hostsharing/hs.hsadmin.ng
1
0
Fork 0
Code Activity

introduce separate database schema-test and amend RBAC generators for schema-generation (#104)

Browse Source 
Co-authored-by: Michael Hoennig <michael@hoennig.de>
Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/104
Reviewed-by: Marc Sandlus <marc.sandlus@hostsharing.net>
This commit is contained in:
Michael Hoennig
2024-09-17 14:21:43 +02:00
parent 1eed0e9b21
commit 285e6fbeb5
57 changed files with 599 additions and 525 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/test/java/net/hostsharing/hsadminng/hs/migration/CsvDataImport.java
View File

@@ -289,9 +289,9 @@ public class CsvDataImport extends ContextBasedTest {
protected void deleteFromTestTables() {
jpaAttempt.transacted(() -> {
context(rbacSuperuser);
em.createNativeQuery("delete from test_domain where true").executeUpdate();
em.createNativeQuery("delete from test_package where true").executeUpdate();
em.createNativeQuery("delete from test_customer where true").executeUpdate();
em.createNativeQuery("delete from rbactest.domain where true").executeUpdate();
em.createNativeQuery("delete from rbactest.package where true").executeUpdate();
em.createNativeQuery("delete from rbactest.customer where true").executeUpdate();
}).assertSuccessful();
}

12
src/test/java/net/hostsharing/hsadminng/rbac/context/ContextIntegrationTests.java
View File

@@ -62,13 +62,13 @@ class ContextIntegrationTests {
void defineWithoutcurrentSubjectButWithAssumedRoles() {
// when
final var result = jpaAttempt.transacted(() ->
context.define(null, "test_package#yyy00:ADMIN")
context.define(null, "rbactest.package#yyy00:ADMIN")
);
// then
result.assertExceptionWithRootCauseMessage(
jakarta.persistence.PersistenceException.class,
"ERROR: [403] undefined has no permission to assume role test_package#yyy00:ADMIN");
"ERROR: [403] undefined has no permission to assume role rbactest.package#yyy00:ADMIN");
}
@Test
@@ -88,7 +88,7 @@ class ContextIntegrationTests {
@Transactional
void defineWithcurrentSubjectAndAssumedRoles() {
// given
context.define("superuser-alex@hostsharing.net", "test_customer#xxx:OWNER;test_customer#yyy:OWNER");
context.define("superuser-alex@hostsharing.net", "rbactest.customer#xxx:OWNER;rbactest.customer#yyy:OWNER");
// when
final var currentSubject = context.fetchCurrentSubject();
@@ -96,7 +96,7 @@ class ContextIntegrationTests {
// then
assertThat(context.fetchAssumedRoles())
.isEqualTo(Array.of("test_customer#xxx:OWNER", "test_customer#yyy:OWNER"));
.isEqualTo(Array.of("rbactest.customer#xxx:OWNER", "rbactest.customer#yyy:OWNER"));
assertThat(context.fetchCurrentSubjectOrAssumedRolesUuids()).hasSize(2);
}
@@ -104,12 +104,12 @@ class ContextIntegrationTests {
public void defineContextWithcurrentSubjectAndAssumeInaccessibleRole() {
// when
final var result = jpaAttempt.transacted(() ->
context.define("customer-admin@xxx.example.com", "test_package#yyy00:ADMIN")
context.define("customer-admin@xxx.example.com", "rbactest.package#yyy00:ADMIN")
);
// then
result.assertExceptionWithRootCauseMessage(
jakarta.persistence.PersistenceException.class,
"ERROR: [403] subject customer-admin@xxx.example.com has no permission to assume role test_package#yyy00:ADMIN");
"ERROR: [403] subject customer-admin@xxx.example.com has no permission to assume role rbactest.package#yyy00:ADMIN");
}
}

70
src/test/java/net/hostsharing/hsadminng/rbac/grant/RbacGrantControllerAcceptanceTest.java
View File

@@ -71,16 +71,16 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
.body("", hasItem(
allOf(
// TODO: should there be a grantedByRole or just a grantedByTrigger?
hasEntry("grantedByRoleIdName", "test_customer#xxx:OWNER"),
hasEntry("grantedRoleIdName", "test_customer#xxx:ADMIN"),
hasEntry("grantedByRoleIdName", "rbactest.customer#xxx:OWNER"),
hasEntry("grantedRoleIdName", "rbactest.customer#xxx:ADMIN"),
hasEntry("granteeSubjectName", "customer-admin@xxx.example.com")
)
))
.body("", hasItem(
allOf(
// TODO: should there be a grantedByRole or just a grantedByTrigger?
hasEntry("grantedByRoleIdName", "test_customer#yyy:OWNER"),
hasEntry("grantedRoleIdName", "test_customer#yyy:ADMIN"),
hasEntry("grantedByRoleIdName", "rbactest.customer#yyy:OWNER"),
hasEntry("grantedRoleIdName", "rbactest.customer#yyy:ADMIN"),
hasEntry("granteeSubjectName", "customer-admin@yyy.example.com")
)
))
@@ -93,15 +93,15 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
))
.body("", hasItem(
allOf(
hasEntry("grantedByRoleIdName", "test_customer#xxx:ADMIN"),
hasEntry("grantedRoleIdName", "test_package#xxx00:ADMIN"),
hasEntry("grantedByRoleIdName", "rbactest.customer#xxx:ADMIN"),
hasEntry("grantedRoleIdName", "rbactest.package#xxx00:ADMIN"),
hasEntry("granteeSubjectName", "pac-admin-xxx00@xxx.example.com")
)
))
.body("", hasItem(
allOf(
hasEntry("grantedByRoleIdName", "test_customer#zzz:ADMIN"),
hasEntry("grantedRoleIdName", "test_package#zzz02:ADMIN"),
hasEntry("grantedByRoleIdName", "rbactest.customer#zzz:ADMIN"),
hasEntry("grantedRoleIdName", "rbactest.package#zzz02:ADMIN"),
hasEntry("granteeSubjectName", "pac-admin-zzz02@zzz.example.com")
)
))
@@ -114,7 +114,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
RestAssured // @formatter:off
.given()
.header("current-subject", "superuser-alex@hostsharing.net")
.header("assumed-roles", "test_package#yyy00:ADMIN")
.header("assumed-roles", "rbactest.package#yyy00:ADMIN")
.port(port)
.when()
.get("http://localhost/api/rbac/grants")
@@ -123,8 +123,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
.contentType("application/json")
.body("", hasItem(
allOf(
hasEntry("grantedByRoleIdName", "test_customer#yyy:ADMIN"),
hasEntry("grantedRoleIdName", "test_package#yyy00:ADMIN"),
hasEntry("grantedByRoleIdName", "rbactest.customer#yyy:ADMIN"),
hasEntry("grantedRoleIdName", "rbactest.package#yyy00:ADMIN"),
hasEntry("granteeSubjectName", "pac-admin-yyy00@yyy.example.com")
)
))
@@ -145,13 +145,13 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
.contentType("application/json")
.body("", hasItem(
allOf(
hasEntry("grantedByRoleIdName", "test_customer#yyy:ADMIN"),
hasEntry("grantedRoleIdName", "test_package#yyy00:ADMIN"),
hasEntry("grantedByRoleIdName", "rbactest.customer#yyy:ADMIN"),
hasEntry("grantedRoleIdName", "rbactest.package#yyy00:ADMIN"),
hasEntry("granteeSubjectName", "pac-admin-yyy00@yyy.example.com")
)
))
.body("[0].grantedByRoleIdName", is("test_customer#yyy:ADMIN"))
