More tests for lifecycle+authentication + little cleanup

Evolveum · Jul 10, 2018 · 8375ed0 · 8375ed0
1 parent 60635b6
commit 8375ed0
Show file tree

Hide file tree

Showing 5 changed files with 104 additions and 22 deletions.
diff --git a/...-impl/src/main/java/com/evolveum/midpoint/model/impl/security/UserProfileServiceImpl.java b/...-impl/src/main/java/com/evolveum/midpoint/model/impl/security/UserProfileServiceImpl.java
@@ -219,19 +219,7 @@ private void initializePrincipalFromAssignments(MidPointPrincipal principal, Pri
         principal.setApplicableSecurityPolicy(securityHelper.locateSecurityPolicy(userType.asPrismObject(), systemConfiguration, task, result));
 
 		if (!userType.getAssignment().isEmpty()) {
-			LensContext<UserType> lensContext = new LensContextPlaceholder<>(userType.asPrismObject(), prismContext);
-			//FIXME: quick hack TODO: coppied from ContextLoader
-			ObjectPolicyConfigurationType policyConfigurationType;
-			try {
-				policyConfigurationType = ModelUtils.determineObjectPolicyConfiguration(userType.asPrismObject(), systemConfiguration.asObjectable());
-			} catch (ConfigurationException e) {
-				throw new SchemaException(e.getMessage(), e);
-			}
-			if (LOGGER.isTraceEnabled()) {
-				LOGGER.trace("Selected policy configuration from subtypes {}:\n{}", 
-						FocusTypeUtil.determineSubTypes(userType.asPrismObject()), policyConfigurationType==null?null:policyConfigurationType.asPrismContainerValue().debugDump(1));
-			}
-            lensContext.getFocusContext().setObjectPolicyConfigurationType(policyConfigurationType);
+			LensContext<UserType> lensContext = createAuthenticationLensContext(userType.asPrismObject(), systemConfiguration);
 			AssignmentEvaluator.Builder<UserType> builder =
 					new AssignmentEvaluator.Builder<UserType>()
 							.repository(repositoryService)
@@ -291,6 +279,22 @@ private void initializePrincipalFromAssignments(MidPointPrincipal principal, Pri
         principal.setAdminGuiConfiguration(AdminGuiConfigTypeUtil.compileAdminGuiConfiguration(adminGuiConfigurations, systemConfiguration));
 	}
 
+	private LensContext<UserType> createAuthenticationLensContext(PrismObject<UserType> user, PrismObject<SystemConfigurationType> systemConfiguration) throws SchemaException {
+		LensContext<UserType> lensContext = new LensContextPlaceholder<>(user, prismContext);
+		ObjectPolicyConfigurationType policyConfigurationType;
+		try {
+			policyConfigurationType = ModelUtils.determineObjectPolicyConfiguration(user, systemConfiguration.asObjectable());
+		} catch (ConfigurationException e) {
+			throw new SchemaException(e.getMessage(), e);
+		}
+		if (LOGGER.isTraceEnabled()) {
+			LOGGER.trace("Selected policy configuration from subtypes {}:\n{}", 
+					FocusTypeUtil.determineSubTypes(user), policyConfigurationType==null?null:policyConfigurationType.asPrismContainerValue().debugDump(1));
+		}
+        lensContext.getFocusContext().setObjectPolicyConfigurationType(policyConfigurationType);
+		return lensContext;
+	}
+
 	private void addAuthorizations(Collection<Authorization> targetCollection, Collection<Authorization> sourceCollection, AuthorizationTransformer authorizationTransformer) {
 		if (sourceCollection == null) {
 			return;

diff --git a/.../test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java b/.../test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java
@@ -523,6 +523,10 @@ public class AbstractConfiguredModelIntegrationTest extends AbstractModelIntegra
 	protected static final String AUTZ_SAIL_URL = QNameUtil.qNameToUri(AUTZ_SAIL_QNAME);
 	protected static final QName AUTZ_DRINK_QNAME = new QName(NS_TEST_AUTZ, "drink");
 	protected static final String AUTZ_DRINK_URL = QNameUtil.qNameToUri(AUTZ_DRINK_QNAME);
+	protected static final QName AUTZ_APPARATE_QNAME = new QName(NS_TEST_AUTZ, "apparate");
+	protected static final String AUTZ_APPARATE_URL = QNameUtil.qNameToUri(AUTZ_APPARATE_QNAME);
+	protected static final QName AUTZ_GAMBLE_QNAME = new QName(NS_TEST_AUTZ, "gamble");
+	protected static final String AUTZ_GAMBLE_URL = QNameUtil.qNameToUri(AUTZ_GAMBLE_QNAME);
 
 	protected static final String NOTIFIER_ACCOUNT_PASSWORD_NAME = "accountPasswordNotifier";
 	protected static final String NOTIFIER_USER_PASSWORD_NAME = "userPasswordNotifier";

diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestLifecycle.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestLifecycle.java
@@ -25,11 +25,16 @@
 import org.testng.annotations.Test;
 
 import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.prism.util.PrismTestUtil;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.security.api.MidPointPrincipal;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentPolicyEnforcementType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
 
