hostsharing/hs.hsadmin.ng
6
0
Fork 0
Code Pull Requests 1 Activity

Compare commits

base: hostsharing:0a9fd9f83bf358bbd28e9d1618a3aa918d478a9f
Branches Tags
hostsharing:master
hostsharing:feature/implement-coop-asset-transaction-reversal
hostsharing:TP-20241126-znuny-view-customer_company
hostsharing:office-rbac-revision
hostsharing:feature/introduce-global-agent-for-non-hostmaster-admins
hostsharing:spike/auto-build
hostsharing:java-for-gradlew
hostsharing:TP-202408-cors_webui
hostsharing:idea-bug-refactor-inline
hostsharing:api-vision
hostsharing:rbac-object-scope-to-replace-serial-id
hostsharing:office-related-spec-clarifications-and-amendmends
hostsharing:revert-upgrade-openapiprocessor-spring-back-to-2022-5
hostsharing:upgrade-io.openapiprocessoropenapi-processor-spring-to-2024.2
hostsharing:spike/JSonSerializerDeserializerForDTOs
hostsharing:spike/master-detail-for-customer-and-contacts
..
compare: hostsharing:b2cea1e88296ab3f16d2cb05e544d7a54ce4eb66
Branches Tags
hostsharing:feature/implement-coop-asset-transaction-reversal
hostsharing:TP-20241126-znuny-view-customer_company
hostsharing:master
hostsharing:office-rbac-revision
hostsharing:feature/introduce-global-agent-for-non-hostmaster-admins
hostsharing:spike/auto-build
hostsharing:java-for-gradlew
hostsharing:TP-202408-cors_webui
hostsharing:idea-bug-refactor-inline
hostsharing:api-vision
hostsharing:rbac-object-scope-to-replace-serial-id
hostsharing:office-related-spec-clarifications-and-amendmends
hostsharing:revert-upgrade-openapiprocessor-spring-back-to-2022-5
hostsharing:upgrade-io.openapiprocessoropenapi-processor-spring-to-2024.2
hostsharing:spike/JSonSerializerDeserializerForDTOs
hostsharing:spike/master-detail-for-customer-and-contacts

No commits in common. "0a9fd9f83bf358bbd28e9d1618a3aa918d478a9f" and "b2cea1e88296ab3f16d2cb05e544d7a54ce4eb66" have entirely different histories.
0a9fd9f83b ... b2cea1e882

47 changed files with 441 additions and 1016 deletions
Show Stats Expand all files Collapse all files

148
doc/rbac.md
View File

@ -11,7 +11,7 @@ Our implementation is based on Role-Based-Access-Management (RBAC) in conjunctio
As far as possible, we are using the same terms as defined in the RBAC standard, for our function names though, we chose more expressive names. As far as possible, we are using the same terms as defined in the RBAC standard, for our function names though, we chose more expressive names.
In RBAC, subjects can be assigned to roles, roles can be hierarchical and eventually have assigned permissions. In RBAC, subjects can be assigned to roles, roles can be hierarchical and eventually have assigned permissions.
A permission allows a specific operation (e.g. SELECT or UPDATE) on a specific (business-) object. A permission allows a specific operation (e.g. view or edit) on a specific (business-) object.
You can find the entity structure as a UML class diagram as follows: You can find the entity structure as a UML class diagram as follows:
@ -101,12 +101,13 @@ package RBAC {
RbacPermission *-- RbacObject RbacPermission *-- RbacObject
enum RbacOperation { enum RbacOperation {
INSERT:package add-package
INSERT:domain add-domain
add-domain
... ...
SELECT view
UPDATE edit
DELETE delete
} }
entity RbacObject { entity RbacObject {
@ -171,10 +172,11 @@ An *RbacPermission* allows a specific *RbacOperation* on a specific *RbacObject*
An *RbacOperation* determines, <u>what</u> an *RbacPermission* allows to do. An *RbacOperation* determines, <u>what</u> an *RbacPermission* allows to do.
It can be one of: It can be one of:
- **'INSERT'** - permits inserting new rows related to the row, to which the permission belongs, in the table which is specified an extra column - **'add-...'** - permits creating new instances of specific entity types underneath the object specified by the permission, e.g. "add-package"
- **'SELECT'** - permits selecting the row specified by the permission - **'view'** - permits reading the contents of the object specified by the permission
- **'UPDATE'** - permits updating (only the updatable columns of) the row specified by the permission - **'edit'** - change the contents of the object specified by the permission
- **'DELETE'** - permits deleting the row specified by the permission - **'delete'** - delete the object specified by the permission
- **'\*'**
This list is extensible according to the needs of the access rule system. This list is extensible according to the needs of the access rule system.
@ -210,7 +212,7 @@ E.g. for a new *customer* it would be granted to 'administrators' and for a new
Whoever has the owner-role assigned can do everything with the related business-object, including deleting (or deactivating) it. Whoever has the owner-role assigned can do everything with the related business-object, including deleting (or deactivating) it.
In most cases, the permissions to other operations than 'DELETE' are granted through the 'admin' role. In most cases, the permissions to other operations than 'delete' are granted through the 'admin' role.
By this, all roles ob sub-objects, which are assigned to the 'admin' role, are also granted to the 'owner'. By this, all roles ob sub-objects, which are assigned to the 'admin' role, are also granted to the 'owner'.
#### admin #### admin
@ -218,14 +220,14 @@ By this, all roles ob sub-objects, which are assigned to the 'admin' role, are a
The admin-role is granted to a role of those subjects who manage the business object. The admin-role is granted to a role of those subjects who manage the business object.
E.g. a 'package' is manged by the admin of the customer. E.g. a 'package' is manged by the admin of the customer.
Whoever has the admin-role assigned, can usually update the related business-object but not delete (or deactivating) it. Whoever has the admin-role assigned, can usually edit the related business-object but not deleting (or deactivating) it.
The admin-role also comprises lesser roles, through which the SELECT-permission is granted. The admin-role also comprises lesser roles, through which the view-permission is granted.
#### agent #### agent
The agent-role is not used in the examples of this document, because it's for more complex cases. The agent-role is not used in the examples of this document, because it's for more complex cases.
It's usually granted to those roles and users who represent the related business-object, but are not allowed to update it. It's usually granted to those roles and users who represent the related business-object, but are not allowed to edit it.
Other than the tenant-role, it usually offers broader visibility of sub-business-objects (joined entities). Other than the tenant-role, it usually offers broader visibility of sub-business-objects (joined entities).
E.g. a package-admin is allowed to see the related debitor-business-object, E.g. a package-admin is allowed to see the related debitor-business-object,
@ -233,19 +235,19 @@ but not its banking data.
#### tenant #### tenant
The tenant-role is granted to everybody who needs to be able to select the business-object and (probably some) related business-objects. The tenant-role is granted to everybody who needs to be able to view the business-object and (probably some) related business-objects.
Usually all owners, admins and tenants of sub-objects get this role granted. Usually all owners, admins and tenants of sub-objects get this role granted.
Some business-objects only have very limited data directly in the main business-object and store more sensitive data in special sub-objects (e.g. 'customer-details') to which tenants of sub-objects of the main-object (e.g. package admins) do not get SELECT permission. Some business-objects only have very limited data directly in the main business-object and store more sensitive data in special sub-objects (e.g. 'customer-details') to which tenants of sub-objects of the main-object (e.g. package admins) do not get view permission.
#### guest #### guest
Like the agent-role, the guest-role too is not used in the examples of this document, because it's for more complex cases. Like the agent-role, the guest-role too is not used in the examples of this document, because it's for more complex cases.
If the guest-role exists, the SELECT-permission is granted to it, instead of to the tenant-role. If the guest-role exists, the view-permission is granted to it, instead of to the tenant-role.
Other than the tenant-role, the guest-roles does never grant any roles of related objects. Other than the tenant-role, the guest-roles does never grant any roles of related objects.
Also, if the guest-role exists, the tenant-role receives the SELECT-permission through the guest-role. Also, if the guest-role exists, the tenant-role receives the view-permission through the guest-role.
### Referenced Business Objects and Role-Depreciation ### Referenced Business Objects and Role-Depreciation
@ -261,7 +263,7 @@ The admin-role of one object could be granted visibility to another object throu
But not in all cases role-depreciation takes place. But not in all cases role-depreciation takes place.
E.g. often a tenant-role is granted another tenant-role, E.g. often a tenant-role is granted another tenant-role,
because it should be again allowed to select sub-objects. because it should be again allowed to view sub-objects.
The same for the agent-role, often it is granted another agent-role. The same for the agent-role, often it is granted another agent-role.
@ -295,14 +297,14 @@ package RbacRoles {
RbacUsers -[hidden]> RbacRoles RbacUsers -[hidden]> RbacRoles
package RbacPermissions { package RbacPermissions {
object PermCustXyz_SELECT object PermCustXyz_View
object PermCustXyz_UPDATE object PermCustXyz_Edit
object PermCustXyz_DELETE object PermCustXyz_Delete
object PermCustXyz_INSERT:Package object PermCustXyz_AddPackage
object PermPackXyz00_SELECT object PermPackXyz00_View
object PermPackXyz00_EDIT object PermPackXyz00_Edit
object PermPackXyz00_DELETE object PermPackXyz00_Delete
object PermPackXyz00_INSERT:USER object PermPackXyz00_AddUser
} }
RbacRoles -[hidden]> RbacPermissions RbacRoles -[hidden]> RbacPermissions
@ -320,23 +322,23 @@ RoleAdministrators o..> RoleCustXyz_Owner
RoleCustXyz_Owner o-> RoleCustXyz_Admin RoleCustXyz_Owner o-> RoleCustXyz_Admin
RoleCustXyz_Admin o-> RolePackXyz00_Owner RoleCustXyz_Admin o-> RolePackXyz00_Owner
RoleCustXyz_Owner o--> PermCustXyz_UPDATE RoleCustXyz_Owner o--> PermCustXyz_Edit
RoleCustXyz_Owner o--> PermCustXyz_DELETE RoleCustXyz_Owner o--> PermCustXyz_Delete
RoleCustXyz_Admin o--> PermCustXyz_SELECT RoleCustXyz_Admin o--> PermCustXyz_View
RoleCustXyz_Admin o--> PermCustXyz_INSERT:Package RoleCustXyz_Admin o--> PermCustXyz_AddPackage
RolePackXyz00_Owner o--> PermPackXyz00_SELECT RolePackXyz00_Owner o--> PermPackXyz00_View
RolePackXyz00_Owner o--> PermPackXyz00_UPDATE RolePackXyz00_Owner o--> PermPackXyz00_Edit
RolePackXyz00_Owner o--> PermPackXyz00_DELETE RolePackXyz00_Owner o--> PermPackXyz00_Delete
RolePackXyz00_Owner o--> PermPackXyz00_INSERT:User RolePackXyz00_Owner o--> PermPackXyz00_AddUser
PermCustXyz_SELECT o--> CustXyz PermCustXyz_View o--> CustXyz
PermCustXyz_UPDATE o--> CustXyz PermCustXyz_Edit o--> CustXyz
PermCustXyz_DELETE o--> CustXyz PermCustXyz_Delete o--> CustXyz
PermCustXyz_INSERT:Package o--> CustXyz PermCustXyz_AddPackage o--> CustXyz
PermPackXyz00_SELECT o--> PackXyz00 PermPackXyz00_View o--> PackXyz00
PermPackXyz00_UPDATE o--> PackXyz00 PermPackXyz00_Edit o--> PackXyz00
PermPackXyz00_DELETE o--> PackXyz00 PermPackXyz00_Delete o--> PackXyz00
PermPackXyz00_INSERT:User o--> PackXyz00 PermPackXyz00_AddUser o--> PackXyz00
@enduml @enduml
``` ```
@ -351,12 +353,12 @@ To support the RBAC system, for each business-object-table, some more artifacts
Not yet implemented, but planned are these actions: Not yet implemented, but planned are these actions:
- an `ON DELETE ... DO INSTEAD` rule to allow `SQL DELETE` if applicable for the business-object-table and the user has 'DELETE' permission, - an `ON DELETE ... DO INSTEAD` rule to allow `SQL DELETE` if applicable for the business-object-table and the user has 'delete' permission,
- an `ON UPDATE ... DO INSTEAD` rule to allow `SQL UPDATE` if the user has 'UPDATE' right, - an `ON UPDATE ... DO INSTEAD` rule to allow `SQL UPDATE` if the user has 'edit' right,
- an `ON INSERT ... DO INSTEAD` rule to allow `SQL INSERT` if the user has the 'INSERT' right for the parent-business-object. - an `ON INSERT ... DO INSTEAD` rule to allow `SQL INSERT` if the user has 'add-..' right to the parent-business-object.
The restricted view takes the current user from a session property and applies the hierarchy of its roles all the way down to the permissions related to the respective business-object-table. The restricted view takes the current user from a session property and applies the hierarchy of its roles all the way down to the permissions related to the respective business-object-table.
This way, each user can only select the data they have 'SELECT'-permission for, only create those they have 'add-...'-permission, only update those they have 'UPDATE'- and only delete those they have 'DELETE'-permission to. This way, each user can only view the data they have 'view'-permission for, only create those they have 'add-...'-permission, only update those they have 'edit'- and only delete those they have 'delete'-permission to.
### Current User ### Current User
@ -456,26 +458,26 @@ allow_mixing
entity "BObj customer#xyz" as boCustXyz entity "BObj customer#xyz" as boCustXyz
together { together {
entity "Perm customer#xyz *" as permCustomerXyzDELETE entity "Perm customer#xyz *" as permCustomerXyzAll
permCustomerXyzDELETE --> boCustXyz permCustomerXyzAll --> boCustXyz
entity "Perm customer#xyz INSERT:package" as permCustomerXyzINSERT:package entity "Perm customer#xyz add-package" as permCustomerXyzAddPack
permCustomerXyzINSERT:package --> boCustXyz permCustomerXyzAddPack --> boCustXyz
entity "Perm customer#xyz SELECT" as permCustomerXyzSELECT entity "Perm customer#xyz view" as permCustomerXyzView
permCustomerXyzSELECT--> boCustXyz permCustomerXyzView --> boCustXyz
} }
entity "Role customer#xyz.tenant" as roleCustXyzTenant entity "Role customer#xyz.tenant" as roleCustXyzTenant
roleCustXyzTenant --> permCustomerXyzSELECT roleCustXyzTenant --> permCustomerXyzView
entity "Role customer#xyz.admin" as roleCustXyzAdmin entity "Role customer#xyz.admin" as roleCustXyzAdmin
roleCustXyzAdmin --> roleCustXyzTenant roleCustXyzAdmin --> roleCustXyzTenant
roleCustXyzAdmin --> permCustomerXyzINSERT:package roleCustXyzAdmin --> permCustomerXyzAddPack
entity "Role customer#xyz.owner" as roleCustXyzOwner entity "Role customer#xyz.owner" as roleCustXyzOwner
roleCustXyzOwner ..> roleCustXyzAdmin roleCustXyzOwner ..> roleCustXyzAdmin
roleCustXyzOwner --> permCustomerXyzDELETE roleCustXyzOwner --> permCustomerXyzAll
actor "Customer XYZ Admin" as actorCustXyzAdmin actor "Customer XYZ Admin" as actorCustXyzAdmin
actorCustXyzAdmin --> roleCustXyzAdmin actorCustXyzAdmin --> roleCustXyzAdmin
@ -485,6 +487,8 @@ roleAdmins --> roleCustXyzOwner
actor "Any Hostmaster" as actorHostmaster actor "Any Hostmaster" as actorHostmaster
actorHostmaster --> roleAdmins actorHostmaster --> roleAdmins
@enduml @enduml
``` ```
@ -523,17 +527,17 @@ allow_mixing
entity "BObj package#xyz00" as boPacXyz00 entity "BObj package#xyz00" as boPacXyz00
together { together {
entity "Perm package#xyz00 *" as permPackageXyzDELETE entity "Perm package#xyz00 *" as permPackageXyzAll
permPackageXyzDELETE --> boPacXyz00 permPackageXyzAll --> boPacXyz00
entity "Perm package#xyz00 INSERT:domain" as permPacXyz00INSERT:user entity "Perm package#xyz00 add-domain" as permPacXyz00AddUser
permPacXyz00INSERT:user --> boPacXyz00 permPacXyz00AddUser --> boPacXyz00
entity "Perm package#xyz00 UPDATE" as permPacXyz00UPDATE entity "Perm package#xyz00 edit" as permPacXyz00Edit
permPacXyz00UPDATE --> boPacXyz00 permPacXyz00Edit --> boPacXyz00
entity "Perm package#xyz00 SELECT" as permPacXyz00SELECT entity "Perm package#xyz00 view" as permPacXyz00View
permPacXyz00SELECT --> boPacXyz00 permPacXyz00View --> boPacXyz00
} }
package { package {
@ -548,11 +552,11 @@ package {
entity "Role package#xyz00.tenant" as rolePacXyz00Tenant entity "Role package#xyz00.tenant" as rolePacXyz00Tenant
} }
rolePacXyz00Tenant --> permPacXyz00SELECT rolePacXyz00Tenant --> permPacXyz00View
rolePacXyz00Tenant --> roleCustXyzTenant rolePacXyz00Tenant --> roleCustXyzTenant
rolePacXyz00Owner --> rolePacXyz00Admin rolePacXyz00Owner --> rolePacXyz00Admin
rolePacXyz00Owner --> permPackageXyzDELETE rolePacXyz00Owner --> permPackageXyzAll
roleCustXyzAdmin --> rolePacXyz00Owner roleCustXyzAdmin --> rolePacXyz00Owner
roleCustXyzAdmin --> roleCustXyzTenant roleCustXyzAdmin --> roleCustXyzTenant
@ -560,8 +564,8 @@ roleCustXyzAdmin --> roleCustXyzTenant
roleCustXyzOwner ..> roleCustXyzAdmin roleCustXyzOwner ..> roleCustXyzAdmin
rolePacXyz00Admin --> rolePacXyz00Tenant rolePacXyz00Admin --> rolePacXyz00Tenant
rolePacXyz00Admin --> permPacXyz00INSERT:user rolePacXyz00Admin --> permPacXyz00AddUser
rolePacXyz00Admin --> permPacXyz00UPDATE rolePacXyz00Admin --> permPacXyz00Edit
actor "Package XYZ00 Admin" as actorPacXyzAdmin actor "Package XYZ00 Admin" as actorPacXyzAdmin
actorPacXyzAdmin -l-> rolePacXyz00Admin actorPacXyzAdmin -l-> rolePacXyz00Admin
@ -620,10 +624,10 @@ Let's have a look at the two view queries:
WHERE target.uuid IN ( WHERE target.uuid IN (
SELECT uuid SELECT uuid
FROM queryAccessibleObjectUuidsOfSubjectIds( FROM queryAccessibleObjectUuidsOfSubjectIds(
'SELECTÄ, 'customer', currentSubjectsUuids())); 'view', 'customer', currentSubjectsUuids()));
This view should be automatically updatable. This view should be automatically updatable.
Where, for updates, we actually have to check for 'UPDATE' instead of 'SELECTÄ operation, which makes it a bit more complicated. Where, for updates, we actually have to check for 'edit' instead of 'view' operation, which makes it a bit more complicated.
With the larger dataset, the test suite initially needed over 7 seconds with this view query. With the larger dataset, the test suite initially needed over 7 seconds with this view query.
At this point the second variant was tried. At this point the second variant was tried.
@ -638,7 +642,7 @@ Looks like the query optimizer needed some statistics to find the best path.
SELECT DISTINCT target.* SELECT DISTINCT target.*
FROM customer AS target FROM customer AS target
JOIN queryAccessibleObjectUuidsOfSubjectIds( JOIN queryAccessibleObjectUuidsOfSubjectIds(
'SELECTÄ, 'customer', currentSubjectsUuids()) AS allowedObjId 'view', 'customer', currentSubjectsUuids()) AS allowedObjId
ON target.uuid = allowedObjId; ON target.uuid = allowedObjId;
This view cannot is not updatable automatically, This view cannot is not updatable automatically,
@ -684,7 +688,7 @@ Otherwise, it would not be possible to assign roles to new users.
All roles are system-defined and cannot be created or modified by any external API. All roles are system-defined and cannot be created or modified by any external API.
Users can view only the roles to which are granted to them. Users can view only the roles to which they are assigned.
## RbacGrant ## RbacGrant

