From fb0e5491a4803c8e904b90efd466bcc5e43e3894 Mon Sep 17 00:00:00 2001
From: "Katarina Valalikova (katkav)" <k.valalikova@evolveum.com>
Date: Tue, 15 Jul 2014 07:49:53 +0200
Subject: [PATCH 1/4] fixing MID-1976 (some GUI authorization problem)

---
 .../main/java/com/evolveum/midpoint/web/page/PageTest.java    | 2 +-
 .../main/java/com/evolveum/midpoint/web/page/PageTest2.java   | 2 +-
 .../midpoint/web/page/admin/configuration/PageBulkAction.java | 2 +-
 .../midpoint/web/page/admin/resources/PageResourceWizard.java | 2 +-
 .../page/admin/resources/content/PageContentEntitlements.java | 2 +-
 .../evolveum/midpoint/web/page/admin/users/PageFindUsers.java | 2 +-
 .../midpoint/security/api/AuthorizationConstants.java         | 4 ++++
 7 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/PageTest.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/PageTest.java
index 0658ba85815..cc0e429e592 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/PageTest.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/PageTest.java
@@ -31,7 +31,7 @@
 /**
  * @author lazyman
  */
-@PageDescriptor(url = "/admin/test", action = {@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_DENY_ALL)})
+@PageDescriptor(url = "/admin/test", action = {@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_DEVEL_URL)})
 public class PageTest extends PageBase {
 
     public PageTest() {
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/PageTest2.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/PageTest2.java
index 970fb8c1038..001b17a520d 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/PageTest2.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/PageTest2.java
@@ -33,7 +33,7 @@
  *
  *  @author shood
  */
-@PageDescriptor(url = "/capability", action = {@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_DENY_ALL)})
+@PageDescriptor(url = "/capability", action = {@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_DEVEL_URL)})
 public class PageTest2 extends PageBase {
 
     private static final String ID_CAPABILITY = "capability";
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/configuration/PageBulkAction.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/configuration/PageBulkAction.java
index 8b6782c4cc2..29009292c83 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/configuration/PageBulkAction.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/configuration/PageBulkAction.java
@@ -37,7 +37,7 @@
 //                label = PageAdminConfiguration.AUTH_CONFIGURATION_ALL_LABEL, description = PageAdminConfiguration.AUTH_CONFIGURATION_ALL_DESCRIPTION),
 //        @AuthorizationAction(actionUri = AuthorizationConstants.NS_AUTHORIZATION + "#bulkAction",
 //                label = "PageBulkAction.auth.bulkAction.label", description = "PageBulkAction.auth.bulkAction.description")
-        @AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_DENY_ALL)
+        @AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_DEVEL_URL)
 })
 public class PageBulkAction extends PageAdminConfiguration {
 
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/resources/PageResourceWizard.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/resources/PageResourceWizard.java
index e244dfe30cb..3d687977d41 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/resources/PageResourceWizard.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/resources/PageResourceWizard.java
@@ -44,7 +44,7 @@
 //        PageAdminResources.AUTHORIZATION_RESOURCE_ALL,
 //        AuthorizationConstants.NS_AUTHORIZATION + "#resourceWizard"})
 @PageDescriptor(url = "/admin/resources/wizard",
-        action = {@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_DENY_ALL)})
+        action = {@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_DEVEL_URL)})
 public class PageResourceWizard extends PageAdminResources {
 
     private static final String ID_WIZARD = "wizard";
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/resources/content/PageContentEntitlements.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/resources/content/PageContentEntitlements.java
index 4a41182dada..41ac3fdd714 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/resources/content/PageContentEntitlements.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/resources/content/PageContentEntitlements.java
@@ -35,7 +35,7 @@
  * @author lazyman
  */
 @PageDescriptor(url = "/admin/resources/content/entitlements", encoder = OnePageParameterEncoder.class, action = {
-        @AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_DENY_ALL)})
+        @AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_DEVEL_URL)})
 public class PageContentEntitlements extends PageAdminResources {
 
     private IModel<PrismObject<ResourceType>> resourceModel;
diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/users/PageFindUsers.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/users/PageFindUsers.java
index 133f6be8f22..763508c785e 100644
--- a/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/users/PageFindUsers.java
+++ b/gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/users/PageFindUsers.java
@@ -25,7 +25,7 @@
 /**
  * @author lazyman
  */
-@PageDescriptor(url = "/admin/users/find", action = {@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_DENY_ALL)})
+@PageDescriptor(url = "/admin/users/find", action = {@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_DEVEL_URL)})
 public class PageFindUsers extends PageAdminUsers {
 
     private static final Trace LOGGER = TraceManager.getTrace(PageFindUsers.class);
diff --git a/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/AuthorizationConstants.java b/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/AuthorizationConstants.java
index 88c9c5414eb..ae2982a21ae 100644
--- a/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/AuthorizationConstants.java
+++ b/repo/security-api/src/main/java/com/evolveum/midpoint/security/api/AuthorizationConstants.java
@@ -36,6 +36,10 @@ public class AuthorizationConstants {
 	public static final QName AUTZ_ALL_QNAME = new QName(NS_AUTHORIZATION, "all");
 	public static final String AUTZ_ALL_URL = QNameUtil.qNameToUri(AUTZ_ALL_QNAME);
 	
