From fa06062dcd9f90db2c71e99e42bcda07cb07f8f8 Mon Sep 17 00:00:00 2001
From: Michael Hoennig <michael@hoennig.de>
Date: Fri, 27 Dec 2024 09:04:18 +0100
Subject: [PATCH 01/13] cas-curl to support assume

---
 bin/cas-curl | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/bin/cas-curl b/bin/cas-curl
index 41427a41..6bf351e0 100755
--- a/bin/cas-curl
+++ b/bin/cas-curl
@@ -11,13 +11,23 @@ EOF
   exit
 fi
 
+export HSADMINNG_CAS_ASSUME_HEADER
+if [ -f ~/.cas-curl-assume ]; then
+  HSADMINNG_CAS_ASSUME="$(cat ~/.cas-curl-assume)"
+else
+  HSADMINNG_CAS_ASSUME=
+fi
+
 if [ "$1" == "--trace" ]; then
   function trace() {
     echo "$*" >&2
   }
   function doCurl() {
     set -x
-    curl --fail-with-body --header "Authorization: $HSADMINNG_CAS_TICKET" "$@"
+    curl --fail-with-body \
+        --header "Authorization: $HSADMINNG_CAS_TICKET" \
+        --header "assumed-roles: $HSADMINNG_CAS_ASSUME" \
+        "$@"
     set +x
   }
   shift
@@ -76,6 +86,7 @@ function casLogin() {
   if [ -z "$HSADMINNG_CAS_TGT" ]; then
     echo "ERROR: could not get ticket granting ticket" >&2
     cat ~/.cas-login-tgt.response >&2
+    exit 1
   fi
   echo "$HSADMINNG_CAS_TGT" >~/.cas-login-tgt
   trace "$HSADMINNG_CAS_TGT"
@@ -121,6 +132,14 @@ case "${1,,}" in
     export HSADMINNG_CAS_PASSWORD=
     casLogin
     ;;
+  "assume") # assumes the given comma-separated roles
+    shift
+    if [ -z "$1" ]; then
+      rm ~/.cas-curl-assume
+    else
+      echo "$1" >~/.cas-curl-assume
+    fi
+    ;;
   "logout") # logout, deleting ticket granting ticket
     casLogout
     ;;
-- 
2.39.5


From 5e74431d3380900dee5306b6063dad3b2abb8ea8 Mon Sep 17 00:00:00 2001
From: Michael Hoennig <michael@hoennig.de>
Date: Fri, 27 Dec 2024 09:05:04 +0100
Subject: [PATCH 02/13] improved error messages in
 findObjectUuidByIdName+findIdNameByObjectUuid

---
 .../resources/db/changelog/1-rbac/1050-rbac-base.sql | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql b/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql
index 82c43238..e9ae48c4 100644
--- a/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql
+++ b/src/main/resources/db/changelog/1-rbac/1050-rbac-base.sql
@@ -251,9 +251,14 @@ begin
         execute sql into uuid;
     exception
         when others then
-            raise exception 'function %_uuid_by_id_name(...) not found, add identity view support for table %', objectTable, objectTable;
+            raise exception 'function %_uuid_by_id_name(''%'') failed: %, SQLSTATE: %. If it could not be found, add identity view support to %\nSQL:%',
+                objectTable, objectIdName, SQLERRM, SQLSTATE, objectTable, sql;
     end;
-    return uuid;
+    if uuid is null then
+        raise exception 'SQL returned null: %', sql;
+    else
+        return uuid;
+    end if;
 end ; $$;
 
 create or replace function rbac.findIdNameByObjectUuid(objectTable varchar, objectUuid uuid)
@@ -270,7 +275,8 @@ begin
         execute sql into idName;
     exception
         when others then
-            raise exception 'function %_id_name_by_uuid(...) not found, add identity view support for table %', objectTable, objectTable;
+            raise exception 'function %_id_name_by_uuid(''%'') failed: %, SQLSTATE: %. If it could not be found, add identity view support to %',
+                objectTable, objectUuid, SQLERRM, SQLSTATE, objectTable;
     end;
     return idName;
 end ; $$;
-- 
2.39.5


From 1f14c370f7e4bfcbaf0c05a33b9754cf618b72e1 Mon Sep 17 00:00:00 2001
From: Michael Hoennig <michael@hoennig.de>
Date: Fri, 27 Dec 2024 09:06:17 +0100
Subject: [PATCH 03/13] temporarily set length of objectNameToAssume to 1024

---
 src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql b/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql
index 892b5933..ba50fbc3 100644
--- a/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql
+++ b/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql
@@ -31,7 +31,7 @@ declare
     roleName            text;
     roleNameParts       text;
     objectTableToAssume varchar(63);
-    objectNameToAssume  varchar(63);
+    objectNameToAssume  varchar(1024); -- FIXME: find sensible limit
     objectUuidToAssume  uuid;
     roleTypeToAssume    rbac.RoleType;
     roleIdsToAssume     uuid[];
-- 
2.39.5


From 44951f439ab76585c8df326e66382e032d7374fb Mon Sep 17 00:00:00 2001
From: Michael Hoennig <michael@hoennig.de>
Date: Sat, 28 Dec 2024 16:07:02 +0100
Subject: [PATCH 04/13] assume with table#uuid:roletype

---
 .../hsadminng/context/Context.java            |   2 +-
 .../HsOfficeRelationRbacRepository.java       |   2 +-
 .../HsOfficeRelationRealRepository.java       |  63 +++++++--
 .../db/changelog/0-base/010-context.sql       |   6 +-
 .../db/changelog/1-rbac/1054-rbac-context.sql |  15 +-
 .../5028-hs-office-person-test-data.sql       |   3 +-
 .../5038-hs-office-relation-test-data.sql     |   6 +-
 .../5048-hs-office-partner-test-data.sql      |   2 +-
 .../5058-hs-office-bankaccount-test-data.sql  |   4 +-
 .../5068-hs-office-debitor-test-data.sql      |   2 +-
 ...ceBankAccountControllerAcceptanceTest.java |   2 +-
 ...eBankAccountRepositoryIntegrationTest.java |   2 +-
 ...OfficeDebitorControllerAcceptanceTest.java |  15 +-
 ...fficeDebitorRepositoryIntegrationTest.java |   2 +-
 ...OfficePartnerControllerAcceptanceTest.java |   2 +-
 ...fficePartnerRepositoryIntegrationTest.java |   2 +-
 ...cePersonRbacRepositoryIntegrationTest.java |  35 +----
 ...cePersonRealRepositoryIntegrationTest.java |  22 +--
 ...RealRelationRepositoryIntegrationTest.java |   8 +-
 ...fficeRelationControllerAcceptanceTest.java |   2 +-
 ...ficeRelationRepositoryIntegrationTest.java | 128 ++++++++++++------
 ...ceSepaMandateControllerAcceptanceTest.java |   2 +-
 .../RbacRoleRepositoryIntegrationTest.java    |   2 +-
 23 files changed, 179 insertions(+), 150 deletions(-)

diff --git a/src/main/java/net/hostsharing/hsadminng/context/Context.java b/src/main/java/net/hostsharing/hsadminng/context/Context.java
index 6ceed023..c3b27126 100644
--- a/src/main/java/net/hostsharing/hsadminng/context/Context.java
+++ b/src/main/java/net/hostsharing/hsadminng/context/Context.java
@@ -58,7 +58,7 @@ public class Context {
                     cast(:currentTask as varchar(127)),
                     cast(:currentRequest as text),
                     cast(:currentSubject as varchar(63)),
-                    cast(:assumedRoles as varchar(1023)));
+                    cast(:assumedRoles as text));
                 """);
         query.setParameter("currentTask", shortenToMaxLength(currentTask, 127));
         query.setParameter("currentRequest", currentRequest);
diff --git a/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRbacRepository.java b/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRbacRepository.java
index 82e245ae..e687bdcb 100644
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRbacRepository.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRbacRepository.java
@@ -42,7 +42,7 @@ public interface HsOfficeRelationRbacRepository extends Repository<HsOfficeRelat
                 toSqlLikeOperand(mark), toSqlLikeOperand(personData), toSqlLikeOperand(contactData));
     }
 
-    // TODO: use ELIKE instead of lower(...) LIKE ...? Or use jsonb_path with RegEx like emailAddressRegEx in ContactRepo?
+    // TODO: Or use jsonb_path with RegEx like emailAddressRegEx in ContactRepo?
     @Query(value = """
             SELECT rel FROM HsOfficeRelationRbacEntity AS rel
                 WHERE (:relationType IS NULL OR CAST(rel.type AS String) = :relationType)
diff --git a/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRealRepository.java b/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRealRepository.java
index bd1eac0c..5a2249d7 100644
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRealRepository.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRealRepository.java
@@ -14,24 +14,58 @@ public interface HsOfficeRelationRealRepository extends Repository<HsOfficeRelat
     @Timed("app.repo.relations.findByUuid.real")
     Optional<HsOfficeRelationRealEntity> findByUuid(UUID id);
 
-    default List<HsOfficeRelationRealEntity> findRelationRelatedToPersonUuidAndRelationType(@NotNull UUID personUuid, HsOfficeRelationType relationType) {
-        return findRelationRelatedToPersonUuidAndRelationTypeString(personUuid, relationType == null ? null : relationType.toString());
-    }
-
     @Query(value = """
             SELECT p.* FROM hs_office.relation AS p
                 WHERE p.anchorUuid = :personUuid OR p.holderUuid = :personUuid
-               """, nativeQuery = true)
+            """, nativeQuery = true)
     @Timed("app.repo.relations.findRelationRelatedToPersonUuid.real")
     List<HsOfficeRelationRealEntity> findRelationRelatedToPersonUuid(@NotNull UUID personUuid);
 
