Accesses metadata: accesses metadata cumulate even on single ref

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/AssignmentProcessor.java

@@ -1038,10 +1038,24 @@ private void addRoleReferences(Collection<PrismReferenceValue> shouldBeRoleRefs,
                 continue;
             }
 
-            roleRef.setValueMetadata(new ValueMetadataType()
-                    .provenance(new ProvenanceMetadataType()
-                            .assignmentPath(
-                                    evaluatedAssignmentTarget.getAssignmentPath().toAssignmentPathType(false))));
+            AssignmentPathType assignmentPath = evaluatedAssignmentTarget.getAssignmentPath().toAssignmentPathType(false);
+            // There can be some value metadata already created by previous assignment evaluation
+            PrismContainer<ValueMetadataType> valueMetadataContainer = roleRef.getValueMetadataAsContainer();
+            if (valueMetadataContainer.hasAnyValue()) {
+                ValueMetadataType valueMetadata = valueMetadataContainer.getAnyValue().asContainerable();
+                ProvenanceMetadataType provenance = valueMetadata.getProvenance();
+                if (provenance == null) {
+                    // unlikely, but let's handle this case as well
+                    valueMetadata.provenance(new ProvenanceMetadataType()
+                            .assignmentPath(assignmentPath));
+                } else {
+                    provenance.assignmentPath(assignmentPath);
+                }
+            } else {
+                roleRef.setValueMetadata(new ValueMetadataType()
+                        .provenance(new ProvenanceMetadataType()
+                                .assignmentPath(assignmentPath)));
+            }
         }
     }
 

model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestAccessesValueMetadata.java

@@ -6,14 +6,20 @@
  */
 package com.evolveum.midpoint.model.intest;
 
+import static com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentHolderType.F_ROLE_MEMBERSHIP_REF;
+import static com.evolveum.midpoint.xml.ns._public.common.common_3.SystemConfigurationType.F_ROLE_MANAGEMENT;
+
 import java.io.File;
 
-import org.assertj.core.api.Assertions;
+import org.assertj.core.api.SoftAssertions;
+import org.jetbrains.annotations.NotNull;
 import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.context.ContextConfiguration;
 import org.testng.annotations.Test;
 
+import com.evolveum.midpoint.prism.PrismContainerValue;
 import com.evolveum.midpoint.prism.ValueSelector;
+import com.evolveum.midpoint.prism.delta.ObjectDelta;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.task.api.Task;
@@ -25,10 +31,15 @@
 @DirtiesContext(classMode = DirtiesContext.ClassMode.AFTER_CLASS)
 public class TestAccessesValueMetadata extends AbstractEmptyModelIntegrationTest {
 
+    // business role 1 inducing app role 1 inducing app service 1
     private String businessRole1Oid;
     private String appRole1Oid;
     private String appService1Oid;
 
+    // alternative business role 1b inducing app role 1b inducing the app service 1 from above
+    private String businessRole1bOid;
+    private String appRole1bOid;
+
     @Override
     public void initSystem(Task initTask, OperationResult initResult)
             throws Exception {
@@ -47,6 +58,19 @@ public void initSystem(Task initTask, OperationResult initResult)
                                 .targetRef(createObjectReference(appRole1Oid,
                                         RoleType.COMPLEX_TYPE, SchemaConstants.ORG_DEFAULT))),
                 initTask, initResult);
+
+        appRole1bOid = addObject(new RoleType()
+                        .name("app-role-1b")
+                        .inducement(new AssignmentType()
+                                .targetRef(createObjectReference(appService1Oid,
+                                        ServiceType.COMPLEX_TYPE, SchemaConstants.ORG_DEFAULT))),
+                initTask, initResult);
+        businessRole1bOid = addObject(new RoleType()
+                        .name("business-role-1b")
+                        .inducement(new AssignmentType()
+                                .targetRef(createObjectReference(appRole1bOid,
+                                        RoleType.COMPLEX_TYPE, SchemaConstants.ORG_DEFAULT))),
+                initTask, initResult);
     }
 
     @Override
@@ -59,59 +83,147 @@ public void test100AddUserWithAssignmentToBusinessRole1() throws Exception {
         Task task = getTestTask();
         OperationResult result = task.getResult();
 
-        given();
+        given("new user with assignment to business role");
+        UserType user = new UserType()
+                .name("user-100")
+                .assignment(new AssignmentType()
+                        .targetRef(createObjectReference(businessRole1Oid,
+                                RoleType.COMPLEX_TYPE, SchemaConstants.ORG_DEFAULT)));
 
