Fixing null filter in authorization target (MID-2549)

Evolveum · Oct 21, 2015 · a226cb4 · a226cb4
1 parent 2feb36c
commit a226cb4
Show file tree

Hide file tree

Showing 6 changed files with 118 additions and 4 deletions.
diff --git a/...ontroller/ModelInterationServiceImpl.java → ...ntroller/ModelInteractionServiceImpl.java b/...ontroller/ModelInterationServiceImpl.java → ...ntroller/ModelInteractionServiceImpl.java
@@ -105,9 +105,9 @@
  *
  */
 @Component("modelInteractionService")
-public class ModelInterationServiceImpl implements ModelInteractionService {
+public class ModelInteractionServiceImpl implements ModelInteractionService {
 
-	private static final Trace LOGGER = TraceManager.getTrace(ModelInterationServiceImpl.class);
+	private static final Trace LOGGER = TraceManager.getTrace(ModelInteractionServiceImpl.class);
 
 	@Autowired(required = true)
 	private ContextFactory contextFactory;
@@ -454,7 +454,10 @@ private RoleSelectionSpecification getAllRoleTypesSpec(RoleSelectionSpecificatio
 	}
 
 	private Collection<DisplayableValue<String>> getRoleSelectionSpec(ObjectFilter filter) throws SchemaException {
-		if (filter instanceof EqualFilter<?>) {
+		LOGGER.trace("getRoleSelectionSpec({})", filter);
+		if (filter == null || filter instanceof AllFilter) {
+			return null;
+		} else if (filter instanceof EqualFilter<?>) {
 			return createSingleDisplayableValueCollection(getRoleSelectionSpecEq((EqualFilter)filter));
 		} else if (filter instanceof AndFilter) {
 			for (ObjectFilter subfilter: ((AndFilter)filter).getConditions()) {

diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java
@@ -170,6 +170,9 @@ public class TestSecurity extends AbstractInitializedModelIntegrationTest {
 	protected static final File ROLE_ASSIGN_APPLICATION_ROLES_FILE = new File(TEST_DIR, "role-assign-application-roles.xml");
 	protected static final String ROLE_ASSIGN_APPLICATION_ROLES_OID = "00000000-0000-0000-0000-00000000aa0c";
 
+	protected static final File ROLE_ASSIGN_ANY_ROLES_FILE = new File(TEST_DIR, "role-assign-any-roles.xml");
+	protected static final String ROLE_ASSIGN_ANY_ROLES_OID = "00000000-0000-0000-0000-00000000ab0c";
+
 	protected static final File ROLE_ORG_READ_ORGS_MINISTRY_OF_RUM_FILE = new File(TEST_DIR, "role-org-read-orgs-ministry-of-rum.xml");
 	protected static final String ROLE_ORG_READ_ORGS_MINISTRY_OF_RUM_OID = "00000000-0000-0000-0000-00000000aa0d";
 
@@ -232,6 +235,7 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
 		repoAddObjectFromFile(ROLE_SELF_ACCOUNTS_READ_WRITE_FILE, RoleType.class, initResult);
 		repoAddObjectFromFile(ROLE_SELF_ACCOUNTS_PARTIAL_CONTROL_FILE, RoleType.class, initResult);
 		repoAddObjectFromFile(ROLE_ASSIGN_APPLICATION_ROLES_FILE, RoleType.class, initResult);
+		repoAddObjectFromFile(ROLE_ASSIGN_ANY_ROLES_FILE, RoleType.class, initResult);
 		repoAddObjectFromFile(ROLE_ORG_READ_ORGS_MINISTRY_OF_RUM_FILE, RoleType.class, initResult);
 		repoAddObjectFromFile(ROLE_FILTER_OBJECT_USER_LOCATION_SHADOWS_FILE, RoleType.class, initResult);
 		repoAddObjectFromFile(ROLE_FILTER_OBJECT_USER_TYPE_SHADOWS_FILE, RoleType.class, initResult);
@@ -1426,6 +1430,66 @@ public void run(Task task, OperationResult result) throws Exception {
 
