Refactoring role exclusion schema (needed for MID-2210)

Evolveum · Feb 18, 2015 · ee61924 · ee61924
1 parent 214420c
commit ee61924
Show file tree

Hide file tree

Showing 5 changed files with 133 additions and 26 deletions.
diff --git a/infra/schema/src/main/resources/xml/ns/public/common/common-3.xsd b/infra/schema/src/main/resources/xml/ns/public/common/common-3.xsd
@@ -6259,11 +6259,15 @@
                     		</xsd:documentation>
                     	</xsd:annotation>
                     </xsd:element>
-					<xsd:element name="exclusion" type="tns:ExclusionType" minOccurs="0" maxOccurs="unbounded">
+					<xsd:element name="exclusion" type="tns:ExclusionPolicyConstraintType" minOccurs="0" maxOccurs="unbounded">
 						<xsd:annotation>
 							<xsd:documentation>
 								Specification of excluded roles (part of Segregation of Duties policy).
+								DEPRECATED. Use policyConstraints instead.
 							</xsd:documentation>
+							<xsd:appinfo>
+								<a:deprecated>true</a:deprecated>
+							</xsd:appinfo>
 						</xsd:annotation>
 					</xsd:element>
 					<xsd:element name="riskLevel" type="xsd:string" minOccurs="0">
@@ -6336,6 +6340,14 @@
 		                   </xsd:documentation>
 		               </xsd:annotation>
 		           </xsd:element>
+		           <xsd:element name="policyConstraints" type="tns:PolicyConstraintsType" minOccurs="0" maxOccurs="unbounded">
+						<xsd:annotation>
+							<xsd:documentation>
+								Set of governance, risk management, compliance (GRC) and similar policy contraints
+								that influence the identity model.
+							</xsd:documentation>
+						</xsd:annotation>
+					</xsd:element>
                 </xsd:sequence>
             </xsd:extension>
         </xsd:complexContent>
@@ -6707,30 +6719,118 @@
         </xsd:restriction>
     </xsd:simpleType>
 
