/**
 * Records the failure into {@code opState}/{@code result} and re-raises it as a
 * {@link PolicyViolationException}.
 *
 * @param cause the exception that ended the operation
 * @param opState provisioning operation state that receives the completion error
 * @param result operation result that receives the completion error
 * @throws PolicyViolationException always: {@code cause} itself when it already is one,
 *         otherwise a new instance carrying {@code cause}'s message and {@code cause} as its cause
 */
@Override
protected void throwException(Exception cause,
        ProvisioningOperationState<? extends AsynchronousOperationResult> opState,
        OperationResult result) throws PolicyViolationException {
    recordCompletionError(cause, opState, result);
    if (cause instanceof PolicyViolationException) {
        // Already the right type: propagate unchanged so message and stack trace are preserved.
        throw (PolicyViolationException) cause;
    }
    // Anything else is surfaced as a policy violation; the original stays attached as the cause.
    throw new PolicyViolationException(cause.getMessage(), cause);
}
/**
 * Activating a role whose definition is incomplete must be refused by the
 * {@code disallow-incomplete-role-activation} policy rule, and that rule must
 * end up with exactly two triggers (objectState + or).
 */
@Test
public void test020ActivateIncompleteRole() throws Exception {
    final String TEST_NAME = "test020ActivateIncompleteRole";
    TestUtil.displayTestTitle(this, TEST_NAME);
    login(userAdministrator);
    Task task = createTask(TEST_NAME);
    OperationResult result = task.getResult();

    // Flip the employee role's lifecycle state to "active".
    @SuppressWarnings({"unchecked", "raw"})
    ObjectDelta<RoleType> activationDelta = prismContext.deltaFor(RoleType.class)
            .item(RoleType.F_LIFECYCLE_STATE).replace(SchemaConstants.LIFECYCLE_ACTIVE)
            .asObjectDelta(roleEmployeeOid);

    // The listener keeps the model context so the evaluated rules can be inspected afterwards.
    RecordingProgressListener listener = new RecordingProgressListener();
    boolean rejected = false;
    try {
        modelService.executeChanges(Collections.singleton(activationDelta), null, task,
                Collections.singleton(listener), result);
    } catch (PolicyViolationException e) {
        rejected = true;
        System.out.println("Got expected exception: " + e.getMessage());
    }
    if (!rejected) {
        fail("unexpected success");
    }

    LensContext<RoleType> context = (LensContext<RoleType>) listener.getModelContext();
    System.out.println(context.dumpFocusPolicyRules(0));

    EvaluatedPolicyRule incompleteActivationRule = null;
    for (EvaluatedPolicyRule rule : context.getFocusContext().getPolicyRules()) {
        if ("disallow-incomplete-role-activation".equals(rule.getName())) {
            incompleteActivationRule = rule;
            break;
        }
    }
    if (incompleteActivationRule == null) {
        throw new AssertionError("rule not found");
    }
    // Two triggers expected: objectState + or
    assertEquals("Wrong # of triggers in incompleteActivationRule", 2,
            incompleteActivationRule.getTriggers().size());
}
/**
 * Activates the given role and asserts that the operation is refused with a
 * {@link PolicyViolationException}; a successful activation fails the test.
 *
 * @param roleOid OID of the role to activate
 * @param contextHolder receives the lens context produced by {@code activateRole}
 * @param result operation result passed through to {@code activateRole}
 * @param task task passed through to {@code activateRole}
 */
private void activateRoleAssertFailure(String roleOid, Holder<LensContext<?>> contextHolder,
        OperationResult result, Task task)
        throws SchemaException, CommunicationException, ObjectAlreadyExistsException,
        ExpressionEvaluationException, SecurityViolationException, ConfigurationException,
        ObjectNotFoundException {
    boolean rejected = false;
    try {
        activateRole(roleOid, contextHolder, task, result);
    } catch (PolicyViolationException e) {
        rejected = true;
        System.out.println("Got expected exception:");
        e.printStackTrace(System.out);
    }
    if (!rejected) {
        fail("unexpected success");
    }
}
/**
 * Fails if {@code outDependency} already appears on {@code depPath}, i.e. following it
 * would loop back onto a dependency that is still being resolved.
 *
 * @param depPath dependencies traversed so far, in traversal order
 * @param outDependency the dependency about to be followed
 * @param projectionContext used only to name the projection in the error message
 * @throws PolicyViolationException when {@code outDependency} is already on the path; the message
 *         renders the path as {@code resourceOid(kind/intent)->...} (resource OID omitted when absent)
 */
private void checkForCircular(List<ResourceObjectTypeDependencyType> depPath,
        ResourceObjectTypeDependencyType outDependency,
        LensProjectionContext projectionContext) throws PolicyViolationException {
    for (ResourceObjectTypeDependencyType visited : depPath) {
        if (!visited.equals(outDependency)) {
            continue;
        }
        // Cycle found: render the whole path for the error message.
        StringBuilder path = new StringBuilder();
        String separator = "";
        for (ResourceObjectTypeDependencyType step : depPath) {
            path.append(separator);
            separator = "->";
            ObjectReferenceType resourceRef = step.getResourceRef();
            if (resourceRef != null) {
                path.append(resourceRef.getOid());
            }
            path.append('(').append(step.getKind()).append('/').append(step.getIntent()).append(')');
        }
        throw new PolicyViolationException("Circular dependency in "
                + projectionContext.getHumanReadableName() + ", path: " + path);
    }
}
/**
 * Assigning the pirate and judge roles in one request (pirate first) must be refused by the
 * exclusion constraint, leaving jack with no role assignments at all.
 */
@Test
public void test140SimpleExclusionBoth2() throws Exception {
    final String TEST_NAME = "test140SimpleExclusionBoth2";
    displayTestTitle(TEST_NAME);
    Task task = createTask(TEST_NAME);
    OperationResult result = task.getResult();

