Merge remote-tracking branch 'origin/feature/state-constraint-custom-…

…messages' into support-3.7

infra/schema/src/main/resources/localization/schema.properties

@@ -478,6 +478,7 @@ PolicyConstraints.before=before operation
 PolicyConstraints.after=after operation
 DefaultPolicyConstraint.objectState.unnamed=Object state {0} matches constraint
 DefaultPolicyConstraint.objectState.named=Object state {0} matches constraint "{1}"
+DefaultPolicyConstraint.objectState.namedWithPath=Object state {0} matches constraint "{1}" in assignment path {2}
 # {0} = before/after, {1} target/path, {2} rule name
 DefaultPolicyConstraint.assignmentState.unnamed=Assignment state {0} matches constraint ({1})
 DefaultPolicyConstraint.assignmentState.named=Assignment state {0} matches constraint "{1}" ({2})
@@ -692,4 +693,4 @@ relation.owner=owner
 relation.consent=consent
 AbstractCredentialType.forceChange=Force change on next login
 PasswordType.value=Value
-AdminGuiConfigurationType.enableExperimentalFeatures=Enable GUI experimental features
+AdminGuiConfigurationType.enableExperimentalFeatures=Enable GUI experimental features

infra/schema/src/main/resources/localization/schema_en.properties

@@ -478,6 +478,7 @@ PolicyConstraints.before=before operation
 PolicyConstraints.after=after operation
 DefaultPolicyConstraint.objectState.unnamed=Object state {0} matches constraint
 DefaultPolicyConstraint.objectState.named=Object state {0} matches constraint "{1}"
+DefaultPolicyConstraint.objectState.namedWithPath=Object state {0} matches constraint "{1}" in assignment path {2}
 # {0} = before/after, {1} target/path, {2} rule name
 DefaultPolicyConstraint.assignmentState.unnamed=Assignment state {0} matches constraint ({1})
 DefaultPolicyConstraint.assignmentState.named=Assignment state {0} matches constraint "{1}" ({2})

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/evaluators/StateConstraintEvaluator.java

@@ -109,10 +109,11 @@ private <F extends FocusType> EvaluatedPolicyRuleTrigger<?> evaluateForObject(JA
 		int count =
 				(constraint.getFilter() != null ? 1 : 0)
 				+ (constraint.getExpression() != null ? 1 : 0)
+				+ (constraint.getMessageExpression() != null ? 1 : 0)
 				+ (constraint.getExecuteScript() != null ? 1 : 0);
 
 		if (count != 1) {
-			throw new SchemaException("Exactly one of filter, expression, executeScript element must be present.");
+			throw new SchemaException("Exactly one of filter, expression, messageExpression, executeScript element must be present.");
 		}
 
 		PrismObject<F> object = ctx.getObject();

testing/story/src/test/resources/delivery/rules/k20.xml

@@ -33,17 +33,22 @@ Matches if the role 'roleRef' is not assigned to the user.
 		<policyRule>
 			<policyConstraints>
 				<objectState>
-					<expression>
+					<messageExpression>
 						<script>
-							<code>
-								rulesLib.execute('evaluateRolePresence', [
+							<code><![CDATA[
+
+								return rulesLib.execute('evaluateRolePresenceWithMessage', [
 									object : object,
 									ruleEvaluationContext : ruleEvaluationContext,
-									assumeExistence : true
+									assumeExistence : true,
+									rolesAttributeName : 'k20RoleRef',
+									evaluatorHelper: evaluatorHelper,
+									constraint: constraint
 								])
+								]]>
 							</code>
 						</script>
-					</expression>
+					</messageExpression>
 				</objectState>
 			</policyConstraints>
 			<policyActions>

testing/story/src/test/resources/delivery/rules/library.xml

@@ -87,6 +87,77 @@
 			</code>
 		</script>
 	</function>
+	<function>
+		<name>evaluateRolePresenceWithMessage</name>
+		<parameter>
+			<name>object</name>
+			<type>c:ObjectType</type>
+		</parameter>
+		<parameter>
+			<name>ruleEvaluationContext</name>
+			<type>xsd:anyType</type>
+		</parameter>
+		<parameter>
+			<name>assumeExistence</name>
+			<type>xsd:boolean</type>
+		</parameter>
+		<parameter>
+			<name>rolesAttributeName</name>
+			<type>xsd:string</type>
+		</parameter>
+		<parameter>
+			<name>evaluatorHelper</name>
+			<type>xsd:anyType</type>
+		</parameter>
+		<parameter>
+			<name>constraint</name>
+			<type>xsd:anyType</type>
+		</parameter>
+		<returnType>c:SingleLocalizableMessageType</returnType>
+		<script>
+			<code><![CDATA[
+				import com.evolveum.midpoint.util.LocalizableMessageBuilder;
+				import com.evolveum.midpoint.schema.util.LocalizationUtil;
+ 
+ 				def extension = ruleEvaluationContext.policyRule.assignmentPath.collectExtensions(0)
+				this.binding.variables.each {k,v -> log.info('{} = {}', k, v)}
+				log.info('### Extension:\n{}', extension?.asPrismContainerValue().debugDump())
+
+				def roleRefs = basic.getPropertyValues(extension, rolesAttributeName)
+
+				def allExist = roleRefs?.every { roleRef ->
+					if (roleRef == null || roleRef.oid == null) {
+						throw new IllegalArgumentException('No attribute ' + rolesAttributeName + ' (' + roleRef + ') or oid (' + roleRef?.oid + ') defined');
+					}
+					
+					midpoint.isDirectlyAssigned(object, roleRef.oid)
+				}
+				matches = assumeExistence && !allExist || !assumeExistence && allExist
+				
+				if (matches) {
+					pathMessage = ruleEvaluationContext.policyRule?.assignmentPath?.segments
+						?.collect { it?.target?.name?.orig }
+						?.grep { it }
+						?.join (' > ');
+						
+					beforeAfter = evaluatorHelper.createBeforeAfterMessage(ruleEvaluationContext);
+
+					message = new LocalizableMessageBuilder()
+							.key('DefaultPolicyConstraint.objectState.namedWithPath')
+							.args([
+								beforeAfter, 
+								constraint.name ? constraint.name : '-', 
+								pathMessage ? pathMessage : '-'])
+							.build();
+							
+					return LocalizationUtil.createLocalizableMessageType(message);
+				
+				} else {
+					return null;
+				}
+			]]></code>
+		</script>
+	</function>	
 	<function>
 		<name>remediatorPresent</name>
 		<parameter>