Merge branch 'support-4.4' of github.com:Evolveum/midpoint into suppo…

…rt-4.4

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/component/MainObjectListPanel.java

@@ -487,7 +487,7 @@ private void deleteConfirmedPerformed(AjaxRequestTarget target, O objectToDelete
             try {
                 Task task = getPageBase().createSimpleTask(OPERATION_DELETE_OBJECT);
 
-                ObjectDelta delta = getPrismContext().deltaFactory().object().create(objectToDelete.getClass(), ChangeType.DELETE);
+                ObjectDelta delta = getPrismContext().deltaFactory().object().create(object.getClass(), ChangeType.DELETE);
                 delta.setOid(object.getOid());
 
                 ExecuteChangeOptionsDto executeOptions = getExecuteOptions();

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/admin/abstractrole/component/FocusApplicablePoliciesPanel.java

@@ -8,6 +8,8 @@
 package com.evolveum.midpoint.gui.impl.page.admin.abstractrole.component;
 
 import com.evolveum.midpoint.gui.api.GuiStyleConstants;
+import com.evolveum.midpoint.gui.api.model.LoadableModel;
+import com.evolveum.midpoint.gui.api.prism.wrapper.PrismObjectWrapper;
 import com.evolveum.midpoint.gui.impl.page.admin.AbstractObjectMainPanel;
 import com.evolveum.midpoint.gui.impl.page.admin.assignmentholder.FocusDetailsModels;
 import com.evolveum.midpoint.web.application.PanelDisplay;
@@ -43,8 +45,9 @@ protected void initLayout() {
         applicablePoliciesContainer.setOutputMarkupId(true);
         add(applicablePoliciesContainer);
 
-        ApplicablePolicyConfigPanel applicablePolicyPanel = new ApplicablePolicyConfigPanel(ID_APPLICABLE_POLICIES_PANEL,
-                PrismContainerWrapperModel.fromContainerWrapper(getObjectWrapperModel(), FocusType.F_ASSIGNMENT));
+        ApplicablePolicyConfigPanel applicablePolicyPanel = new ApplicablePolicyConfigPanel<AR>(ID_APPLICABLE_POLICIES_PANEL,
+                PrismContainerWrapperModel.fromContainerWrapper(getObjectWrapperModel(), FocusType.F_ASSIGNMENT),
+                getObjectWrapperModel());
 
         applicablePoliciesContainer.add(applicablePolicyPanel);
     }

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/admin/org/component/OrgMemberPanel.java

@@ -135,7 +135,7 @@ private Class<? extends AssignmentHolderType> getSearchTypeClass() {
 
     @Override
     protected boolean reloadPageOnRefresh() {
-        return true;
+        return "orgTreeMembers".equals(getStorageKeyTabSuffix());
     }
 
     @Override

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/assignment/ApplicablePolicyConfigPanel.java

@@ -9,6 +9,11 @@
 import java.util.ArrayList;
 import java.util.List;
 
+import com.evolveum.midpoint.gui.api.prism.wrapper.PrismObjectWrapper;
+
+import com.evolveum.midpoint.web.model.PrismContainerWrapperModel;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
+
 import org.apache.wicket.markup.html.list.ListItem;
 import org.apache.wicket.markup.html.list.ListView;
 import org.apache.wicket.model.IModel;
@@ -21,16 +26,11 @@
 import com.evolveum.midpoint.util.logging.LoggingUtils;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
-import com.evolveum.midpoint.web.component.objectdetails.AbstractObjectMainPanel;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ArchetypePolicyType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
 
 /**
  * Created by honchar.
  */
-public class ApplicablePolicyConfigPanel extends BasePanel<PrismContainerWrapper<AssignmentType>>{
+public class ApplicablePolicyConfigPanel<F extends FocusType> extends BasePanel<PrismContainerWrapper<AssignmentType>>{
     private static final long serialVersionUID = 1L;
 
     private static final Trace LOGGER = TraceManager.getTrace(ApplicablePolicyConfigPanel.class);
@@ -41,9 +41,12 @@ public class ApplicablePolicyConfigPanel extends BasePanel<PrismContainerWrapper
     private static final String ID_POLICY_GROUP_PANEL = "policyGroupPanel";
 
     private LoadableModel<List<ObjectReferenceType>> policyGroupsListModel;
+    private LoadableModel<PrismObjectWrapper<F>> abstractRoleModel;
 
