introduce separate database-schemas base+rbac #103
@ -144,7 +144,7 @@ grant all privileges on rbacrole_rv to ${HSADMINNG_POSTGRES_RESTRICTED_USERNAME}
|
||||
/**
|
||||
Instead of insert trigger function for RbacGrants_RV.
|
||||
*/
|
||||
create or replace function insertRbacGrant()
|
||||
create or replace function rbac.insert_grant_tf()
|
||||
returns trigger
|
||||
language plpgsql as $$
|
||||
declare
|
||||
@ -161,11 +161,11 @@ end; $$;
|
||||
/*
|
||||
Creates an instead of insert trigger for the RbacGrants_rv view.
|
||||
*/
|
||||
create trigger insertRbacGrant_Trigger
|
||||
create trigger insert_grant_tg
|
||||
instead of insert
|
||||
on RbacGrants_rv
|
||||
for each row
|
||||
execute function insertRbacGrant();
|
||||
execute function rbac.insert_grant_tf();
|
||||
--/
|
||||
|
||||
|
||||
@ -178,7 +178,7 @@ execute function insertRbacGrant();
|
||||
|
||||
Checks if the current subject or assumed role have the permission to revoke the grant.
|
||||
*/
|
||||
create or replace function deleteRbacGrant()
|
||||
create or replace function rbac.delete_grant_tf()
|
||||
returns trigger
|
||||
language plpgsql as $$
|
||||
begin
|
||||
@ -189,11 +189,11 @@ end; $$;
|
||||
/*
|
||||
Creates an instead of delete trigger for the RbacGrants_rv view.
|
||||
*/
|
||||
create trigger deleteRbacGrant_Trigger
|
||||
create trigger delete_grant_tg
|
||||
instead of delete
|
||||
on RbacGrants_rv
|
||||
for each row
|
||||
execute function deleteRbacGrant();
|
||||
execute function rbac.delete_grant_tf();
|
||||
--/
|
||||
|
||||
|
||||
|
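Review bot: The trigger functions are moved into the `rbac` schema (`create or replace function rbac.insert_grant_tf()` and `rbac.delete_grant_tf()`), but the objects they are attached to stay unqualified — `on RbacGrants_rv` in both `create trigger` statements and `rbacrole_rv` in the grant visible in the first hunk header — so which view the trigger lands on now depends on the search_path in effect when this script runs. If those views moved into `rbac` as well, qualify them explicitly, e.g. `on rbac.rbacgrants_rv`, so the binding does not silently change with session configuration. The function bodies fall outside the hunks, so I cannot see whether they are `security definer` or whether they reference the underlying grant/role tables unqualified; in a split-schema layout a trigger function that enforces who may grant or revoke should pin its own search path, `language plpgsql set search_path = rbac, pg_temp as $$`, so a less privileged session cannot redirect those references by creating same-named objects earlier in its search_path. For the same reason the `rbac` schema itself should have `create` revoked from public — confirm against the schema-creation script, which is not part of this diff.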
@ -304,28 +304,28 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
|
||||
// given
|
||||
final var givenArbitraryUser = createRBacUser();
|
||||
final var givenRoleToGrant = "test_package#xxx00:ADMIN";
|
||||
final var givencurrentSubjectAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
|
||||
final var givenCurrentSubjectAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
|
||||
final var givenOwnPackageAdminRole = getRbacRoleByName("test_package#xxx00:ADMIN");
|
||||
|
||||
// and given an existing grant
|
||||
assumeCreated(givencurrentSubjectAsPackageAdmin
|
||||
assumeCreated(givenCurrentSubjectAsPackageAdmin
|
||||
.grantsRole(givenOwnPackageAdminRole).assumed()
|
||||
.toUser(givenArbitraryUser));
|
||||
assumeGrantExists(
|
||||
givencurrentSubjectAsPackageAdmin,
|
||||
givenCurrentSubjectAsPackageAdmin,
|
||||
"{ grant role:%s to user:%s by role:%s and assume }".formatted(
|
||||
givenOwnPackageAdminRole.getRoleName(),
|
||||
givenArbitraryUser.getName(),
|
||||
givencurrentSubjectAsPackageAdmin.assumedRole));
|
||||
givenCurrentSubjectAsPackageAdmin.assumedRole));
|
||||
|
||||
// when
|
||||
final var revokeResponse = givencurrentSubjectAsPackageAdmin
|
||||
final var revokeResponse = givenCurrentSubjectAsPackageAdmin
|
||||
.revokesRole(givenOwnPackageAdminRole)
|
||||
.fromUser(givenArbitraryUser);
|
||||
|
||||
// then
|
||||
revokeResponse.assertThat().statusCode(204);
|
||||
assertThat(findAllGrantsOf(givencurrentSubjectAsPackageAdmin))
|
||||
assertThat(findAllGrantsOf(givenCurrentSubjectAsPackageAdmin))
|
||||
.extracting(RbacGrantEntity::getGranteeUserName)
|
||||
.doesNotContain(givenArbitraryUser.getName());
|
||||
}
|
||||
|