use of com.evolveum.midpoint.common.refinery.PropertyLimitations in project midpoint by Evolveum.
the class InboundProcessor method processInboundExpressionsForProjection.
private <F extends FocusType> void processInboundExpressionsForProjection(LensContext<F> context, LensProjectionContext projContext, RefinedObjectClassDefinition accountDefinition, ObjectDelta<ShadowType> aPrioriDelta, Task task, XMLGregorianCalendar now, OperationResult result) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, ConfigurationException, CommunicationException, SecurityViolationException {
if (aPrioriDelta == null && projContext.getObjectCurrent() == null) {
LOGGER.trace("Nothing to process in inbound, both a priori delta and current account were null.");
return;
}
PrismObject<ShadowType> accountCurrent = projContext.getObjectCurrent();
PrismObject<ShadowType> accountNew = projContext.getObjectNew();
if (hasAnyStrongMapping(accountDefinition) && !projContext.isFullShadow() && !projContext.isThombstone()) {
LOGGER.trace("There are strong inbound mapping, but the shadow hasn't be fully loaded yet. Trying to load full shadow now.");
accountCurrent = loadProjection(context, projContext, task, result, accountCurrent);
if (projContext.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.BROKEN) {
return;
}
}
for (QName accountAttributeName : accountDefinition.getNamesOfAttributesWithInboundExpressions()) {
final PropertyDelta<?> attributeAPrioriDelta;
if (aPrioriDelta != null) {
attributeAPrioriDelta = aPrioriDelta.findPropertyDelta(new ItemPath(SchemaConstants.C_ATTRIBUTES), accountAttributeName);
if (attributeAPrioriDelta == null && !projContext.isFullShadow() && !LensUtil.hasDependentContext(context, projContext)) {
LOGGER.trace("Skipping inbound for {} in {}: Not a full shadow and account a priori delta exists, but doesn't have change for processed property.", accountAttributeName, projContext.getResourceShadowDiscriminator());
continue;
}
} else {
attributeAPrioriDelta = null;
}
RefinedAttributeDefinition attrDef = accountDefinition.findAttributeDefinition(accountAttributeName);
if (attrDef.isIgnored(LayerType.MODEL)) {
LOGGER.trace("Skipping inbound for attribute {} in {} because the attribute is ignored", PrettyPrinter.prettyPrint(accountAttributeName), projContext.getResourceShadowDiscriminator());
continue;
}
List<MappingType> inboundMappingTypes = attrDef.getInboundMappingTypes();
if (LOGGER.isTraceEnabled()) {
LOGGER.trace("Processing inbound for {} in {}; ({} mappings)", PrettyPrinter.prettyPrint(accountAttributeName), projContext.getResourceShadowDiscriminator(), inboundMappingTypes.size());
}
if (!inboundMappingTypes.isEmpty()) {
PropertyLimitations limitations = attrDef.getLimitations(LayerType.MODEL);
if (limitations != null) {
PropertyAccessType access = limitations.getAccess();
if (access != null) {
if (access.isRead() == null || !access.isRead()) {
LOGGER.warn("Inbound mapping for non-readable attribute {} in {}, skipping", accountAttributeName, projContext.getHumanReadableName());
continue;
}
}
}
for (MappingType inboundMappingType : inboundMappingTypes) {
// we want to reconcile also the existing attribute value? This probably would not work.