-    public ApplicablePolicyConfigPanel(String id, IModel<PrismContainerWrapper<AssignmentType>> model){
+    public ApplicablePolicyConfigPanel(String id, IModel<PrismContainerWrapper<AssignmentType>> model,
+            LoadableModel<PrismObjectWrapper<F>> abstractRoleModel){
         super(id, model);
+        this.abstractRoleModel = abstractRoleModel;
     }
 
     @Override
@@ -62,7 +65,7 @@ protected List<ObjectReferenceType> load() {
                 List<ObjectReferenceType> policyGroupsList = new ArrayList<>();
                 OperationResult result = new OperationResult(OPERATION_LOAD_SYS_CONFIG);
                 try {
-                    ArchetypePolicyType archetypePolicy = getPageBase().getModelInteractionService().determineArchetypePolicy(getMainPanelFocusObject(), result);
+                    ArchetypePolicyType archetypePolicy = getPageBase().getModelInteractionService().determineArchetypePolicy(getAbstractRoleModelObject(), result);
                     if (archetypePolicy == null){
                         return policyGroupsList;
                     } else {
@@ -71,7 +74,7 @@ protected List<ObjectReferenceType> load() {
                         }
                     }
                 } catch (Exception ex){
-                    LoggingUtils.logUnexpectedException(LOGGER, "Cannot retrieve archetype policy for " + getMainPanelFocusObject(), ex);
+                    LoggingUtils.logUnexpectedException(LOGGER, "Cannot retrieve archetype policy for " + getAbstractRoleModelObject(), ex);
                 }
                 return policyGroupsList;
             }
@@ -92,10 +95,9 @@ protected void populateItem(ListItem<ObjectReferenceType> listItem) {
         add(policyGroupsPanel);
     }
 
-    private PrismObject<FocusType> getMainPanelFocusObject(){
-        AbstractObjectMainPanel mainPanel = ApplicablePolicyConfigPanel.this.findParent(AbstractObjectMainPanel.class);
-        if (mainPanel != null){
-            return mainPanel.getObject();
+    private PrismObject<F> getAbstractRoleModelObject(){
+        if (abstractRoleModel != null && abstractRoleModel.getObject() != null){
+            return abstractRoleModel.getObject().getObject();
         }
         return null;
     }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/objectdetails/FocusApplicablePoliciesTabPanel.java

@@ -43,8 +43,9 @@ private void initLayout() {
         applicablePoliciesContainer.setOutputMarkupId(true);
         add(applicablePoliciesContainer);
 
-        ApplicablePolicyConfigPanel applicablePolicyPanel = new ApplicablePolicyConfigPanel(ID_APPLICABLE_POLICIES_PANEL,
-                PrismContainerWrapperModel.fromContainerWrapper(getObjectWrapperModel(), FocusType.F_ASSIGNMENT));
+        ApplicablePolicyConfigPanel applicablePolicyPanel = new ApplicablePolicyConfigPanel<F>(ID_APPLICABLE_POLICIES_PANEL,
+                PrismContainerWrapperModel.fromContainerWrapper(getObjectWrapperModel(), FocusType.F_ASSIGNMENT),
+                getObjectWrapperModel());
 
         applicablePoliciesContainer.add(applicablePolicyPanel);
     }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/module/configuration/SamlModuleWebSecurityConfiguration.java

@@ -173,52 +173,54 @@ private static void createRelyingPartyRegistration(RelyingPartyRegistration.Buil
                     }
                 });
         Saml2X509Credential activeCredential = null;
-        ModuleSaml2SimpleKeyType simpleKeyType = keysType.getActiveSimpleKey();
-        if (simpleKeyType != null) {
-            activeCredential = getSaml2Credential(simpleKeyType, true);
-        }
-        ModuleSaml2KeyStoreKeyType storeKeyType = keysType.getActiveKeyStoreKey();
-        if (storeKeyType != null) {
-            activeCredential = getSaml2Credential(storeKeyType, true);
-        }
+        if (keysType != null) {
+            ModuleSaml2SimpleKeyType simpleKeyType = keysType.getActiveSimpleKey();
+            if (simpleKeyType != null) {
+                activeCredential = getSaml2Credential(simpleKeyType, true);
+            }
+            ModuleSaml2KeyStoreKeyType storeKeyType = keysType.getActiveKeyStoreKey();
+            if (storeKeyType != null) {
+                activeCredential = getSaml2Credential(storeKeyType, true);
+            }
 
