Compare commits
2 Commits
ba226fd802
...
e3f48127d2
Author | SHA1 | Date | |
---|---|---|---|
|
e3f48127d2 | ||
|
dbf0aa5980 |
@ -467,7 +467,7 @@ public class RbacView {
|
|||||||
return new RbacExampleRole(entityAlias, role);
|
return new RbacExampleRole(entityAlias, role);
|
||||||
}
|
}
|
||||||
|
|
||||||
private RbacGrantDefinition grantRoleToUser(final RbacRoleDefinition roleDefinition, final RbacUserReference user) {
|
private RbacGrantDefinition grantRoleToSubject(final RbacRoleDefinition roleDefinition, final RbacUserReference user) {
|
||||||
return findOrCreateGrantDef(roleDefinition, user).toCreate();
|
return findOrCreateGrantDef(roleDefinition, user).toCreate();
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -771,7 +771,7 @@ public class RbacView {
|
|||||||
* The grant definition for further chained calls.
|
* The grant definition for further chained calls.
|
||||||
*/
|
*/
|
||||||
public RbacGrantDefinition owningUser(final RbacUserReference.UserRole userRole) {
|
public RbacGrantDefinition owningUser(final RbacUserReference.UserRole userRole) {
|
||||||
return grantRoleToUser(this, findUserRef(userRole));
|
return grantRoleToSubject(this, findUserRef(userRole));
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -312,7 +312,7 @@ class RolesGrantsAndPermissionsGenerator {
|
|||||||
case ROLE_TO_ROLE -> "call revokeRoleFromRole(${subRoleRef}, ${superRoleRef});"
|
case ROLE_TO_ROLE -> "call revokeRoleFromRole(${subRoleRef}, ${superRoleRef});"
|
||||||
.replace("${subRoleRef}", roleRef(OLD, grantDef.getSubRoleDef()))
|
.replace("${subRoleRef}", roleRef(OLD, grantDef.getSubRoleDef()))
|
||||||
.replace("${superRoleRef}", roleRef(OLD, grantDef.getSuperRoleDef()));
|
.replace("${superRoleRef}", roleRef(OLD, grantDef.getSuperRoleDef()));
|
||||||
case PERM_TO_ROLE -> "call revokePermissionFromRole(${permRef}, ${superRoleRef});"
|
case PERM_TO_ROLE -> "call rbac.revokePermissionFromRole(${permRef}, ${superRoleRef});"
|
||||||
.replace("${permRef}", getPerm(OLD, grantDef.getPermDef()))
|
.replace("${permRef}", getPerm(OLD, grantDef.getPermDef()))
|
||||||
.replace("${superRoleRef}", roleRef(OLD, grantDef.getSuperRoleDef()));
|
.replace("${superRoleRef}", roleRef(OLD, grantDef.getSuperRoleDef()));
|
||||||
};
|
};
|
||||||
@ -415,7 +415,7 @@ class RolesGrantsAndPermissionsGenerator {
|
|||||||
.map(this::toPlPgSqlReference)
|
.map(this::toPlPgSqlReference)
|
||||||
.toList();
|
.toList();
|
||||||
plPgSql.indented(() ->
|
plPgSql.indented(() ->
|
||||||
plPgSql.writeLn("userUuids => array[" + joinArrayElements(arrayElements, 2) + "],\n"));
|
plPgSql.writeLn("subjectUuids => array[" + joinArrayElements(arrayElements, 2) + "],\n"));
|
||||||
rbacGrants.removeAll(grantsToUsers);
|
rbacGrants.removeAll(grantsToUsers);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -36,11 +36,11 @@ public class RbacGrantController implements RbacGrantsApi {
|
|||||||
final String currentSubject,
|
final String currentSubject,
|
||||||
final String assumedRoles,
|
final String assumedRoles,
|
||||||
final UUID grantedRoleUuid,
|
final UUID grantedRoleUuid,
|
||||||
final UUID granteeUserUuid) {
|
final UUID granteeSubjectUuid) {
|
||||||
|
|
||||||
context.define(currentSubject, assumedRoles);
|
context.define(currentSubject, assumedRoles);
|
||||||
|
|
||||||
final var id = new RbacGrantId(granteeUserUuid, grantedRoleUuid);
|
final var id = new RbacGrantId(granteeSubjectUuid, grantedRoleUuid);
|
||||||
final var result = rbacGrantRepository.findById(id);
|
final var result = rbacGrantRepository.findById(id);
|
||||||
if (result == null) {
|
if (result == null) {
|
||||||
return ResponseEntity.notFound().build();
|
return ResponseEntity.notFound().build();
|
||||||
@ -61,7 +61,7 @@ public class RbacGrantController implements RbacGrantsApi {
|
|||||||
|
|
||||||
@Override
|
@Override
|
||||||
@Transactional
|
@Transactional
|
||||||
public ResponseEntity<RbacGrantResource> grantRoleToUser(
|
public ResponseEntity<RbacGrantResource> grantRoleToSubject(
|
||||||
final String currentSubject,
|
final String currentSubject,
|
||||||
final String assumedRoles,
|
final String assumedRoles,
|
||||||
final RbacGrantResource body) {
|
final RbacGrantResource body) {
|
||||||
@ -82,22 +82,22 @@ public class RbacGrantController implements RbacGrantsApi {
|
|||||||
|
|
||||||
@Override
|
@Override
|
||||||
@Transactional
|
@Transactional
|
||||||
public ResponseEntity<Void> revokeRoleFromUser(
|
public ResponseEntity<Void> revokeRoleFromSubject(
|
||||||
final String currentSubject,
|
final String currentSubject,
|
||||||
final String assumedRoles,
|
final String assumedRoles,
|
||||||
final UUID grantedRoleUuid,
|
final UUID grantedRoleUuid,
|
||||||
final UUID granteeUserUuid) {
|
final UUID granteeSubjectUuid) {
|
||||||
|
|
||||||
context.define(currentSubject, assumedRoles);
|
context.define(currentSubject, assumedRoles);
|
||||||
|
|
||||||
rbacGrantRepository.deleteByRbacGrantId(new RbacGrantId(granteeUserUuid, grantedRoleUuid));
|
rbacGrantRepository.deleteByRbacGrantId(new RbacGrantId(granteeSubjectUuid, grantedRoleUuid));
|
||||||
|
|
||||||
return ResponseEntity.noContent().build();
|
return ResponseEntity.noContent().build();
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: implement an endpoint to create a Mermaid flowchart with all grants of a given user
|
// TODO.feat: implement an endpoint to create a Mermaid flowchart with all grants of a given user
|
||||||
// @GetMapping(
|
// @GetMapping(
|
||||||
// path = "/api/rbac/users/{userUuid}/grants",
|
// path = "/api/rbac/users/{subjectUuid}/grants",
|
||||||
// produces = {"text/vnd.mermaid"})
|
// produces = {"text/vnd.mermaid"})
|
||||||
// @Transactional(readOnly = true)
|
// @Transactional(readOnly = true)
|
||||||
// public ResponseEntity<String> allGrantsOfUserAsMermaid(
|
// public ResponseEntity<String> allGrantsOfUserAsMermaid(
|
||||||
|
@ -36,8 +36,8 @@ public class RbacGrantEntity {
|
|||||||
private String granteeUserName;
|
private String granteeUserName;
|
||||||
|
|
||||||
@Id
|
@Id
|
||||||
@Column(name = "useruuid")
|
@Column(name = "subjectuuid")
|
||||||
private UUID granteeUserUuid;
|
private UUID granteeSubjectUuid;
|
||||||
|
|
||||||
private boolean assumed;
|
private boolean assumed;
|
||||||
|
|
||||||
@ -55,7 +55,7 @@ public class RbacGrantEntity {
|
|||||||
private RbacRoleType grantedRoleType;
|
private RbacRoleType grantedRoleType;
|
||||||
|
|
||||||
RbacGrantId getRbacGrantId() {
|
RbacGrantId getRbacGrantId() {
|
||||||
return new RbacGrantId(granteeUserUuid, grantedRoleUuid);
|
return new RbacGrantId(granteeSubjectUuid, grantedRoleUuid);
|
||||||
}
|
}
|
||||||
|
|
||||||
public String toDisplay() {
|
public String toDisplay() {
|
||||||
|
@ -14,6 +14,6 @@ import java.util.UUID;
|
|||||||
@AllArgsConstructor
|
@AllArgsConstructor
|
||||||
public class RbacGrantId implements Serializable {
|
public class RbacGrantId implements Serializable {
|
||||||
|
|
||||||
private UUID granteeUserUuid;
|
private UUID granteeSubjectUuid;
|
||||||
private UUID grantedRoleUuid;
|
private UUID grantedRoleUuid;
|
||||||
}
|
}
|
||||||
|
@ -11,7 +11,7 @@ public interface RbacGrantRepository extends Repository<RbacGrantEntity, RbacGra
|
|||||||
@Query(value = """
|
@Query(value = """
|
||||||
select g from RbacGrantEntity as g
|
select g from RbacGrantEntity as g
|
||||||
where g.grantedRoleUuid=:#{#rbacGrantId.grantedRoleUuid}
|
where g.grantedRoleUuid=:#{#rbacGrantId.grantedRoleUuid}
|
||||||
and g.granteeUserUuid=:#{#rbacGrantId.granteeUserUuid}
|
and g.granteeSubjectUuid=:#{#rbacGrantId.granteeSubjectUuid}
|
||||||
""")
|
""")
|
||||||
RbacGrantEntity findById(RbacGrantId rbacGrantId);
|
RbacGrantEntity findById(RbacGrantId rbacGrantId);
|
||||||
|
|
||||||
@ -25,7 +25,7 @@ public interface RbacGrantRepository extends Repository<RbacGrantEntity, RbacGra
|
|||||||
@Query(value = """
|
@Query(value = """
|
||||||
delete from RbacGrantEntity as g
|
delete from RbacGrantEntity as g
|
||||||
where g.grantedRoleUuid=:#{#rbacGrantId.grantedRoleUuid}
|
where g.grantedRoleUuid=:#{#rbacGrantId.grantedRoleUuid}
|
||||||
and g.granteeUserUuid=:#{#rbacGrantId.granteeUserUuid}
|
and g.granteeSubjectUuid=:#{#rbacGrantId.granteeSubjectUuid}
|
||||||
""")
|
""")
|
||||||
void deleteByRbacGrantId(RbacGrantId rbacGrantId);
|
void deleteByRbacGrantId(RbacGrantId rbacGrantId);
|
||||||
}
|
}
|
||||||
|
@ -51,11 +51,11 @@ public class RbacUserController implements RbacUsersApi {
|
|||||||
public ResponseEntity<Void> deleteUserByUuid(
|
public ResponseEntity<Void> deleteUserByUuid(
|
||||||
final String currentSubject,
|
final String currentSubject,
|
||||||
final String assumedRoles,
|
final String assumedRoles,
|
||||||
final UUID userUuid
|
final UUID subjectUuid
|
||||||
) {
|
) {
|
||||||
context.define(currentSubject, assumedRoles);
|
context.define(currentSubject, assumedRoles);
|
||||||
|
|
||||||
rbacUserRepository.deleteByUuid(userUuid);
|
rbacUserRepository.deleteByUuid(subjectUuid);
|
||||||
|
|
||||||
return ResponseEntity.noContent().build();
|
return ResponseEntity.noContent().build();