10
sql/rbac-tests.sql
View File

@ -19,13 +19,13 @@ select *
FROM queryAllPermissionsOfSubjectId(findRbacUser('rosa@example.com')); FROM queryAllPermissionsOfSubjectId(findRbacUser('rosa@example.com'));
select * select *
FROM queryAllRbacUsersWithPermissionsFor(findPermissionId('customer', FROM queryAllRbacUsersWithPermissionsFor(findEffectivePermissionId('customer',
(SELECT uuid FROM RbacObject WHERE objectTable = 'customer' LIMIT 1), (SELECT uuid FROM RbacObject WHERE objectTable = 'customer' LIMIT 1),
'add-package')); 'add-package'));
select * select *
FROM queryAllRbacUsersWithPermissionsFor(findPermissionId('package', FROM queryAllRbacUsersWithPermissionsFor(findEffectivePermissionId('package',
(SELECT uuid FROM RbacObject WHERE objectTable = 'package' LIMIT 1), (SELECT uuid FROM RbacObject WHERE objectTable = 'package' LIMIT 1),
'DELETE')); 'delete'));
DO LANGUAGE plpgsql DO LANGUAGE plpgsql
$$ $$
@ -34,12 +34,12 @@ $$
result bool; result bool;
BEGIN BEGIN
userId = findRbacUser('superuser-alex@hostsharing.net'); userId = findRbacUser('superuser-alex@hostsharing.net');
result = (SELECT * FROM isPermissionGrantedToSubject(findPermissionId('package', 94928, 'add-package'), userId)); result = (SELECT * FROM isPermissionGrantedToSubject(findEffectivePermissionId('package', 94928, 'add-package'), userId));
IF (result) THEN IF (result) THEN
RAISE EXCEPTION 'expected permission NOT to be granted, but it is'; RAISE EXCEPTION 'expected permission NOT to be granted, but it is';
end if; end if;
result = (SELECT * FROM isPermissionGrantedToSubject(findPermissionId('package', 94928, 'SELECT'), userId)); result = (SELECT * FROM isPermissionGrantedToSubject(findEffectivePermissionId('package', 94928, 'view'), userId));
IF (NOT result) THEN IF (NOT result) THEN
RAISE EXCEPTION 'expected permission to be granted, but it is NOT'; RAISE EXCEPTION 'expected permission to be granted, but it is NOT';
end if; end if;

10
sql/rbac-view-option-experiments.sql
View File

@ -20,7 +20,7 @@ CREATE POLICY customer_policy ON customer
TO restricted TO restricted
USING ( USING (
-- id=1000 -- id=1000
isPermissionGrantedToSubject(findPermissionId('test_customer', id, 'SELECT'), currentUserUuid()) isPermissionGrantedToSubject(findEffectivePermissionId('test_customer', id, 'view'), currentUserUuid())
); );
SET SESSION AUTHORIZATION restricted; SET SESSION AUTHORIZATION restricted;
@ -35,7 +35,7 @@ SELECT * FROM customer;
CREATE OR REPLACE RULE "_RETURN" AS CREATE OR REPLACE RULE "_RETURN" AS
ON SELECT TO cust_view ON SELECT TO cust_view
DO INSTEAD DO INSTEAD
SELECT * FROM customer WHERE isPermissionGrantedToSubject(findPermissionId('test_customer', id, 'SELECT'), currentUserUuid()); SELECT * FROM customer WHERE isPermissionGrantedToSubject(findEffectivePermissionId('test_customer', id, 'view'), currentUserUuid());
SELECT * from cust_view LIMIT 10; SELECT * from cust_view LIMIT 10;
select queryAllPermissionsOfSubjectId(findRbacUser('superuser-alex@hostsharing.net')); select queryAllPermissionsOfSubjectId(findRbacUser('superuser-alex@hostsharing.net'));
@ -52,7 +52,7 @@ CREATE OR REPLACE RULE "_RETURN" AS
DO INSTEAD DO INSTEAD
SELECT c.uuid, c.reference, c.prefix FROM customer AS c SELECT c.uuid, c.reference, c.prefix FROM customer AS c
JOIN queryAllPermissionsOfSubjectId(currentUserUuid()) AS p JOIN queryAllPermissionsOfSubjectId(currentUserUuid()) AS p
ON p.objectTable='test_customer' AND p.objectUuid=c.uuid AND p.op = 'SELECT'; ON p.objectTable='test_customer' AND p.objectUuid=c.uuid AND p.op in ('*', 'view');
GRANT ALL PRIVILEGES ON cust_view TO restricted; GRANT ALL PRIVILEGES ON cust_view TO restricted;
SET SESSION SESSION AUTHORIZATION restricted; SET SESSION SESSION AUTHORIZATION restricted;
@ -68,7 +68,7 @@ CREATE OR REPLACE VIEW cust_view AS
SELECT c.uuid, c.reference, c.prefix SELECT c.uuid, c.reference, c.prefix
FROM customer AS c FROM customer AS c
JOIN queryAllPermissionsOfSubjectId(currentUserUuid()) AS p JOIN queryAllPermissionsOfSubjectId(currentUserUuid()) AS p
ON p.objectUuid=c.uuid AND p.op = 'SELECT'; ON p.objectUuid=c.uuid AND p.op in ('*', 'view');
GRANT ALL PRIVILEGES ON cust_view TO restricted; GRANT ALL PRIVILEGES ON cust_view TO restricted;
SET SESSION SESSION AUTHORIZATION restricted; SET SESSION SESSION AUTHORIZATION restricted;
@ -81,7 +81,7 @@ select rr.uuid, rr.type from RbacGrants g
join RbacReference RR on g.ascendantUuid = RR.uuid join RbacReference RR on g.ascendantUuid = RR.uuid
where g.descendantUuid in ( where g.descendantUuid in (
select uuid from queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com')) select uuid from queryAllPermissionsOfSubjectId(findRbacUser('alex@example.com'))
where objectTable='test_customer' and op = 'SELECT'); where objectTable='test_customer' and op in ('*', 'view'));
call grantRoleToUser(findRoleId('test_customer#aaa.admin'), findRbacUser('aaaaouq@example.com')); call grantRoleToUser(findRoleId('test_customer#aaa.admin'), findRbacUser('aaaaouq@example.com'));

8
src/main/java/net/hostsharing/hsadminng/hs/office/bankaccount/HsOfficeBankAccountEntity.java
View File

@ -64,17 +64,17 @@ public class HsOfficeBankAccountEntity implements HasUuid, Stringifyable {
.createRole(OWNER, (with) -> { .createRole(OWNER, (with) -> {
with.owningUser(CREATOR); with.owningUser(CREATOR);
with.incomingSuperRole(GLOBAL, ADMIN); with.incomingSuperRole(GLOBAL, ADMIN);
with.permission(DELETE); with.permission(ALL);
}) })
.createSubRole(ADMIN, (with) -> { .createSubRole(ADMIN, (with) -> {
with.permission(UPDATE); with.permission(EDIT);
}) })
.createSubRole(REFERRER, (with) -> { .createSubRole(REFERRER, (with) -> {
with.permission(SELECT); with.permission(VIEW);
}); });
} }
public static void main(String[] args) throws IOException { public static void main(String[] args) throws IOException {
rbac().generateWithBaseFileName("243-hs-office-bankaccount-rbac-generated"); rbac().generateWithBaseFileName("243-hs-office-bankaccount-rbac");
} }
} }

8
src/main/java/net/hostsharing/hsadminng/hs/office/contact/HsOfficeContactEntity.java
View File

@ -68,17 +68,17 @@ public class HsOfficeContactEntity implements Stringifyable, HasUuid {
.createRole(OWNER, (with) -> { .createRole(OWNER, (with) -> {
with.owningUser(CREATOR); with.owningUser(CREATOR);
with.incomingSuperRole(GLOBAL, ADMIN); with.incomingSuperRole(GLOBAL, ADMIN);
with.permission(DELETE); with.permission(ALL);
}) })
.createSubRole(ADMIN, (with) -> { .createSubRole(ADMIN, (with) -> {
with.permission(UPDATE); with.permission(EDIT);
}) })
.createSubRole(REFERRER, (with) -> { .createSubRole(REFERRER, (with) -> {
with.permission(SELECT); with.permission(VIEW);
}); });
} }
public static void main(String[] args) throws IOException { public static void main(String[] args) throws IOException {
rbac().generateWithBaseFileName("203-hs-office-contact-rbac-generated"); rbac().generateWithBaseFileName("203-hs-office-contact-rbac");
} }
} }

8
src/main/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorEntity.java
View File

@ -140,9 +140,9 @@ public class HsOfficeDebitorEntity implements HasUuid, Stringifyable {
WHERE r.relType = 'ACCOUNTING' AND r.relHolderUuid = ${REF}.debitorRelUuid WHERE r.relType = 'ACCOUNTING' AND r.relHolderUuid = ${REF}.debitorRelUuid
"""), """),
dependsOnColumn("debitorRelUuid")) dependsOnColumn("debitorRelUuid"))
.createPermission(DELETE).grantedTo("debitorRel", OWNER) .createPermission(ALL).grantedTo("debitorRel", OWNER)
.createPermission(UPDATE).grantedTo("debitorRel", ADMIN) .createPermission(EDIT).grantedTo("debitorRel", ADMIN)
.createPermission(SELECT).grantedTo("debitorRel", TENANT) .createPermission(VIEW).grantedTo("debitorRel", TENANT)
.importEntityAlias("refundBankAccount", HsOfficeBankAccountEntity.class, .importEntityAlias("refundBankAccount", HsOfficeBankAccountEntity.class,
dependsOnColumn("refundBankAccountUuid"), fetchedBySql(""" dependsOnColumn("refundBankAccountUuid"), fetchedBySql("""
@ -171,6 +171,6 @@ public class HsOfficeDebitorEntity implements HasUuid, Stringifyable {
} }
public static void main(String[] args) throws IOException { public static void main(String[] args) throws IOException {
rbac().generateWithBaseFileName("273-hs-office-debitor-rbac-generated"); rbac().generateWithBaseFileName("273-hs-office-debitor-rbac");
} }
} }

2
src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerDetailsEntity.java
View File

