Merge remote-tracking branch 'refs/remotes/origin/master'

gui/admin-gui/pom.xml

@@ -798,6 +798,8 @@
                     </execution>
                 </executions>
                 <configuration>
+                    <nodeDownloadRoot>https://nexus.evolveum.com/nexus/repository/nodejs-dist/</nodeDownloadRoot>
+                    <npmDownloadRoot>https://nexus.evolveum.com/nexus/repository/npmjs-dist/</npmDownloadRoot>
                     <nodeVersion>v18.12.1</nodeVersion>
                     <npmVersion>8.19.2</npmVersion>
                     <installDirectory>target</installDirectory>

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/cases/PageCases.java

@@ -6,22 +6,36 @@
  */
 package com.evolveum.midpoint.web.page.admin.cases;
 
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+
+import org.apache.commons.collections4.CollectionUtils;
+import org.apache.wicket.ajax.AjaxRequestTarget;
+import org.apache.wicket.model.IModel;
+import org.apache.wicket.model.Model;
+import org.apache.wicket.request.mapper.parameter.PageParameters;
+
+import com.evolveum.midpoint.authentication.api.authorization.AuthorizationAction;
+import com.evolveum.midpoint.authentication.api.authorization.PageDescriptor;
+import com.evolveum.midpoint.authentication.api.authorization.Url;
 import com.evolveum.midpoint.gui.api.GuiStyleConstants;
 import com.evolveum.midpoint.gui.api.util.WebModelServiceUtils;
 import com.evolveum.midpoint.gui.impl.component.icon.CompositedIconBuilder;
+import com.evolveum.midpoint.prism.PrismContext;
+import com.evolveum.midpoint.prism.query.ObjectFilter;
 import com.evolveum.midpoint.prism.query.ObjectQuery;
 import com.evolveum.midpoint.schema.GetOperationOptions;
 import com.evolveum.midpoint.schema.SelectorOptions;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.cases.CaseTypeUtil;
-import com.evolveum.midpoint.authentication.api.authorization.AuthorizationAction;
 import com.evolveum.midpoint.security.api.AuthorizationConstants;
-import com.evolveum.midpoint.authentication.api.authorization.PageDescriptor;
-import com.evolveum.midpoint.authentication.api.authorization.Url;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
-import com.evolveum.midpoint.web.application.*;
+import com.evolveum.midpoint.web.application.CollectionInstance;
+import com.evolveum.midpoint.web.application.PanelDisplay;
 import com.evolveum.midpoint.web.component.data.column.ColumnMenuAction;
 import com.evolveum.midpoint.web.component.menu.cog.ButtonInlineMenuItem;
 import com.evolveum.midpoint.web.component.menu.cog.InlineMenuItem;
@@ -31,15 +45,7 @@
 import com.evolveum.midpoint.web.page.admin.server.CasesTablePanel;
 import com.evolveum.midpoint.web.page.admin.users.component.ExecuteChangeOptionsDto;
 import com.evolveum.midpoint.web.session.UserProfileStorage;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
-
-import org.apache.commons.collections4.CollectionUtils;
-import org.apache.wicket.ajax.AjaxRequestTarget;
-import org.apache.wicket.model.IModel;
-import org.apache.wicket.model.Model;
-import org.apache.wicket.request.mapper.parameter.PageParameters;
-
-import java.util.*;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.CaseType;
 
 @PageDescriptor(
         urls = {
@@ -91,6 +97,14 @@ private void initLayout() {
 
             private static final long serialVersionUID = 1L;
 
+            @Override
+            protected ObjectFilter getCasesFilter() {
+                PageParameters pageParameters = getPageBase().getPageParameters();
+                return pageParameters != null && pageParameters.isEmpty() ? PrismContext.get().queryFor(CaseType.class)
+                        .item(CaseType.F_PARENT_REF).isNull()
+                        .buildFilter() : super.getCasesFilter();
+            }
+
             @Override
             protected UserProfileStorage.TableId getTableId() {
                 return UserProfileStorage.TableId.TABLE_CASES;

model/model-api/src/main/java/com/evolveum/midpoint/model/api/context/AssociatedPolicyRule.java