|
||||||
}
|
}
|
||||||
@ -65,11 +65,11 @@ public class RbacUserController implements RbacUsersApi {
|
|||||||
public ResponseEntity<RbacUserResource> getUserById(
|
public ResponseEntity<RbacUserResource> getUserById(
|
||||||
final String currentSubject,
|
final String currentSubject,
|
||||||
final String assumedRoles,
|
final String assumedRoles,
|
||||||
final UUID userUuid) {
|
final UUID subjectUuid) {
|
||||||
|
|
||||||
context.define(currentSubject, assumedRoles);
|
context.define(currentSubject, assumedRoles);
|
||||||
|
|
||||||
final var result = rbacUserRepository.findByUuid(userUuid);
|
final var result = rbacUserRepository.findByUuid(subjectUuid);
|
||||||
if (result == null) {
|
if (result == null) {
|
||||||
return ResponseEntity.notFound().build();
|
return ResponseEntity.notFound().build();
|
||||||
}
|
}
|
||||||
@ -93,12 +93,12 @@ public class RbacUserController implements RbacUsersApi {
|
|||||||
public ResponseEntity<List<RbacUserPermissionResource>> listUserPermissions(
|
public ResponseEntity<List<RbacUserPermissionResource>> listUserPermissions(
|
||||||
final String currentSubject,
|
final String currentSubject,
|
||||||
final String assumedRoles,
|
final String assumedRoles,
|
||||||
final UUID userUuid
|
final UUID subjectUuid
|
||||||
) {
|
) {
|
||||||
context.define(currentSubject, assumedRoles);
|
context.define(currentSubject, assumedRoles);
|
||||||
|
|
||||||
return ResponseEntity.ok(mapper.mapList(
|
return ResponseEntity.ok(mapper.mapList(
|
||||||
rbacUserRepository.findPermissionsOfUserByUuid(userUuid),
|
rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid),
|
||||||
RbacUserPermissionResource.class));
|
RbacUserPermissionResource.class));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -22,8 +22,8 @@ public interface RbacUserRepository extends Repository<RbacUserEntity, UUID> {
|
|||||||
|
|
||||||
RbacUserEntity findByUuid(UUID uuid);
|
RbacUserEntity findByUuid(UUID uuid);
|
||||||
|
|
||||||
@Query(value = "select * from grantedPermissions(:userUuid)", nativeQuery = true)
|
@Query(value = "select * from grantedPermissions(:subjectUuid)", nativeQuery = true)
|
||||||
List<RbacUserPermission> findPermissionsOfUserByUuid(UUID userUuid);
|
List<RbacUserPermission> findPermissionsOfUserByUuid(UUID subjectUuid);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Can't use save/saveAndFlush from SpringData because the uuid is not generated on the entity level,
|
Can't use save/saveAndFlush from SpringData because the uuid is not generated on the entity level,
|
||||||
@ -42,5 +42,5 @@ public interface RbacUserRepository extends Repository<RbacUserEntity, UUID> {
|
|||||||
return rbacUserEntity;
|
return rbacUserEntity;
|
||||||
}
|
}
|
||||||
|
|
||||||
void deleteByUuid(UUID userUuid);
|
void deleteByUuid(UUID subjectUuid);
|
||||||
}
|
}
|
||||||
|
@ -20,9 +20,9 @@ components:
|
|||||||
format: uuid
|
format: uuid
|
||||||
granteeUserName:
|
granteeUserName:
|
||||||
type: string
|
type: string
|
||||||
granteeUserUuid:
|
granteeSubjectUuid:
|
||||||
type: string
|
type: string
|
||||||
format: uuid
|
format: uuid
|
||||||
required:
|
required:
|
||||||
- grantedRoleUuid
|
- grantedRoleUuid
|
||||||
- granteeUserUuid
|
- granteeSubjectUuid
|
||||||
|
@ -12,7 +12,7 @@ get:
|
|||||||
type: string
|
type: string
|
||||||
format: uuid
|
format: uuid
|
||||||
description: UUID of the granted role.
|
description: UUID of the granted role.
|
||||||
- name: granteeUserUuid
|
- name: granteeSubjectUuid
|
||||||
in: path
|
in: path
|
||||||
required: true
|
required: true
|
||||||
schema:
|
schema:
|
||||||
@ -36,7 +36,7 @@ get:
|
|||||||
delete:
|
delete:
|
||||||
tags:
|
tags:
|
||||||
- rbac-grants
|
- rbac-grants
|
||||||
operationId: revokeRoleFromUser
|
operationId: revokeRoleFromSubject
|
||||||
parameters:
|
parameters:
|
||||||
- $ref: 'auth.yaml#/components/parameters/currentSubject'
|
- $ref: 'auth.yaml#/components/parameters/currentSubject'
|
||||||
- $ref: 'auth.yaml#/components/parameters/assumedRoles'
|
- $ref: 'auth.yaml#/components/parameters/assumedRoles'
|
||||||
@ -47,7 +47,7 @@ delete:
|
|||||||
type: string
|
type: string
|
||||||
format: uuid
|
format: uuid
|
||||||
description: UUID of the granted role.
|
description: UUID of the granted role.
|
||||||
- name: granteeUserUuid
|
- name: granteeSubjectUuid
|
||||||
in: path
|
in: path
|
||||||
required: true
|
required: true
|
||||||
schema:
|
schema:
|
||||||
|
@ -18,7 +18,7 @@ get:
|
|||||||
post:
|
post:
|
||||||
tags:
|
tags:
|
||||||
- rbac-grants
|
- rbac-grants
|
||||||
operationId: grantRoleToUser
|
operationId: grantRoleToSubject
|
||||||
parameters:
|
parameters:
|
||||||
- $ref: 'auth.yaml#/components/parameters/currentSubject'
|
- $ref: 'auth.yaml#/components/parameters/currentSubject'
|
||||||
- $ref: 'auth.yaml#/components/parameters/assumedRoles'
|
- $ref: 'auth.yaml#/components/parameters/assumedRoles'
|
||||||
|
@ -6,7 +6,7 @@ get:
|
|||||||
parameters:
|
parameters:
|
||||||
- $ref: 'auth.yaml#/components/parameters/currentSubject'
|
- $ref: 'auth.yaml#/components/parameters/currentSubject'
|
||||||
- $ref: 'auth.yaml#/components/parameters/assumedRoles'
|
- $ref: 'auth.yaml#/components/parameters/assumedRoles'
|
||||||
- name: userUuid
|
- name: subjectUuid
|
||||||
in: path
|
in: path
|
||||||
required: true
|
required: true
|
||||||
schema:
|
schema:
|
||||||
|
@ -6,7 +6,7 @@ get:
|
|||||||
parameters:
|
parameters:
|
||||||
- $ref: 'auth.yaml#/components/parameters/currentSubject'
|
- $ref: 'auth.yaml#/components/parameters/currentSubject'
|
||||||
- $ref: 'auth.yaml#/components/parameters/assumedRoles'
|
- $ref: 'auth.yaml#/components/parameters/assumedRoles'
|
||||||
- name: userUuid
|
- name: subjectUuid
|
||||||
in: path
|
in: path
|
||||||
required: true
|
required: true
|
||||||
schema:
|
schema:
|
||||||
@ -33,7 +33,7 @@ delete:
|
|||||||
parameters:
|
parameters:
|
||||||
- $ref: 'auth.yaml#/components/parameters/currentSubject'
|
- $ref: 'auth.yaml#/components/parameters/currentSubject'
|
||||||
- $ref: 'auth.yaml#/components/parameters/assumedRoles'
|
- $ref: 'auth.yaml#/components/parameters/assumedRoles'
|
||||||
- name: userUuid
|
- name: subjectUuid
|
||||||
in: path
|
in: path
|
||||||
required: true
|
required: true
|
||||||
schema:
|
schema:
|
||||||
|
@ -11,10 +11,10 @@ paths:
|
|||||||
/api/rbac/users:
|
/api/rbac/users:
|
||||||
$ref: 'rbac-users.yaml'
|
$ref: 'rbac-users.yaml'
|
||||||
|
|
||||||
/api/rbac/users/{userUuid}/permissions:
|
/api/rbac/users/{subjectUuid}/permissions:
|
||||||
$ref: 'rbac-users-with-id-permissions.yaml'
|
$ref: 'rbac-users-with-id-permissions.yaml'
|
||||||
|
|
||||||
/api/rbac/users/{userUuid}:
|
/api/rbac/users/{subjectUuid}:
|
||||||
$ref: 'rbac-users-with-uuid.yaml'
|
$ref: 'rbac-users-with-uuid.yaml'
|
||||||
|
|
||||||
/api/rbac/roles:
|
/api/rbac/roles:
|
||||||
@ -23,6 +23,6 @@ paths:
|
|||||||
/api/rbac/grants:
|
/api/rbac/grants:
|
||||||
$ref: 'rbac-grants.yaml'
|
$ref: 'rbac-grants.yaml'
|
||||||
|
|
||||||
/api/rbac/grants/{grantedRoleUuid}/{granteeUserUuid}:
|
/api/rbac/grants/{grantedRoleUuid}/{granteeSubjectUuid}:
|
||||||
$ref: 'rbac-grants-with-id.yaml'
|
$ref: 'rbac-grants-with-id.yaml'
|
||||||
|
|
||||||
|
@ -672,7 +672,7 @@ begin
|
|||||||
end if;
|
end if;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create or replace procedure revokePermissionFromRole(permissionId UUID, superRole RbacRoleDescriptor)
|
create or replace procedure rbac.revokePermissionFromRole(permissionId UUID, superRole RbacRoleDescriptor)
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
superRoleId uuid;
|
superRoleId uuid;
|
||||||
|
@ -20,21 +20,21 @@ begin
|
|||||||
return currentSubjectOrAssumedRolesUuids[1];
|
return currentSubjectOrAssumedRolesUuids[1];
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create or replace procedure grantRoleToUserUnchecked(grantedByRoleUuid uuid, grantedRoleUuid uuid, userUuid uuid, doAssume boolean = true)
|
create or replace procedure rbac.grantRoleToUserUnchecked(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid, doAssume boolean = true)
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
perform rbac.assertReferenceType('grantingRoleUuid', grantedByRoleUuid, 'RbacRole');
|
perform rbac.assertReferenceType('grantingRoleUuid', grantedByRoleUuid, 'RbacRole');
|
||||||
perform rbac.assertReferenceType('roleId (descendant)', grantedRoleUuid, 'RbacRole');
|
perform rbac.assertReferenceType('roleId (descendant)', grantedRoleUuid, 'RbacRole');
|
||||||
perform rbac.assertReferenceType('userId (ascendant)', userUuid, 'rbac.subject');
|
perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject');
|
||||||
|
|
||||||
insert
|
insert
|
||||||
into RbacGrants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
|
into RbacGrants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
|
||||||
values (grantedByRoleUuid, userUuid, grantedRoleUuid, doAssume)
|
values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume)
|
||||||
-- TODO: check if grantedByRoleUuid+doAssume are the same, otherwise raise exception?
