Merge branch 'master' of https://github.com/Evolveum/midpoint

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/certification/DefinitionBasicPanel.java

@@ -105,14 +105,14 @@ public void setObject(AccessCertificationRemediationStyleType object) {
 				getModel().getObject().setRemediationStyle(object);
 			}
 		}, WebComponentUtil.createReadonlyModelFromEnum(AccessCertificationRemediationStyleType.class),
-				new EnumChoiceRenderer<AccessCertificationRemediationStyleType>(this));
+				new EnumChoiceRenderer<>(this));
 		add(remediation);
 
 		DropDownChoice outcomeStrategy =
 				new DropDownChoice<>(ID_OUTCOME_STRATEGY,
-						new PropertyModel<AccessCertificationCaseOutcomeStrategyType>(getModel(), CertDefinitionDto.F_OUTCOME_STRATEGY),
+						new PropertyModel<>(getModel(), CertDefinitionDto.F_OUTCOME_STRATEGY),
 						WebComponentUtil.createReadonlyModelFromEnum(AccessCertificationCaseOutcomeStrategyType.class),
-						new EnumChoiceRenderer<AccessCertificationCaseOutcomeStrategyType>(this));
+						new EnumChoiceRenderer<>(this));
 		add(outcomeStrategy);
 
 		add(WebComponentUtil.createHelp(ID_OUTCOME_STRATEGY_HELP));

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/certification/DefinitionStagePanel.java

@@ -134,17 +134,17 @@ protected void initLayout(PageBase pageBase) {
 
         DropDownChoice outcomeStrategy1 =
                 new DropDownChoice<>(ID_OUTCOME_STRATEGY,
-                        new PropertyModel<AccessCertificationCaseOutcomeStrategyType>(getModel(), StageDefinitionDto.F_OUTCOME_STRATEGY),
+						new PropertyModel<>(getModel(), StageDefinitionDto.F_OUTCOME_STRATEGY),
                         WebComponentUtil.createReadonlyModelFromEnum(AccessCertificationCaseOutcomeStrategyType.class),
-                new EnumChoiceRenderer<AccessCertificationCaseOutcomeStrategyType>(this));
+						new EnumChoiceRenderer<>(this));
         add(outcomeStrategy1);
 		add(WebComponentUtil.createHelp(ID_OUTCOME_STRATEGY_HELP));
 
         DropDownChoice<AccessCertificationResponseType> outcomeIfNoReviewers =
                 new DropDownChoice<>(ID_OUTCOME_IF_NO_REVIEWERS,
-                        new PropertyModel<AccessCertificationResponseType>(getModel(), StageDefinitionDto.F_OUTCOME_IF_NO_REVIEWERS),
+						new PropertyModel<>(getModel(), StageDefinitionDto.F_OUTCOME_IF_NO_REVIEWERS),
                         WebComponentUtil.createReadonlyModelFromEnum(AccessCertificationResponseType.class),
-                new EnumChoiceRenderer<AccessCertificationResponseType>(this));
+						new EnumChoiceRenderer<>(this));
         add(outcomeIfNoReviewers);
 		add(WebComponentUtil.createHelp(ID_OUTCOME_IF_NO_REVIEWERS_HELP));
 

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/certification/DefinitionStagesPanel.java

@@ -211,7 +211,7 @@ public WebMarkupContainer getPanel(String panelId) {
 
 	private StageDefinitionDto createNewStageDefinitionDto(){
 		try {
-			AccessCertificationStageDefinitionType def = new AccessCertificationStageDefinitionType();
+			AccessCertificationStageDefinitionType def = new AccessCertificationStageDefinitionType(parentPage.getPrismContext());
 			def.setNumber(getModel().getObject().size() + 1);
 			def.setName(DEFAULT_STAGE_NAME_PREFIX + def.getNumber());
 			return new StageDefinitionDto(def, parentPage.getPrismContext());

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/certification/PageCertDefinition.java

