Merge branch 'master' of https://github.com/Evolveum/midpoint

infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/ExpressionConstants.java

@@ -116,4 +116,8 @@ public class ExpressionConstants {
 	public static final QName VAR_PERFORMER = new QName(SchemaConstants.NS_C, "performer");
 	public static final QName VAR_OUTPUT = new QName(SchemaConstants.NS_C, "output");
 	public static final QName VAR_EVENT = new QName(SchemaConstants.NS_C, "event");
+
+	public static final QName VAR_POLICY_RULE = new QName(SchemaConstants.NS_C, "policyRule");
+	public static final QName VAR_POLICY_ACTION = new QName(SchemaConstants.NS_C, "policyAction");
+	public static final QName VAR_LOGIN_MODE = new QName(SchemaConstants.NS_C, "loginMode");
 }

infra/schema/src/main/java/com/evolveum/midpoint/schema/util/PolicyRuleTypeUtil.java

@@ -176,6 +176,12 @@ public static String toShortString(PolicyActionsType actions, List<PolicyActionT
 				sb.append("X");
 			}
 		}
+		if (!actions.getScriptExecution().isEmpty()) {
+			sb.append(" execute");
+			if (filterActions(enabledActions, ScriptExecutionPolicyActionType.class).isEmpty()) {
+				sb.append("X");
+			}
+		}
 		return sb.toString().trim();
 	}
 
@@ -367,6 +373,7 @@ public static List<PolicyActionType> getAllActions(PolicyActionsType actions) {
 		rv.addAll(actions.getApproval());
 		addIgnoreNull(rv, actions.getRecord());
 		rv.addAll(actions.getNotification());
+		rv.addAll(actions.getScriptExecution());
 		addIgnoreNull(rv, actions.getCertification());
 		addIgnoreNull(rv, actions.getPrune());
 		addIgnoreNull(rv, actions.getRemediation());

infra/schema/src/main/resources/xml/ns/public/common/common-policy-3.xsd

@@ -1378,6 +1378,19 @@
                     </xsd:appinfo>
                 </xsd:annotation>
             </xsd:element>
+            <xsd:element name="scriptExecution" type="tns:ScriptExecutionPolicyActionType" minOccurs="0" maxOccurs="unbounded">
+                <xsd:annotation>
+                    <xsd:documentation>
+                        Execute script (bulk action). The operation will proceed. Script(s) are executed at the end of the operation.
+						HIGHLY EXPERIMENTAL. Use at your own risk. No guarantees here.
+                    </xsd:documentation>
+                    <xsd:appinfo>
+						<a:experimental>true</a:experimental>
+                    	<a:displayName>PolicyActionsType.scriptExecution</a:displayName>
+						<a:help>PolicyActionsType.scriptExecution.help</a:help>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:element>
         </xsd:sequence>
         <xsd:attribute name="id" type="xsd:long" use="optional"/>
     </xsd:complexType>
@@ -1435,6 +1448,7 @@
                 </xsd:annotation>
             </xsd:element>
         </xsd:sequence>
+		<xsd:attribute name="id" type="xsd:long" use="optional"/>
     </xsd:complexType>
 
     <xsd:complexType name="EnforcementPolicyActionType">
@@ -1949,6 +1963,28 @@
         </xsd:complexContent>
     </xsd:complexType>
 
+    <xsd:complexType name="ScriptExecutionPolicyActionType">
+        <xsd:annotation>
+            <xsd:documentation>
+                TODO
+				HIGHLY EXPERIMENTAL. Use at your own risk. No guarantees here.
+            </xsd:documentation>
+            <xsd:appinfo>
+                <a:container />
+                <a:since>3.9</a:since>
+                <a:experimental>true</a:experimental>
+				<a:displayName>ExecuteScriptPolicyActionType.details</a:displayName>
+            </xsd:appinfo>
+        </xsd:annotation>
+        <xsd:complexContent>
+            <xsd:extension base="tns:PolicyActionType">
+                <xsd:sequence>
+                    <xsd:element name="executeScript" type="s:ExecuteScriptType" minOccurs="0" maxOccurs="unbounded"/>
+                </xsd:sequence>
+            </xsd:extension>
+        </xsd:complexContent>
+    </xsd:complexType>
+
     <xsd:complexType name="RecordPolicyActionType">
         <xsd:annotation>
             <xsd:documentation>

model/model-api/src/main/java/com/evolveum/midpoint/model/api/context/AssignmentPath.java

