Attempt to fix policy rule-based exclusions.
mederly committed Jan 18, 2017
1 parent 496162b commit 02cd107
Showing 2 changed files with 40 additions and 34 deletions.
Expand Up @@ -17,7 +17,6 @@

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import com.evolveum.midpoint.model.api.context.EvaluatedAssignmentTarget;
import com.evolveum.midpoint.prism.PrismObject;
Expand All @@ -26,9 +25,7 @@
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ExclusionPolicyConstraintType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PolicyConstraintsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PolicyRuleType;

/**
* @author semancik
Expand Down Expand Up @@ -103,14 +100,14 @@ public Collection<ExclusionPolicyConstraintType> getExclusions() {
}
}

for (AssignmentType assignmentInTarget: target.asObjectable().getAssignment()) {
PolicyRuleType policyRule = assignmentInTarget.getPolicyRule();
if (policyRule != null && policyRule.getPolicyConstraints() != null) {
for (ExclusionPolicyConstraintType exclusionType: policyRule.getPolicyConstraints().getExclusion()) {
exclusions.add(exclusionType);
}
}
}
// for (AssignmentType assignmentInTarget: target.asObjectable().getAssignment()) {
// PolicyRuleType policyRule = assignmentInTarget.getPolicyRule();
// if (policyRule != null && policyRule.getPolicyConstraints() != null) {
// for (ExclusionPolicyConstraintType exclusionType: policyRule.getPolicyConstraints().getExclusion()) {
// exclusions.add(new ExclusionConstraintAndPolicyRule(exclusionType, policyRule));
// }
// }
// }
}

}
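Review bot: The old target-assignment loop is kept as a commented-out block instead of being deleted, so `getExclusions()` now returns only the exclusions declared directly on the target while dead code still references `ExclusionConstraintAndPolicyRule`, a type that is not imported in this file. Either delete the block (history keeps it) or replace it with one line stating the new division of responsibility, e.g. `// Rule-based exclusions are no longer collected here; they are evaluated from the assignment's policy rules (see the rule-based check added elsewhere in this commit).` The method's Javadoc, if any, should say the same, since callers may otherwise assume the result still covers rule-based constraints. `getExclusions()` starts outside the hunk; only its signature is visible in the hunk header.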
Expand Up @@ -22,6 +22,7 @@
import javax.xml.datatype.XMLGregorianCalendar;
import javax.xml.namespace.QName;

import com.evolveum.midpoint.model.impl.lens.*;
import com.evolveum.midpoint.prism.query.builder.QueryBuilder;
import com.evolveum.midpoint.prism.query.builder.S_AtomicFilterExit;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
Expand All @@ -42,16 +43,6 @@
import com.evolveum.midpoint.model.common.mapping.Mapping;
import com.evolveum.midpoint.model.common.mapping.MappingFactory;
import com.evolveum.midpoint.model.impl.controller.ModelUtils;
import com.evolveum.midpoint.model.impl.lens.AssignmentEvaluator;
import com.evolveum.midpoint.model.impl.lens.Construction;
import com.evolveum.midpoint.model.impl.lens.ConstructionPack;
import com.evolveum.midpoint.model.impl.lens.EvaluatedAssignmentTargetImpl;
import com.evolveum.midpoint.model.impl.lens.EvaluatedAssignmentImpl;
import com.evolveum.midpoint.model.impl.lens.ItemValueWithOrigin;
import com.evolveum.midpoint.model.impl.lens.LensContext;
import com.evolveum.midpoint.model.impl.lens.LensFocusContext;
import com.evolveum.midpoint.model.impl.lens.LensProjectionContext;
import com.evolveum.midpoint.model.impl.lens.LensUtil;
import com.evolveum.midpoint.prism.ItemDefinition;
import com.evolveum.midpoint.prism.Objectable;
import com.evolveum.midpoint.prism.PrismContainer;
Expand Down Expand Up @@ -1501,29 +1492,47 @@ private <F extends FocusType> void checkExclusion(LensContext<F> context, Evalua
}
for (EvaluatedAssignmentTargetImpl eRoleA: assignmentA.getRoles().getAllValues()) {
for (EvaluatedAssignmentTargetImpl eRoleB: assignmentB.getRoles().getAllValues()) {
checkExclusion(assignmentA, eRoleA, eRoleB);
checkExclusion(assignmentA, assignmentB, eRoleA, eRoleB);
}
}
}

private <F extends FocusType> void checkExclusion(EvaluatedAssignmentImpl<F> assignmentA, EvaluatedAssignmentTargetImpl roleA, EvaluatedAssignmentTargetImpl roleB) throws PolicyViolationException {
checkExclusionOneWay(assignmentA, roleA, roleB);
checkExclusionOneWay(assignmentA, roleB, roleA);
private <F extends FocusType> void checkExclusion(EvaluatedAssignmentImpl<F> assignmentA, EvaluatedAssignmentImpl<F> assignmentB, EvaluatedAssignmentTargetImpl roleA, EvaluatedAssignmentTargetImpl roleB) throws PolicyViolationException {
checkExclusionOneWayLegacy(assignmentA, roleA, roleB);
checkExclusionOneWayLegacy(assignmentA, roleB, roleA);
checkExclusionOneWayRuleBased(assignmentA, roleA, roleB);
checkExclusionOneWayRuleBased(assignmentB, roleB, roleA);
}

private <F extends FocusType> void checkExclusionOneWay(EvaluatedAssignmentImpl<F> assignmentA, EvaluatedAssignmentTargetImpl roleA, EvaluatedAssignmentTargetImpl roleB) throws PolicyViolationException {
private <F extends FocusType> void checkExclusionOneWayLegacy(EvaluatedAssignmentImpl<F> assignmentA, EvaluatedAssignmentTargetImpl roleA, EvaluatedAssignmentTargetImpl roleB) throws PolicyViolationException {
for (ExclusionPolicyConstraintType exclusionA : roleA.getExclusions()) {
ObjectReferenceType targetRef = exclusionA.getTargetRef();
if (roleB.getOid().equals(targetRef.getOid())) {
EvaluatedPolicyRuleTrigger trigger = new EvaluatedPolicyRuleTrigger(PolicyConstraintKindType.EXCLUSION, exclusionA,
"Violation of SoD policy: "+roleA.getTarget()+" excludes "+roleB.getTarget()+
", they cannot be assigned at the same time");
assignmentA.triggerConstraint(null, trigger);

checkAndTriggerExclusionConstraintViolation(assignmentA, roleA, roleB, exclusionA, null);
}
}

private <F extends FocusType> void checkExclusionOneWayRuleBased(EvaluatedAssignmentImpl<F> assignmentA, EvaluatedAssignmentTargetImpl roleA, EvaluatedAssignmentTargetImpl roleB) throws PolicyViolationException {
for (EvaluatedPolicyRule policyRule : assignmentA.getThisTargetPolicyRules()) { // or getTargetPolicyRules?
if (policyRule.getPolicyConstraints() != null) {
for (ExclusionPolicyConstraintType exclusionConstraint : policyRule.getPolicyConstraints().getExclusion()) {
checkAndTriggerExclusionConstraintViolation(assignmentA, roleA, roleB, exclusionConstraint, policyRule);
}
}
}
}


private <F extends FocusType> void checkAndTriggerExclusionConstraintViolation(EvaluatedAssignmentImpl<F> assignmentA,
EvaluatedAssignmentTargetImpl roleA, EvaluatedAssignmentTargetImpl roleB,
ExclusionPolicyConstraintType constraint, EvaluatedPolicyRule policyRule)
throws PolicyViolationException {
ObjectReferenceType targetRef = constraint.getTargetRef();
if (roleB.getOid().equals(targetRef.getOid())) {
EvaluatedPolicyRuleTrigger trigger = new EvaluatedPolicyRuleTrigger(PolicyConstraintKindType.EXCLUSION,
constraint, "Violation of SoD policy: " + roleA.getTarget() + " excludes " + roleB.getTarget() +
", they cannot be assigned at the same time");
assignmentA.triggerConstraint(policyRule, trigger);
}
}

private <F extends FocusType> void checkAssigneeConstraints(LensContext<F> context,
DeltaSetTriple<EvaluatedAssignmentImpl<F>> evaluatedAssignmentTriple,
OperationResult result) throws PolicyViolationException, SchemaException {
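Review bot: `checkAndTriggerExclusionConstraintViolation` dereferences `constraint.getTargetRef()` without a null check, so an exclusion constraint whose `targetRef` is unset (or, presumably, a `roleB` without an OID) throws a NullPointerException out of the new rule-based path — the same latent problem the legacy path had at the old `targetRef.getOid()` line, now reachable from two callers. Since an SoD constraint that cannot be matched should not be silently ignored, guard it with `if (targetRef == null || targetRef.getOid() == null) { /* reject as misconfigured policy */ }` and raise an explicit error rather than let the NPE escape or quietly skip the constraint. The `// or getTargetPolicyRules?` comment in `checkExclusionOneWayRuleBased` leaves the rule source undecided; because that method iterates all of `assignmentA`'s rules for every `roleA` the outer loops pass in, it appears each rule is re-evaluated once per role and the trigger message names `roleA` even when the rule belongs to a different target, which is worth resolving or turning into a concrete TODO. The two earlier hunks also replace ten explicit `com.evolveum.midpoint.model.impl.lens` imports with a wildcard import, a style regression worth reverting. `checkExclusion(LensContext, …)` starts outside the hunk and `checkAssigneeConstraints` continues past it.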