@@ -0,0 +1,120 @@
+/*
+ * Copyright (C) 2010-2023 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+
+package com.evolveum.midpoint.model.api.context;
+
+import com.evolveum.midpoint.util.DebugDumpable;
+import com.evolveum.midpoint.util.annotation.Experimental;
+
+import com.evolveum.midpoint.xml.ns._public.common.common_3.EvaluatedPolicyRuleType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.PolicyActionType;
+
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+
+import java.io.Serializable;
+import java.util.Collection;
+import java.util.List;
+import java.util.function.Predicate;
+
+/**
+ * {@link EvaluatedPolicyRule} that is associated to given {@link EvaluatedAssignment}, either as "own"
+ * (i.e. directly evaluated and triggered on) or as "foreign" (triggered on another assignment but connected to this one,
+ * typically because of an exclusion constraint).
+ *
+ * The purpose of this class is to provide the necessary functionality when such rules are returned by
+ * {@link EvaluatedAssignment#getAllAssociatedPolicyRules()} method.
+ *
+ * Important things to consider:
+ *
+ * . The exclusion constraints on foreign policy rules are just as they are triggered on their original assignments.
+ * It means that exclusion triggers on them point to the current assigment as {@link EvaluatedExclusionTrigger#conflictingTarget},
+ * and to original one as {@link EvaluatedExclusionTrigger#thisTarget}. See also
+ * {@link EvaluatedExclusionTrigger#getRealConflictingAssignment(EvaluatedAssignment)}.
+ *
+ * . Also note that not all triggers on the original policy rule are relevant to this (new) assignment. For example,
+ * if a role `coordinator` excludes all roles of type `worker`, and has appropriate policy rule on it, then when you
+ * are assigning `worker-1` and `worker-2`, both get this policy rule (with 2 triggers) as a foreign rule. However, only
+ * one trigger is relevant for each of the workers. Hence, use appropriate method to select relevant triggers, e.g.
+ * {@link #getRelevantExclusionTriggers()} or {@link EvaluatedPolicyRuleTrigger#isRelevantForNewOwner(EvaluatedAssignment)}.
+ */
+@Experimental
+public interface AssociatedPolicyRule extends DebugDumpable, Serializable, Cloneable {
+
+    /** Automatically generated identifier that - we hope - uniquely identifies the policy rule. */
+    @NotNull String getPolicyRuleIdentifier();
+
+    /**
+     * Was this rule triggered, i.e. are there any triggers? We do not distinguish between relevant and irrelevant
+     * triggers here, as foreign rules should have always some triggers, so this is always `true` for them.
+     */
+    boolean isTriggered();
+
+    /** Are there any enabled actions of given type? */
+    boolean containsEnabledAction(Class<? extends PolicyActionType> type);
+
+    /** Returns enabled action of given type, if there's any. Throws an exception if there are more of them. */
+    <T extends PolicyActionType> @Nullable T getEnabledAction(Class<T> type);
+
+    /** Returns all enabled actions of given type. */
+    <T extends PolicyActionType> @NotNull List<T> getEnabledActions(Class<T> type);
+
+    /** Returns exclusion triggers without ones that are not relevant for given "new owner" (see class javadoc). */
+    @NotNull Collection<EvaluatedExclusionTrigger> getRelevantExclusionTriggers();
+
+    /** Returns short, (more or less) user-level characterization of this object. */
+    String toShortString();
+
+    /** Returns new owner (for foreign rules) or `null` (for original ones). */
+    @Nullable EvaluatedAssignment getNewOwner();
+
+    /** Returns the original policy rule. */
+    @NotNull EvaluatedPolicyRule getEvaluatedPolicyRule();
+
+    default String getNewOwnerShortString() {
+        EvaluatedAssignment newOwner = getNewOwner();
+        if (newOwner != null) {
+            return String.format("from [%d] (-> %s)", newOwner.getAssignmentId(), newOwner.getTarget());
+        } else {
+            return "";
+        }
+    }
+
+    /** Returns the policy situation connected to this rule. Will be replaced by object marks. */
+    @Nullable String getPolicySituation();
+
+    /**
+     * Serializes the policy rule into bean form ({@link EvaluatedPolicyRuleType}).
+     *
+     * Currently not very nice contract, should be improved later.
+     *
+     * @param ruleBeans Collection of beans into which to put the result.
+     * @param options Options - how the serialization should take place.
+     * @param triggerSelector Which triggers should be processed?
+     * @param newOwner If set, we should ignore triggers not relevant for this evaluated assignment.
+     */
+    void addToEvaluatedPolicyRuleBeans(
+            @NotNull Collection<EvaluatedPolicyRuleType> ruleBeans,
+            @NotNull PolicyRuleExternalizationOptions options,
+            @Nullable Predicate<EvaluatedPolicyRuleTrigger<?>> triggerSelector,
+            @Nullable EvaluatedAssignment newOwner);
+
+    /**
+     * Adds a trigger to the policy rule.
+     * For internal use only.
+     */
+    void addTrigger(@NotNull EvaluatedPolicyRuleTrigger<?> trigger);
+
+    static int getTriggeredRulesCount(Collection<? extends AssociatedPolicyRule> policyRules) {
+        return (int) policyRules.stream().filter(AssociatedPolicyRule::isTriggered).count();
+    }
+
+    static boolean contains(List<? extends AssociatedPolicyRule> rules, AssociatedPolicyRule otherRule) {
+        return rules.stream()
+                .anyMatch(r -> r.getPolicyRuleIdentifier().equals(otherRule.getPolicyRuleIdentifier()));
+    }
+}