+    /**
+     * Finds relations by a conjunction of optional criteria, including anchorPerson, holderPerson and contact data.
+     *      *
+     * @param personUuid the optional UUID of the anchorPerson or holderPerson
+     * @param relationType the type of the relation
+     * @param mark the mark (use '%' for wildcard), case ignored
+     * @param personData a string to match the persons tradeName, familyName or givenName (use '%' for wildcard), case ignored
+     * @param contactData a string to match the contacts caption, postalAddress, emailAddresses or phoneNumbers (use '%' for wildcard), case ignored
+     * @return a list of (accessible) relations which match all given criteria
+     */
+    default List<HsOfficeRelationRealEntity> findRelationRelatedToPersonUuidRelationTypeMarkPersonAndContactData(
+            final UUID personUuid,
+            final HsOfficeRelationType relationType,
+            final String mark,
+            final String personData,
+            final String contactData) {
+        return findRelationRelatedToPersonUuidRelationByTypeMarkPersonAndContactDataImpl(
+                personUuid, toStringOrNull(relationType),
+                toSqlLikeOperand(mark), toSqlLikeOperand(personData), toSqlLikeOperand(contactData));
+    }
+
+    // TODO: Or use jsonb_path with RegEx like emailAddressRegEx in ContactRepo?
     @Query(value = """
-            SELECT p.* FROM hs_office.relation AS p
-                WHERE (:relationType IS NULL OR p.type = cast(:relationType AS hs_office.RelationType))
-                    AND ( p.anchorUuid = :personUuid OR p.holderUuid = :personUuid)
-               """, nativeQuery = true)
-    @Timed("app.repo.relations.findRelationRelatedToPersonUuidAndRelationTypeString.real")
-    List<HsOfficeRelationRealEntity> findRelationRelatedToPersonUuidAndRelationTypeString(@NotNull UUID personUuid, String relationType);
+            SELECT rel FROM HsOfficeRelationRealEntity AS rel
+                WHERE (:relationType IS NULL OR CAST(rel.type AS String) = :relationType)
+                    AND ( :personUuid IS NULL
+                            OR rel.anchor.uuid = :personUuid OR rel.holder.uuid = :personUuid )
+                    AND ( :mark IS NULL OR lower(rel.mark) LIKE :mark )
+                    AND ( :personData IS NULL
+                            OR lower(rel.anchor.tradeName) LIKE :personData OR lower(rel.holder.tradeName) LIKE :personData
+                            OR lower(rel.anchor.familyName) LIKE :personData OR lower(rel.holder.familyName) LIKE :personData
+                            OR lower(rel.anchor.givenName) LIKE :personData OR lower(rel.holder.givenName) LIKE :personData )
+                    AND ( :contactData IS NULL
+                            OR lower(rel.contact.caption) LIKE :contactData
+                            OR lower(CAST(rel.contact.postalAddress AS String)) LIKE :contactData
+                            OR lower(CAST(rel.contact.emailAddresses AS String)) LIKE :contactData
+                            OR lower(CAST(rel.contact.phoneNumbers AS String)) LIKE :contactData )
+            """)
+    @Timed("app.office.relations.repo.findRelationRelatedToPersonUuidRelationByTypeMarkPersonAndContactDataImpl.real")
+    List<HsOfficeRelationRealEntity> findRelationRelatedToPersonUuidRelationByTypeMarkPersonAndContactDataImpl(
+            final UUID personUuid,
+            final String relationType,
+            final String mark,
+            final String personData,
+            final String contactData);
 
     @Timed("app.repo.relations.save.real")
     HsOfficeRelationRealEntity save(final HsOfficeRelationRealEntity entity);
@@ -41,4 +75,11 @@ public interface HsOfficeRelationRealRepository extends Repository<HsOfficeRelat
 
     @Timed("app.repo.relations.deleteByUuid.real")
     int deleteByUuid(UUID uuid);
+    private static String toSqlLikeOperand(final String text) {
+        return text == null ? null : ("%" + text.toLowerCase() + "%");
+    }
+
+    private static String toStringOrNull(final HsOfficeRelationType relationType) {
+        return relationType == null ? null : relationType.name();
+    }
 }
diff --git a/src/main/resources/db/changelog/0-base/010-context.sql b/src/main/resources/db/changelog/0-base/010-context.sql
index abafe3b6..41df847c 100644
--- a/src/main/resources/db/changelog/0-base/010-context.sql
+++ b/src/main/resources/db/changelog/0-base/010-context.sql
@@ -13,7 +13,7 @@ create procedure base.contextDefined(
     currentTask varchar(127),
     currentRequest text,
     currentSubject varchar(63),
-    assumedRoles varchar(1023)
+    assumedRoles varchar(4096)
 )
     language plpgsql as $$
 begin
@@ -26,7 +26,7 @@ create or replace procedure base.defineContext(
     currentTask varchar(127),
     currentRequest text = null,
     currentSubject varchar(63) = null,
-    assumedRoles varchar(1023) = null
+    assumedRoles text = null
 )
     language plpgsql as $$
 begin
@@ -43,7 +43,7 @@ begin
     execute format('set local hsadminng.currentSubject to %L', currentSubject);
 
     assumedRoles := coalesce(assumedRoles, '');
-    assert length(assumedRoles) <= 1023, FORMAT('assumedRoles must not be longer than 1023 characters: "%s"', assumedRoles);
+    assert length(assumedRoles) <= 4096, FORMAT('assumedRoles must not be longer than 4096 characters: "%s"', assumedRoles);
     execute format('set local hsadminng.assumedRoles to %L', assumedRoles);
 
     call base.contextDefined(currentTask, currentRequest, currentSubject, assumedRoles);
diff --git a/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql b/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql
index ba50fbc3..d12eac5e 100644
--- a/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql
+++ b/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql
@@ -23,7 +23,7 @@ begin
     return currentSubjectUuid;
 end; $$;
 
-create or replace function rbac.determinecurrentsubjectorassumedrolesuuids(currentSubjectOrAssumedRolesUuids uuid, assumedRoles varchar)
+create or replace function rbac.determinecurrentsubjectorassumedrolesuuids(currentSubjectOrAssumedRolesUuids uuid, assumedRoles text)
     returns uuid[]
     stable -- leakproof
     language plpgsql as $$
@@ -31,7 +31,7 @@ declare
     roleName            text;
     roleNameParts       text;
     objectTableToAssume varchar(63);
-    objectNameToAssume  varchar(1024); -- FIXME: find sensible limit
+    objectNameToAssume  varchar(1024); -- e.g. for relation: 2*(96+48+48)+length('-with-REPRESENTATIVE-') = 405
     objectUuidToAssume  uuid;
     roleTypeToAssume    rbac.RoleType;
     roleIdsToAssume     uuid[];
@@ -55,7 +55,12 @@ begin
             objectNameToAssume = split_part(roleNameParts, '#', 2);
             roleTypeToAssume = split_part(roleNameParts, '#', 3);
 
-            objectUuidToAssume = rbac.findObjectUuidByIdName(objectTableToAssume, objectNameToAssume);
+            begin
+                objectUuidToAssume = objectNameToAssume::uuid;
+            exception when invalid_text_representation then
+                objectUuidToAssume = rbac.findObjectUuidByIdName(objectTableToAssume, objectNameToAssume);
+            end;
+
             if objectUuidToAssume is null then
                 raise exception '[401] object % cannot be found in table % (from roleNameParts=%)', objectNameToAssume, objectTableToAssume, roleNameParts;
             end if;
@@ -88,7 +93,7 @@ create or replace procedure base.contextDefined(
     currentTask varchar(127),
     currentRequest text,
     currentSubject varchar(63),
-    assumedRoles varchar(1023)
+    assumedRoles varchar(4096)
 )
     language plpgsql as $$
 declare
@@ -103,7 +108,7 @@ begin
     execute format('set local hsadminng.currentSubjectUuid to %L', coalesce(currentSubjectUuid::text, ''));
 
     execute format('set local hsadminng.assumedRoles to %L', assumedRoles);
-    execute format('set local hsadminng.currentSubjectOrAssumedRolesUuids to %L',
+    execute format('set local hsadminng.currentSubjectOrAssumedRolesUuids to %L', -- FIXME: can this be removed?
        (select array_to_string(rbac.determinecurrentsubjectorassumedrolesuuids(currentSubjectUuid, assumedRoles), ';')));
 
     raise notice 'Context defined as: %, %, %, [%]', currentTask, currentRequest, currentSubject, assumedRoles;
diff --git a/src/main/resources/db/changelog/5-hs-office/502-person/5028-hs-office-person-test-data.sql b/src/main/resources/db/changelog/5-hs-office/502-person/5028-hs-office-person-test-data.sql
index 2408602e..49380a13 100644
--- a/src/main/resources/db/changelog/5-hs-office/502-person/5028-hs-office-person-test-data.sql
+++ b/src/main/resources/db/changelog/5-hs-office/502-person/5028-hs-office-person-test-data.sql
@@ -45,7 +45,8 @@ do language plpgsql $$
         call hs_office.person_create_test_data('NP', null, 'Smith', 'Peter');
         call hs_office.person_create_test_data('NP', null, 'Tucker', 'Jack');
         call hs_office.person_create_test_data('NP', null, 'Fouler', 'Ellie');
-        call hs_office.person_create_test_data('LP', 'Second e.K.', 'Smith', 'Peter');
+        -- the next tradeName is deliberately 63 chars in length, the max length for that field, also to test long rbac-role names
+        call hs_office.person_create_test_data('LP', 'Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.', 'Smith', 'Peter');
         call hs_office.person_create_test_data('IF', 'Third OHG');
         call hs_office.person_create_test_data('LP', 'Fourth eG');
         call hs_office.person_create_test_data('UF', 'Erben Bessler', 'Mel', 'Bessler');
diff --git a/src/main/resources/db/changelog/5-hs-office/503-relation/5038-hs-office-relation-test-data.sql b/src/main/resources/db/changelog/5-hs-office/503-relation/5038-hs-office-relation-test-data.sql
index 8813ac7e..1e88bbe0 100644
--- a/src/main/resources/db/changelog/5-hs-office/503-relation/5038-hs-office-relation-test-data.sql
+++ b/src/main/resources/db/changelog/5-hs-office/503-relation/5038-hs-office-relation-test-data.sql
@@ -91,9 +91,9 @@ do language plpgsql $$
         call hs_office.relation_create_test_data('Firby', 'REPRESENTATIVE', 'First GmbH', 'first contact');
         call hs_office.relation_create_test_data('First GmbH', 'DEBITOR', 'First GmbH', 'first contact');
 
