Merge branch 'master' of https://github.com/Evolveum/midpoint

gui/admin-gui/pom.xml

@@ -916,6 +916,7 @@
                         <configuration>
                             <fork>true</fork>
                             <skip>false</skip>
+<!--                             <jvmArguments>-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000 -Dserver.port=${server.port} -Dmidpoint.home=${midpoint.home} -Dmidpoint.schrodinger=${midpoint.schrodinger} -Djavax.net.ssl.trustStore=${javax.net.ssl.trustStore} -Djavax.net.ssl.trustStoreType=${javax.net.ssl.trustStoreType}</jvmArguments> -->
                             <jvmArguments>-Dserver.port=${server.port} -Dmidpoint.home=${midpoint.home} -Dmidpoint.schrodinger=${midpoint.schrodinger} -Djavax.net.ssl.trustStore=${javax.net.ssl.trustStore} -Djavax.net.ssl.trustStoreType=${javax.net.ssl.trustStoreType}</jvmArguments><!-- TODO question: CAN this argument be active by default, or should be there a different profile defined for this? -->
                         </configuration>
                         <executions>

infra/prism/src/main/java/com/evolveum/midpoint/prism/PrismPropertyValue.java

@@ -419,9 +419,12 @@ private PrismPropertyValue<T> parseRawElementToNewValue(PrismPropertyValue<T> or
 
 	private T parseRawElementToNewRealValue(PrismPropertyValue<T> prismPropertyValue, PrismPropertyDefinition<T> definition)
 				throws SchemaException {
-		PrismContext prismContext = definition.getPrismContext();
+		PrismContext prismCtx = definition.getPrismContext() != null ? definition.getPrismContext() : prismContext;
 		//noinspection UnnecessaryLocalVariable
-		T value = prismContext.parserFor(prismPropertyValue.rawElement.toRootXNode()).definition(definition).parseRealValue();
+		if (prismCtx == null) {
+			throw new SchemaException("Unexpected null prism context.");
+		}
+		T value = prismCtx.parserFor(prismPropertyValue.rawElement.toRootXNode()).definition(definition).parseRealValue();
 		return value;
 	}
 

infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd

@@ -12059,7 +12059,22 @@
         			</xsd:appinfo>
         		</xsd:annotation>
     		</xsd:element>
-    		<!-- TODO: order? orderConstraint? assignment=order0, inducement=order1-inf. -->
+    		<xsd:element name="orderConstraints" type="tns:OrderConstraintsType" minOccurs="0" maxOccurs="1">
+	   			<xsd:annotation>
+    				<xsd:documentation>
+    					Order constraints for cases when assignment/inducement is a matter of the authorization
+    					decision. Order constrain may limit the order of assignment/inducement being authorized.
+    					Order constraint of zero (default) means assignment. Order constraint of one or greater
+    					means inducement.
+    					Note: Partially implemented in midPoint 3.9. Only values of zero and one are supported.
+    					Only integer orders are supported.
+    					Assignments/inducements with complex orderConstraints are not supported.
+    				</xsd:documentation>
+        			<xsd:appinfo>
+        				<a:since>3.9</a:since>
+        			</xsd:appinfo>
+        		</xsd:annotation>
+    		</xsd:element>
         	<xsd:element name="limitations" type="tns:AuthorizationLimitationsType" minOccurs="0" maxOccurs="1">
         		<xsd:annotation>
         			<xsd:documentation>

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.java

@@ -1339,10 +1339,10 @@ private <T, O extends ObjectType> boolean validateValue(PrismObject<O> object, V
 
 	private <O extends ObjectType> AbstractValuePolicyOriginResolver<O> getOriginResolver(PrismObject<O> object) {
 		if (object != null && UserType.class.equals(object.getCompileTimeClass())) {
-			new UserValuePolicyOriginResolver((PrismObject<UserType>) object, objectResolver);
+			return (AbstractValuePolicyOriginResolver) new UserValuePolicyOriginResolver((PrismObject<UserType>) object, objectResolver);
 		}
 
-		//TODO not supported yet
+		//TODO not supported yet, throw exception instead of null???
 		return null;
 	}
 

model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestResources.java

@@ -959,7 +959,7 @@ public void test760ModifyConfigurationString() throws Exception {
     			getConfigurationPropertyPath(IntegrationTestTools.RESOURCE_DUMMY_CONFIGURATION_USELESS_STRING_ELEMENT_NAME),
     			"whatever wherever");
 
-    	assertCounterIncrement(InternalCounters.RESOURCE_SCHEMA_PARSE_COUNT, 1);
+    	assertCounterIncrement(InternalCounters.RESOURCE_SCHEMA_PARSE_COUNT, 2);
     }
 
