2024-03-28 12:15:14 +01:00
18 changed files with 112 additions and 40 deletions
--- a/src/main/java/net/hostsharing/hsadminng/hs/office/relationship/HsOfficeRelationshipEntity.java
+++ b/src/main/java/net/hostsharing/hsadminng/hs/office/relationship/HsOfficeRelationshipEntity.java
@ -119,10 +119,12 @@ public class HsOfficeRelationshipEntity implements HasUuid, Stringifyable {
                    with.outgoingSubRole("holderPerson", REFERRER);
                    with.outgoingSubRole("contact", REFERRER);
                    with.permission(SELECT);
-                });
+                })
                .toRole("anchorPerson", ADMIN).grantPermission(INSERT);
    }
    public static void main(String[] args) throws IOException {
-        rbac().generateWithBaseFileName("223-hs-office-relationship-rbac-generated");
+        rbac().generateWithBaseFileName("223-hs-office-relationship-rbac");
    }
 }
--- a/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java
+++ b/src/main/java/net/hostsharing/hsadminng/rbac/rbacdef/InsertTriggerGenerator.java
@ -80,12 +80,13 @@ public class InsertTriggerGenerator {
                    strict as $$
                begin
                    call grantPermissionToRole(
-                            ${rawSuperRoleDescriptor},
+                            createPermission(NEW.uuid, 'INSERT', '${rawSubTableName}'),
-                            createPermission(NEW.uuid, 'INSERT', '${rawSubTableName}'));
+                            ${rawSuperRoleDescriptor});
                    return NEW;
                end; $$;
-                create trigger ${rawSubTableName}_${rawSuperTableName}_insert_tg
+                -- z_... is to put it at the end of after insert triggers, to make sure the roles exist                
                create trigger z_${rawSubTableName}_${rawSuperTableName}_insert_tg
                    after insert on ${rawSuperTableName}
                    for each row
                execute procedure ${rawSubTableName}_${rawSuperTableName}_insert_tf();
--- a/src/main/resources/db/changelog/123-test-package-rbac.sql
+++ b/src/main/resources/db/changelog/123-test-package-rbac.sql
@ -179,7 +179,7 @@ begin
    return NEW;
 end; $$;
-create trigger test_package_test_customer_insert_tg
+create trigger z_test_package_test_customer_insert_tg
    after insert on test_customer
    for each row
 execute procedure test_package_test_customer_insert_tf();
--- a/src/main/resources/db/changelog/133-test-domain-rbac.sql
+++ b/src/main/resources/db/changelog/133-test-domain-rbac.sql
@ -178,7 +178,7 @@ begin
    return NEW;
 end; $$;
-create trigger test_domain_test_package_insert_tg
+create trigger z_test_domain_test_package_insert_tg
    after insert on test_package
    for each row
 execute procedure test_domain_test_package_insert_tf();
--- a/src/main/resources/db/changelog/203-hs-office-contact-rbac.sql
+++ b/src/main/resources/db/changelog/203-hs-office-contact-rbac.sql
@ -114,7 +114,7 @@ begin
    return NEW;
 end; $$;
-create trigger hs_office_contact_global_insert_tg
+create trigger z_hs_office_contact_global_insert_tg
    after insert on global
    for each row
 execute procedure hs_office_contact_global_insert_tf();
--- a/src/main/resources/db/changelog/213-hs-office-person-rbac.sql
+++ b/src/main/resources/db/changelog/213-hs-office-person-rbac.sql
@ -114,7 +114,7 @@ begin
    return NEW;
 end; $$;
-create trigger hs_office_person_global_insert_tg
+create trigger z_hs_office_person_global_insert_tg
    after insert on global
    for each row
 execute procedure hs_office_person_global_insert_tf();
--- a/src/main/resources/db/changelog/223-hs-office-relationship-rbac.md
+++ b/src/main/resources/db/changelog/223-hs-office-relationship-rbac.md
@ -1,6 +1,6 @@
 ### rbac relationship
-This code generated was by RbacViewMermaidFlowchartGenerator at  2024-03-15T15:30:23.331560468.
+This code generated was by RbacViewMermaidFlowchartGenerator at  2024-03-15T17:17:00.854621634.
