fix of additional authorization for registration flow

model/authentication-api/src/main/java/com/evolveum/midpoint/authentication/api/AuthenticationChannel.java

@@ -9,6 +9,8 @@
 import com.evolveum.midpoint.security.api.Authorization;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationSequenceType;
 
+import org.jetbrains.annotations.Nullable;
+
 /**
  * Wrapper for define channel of authentication, channel define scope of authentication etc. rest, gui, reset password ...
  *
@@ -45,5 +47,7 @@ public interface AuthenticationChannel {
 
     boolean isPostAuthenticationEnabled();
 
-    boolean isAllowedAuthorization(Authorization autz);
+    @Nullable Authorization resolveAuthorization(Authorization autz);
+
+    @Nullable Authorization getAdditionalAuthority();
 }

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/channel/ActuatorAuthenticationChannel.java

@@ -35,14 +35,16 @@ public boolean isSupportGuiConfigByChannel() {
     }
 
     @Override
-    public boolean isAllowedAuthorization(Authorization autz) {
-        for (String action : autz.getAction()) {
-            if (action.startsWith(AuthorizationConstants.NS_AUTHORIZATION_ACTUATOR)
-                    || action.equals(AuthorizationConstants.AUTZ_ALL_URL)
-                    || action.equals(AuthorizationConstants.NS_AUTHORIZATION_UI)) {
-                return true;
-            }
+    public Authorization resolveAuthorization(Authorization autz) {
+        if (autz == null) {
+            return null;
         }
-        return false;
+
+        Authorization retAutz = autz.clone();
+        retAutz.getAction().removeIf(action ->
+                !action.startsWith(AuthorizationConstants.NS_AUTHORIZATION_ACTUATOR)
+                        && !action.equals(AuthorizationConstants.AUTZ_ALL_URL)
+                        && !action.equals(AuthorizationConstants.NS_AUTHORIZATION_UI));
+        return retAutz;
     }
 }

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/channel/AuthenticationChannelImpl.java

@@ -88,8 +88,8 @@ public boolean isDefault() {
         return Boolean.TRUE.equals(this.channel.isDefault());
     }
 
-    protected Collection<String> getAdditionalAuthoritiesList() {
-        return Collections.emptyList();
+    public Authorization getAdditionalAuthority() {
+        return null;
     }
 
     @Override
@@ -122,7 +122,7 @@ public boolean isPostAuthenticationEnabled() {
     }
 
     @Override
-    public boolean isAllowedAuthorization(Authorization autz) {
-        return true;
+    public Authorization resolveAuthorization(Authorization autz) {
+        return autz;
     }
 }

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/channel/GuiAuthenticationChannel.java

@@ -6,9 +6,6 @@
  */
 package com.evolveum.midpoint.authentication.impl.channel;
 
-import java.util.Collection;
-import java.util.Collections;
-
 import com.evolveum.midpoint.model.api.ModelInteractionService;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.authentication.api.util.AuthUtil;
@@ -51,10 +48,10 @@ public boolean isPostAuthenticationEnabled() {
     }
 
     @Override
-    protected Collection<String> getAdditionalAuthoritiesList() {
+    public Authorization getAdditionalAuthority() {
         if (isPostAuthenticationEnabled()) {
-            return Collections.singletonList(AuthorizationConstants.AUTZ_UI_SELF_POST_AUTHENTICATION_URL);
+            return new Authorization(new AuthorizationType().action(AuthorizationConstants.AUTZ_UI_SELF_POST_AUTHENTICATION_URL));
         }
-        return super.getAdditionalAuthoritiesList();
+        return super.getAdditionalAuthority();
     }
 }

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/channel/IdentityRecoveryAuthenticationChannel.java

@@ -59,10 +59,4 @@ public String getChannelId() {
     public String getPathAfterSuccessfulAuthentication() {
         return "/identityRecovery";
     }
-
-//    @Override
-//    protected Collection<String> getAdditionalAuthoritiesList() {
-//        return Collections.singletonList(AuthorizationConstants.AUTZ_UI_IDENTITY_RECOVERY_URL);
-//    }
-
 }

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/channel/InvitationAuthenticationChannel.java

@@ -7,8 +7,10 @@
 package com.evolveum.midpoint.authentication.impl.channel;
 
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.security.api.Authorization;
 import com.evolveum.midpoint.security.api.AuthorizationConstants;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationSequenceChannelType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationType;
 
 import java.util.Collection;
 import java.util.Collections;
@@ -51,7 +53,7 @@ public String getPathDuringProccessing() {
     }
 
