List<EvaluatedPolicyRule> triggeredApprovalActionRules = main.selectTriggeredApprovalActionRules(evaluatedAssignment.getAllTargetsPolicyRules()); logApprovalActions(evaluatedAssignment, triggeredApprovalActionRules, assignmentMode); PrismObject<?> targetObject = evaluatedAssignment.getTarget(); if (targetObject == null) { if (!triggeredApprovalActionRules.isEmpty()) {
/**
 * Evaluates the approval display name held by the schema builder result into a localizable message.
 *
 * <p>The expression variables are the focus object (new or old) and its display information, plus the
 * assignment target, its display information, the evaluated assignment and the assignment bean. When no
 * evaluated assignment is supplied, the four assignment-related variables are still defined, each with a
 * {@code null} value.
 *
 * @param schemaBuilderResult result whose {@code approvalDisplayName} is evaluated
 * @param evaluatedAssignment assignment being approved; may be {@code null}
 * @param ctx invocation context supplying the model context and the task
 * @param result operation result passed to the evaluation
 * @return the evaluated message, or {@code null} when no approval display name is set
 * @throws SystemException wrapping any {@code CommonException} or {@code RuntimeException} raised while
 *         the message is being created
 */
private LocalizableMessage processNameFromApprovalActions(ApprovalSchemaBuilder.Result schemaBuilderResult,
        @Nullable EvaluatedAssignment<?> evaluatedAssignment, ModelInvocationContext<?> ctx, OperationResult result) {
    if (schemaBuilderResult.approvalDisplayName == null) {
        return null;
    }

    Map<QName, Object> expressionVariables = new HashMap<>();

    // Focus-related variables are always present.
    expressionVariables.put(ExpressionConstants.VAR_OBJECT, getFocusObjectNewOrOld(ctx.modelContext));
    expressionVariables.put(ExpressionConstants.VAR_OBJECT_DISPLAY_INFORMATION,
            createLocalizableMessageType(
                    createDisplayInformation(asPrismObject(getFocusObjectNewOrOld(ctx.modelContext)), false)));

    // Assignment-related variables are defined in both cases, so the expression can always reference them.
    if (evaluatedAssignment == null) {
        expressionVariables.put(ExpressionConstants.VAR_TARGET, null);
        expressionVariables.put(ExpressionConstants.VAR_TARGET_DISPLAY_INFORMATION, null);
        expressionVariables.put(ExpressionConstants.VAR_EVALUATED_ASSIGNMENT, null);
        expressionVariables.put(ExpressionConstants.VAR_ASSIGNMENT, null);
    } else {
        expressionVariables.put(ExpressionConstants.VAR_TARGET, evaluatedAssignment.getTarget());
        expressionVariables.put(ExpressionConstants.VAR_TARGET_DISPLAY_INFORMATION,
                createLocalizableMessageType(createDisplayInformation(evaluatedAssignment.getTarget(), false)));
        expressionVariables.put(ExpressionConstants.VAR_EVALUATED_ASSIGNMENT, evaluatedAssignment);
        expressionVariables.put(ExpressionConstants.VAR_ASSIGNMENT, evaluatedAssignment.getAssignmentType());
    }

    LocalizableMessageType evaluatedName;
    try {
        evaluatedName = modelInteractionService.createLocalizableMessageType(
                schemaBuilderResult.approvalDisplayName, expressionVariables, ctx.taskFromModel, result);
    } catch (CommonException | RuntimeException e) {
        throw new SystemException("Couldn't create localizable message for approval display name: " + e.getMessage(), e);
    }
    // The conversion stays outside the try block, so its failures are not wrapped in SystemException.
    return LocalizationUtil.toLocalizableMessage(evaluatedName);
}
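/**
 * Factors the modifications of a single assignment value out of the focus delta.
 *
 * <p>The assignment value is addressed by the path {@code assignment/<id>}.
 *
 * @param evaluatedAssignment assignment whose modifications are requested; it must have an ID
 * @param objectTreeDeltas deltas whose focus change is searched
 * @return the delta holding the modifications of that assignment value, or {@code null} when the focus
 *         delta has no such modifications
 * @throws IllegalStateException if the assignment has no ID, or if there is no focus delta
 */
private <T extends ObjectType> ObjectDelta<T> factorOutAssignmentModifications(EvaluatedAssignment<?> evaluatedAssignment,
        ObjectTreeDeltas<T> objectTreeDeltas) {
    Long id = evaluatedAssignment.getAssignmentId();
    if (id == null) {
        // Should never occur: assignments to be modified must have IDs.
        throw new IllegalStateException("None or unnumbered assignment in " + evaluatedAssignment);
    }
    ItemPath assignmentValuePath = ItemPath.create(FocusType.F_ASSIGNMENT, id);

    ObjectDelta<T> focusDelta = objectTreeDeltas.getFocusChange();
    // Checked explicitly rather than with `assert`: assertions are normally disabled at runtime, and the
    // missing delta would then surface as a bare NullPointerException on the next statement.
    if (focusDelta == null) {
        throw new IllegalStateException("No focus delta while factoring out modifications of " + evaluatedAssignment);
    }

    // NOTE(review): factorOut presumably also removes the matching modifications from focusDelta — confirm.
    ObjectDelta.FactorOutResultSingle<T> factorOutResult = focusDelta.factorOut(singleton(assignmentValuePath), false);
    if (factorOutResult.offspring == null) {
        LOGGER.trace("No modifications for an assignment, skipping approval action(s). Assignment = {}", evaluatedAssignment);
        return null;
    }
    return factorOutResult.offspring;
}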
/**
 * Collects the certification actions of the policy rules of all evaluated assignments in the context.
 *
 * @param context model context whose evaluated assignment triple is inspected
 * @return the certification actions of every assignment's target policy rules, or an empty list when
 *         the context has no evaluated assignment triple
 */
private Collection<CertificationPolicyActionType> getAssignmentCertificationActions(ModelContext<?> context) {
    DeltaSetTriple<? extends EvaluatedAssignment<?>> assignments = context.getEvaluatedAssignmentTriple();
    if (assignments == null) {
        return Collections.emptyList();
    }
    // One list of actions per evaluated assignment, flattened into a single list.
    return assignments.stream()
            .flatMap(assignment -> getCertificationActions(assignment.getAllTargetsPolicyRules()).stream())
            .collect(Collectors.toList());
}
OperationResult result) throws SchemaException { PrismObject<?> targetObject = evaluatedAssignment.getTarget(); ApprovalSchemaBuilder builder = new ApprovalSchemaBuilder(main, approvalSchemaHelper);
if (!conflictingAssignment.isPresentInOldObject()) { SingleLocalizableMessage message = new LocalizableMessageBuilder() .key("PolicyViolationException.message.prunedRolesAssigned") .arg(ObjectTypeUtil.createDisplayInformation(plusAssignment.getTarget(), false)) .arg(ObjectTypeUtil.createDisplayInformation(conflictingAssignment.getTarget(), false)) .build(); targetPolicyRule.addTrigger( enforceOverride = true; } else { PrismContainerValue<AssignmentType> assignmentValueToRemove = conflictingAssignment.getAssignmentType() .asPrismContainerValue().clone(); PrismObjectDefinition<F> focusDef = context.getFocusContext().getObjectDefinition();
// Exactly one evaluated assignment is expected in the plus set; it is taken for the checks below.
assertEquals("Wrong number of evaluated assignments (plus)", 1, evaluatedAssignmentsPlus.size());
EvaluatedAssignment<UserType> evaluatedAssignment = evaluatedAssignmentsPlus.iterator().next();

// The roles of that assignment must have neither plus nor minus values.
DeltaSetTriple<? extends EvaluatedAssignmentTarget> rolesTriple = evaluatedAssignment.getRoles();
PrismAsserts.assertTripleNoPlus(rolesTriple);
PrismAsserts.assertTripleNoMinus(rolesTriple);

// NOTE(review): evaluatedRoles is not declared in this excerpt; presumably the zero set of rolesTriple — confirm.
assertEquals("Wrong number of evaluated role", 1, evaluatedRoles.size());
assertEvaluatedRole(evaluatedRoles, ROLE_MINISTER_OID);

// Two policy rules are expected over all targets of the assignment.
Collection<EvaluatedPolicyRule> allTargetsPolicyRules = evaluatedAssignment.getAllTargetsPolicyRules();
display("Evaluated policy rules", allTargetsPolicyRules);
assertEquals("Wrong number of evaluated policy rules", 2, allTargetsPolicyRules.size());
private <AH extends AssignmentHolderType> EvaluatedPolicyRuleTrigger<MultiplicityPolicyConstraintType> checkAssigneeConstraints(JAXBElement<MultiplicityPolicyConstraintType> constraint, LensContext<AH> context, EvaluatedAssignment<AH> assignment, PlusMinusZero plusMinus, AssignmentPolicyRuleEvaluationContext<AH> ctx, OperationResult result) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException { PrismObject<?> target = assignment.getTarget(); if (target == null || !(target.asObjectable() instanceof AbstractRoleType)) { return null; QName relation = assignment.getNormalizedRelation(relationRegistry); if (relation == null || !containsRelation(constraint.getValue(), relation)) { return null;
assignmentIdi.recompute(); EvaluatedAssignment<UserType> assignment = assignmentEvaluator.evaluate(assignmentIdi, PlusMinusZero.ZERO, false, userType, userType.toString(), virtual, task, result); if (assignment.isValid()) { addAuthorizations(authorizations, assignment.getAuthorizations(), authorizationTransformer); adminGuiConfigurations.addAll(assignment.getAdminGuiConfigurations()); for (EvaluatedAssignmentTarget target : assignment.getRoles().getNonNegativeValues()) { if (target.isValid() && target.getTarget() != null && target.getTarget().asObjectable() instanceof UserType && DeputyUtils.isDelegationPath(target.getAssignmentPath(), relationRegistry)) {
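/**
 * Removes an added or deleted assignment value from the focus delta and returns it as a delta of its own.
 *
 * <p>The value is first subtracted from the primary (focus) delta. If it is not found there, the
 * secondary delta of the focus context is tried; a value found only in the secondary delta yields
 * {@code null}, because there is nothing to be approved in that case.
 *
 * @param evaluatedAssignment assignment whose value is factored out
 * @param assignmentMode {@code PLUS} for an added assignment, {@code MINUS} for a deleted one
 * @param objectTreeDeltas deltas from which the value is subtracted
 * @param ctx invocation context supplying the model context
 * @return a delta adding or deleting the assignment, or {@code null} when the value was present only in
 *         the secondary delta
 * @throws IllegalArgumentException if {@code assignmentMode} is neither {@code PLUS} nor {@code MINUS}
 * @throws IllegalStateException if the value is found in neither the primary nor the secondary delta
 * @throws SchemaException declared by the signature; the call that raises it is not visible here
 */
private ObjectDelta<? extends ObjectType> factorOutAssignmentValue(EvaluatedAssignment<?> evaluatedAssignment,
        PlusMinusZero assignmentMode, @NotNull ObjectTreeDeltas<?> objectTreeDeltas, ModelInvocationContext<?> ctx)
        throws SchemaException {
    // Checked explicitly rather than with `assert`: assertions are normally disabled at runtime, and any
    // other mode would then silently be treated as an addition (assignmentRemoved == false).
    if (assignmentMode != PLUS && assignmentMode != MINUS) {
        throw new IllegalArgumentException("Assignment mode must be PLUS or MINUS, but was " + assignmentMode);
    }

    @SuppressWarnings("unchecked")
    PrismContainerValue<AssignmentType> assignmentValue = evaluatedAssignment.getAssignmentType().asPrismContainerValue();
    boolean assignmentRemoved = assignmentMode == MINUS;

    boolean reallyRemoved = objectTreeDeltas.subtractFromFocusDelta(FocusType.F_ASSIGNMENT, assignmentValue,
            assignmentRemoved, false);
    if (!reallyRemoved) {
        ObjectDelta<?> secondaryDelta = ctx.modelContext.getFocusContext().getSecondaryDelta();
        if (secondaryDelta != null
                && secondaryDelta.subtract(FocusType.F_ASSIGNMENT, assignmentValue, assignmentRemoved, true)) {
            LOGGER.trace("Assignment to be added/deleted was not found in primary delta. It is present in secondary delta, so there's nothing to be approved.");
            return null;
        }
        // The message embeds full debug dumps of the assignment and of the primary delta.
        // NOTE(review): confirm that this exception text is not shown to users who may not see that content.
        String message = "Assignment to be added/deleted was not found in primary nor secondary delta."
                + "\nAssignment:\n" + assignmentValue.debugDump()
                + "\nPrimary delta:\n" + objectTreeDeltas.debugDump();
        throw new IllegalStateException(message);
    }

    String objectOid = getFocusObjectOid(ctx.modelContext);
    return assignmentToDelta(ctx.modelContext.getFocusClass(), evaluatedAssignment.getAssignmentType(),
            assignmentRemoved, objectOid);
}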
.evaluate(assignmentIdi, PlusMinusZero.ZERO, false, potentialDeputy.asObjectable(), potentialDeputy.toString(), false, task, result); if (!assignment.isValid()) { continue; for (EvaluatedAssignmentTarget target : assignment.getRoles().getNonNegativeValues()) { if (target.getTarget() != null && target.getTarget().getOid() != null && DeputyUtils.isDelegationPath(target.getAssignmentPath(), relationRegistry)
/**
 * Previews an empty modify delta for the user identified by USER_JACK_OID and checks that all the roles
 * are visible in the resulting evaluated assignments.
 */
@Test
public void test135PreviewChangesEmptyDelta() throws Exception {
    final String testName = "test135PreviewChangesEmptyDelta";
    displayTestTitle(testName);

    Task task = createTask(testName);
    OperationResult result = task.getResult();

    // A modify delta without any modifications.
    ObjectDelta<UserType> emptyDelta = getUser(USER_JACK_OID).createModifyDelta();

    // WHEN
    ModelContext<ObjectType> previewContext = modelInteractionService.previewChanges(
            MiscSchemaUtil.createCollection(emptyDelta), getDefaultOptions(), task, result);

    // THEN
    result.computeStatus();
    TestUtil.assertSuccess(result);

    // Nothing changes, so the single evaluated assignment must sit in the zero set.
    DeltaSetTriple<? extends EvaluatedAssignment> assignmentTriple = previewContext.getEvaluatedAssignmentTriple();
    PrismAsserts.assertTripleNoPlus(assignmentTriple);
    PrismAsserts.assertTripleNoMinus(assignmentTriple);
    Collection<? extends EvaluatedAssignment> zeroAssignments = assignmentTriple.getZeroSet();
    assertEquals("Wrong number of evaluated assignments", 1, zeroAssignments.size());

    // The same holds for the roles of that assignment: both expected roles are in the zero set.
    EvaluatedAssignment<UserType> onlyAssignment = zeroAssignments.iterator().next();
    DeltaSetTriple<? extends EvaluatedAssignmentTarget> roleTriple = onlyAssignment.getRoles();
    PrismAsserts.assertTripleNoPlus(roleTriple);
    PrismAsserts.assertTripleNoMinus(roleTriple);
    Collection<? extends EvaluatedAssignmentTarget> zeroRoles = roleTriple.getZeroSet();
    assertEquals("Wrong number of evaluated role", 2, zeroRoles.size());
    assertEvaluatedRole(zeroRoles, ROLE_ADRIATIC_PIRATE_OID);
    assertEvaluatedRole(zeroRoles, ROLE_PIRATE_OID);
}
/**
 * Enforces the triggered policy rules of every evaluated assignment in the context.
 *
 * <p>Does nothing when the context has no evaluated assignment triple.
 *
 * @param evalCtx evaluation context handed to {@code enforceTriggeredRules}
 * @param context model context whose evaluated assignments are visited
 */
private <F extends FocusType> void evaluateAssignmentRules(EvaluationContext evalCtx, ModelContext<F> context) {
    DeltaSetTriple<? extends EvaluatedAssignment> assignments = context.getEvaluatedAssignmentTriple();
    if (assignments != null) {
        // Each visited assignment contributes the policy rules of all its targets.
        assignments.simpleAccept(
                evaluated -> enforceTriggeredRules(evalCtx, evaluated.getAllTargetsPolicyRules()));
    }
}
// Re-types the assignment target as PrismObject<? extends ObjectType>.
PrismObject<? extends ObjectType> target = (PrismObject<? extends ObjectType>) evaluatedAssignment.getTarget();
// An assignment without a target is rejected here.
Validate.notNull(target, "assignment target is null");
/**
 * Converts this exclusion trigger into its externalized bean form.
 *
 * <p>The common content is always filled in. The conflicting object reference, its display name and the
 * conflicting path are added only under the {@code FULL} triggered-rules storage strategy. A clone of
 * the conflicting assignment is added only when the options also ask for assignments content.
 *
 * @param options externalization options that decide how much detail is stored
 * @param prismContext context used to create the conflicting object reference
 * @return the externalized trigger
 */
@Override
public EvaluatedExclusionTriggerType toEvaluatedPolicyRuleTriggerType(PolicyRuleExternalizationOptions options,
        PrismContext prismContext) {
    EvaluatedExclusionTriggerType externalized = new EvaluatedExclusionTriggerType();
    fillCommonContent(externalized);

    if (options.getTriggeredRulesStorageStrategy() != FULL) {
        // Any other strategy stores the common content only.
        return externalized;
    }

    externalized.setConflictingObjectRef(ObjectTypeUtil.createObjectRef(conflictingTarget, prismContext));
    externalized.setConflictingObjectDisplayName(ObjectTypeUtil.getDisplayName(conflictingTarget));
    if (conflictingPath != null) {
        externalized.setConflictingObjectPath(
                conflictingPath.toAssignmentPathType(options.isIncludeAssignmentsContent()));
    }
    // The assignment is copied into the result only on explicit request, and as a clone of the original.
    if (options.isIncludeAssignmentsContent() && conflictingAssignment.getAssignmentType() != null) {
        externalized.setConflictingAssignment(conflictingAssignment.getAssignmentType().clone());
    }
    return externalized;
}
}
/**
 * Executes the scripting actions of the policy rules found in the given context.
 *
 * <p>The focus policy rules are processed first, then the policy rules of all targets of every
 * non-negative evaluated assignment. Nothing is done when the context has no focus context.
 *
 * @param context model context holding the focus context and the evaluated assignments
 * @param task task passed to the scripting actions
 * @param result operation result passed to the scripting actions
 */
public <O extends ObjectType> void execute(@NotNull ModelContext<O> context, Task task, OperationResult result) {
    LensFocusContext<?> focusContext = (LensFocusContext<?>) context.getFocusContext();
    if (focusContext == null) {
        return;
    }

    for (EvaluatedPolicyRule focusRule : focusContext.getPolicyRules()) {
        executeRuleScriptingActions(focusRule, context, task, result);
    }

    DeltaSetTriple<EvaluatedAssignmentImpl<?>> assignmentTriple = ((LensContext<?>) context).getEvaluatedAssignmentTriple();
    if (assignmentTriple == null) {
        return;
    }
    // Non-negative values only: assignments in the minus set are left out.
    for (EvaluatedAssignment<?> evaluatedAssignment : assignmentTriple.getNonNegativeValues()) {
        for (EvaluatedPolicyRule assignmentRule : evaluatedAssignment.getAllTargetsPolicyRules()) {
            executeRuleScriptingActions(assignmentRule, context, task, result);
        }
    }
}
// The exclusion trigger must name the ROLE_JUDGE_OID role as the target of the conflicting assignment.
assertEquals("Wrong conflicting assignment in trigger", ROLE_JUDGE_OID, triggerExclusion.getConflictingAssignment().getTarget().getOid());

// The first trigger of the source rule is expected to be an exclusion trigger (the cast fails otherwise)
// and must carry the same conflicting assignment.
EvaluatedExclusionTrigger sourceTrigger = (EvaluatedExclusionTrigger) sourceRule.getTriggers().iterator().next();
assertNotNull("No conflicting assignment in source trigger", sourceTrigger.getConflictingAssignment());
assertEquals("Wrong conflicting assignment in source trigger", ROLE_JUDGE_OID, sourceTrigger.getConflictingAssignment().getTarget().getOid());
/**
 * Emits a policy event, where one is present, for every policy rule found in the given context.
 *
 * <p>The focus policy rules are processed first, then the policy rules of all targets of every
 * non-negative evaluated assignment.
 *
 * @param context model context holding the focus context and the evaluated assignments
 * @param task task passed to the event emission
 * @param result operation result passed to the event emission
 */
private void emitPolicyRulesEvents(ModelContext<?> context, Task task, OperationResult result) {
    // NOTE(review): the focus context is dereferenced without a null check; presumably the caller
    // guarantees that it exists — confirm.
    LensFocusContext<?> focusContext = (LensFocusContext<?>) context.getFocusContext();
    for (EvaluatedPolicyRule focusRule : focusContext.getPolicyRules()) {
        emitPolicyEventIfPresent(focusRule, context, task, result);
    }

    DeltaSetTriple<EvaluatedAssignmentImpl<?>> assignmentTriple = ((LensContext<?>) context).getEvaluatedAssignmentTriple();
    if (assignmentTriple == null) {
        return;
    }
    // Non-negative values only: assignments in the minus set are left out.
    for (EvaluatedAssignment<?> evaluatedAssignment : assignmentTriple.getNonNegativeValues()) {
        for (EvaluatedPolicyRule assignmentRule : evaluatedAssignment.getAllTargetsPolicyRules()) {
            emitPolicyEventIfPresent(assignmentRule, context, task, result);
        }
    }
}