@@ -40,7 +40,7 @@
  * @author semancik
  * @author mederly
  */
-public interface AssignmentPath extends DebugDumpable, ShortDumpable {
+public interface AssignmentPath extends DebugDumpable, ShortDumpable, Cloneable {
 
 	List<? extends AssignmentPathSegment> getSegments();
 

model/model-api/src/main/java/com/evolveum/midpoint/model/api/context/EvaluatedPolicyRule.java

@@ -31,7 +31,7 @@
  * @author semancik
  *
  */
-public interface EvaluatedPolicyRule extends DebugDumpable, Serializable {
+public interface EvaluatedPolicyRule extends DebugDumpable, Serializable, Cloneable {
 
 	@NotNull
 	Collection<EvaluatedPolicyRuleTrigger<?>> getTriggers();

model/model-api/src/main/java/com/evolveum/midpoint/model/api/context/ModelElementContext.java

@@ -21,6 +21,7 @@
 import com.evolveum.midpoint.util.DebugDumpable;
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
+import org.jetbrains.annotations.NotNull;
 
 import java.io.Serializable;
 import java.util.Collection;
@@ -60,6 +61,7 @@ public interface ModelElementContext<O extends ObjectType> extends Serializable,
 	 * Returns all policy rules that apply to this object - even those that were not triggered.
 	 * The policy rules are compiled from all the applicable sources (target, meta-roles, etc.)
 	 */
+    @NotNull
 	Collection<EvaluatedPolicyRule> getPolicyRules();
 
 	boolean isOfType(Class<?> aClass);

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentEvaluator.java

@@ -710,7 +710,7 @@ private <O extends ObjectType> List<PrismObject<O>> resolveTargetsFromFilter(Cla
 			if (assignmentPathVariables != null) {
 				Utils.addAssignmentPathVariables(assignmentPathVariables, variables);
 			}
-
+			variables.addVariableDefinitions(getAssignmentEvaluationVariables());
 			ObjectFilter origFilter = QueryConvertor.parseFilter(filter, targetClass, prismContext);
 			ObjectFilter evaluatedFilter = ExpressionUtil.evaluateFilterExpressions(origFilter, variables, getMappingFactory().getExpressionFactory(), prismContext, " evaluating resource filter expression ", ctx.task, ctx.result);
 			if (evaluatedFilter == null) {
@@ -723,7 +723,14 @@ private <O extends ObjectType> List<PrismObject<O>> resolveTargetsFromFilter(Cla
 			ModelExpressionThreadLocalHolder.popExpressionEnvironment();
 		}
 	}
-
+
+	private ExpressionVariables getAssignmentEvaluationVariables() {
+		ExpressionVariables variables = new ExpressionVariables();
+		variables.addVariableDefinition(ExpressionConstants.VAR_LOGIN_MODE, loginMode);
+		// e.g. AssignmentEvaluator itself, model context, etc (when needed)
+		return variables;
+	}
+
 	private void evaluateSegmentTarget(AssignmentPathSegmentImpl segment, PlusMinusZero relativeMode, boolean isValid,
 			FocusType targetType, QName relation, EvaluationContext ctx)
 			throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, PolicyViolationException, SecurityViolationException, ConfigurationException, CommunicationException {
@@ -1261,6 +1268,7 @@ public PrismValueDeltaSetTriple<PrismPropertyValue<Boolean>> evaluateCondition(M
 				.originType(OriginType.ASSIGNMENTS)
 				.originObject(source)
 				.defaultTargetDefinition(new PrismPropertyDefinitionImpl<>(CONDITION_OUTPUT_NAME, DOMUtil.XSD_BOOLEAN, prismContext))
+				.addVariableDefinitions(getAssignmentEvaluationVariables().getMap())
 				.addVariableDefinition(ExpressionConstants.VAR_USER, focusOdo)
 				.addVariableDefinition(ExpressionConstants.VAR_FOCUS, focusOdo)
 				.addVariableDefinition(ExpressionConstants.VAR_SOURCE, source)

