Add more relation-related fixes (MID-3581)

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/page/PageBase.java

@@ -356,7 +356,7 @@ protected Integer load() {
                     Task task = createSimpleTask(OPERATION_LOAD_WORK_ITEM_COUNT);
                     S_FilterEntryOrEmpty q = QueryBuilder.queryFor(WorkItemType.class, getPrismContext());
                     ObjectQuery query = QueryUtils.filterForAssignees(q, getPrincipal(),
-                            OtherPrivilegesLimitationType.F_APPROVAL_WORK_ITEMS, getPrismContext()).build();        // TODO MID-3581
+                            OtherPrivilegesLimitationType.F_APPROVAL_WORK_ITEMS, getRelationRegistry()).build();
                     return getModelService().countContainers(WorkItemType.class, query, null, task, task.getResult());
                 } catch (SchemaException | SecurityViolationException | ExpressionEvaluationException | ObjectNotFoundException | CommunicationException | ConfigurationException e) {
                     LoggingUtils.logExceptionAsWarning(LOGGER, "Couldn't load work item count", e);

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/data/BaseSortableDataProvider.java

@@ -27,6 +27,7 @@
 import com.evolveum.midpoint.prism.query.OrderDirection;
 import com.evolveum.midpoint.repo.api.RepositoryService;
 import com.evolveum.midpoint.schema.GetOperationOptions;
+import com.evolveum.midpoint.schema.RelationRegistry;
 import com.evolveum.midpoint.schema.SchemaConstantsGenerated;
 import com.evolveum.midpoint.schema.SelectorOptions;
 import com.evolveum.midpoint.schema.result.OperationResult;
@@ -116,6 +117,11 @@ protected PrismContext getPrismContext() {
         return application.getPrismContext();
     }
 
+    protected RelationRegistry getRelationRegistry() {
+        MidPointApplication application = MidPointApplication.get();
+        return application.getRelationRegistry();
+    }
+
     protected TaskService getTaskService() {
         MidPointApplication application = MidPointApplication.get();
         return application.getTaskService();

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/cases/PageCaseWorkItems.java

@@ -142,7 +142,7 @@ private ObjectQuery createQuery() throws SchemaException, ObjectNotFoundExceptio
         } else {
             // not authorized to see all => sees only allocated to him (not quite what is expected, but sufficient for the time being)
             query = QueryUtils.filterForAssignees(q, SecurityUtils.getPrincipalUser(),
-                    OtherPrivilegesLimitationType.F_APPROVAL_WORK_ITEMS, getPrismContext())     // TODO MID-3581
+                    OtherPrivilegesLimitationType.F_APPROVAL_WORK_ITEMS, getRelationRegistry())
                     .and().item(CaseWorkItemType.F_CLOSE_TIMESTAMP).isNull().build();
         }
         IsolatedCheckBoxPanel includeClosedCases = (IsolatedCheckBoxPanel) getCaseWorkItemsSearchField(ID_SEARCH_FILTER_INCLUDE_CLOSED_CASES);

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/roles/MemberOperationsHelper.java

@@ -158,7 +158,7 @@ public static <O extends ObjectType, R extends AbstractRoleType> void initObject
 	public static <R extends AbstractRoleType> ObjectQuery createDirectMemberQuery(R targetObject, QName objectType, Collection<QName> relations, ObjectViewDto<OrgType> tenant, ObjectViewDto<OrgType> project, PrismContext prismContext) {
 		ObjectQuery query;
 
-		// TODO MID-3581 fix the query from the point of relations!
+		// We assume tenantRef.relation and orgRef.relation are always default ones (see also MID-3581)
 		S_AtomicFilterExit q = QueryBuilder.queryFor(FocusType.class, prismContext)
 				.item(FocusType.F_ASSIGNMENT, AssignmentType.F_TARGET_REF)
 				.ref(createReferenceValuesList(targetObject, relations));
@@ -167,7 +167,7 @@ public static <R extends AbstractRoleType> ObjectQuery createDirectMemberQuery(R
 					prismContext).asReferenceValue());
 		}
 
