diff --git a/infra/axiom/src/main/java/com/evolveum/axiom/lang/api/IdentifierSpaceKey.java b/infra/axiom/src/main/java/com/evolveum/axiom/lang/api/IdentifierSpaceKey.java index 7fe6d301e42..6d8826c6a52 100644 --- a/infra/axiom/src/main/java/com/evolveum/axiom/lang/api/IdentifierSpaceKey.java +++ b/infra/axiom/src/main/java/com/evolveum/axiom/lang/api/IdentifierSpaceKey.java @@ -56,4 +56,5 @@ public String toString() { public static IdentifierSpaceKey of(AxiomIdentifier key, Object value) { return from(ImmutableMap.of(key, value)); } + } diff --git a/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/BasicStatementRule.java b/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/BasicStatementRule.java index b2abd57db56..28c5d38d27d 100644 --- a/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/BasicStatementRule.java +++ b/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/BasicStatementRule.java @@ -24,7 +24,7 @@ public enum BasicStatementRule implements AxiomStatementRule { -/* + /* REQUIRE_REQUIRED_ITEMS(all(),all()) { @Override public void apply(Context rule) throws AxiomSemanticException { @@ -117,21 +117,13 @@ public void apply(Lookup context, ActionBuilder> typeDef = action.require(context.global(AxiomTypeDefinition.IDENTIFIER_SPACE, AxiomTypeDefinition.identifier(type))); typeDef.notFound(() -> action.error("type '%s' was not found.", type)); typeDef.unsatisfied(() -> action.error("Referenced type %s is not complete.", type)); - action.apply(ctx -> { - ctx.replace(typeDef.get()); - AxiomItemValue superType = typeDef.get(); - // Copy Identifiers - Optional> identifiers = superType.item(Item.IDENTIFIER_DEFINITION); - if(identifiers.isPresent()) { - ctx.parentValue().mergeItem(identifiers.get()); - }// Copy Items - Optional> items = superType.item(Item.ITEM_DEFINITION); - if(items.isPresent()) { - ctx.parentValue().mergeItem(items.get()); - } + action.apply(superTypeValue -> { + superTypeValue.replace(typeDef.get()); + addFromType(typeDef.get(), superTypeValue.parentValue()); }); } + }, IMPORT_DEFAULT_TYPES(all(), types(Type.MODEL)) { @@ -169,6 +161,7 @@ public void apply(Lookup context, ActionBuilder rule) throws AxiomSemanticException { }, */ ; -/* - ADD_SUPERTYPE(items(), types(Type.TYPE_DEFINITION)) { - - @Override - public void apply(Context rule) throws AxiomSemanticException { - Optional superType = action.optionalChildValue(Item.SUPERTYPE_REFERENCE, AxiomIdentifier.class); - if(superType.isPresent()) { - Requirement> req = action.requireGlobalItem(Item.TYPE_DEFINITION, superType.get()); - action.apply((ctx) -> { - //ctx.builder().add(Item.SUPERTYPE_REFERENCE, req.get()); - }); - action.errorMessage(() -> { - if(!req.isSatisfied()) { - return action.error("Supertype %s is not defined", superType.get()); - } - return null; - }); - } - } - };*/ private final Set items; private final Set types; @@ -264,4 +237,18 @@ private static ImmutableSet all() { private static IdentifierSpaceKey namespaceId(String uri) { return IdentifierSpaceKey.of(Item.NAMESPACE.name(), uri); } + + public static void addFromType(AxiomItemValue source, AxiomValueContext target) { + AxiomItemValue superType = source; + // FIXME: Add namespace change if necessary + // Copy Identifiers + Optional> identifiers = superType.item(Item.IDENTIFIER_DEFINITION); + if(identifiers.isPresent()) { + target.mergeItem(identifiers.get()); + }// Copy Items + Optional> items = superType.item(Item.ITEM_DEFINITION); + if(items.isPresent()) { + target.mergeItem(items.get()); + } + } } diff --git a/infra/axiom/src/main/resources/axiom-lang.axiom b/infra/axiom/src/main/resources/axiom-lang.axiom index 0911a54d50a..c9834ab3328 100644 --- a/infra/axiom/src/main/resources/axiom-lang.axiom +++ b/infra/axiom/src/main/resources/axiom-lang.axiom @@ -57,26 +57,6 @@ model axiom-lang { item extension { type AxiomExtensionDefinition; } - - // TODO move to prism schema; consider renaming to objectType? - item object { - type PrismObjectDefinition; - } - - // TODO move to prism schema; consider renaming to containerType? - item container { - type PrismContainerDefinition; - } - - // TODO move to prism schema; consider renaming to referenceType? - item reference { - type PrismReferenceDefinition; - } - - // TODO move to prism schema - item item { - type PrismItemDefinition; - } } type AxiomImportDeclaration { @@ -161,21 +141,6 @@ model axiom-lang { type AxiomIdentifierDefinition; } - // TODO move to prism schema - item object { - type boolean; - } - - // TODO move to prism schema - item container { - type boolean; - } - - // TODO move to prism schema - item objectReference { - type boolean; - } - // TODO reconsider this - strictly speaking this is part of "global type+item definition combo" item itemName { type AxiomIdentifier; @@ -242,23 +207,4 @@ model axiom-lang { extends string; } - // TODO move to prism schema; probably should be prism:ObjectDefinition - type PrismObjectDefinition { - extends AxiomTypeDefinition; - } - - // TODO move to prism schema; probably should be prism:ContainerDefinition - type PrismContainerDefinition { - extends AxiomTypeDefinition; - } - - // TODO move to prism schema; probably should be prism:ReferenceDefinition - type PrismReferenceDefinition { - extends AxiomTypeDefinition; - } - - // TODO move to prism schema; probably should be prism:ItemDefinition - type PrismItemDefinition { - extends AxiomItemDefinition; - } } diff --git a/infra/axiom/src/test/resources/prism/common-core.axiom b/infra/axiom/src/test/resources/prism/common-core.axiom new file mode 100644 index 00000000000..83b95e6c0b4 --- /dev/null +++ b/infra/axiom/src/test/resources/prism/common-core.axiom @@ -0,0 +1,1220 @@ +// Copyright (c) 2020 Evolveum and contributors +// +// This work is dual-licensed under the Apache License 2.0 +// and European Union Public License. See LICENSE file for details. + +// This is "common-core.axiom" file containing core definitions from the common-3 namespace. +// Due to its size the common-3 schema is distributed across multiple files. + +model common-core { + + namespace "http://midpoint.evolveum.com/xml/ns/public/common/common-3"; + version "3.0.0"; + + import prism { + namespace "http://midpoint.evolveum.com/xml/ns/public/common/prism"; + } + + type Object { + prism:object; + itemName object; + documentation """ + Common supertype for all identity objects. Defines basic properties + that each object must have to live in our system (identifier, name). + + All objects are identified by OID. The OID is an immutable identifier + (usually UUID). Except the OID all the objects have human-readable name. + The name is usually unique for each object type, but this is not a + strict requirement. + + Note: object type is fixed, it cannot be changed. The object retains its + type from the time it was created to the end of its life. + """; + item name { + type PolyString; + documentation """ + Human-readable, mutable name of the object. It + may also be an identifier (login name, group name). + It is usually unique in the respective context of + interpretation. E.g. the name of the UserType subtype + is usually unique in the whole system. + The name of the ShadowType subtype is usually unique in the + scope of resource (target system) that it belongs to. + + The name may not be human-readable in a sense to display + to a common end-user. It is intended to be displayed to + IDM system administrator. Therefore it may contain quite + a "ugly" structures such as LDAP DN or URL. + + Name is mutable. It is considered to be ordinary property + of the object. Therefore it can be changed by invoking + usual modifyObject operations. However, change of the name + may have side effects (rename process). + + Although name is specified as optional by this schema, it + is in fact mandatory for most object types. The reason for + specifying the name as optional is that the name may be + generated by the system instead of supplied by the clients. + However, all objects stored in the repository must have a name. + """; + // ObjectType.name + // 0 + // true + } + + // Note: the description property is referenced from various contexts (e.g. Object and Assignment). + // To avoid duplication we use global property definition. + // item description; // TODO make this work + + // The same is true for documentation. + // item documentation; // TODO make this work + + item subtype { + type string; + maxOccurs unbounded; + documentation """ + Type of the object. It is used to distinguish what a specific object + represents. Whether it is a different kind of organizational unit, project, + team, or different kind of user, etc. + """; + // ObjectType.subtype + // 15 + } + + item fetchResult { + type OperationResult; + documentation """ + Result of the operation that fetched this instance of the object. + It is mostly used to indicate that the object is not complete or + there is some problem with the object. This is used instead of + exception if the object is part of larger structures (lists as in + list/search operations or composite objects). If not present then + the "SUCCESS" state is assumed. + + This field is TRANSIENT. It must only be used in runtime. It should + never be stored in the repository. + """; + // a:operational + } + + // item extension; // TODO make this work + + item trigger { + type Trigger; + maxOccurs unbounded; + documentation """ + Triggers for this object. They drive invocations of corresponding trigger handlers + at specified time. + """; + // a:operational + } + + item parentOrg { // TODO or should we use 'Ref' suffix i.e. 