From 4e5fdb45de6fed78242fea108341b33c9dcc88b1 Mon Sep 17 00:00:00 2001
From: Radovan Semancik
Date: Mon, 12 Nov 2018 14:17:56 +0100
Subject: [PATCH] Attempt to reproduce MID-4931
---
 .../midpoint/schema/util/ObjectQueryUtil.java | 6 +++
 .../intest/security/TestSecurityAdvanced.java | 37 +++++++++++++++++++
 .../resources/security/role-read-org-exec.xml | 31 ++++++++++++++++
 .../test/AbstractIntegrationTest.java | 6 +++
 4 files changed, 80 insertions(+)
 create mode 100644 model/model-intest/src/test/resources/security/role-read-org-exec.xml
diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ObjectQueryUtil.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ObjectQueryUtil.java
index dd5abf41686..2f8109072d7 100644
--- a/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ObjectQueryUtil.java
+++ b/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ObjectQueryUtil.java
@@ -174,6 +174,12 @@ public static ObjectQuery createNameQuery(Class clazz,
 .build();
 }
+ public static ObjectQuery createOrgSubtreeQuery(PrismContext prismContext, String orgOid) throws SchemaException {
+ return QueryBuilder.queryFor(ObjectType.class, prismContext)
+ .isChildOf(orgOid)
+ .build();
+ }
+
 public static ObjectQuery createRootOrgQuery(PrismContext prismContext) throws SchemaException {
 return QueryBuilder.queryFor(ObjectType.class, prismContext).isRoot().build();
 }
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityAdvanced.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityAdvanced.java
index b776ccc8f70..3cb6d0a346c 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityAdvanced.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityAdvanced.java
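Review bot: `createOrgSubtreeQuery` carries no Javadoc, and for a helper that is about to be used in authorization tests two things are left implicit: as the name says, `isChildOf(orgOid)` is meant to select the whole subtree under the org rather than only its direct members, and the query is built over `ObjectType`, so it matches objects of every kind under that org unless the caller narrows the type at search time. I would add `/** Query for all objects (of any type) anywhere in the org subtree rooted at the org with the given OID; the type passed to the search, not this query, restricts what is returned. */` above the method. A null `orgOid` is passed straight into the filter; `Objects.requireNonNull(orgOid, "orgOid");` as the first statement would fail fast with a clear message instead of wherever the filter happens to dereference it. The same missing Javadoc applies to the copy of this helper added to `AbstractIntegrationTest` in this patch.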
@@ -64,10 +64,16 @@ @DirtiesContext(classMode = ClassMode.AFTER_CLASS) public class TestSecurityAdvanced extends AbstractSecurityTest {
+ protected static final File ROLE_READ_ORG_EXEC_FILE = new File(TEST_DIR, "role-read-org-exec.xml");
+ protected static final String ROLE_READ_ORG_EXEC_OID = "1ac39d34-e675-11e8-a1ec-37748272d526";
+
+
 @Override
 public void initSystem(Task initTask, OperationResult initResult) throws Exception {
 super.initSystem(initTask, initResult);
+ repoAddObjectFromFile(ROLE_READ_ORG_EXEC_FILE, initResult);
+
 setDefaultObjectTemplate(UserType.COMPLEX_TYPE, USER_TEMPLATE_SECURITY_OID, initResult);
 }
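Review bot: The two new constants say nothing about what the role is for, and `ROLE_READ_ORG_EXEC_OID` is a literal that has to be kept in sync by hand with the OID inside `role-read-org-exec.xml` added by this patch. A one-line comment above `ROLE_READ_ORG_EXEC_FILE`, such as `// Role with a deliberately odd execution-phase read authorization on OrgType; loaded so test340 can check it does not restrict a superuser (MID-4931)`, would tell a reader why an otherwise useless role is loaded in `initSystem`. The role goes in through `repoAddObjectFromFile`, which by its name writes straight to the repository rather than through the model; that is presumably intentional for a fixture, but worth stating in the same comment so nobody later "fixes" it to a model-level add and changes what the test exercises.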
@@ -1176,6 +1182,37 @@ public void test202AutzJackModifyOrgunitAndAssignRole() throws Exception {
 assertGlobalStateUntouched();
 }
+
+ /**
+ * Superuser role should allow everything. Adding another role with any (allow)
+ * authorizations should not limit superuser. Not even if those authorizations
+ * are completely loony.
+ *
+ * MID-4931
+ */
+ @Test
+ public void test340AutzJackSuperUserAndExecRead() throws Exception {
+ final String TEST_NAME = "test340AutzJackSuperUserAndExecRead";
+ displayTestTitle(TEST_NAME);
+ // GIVEN
+ cleanupAutzTest(USER_JACK_OID);
+
+ assignRole(USER_JACK_OID, ROLE_SUPERUSER_OID);
+ assignRole(USER_JACK_OID, ROLE_READ_ORG_EXEC_OID);
+
+ assertSearch(UserType.class, createOrgSubtreeQuery(ORG_MINISTRY_OF_OFFENSE_OID), USER_LECHUCK_OID, USER_GUYBRUSH_OID, userCobbOid, USER_ESTEVAN_OID);
+
+ login(USER_JACK_USERNAME);
+
+ // WHEN
+ displayWhen(TEST_NAME);
+
+ assertSearch(UserType.class, createOrgSubtreeQuery(ORG_MINISTRY_OF_OFFENSE_OID), USER_LECHUCK_OID, USER_GUYBRUSH_OID, userCobbOid, USER_ESTEVAN_OID);
+
+ assertSuperuserAccess(NUMBER_OF_ALL_USERS);
+
+ assertGlobalStateUntouched();
+ }
 @Override protected void cleanupAutzTest(String userOid, int expectedAssignments) throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, ObjectAlreadyExistsException, PolicyViolationException, SecurityViolationException, IOException {
diff --git a/model/model-intest/src/test/resources/security/role-read-org-exec.xml b/model/model-intest/src/test/resources/security/role-read-org-exec.xml
new file mode 100644
index 00000000000..74017cb2c88
--- /dev/null
+++ b/model/model-intest/src/test/resources/security/role-read-org-exec.xml
@@ -0,0 +1,31 @@ + + + + Read org exec + + read-org-exec + http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read + execution + + OrgType + + + 
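Review bot: `test340AutzJackSuperUserAndExecRead` has a `// GIVEN` and a `// WHEN` section but no `// THEN`, although everything after `displayWhen(TEST_NAME)` is the verification phase; the sibling tests in this class follow the GIVEN/WHEN/THEN layout, so I would put `// THEN` and `displayThen(TEST_NAME);` in front of the second `assertSearch`. The first `assertSearch` runs under whatever principal `cleanupAutzTest` leaves logged in (presumably the administrator) and is what makes the post-`login` assertion meaningful as a "superuser still sees everything" check; a comment such as `// baseline as administrator: the same result must be visible to jack after login` would make that intent explicit. The expected-user list `USER_LECHUCK_OID, USER_GUYBRUSH_OID, userCobbOid, USER_ESTEVAN_OID` is duplicated in both calls; putting it in one local `String[] expected` keeps the two assertions from drifting apart. The enclosing class continues outside the hunk.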
diff --git a/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java
index b540defaab1..a5ca01d8a7b 100644
--- a/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java
+++ b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java
@@ -1126,6 +1126,12 @@ protected ObjectQuery createShadowQueryByAttribute(ObjectClassComplexTypeDefinit
 .build();
 }
+ protected ObjectQuery createOrgSubtreeQuery(String orgOid) throws SchemaException {
+ return queryFor(ObjectType.class)
+ .isChildOf(orgOid)
+ .build();
+ }
+
 protected PrismObjectDefinition getObjectDefinition(Class type) {
 return prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(type);
 }
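Review bot: This `createOrgSubtreeQuery` re-implements the filter that the same patch adds as `ObjectQueryUtil.createOrgSubtreeQuery(PrismContext, String)`, so there are now two places that have to agree on what "org subtree" means. Since `prismContext` is already a field of this class (it is used two lines below in `getObjectDefinition`), the body can be a one-line delegation, `return ObjectQueryUtil.createOrgSubtreeQuery(prismContext, orgOid);`, assuming `ObjectQueryUtil` is on this module's classpath as the other schema utilities appear to be. Delegating also means any later tightening of the shared helper (null check, scope) is picked up by every test that uses this convenience method.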