-		if (project != null && project.getObjectType() !=null) {
+		if (project != null && project.getObjectType() != null) {
 			q = q.and().item(FocusType.F_ASSIGNMENT, AssignmentType.F_ORG_REF).ref(ObjectTypeUtil.createObjectRef(project.getObjectType(),
 					prismContext).asReferenceValue());
 		}
@@ -186,9 +186,8 @@ public static <R extends AbstractRoleType> ObjectQuery createDirectMemberQuery(R
 
 	public static <R extends AbstractRoleType> List<PrismReferenceValue> createReferenceValuesList(R targetObject, Collection<QName> relations) {
 		List<PrismReferenceValue> referenceValuesList = new ArrayList<>();
-		relations.stream().forEach(relation -> referenceValuesList.add(createReference(targetObject, relation).asReferenceValue()));
+		relations.forEach(relation -> referenceValuesList.add(createReference(targetObject, relation).asReferenceValue()));
 		return referenceValuesList;
-
 	}
 
 	public static <O extends ObjectType> ObjectQuery createSelectedObjectsQuery(List<O> selectedObjects) {

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/workflow/dto/WorkItemDtoProvider.java

@@ -181,11 +181,11 @@ private ObjectQuery createQuery(OperationResult result) throws SchemaException {
         if (WorkItemsPageType.ALL.equals(workItemsPageType) && authorizedToSeeAll) {
             return q.build();
         } else if (WorkItemsPageType.CLAIMABLE.equals(workItemsPageType)) {
-            return QueryUtils.filterForGroups(q, currentUserOid(), getRepositoryService(), result).build();
+            return QueryUtils.filterForGroups(q, currentUserOid(), getRepositoryService(), getRelationRegistry(), result).build();
         } else {
             // not authorized to see all => sees only allocated to him (not quite what is expected, but sufficient for the time being)
-            return QueryUtils.filterForAssignees(q, SecurityUtils.getPrincipalUser(),   // TODO MID-3581
-                    OtherPrivilegesLimitationType.F_APPROVAL_WORK_ITEMS, getPrismContext()).build();
+            return QueryUtils.filterForAssignees(q, SecurityUtils.getPrincipalUser(),
+                    OtherPrivilegesLimitationType.F_APPROVAL_WORK_ITEMS, getRelationRegistry()).build();
         }
     }
 

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/PageSelfDashboard.java

@@ -288,7 +288,7 @@ private CallableResult<List<WorkItemDto>> loadWorkItems() {
             // (Note that the current code is consistent with the other places where work items are displayed.)
             S_FilterEntryOrEmpty q = QueryBuilder.queryFor(WorkItemType.class, getPrismContext());
             ObjectQuery query = QueryUtils.filterForAssignees(q, SecurityUtils.getPrincipalUser(),
-                    OtherPrivilegesLimitationType.F_APPROVAL_WORK_ITEMS, getPrismContext())     // TODO MID-3581
+                    OtherPrivilegesLimitationType.F_APPROVAL_WORK_ITEMS, getRelationRegistry())
                     .desc(F_CREATE_TIMESTAMP)
                     .build();
             Collection<SelectorOptions<GetOperationOptions>> options =

infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ObjectQueryUtil.java

@@ -27,6 +27,8 @@
 import com.evolveum.midpoint.prism.query.Visitor;
 import com.evolveum.midpoint.prism.query.builder.QueryBuilder;
 import com.evolveum.midpoint.prism.query.builder.S_AtomicFilterExit;
+import com.evolveum.midpoint.schema.RelationRegistry;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.lang.Validate;
 import org.apache.commons.lang.mutable.MutableBoolean;
@@ -38,13 +40,11 @@
 import com.evolveum.midpoint.schema.ResourceShadowDiscriminator;
 import com.evolveum.midpoint.util.DOMUtil;
 import com.evolveum.midpoint.util.exception.SchemaException;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowKindType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
 import com.evolveum.prism.xml.ns._public.query_3.QueryType;
 import com.evolveum.prism.xml.ns._public.types_3.PolyStringType;
 import org.jetbrains.annotations.NotNull;
 
