

No commits in common. "e3f48127d2eb6418b82262c70a9f8b9a64ac8d71" and "ba226fd802ffa0419e56a3dff95ac0325bcda302" have entirely different histories.

50 changed files with 163 additions and 162 deletions


@ -467,7 +467,7 @@ public class RbacView {
return new RbacExampleRole(entityAlias, role);
}
private RbacGrantDefinition grantRoleToSubject(final RbacRoleDefinition roleDefinition, final RbacUserReference user) {
private RbacGrantDefinition grantRoleToUser(final RbacRoleDefinition roleDefinition, final RbacUserReference user) {
return findOrCreateGrantDef(roleDefinition, user).toCreate();
}
@ -771,7 +771,7 @@ public class RbacView {
* The grant definition for further chained calls.
*/
public RbacGrantDefinition owningUser(final RbacUserReference.UserRole userRole) {
return grantRoleToSubject(this, findUserRef(userRole));
return grantRoleToUser(this, findUserRef(userRole));
}
/**


@ -312,7 +312,7 @@ class RolesGrantsAndPermissionsGenerator {
case ROLE_TO_ROLE -> "call revokeRoleFromRole(${subRoleRef}, ${superRoleRef});"
.replace("${subRoleRef}", roleRef(OLD, grantDef.getSubRoleDef()))
.replace("${superRoleRef}", roleRef(OLD, grantDef.getSuperRoleDef()));
case PERM_TO_ROLE -> "call rbac.revokePermissionFromRole(${permRef}, ${superRoleRef});"
case PERM_TO_ROLE -> "call revokePermissionFromRole(${permRef}, ${superRoleRef});"
.replace("${permRef}", getPerm(OLD, grantDef.getPermDef()))
.replace("${superRoleRef}", roleRef(OLD, grantDef.getSuperRoleDef()));
};
@ -415,7 +415,7 @@ class RolesGrantsAndPermissionsGenerator {
.map(this::toPlPgSqlReference)
.toList();
plPgSql.indented(() ->
plPgSql.writeLn("subjectUuids => array[" + joinArrayElements(arrayElements, 2) + "],\n"));
plPgSql.writeLn("userUuids => array[" + joinArrayElements(arrayElements, 2) + "],\n"));
rbacGrants.removeAll(grantsToUsers);
}
}
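Review bot: The generated string for the PERM_TO_ROLE case is the only line in this hunk where the two sides differ in schema qualification (`rbac.revokePermissionFromRole` versus bare `revokePermissionFromRole`), while `revokeRoleFromRole` on the ROLE_TO_ROLE line above is unqualified on both sides; whichever side is kept has to agree with the `create or replace procedure` definitions in the two SQL hunks further down (`@ -672,7 +672,7` and `@ -115,7 +115,7`). Since this string is written into migration SQL and resolved at run time, I would keep the explicit form `"call rbac.revokePermissionFromRole(${permRef}, ${superRoleRef});"` rather than depending on the session's search_path, and qualify `revokeRoleFromRole` the same way if it lives in that schema. The enclosing switch expression starts before this hunk.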


@ -36,11 +36,11 @@ public class RbacGrantController implements RbacGrantsApi {
final String currentSubject,
final String assumedRoles,
final UUID grantedRoleUuid,
final UUID granteeSubjectUuid) {
final UUID granteeUserUuid) {
context.define(currentSubject, assumedRoles);
final var id = new RbacGrantId(granteeSubjectUuid, grantedRoleUuid);
final var id = new RbacGrantId(granteeUserUuid, grantedRoleUuid);
final var result = rbacGrantRepository.findById(id);
if (result == null) {
return ResponseEntity.notFound().build();
@ -61,7 +61,7 @@ public class RbacGrantController implements RbacGrantsApi {
@Override
@Transactional
public ResponseEntity<RbacGrantResource> grantRoleToSubject(
public ResponseEntity<RbacGrantResource> grantRoleToUser(
final String currentSubject,
final String assumedRoles,
final RbacGrantResource body) {
@ -82,22 +82,22 @@ public class RbacGrantController implements RbacGrantsApi {
@Override
@Transactional
public ResponseEntity<Void> revokeRoleFromSubject(
public ResponseEntity<Void> revokeRoleFromUser(
final String currentSubject,
final String assumedRoles,
final UUID grantedRoleUuid,
final UUID granteeSubjectUuid) {
final UUID granteeUserUuid) {
context.define(currentSubject, assumedRoles);
rbacGrantRepository.deleteByRbacGrantId(new RbacGrantId(granteeSubjectUuid, grantedRoleUuid));
rbacGrantRepository.deleteByRbacGrantId(new RbacGrantId(granteeUserUuid, grantedRoleUuid));
return ResponseEntity.noContent().build();
}
// TODO.feat: implement an endpoint to create a Mermaid flowchart with all grants of a given user
// TODO: implement an endpoint to create a Mermaid flowchart with all grants of a given user
// @GetMapping(
// path = "/api/rbac/users/{subjectUuid}/grants",
// path = "/api/rbac/users/{userUuid}/grants",
// produces = {"text/vnd.mermaid"})
// @Transactional(readOnly = true)
// public ResponseEntity<String> allGrantsOfUserAsMermaid(


@ -36,8 +36,8 @@ public class RbacGrantEntity {
private String granteeUserName;
@Id
@Column(name = "subjectuuid")
private UUID granteeSubjectUuid;
@Column(name = "useruuid")
private UUID granteeUserUuid;
private boolean assumed;
@ -55,7 +55,7 @@ public class RbacGrantEntity {
private RbacRoleType grantedRoleType;
RbacGrantId getRbacGrantId() {
return new RbacGrantId(granteeSubjectUuid, grantedRoleUuid);
return new RbacGrantId(granteeUserUuid, grantedRoleUuid);
}
public String toDisplay() {


@ -14,6 +14,6 @@ import java.util.UUID;
@AllArgsConstructor
public class RbacGrantId implements Serializable {
private UUID granteeSubjectUuid;
private UUID granteeUserUuid;
private UUID grantedRoleUuid;
}


@ -11,7 +11,7 @@ public interface RbacGrantRepository extends Repository<RbacGrantEntity, RbacGra
@Query(value = """
select g from RbacGrantEntity as g
where g.grantedRoleUuid=:#{#rbacGrantId.grantedRoleUuid}
and g.granteeSubjectUuid=:#{#rbacGrantId.granteeSubjectUuid}
and g.granteeUserUuid=:#{#rbacGrantId.granteeUserUuid}
""")
RbacGrantEntity findById(RbacGrantId rbacGrantId);
@ -25,7 +25,7 @@ public interface RbacGrantRepository extends Repository<RbacGrantEntity, RbacGra
@Query(value = """
delete from RbacGrantEntity as g
where g.grantedRoleUuid=:#{#rbacGrantId.grantedRoleUuid}
and g.granteeSubjectUuid=:#{#rbacGrantId.granteeSubjectUuid}
and g.granteeUserUuid=:#{#rbacGrantId.granteeUserUuid}
""")
void deleteByRbacGrantId(RbacGrantId rbacGrantId);
}


@ -51,11 +51,11 @@ public class RbacUserController implements RbacUsersApi {
public ResponseEntity<Void> deleteUserByUuid(
final String currentSubject,
final String assumedRoles,
final UUID subjectUuid
final UUID userUuid
) {
context.define(currentSubject, assumedRoles);
rbacUserRepository.deleteByUuid(subjectUuid);
rbacUserRepository.deleteByUuid(userUuid);
return ResponseEntity.noContent().build();
}
@ -65,11 +65,11 @@ public class RbacUserController implements RbacUsersApi {
public ResponseEntity<RbacUserResource> getUserById(
final String currentSubject,
final String assumedRoles,
final UUID subjectUuid) {
final UUID userUuid) {
context.define(currentSubject, assumedRoles);
final var result = rbacUserRepository.findByUuid(subjectUuid);
final var result = rbacUserRepository.findByUuid(userUuid);
if (result == null) {
return ResponseEntity.notFound().build();
}
@ -93,12 +93,12 @@ public class RbacUserController implements RbacUsersApi {
public ResponseEntity<List<RbacUserPermissionResource>> listUserPermissions(
final String currentSubject,
final String assumedRoles,
final UUID subjectUuid
final UUID userUuid
) {
context.define(currentSubject, assumedRoles);
return ResponseEntity.ok(mapper.mapList(
rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid),
rbacUserRepository.findPermissionsOfUserByUuid(userUuid),
RbacUserPermissionResource.class));
}
}


@ -22,8 +22,8 @@ public interface RbacUserRepository extends Repository<RbacUserEntity, UUID> {
RbacUserEntity findByUuid(UUID uuid);
@Query(value = "select * from grantedPermissions(:subjectUuid)", nativeQuery = true)
List<RbacUserPermission> findPermissionsOfUserByUuid(UUID subjectUuid);
@Query(value = "select * from grantedPermissions(:userUuid)", nativeQuery = true)
List<RbacUserPermission> findPermissionsOfUserByUuid(UUID userUuid);
/*
Can't use save/saveAndFlush from SpringData because the uuid is not generated on the entity level,
@ -42,5 +42,5 @@ public interface RbacUserRepository extends Repository<RbacUserEntity, UUID> {
return rbacUserEntity;
}
void deleteByUuid(UUID subjectUuid);
void deleteByUuid(UUID userUuid);
}


@ -20,9 +20,9 @@ components:
format: uuid
granteeUserName:
type: string
granteeSubjectUuid:
granteeUserUuid:
type: string
format: uuid
required:
- grantedRoleUuid
- granteeSubjectUuid
- granteeUserUuid


@ -12,7 +12,7 @@ get:
type: string
format: uuid
description: UUID of the granted role.
- name: granteeSubjectUuid
- name: granteeUserUuid
in: path
required: true
schema:
@ -36,7 +36,7 @@ get:
delete:
tags:
- rbac-grants
operationId: revokeRoleFromSubject
operationId: revokeRoleFromUser
parameters:
- $ref: 'auth.yaml#/components/parameters/currentSubject'
- $ref: 'auth.yaml#/components/parameters/assumedRoles'
@ -47,7 +47,7 @@ delete:
type: string
format: uuid
description: UUID of the granted role.
- name: granteeSubjectUuid
- name: granteeUserUuid
in: path
required: true
schema:


@ -18,7 +18,7 @@ get:
post:
tags:
- rbac-grants
operationId: grantRoleToSubject
operationId: grantRoleToUser
parameters:
- $ref: 'auth.yaml#/components/parameters/currentSubject'
- $ref: 'auth.yaml#/components/parameters/assumedRoles'


@ -6,7 +6,7 @@ get:
parameters:
- $ref: 'auth.yaml#/components/parameters/currentSubject'
- $ref: 'auth.yaml#/components/parameters/assumedRoles'
- name: subjectUuid
- name: userUuid
in: path
required: true
schema:


@ -6,7 +6,7 @@ get:
parameters:
- $ref: 'auth.yaml#/components/parameters/currentSubject'
- $ref: 'auth.yaml#/components/parameters/assumedRoles'
- name: subjectUuid
- name: userUuid
in: path
required: true
schema:
@ -33,7 +33,7 @@ delete:
parameters:
- $ref: 'auth.yaml#/components/parameters/currentSubject'
- $ref: 'auth.yaml#/components/parameters/assumedRoles'
- name: subjectUuid
- name: userUuid
in: path
required: true
schema:


@ -11,10 +11,10 @@ paths:
/api/rbac/users:
$ref: 'rbac-users.yaml'
/api/rbac/users/{subjectUuid}/permissions:
/api/rbac/users/{userUuid}/permissions:
$ref: 'rbac-users-with-id-permissions.yaml'
/api/rbac/users/{subjectUuid}:
/api/rbac/users/{userUuid}:
$ref: 'rbac-users-with-uuid.yaml'
/api/rbac/roles:
@ -23,6 +23,6 @@ paths:
/api/rbac/grants:
$ref: 'rbac-grants.yaml'
/api/rbac/grants/{grantedRoleUuid}/{granteeSubjectUuid}:
/api/rbac/grants/{grantedRoleUuid}/{granteeUserUuid}:
$ref: 'rbac-grants-with-id.yaml'


@ -672,7 +672,7 @@ begin
end if;
end; $$;
create or replace procedure rbac.revokePermissionFromRole(permissionId UUID, superRole RbacRoleDescriptor)
create or replace procedure revokePermissionFromRole(permissionId UUID, superRole RbacRoleDescriptor)
language plpgsql as $$
declare
superRoleId uuid;
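Review bot: One side of this hunk declares `revokePermissionFromRole` without the `rbac.` prefix, so the procedure is created in whichever schema heads search_path when the migration runs and is resolved the same way on every later `call`; the sibling definition in the grant changelog (`@ -115,7 +115,7`) and all six call sites in the hs-office partner hunk (`@ -110,22 +110,22`) show the same split. Because these procedures are the revocation path of the authorization model, I would keep the schema-qualified spelling `create or replace procedure rbac.revokePermissionFromRole(permissionId UUID, superRole RbacRoleDescriptor)` on every definition and call, so that which procedure executes does not depend on the session's search_path. The procedure body continues past this hunk.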


@ -20,21 +20,21 @@ begin
return currentSubjectOrAssumedRolesUuids[1];
end; $$;
create or replace procedure rbac.grantRoleToUserUnchecked(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid, doAssume boolean = true)
create or replace procedure grantRoleToUserUnchecked(grantedByRoleUuid uuid, grantedRoleUuid uuid, userUuid uuid, doAssume boolean = true)
language plpgsql as $$
begin
perform rbac.assertReferenceType('grantingRoleUuid', grantedByRoleUuid, 'RbacRole');
perform rbac.assertReferenceType('roleId (descendant)', grantedRoleUuid, 'RbacRole');
perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject');
perform rbac.assertReferenceType('userId (ascendant)', userUuid, 'rbac.subject');
insert
into RbacGrants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume)
values (grantedByRoleUuid, userUuid, grantedRoleUuid, doAssume)
-- TODO: check if grantedByRoleUuid+doAssume are the same, otherwise raise exception?
on conflict do nothing; -- allow granting multiple times
end; $$;
create or replace procedure rbac.grantRoleToSubject(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid, doAssume boolean = true)
create or replace procedure grantRoleToUser(grantedByRoleUuid uuid, grantedRoleUuid uuid, userUuid uuid, doAssume boolean = true)
language plpgsql as $$
declare
grantedByRoleIdName text;
@ -42,11 +42,11 @@ declare
begin
perform rbac.assertReferenceType('grantingRoleUuid', grantedByRoleUuid, 'RbacRole');
perform rbac.assertReferenceType('grantedRoleUuid (descendant)', grantedRoleUuid, 'RbacRole');
perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject');
perform rbac.assertReferenceType('userUuid (ascendant)', userUuid, 'rbac.subject');
assert grantedByRoleUuid is not null, 'grantedByRoleUuid must not be null';
assert grantedRoleUuid is not null, 'grantedRoleUuid must not be null';
assert subjectUuid is not null, 'subjectUuid must not be null';
assert userUuid is not null, 'userUuid must not be null';
if NOT isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then
select roleIdName from rbacRole_ev where uuid=grantedByRoleUuid into grantedByRoleIdName;
@ -62,8 +62,8 @@ begin
insert
into RbacGrants (grantedByRoleUuid, ascendantUuid, descendantUuid, assumed)
values (grantedByRoleUuid, subjectUuid, grantedRoleUuid, doAssume);
-- TODO.impl: What should happen on multiple grants? What if options (doAssume) are not the same?
values (grantedByRoleUuid, userUuid, grantedRoleUuid, doAssume);
-- TODO.impl: What should happen on mupltiple grants? What if options (doAssume) are not the same?
-- Most powerful or latest grant wins? What about managed?
-- on conflict do nothing; -- allow granting multiple times
end; $$;
@ -74,12 +74,12 @@ end; $$;
--changeset rbac-user-grant-REVOKE-ROLE-FROM-USER:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace procedure rbac.checkRevokeRoleFromSubjectPreconditions(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid)
create or replace procedure checkRevokeRoleFromUserPreconditions(grantedByRoleUuid uuid, grantedRoleUuid uuid, userUuid uuid)
language plpgsql as $$
begin
perform rbac.assertReferenceType('grantedByRoleUuid', grantedByRoleUuid, 'RbacRole');
perform rbac.assertReferenceType('grantedRoleUuid (descendant)', grantedRoleUuid, 'RbacRole');
perform rbac.assertReferenceType('subjectUuid (ascendant)', subjectUuid, 'rbac.subject');
perform rbac.assertReferenceType('userUuid (ascendant)', userUuid, 'rbac.subject');
if NOT isGranted(rbac.currentSubjectOrAssumedRolesUuids(), grantedByRoleUuid) then
raise exception '[403] Revoking role created by % is forbidden for %.', grantedByRoleUuid, currentSubjects();
@ -94,20 +94,20 @@ begin
raise exception '[403] Revoking role granted by % is forbidden for %.', grantedByRoleUuid, currentSubjects();
end if;
if NOT isGranted(subjectUuid, grantedRoleUuid) then
raise exception '[404] No such grant found granted by % for subject % to role %.', grantedByRoleUuid, subjectUuid, grantedRoleUuid;
if NOT isGranted(userUuid, grantedRoleUuid) then
raise exception '[404] No such grant found granted by % for user % to role %.', grantedByRoleUuid, userUuid, grantedRoleUuid;
end if;
end; $$;
create or replace procedure rbac.revokeRoleFromSubject(grantedByRoleUuid uuid, grantedRoleUuid uuid, subjectUuid uuid)
create or replace procedure revokeRoleFromUser(grantedByRoleUuid uuid, grantedRoleUuid uuid, userUuid uuid)
language plpgsql as $$
begin
call rbac.checkRevokeRoleFromSubjectPreconditions(grantedByRoleUuid, grantedRoleUuid, subjectUuid);
call checkRevokeRoleFromUserPreconditions(grantedByRoleUuid, grantedRoleUuid, userUuid);
raise INFO 'delete from RbacGrants where ascendantUuid = % and descendantUuid = %', subjectUuid, grantedRoleUuid;
raise INFO 'delete from RbacGrants where ascendantUuid = % and descendantUuid = %', userUuid, grantedRoleUuid;
delete from RbacGrants as g
where g.ascendantUuid = subjectUuid and g.descendantUuid = grantedRoleUuid
and g.grantedByRoleUuid = revokeRoleFromSubject.grantedByRoleUuid;
where g.ascendantUuid = userUuid and g.descendantUuid = grantedRoleUuid
and g.grantedByRoleUuid = revokeRoleFromUser.grantedByRoleUuid;
end; $$;
--//
@ -115,7 +115,7 @@ end; $$;
--changeset rbac-user-grant-REVOKE-PERMISSION-FROM-ROLE:1 endDelimiter:--//
-- ----------------------------------------------------------------------------
create or replace procedure rbac.revokePermissionFromRole(permissionUuid uuid, superRoleUuid uuid)
create or replace procedure revokePermissionFromRole(permissionUuid uuid, superRoleUuid uuid)
language plpgsql as $$
begin
raise INFO 'delete from RbacGrants where ascendantUuid = % and descendantUuid = %', superRoleUuid, permissionUuid;
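Review bot: In the grant procedure hunk (`@ -42,11 +42,11`) the null guard on the grantee is a PL/pgSQL `assert` (`assert subjectUuid is not null, 'subjectUuid must not be null';`), which is not evaluated at all when `plpgsql.check_asserts` is off, so it should not be the only check between a null grantee and the `insert into RbacGrants` below it; `if subjectUuid is null then raise exception 'subjectUuid must not be null'; end if;` holds regardless of that setting (the `rbac.assertReferenceType` call just above may already reject null — its body is not visible here). Separately, `grantRoleToUserUnchecked` keeps "User" in its name on the side that renames everything else to "Subject", and the comment under that insert reads "mupltiple" on one side and "multiple" on the other; both are worth aligning on whichever side is kept. Several procedure bodies in this file section start or end outside their hunks.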


@ -117,7 +117,7 @@ create or replace view rbacgrants_rv as
-- @formatter:off
select o.objectTable || '#' || findIdNameByObjectUuid(o.objectTable, o.uuid) || ':' || r.roletype as grantedByRoleIdName,
g.objectTable || '#' || g.objectIdName || ':' || g.roletype as grantedRoleIdName, g.userName, g.assumed,
g.grantedByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as subjectUuid,
g.grantedByRoleUuid, g.descendantUuid as grantedRoleUuid, g.ascendantUuid as userUuid,
g.objectTable, g.objectUuid, g.objectIdName, g.roleType as grantedRoleType
from (
select g.grantedbyroleuuid, g.ascendantuuid, g.descendantuuid, g.assumed,
@ -150,10 +150,10 @@ create or replace function insertRbacGrant()
declare
newGrant RbacGrants_RV;
begin
call rbac.grantRoleToSubject(rbac.assumedRoleUuid(), new.grantedRoleUuid, new.subjectUuid, new.assumed);
call grantRoleToUser(rbac.assumedRoleUuid(), new.grantedRoleUuid, new.userUuid, new.assumed);
select grv.*
from RbacGrants_RV grv
where grv.subjectUuid=new.subjectUuid and grv.grantedRoleUuid=new.grantedRoleUuid
where grv.userUuid=new.userUuid and grv.grantedRoleUuid=new.grantedRoleUuid
into newGrant;
return newGrant;
end; $$;
@ -176,13 +176,13 @@ execute function insertRbacGrant();
/**
Instead of delete trigger function for RbacGrants_RV.
Checks if the current subject or assumed role have the permission to revoke the grant.
Checks if the current subject (user / assumed role) has the permission to revoke the grant.
*/
create or replace function deleteRbacGrant()
returns trigger
language plpgsql as $$
begin
call rbac.revokeRoleFromSubject(old.grantedByRoleUuid, old.grantedRoleUuid, old.subjectUuid);
call revokeRoleFromUser(old.grantedByRoleUuid, old.grantedRoleUuid, old.userUuid);
return old;
end; $$;
@ -343,7 +343,7 @@ grant all privileges on RbacOwnGrantedPermissions_rv to ${HSADMINNG_POSTGRES_RES
Returns all permissions granted to the given user,
which are also visible to the current user or assumed roles.
*/
create or replace function grantedPermissionsRaw(targetSubjectUuid uuid)
create or replace function grantedPermissionsRaw(targetUserUuid uuid)
returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid)
returns null on null input
language plpgsql as $$
@ -353,8 +353,8 @@ begin
-- @formatter:off
currentSubjectUuid := rbac.currentSubjectUuid();
if hasGlobalRoleGranted(targetSubjectUuid) and not hasGlobalRoleGranted(currentSubjectUuid) then
raise exception '[403] permissions of user "%" are not accessible to user "%"', targetSubjectUuid, basis.currentSubject();
if hasGlobalRoleGranted(targetUserUuid) and not hasGlobalRoleGranted(currentSubjectUuid) then
raise exception '[403] permissions of user "%" are not accessible to user "%"', targetUserUuid, basis.currentSubject();
end if;
return query select
@ -369,24 +369,24 @@ begin
po.objecttable as permissionObjectTable,
findIdNameByObjectUuid(po.objectTable, po.uuid) as permissionObjectIdName,
po.uuid as permissionObjectUuid
from queryPermissionsGrantedToSubjectId( targetSubjectUuid) as p
from queryPermissionsGrantedToSubjectId( targetUserUuid) as p
join rbacgrants as g on g.descendantUuid = p.uuid
join rbac.object as po on po.uuid = p.objectUuid
join rbacrole_rv as r on r.uuid = g.ascendantUuid
join rbac.object as ro on ro.uuid = r.objectUuid
where isGranted(targetSubjectUuid, r.uuid)
where isGranted(targetUserUuid, r.uuid)
) xp;
-- @formatter:on
end; $$;
create or replace function grantedPermissions(targetSubjectUuid uuid)
create or replace function grantedPermissions(targetUserUuid uuid)
returns table(roleUuid uuid, roleName text, permissionUuid uuid, op RbacOp, opTableName varchar(60), objectTable varchar(60), objectIdName varchar, objectUuid uuid)
returns null on null input
language sql as $$
select * from grantedPermissionsRaw(targetSubjectUuid)
select * from grantedPermissionsRaw(targetUserUuid)
union all
select roleUuid, roleName, permissionUuid, 'SELECT'::RbacOp, opTableName, objectTable, objectIdName, objectUuid
from grantedPermissionsRaw(targetSubjectUuid)
from grantedPermissionsRaw(targetUserUuid)
where op <> 'SELECT'::RbacOp;
$$;
--//


@ -12,7 +12,7 @@ create or replace function createRoleWithGrants(
permissions RbacOp[] = array[]::RbacOp[],
incomingSuperRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
outgoingSubRoles RbacRoleDescriptor[] = array[]::RbacRoleDescriptor[],
subjectUuids uuid[] = array[]::uuid[],
userUuids uuid[] = array[]::uuid[],
grantedByRole RbacRoleDescriptor = null
)
returns uuid
@ -26,7 +26,7 @@ declare
superRoleDesc RbacRoleDescriptor;
subRoleUuid uuid;
superRoleUuid uuid;
subjectUuid uuid;
userUuid uuid;
userGrantsByRoleUuid uuid;
begin
roleUuid := coalesce(findRoleId(roleDescriptor), createRole(roleDescriptor));
@ -49,16 +49,16 @@ begin
call grantRoleToRole(subRoleUuid, roleUuid, subRoleDesc.assumed);
end loop;
if cardinality(subjectUuids) > 0 then
if cardinality(userUuids) > 0 then
-- direct grants to users need a grantedByRole which can revoke the grant
if grantedByRole is null then
userGrantsByRoleUuid := roleUuid; -- TODO.impl: or do we want to require an explicit userGrantsByRoleUuid?
else
userGrantsByRoleUuid := getRoleId(grantedByRole);
end if;
foreach subjectUuid in array subjectUuids
foreach userUuid in array userUuids
loop
call rbac.grantRoleToUserUnchecked(userGrantsByRoleUuid, roleUuid, subjectUuid);
call grantRoleToUserUnchecked(userGrantsByRoleUuid, roleUuid, userUuid);
end loop;
end if;
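Review bot: The `if grantedByRole is null then userGrantsByRoleUuid := roleUuid;` branch above the renamed `foreach ... in array` loop records the granted role itself as the granting role for every direct subject grant; together with `checkRevokeRoleFromSubjectPreconditions` in the grant changelog, which only requires the revoker to hold `grantedByRoleUuid`, that appears to let any holder of the role revoke it from the other listed subjects — `isGranted` is not visible here, so this is an inference to confirm. The `TODO.impl` on that line already raises the question; I would either require an explicit `grantedByRole` whenever the subject array is non-empty (`raise exception` otherwise) or document the intended semantics in a comment above the branch. The function body starts and ends outside this hunk.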


@ -158,8 +158,8 @@ do language plpgsql $$
call basis.defineContext('creating fake test-realm admin users', null, null, null);
admins = findRoleId(globalAdmin());
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-alex@hostsharing.net'));
call rbac.grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-fran@hostsharing.net'));
call grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-alex@hostsharing.net'));
call grantRoleToUserUnchecked(admins, admins, rbac.create_subject('superuser-fran@hostsharing.net'));
perform rbac.create_subject('selfregistered-user-drew@hostsharing.org');
perform rbac.create_subject('selfregistered-test-user@hostsharing.org');
end;


@ -38,7 +38,7 @@ begin
testCustomerOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN(unassumed())],
subjectUuids => array[rbac.currentSubjectUuid()]
userUuids => array[rbac.currentSubjectUuid()]
);
perform createRoleWithGrants(


@ -40,7 +40,7 @@ begin
select * into newCust
from test_customer where reference=custReference;
call rbac.grantRoleToSubject(
call grantRoleToUser(
getRoleId(testCustomerOwner(newCust)),
getRoleId(testCustomerAdmin(newCust)),
custAdminUuid,


@ -29,7 +29,7 @@ begin
values (cust.uuid, pacName, 'Here you can add your own description of package ' || pacName || '.')
returning * into pac;
call rbac.grantRoleToSubject(
call grantRoleToUser(
getRoleId(testCustomerAdmin(cust)),
findRoleId(testPackageAdmin(pac)),
rbac.create_subject('pac-admin-' || pacName || '@' || cust.prefix || '.example.com'),


@ -38,7 +38,7 @@ begin
hsOfficeContactOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()]
userUuids => array[rbac.currentSubjectUuid()]
);
perform createRoleWithGrants(


@ -38,7 +38,7 @@ begin
hsOfficePersonOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()]
userUuids => array[rbac.currentSubjectUuid()]
);
perform createRoleWithGrants(


@ -51,7 +51,7 @@ begin
hsOfficeRelationOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()]
userUuids => array[rbac.currentSubjectUuid()]
);
perform createRoleWithGrants(


@ -110,22 +110,22 @@ begin
if NEW.partnerRelUuid <> OLD.partnerRelUuid then
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
call revokePermissionFromRole(getPermissionId(OLD.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
call grantPermissionToRole(createPermission(NEW.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationADMIN(oldPartnerRel));
call revokePermissionFromRole(getPermissionId(OLD.uuid, 'UPDATE'), hsOfficeRelationADMIN(oldPartnerRel));
call grantPermissionToRole(createPermission(NEW.uuid, 'UPDATE'), hsOfficeRelationADMIN(newPartnerRel));
call rbac.revokePermissionFromRole(getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTENANT(oldPartnerRel));
call revokePermissionFromRole(getPermissionId(OLD.uuid, 'SELECT'), hsOfficeRelationTENANT(oldPartnerRel));
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), hsOfficeRelationTENANT(newPartnerRel));
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(oldPartnerRel));
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'DELETE'), hsOfficeRelationOWNER(newPartnerRel));
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel));
call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(oldPartnerRel));
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'UPDATE'), hsOfficeRelationAGENT(newPartnerRel));
call rbac.revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(oldPartnerRel));
call revokePermissionFromRole(getPermissionId(oldPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(oldPartnerRel));
call grantPermissionToRole(createPermission(newPartnerDetails.uuid, 'SELECT'), hsOfficeRelationAGENT(newPartnerRel));
end if;


@ -38,7 +38,7 @@ begin
hsOfficeBankAccountOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()]
userUuids => array[rbac.currentSubjectUuid()]
);
perform createRoleWithGrants(


@ -51,7 +51,7 @@ begin
hsOfficeSepaMandateOWNER(NEW),
permissions => array['DELETE'],
incomingSuperRoles => array[globalADMIN()],
subjectUuids => array[rbac.currentSubjectUuid()]
userUuids => array[rbac.currentSubjectUuid()]
);
perform createRoleWithGrants(


@ -45,7 +45,7 @@ begin
perform createRoleWithGrants(
hsOfficeMembershipOWNER(NEW),
subjectUuids => array[rbac.currentSubjectUuid()]
userUuids => array[rbac.currentSubjectUuid()]
);
perform createRoleWithGrants(


@ -53,7 +53,7 @@ begin
globalADMIN(unassumed()),
hsBookingItemADMIN(newBookingItem),
hsHostingAssetADMIN(newParentAsset)],
subjectUuids => array[rbac.currentSubjectUuid()]
userUuids => array[rbac.currentSubjectUuid()]
);
perform createRoleWithGrants(


@ -21,14 +21,14 @@ declare
defaultPrefix varchar;
managedServerUuid uuid;
managedWebspaceUuid uuid;
webUnixSubjectUuid uuid;
mboxUnixSubjectUuid uuid;
webUnixUserUuid uuid;
mboxUnixUserUuid uuid;
domainSetupUuid uuid;
domainMBoxSetupUuid uuid;
mariaDbInstanceUuid uuid;
mariaDbSubjectUuid uuid;
mariaDbUserUuid uuid;
pgSqlInstanceUuid uuid;
PgSqlSubjectUuid uuid;
PgSqlUserUuid uuid;
begin
call basis.defineContext('creating hosting-asset test-data', null, 'superuser-alex@hostsharing.net', 'global#global:ADMIN');
@ -68,14 +68,14 @@ begin
select uuid_generate_v4() into managedServerUuid;
select uuid_generate_v4() into managedWebspaceUuid;
select uuid_generate_v4() into webUnixSubjectUuid;
select uuid_generate_v4() into mboxUnixSubjectUuid;
select uuid_generate_v4() into webUnixUserUuid;
select uuid_generate_v4() into mboxUnixUserUuid;
select uuid_generate_v4() into domainSetupUuid;
select uuid_generate_v4() into domainMBoxSetupUuid;
select uuid_generate_v4() into mariaDbInstanceUuid;
select uuid_generate_v4() into mariaDbSubjectUuid;
select uuid_generate_v4() into mariaDbUserUuid;
select uuid_generate_v4() into pgSqlInstanceUuid;
select uuid_generate_v4() into pgSqlSubjectUuid;
select uuid_generate_v4() into pgSqlUserUuid;
debitorNumberSuffix := relatedDebitor.debitorNumberSuffix;
defaultPrefix := relatedDebitor.defaultPrefix;
@ -86,17 +86,17 @@ begin
(uuid_generate_v4(), cloudServerBI.uuid, 'CLOUD_SERVER', null, null, 'vm20' || debitorNumberSuffix, 'another CloudServer', '{}'::jsonb),
(managedWebspaceUuid, managedWebspaceBI.uuid, 'MANAGED_WEBSPACE', managedServerUuid, null, defaultPrefix || '01', 'some Webspace', '{}'::jsonb),
(mariaDbInstanceUuid, null, 'MARIADB_INSTANCE', managedServerUuid, null, 'vm10' || debitorNumberSuffix || '.MariaDB.default', 'some default MariaDB instance','{}'::jsonb),
(mariaDbSubjectUuid, null, 'MARIADB_USER', managedWebspaceUuid, mariaDbInstanceUuid, defaultPrefix || '01_web', 'some default MariaDB user', '{ "password": "<TODO:replace-by-encrypted-mariadb-password"}'::jsonb ),
(uuid_generate_v4(), null, 'MARIADB_DATABASE', mariaDbSubjectUuid, mariaDbInstanceUuid, defaultPrefix || '01_web', 'some default MariaDB database','{ "encryption": "utf8", "collation": "utf8"}'::jsonb ),
(mariaDbUserUuid, null, 'MARIADB_USER', managedWebspaceUuid, mariaDbInstanceUuid, defaultPrefix || '01_web', 'some default MariaDB user', '{ "password": "<TODO:replace-by-encrypted-mariadb-password"}'::jsonb ),
(uuid_generate_v4(), null, 'MARIADB_DATABASE', mariaDbUserUuid, mariaDbInstanceUuid, defaultPrefix || '01_web', 'some default MariaDB database','{ "encryption": "utf8", "collation": "utf8"}'::jsonb ),
(pgSqlInstanceUuid, null, 'PGSQL_INSTANCE', managedServerUuid, null, 'vm10' || debitorNumberSuffix || '.Postgresql.default', 'some default Postgresql instance','{}'::jsonb),
(PgSqlSubjectUuid, null, 'PGSQL_USER', managedWebspaceUuid, pgSqlInstanceUuid, defaultPrefix || '01_web', 'some default Postgresql user', '{ "password": "<TODO:replace-by-encrypted-postgresql-password"}'::jsonb ),
(uuid_generate_v4(), null, 'PGSQL_DATABASE', pgSqlSubjectUuid, pgSqlInstanceUuid, defaultPrefix || '01_web', 'some default Postgresql database','{ "encryption": "utf8", "collation": "utf8"}'::jsonb ),
(PgSqlUserUuid, null, 'PGSQL_USER', managedWebspaceUuid, pgSqlInstanceUuid, defaultPrefix || '01_web', 'some default Postgresql user', '{ "password": "<TODO:replace-by-encrypted-postgresql-password"}'::jsonb ),
(uuid_generate_v4(), null, 'PGSQL_DATABASE', pgSqlUserUuid, pgSqlInstanceUuid, defaultPrefix || '01_web', 'some default Postgresql database','{ "encryption": "utf8", "collation": "utf8"}'::jsonb ),
(uuid_generate_v4(), null, 'EMAIL_ALIAS', managedWebspaceUuid, null, defaultPrefix || '01-web', 'some E-Mail-Alias', '{ "target": [ "office@example.org", "archive@example.com" ] }'::jsonb),
(webUnixSubjectUuid, null, 'UNIX_USER', managedWebspaceUuid, null, defaultPrefix || '01-web', 'some UnixUser for Website', '{ "SSD-soft-quota": "128", "SSD-hard-quota": "256", "HDD-soft-quota": "512", "HDD-hard-quota": "1024"}'::jsonb),
(mboxUnixSubjectUuid, null, 'UNIX_USER', managedWebspaceUuid, null, defaultPrefix || '01-mbox', 'some UnixUser for E-Mail', '{ "SSD-soft-quota": "128", "SSD-hard-quota": "256", "HDD-soft-quota": "512", "HDD-hard-quota": "1024"}'::jsonb),
(webUnixUserUuid, null, 'UNIX_USER', managedWebspaceUuid, null, defaultPrefix || '01-web', 'some UnixUser for Website', '{ "SSD-soft-quota": "128", "SSD-hard-quota": "256", "HDD-soft-quota": "512", "HDD-hard-quota": "1024"}'::jsonb),
(mboxUnixUserUuid, null, 'UNIX_USER', managedWebspaceUuid, null, defaultPrefix || '01-mbox', 'some UnixUser for E-Mail', '{ "SSD-soft-quota": "128", "SSD-hard-quota": "256", "HDD-soft-quota": "512", "HDD-hard-quota": "1024"}'::jsonb),
(domainSetupUuid, null, 'DOMAIN_SETUP', null, null, defaultPrefix || '.example.org', 'some Domain-Setup', '{}'::jsonb),
(uuid_generate_v4(), null, 'DOMAIN_DNS_SETUP', domainSetupUuid, null, defaultPrefix || '.example.org|DNS', 'some Domain-DNS-Setup', '{}'::jsonb),
(uuid_generate_v4(), null, 'DOMAIN_HTTP_SETUP', domainSetupUuid, webUnixSubjectUuid, defaultPrefix || '.example.org|HTTP', 'some Domain-HTTP-Setup', '{ "option-htdocsfallback": true, "use-fcgiphpbin": "/usr/lib/cgi-bin/php", "validsubdomainnames": "*"}'::jsonb),
(uuid_generate_v4(), null, 'DOMAIN_HTTP_SETUP', domainSetupUuid, webUnixUserUuid, defaultPrefix || '.example.org|HTTP', 'some Domain-HTTP-Setup', '{ "option-htdocsfallback": true, "use-fcgiphpbin": "/usr/lib/cgi-bin/php", "validsubdomainnames": "*"}'::jsonb),
(uuid_generate_v4(), null, 'DOMAIN_SMTP_SETUP', domainSetupUuid, managedWebspaceUuid, defaultPrefix || '.example.org|SMTP', 'some Domain-SMTP-Setup', '{}'::jsonb),
(domainMBoxSetupUuid, null, 'DOMAIN_MBOX_SETUP', domainSetupUuid, managedWebspaceUuid, defaultPrefix || '.example.org|MBOX', 'some Domain-MBOX-Setup', '{}'::jsonb),
(uuid_generate_v4(), null, 'EMAIL_ADDRESS', domainMBoxSetupUuid, null, 'test@' || defaultPrefix || '.example.org', 'some E-Mail-Address', '{}'::jsonb);


@ -32,7 +32,7 @@ databaseChangeLog:
- include:
file: db/changelog/1-rbac/1050-rbac-base.sql
- include:
file: db/changelog/1-rbac/1051-rbac-subject-grant.sql
file: db/changelog/1-rbac/1051-rbac-user-grant.sql
- include:
file: db/changelog/1-rbac/1054-rbac-context.sql
- include:
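Review bot: Renaming the included changelog file between `1051-rbac-subject-grant.sql` and `1051-rbac-user-grant.sql` changes the file path under which Liquibase records that file's changesets, so on any database that already ran the old path Liquibase will see the changesets as new ones and try to apply them again, unless they carry a `logicalFilePath` or the existing DATABASECHANGELOG rows are migrated. If every environment is rebuilt from scratch this is harmless, but that assumption is not visible here. A comment next to the include would make the intent explicit, e.g. `# renamed; DATABASECHANGELOG rows on pre-existing databases still reference the old file name`.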


@ -176,9 +176,9 @@ class HsBookingItemControllerAcceptanceTest extends ContextBasedTestWithCleanup
.extract().header("Location"); // @formatter:on
// finally, the new bookingItem can be accessed under the generated UUID
final var newSubjectUuid = UUID.fromString(
final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1));
assertThat(newSubjectUuid).isNotNull();
assertThat(newUserUuid).isNotNull();
}
}


@ -111,9 +111,9 @@ class HsBookingProjectControllerAcceptanceTest extends ContextBasedTestWithClean
.extract().header("Location"); // @formatter:on
// finally, the new bookingProject can be accessed under the generated UUID
final var newSubjectUuid = UUID.fromString(
final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1));
assertThat(newSubjectUuid).isNotNull();
assertThat(newUserUuid).isNotNull();
}
}


@ -247,9 +247,9 @@ class HsHostingAssetControllerAcceptanceTest extends ContextBasedTestWithCleanup
.extract().header("Location"); // @formatter:on
// finally, the new asset can be accessed under the generated UUID
final var newSubjectUuid = UUID.fromString(
final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1));
assertThat(newSubjectUuid).isNotNull();
assertThat(newUserUuid).isNotNull();
}
@Test


@ -143,9 +143,9 @@ class HsOfficeBankAccountControllerAcceptanceTest extends ContextBasedTestWithCl
.extract().header("Location"); // @formatter:on
// finally, the new bankaccount can be accessed under the generated UUID
final var newSubjectUuid = UUID.fromString(
final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1));
assertThat(newSubjectUuid).isNotNull();
assertThat(newUserUuid).isNotNull();
}
}


@ -122,9 +122,9 @@ class HsOfficeContactControllerAcceptanceTest extends ContextBasedTestWithCleanu
.extract().header("Location"); // @formatter:on
// finally, the new contact can be accessed under the generated UUID
final var newSubjectUuid = UUID.fromString(
final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1));
assertThat(newSubjectUuid).isNotNull();
assertThat(newUserUuid).isNotNull();
}
}


@ -315,9 +315,9 @@ class HsOfficeDebitorControllerAcceptanceTest extends ContextBasedTestWithCleanu
.extract().header("Location"); // @formatter:on
// finally, the new debitor can be accessed under the generated UUID
final var newSubjectUuid = UUID.fromString(
final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1));
assertThat(newSubjectUuid).isNotNull();
assertThat(newUserUuid).isNotNull();
}
@Test
@ -367,9 +367,9 @@ class HsOfficeDebitorControllerAcceptanceTest extends ContextBasedTestWithCleanu
.extract().header("Location"); // @formatter:on
// finally, the new debitor can be accessed under the generated UUID
final var newSubjectUuid = UUID.fromString(
final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1));
assertThat(newSubjectUuid).isNotNull();
assertThat(newUserUuid).isNotNull();
}
@Test


@ -204,10 +204,10 @@ class HsOfficeMembershipControllerAcceptanceTest extends ContextBasedTestWithCle
.extract().header("Location"); // @formatter:on
// finally, the new membership can be accessed under the generated UUID
final var newSubjectUuid = UUID.fromString(
final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1));
assertThat(newSubjectUuid).isNotNull();
assertThat(membershipRepo.findByUuid(newSubjectUuid)).isPresent();
assertThat(newUserUuid).isNotNull();
assertThat(membershipRepo.findByUuid(newUserUuid)).isPresent();
}
}


@ -141,9 +141,9 @@ class HsOfficePartnerControllerAcceptanceTest extends ContextBasedTestWithCleanu
.extract().header("Location"); // @formatter:on
// finally, the new partner can be accessed under the generated UUID
final var newSubjectUuid = UUID.fromString(
final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1));
assertThat(newSubjectUuid).isNotNull();
assertThat(newUserUuid).isNotNull();
}
@Test


@ -99,9 +99,9 @@ class HsOfficePersonControllerAcceptanceTest extends ContextBasedTestWithCleanup
.extract().header("Location"); // @formatter:on
// finally, the new person can be accessed under the generated UUID
final var newSubjectUuid = UUID.fromString(
final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1));
assertThat(newSubjectUuid).isNotNull();
assertThat(newUserUuid).isNotNull();
}
}


@ -161,9 +161,9 @@ class HsOfficeRelationControllerAcceptanceTest extends ContextBasedTestWithClean
.extract().header("Location"); // @formatter:on
// finally, the new relation can be accessed under the generated UUID
final var newSubjectUuid = toCleanup(HsOfficeRelationRealEntity.class, UUID.fromString(
final var newUserUuid = toCleanup(HsOfficeRelationRealEntity.class, UUID.fromString(
location.substring(location.lastIndexOf('/') + 1)));
assertThat(newSubjectUuid).isNotNull();
assertThat(newUserUuid).isNotNull();
}
@Test


@ -138,9 +138,9 @@ class HsOfficeSepaMandateControllerAcceptanceTest extends ContextBasedTestWithCl
.extract().header("Location"); // @formatter:on
// finally, the new sepaMandate can be accessed under the generated UUID
final var newSubjectUuid = UUID.fromString(
final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1));
assertThat(newSubjectUuid).isNotNull();
assertThat(newUserUuid).isNotNull();
}
// TODO.test: move validation tests to a ...WebMvcTest


@ -238,7 +238,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
}
@Nested
class GrantRoleToSubject {
class GrantRoleToUser {
@Test
void packageAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() {
@ -295,7 +295,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
}
@Nested
class RevokeRoleFromSubject {
class RevokeRoleFromUser {
@Test
@Transactional(propagation = Propagation.NEVER)
@ -389,7 +389,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
{
"assumed": true,
"grantedRoleUuid": "%s",
"granteeSubjectUuid": "%s"
"granteeUserUuid": "%s"
}
""".formatted(
grantedRole.getUuid(),
@ -425,7 +425,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
{
"assumed": true,
"grantedRoleUuid": "%s",
"granteeSubjectUuid": "%s"
"granteeUserUuid": "%s"
}
""".formatted(
grantedRole.getUuid(),


@ -13,16 +13,16 @@ class RbacGrantEntityUnitTest {
void getRbacGrantId() {
// given
final var grantedRoleUuid = UUID.randomUUID();
final var granteeSubjectUuid = UUID.randomUUID();
final var granteeUserUuid = UUID.randomUUID();
final var entity = new RbacGrantEntity();
entity.setGrantedRoleUuid(grantedRoleUuid);
entity.setGranteeSubjectUuid(granteeSubjectUuid);
entity.setGranteeUserUuid(granteeUserUuid);
// when
final var grantId = entity.getRbacGrantId();
// then
assertThat(grantId).isEqualTo(new RbacGrantId(granteeSubjectUuid, grantedRoleUuid));
assertThat(grantId).isEqualTo(new RbacGrantId(granteeUserUuid, grantedRoleUuid));
}
@Test


@ -103,18 +103,18 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
}
@Nested
class GrantRoleToSubject {
class GrantRoleToUser {
@Test
public void customerAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() {
// given
context("customer-admin@xxx.example.com", "test_customer#xxx:ADMIN");
final var givenArbitrarySubjectUuid = rbacUserRepository.findByName("pac-admin-zzz00@zzz.example.com").getUuid();
final var givenArbitraryUserUuid = rbacUserRepository.findByName("pac-admin-zzz00@zzz.example.com").getUuid();
final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("test_package#xxx00:ADMIN").getUuid();
// when
final var grant = RbacGrantEntity.builder()
.granteeSubjectUuid(givenArbitrarySubjectUuid).grantedRoleUuid(givenOwnPackageRoleUuid)
.granteeUserUuid(givenArbitraryUserUuid).grantedRoleUuid(givenOwnPackageRoleUuid)
.assumed(true)
.build();
final var attempt = attempt(em, () ->
@ -148,7 +148,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// now we try to use these uuids as a less privileged user
context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00:ADMIN");
final var grant = RbacGrantEntity.builder()
.granteeSubjectUuid(given.arbitraryUser.getUuid())
.granteeUserUuid(given.arbitraryUser.getUuid())
.grantedRoleUuid(given.packageOwnerRoleUuid)
.assumed(true)
.build();
@ -170,7 +170,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
}
@Nested
class revokeRoleFromSubject {
class RevokeRoleFromUser {
@Test
public void customerAdmin_canRevokeSelfGrantedPackageAdminRole() {
@ -236,11 +236,11 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
private RbacGrantEntity create(GrantBuilder with) {
context(with.byUserName, with.assumedRole);
final var givenArbitrarySubjectUuid = rbacUserRepository.findByName(with.granteeUserName).getUuid();
final var givenArbitraryUserUuid = rbacUserRepository.findByName(with.granteeUserName).getUuid();
final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName(with.grantedRole).getUuid();
final var grant = RbacGrantEntity.builder()
.granteeSubjectUuid(givenArbitrarySubjectUuid).grantedRoleUuid(givenOwnPackageRoleUuid)
.granteeUserUuid(givenArbitraryUserUuid).grantedRoleUuid(givenOwnPackageRoleUuid)
.assumed(true)
.build();
final var grantAttempt = attempt(em, () ->


@ -63,10 +63,10 @@ class RbacUserControllerAcceptanceTest {
// @formatter:on
// finally, the user can view its own record
final var newSubjectUuid = UUID.fromString(
final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1));
context.define("new-user@example.com");
assertThat(rbacUserRepository.findByUuid(newSubjectUuid))
assertThat(rbacUserRepository.findByUuid(newUserUuid))
.extracting(RbacUserEntity::getName).isEqualTo("new-user@example.com");
}
}


@ -232,7 +232,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
context("superuser-alex@hostsharing.net");
// when
final var result = rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid("superuser-fran@hostsharing.net"))
final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("superuser-fran@hostsharing.net"))
.stream().filter(p -> p.getObjectTable().contains("test_"))
.sorted(comparing(RbacUserPermission::toString)).toList();
@ -246,7 +246,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
context("customer-admin@xxx.example.com");
// when
final var result = rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid("customer-admin@xxx.example.com"));
final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("customer-admin@xxx.example.com"));
// then
allTheseRbacPermissionsAreReturned(
@ -286,17 +286,17 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
public void customerAdmin_withoutAssumedRole_isNotAllowedToViewGlobalAdminsPermissions() {
// given
context("customer-admin@xxx.example.com");
final UUID subjectUuid = subjectUuid("superuser-alex@hostsharing.net");
final UUID userUuid = userUUID("superuser-alex@hostsharing.net");
// when
final var result = attempt(em, () ->
rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid)
rbacUserRepository.findPermissionsOfUserByUuid(userUuid)
);
// then
result.assertExceptionWithRootCauseMessage(
JpaSystemException.class,
"[403] permissions of user \"" + subjectUuid
"[403] permissions of user \"" + userUuid
+ "\" are not accessible to user \"customer-admin@xxx.example.com\"");
}
@ -306,7 +306,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
context("customer-admin@xxx.example.com");
// when
final var result = rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid("pac-admin-xxx00@xxx.example.com"));
final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("pac-admin-xxx00@xxx.example.com"));
// then
allTheseRbacPermissionsAreReturned(
@ -342,7 +342,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
context("customer-admin@xxx.example.com");
// when
final var result = rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid("pac-admin-yyy00@yyy.example.com"));
final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("pac-admin-yyy00@yyy.example.com"));
// then
noRbacPermissionsAreReturned(result);
@ -354,7 +354,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
context("pac-admin-xxx00@xxx.example.com");
// when
final var result = rbacUserRepository.findPermissionsOfUserByUuid(subjectUuid("pac-admin-xxx00@xxx.example.com"));
final var result = rbacUserRepository.findPermissionsOfUserByUuid(userUUID("pac-admin-xxx00@xxx.example.com"));
// then
allTheseRbacPermissionsAreReturned(
@ -385,7 +385,7 @@ class RbacUserRepositoryIntegrationTest extends ContextBasedTest {
}
}
UUID subjectUuid(final String userName) {
UUID userUUID(final String userName) {
return rbacUserRepository.findByName(userName).getUuid();
}
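Review bot: The helper is spelled `userUUID(...)` in the last hunk while the local it feeds in the earlier hunk is `final UUID userUuid = userUUID(...)`, and every other renamed identifier in this commit (`newUserUuid`, `givenArbitraryUserUuid`, `granteeUserUuid`) writes the acronym as a word; if `userUUID` is the new side, it is the one outlier. Java convention treats acronyms as words in identifiers, so the method should follow the same spelling as its callers. Since a method named `userUuid` would read confusingly next to the local of the same name, a name such as `UUID uuidOfUser(final String userName) {` keeps both the convention and readability; the call sites in the hunks above would change accordingly.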


@ -18,6 +18,7 @@ import org.springframework.data.repository.Repository;
import org.springframework.transaction.PlatformTransactionManager;
import jakarta.persistence.*;
import jakarta.transaction.Transactional;
import java.util.*;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Supplier;


@ -146,10 +146,10 @@ class TestCustomerControllerAcceptanceTest {
.extract().header("Location"); // @formatter:on
// finally, the new customer can be viewed by its own admin
final var newSubjectUuid = UUID.fromString(
final var newUserUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1));
context.define("superuser-fran@hostsharing.net", "test_customer#uuu:ADMIN");
assertThat(testCustomerRepository.findByUuid(newSubjectUuid))
assertThat(testCustomerRepository.findByUuid(newUserUuid))
.hasValueSatisfying(c -> assertThat(c.getPrefix()).isEqualTo("uuu"));
}