From 8835a9c46e51af99973c8ad36f1922fb52becf15 Mon Sep 17 00:00:00 2001 From: Radovan Semancik Date: Fri, 17 Apr 2015 16:40:48 +0200 Subject: [PATCH] Implementing modelInteractionService.getCredentialsPolicy(...) --- .../xml/ns/public/common/common-3.xsd | 5 -- .../model/api/ModelInteractionService.java | 16 +++++ .../impl/controller/ModelController.java | 35 +++++++++++ ...bstractConfiguredModelIntegrationTest.java | 3 + ...stractInitializedModelIntegrationTest.java | 5 +- .../midpoint/model/intest/TestSecurity.java | 62 +++++++++++++++++-- .../test/resources/common/security-policy.xml | 34 ++++++++++ .../system-configuration-with-template.xml | 3 +- .../resources/common/system-configuration.xml | 3 +- 9 files changed, 154 insertions(+), 12 deletions(-) create mode 100644 model/model-intest/src/test/resources/common/security-policy.xml diff --git a/infra/schema/src/main/resources/xml/ns/public/common/common-3.xsd b/infra/schema/src/main/resources/xml/ns/public/common/common-3.xsd index af93cdf5428..021b09c8a63 100644 --- a/infra/schema/src/main/resources/xml/ns/public/common/common-3.xsd +++ b/infra/schema/src/main/resources/xml/ns/public/common/common-3.xsd @@ -8926,11 +8926,6 @@ - diff --git a/model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelInteractionService.java b/model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelInteractionService.java index b02abddcd29..7206ad1ce07 100644 --- a/model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelInteractionService.java +++ b/model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelInteractionService.java 
@@ -33,10 +33,12 @@
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.util.exception.SecurityViolationException;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
 import com.evolveum.midpoint.xml.ns._public.model.model_context_3.LensContextType;
 
 /**
@@ -57,6 +59,7 @@ public interface ModelInteractionService {
     static final String PREVIEW_CHANGES = CLASS_NAME_WITH_DOT + "previewChanges";
     static final String GET_EDIT_OBJECT_DEFINITION = CLASS_NAME_WITH_DOT + "getEditObjectDefinition";
     static final String GET_ASSIGNABLE_ROLE_SPECIFICATION = CLASS_NAME_WITH_DOT + "getAssignableRoleSpecification";
+    static final String GET_CREDENTIALS_POLICY = CLASS_NAME_WITH_DOT + "getCredentialsPolicy";
 
     /**
      * Computes the most likely changes triggered by the provided delta. The delta may be any change of any object, e.g.
@@ -126,4 +129,17 @@ ModelContext previewChanges(
      * @param focus Object of the operation. The object (usually user) to whom the roles should be assigned.
      */
     RoleSelectionSpecification getAssignableRoleSpecification(PrismObject focus, OperationResult parentResult) throws ObjectNotFoundException, SchemaException, ConfigurationException;
+
+    /**
+     * Returns a credential policy that applies to the specified user. This method is designed to be used
+     * during credential reset so the GUI has enough information to set up the credential (e.g. password policies,
+     * security questions, etc).
+     *
+     * @param user user for who the policy should apply
+     * @param parentResult
+     * @return applicable credentials policy or null
+     * @throws ObjectNotFoundException No system configuration or other major system inconsistency
+     * @throws SchemaException Wrong schema or content of security policy
+     */
+    CredentialsPolicyType getCredentialsPolicy(PrismObject user, OperationResult parentResult) throws ObjectNotFoundException, SchemaException;
 }
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelController.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelController.java
index 51b14090b35..e46444f4fe2 100644
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelController.java
+++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelController.java
@@ -139,6 +139,7 @@
 import com.evolveum.midpoint.util.DebugUtil;
 import com.evolveum.midpoint.util.DisplayableValue;
 import com.evolveum.midpoint.util.exception.AuthorizationException;
+import com.evolveum.midpoint.util.exception.CommonException;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
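Review bot: The Javadoc of getCredentialsPolicy leaves `@param parentResult` without a description and states that the returned policy "applies to the specified user", which promises more than the implementation added in this commit delivers (ModelController resolves the global security policy referenced from the system configuration and does not read `user`). Suggest `@param parentResult parent operation result; a minor subresult named GET_CREDENTIALS_POLICY is created under it` and a sentence noting that per-user policy selection (e.g. by organization membership) is not implemented yet, so the global policy is returned for every user. The `@return` line could also say that null is returned when there is no system configuration, no global security policy reference, or the policy cannot be resolved, since that is what callers must handle.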
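Review bot: `CommonException` is added to the ModelController imports, but the only new code this commit adds to the file, getCredentialsPolicy, declares and catches `ObjectNotFoundException | SchemaException` and never references CommonException. Unless something outside the diff uses it, the import is unused and should be dropped rather than left as a hint of an exception type the method does not throw.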
@@ -155,6 +156,7 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ConnectorHostType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ConnectorType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.LayerType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.LookupTableRowType;
@@ -172,6 +174,7 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ReportType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowKindType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
@@ -1296,6 +1299,38 @@ private DisplayableValue getRoleSelectionSpecEq(EqualFilter eqFi
         }
         return null;
     }
+
+    @Override
+    public CredentialsPolicyType getCredentialsPolicy(PrismObject user, OperationResult parentResult) throws ObjectNotFoundException, SchemaException {
+        // TODO: check for user membership in an organization (later versions)
+
+        OperationResult result = parentResult.createMinorSubresult(GET_CREDENTIALS_POLICY);
+        try {
+            PrismObject systemConfiguration = getSystemConfiguration(result);
+            if (systemConfiguration == null) {
+                result.recordNotApplicableIfUnknown();
+                return null;
+            }
+            ObjectReferenceType secPolicyRef = systemConfiguration.asObjectable().getGlobalSecurityPolicyRef();
+            if (secPolicyRef == null) {
+                result.recordNotApplicableIfUnknown();
+                return null;
+            }
+            SecurityPolicyType securityPolicyType;
+            securityPolicyType = objectResolver.resolve(secPolicyRef, SecurityPolicyType.class, null, "security policy referred from system configuration", result);
+            if (securityPolicyType == null) {
+                result.recordNotApplicableIfUnknown();
+                return null;
+            }
+            CredentialsPolicyType credentialsPolicyType = securityPolicyType.getCredentials();
+            result.recordSuccess();
+            return credentialsPolicyType;
+        } catch (ObjectNotFoundException | SchemaException e) {
+            result.recordFatalError(e);
+            throw e;
+        }
+
+    }
 
     private PrismObject getSystemConfiguration(OperationResult result) throws ObjectNotFoundException, SchemaException {
         PrismObject config = cacheRepositoryService.getObject(SystemConfigurationType.class,
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java
index 87bf11e5c64..8af81d365c4 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java
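Review bot: In getCredentialsPolicy only `ObjectNotFoundException | SchemaException` close the minor subresult; a RuntimeException thrown by getSystemConfiguration or objectResolver.resolve escapes with `result` never recorded, leaving an open subresult under parentResult, so add `catch (RuntimeException e) { result.recordFatalError(e); throw e; }` next to the existing clause. The `user` parameter is not read anywhere in the body, so every caller receives the single global policy; the TODO should say this explicitly, e.g. `// TODO: user is currently ignored, only the global security policy from the system configuration is consulted; per-organization policies are for later versions`. No authorization check is visible before the security policy is resolved and its credentials section returned; if the neighbouring ModelInteractionService methods authorize the caller, this one should follow the same pattern, otherwise a comment should record why a credential-reset caller is deliberately exempt. The `SecurityPolicyType securityPolicyType;` declaration and the assignment on the next line can be merged into one statement.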
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java
@@ -340,6 +340,9 @@ public class AbstractConfiguredModelIntegrationTest extends AbstractModelIntegra
     public static final String LOOKUP_LANGUAGES_OID = "70000000-0000-0000-1111-000000000001";
     public static final String LOOKUP_LANGUAGES_NAME = "Languages";
 
+    protected static final File SECURITY_POLICY_FILE = new File(COMMON_DIR, "security-policy.xml");
+    protected static final String SECURITY_POLICY_OID = "28bf845a-b107-11e3-85bc-001e8c717e5b";
+
     protected static final String NS_PIRACY = "http://midpoint.evolveum.com/xml/ns/samples/piracy";
     protected static final QName PIRACY_SHIP = new QName(NS_PIRACY, "ship");
     protected static final QName PIRACY_TALES = new QName(NS_PIRACY, "tales");
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractInitializedModelIntegrationTest.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractInitializedModelIntegrationTest.java
index fe2db014fca..307f2a663e9 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractInitializedModelIntegrationTest.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractInitializedModelIntegrationTest.java
@@ -28,9 +28,9 @@
 import java.util.List;
 
 import com.evolveum.midpoint.prism.query.OrgFilter;
-
 import com.evolveum.midpoint.prism.xml.XmlTypeConverter;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.SynchronizationSituationType;
+
 import org.springframework.beans.factory.annotation.Autowired;
 
 import com.evolveum.icf.dummy.resource.DummyGroup;
@@ -65,6 +65,7 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemObjectsType;
@@ -242,6 +243,8 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
 
         repoAddObjectFromFile(LOOKUP_LANGUAGES_FILE, ObjectTemplateType.class, initResult);
 
+        repoAddObjectFromFile(SECURITY_POLICY_FILE, SecurityPolicyType.class, initResult);
+
         // User Templates
         repoAddObjectFromFile(USER_TEMPLATE_FILENAME, ObjectTemplateType.class, initResult);
         repoAddObjectFromFile(USER_TEMPLATE_COMPLEX_FILENAME, ObjectTemplateType.class, initResult);
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java
index 2eb762206da..3b53a9aacd3 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java
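Review bot: The new `repoAddObjectFromFile(SECURITY_POLICY_FILE, SecurityPolicyType.class, initResult);` in initSystem is dropped between the lookup-table and user-template sections without the section comment its neighbours carry (`// User Templates`); a `// Security policy (referenced from the system configuration as globalSecurityPolicyRef)` line above it keeps initSystem scannable and records why the object must exist before the tests run. initSystem starts and ends outside the hunk.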
@@ -66,12 +66,15 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationDecisionType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationPhaseType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.MetadataType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectSpecificationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.OwnedObjectSpecificationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityQuestionsCredentialsPolicyType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowKindType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.SpecialObjectSpecificationType;
@@ -1329,8 +1332,59 @@ public void run(Task task, OperationResult result) throws Exception {
     }
 
     @Test
-    public void test280AutzJackEndUserAndModify() throws Exception {
-        final String TEST_NAME = "test280AutzJackEndUserAndModify";
+    public void test280AutzJackEndUser() throws Exception {
+        final String TEST_NAME = "test280AutzJackEndUser";
+        TestUtil.displayTestTile(this, TEST_NAME);
+        // GIVEN
+        cleanupAutzTest(USER_JACK_OID);
+
+        assignRole(USER_JACK_OID, ROLE_END_USER_OID);
+
+        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
+
+        login(USER_JACK_USERNAME);
+
+        // WHEN
+        TestUtil.displayWhen(TEST_NAME);
+
+        assertGetAllow(UserType.class, USER_JACK_OID);
+        assertGetAllow(UserType.class, USER_JACK_OID, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
+        assertGetDeny(UserType.class, USER_GUYBRUSH_OID);
+        assertGetDeny(UserType.class, USER_GUYBRUSH_OID, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
+
+        assertSearch(UserType.class, null, 1);
+        assertSearch(UserType.class, createNameQuery(USER_JACK_USERNAME), 1);
+        assertSearch(UserType.class, createNameQuery(USER_JACK_USERNAME), SelectorOptions.createCollection(GetOperationOptions.createRaw()), 1);
+        assertSearch(UserType.class, createNameQuery(USER_GUYBRUSH_USERNAME), 0);
+        assertSearch(UserType.class, createNameQuery(USER_GUYBRUSH_USERNAME), SelectorOptions.createCollection(GetOperationOptions.createRaw()), 0);
+
+        assertAddDeny();
+        assertModifyDeny();
+        assertDeleteDeny();
+
+        PrismObject user = getUser(USER_JACK_OID);
+        assertAssignments(user, 2);
+
+        user = getUser(USER_JACK_OID);
+
+        assertGlobalStateUntouched();
+
+        assertCredentialsPolicy(user);
+    }
+
+    private void assertCredentialsPolicy(PrismObject user) throws ObjectNotFoundException, SchemaException {
+        OperationResult result = new OperationResult("assertCredentialsPolicy");
+        CredentialsPolicyType credentialsPolicy = modelInteractionService.getCredentialsPolicy(user, result);
+
result.computeStatus(); + TestUtil.assertSuccess(result); + assertNotNull("No credentials policy for "+user, credentialsPolicy); + SecurityQuestionsCredentialsPolicyType securityQuestions = credentialsPolicy.getSecurityQuestions(); + assertEquals("Unexepected number of security questions for "+user, 2, securityQuestions.getQuestion().size()); + } + + @Test + public void test282AutzJackEndUserAndModify() throws Exception { + final String TEST_NAME = "test282AutzJackEndUserAndModify"; TestUtil.displayTestTile(this, TEST_NAME); // GIVEN cleanupAutzTest(USER_JACK_OID); @@ -1368,8 +1422,8 @@ public void run(Task task, OperationResult result) throws Exception { @Test - public void test281AutzJackModifyAndEndUser() throws Exception { - final String TEST_NAME = "test270AutzJackAssignApplicationRoles"; + public void test283AutzJackModifyAndEndUser() throws Exception { + final String TEST_NAME = "test283AutzJackModifyAndEndUser"; TestUtil.displayTestTile(this, TEST_NAME); // GIVEN cleanupAutzTest(USER_JACK_OID); diff --git a/model/model-intest/src/test/resources/common/security-policy.xml b/model/model-intest/src/test/resources/common/security-policy.xml new file mode 100644 index 00000000000..6e36d83150e --- /dev/null +++ b/model/model-intest/src/test/resources/common/security-policy.xml @@ -0,0 +1,34 @@ + + + + + Security Policy + + + + http://midpoint.evolveum.com/xml/ns/public/security/question-2#q001 + true + How much wood would a woodchuck chuck if woodchuck could chuck wood? + + + http://midpoint.evolveum.com/xml/ns/public/security/question-2#q002 + What is your mother's best friend's uncle's grandaughter's dog's mother maiden name? + + + + diff --git a/model/model-intest/src/test/resources/common/system-configuration-with-template.xml b/model/model-intest/src/test/resources/common/system-configuration-with-template.xml index b9295e8ea2d..24263f92f7e 100644 --- a/model/model-intest/src/test/resources/common/system-configuration-with-template.xml 
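Review bot: assertCredentialsPolicy calls `credentialsPolicy.getSecurityQuestions()` and immediately dereferences the result, so a security policy whose credentials section has no securityQuestions element fails with a NullPointerException instead of a readable assertion; add `assertNotNull("No security questions policy for "+user, securityQuestions);` before the size check. The assertion message on the next line has a typo, `"Unexepected number of security questions for "` should read `"Unexpected number of security questions for "`. Since the helper is invoked while logged in as jack with only ROLE_END_USER_OID assigned, it is also the only coverage that an end user can read the credentials policy; a one-line comment above the call in test280AutzJackEndUser, e.g. `// end user must be able to read the credentials policy (needed for credential reset)`, would make that intent explicit.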
+++ b/model/model-intest/src/test/resources/common/system-configuration-with-template.xml
@@ -1,6 +1,6 @@