Mulivalue subjeRelation in roleRelation (MID-4949)

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/page/PageBase.java

@@ -635,13 +635,14 @@ public UserType getPrincipalUser() {
         return principal.getUser();
     }
 
-    public boolean hasSubjectRoleRelation(String oid, QName relation) {
+    public boolean hasSubjectRoleRelation(String oid, List<QName> subjectRelations) {
     	UserType userType = getPrincipalUser();
     	if (userType == null) {
     		return false;
     	}
     	for (ObjectReferenceType roleMembershipRef : userType.getRoleMembershipRef()) {
-    		if (oid.equals(roleMembershipRef.getOid()) && QNameUtil.match(relation, roleMembershipRef.getRelation())) {
+    		if (oid.equals(roleMembershipRef.getOid()) && 
+    				getPrismContext().relationMatches(subjectRelations, roleMembershipRef.getRelation())) {
     			return true;
     		}
     	}

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/util/FocusTabVisibleBehavior.java

@@ -142,8 +142,8 @@ private boolean isApplicable(ObjectFormType form, PrismObject<O> object) {
     	}
     	RoleRelationObjectSpecificationType roleRelation = form.getRoleRelation();
     	if (roleRelation != null) {
-    		QName subjectRelation = roleRelation.getSubjectRelation();
-    		if (!pageBase.hasSubjectRoleRelation(object.getOid(), subjectRelation)) {
+    		List<QName> subjectRelations = roleRelation.getSubjectRelation();
+    		if (!pageBase.hasSubjectRoleRelation(object.getOid(), subjectRelations)) {
     			return false;
     		}
     	}

infra/prism/src/main/java/com/evolveum/midpoint/prism/PrismContext.java

@@ -282,6 +282,9 @@ <C extends Containerable, O extends Objectable> void adopt(PrismContainerValue<C
 
 	boolean relationMatches(QName relationQuery, QName relation);
 
+	/**
+	 * Returns true of any of the relation in the relationQuery list matches specified relation.
+	 */
 	boolean relationMatches(@NotNull List<QName> relationQuery, QName relation);
 
 }

infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd

@@ -12910,7 +12910,7 @@
             </xsd:appinfo>
         </xsd:annotation>
         <xsd:sequence>
-        	<xsd:element name="subjectRelation" minOccurs="0" type="xsd:QName">
+        	<xsd:element name="subjectRelation" minOccurs="0" type="xsd:QName" maxOccurs="unbounded">
         		<xsd:annotation>
         			<xsd:documentation>
         				Specifies the relation that the subject needs to have to the role for this condition to

repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/SecurityEnforcerImpl.java

@@ -1698,7 +1698,7 @@ private ObjectFilter processRoleRelationFilter(MidPointPrincipal principal, Auth
 					throw new UnsupportedOperationException("Inefficient roleRelation search (includeMembers=true without role in the original query) is not supported yet");
 				}
 			} else {
-				QName subjectRelation = specRoleRelation.getSubjectRelation();
+				List<QName> subjectRelation = specRoleRelation.getSubjectRelation();
 				boolean isRoleOidOk = false;
 				for (ObjectReferenceType subjectRoleMembershipRef: principal.getUser().getRoleMembershipRef()) {
 					if (!prismContext.relationMatches(subjectRelation, subjectRoleMembershipRef.getRelation())) {

testing/story/src/test/resources/security/role-members/users-roles.xml

@@ -94,6 +94,7 @@
 	    		<type>UserType</type>
 	    		<roleRelation>
 					<subjectRelation>org:owner</subjectRelation>
+					<subjectRelation>org:approver</subjectRelation>
 					<objectRelation>org:default</objectRelation>
 				</roleRelation>
 	    	</object>