Added conditions support for global focus policy rules.

Evolveum · Aug 31, 2017 · 36dc0d1 · 36dc0d1
1 parent 067ddf8
commit 36dc0d1
Show file tree

Hide file tree

Showing 5 changed files with 90 additions and 5 deletions.
diff --git a/...main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/PolicyRuleProcessor.java b/...main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/PolicyRuleProcessor.java
@@ -136,15 +136,16 @@ public <F extends FocusType> void evaluateAssignmentPolicyRules(LensContext<F> c
 
 	//region ------------------------------------------------------------------ Focus policy rules
 	public <F extends FocusType> void evaluateFocusPolicyRules(LensContext<F> context, String activityDescription,
-			XMLGregorianCalendar now, Task task, OperationResult result) throws PolicyViolationException, SchemaException {
+			XMLGregorianCalendar now, Task task, OperationResult result)
+			throws PolicyViolationException, SchemaException, ExpressionEvaluationException, ObjectNotFoundException {
 		LensFocusContext<F> focusContext = context.getFocusContext();
 		if (focusContext == null) {
 			return;
 		}
 
 		List<EvaluatedPolicyRule> rules = new ArrayList<>();
 		collectFocusRulesFromAssignments(rules, context);
-		collectGlobalFocusRules(rules, context);
+		collectGlobalFocusRules(rules, context, task, result);
 
 		for (EvaluatedPolicyRule rule : rules) {
 			if (!hasSituationConstraint(rule)) {
@@ -174,7 +175,9 @@ private <F extends FocusType> void collectFocusRulesFromAssignments(List<Evaluat
 		}
 	}
 
-	private <F extends FocusType> void collectGlobalFocusRules(List<EvaluatedPolicyRule> rules, LensContext<F> context) throws SchemaException, PolicyViolationException {
+	private <F extends FocusType> void collectGlobalFocusRules(List<EvaluatedPolicyRule> rules, LensContext<F> context,
+			Task task, OperationResult result)
+			throws SchemaException, PolicyViolationException, ExpressionEvaluationException, ObjectNotFoundException {
 		PrismObject<SystemConfigurationType> systemConfiguration = context.getSystemConfiguration();
 		if (systemConfiguration == null) {
 			return;
@@ -190,7 +193,10 @@ private <F extends FocusType> void collectGlobalFocusRules(List<EvaluatedPolicyR
 		for (GlobalPolicyRuleType globalPolicyRule: systemConfiguration.asObjectable().getGlobalPolicyRule()) {
 			ObjectSelectorType focusSelector = globalPolicyRule.getFocusSelector();
 			if (repositoryService.selectorMatches(focusSelector, focus, LOGGER, "Global policy rule "+globalPolicyRule.getName()+": ")) {
-				// TODO check rule condition as well
+				if (!isRuleConditionTrue(globalPolicyRule, focus, null, context, task, result)) {
+					LOGGER.trace("Skipping global policy rule because the condition evaluated to false: {}", globalPolicyRule);
+					continue;
+				}
 				rules.add(new EvaluatedPolicyRuleImpl(globalPolicyRule, null));
 			}
 		}
@@ -406,7 +412,7 @@ private <F extends FocusType> boolean isRuleConditionTrue(GlobalPolicyRuleType g
 						new PrismPropertyDefinitionImpl<>(CONDITION_OUTPUT_NAME, DOMUtil.XSD_BOOLEAN, prismContext))
 				.addVariableDefinition(ExpressionConstants.VAR_USER, focusOdo)
 				.addVariableDefinition(ExpressionConstants.VAR_FOCUS, focusOdo)
-				.addVariableDefinition(ExpressionConstants.VAR_TARGET, evaluatedAssignment.getTarget())
+				.addVariableDefinition(ExpressionConstants.VAR_TARGET, evaluatedAssignment != null ? evaluatedAssignment.getTarget() : null)
 				.addVariableDefinition(ExpressionConstants.VAR_ASSIGNMENT, evaluatedAssignment)                // TODO: ok?
 				.rootNode(focusOdo);
 