@ -103,6 +103,6 @@ public class HsOfficePartnerDetailsEntity implements HasUuid, Stringifyable {
} }
public static void main(String[] args) throws IOException { public static void main(String[] args) throws IOException {
rbac().generateWithBaseFileName("234-hs-office-partner-details-rbac-generated"); rbac().generateWithBaseFileName("234-hs-office-partner-details-rbac");
} }
} }

16
src/main/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerEntity.java
View File

@ -20,7 +20,7 @@ import java.util.UUID;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.*;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.VIEW;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.fetchedBySql; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.SQL.fetchedBySql;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.rbacViewFor;
@ -95,19 +95,19 @@ public class HsOfficePartnerEntity implements Stringifyable, HasUuid {
.importRootEntityAliasProxy("partnerRel", HsOfficeRelationshipEntity.class, .importRootEntityAliasProxy("partnerRel", HsOfficeRelationshipEntity.class,
fetchedBySql("SELECT * FROM hs_office_relationship AS r WHERE r.uuid = ${ref}.partnerRoleUuid"), fetchedBySql("SELECT * FROM hs_office_relationship AS r WHERE r.uuid = ${ref}.partnerRoleUuid"),
dependsOnColumn("partnerRelUuid")) dependsOnColumn("partnerRelUuid"))
.createPermission(DELETE).grantedTo("partnerRel", ADMIN) .createPermission(ALL).grantedTo("partnerRel", ADMIN)
.createPermission(UPDATE).grantedTo("partnerRel", AGENT) .createPermission(EDIT).grantedTo("partnerRel", AGENT)
.createPermission(SELECT).grantedTo("partnerRel", TENANT) .createPermission(VIEW).grantedTo("partnerRel", TENANT)
.importSubEntityAlias("partnerDetails", HsOfficePartnerDetailsEntity.class, .importSubEntityAlias("partnerDetails", HsOfficePartnerDetailsEntity.class,
fetchedBySql("SELECT * FROM hs_office_partner_details AS d WHERE d.uuid = ${ref}.detailsUuid"), fetchedBySql("SELECT * FROM hs_office_partner_details AS d WHERE d.uuid = ${ref}.detailsUuid"),
dependsOnColumn("detailsUuid")) dependsOnColumn("detailsUuid"))
.createPermission("partnerDetails", DELETE).grantedTo("partnerRel", ADMIN) .createPermission("partnerDetails", ALL).grantedTo("partnerRel", ADMIN)
.createPermission("partnerDetails", UPDATE).grantedTo("partnerRel", AGENT) .createPermission("partnerDetails", EDIT).grantedTo("partnerRel", AGENT)
.createPermission("partnerDetails", SELECT).grantedTo("partnerRel", AGENT); .createPermission("partnerDetails", VIEW).grantedTo("partnerRel", AGENT);
} }
public static void main(String[] args) throws IOException { public static void main(String[] args) throws IOException {
rbac().generateWithBaseFileName("233-hs-office-partner-rbac-generated"); rbac().generateWithBaseFileName("233-hs-office-partner-rbac");
} }
} }

8
src/main/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonEntity.java
View File

@ -70,20 +70,20 @@ public class HsOfficePersonEntity implements HasUuid, Stringifyable {
.withIdentityView(SQL.projection("concat(tradeName, familyName, givenName)")) .withIdentityView(SQL.projection("concat(tradeName, familyName, givenName)"))
.withUpdatableColumns("personType", "tradeName", "givenName", "familyName") .withUpdatableColumns("personType", "tradeName", "givenName", "familyName")
.createRole(OWNER, (with) -> { .createRole(OWNER, (with) -> {
with.permission(DELETE); with.permission(ALL);
with.owningUser(CREATOR); with.owningUser(CREATOR);
with.incomingSuperRole(GLOBAL, ADMIN); with.incomingSuperRole(GLOBAL, ADMIN);
}) })
.createSubRole(ADMIN, (with) -> { .createSubRole(ADMIN, (with) -> {
with.permission(UPDATE); with.permission(EDIT);
}) })
.createSubRole(REFERRER, (with) -> { .createSubRole(REFERRER, (with) -> {
with.permission(SELECT); with.permission(VIEW);
}); });
} }
public static void main(String[] args) throws IOException { public static void main(String[] args) throws IOException {
rbac().generateWithBaseFileName("213-hs-office-person-rbac-generated"); rbac().generateWithBaseFileName("213-hs-office-person-rbac");
} }
} }

8
src/main/java/net/hostsharing/hsadminng/hs/office/relationship/HsOfficeRelationshipEntity.java
View File

@ -103,11 +103,11 @@ public class HsOfficeRelationshipEntity implements HasUuid, Stringifyable {
.createRole(OWNER, (with) -> { .createRole(OWNER, (with) -> {
with.owningUser(CREATOR); with.owningUser(CREATOR);
with.incomingSuperRole(GLOBAL, ADMIN); with.incomingSuperRole(GLOBAL, ADMIN);
with.permission(DELETE); with.permission(ALL);
}) })
.createSubRole(ADMIN, (with) -> { .createSubRole(ADMIN, (with) -> {
with.incomingSuperRole("anchorPerson", ADMIN); with.incomingSuperRole("anchorPerson", ADMIN);
with.permission(UPDATE); with.permission(EDIT);
}) })
.createSubRole(AGENT, (with) -> { .createSubRole(AGENT, (with) -> {
with.incomingSuperRole("holderPerson", ADMIN); with.incomingSuperRole("holderPerson", ADMIN);
@ -118,11 +118,11 @@ public class HsOfficeRelationshipEntity implements HasUuid, Stringifyable {
with.outgoingSubRole("anchorPerson", REFERRER); with.outgoingSubRole("anchorPerson", REFERRER);
with.outgoingSubRole("holderPerson", REFERRER); with.outgoingSubRole("holderPerson", REFERRER);
with.outgoingSubRole("contact", REFERRER); with.outgoingSubRole("contact", REFERRER);
with.permission(SELECT); with.permission(VIEW);
}); });
} }
public static void main(String[] args) throws IOException { public static void main(String[] args) throws IOException {
rbac().generateWithBaseFileName("223-hs-office-relationship-rbac-generated"); rbac().generateWithBaseFileName("223-hs-office-relationship-rbac");
} }
} }

8
src/main/java/net/hostsharing/hsadminng/hs/office/sepamandate/HsOfficeSepaMandateEntity.java
View File

@ -105,10 +105,10 @@ public class HsOfficeSepaMandateEntity implements Stringifyable, HasUuid {
.createRole(OWNER, (with) -> { .createRole(OWNER, (with) -> {
with.owningUser(CREATOR); with.owningUser(CREATOR);
with.incomingSuperRole(GLOBAL, ADMIN); with.incomingSuperRole(GLOBAL, ADMIN);
with.permission(DELETE); with.permission(ALL);
}) })
.createSubRole(ADMIN, (with) -> { .createSubRole(ADMIN, (with) -> {
with.permission(UPDATE); with.permission(EDIT);
}) })
.createSubRole(AGENT, (with) -> { .createSubRole(AGENT, (with) -> {
with.outgoingSubRole("bankAccount", REFERRER); with.outgoingSubRole("bankAccount", REFERRER);
@ -118,11 +118,11 @@ public class HsOfficeSepaMandateEntity implements Stringifyable, HasUuid {
with.incomingSuperRole("bankAccount", ADMIN); with.incomingSuperRole("bankAccount", ADMIN);
with.incomingSuperRole("debitorRel", AGENT); with.incomingSuperRole("debitorRel", AGENT);
with.outgoingSubRole("debitorRel", TENANT); with.outgoingSubRole("debitorRel", TENANT);
with.permission(SELECT); with.permission(VIEW);
}); });
} }
public static void main(String[] args) throws IOException { public static void main(String[] args) throws IOException {
rbac().generateWithBaseFileName("253-hs-office-sepamandate-rbac-generated"); rbac().generateWithBaseFileName("253-hs-office-sepamandate-rbac");
} }
} }

119
src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java
View File

@ -1,12 +1,7 @@
package net.hostsharing.hsadminng.rbac.rbacdef; package net.hostsharing.hsadminng.rbac.rbacdef;
import java.util.Optional;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacGrantDefinition.GrantType.PERM_TO_ROLE; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacGrantDefinition.GrantType.PERM_TO_ROLE;
import static net.hostsharing.hsadminng.rbac.rbacdef.StringWriter.with; import static net.hostsharing.hsadminng.rbac.rbacdef.StringWriter.with;
import static org.apache.commons.lang3.StringUtils.capitalize;
import static org.apache.commons.lang3.StringUtils.uncapitalize;
public class InsertTriggerGenerator { public class InsertTriggerGenerator {
@ -21,8 +16,25 @@ public class InsertTriggerGenerator {
void generateTo(final StringWriter plPgSql) { void generateTo(final StringWriter plPgSql) {
generateLiquibaseChangesetHeader(plPgSql); generateLiquibaseChangesetHeader(plPgSql);
generateGrantInsertRoleToExistingCustomers(plPgSql); generateGrantInsertRoleToExistingCustomers(plPgSql);
generateInsertPermissionGrantTrigger(plPgSql); rbacDef.getGrantDefs().stream()
generateInsertCheckTrigger(plPgSql); .filter(g -> g.isToCreate() && g.grantType() == PERM_TO_ROLE &&
g.getPermDef().getPermission() == RbacView.Permission.INSERT )
.forEach(g -> {
plPgSql.writeLn("""
/**
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable}.
*/
create trigger ${rawSubTable}_it
before insert
on ${rawSubTable}
for each row
when ( hasInsertPermission(NEW.${referenceColumn}, 'INSERT', '${rawSubTable}') )
execute procedure insertNotAllowedForCurrentSubjects('${rawSubTable}');
""",
with("rawSubTable", g.getPermDef().entityAlias.getRawTableName()),
with("referenceColumn", g.getSuperRoleDef().getEntityAlias().dependsOnColumName() ));
});
plPgSql.writeLn("--//"); plPgSql.writeLn("--//");
} }
@ -36,104 +48,29 @@ public class InsertTriggerGenerator {
} }
private void generateGrantInsertRoleToExistingCustomers(final StringWriter plPgSql) { private void generateGrantInsertRoleToExistingCustomers(final StringWriter plPgSql) {
getOptionalInsertSuperRole().ifPresent( superRoleDef -> { plPgSql.writeLn("""
plPgSql.writeLn("""
/* /*
Creates INSERT INTO ${rawSubTableName} permissions for the related ${rawSuperTableName} rows. Creates an INSERT INTO ${rawSubTableName} permission for the related ${rawSuperTableName} row.
*/ */
do language plpgsql $$ do language plpgsql $$
declare declare
row ${rawSuperTableName}; row ${rawSuperTableName};
permissionUuid uuid; permissionUuids uuid[];
roleUuid uuid; roleUuid uuid;
begin begin
call defineContext('generated Liquibase: create INSERT INTO ${rawSubTableName} permissions for the related ${rawSuperTableName} rows');
FOR row IN SELECT * FROM ${rawSuperTableName} FOR row IN SELECT * FROM ${rawSuperTableName}
LOOP LOOP
roleUuid := findRoleId(${rawSuperRoleDescriptor}(row)); roleUuid := ${rawSuperRoleDescriptor}(row);
permissionUuid := createPermission(row.uuid, 'INSERT', '${rawSubTableName}'); permissionUuids := createPermissions(row.uuid, array ['INSERT:${rawSubTableName}']);
call grantPermissionToRole(roleUuid, permissionUuid); call grantPermissionsToRole(roleUuid, permissionUuids);
END LOOP; END LOOP;
END; END;
$$; $$;
""", """,
with("rawSubTableName", rbacDef.getRootEntityAlias().getRawTableName()), with("rawSubTableName", "test_package"), // TODO
with("rawSuperTableName", superRoleDef.getEntityAlias().getRawTableName()), with("rawSuperTableName", "test_customer"), // TODO
with("rawSuperRoleDescriptor", toVar(superRoleDef)) with("rawSuperRoleDescriptor", "testCustomerAdmin") // TODO
); );
});
}
private void generateInsertPermissionGrantTrigger(final StringWriter plPgSql) {
getOptionalInsertSuperRole().ifPresent( superRoleDef -> {
plPgSql.writeLn("""
/**
Adds ${rawSubTableName} INSERT permission to specified role of new ${rawSuperTableName} rows.
*/
create or replace function ${rawSubTableName}_${rawSuperTableName}_insert_tf()
returns trigger
language plpgsql
strict as $$
begin
call grantPermissionToRole(
${rawSuperRoleDescriptor}(NEW),
createPermission(NEW.uuid, 'INSERT', '${rawSubTableName}'));
return NEW;
end; $$;
create trigger ${rawSubTableName}_${rawSuperTableName}_insert_tg
after insert on ${rawSuperTableName}
for each row
execute procedure ${rawSubTableName}_${rawSuperTableName}_insert_tf();
""",
with("rawSubTableName", rbacDef.getRootEntityAlias().getRawTableName()),
with("rawSuperTableName", superRoleDef.getEntityAlias().getRawTableName()),
with("rawSuperRoleDescriptor", toVar(superRoleDef))
);
});
}
private void generateInsertCheckTrigger(final StringWriter plPgSql) {
rbacDef.getGrantDefs().stream()
.filter(g -> g.isToCreate() && g.grantType() == PERM_TO_ROLE &&
g.getPermDef().getPermission() == INSERT )
.forEach(g -> {
plPgSql.writeLn("""
/**
Checks if the user or assumed roles are allowed to insert a row to ${rawSubTable}.
*/
create or replace function ${rawSubTable}_insert_permission_missing_tf()
returns trigger
language plpgsql as $$
begin
raise exception 'insert into ${rawSubTable} not allowed for current subjects %', currentSubjectsUuids();
end; $$;
create trigger ${rawSubTable}_insert_permission_check_tg
before insert on ${rawSubTable}
for each row
when ( not hasInsertPermission(NEW.${referenceColumn}, 'INSERT', '${rawSubTable}') )
execute procedure ${rawSubTable}_insert_permission_missing_tf();
""",
with("rawSubTable", g.getPermDef().entityAlias.getRawTableName()),
with("referenceColumn", g.getSuperRoleDef().getEntityAlias().dependsOnColumName() ));
});
}
private Optional<RbacView.RbacRoleDefinition> getOptionalInsertSuperRole() {
return rbacDef.getGrantDefs().stream()
.filter(g -> g.grantType() == PERM_TO_ROLE)
.filter(g -> g.getPermDef().toCreate && g.getPermDef().getPermission() == INSERT)
.map(RbacView.RbacGrantDefinition::getSuperRoleDef)
.reduce((x, y) -> {
throw new IllegalStateException("only a single INSERT permission grant allowed");
});
}
private static String toVar(final RbacView.RbacRoleDefinition roleDef) {
return uncapitalize(roleDef.getEntityAlias().simpleName()) + capitalize(roleDef.getRole().roleName());
} }
} }

16
src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RbacView.java
View File