+import static java.util.Collections.singleton;
 import static java.util.Collections.singletonList;
 import static org.apache.commons.collections4.CollectionUtils.isEmpty;
 
@@ -544,6 +544,23 @@ public static FilterComponents factorOutOrFilter(ObjectFilter filter, ItemPath..
 		return components;
 	}
 
+	// Creates references for querying
+	public static List<PrismReferenceValue> createReferences(String oid, RelationKindType kind,
+			RelationRegistry relationRegistry) {
+		return createReferences(singleton(oid), kind, relationRegistry);
+	}
+
+	public static List<PrismReferenceValue> createReferences(Collection<String> oids, RelationKindType kind,
+			RelationRegistry relationRegistry) {
+		List<PrismReferenceValue> rv = new ArrayList<>();
+		for (QName relation : relationRegistry.getAllRelationsFor(kind)) {
+			for (String oid : oids) {
+				rv.add(new ObjectReferenceType().oid(oid).relation(relation).asReferenceValue());
+			}
+		}
+		return rv;
+	}
+
 	/**
 	 * Describes how to treat a filter when factoring out a query/filter.
 	 */

model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/AccCertQueryHelper.java

@@ -24,6 +24,7 @@
 import com.evolveum.midpoint.prism.query.builder.QueryBuilder;
 import com.evolveum.midpoint.repo.api.RepositoryService;
 import com.evolveum.midpoint.schema.GetOperationOptions;
+import com.evolveum.midpoint.schema.RelationRegistry;
 import com.evolveum.midpoint.schema.SelectorOptions;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
@@ -54,6 +55,7 @@ public class AccCertQueryHelper {
     private static final transient Trace LOGGER = TraceManager.getTrace(AccCertQueryHelper.class);
 
     @Autowired private PrismContext prismContext;
+    @Autowired private RelationRegistry relationRegistry;
     @Autowired protected AccCertGeneralHelper helper;
 	@Autowired @Qualifier("cacheRepositoryService")
 	private RepositoryService repositoryService;
@@ -139,7 +141,7 @@ private ObjectFilter getReviewerAndEnabledFilterForWI(MidPointPrincipal principa
 						QueryBuilder.queryFor(AccessCertificationWorkItemType.class, prismContext),
 						principal,
 						OtherPrivilegesLimitationType.F_CERTIFICATION_WORK_ITEMS,
-						prismContext)       // TODO MID-3581
+						relationRegistry)
 					.and().item(F_CLOSE_TIMESTAMP).isNull()
 					.buildFilter();
         } else {

model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/AccCertReviewersHelper.java

@@ -30,6 +30,7 @@
 import com.evolveum.midpoint.schema.constants.ExpressionConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.CertCampaignTypeUtil;
+import com.evolveum.midpoint.schema.util.ObjectQueryUtil;
 import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
 import com.evolveum.midpoint.schema.util.ResourceTypeUtil;
 import com.evolveum.midpoint.task.api.Task;
@@ -131,11 +132,15 @@ private void resolveRoleReviewers(List<ObjectReferenceType> reviewers, Operation
 
