Merge branch 'feature/provisioning-run-as'

build-system/pom.xml

@@ -83,7 +83,7 @@
         <activiti-spring.version>5.22.0</activiti-spring.version>
         <commons-email.version>1.3</commons-email.version>
         <xmlsec.version>2.0.6</xmlsec.version>
-        <connid.version>1.4.3.41</connid.version>
+        <connid.version>1.4.3.43</connid.version>
         <jasper.version>6.5.0</jasper.version>
         <derby.version>10.11.1.1</derby.version>
         <wro4j.version>1.8.0</wro4j.version>

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/server/PageTaskController.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2018 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -78,7 +78,7 @@ public void deleteSyncTokenPerformed(AjaxRequestTarget target) {
 			if (property == null) {
 				result.recordWarning("Token is not present in this task.");		// should be treated by isVisible
 			} else {
-				final ObjectDelta<? extends ObjectType> delta = (ObjectDelta<? extends ObjectType>)
+				final ObjectDelta<? extends ObjectType> delta =
 						DeltaBuilder.deltaFor(TaskType.class, parentPage.getPrismContext())
 								.item(new ItemPath(TaskType.F_EXTENSION, SchemaConstants.SYNC_TOKEN), property.getDefinition()).replace()
 								.asObjectDelta(parentPage.getTaskDto().getOid());

icf-connectors/dummy-connector/src/main/java/com/evolveum/icf/dummy/connector/AbstractDummyConnector.java

@@ -23,6 +23,7 @@
 import org.identityconnectors.framework.common.exceptions.ConnectorException;
 import org.identityconnectors.framework.common.exceptions.ConnectorIOException;
 import org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException;
+import org.identityconnectors.framework.common.exceptions.InvalidPasswordException;
 import org.identityconnectors.framework.common.exceptions.UnknownUidException;
 import org.identityconnectors.framework.common.objects.*;
 
@@ -390,7 +391,8 @@ public Schema schema() {
         	throw new UnsupportedOperationException();
         }
 
-        SchemaBuilder builder = new SchemaBuilder(AbstractDummyConnector.class);
+        SchemaBuilder builder = new SchemaBuilder(this.getClass());
+        log.ok("Building schema for {0}", this.getClass());
 
     	try {
 
@@ -418,11 +420,17 @@ public Schema schema() {
 			builder.defineOperationOption(OperationOptionInfoBuilder.buildPageSize(), SearchOp.class);
 			builder.defineOperationOption(OperationOptionInfoBuilder.buildSortKeys(), SearchOp.class);
 		}
+
+		extendSchema(builder);
 
         log.info("schema::end");
         return builder.build();
     }
 
+	protected void extendSchema(SchemaBuilder builder) {
+		// for subclasses
+	}
+
 	private String getAccountObjectClassName() {
 		if (configuration.getUseLegacySchema()) {
 			return ObjectClass.ACCOUNT_NAME;
@@ -1598,6 +1606,32 @@ private boolean attributesToGetHasAttribute(Collection<String> attributesToGet,
 		}
 		return attributesToGet.contains(attrName);
 	}
+
+	protected void applyModifyMetadata(DummyObject object, OperationOptions options) throws ConnectException, FileNotFoundException, SchemaViolationException, ConflictException {
+		String runAsUser = options.getRunAsUser();
+		if (runAsUser != null) {
+			if (!configuration.getSupportRunAs()) {
+				throw new UnsupportedOperationException("runAsUser option is not supported");
+			}
+			DummyAccount runAsAccount = resource.getAccountByUsername(runAsUser);
+			if (runAsAccount == null) {
+				new ConfigurationException("No runAsUser "+runAsUser);
+			}
+			GuardedString runWithPassword = options.getRunWithPassword();
+			if (runWithPassword != null) {
+				runWithPassword.access((clearChars) -> {
+					if (!runAsAccount.getPassword().equals(new String(clearChars))) {
+						throw new InvalidPasswordException("Wrong runWithPassword");
+					}
+				});
+			} else {
+				throw new InvalidPasswordException("No runWithPassword");
+			}
+			object.setLastModifier(runAsAccount.getName());
+		} else {
+			object.setLastModifier(null);
+		}
+	}
 
 	public void validate(ObjectClass oc) {
         if (oc == null) {

icf-connectors/dummy-connector/src/main/java/com/evolveum/icf/dummy/connector/DummyConfiguration.java

