Merge remote-tracking branch 'origin/master' into feature/upgrade-pro…

…cess

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/configuration/PageAuthorizationPlayground.html

@@ -71,6 +71,11 @@ <h3>Authorization evaluation</h3>
                 <div class="main-button-bar" style="margin-top: 10px">
                     <a class="btn btn-primary" wicket:id="execute"></a>
                 </div>
+                <span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span> <!-- hack -->
+                <div>
+                    <label for="selectorTracing">Selector tracing enabled</label>
+                    <input type="checkbox" id="selectorTracing" wicket:id="selectorTracing"/>
+                </div>
             </div>
             <div class="row">
                 <div class="col-lg-12" style="margin-top: 15px">

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/configuration/PageAuthorizationPlayground.java

@@ -20,6 +20,7 @@
 
 import org.apache.commons.lang3.StringUtils;
 import org.apache.wicket.ajax.AjaxRequestTarget;
+import org.apache.wicket.markup.html.form.CheckBox;
 import org.apache.wicket.markup.html.form.Form;
 import org.apache.wicket.markup.html.form.TextField;
 import org.apache.wicket.model.IModel;
@@ -76,6 +77,8 @@ public class PageAuthorizationPlayground extends PageAdminConfiguration {
 
     private static final String ID_SAMPLE = "sample";
 
+    private static final String ID_SELECTOR_TRACING = "selectorTracing";
+
     private static final String ID_EXECUTE = "execute";
 
     private static final String ID_RESULT_TEXT = "resultText";
@@ -98,6 +101,8 @@ public class PageAuthorizationPlayground extends PageAdminConfiguration {
     private final IModel<String> filterModel = new Model<>();
     private final IModel<String> objectOidModel = Model.of("");
 
+    private final IModel<Boolean> selectorTracingModel = Model.of(false);
+
     private final IModel<String> resultModel = new Model<>();
     private final IModel<String> computationModel = new Model<>();
 
@@ -125,6 +130,8 @@ private void initLayout() {
 
         mainForm.add(new TextField<>(ID_OBJECT_OID, objectOidModel));
 
+        mainForm.add(new CheckBox(ID_SELECTOR_TRACING, selectorTracingModel));
+
         mainForm.add(
                 new AjaxSubmitButton(ID_EXECUTE, createStringResource("PageAuthorizationPlayground.button.evaluate")) {
                     @Override
@@ -183,6 +190,7 @@ private void evaluatePerformed(AjaxRequestTarget target) {
 
             setSubjectRef(request);
             addExplicitAuthorizations(request);
+            setTracing(request);
 
             var response = getModelDiagnosticService().evaluateAuthorizations(request, task, result);
 
@@ -252,4 +260,9 @@ private void addExplicitAuthorizations(AuthorizationEvaluationRequestType reques
                             additional.getAuthorization()));
         }
     }
+
+    private void setTracing(AuthorizationEvaluationRequestType request) {
+        request.tracing(new AuthorizationEvaluationTracingOptionsType()
+                .selectorTracingEnabled(selectorTracingModel.getObject()));
+    }
 }

infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/eval/FilteringContext.java

@@ -60,7 +60,7 @@ public FilteringContext(
             @Nullable ClauseApplicabilityPredicate clauseApplicabilityPredicate,
             @NotNull FilterCollector filterCollector,
             @Nullable ObjectFilterExpressionEvaluator filterEvaluator,
-            @NotNull ProcessingTracer<SelectorTraceEvent> tracer,
+            @NotNull ProcessingTracer<? super SelectorTraceEvent> tracer,
             @NotNull OrgTreeEvaluator orgTreeEvaluator,
             @Nullable SubjectedEvaluationContext subjectedEvaluationContext,
             @Nullable OwnerResolver ownerResolver,

infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/eval/MatchingContext.java