model/model-api/src/main/java/com/evolveum/midpoint/model/api/context/EvaluatedAssignment.java

@@ -9,7 +9,6 @@
 import java.io.Serializable;
 import java.util.Collection;
 import java.util.Set;
-import java.util.stream.Collectors;
 import javax.xml.namespace.QName;
 
 import org.jetbrains.annotations.NotNull;
@@ -74,32 +73,21 @@ default AssignmentType getAssignmentType(boolean old) {
      * - even those that were not triggered. The policy rules are compiled from all the applicable
      * sources (target, meta-roles, etc.)
      */
-    @NotNull
-    Collection<? extends EvaluatedPolicyRule> getObjectPolicyRules();
+    @NotNull Collection<? extends EvaluatedPolicyRule> getObjectPolicyRules();
 
     /**
      * Returns all policy rules that directly apply to the target object of this assignment
      * (and are derived from this assignment) - even those that were not triggered. The policy rules
      * are compiled from all the applicable sources (target, meta-roles, etc.)
      */
-    @NotNull
-    default Collection<? extends EvaluatedPolicyRule> getThisTargetPolicyRules() {
-        return getAllTargetsPolicyRules().stream()
-                .filter(r -> r.getTargetType() == EvaluatedPolicyRule.TargetType.DIRECT_ASSIGNMENT_TARGET)
-                .collect(Collectors.toList());
-    }
+    @NotNull Collection<? extends EvaluatedPolicyRule> getThisTargetPolicyRules();
 
     /**
      * Returns all policy rules that apply to some other target object of this assignment
      * (and are derived from this assignment) - even those that were not triggered. The policy rules
      * are compiled from all the applicable sources (target, meta-roles, etc.)
      */
-    @NotNull
-    default Collection<? extends EvaluatedPolicyRule> getOtherTargetsPolicyRules() {
-        return getAllTargetsPolicyRules().stream()
-                .filter(r -> r.getTargetType() == EvaluatedPolicyRule.TargetType.INDIRECT_ASSIGNMENT_TARGET)
-                .collect(Collectors.toList());
-    }
+    @NotNull Collection<? extends EvaluatedPolicyRule> getOtherTargetsPolicyRules();
 