-        call hs_office.relation_create_test_data('Second e.K.', 'PARTNER', 'Hostsharing eG', 'second contact');
-        call hs_office.relation_create_test_data('Smith', 'REPRESENTATIVE', 'Second e.K.', 'second contact');
-        call hs_office.relation_create_test_data('Second e.K.', 'DEBITOR', 'Second e.K.', 'second contact');
+        call hs_office.relation_create_test_data('Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.', 'PARTNER', 'Hostsharing eG', 'second contact');
+        call hs_office.relation_create_test_data('Smith', 'REPRESENTATIVE', 'Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.', 'second contact');
+        call hs_office.relation_create_test_data('Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.', 'DEBITOR', 'Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.', 'second contact');
 
         call hs_office.relation_create_test_data('Third OHG', 'PARTNER', 'Hostsharing eG', 'third contact');
         call hs_office.relation_create_test_data('Tucker', 'REPRESENTATIVE', 'Third OHG', 'third contact');
diff --git a/src/main/resources/db/changelog/5-hs-office/504-partner/5048-hs-office-partner-test-data.sql b/src/main/resources/db/changelog/5-hs-office/504-partner/5048-hs-office-partner-test-data.sql
index b0e9e345..3a6ced65 100644
--- a/src/main/resources/db/changelog/5-hs-office/504-partner/5048-hs-office-partner-test-data.sql
+++ b/src/main/resources/db/changelog/5-hs-office/504-partner/5048-hs-office-partner-test-data.sql
@@ -74,7 +74,7 @@ do language plpgsql $$
         call base.defineContext('creating partner test-data ', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
 
         call hs_office.partner_create_test_data('Hostsharing eG', 10001, 'First GmbH', 'first contact');
-        call hs_office.partner_create_test_data('Hostsharing eG', 10002, 'Second e.K.', 'second contact');
+        call hs_office.partner_create_test_data('Hostsharing eG', 10002, 'Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.', 'second contact');
         call hs_office.partner_create_test_data('Hostsharing eG', 10003, 'Third OHG', 'third contact');
         call hs_office.partner_create_test_data('Hostsharing eG', 10004, 'Fourth eG', 'fourth contact');
         call hs_office.partner_create_test_data('Hostsharing eG', 10010, 'Smith', 'fifth contact');
diff --git a/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5058-hs-office-bankaccount-test-data.sql b/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5058-hs-office-bankaccount-test-data.sql
index 15f1035d..7aedc340 100644
--- a/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5058-hs-office-bankaccount-test-data.sql
+++ b/src/main/resources/db/changelog/5-hs-office/505-bankaccount/5058-hs-office-bankaccount-test-data.sql
@@ -13,7 +13,7 @@ create or replace procedure hs_office.bankaccount_create_test_data(givenHolder v
 declare
     emailAddr varchar;
 begin
-    emailAddr = 'bankaccount-admin@' || base.cleanIdentifier(givenHolder) || '.example.com';
+    emailAddr = 'bankaccount-admin@' || TRIM(SUBSTRING(base.cleanIdentifier(givenHolder) FOR 32)) || '.example.com';
     perform rbac.create_subject(emailAddr);
     call base.defineContext('creating bankaccount test-data', null, emailAddr);
 
@@ -36,7 +36,7 @@ do language plpgsql $$
         -- IBANs+BICs taken from https://ibanvalidieren.de/beispiele.html
         call hs_office.bankaccount_create_test_data('First GmbH', 'DE02120300000000202051', 'BYLADEM1001');
         call hs_office.bankaccount_create_test_data('Peter Smith', 'DE02500105170137075030', 'INGDDEFF');
-        call hs_office.bankaccount_create_test_data('Second e.K.', 'DE02100500000054540402', 'BELADEBE');
+        call hs_office.bankaccount_create_test_data('Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.', 'DE02100500000054540402', 'BELADEBE');
         call hs_office.bankaccount_create_test_data('Third OHG', 'DE02300209000106531065', 'CMCIDEDD');
         call hs_office.bankaccount_create_test_data('Fourth eG', 'DE02200505501015871393', 'HASPDEHH');
         call hs_office.bankaccount_create_test_data('Mel Bessler', 'DE02100100100006820101', 'PBNKDEFF');
diff --git a/src/main/resources/db/changelog/5-hs-office/506-debitor/5068-hs-office-debitor-test-data.sql b/src/main/resources/db/changelog/5-hs-office/506-debitor/5068-hs-office-debitor-test-data.sql
index 1b30b8f1..1133621d 100644
--- a/src/main/resources/db/changelog/5-hs-office/506-debitor/5068-hs-office-debitor-test-data.sql
+++ b/src/main/resources/db/changelog/5-hs-office/506-debitor/5068-hs-office-debitor-test-data.sql
@@ -53,7 +53,7 @@ do language plpgsql $$
         call base.defineContext('creating debitor test-data', null, 'superuser-alex@hostsharing.net', 'rbac.global#global:ADMIN');
 
         call hs_office.debitor_create_test_data(11, 'First GmbH', 'first contact', 'fir');
-        call hs_office.debitor_create_test_data(12, 'Second e.K.', 'second contact', 'sec');
+        call hs_office.debitor_create_test_data(12, 'Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.', 'second contact', 'sec');
         call hs_office.debitor_create_test_data(13, 'Third OHG', 'third contact', 'thi');
     end;
 $$;
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/bankaccount/HsOfficeBankAccountControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/bankaccount/HsOfficeBankAccountControllerAcceptanceTest.java
index 1ce84ba9..a81c220c 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/bankaccount/HsOfficeBankAccountControllerAcceptanceTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/bankaccount/HsOfficeBankAccountControllerAcceptanceTest.java
@@ -97,7 +97,7 @@ class HsOfficeBankAccountControllerAcceptanceTest extends ContextBasedTestWithCl
                                   "bic": "INGDDEFF"
                               },
                               {
-                                  "holder": "Second e.K.",
+                                  "holder": "Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.",
                                   "iban": "DE02100500000054540402",
                                   "bic": "BELADEBE"
                               },
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/bankaccount/HsOfficeBankAccountRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/bankaccount/HsOfficeBankAccountRepositoryIntegrationTest.java
index 770ef859..f0f197d9 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/bankaccount/HsOfficeBankAccountRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/bankaccount/HsOfficeBankAccountRepositoryIntegrationTest.java
@@ -147,7 +147,7 @@ class HsOfficeBankAccountRepositoryIntegrationTest extends ContextBasedTestWithC
                     "Mel Bessler",
                     "Paul Winkler",
                     "Peter Smith",
-                    "Second e.K.",
+                    "Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.",
                     "Third OHG");
         }
 
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorControllerAcceptanceTest.java
index ca9e7c84..fd46f721 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorControllerAcceptanceTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorControllerAcceptanceTest.java
@@ -227,20 +227,7 @@ class HsOfficeDebitorControllerAcceptanceTest extends ContextBasedTestWithCleanu
                       },
                       {
                         "debitorRel": {
-                          "anchor": {"tradeName": "Second e.K."},
-                          "holder": {"tradeName": "Second e.K."},
-                          "type": "DEBITOR",
-                          "contact": {
-                            "emailAddresses": { "main": "contact-admin@secondcontact.example.com" }
-                           }
-                        },
-                        "debitorNumber": "D-1000212",
-                        "debitorNumberSuffix": "12",
-                        "partner": {
-                          "partnerNumber": "P-10002",
-                          "partnerRel": {
-                            "anchor": {"tradeName": "Hostsharing eG"},
-                            "holder": {"tradeName": "Second e.K."},
+                          "anchor": {"tradeName": "Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K."},
                             "type": "PARTNER",
                             "contact": {
                                 "emailAddresses": { "main": "contact-admin@secondcontact.example.com" }
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorRepositoryIntegrationTest.java
index 0be9d9ca..27bc08bc 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorRepositoryIntegrationTest.java
@@ -240,7 +240,7 @@ class HsOfficeDebitorRepositoryIntegrationTest extends ContextBasedTestWithClean
             allTheseDebitorsAreReturned(
                     result,
                     "debitor(D-1000111: rel(anchor='LP First GmbH', type='DEBITOR', holder='LP First GmbH'), fir)",
-                    "debitor(D-1000212: rel(anchor='LP Second e.K.', type='DEBITOR', holder='LP Second e.K.'), sec)",
+                    "debitor(D-1000212: rel(anchor='LP Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.', type='DEBITOR', holder='LP Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.'), sec)",
                     "debitor(D-1000313: rel(anchor='IF Third OHG', type='DEBITOR', holder='IF Third OHG'), thi)");
         }
 
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerControllerAcceptanceTest.java
index 941d2917..dc66c74b 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerControllerAcceptanceTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerControllerAcceptanceTest.java
@@ -411,7 +411,7 @@ class HsOfficePartnerControllerAcceptanceTest extends ContextBasedTestWithCleanu
 
