Global policy rules also for assignments.

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/AssignmentProcessor.java

@@ -239,14 +239,15 @@ private <F extends FocusType> void processAssignmentsProjectionsWithFocus(LensCo
         // Evaluates all assignments and sorts them to triple: added, removed and untouched assignments.
         // This is where most of the assignment-level action happens.
         DeltaSetTriple<EvaluatedAssignmentImpl<F>> evaluatedAssignmentTriple = assignmentTripleEvaluator.processAllAssignments();
+        policyRuleProcessor.addGlobalPoliciesToAssignments(context, evaluatedAssignmentTriple);
         context.setEvaluatedAssignmentTriple((DeltaSetTriple)evaluatedAssignmentTriple);
 
         if (LOGGER.isTraceEnabled()) {
         	LOGGER.trace("evaluatedAssignmentTriple:\n{}", evaluatedAssignmentTriple.debugDump());
         }
 
         // PROCESSING POLICIES
-        
+
         policyRuleProcessor.processPolicies(context, evaluatedAssignmentTriple, result);
 
         boolean needToReevaluateAssignments = policyRuleProcessor.processPruning(context, evaluatedAssignmentTriple, result);
@@ -255,7 +256,10 @@ private <F extends FocusType> void processAssignmentsProjectionsWithFocus(LensCo
         	LOGGER.debug("Re-evaluating assignments because exclusion pruning rule was triggered");
 
         	evaluatedAssignmentTriple = assignmentTripleEvaluator.processAllAssignments();
-
+        	// TODO shouldn't we store this re-evaluated triple back into the context?
+
+			policyRuleProcessor.addGlobalPoliciesToAssignments(context, evaluatedAssignmentTriple);
+
         	if (LOGGER.isTraceEnabled()) {
             	LOGGER.trace("re-evaluatedAssignmentTriple:\n{}", evaluatedAssignmentTriple.debugDump());
             }

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/FocusProcessor.java

@@ -396,7 +396,9 @@ private <F extends FocusType> void evaluateFocusPolicyRules(LensContext<F> conte
 		triggerAssignmentFocusPolicyRules(context, activityDescription, now, task, result);
 		triggerGlobalRules(context);
 	}
-
+
+	// TODO: should we really do this? Focus policy rules (e.g. forbidden modifications) are irrelevant in this situation,
+	// TODO: i.e. if we are assigning the object into some other object [med]
 	private <F extends FocusType> void triggerAssignmentFocusPolicyRules(LensContext<F> context, String activityDescription,
 			XMLGregorianCalendar now, Task task, OperationResult result) throws PolicyViolationException {
 		LensFocusContext<F> focusContext = context.getFocusContext();

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/PolicyRuleProcessor.java

@@ -21,7 +21,7 @@
 import javax.xml.namespace.QName;
 
 import com.evolveum.midpoint.model.api.context.*;
-import com.evolveum.midpoint.model.impl.lens.LensFocusContext;
+import com.evolveum.midpoint.model.impl.lens.*;
 import com.evolveum.midpoint.prism.*;
 import com.evolveum.midpoint.prism.delta.*;
 import com.evolveum.midpoint.prism.delta.builder.DeltaBuilder;
@@ -38,9 +38,6 @@
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.stereotype.Component;
 
