Extending authorization to import and raw operations.

Evolveum · Mar 15, 2014 · e917116 · e917116
1 parent 5c65a0e
commit e917116
Show file tree

Hide file tree

Showing 11 changed files with 204 additions and 47 deletions.
diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/controller/ModelController.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/controller/ModelController.java
@@ -375,9 +375,12 @@ public void run() {
 						if (ModelExecuteOptions.isOverwrite(options)) {
 							repoOptions.setOverwrite(true);
 						}
+						securityEnforcer.authorize(AUTZ_ADD_URL, delta.getObjectToAdd(), null, null, result);
 						String oid = cacheRepositoryService.addObject(delta.getObjectToAdd(), repoOptions, result);
 						delta.setOid(oid);
 					} else if (delta.isDelete()) {
+						PrismObject<? extends ObjectType> existingObject = cacheRepositoryService.getObject(delta.getObjectTypeClass(), delta.getOid(), null, result);
+						securityEnforcer.authorize(AUTZ_DELETE_URL, existingObject, null, null, result);
 						if (ObjectTypes.isClassManagedByProvisioning(delta.getObjectTypeClass())) {
                             Utils.clearRequestee(task);
 							provisioning.deleteObject(delta.getObjectTypeClass(), delta.getOid(),
@@ -387,6 +390,8 @@ public void run() {
 									result);
 						}
 					} else if (delta.isModify()) {
+						PrismObject existingObject = cacheRepositoryService.getObject(delta.getObjectTypeClass(), delta.getOid(), null, result);
+						securityEnforcer.authorize(AUTZ_MODIFY_URL, existingObject, delta, null, result);
 						cacheRepositoryService.modifyObject(delta.getObjectTypeClass(), delta.getOid(), 
 								delta.getModifications(), result);
 					} else {

diff --git a/model/model-impl/src/main/java/com/evolveum/midpoint/model/importer/ObjectImporter.java b/model/model-impl/src/main/java/com/evolveum/midpoint/model/importer/ObjectImporter.java
@@ -47,6 +47,7 @@
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.task.api.TaskManager;
 import com.evolveum.midpoint.util.DOMUtil;
+import com.evolveum.midpoint.util.exception.CommonException;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
@@ -60,6 +61,7 @@
 import com.evolveum.midpoint.xml.ns._public.common.api_types_2.ImportOptionsType;
 import com.evolveum.midpoint.xml.ns._public.common.common_2a.*;
 import com.evolveum.prism.xml.ns._public.query_2.QueryType;
+
 import org.apache.commons.lang.BooleanUtils;
 import org.apache.commons.lang.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -70,6 +72,7 @@
 import org.w3c.dom.NodeList;
 
 import javax.xml.namespace.QName;
+
 import java.io.InputStream;
 import java.util.Collection;
 import java.util.List;
@@ -138,7 +141,7 @@ public <T extends Objectable> EventResult postMarshall(PrismObject<T> prismObjec
                 object = migrator.migrate(object);
 
                 Utils.resolveReferences(object, repository, 
-                		options.isReferentialIntegrity() == null ? false : options.isReferentialIntegrity(), 
+                		(options == null || options.isReferentialIntegrity() == null) ? false : options.isReferentialIntegrity(), 
                 				prismContext, objectResult);
 
                 objectResult.computeStatus();
@@ -153,7 +156,7 @@ public <T extends Objectable> EventResult postMarshall(PrismObject<T> prismObjec
                 	return EventResult.skipObject(objectResult.getMessage());
                 }
 
-                if (BooleanUtils.isTrue(options.isValidateDynamicSchema())) {
+                if (options != null && BooleanUtils.isTrue(options.isValidateDynamicSchema())) {
                     validateWithDynamicSchemas(object, objectElement, repository, objectResult);
                 }
 
@@ -162,7 +165,7 @@ public <T extends Objectable> EventResult postMarshall(PrismObject<T> prismObjec
                 	return EventResult.skipObject(objectResult.getMessage());
                 }
 
-                if (BooleanUtils.isTrue(options.isEncryptProtectedValues())) {
+                if (options != null && BooleanUtils.isTrue(options.isEncryptProtectedValues())) {
                 	OperationResult opResult = objectResult.createMinorSubresult(ObjectImporter.class.getName()+".encryptValues");
                     try {
 						CryptoUtil.encryptValues(protector, object);
@@ -234,26 +237,33 @@ public void handleGlobalError(OperationResult currentResult) {
 
