RBAC generator with conditional grants used for REPRESENTATIVE-Relation #33
@ -104,18 +104,21 @@ public class HsOfficeRelationEntity implements RbacObject, Stringifyable {
|
|||||||
.createRole(OWNER, (with) -> {
|
.createRole(OWNER, (with) -> {
|
||||||
with.owningUser(CREATOR);
|
with.owningUser(CREATOR);
|
||||||
with.incomingSuperRole(GLOBAL, ADMIN);
|
with.incomingSuperRole(GLOBAL, ADMIN);
|
||||||
with.incomingSuperRole("holderPerson", ADMIN).where("${REF}.type = 'REPRESENTATIVE'");
|
// TODO: if type=REPRESENTATIIVE
|
||||||
|
// with.incomingSuperRole("holderPerson", ADMIN);
|
||||||
with.permission(DELETE);
|
with.permission(DELETE);
|
||||||
})
|
})
|
||||||
.createSubRole(ADMIN, (with) -> {
|
.createSubRole(ADMIN, (with) -> {
|
||||||
with.incomingSuperRole("anchorPerson", ADMIN).where("${REF}.type <> 'REPRESENTATIVE'");
|
with.incomingSuperRole("anchorPerson", ADMIN);
|
||||||
with.outgoingSubRole("anchorPerson", OWNER).where("${REF}.type = 'REPRESENTATIVE'");
|
// TODO: if type=REPRESENTATIIVE
|
||||||
|
// with.outgoingSuperRole("anchorPerson", OWNER);
|
||||||
with.permission(UPDATE);
|
with.permission(UPDATE);
|
||||||
})
|
})
|
||||||
.createSubRole(AGENT, (with) -> {
|
.createSubRole(AGENT, (with) -> {
|
||||||
with.incomingSuperRole("holderPerson", ADMIN).where("${REF}.type <> 'REPRESENTATIVE'");
|
with.incomingSuperRole("holderPerson", ADMIN);
|
||||||
})
|
})
|
||||||
.createSubRole(TENANT, (with) -> {
|
.createSubRole(TENANT, (with) -> {
|
||||||
|
with.incomingSuperRole("holderPerson", ADMIN);
|
||||||
with.incomingSuperRole("contact", ADMIN);
|
with.incomingSuperRole("contact", ADMIN);
|
||||||
with.outgoingSubRole("anchorPerson", REFERRER);
|
with.outgoingSubRole("anchorPerson", REFERRER);
|
||||||
with.outgoingSubRole("holderPerson", REFERRER);
|
with.outgoingSubRole("holderPerson", REFERRER);
|
||||||
|
@ -14,7 +14,6 @@ import net.hostsharing.hsadminng.hs.office.person.HsOfficePersonEntity;
|
|||||||
import net.hostsharing.hsadminng.hs.office.relation.HsOfficeRelationEntity;
|
import net.hostsharing.hsadminng.hs.office.relation.HsOfficeRelationEntity;
|
||||||
import net.hostsharing.hsadminng.hs.office.sepamandate.HsOfficeSepaMandateEntity;
|
import net.hostsharing.hsadminng.hs.office.sepamandate.HsOfficeSepaMandateEntity;
|
||||||
import net.hostsharing.hsadminng.rbac.rbacobject.RbacObject;
|
import net.hostsharing.hsadminng.rbac.rbacobject.RbacObject;
|
||||||
import net.hostsharing.hsadminng.rbac.rbacobject.RbacObject;
|
|
||||||
import net.hostsharing.hsadminng.test.cust.TestCustomerEntity;
|
import net.hostsharing.hsadminng.test.cust.TestCustomerEntity;
|
||||||
import net.hostsharing.hsadminng.test.dom.TestDomainEntity;
|
import net.hostsharing.hsadminng.test.dom.TestDomainEntity;
|
||||||
import net.hostsharing.hsadminng.test.pac.TestPackageEntity;
|
import net.hostsharing.hsadminng.test.pac.TestPackageEntity;
|
||||||
|
@ -301,11 +301,11 @@ class RolesGrantsAndPermissionsGenerator {
|
|||||||
.replace("${permRef}", createPerm(NEW, grantDef.getPermDef()))
|
.replace("${permRef}", createPerm(NEW, grantDef.getPermDef()))
|
||||||
.replace("${superRoleRef}", roleRef(NEW, grantDef.getSuperRoleDef()));
|
.replace("${superRoleRef}", roleRef(NEW, grantDef.getSuperRoleDef()));
|
||||||
};
|
};
|
||||||
if (grantDef.isConditional()) {
|
// if (grantDef.isConditional()) {
|
||||||
return "if " + grantDef.getOnlyInCaseOf() + " then\n"
|
// return "if " + grantDef.getOnlyInCaseOf() + " then\n"
|
||||||
+ " " + grantSql + "\n"
|
// + " " + grantSql + "\n"
|
||||||
+ "end if;";
|
// + "end if;";
|
||||||
}
|
// }
|
||||||
return grantSql;
|
return grantSql;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -82,13 +82,12 @@ role:global:ADMIN -.-> role:contact:OWNER
|
|||||||
role:contact:OWNER -.-> role:contact:ADMIN
|
role:contact:OWNER -.-> role:contact:ADMIN
|
||||||
role:contact:ADMIN -.-> role:contact:REFERRER
|
role:contact:ADMIN -.-> role:contact:REFERRER
|
||||||
role:global:ADMIN ==> role:relation:OWNER
|
role:global:ADMIN ==> role:relation:OWNER
|
