Merge remote-tracking branch 'refs/remotes/origin/master'

Evolveum · Aug 10, 2023 · 5399f10 · 5399f10
2 parents f8d8717 + 9a7f314
commit 5399f10
Show file tree

Hide file tree

Showing 32 changed files with 348 additions and 89 deletions.
diff --git a/config/sql/native-new/postgres-new-audit.sql b/config/sql/native-new/postgres-new-audit.sql
@@ -78,6 +78,8 @@ CREATE TYPE AuditEventTypeType AS ENUM ('GET_OBJECT', 'ADD_OBJECT', 'MODIFY_OBJE
 
 CREATE TYPE AuditEventStageType AS ENUM ('REQUEST', 'EXECUTION', 'RESOURCE');
 
+CREATE TYPE EffectivePrivilegesModificationType AS ENUM ('ELEVATION', 'FULL_ELEVATION', 'REDUCTION', 'OTHER');
+
 CREATE TYPE ChangeType AS ENUM ('ADD', 'MODIFY', 'DELETE');
 -- endregion
 
@@ -110,6 +112,10 @@ CREATE TABLE ma_audit_event (
     initiatorName TEXT,
     attorneyOid UUID,
     attorneyName TEXT,
+    effectivePrincipalOid UUID,
+    effectivePrincipalType ObjectType,
+    effectivePrincipalName TEXT,
+    effectivePrivilegesModification EffectivePrivilegesModificationType,
     targetOid UUID,
     targetType ObjectType,
     targetName TEXT,
@@ -354,4 +360,4 @@ limit 50;
 -- This is important to avoid applying any change more than once.
 -- Also update SqaleUtils.CURRENT_SCHEMA_AUDIT_CHANGE_NUMBER
 -- repo/repo-sqale/src/main/java/com/evolveum/midpoint/repo/sqale/SqaleUtils.java
-call apply_audit_change(4, $$ SELECT 1 $$, true);
+call apply_audit_change(5, $$ SELECT 1 $$, true);
diff --git a/config/sql/native-new/postgres-new-upgrade-audit.sql b/config/sql/native-new/postgres-new-upgrade-audit.sql
@@ -116,6 +116,15 @@ call apply_audit_change(4, $aa$
    ALTER TYPE AuditEventTypeType ADD VALUE IF NOT EXISTS 'DISCOVER_OBJECT' AFTER 'RUN_TASK_IMMEDIATELY';
 $aa$);
 
+call apply_audit_change(5, $aa$
+   CREATE TYPE EffectivePrivilegesModificationType AS ENUM ('ELEVATION', 'FULL_ELEVATION', 'REDUCTION', 'OTHER');
+   ALTER TABLE ma_audit_event
+     ADD COLUMN effectivePrincipalOid UUID,
+     ADD COLUMN effectivePrincipalType ObjectType,
+     ADD COLUMN effectivePrincipalName TEXT,
+     ADD COLUMN effectivePrivilegesModification EffectivePrivilegesModificationType;
+$aa$);
+
 -- WRITE CHANGES ABOVE ^^
 -- IMPORTANT: update apply_audit_change number at the end of postgres-new-audit.sql
 -- to match the number used in the last change here!

diff --git a/...ui/src/main/java/com/evolveum/midpoint/gui/api/component/wizard/BasicWizardStepPanel.html b/...ui/src/main/java/com/evolveum/midpoint/gui/api/component/wizard/BasicWizardStepPanel.html
@@ -8,25 +8,25 @@
 <html xmlns:wicket="http://wicket.apache.org">
 <wicket:panel>
     <div class="d-flex flex-column align-items-center mt-5">
-        <h2 class="mb-3" wicket:id="text"/>
+        <h2 class="mb-4 font-weight-bold" wicket:id="text"/>
         <h5 class="text-center text-secondary mb-5" wicket:id="subText"/>
 