+	public static final QName AUTZ_DEVEL_QNAME = new QName(NS_AUTHORIZATION, "devel");
+	public static final String AUTZ_DEVEL_URL = NS_AUTHORIZATION + "#devel";
+//	public static final String AUTZ_DEVEL_URL = QNameUtil.qNameToUri(AUTZ_DEVEL_QNAME);
+	
 	public static final QName AUTZ_DENY_ALL_QNAME = new QName(NS_AUTHORIZATION, "denyAll");
 	public static final String AUTZ_DENY_ALL_URL = QNameUtil.qNameToUri(AUTZ_DENY_ALL_QNAME);
     public static final String AUTZ_DENY_ALL = NS_AUTHORIZATION + "#denyAll";

From 1cd83bcbf70bf8e4057f77f11f8112880073862b Mon Sep 17 00:00:00 2001
From: Viliam Repan <vilo.repan@evolveum.com>
Date: Tue, 15 Jul 2014 13:27:20 +0200
Subject: [PATCH 2/4] fix for MID-1983

---
 gui/admin-gui/src/main/webapp/status.html | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 gui/admin-gui/src/main/webapp/status.html

diff --git a/gui/admin-gui/src/main/webapp/status.html b/gui/admin-gui/src/main/webapp/status.html
new file mode 100644
index 00000000000..4118e598aa5
--- /dev/null
+++ b/gui/admin-gui/src/main/webapp/status.html
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html>
+<head lang="en">
+    <meta charset="UTF-8">
+    <title>MidPoint</title>
+</head>
+<body>Alive</body>
+</html>
\ No newline at end of file

From 1a93713eb2838312be2b6a52e105f75da42ad3d7 Mon Sep 17 00:00:00 2001
From: Radovan Semancik <radovan.semancik@evolveum.com>
Date: Tue, 15 Jul 2014 14:48:39 +0200
Subject: [PATCH 3/4] Fixing dependencies between object types on the same
 resource (MID-1841)

---
 .../refinery/ResourceShadowDiscriminator.java |   8 +-
 .../impl/lens/projector/ContextLoader.java    |   2 +-
 .../model/impl/lens/projector/Projector.java  |  45 ++++----
 .../midpoint/testing/story/TestVillage.java   |  42 +++++++-
 .../story/src/test/resources/logback-test.xml |  32 +++---
 .../village/org-project-jolly-roger.xml       |  27 +++++
 .../story/src/test/resources/village/orgs.xml |   5 +
 .../resources/village/resource-opendj.xml     | 101 ++++++++++++++++++
 .../village/role-meta-project-org.xml         |  46 ++++++++
 9 files changed, 265 insertions(+), 43 deletions(-)
 create mode 100644 testing/story/src/test/resources/village/org-project-jolly-roger.xml
 create mode 100644 testing/story/src/test/resources/village/role-meta-project-org.xml

diff --git a/infra/common/src/main/java/com/evolveum/midpoint/common/refinery/ResourceShadowDiscriminator.java b/infra/common/src/main/java/com/evolveum/midpoint/common/refinery/ResourceShadowDiscriminator.java
index 670ba800504..6c26ecdb640 100644
--- a/infra/common/src/main/java/com/evolveum/midpoint/common/refinery/ResourceShadowDiscriminator.java
+++ b/infra/common/src/main/java/com/evolveum/midpoint/common/refinery/ResourceShadowDiscriminator.java
@@ -58,12 +58,16 @@ public ResourceShadowDiscriminator(ShadowDiscriminatorType accRefType) {
 		this(accRefType.getResourceRef().getOid(), accRefType.getKind(), accRefType.getIntent());
 	}
 	