||||||
role:holderPerson:ADMIN ==> |??| role:relation:OWNER
|
|
||||||
role:relation:OWNER ==> role:relation:ADMIN
|
role:relation:OWNER ==> role:relation:ADMIN
|
||||||
role:anchorPerson:ADMIN ==> |??| role:relation:ADMIN
|
role:anchorPerson:ADMIN ==> role:relation:ADMIN
|
||||||
role:relation:ADMIN ==> |??| role:anchorPerson:OWNER
|
|
||||||
role:relation:ADMIN ==> role:relation:AGENT
|
role:relation:ADMIN ==> role:relation:AGENT
|
||||||
role:holderPerson:ADMIN ==> |??| role:relation:AGENT
|
role:holderPerson:ADMIN ==> role:relation:AGENT
|
||||||
role:relation:AGENT ==> role:relation:TENANT
|
role:relation:AGENT ==> role:relation:TENANT
|
||||||
|
role:holderPerson:ADMIN ==> role:relation:TENANT
|
||||||
role:contact:ADMIN ==> role:relation:TENANT
|
role:contact:ADMIN ==> role:relation:TENANT
|
||||||
role:relation:TENANT ==> role:anchorPerson:REFERRER
|
role:relation:TENANT ==> role:anchorPerson:REFERRER
|
||||||
role:relation:TENANT ==> role:holderPerson:REFERRER
|
role:relation:TENANT ==> role:holderPerson:REFERRER
|
||||||
|
@ -57,12 +57,16 @@ begin
|
|||||||
perform createRoleWithGrants(
|
perform createRoleWithGrants(
|
||||||
hsOfficeRelationADMIN(NEW),
|
hsOfficeRelationADMIN(NEW),
|
||||||
permissions => array['UPDATE'],
|
permissions => array['UPDATE'],
|
||||||
incomingSuperRoles => array[hsOfficeRelationOWNER(NEW)]
|
incomingSuperRoles => array[
|
||||||
|
hsOfficePersonADMIN(newAnchorPerson),
|
||||||
|
hsOfficeRelationOWNER(NEW)]
|
||||||
);
|
);
|
||||||
|
|
||||||
perform createRoleWithGrants(
|
perform createRoleWithGrants(
|
||||||
hsOfficeRelationAGENT(NEW),
|
hsOfficeRelationAGENT(NEW),
|
||||||
incomingSuperRoles => array[hsOfficeRelationADMIN(NEW)]
|
incomingSuperRoles => array[
|
||||||
|
hsOfficePersonADMIN(newHolderPerson),
|
||||||
|
hsOfficeRelationADMIN(NEW)]
|
||||||
);
|
);
|
||||||
|
|
||||||
perform createRoleWithGrants(
|
perform createRoleWithGrants(
|
||||||
@ -70,6 +74,7 @@ begin
|
|||||||
permissions => array['SELECT'],
|
permissions => array['SELECT'],
|
||||||
incomingSuperRoles => array[
|
incomingSuperRoles => array[
|
||||||
hsOfficeContactADMIN(newContact),
|
hsOfficeContactADMIN(newContact),
|
||||||
|
hsOfficePersonADMIN(newHolderPerson),
|
||||||
hsOfficeRelationAGENT(NEW)],
|
hsOfficeRelationAGENT(NEW)],
|
||||||
outgoingSubRoles => array[
|
outgoingSubRoles => array[
|
||||||
hsOfficeContactREFERRER(newContact),
|
hsOfficeContactREFERRER(newContact),
|
||||||
@ -77,19 +82,6 @@ begin
|
|||||||
hsOfficePersonREFERRER(newHolderPerson)]
|
hsOfficePersonREFERRER(newHolderPerson)]
|
||||||
);
|
);
|
||||||
|
|
||||||
if NEW.type <> 'REPRESENTATIVE' then
|
|
||||||
call grantRoleToRole(hsOfficeRelationADMIN(NEW), hsOfficePersonADMIN(newAnchorPerson));
|
|
||||||
end if;
|
|
||||||
if NEW.type <> 'REPRESENTATIVE' then
|
|
||||||
call grantRoleToRole(hsOfficeRelationAGENT(NEW), hsOfficePersonADMIN(newHolderPerson));
|
|
||||||
end if;
|
|
||||||
if NEW.type = 'REPRESENTATIVE' then
|
|
||||||
call grantRoleToRole(hsOfficePersonOWNER(newAnchorPerson), hsOfficeRelationADMIN(NEW));
|
|
||||||
end if;
|
|
||||||
if NEW.type = 'REPRESENTATIVE' then
|
|
||||||
call grantRoleToRole(hsOfficeRelationOWNER(NEW), hsOfficePersonADMIN(newHolderPerson));
|
|
||||||
end if;
|
|
||||||
|
|
||||||
call leaveTriggerForObjectUuid(NEW.uuid);
|
call leaveTriggerForObjectUuid(NEW.uuid);
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
@ -126,12 +118,48 @@ create or replace procedure updateRbacRulesForHsOfficeRelation(
|
|||||||
NEW hs_office_relation
|
NEW hs_office_relation
|
||||||
)
|
)
|
||||||
language plpgsql as $$
|
language plpgsql as $$
|
||||||
begin
|
|
||||||
|
|
||||||
if NEW.contactUuid is distinct from OLD.contactUuid then
|
declare
|
||||||
delete from rbacgrants g where g.grantedbytriggerof = OLD.uuid;
|
oldHolderPerson hs_office_person;
|
||||||
call buildRbacSystemForHsOfficeRelation(NEW);
|
newHolderPerson hs_office_person;
|
||||||
|
oldAnchorPerson hs_office_person;
|
||||||
|
newAnchorPerson hs_office_person;
|
||||||
|