         <wicket:child/>
         <div class="d-flex gap-3 justify-content-center mt-5">
-            <a class="btn btn-outline-primary" wicket:id="back">
+            <a class="btn text-primary" wicket:id="back">
                 <i class="fas fa-arrow-left mr-2"></i>
                 <wicket:message key="WizardHeader.back"/>
             </a>
-            <a class="btn btn-outline-primary" wicket:id="exit">
+            <a class="btn btn-default" wicket:id="exit">
                 <i class="fas fa-right-from-bracket mr-2"></i>
                 <wicket:message key="WizardPanel.exit"/>
             </a>
-            <a class="btn btn-primary" wicket:id="customButtons" />
+            <a class="btn btn-default" wicket:id="customButtons" />
             <a class="btn btn-success" wicket:id="submit">
                 <i class="fas fa-check mr-2"/>
                 <span wicket:id="submitLabel"/>
             </a>
-            <a class="btn btn-success" wicket:id="next">
+            <a class="btn btn-primary" wicket:id="next">
                 <wicket:message key="WizardHeader.next"/>
                 <span wicket:id="nextLabel"/>
                 <i class="fas fa-arrow-right ml-2"></i>

diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/component/tile/TilePanel.html b/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/component/tile/TilePanel.html
@@ -7,8 +7,8 @@
 <!DOCTYPE html>
 <html xmlns:wicket="http://wicket.apache.org">
 <wicket:panel>
-    <i class="fa-4x text-lightblue mt-5" wicket:id="icon"></i>
-    <span class="mt-4 text-secondary text-capitalize" wicket:id="title"/>
+    <i class="text-lightblue" style="font-size: 2.625rem;" wicket:id="icon"></i>
+    <span class="mt-4 text-secondary text-capitalize text-center" wicket:id="title"/>
     <div class="tile-description mt-2 text-center text-secondary flex-grow-1" style="display: -webkit-box; text-overflow: ellipsis;" wicket:id="description"/>
 </wicket:panel>
 </html>
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/component/tile/TilePanel.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/component/tile/TilePanel.java
@@ -40,7 +40,7 @@ public TilePanel(String id, IModel<T> model) {
     }
 
     private void initLayout() {
-        add(AttributeAppender.append("class", "tile-panel d-flex flex-column align-items-center bg-white rounded p-3"));
+        add(AttributeAppender.append("class", "tile-panel d-flex flex-column align-items-center bg-white rounded p-3 justify-content-center"));
         add(AttributeAppender.append("class", () -> getModelObject().isSelected() ? "active" : null));
         setOutputMarkupId(true);
 

diff --git a/...admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/component/tile/TileTablePanel.html b/...admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/component/tile/TileTablePanel.html
@@ -10,7 +10,7 @@
     <wicket:enclosure child="tilesContainer">
         <div class="d-flex flex-column flex-grow-1">
             <div wicket:id="header"/>
-            <div class="row justify-content-center pt-3" wicket:id="tilesContainer"/>
+            <div class="row justify-content-left pt-3" wicket:id="tilesContainer"/>
             <div class="d-flex" wicket:id="footerContainer">
                 <div class="d-flex">
                     <div wicket:id="buttonToolbar"/>

diff --git a/...c/main/java/com/evolveum/midpoint/gui/impl/component/wizard/AbstractWizardBasicPanel.html b/...c/main/java/com/evolveum/midpoint/gui/impl/component/wizard/AbstractWizardBasicPanel.html
@@ -11,22 +11,22 @@
 <body>
 <wicket:panel>
     <div class="d-flex flex-column gap-3 align-items-center mt-5">
-        <div>
+        <div class="mb-3">
             <ol class="breadcrumb p-0 bg-transparent">
                 <li class="breadcrumb-item" wicket:id="breadcrumb">
                     <span wicket:id="bcName"/>
                 </li>
             </ol>
         </div>
-        <h2 class="mb-3" wicket:id="text"/>
+        <h2 class="mb-1 font-weight-bold" wicket:id="text"/>
         <h5 class="text-center text-secondary mb-5 col-xxl-8 col-10" wicket:id="subText"/>
         <div class="col-12">
             <div wicket:id="feedbackContainer" class="feedbackContainer mx-auto p-0">
                 <div wicket:id="feedback" class="messagePanel"/>
             </div>
             <wicket:child/>
         </div>
-        <div class="d-flex gap-3 justify-content-center" wicket:id="buttonsContainer">
+        <div class="d-flex mt-5 gap-3 justify-content-center" wicket:id="buttonsContainer">
             <a class="btn" wicket:id="buttons"/>
         </div>
     </div>