diff --git a/.../model-intest/src/test/java/com/evolveum/midpoint/model/intest/rbac/AbstractRbacTest.java b/.../model-intest/src/test/java/com/evolveum/midpoint/model/intest/rbac/AbstractRbacTest.java
@@ -140,6 +140,9 @@ public abstract class AbstractRbacTest extends AbstractInitializedModelIntegrati
 	protected static final File ROLE_NON_CREATEABLE_FILE = new File(TEST_DIR, "role-non-createable.xml");
 	protected static final String ROLE_NON_CREATEABLE_OID = "c45a25ce-b2e8-11e6-923e-938d2c54d334";
 
+	protected static final File ROLE_CREATEABLE_FILE = new File(TEST_DIR, "role-createable.xml");
+	protected static final String ROLE_CREATEABLE_OID = "667a242c-dd13-4dbb-bc9f-ab678ba80d37";
+
 	protected static final File ROLE_IMMUTABLE_ASSIGN_FILE = new File(TEST_DIR, "role-immutable-assign.xml");
 	protected static final String ROLE_IMMUTABLE_ASSIGN_OID = "a6b10a7c-b57e-11e6-bcb3-1ba47cb07e2e";
 

diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/rbac/TestRbac.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/rbac/TestRbac.java
@@ -4243,6 +4243,27 @@ public void test826AddNonCreateableRole() throws Exception {
         assertNoObject(RoleType.class, ROLE_NON_CREATEABLE_OID);
 	}
 
+	@Test
+    public void test826bAddCreateableRole() throws Exception {
+		final String TEST_NAME = "test826bAddCreateableRole";
+        displayTestTitle(TEST_NAME);
+        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.FULL);
+
+        Task task = createTask(TEST_NAME);
+        OperationResult result = task.getResult();
+
+        PrismObject<RoleType> role = PrismTestUtil.parseObject(ROLE_CREATEABLE_FILE);
+        display("Role before", role);
+
+		// WHEN
+		displayWhen(TEST_NAME);
+		addObject(role, getDefaultOptions(), task, result);
+		result.computeStatus();
+		TestUtil.assertSuccess(result);
+
+		assertNotNull("object does not exist", getObject(RoleType.class, ROLE_CREATEABLE_OID));     // would get exception anyway
+	}
+
 	/**
 	 * This role has a metarole which has immutable policy rule in the
 	 * inducement.

diff --git a/model/model-intest/src/test/resources/common/system-configuration.xml b/model/model-intest/src/test/resources/common/system-configuration.xml
@@ -207,6 +207,33 @@
     		</filter>
     	</focusSelector>
     </globalPolicyRule>
+    <globalPolicyRule>
+    	<name>non-createable-role-disabled</name>
+    	<policyConstraints>
+    		<modification>
+    			<operation>add</operation>
+    		</modification>
+    	</policyConstraints>
+    	<policyActions>
+    		<enforcement/>
+    	</policyActions>
+    	<focusSelector>
+    		<type>RoleType</type>
+    		<filter>
+    			<q:equal>
+    				<q:path>description</q:path>
+    				<q:value>Thou shalt not create this role! (disabled)</q:value>
+    			</q:equal>
+    		</filter>
+    	</focusSelector>
+		<condition>
+			<expression>
+				<script>
+					<code>false</code>
+				</script>
+			</expression>
+		</condition>
+    </globalPolicyRule>
     <globalPolicyRule>
     	<name>immutable-role</name>
     	<policyConstraints>

diff --git a/model/model-intest/src/test/resources/rbac/role-createable.xml b/model/model-intest/src/test/resources/rbac/role-createable.xml
@@ -0,0 +1,28 @@
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+  <!-- There is a global policy rule that prohibits adding this role.
+       The rule triggers on description.
+   -->
+
+<role oid="667a242c-dd13-4dbb-bc9f-ab678ba80d37"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+        xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy">
+    <name>Createable</name>
+    <description>Thou shalt not create this role! (disabled)</description>
+</role>