-        List<Saml2X509Credential> credentials = new ArrayList<>();
-        if (activeCredential != null) {
-            credentials.add(activeCredential);
-        }
+            List<Saml2X509Credential> credentials = new ArrayList<>();
+            if (activeCredential != null) {
+                credentials.add(activeCredential);
+            }
 
-        if (keysType.getStandBySimpleKey() != null && !keysType.getStandBySimpleKey().isEmpty()) {
-            for (ModuleSaml2SimpleKeyType standByKey : keysType.getStandBySimpleKey()) {
-                Saml2X509Credential credential = getSaml2Credential(standByKey, false);
-                if (credential != null) {
-                    credentials.add(credential);
+            if (keysType.getStandBySimpleKey() != null && !keysType.getStandBySimpleKey().isEmpty()) {
+                for (ModuleSaml2SimpleKeyType standByKey : keysType.getStandBySimpleKey()) {
+                    Saml2X509Credential credential = getSaml2Credential(standByKey, false);
+                    if (credential != null) {
+                        credentials.add(credential);
+                    }
                 }
             }
-        }
-        if (keysType.getStandByKeyStoreKey() != null && !keysType.getStandByKeyStoreKey().isEmpty()) {
-            for (ModuleSaml2KeyStoreKeyType standByKey : keysType.getStandByKeyStoreKey()) {
-                Saml2X509Credential credential = getSaml2Credential(standByKey, false);
-                if (credential != null) {
-                    credentials.add(credential);
+            if (keysType.getStandByKeyStoreKey() != null && !keysType.getStandByKeyStoreKey().isEmpty()) {
+                for (ModuleSaml2KeyStoreKeyType standByKey : keysType.getStandByKeyStoreKey()) {
+                    Saml2X509Credential credential = getSaml2Credential(standByKey, false);
+                    if (credential != null) {
+                        credentials.add(credential);
+                    }
                 }
             }
-        }
 
-        if (!credentials.isEmpty()) {
-            registrationBuilder.decryptionX509Credentials(c -> {
-                credentials.forEach(cred -> {
-                    if (cred.getCredentialTypes().contains(Saml2X509Credential.Saml2X509CredentialType.DECRYPTION)) {
-                        c.add(cred);
-                    }
+            if (!credentials.isEmpty()) {
+                registrationBuilder.decryptionX509Credentials(c -> {
+                    credentials.forEach(cred -> {
+                        if (cred.getCredentialTypes().contains(Saml2X509Credential.Saml2X509CredentialType.DECRYPTION)) {
+                            c.add(cred);
+                        }
+                    });
                 });
-            });
-            registrationBuilder.signingX509Credentials(c -> {
-                credentials.forEach(cred -> {
-                    if (cred.getCredentialTypes().contains(Saml2X509Credential.Saml2X509CredentialType.SIGNING)) {
-                        c.add(cred);
-                    }
+                registrationBuilder.signingX509Credentials(c -> {
+                    credentials.forEach(cred -> {
+                        if (cred.getCredentialTypes().contains(Saml2X509Credential.Saml2X509CredentialType.SIGNING)) {
+                            c.add(cred);
+                        }
+                    });
                 });
-            });
+            }
         }
     }
 

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/AuthenticationEvaluatorImpl.java

@@ -11,12 +11,15 @@
 import javax.xml.datatype.Duration;
 import javax.xml.datatype.XMLGregorianCalendar;
 
+import com.evolveum.midpoint.security.api.Authorization;
+import com.evolveum.midpoint.security.api.ConnectionEnvironment;
+import com.evolveum.midpoint.security.api.MidPointPrincipal;
+import com.evolveum.midpoint.security.api.SecurityUtil;
 import com.evolveum.midpoint.model.api.util.AuthenticationEvaluatorUtil;
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.delta.ItemDelta;
 import com.evolveum.midpoint.prism.delta.ObjectDelta;
 import com.evolveum.midpoint.prism.equivalence.ParameterizedEquivalenceStrategy;
-import com.evolveum.midpoint.security.api.*;
 
