fix Rbac most Rbac Integration-Tests (view->SELECT etc.)

This commit is contained in:
Michael Hoennig 2024-03-08 19:46:35 +01:00
parent d71d0215ec
commit eb6b56e476
7 changed files with 106 additions and 119 deletions

View File

@ -8,8 +8,8 @@ public interface RbacUserPermission {
String getRoleName();
UUID getPermissionUuid();
String getOp();
String getOpTableName();
String getObjectTable();
String getObjectIdName();
UUID getObjectUuid();
}

View File

@ -58,7 +58,7 @@ begin
select roleIdName from rbacRole_ev where uuid=grantedByRoleUuid into grantedByRoleIdName;
select roleIdName from rbacRole_ev where uuid=grantedRoleUuid into grantedRoleIdName;
raise exception '[403] Access to granted role % (%) forbidden for % (%)',
grantedRoleIdName, grantedRoleUuid, grantedByRoleUuid, grantedByRoleIdName;
grantedRoleIdName, grantedRoleUuid, grantedByRoleIdName, grantedByRoleUuid;
end if;
insert

View File

@ -341,7 +341,7 @@ grant all privileges on RbacOwnGrantedPermissions_rv to ${HSADMINNG_POSTGRES_RES
*/
create or replace function grantedPermissions(targetUserUuid uuid)
returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, objectTable varchar, objectIdName varchar, objectUuid uuid)
returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid)
returns null on null input
language plpgsql as $$
declare
@ -357,11 +357,13 @@ begin
return query select
xp.roleUuid,
(xp.roleObjectTable || '#' || xp.roleObjectIdName || '.' || xp.roleType) as roleName,
xp.permissionUuid, xp.op, xp.permissionObjectTable, xp.permissionObjectIdName, xp.permissionObjectUuid
xp.permissionUuid, xp.op, xp.opTableName,
xp.permissionObjectTable, xp.permissionObjectIdName, xp.permissionObjectUuid
from (select
r.uuid as roleUuid, r.roletype, ro.objectTable as roleObjectTable,
findIdNameByObjectUuid(ro.objectTable, ro.uuid) as roleObjectIdName,
p.uuid as permissionUuid, p.op, po.objecttable as permissionObjectTable,
p.uuid as permissionUuid, p.op, p.opTableName,
po.objecttable as permissionObjectTable,
findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName,
po.uuid as permissionObjectUuid
from queryPermissionsGrantedToSubjectId( targetUserUuid) as p

View File

@ -73,14 +73,14 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
.contentType("application/json")
.body("", hasItem(
allOf(
hasEntry("grantedByRoleIdName", "global#global.admin"),
hasEntry("grantedByRoleIdName", "test_customer#xxx.owner"),
hasEntry("grantedRoleIdName", "test_customer#xxx.admin"),
hasEntry("granteeUserName", "customer-admin@xxx.example.com")
)
))
.body("", hasItem(
allOf(
hasEntry("grantedByRoleIdName", "global#global.admin"),
hasEntry("grantedByRoleIdName", "test_customer#yyy.owner"),
hasEntry("grantedRoleIdName", "test_customer#yyy.admin"),
hasEntry("granteeUserName", "customer-admin@yyy.example.com")
)
@ -296,7 +296,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
result.assertThat()
.statusCode(403)
.body("message", containsString("Access to granted role"))
.body("message", containsString("forbidden for {test_package#xxx00.admin}"));
.body("message", containsString("forbidden for test_package#xxx00.admin"));
assertThat(findAllGrantsOf(givenCurrentUserAsPackageAdmin))
.extracting(RbacGrantEntity::getGranteeUserName)
.doesNotContain(givenNewUser.getName());

View File

@ -84,7 +84,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// then
exactlyTheseRbacGrantsAreReturned(
result,
"{ grant role test_customer#xxx.admin to user customer-admin@xxx.example.com by role global#global.admin and assume }",
"{ grant role test_customer#xxx.admin to user customer-admin@xxx.example.com by role test_customer#xxx.owner and assume }",
"{ grant role test_package#xxx00.admin to user pac-admin-xxx00@xxx.example.com by role test_customer#xxx.admin and assume }",
"{ grant role test_package#xxx01.admin to user pac-admin-xxx01@xxx.example.com by role test_customer#xxx.admin and assume }",
"{ grant role test_package#xxx02.admin to user pac-admin-xxx02@xxx.example.com by role test_customer#xxx.admin and assume }");
@ -162,8 +162,8 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// then
attempt.assertExceptionWithRootCauseMessage(
JpaSystemException.class,
"ERROR: [403] Access to granted role " + given.packageOwnerRoleUuid
+ " forbidden for {test_package#xxx00.admin}");
"ERROR: [403] Access to granted role test_package#xxx00.owner",
"forbidden for test_package#xxx00.admin");
jpaAttempt.transacted(() -> {
// finally, we use the new user to make sure, no roles were granted
context(given.arbitraryUser.getName(), null);

