Merge branch 'master' of https://github.com/Evolveum/midpoint

Evolveum · Jun 21, 2017 · 22893d7 · 22893d7
2 parents 5a9c985 + a8c1fd7
commit 22893d7
Show file tree

Hide file tree

Showing 22 changed files with 941 additions and 196 deletions.
diff --git a/build-system/pom.xml b/build-system/pom.xml
@@ -1404,7 +1404,7 @@
 						<midpoint.home>target/midpoint-home</midpoint.home>
 						<java.util.logging.config.file>${project.build.directory}/test-classes/logging.properties</java.util.logging.config.file>
 					</systemPropertyVariables>
-					<argLine>-Xms1024m -Xmx2048m</argLine>
+					<argLine>-Xms1024m -Xmx4096m</argLine>
 					<!--<argLine>-agentpath:/usr/local/yjp-11.0.10/bin/linux-x86-64/libyjpagent.so=alloceach=10,allocsizelimit=1048576,sampling,walltimespec=/home/lazyman/.yjp/config/.walltime,noj2ee,profileruipath=/usr/local/yjp-11.0.10/bin/yjp.sh,onexit=snapshot 
 						-Xms512m -Xmx1024m -XX:MaxPermSize=192m</argLine> -->
 

diff --git a/...i/src/main/java/com/evolveum/midpoint/web/page/admin/certification/PageCertCampaigns.java b/...i/src/main/java/com/evolveum/midpoint/web/page/admin/certification/PageCertCampaigns.java
@@ -105,6 +105,7 @@ public class PageCertCampaigns extends PageAdminCertification {
 	private String definitionOid;
 
 	public PageCertCampaigns(PageParameters parameters) {
+		getPageParameters().overwriteWith(parameters);
 		definitionOid = getPageParameters().get(OnePageParameterEncoder.PARAMETER).toString();
 		initLayout();
 	}

diff --git a/gui/admin-gui/src/main/webapp/WEB-INF/ctx-web-security-ldap.xml b/gui/admin-gui/src/main/webapp/WEB-INF/ctx-web-security-ldap.xml
@@ -21,7 +21,7 @@
 	</bean>
 
 	<bean id="midPointAuthenticationProvider"
-		class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
+		class="com.evolveum.midpoint.model.impl.security.MidPointLdapAuthenticationProvider">
 		<constructor-arg>
 			<bean
 				class="org.springframework.security.ldap.authentication.BindAuthenticator">
@@ -32,7 +32,7 @@
 					</list>
 				</property>
 				<!--  OPTIONAL -->
-				<!--  <property name="userSearch" ref="userSearch" /> -->
+<!-- 				 <property name="userSearch" ref="userSearch" /> -->
 			</bean>
 		</constructor-arg>
 		<property name="userDetailsContextMapper" ref="userDetailsService" />
@@ -45,5 +45,5 @@
 		<constructor-arg index="2" ref="contextSource" />
 		<property name="searchSubtree" value="${auth.ldap.search.subtree}" />
 	</bean>
-
+	
 </beans>
diff --git a/...mpl/src/test/java/com/evolveum/midpoint/certification/test/AbstractCertificationTest.java b/...mpl/src/test/java/com/evolveum/midpoint/certification/test/AbstractCertificationTest.java
@@ -185,17 +185,13 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
 					"looks like the previous test haven't cleaned it up", e);
 		}
 
-		repoAddObjectsFromFile(ORGS_AND_USERS_FILE, RoleType.class, initResult);
-		repoAddObjectFromFile(USER_BOB_FILE, UserType.class, initResult);
-		repoAddObjectFromFile(USER_BOB_DEPUTY_FULL_FILE, UserType.class, initResult);
-		repoAddObjectFromFile(USER_BOB_DEPUTY_NO_ASSIGNMENTS_FILE, UserType.class, initResult);
-		repoAddObjectFromFile(USER_BOB_DEPUTY_NO_PRIVILEGES_FILE, UserType.class, initResult);
-		repoAddObjectFromFile(USER_ADMINISTRATOR_DEPUTY_NO_ASSIGNMENTS_FILE, UserType.class, initResult);
-		repoAddObjectFromFile(USER_ADMINISTRATOR_DEPUTY_NONE_FILE, UserType.class, initResult);
+		// Administrator
+		roleSuperuser = repoAddObjectFromFile(ROLE_SUPERUSER_FILE, RoleType.class, initResult).asObjectable();
+		userAdministrator = repoAddObjectFromFile(USER_ADMINISTRATOR_FILE, UserType.class, initResult).asObjectable();
+		login(userAdministrator.asPrismObject());
 