.body("[0].grantedRoleIdName", is("test_package#yyy00:ADMIN"))
.body("[0].grantedByRoleIdName", is("rbactest.customer#yyy:ADMIN"))
.body("[0].grantedRoleIdName", is("rbactest.package#yyy00:ADMIN"))
.body("[0].granteeSubjectName", is("pac-admin-yyy00@yyy.example.com"));
// @formatter:on
}
@@ -165,7 +165,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// given
final var givencurrentSubjectAsPackageAdmin = new Subject("customer-admin@xxx.example.com");
final var givenGranteeUser = findRbacSubjectByName("pac-admin-xxx00@xxx.example.com");
final var givenGrantedRole = getRbacRoleByName("test_package#xxx00:ADMIN");
final var givenGrantedRole = getRbacRoleByName("rbactest.package#xxx00:ADMIN");
// when
final var grant = givencurrentSubjectAsPackageAdmin.getGrantById()
@@ -174,8 +174,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// then
grant.assertThat()
.statusCode(200)
.body("grantedByRoleIdName", is("test_customer#xxx:ADMIN"))
.body("grantedRoleIdName", is("test_package#xxx00:ADMIN"))
.body("grantedByRoleIdName", is("rbactest.customer#xxx:ADMIN"))
.body("grantedRoleIdName", is("rbactest.package#xxx00:ADMIN"))
.body("granteeSubjectName", is("pac-admin-xxx00@xxx.example.com"));
}
@@ -184,7 +184,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// given
final var givencurrentSubjectAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com");
final var givenGranteeUser = findRbacSubjectByName("pac-admin-xxx00@xxx.example.com");
final var givenGrantedRole = getRbacRoleByName("test_package#xxx00:ADMIN");
final var givenGrantedRole = getRbacRoleByName("rbactest.package#xxx00:ADMIN");
// when
final var grant = givencurrentSubjectAsPackageAdmin.getGrantById()
@@ -193,8 +193,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// then
grant.assertThat()
.statusCode(200)
.body("grantedByRoleIdName", is("test_customer#xxx:ADMIN"))
.body("grantedRoleIdName", is("test_package#xxx00:ADMIN"))
.body("grantedByRoleIdName", is("rbactest.customer#xxx:ADMIN"))
.body("grantedRoleIdName", is("rbactest.package#xxx00:ADMIN"))
.body("granteeSubjectName", is("pac-admin-xxx00@xxx.example.com"));
}
@@ -203,9 +203,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// given
final var givencurrentSubjectAsPackageAdmin = new Subject(
"pac-admin-xxx00@xxx.example.com",
"test_package#xxx00:ADMIN");
"rbactest.package#xxx00:ADMIN");
final var givenGranteeUser = findRbacSubjectByName("pac-admin-xxx00@xxx.example.com");
final var givenGrantedRole = getRbacRoleByName("test_package#xxx00:ADMIN");
final var givenGrantedRole = getRbacRoleByName("rbactest.package#xxx00:ADMIN");
// when
final var grant = givencurrentSubjectAsPackageAdmin.getGrantById()
@@ -214,8 +214,8 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// then
grant.assertThat()
.statusCode(200)
.body("grantedByRoleIdName", is("test_customer#xxx:ADMIN"))
.body("grantedRoleIdName", is("test_package#xxx00:ADMIN"))
.body("grantedByRoleIdName", is("rbactest.customer#xxx:ADMIN"))
.body("grantedRoleIdName", is("rbactest.package#xxx00:ADMIN"))
.body("granteeSubjectName", is("pac-admin-xxx00@xxx.example.com"));
}
@@ -225,9 +225,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// given
final var givencurrentSubjectAsPackageAdmin = new Subject(
"pac-admin-xxx00@xxx.example.com",
"test_package#xxx00:TENANT");
"rbactest.package#xxx00:TENANT");
final var givenGranteeUser = findRbacSubjectByName("pac-admin-xxx00@xxx.example.com");
final var givenGrantedRole = getRbacRoleByName("test_package#xxx00:ADMIN");
final var givenGrantedRole = getRbacRoleByName("rbactest.package#xxx00:ADMIN");
final var grant = givencurrentSubjectAsPackageAdmin.getGrantById()
.forGrantedRole(givenGrantedRole).toGranteeUser(givenGranteeUser);
@@ -245,7 +245,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// given
final var givenNewUser = createRbacSubject();
final var givenRoleToGrant = "test_package#xxx00:ADMIN";
final var givenRoleToGrant = "rbactest.package#xxx00:ADMIN";
final var givencurrentSubjectAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
final var givenOwnPackageAdminRole =
getRbacRoleByName(givencurrentSubjectAsPackageAdmin.assumedRole);
@@ -258,9 +258,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// then
response.assertThat()
.statusCode(201)
.body("grantedByRoleIdName", is("test_package#xxx00:ADMIN"))
.body("grantedByRoleIdName", is("rbactest.package#xxx00:ADMIN"))
.body("assumed", is(true))
.body("grantedRoleIdName", is("test_package#xxx00:ADMIN"))
.body("grantedRoleIdName", is("rbactest.package#xxx00:ADMIN"))
.body("granteeSubjectName", is(givenNewUser.getName()));
assertThat(findAllGrantsOf(givencurrentSubjectAsPackageAdmin))
.extracting(RbacGrantEntity::toDisplay)
@@ -274,9 +274,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// given
final var givenNewUser = createRbacSubject();
final var givenRoleToGrant = "test_package#xxx00:ADMIN";
final var givenRoleToGrant = "rbactest.package#xxx00:ADMIN";
final var givencurrentSubjectAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
final var givenAlienPackageAdminRole = getRbacRoleByName("test_package#yyy00:ADMIN");
final var givenAlienPackageAdminRole = getRbacRoleByName("rbactest.package#yyy00:ADMIN");
// when
final var result = givencurrentSubjectAsPackageAdmin
@@ -287,7 +287,7 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
result.assertThat()
.statusCode(403)
.body("message", containsString("Access to granted role"))
.body("message", containsString("forbidden for test_package#xxx00:ADMIN"));
.body("message", containsString("forbidden for rbactest.package#xxx00:ADMIN"));
assertThat(findAllGrantsOf(givencurrentSubjectAsPackageAdmin))
.extracting(RbacGrantEntity::getGranteeSubjectName)
.doesNotContain(givenNewUser.getName());
@@ -303,9 +303,9 @@ class RbacGrantControllerAcceptanceTest extends ContextBasedTest {
// given
final var givenArbitraryUser = createRbacSubject();
final var givenRoleToGrant = "test_package#xxx00:ADMIN";
final var givenRoleToGrant = "rbactest.package#xxx00:ADMIN";
final var givenCurrentSubjectAsPackageAdmin = new Subject("pac-admin-xxx00@xxx.example.com", givenRoleToGrant);
final var givenOwnPackageAdminRole = getRbacRoleByName("test_package#xxx00:ADMIN");
final var givenOwnPackageAdminRole = getRbacRoleByName("rbactest.package#xxx00:ADMIN");
// and given an existing grant
assumeCreated(givenCurrentSubjectAsPackageAdmin