View File

@ -288,19 +288,14 @@ class RbacUserControllerAcceptanceTest {
.body("", hasItem(
allOf(
hasEntry("roleName", "test_customer#yyy.tenant"),
hasEntry("op", "select"))
))
.body("", hasItem(
allOf(
hasEntry("roleName", "test_package#yyy00.admin"),
hasEntry("op", "add-domain"))
hasEntry("op", "SELECT"))
))
.body("", hasItem(
allOf(
hasEntry("roleName", "test_domain#yyy00-aaaa.owner"),
hasEntry("op", "delete"))
hasEntry("op", "DELETE"))
))
.body("size()", is(7));
.body("size()", is(6));
// @formatter:on
}
@ -313,7 +308,7 @@ class RbacUserControllerAcceptanceTest {
RestAssured
.given()
.header("current-user", "superuser-alex@hostsharing.net")
.header("assumed-roles", "test_package#yyy00.admin")
.header("assumed-roles", "test_customer#yyy.admin")
.port(port)
.when()
.get("http://localhost/api/rbac/users/" + givenUser.getUuid() + "/permissions")
@ -323,19 +318,14 @@ class RbacUserControllerAcceptanceTest {
.body("", hasItem(
allOf(
hasEntry("roleName", "test_customer#yyy.tenant"),
hasEntry("op", "select"))
))
.body("", hasItem(
allOf(
hasEntry("roleName", "test_package#yyy00.admin"),
hasEntry("op", "add-domain"))
hasEntry("op", "SELECT"))
))
.body("", hasItem(
allOf(
hasEntry("roleName", "test_domain#yyy00-aaaa.owner"),
hasEntry("op", "delete"))
hasEntry("op", "DELETE"))
))
.body("size()", is(7));
.body("size()", is(6));
// @formatter:on
}
@ -357,19 +347,14 @@ class RbacUserControllerAcceptanceTest {
.body("", hasItem(
allOf(
hasEntry("roleName", "test_customer#yyy.tenant"),
hasEntry("op", "select"))
))
.body("", hasItem(
allOf(
hasEntry("roleName", "test_package#yyy00.admin"),
hasEntry("op", "add-domain"))
hasEntry("op", "SELECT"))
))
.body("", hasItem(
allOf(
hasEntry("roleName", "test_domain#yyy00-aaaa.owner"),
hasEntry("op", "delete"))
hasEntry("op", "DELETE"))
))
.body("size()", is(7));
.body("size()", is(6));
// @formatter:on
}