 		// roles
 		repoAddObjectFromFile(METAROLE_CXO_FILE, RoleType.class, initResult);
-		roleSuperuser = repoAddObjectFromFile(ROLE_SUPERUSER_FILE, RoleType.class, initResult).asObjectable();
 		roleCeo = repoAddObjectFromFile(ROLE_CEO_FILE, RoleType.class, initResult).asObjectable();
 		roleCoo = repoAddObjectFromFile(ROLE_COO_FILE, RoleType.class, initResult).asObjectable();
 		roleCto = repoAddObjectFromFile(ROLE_CTO_FILE, RoleType.class, initResult).asObjectable();
@@ -204,10 +200,14 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
 
 		repoAddObjectFromFile(ORG_SECURITY_TEAM_FILE, OrgType.class, initResult).asObjectable();
 
-		// Administrator
-		userAdministrator = repoAddObjectFromFile(USER_ADMINISTRATOR_FILE, UserType.class, initResult).asObjectable();
-		login(userAdministrator.asPrismObject());
-
+		repoAddObjectsFromFile(ORGS_AND_USERS_FILE, RoleType.class, initResult);
+		addAndRecompute(USER_BOB_FILE, initTask, initResult);
+		addAndRecompute(USER_BOB_DEPUTY_FULL_FILE, initTask, initResult);
+		addAndRecompute(USER_BOB_DEPUTY_NO_ASSIGNMENTS_FILE, initTask, initResult);
+		addAndRecompute(USER_BOB_DEPUTY_NO_PRIVILEGES_FILE, initTask, initResult);
+		addAndRecompute(USER_ADMINISTRATOR_DEPUTY_NO_ASSIGNMENTS_FILE, initTask, initResult);
+		addAndRecompute(USER_ADMINISTRATOR_DEPUTY_NONE_FILE, initTask, initResult);
+
 		// Users
 		userJack = repoAddObjectFromFile(USER_JACK_FILE, UserType.class, initResult).asObjectable();
 		userElaine = getUser(USER_ELAINE_OID).asObjectable();

diff --git a/...n-impl/src/test/java/com/evolveum/midpoint/certification/test/TestCertificationBasic.java b/...n-impl/src/test/java/com/evolveum/midpoint/certification/test/TestCertificationBasic.java
@@ -176,7 +176,7 @@ public void test006CreateCampaignDeniedBobWrongDeputy() throws Exception {
         }
     }
 
-    @Test(enabled = false)      // https://jira.evolveum.com/browse/MID-3878
+    @Test
     public void test010CreateCampaignAllowedForDeputy() throws Exception {
         final String TEST_NAME = "test010CreateCampaignAllowedForDeputy";
         TestUtil.displayTestTile(this, TEST_NAME);
@@ -204,10 +204,14 @@ public void test010CreateCampaignAllowedForDeputy() throws Exception {
         display("campaign", campaign);
         assertAfterCampaignCreate(campaign, certificationDefinition);
         assertPercentComplete(campaign, 100, 100, 100);      // no cases, no problems
+
+        // delete the campaign to keep other tests working
+        login(userAdministrator.asPrismObject());
+        deleteObject(AccessCertificationCampaignType.class, campaignOid);
     }
 
     @Test
-    public void test010CreateCampaignAllowed() throws Exception {
+    public void test011CreateCampaignAllowed() throws Exception {
         final String TEST_NAME = "test010CreateCampaignAllowed";
         TestUtil.displayTestTile(this, TEST_NAME);
 
@@ -347,7 +351,7 @@ public void test030SearchAllCasesDenied() throws Exception {
     public void test031SearchAllCasesDeniedLimitedDeputy() throws Exception {
         final String TEST_NAME = "test031SearchAllCasesDeniedLimitedDeputy";
         TestUtil.displayTestTile(this, TEST_NAME);
-        login(getUserFromRepo(USER_BOB_DEPUTY_NO_PRIVILEGES_OID));
+        login(getUserFromRepo(USER_BOB_DEPUTY_NO_ASSIGNMENTS_OID));
 
