Fixing delegator authorization with search (MID-4892)

model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java

@@ -76,7 +76,6 @@ public class AbstractConfiguredModelIntegrationTest extends AbstractModelIntegra
 
 	public static final File USER_ADMINISTRATOR_FILE = new File(COMMON_DIR, "user-administrator.xml");
 	protected static final String USER_ADMINISTRATOR_OID = "00000000-0000-0000-0000-000000000002";
-	protected static final String USER_ADMINISTRATOR_USERNAME = "administrator";
 
 	protected static final String USER_TEMPLATE_FILENAME = COMMON_DIR + "/user-template.xml";
 	protected static final String USER_TEMPLATE_OID = "10000000-0000-0000-0000-000000000002";

model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityBasic.java

@@ -2272,12 +2272,8 @@ public void test279AutzJackAssignRequestableRolesWithTenantRef() throws Exceptio
         assertAssignments(user, 2);
         assertAssignedRole(user, ROLE_BUSINESS_1_OID);
 
-        assertDeny("assign application role to jack", new Attempt() {
-			@Override
-			public void run(Task task, OperationResult result) throws Exception {
-				assignRole(USER_JACK_OID, ROLE_BUSINESS_2_OID, task, result);
-			}
-		});
+        assertDeny("assign application role to jack", (task, result) -> 
+				assignRole(USER_JACK_OID, ROLE_BUSINESS_2_OID, task, result));
 
         assertAllow("unassign business role from jack",
         	(task, result) ->
@@ -2422,12 +2418,8 @@ public void test281AutzJackEndUserSecondTime() throws Exception {
         assertAssignments(user, 3);
         assertAssignedRole(user, ROLE_BUSINESS_1_OID);
 
-        assertDeny("assign application role to jack", new Attempt() {
-			@Override
-			public void run(Task task, OperationResult result) throws Exception {
-				assignRole(USER_JACK_OID, ROLE_BUSINESS_2_OID, task, result);
-			}
-		});
+        assertDeny("assign application role to jack", 
+        		(task, result) -> assignRole(USER_JACK_OID, ROLE_BUSINESS_2_OID, task, result));
 
         // End-user role has authorization to assign, but not to unassign
         assertDeny("unassign business role from jack",
@@ -2558,12 +2550,8 @@ public void test290AutzJackRoleOwnerAssign() throws Exception {
         assertAssignments(user, 2);
         assertAssignedRole(user, ROLE_APPLICATION_1_OID);
 
-        assertDeny("assign application role 2 to jack", new Attempt() {
-			@Override
-			public void run(Task task, OperationResult result) throws Exception {
-				assignRole(USER_JACK_OID, ROLE_APPLICATION_2_OID, task, result);
-			}
-		});
+        assertDeny("assign application role 2 to jack", 
+        		(task, result) -> assignRole(USER_JACK_OID, ROLE_APPLICATION_2_OID, task, result));
 
         assertAllow("unassign application role 1 from jack",
         		(task,result) -> unassignRole(USER_JACK_OID, ROLE_APPLICATION_1_OID, task, result));

model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityMultitenant.java

@@ -199,15 +199,10 @@ public void test010ImportOrgstruct() throws Exception {
 
         Task task = createTask(TEST_NAME);
         OperationResult result = task.getResult();
-
-        ImportOptionsType options = MiscSchemaUtil.getDefaultImportOptions();
-        ModelExecuteOptionsType modelOptions = new ModelExecuteOptionsType();
-        modelOptions.setRaw(false);
-		options.setModelExecutionOptions(modelOptions);
 
         // WHEN
         displayWhen(TEST_NAME);
-        importObjectFromFile(ORG_MULTITENANT_FILE, options, task, result);
+        importObjectsFromFileNotRaw(ORG_MULTITENANT_FILE, task, result);
 
         // THEN
         displayThen(TEST_NAME);

model/model-test/src/main/java/com/evolveum/midpoint/model/test/Attempt.java

@@ -0,0 +1,30 @@
+/**
+ * Copyright (c) 2018 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.model.test;
+
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.task.api.Task;
+
+/**
+ * @author semancik
+ *
+ */
+@FunctionalInterface
+public interface Attempt {
+
+	void run(Task task, OperationResult result) throws Exception;
+
+}

model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/SearchAssertion.java → model/model-test/src/main/java/com/evolveum/midpoint/model/test/SearchAssertion.java

