@Override public void triggerRule(@NotNull EvaluatedPolicyRule rule, Collection<EvaluatedPolicyRuleTrigger<?>> triggers) { boolean hasException = processRuleExceptions(this, rule, triggers); for (EvaluatedPolicyRuleTrigger<?> trigger : triggers) { if (trigger instanceof EvaluatedExclusionTrigger) { EvaluatedExclusionTrigger exclTrigger = (EvaluatedExclusionTrigger) trigger; if (exclTrigger.getConflictingAssignment() != null) { hasException = hasException || processRuleExceptions((EvaluatedAssignmentImpl<AH>) exclTrigger.getConflictingAssignment(), rule, triggers); } } } if (!hasException) { LensUtil.triggerRule(rule, triggers, policySituations); } }
private <AH extends AssignmentHolderType> EvaluatedExclusionTrigger createTrigger(EvaluatedAssignmentImpl<AH> assignmentA, @NotNull EvaluatedAssignmentImpl<AH> assignmentB, EvaluatedAssignmentTargetImpl targetB, JAXBElement<ExclusionPolicyConstraintType> constraintElement, EvaluatedPolicyRule policyRule, AssignmentPolicyRuleEvaluationContext<AH> ctx, OperationResult result) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException { AssignmentPath pathA = policyRule.getAssignmentPath(); AssignmentPath pathB = targetB.getAssignmentPath(); LocalizableMessage infoA = createObjectInfo(pathA, assignmentA.getTarget(), true); LocalizableMessage infoB = createObjectInfo(pathB, targetB.getTarget(), false); ObjectType objectA = getConflictingObject(pathA, assignmentA.getTarget()); ObjectType objectB = getConflictingObject(pathB, targetB.getTarget()); LocalizableMessage message = createMessage(infoA, infoB, constraintElement, ctx, result); LocalizableMessage shortMessage = createShortMessage(infoA, infoB, constraintElement, ctx, result); return new EvaluatedExclusionTrigger(constraintElement.getValue(), message, shortMessage, assignmentB, objectA, objectB, pathA, pathB); }
continue; EvaluatedAssignment<FocusType> conflictingAssignment = exclTrigger.getConflictingAssignment(); if (conflictingAssignment == null) { throw new SystemException("Added assignment "+plusAssignment .build(); targetPolicyRule.addTrigger( new EvaluatedExclusionTrigger(exclTrigger.getConstraint(), message, null, exclTrigger.getConflictingAssignment(), exclTrigger.getConflictingTarget(), exclTrigger.getConflictingPath(), true) ); enforceOverride = true;
assertNotNull("No conflicting assignment in trigger", engineerTrigger.getConflictingAssignment()); assertEquals("Wrong conflicting assignment in trigger", ROLE_CORP_CONTRACTOR_OID, engineerTrigger.getConflictingAssignment().getTarget().getOid()); assertTriggeredTargetPolicyRule(context, ROLE_CORP_ENGINEER_OID, PolicyConstraintKindType.ASSIGNMENT_MODIFICATION, 1, false); assertTriggeredTargetPolicyRule(context, ROLE_CORP_ENGINEER_OID, PolicyConstraintKindType.SITUATION, 1, false); display("exclusion trigger for Engineer", engineerTrigger); display("Engineer: assignmentPath", engineerRule.getAssignmentPath()); display("Engineer: conflictingPath", engineerTrigger.getConflictingPath()); assertAssignmentPath(engineerRule.getAssignmentPath(), ROLE_CORP_ENGINEER_OID, ROLE_CORP_EMPLOYEE_OID, null); assertAssignmentPath(engineerTrigger.getConflictingPath(), ROLE_CORP_CONTRACTOR_OID); display("exclusion trigger for Contractor", contractorTrigger); display("Contractor: assignmentPath", contractorRule.getAssignmentPath()); display("Contractor: conflictingPath", contractorTrigger.getConflictingPath()); assertAssignmentPath(contractorRule.getAssignmentPath(), ROLE_CORP_CONTRACTOR_OID, null); assertAssignmentPath(contractorTrigger.getConflictingPath(), ROLE_CORP_ENGINEER_OID, ROLE_CORP_EMPLOYEE_OID);