if (inboundMappingType.getStrength() == MappingStrengthType.STRONG) {
LOGGER.trace("There is an inbound mapping with strength == STRONG, trying to load full account now.");
if (!projContext.isFullShadow() && !projContext.isDelete()) {
accountCurrent = loadProjection(context, projContext, task, result, accountCurrent);
if (projContext.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.BROKEN) {
return;
}
}
}
if (attributeAPrioriDelta == null && !projContext.isFullShadow() && !LensUtil.hasDependentContext(context, projContext)) {
LOGGER.trace("Skipping inbound for {} in {}: Not a full shadow and account a priori delta exists, but doesn't have change for processed property.", accountAttributeName, projContext.getResourceShadowDiscriminator());
continue;
}
PrismObject<F> focus;
if (context.getFocusContext().getObjectCurrent() != null) {
focus = context.getFocusContext().getObjectCurrent();
} else {
focus = context.getFocusContext().getObjectNew();
}
ItemDelta focusItemDelta = null;
if (attributeAPrioriDelta != null) {
LOGGER.trace("Processing inbound from a priori delta: {}", aPrioriDelta);
focusItemDelta = evaluateInboundMapping(context, inboundMappingType, accountAttributeName, null, attributeAPrioriDelta, focus, accountNew, projContext.getResource(), task, result);
} else if (accountCurrent != null) {
if (!projContext.isFullShadow()) {
// todo change to trace level eventually
LOGGER.warn("Attempted to execute inbound expression on account shadow {} WITHOUT full account. Trying to load the account now.", projContext.getOid());
accountCurrent = loadProjection(context, projContext, task, result, accountCurrent);
if (projContext.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.BROKEN) {
return;
}
if (!projContext.isFullShadow()) {
if (projContext.getResourceShadowDiscriminator().getOrder() > 0) {
// higher-order context. It is OK not to load this
LOGGER.trace("Skipped load of higher-order account with shadow OID {} skipping inbound processing on it", projContext.getOid());
return;
}
// TODO: is it good to mark as broken? what is
// the resorce is down?? if there is no
// assignment and the account was added directly
// it can cause that the account will be
// unlinked from the user FIXME
LOGGER.warn("Couldn't load account with shadow OID {}, setting context as broken and skipping inbound processing on it", projContext.getOid());
projContext.setSynchronizationPolicyDecision(SynchronizationPolicyDecision.BROKEN);
return;
}
}
PrismProperty<?> oldAccountProperty = accountCurrent.findProperty(new ItemPath(ShadowType.F_ATTRIBUTES, accountAttributeName));
LOGGER.trace("Processing inbound from account sync absolute state (currentAccount): {}", oldAccountProperty);
focusItemDelta = evaluateInboundMapping(context, inboundMappingType, accountAttributeName, oldAccountProperty, null, focus, accountNew, projContext.getResource(), task, result);
}
if (focusItemDelta != null && !focusItemDelta.isEmpty()) {
if (LOGGER.isTraceEnabled()) {
LOGGER.trace("Created delta (from inbound expression for {} on {})\n{}", accountAttributeName, projContext.getResource(), focusItemDelta.debugDump(1));
}
context.getFocusContext().swallowToProjectionWaveSecondaryDelta(focusItemDelta);
context.recomputeFocus();
} else {
LOGGER.trace("Created delta (from inbound expression for {} on {}) was null or empty.", accountAttributeName, projContext.getResource());
}
}
}
}
if (isDeleteAccountDelta(projContext)) {
// we don't need to do inbound if account was deleted
return;
}
processSpecialPropertyInbound(accountDefinition.getPasswordInbound(), SchemaConstants.PATH_PASSWORD_VALUE, context.getFocusContext().getObjectNew(), projContext, accountDefinition, context, task, now, result);
processSpecialPropertyInbound(accountDefinition.getActivationBidirectionalMappingType(ActivationType.F_ADMINISTRATIVE_STATUS), SchemaConstants.PATH_ACTIVATION_ADMINISTRATIVE_STATUS, context.getFocusContext().getObjectNew(), projContext, accountDefinition, context, task, now, result);
processSpecialPropertyInbound(accountDefinition.getActivationBidirectionalMappingType(ActivationType.F_VALID_FROM), SchemaConstants.PATH_ACTIVATION_VALID_FROM, context.getFocusContext().getObjectNew(), projContext, accountDefinition, context, task, now, result);
processSpecialPropertyInbound(accountDefinition.getActivationBidirectionalMappingType(ActivationType.F_VALID_TO), SchemaConstants.PATH_ACTIVATION_VALID_TO, context.getFocusContext().getObjectNew(), projContext, accountDefinition, context, task, now, result);
}
use of com.evolveum.midpoint.common.refinery.PropertyLimitations in project midpoint by Evolveum.
the class ReconciliationProcessor method reconcileProjectionAttribute.
private <T> void reconcileProjectionAttribute(QName attrName, LensProjectionContext projCtx, Map<QName, DeltaSetTriple<ItemValueWithOrigin<PrismPropertyValue<?>, PrismPropertyDefinition<?>>>> squeezedAttributes, RefinedObjectClassDefinition rOcDef, PrismObject<ShadowType> shadowNew, PrismContainer attributesContainer) throws SchemaException {
// LOGGER.trace("Attribute reconciliation processing attribute {}",attrName);
RefinedAttributeDefinition<T> attributeDefinition = projCtx.findAttributeDefinition(attrName);
if (attributeDefinition == null) {
String msg = "No definition for attribute " + attrName + " in " + projCtx.getResourceShadowDiscriminator();
throw new SchemaException(msg);
}
DeltaSetTriple<ItemValueWithOrigin<PrismPropertyValue<T>, PrismPropertyDefinition<T>>> pvwoTriple = squeezedAttributes != null ? (DeltaSetTriple) squeezedAttributes.get(attrName) : null;
if (attributeDefinition.isIgnored(LayerType.MODEL)) {
LOGGER.trace("Skipping reconciliation of attribute {} because it is ignored", attrName);
return;
}
PropertyLimitations limitations = attributeDefinition.getLimitations(LayerType.MODEL);
if (limitations != null) {
PropertyAccessType access = limitations.getAccess();
if (access != null) {
if (projCtx.isAdd() && (access.isAdd() == null || !access.isAdd())) {
LOGGER.trace("Skipping reconciliation of attribute {} because it is non-createable", attrName);
return;
}
if (projCtx.isModify() && (access.isModify() == null || !access.isModify())) {
LOGGER.trace("Skipping reconciliation of attribute {} because it is non-updateable", attrName);
return;
}
}
}
Collection<ItemValueWithOrigin<PrismPropertyValue<T>, PrismPropertyDefinition<T>>> shouldBePValues;
if (pvwoTriple == null) {
shouldBePValues = new HashSet<>();
} else {
shouldBePValues = new HashSet<>(pvwoTriple.getNonNegativeValues());
}
// We consider values explicitly requested by user to be among "should be values".