diff --git a/...i/impl/page/admin/resource/component/wizard/AbstractValueFormResourceWizardStepPanel.html b/...i/impl/page/admin/resource/component/wizard/AbstractValueFormResourceWizardStepPanel.html
@@ -11,7 +11,7 @@
         <div wicket:id="feedback" class="messagePanel"/>
     </div>
     <div class="col-8">
-        <div class="d-flex flex-column justify-content-center mt-5 col-12">
+        <div class="d-flex flex-column justify-content-center col-12 p-0">
             <div class="mb-3">
                 <div wicket:id="value"/>
             </div>

diff --git a/...nt/gui/impl/page/admin/role/component/wizard/construction/ConstructionGroupStepPanel.html b/...nt/gui/impl/page/admin/role/component/wizard/construction/ConstructionGroupStepPanel.html
@@ -9,7 +9,7 @@
 <html xmlns:wicket="http://wicket.apache.org">
 <wicket:panel>
     <div class="d-flex flex-column align-items-center mt-5">
-        <h2 class="mb-3" wicket:id="text"/>
+        <h2 class="mb-4 font-weight-bold" wicket:id="text"/>
         <h5 class="text-center text-secondary mb-5" wicket:id="subText"/>
     <div wicket:id="feedbackContainer" class="col-12 p-0 feedbackContainer">
         <div wicket:id="feedback" class="messagePanel"/>
@@ -25,19 +25,19 @@ <h5 class="text-center text-secondary mb-5" wicket:id="subText"/>
         <div wicket:id="table" class="col-12 p-0 "/>
     </div>
     <div class="d-flex gap-3 justify-content-center mt-5">
-        <a class="btn btn-outline-primary" wicket:id="back">
+        <a class="btn text-primary" wicket:id="back">
             <i class="fas fa-arrow-left mr-2"></i>
             <wicket:message key="WizardHeader.back"/>
         </a>
-        <a class="btn btn-outline-primary" wicket:id="exit">
+        <a class="btn btn-default" wicket:id="exit">
             <i class="fas fa-right-from-bracket mr-2"></i>
             <wicket:message key="WizardPanel.exit"/>
         </a>
         <a class="btn btn-success" wicket:id="submit">
             <i class="fas fa-check mr-2"/>
             <span wicket:id="submitLabel"/>
         </a>
-        <a class="btn btn-success" wicket:id="next">
+        <a class="btn btn-primary" wicket:id="next">
             <wicket:message key="WizardHeader.next"/>
             <span wicket:id="nextLabel"/>
             <i class="fas fa-arrow-right ml-2"></i>

diff --git a/...main/java/com/evolveum/midpoint/gui/impl/prism/panel/vertical/form/VerticalFormPanel.html b/...main/java/com/evolveum/midpoint/gui/impl/prism/panel/vertical/form/VerticalFormPanel.html
@@ -10,7 +10,7 @@
         xmlns:wicket="http://wicket.apache.org">
 <body>
 <wicket:panel>
-    <div class="d-flex flex-column justify-content-center mt-5 col-12">
+    <div class="d-flex flex-column justify-content-center col-12">
         <div wicket:id="singleContainer"/>
     </div>
 </wicket:panel>