             // and an ex-partner-relation got created
             final var anchorpartnerPersonUUid = givenPartner.getPartnerRel().getAnchor().getUuid();
-            assertThat(relationRepo.findRelationRelatedToPersonUuidAndRelationType(anchorpartnerPersonUUid, EX_PARTNER))
+            assertThat(relationRepo.findRelationRelatedToPersonUuidRelationTypeMarkPersonAndContactData(anchorpartnerPersonUUid, EX_PARTNER, null, null, null))
                     .map(HsOfficeRelation::toShortString)
                     .contains("rel(anchor='LP Hostsharing eG', type='EX_PARTNER', holder='UF Erben Bessler')");
         }
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerRepositoryIntegrationTest.java
index 92683a6b..f2d09c12 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/partner/HsOfficePartnerRepositoryIntegrationTest.java
@@ -199,7 +199,7 @@ class HsOfficePartnerRepositoryIntegrationTest extends ContextBasedTestWithClean
             allThesePartnersAreReturned(
                     result,
                     "partner(P-10001: LP First GmbH, first contact)",
-                    "partner(P-10002: LP Second e.K., second contact)",
+                    "partner(P-10002: LP Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K., second contact)",
                     "partner(P-10003: IF Third OHG, third contact)",
                     "partner(P-10004: LP Fourth eG, fourth contact)",
                     "partner(P-10010: NP Smith, Peter, sixth contact)");
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRbacRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRbacRepositoryIntegrationTest.java
index b13cc976..6263d425 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRbacRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRbacRepositoryIntegrationTest.java
@@ -143,38 +143,7 @@ class HsOfficePersonRbacRepositoryIntegrationTest extends ContextBasedTestWithCl
             allThesePersonsAreReturned(
                     result,
                     "NP Smith, Peter",
-                    "LP Second e.K.",
-                    "IF Third OHG",
-                    "UF Erben Bessler");
-        }
-
-        @Test
-        public void arbitraryUser_canViewOnlyItsOwnPerson() {
-            // given:
-            final var givenPerson = givenSomeTemporaryPerson("pac-admin-zzz00@zzz.example.com");
-
-            // when:
-            context("pac-admin-zzz00@zzz.example.com");
-            final var result = personRbacRepo.findPersonByOptionalNameLike(null);
-
-            // then:
-            exactlyThesePersonsAreReturned(result, givenPerson.getTradeName());
-        }
-    }
-
-    @Nested
-    class FindByCaptionLike {
-
-        @Test
-        public void globalAdmin_withoutAssumedRole_canViewAllPersons() {
-            // given
-            context("superuser-alex@hostsharing.net", null);
-
-            // when
-            final var result = personRbacRepo.findPersonByOptionalNameLike("Second");
-
-            // then
-            exactlyThesePersonsAreReturned(result, "Second e.K.");
+                    "LP Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.");
         }
 
         @Test
@@ -272,7 +241,7 @@ class HsOfficePersonRbacRepositoryIntegrationTest extends ContextBasedTestWithCl
         assertThat(customerLogEntries).map(Arrays::toString).contains(
                 "[creating person test-data, hs_office.person, INSERT, Hostsharing eG, null]",
                 "[creating person test-data, hs_office.person, INSERT, First GmbH, null]",
-                "[creating person test-data, hs_office.person, INSERT, Second e.K., null]",
+                "[creating person test-data, hs_office.person, INSERT, Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K., null]",
                 "[creating person test-data, hs_office.person, INSERT, Third OHG, null]");
     }
 
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRealRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRealRepositoryIntegrationTest.java
index 91897601..e7f50fed 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRealRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRealRepositoryIntegrationTest.java
@@ -126,25 +126,7 @@ class HsOfficePersonRealRepositoryIntegrationTest extends ContextBasedTestWithCl
             allThesePersonsAreReturned(
                     result,
                     "NP Smith, Peter",
-                    "LP Second e.K.",
-                    "IF Third OHG",
-                    "UF Erben Bessler");
-        }
-    }
-
-    @Nested
-    class FindByCaptionLike {
-
-        @Test
-        public void arbitraryUser_canViewAllPersons() {
-            // given
-            context("selfregistered-user-drew@hostsharing.org");
-
-            // when
-            final var result = personRealRepo.findPersonByOptionalNameLike("Second");
-
-            // then
-            exactlyThesePersonsAreReturned(result, "Second e.K.");
+                    "LP Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.");
         }
     }
 
@@ -164,7 +146,7 @@ class HsOfficePersonRealRepositoryIntegrationTest extends ContextBasedTestWithCl
         assertThat(customerLogEntries).map(Arrays::toString).contains(
                 "[creating person test-data, hs_office.person, INSERT, Hostsharing eG, null]",
                 "[creating person test-data, hs_office.person, INSERT, First GmbH, null]",
-                "[creating person test-data, hs_office.person, INSERT, Second e.K., null]",
+                "[creating person test-data, hs_office.person, INSERT, Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K., null]",
                 "[creating person test-data, hs_office.person, INSERT, Third OHG, null]");
     }
 
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRealRelationRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRealRelationRepositoryIntegrationTest.java
index 0b51abf9..05c2d971 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRealRelationRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRealRelationRepositoryIntegrationTest.java
@@ -47,13 +47,13 @@ class HsOfficeRealRelationRepositoryIntegrationTest extends ContextBasedTestWith
             final var personUuid = determinePersonUuid(NATURAL_PERSON, "Smith");
 
             // when
-            final var result = relationRealRepo.findRelationRelatedToPersonUuidAndRelationType(personUuid, null);
+            final var result = relationRealRepo.findRelationRelatedToPersonUuid(personUuid);
 
             // then
             context("superuser-alex@hostsharing.net"); // just to be able to access RBAc-entities persons+contact
             exactlyTheseRelationsAreReturned(
                     result,
-                    "rel(anchor='LP Second e.K.', type='REPRESENTATIVE', holder='NP Smith, Peter', contact='second contact')",
+                    "rel(anchor='LP Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.', type='REPRESENTATIVE', holder='NP Smith, Peter', contact='second contact')",
                     "rel(anchor='LP Hostsharing eG', type='PARTNER', holder='NP Smith, Peter', contact='sixth contact')",
                     "rel(anchor='NP Smith, Peter', type='DEBITOR', holder='NP Smith, Peter', contact='third contact')",
                     "rel(anchor='IF Third OHG', type='SUBSCRIBER', mark='members-announce', holder='NP Smith, Peter', contact='third contact')"
@@ -66,13 +66,13 @@ class HsOfficeRealRelationRepositoryIntegrationTest extends ContextBasedTestWith
             final var personUuid = determinePersonUuid(NATURAL_PERSON, "Smith");
 
             // when:
-            final var result = relationRealRepo.findRelationRelatedToPersonUuidAndRelationType(personUuid, REPRESENTATIVE);
+            final var result = relationRealRepo.findRelationRelatedToPersonUuidRelationTypeMarkPersonAndContactData(personUuid, REPRESENTATIVE, null, null, null);
 
             // then:
             context("superuser-alex@hostsharing.net"); // just to be able to access RBAc-entities persons+contact
             exactlyTheseRelationsAreReturned(
                     result,
-                    "rel(anchor='LP Second e.K.', type='REPRESENTATIVE', holder='NP Smith, Peter', contact='second contact')"
+                    "rel(anchor='LP Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.', type='REPRESENTATIVE', holder='NP Smith, Peter', contact='second contact')"
             );
         }
     }
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationControllerAcceptanceTest.java
index c1ce47e4..0ed4b82f 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationControllerAcceptanceTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationControllerAcceptanceTest.java
@@ -90,7 +90,7 @@ class HsOfficeRelationControllerAcceptanceTest extends ContextBasedTestWithClean
                         },
                         {
                             "anchor": { "personType": "LEGAL_PERSON", "tradeName": "Hostsharing eG" },
-                            "holder": { "personType": "LEGAL_PERSON", "tradeName": "Second e.K.", "givenName": "Peter", "familyName": "Smith" },
+                            "holder": { "personType": "LEGAL_PERSON", "tradeName": "Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.", "givenName": "Peter", "familyName": "Smith" },
                             "type": "PARTNER",
                             "mark": null,
                             "contact": { "caption": "second contact" }
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRepositoryIntegrationTest.java
index e55959c7..580bd1a8 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRepositoryIntegrationTest.java
@@ -3,10 +3,12 @@ package net.hostsharing.hsadminng.hs.office.relation;
 import net.hostsharing.hsadminng.context.Context;
 import net.hostsharing.hsadminng.hs.office.contact.HsOfficeContactRealRepository;
 import net.hostsharing.hsadminng.hs.office.person.HsOfficePersonRealRepository;
-import net.hostsharing.hsadminng.rbac.test.ContextBasedTestWithCleanup;
+import net.hostsharing.hsadminng.lambda.Reducer;
+import net.hostsharing.hsadminng.mapper.Array;
 import net.hostsharing.hsadminng.rbac.grant.RawRbacGrantRepository;
 import net.hostsharing.hsadminng.rbac.role.RawRbacRoleRepository;
-import net.hostsharing.hsadminng.mapper.Array;
+import net.hostsharing.hsadminng.rbac.role.RbacRoleRepository;
+import net.hostsharing.hsadminng.rbac.test.ContextBasedTestWithCleanup;
 import net.hostsharing.hsadminng.rbac.test.JpaAttempt;
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
@@ -30,17 +32,20 @@ import static net.hostsharing.hsadminng.rbac.test.JpaAttempt.attempt;
 import static org.assertj.core.api.Assertions.assertThat;
 
 @DataJpaTest
-@Import( { Context.class, JpaAttempt.class })
+@Import({ Context.class, JpaAttempt.class })
 class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithCleanup {
 
     @Autowired
     HsOfficeRelationRbacRepository relationRbacRepo;
 
+    @Autowired
+    HsOfficeRelationRealRepository relationRealRepo;
+
     @Autowired
     HsOfficePersonRealRepository personRepo;
 
     @Autowired
-    HsOfficeContactRealRepository contactrealRepo;
+    HsOfficeContactRealRepository contactRealRepo;
 
     @Autowired
     RawRbacRoleRepository rawRoleRepo;
@@ -57,6 +62,29 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
     @MockBean
     HttpServletRequest request;
 
+    @Autowired
+    private RbacRoleRepository rbacRoleRepository;
+
+    @Nested
+    class AssumeRelationRole {
+
+        @Test
+        public void testHostsharingAdminCanAssumeRelationRoleWithLongIdName() {
+            context(
+                    "superuser-alex@hostsharing.net",
+                    "hs_office.relation#HostsharingeG-with-PARTNER-PeterSmith-TheSecondHandandThriftStores-n-Shippinge.K.SmithPeter:AGENT");
+        }
+
+        @Test
+        public void testHostsharingAdminCanAssumeRelationRoleWithUuid() {
+            final var relationUuid = relationRealRepo.findRelationRelatedToPersonUuidRelationTypeMarkPersonAndContactData(
+                    null, HsOfficeRelationType.PARTNER, null, "Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.", null)
+                    .stream().reduce(Reducer::toSingleElement).orElseThrow().getUuid();
+
+            context("superuser-alex@hostsharing.net", "hs_office.relation#" + relationUuid + ":AGENT");
+        }
+    }
+
     @Nested
     class CreateRelation {
 
