More tests for Groovy "sandbox". Some fixes.

Evolveum · Mar 25, 2019 · 1b8bc5b · 1b8bc5b
1 parent 609dec0
commit 1b8bc5b
Show file tree

Hide file tree

Showing 30 changed files with 1,693 additions and 75 deletions.
diff --git a/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/PrimitiveType.java b/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/PrimitiveType.java
@@ -34,6 +34,7 @@ public enum PrimitiveType {
 	SHORT("short"),
 	FLOAT("float"),
 	DOUBLE("double"),
+	BOOLEAN("boolean"),
 	BASE64BINARY("base64binary"),
 	DATETIME("dateTime"),
 	DURATION("duration"),
@@ -61,6 +62,7 @@ public QName getQname() {
 	public static final QName XSD_SHORT = SHORT.getQname();
 	public static final QName XSD_FLOAT = FLOAT.getQname();
 	public static final QName XSD_DOUBLE = DOUBLE.getQname();
+	public static final QName XSD_BOOLEAN = BOOLEAN.getQname();
 	public static final QName XSD_BASE64BINARY = BASE64BINARY.getQname();
 	public static final QName XSD_DATETIME = DATETIME.getQname();
 	public static final QName XSD_DURATION = DURATION.getQname();

diff --git a/infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/xjc/PrismForJAXBUtil.java b/infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/xjc/PrismForJAXBUtil.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2018 Evolveum
+ * Copyright (c) 2010-2019 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -38,10 +38,13 @@
 
 /**
  * @author lazyman
+ * @author semancik
  */
 public final class PrismForJAXBUtil {
 
-    private PrismForJAXBUtil() {
+    private static final Object JAXB_CLASS_MANGLED = "clazz";
+
+	private PrismForJAXBUtil() {
     }
 
     public static <T> T getPropertyValue(PrismContainerValue container, QName name, Class<T> clazz) {
@@ -163,6 +166,11 @@ public static <T extends Containerable> T getFieldSingleContainerable(PrismConta
     public static <T extends PrismContainer<?>> T getContainer(PrismContainerValue parentValue, QName name) {
         Validate.notNull(parentValue, "Parent container value must not be null.");
         Validate.notNull(name, "QName must not be null.");
+
+        // This is how JAXB compiler handles elements of name "class".
+        if (JAXB_CLASS_MANGLED.equals(name.getLocalPart())) {
+        	name = new QName(name.getNamespaceURI(), "class");
+        }
 
         try {
 			PrismContainer container = parentValue.findContainer(name);

diff --git a/...ma/src/main/java/com/evolveum/midpoint/schema/expression/ExpressionPermissionProfile.java b/...ma/src/main/java/com/evolveum/midpoint/schema/expression/ExpressionPermissionProfile.java
@@ -21,6 +21,7 @@
 import com.evolveum.midpoint.schema.AccessDecision;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionPermissionClassProfileType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionPermissionMethodProfileType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionPermissionPackageProfileType;
 
 /**
  * Compiled expression permission profile.
@@ -32,7 +33,8 @@ public class ExpressionPermissionProfile {
 
 	private final String identifier;
 	private AccessDecision decision;
-	private List<ExpressionPermissionClassProfileType> classProfiles = new ArrayList<>();
+	private final List<ExpressionPermissionPackageProfileType> packageProfiles = new ArrayList<>();
+	private final List<ExpressionPermissionClassProfileType> classProfiles = new ArrayList<>();
 
 	public ExpressionPermissionProfile(String identifier) {
 		super();
@@ -50,19 +52,28 @@ public AccessDecision getDecision() {
 	public void setDecision(AccessDecision decision) {
 		this.decision = decision; 
 	}
+
+	public List<ExpressionPermissionPackageProfileType> getPackageProfiles() {
+		return packageProfiles;
+	}
 
 	public List<ExpressionPermissionClassProfileType> getClassProfiles() {
 		return classProfiles;
 	}
 
 	public boolean hasRestrictions() {
-		return !classProfiles.isEmpty();
+		return !classProfiles.isEmpty() || !packageProfiles.isEmpty() || decision != AccessDecision.ALLOW;
 	}
 
 	public AccessDecision decideClassAccess(String className, String methodName) {
 		ExpressionPermissionClassProfileType classProfile = getClassProfile(className);
 		if (classProfile == null) {
-			return decision;
+			ExpressionPermissionPackageProfileType packageProfile = getPackageProfileByClassName(className);
+			if (packageProfile == null) {
+				return decision;
+			} else {
+				return AccessDecision.translate(packageProfile.getDecision());
+			}
 		}
 		ExpressionPermissionMethodProfileType methodProfile = getMethodProfile(classProfile, methodName);
 		if (methodProfile == null) {
@@ -72,6 +83,22 @@ public AccessDecision decideClassAccess(String className, String methodName) {
 		}
 	}
 