diff --git a/...n-gui/src/main/java/com/evolveum/midpoint/web/page/admin/reports/PageAuditLogDetails.html b/...n-gui/src/main/java/com/evolveum/midpoint/web/page/admin/reports/PageAuditLogDetails.html
@@ -42,6 +42,16 @@
                                         key="PageAuditLogDetails.eventAttorneyRef" /></td>
                                 <td><span wicket:id="attorneyRef" /></td>
                             </tr>
+                            <tr>
+                                <td class="prop-name"><wicket:message
+                                        key="PageAuditLogDetails.eventEffectivePrincipalRef" /></td>
+                                <td><span wicket:id="effectivePrincipalRef" /></td>
+                            </tr>
+                            <tr>
+                                <td class="prop-name"><wicket:message
+                                        key="PageAuditLogDetails.eventEffectivePrivilegesModification" /></td>
+                                <td><span wicket:id="effectivePrivilegesModification" /></td>
+                            </tr>
                             <tr>
                                 <td class="prop-name"><wicket:message key="PageAuditLogDetails.eventTargetRef" /></td>
                                 <td><span wicket:id="targetRef" /></td>

diff --git a/...n-gui/src/main/java/com/evolveum/midpoint/web/page/admin/reports/PageAuditLogDetails.java b/...n-gui/src/main/java/com/evolveum/midpoint/web/page/admin/reports/PageAuditLogDetails.java
@@ -85,6 +85,8 @@ public class PageAuditLogDetails extends PageBase {
     private static final String ID_PARAMETERS_REMOTE_HOST_ADDRESS = "remoteHostAddress";
     private static final String ID_PARAMETERS_EVENT_INITIATOR = "initiatorRef";
     private static final String ID_PARAMETERS_EVENT_ATTORNEY = "attorneyRef";
+    private static final String ID_PARAMETERS_EVENT_EFFECTIVE_PRINCIPAL = "effectivePrincipalRef";
+    private static final String ID_PARAMETERS_EVENT_EFFECTIVE_PRIVILEGES_MODIFICATION = "effectivePrivilegesModification";
     private static final String ID_PARAMETERS_EVENT_TARGET = "targetRef";
     private static final String ID_PARAMETERS_EVENT_TARGET_OWNER = "targetOwnerRef";
     private static final String ID_PARAMETERS_EVENT_TYPE = "eventType";
@@ -210,6 +212,8 @@ private void initEventPanel(WebMarkupContainer eventPanel) {
         eventDetailsPanel.add(createLabel(ID_PARAMETERS_REMOTE_HOST_ADDRESS, new PropertyModel<>(recordModel, ID_PARAMETERS_REMOTE_HOST_ADDRESS)));
         eventDetailsPanel.add(createLabel(ID_PARAMETERS_EVENT_INITIATOR, createInitiatorRefModel()));
         eventDetailsPanel.add(createLabel(ID_PARAMETERS_EVENT_ATTORNEY, createAttorneyRefModel()));
+        eventDetailsPanel.add(createLabel(ID_PARAMETERS_EVENT_EFFECTIVE_PRINCIPAL, createEffectivePrincipalRefModel()));
+        eventDetailsPanel.add(createLabel(ID_PARAMETERS_EVENT_EFFECTIVE_PRIVILEGES_MODIFICATION, new PropertyModel<>(recordModel, AuditEventRecordType.F_EFFECTIVE_PRIVILEGES_MODIFICATION.getLocalPart())));
         eventDetailsPanel.add(createLabel(ID_PARAMETERS_EVENT_TARGET, createTargetRefModel()));
         eventDetailsPanel.add(createLabel(ID_PARAMETERS_EVENT_TARGET_OWNER, createTargetOwnerRefModel()));
         eventDetailsPanel.add(createLabel(ID_PARAMETERS_EVENT_TYPE, new PropertyModel<>(recordModel, ID_PARAMETERS_EVENT_TYPE)));
@@ -332,6 +336,13 @@ private IModel<String> createAttorneyRefModel() {
                 new OperationResult(ID_PARAMETERS_EVENT_ATTORNEY)));
     }
 