View File

@ -183,47 +183,47 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
// @formatter:off
"global#global.admin -> global#global: add-customer",
"test_customer#xxx.admin -> test_customer#xxx: add-package",
"test_customer#xxx.admin -> test_customer#xxx: view",
"test_customer#xxx.owner -> test_customer#xxx: *",
"test_customer#xxx.tenant -> test_customer#xxx: view",
"test_package#xxx00.admin -> test_package#xxx00: add-domain",
"test_package#xxx00.admin -> test_package#xxx00: add-domain",
"test_package#xxx00.tenant -> test_package#xxx00: view",
"test_package#xxx01.admin -> test_package#xxx01: add-domain",
"test_package#xxx01.admin -> test_package#xxx01: add-domain",
"test_package#xxx01.tenant -> test_package#xxx01: view",
"test_package#xxx02.admin -> test_package#xxx02: add-domain",
"test_package#xxx02.admin -> test_package#xxx02: add-domain",
"test_package#xxx02.tenant -> test_package#xxx02: view",
"test_customer#xxx.admin -> test_customer#xxx: SELECT",
"test_customer#xxx.owner -> test_customer#xxx: DELETE",
"test_customer#xxx.tenant -> test_customer#xxx: SELECT",
"test_customer#xxx.admin -> test_customer#xxx: INSERT:test_package",
"test_package#xxx00.admin -> test_package#xxx00: INSERT:test_domain",
"test_package#xxx00.admin -> test_package#xxx00: INSERT:test_domain",
"test_package#xxx00.tenant -> test_package#xxx00: SELECT",
"test_package#xxx01.admin -> test_package#xxx01: INSERT:test_domain",
"test_package#xxx01.admin -> test_package#xxx01: INSERT:test_domain",
"test_package#xxx01.tenant -> test_package#xxx01: SELECT",
"test_package#xxx02.admin -> test_package#xxx02: INSERT:test_domain",
"test_package#xxx02.admin -> test_package#xxx02: INSERT:test_domain",
"test_package#xxx02.tenant -> test_package#xxx02: SELECT",
"test_customer#yyy.admin -> test_customer#yyy: add-package",
"test_customer#yyy.admin -> test_customer#yyy: view",
"test_customer#yyy.owner -> test_customer#yyy: *",
"test_customer#yyy.tenant -> test_customer#yyy: view",
"test_package#yyy00.admin -> test_package#yyy00: add-domain",
"test_package#yyy00.admin -> test_package#yyy00: add-domain",
"test_package#yyy00.tenant -> test_package#yyy00: view",
"test_package#yyy01.admin -> test_package#yyy01: add-domain",
"test_package#yyy01.admin -> test_package#yyy01: add-domain",
"test_package#yyy01.tenant -> test_package#yyy01: view",
"test_package#yyy02.admin -> test_package#yyy02: add-domain",
"test_package#yyy02.admin -> test_package#yyy02: add-domain",
"test_package#yyy02.tenant -> test_package#yyy02: view",
"test_customer#yyy.admin -> test_customer#yyy: SELECT",
"test_customer#yyy.owner -> test_customer#yyy: DELETE",
"test_customer#yyy.tenant -> test_customer#yyy: SELECT",
"test_customer#yyy.admin -> test_customer#yyy: INSERT:test_package",
"test_package#yyy00.admin -> test_package#yyy00: INSERT:test_domain",
"test_package#yyy00.admin -> test_package#yyy00: INSERT:test_domain",
"test_package#yyy00.tenant -> test_package#yyy00: SELECT",
"test_package#yyy01.admin -> test_package#yyy01: INSERT:test_domain",
"test_package#yyy01.admin -> test_package#yyy01: INSERT:test_domain",
"test_package#yyy01.tenant -> test_package#yyy01: SELECT",
"test_package#yyy02.admin -> test_package#yyy02: INSERT:test_domain",
"test_package#yyy02.admin -> test_package#yyy02: INSERT:test_domain",
"test_package#yyy02.tenant -> test_package#yyy02: SELECT",
"test_customer#zzz.admin -> test_customer#zzz: add-package",
"test_customer#zzz.admin -> test_customer#zzz: view",
"test_customer#zzz.owner -> test_customer#zzz: *",
"test_customer#zzz.tenant -> test_customer#zzz: view",
"test_package#zzz00.admin -> test_package#zzz00: add-domain",
"test_package#zzz00.admin -> test_package#zzz00: add-domain",
"test_package#zzz00.tenant -> test_package#zzz00: view",
"test_package#zzz01.admin -> test_package#zzz01: add-domain",
"test_package#zzz01.admin -> test_package#zzz01: add-domain",
"test_package#zzz01.tenant -> test_package#zzz01: view",