54
src/test/java/net/hostsharing/hsadminng/rbac/grant/RbacGrantRepositoryIntegrationTest.java
View File

@@ -67,7 +67,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// then
exactlyTheseRbacGrantsAreReturned(
result,
"{ grant role:test_package#xxx00:ADMIN to user:pac-admin-xxx00@xxx.example.com by role:test_customer#xxx:ADMIN and assume }");
"{ grant role:rbactest.package#xxx00:ADMIN to user:pac-admin-xxx00@xxx.example.com by role:rbactest.customer#xxx:ADMIN and assume }");
}
@Test
@@ -81,16 +81,16 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// then
exactlyTheseRbacGrantsAreReturned(
result,
"{ grant role:test_customer#xxx:ADMIN to user:customer-admin@xxx.example.com by role:test_customer#xxx:OWNER and assume }",
"{ grant role:test_package#xxx00:ADMIN to user:pac-admin-xxx00@xxx.example.com by role:test_customer#xxx:ADMIN and assume }",
"{ grant role:test_package#xxx01:ADMIN to user:pac-admin-xxx01@xxx.example.com by role:test_customer#xxx:ADMIN and assume }",
"{ grant role:test_package#xxx02:ADMIN to user:pac-admin-xxx02@xxx.example.com by role:test_customer#xxx:ADMIN and assume }");
"{ grant role:rbactest.customer#xxx:ADMIN to user:customer-admin@xxx.example.com by role:rbactest.customer#xxx:OWNER and assume }",
"{ grant role:rbactest.package#xxx00:ADMIN to user:pac-admin-xxx00@xxx.example.com by role:rbactest.customer#xxx:ADMIN and assume }",
"{ grant role:rbactest.package#xxx01:ADMIN to user:pac-admin-xxx01@xxx.example.com by role:rbactest.customer#xxx:ADMIN and assume }",
"{ grant role:rbactest.package#xxx02:ADMIN to user:pac-admin-xxx02@xxx.example.com by role:rbactest.customer#xxx:ADMIN and assume }");
}
@Test
public void customerAdmin_withAssumedRole_canOnlyViewRbacGrantsVisibleByAssumedRole() {
// given:
context("customer-admin@xxx.example.com", "test_package#xxx00:ADMIN");
context("customer-admin@xxx.example.com", "rbactest.package#xxx00:ADMIN");
// when
final var result = rbacGrantRepository.findAll();
@@ -98,7 +98,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// then
exactlyTheseRbacGrantsAreReturned(
result,
"{ grant role:test_package#xxx00:ADMIN to user:pac-admin-xxx00@xxx.example.com by role:test_customer#xxx:ADMIN and assume }");
"{ grant role:rbactest.package#xxx00:ADMIN to user:pac-admin-xxx00@xxx.example.com by role:rbactest.customer#xxx:ADMIN and assume }");
}
}
@@ -108,9 +108,9 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
@Test
public void customerAdmin_canGrantOwnPackageAdminRole_toArbitraryUser() {
// given
context("customer-admin@xxx.example.com", "test_customer#xxx:ADMIN");
context("customer-admin@xxx.example.com", "rbactest.customer#xxx:ADMIN");
final var givenArbitrarySubjectUuid = rbacSubjectRepository.findByName("pac-admin-zzz00@zzz.example.com").getUuid();
final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("test_package#xxx00:ADMIN").getUuid();
final var givenOwnPackageRoleUuid = rbacRoleRepository.findByRoleName("rbactest.package#xxx00:ADMIN").getUuid();
// when
final var grant = RbacGrantEntity.builder()
@@ -126,7 +126,7 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
assertThat(rbacGrantRepository.findAll())
.extracting(RbacGrantEntity::toDisplay)
.contains(
"{ grant role:test_package#xxx00:ADMIN to user:pac-admin-zzz00@zzz.example.com by role:test_customer#xxx:ADMIN and assume }");
"{ grant role:rbactest.package#xxx00:ADMIN to user:pac-admin-zzz00@zzz.example.com by role:rbactest.customer#xxx:ADMIN and assume }");
}
@Test
@@ -139,14 +139,14 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
context("customer-admin@xxx.example.com", null);
return new Given(
createNewUser(),
rbacRoleRepository.findByRoleName("test_package#xxx00:OWNER").getUuid()
rbacRoleRepository.findByRoleName("rbactest.package#xxx00:OWNER").getUuid()
);
}).assumeSuccessful().returnedValue();
// when
final var attempt = jpaAttempt.transacted(() -> {
// now we try to use these uuids as a less privileged user
context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00:ADMIN");
context("pac-admin-xxx00@xxx.example.com", "rbactest.package#xxx00:ADMIN");
final var grant = RbacGrantEntity.builder()
.granteeSubjectUuid(given.arbitraryUser.getUuid())
.grantedRoleUuid(given.packageOwnerRoleUuid)
@@ -158,8 +158,8 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// then
attempt.assertExceptionWithRootCauseMessage(
JpaSystemException.class,
"ERROR: [403] Access to granted role test_package#xxx00:OWNER",
"forbidden for test_package#xxx00:ADMIN");
"ERROR: [403] Access to granted role rbactest.package#xxx00:OWNER",
"forbidden for rbactest.package#xxx00:ADMIN");
jpaAttempt.transacted(() -> {
// finally, we use the new user to make sure, no roles were granted
context(given.arbitraryUser.getName(), null);
@@ -176,16 +176,16 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
public void customerAdmin_canRevokeSelfGrantedPackageAdminRole() {
// given
final var grant = create(grant()
.byUser("customer-admin@xxx.example.com").withAssumedRole("test_customer#xxx:ADMIN")
.grantingRole("test_package#xxx00:ADMIN").toUser("pac-admin-zzz00@zzz.example.com"));
.byUser("customer-admin@xxx.example.com").withAssumedRole("rbactest.customer#xxx:ADMIN")
.grantingRole("rbactest.package#xxx00:ADMIN").toUser("pac-admin-zzz00@zzz.example.com"));
// when
context("customer-admin@xxx.example.com", "test_customer#xxx:ADMIN");
context("customer-admin@xxx.example.com", "rbactest.customer#xxx:ADMIN");
final var revokeAttempt = attempt(em, () ->
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId()));
// then
context("customer-admin@xxx.example.com", "test_customer#xxx:ADMIN");
context("customer-admin@xxx.example.com", "rbactest.customer#xxx:ADMIN");
assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull();
assertThat(rbacGrantRepository.findAll())
.extracting(RbacGrantEntity::getGranteeSubjectName)
@@ -197,17 +197,17 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
// given
final var newUser = createNewUserTransacted();
final var grant = create(grant()
.byUser("customer-admin@xxx.example.com").withAssumedRole("test_package#xxx00:ADMIN")
.grantingRole("test_package#xxx00:ADMIN").toUser(newUser.getName()));
.byUser("customer-admin@xxx.example.com").withAssumedRole("rbactest.package#xxx00:ADMIN")
.grantingRole("rbactest.package#xxx00:ADMIN").toUser(newUser.getName()));
// when
context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00:ADMIN");
context("pac-admin-xxx00@xxx.example.com", "rbactest.package#xxx00:ADMIN");
final var revokeAttempt = attempt(em, () ->
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId()));
// then
assertThat(revokeAttempt.caughtExceptionsRootCause()).isNull();
context("customer-admin@xxx.example.com", "test_customer#xxx:ADMIN");
context("customer-admin@xxx.example.com", "rbactest.customer#xxx:ADMIN");
assertThat(rbacGrantRepository.findAll())
.extracting(RbacGrantEntity::getGranteeSubjectName)
.doesNotContain("pac-admin-zzz00@zzz.example.com");
@@ -217,19 +217,19 @@ class RbacGrantRepositoryIntegrationTest extends ContextBasedTest {
public void packageAdmin_canNotRevokeOwnPackageAdminRoleGrantedByOwnerRoleOfThatPackage() {
// given
final var grant = create(grant()
.byUser("customer-admin@xxx.example.com").withAssumedRole("test_package#xxx00:OWNER")
.grantingRole("test_package#xxx00:ADMIN").toUser("pac-admin-zzz00@zzz.example.com"));
final var grantedByRole = rbacRoleRepository.findByRoleName("test_package#xxx00:OWNER");
.byUser("customer-admin@xxx.example.com").withAssumedRole("rbactest.package#xxx00:OWNER")
.grantingRole("rbactest.package#xxx00:ADMIN").toUser("pac-admin-zzz00@zzz.example.com"));
final var grantedByRole = rbacRoleRepository.findByRoleName("rbactest.package#xxx00:OWNER");
// when
context("pac-admin-xxx00@xxx.example.com", "test_package#xxx00:ADMIN");
context("pac-admin-xxx00@xxx.example.com", "rbactest.package#xxx00:ADMIN");
final var revokeAttempt = attempt(em, () ->
rbacGrantRepository.deleteByRbacGrantId(grant.getRbacGrantId()));
// then
revokeAttempt.assertExceptionWithRootCauseMessage(
JpaSystemException.class,
"ERROR: [403] Revoking role created by %s is forbidden for {test_package#xxx00:ADMIN}.".formatted(
"ERROR: [403] Revoking role created by %s is forbidden for {rbactest.package#xxx00:ADMIN}.".formatted(
grantedByRole.getUuid()
));
}

30
src/test/java/net/hostsharing/hsadminng/rbac/grant/RbacGrantsDiagramServiceIntegrationTest.java
View File

@@ -54,36 +54,36 @@ class RbacGrantsDiagramServiceIntegrationTest extends ContextBasedTestWithCleanu
@Test
void allGrantsTocurrentSubject() {
context("superuser-alex@hostsharing.net", "test_domain#xxx00-aaaa:OWNER");
context("superuser-alex@hostsharing.net", "rbactest.domain#xxx00-aaaa:OWNER");
final var graph = grantsMermaidService.allGrantsTocurrentSubject(EnumSet.of(Include.TEST_ENTITIES));
assertThat(graph).isEqualTo("""
flowchart TB
role:test_domain#xxx00-aaaa:ADMIN --> role:test_package#xxx00:TENANT
role:test_domain#xxx00-aaaa:OWNER --> role:test_domain#xxx00-aaaa:ADMIN
role:test_domain#xxx00-aaaa:OWNER --> role:test_package#xxx00:TENANT
role:test_package#xxx00:TENANT --> role:test_customer#xxx:TENANT
role:rbactest.domain#xxx00-aaaa:ADMIN --> role:rbactest.package#xxx00:TENANT
role:rbactest.domain#xxx00-aaaa:OWNER --> role:rbactest.domain#xxx00-aaaa:ADMIN
role:rbactest.domain#xxx00-aaaa:OWNER --> role:rbactest.package#xxx00:TENANT
role:rbactest.package#xxx00:TENANT --> role:rbactest.customer#xxx:TENANT
""".trim());
}
@Test
void allGrantsTocurrentSubjectIncludingPermissions() {
context("superuser-alex@hostsharing.net", "test_domain#xxx00-aaaa:OWNER");
context("superuser-alex@hostsharing.net", "rbactest.domain#xxx00-aaaa:OWNER");
final var graph = grantsMermaidService.allGrantsTocurrentSubject(EnumSet.of(Include.TEST_ENTITIES, Include.PERMISSIONS));
assertThat(graph).isEqualTo("""
flowchart TB
role:test_customer#xxx:TENANT --> perm:test_customer#xxx:SELECT
role:test_domain#xxx00-aaaa:ADMIN --> perm:test_domain#xxx00-aaaa:SELECT
role:test_domain#xxx00-aaaa:ADMIN --> role:test_package#xxx00:TENANT
role:test_domain#xxx00-aaaa:OWNER --> perm:test_domain#xxx00-aaaa:DELETE
role:test_domain#xxx00-aaaa:OWNER --> perm:test_domain#xxx00-aaaa:UPDATE
role:test_domain#xxx00-aaaa:OWNER --> role:test_domain#xxx00-aaaa:ADMIN
role:test_domain#xxx00-aaaa:OWNER --> role:test_package#xxx00:TENANT
role:test_package#xxx00:TENANT --> perm:test_package#xxx00:SELECT
role:test_package#xxx00:TENANT --> role:test_customer#xxx:TENANT
role:rbactest.customer#xxx:TENANT --> perm:rbactest.customer#xxx:SELECT
role:rbactest.domain#xxx00-aaaa:ADMIN --> perm:rbactest.domain#xxx00-aaaa:SELECT
role:rbactest.domain#xxx00-aaaa:ADMIN --> role:rbactest.package#xxx00:TENANT
role:rbactest.domain#xxx00-aaaa:OWNER --> perm:rbactest.domain#xxx00-aaaa:DELETE
role:rbactest.domain#xxx00-aaaa:OWNER --> perm:rbactest.domain#xxx00-aaaa:UPDATE
role:rbactest.domain#xxx00-aaaa:OWNER --> role:rbactest.domain#xxx00-aaaa:ADMIN
role:rbactest.domain#xxx00-aaaa:OWNER --> role:rbactest.package#xxx00:TENANT
role:rbactest.package#xxx00:TENANT --> perm:rbactest.package#xxx00:SELECT
role:rbactest.package#xxx00:TENANT --> role:rbactest.customer#xxx:TENANT
""".trim());
}

52
src/test/java/net/hostsharing/hsadminng/rbac/role/RbacRoleControllerAcceptanceTest.java
View File