@@ -159,7 +159,7 @@ private CertDefinitionDto createDefinition() throws SchemaException {
 	//region Layout
 	private void initLayout() {
 		CertDefinitionSummaryPanel summaryPanel = new CertDefinitionSummaryPanel(ID_SUMMARY_PANEL,
-				new PropertyModel<PrismObject<AccessCertificationDefinitionType>>(definitionModel, CertDefinitionDto.F_PRISM_OBJECT));
+				new PropertyModel<>(definitionModel, CertDefinitionDto.F_PRISM_OBJECT));
 		add(summaryPanel);
 
 		Form mainForm = new Form(ID_MAIN_FORM);
@@ -181,13 +181,15 @@ public WebMarkupContainer getPanel(String panelId) {
 		tabs.add(new AbstractTab(createStringResource("PageCertDefinition.scopeDefinition")) {
             @Override
             public WebMarkupContainer getPanel(String panelId) {
-                return new DefinitionScopePanel(panelId, new PropertyModel<DefinitionScopeDto>(definitionModel, CertDefinitionDto.F_SCOPE_DEFINITION));
+                return new DefinitionScopePanel(panelId,
+						new PropertyModel<>(definitionModel, CertDefinitionDto.F_SCOPE_DEFINITION));
             }
         });
 		tabs.add(new CountablePanelTab(createStringResource("PageCertDefinition.stagesDefinition")) {
 			@Override
 			public WebMarkupContainer createPanel(String panelId) {
-				return new DefinitionStagesPanel(panelId, new PropertyModel<List<StageDefinitionDto>>(definitionModel, CertDefinitionDto.F_STAGE_DEFINITION), PageCertDefinition.this);
+				return new DefinitionStagesPanel(panelId,
+						new PropertyModel<>(definitionModel, CertDefinitionDto.F_STAGE_DEFINITION), PageCertDefinition.this);
 			}
 			@Override
 			public String getCount() {

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/certification/StageEditorPanel.java

@@ -67,9 +67,9 @@ private void nameClickPerformed(AjaxRequestTarget target) {
         List<ITab> tabsList = tabsModel.getObject();
         PropertyModel<String> tabNameModel;
         if (getModel().getObject().getName() == null || getModel().getObject().getName().trim().equals("")){
-            tabNameModel = new PropertyModel<String>(getModel(), StageDefinitionDto.F_NUMBER);
+            tabNameModel = new PropertyModel<>(getModel(), StageDefinitionDto.F_NUMBER);
         } else {
-            tabNameModel = new PropertyModel<String>(getModel(), StageDefinitionDto.F_NAME);
+            tabNameModel = new PropertyModel<>(getModel(), StageDefinitionDto.F_NAME);
         }
 
         for (ITab tab : tabsList){

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/certification/dto/CertCampaignListItemDto.java

@@ -121,13 +121,9 @@ private String computeDeadlineAsString(PageBase page) {
             if (delta > 0) {
                 String key = stageLevelInfo ? "PageCertCampaigns.inForStage" : "PageCertCampaigns.inForCampaign";
                 return PageBase.createStringResourceStatic(page, key, DurationFormatUtils.formatDurationWords(delta, true, true)).getString();
-//                return new StringResourceModel(key, page, null, null,
-//                        DurationFormatUtils.formatDurationWords(delta, true, true)).getString();
             } else if (delta < 0) {
                 String key = stageLevelInfo ? "PageCertCampaigns.agoForStage" : "PageCertCampaigns.agoForCampaign";
                 return PageBase.createStringResourceStatic(page, key, DurationFormatUtils.formatDurationWords(-delta, true, true)).getString();
-//                return new StringResourceModel(key, page, null, null,
-//                        DurationFormatUtils.formatDurationWords(-delta, true, true)).getString();
             } else {
                 String key = stageLevelInfo ? "PageCertCampaigns.nowForStage" : "PageCertCampaigns.nowForCampaign";
                 return page.getString(key);

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/certification/dto/CertCaseDtoProvider.java

@@ -62,7 +62,7 @@ public CertCaseDtoProvider(Component component) {
 
     @Override
     public Iterator<CertCaseOrDecisionDto> internalIterator(long first, long count) {
-        LOGGER.trace("begin::iterator() from {} count {}.", new Object[]{first, count});
+        LOGGER.trace("begin::iterator() from {} count {}.", first, count);
         getAvailableData().clear();
 
