Merge branch 'master' of https://github.com/Evolveum/midpoint

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ClusterCacheListener.java

@@ -57,7 +57,12 @@ public <O extends ObjectType> void invalidate(Class<O> type, String oid, boolean
 			LOGGER.trace("Ignoring invalidate() call for type {} (oid={}) because clusterwide=false", type, oid);
 			return;
 		}
-
+
+		if (!taskManager.isClustered()) {
+			LOGGER.trace("Node is not part of a cluster, skipping remote cache entry invalidation");
+			return;
+		}
+
 		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
 		if (authentication instanceof NodeAuthenticationToken || context != null && context.isFromRemoteNode()) {
 			// This is actually a safety check only. The invalidation call coming from the other node

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelObjectResolver.java

@@ -105,6 +105,11 @@ public <O extends ObjectType> PrismObject<O> resolve(PrismReferenceValue refVal,
 	public <O extends ObjectType> PrismObject<O> resolve(PrismReferenceValue refVal, String string, GetOperationOptions options, Task task,
 			OperationResult result) throws ObjectNotFoundException {
 		String oid = refVal.getOid();
+		if (oid == null) {
+			// e.g. for targetName-only references
+			//noinspection unchecked
+			return refVal.getObject();
+		}
 		Class<?> typeClass = ObjectType.class;
 		QName typeQName = refVal.getTargetType();
 		if (typeQName == null && refVal.getParent() != null && refVal.getParent().getDefinition() != null) {

model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestModelServiceContract.java

@@ -42,6 +42,7 @@
 import com.evolveum.midpoint.schema.*;
 import com.evolveum.midpoint.schema.processor.*;
 import com.evolveum.prism.xml.ns._public.types_3.ItemPathType;
+import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
 import com.evolveum.prism.xml.ns._public.types_3.RawType;
 
 import org.apache.commons.lang.StringUtils;
@@ -3404,6 +3405,47 @@ accountJackBlueOid, getDummyResourceController(RESOURCE_DUMMY_BLUE_NAME).getAttr
         assertSteadyResources();
     }
 
+	@Test   // MID-5516
+	public void test400RemoveExtensionProtectedStringValue() throws Exception {
+		final String TEST_NAME = "test400RemoveExtensionProtectedStringValue";
+		TestUtil.displayTestTitle(TEST_NAME);
+
+		// GIVEN
+		Task task = createTask(TEST_NAME);
+		OperationResult result = task.getResult();
+		preTestCleanup(AssignmentPolicyEnforcementType.FULL);
+
+		ProtectedStringType protectedValue = protector.encryptString("hi");
+		UserType joe = new UserType(prismContext)
+				.name("joe");
+		PrismPropertyDefinition<ProtectedStringType> definition = joe.asPrismObject().getDefinition()
+				.findPropertyDefinition(ItemPath.create(UserType.F_EXTENSION, "locker"));
+		PrismProperty<ProtectedStringType> protectedProperty = definition.instantiate();
+		protectedProperty.setRealValue(protectedValue.clone());
+		joe.asPrismObject().addExtensionItem(protectedProperty);
+
+		addObject(joe.asPrismObject());
+
+		display("joe before", joe.asPrismObject());
+
+		// WHEN
+
+		ObjectDelta<UserType> delta = prismContext.deltaFor(UserType.class)
+				.item(UserType.F_EXTENSION, "locker")
+				.delete(protectedValue.clone())
+				.asObjectDelta(joe.getOid());
+
+		executeChanges(delta, null, task, result);
+
+		// THEN
+
+		PrismObject<UserType> joeAfter = getObject(UserType.class, joe.getOid());
+
+		display("joe after", joeAfter);
+
+		joeAfter.checkConsistence();
+	}
+
 	private void assertDummyScriptsAdd(PrismObject<UserType> user, PrismObject<? extends ShadowType> account, ResourceType resource) {
 		ProvisioningScriptSpec script = new ProvisioningScriptSpec("\nto spiral :size\n" +
 				"   if  :size > 30 [stop]\n   fd :size rt 15\n   spiral :size *1.02\nend\n			");

repo/repo-sql-impl-test/src/test/java/com/evolveum/midpoint/repo/sql/BaseSQLRepoTest.java

