MID-7534 improved shadow resolving for entitlement shadow modificatio…

…ns (during auditing)

provisioning/provisioning-api/src/main/java/com/evolveum/midpoint/provisioning/api/ProvisioningOperationContext.java

@@ -11,6 +11,7 @@
 
 import com.evolveum.midpoint.schema.expression.ExpressionProfile;
 import com.evolveum.midpoint.task.api.ExpressionEnvironment;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
 
 public class ProvisioningOperationContext {
 
@@ -20,6 +21,22 @@ public class ProvisioningOperationContext {
 
     private ExpressionProfile expressionProfile;
 
+    /**
+     * This reference can be used if shadow is not available when trying to record audit event.
+     * Reference is used mainly when modification of shadow object also invokes modification of different object on target system.
+     * E.g. modification of user group membership (when real modification doesn't happen on user shadow but on group on target system).
+     */
+    private ObjectReferenceType shadowRef;
+
+    public ObjectReferenceType shadowRef() {
+        return shadowRef;
+    }
+
+    public ProvisioningOperationContext shadowRef(ObjectReferenceType shadowRef) {
+        this.shadowRef = shadowRef;
+        return this;
+    }
+
     public String requestIdentifier() {
         return requestIdentifier;
     }

provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/resourceobjects/EntitlementConverter.java

@@ -15,6 +15,7 @@
 import com.evolveum.midpoint.prism.*;
 import com.evolveum.midpoint.prism.path.ItemName;
 import com.evolveum.midpoint.prism.path.ItemPath;
+import com.evolveum.midpoint.provisioning.api.ProvisioningOperationContext;
 import com.evolveum.midpoint.provisioning.impl.ProvisioningContext;
 import com.evolveum.midpoint.provisioning.impl.ResourceObjectDiscriminator;
 import com.evolveum.midpoint.provisioning.impl.ResourceObjectOperations;
@@ -829,6 +830,11 @@ private <TV,TA> ShadowType collectEntitlementAsObjectOperation(
             ConfigurationException, ExpressionEvaluationException {
         ResourceType resource = subjectCtx.getResource();
         ShadowAssociationType associationBean = associationValue.asContainerable();
+        if (subjectCtx.getOperationContext() != null) {
+            ProvisioningOperationContext ctx = subjectCtx.getOperationContext();
+            ctx.shadowRef(associationBean.getShadowRef());
+        }
+
         QName associationName = associationBean.getName();
         if (associationName == null) {
             throw new SchemaException("No name in entitlement association "+associationValue);

provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/resourceobjects/ShadowAuditHelper.java

@@ -72,6 +72,15 @@ public void auditEvent(AuditEventType event, ShadowType shadow, Collection<Opera
 
         AuditEventRecord auditRecord = new AuditEventRecord(event, AuditEventStage.RESOURCE);
         auditRecord.setRequestIdentifier(operationContext.requestIdentifier());
+        if (shadow == null && operationContext.shadowRef() != null) {
+            ObjectReferenceType shadowRef = operationContext.shadowRef();
+            try {
+                shadow = repositoryService.getObject(ShadowType.class, shadowRef.getOid(), null, result).asObjectable();
+            } catch (Exception ex) {
+                // we can ignore this one
+            }
+        }
+
         if (shadow != null) {   // todo if shadow is null check shadow manager to get it by identifier (or something like that), or check EntitlementConverter - it should know shadow oid
             auditRecord.setTargetRef(new ObjectReferenceType()
                     .oid(shadow.getOid())