         Task task = getPage().createSimpleTask(OPERATION_SEARCH_OBJECTS);

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/certification/dto/CertCaseOrDecisionDto.java

@@ -177,12 +177,8 @@ private String computeDeadlineAsString(PageBase page) {
             //todo i18n
             if (delta > 0) {
             	return PageBase.createStringResourceStatic(page, "PageCert.in", DurationFormatUtils.formatDurationWords(delta, true, true)).getString();
-//                return new StringResourceModel("PageCert.in", page, null, null,
-//                        DurationFormatUtils.formatDurationWords(delta, true, true)).getString();
             } else if (delta < 0) {
             	return PageBase.createStringResourceStatic(page, "PageCert.ago", DurationFormatUtils.formatDurationWords(-delta, true, true)).getString();
-//                return StringResourceModelMigration.of("PageCert.ago", page, null, null,
-//                        DurationFormatUtils.formatDurationWords(-delta, true, true)).getString();
             } else {
                 return page.getString("PageCert.now");
             }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/certification/dto/CertDecisionDto.java

@@ -38,7 +38,7 @@ public class CertDecisionDto extends CertCaseOrDecisionDto {
     public CertDecisionDto(AccessCertificationCaseType _case, PageBase page) {
         super(_case, page);
         if (_case.getDecision().isEmpty()) {
-            decision = new AccessCertificationDecisionType();
+            decision = new AccessCertificationDecisionType(page.getPrismContext());
         } else if (_case.getDecision().size() == 1) {
             decision = _case.getDecision().get(0);
         } else {

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/certification/dto/CertDecisionDtoProvider.java

@@ -60,7 +60,7 @@ public CertDecisionDtoProvider(Component component) {
 
     @Override
     public Iterator<CertDecisionDto> internalIterator(long first, long count) {
-        LOGGER.trace("begin::iterator() from {} count {}.", new Object[]{first, count});
+        LOGGER.trace("begin::iterator() from {} count {}.", first, count);
         getAvailableData().clear();
 
         OperationResult result = new OperationResult(OPERATION_SEARCH_OBJECTS);

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/certification/dto/CertDefinitionDto.java

@@ -271,27 +271,14 @@ private List<ObjectReferenceType> cloneListObjects(List<ObjectReferenceType> lis
         return list;
     }
 
-    private List<ObjectReferenceType> cloneListObjectsForSave(List<ObjectReferenceType> listToClone){
-        if (listToClone != null){
-            if (listToClone.size() > 0) {
-                List<ObjectReferenceType> list = new ArrayList<>();
-                for (ObjectReferenceType objectReferenceType : listToClone) {
-                    list.add(objectReferenceType.clone());
-                }
-                return list;
-            }
-        }
-        return new ArrayList<ObjectReferenceType>();
-    }
-
     public DefinitionScopeDto getScopeDefinition() {
         return definitionScopeDto;
     }
 
     public void updateScopeDefinition(PrismContext prismContext) {
         AccessCertificationAssignmentReviewScopeType scopeTypeObj = null;
         if (definitionScopeDto != null) {
-            scopeTypeObj = new AccessCertificationAssignmentReviewScopeType();
+            scopeTypeObj = new AccessCertificationAssignmentReviewScopeType(prismContext);
             scopeTypeObj.setName(definitionScopeDto.getName());
             scopeTypeObj.setDescription(definitionScopeDto.getDescription());
             scopeTypeObj.setObjectType(definitionScopeDto.getObjectType() != null ? new QName(definitionScopeDto.getObjectType().name()) : null);
@@ -327,7 +314,7 @@ public void updateStageDefinition(PrismContext prismContext) throws SchemaExcept
 