    // Both mutually exclusive roles in a single modify delta.
    Collection<ItemDelta<?, ?>> assignmentMods = new ArrayList<>(2);
    assignmentMods.add(createAssignmentModification(ROLE_PIRATE_OID, RoleType.COMPLEX_TYPE, null, null, null, true));
    assignmentMods.add(createAssignmentModification(ROLE_JUDGE_OID, RoleType.COMPLEX_TYPE, null, null, null, true));
    ObjectDelta<UserType> jackDelta = prismContext.deltaFactory().object()
            .createModifyDelta(USER_JACK_OID, assignmentMods, UserType.class);

    boolean rejected = false;
    try {
        modelService.executeChanges(MiscSchemaUtil.createCollection(jackDelta), null, task, result);
    } catch (PolicyViolationException e) {
        rejected = true;
        System.out.println("Got expected exception: " + e.getMessage());
    }
    if (!rejected) {
        AssertJUnit.fail("Expected policy violation, but it went well");
    }

    // Neither assignment may have been persisted.
    assertAssignedNoRole(USER_JACK_OID, task, result);
}
/**
 * Modifying an inducement of the "Immutable inducements" role must be refused by the clockwork
 * with a {@link PolicyViolationException} whose translated message names the role.
 */
@Test
public void test300ModifyInducement() throws Exception {
    final String TEST_NAME = "test300ModifyInducement";
    TestUtil.displayTestTitle(this, TEST_NAME);

    // GIVEN
    Task task = taskManager.createTaskInstance(TestPolicyRules2.class.getName() + "." + TEST_NAME);
    OperationResult result = task.getResult();
    // Touch only the description of inducement #1.
    ObjectDelta<RoleType> inducementDelta = prismContext.deltaFor(RoleType.class)
            .item(RoleType.F_INDUCEMENT, 1L, AssignmentType.F_DESCRIPTION).replace("hi")
            .asObjectDeltaCast(roleImmutableInducementsOid);
    LensContext<RoleType> context = createLensContext(RoleType.class);
    context.createFocusContext().setPrimaryDelta(inducementDelta);
    display("Input context", context);
    assertFocusModificationSanity(context);

    // WHEN
    TestUtil.displayWhen(TEST_NAME);
    PolicyViolationException violation = null;
    try {
        clockwork.run(context, task, result);
    } catch (PolicyViolationException e) {
        violation = e;
    }