     /**
      * Returns all policy rules that apply to any of the target objects provided by this assignment
@@ -122,12 +110,9 @@ default Collection<? extends EvaluatedPolicyRule> getOtherTargetsPolicyRules() {
      * This is necessary to implement "declare once, use twice" approach where it should be sufficient to declare an exclusion
      * constraint at one of the targets only. See e.g. MID-8269.
      *
-     * BEWARE! The exclusion constraints on foreign policy rules are just as they are triggered on their original assignments.
-     * It means that exclusion triggers on them point to THIS assigment as the conflicting one. The original assignment should
-     * be present in {@link EvaluatedPolicyRule#getAssignmentPath()}.
-     * See also {@link EvaluatedExclusionTrigger#getRealConflictingAssignment(EvaluatedAssignment)}.
+     * There are important things to be aware of, though. Please see {@link AssociatedPolicyRule} for more information.
      */
-    @NotNull Collection<? extends EvaluatedPolicyRule> getAllTargetsAndForeignPolicyRules();
+    @NotNull Collection<AssociatedPolicyRule> getAllAssociatedPolicyRules();
 
     /**
      * How many target policy rules are there.

model/model-api/src/main/java/com/evolveum/midpoint/model/api/context/EvaluatedCollectionStatsTrigger.java

@@ -10,6 +10,7 @@
 import com.evolveum.midpoint.util.LocalizableMessage;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
 import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
 
 public class EvaluatedCollectionStatsTrigger extends EvaluatedPolicyRuleTrigger<CollectionStatsPolicyConstraintType> {
 
@@ -20,7 +21,8 @@ public EvaluatedCollectionStatsTrigger(
     }
 
     @Override
-    public EvaluatedCollectionStatsTriggerType toEvaluatedPolicyRuleTriggerBean(PolicyRuleExternalizationOptions options) {
+    public EvaluatedCollectionStatsTriggerType toEvaluatedPolicyRuleTriggerBean(
+            @NotNull PolicyRuleExternalizationOptions options, @Nullable EvaluatedAssignment newOwner) {
         EvaluatedCollectionStatsTriggerType rv = new EvaluatedCollectionStatsTriggerType();
         fillCommonContent(rv);
         return rv;

model/model-api/src/main/java/com/evolveum/midpoint/model/api/context/EvaluatedCompositeTrigger.java

@@ -13,6 +13,7 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.PolicyConstraintKindType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.PolicyConstraintsType;
 import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
 
 import java.util.Collection;
 import java.util.Objects;
@@ -72,11 +73,16 @@ protected void debugDumpSpecific(StringBuilder sb, int indent) {
     }
 
     @Override
-    public EvaluatedLogicalTriggerType toEvaluatedPolicyRuleTriggerBean(PolicyRuleExternalizationOptions options) {
+    public EvaluatedLogicalTriggerType toEvaluatedPolicyRuleTriggerBean(
+            @NotNull PolicyRuleExternalizationOptions options, @Nullable EvaluatedAssignment newOwner) {
         EvaluatedLogicalTriggerType rv = new EvaluatedLogicalTriggerType();
         fillCommonContent(rv);
-        if (!options.isRespectFinalFlag() || !isFinal()) {
-            innerTriggers.forEach(t -> rv.getEmbedded().add(t.toEvaluatedPolicyRuleTriggerBean(options)));
+        if (!isFinal()) {
+            innerTriggers.stream()
+                    .filter(t -> t.isRelevantForNewOwner(newOwner))
+                    .forEach(t ->
+                            rv.getEmbedded().add(
+                                    t.toEvaluatedPolicyRuleTriggerBean(options, newOwner)));
         }
         return rv;
     }

model/model-api/src/main/java/com/evolveum/midpoint/model/api/context/EvaluatedCustomConstraintTrigger.java

@@ -11,6 +11,7 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
 
 import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
 
 public class EvaluatedCustomConstraintTrigger extends EvaluatedPolicyRuleTrigger<CustomPolicyConstraintType> {
 
