Merge branches 'master' and 'master' of https://github.com/Evolveum/m…

…idpoint

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/AssignmentProcessor.java

@@ -239,14 +239,15 @@ private <F extends FocusType> void processAssignmentsProjectionsWithFocus(LensCo
         // Evaluates all assignments and sorts them to triple: added, removed and untouched assignments.
         // This is where most of the assignment-level action happens.
         DeltaSetTriple<EvaluatedAssignmentImpl<F>> evaluatedAssignmentTriple = assignmentTripleEvaluator.processAllAssignments();
+        policyRuleProcessor.addGlobalPoliciesToAssignments(context, evaluatedAssignmentTriple);
         context.setEvaluatedAssignmentTriple((DeltaSetTriple)evaluatedAssignmentTriple);
 
         if (LOGGER.isTraceEnabled()) {
         	LOGGER.trace("evaluatedAssignmentTriple:\n{}", evaluatedAssignmentTriple.debugDump());
         }
 
         // PROCESSING POLICIES
-        
+
         policyRuleProcessor.processPolicies(context, evaluatedAssignmentTriple, result);
 
         boolean needToReevaluateAssignments = policyRuleProcessor.processPruning(context, evaluatedAssignmentTriple, result);
@@ -255,7 +256,10 @@ private <F extends FocusType> void processAssignmentsProjectionsWithFocus(LensCo
         	LOGGER.debug("Re-evaluating assignments because exclusion pruning rule was triggered");
 
         	evaluatedAssignmentTriple = assignmentTripleEvaluator.processAllAssignments();
-
+        	// TODO shouldn't we store this re-evaluated triple back into the context?
+
+			policyRuleProcessor.addGlobalPoliciesToAssignments(context, evaluatedAssignmentTriple);
+
         	if (LOGGER.isTraceEnabled()) {
             	LOGGER.trace("re-evaluatedAssignmentTriple:\n{}", evaluatedAssignmentTriple.debugDump());
             }

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/FocusProcessor.java

@@ -396,7 +396,9 @@ private <F extends FocusType> void evaluateFocusPolicyRules(LensContext<F> conte
 		triggerAssignmentFocusPolicyRules(context, activityDescription, now, task, result);
 		triggerGlobalRules(context);
 	}
-
+
+	// TODO: should we really do this? Focus policy rules (e.g. forbidden modifications) are irrelevant in this situation,
+	// TODO: i.e. if we are assigning the object into some other object [med]
 	private <F extends FocusType> void triggerAssignmentFocusPolicyRules(LensContext<F> context, String activityDescription,
 			XMLGregorianCalendar now, Task task, OperationResult result) throws PolicyViolationException {
 		LensFocusContext<F> focusContext = context.getFocusContext();

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/PolicyRuleProcessor.java

@@ -21,7 +21,7 @@
 import javax.xml.namespace.QName;
 
 import com.evolveum.midpoint.model.api.context.*;
-import com.evolveum.midpoint.model.impl.lens.LensFocusContext;
+import com.evolveum.midpoint.model.impl.lens.*;
 import com.evolveum.midpoint.prism.*;
 import com.evolveum.midpoint.prism.delta.*;
 import com.evolveum.midpoint.prism.delta.builder.DeltaBuilder;
@@ -38,9 +38,6 @@
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.stereotype.Component;
 