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/Clockwork.java

@@ -21,6 +21,7 @@
 import com.evolveum.midpoint.audit.api.AuditService;
 import com.evolveum.midpoint.common.Clock;
 import com.evolveum.midpoint.model.api.ProgressInformation;
+import com.evolveum.midpoint.model.impl.lens.projector.policy.PolicyRuleScriptExecutor;
 import com.evolveum.midpoint.model.impl.migrator.Migrator;
 import com.evolveum.midpoint.repo.api.ConflictWatcher;
 import com.evolveum.midpoint.repo.api.PreconditionViolationException;
@@ -151,6 +152,7 @@ public class Clockwork {
 	@Autowired private ContextFactory contextFactory;
 	@Autowired private Migrator migrator;
 	@Autowired private ClockworkMedic medic;
+	@Autowired private PolicyRuleScriptExecutor policyRuleScriptExecutor;
 
 	@Autowired(required = false)
 	private HookRegistry hookRegistry;
@@ -619,7 +621,7 @@ private <F extends ObjectType> void processSecondary(LensContext<F> context, Tas
 			throws ObjectAlreadyExistsException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, 
 			SecurityViolationException, ExpressionEvaluationException, PolicyViolationException, PreconditionViolationException {
 		if (context.getExecutionWave() > context.getMaxWave() + 1) {
-			switchState(context, ModelState.FINAL);
+			processSecondaryToFinal(context, task, result);
 			return;
 		}
 
@@ -651,6 +653,12 @@ private <F extends ObjectType> void processSecondary(LensContext<F> context, Tas
 		medic.traceContext(LOGGER, "CLOCKWORK (" + context.getState() + ")", "change execution", false, context, false);
 	}
 
+
+	private <F extends ObjectType> void processSecondaryToFinal(LensContext<F> context, Task task, OperationResult result) {
+		switchState(context, ModelState.FINAL);
+		policyRuleScriptExecutor.execute(context, task, result);
+	}
+
 	/**
 	 * Force recompute for the next execution wave. Recompute only those contexts that were changed.
 	 * This is more intelligent than context.rot()

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/ClockworkMedic.java

@@ -185,7 +185,7 @@ public void partialExecute(String componentName, ProjectorComponentRunnable runn
 		}
 	}
 
-	public static <F extends ObjectType> void traceContext(Trace logger, String activity, String phase,
+	public <F extends ObjectType> void traceContext(Trace logger, String activity, String phase,
 			boolean important,  LensContext<F> context, boolean showTriples) throws SchemaException {
         if (logger.isTraceEnabled()) {
         	logger.trace("Lens context:\n"+

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/EvaluatedPolicyRuleImpl.java

@@ -22,6 +22,7 @@
 import com.evolveum.midpoint.model.impl.lens.projector.policy.ObjectState;
 import com.evolveum.midpoint.model.impl.lens.projector.policy.PolicyRuleEvaluationContext;
 import com.evolveum.midpoint.prism.*;
+import com.evolveum.midpoint.prism.util.CloneUtil;
 import com.evolveum.midpoint.prism.util.PrismPrettyPrinter;
 import com.evolveum.midpoint.repo.common.expression.ExpressionFactory;
 import com.evolveum.midpoint.repo.common.expression.ExpressionVariables;
@@ -95,6 +96,10 @@ public EvaluatedPolicyRuleImpl(@NotNull PolicyRuleType policyRuleType, @Nullable
 		this.directOwner = computeDirectOwner();
 	}
 
+	public EvaluatedPolicyRuleImpl clone() {
+		return new EvaluatedPolicyRuleImpl(CloneUtil.clone(policyRuleType), CloneUtil.clone(assignmentPath), prismContextForDebugDump);
+	}
+
 	private ObjectType computeDirectOwner() {
 		if (assignmentPath == null) {
 			return null;

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensElementContext.java

@@ -109,8 +109,8 @@ public abstract class LensElementContext<O extends ObjectType> implements ModelE
 
 	private transient PrismObjectDefinition<O> objectDefinition = null;
 