@@ -23,7 +24,8 @@ public EvaluatedCustomConstraintTrigger(
     }
 
     @Override
-    public EvaluatedPolicyRuleTriggerType toEvaluatedPolicyRuleTriggerBean(PolicyRuleExternalizationOptions options) {
+    public EvaluatedPolicyRuleTriggerType toEvaluatedPolicyRuleTriggerBean(
+            @NotNull PolicyRuleExternalizationOptions options, @Nullable EvaluatedAssignment newOwner) {
         EvaluatedPolicyRuleTriggerType rv = new EvaluatedPolicyRuleTriggerType();
         fillCommonContent(rv);
         return rv;

model/model-api/src/main/java/com/evolveum/midpoint/model/api/context/EvaluatedExclusionTrigger.java

@@ -13,19 +13,18 @@
 import com.evolveum.midpoint.util.LocalizableMessage;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
 import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
 
 import java.util.Collection;
 import java.util.List;
 import java.util.Objects;
 
-import static com.evolveum.midpoint.xml.ns._public.common.common_3.TriggeredPolicyRulesStorageStrategyType.FULL;
-
 /**
  * Represents triggered exclusion constraint.
  *
  * [NOTE]
  * ====
- * When present in "foreign policy rules" ({@link EvaluatedAssignment#getAllTargetsAndForeignPolicyRules()}), then the
+ * When present in "foreign policy rules" ({@link EvaluatedAssignment#getAllAssociatedPolicyRules()}), then the
  * values in {@link #conflictingAssignment}, {@link #conflictingTarget}, {@link #thisTarget} and so on may be misleading.
  * They are correct with regards to the original evaluated assignment, but not for the other one.
  *
@@ -131,10 +130,11 @@ protected void debugDumpSpecific(StringBuilder sb, int indent) {
     }
 
     @Override
-    public EvaluatedExclusionTriggerType toEvaluatedPolicyRuleTriggerBean(PolicyRuleExternalizationOptions options) {
+    public EvaluatedExclusionTriggerType toEvaluatedPolicyRuleTriggerBean(
+            @NotNull PolicyRuleExternalizationOptions options, @Nullable EvaluatedAssignment newOwner) {
         EvaluatedExclusionTriggerType rv = new EvaluatedExclusionTriggerType();
         fillCommonContent(rv);
-        if (options.getTriggeredRulesStorageStrategy() == FULL) {
+        if (options.isFullStorageStrategy()) {
             rv.setConflictingObjectRef(ObjectTypeUtil.createObjectRef(conflictingTarget));
             rv.setConflictingObjectDisplayName(ObjectTypeUtil.getDisplayName(conflictingTarget));
             rv.setConflictingObjectPath(conflictingPath.toAssignmentPathType(options.isIncludeAssignmentsContent()));
@@ -149,4 +149,10 @@ public EvaluatedExclusionTriggerType toEvaluatedPolicyRuleTriggerBean(PolicyRule
     public Collection<? extends PrismObject<?>> getTargetObjects() {
         return List.of(conflictingTarget.asPrismObject());
     }
+
+    @Override
+    public boolean isRelevantForNewOwner(@Nullable EvaluatedAssignment newOwner) {
+        return newOwner == null
+                || conflictingAssignment.equals(newOwner);
+    }
 }

model/model-api/src/main/java/com/evolveum/midpoint/model/api/context/EvaluatedHasAssignmentTrigger.java

@@ -11,6 +11,7 @@
 import com.evolveum.midpoint.util.LocalizableMessage;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
 import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
 
 import java.util.Collection;
 
@@ -27,7 +28,8 @@ public EvaluatedHasAssignmentTrigger(
     }
 
     @Override
-    public EvaluatedHasAssignmentTriggerType toEvaluatedPolicyRuleTriggerBean(PolicyRuleExternalizationOptions options) {
+    public EvaluatedHasAssignmentTriggerType toEvaluatedPolicyRuleTriggerBean(
+            @NotNull PolicyRuleExternalizationOptions options, @Nullable EvaluatedAssignment newOwner) {
         EvaluatedHasAssignmentTriggerType rv = new EvaluatedHasAssignmentTriggerType();
         fillCommonContent(rv);
         return rv;