'parentOrgRef'? + type ObjectReference; + maxOccurs unbounded; + documentation """ + Set of the orgs (organizational units, projects, teams) that the object relates to. + This usually means that the object belongs to them but it may have other meanings as well + (e.g. user manages an organizational unit). + """; + // tns:OrgType + // OrgType.parentOrganization + // 240 + // + } + + item tenant { + type ObjectReference; + documentation """ + Reference to the tenant to which this object belongs. It is a computed value set automatically + by midPoint. It is determined from the organizational structure. Even though this value is + computed it is also stored in the repository due to performance reasons. + """; + // tns:OrgType + // OrgType.tenant + // 250 + // true + } + + item lifecycleState { + type string; + documentation """ + Lifecycle state of the object. This property defines whether the + object represents a draft, proposed definition, whether it is active, + deprecated, and so on. + + There are few pre-defined lifecycle states. But custom lifecycle states + may also be defined. Pre-defined lifecycle states are: + + - draft: Definition of the new object in progress. The object is + NOT active. The definition may change at any moment. It is + not ready yet. + - proposed: Definition of a new object is ready for use, but there + is still a review process to be applied (e.g. approval). + The object is NOT active. However the definition should + not change in this state. + - active: Active and working definition. Ready to be used without + any unusual limitations. + - deprecated: Active definition which is being phased out. The + definition is still fully operational. But it should not + be used for new assignments. E.g. it should not be requested, + it should not be approved, etc. + - archived: Inactive historical definition. It is no longer used. + It is maintained only for historical, auditing and + sentimental reasons. + - failed: Unexpected error has occurred during object lifecycle. Result + of that event is that the object is rendered inactive. + The situation cannot be automatically remedied. Manual action + is needed. + """; + // ObjectType.lifecycleState + // 20 + since "3.5"; + // + } + + item operationExecution { + type OperationExecution; + maxOccurs unbounded; + documentation """ + Description of recent operations executed on this object (or related objects, e.g. shadows + in case of a focal object). The number of operations to be kept here is configurable. + """; + since "3.6"; + // true + } + + item lensContext { + type LensContext; + documentation """ + Model context describing executed operation. + """; + since "4.0"; + // true + } + + item policySituation { + type uri; + maxOccurs unbounded; + documentation """ + The policy situation(s) of this object. The situations are result of + evaluation of the policy rules. This property is recorded for each object + and can be used for reporting, diagnostics, target selection in certification + campaigns, etc. + """; + since "3.5"; + // true + } + + item policyException { + type PolicyException; + maxOccurs unbounded; + documentation """ + Recorded exception from a policy rule. The exceptions that are approved are + recoded here to avoid re-evaluating and re-approving them all the time. + This is EXPERIMENTAL functionality. It is likely to change in the near future. + """; + since "3.5"; + // true + } + + item diagnosticInformation { + type DiagnosticInformation; + maxOccurs unbounded; + documentation """ + Diagnostic information attached to this object. + """; + since "4.0"; + // true + } + + // Note that oid and version are not defined here. These are intrinsic parts of prism objects + // so they do not have to be mentioned in the schema. + // TODO: is this OK? See also related questions in ObjectReference type. + } + + type AssignmentHolder { + extends Object; + itemName assignmentHolder; + documentation """ + Abstract supertype for all object types that can have assignments. + """; + + item assignment { + type Assignment; + maxOccurs unbounded; + documentation """ + Set of object's assignments. + Assignments define the privileges and "features" that this object should have, that + this object is entitled to. Typical assignment will point to a role or define + a construction of an account. + + Assignments represent what the object SHOULD HAVE. The assignments represent a policy, + a desired state of things (cf. linkRef). + """; + // FocusType.assignmentKey + } + + item iteration { + type int; // TODO + documentation """ + Iteration number. Starts with 0. It is used to iteratively find unique identifier + for the object. + """; + // true + } + + item iterationToken { + type string; + documentation """ + Iteration token. String value that is usually a suffix to the identifier based + on iteration number. E.g. ".007". It is used to iteratively find unique identifier + for the object. + """; + // true + } + + item archetype { + type ObjectReference; + maxOccurs unbounded; + documentation """ + References to all applicable archetypes, including "indirect" archetypes such as archetype supertypes. + Contains references to active archetypes only. + + Note: the value of this reference is only updated when object is recomputed. + Therefore if a role definition changes then all the affected objects must be recomputed + for this reference to be consistent. + + This is an operational property. It is set and managed by the system. It is used + for efficient use of archetypes. + """; + // tns:ArchetypeType + // true + // AssignmentHolderType.archetypeRef + since "4.0"; + } + + item roleMembership { + type ObjectReference; + maxOccurs unbounded; + documentation """ + References to abstract roles (roles, orgs, services) that this focus currently belongs to - directly + or indirectly. This reference points to all the roles in the role hierarchy. It only points to + the roles that were evaluated as active during last recompute (conditions were true, validity + constraints not violated). + + Note: the value of this reference is only updated when a focal object is recomputed. + Therefore if a role definition changes then all the affected focal objects must be recomputed + for this reference to be consistent. + + Roles mentioned here are those that are NOT obtained via delegation, i.e. "deputy" relations. + Relations acquired by delegation are listed in delegatedRef item. + + This is an operational property. It is set and managed by the system. It is used + for efficient search of all current role members, e.g. for the purpose of displaying this + information in the GUI. + """; + // tns:AbstractRoleType + // true + // FocusType.roleMembershipRef + } + + item delegated { + type ObjectReference; + maxOccurs unbounded; + documentation """ + References to objects (abstract roles as well as users) obtained via delegation. + If A1 is a deputy of A, its delegatedRef contains a union of A, A.roleMembershipRef and + A.delegatedRef. + + This is an operational property. It is set and managed by the system. It is used + for efficient search of all current role members, e.g. for the purpose of displaying this + information in the GUI. + """; + // tns:FocusType + // true + since "3.5"; + } + + item roleInfluence { + type ObjectReference; + maxOccurs unbounded; + documentation """ + References to abstract roles (roles and orgs) that this focus may directly belong to. + This reference only points to the next role in the hierarchy. However, it is backed by + a "closure" index in the repository subsystem. Therefore it can efficiently support tree-like + queries. This reference points to the roles for whose the condition is not true. + Therefore it does not reliably show + who actually has a role. It shows potential role members - all the object that are possibly + influenced when a role definition changes. + + This is an operational property. It is set and managed by the system. It is used + for efficient search of all possible role members, e.g. for the purpose of recomputing + all role members after the role definition is changed. + + TODO. NOT IMPLEMENTED YET. EXPERIMENTAL. UNSTABLE. + """; + // tns:AbstractRoleType + // true + } + } + + type Focus { + extends AssignmentHolder; + itemName focus; + documentation """ + Abstract supertype for all object types that can be focus of full midPoint computation. + This basically means objects that have projections. But focal objects also have + activation, they may have personas, etc. + """; + item link { + type ObjectReference; + maxOccurs unbounded; + documentation """ + Set of shadows (projections) linked to this focal object. + E.g. a set of accounts linked to a user. This is the set of + shadows that belongs to the focal object in a sense + that these shadows represents the focal object on the resource. + E.g. The set of accounts that represent the same midPoint user (the + same physical person, they are "analogous"). + + Links define what the object HAS. The links reflect real state of things + (cf. assignment). + """; + // tns:ShadowType + } + + item persona { + type ObjectReference; + maxOccurs unbounded; + documentation """ + Set of personas linked to this focal object. + E.g. a set of virtual identities linked to a user. This is the set of + "secondary" focal objects that belongs to this focal object in a sense + that the current focal object is in control over the linked focal objects. + E.g. this reference can be used to link user object which specified a physical + person with his virtual identities (personas) that specify his identity as an + employee, system administrator, customer, etc. + The default meaning is that the personas are "analogous", i.e. the represent + different facets of the same physical person. However, this meaning may be + theoretically overridden by using various relation parameters in this reference. + + This reference define what the object HAS. The links reflect real state of + things (cf. assignment). + """; + // tns:FocusType + since "3.6"; + } + + item activation { + type Activation; + } + + item jpegPhoto { + type binary; + documentation """ + Photo corresponding to the user / org / role / service. + """; + // FocusType.jpegPhoto + } + + item costCenter { + type string; + documentation """ + The name, identifier or code of the cost center to which the object belongs. + + Please note