Merge remote-tracking branch 'origin/master'

Evolveum · Dec 5, 2016 · d06d9c1 · d06d9c1
2 parents 2112500 + 5c64b8a
commit d06d9c1
Show file tree

Hide file tree

Showing 9 changed files with 188 additions and 25 deletions.
diff --git a/infra/prism/src/main/java/com/evolveum/midpoint/prism/ItemDefinition.java b/infra/prism/src/main/java/com/evolveum/midpoint/prism/ItemDefinition.java
@@ -63,10 +63,37 @@ public interface ItemDefinition<I extends Item> extends Definition {
 	 */
 	boolean isDynamic();
 
+	/**
+	 * Returns true if this item can be read (displayed).
+	 * In case of containers this means that the container itself can be read, e.g. that the container
+	 * label or block should be displayed. This usually happens if the container contains at least one
+	 * readable item. 
+	 * This does NOT mean that also all the container items can be displayed. The sub-item permissions
+	 * are controlled by similar properties on the items. This property only applies to the container
+	 * itself: the "shell" of the container. 
+	 */
 	boolean canRead();
 
+	/**
+	 * Returns true if this item can be modified (updated).
+	 * In case of containers this means that the container itself should be displayed in modification forms
+	 * E.g. that the container label or block should be displayed. This usually happens if the container
+	 * contains at least one modifiable item. 
+	 * This does NOT mean that also all the container items can be modified. The sub-item permissions
+	 * are controlled by similar properties on the items. This property only applies to the container
+	 * itself: the "shell" of the container.
+	 */
 	boolean canModify();
 
+	/**
+	 * Returns true if this item can be added: it can be part of an object that is created.
+	 * In case of containers this means that the container itself should be displayed in creation forms
+	 * E.g. that the container label or block should be displayed. This usually happens if the container
+	 * contains at least one createable item. 
+	 * This does NOT mean that also all the container items can be created. The sub-item permissions
+	 * are controlled by similar properties on the items. This property only applies to the container
+	 * itself: the "shell" of the container.
+	 */
 	boolean canAdd();
 
 	PrismReferenceValue getValueEnumerationRef();

diff --git a/...del-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/SchemaTransformer.java b/...del-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/SchemaTransformer.java
@@ -338,18 +338,10 @@ private <D extends ItemDefinition> void applySecurityConstraintsItemDef(D itemDe
 		AuthorizationDecisionType readDecision = computeItemDecision(securityConstraints, itemPath, ModelAuthorizationAction.READ.getUrl(), defaultReadDecision, phase);
 		AuthorizationDecisionType addDecision = computeItemDecision(securityConstraints, itemPath, ModelAuthorizationAction.ADD.getUrl(), defaultAddDecision, phase);
 		AuthorizationDecisionType modifyDecision = computeItemDecision(securityConstraints, itemPath, ModelAuthorizationAction.MODIFY.getUrl(), defaultModifyDecision, phase);
-		LOGGER.trace("applySecurityConstraints(itemDef): {}: decisions R={}, A={}, M={}",
-				new Object[]{itemPath, readDecision, addDecision, modifyDecision});
-		if (readDecision != AuthorizationDecisionType.ALLOW) {
-			((ItemDefinitionImpl) itemDefinition).setCanRead(false);
-		}
-		if (addDecision != AuthorizationDecisionType.ALLOW) {
-			((ItemDefinitionImpl) itemDefinition).setCanAdd(false);
-		}
-		if (modifyDecision != AuthorizationDecisionType.ALLOW) {
-			((ItemDefinitionImpl) itemDefinition).setCanModify(false);
-		}
 