|
-- TODO: check if grantedByRoleUuid+doAssume are the same, otherwise raise exception?
|
||||||
on conflict do nothing; -- allow granting multiple times
|
on conflict do nothing; -- allow granting multiple times
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create or replace procedure grantRoleToUser(grantedByRoleUuid uuid, grantedRoleUuid uuid, userUuid uuid, doAssume boolean = true)
|
create or replace procedure rbac.grantRoleToSubject(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid, doAssume boolean = true)
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
declare
|
declare
|
||||||
grantedByRoleIdName text;
|
grantedByRoleIdName text;
|
||||||
@ -42,11 +42,11 @@ declare
|
|||||||
begin
|
begin
|
||||||
perform rbac.assertReferenceType('grantingRoleUuid', grantedByRoleUuid, 'RbacRole');
|
perform rbac.assertReferenceType('grantingRoleUuid', grantedByRoleUuid, 'RbacRole');
|
||||||
perform rbac.assertReferenceType('grantedRoleUuid (descendant)', grantedRoleUuid, 'RbacRole');
|
perform rbac.assertReferenceType('grantedRoleUuid (descendant)', grantedRoleUuid, 'RbacRole');
|
||||||
perform rbac.assertReferenceType('userUuid (ascendant)', userUuid, 'rbac.subject');
|
perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject');
|
||||||
|
|
||||||
assert grantedByRoleUuid is not null, 'grantedByRoleUuid must not be null';
|
assert grantedByRoleUuid is not null, 'grantedByRoleUuid must not be null';
|
||||||
assert grantedRoleUuid is not null, 'grantedRoleUuid must not be null';
|
assert grantedRoleUuid is not null, 'grantedRoleUuid must not be null';
|
||||||
assert userUuid is not null, 'userUuid must not be null';
|
assert subjectUuid is not null, 'subjectUuid must not be null';
|
||||||
|
|
||||||
if NOT isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then
|
if NOT isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then
|
||||||
select roleIdName from rbacRole_ev where uuid=grantedByRoleUuid into grantedByRoleIdName;
|
select roleIdName from rbacRole_ev where uuid=grantedByRoleUuid into grantedByRoleIdName;
|
||||||
@ -62,8 +62,8 @@ begin
|
|||||||
|
|
||||||
insert
|
insert
|
||||||
into RbacGrants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
|
into RbacGrants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
|
||||||
values (grantedByRoleUuid, userUuid, grantedRoleUuid, doAssume);
|
values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume);
|
||||||
-- TODO.impl: What should happen on mupltiple grants? What if options (doAssume) are not the same?
|
-- TODO.impl: What should happen on multiple grants? What if options (doAssume) are not the same?
|
||||||
-- Most powerful or latest grant wins? What about managed?
|
-- Most powerful or latest grant wins? What about managed?
|
||||||
-- on conflict do nothing; -- allow granting multiple times
|
-- on conflict do nothing; -- allow granting multiple times
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -74,12 +74,12 @@ end; $$;
|
|||||||
--changeset rbac-user-grant-REVOKE-ROLE-FROM-USER:1 endDelimiter:--//
|
--changeset rbac-user-grant-REVOKE-ROLE-FROM-USER:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
create or replace procedure checkRevokeRoleFromUserPreconditions(grantedByRoleUuid uuid, grantedRoleUuid uuid, userUuid uuid)
|
create or replace procedure rbac.checkRevokeRoleFromSubjectPreconditions(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid)
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
perform rbac.assertReferenceType('grantedByRoleUuid', grantedByRoleUuid, 'RbacRole');
|
perform rbac.assertReferenceType('grantedByRoleUuid', grantedByRoleUuid, 'RbacRole');
|
||||||
perform rbac.assertReferenceType('grantedRoleUuid (descendant)', grantedRoleUuid, 'RbacRole');
|
perform rbac.assertReferenceType('grantedRoleUuid (descendant)', grantedRoleUuid, 'RbacRole');
|
||||||
perform rbac.assertReferenceType('userUuid (ascendant)', userUuid, 'rbac.subject');
|
perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject');
|
||||||
|
|
||||||
if NOT isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then
|
if NOT isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then
|
||||||
raise exception '[403] Revoking role created by % is forbidden for %.', grantedByRoleUuid, currentSubjects();
|
raise exception '[403] Revoking role created by % is forbidden for %.', grantedByRoleUuid, currentSubjects();
|
||||||
@ -94,20 +94,20 @@ begin
|
|||||||
raise exception '[403] Revoking role granted by % is forbidden for %.', grantedByRoleUuid, currentSubjects();
|
raise exception '[403] Revoking role granted by % is forbidden for %.', grantedByRoleUuid, currentSubjects();
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
if NOT isGranted(userUuid, grantedRoleUuid) then
|
if NOT isGranted(subjectUuid, grantedRoleUuid) then
|
||||||
raise exception '[404] No such grant found granted by % for user % to role %.', grantedByRoleUuid, userUuid, grantedRoleUuid;
|
raise exception '[404] No such grant found granted by % for subject % to role %.', grantedByRoleUuid, subjectUuid, grantedRoleUuid;
|
||||||
end if;
|
end if;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create or replace procedure revokeRoleFromUser(grantedByRoleUuid uuid, grantedRoleUuid uuid, userUuid uuid)
|
create or replace procedure rbac.revokeRoleFromSubject(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid)
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
call checkRevokeRoleFromUserPreconditions(grantedByRoleUuid, grantedRoleUuid, userUuid);
|
call rbac.checkRevokeRoleFromSubjectPreconditions(grantedByRoleUuid, grantedRoleUuid, subjectUuid);
|
||||||
|
|
||||||
raise INFO 'delete from RbacGrants where ascendantUuid = % and descendantUuid = %', userUuid, grantedRoleUuid;
|
raise INFO 'delete from RbacGrants where ascendantUuid = % and descendantUuid = %', subjectUuid, grantedRoleUuid;
|
||||||
delete from RbacGrants as g
|
delete from RbacGrants as g
|
||||||
where g.ascendantUuid = userUuid and g.descendantUuid = grantedRoleUuid
|
where g.ascendantUuid = subjectUuid and g.descendantUuid = grantedRoleUuid
|
||||||
and g.grantedByRoleUuid = revokeRoleFromUser.grantedByRoleUuid;
|
and g.grantedByRoleUuid = revokeRoleFromSubject.grantedByRoleUuid;
|
||||||
end; $$;
|
end; $$;
|
||||||
--//
|
--//
|
||||||
|
|
||||||
@ -115,7 +115,7 @@ end; $$;
|
|||||||
--changeset rbac-user-grant-REVOKE-PERMISSION-FROM-ROLE:1 endDelimiter:--//
|
--changeset rbac-user-grant-REVOKE-PERMISSION-FROM-ROLE:1 endDelimiter:--//
|
||||||
-- ----------------------------------------------------------------------------
|
-- ----------------------------------------------------------------------------
|
||||||
|
|
||||||
create or replace procedure revokePermissionFromRole(permissionUuid uuid, superRoleUuid uuid)
|
create or replace procedure rbac.revokePermissionFromRole(permissionUuid uuid, superRoleUuid uuid)
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
raise INFO 'delete from RbacGrants where ascendantUuid = % and descendantUuid = %', superRoleUuid, permissionUuid;
|
raise INFO 'delete from RbacGrants where ascendantUuid = % and descendantUuid = %', superRoleUuid, permissionUuid;
|
@ -117,7 +117,7 @@ create or replace view rbacgrants_rv as
|
|||||||
-- @formatter:off
|
-- @formatter:off
|
||||||
select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
|
select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
|
||||||
g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
|
g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
|
||||||
g.grantedByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as userUuid,
|
g.grantedByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as subjectUuid,
|
||||||
g.objectTable, g.objectUuid, g.objectIdName, g.roleType as grantedRoleType
|
g.objectTable, g.objectUuid, g.objectIdName, g.roleType as grantedRoleType
|
||||||
from (
|
from (
|
||||||
select g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid, g.assumed,
|
select g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid, g.assumed,
|
||||||
@ -150,10 +150,10 @@ create or replace function insertRbacGrant()
|
|||||||
declare
|
declare
|
||||||
newGrant RbacGrants_RV;
|
newGrant RbacGrants_RV;
|
||||||
begin
|
begin
|
||||||
call grantRoleToUser(rbac.assumedRoleUuid(), new.grantedRoleUuid, new.userUuid, new.assumed);
|
call rbac.grantRoleToSubject(rbac.assumedRoleUuid(), new.grantedRoleUuid, new.subjectUuid, new.assumed);
|
||||||
select grv.*
|
select grv.*
|
||||||
from RbacGrants_RV grv
|
from RbacGrants_RV grv
|
||||||
where grv.userUuid=new.userUuid and grv.grantedRoleUuid=new.grantedRoleUuid
|
where grv.subjectUuid=new.subjectUuid and grv.grantedRoleUuid=new.grantedRoleUuid
|
||||||
into newGrant;
|
into newGrant;
|
||||||
return newGrant;
|
return newGrant;
|
||||||
end; $$;
|
end; $$;
|
||||||
@ -176,13 +176,13 @@ execute function insertRbacGrant();
|
|||||||
/**
|
/**
|
||||||
Instead of delete trigger function for RbacGrants_RV.
