Merge branch 'master' of github.com:Evolveum/midpoint

gui/admin-gui/pom.xml

@@ -304,6 +304,11 @@
             <artifactId>security-api</artifactId>
             <version>3.7-SNAPSHOT</version>
         </dependency>
+        <dependency>
+            <groupId>com.evolveum.midpoint.repo</groupId>
+            <artifactId>security-enforcer-api</artifactId>
+            <version>3.7-SNAPSHOT</version>
+        </dependency>
         <dependency>
             <groupId>com.evolveum.midpoint.model</groupId>
             <artifactId>workflow-api</artifactId>
@@ -388,6 +393,12 @@
             <version>3.7-SNAPSHOT</version>
             <scope>runtime</scope>
         </dependency>
+        <dependency>
+            <groupId>com.evolveum.midpoint.repo</groupId>
+            <artifactId>security-enforcer-impl</artifactId>
+            <version>3.7-SNAPSHOT</version>
+            <scope>runtime</scope>
+        </dependency>
         <dependency>
             <groupId>com.evolveum.midpoint.model</groupId>
             <artifactId>model-impl</artifactId>

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/component/MainObjectListPanel.java

@@ -206,8 +206,7 @@ public boolean isVisible(){
 
                     boolean isVisible = false;
                     try {
-                        isVisible = ((PageBase) getPage()).getSecurityEnforcer().isAuthorized(ModelAuthorizationAction.IMPORT_OBJECTS.getUrl(),
-                                null, null, null, null, null)
+                        isVisible = ((PageBase) getPage()).isAuthorized(ModelAuthorizationAction.IMPORT_OBJECTS.getUrl())
                                 && WebComponentUtil.isAuthorized(AuthorizationConstants.AUTZ_UI_CONFIGURATION_ALL_URL,
                                 AuthorizationConstants.AUTZ_UI_CONFIGURATION_IMPORT_URL);
                     } catch (Exception ex){

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/component/TypedAssignablePanel.java

@@ -25,6 +25,7 @@
 import com.evolveum.midpoint.prism.query.ObjectQuery;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.logging.LoggingUtils;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
@@ -247,12 +248,13 @@ protected void onUpdateCheckbox(AjaxRequestTarget target) {
             protected ObjectQuery addFilterToContentQuery(ObjectQuery query) {
                 if (type.equals(RoleType.COMPLEX_TYPE)) {
                     LOGGER.debug("Loading roles which the current user has right to assign");
-                    OperationResult result = new OperationResult(OPERATION_LOAD_ASSIGNABLE_ROLES);
+                    Task task = getPageBase().createSimpleTask(OPERATION_LOAD_ASSIGNABLE_ROLES);
+                    OperationResult result = task.getResult();
                     ObjectFilter filter = null;
                     try {
                         ModelInteractionService mis = parentPage.getModelInteractionService();
                         RoleSelectionSpecification roleSpec =
-                                mis.getAssignableRoleSpecification(SecurityUtils.getPrincipalUser().getUser().asPrismObject(), result);
+                                mis.getAssignableRoleSpecification(SecurityUtils.getPrincipalUser().getUser().asPrismObject(), task, result);
                         filter = roleSpec.getFilter();
                     } catch (Exception ex) {
                         LoggingUtils.logUnexpectedException(LOGGER, "Couldn't load available roles", ex);

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/component/result/OpResult.java

@@ -170,11 +170,11 @@ public void determineBackgroundTaskVisibility(PageBase pageBase) {
 			return;
 		}
 		try {
-			if (pageBase.getSecurityEnforcer().isAuthorized(AuthorizationConstants.AUTZ_ALL_URL, null, null, null, null, null)) {
+			if (pageBase.isAuthorized(AuthorizationConstants.AUTZ_ALL_URL)) {
 				backgroundTaskVisible = true;
 				return;
 			}
-		} catch (SchemaException e) {
+		} catch (SchemaException | ExpressionEvaluationException | ObjectNotFoundException e) {
 			backgroundTaskVisible = false;
 			LoggingUtils.logUnexpectedException(LOGGER, "Couldn't determine background task visibility", e);
 			return;

