Merge branch 'master' of github.com:Evolveum/midpoint

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/page/PageBase.java

@@ -17,6 +17,8 @@
 
 import com.evolveum.midpoint.web.page.admin.PageAdminObjectDetails;
 
+import com.evolveum.midpoint.web.page.admin.certification.*;
+
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.lang.Validate;
 import org.apache.commons.lang3.ObjectUtils;
@@ -145,14 +147,9 @@
 import com.evolveum.midpoint.web.component.util.VisibleBehaviour;
 import com.evolveum.midpoint.web.component.util.VisibleEnableBehaviour;
 import com.evolveum.midpoint.web.page.admin.PageAdmin;
-import com.evolveum.midpoint.web.page.admin.PageAdminFocus;
 import com.evolveum.midpoint.web.page.admin.archetype.PageArchetype;
 import com.evolveum.midpoint.web.page.admin.archetype.PageArchetypes;
 import com.evolveum.midpoint.web.page.admin.cases.*;
-import com.evolveum.midpoint.web.page.admin.certification.PageCertCampaigns;
-import com.evolveum.midpoint.web.page.admin.certification.PageCertDecisions;
-import com.evolveum.midpoint.web.page.admin.certification.PageCertDefinition;
-import com.evolveum.midpoint.web.page.admin.certification.PageCertDefinitions;
 import com.evolveum.midpoint.web.page.admin.configuration.*;
 import com.evolveum.midpoint.web.page.admin.home.PageDashboardConfigurable;
 import com.evolveum.midpoint.web.page.admin.home.PageDashboardInfo;
@@ -658,6 +655,16 @@ public <O extends ObjectType> boolean isAuthorized(ModelAuthorizationAction acti
         }
     }
 
+    // TODO reconsider this method
+    public boolean isFullyAuthorized() {
+        try {
+            return isAuthorized(AuthorizationConstants.AUTZ_ALL_URL);
+        } catch (Throwable t) {
+            LoggingUtils.logUnexpectedException(LOGGER, "Couldn't check the authorization", t);
+            return false;
+        }
+    }
+
     public <O extends ObjectType, T extends ObjectType> boolean isAuthorized(String operationUrl) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, SecurityViolationException {
         return isAuthorized(operationUrl, null, null, null, null, null);
     }
@@ -1953,6 +1960,9 @@ public String getBubbleLabel() {
                 PageTasksCertScheduling.class, params, null);
         item.getItems().add(menu);
 
+        if (isFullyAuthorized()) {  // workaround for MID-5917
+            addMenuItem(item, "PageAdmin.menu.top.certification.allDecisions", PageCertDecisionsAll.class);
+        }
         addMenuItem(item, "PageAdmin.menu.top.certification.decisions", PageCertDecisions.class);
 
         MenuItem newCertificationMenu = new MenuItem(createStringResource("PageAdmin.menu.top.certification.newDefinition"), GuiStyleConstants.CLASS_PLUS_CIRCLE, PageCertDefinition.class, null,

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/certification/PageCertDecisions.java

@@ -57,7 +57,6 @@
 import org.apache.wicket.model.IModel;
 import org.apache.wicket.model.Model;
 import org.apache.wicket.request.mapper.parameter.PageParameters;
-import org.apache.xpath.operations.Bool;
 
 import javax.xml.datatype.XMLGregorianCalendar;
 import java.util.ArrayList;
@@ -68,9 +67,6 @@
 import static com.evolveum.midpoint.web.page.admin.certification.CertDecisionHelper.WhichObject.TARGET;
 import static com.evolveum.midpoint.xml.ns._public.common.common_3.AccessCertificationResponseType.*;
 
-/**
- * @author mederly
- */
 @PageDescriptor(url = "/admin/certification/decisions",
         action = {
                 @AuthorizationAction(actionUri = PageAdminCertification.AUTH_CERTIFICATION_ALL,
@@ -97,6 +93,10 @@ public class PageCertDecisions extends PageAdminCertification {
 
     private CertDecisionHelper helper = new CertDecisionHelper();
 
+    boolean isDisplayingAllItems() {
+        return false;
+    }
+
     public PageCertDecisions() {
     }
 
