Merge branch 'master' of https://github.com/Evolveum/midpoint

infra/common/src/main/java/com/evolveum/midpoint/common/crypto/CryptoUtil.java

@@ -200,7 +200,7 @@ private static void checkEncrypted(PrismPropertyValue<?> pval) {
 		    @SuppressWarnings("unchecked")
 		    PrismPropertyValue<ProtectedStringType> psPval = (PrismPropertyValue<ProtectedStringType>)pval;
             ProtectedStringType ps = psPval.getValue();
-            if (ps.getClearValue() != null) {
+            if (ps != null && ps.getClearValue() != null) {
                 throw new IllegalStateException("Unencrypted value in field " + propName);
             }
         } else if (itemDef.getTypeName().equals(MailConfigurationType.COMPLEX_TYPE)) {

infra/test-util/src/main/java/com/evolveum/midpoint/test/util/MidPointAsserts.java

@@ -113,6 +113,21 @@ public static <F extends FocusType> void assertNotAssigned(PrismObject<F> user,
 			}
 		}
 	}
+
+	public static <F extends FocusType> void assertNotAssigned(PrismObject<F> user, String targetOid, QName refType, QName relation) {
+		F userType = user.asObjectable();
+		for (AssignmentType assignmentType: userType.getAssignment()) {
+			ObjectReferenceType targetRef = assignmentType.getTargetRef();
+			if (targetRef != null) {
+				if (QNameUtil.match(refType, targetRef.getType())) {
+					if (targetOid.equals(targetRef.getOid()) &&
+							getPrismContext().relationMatches(targetRef.getRelation(), relation)) {
+						AssertJUnit.fail(user + " does have assigned "+refType.getLocalPart()+" "+targetOid+", relation "+relation+"while not expecting it");
+					}
+				}
+			}
+		}
+	}
 
 	public static <F extends AssignmentHolderType> void assertAssignments(PrismObject<F> user, int expectedNumber) {
 		F userType = user.asObjectable();

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ExtensionSchemaRestService.java

@@ -102,9 +102,9 @@ public Response getSchema(@PathParam("name") String name) {
                     .entity("Name not defined").build();
         }
 
-        if (!name.toLowerCase().endsWith("\\.xsd")) {
+        if (!name.toLowerCase().endsWith(".xsd") && name.length() > 4) {
             return Response.status(Response.Status.BAD_REQUEST).type(MediaType.TEXT_PLAIN_TYPE)
-                    .entity("Name must be and xsd schema (.xsd extension expected)").build();
+                    .entity("Name must be an xsd schema (.xsd extension expected)").build();
         }
 
         SchemaRegistry registry = prismContext.getSchemaRegistry();

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.java

@@ -1132,22 +1132,28 @@ private <O extends ObjectType> ValuePolicyType getValuePolicy(PrismObject<O> obj
 		CredentialsPolicyType policy = null;
 		PrismObject<UserType> user = null;
 		if (object != null && object.getCompileTimeClass().isAssignableFrom(UserType.class)) {
+			LOGGER.trace("Start to resolve policy for user");
 			user = (PrismObject<UserType>) object;
 			policy = getCredentialsPolicy(user, task, parentResult);
+			LOGGER.trace("Resolved user policy: {}", policy);
 		}
+
+
 
 		SystemConfigurationType systemConfigurationType = getSystemConfiguration(parentResult);
 		if (!containsValuePolicyDefinition(policy)) {
 			SecurityPolicyType securityPolicy = securityHelper.locateGlobalSecurityPolicy(user, systemConfigurationType.asPrismObject(), task, parentResult);
 			if (securityPolicy != null) {
 				policy = securityPolicy.getCredentials();
+				LOGGER.trace("Resolved policy from global security policy: {}", policy);
 			}
 		}
 
 		if (!containsValuePolicyDefinition(policy)) {
 			SecurityPolicyType securityPolicy = securityHelper.locateGlobalPasswordPolicy(systemConfigurationType, task, parentResult);
 			if (securityPolicy != null) {
 				policy = securityPolicy.getCredentials();
+				LOGGER.trace("Resolved global password policy: {}", policy);
 			}
 		}
 