that organization objects (OrgType) also have a costCenter property. + Therefore it is usual that if a user belongs to an organization the costCenter from + the organization is used. Therefore this property is usually used only for users that + do not belong to any organization or for users that have different cost center than + the one defined by the organization. + """; + // FocusType.costCenter + // 420 + } + + item locality { + type PolyString; + documentation """ + Primary locality of the object, the place where + the (e.g.) user usually works, the country, city or + building that he belongs to. The specific meaning + and form of this property is deployment-specific. + """; + // FocusType.locality + // 450 + } + + item preferredLanguage { + type string; + documentation """ + Indicates user's preferred language, usually for the purpose of localizing + user interfaces. The format is IETF language tag defined in BCP 47, where + underscore is used as a subtag separator. This is usually a ISO 639-1 two-letter + language code optionally followed by ISO 3166-1 two letter country code + separated by underscore. The languages that do not have country-specific + variants are usually specified by using a two-letter country code ("sk", + "cs", "tr"). Languages with country-specific variants have country-specific + subtags ("pt_BR", "zn_CN"). + If no value is specified in this property then system default locale is assumed. + + Examples: + - en_US + - sk + - cs + - pt_BR + """; + // FocusType.preferredLanguage + // 200 + // + } + + item locale { + type string; + documentation """ + Defines user's preference in displaying currency, dates and other items + related to location and culture. The format is IETF language tag defined in BCP 47, where + underscore is used as a subtag separator. This is usually a ISO 639-1 two-letter + language code optionally followed by ISO 3166-1 two letter country code + separated by underscore. The languages that do not have country-specific + variants are usually specified by using a two-letter country code ("sk", + "cs", "tr"). Languages with country-specific variants have country-specific + subtags ("pt_BR", "zn_CN"). + If not specified then system default locale is assumed. + + Examples: + - en_US + - sk + - cs + - pt_BR + """; + // FocusType.locale + // 210 + // + } + + item timezone { + type string; + documentation """ + User's preferred timezone. It is specified in the "tz database" (a.k.a "Olson") + format. If not specified then system default timezone is assumed. + + Examples: + - Europe/Bratislava + """; + // FocusType.timezone + // 220 + // + } + + item emailAddress { + type string; + documentation """ + E-Mail address of the user, org. unit, etc. This is the address + supposed to be used for communication with the + user, org. unit, etc. E.g. IDM system may send notifications + to the e-mail address. It is NOT supposed to be + full-featured e-mail address data structure + e.g. for the purpose of complex address-book application. + """; + // FocusType.emailAddress + // 300 + } + + item telephoneNumber { + type string; + documentation """ + Primary telephone number of the user, org. unit, etc. + """; + // FocusType.telephoneNumber + // 310 + } + + item credentials { + type Credentials; + documentation """ + The set of focus's credentials (such as passwords). + """; + // FocusType.credentials + } + } + + type User { + extends Focus; + documentation """ + User object represents a physical user of the system. + It differs from the account, as "account" represents a data structure in a target system while + "user" represents data structure in midPoint. One user typically has many accounts. + Properties of User object typically describe the user as a physical person. + Therefore the user object defines handful of properties that are commonly used to describe users + in the IDM solutions (employees, customers, partners, etc.) Custom extensions are possible by utilizing + the "extension" container. + """; + + item fullName { + type PolyString; + documentation """ + Full name of the user with all the decorations, + middle name initials, honorific title and any + other structure that is usual in the cultural + environment that the system operates in. This + element is intended to be displayed to + a common user of the system. + + Examples: + - cpt. Jack Sparrow + - William "Bootstrap" Turner + - James W. Random, PhD. + - Vladimir Iljic Lenin + - Josip Broz Tito + - Chuck Norris + """; + // UserType.fullName + // 100 + // true + } + + item givenName { + type PolyString; + documentation """ + Given name of the user. It is usually the first + name of the user, but the order of names may + differ in various cultural environments. This + element will always contain the name that was + given to the user at birth or was chosen + by the user. + + Examples: + - Jack + - Chuck + """; + // UserType.givenName + // 110 + // true + } + + item familyName { + type PolyString; + documentation """ + Family name of the user. It is usually the last + name of the user, but the order of names may + differ in various cultural environments. This + element will always contain the name that was + inherited from the family or was assigned + to a user by some other means. + + Examples: + - Sparrow + - Norris + """; + // UserType.familyName + // 120 + // true + } + + item additionalName { + type PolyString; + documentation """ + Middle name, patronymic, matronymic or any other name of a person. It is usually the + middle component of the name, however that may be culture-dependent. + + Examples: + - Walker + - John + - Iljic + """; + // UserType.additionalName + // 130 + } + + item nickName { + type PolyString; + documentation """ + Familiar or otherwise informal way to address a person. + + Examples: + - Bootstrap + - Bobby< + + The meaning of this property is to take part in the formatted full + name of the person, e.g. William "Bootstrap" Turner. It is not intended + to be used as a username or login name. This value is usually changeable + by the user itself and it defines how the user wants other to address him. + Therefore it is not ideal for use as an identifier. + """; + // UserType.nickname + // 140 + } + + item honorificPrefix { + type PolyString; + documentation """ + Honorific titles that go before the name. + Examples: + - cpt. + - Ing. + - Sir + + This property is single-valued. If more + than one title is applicable, they have to be represented in + a single string (concatenated) form in the correct order. + """; + // UserType.honorificPrefix + // 150 + } + + item honorificSuffix { + type PolyString; + documentation """ + Honorific titles that go after the name. + + Examples: + - PhD. + - KBE + + This property is single-valued. If more + than one title is applicable, they have to be represented in + a single string (concatenated) form in the correct order. + """; + // UserType.honorificSuffix + // 160 + } + + item title { + type PolyString; + documentation """ + User's title defining a work position or a primary role in the + organization. + Examples: + - CEO + - Security Officer + - Assistant + """; + // UserType.title + // 170 + } + + item employeeNumber { + type string; + documentation """ + Unique, business-oriented identifier of the employee. + Typically used as correlation identifier and for + auditing purposes. Should be immutable, but the + specific properties and usage are deployment-specific. + """; + // UserType.employeeNumber + // 400 + } + + item employeeType { + type string; + maxOccurs unbounded; + documentation """ + Employee type specification such as internal employee, + external or partner. The specific values are + deployment-specific. However it is generally assumed that this + will be enumeration of several type names or codes that define + "classes" of users. + + Even though this property is named "employeeType" due to the historical + reasons it is used in a more generic way to mean general type of user. + Therefore it can be used to distinguish employees from customers, etc. + + DEPRECATED: Use ObjectType.subtype + """; + // UserType.employeeType + // 410 + // true + // 3.8 + } + item organization { + type PolyString; + maxOccurs unbounded; + documentation """ + Name or (preferably) immutable identifier of organization that the user belongs to. + The format is deployment-specific. This property together with organizationalUnit + may be used to provide easy-to-use data about organizational membership of the user. + + This is multi-valued property to allow membership of a user to several + organizations. Please note that midPoint does not maintain ordering in + multi-value properties therefore this is not usable to model a complex + organization hierarchies. Use OrgType instead. + """; + // UserType.organization + // 430 + } + + item organizationalUnit { + type PolyString; + maxOccurs unbounded; + documentation """ + Name or (preferably) immutable identifier of organizational unit that the user belongs to. + The format is deployment-specific. This property together with organization + may be used to provide easy-to-use data about organizational membership of the user. + + This is multi-valued property to allow membership of a user to several + organizational units. Please note that midPoint does not maintain ordering in + multi-value properties therefore this is not usable to model a complex + organization hierarchies. Use OrgType instead. + """; + // UserType.organizationalUnit + // 440 + } + item adminGuiConfiguration { + type AdminGuiConfiguration; + documentation """ + Specifies the admin GUI configuration that should be used + by this user. + """; + since "3.5"; + // AdminGuiConfigurationType.adminGuiConfiguration + } + } + + type ObjectReference { + prism:objectReference; + documentation """ + Reference to an object. It contains OID of the object that it + refers to. + """; + + // item description; // TODO make this work + + // item documentation; // TODO