 	private List<ObjectReferenceType> getMembers(ObjectReferenceType abstractRoleRef, OperationResult result)
 			throws SchemaException {
-		ObjectQuery query = QueryBuilder.queryFor(UserType.class, prismContext)
-				.item(UserType.F_ROLE_MEMBERSHIP_REF).ref(abstractRoleRef.getOid())
-				.build();
+		Collection<PrismReferenceValue> references = ObjectQueryUtil
+				.createReferences(abstractRoleRef.getOid(), RelationKindType.MEMBERSHIP, relationRegistry);
+		ObjectQuery query = references.isEmpty()
+				? QueryBuilder.queryFor(UserType.class, prismContext).none().build()
+				: QueryBuilder.queryFor(UserType.class, prismContext)
+					.item(UserType.F_ROLE_MEMBERSHIP_REF).ref(references)
+					.build();
 		return repositoryService.searchObjects(UserType.class, query, null, result).stream()
-				.map(obj -> ObjectTypeUtil.createObjectRef(obj, prismContext))      // TODO MID-3581
+				.map(obj -> ObjectTypeUtil.createObjectRef(obj, prismContext))
 				.collect(Collectors.toList());
 	}
 

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/sync/ReconciliationTaskHandler.java

@@ -553,7 +553,7 @@ private boolean performShadowReconciliation(final PrismObject<ResourceType> reso
 					.item(ShadowType.F_FULL_SYNCHRONIZATION_TIMESTAMP).le(XmlTypeConverter.createXMLGregorianCalendar(startTimestamp))
 					.or().item(ShadowType.F_FULL_SYNCHRONIZATION_TIMESTAMP).isNull()
 				.endBlock()
-				.and().item(ShadowType.F_RESOURCE_REF).ref(ObjectTypeUtil.createObjectRef(resource, prismContext).asReferenceValue())   // TODO MID-3581
+				.and().item(ShadowType.F_RESOURCE_REF).ref(ObjectTypeUtil.createObjectRef(resource, prismContext).asReferenceValue())
 				.and().item(ShadowType.F_OBJECT_CLASS).eq(objectclassDef.getTypeName())
 				.build();
 

model/workflow-api/src/main/java/com/evolveum/midpoint/wf/util/QueryUtils.java

@@ -17,12 +17,13 @@
 package com.evolveum.midpoint.wf.util;
 
 import com.evolveum.midpoint.model.api.util.DeputyUtils;
-import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismReferenceValue;
 import com.evolveum.midpoint.prism.query.builder.S_AtomicFilterExit;
 import com.evolveum.midpoint.prism.query.builder.S_FilterEntryOrEmpty;
 import com.evolveum.midpoint.prism.query.builder.S_FilterExit;
 import com.evolveum.midpoint.repo.api.RepositoryService;
+import com.evolveum.midpoint.schema.RelationRegistry;
+import com.evolveum.midpoint.schema.constants.ObjectTypes;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
 import com.evolveum.midpoint.security.api.DelegatorWithOtherPrivilegesLimitations;
@@ -50,50 +51,51 @@ public class QueryUtils {
 	 *
 	 * Note that work item limitations are supported only in the current (crude) form: all or none.
 	 */
-	// TODO consider other default relations here!!! MID-3851
 	public static S_AtomicFilterExit filterForAssignees(S_FilterEntryOrEmpty q, MidPointPrincipal principal,
-			QName limitationItemName, PrismContext prismContext) {
+			QName limitationItemName, RelationRegistry relationRegistry) {
 		if (principal == null) {
 			return q.none();
 		} else {
-			return q.item(WorkItemType.F_ASSIGNEE_REF).ref(getPotentialAssigneesForUser(principal, limitationItemName, prismContext));
+			return q.item(WorkItemType.F_ASSIGNEE_REF).ref(getPotentialAssigneesForUser(principal, limitationItemName, relationRegistry));
 		}
 	}
 
-	public static S_FilterExit filterForGroups(S_FilterEntryOrEmpty q, String userOid, RepositoryService repositoryService, OperationResult result)
+	public static S_FilterExit filterForGroups(S_FilterEntryOrEmpty q, String userOid, RepositoryService repositoryService,
+			RelationRegistry relationRegistry, OperationResult result)
 			throws SchemaException {
-		return q.item(WorkItemType.F_CANDIDATE_REF).ref(getGroupsForUser(userOid, repositoryService, result));
+		return q.item(WorkItemType.F_CANDIDATE_REF).ref(getGroupsForUser(userOid, repositoryService, relationRegistry, result));
 	}
 
