Merge branch 'master' of https://github.com/Evolveum/midpoint

gui/admin-gui/src/main/resources/localization/Midpoint.properties

@@ -4170,7 +4170,6 @@ ObjectFormType.details.newValue=New object form
 GuiObjectColumnType.details.newValue=New gui object column
 GuiObjectListViewType.details.newValue=New gui object list view
 DashboardWidgetType.details.newValue=New dashboard widget
-GenericPcpAspectConfigurationType.details.newValue=New generic pcp aspect configuration
 RelationDefinitionType.details.newValue=New relation definition
 GuiActionType.details.newValue=New gui action
 ApprovalStageDefinitionType.details.newValue=New approval stage definition

infra/prism/src/main/java/com/evolveum/midpoint/prism/query/TypeFilter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2014 Evolveum
+ * Copyright (c) 2010-2018 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -53,6 +53,9 @@ public ObjectFilter getFilter() {
     }
 
     public void setFilter(ObjectFilter filter) {
+    	if (filter == this) {
+    		throw new IllegalArgumentException("Type filte has itself as a subfilter");
+    	}
         this.filter = filter;
     }
 

infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd

@@ -12380,6 +12380,9 @@
 
 								LIMITATION: Supported only for TaskType and not for search pre-processing.
 							</xsd:documentation>
+							<xsd:appinfo>
+								<a:since>3.9</a:since>
+							</xsd:appinfo>
 						</xsd:annotation>
 					</xsd:element>
 					<xsd:element name="assignee" type="tns:SubjectedObjectSelectorType" minOccurs="0" maxOccurs="1">
@@ -12391,16 +12394,32 @@
 								LIMITATION: Supported only for TaskType with work items fully fetched; and not for search
 								pre-processing.
 							</xsd:documentation>
+							<xsd:appinfo>
+								<a:since>3.9</a:since>
+							</xsd:appinfo>
 						</xsd:annotation>
 					</xsd:element>
-					<xsd:element name="object" type="tns:SubjectedObjectSelectorType" minOccurs="0" maxOccurs="1">
+					<xsd:element name="relatedObject" type="tns:SubjectedObjectSelectorType" minOccurs="0" maxOccurs="1">
 						<xsd:annotation>
 							<xsd:documentation>
 								The object matches the specification if it has a related object specified by this element.
 								(So it is applicable only for task-, case- and work item-like objects.)
 
 								LIMITATION: Supported only for TaskType; and for search pre-processing it is limited to "self".
 							</xsd:documentation>
+							<xsd:appinfo>
+								<a:since>3.9</a:since>
+							</xsd:appinfo>
+						</xsd:annotation>
+					</xsd:element>
+					<xsd:element name="tenant" type="tns:TenantSelectorType" minOccurs="0" maxOccurs="1">
+						<xsd:annotation>
+							<xsd:documentation>
+								The object matches the specification if it is related to the specified tenant.
+							</xsd:documentation>
+							<xsd:appinfo>
+								<a:since>3.9</a:since>
+							</xsd:appinfo>
 						</xsd:annotation>
 					</xsd:element>
 		        </xsd:sequence>
@@ -12446,6 +12465,32 @@
         <xsd:attribute name="id" type="xsd:long" use="optional"/>
 	</xsd:complexType>
 
+	<xsd:complexType name="TenantSelectorType">
+        <xsd:annotation>
+            <xsd:documentation>
+                Selects an object by comparing tenant information.
+            </xsd:documentation>
+            <xsd:appinfo>
+                <a:container/>
+                <a:since>3.9</a:since>
+            </xsd:appinfo>
+        </xsd:annotation>
+        <xsd:sequence>
+        	<xsd:element name="sameAsSubject" type="xsd:boolean" minOccurs="0" maxOccurs="1" default="false">
+               <xsd:annotation>
+                   <xsd:documentation>
+                       Selects object/target if it has the same tenant as subject.
+                       Subject must be part of the tenant (must have tenantRef set).
+                       This authorization will not select any object if subject tenantRef is empty.
+                   </xsd:documentation>
+               </xsd:annotation>
+           </xsd:element>
+			<!-- allow empty tenant? -->
+			<!-- TODO: add explicit tenantRef? -->
+        </xsd:sequence>
+        <xsd:attribute name="id" type="xsd:long" use="optional"/>
+	</xsd:complexType>
+
 	<xsd:complexType name="OtherPrivilegesLimitationType">
         <xsd:annotation>
             <xsd:documentation>

