add-domain-setup-validation #71
@ -41,6 +41,7 @@ import java.util.Map;
|
||||
import java.util.UUID;
|
||||
|
||||
import static java.util.Collections.emptyMap;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.CaseDef.inCaseOf;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Column.dependsOnColumn;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.ColumnValue.usingDefaultCase;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.GLOBAL;
|
||||
@ -51,6 +52,7 @@ import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.SELECT;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Permission.UPDATE;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.ADMIN;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.AGENT;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.GUEST;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.OWNER;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.REFERRER;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacdef.RbacView.Role.TENANT;
|
||||
@ -199,6 +201,13 @@ public class HsHostingAssetEntity implements Stringifyable, RbacObject, Properti
|
||||
directlyFetchedByDependsOnColumn(),
|
||||
NULLABLE)
|
||||
|
||||
.switchOnColumn("type",
|
||||
inCaseOf("DOMAIN_SETUP", then -> {
|
||||
then.toRole(GLOBAL, GUEST).grantPermission(INSERT);
|
||||
then.toRole(GLOBAL, ADMIN).grantPermission(SELECT); // FIXME: remove
|
||||
})
|
||||
)
|
||||
|
||||
.createRole(OWNER, (with) -> {
|
||||
with.incomingSuperRole("bookingItem", ADMIN);
|
||||
with.incomingSuperRole("parentAsset", ADMIN);
|
||||
@ -217,8 +226,11 @@ public class HsHostingAssetEntity implements Stringifyable, RbacObject, Properti
|
||||
with.outgoingSubRole("bookingItem", TENANT);
|
||||
with.outgoingSubRole("parentAsset", TENANT);
|
||||
with.incomingSuperRole("alarmContact", ADMIN);
|
||||
with.incomingSuperRole(GLOBAL, GUEST); // FIXME: remove
|
||||
hsh-michaelhoennig marked this conversation as resolved
Outdated
|
||||
with.incomingSuperRole(GLOBAL, ADMIN); // FIXME: remove
|
||||
with.permission(SELECT);
|
||||
})
|
||||
|
||||
.limitDiagramTo("asset", "bookingItem", "bookingItem.debitorRel", "parentAsset", "assignedToAsset", "alarmContact", "global");
|
||||
}
|
||||
|
||||
|
@ -36,9 +36,9 @@ subgraph asset["`**asset**`"]
|
||||
style asset:permissions fill:#dd4901,stroke:white
|
||||
|
||||
perm:asset:INSERT{{asset:INSERT}}
|
||||
perm:asset:SELECT{{asset:SELECT}}
|
||||
perm:asset:DELETE{{asset:DELETE}}
|
||||
perm:asset:UPDATE{{asset:UPDATE}}
|
||||
perm:asset:SELECT{{asset:SELECT}}
|
||||
end
|
||||
end
|
||||
|
||||
@ -99,10 +99,14 @@ role:asset:AGENT ==> role:asset:TENANT
|
||||
role:asset:TENANT ==> role:bookingItem:TENANT
|
||||
role:asset:TENANT ==> role:parentAsset:TENANT
|
||||
role:alarmContact:ADMIN ==> role:asset:TENANT
|
||||
role:global:GUEST ==> role:asset:TENANT
|
||||
role:global:ADMIN ==> role:asset:TENANT
|
||||
|
||||
%% granting permissions to roles
|
||||
role:global:ADMIN ==> perm:asset:INSERT
|
||||
role:parentAsset:ADMIN ==> perm:asset:INSERT
|
||||
role:global:GUEST ==> perm:asset:INSERT
|
||||
role:global:ADMIN ==> perm:asset:SELECT
|
||||
role:asset:OWNER ==> perm:asset:DELETE
|
||||
role:asset:ADMIN ==> perm:asset:UPDATE
|
||||
role:asset:TENANT ==> perm:asset:SELECT
|
||||
|
@ -75,6 +75,8 @@ begin
|
||||
hsHostingAssetTENANT(NEW),
|
||||
permissions => array['SELECT'],
|
||||
incomingSuperRoles => array[