-	public ResourceShadowDiscriminator(ShadowDiscriminatorType accRefType, ShadowKindType defaultKind) {
+	public ResourceShadowDiscriminator(ShadowDiscriminatorType accRefType, String defaultResourceOid, ShadowKindType defaultKind) {
 		ShadowKindType kind = accRefType.getKind();
 		if (kind == null) {
 			kind = defaultKind;
 		}
-		this.resourceOid = accRefType.getResourceRef().getOid();
+		if (accRefType.getResourceRef() == null) {
+			this.resourceOid = defaultResourceOid;
+		} else {
+			this.resourceOid = accRefType.getResourceRef().getOid();
+		}
 		this.thombstone = false;
 		setIntent(accRefType.getIntent());
 		setKind(kind);
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ContextLoader.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ContextLoader.java
index 5a72f13d8d3..ee45f891b81 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ContextLoader.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ContextLoader.java
@@ -318,7 +318,7 @@ private <F extends ObjectType> void loadObjectCurrent(LensContext<F> context, Op
             return;
         }
         ObjectDelta<F> objectDelta = focusContext.getDelta();
-        if (objectDelta != null && objectDelta.isAdd()) {
+        if (objectDelta != null && objectDelta.isAdd() && focusContext.getExecutedDeltas().isEmpty()) {
             //we're adding the focal object. No need to load it, it is in the delta
         	focusContext.setFresh(true);
             return;
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/Projector.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/Projector.java
index deaf27034c2..ecac5490e77 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/Projector.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/Projector.java
@@ -391,7 +391,8 @@ private <F extends ObjectType> LensProjectionContext determineProjectionWave(Len
 			}
 			checkForCircular(depPath, outDependency);
 			depPath.add(outDependency);
-			ResourceShadowDiscriminator refDiscr = new ResourceShadowDiscriminator(outDependency, projectionContext.getKind());
+			ResourceShadowDiscriminator refDiscr = new ResourceShadowDiscriminator(outDependency, 
+					projectionContext.getResource().getOid(), projectionContext.getKind());
 			LensProjectionContext dependencyProjectionContext = findDependencyContext(context, projectionContext, outDependency);
 //			if (LOGGER.isTraceEnabled()) {
 //				LOGGER.trace("DEP: {} -> {}", refDiscr, dependencyProjectionContext);
@@ -473,7 +474,8 @@ private boolean isHigerOrder(ResourceObjectTypeDependencyType a,
 	 */
 	private <F extends ObjectType> LensProjectionContext findDependencyContext(
 			LensContext<F> context, LensProjectionContext projContext, ResourceObjectTypeDependencyType dependency){
-		ResourceShadowDiscriminator refDiscr = new ResourceShadowDiscriminator(dependency, projContext.getKind());
+		ResourceShadowDiscriminator refDiscr = new ResourceShadowDiscriminator(dependency, 
+				projContext.getResource().getOid(), projContext.getKind());
 		LensProjectionContext selected = null;
 		for (LensProjectionContext projectionContext: context.getProjectionContexts()) {
 			if (!projectionContext.compareResourceShadowDiscriminator(refDiscr, false)) {
@@ -511,21 +513,21 @@ private <F extends ObjectType> LensProjectionContext createAnotherContext(LensCo
 	 * and stuff like that. 
 	 */
 	private <F extends ObjectType> boolean checkDependencies(LensContext<F> context, 
-    		LensProjectionContext accountContext) throws PolicyViolationException {
-		if (accountContext.isDelete()) {
+    		LensProjectionContext projContext) throws PolicyViolationException {
+		if (projContext.isDelete()) {
 			// It is OK if we depend on something that is not there if we are being removed ... for now
 			return true;
 		}
 		
-		if (accountContext.getOid() == null || accountContext.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.ADD) {
+		if (projContext.getOid() == null || projContext.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.ADD) {
 			// Check for lower-order contexts
 			LensProjectionContext lowerOrderContext = null;
 			for (LensProjectionContext projectionContext: context.getProjectionContexts()) {
-				if (accountContext == projectionContext) {
+				if (projContext == projectionContext) {
 					continue;
 				}
-				if (projectionContext.compareResourceShadowDiscriminator(accountContext.getResourceShadowDiscriminator(), false) &&
-						projectionContext.getResourceShadowDiscriminator().getOrder() < accountContext.getResourceShadowDiscriminator().getOrder()) {
+				if (projectionContext.compareResourceShadowDiscriminator(projContext.getResourceShadowDiscriminator(), false) &&
+						projectionContext.getResourceShadowDiscriminator().getOrder() < projContext.getResourceShadowDiscriminator().getOrder()) {
 					if (projectionContext.getOid() != null) {
 						lowerOrderContext = projectionContext;
 						break;
@@ -534,23 +536,24 @@ private <F extends ObjectType> boolean checkDependencies(LensContext<F> context,
 			}
 			if (lowerOrderContext != null) {
 				if (lowerOrderContext.getOid() != null) {
-					if (accountContext.getOid() == null) {
-						accountContext.setOid(lowerOrderContext.getOid());
+					if (projContext.getOid() == null) {
+						projContext.setOid(lowerOrderContext.getOid());
 					}
-					if (accountContext.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.ADD) {
+					if (projContext.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.ADD) {
 						// This context cannot be ADD. There is a lower-order context with an OID
 						// it means that the lower-order projection exists, we cannot add it twice
-						accountContext.setSynchronizationPolicyDecision(SynchronizationPolicyDecision.KEEP);
+						projContext.setSynchronizationPolicyDecision(SynchronizationPolicyDecision.KEEP);
 					}
 				}
 				if (lowerOrderContext.isDelete()) {
-					accountContext.setSynchronizationPolicyDecision(SynchronizationPolicyDecision.DELETE);
+					projContext.setSynchronizationPolicyDecision(SynchronizationPolicyDecision.DELETE);
 				}
 			}
 		}		
 		