@@ -42,14 +42,14 @@ class RbacRoleControllerAcceptanceTest {
.then().assertThat()
.statusCode(200)
.contentType("application/json")
.body("", hasItem(hasEntry("roleName", "test_customer#xxx:ADMIN")))
.body("", hasItem(hasEntry("roleName", "test_customer#xxx:OWNER")))
.body("", hasItem(hasEntry("roleName", "test_customer#xxx:TENANT")))
.body("", hasItem(hasEntry("roleName", "rbactest.customer#xxx:ADMIN")))
.body("", hasItem(hasEntry("roleName", "rbactest.customer#xxx:OWNER")))
.body("", hasItem(hasEntry("roleName", "rbactest.customer#xxx:TENANT")))
// ...
.body("", hasItem(hasEntry("roleName", "rbac.global#global:ADMIN")))
.body("", hasItem(hasEntry("roleName", "test_customer#yyy:ADMIN")))
.body("", hasItem(hasEntry("roleName", "test_package#yyy00:ADMIN")))
.body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa:OWNER")))
.body("", hasItem(hasEntry("roleName", "rbactest.customer#yyy:ADMIN")))
.body("", hasItem(hasEntry("roleName", "rbactest.package#yyy00:ADMIN")))
.body("", hasItem(hasEntry("roleName", "rbactest.domain#yyy00-aaaa:OWNER")))
.body( "size()", greaterThanOrEqualTo(73)); // increases with new test data
// @formatter:on
}
@@ -61,7 +61,7 @@ class RbacRoleControllerAcceptanceTest {
RestAssured
.given()
.header("current-subject", "superuser-alex@hostsharing.net")
.header("assumed-roles", "test_package#yyy00:ADMIN")
.header("assumed-roles", "rbactest.package#yyy00:ADMIN")
.port(port)
.when()
.get("http://localhost/api/rbac/roles")
@@ -71,18 +71,18 @@ class RbacRoleControllerAcceptanceTest {
.statusCode(200)
.contentType("application/json")
.body("", hasItem(hasEntry("roleName", "test_customer#yyy:TENANT")))
.body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa:OWNER")))
.body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa:ADMIN")))
.body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaab:OWNER")))
.body("", hasItem(hasEntry("roleName", "test_domain#yyy00-aaab:ADMIN")))
.body("", hasItem(hasEntry("roleName", "test_package#yyy00:ADMIN")))
.body("", hasItem(hasEntry("roleName", "test_package#yyy00:TENANT")))
.body("", hasItem(hasEntry("roleName", "rbactest.customer#yyy:TENANT")))
.body("", hasItem(hasEntry("roleName", "rbactest.domain#yyy00-aaaa:OWNER")))
.body("", hasItem(hasEntry("roleName", "rbactest.domain#yyy00-aaaa:ADMIN")))
.body("", hasItem(hasEntry("roleName", "rbactest.domain#yyy00-aaab:OWNER")))
.body("", hasItem(hasEntry("roleName", "rbactest.domain#yyy00-aaab:ADMIN")))
.body("", hasItem(hasEntry("roleName", "rbactest.package#yyy00:ADMIN")))
.body("", hasItem(hasEntry("roleName", "rbactest.package#yyy00:TENANT")))
.body("", not(hasItem(hasEntry("roleName", "test_customer#xxx:TENANT"))))
.body("", not(hasItem(hasEntry("roleName", "test_domain#xxx00-aaaa:ADMIN"))))
.body("", not(hasItem(hasEntry("roleName", "test_package#xxx00:ADMIN"))))
.body("", not(hasItem(hasEntry("roleName", "test_package#xxx00:TENANT"))))
.body("", not(hasItem(hasEntry("roleName", "rbactest.customer#xxx:TENANT"))))
.body("", not(hasItem(hasEntry("roleName", "rbactest.domain#xxx00-aaaa:ADMIN"))))
.body("", not(hasItem(hasEntry("roleName", "rbactest.package#xxx00:ADMIN"))))
.body("", not(hasItem(hasEntry("roleName", "rbactest.package#xxx00:TENANT"))))
;
// @formatter:on
}
@@ -101,15 +101,15 @@ class RbacRoleControllerAcceptanceTest {
.statusCode(200)
.contentType("application/json")
.body("", hasItem(hasEntry("roleName", "test_customer#zzz:TENANT")))
.body("", hasItem(hasEntry("roleName", "test_domain#zzz00-aaaa:ADMIN")))
.body("", hasItem(hasEntry("roleName", "test_package#zzz00:ADMIN")))
.body("", hasItem(hasEntry("roleName", "test_package#zzz00:TENANT")))
.body("", hasItem(hasEntry("roleName", "rbactest.customer#zzz:TENANT")))
.body("", hasItem(hasEntry("roleName", "rbactest.domain#zzz00-aaaa:ADMIN")))
.body("", hasItem(hasEntry("roleName", "rbactest.package#zzz00:ADMIN")))
.body("", hasItem(hasEntry("roleName", "rbactest.package#zzz00:TENANT")))
.body("", not(hasItem(hasEntry("roleName", "test_customer#yyy:TENANT"))))
.body("", not(hasItem(hasEntry("roleName", "test_domain#yyy00-aaaa:ADMIN"))))
.body("", not(hasItem(hasEntry("roleName", "test_package#yyy00:ADMIN"))))
.body("", not(hasItem(hasEntry("roleName", "test_package#yyy00:TENANT"))));
.body("", not(hasItem(hasEntry("roleName", "rbactest.customer#yyy:TENANT"))))
.body("", not(hasItem(hasEntry("roleName", "rbactest.domain#yyy00-aaaa:ADMIN"))))
.body("", not(hasItem(hasEntry("roleName", "rbactest.package#yyy00:ADMIN"))))
.body("", not(hasItem(hasEntry("roleName", "rbactest.package#yyy00:TENANT"))));
// @formatter:on
}
}

4
src/test/java/net/hostsharing/hsadminng/rbac/role/RbacRoleControllerRestTest.java
View File

@@ -74,8 +74,8 @@ class RbacRoleControllerRestTest {
.andExpect(status().isOk())
.andExpect(jsonPath("$", hasSize(3)))
.andExpect(jsonPath("$[0].roleName", is("rbac.global#global:ADMIN")))
.andExpect(jsonPath("$[1].roleName", is("test_customer#xxx:OWNER")))
.andExpect(jsonPath("$[2].roleName", is("test_customer#xxx:ADMIN")))
.andExpect(jsonPath("$[1].roleName", is("rbactest.customer#xxx:OWNER")))
.andExpect(jsonPath("$[2].roleName", is("rbactest.customer#xxx:ADMIN")))
.andExpect(jsonPath("$[2].uuid", is(customerXxxAdmin.getUuid().toString())))
.andExpect(jsonPath("$[2].objectUuid", is(customerXxxAdmin.getObjectUuid().toString())))
.andExpect(jsonPath("$[2].objectTable", is(customerXxxAdmin.getObjectTable().toString())))

78
src/test/java/net/hostsharing/hsadminng/rbac/role/RbacRoleRepositoryIntegrationTest.java
View File