+	private ExpressionPermissionPackageProfileType getPackageProfileByClassName(String className) {
+		for (ExpressionPermissionPackageProfileType packageProfile : packageProfiles) {
+			if (isMemeberClass(packageProfile, className)) {
+				return packageProfile;
+			}
+		}
+		return null;
+	}
+
+
+
+	private boolean isMemeberClass(ExpressionPermissionPackageProfileType packageProfile, String className) {
+		// TODO Maybe too simple. But this will do for now.
+		return className.startsWith(packageProfile.getName());
+	}
+
 	private ExpressionPermissionClassProfileType getClassProfile(String className) {
 		for (ExpressionPermissionClassProfileType classProfile : classProfiles) {
 			if (className.equals(classProfile.getName())) {

diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/TypedValue.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/TypedValue.java
@@ -84,6 +84,13 @@ public TypedValue(Object value, Class<T> typeClass) {
 		this.value = value;
 		this.typeClass = typeClass;
 	}
+
+	public TypedValue(Object value, ItemDefinition<?> definition, Class<T> typeClass) {
+		super();
+		this.value = value;
+		this.definition = definition;
+		this.typeClass = typeClass;
+	}
 
 	public Object getValue() {
 		return value;
@@ -110,6 +117,9 @@ public void setTypeClass(Class<T> typeClass) {
 		this.typeClass = typeClass;
 	}
 
+	public boolean canDetermineType() {
+		return definition != null || typeClass != null;
+	}
 
 	public Class<T> determineClass() throws SchemaException {
 		if (definition == null) {
@@ -134,6 +144,13 @@ public Class<T> determineClass() throws SchemaException {
 			return determinedClass;
 		}
 	}
+
+	/**
+	 * Returns new TypedValue that has a new (transformed) value, but has the same definition.
+	 */
+	public TypedValue<T> createTransformed(Object newValue) {
+		return new TypedValue(newValue, definition, typeClass);
+	}
 
 	@Override
 	public int hashCode() {
@@ -200,7 +217,7 @@ public void shortDump(StringBuilder sb) {
 			sb.append(", class=").append(typeClass.getSimpleName());
 		}
 		if (definition == null && typeClass == null) {
-			sb.append("definition/class=null");
+			sb.append(", definition/class=null");
 		}
 	}
 

diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/VariablesMap.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/VariablesMap.java
@@ -79,14 +79,17 @@ public TypedValue get(Object key) {
 
 	public TypedValue put(String key, TypedValue typedValue) {
 		if (typedValue == null) {
-			throw new IllegalArgumentException("Attempt to variable '"+key+"' with null typed value");
+			throw new IllegalArgumentException("Attempt to set variable '"+key+"' with null typed value");
+		}
+		if (!typedValue.canDetermineType()) {
+			throw new IllegalArgumentException("Attempt to set variable '"+key+"' without determinable type");
 		}
 		return variables.put(key, typedValue);
 	}
 
 	@SuppressWarnings("rawtypes")
 	public <D extends ItemDefinition> TypedValue put(String key, Object value, D definition) {
-		return variables.put(key, new TypedValue(value, definition));
+		return variables.put(key, new TypedValue<>(value, definition));
 	}
 
 	/**
@@ -95,7 +98,7 @@ public <D extends ItemDefinition> TypedValue put(String key, Object value, D def
 	 * of the value precisely. 
 	 */
 	public <T> TypedValue put(String key, Object value, Class<T> typeClass) {
-		return variables.put(key, new TypedValue(value, typeClass));
+		return variables.put(key, new TypedValue<>(value, typeClass));
 	}
 