@@ -13,7 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package com.evolveum.midpoint.model.intest.security;
+package com.evolveum.midpoint.model.test;
 
 import java.util.List;
 

repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java

@@ -149,6 +149,8 @@
 @Listeners({ CurrentTestResultHolder.class })
 public abstract class AbstractIntegrationTest extends AbstractTestNGSpringContextTests {
 
+	protected static final String USER_ADMINISTRATOR_USERNAME = "administrator";
+
 	public static final String COMMON_DIR_NAME = "common";
 	@Deprecated
 	public static final String COMMON_DIR_PATH = MidPointTestConstants.TEST_RESOURCES_PATH + "/" + COMMON_DIR_NAME;

repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/SecurityEnforcerImpl.java

@@ -1214,21 +1214,12 @@ private <T extends ObjectType, O extends ObjectType> ObjectFilter preProcessObje
 								}
 							}
 
-//							// Delegator
-//							if (objectSpecType.getDelegator() != null) {
-//								if (objectDefinition == null) {
-//									objectDefinition = prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(objectType);
-//								}
-//								// TODO: MID-3899
-//								if (UserType.class.isAssignableFrom(objectType)) { TODO
-//									objSpecSecurityFilter = applyOwnerFilterOwnerRef(new ItemPath(AbstractRoleType.F_OWNER_REF), objSpecSecurityFilter,  principal, objectDefinition);
-//								} else if (TaskType.class.isAssignableFrom(objectType)) {
-//									objSpecSecurityFilter = applyOwnerFilterOwnerRef(new ItemPath(TaskType.F_OWNER_REF), objSpecSecurityFilter,  principal, objectDefinition);
-//								} else {
-//									LOGGER.trace("  Authorization not applicable for object because it has owner specification (this is not applicable for search)");
-//									continue;
-//								}
-//							}
+							// Delegator
+							if (objectSpecType.getDelegator() != null) {
+								// TODO: MID-3899
+								LOGGER.trace("    Authorization not applicable for object because it has delegator specification (this is not applicable for search)");
+								continue;
+							}
 
 							applicable = true;
 

