;11111;3072;QUOTA;2017-03-27; 143133;11094;1;SLABASIC;2017-09-01; 143483;11112;1;SLABASIC;2017-09-01; 757383;11112;0;SLAEXT24H;; diff --git a/src/test/resources/migration/hosting/unixuser.csv b/src/test/resources/migration/hosting/unixuser.csv index cd044e0a..739899d2 100644 --- a/src/test/resources/migration/hosting/unixuser.csv +++ b/src/test/resources/migration/hosting/unixuser.csv @@ -9,6 +9,7 @@ unixuser_id;name;comment;shell;homedir;locked;packet_id;userid;quota_softlimit;q 5835;lug00-test;Test;/usr/bin/passwd;/home/pacs/lug00/users/test;0;11094;102106;2000000;4000000;20;0 6705;hsh00-mim;Michael Mellis;/bin/false;/home/pacs/hsh00/users/mi;0;10630;10003;0;0;0;0 +5961;xyz68;Monitoring h68;/bin/bash;/home/pacs/xyz68;0;11111;102141;0;0;0;0 5964;mim00;Michael Mellis;/bin/bash;/home/pacs/mim00;0;11112;102147;0;0;0;0 5966;mim00-1981;Jahrgangstreffen 1981;/bin/bash;/home/pacs/mim00/users/1981;0;11112;102148;128;256;0;0 5990;mim00-mail;Mailbox;/bin/bash;/home/pacs/mim00/users/mail;0;11112;102160;0;0;0;0