From 889a501a810fc4dfb24b0087d7b04081f1696759 Mon Sep 17 00:00:00 2001
From: Katarina Valalikova
Date: Mon, 16 Mar 2020 07:19:29 +0100
Subject: [PATCH 1/2] fix for MID-5947 - support for securityPolicy for projection defined in schemaHandling/objectType
(cherry picked from commit a41a66216342f8d69962ebf67d47c691004cd158)
---
 .../impl/lens/projector/ContextLoader.java | 50 ++-----------------
 .../model/impl/security/SecurityHelper.java | 43 ++++++++++++++++
 2 files changed, 47 insertions(+), 46 deletions(-)
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ContextLoader.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ContextLoader.java
index e9e8c0d4c0c..7362fc55a88 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ContextLoader.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ContextLoader.java
@@ -1326,7 +1326,10 @@ private void finishLoadOfProjectionContext(LensContext
 //Determine refined schema and password policies for account type
 RefinedObjectClassDefinition structuralObjectClassDef = projContext.getStructuralObjectClassDefinition();
 if (structuralObjectClassDef != null) {
- loadProjectionSecurityPolicy(context, projContext, task, result);
+ LOGGER.trace("Finishing loading of projection context: security policy");
+ SecurityPolicyType projectionSecurityPolicy = securityHelper.locateProjectionSecurityPolicy(projContext.getStructuralObjectClassDefinition(), task, result);
+ LOGGER.trace("Located security policy for: {},\n {}", projContext, projectionSecurityPolicy);
+ projContext.setProjectionSecurityPolicy(projectionSecurityPolicy);
 } else {
 LOGGER.trace("No structural object class definition, skipping determining security policy");
 }
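Review bot: The new call passes `projContext.getStructuralObjectClassDefinition()` although the null-checked local `structuralObjectClassDef` is declared two lines above it; use the local, `securityHelper.locateProjectionSecurityPolicy(structuralObjectClassDef, task, result)`, so the guard and the argument cannot drift apart. `locateProjectionSecurityPolicy` declares SecurityViolationException, CommunicationException, ConfigurationException and ExpressionEvaluationException on top of the two that the removed `loadProjectionSecurityPolicy` threw, so `finishLoadOfProjectionContext` (whose signature and remaining body lie outside this hunk) must either already declare them or have been widened; worth confirming that widening is intended, since every caller up the chain now sees those exception types too. Note also that when the helper returns null the projection policy is now explicitly set to null, whereas the removed code left it untouched in that case; that looks harmless if nothing sets it earlier, but a short comment such as `// null: no projection-specific security policy configured or resolvable` would make the intent explicit.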
@@ -1343,51 +1346,6 @@ private void finishLoadOfProjectionContext(LensContext
 setPrimaryDeltaOldValue(projContext);
 }
- private void loadProjectionSecurityPolicy(LensContext context,
- LensProjectionContext projContext, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException {
- LOGGER.trace("Finishing loading of projection context: security policy");
- ObjectReferenceType securityPolicyRef = projContext.getStructuralObjectClassDefinition().getSecurityPolicyRef();
- if (securityPolicyRef == null || securityPolicyRef.getOid() == null) {
- LOGGER.trace("Security policy not defined for the projection context.");
- loadProjectionLegacyPasswordPolicy(context, projContext, task, result);
- return;
- }
- LOGGER.trace("Loading security policy {} for projection context: {}", securityPolicyRef, projContext);
- PrismObject securityPolicy = cacheRepositoryService.getObject(SecurityPolicyType.class, securityPolicyRef.getOid(), null, result);
- if (securityPolicy == null) {
- LOGGER.debug("Security policy {} defined for the projection does not exist", securityPolicyRef);
- return;
- }
- LOGGER.trace("Found legacy password policy: {}", securityPolicy);
- projContext.setProjectionSecurityPolicy(securityPolicy.asObjectable());
- }
-
-
- private void loadProjectionLegacyPasswordPolicy(LensContext context,
- LensProjectionContext projContext, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException {
- ObjectReferenceType passwordPolicyRef = projContext.getStructuralObjectClassDefinition().getPasswordPolicy();
- if (passwordPolicyRef == null || passwordPolicyRef.getOid() == null) {
- LOGGER.trace("Legacy password policy not defined for the projection context.");
- return;
- }
- LOGGER.trace("Loading legacy password policy {} for projection context: {}", passwordPolicyRef, projContext);
- PrismObject passwordPolicy = cacheRepositoryService.getObject(
- ValuePolicyType.class, passwordPolicyRef.getOid(), null, result);
- if 
(passwordPolicy == null) {
- LOGGER.debug("Legacy password policy {} defined for the projection does not exist", passwordPolicyRef);
- return;
- }
- ObjectReferenceType dummyPasswordPolicyRef = new ObjectReferenceType();
- dummyPasswordPolicyRef.asReferenceValue().setObject(passwordPolicy);
- PrismObject securityPolicy = prismContext.createObject(SecurityPolicyType.class);
- securityPolicy.asObjectable()
- .beginCredentials()
- .beginPassword()
- .valuePolicyRef(dummyPasswordPolicyRef);
- projContext.setProjectionSecurityPolicy(securityPolicy.asObjectable());
- }
-
-
 private boolean needToReload(LensContext context, LensProjectionContext projContext) {
 ResourceShadowDiscriminator discr = projContext.getResourceShadowDiscriminator();
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SecurityHelper.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SecurityHelper.java
index b858dfcef7d..de54a774b10 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SecurityHelper.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SecurityHelper.java
@@ -9,8 +9,10 @@ import javax.xml.datatype.Duration;
 import javax.xml.soap.SOAPMessage;
+import com.evolveum.midpoint.common.refinery.RefinedObjectClassDefinition;
 import com.evolveum.midpoint.model.api.ModelAuditRecorder;
 import com.evolveum.midpoint.model.impl.util.AuditHelper;
+import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.security.api.HttpConnectionInformation;
 import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
@@ -74,6 +76,7 @@ public class SecurityHelper implements ModelAuditRecorder {
 @Autowired private AuditHelper auditHelper;
 @Autowired private ModelObjectResolver objectResolver;
 @Autowired private SecurityEnforcer securityEnforcer;
+ @Autowired private PrismContext prismContext;
 @Override public void auditLoginSuccess(@NotNull UserType user, @NotNull ConnectionEnvironment connEnv) {
@@ -223,6 +226,46 @@ public SecurityPolicyType locateGlobalSecurityPolicy(Prism
 return null;
 }
+ public SecurityPolicyType locateProjectionSecurityPolicy(RefinedObjectClassDefinition structuralObjectClassDefinition, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
+ LOGGER.trace("Finishing loading of projection context: security policy");
+ ObjectReferenceType securityPolicyRef = structuralObjectClassDefinition.getSecurityPolicyRef();
+ if (securityPolicyRef == null || securityPolicyRef.getOid() == null) {
+ LOGGER.trace("Security policy not defined for the projection context.");
+ return loadProjectionLegacyPasswordPolicy(structuralObjectClassDefinition, task, result);
+ }
+ LOGGER.trace("Loading security policy {} from: {}", securityPolicyRef, structuralObjectClassDefinition);
+ SecurityPolicyType securityPolicy = objectResolver.resolve(securityPolicyRef, SecurityPolicyType.class, null, " projection security policy", task, result);
+ if (securityPolicy == null) {
+ LOGGER.debug("Security policy {} defined for the projection does not exist", securityPolicyRef);
+ return null;
+ }
+ postProcessSecurityPolicy(securityPolicy, task, result);
+ return securityPolicy;
+ }
+
+ private SecurityPolicyType loadProjectionLegacyPasswordPolicy(RefinedObjectClassDefinition structuralObjectClassDefinition, Task task, OperationResult result) throws SchemaException, ObjectNotFoundException, SecurityViolationException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
+ ObjectReferenceType passwordPolicyRef = structuralObjectClassDefinition.getPasswordPolicy();
+ if (passwordPolicyRef == null || passwordPolicyRef.getOid() == null) {
+ LOGGER.trace("Legacy password policy not defined for the projection context.");
+ return null;
+ }
+ LOGGER.trace("Loading legacy password policy {} from: {}", passwordPolicyRef, 
structuralObjectClassDefinition);
+ ValuePolicyType passwordPolicy = objectResolver.resolve(passwordPolicyRef,
+ ValuePolicyType.class, null, " projection legacy password policy ", task, result);
+ if (passwordPolicy == null) {
+ LOGGER.debug("Legacy password policy {} defined for the projection does not exist", passwordPolicyRef);
+ return null;
+ }
+ ObjectReferenceType dummyPasswordPolicyRef = new ObjectReferenceType();
+ dummyPasswordPolicyRef.asReferenceValue().setObject(passwordPolicy.asPrismObject());
+ PrismObject securityPolicy = prismContext.createObject(SecurityPolicyType.class);
+ securityPolicy.asObjectable()
+ .beginCredentials()
+ .beginPassword()
+ .valuePolicyRef(dummyPasswordPolicyRef);
+ return securityPolicy.asObjectable();
+ }
+
 private SecurityPolicyType resolveGlobalSecurityPolicy(PrismObject user, SystemConfigurationType systemConfiguration, Task task, OperationResult result) throws CommunicationException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
 ObjectReferenceType globalSecurityPolicyRef = systemConfiguration.getGlobalSecurityPolicyRef();
 if (globalSecurityPolicyRef != null) {
From 63e8481dcd8c8fbc6231296d8c771669da1450fc Mon Sep 17 00:00:00 2001
From: Katarina Valalikova
Date: Mon, 16 Mar 2020 08:37:15 +0100
Subject: [PATCH 2/2] small imrpovements for setting operationResult on failure.
---
 .../midpoint/model/impl/sync/SynchronizationServiceImpl.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/sync/SynchronizationServiceImpl.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/sync/SynchronizationServiceImpl.java
index 3162c888b7f..52aad789db2 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/sync/SynchronizationServiceImpl.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/sync/SynchronizationServiceImpl.java
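Review bot: `locateProjectionSecurityPolicy` is a new public method without Javadoc; it should state that it resolves the object type's `securityPolicyRef`, falls back to the legacy `passwordPolicy` reference wrapped in a synthesized SecurityPolicyType, and returns null when neither is configured or the referenced object cannot be resolved, because ContextLoader stores that result directly and callers need the null contract. The two "does not exist" branches are the weak spot from a hardening standpoint: a dangling `securityPolicyRef` or `passwordPolicy` reference leaves the projection with no security policy at all, yet this is reported only at debug level and nothing is recorded on `result`, so an administrator never learns that the configured policy is not being enforced — a `LOGGER.warn` plus a warning recorded on `result` would surface the misconfiguration. Whether `objectResolver.resolve` can actually return null rather than throwing ObjectNotFoundException is not visible here, so those branches may be dead; confirm and either keep them as a documented safety net or remove them. Note also that `postProcessSecurityPolicy` runs on the direct path but not on the policy synthesized by `loadProjectionLegacyPasswordPolicy`, and that the trace "Finishing loading of projection context: security policy" is now emitted both here and by the caller in ContextLoader, so one of the two copies should go.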
@@ -1112,6 +1112,7 @@ private void executeActions(SynchronizationContext sync
 String handlerUri = actionDef.getHandlerUri();
 if (handlerUri == null) {
 LOGGER.error("Action definition in resource {} doesn't contain handler URI", syncCtx.getResource());
+ parentResult.recordFatalError("Action definition in resource " + syncCtx.getResource() + "doesn't contain handler URI.");
 throw new ConfigurationException(
 "Action definition in resource " + syncCtx.getResource() + " doesn't contain handler URI");
 }
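Review bot: The message passed to `parentResult.recordFatalError` is missing the space before `doesn't` — `syncCtx.getResource() + "doesn't contain handler URI."` renders the resource and the verb run together — and it also differs from the exception text by a trailing period, so the result and the exception describe the same failure differently. Build the text once and reuse it: `String message = "Action definition in resource " + syncCtx.getResource() + " doesn't contain handler URI";` then `parentResult.recordFatalError(message);` and `throw new ConfigurationException(message);`. If OperationResult offers a `recordFatalError(String, Throwable)` overload, passing the exception as well would let the result carry the cause; `executeActions` continues beyond this hunk.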