@@ -28,7 +28,7 @@ public class MatchingContext extends SelectorProcessingContext {
 
     public MatchingContext(
             @Nullable ObjectFilterExpressionEvaluator filterEvaluator,
-            @NotNull ProcessingTracer<SelectorTraceEvent> tracer,
+            @NotNull ProcessingTracer<? super SelectorTraceEvent> tracer,
             @NotNull OrgTreeEvaluator orgTreeEvaluator,
             @Nullable SubjectedEvaluationContext subjectedEvaluationContext,
             @Nullable OwnerResolver ownerResolver,

infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/eval/SelectorProcessingContext.java

@@ -45,7 +45,7 @@ public abstract class SelectorProcessingContext {
      * Mainly used for troubleshooting of selectors and their clauses; especially important for
      * https://docs.evolveum.com/midpoint/reference/diag/troubleshooting/authorizations.
      */
-    @NotNull public final ProcessingTracer<SelectorTraceEvent> tracer;
+    @NotNull public final ProcessingTracer<? super SelectorTraceEvent> tracer;
 
     /** Evaluates organization tree questions (is descendant, is ancestor). Usually it is the repository itself. */
     @NotNull public final OrgTreeEvaluator orgTreeEvaluator;
@@ -76,7 +76,7 @@ public abstract class SelectorProcessingContext {
 
     public SelectorProcessingContext(
             @Nullable ObjectFilterExpressionEvaluator filterEvaluator,
-            @NotNull ProcessingTracer<SelectorTraceEvent> tracer,
+            @NotNull ProcessingTracer<? super SelectorTraceEvent> tracer,
             @NotNull OrgTreeEvaluator orgTreeEvaluator,
             @Nullable SubjectedEvaluationContext subjectedEvaluationContext,
             @Nullable OwnerResolver ownerResolver,

infra/schema/src/main/resources/xml/ns/public/common/common-security-3.xsd

@@ -2973,6 +2973,13 @@
                     </xsd:documentation>
                 </xsd:annotation>
             </xsd:element>
+            <xsd:element name="tracing" type="tns:AuthorizationEvaluationTracingOptionsType" minOccurs="0">
+                <xsd:annotation>
+                    <xsd:documentation>
+                        How the evaluation should be traced.
+                    </xsd:documentation>
+                </xsd:annotation>
+            </xsd:element>
         </xsd:sequence>
     </xsd:complexType>
 
@@ -3103,4 +3110,26 @@
         </xsd:sequence>
     </xsd:complexType>
     <xsd:element name="additionalAuthorizations" type="tns:AdditionalAuthorizationsType"/>
+
+    <xsd:complexType name="AuthorizationEvaluationTracingOptionsType">
+        <xsd:annotation>
+            <xsd:documentation>
+                How the evaluation should be traced.
+            </xsd:documentation>
+            <xsd:appinfo>
+                <a:container/>
+                <a:experimental>true</a:experimental>
+                <a:since>4.8</a:since>
+            </xsd:appinfo>
+        </xsd:annotation>
+        <xsd:sequence>
+            <xsd:element name="selectorTracingEnabled" type="xsd:boolean" minOccurs="0" default="false">
+                <xsd:annotation>
+                    <xsd:documentation>
+                        Should be the evaluation of selectors traced?
+                    </xsd:documentation>
+                </xsd:annotation>
+            </xsd:element>
+        </xsd:sequence>
+    </xsd:complexType>
 </xsd:schema>

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/AuthorizationDiagEvaluation.java

@@ -41,11 +41,17 @@ abstract class AuthorizationDiagEvaluation<REQ extends AuthorizationEvaluationRe
     @NotNull final Task task;
     @NotNull final ModelBeans b = ModelBeans.get();
 
-    @NotNull private final MyLogCollector logCollector = new MyLogCollector();
+    @NotNull private final MyLogCollector logCollector;
 
     AuthorizationDiagEvaluation(@NotNull REQ request, @NotNull Task task) {
         this.request = request;
         this.task = task;
+        this.logCollector = new MyLogCollector(isSelectorTracingEnabled(request));
+    }
+
+    private boolean isSelectorTracingEnabled(REQ request) {
+        var tracing = request.getTracing();
+        return tracing != null && Boolean.TRUE.equals(tracing.isSelectorTracingEnabled());
     }
 
     static AuthorizationDiagEvaluation<?> of(@NotNull AuthorizationEvaluationRequestType request, @NotNull Task task)
@@ -296,6 +302,12 @@ static class MyLogCollector implements SecurityEnforcer.LogCollector {
 
         private final StringBuilder sb = new StringBuilder();
 