@ -75,7 +75,6 @@ public class RbacView {
public RbacView withUpdatableColumns(final String... columnNames) { public RbacView withUpdatableColumns(final String... columnNames) {
Collections.addAll(updatableColumns, columnNames); Collections.addAll(updatableColumns, columnNames);
// TODO: automatically add @Version column, otherwise optimistic locking won't work
return this; return this;
} }
@ -250,8 +249,8 @@ public class RbacView {
} }
public void generateWithBaseFileName(final String baseFileName) { public void generateWithBaseFileName(final String baseFileName) {
new RbacViewMermaidFlowchart(this).generateToMarkdownFile(Path.of(OUTPUT_BASEDIR, baseFileName + ".md")); new RbacViewMermaidFlowchart(this).generateToMarkdownFile(Path.of(OUTPUT_BASEDIR, baseFileName + "-generated.md"));
new RbacViewPostgresGenerator(this).generateToChangeLog(Path.of(OUTPUT_BASEDIR, baseFileName + ".sql")); new RbacViewPostgresGenerator(this).generateToChangeLog(Path.of(OUTPUT_BASEDIR, baseFileName + "-generated.sql"));
} }
public class RbacGrantBuilder { public class RbacGrantBuilder {
@ -466,7 +465,6 @@ public class RbacView {
public class RbacUserReference { public class RbacUserReference {
public enum UserRole { public enum UserRole {
GLOBAL_ADMIN,
CREATOR CREATOR
} }
@ -630,10 +628,10 @@ public class RbacView {
public record Permission(String permission) { public record Permission(String permission) {
public static final Permission INSERT = new Permission("INSERT"); public static final Permission INSERT = new Permission("insert");
public static final Permission DELETE = new Permission("DELETE"); public static final Permission ALL = new Permission("*");
public static final Permission UPDATE = new Permission("UPDATE"); public static final Permission EDIT = new Permission("edit");
public static final Permission SELECT = new Permission("SELECT"); public static final Permission VIEW = new Permission("view");
public static Permission custom(final String permission) { public static Permission custom(final String permission) {
return new Permission(permission); return new Permission(permission);
@ -673,7 +671,7 @@ public class RbacView {
} }
/** /**
* DSL method to explicitly specify that there is no SQL query. * DSL method to specify there there is no SQL query specified.
* *
* @return a wrapped SQL definition object representing a noop query * @return a wrapped SQL definition object representing a noop query
*/ */

40
src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/RolesGrantsAndPermissionsGenerator.java
View File

@ -11,7 +11,6 @@ import static java.util.stream.Collectors.joining;
import static java.util.stream.Collectors.toSet; import static java.util.stream.Collectors.toSet;
import static net.hostsharing.hsadminng.rbac.rbacdef.PostgresTriggerReference.NEW; import static net.hostsharing.hsadminng.rbac.rbacdef.PostgresTriggerReference.NEW;
import static net.hostsharing.hsadminng.rbac.rbacdef.PostgresTriggerReference.OLD; import static net.hostsharing.hsadminng.rbac.rbacdef.PostgresTriggerReference.OLD;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.INSERT;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacGrantDefinition.GrantType.*; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.RbacGrantDefinition.GrantType.*;
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*; import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.*;
import static net.hostsharing.hsadminng.rbac.rbacdef.StringWriter.with; import static net.hostsharing.hsadminng.rbac.rbacdef.StringWriter.with;
@ -81,10 +80,8 @@ class RolesGrantsAndPermissionsGenerator {
plPgSql.writeLn(); plPgSql.writeLn();
plPgSql.writeLn("begin"); plPgSql.writeLn("begin");
plPgSql.indented(() -> { plPgSql.indented(() -> {
plPgSql.writeLn("call enterTriggerForObjectUuid(NEW.uuid);");
generateCreateRolesAndGrantsAfterInsert(plPgSql); generateCreateRolesAndGrantsAfterInsert(plPgSql);
plPgSql.ensureSingleEmptyLine(); plPgSql.ensureSingleEmptyLine();
plPgSql.writeLn("call leaveTriggerForObjectUuid(NEW.uuid);");
}); });
plPgSql.writeLn("end; $$;"); plPgSql.writeLn("end; $$;");
plPgSql.writeLn(); plPgSql.writeLn();
@ -96,7 +93,7 @@ class RolesGrantsAndPermissionsGenerator {
Called from the AFTER UPDATE TRIGGER to re-wire the grants. Called from the AFTER UPDATE TRIGGER to re-wire the grants.
*/ */
create or replace procedure updateRbacRulesFor${simpleEntityName}( create or replace procedure updateRbacGrantsFor${simpleEntityName}(
OLD ${rawTableName}, OLD ${rawTableName},
NEW ${rawTableName} NEW ${rawTableName}
) )
@ -119,10 +116,8 @@ class RolesGrantsAndPermissionsGenerator {
plPgSql.writeLn(); plPgSql.writeLn();
plPgSql.writeLn("begin"); plPgSql.writeLn("begin");
plPgSql.indented(() -> { plPgSql.indented(() -> {
plPgSql.writeLn("call enterTriggerForObjectUuid(NEW.uuid);");
generateUpdateRolesAndGrantsAfterUpdate(plPgSql); generateUpdateRolesAndGrantsAfterUpdate(plPgSql);
plPgSql.ensureSingleEmptyLine(); plPgSql.ensureSingleEmptyLine();
plPgSql.writeLn("call leaveTriggerForObjectUuid(NEW.uuid);");
}); });
plPgSql.writeLn("end; $$;"); plPgSql.writeLn("end; $$;");
plPgSql.writeLn(); plPgSql.writeLn();
@ -222,7 +217,7 @@ class RolesGrantsAndPermissionsGenerator {
.replace("${subRoleRef}", roleRef(OLD, grantDef.getSubRoleDef())) .replace("${subRoleRef}", roleRef(OLD, grantDef.getSubRoleDef()))
.replace("${superRoleRef}", roleRef(OLD, grantDef.getSuperRoleDef())); .replace("${superRoleRef}", roleRef(OLD, grantDef.getSuperRoleDef()));
case PERM_TO_ROLE -> "call revokePermissionFromRole(${permRef}, ${superRoleRef});" case PERM_TO_ROLE -> "call revokePermissionFromRole(${permRef}, ${superRoleRef});"
.replace("${permRef}", findPerm(OLD, grantDef.getPermDef())) .replace("${permRef}", permRef(OLD, grantDef.getPermDef()))
.replace("${superRoleRef}", roleRef(OLD, grantDef.getSuperRoleDef())); .replace("${superRoleRef}", roleRef(OLD, grantDef.getSuperRoleDef()));
}; };
} }
@ -233,25 +228,14 @@ class RolesGrantsAndPermissionsGenerator {
case ROLE_TO_ROLE -> "call grantRoleToRole(${subRoleRef}, ${superRoleRef});" case ROLE_TO_ROLE -> "call grantRoleToRole(${subRoleRef}, ${superRoleRef});"
.replace("${subRoleRef}", roleRef(NEW, grantDef.getSubRoleDef())) .replace("${subRoleRef}", roleRef(NEW, grantDef.getSubRoleDef()))
.replace("${superRoleRef}", roleRef(NEW, grantDef.getSuperRoleDef())); .replace("${superRoleRef}", roleRef(NEW, grantDef.getSuperRoleDef()));
case PERM_TO_ROLE -> case PERM_TO_ROLE -> "call grantPermissionsToRole(${permRef}, ${superRoleRef});"
grantDef.getPermDef().getPermission() == INSERT ? "" .replace("${permRef}", permRef(NEW, grantDef.getPermDef()))
: "call grantPermissionToRole(${permRef}, ${superRoleRef});" .replace("${superRoleRef}", roleRef(NEW, grantDef.getSuperRoleDef()));
.replace("${permRef}", createPerm(NEW, grantDef.getPermDef()))
.replace("${superRoleRef}", roleRef(NEW, grantDef.getSuperRoleDef()));
}; };
} }
private String findPerm(final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) { private String permRef(final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) {
return permRef("findPermissionId", ref, permDef); return "createPermissions(${entityRef}.uuid, array ['${perm}'])"
}
private String createPerm(final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) {
return permRef("createPermission", ref, permDef);
}
private String permRef(final String functionName, final PostgresTriggerReference ref, final RbacPermissionDefinition permDef) {
return "${prefix}(${entityRef}.uuid, '${perm}')"
.replace("${prefix}", functionName)
.replace("${entityRef}", rbacDef.isRootEntityAlias(permDef.entityAlias) .replace("${entityRef}", rbacDef.isRootEntityAlias(permDef.entityAlias)
? ref.name() ? ref.name()
: refVarName(ref, permDef.entityAlias)) : refVarName(ref, permDef.entityAlias))
@ -425,12 +409,13 @@ class RolesGrantsAndPermissionsGenerator {
language plpgsql language plpgsql
strict as $$ strict as $$
begin begin
call buildRbacSystemFor${simpleEntityName}(NEW); call buildRbacSystemFor${simpleEntityName}(TG_OP, OLD, NEW);
return NEW; return NEW;
end; $$; end; $$;
create trigger insertTriggerFor${simpleEntityName}_tg create trigger insertTriggerFor${simpleEntityName}_tg
after insert on ${rawTableName} after insert
on ${rawTableName}
for each row for each row
execute procedure insertTriggerFor${simpleEntityName}_tf(); execute procedure insertTriggerFor${simpleEntityName}_tf();
""" """
@ -456,12 +441,13 @@ class RolesGrantsAndPermissionsGenerator {
language plpgsql language plpgsql
strict as $$ strict as $$
begin begin
call updateRbacRulesFor${simpleEntityName}(OLD, NEW); call buildRbacSystemFor${simpleEntityName}(NEW);
return NEW; return NEW;
end; $$; end; $$;
create trigger updateTriggerFor${simpleEntityName}_tg create trigger updateTriggerFor${simpleEntityName}_tg
after update on ${rawTableName} after update
on ${rawTableName}
for each row for each row
execute procedure updateTriggerFor${simpleEntityName}_tf(); execute procedure updateTriggerFor${simpleEntityName}_tf();
""" """

204
src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantsDiagramService.java
View File

@ -1,204 +0,0 @@
package net.hostsharing.hsadminng.rbac.rbacgrant;
import net.hostsharing.hsadminng.context.Context;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import jakarta.persistence.EntityManager;
import jakarta.persistence.PersistenceContext;
import jakarta.validation.constraints.NotNull;
import java.io.BufferedWriter;
import java.io.FileWriter;
import java.io.IOException;
import java.util.*;
import java.util.stream.Stream;
import static java.util.stream.Collectors.groupingBy;
import static java.util.stream.Collectors.joining;
import static net.hostsharing.hsadminng.rbac.rbacgrant.RbacGrantsDiagramService.Include.*;
// TODO: cleanup - this code was 'hacked' to quickly fix a specific problem, needs refactoring
@Service
public class RbacGrantsDiagramService {
public static void writeToFile(final String title, final String graph, final String fileName) {
try (BufferedWriter writer = new BufferedWriter(new FileWriter(fileName))) {
writer.write("""
### all grants to %s
```mermaid
%s
```
""".formatted(title, graph));
} catch (IOException e) {
throw new RuntimeException(e);
}
}
public enum Include {
DETAILS,
USERS,
PERMISSIONS,
NOT_ASSUMED,
TEST_ENTITIES,
NON_TEST_ENTITIES
}
@Autowired
private Context context;
@Autowired
private RawRbacGrantRepository rawGrantRepo;
@PersistenceContext
private EntityManager em;
public String allGrantsToCurrentUser(final EnumSet<Include> includes) {
final var graph = new HashSet<RawRbacGrantEntity>();
for ( UUID subjectUuid: context.currentSubjectsUuids() ) {
traverseGrantsTo(graph, subjectUuid, includes);
}
return toMermaidFlowchart(graph, includes);
}
private void traverseGrantsTo(final Set<RawRbacGrantEntity> graph, final UUID refUuid, final EnumSet<Include> includes) {
final var grants = rawGrantRepo.findByAscendingUuid(refUuid);
grants.forEach(g -> {
if (!includes.contains(PERMISSIONS) && g.getDescendantIdName().startsWith("perm ")) {
return;
}
if (!includes.contains(TEST_ENTITIES) && g.getDescendantIdName().contains(" test_")) {
return;
}
if (!includes.contains(NON_TEST_ENTITIES) && !g.getDescendantIdName().contains(" test_")) {
return;
}
graph.add(g);
if (includes.contains(NOT_ASSUMED) || g.isAssumed()) {
traverseGrantsTo(graph, g.getDescendantUuid(), includes);
}
});
}
public String allGrantsFrom(final UUID targetObject, final String op, final EnumSet<Include> includes) {
final var refUuid = (UUID) em.createNativeQuery("SELECT uuid FROM rbacpermission WHERE objectuuid=:targetObject AND op=:op")
.setParameter("targetObject", targetObject)
.setParameter("op", op)
.getSingleResult();
final var graph = new HashSet<RawRbacGrantEntity>();
traverseGrantsFrom(graph, refUuid, includes);
return toMermaidFlowchart(graph, includes);
}
private void traverseGrantsFrom(final Set<RawRbacGrantEntity> graph, final UUID refUuid, final EnumSet<Include> option) {
final var grants = rawGrantRepo.findByDescendantUuid(refUuid);
grants.forEach(g -> {
if (!option.contains(USERS) && g.getAscendantIdName().startsWith("user ")) {
return;
}
graph.add(g);
if (option.contains(NOT_ASSUMED) || g.isAssumed()) {
traverseGrantsFrom(graph, g.getAscendingUuid(), option);
}
});
}
private String toMermaidFlowchart(final HashSet<RawRbacGrantEntity> graph, final EnumSet<Include> includes) {
final var entities =
includes.contains(DETAILS)
? graph.stream()
.flatMap(g -> Stream.of(
new Node(g.getAscendantIdName(), g.getAscendingUuid()),
new Node(g.getDescendantIdName(), g.getDescendantUuid()))
)
.collect(groupingBy(RbacGrantsDiagramService::renderEntityIdName))
.entrySet().stream()
.map(entity -> "subgraph " + quoted(entity.getKey()) + renderSubgraph(entity.getKey()) + "\n\n "
+ entity.getValue().stream()
.map(n -> renderNode(n.idName(), n.uuid()).replace("\n", "\n "))
.sorted()
.distinct()
.collect(joining("\n\n ")))
.collect(joining("\n\nend\n\n"))
+ "\n\nend\n\n"
: "";
final var grants = graph.stream()
.map(g -> quoted(g.getAscendantIdName()) +
(g.isAssumed() ? " --> " : " -.-> ") +
quoted(g.getDescendantIdName()))
.sorted()
.collect(joining("\n"));
final var avoidCroppedNodeLabels = "%%{init:{'flowchart':{'htmlLabels':false}}}%%\n\n";
return (includes.contains(DETAILS) ? avoidCroppedNodeLabels : "")
+ "flowchart TB\n\n"
+ entities
+ grants;
}
private String renderSubgraph(final String entityId) {
// this does not work according to Mermaid bug https://github.com/mermaid-js/mermaid/issues/3806
// if (entityId.contains("#")) {
// final var parts = entityId.split("#");
// final var table = parts[0];
// final var entity = parts[1];
// if (table.equals("entity")) {
// return "[" + entity "]";
// }
// return "[" + table + "\n" + entity + "]";
// }
return "[" + entityId + "]";
}
private static String renderEntityIdName(final Node node) {
final var refType = refType(node.idName());
if (refType.equals("user")) {
return "users";
}
if (refType.equals("perm")) {
return node.idName().split(" ", 4)[3];
}
if (refType.equals("role")) {
final var withoutRolePrefix = node.idName().substring("role:".length());
return withoutRolePrefix.substring(0, withoutRolePrefix.lastIndexOf('.'));
}
throw new IllegalArgumentException("unknown refType '" + refType + "' in '" + node.idName() + "'");
}
private String renderNode(final String idName, final UUID uuid) {
return quoted(idName) + renderNodeContent(idName, uuid);
}
private String renderNodeContent(final String idName, final UUID uuid) {
final var refType = refType(idName);
if (refType.equals("user")) {
final var displayName = idName.substring(refType.length()+1);
return "(" + displayName + "\nref:" + uuid + ")";
}
if (refType.equals("role")) {
final var roleType = idName.substring(idName.lastIndexOf('.') + 1);
return "[" + roleType + "\nref:" + uuid + "]";
}
if (refType.equals("perm")) {
final var roleType = idName.split(" ")[1];
return "{{" + roleType + "\nref:" + uuid + "}}";
}
return "";
}
private static String refType(final String idName) {
return idName.split(" ", 2)[0];
}
@NotNull
private static String quoted(final String idName) {
return idName.replace(" ", ":").replaceAll("@.*", "");
}
}
record Node(String idName, UUID uuid) {
}