@@ -112,6 +112,8 @@ private CertWorkItemDtoProvider createProvider() {
         provider.setQuery(createCaseQuery());
         provider.setCampaignQuery(createCampaignQuery());
         provider.setReviewerOid(getCurrentUserOid());
+        provider.setNotDecidedOnly(getCertDecisionsStorage().getShowNotDecidedOnly());
+        provider.setAllItems(isDisplayingAllItems());
         provider.setSort(SearchingUtils.CURRENT_REVIEW_DEADLINE, SortOrder.ASCENDING);        // default sorting
         return provider;
     }
@@ -518,7 +520,8 @@ private void searchFilterPerformed(AjaxRequestTarget target) {
         DataTable table = panel.getDataTable();
         CertWorkItemDtoProvider provider = (CertWorkItemDtoProvider) table.getDataProvider();
         provider.setQuery(query);
-        provider.setNotDecidedOnly(getCertDecisionsStorage().getShowNotDecidedOnly().booleanValue());
+        provider.setNotDecidedOnly(getCertDecisionsStorage().getShowNotDecidedOnly());
+        provider.setAllItems(isDisplayingAllItems());
         table.setCurrentPage(0);
 
         target.add(getFeedbackPanel());

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/certification/PageCertDecisionsAll.java

@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2020 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+
+package com.evolveum.midpoint.web.page.admin.certification;
+
+import com.evolveum.midpoint.web.application.AuthorizationAction;
+import com.evolveum.midpoint.web.application.PageDescriptor;
+
+/**
+ * Displays all certification decisions.
+ *
+ * Note: The ultimate authorization check is done in certification-impl module.
+ */
+@PageDescriptor(url = "/admin/certification/decisionsAll",
+        action = {
+                @AuthorizationAction(actionUri = PageAdminCertification.AUTH_CERTIFICATION_ALL,
+                        label = PageAdminCertification.AUTH_CERTIFICATION_ALL_LABEL,
+                        description = PageAdminCertification.AUTH_CERTIFICATION_ALL_DESCRIPTION),
+                @AuthorizationAction(actionUri = PageAdminCertification.AUTH_CERTIFICATION_DECISIONS,
+                        label = PageAdminCertification.AUTH_CERTIFICATION_DECISIONS_LABEL,
+                        description = PageAdminCertification.AUTH_CERTIFICATION_DECISIONS_DESCRIPTION)})
+public class PageCertDecisionsAll extends PageCertDecisions {
+
+    @Override
+    boolean isDisplayingAllItems() {
+        return true;
+    }
+}

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/certification/dto/CertWorkItemDtoProvider.java

@@ -7,7 +7,6 @@
 
 package com.evolveum.midpoint.web.page.admin.certification.dto;
 
-import com.evolveum.midpoint.gui.api.util.WebComponentUtil;
 import com.evolveum.midpoint.model.api.AccessCertificationService;
 import com.evolveum.midpoint.prism.query.ObjectOrdering;
 import com.evolveum.midpoint.prism.query.ObjectPaging;
@@ -20,10 +19,8 @@
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.web.component.data.BaseSortableDataProvider;
-import com.evolveum.midpoint.web.page.error.PageError;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AccessCertificationWorkItemType;
 import org.apache.wicket.Component;
-import org.apache.wicket.RestartResponseException;
 import org.apache.wicket.extensions.markup.html.repeater.util.SortParam;
 import org.jetbrains.annotations.NotNull;
 
@@ -50,6 +47,7 @@ public class CertWorkItemDtoProvider extends BaseSortableDataProvider<CertWorkIt
 
     private boolean notDecidedOnly;
     private String reviewerOid;
+    private boolean allItems;
 
     public CertWorkItemDtoProvider(Component component) {
         super(component, false);        // TODO make this cache-able
@@ -71,7 +69,7 @@ public Iterator<CertWorkItemDto> internalIterator(long first, long count) {
 
             Collection<SelectorOptions<GetOperationOptions>> resolveNames = createCollection(createResolveNames());
             AccessCertificationService acs = getPage().getCertificationService();
-            List<AccessCertificationWorkItemType> workitems = acs.searchOpenWorkItems(caseQuery, notDecidedOnly, resolveNames, task, result);
+            List<AccessCertificationWorkItemType> workitems = acs.searchOpenWorkItems(caseQuery, notDecidedOnly, allItems, resolveNames, task, result);
             for (AccessCertificationWorkItemType workItem : workitems) {
                 getAvailableData().add(new CertWorkItemDto(workItem, getPage()));
             }
@@ -88,11 +86,6 @@ public Iterator<CertWorkItemDto> internalIterator(long first, long count) {
         return getAvailableData().iterator();
     }
 
-    private void handleNotSuccessOrHandledErrorInIterator(OperationResult result) {
-        getPage().showResult(result);
-        throw new RestartResponseException(PageError.class);
-    }
-
     @Override
     protected int internalSize() {
         LOGGER.trace("begin::internalSize()");
@@ -102,7 +95,7 @@ protected int internalSize() {
             Task task = getPage().createSimpleTask(OPERATION_COUNT_OBJECTS);
             AccessCertificationService acs = getPage().getCertificationService();
             ObjectQuery query = getQuery().clone();
-            count = acs.countOpenWorkItems(query, notDecidedOnly, null, task, result);
+            count = acs.countOpenWorkItems(query, notDecidedOnly, allItems,null, task, result);
         } catch (Exception ex) {
             result.recordFatalError(
                     getPage().createStringResource("CertWorkItemDtoProvider.message.internalSize.fatalError", ex.getMessage()).getString(), ex);
@@ -150,4 +143,7 @@ protected List<ObjectOrdering> createObjectOrderings(SortParam<String> sortParam
         return SearchingUtils.createObjectOrderings(sortParam, true, getPrismContext());
     }
 