 /**
@@ -59,13 +64,17 @@ public class TestLifecycle extends AbstractInitializedModelIntegrationTest {
 	public static final String SUBTYPE_EMPLOYEE = "employee";
 	private static final Object USER_JACK_TELEPHONE_NUMBER = "12345654321";
 
+	private String accontJackOid;
+
 	@Override
     public void initSystem(Task initTask, OperationResult initResult) throws Exception {
         super.initSystem(initTask, initResult);
 
 		repoAddObjectFromFile(ROLE_HEADMASTER_FILE, initResult);
 		repoAddObjectFromFile(ROLE_CARETAKER_FILE, initResult);
 		repoAddObjectFromFile(ROLE_GAMBLER_FILE, initResult);
+
+		assumeAssignmentPolicy(AssignmentPolicyEnforcementType.FULL);
     }
 
 	@Override
@@ -92,6 +101,7 @@ public void test050SetupJack() throws Exception {
 
         assignRole(USER_JACK_OID, ROLE_HEADMASTER_OID, task, result);
         assignRole(USER_JACK_OID, ROLE_GAMBLER_OID, task, result);
+        assignRole(USER_JACK_OID, ROLE_PIRATE_OID, task, result);
         modifyUserReplace(USER_JACK_OID, UserType.F_LIFECYCLE_STATE, task, result, SchemaConstants.LIFECYCLE_DRAFT);
         modifyUserReplace(USER_JACK_OID, UserType.F_EMPLOYEE_TYPE, task, result, SUBTYPE_EMPLOYEE);
         modifyUserReplace(USER_JACK_OID, UserType.F_TELEPHONE_NUMBER, task, result, USER_JACK_TELEPHONE_NUMBER);
@@ -102,13 +112,31 @@ public void test050SetupJack() throws Exception {
 
         PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
         display("User after", userAfter);
-        assertAssignments(userAfter, 2);
+        assertAssignments(userAfter, 3);
         assertLifecycleState(userAfter, SchemaConstants.LIFECYCLE_DRAFT);
         assertTelephoneNumber(userAfter, USER_JACK_TELEPHONE_NUMBER);
         assertEffectiveActivation(userAfter, ActivationStatusType.DISABLED);
+        // User is in draft lifecycle. Assignments are not active. Therefore account does not exist yet.
         assertLinks(userAfter, 0);
     }
 
+    @Test
+    public void test052PrincipalJackDraft() throws Exception {
+		final String TEST_NAME = "test052AutzJackDraft";
+        displayTestTitle(TEST_NAME);
+        // GIVEN
+
+        // WHEN
+        displayWhen(TEST_NAME);
+        MidPointPrincipal principal = userProfileService.getPrincipal(USER_JACK_USERNAME);
+
+        // THEN
+        displayThen(TEST_NAME);
+        assertNotAuthorized(principal, AUTZ_COMMAND_URL);
+        assertNotAuthorized(principal, AUTZ_GAMBLE_URL);
+        assertNotAuthorized(principal, AUTZ_APPARATE_URL);
+	}
+
     /**
      * Transition Jack to proposed lifecycle state (manual transition).
      * Proposed state should have effective status of "disabled" by default.
@@ -133,13 +161,36 @@ public void test060TransitionJackToProposed() throws Exception {
 
         PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
         display("User after", userAfter);
-        assertAssignments(userAfter, 2);
+        assertAssignments(userAfter, 3);
         assertLifecycleState(userAfter, SchemaConstants.LIFECYCLE_PROPOSED);
         assertTelephoneNumber(userAfter, USER_JACK_TELEPHONE_NUMBER);
         assertEffectiveActivation(userAfter, ActivationStatusType.ENABLED);
-        assertLinks(userAfter, 0);
+        // Although we are in the proposed lifecycle and assignments would not be active by default
+        // the proposed lifecycle is forcing activation to enabled. Therefore also assignments are
+        // considered active.
+        accontJackOid = getSingleLinkOid(userAfter);
     }
 
