/
ModelInteractionService.java
385 lines (338 loc) · 24.9 KB
/
ModelInteractionService.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
/*
* Copyright (c) 2010-2018 Evolveum
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.evolveum.midpoint.model.api;
import com.evolveum.midpoint.common.refinery.RefinedObjectClassDefinition;
import com.evolveum.midpoint.model.api.authentication.CompiledUserProfile;
import com.evolveum.midpoint.model.api.context.ModelContext;
import com.evolveum.midpoint.model.api.util.MergeDeltas;
import com.evolveum.midpoint.model.api.visualizer.Scene;
import com.evolveum.midpoint.prism.Item;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.PrismObjectDefinition;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
import com.evolveum.midpoint.prism.query.ObjectFilter;
import com.evolveum.midpoint.prism.query.ObjectQuery;
import com.evolveum.midpoint.schema.ResourceShadowDiscriminator;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.statistics.ConnectorOperationalStatus;
import com.evolveum.midpoint.security.api.AuthorizationTransformer;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.security.enforcer.api.ItemSecurityConstraints;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.DisplayableValue;
import com.evolveum.midpoint.util.annotation.Experimental;
import com.evolveum.midpoint.util.exception.*;
import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ExecuteCredentialResetRequestType;
import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ExecuteCredentialResetResponseType;
import com.evolveum.midpoint.xml.ns._public.common.api_types_3.PolicyItemsDefinitionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import org.jetbrains.annotations.NotNull;
import javax.xml.namespace.QName;
import java.util.Collection;
import java.util.List;
import java.util.Map;
/**
* A service provided by the IDM Model that allows to improve the (user) interaction with the model.
* It is supposed to provide services such as preview of changes, diagnostics and other informational
* services. It should only provide access to read-only data or provide a temporary (throw-away) previews
* of data. It should not change the state of IDM repository, resources or tasks.
*
* EXPERIMENTAL/UNSTABLE: This is likely to change at any moment without a notice. Depend on this interface on your own risk.
*
* @author Radovan Semancik
*
*/
@Experimental
public interface ModelInteractionService {
String CLASS_NAME_WITH_DOT = ModelInteractionService.class.getName() + ".";
String PREVIEW_CHANGES = CLASS_NAME_WITH_DOT + "previewChanges";
String GET_EDIT_OBJECT_DEFINITION = CLASS_NAME_WITH_DOT + "getEditObjectDefinition";
String GET_EDIT_SHADOW_DEFINITION = CLASS_NAME_WITH_DOT + "getEditShadowDefinition";
String GET_ALLOWED_REQUEST_ASSIGNMENT_ITEMS = CLASS_NAME_WITH_DOT + "getAllowedRequestAssignmentItems";
String GET_ASSIGNABLE_ROLE_SPECIFICATION = CLASS_NAME_WITH_DOT + "getAssignableRoleSpecification";
String GET_CREDENTIALS_POLICY = CLASS_NAME_WITH_DOT + "getCredentialsPolicy";
String GET_AUTHENTICATIONS_POLICY = CLASS_NAME_WITH_DOT + "getAuthenticationsPolicy";
String GET_REGISTRATIONS_POLICY = CLASS_NAME_WITH_DOT + "getRegistrationsPolicy";
String GET_SECURITY_POLICY = CLASS_NAME_WITH_DOT + "resolveSecurityPolicy";
String CHECK_PASSWORD = CLASS_NAME_WITH_DOT + "checkPassword";
String GET_CONNECTOR_OPERATIONAL_STATUS = CLASS_NAME_WITH_DOT + "getConnectorOperationalStatus";
String MERGE_OBJECTS_PREVIEW_DELTA = CLASS_NAME_WITH_DOT + "mergeObjectsPreviewDelta";
String MERGE_OBJECTS_PREVIEW_OBJECT = CLASS_NAME_WITH_DOT + "mergeObjectsPreviewObject";
String GET_DEPUTY_ASSIGNEES = CLASS_NAME_WITH_DOT + "getDeputyAssignees";
String SUBMIT_TASK_FROM_TEMPLATE = CLASS_NAME_WITH_DOT + "submitTaskFromTemplate";
/**
* Computes the most likely changes triggered by the provided delta. The delta may be any change of any object, e.g.
