Tests (and fixes) for attorney authorizations

infra/util/src/main/java/com/evolveum/midpoint/util/MiscUtil.java

@@ -129,6 +129,7 @@ public static <A,B> boolean unorderedCollectionEquals(Collection<A> a, Collectio
 				if (comparator.isEquivalent(ao, oo)) {
 					iterator.remove();
 					found = true;
+					break;
 				}
 			}
 			if (!found) {

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/UserProfileServiceImpl.java

@@ -49,6 +49,7 @@
 import com.evolveum.midpoint.schema.util.ObjectQueryUtil;
 import com.evolveum.midpoint.schema.util.ObjectResolver;
 import com.evolveum.midpoint.security.api.Authorization;
+import com.evolveum.midpoint.security.api.AuthorizationTransformer;
 import com.evolveum.midpoint.security.api.DelegatorWithOtherPrivilegesLimitations;
 import com.evolveum.midpoint.security.api.MidPointPrincipal;
 import com.evolveum.midpoint.security.api.UserProfileService;
@@ -135,7 +136,7 @@ public MidPointPrincipal getPrincipal(PrismObject<UserType> user) throws SchemaE
     }
 
     @Override
-    public MidPointPrincipal getPrincipal(PrismObject<UserType> user, Predicate<Authorization> authorizationLimiter, OperationResult result) throws SchemaException {
+    public MidPointPrincipal getPrincipal(PrismObject<UserType> user, AuthorizationTransformer authorizationTransformer, OperationResult result) throws SchemaException {
         if (user == null) {
             return null;
         }
@@ -144,7 +145,7 @@ public MidPointPrincipal getPrincipal(PrismObject<UserType> user, Predicate<Auth
 
     	userComputer.recompute(user);
         MidPointPrincipal principal = new MidPointPrincipal(user.asObjectable());
-        initializePrincipalFromAssignments(principal, systemConfiguration, authorizationLimiter);
+        initializePrincipalFromAssignments(principal, systemConfiguration, authorizationTransformer);
         return principal;
     }
 
@@ -183,7 +184,7 @@ private PrismObject<UserType> findByUsername(String username, OperationResult re
         return list.get(0);
     }
 
-	private void initializePrincipalFromAssignments(MidPointPrincipal principal, PrismObject<SystemConfigurationType> systemConfiguration, Predicate<Authorization> authorizationLimiter) throws SchemaException {
+	private void initializePrincipalFromAssignments(MidPointPrincipal principal, PrismObject<SystemConfigurationType> systemConfiguration, AuthorizationTransformer authorizationTransformer) throws SchemaException {
 		UserType userType = principal.getUser();
 
 		Collection<Authorization> authorizations = principal.getAuthorities();
@@ -228,7 +229,7 @@ private void initializePrincipalFromAssignments(MidPointPrincipal principal, Pri
 						assignmentIdi.recompute();
 						EvaluatedAssignment<UserType> assignment = assignmentEvaluator.evaluate(assignmentIdi, PlusMinusZero.ZERO, false, userType, userType.toString(), task, result);
 						if (assignment.isValid()) {
-							addAuthorizations(authorizations, assignment.getAuthorizations(), authorizationLimiter);
+							addAuthorizations(authorizations, assignment.getAuthorizations(), authorizationTransformer);
 							adminGuiConfigurations.addAll(assignment.getAdminGuiConfigurations());
 						}
 						for (EvaluatedAssignmentTarget target : assignment.getRoles().getNonNegativeValues()) {
@@ -255,13 +256,18 @@ private void initializePrincipalFromAssignments(MidPointPrincipal principal, Pri
         principal.setAdminGuiConfiguration(AdminGuiConfigTypeUtil.compileAdminGuiConfiguration(adminGuiConfigurations, systemConfiguration));
 	}
 
-	private void addAuthorizations(Collection<Authorization> targetCollection, Collection<Authorization> sourceCollection, Predicate<Authorization> authorizationLimiter) {
+	private void addAuthorizations(Collection<Authorization> targetCollection, Collection<Authorization> sourceCollection, AuthorizationTransformer authorizationTransformer) {
 		if (sourceCollection == null) {
 			return;
 		}
 		for (Authorization autz: sourceCollection) {
-			if (authorizationLimiter == null || authorizationLimiter.test(autz)) {
+			if (authorizationTransformer == null) {
 				targetCollection.add(autz);
+			} else {
+				Collection<Authorization> transformedAutzs = authorizationTransformer.transform(autz);
+				if (transformedAutzs != null) {
+					targetCollection.addAll(transformedAutzs);
+				}
 			}
 		}
 	}

model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/security/TestAbstractAuthenticationEvaluator.java

@@ -20,7 +20,6 @@
 import static org.testng.AssertJUnit.assertTrue;
 
 import java.io.File;
-import java.util.function.Predicate;
 
 import javax.xml.datatype.XMLGregorianCalendar;
 import javax.xml.namespace.QName;
@@ -135,7 +134,7 @@ public MidPointPrincipal getPrincipal(PrismObject<UserType> user) throws SchemaE
 
 			@Override
 			public MidPointPrincipal getPrincipal(PrismObject<UserType> user,
-					Predicate<Authorization> authorizationLimiter, OperationResult result)
+					AuthorizationTransformer authorizationLimiter, OperationResult result)
 					throws SchemaException {
 				MidPointPrincipal principal = userProfileService.getPrincipal(user);
 				addFakeAuthorization(principal);

model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/AbstractSecurityTest.java

