From 8285360cc073ea5cf10f1fcb5177c58d51dcecdf Mon Sep 17 00:00:00 2001
From: Radovan Semancik <radovan.semancik@evolveum.com>
Date: Fri, 10 Jun 2016 13:02:48 +0200
Subject: [PATCH] Error when trying on-resource and off-resource query
 (MID-2822)

---
 .../midpoint/model/intest/TestSecurity.java   |  30 +++++-
 .../provisioning/impl/ShadowCache.java        |  22 +++-
 .../provisioning/impl/dummy/TestDummy.java    | 100 +++++++++++++++++-
 3 files changed, 145 insertions(+), 7 deletions(-)

diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java
index b16eb5cb808..a133da05b42 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java
@@ -1263,12 +1263,32 @@ public void test242AutzJackManagerFullControlManagerMinistryOfRum() throws Excep
         PrismObject<ShadowType> shadowEstevan = getObject(ShadowType.class, accountEstevanOid);
         display("Estevan shadow", shadowEstevan);
 
-//        This does not work, and it might not work anytime soon.
-//        see MID-2822
-//        assertSearch(ShadowType.class, ObjectQuery.createObjectQuery(
-//        		ObjectQueryUtil.createResourceAndObjectClassFilter(RESOURCE_DUMMY_OID, 
-//        				new QName(RESOURCE_DUMMY_NAMESPACE, "AccountObjectClass"), prismContext)), 2);
+    	// MID-2822
         
+    	Task task = taskManager.createTaskInstance(TestSecurity.class.getName() + "." + TEST_NAME);
+        OperationResult result = task.getResult();
+
+        ObjectQuery query = ObjectQuery.createObjectQuery(
+        		ObjectQueryUtil.createResourceAndObjectClassFilter(RESOURCE_DUMMY_OID, 
+        				new QName(RESOURCE_DUMMY_NAMESPACE, "AccountObjectClass"), prismContext));
+
+        // When finally fixed is should be like this:
+//    	assertSearch(ShadowType.class, query, 2);
+        
+        try {
+            
+            modelService.searchObjects(ShadowType.class, query, null, task, result);
+                    	
+        	AssertJUnit.fail("unexpected success");
+			
+		} catch (SchemaException e) {
+			// This is expected. The authorizations will mix on-resource and off-resource search.
+			display("Expected exception", e);
+		}
+        result.computeStatus();
+		TestUtil.assertFailure(result);
+        
+		
         assertDeleteAllow(UserType.class, USER_ESTEVAN_OID);
                 
         assertVisibleUsers(3);
diff --git a/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/ShadowCache.java b/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/ShadowCache.java
index bbb55722696..984c288c360 100644
--- a/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/ShadowCache.java
+++ b/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/ShadowCache.java
@@ -65,6 +65,7 @@
 import com.evolveum.midpoint.prism.query.ObjectPaging;
 import com.evolveum.midpoint.prism.query.ObjectQuery;
 import com.evolveum.midpoint.prism.query.OrFilter;
+import com.evolveum.midpoint.prism.query.RefFilter;
 import com.evolveum.midpoint.prism.query.SubstringFilter;
 import com.evolveum.midpoint.prism.query.ValueFilter;
 import com.evolveum.midpoint.prism.util.PrismUtil;
@@ -886,7 +887,15 @@ private List<ObjectFilter> createAttributeQueryInternal(List<? extends ObjectFil
 			if (f instanceof EqualFilter) {
 				ItemPath parentPath = ((EqualFilter) f).getParentPath();
 				if (parentPath == null || parentPath.isEmpty()) {
-					continue;
+					QName elementName = ((EqualFilter) f).getElementName();
+					if (QNameUtil.match(ShadowType.F_OBJECT_CLASS, elementName) ||
+							QNameUtil.match(ShadowType.F_AUXILIARY_OBJECT_CLASS, elementName) ||
+							QNameUtil.match(ShadowType.F_KIND, elementName) ||
+							QNameUtil.match(ShadowType.F_INTENT, elementName)) {
+						continue;
+					}
+					throw new SchemaException("Cannot combine on-resource and off-resource properties in a shadow search query. Encountered property " +
+							((EqualFilter) f).getFullPath());
 				}
 				attributeFilter.add(f);
 			} else if (f instanceof NaryLogicalFilter) {
@@ -909,6 +918,17 @@ private List<ObjectFilter> createAttributeQueryInternal(List<? extends ObjectFil
 
 			} else if (f instanceof SubstringFilter) {
 				attributeFilter.add(f);
+			} else if (f instanceof RefFilter) {
+				ItemPath parentPath = ((RefFilter)f).getParentPath();
+				if (parentPath == null || parentPath.isEmpty()) {
+					QName elementName = ((RefFilter) f).getElementName();
+					if (QNameUtil.match(ShadowType.F_RESOURCE_REF, elementName)) {
+						continue;
+					}
+				}
+				throw new SchemaException("Cannot combine on-resource and off-resource properties in a shadow search query. Encountered filter " + f);
+			} else {
+				throw new SchemaException("Cannot combine on-resource and off-resource properties in a shadow search query. Encountered filter " + f);
 			}
 