|
Instead of delete trigger function for RbacGrants_RV.
|
||||||
|
|
||||||
Checks if the current subject (user / assumed role) has the permission to revoke the grant.
|
Checks if the current subject or assumed role have the permission to revoke the grant.
|
||||||
*/
|
*/
|
||||||
create or replace function deleteRbacGrant()
|
create or replace function deleteRbacGrant()
|
||||||
returns trigger
|
returns trigger
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
begin
|
||||||
call revokeRoleFromUser(old.grantedByRoleUuid, old.grantedRoleUuid, old.userUuid);
|
call rbac.revokeRoleFromSubject(old.grantedByRoleUuid, old.grantedRoleUuid, old.subjectUuid);
|
||||||
return old;
|
return old;
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
@ -343,7 +343,7 @@ grant all privileges on RbacOwnGrantedPermissions_rv to ${HSADMINNG_POSTGRES_RES
|
|||||||
Returns all permissions granted to the given user,
|
Returns all permissions granted to the given user,
|
||||||
which are also visible to the current user or assumed roles.
|
which are also visible to the current user or assumed roles.
|
||||||
*/
|
*/
|
||||||
create or replace function grantedPermissionsRaw(targetUserUuid uuid)
|
create or replace function grantedPermissionsRaw(targetSubjectUuid uuid)
|
||||||
returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid)
|
returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid)
|
||||||
returns null on null input
|
returns null on null input
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
@ -353,8 +353,8 @@ begin
|
|||||||
-- @formatter:off
|
-- @formatter:off
|
||||||
currentSubjectUuid := rbac.currentSubjectUuid();
|
currentSubjectUuid := rbac.currentSubjectUuid();
|
||||||
|
|
||||||
if hasGlobalRoleGranted(targetUserUuid) and not hasGlobalRoleGranted(currentSubjectUuid) then
|
if hasGlobalRoleGranted(targetSubjectUuid) and not hasGlobalRoleGranted(currentSubjectUuid) then
|
||||||
raise exception '[403] permissions of user "%" are not accessible to user "%"', targetUserUuid, basis.currentSubject();
|
raise exception '[403] permissions of user "%" are not accessible to user "%"', targetSubjectUuid, basis.currentSubject();
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
return query select
|
return query select
|
||||||
@ -369,24 +369,24 @@ begin
|
|||||||
po.objecttable as permissionObjectTable,
|
po.objecttable as permissionObjectTable,
|
||||||
findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName,
|
findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName,
|
||||||
po.uuid as permissionObjectUuid
|
po.uuid as permissionObjectUuid
|
||||||
from queryPermissionsGrantedToSubjectId( targetUserUuid) as p
|
from queryPermissionsGrantedToSubjectId( targetSubjectUuid) as p
|
||||||
join rbacgrants as g on g.descendantUuid = p.uuid
|
join rbacgrants as g on g.descendantUuid = p.uuid
|
||||||
join rbac.object as po on po.uuid = p.objectUuid
|
join rbac.object as po on po.uuid = p.objectUuid
|
||||||
join rbacrole_rv as r on r.uuid = g.ascendantUuid
|
join rbacrole_rv as r on r.uuid = g.ascendantUuid
|
||||||
join rbac.object as ro on ro.uuid = r.objectUuid
|
join rbac.object as ro on ro.uuid = r.objectUuid
|
||||||
where isGranted(targetUserUuid, r.uuid)
|
where isGranted(targetSubjectUuid, r.uuid)
|
||||||
) xp;
|
) xp;
|
||||||
-- @formatter:on
|
-- @formatter:on
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
create or replace function grantedPermissions(targetUserUuid uuid)
|
create or replace function grantedPermissions(targetSubjectUuid uuid)
|
||||||
returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid)
|
returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid)
|
||||||
returns null on null input
|
returns null on null input
|
||||||
language sql as $$
|
language sql as $$
|
||||||
select * from grantedPermissionsRaw(targetUserUuid)
|
select * from grantedPermissionsRaw(targetSubjectUuid)
|
||||||
union all
|
union all
|
||||||
select roleUuid, roleName, permissionUuid, 'SELECT'::RbacOp, opTableName, objectTable, objectIdName, objectUuid
|
select roleUuid, roleName, permissionUuid, 'SELECT'::RbacOp, opTableName, objectTable, objectIdName, objectUuid
|
||||||
from grantedPermissionsRaw(targetUserUuid)
|
from grantedPermissionsRaw(targetSubjectUuid)
|
||||||
where op <> 'SELECT'::RbacOp;
|
where op <> 'SELECT'::RbacOp;
|
||||||
$$;
|
$$;
|
||||||
--//
|
--//
|
||||||
|
@ -12,7 +12,7 @@ create or replace function createRoleWithGrants(
|
|||||||
permissions RbacOp[] = array[]::RbacOp[],
|
permissions RbacOp[] = array[]::RbacOp[],
|
||||||
incomingSuperRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
|
incomingSuperRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
|
||||||
outgoingSubRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
|
outgoingSubRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
|
||||||
userUuids uuid[] = array[]::uuid[],
|
subjectUuids uuid[] = array[]::uuid[],
|
||||||
grantedByRole RbacRoleDescriptor = null
|
grantedByRole RbacRoleDescriptor = null
|
||||||
)
|
)
|
||||||
returns uuid
|
returns uuid
|
||||||
@ -26,7 +26,7 @@ declare
|
|||||||
superRoleDesc RbacRoleDescriptor;
|
superRoleDesc RbacRoleDescriptor;
|
||||||
subRoleUuid uuid;
|
subRoleUuid uuid;
|
||||||
superRoleUuid uuid;
|
superRoleUuid uuid;
|
||||||
userUuid uuid;
|
subjectUuid uuid;
|
||||||
userGrantsByRoleUuid uuid;
|
userGrantsByRoleUuid uuid;
|
||||||
begin
|
begin
|
||||||
roleUuid := coalesce(findRoleId(roleDescriptor), createRole(roleDescriptor));
|
roleUuid := coalesce(findRoleId(roleDescriptor), createRole(roleDescriptor));
|
||||||
@ -49,16 +49,16 @@ begin
|
|||||||
call grantRoleToRole(subRoleUuid, roleUuid, subRoleDesc.assumed);
|
call grantRoleToRole(subRoleUuid, roleUuid, subRoleDesc.assumed);
|
||||||
end loop;
|
end loop;
|
||||||
|
|
||||||
if cardinality(userUuids) > 0 then
|
if cardinality(subjectUuids) > 0 then
|
||||||
-- direct grants to users need a grantedByRole which can revoke the grant
|
-- direct grants to users need a grantedByRole which can revoke the grant
|
||||||
if grantedByRole is null then
|
if grantedByRole is null then
|
||||||
userGrantsByRoleUuid := roleUuid; -- TODO.impl: or do we want to require an explicit userGrantsByRoleUuid?
|
userGrantsByRoleUuid := roleUuid; -- TODO.impl: or do we want to require an explicit userGrantsByRoleUuid?
|
||||||
else
|
else
|
||||||
userGrantsByRoleUuid := getRoleId(grantedByRole);
|
userGrantsByRoleUuid := getRoleId(grantedByRole);
|
||||||
end if;
|
end if;
|
||||||
foreach userUuid in array userUuids
|
foreach subjectUuid in array subjectUuids
|
||||||
loop
|
loop
|
||||||
call grantRoleToUserUnchecked(userGrantsByRoleUuid, roleUuid, userUuid);
|
call rbac.grantRoleToUserUnchecked(userGrantsByRoleUuid, roleUuid, subjectUuid);
|
||||||
end loop;
|
end loop;
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
|
@ -158,8 +158,8 @@ do language plpgsql $$
|
|||||||
call basis.defineContext('creating fake test-realm admin users', null, null, null);
|
call basis.defineContext('creating fake test-realm admin users', null, null, null);
|
||||||
|
|
||||||
admins = findRoleId(globalAdmin());
|
admins = findRoleId(globalAdmin());
|
||||||
call grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-alex@hostsharing.net'));
|
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-alex@hostsharing.net'));
|
||||||
call grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-fran@hostsharing.net'));
|
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-fran@hostsharing.net'));
|
||||||
perform rbac.create_subject('selfregistered-user-drew@hostsharing.org');
|
perform rbac.create_subject('selfregistered-user-drew@hostsharing.org');
|
||||||
perform rbac.create_subject('selfregistered-test-user@hostsharing.org');
|
perform rbac.create_subject('selfregistered-test-user@hostsharing.org');
|
||||||
end;
|
end;
|
||||||
|
@ -38,7 +38,7 @@ begin
|
|||||||
testCustomerOWNER(NEW),
|
testCustomerOWNER(NEW),
|
||||||
permissions => array['DELETE'],
|
permissions => array['DELETE'],
|
||||||
incomingSuperRoles => array[globalADMIN(unassumed())],
|
incomingSuperRoles => array[globalADMIN(unassumed())],
|
||||||
userUuids => array[rbac.currentSubjectUuid()]
|
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||||
);
|
);
|
||||||
|
|
||||||
perform createRoleWithGrants(
|
perform createRoleWithGrants(
|
||||||
|
@ -40,7 +40,7 @@ begin
|
|||||||
|
|
||||||
select * into newCust
|
select * into newCust
|
||||||
from test_customer where reference=custReference;
|
from test_customer where reference=custReference;
|
||||||
call grantRoleToUser(
|
call rbac.grantRoleToSubject(
|
||||||
getRoleId(testCustomerOwner(newCust)),
|
getRoleId(testCustomerOwner(newCust)),
|
||||||
getRoleId(testCustomerAdmin(newCust)),
|
getRoleId(testCustomerAdmin(newCust)),
|
||||||
custAdminUuid,
|
custAdminUuid,
|
||||||
|
@ -29,7 +29,7 @@ begin
|
|||||||
values (cust.uuid, pacName, 'Here you can add your own description of package ' || pacName || '.')