-        when();
-        String user1Oid = addObject(new UserType()
-                        .name("user-1")
-                        .assignment(new AssignmentType()
-                                .targetRef(createObjectReference(businessRole1Oid,
-                                        RoleType.COMPLEX_TYPE, SchemaConstants.ORG_DEFAULT))),
-                task, result);
+        when("user is added");
+        String userOid = addObject(user, task, result);
 
-        then();
+        then("roleMembershipRefs contain value metadata with accesses information");
         // @formatter:off
-        assertUser(user1Oid, "after")
+        assertUser(userOid, "after")
             .displayXml() // XML also shows the metadata
-            .valueMetadata(AssignmentHolderType.F_ROLE_MEMBERSHIP_REF, ValueSelector.refEquals(businessRole1Oid))
+            .valueMetadata(F_ROLE_MEMBERSHIP_REF, ValueSelector.refEquals(businessRole1Oid))
                 .singleValue()
                     .provenance()
                         .assertItemsExactly(ProvenanceMetadataType.F_ASSIGNMENT_PATH)
-                            .assertItemValueSatisfies(ProvenanceMetadataType.F_ASSIGNMENT_PATH,
-                                    assertAssignmentPathSegments(businessRole1Oid))
-                        .getReturnAsserter()
-                    .getReturnAsserter()
-                .getReturnAsserter()
-            .valueMetadata(AssignmentHolderType.F_ROLE_MEMBERSHIP_REF, ValueSelector.refEquals(appRole1Oid))
+                        .assertItemValueSatisfies(ProvenanceMetadataType.F_ASSIGNMENT_PATH,
+                            assertAssignmentPathSegments(businessRole1Oid))
+                        .end()
+                    .end()
+                .end()
+            .valueMetadata(F_ROLE_MEMBERSHIP_REF, ValueSelector.refEquals(appRole1Oid))
                 .singleValue()
                     .provenance()
                         .assertItemsExactly(ProvenanceMetadataType.F_ASSIGNMENT_PATH)
-                            .assertItemValueSatisfies(ProvenanceMetadataType.F_ASSIGNMENT_PATH,
-                                    assertAssignmentPathSegments(businessRole1Oid, appRole1Oid))
-                        .getReturnAsserter()
-                    .getReturnAsserter()
-                .getReturnAsserter()
-            .valueMetadata(AssignmentHolderType.F_ROLE_MEMBERSHIP_REF, ValueSelector.refEquals(appService1Oid))
+                        .assertItemValueSatisfies(ProvenanceMetadataType.F_ASSIGNMENT_PATH,
+                            assertAssignmentPathSegments(businessRole1Oid, appRole1Oid))
+                        .end()
+                    .end()
+                .end()
+            .valueMetadata(F_ROLE_MEMBERSHIP_REF, ValueSelector.refEquals(appService1Oid))
                 .singleValue()
                     .provenance()
                         .assertItemsExactly(ProvenanceMetadataType.F_ASSIGNMENT_PATH)
-                            .assertItemValueSatisfies(ProvenanceMetadataType.F_ASSIGNMENT_PATH,
-                                    assertAssignmentPathSegments(businessRole1Oid, appRole1Oid, appService1Oid));
+                        .assertItemValueSatisfies(ProvenanceMetadataType.F_ASSIGNMENT_PATH,
+                            assertAssignmentPathSegments(businessRole1Oid, appRole1Oid, appService1Oid));
         // @formatter:on
     }
 
