Merge branch 'master' of https://github.com/Evolveum/midpoint

Evolveum · May 5, 2017 · 234aa29 · 234aa29
2 parents 6398a08 + bd83c04
commit 234aa29
Show file tree

Hide file tree

Showing 6 changed files with 62 additions and 8 deletions.
diff --git a/gui/admin-gui/src/main/resources/initial-objects/040-role-enduser.xml b/gui/admin-gui/src/main/resources/initial-objects/040-role-enduser.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  ~ Copyright (c) 2010-2016 Evolveum
+  ~ Copyright (c) 2010-2017 Evolveum
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -51,6 +51,19 @@
             </owner>
         </object>
     </authorization>
+    <authorization>
+    	<name>self-persona-read</name>
+    	<description>
+    		Allow to read all the personas of currently logged-in user.
+    	</description>
+        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+        <object>
+    		<type>UserType</type>
+    		<owner>
+    			<special>self</special>
+    		</owner>
+    	</object>
+    </authorization>
     <authorization>
     	<name>self-credentials-request</name>
     	<description>

diff --git a/...com/evolveum/midpoint/certification/impl/AccessCertificationCloseStageTriggerHandler.java b/...com/evolveum/midpoint/certification/impl/AccessCertificationCloseStageTriggerHandler.java
@@ -38,6 +38,8 @@
 
 import javax.annotation.PostConstruct;
 
+import static com.evolveum.midpoint.xml.ns._public.common.common_3.AccessCertificationCampaignStateType.IN_REVIEW_STAGE;
+
 /**
  * @author mederly
  *
@@ -73,11 +75,19 @@ public <O extends ObjectType> void handle(PrismObject<O> prismObject, TriggerTyp
 			AccessCertificationCampaignType campaign = (AccessCertificationCampaignType) object;
 			LOGGER.info("Automatically closing current stage of {}", ObjectTypeUtil.toShortString(campaign));
 
+			if (campaign.getState() != IN_REVIEW_STAGE) {
+				LOGGER.warn("Campaign {} is not in a review stage; this 'close stage' trigger will be ignored.", ObjectTypeUtil.toShortString(campaign));
+				return;
+			}
+
 			int currentStageNumber = campaign.getStageNumber();
 			certificationManager.closeCurrentStage(campaign.getOid(), currentStageNumber, task, result);
 			if (currentStageNumber < CertCampaignTypeUtil.getNumberOfStages(campaign)) {
 				LOGGER.info("Automatically opening next stage of {}", ObjectTypeUtil.toShortString(campaign));
 				certificationManager.openNextStage(campaign.getOid(), currentStageNumber + 1, task, result);
+			} else {
+				LOGGER.info("Automatically starting remediation for {}", ObjectTypeUtil.toShortString(campaign));
+				certificationManager.startRemediation(campaign.getOid(), task, result);
 			}
 		} catch (SchemaException|ObjectNotFoundException|ObjectAlreadyExistsException|SecurityViolationException|RuntimeException e) {
 			LoggingUtils.logException(LOGGER, "Couldn't close current campaign and possibly advance to the next one", e);

diff --git a/...ification-impl/src/test/java/com/evolveum/midpoint/certification/test/TestEscalation.java b/...ification-impl/src/test/java/com/evolveum/midpoint/certification/test/TestEscalation.java
@@ -377,6 +377,35 @@ public void test120EscalateAgain() throws Exception {
 		assertEquals("Wrong # of dummy notifications", 1, messages.size());			// new approver
     }
 