         Validator validator = new Validator(prismContext, handler);
         validator.setVerbose(true);
-        validator.setValidateSchema(BooleanUtils.isTrue(options.isValidateStaticSchema()));
-        if (options.getStopAfterErrors() != null) {
-            validator.setStopAfterErrors(options.getStopAfterErrors().longValue());
-        }
-        if (options.isSummarizeErrors()) {
-        	parentResult.setSummarizeErrors(true);
-        }
-        if (options.isSummarizeSucceses()) {
-        	parentResult.setSummarizeSuccesses(true);
+        if (options != null) {
+	        validator.setValidateSchema(BooleanUtils.isTrue(options.isValidateStaticSchema()));
+	        if (options.getStopAfterErrors() != null) {
+	            validator.setStopAfterErrors(options.getStopAfterErrors().longValue());
+	        }
+	        if (options.isSummarizeErrors()) {
+	        	parentResult.setSummarizeErrors(true);
+	        }
+	        if (options.isSummarizeSucceses()) {
+	        	parentResult.setSummarizeSuccesses(true);
+	        }
         }
 
         validator.validate(input, parentResult, OperationConstants.IMPORT_OBJECT);
 
     }
 
     private <T extends ObjectType> void importObjectToRepository(PrismObject<T> object, ImportOptionsType options,
-                                         Task task, OperationResult objectResult) throws SchemaException, ObjectAlreadyExistsException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, PolicyViolationException, SecurityViolationException {
+                                         Task task, OperationResult objectResult) throws ObjectNotFoundException, ExpressionEvaluationException, CommunicationException,
+				ConfigurationException, PolicyViolationException, SecurityViolationException, SchemaException, ObjectAlreadyExistsException {
 
         OperationResult result = objectResult.createSubresult(ObjectImporter.class.getName() + ".importObjectToRepository");
 
+        if (options == null) {
+        	options = new ImportOptionsType();
+        }
+
         if (BooleanUtils.isTrue(options.isKeepOid()) && object.getOid() == null) {
 			// Try to check if there is existing object with the same type and name
         	ObjectQuery query = ObjectQueryUtil.createNameQuery(object);
@@ -312,16 +322,10 @@ private <T extends ObjectType> void importObjectToRepository(PrismObject<T> obje
         		result.recordFatalError(e);
              	throw e;
         	}
-        } catch (SchemaException ex){
-        	result.recordFatalError("Schema exception, cannot import object: " + object, ex);
-//        	result.computeStatus();
-        	throw ex;
-//        } catch (CommunicationException ex){
-//        	result.recordFatalError("Communication problem, cannot import object: " + object, ex);
-//        	throw ex;
-//        } catch (CommunicationException ex){
-//        	result.recordFatalError("Communication problem, cannot import object: " + object, ex);
-//        	throw ex;
+        } catch (ObjectNotFoundException | ExpressionEvaluationException | CommunicationException
+				| ConfigurationException | PolicyViolationException | SecurityViolationException | SchemaException e) {
+        	result.recordFatalError("Cannot import " + object + ": "+e.getMessage(), e);
+        	throw e;
         } catch (RuntimeException ex){
         	result.recordFatalError("Couldn't import object: " + object +". Reason: " + ex.getMessage(), ex);
         	throw ex;

diff --git a/...-impl/src/test/java/com/evolveum/midpoint/model/AbstractInternalModelIntegrationTest.java b/...-impl/src/test/java/com/evolveum/midpoint/model/AbstractInternalModelIntegrationTest.java
@@ -91,7 +91,7 @@ public class AbstractInternalModelIntegrationTest extends AbstractModelIntegrati
 	public static final String SYSTEM_CONFIGURATION_FILENAME = COMMON_DIR_NAME + "/system-configuration.xml";
 	public static final String SYSTEM_CONFIGURATION_OID = SystemObjectsType.SYSTEM_CONFIGURATION.value();
 
-	protected static final File USER_ADMINISTRATOR_FILE = new File(COMMON_DIR, "user-administrator.xml");
+	public static final File USER_ADMINISTRATOR_FILE = new File(COMMON_DIR, "user-administrator.xml");
 	protected static final String USER_ADMINISTRATOR_NAME = "administrator";
 	protected static final String USER_ADMINISTRATOR_OID = "00000000-0000-0000-0000-000000000002";
 
@@ -113,7 +113,7 @@ public class AbstractInternalModelIntegrationTest extends AbstractModelIntegrati
 	protected static final String USER_LARGO_FILENAME = COMMON_DIR_NAME + "/user-largo.xml";
 	protected static final String USER_LARGO_OID = "c0c010c0-d34d-b33f-f00d-111111111118";
 
