processing of assignment policy rules

Evolveum · Nov 16, 2016 · b44a655 · b44a655
1 parent f9525e5
commit b44a655
Show file tree

Hide file tree

Showing 5 changed files with 128 additions and 16 deletions.
diff --git a/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd b/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
@@ -8520,21 +8520,25 @@
                 <a:experimental>true</a:experimental>
             </xsd:appinfo>
     	</xsd:annotation>
-	    	<xsd:sequence>
-	    		<!-- TODO: define operation -->
-				<xsd:element name="relation" type="xsd:QName"  minOccurs="0" maxOccurs="unbounded">
-	        		<xsd:annotation>
-	        			<xsd:documentation>
-	        				This policy only applies to relations of the specified type. The value
-	        				of this element is compared to the relation of the targetRef relation
-	        				in the assignment/inducement. If not specified then this policy only
-	        				applies to the null (default) relation. If all relations need to be
-	        				affected by this policy then the special value of "any" should be specified
-	        				in this element.
-	        			</xsd:documentation>
-	        		</xsd:annotation>
-	        	</xsd:element>
+    	<xsd:complexContent>
+    		<xsd:extension base="tns:AbstractPolicyConstraintType">
+		    	<xsd:sequence>
+		    		<!-- TODO: define operation -->
+					<xsd:element name="relation" type="xsd:QName"  minOccurs="0" maxOccurs="unbounded">
+		        		<xsd:annotation>
+		        			<xsd:documentation>
+		        				This policy only applies to relations of the specified type. The value
+		        				of this element is compared to the relation of the targetRef relation
+		        				in the assignment/inducement. If not specified then this policy only
+		        				applies to the null (default) relation. If all relations need to be
+		        				affected by this policy then the special value of "any" should be specified
+		        				in this element.
+		        			</xsd:documentation>
+		        		</xsd:annotation>
+		        	</xsd:element>
 	          	</xsd:sequence>
+          	</xsd:extension>
+       </xsd:complexContent>
     </xsd:complexType>
 
     <xsd:simpleType name="PolicyConstraintEnforcementType">

diff --git a/...pl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/AssignmentProcessor.java b/...pl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/AssignmentProcessor.java
@@ -28,6 +28,7 @@
 import java.util.Set;
 
 import javax.xml.datatype.XMLGregorianCalendar;
+import javax.xml.namespace.QName;
 
 import com.evolveum.midpoint.prism.query.builder.QueryBuilder;
 import com.evolveum.midpoint.prism.query.builder.S_AtomicFilterExit;
@@ -97,6 +98,7 @@
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.result.OperationResultStatus;
+import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.schema.util.ObjectResolver;
 import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
 import com.evolveum.midpoint.schema.util.SchemaDebugUtil;
@@ -113,6 +115,7 @@
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractRoleType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentPolicyConstraintType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentPolicyEnforcementType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ConstructionType;
@@ -548,7 +551,7 @@ private <F extends FocusType> void processAssignmentsProjectionsWithFocus(LensCo
 
         // PROCESSING POLICIES
 
-        // Checking for assignment exclusions. This means mostly role exclusions (SoD)
+        checkAssignmentRules(context, evaluatedAssignmentTriple, result);
         checkExclusions(context, evaluatedAssignmentTriple.getZeroSet(), evaluatedAssignmentTriple.getPlusSet());
         checkExclusions(context, evaluatedAssignmentTriple.getPlusSet(), evaluatedAssignmentTriple.getPlusSet());
         checkAssigneeConstraints(context, evaluatedAssignmentTriple, result);
@@ -1607,6 +1610,44 @@ private int countAssignees(PrismObject<? extends AbstractRoleType> target, Strin
 		ObjectQuery query = q.build();
 		return repositoryService.countObjects(FocusType.class, query, result);
 	}
+
+	private <F extends FocusType> void checkAssignmentRules(LensContext<F> context,
+			DeltaSetTriple<EvaluatedAssignmentImpl<F>> evaluatedAssignmentTriple,
+			OperationResult result) throws PolicyViolationException, SchemaException {
+		checkAssignmentRules(context, evaluatedAssignmentTriple.getPlusSet(), result);
+		checkAssignmentRules(context, evaluatedAssignmentTriple.getMinusSet(), result);
+	}
+
+	private <F extends FocusType> void checkAssignmentRules(LensContext<F> context,
+			Collection<EvaluatedAssignmentImpl<F>> evaluatedAssignmentSet,
+			OperationResult result) throws PolicyViolationException, SchemaException {
+		for( EvaluatedAssignmentImpl<F> evaluatedAssignment: evaluatedAssignmentSet) {
+			Collection<EvaluatedPolicyRule> policyRules = evaluatedAssignment.getPolicyRules();
+			for (EvaluatedPolicyRule policyRule: policyRules) {
+				PolicyConstraintsType policyConstraints = policyRule.getPolicyConstraints();
+				if (policyConstraints == null) {
+					continue;
+				}
+				for (AssignmentPolicyConstraintType assignmentConstraint: policyConstraints.getAssignment()) {
+					if (assignmentConstraint.getRelation().isEmpty()) {
+						if (MiscSchemaUtil.compareRelation(null, evaluatedAssignment.getRelation())) {
+							EvaluatedPolicyRuleTrigger trigger = new EvaluatedPolicyRuleTrigger(PolicyConstraintKindType.ASSIGNMENT, 
+									assignmentConstraint, "Assignment of "+evaluatedAssignment.getTarget());
+							evaluatedAssignment.triggerConstraint(policyRule, trigger);
+						}
+					} else {
+						for (QName constraintRelation: assignmentConstraint.getRelation()) {
+							if (MiscSchemaUtil.compareRelation(constraintRelation, evaluatedAssignment.getRelation())) {
+								EvaluatedPolicyRuleTrigger trigger = new EvaluatedPolicyRuleTrigger(PolicyConstraintKindType.ASSIGNMENT, 
+										assignmentConstraint, "Assignment of "+evaluatedAssignment.getTarget());
+								evaluatedAssignment.triggerConstraint(policyRule, trigger);
+							}
+						}
+					}
+				}
+			}
+		}
+	}
 