|
||||
globalADMIN(),
|
||||
globalGUEST(),
|
||||
hsHostingAssetAGENT(NEW),
|
||||
hsOfficeContactADMIN(newAlarmContact)],
|
||||
outgoingSubRoles => array[
|
||||
@ -82,6 +84,13 @@ begin
|
||||
hsHostingAssetTENANT(newParentAsset)]
|
||||
);
|
||||
|
||||
IF NEW.type = 'DOMAIN_SETUP' THEN
|
||||
END IF;
|
||||
|
||||
|
||||
|
||||
call grantPermissionToRole(createPermission(NEW.uuid, 'SELECT'), globalAdmin());
|
||||
|
||||
call leaveTriggerForObjectUuid(NEW.uuid);
|
||||
end; $$;
|
||||
|
||||
@ -147,114 +156,6 @@ execute procedure updateTriggerForHsHostingAsset_tf();
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset hs-hosting-asset-rbac-GRANTING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
-- granting INSERT permission to global ----------------------------
|
||||
|
||||
/*
|
||||
Grants INSERT INTO hs_hosting_asset permissions to specified role of pre-existing global rows.
|
||||
*/
|
||||
do language plpgsql $$
|
||||
declare
|
||||
row global;
|
||||
begin
|
||||
call defineContext('create INSERT INTO hs_hosting_asset permissions for pre-exising global rows');
|
||||
|
||||
FOR row IN SELECT * FROM global
|
||||
-- unconditional for all rows in that table
|
||||
LOOP
|
||||
call grantPermissionToRole(
|
||||
createPermission(row.uuid, 'INSERT', 'hs_hosting_asset'),
|
||||
globalADMIN());
|
||||
END LOOP;
|
||||
end;
|
||||
$$;
|
||||
|
||||
/**
|
||||
Grants hs_hosting_asset INSERT permission to specified role of new global rows.
|
||||
*/
|
||||
create or replace function new_hs_hosting_asset_grants_insert_to_global_tf()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
createPermission(NEW.uuid, 'INSERT', 'hs_hosting_asset'),
|
||||
globalADMIN());
|
||||
-- end.
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_hs_hosting_asset_grants_insert_to_global_tg
|
||||
after insert on global
|
||||
for each row
|
||||
execute procedure new_hs_hosting_asset_grants_insert_to_global_tf();
|
||||
|
||||
-- granting INSERT permission to hs_hosting_asset ----------------------------
|
||||
|
||||
-- Granting INSERT INTO hs_hosting_asset permissions to specified role of pre-existing hs_hosting_asset rows slipped,
|
||||
-- because there cannot yet be any pre-existing rows in the same table yet.
|
||||
|
||||
/**
|
||||
Grants hs_hosting_asset INSERT permission to specified role of new hs_hosting_asset rows.
|
||||
*/
|
||||
create or replace function new_hs_hosting_asset_grants_insert_to_hs_hosting_asset_tf()
|
||||
returns trigger
|
||||
language plpgsql
|
||||
strict as $$
|
||||
begin
|
||||
-- unconditional for all rows in that table
|
||||
call grantPermissionToRole(
|
||||
createPermission(NEW.uuid, 'INSERT', 'hs_hosting_asset'),
|
||||
hsHostingAssetADMIN(NEW));
|
||||
-- end.
|
||||
return NEW;
|
||||
end; $$;
|
||||
|
||||
-- z_... is to put it at the end of after insert triggers, to make sure the roles exist
|
||||
create trigger z_new_hs_hosting_asset_grants_insert_to_hs_hosting_asset_tg
|
||||
after insert on hs_hosting_asset
|
||||
for each row
|
||||
execute procedure new_hs_hosting_asset_grants_insert_to_hs_hosting_asset_tf();
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset hs_hosting_asset-rbac-CHECKING-INSERT-PERMISSION:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
||||
/**
|
||||
Checks if the user respectively the assumed roles are allowed to insert a row to hs_hosting_asset.