-		for (ResourceObjectTypeDependencyType dependency: accountContext.getDependencies()) {
-			ResourceShadowDiscriminator refRat = new ResourceShadowDiscriminator(dependency, accountContext.getKind());
+		for (ResourceObjectTypeDependencyType dependency: projContext.getDependencies()) {
+			ResourceShadowDiscriminator refRat = new ResourceShadowDiscriminator(dependency, 
+					projContext.getResource().getOid(), projContext.getKind());
 			LOGGER.trace("LOOKING FOR {}", refRat);
 			LensProjectionContext dependencyAccountContext = context.findProjectionContext(refRat);
 			ResourceObjectTypeDependencyStrictnessType strictness = ResourceTypeUtil.getDependencyStrictness(dependency);
@@ -558,17 +561,17 @@ private <F extends ObjectType> boolean checkDependencies(LensContext<F> context,
 				if (strictness == ResourceObjectTypeDependencyStrictnessType.STRICT) {
 					// This should not happen, it is checked before projection
 					throw new PolicyViolationException("Unsatisfied strict dependency of "
-							+ accountContext.getResourceShadowDiscriminator().toHumanReadableString() +
+							+ projContext.getResourceShadowDiscriminator().toHumanReadableString() +
 							" dependent on " + refRat.toHumanReadableString() + ": No context in dependency check");
 				} else if (strictness == ResourceObjectTypeDependencyStrictnessType.LAX) {
 					// independent object not in the context, just ignore it
 					LOGGER.trace("Unsatisfied lax dependency of account " + 
-							accountContext.getResourceShadowDiscriminator().toHumanReadableString() +
+							projContext.getResourceShadowDiscriminator().toHumanReadableString() +
 							" dependent on " + refRat.toHumanReadableString() + "; dependency skipped");
 				} else if (strictness == ResourceObjectTypeDependencyStrictnessType.RELAXED) {
 					// independent object not in the context, just ignore it
 					LOGGER.trace("Unsatisfied relaxed dependency of account "
-							+ accountContext.getResourceShadowDiscriminator().toHumanReadableString() +
+							+ projContext.getResourceShadowDiscriminator().toHumanReadableString() +
 							" dependent on " + refRat.toHumanReadableString() + "; dependency skipped");
 				} else {
 					throw new IllegalArgumentException("Unknown dependency strictness "+dependency.getStrictness()+" in "+refRat);
@@ -582,9 +585,9 @@ private <F extends ObjectType> boolean checkDependencies(LensContext<F> context,
 					} else {
 						// We do not want to throw exception here. That will stop entire projection.
 						// Let's just mark the projection as broken and skip it.
-						LOGGER.warn("Unsatisfied dependency of account "+accountContext.getResourceShadowDiscriminator()+
-								" dependent on "+refRat+": Account not provisioned in dependency check (execution wave "+context.getExecutionWave()+", account wave "+accountContext.getWave() + ", depenedency account wave "+dependencyAccountContext.getWave()+")");
-						accountContext.setSynchronizationPolicyDecision(SynchronizationPolicyDecision.BROKEN);
+						LOGGER.warn("Unsatisfied dependency of account "+projContext.getResourceShadowDiscriminator()+
+								" dependent on "+refRat+": Account not provisioned in dependency check (execution wave "+context.getExecutionWave()+", account wave "+projContext.getWave() + ", depenedency account wave "+dependencyAccountContext.getWave()+")");
+						projContext.setSynchronizationPolicyDecision(SynchronizationPolicyDecision.BROKEN);
 						return false;
 					}
 				} else if (strictness == ResourceObjectTypeDependencyStrictnessType.LAX) {
diff --git a/testing/story/src/test/java/com/evolveum/midpoint/testing/story/TestVillage.java b/testing/story/src/test/java/com/evolveum/midpoint/testing/story/TestVillage.java
index ede979a85a6..98df89347ba 100644
--- a/testing/story/src/test/java/com/evolveum/midpoint/testing/story/TestVillage.java
+++ b/testing/story/src/test/java/com/evolveum/midpoint/testing/story/TestVillage.java
@@ -51,6 +51,7 @@
 import com.evolveum.icf.dummy.resource.DummyObjectClass;
 import com.evolveum.icf.dummy.resource.DummyResource;
 import com.evolveum.icf.dummy.resource.DummySyncStyle;
+import com.evolveum.midpoint.common.InternalsConfig;
 import com.evolveum.midpoint.common.refinery.RefinedObjectClassDefinition;
 import com.evolveum.midpoint.common.refinery.RefinedResourceSchema;
 import com.evolveum.midpoint.common.refinery.ShadowDiscriminatorObjectDelta;
@@ -162,6 +163,9 @@ public class TestVillage extends AbstractStoryTest {
 	public static final File ROLE_META_FUNCTIONAL_ORG_FILE = new File(TEST_DIR, "role-meta-functional-org.xml");
 	public static final String ROLE_META_FUNCTIONAL_ORG_OID = "74aac2c8-ca0f-11e3-bb29-001e8c717e5b";
 	