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentEvaluator.java

@@ -1092,6 +1092,12 @@ private void collectMembership(FocusType targetType, QName relation, EvaluationC
 		refVal.setTargetName(targetType.getName().toPolyString());
 
 		collectMembershipRefVal(refVal, targetType.getClass(), relation, targetType, ctx);
+
+		if (targetType instanceof OrgType) {
+			if (BooleanUtils.isTrue(((OrgType)targetType).isTenant()) && ctx.evalAssignment.getTenantOid() == null) {
+				ctx.evalAssignment.setTenantOid(targetType.getOid());
+			}
+		}
 	}
 
 	private void collectMembership(ObjectReferenceType targetRef, QName relation, EvaluationContext ctx) {

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/EvaluatedAssignmentImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2018 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -81,6 +81,7 @@ public class EvaluatedAssignmentImpl<F extends FocusType> implements EvaluatedAs
 	// usually, these rules do not cause direct action (e.g. in the case of approvals);
 	// however, there are situations in which they are used (e.g. for exclusion rules)
 	@NotNull private final Collection<EvaluatedPolicyRule> otherTargetsPolicyRules = new ArrayList<>();
+	private String tenantOid;
 
 	private PrismObject<?> target;
 	private boolean virtual;
@@ -252,6 +253,14 @@ public void addDelegationRefVal(PrismReferenceValue org) {
 		delegationRefVals.add(org);
 	}
 
+	public String getTenantOid() {
+		return tenantOid;
+	}
+
+	public void setTenantOid(String tenantOid) {
+		this.tenantOid = tenantOid;
+	}
+
 	@NotNull
 	@Override
 	public Collection<Authorization> getAuthorizations() {

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensElementContext.java

@@ -20,6 +20,8 @@
 import com.evolveum.midpoint.prism.ConsistencyCheckScope;
 import com.evolveum.midpoint.prism.Objectable;
 import com.evolveum.midpoint.prism.delta.PlusMinusZero;
+import com.evolveum.midpoint.prism.delta.builder.DeltaBuilder;
+import com.evolveum.midpoint.prism.delta.builder.S_ItemEntry;
 import com.evolveum.midpoint.schema.DeltaConvertor;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
@@ -816,4 +818,8 @@ public boolean isOfType(Class<?> aClass) {
 	}
 
 	public abstract void deleteSecondaryDeltas();
+
+	public S_ItemEntry deltaBuilder() throws SchemaException {
+		return DeltaBuilder.deltaFor(getObjectTypeClass(), getPrismContext());
+	}
 }