@@ -64,6 +92,7 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
         public void testHostsharingAdmin_withoutAssumedRole_canCreateNewRelation() {
             // given
             context("superuser-alex@hostsharing.net");
+
             final var count = relationRbacRepo.count();
             final var givenAnchorPerson = personRepo.findPersonByOptionalNameLike("Bessler").stream()
                     .filter(p -> p.getPersonType() == UNINCORPORATED_FIRM)
@@ -71,20 +100,21 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
             final var givenHolderPerson = personRepo.findPersonByOptionalNameLike("Paul").stream()
                     .filter(p -> p.getPersonType() == NATURAL_PERSON)
                     .findFirst().orElseThrow();
-            final var givenContact = contactrealRepo.findContactByOptionalCaptionLike("fourth contact").stream()
+            final var givenContact = contactRealRepo.findContactByOptionalCaptionLike("fourth contact").stream()
                     .findFirst().orElseThrow();
 
             // when
-            final var result = attempt(em, () -> {
-                final var newRelation = HsOfficeRelationRbacEntity.builder()
-                        .anchor(givenAnchorPerson)
-                        .holder(givenHolderPerson)
-                        .type(HsOfficeRelationType.SUBSCRIBER)
-                        .mark("operations-announce")
-                        .contact(givenContact)
-                        .build();
-                return toCleanup(relationRbacRepo.save(newRelation));
-            });
+            final var result = attempt(
+                    em, () -> {
+                        final var newRelation = HsOfficeRelationRbacEntity.builder()
+                                .anchor(givenAnchorPerson)
+                                .holder(givenHolderPerson)
+                                .type(HsOfficeRelationType.SUBSCRIBER)
+                                .mark("operations-announce")
+                                .contact(givenContact)
+                                .build();
+                        return toCleanup(relationRbacRepo.save(newRelation));
+                    });
 
             // then
             result.assertSuccessful();
@@ -93,7 +123,8 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
             assertThat(relationRbacRepo.count()).isEqualTo(count + 1);
             final var stored = relationRbacRepo.findByUuid(result.returnedValue().getUuid());
             assertThat(stored).isNotEmpty().map(HsOfficeRelation::toString).get()
-                    .isEqualTo("rel(anchor='UF Erben Bessler', type='SUBSCRIBER', mark='operations-announce', holder='NP Winkler, Paul', contact='fourth contact')");
+                    .isEqualTo(
+                            "rel(anchor='UF Erben Bessler', type='SUBSCRIBER', mark='operations-announce', holder='NP Winkler, Paul', contact='fourth contact')");
         }
 
         @Test
@@ -104,23 +135,24 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
             final var initialGrantNames = distinctGrantDisplaysOf(rawGrantRepo.findAll());
 
             // when
-            attempt(em, () -> {
-                final var givenAnchorPerson = personRepo.findPersonByOptionalNameLike("Bessler").stream()
-                        .filter(p -> p.getPersonType() == UNINCORPORATED_FIRM)
-                        .findFirst().orElseThrow();
-                final var givenHolderPerson = personRepo.findPersonByOptionalNameLike("Bert").stream()
-                        .filter(p -> p.getPersonType() == NATURAL_PERSON)
-                        .findFirst().orElseThrow();
-                final var givenContact = contactrealRepo.findContactByOptionalCaptionLike("fourth contact").stream()
-                        .findFirst().orElseThrow();
-                final var newRelation = HsOfficeRelationRbacEntity.builder()
-                        .anchor(givenAnchorPerson)
-                        .holder(givenHolderPerson)
-                        .type(HsOfficeRelationType.REPRESENTATIVE)
-                        .contact(givenContact)
-                        .build();
-                return toCleanup(relationRbacRepo.save(newRelation));
-            });
+            attempt(
+                    em, () -> {
+                        final var givenAnchorPerson = personRepo.findPersonByOptionalNameLike("Bessler").stream()
+                                .filter(p -> p.getPersonType() == UNINCORPORATED_FIRM)
+                                .findFirst().orElseThrow();
+                        final var givenHolderPerson = personRepo.findPersonByOptionalNameLike("Bert").stream()
+                                .filter(p -> p.getPersonType() == NATURAL_PERSON)
+                                .findFirst().orElseThrow();
+                        final var givenContact = contactRealRepo.findContactByOptionalCaptionLike("fourth contact").stream()
+                                .findFirst().orElseThrow();
+                        final var newRelation = HsOfficeRelationRbacEntity.builder()
+                                .anchor(givenAnchorPerson)
+                                .holder(givenHolderPerson)
+                                .type(HsOfficeRelationType.REPRESENTATIVE)
+                                .contact(givenContact)
+                                .build();
+                        return toCleanup(relationRbacRepo.save(newRelation));
+                    });
 
             // then
             assertThat(distinctRoleNamesOf(rawRoleRepo.findAll())).containsExactlyInAnyOrder(Array.from(
@@ -180,7 +212,7 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
             allTheseRelationsAreReturned(
                     result,
                     "rel(anchor='LP Hostsharing eG', type='PARTNER', holder='NP Smith, Peter', contact='sixth contact')",
-                    "rel(anchor='LP Second e.K.', type='REPRESENTATIVE', holder='NP Smith, Peter', contact='second contact')",
+                    "rel(anchor='LP Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.', type='REPRESENTATIVE', holder='NP Smith, Peter', contact='second contact')",
                     "rel(anchor='IF Third OHG', type='SUBSCRIBER', mark='members-announce', holder='NP Smith, Peter', contact='third contact')");
         }
 
@@ -193,12 +225,17 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
                     .findFirst().orElseThrow();
 
             // when:
-            final var result = relationRbacRepo.findRelationRelatedToPersonUuidRelationTypeMarkPersonAndContactData(person.getUuid(), null, null, null, null);
+            final var result = relationRbacRepo.findRelationRelatedToPersonUuidRelationTypeMarkPersonAndContactData(
+                    person.getUuid(),
+                    null,
+                    null,
+                    null,
+                    null);
 
             // then:
             exactlyTheseRelationsAreReturned(
                     result,
-                    "rel(anchor='LP Second e.K.', type='REPRESENTATIVE', holder='NP Smith, Peter', contact='second contact')",
+                    "rel(anchor='LP Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.', type='REPRESENTATIVE', holder='NP Smith, Peter', contact='second contact')",
                     "rel(anchor='IF Third OHG', type='SUBSCRIBER', mark='members-announce', holder='NP Smith, Peter', contact='third contact')",
                     "rel(anchor='LP Hostsharing eG', type='PARTNER', holder='NP Smith, Peter', contact='sixth contact')",
                     "rel(anchor='NP Smith, Peter', type='DEBITOR', holder='NP Smith, Peter', contact='third contact')");
@@ -219,7 +256,10 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
                     givenRelation,
                     "hs_office.person#ErbenBesslerMelBessler:ADMIN");
             context("superuser-alex@hostsharing.net");
-            final var givenContact = contactrealRepo.findContactByOptionalCaptionLike("sixth contact").stream().findFirst().orElseThrow();
+            final var givenContact = contactRealRepo.findContactByOptionalCaptionLike("sixth contact")
+                    .stream()
+                    .findFirst()
+                    .orElseThrow();
 
             // when
             final var result = jpaAttempt.transacted(() -> {
@@ -258,13 +298,16 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
 
             // when
             final var result = jpaAttempt.transacted(() -> {
-                context("superuser-alex@hostsharing.net", "hs_office.relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerAnita:AGENT");
+                context(
+                        "superuser-alex@hostsharing.net",
+                        "hs_office.relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerAnita:AGENT");
                 givenRelation.setContact(null);
                 return relationRbacRepo.save(givenRelation);
             });
 
             // then
-            result.assertExceptionWithRootCauseMessage(JpaSystemException.class,
+            result.assertExceptionWithRootCauseMessage(
+                    JpaSystemException.class,
                     "[403] Subject ", " is not allowed to update hs_office.relation uuid");
         }
 
@@ -287,7 +330,8 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
             });
 
             // then
-            result.assertExceptionWithRootCauseMessage(JpaSystemException.class,
+            result.assertExceptionWithRootCauseMessage(
+                    JpaSystemException.class,
                     "[403] Subject ", " is not allowed to update hs_office.relation uuid");
         }
 
@@ -397,7 +441,7 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
                 select currentTask, targetTable, targetOp, targetdelta->>'mark'
                     from base.tx_journal_v
                     where targettable = 'hs_office.relation';
-                    """);
+                """);
 
         // when
         @SuppressWarnings("unchecked") final List<Object[]> customerLogEntries = query.getResultList();
@@ -412,7 +456,7 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
             context("superuser-alex@hostsharing.net");
             final var givenAnchorPerson = personRepo.findPersonByOptionalNameLike("Erben Bessler").get(0);
             final var givenHolderPerson = personRepo.findPersonByOptionalNameLike(holderPerson).get(0);
-            final var givenContact = contactrealRepo.findContactByOptionalCaptionLike(contact).get(0);
+            final var givenContact = contactRealRepo.findContactByOptionalCaptionLike(contact).get(0);
             final var newRelation = HsOfficeRelationRbacEntity.builder()
                     .type(HsOfficeRelationType.REPRESENTATIVE)
                     .anchor(givenAnchorPerson)
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/sepamandate/HsOfficeSepaMandateControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/sepamandate/HsOfficeSepaMandateControllerAcceptanceTest.java
index ef334b0a..eabde5a7 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/sepamandate/HsOfficeSepaMandateControllerAcceptanceTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/sepamandate/HsOfficeSepaMandateControllerAcceptanceTest.java
@@ -83,7 +83,7 @@ class HsOfficeSepaMandateControllerAcceptanceTest extends ContextBasedTestWithCl
                          },
                          {
                              "debitor": { "debitorNumber": "D-1000212" },
-                             "bankAccount": { "holder": "Second e.K." },
+                             "bankAccount": { "holder": "Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K." },
                              "reference": "ref-10002-12",
                              "validFrom": "2022-10-01",
                              "validTo": "2026-12-31"
diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/role/RbacRoleRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/role/RbacRoleRepositoryIntegrationTest.java
index 7540777a..98495e81 100644
--- a/src/test/java/net/hostsharing/hsadminng/rbac/role/RbacRoleRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/role/RbacRoleRepositoryIntegrationTest.java
@@ -68,7 +68,7 @@ class RbacRoleRepositoryIntegrationTest {
         }
 