oldContact hs_office_contact;
|
||||||
|
newContact hs_office_contact;
|
||||||
|
|
||||||
|
begin
|
||||||
|
call enterTriggerForObjectUuid(NEW.uuid);
|
||||||
|
|
||||||
|
SELECT * FROM hs_office_person WHERE uuid = OLD.holderUuid INTO oldHolderPerson;
|
||||||
|
assert oldHolderPerson.uuid is not null, format('oldHolderPerson must not be null for OLD.holderUuid = %s', OLD.holderUuid);
|
||||||
|
|
||||||
|
SELECT * FROM hs_office_person WHERE uuid = NEW.holderUuid INTO newHolderPerson;
|
||||||
|
assert newHolderPerson.uuid is not null, format('newHolderPerson must not be null for NEW.holderUuid = %s', NEW.holderUuid);
|
||||||
|
|
||||||
|
SELECT * FROM hs_office_person WHERE uuid = OLD.anchorUuid INTO oldAnchorPerson;
|
||||||
|
assert oldAnchorPerson.uuid is not null, format('oldAnchorPerson must not be null for OLD.anchorUuid = %s', OLD.anchorUuid);
|
||||||
|
|
||||||
|
SELECT * FROM hs_office_person WHERE uuid = NEW.anchorUuid INTO newAnchorPerson;
|
||||||
|
assert newAnchorPerson.uuid is not null, format('newAnchorPerson must not be null for NEW.anchorUuid = %s', NEW.anchorUuid);
|
||||||
|
|
||||||
|
SELECT * FROM hs_office_contact WHERE uuid = OLD.contactUuid INTO oldContact;
|
||||||
|
assert oldContact.uuid is not null, format('oldContact must not be null for OLD.contactUuid = %s', OLD.contactUuid);
|
||||||
|
|
||||||
|
SELECT * FROM hs_office_contact WHERE uuid = NEW.contactUuid INTO newContact;
|
||||||
|
assert newContact.uuid is not null, format('newContact must not be null for NEW.contactUuid = %s', NEW.contactUuid);
|
||||||
|
|
||||||
|
|
||||||
|
if NEW.contactUuid <> OLD.contactUuid then
|
||||||
|
|
||||||
|
call revokeRoleFromRole(hsOfficeRelationTENANT(OLD), hsOfficeContactADMIN(oldContact));
|
||||||
|
call grantRoleToRole(hsOfficeRelationTENANT(NEW), hsOfficeContactADMIN(newContact));
|
||||||
|
|
||||||
|
call revokeRoleFromRole(hsOfficeContactREFERRER(oldContact), hsOfficeRelationTENANT(OLD));
|
||||||
|
call grantRoleToRole(hsOfficeContactREFERRER(newContact), hsOfficeRelationTENANT(NEW));
|
||||||
|
|
||||||
end if;
|
end if;
|
||||||
|
|
||||||
|
call leaveTriggerForObjectUuid(NEW.uuid);
|
||||||
end; $$;
|
end; $$;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -97,13 +97,12 @@ role:global:ADMIN -.-> role:partnerRel.contact:OWNER
|
|||||||
role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
|
role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
|
||||||
role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
|
role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
|
||||||
role:global:ADMIN -.-> role:partnerRel:OWNER
|
role:global:ADMIN -.-> role:partnerRel:OWNER
|
||||||
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:OWNER
|
|
||||||
role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
|
role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
|
||||||
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN
|
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN
|
||||||
role:partnerRel:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
|
|
||||||
role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
|
role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
|
||||||
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
|
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
|
||||||
role:partnerRel:AGENT -.-> role:partnerRel:TENANT
|
role:partnerRel:AGENT -.-> role:partnerRel:TENANT
|
||||||
|
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:TENANT
|
||||||
role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT
|
role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT
|
||||||
role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
|
role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
|
||||||
role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
|
role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
|
||||||
|
@ -150,13 +150,12 @@ role:global:ADMIN -.-> role:debitorRel.contact:OWNER
|
|||||||
role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
|
role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
