More fixes in expression type handling. This fixes security tests in …

…model-intest.
Evolveum · Apr 8, 2019 · 9154412 · 9154412
1 parent 06a3eed
commit 9154412
Show file tree

Hide file tree

Showing 7 changed files with 80 additions and 14 deletions.
diff --git a/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/util/ItemDeltaItem.java b/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/util/ItemDeltaItem.java
@@ -206,7 +206,7 @@ public void recompute() throws SchemaException {
 		}
 	}
 
-	public <IV extends PrismValue, ID extends ItemDefinition> ItemDeltaItem<IV,ID> findIdi(ItemPath path) {
+	public <IV extends PrismValue, ID extends ItemDefinition> ItemDeltaItem<IV,ID> findIdi(ItemPath path) throws SchemaException {
 		if (path.isEmpty()) {
 			return (ItemDeltaItem<IV,ID>) this;
 		}

diff --git a/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/util/ObjectDeltaObject.java b/infra/prism-api/src/main/java/com/evolveum/midpoint/prism/util/ObjectDeltaObject.java
@@ -161,7 +161,7 @@ public Class<O> getObjectCompileTimeClass() {
 	}
 
 	@Override
-	public <IV extends PrismValue,ID extends ItemDefinition> ItemDeltaItem<IV,ID> findIdi(@NotNull ItemPath path) {
+	public <IV extends PrismValue,ID extends ItemDefinition> ItemDeltaItem<IV,ID> findIdi(@NotNull ItemPath path) throws SchemaException {
 		Item<IV,ID> subItemOld = null;
 		ItemPath subResidualPath = null;
 		if (oldObject != null) {
@@ -232,6 +232,19 @@ public <IV extends PrismValue,ID extends ItemDefinition> ItemDeltaItem<IV,ID> fi
 		if (definition != null) {
 			subDefinition = definition.findItemDefinition(path);
 		}
+		if (subDefinition == null) {
+			// This may be a bit redundant, because IDI constructor does similar logic.
+			// But we want to know the situation here, so we can provide better error message.
+			if (subItemNew != null && subItemNew.getDefinition() != null) {
+				subDefinition = subItemNew.getDefinition();
+			} else if (subItemOld != null && subItemOld.getDefinition() != null) {
+				subDefinition = subItemOld.getDefinition();
+			} else if (itemDelta != null && itemDelta.getDefinition() != null) {
+				subDefinition = itemDelta.getDefinition();
+			} else {
+				throw new SchemaException("Cannot find definition of a subitem "+path+" of "+this);
+			}
+		}
 		ItemDeltaItem<IV,ID> subIdi = new ItemDeltaItem<>(subItemOld, itemDelta, subItemNew, subDefinition);
 		subIdi.setSubItemDeltas(subSubItemDeltas);
 		subIdi.setResolvePath(path);

diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/Construction.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/Construction.java
@@ -454,13 +454,38 @@ private <T> MappingImpl<PrismPropertyValue<T>, ResourceAttributeDefinition<T>> e
 				outboundMappingType,
 				"for attribute " + PrettyPrinter.prettyPrint(attrName) + " in " + getSource());
 
-		MappingImpl<PrismPropertyValue<T>, ResourceAttributeDefinition<T>> evaluatedMapping = evaluateMapping(
-				builder, attrName, outputDefinition, null, task, result);
+		MappingImpl<PrismPropertyValue<T>, ResourceAttributeDefinition<T>> evaluatedMapping;
+
+		try {
+
+			evaluatedMapping = evaluateMapping(builder, attrName, outputDefinition, null, task, result);
+
+		} catch (SchemaException e) {
+			throw new SchemaException(getAttributeEvaluationErrorMesssage(attrName, e), e);
+		} catch (ExpressionEvaluationException e) {
+			throw new ExpressionEvaluationException(getAttributeEvaluationErrorMesssage(attrName, e), e);
+		} catch (ObjectNotFoundException e) {
+			throw new ObjectNotFoundException(getAttributeEvaluationErrorMesssage(attrName, e), e);
+		} catch (SecurityViolationException e) {
+			throw new SecurityViolationException(getAttributeEvaluationErrorMesssage(attrName, e), e);
+		} catch (ConfigurationException e) {
+			throw new ConfigurationException(getAttributeEvaluationErrorMesssage(attrName, e), e);
+		} catch (CommunicationException e) {
+			throw new CommunicationException(getAttributeEvaluationErrorMesssage(attrName, e), e);
+		}
 
 		LOGGER.trace("Evaluated mapping for attribute " + attrName + ": " + evaluatedMapping);
 		return evaluatedMapping;
 	}
 
