Fixed MID-3099: Recompute customer admin with Password policy fails i…

…n SaaS story (probably due to 2 parentOrgRefs, one as manager).

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/PasswordPolicyProcessor.java

@@ -19,9 +19,11 @@
 import java.util.ArrayList;
 import java.util.List;
 
+import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
 
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
@@ -235,43 +237,45 @@ private ValuePolicyType determineValuePolicy(ObjectDelta<UserType> userDelta, Ta
 
 	private ValuePolicyType determineValuePolicy(PrismObject object, Task task, OperationResult result)
 			throws SchemaException {
-		LOGGER.trace("Determining password policies from object", object);
+		LOGGER.trace("Determining password policies from object: {}", ObjectTypeUtil.toShortString(object));
 		PrismReference orgRef = object.findReference(ObjectType.F_PARENT_ORG_REF);
 		if (orgRef == null) {
 			return null;
 		}
-		List<PrismReferenceValue> values = orgRef.getValues();
-		ValuePolicyType valuePolicy = null;
+		List<PrismReferenceValue> orgRefValues = orgRef.getValues();
+		ValuePolicyType resultingValuePolicy = null;
 		List<PrismObject<OrgType>> orgs = new ArrayList<PrismObject<OrgType>>();
 		try {
-			for (PrismReferenceValue orgRefValue : values) {
+			for (PrismReferenceValue orgRefValue : orgRefValues) {
 				if (orgRefValue != null) {
 
-					if (valuePolicy != null) {
-						throw new IllegalStateException(
-								"Found more than one policy while trying to validate user's password. Please check your configuration");
-					}
-
-					PrismObject<OrgType> org = resolver.resolve(orgRefValue,
-							"resolving parent org ref", null, null, result);
+					PrismObject<OrgType> org = resolver.resolve(orgRefValue, "resolving parent org ref", null, null, result);
 					orgs.add(org);
-					valuePolicy = resolvePolicy(org, task, result);
+					ValuePolicyType valuePolicy = resolvePolicy(org, task, result);
 
+					if (valuePolicy != null) {
+						if (resultingValuePolicy == null) {
+							resultingValuePolicy = valuePolicy;
+						} else if (!StringUtils.equals(valuePolicy.getOid(), resultingValuePolicy.getOid())) {
+							throw new IllegalStateException(
+									"Found more than one policy while trying to validate user's password. Please check your configuration");
+						}
+					}
 				}
 			}
 		} catch (ObjectNotFoundException ex) {
 			throw new IllegalStateException(ex);
 		}
 		// go deeper
-		if (valuePolicy == null) {
+		if (resultingValuePolicy == null) {
 			for (PrismObject<OrgType> orgType : orgs) {
-				valuePolicy = determineValuePolicy(orgType, task, result);
-				if (valuePolicy != null){
-					return valuePolicy;
+				resultingValuePolicy = determineValuePolicy(orgType, task, result);
+				if (resultingValuePolicy != null) {
+					return resultingValuePolicy;
 				}
 			}
 		}
-		return valuePolicy;
+		return resultingValuePolicy;
 	}
 
 	private ValuePolicyType resolvePolicy(PrismObject<OrgType> org, Task task, OperationResult result)

model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestPassword.java

@@ -28,6 +28,8 @@
 import javax.xml.bind.JAXBException;
 import javax.xml.datatype.XMLGregorianCalendar;
 
+import com.evolveum.midpoint.prism.delta.builder.DeltaBuilder;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
 import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
 
 import org.springframework.test.annotation.DirtiesContext;
@@ -53,17 +55,6 @@
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.test.IntegrationTestTools;
 import com.evolveum.midpoint.test.util.TestUtil;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentPolicyEnforcementType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.MetadataType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.SystemObjectsType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType;
 
 /**
  * @author semancik
@@ -694,7 +685,70 @@ public void test222ModifyUserJackPasswordBadContainer() throws Exception {
 	}
 
 	// TODO: add user with password that violates the policy
-
+
+	/**
+	 * Create an org, and create two parentOrgRefs for jack (MID-3099).
+	 * Change to password that violates the password policy.
+	 */
+	@Test
+	public void test300TwoParentOrgRefs() throws Exception {
+		final String TEST_NAME = "test300TwoParentOrgRefs";
+		TestUtil.displayTestTile(this, TEST_NAME);
+
+		// GIVEN
+		Task task = taskManager.createTaskInstance(TestPassword.class.getName() + "." + TEST_NAME);
+		OperationResult result = task.getResult();
+		assumeAssignmentPolicy(AssignmentPolicyEnforcementType.FULL);
+
+		assignOrg(USER_JACK_OID, ORG_GOVERNOR_OFFICE_OID, null);
+		assignOrg(USER_JACK_OID, ORG_GOVERNOR_OFFICE_OID, SchemaConstants.ORG_MANAGER);
+
+		UserType jack = getUser(USER_JACK_OID).asObjectable();
+		display("jack", jack);
+		assertEquals("Wrong # of parentOrgRefs", 2, jack.getParentOrgRef().size());
+
+		ObjectDelta<OrgType> orgDelta = (ObjectDelta<OrgType>) DeltaBuilder.deltaFor(OrgType.class, prismContext)
+				.item(OrgType.F_PASSWORD_POLICY_REF).replace(new PrismReferenceValue(PASSWORD_POLICY_GLOBAL_OID))
+				.asObjectDelta(ORG_GOVERNOR_OFFICE_OID);
+		executeChanges(orgDelta, null, task, result);
+
+		OrgType govOffice = getObject(OrgType.class, ORG_GOVERNOR_OFFICE_OID).asObjectable();
+		display("governor's office", govOffice);
+		assertEquals("Wrong OID of password policy ref", PASSWORD_POLICY_GLOBAL_OID, govOffice.getPasswordPolicyRef().getOid());
+
+		try {
+			// WHEN
+			modifyUserChangePassword(USER_JACK_OID, USER_PASSWORD_1_CLEAR, task, result);
+
+			AssertJUnit.fail("Unexpected success");
+		} catch (PolicyViolationException e) {
+			// This is expected
+			display("Exected exception", e);
+		}
+
+		// THEN
+		result.computeStatus();
+		TestUtil.assertFailure(result);
+
+		PrismObject<UserType> userJack = getUser(USER_JACK_OID);
+		display("User after change execution", userJack);
+		assertUserJack(userJack);
+		assertLinks(userJack, 3);
+		accountYellowOid = getLinkRefOid(userJack, RESOURCE_DUMMY_YELLOW_OID);
+
+		// Make sure that the password is unchanged
+
+		assertEncryptedUserPassword(userJack, USER_PASSWORD_VALID);
+		assertPasswordMetadata(userJack, false, lastPasswordChangeStart, lastPasswordChangeEnd);
+
+		assertDummyPassword(ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_VALID);
+
+		assertDummyAccount(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
+		assertDummyPassword(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_VALID);
+
+		assertDummyAccount(RESOURCE_DUMMY_RED_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
+		assertDummyPassword(RESOURCE_DUMMY_RED_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_VALID);
+	}
 
 	private void assertDummyPassword(String userId, String expectedClearPassword) throws SchemaViolationException {
 		assertDummyPassword(null, userId, expectedClearPassword);