    // THEN
    TestUtil.displayThen(TEST_NAME);
    if (violation == null) {
        fail("unexpected success");
    }
    System.out.println("Expected exception: " + violation);
    violation.printStackTrace(System.out);
    String message = getTranslatedMessage(violation);
    if (!message.contains("Role \"Immutable inducements\" is to be modified")) {
        fail("Exception message was not as expected: " + message);
    }
}
/**
 * Raises the constraint messages collected in {@code evalCtx} as one
 * {@link PolicyViolationException}; does nothing when no messages were collected.
 *
 * @param evalCtx evaluation context whose {@code messages} list is reported
 * @throws PolicyViolationException when at least one message was collected; the messages are
 *         joined with a semicolon separator and the exception is passed through the
 *         localization service before being thrown
 */
private void executeRegular(EvaluationContext evalCtx) throws PolicyViolationException {
    if (evalCtx.messages.isEmpty()) {
        return;
    }
    LocalizableMessage combined = new LocalizableMessageListBuilder()
            .messages(evalCtx.messages)
            .separator(LocalizableMessageList.SEMICOLON)
            .buildOptimized();
    throw localizationService.translate(new PolicyViolationException(combined));
}
/**
 * Assigning the thief and judge roles in one request (thief first) must be refused by the
 * bidirectional exclusion constraint, leaving jack with no role assignments at all.
 */
@Test
public void test150SimpleExclusionBothBidirectional1() throws Exception {
    final String TEST_NAME = "test150SimpleExclusionBothBidirectional1";
    displayTestTitle(TEST_NAME);
    Task task = createTask(TEST_NAME);
    OperationResult result = task.getResult();

    // Both mutually exclusive roles in a single modify delta.
    Collection<ItemDelta<?, ?>> assignmentMods = new ArrayList<>(2);
    assignmentMods.add(createAssignmentModification(ROLE_THIEF_OID, RoleType.COMPLEX_TYPE, null, null, null, true));
    assignmentMods.add(createAssignmentModification(ROLE_JUDGE_OID, RoleType.COMPLEX_TYPE, null, null, null, true));
    ObjectDelta<UserType> jackDelta = prismContext.deltaFactory().object()
            .createModifyDelta(USER_JACK_OID, assignmentMods, UserType.class);

    boolean rejected = false;
    try {
        modelService.executeChanges(MiscSchemaUtil.createCollection(jackDelta), null, task, result);
    } catch (PolicyViolationException e) {
        rejected = true;
        System.out.println("Got expected exception: " + e.getMessage());
    }
    if (!rejected) {
        AssertJUnit.fail("Expected policy violation, but it went well");
    }

    // Neither assignment may have been persisted.
    assertAssignedNoRole(USER_JACK_OID, task, result);
}
/**
 * Adding an inducement to the "No inducements add or delete" role must be refused by the
 * clockwork with a {@link PolicyViolationException} whose translated message names the role.
 */
@Test
public void test330AddInducement() throws Exception {
    final String TEST_NAME = "test330AddInducement";
    TestUtil.displayTestTitle(this, TEST_NAME);

    // GIVEN
    Task task = taskManager.createTaskInstance(TestPolicyRules2.class.getName() + "." + TEST_NAME);
    OperationResult result = task.getResult();
    // Add one new inducement pointing at org "1".
    ObjectDelta<RoleType> inducementDelta = prismContext.deltaFor(RoleType.class)
            .item(RoleType.F_INDUCEMENT).add(new AssignmentType(prismContext).targetRef("1", OrgType.COMPLEX_TYPE))
            .asObjectDeltaCast(roleNoInducementsAddDeleteOid);
    LensContext<RoleType> context = createLensContext(RoleType.class);
    context.createFocusContext().setPrimaryDelta(inducementDelta);
    display("Input context", context);
    assertFocusModificationSanity(context);

    // WHEN
    TestUtil.displayWhen(TEST_NAME);
    PolicyViolationException violation = null;
    try {
        clockwork.run(context, task, result);
    } catch (PolicyViolationException e) {
        violation = e;
    }

