diff --git a/gui/admin-gui/src/main/resources/initial-objects/040-role-enduser.xml b/gui/admin-gui/src/main/resources/initial-objects/040-role-enduser.xml
index 39bea19a57b..d8b69d15f80 100644
--- a/gui/admin-gui/src/main/resources/initial-objects/040-role-enduser.xml
+++ b/gui/admin-gui/src/main/resources/initial-objects/040-role-enduser.xml
@@ -131,9 +131,6 @@
- credentials
- assignment
- - parentOrgRef
- - roleMembershipRef
- - metadata
self-shadow-execution-add-modify-delete
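Review bot: Removing parentOrgRef, roleMembershipRef and metadata from the end-user self-modify exception list (the XML markup is collapsed here, so I am reading the bullet list) means the guarantee that an end user cannot write those operational items must now come from somewhere other than this role. The test side of this commit adds `assertModifyMetadataDeny` for metadata only; nothing in the diff asserts that a self-modify of `roleMembershipRef` or `parentOrgRef` is still denied, so a regression there would go unnoticed. If these items are now rejected by the model independently of the role, a short comment next to the remaining exceptItem entries stating that would keep a future reader from treating the omission as a gap, e.g. `<!-- parentOrgRef, roleMembershipRef and metadata are not listed here on purpose: TODO state where they are protected -->`, and a negative test for the two reference items would pin it.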
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/AbstractSecurityTest.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/AbstractSecurityTest.java
index a2821e59f90..8deafa43f1f 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/AbstractSecurityTest.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/AbstractSecurityTest.java
@@ -85,11 +85,13 @@
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AccessCertificationCampaignType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AccessCertificationCaseType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentPolicyEnforcementType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationDecisionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.MetadataType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OwnedObjectSelectorType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PartialProcessingOptionsType;
@@ -101,6 +103,7 @@
import com.evolveum.midpoint.xml.ns._public.common.common_3.SubjectedObjectSelectorType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
+import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
/**
* @author semancik
@@ -567,8 +570,11 @@ protected void assertAttributeFlags(RefinedObjectClassDefinition rOcDef, QName a
assertEquals("Wrong modification flag for "+attrName, expectedModify, rAttrDef.canModify());
}
-
protected void cleanupAutzTest(String userOid) throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, ObjectAlreadyExistsException, PolicyViolationException, SecurityViolationException, IOException {
+ cleanupAutzTest(userOid, 0);
+ }
+
+ protected void cleanupAutzTest(String userOid, int expectedAssignments) throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, ObjectAlreadyExistsException, PolicyViolationException, SecurityViolationException, IOException {
login(userAdministrator);
if (userOid != null) {
unassignAllRoles(userOid);
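Review bot: The new two-argument `cleanupAutzTest` has no Javadoc, so the meaning of `expectedAssignments` (and the fact that 0 additionally implies a no-links check, visible further down in the body) is only discoverable by reading the whole method, whose body continues outside this hunk. A one-line Javadoc on the new overload would make the contract explicit: `/** Resets the shared security fixture and asserts the user identified by {@code userOid} is left with exactly {@code expectedAssignments} assignments; with 0 it also asserts the user has no linked shadows. */`. The single-argument overload could reference it with `/** Same as {@link #cleanupAutzTest(String, int)} with 0 expected assignments. */`.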
@@ -576,6 +582,8 @@ protected void cleanupAutzTest(String userOid) throws ObjectNotFoundException, S
Task task = taskManager.createTaskInstance(AbstractSecurityTest.class.getName() + ".cleanupAutzTest");
OperationResult result = task.getResult();
+
+ assumeAssignmentPolicy(AssignmentPolicyEnforcementType.FULL);
cleanupDelete(UserType.class, USER_HERMAN_OID, task, result);
cleanupDelete(UserType.class, USER_DRAKE_OID, task, result);
@@ -592,6 +600,7 @@ protected void cleanupAutzTest(String userOid) throws ObjectNotFoundException, S
modifyUserReplace(USER_JACK_OID, SchemaConstants.PATH_ACTIVATION_VALID_FROM, task, result);
modifyUserReplace(USER_JACK_OID, UserType.F_GIVEN_NAME, task, result, createPolyString(USER_JACK_GIVEN_NAME));
+ unassignAccount(USER_JACK_OID, RESOURCE_DUMMY_OID, null);
unassignOrg(USER_JACK_OID, ORG_MINISTRY_OF_RUM_OID, SchemaConstants.ORG_MANAGER, task, result);
unassignOrg(USER_JACK_OID, ORG_MINISTRY_OF_RUM_OID, null, task, result);
unassignOrg(USER_JACK_OID, ORG_MINISTRY_OF_DEFENSE_OID, SchemaConstants.ORG_MANAGER, task, result);
@@ -603,6 +612,14 @@ protected void cleanupAutzTest(String userOid) throws ObjectNotFoundException, S
cleanupDelete(TaskType.class, TASK_T4_OID, task, result);
cleanupDelete(TaskType.class, TASK_T5_OID, task, result);
cleanupDelete(TaskType.class, TASK_T6_OID, task, result);
+
+ assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
+
+ PrismObject user = getUser(userOid);
+ assertAssignments(user, expectedAssignments);
+ if (expectedAssignments == 0) {
+ assertLinks(user, 0);
+ }
}
protected void cleanupAdd(File userLargoFile, Task task, OperationResult result) throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, PolicyViolationException, SecurityViolationException, IOException {
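Review bot: `getUser(userOid)` in the new tail is reached unconditionally, but the same method treats a null `userOid` as valid (the `if (userOid != null)` guard around `unassignAllRoles` earlier in the method), so a caller passing null now gets a lookup with a null OID instead of the previous no-op cleanup. The three new statements from `PrismObject user = getUser(userOid);` through the `assertLinks` check should sit inside an `if (userOid != null) { ... }` guard, and the local is better declared as `PrismObject<UserType> user` rather than the raw type. Separately, the cleanup now leaves the assignment policy at RELATIVE regardless of what was active before; that looks intentional given the tests set their own policy afterwards, but a comment such as `// cleanup runs under FULL enforcement; RELATIVE is the baseline the tests start from` would record it.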
@@ -982,6 +999,24 @@ protected void assertAddAllow(File file, ModelExecuteOpti
logAllow("add", object.getCompileTimeClass(), object.getOid(), null);
}
+ protected void assertModifyMetadataDeny(Class type, String oid) throws ObjectAlreadyExistsException, ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, PolicyViolationException, SecurityViolationException {
+ XMLGregorianCalendar oneHourAgo = XmlTypeConverter.addDuration(clock.currentTimeXMLGregorianCalendar(), "-PT1H");
+ assertModifyDenyOptions(type, oid, getMetadataPath(MetadataType.F_MODIFY_TIMESTAMP), null, oneHourAgo);
+ assertModifyDenyOptions(type, oid, getMetadataPath(MetadataType.F_CREATE_CHANNEL), null, "hackHackHack");
+ }
+
+ protected void assertPasswordChangeDeny(Class type, String oid, String newPassword) throws ObjectAlreadyExistsException, ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, PolicyViolationException, SecurityViolationException {
+ ProtectedStringType passwordPs = new ProtectedStringType();
+ passwordPs.setClearValue(newPassword);
+ assertModifyDeny(type, oid, PASSWORD_PATH, passwordPs);
+ }
+
+ protected void assertPasswordChangeAllow(Class type, String oid, String newPassword) throws ObjectAlreadyExistsException, ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, PolicyViolationException, SecurityViolationException {
+ ProtectedStringType passwordPs = new ProtectedStringType();
+ passwordPs.setClearValue(newPassword);
+ assertModifyAllow(type, oid, PASSWORD_PATH, passwordPs);
+ }
+
protected void assertModifyDeny(Class type, String oid, QName propertyName, Object... newRealValue) throws ObjectAlreadyExistsException, ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, PolicyViolationException, SecurityViolationException {
assertModifyDenyOptions(type, oid, propertyName, null, newRealValue);
}
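Review bot: The three new helpers are undocumented, and `assertModifyMetadataDeny` in particular encodes a security expectation (operational metadata must not be writable by the subject) that a reader cannot recover from the two property writes alone. Suggested Javadoc: `/** Asserts that the subject may not tamper with operational metadata of the given object: a backdated modifyTimestamp and a forged createChannel must both be rejected. */`, and for the password pair `/** Asserts that a clear-text password change on {@code oid} is denied (resp. allowed) through the standard credentials path. */`. The raw `Class type` parameter matches the existing `assertModifyDeny` signature, so keeping it is consistent; if those are ever tightened to `Class<? extends ObjectType>` these should follow.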
@@ -1375,5 +1410,5 @@ protected void assertCanSearch(Stri
protected ObjectQuery createMembersQuery(Class resultType, String roleOid) {
return QueryBuilder.queryFor(resultType, prismContext).item(UserType.F_ROLE_MEMBERSHIP_REF).ref(roleOid).build();
}
-
+
}
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityAdvanced.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityAdvanced.java
index 2e2bc282afd..b01cda6ef5c 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityAdvanced.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityAdvanced.java
@@ -104,7 +104,7 @@ public void test102AutzLechuckPersonaManagement() throws Exception {
final String TEST_NAME = "test102AutzLechuckPersonaManagement";
displayTestTitle(TEST_NAME);
// GIVEN
- cleanupAutzTest(USER_LECHUCK_OID);
+ cleanupAutzTest(USER_LECHUCK_OID, 1);
assignRole(USER_LECHUCK_OID, ROLE_PERSONA_MANAGEMENT_OID);
login(USER_LECHUCK_USERNAME);
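Review bot: The literal `1` passed to `cleanupAutzTest(USER_LECHUCK_OID, 1)` is unexplained; every other caller in this diff relies on the default of 0, so a reader has to infer which assignment is expected to survive cleanup for this user. A trailing comment naming it would remove the guesswork, e.g. `cleanupAutzTest(USER_LECHUCK_OID, 1); // TODO name the assignment that is expected to remain on lechuck after cleanup`, replacing the placeholder with the actual assignment once confirmed.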
@@ -1178,8 +1178,8 @@ public void test202AutzJackModifyOrgunitAndAssignRole() throws Exception {
}
@Override
- protected void cleanupAutzTest(String userOid) throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, ObjectAlreadyExistsException, PolicyViolationException, SecurityViolationException, IOException {
- super.cleanupAutzTest(userOid);
+ protected void cleanupAutzTest(String userOid, int expectedAssignments) throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, ObjectAlreadyExistsException, PolicyViolationException, SecurityViolationException, IOException {
+ super.cleanupAutzTest(userOid, expectedAssignments);
Task task = taskManager.createTaskInstance(TestSecurityAdvanced.class.getName() + ".cleanupAutzTest");
OperationResult result = task.getResult();
diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityBasic.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityBasic.java
index 33fafb3cb90..8a9d520195b 100644
--- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityBasic.java
+++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityBasic.java
@@ -15,7 +15,6 @@
*/
package com.evolveum.midpoint.model.intest.security;
-import static com.evolveum.midpoint.test.IntegrationTestTools.display;
import static org.testng.AssertJUnit.assertEquals;
import static org.testng.AssertJUnit.assertNotNull;
import static org.testng.AssertJUnit.assertNull;
@@ -41,6 +40,7 @@
import com.evolveum.midpoint.prism.delta.ContainerDelta;
import com.evolveum.midpoint.prism.delta.ItemDelta;
import com.evolveum.midpoint.prism.delta.ObjectDelta;
+import com.evolveum.midpoint.prism.delta.ReferenceDelta;
import com.evolveum.midpoint.prism.path.ItemPath;
import com.evolveum.midpoint.prism.query.ObjectFilter;
import com.evolveum.midpoint.prism.query.ObjectQuery;
@@ -1465,6 +1465,7 @@ public void test255AutzJackSelfAccountsReadWrite() throws Exception {
// GIVEN
cleanupAutzTest(USER_JACK_OID);
assignRole(USER_JACK_OID, ROLE_SELF_ACCOUNTS_READ_WRITE_OID);
+ assignAccount(USER_JACK_OID, RESOURCE_DUMMY_OID, null);
assumeAssignmentPolicy(AssignmentPolicyEnforcementType.NONE);
@@ -1528,6 +1529,7 @@ public void test256AutzJackSelfAccountsPartialControl() throws Exception {
// GIVEN
cleanupAutzTest(USER_JACK_OID);
assignRole(USER_JACK_OID, ROLE_SELF_ACCOUNTS_PARTIAL_CONTROL_OID);
+ assignAccount(USER_JACK_OID, RESOURCE_DUMMY_OID, null);
assumeAssignmentPolicy(AssignmentPolicyEnforcementType.NONE);
@@ -1568,10 +1570,8 @@ public void test256AutzJackSelfAccountsPartialControl() throws Exception {
// Not even jack's account
assertAddDeny(ACCOUNT_GUYBRUSH_DUMMY_FILE);
- ProtectedStringType passwordPs = new ProtectedStringType();
- passwordPs.setClearValue("nbusr123");
- assertModifyDeny(UserType.class, USER_JACK_OID, PASSWORD_PATH, passwordPs);
- assertModifyDeny(UserType.class, USER_GUYBRUSH_OID, PASSWORD_PATH, passwordPs);
+ assertPasswordChangeDeny(UserType.class, USER_JACK_OID, "nbusr123");
+ assertPasswordChangeDeny(UserType.class, USER_GUYBRUSH_OID, "nbusr123");
Task task = taskManager.createTaskInstance(TEST_NAME);
OperationResult result = task.getResult();
@@ -1611,6 +1611,7 @@ public void test258AutzJackSelfAccountsPartialControlPassword() throws Exception
// GIVEN
cleanupAutzTest(USER_JACK_OID);
assignRole(USER_JACK_OID, ROLE_SELF_ACCOUNTS_PARTIAL_CONTROL_PASSWORD_OID);
+ assignAccount(USER_JACK_OID, RESOURCE_DUMMY_OID, null);
assumeAssignmentPolicy(AssignmentPolicyEnforcementType.NONE);
@@ -1651,11 +1652,9 @@ public void test258AutzJackSelfAccountsPartialControlPassword() throws Exception
// Not even jack's account
assertAddDeny(ACCOUNT_GUYBRUSH_DUMMY_FILE);
- ProtectedStringType passwordPs = new ProtectedStringType();
- passwordPs.setClearValue("nbusr123");
- assertModifyAllow(UserType.class, USER_JACK_OID, PASSWORD_PATH, passwordPs);
- assertModifyDeny(UserType.class, USER_GUYBRUSH_OID, PASSWORD_PATH, passwordPs);
-
+ assertPasswordChangeAllow(UserType.class, USER_JACK_OID, "nbusr123");
+ assertPasswordChangeDeny(UserType.class, USER_GUYBRUSH_OID, "nbusr123");
+
Task task = taskManager.createTaskInstance(TEST_NAME);
OperationResult result = task.getResult();
PrismObjectDefinition rDef = modelInteractionService.getEditObjectDefinition(user, AuthorizationPhaseType.REQUEST, task, result);
@@ -1672,6 +1671,8 @@ public void test260AutzJackObjectFilterLocationShadowRole() throws Exception {
cleanupAutzTest(USER_JACK_OID);
assignRole(USER_JACK_OID, ROLE_FILTER_OBJECT_USER_LOCATION_SHADOWS_OID);
login(USER_JACK_USERNAME);
+
+ assumeAssignmentPolicy(AssignmentPolicyEnforcementType.NONE);
// WHEN
displayWhen(TEST_NAME);
@@ -1711,6 +1712,20 @@ public void test260AutzJackObjectFilterLocationShadowRole() throws Exception {
assertGetAllow(ShadowType.class, accountRedOid);
assertGlobalStateUntouched();
+
+ displayCleanup(TEST_NAME);
+ login(USER_ADMINISTRATOR_USERNAME);
+
+ Task task = createTask(TEST_NAME);
+ PrismObject account = PrismTestUtil.parseObject(ACCOUNT_JACK_DUMMY_RED_FILE);
+ account.setOid(accountRedOid);
+ ObjectDelta userDelta = ObjectDelta.createEmptyModifyDelta(UserType.class, USER_JACK_OID, prismContext);
+ ReferenceDelta accountDelta = ReferenceDelta.createModificationDelete(UserType.F_LINK_REF, getUserDefinition(), account);
+ userDelta.addModification(accountDelta);
+ executeChanges(userDelta, null, task, task.getResult());
+
+ user = getUser(USER_JACK_OID);
+ assertLinks(user, 0);
}
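Review bot: The unlink of `accountRedOid` is done inline at the end of test260 rather than in the shared `cleanupAutzTest`, so any assertion failure earlier in the method leaves the link in place for the following tests, which now assert link counts and will fail for an unrelated reason. Moving this unlink into the shared cleanup (or at least into a finally block around the WHEN/THEN section) would make the failure mode local to this test. The new locals `PrismObject account`, `ObjectDelta userDelta` and the re-read `user` are raw types; `PrismObject<ShadowType>`, `ObjectDelta<UserType>` and `PrismObject<UserType>` would keep the surrounding test type-safe. Whether the detached red shadow itself is meant to remain in the repository after the link is removed is not visible here and is worth a one-line comment.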
@@ -1771,7 +1786,7 @@ public void test270AutzJackAssignApplicationRoles() throws Exception {
assertDeleteDeny();
PrismObject user = getUser(USER_JACK_OID);
- assertAssignments(user, 2);
+ assertAssignments(user, 1);
assertAssignedRole(user, ROLE_ASSIGN_APPLICATION_ROLES_OID);
assertAllow("assign application role to jack",
@@ -1779,7 +1794,7 @@ public void test270AutzJackAssignApplicationRoles() throws Exception {
);
user = getUser(USER_JACK_OID);
- assertAssignments(user, 3);
+ assertAssignments(user, 2);
assertAssignedRole(user, ROLE_APPLICATION_1_OID);
assertDeny("assign business role to jack",
@@ -1790,7 +1805,7 @@ public void test270AutzJackAssignApplicationRoles() throws Exception {
);
user = getUser(USER_JACK_OID);
- assertAssignments(user, 2);
+ assertAssignments(user, 1);
RoleSelectionSpecification spec = getAssignableRoleSpecification(getUser(USER_JACK_OID));
assertRoleTypes(spec, "application", "nonexistent");
@@ -1823,7 +1838,7 @@ public void test272AutzJackAssignAnyRoles() throws Exception {
assertDeleteDeny();
PrismObject user = getUser(USER_JACK_OID);
- assertAssignments(user, 2);
+ assertAssignments(user, 1);
assertAssignedRole(user, ROLE_ASSIGN_ANY_ROLES_OID);
assertAllow("assign application role to jack",
@@ -1831,7 +1846,7 @@ public void test272AutzJackAssignAnyRoles() throws Exception {
);
user = getUser(USER_JACK_OID);
- assertAssignments(user, 3);
+ assertAssignments(user, 2);
assertAssignedRole(user, ROLE_APPLICATION_1_OID);
assertAllow("assign business role to jack",
@@ -1842,7 +1857,7 @@ public void test272AutzJackAssignAnyRoles() throws Exception {
);
user = getUser(USER_JACK_OID);
- assertAssignments(user, 3);
+ assertAssignments(user, 2);
RoleSelectionSpecification spec = getAssignableRoleSpecification(getUser(USER_JACK_OID));
assertRoleTypes(spec);
@@ -1878,7 +1893,7 @@ public void test273AutzJackRedyAssignmentExceptionRules() throws Exception {
assertDeleteDeny();
PrismObject user = getUser(USER_JACK_OID);
- assertAssignments(user, 2);
+ assertAssignments(user, 1);
assertAssignedRole(user, ROLE_ASSIGN_ANY_ROLES_OID);
assertDeny("assign application role to jack",
@@ -1892,7 +1907,7 @@ public void test273AutzJackRedyAssignmentExceptionRules() throws Exception {
);
user = getUser(USER_JACK_OID);
- assertAssignments(user, 2);
+ assertAssignments(user, 1);
assertDeny("assign application role to jack",
(task, result) -> assignRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, null,
@@ -1906,7 +1921,7 @@ public void test273AutzJackRedyAssignmentExceptionRules() throws Exception {
user = getUser(USER_JACK_OID);
- assertAssignments(user, 2);
+ assertAssignments(user, 1);
assertGlobalStateUntouched();
}
@@ -1932,14 +1947,14 @@ public void test274AutzJackAssignNonApplicationRoles() throws Exception {
assertDeleteDeny();
PrismObject user = getUser(USER_JACK_OID);
- assertAssignments(user, 2);
+ assertAssignments(user, 1);
assertAssignedRole(user, ROLE_ASSIGN_NON_APPLICATION_ROLES_OID);
assertAllow("assign business role to jack",
(task, result) -> assignRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, task, result));
user = getUser(USER_JACK_OID);
- assertAssignments(user, 3);
+ assertAssignments(user, 2);
assertAssignedRole(user, ROLE_BUSINESS_1_OID);
assertDeny("assign application role to jack",
@@ -1949,7 +1964,7 @@ public void test274AutzJackAssignNonApplicationRoles() throws Exception {
(task, result) -> unassignRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, task, result));
user = getUser(USER_JACK_OID);
- assertAssignments(user, 2);
+ assertAssignments(user, 1);
RoleSelectionSpecification spec = getAssignableRoleSpecification(getUser(USER_JACK_OID));
assertRoleTypes(spec);
@@ -1979,14 +1994,14 @@ public void test275aAutzJackAssignRequestableRoles() throws Exception {
assertDeleteDeny();
PrismObject user = getUser(USER_JACK_OID);
- assertAssignments(user, 2);
+ assertAssignments(user, 1);
assertAssignedRole(user, ROLE_ASSIGN_REQUESTABLE_ROLES_OID);
assertAllow("assign business role to jack",
(task, result) -> assignRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, task, result));
user = getUser(USER_JACK_OID);
- assertAssignments(user, 3);
+ assertAssignments(user, 2);
assertAssignedRole(user, ROLE_BUSINESS_1_OID);
assertDeny("assign application role to jack",
@@ -1996,7 +2011,7 @@ public void test275aAutzJackAssignRequestableRoles() throws Exception {
(task, result) -> unassignRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, task, result));
user = getUser(USER_JACK_OID);
- assertAssignments(user, 2);
+ assertAssignments(user, 1);
RoleSelectionSpecification spec = getAssignableRoleSpecification(getUser(USER_JACK_OID));
assertRoleTypes(spec);
@@ -2023,7 +2038,7 @@ public void test275bAutzJackAssignRequestableOrgs() throws Exception {
// WHEN
displayWhen(TEST_NAME);
PrismObject user = getUser(USER_JACK_OID);
- assertAssignments(user, 2);
+ assertAssignments(user, 1);
assertAssignedRole(user, ROLE_END_USER_REQUESTABLE_ABSTACTROLES_OID);
assertAllow("assign requestable org to jack",
@@ -2073,14 +2088,14 @@ public void test276AutzJackAssignRequestableRolesWithOrgRef() throws Exception {
assertDeleteDeny();
PrismObject user = getUser(USER_JACK_OID);
- assertAssignments(user, 2);
+ assertAssignments(user, 1);
assertAssignedRole(user, ROLE_ASSIGN_REQUESTABLE_ROLES_OID);
assertAllow("assign business role to jack",
(task, result) -> assignParametricRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, ORG_MINISTRY_OF_RUM_OID, null, task, result));
user = getUser(USER_JACK_OID);
- assertAssignments(user, 3);
+ assertAssignments(user, 2);
assertAssignedRole(user, ROLE_BUSINESS_1_OID);
assertDeny("assign application role to jack",
@@ -2090,8 +2105,8 @@ public void test276AutzJackAssignRequestableRolesWithOrgRef() throws Exception {
(task, result) -> unassignParametricRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, ORG_MINISTRY_OF_RUM_OID, null, task, result));
user = getUser(USER_JACK_OID);
- display("user after (expected 2 assignments)", user);
- assertAssignments(user, 2);
+ display("user after (expected 1 assignments)", user);
+ assertAssignments(user, 1);
RoleSelectionSpecification spec = getAssignableRoleSpecification(getUser(USER_JACK_OID));
assertRoleTypes(spec);
@@ -2126,38 +2141,38 @@ public void test277AutzJackAssignRequestableRolesWithOrgRefSecondTime() throws E
assertDeleteDeny();
PrismObject user = getUser(USER_JACK_OID);
- assertAssignments(user, 2);
+ assertAssignments(user, 1);
assertAssignedRole(user, ROLE_ASSIGN_REQUESTABLE_ROLES_OID);
assertAllow("assign business role to jack (no param)",
(task, result) -> assignParametricRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, null, null, task, result));
user = getUser(USER_JACK_OID);
- assertAssignments(user, 3);
+ assertAssignments(user, 2);
assertAssignedRole(user, ROLE_BUSINESS_1_OID);
assertAllow("assign business role to jack (org MoR)",
(task, result) -> assignParametricRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, ORG_MINISTRY_OF_RUM_OID, null, task, result));
user = getUser(USER_JACK_OID);
- assertAssignments(user, 4);
- display("user after (expected 4 assignments)", user);
+ assertAssignments(user, 3);
+ display("user after (expected 3 assignments)", user);
assertAssignedRole(user, ROLE_BUSINESS_1_OID);
assertAllow("assign business role to jack (org Scumm)",
(task, result) -> assignParametricRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, ORG_SCUMM_BAR_OID, null, task, result));
user = getUser(USER_JACK_OID);
- assertAssignments(user, 5);
- display("user after (expected 5 assignments)", user);
+ assertAssignments(user, 4);
+ display("user after (expected 4 assignments)", user);
assertAssignedRole(user, ROLE_BUSINESS_1_OID);
assertAllow("unassign business role from jack (org Scumm)",
(task, result) -> unassignParametricRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, ORG_SCUMM_BAR_OID, null, task, result));
user = getUser(USER_JACK_OID);
- assertAssignments(user, 4);
- display("user after (expected 4 assignments)", user);
+ assertAssignments(user, 3);
+ display("user after (expected 3 assignments)", user);
assertAssignedRole(user, ROLE_BUSINESS_1_OID);
assertDeny("assign application role to jack",
@@ -2167,15 +2182,15 @@ public void test277AutzJackAssignRequestableRolesWithOrgRefSecondTime() throws E
(task, result) -> unassignParametricRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, null, null, task, result));
user = getUser(USER_JACK_OID);
- display("user after (expected 3 assignments)", user);
- assertAssignments(user, 3);
+ display("user after (expected 2 assignments)", user);
+ assertAssignments(user, 2);
assertAllow("unassign business role from jack (org MoR)",
(task, result) -> unassignParametricRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, ORG_MINISTRY_OF_RUM_OID, null, task, result));
user = getUser(USER_JACK_OID);
- display("user after (expected 2 assignments)", user);
- assertAssignments(user, 2);
+ display("user after (expected 1 assignments)", user);
+ assertAssignments(user, 1);
RoleSelectionSpecification spec = getAssignableRoleSpecification(getUser(USER_JACK_OID));
assertRoleTypes(spec);
@@ -2208,14 +2223,14 @@ public void test278AutzJackAssignRequestableRolesWithOrgRefTweakedDelta() throws
assertDeleteDeny();
PrismObject user = getUser(USER_JACK_OID);
- assertAssignments(user, 2);
+ assertAssignments(user, 1);
assertAssignedRole(user, ROLE_ASSIGN_REQUESTABLE_ROLES_OID);
assertAllow("assign business role to jack",
(task, result) -> assignParametricRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, ORG_MINISTRY_OF_RUM_OID, null, task, result));
user = getUser(USER_JACK_OID);
- assertAssignments(user, 3);
+ assertAssignments(user, 2);
assertAssignedRole(user, ROLE_BUSINESS_1_OID);
assertDeny("assign application role to jack",
@@ -2242,7 +2257,7 @@ public void test278AutzJackAssignRequestableRolesWithOrgRefTweakedDelta() throws
user = getUser(USER_JACK_OID);
display("user after (expected 2 assignments)", user);
- assertAssignments(user, 2);
+ assertAssignments(user, 1);
RoleSelectionSpecification spec = getAssignableRoleSpecification(getUser(USER_JACK_OID));
assertRoleTypes(spec);
@@ -2275,7 +2290,7 @@ public void test279AutzJackAssignRequestableRolesWithTenantRef() throws Exceptio
assertDeleteDeny();
PrismObject user = getUser(USER_JACK_OID);
- assertAssignments(user, 2);
+ assertAssignments(user, 1);
assertAssignedRole(user, ROLE_ASSIGN_REQUESTABLE_ROLES_OID);
assertAllow("assign business role to jack",
@@ -2283,7 +2298,7 @@ public void test279AutzJackAssignRequestableRolesWithTenantRef() throws Exceptio
assignParametricRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, null, ORG_GOVERNOR_OFFICE_OID, task, result));
user = getUser(USER_JACK_OID);
- assertAssignments(user, 3);
+ assertAssignments(user, 2);
assertAssignedRole(user, ROLE_BUSINESS_1_OID);
assertDeny("assign application role to jack", new Attempt() {
@@ -2298,8 +2313,8 @@ public void run(Task task, OperationResult result) throws Exception {
unassignParametricRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, null, ORG_GOVERNOR_OFFICE_OID, task, result));
user = getUser(USER_JACK_OID);
- display("user after (expected 2 assignments)", user);
- assertAssignments(user, 2);
+ display("user after (expected 1 assignments)", user);
+ assertAssignments(user, 1);
RoleSelectionSpecification spec = getAssignableRoleSpecification(getUser(USER_JACK_OID));
assertRoleTypes(spec);
@@ -2317,6 +2332,10 @@ public void test280AutzJackEndUser() throws Exception {
cleanupAutzTest(USER_JACK_OID);
assignRole(USER_JACK_OID, ROLE_END_USER_OID);
+
+ PrismObject user = getUser(USER_JACK_OID);
+ assertAssignments(user, 1);
+ assertLinks(user, 0);
assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
@@ -2324,42 +2343,66 @@ public void test280AutzJackEndUser() throws Exception {
// WHEN
displayWhen(TEST_NAME);
-
- assertGetAllow(UserType.class, USER_JACK_OID);
+
assertGetDeny(UserType.class, USER_JACK_OID, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
assertGetDeny(UserType.class, USER_GUYBRUSH_OID);
assertGetDeny(UserType.class, USER_GUYBRUSH_OID, SelectorOptions.createCollection(GetOperationOptions.createRaw()));
-
+
assertSearch(UserType.class, null, 1);
assertSearch(UserType.class, createNameQuery(USER_JACK_USERNAME), 1);
assertSearchDeny(UserType.class, createNameQuery(USER_JACK_USERNAME), SelectorOptions.createCollection(GetOperationOptions.createRaw()));
assertSearch(UserType.class, createNameQuery(USER_GUYBRUSH_USERNAME), 0);
assertSearchDeny(UserType.class, createNameQuery(USER_GUYBRUSH_USERNAME), SelectorOptions.createCollection(GetOperationOptions.createRaw()));
-
+
assertAddDeny();
assertModifyDeny();
assertDeleteDeny();
+
+ assertModifyMetadataDeny(UserType.class, USER_JACK_OID);
+ assertModifyMetadataDeny(UserType.class, USER_GUYBRUSH_OID);
- PrismObject user = getUser(USER_JACK_OID);
- assertAssignments(user, 2);
-
- user = getUser(USER_JACK_OID);
-
+ assertPasswordChangeAllow(UserType.class, USER_JACK_OID, "nbusr123");
+ assertPasswordChangeDeny(UserType.class, USER_GUYBRUSH_OID, "nbusr123");
+
// MID-3136
assertAllow("assign business role to jack",
(task, result) -> assignParametricRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, null, ORG_GOVERNOR_OFFICE_OID, task, result));
user = getUser(USER_JACK_OID);
- assertAssignments(user, 3);
+ assertAssignments(user, 2);
assertAssignedRole(user, ROLE_BUSINESS_1_OID);
assertDeny("assign application role to jack",
(task, result) -> assignRole(USER_JACK_OID, ROLE_BUSINESS_2_OID, task, result));
-
+
// End-user role has authorization to assign, but not to unassign
assertDeny("unassign business role from jack",
(task, result) -> unassignParametricRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, null, ORG_GOVERNOR_OFFICE_OID, task, result));
+ user = getUser(USER_JACK_OID);
+ display("user after (expected 3 assignments)", user);
+ assertAssignments(user, 2);
+
+ assertAllow("assign basic role to jack",
+ (task, result) -> assignRole(USER_JACK_OID, ROLE_BASIC_OID, task, result));
+
+ user = getUser(USER_JACK_OID);
+ display("user after (expected 3 assignments)", user);
+ assertAssignments(user, 3);
+
+ String accountOid = getSingleLinkOid(user);
+
+ PrismObject accountShadow = assertGetAllow(ShadowType.class, accountOid);
+ display("account shadow", accountShadow);
+
+ assertPasswordChangeAllow(UserType.class, USER_JACK_OID, "nbusr321");
+ assertPasswordChangeDeny(UserType.class, USER_GUYBRUSH_OID, "nbusr321");
+
+ assertPasswordChangeAllow(ShadowType.class, accountOid, "nbusr231");
+
+ assertDeny("unassign basic role from jack",
+ (task, result) -> unassignRole(USER_JACK_OID, ROLE_BASIC_OID, task, result));
+
user = getUser(USER_JACK_OID);
display("user after (expected 3 assignments)", user);
assertAssignments(user, 3);
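Review bot: The display message and the assertion disagree right after the denied unassign: `display("user after (expected 3 assignments)", user);` is followed by `assertAssignments(user, 2);`, so the log will mislead anyone debugging a failure there; the message should read `display("user after (expected 2 assignments)", user);`. The rewrite also drops the earlier positive `assertGetAllow(UserType.class, USER_JACK_OID)`, so this test no longer asserts that the end user can read their own object (only the search count and the later shadow read remain); if that was unintended, restoring the line next to the raw-get deny keeps the allow/deny pair together. The hunk is long and may be truncated here, so the enclosing test method possibly continues past what is shown.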
@@ -2386,7 +2429,7 @@ public void test281AutzJackEndUserSecondTime() throws Exception {
displayWhen(TEST_NAME);
PrismObject user = getUser(USER_JACK_OID);
- assertAssignments(user, 2);
+ assertAssignments(user, 1);
user = getUser(USER_JACK_OID);
@@ -2395,7 +2438,7 @@ public void test281AutzJackEndUserSecondTime() throws Exception {
(task, result) -> assignParametricRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, null, null, task, result));
user = getUser(USER_JACK_OID);
- assertAssignments(user, 3);
+ assertAssignments(user, 2);
assertAssignedRole(user, ROLE_BUSINESS_1_OID);
// MID-3136
@@ -2403,7 +2446,7 @@ public void test281AutzJackEndUserSecondTime() throws Exception {
(task, result) -> assignParametricRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, null, ORG_GOVERNOR_OFFICE_OID, task, result));
user = getUser(USER_JACK_OID);
- assertAssignments(user, 4);
+ assertAssignments(user, 3);
assertAssignedRole(user, ROLE_BUSINESS_1_OID);
assertDeny("assign application role to jack", new Attempt() {
@@ -2418,8 +2461,8 @@ public void run(Task task, OperationResult result) throws Exception {
(task, result) -> unassignParametricRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, null, ORG_GOVERNOR_OFFICE_OID, task, result));
user = getUser(USER_JACK_OID);
- display("user after (expected 4 assignments)", user);
- assertAssignments(user, 4);
+ display("user after (expected 3 assignments)", user);
+ assertAssignments(user, 3);
assertGlobalStateUntouched();
@@ -2459,7 +2502,7 @@ public void test282AutzJackEndUserAndModify() throws Exception {
assertDeleteDeny();
PrismObject user = getUser(USER_JACK_OID);
- assertAssignments(user, 3);
+ assertAssignments(user, 2);
assertAllow("modify jack's familyName",
(task, result) -> modifyObjectReplaceProperty(UserType.class, USER_JACK_OID, new ItemPath(UserType.F_FAMILY_NAME), task, result, PrismTestUtil.createPolyString("changed")));
@@ -2495,7 +2538,7 @@ public void test283AutzJackModifyAndEndUser() throws Exception {
assertDeleteDeny();
PrismObject user = getUser(USER_JACK_OID);
- assertAssignments(user, 3);
+ assertAssignments(user, 2);
assertAllow("modify jack's familyName",
(task, result) -> modifyObjectReplaceProperty(UserType.class, USER_JACK_OID, new ItemPath(UserType.F_FAMILY_NAME), task, result, PrismTestUtil.createPolyString("changed")));
@@ -2527,14 +2570,14 @@ public void test290AutzJackRoleOwnerAssign() throws Exception {
assertDeleteDeny();
PrismObject user = getUser(USER_JACK_OID);
- assertAssignments(user, 2);
+ assertAssignments(user, 1);
assertAssignedRole(user, ROLE_ROLE_OWNER_ASSIGN_OID);
assertAllow("assign application role 1 to jack",
(task,result) -> assignRole(USER_JACK_OID, ROLE_APPLICATION_1_OID, task, result));
user = getUser(USER_JACK_OID);
- assertAssignments(user, 3);
+ assertAssignments(user, 2);
assertAssignedRole(user, ROLE_APPLICATION_1_OID);
assertDeny("assign application role 2 to jack", new Attempt() {
@@ -2548,7 +2591,7 @@ public void run(Task task, OperationResult result) throws Exception {
(task,result) -> unassignRole(USER_JACK_OID, ROLE_APPLICATION_1_OID, task, result));
user = getUser(USER_JACK_OID);
- assertAssignments(user, 2);
+ assertAssignments(user, 1);
RoleSelectionSpecification spec = getAssignableRoleSpecification(getUser(USER_JACK_OID));
assertRoleTypes(spec);
diff --git a/model/model-intest/src/test/resources/security/role-basic.xml b/model/model-intest/src/test/resources/security/role-basic.xml
index 3bb0ae3562f..8c713dc3ef9 100644
--- a/model/model-intest/src/test/resources/security/role-basic.xml
+++ b/model/model-intest/src/test/resources/security/role-basic.xml
@@ -1,5 +1,5 @@