-    <xsd:complexType name="ExclusionType">
+    <xsd:complexType name="PolicyConstraintsType">
     	<xsd:annotation>
     		<xsd:documentation>
-    			Container that defines exclusion of entities (e.g. roles).
-    			It is a part of Segregation of Duties (SoD) mechanism.
+    			Set of governance, risk management, compliance (GRC) and similar policy contraints
+				that influence the identity model.
+    		</xsd:documentation>
+    		<xsd:appinfo>
+                <a:container/>
+            </xsd:appinfo>
+    	</xsd:annotation>
+    	<xsd:sequence>
+    		<xsd:element name="exclusion" type="tns:ExclusionPolicyConstraintType" minOccurs="0" maxOccurs="unbounded"/>
+    	</xsd:sequence>
+        <xsd:attribute name="id" type="xsd:long" use="optional"/>
+    </xsd:complexType>
+
+	<xsd:complexType name="AbstractPolicyConstraintType">
+    	<xsd:annotation>
+    		<xsd:documentation>
+    			Basic data structure for all policy constraints.
     		</xsd:documentation>
     		<xsd:appinfo>
                 <a:container/>
             </xsd:appinfo>
     	</xsd:annotation>
     	<xsd:sequence>
     		<xsd:element ref="tns:description" minOccurs="0"/>
-    		<xsd:element name="targetRef" type="tns:ObjectReferenceType">
-    			<xsd:annotation>
-    				<xsd:documentation>
-    					Target of exclusion. The object defining this "exclustion" and
-    					the object defined as target cannot be assigned at the same time.
-    				</xsd:documentation>
-    			</xsd:annotation>
-    		</xsd:element>
-    		<xsd:element name="policy" type="tns:ExclusionPolicyType" minOccurs="0"/>
+    		<xsd:element name="enforcement" type="tns:PolicyConstraintEnforcementType" minOccurs="0" default="enforce"/>
+    		<!-- TODO: remediation -->
     	</xsd:sequence>
         <xsd:attribute name="id" type="xsd:long" use="optional"/>
     </xsd:complexType>
+
+    <xsd:complexType name="ExclusionPolicyConstraintType">
+    	<xsd:annotation>
+    		<xsd:documentation>
+    			Container that defines exclusion of entities (e.g. roles).
+    			It is a part of Segregation of Duties (SoD) mechanism.
+    		</xsd:documentation>
+    		<xsd:appinfo>
+                <a:container/>
+            </xsd:appinfo>
+    	</xsd:annotation>
+    	<xsd:complexContent>
+    		<xsd:extension base="tns:AbstractPolicyConstraintType">
+		    	<xsd:sequence>
+		    		<xsd:element name="targetRef" type="tns:ObjectReferenceType">
+		    			<xsd:annotation>
+		    				<xsd:documentation>
+		    					Target of exclusion. The object defining this "exclustion" and
+		    					the object defined as target cannot be assigned at the same time.
+		    				</xsd:documentation>
+		    			</xsd:annotation>
+		    		</xsd:element>
+		    		<xsd:element name="policy" type="tns:ExclusionPolicyType" minOccurs="0">
+		    			<xsd:annotation>
+		    				<xsd:appinfo>
+		    					<a:deprecated>true</a:deprecated>
+		    				</xsd:appinfo>
+		    			</xsd:annotation>
+		    		</xsd:element>
+		    	</xsd:sequence>
+		    </xsd:extension>
+		</xsd:complexContent>
+    </xsd:complexType>
+
+    <xsd:simpleType name="PolicyConstraintEnforcementType">
+        <xsd:annotation>
+            <xsd:documentation>
+                Enumeration of exclustion policy enforcement types.
+            </xsd:documentation>
+            <xsd:appinfo>
+                <jaxb:typesafeEnumClass/>
+            </xsd:appinfo>
+        </xsd:annotation>
+        <xsd:restriction base="xsd:string">
+            <xsd:enumeration value="enforce">
+                <xsd:annotation>
+                	<xsd:documentation>
+                		Strictly enforce the policy. Any operation that attempts to violate
+                		the policy will fail.
+                	</xsd:documentation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="ENFORCE"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+            <xsd:enumeration value="remediate">
+                <xsd:annotation>
+                	<xsd:documentation>
+                		The operation that attempts to violate the policy will be suspended.
+                		Remediation action will take place. This may be used e.g. to approve the
+                		exceptions from the policy. 
+                	</xsd:documentation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="REMEDIATE"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+            <xsd:enumeration value="report">
+                <xsd:annotation>
+                	<xsd:documentation>
+                		Policy will not be enforced in any way, the violations will only
+                		be reported.
+                	</xsd:documentation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="REPORT"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+        </xsd:restriction>
+    </xsd:simpleType>
 
     <xsd:simpleType name="ExclusionPolicyType">
         <xsd:annotation>
@@ -6739,6 +6839,7 @@
             </xsd:documentation>
             <xsd:appinfo>
                 <jaxb:typesafeEnumClass/>
+                <a:deprecated>true</a:deprecated>
             </xsd:appinfo>
         </xsd:annotation>
         <xsd:restriction base="xsd:string">
@@ -6776,7 +6877,6 @@
             </xsd:enumeration>
         </xsd:restriction>
     </xsd:simpleType>
-
 
     <xsd:complexType name="ConstructionType">
        <xsd:annotation>

diff --git a/...pl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/AssignmentProcessor.java b/...pl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/AssignmentProcessor.java
@@ -95,7 +95,7 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentPolicyEnforcementType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ConstructionType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ExclusionType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ExclusionPolicyConstraintType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
@@ -1309,7 +1309,7 @@ private void checkExclusion(AbstractRoleType roleA, AbstractRoleType roleB) thro
 	}
 
 	private void checkExclusionOneWay(AbstractRoleType roleA, AbstractRoleType roleB) throws PolicyViolationException {
-		for (ExclusionType exclusionA :roleA.getExclusion()) {
+		for (ExclusionPolicyConstraintType exclusionA :roleA.getExclusion()) {
 			ObjectReferenceType targetRef = exclusionA.getTargetRef();
 			if (roleB.getOid().equals(targetRef.getOid())) {
 				throw new PolicyViolationException("Violation of SoD policy: "+roleA+" excludes "+roleB+

diff --git a/...repo-sql-impl/src/main/java/com/evolveum/midpoint/repo/sql/data/common/RAbstractRole.java b/...repo-sql-impl/src/main/java/com/evolveum/midpoint/repo/sql/data/common/RAbstractRole.java
@@ -32,7 +32,7 @@
 import com.evolveum.midpoint.repo.sql.util.RUtil;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractRoleType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ExclusionType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ExclusionPolicyConstraintType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
 
 import org.hibernate.annotations.Cascade;
@@ -164,7 +164,7 @@ public static <T extends AbstractRoleType> void copyFromJAXB(AbstractRoleType ja
             repo.getAssignments().add(rInducement);
         }
 
