private void dumpPolicyRule(int indent, StringBuilder sb, EvaluatedPolicyRule rule, boolean alsoMessages) { if (alsoMessages) { sb.append("=============================================== RULE ===============================================\n"); } DebugUtil.indentDebugDump(sb, indent + 1); if (rule.isGlobal()) { sb.append("global "); } sb.append("rule: ").append(rule.toShortString()); dumpTriggersCollection(indent+2, sb, rule.getTriggers()); for (PolicyExceptionType exc : rule.getPolicyExceptions()) { sb.append("\n"); DebugUtil.indentDebugDump(sb, indent + 2); sb.append("exception: ").append(exc); } if (alsoMessages) { if (rule.isTriggered()) { sb.append("\n\n"); sb.append("--------------------------------------------- MESSAGES ---------------------------------------------"); List<TreeNode<LocalizableMessage>> messageTrees = rule.extractMessages(); for (TreeNode<LocalizableMessage> messageTree : messageTrees) { sb.append("\n"); sb.append(messageTree.debugDump(indent)); } } sb.append("\n"); } }
public String getRuleName() { return policyRule.getName(); }
private boolean hasSituationConstraint(EvaluatedPolicyRule policyRule) { return hasSituationConstraint(policyRule.getPolicyConstraints()); }
private Collection<CertificationPolicyActionType> getCertificationActions(Collection<EvaluatedPolicyRule> policyRules) { return policyRules.stream() .filter(r -> r.isTriggered() && r.containsEnabledAction(CertificationPolicyActionType.class)) .map(r -> r.getEnabledAction(CertificationPolicyActionType.class)) .collect(Collectors.toList()); }
private void emitPolicyEventIfPresent(EvaluatedPolicyRule rule, ModelContext<?> context, Task task, OperationResult result) { if (rule.isTriggered()) { for (NotificationPolicyActionType notificationAction : rule.getEnabledActions(NotificationPolicyActionType.class)) { emitPolicyEvent(notificationAction, rule, context, task, result); } } }
List<EvaluatedPolicyRule> selectTriggeredApprovalActionRules(Collection<EvaluatedPolicyRule> rules) { return rules.stream() .filter(r -> r.isTriggered() && r.containsEnabledAction(ApprovalPolicyActionType.class)) .collect(Collectors.toList()); }
default boolean isTriggered() { return !getTriggers().isEmpty(); }
@Test public void test020ActivateIncompleteRole() throws Exception { final String TEST_NAME = "test020ActivateIncompleteRole"; TestUtil.displayTestTitle(this, TEST_NAME); login(userAdministrator); Task task = createTask(TEST_NAME); OperationResult result = task.getResult(); @SuppressWarnings({"unchecked", "raw"}) ObjectDelta<RoleType> activateRoleDelta = prismContext.deltaFor(RoleType.class) .item(RoleType.F_LIFECYCLE_STATE).replace(SchemaConstants.LIFECYCLE_ACTIVE) .asObjectDelta(roleEmployeeOid); RecordingProgressListener recordingListener = new RecordingProgressListener(); try { modelService.executeChanges(Collections.singleton(activateRoleDelta), null, task, Collections.singleton(recordingListener), result); fail("unexpected success"); } catch (PolicyViolationException e) { System.out.println("Got expected exception: " + e.getMessage()); } LensContext<RoleType> context = (LensContext<RoleType>) recordingListener.getModelContext(); System.out.println(context.dumpFocusPolicyRules(0)); EvaluatedPolicyRule incompleteActivationRule = context.getFocusContext().getPolicyRules().stream() .filter(rule -> "disallow-incomplete-role-activation".equals(rule.getName())) .findFirst() .orElseThrow(() -> new AssertionError("rule not found")); assertEquals("Wrong # of triggers in incompleteActivationRule", 2, incompleteActivationRule.getTriggers().size()); // objectState + or }
private void enforceTriggeredRules(EvaluationContext evalCtx, Collection<EvaluatedPolicyRule> policyRules) { for (EvaluatedPolicyRule policyRule: policyRules) { Collection<EvaluatedPolicyRuleTrigger<?>> triggers = policyRule.getTriggers(); if (triggers.isEmpty()) { continue; boolean enforceAll = policyRule.containsEnabledAction(EnforcementPolicyActionType.class); Collection<EvaluatedPolicyRuleTrigger<?>> triggersFiltered; if (enforceAll) { policyRule.addToEvaluatedPolicyRuleTypes(evalCtx.rules, new PolicyRuleExternalizationOptions(FULL, true, true), t -> enforceAll || t.isEnforcementOverride(), prismContext);
throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException { if (LOGGER.isTraceEnabled()) { LOGGER.trace("Evaluating policy rule {} in {}", ctx.policyRule.toShortString(), ctx.getShortDescription()); PolicyConstraintsType constraints = ctx.policyRule.getPolicyConstraints(); JAXBElement<PolicyConstraintsType> conjunction = new JAXBElement<>(F_AND, PolicyConstraintsType.class, constraints); EvaluatedCompositeTrigger trigger = compositeConstraintEvaluator.evaluate(conjunction, ctx, result); LOGGER.trace("Policy rule triggered: {}", ctx.policyRule.isTriggered()); if (ctx.policyRule.isTriggered()) { LOGGER.trace("Start to compute actions"); ((EvaluatedPolicyRuleImpl) ctx.policyRule).computeEnabledActions(ctx, ctx.getObject(), expressionFactory, prismContext, ctx.task, result); if (ctx.policyRule.containsEnabledAction(RecordPolicyActionType.class)) { ctx.record();
private void logApprovalActions(EvaluatedAssignment<?> newAssignment, List<EvaluatedPolicyRule> triggeredApprovalActionRules, PlusMinusZero plusMinusZero) { if (LOGGER.isDebugEnabled() && !triggeredApprovalActionRules.isEmpty()) { LOGGER.trace("-------------------------------------------------------------"); String verb = plusMinusZero == PLUS ? "added" : plusMinusZero == MINUS ? "deleted" : "modified"; LOGGER.debug("Assignment to be {}: {}: {} this target policy rules, {} triggered approval actions:", verb, newAssignment, newAssignment.getThisTargetPolicyRules().size(), triggeredApprovalActionRules.size()); for (EvaluatedPolicyRule t : triggeredApprovalActionRules) { LOGGER.debug(" - Approval actions: {}", t.getEnabledActions(ApprovalPolicyActionType.class)); for (EvaluatedPolicyRuleTrigger trigger : t.getTriggers()) { LOGGER.debug(" - {}", trigger); } } } }
for (EvaluatedAssignmentImpl<F> plusAssignment: plusSet) { for (EvaluatedPolicyRule targetPolicyRule: plusAssignment.getAllTargetsPolicyRules()) { for (EvaluatedPolicyRuleTrigger trigger: new ArrayList<>(targetPolicyRule.getTriggers())) { if (!(trigger instanceof EvaluatedExclusionTrigger)) { continue; if (!targetPolicyRule.containsEnabledAction(PrunePolicyActionType.class)) { continue; .arg(ObjectTypeUtil.createDisplayInformation(conflictingAssignment.getTarget(), false)) .build(); targetPolicyRule.addTrigger( new EvaluatedExclusionTrigger(exclTrigger.getConstraint(), message, null, exclTrigger.getConflictingAssignment(),
private synchronized int checkEvaluatedPolicyRule(Task task, EvaluatedPolicyRule policyRule, int counter, OperationResult result) throws ThresholdPolicyViolationException, ObjectNotFoundException, SchemaException { for (PolicyActionType action : policyRule.getEnabledActions()) { LOGGER.info("action: {}", action); } if (policyRule.containsEnabledAction(SuspendTaskPolicyActionType.class)) { LOGGER.info("counter increment: {}", policyRule); counter++; // SuspendTaskPolicyActionType stopAction = policyRule.getEnabledAction(SuspendTaskPolicyActionType.class); PolicyThresholdType thresholdSettings = policyRule.getPolicyThreshold(); if (thresholdSettings.getCount() != null && thresholdSettings.getCount().intValue() < counter) { // taskManager.suspendTask(task, 10, result); throw new ThresholdPolicyViolationException("Policy rule violation: " + policyRule.getPolicyRule()); } } return counter; } }
private <AH extends AssignmentHolderType> void traceRuleEvaluationResult(EvaluatedPolicyRule rule, PolicyRuleEvaluationContext<AH> ctx) throws SchemaException { if (!LOGGER.isTraceEnabled()) { return; } StringBuilder sb = new StringBuilder(); sb.append("\n---[ POLICY RULE "); if (rule.isTriggered()) { sb.append("# "); } sb.append(rule.toShortString()); sb.append(" for "); sb.append(ctx.getShortDescription()); sb.append(" (").append(ctx.lensContext.getState()).append(")"); sb.append("]---------------------------"); sb.append("\n"); sb.append(rule.debugDump()); //sb.append("\nContext: ").append(ctx.debugDump()); LOGGER.trace("{}", sb.toString()); }
forEvaluatedFocusPolicyRule(context, (r) -> { display("rule", r); rules.put(r.getName(), r); }); EvaluatedPolicyRule rule1 = rules.get("rule1"); assertNotNull("no rule1", rule1); PolicyConstraintsType pc1 = rule1.getPolicyConstraints(); assertEquals(1, pc1.getAnd().size()); PolicyConstraintsType pc1inner = pc1.getAnd().get(0); PolicyConstraintsType pc2 = rule2.getPolicyConstraints(); assertEquals("mod-description-and-riskLevel-and-inducement", pc2.getName()); assertEquals("mod-riskLevel-and-inducement", pc2.getAnd().get(0).getName()); PolicyConstraintsType pc3 = rule3.getPolicyConstraints(); assertEquals("mod-riskLevel-and-inducement", pc3.getName()); assertEquals(2, pc3.getModification().size()); PolicyConstraintsType pc4 = rule4.getPolicyConstraints(); assertEquals(1, pc4.getModification().size()); assertEquals("mod-inducement", pc4.getModification().get(0).getName());