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/AssignmentProcessor.java

@@ -30,6 +30,8 @@
 import com.evolveum.midpoint.model.impl.util.ModelImplUtils;
 import com.evolveum.midpoint.schema.RelationRegistry;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
+
+import org.apache.commons.lang.BooleanUtils;
 import org.jetbrains.annotations.NotNull;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
@@ -794,6 +796,66 @@ public <F extends ObjectType> void processOrgAssignments(LensContext<F> context,
 				}
 			}
 		}
+
+		computeTenantRef(context, result);
+	}
+
+	private <F extends ObjectType> void computeTenantRef(LensContext<F> context, OperationResult result) throws PolicyViolationException, SchemaException {
+		String tenantOid = null;
+		LensFocusContext<F> focusContext = context.getFocusContext();
+		PrismObject<F> objectNew = focusContext.getObjectNew();
+		if (objectNew == null) {
+			return;
+		}
+
+		if (objectNew.canRepresent(OrgType.class) && BooleanUtils.isTrue(((OrgType)objectNew.asObjectable()).isTenant())) {
+			// Special "zero" case. Tenant org has itself as a tenant.
+			tenantOid = objectNew.getOid();
+
+		} else {
+
+			DeltaSetTriple<EvaluatedAssignmentImpl<?>> evaluatedAssignmentTriple = context.getEvaluatedAssignmentTriple();
+			for (EvaluatedAssignmentImpl<?> evalAssignment : evaluatedAssignmentTriple.getNonNegativeValues()) {
+				if (!evalAssignment.isValid()) {
+					continue;
+				}
+				String assignmentTenantOid = evalAssignment.getTenantOid();
+				if (assignmentTenantOid == null) {
+					continue;
+				}
+				if (tenantOid == null) {
+					tenantOid = assignmentTenantOid;
+				} else {
+					if (!assignmentTenantOid.equals(tenantOid)) {
+						throw new PolicyViolationException("Two different tenants ("+tenantOid+", "+assignmentTenantOid+") applicable to "+context.getFocusContext().getHumanReadableName());
+					}
+				}
+			}
+		}
+
+
+		ObjectReferenceType currentTenantRef = objectNew.asObjectable().getTenantRef();
+		if (currentTenantRef == null) {
+			if (tenantOid == null) {
+				return;
+			} else {
+				LOGGER.trace("Setting tenantRef to {}", tenantOid);
+				ReferenceDelta tenantRefDelta = ReferenceDelta.createModificationReplace(ObjectType.F_TENANT_REF, focusContext.getObjectDefinition(), tenantOid);
+				context.getFocusContext().swallowToProjectionWaveSecondaryDelta(tenantRefDelta);
+			}
+		} else {
+			if (tenantOid == null) {
+				LOGGER.trace("Clearing tenantRef");
+				ReferenceDelta tenantRefDelta = ReferenceDelta.createModificationReplace(ObjectType.F_TENANT_REF, focusContext.getObjectDefinition(), (PrismReferenceValue)null);
+				context.getFocusContext().swallowToProjectionWaveSecondaryDelta(tenantRefDelta);
+			} else {
+				if (!tenantOid.equals(currentTenantRef.getOid())) {
+					LOGGER.trace("Changing tenantRef to {}", tenantOid);
+					ReferenceDelta tenantRefDelta = ReferenceDelta.createModificationReplace(ObjectType.F_TENANT_REF, focusContext.getObjectDefinition(), tenantOid);
+					context.getFocusContext().swallowToProjectionWaveSecondaryDelta(tenantRefDelta);
+				}
+			}
+		}
 	}
 
 	public <F extends ObjectType> void checkForAssignmentConflicts(LensContext<F> context,

model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/AbstractSecurityTest.java

@@ -663,10 +663,12 @@ protected void cleanupAutzTest(String userOid, int expectedAssignments) throws O
 
         assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
 
-        PrismObject<UserType> user = getUser(userOid);
-        assertAssignments(user, expectedAssignments);
-        if (expectedAssignments == 0) {
-        	assertLinks(user, 0);
+        if (userOid != null) {
+	        PrismObject<UserType> user = getUser(userOid);
+	        assertAssignments(user, expectedAssignments);
+	        if (expectedAssignments == 0) {
+	        	assertLinks(user, 0);
+	        }
         }
 	}
 

model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityAdvanced.java

@@ -288,6 +288,7 @@ public void test102AutzLechuckPersonaManagement() throws Exception {
         assertGetDeny(UserType.class, USER_JACK_OID);
         assertGetDeny(UserType.class, USER_GUYBRUSH_OID);
         assertGetAllow(UserType.class, USER_LECHUCK_OID);
+        display("HEREHERE");
         assertGetAllow(UserType.class, USER_CHARLES_OID);
 
 //        TODO: MID-3899