-	transient private Collection<EvaluatedPolicyRule> policyRules = new ArrayList<>();
-    transient private Collection<String> policySituations = new ArrayList<>();
+	transient private final Collection<EvaluatedPolicyRule> policyRules = new ArrayList<>();
+    transient private final Collection<String> policySituations = new ArrayList<>();
 
 	public LensElementContext(Class<O> objectTypeClass, LensContext<? extends ObjectType> lensContext) {
 		super();
@@ -483,6 +483,7 @@ public void setFresh(boolean isFresh) {
 		this.isFresh = isFresh;
 	}
 
+	@NotNull
 	public Collection<EvaluatedPolicyRule> getPolicyRules() {
 		return policyRules;
 	}
@@ -499,6 +500,7 @@ public void triggerRule(@NotNull EvaluatedPolicyRule rule, Collection<EvaluatedP
     	LensUtil.triggerRule(rule, triggers, policySituations);
 	}
 
+	@NotNull
 	public Collection<String> getPolicySituations() {
 		return policySituations;
 	}

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/Projector.java

@@ -46,8 +46,6 @@
 import com.evolveum.midpoint.schema.internals.InternalMonitor;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.result.OperationResultStatus;
-import com.evolveum.midpoint.schema.util.ExceptionUtil;
-import com.evolveum.midpoint.schema.util.ResourceTypeUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/policy/PolicyRuleProcessor.java

@@ -264,18 +264,21 @@ private <F extends FocusType> void collectGlobalObjectRules(List<EvaluatedPolicy
 		}
 		List<GlobalPolicyRuleType> globalPolicyRuleList = systemConfiguration.asObjectable().getGlobalPolicyRule();
 		LOGGER.trace("Checking {} global policy rules", globalPolicyRuleList.size());
+		int globalRulesFound = 0;
 		for (GlobalPolicyRuleType globalPolicyRule: globalPolicyRuleList) {
 			ObjectSelectorType focusSelector = globalPolicyRule.getFocusSelector();
 			if (repositoryService.selectorMatches(focusSelector, focus, null, LOGGER, "Global policy rule "+globalPolicyRule.getName()+": ")) {
 				if (isRuleConditionTrue(globalPolicyRule, focus, null, context, task, result)) {
 					rules.add(new EvaluatedPolicyRuleImpl(globalPolicyRule, null, prismContext));
+					globalRulesFound++;
 				} else {
 					LOGGER.trace("Skipping global policy rule {} because the condition evaluated to false: {}", globalPolicyRule.getName(), globalPolicyRule);
 				}
 			} else {
 				LOGGER.trace("Skipping global policy rule {} because the selector did not match: {}", globalPolicyRule.getName(), globalPolicyRule);
 			}
 		}
+		LOGGER.trace("Selected {} global policy rules for further evaluation", globalRulesFound);
 	}
 
 	//endregion
@@ -510,6 +513,7 @@ public <F extends FocusType> void addGlobalPolicyRulesToAssignments(LensContext<
 
 		List<GlobalPolicyRuleType> globalPolicyRuleList = systemConfiguration.asObjectable().getGlobalPolicyRule();
 		LOGGER.trace("Checking {} global policy rules for selection to assignments", globalPolicyRuleList.size());
+		int globalRulesInstantiated = 0;
 		for (GlobalPolicyRuleType globalPolicyRule: systemConfiguration.asObjectable().getGlobalPolicyRule()) {
 			ObjectSelectorType focusSelector = globalPolicyRule.getFocusSelector();
 			if (!repositoryService.selectorMatches(focusSelector, focus, null, LOGGER,
@@ -542,9 +546,11 @@ public <F extends FocusType> void addGlobalPolicyRulesToAssignments(LensContext<
 					} else {
 						evaluatedAssignment.addOtherTargetPolicyRule(evaluatedRule);
 					}
+					globalRulesInstantiated++;
 				}
 			}
 		}
+		LOGGER.trace("Global policy rules instantiated {} times for further evaluation", globalRulesInstantiated);
 	}
 
 	private <F extends FocusType> boolean isRuleConditionTrue(GlobalPolicyRuleType globalPolicyRule, PrismObject<F> focus,