Merge branch 'master' of github.com:Evolveum/midpoint

Conflicts:
	model/workflow-impl/src/main/java/com/evolveum/midpoint/wf/util/MiscDataUtil.java

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/users/component/OrgTreeProvider.java

@@ -82,7 +82,7 @@ public Iterator<? extends OrgTreeDto> getChildren(OrgTreeDto node) {
         LOGGER.debug("Loading children for {}", new Object[]{node});
         Iterator<OrgTreeDto> iterator = null;
 
-        OrgFilter orgFilter = OrgFilter.createOrg(node.getOid(), 1, 1);
+        OrgFilter orgFilter = OrgFilter.createOrg(node.getOid(), OrgFilter.Scope.ONE_LEVEL);
         ObjectQuery query = ObjectQuery.createObjectQuery(orgFilter);
         query.setPaging(ObjectPaging.createPaging(null, null, ObjectType.F_NAME, OrderDirection.ASCENDING));
 

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/users/component/TreeTablePanel.java

@@ -755,7 +755,7 @@ private ObjectQuery createTableQuery() {
         OrgTreeDto dto = selected.getObject();
         String oid = dto != null ? dto.getOid() : getModel().getObject();
 
-        OrgFilter org = OrgFilter.createOrg(oid, 1, 1);
+        OrgFilter org = OrgFilter.createOrg(oid, OrgFilter.Scope.ONE_LEVEL);
 //        return ObjectQuery.createObjectQuery(org);
 
         BasicSearchPanel<String> basicSearch = (BasicSearchPanel) get(createComponentPath(ID_SEARCH_FORM, ID_BASIC_SEARCH));

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidPointGuiAuthorizationEvaluator.java

@@ -23,11 +23,13 @@
 import com.evolveum.midpoint.security.api.AuthorizationConstants;
 import com.evolveum.midpoint.security.api.MidPointPrincipal;
 import com.evolveum.midpoint.security.api.ObjectSecurityConstraints;
+import com.evolveum.midpoint.security.api.OwnerResolver;
 import com.evolveum.midpoint.security.api.SecurityEnforcer;
 import com.evolveum.midpoint.security.api.UserProfileService;
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.util.exception.SecurityViolationException;
 import com.evolveum.midpoint.web.application.DescriptorLoader;
+import com.evolveum.midpoint.xml.ns._public.common.common_2a.AuthorizationPhaseType;
 import com.evolveum.midpoint.xml.ns._public.common.common_2a.ObjectType;
 import com.evolveum.midpoint.xml.ns._public.common.common_2a.UserType;
 
@@ -70,19 +72,20 @@ public MidPointPrincipal getPrincipal() throws SecurityViolationException {
 		return securityEnforcer.getPrincipal();
 	}
 
-	public <O extends ObjectType, T extends ObjectType> boolean isAuthorized(String operationUrl,
-			PrismObject<O> object, ObjectDelta<O> delta, PrismObject<T> target) throws SchemaException {
-		return securityEnforcer.isAuthorized(operationUrl, object, delta, target);
+	public <O extends ObjectType, T extends ObjectType> boolean isAuthorized(String operationUrl, AuthorizationPhaseType phase,
+			PrismObject<O> object, ObjectDelta<O> delta, PrismObject<T> target, OwnerResolver ownerResolver) throws SchemaException {
+		return securityEnforcer.isAuthorized(operationUrl, phase, object, delta, target, ownerResolver);
 	}
 
 	public boolean supports(ConfigAttribute attribute) {
 		return securityEnforcer.supports(attribute);
 	}
 
-	public <O extends ObjectType, T extends ObjectType> void authorize(String operationUrl,
-			PrismObject<O> object, ObjectDelta<O> delta, PrismObject<T> target, OperationResult result)
+	@Override
+	public <O extends ObjectType, T extends ObjectType> void authorize(String operationUrl, AuthorizationPhaseType phase,
+			PrismObject<O> object, ObjectDelta<O> delta, PrismObject<T> target, OwnerResolver ownerResolver, OperationResult result)
 			throws SecurityViolationException, SchemaException {
-		securityEnforcer.authorize(operationUrl, object, delta, target, result);
+		securityEnforcer.authorize(operationUrl, phase, object, delta, target, ownerResolver, result);
 	}
 
 	public boolean supports(Class<?> clazz) {
@@ -139,15 +142,15 @@ private void addSecurityConfig(FilterInvocation filterInvocation, Collection<Con
     }
 
     @Override
-	public <O extends ObjectType> ObjectSecurityConstraints compileSecurityContraints(PrismObject<O> object)
+	public <O extends ObjectType> ObjectSecurityConstraints compileSecurityContraints(PrismObject<O> object, OwnerResolver ownerResolver)
 			throws SchemaException {
-		return securityEnforcer.compileSecurityContraints(object);
+		return securityEnforcer.compileSecurityContraints(object, ownerResolver);
 	}
 