     @Test

model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/rbac/TestMetaMeta.java

@@ -343,7 +343,7 @@ public void test319UnassignBetaAFromJack() throws Exception {
         OperationResult result = task.getResult();
 
         ObjectDelta<UserType> focusDelta = createAssignmentFocusDelta(UserType.class, USER_JACK_OID, getGroupRoleOid(GROUP_BETA_NAME), RoleType.COMPLEX_TYPE, null, (Consumer<AssignmentType>)null, false);
-        focusDelta.addModification(createAssignmentModification(getGroupRoleOid(GROUP_A_NAME), RoleType.COMPLEX_TYPE, null, null, false));
+        focusDelta.addModification(createAssignmentModification(getGroupRoleOid(GROUP_A_NAME), RoleType.COMPLEX_TYPE, null, null, null, false));
 
         // WHEN
 		modelService.executeChanges(MiscSchemaUtil.createCollection(focusDelta), null, task, result);

model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/rbac/TestSegregationOfDuties.java

@@ -612,7 +612,7 @@ public void test191DifferentRelationsDeprecatedCase1() throws Exception {
 		OperationResult result = task.getResult();
 
 		Collection<ItemDelta<?,?>> modifications = new ArrayList<>();
-		modifications.add((createAssignmentModification(ROLE_JUDGE_DEPRECATED_OID, RoleType.COMPLEX_TYPE, SchemaConstants.ORG_APPROVER, null, true)));
+		modifications.add((createAssignmentModification(ROLE_JUDGE_DEPRECATED_OID, RoleType.COMPLEX_TYPE, SchemaConstants.ORG_APPROVER, null, null, true)));
 		modifications.add((createAssignmentModification(ROLE_PIRATE_OID, RoleType.COMPLEX_TYPE, null, null, null, true)));
 		ObjectDelta<UserType> userDelta = ObjectDelta.createModifyDelta(USER_JACK_OID, modifications, UserType.class, prismContext);
 
@@ -635,7 +635,7 @@ public void test192DifferentRelationsDeprecatedCase2() throws Exception {
 		OperationResult result = task.getResult();
 
 		Collection<ItemDelta<?,?>> modifications = new ArrayList<>();
-		modifications.add((createAssignmentModification(ROLE_JUDGE_DEPRECATED_OID, RoleType.COMPLEX_TYPE, null, null, true)));
+		modifications.add((createAssignmentModification(ROLE_JUDGE_DEPRECATED_OID, RoleType.COMPLEX_TYPE, null, null, null, true)));
 		modifications.add((createAssignmentModification(ROLE_PIRATE_OID, RoleType.COMPLEX_TYPE, SchemaConstants.ORG_APPROVER, null, null, true)));
 		ObjectDelta<UserType> userDelta = ObjectDelta.createModifyDelta(USER_JACK_OID, modifications, UserType.class, prismContext);
 

model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityMultitenant.java

@@ -26,7 +26,6 @@
 import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.prism.util.PrismTestUtil;
 import com.evolveum.midpoint.schema.result.OperationResult;
-import com.evolveum.midpoint.schema.util.MiscSchemaUtil;
 import com.evolveum.midpoint.security.api.AuthorizationConstants;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.util.exception.CommunicationException;
@@ -37,11 +36,9 @@
 import com.evolveum.midpoint.util.exception.PolicyViolationException;
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.util.exception.SecurityViolationException;
-import com.evolveum.midpoint.xml.ns._public.common.api_types_3.ImportOptionsType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentPolicyEnforcementType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ConnectorType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ModelExecuteOptionsType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType;
@@ -133,6 +130,11 @@ public class TestSecurityMultitenant extends AbstractSecurityTest {
 	protected static final String ROLE_ATREIDES_HACKER_OID = "00000000-8888-6666-a200-100000000003";
 	protected static final File ROLE_ATREIDES_HACKER_FILE = new File(TEST_DIR, "role-atreides-hacker.xml");
 
+	protected static final String ROLE_ATREIDES_SOLDIER_OID = "00000000-8888-6666-a200-100000000004";
+
+	protected static final String ROLE_ATREIDES_SWORDMASTER_OID = "00000000-8888-6666-a200-100000000005";
+	protected static final File ROLE_ATREIDES_SWORDMASTER_FILE = new File(TEST_DIR, "role-atreides-swordmaster.xml");
+
 	protected static final String USER_LETO_ATREIDES_OID = "00000000-8888-6666-a200-200000000000";
 	protected static final String USER_LETO_ATREIDES_NAME = "leto";
 	protected static final String USER_LETO_ATREIDES_FULL_NAME = "Duke Leto Atreides";
@@ -399,8 +401,9 @@ public void test100AutzLetoRead() throws Exception {
         assertGetDeny(RoleType.class, ROLE_TENANT_ADMIN_OID);
         assertGetDeny(UserType.class, USER_EDRIC_OID);
 