@Override public EvaluatedExclusionTriggerType toEvaluatedPolicyRuleTriggerType(PolicyRuleExternalizationOptions options, PrismContext prismContext) { EvaluatedExclusionTriggerType rv = new EvaluatedExclusionTriggerType(); fillCommonContent(rv); if (options.getTriggeredRulesStorageStrategy() == FULL) { rv.setConflictingObjectRef(ObjectTypeUtil.createObjectRef(conflictingTarget, prismContext)); rv.setConflictingObjectDisplayName(ObjectTypeUtil.getDisplayName(conflictingTarget)); if (conflictingPath != null) { rv.setConflictingObjectPath(conflictingPath.toAssignmentPathType(options.isIncludeAssignmentsContent())); } if (options.isIncludeAssignmentsContent() && conflictingAssignment.getAssignmentType() != null) { rv.setConflictingAssignment(conflictingAssignment.getAssignmentType().clone()); } } return rv; } }
private void dumpTriggersCollection(int indent, StringBuilder sb, Collection<EvaluatedPolicyRuleTrigger<?>> triggers) { for (EvaluatedPolicyRuleTrigger trigger : triggers) { sb.append("\n"); DebugUtil.indentDebugDump(sb, indent); sb.append("trigger: ").append(trigger); if (trigger instanceof EvaluatedExclusionTrigger && ((EvaluatedExclusionTrigger) trigger).getConflictingAssignment() != null) { sb.append("\n"); DebugUtil.indentDebugDump(sb, indent + 1); sb.append("conflict: ") .append(((EvaluatedAssignmentImpl) ((EvaluatedExclusionTrigger) trigger) .getConflictingAssignment()).toHumanReadableString()); } if (trigger instanceof EvaluatedCompositeTrigger) { dumpTriggersCollection(indent + 1, sb, ((EvaluatedCompositeTrigger) trigger).getInnerTriggers()); } else if (trigger instanceof EvaluatedTransitionTrigger) { dumpTriggersCollection(indent + 1, sb, ((EvaluatedTransitionTrigger) trigger).getInnerTriggers()); } } }
private <F extends AssignmentHolderType> void checkAndTriggerExclusionConstraintViolationLegacy(EvaluatedAssignmentImpl<F> assignmentA, @NotNull EvaluatedAssignmentImpl<F> assignmentB, EvaluatedAssignmentTargetImpl roleA, EvaluatedAssignmentTargetImpl roleB, ExclusionPolicyConstraintType constraint) throws PolicyViolationException { ObjectReferenceType targetRef = constraint.getTargetRef(); if (roleB.getOid().equals(targetRef.getOid())) { EvaluatedExclusionTrigger trigger = new EvaluatedExclusionTrigger( constraint, buildFallbackMessage("Violation of SoD policy: " + roleA.getTarget() + " excludes " + roleB.getTarget() + ", they cannot be assigned at the same time"), buildFallbackMessage(roleA.getTarget().getName() + " excludes " + roleB.getTarget().getName()), assignmentB, roleA.getTarget() != null ? roleA.getTarget().asObjectable() : null, roleB.getTarget() != null ? roleB.getTarget().asObjectable() : null, roleA.getAssignmentPath(), roleB.getAssignmentPath()); assignmentA.triggerConstraintLegacy(trigger, localizationService); } }
assertNotNull("No conflicting assignment in trigger", triggerExclusion.getConflictingAssignment()); assertEquals("Wrong conflicting assignment in trigger", ROLE_JUDGE_OID, triggerExclusion.getConflictingAssignment().getTarget().getOid()); EvaluatedPolicyRule sourceRule = triggerSituation.getSourceRules().iterator().next(); EvaluatedExclusionTrigger sourceTrigger = (EvaluatedExclusionTrigger) sourceRule.getTriggers().iterator().next(); assertNotNull("No conflicting assignment in source trigger", sourceTrigger.getConflictingAssignment()); assertEquals("Wrong conflicting assignment in source trigger", ROLE_JUDGE_OID, sourceTrigger.getConflictingAssignment().getTarget().getOid());
assertEvaluatedTargetPolicyRules(context, 7); EvaluatedExclusionTrigger trigger = (EvaluatedExclusionTrigger) assertTriggeredTargetPolicyRule(context, null, PolicyConstraintKindType.EXCLUSION, 1, true); assertNotNull("No conflicting assignment in trigger", trigger.getConflictingAssignment()); assertEquals("Wrong conflicting assignment in trigger", ROLE_PIRATE_OID, trigger.getConflictingAssignment().getTarget().getOid());
assertNotNull("No conflicting assignment in trigger", trigger.getConflictingAssignment()); assertEquals("Wrong conflicting assignment in trigger", ROLE_CORP_CONTRACTOR_OID, trigger.getConflictingAssignment().getTarget().getOid());