Merge remote-tracking branch 'refs/remotes/origin/master'

Evolveum · Mar 22, 2024 · 9c5054c · 9c5054c
2 parents b3c6059 + c28544c
commit 9c5054c
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 13 deletions.
diff --git a/docs/roles-policies/classification/index.adoc b/docs/roles-policies/classification/index.adoc
@@ -9,6 +9,8 @@ compliance:
             description: 'Example demonstrating use of policy rules to enforce classification requirements'
         '5.14':
             description: 'Description of an idea for limiting access to internal information using classification scheme'
+        '5.16':
+            description: 'Management of user clearances'
 ---
 = Information Classification and Clearances
 :page-toc: top
@@ -301,7 +303,12 @@ E.g. certify access to category III systems every 6 months, certify access to ca
 // TODO: create an example for this, after 4.9 when new certification settles in.
 // TODO: Refer from ISO 27001 5.13
 
-* As classifications (labels) and clearances are assigned to relevant objects using ordinary feature:assignment[assignments], feature:access-certification[access certification] features can be used to regularly re-certify the classifications and clearances. Furthermore, the feature:schema-activation[activation mechanisms] of the assignment can be used to assign clearances for a limited time period.
+* As clearances are assigned to users using ordinary feature:assignment[assignments], feature:access-certification[access certification] features can be used to regularly re-certify the  clearances. Furthermore, the feature:schema-activation[activation mechanisms] of the assignment can be used to assign clearances for a limited time period.
+// TODO: create an example for this, after 4.9 when new certification settles in.
+// TODO: Refer from ISO 27001 5.6
+
+// TODO * As classifications (labels) are assigned to relevant objects using ordinary feature:assignment[assignments], feature:access-certification[access certification] features can be used to regularly re-certify the classifications.
+// TODO: we need ability to replace assignment in certification, not just removal of assignment
 // TODO: create an example for this, after 4.9 when new certification settles in.
 // TODO: Refer from ISO 27001 5.12
 

diff --git a/infra/common/src/main/java/com/evolveum/midpoint/common/cleanup/CleanupActionProcessor.java b/infra/common/src/main/java/com/evolveum/midpoint/common/cleanup/CleanupActionProcessor.java
@@ -190,14 +190,14 @@ private boolean processItem(
             return false;
         }
 
-        if (def.isOperational()) {
-            return true;
-        }
-
         if (def.isOptionalCleanup()) {
             return fireConfirmOptionalCleanup(createEvent(object, currentPath, item, source, result));
         }
 
+        if (def.isOperational()) {
+            return true;
+        }
+
         return false;
     }
 

diff --git a/...ain/java/com/evolveum/midpoint/schema/processor/AbstractResourceObjectDefinitionImpl.java b/...ain/java/com/evolveum/midpoint/schema/processor/AbstractResourceObjectDefinitionImpl.java
@@ -316,6 +316,8 @@ public PrismObjectDefinition<ShadowType> getPrismObjectDefinition() {
         if (prismObjectDefinition == null) {
             PrismObjectDefinition<ShadowType> definition = toPrismObjectDefinition();
             definition.freeze();
+            // We could also consider not caching the definition if this object is still mutable. That would be perhaps safer.
+            // Currently, it is solved by invalidation this definition when attributes/associations are added. See also MID-9535.
             this.prismObjectDefinition = definition;
         }
         return prismObjectDefinition;
@@ -757,6 +759,7 @@ public void add(ItemDefinition<?> definition) {
         }
 
         attributeDefinitions.add(definitionToAdd);
+        invalidatePrismObjectDefinition();
         return definitionToAdd;
     }
 
@@ -814,6 +817,7 @@ public void validate() throws SchemaException {
     void addAssociationDefinition(@NotNull ShadowAssociationDefinition associationDef) {
         checkMutable();
         associationDefinitions.add(associationDef);
+        invalidatePrismObjectDefinition();
     }
 
     void addAuxiliaryObjectClassDefinition(@NotNull ResourceObjectDefinition definition) {

diff --git a/provisioning/provisioning-impl/src/test/resources/dummy/dummy-extra/resource-dummy.xml b/provisioning/provisioning-impl/src/test/resources/dummy/dummy-extra/resource-dummy.xml
@@ -30,13 +30,6 @@
             <icfi:supportValidity>true</icfi:supportValidity>
             <icfi:passwordReadabilityMode>readable</icfi:passwordReadabilityMode>
         </icfc:configurationProperties>
-
-        <icfc:resultsHandlerConfiguration>
-            <icfc:enableNormalizingResultsHandler>false</icfc:enableNormalizingResultsHandler>
-            <icfc:enableFilteredResultsHandler>false</icfc:enableFilteredResultsHandler>
-            <icfc:enableAttributesToGetSearchResultsHandler>false</icfc:enableAttributesToGetSearchResultsHandler>
-        </icfc:resultsHandlerConfiguration>
-
     </connectorConfiguration>
     <!-- No schema. It should be generated by provisioning on the first use of this resource. -->
     <schemaHandling>
@@ -56,7 +49,12 @@
             <intent>default</intent>
             <displayName>Default Account</displayName>
             <default>true</default>
-            <objectClass>ri:AccountObjectClass</objectClass>
+            <delineation>
+                <objectClass>ri:AccountObjectClass</objectClass>
+                <filter> <!-- MID-9535 -->
+                    <q:text>attributes/name not endsWith "nonsense-string"</q:text>
+                </filter>
+            </delineation>
             <attribute>
                 <ref>icfs:name</ref>
                 <displayName>Username</displayName>