+	public static final File ROLE_META_PROJECT_ORG_FILE = new File(TEST_DIR, "role-meta-project-org.xml");
+	public static final String ROLE_META_PROJECT_ORG_OID = "ab33ec1e-0c0b-11e4-ba88-001e8c717e5b";
+	
 	protected static final File ORGS_FILE = new File(TEST_DIR, "orgs.xml");
 	public static final String ORG_GOV_NAME = "Gov";
 	public static final String ORG_EXEC_NAME = "Exec";
@@ -173,6 +177,9 @@ public class TestVillage extends AbstractStoryTest {
 	private static final File GLOBAL_PASSWORD_POLICY_FILE = new File(TEST_DIR, "global-password-policy.xml");
 	private static final File ORG_PASSWORD_POLICY_FILE = new File(TEST_DIR, "org-password-policy.xml");
 	
+	public static final File ORG_PROJECT_JOLLY_ROGER_FILE = new File(TEST_DIR, "org-project-jolly-roger.xml");
+	public static final String ORG_PROJECT_JOLLY_ROGER_OID = "a9ac1aa2-0c0f-11e4-9214-001e8c717e5b";
+	
 	protected static final File TASK_LIVE_SYNC_DUMMY_SOURCE_FILE = new File(TEST_DIR, "task-dumy-source-livesync.xml");
 	protected static final String TASK_LIVE_SYNC_DUMMY_SOURCE_OID = "10000000-0000-0000-5555-555500000001";
 	
@@ -290,6 +297,7 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
 		importObjectFromFile(ROLE_BASIC_FILE, initResult);
 		importObjectFromFile(ROLE_SIMPLE_FILE, initResult);
 		importObjectFromFile(ROLE_META_FUNCTIONAL_ORG_FILE, initResult);
+		importObjectFromFile(ROLE_META_PROJECT_ORG_FILE, initResult);
 		
 		// Org
 		repoAddObjectsFromFile(ORGS_FILE, OrgType.class, initResult);
@@ -602,10 +610,12 @@ public void test132ModifySrcAccountHermanDeleteOrg() throws Exception {
         DummyAccount account = dummyResourceSrc.getAccountByUsername(ACCOUNT_HERMAN_USERNAME);
 		
         // WHEN
+        TestUtil.displayWhen(TEST_NAME);
         account.replaceAttributeValues(DUMMY_ACCOUNT_ATTRIBUTE_SRC_ORG);
         waitForTaskNextRun(TASK_LIVE_SYNC_DUMMY_SOURCE_OID, true);
         
         // THEN
+        TestUtil.displayThen(TEST_NAME);
         PrismObject<UserType> user = findUserByUsername(getUsername(ACCOUNT_HERMAN_FIST_NAME, ACCOUNT_HERMAN_LAST_NAME, null));
         assertUserNoRole(user, ACCOUNT_HERMAN_FIST_NAME, ACCOUNT_HERMAN_LAST_NAME, null);
         assertLocGov(user, null, null);
@@ -633,9 +643,11 @@ public void test200createUserAssignOrgPwdPolicy() throws Exception{
 		Collection deltas = MiscUtil.createCollection(orgPasswordPolicyRefDelta);
 		modelService.executeChanges(deltas, null, task, result);
 		
+		InternalsConfig.avoidLoggingChange = true;
 		ObjectDelta sysConfigPasswordPolicyRefDelta = ObjectDelta.createModificationAddReference(SystemConfigurationType.class, SYSTEM_CONFIGURATION_OID, SystemConfigurationType.F_GLOBAL_PASSWORD_POLICY_REF, prismContext, GLOBAL_PASSWORD_POLICY_OID);
 		deltas = MiscUtil.createCollection(sysConfigPasswordPolicyRefDelta);
 		modelService.executeChanges(deltas, null, task, result);
+		InternalsConfig.avoidLoggingChange = false;
 		
 		//add user + assign role + assign org with the password policy specified
 		PrismObject<UserType> objectToAdd = PrismTestUtil.parseObject(USER_MIKE_FILE);
@@ -651,7 +663,7 @@ public void test200createUserAssignOrgPwdPolicy() throws Exception{
 	
 	@Test
 	public void test201unassignRole() throws Exception{
-		final String TEST_NAME = "test200createUserAssignOrgPwdPolicy";
+		final String TEST_NAME = "test201unassignRole";
         TestUtil.displayTestTile(this, TEST_NAME);
 		unassignRole(USER_MIKE_OID, ROLE_BASIC_OID);
 		//TODO: assertions
@@ -659,7 +671,7 @@ public void test201unassignRole() throws Exception{
 	
 	@Test
 	public void test202assignRoleOrgPwdPolicy() throws Exception{
-		final String TEST_NAME = "test200createUserAssignOrgPwdPolicy";
+		final String TEST_NAME = "test202assignRoleOrgPwdPolicy";
         TestUtil.displayTestTile(this, TEST_NAME);
 		
         //this will throw exception, if incorrect pwd policy is selected...but some assertion will be nice :)
@@ -668,7 +680,31 @@ public void test202assignRoleOrgPwdPolicy() throws Exception{
 		//TODO: assertion
 	}
 	