testing/story/src/test/java/com/evolveum/midpoint/testing/story/TestPrivacy.java

@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) 2018 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.testing.story;
+
+import static org.testng.Assert.assertEquals;
+import static org.testng.Assert.assertFalse;
+import static org.testng.Assert.assertNotEquals;
+import static org.testng.Assert.assertNull;
+import static org.testng.Assert.assertTrue;
+import static org.testng.AssertJUnit.assertNotNull;
+import static org.testng.AssertJUnit.assertNull;
+
+import java.io.File;
+import java.util.Collection;
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
+import org.apache.commons.lang3.BooleanUtils;
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.annotation.DirtiesContext.ClassMode;
+import org.springframework.test.context.ContextConfiguration;
+import org.testng.AssertJUnit;
+import org.testng.annotations.AfterClass;
+import org.testng.annotations.Test;
+
+import com.evolveum.icf.dummy.resource.DummyAccount;
+import com.evolveum.icf.dummy.resource.DummySyncStyle;
+import com.evolveum.midpoint.prism.PrismConstants;
+import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.prism.PrismProperty;
+import com.evolveum.midpoint.prism.PrismReference;
+import com.evolveum.midpoint.prism.PrismReferenceValue;
+import com.evolveum.midpoint.prism.delta.ObjectDelta;
+import com.evolveum.midpoint.prism.delta.ReferenceDelta;
+import com.evolveum.midpoint.prism.path.ItemPath;
+import com.evolveum.midpoint.prism.util.PrismAsserts;
+import com.evolveum.midpoint.schema.constants.MidPointConstants;
+import com.evolveum.midpoint.schema.constants.ObjectTypes;
+import com.evolveum.midpoint.schema.constants.SchemaConstants;
+import com.evolveum.midpoint.schema.processor.ResourceAttribute;
+import com.evolveum.midpoint.schema.processor.ResourceAttributeContainer;
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
+import com.evolveum.midpoint.schema.util.ShadowUtil;
+import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.task.api.TaskExecutionStatus;
+import com.evolveum.midpoint.test.DummyResourceContoller;
+import com.evolveum.midpoint.test.util.MidPointTestConstants;
+import com.evolveum.midpoint.util.MiscUtil;
+import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ExecuteCredentialResetRequestType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ServiceType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowAssociationType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowKindType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskExecutionStatusType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
+import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
+
+/**
+ * Tests for privacy-enhancing setup. E.g. broad get authorizations, but limited search.
+ * 
+ * @author semancik
+ *
+ */
+@ContextConfiguration(locations = {"classpath:ctx-story-test-main.xml"})
+@DirtiesContext(classMode = ClassMode.AFTER_CLASS)
+public class TestPrivacy extends AbstractStoryTest {
+
+	public static final File TEST_DIR = new File(MidPointTestConstants.TEST_RESOURCES_DIR, "privacy");
+
+	protected static final File USERS_FILE = new File(TEST_DIR, "users.xml");
+
+	protected static final String USER_GUYBRUSH_OID = "0cf84e54-b815-11e8-9862-a7c904bd4e94";
+	protected static final String USER_ELAINE_OID = "30444e02-b816-11e8-a26d-0380f27eebe6";
+	protected static final String USER_RAPP_OID = "353265f2-b816-11e8-91c7-333c643c8719";
+
+	protected static final File ROLE_PRIVACY_END_USER_FILE = new File(TEST_DIR, "role-privacy-end-user.xml");
+	protected static final String ROLE_PRIVACY_END_USER_OID = "d6f2c30a-b816-11e8-88c5-4f735c761a81";
+
+	protected static final File RESOURCE_DUMMY_FILE = new File(TEST_DIR, "resource-dummy.xml");
+	protected static final String RESOURCE_DUMMY_OID = "dfc012e2-b813-11e8-82af-679b6f0a6ad4";
+	private static final String RESOURCE_DUMMY_NS = MidPointConstants.NS_RI;
+
+
+	@Override
+	public void initSystem(Task initTask, OperationResult initResult) throws Exception {
+		super.initSystem(initTask, initResult);
+
+		initDummyResourcePirate(null, RESOURCE_DUMMY_FILE, RESOURCE_DUMMY_OID, initTask, initResult);
+		getDummyResource().setSyncStyle(DummySyncStyle.SMART);
+
+		repoAddObjectFromFile(ROLE_PRIVACY_END_USER_FILE, initResult);
+
+		importObjectsFromFileNotRaw(USERS_FILE, initTask, initResult);
+	}
+
+	/**
+	 * MID-4892
+	 */
+	@Test
+	public void test100AutzJackReadSearch() throws Exception {
+		final String TEST_NAME = "test100AutzJackReadSearch";
+		displayTestTitle(TEST_NAME);
+
+		assignRole(USER_JACK_OID, ROLE_PRIVACY_END_USER_OID);
+
+		login(USER_JACK_USERNAME);
+
+		// WHEN
+        displayWhen(TEST_NAME);
+
+        assertGetAllow(UserType.class, USER_GUYBRUSH_OID);
+        assertGetAllow(UserType.class, USER_ELAINE_OID);
+        assertGetAllow(UserType.class, USER_RAPP_OID);
+
+        display("HEREHERE");
+        assertSearch(UserType.class, null, 
+        		USER_ADMINISTRATOR_OID, USER_GUYBRUSH_OID, USER_ELAINE_OID, USER_JACK_OID);
+
+		// THEN
+		displayThen(TEST_NAME);
+
+	}
+
+
+}

testing/story/src/test/resources/logback-test.xml

@@ -59,13 +59,14 @@
 	<logger name="com.evolveum.midpoint.model.impl.expr" level="DEBUG" />
 	<logger name="com.evolveum.midpoint.model.impl.util" level="DEBUG" />
 	<logger name="com.evolveum.midpoint.model.impl.security" level="DEBUG" />
-	<logger name="com.evolveum.midpoint.model.impl.sync" level="TRACE" />
+	<logger name="com.evolveum.midpoint.model.impl.sync" level="DEBUG" />
 	<logger name="com.evolveum.midpoint.model.impl.sync.ReconciliationTaskHandler" level="DEBUG" />
 	<logger name="com.evolveum.midpoint.model.impl.sync.CorrelationConfirmationEvaluator" level="DEBUG" />
-	<logger name="com.evolveum.midpoint.common.SynchronizationUtils" level="TRACE" />
+	<logger name="com.evolveum.midpoint.common.SynchronizationUtils" level="DEBUG" />
     <logger name="com.evolveum.midpoint.provisioning" level="DEBUG" />
     <logger name="com.evolveum.midpoint.provisioning.impl.ResourceManager" level="DEBUG" />
 	<logger name="com.evolveum.midpoint.expression" level="DEBUG" />
+	<logger name="com.evolveum.midpoint.security" level="TRACE" />
 	<logger name="com.evolveum.midpoint.model.common.expression" level="DEBUG" />
 	<logger name="com.evolveum.midpoint.model.common.expression.Expression" level="DEBUG" />
 	<logger name="com.evolveum.midpoint.model.common.mapping" level="DEBUG" />