    // THEN
    TestUtil.displayThen(TEST_NAME);
    if (violation == null) {
        fail("unexpected success");
    }
    System.out.println("Expected exception: " + violation);
    violation.printStackTrace(System.out);
    String message = getTranslatedMessage(violation);
    if (!message.contains("Role \"No inducements add or delete\" is to be modified")) {
        fail("Exception message was not as expected: " + message);
    }
}
/**
 * Detects whether following {@code segment} to {@code target} would loop.
 *
 * @param segment the assignment path segment being followed
 * @param target the object the segment points to
 * @param ctx evaluation context holding the current assignment path
 * @return {@code true} when {@code target} already occurs on the assignment path at least
 *         {@code MAX_TARGET_OCCURRENCES} times, meaning evaluation should stop here;
 *         {@code false} otherwise
 * @throws PolicyViolationException when {@code target} has the same OID as the segment's source,
 *         i.e. the object refers to itself in an assignment or inducement
 */
private <O extends ObjectType> boolean hasCycle(AssignmentPathSegmentImpl segment,
        @NotNull PrismObject<O> target, EvaluationContext ctx) throws PolicyViolationException {
    // TODO reconsider this
    String targetOid = target.getOid();
    if (targetOid.equals(segment.source.getOid())) {
        throw new PolicyViolationException("The " + segment.source + " refers to itself in assignment/inducement");
    }
    // The former extra condition "&& segment.getEvaluationOrder().equals(ctx.assignmentPath.getEvaluationOrder())"
    // was dropped because it is currently always true.
    // TODO reconsider this
    int occurrences = ctx.assignmentPath.countTargetOccurrences(target.asObjectable());
    if (occurrences < MAX_TARGET_OCCURRENCES) {
        return false;
    }
    LOGGER.debug("Max # of target occurrences ({}) detected for target {} in {} - stopping evaluation here",
            MAX_TARGET_OCCURRENCES, ObjectTypeUtil.toShortString(target), ctx.assignmentPath);
    return true;
}
/**
 * Assigning the judge and thief roles in one request (judge first) must be refused by the
 * bidirectional exclusion constraint, leaving jack with no role assignments at all.
 */
@Test
public void test160SimpleExclusionBothBidirectional2() throws Exception {
    final String TEST_NAME = "test160SimpleExclusionBothBidirectional2";
    displayTestTitle(TEST_NAME);
    Task task = createTask(TEST_NAME);
    OperationResult result = task.getResult();

    // Both mutually exclusive roles in a single modify delta.
    Collection<ItemDelta<?, ?>> assignmentMods = new ArrayList<>(2);
    assignmentMods.add(createAssignmentModification(ROLE_JUDGE_OID, RoleType.COMPLEX_TYPE, null, null, null, true));
    assignmentMods.add(createAssignmentModification(ROLE_THIEF_OID, RoleType.COMPLEX_TYPE, null, null, null, true));
    ObjectDelta<UserType> jackDelta = prismContext.deltaFactory().object()
            .createModifyDelta(USER_JACK_OID, assignmentMods, UserType.class);

    boolean rejected = false;
    try {
        modelService.executeChanges(MiscSchemaUtil.createCollection(jackDelta), null, task, result);
    } catch (PolicyViolationException e) {
        rejected = true;
        System.out.println("Got expected exception: " + e.getMessage());
    }
    if (!rejected) {
        AssertJUnit.fail("Expected policy violation, but it went well");
    }

    // Neither assignment may have been persisted.
    assertAssignedNoRole(USER_JACK_OID, task, result);
}
/**
 * Replacing the inducements of the "No inducements add or delete (expression)" role must be
 * refused by the clockwork with a {@link PolicyViolationException} whose translated message
 * names the role.
 */
@Test
public void test340AddInducementViaExpression() throws Exception {
    final String TEST_NAME = "test340AddInducementViaExpression";
    TestUtil.displayTestTitle(this, TEST_NAME);

    // GIVEN
    Task task = taskManager.createTaskInstance(TestPolicyRules2.class.getName() + "." + TEST_NAME);
    OperationResult result = task.getResult();
    // Replace the inducements with a single one pointing at org "1".
    ObjectDelta<RoleType> inducementDelta = prismContext.deltaFor(RoleType.class)
            .item(RoleType.F_INDUCEMENT).replace(new AssignmentType(prismContext).targetRef("1", OrgType.COMPLEX_TYPE))
            .asObjectDeltaCast(roleNoInducementsAddDeleteViaExpressionOid);
    LensContext<RoleType> context = createLensContext(RoleType.class);
    context.createFocusContext().setPrimaryDelta(inducementDelta);
    display("Input context", context);
    assertFocusModificationSanity(context);

    // WHEN
    TestUtil.displayWhen(TEST_NAME);
    PolicyViolationException violation = null;
    try {
        clockwork.run(context, task, result);
    } catch (PolicyViolationException e) {
        violation = e;
    }

