No commits in common. "4eda99b95a495a5849c30b9c649426204fcb8c8e" and "5b18681e964fb24a58b0af48137bc21898929140" have entirely different histories.
@ -141,12 +141,12 @@ public class HsBookingItemEntity implements Stringifyable, RbacObject {
|
|||||||
public static RbacView rbac() {
|
public static RbacView rbac() {
|
||||||
return rbacViewFor("bookingItem", HsBookingItemEntity.class)
|
return rbacViewFor("bookingItem", HsBookingItemEntity.class)
|
||||||
.withIdentityView(SQL.query("""
|
.withIdentityView(SQL.query("""
|
||||||
SELECT bookingItem.uuid as uuid, debitorIV.idName || '-' || cleanIdentifier(bookingItem.caption) as idName
|
SELECT i.uuid as uuid, d.idName || ':' || i.caption as idName
|
||||||
FROM hs_booking_item bookingItem
|
FROM hs_booking_item i
|
||||||
JOIN hs_office_debitor_iv debitorIV ON debitorIV.uuid = bookingItem.debitorUuid
|
JOIN hs_office_debitor_iv d ON d.uuid = i.debitorUuid
|
||||||
"""))
|
"""))
|
||||||
.withRestrictedViewOrderBy(SQL.expression("validity"))
|
.withRestrictedViewOrderBy(SQL.expression("validity"))
|
||||||
.withUpdatableColumns("version", "caption", "validity", "resources")
|
.withUpdatableColumns("version", "validity", "resources")
|
||||||
|
|
||||||
.importEntityAlias("debitor", HsOfficeDebitorEntity.class,
|
.importEntityAlias("debitor", HsOfficeDebitorEntity.class,
|
||||||
dependsOnColumn("debitorUuid"),
|
dependsOnColumn("debitorUuid"),
|
||||||
@ -167,12 +167,9 @@ public class HsBookingItemEntity implements Stringifyable, RbacObject {
|
|||||||
|
|
||||||
.createRole(OWNER, (with) -> {
|
.createRole(OWNER, (with) -> {
|
||||||
with.incomingSuperRole("debitorRel", AGENT);
|
with.incomingSuperRole("debitorRel", AGENT);
|
||||||
})
|
|
||||||
.createSubRole(ADMIN, (with) -> {
|
|
||||||
with.incomingSuperRole("debitorRel", AGENT);
|
|
||||||
with.permission(UPDATE);
|
with.permission(UPDATE);
|
||||||
})
|
})
|
||||||
.createSubRole(AGENT)
|
.createSubRole(ADMIN)
|
||||||
.createSubRole(TENANT, (with) -> {
|
.createSubRole(TENANT, (with) -> {
|
||||||
with.outgoingSubRole("debitorRel", TENANT);
|
with.outgoingSubRole("debitorRel", TENANT);
|
||||||
with.permission(SELECT);
|
with.permission(SELECT);
|
||||||
|
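Review bot: The identity view on the right-hand side builds idName as `d.idName || ':' || i.caption`, splicing the caption — a free-text field per the OpenAPI schema elsewhere in this compare — verbatim into the identifier, and that text then becomes part of the RBAC role names (the expected names in HsBookingItemRepositoryIntegrationTest read `hs_booking_item#D-1000111:some new booking item:ADMIN`). Because ':' is also the separator before the role suffix, a caption containing ':' yields ambiguous role names, and embedded spaces make them awkward to match in grant displays. Consider deriving the identifier from a sanitized caption, as the left side does with `debitorIV.idName || '-' || cleanIdentifier(bookingItem.caption)`; the SQL counterpart in the generateRbacIdentityViewFromQuery hunk below needs the same change to stay in sync. rbac() continues past the end of the hunk.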
@ -48,7 +48,7 @@ components:
|
|||||||
caption:
|
caption:
|
||||||
type: string
|
type: string
|
||||||
minLength: 3
|
minLength: 3
|
||||||
maxLength: 80
|
maxLength:
|
||||||
nullable: false
|
nullable: false
|
||||||
validFrom:
|
validFrom:
|
||||||
type: string
|
type: string
|
||||||
@ -75,6 +75,11 @@ components:
|
|||||||
ManagedServerBookingResources:
|
ManagedServerBookingResources:
|
||||||
type: object
|
type: object
|
||||||
properties:
|
properties:
|
||||||
|
caption:
|
||||||
|
type: string
|
||||||
|
minLength: 3
|
||||||
|
maxLength:
|
||||||
|
nullable: false
|
||||||
CPU:
|
CPU:
|
||||||
type: integer
|
type: integer
|
||||||
minimum: 1
|
minimum: 1
|
||||||
|
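Review bot: `maxLength:` under caption is left without a value in both hunks, which YAML parses as null, so the schema no longer bounds the caption length at all — the only remaining bound would be whatever the database column imposes, which this page does not show. Give it an explicit value, e.g. `maxLength: 80`. The second hunk also adds a `caption` property inside ManagedServerBookingResources while caption already exists on the booking item itself in the first hunk; if the nested one is intended, a `description:` stating how it differs would help, otherwise it reads as a duplicate.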
@ -95,7 +95,6 @@ subgraph bookingItem["`**bookingItem**`"]
|
|||||||
|
|
||||||
role:bookingItem:OWNER[[bookingItem:OWNER]]
|
role:bookingItem:OWNER[[bookingItem:OWNER]]
|
||||||
role:bookingItem:ADMIN[[bookingItem:ADMIN]]
|
role:bookingItem:ADMIN[[bookingItem:ADMIN]]
|
||||||
role:bookingItem:AGENT[[bookingItem:AGENT]]
|
|
||||||
role:bookingItem:TENANT[[bookingItem:TENANT]]
|
role:bookingItem:TENANT[[bookingItem:TENANT]]
|
||||||
end
|
end
|
||||||
|
|
||||||
@ -274,15 +273,13 @@ role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:OWNER
|
|||||||
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
|
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
|
||||||
role:debitorRel:AGENT ==> role:bookingItem:OWNER
|
role:debitorRel:AGENT ==> role:bookingItem:OWNER
|
||||||
role:bookingItem:OWNER ==> role:bookingItem:ADMIN
|
role:bookingItem:OWNER ==> role:bookingItem:ADMIN
|
||||||
role:debitorRel:AGENT ==> role:bookingItem:ADMIN
|
role:bookingItem:ADMIN ==> role:bookingItem:TENANT
|
||||||
role:bookingItem:ADMIN ==> role:bookingItem:AGENT
|
|
||||||
role:bookingItem:AGENT ==> role:bookingItem:TENANT
|
|
||||||
role:bookingItem:TENANT ==> role:debitorRel:TENANT
|
role:bookingItem:TENANT ==> role:debitorRel:TENANT
|
||||||
|
|
||||||
%% granting permissions to roles
|
%% granting permissions to roles
|
||||||
role:debitorRel:ADMIN ==> perm:bookingItem:INSERT
|
role:debitorRel:ADMIN ==> perm:bookingItem:INSERT
|
||||||
role:global:ADMIN ==> perm:bookingItem:DELETE
|
role:global:ADMIN ==> perm:bookingItem:DELETE
|
||||||
role:bookingItem:ADMIN ==> perm:bookingItem:UPDATE
|
role:bookingItem:OWNER ==> perm:bookingItem:UPDATE
|
||||||
role:bookingItem:TENANT ==> perm:bookingItem:SELECT
|
role:bookingItem:TENANT ==> perm:bookingItem:SELECT
|
||||||
|
|
||||||
```
|
```
|
||||||
|
@ -49,26 +49,19 @@ begin
|
|||||||
|
|
||||||
perform createRoleWithGrants(
|
perform createRoleWithGrants(
|
||||||
hsBookingItemOWNER(NEW),
|
hsBookingItemOWNER(NEW),
|
||||||
|
permissions => array['UPDATE'],
|
||||||
incomingSuperRoles => array[hsOfficeRelationAGENT(newDebitorRel)]
|
incomingSuperRoles => array[hsOfficeRelationAGENT(newDebitorRel)]
|
||||||
);
|
);
|
||||||
|
|
||||||
perform createRoleWithGrants(
|
perform createRoleWithGrants(
|
||||||
hsBookingItemADMIN(NEW),
|
hsBookingItemADMIN(NEW),
|
||||||
permissions => array['UPDATE'],
|
incomingSuperRoles => array[hsBookingItemOWNER(NEW)]
|
||||||
incomingSuperRoles => array[
|
|
||||||
hsBookingItemOWNER(NEW),
|
|
||||||
hsOfficeRelationAGENT(newDebitorRel)]
|
|
||||||
);
|
|
||||||
|
|
||||||
perform createRoleWithGrants(
|
|
||||||
hsBookingItemAGENT(NEW),
|
|
||||||
incomingSuperRoles => array[hsBookingItemADMIN(NEW)]
|
|
||||||
);
|
);
|
||||||
|
|
||||||
perform createRoleWithGrants(
|
perform createRoleWithGrants(
|
||||||
hsBookingItemTENANT(NEW),
|
hsBookingItemTENANT(NEW),
|
||||||
permissions => array['SELECT'],
|
permissions => array['SELECT'],
|
||||||
incomingSuperRoles => array[hsBookingItemAGENT(NEW)],
|
incomingSuperRoles => array[hsBookingItemADMIN(NEW)],
|
||||||
outgoingSubRoles => array[hsOfficeRelationTENANT(newDebitorRel)]
|
outgoingSubRoles => array[hsOfficeRelationTENANT(newDebitorRel)]
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -184,9 +177,9 @@ create trigger hs_booking_item_insert_permission_check_tg
|
|||||||
|
|
||||||
call generateRbacIdentityViewFromQuery('hs_booking_item',
|
call generateRbacIdentityViewFromQuery('hs_booking_item',
|
||||||
$idName$
|
$idName$
|
||||||
SELECT bookingItem.uuid as uuid, debitorIV.idName || '-' || cleanIdentifier(bookingItem.caption) as idName
|
SELECT i.uuid as uuid, d.idName || ':' || i.caption as idName
|
||||||
FROM hs_booking_item bookingItem
|
FROM hs_booking_item i
|
||||||
JOIN hs_office_debitor_iv debitorIV ON debitorIV.uuid = bookingItem.debitorUuid
|
JOIN hs_office_debitor_iv d ON d.uuid = i.debitorUuid
|
||||||
$idName$);
|
$idName$);
|
||||||
--//
|
--//
|
||||||
|
|
||||||
@ -199,7 +192,6 @@ call generateRbacRestrictedView('hs_booking_item',
|
|||||||
$orderBy$,
|
$orderBy$,
|
||||||
$updates$
|
$updates$
|
||||||
version = new.version,
|
version = new.version,
|
||||||
caption = new.caption,
|
|
||||||
validity = new.validity,
|
validity = new.validity,
|
||||||
resources = new.resources
|
resources = new.resources
|
||||||
$updates$);
|
$updates$);
|
||||||
|
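Review bot: In the first hunk the ADMIN role (`hsBookingItemADMIN(NEW)`) is created with no `permissions =>` of its own and only `incomingSuperRoles => array[hsBookingItemOWNER(NEW)]`, while UPDATE is granted to OWNER; as written, ADMIN appears to differ from TENANT only as a link in the OWNER → ADMIN → TENANT chain. If that is intended, a comment such as `-- ADMIN grants no own permissions; it only links OWNER to TENANT` would keep it from being read as a missed grant. The Java rbac() definition on this page shows the same shape (`.createSubRole(ADMIN)` without a lambda), so the two are at least consistent. The enclosing function starts before the hunk (`begin` in the hunk header).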
@ -34,7 +34,7 @@ begin
|
|||||||
into hs_booking_item (uuid, debitoruuid, caption, validity, resources)
|
into hs_booking_item (uuid, debitoruuid, caption, validity, resources)
|
||||||
values (uuid_generate_v4(), relatedDebitor.uuid, 'some ManagedServer', daterange('20221001', null, '[]'), '{ "CPU": 2, "SDD": 512, "extra": 42 }'::jsonb),
|
values (uuid_generate_v4(), relatedDebitor.uuid, 'some ManagedServer', daterange('20221001', null, '[]'), '{ "CPU": 2, "SDD": 512, "extra": 42 }'::jsonb),
|
||||||
(uuid_generate_v4(), relatedDebitor.uuid, 'some CloudServer', daterange('20230115', '20240415', '[)'), '{ "CPU": 2, "HDD": 1024, "extra": 42 }'::jsonb),
|
(uuid_generate_v4(), relatedDebitor.uuid, 'some CloudServer', daterange('20230115', '20240415', '[)'), '{ "CPU": 2, "HDD": 1024, "extra": 42 }'::jsonb),
|
||||||
(uuid_generate_v4(), relatedDebitor.uuid, 'some PrivateCloud', daterange('20240401', null, '[]'), '{ "CPU": 10, "SDD": 10240, "HDD": 10240, "extra": 42 }'::jsonb);
|
(uuid_generate_v4(), relatedDebitor.uuid, 'some Whatever', daterange('20240401', null, '[]'), '{ "CPU": 1, "SDD": 512, "HDD": 2048, "extra": 42 }'::jsonb);
|
||||||
end; $$;
|
end; $$;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
|
@ -89,13 +89,13 @@ class HsBookingItemControllerAcceptanceTest extends ContextBasedTestWithCleanup
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"caption": "some PrivateCloud",
|
"caption": "some Whatever",
|
||||||
"validFrom": "2024-04-01",
|
"validFrom": "2024-04-01",
|
||||||
"validTo": null,
|
"validTo": null,
|
||||||
"resources": {
|
"resources": {
|
||||||
"CPU": 10,
|
"CPU": 1,
|
||||||
"HDD": 10240,
|
"HDD": 2048,
|
||||||
"SDD": 10240,
|
"SDD": 512,
|
||||||
"extra": 42
|
"extra": 42
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -109,35 +109,28 @@ class HsBookingItemRepositoryIntegrationTest extends ContextBasedTestWithCleanup
|
|||||||
final var all = rawRoleRepo.findAll();
|
final var all = rawRoleRepo.findAll();
|
||||||
assertThat(distinctRoleNamesOf(all)).containsExactlyInAnyOrder(Array.from(
|
assertThat(distinctRoleNamesOf(all)).containsExactlyInAnyOrder(Array.from(
|
||||||
initialRoleNames,
|
initialRoleNames,
|
||||||
"hs_booking_item#D-1000111-somenewbookingitem:ADMIN",
|
"hs_booking_item#D-1000111:some new booking item:ADMIN",
|
||||||
"hs_booking_item#D-1000111-somenewbookingitem:AGENT",
|
"hs_booking_item#D-1000111:some new booking item:OWNER",
|
||||||
"hs_booking_item#D-1000111-somenewbookingitem:OWNER",
|
"hs_booking_item#D-1000111:some new booking item:TENANT"));
|
||||||
"hs_booking_item#D-1000111-somenewbookingitem:TENANT"));
|
|
||||||
assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll()))
|
assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll()))
|
||||||
.map(s -> s.replace("hs_office_", ""))
|
.map(s -> s.replace("hs_office_", ""))
|
||||||
.containsExactlyInAnyOrder(fromFormatted(
|
.containsExactlyInAnyOrder(fromFormatted(
|
||||||
initialGrantNames,
|
initialGrantNames,
|
||||||
|
|
||||||
// insert+delete
|
// insert+delete
|
||||||
"{ grant perm:hs_booking_item#D-1000111-somenewbookingitem:DELETE to role:global#global:ADMIN by system and assume }",
|
"{ grant perm:hs_booking_item#D-1000111:some new booking item:DELETE to role:global#global:ADMIN by system and assume }",
|
||||||
|
|
||||||
// owner
|
// owner
|
||||||
//"{ grant perm:hs_booking_item#D-1000111-somenewbookingitem:UPDATE to role:hs_booking_item#D-1000111-somenewbookingitem:OWNER by system and assume }",
|
"{ grant perm:hs_booking_item#D-1000111:some new booking item:UPDATE to role:hs_booking_item#D-1000111:some new booking item:OWNER by system and assume }",
|
||||||
"{ grant role:hs_booking_item#D-1000111-somenewbookingitem:OWNER to role:relation#FirstGmbH-with-DEBITOR-FirstGmbH:AGENT by system and assume }",
|
"{ grant role:hs_booking_item#D-1000111:some new booking item:OWNER to role:relation#FirstGmbH-with-DEBITOR-FirstGmbH:AGENT by system and assume }",
|
||||||
|
|
||||||
// admin
|
// admin
|
||||||
"{ grant perm:hs_booking_item#D-1000111-somenewbookingitem:UPDATE to role:hs_booking_item#D-1000111-somenewbookingitem:ADMIN by system and assume }",
|
"{ grant role:hs_booking_item#D-1000111:some new booking item:ADMIN to role:hs_booking_item#D-1000111:some new booking item:OWNER by system and assume }",
|
||||||
"{ grant role:hs_booking_item#D-1000111-somenewbookingitem:ADMIN to role:hs_booking_item#D-1000111-somenewbookingitem:OWNER by system and assume }",
|
|
||||||
//"{ grant role:hs_booking_item#D-1000111-somenewbookingitem:TENANT to role:hs_booking_item#D-1000111-somenewbookingitem:ADMIN by system and assume }",
|
|
||||||
|
|
||||||
// agent
|
|
||||||
"{ grant role:hs_booking_item#D-1000111-somenewbookingitem:ADMIN to role:relation#FirstGmbH-with-DEBITOR-FirstGmbH:AGENT by system and assume }",
|
|
||||||
"{ grant role:hs_booking_item#D-1000111-somenewbookingitem:AGENT to role:hs_booking_item#D-1000111-somenewbookingitem:ADMIN by system and assume }",
|
|
||||||
|
|
||||||
// tenant
|
// tenant
|
||||||
"{ grant role:hs_booking_item#D-1000111-somenewbookingitem:TENANT to role:hs_booking_item#D-1000111-somenewbookingitem:AGENT by system and assume }",
|
"{ grant role:hs_booking_item#D-1000111:some new booking item:TENANT to role:hs_booking_item#D-1000111:some new booking item:ADMIN by system and assume }",
|
||||||
"{ grant perm:hs_booking_item#D-1000111-somenewbookingitem:SELECT to role:hs_booking_item#D-1000111-somenewbookingitem:TENANT by system and assume }",
|
"{ grant perm:hs_booking_item#D-1000111:some new booking item:SELECT to role:hs_booking_item#D-1000111:some new booking item:TENANT by system and assume }",
|
||||||
"{ grant role:relation#FirstGmbH-with-DEBITOR-FirstGmbH:TENANT to role:hs_booking_item#D-1000111-somenewbookingitem:TENANT by system and assume }",
|
"{ grant role:relation#FirstGmbH-with-DEBITOR-FirstGmbH:TENANT to role:hs_booking_item#D-1000111:some new booking item:TENANT by system and assume }",
|
||||||
|
|
||||||
null));
|
null));
|
||||||
}
|
}
|
||||||
@ -166,7 +159,7 @@ class HsBookingItemRepositoryIntegrationTest extends ContextBasedTestWithCleanup
|
|||||||
result,
|
result,
|
||||||
"HsBookingItemEntity(D-1000212, [2022-10-01,), some ManagedServer, { CPU: 2, SDD: 512, extra: 42 })",
|
"HsBookingItemEntity(D-1000212, [2022-10-01,), some ManagedServer, { CPU: 2, SDD: 512, extra: 42 })",
|
||||||
"HsBookingItemEntity(D-1000212, [2023-01-15,2024-04-15), some CloudServer, { CPU: 2, HDD: 1024, extra: 42 })",
|
"HsBookingItemEntity(D-1000212, [2023-01-15,2024-04-15), some CloudServer, { CPU: 2, HDD: 1024, extra: 42 })",
|
||||||
"HsBookingItemEntity(D-1000212, [2024-04-01,), some PrivateCloud, { CPU: 10, HDD: 10240, SDD: 10240, extra: 42 })");
|
"HsBookingItemEntity(D-1000212, [2024-04-01,), some Whatever, { CPU: 1, HDD: 2048, SDD: 512, extra: 42 })");
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@ -183,7 +176,7 @@ class HsBookingItemRepositoryIntegrationTest extends ContextBasedTestWithCleanup
|
|||||||
result,
|
result,
|
||||||
"HsBookingItemEntity(D-1000111, [2022-10-01,), some ManagedServer, { CPU: 2, SDD: 512, extra: 42 })",
|
"HsBookingItemEntity(D-1000111, [2022-10-01,), some ManagedServer, { CPU: 2, SDD: 512, extra: 42 })",
|
||||||
"HsBookingItemEntity(D-1000111, [2023-01-15,2024-04-15), some CloudServer, { CPU: 2, HDD: 1024, extra: 42 })",
|
"HsBookingItemEntity(D-1000111, [2023-01-15,2024-04-15), some CloudServer, { CPU: 2, HDD: 1024, extra: 42 })",
|
||||||
"HsBookingItemEntity(D-1000111, [2024-04-01,), some PrivateCloud, { CPU: 10, HDD: 10240, SDD: 10240, extra: 42 })");
|
"HsBookingItemEntity(D-1000111, [2024-04-01,), some Whatever, { CPU: 1, HDD: 2048, SDD: 512, extra: 42 })");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -141,7 +141,6 @@ class HsOfficePartnerRepositoryIntegrationTest extends ContextBasedTestWithClean
|
|||||||
.map(s -> s.replace("hs_office_", ""))
|
.map(s -> s.replace("hs_office_", ""))
|
||||||
.containsExactlyInAnyOrder(distinct(from(
|
.containsExactlyInAnyOrder(distinct(from(
|
||||||
initialGrantNames,
|
initialGrantNames,
|
||||||
// TODO.rbac: this grant should only be created for DEBITOR-Relationships, thus the RBAC DSL needs to support conditional grants
|
|
||||||
"{ grant perm:relation#HostsharingeG-with-PARTNER-EBess:INSERT>sepamandate to role:relation#HostsharingeG-with-PARTNER-EBess:ADMIN by system and assume }",
|
"{ grant perm:relation#HostsharingeG-with-PARTNER-EBess:INSERT>sepamandate to role:relation#HostsharingeG-with-PARTNER-EBess:ADMIN by system and assume }",
|
||||||
|
|
||||||
// permissions on partner
|
// permissions on partner
|
||||||
|
@ -131,7 +131,7 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
|
|||||||
"hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:TENANT"));
|
"hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:TENANT"));
|
||||||
assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(Array.fromFormatted(
|
assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(Array.fromFormatted(
|
||||||
initialGrantNames,
|
initialGrantNames,
|
||||||
// TODO.rbac: this grant should only be created for DEBITOR-Relationships, thus the RBAC DSL needs to support conditional grants
|
// TODO: this grant should only be created for DEBITOR-Relationships, thus the RBAC DSL needs to support conditional grants
|
||||||
"{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:INSERT>hs_office_sepamandate to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:ADMIN by system and assume }",
|
"{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:INSERT>hs_office_sepamandate to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:ADMIN by system and assume }",
|
||||||
|
|
||||||
"{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:DELETE to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER by system and assume }",
|
"{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:DELETE to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER by system and assume }",
|
||||||
|