Policy violation error when inconsistent assignment/parentOrgRef delt…

…a is attempted. (MID-3874)
Evolveum · Jul 10, 2017 · 0915158 · 0915158
1 parent dc7ecc6
commit 0915158
Show file tree

Hide file tree

Showing 13 changed files with 332 additions and 122 deletions.
diff --git a/infra/prism/src/main/java/com/evolveum/midpoint/prism/delta/ItemDelta.java b/infra/prism/src/main/java/com/evolveum/midpoint/prism/delta/ItemDelta.java
@@ -1006,8 +1006,43 @@ public void validate(String contextDescription) throws SchemaException {
     		}
     	}
     }
+
+
+    public void validateValues(ItemDeltaValidator<V> validator) throws SchemaException {
+    	validateValues(validator, getEstimatedOldValues());
+    }
+
+    public void validateValues(ItemDeltaValidator<V> validator, Collection<V> oldValues) throws SchemaException {
+    	validateSet(valuesToAdd, PlusMinusZero.PLUS, validator);
+    	validateSet(valuesToDelete, PlusMinusZero.MINUS, validator);
+    	if (isReplace()) {
+    		for (V val: getValuesToReplace()) {
+    			if (oldValues != null && PrismValue.containsRealValue(oldValues, val)) {
+    				validator.validate(PlusMinusZero.ZERO, val);
+    			} else {
+    				validator.validate(PlusMinusZero.PLUS, val);
+    			}
+    		}
+    		if (oldValues != null) {
+    			for (V val: getValuesToReplace()) {
+    				if (!PrismValue.containsRealValue(getValuesToReplace(), val)) {
+    					validator.validate(PlusMinusZero.MINUS, val);
+    				}
+    			}
+    		}
+    	}
+    }
+
+    private void validateSet(Collection<V> set, PlusMinusZero plusMinusZero,
+			ItemDeltaValidator<V> validator) {
+		if (set != null) {
+			for (V val: set) {
+				validator.validate(plusMinusZero, val);
+			}
+		}
+	}
 
-    public static void checkConsistence(Collection<? extends ItemDelta> deltas) {
+	public static void checkConsistence(Collection<? extends ItemDelta> deltas) {
         checkConsistence(deltas, ConsistencyCheckScope.THOROUGH);
     }
 

diff --git a/infra/prism/src/main/java/com/evolveum/midpoint/prism/delta/ItemDeltaValidator.java b/infra/prism/src/main/java/com/evolveum/midpoint/prism/delta/ItemDeltaValidator.java
@@ -0,0 +1,28 @@
+/**
+ * Copyright (c) 2017 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.prism.delta;
+
+import com.evolveum.midpoint.prism.PrismValue;
+
+/**
+ * @author semancik
+ *
+ */
+public interface ItemDeltaValidator<V extends PrismValue> {
+
+	void validate(PlusMinusZero plusMinusZero, V itemValue);
+
+}
diff --git a/infra/prism/src/main/java/com/evolveum/midpoint/prism/delta/ObjectDelta.java b/infra/prism/src/main/java/com/evolveum/midpoint/prism/delta/ObjectDelta.java
@@ -377,7 +377,19 @@ public <X extends Containerable> ContainerDelta<X> findContainerDelta(QName name
     }
 
     private <D extends ItemDelta> D findModification(ItemPath propertyPath, Class<D> deltaType) {
-    	return ItemDelta.findItemDelta(modifications, propertyPath, deltaType);
+    	if (isModify()) {
+    		return ItemDelta.findItemDelta(modifications, propertyPath, deltaType);
+    	} else if (isAdd()) {
+    		Item<PrismValue, ItemDefinition> item = getObjectToAdd().findItem(propertyPath);
+    		if (item == null) {
+    			return null;
+    		}
+    		D itemDelta = (D) item.createDelta();
+            itemDelta.addValuesToAdd(item.getClonedValues());
+    		return itemDelta;
+    	} else {
+    		return null;
+    	}
     }
 
     private  <D extends ItemDelta> D findModification(QName itemName, Class<D> deltaType) {

diff --git a/...pl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/AssignmentProcessor.java b/...pl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/AssignmentProcessor.java
@@ -84,6 +84,7 @@
 import com.evolveum.midpoint.util.exception.PolicyViolationException;
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.util.exception.SecurityViolationException;
+import com.evolveum.midpoint.util.exception.TunnelException;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 
@@ -716,7 +717,7 @@ private <F extends FocusType> void createAssignmentDelta(LensContext<F> context,
 
 	}
 
-	public <F extends ObjectType> void processOrgAssignments(LensContext<F> context, OperationResult result) throws SchemaException {
+	public <F extends ObjectType> void processOrgAssignments(LensContext<F> context, OperationResult result) throws SchemaException, PolicyViolationException {
 