* add of a user or change of a shadow. The resulting context will sort that out to "focus" and "projection" as needed.
* The supplied delta will be used as a primary change. The resulting context will reflect both this primary change and
* any resulting secondary changes.
*
* The changes are only computed, NOT EXECUTED. It also does not change any state of any repository object or task. Therefore
* this method is safe to use anytime. However it is reading the data from the repository and possibly also from the resources
* therefore there is still potential for communication (and other) errors and invocation of this method may not be cheap.
* However, as no operations are really executed there may be issues with resource dependencies. E.g. identifier that are generated
* by the resource are not taken into account while recomputing the values. This may also cause errors if some expressions depend
* on the generated values.
*/
<F extends ObjectType> ModelContext<F> previewChanges(
Collection<ObjectDelta<? extends ObjectType>> deltas, ModelExecuteOptions options, Task task, OperationResult result)
throws SchemaException, PolicyViolationException, ExpressionEvaluationException, ObjectNotFoundException, ObjectAlreadyExistsException, CommunicationException, ConfigurationException, SecurityViolationException;
<F extends ObjectType> ModelContext<F> previewChanges(
Collection<ObjectDelta<? extends ObjectType>> deltas, ModelExecuteOptions options, Task task, Collection<ProgressListener> listeners, OperationResult result)
throws SchemaException, PolicyViolationException, ExpressionEvaluationException, ObjectNotFoundException, ObjectAlreadyExistsException, CommunicationException, ConfigurationException, SecurityViolationException;
<F extends ObjectType> ModelContext<F> unwrapModelContext(LensContextType wrappedContext, Task task, OperationResult result) throws SchemaException, ConfigurationException, ObjectNotFoundException, CommunicationException, ExpressionEvaluationException;
/**
* <p>
* Returns a schema that reflects editability of the object in terms of midPoint schema limitations and security. This method
* merges together all the applicable limitations that midPoint knows of (schema, security, other constratints). It may be required
* to pre-populate new object before calling this method, e.g. to put the object in a correct org in case that delegated administration
* is used.
* </p>
* <p>
* If null is returned then the access to the entire object is denied. It cannot be created or edited at all.
* </p>
* <p>
* The returned definition contains all parts of static schema and run-time extensions. It does not contain parts of resource
* "refined" schemas. Therefore for shadows it is only applicable to static parts of the shadow (not attributes).
* </p>
* <p>
* This is <b>not</b> security-sensitive function. It provides data about security constraints but it does <b>not</b> enforce it and
* it does not modify anything or reveal any data. The purpose of this method is to enable convenient display of GUI form fields,
* e.g. to hide non-accessible fields from the form. The actual enforcement of the security is executed regardless of this
* method.
* </p>
*
* @param object object to edit
* @return schema with correctly set constraint parts or null
*/
<O extends ObjectType> PrismObjectDefinition<O> getEditObjectDefinition(PrismObject<O> object, AuthorizationPhaseType phase, Task task, OperationResult result) throws SchemaException, ConfigurationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, SecurityViolationException;
PrismObjectDefinition<ShadowType> getEditShadowDefinition(ResourceShadowDiscriminator discr, AuthorizationPhaseType phase, Task task, OperationResult result) throws SchemaException, ConfigurationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, SecurityViolationException;
RefinedObjectClassDefinition getEditObjectClassDefinition(PrismObject<ShadowType> shadow, PrismObject<ResourceType> resource, AuthorizationPhaseType phase, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException;
/**
* <p>
* Returns a collection of all authorization actions known to the system. The format of returned data is designed for displaying
* purposes.
* </p>
* <p>
* Note: this method returns only the list of authorization actions that are known to the IDM Model component and the components
* below. It does <b>not</b> return a GUI-specific authorization actions.