@@ -45,6 +45,7 @@ public class DummyConfiguration extends AbstractConfiguration {
     private boolean supportSchema = true;
     private boolean supportActivation = true;
     private boolean supportValidity = false;
+    private boolean supportRunAs = true;
     private String uidMode =  UID_MODE_NAME;
     private boolean enforceUniqueName = true;
     private String passwordReadabilityMode = PASSWORD_READABILITY_MODE_UNREADABLE;
@@ -126,6 +127,16 @@ public boolean getSupportValidity() {
 	public void setSupportValidity(boolean supportValidity) {
 		this.supportValidity = supportValidity;
 	}
+
+	@ConfigurationProperty(displayMessageKey = "UI_SUPPORT_RUN_AS",
+    		helpMessageKey = "UI_SUPPORT_RUN_AS_HELP")
+	public boolean getSupportRunAs() {
+		return supportRunAs;
+	}
+
+	public void setSupportRunAs(boolean supportRunAs) {
+		this.supportRunAs = supportRunAs;
+	}
 
 	@ConfigurationProperty(displayMessageKey = "UI_UID_MODE",
     		helpMessageKey = "UI_UID_MODE_HELP")

icf-connectors/dummy-connector/src/main/java/com/evolveum/icf/dummy/connector/DummyConnector.java

@@ -23,6 +23,7 @@
 import org.identityconnectors.framework.common.exceptions.ConnectorException;
 import org.identityconnectors.framework.common.exceptions.ConnectorIOException;
 import org.identityconnectors.framework.common.exceptions.InvalidAttributeValueException;
+import org.identityconnectors.framework.common.exceptions.InvalidPasswordException;
 import org.identityconnectors.framework.common.exceptions.UnknownUidException;
 import org.identityconnectors.framework.common.objects.*;
 
@@ -125,6 +126,7 @@ public Set<AttributeDelta> updateDelta(final ObjectClass objectClass, final Uid
 		        if (account == null) {
 		        	throw new UnknownUidException("Account with UID "+uid+" does not exist on resource");
 		        }
+		        applyModifyMetadata(account, options);
 
 				// we do this before setting attribute values, in case when description itself would be changed
 				resource.changeDescriptionIfNeeded(account);
@@ -174,6 +176,7 @@ public Set<AttributeDelta> updateDelta(final ObjectClass objectClass, final Uid
 
 		        	}
 		        }
+
 
 	        } else if (ObjectClass.GROUP.is(objectClass.getObjectClassValue())) {
 
@@ -188,6 +191,7 @@ public Set<AttributeDelta> updateDelta(final ObjectClass objectClass, final Uid
 		        if (group == null) {
 		        	throw new UnknownUidException("Group with UID "+uid+" does not exist on resource");
 		        }
+		        applyModifyMetadata(group, options);
 
 		        for (AttributeDelta delta : modifications) {
 		        	if (delta.is(Name.NAME)) {
@@ -219,6 +223,7 @@ public Set<AttributeDelta> updateDelta(final ObjectClass objectClass, final Uid
 						applyOrdinaryAttributeDelta(group, delta, valuesTransformer);
 		        	}
 		        }
+
 
 	        } else if (objectClass.is(OBJECTCLASS_PRIVILEGE_NAME)) {
 
@@ -233,6 +238,7 @@ public Set<AttributeDelta> updateDelta(final ObjectClass objectClass, final Uid
 		        if (priv == null) {
 		        	throw new UnknownUidException("Privilege with UID "+uid+" does not exist on resource");
 		        }
+		        applyModifyMetadata(priv, options);
 
 		        for (AttributeDelta delta : modifications) {
 		        	if (delta.is(Name.NAME)) {
@@ -257,6 +263,7 @@ public Set<AttributeDelta> updateDelta(final ObjectClass objectClass, final Uid
 		        		applyOrdinaryAttributeDelta(priv, delta, null);
 		        	}
 		        }
+
 
 	        } else if (objectClass.is(OBJECTCLASS_ORG_NAME)) {
 
@@ -271,6 +278,7 @@ public Set<AttributeDelta> updateDelta(final ObjectClass objectClass, final Uid
 		        if (org == null) {
 		        	throw new UnknownUidException("Org with UID "+uid+" does not exist on resource");
 		        }
+		        applyModifyMetadata(org, options);
 
 		        for (AttributeDelta delta : modifications) {
 		        	if (delta.is(Name.NAME)) {
@@ -295,7 +303,7 @@ public Set<AttributeDelta> updateDelta(final ObjectClass objectClass, final Uid
 		        		applyOrdinaryAttributeDelta(org, delta, null);
 		        	}
 		        }
-
+		        
 