|
||||||
role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
|
role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
|
||||||
role:global:ADMIN -.-> role:debitorRel:OWNER
|
role:global:ADMIN -.-> role:debitorRel:OWNER
|
||||||
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:OWNER
|
|
||||||
role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
|
role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
|
||||||
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:ADMIN
|
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:ADMIN
|
||||||
role:debitorRel:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
|
|
||||||
role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
|
role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
|
||||||
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
|
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
|
||||||
role:debitorRel:AGENT -.-> role:debitorRel:TENANT
|
role:debitorRel:AGENT -.-> role:debitorRel:TENANT
|
||||||
|
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:TENANT
|
||||||
role:debitorRel.contact:ADMIN -.-> role:debitorRel:TENANT
|
role:debitorRel.contact:ADMIN -.-> role:debitorRel:TENANT
|
||||||
role:debitorRel:TENANT -.-> role:debitorRel.anchorPerson:REFERRER
|
role:debitorRel:TENANT -.-> role:debitorRel.anchorPerson:REFERRER
|
||||||
role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
|
role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
|
||||||
@ -176,13 +175,12 @@ role:global:ADMIN -.-> role:partnerRel.contact:OWNER
|
|||||||
role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
|
role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
|
||||||
role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
|
role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
|
||||||
role:global:ADMIN -.-> role:partnerRel:OWNER
|
role:global:ADMIN -.-> role:partnerRel:OWNER
|
||||||
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:OWNER
|
|
||||||
role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
|
role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
|
||||||
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN
|
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN
|
||||||
role:partnerRel:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
|
|
||||||
role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
|
role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
|
||||||
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
|
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
|
||||||
role:partnerRel:AGENT -.-> role:partnerRel:TENANT
|
role:partnerRel:AGENT -.-> role:partnerRel:TENANT
|
||||||
|
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:TENANT
|
||||||
role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT
|
role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT
|
||||||
role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
|
role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
|
||||||
role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
|
role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
|
||||||
|
@ -109,13 +109,12 @@ role:global:ADMIN -.-> role:debitorRel.contact:OWNER
|
|||||||
role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
|
role:debitorRel.contact:OWNER -.-> role:debitorRel.contact:ADMIN
|
||||||
role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
|
role:debitorRel.contact:ADMIN -.-> role:debitorRel.contact:REFERRER
|
||||||
role:global:ADMIN -.-> role:debitorRel:OWNER
|
role:global:ADMIN -.-> role:debitorRel:OWNER
|
||||||
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:OWNER
|
|
||||||
role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
|
role:debitorRel:OWNER -.-> role:debitorRel:ADMIN
|
||||||
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:ADMIN
|
role:debitorRel.anchorPerson:ADMIN -.-> role:debitorRel:ADMIN
|
||||||
role:debitorRel:ADMIN -.-> role:debitorRel.anchorPerson:OWNER
|
|
||||||
role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
