Merge branch 'master' of github.com:Evolveum/midpoint

Evolveum · Mar 13, 2017 · 38afd54 · 38afd54
2 parents 89184f9 + 7a3594c
commit 38afd54
Show file tree

Hide file tree

Showing 5 changed files with 131 additions and 10 deletions.
diff --git a/gui/admin-gui/src/main/resources/initial-objects/040-role-enduser.xml b/gui/admin-gui/src/main/resources/initial-objects/040-role-enduser.xml
@@ -160,5 +160,19 @@
             <type>ServiceType</type>
         </object>
     </authorization>
+    <authorization>
+    	<name>assignment-target-read-task</name>
+    	<description>
+    		Authorization that allows to read workflow status of tasks. This is used to display requests
+    		to the end users, especially in the "My Requests" box in user dashboard.
+    		This authorization is a temporary solution. It will be replaced by a finer-grained
+    		permissions in the future.
+    	</description>
+        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+        <object>
+            <type>TaskType</type>
+        </object>
+        <item>workflowContext</item>
+    </authorization>
     <roleType>system</roleType>
 </role>
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java
@@ -1559,6 +1559,108 @@ public void test242AutzJackManagerFullControlManagerMinistryOfRum() throws Excep
         assertGlobalStateUntouched();
 	}
 
+	@Test
+    public void test246AutzJackManagerFullControlManagerMinistryOfRumAndDefense() throws Exception {
+		final String TEST_NAME = "test246AutzJackManagerFullControlManagerMinistryOfRumAndDefense";
+        TestUtil.displayTestTile(this, TEST_NAME);
+        // GIVEN
+        cleanupAutzTest(USER_JACK_OID);
+
+        assignRole(USER_JACK_OID, ROLE_MANAGER_FULL_CONTROL_OID);
+        assignOrg(USER_JACK_OID, ORG_MINISTRY_OF_RUM_OID, SchemaConstants.ORG_MANAGER);
+        assignOrg(USER_JACK_OID, ORG_MINISTRY_OF_DEFENSE_OID, SchemaConstants.ORG_MANAGER);
+        assignAccount(USER_JACK_OID, RESOURCE_DUMMY_OID, null);
+
+        // precondition
+        PrismObject<ShadowType> elaineShadow = getObject(ShadowType.class, ACCOUNT_SHADOW_ELAINE_DUMMY_OID);
+        assertNotNull(elaineShadow);
+        display("Elaine's shadow", elaineShadow);
+
+        login(USER_JACK_USERNAME);
+
+        // WHEN
+        TestUtil.displayWhen(TEST_NAME);
+
+        assertGetAllow(UserType.class, USER_JACK_OID);
+        assertGetAllow(UserType.class, USER_JACK_OID, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
+        assertGetDeny(UserType.class, USER_GUYBRUSH_OID);
+        assertGetDeny(UserType.class, USER_GUYBRUSH_OID, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
+
+        assertSearch(UserType.class, null, 4);
+        assertSearch(UserType.class, createNameQuery(USER_JACK_USERNAME), 1);
+        assertSearch(UserType.class, createNameQuery(USER_JACK_USERNAME), SelectorOptions.createCollection(GetOperationOptions.createRaw()), 1);
+        assertSearch(UserType.class, createNameQuery(USER_GUYBRUSH_USERNAME), 0);
+        assertSearch(UserType.class, createNameQuery(USER_GUYBRUSH_USERNAME), SelectorOptions.createCollection(GetOperationOptions.createRaw()), 0);
+
+        assertAddDeny();
+
+		assertModifyAllow(UserType.class, USER_JACK_OID, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Captain"));
+		assertModifyAllowOptions(UserType.class, USER_JACK_OID, UserType.F_HONORIFIC_SUFFIX, ModelExecuteOptions.createRaw(), PrismTestUtil.createPolyString("CSc"));
+		assertModifyDeny(UserType.class, USER_GUYBRUSH_OID, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Pirate"));
+
+        assertDeleteDeny();
+
+        assertGetAllow(UserType.class, userRumRogersOid);
+        assertModifyAllow(UserType.class, userRumRogersOid, UserType.F_TITLE, PrismTestUtil.createPolyString("drunk"));
+        assertGetAllow(UserType.class, userCobbOid); // Cobb is in Scumm Bar, transitive descendant of Ministry of Rum
+        assertAddAllow(USER_MANCOMB_FILE);
+
+        PrismObject<UserType> user = getUser(USER_JACK_OID);
+        String accountOid = getSingleLinkOid(user);
+        assertGetAllow(ShadowType.class, accountOid);
+        PrismObject<ShadowType> shadow = getObject(ShadowType.class, accountOid);
+        display("Jack's shadow", shadow);
+
+        assertGetDeny(ShadowType.class, ACCOUNT_SHADOW_ELAINE_DUMMY_OID);
+
+        assertVisibleUsers(5);
+
+        assertGetAllow(OrgType.class, ORG_MINISTRY_OF_RUM_OID);
+        assertSearch(OrgType.class, null, 3);
+
+        assertModifyDeny(OrgType.class, ORG_MINISTRY_OF_RUM_OID, OrgType.F_DESCRIPTION, "blababla");
+        assertModifyAllow(OrgType.class, ORG_SCUMM_BAR_OID, OrgType.F_DESCRIPTION, "Hosting the worst scumm of the World.");
+
+        assignAccount(USER_ESTEVAN_OID, RESOURCE_DUMMY_OID, null);
+
+        PrismObject<UserType> userEstevan = getUser(USER_ESTEVAN_OID);
+        String accountEstevanOid = getSingleLinkOid(userEstevan);
+        assertGetAllow(ShadowType.class, accountEstevanOid);
+        PrismObject<ShadowType> shadowEstevan = getObject(ShadowType.class, accountEstevanOid);
+        display("Estevan shadow", shadowEstevan);
+
+    	// MID-2822
+
+    	Task task = taskManager.createTaskInstance(TestSecurity.class.getName() + "." + TEST_NAME);
+        OperationResult result = task.getResult();
+
+        ObjectQuery query = ObjectQuery.createObjectQuery(
+        		ObjectQueryUtil.createResourceAndObjectClassFilter(RESOURCE_DUMMY_OID, 
+        				new QName(RESOURCE_DUMMY_NAMESPACE, "AccountObjectClass"), prismContext));
+
+        // When finally fixed is should be like this:
+//    	assertSearch(ShadowType.class, query, 2);
+
+        try {
+
+            modelService.searchObjects(ShadowType.class, query, null, task, result);
+
+        	AssertJUnit.fail("unexpected success");
+
+		} catch (SchemaException e) {
+			// This is expected. The authorizations will mix on-resource and off-resource search.
+			display("Expected exception", e);
+		}
+        result.computeStatus();
+		TestUtil.assertFailure(result);
+
+
+        assertDeleteAllow(UserType.class, USER_ESTEVAN_OID);
+
+        assertVisibleUsers(4);
+
+        assertGlobalStateUntouched();
+	}
 
