From bae2b4f8841037244729acec489f02efe1154da7 Mon Sep 17 00:00:00 2001 From: Katarina Valalikova Date: Sat, 18 Jan 2020 12:24:16 +0100 Subject: [PATCH 1/3] limit association modifications - replace not supported (MID-5382) --- .../impl/EntitlementConverter.java | 5 ++ .../provisioning/impl/opendj/TestOpenDj.java | 74 ++++++++++++++----- .../opendj/account-modify-association.xml | 27 +++++++ 3 files changed, 89 insertions(+), 17 deletions(-) create mode 100644 provisioning/provisioning-impl/src/test/resources/opendj/account-modify-association.xml diff --git a/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/EntitlementConverter.java b/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/EntitlementConverter.java index a1d63a807c5..187dbc4c14a 100644 --- a/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/EntitlementConverter.java +++ b/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/EntitlementConverter.java @@ -17,6 +17,7 @@ import com.evolveum.midpoint.prism.path.ItemName; import com.evolveum.midpoint.prism.path.ItemPath; import com.evolveum.midpoint.schema.processor.*; +import org.apache.commons.collections4.CollectionUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; 
@@ -339,6 +340,10 @@ public void collectEntitlementChange(ProvisioningContext ctx, ContainerDelta operations) throws SchemaException, ConfigurationException, ObjectNotFoundException, CommunicationException, ExpressionEvaluationException { Map operationsMap = new HashMap<>(); + if (CollectionUtils.isNotEmpty(itemDelta.getValuesToReplace())) { + LOGGER.error("Replace delta not supported for association, modifications {},\n provisioning context: ", itemDelta, ctx); + throw new SchemaException("Cannot perform replace delta for association, replace values: " + itemDelta.getValuesToReplace()); + } collectEntitlementToAttrsDelta(ctx, operationsMap, itemDelta.getValuesToAdd(), ModificationType.ADD); collectEntitlementToAttrsDelta(ctx, operationsMap, itemDelta.getValuesToDelete(), ModificationType.DELETE); collectEntitlementToAttrsDelta(ctx, operationsMap, itemDelta.getValuesToReplace(), ModificationType.REPLACE); diff --git a/provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/opendj/TestOpenDj.java b/provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/opendj/TestOpenDj.java index 864ba0f2a04..526795beeda 100644 --- a/provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/opendj/TestOpenDj.java +++ b/provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/opendj/TestOpenDj.java @@ -33,8 +33,10 @@ import com.evolveum.midpoint.prism.path.ItemPath; import com.evolveum.midpoint.prism.polystring.PolyString; import com.evolveum.midpoint.prism.query.*; +import com.evolveum.midpoint.schema.constants.MidPointConstants; import com.evolveum.midpoint.schema.processor.*; +import com.evolveum.midpoint.xml.ns._public.common.common_3.*; import org.apache.commons.lang.StringUtils; import org.opends.server.types.Entry; import org.opends.server.util.LDIFException; 
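Review bot: The added `LOGGER.error` call in `collectEntitlementChange` (EntitlementConverter.java) passes two arguments, `itemDelta` and `ctx`, but its format string has only one `{}`, so the provisioning context is presumably never rendered; end the message with `provisioning context: {}`. The guard uses `CollectionUtils.isNotEmpty(...)`, so a replace delta with an empty value set (a request to clear every association) is not rejected and appears to fall through to the REPLACE call with nothing to process. If such a delta can reach this method, the caller may believe group memberships were removed when nothing changed; `if (itemDelta.getValuesToReplace() != null)` would reject that case as well. With the guard in place, the trailing `collectEntitlementToAttrsDelta(..., ModificationType.REPLACE)` call can only receive a null or empty collection and could be dropped. The method body starts and ends outside the hunk.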
@@ -89,23 +91,6 @@ import com.evolveum.midpoint.util.logging.TraceManager; import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ObjectModificationType; import com.evolveum.midpoint.xml.ns._public.common.api_types_3.PropertyReferenceListType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.CachingMetadataType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.CapabilityCollectionType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.ConnectorType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.LockoutStatusType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.OperationProvisioningScriptsType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.ProvisioningScriptHostType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.SchemaGenerationConstraintsType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowAssociationType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowKindType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType; -import com.evolveum.midpoint.xml.ns._public.common.common_3.XmlSchemaType; import com.evolveum.midpoint.xml.ns._public.resource.capabilities_3.ActivationCapabilityType; import com.evolveum.midpoint.xml.ns._public.resource.capabilities_3.CreateCapabilityType; import com.evolveum.midpoint.xml.ns._public.resource.capabilities_3.CredentialsCapabilityType; 
@@ -141,6 +126,7 @@ public class TestOpenDj extends AbstractOpenDjTest { protected static final String USER_JACK_FULL_NAME = "Jack Sparrow"; + private static final File FILE_MODIFY_ASSOCIATION_REPLACE = new File(TEST_DIR, "account-modify-association.xml"); private static final String[] JACK_FULL_NAME_LANG_EN_SK = { "en", "Jack Sparrow", 
@@ -2532,6 +2518,60 @@ public void test402AddAccountMorganWithAssociation() throws Exception { assertShadows(19); } + @Test + public void test403modifyMorganReplaceAssociation() throws Exception { + final String TEST_NAME = "test403modifyMorganReplaceAssociation"; + displayTestTitle(TEST_NAME); + + Task task = createTask(TEST_NAME); + OperationResult result = task.getResult(); + + // WHEN + displayWhen(TEST_NAME); + ObjectModificationType modification = prismContext.parserFor(FILE_MODIFY_ASSOCIATION_REPLACE).parseRealValue(ObjectModificationType.class); + ObjectDelta delta = DeltaConvertor.createObjectDelta(modification, ShadowType.class, prismContext); + try { + provisioningService.modifyObject(ShadowType.class, ACCOUNT_MORGAN_OID, delta.getModifications(), null, null, task, result); + assertNotReached(); + } catch (SchemaException e) { + //expected exception because replace delta is not supported for association + } + + // THEN + displayThen(TEST_NAME); + + assertRepoShadow(ACCOUNT_MORGAN_OID) + .assertName(ACCOUNT_MORGAN_DN); + + ShadowAsserter provisioningShadowAsserter = assertShadowProvisioning(ACCOUNT_MORGAN_OID) + .assertName(ACCOUNT_MORGAN_DN) + .associations() + .assertSize(1) + .association(ASSOCIATION_GROUP_NAME) + .assertShadowOids(GROUP_SWASHBUCKLERS_OID) + .end() + .end(); + + String uid = provisioningShadowAsserter + .attributes() + .getValue(getPrimaryIdentifierQName()); + assertNotNull(uid); + + Entry accountEntry = openDJController.searchAndAssertByEntryUuid(uid); + display("LDAP account", accountEntry); + assertNotNull("No LDAP account entry"); + String accountDn = accountEntry.getDN().toString(); + assertEquals("Wrong account DN", ACCOUNT_MORGAN_DN, accountDn); + + Entry groupEntry = openDJController.fetchEntry(GROUP_SWASHBUCKLERS_DN); + display("LDAP group", groupEntry); + assertNotNull("No LDAP group entry"); + openDJController.assertUniqueMember(groupEntry, accountDn); + + assertShadows(19); + } + + @Test public void 
test405GetGroupSwashbucklers() throws Exception { final String TEST_NAME = "test405GetGroupSwashbucklers"; diff --git a/provisioning/provisioning-impl/src/test/resources/opendj/account-modify-association.xml b/provisioning/provisioning-impl/src/test/resources/opendj/account-modify-association.xml new file mode 100644 index 00000000000..5b8516e3faa --- /dev/null +++ b/provisioning/provisioning-impl/src/test/resources/opendj/account-modify-association.xml @@ -0,0 +1,27 @@ + + + + + c0c010c0-d34d-b44f-f11d-333222444566 + + replace + association + + group + + cn=anygroup,ou=groups,dc=example,dc=com + + + + From 0434011c0cc61f1f248781d87af47783355f0261 Mon Sep 17 00:00:00 2001 From: Katarina Valalikova Date: Sat, 18 Jan 2020 16:55:04 +0100 Subject: [PATCH 2/3] improved logging for diagnostic for MID-5908 --- .../com/evolveum/midpoint/report/impl/ReportServiceImpl.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportServiceImpl.java b/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportServiceImpl.java index 210fa862ca5..e2ce472672c 100644 --- a/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportServiceImpl.java +++ b/model/report-impl/src/main/java/com/evolveum/midpoint/report/impl/ReportServiceImpl.java 
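Review bot: Both `assertNotNull("No LDAP account entry");` and `assertNotNull("No LDAP group entry");` in `test403modifyMorganReplaceAssociation` (TestOpenDj.java) pass only the message string, so they test a non-null literal and can never fail; the fetched entries are not verified. Pass the object as the neighbouring `assertEquals("Wrong account DN", ...)` call does: `assertNotNull("No LDAP account entry", accountEntry);` and `assertNotNull("No LDAP group entry", groupEntry);`. The empty `catch (SchemaException e)` accepts any schema failure raised inside `modifyObject`; checking the exception message or the state of `result` would confirm that the rejection came from the replace-delta guard.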
@@ -179,8 +179,10 @@ public Collection> searchObjects(ObjectQuery q // SelectorOptions(GetOperationOptions.createResolveNames())); GetOperationOptions getOptions = GetOperationOptions.createResolveNames(); if (ShadowType.class.isAssignableFrom(clazz) && securityEnforcer.isAuthorized(ModelAuthorizationAction.RAW_OPERATION.getUrl(), null, AuthorizationParameters.EMPTY, null, task, parentResult)) { + LOGGER.trace("Setting searching in raw mode."); getOptions.setRaw(Boolean.TRUE); // shadows in non-raw mode require specifying resource OID and kind (at least) - todo research this further } else { + LOGGER.trace("Setting searching in noFetch mode. Shadows in non-raw mode require specifying resource OID and objectClass (kind) at least."); getOptions.setNoFetch(Boolean.TRUE); } options = SelectorOptions.createCollection(getOptions); From 30e2e92778204fa1ebd91e77639be5c1a72363a2 Mon Sep 17 00:00:00 2001 From: Katarina Valalikova Date: Sat, 18 Jan 2020 17:28:16 +0100 Subject: [PATCH 3/3] dependency problem fix. --- provisioning/provisioning-impl/pom.xml | 4 ++++ .../midpoint/provisioning/impl/opendj/TestOpenDj.java | 2 -- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/provisioning/provisioning-impl/pom.xml b/provisioning/provisioning-impl/pom.xml index 951f90b5c76..2d740b595e8 100644 --- a/provisioning/provisioning-impl/pom.xml +++ b/provisioning/provisioning-impl/pom.xml @@ -121,6 +121,10 @@ javax.annotation javax.annotation-api + + org.apache.commons + commons-collections4 + diff --git a/provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/opendj/TestOpenDj.java b/provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/opendj/TestOpenDj.java index 526795beeda..3e116e6aa34 100644 --- a/provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/opendj/TestOpenDj.java 
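Review bot: The two added `LOGGER.trace` messages in `searchObjects` (ReportServiceImpl.java) do not say which class is being searched or why the branch was taken. The `else` branch is reached both for non-shadow classes and for shadows when the `RAW_OPERATION` authorization check fails, so its message about shadows is misleading in the first case. Because the branch depends on an authorization decision, name it in the diagnostic, for example `LOGGER.trace("Searching {} in raw mode (raw operation authorized)", clazz);` and `LOGGER.trace("Searching {} in noFetch mode (not a shadow class, or raw operation not authorized)", clazz);`. The method body starts and ends outside the hunk.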
+++ b/provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/opendj/TestOpenDj.java @@ -33,7 +33,6 @@ import com.evolveum.midpoint.prism.path.ItemPath; import com.evolveum.midpoint.prism.polystring.PolyString; import com.evolveum.midpoint.prism.query.*; -import com.evolveum.midpoint.schema.constants.MidPointConstants; import com.evolveum.midpoint.schema.processor.*; import com.evolveum.midpoint.xml.ns._public.common.common_3.*; @@ -80,7 +79,6 @@ import com.evolveum.midpoint.test.util.MidPointAsserts; import com.evolveum.midpoint.test.util.TestUtil; import com.evolveum.midpoint.util.DOMUtil; -import com.evolveum.midpoint.util.DebugUtil; import com.evolveum.midpoint.util.JAXBUtil; import com.evolveum.midpoint.util.MiscUtil; import com.evolveum.midpoint.util.exception.CommunicationException;