@@ -40,18 +40,18 @@ class RbacRoleRepositoryIntegrationTest {
private static final String[] ALL_TEST_DATA_ROLES = Array.of(
// @formatter:off
"rbac.global#global:ADMIN",
"test_customer#xxx:ADMIN", "test_customer#xxx:OWNER", "test_customer#xxx:TENANT",
"test_package#xxx00:ADMIN", "test_package#xxx00:OWNER", "test_package#xxx00:TENANT",
"test_package#xxx01:ADMIN", "test_package#xxx01:OWNER", "test_package#xxx01:TENANT",
"test_package#xxx02:ADMIN", "test_package#xxx02:OWNER", "test_package#xxx02:TENANT",
"test_customer#yyy:ADMIN", "test_customer#yyy:OWNER", "test_customer#yyy:TENANT",
"test_package#yyy00:ADMIN", "test_package#yyy00:OWNER", "test_package#yyy00:TENANT",
"test_package#yyy01:ADMIN", "test_package#yyy01:OWNER", "test_package#yyy01:TENANT",
"test_package#yyy02:ADMIN", "test_package#yyy02:OWNER", "test_package#yyy02:TENANT",
"test_customer#zzz:ADMIN", "test_customer#zzz:OWNER", "test_customer#zzz:TENANT",
"test_package#zzz00:ADMIN", "test_package#zzz00:OWNER", "test_package#zzz00:TENANT",
"test_package#zzz01:ADMIN", "test_package#zzz01:OWNER", "test_package#zzz01:TENANT",
"test_package#zzz02:ADMIN", "test_package#zzz02:OWNER", "test_package#zzz02:TENANT"
"rbactest.customer#xxx:ADMIN", "rbactest.customer#xxx:OWNER", "rbactest.customer#xxx:TENANT",
"rbactest.package#xxx00:ADMIN", "rbactest.package#xxx00:OWNER", "rbactest.package#xxx00:TENANT",
"rbactest.package#xxx01:ADMIN", "rbactest.package#xxx01:OWNER", "rbactest.package#xxx01:TENANT",
"rbactest.package#xxx02:ADMIN", "rbactest.package#xxx02:OWNER", "rbactest.package#xxx02:TENANT",
"rbactest.customer#yyy:ADMIN", "rbactest.customer#yyy:OWNER", "rbactest.customer#yyy:TENANT",
"rbactest.package#yyy00:ADMIN", "rbactest.package#yyy00:OWNER", "rbactest.package#yyy00:TENANT",
"rbactest.package#yyy01:ADMIN", "rbactest.package#yyy01:OWNER", "rbactest.package#yyy01:TENANT",
"rbactest.package#yyy02:ADMIN", "rbactest.package#yyy02:OWNER", "rbactest.package#yyy02:TENANT",
"rbactest.customer#zzz:ADMIN", "rbactest.customer#zzz:OWNER", "rbactest.customer#zzz:TENANT",
"rbactest.package#zzz00:ADMIN", "rbactest.package#zzz00:OWNER", "rbactest.package#zzz00:TENANT",
"rbactest.package#zzz01:ADMIN", "rbactest.package#zzz01:OWNER", "rbactest.package#zzz01:TENANT",
"rbactest.package#zzz02:ADMIN", "rbactest.package#zzz02:OWNER", "rbactest.package#zzz02:TENANT"
// @formatter:on
);
@@ -91,49 +91,49 @@ class RbacRoleRepositoryIntegrationTest {
allTheseRbacRolesAreReturned(
result,
// @formatter:off
"test_customer#xxx:ADMIN",
"test_customer#xxx:TENANT",
"test_package#xxx00:ADMIN",
"test_package#xxx00:OWNER",
"test_package#xxx00:TENANT",
"test_package#xxx01:ADMIN",
"test_package#xxx01:OWNER",
"test_package#xxx01:TENANT",
"rbactest.customer#xxx:ADMIN",
"rbactest.customer#xxx:TENANT",
"rbactest.package#xxx00:ADMIN",
"rbactest.package#xxx00:OWNER",
"rbactest.package#xxx00:TENANT",
"rbactest.package#xxx01:ADMIN",
"rbactest.package#xxx01:OWNER",
"rbactest.package#xxx01:TENANT",
// ...
"test_domain#xxx00-aaaa:ADMIN",
"test_domain#xxx00-aaaa:OWNER",
"rbactest.domain#xxx00-aaaa:ADMIN",
"rbactest.domain#xxx00-aaaa:OWNER",
// ..
"test_domain#xxx01-aaab:ADMIN",
"test_domain#xxx01-aaab:OWNER"
"rbactest.domain#xxx01-aaab:ADMIN",
"rbactest.domain#xxx01-aaab:OWNER"
// @formatter:on
);
noneOfTheseRbacRolesIsReturned(
result,
// @formatter:off
"rbac.global#global:ADMIN",
"test_customer#xxx:OWNER",
"test_package#yyy00:ADMIN",
"test_package#yyy00:OWNER",
"test_package#yyy00:TENANT"
"rbactest.customer#xxx:OWNER",
"rbactest.package#yyy00:ADMIN",
"rbactest.package#yyy00:OWNER",
"rbactest.package#yyy00:TENANT"
// @formatter:on
);
}
@Test
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnRbacRole() {
context.define("customer-admin@xxx.example.com", "test_package#xxx00:ADMIN");
context.define("customer-admin@xxx.example.com", "rbactest.package#xxx00:ADMIN");
final var result = rbacRoleRepository.findAll();
exactlyTheseRbacRolesAreReturned(
result,
"test_customer#xxx:TENANT",
"test_package#xxx00:ADMIN",
"test_package#xxx00:TENANT",
"test_domain#xxx00-aaaa:ADMIN",
"test_domain#xxx00-aaaa:OWNER",
"test_domain#xxx00-aaab:ADMIN",
"test_domain#xxx00-aaab:OWNER");
"rbactest.customer#xxx:TENANT",
"rbactest.package#xxx00:ADMIN",
"rbactest.package#xxx00:TENANT",
"rbactest.domain#xxx00-aaaa:ADMIN",
"rbactest.domain#xxx00-aaaa:OWNER",
"rbactest.domain#xxx00-aaab:ADMIN",
"rbactest.domain#xxx00-aaab:OWNER");
}
@Test
@@ -157,10 +157,10 @@ class RbacRoleRepositoryIntegrationTest {
void customerAdmin_withoutAssumedRole_canFindItsOwnRolesByName() {
context.define("customer-admin@xxx.example.com");
final var result = rbacRoleRepository.findByRoleName("test_customer#xxx:ADMIN");
final var result = rbacRoleRepository.findByRoleName("rbactest.customer#xxx:ADMIN");
assertThat(result).isNotNull();
assertThat(result.getObjectTable()).isEqualTo("test_customer");
assertThat(result.getObjectTable()).isEqualTo("rbactest.customer");
assertThat(result.getObjectIdName()).isEqualTo("xxx");
assertThat(result.getRoleType()).isEqualTo(RbacRoleType.ADMIN);
}
@@ -169,7 +169,7 @@ class RbacRoleRepositoryIntegrationTest {
void customerAdmin_withoutAssumedRole_canNotFindAlienRolesByName() {
context.define("customer-admin@xxx.example.com");
final var result = rbacRoleRepository.findByRoleName("test_customer#bbb:ADMIN");
final var result = rbacRoleRepository.findByRoleName("rbactest.customer#bbb:ADMIN");
assertThat(result).isNull();
}

4
src/test/java/net/hostsharing/hsadminng/rbac/role/TestRbacRole.java
View File

@@ -5,8 +5,8 @@ import static java.util.UUID.randomUUID;
public class TestRbacRole {
public static final RbacRoleEntity hostmasterRole = rbacRole("rbac.global", "global", RbacRoleType.ADMIN);
static final RbacRoleEntity customerXxxOwner = rbacRole("test_customer", "xxx", RbacRoleType.OWNER);
static final RbacRoleEntity customerXxxAdmin = rbacRole("test_customer", "xxx", RbacRoleType.ADMIN);
static final RbacRoleEntity customerXxxOwner = rbacRole("rbactest.customer", "xxx", RbacRoleType.OWNER);
static final RbacRoleEntity customerXxxAdmin = rbacRole("rbactest.customer", "xxx", RbacRoleType.ADMIN);
static public RbacRoleEntity rbacRole(final String objectTable, final String objectIdName, final RbacRoleType roleType) {
return new RbacRoleEntity(randomUUID(), randomUUID(), objectTable, objectIdName, roleType, objectTable+'#'+objectIdName+':'+roleType);

18
src/test/java/net/hostsharing/hsadminng/rbac/subject/RbacSubjectControllerAcceptanceTest.java
View File

@@ -100,7 +100,7 @@ class RbacSubjectControllerAcceptanceTest {
RestAssured
.given()
.header("current-subject", "superuser-alex@hostsharing.net")
.header("assumed-roles", "test_customer#yyy:ADMIN")
.header("assumed-roles", "rbactest.customer#yyy:ADMIN")
.port(port)
.when()
.get("http://localhost/api/rbac/subjects/" + givenUser.getUuid())
@@ -201,7 +201,7 @@ class RbacSubjectControllerAcceptanceTest {
RestAssured
.given()
.header("current-subject", "superuser-alex@hostsharing.net")
.header("assumed-roles", "test_customer#yyy:ADMIN")
.header("assumed-roles", "rbactest.customer#yyy:ADMIN")
.port(port)
.when()
.get("http://localhost/api/rbac/subjects")
@@ -275,12 +275,12 @@ class RbacSubjectControllerAcceptanceTest {
.contentType("application/json")
.body("", hasItem(
allOf(
hasEntry("roleName", "test_customer#yyy:TENANT"),
hasEntry("roleName", "rbactest.customer#yyy:TENANT"),
hasEntry("op", "SELECT"))
))
.body("", hasItem(
allOf(
hasEntry("roleName", "test_domain#yyy00-aaaa:OWNER"),
hasEntry("roleName", "rbactest.domain#yyy00-aaaa:OWNER"),
hasEntry("op", "DELETE"))
))
// actual content tested in integration test, so this is enough for here:
@@ -296,7 +296,7 @@ class RbacSubjectControllerAcceptanceTest {
RestAssured
.given()
.header("current-subject", "superuser-alex@hostsharing.net")
.header("assumed-roles", "test_customer#yyy:ADMIN")
.header("assumed-roles", "rbactest.customer#yyy:ADMIN")
.port(port)
.when()
.get("http://localhost/api/rbac/subjects/" + givenUser.getUuid() + "/permissions")
@@ -305,12 +305,12 @@ class RbacSubjectControllerAcceptanceTest {
.contentType("application/json")
.body("", hasItem(
allOf(
hasEntry("roleName", "test_customer#yyy:TENANT"),
hasEntry("roleName", "rbactest.customer#yyy:TENANT"),
hasEntry("op", "SELECT"))
))
.body("", hasItem(
allOf(
hasEntry("roleName", "test_domain#yyy00-aaaa:OWNER"),
hasEntry("roleName", "rbactest.domain#yyy00-aaaa:OWNER"),
hasEntry("op", "DELETE"))
))
// actual content tested in integration test, so this is enough for here:
@@ -334,12 +334,12 @@ class RbacSubjectControllerAcceptanceTest {
.contentType("application/json")
.body("", hasItem(
allOf(
hasEntry("roleName", "test_customer#yyy:TENANT"),
hasEntry("roleName", "rbactest.customer#yyy:TENANT"),
hasEntry("op", "SELECT"))
))
.body("", hasItem(
allOf(
hasEntry("roleName", "test_domain#yyy00-aaaa:OWNER"),
hasEntry("roleName", "rbactest.domain#yyy00-aaaa:OWNER"),
hasEntry("op", "DELETE"))
))
// actual content tested in integration test, so this is enough for here:

176
src/test/java/net/hostsharing/hsadminng/rbac/subject/RbacSubjectRepositoryIntegrationTest.java
View File