|
role:debitorRel:ADMIN -.-> role:debitorRel:AGENT
|
||||||
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
|
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:AGENT
|
||||||
role:debitorRel:AGENT -.-> role:debitorRel:TENANT
|
role:debitorRel:AGENT -.-> role:debitorRel:TENANT
|
||||||
|
role:debitorRel.holderPerson:ADMIN -.-> role:debitorRel:TENANT
|
||||||
role:debitorRel.contact:ADMIN -.-> role:debitorRel:TENANT
|
role:debitorRel.contact:ADMIN -.-> role:debitorRel:TENANT
|
||||||
role:debitorRel:TENANT -.-> role:debitorRel.anchorPerson:REFERRER
|
role:debitorRel:TENANT -.-> role:debitorRel.anchorPerson:REFERRER
|
||||||
role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
|
role:debitorRel:TENANT -.-> role:debitorRel.holderPerson:REFERRER
|
||||||
|
@ -95,13 +95,12 @@ role:global:ADMIN -.-> role:partnerRel.contact:OWNER
|
|||||||
role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
|
role:partnerRel.contact:OWNER -.-> role:partnerRel.contact:ADMIN
|
||||||
role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
|
role:partnerRel.contact:ADMIN -.-> role:partnerRel.contact:REFERRER
|
||||||
role:global:ADMIN -.-> role:partnerRel:OWNER
|
role:global:ADMIN -.-> role:partnerRel:OWNER
|
||||||
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:OWNER
|
|
||||||
role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
|
role:partnerRel:OWNER -.-> role:partnerRel:ADMIN
|
||||||
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN
|
role:partnerRel.anchorPerson:ADMIN -.-> role:partnerRel:ADMIN
|
||||||
role:partnerRel:ADMIN -.-> role:partnerRel.anchorPerson:OWNER
|
|
||||||
role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
|
role:partnerRel:ADMIN -.-> role:partnerRel:AGENT
|
||||||
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
|
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:AGENT
|
||||||
role:partnerRel:AGENT -.-> role:partnerRel:TENANT
|
role:partnerRel:AGENT -.-> role:partnerRel:TENANT
|
||||||
|
role:partnerRel.holderPerson:ADMIN -.-> role:partnerRel:TENANT
|
||||||
role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT
|
role:partnerRel.contact:ADMIN -.-> role:partnerRel:TENANT
|
||||||
role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
|
role:partnerRel:TENANT -.-> role:partnerRel.anchorPerson:REFERRER
|
||||||
role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
|
role:partnerRel:TENANT -.-> role:partnerRel.holderPerson:REFERRER
|
||||||
|
@ -96,13 +96,12 @@ role:global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
|
|||||||
role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN
|
role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN
|
||||||
role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER
|
role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER
|
||||||
role:global:ADMIN -.-> role:membership.partnerRel:OWNER
|
role:global:ADMIN -.-> role:membership.partnerRel:OWNER
|
||||||
role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:OWNER
|
|
||||||
role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN
|
role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN
|
||||||
role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:ADMIN
|
role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:ADMIN
|
||||||
role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
|
|
||||||
role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT
|
role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT
|
||||||
role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT
|
role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT
|
||||||
role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT
|
role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT
|
||||||
|
role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:TENANT
|
||||||
role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel:TENANT
|
role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel:TENANT
|
||||||
role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:REFERRER
|