+    @Test
+    public void test200AddUserWithTwoAssignmentsInducingTheSameRole() throws Exception {
+        Task task = getTestTask();
+        OperationResult result = task.getResult();
+
+        given("new user with assignments to business role 1 and 1b");
+        UserType user = new UserType()
+                .name("user-200")
+                .assignment(new AssignmentType()
+                        .targetRef(createObjectReference(businessRole1Oid,
+                                RoleType.COMPLEX_TYPE, SchemaConstants.ORG_DEFAULT)))
+                .assignment(new AssignmentType()
+                        .targetRef(createObjectReference(businessRole1bOid,
+                                RoleType.COMPLEX_TYPE, SchemaConstants.ORG_DEFAULT)));
+
+        when("user is added");
+        String userOid = addObject(user, task, result);
+
+        then("roleMembershipRefs contain value metadata with accesses information");
+        // @formatter:off
+        assertUser(userOid, "after")
+            .displayXml() // XML also shows the metadata
+            .valueMetadata(F_ROLE_MEMBERSHIP_REF, ValueSelector.refEquals(businessRole1Oid))
+                .singleValue()
+                    .provenance()
+                        .assertItemsExactly(ProvenanceMetadataType.F_ASSIGNMENT_PATH)
+                        .assertItemValueSatisfies(ProvenanceMetadataType.F_ASSIGNMENT_PATH,
+                            assertAssignmentPathSegments(businessRole1Oid))
+                        .end()
+                    .end()
+                .end()
+            .valueMetadata(F_ROLE_MEMBERSHIP_REF, ValueSelector.refEquals(appRole1Oid))
+                .singleValue()
+                    .provenance()
+                        .assertItemsExactly(ProvenanceMetadataType.F_ASSIGNMENT_PATH)
+                        .assertItemValueSatisfies(ProvenanceMetadataType.F_ASSIGNMENT_PATH,
+                            assertAssignmentPathSegments(businessRole1Oid, appRole1Oid))
+                        .end()
+                    .end()
+                .end()
+            .valueMetadata(F_ROLE_MEMBERSHIP_REF, ValueSelector.refEquals(appService1Oid))
+                .singleValue()
+                    .provenance()
+                        .container(ProvenanceMetadataType.F_ASSIGNMENT_PATH, AssignmentPathType.class)
+                            .assertSize(2)
+                            .value(assignmentPathByFirstTargetOidSelector(businessRole1Oid))
+                                .assertValue(assertAssignmentPathSegments(businessRole1Oid, appRole1Oid, appService1Oid))
+                                .end()
+                            .value(assignmentPathByFirstTargetOidSelector(businessRole1bOid))
+                                .assertValue(assertAssignmentPathSegments(businessRole1bOid, appRole1bOid, appService1Oid));
+        // @formatter:on
+    }
+
+    @NotNull
+    private ValueSelector<PrismContainerValue<AssignmentPathType>> assignmentPathByFirstTargetOidSelector(
+            String firstSegmentTargetOid) {
+        return pcv -> pcv.asContainerable().getSegment().get(0)
+                .getTargetRef().getOid().equals(firstSegmentTargetOid);
+    }
+
+    @Test
+    public void test900AccessesMetadataNotStoredWithoutSysconfigOption() throws Exception {
+        Task task = getTestTask();
+        OperationResult result = task.getResult();
+
+        given("sysconfig with accesses metadata option missing");
+        ObjectDelta<SystemConfigurationType> delta = prismContext.deltaFor(SystemConfigurationType.class)
+                .item(F_ROLE_MANAGEMENT, RoleManagementConfigurationType.F_ACCESSES_METADATA_ENABLED).replace()
+                .asObjectDelta(SystemObjectsType.SYSTEM_CONFIGURATION.value());
+        executeChanges(delta, null, task, result);
+
+        when("new user with assignment is added");
+        String userOid = addObject(new UserType()
+                        .name("user-900")
+                        .assignment(new AssignmentType()
+                                .targetRef(createObjectReference(businessRole1Oid,
+                                        RoleType.COMPLEX_TYPE, SchemaConstants.ORG_DEFAULT))),
+                task, result);
+
+        then("roleMembershipRefs have no value metadata for accesses");
+        assertUser(userOid, "after")
+                .displayXml() // XML also shows the metadata
+                .valueMetadata(F_ROLE_MEMBERSHIP_REF, ValueSelector.refEquals(businessRole1Oid))
+                .assertNullOrNoValues().end()
+                .valueMetadata(F_ROLE_MEMBERSHIP_REF, ValueSelector.refEquals(appRole1Oid))
+                .assertNullOrNoValues().end()
+                .valueMetadata(F_ROLE_MEMBERSHIP_REF, ValueSelector.refEquals(appService1Oid))
+                .assertNullOrNoValues();
+    }
+
     private AssertionPredicate<AssignmentPathType> assertAssignmentPathSegments(String... targetOids) {
         // A bit of a hack, we're using AssertionPredicate, but actually leaving failure to the AssertJ here.
         return new SimplifiedGenericAssertionPredicate<>(ap -> {
-            Assertions.assertThat(ap.getSegment())
+            SoftAssertions check = new SoftAssertions();
+            check.assertThat(ap.getSegment())
                     .extracting(s -> s.getTargetRef().getOid())
                     .containsExactly(targetOids);
 
-            return null;
+            return check.wasSuccess() ? null
+                    : "Assignment path segments error " + check.assertionErrorsCollected();
         });
     }
-
-    // TODO test200AddUserWithTwoAssignmentsInducingTheSameRole
-
-    // TODO test900AccessesMetadataNotStoredWithoutSysconfigOption
 }