* </p>
*
* @return
*/
Collection<? extends DisplayableValue<String>> getActionUrls();
/**
* Returns an object that defines which roles can be assigned by the currently logged-in user.
*
* @param focus Object of the operation. The object (usually user) to whom the roles should be assigned.
* @param assignmentOrder order=0 means assignment, order>0 means inducement
*/
<F extends FocusType, R extends AbstractRoleType> RoleSelectionSpecification getAssignableRoleSpecification(PrismObject<F> focus, Class<R> targetType, int assignmentOrder, Task task, OperationResult parentResult) throws ObjectNotFoundException, SchemaException, ConfigurationException, ExpressionEvaluationException, CommunicationException, SecurityViolationException;
/**
* Returns filter for lookup of donors or power of attorney. The donors are the users that have granted
* the power of attorney to the currently logged-in user.
*
* TODO: authorization limitations
*
* @param searchResultType type of the expected search results
* @param origFilter original filter (e.g. taken from GUI search bar)
* @param targetAuthorizationAction Authorization action that the attorney is trying to execute
* on behalf of donor. Only donors for which the use of this authorization was
* not limited will be returned (that does not necessarily mean that the donor
* is able to execute this action, it may be limited by donor's authorizations).
* If the parameter is null then all donors are returned.
* @param task task
* @param parentResult operation result
* @return original filter with AND clause limiting the search.
*/
<T extends ObjectType> ObjectFilter getDonorFilter(Class<T> searchResultType, ObjectFilter origFilter, String targetAuthorizationAction, Task task, OperationResult parentResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException;
/**
* TODO
* Question: does object make any sense here? E.g. when searching role members, the role OID should be determined from the query.
*
* @param includeSpecial include special authorizations, such as "self". If set to false those authorizations
* will be ignored. This is a good way to avoid interference of "self" when checking for
* authorizations such as ability to display role members.
*/
<T extends ObjectType, O extends ObjectType> boolean canSearch(Class<T> resultType, Class<O> objectType, String objectOid, boolean includeSpecial, ObjectQuery query, Task task, OperationResult result) throws ObjectNotFoundException, CommunicationException, SchemaException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException ;
/**
* Returns decisions for individual items for "assign" authorization. This is usually applicable to assignment parameters.
* The decisions are evaluated using the security context of a currently logged-in user.
*
* @param object object of the operation (user)
* @param target target of the operation (role, org, service that is being assigned)
*/
<O extends ObjectType,R extends AbstractRoleType> ItemSecurityConstraints getAllowedRequestAssignmentItems(PrismObject<O> object, PrismObject<R> target, Task task, OperationResult result) throws SchemaException, SecurityViolationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException;
SecurityPolicyType getSecurityPolicy(PrismObject<UserType> user, Task task, OperationResult parentResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException;
/**
* Returns an authentications policies as defined in the system configuration security policy. This method is designed to be used
* during registration process or reset password process.
* security questions, etc).
*
*
* @param task
* @param parentResult
* @return applicable credentials policy or null
* @throws ObjectNotFoundException No system configuration or other major system inconsistency
* @throws SchemaException Wrong schema or content of security policy
*/
AuthenticationsPolicyType getAuthenticationPolicy(PrismObject<UserType> user, Task task, OperationResult parentResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException;
/**
* Returns a policy for registration, e.g. type of the supported registrations (self, social,...)
*
* @param user user for who the policy should apply
* @param task
* @param parentResult
* @return applicable credentials policy or null
* @throws ObjectNotFoundException No system configuration or other major system inconsistency
* @throws SchemaException Wrong schema or content of security policy
* @deprecated
*/
RegistrationsPolicyType getRegistrationPolicy(PrismObject<UserType> user, Task task, OperationResult parentResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException;
/**
* Returns a policy for registration, e.g. type of the supported registrations (self, social,...)