-        for (ExclusionType exclusion : jaxb.getExclusion()) {
+        for (ExclusionPolicyConstraintType exclusion : jaxb.getExclusion()) {
             RExclusion rExclusion = new RExclusion(repo);
             RExclusion.copyFromJAXB(exclusion, rExclusion, jaxb, prismContext, generatorResult);
 

diff --git a/...l-impl/src/main/java/com/evolveum/midpoint/repo/sql/data/common/container/RExclusion.java b/...l-impl/src/main/java/com/evolveum/midpoint/repo/sql/data/common/container/RExclusion.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2013 Evolveum
+ * Copyright (c) 2010-2015 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,7 +25,7 @@
 import com.evolveum.midpoint.repo.sql.util.DtoTranslationException;
 import com.evolveum.midpoint.repo.sql.util.IdGeneratorResult;
 import com.evolveum.midpoint.repo.sql.util.RUtil;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ExclusionType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.ExclusionPolicyConstraintType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
 
 import org.apache.commons.lang.Validate;
@@ -36,11 +36,15 @@
 
 /**
  * @author lazyman
+ * 
+ * DEPRECATED. This does not need to be stored in the database any more.
+ * 
  */
-@JaxbType(type = ExclusionType.class)
+@JaxbType(type = ExclusionPolicyConstraintType.class)
 @Entity
 @IdClass(RContainerId.class)
 @ForeignKey(name = "fk_exclusion")
+@Deprecated
 public class RExclusion implements Container {
 
     public static final String F_OWNER = "owner";
@@ -150,7 +154,7 @@ public int hashCode() {
         return result;
     }
 
-    public static void copyToJAXB(RExclusion repo, ExclusionType jaxb, PrismContext prismContext) throws
+    public static void copyToJAXB(RExclusion repo, ExclusionPolicyConstraintType jaxb, PrismContext prismContext) throws
             DtoTranslationException {
         Validate.notNull(repo, "Repo object must not be null.");
         Validate.notNull(jaxb, "JAXB object must not be null.");
@@ -165,7 +169,7 @@ public static void copyToJAXB(RExclusion repo, ExclusionType jaxb, PrismContext
         }
     }
 
-    public static void copyFromJAXB(ExclusionType jaxb, RExclusion repo, ObjectType parent, PrismContext prismContext,
+    public static void copyFromJAXB(ExclusionPolicyConstraintType jaxb, RExclusion repo, ObjectType parent, PrismContext prismContext,
                                     IdGeneratorResult generatorResult) throws DtoTranslationException {
         Validate.notNull(repo, "Repo object must not be null.");
         Validate.notNull(jaxb, "JAXB object must not be null.");
@@ -178,8 +182,8 @@ public static void copyFromJAXB(ExclusionType jaxb, RExclusion repo, ObjectType
         repo.setTargetRef(RUtil.jaxbRefToEmbeddedRepoRef(jaxb.getTargetRef(), prismContext));
     }
 
-    public ExclusionType toJAXB(PrismContext prismContext) throws DtoTranslationException {
-        ExclusionType object = new ExclusionType();
+    public ExclusionPolicyConstraintType toJAXB(PrismContext prismContext) throws DtoTranslationException {
+        ExclusionPolicyConstraintType object = new ExclusionPolicyConstraintType();
         RExclusion.copyToJAXB(this, object, prismContext);
         return object;
     }

diff --git a/...impl/src/main/java/com/evolveum/midpoint/repo/sql/data/common/enums/RExclusionPolicy.java b/...impl/src/main/java/com/evolveum/midpoint/repo/sql/data/common/enums/RExclusionPolicy.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2013 Evolveum
+ * Copyright (c) 2010-2015 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,8 +21,11 @@
 
 /**
  * @author lazyman
+ * 
+ * DEPRECATED. This does not need to be stored in the database any more.
  */
 @JaxbType(type = ExclusionPolicyType.class)
+@Deprecated
 public enum RExclusionPolicy implements SchemaEnum<ExclusionPolicyType> {
 
     ENFORCE(ExclusionPolicyType.ENFORCE),