+		boolean anySubElementRead = false;
+		boolean anySubElementAdd = false;
+		boolean anySubElementModify = false;
 		if (itemDefinition instanceof PrismContainerDefinition<?>) {
 			PrismContainerDefinition<?> containerDefinition = (PrismContainerDefinition<?>)itemDefinition;
 			List<? extends ItemDefinition> subDefinitions = ((PrismContainerDefinition<?>)containerDefinition).getDefinitions();
@@ -358,8 +350,40 @@ private <D extends ItemDefinition> void applySecurityConstraintsItemDef(D itemDe
 					applySecurityConstraintsItemDef(subDef, new ItemPath(itemPath, subDef.getName()), securityConstraints,
 					    readDecision, addDecision, modifyDecision, phase);
 				}
+				if (subDef.canRead()) {
+					anySubElementRead = true;
+				}
+				if (subDef.canAdd()) {
+					anySubElementAdd = true;
+				}
+				if (subDef.canModify()) {
+					anySubElementModify = true;
+				}
 			}
 		}
+
+		LOGGER.trace("applySecurityConstraints(itemDef): {}: decisions R={}, A={}, M={}; subelements R={}, A={}, M={}",
+				itemPath, readDecision, addDecision, modifyDecision, anySubElementRead, anySubElementAdd, anySubElementModify);
+
+		if (readDecision != AuthorizationDecisionType.ALLOW) {
+			((ItemDefinitionImpl) itemDefinition).setCanRead(false);
+		}
+		if (addDecision != AuthorizationDecisionType.ALLOW) {
+			((ItemDefinitionImpl) itemDefinition).setCanAdd(false);
+		}
+		if (modifyDecision != AuthorizationDecisionType.ALLOW) {
+			((ItemDefinitionImpl) itemDefinition).setCanModify(false);
+		}
+
+		if (anySubElementRead) {
+			((ItemDefinitionImpl) itemDefinition).setCanRead(true);
+		}
+		if (anySubElementAdd) {
+			((ItemDefinitionImpl) itemDefinition).setCanAdd(true);
+		}
+		if (anySubElementModify) {
+			((ItemDefinitionImpl) itemDefinition).setCanModify(true);
+		}
 	}
 
     public AuthorizationDecisionType computeItemDecision(ObjectSecurityConstraints securityConstraints, ItemPath itemPath, String actionUrl,

diff --git a/...odel-impl/src/main/java/com/evolveum/midpoint/model/impl/expr/OrgStructFunctionsImpl.java b/...odel-impl/src/main/java/com/evolveum/midpoint/model/impl/expr/OrgStructFunctionsImpl.java
@@ -107,6 +107,9 @@ public Collection<UserType> getManagersByOrgType(UserType user, String orgType,
     @Override
     public Collection<UserType> getManagers(UserType user, String orgType, boolean allowSelf, boolean preAuthorized) throws SchemaException, ObjectNotFoundException, SecurityViolationException {
         Set<UserType> retval = new HashSet<UserType>();
+        if (user == null) {
+        	return retval;
+        }
         Collection<String> orgOids = getOrgUnits(user, null, preAuthorized);
         while (!orgOids.isEmpty()) {
             LOGGER.trace("orgOids: {}", orgOids);

diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java
@@ -44,6 +44,7 @@
 import com.evolveum.midpoint.prism.query.TypeFilter;
 import com.evolveum.midpoint.prism.util.PrismAsserts;
 import com.evolveum.midpoint.prism.util.PrismTestUtil;
+import com.evolveum.midpoint.prism.xml.XmlTypeConverter;
 import com.evolveum.midpoint.schema.GetOperationOptions;
 import com.evolveum.midpoint.schema.ResultHandler;
 import com.evolveum.midpoint.schema.SelectorOptions;
@@ -74,6 +75,7 @@
 import org.testng.AssertJUnit;
 import org.testng.annotations.Test;
 
+import javax.xml.datatype.XMLGregorianCalendar;
 import javax.xml.namespace.QName;
 
 import java.io.File;
@@ -246,6 +248,8 @@ public class TestSecurity extends AbstractInitializedModelIntegrationTest {
     protected static final File CAMPAIGNS_FILE = new File(TEST_DIR, "campaigns.xml");
 
 	private static final ItemPath PASSWORD_PATH = new ItemPath(UserType.F_CREDENTIALS, CredentialsType.F_PASSWORD, PasswordType.F_VALUE);
+
+	private static final XMLGregorianCalendar JACK_VALID_FROM_LONG_AGO = XmlTypeConverter.createXMLGregorianCalendar(10000L);
 
 	String userRumRogersOid;
 
