MID-8664: value metadata should not leak to other refs anymore

This was caused by the same ref instance used for both roleMembership
and archetypeRefs, now the ref is cloned before metadata are added.

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/focus/AssignmentProcessor.java

@@ -59,6 +59,7 @@
 import com.evolveum.midpoint.prism.path.ItemName;
 import com.evolveum.midpoint.prism.path.ItemPath;
 import com.evolveum.midpoint.prism.path.PathKeyedMap;
+import com.evolveum.midpoint.prism.util.CloneUtil;
 import com.evolveum.midpoint.prism.util.ObjectDeltaObject;
 import com.evolveum.midpoint.repo.common.ObjectResolver;
 import com.evolveum.midpoint.repo.common.SystemObjectCache;
@@ -1045,6 +1046,8 @@ private void addRoleReferences(
         // If sysconfig enables accesses value metadata, we will add them.
         SystemConfigurationType sysconfig = systemObjectCache.getSystemConfigurationBean(operationResult);
         if (SystemConfigurationTypeUtil.isAccessesMetadataEnabled(sysconfig)) {
+            // Refs can be shared also for archetype refs and we don't want metadata there (MID-8664).
+            membershipRefVals = CloneUtil.cloneCollectionMembers(membershipRefVals);
             for (PrismReferenceValue roleRef : membershipRefVals) {
                 addAssignmentPathValueMetadataValues(roleRef, evaluatedAssignment, focusContext);
             }

model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestAccessesValueMetadata.java

@@ -8,8 +8,7 @@
 
 import static org.assertj.core.api.Assertions.assertThat;
 
-import static com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentHolderType.F_ASSIGNMENT;
-import static com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentHolderType.F_ROLE_MEMBERSHIP_REF;
+import static com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentHolderType.*;
 
 import java.io.File;
 import java.util.Arrays;
@@ -412,6 +411,35 @@ public void test610AddUserWithApproverAssignmentWithTargetRefFilter() throws Exc
         segmentsHaveExpectedRelations(userAsserter, businessRole1Oid, SchemaConstants.ORG_APPROVER);
     }
 
+    @Test(description = "MID-8664")
+    public void test700ValueMetadataShouldNotBeAddedToArchetypeRefs() throws Exception {
+        Task task = getTestTask();
+        OperationResult result = task.getResult();
+
+        given("existing archetype");
+        String archetypeOid = addObject(new ArchetypeType().name("archetype-" + getTestNumber()), task, result);
+
+        when("user with the archetype is added");
+        String userOid = addObject(
+                new UserType()
+                        .name("user-" + getTestNumber())
+                        .assignment(new AssignmentType()
+                                .targetRef(createObjectReference(archetypeOid,
+                                        ArchetypeType.COMPLEX_TYPE, SchemaConstants.ORG_DEFAULT))),
+                task, result);
+
+        then("roleMembershipRef and archetypeRef is populated");
+        UserAsserter<Void> userAsserter = assertUser(userOid, "after")
+                .displayXml() // XML also shows the metadata
+                .assertRoleMembershipRefs(1)
+                .assertArchetypeRefs(1);
+
+        and("only roleMembershipRef has value metadata, archetypeRef does not have any");
+        assertAssignmentPath(userAsserter, archetypeOid, new ExpectedAssignmentPath(archetypeOid));
+        userAsserter.valueMetadata(F_ARCHETYPE_REF, ValueSelector.refEquals(archetypeOid))
+                .assertSize(0);
+    }
+
     @Test
     public void test900AccessesMetadataAreOnByDefault() throws Exception {
         Task task = getTestTask();