         searchWithNoCasesExpected(TEST_NAME);
     }

diff --git a/...ertification-impl/src/test/resources/common/role-eroot-user-assignment-campaign-owner.xml b/...ertification-impl/src/test/resources/common/role-eroot-user-assignment-campaign-owner.xml
@@ -50,4 +50,5 @@
             <type>UserType</type>
         </object>
     </authorization>
+    <delegable>true</delegable>
 </role>
diff --git a/...in/java/com/evolveum/midpoint/model/impl/security/MidPointLdapAuthenticationProvider.java b/...in/java/com/evolveum/midpoint/model/impl/security/MidPointLdapAuthenticationProvider.java
@@ -0,0 +1,65 @@
+package com.evolveum.midpoint.model.impl.security;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.ldap.core.DirContextOperations;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
+import org.springframework.security.ldap.authentication.LdapAuthenticator;
+
+import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.security.api.ConnectionEnvironment;
+import com.evolveum.midpoint.security.api.MidPointPrincipal;
+import com.evolveum.midpoint.util.logging.Trace;
+import com.evolveum.midpoint.util.logging.TraceManager;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
+
+public class MidPointLdapAuthenticationProvider extends LdapAuthenticationProvider{
+
+	private static final Trace LOGGER = TraceManager.getTrace(MidPointLdapAuthenticationProvider.class);
+
+	@Autowired private SecurityHelper securityHelper;
+
+	public MidPointLdapAuthenticationProvider(LdapAuthenticator authenticator) {
+		super(authenticator);
+	}
+
+
+	@Override
+	protected DirContextOperations doAuthentication(UsernamePasswordAuthenticationToken authentication) {
+
+		try {
+		return super.doAuthentication(authentication);
+		} catch (RuntimeException e) {
+			LOGGER.error("Failed to authenticate user {}. Error: {}", authentication.getName(), e.getMessage(), e);
+			securityHelper.auditLoginFailure(authentication.getName(), null, ConnectionEnvironment.create(SchemaConstants.CHANNEL_GUI_USER_URI), "bad credentials");
+			throw e;
+		}
+	}
+
+
+	@Override
+	protected Authentication createSuccessfulAuthentication(UsernamePasswordAuthenticationToken authentication,
+			UserDetails user) {
+		Authentication authNCtx = super.createSuccessfulAuthentication(authentication, user);
+
+		Object principal = authNCtx.getPrincipal();
+		if (!(principal instanceof MidPointPrincipal)) {
+			throw new BadCredentialsException("LdapAuthentication.incorrect.value");
+		}
+		MidPointPrincipal midPointPrincipal = (MidPointPrincipal) principal;
+		UserType userType = midPointPrincipal.getUser();
+
+		if (userType == null) {
+			throw new BadCredentialsException("LdapAuthentication.bad.user");
+		}
+
+		securityHelper.auditLoginSuccess(userType, ConnectionEnvironment.create(SchemaConstants.CHANNEL_GUI_USER_URI));
+		return authNCtx;
+	}
+
+
+
+}
diff --git a/.../test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java b/.../test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java
@@ -18,6 +18,7 @@
 import static com.evolveum.midpoint.test.IntegrationTestTools.display;
 import static org.testng.AssertJUnit.assertNotNull;
 
+import com.evolveum.midpoint.model.api.context.EvaluatedAssignmentTarget;
 import com.evolveum.midpoint.model.test.AbstractModelIntegrationTest;
 import com.evolveum.midpoint.prism.PrismContainer;
 import com.evolveum.midpoint.prism.PrismObject;
@@ -50,6 +51,7 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
 
+import org.testng.AssertJUnit;
 import org.testng.IHookCallBack;
 import org.testng.ITestResult;
 import org.testng.annotations.AfterClass;
@@ -77,6 +79,8 @@ public class AbstractConfiguredModelIntegrationTest extends AbstractModelIntegra
 	public static final File SYSTEM_CONFIGURATION_FILE = new File(COMMON_DIR, "system-configuration.xml");
 	public static final String SYSTEM_CONFIGURATION_OID = SystemObjectsType.SYSTEM_CONFIGURATION.value();
 
+	protected static final int NUMBER_OF_GLOBAL_POLICY_RULES = 3;
+
 	public static final File USER_ADMINISTRATOR_FILE = new File(COMMON_DIR, "user-administrator.xml");
 	protected static final String USER_ADMINISTRATOR_OID = "00000000-0000-0000-0000-000000000002";
 	protected static final String USER_ADMINISTRATOR_USERNAME = "administrator";
@@ -651,4 +655,14 @@ protected void clearUserOrgAndRoleRefs(String userOid) throws ObjectNotFoundExce
         PrismObject<UserType> userBefore = getUser(userOid);
         display("User before", userBefore);
 	}
+
+	protected void assertEvaluatedRole(Collection<? extends EvaluatedAssignmentTarget> evaluatedRoles,
+			String expectedRoleOid) {
+		for (EvaluatedAssignmentTarget evalRole: evaluatedRoles) {
+			if (expectedRoleOid.equals(evalRole.getTarget().getOid())) {
+				return;
+			}
+		}
+		AssertJUnit.fail("Role "+expectedRoleOid+" no present in evaluated roles "+evaluatedRoles);
+	}
 }
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/rbac/TestRbac.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/rbac/TestRbac.java
@@ -755,16 +755,6 @@ public void test135PreviewChangesEmptyDelta() throws Exception {
         assertEvaluatedRole(evaluatedRoles, ROLE_PIRATE_OID);
 
 	}
-
-	private void assertEvaluatedRole(Collection<? extends EvaluatedAssignmentTarget> evaluatedRoles,
-			String expectedRoleOid) {
-		for (EvaluatedAssignmentTarget evalRole: evaluatedRoles) {
-			if (expectedRoleOid.equals(evalRole.getTarget().getOid())) {
-				return;
-			}
-		}
-		AssertJUnit.fail("Role "+expectedRoleOid+" no present in evaluated roles "+evaluatedRoles);
-	}
 
 	@Test
     public void test136JackUnAssignRoleAdriaticPirate() throws Exception {