@@ -1003,15 +1007,17 @@ public void test216AutzJackPropReadSomeModifySomeUser() throws Exception {
 
 		assertAddDeny();
 
-		assertModifyAllow(UserType.class, USER_JACK_OID, UserType.F_FULL_NAME, PrismTestUtil.createPolyString("Captain Jack Sparrow"));
+		assertModifyAllow(UserType.class, USER_JACK_OID, UserType.F_FULL_NAME, createPolyString("Captain Jack Sparrow"));
+		assertModifyAllow(UserType.class, USER_JACK_OID, SchemaConstants.PATH_ACTIVATION_VALID_FROM, 
+				JACK_VALID_FROM_LONG_AGO);
 		assertModifyDeny(UserType.class, USER_GUYBRUSH_OID, UserType.F_DESCRIPTION, "Pirate wannabe");
 
-		assertModifyDeny(UserType.class, USER_JACK_OID, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Captain"));
-		assertModifyDeny(UserType.class, USER_GUYBRUSH_OID, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Pirate"));
-		assertModifyDeny(UserType.class, USER_BARBOSSA_OID, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Mutinier"));
+		assertModifyDeny(UserType.class, USER_JACK_OID, UserType.F_HONORIFIC_PREFIX, createPolyString("Captain"));
+		assertModifyDeny(UserType.class, USER_GUYBRUSH_OID, UserType.F_HONORIFIC_PREFIX, createPolyString("Pirate"));
+		assertModifyDeny(UserType.class, USER_BARBOSSA_OID, UserType.F_HONORIFIC_PREFIX, createPolyString("Mutinier"));
 
 		assertModifyDeny(UserType.class, USER_JACK_OID, UserType.F_COST_CENTER, "V3RYC0STLY");
-		assertModifyDeny(UserType.class, USER_JACK_OID, UserType.F_ORGANIZATION, PrismTestUtil.createPolyString("Brethren of the Coast"));
+		assertModifyDeny(UserType.class, USER_JACK_OID, UserType.F_ORGANIZATION, createPolyString("Brethren of the Coast"));
 
 		assertDeleteDeny();
 
@@ -1046,6 +1052,7 @@ private void assertJackEditSchemaReadSomeModifySome(PrismObject<UserType> userJa
 		assertItemFlags(userJackEditSchema, UserType.F_ASSIGNMENT, true, false, false);
 		assertItemFlags(userJackEditSchema, new ItemPath(UserType.F_ASSIGNMENT, UserType.F_METADATA), true, false, false);
 		assertItemFlags(userJackEditSchema, new ItemPath(UserType.F_ASSIGNMENT, UserType.F_METADATA, MetadataType.F_CREATE_TIMESTAMP), true, false, false);
+		assertItemFlags(userJackEditSchema, UserType.F_ACTIVATION, true, false, true);
 		assertItemFlags(userJackEditSchema, new ItemPath(UserType.F_ACTIVATION, ActivationType.F_ADMINISTRATIVE_STATUS), true, false, false);
 		assertItemFlags(userJackEditSchema, new ItemPath(UserType.F_ACTIVATION, ActivationType.F_EFFECTIVE_STATUS), false, false, false);
     }
@@ -1084,15 +1091,17 @@ public void testAutzJackPropReadSomeModifySome(final String TEST_NAME, String ro
 
         assertAddDeny();
 
-        assertModifyAllow(UserType.class, USER_JACK_OID, UserType.F_FULL_NAME, PrismTestUtil.createPolyString("Captain Jack Sparrow"));
+        assertModifyAllow(UserType.class, USER_JACK_OID, UserType.F_FULL_NAME, createPolyString("Captain Jack Sparrow"));
+        assertModifyAllow(UserType.class, USER_JACK_OID, SchemaConstants.PATH_ACTIVATION_VALID_FROM, 
+				JACK_VALID_FROM_LONG_AGO);
         assertModifyAllow(UserType.class, USER_GUYBRUSH_OID, UserType.F_DESCRIPTION, "Pirate wannabe");
 