|
values (cust.uuid, pacName, 'Here you can add your own description of package ' || pacName || '.')
|
||||||
returning * into pac;
|
returning * into pac;
|
||||||
|
|
||||||
call grantRoleToUser(
|
call rbac.grantRoleToSubject(
|
||||||
getRoleId(testCustomerAdmin(cust)),
|
getRoleId(testCustomerAdmin(cust)),
|
||||||
findRoleId(testPackageAdmin(pac)),
|
findRoleId(testPackageAdmin(pac)),
|
||||||
rbac.create_subject('pac-admin-' || pacName || '@' || cust.prefix || '.example.com'),
|
rbac.create_subject('pac-admin-' || pacName || '@' || cust.prefix || '.example.com'),
|
||||||
|
@ -38,7 +38,7 @@ begin
|
|||||||
hsOfficeContactOWNER(NEW),
|
hsOfficeContactOWNER(NEW),
|
||||||
permissions => array['DELETE'],
|
permissions => array['DELETE'],
|
||||||
incomingSuperRoles => array[globalADMIN()],
|
incomingSuperRoles => array[globalADMIN()],
|
||||||
userUuids => array[rbac.currentSubjectUuid()]
|
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||||
);
|
);
|
||||||
|
|
||||||
perform createRoleWithGrants(
|
perform createRoleWithGrants(
|
||||||
|
@ -38,7 +38,7 @@ begin
|
|||||||
hsOfficePersonOWNER(NEW),
|
hsOfficePersonOWNER(NEW),
|
||||||
permissions => array['DELETE'],
|
permissions => array['DELETE'],
|
||||||
incomingSuperRoles => array[globalADMIN()],
|
incomingSuperRoles => array[globalADMIN()],
|
||||||
userUuids => array[rbac.currentSubjectUuid()]
|
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||||
);
|
);
|
||||||
|
|
||||||
perform createRoleWithGrants(
|
perform createRoleWithGrants(
|
||||||
|
@ -51,7 +51,7 @@ begin
|
|||||||
hsOfficeRelationOWNER(NEW),
|
hsOfficeRelationOWNER(NEW),
|
||||||
permissions => array['DELETE'],
|
permissions => array['DELETE'],
|
||||||
incomingSuperRoles => array[globalADMIN()],
|
incomingSuperRoles => array[globalADMIN()],
|
||||||
userUuids => array[rbac.currentSubjectUuid()]
|
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||||
);
|
);
|
||||||
|
|
||||||
perform createRoleWithGrants(
|
perform createRoleWithGrants(
|
||||||
|
@ -110,22 +110,22 @@ begin
|
|||||||
|
|
||||||
if NEW.partnerRelUuid <> OLD.partnerRelUuid then
|
if NEW.partnerRelUuid <> OLD.partnerRelUuid then
|
||||||
|
|
||||||
call revokePermissionFromRole(getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
|
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
|
||||||
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||||
|
|
||||||
call revokePermissionFromRole(getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationADMIN(oldPartnerRel));
|
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationADMIN(oldPartnerRel));
|
||||||
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
|
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
|
||||||
|
|
||||||
call revokePermissionFromRole(getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTENANT(oldPartnerRel));
|
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTENANT(oldPartnerRel));
|
||||||
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
|
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
|
||||||
|
|
||||||
call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
|
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
|
||||||
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
|
||||||
|
|
||||||
call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel));
|
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel));
|
||||||
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
|
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
|
||||||
|
|
||||||
call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(oldPartnerRel));
|
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(oldPartnerRel));
|
||||||
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
|
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
|
||||||
|
|
||||||
end if;
|
end if;
|
||||||
|
@ -38,7 +38,7 @@ begin
|
|||||||
hsOfficeBankAccountOWNER(NEW),
|
hsOfficeBankAccountOWNER(NEW),
|
||||||
permissions => array['DELETE'],
|
permissions => array['DELETE'],
|
||||||
incomingSuperRoles => array[globalADMIN()],
|
incomingSuperRoles => array[globalADMIN()],
|
||||||
userUuids => array[rbac.currentSubjectUuid()]
|
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||||
);
|
);
|
||||||
|
|
||||||
perform createRoleWithGrants(
|
perform createRoleWithGrants(
|
||||||
|
@ -51,7 +51,7 @@ begin
|
|||||||
hsOfficeSepaMandateOWNER(NEW),
|
hsOfficeSepaMandateOWNER(NEW),
|
||||||
permissions => array['DELETE'],
|
permissions => array['DELETE'],
|
||||||
incomingSuperRoles => array[globalADMIN()],
|
incomingSuperRoles => array[globalADMIN()],
|
||||||
userUuids => array[rbac.currentSubjectUuid()]
|
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||||
);
|
);
|
||||||
|
|
||||||
perform createRoleWithGrants(
|
perform createRoleWithGrants(
|
||||||
|
@ -45,7 +45,7 @@ begin
|
|||||||
|
|
||||||
perform createRoleWithGrants(
|
perform createRoleWithGrants(
|
||||||
hsOfficeMembershipOWNER(NEW),
|
hsOfficeMembershipOWNER(NEW),
|
||||||
userUuids => array[rbac.currentSubjectUuid()]
|
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||||
);
|
);
|
||||||
|
|
||||||
perform createRoleWithGrants(
|
perform createRoleWithGrants(
|
||||||
|
@ -53,7 +53,7 @@ begin
|
|||||||
globalADMIN(unassumed()),
|
globalADMIN(unassumed()),
|
||||||
hsBookingItemADMIN(newBookingItem),
|
hsBookingItemADMIN(newBookingItem),
|
||||||
hsHostingAssetADMIN(newParentAsset)],
|
hsHostingAssetADMIN(newParentAsset)],
|
||||||
userUuids => array[rbac.currentSubjectUuid()]
|
subjectUuids => array[rbac.currentSubjectUuid()]
|
||||||
);
|
);
|
||||||
|
|
||||||
perform createRoleWithGrants(
|
perform createRoleWithGrants(
|
||||||
|
@ -21,14 +21,14 @@ declare
|
|||||||
defaultPrefix varchar;
|
defaultPrefix varchar;
|
||||||
managedServerUuid uuid;
|
managedServerUuid uuid;
|
||||||
managedWebspaceUuid uuid;
|
managedWebspaceUuid uuid;
|
||||||
webUnixUserUuid uuid;
|
webUnixSubjectUuid uuid;
|
||||||
mboxUnixUserUuid uuid;
|
mboxUnixSubjectUuid uuid;
|
||||||
domainSetupUuid uuid;
|
domainSetupUuid uuid;
|
||||||
domainMBoxSetupUuid uuid;
|
domainMBoxSetupUuid uuid;
|
||||||
mariaDbInstanceUuid uuid;
|
mariaDbInstanceUuid uuid;
|
||||||
mariaDbUserUuid uuid;
|
mariaDbSubjectUuid uuid;
|
||||||
pgSqlInstanceUuid uuid;
|
pgSqlInstanceUuid uuid;
|
||||||
PgSqlUserUuid uuid;
|
PgSqlSubjectUuid uuid;
|
||||||
begin
|
begin
|
||||||
call basis.defineContext('creating hosting-asset test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
call basis.defineContext('creating hosting-asset test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
|
||||||
|
|
||||||
@ -68,14 +68,14 @@ begin
|
|||||||
|
|
||||||
select uuid_generate_v4() into managedServerUuid;
|
select uuid_generate_v4() into managedServerUuid;
|
||||||
select uuid_generate_v4() into managedWebspaceUuid;
|
select uuid_generate_v4() into managedWebspaceUuid;
|
||||||
select uuid_generate_v4() into webUnixUserUuid;
|
select uuid_generate_v4() into webUnixSubjectUuid;
|
||||||
select uuid_generate_v4() into mboxUnixUserUuid;
|
select uuid_generate_v4() into mboxUnixSubjectUuid;
|
||||||
select uuid_generate_v4() into domainSetupUuid;
|
select uuid_generate_v4() into domainSetupUuid;
|
||||||
select uuid_generate_v4() into domainMBoxSetupUuid;
|
select uuid_generate_v4() into domainMBoxSetupUuid;
|
||||||
select uuid_generate_v4() into mariaDbInstanceUuid;
|
select uuid_generate_v4() into mariaDbInstanceUuid;
|
||||||
select uuid_generate_v4() into mariaDbUserUuid;
|
select uuid_generate_v4() into mariaDbSubjectUuid;
|
||||||
select uuid_generate_v4() into pgSqlInstanceUuid;
|
select uuid_generate_v4() into pgSqlInstanceUuid;
|
||||||
select uuid_generate_v4() into pgSqlUserUuid;
|
select uuid_generate_v4() into pgSqlSubjectUuid;
|
||||||
debitorNumberSuffix := relatedDebitor.debitorNumberSuffix;
|
debitorNumberSuffix := relatedDebitor.debitorNumberSuffix;
|
||||||
defaultPrefix := relatedDebitor.defaultPrefix;
|
defaultPrefix := relatedDebitor.defaultPrefix;
|
||||||
|
|
||||||
@ -86,17 +86,17 @@ begin
|
|||||||
(uuid_generate_v4(), cloudServerBI.uuid, 'CLOUD_SERVER', null, null, 'vm20' || debitorNumberSuffix, 'another CloudServer', '{}'::jsonb),
|
(uuid_generate_v4(), cloudServerBI.uuid, 'CLOUD_SERVER', null, null, 'vm20' || debitorNumberSuffix, 'another CloudServer', '{}'::jsonb),
|
||||||
(managedWebspaceUuid, managedWebspaceBI.uuid, 'MANAGED_WEBSPACE', managedServerUuid, null, defaultPrefix || '01', 'some Webspace', '{}'::jsonb),
|
(managedWebspaceUuid, managedWebspaceBI.uuid, 'MANAGED_WEBSPACE', managedServerUuid, null, defaultPrefix || '01', 'some Webspace', '{}'::jsonb),
|
||||||
(mariaDbInstanceUuid, null, 'MARIADB_INSTANCE', managedServerUuid, null, 'vm10' || debitorNumberSuffix || '.MariaDB.default', 'some default MariaDB instance','{}'::jsonb),
|
(mariaDbInstanceUuid, null, 'MARIADB_INSTANCE', managedServerUuid, null, 'vm10' || debitorNumberSuffix || '.MariaDB.default', 'some default MariaDB instance','{}'::jsonb),
|
||||||
(mariaDbUserUuid, null, 'MARIADB_USER', managedWebspaceUuid, mariaDbInstanceUuid, defaultPrefix || '01_web', 'some default MariaDB user', '{ "password": "<TODO:replace-by-encrypted-mariadb-password"}'::jsonb ),
|
