Add role membership management activity handler

That handler assigns a (presumably) business role to selected members, while unassigning (presumably) application roles induced by that role. Besides the handler itself, two features are of interest here: 1. RoleManagementUtil that could encapsulate knowledge about how exactly we treat e.g. induced roles or matching assignments; 2. New ObjectSetType.objectRef item that allows explicit enumeration of objects to be processed. Work in progress. Large sets of objects to be processed are not supported yet.
Evolveum · Aug 10, 2023 · 93abc62 · 93abc62
1 parent 42c92da
commit 93abc62
Show file tree

Hide file tree

Showing 20 changed files with 583 additions and 31 deletions.
diff --git a/...m/evolveum/midpoint/gui/impl/page/admin/role/mining/panel/BusinessRoleApplicationDto.java b/...m/evolveum/midpoint/gui/impl/page/admin/role/mining/panel/BusinessRoleApplicationDto.java
@@ -87,6 +87,8 @@ private void prepareUserDeltas(@NotNull PrismObject<UserType> prismObjectUser,
         ObjectDelta<UserType> addDelta = addRoleAssignment(userOid, prismObjectRole, pageBase);
         deltas.add(addDelta);
 
+        // TODO consider using methods from RoleManagementUtil here
+
         List<String> userRolesAssignmentOids = getRolesOidAssignment(userObject);
         List<String> roleRolesAssignmentOids = getRolesOidInducements(prismObjectRole);
 

diff --git a/.../java/com/evolveum/midpoint/gui/impl/page/admin/role/mining/utils/ClusterObjectUtils.java b/.../java/com/evolveum/midpoint/gui/impl/page/admin/role/mining/utils/ClusterObjectUtils.java
@@ -19,6 +19,8 @@
 import javax.xml.datatype.XMLGregorianCalendar;
 import javax.xml.namespace.QName;
 
+import com.evolveum.midpoint.schema.util.roles.RoleManagementUtil;
+
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
 
@@ -476,13 +478,9 @@ public static List<String> getRolesOidAssignment(AssignmentHolderType object) {
     }
 
     public static List<String> getRolesOidInducements(PrismObject<RoleType> object) {
-        List<String> oidList;
-        List<AssignmentType> assignments = object.asObjectable().getInducement();
-        oidList = assignments.stream().map(AssignmentType::getTargetRef).filter(
-                        targetRef -> targetRef.getType().equals(AbstractRoleType.COMPLEX_TYPE))
-                .map(AbstractReferencable::getOid).sorted()
-                .collect(Collectors.toList());
-        return oidList;
+        return RoleManagementUtil.getInducedRolesOids(object.asObjectable()).stream()
+                .sorted() // do we need this?
+                .toList();
     }
 
     public static void recomputeRoleAnalysisClusterDetectionOptions(String clusterOid, PageBase pageBase,

diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/roles/RoleManagementUtil.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/roles/RoleManagementUtil.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2010-2023 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+
+package com.evolveum.midpoint.schema.util.roles;
+
+import java.util.Collection;
+import java.util.List;
+import java.util.Objects;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+import org.jetbrains.annotations.NotNull;
+
+import com.evolveum.midpoint.prism.PrismContext;
+import com.evolveum.midpoint.prism.impl.binding.AbstractReferencable;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractRoleType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
+
+/**
+ * General methods useful for role analysis and management, e.g. determination of "is induced by" relations between roles.
+ */
+public class RoleManagementUtil {
+
+    /**
+     * Returns OIDs of roles induced by a given role.
+     * To be used e.g. for replacement of application role assignments by an equivalent business role assignment.
+     *
+     * TODO should we consider e.g. order constraints here? probably yes
+     */
+    public static @NotNull Set<String> getInducedRolesOids(@NotNull AbstractRoleType role) {
+        return role.getInducement().stream()
+                .map(AssignmentType::getTargetRef)
+                .filter(Objects::nonNull) // non-role inducements (e.g. policy rules, constructions, etc)
+                .map(AbstractReferencable::getOid)
+                .filter(Objects::nonNull) // dynamically resolved references
+                .collect(Collectors.toSet());
+    }
+
+    /**
+     * Selects assignments that match the collection of role OIDs, e.g. when dealing with a migration from application
+     * to business roles.
+     *
+     * We assume assignments have explicit OIDs, i.e. no dynamic references here.
+     *
+     * TODO review this assumption:
+     *  - Currently, only the default relation is taken into account here.
+     *
+     * Roughly related: `UnassignExecutor`
+     */
+    public static @NotNull List<AssignmentType> getMatchingAssignments(
+            @NotNull List<AssignmentType> assignments,
+            @NotNull Collection<String> targetOids) {
+        return assignments.stream()
+                .filter(a -> assignmentMatches(a, targetOids))
+                .toList();
+    }
+
+    private static boolean assignmentMatches(@NotNull AssignmentType assignment, @NotNull Collection<String> targetOids) {
+        ObjectReferenceType targetRef = assignment.getTargetRef();
+        return targetRef != null
+                && PrismContext.get().isDefaultRelation(targetRef.getRelation())
+                && targetOids.contains(targetRef.getOid());
+    }
+}
diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/roles/package-info.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/roles/package-info.java
@@ -0,0 +1,11 @@
+/*
+ * Copyright (C) 2010-2023 Evolveum and contributors
+ *
+ * This work is dual-licensed under the Apache License 2.0
+ * and European Union Public License. See LICENSE file for details.
+ */
+
+/**
+ * Contains "auxiliary" functionality useful for role management area, e.g. role mining, role membership management, etc.
+ */
+package com.evolveum.midpoint.schema.util.roles;
diff --git a/.../schema/src/main/java/com/evolveum/midpoint/schema/util/task/work/WorkDefinitionUtil.java b/.../schema/src/main/java/com/evolveum/midpoint/schema/util/task/work/WorkDefinitionUtil.java
@@ -57,6 +57,7 @@ public class WorkDefinitionUtil {
         addTypedParameters(values, definitions.getNoOp());
         addTypedParameters(values, definitions.getPropagation());
         addTypedParameters(values, definitions.getMultiPropagation());
+        addTypedParameters(values, definitions.getRoleMembershipManagement());
 
         addUntypedParameters(values, definitions.getExtension());
         return values;

