Policy rules with multiple constraints - AND (MID-3959)
semancik committed Jun 19, 2017
1 parent 9fb6788 commit 6a58a4e
Showing 5 changed files with 100 additions and 54 deletions.
@@ -221,7 +221,13 @@ private <F extends FocusType> void checkExclusionsRuleBased(LensContext<F> conte
if (!targetB.appliesToFocus() || allowedTargetOids.contains(targetB.getOid())) {
continue;
}
for (ExclusionPolicyConstraintType exclusionConstraint : policyRule.getPolicyConstraints().getExclusion()) {
List<ExclusionPolicyConstraintType> exclusionConstraints = policyRule.getPolicyConstraints().getExclusion();
// TODO: implement proper AND logic between multiple constraints (MID-3959)
if (exclusionConstraints.size() > 1) {
throw new UnsupportedOperationException("Multiple exclusion constraints in the same policy rules are not supported yet.");
}
if (!exclusionConstraints.isEmpty()) {
ExclusionPolicyConstraintType exclusionConstraint = exclusionConstraints.iterator().next();
if (excludes(exclusionConstraint, targetB)) {
triggerExclusionConstraintViolation(assignmentA, assignmentB, targetB, exclusionConstraint, policyRule);
}
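Review bot: The new `exclusionConstraints.size() > 1` check sits inside the per-target loop, after the `continue` guard, so a policy rule with several exclusion constraints is rejected only when some `targetB` reaches this point, and the `UnsupportedOperationException` does not say which rule is at fault. For a segregation-of-duties check, refusing to evaluate is the safe direction, but the failure should be deterministic and traceable: do the size check once per `policyRule` before iterating targets, and identify the rule in the message, e.g. `"Multiple exclusion constraints in policy rule " + policyRule + " are not supported yet (MID-3959)"`. Once at most one element is guaranteed, `exclusionConstraints.get(0)` reads more directly than `iterator().next()`. The enclosing loops and the rest of `checkExclusionsRuleBased` lie outside the hunk, so where the check can be hoisted to needs confirming there.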
@@ -240,7 +240,7 @@ public class AbstractConfiguredModelIntegrationTest extends AbstractModelIntegra
protected static final String ROLE_JUDGE_TITLE = "Honorable Justice";
protected static final String ROLE_JUDGE_DRINK = "tea";
protected static final String ROLE_JUDGE_DESCRIPTION = "Role with role exclusions";
protected static final String ROLE_JUDGE_POLICY_RULE_EXCLUSION_NAME = "criminal exclusion";
protected static final String ROLE_JUDGE_POLICY_RULE_EXCLUSION_PREFIX = "criminal exclusion: ";

protected static final File ROLE_JUDGE_DEPRECATED_FILE = new File(COMMON_DIR, "role-judge-deprecated.xml");
protected static final String ROLE_JUDGE_DEPRECATED_OID = "12345111-1111-2222-1111-d21212111111";
@@ -162,9 +162,9 @@ public void test110SimpleExclusion1() throws Exception {
@Test
public void test112SimpleExclusion1Deprecated() throws Exception {
final String TEST_NAME = "test112SimpleExclusion1Deprecated";
TestUtil.displayTestTile(this, TEST_NAME);
displayTestTile(TEST_NAME);

Task task = taskManager.createTaskInstance(TestSegregationOfDuties.class.getName() + "." + TEST_NAME);
Task task = createTask(TEST_NAME);
OperationResult result = task.getResult();

// This should go well
@@ -190,9 +190,9 @@ public void test112SimpleExclusion1Deprecated() throws Exception {
@Test
public void test120SimpleExclusion2() throws Exception {
final String TEST_NAME = "test120SimpleExclusion2";
TestUtil.displayTestTile(this, TEST_NAME);
displayTestTile(TEST_NAME);

Task task = taskManager.createTaskInstance(TestSegregationOfDuties.class.getName() + "." + TEST_NAME);
Task task = createTask(TEST_NAME);
OperationResult result = task.getResult();

// This should go well
@@ -217,9 +217,9 @@ public void test120SimpleExclusion2() throws Exception {
@Test
public void test122SimpleExclusion2Deprecated() throws Exception {
final String TEST_NAME = "test122SimpleExclusion2Deprecated";
TestUtil.displayTestTile(this, TEST_NAME);
displayTestTile(TEST_NAME);

Task task = taskManager.createTaskInstance(TestSegregationOfDuties.class.getName() + "." + TEST_NAME);
Task task = createTask(TEST_NAME);
OperationResult result = task.getResult();

// This should go well
@@ -241,9 +241,9 @@ public void test122SimpleExclusion2Deprecated() throws Exception {
@Test
public void test130SimpleExclusionBoth1() throws Exception {
final String TEST_NAME = "test130SimpleExclusionBoth1";
TestUtil.displayTestTile(this, TEST_NAME);
displayTestTile(TEST_NAME);

Task task = taskManager.createTaskInstance(TestSegregationOfDuties.class.getName() + "." + TEST_NAME);
Task task = createTask(TEST_NAME);
OperationResult result = task.getResult();

Collection<ItemDelta<?,?>> modifications = new ArrayList<>();
@@ -266,9 +266,9 @@ public void test130SimpleExclusionBoth1() throws Exception {
@Test
public void test132SimpleExclusionBoth1Deprecated() throws Exception {
final String TEST_NAME = "test132SimpleExclusionBoth1Deprecated";
TestUtil.displayTestTile(this, TEST_NAME);
displayTestTile(TEST_NAME);

Task task = taskManager.createTaskInstance(TestSegregationOfDuties.class.getName() + "." + TEST_NAME);
Task task = createTask(TEST_NAME);
OperationResult result = task.getResult();

Collection<ItemDelta<?,?>> modifications = new ArrayList<>();
@@ -291,9 +291,9 @@ public void test132SimpleExclusionBoth1Deprecated() throws Exception {
@Test
public void test140SimpleExclusionBoth2() throws Exception {
final String TEST_NAME = "test140SimpleExclusionBoth2";
TestUtil.displayTestTile(this, TEST_NAME);
displayTestTile(TEST_NAME);

Task task = taskManager.createTaskInstance(TestSegregationOfDuties.class.getName() + "." + TEST_NAME);
Task task = createTask(TEST_NAME);
OperationResult result = task.getResult();

Collection<ItemDelta<?,?>> modifications = new ArrayList<>();
@@ -316,9 +316,9 @@ public void test140SimpleExclusionBoth2() throws Exception {
@Test
public void test142SimpleExclusionBoth2Deprecated() throws Exception {
final String TEST_NAME = "test142SimpleExclusionBoth2Deprecated";
TestUtil.displayTestTile(this, TEST_NAME);
displayTestTile(TEST_NAME);

Task task = taskManager.createTaskInstance(TestSegregationOfDuties.class.getName() + "." + TEST_NAME);
Task task = createTask(TEST_NAME);
OperationResult result = task.getResult();

Collection<ItemDelta<?,?>> modifications = new ArrayList<>();
@@ -341,9 +341,9 @@ public void test142SimpleExclusionBoth2Deprecated() throws Exception {
@Test
public void test150SimpleExclusionBothBidirectional1() throws Exception {
final String TEST_NAME = "test150SimpleExclusionBothBidirectional1";
TestUtil.displayTestTile(this, TEST_NAME);
displayTestTile(TEST_NAME);

Task task = taskManager.createTaskInstance(TestSegregationOfDuties.class.getName() + "." + TEST_NAME);
Task task = createTask(TEST_NAME);
OperationResult result = task.getResult();

Collection<ItemDelta<?,?>> modifications = new ArrayList<>();
@@ -365,9 +365,9 @@ public void test150SimpleExclusionBothBidirectional1() throws Exception {
@Test
public void test160SimpleExclusionBothBidirectional2() throws Exception {
final String TEST_NAME = "test160SimpleExclusionBothBidirectional2";
TestUtil.displayTestTile(this, TEST_NAME);
displayTestTile(TEST_NAME);

Task task = taskManager.createTaskInstance(TestSegregationOfDuties.class.getName() + "." + TEST_NAME);
Task task = createTask(TEST_NAME);
OperationResult result = task.getResult();

Collection<ItemDelta<?,?>> modifications = new ArrayList<>();
@@ -389,34 +389,34 @@ public void test160SimpleExclusionBothBidirectional2() throws Exception {
@Test
public void test171SimpleExclusion1WithPolicyException() throws Exception {
final String TEST_NAME = "test171SimpleExclusion1WithPolicyException";
TestUtil.displayTestTile(this, TEST_NAME);
displayTestTile(TEST_NAME);

Task task = taskManager.createTaskInstance(TestSegregationOfDuties.class.getName() + "." + TEST_NAME);
Task task = createTask(TEST_NAME);
OperationResult result = task.getResult();

assignRole(USER_JACK_OID, ROLE_JUDGE_OID, task, result);

assignRole(USER_JACK_OID, ROLE_PIRATE_OID, null, getJudgeExceptionBlock(), task, result);
assignRole(USER_JACK_OID, ROLE_PIRATE_OID, null, getJudgeExceptionBlock(ROLE_PIRATE_NAME), task, result);

PrismObject<UserType> userJackIn = getUser(USER_JACK_OID);
assertAssignedRoles(userJackIn, ROLE_JUDGE_OID, ROLE_PIRATE_OID);

unassignRole(USER_JACK_OID, ROLE_JUDGE_OID, task, result);

unassignRole(USER_JACK_OID, ROLE_PIRATE_OID, null, getJudgeExceptionBlock(), task, result);
unassignRole(USER_JACK_OID, ROLE_PIRATE_OID, null, getJudgeExceptionBlock(ROLE_PIRATE_NAME), task, result);

assertAssignedNoRole(USER_JACK_OID, task, result);
}

@Test
public void test172SimpleExclusion2WithPolicyException() throws Exception {
final String TEST_NAME = "test172SimpleExclusion2WithPolicyException";
TestUtil.displayTestTile(this, TEST_NAME);
displayTestTile(TEST_NAME);

Task task = taskManager.createTaskInstance(TestSegregationOfDuties.class.getName() + "." + TEST_NAME);
Task task = createTask(TEST_NAME);
OperationResult result = task.getResult();

assignRole(USER_JACK_OID, ROLE_PIRATE_OID, null, getJudgeExceptionBlock(), task, result);
assignRole(USER_JACK_OID, ROLE_PIRATE_OID, null, getJudgeExceptionBlock(ROLE_PIRATE_NAME), task, result);

assignRole(USER_JACK_OID, ROLE_JUDGE_OID, task, result);

@@ -425,42 +425,42 @@ public void test172SimpleExclusion2WithPolicyException() throws Exception {

unassignRole(USER_JACK_OID, ROLE_JUDGE_OID, task, result);

unassignRole(USER_JACK_OID, ROLE_PIRATE_OID, null, getJudgeExceptionBlock(), task, result);
unassignRole(USER_JACK_OID, ROLE_PIRATE_OID, null, getJudgeExceptionBlock(ROLE_PIRATE_NAME), task, result);

assertAssignedNoRole(USER_JACK_OID, task, result);
}

@Test
public void test173SimpleExclusion3WithPolicyException() throws Exception {
final String TEST_NAME = "test173SimpleExclusion3WithPolicyException";
TestUtil.displayTestTile(this, TEST_NAME);
displayTestTile(TEST_NAME);

Task task = taskManager.createTaskInstance(TestSegregationOfDuties.class.getName() + "." + TEST_NAME);
Task task = createTask(TEST_NAME);
OperationResult result = task.getResult();

assignRole(USER_JACK_OID, ROLE_PIRATE_OID, task, result);

assignRole(USER_JACK_OID, ROLE_JUDGE_OID, null, getJudgeExceptionBlock(), task, result);
assignRole(USER_JACK_OID, ROLE_JUDGE_OID, null, getJudgeExceptionBlock(ROLE_PIRATE_NAME), task, result);

PrismObject<UserType> userJackIn = getUser(USER_JACK_OID);
assertAssignedRoles(userJackIn, ROLE_JUDGE_OID, ROLE_PIRATE_OID);

unassignRole(USER_JACK_OID, ROLE_PIRATE_OID, task, result);

unassignRole(USER_JACK_OID, ROLE_JUDGE_OID, null, getJudgeExceptionBlock(), task, result);
unassignRole(USER_JACK_OID, ROLE_JUDGE_OID, null, getJudgeExceptionBlock(ROLE_PIRATE_NAME), task, result);

assertAssignedNoRole(USER_JACK_OID, task, result);
}

@Test
public void test174SimpleExclusion4WithPolicyException() throws Exception {
final String TEST_NAME = "test174SimpleExclusion4WithPolicyException";
TestUtil.displayTestTile(this, TEST_NAME);
displayTestTile(TEST_NAME);

Task task = taskManager.createTaskInstance(TestSegregationOfDuties.class.getName() + "." + TEST_NAME);
Task task = createTask(TEST_NAME);
OperationResult result = task.getResult();

assignRole(USER_JACK_OID, ROLE_JUDGE_OID, null, getJudgeExceptionBlock(), task, result);
assignRole(USER_JACK_OID, ROLE_JUDGE_OID, null, getJudgeExceptionBlock(ROLE_PIRATE_NAME), task, result);

assignRole(USER_JACK_OID, ROLE_PIRATE_OID, task, result);

@@ -469,7 +469,7 @@ public void test174SimpleExclusion4WithPolicyException() throws Exception {

unassignRole(USER_JACK_OID, ROLE_PIRATE_OID, task, result);

unassignRole(USER_JACK_OID, ROLE_JUDGE_OID, null, getJudgeExceptionBlock(), task, result);
unassignRole(USER_JACK_OID, ROLE_JUDGE_OID, null, getJudgeExceptionBlock(ROLE_PIRATE_NAME), task, result);

assertAssignedNoRole(USER_JACK_OID, task, result);
}
@@ -482,14 +482,14 @@ public void test174SimpleExclusion4WithPolicyException() throws Exception {
@Test
public void test180JudgeExceptionalPirateAndThief() throws Exception {
final String TEST_NAME = "test180JudgeExceptionalPirateAndThief";
TestUtil.displayTestTile(this, TEST_NAME);
displayTestTile(TEST_NAME);

Task task = taskManager.createTaskInstance(TestSegregationOfDuties.class.getName() + "." + TEST_NAME);
Task task = createTask(TEST_NAME);
OperationResult result = task.getResult();

assignRole(USER_JACK_OID, ROLE_JUDGE_OID, task, result);

assignRole(USER_JACK_OID, ROLE_PIRATE_OID, null, getJudgeExceptionBlock(), task, result);
assignRole(USER_JACK_OID, ROLE_PIRATE_OID, null, getJudgeExceptionBlock(ROLE_PIRATE_NAME), task, result);

PrismObject<UserType> userJackIn = getUser(USER_JACK_OID);
assertAssignedRoles(userJackIn, ROLE_JUDGE_OID, ROLE_PIRATE_OID);
@@ -506,15 +506,15 @@ public void test180JudgeExceptionalPirateAndThief() throws Exception {
// Cleanup

unassignRole(USER_JACK_OID, ROLE_JUDGE_OID, task, result);
unassignRole(USER_JACK_OID, ROLE_PIRATE_OID, null, getJudgeExceptionBlock(), task, result);
unassignRole(USER_JACK_OID, ROLE_PIRATE_OID, null, getJudgeExceptionBlock(ROLE_PIRATE_NAME), task, result);

assertAssignedNoRole(USER_JACK_OID, task, result);
}

Consumer<AssignmentType> getJudgeExceptionBlock() {
Consumer<AssignmentType> getJudgeExceptionBlock(String excludedRoleName) {
return assignment -> {
PolicyExceptionType policyException = new PolicyExceptionType();
policyException.setRuleName(ROLE_JUDGE_POLICY_RULE_EXCLUSION_NAME);
policyException.setRuleName(ROLE_JUDGE_POLICY_RULE_EXCLUSION_PREFIX + excludedRoleName);
assignment.getPolicyException().add(policyException);
};
}
@@ -525,7 +525,7 @@ Consumer<AssignmentType> getJudgeExceptionBlock() {
@Test
public void test200GuybrushAssignRoleGold() throws Exception {
final String TEST_NAME = "test200GuybrushAssignRoleGold";
TestUtil.displayTestTile(this, TEST_NAME);
displayTestTile(TEST_NAME);

// GIVEN
Task task = createTask(TEST_NAME);
@@ -559,7 +559,7 @@ public void test200GuybrushAssignRoleGold() throws Exception {
@Test
public void test202GuybrushAssignRoleSilver() throws Exception {
final String TEST_NAME = "test202GuybrushAssignRoleSilver";
TestUtil.displayTestTile(this, TEST_NAME);
displayTestTile(TEST_NAME);

// GIVEN
Task task = createTask(TEST_NAME);
@@ -594,7 +594,7 @@ public void test202GuybrushAssignRoleSilver() throws Exception {
@Test
public void test204GuybrushAssignRoleSailor() throws Exception {
final String TEST_NAME = "test204GuybrushAssignRoleSailor";
TestUtil.displayTestTile(this, TEST_NAME);
displayTestTile(TEST_NAME);

// GIVEN
Task task = createTask(TEST_NAME);
@@ -630,7 +630,7 @@ public void test204GuybrushAssignRoleSailor() throws Exception {
@Test
public void test206GuybrushAssignRoleBronze() throws Exception {
final String TEST_NAME = "test206GuybrushAssignRoleBronze";
TestUtil.displayTestTile(this, TEST_NAME);
displayTestTile(TEST_NAME);

// GIVEN
Task task = createTask(TEST_NAME);
@@ -665,7 +665,7 @@ public void test206GuybrushAssignRoleBronze() throws Exception {
@Test
public void test208GuybrushUnassignRoleBronze() throws Exception {
final String TEST_NAME = "test209GuybrushUnassignRoleSilver";
TestUtil.displayTestTile(this, TEST_NAME);
displayTestTile(TEST_NAME);

// GIVEN
Task task = createTask(TEST_NAME);
@@ -698,7 +698,7 @@ public void test208GuybrushUnassignRoleBronze() throws Exception {
@Test
public void test209GuybrushUnassignRoleSailor() throws Exception {
final String TEST_NAME = "test209GuybrushUnassignRoleSailor";
TestUtil.displayTestTile(this, TEST_NAME);
displayTestTile(TEST_NAME);

// GIVEN
Task task = createTask(TEST_NAME);
@@ -758,7 +758,7 @@ public void test210GuybrushAssignRoleRed() throws Exception {
@Test
public void test212GuybrushAssignRoleGreen() throws Exception {
final String TEST_NAME = "test212GuybrushAssignRoleGreen";
TestUtil.displayTestTile(this, TEST_NAME);
displayTestTile(TEST_NAME);

// GIVEN
Task task = createTask(TEST_NAME);
@@ -791,7 +791,7 @@ public void test212GuybrushAssignRoleGreen() throws Exception {
@Test
public void test214GuybrushAssignRoleColorNone() throws Exception {
final String TEST_NAME = "test214GuybrushAssignRoleColorNone";
TestUtil.displayTestTile(this, TEST_NAME);
displayTestTile(TEST_NAME);

// GIVEN
Task task = createTask(TEST_NAME);
@@ -822,7 +822,7 @@ public void test214GuybrushAssignRoleColorNone() throws Exception {
@Test
public void test216GuybrushAssignRoleBlue() throws Exception {
final String TEST_NAME = "test216GuybrushAssignRoleBlue";
TestUtil.displayTestTile(this, TEST_NAME);
displayTestTile(TEST_NAME);

// GIVEN
Task task = createTask(TEST_NAME);
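Review bot: In `test208GuybrushUnassignRoleBronze` the constant is still `"test209GuybrushUnassignRoleSilver"`, and both `displayTestTile(TEST_NAME)` and `createTask(TEST_NAME)` take their label from it, so the log title and task name for that test point at a different test; it should read `final String TEST_NAME = "test208GuybrushUnassignRoleBronze";`. Separately, `getJudgeExceptionBlock(String excludedRoleName)` builds the policy exception's rule name by concatenating `ROLE_JUDGE_POLICY_RULE_EXCLUSION_PREFIX` with the role name, which presumably has to match the `<name>` values in role-judge.xml exactly. A comment such as `// must equal the policyRule <name> in role-judge.xml, e.g. "criminal exclusion: Pirate"` would record that coupling. Every call visible here passes `ROLE_PIRATE_NAME`, and the test bodies are partly collapsed, so whether an exception for the Pirate rule is also checked not to lift the Thief exclusion cannot be confirmed from this page.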
14 changes: 12 additions & 2 deletions model/model-intest/src/test/resources/common/role-judge.xml
@@ -1,5 +1,5 @@
<!--
~ Copyright (c) 2010-2016 Evolveum
~ Copyright (c) 2010-2017 Evolveum
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
@@ -21,12 +21,22 @@
<description>Role with role exclusions</description>
<assignment>
<policyRule>
<name>criminal exclusion</name>
<name>criminal exclusion: Pirate</name>
<policyConstraints>
<exclusion>
<description>A judge cannot be a pirate at the same time. At least not openly.</description>
<targetRef oid="12345678-d34d-b33f-f00d-555555556666" type="RoleType"/> <!-- Pirate -->
</exclusion>
</policyConstraints>
<policyActions>
<enforcement/>
</policyActions>
</policyRule>
</assignment>
<assignment>
<policyRule>
<name>criminal exclusion: Thief</name>
<policyConstraints>
<exclusion>
<targetRef oid="b189fcb8-1ff9-11e5-8912-001e8c717e5b" type="RoleType"/> <!-- Thief -->
</exclusion>
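Review bot: With the Judge role split into one rule per excluded role, no fixture visible on this page still carries two `<exclusion>` elements in a single `<policyConstraints>`, so the `UnsupportedOperationException` introduced in the exclusion check has no test pinning it. A small dedicated role fixture with two exclusions in one rule, plus a test asserting that evaluating it is refused, would keep that rejection from regressing silently until MID-3959 is implemented. The Thief exclusion could also carry a `<description>` like the Pirate one. The second rule's remaining elements fall outside the visible hunk, so whether it also ends with `<policyActions><enforcement/></policyActions>` should be confirmed in the full file.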