 	@Test
     public void test250AutzJackSelfAccountsRead() throws Exception {
@@ -3234,6 +3336,8 @@ private void cleanupAutzTest(String userOid) throws ObjectNotFoundException, Sch
 
         unassignOrg(USER_JACK_OID, ORG_MINISTRY_OF_RUM_OID, SchemaConstants.ORG_MANAGER, task, result);
         unassignOrg(USER_JACK_OID, ORG_MINISTRY_OF_RUM_OID, null, task, result);
+        unassignOrg(USER_JACK_OID, ORG_MINISTRY_OF_DEFENSE_OID, SchemaConstants.ORG_MANAGER, task, result);
+        unassignOrg(USER_JACK_OID, ORG_MINISTRY_OF_DEFENSE_OID, null, task, result);
 	}
 
 	private void cleanupAdd(File userLargoFile, Task task, OperationResult result) throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, PolicyViolationException, SecurityViolationException, IOException {

diff --git a/...security-impl/src/main/java/com/evolveum/midpoint/security/impl/SecurityEnforcerImpl.java b/...security-impl/src/main/java/com/evolveum/midpoint/security/impl/SecurityEnforcerImpl.java
@@ -965,7 +965,7 @@ private <T extends ObjectType, O extends ObjectType> ObjectFilter preProcessObje
 										if (BooleanUtils.isTrue(specOrgRelation.isIncludeReferenceOrg())) {
 											q2 = q2.or().id(subjectParentOrgRef.getOid());
 										}
-										objSpecOrgRelationFilter = ObjectQueryUtil.filterAnd(objSpecOrgRelationFilter, q2.buildFilter());
+										objSpecOrgRelationFilter = ObjectQueryUtil.filterOr(objSpecOrgRelationFilter, q2.buildFilter());
 									}
 								}
 								if (objSpecOrgRelationFilter == null) {

diff --git a/samples/evolveum/org-users.xml b/samples/evolveum/org-users.xml
@@ -24,6 +24,9 @@
 	<role oid="8471b89a-0802-11e7-971d-7728366eba21">
 		<name>Manager</name>
 		<description>Role for organizational unit managers. Allows delegated administration.</description>
+		<inducement>
+			<targetRef oid="00000000-0000-0000-0000-00000000000a" type="RoleType"/> <!-- Approver -->
+		</inducement>
 		<authorization>
 		    	<name>gui-access</name>
 		    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#usersAll</action>

diff --git a/samples/evolveum/role-catalog.xml b/samples/evolveum/role-catalog.xml
@@ -144,8 +144,8 @@
 				 </association>
 			</construction>
 		</inducement>
-		<approverRef oid="00000000-ee88-6666-0000-000000000002" type="UserType" /> <!-- semancik -->
 		<requestable>true</requestable>
+		<approverRef oid="00000000-ee88-6666-0000-000000000002" type="UserType" /> <!-- semancik -->
 		<roleType>application</roleType>
 	</role>
 