-import com.evolveum.midpoint.model.impl.lens.EvaluatedAssignmentImpl;
-import com.evolveum.midpoint.model.impl.lens.EvaluatedAssignmentTargetImpl;
-import com.evolveum.midpoint.model.impl.lens.LensContext;
 import com.evolveum.midpoint.prism.query.ObjectQuery;
 import com.evolveum.midpoint.prism.query.builder.QueryBuilder;
 import com.evolveum.midpoint.prism.query.builder.S_AtomicFilterExit;
@@ -503,4 +500,41 @@ private PropertyDelta<String> createSituationDelta(ItemPath path, Set<String> cu
 		situationsDelta.setEstimatedOldValues(PrismPropertyValue.wrap(currentSituations));
 		return situationsDelta;
 	}
+
+	public <F extends FocusType> void addGlobalPoliciesToAssignments(LensContext<F> context,
+			DeltaSetTriple<EvaluatedAssignmentImpl<F>> evaluatedAssignmentTriple) throws SchemaException {
+
+		PrismObject<SystemConfigurationType> systemConfiguration = context.getSystemConfiguration();
+		if (systemConfiguration == null) {
+			return;
+		}
+		// We need to consider object before modification here.
+		LensFocusContext<F> focusContext = context.getFocusContext();
+		PrismObject<F> focus = focusContext.getObjectCurrent();
+		if (focus == null) {
+			focus = focusContext.getObjectNew();
+		}
+
+		for (GlobalPolicyRuleType globalPolicyRule: systemConfiguration.asObjectable().getGlobalPolicyRule()) {
+			ObjectSelectorType focusSelector = globalPolicyRule.getFocusSelector();
+			if (!repositoryService.selectorMatches(focusSelector, focus, LOGGER,
+					"Global policy rule "+globalPolicyRule.getName()+" focus selector: ")) {
+				continue;
+			}
+			for (EvaluatedAssignmentImpl<F> evaluatedAssignment : evaluatedAssignmentTriple.getAllValues()) {
+				for (EvaluatedAssignmentTargetImpl target : evaluatedAssignment.getRoles().getNonNegativeValues()) {
+					if (!repositoryService.selectorMatches(globalPolicyRule.getTargetSelector(),
+							target.getTarget(), LOGGER, "Global policy rule "+globalPolicyRule.getName()+" target selector: ")) {
+						continue;
+					}
+					EvaluatedPolicyRule evaluatedRule = new EvaluatedPolicyRuleImpl(globalPolicyRule,
+							target.getAssignmentPath() != null ? target.getAssignmentPath().clone() : null);
+					evaluatedAssignment.addTargetPolicyRule(evaluatedRule);
+					if (target.getAssignmentPath() != null && target.getAssignmentPath().size() == 1) {
+						evaluatedAssignment.addThisTargetPolicyRule(evaluatedRule);
+					}
+				}
+			}
+		}
+	}
 }

model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestPolicyRules.java

@@ -104,8 +104,8 @@ public void test005JackAttemptAssignRoleJudge() throws Exception {
 
 		dumpPolicyRules(context);
 
-		assertEvaluatedRules(context, 3);
-		assertTriggeredRules(context, 1, PolicyConstraintKindType.ASSIGNMENT);
+		assertEvaluatedRules(context, 4);
+		assertTriggeredRules(context, 2, PolicyConstraintKindType.ASSIGNMENT);
 	}
 
 
@@ -167,7 +167,7 @@ public void test020JackUnassignRoleJudge() throws Exception {
 
 		dumpPolicyRules(context);
 
-		assertEvaluatedRules(context, 3);
+		assertEvaluatedRules(context, 4);
 		assertTriggeredRules(context, 2, PolicyConstraintKindType.ASSIGNMENT);
 	}
 
@@ -210,7 +210,7 @@ public void test100AssignRoleMutinierToJack() throws Exception {
 
         dumpPolicyRules(context);
 
-        assertEvaluatedRules(context, 3);
+        assertEvaluatedRules(context, 4);
         assertTriggeredRules(context, 0, null);
 	}
 
@@ -249,7 +249,7 @@ public void test110AssignRolePirateToJack() throws Exception {
 
         dumpPolicyRules(context);
 
-        assertEvaluatedRules(context, 3);
+        assertEvaluatedRules(context, 4);
         EvaluatedExclusionTrigger trigger = (EvaluatedExclusionTrigger) assertTriggeredRule(context, null, PolicyConstraintKindType.EXCLUSION, 1, true);
         assertNotNull("No conflicting assignment in trigger", trigger.getConflictingAssignment());
         assertEquals("Wrong conflicting assignment in trigger", ROLE_PIRATE_OID, trigger.getConflictingAssignment().getTarget().getOid());
@@ -298,7 +298,7 @@ public void test112AssignRolePirateWithExceptionToJack() throws Exception {
 
         dumpPolicyRules(context);
 
-        List<EvaluatedPolicyRule> evaluatedRules = assertEvaluatedRules(context, 3);
+        List<EvaluatedPolicyRule> evaluatedRules = assertEvaluatedRules(context, 4);
         assertTriggeredRules(context, 0, null);
 
         EvaluatedPolicyRule evaluatedPolicyRule = evaluatedRules.get(0);
@@ -343,7 +343,7 @@ public void test120AssignRoleConstableToJack() throws Exception {
 
         dumpPolicyRules(context);
 