 	private static List<PrismReferenceValue> getPotentialAssigneesForUser(MidPointPrincipal principal,
-			QName limitationItemName, PrismContext prismContext) {
+			QName limitationItemName, RelationRegistry relationRegistry) {
+		// As for relations, WorkItem.assigneeRef should contain only the default ones.
+		QName defaultRelation = relationRegistry.getDefaultRelation();
 		List<PrismReferenceValue> rv = new ArrayList<>();
-		rv.add(new PrismReferenceValue(principal.getOid(), UserType.COMPLEX_TYPE));
+		rv.add(ObjectTypeUtil.createObjectRef(principal.getOid(), ObjectTypes.USER).relation(defaultRelation).asReferenceValue());
 		for (DelegatorWithOtherPrivilegesLimitations delegator : principal.getDelegatorWithOtherPrivilegesLimitationsCollection()) {
 			if (DeputyUtils.limitationsAllow(delegator.getLimitations(), limitationItemName)) {
-				rv.add(ObjectTypeUtil.createObjectRef(delegator.getDelegator(), prismContext).asReferenceValue());
+				rv.add(ObjectTypeUtil.createObjectRef(delegator.getDelegator(), defaultRelation).asReferenceValue());
 			}
 		}
 		return rv;
 	}
 
 	private static List<PrismReferenceValue> getGroupsForUser(String userOid, RepositoryService repositoryService,
-			OperationResult result) throws SchemaException {
+			RelationRegistry relationRegistry, OperationResult result) throws SchemaException {
 		List<PrismReferenceValue> rv = new ArrayList<>();
 		UserType userType;
 		try {
 			userType = repositoryService.getObject(UserType.class, userOid, null, result).asObjectable();
 		} catch (ObjectNotFoundException e) {
 			return rv;
 		}
-		userType.getRoleMembershipRef().forEach(ref -> rv.add(ref.clone().asReferenceValue()));
-		userType.getDelegatedRef().forEach(ref ->
-				{
-					if (!QNameUtil.match(ref.getType(), UserType.COMPLEX_TYPE)) {
-						rv.add(ref.clone().asReferenceValue());
-					}
-				}
-		);
+		userType.getRoleMembershipRef().stream()
+				.filter(ref -> relationRegistry.isMembership(ref.getRelation()))
+				.forEach(ref -> rv.add(ref.clone().asReferenceValue()));
+		userType.getDelegatedRef().stream()
+				.filter(ref -> relationRegistry.isMembership(ref.getRelation()))
+				.filter(ref -> !QNameUtil.match(ref.getType(), UserType.COMPLEX_TYPE))   // we are not interested in deputies (but this should be treated above)
+				.forEach(ref -> rv.add(ref.clone().asReferenceValue()));
 		return rv;
 	}
 

model/workflow-impl/src/test/java/com/evolveum/midpoint/wf/impl/policy/AbstractWfTestPolicy.java

@@ -1029,7 +1029,7 @@ protected void checkVisibleWorkItem(ExpectedWorkItem expectedWorkItem, int count
 			throws SchemaException, ObjectNotFoundException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException, CommunicationException {
 		S_AtomicFilterExit q = QueryUtils
 				.filterForAssignees(QueryBuilder.queryFor(WorkItemType.class, prismContext), SecurityUtil.getPrincipal(),
-						OtherPrivilegesLimitationType.F_APPROVAL_WORK_ITEMS, prismContext); // TODO MID-3581
+						OtherPrivilegesLimitationType.F_APPROVAL_WORK_ITEMS, relationRegistry);
 		List<WorkItemType> currentWorkItems = modelService.searchContainers(WorkItemType.class, q.build(), null, task, result);
 		long found = currentWorkItems.stream().filter(wi -> expectedWorkItem == null || expectedWorkItem.matches(wi)).count();
 		assertEquals("Wrong # of matching work items", count, found);