+    private IModel<String> createEffectivePrincipalRefModel() {
+        return new ReadOnlyModel<>(() -> WebModelServiceUtils.resolveReferenceName(
+                recordModel.getObject().getEffectivePrincipalRef(), PageAuditLogDetails.this,
+                createSimpleTask(ID_PARAMETERS_EVENT_EFFECTIVE_PRINCIPAL),
+                new OperationResult(ID_PARAMETERS_EVENT_EFFECTIVE_PRINCIPAL)));
+    }
+
     private IModel<String> createTargetRefModel() {
         return new ReadOnlyModel<>(() -> WebModelServiceUtils.resolveReferenceName(
                 recordModel.getObject().getTargetRef(),

diff --git a/infra/schema/src/main/resources/xml/ns/public/common/audit-3.xsd b/infra/schema/src/main/resources/xml/ns/public/common/audit-3.xsd
@@ -202,11 +202,11 @@
                         It is the subject of the operation. Authorizations of the initiator are
                         used to evaluate access to the operation. This is the entity who is formally
                         responsible for the operation. Although initiator is always a user in
-                        midPoint 3.7 and earlier, the initiator may be an organization in later
-                        midPoint versions.
+                        midPoint 3.7 and earlier, the initiator may be an organization, a role,
+                        or a service in later midPoint versions.
                     </xsd:documentation>
                     <xsd:appinfo>
-                        <a:objectReferenceTargetType>c:UserType</a:objectReferenceTargetType>
+                        <a:objectReferenceTargetType>c:FocusType</a:objectReferenceTargetType>
                         <a:displayName>AuditEventRecordType.initiatorRef</a:displayName>
                     </xsd:appinfo>
                 </xsd:annotation>
@@ -216,16 +216,47 @@
                     <xsd:documentation>
                         Attorney is the (physical) user who have executed the action.
                         This is the user that have logged-in to the user interface. This is the
-                        user that pressed the button to execute the action. This is always identity
-                        of a user and it will always be a user. It cannot be a company or any other
-                        virtual entity.
+                        user that pressed the button to execute the action.
+
+                        For the vast majority of cases, this is really an object of UserType. But sometimes it can be
+                        a ServiceType (or, very occasionally, maybe RoleType or OrgType - but this does not make
+                        much sense).
                     </xsd:documentation>
                     <xsd:appinfo>
-                        <a:objectReferenceTargetType>c:UserType</a:objectReferenceTargetType>
+                        <a:objectReferenceTargetType>c:FocusType</a:objectReferenceTargetType>
                         <a:displayName>AuditEventRecordType.attorneyRef</a:displayName>
                     </xsd:appinfo>
                 </xsd:annotation>
             </xsd:element>
+            <xsd:element name="effectivePrincipalRef" type="c:ObjectReferenceType" minOccurs="0">
+                <xsd:annotation>
+                    <xsd:documentation>
+                        The effective principal that was used to execute the action.
+                        This is the subject whose authorizations were evaluated to determine whether the action is allowed or not.
+                        Usually it is the same as initiator. But e.g. when "runAsRef" mechanism is used for expression evaluation
+                        (or the like), the effective principal is the one that was used to evaluate the expression.
+                    </xsd:documentation>
+                    <xsd:appinfo>
+                        <a:since>4.8</a:since>
+                        <a:objectReferenceTargetType>c:FocusType</a:objectReferenceTargetType>
+                        <a:displayName>AuditEventRecordType.effectivePrincipalRef</a:displayName>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:element>
+            <xsd:element name="effectivePrivilegesModification" type="tns:EffectivePrivilegesModificationType" minOccurs="0">
+                <xsd:annotation>
+                    <xsd:documentation>
+                        Present if the effective privileges used to execute the operation differ or may differ from the regular