-        assertEvaluatedRules(context, 4);
+        assertEvaluatedRules(context, 5);
 		EvaluatedExclusionTrigger trigger = (EvaluatedExclusionTrigger) assertTriggeredRule(context, null, PolicyConstraintKindType.EXCLUSION, 1, true);
         assertNotNull("No conflicting assignment in trigger", trigger.getConflictingAssignment());
         assertEquals("Wrong conflicting assignment in trigger", ROLE_JUDGE_OID, trigger.getConflictingAssignment().getTarget().getOid());
@@ -401,7 +401,7 @@ public void test150AssignRoleThiefToJack() throws Exception {
 
 		dumpPolicyRules(context);
 
-		assertEvaluatedRules(context, 5);
+		assertEvaluatedRules(context, 6);
 		EvaluatedExclusionTrigger triggerExclusion = (EvaluatedExclusionTrigger) assertTriggeredRule(context, null, PolicyConstraintKindType.EXCLUSION, 1, false);
 		assertNotNull("No conflicting assignment in trigger", triggerExclusion.getConflictingAssignment());
 		assertEquals("Wrong conflicting assignment in trigger", ROLE_JUDGE_OID, triggerExclusion.getConflictingAssignment().getTarget().getOid());
@@ -479,7 +479,7 @@ public void test210AssignRoleEmployeeToJack() throws Exception {
 		// Judge: criminal-exclusion, unassignment, all-assignment-operations
 		// Employee: approve-any-corp-role, notify-exclusion-violations, employee-excludes-contractor
 		// Contractor: approve-any-corp-role, notify-exclusion-violations, contractor-excludes-employee
-		assertEvaluatedRules(context, 9);
+		assertEvaluatedRules(context, 10);
 		EvaluatedExclusionTrigger trigger = (EvaluatedExclusionTrigger) assertTriggeredRule(context, ROLE_CORP_EMPLOYEE_OID, PolicyConstraintKindType.EXCLUSION, 1, false);
 		assertNotNull("No conflicting assignment in trigger", trigger.getConflictingAssignment());
 		assertEquals("Wrong conflicting assignment in trigger", ROLE_CORP_CONTRACTOR_OID, trigger.getConflictingAssignment().getTarget().getOid());
@@ -524,7 +524,7 @@ public void test220AssignRoleEngineerToJack() throws Exception {
 		// Judge: L:criminal-exclusion, L:unassignment, L:all-assignment-operations
 		// Contractor: L:approve-any-corp-role, L:notify-exclusion-violations, L:contractor-excludes-employee
 		// Engineer: approve-any-corp-role, notify-exclusion-violations, employee-excludes-contractor, L:approve-any-corp-role, L:notify-exclusion-violations
-		assertEvaluatedRules(context, 11);
+		assertEvaluatedRules(context, 12);
 		EvaluatedExclusionTrigger trigger = (EvaluatedExclusionTrigger) assertTriggeredRule(context, ROLE_CORP_ENGINEER_OID, PolicyConstraintKindType.EXCLUSION, 1, false);
 		assertNotNull("No conflicting assignment in trigger", trigger.getConflictingAssignment());
 		assertEquals("Wrong conflicting assignment in trigger", ROLE_CORP_CONTRACTOR_OID, trigger.getConflictingAssignment().getTarget().getOid());

model/model-impl/src/test/resources/common/system-configuration.xml

@@ -16,8 +16,9 @@
   -->
 
 <systemConfiguration oid="00000000-0000-0000-0000-000000000001" version="0"
-	xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
-	xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+					 xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+					 xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+					 xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
     <name>SystemConfiguration</name>
     <logging>
     	<rootLoggerAppender>File Appender</rootLoggerAppender>
@@ -33,6 +34,29 @@
         </appender>
     </logging>
     <globalSecurityPolicyRef oid="28bf845a-b107-11e3-85bc-001e8c717e5b"/>
+	<globalPolicyRule>
+		<name>global-assignment-notification</name>
+		<policyConstraints>
+			<assignment>
+				<operation>add</operation>
+			</assignment>
+		</policyConstraints>
+		<policyActions>
+			<notification/>
+		</policyActions>
+		<focusSelector>
+			<type>UserType</type>
+		</focusSelector>
+		<targetSelector>
+			<type>RoleType</type>
+			<filter>
+				<q:equal>
+					<q:path>name</q:path>
+					<q:value>Judge</q:value>
+				</q:equal>
+			</filter>
+		</targetSelector>
+	</globalPolicyRule>
     <adminGuiConfiguration>
 	    <userDashboardLink>
 	    	<targetUrl>/foo</targetUrl>