role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:REFERRER
|
||||||
role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER
|
role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER
|
||||||
|
@ -96,13 +96,12 @@ role:global:ADMIN -.-> role:membership.partnerRel.contact:OWNER
|
|||||||
role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN
|
role:membership.partnerRel.contact:OWNER -.-> role:membership.partnerRel.contact:ADMIN
|
||||||
role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER
|
role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel.contact:REFERRER
|
||||||
role:global:ADMIN -.-> role:membership.partnerRel:OWNER
|
role:global:ADMIN -.-> role:membership.partnerRel:OWNER
|
||||||
role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:OWNER
|
|
||||||
role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN
|
role:membership.partnerRel:OWNER -.-> role:membership.partnerRel:ADMIN
|
||||||
role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:ADMIN
|
role:membership.partnerRel.anchorPerson:ADMIN -.-> role:membership.partnerRel:ADMIN
|
||||||
role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel.anchorPerson:OWNER
|
|
||||||
role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT
|
role:membership.partnerRel:ADMIN -.-> role:membership.partnerRel:AGENT
|
||||||
role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT
|
role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:AGENT
|
||||||
role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT
|
role:membership.partnerRel:AGENT -.-> role:membership.partnerRel:TENANT
|
||||||
|
role:membership.partnerRel.holderPerson:ADMIN -.-> role:membership.partnerRel:TENANT
|
||||||
role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel:TENANT
|
role:membership.partnerRel.contact:ADMIN -.-> role:membership.partnerRel:TENANT
|
||||||
role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:REFERRER
|
role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.anchorPerson:REFERRER
|
||||||
role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER
|
role:membership.partnerRel:TENANT -.-> role:membership.partnerRel.holderPerson:REFERRER
|
||||||
|
@ -362,7 +362,7 @@ class HsOfficeRelationControllerAcceptanceTest extends ContextBasedTestWithClean
|
|||||||
assertThat(givenRelation.getContact().getLabel()).isEqualTo("seventh contact");
|
assertThat(givenRelation.getContact().getLabel()).isEqualTo("seventh contact");
|
||||||
final var givenContact = contactRepo.findContactByOptionalLabelLike("fourth").get(0);
|
final var givenContact = contactRepo.findContactByOptionalLabelLike("fourth").get(0);
|
||||||
|
|
||||||
final var location = RestAssured // @formatter:off
|
RestAssured // @formatter:off
|
||||||
.given()
|
.given()
|
||||||
.header("current-user", "superuser-alex@hostsharing.net")
|
.header("current-user", "superuser-alex@hostsharing.net")
|
||||||
.contentType(ContentType.JSON)
|
.contentType(ContentType.JSON)
|
||||||
|
@ -103,69 +103,6 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
|
|||||||
final var initialRoleNames = distinctRoleNamesOf(rawRoleRepo.findAll());
|
final var initialRoleNames = distinctRoleNamesOf(rawRoleRepo.findAll());
|
||||||
final var initialGrantNames = distinctGrantDisplaysOf(rawGrantRepo.findAll());
|
final var initialGrantNames = distinctGrantDisplaysOf(rawGrantRepo.findAll());
|
||||||
|
|
||||||
// when
|
|
||||||
attempt(em, () -> {
|
|
||||||
final var givenAnchorPerson = personRepo.findPersonByOptionalNameLike("Bessler").stream()
|
|
||||||
.filter(p -> p.getPersonType() == UNINCORPORATED_FIRM)
|
|
||||||
.findFirst().orElseThrow();
|
|
||||||
final var givenHolderPerson = personRepo.findPersonByOptionalNameLike("Bert").stream()
|
|
||||||
.filter(p -> p.getPersonType() == NATURAL_PERSON)
|
|
||||||
.findFirst().orElseThrow();
|
|
||||||
final var givenContact = contactRepo.findContactByOptionalLabelLike("fourth contact").stream()
|
|
||||||
.findFirst().orElseThrow();
|
|
||||||
final var newRelation = HsOfficeRelationEntity.builder()
|
|
||||||
