Merge branch 'master' of https://github.com/Evolveum/midpoint

Evolveum · Sep 22, 2017 · e41fcb9 · e41fcb9
2 parents 3d32860 + a22b447
commit e41fcb9
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 4 deletions.
diff --git a/...olveum/midpoint/model/impl/lens/projector/policy/evaluators/StateConstraintEvaluator.java b/...olveum/midpoint/model/impl/lens/projector/policy/evaluators/StateConstraintEvaluator.java
@@ -124,7 +124,7 @@ private <F extends FocusType> EvaluatedPolicyRuleTrigger<?> evaluateForObject(St
 			variables.put("ruleEvaluationContext", ctx);
 			ExecutionContext resultingContext;
 			try {
-				resultingContext = scriptingExpressionEvaluator.evaluateExpression(constraint.getExecuteScript(), variables, ctx.task, result);
+				resultingContext = scriptingExpressionEvaluator.evaluateExpressionPrivileged(constraint.getExecuteScript(), variables, ctx.task, result);
 			} catch (ScriptExecutionException e) {
 				throw new SystemException(e);       // TODO
 			}

diff --git a/...model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/ExecutionContext.java b/...model-impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/ExecutionContext.java
@@ -38,6 +38,7 @@
 public class ExecutionContext {
     private static final Trace LOGGER = TraceManager.getTrace(ExecutionContext.class);
 
+    private boolean privileged;
     private final ScriptingExpressionEvaluationOptionsType options;
     private final Task task;
     private final ScriptingExpressionEvaluator scriptingExpressionEvaluator;
@@ -138,4 +139,12 @@ public ModelService getModelService() {
 	public PrismContext getPrismContext() {
 		return scriptingExpressionEvaluator.getPrismContext();
 	}
+
+    public boolean isPrivileged() {
+        return privileged;
+    }
+
+    public void setPrivileged(boolean privileged) {
+        this.privileged = privileged;
+    }
 }
diff --git a/...rc/main/java/com/evolveum/midpoint/model/impl/scripting/ScriptingExpressionEvaluator.java b/...rc/main/java/com/evolveum/midpoint/model/impl/scripting/ScriptingExpressionEvaluator.java
@@ -160,6 +160,16 @@ public ExecutionContext evaluateExpression(@NotNull ExecuteScriptType executeScr
         return context;
     }
 
+    // VERY TEMPORARY!
+	public ExecutionContext evaluateExpressionPrivileged(@NotNull ExecuteScriptType executeScript, @NotNull Map<String, Object> initialVariables, Task task, OperationResult result) throws ScriptExecutionException {
+		Validate.notNull(executeScript.getScriptingExpression(), "Scripting expression must be present");
+        ExecutionContext context = evaluateExpression(executeScript.getScriptingExpression().getValue(),
+                PipelineData.parseFrom(executeScript.getInput(), initialVariables, prismContext), executeScript.getOptions(), initialVariables, task, result);
+        context.setPrivileged(true);
+        context.computeResults();
+        return context;
+    }
+
     // main entry point from the outside
 	private ExecutionContext evaluateExpression(ScriptingExpressionType expression, PipelineData data,
             ScriptingExpressionEvaluationOptionsType options, Map<String, Object> initialVariables,

diff --git a/.../src/main/java/com/evolveum/midpoint/model/impl/scripting/actions/BaseActionExecutor.java b/.../src/main/java/com/evolveum/midpoint/model/impl/scripting/actions/BaseActionExecutor.java
@@ -133,7 +133,11 @@ protected Throwable processActionException(Throwable e, String actionName, Prism
 		}
 	}
 
-	protected void checkRootAuthorization(OperationResult globalResult, String actionName) throws ScriptExecutionException {
+	protected void checkRootAuthorization(ExecutionContext context,
+			OperationResult globalResult, String actionName) throws ScriptExecutionException {
+		if (context.isPrivileged()) {
+			return;
+		}
 		try {
 			securityEnforcer.authorize(AuthorizationConstants.AUTZ_ALL_URL, null, null, null, null, null, globalResult);
 		} catch (SecurityViolationException |SchemaException e) {

diff --git a/...impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/actions/NotifyExecutor.java b/...impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/actions/NotifyExecutor.java
@@ -76,7 +76,7 @@ public PipelineData execute(ActionExpressionType expression, PipelineData input,
         boolean forWholeInput = expressionHelper.getArgumentAsBoolean(expression.getParameter(), PARAM_FOR_WHOLE_INPUT, input, context, false, PARAM_FOR_WHOLE_INPUT, globalResult);
 
         if (handler != null) {
-			checkRootAuthorization(globalResult, NAME);		// TODO explain that the reason is that handler is not null
+			checkRootAuthorization(context, globalResult, NAME);		// TODO explain that the reason is that handler is not null
 		}
 
         if (status == null) {

diff --git a/...impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/actions/ScriptExecutor.java b/...impl/src/main/java/com/evolveum/midpoint/model/impl/scripting/actions/ScriptExecutor.java
@@ -70,7 +70,7 @@ public void init() {
     @Override
     public PipelineData execute(ActionExpressionType expression, PipelineData input, ExecutionContext context, OperationResult globalResult) throws ScriptExecutionException {
 
-		checkRootAuthorization(globalResult, NAME);
+		checkRootAuthorization(context, globalResult, NAME);
 
 		ScriptExpressionEvaluatorType script = expressionHelper.getSingleArgumentValue(expression.getParameter(), PARAM_SCRIPT, true, true,
 				NAME, input, context, ScriptExpressionEvaluatorType.class, globalResult);