-	
+	@Test
+    public void test300AddProjectJollyRoger() throws Exception {
+		final String TEST_NAME = "test300AddProjectJollyRoger";
+        TestUtil.displayTestTile(this, TEST_NAME);
+        Task task = taskManager.createTaskInstance(TestTrafo.class.getName() + "." + TEST_NAME);
+        OperationResult result = task.getResult();
+		
+        // WHEN
+        TestUtil.displayWhen(TEST_NAME);
+        addObject(ORG_PROJECT_JOLLY_ROGER_FILE, task, result);
+        
+        // THEN
+        TestUtil.displayThen(TEST_NAME);
+        result.computeStatus();
+        TestUtil.assertSuccess(result);
+        
+        // TODO
+        PrismObject<OrgType> org = getObject(OrgType.class, ORG_PROJECT_JOLLY_ROGER_OID);
+        display("Org", org);
+        assertLinks(org, 2);
+        
+        SearchResultEntry ouEntry = openDJController.fetchAndAssertEntry("ou=Jolly Roger,dc=example,dc=com", "organizationalUnit");
+        SearchResultEntry groupEntry = openDJController.fetchAndAssertEntry("cn=admins,ou=Jolly Roger,dc=example,dc=com", "groupOfUniqueNames");
+      //TODO: assertions
+	}
 	
 	
 	private void assertLocGov(PrismObject<UserType> user, String expLoc, String expOrg) throws SchemaException, ObjectNotFoundException, SecurityViolationException, CommunicationException, ConfigurationException {
diff --git a/testing/story/src/test/resources/logback-test.xml b/testing/story/src/test/resources/logback-test.xml
index 47b3e8691d2..468394569a4 100644
--- a/testing/story/src/test/resources/logback-test.xml
+++ b/testing/story/src/test/resources/logback-test.xml
@@ -29,27 +29,27 @@
 	<logger name="com.evolveum.midpoint.model.intest" level="TRACE" />
 	<logger name="com.evolveum.midpoint.model" level="DEBUG" />
     <logger name="com.evolveum.midpoint.notifications" level="DEBUG" />	
-	<logger name="com.evolveum.midpoint.model.sync.LiveSyncTaskHandler" level="DEBUG" />
-	<logger name="com.evolveum.midpoint.model.sync.ReconciliationTaskHandler" level="DEBUG" />
-	<logger name="com.evolveum.midpoint.model.sync.SynchronizeAccountResultHandler" level="DEBUG" />
+	<logger name="com.evolveum.midpoint.model.impl.sync.LiveSyncTaskHandler" level="DEBUG" />
+	<logger name="com.evolveum.midpoint.model.impl.sync.ReconciliationTaskHandler" level="DEBUG" />
+	<logger name="com.evolveum.midpoint.model.impl.sync.SynchronizeAccountResultHandler" level="DEBUG" />
 	<logger name="com.evolveum.midpoint.provisioning.impl.ChangeNotificationDispatcherImpl" level="DEBUG" />
 	<logger name="com.evolveum.midpoint.test" level="TRACE" />
 	<logger name="PROFILING" level="OFF" />
 	
     <!-- "TRACE" is just too much info, "DEBUG" should be enough for the following talkative components ... 
          if any of the following is set to "TRACE" then it was changed by mistake and should be changed back -->
-	<logger name="com.evolveum.midpoint.model.lens.projector" level="DEBUG" />
-	<logger name="com.evolveum.midpoint.model.lens.projector.Projector" level="TRACE" />
-	<logger name="com.evolveum.midpoint.model.lens" level="DEBUG" />
-	<logger name="com.evolveum.midpoint.model.lens.AssignmentEvaluator" level="DEBUG" />
-	<logger name="com.evolveum.midpoint.model.lens.Clockwork" level="DEBUG" />
-	<logger name="com.evolveum.midpoint.model.lens.ChangeExecutor" level="DEBUG" />
-	<logger name="com.evolveum.midpoint.model.lens.ShadowConstraintsChecker" level="DEBUG" />
-	<logger name="com.evolveum.midpoint.model.lens.LensUtil" level="DEBUG" />
-	<logger name="com.evolveum.midpoint.model.expr" level="TRACE" />
-	<logger name="com.evolveum.midpoint.model.util" level="DEBUG" />
-	<logger name="com.evolveum.midpoint.model.sync" level="TRACE" />
-	<logger name="com.evolveum.midpoint.model.sync.CorrelationConfirmationEvaluator" level="DEBUG" />
+	<logger name="com.evolveum.midpoint.model.impl.lens.projector" level="TRACE" />
+	<logger name="com.evolveum.midpoint.model.impl.lens.projector.Projector" level="TRACE" />
+	<logger name="com.evolveum.midpoint.model.impl.lens" level="TRACE" />
+	<logger name="com.evolveum.midpoint.model.impl.lens.AssignmentEvaluator" level="DEBUG" />
+	<logger name="com.evolveum.midpoint.model.impl.lens.Clockwork" level="DEBUG" />
+	<logger name="com.evolveum.midpoint.model.impl.lens.ChangeExecutor" level="DEBUG" />
+	<logger name="com.evolveum.midpoint.model.impl.lens.ShadowConstraintsChecker" level="DEBUG" />
+	<logger name="com.evolveum.midpoint.model.impl.lens.LensUtil" level="DEBUG" />
+	<logger name="com.evolveum.midpoint.model.impl.expr" level="TRACE" />
+	<logger name="com.evolveum.midpoint.model.impl.util" level="DEBUG" />
+	<logger name="com.evolveum.midpoint.model.impl.sync" level="TRACE" />
+	<logger name="com.evolveum.midpoint.model.impl.sync.CorrelationConfirmationEvaluator" level="DEBUG" />
     <logger name="com.evolveum.midpoint.provisioning" level="DEBUG" />
 	<logger name="com.evolveum.midpoint.expression" level="DEBUG" />
 	<logger name="com.evolveum.midpoint.model.common.expression" level="DEBUG" />
@@ -57,7 +57,7 @@
 	<logger name="com.evolveum.midpoint.model.common.mapping" level="DEBUG" />
 	<logger name="com.evolveum.midpoint.common.monitor" level="DEBUG" />
 	<logger name="com.evolveum.midpoint.notifications" level="DEBUG" />
-	<logger name="com.evolveum.midpoint.model.controller.SystemConfigurationHandler" level="DEBUG" />
+	<logger name="com.evolveum.midpoint.model.impl.controller.SystemConfigurationHandler" level="DEBUG" />
 	<logger name="com.evolveum.midpoint.model.common.expression.evaluator.AbstractSearchExpressionEvaluator" level="TRACE" />
 	