 ```mermaid
 %%{init:{'flowchart':{'htmlLabels':false}}}%%
@ -64,6 +64,7 @@ subgraph relationship["`**relationship**`"]
        perm:relationship:DELETE{{relationship:DELETE}}
        perm:relationship:UPDATE{{relationship:UPDATE}}
        perm:relationship:SELECT{{relationship:SELECT}}
        perm:relationship:INSERT{{relationship:INSERT}}
    end
 end
@ -96,5 +97,6 @@ role:relationship:tenant ==> role:contact:referrer
 role:relationship:owner ==> perm:relationship:DELETE
 role:relationship:admin ==> perm:relationship:UPDATE
 role:relationship:tenant ==> perm:relationship:SELECT
 role:anchorPerson:admin ==> perm:relationship:INSERT
 ```
--- a/src/main/resources/db/changelog/223-hs-office-relationship-rbac.sql
+++ b/src/main/resources/db/changelog/223-hs-office-relationship-rbac.sql
@ -1,5 +1,5 @@
 --liquibase formatted sql
-- This code generated was by RbacViewPostgresGenerator at 2024-03-15T15:30:23.341470108.
+-- This code generated was by RbacViewPostgresGenerator at 2024-03-15T17:17:00.864301165.
 -- ============================================================================
@ -186,13 +186,68 @@ execute procedure updateTriggerForHsOfficeRelationship_tf();
 --changeset hs-office-relationship-rbac-INSERT:1 endDelimiter:--//
 -- ----------------------------------------------------------------------------
-- FIXME: Where is this case necessary?
+/*
    Creates INSERT INTO hs_office_relationship permissions for the related hs_office_person rows.
 */
 do language plpgsql $$
    declare
        row hs_office_person;
        permissionUuid uuid;
        roleUuid uuid;
    begin
        call defineContext('create INSERT INTO hs_office_relationship permissions for the related hs_office_person rows');
        FOR row IN SELECT * FROM hs_office_person
            LOOP
                roleUuid := findRoleId(hsOfficePersonAdmin(row));
                permissionUuid := createPermission(row.uuid, 'INSERT', 'hs_office_relationship');
                call grantPermissionToRole(permissionUuid, roleUuid);
            END LOOP;
    END;
 $$;
 /**
    Adds hs_office_relationship INSERT permission to specified role of new hs_office_person rows.
 */
 create or replace function hs_office_relationship_hs_office_person_insert_tf()
    returns trigger
    language plpgsql
    strict as $$
 begin
    call grantPermissionToRole(
            createPermission(NEW.uuid, 'INSERT', 'hs_office_relationship'),
            hsOfficePersonAdmin(NEW));
    return NEW;
 end; $$;
 create trigger z_hs_office_relationship_hs_office_person_insert_tg
    after insert on hs_office_person
    for each row
 execute procedure hs_office_relationship_hs_office_person_insert_tf();
 /**
    Checks if the user or assumed roles are allowed to insert a row to hs_office_relationship.
 */
 create or replace function hs_office_relationship_insert_permission_missing_tf()
    returns trigger
    language plpgsql as $$
 begin
    if ( not hasInsertPermission(
        ( SELECT anchorPerson.uuid FROM
            (select * from hs_office_person as p where p.uuid = NEW.relAnchorUuid) AS anchorPerson
        ), 'INSERT', 'hs_office_relationship') ) then
            raise exception
                '[403] insert into hs_office_relationship not allowed for current subjects % (%)',
                currentSubjects(), currentSubjectsUuids();
    end if;
    return NEW;
 end; $$;
 create trigger hs_office_relationship_insert_permission_check_tg
    before insert on hs_office_relationship
    for each row
    -- As there is no explicit INSERT grant specified for this table,
    -- only global admins are allowed to insert any rows.
    when ( not isGlobalAdmin() )
        execute procedure hs_office_relationship_insert_permission_missing_tf();
 --//
--- a/src/main/resources/db/changelog/233-hs-office-partner-rbac.sql
+++ b/src/main/resources/db/changelog/233-hs-office-partner-rbac.sql
@ -110,7 +110,7 @@ begin
    return NEW;
 end; $$;
-create trigger hs_office_partner_global_insert_tg
+create trigger z_hs_office_partner_global_insert_tg
    after insert on global
    for each row
 execute procedure hs_office_partner_global_insert_tf();
--- a/src/main/resources/db/changelog/234-hs-office-partner-details-rbac.sql
+++ b/src/main/resources/db/changelog/234-hs-office-partner-details-rbac.sql
@ -95,7 +95,7 @@ begin
    return NEW;
 end; $$;
-create trigger hs_office_partner_details_global_insert_tg
+create trigger z_hs_office_partner_details_global_insert_tg
    after insert on global
    for each row
 execute procedure hs_office_partner_details_global_insert_tf();
--- a/src/main/resources/db/changelog/243-hs-office-bankaccount-rbac.sql
+++ b/src/main/resources/db/changelog/243-hs-office-bankaccount-rbac.sql
@ -114,7 +114,7 @@ begin
    return NEW;
 end; $$;
-create trigger hs_office_bankaccount_global_insert_tg
+create trigger z_hs_office_bankaccount_global_insert_tg
    after insert on global
    for each row
 execute procedure hs_office_bankaccount_global_insert_tf();
--- a/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.md
+++ b/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.md
@ -1,6 +1,6 @@
 ### rbac sepaMandate
-This code generated was by RbacViewMermaidFlowchartGenerator at  2024-03-15T06:12:35.337470470.