-        assertModifyDeny(UserType.class, USER_JACK_OID, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Captain"));
-        assertModifyDeny(UserType.class, USER_GUYBRUSH_OID, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Pirate"));
-        assertModifyDeny(UserType.class, USER_BARBOSSA_OID, UserType.F_HONORIFIC_PREFIX, PrismTestUtil.createPolyString("Mutinier"));
+        assertModifyDeny(UserType.class, USER_JACK_OID, UserType.F_HONORIFIC_PREFIX, createPolyString("Captain"));
+        assertModifyDeny(UserType.class, USER_GUYBRUSH_OID, UserType.F_HONORIFIC_PREFIX, createPolyString("Pirate"));
+        assertModifyDeny(UserType.class, USER_BARBOSSA_OID, UserType.F_HONORIFIC_PREFIX, createPolyString("Mutinier"));
 
         assertModifyDeny(UserType.class, USER_JACK_OID, UserType.F_COST_CENTER, "V3RYC0STLY");
-        assertModifyDeny(UserType.class, USER_JACK_OID, UserType.F_ORGANIZATION, PrismTestUtil.createPolyString("Brethren of the Coast"));
+        assertModifyDeny(UserType.class, USER_JACK_OID, UserType.F_ORGANIZATION, createPolyString("Brethren of the Coast"));
 
         assertDeleteDeny();
 
@@ -3120,6 +3129,7 @@ private void cleanupAutzTest(String userOid) throws ObjectNotFoundException, Sch
         modifyUserReplace(USER_JACK_OID, UserType.F_FULL_NAME, task, result, PrismTestUtil.createPolyString(USER_JACK_FULL_NAME));
         modifyUserReplace(userRumRogersOid, UserType.F_TITLE, task, result);
         modifyUserReplace(USER_GUYBRUSH_OID, UserType.F_HONORIFIC_PREFIX, task, result, PrismTestUtil.createPolyString("Wannabe"));
+        modifyUserReplace(USER_JACK_OID, SchemaConstants.PATH_ACTIVATION_VALID_FROM, task, result);
 
         unassignOrg(USER_JACK_OID, ORG_MINISTRY_OF_RUM_OID, SchemaConstants.ORG_MANAGER, task, result);
         unassignOrg(USER_JACK_OID, ORG_MINISTRY_OF_RUM_OID, null, task, result);

diff --git a/model/model-intest/src/test/resources/logback-test.xml b/model/model-intest/src/test/resources/logback-test.xml
@@ -84,15 +84,15 @@
  	<logger name="com.evolveum.midpoint.model.common.expression.evaluator.AssociationExpressionEvaluator" level="DEBUG" />
 	<logger name="com.evolveum.midpoint.model.impl.controller.ObjectMerger" level="DEBUG" />
     <logger name="com.evolveum.midpoint.notifications" level="DEBUG" />
-    <logger name="com.evolveum.midpoint.security" level="DEBUG" />
-    <logger name="com.evolveum.midpoint.security.impl.SecurityEnforcerImpl" level="DEBUG" />
+    <logger name="com.evolveum.midpoint.security" level="TRACE" />
+    <logger name="com.evolveum.midpoint.security.impl.SecurityEnforcerImpl" level="TRACE" />
     <logger name="com.evolveum.midpoint.model.impl.util.AbstractSearchIterativeTaskHandler" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.sync.SynchronizationServiceImpl" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.sync.ReconciliationTaskHandler" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.sync.FocusValidityScannerTaskHandler" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.controller.ModelController" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.controller.ModelInteractionServiceImpl" level="DEBUG" />
-    <logger name="com.evolveum.midpoint.model.impl.controller.SchemaTransformer" level="DEBUG" />
+    <logger name="com.evolveum.midpoint.model.impl.controller.SchemaTransformer" level="TRACE" />
     <logger name="com.evolveum.icf.dummy" level="INFO" />
     <logger name="com.evolveum.midpoint.model.impl.expr" level="DEBUG" />
     <logger name="com.evolveum.midpoint.model.impl.util.DeleteTaskHandler" level="DEBUG" />