(mariaDbSubjectUuid, null, 'MARIADB_USER', managedWebspaceUuid, mariaDbInstanceUuid, defaultPrefix || '01_web', 'some default MariaDB user', '{ "password": "<TODO:replace-by-encrypted-mariadb-password"}'::jsonb ),
|
||||||
(uuid_generate_v4(), null, 'MARIADB_DATABASE', mariaDbUserUuid, mariaDbInstanceUuid, defaultPrefix || '01_web', 'some default MariaDB database','{ "encryption": "utf8", "collation": "utf8"}'::jsonb ),
|
(uuid_generate_v4(), null, 'MARIADB_DATABASE', mariaDbSubjectUuid, mariaDbInstanceUuid, defaultPrefix || '01_web', 'some default MariaDB database','{ "encryption": "utf8", "collation": "utf8"}'::jsonb ),
|
||||||
(pgSqlInstanceUuid, null, 'PGSQL_INSTANCE', managedServerUuid, null, 'vm10' || debitorNumberSuffix || '.Postgresql.default', 'some default Postgresql instance','{}'::jsonb),
|
(pgSqlInstanceUuid, null, 'PGSQL_INSTANCE', managedServerUuid, null, 'vm10' || debitorNumberSuffix || '.Postgresql.default', 'some default Postgresql instance','{}'::jsonb),
|
||||||
(PgSqlUserUuid, null, 'PGSQL_USER', managedWebspaceUuid, pgSqlInstanceUuid, defaultPrefix || '01_web', 'some default Postgresql user', '{ "password": "<TODO:replace-by-encrypted-postgresql-password"}'::jsonb ),
|
(PgSqlSubjectUuid, null, 'PGSQL_USER', managedWebspaceUuid, pgSqlInstanceUuid, defaultPrefix || '01_web', 'some default Postgresql user', '{ "password": "<TODO:replace-by-encrypted-postgresql-password"}'::jsonb ),
|
||||||
(uuid_generate_v4(), null, 'PGSQL_DATABASE', pgSqlUserUuid, pgSqlInstanceUuid, defaultPrefix || '01_web', 'some default Postgresql database','{ "encryption": "utf8", "collation": "utf8"}'::jsonb ),
|
(uuid_generate_v4(), null, 'PGSQL_DATABASE', pgSqlSubjectUuid, pgSqlInstanceUuid, defaultPrefix || '01_web', 'some default Postgresql database','{ "encryption": "utf8", "collation": "utf8"}'::jsonb ),
|
||||||
(uuid_generate_v4(), null, 'EMAIL_ALIAS', managedWebspaceUuid, null, defaultPrefix || '01-web', 'some E-Mail-Alias', '{ "target": [ "office@example.org", "archive@example.com" ] }'::jsonb),
|
(uuid_generate_v4(), null, 'EMAIL_ALIAS', managedWebspaceUuid, null, defaultPrefix || '01-web', 'some E-Mail-Alias', '{ "target": [ "office@example.org", "archive@example.com" ] }'::jsonb),
|
||||||
(webUnixUserUuid, null, 'UNIX_USER', managedWebspaceUuid, null, defaultPrefix || '01-web', 'some UnixUser for Website', '{ "SSD-soft-quota": "128", "SSD-hard-quota": "256", "HDD-soft-quota": "512", "HDD-hard-quota": "1024"}'::jsonb),
|
(webUnixSubjectUuid, null, 'UNIX_USER', managedWebspaceUuid, null, defaultPrefix || '01-web', 'some UnixUser for Website', '{ "SSD-soft-quota": "128", "SSD-hard-quota": "256", "HDD-soft-quota": "512", "HDD-hard-quota": "1024"}'::jsonb),
|
||||||
(mboxUnixUserUuid, null, 'UNIX_USER', managedWebspaceUuid, null, defaultPrefix || '01-mbox', 'some UnixUser for E-Mail', '{ "SSD-soft-quota": "128", "SSD-hard-quota": "256", "HDD-soft-quota": "512", "HDD-hard-quota": "1024"}'::jsonb),
|
(mboxUnixSubjectUuid, null, 'UNIX_USER', managedWebspaceUuid, null, defaultPrefix || '01-mbox', 'some UnixUser for E-Mail', '{ "SSD-soft-quota": "128", "SSD-hard-quota": "256", "HDD-soft-quota": "512", "HDD-hard-quota": "1024"}'::jsonb),
|
||||||
(domainSetupUuid, null, 'DOMAIN_SETUP', null, null, defaultPrefix || '.example.org', 'some Domain-Setup', '{}'::jsonb),
|
(domainSetupUuid, null, 'DOMAIN_SETUP', null, null, defaultPrefix || '.example.org', 'some Domain-Setup', '{}'::jsonb),
|
||||||
(uuid_generate_v4(), null, 'DOMAIN_DNS_SETUP', domainSetupUuid, null, defaultPrefix || '.example.org|DNS', 'some Domain-DNS-Setup', '{}'::jsonb),
|
(uuid_generate_v4(), null, 'DOMAIN_DNS_SETUP', domainSetupUuid, null, defaultPrefix || '.example.org|DNS', 'some Domain-DNS-Setup', '{}'::jsonb),
|
||||||
(uuid_generate_v4(), null, 'DOMAIN_HTTP_SETUP', domainSetupUuid, webUnixUserUuid, defaultPrefix || '.example.org|HTTP', 'some Domain-HTTP-Setup', '{ "option-htdocsfallback": true, "use-fcgiphpbin": "/usr/lib/cgi-bin/php", "validsubdomainnames": "*"}'::jsonb),
|
(uuid_generate_v4(), null, 'DOMAIN_HTTP_SETUP', domainSetupUuid, webUnixSubjectUuid, defaultPrefix || '.example.org|HTTP', 'some Domain-HTTP-Setup', '{ "option-htdocsfallback": true, "use-fcgiphpbin": "/usr/lib/cgi-bin/php", "validsubdomainnames": "*"}'::jsonb),
|
||||||
(uuid_generate_v4(), null, 'DOMAIN_SMTP_SETUP', domainSetupUuid, managedWebspaceUuid, defaultPrefix || '.example.org|SMTP', 'some Domain-SMTP-Setup', '{}'::jsonb),
|
(uuid_generate_v4(), null, 'DOMAIN_SMTP_SETUP', domainSetupUuid, managedWebspaceUuid, defaultPrefix || '.example.org|SMTP', 'some Domain-SMTP-Setup', '{}'::jsonb),
|
||||||
(domainMBoxSetupUuid, null, 'DOMAIN_MBOX_SETUP', domainSetupUuid, managedWebspaceUuid, defaultPrefix || '.example.org|MBOX', 'some Domain-MBOX-Setup', '{}'::jsonb),
|
(domainMBoxSetupUuid, null, 'DOMAIN_MBOX_SETUP', domainSetupUuid, managedWebspaceUuid, defaultPrefix || '.example.org|MBOX', 'some Domain-MBOX-Setup', '{}'::jsonb),
|
||||||
(uuid_generate_v4(), null, 'EMAIL_ADDRESS', domainMBoxSetupUuid, null, 'test@' || defaultPrefix || '.example.org', 'some E-Mail-Address', '{}'::jsonb);
|
(uuid_generate_v4(), null, 'EMAIL_ADDRESS', domainMBoxSetupUuid, null, 'test@' || defaultPrefix || '.example.org', 'some E-Mail-Address', '{}'::jsonb);
|
||||||
|
@ -32,7 +32,7 @@ databaseChangeLog:
|
|||||||
- include:
|
- include:
|
||||||
file: db/changelog/1-rbac/1050-rbac-base.sql
|
file: db/changelog/1-rbac/1050-rbac-base.sql
|
||||||
- include:
|
- include:
|
||||||
file: db/changelog/1-rbac/1051-rbac-user-grant.sql
|
file: db/changelog/1-rbac/1051-rbac-subject-grant.sql
|
||||||
- include:
|
- include:
|
||||||
file: db/changelog/1-rbac/1054-rbac-context.sql
|
file: db/changelog/1-rbac/1054-rbac-context.sql
|
||||||
- include:
|
- include:
|
||||||
|
@ -176,9 +176,9 @@ class HsBookingItemControllerAcceptanceTest extends ContextBasedTestWithCleanup
|
|||||||
.extract().header("Location"); // @formatter:on
|
.extract().header("Location"); // @formatter:on
|
||||||
|
|
||||||
// finally, the new bookingItem can be accessed under the generated UUID
|
// finally, the new bookingItem can be accessed under the generated UUID
|
||||||
final var newUserUuid = UUID.fromString(
|
final var newSubjectUuid = UUID.fromString(
|
||||||
location.substring(location.lastIndexOf('/') + 1));
|
location.substring(location.lastIndexOf('/') + 1));
|
||||||
assertThat(newUserUuid).isNotNull();
|
assertThat(newSubjectUuid).isNotNull();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -111,9 +111,9 @@ class HsBookingProjectControllerAcceptanceTest extends ContextBasedTestWithClean
|
|||||||
.extract().header("Location"); // @formatter:on
|
.extract().header("Location"); // @formatter:on
|
||||||
|
|
||||||
// finally, the new bookingProject can be accessed under the generated UUID
|
// finally, the new bookingProject can be accessed under the generated UUID
|
||||||
final var newUserUuid = UUID.fromString(
|
final var newSubjectUuid = UUID.fromString(
|
||||||
location.substring(location.lastIndexOf('/') + 1));
|
location.substring(location.lastIndexOf('/') + 1));
|
||||||
assertThat(newUserUuid).isNotNull();
|
assertThat(newSubjectUuid).isNotNull();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -247,9 +247,9 @@ class HsHostingAssetControllerAcceptanceTest extends ContextBasedTestWithCleanup
|
|||||||
.extract().header("Location"); // @formatter:on
|
.extract().header("Location"); // @formatter:on
|
||||||
|
|
||||||
// finally, the new asset can be accessed under the generated UUID
|
// finally, the new asset can be accessed under the generated UUID
|
||||||
final var newUserUuid = UUID.fromString(
|
final var newSubjectUuid = UUID.fromString(
|
||||||
location.substring(location.lastIndexOf('/') + 1));
|
location.substring(location.lastIndexOf('/') + 1));
|
||||||
assertThat(newUserUuid).isNotNull();
|
assertThat(newSubjectUuid).isNotNull();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
@ -143,9 +143,9 @@ class HsOfficeBankAccountControllerAcceptanceTest extends ContextBasedTestWithCl
|
|||||||
.extract().header("Location"); // @formatter:on
|
.extract().header("Location"); // @formatter:on
|
||||||
|
|
||||||
// finally, the new bankaccount can be accessed under the generated UUID
|
// finally, the new bankaccount can be accessed under the generated UUID
|
||||||
final var newUserUuid = UUID.fromString(
|
final var newSubjectUuid = UUID.fromString(
|
||||||
location.substring(location.lastIndexOf('/') + 1));
|
location.substring(location.lastIndexOf('/') + 1));
|
||||||
assertThat(newUserUuid).isNotNull();
|
assertThat(newSubjectUuid).isNotNull();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -122,9 +122,9 @@ class HsOfficeContactControllerAcceptanceTest extends ContextBasedTestWithCleanu
|
|||||||
.extract().header("Location"); // @formatter:on
|
.extract().header("Location"); // @formatter:on
|
||||||
|
|
||||||
// finally, the new contact can be accessed under the generated UUID
|
// finally, the new contact can be accessed under the generated UUID
|
||||||
final var newUserUuid = UUID.fromString(
|
final var newSubjectUuid = UUID.fromString(
|
||||||
location.substring(location.lastIndexOf('/') + 1));
|