@@ -128,7 +128,7 @@ class RbacSubjectRepositoryIntegrationTest extends ContextBasedTest {
@Test
public void globalAdmin_withAssumedCustomerAdminRole_canViewOnlyUsersHavingRolesInThatCustomersRealm() {
given:
context("superuser-alex@hostsharing.net", "test_customer#xxx:ADMIN");
context("superuser-alex@hostsharing.net", "rbactest.customer#xxx:ADMIN");
// when
final var result = rbacSubjectRepository.findByOptionalNameLike(null);
@@ -159,7 +159,7 @@ class RbacSubjectRepositoryIntegrationTest extends ContextBasedTest {
@Test
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyUsersHavingRolesInThatPackage() {
context("customer-admin@xxx.example.com", "test_package#xxx00:ADMIN");
context("customer-admin@xxx.example.com", "rbactest.package#xxx00:ADMIN");
final var result = rbacSubjectRepository.findByOptionalNameLike(null);
@@ -182,47 +182,47 @@ class RbacSubjectRepositoryIntegrationTest extends ContextBasedTest {
private static final String[] ALL_USER_PERMISSIONS = Array.of(
// @formatter:off
"test_customer#xxx:ADMIN -> test_customer#xxx: SELECT",
"test_customer#xxx:OWNER -> test_customer#xxx: DELETE",
"test_customer#xxx:TENANT -> test_customer#xxx: SELECT",
"test_customer#xxx:ADMIN -> test_customer#xxx: INSERT:test_package",
"test_package#xxx00:ADMIN -> test_package#xxx00: INSERT:test_domain",
"test_package#xxx00:ADMIN -> test_package#xxx00: INSERT:test_domain",
"test_package#xxx00:TENANT -> test_package#xxx00: SELECT",
"test_package#xxx01:ADMIN -> test_package#xxx01: INSERT:test_domain",
"test_package#xxx01:ADMIN -> test_package#xxx01: INSERT:test_domain",
"test_package#xxx01:TENANT -> test_package#xxx01: SELECT",
"test_package#xxx02:ADMIN -> test_package#xxx02: INSERT:test_domain",
"test_package#xxx02:ADMIN -> test_package#xxx02: INSERT:test_domain",
"test_package#xxx02:TENANT -> test_package#xxx02: SELECT",
"rbactest.customer#xxx:ADMIN -> rbactest.customer#xxx: SELECT",
"rbactest.customer#xxx:OWNER -> rbactest.customer#xxx: DELETE",
"rbactest.customer#xxx:TENANT -> rbactest.customer#xxx: SELECT",
"rbactest.customer#xxx:ADMIN -> rbactest.customer#xxx: INSERT:rbactest.package",
"rbactest.package#xxx00:ADMIN -> rbactest.package#xxx00: INSERT:rbactest.domain",
"rbactest.package#xxx00:ADMIN -> rbactest.package#xxx00: INSERT:rbactest.domain",
"rbactest.package#xxx00:TENANT -> rbactest.package#xxx00: SELECT",
"rbactest.package#xxx01:ADMIN -> rbactest.package#xxx01: INSERT:rbactest.domain",
"rbactest.package#xxx01:ADMIN -> rbactest.package#xxx01: INSERT:rbactest.domain",
"rbactest.package#xxx01:TENANT -> rbactest.package#xxx01: SELECT",
"rbactest.package#xxx02:ADMIN -> rbactest.package#xxx02: INSERT:rbactest.domain",
"rbactest.package#xxx02:ADMIN -> rbactest.package#xxx02: INSERT:rbactest.domain",
"rbactest.package#xxx02:TENANT -> rbactest.package#xxx02: SELECT",
"test_customer#yyy:ADMIN -> test_customer#yyy: SELECT",
"test_customer#yyy:OWNER -> test_customer#yyy: DELETE",
"test_customer#yyy:TENANT -> test_customer#yyy: SELECT",
"test_customer#yyy:ADMIN -> test_customer#yyy: INSERT:test_package",
"test_package#yyy00:ADMIN -> test_package#yyy00: INSERT:test_domain",
"test_package#yyy00:ADMIN -> test_package#yyy00: INSERT:test_domain",
"test_package#yyy00:TENANT -> test_package#yyy00: SELECT",
"test_package#yyy01:ADMIN -> test_package#yyy01: INSERT:test_domain",
"test_package#yyy01:ADMIN -> test_package#yyy01: INSERT:test_domain",
"test_package#yyy01:TENANT -> test_package#yyy01: SELECT",
"test_package#yyy02:ADMIN -> test_package#yyy02: INSERT:test_domain",
"test_package#yyy02:ADMIN -> test_package#yyy02: INSERT:test_domain",
"test_package#yyy02:TENANT -> test_package#yyy02: SELECT",
"rbactest.customer#yyy:ADMIN -> rbactest.customer#yyy: SELECT",
"rbactest.customer#yyy:OWNER -> rbactest.customer#yyy: DELETE",
"rbactest.customer#yyy:TENANT -> rbactest.customer#yyy: SELECT",
"rbactest.customer#yyy:ADMIN -> rbactest.customer#yyy: INSERT:rbactest.package",
"rbactest.package#yyy00:ADMIN -> rbactest.package#yyy00: INSERT:rbactest.domain",
"rbactest.package#yyy00:ADMIN -> rbactest.package#yyy00: INSERT:rbactest.domain",
"rbactest.package#yyy00:TENANT -> rbactest.package#yyy00: SELECT",
"rbactest.package#yyy01:ADMIN -> rbactest.package#yyy01: INSERT:rbactest.domain",
"rbactest.package#yyy01:ADMIN -> rbactest.package#yyy01: INSERT:rbactest.domain",
"rbactest.package#yyy01:TENANT -> rbactest.package#yyy01: SELECT",
"rbactest.package#yyy02:ADMIN -> rbactest.package#yyy02: INSERT:rbactest.domain",
"rbactest.package#yyy02:ADMIN -> rbactest.package#yyy02: INSERT:rbactest.domain",
"rbactest.package#yyy02:TENANT -> rbactest.package#yyy02: SELECT",
"test_customer#zzz:ADMIN -> test_customer#zzz: SELECT",
"test_customer#zzz:OWNER -> test_customer#zzz: DELETE",
"test_customer#zzz:TENANT -> test_customer#zzz: SELECT",
"test_customer#zzz:ADMIN -> test_customer#zzz: INSERT:test_package",
"test_package#zzz00:ADMIN -> test_package#zzz00: INSERT:test_domain",
"test_package#zzz00:ADMIN -> test_package#zzz00: INSERT:test_domain",
"test_package#zzz00:TENANT -> test_package#zzz00: SELECT",
"test_package#zzz01:ADMIN -> test_package#zzz01: INSERT:test_domain",
"test_package#zzz01:ADMIN -> test_package#zzz01: INSERT:test_domain",
"test_package#zzz01:TENANT -> test_package#zzz01: SELECT",
"test_package#zzz02:ADMIN -> test_package#zzz02: INSERT:test_domain",
"test_package#zzz02:ADMIN -> test_package#zzz02: INSERT:test_domain",
"test_package#zzz02:TENANT -> test_package#zzz02: SELECT"
"rbactest.customer#zzz:ADMIN -> rbactest.customer#zzz: SELECT",
"rbactest.customer#zzz:OWNER -> rbactest.customer#zzz: DELETE",
"rbactest.customer#zzz:TENANT -> rbactest.customer#zzz: SELECT",
"rbactest.customer#zzz:ADMIN -> rbactest.customer#zzz: INSERT:rbactest.package",
"rbactest.package#zzz00:ADMIN -> rbactest.package#zzz00: INSERT:rbactest.domain",
"rbactest.package#zzz00:ADMIN -> rbactest.package#zzz00: INSERT:rbactest.domain",
"rbactest.package#zzz00:TENANT -> rbactest.package#zzz00: SELECT",
"rbactest.package#zzz01:ADMIN -> rbactest.package#zzz01: INSERT:rbactest.domain",
"rbactest.package#zzz01:ADMIN -> rbactest.package#zzz01: INSERT:rbactest.domain",
"rbactest.package#zzz01:TENANT -> rbactest.package#zzz01: SELECT",
"rbactest.package#zzz02:ADMIN -> rbactest.package#zzz02: INSERT:rbactest.domain",
"rbactest.package#zzz02:ADMIN -> rbactest.package#zzz02: INSERT:rbactest.domain",
"rbactest.package#zzz02:TENANT -> rbactest.package#zzz02: SELECT"
// @formatter:on
);
@@ -233,7 +233,7 @@ class RbacSubjectRepositoryIntegrationTest extends ContextBasedTest {
// when
final var result = rbacSubjectRepository.findPermissionsOfUserByUuid(subjectUuid("superuser-fran@hostsharing.net"))
.stream().filter(p -> p.getObjectTable().contains("test_"))
.stream().filter(p -> p.getObjectTable().contains("rbactest."))
.sorted(comparing(RbacSubjectPermission::toString)).toList();
// then
@@ -252,32 +252,32 @@ class RbacSubjectRepositoryIntegrationTest extends ContextBasedTest {
allTheseRbacPermissionsAreReturned(
result,
// @formatter:off
"test_customer#xxx:ADMIN -> test_customer#xxx: INSERT:test_package",