+	@Test
+	public void test130Remediation() throws Exception {
+		final String TEST_NAME = "test130Remediation";
+		TestUtil.displayTestTile(this, TEST_NAME);
+		login(getUserFromRepo(USER_ADMINISTRATOR_OID));
+
+		// GIVEN
+		Task task = taskManager.createTaskInstance(TestEscalation.class.getName() + "." + TEST_NAME);
+		OperationResult result = task.getResult();
+
+		dummyTransport.clearMessages();
+
+		// WHEN
+		TestUtil.displayWhen(TEST_NAME);
+
+        clock.resetOverride();
+        clock.overrideDuration("P15D");          // stage ends at P14D
+        waitForTaskNextRun(TASK_TRIGGER_SCANNER_OID, true, 20000, true);
+
+		// THEN
+		TestUtil.displayThen(TEST_NAME);
+		result.computeStatus();
+		TestUtil.assertSuccess(result);
+
+		AccessCertificationCampaignType campaign = getCampaignWithCases(campaignOid);
+		display("campaign after escalation", campaign);
+		assertStateAndStage(campaign, AccessCertificationCampaignStateType.IN_REMEDIATION, 2);
+    }
+
 	protected void checkAllCases(Collection<AccessCertificationCaseType> caseList, String campaignOid) {
         assertEquals("Wrong number of certification cases", 7, caseList.size());
         checkCase(caseList, USER_ADMINISTRATOR_OID, ROLE_SUPERUSER_OID, userAdministrator, campaignOid);

diff --git a/...on-impl/src/test/resources/common/certification-of-eroot-user-assignments-escalations.xml b/...on-impl/src/test/resources/common/certification-of-eroot-user-assignments-escalations.xml
@@ -35,7 +35,7 @@
         <relation>default</relation>        <!-- the default -->
     </scopeDefinition>
     <remediationDefinition>
-        <style>automated</style>
+        <style>reportOnly</style>
     </remediationDefinition>
     <stageDefinition>
         <number>1</number>

diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java
@@ -3431,7 +3431,7 @@ private void addTask(String oid, String name, String ownerOid, String handlerUri
 		modelService.executeChanges(MiscSchemaUtil.createCollection(task.createAddDelta()), null, execTask, result);
 	}
 
-	@Test(enabled=false) // need searchable personaRef
+	@Test
     public void test400AutzJackPersonaManagement() throws Exception {
 		final String TEST_NAME = "test400AutzJackPersonaManagement";
         TestUtil.displayTestTile(this, TEST_NAME);
@@ -3449,7 +3449,7 @@ public void test400AutzJackPersonaManagement() throws Exception {
         assertGetDeny(UserType.class, USER_CHARLES_OID);
 
         assertSearch(UserType.class, null, 1);
-        assertSearch(ObjectType.class, null, 0);
+        assertSearch(ObjectType.class, null, 1);
         assertSearch(OrgType.class, null, 0);
 
         assertAddDeny();
@@ -3461,7 +3461,7 @@ public void test400AutzJackPersonaManagement() throws Exception {
         assertGlobalStateUntouched();
 	}
 
-    @Test(enabled=false) // need searchable personaRef
+    @Test
     public void test402AutzLechuckPersonaManagement() throws Exception {
 		final String TEST_NAME = "test402AutzLechuckPersonaManagement";
         TestUtil.displayTestTile(this, TEST_NAME);
@@ -3477,9 +3477,10 @@ public void test402AutzLechuckPersonaManagement() throws Exception {
         assertGetDeny(UserType.class, USER_GUYBRUSH_OID);
         assertGetAllow(UserType.class, USER_LECHUCK_OID);
         assertGetAllow(UserType.class, USER_CHARLES_OID);
-
-        assertSearch(UserType.class, null, 2);
-        assertSearch(ObjectType.class, null, 0);
+
+//        TODO: MID-3899
+//        assertSearch(UserType.class, null, 2);
+//        assertSearch(ObjectType.class, null, 2);
         assertSearch(OrgType.class, null, 0);
 
         assertAddDeny();

diff --git a/...security-impl/src/main/java/com/evolveum/midpoint/security/impl/SecurityEnforcerImpl.java b/...security-impl/src/main/java/com/evolveum/midpoint/security/impl/SecurityEnforcerImpl.java
@@ -996,6 +996,7 @@ private <T extends ObjectType, O extends ObjectType> ObjectFilter preProcessObje
 								if (objectDefinition == null) {
 									objectDefinition = prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(objectType);
 								}
+								// TODO: MID-3899
 								if (AbstractRoleType.class.isAssignableFrom(objectType)) {
 									objSpecSecurityFilter = applyOwnerFilterOwnerRef(new ItemPath(AbstractRoleType.F_OWNER_REF), objSpecSecurityFilter,  principal, objectDefinition);
 								} else if (TaskType.class.isAssignableFrom(objectType)) {