test for inducements having condition "do not induce if user is member

of role xy"

(cherry-picked from 0aff149)

testing/story/src/test/java/com/evolveum/midpoint/testing/story/TestInducement.java

@@ -0,0 +1,217 @@
+/*
+ * Copyright (c) 2019 michael.gruber@wwk.de, Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.evolveum.midpoint.testing.story;
+
+import java.io.File;
+import javax.xml.namespace.QName;
+
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.annotation.DirtiesContext.ClassMode;
+import org.springframework.test.context.ContextConfiguration;
+import org.testng.annotations.Test;
+
+import com.evolveum.midpoint.prism.PrismObject;
+import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.task.api.Task;
+import com.evolveum.midpoint.test.util.MidPointTestConstants;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
+
+
+@ContextConfiguration(locations = { "classpath:ctx-story-test-main.xml" })
+@DirtiesContext(classMode = ClassMode.AFTER_CLASS)
+
+
+/**
+ * testing inducements, no ressources, no accounts in use.
+ * role "processor" is assigned to user, it contains inducements for role1, role2, role3 having following conditions
+ * 
+ * role1: no condition
+ * role2: should not be induced when description of user equals "NO"
+ * role3: should not be induced when user is member of role named "lock" (directly or indirectly, therefore condition runs against rolemembershipRef) 
+ */
+
+public class TestInducement extends AbstractStoryTest {
+
+	public static final File TEST_DIR = new File(MidPointTestConstants.TEST_RESOURCES_DIR, "inducement");
+
+	public static final File ROLE_ROLE1_FILE = new File(TEST_DIR, "role-role1.xml");
+	public static final String ROLE_ROLE1_OID = "10000000-0000-0000-0000-100000000001";
+
+	public static final File ROLE_ROLE2_FILE = new File(TEST_DIR, "role-role2.xml");
+	public static final String ROLE_ROLE2_OID = "10000000-0000-0000-0000-100000000002";
+
+	public static final File ROLE_ROLE3_FILE = new File(TEST_DIR, "role-role3.xml");
+	public static final String ROLE_ROLE3_OID = "10000000-0000-0000-0000-100000000003";
+
+	public static final File ROLE_LOCK_FILE = new File(TEST_DIR, "role-lock.xml");
+	public static final String ROLE_LOCK_OID = "10000000-0000-0000-0000-10000000lock";
+
+	public static final File ROLE_PROCESSOR_FILE = new File(TEST_DIR, "role-processor.xml");
+	public static final String ROLE_PROCESSOR_OID = "10000000-0000-0000-0000-100processor";
+
+	public static final File USER_SIMPLE_FILE = new File(TEST_DIR, "user-simple.xml");
+	public static final String USER_SIMPLE_OID = "10000000-0000-0000-0001-100000simple";
+
+	@Override
+	public void initSystem(Task initTask, OperationResult initResult) throws Exception {
+		super.initSystem(initTask, initResult);
+
+		// Roles
+		importObjectFromFile(ROLE_ROLE1_FILE, initResult);
+		importObjectFromFile(ROLE_ROLE2_FILE, initResult);
+		importObjectFromFile(ROLE_ROLE3_FILE, initResult);
+		importObjectFromFile(ROLE_LOCK_FILE, initResult);
+		importObjectFromFile(ROLE_PROCESSOR_FILE, initResult);
+
+		//User
+		importObjectFromFile(USER_SIMPLE_FILE, initResult);
+
+	}
+
+	@Test
+	public void test000Sanity() throws Exception {
+		final String TEST_NAME = "test000Sanity";
+		displayTestTitle(TEST_NAME);
+		//no resource, no extension definition
+		//anything to check?		
+
+	}
+
+	/**
+	 * assign role "processor".
+	 * role "processor" contains inducements for role1, role2, role3
+	 */
+	@Test
+	public void test010InducementConditionsTrue() throws Exception {
+		final String TEST_NAME = "test010InducementConditionsTrue";
+		displayTestTitle(TEST_NAME);
+
+        // GIVEN
+		Task task = createTask(TEST_NAME);
+        OperationResult result = task.getResult();
+        dummyAuditService.clear();
+
+        // WHEN
+        assignRole(USER_SIMPLE_OID, ROLE_PROCESSOR_OID, task, result);