 	/**

diff --git a/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd b/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
@@ -15412,6 +15412,16 @@
 			</xsd:appinfo>
 		</xsd:annotation>
 		<xsd:sequence>
+			<xsd:element name="description" type="xsd:string" minOccurs="0" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Free-form description (comment).
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>SystemConfigurationExpressionsType.name</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
 			<xsd:element name="expressionProfile" type="tns:ExpressionProfileType" minOccurs="0" maxOccurs="unbounded">
 			    <xsd:annotation>
 			        <xsd:documentation>
@@ -15459,6 +15469,16 @@
 					</xsd:appinfo>
 			    </xsd:annotation>
 			</xsd:element>
+			<xsd:element name="description" type="xsd:string" minOccurs="0" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Free-form description (comment).
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionProfileType.name</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
 			<xsd:element name="decision" type="tns:AuthorizationDecisionType" minOccurs="1" maxOccurs="1">
 			    <xsd:annotation>
 			        <xsd:documentation>
@@ -15504,6 +15524,16 @@
 					</xsd:appinfo>
 			    </xsd:annotation>
 			</xsd:element>
+			<xsd:element name="description" type="xsd:string" minOccurs="0" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Free-form description (comment).
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionEvaluatorProfileType.name</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
 			<xsd:element name="decision" type="tns:AuthorizationDecisionType" minOccurs="1" maxOccurs="1">
 			    <xsd:annotation>
 			        <xsd:documentation>
@@ -15551,6 +15581,16 @@
 					</xsd:appinfo>
                 </xsd:annotation>
             </xsd:element>
+            <xsd:element name="description" type="xsd:string" minOccurs="0" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Free-form description (comment).
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ScriptExpressionProfileType.name</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
 			<xsd:element name="decision" type="tns:AuthorizationDecisionType" minOccurs="1" maxOccurs="1">
 			    <xsd:annotation>
 			        <xsd:documentation>
@@ -15617,6 +15657,16 @@
 					</xsd:appinfo>
 			    </xsd:annotation>
 			</xsd:element>
+			<xsd:element name="description" type="xsd:string" minOccurs="0" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Free-form description (comment).
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionPermissionProfileType.name</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
 			<xsd:element name="decision" type="tns:AuthorizationDecisionType" minOccurs="1" maxOccurs="1">
 			    <xsd:annotation>
 			        <xsd:documentation>
@@ -15628,6 +15678,16 @@
 					</xsd:appinfo>
 			    </xsd:annotation>
 			</xsd:element>
+			<xsd:element name="package" type="tns:ExpressionPermissionPackageProfileType" minOccurs="0" maxOccurs="unbounded">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Detailed specification for access to a class.
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionPermissionProfileType.class</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
 			<xsd:element name="class" type="tns:ExpressionPermissionClassProfileType" minOccurs="0" maxOccurs="unbounded">
 			    <xsd:annotation>
 			        <xsd:documentation>
@@ -15638,11 +15698,59 @@
 					</xsd:appinfo>
 			    </xsd:annotation>
 			</xsd:element>
-			<!-- TODO: later: package? -->
 			<!-- TODO: later: sandboxing, allowed operations -->
 		</xsd:sequence>
 	</xsd:complexType>
 
+	<xsd:complexType name="ExpressionPermissionPackageProfileType">
+		<xsd:annotation>
+			<xsd:documentation>
+				Specifies restrictions and permissions for a package.
+				For now package definitions MUST NOT OVERLAP. Therefore there must not be
+				a definiton of a superpackage and subpackage at the same time.
+			</xsd:documentation>
+			<xsd:appinfo>
+				<a:container/>
+            	<a:since>4.0</a:since>
+            	<a:experimental>true</a:experimental>
+			</xsd:appinfo>
+		</xsd:annotation>
+		<xsd:sequence>
+			<xsd:element name="name" type="xsd:string" minOccurs="1" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Full name of the class (including package).
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionPermissionPackageProfileType.name</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="description" type="xsd:string" minOccurs="0" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Free-form description (comment).
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionPermissionPackageProfileType.name</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<xsd:element name="decision" type="tns:AuthorizationDecisionType" minOccurs="1" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Default decision for the profile. I.e. decision of those aspects of the profile
+			            (e.g. classes, permissions) that are not explicitly enumerated.
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionPermissionPackageProfileType.decision</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
+			<!-- TODO: classes within a package? -->
+		</xsd:sequence>
+	</xsd:complexType>
+
 	<xsd:complexType name="ExpressionPermissionClassProfileType">
 		<xsd:annotation>
 			<xsd:documentation>
@@ -15665,6 +15773,16 @@
 					</xsd:appinfo>
 			    </xsd:annotation>
 			</xsd:element>
+			<xsd:element name="description" type="xsd:string" minOccurs="0" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Free-form description (comment).
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>ExpressionPermissionClassProfileType.name</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
 			<xsd:element name="decision" type="tns:AuthorizationDecisionType" minOccurs="1" maxOccurs="1">
 			    <xsd:annotation>
 			        <xsd:documentation>
@@ -15711,6 +15829,16 @@
 					</xsd:appinfo>
 			    </xsd:annotation>
 			</xsd:element>
+			<xsd:element name="description" type="xsd:string" minOccurs="0" maxOccurs="1">
+			    <xsd:annotation>
+			        <xsd:documentation>
+			            Free-form description (comment).
+			        </xsd:documentation>
+			        <xsd:appinfo>
+						<a:displayName>"ExpressionPermissionMethodProfileType".name</a:displayName>
+					</xsd:appinfo>
+			    </xsd:annotation>
+			</xsd:element>
 			<xsd:element name="decision" type="tns:AuthorizationDecisionType" minOccurs="1" maxOccurs="1">
 			    <xsd:annotation>
 			        <xsd:documentation>