+        // Search
         assertSearch(UserType.class, null, USER_LETO_ATREIDES_OID, USER_PAUL_ATREIDES_OID);
-        assertSearch(RoleType.class, null, ROLE_ATREIDES_ADMIN_OID);
+        assertSearch(RoleType.class, null, ROLE_ATREIDES_ADMIN_OID, ROLE_ATREIDES_SOLDIER_OID);
         assertSearch(OrgType.class, null, ORG_ATREIDES_OID, ORG_CALADAN_OID);
 
         // THEN
@@ -761,7 +764,7 @@ public void test116AutzLetoProtectTenantAdminRole() throws Exception {
         cleanupAutzTest(null);
 
         login(USER_LETO_ATREIDES_NAME);
-                
+
         // WHEN
         displayWhen(TEST_NAME);
 
@@ -773,10 +776,37 @@ public void test116AutzLetoProtectTenantAdminRole() throws Exception {
         		(task, result) -> modifyObjectAddContainer(RoleType.class, ROLE_ATREIDES_ADMIN_OID, 
         				RoleType.F_AUTHORIZATION, task, result, superuserAuthorization));
 
+        assertDeny("induce superuser", 
+        		(task, result) -> induceRole(ROLE_ATREIDES_ADMIN_OID, ROLE_SUPERUSER_OID, task, result));
+
         assertDeny("add dummy account", 
         		(task, result) -> assignAccount(UserType.class, USER_PAUL_ATREIDES_OID, RESOURCE_DUMMY_OID, null, task, result));
 
-        // TODO: add superuser inducement to atreides admin -> deny
+        // THEN
+        displayThen(TEST_NAME);
+
+        assertGlobalStateUntouched();
+	}
+
+	/**
+	 * Make sure that tenant admin can manage business roles.
+	 */
+	@Test(enabled=false) // WORK IN PROGRESS
+    public void test118AutzLetoBusinessRoles() throws Exception {
+		final String TEST_NAME = "test118AutzLetoBusinessRoles";
+        displayTestTitle(TEST_NAME);
+        // GIVEN
+        cleanupAutzTest(null);
+
+        login(USER_LETO_ATREIDES_NAME);
+
+        assertAddAllow(ROLE_ATREIDES_GUARD_FILE);
+
+        // WHEN
+        displayWhen(TEST_NAME);
+
+        assertAddAllow(ROLE_ATREIDES_SWORDMASTER_FILE);
+
 
         // THEN
         displayThen(TEST_NAME);
@@ -785,8 +815,6 @@ public void test116AutzLetoProtectTenantAdminRole() throws Exception {
 	}
 
 	// TODO: create tenant business role
-	// TODO: add role with authorizations
-	// TODO: add authorizations to existing role
 	// TODO: add policy exceptions to existing role
 	// TODO: add assignment/inducement with policy rule
 

model/model-intest/src/test/resources/security/multitenant/org-multitenant.xml

@@ -264,6 +264,13 @@
 		</inducement>
 	</role>
 
+	<role oid="00000000-8888-6666-a200-100000000004">
+		<name>Atreides Soldier</name>
+		<assignment id="1">
+			<targetRef oid="00000000-8888-6666-a200-000000000000" type="OrgType"/> <!-- House Atreides -->
+		</assignment>
+	</role>
+
 	<user oid="00000000-8888-6666-a200-200000000000">
 		<name>leto</name>
 		<givenName>Leto</givenName>

model/model-intest/src/test/resources/security/multitenant/role-atreides-swordmaster.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright (c) 2010-2018 Evolveum
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<role oid="00000000-8888-6666-a200-100000000005"
+     xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
+     xmlns:org='http://midpoint.evolveum.com/xml/ns/public/common/org-3'
+     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
+	<name>Atreides Swordmaster</name>
+	<assignment id="1">
+		<targetRef oid="00000000-8888-6666-a200-000000000000" type="OrgType"/> <!-- House Atreides -->
+	</assignment>
+	<inducement id="2">
+		<targetRef oid="00000000-8888-6666-a200-100000000002" type="RoleType"/> <!-- Atreides Guard -->
+	</inducement>
+	<inducement id="3">
+		<targetRef oid="00000000-8888-6666-a200-100000000004" type="RoleType"/> <!-- Atreides Soldier -->
+	</inducement>
+</role>