-import com.evolveum.midpoint.model.impl.lens.EvaluatedAssignmentImpl;
-import com.evolveum.midpoint.model.impl.lens.EvaluatedAssignmentTargetImpl;
-import com.evolveum.midpoint.model.impl.lens.LensContext;
 import com.evolveum.midpoint.prism.query.ObjectQuery;
 import com.evolveum.midpoint.prism.query.builder.QueryBuilder;
 import com.evolveum.midpoint.prism.query.builder.S_AtomicFilterExit;
@@ -503,4 +500,41 @@ private PropertyDelta<String> createSituationDelta(ItemPath path, Set<String> cu
 		situationsDelta.setEstimatedOldValues(PrismPropertyValue.wrap(currentSituations));
 		return situationsDelta;
 	}
+
+	public <F extends FocusType> void addGlobalPoliciesToAssignments(LensContext<F> context,
+			DeltaSetTriple<EvaluatedAssignmentImpl<F>> evaluatedAssignmentTriple) throws SchemaException {
+
+		PrismObject<SystemConfigurationType> systemConfiguration = context.getSystemConfiguration();
+		if (systemConfiguration == null) {
+			return;
+		}
+		// We need to consider object before modification here.
+		LensFocusContext<F> focusContext = context.getFocusContext();
+		PrismObject<F> focus = focusContext.getObjectCurrent();
+		if (focus == null) {
+			focus = focusContext.getObjectNew();
+		}
+
+		for (GlobalPolicyRuleType globalPolicyRule: systemConfiguration.asObjectable().getGlobalPolicyRule()) {
+			ObjectSelectorType focusSelector = globalPolicyRule.getFocusSelector();
+			if (!repositoryService.selectorMatches(focusSelector, focus, LOGGER,
+					"Global policy rule "+globalPolicyRule.getName()+" focus selector: ")) {
+				continue;
+			}
+			for (EvaluatedAssignmentImpl<F> evaluatedAssignment : evaluatedAssignmentTriple.getAllValues()) {
+				for (EvaluatedAssignmentTargetImpl target : evaluatedAssignment.getRoles().getNonNegativeValues()) {
+					if (!repositoryService.selectorMatches(globalPolicyRule.getTargetSelector(),
+							target.getTarget(), LOGGER, "Global policy rule "+globalPolicyRule.getName()+" target selector: ")) {
+						continue;
+					}
+					EvaluatedPolicyRule evaluatedRule = new EvaluatedPolicyRuleImpl(globalPolicyRule,
+							target.getAssignmentPath() != null ? target.getAssignmentPath().clone() : null);
+					evaluatedAssignment.addTargetPolicyRule(evaluatedRule);
+					if (target.getAssignmentPath() != null && target.getAssignmentPath().size() == 1) {
+						evaluatedAssignment.addThisTargetPolicyRule(evaluatedRule);
+					}
+				}
+			}
+		}
+	}
 }

model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestPolicyRules.java

@@ -104,8 +104,8 @@ public void test005JackAttemptAssignRoleJudge() throws Exception {
 
 		dumpPolicyRules(context);
 
-		assertEvaluatedRules(context, 3);
-		assertTriggeredRules(context, 1, PolicyConstraintKindType.ASSIGNMENT);
+		assertEvaluatedRules(context, 4);
+		assertTriggeredRules(context, 2, PolicyConstraintKindType.ASSIGNMENT);
 	}
 
 
@@ -167,7 +167,7 @@ public void test020JackUnassignRoleJudge() throws Exception {
 
 		dumpPolicyRules(context);
 
-		assertEvaluatedRules(context, 3);
+		assertEvaluatedRules(context, 4);
 		assertTriggeredRules(context, 2, PolicyConstraintKindType.ASSIGNMENT);
 	}
 
@@ -210,7 +210,7 @@ public void test100AssignRoleMutinierToJack() throws Exception {
 
         dumpPolicyRules(context);
 
-        assertEvaluatedRules(context, 3);
+        assertEvaluatedRules(context, 4);
         assertTriggeredRules(context, 0, null);
 	}
 
@@ -249,7 +249,7 @@ public void test110AssignRolePirateToJack() throws Exception {
 
         dumpPolicyRules(context);
 
-        assertEvaluatedRules(context, 3);
+        assertEvaluatedRules(context, 4);
         EvaluatedExclusionTrigger trigger = (EvaluatedExclusionTrigger) assertTriggeredRule(context, null, PolicyConstraintKindType.EXCLUSION, 1, true);
         assertNotNull("No conflicting assignment in trigger", trigger.getConflictingAssignment());
         assertEquals("Wrong conflicting assignment in trigger", ROLE_PIRATE_OID, trigger.getConflictingAssignment().getTarget().getOid());
@@ -298,7 +298,7 @@ public void test112AssignRolePirateWithExceptionToJack() throws Exception {
 
         dumpPolicyRules(context);
 
-        List<EvaluatedPolicyRule> evaluatedRules = assertEvaluatedRules(context, 3);
+        List<EvaluatedPolicyRule> evaluatedRules = assertEvaluatedRules(context, 4);
         assertTriggeredRules(context, 0, null);
 
         EvaluatedPolicyRule evaluatedPolicyRule = evaluatedRules.get(0);
@@ -343,7 +343,7 @@ public void test120AssignRoleConstableToJack() throws Exception {
 
         dumpPolicyRules(context);
 