+        private final boolean selectorTracingEnabled;
+
+        MyLogCollector(boolean selectorTracingEnabled) {
+            this.selectorTracingEnabled = selectorTracingEnabled;
+        }
+
         @Override
         public void log(String message) {
             sb.append(message).append("\n");
@@ -304,5 +316,9 @@ public void log(String message) {
         public @NotNull String getLog() {
             return sb.toString();
         }
+
+        public boolean isSelectorTracingEnabled() {
+            return selectorTracingEnabled;
+        }
     }
 }

repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/query/SelectorMatcher.java

@@ -42,7 +42,7 @@ public class SelectorMatcher {
 
     @NotNull private final ValueSelector selector;
 
-    private ProcessingTracer<SelectorTraceEvent> tracer;
+    private ProcessingTracer<? super SelectorTraceEvent> tracer;
 
     private ObjectFilterExpressionEvaluator filterEvaluator;
 

repo/security-enforcer-api/src/main/java/com/evolveum/midpoint/security/enforcer/api/SecurityEnforcer.java

@@ -306,6 +306,9 @@ public static Options create() {
 
     /** TEMPORARY */
     interface LogCollector {
+
         void log(String message);
+
+        boolean isSelectorTracingEnabled();
     }
 }

repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/EnforcerOperation.java

@@ -10,6 +10,8 @@
 import java.util.*;
 import java.util.stream.Collectors;
 
+import com.evolveum.midpoint.schema.traces.details.AbstractTraceEvent;
+
 import org.apache.commons.collections4.CollectionUtils;
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
@@ -42,7 +44,7 @@ class EnforcerOperation {
     /** {@link OwnerResolver} to be used during this operation. */
     @Nullable final OwnerResolver ownerResolver;
 
-    @NotNull final ProcessingTracer<SecurityTraceEvent> tracer;
+    @NotNull final ProcessingTracer<AbstractTraceEvent> tracer;
 
     /** Useful Spring beans. */
     @NotNull final Beans b;
@@ -64,8 +66,8 @@ class EnforcerOperation {
     }
 
     // temporary
-    private ProcessingTracer<SecurityTraceEvent> createTracer(SecurityEnforcer.Options options) {
-        return new LogBasedEnforcerTracer(options.logCollector());
+    private ProcessingTracer<AbstractTraceEvent> createTracer(SecurityEnforcer.Options options) {
+        return new LogBasedEnforcerAndSelectorTracer(options.logCollector());
     }
 
     Collection<Authorization> getAuthorizations() {

repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/LogBasedEnforcerTracer.java → repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/LogBasedEnforcerAndSelectorTracer.java

@@ -9,6 +9,8 @@
 
 import static com.evolveum.midpoint.security.enforcer.impl.TracingUtil.*;
 
+import com.evolveum.midpoint.schema.selector.eval.SelectorTraceEvent;
+import com.evolveum.midpoint.schema.traces.details.AbstractTraceEvent;
 import com.evolveum.midpoint.security.enforcer.api.SecurityEnforcer;
 import com.evolveum.midpoint.security.enforcer.impl.SecurityTraceEvent.AuthorizationRelated;
 
@@ -17,19 +19,20 @@
 import org.jetbrains.annotations.NotNull;
 
 import com.evolveum.midpoint.schema.traces.details.ProcessingTracer;
-import com.evolveum.midpoint.security.enforcer.impl.SecurityTraceEvent.End;
-import com.evolveum.midpoint.security.enforcer.impl.SecurityTraceEvent.Start;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 
 import org.jetbrains.annotations.Nullable;
 