 import org.apache.commons.lang.StringUtils;
 import org.jetbrains.annotations.NotNull;
@@ -108,7 +111,6 @@ public UsernamePasswordAuthenticationToken authenticate(ConnectionEnvironment co
             if(AuthenticationEvaluatorUtil.checkRequiredAssignment(focusType.getAssignment(), authnCtx.getRequireAssignments())){
                 recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, null, authnCtx.getPrincipalType(), true);
                 recordPasswordAuthenticationSuccess(principal, connEnv, getCredential(credentials), false);
-                return new UsernamePasswordAuthenticationToken(principal, authnCtx.getEnteredCredential(), principal.getAuthorities());
             } else {
                 recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, "not contains required assignment", authnCtx.getPrincipalType(), false);
                 recordPasswordAuthenticationFailure(principal, connEnv, getCredential(credentials), credentialsPolicy, "not contains required assignment", false);
@@ -119,6 +121,9 @@ public UsernamePasswordAuthenticationToken authenticate(ConnectionEnvironment co
             recordPasswordAuthenticationFailure(principal, connEnv, getCredential(credentials), credentialsPolicy, "password mismatch", false);
             throw new BadCredentialsException("web.security.provider.invalid");
         }
+
+        checkAuthorizations(principal, connEnv, authnCtx);
+        return new UsernamePasswordAuthenticationToken(principal, authnCtx.getEnteredCredential(), principal.getAuthorities());
     }
 
     @Override
@@ -138,13 +143,25 @@ public FocusType checkCredentials(ConnectionEnvironment connEnv, T authnCtx)
         if (checkCredentials(principal, authnCtx, connEnv)) {
             recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, "password mismatch", authnCtx.getPrincipalType(), true);
             recordPasswordAuthenticationSuccess(principal, connEnv, getCredential(credentials), false);
-            return focusType;
         } else {
             recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, "password mismatch", authnCtx.getPrincipalType(), false);
             recordPasswordAuthenticationFailure(principal, connEnv, getCredential(credentials), credentialsPolicy, "password mismatch", false);
 
             throw new BadCredentialsException("web.security.provider.invalid");
         }
+
+        checkAuthorizations(principal, connEnv, authnCtx);
+        return focusType;
+    }
+
+    private void checkAuthorizations(MidPointPrincipal principal, @NotNull ConnectionEnvironment connEnv, AbstractAuthenticationContext authnCtx) {
+        if (supportsAuthzCheck()) {
+            // Authorizations
+            if (!hasAnyAuthorization(principal)) {
+                recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, "no authorizations", authnCtx.getPrincipalType(),false);
+                throw new DisabledException("web.security.provider.access.denied");
+            }
+        }
     }
 
     private boolean checkCredentials(MidPointPrincipal principal, T authnCtx, ConnectionEnvironment connEnv) {
@@ -164,14 +181,6 @@ private boolean checkCredentials(MidPointPrincipal principal, T authnCtx, Connec
             throw new LockedException("web.security.provider.locked");
         }
 
-        if (supportsAuthzCheck()) {
-            // Authorizations
-            if (!hasAnyAuthorization(principal)) {
-                recordAuthenticationBehavior(principal.getUsername(), principal, connEnv, "no authorizations", authnCtx.getPrincipalType(),false);
-                throw new DisabledException("web.security.provider.access.denied");
-            }
-        }
-
         // Password age
         checkPasswordValidityAndAge(connEnv, principal, getCredential(credentials), credentialsPolicy);
 
@@ -220,16 +229,18 @@ public String getAndCheckUserPassword(ConnectionEnvironment connEnv, String user
             throw new LockedException("web.security.provider.locked");
         }
 
+        // Password age
+        checkPasswordValidityAndAge(connEnv, principal, passwordType.getValue(), passwordType.getMetadata(), passwordCredentialsPolicy);
+
+        String password = getPassword(connEnv, principal, passwordType.getValue());
+
         // Authorizations
         if (!hasAnyAuthorization(principal)) {
             recordAuthenticationBehavior(username, null, connEnv, "no authorizations", FocusType.class,false);
             throw new InternalAuthenticationServiceException("web.security.provider.access.denied");
         }
 
-        // Password age
-        checkPasswordValidityAndAge(connEnv, principal, passwordType.getValue(), passwordType.getMetadata(), passwordCredentialsPolicy);
-
-        return getPassword(connEnv, principal, passwordType.getValue());
+        return password;
     }
 
     @Override