@@ -21,6 +21,7 @@
 import com.evolveum.midpoint.prism.ItemFactory;
 import com.evolveum.midpoint.prism.PrismContext;
 import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.prism.crypto.Protector;
 import com.evolveum.midpoint.prism.delta.builder.S_ItemEntry;
 import com.evolveum.midpoint.prism.util.PrismTestUtil;
 import com.evolveum.midpoint.repo.api.RepositoryService;
@@ -82,6 +83,7 @@ public class BaseSQLRepoTest extends AbstractTestNGSpringContextTests {
     @Autowired protected RelationRegistry relationRegistry;
     @Autowired protected SessionFactory factory;
     @Autowired protected ExtItemDictionary extItemDictionary;
+    @Autowired protected Protector protector;
 
     protected static Set<Class> initializedClasses = new HashSet<>();
 

repo/repo-sql-impl-test/src/test/java/com/evolveum/midpoint/repo/sql/ModifyTest.java

@@ -35,6 +35,9 @@
 import javax.xml.datatype.XMLGregorianCalendar;
 import javax.xml.namespace.QName;
 
+import com.evolveum.midpoint.prism.*;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
+import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
 import org.hibernate.Session;
 import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.context.ContextConfiguration;
@@ -45,18 +48,6 @@
 import org.xml.sax.SAXException;
 
 import com.evolveum.midpoint.common.SynchronizationUtils;
-import com.evolveum.midpoint.prism.Containerable;
-import com.evolveum.midpoint.prism.Item;
-import com.evolveum.midpoint.prism.ItemDefinition;
-import com.evolveum.midpoint.prism.MutablePrismPropertyDefinition;
-import com.evolveum.midpoint.prism.Objectable;
-import com.evolveum.midpoint.prism.PrismContainer;
-import com.evolveum.midpoint.prism.PrismObject;
-import com.evolveum.midpoint.prism.PrismObjectDefinition;
-import com.evolveum.midpoint.prism.PrismProperty;
-import com.evolveum.midpoint.prism.PrismPropertyDefinition;
-import com.evolveum.midpoint.prism.PrismReferenceDefinition;
-import com.evolveum.midpoint.prism.PrismValue;
 import com.evolveum.midpoint.prism.delta.ItemDelta;
 import com.evolveum.midpoint.prism.delta.ItemDeltaCollectionsUtil;
 import com.evolveum.midpoint.prism.delta.ObjectDelta;
@@ -93,22 +84,6 @@
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ObjectModificationType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.CaseType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.CaseWorkItemType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.MetadataType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectCollectionType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.PendingOperationType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowAttributesType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.SynchronizationSituationDescriptionType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.SynchronizationSituationType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.TaskType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
 import com.evolveum.prism.xml.ns._public.query_3.SearchFilterType;
 import com.evolveum.prism.xml.ns._public.types_3.PolyStringType;
 
@@ -1253,4 +1228,93 @@ public void test360ReplaceModifyApprovers() throws Exception {
         assertEquals("Wrong # of users found", 1, users.size());
     }
 
+    // Normally this would be in schema module but we don't have initialized protector there
+    @Test   // MID-5516
+    public void test400RemoveCoreProtectedStringValueInMemory() throws Exception {
+        ProtectedStringType passwordValue = protector.encryptString("hi");
+        UserType jack = new UserType(prismContext)
+                .name("jack")
+                .beginCredentials()
+                .beginPassword()
+                .value(passwordValue.clone())
+                .<CredentialsType>end()
+                .end();
+
+        PrismTestUtil.display("jack before", jack.asPrismObject());
+
+        ObjectDelta<UserType> delta = prismContext.deltaFor(UserType.class)
+                .item(UserType.F_CREDENTIALS, CredentialsType.F_PASSWORD, PasswordType.F_VALUE)
+                .delete(passwordValue.clone())
+                .asObjectDelta("");
+
+        delta.applyTo(jack.asPrismObject());
+
+        PrismTestUtil.display("jack after", jack.asPrismObject());
+
+        jack.asPrismObject().checkConsistence();
+    }
+
+    @Test   // MID-5516
+    public void test410RemoveExtensionProtectedStringValueInMemory() throws Exception {
+        ProtectedStringType protectedValue = protector.encryptString("hi");
+        UserType jack = new UserType(prismContext)
+                .name("jack");
+        PrismPropertyDefinition<ProtectedStringType> definition = jack.asPrismObject().getDefinition()
+                .findPropertyDefinition(ItemPath.create(UserType.F_EXTENSION, "protected"));
+        PrismProperty<ProtectedStringType> protectedProperty = definition.instantiate();
+        protectedProperty.setRealValue(protectedValue.clone());
+        jack.asPrismObject().addExtensionItem(protectedProperty);
+
+        PrismTestUtil.display("jack before", jack.asPrismObject());
+
+        ObjectDelta<UserType> delta = prismContext.deltaFor(UserType.class)
+                .item(UserType.F_EXTENSION, "protected")
+                .delete(protectedValue.clone())
+                .asObjectDelta("");
+
+        delta.applyTo(jack.asPrismObject());
+
+        PrismTestUtil.display("jack after", jack.asPrismObject());
+
+        jack.asPrismObject().checkConsistence();
+    }
+
+    @Test   // MID-5516
+    public void test420RemoveExtensionProtectedStringValueInRepo() throws Exception {
+        final String TEST_NAME = "test420RemoveExtensionProtectedStringValueInRepo";
+        TestUtil.displayTestTitle(TEST_NAME);
+
+        // GIVEN
+        OperationResult result = new OperationResult(TEST_NAME);
+
+        ProtectedStringType protectedValue = protector.encryptString("hi");
+        UserType jack = new UserType(prismContext)
+                .name("jack");
+        PrismPropertyDefinition<ProtectedStringType> definition = jack.asPrismObject().getDefinition()
+                .findPropertyDefinition(ItemPath.create(UserType.F_EXTENSION, "protected"));
+        PrismProperty<ProtectedStringType> protectedProperty = definition.instantiate();
+        protectedProperty.setRealValue(protectedValue.clone());
+        jack.asPrismObject().addExtensionItem(protectedProperty);
+
+        repositoryService.addObject(jack.asPrismObject(), null, result);
+
+        PrismTestUtil.display("jack before", jack.asPrismObject());
+
+        // WHEN
+
+        ObjectDelta<UserType> delta = prismContext.deltaFor(UserType.class)
+                .item(UserType.F_EXTENSION, "protected")
+                .delete(protectedValue.clone())
+                .asObjectDelta("");
+
+        repositoryService.modifyObject(UserType.class, jack.getOid(), delta.getModifications(), result);
+
+        // THEN
+
+        PrismObject<UserType> jackAfter = repositoryService.getObject(UserType.class, jack.getOid(), null, result);
+
+        PrismTestUtil.display("jack after", jackAfter);
+
+        jackAfter.checkConsistence();
+    }
 }

