Fixing assignments and authorizations (MID-2437). Also fixing conditi…

…onal role authorization test.
Evolveum · Jul 14, 2015 · 253e17b · 253e17b
1 parent 65f6579
commit 253e17b
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 7 deletions.
diff --git a/...l/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentEvaluator.java b/...l/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentEvaluator.java
@@ -529,9 +529,11 @@ private boolean evaluateAbstractRole(EvaluatedAssignmentImpl<F> assignment, Assi
 			evaluateAssignment(assignment, roleAssignmentPathSegment, evaluateOld, mode, roleType, subSourceDescription, assignmentPath, task, result);
 		}
 
-		for(AuthorizationType authorizationType: roleType.getAuthorization()) {
-			Authorization authorization = createAuthorization(authorizationType, roleType.toString());
-			assignment.addAuthorization(authorization);
+		if (evaluationOrder == 1) {
+			for(AuthorizationType authorizationType: roleType.getAuthorization()) {
+				Authorization authorization = createAuthorization(authorizationType, roleType.toString());
+				assignment.addAuthorization(authorization);
+			}
 		}
 
 		return mode != PlusMinusZero.MINUS;

diff --git a/.../test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java b/.../test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java
@@ -377,6 +377,10 @@ public class AbstractConfiguredModelIntegrationTest extends AbstractModelIntegra
 	protected static final String AUTZ_PUNISH_URL = QNameUtil.qNameToUri(AUTZ_PUNISH_QNAME);
 	protected static final QName AUTZ_CAPSIZE_QNAME = new QName(NS_TEST_AUTZ, "capsize");
 	protected static final String AUTZ_CAPSIZE_URL = QNameUtil.qNameToUri(AUTZ_CAPSIZE_QNAME);
+	protected static final QName AUTZ_SUPERSPECIAL_QNAME = new QName(NS_TEST_AUTZ, "superspecial");
+	protected static final String AUTZ_SUPERSPECIAL_URL = QNameUtil.qNameToUri(AUTZ_SUPERSPECIAL_QNAME);
+	protected static final QName AUTZ_NONSENSE_QNAME = new QName(NS_TEST_AUTZ, "nonsense");
+	protected static final String AUTZ_NONSENSE_URL = QNameUtil.qNameToUri(AUTZ_NONSENSE_QNAME);
 
 	private static final Trace LOGGER = TraceManager.getTrace(AbstractConfiguredModelIntegrationTest.class);
 

diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java
@@ -200,6 +200,9 @@ public class TestSecurity extends AbstractInitializedModelIntegrationTest {
 	protected static final File ROLE_CONDITIONAL_FILE = new File(TEST_DIR, "role-conditional.xml");
 	protected static final String ROLE_CONDITIONAL_OID = "00000000-0000-0000-0000-00000000aac1";
 
+	protected static final File ROLE_META_NONSENSE_FILE = new File(TEST_DIR, "role-meta-nonsense.xml");
+	protected static final String ROLE_META_NONSENSE_OID = "602f72b8-2a11-11e5-8dd9-001e8c717e5b";
+
 	protected static final File ROLE_BASIC_FILE = new File(TEST_DIR, "role-basic.xml");
 	protected static final String ROLE_BASIC_OID = "00000000-0000-0000-0000-00000000aad1";
 
@@ -240,6 +243,7 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
 		repoAddObjectFromFile(ROLE_BUSINESS_1_FILE, RoleType.class, initResult);
 
 		repoAddObjectFromFile(ROLE_CONDITIONAL_FILE, RoleType.class, initResult);
+		repoAddObjectFromFile(ROLE_META_NONSENSE_FILE, RoleType.class, initResult);
 		repoAddObjectFromFile(ROLE_BASIC_FILE, RoleType.class, initResult);
 
 		repoAddObjectFromFile(ROLE_END_USER_FILE, RoleType.class, initResult);
@@ -391,6 +395,8 @@ public void test060GuybrushConditionalRoleFalse() throws Exception {
 
         assertNotAuthorized(principal, AUTZ_LOOT_URL);
         assertNotAuthorized(principal, AUTZ_COMMAND_URL);
+        assertNotAuthorized(principal, AUTZ_SUPERSPECIAL_URL);
+        assertNotAuthorized(principal, AUTZ_NONSENSE_URL);
 	}
 
 	@Test
@@ -401,23 +407,26 @@ public void test061GuybrushConditionalRoleTrue() throws Exception {
 
         Task task = taskManager.createTaskInstance(TestRbac.class.getName() + "." + TEST_NAME);
         OperationResult result = task.getResult();
-        modifyUserReplace(USER_GUYBRUSH_OID, UserType.F_EMPLOYEE_TYPE, task, result, "looser");
+        modifyUserReplace(USER_GUYBRUSH_OID, UserType.F_EMPLOYEE_TYPE, task, result, "special");
 
         // WHEN
+        TestUtil.displayWhen(TEST_NAME);
         MidPointPrincipal principal = userProfileService.getPrincipal(USER_GUYBRUSH_USERNAME);
 
         // THEN
+        TestUtil.displayThen(TEST_NAME);
         display("Principal guybrush", principal);
         assertEquals("wrong username", USER_GUYBRUSH_USERNAME, principal.getUsername());
         assertEquals("wrong oid", USER_GUYBRUSH_OID, principal.getOid());
-        assertTrue("Unexpected authorizations", principal.getAuthorities().isEmpty());
         display("User in principal guybrush", principal.getUser().asPrismObject());
 
         principal.getUser().asPrismObject().checkConsistence(true, true);
 
+        assertAuthorized(principal, AUTZ_SUPERSPECIAL_URL);
         assertNotAuthorized(principal, AUTZ_LOOT_URL);
         assertNotAuthorized(principal, AUTZ_COMMAND_URL);
         assertNotAuthorized(principal, AUTZ_CAPSIZE_URL);
+        assertNotAuthorized(principal, AUTZ_NONSENSE_URL);
 	}
 
 	@Test

diff --git a/model/model-intest/src/test/resources/security/role-conditional.xml b/model/model-intest/src/test/resources/security/role-conditional.xml
@@ -1,5 +1,5 @@
 <!--
-  ~ Copyright (c) 2010-2014 Evolveum
+  ~ Copyright (c) 2010-2015 Evolveum
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -18,7 +18,10 @@
         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
         xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance/10000000-0000-0000-0000-000000000004">
-    <name>Conditional</name>    
+    <name>Conditional</name>
+    <assignment> <!-- ASSIGNMENT, not inducement. This should NOT work for authorizations. -->
+    	<targetRef oid="602f72b8-2a11-11e5-8dd9-001e8c717e5b" type="RoleType"/>
+    </assignment>
     <authorization>
     	<action>http://midpoint.evolveum.com/xml/ns/test/authorization#superspecial</action>
     </authorization>

diff --git a/model/model-intest/src/test/resources/security/role-meta-nonsense.xml b/model/model-intest/src/test/resources/security/role-meta-nonsense.xml
@@ -0,0 +1,25 @@
+<!--
+  ~ Copyright (c) 2015 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<role oid="602f72b8-2a11-11e5-8dd9-001e8c717e5b"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance/10000000-0000-0000-0000-000000000004">
+    <name>Nonsense Metarole</name>    
+    <authorization>
+    	<action>http://midpoint.evolveum.com/xml/ns/test/authorization#nonsense</action>
+    </authorization>
+</role>