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/page/PageBase.java

@@ -35,20 +35,29 @@
 import com.evolveum.midpoint.prism.Objectable;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.prism.delta.ObjectDelta;
+import com.evolveum.midpoint.prism.*;
+import com.evolveum.midpoint.prism.delta.PrismValueDeltaSetTriple;
 import com.evolveum.midpoint.prism.match.MatchingRuleRegistry;
 import com.evolveum.midpoint.prism.query.ObjectQuery;
 import com.evolveum.midpoint.prism.query.builder.QueryBuilder;
 import com.evolveum.midpoint.prism.query.builder.S_FilterEntryOrEmpty;
+import com.evolveum.midpoint.repo.common.expression.Expression;
+import com.evolveum.midpoint.repo.common.expression.ExpressionEvaluationContext;
 import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
+import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
 import com.evolveum.midpoint.report.api.ReportManager;
+import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.internals.InternalsConfig;
 import com.evolveum.midpoint.schema.result.OperationConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.ObjectResolver;
 import com.evolveum.midpoint.security.api.AuthorizationConstants;
 import com.evolveum.midpoint.security.api.MidPointPrincipal;
-import com.evolveum.midpoint.security.api.SecurityEnforcer;
+import com.evolveum.midpoint.security.api.OwnerResolver;
+import com.evolveum.midpoint.security.api.SecurityContextManager;
+import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.task.api.TaskCategory;
 import com.evolveum.midpoint.task.api.TaskManager;
@@ -110,6 +119,7 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.lang.Validate;
+import org.apache.poi.ss.formula.functions.T;
 import org.apache.wicket.*;
 import org.apache.wicket.Component;
 import org.apache.wicket.ajax.AbstractDefaultAjaxBehavior;
@@ -259,6 +269,9 @@ public abstract class PageBase extends WebPage implements ModelServiceLocator {
 
     @SpringBean(name = "accessDecisionManager")
     private SecurityEnforcer securityEnforcer;
+
+    @SpringBean
+    private SecurityContextManager securityContextManager;
 
     @SpringBean
     private MidpointFormValidatorRegistry formValidatorRegistry;
@@ -323,7 +336,7 @@ protected Integer load() {
                     ObjectQuery query = QueryUtils.filterForAssignees(q, getPrincipal(),
                             OtherPrivilegesLimitationType.F_APPROVAL_WORK_ITEMS).build();
                     return getModelService().countContainers(WorkItemType.class, query, null, task, task.getResult());
-                } catch (SchemaException | SecurityViolationException e) {
+                } catch (SchemaException | SecurityViolationException | ExpressionEvaluationException | ObjectNotFoundException e) {
                     LoggingUtils.logExceptionAsWarning(LOGGER, "Couldn't load work item count", e);
                     return null;
                 }
@@ -340,7 +353,7 @@ protected Integer load() {
                     OperationResult result = task.getResult();
                     return acs.countOpenWorkItems(new ObjectQuery(), true, null, task, result);
                 } catch (SchemaException | SecurityViolationException | ObjectNotFoundException
-                        | ConfigurationException | CommunicationException e) {
+                        | ConfigurationException | CommunicationException | ExpressionEvaluationException e) {
                     LoggingUtils.logExceptionAsWarning(LOGGER, "Couldn't load certification work item count", e);
                     return null;
                 }
@@ -485,6 +498,11 @@ public TaskService getTaskService() {
     public SecurityEnforcer getSecurityEnforcer() {
         return securityEnforcer;
     }
+
+    @Override
+    public SecurityContextManager getSecurityContextManager() {
+        return securityContextManager;
+    }
 
     @Override
     public ModelInteractionService getModelInteractionService() {
@@ -521,7 +539,31 @@ public Task getPageTask() {
         }
         return pageTask;
     }
+
+    public <O extends ObjectType, T extends ObjectType> boolean isAuthorized(String operationUrl) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException {
+    	return isAuthorized(operationUrl, null, null, null, null, null);
+    }
+
+    public <O extends ObjectType, T extends ObjectType> boolean isAuthorized(String operationUrl, AuthorizationPhaseType phase,
+			PrismObject<O> object, ObjectDelta<O> delta, PrismObject<T> target, OwnerResolver ownerResolver) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException {
+    	Task task = getPageTask();
+    	return getSecurityEnforcer().isAuthorized(operationUrl, phase, object, delta, target, ownerResolver, task, task.getResult());
+    }
+
+    public <O extends ObjectType, T extends ObjectType> void authorize(String operationUrl, AuthorizationPhaseType phase,
+			PrismObject<O> object, ObjectDelta<O> delta, PrismObject<T> target, OwnerResolver ownerResolver, OperationResult result)
+			throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException {
+    	getSecurityEnforcer().authorize(operationUrl, phase, object, delta, target, ownerResolver, getPageTask(), result);
+    }
 
+    public <O extends ObjectType, T extends ObjectType> void authorize(String operationUrl, AuthorizationPhaseType phase,
+			PrismObject<O> object, ObjectDelta<O> delta, PrismObject<T> target, OwnerResolver ownerResolver)
+			throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException {
+    	Task task = getPageTask();
+    	getSecurityEnforcer().authorize(operationUrl, phase, object, delta, target, ownerResolver, task, task.getResult());
+    }
+
+
     public MidpointFormValidatorRegistry getFormValidatorRegistry() {
         return formValidatorRegistry;
     }
@@ -1002,6 +1044,11 @@ public OpResult showResult(OperationResult result, String errorMessageKey, boole
         Validate.notNull(result, "Operation result must not be null.");
         Validate.notNull(result.getStatus(), "Operation result status must not be null.");
 