 	public <F extends ObjectType> void removeIgnoredContexts(LensContext<F> context) {
 		Collection<LensProjectionContext> projectionContexts = context.getProjectionContexts();

diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/rbac/TestRbac.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/rbac/TestRbac.java
@@ -121,6 +121,8 @@ public class TestRbac extends AbstractInitializedModelIntegrationTest {
 	protected static final String ROLE_IMMUTABLE_OID = "e53baf94-aa99-11e6-962a-5362ec2dd7df";
 	private static final String ROLE_IMMUTABLE_DESCRIPTION = "Role that cannot be modified because there is a modification rule with enforcement action.";
 
+	protected static final File ROLE_NON_ASSIGNABLE_FILE = new File(TEST_DIR, "role-non-assignable.xml");
+	protected static final String ROLE_NON_ASSIGNABLE_OID = "db67d2f0-abd8-11e6-9c30-b35abe3e4e3a";
 
 	protected static final File ORG_PROJECT_RECLAIM_BLACK_PEARL_FILE = new File(TEST_DIR, "org-project-reclaim-black-pearl.xml");
 	protected static final String ORG_PROJECT_RECLAIM_BLACK_PEARL_OID = "00000000-8888-6666-0000-200000005000";
@@ -171,6 +173,7 @@ public void initSystem(Task initTask, OperationResult initResult)
 		repoAddObjectFromFile(ROLE_PROJECT_OMNINAMAGER_FILE, RoleType.class, initResult);
 		repoAddObjectFromFile(ROLE_WEAK_GOSSIPER_FILE, RoleType.class, initResult);
 		repoAddObjectFromFile(ROLE_IMMUTABLE_FILE, RoleType.class, initResult);
+		repoAddObjectFromFile(ROLE_NON_ASSIGNABLE_FILE, RoleType.class, initResult);
 	}
 
 	@Test
@@ -2913,5 +2916,35 @@ public void test810ModifyRoleJudge() throws Exception {
         PrismAsserts.assertPropertyValue(roleAfter, RoleType.F_DESCRIPTION, "whatever");
 	}
 
+	@Test
+    public void test820AssignRoleNonAssignable() throws Exception {
+		final String TEST_NAME = "test820AssignRoleNonAssignable";
+        TestUtil.displayTestTile(this, TEST_NAME);
+        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.FULL);
+
+        Task task = taskManager.createTaskInstance(TestRbac.class.getName() + "." + TEST_NAME);
+        OperationResult result = task.getResult();
+
+        PrismObject<UserType> userJackBefore = getUser(USER_JACK_OID);
+        display("user jack", userJackBefore);
+        assertNoAssignments(userJackBefore);
+
+        try {
+	        // WHEN
+			TestUtil.displayWhen(TEST_NAME);
+			assignRole(USER_JACK_OID, ROLE_NON_ASSIGNABLE_OID, task, result);
+
+			AssertJUnit.fail("Unexpected success");
+        } catch (PolicyViolationException e) {
+        	// THEN
+            TestUtil.displayThen(TEST_NAME);
+            result.computeStatus();
+        	TestUtil.assertFailure(result);
+        }
+
+        PrismObject<UserType> userJackAfter = getUser(USER_JACK_OID);
+        display("user after", userJackAfter);
+        assertNoAssignments(userJackAfter);
+	}
 
 }
diff --git a/model/model-intest/src/test/resources/rbac/role-immutable.xml b/model/model-intest/src/test/resources/rbac/role-immutable.xml
@@ -18,7 +18,7 @@
         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
         xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy">
-    <name>Immetable</name>
+    <name>Immutable</name>
     <description>Role that cannot be modified because there is a modification rule with enforcement action.</description>
     <assignment>
     	<policyRule>

diff --git a/model/model-intest/src/test/resources/rbac/role-non-assignable.xml b/model/model-intest/src/test/resources/rbac/role-non-assignable.xml
@@ -0,0 +1,34 @@
+<!--
+  ~ Copyright (c) 2016 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<role oid="db67d2f0-abd8-11e6-9c30-b35abe3e4e3a"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+        xmlns:piracy="http://midpoint.evolveum.com/xml/ns/samples/piracy">
+    <name>Non-assignable</name>
+    <description>Role that cannot be assigned because there is a rule with enforcement action.</description>
+    <assignment>
+    	<policyRule>
+    		<name>non-assignable</name>
+    		<policyConstraints>
+		    	<assignment/>
+		    </policyConstraints>
+		    <policyActions>
+		    	<enforcement/>
+		    </policyActions>
+    	</policyRule>
+    </assignment>
+</role>