@@ -1278,15 +1284,34 @@ private <T, O extends ObjectType> boolean validateValue(PrismObject<O> object, V
 			evaluator.setOriginResolver(getOriginResolver(object));
 			evaluator.setTask(task);
 			evaluator.setShortDesc(" rest validate ");
-			if (object != null && path != null && path.isSuperPathOrEquivalent(SchemaConstants.PATH_PASSWORD)) {
-				evaluator.setSecurityPolicy(getSecurityPolicy((PrismObject<UserType>) object, task, parentResult));
-				PrismContainer<PasswordType> password = object.findContainer(SchemaConstants.PATH_PASSWORD);
-				PasswordType passwordType = null;
-				if (password != null) {
-					PrismContainerValue<PasswordType> passwordPcv = password.getValue();
-					passwordType = passwordPcv != null ? passwordPcv.asContainerable() : null;
+			if (object != null && path != null) {
+				if (path.isSuperPathOrEquivalent(SchemaConstants.PATH_PASSWORD)) {
+
+					evaluator.setSecurityPolicy(getSecurityPolicy((PrismObject<UserType>) object, task, parentResult));
+					PrismContainer<PasswordType> password = object.findContainer(SchemaConstants.PATH_PASSWORD);
+					PasswordType passwordType = null;
+					if (password != null) {
+						PrismContainerValue<PasswordType> passwordPcv = password.getValue();
+						passwordType = passwordPcv != null ? passwordPcv.asContainerable() : null;
+					}
+					evaluator.setOldCredentialType(passwordType);
+				} else if (path.isSuperPathOrEquivalent(SchemaConstants.PATH_SECURITY_QUESTIONS)) {
+						LOGGER.trace("Setting security questions related policy.");
+						SecurityPolicyType securityPolicy = getSecurityPolicy((PrismObject<UserType>) object, task, parentResult);
+						evaluator.setSecurityPolicy(securityPolicy);
+						PrismContainer<SecurityQuestionsCredentialsType> securityQuestionsContainer = object.findContainer(SchemaConstants.PATH_SECURITY_QUESTIONS);
+						SecurityQuestionsCredentialsType securityQuestions = null;
+						if (securityQuestionsContainer != null) {
+							PrismContainerValue<SecurityQuestionsCredentialsType> secQestionPcv = securityQuestionsContainer.getValue();
+							securityQuestions = secQestionPcv != null ? secQestionPcv.asContainerable() : null;
+						}
+						//evaluator.setOldCredentialType(securityQuestions);
+
+						ValuePolicyType valuePolicy = resolveSecurityQuestionsPolicy(securityPolicy, task, parentResult);
+						if (valuePolicy != null) {
+							evaluator.setValuePolicy(valuePolicy);
+						}
 				}
-				evaluator.setOldCredentialType(passwordType);
 			}
 			evaluator.setNow(clock.currentTimeXMLGregorianCalendar());
 			LOGGER.trace("Validating value started");
@@ -1310,6 +1335,39 @@ private <T, O extends ObjectType> boolean validateValue(PrismObject<O> object, V
 
 	}
 
+	/**
+	 * @param securityPolicy
+	 * @return
+	 * @throws ExpressionEvaluationException 
+	 * @throws SecurityViolationException 
+	 * @throws ConfigurationException 
+	 * @throws CommunicationException 
+	 * @throws SchemaException 
+	 * @throws ObjectNotFoundException 
+	 */
+	private ValuePolicyType resolveSecurityQuestionsPolicy(SecurityPolicyType securityPolicy, Task task, OperationResult result) throws ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
+		if (securityPolicy == null) {
+			return null;
+		}
+
+		CredentialsPolicyType credentialsPolicy  = securityPolicy.getCredentials();
+		if (credentialsPolicy == null) {
+			return null;
+		}
+
+		SecurityQuestionsCredentialsPolicyType securityQuestionsPolicy = credentialsPolicy.getSecurityQuestions();
+		if (securityQuestionsPolicy == null) {
+			return null;
+		}
+
+		ObjectReferenceType policyRef = securityQuestionsPolicy.getValuePolicyRef();
+		if (policyRef == null) {
+			return null;
+		}
+
+		return objectResolver.resolve(policyRef, ValuePolicyType.class, null, " resolve value policy for security questions", task, result);
+	}
+
 	private <O extends ObjectType> AbstractValuePolicyOriginResolver<O> getOriginResolver(PrismObject<O> object) {
 		if (object != null && UserType.class.equals(object.getCompileTimeClass())) {
 			return (AbstractValuePolicyOriginResolver) new UserValuePolicyOriginResolver((PrismObject<UserType>) object, objectResolver);

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/actions/UnassignExecutor.java

@@ -25,7 +25,10 @@
 import com.evolveum.midpoint.prism.PrismObjectValue;
 import com.evolveum.midpoint.prism.PrismValue;
 import com.evolveum.midpoint.prism.delta.ObjectDelta;
+import com.evolveum.midpoint.prism.path.ItemPath;
+import com.evolveum.midpoint.schema.constants.RelationTypes;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.util.QNameUtil;
 import com.evolveum.midpoint.util.exception.CommonException;
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.util.logging.Trace;
@@ -37,7 +40,12 @@
 import org.springframework.stereotype.Component;
 
 import javax.annotation.PostConstruct;
+import javax.xml.namespace.QName;
+
+import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
 