+        Object scriptResult = executeResultScriptHook(result);
+        if (scriptResult instanceof OperationResult) {
+            result = (OperationResult) scriptResult;
+        }
+
         OpResult opResult = OpResult.getOpResult((PageBase) getPage(), result);
         opResult.determineBackgroundTaskVisibility(this);
         switch (opResult.getStatus()) {
@@ -1030,6 +1077,56 @@ public OpResult showResult(OperationResult result, String errorMessageKey, boole
         return opResult;
     }
 
+    private OperationResult executeResultScriptHook(OperationResult result) {
+        AdminGuiConfigurationType adminGuiConfiguration = getAdminGuiConfiguration();
+        if (adminGuiConfiguration == null || adminGuiConfiguration.getFeedbackMessagesHook() == null) {
+            return result;
+        }
+
+        FeedbackMessagesHookType hook = adminGuiConfiguration.getFeedbackMessagesHook();
+        ExpressionType expressionType = hook.getOperationResultHook();
+        if (expressionType == null) {
+            return result;
+        }
+
+        String contextDesc = "operation result (" + result.getOperation() + ") script hook";
+
+        Task task = getPageTask();
+        OperationResult topResult = task.getResult();
+        try {
+            ExpressionFactory factory = getExpressionFactory();
+            Expression expression = factory.makeExpression(expressionType, null, contextDesc, task, topResult);
+
+            ExpressionVariables variables = new ExpressionVariables();
+            variables.addVariableDefinition(ExpressionConstants.VAR_INPUT, result);
+
+            ExpressionEvaluationContext context = new ExpressionEvaluationContext(null, variables, contextDesc, task, topResult);
+            PrismValueDeltaSetTriple<PrismPropertyValue<?>> outputTriple = expression.evaluate(context);
+            if (outputTriple == null) {
+                return null;
+            }
+
+            Collection<PrismPropertyValue<?>> values = outputTriple.getNonNegativeValues();
+            if (values == null || values.isEmpty()) {
+                return null;
+            }
+
+            if (values.size() > 1) {
+                throw new SchemaException("Expression " + contextDesc + " produced more than one value");
+            }
+
+            return values.iterator().next().getRealValue();
+        } catch (SchemaException | ExpressionEvaluationException | ObjectNotFoundException e) {
+            result.recordFatalError(e);
+            LoggingUtils.logUnexpectedException(LOGGER, contextDesc, e);
+            if (InternalsConfig.nonCriticalExceptionsAreFatal()) {
+                throw new SystemException(e.getMessage(), e);
+            } else {
+                return topResult;
+            }
+        }
+    }
+
     // common result processing
     protected void processResult(AjaxRequestTarget target, OperationResult result, boolean showSuccess) {
         result.computeStatusIfUnknown();
@@ -1637,10 +1734,10 @@ private boolean isMenuItemAuthorized(Class<? extends PageAdmin> newPageClass) {
 
             // TODO: the modify authorization here is probably wrong.
             // It is a model autz. UI autz should be here instead?
-            return getSecurityEnforcer().isAuthorized(ModelAuthorizationAction.ADD.getUrl(),
+            return isAuthorized(ModelAuthorizationAction.ADD.getUrl(),
                     AuthorizationPhaseType.REQUEST, object == null ? null : object.asPrismObject(),
                     null, null, null);
-        } catch (SchemaException ex) {
+        } catch (SchemaException | ObjectNotFoundException | ExpressionEvaluationException ex) {
             LoggingUtils.logUnexpectedException(LOGGER, "Couldn't solve authorization for New organization menu item", ex);
         }
         return false;
@@ -1878,8 +1975,8 @@ protected void setTimeZone(PageBase page) {
         }
     }
 
-    protected <T> T runPrivileged(Producer<T> producer) {
-        return securityEnforcer.runPrivileged(producer);
+    public <T> T runPrivileged(Producer<T> producer) {
+        return securityContextManager.runPrivileged(producer);
     }
 
     public void setBreadcrumbs(List<Breadcrumb> breadcrumbs) {

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/util/ModelServiceLocator.java

@@ -20,7 +20,8 @@
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
 import com.evolveum.midpoint.schema.util.ObjectResolver;
-import com.evolveum.midpoint.security.api.SecurityEnforcer;
+import com.evolveum.midpoint.security.api.SecurityContextManager;
+import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AdminGuiConfigurationType;
 
@@ -51,6 +52,8 @@ public interface ModelServiceLocator {
 	PrismContext getPrismContext();
 
