/**
 * Returns the name of the policy rule held in the {@code policyRule} field.
 *
 * @return the value of {@code policyRule.getName()}; whether it can be {@code null}
 *         is not visible from this accessor
 */
public String getRuleName() {
    final String ruleName = policyRule.getName();
    return ruleName;
}
/**
 * Tells whether the given rule should be considered for an assignment.
 *
 * <p>The decision itself is delegated to {@code isApplicableToAssignment}; this wrapper
 * only adds a log line for the negative case.
 *
 * @param policyRule the evaluated rule being checked
 * @return {@code true} if the rule applies to the assignment, {@code false} otherwise
 */
private boolean checkApplicabilityToAssignment(EvaluatedPolicyRule policyRule) {
    final boolean applicable = isApplicableToAssignment(policyRule);
    if (!applicable) {
        // A skipped rule is recorded at TRACE level only, so at the usual log levels
        // nothing shows that the rule was not evaluated for this assignment.
        LOGGER.trace("Skipping rule {} because it is not applicable to assignment: {}", policyRule.getName(), policyRule);
    }
    return applicable;
}
/**
 * Records that a rule which would otherwise have been triggered is covered by a policy
 * exception, and therefore is not triggered.
 *
 * <p>Review notes: the suppression is reported at DEBUG level and the trigger dump at
 * TRACE level only. Whether the applied exception is also written to an audit trail is
 * not visible from this method, so anyone relying on logs to see which rules were waived
 * should confirm that elsewhere.
 *
 * @param rule            the rule that matched; must be an {@code EvaluatedPolicyRuleImpl},
 *                        otherwise the cast below fails with {@code ClassCastException}
 * @param triggers        the triggers that would have fired; used for logging only
 * @param policyException the exception that waives the rule; attached to the rule
 */
public static void processRuleWithException(@NotNull EvaluatedPolicyRule rule,
        Collection<EvaluatedPolicyRuleTrigger<?>> triggers, PolicyExceptionType policyException) {
    final String ruleName = rule.getName();
    LOGGER.debug("Policy rule {} would be triggered, but there is an exception for it. Not triggering", ruleName);
    if (LOGGER.isTraceEnabled()) {
        // Guarded because building the debug dump is only worth doing when it will be emitted.
        LOGGER.trace("Policy rule {} would be triggered, but there is an exception for it:\nTriggers:\n{}\nException:\n{}",
                ruleName, DebugUtil.debugDump(triggers, 1), policyException);
    }
    // The cast stays after the logging so the log lines are emitted even if it fails.
    final EvaluatedPolicyRuleImpl ruleImpl = (EvaluatedPolicyRuleImpl) rule;
    ruleImpl.addPolicyException(policyException);
}
/**
 * Applies every policy exception stored on the assignment that names the given rule.
 *
 * <p>Review notes:
 * <ul>
 *   <li>An exception is matched to a rule by name only. Any rule carrying the same name is
 *       waived by the same exception, so rule names need to be unique for an exception to
 *       have the intended scope.</li>
 *   <li>A rule whose name is {@code null} can never match, because {@code equals(null)}
 *       is false.</li>
 *   <li>A policy exception whose rule name is {@code null} makes this method throw
 *       {@code NullPointerException}; whether the schema allows that is not visible here.</li>
 * </ul>
 *
 * @param evaluatedAssignment the assignment whose policy exceptions are inspected
 * @param rule                the rule that is about to be triggered
 * @param triggers            the triggers of that rule, passed on for logging
 * @return {@code true} if at least one exception named the rule
 */
private boolean processRuleExceptions(EvaluatedAssignmentImpl<AH> evaluatedAssignment, @NotNull EvaluatedPolicyRule rule,
        Collection<EvaluatedPolicyRuleTrigger<?>> triggers) {
    boolean exceptionFound = false;
    for (PolicyExceptionType candidate : evaluatedAssignment.getAssignmentType().getPolicyException()) {
        if (!candidate.getRuleName().equals(rule.getName())) {
            continue;
        }
        // No early exit: every exception naming the rule is recorded on it.
        LensUtil.processRuleWithException(rule, triggers, candidate);
        exceptionFound = true;
    }
    return exceptionFound;
}
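/**
 * Finds the first evaluated policy rule with the given name.
 *
 * <p>If several rules share the name, only the first one in iteration order is returned.
 *
 * @param evaluatedPolicyRules the rules to search
 * @param ruleName             the name to look for; must not be {@code null}
 * @return the first rule whose name equals {@code ruleName}
 * @throws java.util.NoSuchElementException if no rule has that name
 */
private EvaluatedPolicyRule getEvaluatedPolicyRule(Collection<EvaluatedPolicyRule> evaluatedPolicyRules, String ruleName) {
    return evaluatedPolicyRules.stream()
            .filter(rule -> ruleName.equals(rule.getName()))
            .findFirst()
            // Same exception type as the bare Optional.get() it replaces, but the message
            // now says which rule was missing.
            .orElseThrow(() -> new java.util.NoSuchElementException(
                    "No evaluated policy rule named '" + ruleName + "'"));
}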
/**
 * Marks a policy rule as triggered: attaches the triggers to the rule and reports the
 * rule's policy situation to the caller's collection.
 *
 * <p>Review note: the triggers are written to the log at DEBUG level, and as a full debug
 * dump at TRACE level. What data a trigger carries is not visible here; if triggers can
 * embed object content, these log levels will expose it.
 *
 * @param rule             the rule that fired; must be an {@code EvaluatedPolicyRuleImpl},
 *                         otherwise the cast below fails with {@code ClassCastException}
 * @param triggers         the triggers to attach to the rule
 * @param policySituations the caller's collection, which receives the rule's policy
 *                         situation through {@code CollectionUtils.addIgnoreNull}
 */
public static void triggerRule(@NotNull EvaluatedPolicyRule rule, Collection<EvaluatedPolicyRuleTrigger<?>> triggers,
        Collection<String> policySituations) {
    final String ruleName = rule.getName();
    LOGGER.debug("Policy rule {} triggered: {}", ruleName, triggers);
    if (LOGGER.isTraceEnabled()) {
        LOGGER.trace("Policy rule {} triggered:\n{}", ruleName, DebugUtil.debugDump(triggers, 1));
    }
    // The cast stays after the logging so the log lines are emitted even if it fails.
    final EvaluatedPolicyRuleImpl ruleImpl = (EvaluatedPolicyRuleImpl) rule;
    ruleImpl.addTriggers(triggers);
    CollectionUtils.addIgnoreNull(policySituations, rule.getPolicySituation());
}
/**
 * Asserts that the supplied trigger collection has the expected size.
 *
 * <p>The count is taken from the {@code triggers} argument, not read back from the rule;
 * the rule is used only to name it in the failure message.
 *
 * @param evaluatedPolicyRule      the rule the triggers belong to (for the message)
 * @param triggers                 the triggers to count
 * @param expectedNumberOfTriggers the required size of {@code triggers}
 */
private void assertEvaluatedPolicyRuleTriggers(EvaluatedPolicyRule evaluatedPolicyRule,
        Collection<EvaluatedPolicyRuleTrigger<?>> triggers, int expectedNumberOfTriggers) {
    final String failureMessage = "Wrong number of triggers in evaluated policy rule " + evaluatedPolicyRule.getName();
    final int actualNumberOfTriggers = triggers.size();
    assertEquals(failureMessage, expectedNumberOfTriggers, actualNumberOfTriggers);
}
/**
 * Asserts that the focus policy rules of an evaluated assignment have exactly the expected
 * names, irrespective of order.
 *
 * @param evaluatedAssignment the assignment whose focus policy rules are checked
 * @param expectedItems       the expected rule names
 */
private void assertFocusPolicyRules(EvaluatedAssignmentImpl<? extends FocusType> evaluatedAssignment,
        Collection<String> expectedItems) {
    assertUnsortedListsEquals(
            "Wrong focus policy rules",
            expectedItems,
            evaluatedAssignment.getFocusPolicyRules(),
            // Rules are compared by name only.
            policyRule -> policyRule.getName());
}
// Records, at TRACE level only, that a rule was skipped because it does not apply to an object.
// At the usual log levels nothing shows that the rule was left out of evaluation.
LOGGER.trace("Rule {} is not applicable to an object, skipping: {}", rule.getName(), rule);
/**
 * Asserts that an evaluated assignment carries exactly the expected "this target" and
 * "other targets" policy rules, compared by rule name and irrespective of order.
 *
 * <p>A {@code null} expectation is treated as "no rules expected".
 *
 * @param evaluatedAssignment       the assignment whose target policy rules are checked
 * @param expectedThisTargetItems   expected names of this-target rules, or {@code null}
 * @param expectedOtherTargetsItems expected names of other-targets rules, or {@code null}
 */
private void assertTargetPolicyRules(EvaluatedAssignmentImpl<? extends FocusType> evaluatedAssignment,
        Collection<String> expectedThisTargetItems, Collection<String> expectedOtherTargetsItems) {
    final Collection<String> otherTargetsExpected = CollectionUtils.emptyIfNull(expectedOtherTargetsItems);
    final Collection<String> thisTargetExpected = CollectionUtils.emptyIfNull(expectedThisTargetItems);

    // Other-targets rules are checked first, so a mismatch there is the one reported.
    assertUnsortedListsEquals("Wrong other targets policy rules", otherTargetsExpected,
            evaluatedAssignment.getOtherTargetsPolicyRules(), policyRule -> policyRule.getName());
    assertUnsortedListsEquals("Wrong this target policy rules", thisTargetExpected,
            evaluatedAssignment.getThisTargetPolicyRules(), policyRule -> policyRule.getName());
}
/**
 * Runs one script of a script-execution policy action.
 *
 * <p>If the script bean has no input and a focus context exists, a clone of the focus
 * object's value is supplied as the input before the script is evaluated.
 *
 * <p>Review notes:
 * <ul>
 *   <li>Failures are not propagated. A {@code ScriptExecutionException} or any
 *       {@code RuntimeException} is recorded as a fatal error on the sub-result and logged,
 *       and the method then returns normally. Callers that need the action to have
 *       succeeded must inspect the operation result.</li>
 *   <li>The default input is set on the {@code executeScriptBean} argument itself. If the
 *       caller passes a bean that is reused across invocations, the input from the first
 *       run would stay in place for later ones. TODO confirm the caller passes a private
 *       copy.</li>
 *   <li>The exception message is copied into both the operation result and the log.</li>
 * </ul>
 *
 * @param action            the policy action the script belongs to (used for variables and logging)
 * @param rule              the policy rule that carries the action
 * @param context           the model context; its focus object may become the script input
 * @param task              the task under which the script is evaluated
 * @param parentResult      the parent operation result; a sub-result is created under it
 * @param executeScriptBean the script to run; may be modified as described above
 */
private void executeScript(ScriptExecutionPolicyActionType action, EvaluatedPolicyRule rule, ModelContext<?> context,
        Task task, OperationResult parentResult, ExecuteScriptType executeScriptBean) {
    OperationResult result = parentResult.createSubresult(EXECUTE_SCRIPT_OPERATION);
    try {
        Map<String, Object> scriptVariables = createInitialVariables(action, rule, context);

        final boolean inputMissing = executeScriptBean.getInput() == null;
        if (inputMissing && context.getFocusContext() != null) {
            LensFocusContext focusContext = (LensFocusContext) context.getFocusContext();
            PrismObject focusObject = focusContext.getObjectAny();
            if (focusObject != null) {
                // The script receives a clone of the focus value, not the live value.
                ValueListType defaultInput = new ValueListType();
                defaultInput.getValue().add(focusObject.getValue().clone());
                executeScriptBean.setInput(defaultInput);
            }
        }

        scriptingExpressionEvaluator.evaluateExpression(executeScriptBean, scriptVariables, false, task, result);
    } catch (ScriptExecutionException | RuntimeException e) {
        result.recordFatalError("Couldn't execute script policy action: " + e.getMessage(), e);
        LoggingUtils.logUnexpectedException(LOGGER,
                "Couldn't execute script with id={} in scriptExecution policy action '{}' (rule '{}'): {}",
                e, action.getId(), action.getName(), rule.getName(), e.getMessage());
    } finally {
        result.computeStatusIfUnknown();
    }
}
/**
 * Verifies that switching an incomplete role to the active lifecycle state is refused.
 *
 * <p>The change must fail with {@code PolicyViolationException}; a successful execution
 * fails the test. The model context captured by the progress listener is then inspected
 * to check that the rule named {@code disallow-incomplete-role-activation} was evaluated
 * and carries two triggers.
 */
@Test
public void test020ActivateIncompleteRole() throws Exception {
    final String testName = "test020ActivateIncompleteRole";
    TestUtil.displayTestTitle(this, testName);
    login(userAdministrator);

    Task task = createTask(testName);
    OperationResult result = task.getResult();

    @SuppressWarnings({"unchecked", "raw"})
    ObjectDelta<RoleType> lifecycleActivationDelta = prismContext.deltaFor(RoleType.class)
            .item(RoleType.F_LIFECYCLE_STATE).replace(SchemaConstants.LIFECYCLE_ACTIVE)
            .asObjectDelta(roleEmployeeOid);

    // The listener keeps the model context, so the rules stay inspectable after the
    // operation has been rejected.
    RecordingProgressListener progressRecorder = new RecordingProgressListener();
    try {
        modelService.executeChanges(Collections.singleton(lifecycleActivationDelta), null, task,
                Collections.singleton(progressRecorder), result);
        // Reaching this line means the policy did not block the activation.
        fail("unexpected success");
    } catch (PolicyViolationException expected) {
        System.out.println("Got expected exception: " + expected.getMessage());
    }

    LensContext<RoleType> lensContext = (LensContext<RoleType>) progressRecorder.getModelContext();
    System.out.println(lensContext.dumpFocusPolicyRules(0));

    // Looked up by name; a missing rule fails the test rather than raising NoSuchElementException.
    EvaluatedPolicyRule incompleteActivationRule = lensContext.getFocusContext().getPolicyRules().stream()
            .filter(rule -> "disallow-incomplete-role-activation".equals(rule.getName()))
            .findFirst()
            .orElseThrow(() -> new AssertionError("rule not found"));
    assertEquals("Wrong # of triggers in incompleteActivationRule", 2, incompleteActivationRule.getTriggers().size()); // objectState + or
}
// Dump the focus policy rules to standard output for the test log.
System.out.println(context.dumpFocusPolicyRules(0));
// Pick the rule by its name from the focus context's policy rules. The string literal comes
// first in equals(), so a rule with a null name is skipped rather than causing an NPE.
// A missing rule surfaces as an AssertionError instead of a bare NoSuchElementException.
EvaluatedPolicyRule incompleteActivationRule = context.getFocusContext().getPolicyRules().stream()
        .filter(rule -> "disallow-incomplete-role-activation".equals(rule.getName()))
        .findFirst()
        .orElseThrow(() -> new AssertionError("rule not found"));
/**
 * Decides whether a modification policy constraint matches the current focus change.
 *
 * <p>The constraint matches only if all of the following hold, checked in this order:
 * <ol>
 *   <li>the operation in the focus context matches the constraint's operation;</li>
 *   <li>the focus context has some delta;</li>
 *   <li>if the constraint lists items, every listed path matches the union of the primary
 *       and secondary delta (one non-matching path makes the whole constraint not match);</li>
 *   <li>{@code expressionPasses} accepts the constraint.</li>
 * </ol>
 *
 * <p>Review note: only the operation mismatch is logged, at TRACE level. The other
 * {@code false} outcomes return silently, so the log does not show why a constraint did
 * not fire.
 *
 * @param constraintElement the constraint to evaluate
 * @param ctx               the evaluation context (focus context and policy rule)
 * @param result            the operation result passed on to expression evaluation
 * @return {@code true} if the constraint matches
 */
private <AH extends AssignmentHolderType> boolean modificationConstraintMatches(
        JAXBElement<ModificationPolicyConstraintType> constraintElement,
        ObjectPolicyRuleEvaluationContext<AH> ctx, OperationResult result)
        throws SchemaException, ConfigurationException, ObjectNotFoundException, CommunicationException,
        SecurityViolationException, ExpressionEvaluationException {
    final ModificationPolicyConstraintType modificationConstraint = constraintElement.getValue();

    final boolean operationApplies = operationMatches(ctx.focusContext, modificationConstraint.getOperation());
    if (!operationApplies) {
        LOGGER.trace("Rule {} operation not applicable", ctx.policyRule.getName());
        return false;
    }
    if (!ctx.focusContext.hasAnyDelta()) {
        return false;
    }

    final boolean itemsListed = !modificationConstraint.getItem().isEmpty();
    if (itemsListed) {
        // Paths are matched against the combined primary and secondary delta.
        ObjectDelta<?> combinedDelta = ObjectDeltaCollectionsUtil.union(
                ctx.focusContext.getPrimaryDelta(), ctx.focusContext.getSecondaryDelta());
        if (combinedDelta == null) {
            return false;
        }
        boolean exactMatchRequired = isTrue(modificationConstraint.isExactPathMatch());
        for (ItemPathType listedPath : modificationConstraint.getItem()) {
            boolean pathChanged = pathMatches(combinedDelta, ctx.focusContext.getObjectOld(),
                    prismContext.toPath(listedPath), exactMatchRequired);
            if (!pathChanged) {
                // All listed items are required; the first miss ends the evaluation.
                return false;
            }
        }
    }
    return expressionPasses(constraintElement, ctx, result);
}
// Visits every evaluated focus policy rule, displays it, and stores it in `rules` under its name.
// NOTE(review): entries are keyed by getName(), so rules that share a name (or have none) would
// land on the same key — presumably `rules` is a Map and names are unique here; confirm.
forEvaluatedFocusPolicyRule(context, (r) -> {
    display("rule", r);
    rules.put(r.getName(), r);
});