 		LensFocusContext<F> focusContext = context.getFocusContext();
 		if (focusContext == null) {
@@ -735,6 +736,43 @@ public <F extends ObjectType> void processOrgAssignments(LensContext<F> context,
 			}
 		}
 		setReferences(focusContext, ObjectType.F_PARENT_ORG_REF, shouldBeParentOrgRefs);
+
+		ObjectDelta<F> focusPrimaryDelta = focusContext.getPrimaryDelta();
+		if (focusPrimaryDelta != null) {
+			ReferenceDelta parentOrgRefDelta = focusPrimaryDelta.findReferenceModification(ObjectType.F_PARENT_ORG_REF);
+			if (parentOrgRefDelta != null) {
+				List<PrismReferenceValue> parentOrgRefCurrentValues = null;
+				PrismObject<F> objectCurrent = focusContext.getObjectCurrent();
+				if (objectCurrent != null) {
+					PrismReference parentOrgRefCurrent = objectCurrent.findReference(ObjectType.F_PARENT_ORG_REF);
+					if (parentOrgRefCurrent != null) {
+						parentOrgRefCurrentValues = parentOrgRefCurrent.getValues();
+					}
+				}
+				try {
+
+					parentOrgRefDelta.validateValues(
+						(plusMinusZero,val) -> {
+							switch (plusMinusZero) {
+								case PLUS:
+								case ZERO:
+									if (!PrismReferenceValue.containsRealValue(shouldBeParentOrgRefs, val)) {
+										throw new TunnelException(new PolicyViolationException("Attempt to add parentOrgRef "+val.getOid()+", but it is not allowed by assignments"));
+									}
+									break;
+								case MINUS:
+									if (PrismReferenceValue.containsRealValue(shouldBeParentOrgRefs, val)) {
+										throw new TunnelException(new PolicyViolationException("Attempt to delete parentOrgRef "+val.getOid()+", but it is mandated by assignments"));
+									}
+									break;
+							}
+						}, parentOrgRefCurrentValues);
+
+				} catch (TunnelException e) {
+					throw (PolicyViolationException)e.getCause();
+				}
+			}
+		}
 	}
 
 	public <F extends ObjectType> void checkForAssignmentConflicts(LensContext<F> context,

diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestScriptHooks.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestScriptHooks.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013 Evolveum
+ * Copyright (c) 2013-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,7 +15,6 @@
  */
 package com.evolveum.midpoint.model.intest;
 
-import static com.evolveum.midpoint.test.IntegrationTestTools.display;
 import static org.testng.AssertJUnit.assertNotNull;
 
 import java.io.File;
@@ -96,7 +95,7 @@ protected File getSystemConfigurationFile() {
 	@Test
     public void test100JackAssignHookAccount() throws Exception {
 		final String TEST_NAME = "test100JackAssignHookAccount";
-        TestUtil.displayTestTile(this, TEST_NAME);
+        displayTestTile(TEST_NAME);
 
         // GIVEN
         Task task = taskManager.createTaskInstance(TestScriptHooks.class.getName() + "." + TEST_NAME);
@@ -109,8 +108,7 @@ public void test100JackAssignHookAccount() throws Exception {
         assignAccount(USER_JACK_OID, RESOURCE_DUMMY_HOOK_OID, null, task, result);
 
 		// THEN
-		result.computeStatus();
-        TestUtil.assertSuccess(result);
+		assertSuccess(result);
 
 		PrismObject<UserType> userJack = getUser(USER_JACK_OID);
 		display("User after change execution", userJack);
@@ -151,7 +149,7 @@ public void test100JackAssignHookAccount() throws Exception {
 	@Test
     public void test110JackAddOrganization() throws Exception {
 		final String TEST_NAME = "test110JackAddOrganization";
-        TestUtil.displayTestTile(this, TEST_NAME);
+        displayTestTile(TEST_NAME);
 
         // GIVEN
         Task task = taskManager.createTaskInstance(TestScriptHooks.class.getName() + "." + TEST_NAME);
@@ -161,11 +159,10 @@ public void test110JackAddOrganization() throws Exception {
         StaticHookRecorder.reset();
 
 		// WHEN
-        modifyUserAdd(USER_JACK_OID, UserType.F_ORGANIZATION, task, result, new PolyString("Pirate Brethren"));
+        modifyUserAdd(USER_JACK_OID, UserType.F_ORGANIZATION, task, result, createPolyString("Pirate Brethren"));
 
 		// THEN
-		result.computeStatus();
-        TestUtil.assertSuccess(result);
+		assertSuccess(result);
 
 		PrismObject<UserType> userJack = getUser(USER_JACK_OID);
 		display("User after change execution", userJack);