 	<logger name="com.evolveum.midpoint.repo" level="INFO" />
diff --git a/testing/story/src/test/resources/village/org-project-jolly-roger.xml b/testing/story/src/test/resources/village/org-project-jolly-roger.xml
new file mode 100644
index 00000000000..bb1eec88ef5
--- /dev/null
+++ b/testing/story/src/test/resources/village/org-project-jolly-roger.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2014 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<org oid="a9ac1aa2-0c0f-11e4-9214-001e8c717e5b"
+		xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'>
+	<name>Jolly Roger</name>
+	<parentOrgRef oid="00000000-8888-6666-0000-200000000000"/>
+	<assignment>
+		<targetRef oid="ab33ec1e-0c0b-11e4-ba88-001e8c717e5b"/>
+	</assignment>
+	<displayName>Project Jolly Roger</displayName>
+	<orgType>project</orgType>
+</org>
\ No newline at end of file
diff --git a/testing/story/src/test/resources/village/orgs.xml b/testing/story/src/test/resources/village/orgs.xml
index ae67714b1fe..686413919ae 100644
--- a/testing/story/src/test/resources/village/orgs.xml
+++ b/testing/story/src/test/resources/village/orgs.xml
@@ -64,4 +64,9 @@
 		<orgType>functional</orgType>
 	</org>
 	
+	<org oid="00000000-8888-6666-0000-200000000000">
+		<name>Projects</name>
+		<displayName>Projects</displayName>
+	</org>
+	
 </objects>
\ No newline at end of file
diff --git a/testing/story/src/test/resources/village/resource-opendj.xml b/testing/story/src/test/resources/village/resource-opendj.xml
index 4b64787f63c..acf1cc09c56 100644
--- a/testing/story/src/test/resources/village/resource-opendj.xml
+++ b/testing/story/src/test/resources/village/resource-opendj.xml
@@ -207,6 +207,107 @@
             </attribute>
         </objectType>
         
+        <objectType>
+        	<kind>entitlement</kind>
+            <intent>projAdmGroup</intent>
+            <displayName>Project Admin Group</displayName>
+            <objectClass>ri:GroupObjectClass</objectClass>
+            <attribute>
+                <ref>icfs:name</ref>
+                <matchingRule>mr:stringIgnoreCase</matchingRule>
+                <outbound>
+                    <!-- Name cannot be weak. Changes in name trigger object rename. -->
+					<source>
+						<path>$focus/name</path>
+					</source>
+                    <expression>
+                    	<script>
+	                        <code>
+	                        	import javax.naming.ldap.Rdn
+	                        	import javax.naming.ldap.LdapName
+	                        	
+	                        	dn = new LdapName('dc=example,dc=com')
+	                        	dn.add(new Rdn('ou', name.toString()))
+	                        	dn.add(new Rdn('cn', 'admins'))
+	                        	return dn.toString()
+	                        </code>
+                        </script>
+                    </expression>
+                </outbound>
+            </attribute>
+            <attribute>
+                <ref>ri:cn</ref>
+                <matchingRule>mr:stringIgnoreCase</matchingRule>
+                <outbound>
+                	<!-- This MUST be weak in case of OpenDJ. If DN (name) is changed then the uid will be changed
+                	     as a side-effect as it is a naming attribute. -->
+                	<strength>weak</strength>
+                	<expression>
+                		<value>admins</value>
+                	</expression>
+                </outbound>
+            </attribute>
+            <dependency>
+				<kind>generic</kind>
+				<intent>projOu</intent>
+			</dependency>
+        </objectType>
+        
+        <objectType>
+        	<kind>generic</kind>
+            <intent>projOu</intent>
+            <displayName>Project Organizational Unit</displayName>
+            <objectClass>ri:CustomorganizationalUnitObjectClass</objectClass>
+            <attribute>
+                <ref>icfs:name</ref>
+                <matchingRule>mr:stringIgnoreCase</matchingRule>
+                <outbound>
+                    <!-- Name cannot be weak. Changes in name trigger object rename. -->
+					<source>
+						<path>$focus/name</path>
+					</source>
+                    <expression>
+                    	<script>
+	                        <code>
+	                        	import javax.naming.ldap.Rdn
+	                        	import javax.naming.ldap.LdapName
+	                        	
+	                        	dn = new LdapName('dc=example,dc=com')
+                        		dn.add(new Rdn('ou', name.toString()))
+	                        	return dn.toString()
+	                        </code>
+                        </script>
+                    </expression>
+                </outbound>
+            </attribute>
+            <attribute>
+                <ref>ri:ou</ref>
+                <matchingRule>mr:stringIgnoreCase</matchingRule>
+                <outbound>
+                	<!-- This MUST be weak in case of OpenDJ. If DN (name) is changed then the uid will be changed
+                	     as a side-effect as it is a naming attribute. -->
+                	<strength>weak</strength>
+                	<source>
+                		<path>$focus/name</path>
+                	</source>
+                </outbound>
+                <inbound>
+                	<strength>weak</strength>
+                	<target>
+                		<path>$focus/name</path>
+                	</target>
+                </inbound>
+            </attribute>
+            <attribute>
+                <ref>ri:description</ref>
+                <outbound>
+                	<source>
+                		<path>description</path>
+                	</source>
+                </outbound>
+            </attribute>
+        </objectType>
+        
     </schemaHandling>
 