+
+        // THEN
+        assertSuccess(result);
+
+        PrismObject<UserType> user = getUser(USER_SIMPLE_OID);
+        display("User simple after role assignment", user);
+
+        assertAssignedRole(user, ROLE_PROCESSOR_OID);
+        assertNotAssignedRole(user, ROLE_LOCK_OID);
+        assertNotAssignedRole(user, ROLE_ROLE1_OID);
+        assertNotAssignedRole(user, ROLE_ROLE2_OID);
+        assertNotAssignedRole(user, ROLE_ROLE3_OID);
+        assertRoleMembershipRef(user, ROLE_PROCESSOR_OID, ROLE_ROLE1_OID, ROLE_ROLE2_OID, ROLE_ROLE3_OID);
+	}
+
+	/**
+	 * modify description of user 
+	 * condition in "processor" for inducing role2 returns false if description equals "NO" 
+	 */
+	@Test
+	public void test020InducementRole2ConditionFalse() throws Exception {
+		final String TEST_NAME = "test020InducementRole2ConditionFalse";
+		displayTestTitle(TEST_NAME);
+
+        // GIVEN
+		Task task = createTask(TEST_NAME);
+        OperationResult result = task.getResult();
+        dummyAuditService.clear();
+
+        // WHEN
+        modifyUserReplace(USER_SIMPLE_OID, UserType.F_DESCRIPTION, task, result, "NO");
+
+        // THEN
+        assertSuccess(result);
+
+        PrismObject<UserType> user = getUser(USER_SIMPLE_OID);
+        display("User simple having description 'NO'", user);
+
+        assertUserProperty(USER_SIMPLE_OID, new QName("description"), "NO");
+        assertAssignedRole(user, ROLE_PROCESSOR_OID);
+        assertNotAssignedRole(user, ROLE_LOCK_OID);
+        assertNotAssignedRole(user, ROLE_ROLE1_OID);
+        assertNotAssignedRole(user, ROLE_ROLE2_OID);
+        assertNotAssignedRole(user, ROLE_ROLE3_OID);
+        assertRoleMembershipRef(user, ROLE_PROCESSOR_OID, ROLE_ROLE1_OID, ROLE_ROLE3_OID);
+	}
+
+	/**
+	 * assign role "lock" to user 
+	 * condition in "processor" for inducing role3 returns false if lock is contained in rolemembership
+	 */
+	@Test
+	public void test030InducementRole3ConditionFalse() throws Exception {
+		final String TEST_NAME = "test030InducementRole3ConditionFalse";
+		displayTestTitle(TEST_NAME);
+
+        // GIVEN
+		Task task = createTask(TEST_NAME);
+        OperationResult result = task.getResult();
+        dummyAuditService.clear();
+
+        // WHEN
+        assignRole(USER_SIMPLE_OID, ROLE_LOCK_OID, task, result);
+
+
+        // THEN
+        assertSuccess(result);
+
+        PrismObject<UserType> user = getUser(USER_SIMPLE_OID);
+        display("User simple having role lock assigned'", user);
+
+        assertAssignedRole(user, ROLE_PROCESSOR_OID);
+        assertAssignedRole(user, ROLE_LOCK_OID);
+        assertNotAssignedRole(user, ROLE_ROLE1_OID);
+        assertNotAssignedRole(user, ROLE_ROLE2_OID);
+        assertNotAssignedRole(user, ROLE_ROLE3_OID);
+        assertRoleMembershipRef(user, ROLE_PROCESSOR_OID, ROLE_LOCK_OID, ROLE_ROLE1_OID);
+	}
+
+	/**
+	 * same as Test30, just recomputed again
+	 */
+	@Test
+	public void test040Recomputed() throws Exception {
+		final String TEST_NAME = "test040Recomputed";
+		displayTestTitle(TEST_NAME);
+
+        // GIVEN
+		Task task = createTask(TEST_NAME);
+        OperationResult result = task.getResult();
+        dummyAuditService.clear();
+
+        // WHEN
+        recomputeUser(USER_SIMPLE_OID);
+
+        // THEN
+        assertSuccess(result);
+
+        PrismObject<UserType> user = getUser(USER_SIMPLE_OID);
+        display("User simple having role lock assigned'", user);
+
+        assertAssignedRole(user, ROLE_PROCESSOR_OID);
+        assertAssignedRole(user, ROLE_LOCK_OID);
+        assertNotAssignedRole(user, ROLE_ROLE1_OID);
+        assertNotAssignedRole(user, ROLE_ROLE2_OID);
+        assertNotAssignedRole(user, ROLE_ROLE3_OID);
+        assertRoleMembershipRef(user, ROLE_PROCESSOR_OID, ROLE_LOCK_OID, ROLE_ROLE1_OID);
+	}
+}