+This code generated was by RbacViewMermaidFlowchartGenerator at  2024-03-15T17:18:45.736693565.
 ```mermaid
 %%{init:{'flowchart':{'htmlLabels':false}}}%%
--- a/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.sql
+++ b/src/main/resources/db/changelog/253-hs-office-sepamandate-rbac.sql
@ -1,5 +1,5 @@
 --liquibase formatted sql
-- This code generated was by RbacViewPostgresGenerator at 2024-03-15T06:12:35.345630060.
+-- This code generated was by RbacViewPostgresGenerator at 2024-03-15T17:18:45.747792100.
 -- ============================================================================
@ -134,12 +134,12 @@ create or replace function hs_office_sepamandate_hs_office_relationship_insert_t
    strict as $$
 begin
    call grantPermissionToRole(
-            hsOfficeRelationshipAdmin(NEW),
+            createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'),
-            createPermission(NEW.uuid, 'INSERT', 'hs_office_sepamandate'));
+            hsOfficeRelationshipAdmin(NEW));
    return NEW;
 end; $$;
-create trigger hs_office_sepamandate_hs_office_relationship_insert_tg
+create trigger z_hs_office_sepamandate_hs_office_relationship_insert_tg
    after insert on hs_office_relationship
    for each row
 execute procedure hs_office_sepamandate_hs_office_relationship_insert_tf();
--- a/src/main/resources/db/changelog/273-hs-office-debitor-rbac.sql
+++ b/src/main/resources/db/changelog/273-hs-office-debitor-rbac.sql
@ -225,7 +225,7 @@ begin
    return NEW;
 end; $$;
-create trigger hs_office_debitor_global_insert_tg
+create trigger z_hs_office_debitor_global_insert_tg
    after insert on global
    for each row
 execute procedure hs_office_debitor_global_insert_tf();
--- a/src/main/resources/db/changelog/303-hs-office-membership-rbac.sql
+++ b/src/main/resources/db/changelog/303-hs-office-membership-rbac.sql
@ -124,7 +124,7 @@ begin
    return NEW;
 end; $$;
-create trigger hs_office_membership_global_insert_tg
+create trigger z_hs_office_membership_global_insert_tg
    after insert on global
    for each row
 execute procedure hs_office_membership_global_insert_tf();
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionControllerAcceptanceTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionControllerAcceptanceTest.java
@ -223,7 +223,17 @@ class HsOfficeCoopSharesTransactionControllerAcceptanceTest extends ContextBased
            final var givenCoopShareTransactionUuid = coopSharesTransactionRepo.findCoopSharesTransactionByOptionalMembershipUuidAndDateRange(null, LocalDate.of(2010, 3, 15), LocalDate.of(2010, 3, 15)).get(0).getUuid();
            RestAssured // @formatter:off
-                .given().header("current-user", "contact-admin@firstcontact.example.com").port(port).when().get("http://localhost/api/hs/office/coopsharestransactions/" + givenCoopShareTransactionUuid).then().log().body().assertThat().statusCode(200).contentType("application/json").body("", lenientlyEquals("""
+                .given()
                    .header("current-user", "contact-admin@firstcontact.example.com")
                    .port(port)
                .when()
                    .get("http://localhost/api/hs/office/coopsharestransactions/" + givenCoopShareTransactionUuid)
                .then()
                    .log().body()
                    .assertThat()
                        .statusCode(200)
                        .contentType("application/json")
                        .body("", lenientlyEquals("""
                            {
                                 "transactionType": "SUBSCRIPTION",
                                 "shareCount": 4
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/coopshares/HsOfficeCoopSharesTransactionRepositoryIntegrationTest.java
@ -88,7 +88,6 @@ class HsOfficeCoopSharesTransactionRepositoryIntegrationTest extends ContextBase
            context("superuser-alex@hostsharing.net");
            final var initialRoleNames = distinctRoleNamesOf(rawRoleRepo.findAll());
            final var initialGrantNames = distinctGrantDisplaysOf(rawGrantRepo.findAll()).stream()
                    .map(s -> s.replace("FirstGmbH-firstcontact", "..."))