make this work + + item filter { + type SearchFilter; // TODO namespace of "query-3" + documentation """ + Filter that can be used to dynamically lookup the reference OID e.g. during imports. + It must not be used for normal operations. The filter may be stored in the repository + to avoid data loss. But even if it is stored it will not be used beyond initial + import or unless explicitly requested (e.g. by setting resolutionTime). + + Note: The filter will NOT be used if the OID in the reference is set. The OID always takes + precedence. + """; + } + + item resolutionTime { + type EvaluationTime; + // TODO defaultValue "import"; + documentation """ + Definition of the "time" when the reference will be resolved. Resolving the reference means using + the filter to get object(s) or OID(s). + + Import-time resolution means that the reference will be resolved once when the file is imported. + OID will be recorded in the reference and then only the OID will be used to follow the reference. + This is a very efficient method and it is the default. + + Run-time resolution means that the reference will be resolved every time that the reference is + evaluated. This is less efficient but it provides great flexibility as the filter may contain + expressions and therefore the reference target may dynamically change. + """; + } + + item referentialIntegrity { + type ReferentialIntegrity; + // TODO defaultValue "default"; + documentation """ + Definition of the behavior related to non-existence of object with specified target OID. + (Currently supported only at selected places in midPoint.) + """; + since "4.1"; + } + + item targetName { + type PolyString; + documentation """ + Cached name of the target object. + This is a ephemeral value. It is not stored in the repository. + It may be computed at object retrieval time or it may not be present at all. + This is NOT an authoritative information. Setting it or changing it will + not influence the reference meaning. OID is the only authoritative linking + mechanism. + """; + } + + // TODO what about (attributes) oid, type, and relation? + // Should they be listed here even if they are defined in PrismReferenceValue? + // But if not, why should we list filter, resolution time, referential integrity here, + // as they are also defined in PrismReferenceValue. + } + + mixin Description { + item description { + type string; + documentation """ + Free-form textual description of the object. It is supposed to describe + the object or a construct that it is attached to. + + This information may be presented to midPoint users, even to ordinary end users. + For example role description may be presented to users when they are selecting + roles to request. Therefore the description should be written in a language that + the users can understand. + + Description is assumed to be a plan, non-formatted text. + Amount of white space is considered insignificant. E.g. leading and trailing + white space may be skipped, multiple spaces can be collapsed to one and so on. + """; + // ObjectType.description + // 10 + } + } + + mixin Documentation { + item documentation { + type string; + documentation """ + Technical documentation for a particular object or construct. + + The purpose of this element is to document system configuration and behavior. + The documentation will not be presented to end users. In fact, it will probably + not be presented at all in midPoint user interface. This documentation element + is supposed to be a part of the technical documentation of midPoint deployment. + The tools than generate deployment configuration will look for these elements + and combine them to compiled documentation document. + + AsciiDoc formatting is assumed for this element. Any leading or trailing + whitespace is skipped. Indentation equivalent to he indentation of the first + non-blank line of text is also skipped. + """; + // ObjectType.documentation + // 11 + } + } + + // Example of short version of container definition. + prism:container { + name Assignment; + itemName assignment; + + // item description; // TODO make this work + // item documentation; // TODO make this work + // item extension; // TODO make this work + + // ... + } + + prism:container { + name Extension; + itemName extension; + documentation """ + Extension container that provides generic extensibility mechanism. + Almost any extension property can be placed in this container. + This mechanism is used to extend objects with new properties. + The extension is treated exactly the same as other object + properties by the code (storage, modifications, etc), except + that the system may not be able to understand their meaning. + """; + // ObjectType.extension + // 1000 + } + + prism:object GenericObject { + extends Focus; + itemName genericObject; + documentation """ + Generic object for storing unknown (unexpected) object types. + + The generic object should be used if there is a need to + store a custom object (e.g KangarooType) at deployment-time. + The properties of such custom objects are to be placed in the + extension part of this object. The schema is not checked or + enforced for this type of objects if technically possible. + """; + item objectType { + type uri; // TODO + // deprecated + } + } + + prism:container Trigger { + itemName trigger; + documentation """ + Defines triggers for an object. Trigger is an action that should take place + at specified time or under some other condition. + """; + item timestamp { + type dateTime; // TODO + documentation """ + The time when a trigger needs to be activated. + """; + } + item handlerUri { + type uri; // TODO + documentation """ + Handler URI indirectly specifies which class is responsible to handle the task. The handler will + to be used to handle trigger activation. + """; + } + item originDescription { + type string; + documentation """ + Short description of trigger origin, e.g. name of the mapping. + Used for diagnostic purposes. + """; + // true + since "4.0"; + } + item extension { // TODO + type Extension; + documentation """ + Extension container used to provide additional situation-specific information to the trigger. + """; + } + } + + prism:container Metadata { + itemName metadata; + documentation """ + Meta-data about data creation, modification, etc. + It may apply to objects but also parts of the object (e.g. assignments). + + Meta-data only apply to successful operations. That is obvious for create, but it also applies + to modify. For obvious reasons there are no metadata about delete. + We keep no metadata about reading. That would be a huge performance hit. + + Meta-data only describe the last operation of its kind. E.g. there is a record of last + modification, last approval, etc. There is no history. The last operation overwrites data + about the previous operation. + + These data are informational only. They should not be used for security purposes (use auditing + subsystem for that). But presence of metadata simplifies system administration and may provide + some basic information "at the glance" which may be later confirmed by the audit logs. + + Meta-data are also supposed to be searchable. Therefore they may be used to quickly find + "candidate" objects for a closer examination. + """; + // true + // + // Metadata + + item requestTimestamp { + type dateTime; + documentation """ + The timestamp of "create" operation request. It is set once and should never be changed. + + In case of "background" processes to create object (e.g. create with approval) + this should be the timestamp when the process started. I.e. the timestamp when + the operation was requested. + """; + // MetadataType.requestTimestamp + // true + since "3.5"; + // + } + + item requestor { + type ObjectReference; + documentation """ + Reference to the user that requested the "create" operation for this object or assignment. + """; + // MetadataType.requestorRef + // true + // tns:UserType + // + } + + item requestorComment { + type string; + documentation """ + Comment of the user that requested the "create" operation for this object or assignment. + """; + // MetadataType.requestorComment + // true + since "3.7"; + } + + item createTimestamp { + type dateTime; + documentation """ + The timestamp of data creation. It is set once and should never be changed. + + In case of "background" processes to create object (e.g. create with approval) + this should be the timestamp when the process ended. I.e. the timestamp when + the operation was executed. + """; + // MetadataType.createTimestamp + // true + // true + since "3.5"; + } + + item creator { + type ObjectReference; + maxOccurs unbounded; + documentation """ + Reference to the user that approved the creation of the data (if there was such a user). + This is multi-value reference therefore multiple approvers may be recorded. However the order and + hierarchy of the approvers is lost. + """; + // MetadataType.createApproverRef + // true + // true + // tns:UserType + } + + item createApproverComment { + type string; + maxOccurs unbounded; + documentation """ + Comments of the approvers during the creation of the data. Note that these comments are in no + particular order, so basically it is not known who entered which comment. + """; + // MetadataType.createApprovalComment + // true + since "3.7"; + } + + item createApprovalTimestamp { + type dateTime; + documentation """ + The timestamp of creation approval. + """; + // MetadataType.createApprovalTimestamp + // true + since "3.5"; + } + + item createChannel { + type uri; + documentation """ + Channel in which the object was created. + """; + // MetadataType.createChannel + // true + // true + } + + item createTask { + type ObjectReference; + documentation """ + Reference to the task that created the object (if it was a persistent one). + """; + // MetadataType.createTaskRef + // true + // tns:TaskType + since "3.7"; + } + + item modifyTimestamp { + type