.anchor(givenAnchorPerson)
|
|
||||||
.holder(givenHolderPerson)
|
|
||||||
.type(HsOfficeRelationType.SUBSCRIBER)
|
|
||||||
.mark("dummy")
|
|
||||||
.contact(givenContact)
|
|
||||||
.build();
|
|
||||||
return toCleanup(relationRepo.save(newRelation));
|
|
||||||
});
|
|
||||||
|
|
||||||
// then
|
|
||||||
assertThat(distinctRoleNamesOf(rawRoleRepo.findAll())).containsExactlyInAnyOrder(Array.from(
|
|
||||||
initialRoleNames,
|
|
||||||
"hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:OWNER",
|
|
||||||
"hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:ADMIN",
|
|
||||||
"hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:AGENT",
|
|
||||||
"hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:TENANT"));
|
|
||||||
assertThat(distinctGrantDisplaysOf(rawGrantRepo.findAll())).containsExactlyInAnyOrder(Array.fromFormatted(
|
|
||||||
initialGrantNames,
|
|
||||||
// TODO: this grant should only be created for DEBITOR-Relationships, thus the RBAC DSL needs to support conditional grants
|
|
||||||
"{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:INSERT>hs_office_sepamandate to role:hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:ADMIN by system and assume }",
|
|
||||||
|
|
||||||
"{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:DELETE to role:hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:OWNER by system and assume }",
|
|
||||||
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:OWNER to role:global#global:ADMIN by system and assume }",
|
|
||||||
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:OWNER to user:superuser-alex@hostsharing.net by hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:OWNER and assume }",
|
|
||||||
|
|
||||||
"{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:UPDATE to role:hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:ADMIN by system and assume }",
|
|
||||||
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:ADMIN to role:hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:OWNER by system and assume }",
|
|
||||||
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:ADMIN to role:hs_office_person#ErbenBesslerMelBessler:ADMIN by system and assume }",
|
|
||||||
|
|
||||||
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:AGENT to role:hs_office_person#BesslerBert:ADMIN by system and assume }",
|
|
||||||
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:AGENT to role:hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:ADMIN by system and assume }",
|
|
||||||
|
|
||||||
"{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:SELECT to role:hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:TENANT by system and assume }",
|
|
||||||
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:TENANT to role:hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:AGENT by system and assume }",
|
|
||||||
"{ grant role:hs_office_person#BesslerBert:REFERRER to role:hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:TENANT by system and assume }",
|
|
||||||
"{ grant role:hs_office_person#ErbenBesslerMelBessler:REFERRER to role:hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:TENANT by system and assume }",
|
|
||||||
"{ grant role:hs_office_contact#fourthcontact:REFERRER to role:hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:TENANT by system and assume }",
|
|
||||||
|
|
||||||
// SUBSCRIBER holder person -> (represented) anchor person
|
|
||||||
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-SUBSCRIBER-BesslerBert:TENANT to role:hs_office_contact#fourthcontact:ADMIN by system and assume }",
|
|
||||||
|
|
||||||
null)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
@Test
|
|
||||||
public void createsAndGrantsRolesForTypeRepresentative() {
|
|
||||||
// given
|
|
||||||
context("superuser-alex@hostsharing.net");
|
|
||||||
final var initialRoleNames = distinctRoleNamesOf(rawRoleRepo.findAll());
|
|
||||||
final var initialGrantNames = distinctGrantDisplaysOf(rawGrantRepo.findAll());
|
|
||||||
|
|
||||||
// when
|
// when
|
||||||
attempt(em, () -> {
