From f3fb063163f0e91522d386ef77995bc1bb0dd214 Mon Sep 17 00:00:00 2001
From: Arnost Starosta <arnost.starosta@gmail.com>
Date: Tue, 6 Mar 2018 17:59:14 +0100
Subject: [PATCH] Policy constraint messageExpression sample and small fix of
 mandatory elements check in state policy constraint evaluator.

---
 .../resources/localization/schema.properties  |  3 +-
 .../localization/schema_en.properties         |  1 +
 .../evaluators/StateConstraintEvaluator.java  |  3 +-
 .../src/test/resources/delivery/rules/k20.xml | 15 ++--
 .../test/resources/delivery/rules/library.xml | 71 +++++++++++++++++++
 5 files changed, 86 insertions(+), 7 deletions(-)

diff --git a/infra/schema/src/main/resources/localization/schema.properties b/infra/schema/src/main/resources/localization/schema.properties
index 761fe7b70e2..6990695a205 100755
--- a/infra/schema/src/main/resources/localization/schema.properties
+++ b/infra/schema/src/main/resources/localization/schema.properties
@@ -478,6 +478,7 @@ PolicyConstraints.before=before operation
 PolicyConstraints.after=after operation
 DefaultPolicyConstraint.objectState.unnamed=Object state {0} matches constraint
 DefaultPolicyConstraint.objectState.named=Object state {0} matches constraint "{1}"
+DefaultPolicyConstraint.objectState.namedWithPath=Object state {0} matches constraint "{1}" in assignment path {2}
 # {0} = before/after, {1} target/path, {2} rule name
 DefaultPolicyConstraint.assignmentState.unnamed=Assignment state {0} matches constraint ({1})
 DefaultPolicyConstraint.assignmentState.named=Assignment state {0} matches constraint "{1}" ({2})
@@ -692,4 +693,4 @@ relation.owner=owner
 relation.consent=consent
 AbstractCredentialType.forceChange=Force change on next login
 PasswordType.value=Value
-AdminGuiConfigurationType.enableExperimentalFeatures=Enable GUI experimental features
\ No newline at end of file
+AdminGuiConfigurationType.enableExperimentalFeatures=Enable GUI experimental features
diff --git a/infra/schema/src/main/resources/localization/schema_en.properties b/infra/schema/src/main/resources/localization/schema_en.properties
index 49085afd0c9..6f085e0ad54 100644
--- a/infra/schema/src/main/resources/localization/schema_en.properties
+++ b/infra/schema/src/main/resources/localization/schema_en.properties
@@ -478,6 +478,7 @@ PolicyConstraints.before=before operation
 PolicyConstraints.after=after operation
 DefaultPolicyConstraint.objectState.unnamed=Object state {0} matches constraint
 DefaultPolicyConstraint.objectState.named=Object state {0} matches constraint "{1}"
+DefaultPolicyConstraint.objectState.namedWithPath=Object state {0} matches constraint "{1}" in assignment path {2}
 # {0} = before/after, {1} target/path, {2} rule name
 DefaultPolicyConstraint.assignmentState.unnamed=Assignment state {0} matches constraint ({1})
 DefaultPolicyConstraint.assignmentState.named=Assignment state {0} matches constraint "{1}" ({2})
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/evaluators/StateConstraintEvaluator.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/evaluators/StateConstraintEvaluator.java
index 56db716a01b..d853fc23d56 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/evaluators/StateConstraintEvaluator.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/evaluators/StateConstraintEvaluator.java
@@ -109,10 +109,11 @@ private <F extends FocusType> EvaluatedPolicyRuleTrigger<?> evaluateForObject(JA
 		int count =
 				(constraint.getFilter() != null ? 1 : 0)
 				+ (constraint.getExpression() != null ? 1 : 0)
+				+ (constraint.getMessageExpression() != null ? 1 : 0)
 				+ (constraint.getExecuteScript() != null ? 1 : 0);
 
 		if (count != 1) {
-			throw new SchemaException("Exactly one of filter, expression, executeScript element must be present.");
+			throw new SchemaException("Exactly one of filter, expression, messageExpression, executeScript element must be present.");
 		}
 
