Compare commits


No commits in common. "e3f48127d2eb6418b82262c70a9f8b9a64ac8d71" and "ba226fd802ffa0419e56a3dff95ac0325bcda302" have entirely different histories.

50 changed files with 163 additions and 162 deletions


@ -467,7 +467,7 @@ public class RbacView {
return new RbacExampleRole(entityAlias, role); return new RbacExampleRole(entityAlias, role);
} }
private RbacGrantDefinition grantRoleToSubject(final RbacRoleDefinition roleDefinition, final RbacUserReference user) { private RbacGrantDefinition grantRoleToUser(final RbacRoleDefinition roleDefinition, final RbacUserReference user) {
return findOrCreateGrantDef(roleDefinition, user).toCreate(); return findOrCreateGrantDef(roleDefinition, user).toCreate();
} }
@ -771,7 +771,7 @@ public class RbacView {
* The grant definition for further chained calls. * The grant definition for further chained calls.
*/ */
public RbacGrantDefinition owningUser(final RbacUserReference.UserRole userRole) { public RbacGrantDefinition owningUser(final RbacUserReference.UserRole userRole) {
return grantRoleToSubject(this, findUserRef(userRole)); return grantRoleToUser(this, findUserRef(userRole));
} }
/** /**


@ -312,7 +312,7 @@ class RolesGrantsAndPermissionsGenerator {
case ROLE_TO_ROLE -> "call revokeRoleFromRole(${subRoleRef}, ${superRoleRef});" case ROLE_TO_ROLE -> "call revokeRoleFromRole(${subRoleRef}, ${superRoleRef});"
.replace("${subRoleRef}", roleRef(OLD, grantDef.getSubRoleDef())) .replace("${subRoleRef}", roleRef(OLD, grantDef.getSubRoleDef()))
.replace("${superRoleRef}", roleRef(OLD, grantDef.getSuperRoleDef())); .replace("${superRoleRef}", roleRef(OLD, grantDef.getSuperRoleDef()));
case PERM_TO_ROLE -> "call rbac.revokePermissionFromRole(${permRef}, ${superRoleRef});" case PERM_TO_ROLE -> "call revokePermissionFromRole(${permRef}, ${superRoleRef});"
.replace("${permRef}", getPerm(OLD, grantDef.getPermDef())) .replace("${permRef}", getPerm(OLD, grantDef.getPermDef()))
.replace("${superRoleRef}", roleRef(OLD, grantDef.getSuperRoleDef())); .replace("${superRoleRef}", roleRef(OLD, grantDef.getSuperRoleDef()));
}; };
@ -415,7 +415,7 @@ class RolesGrantsAndPermissionsGenerator {
.map(this::toPlPgSqlReference) .map(this::toPlPgSqlReference)
.toList(); .toList();
plPgSql.indented(() -> plPgSql.indented(() ->
plPgSql.writeLn("subjectUuids => array[" + joinArrayElements(arrayElements, 2) + "],\n")); plPgSql.writeLn("userUuids => array[" + joinArrayElements(arrayElements, 2) + "],\n"));
rbacGrants.removeAll(grantsToUsers); rbacGrants.removeAll(grantsToUsers);
} }
} }
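Review bot: The SQL emitted at `case PERM_TO_ROLE` is a string literal whose procedure name has to agree with the changeset that defines it (`revokePermissionFromRole` elsewhere in this compare), and the two columns disagree on whether that call is schema-qualified, while the `ROLE_TO_ROLE` case two lines above calls `revokeRoleFromRole` unqualified in both. An unqualified call is resolved through the caller's `search_path` at execution time, so for grant-revoking procedures I would qualify both calls with the schema the migration creates them in, e.g. `"call rbac.revokePermissionFromRole(${permRef}, ${superRoleRef});"` and `"call rbac.revokeRoleFromRole(${subRoleRef}, ${superRoleRef});"`, provided `revokeRoleFromRole` lives in that schema too (its definition is not visible here). The same name-agreement concern applies to the `subjectUuids =>`/`userUuids =>` named argument written in the second hunk, which must match the parameter name of `createRoleWithGrants` in the rbac-role changeset and otherwise fails only when the generated SQL runs. Both hunks sit inside methods whose start lies outside the hunk.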


@ -36,11 +36,11 @@ public class RbacGrantController implements RbacGrantsApi {
final String currentSubject, final String currentSubject,
final String assumedRoles, final String assumedRoles,
final UUID grantedRoleUuid, final UUID grantedRoleUuid,
final UUID granteeSubjectUuid) { final UUID granteeUserUuid) {
context.define(currentSubject, assumedRoles); context.define(currentSubject, assumedRoles);
final var id = new RbacGrantId(granteeSubjectUuid, grantedRoleUuid); final var id = new RbacGrantId(granteeUserUuid, grantedRoleUuid);
final var result = rbacGrantRepository.findById(id); final var result = rbacGrantRepository.findById(id);
if (result == null) { if (result == null) {
return ResponseEntity.notFound().build(); return ResponseEntity.notFound().build();
@ -61,7 +61,7 @@ public class RbacGrantController implements RbacGrantsApi {
@Override @Override
@Transactional @Transactional
public ResponseEntity<RbacGrantResource> grantRoleToSubject( public ResponseEntity<RbacGrantResource> grantRoleToUser(
final String currentSubject, final String currentSubject,
final String assumedRoles, final String assumedRoles,
final RbacGrantResource body) { final RbacGrantResource body) {
@ -82,22 +82,22 @@ public class RbacGrantController implements RbacGrantsApi {
@Override @Override
@Transactional @Transactional
public ResponseEntity<Void> revokeRoleFromSubject( public ResponseEntity<Void> revokeRoleFromUser(
final String currentSubject, final String currentSubject,
final String assumedRoles, final String assumedRoles,
final UUID grantedRoleUuid, final UUID grantedRoleUuid,
final UUID granteeSubjectUuid) { final UUID granteeUserUuid) {
context.define(currentSubject, assumedRoles); context.define(currentSubject, assumedRoles);
rbacGrantRepository.deleteByRbacGrantId(new RbacGrantId(granteeSubjectUuid, grantedRoleUuid)); rbacGrantRepository.deleteByRbacGrantId(new RbacGrantId(granteeUserUuid, grantedRoleUuid));
return ResponseEntity.noContent().build(); return ResponseEntity.noContent().build();
} }
// TODO.feat: implement an endpoint to create a Mermaid flowchart with all grants of a given user // TODO: implement an endpoint to create a Mermaid flowchart with all grants of a given user
// @GetMapping( // @GetMapping(
// path = "/api/rbac/users/{subjectUuid}/grants", // path = "/api/rbac/users/{userUuid}/grants",
// produces = {"text/vnd.mermaid"}) // produces = {"text/vnd.mermaid"})
// @Transactional(readOnly = true) // @Transactional(readOnly = true)
// public ResponseEntity<String> allGrantsOfUserAsMermaid( // public ResponseEntity<String> allGrantsOfUserAsMermaid(


@ -36,8 +36,8 @@ public class RbacGrantEntity {
private String granteeUserName; private String granteeUserName;
@Id @Id
@Column(name = "subjectuuid") @Column(name = "useruuid")
private UUID granteeSubjectUuid; private UUID granteeUserUuid;
private boolean assumed; private boolean assumed;
@ -55,7 +55,7 @@ public class RbacGrantEntity {
private RbacRoleType grantedRoleType; private RbacRoleType grantedRoleType;
RbacGrantId getRbacGrantId() { RbacGrantId getRbacGrantId() {
return new RbacGrantId(granteeSubjectUuid, grantedRoleUuid); return new RbacGrantId(granteeUserUuid, grantedRoleUuid);
} }
public String toDisplay() { public String toDisplay() {
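Review bot: The `@Column(name = ...)` on the grantee-UUID field names a column alias of the `rbacgrants_rv` view rather than a physical table column, and nothing at that line says so; the alias is defined in the rbacgrants_rv changeset (`g.ascendantUuid as userUuid` / `as subjectUuid`) and the same property is referenced by name in the JPQL of RbacGrantRepository, so a rename that misses one of the three places is only detected at runtime. I would add above the annotation `// column alias of the rbacgrants_rv view; keep in sync with the view definition and the queries in RbacGrantRepository`. The class continues outside both hunks.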


@ -14,6 +14,6 @@ import java.util.UUID;
@AllArgsConstructor @AllArgsConstructor
public class RbacGrantId implements Serializable { public class RbacGrantId implements Serializable {
private UUID granteeSubjectUuid; private UUID granteeUserUuid;
private UUID grantedRoleUuid; private UUID grantedRoleUuid;
} }


@ -11,7 +11,7 @@ public interface RbacGrantRepository extends Repository<RbacGrantEntity, RbacGra
@Query(value = """ @Query(value = """
select g from RbacGrantEntity as g select g from RbacGrantEntity as g
where g.grantedRoleUuid=:#{#rbacGrantId.grantedRoleUuid} where g.grantedRoleUuid=:#{#rbacGrantId.grantedRoleUuid}
and g.granteeSubjectUuid=:#{#rbacGrantId.granteeSubjectUuid} and g.granteeUserUuid=:#{#rbacGrantId.granteeUserUuid}
""") """)
RbacGrantEntity findById(RbacGrantId rbacGrantId); RbacGrantEntity findById(RbacGrantId rbacGrantId);
@ -25,7 +25,7 @@ public interface RbacGrantRepository extends Repository<RbacGrantEntity, RbacGra
@Query(value = """ @Query(value = """
delete from RbacGrantEntity as g delete from RbacGrantEntity as g
where g.grantedRoleUuid=:#{#rbacGrantId.grantedRoleUuid} where g.grantedRoleUuid=:#{#rbacGrantId.grantedRoleUuid}
and g.granteeSubjectUuid=:#{#rbacGrantId.granteeSubjectUuid} and g.granteeUserUuid=:#{#rbacGrantId.granteeUserUuid}
""") """)
void deleteByRbacGrantId(RbacGrantId rbacGrantId); void deleteByRbacGrantId(RbacGrantId rbacGrantId);
} }


@ -51,11 +51,11 @@ public class RbacUserController implements RbacUsersApi {
public ResponseEntity<Void> deleteUserByUuid( public ResponseEntity<Void> deleteUserByUuid(
final String currentSubject, final String currentSubject,
final String assumedRoles, final String assumedRoles,
final UUID subjectUuid final UUID userUuid
) { ) {
context.define(currentSubject, assumedRoles); context.define(currentSubject, assumedRoles);
rbacUserRepository.deleteByUuid(subjectUuid); rbacUserRepository.deleteByUuid(userUuid);
return ResponseEntity.noContent().build(); return ResponseEntity.noContent().build();
} }
@ -65,11 +65,11 @@ public class RbacUserController implements RbacUsersApi {
public ResponseEntity<RbacUserResource> getUserById( public ResponseEntity<RbacUserResource> getUserById(
final String currentSubject, final String currentSubject,
final String assumedRoles, final String assumedRoles,
final UUID subjectUuid) { final UUID userUuid) {
context.define(currentSubject, assumedRoles); context.define(currentSubject, assumedRoles);
final var result = rbacUserRepository.findByUuid(subjectUuid); final var result = rbacUserRepository.findByUuid(userUuid);
if (result == null) { if (result == null) {
return ResponseEntity.notFound().build(); return ResponseEntity.notFound().build();
} }
@ -93,12 +93,12 @@ public class RbacUserController implements RbacUsersApi {
public ResponseEntity<List<RbacUserPermissionResource>> listUserPermissions( public ResponseEntity<List<RbacUserPermissionResource>> listUserPermissions(
final String currentSubject, final String currentSubject,
final String assumedRoles, final String assumedRoles,
final UUID subjectUuid final UUID userUuid
) { ) {
context.define(currentSubject, assumedRoles); context.define(currentSubject, assumedRoles);
return ResponseEntity.ok(mapper.mapList( return ResponseEntity.ok(mapper.mapList(
rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid), rbacUserRepository.findPermissionsOfUserByUuid(userUuid),
RbacUserPermissionResource.class)); RbacUserPermissionResource.class));
} }
} }


@ -22,8 +22,8 @@ public interface RbacUserRepository extends Repository<RbacUserEntity, UUID> {
RbacUserEntity findByUuid(UUID uuid); RbacUserEntity findByUuid(UUID uuid);
@Query(value = "select * from grantedPermissions(:subjectUuid)", nativeQuery = true) @Query(value = "select * from grantedPermissions(:userUuid)", nativeQuery = true)
List<RbacUserPermission> findPermissionsOfUserByUuid(UUID subjectUuid); List<RbacUserPermission> findPermissionsOfUserByUuid(UUID userUuid);
/* /*
Can't use save/saveAndFlush from SpringData because the uuid is not generated on the entity level, Can't use save/saveAndFlush from SpringData because the uuid is not generated on the entity level,
@ -42,5 +42,5 @@ public interface RbacUserRepository extends Repository<RbacUserEntity, UUID> {
return rbacUserEntity; return rbacUserEntity;
} }
void deleteByUuid(UUID subjectUuid); void deleteByUuid(UUID userUuid);
} }
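Review bot: The native query `select * from grantedPermissions(:userUuid)` (or `:subjectUuid`, whichever name lands) binds the placeholder by name, but the method parameter carries no `@Param`, so the binding relies on parameter names being retained at compile time via `-parameters`, which this page cannot confirm; if that flag is missing, the rename only fails at runtime. Making the binding explicit removes the dependency on compiler flags: `List<RbacUserPermission> findPermissionsOfUserByUuid(@Param("userUuid") UUID userUuid);` with `org.springframework.data.repository.query.Param` imported. The same consideration applies to `deleteByUuid` only if it is backed by a named-parameter query, which is not visible here.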


@ -20,9 +20,9 @@ components:
format: uuid format: uuid
granteeUserName: granteeUserName:
type: string type: string
granteeSubjectUuid: granteeUserUuid:
type: string type: string
format: uuid format: uuid
required: required:
- grantedRoleUuid - grantedRoleUuid
- granteeSubjectUuid - granteeUserUuid


@ -12,7 +12,7 @@ get:
type: string type: string
format: uuid format: uuid
description: UUID of the granted role. description: UUID of the granted role.
- name: granteeSubjectUuid - name: granteeUserUuid
in: path in: path
required: true required: true
schema: schema:
@ -36,7 +36,7 @@ get:
delete: delete:
tags: tags:
- rbac-grants - rbac-grants
operationId: revokeRoleFromSubject operationId: revokeRoleFromUser
parameters: parameters:
- $ref: 'auth.yaml#/components/parameters/currentSubject' - $ref: 'auth.yaml#/components/parameters/currentSubject'
- $ref: 'auth.yaml#/components/parameters/assumedRoles' - $ref: 'auth.yaml#/components/parameters/assumedRoles'
@ -47,7 +47,7 @@ delete:
type: string type: string
format: uuid format: uuid
description: UUID of the granted role. description: UUID of the granted role.
- name: granteeSubjectUuid - name: granteeUserUuid
in: path in: path
required: true required: true
schema: schema:


@ -18,7 +18,7 @@ get:
post: post:
tags: tags:
- rbac-grants - rbac-grants
operationId: grantRoleToSubject operationId: grantRoleToUser
parameters: parameters:
- $ref: 'auth.yaml#/components/parameters/currentSubject' - $ref: 'auth.yaml#/components/parameters/currentSubject'
- $ref: 'auth.yaml#/components/parameters/assumedRoles' - $ref: 'auth.yaml#/components/parameters/assumedRoles'


@ -6,7 +6,7 @@ get:
parameters: parameters:
- $ref: 'auth.yaml#/components/parameters/currentSubject' - $ref: 'auth.yaml#/components/parameters/currentSubject'
- $ref: 'auth.yaml#/components/parameters/assumedRoles' - $ref: 'auth.yaml#/components/parameters/assumedRoles'
- name: subjectUuid - name: userUuid
in: path in: path
required: true required: true
schema: schema:


@ -6,7 +6,7 @@ get:
parameters: parameters:
- $ref: 'auth.yaml#/components/parameters/currentSubject' - $ref: 'auth.yaml#/components/parameters/currentSubject'
- $ref: 'auth.yaml#/components/parameters/assumedRoles' - $ref: 'auth.yaml#/components/parameters/assumedRoles'
- name: subjectUuid - name: userUuid
in: path in: path
required: true required: true
schema: schema:
@ -33,7 +33,7 @@ delete:
parameters: parameters:
- $ref: 'auth.yaml#/components/parameters/currentSubject' - $ref: 'auth.yaml#/components/parameters/currentSubject'
- $ref: 'auth.yaml#/components/parameters/assumedRoles' - $ref: 'auth.yaml#/components/parameters/assumedRoles'
- name: subjectUuid - name: userUuid
in: path in: path
required: true required: true
schema: schema:


@ -11,10 +11,10 @@ paths:
/api/rbac/users: /api/rbac/users:
$ref: 'rbac-users.yaml' $ref: 'rbac-users.yaml'
/api/rbac/users/{subjectUuid}/permissions: /api/rbac/users/{userUuid}/permissions:
$ref: 'rbac-users-with-id-permissions.yaml' $ref: 'rbac-users-with-id-permissions.yaml'
/api/rbac/users/{subjectUuid}: /api/rbac/users/{userUuid}:
$ref: 'rbac-users-with-uuid.yaml' $ref: 'rbac-users-with-uuid.yaml'
/api/rbac/roles: /api/rbac/roles:
@ -23,6 +23,6 @@ paths:
/api/rbac/grants: /api/rbac/grants:
$ref: 'rbac-grants.yaml' $ref: 'rbac-grants.yaml'
/api/rbac/grants/{grantedRoleUuid}/{granteeSubjectUuid}: /api/rbac/grants/{grantedRoleUuid}/{granteeUserUuid}:
$ref: 'rbac-grants-with-id.yaml' $ref: 'rbac-grants-with-id.yaml'


@ -672,7 +672,7 @@ begin
end if; end if;
end; $$; end; $$;
create or replace procedure rbac.revokePermissionFromRole(permissionId UUID, superRole RbacRoleDescriptor) create or replace procedure revokePermissionFromRole(permissionId UUID, superRole RbacRoleDescriptor)
language plpgsql as $$ language plpgsql as $$
declare declare
superRoleId uuid; superRoleId uuid;


@ -20,21 +20,21 @@ begin
return currentSubjectOrAssumedRolesUuids[1]; return currentSubjectOrAssumedRolesUuids[1];
end; $$; end; $$;
create or replace procedure rbac.grantRoleToUserUnchecked(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid, doAssume boolean = true) create or replace procedure grantRoleToUserUnchecked(grantedByRoleUuid uuid, grantedRoleUuid uuid, userUuid uuid, doAssume boolean = true)
language plpgsql as $$ language plpgsql as $$
begin begin
perform rbac.assertReferenceType('grantingRoleUuid', grantedByRoleUuid, 'RbacRole'); perform rbac.assertReferenceType('grantingRoleUuid', grantedByRoleUuid, 'RbacRole');
perform rbac.assertReferenceType('roleId (descendant)', grantedRoleUuid, 'RbacRole'); perform rbac.assertReferenceType('roleId (descendant)', grantedRoleUuid, 'RbacRole');
perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject'); perform rbac.assertReferenceType('userId (ascendant)', userUuid, 'rbac.subject');
insert insert
into RbacGrants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed) into RbacGrants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume) values (grantedByRoleUuid, userUuid, grantedRoleUuid, doAssume)
-- TODO: check if grantedByRoleUuid+doAssume are the same, otherwise raise exception? -- TODO: check if grantedByRoleUuid+doAssume are the same, otherwise raise exception?
on conflict do nothing; -- allow granting multiple times on conflict do nothing; -- allow granting multiple times
end; $$; end; $$;
create or replace procedure rbac.grantRoleToSubject(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid, doAssume boolean = true) create or replace procedure grantRoleToUser(grantedByRoleUuid uuid, grantedRoleUuid uuid, userUuid uuid, doAssume boolean = true)
language plpgsql as $$ language plpgsql as $$
declare declare
grantedByRoleIdName text; grantedByRoleIdName text;
@ -42,11 +42,11 @@ declare
begin begin
perform rbac.assertReferenceType('grantingRoleUuid', grantedByRoleUuid, 'RbacRole'); perform rbac.assertReferenceType('grantingRoleUuid', grantedByRoleUuid, 'RbacRole');
perform rbac.assertReferenceType('grantedRoleUuid (descendant)', grantedRoleUuid, 'RbacRole'); perform rbac.assertReferenceType('grantedRoleUuid (descendant)', grantedRoleUuid, 'RbacRole');
perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject'); perform rbac.assertReferenceType('userUuid (ascendant)', userUuid, 'rbac.subject');
assert grantedByRoleUuid is not null, 'grantedByRoleUuid must not be null'; assert grantedByRoleUuid is not null, 'grantedByRoleUuid must not be null';
assert grantedRoleUuid is not null, 'grantedRoleUuid must not be null'; assert grantedRoleUuid is not null, 'grantedRoleUuid must not be null';
assert subjectUuid is not null, 'subjectUuid must not be null'; assert userUuid is not null, 'userUuid must not be null';
if NOT isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then if NOT isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then
select roleIdName from rbacRole_ev where uuid=grantedByRoleUuid into grantedByRoleIdName; select roleIdName from rbacRole_ev where uuid=grantedByRoleUuid into grantedByRoleIdName;
@ -62,8 +62,8 @@ begin
insert insert
into RbacGrants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed) into RbacGrants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume); values (grantedByRoleUuid, userUuid, grantedRoleUuid, doAssume);
-- TODO.impl: What should happen on multiple grants? What if options (doAssume) are not the same? -- TODO.impl: What should happen on mupltiple grants? What if options (doAssume) are not the same?
-- Most powerful or latest grant wins? What about managed? -- Most powerful or latest grant wins? What about managed?
-- on conflict do nothing; -- allow granting multiple times -- on conflict do nothing; -- allow granting multiple times
end; $$; end; $$;
@ -74,12 +74,12 @@ end; $$;
--changeset rbac-user-grant-REVOKE-ROLE-FROM-USER:1 endDelimiter:--// --changeset rbac-user-grant-REVOKE-ROLE-FROM-USER:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
create or replace procedure rbac.checkRevokeRoleFromSubjectPreconditions(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid) create or replace procedure checkRevokeRoleFromUserPreconditions(grantedByRoleUuid uuid, grantedRoleUuid uuid, userUuid uuid)
language plpgsql as $$ language plpgsql as $$
begin begin
perform rbac.assertReferenceType('grantedByRoleUuid', grantedByRoleUuid, 'RbacRole'); perform rbac.assertReferenceType('grantedByRoleUuid', grantedByRoleUuid, 'RbacRole');
perform rbac.assertReferenceType('grantedRoleUuid (descendant)', grantedRoleUuid, 'RbacRole'); perform rbac.assertReferenceType('grantedRoleUuid (descendant)', grantedRoleUuid, 'RbacRole');
perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject'); perform rbac.assertReferenceType('userUuid (ascendant)', userUuid, 'rbac.subject');
if NOT isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then if NOT isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then
raise exception '[403] Revoking role created by % is forbidden for %.', grantedByRoleUuid, currentSubjects(); raise exception '[403] Revoking role created by % is forbidden for %.', grantedByRoleUuid, currentSubjects();
@ -94,20 +94,20 @@ begin
raise exception '[403] Revoking role granted by % is forbidden for %.', grantedByRoleUuid, currentSubjects(); raise exception '[403] Revoking role granted by % is forbidden for %.', grantedByRoleUuid, currentSubjects();
end if; end if;
if NOT isGranted(subjectUuid, grantedRoleUuid) then if NOT isGranted(userUuid, grantedRoleUuid) then
raise exception '[404] No such grant found granted by % for subject % to role %.', grantedByRoleUuid, subjectUuid, grantedRoleUuid; raise exception '[404] No such grant found granted by % for user % to role %.', grantedByRoleUuid, userUuid, grantedRoleUuid;
end if; end if;
end; $$; end; $$;
create or replace procedure rbac.revokeRoleFromSubject(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid) create or replace procedure revokeRoleFromUser(grantedByRoleUuid uuid, grantedRoleUuid uuid, userUuid uuid)
language plpgsql as $$ language plpgsql as $$
begin begin
call rbac.checkRevokeRoleFromSubjectPreconditions(grantedByRoleUuid, grantedRoleUuid, subjectUuid); call checkRevokeRoleFromUserPreconditions(grantedByRoleUuid, grantedRoleUuid, userUuid);
raise INFO 'delete from RbacGrants where ascendantUuid = % and descendantUuid = %', subjectUuid, grantedRoleUuid; raise INFO 'delete from RbacGrants where ascendantUuid = % and descendantUuid = %', userUuid, grantedRoleUuid;
delete from RbacGrants as g delete from RbacGrants as g
where g.ascendantUuid = subjectUuid and g.descendantUuid = grantedRoleUuid where g.ascendantUuid = userUuid and g.descendantUuid = grantedRoleUuid
and g.grantedByRoleUuid = revokeRoleFromSubject.grantedByRoleUuid; and g.grantedByRoleUuid = revokeRoleFromUser.grantedByRoleUuid;
end; $$; end; $$;
--// --//
@ -115,7 +115,7 @@ end; $$;
--changeset rbac-user-grant-REVOKE-PERMISSION-FROM-ROLE:1 endDelimiter:--// --changeset rbac-user-grant-REVOKE-PERMISSION-FROM-ROLE:1 endDelimiter:--//
-- ---------------------------------------------------------------------------- -- ----------------------------------------------------------------------------
create or replace procedure rbac.revokePermissionFromRole(permissionUuid uuid, superRoleUuid uuid) create or replace procedure revokePermissionFromRole(permissionUuid uuid, superRoleUuid uuid)
language plpgsql as $$ language plpgsql as $$
begin begin
raise INFO 'delete from RbacGrants where ascendantUuid = % and descendantUuid = %', superRoleUuid, permissionUuid; raise INFO 'delete from RbacGrants where ascendantUuid = % and descendantUuid = %', superRoleUuid, permissionUuid;
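Review bot: `grantRoleToUserUnchecked` in the first hunk inserts into RbacGrants without the `isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid)` authorization check that `grantRoleToUser` performs a few lines below, and nothing at its definition says who may call it; within this compare its callers are `createRoleWithGrants` and the test-data changeset. I would add a header comment above its `create or replace procedure` line stating that it bypasses the grantor-authorization check and is meant only for role bootstrap code in which the calling procedure has already established the right to grant. Two smaller things in the same hunk, in the column without the `rbac.` prefix: the assertReferenceType label reads `'userId (ascendant)'` while the parameter is `userUuid` and the sibling checks say `'userUuid (ascendant)'`, and the TODO.impl comment in the third hunk spells `mupltiple`. Without schema qualification the procedures created here are resolved through `search_path` at call time, which also applies to `revokePermissionFromRole` in the rbac-role changeset.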


@ -117,7 +117,7 @@ create or replace view rbacgrants_rv as
-- @formatter:off -- @formatter:off
select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName, select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed, g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
g.grantedByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as subjectUuid, g.grantedByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as userUuid,
g.objectTable, g.objectUuid, g.objectIdName, g.roleType as grantedRoleType g.objectTable, g.objectUuid, g.objectIdName, g.roleType as grantedRoleType
from ( from (
select g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid, g.assumed, select g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid, g.assumed,
@ -150,10 +150,10 @@ create or replace function insertRbacGrant()
declare declare
newGrant RbacGrants_RV; newGrant RbacGrants_RV;
begin begin
call rbac.grantRoleToSubject(rbac.assumedRoleUuid(), new.grantedRoleUuid, new.subjectUuid, new.assumed); call grantRoleToUser(rbac.assumedRoleUuid(), new.grantedRoleUuid, new.userUuid, new.assumed);
select grv.* select grv.*
from RbacGrants_RV grv from RbacGrants_RV grv
where grv.subjectUuid=new.subjectUuid and grv.grantedRoleUuid=new.grantedRoleUuid where grv.userUuid=new.userUuid and grv.grantedRoleUuid=new.grantedRoleUuid
into newGrant; into newGrant;
return newGrant; return newGrant;
end; $$; end; $$;
@ -176,13 +176,13 @@ execute function insertRbacGrant();
/** /**
Instead of delete trigger function for RbacGrants_RV. Instead of delete trigger function for RbacGrants_RV.
Checks if the current subject or assumed role have the permission to revoke the grant. Checks if the current subject (user / assumed role) has the permission to revoke the grant.
*/ */
create or replace function deleteRbacGrant() create or replace function deleteRbacGrant()
returns trigger returns trigger
language plpgsql as $$ language plpgsql as $$
begin begin
call rbac.revokeRoleFromSubject(old.grantedByRoleUuid, old.grantedRoleUuid, old.subjectUuid); call revokeRoleFromUser(old.grantedByRoleUuid, old.grantedRoleUuid, old.userUuid);
return old; return old;
end; $$; end; $$;
@ -343,7 +343,7 @@ grant all privileges on RbacOwnGrantedPermissions_rv to ${HSADMINNG_POSTGRES_RES
Returns all permissions granted to the given user, Returns all permissions granted to the given user,
which are also visible to the current user or assumed roles. which are also visible to the current user or assumed roles.
*/ */
create or replace function grantedPermissionsRaw(targetSubjectUuid uuid) create or replace function grantedPermissionsRaw(targetUserUuid uuid)
returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid) returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid)
returns null on null input returns null on null input
language plpgsql as $$ language plpgsql as $$
@ -353,8 +353,8 @@ begin
-- @formatter:off -- @formatter:off
currentSubjectUuid := rbac.currentSubjectUuid(); currentSubjectUuid := rbac.currentSubjectUuid();
if hasGlobalRoleGranted(targetSubjectUuid) and not hasGlobalRoleGranted(currentSubjectUuid) then if hasGlobalRoleGranted(targetUserUuid) and not hasGlobalRoleGranted(currentSubjectUuid) then
raise exception '[403] permissions of user "%" are not accessible to user "%"', targetSubjectUuid, basis.currentSubject(); raise exception '[403] permissions of user "%" are not accessible to user "%"', targetUserUuid, basis.currentSubject();
end if; end if;
return query select return query select
@ -369,24 +369,24 @@ begin
po.objecttable as permissionObjectTable, po.objecttable as permissionObjectTable,
findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName, findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName,
po.uuid as permissionObjectUuid po.uuid as permissionObjectUuid
from queryPermissionsGrantedToSubjectId( targetSubjectUuid) as p from queryPermissionsGrantedToSubjectId( targetUserUuid) as p
join rbacgrants as g on g.descendantUuid = p.uuid join rbacgrants as g on g.descendantUuid = p.uuid
join rbac.object as po on po.uuid = p.objectUuid join rbac.object as po on po.uuid = p.objectUuid
join rbacrole_rv as r on r.uuid = g.ascendantUuid join rbacrole_rv as r on r.uuid = g.ascendantUuid
join rbac.object as ro on ro.uuid = r.objectUuid join rbac.object as ro on ro.uuid = r.objectUuid
where isGranted(targetSubjectUuid, r.uuid) where isGranted(targetUserUuid, r.uuid)
) xp; ) xp;
-- @formatter:on -- @formatter:on
end; $$; end; $$;
create or replace function grantedPermissions(targetSubjectUuid uuid) create or replace function grantedPermissions(targetUserUuid uuid)
returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid) returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid)
returns null on null input returns null on null input
language sql as $$ language sql as $$
select * from grantedPermissionsRaw(targetSubjectUuid) select * from grantedPermissionsRaw(targetUserUuid)
union all union all
select roleUuid, roleName, permissionUuid, 'SELECT'::RbacOp, opTableName, objectTable, objectIdName, objectUuid select roleUuid, roleName, permissionUuid, 'SELECT'::RbacOp, opTableName, objectTable, objectIdName, objectUuid
from grantedPermissionsRaw(targetSubjectUuid) from grantedPermissionsRaw(targetUserUuid)
where op <> 'SELECT'::RbacOp; where op <> 'SELECT'::RbacOp;
$$; $$;
--// --//
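Review bot: In `insertRbacGrant`, the `select grv.* ... into newGrant` that follows the `call grantRoleToUser(...)` filters only on the grantee UUID and `grantedRoleUuid`; since the insert in the rbac-user-grant changeset no longer has `on conflict do nothing` and a TODO there leaves multiple grants for the same pair open, a second grantor for the same pair would make this non-STRICT `into` silently return the first matching row rather than the one just created. Adding the grantor that was passed to the call, `and grv.grantedByRoleUuid = rbac.assumedRoleUuid()`, pins the row, assuming the view exposes the same value (`g.grantedByRoleUuid` is selected in the first hunk). The function header of insertRbacGrant lies outside the hunk.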


@ -12,7 +12,7 @@ create or replace function createRoleWithGrants(
permissions RbacOp[] = array[]::RbacOp[], permissions RbacOp[] = array[]::RbacOp[],
incomingSuperRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[], incomingSuperRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
outgoingSubRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[], outgoingSubRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
subjectUuids uuid[] = array[]::uuid[], userUuids uuid[] = array[]::uuid[],
grantedByRole RbacRoleDescriptor = null grantedByRole RbacRoleDescriptor = null
) )
returns uuid returns uuid
@ -26,7 +26,7 @@ declare
superRoleDesc RbacRoleDescriptor; superRoleDesc RbacRoleDescriptor;
subRoleUuid uuid; subRoleUuid uuid;
superRoleUuid uuid; superRoleUuid uuid;
subjectUuid uuid; userUuid uuid;
userGrantsByRoleUuid uuid; userGrantsByRoleUuid uuid;
begin begin
roleUuid := coalesce(findRoleId(roleDescriptor), createRole(roleDescriptor)); roleUuid := coalesce(findRoleId(roleDescriptor), createRole(roleDescriptor));
@ -49,16 +49,16 @@ begin
call grantRoleToRole(subRoleUuid, roleUuid, subRoleDesc.assumed); call grantRoleToRole(subRoleUuid, roleUuid, subRoleDesc.assumed);
end loop; end loop;
if cardinality(subjectUuids) > 0 then if cardinality(userUuids) > 0 then
-- direct grants to users need a grantedByRole which can revoke the grant -- direct grants to users need a grantedByRole which can revoke the grant
if grantedByRole is null then if grantedByRole is null then
userGrantsByRoleUuid := roleUuid; -- TODO.impl: or do we want to require an explicit userGrantsByRoleUuid? userGrantsByRoleUuid := roleUuid; -- TODO.impl: or do we want to require an explicit userGrantsByRoleUuid?
else else
userGrantsByRoleUuid := getRoleId(grantedByRole); userGrantsByRoleUuid := getRoleId(grantedByRole);
end if; end if;
foreach subjectUuid in array subjectUuids foreach userUuid in array userUuids
loop loop
call rbac.grantRoleToUserUnchecked(userGrantsByRoleUuid, roleUuid, subjectUuid); call grantRoleToUserUnchecked(userGrantsByRoleUuid, roleUuid, userUuid);
end loop; end loop;
end if; end if;


@ -158,8 +158,8 @@ do language plpgsql $$
call basis.defineContext('creating fake test-realm admin users', null, null, null); call basis.defineContext('creating fake test-realm admin users', null, null, null);
admins = findRoleId(globalAdmin()); admins = findRoleId(globalAdmin());
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-alex@hostsharing.net')); call grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-alex@hostsharing.net'));
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-fran@hostsharing.net')); call grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-fran@hostsharing.net'));
perform rbac.create_subject('selfregistered-user-drew@hostsharing.org'); perform rbac.create_subject('selfregistered-user-drew@hostsharing.org');
perform rbac.create_subject('selfregistered-test-user@hostsharing.org'); perform rbac.create_subject('selfregistered-test-user@hostsharing.org');
end; end;


@ -38,7 +38,7 @@ begin
testCustomerOWNER(NEW), testCustomerOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN(unassumed())], incomingSuperRoles => array[globalADMIN(unassumed())],
subjectUuids => array[rbac.currentSubjectUuid()] userUuids => array[rbac.currentSubjectUuid()]
); );
perform createRoleWithGrants( perform createRoleWithGrants(


@ -40,7 +40,7 @@ begin
select * into newCust select * into newCust
from test_customer where reference=custReference; from test_customer where reference=custReference;
call rbac.grantRoleToSubject( call grantRoleToUser(
getRoleId(testCustomerOwner(newCust)), getRoleId(testCustomerOwner(newCust)),
getRoleId(testCustomerAdmin(newCust)), getRoleId(testCustomerAdmin(newCust)),
custAdminUuid, custAdminUuid,


@ -29,7 +29,7 @@ begin
values (cust.uuid, pacName, 'Here you can add your own description of package ' || pacName || '.') values (cust.uuid, pacName, 'Here you can add your own description of package ' || pacName || '.')
returning * into pac; returning * into pac;
call rbac.grantRoleToSubject( call grantRoleToUser(
getRoleId(testCustomerAdmin(cust)), getRoleId(testCustomerAdmin(cust)),
findRoleId(testPackageAdmin(pac)), findRoleId(testPackageAdmin(pac)),
rbac.create_subject('pac-admin-' || pacName || '@' || cust.prefix || '.example.com'), rbac.create_subject('pac-admin-' || pacName || '@' || cust.prefix || '.example.com'),


@ -38,7 +38,7 @@ begin
hsOfficeContactOWNER(NEW), hsOfficeContactOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()], incomingSuperRoles => array[globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()] userUuids => array[rbac.currentSubjectUuid()]
); );
perform createRoleWithGrants( perform createRoleWithGrants(


@ -38,7 +38,7 @@ begin
hsOfficePersonOWNER(NEW), hsOfficePersonOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()], incomingSuperRoles => array[globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()] userUuids => array[rbac.currentSubjectUuid()]
); );
perform createRoleWithGrants( perform createRoleWithGrants(


@ -51,7 +51,7 @@ begin
hsOfficeRelationOWNER(NEW), hsOfficeRelationOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()], incomingSuperRoles => array[globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()] userUuids => array[rbac.currentSubjectUuid()]
); );
perform createRoleWithGrants( perform createRoleWithGrants(


@ -110,22 +110,22 @@ begin
if NEW.partnerRelUuid <> OLD.partnerRelUuid then if NEW.partnerRelUuid <> OLD.partnerRelUuid then
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel)); call revokePermissionFromRole(getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationADMIN(oldPartnerRel)); call revokePermissionFromRole(getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationADMIN(oldPartnerRel));
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel)); call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTENANT(oldPartnerRel)); call revokePermissionFromRole(getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTENANT(oldPartnerRel));
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel)); call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel)); call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel)); call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel)); call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel));
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel)); call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(oldPartnerRel)); call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(oldPartnerRel));
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel)); call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
end if; end if;


@ -38,7 +38,7 @@ begin
hsOfficeBankAccountOWNER(NEW), hsOfficeBankAccountOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()], incomingSuperRoles => array[globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()] userUuids => array[rbac.currentSubjectUuid()]
); );
perform createRoleWithGrants( perform createRoleWithGrants(


@ -51,7 +51,7 @@ begin
hsOfficeSepaMandateOWNER(NEW), hsOfficeSepaMandateOWNER(NEW),
permissions => array['DELETE'], permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()], incomingSuperRoles => array[globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()] userUuids => array[rbac.currentSubjectUuid()]
); );
perform createRoleWithGrants( perform createRoleWithGrants(


@ -45,7 +45,7 @@ begin
perform createRoleWithGrants( perform createRoleWithGrants(
hsOfficeMembershipOWNER(NEW), hsOfficeMembershipOWNER(NEW),
subjectUuids => array[rbac.currentSubjectUuid()] userUuids => array[rbac.currentSubjectUuid()]
); );
perform createRoleWithGrants( perform createRoleWithGrants(


@ -53,7 +53,7 @@ begin
globalADMIN(unassumed()), globalADMIN(unassumed()),
hsBookingItemADMIN(newBookingItem), hsBookingItemADMIN(newBookingItem),
hsHostingAssetADMIN(newParentAsset)], hsHostingAssetADMIN(newParentAsset)],
subjectUuids => array[rbac.currentSubjectUuid()] userUuids => array[rbac.currentSubjectUuid()]
); );
perform createRoleWithGrants( perform createRoleWithGrants(


@ -21,14 +21,14 @@ declare
defaultPrefix varchar; defaultPrefix varchar;
managedServerUuid uuid; managedServerUuid uuid;
managedWebspaceUuid uuid; managedWebspaceUuid uuid;
webUnixSubjectUuid uuid; webUnixUserUuid uuid;
mboxUnixSubjectUuid uuid; mboxUnixUserUuid uuid;
domainSetupUuid uuid; domainSetupUuid uuid;
domainMBoxSetupUuid uuid; domainMBoxSetupUuid uuid;
mariaDbInstanceUuid uuid; mariaDbInstanceUuid uuid;
mariaDbSubjectUuid uuid; mariaDbUserUuid uuid;
pgSqlInstanceUuid uuid; pgSqlInstanceUuid uuid;
PgSqlSubjectUuid uuid; PgSqlUserUuid uuid;
begin begin
call basis.defineContext('creating hosting-asset test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN'); call basis.defineContext('creating hosting-asset test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
@ -68,14 +68,14 @@ begin
select uuid_generate_v4() into managedServerUuid; select uuid_generate_v4() into managedServerUuid;
select uuid_generate_v4() into managedWebspaceUuid; select uuid_generate_v4() into managedWebspaceUuid;
select uuid_generate_v4() into webUnixSubjectUuid; select uuid_generate_v4() into webUnixUserUuid;
select uuid_generate_v4() into mboxUnixSubjectUuid; select uuid_generate_v4() into mboxUnixUserUuid;
select uuid_generate_v4() into domainSetupUuid; select uuid_generate_v4() into domainSetupUuid;
select uuid_generate_v4() into domainMBoxSetupUuid; select uuid_generate_v4() into domainMBoxSetupUuid;
select uuid_generate_v4() into mariaDbInstanceUuid; select uuid_generate_v4() into mariaDbInstanceUuid;
select uuid_generate_v4() into mariaDbSubjectUuid; select uuid_generate_v4() into mariaDbUserUuid;
select uuid_generate_v4() into pgSqlInstanceUuid; select uuid_generate_v4() into pgSqlInstanceUuid;
select uuid_generate_v4() into pgSqlSubjectUuid; select uuid_generate_v4() into pgSqlUserUuid;
debitorNumberSuffix := relatedDebitor.debitorNumberSuffix; debitorNumberSuffix := relatedDebitor.debitorNumberSuffix;
defaultPrefix := relatedDebitor.defaultPrefix; defaultPrefix := relatedDebitor.defaultPrefix;
@ -86,17 +86,17 @@ begin
(uuid_generate_v4(), cloudServerBI.uuid, 'CLOUD_SERVER', null, null, 'vm20' || debitorNumberSuffix, 'another CloudServer', '{}'::jsonb), (uuid_generate_v4(), cloudServerBI.uuid, 'CLOUD_SERVER', null, null, 'vm20' || debitorNumberSuffix, 'another CloudServer', '{}'::jsonb),
(managedWebspaceUuid, managedWebspaceBI.uuid, 'MANAGED_WEBSPACE', managedServerUuid, null, defaultPrefix || '01', 'some Webspace', '{}'::jsonb), (managedWebspaceUuid, managedWebspaceBI.uuid, 'MANAGED_WEBSPACE', managedServerUuid, null, defaultPrefix || '01', 'some Webspace', '{}'::jsonb),
(mariaDbInstanceUuid, null, 'MARIADB_INSTANCE', managedServerUuid, null, 'vm10' || debitorNumberSuffix || '.MariaDB.default', 'some default MariaDB instance','{}'::jsonb), (mariaDbInstanceUuid, null, 'MARIADB_INSTANCE', managedServerUuid, null, 'vm10' || debitorNumberSuffix || '.MariaDB.default', 'some default MariaDB instance','{}'::jsonb),
(mariaDbSubjectUuid, null, 'MARIADB_USER', managedWebspaceUuid, mariaDbInstanceUuid, defaultPrefix || '01_web', 'some default MariaDB user', '{ "password": "<TODO:replace-by-encrypted-mariadb-password"}'::jsonb ), (mariaDbUserUuid, null, 'MARIADB_USER', managedWebspaceUuid, mariaDbInstanceUuid, defaultPrefix || '01_web', 'some default MariaDB user', '{ "password": "<TODO:replace-by-encrypted-mariadb-password"}'::jsonb ),
(uuid_generate_v4(), null, 'MARIADB_DATABASE', mariaDbSubjectUuid, mariaDbInstanceUuid, defaultPrefix || '01_web', 'some default MariaDB database','{ "encryption": "utf8", "collation": "utf8"}'::jsonb ), (uuid_generate_v4(), null, 'MARIADB_DATABASE', mariaDbUserUuid, mariaDbInstanceUuid, defaultPrefix || '01_web', 'some default MariaDB database','{ "encryption": "utf8", "collation": "utf8"}'::jsonb ),
(pgSqlInstanceUuid, null, 'PGSQL_INSTANCE', managedServerUuid, null, 'vm10' || debitorNumberSuffix || '.Postgresql.default', 'some default Postgresql instance','{}'::jsonb), (pgSqlInstanceUuid, null, 'PGSQL_INSTANCE', managedServerUuid, null, 'vm10' || debitorNumberSuffix || '.Postgresql.default', 'some default Postgresql instance','{}'::jsonb),
(PgSqlSubjectUuid, null, 'PGSQL_USER', managedWebspaceUuid, pgSqlInstanceUuid, defaultPrefix || '01_web', 'some default Postgresql user', '{ "password": "<TODO:replace-by-encrypted-postgresql-password"}'::jsonb ), (PgSqlUserUuid, null, 'PGSQL_USER', managedWebspaceUuid, pgSqlInstanceUuid, defaultPrefix || '01_web', 'some default Postgresql user', '{ "password": "<TODO:replace-by-encrypted-postgresql-password"}'::jsonb ),
(uuid_generate_v4(), null, 'PGSQL_DATABASE', pgSqlSubjectUuid, pgSqlInstanceUuid, defaultPrefix || '01_web', 'some default Postgresql database','{ "encryption": "utf8", "collation": "utf8"}'::jsonb ), (uuid_generate_v4(), null, 'PGSQL_DATABASE', pgSqlUserUuid, pgSqlInstanceUuid, defaultPrefix || '01_web', 'some default Postgresql database','{ "encryption": "utf8", "collation": "utf8"}'::jsonb ),
(uuid_generate_v4(), null, 'EMAIL_ALIAS', managedWebspaceUuid, null, defaultPrefix || '01-web', 'some E-Mail-Alias', '{ "target": [ "office@example.org", "archive@example.com" ] }'::jsonb), (uuid_generate_v4(), null, 'EMAIL_ALIAS', managedWebspaceUuid, null, defaultPrefix || '01-web', 'some E-Mail-Alias', '{ "target": [ "office@example.org", "archive@example.com" ] }'::jsonb),
(webUnixSubjectUuid, null, 'UNIX_USER', managedWebspaceUuid, null, defaultPrefix || '01-web', 'some UnixUser for Website', '{ "SSD-soft-quota": "128", "SSD-hard-quota": "256", "HDD-soft-quota": "512", "HDD-hard-quota": "1024"}'::jsonb), (webUnixUserUuid, null, 'UNIX_USER', managedWebspaceUuid, null, defaultPrefix || '01-web', 'some UnixUser for Website', '{ "SSD-soft-quota": "128", "SSD-hard-quota": "256", "HDD-soft-quota": "512", "HDD-hard-quota": "1024"}'::jsonb),
(mboxUnixSubjectUuid, null, 'UNIX_USER', managedWebspaceUuid, null, defaultPrefix || '01-mbox', 'some UnixUser for E-Mail', '{ "SSD-soft-quota": "128", "SSD-hard-quota": "256", "HDD-soft-quota": "512", "HDD-hard-quota": "1024"}'::jsonb), (mboxUnixUserUuid, null, 'UNIX_USER', managedWebspaceUuid, null, defaultPrefix || '01-mbox', 'some UnixUser for E-Mail', '{ "SSD-soft-quota": "128", "SSD-hard-quota": "256", "HDD-soft-quota": "512", "HDD-hard-quota": "1024"}'::jsonb),
(domainSetupUuid, null, 'DOMAIN_SETUP', null, null, defaultPrefix || '.example.org', 'some Domain-Setup', '{}'::jsonb), (domainSetupUuid, null, 'DOMAIN_SETUP', null, null, defaultPrefix || '.example.org', 'some Domain-Setup', '{}'::jsonb),
(uuid_generate_v4(), null, 'DOMAIN_DNS_SETUP', domainSetupUuid, null, defaultPrefix || '.example.org|DNS', 'some Domain-DNS-Setup', '{}'::jsonb), (uuid_generate_v4(), null, 'DOMAIN_DNS_SETUP', domainSetupUuid, null, defaultPrefix || '.example.org|DNS', 'some Domain-DNS-Setup', '{}'::jsonb),
(uuid_generate_v4(), null, 'DOMAIN_HTTP_SETUP', domainSetupUuid, webUnixSubjectUuid, defaultPrefix || '.example.org|HTTP', 'some Domain-HTTP-Setup', '{ "option-htdocsfallback": true, "use-fcgiphpbin": "/usr/lib/cgi-bin/php", "validsubdomainnames": "*"}'::jsonb), (uuid_generate_v4(), null, 'DOMAIN_HTTP_SETUP', domainSetupUuid, webUnixUserUuid, defaultPrefix || '.example.org|HTTP', 'some Domain-HTTP-Setup', '{ "option-htdocsfallback": true, "use-fcgiphpbin": "/usr/lib/cgi-bin/php", "validsubdomainnames": "*"}'::jsonb),
(uuid_generate_v4(), null, 'DOMAIN_SMTP_SETUP', domainSetupUuid, managedWebspaceUuid, defaultPrefix || '.example.org|SMTP', 'some Domain-SMTP-Setup', '{}'::jsonb), (uuid_generate_v4(), null, 'DOMAIN_SMTP_SETUP', domainSetupUuid, managedWebspaceUuid, defaultPrefix || '.example.org|SMTP', 'some Domain-SMTP-Setup', '{}'::jsonb),
(domainMBoxSetupUuid, null, 'DOMAIN_MBOX_SETUP', domainSetupUuid, managedWebspaceUuid, defaultPrefix || '.example.org|MBOX', 'some Domain-MBOX-Setup', '{}'::jsonb), (domainMBoxSetupUuid, null, 'DOMAIN_MBOX_SETUP', domainSetupUuid, managedWebspaceUuid, defaultPrefix || '.example.org|MBOX', 'some Domain-MBOX-Setup', '{}'::jsonb),
(uuid_generate_v4(), null, 'EMAIL_ADDRESS', domainMBoxSetupUuid, null, 'test@' || defaultPrefix || '.example.org', 'some E-Mail-Address', '{}'::jsonb); (uuid_generate_v4(), null, 'EMAIL_ADDRESS', domainMBoxSetupUuid, null, 'test@' || defaultPrefix || '.example.org', 'some E-Mail-Address', '{}'::jsonb);


@ -32,7 +32,7 @@ databaseChangeLog:
- include: - include:
file: db/changelog/1-rbac/1050-rbac-base.sql file: db/changelog/1-rbac/1050-rbac-base.sql
- include: - include:
file: db/changelog/1-rbac/1051-rbac-subject-grant.sql file: db/changelog/1-rbac/1051-rbac-user-grant.sql
- include: - include:
file: db/changelog/1-rbac/1054-rbac-context.sql file: db/changelog/1-rbac/1054-rbac-context.sql
- include: - include:


@ -176,9 +176,9 @@ class HsBookingItemControllerAcceptanceTest extends ContextBasedTestWithCleanup
.extract().header("Location"); // @formatter:on .extract().header("Location"); // @formatter:on
// finally, the new bookingItem can be accessed under the generated UUID // finally, the new bookingItem can be accessed under the generated UUID
final var newSubjectUuid = UUID.fromString( final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1)); location.substring(location.lastIndexOf('/') + 1));
assertThat(newSubjectUuid).isNotNull(); assertThat(newUserUuid).isNotNull();
} }
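Review bot: `newUserUuid` on the right-hand side names the UUID parsed from the `Location` header of a newly created bookingItem, so the identifier contradicts the comment directly above it (`// finally, the new bookingItem can be accessed under the generated UUID`); the left-hand `newSubjectUuid` has the same problem, which suggests a mechanical find-and-replace rather than a deliberately chosen name. `final var newBookingItemUuid = UUID.fromString(` followed by `assertThat(newBookingItemUuid).isNotNull();` would say what the value actually is. The same mismatch recurs in the bookingProject, asset, bankaccount, contact, debitor (twice), membership, partner, person, relation and sepaMandate acceptance-test hunks of this compare; in the membership hunk the misnamed value is even passed on as `membershipRepo.findByUuid(newUserUuid)`.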
} }


@ -111,9 +111,9 @@ class HsBookingProjectControllerAcceptanceTest extends ContextBasedTestWithClean
.extract().header("Location"); // @formatter:on .extract().header("Location"); // @formatter:on
// finally, the new bookingProject can be accessed under the generated UUID // finally, the new bookingProject can be accessed under the generated UUID
final var newSubjectUuid = UUID.fromString( final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1)); location.substring(location.lastIndexOf('/') + 1));
assertThat(newSubjectUuid).isNotNull(); assertThat(newUserUuid).isNotNull();
} }
} }


@ -247,9 +247,9 @@ class HsHostingAssetControllerAcceptanceTest extends ContextBasedTestWithCleanup
.extract().header("Location"); // @formatter:on .extract().header("Location"); // @formatter:on
// finally, the new asset can be accessed under the generated UUID // finally, the new asset can be accessed under the generated UUID
final var newSubjectUuid = UUID.fromString( final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1)); location.substring(location.lastIndexOf('/') + 1));
assertThat(newSubjectUuid).isNotNull(); assertThat(newUserUuid).isNotNull();
} }
@Test @Test


@ -143,9 +143,9 @@ class HsOfficeBankAccountControllerAcceptanceTest extends ContextBasedTestWithCl
.extract().header("Location"); // @formatter:on .extract().header("Location"); // @formatter:on
// finally, the new bankaccount can be accessed under the generated UUID // finally, the new bankaccount can be accessed under the generated UUID
final var newSubjectUuid = UUID.fromString( final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1)); location.substring(location.lastIndexOf('/') + 1));
assertThat(newSubjectUuid).isNotNull(); assertThat(newUserUuid).isNotNull();
} }
} }


@ -122,9 +122,9 @@ class HsOfficeContactControllerAcceptanceTest extends ContextBasedTestWithCleanu
.extract().header("Location"); // @formatter:on .extract().header("Location"); // @formatter:on
// finally, the new contact can be accessed under the generated UUID // finally, the new contact can be accessed under the generated UUID
final var newSubjectUuid = UUID.fromString( final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1)); location.substring(location.lastIndexOf('/') + 1));
assertThat(newSubjectUuid).isNotNull(); assertThat(newUserUuid).isNotNull();
} }
} }


@ -315,9 +315,9 @@ class HsOfficeDebitorControllerAcceptanceTest extends ContextBasedTestWithCleanu
.extract().header("Location"); // @formatter:on .extract().header("Location"); // @formatter:on
// finally, the new debitor can be accessed under the generated UUID // finally, the new debitor can be accessed under the generated UUID
final var newSubjectUuid = UUID.fromString( final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1)); location.substring(location.lastIndexOf('/') + 1));
assertThat(newSubjectUuid).isNotNull(); assertThat(newUserUuid).isNotNull();
} }
@Test @Test
@ -367,9 +367,9 @@ class HsOfficeDebitorControllerAcceptanceTest extends ContextBasedTestWithCleanu
.extract().header("Location"); // @formatter:on .extract().header("Location"); // @formatter:on
// finally, the new debitor can be accessed under the generated UUID // finally, the new debitor can be accessed under the generated UUID
final var newSubjectUuid = UUID.fromString( final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1)); location.substring(location.lastIndexOf('/') + 1));
assertThat(newSubjectUuid).isNotNull(); assertThat(newUserUuid).isNotNull();
} }
@Test @Test


@ -204,10 +204,10 @@ class HsOfficeMembershipControllerAcceptanceTest extends ContextBasedTestWithCle
.extract().header("Location"); // @formatter:on .extract().header("Location"); // @formatter:on
// finally, the new membership can be accessed under the generated UUID // finally, the new membership can be accessed under the generated UUID
final var newSubjectUuid = UUID.fromString( final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1)); location.substring(location.lastIndexOf('/') + 1));
assertThat(newSubjectUuid).isNotNull(); assertThat(newUserUuid).isNotNull();
assertThat(membershipRepo.findByUuid(newSubjectUuid)).isPresent(); assertThat(membershipRepo.findByUuid(newUserUuid)).isPresent();
} }
} }


@ -141,9 +141,9 @@ class HsOfficePartnerControllerAcceptanceTest extends ContextBasedTestWithCleanu
.extract().header("Location"); // @formatter:on .extract().header("Location"); // @formatter:on
// finally, the new partner can be accessed under the generated UUID // finally, the new partner can be accessed under the generated UUID
final var newSubjectUuid = UUID.fromString( final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1)); location.substring(location.lastIndexOf('/') + 1));
assertThat(newSubjectUuid).isNotNull(); assertThat(newUserUuid).isNotNull();
} }
@Test @Test


@ -99,9 +99,9 @@ class HsOfficePersonControllerAcceptanceTest extends ContextBasedTestWithCleanup
.extract().header("Location"); // @formatter:on .extract().header("Location"); // @formatter:on
// finally, the new person can be accessed under the generated UUID // finally, the new person can be accessed under the generated UUID
final var newSubjectUuid = UUID.fromString( final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1)); location.substring(location.lastIndexOf('/') + 1));
assertThat(newSubjectUuid).isNotNull(); assertThat(newUserUuid).isNotNull();
} }
} }


@ -161,9 +161,9 @@ class HsOfficeRelationControllerAcceptanceTest extends ContextBasedTestWithClean
.extract().header("Location"); // @formatter:on .extract().header("Location"); // @formatter:on
// finally, the new relation can be accessed under the generated UUID // finally, the new relation can be accessed under the generated UUID
final var newSubjectUuid = toCleanup(HsOfficeRelationRealEntity.class, UUID.fromString( final var newUserUuid = toCleanup(HsOfficeRelationRealEntity.class, UUID.fromString(
location.substring(location.lastIndexOf('/') + 1))); location.substring(location.lastIndexOf('/') + 1)));
assertThat(newSubjectUuid).isNotNull(); assertThat(newUserUuid).isNotNull();
} }
@Test @Test


@ -138,9 +138,9 @@ class HsOfficeSepaMandateControllerAcceptanceTest extends ContextBasedTestWithCl
.extract().header("Location"); // @formatter:on .extract().header("Location"); // @formatter:on
// finally, the new sepaMandate can be accessed under the generated UUID // finally, the new sepaMandate can be accessed under the generated UUID
final var newSubjectUuid = UUID.fromString( final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1)); location.substring(location.lastIndexOf('/') + 1));
assertThat(newSubjectUuid).isNotNull(); assertThat(newUserUuid).isNotNull();
} }
// TODO.test: move validation tests to a ...WebMvcTest // TODO.test: move validation tests to a ...WebMvcTest


@ -238,7 +238,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
} }
@Nested @Nested
class GrantRoleToSubject { class GrantRoleToUser {
@Test @Test
void packageAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() { void packageAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() {
@ -295,7 +295,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
} }
@Nested @Nested
class RevokeRoleFromSubject { class RevokeRoleFromUser {
@Test @Test
@Transactional(propagation = Propagation.NEVER) @Transactional(propagation = Propagation.NEVER)
@ -389,7 +389,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
{ {
"assumed": true, "assumed": true,
"grantedRoleUuid": "%s", "grantedRoleUuid": "%s",
"granteeSubjectUuid": "%s" "granteeUserUuid": "%s"
} }
""".formatted( """.formatted(
grantedRole.getUuid(), grantedRole.getUuid(),
@ -425,7 +425,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
{ {
"assumed": true, "assumed": true,
"grantedRoleUuid": "%s", "grantedRoleUuid": "%s",
"granteeSubjectUuid": "%s" "granteeUserUuid": "%s"
} }
""".formatted( """.formatted(
grantedRole.getUuid(), grantedRole.getUuid(),


@ -13,16 +13,16 @@ class RbacGrantEntityUnitTest {
void getRbacGrantId() { void getRbacGrantId() {
// given // given
final var grantedRoleUuid = UUID.randomUUID(); final var grantedRoleUuid = UUID.randomUUID();
final var granteeSubjectUuid = UUID.randomUUID(); final var granteeUserUuid = UUID.randomUUID();
final var entity = new RbacGrantEntity(); final var entity = new RbacGrantEntity();
entity.setGrantedRoleUuid(grantedRoleUuid); entity.setGrantedRoleUuid(grantedRoleUuid);
entity.setGranteeSubjectUuid(granteeSubjectUuid); entity.setGranteeUserUuid(granteeUserUuid);
// when // when
final var grantId = entity.getRbacGrantId(); final var grantId = entity.getRbacGrantId();
// then // then
assertThat(grantId).isEqualTo(new RbacGrantId(granteeSubjectUuid, grantedRoleUuid)); assertThat(grantId).isEqualTo(new RbacGrantId(granteeUserUuid, grantedRoleUuid));
} }
@Test @Test


@ -103,18 +103,18 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
} }
@Nested @Nested
class GrantRoleToSubject { class GrantRoleToUser {
@Test @Test
public void customerAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() { public void customerAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() {
// given // given
context("customer-admin@xxx.example.com", "test_customer#xxx:ADMIN"); context("customer-admin@xxx.example.com", "test_customer#xxx:ADMIN");
final var givenArbitrarySubjectUuid = rbacUserRepository.findByName("pac-admin-zzz00@zzz.example.com").getUuid(); final var givenArbitraryUserUuid = rbacUserRepository.findByName("pac-admin-zzz00@zzz.example.com").getUuid();
final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("test_package#xxx00:ADMIN").getUuid(); final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("test_package#xxx00:ADMIN").getUuid();
// when // when
final var grant = RbacGrantEntity.builder() final var grant = RbacGrantEntity.builder()
.granteeSubjectUuid(givenArbitrarySubjectUuid).grantedRoleUuid(givenOwnPackageRoleUuid) .granteeUserUuid(givenArbitraryUserUuid).grantedRoleUuid(givenOwnPackageRoleUuid)
.assumed(true) .assumed(true)
.build(); .build();
final var attempt = attempt(em, () -> final var attempt = attempt(em, () ->
@ -148,7 +148,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// now we try to use these uuids as a less privileged user // now we try to use these uuids as a less privileged user
context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00:ADMIN"); context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00:ADMIN");
final var grant = RbacGrantEntity.builder() final var grant = RbacGrantEntity.builder()
.granteeSubjectUuid(given.arbitraryUser.getUuid()) .granteeUserUuid(given.arbitraryUser.getUuid())
.grantedRoleUuid(given.packageOwnerRoleUuid) .grantedRoleUuid(given.packageOwnerRoleUuid)
.assumed(true) .assumed(true)
.build(); .build();
@ -170,7 +170,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
} }
@Nested @Nested
class revokeRoleFromSubject { class RevokeRoleFromUser {
@Test @Test
public void customerAdmin_canRevokeSelfGrantedPackageAdminRole() { public void customerAdmin_canRevokeSelfGrantedPackageAdminRole() {
@ -236,11 +236,11 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
private RbacGrantEntity create(GrantBuilder with) { private RbacGrantEntity create(GrantBuilder with) {
context(with.byUserName, with.assumedRole); context(with.byUserName, with.assumedRole);
final var givenArbitrarySubjectUuid = rbacUserRepository.findByName(with.granteeUserName).getUuid(); final var givenArbitraryUserUuid = rbacUserRepository.findByName(with.granteeUserName).getUuid();
final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName(with.grantedRole).getUuid(); final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName(with.grantedRole).getUuid();
final var grant = RbacGrantEntity.builder() final var grant = RbacGrantEntity.builder()
.granteeSubjectUuid(givenArbitrarySubjectUuid).grantedRoleUuid(givenOwnPackageRoleUuid) .granteeUserUuid(givenArbitraryUserUuid).grantedRoleUuid(givenOwnPackageRoleUuid)
.assumed(true) .assumed(true)
.build(); .build();
final var grantAttempt = attempt(em, () -> final var grantAttempt = attempt(em, () ->


@ -63,10 +63,10 @@ class RbacUserControllerAcceptanceTest {
// @formatter:on // @formatter:on
// finally, the user can view its own record // finally, the user can view its own record
final var newSubjectUuid = UUID.fromString( final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1)); location.substring(location.lastIndexOf('/') + 1));
context.define("new-user@example.com"); context.define("new-user@example.com");
assertThat(rbacUserRepository.findByUuid(newSubjectUuid)) assertThat(rbacUserRepository.findByUuid(newUserUuid))
.extracting(RbacUserEntity::getName).isEqualTo("new-user@example.com"); .extracting(RbacUserEntity::getName).isEqualTo("new-user@example.com");
} }
} }


@ -232,7 +232,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
context("superuser-alex@hostsharing.net"); context("superuser-alex@hostsharing.net");
// when // when
final var result = rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid("superuser-fran@hostsharing.net")) final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("superuser-fran@hostsharing.net"))
.stream().filter(p -> p.getObjectTable().contains("test_")) .stream().filter(p -> p.getObjectTable().contains("test_"))
.sorted(comparing(RbacUserPermission::toString)).toList(); .sorted(comparing(RbacUserPermission::toString)).toList();
@ -246,7 +246,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
context("customer-admin@xxx.example.com"); context("customer-admin@xxx.example.com");
// when // when
final var result = rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid("customer-admin@xxx.example.com")); final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("customer-admin@xxx.example.com"));
// then // then
allTheseRbacPermissionsAreReturned( allTheseRbacPermissionsAreReturned(
@ -286,17 +286,17 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
public void customerAdmin_withoutAssumedRole_isNotAllowedToViewGlobalAdminsPermissions() { public void customerAdmin_withoutAssumedRole_isNotAllowedToViewGlobalAdminsPermissions() {
// given // given
context("customer-admin@xxx.example.com"); context("customer-admin@xxx.example.com");
final UUID subjectUuid = subjectUuid("superuser-alex@hostsharing.net"); final UUID userUuid = userUUID("superuser-alex@hostsharing.net");
// when // when
final var result = attempt(em, () -> final var result = attempt(em, () ->
rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid) rbacUserRepository.findPermissionsOfUserByUuid(userUuid)
); );
// then // then
result.assertExceptionWithRootCauseMessage( result.assertExceptionWithRootCauseMessage(
JpaSystemException.class, JpaSystemException.class,
"[403] permissions of user \"" + subjectUuid "[403] permissions of user \"" + userUuid
+ "\" are not accessible to user \"customer-admin@xxx.example.com\""); + "\" are not accessible to user \"customer-admin@xxx.example.com\"");
} }
@ -306,7 +306,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
context("customer-admin@xxx.example.com"); context("customer-admin@xxx.example.com");
// when // when
final var result = rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid("pac-admin-xxx00@xxx.example.com")); final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("pac-admin-xxx00@xxx.example.com"));
// then // then
allTheseRbacPermissionsAreReturned( allTheseRbacPermissionsAreReturned(
@ -342,7 +342,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
context("customer-admin@xxx.example.com"); context("customer-admin@xxx.example.com");
// when // when
final var result = rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid("pac-admin-yyy00@yyy.example.com")); final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("pac-admin-yyy00@yyy.example.com"));
// then // then
noRbacPermissionsAreReturned(result); noRbacPermissionsAreReturned(result);
@ -354,7 +354,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
context("pac-admin-xxx00@xxx.example.com"); context("pac-admin-xxx00@xxx.example.com");
// when // when
final var result = rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid("pac-admin-xxx00@xxx.example.com")); final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("pac-admin-xxx00@xxx.example.com"));
// then // then
allTheseRbacPermissionsAreReturned( allTheseRbacPermissionsAreReturned(
@ -385,7 +385,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
} }
} }
UUID subjectUuid(final String userName) { UUID userUUID(final String userName) {
return rbacUserRepository.findByName(userName).getUuid(); return rbacUserRepository.findByName(userName).getUuid();
} }


@ -18,6 +18,7 @@ import org.springframework.data.repository.Repository;
import org.springframework.transaction.PlatformTransactionManager; import org.springframework.transaction.PlatformTransactionManager;
import jakarta.persistence.*; import jakarta.persistence.*;
import jakarta.transaction.Transactional;
import java.util.*; import java.util.*;
import java.util.concurrent.atomic.AtomicBoolean; import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Supplier; import java.util.function.Supplier;


@ -146,10 +146,10 @@ class TestCustomerControllerAcceptanceTest {
.extract().header("Location"); // @formatter:on .extract().header("Location"); // @formatter:on
// finally, the new customer can be viewed by its own admin // finally, the new customer can be viewed by its own admin
final var newSubjectUuid = UUID.fromString( final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1)); location.substring(location.lastIndexOf('/') + 1));
context.define("superuser-fran@hostsharing.net", "test_customer#uuu:ADMIN"); context.define("superuser-fran@hostsharing.net", "test_customer#uuu:ADMIN");
assertThat(testCustomerRepository.findByUuid(newSubjectUuid)) assertThat(testCustomerRepository.findByUuid(newUserUuid))
.hasValueSatisfying(c -> assertThat(c.getPrefix()).isEqualTo("uuu")); .hasValueSatisfying(c -> assertThat(c.getPrefix()).isEqualTo("uuu"));
} }