     <capabilities xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
diff --git a/testing/story/src/test/resources/village/role-meta-project-org.xml b/testing/story/src/test/resources/village/role-meta-project-org.xml
new file mode 100644
index 00000000000..59109efc109
--- /dev/null
+++ b/testing/story/src/test/resources/village/role-meta-project-org.xml
@@ -0,0 +1,46 @@
+<!--
+  ~ Copyright (c) 2014 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<!-- This is a meta-role. A Role indented to be assigned to other roles.
+     I really mean assigned, not included or induced. -->
+
+<role oid="ab33ec1e-0c0b-11e4-ba88-001e8c717e5b"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance/10000000-0000-0000-0000-000000000004"
+        xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy">
+    <name>Project Orgstruct Metarole</name>
+    
+    <inducement>
+    	<construction>
+    		<!-- OpenDJ resource -->
+    		<resourceRef oid="10000000-0000-0000-0000-000000000003" type="c:ResourceType"/>
+    		<kind>generic</kind>
+            <intent>projOu</intent>
+    	</construction>
+    </inducement>
+    
+    <inducement>
+    	<construction>
+    		<!-- OpenDJ resource -->
+    		<resourceRef oid="10000000-0000-0000-0000-000000000003" type="c:ResourceType"/>
+    		<kind>entitlement</kind>
+            <intent>projAdmGroup</intent>
+    	</construction>
+    </inducement>
+        
+</role>

From bbd03e354f569aa304fdb547fd2791d6eeef5683 Mon Sep 17 00:00:00 2001
From: Radovan Semancik <radovan.semancik@evolveum.com>
Date: Tue, 15 Jul 2014 16:11:01 +0200
Subject: [PATCH 4/4] Fixing administrativeStatus, validFrom and validTo
 mapping confusion.

---
 .../model/impl/lens/projector/ActivationProcessor.java      | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ActivationProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ActivationProcessor.java
index ba8e53c0cb7..0dca057adde 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ActivationProcessor.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/ActivationProcessor.java
@@ -273,7 +273,7 @@ public <F extends FocusType> void processActivationUserCurrent(LensContext<F> co
         }
 
         if (capValidFrom != null) {
-	    	evaluateActivationMapping(context, accCtx, activationType.getAdministrativeStatus(),
+	    	evaluateActivationMapping(context, accCtx, activationType.getValidFrom(),
 	    			SchemaConstants.PATH_ACTIVATION_VALID_FROM, SchemaConstants.PATH_ACTIVATION_VALID_FROM, 
 	    			null, now, true, ActivationType.F_VALID_FROM.getLocalPart(), task, result);
         } else {
@@ -281,9 +281,9 @@ public <F extends FocusType> void processActivationUserCurrent(LensContext<F> co
         }
 	
         if (capValidTo != null) {
-	    	evaluateActivationMapping(context, accCtx, activationType.getAdministrativeStatus(),
+	    	evaluateActivationMapping(context, accCtx, activationType.getValidTo(),
 	    			SchemaConstants.PATH_ACTIVATION_VALID_TO, SchemaConstants.PATH_ACTIVATION_VALID_TO, 
-	    			null, now, true, ActivationType.F_VALID_FROM.getLocalPart(), task, result);
+	    			null, now, true, ActivationType.F_VALID_TO.getLocalPart(), task, result);
 	    } else {
 	    	LOGGER.trace("Skipping activation validTo processing because {} does not have activation validTo capability", accCtx.getResource());
 	    }