dateTime; + // MetadataType.modifyTimestamp + // true + // true + } + + item modifier { + type ObjectReference; + // MetadataType.modifierRef + // true + // true + // tns:UserType + } + + item modifyApprover { + type ObjectReference; + maxOccurs unbounded; + // MetadataType.modifyApproverRef + // true + // true + // tns:UserType + } + + item modifyApprovalComment { + type string; + maxOccurs unbounded; + // MetadataType.modifyApprovalComment + // true + since "3.7"; + } + + item modifyChannel { + type uri; + // MetadataType.modifyChannel + // true + // true + } + + item modifyTask { + type ObjectReference; + // MetadataType.modifyTaskRef + // true + // tns:TaskType + since "3.7"; + } + + item lastProvisioningTimestamp { + type dateTime; + // MetadataType.lastProvisioningTimestamp + // true + since "3.6.1"; + } + + item certificationFinishedTimestamp { + type dateTime; + // MetadataType.certificationFinishedTimestamp + // true + since "3.7"; + } + + item certificationOutcome { + type string; + // MetadataType.certificationOutcome + // true + since "3.7"; + } + + item certifier { + type ObjectReference; + // MetadataType.certifierRef + // true + // tns:UserType + since "3.7"; + } + + item certifierComment { + type string; + maxOccurs unbounded; + // MetadataType.certifierComment + // true + since "3.7"; + } + + item originMappingName { + type string; + // MetadataType.originMappingName + // true + since "3.7"; + } + } + + // axiom + + // types-3 + type PolyString; + + // query-3 + type SearchFilter; + type EvaluationTime; + type ReferentialIntegrity; + + // ??? + // type Extension; + + // common-3 + type OperationResult; + type OperationExecution; + type LensContext; + type PolicyException; + type DiagnosticInformation; + type Credentials; + type AdminGuiConfiguration; + type Activation; + + // should exist because of "container XXX" + // Already defined + // type Trigger; + // type Assignment; + +} diff --git a/infra/axiom/src/test/resources/prism/common-core.prism b/infra/axiom/src/test/resources/prism/common-core.prism new file mode 100644 index 00000000000..f8b4f02e6f3 --- /dev/null +++ b/infra/axiom/src/test/resources/prism/common-core.prism @@ -0,0 +1,1216 @@ +// Copyright (c) 2020 Evolveum and contributors +// +// This work is dual-licensed under the Apache License 2.0 +// and European Union Public License. See LICENSE file for details. + +// This is "common-core.axiom" file containing core definitions from the common-3 namespace. +// Due to its size the common-3 schema is distributed across multiple files. + +prism:model common-core { + + namespace "http://midpoint.evolveum.com/xml/ns/public/common/common-3"; + version "3.0.0"; + + import prism { + namespace "http://midpoint.evolveum.com/xml/ns/public/common/prism"; + } + + type Object { + object; + itemName object; + documentation """ + Common supertype for all identity objects. Defines basic properties + that each object must have to live in our system (identifier, name). + + All objects are identified by OID. The OID is an immutable identifier + (usually UUID). Except the OID all the objects have human-readable name. + The name is usually unique for each object type, but this is not a + strict requirement. + + Note: object type is fixed, it cannot be changed. The object retains its + type from the time it was created to the end of its life. + """; + item name { + type PolyString; + documentation """ + Human-readable, mutable name of the object. It + may also be an identifier (login name, group name). + It is usually unique in the respective context of + interpretation. E.g. the name of the UserType subtype + is usually unique in the whole system. + The name of the ShadowType subtype is usually unique in the + scope of resource (target system) that it belongs to. + + The name may not be human-readable in a sense to display + to a common end-user. It is intended to be displayed to + IDM system administrator. Therefore it may contain quite + a "ugly" structures such as LDAP DN or URL. + + Name is mutable. It is considered to be ordinary property + of the object. Therefore it can be changed by invoking + usual modifyObject operations. However, change of the name + may have side effects (rename process). + + Although name is specified as optional by this schema, it + is in fact mandatory for most object types. The reason for + specifying the name as optional is that the name may be + generated by the system instead of supplied by the clients. + However, all objects stored in the repository must have a name. + """; + // ObjectType.name + // 0 + // true + } + + // Note: the description property is referenced from various contexts (e.g. Object and Assignment). + // To avoid duplication we use global property definition. + // item description; // TODO make this work + + // The same is true for documentation. + // item documentation; // TODO make this work + + item subtype { + type string; + maxOccurs unbounded; + documentation """ + Type of the object. It is used to distinguish what a specific object + represents. Whether it is a different kind of organizational unit, project, + team, or different kind of user, etc. + """; + // ObjectType.subtype + // 15 + } + + item fetchResult { + type OperationResult; + documentation """ + Result of the operation that fetched this instance of the object. + It is mostly used to indicate that the object is not complete or + there is some problem with the object. This is used instead of + exception if the object is part of larger structures (lists as in + list/search operations or composite objects). If not present then + the "SUCCESS" state is assumed. + + This field is TRANSIENT. It must only be used in runtime. It should + never be stored in the repository. + """; + // a:operational + } + + // item extension; // TODO make this work + + item trigger { + type Trigger; + maxOccurs unbounded; + documentation """ + Triggers for this object. They drive invocations of corresponding trigger handlers + at specified time. + """; + // a:operational + } + + item parentOrg { // TODO or should we use 'Ref' suffix i.e. 'parentOrgRef'? + type ObjectReference; + maxOccurs unbounded; + documentation """ + Set of the orgs (organizational units, projects, teams) that the object relates to. + This usually means that the object belongs to them but it may have other meanings as well + (e.g. user manages an organizational unit). + """; + // tns:OrgType + // OrgType.parentOrganization + // 240 + // + } + + item tenant { + type ObjectReference; + documentation """ + Reference to the tenant to which this object belongs. It is a computed value set automatically + by midPoint. It is determined from the organizational structure. Even though this value is + computed it is also stored in the repository due to performance reasons. + """; + // tns:OrgType + // OrgType.tenant + // 250 + // true + } + + item lifecycleState { + type string; + documentation """ + Lifecycle state of the object. This property defines whether the + object represents a draft, proposed definition, whether it is active, + deprecated, and so on. + + There are few pre-defined lifecycle states. But custom lifecycle states + may also be defined. Pre-defined lifecycle states are: + + - draft: Definition of the new object in progress. The object is + NOT active. The definition may change at any moment. It is + not ready yet. + - proposed: Definition of a new object is ready for use, but there + is still a review process to be applied (e.g. approval). + The object is NOT active. However the definition should + not change in this state. + - active: Active and working definition. Ready to be used without + any unusual limitations. + - deprecated: Active definition which is being phased out. The + definition is still fully operational. But it should not + be used for new assignments. E.g. it should not be requested, + it should not be approved, etc. + - archived: Inactive historical definition. It is no longer used. + It is maintained only for historical, auditing and + sentimental reasons. + - failed: Unexpected error has occurred during object lifecycle. Result + of that event is that the object is rendered inactive. + The situation cannot be automatically remedied. Manual action + is needed. + """; + // ObjectType.lifecycleState + // 20 + since "3.5"; + // + } + + item operationExecution { + type OperationExecution; + maxOccurs unbounded; + documentation """ + Description of recent operations executed on this object (or related objects, e.g. shadows + in case of a focal object). The number of operations to be kept here is configurable. + """; + since "3.6"; + // true + } + + item lensContext { + type LensContext; + documentation """ + Model context describing executed operation. + """; + since "4.0"; + // true + } + + item policySituation { + type uri; + maxOccurs unbounded; + documentation """ + The policy situation(s) of this object. The situations are result of + evaluation of the policy rules. This property is recorded for each object + and can be used for reporting, diagnostics, target selection in certification + campaigns, etc. + """; + since "3.5"; + // true + } + + item policyException { + type PolicyException; + maxOccurs unbounded; + documentation """ + Recorded exception from a policy rule. The exceptions that are approved are + recoded here to avoid re-evaluating and re-approving them all the time. + This is EXPERIMENTAL functionality. It is likely to change in the near future. + """; + since "3.5"; + // true + } + + item diagnosticInformation { + type DiagnosticInformation; + maxOccurs unbounded; + documentation """ + Diagnostic information attached to this object. + """; + since "4.0"; + // true + } + + // Note that oid and version are not defined here. These are intrinsic parts of prism objects + // so they do not have to be mentioned in the schema. + // TODO: is this OK? See also related questions in ObjectReference type. + } + + type AssignmentHolder { + extends Object; + itemName