+import java.util.stream.Collectors;
+
 /**
  * Facilitates troubleshooting of authorizations and their components.
  *
  * FIXME preliminary implementation
  */
-public class LogBasedEnforcerTracer implements ProcessingTracer<SecurityTraceEvent> {
+public class LogBasedEnforcerAndSelectorTracer implements
+        ProcessingTracer<AbstractTraceEvent> {
 
     private static final Trace LOGGER = TraceManager.getTrace(SecurityEnforcerImpl.class);
 
@@ -38,7 +41,7 @@ public class LogBasedEnforcerTracer implements ProcessingTracer<SecurityTraceEve
 
     private final boolean traceEnabled = LOGGER.isTraceEnabled();
 
-    LogBasedEnforcerTracer(@Nullable SecurityEnforcer.LogCollector logCollector) {
+    LogBasedEnforcerAndSelectorTracer(@Nullable SecurityEnforcer.LogCollector logCollector) {
         this.logCollector = logCollector;
     }
 
@@ -48,13 +51,41 @@ public boolean isEnabled() {
     }
 
     @Override
-    public void trace(@NotNull SecurityTraceEvent event) {
+    public void trace(@NotNull AbstractTraceEvent event) {
+        boolean additionalTracingAllowed;
+        String prefix;
+        if (event instanceof SelectorTraceEvent selectorEvent) {
+            prefix = getSelectorEventPrefix(selectorEvent);
+            additionalTracingAllowed = logCollector != null && logCollector.isSelectorTracingEnabled();
+        } else if (event instanceof SecurityTraceEvent securityEvent) {
+            prefix = getSecurityEventPrefix(securityEvent);
+            additionalTracingAllowed = true;
+        } else {
+            throw new IllegalStateException("Unsupported trace event type: " + event);
+        }
+
+        logEvent(event, prefix, additionalTracingAllowed);
+    }
+
+    private static String getSelectorEventPrefix(@NotNull SelectorTraceEvent event) {
+        String typeMark;
+        if (event instanceof SelectorTraceEvent.Start) {
+            typeMark = START;
+        } else if (event instanceof SelectorTraceEvent.End) {
+            typeMark = END;
+        } else {
+            typeMark = CONT;
+        }
+        return SEL_SPACE + event.getId() + typeMark;
+    }
+
+    private static String getSecurityEventPrefix(@NotNull SecurityTraceEvent event) {
         String extraPrefix;
         String typeMark;
-        if (event instanceof Start) {
+        if (event instanceof SecurityTraceEvent.Start) {
             typeMark = START;
             extraPrefix = "";
-        } else if (event instanceof End) {
+        } else if (event instanceof SecurityTraceEvent.End) {
             typeMark = END;
             extraPrefix = "";
         } else {
@@ -72,23 +103,34 @@ public void trace(@NotNull SecurityTraceEvent event) {
         } else {
             prefix = "??? " + typeMark;
         }
+        return prefix;
+    }
 
+    private void logEvent(@NotNull AbstractTraceEvent event, String prefix, boolean additionalTracingAllowed) {
         var record = event.defaultTraceRecord();
         var nextLines = record.nextLines();
         if (nextLines == null) {
             if (traceEnabled) {
                 LOGGER.trace("{} {}", prefix, record.firstLine());
             }
-            if (logCollector != null) {
+            if (logCollector != null && additionalTracingAllowed) {
                 logCollector.log(prefix + " " + record.firstLine());
             }
         } else {
             if (traceEnabled) {
                 LOGGER.trace("{} {}\n{}", prefix, record.firstLine(), nextLines);
             }
-            if (logCollector != null) {
-                logCollector.log(prefix + " " + record.firstLine() + "\n" + nextLines);
+            if (logCollector != null && additionalTracingAllowed) {
+                logCollector.log(
+                        prefix + " " + record.firstLine() + "\n"
+                                + applyPrefixToEachLine(prefix + " ", nextLines));
             }
         }
     }
+
+    private String applyPrefixToEachLine(String prefix, String lines) {
+        return lines.lines()
+                .map(line -> prefix + line)
+                .collect(Collectors.joining("\n"));
+    }
 }