         @Test
-        public void globalAdmin_withAssumedglobalAdminRole_canViewAllRbacRoles() {
+        public void globalAdmin_withAssumedGlobalAdminRole_canViewAllRbacRoles() {
             given:
             context.define("superuser-alex@hostsharing.net", "rbac.global#global:ADMIN");
 
-- 
2.39.5


From 8789adf03ed08bc1cccc1c4c9cf59e1cb89408fb Mon Sep 17 00:00:00 2001
From: Michael Hoennig <michael@hoennig.de>
Date: Sat, 28 Dec 2024 17:34:54 +0100
Subject: [PATCH 05/13] fix failing tests

---
 .../HsOfficeDebitorControllerAcceptanceTest.java    | 13 +++++++++++++
 .../hsadminng/rbac/context/ContextUnitTest.java     |  2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorControllerAcceptanceTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorControllerAcceptanceTest.java
index fd46f721..81d40a0d 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorControllerAcceptanceTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/debitor/HsOfficeDebitorControllerAcceptanceTest.java
@@ -228,6 +228,19 @@ class HsOfficeDebitorControllerAcceptanceTest extends ContextBasedTestWithCleanu
                       {
                         "debitorRel": {
                           "anchor": {"tradeName": "Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K."},
+                          "holder": {"tradeName": "Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K."},
+                          "type": "DEBITOR",
+                          "contact": {
+                            "emailAddresses": { "main": "contact-admin@secondcontact.example.com" }
+                           }
+                        },
+                        "debitorNumber": "D-1000212",
+                        "debitorNumberSuffix": "12",
+                        "partner": {
+                          "partnerNumber": "P-10002",
+                          "partnerRel": {
+                            "anchor": {"tradeName": "Hostsharing eG"},
+                            "holder": {"tradeName": "Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K."},
                             "type": "PARTNER",
                             "contact": {
                                 "emailAddresses": { "main": "contact-admin@secondcontact.example.com" }
diff --git a/src/test/java/net/hostsharing/hsadminng/rbac/context/ContextUnitTest.java b/src/test/java/net/hostsharing/hsadminng/rbac/context/ContextUnitTest.java
index 6a6d690f..9546c434 100644
--- a/src/test/java/net/hostsharing/hsadminng/rbac/context/ContextUnitTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/rbac/context/ContextUnitTest.java
@@ -32,7 +32,7 @@ class ContextUnitTest {
                cast(:currentTask as varchar(127)),
                cast(:currentRequest as text),
                cast(:currentSubject as varchar(63)),
-               cast(:assumedRoles as varchar(1023)));
+               cast(:assumedRoles as text));
            """;
 
     @Nested
-- 
2.39.5


From d66e9b2d542cbfe4d4e3f38f1aaaace9b72b149e Mon Sep 17 00:00:00 2001
From: Michael Hoennig <michael@hoennig.de>
Date: Sun, 29 Dec 2024 09:43:17 +0100
Subject: [PATCH 06/13] use ILIKE in Relation-queries

---
 .../relation/HsOfficeRelationRbacRepository.java | 16 ++++++++--------
 .../relation/HsOfficeRelationRealRepository.java | 16 ++++++++--------
 ...sOfficeRelationRepositoryIntegrationTest.java |  2 +-
 3 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRbacRepository.java b/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRbacRepository.java
index e687bdcb..f45fce1a 100644
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRbacRepository.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRbacRepository.java
@@ -48,16 +48,16 @@ public interface HsOfficeRelationRbacRepository extends Repository<HsOfficeRelat
                 WHERE (:relationType IS NULL OR CAST(rel.type AS String) = :relationType)
                     AND ( :personUuid IS NULL
                             OR rel.anchor.uuid = :personUuid OR rel.holder.uuid = :personUuid )
-                    AND ( :mark IS NULL OR lower(rel.mark) LIKE :mark )
+                    AND ( :mark IS NULL OR rel.mark ILIKE :mark )
                     AND ( :personData IS NULL
-                            OR lower(rel.anchor.tradeName) LIKE :personData OR lower(rel.holder.tradeName) LIKE :personData
-                            OR lower(rel.anchor.familyName) LIKE :personData OR lower(rel.holder.familyName) LIKE :personData
-                            OR lower(rel.anchor.givenName) LIKE :personData OR lower(rel.holder.givenName) LIKE :personData )
+                            OR rel.anchor.tradeName ILIKE :personData OR rel.holder.tradeName ILIKE :personData
+                            OR rel.anchor.familyName ILIKE :personData OR rel.holder.familyName ILIKE :personData
+                            OR rel.anchor.givenName ILIKE :personData OR rel.holder.givenName ILIKE :personData )
                     AND ( :contactData IS NULL
-                            OR lower(rel.contact.caption) LIKE :contactData
-                            OR lower(CAST(rel.contact.postalAddress AS String)) LIKE :contactData
-                            OR lower(CAST(rel.contact.emailAddresses AS String)) LIKE :contactData
-                            OR lower(CAST(rel.contact.phoneNumbers AS String)) LIKE :contactData )
+                            OR rel.contact.caption ILIKE :contactData
+                            OR CAST(rel.contact.postalAddress AS String) ILIKE :contactData
+                            OR CAST(rel.contact.emailAddresses AS String) ILIKE :contactData
+                            OR CAST(rel.contact.phoneNumbers AS String) ILIKE :contactData )
             """)
     @Timed("app.office.relations.repo.findRelationRelatedToPersonUuidRelationByTypeMarkPersonAndContactDataImpl.rbac")
     List<HsOfficeRelationRbacEntity> findRelationRelatedToPersonUuidRelationByTypeMarkPersonAndContactDataImpl(
diff --git a/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRealRepository.java b/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRealRepository.java
index 5a2249d7..8d2e7e90 100644
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRealRepository.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRealRepository.java
@@ -48,16 +48,16 @@ public interface HsOfficeRelationRealRepository extends Repository<HsOfficeRelat
                 WHERE (:relationType IS NULL OR CAST(rel.type AS String) = :relationType)
                     AND ( :personUuid IS NULL
                             OR rel.anchor.uuid = :personUuid OR rel.holder.uuid = :personUuid )
-                    AND ( :mark IS NULL OR lower(rel.mark) LIKE :mark )
+                    AND ( :mark IS NULL OR rel.mark ILIKE :mark )
                     AND ( :personData IS NULL
-                            OR lower(rel.anchor.tradeName) LIKE :personData OR lower(rel.holder.tradeName) LIKE :personData
-                            OR lower(rel.anchor.familyName) LIKE :personData OR lower(rel.holder.familyName) LIKE :personData
-                            OR lower(rel.anchor.givenName) LIKE :personData OR lower(rel.holder.givenName) LIKE :personData )
+                            OR rel.anchor.tradeName ILIKE :personData OR rel.holder.tradeName ILIKE :personData
+                            OR rel.anchor.familyName ILIKE :personData OR rel.holder.familyName ILIKE :personData
+                            OR rel.anchor.givenName ILIKE :personData OR rel.holder.givenName ILIKE :personData )
                     AND ( :contactData IS NULL
-                            OR lower(rel.contact.caption) LIKE :contactData
-                            OR lower(CAST(rel.contact.postalAddress AS String)) LIKE :contactData
-                            OR lower(CAST(rel.contact.emailAddresses AS String)) LIKE :contactData
-                            OR lower(CAST(rel.contact.phoneNumbers AS String)) LIKE :contactData )
+                            OR rel.contact.caption ILIKE :contactData
+                            OR CAST(rel.contact.postalAddress AS String) ILIKE :contactData
+                            OR CAST(rel.contact.emailAddresses AS String) ILIKE :contactData
+                            OR CAST(rel.contact.phoneNumbers AS String) ILIKE :contactData )
             """)
     @Timed("app.office.relations.repo.findRelationRelatedToPersonUuidRelationByTypeMarkPersonAndContactDataImpl.real")
     List<HsOfficeRelationRealEntity> findRelationRelatedToPersonUuidRelationByTypeMarkPersonAndContactDataImpl(
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRepositoryIntegrationTest.java
index 580bd1a8..aec09e1d 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRepositoryIntegrationTest.java
@@ -78,7 +78,7 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
         @Test
         public void testHostsharingAdminCanAssumeRelationRoleWithUuid() {
             final var relationUuid = relationRealRepo.findRelationRelatedToPersonUuidRelationTypeMarkPersonAndContactData(
-                    null, HsOfficeRelationType.PARTNER, null, "Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.", null)
+                    null, HsOfficeRelationType.PARTNER, null, "%Second%", null)
                     .stream().reduce(Reducer::toSingleElement).orElseThrow().getUuid();
 
             context("superuser-alex@hostsharing.net", "hs_office.relation#" + relationUuid + ":AGENT");
-- 
2.39.5


From b0bfb0683317f81fa20a9e8e6357478a5c899cf5 Mon Sep 17 00:00:00 2001
From: Michael Hoennig <michael@hoennig.de>
Date: Sun, 29 Dec 2024 11:09:05 +0100
Subject: [PATCH 07/13] improve cas-curl, especially help texts with examples