 	SecurityEnforcer getSecurityEnforcer();
+
+	SecurityContextManager getSecurityContextManager();
 
 	ExpressionFactory getExpressionFactory();
 

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/util/WebComponentUtil.java

@@ -907,7 +907,7 @@ public static String getName(PrismObject object) {
 	}
 
 	public static <C extends Containerable> String getDisplayName(PrismContainerValue<C> prismContainerValue) {
-		if (prismContainerValue == null || prismContainerValue.isEmpty()) {
+		if (prismContainerValue == null) {
 			return "ContainerPanel.containerProperties";
 		}
 
@@ -919,14 +919,16 @@ public static <C extends Containerable> String getDisplayName(PrismContainerValu
 
 		if (containerable instanceof ExclusionPolicyConstraintType){
 			ExclusionPolicyConstraintType exclusionConstraint = (ExclusionPolicyConstraintType) containerable;
-			String displayName = (exclusionConstraint.getName() != null ? exclusionConstraint.getName() + "-" : "")
+			String displayName = (exclusionConstraint.getName() != null ? exclusionConstraint.getName() :
+					exclusionConstraint.asPrismContainerValue().getPath().last())  + " - "
 					+ StringUtils.defaultIfEmpty(getName(exclusionConstraint.getTargetRef()), "");
 			return StringUtils.isNotEmpty(displayName) ? displayName : "Not defined exclusion name";
 		}
 		if (containerable instanceof AbstractPolicyConstraintType){
 			AbstractPolicyConstraintType constraint = (AbstractPolicyConstraintType) containerable;
-			String displayName = constraint.getName() + "-" + constraint.getDescription();
-			return StringUtils.isNotEmpty(displayName) ? displayName : "ContainerPanel.containerProperties";
+			String displayName = (StringUtils.isEmpty(constraint.getName()) ? (constraint.asPrismContainerValue().getPath().last()) : constraint.getName())
+					+ (StringUtils.isEmpty(constraint.getDescription()) ? "" : (" - " + constraint.getDescription()));
+			return displayName;
 		}
 		return "ContainerPanel.containerProperties";
 	}

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/SecurityContextAwareCallable.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2014 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,38 +16,40 @@
 
 package com.evolveum.midpoint.web.component;
 
-import com.evolveum.midpoint.security.api.SecurityEnforcer;
 import org.apache.commons.lang.Validate;
 import org.apache.wicket.Application;
 import org.apache.wicket.Session;
 import org.apache.wicket.ThreadContext;
 import org.springframework.security.core.Authentication;
 
+import com.evolveum.midpoint.security.api.SecurityContextManager;
+import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
+
 import java.util.concurrent.Callable;
 
 /**
  * @author lazyman
  */
 public abstract class SecurityContextAwareCallable<V> implements Callable<V> {
 
-    private SecurityEnforcer enforcer;
+    private SecurityContextManager securityContextManager;
     private Authentication authentication;
 
-    protected SecurityContextAwareCallable(SecurityEnforcer enforcer, Authentication authentication) {
-        Validate.notNull(enforcer, "Security enforcer must not be null.");
+    protected SecurityContextAwareCallable(SecurityContextManager securityContextManager, Authentication authentication) {
+        Validate.notNull(securityContextManager, "Security enforcer must not be null.");
 
-        this.enforcer = enforcer;
+        this.securityContextManager = securityContextManager;
         this.authentication = authentication;
     }
 
     @Override
     public final V call() throws Exception {
-        enforcer.setupPreAuthenticatedSecurityContext(authentication);
+    	securityContextManager.setupPreAuthenticatedSecurityContext(authentication);
 
         try {
             return callWithContextPrepared();
         } finally {
-            enforcer.setupPreAuthenticatedSecurityContext((Authentication) null);
+        	securityContextManager.setupPreAuthenticatedSecurityContext((Authentication) null);
             //todo cleanup security context
         }
     }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/assignment/AbstractRoleAssignmentPanel.java

@@ -163,12 +163,7 @@ protected <T extends ObjectType> void addSelectedAssignmentsPerformed(AjaxReques
         	   } else {
         		   assignmentType.setTargetRef(ref);
         	   }
-        	   ContainerValueWrapper<AssignmentType> newAssignmentValueWrapper = createNewAssignmentContainerValueWrapper(newAssignment);
-//        	   getModelObject().getValues().add(newAssignmentValueWrapper);
-
-//               ContainerValueWrapper<AssignmentType> valueWrapper = factory.createContainerValueWrapper(getModelObject(), newAssignment.asPrismContainerValue(),
-//                       ValueStatus.ADDED, new ItemPath(FocusType.F_ASSIGNMENT));
-//               getModelObject().getValues().add(valueWrapper);
+        	   createNewAssignmentContainerValueWrapper(newAssignment);
            }
 
            refreshTable(target);