Merge remote-tracking branch 'refs/remotes/origin/master'
skublik committed Aug 24, 2023
2 parents 6a373bc + 96b6795 commit d541012
Showing 220 changed files with 1,822 additions and 1,645 deletions.
Expand Up @@ -162,7 +162,7 @@ public abstract class PageAdminLTE extends WebPage implements ModelServiceLocato
// size.

@SpringBean(name = "modelController")
private ScriptingService scriptingService;
private BulkActionsService bulkActionsService;

@SpringBean(name = "modelController")
private ModelService modelService;
Expand Down Expand Up @@ -491,8 +491,8 @@ public ObjectResolver getModelObjectResolver() {
return modelObjectResolver;
}

public ScriptingService getScriptingService() {
return scriptingService;
public BulkActionsService getBulkActionsService() {
return bulkActionsService;
}

public TaskService getTaskService() {
Expand Up @@ -33,7 +33,6 @@
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
import com.evolveum.midpoint.schema.util.task.ActivityDefinitionBuilder;
import com.evolveum.midpoint.security.enforcer.api.AuthorizationParameters;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.exception.CommonException;
import com.evolveum.midpoint.util.exception.SchemaException;
Expand Down Expand Up @@ -129,14 +128,14 @@ public String getOperationKey() {
* of a given abstract role.
*/
void createAndSubmitTask(Task task, OperationResult result) throws CommonException {
checkScriptingAuthorization(task, result);
checkBulkActionsAuthorization(task, result);
submitTask(
createUnassignMembersActivity(), task, result);
}

/** Creates the member unassignment task. */
@NotNull PrismObject<TaskType> createTask(Task task, OperationResult result) throws CommonException {
checkScriptingAuthorization(task, result);
checkBulkActionsAuthorization(task, result);
return createTask(
createUnassignMembersActivity(), task, result);
}
Expand Down Expand Up @@ -197,7 +196,7 @@ public String getOperationKey() {

/** Returns task OID */
public String createAndSubmitTask(Task task, OperationResult result) throws CommonException {
checkScriptingAuthorization(task, result);
checkBulkActionsAuthorization(task, result);
return submitTask(
createActivity(), task, result);
}
Expand Down Expand Up @@ -234,7 +233,7 @@ public String getOperationKey() {
}

void createAndSubmitTask(Task task, OperationResult result) throws CommonException {
checkScriptingAuthorization(task, result);
checkBulkActionsAuthorization(task, result);
submitTask(
createActivity(), task, result);
}
Expand Down Expand Up @@ -332,9 +331,9 @@ private ActivitySubmissionOptions createSubmissionOptions() {
getOperationName())));
}

void checkScriptingAuthorization(Task task, OperationResult result) throws CommonException {
void checkBulkActionsAuthorization(Task task, OperationResult result) throws CommonException {
pageBase.getSecurityEnforcer().authorize(
ModelAuthorizationAction.EXECUTE_SCRIPT.getUrl(), task, result);
ModelAuthorizationAction.EXECUTE_BULK_ACTIONS.getUrl(), task, result);
}

void checkRecomputationAuthorization(@NotNull Task task, @NotNull OperationResult result) throws CommonException {
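Review bot: checkBulkActionsAuthorization now enforces `ModelAuthorizationAction.EXECUTE_BULK_ACTIONS` where EXECUTE_SCRIPT was enforced before, and every member operation in this file (the callers in the earlier hunks) goes through it; if the two actions resolve to different authorization URLs, roles that grant only the old URL silently lose access to these operations, which deserves a migration note unless the enum aliases the old URL (not visible here). Please also add a Javadoc stating which action is enforced, e.g. `/** Authorizes the current task for {@link ModelAuthorizationAction#EXECUTE_BULK_ACTIONS} (previously EXECUTE_SCRIPT); all member bulk operations in this class rely on this check. */`. The enclosing class continues outside the hunk.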
Expand Up @@ -18,8 +18,8 @@
import org.apache.commons.lang3.Validate;
import org.springframework.security.core.context.SecurityContext;

import com.evolveum.midpoint.model.api.ScriptExecutionResult;
import com.evolveum.midpoint.model.api.ScriptingService;
import com.evolveum.midpoint.model.api.BulkActionExecutionResult;
import com.evolveum.midpoint.model.api.BulkActionsService;
import com.evolveum.midpoint.prism.Item;
import com.evolveum.midpoint.prism.PrismProperty;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
Expand Down Expand Up @@ -49,9 +49,9 @@ public class PostInitialDataImport extends DataImport {
private static final String SUFFIX_FOR_IMPORTED_FILE = "done";
private static final String XML_SUFFIX = "xml";

private ScriptingService scripting;
private BulkActionsService scripting;

public void setScripting(ScriptingService scripting) {
public void setScripting(BulkActionsService scripting) {
Validate.notNull(scripting, "Scripting service must not be null.");
this.scripting = scripting;
}
Expand Down Expand Up @@ -154,8 +154,8 @@ private boolean executeScript(PrismProperty<Object> expression, File file, Task
ScriptingBeansUtil.asExecuteScriptCommand(
expression.getAnyValue().getValue());

ScriptExecutionResult executionResult =
scripting.evaluateExpression(
BulkActionExecutionResult executionResult =
scripting.executeBulkAction(
ExecuteScriptConfigItem.of(
parsed,
// TODO or should we create some "fully trusted origin"?
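Review bot: The field is still named `scripting`, the setter `setScripting`, and the validation message says "Scripting service", while the type is now BulkActionsService; renaming them (`bulkActionsService`, `setBulkActionsService`) keeps the naming consistent with the rest of this commit, although callers of the setter would have to follow. The `// TODO or should we create some "fully trusted origin"?` remark on the origin passed to ExecuteScriptConfigItem.of appears to decide how the post-initial script is treated by the expression-profile machinery, so it is worth resolving or documenting the chosen origin rather than leaving it as a TODO. executeScript continues beyond this hunk.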
Expand Up @@ -22,7 +22,7 @@
import org.apache.wicket.model.PropertyModel;

import com.evolveum.midpoint.util.exception.ScriptExecutionException;
import com.evolveum.midpoint.model.api.ScriptExecutionResult;
import com.evolveum.midpoint.model.api.BulkActionExecutionResult;
import com.evolveum.midpoint.schema.expression.VariablesMap;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.schema.result.OperationResultStatus;
Expand Down Expand Up @@ -148,8 +148,8 @@ private void startPerformed(AjaxRequestTarget target) {
} else {
try {
//noinspection ConstantConditions
ScriptExecutionResult executionResult =
getScriptingService().evaluateExpression(
BulkActionExecutionResult executionResult =
getBulkActionsService().executeBulkAction(
ExecuteScriptConfigItem.of(typed, ConfigurationItemOrigin.user()),
VariablesMap.emptyMap(),
false,
Expand Up @@ -11777,16 +11777,28 @@
Free-form description (comment).
</xsd:documentation>
<xsd:appinfo>
<a:displayName>ExpressionProfileType.name</a:displayName>
<a:displayName>ExpressionProfileType.description</a:displayName>
</xsd:appinfo>
</xsd:annotation>
</xsd:element>
<xsd:element ref="tns:documentation" minOccurs="0"/>
<!-- TODO because of the symmetry reasons, we could put the decision + evaluator items into a separate type -->
<!--
TODO because of the symmetry reasons, we may consider putting the decision + evaluator items
into a separate type; this would also help with the clear interpretation of what "default decision" means,
see the comment below.
-->
<xsd:element name="decision" type="tns:AuthorizationDecisionType">
<xsd:annotation>
<xsd:documentation>
Default decision for the profile. I.e. decision of those evaluators that are not explicitly enumerated.
Default decision for evaluators in this profile: this is the decision of those evaluators that
are not explicitly enumerated within it.

Currently, this property does NOT apply for other parts of the profile.

In particular, bulkActionsProfile and functionLibrariesProfile have their own defaults: If not
specified, the "allow all" values are applied for them.

Also, the "privilegeElevation" has a separate default of "allow".
</xsd:documentation>
<xsd:appinfo>
<a:displayName>ExpressionProfileType.decision</a:displayName>
Expand Up @@ -452,6 +452,14 @@
</xsd:documentation>
</xsd:annotation>
</xsd:element>
<xsd:element name="thresholds" type="tns:CorrelationModuleThresholds" minOccurs="0">
<xsd:annotation>
<xsd:documentation>
Thresholds for correlation module. For example, restriction for the number of users which can be found by
correlation.
</xsd:documentation>
</xsd:annotation>
</xsd:element>
</xsd:sequence>
</xsd:extension>
</xsd:complexContent>
Expand All @@ -477,7 +485,6 @@
</xsd:annotation>
</xsd:element>
<xsd:element name="order" type="xsd:int"/>
<!-- TODO thresholds-->
</xsd:sequence>
<xsd:attribute name="id" type="xsd:long"/>
</xsd:complexType>
Expand Down Expand Up @@ -3376,4 +3383,25 @@
</xsd:element>
</xsd:sequence>
</xsd:complexType>

<xsd:complexType name="CorrelationModuleThresholds">
<xsd:annotation>
<xsd:documentation>
Defines some restrictions for the correlation authentication module.
</xsd:documentation>
<xsd:appinfo>
<a:container/>
<a:since>4.8</a:since>
</xsd:appinfo>
</xsd:annotation>
<xsd:sequence>
<xsd:element name="correlationResultMaxUsersNumber" type="xsd:int" minOccurs="0" >
<xsd:annotation>
<xsd:documentation>
Defines the maximum number of users which can be found by the correlation module.
</xsd:documentation>
</xsd:annotation>
</xsd:element>
</xsd:sequence>
</xsd:complexType>
</xsd:schema>
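Review bot: The documentation of correlationResultMaxUsersNumber does not say what happens when the limit is exceeded or which values are meaningful, and `xsd:int` admits zero and negative numbers; the consuming code in this commit fails the authentication when the number of candidate owners exceeds the value and enforces nothing when the element is absent. Suggested text: `Maximum number of users that the correlation module may find; if more candidates are found, the authentication attempt fails. Positive values only. When not set, no limit is enforced.` A tighter type such as xsd:positiveInteger would make the range explicit, provided the generated bean code tolerates the change.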
Expand Up @@ -47,7 +47,7 @@
</credentials>
</s:value>
<s:result>
<operation xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">com.evolveum.midpoint.model.impl.scripting.ScriptingExpressionEvaluator.process</operation>
<operation xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">com.evolveum.midpoint.model.impl.scripting.BulkActionsExecutor.process</operation>
<status xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">success</status>
<token xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">1000000000000000752</token>
</s:result>
Expand Up @@ -8,6 +8,8 @@

import com.evolveum.midpoint.schema.constants.SchemaConstants;

import com.evolveum.midpoint.xml.ns._public.common.common_3.CorrelationModuleThresholds;

import jakarta.servlet.ServletRequest;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.stereotype.Component;
Expand Down Expand Up @@ -55,9 +57,18 @@ protected CorrelationModuleAuthentication createEmptyModuleAuthentication(Correl
moduleAuthentication.setPrefix(configuration.getPrefixOfModule());
moduleAuthentication.setNameOfModule(configuration.getModuleIdentifier());
moduleAuthentication.setCorrelators(moduleType.getCorrelator());
moduleAuthentication.setCorrelationMaxUsersNumber(getCorrelationMaxUserNumber(moduleType.getThresholds()));
return moduleAuthentication;
}

private Integer getCorrelationMaxUserNumber(CorrelationModuleThresholds thresholds) {
if (thresholds == null) {
return null;
}
return thresholds.getCorrelationResultMaxUsersNumber();
}


@Override
protected void isSupportedChannel(AuthenticationChannel authenticationChannel) {
if (authenticationChannel == null) {
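Review bot: getCorrelationMaxUserNumber is singular where the property it reads and the setter it feeds are `getCorrelationResultMaxUsersNumber` / `setCorrelationMaxUsersNumber`; naming it `getCorrelationMaxUsersNumber` avoids two spellings of the same concept. The helper collapses to `return thresholds == null ? null : thresholds.getCorrelationResultMaxUsersNumber();`, and the two blank lines before `@Override` can be one. createEmptyModuleAuthentication starts outside the hunk.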
Expand Up @@ -31,6 +31,8 @@ public class CorrelationModuleAuthenticationImpl extends ModuleAuthenticationImp
private FocusType preFocus;
private Map<ItemPath, String> processedAttributes = new HashMap<>();

private Integer correlationMaxUsersNumber;

public CorrelationModuleAuthenticationImpl(AuthenticationSequenceModuleType sequenceModule) {
super(AuthenticationModuleNameConstants.CORRELATION, sequenceModule);
setType(ModuleType.LOCAL);
Expand All @@ -41,6 +43,7 @@ public ModuleAuthenticationImpl clone() {
CorrelationModuleAuthenticationImpl module = new CorrelationModuleAuthenticationImpl(this.getSequenceModule());
module.setAuthentication(this.getAuthentication());
module.setCorrelators(this.correlators);
module.setCorrelationMaxUsersNumber(this.correlationMaxUsersNumber);
super.clone(module);
return module;
}
Expand Down Expand Up @@ -105,4 +108,16 @@ public FocusType getPreFocus() {
return preFocus;
}

public boolean isCorrelationMaxUsersNumberSet() {
return correlationMaxUsersNumber != null;
}

public Integer getCorrelationMaxUsersNumber() {
return correlationMaxUsersNumber;
}

public void setCorrelationMaxUsersNumber(Integer correlationMaxUsersNumber) {
this.correlationMaxUsersNumber = correlationMaxUsersNumber;
}

}
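Review bot: isCorrelationMaxUsersNumberSet has no caller visible in this commit — the provider compares `getCorrelationMaxUsersNumber() == null` directly — so either use the predicate there or drop it to avoid dead API. The field and setter should state what null means, since the provider treats absence as "no limit": `/** Maximum number of candidate owners this module accepts; {@code null} means no limit is enforced. */`. The class header is outside the hunk.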
Expand Up @@ -26,6 +26,7 @@
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.*;

import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
Expand Down Expand Up @@ -78,16 +79,15 @@ public Authentication doAuthenticate(
correlationModuleAuthentication.addOwner(owner);
return createAuthenticationToken(owner, focusType);
} else if (correlationModuleAuthentication.isLastCorrelator()) {
CandidateOwnersMap ownersMap = correlationResult.getCandidateOwnersMap();
if (ownersMap != null && !ownersMap.isEmpty()) {
correlationResult.getCandidateOwnersMap().values()
.forEach(c -> correlationModuleAuthentication.addOwner(c.getObject()));
return createAuthenticationToken(correlationModuleAuthentication.getOwners().get(0), focusType); //todo FIXME
} else {
correlationModuleAuthentication
.setPreFocus(correlationVerificationToken.getPreFocus(focusType,
correlationModuleAuthentication.getProcessedAttributes()));
if (candidateOwnerExist(correlationResult)) {
writeCandidatesToOwners(correlationResult.getCandidateOwnersMap(), correlationModuleAuthentication);
}

isOwnersNumberUnderRestriction(correlationModuleAuthentication);

correlationModuleAuthentication.setPreFocus(correlationVerificationToken.getPreFocus(focusType,
correlationModuleAuthentication.getProcessedAttributes()));
return createAuthenticationToken(correlationModuleAuthentication.getOwners().get(0), focusType); //todo FIXME
}

CandidateOwnersMap ownersMap = correlationResult.getCandidateOwnersMap();
Expand All @@ -109,6 +109,26 @@ private String determineArchetypeOid() {
return null;
}

private boolean candidateOwnerExist(CompleteCorrelationResult correlationResult) {
return correlationResult.getCandidateOwnersMap() != null && !correlationResult.getCandidateOwnersMap().isEmpty();
}

private void writeCandidatesToOwners(@NotNull CandidateOwnersMap candidateOwnersMap,
CorrelationModuleAuthenticationImpl correlationModuleAuthentication) {
candidateOwnersMap.values()
.forEach(c -> correlationModuleAuthentication.addOwner(c.getObject()));
}

private void isOwnersNumberUnderRestriction(CorrelationModuleAuthenticationImpl correlationModuleAuthentication) {
if (correlationModuleAuthentication.getCorrelationMaxUsersNumber() == null) {
return;
}
if (correlationModuleAuthentication.getOwners().size() > correlationModuleAuthentication.getCorrelationMaxUsersNumber()) {
LOGGER.error("Correlation result owners number exceeds the threshold.");
throw new AuthenticationServiceException("web.security.provider.unavailable");
}
}

private Authentication createAuthenticationToken(ObjectType owner, Class<? extends FocusType> focusType) {
try {
MidPointPrincipal principal = focusProfileService.getPrincipalByOid(owner.getOid(), focusType);
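Review bot: After the restructuring at the end of the isLastCorrelator branch, `createAuthenticationToken(correlationModuleAuthentication.getOwners().get(0), focusType)` is reached even when candidateOwnerExist() is false, so an empty owners list throws IndexOutOfBoundsException instead of an authentication failure — the previous code only called `get(0)` inside the non-empty branch and otherwise fell through. Unless earlier correlators guarantee at least one owner (not visible here), guard before the call: `if (correlationModuleAuthentication.getOwners().isEmpty()) { throw new AuthenticationServiceException("web.security.provider.unavailable"); }`, or restore the fall-through. isOwnersNumberUnderRestriction is named like a predicate but returns void and throws; a name such as `checkOwnersNumberUnderRestriction` reads as it behaves. The error log could carry the observed count and the configured limit, which is what an operator investigating a refused login needs and discloses nothing sensitive. doAuthenticate starts before this hunk and continues after it.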