"test_customer#xxx:ADMIN -> test_customer#xxx: SELECT",
"test_customer#xxx:TENANT -> test_customer#xxx: SELECT",
"rbactest.customer#xxx:ADMIN -> rbactest.customer#xxx: INSERT:rbactest.package",
"rbactest.customer#xxx:ADMIN -> rbactest.customer#xxx: SELECT",
"rbactest.customer#xxx:TENANT -> rbactest.customer#xxx: SELECT",
"test_package#xxx00:ADMIN -> test_package#xxx00: INSERT:test_domain",
"test_package#xxx00:ADMIN -> test_package#xxx00: INSERT:test_domain",
"test_package#xxx00:TENANT -> test_package#xxx00: SELECT",
"test_domain#xxx00-aaaa:OWNER -> test_domain#xxx00-aaaa: DELETE",
"rbactest.package#xxx00:ADMIN -> rbactest.package#xxx00: INSERT:rbactest.domain",
"rbactest.package#xxx00:ADMIN -> rbactest.package#xxx00: INSERT:rbactest.domain",
"rbactest.package#xxx00:TENANT -> rbactest.package#xxx00: SELECT",
"rbactest.domain#xxx00-aaaa:OWNER -> rbactest.domain#xxx00-aaaa: DELETE",
"test_package#xxx01:ADMIN -> test_package#xxx01: INSERT:test_domain",
"test_package#xxx01:ADMIN -> test_package#xxx01: INSERT:test_domain",
"test_package#xxx01:TENANT -> test_package#xxx01: SELECT",
"test_domain#xxx01-aaaa:OWNER -> test_domain#xxx01-aaaa: DELETE",
"rbactest.package#xxx01:ADMIN -> rbactest.package#xxx01: INSERT:rbactest.domain",
"rbactest.package#xxx01:ADMIN -> rbactest.package#xxx01: INSERT:rbactest.domain",
"rbactest.package#xxx01:TENANT -> rbactest.package#xxx01: SELECT",
"rbactest.domain#xxx01-aaaa:OWNER -> rbactest.domain#xxx01-aaaa: DELETE",
"test_package#xxx02:ADMIN -> test_package#xxx02: INSERT:test_domain",
"test_package#xxx02:ADMIN -> test_package#xxx02: INSERT:test_domain",
"test_package#xxx02:TENANT -> test_package#xxx02: SELECT",
"test_domain#xxx02-aaaa:OWNER -> test_domain#xxx02-aaaa: DELETE"
"rbactest.package#xxx02:ADMIN -> rbactest.package#xxx02: INSERT:rbactest.domain",
"rbactest.package#xxx02:ADMIN -> rbactest.package#xxx02: INSERT:rbactest.domain",
"rbactest.package#xxx02:TENANT -> rbactest.package#xxx02: SELECT",
"rbactest.domain#xxx02-aaaa:OWNER -> rbactest.domain#xxx02-aaaa: DELETE"
// @formatter:on
);
noneOfTheseRbacPermissionsAreReturned(
result,
// @formatter:off
"test_customer#yyy:ADMIN -> test_customer#yyy: INSERT:test_package",
"test_customer#yyy:ADMIN -> test_customer#yyy: SELECT",
"test_customer#yyy:TENANT -> test_customer#yyy: SELECT"
"rbactest.customer#yyy:ADMIN -> rbactest.customer#yyy: INSERT:rbactest.package",
"rbactest.customer#yyy:ADMIN -> rbactest.customer#yyy: SELECT",
"rbactest.customer#yyy:TENANT -> rbactest.customer#yyy: SELECT"
// @formatter:on
);
}
@@ -312,26 +312,26 @@ class RbacSubjectRepositoryIntegrationTest extends ContextBasedTest {
allTheseRbacPermissionsAreReturned(
result,
// @formatter:off
"test_customer#xxx:TENANT -> test_customer#xxx: SELECT",
// "test_customer#xxx:ADMIN -> test_customer#xxx: view" - Not permissions through the customer admin!
"test_package#xxx00:ADMIN -> test_package#xxx00: INSERT:test_domain",
"test_package#xxx00:ADMIN -> test_package#xxx00: INSERT:test_domain",
"test_package#xxx00:TENANT -> test_package#xxx00: SELECT",
"test_domain#xxx00-aaaa:OWNER -> test_domain#xxx00-aaaa: DELETE",
"test_domain#xxx00-aaab:OWNER -> test_domain#xxx00-aaab: DELETE"
"rbactest.customer#xxx:TENANT -> rbactest.customer#xxx: SELECT",
// "rbactest.customer#xxx:ADMIN -> rbactest.customer#xxx: view" - Not permissions through the customer admin!
"rbactest.package#xxx00:ADMIN -> rbactest.package#xxx00: INSERT:rbactest.domain",
"rbactest.package#xxx00:ADMIN -> rbactest.package#xxx00: INSERT:rbactest.domain",
"rbactest.package#xxx00:TENANT -> rbactest.package#xxx00: SELECT",
"rbactest.domain#xxx00-aaaa:OWNER -> rbactest.domain#xxx00-aaaa: DELETE",
"rbactest.domain#xxx00-aaab:OWNER -> rbactest.domain#xxx00-aaab: DELETE"
// @formatter:on
);
noneOfTheseRbacPermissionsAreReturned(
result,
// @formatter:off
"test_customer#yyy:ADMIN -> test_customer#yyy: INSERT:test_package",
"test_customer#yyy:ADMIN -> test_customer#yyy: SELECT",
"test_customer#yyy:TENANT -> test_customer#yyy: SELECT",
"test_package#yyy00:ADMIN -> test_package#yyy00: INSERT:test_domain",
"test_package#yyy00:ADMIN -> test_package#yyy00: INSERT:test_domain",
"test_package#yyy00:TENANT -> test_package#yyy00: SELECT",
"test_domain#yyy00-aaaa:OWNER -> test_domain#yyy00-aaaa: DELETE",
"test_domain#yyy00-aaab:OWNER -> test_domain#yyy00-aaab: DELETE"
"rbactest.customer#yyy:ADMIN -> rbactest.customer#yyy: INSERT:rbactest.package",
"rbactest.customer#yyy:ADMIN -> rbactest.customer#yyy: SELECT",
"rbactest.customer#yyy:TENANT -> rbactest.customer#yyy: SELECT",
"rbactest.package#yyy00:ADMIN -> rbactest.package#yyy00: INSERT:rbactest.domain",
"rbactest.package#yyy00:ADMIN -> rbactest.package#yyy00: INSERT:rbactest.domain",
"rbactest.package#yyy00:TENANT -> rbactest.package#yyy00: SELECT",
"rbactest.domain#yyy00-aaaa:OWNER -> rbactest.domain#yyy00-aaaa: DELETE",
"rbactest.domain#yyy00-aaab:OWNER -> rbactest.domain#yyy00-aaab: DELETE"
// @formatter:on
);
}
@@ -360,26 +360,26 @@ class RbacSubjectRepositoryIntegrationTest extends ContextBasedTest {
allTheseRbacPermissionsAreReturned(
result,
// @formatter:off
"test_customer#xxx:TENANT -> test_customer#xxx: SELECT",
// "test_customer#xxx:ADMIN -> test_customer#xxx: view" - Not permissions through the customer admin!
"test_package#xxx00:ADMIN -> test_package#xxx00: INSERT:test_domain",
"test_package#xxx00:TENANT -> test_package#xxx00: SELECT"
"rbactest.customer#xxx:TENANT -> rbactest.customer#xxx: SELECT",
// "rbactest.customer#xxx:ADMIN -> rbactest.customer#xxx: view" - Not permissions through the customer admin!
"rbactest.package#xxx00:ADMIN -> rbactest.package#xxx00: INSERT:rbactest.domain",
"rbactest.package#xxx00:TENANT -> rbactest.package#xxx00: SELECT"
// @formatter:on
);
noneOfTheseRbacPermissionsAreReturned(
result,
// @formatter:off
// no customer admin permissions
"test_customer#xxx:ADMIN -> test_customer#xxx: add-package",
"rbactest.customer#xxx:ADMIN -> rbactest.customer#xxx: add-package",
// no permissions on other customer's objects
"test_customer#yyy:ADMIN -> test_customer#yyy: add-package",
"test_customer#yyy:ADMIN -> test_customer#yyy: SELECT",
"test_customer#yyy:TENANT -> test_customer#yyy: SELECT",
"test_package#yyy00:ADMIN -> test_package#yyy00: INSERT:test_domain",
"test_package#yyy00:ADMIN -> test_package#yyy00: INSERT:test_domain",
"test_package#yyy00:TENANT -> test_package#yyy00: SELECT",
"test_domain#yyy00-aaaa:OWNER -> test_domain#yyy00-aaaa: DELETE",
"test_domain#yyy00-xxxb:OWNER -> test_domain#yyy00-xxxb: DELETE"
"rbactest.customer#yyy:ADMIN -> rbactest.customer#yyy: add-package",
"rbactest.customer#yyy:ADMIN -> rbactest.customer#yyy: SELECT",
"rbactest.customer#yyy:TENANT -> rbactest.customer#yyy: SELECT",
"rbactest.package#yyy00:ADMIN -> rbactest.package#yyy00: INSERT:rbactest.domain",
"rbactest.package#yyy00:ADMIN -> rbactest.package#yyy00: INSERT:rbactest.domain",
"rbactest.package#yyy00:TENANT -> rbactest.package#yyy00: SELECT",
"rbactest.domain#yyy00-aaaa:OWNER -> rbactest.domain#yyy00-aaaa: DELETE",
"rbactest.domain#yyy00-xxxb:OWNER -> rbactest.domain#yyy00-xxxb: DELETE"
// @formatter:on
);
}