@@ -334,6 +334,9 @@ public abstract class AbstractSecurityTest extends AbstractInitializedModelInteg
 
 	protected static final File ROLE_ATTORNEY_MANAGER_WORKITEMS_FILE = new File(TEST_DIR, "role-attorney-manager-workitems.xml");
 	protected static final String ROLE_ATTORNEY_MANAGER_WORKITEMS_OID = "5cf5b6c8-b968-11e7-b77d-6b029450f900";
+
+	protected static final File ROLE_APPROVER_FILE = new File(TEST_DIR, "role-approver.xml");
+	protected static final String ROLE_APPROVER_OID = "1d8d9bec-ba51-11e7-95dc-f3520461c08d";
 
 	protected static final File ORG_REQUESTABLE_FILE = new File(TEST_DIR,"org-requestable.xml");
 	protected static final String ORG_REQUESTABLE_OID = "8f2bd344-a46c-4c0b-aa34-db08b7d7f7f2";
@@ -373,7 +376,7 @@ public abstract class AbstractSecurityTest extends AbstractInitializedModelInteg
 	protected static final XMLGregorianCalendar JACK_VALID_FROM_LONG_AGO = XmlTypeConverter.createXMLGregorianCalendar(10000L);
 
 	protected static final int NUMBER_OF_ALL_USERS = 11;
-	protected static final int NUMBER_OF_IMPORTED_ROLES = 67;
+	protected static final int NUMBER_OF_IMPORTED_ROLES = 68;
 	protected static final int NUMBER_OF_ALL_ORGS = 11;
 
 	protected String userRumRogersOid;
@@ -455,6 +458,7 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
 		repoAddObjectFromFile(ROLE_EXPRESSION_READ_ROLES_FILE, initResult);
 		repoAddObjectFromFile(ROLE_ATTORNEY_CARIBBEAN_UNLIMITED_FILE, initResult);
 		repoAddObjectFromFile(ROLE_ATTORNEY_MANAGER_WORKITEMS_FILE, initResult);
+		repoAddObjectFromFile(ROLE_APPROVER_FILE, initResult);
 
 		repoAddObjectFromFile(ORG_REQUESTABLE_FILE, initResult);
 		repoAddObjectFromFile(ORG_INDIRECT_PIRATE_FILE, initResult);
@@ -639,6 +643,10 @@ protected void cleanupAutzTest(String userOid, int expectedAssignments) throws O
         	assertLinks(user, 0);
         }
 	}
+
+	protected void cleanupUnassign(String userOid, String roleOid) throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, ObjectAlreadyExistsException, PolicyViolationException, SecurityViolationException {
+		unassignRole(userOid, roleOid);
+	}
 
 	protected void cleanupAdd(File userLargoFile, Task task, OperationResult result) throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, PolicyViolationException, SecurityViolationException, IOException {
 		try {
@@ -1474,14 +1482,14 @@ protected MidPointPrincipal dropPowerOfAttorneyAllow() throws Exception {
 	/**
 	 * Assert for "read some, modify some" roles
 	 */
-    protected void assertReadSomeModifySome() throws Exception {
+    protected void assertReadSomeModifySome(int exprectedJackAssignments) throws Exception {
     	assertReadAllow();
 
         assertModifyAllow(UserType.class, USER_JACK_OID, UserType.F_ADDITIONAL_NAME, PrismTestUtil.createPolyString("Captain"));
 
         PrismObject<UserType> userJack = getUser(USER_JACK_OID);
 		display("Jack", userJack);
-		assertUserJackReadSomeModifySome(userJack);
+		assertUserJackReadSomeModifySome(userJack, exprectedJackAssignments);
 		assertJackEditSchemaReadSomeModifySome(userJack);
 
         PrismObject<UserType> userGuybrush = findUserByUsername(USER_GUYBRUSH_USERNAME);
@@ -1514,7 +1522,7 @@ protected void assertReadSomeModifySome() throws Exception {
         assertDeleteDeny();
     }
 
-    protected void assertUserJackReadSomeModifySome(PrismObject<UserType> userJack) throws ObjectNotFoundException, SchemaException, SecurityViolationException, CommunicationException, ConfigurationException {
+    protected void assertUserJackReadSomeModifySome(PrismObject<UserType> userJack, int exprectedJackAssignments) throws ObjectNotFoundException, SchemaException, SecurityViolationException, CommunicationException, ConfigurationException {
 
 		PrismAsserts.assertPropertyValue(userJack, UserType.F_NAME, PrismTestUtil.createPolyString(USER_JACK_USERNAME));
 		PrismAsserts.assertPropertyValue(userJack, UserType.F_FULL_NAME, PrismTestUtil.createPolyString(USER_JACK_FULL_NAME));
@@ -1525,7 +1533,7 @@ protected void assertUserJackReadSomeModifySome(PrismObject<UserType> userJack)
 		PrismAsserts.assertNoItem(userJack, UserType.F_ADDITIONAL_NAME);
 		PrismAsserts.assertNoItem(userJack, UserType.F_DESCRIPTION);
 		PrismAsserts.assertNoItem(userJack, new ItemPath(UserType.F_ACTIVATION, ActivationType.F_EFFECTIVE_STATUS));
-		assertAssignmentsWithTargets(userJack, 1);
+		assertAssignmentsWithTargets(userJack, exprectedJackAssignments);
     }
 
     protected void assertJackEditSchemaReadSomeModifySome(PrismObject<UserType> userJack) throws SchemaException, ConfigurationException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, SecurityViolationException {