10
src/main/java/net/hostsharing/hsadminng/test/cust/TestCustomerEntity.java
View File

@ -43,15 +43,13 @@ public class TestCustomerEntity implements HasUuid {
.withUpdatableColumns("reference", "prefix", "adminUserName") .withUpdatableColumns("reference", "prefix", "adminUserName")
.createRole(OWNER, (with) -> { .createRole(OWNER, (with) -> {
// with.owningUser(CREATOR); TODO: needs assumed role with.owningUser(CREATOR);
with.incomingSuperRole(GLOBAL, ADMIN); with.incomingSuperRole(GLOBAL, ADMIN);
with.permission(DELETE); with.permission(ALL);
})
.createSubRole(ADMIN, (with) -> {
with.permission(UPDATE);
}) })
.createSubRole(ADMIN)
.createSubRole(TENANT, (with) -> { .createSubRole(TENANT, (with) -> {
with.permission(SELECT); with.permission(VIEW);
}); });
} }

8
src/main/java/net/hostsharing/hsadminng/test/pac/TestPackageEntity.java
View File

@ -47,7 +47,7 @@ public class TestPackageEntity implements HasUuid {
public static RbacView rbac() { public static RbacView rbac() {
return rbacViewFor("package", TestPackageEntity.class) return rbacViewFor("package", TestPackageEntity.class)
.withIdentityView(SQL.projection("name")) .withIdentityView(SQL.projection("name"))
.withUpdatableColumns("version", "customerUuid", "description") .withUpdatableColumns("customerUuid", "description")
.importEntityAlias("customer", TestCustomerEntity.class, .importEntityAlias("customer", TestCustomerEntity.class,
dependsOnColumn("customerUuid"), dependsOnColumn("customerUuid"),
@ -60,13 +60,13 @@ public class TestPackageEntity implements HasUuid {
.createRole(OWNER, (with) -> { .createRole(OWNER, (with) -> {
with.owningUser(CREATOR); with.owningUser(CREATOR);
with.incomingSuperRole("customer", ADMIN).unassumed(); with.incomingSuperRole("customer", ADMIN).unassumed();
with.permission(DELETE); with.permission(ALL);
with.permission(UPDATE); with.permission(EDIT);
}) })
.createSubRole(ADMIN) .createSubRole(ADMIN)
.createSubRole(TENANT, (with) -> { .createSubRole(TENANT, (with) -> {
with.outgoingSubRole("customer", TENANT); with.outgoingSubRole("customer", TENANT);
with.permission(SELECT); with.permission(VIEW);
}); });
} }

9
src/main/resources/db/changelog/010-context.sql
View File

@ -66,11 +66,10 @@ begin
when others then when others then
currentTask := null; currentTask := null;
end; end;
-- TODO: uncomment if (currentTask is null or currentTask = '') then
-- if (currentTask is null or currentTask = '') then raise exception '[401] currentTask must be defined, please call `defineContext(...)`';
-- raise exception '[401] currentTask must be defined, please call `defineContext(...)`'; end if;
-- end if; return currentTask;
return 'unknown'; -- TODO: currentTask;
end; $$; end; $$;
--// --//

90
src/main/resources/db/changelog/050-rbac-base.sql
View File

@ -365,18 +365,16 @@ create trigger deleteRbacRolesOfRbacObject_Trigger
/* /*
*/ */
create domain RbacOp as varchar(67) -- TODO: shorten to 8, once the deprecated values are gone create domain RbacOp as varchar(67)
-- check ( check (
-- VALUE = 'INSERT' or VALUE = '*'
-- VALUE = 'DELETE' or or VALUE = 'delete'
-- VALUE = 'UPDATE' or or VALUE = 'edit'
-- VALUE = 'SELECT' or or VALUE = 'view'
-- VALUE = 'ASSUME' or or VALUE = 'assume'
-- -- TODO: all values below are deprecated, use insert with table or VALUE ~ '^add-[a-z]+$'
-- VALUE ~ '^add-[a-z]+$' or or VALUE ~ '^new-[a-z-]+$'
-- VALUE ~ '^new-[a-z-]+$' );
-- );
;
create table RbacPermission create table RbacPermission
( (
@ -396,38 +394,37 @@ select exists(
select op select op
from RbacPermission p from RbacPermission p
where p.objectUuid = forObjectUuid where p.objectUuid = forObjectUuid
and p.op = forOp and p.op in ('*', forOp)
); );
$$; $$;
create or replace function createPermission(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null) create or replace function createPermissions(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null)
returns uuid returns uuid[]
language plpgsql as $$ language plpgsql as $$
declare declare
permissionUuid uuid; permissionId uuid;
begin begin
if (forObjectUuid is null) then if (forObjectUuid is null) then
raise exception 'forObjectUuid must not be null'; raise exception 'forObjectUuid must not be null';
end if; end if;
if (forOp = 'INSERT' and forOpTableName is null) then if (forOp = 'INSERT' && forOpTableName is null) then
raise exception 'INSERT permissions needs forOpTableName'; raise exception 'INSERT permissions needs forOpTableName';
end if; end if;
if (forOp <> 'INSERT' and forOpTableName is not null) then if (forOp <> 'INSERT' && forOpTableName is not null) then
raise exception 'forOpTableName must only be specified for ops: [INSERT]'; -- currently no other raise exception 'forOpTableName must only be specified for ops: [INSERT]'; -- currently no other
end if; end if;
permissionUuid = (select uuid from RbacPermission where objectUuid = forObjectUuid and op = forOp and opTableName = forOpTableName); permissionId = (select uuid from RbacPermission where objectUuid = forObjectUuid and op = forOp and opTableName = forOpTableName);
if (permissionUuid is null) then if (permissionId is null) then
insert insert
into RbacReference ("type") into RbacReference ("type")
values ('RbacPermission') values ('RbacPermission')
returning uuid into permissionUuid; returning uuid into permissionId;
raise warning 'for values (%, %, %, %)', permissionUuid, forObjectUuid, forOp, forOpTableName; -- TODO: remove
insert insert
into RbacPermission (uuid, objectUuid, op, opTableName) into RbacPermission (uuid, objectUuid, op, opTableName)
values (permissionUuid, forObjectUuid, forOp, forOpTableName); values (permissionId, forObjectUuid, forOp, opTableName);
end if; end if;
return permissionUuid; return permissionId;
end; end;
$$; $$;
@ -442,6 +439,9 @@ begin
if (forObjectUuid is null) then if (forObjectUuid is null) then
raise exception 'forObjectUuid must not be null'; raise exception 'forObjectUuid must not be null';
end if; end if;
if (array_length(permitOps, 1) > 1 and '*' = any (permitOps)) then
raise exception '"*" operation must not be assigned along with other operations: %', permitOps;
end if;
for i in array_lower(permitOps, 1)..array_upper(permitOps, 1) for i in array_lower(permitOps, 1)..array_upper(permitOps, 1)
loop loop
@ -462,7 +462,7 @@ begin
end; end;
$$; $$;
create or replace function findPermissionId(forObjectUuid uuid, forOp RbacOp, forOpTableName text = null ) create or replace function findPermissionId(forObjectUuid uuid, forOp RbacOp, opTableName text = null )
returns uuid returns uuid
returns null on null input returns null on null input
stable -- leakproof stable -- leakproof
@ -471,9 +471,24 @@ select uuid
from RbacPermission p from RbacPermission p
where p.objectUuid = forObjectUuid where p.objectUuid = forObjectUuid
and p.op = forOp and p.op = forOp
and p.opTableName = forOpTableName and p.opTableName = opTableName
$$; $$;
create or replace function findEffectivePermissionId(forObjectUuid uuid, forOp RbacOp)
returns uuid
returns null on null input
stable -- leakproof
language plpgsql as $$
declare
permissionId uuid;
begin
permissionId := findPermissionId(forObjectUuid, forOp);
if permissionId is null and forOp <> '*' then
permissionId := findPermissionId(forObjectUuid, '*');
end if;
return permissionId;
end $$;
--// --//
-- ============================================================================ -- ============================================================================
@ -577,8 +592,8 @@ create or replace function hasInsertPermission(objectUuid uuid, forOp RbacOp, ta
declare declare
permissionUuid uuid; permissionUuid uuid;
begin begin
permissionUuid = findPermissionId(objectUuid, forOp, tableName); permissionUuid = findPermissionId(objectUuid, forOp);
return permissionUuid is not null;
end; end;
$$; $$;
@ -596,20 +611,6 @@ select exists(
); );
$$; $$;
create or replace procedure grantPermissionToRole(roleUuid uuid, permissionUuid uuid)
language plpgsql as $$
begin
perform assertReferenceType('roleId (ascendant)', roleUuid, 'RbacRole');
perform assertReferenceType('permissionId (descendant)', permissionUuid, 'RbacPermission');
insert
into RbacGrants (grantedByTriggerOf, ascendantUuid, descendantUuid, assumed)
values (currentTriggerObjectUuid(), roleUuid, permissionUuid, true)
on conflict do nothing; -- allow granting multiple times
end;
$$;
-- TODO: deprecated, remove and use grantPermissionToRole(...)
create or replace procedure grantPermissionsToRole(roleUuid uuid, permissionIds uuid[]) create or replace procedure grantPermissionsToRole(roleUuid uuid, permissionIds uuid[])
language plpgsql as $$ language plpgsql as $$
begin begin
@ -741,7 +742,7 @@ begin
select descendantUuid select descendantUuid
from grants) as granted from grants) as granted
join RbacPermission perm join RbacPermission perm
on granted.descendantUuid = perm.uuid and perm.op = requiredOp on granted.descendantUuid = perm.uuid and perm.op in ('*', requiredOp)
join RbacObject obj on obj.uuid = perm.objectUuid and obj.objectTable = forObjectTable join RbacObject obj on obj.uuid = perm.objectUuid and obj.objectTable = forObjectTable
limit maxObjects + 1; limit maxObjects + 1;
@ -833,5 +834,6 @@ do $$
create role restricted; create role restricted;
grant all privileges on all tables in schema public to restricted; grant all privileges on all tables in schema public to restricted;
end if; end if;
end $$; end $$
--// --//

19
src/main/resources/db/changelog/051-rbac-user-grant.sql
View File

@ -30,7 +30,7 @@ begin
insert insert
into RbacGrants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed) into RbacGrants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
values (grantedByRoleUuid, userUuid, roleUuid, doAssume); values (grantedByRoleUuid, userUuid, roleUuid, doAssume);
-- TODO.spec: What should happen on multiple grants? What if options (doAssume) are not the same? -- TODO.spec: What should happen on mupltiple grants? What if options (doAssume) are not the same?
-- Most powerful or latest grant wins? What about managed? -- Most powerful or latest grant wins? What about managed?
-- on conflict do nothing; -- allow granting multiple times -- on conflict do nothing; -- allow granting multiple times
end; $$; end; $$;
@ -99,19 +99,4 @@ begin
where g.ascendantUuid = userUuid and g.descendantUuid = grantedRoleUuid where g.ascendantUuid = userUuid and g.descendantUuid = grantedRoleUuid
and g.grantedByRoleUuid = revokeRoleFromUser.grantedByRoleUuid; and g.grantedByRoleUuid = revokeRoleFromUser.grantedByRoleUuid;
end; $$; end; $$;
--// --/
-- ============================================================================
--changeset rbac-user-grant-REVOKE-PERMISSION-FROM-ROLE:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace procedure revokePermissionFromRole(permissionUuid uuid, superRoleUuid uuid)
language plpgsql as $$
begin
-- TODO: call checkRevokeRoleFromUserPreconditions(grantedByRoleUuid, grantedRoleUuid, userUuid);
raise INFO 'delete from RbacGrants where ascendantUuid = % and descendantUuid = %', superRoleUuid, permissionUuid;
delete from RbacGrants as g
where g.ascendantUuid = superRoleUuid and g.descendantUuid = permissionUuid;
end; $$;
--//

5
src/main/resources/db/changelog/057-rbac-role-builder.sql
View File

@ -73,10 +73,9 @@ begin
if cardinality(userUuids) > 0 then if cardinality(userUuids) > 0 then
if grantedByRole is null then if grantedByRole is null then
grantedByRoleUuid := roleUuid; raise exception 'to directly assign users to roles, grantingRole has to be given';
else
grantedByRoleUuid := getRoleId(grantedByRole, 'fail');
end if; end if;
grantedByRoleUuid := getRoleId(grantedByRole, 'fail');
foreach userUuid in array userUuids foreach userUuid in array userUuids
loop loop
call grantRoleToUserUnchecked(grantedByRoleUuid, roleUuid, userUuid); call grantRoleToUserUnchecked(grantedByRoleUuid, roleUuid, userUuid);

13
src/main/resources/db/changelog/058-rbac-generators.sql
View File

@ -13,7 +13,8 @@ declare
begin begin
createInsertTriggerSQL = format($sql$ createInsertTriggerSQL = format($sql$
create trigger createRbacObjectFor_%s_Trigger create trigger createRbacObjectFor_%s_Trigger
before insert on %s before insert
on %s
for each row for each row
execute procedure insertRelatedRbacObject(); execute procedure insertRelatedRbacObject();
$sql$, targetTable, targetTable); $sql$, targetTable, targetTable);
@ -144,13 +145,13 @@ begin
targetTable := lower(targetTable); targetTable := lower(targetTable);
/* /*
Creates a restricted view based on the 'SELECT' permission of the current subject. Creates a restricted view based on the 'view' permission of the current subject.
*/ */
sql := format($sql$ sql := format($sql$
set session session authorization default; set session session authorization default;
create view %1$s_rv as create view %1$s_rv as
with accessibleObjects as ( with accessibleObjects as (
select queryAccessibleObjectUuidsOfSubjectIds('SELECT', '%1$s', currentSubjectsUuids()) select queryAccessibleObjectUuidsOfSubjectIds('view', '%1$s', currentSubjectsUuids())
) )
select target.* select target.*
from %1$s as target from %1$s as target
@ -199,7 +200,7 @@ begin
returns trigger returns trigger
language plpgsql as $f$ language plpgsql as $f$
begin begin
if old.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('DELETE', '%1$s', currentSubjectsUuids())) then if old.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('delete', '%1$s', currentSubjectsUuids())) then
delete from %1$s p where p.uuid = old.uuid; delete from %1$s p where p.uuid = old.uuid;
return old; return old;
end if; end if;
@ -222,7 +223,7 @@ begin
/** /**
Instead of update trigger function for the restricted view Instead of update trigger function for the restricted view
based on the 'UPDATE' permission of the current subject. based on the 'edit' permission of the current subject.
*/ */
if columnUpdates is not null then if columnUpdates is not null then
sql := format($sql$ sql := format($sql$
@ -230,7 +231,7 @@ begin
returns trigger returns trigger
language plpgsql as $f$ language plpgsql as $f$
begin begin
if old.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('UPDATE', '%1$s', currentSubjectsUuids())) then if old.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('edit', '%1$s', currentSubjectsUuids())) then
update %1$s update %1$s
set %2$s set %2$s
where uuid = old.uuid; where uuid = old.uuid;