*
* @param user user for who the policy should apply
* @param task
* @param parentResult
* @return applicable credentials policy or null
* @throws ObjectNotFoundException No system configuration or other major system inconsistency
* @throws SchemaException Wrong schema or content of security policy
*/
RegistrationsPolicyType getFlowPolicy(PrismObject<UserType> user, Task task, OperationResult parentResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException;
/**
* Returns a credential policy that applies to the specified user. This method is designed to be used
* during credential reset so the GUI has enough information to set up the credential (e.g. password policies,
* security questions, etc).
*
* @param user user for who the policy should apply
* @param task
* @param parentResult
* @return applicable credentials policy or null
* @throws ObjectNotFoundException No system configuration or other major system inconsistency
* @throws SchemaException Wrong schema or content of security policy
*/
CredentialsPolicyType getCredentialsPolicy(PrismObject<UserType> user, Task task, OperationResult parentResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException;
/**
* Returns currently applicable user profile, compiled for efficient use in the user interface.
* Use profile contains configuration, customization and user preferences for the user interface.
* Note: This operation bypasses the authorizations. It will always return the value regardless whether
* the current user is authorized to read the underlying objects or not. However, it will always return only
* values applicable for current user, therefore the authorization might be considered to be implicit in this case.
*/
@NotNull
CompiledUserProfile getCompiledUserProfile(Task task, OperationResult parentResult) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException;
SystemConfigurationType getSystemConfiguration(OperationResult parentResult) throws ObjectNotFoundException, SchemaException;
DeploymentInformationType getDeploymentInformationConfiguration(OperationResult parentResult) throws ObjectNotFoundException, SchemaException;
AccessCertificationConfigurationType getCertificationConfiguration(OperationResult parentResult)
throws ObjectNotFoundException, SchemaException;
/**
* Checks if the supplied password matches with current user password. This method is NOT subject to any
* password expiration policies, it does not update failed login counters, it does not change any data or meta-data.
* This method is NOT SUPPOSED to be used to validate password on login. This method is supposed to check
* old password when the password is changed by the user. We assume that the user already passed normal
* system authentication.
*
* Note: no authorizations are checked in the implementation. It is assumed that authorizations will be
* enforced at the page level.
*
* @return true if the password matches, false otherwise
*/
boolean checkPassword(String userOid, ProtectedStringType password, Task task, OperationResult parentResult) throws ObjectNotFoundException, SchemaException;
// TEMPORARY
List<? extends Scene> visualizeDeltas(List<ObjectDelta<? extends ObjectType>> deltas, Task task, OperationResult result) throws SchemaException, ExpressionEvaluationException;
@NotNull
Scene visualizeDelta(ObjectDelta<? extends ObjectType> delta, Task task, OperationResult result) throws SchemaException, ExpressionEvaluationException;
@NotNull
Scene visualizeDelta(ObjectDelta<? extends ObjectType> delta, ObjectReferenceType objectRef, Task task, OperationResult result) throws SchemaException, ExpressionEvaluationException;
List<ConnectorOperationalStatus> getConnectorOperationalStatus(String resourceOid, Task task, OperationResult parentResult)
throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, ExpressionEvaluationException;
<O extends ObjectType> MergeDeltas<O> mergeObjectsPreviewDeltas(Class<O> type,
String leftOid, String rightOid, String mergeConfigurationName, Task task, OperationResult result)
throws ObjectNotFoundException, SchemaException, ConfigurationException, ExpressionEvaluationException, CommunicationException, SecurityViolationException ;
<O extends ObjectType> PrismObject<O> mergeObjectsPreviewObject(Class<O> type,
String leftOid, String rightOid, String mergeConfigurationName, Task task, OperationResult result)
throws ObjectNotFoundException, SchemaException, ConfigurationException, ExpressionEvaluationException, CommunicationException, SecurityViolationException ;
/**
* TEMPORARY. Need to find out better way how to deal with generated values
*
* @param policy
* @param defaultLength
* @param generateMinimalSize
* @param object object for which we generate the value (e.g. user or shadow)
* @param inputResult
* @return
* @throws ExpressionEvaluationException
*/
<O extends ObjectType> String generateValue(ValuePolicyType policy, int defaultLength, boolean generateMinimalSize,
PrismObject<O> object, String shortDesc, Task task, OperationResult inputResult) throws ExpressionEvaluationException, SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException;
<O extends ObjectType> void generateValue(
PrismObject<O> object, PolicyItemsDefinitionType policyItemsDefinition, Task task, OperationResult parentResult) throws ObjectNotFoundException,
SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException, ObjectAlreadyExistsException, PolicyViolationException;
<O extends ObjectType> void validateValue(PrismObject<O> object, PolicyItemsDefinitionType policyItemsDefinition, Task task,
OperationResult parentResult) throws ExpressionEvaluationException, SchemaException, ObjectNotFoundException,
CommunicationException, ConfigurationException, SecurityViolationException, PolicyViolationException;
/**
* Gets "deputy assignees" i.e. users that are deputies of assignees. Takes limitations into account.
