Automatic update of tenantRef (MID-4882)

Evolveum · Sep 10, 2018 · 70ed778 · 70ed778
1 parent c7ded2f
commit 70ed778
Show file tree

Hide file tree

Showing 5 changed files with 87 additions and 3 deletions.
diff --git a/...l/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentEvaluator.java b/...l/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentEvaluator.java
@@ -1088,6 +1088,12 @@ private void collectMembership(FocusType targetType, QName relation, EvaluationC
 		refVal.setTargetName(targetType.getName().toPolyString());
 
 		collectMembershipRefVal(refVal, targetType.getClass(), relation, targetType, ctx);
+
+		if (targetType instanceof OrgType) {
+			if (BooleanUtils.isTrue(((OrgType)targetType).isTenant()) && ctx.evalAssignment.getTenantOid() == null) {
+				ctx.evalAssignment.setTenantOid(targetType.getOid());
+			}
+		}
 	}
 
 	private void collectMembership(ObjectReferenceType targetRef, QName relation, EvaluationContext ctx) {

diff --git a/...del-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/EvaluatedAssignmentImpl.java b/...del-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/EvaluatedAssignmentImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2018 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -81,6 +81,7 @@ public class EvaluatedAssignmentImpl<F extends FocusType> implements EvaluatedAs
 	// usually, these rules do not cause direct action (e.g. in the case of approvals);
 	// however, there are situations in which they are used (e.g. for exclusion rules)
 	@NotNull private final Collection<EvaluatedPolicyRule> otherTargetsPolicyRules = new ArrayList<>();
+	private String tenantOid;
 
 	private PrismObject<?> target;
 	private boolean virtual;
@@ -245,6 +246,14 @@ public void addDelegationRefVal(PrismReferenceValue org) {
 		delegationRefVals.add(org);
 	}
 
+	public String getTenantOid() {
+		return tenantOid;
+	}
+
+	public void setTenantOid(String tenantOid) {
+		this.tenantOid = tenantOid;
+	}
+
 	@NotNull
 	@Override
 	public Collection<Authorization> getAuthorizations() {

diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensElementContext.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensElementContext.java
@@ -20,6 +20,8 @@
 import com.evolveum.midpoint.prism.ConsistencyCheckScope;
 import com.evolveum.midpoint.prism.Objectable;
 import com.evolveum.midpoint.prism.delta.PlusMinusZero;
+import com.evolveum.midpoint.prism.delta.builder.DeltaBuilder;
+import com.evolveum.midpoint.prism.delta.builder.S_ItemEntry;
 import com.evolveum.midpoint.schema.DeltaConvertor;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
@@ -816,4 +818,8 @@ public boolean isOfType(Class<?> aClass) {
 	}
 