diff --git a/model/model-intest/src/test/resources/security/role-prop-read-some-modify-some-req-exec.xml b/model/model-intest/src/test/resources/security/role-prop-read-some-modify-some-req-exec.xml
@@ -1,5 +1,5 @@
 <!--
-  ~ Copyright (c) 2014 Evolveum
+  ~ Copyright (c) 2014-2016 Evolveum
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -19,6 +19,7 @@
         xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
     <name>Prop Read Some Modify Some Req Exec</name>    
     <authorization>
+    	<name>read-some-req</name>
     	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
     	<phase>request</phase>
     	<item>c:name</item>
@@ -28,28 +29,45 @@
     	<item>c:familyName</item> <!-- Not in exec autz -->
     </authorization>
     <authorization>
+    	<name>read-some-exec</name>
     	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
     	<phase>execution</phase>
     	<item>c:name</item>
     	<item>c:fullName</item>
     	<item>c:additionalName</item> <!-- Not in request autz -->
     	<item>c:activation/c:administrativeStatus</item>
     	<item>c:assignment</item>
+    	<item>activation/validTo</item> <!-- Not in request autz -->
     </authorization>
     <authorization>
+    	<name>modify-some-req</name>
     	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
     	<phase>request</phase>
     	<item>c:fullName</item>
     	<item>c:additionalName</item>
     	<item>c:description</item>
     	<item>c:costCenter</item> <!-- Not in exec autz -->
+    	<item>activation/validFrom</item>
     </authorization>
     <authorization>
+    	<name>modify-some-exec</name>
     	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
     	<phase>execution</phase>
     	<item>c:fullName</item>
     	<item>c:additionalName</item>
     	<item>c:description</item>
     	<item>c:organization</item> <!-- Not in request autz -->
+    	<item>activation/validFrom</item>
+    	<item>activation/validTo</item> <!-- Not in request autz -->
+    	<item>activation/effectiveStatus</item> <!-- Not in request autz -->
+    </authorization>
+    <authorization>
+    	<name>modify-some-operational-exec</name>
+    	<description>Required, these are operational properties that midPoint changes automatically</description>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
+    	<phase>execution</phase>
+    	<item>activation/validityStatus</item>
+    	<item>activation/validityChangeTimestamp</item>
+    	<item>activation/effectiveStatus</item>
     </authorization>
 </role>
diff --git a/model/model-intest/src/test/resources/security/role-prop-read-some-modify-some-user.xml b/model/model-intest/src/test/resources/security/role-prop-read-some-modify-some-user.xml
@@ -51,5 +51,24 @@
     	<item>fullName</item>
     	<item>additionalName</item>
     	<item>description</item>
+    	<item>activation/validFrom</item>
+    </authorization>
+    <authorization>
+    	<name>modify-some-operational-exec</name>
+    	<description>Required, these are operational properties that midPoint changes automatically</description>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
+    	<phase>execution</phase>
+    	<object>
+    		<type>UserType</type>
+    		<filter>
+	            <q:equal>
+	               <q:path>employeeType</q:path>
+	               <q:value>CAPTAIN</q:value>
+	            </q:equal>
+	        </filter>
+    	</object>
+    	<item>activation/validityStatus</item>
+    	<item>activation/validityChangeTimestamp</item>
+    	<item>activation/effectiveStatus</item>
     </authorization>
 </role>
diff --git a/model/model-intest/src/test/resources/security/role-prop-read-some-modify-some.xml b/model/model-intest/src/test/resources/security/role-prop-read-some-modify-some.xml
@@ -19,16 +19,28 @@
         xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
     <name>Prop Read Some Modify Some</name>    
     <authorization>
+    	<name>read-some</name>
     	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
     	<item>c:name</item>
     	<item>fullName</item>
     	<item>activation/administrativeStatus</item>
     	<item>assignment</item>
     </authorization>
     <authorization>
+    	<name>modify-some</name>
     	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
     	<item>fullName</item>
     	<item>additionalName</item>
     	<item>description</item>
+    	<item>activation/validFrom</item>
+    </authorization>
+    <authorization>
+    	<name>modify-some-operational-exec</name>
+    	<description>Required, these are operational properties that midPoint changes automatically</description>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
+    	<phase>execution</phase>
+    	<item>activation/validityStatus</item>
+    	<item>activation/validityChangeTimestamp</item>
+    	<item>activation/effectiveStatus</item>
     </authorization>
 </role>