Test for MID-3636 and modification of ModelInteractionServiceImpl

Evolveum · Apr 12, 2017 · f6e1be9 · f6e1be9
1 parent 7af6a0b
commit f6e1be9
Show file tree

Hide file tree

Showing 3 changed files with 189 additions and 12 deletions.
diff --git a/...rc/main/java/com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.java b/...rc/main/java/com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.java
@@ -411,7 +411,7 @@ public <F extends FocusType> RoleSelectionSpecification getAssignableRoleSpecifi
 
 		try {
 			ObjectFilter filter = securityEnforcer.preProcessObjectFilter(ModelAuthorizationAction.ASSIGN.getUrl(), 
-					AuthorizationPhaseType.REQUEST, RoleType.class, focus, AllFilter.createAll());
+					AuthorizationPhaseType.REQUEST, AbstractRoleType.class, focus, AllFilter.createAll());
 			LOGGER.trace("assignableRoleSpec filter: {}", filter);
 			spec.setFilter(filter);
 			if (filter instanceof NoneFilter) {

diff --git a/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java b/model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestSecurity.java
@@ -36,11 +36,7 @@
 import com.evolveum.midpoint.prism.delta.ItemDelta;
 import com.evolveum.midpoint.prism.delta.ObjectDelta;
 import com.evolveum.midpoint.prism.path.ItemPath;
-import com.evolveum.midpoint.prism.query.NoneFilter;
-import com.evolveum.midpoint.prism.query.ObjectFilter;
-import com.evolveum.midpoint.prism.query.ObjectQuery;
-import com.evolveum.midpoint.prism.query.RefFilter;
-import com.evolveum.midpoint.prism.query.TypeFilter;
+import com.evolveum.midpoint.prism.query.*;
 import com.evolveum.midpoint.prism.util.PrismAsserts;
 import com.evolveum.midpoint.prism.util.PrismTestUtil;
 import com.evolveum.midpoint.prism.xml.XmlTypeConverter;
@@ -54,12 +50,10 @@
 import com.evolveum.midpoint.schema.util.ObjectQueryUtil;
 import com.evolveum.midpoint.security.api.Authorization;
 import com.evolveum.midpoint.security.api.AuthorizationConstants;
-import com.evolveum.midpoint.security.api.ItemSecurityDecisions;
 import com.evolveum.midpoint.security.api.MidPointPrincipal;
 import com.evolveum.midpoint.task.api.Task;
 import com.evolveum.midpoint.test.util.TestUtil;
 import com.evolveum.midpoint.util.Producer;
-import com.evolveum.midpoint.util.QNameUtil;
 import com.evolveum.midpoint.util.exception.CommunicationException;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
 import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
@@ -86,11 +80,8 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collection;
 import java.util.List;
-import java.util.Map.Entry;
-import java.util.Set;
 
 import static com.evolveum.midpoint.test.IntegrationTestTools.display;
 import static org.testng.AssertJUnit.assertEquals;
@@ -252,6 +243,9 @@ public class TestSecurity extends AbstractInitializedModelIntegrationTest {
 	protected static final File ROLE_LIMITED_USER_ADMIN_FILE = new File(TEST_DIR, "role-limited-user-admin.xml");
 	protected static final String ROLE_LIMITED_USER_ADMIN_OID = "66ee3a78-1b8a-11e7-aac6-5f43a0a86116";
 
+	protected static final File ROLE_END_USER_REQUESTABLE_ORGS_FILE = new File(TEST_DIR,"role-end-user-requestable-orgs.xml");
+	protected static final String ROLE_END_USER_REQUESTABLE_ORGS_OID = "9434bf5b-c088-456f-9286-84a1e5a0223c";
+
 	private static final String LOG_PREFIX_FAIL = "SSSSS=X ";
 	private static final String LOG_PREFIX_ATTEMPT = "SSSSS=> ";
 	private static final String LOG_PREFIX_DENY = "SSSSS=- ";
@@ -322,7 +316,9 @@ public void initSystem(Task initTask, OperationResult initResult) throws Excepti
 		repoAddObjectFromFile(ROLE_MANAGER_FULL_CONTROL_FILE, initResult);
 		repoAddObjectFromFile(ROLE_ROLE_OWNER_FULL_CONTROL_FILE, initResult);
 		repoAddObjectFromFile(ROLE_ROLE_OWNER_ASSIGN_FILE, initResult);
-
+
+		repoAddObjectFromFile(ROLE_END_USER_REQUESTABLE_ORGS_FILE, initResult);
+
 		assignOrg(USER_GUYBRUSH_OID, ORG_SWASHBUCKLER_SECTION_OID, initTask, initResult);
 
 		PrismObject<UserType> userRum = createUser(USER_RUM_ROGERS_NAME, "Rum Rogers");
@@ -2344,6 +2340,42 @@ public void run(Task task, OperationResult result) throws Exception {
         assertGlobalStateUntouched();
 	}
 