"test_package#zzz02.admin -> test_package#zzz02: add-domain",
"test_package#zzz02.admin -> test_package#zzz02: add-domain",
"test_package#zzz02.tenant -> test_package#zzz02: view"
"test_customer#zzz.admin -> test_customer#zzz: SELECT",
"test_customer#zzz.owner -> test_customer#zzz: DELETE",
"test_customer#zzz.tenant -> test_customer#zzz: SELECT",
"test_customer#zzz.admin -> test_customer#zzz: INSERT:test_package",
"test_package#zzz00.admin -> test_package#zzz00: INSERT:test_domain",
"test_package#zzz00.admin -> test_package#zzz00: INSERT:test_domain",
"test_package#zzz00.tenant -> test_package#zzz00: SELECT",
"test_package#zzz01.admin -> test_package#zzz01: INSERT:test_domain",
"test_package#zzz01.admin -> test_package#zzz01: INSERT:test_domain",
"test_package#zzz01.tenant -> test_package#zzz01: SELECT",
"test_package#zzz02.admin -> test_package#zzz02: INSERT:test_domain",
"test_package#zzz02.admin -> test_package#zzz02: INSERT:test_domain",
"test_package#zzz02.tenant -> test_package#zzz02: SELECT"
// @formatter:on
);
@ -251,32 +251,32 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
allTheseRbacPermissionsAreReturned(
result,
// @formatter:off
"test_customer#xxx.admin -> test_customer#xxx: add-package",
"test_customer#xxx.admin -> test_customer#xxx: view",
"test_customer#xxx.tenant -> test_customer#xxx: view",
"test_customer#xxx.admin -> test_customer#xxx: INSERT:test_package",
"test_customer#xxx.admin -> test_customer#xxx: SELECT",
"test_customer#xxx.tenant -> test_customer#xxx: SELECT",
"test_package#xxx00.admin -> test_package#xxx00: add-domain",
"test_package#xxx00.admin -> test_package#xxx00: add-domain",
"test_package#xxx00.tenant -> test_package#xxx00: view",
"test_domain#xxx00-aaaa.owner -> test_domain#xxx00-aaaa: *",
"test_package#xxx00.admin -> test_package#xxx00: INSERT:test_domain",
"test_package#xxx00.admin -> test_package#xxx00: INSERT:test_domain",
"test_package#xxx00.tenant -> test_package#xxx00: SELECT",
"test_domain#xxx00-aaaa.owner -> test_domain#xxx00-aaaa: DELETE",
"test_package#xxx01.admin -> test_package#xxx01: add-domain",
"test_package#xxx01.admin -> test_package#xxx01: add-domain",
"test_package#xxx01.tenant -> test_package#xxx01: view",
"test_domain#xxx01-aaaa.owner -> test_domain#xxx01-aaaa: *",
"test_package#xxx01.admin -> test_package#xxx01: INSERT:test_domain",
"test_package#xxx01.admin -> test_package#xxx01: INSERT:test_domain",
"test_package#xxx01.tenant -> test_package#xxx01: SELECT",
"test_domain#xxx01-aaaa.owner -> test_domain#xxx01-aaaa: DELETE",
"test_package#xxx02.admin -> test_package#xxx02: add-domain",
"test_package#xxx02.admin -> test_package#xxx02: add-domain",
"test_package#xxx02.tenant -> test_package#xxx02: view",
"test_domain#xxx02-aaaa.owner -> test_domain#xxx02-aaaa: *"
"test_package#xxx02.admin -> test_package#xxx02: INSERT:test_domain",
"test_package#xxx02.admin -> test_package#xxx02: INSERT:test_domain",
"test_package#xxx02.tenant -> test_package#xxx02: SELECT",
"test_domain#xxx02-aaaa.owner -> test_domain#xxx02-aaaa: DELETE"
// @formatter:on
);
noneOfTheseRbacPermissionsAreReturned(
result,
// @formatter:off
"test_customer#yyy.admin -> test_customer#yyy: add-package",
"test_customer#yyy.admin -> test_customer#yyy: view",
"test_customer#yyy.tenant -> test_customer#yyy: view"
"test_customer#yyy.admin -> test_customer#yyy: INSERT:test_package",
"test_customer#yyy.admin -> test_customer#yyy: SELECT",
"test_customer#yyy.tenant -> test_customer#yyy: SELECT"
// @formatter:on
);
}
@ -311,26 +311,26 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
allTheseRbacPermissionsAreReturned(
result,
// @formatter:off
"test_customer#xxx.tenant -> test_customer#xxx: view",
"test_customer#xxx.tenant -> test_customer#xxx: SELECT",
// "test_customer#xxx.admin -> test_customer#xxx: view" - Not permissions through the customer admin!
"test_package#xxx00.admin -> test_package#xxx00: add-domain",
"test_package#xxx00.admin -> test_package#xxx00: add-domain",