@@ -198,8 +198,8 @@
 		<assignment>
 			<targetRef oid="00000000-ee88-6666-0000-c00000002000" type="c:OrgType"/>
 		</assignment>
-		<approverRef oid="00000000-ee88-6666-0000-000000000002" type="UserType" /> <!-- semancik -->
 		<requestable>true</requestable>
+		<approverRef oid="00000000-ee88-6666-0000-000000000002" type="UserType" /> <!-- semancik -->
 		<roleType>application</roleType>
 	</role>
 
@@ -213,8 +213,8 @@
 		<assignment>
 			<targetRef oid="00000000-ee88-6666-0000-c0000000a000" type="c:OrgType"/>
 		</assignment>
-		<approverRef oid="00000000-ee88-6666-0000-000000000002" type="UserType" /> <!-- semancik -->
 		<requestable>true</requestable>
+		<approverRef oid="00000000-ee88-6666-0000-000000000002" type="UserType" /> <!-- semancik -->
 		<roleType>application</roleType>
 	</role>
 
@@ -224,8 +224,8 @@
 		<assignment>
 			<targetRef oid="00000000-ee88-6666-0000-c00000002000" type="c:OrgType"/>
 		</assignment>
-		<approverRef oid="00000000-ee88-6666-0000-000000000002" type="UserType" /> <!-- semancik -->
 		<requestable>true</requestable>
+		<approverRef oid="00000000-ee88-6666-0000-000000000002" type="UserType" /> <!-- semancik -->
 		<roleType>application</roleType>
 	</role>
 
@@ -255,8 +255,8 @@
 		<assignment>
 			<targetRef oid="00000000-ee88-6666-0000-c00000003000" type="c:OrgType"/>
 		</assignment>
-		<approverRef oid="00000000-ee88-6666-0000-000000000002" type="UserType" /> <!-- semancik -->
 		<requestable>true</requestable>
+		<approverRef oid="00000000-ee88-6666-0000-000000000002" type="UserType" /> <!-- semancik -->
 		<roleType>application</roleType>
 	</role>
 
@@ -266,8 +266,8 @@
 		<assignment>
 			<targetRef oid="00000000-ee88-6666-0000-c00000003000" type="c:OrgType"/>
 		</assignment>
-		<approverRef oid="00000000-ee88-6666-0000-000000000002" type="UserType" /> <!-- semancik -->
 		<requestable>true</requestable>
+		<approverRef oid="00000000-ee88-6666-0000-000000000002" type="UserType" /> <!-- semancik -->
 		<roleType>application</roleType>
 	</role>
 
@@ -287,8 +287,8 @@
 		<assignment>
 			<targetRef oid="00000000-ee88-6666-0000-c00000003000" type="c:OrgType"/>
 		</assignment>
-		<approverRef oid="00000000-ee88-6666-0000-000000000002" type="UserType" /> <!-- semancik -->
 		<requestable>true</requestable>
+		<approverRef oid="00000000-ee88-6666-0000-000000000002" type="UserType" /> <!-- semancik -->
 		<roleType>application</roleType>
 	</role>
 
@@ -298,8 +298,8 @@
 		<assignment>
 			<targetRef oid="00000000-ee88-6666-0000-c00000003000" type="c:OrgType"/>
 		</assignment>
-		<approverRef oid="00000000-ee88-6666-0000-000000000002" type="UserType" /> <!-- semancik -->
 		<requestable>true</requestable>
+		<approverRef oid="00000000-ee88-6666-0000-000000000002" type="UserType" /> <!-- semancik -->
 		<roleType>application</roleType>
 	</role>
 
@@ -319,8 +319,8 @@
 		<assignment>
 			<targetRef oid="00000000-ee88-6666-0000-c00000003000" type="c:OrgType"/>
 		</assignment>
-		<approverRef oid="00000000-ee88-6666-0000-000000000002" type="UserType" /> <!-- semancik -->
 		<requestable>true</requestable>
+		<approverRef oid="00000000-ee88-6666-0000-000000000002" type="UserType" /> <!-- semancik -->
 		<roleType>application</roleType>
 	</role>