From d1d305d099dfb5d7bae113fc34adbf12864eb8f1 Mon Sep 17 00:00:00 2001 From: Radovan Semancik Date: Mon, 12 Nov 2018 14:17:56 +0100 Subject: [PATCH] Attempt to reproduce MID-4931 --- .../midpoint/schema/util/ObjectQueryUtil.java | 6 +++ .../intest/security/TestSecurityAdvanced.java | 37 ++++++++++++++++++- .../resources/security/role-read-org-exec.xml | 31 ++++++++++++++++ .../test/AbstractIntegrationTest.java | 6 +++ 4 files changed, 79 insertions(+), 1 deletion(-) create mode 100644 model/model-intest/src/test/resources/security/role-read-org-exec.xml diff --git a/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ObjectQueryUtil.java b/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ObjectQueryUtil.java index c04b69ee70b..6f6b7f50dd1 100644 --- a/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ObjectQueryUtil.java +++ b/infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ObjectQueryUtil.java @@ -177,6 +177,12 @@ public static ObjectQuery createNameQuery(Class clazz, .build(); } + public static ObjectQuery createOrgSubtreeQuery(PrismContext prismContext, String orgOid) throws SchemaException { + return QueryBuilder.queryFor(ObjectType.class, prismContext) + .isChildOf(orgOid) + .build(); + } + public static ObjectQuery createRootOrgQuery(PrismContext prismContext) throws SchemaException { return QueryBuilder.queryFor(ObjectType.class, prismContext).isRoot().build(); } diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityAdvanced.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityAdvanced.java index a60d6584cd0..18d51a57a6f 100644 --- a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityAdvanced.java +++ b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityAdvanced.java 
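Review bot: `createOrgSubtreeQuery` passes `orgOid` straight into `isChildOf` with no null check and no Javadoc, and a helper in the schema module will be reused well beyond this test. Add `Objects.requireNonNull(orgOid, "orgOid");` (needs `java.util.Objects`) before the builder call so a missing OID fails loudly instead of producing an org filter whose meaning depends on how the builder treats null — an org filter that silently widened to every object would be a bad outcome in an authorization-sensitive search. A short doc comment would pin the semantics, e.g. `/** Query for all objects below the org with the given OID; uses isChildOf, presumably the whole subtree rather than direct children only — confirm against OrgFilter. */`. The same helper is added to AbstractIntegrationTest in this patch; one of the two should delegate to the other.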
@@ -151,6 +151,9 @@ public class TestSecurityAdvanced extends AbstractSecurityTest { protected static final File ROLE_ASSIGN_ORG_FILE = new File(TEST_DIR, "role-assign-org.xml"); protected static final String ROLE_ASSIGN_ORG_OID = "be96f834-2dbb-11e8-b29d-7f5de07e7995"; + + protected static final File ROLE_READ_ORG_EXEC_FILE = new File(TEST_DIR, "role-read-org-exec.xml"); + protected static final String ROLE_READ_ORG_EXEC_OID = "1ac39d34-e675-11e8-a1ec-37748272d526"; @Override @@ -176,11 +179,12 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti repoAddObjectFromFile(ROLE_READ_ROLE_MEMBERS_FILE, initResult); repoAddObjectFromFile(ROLE_READ_ROLE_MEMBERS_WRONG_FILE, initResult); repoAddObjectFromFile(ROLE_READ_ROLE_MEMBERS_NONE_FILE, initResult); + repoAddObjectFromFile(ROLE_READ_ORG_EXEC_FILE, initResult); setDefaultObjectTemplate(UserType.COMPLEX_TYPE, USER_TEMPLATE_SECURITY_OID, initResult); } - protected static final int NUMBER_OF_IMPORTED_ROLES = 16; + protected static final int NUMBER_OF_IMPORTED_ROLES = 17; protected int getNumberOfRoles() { return super.getNumberOfRoles() + NUMBER_OF_IMPORTED_ROLES; 
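Review bot: `NUMBER_OF_IMPORTED_ROLES` is a hand-maintained count that must move in lockstep with the `repoAddObjectFromFile(ROLE_*_FILE, ...)` calls a few lines above, and nothing in the hunk documents that coupling. A one-line comment on the constant, `// must equal the number of role files added in initSystem(); getNumberOfRoles() depends on it`, makes the next role addition less likely to leave the count stale. The `initSystem` body starts before this hunk.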
@@ -3167,6 +3171,37 @@ public void test330AutzJackEndUserWithPrivacy() throws Exception { assertGlobalStateUntouched(); } + /** + * Superuser role should allow everything. Adding another role with any (allow) + * authorizations should not limit superuser. Not even if those authorizations + * are completely loony. + * + * MID-4931 + */ + @Test + public void test340AutzJackSuperUserAndExecRead() throws Exception { + final String TEST_NAME = "test340AutzJackSuperUserAndExecRead"; + displayTestTitle(TEST_NAME); + // GIVEN + cleanupAutzTest(USER_JACK_OID); + + assignRole(USER_JACK_OID, ROLE_SUPERUSER_OID); + assignRole(USER_JACK_OID, ROLE_READ_ORG_EXEC_OID); + + assertSearch(UserType.class, createOrgSubtreeQuery(ORG_MINISTRY_OF_OFFENSE_OID), USER_LECHUCK_OID, USER_GUYBRUSH_OID, userCobbOid, USER_ESTEVAN_OID); + + login(USER_JACK_USERNAME); + + // WHEN + displayWhen(TEST_NAME); + + assertSearch(UserType.class, createOrgSubtreeQuery(ORG_MINISTRY_OF_OFFENSE_OID), USER_LECHUCK_OID, USER_GUYBRUSH_OID, userCobbOid, USER_ESTEVAN_OID); + + assertSuperuserAccess(NUMBER_OF_ALL_USERS); + + assertGlobalStateUntouched(); + } + private void modifyJackValidTo() throws ObjectNotFoundException, SchemaException, ExpressionEvaluationException, CommunicationException, ConfigurationException, ObjectAlreadyExistsException, PolicyViolationException, SecurityViolationException { Task task = createTask("modifyJackValidTo"); OperationResult result = task.getResult(); diff --git a/model/model-intest/src/test/resources/security/role-read-org-exec.xml b/model/model-intest/src/test/resources/security/role-read-org-exec.xml new file mode 100644 index 00000000000..74017cb2c88 --- /dev/null +++ b/model/model-intest/src/test/resources/security/role-read-org-exec.xml @@ -0,0 +1,31 @@ + + + + Read org exec + + read-org-exec + http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read + execution + + OrgType + + + 
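Review bot: `test340AutzJackSuperUserAndExecRead` only checks that the extra role does not shrink superuser access; it never checks the other direction, that `ROLE_READ_ORG_EXEC` on its own grants no `UserType` reads in the subtree. Without that negative assertion a fix for MID-4931 that simply stops applying per-role restrictions would pass as well, which is the wrong direction for an authorization bug. A companion test (or a second phase of this one after `unassignRole(USER_JACK_OID, ROLE_SUPERUSER_OID)`) asserting that the subtree search returns no users for jack would pin the intended semantics; the exact helper for an empty-result assertion is not visible here, so use whatever the base class offers. The Javadoc's "completely loony" could also say what is loony about the role, e.g. `execution-phase-only read authorization on OrgType, which should grant nothing to a UserType search`. `modifyJackValidTo` continues past the end of the hunk.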
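Review bot: The rendered hunk for role-read-org-exec.xml shows only element text (the tags are lost), so the `oid` attribute that must equal `ROLE_READ_ORG_EXEC_OID` (`1ac39d34-e675-11e8-a1ec-37748272d526`) in TestSecurityAdvanced cannot be confirmed here; if it is missing or differs, `assignRole` fails at runtime rather than at compile time. The role also carries no description of why its single authorization is deliberately odd (read action, `execution` phase only, object type `OrgType`), which invites someone to later "fix" it by adding the request phase and silently defeat the MID-4931 regression test. Add a `description` element such as `Deliberately restricted role for MID-4931: execution-phase-only read on OrgType. Must not limit a superuser and must not grant anything else; do not "fix" the phase.`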
diff --git a/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java index 3936e220682..a8a4776eeeb 100644 --- a/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java +++ b/repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java @@ -1142,6 +1142,12 @@ protected ObjectQuery createShadowQueryByAttribute(ObjectClassComplexTypeDefinit .and().item(ShadowType.F_RESOURCE_REF).ref(resource.getOid()) .build(); } + + protected ObjectQuery createOrgSubtreeQuery(String orgOid) throws SchemaException { + return queryFor(ObjectType.class) + .isChildOf(orgOid) + .build(); + } protected PrismObjectDefinition getObjectDefinition(Class type) { return prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(type);
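Review bot: `createOrgSubtreeQuery` here is a copy of the `ObjectQueryUtil.createOrgSubtreeQuery(prismContext, orgOid)` added in the same patch, with the prismContext supplied implicitly by `queryFor`; two definitions of the same filter will drift. Since `prismContext` is in scope in this class (the next context line uses it), the test helper can delegate: `return ObjectQueryUtil.createOrgSubtreeQuery(prismContext, orgOid);` — assuming the schema module is already on this module's classpath, which the use of `ShadowType` suggests. A brief Javadoc stating that the query covers the whole subtree below `orgOid` rather than direct children only would help test authors pick the right helper.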