+    public void setAllItems(boolean allItems) {
+        this.allItems = allItems;
+    }
 }

model/certification-api/src/main/java/com/evolveum/midpoint/certification/api/CertificationManager.java

@@ -54,7 +54,6 @@ public interface CertificationManager {
      * @param task Task in context of which all operations will take place.
      * @param parentResult Result for the operations.
      * @return Object for the created campaign. It will be stored in the repository as well.
-     * @throws ExpressionEvaluationException
      */
     AccessCertificationCampaignType createCampaign(String definitionOid, Task task, OperationResult parentResult)
             throws SchemaException, SecurityViolationException, ObjectNotFoundException, ObjectAlreadyExistsException, ExpressionEvaluationException, CommunicationException, ConfigurationException;
@@ -87,19 +86,11 @@ AccessCertificationCampaignType createCampaign(String definitionOid, Task task,
     /**
      * Starts the remediation phase for the campaign.
      * The campaign has to be in the last stage and that stage has to be already closed.
-     *
-     * @param campaignOid
-     * @param task
-     * @param result
      */
     void startRemediation(String campaignOid, Task task, OperationResult result) throws ObjectNotFoundException, SchemaException, SecurityViolationException, ObjectAlreadyExistsException, ExpressionEvaluationException, CommunicationException, ConfigurationException;
 
     /**
      * Closes a campaign.
-     *
-     * @param campaignOid
-     * @param task
-     * @param result
      */
     void closeCampaign(String campaignOid, Task task, OperationResult result) throws ObjectNotFoundException, SchemaException, SecurityViolationException, ObjectAlreadyExistsException, ExpressionEvaluationException, CommunicationException, ConfigurationException;
 
@@ -135,28 +126,41 @@ List<AccessCertificationCaseType> searchDecisionsToReview(ObjectQuery caseQuery,
             throws ObjectNotFoundException, SchemaException, SecurityViolationException;
 
     /**
-     * Returns a set of certification work items for currently logged-in user.
+     * Returns a set of certification work items for currently logged-in user (or all users).
      * Query argument for cases is the same as in the model.searchContainers(AccessCertificationCaseType...) call.
      *
      * @param caseQuery Specification of the cases to retrieve.
      * @param notDecidedOnly If true, only response==(NO_DECISION or null) should be returned.
      *                       Although it can be formulated in Query API terms, this would refer to implementation details - so
      *                       the cleaner way is keep this knowledge inside certification module only.
+     * @param allItems If true, retrieves work items for all users. Requires root ("ALL") authorization.
      * @param options Options to use (e.g. RESOLVE_NAMES).
      * @param task Task in context of which all operations will take place.
      * @param parentResult Result for the operations.
      * @return A list of relevant certification cases.
-     * @throws ExpressionEvaluationException
      *
      */
-    List<AccessCertificationWorkItemType> searchOpenWorkItems(ObjectQuery caseQuery, boolean notDecidedOnly,
+    List<AccessCertificationWorkItemType> searchOpenWorkItems(ObjectQuery caseQuery, boolean notDecidedOnly, boolean allItems,
             Collection<SelectorOptions<GetOperationOptions>> options, Task task, OperationResult parentResult)
             throws ObjectNotFoundException, SchemaException, SecurityViolationException, ExpressionEvaluationException, CommunicationException, ConfigurationException;
 
-    int countOpenWorkItems(ObjectQuery caseQuery, boolean notDecidedOnly,
+    default List<AccessCertificationWorkItemType> searchOpenWorkItems(ObjectQuery caseQuery, boolean notDecidedOnly,
+            Collection<SelectorOptions<GetOperationOptions>> options, Task task, OperationResult parentResult)
+            throws ObjectNotFoundException, SchemaException, SecurityViolationException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
+        return searchOpenWorkItems(caseQuery, notDecidedOnly, false, options, task, parentResult);
+    }
+
+    int countOpenWorkItems(ObjectQuery caseQuery, boolean notDecidedOnly, boolean allItems,
             Collection<SelectorOptions<GetOperationOptions>> options, Task task, OperationResult parentResult)
             throws ObjectNotFoundException, SchemaException, SecurityViolationException, ExpressionEvaluationException, CommunicationException, ConfigurationException;
 