|
attempt(em, () -> {
|
||||||
final var givenAnchorPerson = personRepo.findPersonByOptionalNameLike("Bessler").stream()
|
final var givenAnchorPerson = personRepo.findPersonByOptionalNameLike("Bessler").stream()
|
||||||
@ -203,9 +140,9 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
|
|||||||
|
|
||||||
"{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:UPDATE to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:ADMIN by system and assume }",
|
"{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:UPDATE to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:ADMIN by system and assume }",
|
||||||
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:ADMIN to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER by system and assume }",
|
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:ADMIN to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER by system and assume }",
|
||||||
"{ grant role:hs_office_person#ErbenBesslerMelBessler:OWNER to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:ADMIN by system and assume }",
|
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:ADMIN to role:hs_office_person#ErbenBesslerMelBessler:ADMIN by system and assume }",
|
||||||
|
|
||||||
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:OWNER to role:hs_office_person#BesslerBert:ADMIN by system and assume }",
|
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:AGENT to role:hs_office_person#BesslerBert:ADMIN by system and assume }",
|
||||||
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:AGENT to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:ADMIN by system and assume }",
|
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:AGENT to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:ADMIN by system and assume }",
|
||||||
|
|
||||||
"{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:SELECT to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:TENANT by system and assume }",
|
"{ grant perm:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:SELECT to role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:TENANT by system and assume }",
|
||||||
@ -216,6 +153,7 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
|
|||||||
|
|
||||||
// REPRESENTATIVE holder person -> (represented) anchor person
|
// REPRESENTATIVE holder person -> (represented) anchor person
|
||||||
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:TENANT to role:hs_office_contact#fourthcontact:ADMIN by system and assume }",
|
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:TENANT to role:hs_office_contact#fourthcontact:ADMIN by system and assume }",
|
||||||
|
"{ grant role:hs_office_relation#ErbenBesslerMelBessler-with-REPRESENTATIVE-BesslerBert:TENANT to role:hs_office_person#BesslerBert:ADMIN by system and assume }",
|
||||||
|
|
||||||
null)
|
null)
|
||||||
);
|
);
|
||||||
@ -279,10 +217,10 @@ class HsOfficeRelationRepositoryIntegrationTest extends ContextBasedTestWithClea
|
|||||||
context("superuser-alex@hostsharing.net");
|
context("superuser-alex@hostsharing.net");
|
||||||
final var givenRelation = givenSomeTemporaryRelationBessler(
|
final var givenRelation = givenSomeTemporaryRelationBessler(
|
||||||
"Bert", "fifth contact");
|
"Bert", "fifth contact");
|
||||||
|
assertThatRelationActuallyInDatabase(givenRelation);
|
||||||
assertThatRelationIsVisibleForUserWithRole(
|
assertThatRelationIsVisibleForUserWithRole(
|
||||||
givenRelation,
|
givenRelation,
|
||||||
"hs_office_person#ErbenBesslerMelBessler:ADMIN");
|
"hs_office_person#ErbenBesslerMelBessler:ADMIN");
|
||||||
assertThatRelationActuallyInDatabase(givenRelation);
|
|
||||||
context("superuser-alex@hostsharing.net");
|
context("superuser-alex@hostsharing.net");
|
||||||
final var givenContact = contactRepo.findContactByOptionalLabelLike("sixth contact").stream().findFirst().orElseThrow();
|
final var givenContact = contactRepo.findContactByOptionalLabelLike("sixth contact").stream().findFirst().orElseThrow();
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user