 /**
  *
@@ -129,8 +137,55 @@ public PipelineData execute(ActionExpressionType expression, PipelineData input,
         return input;           // TODO updated objects?
     }
 
-    private ObjectDelta<? extends ObjectType> createDelta(ObjectType object, Collection<ObjectReferenceType> resources, Collection<ObjectReferenceType> roles, Collection<String> relations) throws ScriptExecutionException {
-		// TODO implement delta creation
-        return null;
+    private ObjectDelta<? extends ObjectType> createDelta(AssignmentHolderType object, Collection<ObjectReferenceType> resources, Collection<ObjectReferenceType> roles, Collection<String> relations) throws ScriptExecutionException {
+    	if (relations == null || relations.isEmpty()) {
+    		QName defaultRelation = prismContext.getDefaultRelation() != null ?
+				    prismContext.getDefaultRelation() : RelationTypes.MEMBER.getRelation();
+    		relations = Collections.singletonList(QNameUtil.qNameToUri(defaultRelation));
+	    }
+    	List<AssignmentType> assignmentsForDelete = new ArrayList<>();
+
+    	List<AssignmentType> oldAssignments = object.getAssignment();
+	    for (AssignmentType oldAssignment : oldAssignments) {
+		    ObjectReferenceType targetRef = oldAssignment.getTargetRef();
+		    if (targetRef != null) {
+			    if (roles != null) {
+				    outerloop:
+				    for (ObjectReferenceType roleRef : roles) {
+					    if (targetRef.getOid() != null && targetRef.getOid().equals(roleRef.getOid())) {
+						    for (String relationQuery : relations) {
+							    if (prismContext.relationMatches(QNameUtil.uriToQName(relationQuery, true), targetRef.getRelation())) {
+								    assignmentsForDelete.add(oldAssignment.clone());
+								    break outerloop;
+							    }
+						    }
+					    }
+				    }
+			    }
+		    } else if (oldAssignment.getConstruction() != null) {
+			    if (resources != null) {
+				    for (ObjectReferenceType resourceRef : resources) {
+					    if (oldAssignment.getConstruction().getResourceRef() != null &&
+							    oldAssignment.getConstruction().getResourceRef().getOid() != null &&
+							    oldAssignment.getConstruction().getResourceRef().getOid().equals(resourceRef.getOid())) {
+						    assignmentsForDelete.add(oldAssignment.clone());
+						    break;
+					    }
+				    }
+			    }
+		    }
+	    }
+
+    	ObjectDelta<? extends ObjectType> delta;
+
+        try {
+        	delta = prismContext.deltaFor(object.getClass())
+			        .item(ItemPath.create(AssignmentHolderType.F_ASSIGNMENT))
+        	    	.deleteRealValues(assignmentsForDelete)
+			        .asObjectDelta(object.getOid());
+        } catch (SchemaException e) {
+            throw new ScriptExecutionException("Couldn't prepare modification to delete resource/role assignments", e);
+        }
+        return delta;
     }
 }

model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java

@@ -322,6 +322,9 @@ public class AbstractConfiguredModelIntegrationTest extends AbstractModelIntegra
 	protected static final String USER_GUYBRUSH_GIVEN_NAME = "Guybrush";
 	protected static final String USER_GUYBRUSH_FAMILY_NAME = "Threepwood";
 	protected static final String USER_GUYBRUSH_LOCALITY = "Melee Island";
+
+	public static final File USER_WILL_FILE = new File(COMMON_DIR, "user-will.xml");
+	public static final String USER_WILL_OID = "c0c010c0-d34d-b33f-f00d-111111145118";
 
 	// Largo does not have a full name set, employeeType=PIRATE
 	protected static final File USER_LARGO_FILE = new File(COMMON_DIR, "user-largo.xml");

model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractInitializedModelIntegrationTest.java

@@ -82,6 +82,7 @@ public class AbstractInitializedModelIntegrationTest extends AbstractConfiguredM
 	protected UserType userTypeBarbossa;
 	protected UserType userTypeGuybrush;
 	protected UserType userTypeElaine;
+	protected UserType userTypeWill;
 
 	protected DummyResourceContoller dummyResourceCtl;
 
@@ -230,6 +231,7 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
 		userTypeBarbossa = repoAddObjectFromFile(USER_BARBOSSA_FILE, UserType.class, initResult).asObjectable();
 		userTypeGuybrush = repoAddObjectFromFile(USER_GUYBRUSH_FILE, UserType.class, initResult).asObjectable();
 		userTypeElaine = repoAddObjectFromFile(USER_ELAINE_FILE, UserType.class, initResult).asObjectable();
+		userTypeWill = repoAddObjectFromFile(USER_WILL_FILE, UserType.class, true, initResult).asObjectable();
 
 		// Roles
 		repoAddObjectFromFile(ROLE_PIRATE_FILE, initResult);