148
src/main/resources/db/changelog/113-test-customer-rbac.sql
View File

@ -1,6 +1,4 @@
--liquibase formatted sql --liquibase formatted sql
-- This code generated was by RbacViewPostgresGenerator at 2024-03-06T15:40:13.239729250.
-- ============================================================================ -- ============================================================================
--changeset test-customer-rbac-OBJECT:1 endDelimiter:--// --changeset test-customer-rbac-OBJECT:1 endDelimiter:--//
@ -9,7 +7,6 @@ call generateRelatedRbacObject('test_customer');
--// --//
-- ============================================================================ -- ============================================================================
--changeset test-customer-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset test-customer-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
@ -18,85 +15,82 @@ call generateRbacRoleDescriptors('testCustomer', 'test_customer');
-- ============================================================================ -- ============================================================================
--changeset test-customer-rbac-insert-trigger:1 endDelimiter:--// --changeset test-customer-rbac-ROLES-CREATION:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
A Creates the roles, grants and permission for the AFTER INSERT TRIGGER. Creates the roles and their assignments for a new customer for the AFTER INSERT TRIGGER.
*/ */
create or replace procedure buildRbacSystemForTestCustomer( create or replace function createRbacRolesForTestCustomer()
NEW test_customer
)
language plpgsql as $$
declare
begin
call enterTriggerForObjectUuid(NEW.uuid);
perform createRoleWithGrants(
testCustomerOwner(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalAdmin()]
);
perform createRoleWithGrants(
testCustomerAdmin(NEW),
permissions => array['UPDATE'],
incomingSuperRoles => array[testCustomerOwner(NEW)]
);
perform createRoleWithGrants(
testCustomerTenant(NEW),
permissions => array['SELECT'],
incomingSuperRoles => array[testCustomerAdmin(NEW)]
);
call leaveTriggerForObjectUuid(NEW.uuid);
end; $$;
/*
AFTER INSERT TRIGGER to create the role+grant structure for a new test_customer row.
*/
create or replace function insertTriggerForTestCustomer_tf()
returns trigger returns trigger
language plpgsql language plpgsql
strict as $$ strict as $$
declare
testCustomerOwnerUuid uuid;
customerAdminUuid uuid;
begin begin
call buildRbacSystemForTestCustomer(NEW); if TG_OP <> 'INSERT' then
raise exception 'invalid usage of TRIGGER AFTER INSERT';
end if;
call enterTriggerForObjectUuid(NEW.uuid);
-- the owner role with full access for Hostsharing administrators
testCustomerOwnerUuid = createRoleWithGrants(
testCustomerOwner(NEW),
permissions => array['*'],
incomingSuperRoles => array[globalAdmin()]
);
-- the admin role for the customer's admins, who can view and add products
customerAdminUuid = createRoleWithGrants(
testCustomerAdmin(NEW),
permissions => array['view', 'add-package'],
-- NO auto assume for customer owner to avoid exploding permissions for administrators
userUuids => array[getRbacUserId(NEW.adminUserName, 'create')], -- implicitly ignored if null
grantedByRole => globalAdmin()
);
-- allow the customer owner role (thus administrators) to assume the customer admin role
call grantRoleToRole(customerAdminUuid, testCustomerOwnerUuid, false);
-- the tenant role which later can be used by owners+admins of sub-objects
perform createRoleWithGrants(
testCustomerTenant(NEW),
permissions => array['view']
);
call leaveTriggerForObjectUuid(NEW.uuid);
return NEW; return NEW;
end; $$; end; $$;
create trigger insertTriggerForTestCustomer_tg /*
after insert on test_customer An AFTER INSERT TRIGGER which creates the role structure for a new customer.
*/
drop trigger if exists createRbacRolesForTestCustomer_Trigger on test_customer;
create trigger createRbacRolesForTestCustomer_Trigger
after insert
on test_customer
for each row for each row
execute procedure insertTriggerForTestCustomer_tf(); execute procedure createRbacRolesForTestCustomer();
--// --//
-- ============================================================================
--changeset test-customer-rbac-INSERT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
--//
-- ============================================================================ -- ============================================================================
--changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset test-customer-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacIdentityView('test_customer', $idName$ call generateRbacIdentityView('test_customer', $idName$
prefix target.prefix
$idName$); $idName$);
--// --//
-- ============================================================================ -- ============================================================================
--changeset test-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset test-customer-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRestrictedView('test_customer', call generateRbacRestrictedView('test_customer', 'target.prefix',
'reference',
$updates$ $updates$
reference = new.reference, reference = new.reference,
prefix = new.prefix, prefix = new.prefix,
@ -105,3 +99,47 @@ call generateRbacRestrictedView('test_customer',
--// --//
-- ============================================================================
--changeset test-customer-rbac-ADD-CUSTOMER:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Creates a global permission for add-customer and assigns it to the hostsharing admins role.
*/
do language plpgsql $$
declare
addCustomerPermissions uuid[];
globalObjectUuid uuid;
globalAdminRoleUuid uuid ;
begin
call defineContext('granting global add-customer permission to global admin role', null, null, null);
globalAdminRoleUuid := findRoleId(globalAdmin());
globalObjectUuid := (select uuid from global);
addCustomerPermissions := createPermissions(globalObjectUuid, array ['add-customer']);
call grantPermissionsToRole(globalAdminRoleUuid, addCustomerPermissions);
end;
$$;
/**
Used by the trigger to prevent the add-customer to current user respectively assumed roles.
*/
create or replace function addTestCustomerNotAllowedForCurrentSubjects()
returns trigger
language PLPGSQL
as $$
begin
raise exception '[403] add-customer not permitted for %',
array_to_string(currentSubjects(), ';', 'null');
end; $$;
/**
Checks if the user or assumed roles are allowed to add a new customer.
*/
create trigger test_customer_insert_trigger
before insert
on test_customer
for each row
when ( not hasGlobalPermission('add-customer') )
execute procedure addTestCustomerNotAllowedForCurrentSubjects();
--//

12
src/main/resources/db/changelog/118-test-customer-test-data.sql
View File

@ -28,8 +28,6 @@ declare
currentTask varchar; currentTask varchar;
custRowId uuid; custRowId uuid;
custAdminName varchar; custAdminName varchar;
custAdminUuid uuid;
newCust test_customer;
begin begin
currentTask = 'creating RBAC test customer #' || custReference || '/' || custPrefix; currentTask = 'creating RBAC test customer #' || custReference || '/' || custPrefix;
call defineContext(currentTask, null, 'superuser-alex@hostsharing.net', 'global#global.admin'); call defineContext(currentTask, null, 'superuser-alex@hostsharing.net', 'global#global.admin');
@ -37,20 +35,10 @@ begin
custRowId = uuid_generate_v4(); custRowId = uuid_generate_v4();
custAdminName = 'customer-admin@' || custPrefix || '.example.com'; custAdminName = 'customer-admin@' || custPrefix || '.example.com';
custAdminUuid = createRbacUser(custAdminName);
insert insert
into test_customer (reference, prefix, adminUserName) into test_customer (reference, prefix, adminUserName)
values (custReference, custPrefix, custAdminName); values (custReference, custPrefix, custAdminName);
select * into newCust
from test_customer where reference=custReference;
-- call grantRoleToUser(
-- getRoleId(testCustomerAdmin(newCust), 'fail'),
-- findRoleId(testCustomerOwner(newCust)),
-- custAd
-- minUuid,
-- true);
end; $$; end; $$;
--// --//

231
src/main/resources/db/changelog/123-test-package-rbac.sql
View File

@ -1,6 +1,4 @@
--liquibase formatted sql --liquibase formatted sql
-- This code generated was by RbacViewPostgresGenerator at 2024-03-06T15:40:13.277446553.
-- ============================================================================ -- ============================================================================
--changeset test-package-rbac-OBJECT:1 endDelimiter:--// --changeset test-package-rbac-OBJECT:1 endDelimiter:--//
@ -9,7 +7,6 @@ call generateRelatedRbacObject('test_package');
--// --//
-- ============================================================================ -- ============================================================================
--changeset test-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--// --changeset test-package-rbac-ROLE-DESCRIPTORS:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
@ -18,213 +15,95 @@ call generateRbacRoleDescriptors('testPackage', 'test_package');
-- ============================================================================ -- ============================================================================
--changeset test-package-rbac-insert-trigger:1 endDelimiter:--// --changeset test-package-rbac-ROLES-CREATION:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
A Creates the roles, grants and permission for the AFTER INSERT TRIGGER. Creates the roles and their assignments for a new package for the AFTER INSERT TRIGGER.
*/ */
create or replace function createRbacRolesForTestPackage()
create or replace procedure buildRbacSystemForTestPackage(
NEW test_package
)
language plpgsql as $$
declare
newCustomer test_customer;
begin
call enterTriggerForObjectUuid(NEW.uuid);
SELECT * FROM test_customer c
WHERE c.uuid= NEW.customerUuid
into newCustomer;
perform createRoleWithGrants(
testPackageOwner(NEW),
permissions => array['DELETE', 'UPDATE'],
userUuids => array[currentUserUuid()],
incomingSuperRoles => array[testCustomerAdmin(newCustomer)]
);
perform createRoleWithGrants(
testPackageAdmin(NEW),
incomingSuperRoles => array[testPackageOwner(NEW)]
);
perform createRoleWithGrants(
testPackageTenant(NEW),
permissions => array['SELECT'],
incomingSuperRoles => array[testPackageAdmin(NEW)],
outgoingSubRoles => array[testCustomerTenant(newCustomer)]
);
call leaveTriggerForObjectUuid(NEW.uuid);
end; $$;
/*
AFTER INSERT TRIGGER to create the role+grant structure for a new test_package row.
*/
create or replace function insertTriggerForTestPackage_tf()
returns trigger returns trigger
language plpgsql language plpgsql
strict as $$ strict as $$
begin
call buildRbacSystemForTestPackage(NEW);
return NEW;
end; $$;
create trigger insertTriggerForTestPackage_tg
after insert on test_package
for each row
execute procedure insertTriggerForTestPackage_tf();
--//
-- ============================================================================
--changeset test-package-rbac-update-trigger:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/*
Called from the AFTER UPDATE TRIGGER to re-wire the grants.
*/
create or replace procedure updateRbacRulesForTestPackage(
OLD test_package,
NEW test_package
)
language plpgsql as $$
declare declare
oldCustomer test_customer; parentCustomer test_customer;
newCustomer test_customer;
begin begin
call enterTriggerForObjectUuid(NEW.uuid); if TG_OP <> 'INSERT' then
raise exception 'invalid usage of TRIGGER AFTER INSERT';
SELECT * FROM test_customer c
WHERE c.uuid= OLD.customerUuid
into oldCustomer;
SELECT * FROM test_customer c
WHERE c.uuid= NEW.customerUuid
into newCustomer;
if NEW.customerUuid <> OLD.customerUuid then
call revokePermissionFromRole(findPermissionId(OLD.uuid, 'INSERT'), testCustomerAdmin(oldCustomer));
call revokeRoleFromRole(testPackageOwner(OLD), testCustomerAdmin(oldCustomer));
call grantRoleToRole(testPackageOwner(NEW), testCustomerAdmin(newCustomer));
call revokeRoleFromRole(testCustomerTenant(oldCustomer), testPackageTenant(OLD));
call grantRoleToRole(testCustomerTenant(newCustomer), testPackageTenant(NEW));
end if; end if;
call enterTriggerForObjectUuid(NEW.uuid);
select * from test_customer as c where c.uuid = NEW.customerUuid into parentCustomer;
-- an owner role is created and assigned to the customer's admin role
perform createRoleWithGrants(
testPackageOwner(NEW),
permissions => array ['*'],
incomingSuperRoles => array[testCustomerAdmin(parentCustomer)]
);
-- an owner role is created and assigned to the package owner role
perform createRoleWithGrants(
testPackageAdmin(NEW),
permissions => array ['add-domain'],
incomingSuperRoles => array[testPackageOwner(NEW)]
);
-- and a package tenant role is created and assigned to the package admin as well
perform createRoleWithGrants(
testPackageTenant(NEW),
permissions => array['view'],
incomingsuperroles => array[testPackageAdmin(NEW)],
outgoingSubRoles => array[testCustomerTenant(parentCustomer)]
);
call leaveTriggerForObjectUuid(NEW.uuid); call leaveTriggerForObjectUuid(NEW.uuid);
end; $$;
/*
AFTER INSERT TRIGGER to re-wire the grant structure for a new test_package row.
*/
create or replace function updateTriggerForTestPackage_tf()
returns trigger
language plpgsql
strict as $$
begin
call updateRbacRulesForTestPackage(OLD, NEW);
return NEW; return NEW;
end; $$; end; $$;
create trigger updateTriggerForTestPackage_tg
after update on test_package
for each row
execute procedure updateTriggerForTestPackage_tf();
--//
-- ============================================================================
--changeset test-package-rbac-INSERT:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
/* /*
Creates INSERT INTO test_package permissions for the related test_customer rows. An AFTER INSERT TRIGGER which creates the role structure for a new package.
*/ */
do language plpgsql $$
declare
row test_customer;
permissionUuid uuid;
roleUuid uuid;
begin
call defineContext('generated Liquibase: create INSERT INTO test_package permissions for the related test_customer rows');
FOR row IN SELECT * FROM test_customer create trigger createRbacRolesForTestPackage_Trigger
LOOP after insert
roleUuid := findRoleId(testCustomerAdmin(row)); on test_package
permissionUuid := createPermission(row.uuid, 'INSERT', 'test_package');
call grantPermissionToRole(roleUuid, permissionUuid);
END LOOP;
END;
$$;
/**
Adds test_package INSERT permission to specified role of new test_customer rows.
*/
create or replace function test_package_test_customer_insert_tf()
returns trigger
language plpgsql
strict as $$
begin
call grantPermissionToRole(
testCustomerAdmin(NEW),
createPermission(NEW.uuid, 'INSERT', 'test_package'));
return NEW;
end; $$;
create trigger test_package_test_customer_insert_tg
after insert on test_customer
for each row for each row
execute procedure test_package_test_customer_insert_tf(); execute procedure createRbacRolesForTestPackage();
/**
Checks if the user or assumed roles are allowed to insert a row to test_package.
*/
create or replace function test_package_insert_permission_missing_tf()
returns trigger
language plpgsql as $$
begin
raise exception 'insert into test_package not allowed for current subjects %', currentSubjectsUuids();
end; $$;
create trigger test_package_insert_permission_check_tg
before insert on test_package
for each row
when ( not hasInsertPermission(NEW.customerUuid, 'INSERT', 'test_package') )
execute procedure test_package_insert_permission_missing_tf();
--// --//
-- ============================================================================ -- ============================================================================
--changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset test-package-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacIdentityView('test_package', $idName$ call generateRbacIdentityView('test_package', 'target.name');
name
$idName$);
--// --//
-- ============================================================================ -- ============================================================================
--changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--// --changeset test-package-rbac-RESTRICTED-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
call generateRbacRestrictedView('test_package',
'name', /*
Creates a view to the customer main table which maps the identifying name
(in this case, the prefix) to the objectUuid.
*/
-- drop view if exists test_package_rv;
-- create or replace view test_package_rv as
-- select target.*
-- from test_package as target
-- where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'test_package', currentSubjectsUuids()))
-- order by target.name;
-- grant all privileges on test_package_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
call generateRbacRestrictedView('test_package', 'target.name',
$updates$ $updates$
version = new.version, version = new.version,
customerUuid = new.customerUuid, customerUuid = new.customerUuid,
name = new.name,
description = new.description description = new.description
$updates$); $updates$);
--// --//