-        assertEvaluatedRules(context, 4);
+        assertEvaluatedRules(context, 5);
 		EvaluatedExclusionTrigger trigger = (EvaluatedExclusionTrigger) assertTriggeredRule(context, null, PolicyConstraintKindType.EXCLUSION, 1, true);
         assertNotNull("No conflicting assignment in trigger", trigger.getConflictingAssignment());
         assertEquals("Wrong conflicting assignment in trigger", ROLE_JUDGE_OID, trigger.getConflictingAssignment().getTarget().getOid());
@@ -401,7 +401,7 @@ public void test150AssignRoleThiefToJack() throws Exception {
 
 		dumpPolicyRules(context);
 
-		assertEvaluatedRules(context, 5);
+		assertEvaluatedRules(context, 6);
 		EvaluatedExclusionTrigger triggerExclusion = (EvaluatedExclusionTrigger) assertTriggeredRule(context, null, PolicyConstraintKindType.EXCLUSION, 1, false);
 		assertNotNull("No conflicting assignment in trigger", triggerExclusion.getConflictingAssignment());
 		assertEquals("Wrong conflicting assignment in trigger", ROLE_JUDGE_OID, triggerExclusion.getConflictingAssignment().getTarget().getOid());
@@ -479,7 +479,7 @@ public void test210AssignRoleEmployeeToJack() throws Exception {
 		// Judge: criminal-exclusion, unassignment, all-assignment-operations
 		// Employee: approve-any-corp-role, notify-exclusion-violations, employee-excludes-contractor
 		// Contractor: approve-any-corp-role, notify-exclusion-violations, contractor-excludes-employee
-		assertEvaluatedRules(context, 9);
+		assertEvaluatedRules(context, 10);
 		EvaluatedExclusionTrigger trigger = (EvaluatedExclusionTrigger) assertTriggeredRule(context, ROLE_CORP_EMPLOYEE_OID, PolicyConstraintKindType.EXCLUSION, 1, false);
 		assertNotNull("No conflicting assignment in trigger", trigger.getConflictingAssignment());
 		assertEquals("Wrong conflicting assignment in trigger", ROLE_CORP_CONTRACTOR_OID, trigger.getConflictingAssignment().getTarget().getOid());
@@ -524,7 +524,7 @@ public void test220AssignRoleEngineerToJack() throws Exception {
 		// Judge: L:criminal-exclusion, L:unassignment, L:all-assignment-operations
 		// Contractor: L:approve-any-corp-role, L:notify-exclusion-violations, L:contractor-excludes-employee
 		// Engineer: approve-any-corp-role, notify-exclusion-violations, employee-excludes-contractor, L:approve-any-corp-role, L:notify-exclusion-violations
-		assertEvaluatedRules(context, 11);
+		assertEvaluatedRules(context, 12);
 		EvaluatedExclusionTrigger trigger = (EvaluatedExclusionTrigger) assertTriggeredRule(context, ROLE_CORP_ENGINEER_OID, PolicyConstraintKindType.EXCLUSION, 1, false);
 		assertNotNull("No conflicting assignment in trigger", trigger.getConflictingAssignment());
 		assertEquals("Wrong conflicting assignment in trigger", ROLE_CORP_CONTRACTOR_OID, trigger.getConflictingAssignment().getTarget().getOid());

model/model-impl/src/test/resources/common/system-configuration.xml

@@ -16,8 +16,9 @@
   -->
 
 <systemConfiguration oid="00000000-0000-0000-0000-000000000001" version="0"
-	xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-	xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+					 xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+					 xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+					 xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
     <name>SystemConfiguration</name>
     <logging>
     	<rootLoggerAppender>File Appender</rootLoggerAppender>
@@ -33,6 +34,29 @@
         </appender>
     </logging>
     <globalSecurityPolicyRef oid="28bf845a-b107-11e3-85bc-001e8c717e5b"/>
+	<globalPolicyRule>
+		<name>global-assignment-notification</name>
+		<policyConstraints>
+			<assignment>
+				<operation>add</operation>
+			</assignment>
+		</policyConstraints>
+		<policyActions>
+			<notification/>
+		</policyActions>
+		<focusSelector>
+			<type>UserType</type>
+		</focusSelector>
+		<targetSelector>
+			<type>RoleType</type>
+			<filter>
+				<q:equal>
+					<q:path>name</q:path>
+					<q:value>Judge</q:value>
+				</q:equal>
+			</filter>
+		</targetSelector>
+	</globalPolicyRule>
     <adminGuiConfiguration>
 	    <userDashboardLink>
 	    	<targetUrl>/foo</targetUrl>

model/workflow-impl/src/test/java/com/evolveum/midpoint/wf/impl/policy/assignments/global/TestAssignmentApprovalGlobal.java