diff --git a/infra/schema/src/main/resources/xml/ns/public/common/common-tasks-3.xsd b/infra/schema/src/main/resources/xml/ns/public/common/common-tasks-3.xsd
@@ -2038,6 +2038,13 @@
                         </xsd:documentation>
                     </xsd:annotation>
                 </xsd:element>
+                <xsd:element name="roleMembershipManagement" type="tns:RoleMembershipManagementWorkDefinitionType" minOccurs="0">
+                    <xsd:annotation>
+                        <xsd:documentation>
+                            Executes the "role membership management" activity.
+                        </xsd:documentation>
+                    </xsd:annotation>
+                </xsd:element>
             </xsd:choice>
             <xsd:element name="extension" type="tns:ExtensionType" minOccurs="0">
                 <xsd:annotation>
@@ -6796,6 +6803,25 @@
                             </xsd:documentation>
                         </xsd:annotation>
                     </xsd:element>
+                    <xsd:element name="objectRef" type="tns:ObjectReferenceType" minOccurs="0" maxOccurs="unbounded">
+                        <xsd:annotation>
+                            <xsd:documentation>
+                                Explicit enumeration of objects belonging to this object set.
+                                Functionally equivalent to "inOid" filter in "query".
+
+                                Mutually exclusive with "query".
+
+                                Limitation:
+                                1. All uses except for in "roleMembershipManagementWorkDefinition" are considered
+                                   experimental. (They should work but no guarantees there.)
+                                2. The list here is translated into "has OID" query, so it may not work adequately
+                                   for large lists of objects (e.g. thousands).
+                            </xsd:documentation>
+                            <xsd:appinfo>
+                                <a:objectReferenceTargetType>tns:ObjectType</a:objectReferenceTargetType>
+                            </xsd:appinfo>
+                        </xsd:annotation>
+                    </xsd:element>
                     <xsd:element name="searchOptions" type="c:SelectorQualifiedGetOptionsType" minOccurs="0">
                         <xsd:annotation>
                             <xsd:documentation>
@@ -9041,4 +9067,44 @@
         </xsd:sequence>
     </xsd:complexType>
     <xsd:element name="activityAffectedObjects" type="tns:ActivityAffectedObjectsType"/>
+
+    <xsd:complexType name="RoleMembershipManagementWorkDefinitionType">
+        <xsd:annotation>
+            <xsd:documentation>
+                Definition of "role membership management" activity. Currently, it assigns new members to a role,
+                and un-assigns legacy roles (induced by the business role) from them.
+            </xsd:documentation>
+            <xsd:appinfo>
+                <a:container>true</a:container>
+                <a:since>4.8</a:since>
+            </xsd:appinfo>
+        </xsd:annotation>
+        <xsd:complexContent>
+            <xsd:extension base="tns:AbstractWorkDefinitionType">
+                <xsd:sequence>
+                    <xsd:element name="roleRef" type="tns:ObjectReferenceType">
+                        <xsd:annotation>
+                            <xsd:documentation>
+                                Role whose membership we are going to manage.
+                                It must exist before execution of this activity.
+                            </xsd:documentation>
+                            <xsd:appinfo>
+                                <a:objectReferenceTargetType>tns:AbstractRoleType</a:objectReferenceTargetType>
+                            </xsd:appinfo>
+                        </xsd:annotation>
+                    </xsd:element>
+                    <xsd:element name="members" type="tns:ObjectSetType">
+                        <xsd:annotation>
+                            <xsd:documentation>
+                                Prospective members of the role.
+                            </xsd:documentation>
+                        </xsd:annotation>
+                    </xsd:element>
+                    <xsd:element name="executionOptions" type="tns:ModelExecuteOptionsType" minOccurs="0"/>
+                    <!-- "business" operation options i.e. what we actually want to do (assigning/unassigning members) -->
+                </xsd:sequence>
+            </xsd:extension>
+        </xsd:complexContent>
+    </xsd:complexType>
+    <xsd:element name="roleMembershipManagementWorkDefinition" type="tns:RoleMembershipManagementWorkDefinitionType"/>
 </xsd:schema>
diff --git a/...pl/src/main/java/com/evolveum/midpoint/model/impl/scripting/actions/UnassignExecutor.java b/...pl/src/main/java/com/evolveum/midpoint/model/impl/scripting/actions/UnassignExecutor.java
@@ -10,6 +10,9 @@
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
+
+import com.evolveum.midpoint.schema.util.roles.RoleManagementUtil;
+
 import jakarta.annotation.PostConstruct;
 import javax.xml.namespace.QName;
 
@@ -144,16 +147,19 @@ private VariablesMap createVariables(AssignmentHolderType input, PipelineItem it
         return variables;
     }
 
+    /** Roughly related: {@link RoleManagementUtil#getMatchingAssignments(List, Collection)}. */
     @SuppressWarnings("SimplifiableIfStatement")
     private boolean matches(AssignmentType existingAssignment, UnassignParameters parameters, ObjectFilter resolvedFilter)
             throws SchemaException {
         ObjectReferenceType targetRef = existingAssignment.getTargetRef();
-        if (targetRef != null && matchesOid(targetRef.getOid(), parameters.dynamicRoleRefs)
+        if (targetRef != null
+                && matchesOid(targetRef.getOid(), parameters.dynamicRoleRefs)
                 && matchesRelation(targetRef.getRelation(), parameters.dynamicRelations)) {
             return true;
         }
         ConstructionType construction = existingAssignment.getConstruction();
-        if (construction != null && construction.getResourceRef() != null
+        if (construction != null
+                && construction.getResourceRef() != null
                 && matchesOid(construction.getResourceRef().getOid(), parameters.dynamicResourceRefs)) {
             return true;
         }

diff --git a/...el-impl/src/main/java/com/evolveum/midpoint/model/impl/tasks/DeletionActivityHandler.java b/...el-impl/src/main/java/com/evolveum/midpoint/model/impl/tasks/DeletionActivityHandler.java
@@ -140,6 +140,7 @@ private void executeSafetyChecks() {
             ObjectSetType objects = getWorkDefinition().getObjectSetSpecification();
             argCheck(objects.getType() != null, "Object type must be specified (this is a safety check)");
             argCheck(objects.getQuery() != null, "Object query must be specified (this is a safety check)");
+            // We could later support also explicit object references here
             checkRawModeSettings();
         }