From e8dd5b7935381132fbd1ca35327f8ce597e97f29 Mon Sep 17 00:00:00 2001 From: Michael Hoennig Date: Sat, 23 Mar 2024 14:09:40 +0100 Subject: [PATCH] remove generated timestamp and explicitly grant INSERT for customer --- .../RbacViewMermaidFlowchartGenerator.java | 3 +- .../rbacdef/RbacViewPostgresGenerator.java | 3 +- .../test/cust/TestCustomerEntity.java | 3 +- .../db/changelog/113-test-customer-rbac.md | 4 +- .../db/changelog/113-test-customer-rbac.sql | 42 ++++++++++++++++++- .../db/changelog/123-test-package-rbac.md | 2 +- .../db/changelog/123-test-package-rbac.sql | 2 +- .../db/changelog/133-test-domain-rbac.md | 2 +- .../db/changelog/133-test-domain-rbac.sql | 2 +- .../test/cust/TestCustomerEntityUnitTest.java | 2 + 10 files changed, 53 insertions(+), 12 deletions(-) diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewMermaidFlowchartGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewMermaidFlowchartGenerator.java index ccef566d..898a0273 100644 --- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewMermaidFlowchartGenerator.java +++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewMermaidFlowchartGenerator.java @@ -149,14 +149,13 @@ public class RbacViewMermaidFlowchartGenerator { """ ### rbac %{entityAlias} - This code generated was by RbacViewMermaidFlowchartGenerator at %{timestamp}. + This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually. ```mermaid %{flowchart} ``` """ .replace("%{entityAlias}", rbacDef.getRootEntityAlias().aliasName()) - .replace("%{timestamp}", LocalDateTime.now().toString()) .replace("%{flowchart}", flowchart.toString()), StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING); System.out.println("Markdown-File: " + path.toAbsolutePath()); diff --git a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewPostgresGenerator.java b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewPostgresGenerator.java index 9850d942..dc56a286 100644 --- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewPostgresGenerator.java +++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacViewPostgresGenerator.java @@ -21,10 +21,9 @@ public class RbacViewPostgresGenerator { liqibaseTagPrefix = rbacDef.getRootEntityAlias().getRawTableName().replace("_", "-"); plPgSql.writeLn(""" --liquibase formatted sql - -- This code generated was by ${generator} at ${timestamp}. + -- This code generated was by ${generator}, do not amend manually. """, with("generator", getClass().getSimpleName()), - with("timestamp", LocalDateTime.now().toString()), with("ref", NEW.name())); new RbacObjectGenerator(rbacDef, liqibaseTagPrefix).generateTo(plPgSql); diff --git a/src/main/java/net/hostsharing/hsadminng/test/cust/TestCustomerEntity.java b/src/main/java/net/hostsharing/hsadminng/test/cust/TestCustomerEntity.java index 99b0fb3c..b4152fa9 100644 --- a/src/main/java/net/hostsharing/hsadminng/test/cust/TestCustomerEntity.java +++ b/src/main/java/net/hostsharing/hsadminng/test/cust/TestCustomerEntity.java @@ -41,8 +41,7 @@ public class TestCustomerEntity implements HasUuid { .withIdentityView(SQL.projection("prefix")) .withRestrictedViewOrderBy(SQL.expression("reference")) .withUpdatableColumns("reference", "prefix", "adminUserName") - // TODO: do we want explicit specification of parent-independent insert permissions? - // .toRole("global", ADMIN).grantPermission("customer", INSERT) + .toRole("global", ADMIN).grantPermission(INSERT) .createRole(OWNER, (with) -> { with.owningUser(CREATOR).unassumed(); diff --git a/src/main/resources/db/changelog/113-test-customer-rbac.md b/src/main/resources/db/changelog/113-test-customer-rbac.md index 438b6254..4d63eeac 100644 --- a/src/main/resources/db/changelog/113-test-customer-rbac.md +++ b/src/main/resources/db/changelog/113-test-customer-rbac.md @@ -1,6 +1,6 @@ ### rbac customer -This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-22T14:44:19.425403022. +This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually. ```mermaid %%{init:{'flowchart':{'htmlLabels':false}}}%% @@ -21,6 +21,7 @@ subgraph customer["`**customer**`"] subgraph customer:permissions[ ] style customer:permissions fill:#dd4901,stroke:white + perm:customer:INSERT{{customer:INSERT}} perm:customer:DELETE{{customer:DELETE}} perm:customer:UPDATE{{customer:UPDATE}} perm:customer:SELECT{{customer:SELECT}} @@ -36,6 +37,7 @@ role:customer:owner ==> role:customer:admin role:customer:admin ==> role:customer:tenant %% granting permissions to roles +role:global:admin ==> perm:customer:INSERT role:customer:owner ==> perm:customer:DELETE role:customer:admin ==> perm:customer:UPDATE role:customer:tenant ==> perm:customer:SELECT diff --git a/src/main/resources/db/changelog/113-test-customer-rbac.sql b/src/main/resources/db/changelog/113-test-customer-rbac.sql index dccb3a26..b98fc949 100644 --- a/src/main/resources/db/changelog/113-test-customer-rbac.sql +++ b/src/main/resources/db/changelog/113-test-customer-rbac.sql @@ -1,5 +1,5 @@ --liquibase formatted sql --- This code generated was by RbacViewPostgresGenerator at 2024-03-22T14:44:19.441879428. +-- This code generated was by RbacViewPostgresGenerator, do not amend manually. -- ============================================================================ @@ -80,6 +80,46 @@ execute procedure insertTriggerForTestCustomer_tf(); --changeset test-customer-rbac-INSERT:1 endDelimiter:--// -- ---------------------------------------------------------------------------- +/* + Creates INSERT INTO test_customer permissions for the related global rows. + */ +do language plpgsql $$ + declare + row global; + permissionUuid uuid; + roleUuid uuid; + begin + call defineContext('create INSERT INTO test_customer permissions for the related global rows'); + + FOR row IN SELECT * FROM global + LOOP + roleUuid := findRoleId(globalAdmin()); + permissionUuid := createPermission(row.uuid, 'INSERT', 'test_customer'); + call grantPermissionToRole(permissionUuid, roleUuid); + END LOOP; + END; +$$; + +/** + Adds test_customer INSERT permission to specified role of new global rows. +*/ +create or replace function test_customer_global_insert_tf() + returns trigger + language plpgsql + strict as $$ +begin + call grantPermissionToRole( + createPermission(NEW.uuid, 'INSERT', 'test_customer'), + globalAdmin()); + return NEW; +end; $$; + +-- z_... is to put it at the end of after insert triggers, to make sure the roles exist +create trigger z_test_customer_global_insert_tg + after insert on global + for each row +execute procedure test_customer_global_insert_tf(); + /** Checks if the user or assumed roles are allowed to insert a row to test_customer, where only global-admin has that permission. diff --git a/src/main/resources/db/changelog/123-test-package-rbac.md b/src/main/resources/db/changelog/123-test-package-rbac.md index 895d3269..34b8c7c7 100644 --- a/src/main/resources/db/changelog/123-test-package-rbac.md +++ b/src/main/resources/db/changelog/123-test-package-rbac.md @@ -1,6 +1,6 @@ ### rbac package -This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-22T14:44:19.484173294. +This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually. ```mermaid %%{init:{'flowchart':{'htmlLabels':false}}}%% diff --git a/src/main/resources/db/changelog/123-test-package-rbac.sql b/src/main/resources/db/changelog/123-test-package-rbac.sql index fd375e2d..912430bb 100644 --- a/src/main/resources/db/changelog/123-test-package-rbac.sql +++ b/src/main/resources/db/changelog/123-test-package-rbac.sql @@ -1,5 +1,5 @@ --liquibase formatted sql --- This code generated was by RbacViewPostgresGenerator at 2024-03-22T14:44:19.484728385. +-- This code generated was by RbacViewPostgresGenerator, do not amend manually. -- ============================================================================ diff --git a/src/main/resources/db/changelog/133-test-domain-rbac.md b/src/main/resources/db/changelog/133-test-domain-rbac.md index 4f507312..6954e9b8 100644 --- a/src/main/resources/db/changelog/133-test-domain-rbac.md +++ b/src/main/resources/db/changelog/133-test-domain-rbac.md @@ -1,6 +1,6 @@ ### rbac domain -This code generated was by RbacViewMermaidFlowchartGenerator at 2024-03-22T14:44:19.510830235. +This code generated was by RbacViewMermaidFlowchartGenerator, do not amend manually. ```mermaid %%{init:{'flowchart':{'htmlLabels':false}}}%% diff --git a/src/main/resources/db/changelog/133-test-domain-rbac.sql b/src/main/resources/db/changelog/133-test-domain-rbac.sql index 511b2de4..6344e43d 100644 --- a/src/main/resources/db/changelog/133-test-domain-rbac.sql +++ b/src/main/resources/db/changelog/133-test-domain-rbac.sql @@ -1,5 +1,5 @@ --liquibase formatted sql --- This code generated was by RbacViewPostgresGenerator at 2024-03-22T14:44:19.511320177. +-- This code generated was by RbacViewPostgresGenerator, do not amend manually. -- ============================================================================ diff --git a/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerEntityUnitTest.java b/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerEntityUnitTest.java index eca0aec1..d576396a 100644 --- a/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerEntityUnitTest.java +++ b/src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerEntityUnitTest.java @@ -29,6 +29,7 @@ class TestCustomerEntityUnitTest { subgraph customer:permissions[ ] style customer:permissions fill:#dd4901,stroke:white + perm:customer:INSERT{{customer:INSERT}} perm:customer:DELETE{{customer:DELETE}} perm:customer:UPDATE{{customer:UPDATE}} perm:customer:SELECT{{customer:SELECT}} @@ -44,6 +45,7 @@ class TestCustomerEntityUnitTest { role:customer:admin ==> role:customer:tenant %% granting permissions to roles + role:global:admin ==> perm:customer:INSERT role:customer:owner ==> perm:customer:DELETE role:customer:admin ==> perm:customer:UPDATE role:customer:tenant ==> perm:customer:SELECT