assignmentHolder; + documentation """ + Abstract supertype for all object types that can have assignments. + """; + + item assignment { + type Assignment; + maxOccurs unbounded; + documentation """ + Set of object's assignments. + Assignments define the privileges and "features" that this object should have, that + this object is entitled to. Typical assignment will point to a role or define + a construction of an account. + + Assignments represent what the object SHOULD HAVE. The assignments represent a policy, + a desired state of things (cf. linkRef). + """; + // FocusType.assignmentKey + } + + item iteration { + type int; // TODO + documentation """ + Iteration number. Starts with 0. It is used to iteratively find unique identifier + for the object. + """; + // true + } + + item iterationToken { + type string; + documentation """ + Iteration token. String value that is usually a suffix to the identifier based + on iteration number. E.g. ".007". It is used to iteratively find unique identifier + for the object. + """; + // true + } + + item archetype { + type ObjectReference; + maxOccurs unbounded; + documentation """ + References to all applicable archetypes, including "indirect" archetypes such as archetype supertypes. + Contains references to active archetypes only. + + Note: the value of this reference is only updated when object is recomputed. + Therefore if a role definition changes then all the affected objects must be recomputed + for this reference to be consistent. + + This is an operational property. It is set and managed by the system. It is used + for efficient use of archetypes. + """; + // tns:ArchetypeType + // true + // AssignmentHolderType.archetypeRef + since "4.0"; + } + + item roleMembership { + type ObjectReference; + maxOccurs unbounded; + documentation """ + References to abstract roles (roles, orgs, services) that this focus currently belongs to - directly + or indirectly. This reference points to all the roles in the role hierarchy. It only points to + the roles that were evaluated as active during last recompute (conditions were true, validity + constraints not violated). + + Note: the value of this reference is only updated when a focal object is recomputed. + Therefore if a role definition changes then all the affected focal objects must be recomputed + for this reference to be consistent. + + Roles mentioned here are those that are NOT obtained via delegation, i.e. "deputy" relations. + Relations acquired by delegation are listed in delegatedRef item. + + This is an operational property. It is set and managed by the system. It is used + for efficient search of all current role members, e.g. for the purpose of displaying this + information in the GUI. + """; + // tns:AbstractRoleType + // true + // FocusType.roleMembershipRef + } + + item delegated { + type ObjectReference; + maxOccurs unbounded; + documentation """ + References to objects (abstract roles as well as users) obtained via delegation. + If A1 is a deputy of A, its delegatedRef contains a union of A, A.roleMembershipRef and + A.delegatedRef. + + This is an operational property. It is set and managed by the system. It is used + for efficient search of all current role members, e.g. for the purpose of displaying this + information in the GUI. + """; + // tns:FocusType + // true + since "3.5"; + } + + item roleInfluence { + type ObjectReference; + maxOccurs unbounded; + documentation """ + References to abstract roles (roles and orgs) that this focus may directly belong to. + This reference only points to the next role in the hierarchy. However, it is backed by + a "closure" index in the repository subsystem. Therefore it can efficiently support tree-like + queries. This reference points to the roles for whose the condition is not true. + Therefore it does not reliably show + who actually has a role. It shows potential role members - all the object that are possibly + influenced when a role definition changes. + + This is an operational property. It is set and managed by the system. It is used + for efficient search of all possible role members, e.g. for the purpose of recomputing + all role members after the role definition is changed. + + TODO. NOT IMPLEMENTED YET. EXPERIMENTAL. UNSTABLE. + """; + // tns:AbstractRoleType + // true + } + } + + type Focus { + extends AssignmentHolder; + itemName focus; + documentation """ + Abstract supertype for all object types that can be focus of full midPoint computation. + This basically means objects that have projections. But focal objects also have + activation, they may have personas, etc. + """; + item link { + type ObjectReference; + maxOccurs unbounded; + documentation """ + Set of shadows (projections) linked to this focal object. + E.g. a set of accounts linked to a user. This is the set of + shadows that belongs to the focal object in a sense + that these shadows represents the focal object on the resource. + E.g. The set of accounts that represent the same midPoint user (the + same physical person, they are "analogous"). + + Links define what the object HAS. The links reflect real state of things + (cf. assignment). + """; + // tns:ShadowType + } + + item persona { + type ObjectReference; + maxOccurs unbounded; + documentation """ + Set of personas linked to this focal object. + E.g. a set of virtual identities linked to a user. This is the set of + "secondary" focal objects that belongs to this focal object in a sense + that the current focal object is in control over the linked focal objects. + E.g. this reference can be used to link user object which specified a physical + person with his virtual identities (personas) that specify his identity as an + employee, system administrator, customer, etc. + The default meaning is that the personas are "analogous", i.e. the represent + different facets of the same physical person. However, this meaning may be + theoretically overridden by using various relation parameters in this reference. + + This reference define what the object HAS. The links reflect real state of + things (cf. assignment). + """; + // tns:FocusType + since "3.6"; + } + + item activation { + type Activation; + } + + item jpegPhoto { + type binary; + documentation """ + Photo corresponding to the user / org / role / service. + """; + // FocusType.jpegPhoto + } + + item costCenter { + type string; + documentation """ + The name, identifier or code of the cost center to which the object belongs. + + Please note that organization objects (OrgType) also have a costCenter property. + Therefore it is usual that if a user belongs to an organization the costCenter from + the organization is used. Therefore this property is usually used only for users that + do not belong to any organization or for users that have different cost center than + the one defined by the organization. + """; + // FocusType.costCenter + // 420 + } + + item locality { + type PolyString; + documentation """ + Primary locality of the object, the place where + the (e.g.) user usually works, the country, city or + building that he belongs to. The specific meaning + and form of this property is deployment-specific. + """; + // FocusType.locality + // 450 + } + + item preferredLanguage { + type string; + documentation """ + Indicates user's preferred language, usually for the purpose of localizing + user interfaces. The format is IETF language tag defined in BCP 47, where + underscore is used as a subtag separator. This is usually a ISO 639-1 two-letter + language code optionally followed by ISO 3166-1 two letter country code + separated by underscore. The languages that do not have country-specific + variants are usually specified by using a two-letter country code ("sk", + "cs", "tr"). Languages with country-specific variants have country-specific + subtags ("pt_BR", "zn_CN"). + If no value is specified in this property then system default locale is assumed. + + Examples: + - en_US + - sk + - cs + - pt_BR + """; + // FocusType.preferredLanguage + // 200 + // + } + + item locale { + type string; + documentation """ + Defines user's preference in displaying currency, dates and other items + related to location and culture. The format is IETF language tag defined in BCP 47, where + underscore is used as a subtag separator. This is usually a ISO 639-1 two-letter + language code optionally followed by ISO 3166-1 two letter country code + separated by underscore. The languages that do not have country-specific + variants are usually specified by using a two-letter country code ("sk", + "cs", "tr"). Languages with country-specific variants have country-specific + subtags ("pt_BR", "zn_CN"). + If not specified then system default locale is assumed. + + Examples: + - en_US + - sk + - cs + - pt_BR + """; + // FocusType.locale + // 210 + // + } + + item timezone { + type string; + documentation """ + User's preferred timezone. It is specified in the "tz database" (a.k.a "Olson") + format. If not specified then system default timezone is assumed. + + Examples: + - Europe/Bratislava + """; + // FocusType.timezone + // 220 + // + } + + item emailAddress { + type string; + documentation """ + E-Mail address of the user, org. unit, etc. This is the address + supposed to be used for communication with the + user, org. unit, etc. E.g. IDM system may send notifications + to the e-mail address. It is NOT supposed to be + full-featured e-mail address data structure + e.g. for the purpose of complex address-book application. + """; + // FocusType.emailAddress + // 300 + } + + item telephoneNumber { + type string; + documentation """ + Primary telephone number of the user, org. unit, etc. + """; + // FocusType.telephoneNumber + // 310 + } + + item credentials { + type Credentials; + documentation """ + The set of focus's credentials (such as passwords). + """; + // FocusType.credentials + } + } + + type User { + extends Focus; + documentation """ + User object represents a physical user of