 	        } else {
 	        	throw new ConnectorException("Unknown object class "+objectClass);
@@ -321,7 +329,7 @@ public Set<AttributeDelta> updateDelta(final ObjectClass objectClass, final Uid
         log.info("update::end {0}", instanceName);
         return sideEffectChanges;
     }
-    
+
 	private void applyAuxiliaryObjectClassDelta(DummyObject dummyObject, AttributeDelta delta) {
     	List<String> replaceValues = getReplaceValues(delta, String.class);
 		if (replaceValues != null) {
@@ -490,4 +498,15 @@ protected void addAdditionalCommonAttributes(ConnectorObjectBuilder builder, Dum
     	}
     }
 
+	@Override
+	protected void extendSchema(SchemaBuilder builder) {
+		super.extendSchema(builder);
+
+		if (configuration.getSupportRunAs()) {
+			log.ok("Adding runAs options to schema");
+			builder.defineOperationOption(OperationOptionInfoBuilder.buildRunWithUser(), UpdateDeltaOp.class);
+			builder.defineOperationOption(OperationOptionInfoBuilder.buildRunWithPassword(), UpdateDeltaOp.class);
+		}
+	}
+
 }

icf-connectors/dummy-connector/src/main/java/com/evolveum/icf/dummy/connector/DummyConnectorLegacyUpdate.java

@@ -116,6 +116,7 @@ public Uid update(ObjectClass objectClass, Uid uid, Set<Attribute> replaceAttrib
 		        if (account == null) {
 		        	throw new UnknownUidException("Account with UID "+uid+" does not exist on resource");
 		        }
+		        applyModifyMetadata(account, options);
 
 				// we do this before setting attribute values, in case when description itself would be changed
 				resource.changeDescriptionIfNeeded(account);
@@ -179,6 +180,7 @@ public Uid update(ObjectClass objectClass, Uid uid, Set<Attribute> replaceAttrib
 		        if (group == null) {
 		        	throw new UnknownUidException("Group with UID "+uid+" does not exist on resource");
 		        }
+		        applyModifyMetadata(group, options);
 
 		        for (Attribute attr : replaceAttributes) {
 		        	if (attr.is(Name.NAME)) {
@@ -229,6 +231,7 @@ public Uid update(ObjectClass objectClass, Uid uid, Set<Attribute> replaceAttrib
 		        if (priv == null) {
 		        	throw new UnknownUidException("Privilege with UID "+uid+" does not exist on resource");
 		        }
+		        applyModifyMetadata(priv, options);
 
 		        for (Attribute attr : replaceAttributes) {
 		        	if (attr.is(Name.NAME)) {
@@ -271,6 +274,7 @@ public Uid update(ObjectClass objectClass, Uid uid, Set<Attribute> replaceAttrib
 		        if (org == null) {
 		        	throw new UnknownUidException("Org with UID "+uid+" does not exist on resource");
 		        }
+		        applyModifyMetadata(org, options);
 
 		        for (Attribute attr : replaceAttributes) {
 		        	if (attr.is(Name.NAME)) {
@@ -346,6 +350,7 @@ public Uid addAttributeValues(ObjectClass objectClass, Uid uid, Set<Attribute> v
 		        if (account == null) {
 		        	throw new UnknownUidException("Account with UID "+uid+" does not exist on resource");
 		        }
+		        applyModifyMetadata(account, options);
 
 				// we could change the description here, but don't do that not to collide with ADD operation
 				// TODO add the functionality if needed
@@ -391,6 +396,7 @@ public Uid addAttributeValues(ObjectClass objectClass, Uid uid, Set<Attribute> v
 		        if (group == null) {
 		        	throw new UnknownUidException("Group with UID "+uid+" does not exist on resource");
 		        }
+		        applyModifyMetadata(group, options);
 
 		        for (Attribute attr : valuesToAdd) {
 
@@ -435,6 +441,7 @@ public Uid addAttributeValues(ObjectClass objectClass, Uid uid, Set<Attribute> v
 		        if (priv == null) {
 		        	throw new UnknownUidException("Privilege with UID "+uid+" does not exist on resource");
 		        }
+		        applyModifyMetadata(priv, options);
 
 		        for (Attribute attr : valuesToAdd) {
 
@@ -471,6 +478,7 @@ public Uid addAttributeValues(ObjectClass objectClass, Uid uid, Set<Attribute> v
 		        if (org == null) {
 		        	throw new UnknownUidException("Org with UID "+uid+" does not exist on resource");
 		        }
+		        applyModifyMetadata(org, options);
 
 		        for (Attribute attr : valuesToAdd) {
 
@@ -538,6 +546,7 @@ public Uid removeAttributeValues(ObjectClass objectClass, Uid uid, Set<Attribute
 		        if (account == null) {
 		        	throw new UnknownUidException("Account with UID "+uid+" does not exist on resource");
 		        }
+		        applyModifyMetadata(account, options);
 