     @Override
-    protected Collection<String> getAdditionalAuthoritiesList() {
-        return Collections.singletonList(AuthorizationConstants.AUTZ_UI_INVITATION_URL);
+    public Authorization getAdditionalAuthority() {
+        return new Authorization(new AuthorizationType().action(AuthorizationConstants.AUTZ_UI_INVITATION_URL));
     }
 }

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/channel/ResetPasswordAuthenticationChannel.java

@@ -34,23 +34,14 @@ public String getPathAfterSuccessfulAuthentication() {
     }
 
     @Override
-    public boolean isAllowedAuthorization(Authorization autz) {
+    public Authorization resolveAuthorization(Authorization autz) {
         if (autz == null) {
-            return false;
+            return null;
         }
-        if (autz.getAction().contains(AuthorizationConstants.AUTZ_UI_RESET_PASSWORD_URL)) {
-            return true;
-        }
-
-        if(!autz.getAction().stream().anyMatch(action -> action.contains(AuthorizationConstants.NS_AUTHORIZATION_UI))) {
-            return true;
-        }
-
-        return false;
-    }
-
-    @Override
-    protected Collection<String> getAdditionalAuthoritiesList() {
-        return Collections.singletonList(AuthorizationConstants.AUTZ_UI_RESET_PASSWORD_URL);
+        Authorization retAutz = autz.clone();
+        retAutz.getAction().removeIf(action ->
+                action != AuthorizationConstants.AUTZ_UI_RESET_PASSWORD_URL
+                        && action.contains(AuthorizationConstants.NS_AUTHORIZATION_UI));
+        return retAutz;
     }
 }

model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/channel/SelfRegistrationAuthenticationChannel.java

@@ -10,8 +10,10 @@
 import java.util.Collections;
 
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.security.api.Authorization;
 import com.evolveum.midpoint.security.api.AuthorizationConstants;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationSequenceChannelType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationType;
 
 /**
  * @author skublik
@@ -46,7 +48,7 @@ public boolean isSupportActivationByChannel() {
     }
 
     @Override
-    protected Collection<String> getAdditionalAuthoritiesList() {
-        return Collections.singletonList(AuthorizationConstants.AUTZ_UI_SELF_REGISTRATION_FINISH_URL);
+    public Authorization getAdditionalAuthority() {
+        return new Authorization(new AuthorizationType().action(AuthorizationConstants.AUTZ_UI_SELF_REGISTRATION_FINISH_URL));
     }
 }

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/GuiProfileCompiler.java

@@ -159,6 +159,13 @@ private void collect(
         MidpointAuthentication auth = AuthUtil.getMidpointAuthenticationNotRequired();
         AuthenticationChannel channel = auth != null ? auth.getAuthenticationChannel() : null;
 
+        if(channel != null) {
+            @Nullable Authorization additionalAuth = channel.getAdditionalAuthority();
+            if (additionalAuth != null) {
+                addAuthorizationToPrincipal(principal, additionalAuth, authorizationTransformer);
+            }
+        }
+
         for (EvaluatedAssignment assignment : evaluatedAssignments) {
             if (assignment.isValid()) {
                 if (options.isCompileGuiAdminConfiguration()) {
@@ -200,16 +207,25 @@ private void addAuthorizations(
             @NotNull Collection<Authorization> sourceCollection,
             @Nullable AuthorizationTransformer authorizationTransformer) {
         for (Authorization autz : sourceCollection) {
-            if (channel != null && !channel.isAllowedAuthorization(autz)) {
-                continue;
-            }
-            if (authorizationTransformer == null) {
-                principal.addAuthorization(autz.clone());
-            } else {
-                for (Authorization transformedAutz : emptyIfNull(authorizationTransformer.transform(autz))) {
-                    principal.addAuthorization(transformedAutz);
+            Authorization resolvedAutz = autz;
+            if (channel != null) {
+                resolvedAutz = channel.resolveAuthorization(autz);
+                if (resolvedAutz == null) {
+                    continue;
                 }
             }
+            addAuthorizationToPrincipal(principal, resolvedAutz, authorizationTransformer);
+        }
+    }
+
+    private void addAuthorizationToPrincipal(
+            MidPointPrincipal principal, Authorization autz, AuthorizationTransformer authorizationTransformer) {
+        if (authorizationTransformer == null) {
+            principal.addAuthorization(autz.clone());
+        } else {
+            for (Authorization transformedAutz : emptyIfNull(authorizationTransformer.transform(autz))) {
+                principal.addAuthorization(transformedAutz);
+            }
         }
     }