the system. + It differs from the account, as "account" represents a data structure in a target system while + "user" represents data structure in midPoint. One user typically has many accounts. + Properties of User object typically describe the user as a physical person. + Therefore the user object defines handful of properties that are commonly used to describe users + in the IDM solutions (employees, customers, partners, etc.) Custom extensions are possible by utilizing + the "extension" container. + """; + + item fullName { + type PolyString; + documentation """ + Full name of the user with all the decorations, + middle name initials, honorific title and any + other structure that is usual in the cultural + environment that the system operates in. This + element is intended to be displayed to + a common user of the system. + + Examples: + - cpt. Jack Sparrow + - William "Bootstrap" Turner + - James W. Random, PhD. + - Vladimir Iljic Lenin + - Josip Broz Tito + - Chuck Norris + """; + // UserType.fullName + // 100 + // true + } + + item givenName { + type PolyString; + documentation """ + Given name of the user. It is usually the first + name of the user, but the order of names may + differ in various cultural environments. This + element will always contain the name that was + given to the user at birth or was chosen + by the user. + + Examples: + - Jack + - Chuck + """; + // UserType.givenName + // 110 + // true + } + + item familyName { + type PolyString; + documentation """ + Family name of the user. It is usually the last + name of the user, but the order of names may + differ in various cultural environments. This + element will always contain the name that was + inherited from the family or was assigned + to a user by some other means. + + Examples: + - Sparrow + - Norris + """; + // UserType.familyName + // 120 + // true + } + + item additionalName { + type PolyString; + documentation """ + Middle name, patronymic, matronymic or any other name of a person. It is usually the + middle component of the name, however that may be culture-dependent. + + Examples: + - Walker + - John + - Iljic + """; + // UserType.additionalName + // 130 + } + + item nickName { + type PolyString; + documentation """ + Familiar or otherwise informal way to address a person. + + Examples: + - Bootstrap + - Bobby< + + The meaning of this property is to take part in the formatted full + name of the person, e.g. William "Bootstrap" Turner. It is not intended + to be used as a username or login name. This value is usually changeable + by the user itself and it defines how the user wants other to address him. + Therefore it is not ideal for use as an identifier. + """; + // UserType.nickname + // 140 + } + + item honorificPrefix { + type PolyString; + documentation """ + Honorific titles that go before the name. + Examples: + - cpt. + - Ing. + - Sir + + This property is single-valued. If more + than one title is applicable, they have to be represented in + a single string (concatenated) form in the correct order. + """; + // UserType.honorificPrefix + // 150 + } + + item honorificSuffix { + type PolyString; + documentation """ + Honorific titles that go after the name. + + Examples: + - PhD. + - KBE + + This property is single-valued. If more + than one title is applicable, they have to be represented in + a single string (concatenated) form in the correct order. + """; + // UserType.honorificSuffix + // 160 + } + + item title { + type PolyString; + documentation """ + User's title defining a work position or a primary role in the + organization. + Examples: + - CEO + - Security Officer + - Assistant + """; + // UserType.title + // 170 + } + + item employeeNumber { + type string; + documentation """ + Unique, business-oriented identifier of the employee. + Typically used as correlation identifier and for + auditing purposes. Should be immutable, but the + specific properties and usage are deployment-specific. + """; + // UserType.employeeNumber + // 400 + } + + item employeeType { + type string; + maxOccurs unbounded; + documentation """ + Employee type specification such as internal employee, + external or partner. The specific values are + deployment-specific. However it is generally assumed that this + will be enumeration of several type names or codes that define + "classes" of users. + + Even though this property is named "employeeType" due to the historical + reasons it is used in a more generic way to mean general type of user. + Therefore it can be used to distinguish employees from customers, etc. + + DEPRECATED: Use ObjectType.subtype + """; + // UserType.employeeType + // 410 + // true + // 3.8 + } + item organization { + type PolyString; + maxOccurs unbounded; + documentation """ + Name or (preferably) immutable identifier of organization that the user belongs to. + The format is deployment-specific. This property together with organizationalUnit + may be used to provide easy-to-use data about organizational membership of the user. + + This is multi-valued property to allow membership of a user to several + organizations. Please note that midPoint does not maintain ordering in + multi-value properties therefore this is not usable to model a complex + organization hierarchies. Use OrgType instead. + """; + // UserType.organization + // 430 + } + + item organizationalUnit { + type PolyString; + maxOccurs unbounded; + documentation """ + Name or (preferably) immutable identifier of organizational unit that the user belongs to. + The format is deployment-specific. This property together with organization + may be used to provide easy-to-use data about organizational membership of the user. + + This is multi-valued property to allow membership of a user to several + organizational units. Please note that midPoint does not maintain ordering in + multi-value properties therefore this is not usable to model a complex + organization hierarchies. Use OrgType instead. + """; + // UserType.organizationalUnit + // 440 + } + item adminGuiConfiguration { + type AdminGuiConfiguration; + documentation """ + Specifies the admin GUI configuration that should be used + by this user. + """; + since "3.5"; + // AdminGuiConfigurationType.adminGuiConfiguration + } + } + + type ObjectReference { + objectReference; + documentation """ + Reference to an object. It contains OID of the object that it + refers to. + """; + + // item description; // TODO make this work + + // item documentation; // TODO make this work + + item filter { + type SearchFilter; // TODO namespace of "query-3" + documentation """ + Filter that can be used to dynamically lookup the reference OID e.g. during imports. + It must not be used for normal operations. The filter may be stored in the repository + to avoid data loss. But even if it is stored it will not be used beyond initial + import or unless explicitly requested (e.g. by setting resolutionTime). + + Note: The filter will NOT be used if the OID in the reference is set. The OID always takes + precedence. + """; + } + + item resolutionTime { + type EvaluationTime; + // TODO defaultValue "import"; + documentation """ + Definition of the "time" when the reference will be resolved. Resolving the reference means using + the filter to get object(s) or OID(s). + + Import-time resolution means that the reference will be resolved once when the file is imported. + OID will be recorded in the reference and then only the OID will be used to follow the reference. + This is a very efficient method and it is the default. + + Run-time resolution means that the reference will be resolved every time that the reference is + evaluated. This is less efficient but it provides great flexibility as the filter may contain + expressions and therefore the reference target may dynamically change. + """; + } + + item referentialIntegrity { + type ReferentialIntegrity; + // TODO defaultValue "default"; + documentation """ + Definition of the behavior related to non-existence of object with specified target OID. + (Currently supported only at selected places in midPoint.) + """; + since "4.1"; + } + + item targetName { + type PolyString; + documentation """ + Cached name of the target object. + This is a ephemeral value. It is not stored in the repository. + It may be computed at object retrieval time or it may not be present at all. + This is NOT an authoritative information. Setting it or changing it will + not influence the reference meaning. OID is the only authoritative linking + mechanism. + """; + } + + // TODO what about (attributes) oid, type, and relation? + // Should they be listed here even if they are defined in PrismReferenceValue? + // But if not, why should we list filter, resolution time, referential integrity here, + // as they are also defined in PrismReferenceValue. + } + + item description { + type string; + documentation """ + Free-form textual description of the object. It is supposed to describe + the object or a construct that it is attached to. + + This information may be presented to midPoint users, even to ordinary end users. + For example role description may be presented to users when they are selecting + roles to request. Therefore the description should be written in a language that + the users can understand. + + Description is assumed to be a plan, non-formatted text. + Amount of white space is considered insignificant. E.g. leading and trailing + white space may be skipped, multiple spaces can be collapsed to one and so on. + """; + // ObjectType.description + // 10 + } + + item documentation { + type string; + documentation """ + Technical documentation for a particular object or construct. + + The purpose of this element is to document system configuration and behavior. + The documentation will not be presented to end users. In fact, it will probably + not be presented at all in midPoint user interface. This documentation element + is supposed to be a part of the technical documentation of