    // THEN
    TestUtil.displayThen(TEST_NAME);
    if (violation == null) {
        fail("unexpected success");
    }
    System.out.println("Expected exception: " + violation);
    violation.printStackTrace(System.out);
    String message = getTranslatedMessage(violation);
    if (!message.contains("Role \"No inducements add or delete (expression)\" is to be modified")) {
        fail("Exception message was not as expected: " + message);
    }
}
throw new PolicyViolationException("Cannot set "+itemPath+" to a value different than OID in oid bound mode"); throw new PolicyViolationException("Cannot change "+itemPath+" in oid bound mode"); throw new PolicyViolationException("Cannot set name to a value different than OID in name-oid bound mode"); PropertyDelta<Object> nameDelta = focusDelta.findPropertyDelta(FocusType.F_NAME); if (nameDelta != null) { throw new PolicyViolationException("Cannot change name in name-oid bound mode");
/**
 * Assigning the deprecated-form judge role together with the pirate role in one request
 * must be refused by the exclusion constraint, leaving jack with no role assignments at all.
 */
@Test
public void test132SimpleExclusionBoth1Deprecated() throws Exception {
    final String TEST_NAME = "test132SimpleExclusionBoth1Deprecated";
    displayTestTitle(TEST_NAME);
    Task task = createTask(TEST_NAME);
    OperationResult result = task.getResult();

    // Both mutually exclusive roles in a single modify delta.
    Collection<ItemDelta<?, ?>> assignmentMods = new ArrayList<>(2);
    assignmentMods.add(createAssignmentModification(ROLE_JUDGE_DEPRECATED_OID, RoleType.COMPLEX_TYPE, null, null, null, true));
    assignmentMods.add(createAssignmentModification(ROLE_PIRATE_OID, RoleType.COMPLEX_TYPE, null, null, null, true));
    ObjectDelta<UserType> jackDelta = prismContext.deltaFactory().object()
            .createModifyDelta(USER_JACK_OID, assignmentMods, UserType.class);

    boolean rejected = false;
    try {
        modelService.executeChanges(MiscSchemaUtil.createCollection(jackDelta), null, task, result);
    } catch (PolicyViolationException e) {
        rejected = true;
        System.out.println("Got expected exception: " + e.getMessage());
    }
    if (!rejected) {
        AssertJUnit.fail("Expected policy violation, but it went well");
    }

    // Neither assignment may have been persisted.
    assertAssignedNoRole(USER_JACK_OID, task, result);
}
/**
 * Obtains the clear-text value of {@code protectedString} so it can be checked against a policy.
 *
 * @param protectedString the credential value (encrypted, clear, or hashed)
 * @return the value obtained from the protector, or {@code null} when the protected string
 *         carries neither an encrypted nor a clear value and is not hashed
 * @throws SchemaException when only a hash is present – a hash cannot be validated against a policy
 * @throws PolicyViolationException when the protector fails; the {@code EncryptionException}
 *         is kept as the cause
 */
private String getClearValue(ProtectedStringType protectedString)
        throws SchemaException, PolicyViolationException {
    // Both the encrypted and the clear form are handed to protector.decryptString.
    boolean resolvable = protectedString.isEncrypted() || protectedString.getClearValue() != null;
    if (resolvable) {
        try {
            // The returned value is the user's secret: it is meant for validation only,
            // not for logging or persisting.
            return protector.decryptString(protectedString);
        } catch (EncryptionException e) {
            throw new PolicyViolationException(e.getMessage(), e);
        }
    }
    if (protectedString.isHashed()) {
        throw new SchemaException("Cannot validate value of hashed password");
    }
    return null;
}
/**
 * Assigning the judge and pirate roles in one request (judge first) must be refused by the
 * exclusion constraint, leaving jack with no role assignments at all.
 */
@Test
public void test130SimpleExclusionBoth1() throws Exception {
    final String TEST_NAME = "test130SimpleExclusionBoth1";
    displayTestTitle(TEST_NAME);
    Task task = createTask(TEST_NAME);
    OperationResult result = task.getResult();

    // Both mutually exclusive roles in a single modify delta.
    Collection<ItemDelta<?, ?>> assignmentMods = new ArrayList<>(2);
    assignmentMods.add(createAssignmentModification(ROLE_JUDGE_OID, RoleType.COMPLEX_TYPE, null, null, null, true));
    assignmentMods.add(createAssignmentModification(ROLE_PIRATE_OID, RoleType.COMPLEX_TYPE, null, null, null, true));
    ObjectDelta<UserType> jackDelta = prismContext.deltaFactory().object()
            .createModifyDelta(USER_JACK_OID, assignmentMods, UserType.class);

    boolean rejected = false;
    try {
        modelService.executeChanges(MiscSchemaUtil.createCollection(jackDelta), null, task, result);
    } catch (PolicyViolationException e) {
        rejected = true;
        System.out.println("Got expected exception: " + e.getMessage());
    }
    if (!rejected) {
        AssertJUnit.fail("Expected policy violation, but it went well");
    }