---
 bin/cas-curl | 93 +++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 74 insertions(+), 19 deletions(-)

diff --git a/bin/cas-curl b/bin/cas-curl
index 6bf351e0..9f6edb87 100755
--- a/bin/cas-curl
+++ b/bin/cas-curl
@@ -3,19 +3,21 @@
 if [ "$#" -eq 0 ] || [ "$1" == "help" ] || [ "$1" == "--help" ] || [ "$1" == "-h" ]; then
   cat <<EOF
   curl-wrapper utilizing CAS-authentication for hsadmin-ng
-  usage: $0 [--trace] <<command>> [parameters]
+  usage: $0 [--trace] [--show-password] <<command>> [parameters]
 
   commands:
 EOF
-  grep '") ''# ' $0
+  # filters out help texts (marked with ## and following lines with #) from the commands itself
+  # (the '' makes sure that this line is not found, just the lines with actual help texts)
+  sed -n '/#''#/ {s/#''#//; p; :a; n; /^[[:space:]]*#/!b; s/^[[:space:]]*#//; p; ba}' $0
   exit
 fi
 
-export HSADMINNG_CAS_ASSUME_HEADER
-if [ -f ~/.cas-curl-assume ]; then
-  HSADMINNG_CAS_ASSUME="$(cat ~/.cas-curl-assume)"
+if [ "$2" == "--show-password" ]; then
+  HSADMINNG_CAS_SHOW_PASSWORD=yes
+  shift
 else
-  HSADMINNG_CAS_ASSUME=
+  HSADMINNG_CAS_SHOW_PASSWORD=
 fi
 
 if [ "$1" == "--trace" ]; then
@@ -40,6 +42,13 @@ else
   }
 fi
 
+export HSADMINNG_CAS_ASSUME_HEADER
+if [ -f ~/.cas-curl-assume ]; then
+  HSADMINNG_CAS_ASSUME="$(cat ~/.cas-curl-assume)"
+else
+  HSADMINNG_CAS_ASSUME=
+fi
+
 if [ -z "$HSADMINNG_CAS_LOGIN" ] || [ -z "$HSADMINNG_CAS_VALIDATE" ] || \
    [ -z "$HSADMINNG_CAS_SERVICE_ID" ]; then
   cat >&2 <<EOF
@@ -73,10 +82,16 @@ function casLogin() {
     read -s -e -p "Password: " HSADMINNG_CAS_PASSWORD
   fi
 
+  if [ "$HSADMINNG_CAS_SHOW_PASSWORD" == "--show-password" ]; then
+    HSADMINNG_CAS_PASSWORD_DISPLAY=$HSADMINNG_CAS_PASSWORD
+  else
+    HSADMINNG_CAS_PASSWORD_DISPLAY="<<password hidden - use --show-password to show>>"
+  fi
+
   # Do NOT use doCurl here! We do neither want to print the password nor pass a CAS service ticket.
   trace "+ curl --fail-with-body -s -i -X POST \
         -H 'Content-Type: application/x-www-form-urlencoded' \
-        -d \"username=$HSADMINNG_CAS_USERNAME&password=<<PASSWORD OMITTED>>\" \
+        -d \"username=$HSADMINNG_CAS_USERNAME&password=$HSADMINNG_CAS_PASSWORD_DISPLAY\" \
         $HSADMINNG_CAS_LOGIN -o ~/.cas-login-tgt.response -D -"
   HSADMINNG_CAS_TGT=`curl --fail-with-body -s -i -X POST \
         -H 'Content-Type: application/x-www-form-urlencoded' \
@@ -126,45 +141,85 @@ function casValidate() {
 }
 
 case "${1,,}" in
-  "login") # reads username+password and fetches ticket granting ticket (bypasses HSADMINNG_CAS_USERNAME+HSADMINNG_CAS_PASSWORD)
+
+  # -- generic commands --------------------------------------------------------------------------
+
+  "env") ## prints all related HSADMINNG_CAS_... environment variables; use '--show-password' to show the password as well
+  #       example: cas-curl env --show-password
+    echo "HSADMINNG_CAS_LOGIN: $HSADMINNG_CAS_LOGIN"
+    echo "HSADMINNG_CAS_VALIDATE: $HSADMINNG_CAS_VALIDATE"
+    echo "HSADMINNG_CAS_USERNAME: $HSADMINNG_CAS_USERNAME"
+    if [ "$2" == "--show-password" ]; then
+      echo "HSADMINNG_CAS_PASSWORD: $HSADMINNG_CAS_PASSWORD"
+    elif [ -z "$HSADMINNG_CAS_PASSWORD" ]; then
+      echo "HSADMINNG_CAS_PASSWORD: <<not given>>"
+    else
+      echo "HSADMINNG_CAS_PASSWORD: <<given, but hidden - add --show-password to show>>"
+    fi
+    echo "HSADMINNG_CAS_SERVICE_ID: $HSADMINNG_CAS_SERVICE_ID"
+    ;;
+
+  # --- authentication-related commands ------------------------------------------------------------
+
+  "login") ## reads username+password and fetches ticket granting ticket (bypasses HSADMINNG_CAS_USERNAME+HSADMINNG_CAS_PASSWORD)
+  #       example: cas-curl login
     casLogout
     export HSADMINNG_CAS_USERNAME=
     export HSADMINNG_CAS_PASSWORD=
     casLogin
     ;;
-  "assume") # assumes the given comma-separated roles
+  "assume") ## assumes the given comma-separated roles
+  #       example using object-id-name: cas-curl assume 'hs_office.relation#ExampleMandant-with-PARTNER-ExamplePartner:AGENT'
+  #       example using object-uuid:    cas-curl assume 'hs_office.relation#1d3bc468-c5c8-11ef-9d0d-4751ecfda2b7:AGENT'
     shift
     if [ -z "$1" ]; then
-      rm ~/.cas-curl-assume
-    else
-      echo "$1" >~/.cas-curl-assume
+      echo "ERROR: requires comma-separated list of roles to assume" >&2
+      exit 1
     fi
+    echo "$1" >~/.cas-curl-assume
     ;;
-  "logout") # logout, deleting ticket granting ticket
-    casLogout
+  "unassume") ## do not assume any particular role anymore, use the plain user as RBAC subject
+    rm ~/.cas-curl-assume
     ;;
-  "validate") # validates ticket granting ticket and prints currently logged in user
+  "validate") ## validates current ticket granting ticket and prints currently logged in user
     casValidate
     ;;
-  "get") # HTTP GET, add URL as parameter
+  "logout") ## logout, deletes ticket granting ticket
+    casLogout
+    ;;
+
+  # --- HTTP-commands ----------------------------------------------------------------------
+
+  "get") ## HTTP GET, add URL as parameter
+  #       example: cas-curl GET http://localhost:8080/api/hs/office/partners/P-10003 | jq
+  #       hint: '| jq' is just for human-readable formatted JSON output
     shift
     casLogin
     HSADMINNG_CAS_TICKET=`casTicket`
     doCurl "$*"
     ;;
-  "post") # HTTP POST, add curl options to specify the request body and the URL as last parameter
+  "post") ## HTTP POST, add curl options to specify the request body and the URL as last parameter
+  #       example: cas-curl POST \
+  #                   -d '{ "prefix":"ttt", "reference":80001, "adminUserName":"admin@ttt.example.com" }' \
+  #                   http://localhost:8080/api/test/customers | jq
+  #       hint: '| jq' is just for human-readable formatted JSON output
     shift
     casLogin
     HSADMINNG_CAS_TICKET=`casTicket`
     doCurl --header "Content-Type: application/json" -X POST "$@"
     ;;
-  "patch") # HTTP PATCH, add curl options to specify the request body and the URL as last parameter
+  "patch") ## HTTP PATCH, add curl options to specify the request body and the URL as last parameterparameter
+  #       example: cas-curl PATCH \
+  #                   -d '{ "reference":80002 }' \
+  #                   http://localhost:8080/api/test/customers/ae90ac2a-4728-4ca9-802e-a0d0108b2324 | jq
+  #       hint: '| jq' is just for human-readable formatted JSON output
     shift
     casLogin
     HSADMINNG_CAS_TICKET=`casTicket`
     doCurl --header "Content-Type: application/json" -X POST "$*"
     ;;
-  "delete") # HTTP DELETE, add curl options to specify the request body and the URL as last parameter
+  "delete") ## HTTP DELETE, add curl options to specify the request body and the URL as last parameter
+  #     example: cas-curl DELETE http://localhost:8080/api/hs/office/persons/ae90ac2a-4728-4ca9-802e-a0d0108b2324
     shift
     casLogin
     HSADMINNG_CAS_TICKET=`casTicket`
-- 
2.39.5


From 4450deecb711f52cf5ed3791f5ad6cb4f68d514f Mon Sep 17 00:00:00 2001
From: Michael Hoennig <michael@hoennig.de>
Date: Sun, 29 Dec 2024 11:18:55 +0100
Subject: [PATCH 08/13] re-add accidentally deleted tests

---
 ...cePersonRbacRepositoryIntegrationTest.java | 33 ++++++++++++++++++-
 ...cePersonRealRepositoryIntegrationTest.java | 20 ++++++++++-
 2 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRbacRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRbacRepositoryIntegrationTest.java
index 6263d425..481847c2 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRbacRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRbacRepositoryIntegrationTest.java
@@ -143,7 +143,38 @@ class HsOfficePersonRbacRepositoryIntegrationTest extends ContextBasedTestWithCl
             allThesePersonsAreReturned(
                     result,
                     "NP Smith, Peter",
-                    "LP Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.");
+                    "LP Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.",
+                    "IF Third OHG",
+                    "UF Erben Bessler");
+        }
+
+        @Test
+        public void arbitraryUser_canViewOnlyItsOwnPerson() {
+            // given:
+            final var givenPerson = givenSomeTemporaryPerson("pac-admin-zzz00@zzz.example.com");
+
+            // when:
+            context("pac-admin-zzz00@zzz.example.com");
+            final var result = personRbacRepo.findPersonByOptionalNameLike(null);
+
+            // then:
+            exactlyThesePersonsAreReturned(result, givenPerson.getTradeName());
+        }
+    }
+
+    @Nested
+    class FindByCaptionLike {
+
+        @Test
+        public void globalAdmin_withoutAssumedRole_canViewAllPersons() {
+            // given
+            context("superuser-alex@hostsharing.net", null);
+
+            // when
+            final var result = personRbacRepo.findPersonByOptionalNameLike("Peter Smith - The Second Hand%");
+
+            // then
+            exactlyThesePersonsAreReturned(result, "Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.");
         }
 