+                         (declared) privileges of the "effectivePrincipalRef". This is usually the case e.g. when
+                        "runPrivileged" mechanism is used for expression evaluation.
+                    </xsd:documentation>
+                    <xsd:appinfo>
+                        <a:since>4.8</a:since>
+                        <a:objectReferenceTargetType>c:FocusType</a:objectReferenceTargetType>
+                        <a:displayName>AuditEventRecordType.effectivePrivilegesModification</a:displayName>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:element>
             <xsd:element name="targetRef" type="c:ObjectReferenceType" minOccurs="0">
                 <xsd:annotation>
                     <xsd:documentation>
@@ -652,4 +683,59 @@
             </xsd:enumeration>
         </xsd:restriction>
     </xsd:simpleType>
+
+    <xsd:simpleType name="EffectivePrivilegesModificationType">
+        <xsd:annotation>
+            <xsd:documentation>
+                How were the effective privileges modified?
+            </xsd:documentation>
+            <xsd:appinfo>
+                <jaxb:typesafeEnumClass/>
+                <a:since>4.8</a:since>
+            </xsd:appinfo>
+        </xsd:annotation>
+        <xsd:restriction base="xsd:string">
+            <xsd:enumeration value="elevation">
+                <xsd:annotation>
+                    <xsd:documentation>
+                        Privileges were elevated to some degree. It may or may not be the maximum degree (full authorization).
+                        Only if we are really sure, we set "fullElevation" value.
+                    </xsd:documentation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="ELEVATION"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+            <xsd:enumeration value="fullElevation">
+                <xsd:annotation>
+                    <xsd:documentation>
+                        Privileges were elevated to the maximum degree, i.e. to full authorization.
+                    </xsd:documentation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="FULL_ELEVATION"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+            <xsd:enumeration value="reduction">
+                <xsd:annotation>
+                    <xsd:documentation>
+                        Privileges were reduced to some degree.
+                    </xsd:documentation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="REDUCTION"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+            <xsd:enumeration value="other">
+                <xsd:annotation>
+                    <xsd:documentation>
+                        Privileges were changed in a different way (maybe some reduced, others elevated).
+                    </xsd:documentation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="OTHER"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+        </xsd:restriction>
+    </xsd:simpleType>
 </xsd:schema>
diff --git a/...rc/main/java/com/evolveum/midpoint/model/impl/controller/AuthorizationDiagEvaluation.java b/...rc/main/java/com/evolveum/midpoint/model/impl/controller/AuthorizationDiagEvaluation.java
@@ -85,7 +85,8 @@ static AuthorizationDiagEvaluation<?> of(@NotNull AuthorizationEvaluationRequest
         if (additionalAuthorizations.isEmpty()) {
             return newPrincipal;
         } else {
-            return newPrincipal.cloneWithAdditionalAuthorizations(additionalAuthorizations);
+            // We are not sure if the elevation is total or partial.
+            return newPrincipal.cloneWithAdditionalAuthorizations(additionalAuthorizations, false);
         }
     }
 

diff --git a/.../main/java/com/evolveum/midpoint/model/impl/security/GuiProfiledPrincipalManagerImpl.java b/.../main/java/com/evolveum/midpoint/model/impl/security/GuiProfiledPrincipalManagerImpl.java
@@ -487,7 +487,7 @@ public <O extends ObjectType> void invalidate(Class<O> type, String oid, boolean
             focusComputer.recompute(focus, lifecycleModel);
             principal.clearAuthorizations();
             initializePrincipalFromAssignments(principal, systemConfiguration, null);
-            principal.setAuthorizationsModified(false); // we just recomputed them strictly from user's assignments
+            principal.clearEffectivePrivilegesModification(); // we just recomputed them strictly from user's assignments
             return principal.getCompiledGuiProfile();
         } finally {
             securityContextManager.clearTemporaryPrincipalOid();