12
src/test/java/net/hostsharing/hsadminng/rbac/test/cust/TestCustomerControllerAcceptanceTest.java
View File

@@ -89,7 +89,7 @@ class TestCustomerControllerAcceptanceTest {
RestAssured // @formatter:off
.given()
.header("current-subject", "superuser-alex@hostsharing.net")
.header("assumed-roles", "test_customer#yyy:ADMIN")
.header("assumed-roles", "rbactest.customer#yyy:ADMIN")
.port(port)
.when()
.get("http://localhost/api/test/customers")
@@ -148,7 +148,7 @@ class TestCustomerControllerAcceptanceTest {
// finally, the new customer can be viewed by its own admin
final var newSubjectUuid = UUID.fromString(
location.substring(location.lastIndexOf('/') + 1));
context.define("superuser-fran@hostsharing.net", "test_customer#uuu:ADMIN");
context.define("superuser-fran@hostsharing.net", "rbactest.customer#uuu:ADMIN");
assertThat(testCustomerRepository.findByUuid(newSubjectUuid))
.hasValueSatisfying(c -> assertThat(c.getPrefix()).isEqualTo("uuu"));
}
@@ -159,7 +159,7 @@ class TestCustomerControllerAcceptanceTest {
RestAssured // @formatter:off
.given()
.header("current-subject", "superuser-alex@hostsharing.net")
.header("assumed-roles", "test_customer#xxx:ADMIN")
.header("assumed-roles", "rbactest.customer#xxx:ADMIN")
.contentType(ContentType.JSON)
.body("""
{
@@ -175,8 +175,8 @@ class TestCustomerControllerAcceptanceTest {
.statusCode(403)
.contentType(ContentType.JSON)
.statusCode(403)
.body("message", containsString("ERROR: [403] insert into test_customer "))
.body("message", containsString(" not allowed for current subjects {test_customer#xxx:ADMIN}"));
.body("message", containsString("ERROR: [403] insert into rbactest.customer "))
.body("message", containsString(" not allowed for current subjects {rbactest.customer#xxx:ADMIN}"));
// @formatter:on
// finally, the new customer was not created
@@ -205,7 +205,7 @@ class TestCustomerControllerAcceptanceTest {
.statusCode(403)
.contentType(ContentType.JSON)
.statusCode(403)
.body("message", containsString("ERROR: [403] insert into test_customer "))
.body("message", containsString("ERROR: [403] insert into rbactest.customer "))
.body("message", containsString(" not allowed for current subjects"));
// @formatter:on

12
src/test/java/net/hostsharing/hsadminng/rbac/test/cust/TestCustomerRepositoryIntegrationTest.java
View File

@@ -54,7 +54,7 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
@Test
public void globalAdmin_withAssumedCustomerRole_cannotCreateNewCustomer() {
// given
context("superuser-alex@hostsharing.net", "test_customer#xxx:ADMIN");
context("superuser-alex@hostsharing.net", "rbactest.customer#xxx:ADMIN");
// when
final var result = attempt(em, () -> {
@@ -66,8 +66,8 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
// then
result.assertExceptionWithRootCauseMessage(
PersistenceException.class,
"ERROR: [403] insert into test_customer ",
"not allowed for current subjects {test_customer#xxx:ADMIN}");
"ERROR: [403] insert into rbactest.customer ",
"not allowed for current subjects {rbactest.customer#xxx:ADMIN}");
}
@Test
@@ -85,7 +85,7 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
// then
result.assertExceptionWithRootCauseMessage(
PersistenceException.class,
"ERROR: [403] insert into test_customer ",
"ERROR: [403] insert into rbactest.customer ",
" not allowed for current subjects {customer-admin@xxx.example.com}");
}
@@ -114,7 +114,7 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
@Test
public void globalAdmin_withAssumedCustomerOwnerRole_canViewExactlyThatCustomer() {
given:
context("superuser-alex@hostsharing.net", "test_customer#yyy:OWNER");
context("superuser-alex@hostsharing.net", "rbactest.customer#yyy:OWNER");
// when
final var result = testCustomerRepository.findCustomerByOptionalPrefixLike(null);
@@ -139,7 +139,7 @@ class TestCustomerRepositoryIntegrationTest extends ContextBasedTest {
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnCustomer() {
context("customer-admin@xxx.example.com");
context("customer-admin@xxx.example.com", "test_package#xxx00:ADMIN");
context("customer-admin@xxx.example.com", "rbactest.package#xxx00:ADMIN");
final var result = testCustomerRepository.findCustomerByOptionalPrefixLike(null);

14
src/test/java/net/hostsharing/hsadminng/rbac/test/pac/TestPackageControllerAcceptanceTest.java
View File

@@ -44,7 +44,7 @@ class TestPackageControllerAcceptanceTest {
RestAssured
.given()
.header("current-subject", "superuser-alex@hostsharing.net")
.header("assumed-roles", "test_customer#xxx:ADMIN")
.header("assumed-roles", "rbactest.customer#xxx:ADMIN")
.port(port)
.when()
.get("http://localhost/api/test/packages")
@@ -66,7 +66,7 @@ class TestPackageControllerAcceptanceTest {
RestAssured
.given()
.header("current-subject", "superuser-alex@hostsharing.net")
.header("assumed-roles", "test_customer#xxx:ADMIN")
.header("assumed-roles", "rbactest.customer#xxx:ADMIN")
.port(port)
.when()
.get("http://localhost/api/test/packages?name=xxx01")
@@ -95,7 +95,7 @@ class TestPackageControllerAcceptanceTest {
RestAssured
.given()
.header("current-subject", "superuser-alex@hostsharing.net")
.header("assumed-roles", "test_customer#xxx:ADMIN")
.header("assumed-roles", "rbactest.customer#xxx:ADMIN")
.contentType(ContentType.JSON)
.body(format("""
{
@@ -126,7 +126,7 @@ class TestPackageControllerAcceptanceTest {
RestAssured
.given()
.header("current-subject", "superuser-alex@hostsharing.net")
.header("assumed-roles", "test_customer#xxx:ADMIN")
.header("assumed-roles", "rbactest.customer#xxx:ADMIN")
.contentType(ContentType.JSON)
.body("""
{
@@ -156,7 +156,7 @@ class TestPackageControllerAcceptanceTest {
RestAssured
.given()
.header("current-subject", "superuser-alex@hostsharing.net")
.header("assumed-roles", "test_customer#xxx:ADMIN")
.header("assumed-roles", "rbactest.customer#xxx:ADMIN")
.contentType(ContentType.JSON)
.body("{}")
.port(port)
@@ -176,7 +176,7 @@ class TestPackageControllerAcceptanceTest {
return UUID.fromString(RestAssured
.given()
.header("current-subject", "superuser-alex@hostsharing.net")
.header("assumed-roles", "test_customer#xxx:ADMIN")
.header("assumed-roles", "rbactest.customer#xxx:ADMIN")
.port(port)
.when()
.get("http://localhost/api/test/packages?name={packageName}", packageName)
@@ -188,7 +188,7 @@ class TestPackageControllerAcceptanceTest {
}
String getDescriptionOfPackage(final String packageName) {
context.define("superuser-alex@hostsharing.net","test_customer#xxx:ADMIN");
context.define("superuser-alex@hostsharing.net","rbactest.customer#xxx:ADMIN");
return testPackageRepository.findAllByOptionalNameLike(packageName).get(0).getDescription();
}
}

8
src/test/java/net/hostsharing/hsadminng/rbac/test/pac/TestPackageRepositoryIntegrationTest.java
View File

@@ -76,7 +76,7 @@ class TestPackageRepositoryIntegrationTest extends ContextBasedTest {
@Test
public void customerAdmin_withAssumedOwnedPackageAdminRole_canViewOnlyItsOwnPackages() {
context.define("customer-admin@xxx.example.com", "test_package#xxx00:ADMIN");
context.define("customer-admin@xxx.example.com", "rbactest.package#xxx00:ADMIN");
final var result = testPackageRepository.findAllByOptionalNameLike(null);
@@ -90,17 +90,17 @@ class TestPackageRepositoryIntegrationTest extends ContextBasedTest {
@Test
public void supportsOptimisticLocking() {
// given
globalAdminWithAssumedRole("test_package#xxx00:ADMIN");
globalAdminWithAssumedRole("rbactest.package#xxx00:ADMIN");
final var pac = testPackageRepository.findAllByOptionalNameLike("%").get(0);
// when
final var result1 = jpaAttempt.transacted(() -> {
globalAdminWithAssumedRole("test_package#xxx00:OWNER");
globalAdminWithAssumedRole("rbactest.package#xxx00:OWNER");
pac.setDescription("description set by thread 1");
testPackageRepository.save(pac);
});
final var result2 = jpaAttempt.transacted(() -> {
globalAdminWithAssumedRole("test_package#xxx00:OWNER");
globalAdminWithAssumedRole("rbactest.package#xxx00:OWNER");
pac.setDescription("description set by thread 2");
testPackageRepository.save(pac);
sleep(1500);

1
src/test/resources/application.yml
View File

@@ -5,6 +5,7 @@ spring:
datasource:
url-tc: jdbc:tc:postgresql:15.5-bookworm:///spring_boot_testcontainers
url-tcx: jdbc:tc:postgresql:15.5-bookworm:///spring_boot_testcontainers?TC_REUSABLE=true&TC_DAEMON=true
url-local: jdbc:postgresql://localhost:5432/postgres
url: ${spring.datasource.url-tc}
username: postgres