repo/repo-sql-impl-test/src/test/resources/schema/extension.xsd

@@ -193,6 +193,13 @@
                     </xsd:appinfo>
                 </xsd:annotation>
             </xsd:element>
+            <xsd:element name="protected" type="t:ProtectedStringType" minOccurs="0">
+                <xsd:annotation>
+                    <xsd:appinfo>
+                        <a:indexed>false</a:indexed>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:element>
         </xsd:sequence>
     </xsd:complexType>
 

repo/task-api/src/main/java/com/evolveum/midpoint/task/api/TaskManager.java

@@ -758,4 +758,6 @@ String recordTaskThreadsDump(String taskOid, String cause, OperationResult paren
 	boolean isDynamicProfilingEnabled();
 
 	Tracer getTracer();
+
+	boolean isClustered();
 }

repo/task-quartz-impl/src/main/java/com/evolveum/midpoint/task/quartzimpl/TaskManagerQuartzImpl.java

@@ -2480,6 +2480,11 @@ public boolean isLocalNodeClusteringEnabled() {
 		return configuration.isLocalNodeClusteringEnabled();
 	}
 
+	@Override
+	public boolean isClustered() {
+		return configuration.isClustered();
+	}
+
 	public SystemConfigurationChangeDispatcher getSystemConfigurationChangeDispatcher() {
 		return systemConfigurationChangeDispatcher;
 	}

repo/task-quartz-impl/src/main/java/com/evolveum/midpoint/task/quartzimpl/cluster/ClusterExecutionHelperImpl.java

@@ -24,6 +24,7 @@
 import com.evolveum.midpoint.repo.api.RepositoryService;
 import com.evolveum.midpoint.schema.SearchResultList;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.schema.result.OperationResultStatus;
 import com.evolveum.midpoint.security.api.RestAuthenticationMethod;
 import com.evolveum.midpoint.task.api.ClusterExecutionHelper;
 import com.evolveum.midpoint.task.api.TaskManager;
@@ -65,6 +66,12 @@ public void execute(@NotNull BiConsumer<WebClient, OperationResult> code, String
 		OperationResult result = parentResult.createSubresult(DOT_CLASS + "execute");
 		String nodeId = taskManager.getNodeId();
 
+		if (!taskManager.isClustered()) {
+			LOGGER.trace("Node is not part of a cluster, skipping remote code execution");
+			result.recordStatus(OperationResultStatus.NOT_APPLICABLE, "Node not in cluster");
+			return;
+		}
+
 		SearchResultList<PrismObject<NodeType>> otherClusterNodes;
 		try {
 			ObjectQuery query = prismContext.queryFor(NodeType.class).not().item(NodeType.F_NODE_IDENTIFIER).eq(nodeId).build();