testing/story/src/test/resources/inducement/role-lock.xml

@@ -0,0 +1,20 @@
+<role
+	xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+	xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+	xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
+	xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+	xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+	xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	oid="10000000-0000-0000-0000-10000000lock"
+	version="1">
+	<name>Lock</name>
+	<activation>
+		<effectiveStatus>enabled</effectiveStatus>
+		<enableTimestamp>2019-05-23T13:31:24.828+02:00</enableTimestamp>
+	</activation>
+	<iteration>0</iteration>
+	<iterationToken />
+</role>

testing/story/src/test/resources/inducement/role-processor.xml

@@ -0,0 +1,55 @@
+<role
+	xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+	xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+	xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
+	xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+	xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+	xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	oid="10000000-0000-0000-0000-100processor"
+	version="1">
+        <name>INDUCEPROCESSOR</name>
+        <activation>
+            <effectiveStatus>enabled</effectiveStatus>
+            <enableTimestamp>2019-05-23T13:30:47.650+02:00</enableTimestamp>
+        </activation>
+        <iteration>0</iteration>
+        <iterationToken/>
+        <inducement>
+            <targetRef oid="10000000-0000-0000-0000-100000000001" relation="org:default" type="c:RoleType"/>
+        </inducement>
+        <inducement>
+            <targetRef oid="10000000-0000-0000-0000-100000000002" relation="org:default" type="c:RoleType"/>
+            <condition>
+            <source>
+            	<path>description</path>
+            </source>
+            <expression>
+            	<script>
+            		<code>
+            			//log.error("TESTINDUCE does DESC equal 'NO'? result: {} ", description?.equals("NO"))
+            			!description?.equals("NO")
+            		</code>
+            	</script>
+            </expression>
+            </condition>
+        </inducement>
+        <inducement>
+            <targetRef oid="10000000-0000-0000-0000-100000000003" relation="org:default" type="c:RoleType"/>
+            <condition>
+            <source>
+            	<path>roleMembershipRef</path>
+            </source>
+            <expression>
+            	<script>
+            		<relativityMode>absolute</relativityMode>
+            		<code>
+            			!roleMembershipRef?.oid?.contains("10000000-0000-0000-0000-10000000lock")
+            		</code>
+            	</script>
+            </expression>
+            </condition>
+        </inducement>
+    </role>

testing/story/src/test/resources/inducement/role-role1.xml

@@ -0,0 +1,20 @@
+<role
+	xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+	xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+	xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
+	xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+	xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+	xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	oid="10000000-0000-0000-0000-100000000001"
+	version="1">
+	<name>Role1</name>
+	<activation>
+		<effectiveStatus>enabled</effectiveStatus>
+		<enableTimestamp>2019-05-23T13:31:24.828+02:00</enableTimestamp>
+	</activation>
+	<iteration>0</iteration>
+	<iterationToken />
+</role>

testing/story/src/test/resources/inducement/role-role2.xml

@@ -0,0 +1,20 @@
+<role
+	xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+	xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+	xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
+	xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+	xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+	xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	oid="10000000-0000-0000-0000-100000000002"
+	version="1">
+	<name>Role2</name>
+	<activation>
+		<effectiveStatus>enabled</effectiveStatus>
+		<enableTimestamp>2019-05-23T13:31:24.828+02:00</enableTimestamp>
+	</activation>
+	<iteration>0</iteration>
+	<iterationToken />
+</role>

testing/story/src/test/resources/inducement/role-role3.xml

@@ -0,0 +1,20 @@
+<role
+	xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+	xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+	xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+	xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
+	xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+	xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+	xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	oid="10000000-0000-0000-0000-100000000003"
+	version="1">
+	<name>Role3</name>
+	<activation>
+		<effectiveStatus>enabled</effectiveStatus>
+		<enableTimestamp>2019-05-23T13:31:24.828+02:00</enableTimestamp>
+	</activation>
+	<iteration>0</iteration>
+	<iterationToken />
+</role>

testing/story/src/test/resources/inducement/user-simple.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum, mythoss
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<user oid="10000000-0000-0000-0001-100000simple" 
+		xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
+		xmlns:c='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
+		xmlns:t='http://prism.evolveum.com/xml/ns/public/types-3'
+		xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
+		xmlns:xsd='http://www.w3.org/2001/XMLSchema'>
+    <name>simple</name>
+    <fullName>Simple User</fullName>
+    <givenName>Simple</givenName>
+    <familyName>User</familyName>
+    <activation>
+    	<administrativeStatus>enabled</administrativeStatus>
+    </activation>
+</user>