Two provisioning fixed (GuardedString handling). Password test update.

model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/AbstractPasswordTest.java

@@ -303,7 +303,7 @@ public void test100ModifyUserJackAssignAccount() throws Exception {
         // Check account in dummy resource
         assertDefaultDummyAccount(ACCOUNT_JACK_DUMMY_USERNAME, "Jack Sparrow", true);
 
-        assertDummyPassword(ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_1_CLEAR);
+        assertDummyPasswordConditional(ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_1_CLEAR);
 	}
 
 	/**
@@ -449,10 +449,10 @@ public void test120ModifyUserJackAssignAccountDummyRedAndUgly() throws Exception
 
         // Check account in dummy resource
         assertDummyAccount(RESOURCE_DUMMY_RED_NAME, ACCOUNT_JACK_DUMMY_USERNAME, "Jack Sparrow", true);
-        assertDummyPassword(RESOURCE_DUMMY_RED_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_4_CLEAR);
+        assertDummyPasswordConditional(RESOURCE_DUMMY_RED_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_4_CLEAR);
 
 		assertDummyAccount(RESOURCE_DUMMY_UGLY_NAME, ACCOUNT_JACK_DUMMY_USERNAME, null, true);
-		assertDummyPassword(RESOURCE_DUMMY_UGLY_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_JACK_EMPLOYEE_NUMBER);
+		assertDummyPasswordConditional(RESOURCE_DUMMY_UGLY_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_JACK_EMPLOYEE_NUMBER);
 
 		// User and default dummy account should have unchanged passwords
         assertUserPassword(userJack, USER_PASSWORD_4_CLEAR);
@@ -621,7 +621,7 @@ public void test130ModifyUserJackAssignAccountDummyYellow() throws Exception {
 
         // Check account in dummy resource (yellow)
         assertDummyAccount(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
-        assertDummyPassword(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_1_CLEAR);
+        assertDummyPasswordConditional(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_1_CLEAR);
 
         // Check account in dummy resource (red)
         assertDummyAccount(RESOURCE_DUMMY_RED_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
@@ -671,7 +671,7 @@ public void test132ModifyUserJackPasswordA() throws Exception {
 
         // Check account in dummy resource (yellow): password is too short for this, original password should remain there
         assertDummyAccount(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
-        assertDummyPassword(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_1_CLEAR);
+        assertDummyPasswordConditional(RESOURCE_DUMMY_YELLOW_NAME, ACCOUNT_JACK_DUMMY_USERNAME, USER_PASSWORD_1_CLEAR);
 
         // Check account in dummy resource (red)
         assertDummyAccount(RESOURCE_DUMMY_RED_NAME, ACCOUNT_JACK_DUMMY_USERNAME, ACCOUNT_JACK_DUMMY_FULLNAME, true);
@@ -1194,4 +1194,16 @@ private void assertDummyPassword(String userId, String expectedClearPassword) th
 		assertDummyPassword(null, userId, expectedClearPassword);
 	}
 
+	protected void assertDummyPasswordConditional(String userId, String expectedClearPassword) throws SchemaViolationException, ConflictException {
+		if (getPasswordStorageType() == CredentialsStorageTypeType.ENCRYPTION) {
+			assertDummyPassword(null, userId, expectedClearPassword);
+		}
+	}
+
+	protected void assertDummyPasswordConditional(String instance, String userId, String expectedClearPassword) throws SchemaViolationException, ConflictException {
+		if (getPasswordStorageType() == CredentialsStorageTypeType.ENCRYPTION) {
+			super.assertDummyPassword(instance, userId, expectedClearPassword);
+		}
+	}
+
 }

provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/ucf/impl/ConnectorInstanceIcfImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2016 Evolveum
+ * Copyright (c) 2010-2017 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -1403,8 +1403,10 @@ public Collection<ResourceAttribute<?>> addObject(PrismObject<? extends ShadowTy
 				PasswordType password = shadowType.getCredentials().getPassword();
 				ProtectedStringType protectedString = password.getValue();
 				GuardedString guardedPassword = IcfUtil.toGuardedString(protectedString, "new password", protector);
-				attributes.add(AttributeBuilder.build(OperationalAttributes.PASSWORD_NAME,
+				if (guardedPassword != null) {
+					attributes.add(AttributeBuilder.build(OperationalAttributes.PASSWORD_NAME,
 						guardedPassword));
+				}
 			}
 
 			if (ActivationUtil.hasAdministrativeActivation(shadowType)){
@@ -1426,12 +1428,13 @@ public Collection<ResourceAttribute<?>> addObject(PrismObject<? extends ShadowTy
 			if (LOGGER.isTraceEnabled()) {
 				LOGGER.trace("ICF attributes after conversion:\n{}", IcfUtil.dump(attributes));
 			}
-		} catch (SchemaException ex) {
+		} catch (SchemaException | RuntimeException ex) {
 			result.recordFatalError(
 					"Error while converting resource object attributes. Reason: " + ex.getMessage(), ex);
 			throw new SchemaException("Error while converting resource object attributes. Reason: "
 					+ ex.getMessage(), ex);
 		}
+
 		if (attributes == null) {
 			result.recordFatalError("Couldn't set attributes for icf.");
 			throw new IllegalStateException("Couldn't set attributes for icf.");

provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/ucf/impl/IcfUtil.java

@@ -575,10 +575,10 @@ public static Collection<ResourceAttribute<?>> convertToIdentifiers(Uid uid,
 	}
 
 	public static GuardedString toGuardedString(ProtectedStringType ps, String propertyName, Protector protector) {
-		if (ps == null) {
+		if (ps == null || ps.isHashed()) {
 			return null;
 		}
-		if (!protector.isEncrypted(ps)) {
+		if (!ps.isEncrypted()) {
 			if (ps.getClearValue() == null) {
 				return null;
 			}