2
src/main/resources/db/changelog/128-test-package-test-data.sql
View File

@ -26,7 +26,7 @@ begin
custAdminUser = 'customer-admin@' || cust.prefix || '.example.com'; custAdminUser = 'customer-admin@' || cust.prefix || '.example.com';
custAdminRole = 'test_customer#' || cust.prefix || '.admin'; custAdminRole = 'test_customer#' || cust.prefix || '.admin';
call defineContext(currentTask, null, 'superuser-fran@hostsharing.net', custAdminRole); call defineContext(currentTask, null, custAdminUser, custAdminRole);
raise notice 'task: % by % as %', currentTask, custAdminUser, custAdminRole; raise notice 'task: % by % as %', currentTask, custAdminUser, custAdminRole;
insert insert

8
src/main/resources/db/changelog/133-test-domain-rbac.sql
View File

@ -28,7 +28,7 @@ begin
return createRoleWithGrants( return createRoleWithGrants(
domainTenantRoleDesc, domainTenantRoleDesc,
permissions => array['SELECT'], permissions => array['view'],
incomingSuperRoles => array[testdomainAdmin(domain)] incomingSuperRoles => array[testdomainAdmin(domain)]
); );
end; $$; end; $$;
@ -60,14 +60,14 @@ begin
-- an owner role is created and assigned to the package's admin group -- an owner role is created and assigned to the package's admin group
perform createRoleWithGrants( perform createRoleWithGrants(
testDomainOwner(NEW), testDomainOwner(NEW),
permissions => array['DELETE'], permissions => array['*'],
incomingSuperRoles => array[testPackageAdmin(parentPackage)] incomingSuperRoles => array[testPackageAdmin(parentPackage)]
); );
-- and a domain admin role is created and assigned to the domain owner as well -- and a domain admin role is created and assigned to the domain owner as well
perform createRoleWithGrants( perform createRoleWithGrants(
testDomainAdmin(NEW), testDomainAdmin(NEW),
permissions => array['UPDATE'], permissions => array['edit'],
incomingSuperRoles => array[testDomainOwner(NEW)], incomingSuperRoles => array[testDomainOwner(NEW)],
outgoingSubRoles => array[testPackageTenant(parentPackage)] outgoingSubRoles => array[testPackageTenant(parentPackage)]
); );
@ -112,6 +112,6 @@ drop view if exists test_domain_rv;
create or replace view test_domain_rv as create or replace view test_domain_rv as
select target.* select target.*
from test_domain as target from test_domain as target
where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('SELECT', 'domain', currentSubjectsUuids())); where target.uuid in (select queryAccessibleObjectUuidsOfSubjectIds('view', 'domain', currentSubjectsUuids()));
grant all privileges on test_domain_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME}; grant all privileges on test_domain_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME};
--// --//

6
src/main/resources/db/changelog/203-hs-office-contact-rbac.sql
View File

@ -33,7 +33,7 @@ begin
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficeContactOwner(NEW), hsOfficeContactOwner(NEW),
permissions => array['DELETE'], permissions => array['*'],
incomingSuperRoles => array[globalAdmin()], incomingSuperRoles => array[globalAdmin()],
userUuids => array[currentUserUuid()], userUuids => array[currentUserUuid()],
grantedByRole => globalAdmin() grantedByRole => globalAdmin()
@ -41,7 +41,7 @@ begin
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficeContactAdmin(NEW), hsOfficeContactAdmin(NEW),
permissions => array['UPDATE'], permissions => array['edit'],
incomingSuperRoles => array[hsOfficeContactOwner(NEW)] incomingSuperRoles => array[hsOfficeContactOwner(NEW)]
); );
@ -52,7 +52,7 @@ begin
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficeContactGuest(NEW), hsOfficeContactGuest(NEW),
permissions => array['SELECT'], permissions => array['view'],
incomingSuperRoles => array[hsOfficeContactTenant(NEW)] incomingSuperRoles => array[hsOfficeContactTenant(NEW)]
); );

8
src/main/resources/db/changelog/213-hs-office-person-rbac.sql
View File

@ -31,16 +31,16 @@ begin
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficePersonOwner(NEW), hsOfficePersonOwner(NEW),
permissions => array['DELETE'], permissions => array['*'],
incomingSuperRoles => array[globalAdmin()], incomingSuperRoles => array[globalAdmin()],
userUuids => array[currentUserUuid()], userUuids => array[currentUserUuid()],
grantedByRole => globalAdmin() grantedByRole => globalAdmin()
); );
-- TODO: who is admin? the person itself? is it allowed for the person itself or a representative to update the data? -- TODO: who is admin? the person itself? is it allowed for the person itself or a representative to edit the data?
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficePersonAdmin(NEW), hsOfficePersonAdmin(NEW),
permissions => array['UPDATE'], permissions => array['edit'],
incomingSuperRoles => array[hsOfficePersonOwner(NEW)] incomingSuperRoles => array[hsOfficePersonOwner(NEW)]
); );
@ -51,7 +51,7 @@ begin
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficePersonGuest(NEW), hsOfficePersonGuest(NEW),
permissions => array['SELECT'], permissions => array['view'],
incomingSuperRoles => array[hsOfficePersonTenant(NEW)] incomingSuperRoles => array[hsOfficePersonTenant(NEW)]
); );

6
src/main/resources/db/changelog/223-hs-office-relationship-rbac.sql
View File

@ -45,7 +45,7 @@ begin
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficeRelationshipOwner(NEW), hsOfficeRelationshipOwner(NEW),
permissions => array['DELETE'], permissions => array['*'],
incomingSuperRoles => array[ incomingSuperRoles => array[
globalAdmin(), globalAdmin(),
hsOfficePersonAdmin(newRelAnchor)] hsOfficePersonAdmin(newRelAnchor)]
@ -53,14 +53,14 @@ begin
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficeRelationshipAdmin(NEW), hsOfficeRelationshipAdmin(NEW),
permissions => array['UPDATE'], permissions => array['edit'],
incomingSuperRoles => array[hsOfficeRelationshipOwner(NEW)] incomingSuperRoles => array[hsOfficeRelationshipOwner(NEW)]
); );
-- the tenant role for those related users who can view the data -- the tenant role for those related users who can view the data
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficeRelationshipTenant, hsOfficeRelationshipTenant,
permissions => array['SELECT'], permissions => array['view'],
incomingSuperRoles => array[ incomingSuperRoles => array[
hsOfficeRelationshipAdmin(NEW), hsOfficeRelationshipAdmin(NEW),
hsOfficePersonAdmin(newRelAnchor), hsOfficePersonAdmin(newRelAnchor),

12
src/main/resources/db/changelog/233-hs-office-partner-rbac.sql
View File

@ -48,13 +48,13 @@ begin
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficePartnerOwner(NEW), hsOfficePartnerOwner(NEW),
permissions => array['DELETE'], permissions => array['*'],
incomingSuperRoles => array[globalAdmin()] incomingSuperRoles => array[globalAdmin()]
); );
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficePartnerAdmin(NEW), hsOfficePartnerAdmin(NEW),
permissions => array['UPDATE'], permissions => array['edit'],
incomingSuperRoles => array[ incomingSuperRoles => array[
hsOfficePartnerOwner(NEW)], hsOfficePartnerOwner(NEW)],
outgoingSubRoles => array[ outgoingSubRoles => array[
@ -84,7 +84,7 @@ begin
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficePartnerGuest(NEW), hsOfficePartnerGuest(NEW),
permissions => array['SELECT'], permissions => array['view'],
incomingSuperRoles => array[hsOfficePartnerTenant(NEW)] incomingSuperRoles => array[hsOfficePartnerTenant(NEW)]
); );
@ -99,12 +99,12 @@ begin
call grantPermissionsToRole( call grantPermissionsToRole(
getRoleId(hsOfficePartnerOwner(NEW), 'fail'), getRoleId(hsOfficePartnerOwner(NEW), 'fail'),
createPermissions(NEW.detailsUuid, array ['DELETE']) createPermissions(NEW.detailsUuid, array ['*'])
); );
call grantPermissionsToRole( call grantPermissionsToRole(
getRoleId(hsOfficePartnerAdmin(NEW), 'fail'), getRoleId(hsOfficePartnerAdmin(NEW), 'fail'),
createPermissions(NEW.detailsUuid, array ['UPDATE']) createPermissions(NEW.detailsUuid, array ['edit'])
); );
call grantPermissionsToRole( call grantPermissionsToRole(
@ -112,7 +112,7 @@ begin
-- Do NOT grant view permission on partner-details to hsOfficePartnerTENANT! -- Do NOT grant view permission on partner-details to hsOfficePartnerTENANT!
-- Otherwise package-admins etc. would be able to read the data. -- Otherwise package-admins etc. would be able to read the data.
getRoleId(hsOfficePartnerAgent(NEW), 'fail'), getRoleId(hsOfficePartnerAgent(NEW), 'fail'),
createPermissions(NEW.detailsUuid, array ['SELECT']) createPermissions(NEW.detailsUuid, array ['view'])
); );

5
src/main/resources/db/changelog/234-hs-office-partner-details-rbac.sql
View File

@ -7,6 +7,9 @@ call generateRelatedRbacObject('hs_office_partner_details');
--// --//
-- ============================================================================ -- ============================================================================
--changeset hs-office-partner-details-rbac-IDENTITY-VIEW:1 endDelimiter:--// --changeset hs-office-partner-details-rbac-IDENTITY-VIEW:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
@ -35,7 +38,7 @@ call generateRbacRestrictedView('hs_office_partner_details',
-- ============================================================================ -- ============================================================================
--changeset hs-office-partner-details-rbac-NEW-PARTNER-DETAILS:1 endDelimiter:--// --changeset hs-office-partner-details-rbac-NEW-CONTACT:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
/* /*
Creates a global permission for new-partner-details and assigns it to the hostsharing admins role. Creates a global permission for new-partner-details and assigns it to the hostsharing admins role.

4
src/main/resources/db/changelog/243-hs-office-bankaccount-rbac.sql
View File

@ -33,7 +33,7 @@ begin
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficeBankAccountOwner(NEW), hsOfficeBankAccountOwner(NEW),
permissions => array['DELETE'], permissions => array['delete'],
incomingSuperRoles => array[globalAdmin()], incomingSuperRoles => array[globalAdmin()],
userUuids => array[currentUserUuid()], userUuids => array[currentUserUuid()],
grantedByRole => globalAdmin() grantedByRole => globalAdmin()
@ -51,7 +51,7 @@ begin
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficeBankAccountGuest(NEW), hsOfficeBankAccountGuest(NEW),
permissions => array['SELECT'], permissions => array['view'],
incomingSuperRoles => array[hsOfficeBankAccountTenant(NEW)] incomingSuperRoles => array[hsOfficeBankAccountTenant(NEW)]
); );

6
src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.sql
View File

@ -41,13 +41,13 @@ begin
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficeSepaMandateOwner(NEW), hsOfficeSepaMandateOwner(NEW),
permissions => array['DELETE'], permissions => array['*'],
incomingSuperRoles => array[globalAdmin()] incomingSuperRoles => array[globalAdmin()]
); );
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficeSepaMandateAdmin(NEW), hsOfficeSepaMandateAdmin(NEW),
permissions => array['UPDATE'], permissions => array['edit'],
incomingSuperRoles => array[hsOfficeSepaMandateOwner(NEW)], incomingSuperRoles => array[hsOfficeSepaMandateOwner(NEW)],
outgoingSubRoles => array[hsOfficeBankAccountTenant(newHsOfficeBankAccount)] outgoingSubRoles => array[hsOfficeBankAccountTenant(newHsOfficeBankAccount)]
); );
@ -66,7 +66,7 @@ begin
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficeSepaMandateGuest(NEW), hsOfficeSepaMandateGuest(NEW),
permissions => array['SELECT'], permissions => array['view'],
incomingSuperRoles => array[hsOfficeSepaMandateTenant(NEW)] incomingSuperRoles => array[hsOfficeSepaMandateTenant(NEW)]
); );

6
src/main/resources/db/changelog/273-hs-office-debitor-rbac.sql
View File

@ -49,7 +49,7 @@ begin
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficeDebitorOwner(NEW), hsOfficeDebitorOwner(NEW),
permissions => array['DELETE'], permissions => array['*'],
incomingSuperRoles => array[globalAdmin()], incomingSuperRoles => array[globalAdmin()],
userUuids => array[currentUserUuid()], userUuids => array[currentUserUuid()],
grantedByRole => globalAdmin() grantedByRole => globalAdmin()
@ -57,7 +57,7 @@ begin
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficeDebitorAdmin(NEW), hsOfficeDebitorAdmin(NEW),
permissions => array['UPDATE'], permissions => array['edit'],
incomingSuperRoles => array[hsOfficeDebitorOwner(NEW)] incomingSuperRoles => array[hsOfficeDebitorOwner(NEW)]
); );
@ -85,7 +85,7 @@ begin
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficeDebitorGuest(NEW), hsOfficeDebitorGuest(NEW),
permissions => array['SELECT'], permissions => array['view'],
incomingSuperRoles => array[ incomingSuperRoles => array[
hsOfficeDebitorTenant(NEW)] hsOfficeDebitorTenant(NEW)]
); );

6
src/main/resources/db/changelog/303-hs-office-membership-rbac.sql
View File

@ -41,13 +41,13 @@ begin
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficeMembershipOwner(NEW), hsOfficeMembershipOwner(NEW),
permissions => array['DELETE'], permissions => array['*'],
incomingSuperRoles => array[globalAdmin()] incomingSuperRoles => array[globalAdmin()]
); );
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficeMembershipAdmin(NEW), hsOfficeMembershipAdmin(NEW),
permissions => array['UPDATE'], permissions => array['edit'],
incomingSuperRoles => array[hsOfficeMembershipOwner(NEW)] incomingSuperRoles => array[hsOfficeMembershipOwner(NEW)]
); );
@ -65,7 +65,7 @@ begin
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficeMembershipGuest(NEW), hsOfficeMembershipGuest(NEW),
permissions => array['SELECT'], permissions => array['view'],
incomingSuperRoles => array[hsOfficeMembershipTenant(NEW), hsOfficePartnerTenant(newHsOfficePartner), hsOfficeDebitorTenant(newHsOfficeDebitor)] incomingSuperRoles => array[hsOfficeMembershipTenant(NEW), hsOfficePartnerTenant(newHsOfficePartner), hsOfficeDebitorTenant(newHsOfficeDebitor)]
); );