|
||||
*/
|
||||
create or replace function hs_hosting_asset_insert_permission_check_tf()
|
||||
returns trigger
|
||||
language plpgsql as $$
|
||||
declare
|
||||
superObjectUuid uuid;
|
||||
begin
|
||||
-- check INSERT INSERT if global ADMIN
|
||||
if isGlobalAdmin() then
|
||||
return NEW;
|
||||
end if;
|
||||
-- check INSERT permission via direct foreign key: NEW.parentAssetUuid
|
||||
if hasInsertPermission(NEW.parentAssetUuid, 'hs_hosting_asset') then
|
||||
return NEW;
|
||||
end if;
|
||||
|
||||
raise exception '[403] insert into hs_hosting_asset values(%) not allowed for current subjects % (%)',
|
||||
NEW, currentSubjects(), currentSubjectsUuids();
|
||||
end; $$;
|
||||
|
||||
create trigger hs_hosting_asset_insert_permission_check_tg
|
||||
before insert on hs_hosting_asset
|
||||
for each row
|
||||
execute procedure hs_hosting_asset_insert_permission_check_tf();
|
||||
--//
|
||||
|
||||
|
||||
-- ============================================================================
|
||||
--changeset hs-hosting-asset-rbac-IDENTITY-VIEW:1 endDelimiter:--//
|
||||
-- ----------------------------------------------------------------------------
|
||||
|
@ -27,6 +27,7 @@ import java.util.Map;
|
||||
|
||||
import static java.util.Map.entry;
|
||||
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.CLOUD_SERVER;
|
||||
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.DOMAIN_SETUP;
|
||||
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.MANAGED_SERVER;
|
||||
import static net.hostsharing.hsadminng.hs.hosting.asset.HsHostingAssetType.MANAGED_WEBSPACE;
|
||||
import static net.hostsharing.hsadminng.rbac.rbacgrant.RawRbacGrantEntity.distinctGrantDisplaysOf;
|
||||
@ -153,12 +154,39 @@ class HsHostingAssetRepositoryIntegrationTest extends ContextBasedTestWithCleanu
|
||||
null));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void anyUser_canCreateNewDomainSetupAsset() {
|
||||
// given
|
||||
context("superuser-alex@hostsharing.net");
|
||||
final var assetCount = assetRepo.count();
|
||||
|
||||
// when
|
||||
context("person-SmithPeter@example.com");
|
||||
final var result = attempt(em, () -> {
|
||||
final var newAsset = HsHostingAssetEntity.builder()
|
||||
.caption("some new domain setup")
|
||||
.type(DOMAIN_SETUP)
|
||||
.identifier("example.org")
|
||||
.build();
|
||||
return toCleanup(assetRepo.save(newAsset));
|
||||
});
|
||||
|
||||
// then
|
||||
result.assertSuccessful();
|
||||
assertThat(result.returnedValue()).isNotNull().extracting(HsHostingAssetEntity::getUuid).isNotNull();
|
||||
assertThat(result.returnedValue().isLoaded()).isFalse();
|
||||
context("superuser-alex@hostsharing.net");
|
||||
assertThatAssetIsPersisted(result.returnedValue());
|
||||
assertThat(assetRepo.count()).isEqualTo(assetCount + 1);
|
||||
}
|
||||
|
||||
private void assertThatAssetIsPersisted(final HsHostingAssetEntity saved) {
|
||||
final var context =
|
||||
attempt(em, () -> {
|
||||
context("superuser-alex@hostsharing.net");
|
||||
final var found = assetRepo.findByUuid(saved.getUuid());
|
||||
assertThat(found).isNotEmpty().map(HsHostingAssetEntity::toString).get().isEqualTo(saved.toString());
|
||||
});
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user
kann weg?