    // Neither assignment may have been persisted.
    assertAssignedNoRole(USER_JACK_OID, task, result);
}
case ZERO: if (!PrismValueCollectionsUtil.containsRealValue(shouldBeParentOrgRefs, val)) { throw new TunnelException(new PolicyViolationException("Attempt to add parentOrgRef "+val.getOid()+", but it is not allowed by assignments")); throw new TunnelException(new PolicyViolationException("Attempt to delete parentOrgRef "+val.getOid()+", but it is mandated by assignments"));
/**
 * Assigning the pirate role together with the deprecated-form judge role in one request
 * must be refused by the exclusion constraint, leaving jack with no role assignments at all.
 */
@Test
public void test142SimpleExclusionBoth2Deprecated() throws Exception {
    final String TEST_NAME = "test142SimpleExclusionBoth2Deprecated";
    displayTestTitle(TEST_NAME);
    Task task = createTask(TEST_NAME);
    OperationResult result = task.getResult();

    // Both mutually exclusive roles in a single modify delta.
    Collection<ItemDelta<?, ?>> assignmentMods = new ArrayList<>(2);
    assignmentMods.add(createAssignmentModification(ROLE_PIRATE_OID, RoleType.COMPLEX_TYPE, null, null, null, true));
    assignmentMods.add(createAssignmentModification(ROLE_JUDGE_DEPRECATED_OID, RoleType.COMPLEX_TYPE, null, null, null, true));
    ObjectDelta<UserType> jackDelta = prismContext.deltaFactory().object()
            .createModifyDelta(USER_JACK_OID, assignmentMods, UserType.class);

    boolean rejected = false;
    try {
        modelService.executeChanges(MiscSchemaUtil.createCollection(jackDelta), null, task, result);
    } catch (PolicyViolationException e) {
        rejected = true;
        System.out.println("Got expected exception: " + e.getMessage());
    }
    if (!rejected) {
        AssertJUnit.fail("Expected policy violation, but it went well");
    }

    // Neither assignment may have been persisted.
    assertAssignedNoRole(USER_JACK_OID, task, result);
}
/**
 * Attaches a credential validation result to this object's {@code result} and, when the
 * validation is not acceptable, reports it as a localized {@link PolicyViolationException}.
 *
 * @param validationResult outcome of validating one credential
 * @throws PolicyViolationException when {@code validationResult} is not acceptable; the message
 *         key is {@code PolicyViolationException.message.credentials.<credential key>} with the
 *         validator's user-friendly message as argument, translated by the localization service
 */
private void processValidationResult(OperationResult validationResult) throws PolicyViolationException {
    // The sub-result is recorded in every case, acceptable or not.
    result.addSubresult(validationResult);
    if (validationResult.isAcceptable()) {
        return;
    }
    SingleLocalizableMessage violation = new LocalizableMessageBuilder()
            .key("PolicyViolationException.message.credentials." + getCredentialHumanReadableKey())
            .arg(validationResult.getUserFriendlyMessage())
            .build();
    throw localizationService.translate(new PolicyViolationException(violation));
}
/**
 * The pirate role alone is accepted; adding the deprecated-form judge role afterwards must be
 * refused by the exclusion constraint. Pirate is unassigned at the end so jack holds no roles.
 */
@Test
public void test112SimpleExclusion1Deprecated() throws Exception {
    final String TEST_NAME = "test112SimpleExclusion1Deprecated";
    displayTestTitle(TEST_NAME);
    Task task = createTask(TEST_NAME);
    OperationResult result = task.getResult();

    // Pirate on its own goes through.
    assignRole(USER_JACK_OID, ROLE_PIRATE_OID, task, result);

    // Judge on top of pirate must be refused.
    boolean rejected = false;
    try {
        assignRole(USER_JACK_OID, ROLE_JUDGE_DEPRECATED_OID, task, result);
    } catch (PolicyViolationException e) {
        rejected = true;
        System.out.println("Got expected exception: " + e.getMessage());
    }
    if (!rejected) {
        AssertJUnit.fail("Expected policy violation after adding judge role, but it went well");
    }

    // Cleanup: drop pirate and confirm jack is left with no roles.
    unassignRole(USER_JACK_OID, ROLE_PIRATE_OID, task, result);
    assertAssignedNoRole(USER_JACK_OID, task, result);
}