+	private String getAttributeEvaluationErrorMesssage(QName attrName, Exception e) {
+		return "Error evaluating mapping for attribute "+PrettyPrinter.prettyPrint(attrName)+" in "+getHumanReadableConstructionDescription()+": "+e.getMessage();
+	}
+
+	private String getHumanReadableConstructionDescription() {
+		return "construction for ("+resource+"/"+getKind()+"/"+getIntent()+") in "+getSource();
+	}
+
 	public <T> RefinedAttributeDefinition<T> findAttributeDefinition(QName attributeName) {
 		if (refinedObjectClassDefinition == null) {
 			throw new IllegalStateException(

diff --git a/model/model-intest/src/test/resources/common/role-pirate.xml b/model/model-intest/src/test/resources/common/role-pirate.xml
@@ -1,5 +1,5 @@
 <!--
-  ~ Copyright (c) 2010-2017 Evolveum
+  ~ Copyright (c) 2010-2019 Evolveum
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -25,6 +25,12 @@
     	<extension>
     		<piracy:sea>The Seven Seas</piracy:sea>
     	</extension>
+    	<!-- This role is always assigned to users. Therefore this should not be needed.
+    	     But, there are some attempts in security tests to assign this role to another role.
+    	     This attempt fails on gossip attribute mapping not getting fullName. We do not want
+    	     that failure, we want to check whether security properly denies the operation.
+    	     Hence the focusType definition. -->
+    	<focusType>UserType</focusType>
     	<construction id="60004">
     		<resourceRef oid="10000000-0000-0000-0000-000000000004" type="c:ResourceType"/>
     		<kind>account</kind>
@@ -73,7 +79,7 @@
                 	</source>
                 	<expression>
 						<script>
-							<code>fullName + ' is the best pirate ' + ( locality == null ? 'the world' : locality ) + ' has ever seen'</code> 
+							<code>fullName + ' is the best pirate ' + ( locality == null ? 'the world' : locality ) + ' has ever seen'</code>
 						</script>
 					</expression>
 				</outbound>

diff --git a/model/model-intest/src/test/resources/schema/piracy.xsd b/model/model-intest/src/test/resources/schema/piracy.xsd
@@ -209,5 +209,18 @@
 			</xsd:element>
 		</xsd:sequence>
 	</xsd:complexType>
+
+	<!-- org extension -->
+
+    <xsd:complexType name="OrgTypeExtensionType">
+        <xsd:annotation>
+            <xsd:appinfo>
+                <a:extension ref="c:OrgType"/>
+            </xsd:appinfo>
+        </xsd:annotation>
+        <xsd:sequence>
+			<xsd:element ref="tns:sea"/>
+        </xsd:sequence>
+    </xsd:complexType>
 
 </xsd:schema>
diff --git a/...epo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionUtil.java b/...epo-common/src/main/java/com/evolveum/midpoint/repo/common/expression/ExpressionUtil.java
@@ -376,14 +376,20 @@ private static ItemDefinition determineItemDefinition(PrismContainerDefinition c
 		if (parentDef == null) {
 			return null;
 		}
-		if (!(parentDef instanceof PrismPropertyDefinition)) {
-			return null;
-		}
-		if (!PrismUtil.isStructuredType(parentDef.getTypeName())) {
-			return null;
+		if (parentDef instanceof PrismContainerDefinition) {
+			if (parentDef.isDynamic() && ((PrismContainerDefinition)parentDef).isEmpty()) {
+				// The case of dynamic schema for which there are no definitions
+				// E.g. assignment extension
+				// just default to single-value strings. Better than nothing. At least for now.
+				return parentDef.getPrismContext().definitionFactory().createPropertyDefinition(relativePath.lastName(), PrimitiveType.STRING.getQname());
+			}
+		} else if ((parentDef instanceof PrismPropertyDefinition)) {
+			if (PrismUtil.isStructuredType(parentDef.getTypeName())) {
+				// All "subproperties" are hardcoded as singlevalue strings
+				return parentDef.getPrismContext().definitionFactory().createPropertyDefinition(relativePath.lastName(), PrimitiveType.STRING.getQname());
+			}
 		}
-		// All "subproperties" are hardcoded as singlevalue strings
-		return parentDef.getPrismContext().definitionFactory().createPropertyDefinition(relativePath.lastName(), PrimitiveType.STRING.getQname());
+		return null;
 	}
 
 	private static TypedValue normalizeValuesToDelete(TypedValue root) {

diff --git a/...pi/src/main/java/com/evolveum/midpoint/security/enforcer/api/AuthorizationParameters.java b/...pi/src/main/java/com/evolveum/midpoint/security/enforcer/api/AuthorizationParameters.java
@@ -242,7 +242,10 @@ public static <O extends ObjectType> AuthorizationParameters<O,ObjectType> build
 		}
 
 		public static <O extends ObjectType> AuthorizationParameters<O,ObjectType> buildObject(PrismObject<O> object) {
-			ObjectDeltaObject<O> odo = new ObjectDeltaObject<>(object, null, object, object.getDefinition());
+			ObjectDeltaObject<O> odo = null;
+			if (object != null) {
+				odo = new ObjectDeltaObject<>(object, null, object, object.getDefinition());
+			}
 			return new AuthorizationParameters<>(odo, null, null, null);
 		}