assertEquals("Wrong number of evaluated policy rules", 2, allTargetsPolicyRules.size()); EvaluatedPolicyRule evaluatedSodPolicyRule = getEvaluatedPolicyRule(allTargetsPolicyRules, GLOBAL_POLICY_RULE_SOD_APPROVAL_NAME); EvaluatedPolicyRuleTrigger<?> sodTrigger = getSinglePolicyRuleTrigger(evaluatedSodPolicyRule, evaluatedSodPolicyRule.getTriggers()); display("Own trigger", sodTrigger); assertEvaluatedPolicyRuleTriggers(evaluatedSodPolicyRule, evaluatedSodPolicyRule.getAllTriggers(), 2); EvaluatedPolicyRuleTrigger situationTrigger = getEvaluatedPolicyRuleTrigger(evaluatedSodPolicyRule, evaluatedSodPolicyRule.getAllTriggers(), PolicyConstraintKindType.SITUATION); display("Situation trigger", situationTrigger); PolicyActionsType sodActions = evaluatedSodPolicyRule.getActions(); display("Actions", sodActions); assertPolicyActionApproval(evaluatedSodPolicyRule);
private ComputationResult compute(@NotNull List<EvaluatedPolicyRule> rulesToRecord, @NotNull List<String> existingPolicySituation, @NotNull List<EvaluatedPolicyRuleType> existingTriggeredPolicyRule) { ComputationResult cr = new ComputationResult(); for (EvaluatedPolicyRule rule : rulesToRecord) { cr.newPolicySituations.add(rule.getPolicySituation()); RecordPolicyActionType recordAction = rule.getEnabledAction(RecordPolicyActionType.class); if (recordAction.getPolicyRules() != TriggeredPolicyRulesStorageStrategyType.NONE) { PolicyRuleExternalizationOptions externalizationOptions = new PolicyRuleExternalizationOptions( recordAction.getPolicyRules(), false, true); rule.addToEvaluatedPolicyRuleTypes(cr.newTriggeredRules, externalizationOptions, null, prismContext); } } cr.oldPolicySituations.addAll(existingPolicySituation); cr.oldTriggeredRules.addAll(existingTriggeredPolicyRule); cr.situationsNeedUpdate = !Objects.equals(cr.oldPolicySituations, cr.newPolicySituations); cr.rulesNeedUpdate = !Objects.equals(cr.oldTriggeredRules, cr.newTriggeredRules); // hope hashCode is computed well return cr; }
public static void triggerRule(@NotNull EvaluatedPolicyRule rule, Collection<EvaluatedPolicyRuleTrigger<?>> triggers, Collection<String> policySituations) { LOGGER.debug("Policy rule {} triggered: {}", rule.getName(), triggers); if (LOGGER.isTraceEnabled()) { LOGGER.trace("Policy rule {} triggered:\n{}", rule.getName(), DebugUtil.debugDump(triggers, 1)); } ((EvaluatedPolicyRuleImpl) rule).addTriggers(triggers); CollectionUtils.addIgnoreNull(policySituations, rule.getPolicySituation()); }
private <AH extends AssignmentHolderType> Collection<EvaluatedPolicyRule> selectTriggeredRules( PolicyRuleEvaluationContext<AH> rctx, List<String> situations) { Collection<EvaluatedPolicyRule> rules; if (rctx instanceof AssignmentPolicyRuleEvaluationContext) { EvaluatedAssignmentImpl<AH> evaluatedAssignment = ((AssignmentPolicyRuleEvaluationContext<AH>) rctx).evaluatedAssignment; // We consider all rules here, i.e. also those that are triggered on targets induced by this one. // Decision whether to trigger such rules lies on "primary" policy constraints. (E.g. approvals would // not trigger, whereas exclusions probably would.) Overall, our responsibility is simply to collect // all triggered rules. rules = evaluatedAssignment.getAllTargetsPolicyRules(); } else { rules = rctx.focusContext.getPolicyRules(); } return rules.stream() .filter(r -> r.isTriggered() && situations.contains(r.getPolicySituation())) .collect(Collectors.toList()); } }
static void dumpRules(StringBuilder sb, String label, int indent, Collection<EvaluatedPolicyRule> policyRules) { sb.append("\n"); int triggered = getTriggeredRulesCount(policyRules); DebugUtil.debugDumpLabel(sb, label + " (total " + policyRules.size() + ", triggered " + triggered + ")", indent); // not triggered rules are dumped in one line boolean first = true; for (EvaluatedPolicyRule rule : policyRules) { if (rule.isTriggered()) { continue; } if (first) { first = false; sb.append(" "); } else { sb.append("; "); } sb.append(rule.toShortString()); } // now triggered rules, each on separate line for (EvaluatedPolicyRule rule : policyRules) { if (rule.isTriggered()) { sb.append("\n"); DebugUtil.indentDebugDump(sb, indent + 1); sb.append("- triggered: ").append(rule.toShortString()); } } if (policyRules.isEmpty()) { sb.append(" (none)"); } }