+    @Test
+    public void test062PrincipalJackProposed() throws Exception {
+		final String TEST_NAME = "test062PrincipalJackProposed";
+        displayTestTitle(TEST_NAME);
+        // GIVEN
+
+        // WHEN
+        displayWhen(TEST_NAME);
+        MidPointPrincipal principal = userProfileService.getPrincipal(USER_JACK_USERNAME);
+
+        // THEN
+        displayThen(TEST_NAME);
+        assertNotAuthorized(principal, AUTZ_COMMAND_URL);
+        // Although we are in the proposed lifecycle and assignments would not be active by default
+        // the proposed lifecycle is forcing activation to enabled. Therefore also assignments are
+        // considered active. Their authorizations should be applied to principal.
+        assertAuthorized(principal, AUTZ_GAMBLE_URL);
+        assertAuthorized(principal, AUTZ_APPARATE_URL);
+	}
+
     /**
      * Transition Jack to default lifecycle (active) state (manual transition).
      * This prepares jack for next tests. 
@@ -162,13 +213,30 @@ public void test090TransitionJackToDefaultActive() throws Exception {
 
         PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
         display("User after", userAfter);
-        assertAssignments(userAfter, 2);
+        assertAssignments(userAfter, 3);
         assertLifecycleState(userAfter, null);
         assertTelephoneNumber(userAfter, USER_JACK_TELEPHONE_NUMBER);
         assertEffectiveActivation(userAfter, ActivationStatusType.ENABLED);
-        assertLinks(userAfter, 0);
+        assertLinks(userAfter, 1);
     }
 
+    @Test
+    public void test092PrincipalJackDefaultActive() throws Exception {
+		final String TEST_NAME = "test092PrincipalJackDefaultActive";
+        displayTestTitle(TEST_NAME);
+        // GIVEN
+
+        // WHEN
+        displayWhen(TEST_NAME);
+        MidPointPrincipal principal = userProfileService.getPrincipal(USER_JACK_USERNAME);
+
+        // THEN
+        displayThen(TEST_NAME);
+        assertNotAuthorized(principal, AUTZ_COMMAND_URL);
+        assertAuthorized(principal, AUTZ_GAMBLE_URL);
+        assertAuthorized(principal, AUTZ_APPARATE_URL);
+	}
+
     private void assertTelephoneNumber(PrismObject<UserType> user, Object expectedTelephoneNumber) {
     	assertEquals("Wrong telephoe number in "+user, expectedTelephoneNumber, user.asObjectable().getTelephoneNumber());
 	}
@@ -196,7 +264,7 @@ public void test100AssignJackCaretaker() throws Exception {
 
         PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
         display("User after", userAfter);
-        assertAssignments(userAfter, 3);
+        assertAssignments(userAfter, 4);
         assertLifecycleState(userAfter, null);
         assertTelephoneNumber(userAfter, USER_JACK_TELEPHONE_NUMBER);
     }
@@ -220,7 +288,7 @@ public void test102UnassignJackHeadmaster() throws Exception {
 
         PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
         display("User after", userAfter);
-        assertAssignments(userAfter, 2);
+        assertAssignments(userAfter, 3);
         assertLifecycleState(userAfter, null);
         assertTelephoneNumber(userAfter, USER_JACK_TELEPHONE_NUMBER);
     }
@@ -248,7 +316,7 @@ public void test110UnassignJackCaretaker() throws Exception {
 
         PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
         display("User after", userAfter);
-        assertAssignments(userAfter, 1);
+        assertAssignments(userAfter, 2);
         assertLifecycleState(userAfter, SchemaConstants.LIFECYCLE_ARCHIVED);
         assertTelephoneNumber(userAfter, null);
     }
@@ -276,7 +344,7 @@ public void test112UnassignJackCaretaker() throws Exception {
 
         PrismObject<UserType> userAfter = getUser(USER_JACK_OID);
         display("User after", userAfter);
-        assertAssignments(userAfter, 2);
+        assertAssignments(userAfter, 3);
         assertLifecycleState(userAfter, SchemaConstants.LIFECYCLE_ARCHIVED);
         assertTelephoneNumber(userAfter, null);
     }

diff --git a/model/model-intest/src/test/resources/lifecycle/role-gambler.xml b/model/model-intest/src/test/resources/lifecycle/role-gambler.xml
@@ -22,4 +22,7 @@
     <name>Gambler</name>
     <description>This is non-employee role. It does NOT work as data processing basis.</description>
     <!-- No roleType -->
+    <authorization>
+    	<action>http://midpoint.evolveum.com/xml/ns/test/authorization#gamble</action>
+    </authorization>
 </role>
diff --git a/model/model-intest/src/test/resources/lifecycle/role-headmaster.xml b/model/model-intest/src/test/resources/lifecycle/role-headmaster.xml
@@ -21,4 +21,7 @@
         xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy">
     <name>Headmaster</name>
     <roleType>dataProcessingBasis</roleType>
+    <authorization>
+    	<action>http://midpoint.evolveum.com/xml/ns/test/authorization#apparate</action>
+    </authorization>
 </role>