/**
 * Records the failure through {@code recordCompletionError} and then rethrows it as a
 * {@link PolicyViolationException}.
 *
 * <p>A cause that is already a {@code PolicyViolationException} is rethrown as the same instance.
 * Any other exception is wrapped, with the original kept as the cause so the stack trace survives.
 *
 * @param cause exception to record and rethrow
 * @param opState operation state handed to {@code recordCompletionError}
 * @param result operation result handed to {@code recordCompletionError}
 * @throws PolicyViolationException always; this method never returns normally
 */
@Override
protected void throwException(Exception cause, ProvisioningOperationState<? extends AsynchronousOperationResult> opState, OperationResult result) throws PolicyViolationException {
    // The error is recorded before rethrowing, so the result carries it even if a caller swallows the exception.
    recordCompletionError(cause, opState, result);
    if (!(cause instanceof PolicyViolationException)) {
        // NOTE(review): the wrapper reuses the lower-level message verbatim; confirm it is fit for
        // every place where this exception's message is displayed.
        throw new PolicyViolationException(cause.getMessage(), cause);
    }
    throw (PolicyViolationException) cause;
}
/**
 * Rejects a dependency that already appears on the path walked so far.
 *
 * <p>If any element of {@code depPath} equals {@code outDependency}, the whole path is rendered as
 * {@code oid(kind/intent)->oid(kind/intent)...} and reported in a {@link PolicyViolationException}.
 *
 * @param depPath dependencies traversed so far
 * @param outDependency dependency about to be followed
 * @param projectionContext projection whose human-readable name is put into the error message
 * @throws PolicyViolationException if {@code outDependency} is already on {@code depPath}
 */
private void checkForCircular(List<ResourceObjectTypeDependencyType> depPath,
        ResourceObjectTypeDependencyType outDependency, LensProjectionContext projectionContext) throws PolicyViolationException {
    for (ResourceObjectTypeDependencyType visited : depPath) {
        if (!visited.equals(outDependency)) {
            continue;
        }
        // Render the complete path so an administrator can see where the loop closes.
        // NOTE(review): the text carries resource OIDs, kinds and intents; confirm that is
        // acceptable wherever this message is shown.
        StringBuilder path = new StringBuilder();
        String separator = "";
        for (ResourceObjectTypeDependencyType step : depPath) {
            path.append(separator);
            ObjectReferenceType resourceRef = step.getResourceRef();
            if (resourceRef != null) {
                path.append(resourceRef.getOid());
            }
            path.append("(").append(step.getKind()).append("/").append(step.getIntent()).append(")");
            separator = "->";
        }
        throw new PolicyViolationException("Circular dependency in "+projectionContext.getHumanReadableName()+", path: "+path.toString());
    }
}
/**
 * Fails the operation when the evaluation context has collected any messages.
 *
 * <p>All messages in {@code evalCtx.messages} are joined with a semicolon separator into one
 * localizable message, wrapped in a {@link PolicyViolationException} and passed through
 * {@code localizationService.translate} before being thrown.
 *
 * @param evalCtx evaluation context whose {@code messages} are inspected
 * @throws PolicyViolationException if {@code evalCtx.messages} is not empty
 */
private void executeRegular(EvaluationContext evalCtx) throws PolicyViolationException {
    if (evalCtx.messages.isEmpty()) {
        // Nothing was collected, so there is nothing to enforce.
        return;
    }
    LocalizableMessage combined = new LocalizableMessageListBuilder()
            .messages(evalCtx.messages)
            .separator(LocalizableMessageList.SEMICOLON)
            .buildOptimized();
    PolicyViolationException violation = new PolicyViolationException(combined);
    throw localizationService.translate(violation);
}
/**
 * Checks whether following {@code target} from {@code segment} would loop.
 *
 * <p>There are two outcomes besides "no cycle". A target whose OID equals the OID of the segment
 * source is a hard error. A target that already occurs {@code MAX_TARGET_OCCURRENCES} times or more
 * on the assignment path is only logged at debug level and reported by returning {@code true}.
 *
 * @param segment assignment path segment being evaluated; its {@code source} is compared with the target
 * @param target object the segment points to
 * @param ctx evaluation context holding the assignment path
 * @return {@code true} if the occurrence limit has been reached, {@code false} otherwise
 * @throws PolicyViolationException if the target OID equals the OID of the segment source
 */
private <O extends ObjectType> boolean hasCycle(AssignmentPathSegmentImpl segment, @NotNull PrismObject<O> target,
        EvaluationContext ctx) throws PolicyViolationException {
    // TODO reconsider this
    // NOTE(review): target.getOid() is dereferenced without a null check, so a target without an OID
    // fails here with a NullPointerException; confirm callers always pass a target that has one.
    if (target.getOid().equals(segment.source.getOid())) {
        throw new PolicyViolationException("The "+segment.source+" refers to itself in assignment/inducement");
    }
    // removed condition "&& segment.getEvaluationOrder().equals(ctx.assignmentPath.getEvaluationOrder())"
    // as currently it is always true
    // TODO reconsider this
    int occurrences = ctx.assignmentPath.countTargetOccurrences(target.asObjectable());
    if (occurrences < MAX_TARGET_OCCURRENCES) {
        return false;
    }
    // The limit caps how often one target can repeat on a path, so a looping definition is reported
    // as a cycle instead of being followed again.
    LOGGER.debug("Max # of target occurrences ({}) detected for target {} in {} - stopping evaluation here",
            MAX_TARGET_OCCURRENCES, ObjectTypeUtil.toShortString(target), ctx.assignmentPath);
    return true;
}
throw new PolicyViolationException("Cannot set "+itemPath+" to a value different than OID in oid bound mode"); throw new PolicyViolationException("Cannot change "+itemPath+" in oid bound mode"); throw new PolicyViolationException("Cannot set name to a value different than OID in name-oid bound mode"); PropertyDelta<Object> nameDelta = focusDelta.findPropertyDelta(FocusType.F_NAME); if (nameDelta != null) { throw new PolicyViolationException("Cannot change name in name-oid bound mode");
/**
 * Returns the cleartext of a protected string so it can be validated.
 *
 * <p>The value is obtained through {@code protector.decryptString} when the protected string is
 * encrypted or carries a clear value. A hashed value cannot be recovered and is rejected.
 *
 * <p>The return value is a plaintext secret, so callers should keep it out of logs, operation
 * results and exception messages.
 *
 * @param protectedString protected value to read
 * @return the cleartext, or {@code null} if the value is neither encrypted, clear nor hashed
 * @throws SchemaException if the value is hashed
 * @throws PolicyViolationException if the protector reports an {@code EncryptionException}
 */
private String getClearValue(ProtectedStringType protectedString) throws SchemaException, PolicyViolationException {
    try {
        // Both cases go through the protector.
        // NOTE(review): presumably decryptString hands back the clear value when the string is
        // not encrypted; confirm against the Protector implementation.
        if (protectedString.isEncrypted() || protectedString.getClearValue() != null) {
            return protector.decryptString(protectedString);
        }
        if (protectedString.isHashed()) {
            throw new SchemaException("Cannot validate value of hashed password");
        }
        return null;
    } catch (EncryptionException e) {
        // NOTE(review): the encryption error text becomes the policy-violation message; confirm it
        // carries no key or ciphertext detail before it is shown to a user.
        throw new PolicyViolationException(e.getMessage(), e);
    }
}
case ZERO: if (!PrismValueCollectionsUtil.containsRealValue(shouldBeParentOrgRefs, val)) { throw new TunnelException(new PolicyViolationException("Attempt to add parentOrgRef "+val.getOid()+", but it is not allowed by assignments")); throw new TunnelException(new PolicyViolationException("Attempt to delete parentOrgRef "+val.getOid()+", but it is mandated by assignments"));
/**
 * Attaches a credential validation result to {@code result} and fails if it is not acceptable.
 *
 * <p>The sub-result is added before the acceptability check. An unacceptable result is turned into
 * a localizable message whose key is {@code PolicyViolationException.message.credentials.} followed
 * by {@code getCredentialHumanReadableKey()}, with the user-friendly validation message as its
 * argument.
 *
 * @param validationResult outcome of the credential validation
 * @throws PolicyViolationException if {@code validationResult.isAcceptable()} is {@code false}
 */
private void processValidationResult(OperationResult validationResult) throws PolicyViolationException {
    // Always recorded, so the validation detail stays available even when the check passes.
    result.addSubresult(validationResult);
    if (validationResult.isAcceptable()) {
        return;
    }
    SingleLocalizableMessage violationMessage = new LocalizableMessageBuilder()
            .key("PolicyViolationException.message.credentials." + getCredentialHumanReadableKey())
            .arg(validationResult.getUserFriendlyMessage())
            .build();
    PolicyViolationException violation = new PolicyViolationException(violationMessage);
    throw localizationService.translate(violation);
}
/**
 * Rejects a primary delta that deletes a projection which is still assigned.
 *
 * <p>Projections are skipped when their assignment policy enforcement is {@code NONE}, when they
 * are tombstones, or when they are not assigned. For the remaining projections a primary delta of
 * type delete is a policy violation.
 *
 * <p>The guard is therefore inactive for any projection configured with enforcement {@code NONE}.
 *
 * @param context lens context whose projection contexts are checked
 * @param result operation result; not used by the statements of this method
 * @throws PolicyViolationException if an assigned projection has a delete primary delta
 * @throws SchemaException declared in the signature; no statement here throws it directly
 */
public <F extends ObjectType> void checkForAssignmentConflicts(LensContext<F> context,
        OperationResult result) throws PolicyViolationException, SchemaException {
    for (LensProjectionContext projCtx : context.getProjectionContexts()) {
        boolean enforcementDisabled =
                AssignmentPolicyEnforcementType.NONE == projCtx.getAssignmentPolicyEnforcementType();
        if (enforcementDisabled || projCtx.isTombstone() || !projCtx.isAssigned()) {
            continue;
        }
        ObjectDelta<ShadowType> primaryDelta = projCtx.getPrimaryDelta();
        if (primaryDelta != null && primaryDelta.isDelete()) {
            throw new PolicyViolationException("Attempt to delete "+projCtx.getHumanReadableName()+" while " +
                    "it is assigned violates an assignment policy");
        }
    }
}
ReferenceDelta archetypeRefDelta = focusPrimaryDelta.findReferenceModification(AssignmentHolderType.F_ARCHETYPE_REF); if (archetypeRefDelta != null) { throw new PolicyViolationException("Attempt to modify archetypeRef directly");
/**
 * Logs a triggered legacy policy rule and enforces it where the constraint requires that.
 *
 * <p>The trigger is enforced when its constraint's enforcement is {@code ENFORCE} or is not set at
 * all, so a constraint with no explicit enforcement fails closed. Any other enforcement value only
 * produces the log entries.
 *
 * @param trigger evaluated trigger supplying the constraint and the message
 * @param policySituations not used by the statements of this method
 * @param localizationService service used to translate the exception before it is thrown
 * @throws PolicyViolationException if the enforcement is {@code null} or {@code ENFORCE}
 */
public static void triggerConstraintLegacy(EvaluatedPolicyRuleTrigger trigger, Collection<String> policySituations,
        LocalizationService localizationService) throws PolicyViolationException {
    LOGGER.debug("Legacy policy rule triggered: {}", trigger);
    if (LOGGER.isTraceEnabled()) {
        // The full dump is built only when trace logging is on.
        LOGGER.trace("Legacy Policy rule triggered:\n{}", trigger.debugDump(1));
    }
    PolicyConstraintEnforcementType enforcement = trigger.getConstraint().getEnforcement();
    boolean reportOnly = enforcement != null && enforcement != PolicyConstraintEnforcementType.ENFORCE;
    if (reportOnly) {
        return;
    }
    throw localizationService.translate(new PolicyViolationException(trigger.getMessage()));
}
} else { if (!assignmentTenantOid.equals(tenantOid)) { throw new PolicyViolationException("Two different tenants ("+tenantOid+", "+assignmentTenantOid+") applicable to "+context.getFocusContext().getHumanReadableName());
} else { if (!parentTenantRef.getOid().equals(tenantOid)) { throw new PolicyViolationException("Two different tenants ("+tenantOid+", "+parentTenantRef.getOid()+") applicable to "+context.getFocusContext().getHumanReadableName());
RefinedAttributeDefinition rAttrDef = rAccountDef.findAttributeDefinition(attribute.getElementName()); if (!rAttrDef.isTolerant()) { throw new PolicyViolationException("Attempt to add object with non-tolerant attribute "+attribute.getElementName()+" in "+ "account "+accountContext.getResourceShadowDiscriminator()+" during "+activityDescription); RefinedAttributeDefinition rAttrDef = rAccountDef.findAttributeDefinition(attrDelta.getElementName()); if (!rAttrDef.isTolerant()) { throw new PolicyViolationException("Attempt to modify non-tolerant attribute "+attrDelta.getElementName()+" in "+ "account "+accountContext.getResourceShadowDiscriminator()+" during "+activityDescription);
throw new PolicyViolationException("Cannot remove "+accountContext.getHumanReadableName() +" because "+projectionContext.getHumanReadableName()+" depends on it");
LOGGER.trace(" processing (reversed) dependency: {}: unsatisfied strict dependency", PrettyPrinter.prettyPrint(outDependency)); throw new PolicyViolationException("Unsatisfied strict reverse dependency of account " + dependencySourceContext.getResourceShadowDiscriminator()+ " dependent on " + projectionContext.getResourceShadowDiscriminator() + ": Account is provisioned, but the account that it depends on is going to be deprovisioned"); } else if (outDependencyStrictness == ResourceObjectTypeDependencyStrictnessType.LAX) {
throw new PolicyViolationException( new LocalizableMessageBuilder() .key("PolicyViolationException.message.projectionPassword")
parentResult.recordFatalError("Cannot execute reset password. New password doesn't satisfy policy constraints"); LocalizableMessage localizableMessage = builder.fallbackMessage("New password doesn't satisfy policy constraints.").key("execute.reset.credential.validation.failed").build(); throw new PolicyViolationException(localizableMessage);
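// Reports a projection that is already present in the context. The message closes the
// parenthesis it opens before "existing", so the text is balanced when logged or shown.
throw new PolicyViolationException("Projection "+rsd+" already exists in context (existing "+existingShadow+", new "+projection+")");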
throw new PolicyViolationException("Attempt to add projection "+projectionContext.toHumanReadableString() +" while the synchronization enforcement policy is FULL and the projection is not assigned");