location.substring(location.lastIndexOf('/') + 1));
|
||||||
assertThat(newUserUuid).isNotNull();
|
assertThat(newSubjectUuid).isNotNull();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -315,9 +315,9 @@ class HsOfficeDebitorControllerAcceptanceTest extends ContextBasedTestWithCleanu
|
|||||||
.extract().header("Location"); // @formatter:on
|
.extract().header("Location"); // @formatter:on
|
||||||
|
|
||||||
// finally, the new debitor can be accessed under the generated UUID
|
// finally, the new debitor can be accessed under the generated UUID
|
||||||
final var newUserUuid = UUID.fromString(
|
final var newSubjectUuid = UUID.fromString(
|
||||||
location.substring(location.lastIndexOf('/') + 1));
|
location.substring(location.lastIndexOf('/') + 1));
|
||||||
assertThat(newUserUuid).isNotNull();
|
assertThat(newSubjectUuid).isNotNull();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@ -367,9 +367,9 @@ class HsOfficeDebitorControllerAcceptanceTest extends ContextBasedTestWithCleanu
|
|||||||
.extract().header("Location"); // @formatter:on
|
.extract().header("Location"); // @formatter:on
|
||||||
|
|
||||||
// finally, the new debitor can be accessed under the generated UUID
|
// finally, the new debitor can be accessed under the generated UUID
|
||||||
final var newUserUuid = UUID.fromString(
|
final var newSubjectUuid = UUID.fromString(
|
||||||
location.substring(location.lastIndexOf('/') + 1));
|
location.substring(location.lastIndexOf('/') + 1));
|
||||||
assertThat(newUserUuid).isNotNull();
|
assertThat(newSubjectUuid).isNotNull();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
@ -204,10 +204,10 @@ class HsOfficeMembershipControllerAcceptanceTest extends ContextBasedTestWithCle
|
|||||||
.extract().header("Location"); // @formatter:on
|
.extract().header("Location"); // @formatter:on
|
||||||
|
|
||||||
// finally, the new membership can be accessed under the generated UUID
|
// finally, the new membership can be accessed under the generated UUID
|
||||||
final var newUserUuid = UUID.fromString(
|
final var newSubjectUuid = UUID.fromString(
|
||||||
location.substring(location.lastIndexOf('/') + 1));
|
location.substring(location.lastIndexOf('/') + 1));
|
||||||
assertThat(newUserUuid).isNotNull();
|
assertThat(newSubjectUuid).isNotNull();
|
||||||
assertThat(membershipRepo.findByUuid(newUserUuid)).isPresent();
|
assertThat(membershipRepo.findByUuid(newSubjectUuid)).isPresent();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -141,9 +141,9 @@ class HsOfficePartnerControllerAcceptanceTest extends ContextBasedTestWithCleanu
|
|||||||
.extract().header("Location"); // @formatter:on
|
.extract().header("Location"); // @formatter:on
|
||||||
|
|
||||||
// finally, the new partner can be accessed under the generated UUID
|
// finally, the new partner can be accessed under the generated UUID
|
||||||
final var newUserUuid = UUID.fromString(
|
final var newSubjectUuid = UUID.fromString(
|
||||||
location.substring(location.lastIndexOf('/') + 1));
|
location.substring(location.lastIndexOf('/') + 1));
|
||||||
assertThat(newUserUuid).isNotNull();
|
assertThat(newSubjectUuid).isNotNull();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
@ -99,9 +99,9 @@ class HsOfficePersonControllerAcceptanceTest extends ContextBasedTestWithCleanup
|
|||||||
.extract().header("Location"); // @formatter:on
|
.extract().header("Location"); // @formatter:on
|
||||||
|
|
||||||
// finally, the new person can be accessed under the generated UUID
|
// finally, the new person can be accessed under the generated UUID
|
||||||
final var newUserUuid = UUID.fromString(
|
final var newSubjectUuid = UUID.fromString(
|
||||||
location.substring(location.lastIndexOf('/') + 1));
|
location.substring(location.lastIndexOf('/') + 1));
|
||||||
assertThat(newUserUuid).isNotNull();
|
assertThat(newSubjectUuid).isNotNull();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -161,9 +161,9 @@ class HsOfficeRelationControllerAcceptanceTest extends ContextBasedTestWithClean
|
|||||||
.extract().header("Location"); // @formatter:on
|
.extract().header("Location"); // @formatter:on
|
||||||
|
|
||||||
// finally, the new relation can be accessed under the generated UUID
|
// finally, the new relation can be accessed under the generated UUID
|
||||||
final var newUserUuid = toCleanup(HsOfficeRelationRealEntity.class, UUID.fromString(
|
final var newSubjectUuid = toCleanup(HsOfficeRelationRealEntity.class, UUID.fromString(
|
||||||
location.substring(location.lastIndexOf('/') + 1)));
|
location.substring(location.lastIndexOf('/') + 1)));
|
||||||
assertThat(newUserUuid).isNotNull();
|
assertThat(newSubjectUuid).isNotNull();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
@ -138,9 +138,9 @@ class HsOfficeSepaMandateControllerAcceptanceTest extends ContextBasedTestWithCl
|
|||||||
.extract().header("Location"); // @formatter:on
|
.extract().header("Location"); // @formatter:on
|
||||||
|
|
||||||
// finally, the new sepaMandate can be accessed under the generated UUID
|
// finally, the new sepaMandate can be accessed under the generated UUID
|
||||||
final var newUserUuid = UUID.fromString(
|
final var newSubjectUuid = UUID.fromString(
|
||||||
location.substring(location.lastIndexOf('/') + 1));
|
location.substring(location.lastIndexOf('/') + 1));
|
||||||
assertThat(newUserUuid).isNotNull();
|
assertThat(newSubjectUuid).isNotNull();
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO.test: move validation tests to a ...WebMvcTest
|
// TODO.test: move validation tests to a ...WebMvcTest
|
||||||
|
@ -238,7 +238,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Nested
|
@Nested
|
||||||
class GrantRoleToUser {
|
class GrantRoleToSubject {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
void packageAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() {
|
void packageAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() {
|
||||||
@ -295,7 +295,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Nested
|
@Nested
|
||||||
class RevokeRoleFromUser {
|
class RevokeRoleFromSubject {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@Transactional(propagation = Propagation.NEVER)
|
@Transactional(propagation = Propagation.NEVER)
|
||||||
@ -389,7 +389,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
{
|
{
|
||||||
"assumed": true,
|
"assumed": true,
|
||||||
"grantedRoleUuid": "%s",
|
"grantedRoleUuid": "%s",
|
||||||
"granteeUserUuid": "%s"
|
"granteeSubjectUuid": "%s"
|
||||||
}
|
}
|
||||||
""".formatted(
|
""".formatted(
|
||||||
grantedRole.getUuid(),
|
grantedRole.getUuid(),
|
||||||
@ -425,7 +425,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
|||||||
{
|
{
|
||||||
"assumed": true,
|
"assumed": true,
|
||||||
"grantedRoleUuid": "%s",
|
"grantedRoleUuid": "%s",
|
||||||
"granteeUserUuid": "%s"
|
"granteeSubjectUuid": "%s"
|
||||||
}
|
}
|
||||||
""".formatted(
|
""".formatted(
|
||||||
grantedRole.getUuid(),
|
grantedRole.getUuid(),
|
||||||
|
@ -13,16 +13,16 @@ class RbacGrantEntityUnitTest {
|
|||||||
void getRbacGrantId() {
|
void getRbacGrantId() {
|
||||||
// given
|
// given
|
||||||
final var grantedRoleUuid = UUID.randomUUID();
|
final var grantedRoleUuid = UUID.randomUUID();
|
||||||
final var granteeUserUuid = UUID.randomUUID();
|
final var granteeSubjectUuid = UUID.randomUUID();
|
||||||
final var entity = new RbacGrantEntity();
|
final var entity = new RbacGrantEntity();
|
||||||
entity.setGrantedRoleUuid(grantedRoleUuid);
|
entity.setGrantedRoleUuid(grantedRoleUuid);
|
||||||
entity.setGranteeUserUuid(granteeUserUuid);
|
entity.setGranteeSubjectUuid(granteeSubjectUuid);
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var grantId = entity.getRbacGrantId();
|
final var grantId = entity.getRbacGrantId();
|
||||||
|
|
||||||
// then
|
// then
|
||||||
assertThat(grantId).isEqualTo(new RbacGrantId(granteeUserUuid, grantedRoleUuid));
|
assertThat(grantId).isEqualTo(new RbacGrantId(granteeSubjectUuid, grantedRoleUuid));
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
@ -103,18 +103,18 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Nested
|
@Nested
|
||||||
class GrantRoleToUser {
|
class GrantRoleToSubject {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void customerAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() {
|
public void customerAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() {
|
||||||
// given
|
// given
|
||||||
context("customer-admin@xxx.example.com", "test_customer#xxx:ADMIN");
|
context("customer-admin@xxx.example.com", "test_customer#xxx:ADMIN");
|
||||||
final var givenArbitraryUserUuid = rbacUserRepository.findByName("pac-admin-zzz00@zzz.example.com").getUuid();
|
final var givenArbitrarySubjectUuid = rbacUserRepository.findByName("pac-admin-zzz00@zzz.example.com").getUuid();
|
||||||
final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("test_package#xxx00:ADMIN").getUuid();
|
final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("test_package#xxx00:ADMIN").getUuid();
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var grant = RbacGrantEntity.builder()
|
final var grant = RbacGrantEntity.builder()
|
||||||
.granteeUserUuid(givenArbitraryUserUuid).grantedRoleUuid(givenOwnPackageRoleUuid)
|