+	/**
+	 * MID-3636
+	 */
+	@Test
+	public void test275AutzJackAssignRequestableOrgs() throws Exception { // TODO mod test name
+		final String TEST_NAME = "test275bAutzJackAssignRequestableOrgs";
+		TestUtil.displayTestTile(this, TEST_NAME);
+		// GIVEN
+		cleanupAutzTest(USER_JACK_OID);
+		assignRole(USER_JACK_OID, ROLE_END_USER_REQUESTABLE_ORGS_OID);
+
+		assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
+
+		login(USER_JACK_USERNAME);
+
+		// WHEN
+		TestUtil.displayWhen(TEST_NAME);
+
+
+		PrismObject<UserType> user = getUser(USER_JACK_OID);
+		assertAssignments(user, 2);
+		assertAssignedRole(user, ROLE_END_USER_REQUESTABLE_ORGS_OID);
+
+		ObjectQuery query = new ObjectQuery();
+		EqualFilter equalFilter = EqualFilter.createEqual(new ItemPath(AbstractRoleType.F_REQUESTABLE),null,null, user.getPrismContext(),true);
+
+		ObjectFilter filterRoleTypeRequestable=TypeFilter.createType(RoleType.COMPLEX_TYPE, equalFilter);
+		ObjectFilter filterOrgTypeRequestable=TypeFilter.createType(OrgType.COMPLEX_TYPE, equalFilter);
+		ObjectFilter orFilter =  ObjectQueryUtil.filterOr(filterRoleTypeRequestable,filterOrgTypeRequestable);
+		query.addFilter(TypeFilter.createType(RoleType.COMPLEX_TYPE, orFilter));
+
+		assertSearch(AbstractRoleType.class,query,1);
+
+		assertGlobalStateUntouched();
+	}
+
 	/**
 	 * MID-3136
 	 */

diff --git a/model/model-intest/src/test/resources/security/role-end-user-requestable-orgs.xml b/model/model-intest/src/test/resources/security/role-end-user-requestable-orgs.xml
@@ -0,0 +1,145 @@
+<role  oid="9434bf5b-c088-456f-9286-84a1e5a0223c"
+         xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
+    <name>Assign Requestable orgs</name>
+   <description>Role authorizing end users to log in, change their passwords and review assigned accounts.</description>
+   <authorization id="1">
+      <name>gui-self-service-access</name>
+      <description>
+    		Allow access to all self-service operations in GUI.
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll</action>
+   </authorization>
+   <authorization id="2">
+      <name>self-read</name>
+      <description>
+    		Allow to read all the properties of "self" object. I.e. every logged-in user can read
+    		object that represent his own identity.
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+      <object>
+         <special>self</special>
+      </object>
+   </authorization>
+   <authorization id="3">
+      <name>self-shadow-read</name>
+      <description>
+    		Allow to read all the properties of all the shadows that belong to "self" object. 
+    		I.e. every logged-in user can read all his accounts.
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+      <object>
+         <type>ShadowType</type>
+         <owner>
+            <special>self</special>
+         </owner>
+      </object>
+   </authorization>
+   <authorization id="4">
+      <name>self-credentials-request</name>
+      <description>
+    		Allow to modify user's own credentials.
+    		Note that this is a request phase authorization. It also requires corresponding execution-phase authorization.
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials</action>
+      <phase>request</phase>
+      <object>
+         <special>self</special>
+      </object>
+      <c:item>credentials</c:item>
+   </authorization>
+   <authorization id="5">
+      <name>self-shadow-credentials-request</name>
+      <description>
+    		Allow to modify credentials of all users accounts.
+    		Note that this is a request phase authorization. It also requires corresponding execution-phase authorization.
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#changeCredentials</action>
+      <phase>request</phase>
+      <object>
+         <type>ShadowType</type>
+         <owner>
+            <special>self</special>
+         </owner>
+      </object>
+      <c:item>credentials</c:item>
+   </authorization>
+   <authorization id="6">
+      <name>assign-requestable-roles</name>
+      <description>
+    		Allow to assign requestable roles. This allows to request roles in a request-and-approve process.
+    	    The requestable roles will be displayed in the role request dialog by default.
+    	    Please note that the roles also need an approved definition to go through the approval process.
+    	    Otherwise they will be assigned automatically wihout any approval. 
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
+      <phase>request</phase>
+      <object>
+         <special>self</special>
+      </object>
+      <target>
+         <type>RoleType</type>
+         <filter>
+            <q:equal>
+               <q:path>requestable</q:path>
+               <q:value>true</q:value>
+            </q:equal>
+         </filter>
+      </target>
+   </authorization>
+   <authorization id="7">
+      <name>assignment-target-read</name>
+      <description>
+    		Authorization that allows to read all the object that are possible assignment targets. We want that
+    		to display the targets in the selection windows.
+    		Note that this authorization may be too broad for production use. Normally it should be limited to just
+    		selected properties such as name and description.
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+      <object>
+         <type>OrgType</type>
+      </object>
+      <object>
+         <type>ResourceType</type>
+      </object>
+      <object>
+         <type>RoleType</type>
+      </object>
+      <object>
+         <type>ServiceType</type>
+      </object>
+   </authorization>
+   <authorization id="8">
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#modify</action>
+      <phase>execution</phase>
+   </authorization>
+   <authorization id="9">
+      <name>assign-requestable-orgs</name>
+      <description>
+    		Allow to assign requestable roles. This allows to request roles in a request-and-approve process.
+    	    The requestable roles will be displayed in the role request dialog by default.
+    	    Please note that the roles also need an approved definition to go through the approval process.
+    	    Otherwise they will be assigned automatically wihout any approval. 
+    	</description>
+      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
+      <phase>request</phase>
+      <object>
+         <special>self</special>
+      </object>
+      <target>
+         <type>OrgType</type>
+         <filter>
+            <q:equal>
+               <q:path>requestable</q:path>
+               <q:value>true</q:value>
+            </q:equal>
+         </filter>
+      </target>
+   </authorization>
+   <roleType>system</roleType>
+</role>