         @Test
diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRealRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRealRepositoryIntegrationTest.java
index e7f50fed..2fc268a6 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRealRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/person/HsOfficePersonRealRepositoryIntegrationTest.java
@@ -126,7 +126,25 @@ class HsOfficePersonRealRepositoryIntegrationTest extends ContextBasedTestWithCl
             allThesePersonsAreReturned(
                     result,
                     "NP Smith, Peter",
-                    "LP Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.");
+                    "LP Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.",
+                    "IF Third OHG",
+                    "UF Erben Bessler");
+        }
+    }
+
+    @Nested
+    class FindByCaptionLike {
+
+        @Test
+        public void arbitraryUser_canViewAllPersons() {
+            // given
+            context("selfregistered-user-drew@hostsharing.org");
+
+            // when
+            final var result = personRealRepo.findPersonByOptionalNameLike("Peter Smith - The Second Hand%");
+
+            // then
+            exactlyThesePersonsAreReturned(result, "Peter Smith - The Second Hand and Thrift Stores-n-Shipping e.K.");
         }
     }
 
-- 
2.39.5


From c522ef24bddf37efb3e0271f104c9fe46c294a06 Mon Sep 17 00:00:00 2001
From: Michael Hoennig <michael@hoennig.de>
Date: Mon, 30 Dec 2024 09:03:50 +0100
Subject: [PATCH 09/13] improve formatting of cas-curl help

---
 bin/cas-curl | 34 +++++++++++++++++++---------------
 1 file changed, 19 insertions(+), 15 deletions(-)

diff --git a/bin/cas-curl b/bin/cas-curl
index 9f6edb87..45fa22dd 100755
--- a/bin/cas-curl
+++ b/bin/cas-curl
@@ -1,18 +1,5 @@
 #!/bin/bash
 
-if [ "$#" -eq 0 ] || [ "$1" == "help" ] || [ "$1" == "--help" ] || [ "$1" == "-h" ]; then
-  cat <<EOF
-  curl-wrapper utilizing CAS-authentication for hsadmin-ng
-  usage: $0 [--trace] [--show-password] <<command>> [parameters]
-
-  commands:
-EOF
-  # filters out help texts (marked with ## and following lines with #) from the commands itself
-  # (the '' makes sure that this line is not found, just the lines with actual help texts)
-  sed -n '/#''#/ {s/#''#//; p; :a; n; /^[[:space:]]*#/!b; s/^[[:space:]]*#//; p; ba}' $0
-  exit
-fi
-
 if [ "$2" == "--show-password" ]; then
   HSADMINNG_CAS_SHOW_PASSWORD=yes
   shift
@@ -64,8 +51,16 @@ EOF
   exit 1
 fi
 
-function casLogout() {
-  rm -f ~/.cas-login-tgt
+function casCurlDocumentation() {
+  cat <<EOF
+  curl-wrapper utilizing CAS-authentication for hsadmin-ng
+  usage: $0 [--trace] [--show-password] <<command>> [parameters]
+
+  commands:
+EOF
+  # filters out help texts (containing double-# and following lines with leading single-#) from the commands itself
+  # (the '' makes sure that this line is not found, just the lines with actual help texts)
+  sed -n '/#''#/ {x; p; x; s/#''#//; p; :a; n; /^[[:space:]]*#/!b; s/^[[:space:]]*#//; p; ba}' <$0
 }
 
 function casLogin() {
@@ -107,6 +102,10 @@ function casLogin() {
   trace "$HSADMINNG_CAS_TGT"
 }
 
+function casLogout() {
+  rm -f ~/.cas-login-tgt
+}
+
 function casTicket() {
   HSADMINNG_CAS_TGT=$(<~/.cas-login-tgt)
   if [[ -z "$HSADMINNG_CAS_TGT" ]]; then
@@ -144,6 +143,11 @@ case "${1,,}" in
 
   # -- generic commands --------------------------------------------------------------------------
 
+  ""|"-h"|"--help"|"help") ## prints documentation about commands and options
+      casCurlDocumentation
+      exit
+    ;;
+
   "env") ## prints all related HSADMINNG_CAS_... environment variables; use '--show-password' to show the password as well
   #       example: cas-curl env --show-password
     echo "HSADMINNG_CAS_LOGIN: $HSADMINNG_CAS_LOGIN"
-- 
2.39.5


From 281736c8e336bc760024e646ab6259194d43bdd8 Mon Sep 17 00:00:00 2001
From: Michael Hoennig <michael@hoennig.de>
Date: Mon, 30 Dec 2024 09:06:49 +0100
Subject: [PATCH 10/13] remove setting unused currentSubjectOrAssumedRolesUuids

---
 src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql | 2 --
 1 file changed, 2 deletions(-)

diff --git a/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql b/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql
index d12eac5e..4250f4d0 100644
--- a/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql
+++ b/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql
@@ -108,8 +108,6 @@ begin
     execute format('set local hsadminng.currentSubjectUuid to %L', coalesce(currentSubjectUuid::text, ''));
 
     execute format('set local hsadminng.assumedRoles to %L', assumedRoles);
-    execute format('set local hsadminng.currentSubjectOrAssumedRolesUuids to %L', -- FIXME: can this be removed?
-       (select array_to_string(rbac.determinecurrentsubjectorassumedrolesuuids(currentSubjectUuid, assumedRoles), ';')));
 
     raise notice 'Context defined as: %, %, %, [%]', currentTask, currentRequest, currentSubject, assumedRoles;
 end; $$;
-- 
2.39.5


From 4457c5aa5a2d0b98fdc7e0f890c5dd118b3a2483 Mon Sep 17 00:00:00 2001
From: Michael Hoennig <michael@hoennig.de>
Date: Mon, 30 Dec 2024 09:16:03 +0100
Subject: [PATCH 11/13] Revert "remove setting unused
 currentSubjectOrAssumedRolesUuids"

This reverts commit 281736c8e336bc760024e646ab6259194d43bdd8.
---
 src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql b/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql
index 4250f4d0..d12eac5e 100644
--- a/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql
+++ b/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql
@@ -108,6 +108,8 @@ begin
     execute format('set local hsadminng.currentSubjectUuid to %L', coalesce(currentSubjectUuid::text, ''));
 
     execute format('set local hsadminng.assumedRoles to %L', assumedRoles);
+    execute format('set local hsadminng.currentSubjectOrAssumedRolesUuids to %L', -- FIXME: can this be removed?
+       (select array_to_string(rbac.determinecurrentsubjectorassumedrolesuuids(currentSubjectUuid, assumedRoles), ';')));
 
     raise notice 'Context defined as: %, %, %, [%]', currentTask, currentRequest, currentSubject, assumedRoles;
 end; $$;
-- 
2.39.5


From 6ee3a465c670cb41b76224cf53435506952c23e8 Mon Sep 17 00:00:00 2001
From: Michael Hoennig <michael@hoennig.de>
Date: Mon, 30 Dec 2024 09:21:38 +0100
Subject: [PATCH 12/13] cleanup and TODO added

---
 .../HsOfficeRelationRepositoryIntegrationTest.java         | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRepositoryIntegrationTest.java b/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRepositoryIntegrationTest.java
index aec09e1d..eb92aad9 100644
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/relation/HsOfficeRelationRepositoryIntegrationTest.java
@@ -7,7 +7,6 @@ import net.hostsharing.hsadminng.lambda.Reducer;
 import net.hostsharing.hsadminng.mapper.Array;
 import net.hostsharing.hsadminng.rbac.grant.RawRbacGrantRepository;
 import net.hostsharing.hsadminng.rbac.role.RawRbacRoleRepository;
-import net.hostsharing.hsadminng.rbac.role.RbacRoleRepository;
 import net.hostsharing.hsadminng.rbac.test.ContextBasedTestWithCleanup;
 import net.hostsharing.hsadminng.rbac.test.JpaAttempt;
 import org.junit.jupiter.api.Nested;
@@ -62,12 +61,12 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
     @MockBean
     HttpServletRequest request;
 
-    @Autowired
-    private RbacRoleRepository rbacRoleRepository;
-
     @Nested
     class AssumeRelationRole {
 
+        // TODO.test: these tests would be better placed in the rbac module,
+        //  but for this we need an extra long object-idname in the rbac test data
+
         @Test
         public void testHostsharingAdminCanAssumeRelationRoleWithLongIdName() {
             context(
-- 
2.39.5


From 7a6e77faeabb33e35ab7c5991e98d4a7e1f2d0c7 Mon Sep 17 00:00:00 2001
From: Michael Hoennig <michael@hoennig.de>
Date: Mon, 30 Dec 2024 09:28:04 +0100
Subject: [PATCH 13/13] cleanup for determineCurrentSubjectOrAssumedRolesUuids

---
 src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql b/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql
index d12eac5e..32d67546 100644
--- a/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql
+++ b/src/main/resources/db/changelog/1-rbac/1054-rbac-context.sql
@@ -108,8 +108,8 @@ begin
     execute format('set local hsadminng.currentSubjectUuid to %L', coalesce(currentSubjectUuid::text, ''));
 
     execute format('set local hsadminng.assumedRoles to %L', assumedRoles);
-    execute format('set local hsadminng.currentSubjectOrAssumedRolesUuids to %L', -- FIXME: can this be removed?
-       (select array_to_string(rbac.determinecurrentsubjectorassumedrolesuuids(currentSubjectUuid, assumedRoles), ';')));
+    execute format('set local hsadminng.currentSubjectOrAssumedRolesUuids to %L',
+       (select array_to_string(rbac.determineCurrentSubjectOrAssumedRolesUuids(currentSubjectUuid, assumedRoles), ';')));
 
     raise notice 'Context defined as: %, %, %, [%]', currentTask, currentRequest, currentSubject, assumedRoles;
 end; $$;
-- 
2.39.5