 		}
diff --git a/provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/dummy/TestDummy.java b/provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/dummy/TestDummy.java
index e40a80e1bca..2c153e43511 100644
--- a/provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/dummy/TestDummy.java
+++ b/provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/dummy/TestDummy.java
@@ -2738,8 +2738,106 @@ public void test190SearchNone() throws Exception {
 		ObjectFilter attrFilter = NoneFilter.createNone();
 		testSeachIterative(TEST_NAME, attrFilter, null, true, true, false);
 	}
+    
+    /**
+     * Search with query that queries both the repository and the resource.
+     * We cannot do this. This should fail.
+     * MID-2822
+     */
+    @Test
+	public void test195SearchOnAndOffResource() throws Exception {
+		final String TEST_NAME = "test195SearchOnAndOffResource";
+		TestUtil.displayTestTile(TEST_NAME);
+		
+		// GIVEN
+		Task task = taskManager.createTaskInstance(TestDummy.class.getName() + "." + TEST_NAME);
+		OperationResult result = task.getResult();
+		
+		ObjectQuery query = createOnOffQuery();
+		
+		ResultHandler<ShadowType> handler = new ResultHandler<ShadowType>() {
+			@Override
+			public boolean handle(PrismObject<ShadowType> object, OperationResult parentResult) {
+				AssertJUnit.fail("Handler called: "+object);
+				return false;
+			}
+		};
+		
+		try {
+			// WHEN
+			provisioningService.searchObjectsIterative(ShadowType.class, query, 
+					null, handler, task, result);
+			
+			AssertJUnit.fail("unexpected success");
+			
+		} catch (SchemaException e) {
+			// This is expected
+			display("Expected exception", e);
+		}
+		
+		// THEN
+		result.computeStatus();
+		TestUtil.assertFailure(result);
+			
+	}
+    
+    /**
+     * Search with query that queries both the repository and the resource.
+     * NoFetch. This should go OK.
+     * MID-2822
+     */
+    @Test
+	public void test196SearchOnAndOffResourceNoFetch() throws Exception {
+		final String TEST_NAME = "test196SearchOnAndOffResourceNoFetch";
+		TestUtil.displayTestTile(TEST_NAME);
+		
+		// GIVEN
+		Task task = taskManager.createTaskInstance(TestDummy.class.getName() + "." + TEST_NAME);
+		OperationResult result = task.getResult();
+		
+		ObjectQuery query = createOnOffQuery();
+		
+		ResultHandler<ShadowType> handler = new ResultHandler<ShadowType>() {
+			@Override
+			public boolean handle(PrismObject<ShadowType> object, OperationResult parentResult) {
+				AssertJUnit.fail("Handler called: "+object);
+				return false;
+			}
+		};
+		
+		// WHEN
+		provisioningService.searchObjectsIterative(ShadowType.class, query, 
+				SelectorOptions.createCollection(GetOperationOptions.createNoFetch()),
+				handler, task, result);
+			
+		// THEN
+		result.computeStatus();
+		TestUtil.assertSuccess(result);
+			
+	}
+
+    private ObjectQuery createOnOffQuery() throws SchemaException {
+		ObjectQuery query = ObjectQueryUtil.createResourceAndObjectClassQuery(RESOURCE_DUMMY_OID, new QName(ResourceTypeUtil.getResourceNamespace(resourceType),
+                ConnectorFactoryIcfImpl.ACCOUNT_OBJECT_CLASS_LOCAL_NAME), prismContext);
+		
+		ResourceSchema resourceSchema = RefinedResourceSchema.getResourceSchema(resource, prismContext);
+		ObjectClassComplexTypeDefinition objectClassDef = resourceSchema.findObjectClassDefinition(SchemaTestConstants.ACCOUNT_OBJECT_CLASS_LOCAL_NAME);
+		
+		ResourceAttributeDefinition<String> attrDef = objectClassDef.findAttributeDefinition(
+				dummyResourceCtl.getAttributeQName(DummyResourceContoller.DUMMY_ACCOUNT_ATTRIBUTE_SHIP_NAME));
+		ObjectFilter attrFilter = EqualFilter.createEqual(new ItemPath(ShadowType.F_ATTRIBUTES, attrDef.getName()), attrDef, 
+				"Sea Monkey");
+		
+		ObjectFilter deadFilter = EqualFilter.createEqual(ShadowType.F_DEAD, ShadowType.class, prismContext, Boolean.TRUE);
+		
+		ObjectFilter filter = AndFilter.createAnd(query.getFilter(), attrFilter, deadFilter);
+		query.setFilter(filter);
+		display("Query", query);
+
+		return query;
+	}
 
-    protected <T> void testSeachIterativeSingleAttrFilter(final String TEST_NAME, String attrName, T attrVal,
+	protected <T> void testSeachIterativeSingleAttrFilter(final String TEST_NAME, String attrName, T attrVal,
 			GetOperationOptions rootOptions, boolean fullShadow, String... expectedAccountIds) throws Exception {
 		testSeachIterativeSingleAttrFilter(TEST_NAME, dummyResourceCtl.getAttributeQName(attrName), attrVal, 
 				rootOptions, fullShadow, expectedAccountIds);