midPoint deployment. + The tools than generate deployment configuration will look for these elements + and combine them to compiled documentation document. + + AsciiDoc formatting is assumed for this element. Any leading or trailing + whitespace is skipped. Indentation equivalent to he indentation of the first + non-blank line of text is also skipped. + """; + // ObjectType.documentation + // 11 + } + + // Example of short version of container definition. + container { + name Assignment; + itemName assignment; + + // item description; // TODO make this work + // item documentation; // TODO make this work + // item extension; // TODO make this work + + // ... + } + + container { + name Extension; + itemName extension; + documentation """ + Extension container that provides generic extensibility mechanism. + Almost any extension property can be placed in this container. + This mechanism is used to extend objects with new properties. + The extension is treated exactly the same as other object + properties by the code (storage, modifications, etc), except + that the system may not be able to understand their meaning. + """; + // ObjectType.extension + // 1000 + } + + object GenericObject { + extends Focus; + itemName genericObject; + documentation """ + Generic object for storing unknown (unexpected) object types. + + The generic object should be used if there is a need to + store a custom object (e.g KangarooType) at deployment-time. + The properties of such custom objects are to be placed in the + extension part of this object. The schema is not checked or + enforced for this type of objects if technically possible. + """; + item objectType { + type uri; // TODO + // deprecated + } + } + + container Trigger { + itemName trigger; + documentation """ + Defines triggers for an object. Trigger is an action that should take place + at specified time or under some other condition. + """; + item timestamp { + type dateTime; // TODO + documentation """ + The time when a trigger needs to be activated. + """; + } + item handlerUri { + type uri; // TODO + documentation """ + Handler URI indirectly specifies which class is responsible to handle the task. The handler will + to be used to handle trigger activation. + """; + } + item originDescription { + type string; + documentation """ + Short description of trigger origin, e.g. name of the mapping. + Used for diagnostic purposes. + """; + // true + since "4.0"; + } + item extension { // TODO + type Extension; + documentation """ + Extension container used to provide additional situation-specific information to the trigger. + """; + } + } + + container Metadata { + itemName metadata; + documentation """ + Meta-data about data creation, modification, etc. + It may apply to objects but also parts of the object (e.g. assignments). + + Meta-data only apply to successful operations. That is obvious for create, but it also applies + to modify. For obvious reasons there are no metadata about delete. + We keep no metadata about reading. That would be a huge performance hit. + + Meta-data only describe the last operation of its kind. E.g. there is a record of last + modification, last approval, etc. There is no history. The last operation overwrites data + about the previous operation. + + These data are informational only. They should not be used for security purposes (use auditing + subsystem for that). But presence of metadata simplifies system administration and may provide + some basic information "at the glance" which may be later confirmed by the audit logs. + + Meta-data are also supposed to be searchable. Therefore they may be used to quickly find + "candidate" objects for a closer examination. + """; + // true + // + // Metadata + + item requestTimestamp { + type dateTime; + documentation """ + The timestamp of "create" operation request. It is set once and should never be changed. + + In case of "background" processes to create object (e.g. create with approval) + this should be the timestamp when the process started. I.e. the timestamp when + the operation was requested. + """; + // MetadataType.requestTimestamp + // true + since "3.5"; + // + } + + item requestor { + type ObjectReference; + documentation """ + Reference to the user that requested the "create" operation for this object or assignment. + """; + // MetadataType.requestorRef + // true + // tns:UserType + // + } + + item requestorComment { + type string; + documentation """ + Comment of the user that requested the "create" operation for this object or assignment. + """; + // MetadataType.requestorComment + // true + since "3.7"; + } + + item createTimestamp { + type dateTime; + documentation """ + The timestamp of data creation. It is set once and should never be changed. + + In case of "background" processes to create object (e.g. create with approval) + this should be the timestamp when the process ended. I.e. the timestamp when + the operation was executed. + """; + // MetadataType.createTimestamp + // true + // true + since "3.5"; + } + + item creator { + type ObjectReference; + maxOccurs unbounded; + documentation """ + Reference to the user that approved the creation of the data (if there was such a user). + This is multi-value reference therefore multiple approvers may be recorded. However the order and + hierarchy of the approvers is lost. + """; + // MetadataType.createApproverRef + // true + // true + // tns:UserType + } + + item createApproverComment { + type string; + maxOccurs unbounded; + documentation """ + Comments of the approvers during the creation of the data. Note that these comments are in no + particular order, so basically it is not known who entered which comment. + """; + // MetadataType.createApprovalComment + // true + since "3.7"; + } + + item createApprovalTimestamp { + type dateTime; + documentation """ + The timestamp of creation approval. + """; + // MetadataType.createApprovalTimestamp + // true + since "3.5"; + } + + item createChannel { + type uri; + documentation """ + Channel in which the object was created. + """; + // MetadataType.createChannel + // true + // true + } + + item createTask { + type ObjectReference; + documentation """ + Reference to the task that created the object (if it was a persistent one). + """; + // MetadataType.createTaskRef + // true + // tns:TaskType + since "3.7"; + } + + item modifyTimestamp { + type dateTime; + // MetadataType.modifyTimestamp + // true + // true + } + + item modifier { + type ObjectReference; + // MetadataType.modifierRef + // true + // true + // tns:UserType + } + + item modifyApprover { + type ObjectReference; + maxOccurs unbounded; + // MetadataType.modifyApproverRef + // true + // true + // tns:UserType + } + + item modifyApprovalComment { + type string; + maxOccurs unbounded; + // MetadataType.modifyApprovalComment + // true + since "3.7"; + } + + item modifyChannel { + type uri; + // MetadataType.modifyChannel + // true + // true + } + + item modifyTask { + type ObjectReference; + // MetadataType.modifyTaskRef + // true + // tns:TaskType + since "3.7"; + } + + item lastProvisioningTimestamp { + type dateTime; + // MetadataType.lastProvisioningTimestamp + // true + since "3.6.1"; + } + + item certificationFinishedTimestamp { + type dateTime; + // MetadataType.certificationFinishedTimestamp + // true + since "3.7"; + } + + item certificationOutcome { + type string; + // MetadataType.certificationOutcome + // true + since "3.7"; + } + + item certifier { + type ObjectReference; + // MetadataType.certifierRef + // true + // tns:UserType + since "3.7"; + } + + item certifierComment { + type string; + maxOccurs unbounded; + // MetadataType.certifierComment + // true + since "3.7"; + } + + item originMappingName { + type string; + // MetadataType.originMappingName + // true + since "3.7"; + } + } + + // axiom + + // types-3 + type PolyString; + + // query-3 + type SearchFilter; + type EvaluationTime; + type ReferentialIntegrity; + + // ??? + // type Extension; + + // common-3 + type OperationResult; + type OperationExecution; + type LensContext; + type PolicyException; + type DiagnosticInformation; + type Credentials; + type AdminGuiConfiguration; + type Activation; + + // should exist because of "container XXX" + // Already defined + // type Trigger; + // type Assignment; + +} diff --git a/infra/axiom/src/test/resources/prism/prism.axiom b/infra/axiom/src/test/resources/prism/prism.axiom new file mode 100644 index 00000000000..9b87afeab98 --- /dev/null +++ b/infra/axiom/src/test/resources/prism/prism.axiom @@ -0,0 +1,79 @@ +model prism { + + namespace "http://midpoint.evolveum.com/xml/ns/public/common/prism"; + + import axiom { + namespace "https://ns.evolveum.com/axiom/language"; + } + + root model { + documentation """ + Axiom Model + + Declares a new axiom model. + """; + type PrismModel; + } + + type PrismModel { + extends axiom:AxiomModel; + + + } + + extension PrismDefinition { + target axiom:AxiomModel; + // TODO move to prism schema; consider renaming to objectType? + item object { + type PrismObjectDefinition; + } + + // TODO move to prism schema; consider renaming to containerType? + item container { + type PrismContainerDefinition; + } + + // TODO move to prism schema; consider renaming to referenceType? + item reference { + type PrismReferenceDefinition; + } + } + + extension PrismTypeDefinitionAnnotation { + target axiom:AxiomTypeDefinition; + // TODO move to prism schema + item object { + type boolean; + } + + // TODO move to prism schema + item container { + type boolean; + } + // TODO move to prism schema + item objectReference { + type boolean; + } + } + + type PrismTypeDefinition { + extends axiom:AxiomTypeDefinition; + } + + type PrismObjectDefinition { + extends PrismTypeDefinition; + } + + type PrismContainerDefinition { + extends PrismTypeDefinition; + } + + type PrismReferenceDefinition { + extends PrismTypeDefinition; + } + + type PrismItemDefinition { + extends PrismTypeDefinition; + } + +}