         assertGlobalStateUntouched();
 	}
+
+	@Test
+    public void test272AutzJackAssignAnyRoles() throws Exception {
+		final String TEST_NAME = "test272AutzJackAssignAnyRoles";
+        TestUtil.displayTestTile(this, TEST_NAME);
+        // GIVEN
+        cleanupAutzTest(USER_JACK_OID);        
+        assignRole(USER_JACK_OID, ROLE_ASSIGN_ANY_ROLES_OID);
+
+        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
+
+        login(USER_JACK_USERNAME);
+
+        // WHEN
+        TestUtil.displayWhen(TEST_NAME);
+
+        assertReadAllow(10);
+        assertAddDeny();
+        assertModifyDeny();
+        assertDeleteDeny();
+
+        PrismObject<UserType> user = getUser(USER_JACK_OID);
+        assertAssignments(user, 2);
+        assertAssignedRole(user, ROLE_ASSIGN_ANY_ROLES_OID);
+
+        assertAllow("assign application role to jack", new Attempt() {
+			@Override
+			public void run(Task task, OperationResult result) throws Exception {
+				assignRole(USER_JACK_OID, ROLE_APPLICATION_1_OID, task, result);
+			}
+		});
+
+        user = getUser(USER_JACK_OID);
+        assertAssignments(user, 3);
+        assertAssignedRole(user, ROLE_APPLICATION_1_OID);
+
+        assertAllow("assign business role to jack", new Attempt() {
+			@Override
+			public void run(Task task, OperationResult result) throws Exception {
+				assignRole(USER_JACK_OID, ROLE_BUSINESS_1_OID, task, result);
+			}
+		});
+
+        assertAllow("unassign application role from jack", new Attempt() {
+			@Override
+			public void run(Task task, OperationResult result) throws Exception {
+				unassignRole(USER_JACK_OID, ROLE_APPLICATION_1_OID, task, result);
+			}
+		});
+
+        user = getUser(USER_JACK_OID);
+        assertAssignments(user, 3);
+
+        RoleSelectionSpecification spec = getAssignableRoleSpecification(getUser(USER_JACK_OID));
+        assertRoleTypes(spec);
+        assertFilter(spec.getFilter(), TypeFilter.class);
+
+        assertGlobalStateUntouched();
+	}
+
 
 	@Test
     public void test280AutzJackEndUser() throws Exception {

diff --git a/model/model-intest/src/test/resources/logback-test.xml b/model/model-intest/src/test/resources/logback-test.xml
@@ -76,6 +76,7 @@
     <logger name="com.evolveum.midpoint.model.impl.util.AbstractSearchIterativeTaskHandler" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.sync.SynchronizationService" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.controller.ModelController" level="DEBUG" />
+    <logger name="com.evolveum.midpoint.model.impl.controller.ModelInteractionServiceImpl" level="TRACE" />
     <logger name="com.evolveum.icf.dummy" level="INFO" />
     <logger name="com.evolveum.midpoint.model.impl.expr" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.util.DeleteTaskHandler" level="DEBUG" />

diff --git a/model/model-intest/src/test/resources/security/role-assign-any-roles.xml b/model/model-intest/src/test/resources/security/role-assign-any-roles.xml
@@ -0,0 +1,37 @@
+<!--
+  ~ Copyright (c) 2014 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<role oid="00000000-0000-0000-0000-00000000ab0c"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
+    <name>Assign Any Role</name>    
+    <authorization>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+    </authorization>
+    <authorization>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#unassign</action>
+    	<phase>request</phase>
+    	<target>
+    		<type>RoleType</type>
+    	</target>
+    </authorization>
+    <authorization>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
+    	<phase>execution</phase>
+    </authorization>
+</role>
diff --git a/model/model-intest/src/test/resources/security/role-assign-application-roles.xml b/model/model-intest/src/test/resources/security/role-assign-application-roles.xml
@@ -33,6 +33,12 @@
 	    				<q:path>roleType</q:path>
 	    				<q:value>application</q:value>
 	    			</q:equal>
+	    			<q:equal>
+	    				<!-- This role does not even exists. 
+	    				     But it does not change the result and it replicates MID-2549 -->
+	    				<q:path>name</q:path>
+	    				<q:value>nonexistent</q:value>
+	    			</q:equal>
 	    			<q:equal>
 	    				<!-- This role type does not even exists. 
 	    				     But it does not change the result and it replicates MID-2549 -->

diff --git a/...del-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java b/...del-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
@@ -2917,7 +2917,10 @@ protected void assertRoleTypes(RoleSelectionSpecification roleSpec, String... ex
 		assertNotNull("Null role spec", roleSpec);
         display("Role spec", roleSpec);
         List<DisplayableValue<String>> roleTypes = roleSpec.getRoleTypes();
-        assertNotNull("Null roleTypes in roleSpec "+roleSpec);
+        if ((roleTypes == null || roleTypes.isEmpty()) && expectedRoleTypes.length == 0) {
+        	return;
+        }
+        assertNotNull("Null roleTypes in roleSpec "+roleSpec, roleTypes);
         if (roleTypes.size() != expectedRoleTypes.length) {
         	AssertJUnit.fail("Expected role types "+Arrays.toString(expectedRoleTypes)+" but got "+roleTypes);
         }