     private AccessCertificationStageDefinitionType createStageDefinitionType(StageDefinitionDto stageDefDto, PrismContext prismContext)
             throws SchemaException {
-        AccessCertificationStageDefinitionType stageDefType = new AccessCertificationStageDefinitionType();
+        AccessCertificationStageDefinitionType stageDefType = new AccessCertificationStageDefinitionType(prismContext);
         if (stageDefDto != null) {
             stageDefType.setNumber(stageDefDto.getNumber());
             stageDefType.setName(stageDefDto.getName());
@@ -347,7 +334,7 @@ private AccessCertificationStageDefinitionType createStageDefinitionType(StageDe
 
     private AccessCertificationReviewerSpecificationType createAccessCertificationReviewerType(
             AccessCertificationReviewerDto reviewerDto, PrismContext prismContext) throws SchemaException {
-        AccessCertificationReviewerSpecificationType reviewerObject = new AccessCertificationReviewerSpecificationType();
+        AccessCertificationReviewerSpecificationType reviewerObject = new AccessCertificationReviewerSpecificationType(prismContext);
         if (reviewerDto != null) {
             reviewerObject.setName(reviewerDto.getName());
             reviewerObject.setDescription(reviewerDto.getDescription());

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidPointGuiAuthorizationEvaluator.java

@@ -90,8 +90,15 @@ public boolean isAuthenticated() {
 	public MidPointPrincipal getPrincipal() throws SecurityViolationException {
 		return securityEnforcer.getPrincipal();
 	}
-
+    
     @Override
+	public <O extends ObjectType, T extends ObjectType> void failAuthorization(String operationUrl,
+			AuthorizationPhaseType phase, PrismObject<O> object, ObjectDelta<O> delta, PrismObject<T> target,
+			OperationResult result) throws SecurityViolationException {
+    	securityEnforcer.failAuthorization(operationUrl, phase, object, delta, target, result);
+	}
+
+	@Override
 	public <O extends ObjectType, T extends ObjectType> boolean isAuthorized(String operationUrl, AuthorizationPhaseType phase,
 			PrismObject<O> object, ObjectDelta<O> delta, PrismObject<T> target, OwnerResolver ownerResolver) throws SchemaException {
 		return securityEnforcer.isAuthorized(operationUrl, phase, object, delta, target, ownerResolver);

gui/admin-gui/src/main/resources/initial-objects/043-role-delegator.xml

@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2016 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<role oid="00000000-0000-0000-0000-00000000000c"
+      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
+    <name>Delegator</name>
+    <description>Role authorizing users to delegate their own privileges to any other user.</description>
+    <authorization>
+    	<name>gui-delegator-access</name>
+    	<description>
+    		Allow access to the delegate functionality (e.g. "add delegation" button).
+    	</description>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#delegate</action>
+    </authorization>
+	<authorization>
+		<name>delegator-req</name>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delegate</action>
+    	<phase>request</phase>
+    	<object>
+    		<type>UserType</type>
+    	</object>
+    	<target>
+    		<special>self</special>
+    	</target>
+    </authorization>
+    <authorization>
+    	<name>delegator-exec-user</name>
+    	<description>
+    		Quite strong universal execution rights are needed here. We are going to modify other users
+    		(deputy assignments are in the delegate user, not delegator).
+    	</description>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
+    	<phase>execution</phase>
+    	<object>
+    		<type>UserType</type>
+    	</object>
+    </authorization>
+    <authorization>
+    	<name>delegator-exec-shadow</name>
+    	<description>
+    		Quite strong universal execution rights are needed here. We are going to modify other users
+    		(deputy assignments are in the delegate user, not delegator). Modification of other users
+    		may mean also creation/modification/deletion of their accounts.
+    	</description>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#delete</action>
+    	<phase>execution</phase>
+    	<object>
+    		<type>ShadowType</type>
+    	</object>
+    </authorization>
+</role>

infra/schema/src/main/java/com/evolveum/midpoint/schema/util/FocusTypeUtil.java

@@ -15,8 +15,11 @@
  */
 package com.evolveum.midpoint.schema.util;
 
+import java.util.List;
+
 import javax.xml.namespace.QName;
 