@@ -18,10 +18,13 @@
 
 import com.evolveum.midpoint.prism.delta.ItemDelta;
 import com.evolveum.midpoint.prism.delta.builder.DeltaBuilder;
+import com.evolveum.midpoint.prism.marshaller.QueryConvertor;
+import com.evolveum.midpoint.prism.query.builder.QueryBuilder;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.wf.impl.policy.assignments.AbstractTestAssignmentApproval;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
+import com.evolveum.prism.xml.ns._public.types_3.ModificationTypeType;
 
 import javax.xml.namespace.QName;
 import java.util.List;
@@ -66,24 +69,56 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
 		/*
 			<globalPolicyRule>
 				<policyConstraints>
-					<assignment/>
+					<assignment>
+						<operation>add</operation>
+					</assignment>
 				</policyConstraints>
 				<policyActions>
 					<approval>
 						<approverRelation>approver</approverRelation>
 					</approval>
 				</policyActions>
+				<focusSelector>
+					<type>UserType</type>
+				</focusSelector>
+				<targetSelector>
+					<type>RoleType</type>
+					<!-- ...and not Role4 -->
+				</targetSelector>
 			</globalPolicyRule>
 		 */
 
+		/*
+		 * Role4 has no approvers. By default, no workflow process(es) are created for roles that have no approvers.
+		 * But if we would include Role4 in the global policy rule, a workflow process would be created (even if it
+		 * would be automatically approved/rejected, based on setting). But the tests expect there's no process for this role.
+		 * So we have to exclude it from the global policy rule.
+		 */
+
+
 		GlobalPolicyRuleType rule = new GlobalPolicyRuleType(prismContext);
 		PolicyConstraintsType constraints = new PolicyConstraintsType(prismContext);
-		constraints.getAssignment().add(new AssignmentPolicyConstraintType(prismContext));
+		AssignmentPolicyConstraintType assignmentConstraint = new AssignmentPolicyConstraintType(prismContext);
+		assignmentConstraint.getOperation().add(ModificationTypeType.ADD);
+		constraints.getAssignment().add(assignmentConstraint);
 		rule.setPolicyConstraints(constraints);
 		PolicyActionsType actions = new PolicyActionsType(prismContext);
 		ApprovalPolicyActionType approvalAction = new ApprovalPolicyActionType(prismContext);
-		approvalAction.getApproverRelation().add(new QName("approverXX"));		// intentionally wrong (tests should fail with this setting)
+		approvalAction.getApproverRelation().add(new QName("approver"));
 		actions.setApproval(approvalAction);
+		ObjectSelectorType users = new ObjectSelectorType(prismContext);
+		users.setType(UserType.COMPLEX_TYPE);
+		rule.setFocusSelector(users);
+		ObjectSelectorType roles = new ObjectSelectorType(prismContext);
+		roles.setType(RoleType.COMPLEX_TYPE);
+		roles.setFilter(
+				QueryConvertor.createSearchFilterType(
+						QueryBuilder.queryFor(RoleType.class, prismContext)
+								.not().item(RoleType.F_NAME).eqPoly("Role4")
+								.buildFilter(),
+						prismContext)
+		);
+		rule.setTargetSelector(roles);
 		rule.setPolicyActions(actions);
 
 		List<ItemDelta<?, ?>> deltas =

model/workflow-impl/testng-integration.xml

@@ -44,7 +44,7 @@
     </test>
     <test name="Policy (explicit, global)" preserve-order="true" parallel="false" verbose="10" enabled="true">
         <classes>
-            <!-- global policy for assignments is not implemented yet -->
+            <class name="com.evolveum.midpoint.wf.impl.policy.assignments.global.TestAssignmentApprovalGlobal"/>
             <class name="com.evolveum.midpoint.wf.impl.policy.lifecycle.global.TestLifecycleGlobal"/>
         </classes>
     </test>