From ba3982d873f70db65b25e72af0db442af115a813 Mon Sep 17 00:00:00 2001 From: Pavol Mederly Date: Wed, 1 Mar 2017 16:17:20 +0100 Subject: [PATCH] Global policy rules also for assignments. --- .../lens/projector/AssignmentProcessor.java | 8 +++- .../impl/lens/projector/FocusProcessor.java | 4 +- .../lens/projector/PolicyRuleProcessor.java | 42 +++++++++++++++++-- .../model/impl/lens/TestPolicyRules.java | 20 ++++----- .../resources/common/system-configuration.xml | 28 ++++++++++++- 5 files changed, 83 insertions(+), 19 deletions(-) diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/AssignmentProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/AssignmentProcessor.java index c91e63b3ae8..c1d5b3bb7b0 100644 --- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/AssignmentProcessor.java +++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/AssignmentProcessor.java @@ -239,6 +239,7 @@ private void processAssignmentsProjectionsWithFocus(LensCo // Evaluates all assignments and sorts them to triple: added, removed and untouched assignments. // This is where most of the assignment-level action happens. DeltaSetTriple> evaluatedAssignmentTriple = assignmentTripleEvaluator.processAllAssignments(); + policyRuleProcessor.addGlobalPoliciesToAssignments(context, evaluatedAssignmentTriple); context.setEvaluatedAssignmentTriple((DeltaSetTriple)evaluatedAssignmentTriple); if (LOGGER.isTraceEnabled()) { @@ -246,7 +247,7 @@ private void processAssignmentsProjectionsWithFocus(LensCo } // PROCESSING POLICIES - + policyRuleProcessor.processPolicies(context, evaluatedAssignmentTriple, result); boolean needToReevaluateAssignments = policyRuleProcessor.processPruning(context, evaluatedAssignmentTriple, result); 
@@ -255,7 +256,10 @@ private void processAssignmentsProjectionsWithFocus(LensCo LOGGER.debug("Re-evaluating assignments because exclusion pruning rule was triggered"); evaluatedAssignmentTriple = assignmentTripleEvaluator.processAllAssignments(); - + // TODO shouldn't we store this re-evaluated triple back into the context? + + policyRuleProcessor.addGlobalPoliciesToAssignments(context, evaluatedAssignmentTriple); + if (LOGGER.isTraceEnabled()) { LOGGER.trace("re-evaluatedAssignmentTriple:\n{}", evaluatedAssignmentTriple.debugDump()); } diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/FocusProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/FocusProcessor.java index ffd25020cd9..7a5c78e9b30 100644 --- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/FocusProcessor.java +++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/FocusProcessor.java @@ -396,7 +396,9 @@ private void evaluateFocusPolicyRules(LensContext conte triggerAssignmentFocusPolicyRules(context, activityDescription, now, task, result); triggerGlobalRules(context); } - + + // TODO: should we really do this? Focus policy rules (e.g. forbidden modifications) are irrelevant in this situation, + // TODO: i.e. if we are assigning the object into some other object [med] private void triggerAssignmentFocusPolicyRules(LensContext context, String activityDescription, XMLGregorianCalendar now, Task task, OperationResult result) throws PolicyViolationException { LensFocusContext focusContext = context.getFocusContext(); diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/PolicyRuleProcessor.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/PolicyRuleProcessor.java index b91c8fde507..f48f77420e4 100644 
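Review bot: After the re-evaluation in this hunk the context still holds the triple stored by `context.setEvaluatedAssignmentTriple(...)` in the @@ -239 hunk, so anything that later reads the evaluated assignments from the context sees the pre-pruning assignments and their policy rules rather than the re-evaluated ones the added `addGlobalPoliciesToAssignments` call decorates. This is exactly what the new TODO asks; unless the store happens further down outside the hunk, the answer looks like yes, and the fix is to mirror the first hunk with `context.setEvaluatedAssignmentTriple((DeltaSetTriple)evaluatedAssignmentTriple);` directly after the added call. The body of processAssignmentsProjectionsWithFocus continues outside this hunk.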
--- a/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/PolicyRuleProcessor.java +++ b/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/PolicyRuleProcessor.java @@ -21,7 +21,7 @@ import javax.xml.namespace.QName; import com.evolveum.midpoint.model.api.context.*; -import com.evolveum.midpoint.model.impl.lens.LensFocusContext; +import com.evolveum.midpoint.model.impl.lens.*; import com.evolveum.midpoint.prism.*; import com.evolveum.midpoint.prism.delta.*; import com.evolveum.midpoint.prism.delta.builder.DeltaBuilder; @@ -38,9 +38,6 @@ import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.stereotype.Component; -import com.evolveum.midpoint.model.impl.lens.EvaluatedAssignmentImpl; -import com.evolveum.midpoint.model.impl.lens.EvaluatedAssignmentTargetImpl; -import com.evolveum.midpoint.model.impl.lens.LensContext; import com.evolveum.midpoint.prism.query.ObjectQuery; import com.evolveum.midpoint.prism.query.builder.QueryBuilder; import com.evolveum.midpoint.prism.query.builder.S_AtomicFilterExit; 
@@ -503,4 +500,41 @@ private PropertyDelta createSituationDelta(ItemPath path, Set cu situationsDelta.setEstimatedOldValues(PrismPropertyValue.wrap(currentSituations)); return situationsDelta; } + + public void addGlobalPoliciesToAssignments(LensContext context, + DeltaSetTriple> evaluatedAssignmentTriple) throws SchemaException { + + PrismObject systemConfiguration = context.getSystemConfiguration(); + if (systemConfiguration == null) { + return; + } + // We need to consider object before modification here. + LensFocusContext focusContext = context.getFocusContext(); + PrismObject focus = focusContext.getObjectCurrent(); + if (focus == null) { + focus = focusContext.getObjectNew(); + } + + for (GlobalPolicyRuleType globalPolicyRule: systemConfiguration.asObjectable().getGlobalPolicyRule()) { + ObjectSelectorType focusSelector = globalPolicyRule.getFocusSelector(); + if (!repositoryService.selectorMatches(focusSelector, focus, LOGGER, + "Global policy rule "+globalPolicyRule.getName()+" focus selector: ")) { + continue; + } + for (EvaluatedAssignmentImpl evaluatedAssignment : evaluatedAssignmentTriple.getAllValues()) { + for (EvaluatedAssignmentTargetImpl target : evaluatedAssignment.getRoles().getNonNegativeValues()) { + if (!repositoryService.selectorMatches(globalPolicyRule.getTargetSelector(), + target.getTarget(), LOGGER, "Global policy rule "+globalPolicyRule.getName()+" target selector: ")) { + continue; + } + EvaluatedPolicyRule evaluatedRule = new EvaluatedPolicyRuleImpl(globalPolicyRule, + target.getAssignmentPath() != null ? target.getAssignmentPath().clone() : null); + evaluatedAssignment.addTargetPolicyRule(evaluatedRule); + if (target.getAssignmentPath() != null && target.getAssignmentPath().size() == 1) { + evaluatedAssignment.addThisTargetPolicyRule(evaluatedRule); + } + } + } + } + } } 
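Review bot: The early `return` when `context.getSystemConfiguration()` is null silently skips global policy rule evaluation for every assignment, which makes a missing configuration indistinguishable from "no rule matched" in the logs; add `LOGGER.trace("No system configuration, skipping global policy rules for assignments");` before the `return` so the skip is observable. The method also assumes `focusContext` is non-null and that at least one of `getObjectCurrent()`/`getObjectNew()` is set; if a caller can reach this with a projection-only context, `selectorMatches` is handed a null focus, so either guard with `if (focusContext == null || focus == null) { return; }` (logged the same way) or document the precondition. In the inner loop `target.getAssignmentPath()` is called three times; a single local would make the clone and size checks read more clearly, and the `"Global policy rule "+globalPolicyRule.getName()+" target selector: "` prefix could be built once per rule instead of once per target. As a new public method it should carry a Javadoc stating that it attaches matching global rules from the system configuration to each evaluated assignment's target rules, evaluating the focus selector against the object before modification (as the inline comment notes) and the target selector against each non-negative role target.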
diff --git a/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestPolicyRules.java b/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestPolicyRules.java index cdda090510a..8b5a375dc4d 100644 --- a/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestPolicyRules.java +++ b/model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestPolicyRules.java @@ -104,8 +104,8 @@ public void test005JackAttemptAssignRoleJudge() throws Exception { dumpPolicyRules(context); - assertEvaluatedRules(context, 3); - assertTriggeredRules(context, 1, PolicyConstraintKindType.ASSIGNMENT); + assertEvaluatedRules(context, 4); + assertTriggeredRules(context, 2, PolicyConstraintKindType.ASSIGNMENT); } @@ -167,7 +167,7 @@ public void test020JackUnassignRoleJudge() throws Exception { dumpPolicyRules(context); - assertEvaluatedRules(context, 3); + assertEvaluatedRules(context, 4); assertTriggeredRules(context, 2, PolicyConstraintKindType.ASSIGNMENT); } @@ -210,7 +210,7 @@ public void test100AssignRoleMutinierToJack() throws Exception { dumpPolicyRules(context); - assertEvaluatedRules(context, 3); + assertEvaluatedRules(context, 4); assertTriggeredRules(context, 0, null); } @@ -249,7 +249,7 @@ public void test110AssignRolePirateToJack() throws Exception { dumpPolicyRules(context); - assertEvaluatedRules(context, 3); + assertEvaluatedRules(context, 4); EvaluatedExclusionTrigger trigger = (EvaluatedExclusionTrigger) assertTriggeredRule(context, null, PolicyConstraintKindType.EXCLUSION, 1, true); assertNotNull("No conflicting assignment in trigger", trigger.getConflictingAssignment()); assertEquals("Wrong conflicting assignment in trigger", ROLE_PIRATE_OID, trigger.getConflictingAssignment().getTarget().getOid()); 
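Review bot: The count changes in @@ -104, @@ -167, @@ -210 and @@ -249 (and the later test hunks in this file) only pin that one more rule is evaluated; none of them asserts that the additional rule is the new global rule from system-configuration.xml rather than a duplicate of a role-local rule. One assertion naming the global rule among the evaluated rules, for example in test005 next to `assertTriggeredRules(context, 2, PolicyConstraintKindType.ASSIGNMENT);`, would tie the +1 to the feature being added; the `List evaluatedRules = assertEvaluatedRules(...)` in @@ -298 already returns the list that could be inspected. The test methods themselves start outside these hunks.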
@@ -298,7 +298,7 @@ public void test112AssignRolePirateWithExceptionToJack() throws Exception { dumpPolicyRules(context); - List evaluatedRules = assertEvaluatedRules(context, 3); + List evaluatedRules = assertEvaluatedRules(context, 4); assertTriggeredRules(context, 0, null); EvaluatedPolicyRule evaluatedPolicyRule = evaluatedRules.get(0); @@ -343,7 +343,7 @@ public void test120AssignRoleConstableToJack() throws Exception { dumpPolicyRules(context); - assertEvaluatedRules(context, 4); + assertEvaluatedRules(context, 5); EvaluatedExclusionTrigger trigger = (EvaluatedExclusionTrigger) assertTriggeredRule(context, null, PolicyConstraintKindType.EXCLUSION, 1, true); assertNotNull("No conflicting assignment in trigger", trigger.getConflictingAssignment()); assertEquals("Wrong conflicting assignment in trigger", ROLE_JUDGE_OID, trigger.getConflictingAssignment().getTarget().getOid()); @@ -401,7 +401,7 @@ public void test150AssignRoleThiefToJack() throws Exception { dumpPolicyRules(context); - assertEvaluatedRules(context, 5); + assertEvaluatedRules(context, 6); EvaluatedExclusionTrigger triggerExclusion = (EvaluatedExclusionTrigger) assertTriggeredRule(context, null, PolicyConstraintKindType.EXCLUSION, 1, false); assertNotNull("No conflicting assignment in trigger", triggerExclusion.getConflictingAssignment()); assertEquals("Wrong conflicting assignment in trigger", ROLE_JUDGE_OID, triggerExclusion.getConflictingAssignment().getTarget().getOid()); 
@@ -479,7 +479,7 @@ public void test210AssignRoleEmployeeToJack() throws Exception { // Judge: criminal-exclusion, unassignment, all-assignment-operations // Employee: approve-any-corp-role, notify-exclusion-violations, employee-excludes-contractor // Contractor: approve-any-corp-role, notify-exclusion-violations, contractor-excludes-employee - assertEvaluatedRules(context, 9); + assertEvaluatedRules(context, 10); EvaluatedExclusionTrigger trigger = (EvaluatedExclusionTrigger) assertTriggeredRule(context, ROLE_CORP_EMPLOYEE_OID, PolicyConstraintKindType.EXCLUSION, 1, false); assertNotNull("No conflicting assignment in trigger", trigger.getConflictingAssignment()); assertEquals("Wrong conflicting assignment in trigger", ROLE_CORP_CONTRACTOR_OID, trigger.getConflictingAssignment().getTarget().getOid()); @@ -524,7 +524,7 @@ public void test220AssignRoleEngineerToJack() throws Exception { // Judge: L:criminal-exclusion, L:unassignment, L:all-assignment-operations // Contractor: L:approve-any-corp-role, L:notify-exclusion-violations, L:contractor-excludes-employee // Engineer: approve-any-corp-role, notify-exclusion-violations, employee-excludes-contractor, L:approve-any-corp-role, L:notify-exclusion-violations - assertEvaluatedRules(context, 11); + assertEvaluatedRules(context, 12); EvaluatedExclusionTrigger trigger = (EvaluatedExclusionTrigger) assertTriggeredRule(context, ROLE_CORP_ENGINEER_OID, PolicyConstraintKindType.EXCLUSION, 1, false); assertNotNull("No conflicting assignment in trigger", trigger.getConflictingAssignment()); assertEquals("Wrong conflicting assignment in trigger", ROLE_CORP_CONTRACTOR_OID, trigger.getConflictingAssignment().getTarget().getOid()); diff --git a/model/model-impl/src/test/resources/common/system-configuration.xml b/model/model-impl/src/test/resources/common/system-configuration.xml index 2437e3ffbcf..b6e79931623 100644 --- a/model/model-impl/src/test/resources/common/system-configuration.xml 
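Review bot: The comments above the asserts in @@ -479 and @@ -524 enumerate the rules that make up the expected count per role, but the counts were raised to 10 and 12 without adding a line for the rule that accounts for the extra one, so the inventory no longer adds up to the assert. Add a line such as `// Global: global-assignment-notification (system-configuration.xml)` to each list, assuming that is indeed the rule behind the increment, which the test hunks do not state explicitly. The surrounding test methods start outside the hunks.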
+++ b/model/model-impl/src/test/resources/common/system-configuration.xml @@ -16,8 +16,9 @@ --> + xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" + xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" + xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"> SystemConfiguration File Appender @@ -33,6 +34,29 @@ + + global-assignment-notification + + + add + + + + + + + UserType + + + RoleType + + + name + Judge + + + + /foo