+import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentSelectorType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.OrderConstraintsType;
@@ -88,4 +91,16 @@ public static String dumpInducementConstraints(AssignmentType assignmentType) {
 		sb.setLength(sb.length() - 1);
 		return sb.toString();
 	}
+
+	public static boolean selectorMatches(AssignmentSelectorType assignmentSelector, AssignmentType assignmentType) {
+		if (assignmentType.getTargetRef() == null) {
+			return false;
+		}
+		for (ObjectReferenceType selectorTargetRef: assignmentSelector.getTargetRef()) {
+			if (MiscSchemaUtil.referenceMatches(selectorTargetRef, assignmentType.getTargetRef())) {
+				return true;
+			}
+		}
+		return false;
+	}
 }

infra/schema/src/main/java/com/evolveum/midpoint/schema/util/MiscSchemaUtil.java

@@ -399,4 +399,16 @@ public static void serializeFaultMessage(Detail detail, FaultMessage faultMessag
         }
 	}
 
+	public static boolean referenceMatches(ObjectReferenceType refPattern, ObjectReferenceType ref) {
+		if (refPattern.getOid() != null && !refPattern.getOid().equals(ref.getOid())) {
+			return false;
+		}
+		if (refPattern.getType() != null && !QNameUtil.match(refPattern.getType(), ref.getType())) {
+			return false;
+		}
+		if (!QNameUtil.match(refPattern.getRelation(), ref.getRelation())) {
+			return false;
+		}
+		return true;
+	}
 }

infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd

@@ -2981,6 +2981,19 @@
 		        </xsd:annotation>			
 			</xsd:element>
 
+			<xsd:element name="limitTargerContent" type="tns:AssignmentSelectorType" minOccurs="0" maxOccurs="unbounded">
+		        <xsd:annotation>
+		            <xsd:documentation>
+		                Limitations that selects only some assignments/inducements from the target. It may be used to
+		                incorporate only a part of the subrole in the role hierarchy. But it is most frequently used
+		                to limit the scope of a delegation to the deputy.
+		            </xsd:documentation>
+		            <xsd:appinfo>
+		                <a:since>3.5</a:since>
+		            </xsd:appinfo>
+		        </xsd:annotation>			
+			</xsd:element>
+
 			<xsd:element name="focusType" type="xsd:QName" minOccurs="0"/>
 
 			<xsd:element name="tenantRef" type="c:ObjectReferenceType" minOccurs="0" maxOccurs="1">
@@ -7977,6 +7990,31 @@
         </xsd:complexContent>
 	</xsd:complexType>
 
+	<xsd:complexType name="AssignmentSelectorType">
+        <xsd:annotation>
+            <xsd:documentation>
+                Selects some assignments from all the assignments in the object.
+                E.g. may be used to select only some assignments/inducments for a role.
+            </xsd:documentation>
+            <xsd:appinfo>
+                <a:container/>
+            </xsd:appinfo>
+        </xsd:annotation>
+        <xsd:sequence>
+        	<xsd:element ref="tns:description" minOccurs="0"/>
+        	<xsd:element name="targetRef" type="c:ObjectReferenceType" minOccurs="0" maxOccurs="unbounded">
+               <xsd:annotation>
+                   <xsd:documentation>
+                       Selects assignments that have this target reference.
+                       (Target OID, type and relation is matched.)
+                       Note: Filter in the reference is not yet supported.
+                   </xsd:documentation>
+               </xsd:annotation>
+           </xsd:element>
+        </xsd:sequence>
+        <xsd:attribute name="id" type="xsd:long" use="optional"/>
+	</xsd:complexType>
+
 	<xsd:complexType name="OrgRelationObjectSpecificationType">
         <xsd:annotation>
             <xsd:documentation>
@@ -11682,6 +11720,20 @@
                     </xsd:appinfo>
                 </xsd:annotation>
             </xsd:enumeration>
+            <xsd:enumeration value="00000000-0000-0000-0000-00000000000b">
+                <xsd:annotation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="ROLE_REVIEWER"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+            <xsd:enumeration value="00000000-0000-0000-0000-00000000000c">
+                <xsd:annotation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="ROLE_DELEGATOR"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
             <xsd:enumeration value="00000000-0000-0000-0000-000000000100">
                 <xsd:annotation>
                     <xsd:appinfo>