-	protected static final File ROLE_SUPERUSER_FILE = new File(COMMON_DIR, "role-superuser.xml");
+	public static final File ROLE_SUPERUSER_FILE = new File(COMMON_DIR, "role-superuser.xml");
 	protected static final String ROLE_SUPERUSER_OID = "00000000-0000-0000-0000-000000000004";
 
 	protected static final String ACCOUNT_HBARBOSSA_DUMMY_FILENAME = COMMON_DIR_NAME + "/account-hbarbossa-dummy.xml";

diff --git a/model/model-impl/src/test/java/com/evolveum/midpoint/model/expr/TestModelExpressions.java b/model/model-impl/src/test/java/com/evolveum/midpoint/model/expr/TestModelExpressions.java
@@ -37,6 +37,7 @@
 import org.testng.annotations.Test;
 import org.xml.sax.SAXException;
 
+import com.evolveum.midpoint.model.AbstractInternalModelIntegrationTest;
 import com.evolveum.midpoint.model.common.expression.ExpressionVariables;
 import com.evolveum.midpoint.model.common.expression.script.ScriptExpression;
 import com.evolveum.midpoint.model.common.expression.script.ScriptExpressionFactory;
@@ -51,13 +52,15 @@
 import com.evolveum.midpoint.schema.constants.MidPointConstants;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.result.OperationResult;
+import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.task.api.TaskManager;
 import com.evolveum.midpoint.test.util.TestUtil;
 import com.evolveum.midpoint.util.DOMUtil;
 import com.evolveum.midpoint.util.PrettyPrinter;
 import com.evolveum.midpoint.util.exception.SchemaException;
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
+import com.evolveum.midpoint.xml.ns._public.common.common_2a.RoleType;
 import com.evolveum.midpoint.xml.ns._public.common.common_2a.ScriptExpressionEvaluatorType;
 import com.evolveum.midpoint.xml.ns._public.common.common_2a.UserType;
 
@@ -101,6 +104,18 @@ public void setup() throws SchemaException, SAXException, IOException {
 		PrismTestUtil.resetPrismContext(MidPointPrismContextFactory.FACTORY);
 	}
 
+	@Override
+	public void initSystem(Task initTask, OperationResult initResult) throws Exception {
+		super.initSystem(initTask, initResult);
+
+		modelService.postInit(initResult);
+
+		// Administrator
+		PrismObject<UserType> userAdministrator = repoAddObjectFromFile(AbstractInternalModelIntegrationTest.USER_ADMINISTRATOR_FILE, UserType.class, initResult);
+		repoAddObjectFromFile(AbstractInternalModelIntegrationTest.ROLE_SUPERUSER_FILE, RoleType.class, initResult);
+		login(userAdministrator);
+	}
+
 	@Test
 	public void testHello() throws Exception {
 		final String TEST_NAME = "testHello";

diff --git a/.../test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java b/.../test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java
@@ -184,7 +184,7 @@ public class AbstractConfiguredModelIntegrationTest extends AbstractModelIntegra
 	protected static final String USER_LARGO_USERNAME = "largo";
 
 	// Rapp does not have a full name set, employeeType=COOK
-	protected static final String USER_RAPP_FILENAME = COMMON_DIR_NAME + "/user-rapp.xml";
+	protected static final File USER_RAPP_FILE = new File(COMMON_DIR, "user-rapp.xml");
 	protected static final String USER_RAPP_OID = "c0c010c0-d34d-b33f-f00d-11111111c008";
 	protected static final String USER_RAPP_USERNAME = "rapp";
 
@@ -206,7 +206,7 @@ public class AbstractConfiguredModelIntegrationTest extends AbstractModelIntegra
 	// Captain Kate Capsize does not exist in the repo. This user is designed to be added. 
 	// She has account on dummy resources (default, red, blue)
 	// The accounts are also assigned
-	static final String USER_CAPSIZE_FILENAME = COMMON_DIR_NAME + "/user-capsize.xml";
+	static final File USER_CAPSIZE_FILE = new File(COMMON_DIR, "user-capsize.xml");
 	protected static final String USER_CAPSIZE_OID = "c0c010c0-d34d-b33f-f00d-11c1c1c1c11c";
 	protected static final String USER_CAPSIZE_USERNAME = "capsize";
 

diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestPreviewChanges.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestPreviewChanges.java
@@ -1075,7 +1075,7 @@ public void test620AddUserCapsize() throws Exception {
         OperationResult result = task.getResult();
         assumeAssignmentPolicy(AssignmentPolicyEnforcementType.NONE);
 
-        PrismObject<UserType> user = PrismTestUtil.parseObject(new File(USER_CAPSIZE_FILENAME));
+        PrismObject<UserType> user = PrismTestUtil.parseObject(USER_CAPSIZE_FILE);
         ObjectDelta<UserType> userDelta = ObjectDelta.createAddDelta(user);
         Collection<ObjectDelta<? extends ObjectType>> deltas = MiscSchemaUtil.createCollection(userDelta);