     @Override
-	public <O extends ObjectType> ObjectFilter preProcessObjectFilter(String operationUrl,
+	public <O extends ObjectType> ObjectFilter preProcessObjectFilter(String operationUrl, AuthorizationPhaseType phase,
 			Class<O> objectType, ObjectFilter origFilter) throws SchemaException {
-		return securityEnforcer.preProcessObjectFilter(operationUrl, objectType, origFilter);
+		return securityEnforcer.preProcessObjectFilter(operationUrl, phase, objectType, origFilter);
 	}
 
 

infra/prism/src/main/java/com/evolveum/midpoint/prism/PrismContainerDefinition.java

@@ -23,6 +23,7 @@
 import com.evolveum.midpoint.prism.schema.PrismSchema;
 import com.evolveum.midpoint.util.DOMUtil;
 import com.evolveum.midpoint.util.DebugDumpable;
+import com.evolveum.midpoint.util.DebugUtil;
 import com.evolveum.midpoint.util.QNameUtil;
 
 import javax.xml.namespace.QName;
@@ -490,16 +491,20 @@ public PrismContainerValue<V> createValue() {
     @Override
     public String debugDump(int indent) {
         StringBuilder sb = new StringBuilder();
-        for (int i = 0; i < indent; i++) {
-            sb.append(DebugDumpable.INDENT_STRING);
-        }
+        DebugUtil.indentDebugDump(sb, indent);
         sb.append(toString());
         if (isRuntimeSchema()) {
             sb.append(" dynamic");
         }
         for (Definition def : getDefinitions()) {
         	sb.append("\n");
-            sb.append(def.debugDump(indent + 1));
+        	if (def == this) {
+        		// Not perfect loop protection, but works for now
+                DebugUtil.indentDebugDump(sb, indent);
+                sb.append("<itself>");
+        	} else {
+        		sb.append(def.debugDump(indent + 1));
+        	}
         }
         return sb.toString();
     }

infra/prism/src/main/java/com/evolveum/midpoint/prism/parser/QueryConvertor.java

@@ -26,6 +26,7 @@
 import com.evolveum.midpoint.prism.query.ExpressionWrapper;
 import com.evolveum.prism.xml.ns._public.query_2.SearchFilterType;
 
+import org.apache.commons.lang.ObjectUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.lang.Validate;
 
@@ -91,6 +92,7 @@ public class QueryConvertor {
 
 	public static final QName KEY_FILTER_ORG_REF = new QName(NS_QUERY, "orgRef");
 	public static final QName KEY_FILTER_ORG_REF_OID = new QName(NS_QUERY, "oid");
+    public static final QName KEY_FILTER_ORG_SCOPE = new QName(NS_QUERY, "scope");
 	public static final QName KEY_FILTER_ORG_MIN_DEPTH = new QName(NS_QUERY, "minDepth");
 	public static final QName KEY_FILTER_ORG_MAX_DEPTH = new QName(NS_QUERY, "maxDepth");
 
@@ -417,7 +419,18 @@ private static <C extends Containerable> OrgFilter parseOrgFilter(XNode xnode, P
 			max = XsdTypeMapper.multiplicityToInteger(maxDepth);
 		}
 
-		return OrgFilter.createOrg(orgOid, min, max);
+        //todo fix scope handling properly
+        OrgFilter.Scope scope;
+        if (min == null && max == null) {
+            scope = OrgFilter.Scope.SUBTREE;
+        } else if (ObjectUtils.equals(min, max) && (min != null && min.intValue() == 1)) {
+            scope = OrgFilter.Scope.ONE_LEVEL;
+        } else {
+            throw new SchemaException("Unsupported min/max (" + min + "/" + max
+                    + ") depth, can't translate it to scope SUBTREE/ONE_LEVEL");
+        }
+
+		return OrgFilter.createOrg(orgOid, scope);
 	}
 
 	private static Entry<QName, XNode> singleSubEntry(MapXNode xmap, String filterName) throws SchemaException {

infra/prism/src/main/java/com/evolveum/midpoint/prism/query/AllFilter.java

@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2014 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.evolveum.midpoint.prism.query;
+
+import com.evolveum.midpoint.prism.Objectable;
+import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.prism.match.MatchingRuleRegistry;
+import com.evolveum.midpoint.util.DebugUtil;
+
+/**
+ * Filter designed to explicitly match everything. It is used in some special cases, e.g.
+ * a security component explicitly indicating that all objects should be returned. 
+ * 
+ * @author Radovan Semancik
+ */
+public class AllFilter extends ObjectFilter {
+
+	public AllFilter() {
+		super();
+	}
+
+	public static AllFilter createAll() {
+		return new AllFilter();
+	}
+
+	@Override
+	public AllFilter clone() {
+		return new AllFilter();
+	}
+
+	@Override
+	public String debugDump() {
+		return debugDump(0);
+	}
+
+	@Override
+	public String debugDump(int indent) {
+		StringBuilder sb = new StringBuilder();
+		DebugUtil.indentDebugDump(sb, indent);
+		sb.append("ALL");
+		return sb.toString();
+
+	}
+
+	@Override
+	public String toString() {
+		return "ALL";
+	}
+
+	@Override
+	public <T extends Objectable> boolean match(PrismObject<T> object, MatchingRuleRegistry matchingRuleRegistry) {
+		return true;
+
+	}
+}