*
* MAY NOT CHECK AUTHORIZATIONS (uses repository directly, at least at some places) - TODO
* TODO parameterize on limitation kind
*/
@NotNull
List<ObjectReferenceType> getDeputyAssignees(AbstractWorkItemType workItem, Task task, OperationResult parentResult)
throws SchemaException;
@NotNull
List<ObjectReferenceType> getDeputyAssignees(ObjectReferenceType assignee, QName limitationItemName, Task task, OperationResult parentResult)
throws SchemaException;
/**
* Computes effective status for the current ActivationType in for an assignment
*/
ActivationStatusType getAssignmentEffectiveStatus(String lifecycleStatus, ActivationType activationType);
MidPointPrincipal assumePowerOfAttorney(PrismObject<UserType> donor, Task task, OperationResult result)
throws SchemaException, SecurityViolationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException;
MidPointPrincipal dropPowerOfAttorney(Task task, OperationResult result)
throws SchemaException, SecurityViolationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException;
// Maybe a bit of hack: used to deduplicate processing of localizable message templates
@NotNull
LocalizableMessageType createLocalizableMessageType(LocalizableMessageTemplateType template,
Map<QName, Object> variables, Task task, OperationResult result)
throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException,
ConfigurationException, SecurityViolationException;
ExecuteCredentialResetResponseType executeCredentialsReset(PrismObject<UserType> user,
ExecuteCredentialResetRequestType executeCredentialResetRequest, Task task, OperationResult result)
throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException,
SecurityViolationException, ExpressionEvaluationException, ObjectAlreadyExistsException, PolicyViolationException;
void refreshPrincipal(String oid) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException;
List<RelationDefinitionType> getRelationDefinitions();
@NotNull
TaskType submitTaskFromTemplate(String templateTaskOid, List<Item<?, ?>> extensionItems, Task opTask, OperationResult result)
throws CommunicationException, ObjectNotFoundException, SchemaException, SecurityViolationException,
ConfigurationException, ExpressionEvaluationException, ObjectAlreadyExistsException, PolicyViolationException;
@NotNull
TaskType submitTaskFromTemplate(String templateTaskOid, Map<QName, Object> extensionValues, Task opTask, OperationResult result)
throws CommunicationException, ObjectNotFoundException, SchemaException, SecurityViolationException,
ConfigurationException, ExpressionEvaluationException, ObjectAlreadyExistsException, PolicyViolationException;
/**
* Efficiently determines information about all archetype-related interactions for a particular object.
* This include archetype policies, assignments, relations, etc. Returns null if no archetype policy is applicable.
* This is a "one stop" method for archetype information in the GUI. The method returns archetype policy even
* for "legacy" situations, e.g. if the policy needs to be determined from system configuration using legacy subtype.
* GUI should not need to to any other processing to determine archetype-like information.
*
* This method is supposed to be very efficient, it should be using caching as much as possible.
*/
<O extends ObjectType> ArchetypeInteractionSpecification getInteractionSpecification(PrismObject<O> object, OperationResult result) throws SchemaException, ConfigurationException;
}