 	public abstract void deleteSecondaryDeltas();
+
+	public S_ItemEntry deltaBuilder() throws SchemaException {
+		return DeltaBuilder.deltaFor(getObjectTypeClass(), getPrismContext());
+	}
 }
diff --git a/.../main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/AssignmentProcessor.java b/.../main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/AssignmentProcessor.java
@@ -29,6 +29,8 @@
 import com.evolveum.midpoint.model.impl.lens.projector.policy.PolicyRuleProcessor;
 import com.evolveum.midpoint.model.impl.util.ModelImplUtils;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
+
+import org.apache.commons.lang.BooleanUtils;
 import org.jetbrains.annotations.NotNull;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
@@ -790,6 +792,66 @@ public <F extends ObjectType> void processOrgAssignments(LensContext<F> context,
 				}
 			}
 		}
+
+		computeTenantRef(context, result);
+	}
+
+	private <F extends ObjectType> void computeTenantRef(LensContext<F> context, OperationResult result) throws PolicyViolationException, SchemaException {
+		String tenantOid = null;
+		LensFocusContext<F> focusContext = context.getFocusContext();
+		PrismObject<F> objectNew = focusContext.getObjectNew();
+		if (objectNew == null) {
+			return;
+		}
+
+		if (objectNew.canRepresent(OrgType.class) && BooleanUtils.isTrue(((OrgType)objectNew.asObjectable()).isTenant())) {
+			// Special "zero" case. Tenant org has itself as a tenant.
+			tenantOid = objectNew.getOid();
+
+		} else {
+
+			DeltaSetTriple<EvaluatedAssignmentImpl<?>> evaluatedAssignmentTriple = context.getEvaluatedAssignmentTriple();
+			for (EvaluatedAssignmentImpl<?> evalAssignment : evaluatedAssignmentTriple.getNonNegativeValues()) {
+				if (!evalAssignment.isValid()) {
+					continue;
+				}
+				String assignmentTenantOid = evalAssignment.getTenantOid();
+				if (assignmentTenantOid == null) {
+					continue;
+				}
+				if (tenantOid == null) {
+					tenantOid = assignmentTenantOid;
+				} else {
+					if (!assignmentTenantOid.equals(tenantOid)) {
+						throw new PolicyViolationException("Two different tenants ("+tenantOid+", "+assignmentTenantOid+") applicable to "+context.getFocusContext().getHumanReadableName());
+					}
+				}
+			}
+		}
+
+
+		ObjectReferenceType currentTenantRef = objectNew.asObjectable().getTenantRef();
+		if (currentTenantRef == null) {
+			if (tenantOid == null) {
+				return;
+			} else {
+				LOGGER.trace("Setting tenantRef to {}", tenantOid);
+				ReferenceDelta tenantRefDelta = ReferenceDelta.createModificationReplace(ObjectType.F_TENANT_REF, focusContext.getObjectDefinition(), tenantOid);
+				context.getFocusContext().swallowToProjectionWaveSecondaryDelta(tenantRefDelta);
+			}
+		} else {
+			if (tenantOid == null) {
+				LOGGER.trace("Clearing tenantRef");
+				ReferenceDelta tenantRefDelta = ReferenceDelta.createModificationReplace(ObjectType.F_TENANT_REF, focusContext.getObjectDefinition(), (PrismReferenceValue)null);
+				context.getFocusContext().swallowToProjectionWaveSecondaryDelta(tenantRefDelta);
+			} else {
+				if (!tenantOid.equals(currentTenantRef.getOid())) {
+					LOGGER.trace("Changing tenantRef to {}", tenantOid);
+					ReferenceDelta tenantRefDelta = ReferenceDelta.createModificationReplace(ObjectType.F_TENANT_REF, focusContext.getObjectDefinition(), tenantOid);
+					context.getFocusContext().swallowToProjectionWaveSecondaryDelta(tenantRefDelta);
+				}
+			}
+		}
 	}
 
 	public <F extends ObjectType> void checkForAssignmentConflicts(LensContext<F> context,

diff --git a/...st/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityMultitenant.java b/...st/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityMultitenant.java
@@ -201,6 +201,7 @@ public void test010ImportOrgstruct() throws Exception {
 
         assertOrgAfter(ORG_ATREIDES_OID)
         	.assertIsTenant()
+        	.assertTenantRef(ORG_ATREIDES_OID)
         	.assignments()
         		.single()
         			.assertTargetOid(ORG_ROOT_OID)
@@ -209,8 +210,8 @@ public void test010ImportOrgstruct() throws Exception {
         	.assertLinks(0)
         	.assertParentOrgRefs(ORG_ROOT_OID);
 
-        assertRoleAfter(ROLE_CORRINO_ADMIN_OID)
-//        	.assertTenantRef(ORG_ATREIDES_OID)
+        assertRoleAfter(ROLE_ATREIDES_ADMIN_OID)
+        	.assertTenantRef(ORG_ATREIDES_OID)
         	.assertParentOrgRefs(ORG_ATREIDES_OID);
 
         assertGlobalStateUntouched();