2
src/main/resources/db/changelog/313-hs-office-coopshares-rbac.sql
View File

@ -43,7 +43,7 @@ begin
-- coopsharestransactions cannot be edited nor deleted, just created+viewed -- coopsharestransactions cannot be edited nor deleted, just created+viewed
call grantPermissionsToRole( call grantPermissionsToRole(
getRoleId(hsOfficeMembershipTenant(newHsOfficeMembership), 'fail'), getRoleId(hsOfficeMembershipTenant(newHsOfficeMembership), 'fail'),
createPermissions(NEW.uuid, array ['SELECT']) createPermissions(NEW.uuid, array ['view'])
); );
else else

2
src/main/resources/db/changelog/323-hs-office-coopassets-rbac.sql
View File

@ -43,7 +43,7 @@ begin
-- coopassetstransactions cannot be edited nor deleted, just created+viewed -- coopassetstransactions cannot be edited nor deleted, just created+viewed
call grantPermissionsToRole( call grantPermissionsToRole(
getRoleId(hsOfficeMembershipTenant(newHsOfficeMembership), 'fail'), getRoleId(hsOfficeMembershipTenant(newHsOfficeMembership), 'fail'),
createPermissions(NEW.uuid, array ['SELECT']) createPermissions(NEW.uuid, array ['view'])
); );
else else

9
src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RawRbacGrantEntity.java → src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RawRbacGrantEntity.java
View File

@ -1,13 +1,13 @@
package net.hostsharing.hsadminng.rbac.rbacgrant; package net.hostsharing.hsadminng.rbac.rbacgrant;
import lombok.*; import lombok.*;
import org.jetbrains.annotations.NotNull;
import org.springframework.data.annotation.Immutable; import org.springframework.data.annotation.Immutable;
import jakarta.persistence.Column; import jakarta.persistence.Column;
import jakarta.persistence.Entity; import jakarta.persistence.Entity;
import jakarta.persistence.Id; import jakarta.persistence.Id;
import jakarta.persistence.Table; import jakarta.persistence.Table;
import jakarta.validation.constraints.NotNull;
import java.util.List; import java.util.List;
import java.util.UUID; import java.util.UUID;
@ -20,7 +20,7 @@ import java.util.UUID;
@Immutable @Immutable
@NoArgsConstructor @NoArgsConstructor
@AllArgsConstructor @AllArgsConstructor
public class RawRbacGrantEntity implements Comparable { public class RawRbacGrantEntity {
@Id @Id
private UUID uuid; private UUID uuid;
@ -64,9 +64,4 @@ public class RawRbacGrantEntity implements Comparable {
// TODO: remove .distinct() once partner.person + partner.contact are removed // TODO: remove .distinct() once partner.person + partner.contact are removed
return roles.stream().map(RawRbacGrantEntity::toDisplay).sorted().distinct().toList(); return roles.stream().map(RawRbacGrantEntity::toDisplay).sorted().distinct().toList();
} }
@Override
public int compareTo(final Object o) {
return uuid.compareTo(((RawRbacGrantEntity)o).uuid);
}
} }

4
src/main/java/net/hostsharing/hsadminng/rbac/rbacgrant/RawRbacGrantRepository.java → src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RawRbacGrantRepository.java
View File

@ -8,8 +8,4 @@ import java.util.UUID;
public interface RawRbacGrantRepository extends Repository<RawRbacGrantEntity, UUID> { public interface RawRbacGrantRepository extends Repository<RawRbacGrantEntity, UUID> {
List<RawRbacGrantEntity> findAll(); List<RawRbacGrantEntity> findAll();
List<RawRbacGrantEntity> findByAscendingUuid(UUID ascendingUuid);
List<RawRbacGrantEntity> findByDescendantUuid(UUID refUuid);
} }

136
src/test/java/net/hostsharing/hsadminng/rbac/rbacgrant/RbacGrantsDiagramServiceIntegrationTest.java
View File

@ -1,136 +0,0 @@
package net.hostsharing.hsadminng.rbac.rbacgrant;
import net.hostsharing.hsadminng.context.Context;
import net.hostsharing.hsadminng.hs.office.test.ContextBasedTestWithCleanup;
import net.hostsharing.hsadminng.rbac.rbacgrant.RbacGrantsDiagramService.Include;
import net.hostsharing.test.JpaAttempt;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.context.annotation.Import;
import jakarta.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.util.EnumSet;
import java.util.UUID;
import static java.lang.String.join;
import static org.assertj.core.api.Assertions.assertThat;
@DataJpaTest
@Import( { Context.class, JpaAttempt.class, RbacGrantsDiagramService.class})
class RbacGrantsDiagramServiceIntegrationTest extends ContextBasedTestWithCleanup {
@Autowired
RbacGrantsDiagramService grantsMermaidService;
@MockBean
HttpServletRequest request;
@Test
void allGrantsToCurrentUser() {
context("superuser-alex@hostsharing.net", "test_domain#xxx00-aaaa.owner");
final var graph = grantsMermaidService.allGrantsToCurrentUser(EnumSet.of(Include.TEST_ENTITIES));
assertThat(graph).isEqualTo("""
flowchart TB
role:test_package#xxx00.tenant[
test_package
xxx00.t
tenant] --> role:test_customer#xxx.tenant[
test_customer
xxx.t
tenant]
role:test_domain#xxx00-aaaa.owner[
test_domain
xxx00-aaaa.o
owner] --> role:test_domain#xxx00-aaaa.admin[
test_domain
xxx00-aaaa.a
admin]
role:test_domain#xxx00-aaaa.admin[
test_domain
xxx00-aaaa.a
admin] --> role:test_package#xxx00.tenant[
test_package
xxx00.t
tenant]
""".trim());
}
@Test
void allGrantsToCurrentUserIncludingPermissions() {
context("superuser-alex@hostsharing.net", "test_domain#xxx00-aaaa.owner");
final var graph = grantsMermaidService.allGrantsToCurrentUser(EnumSet.of(Include.TEST_ENTITIES, Include.PERMISSIONS));
assertThat(graph).isEqualTo("""
flowchart TB
role:test_domain#xxx00-aaaa.owner[
test_domain
xxx00-aaaa.o
owner] --> perm:*:on:test_domain#xxx00-aaaa{{
test_domain
xxx00-aaaa
*}}
role:test_customer#xxx.tenant[
test_customer
xxx.t
tenant] --> perm:view:on:test_customer#xxx{{
test_customer
xxx
view}}
role:test_domain#xxx00-aaaa.admin[
test_domain
xxx00-aaaa.a
admin] --> perm:edit:on:test_domain#xxx00-aaaa{{
test_domain
xxx00-aaaa
edit}}
role:test_package#xxx00.tenant[
test_package
xxx00.t
tenant] --> role:test_customer#xxx.tenant[
test_customer
xxx.t
tenant]
role:test_domain#xxx00-aaaa.owner[
test_domain
xxx00-aaaa.o
owner] --> role:test_domain#xxx00-aaaa.admin[
test_domain
xxx00-aaaa.a
admin]
role:test_package#xxx00.tenant[
test_package
xxx00.t
tenant] --> perm:view:on:test_package#xxx00{{
test_package
xxx00
view}}
role:test_domain#xxx00-aaaa.admin[
test_domain
xxx00-aaaa.a
admin] --> role:test_package#xxx00.tenant[
test_package
xxx00.t
tenant]
""".trim());
}
@Test
// @Disabled
void print() throws IOException {
//context("superuser-alex@hostsharing.net", "hs_office_person#FirbySusan.admin");
context("superuser-alex@hostsharing.net");
//final var graph = grantsMermaidService.allGrantsToCurrentUser(EnumSet.of(Include.NON_TEST_ENTITIES, Include.PERMISSIONS));
final var targetObject = (UUID) em.createNativeQuery("SELECT uuid FROM hs_office_coopassetstransaction WHERE reference='ref 1000101-1'").getSingleResult();
final var graph = grantsMermaidService.allGrantsFrom(targetObject, "view", EnumSet.of(Include.USERS));
RbacGrantsDiagramService.writeToFile(join(";", context.getAssumedRoles()), graph, "doc/all-grants.md");
}
}

31
src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RawRbacObjectEntity.java
View File

@ -1,31 +0,0 @@
package net.hostsharing.hsadminng.rbac.rbacrole;
import lombok.*;
import org.jetbrains.annotations.NotNull;
import org.springframework.data.annotation.Immutable;
import jakarta.persistence.*;
import java.util.List;
import java.util.UUID;
@Entity
@Table(name = "rbacobject") // TODO: create view rbacobject_ev
@Getter
@Setter
@ToString
@Immutable
@NoArgsConstructor
@AllArgsConstructor
public class RawRbacObjectEntity {
@Id
private UUID uuid;
@Column(name="objecttable")
private String objectTable;
@NotNull
public static List<String> objectDisplaysOf(@NotNull final List<RawRbacObjectEntity> roles) {
return roles.stream().map(e -> e.objectTable+ "#" + e.uuid).sorted().toList();
}
}

11
src/test/java/net/hostsharing/hsadminng/rbac/rbacrole/RawRbacObjectRepository.java
View File

@ -1,11 +0,0 @@
package net.hostsharing.hsadminng.rbac.rbacrole;
import org.springframework.data.repository.Repository;
import java.util.List;
import java.util.UUID;
public interface RawRbacObjectRepository extends Repository<RawRbacObjectEntity, UUID> {
List<RawRbacObjectEntity> findAll();
}

12
src/test/java/net/hostsharing/hsadminng/rbac/rbacuser/RbacUserControllerAcceptanceTest.java
View File

@ -288,7 +288,7 @@ class RbacUserControllerAcceptanceTest {
.body("", hasItem( .body("", hasItem(
allOf( allOf(
hasEntry("roleName", "test_customer#yyy.tenant"), hasEntry("roleName", "test_customer#yyy.tenant"),
hasEntry("op", "select")) hasEntry("op", "view"))
)) ))
.body("", hasItem( .body("", hasItem(
allOf( allOf(
@ -298,7 +298,7 @@ class RbacUserControllerAcceptanceTest {
.body("", hasItem( .body("", hasItem(
allOf( allOf(
hasEntry("roleName", "test_domain#yyy00-aaaa.owner"), hasEntry("roleName", "test_domain#yyy00-aaaa.owner"),
hasEntry("op", "delete")) hasEntry("op", "*"))
)) ))
.body("size()", is(7)); .body("size()", is(7));
// @formatter:on // @formatter:on
@ -323,7 +323,7 @@ class RbacUserControllerAcceptanceTest {
.body("", hasItem( .body("", hasItem(
allOf( allOf(
hasEntry("roleName", "test_customer#yyy.tenant"), hasEntry("roleName", "test_customer#yyy.tenant"),
hasEntry("op", "select")) hasEntry("op", "view"))
)) ))
.body("", hasItem( .body("", hasItem(
allOf( allOf(
@ -333,7 +333,7 @@ class RbacUserControllerAcceptanceTest {
.body("", hasItem( .body("", hasItem(
allOf( allOf(
hasEntry("roleName", "test_domain#yyy00-aaaa.owner"), hasEntry("roleName", "test_domain#yyy00-aaaa.owner"),
hasEntry("op", "delete")) hasEntry("op", "*"))
)) ))
.body("size()", is(7)); .body("size()", is(7));
// @formatter:on // @formatter:on
@ -357,7 +357,7 @@ class RbacUserControllerAcceptanceTest {
.body("", hasItem( .body("", hasItem(
allOf( allOf(
hasEntry("roleName", "test_customer#yyy.tenant"), hasEntry("roleName", "test_customer#yyy.tenant"),
hasEntry("op", "select")) hasEntry("op", "view"))
)) ))
.body("", hasItem( .body("", hasItem(
allOf( allOf(
@ -367,7 +367,7 @@ class RbacUserControllerAcceptanceTest {
.body("", hasItem( .body("", hasItem(
allOf( allOf(
hasEntry("roleName", "test_domain#yyy00-aaaa.owner"), hasEntry("roleName", "test_domain#yyy00-aaaa.owner"),
hasEntry("op", "delete")) hasEntry("op", "*"))
)) ))
.body("size()", is(7)); .body("size()", is(7));
// @formatter:on // @formatter:on

9
src/test/java/net/hostsharing/hsadminng/test/cust/TestCustomerEntityTest.java
View File

@ -29,9 +29,8 @@ class TestCustomerEntityTest {
subgraph customer:permissions[ ] subgraph customer:permissions[ ]
style customer:permissions fill:#dd4901,stroke:white style customer:permissions fill:#dd4901,stroke:white
perm:customer:delete{{customer:delete}} perm:customer:*{{customer:*}}
perm:customer:update{{customer:update}} perm:customer:view{{customer:view}}
perm:customer:select{{customer:select}}
end end
end end
@ -44,9 +43,9 @@ class TestCustomerEntityTest {
role:customer:admin ==> role:customer:tenant role:customer:admin ==> role:customer:tenant
%% granting permissions to roles %% granting permissions to roles
role:customer:owner ==> perm:customer:delete role:customer:owner ==> perm:customer:*
role:customer:admin ==> perm:customer:add-package role:customer:admin ==> perm:customer:add-package
role:customer:tenant ==> perm:customer:select role:customer:tenant ==> perm:customer:view
"""); """);
} }
} }

12
src/test/java/net/hostsharing/hsadminng/test/pac/TestPackageEntityTest.java
View File

@ -30,9 +30,9 @@ class TestPackageEntityTest {
style package:permissions fill:#dd4901,stroke:white style package:permissions fill:#dd4901,stroke:white
perm:package:insert{{package:insert}} perm:package:insert{{package:insert}}
perm:package:delete{{package:delete}} perm:package:*{{package:*}}
perm:package:update{{package:update}} perm:package:edit{{package:edit}}
perm:package:select{{package:select}} perm:package:view{{package:view}}
end end
end end
@ -63,9 +63,9 @@ class TestPackageEntityTest {
%% granting permissions to roles %% granting permissions to roles
role:customer:admin ==> perm:package:insert role:customer:admin ==> perm:package:insert
role:package:owner ==> perm:package:delete role:package:owner ==> perm:package:*
role:package:owner ==> perm:package:update role:package:owner ==> perm:package:edit
role:package:tenant ==> perm:package:select role:package:tenant ==> perm:package:view
"""); """);
} }
} }

2
src/test/java/net/hostsharing/hsadminng/test/pac/TestPackageRepositoryIntegrationTest.java
View File

@ -89,7 +89,7 @@ class TestPackageRepositoryIntegrationTest {
class OptimisticLocking { class OptimisticLocking {
@Test @Test
public void supportsOptimisticLocking() { public void supportsOptimisticLocking() throws InterruptedException {
// given // given
globalAdminWithAssumedRole("test_package#xxx00.admin"); globalAdminWithAssumedRole("test_package#xxx00.admin");
final var pac = testPackageRepository.findAllByOptionalNameLike("%").get(0); final var pac = testPackageRepository.findAllByOptionalNameLike("%").get(0);