 		PrismObject<F> object = ctx.getObject();
diff --git a/testing/story/src/test/resources/delivery/rules/k20.xml b/testing/story/src/test/resources/delivery/rules/k20.xml
index 952b68ea4f0..5f8ad60e944 100644
--- a/testing/story/src/test/resources/delivery/rules/k20.xml
+++ b/testing/story/src/test/resources/delivery/rules/k20.xml
@@ -33,17 +33,22 @@ Matches if the role 'roleRef' is not assigned to the user.
 		<policyRule>
 			<policyConstraints>
 				<objectState>
-					<expression>
+					<messageExpression>
 						<script>
-							<code>
-								rulesLib.execute('evaluateRolePresence', [
+							<code><![CDATA[
+
+								return rulesLib.execute('evaluateRolePresenceWithMessage', [
 									object : object,
 									ruleEvaluationContext : ruleEvaluationContext,
-									assumeExistence : true
+									assumeExistence : true,
+									rolesAttributeName : 'k20RoleRef',
+									evaluatorHelper: evaluatorHelper,
+									constraint: constraint
 								])
+								]]>
 							</code>
 						</script>
-					</expression>
+					</messageExpression>
 				</objectState>
 			</policyConstraints>
 			<policyActions>
diff --git a/testing/story/src/test/resources/delivery/rules/library.xml b/testing/story/src/test/resources/delivery/rules/library.xml
index 0311771a66e..def87cac843 100644
--- a/testing/story/src/test/resources/delivery/rules/library.xml
+++ b/testing/story/src/test/resources/delivery/rules/library.xml
@@ -87,6 +87,77 @@
 			</code>
 		</script>
 	</function>
+	<function>
+		<name>evaluateRolePresenceWithMessage</name>
+		<parameter>
+			<name>object</name>
+			<type>c:ObjectType</type>
+		</parameter>
+		<parameter>
+			<name>ruleEvaluationContext</name>
+			<type>xsd:anyType</type>
+		</parameter>
+		<parameter>
+			<name>assumeExistence</name>
+			<type>xsd:boolean</type>
+		</parameter>
+		<parameter>
+			<name>rolesAttributeName</name>
+			<type>xsd:string</type>
+		</parameter>
+		<parameter>
+			<name>evaluatorHelper</name>
+			<type>xsd:anyType</type>
+		</parameter>
+		<parameter>
+			<name>constraint</name>
+			<type>xsd:anyType</type>
+		</parameter>
+		<returnType>c:SingleLocalizableMessageType</returnType>
+		<script>
+			<code><![CDATA[
+				import com.evolveum.midpoint.util.LocalizableMessageBuilder;
+				import com.evolveum.midpoint.schema.util.LocalizationUtil;
+ 
+ 				def extension = ruleEvaluationContext.policyRule.assignmentPath.collectExtensions(0)
+				this.binding.variables.each {k,v -> log.info('{} = {}', k, v)}
+				log.info('### Extension:\n{}', extension?.asPrismContainerValue().debugDump())
+
+				def roleRefs = basic.getPropertyValues(extension, rolesAttributeName)
+
+				def allExist = roleRefs?.every { roleRef ->
+					if (roleRef == null || roleRef.oid == null) {
+						throw new IllegalArgumentException('No attribute ' + rolesAttributeName + ' (' + roleRef + ') or oid (' + roleRef?.oid + ') defined');
+					}
+					
+					midpoint.isDirectlyAssigned(object, roleRef.oid)
+				}
+				matches = assumeExistence && !allExist || !assumeExistence && allExist
+				
+				if (matches) {
+					pathMessage = ruleEvaluationContext.policyRule?.assignmentPath?.segments
+						?.collect { it?.target?.name?.orig }
+						?.grep { it }
+						?.join (' > ');
+						
+					beforeAfter = evaluatorHelper.createBeforeAfterMessage(ruleEvaluationContext);
+
+					message = new LocalizableMessageBuilder()
+							.key('DefaultPolicyConstraint.objectState.namedWithPath')
+							.args([
+								beforeAfter, 
+								constraint.name ? constraint.name : '-', 
+								pathMessage ? pathMessage : '-'])
+							.build();
+							
+					return LocalizationUtil.createLocalizableMessageType(message);
+				
+				} else {
+					return null;
+				}
+			]]></code>
+		</script>
+	</function>	
 	<function>
 		<name>remediatorPresent</name>
 		<parameter>