.granteeSubjectUuid(givenArbitrarySubjectUuid).grantedRoleUuid(givenOwnPackageRoleUuid)
|
||||||
.assumed(true)
|
.assumed(true)
|
||||||
.build();
|
.build();
|
||||||
final var attempt = attempt(em, () ->
|
final var attempt = attempt(em, () ->
|
||||||
@ -148,7 +148,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
// now we try to use these uuids as a less privileged user
|
// now we try to use these uuids as a less privileged user
|
||||||
context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00:ADMIN");
|
context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00:ADMIN");
|
||||||
final var grant = RbacGrantEntity.builder()
|
final var grant = RbacGrantEntity.builder()
|
||||||
.granteeUserUuid(given.arbitraryUser.getUuid())
|
.granteeSubjectUuid(given.arbitraryUser.getUuid())
|
||||||
.grantedRoleUuid(given.packageOwnerRoleUuid)
|
.grantedRoleUuid(given.packageOwnerRoleUuid)
|
||||||
.assumed(true)
|
.assumed(true)
|
||||||
.build();
|
.build();
|
||||||
@ -170,7 +170,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
}
|
}
|
||||||
|
|
||||||
@Nested
|
@Nested
|
||||||
class RevokeRoleFromUser {
|
class revokeRoleFromSubject {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void customerAdmin_canRevokeSelfGrantedPackageAdminRole() {
|
public void customerAdmin_canRevokeSelfGrantedPackageAdminRole() {
|
||||||
@ -236,11 +236,11 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
|
|
||||||
private RbacGrantEntity create(GrantBuilder with) {
|
private RbacGrantEntity create(GrantBuilder with) {
|
||||||
context(with.byUserName, with.assumedRole);
|
context(with.byUserName, with.assumedRole);
|
||||||
final var givenArbitraryUserUuid = rbacUserRepository.findByName(with.granteeUserName).getUuid();
|
final var givenArbitrarySubjectUuid = rbacUserRepository.findByName(with.granteeUserName).getUuid();
|
||||||
final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName(with.grantedRole).getUuid();
|
final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName(with.grantedRole).getUuid();
|
||||||
|
|
||||||
final var grant = RbacGrantEntity.builder()
|
final var grant = RbacGrantEntity.builder()
|
||||||
.granteeUserUuid(givenArbitraryUserUuid).grantedRoleUuid(givenOwnPackageRoleUuid)
|
.granteeSubjectUuid(givenArbitrarySubjectUuid).grantedRoleUuid(givenOwnPackageRoleUuid)
|
||||||
.assumed(true)
|
.assumed(true)
|
||||||
.build();
|
.build();
|
||||||
final var grantAttempt = attempt(em, () ->
|
final var grantAttempt = attempt(em, () ->
|
||||||
|
@ -63,10 +63,10 @@ class RbacUserControllerAcceptanceTest {
|
|||||||
// @formatter:on
|
// @formatter:on
|
||||||
|
|
||||||
// finally, the user can view its own record
|
// finally, the user can view its own record
|
||||||
final var newUserUuid = UUID.fromString(
|
final var newSubjectUuid = UUID.fromString(
|
||||||
location.substring(location.lastIndexOf('/') + 1));
|
location.substring(location.lastIndexOf('/') + 1));
|
||||||
context.define("new-user@example.com");
|
context.define("new-user@example.com");
|
||||||
assertThat(rbacUserRepository.findByUuid(newUserUuid))
|
assertThat(rbacUserRepository.findByUuid(newSubjectUuid))
|
||||||
.extracting(RbacUserEntity::getName).isEqualTo("new-user@example.com");
|
.extracting(RbacUserEntity::getName).isEqualTo("new-user@example.com");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -232,7 +232,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
context("superuser-alex@hostsharing.net");
|
context("superuser-alex@hostsharing.net");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("superuser-fran@hostsharing.net"))
|
final var result = rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid("superuser-fran@hostsharing.net"))
|
||||||
.stream().filter(p -> p.getObjectTable().contains("test_"))
|
.stream().filter(p -> p.getObjectTable().contains("test_"))
|
||||||
.sorted(comparing(RbacUserPermission::toString)).toList();
|
.sorted(comparing(RbacUserPermission::toString)).toList();
|
||||||
|
|
||||||
@ -246,7 +246,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
context("customer-admin@xxx.example.com");
|
context("customer-admin@xxx.example.com");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("customer-admin@xxx.example.com"));
|
final var result = rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid("customer-admin@xxx.example.com"));
|
||||||
|
|
||||||
// then
|
// then
|
||||||
allTheseRbacPermissionsAreReturned(
|
allTheseRbacPermissionsAreReturned(
|
||||||
@ -286,17 +286,17 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
public void customerAdmin_withoutAssumedRole_isNotAllowedToViewGlobalAdminsPermissions() {
|
public void customerAdmin_withoutAssumedRole_isNotAllowedToViewGlobalAdminsPermissions() {
|
||||||
// given
|
// given
|
||||||
context("customer-admin@xxx.example.com");
|
context("customer-admin@xxx.example.com");
|
||||||
final UUID userUuid = userUUID("superuser-alex@hostsharing.net");
|
final UUID subjectUuid = subjectUuid("superuser-alex@hostsharing.net");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = attempt(em, () ->
|
final var result = attempt(em, () ->
|
||||||
rbacUserRepository.findPermissionsOfUserByUuid(userUuid)
|
rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid)
|
||||||
);
|
);
|
||||||
|
|
||||||
// then
|
// then
|
||||||
result.assertExceptionWithRootCauseMessage(
|
result.assertExceptionWithRootCauseMessage(
|
||||||
JpaSystemException.class,
|
JpaSystemException.class,
|
||||||
"[403] permissions of user \"" + userUuid
|
"[403] permissions of user \"" + subjectUuid
|
||||||
+ "\" are not accessible to user \"customer-admin@xxx.example.com\"");
|
+ "\" are not accessible to user \"customer-admin@xxx.example.com\"");
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -306,7 +306,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
context("customer-admin@xxx.example.com");
|
context("customer-admin@xxx.example.com");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("pac-admin-xxx00@xxx.example.com"));
|
final var result = rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid("pac-admin-xxx00@xxx.example.com"));
|
||||||
|
|
||||||
// then
|
// then
|
||||||
allTheseRbacPermissionsAreReturned(
|
allTheseRbacPermissionsAreReturned(
|
||||||
@ -342,7 +342,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
context("customer-admin@xxx.example.com");
|
context("customer-admin@xxx.example.com");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("pac-admin-yyy00@yyy.example.com"));
|
final var result = rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid("pac-admin-yyy00@yyy.example.com"));
|
||||||
|
|
||||||
// then
|
// then
|
||||||
noRbacPermissionsAreReturned(result);
|
noRbacPermissionsAreReturned(result);
|
||||||
@ -354,7 +354,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
context("pac-admin-xxx00@xxx.example.com");
|
context("pac-admin-xxx00@xxx.example.com");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("pac-admin-xxx00@xxx.example.com"));
|
final var result = rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid("pac-admin-xxx00@xxx.example.com"));
|
||||||
|
|
||||||
// then
|
// then
|
||||||
allTheseRbacPermissionsAreReturned(
|
allTheseRbacPermissionsAreReturned(
|
||||||
@ -385,7 +385,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
UUID userUUID(final String userName) {
|
UUID subjectUuid(final String userName) {
|
||||||
return rbacUserRepository.findByName(userName).getUuid();
|
return rbacUserRepository.findByName(userName).getUuid();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -18,7 +18,6 @@ import org.springframework.data.repository.Repository;
|
|||||||
import org.springframework.transaction.PlatformTransactionManager;
|
import org.springframework.transaction.PlatformTransactionManager;
|
||||||
|
|
||||||
import jakarta.persistence.*;
|
import jakarta.persistence.*;
|
||||||
import jakarta.transaction.Transactional;
|
|
||||||
import java.util.*;
|
import java.util.*;
|
||||||
import java.util.concurrent.atomic.AtomicBoolean;
|
import java.util.concurrent.atomic.AtomicBoolean;
|
||||||
import java.util.function.Supplier;
|
import java.util.function.Supplier;
|
||||||
|
@ -146,10 +146,10 @@ class TestCustomerControllerAcceptanceTest {
|
|||||||
.extract().header("Location"); // @formatter:on
|
.extract().header("Location"); // @formatter:on
|
||||||
|
|
||||||
// finally, the new customer can be viewed by its own admin
|
// finally, the new customer can be viewed by its own admin
|
||||||
final var newUserUuid = UUID.fromString(
|
final var newSubjectUuid = UUID.fromString(
|
||||||
location.substring(location.lastIndexOf('/') + 1));
|
location.substring(location.lastIndexOf('/') + 1));
|
||||||
context.define("superuser-fran@hostsharing.net", "test_customer#uuu:ADMIN");
|
context.define("superuser-fran@hostsharing.net", "test_customer#uuu:ADMIN");
|
||||||
assertThat(testCustomerRepository.findByUuid(newUserUuid))
|
assertThat(testCustomerRepository.findByUuid(newSubjectUuid))
|
||||||
.hasValueSatisfying(c -> assertThat(c.getPrefix()).isEqualTo("uuu"));
|
.hasValueSatisfying(c -> assertThat(c.getPrefix()).isEqualTo("uuu"));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user