+    @SuppressWarnings("unused")
+    default int countOpenWorkItems(ObjectQuery caseQuery, boolean notDecidedOnly,
+            Collection<SelectorOptions<GetOperationOptions>> options, Task task, OperationResult parentResult)
+            throws ObjectNotFoundException, SchemaException, SecurityViolationException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
+        return countOpenWorkItems(caseQuery, notDecidedOnly, false, options, task, parentResult);
+    }
+
     /**
      * Records a particular decision of a reviewer.
      *  @param campaignOid OID of the campaign to which the decision belongs.

model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/CertificationManagerImpl.java

@@ -24,6 +24,8 @@
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.CertCampaignTypeUtil;
 import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
+import com.evolveum.midpoint.security.api.AuthorizationConstants;
+import com.evolveum.midpoint.security.api.MidPointPrincipal;
 import com.evolveum.midpoint.security.api.SecurityContextManager;
 import com.evolveum.midpoint.security.api.SecurityUtil;
 import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
@@ -343,16 +345,13 @@ public List<AccessCertificationCaseType> searchDecisionsToReview(ObjectQuery cas
 
     @Override
     public List<AccessCertificationWorkItemType> searchOpenWorkItems(ObjectQuery baseWorkItemsQuery, boolean notDecidedOnly,
-            Collection<SelectorOptions<GetOperationOptions>> options, Task task, OperationResult parentResult)
+            boolean allItems, Collection<SelectorOptions<GetOperationOptions>> options, Task task, OperationResult parentResult)
             throws ObjectNotFoundException, SchemaException, SecurityViolationException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
 
         OperationResult result = parentResult.createSubresult(OPERATION_SEARCH_OPEN_WORK_ITEMS);
-
         try {
-            securityEnforcer.authorize(ModelAuthorizationAction.READ_OWN_CERTIFICATION_DECISIONS.getUrl(), null,
-                    AuthorizationParameters.EMPTY, null, task, result);
-
-            return queryHelper.searchOpenWorkItems(baseWorkItemsQuery, SecurityUtil.getPrincipal(), notDecidedOnly, options, result);
+            MidPointPrincipal principal = getAuthorizedPrincipal(allItems, task, result);
+            return queryHelper.searchOpenWorkItems(baseWorkItemsQuery, principal, notDecidedOnly, options, result);
         } catch (RuntimeException e) {
             result.recordFatalError("Couldn't search for certification work items: unexpected exception: " + e.getMessage(), e);
             throw e;
@@ -361,18 +360,36 @@ public List<AccessCertificationWorkItemType> searchOpenWorkItems(ObjectQuery bas
         }
     }
 
+    @Nullable
+    private MidPointPrincipal getAuthorizedPrincipal(boolean allItems, Task task, OperationResult result)
+            throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException,
+            CommunicationException, ConfigurationException {
+        if (allItems) {
+            securityEnforcer.authorize(AuthorizationConstants.AUTZ_ALL_URL, null,
+                    AuthorizationParameters.EMPTY, null, task, result);
+            return null;
+        } else {
+            securityEnforcer.authorize(ModelAuthorizationAction.READ_OWN_CERTIFICATION_DECISIONS.getUrl(), null,
+                    AuthorizationParameters.EMPTY, null, task, result);
+            MidPointPrincipal principal = SecurityUtil.getPrincipal();
+            if (principal == null) {
+                throw new IllegalStateException("No principal");
+            } else {
+                return principal;
+            }
+        }
+    }
+
     @Override
-    public int countOpenWorkItems(ObjectQuery baseWorkItemsQuery, boolean notDecidedOnly,
+    public int countOpenWorkItems(ObjectQuery baseWorkItemsQuery, boolean notDecidedOnly, boolean allItems,
             Collection<SelectorOptions<GetOperationOptions>> options, Task task, OperationResult parentResult)
             throws ObjectNotFoundException, SchemaException, SecurityViolationException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
 
         OperationResult result = parentResult.createSubresult(OPERATION_COUNT_OPEN_WORK_ITEMS);
 
         try {
-            securityEnforcer.authorize(ModelAuthorizationAction.READ_OWN_CERTIFICATION_DECISIONS.getUrl(), null,
-                    AuthorizationParameters.EMPTY, null, task, result);
-
-            return queryHelper.countOpenWorkItems(baseWorkItemsQuery, SecurityUtil.getPrincipal(), notDecidedOnly, options, result);
+            MidPointPrincipal principal = getAuthorizedPrincipal(allItems, task, result);
+            return queryHelper.countOpenWorkItems(baseWorkItemsQuery, principal, notDecidedOnly, options, result);
         } catch (RuntimeException e) {
             result.recordFatalError("Couldn't search for certification work items: unexpected exception: " + e.getMessage(), e);
             throw e;