 				// we could change the description here, but don't do that not to collide with REMOVE operation
 				// TODO add the functionality if needed
@@ -576,6 +585,7 @@ public Uid removeAttributeValues(ObjectClass objectClass, Uid uid, Set<Attribute
 		        if (group == null) {
 		        	throw new UnknownUidException("Group with UID "+uid+" does not exist on resource");
 		        }
+		        applyModifyMetadata(group, options);
 
 		        for (Attribute attr : valuesToRemove) {
 		        	if (attr.is(OperationalAttributeInfos.PASSWORD.getName())) {
@@ -617,6 +627,7 @@ public Uid removeAttributeValues(ObjectClass objectClass, Uid uid, Set<Attribute
 		        if (priv == null) {
 		        	throw new UnknownUidException("Privilege with UID "+uid+" does not exist on resource");
 		        }
+		        applyModifyMetadata(priv, options);
 
 		        for (Attribute attr : valuesToRemove) {
 		        	if (attr.is(OperationalAttributeInfos.PASSWORD.getName())) {
@@ -650,6 +661,7 @@ public Uid removeAttributeValues(ObjectClass objectClass, Uid uid, Set<Attribute
 		        if (org == null) {
 		        	throw new UnknownUidException("Org with UID "+uid+" does not exist on resource");
 		        }
+		        applyModifyMetadata(org, options);
 
 		        for (Attribute attr : valuesToRemove) {
 		        	if (attr.is(OperationalAttributeInfos.PASSWORD.getName())) {
@@ -691,4 +703,15 @@ public Uid removeAttributeValues(ObjectClass objectClass, Uid uid, Set<Attribute
         return uid;
     }
 
+    @Override
+	protected void extendSchema(SchemaBuilder builder) {
+		super.extendSchema(builder);
+
+		if (configuration.getSupportRunAs()) {
+			log.ok("Adding runAs options to schema");
+			builder.defineOperationOption(OperationOptionInfoBuilder.buildRunWithUser(), UpdateAttributeValuesOp.class);
+			builder.defineOperationOption(OperationOptionInfoBuilder.buildRunWithPassword(), UpdateAttributeValuesOp.class);
+		}
+	}
+
 }

icf-connectors/dummy-resource/src/main/java/com/evolveum/icf/dummy/resource/DummyObject.java

@@ -47,6 +47,7 @@ public abstract class DummyObject implements DebugDumpable {
 	private Boolean enabled = true;
 	private Date validFrom = null;
 	private Date validTo = null;
+	private String lastModifier;
 	protected DummyResource resource;
 
 	private final Set<String> auxiliaryObjectClassNames = new HashSet<>();
@@ -117,6 +118,14 @@ public void setValidTo(Date validTo) throws ConnectException, FileNotFoundExcept
 		recordModify();
 	}
 
+	public String getLastModifier() {
+		return lastModifier;
+	}
+
+	public void setLastModifier(String lastModifier) {
+		this.lastModifier = lastModifier;
+	}
+
 	public BreakMode getModifyBreakMode() {
 		return modifyBreakMode;
 	}
@@ -460,11 +469,6 @@ protected String toStringContent() {
 		return "name=" + name + ", attributes=" + attributes + ", enabled=" + enabled;
 	}
 
-	@Override
-	public String debugDump() {
-		return debugDump(0);
-	}
-
 	@Override
 	public String debugDump(int indent) {
 		StringBuilder sb = new StringBuilder();
@@ -483,6 +487,8 @@ public String debugDump(int indent) {
 			sb.append(" ").append(PrettyPrinter.prettyPrint(validFrom)).append(" - ").append(PrettyPrinter.prettyPrint(validTo));
 		}
 		sb.append("\n");
+		DebugUtil.debugDumpWithLabel(sb, "lastModifier", lastModifier, indent + 1);
+		sb.append("\n");
 		DebugUtil.debugDumpWithLabel(sb, "Attributes", attributes, indent + 1);
 		extendDebugDump(sb, indent);
 		return sb.toString();

infra/prism/src/main/java/com/evolveum/midpoint/prism/delta/builder/DeltaBuilder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2015 Evolveum
+ * Copyright (c) 2010-2018 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -199,6 +199,14 @@ public S_ValuesEntry oldRealValues(Collection<?> realValues) {
         }
         return this;
     }
+
+    @Override
+    public <T> S_ValuesEntry oldRealValue(T realValue) {
+        if (realValue != null) {
+            currentDelta.addEstimatedOldValue(toPrismValue(currentDelta, realValue));
+        }
+        return this;
+    }
 
     @Override
     public S_ValuesEntry old(PrismValue... values) {