                    .map(s -> s.replace("hs_office_", ""))
                    .toList();
@ -109,11 +108,10 @@ class HsOfficeCoopSharesTransactionRepositoryIntegrationTest extends ContextBase
            final var all = rawRoleRepo.findAll();
            assertThat(distinctRoleNamesOf(all)).containsExactlyInAnyOrder(Array.from(initialRoleNames)); // no new roles created
            assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll()))
                    .map(s -> s.replace("FirstGmbH-firstcontact", "..."))
                    .map(s -> s.replace("hs_office_", ""))
                    .containsExactlyInAnyOrder(Array.fromFormatted(
                            initialGrantNames,
-                            "{ grant perm SELECT on coopsharestransaction#temprefB to role membership#1000101:....tenant by system and assume }",
+                            "{ grant perm SELECT on coopsharestransaction#temprefB to role membership#M-1000101.referrer by system and assume }",
                            null));
        }
@ -194,7 +192,7 @@ class HsOfficeCoopSharesTransactionRepositoryIntegrationTest extends ContextBase
        @Test
        public void normalUser_canViewOnlyRelatedCoopSharesTransactions() {
            // given:
-            context("superuser-alex@hostsharing.net", "hs_office_partner#10001:FirstGmbH-firstcontact.admin");
+            context("superuser-alex@hostsharing.net", "hs_office_membership#M-1000101.admin");
            // when:
            final var result = coopSharesTransactionRepo.findCoopSharesTransactionByOptionalMembershipUuidAndDateRange(
--- a/src/test/java/net/hostsharing/hsadminng/hs/office/relationship/HsOfficeRelationshipRepositoryIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/office/relationship/HsOfficeRelationshipRepositoryIntegrationTest.java
@ -127,16 +127,18 @@ class HsOfficeRelationshipRepositoryIntegrationTest extends ContextBasedTestWith
                    "hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant"));
            assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(Array.fromFormatted(
                    initialGrantNames,
                    "{ grant perm INSERT on hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin by system and assume }",
                    "{ grant perm DELETE on hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner by system and assume }",
                    "{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner to role global#global.admin by system and assume }",
                    "{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner to user superuser-alex@hostsharing.net by hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner and assume }",
-                    "{ grant perm edit on hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin by system and assume }",
+                    "{ grant perm UPDATE on hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin by system and assume }",
                    "{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.owner by system and assume }",
                    "{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin to role hs_office_person#ErbenBesslerMelBessler.admin by system and assume }",
-                    "{ grant perm UPDATE on hs_office_relationship#BesslerAnita-with-REPRESENTATIVE-BesslerAnita to role hs_office_relationship#BesslerAnita-with-REPRESENTATIVE-BesslerAnita.admin by system and assume }",
+                    "{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.agent to role hs_office_person#BesslerBert.admin by system and assume }",
-                    "{ grant role hs_office_relationship#BesslerAnita-with-REPRESENTATIVE-BesslerAnita.admin to role hs_office_relationship#BesslerAnita-with-REPRESENTATIVE-BesslerAnita.owner by system and assume }",
+                    "{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.agent to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.admin by system and assume }",
                    "{ grant perm SELECT on hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant by system and assume }",
                    "{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.agent by system and assume }",
@ -145,7 +147,8 @@ class HsOfficeRelationshipRepositoryIntegrationTest extends ContextBasedTestWith
                    "{ grant role hs_office_contact#fourthcontact.referrer to role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant by system and assume }",
                    // REPRESENTATIVE holder person -> (represented) anchor person
-                    "{ grant role hs_office_person#BesslerBert.admin to role hs_office_person#ErbenBesslerMelBessler.admin by system and assume }",
+                    "{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant to role hs_office_contact#fourthcontact.admin by system and assume }",
                    "{ grant role hs_office_relationship#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert.tenant to role hs_office_person#BesslerBert.admin by system and assume }",
                    null)
            );
@ -195,7 +198,8 @@ class HsOfficeRelationshipRepositoryIntegrationTest extends ContextBasedTestWith
                    result,
                    "rel(relAnchor='LP Second e.K.', relType='REPRESENTATIVE', relHolder='NP Smith, Peter', contact='second contact')",
                    "rel(relAnchor='IF Third OHG', relType='SUBSCRIBER', relMark='members-announce', relHolder='NP Smith, Peter', contact='third contact')",
-                    "rel(relAnchor='LP Hostsharing eG', relType='PARTNER', relHolder='NP Smith, Peter', contact='sixth contact')");
+                    "rel(relAnchor='LP Hostsharing eG', relType='PARTNER', relHolder='NP Smith, Peter', contact='sixth contact')",
                    "rel(relAnchor='NP Smith, Peter', relType='ACCOUNTING', relHolder='NP Smith, Peter', contact='third contact')");
        }
    }