"test_package#xxx00.tenant -> test_package#xxx00: view",
"test_domain#xxx00-aaaa.owner -> test_domain#xxx00-aaaa: *",
"test_domain#xxx00-aaab.owner -> test_domain#xxx00-aaab: *"
"test_package#xxx00.admin -> test_package#xxx00: INSERT:test_domain",
"test_package#xxx00.admin -> test_package#xxx00: INSERT:test_domain",
"test_package#xxx00.tenant -> test_package#xxx00: SELECT",
"test_domain#xxx00-aaaa.owner -> test_domain#xxx00-aaaa: DELETE",
"test_domain#xxx00-aaab.owner -> test_domain#xxx00-aaab: DELETE"
// @formatter:on
);
noneOfTheseRbacPermissionsAreReturned(
result,
// @formatter:off
"test_customer#yyy.admin -> test_customer#yyy: add-package",
"test_customer#yyy.admin -> test_customer#yyy: view",
"test_customer#yyy.tenant -> test_customer#yyy: view",
"test_package#yyy00.admin -> test_package#yyy00: add-domain",
"test_package#yyy00.admin -> test_package#yyy00: add-domain",
"test_package#yyy00.tenant -> test_package#yyy00: view",
"test_domain#yyy00-aaaa.owner -> test_domain#yyy00-aaaa: *",
"test_domain#yyy00-aaab.owner -> test_domain#yyy00-aaab: *"
"test_customer#yyy.admin -> test_customer#yyy: INSERT:test_package",
"test_customer#yyy.admin -> test_customer#yyy: SELECT",
"test_customer#yyy.tenant -> test_customer#yyy: SELECT",
"test_package#yyy00.admin -> test_package#yyy00: INSERT:test_domain",
"test_package#yyy00.admin -> test_package#yyy00: INSERT:test_domain",
"test_package#yyy00.tenant -> test_package#yyy00: SELECT",
"test_domain#yyy00-aaaa.owner -> test_domain#yyy00-aaaa: DELETE",
"test_domain#yyy00-aaab.owner -> test_domain#yyy00-aaab: DELETE"
// @formatter:on
);
}
@ -359,11 +359,10 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
allTheseRbacPermissionsAreReturned(
result,
// @formatter:off
"test_customer#xxx.tenant -> test_customer#xxx: view",
"test_customer#xxx.tenant -> test_customer#xxx: SELECT",
// "test_customer#xxx.admin -> test_customer#xxx: view" - Not permissions through the customer admin!
"test_package#xxx00.admin -> test_package#xxx00: add-domain",
"test_package#xxx00.admin -> test_package#xxx00: add-domain",
"test_package#xxx00.tenant -> test_package#xxx00: view"
"test_package#xxx00.admin -> test_package#xxx00: INSERT:test_domain",
"test_package#xxx00.tenant -> test_package#xxx00: SELECT"
// @formatter:on
);
noneOfTheseRbacPermissionsAreReturned(
@ -373,13 +372,13 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
"test_customer#xxx.admin -> test_customer#xxx: add-package",
// no permissions on other customer's objects
"test_customer#yyy.admin -> test_customer#yyy: add-package",
"test_customer#yyy.admin -> test_customer#yyy: view",
"test_customer#yyy.tenant -> test_customer#yyy: view",
"test_package#yyy00.admin -> test_package#yyy00: add-domain",
"test_package#yyy00.admin -> test_package#yyy00: add-domain",
"test_package#yyy00.tenant -> test_package#yyy00: view",
"test_domain#yyy00-aaaa.owner -> test_domain#yyy00-aaaa: *",
"test_domain#yyy00-xxxb.owner -> test_domain#yyy00-xxxb: *"
"test_customer#yyy.admin -> test_customer#yyy: SELECT",
"test_customer#yyy.tenant -> test_customer#yyy: SELECT",
"test_package#yyy00.admin -> test_package#yyy00: INSERT:test_domain",
"test_package#yyy00.admin -> test_package#yyy00: INSERT:test_domain",
"test_package#yyy00.tenant -> test_package#yyy00: SELECT",
"test_domain#yyy00-aaaa.owner -> test_domain#yyy00-aaaa: DELETE",
"test_domain#yyy00-xxxb.owner -> test_domain#yyy00-xxxb: DELETE"
// @formatter:on
);
}
@ -432,7 +431,8 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
final List<RbacUserPermission> actualResult,
final String... expectedRoleNames) {
assertThat(actualResult)
.extracting(p -> p.getRoleName() + " -> " + p.getObjectTable() + "#" + p.getObjectIdName() + ": " + p.getOp())
.extracting(p -> p.getRoleName() + " -> " + p.getObjectTable() + "#" + p.getObjectIdName() + ": " + p.getOp()
+ (p.getOpTableName() != null ? (":"+p.getOpTableName()) : "" ))
.contains(expectedRoleNames);
}