addPropValuesFromDelta(shouldBePValues, projCtx.getPrimaryDelta(), attrName);
// But we DO NOT take values from sync delta (because they just reflect what's on the resource),
// nor from secondary delta (because these got there from mappings).
boolean hasStrongShouldBePValue = false;
for (ItemValueWithOrigin<? extends PrismPropertyValue<T>, PrismPropertyDefinition<T>> shouldBePValue : shouldBePValues) {
if (shouldBePValue.getMapping() != null && shouldBePValue.getMapping().getStrength() == MappingStrengthType.STRONG) {
hasStrongShouldBePValue = true;
break;
}
}
PrismProperty<T> attribute = attributesContainer.findProperty(attrName);
Collection<PrismPropertyValue<T>> arePValues;
if (attribute != null) {
arePValues = attribute.getValues();
} else {
arePValues = new HashSet<>();
}
// Too loud :-)
// if (LOGGER.isTraceEnabled()) {
// StringBuilder sb = new StringBuilder();
// sb.append("Reconciliation\nATTR: ").append(PrettyPrinter.prettyPrint(attrName));
// sb.append("\n Should be:");
// for (ItemValueWithOrigin<?,?> shouldBePValue : shouldBePValues) {
// sb.append("\n ");
// sb.append(shouldBePValue.getItemValue());
// PrismValueDeltaSetTripleProducer<?, ?> shouldBeMapping = shouldBePValue.getMapping();
// if (shouldBeMapping.getStrength() == MappingStrengthType.STRONG) {
// sb.append(" STRONG");
// }
// if (shouldBeMapping.getStrength() == MappingStrengthType.WEAK) {
// sb.append(" WEAK");
// }
// if (!shouldBePValue.isValid()) {
// sb.append(" INVALID");
// }
// }
// sb.append("\n Is:");
// for (PrismPropertyValue<Object> isPVal : arePValues) {
// sb.append("\n ");
// sb.append(isPVal);
// }
// LOGGER.trace("{}", sb.toString());
// }
ValueMatcher<T> valueMatcher = ValueMatcher.createMatcher(attributeDefinition, matchingRuleRegistry);
boolean hasValue = false;
for (ItemValueWithOrigin<? extends PrismPropertyValue<T>, PrismPropertyDefinition<T>> shouldBePvwo : shouldBePValues) {
PrismValueDeltaSetTripleProducer<?, ?> shouldBeMapping = shouldBePvwo.getMapping();
if (shouldBeMapping == null) {
continue;
}
T shouldBeRealValue = shouldBePvwo.getItemValue().getValue();
if (shouldBeMapping.getStrength() != MappingStrengthType.STRONG && (!arePValues.isEmpty() || hasStrongShouldBePValue)) {
// weak or normal value and the attribute already has a
// value. Skip it.
// we cannot override it as it might have been legally
// changed directly on the projection resource object
LOGGER.trace("Skipping reconciliation of value {} of the attribute {}: the mapping is not strong", shouldBeRealValue, attributeDefinition.getName().getLocalPart());
continue;
}
if (!isInValues(valueMatcher, shouldBeRealValue, arePValues)) {
if (attributeDefinition.isSingleValue()) {
if (hasValue) {
throw new SchemaException("Attempt to set more than one value for single-valued attribute " + attrName + " in " + projCtx.getResourceShadowDiscriminator());
}
recordDelta(valueMatcher, projCtx, SchemaConstants.PATH_ATTRIBUTES, attributeDefinition, ModificationType.REPLACE, shouldBeRealValue, shouldBePvwo.getSource(), "it is given by a mapping");
} else {
recordDelta(valueMatcher, projCtx, SchemaConstants.PATH_ATTRIBUTES, attributeDefinition, ModificationType.ADD, shouldBeRealValue, shouldBePvwo.getSource(), "it is given by a mapping");
}
hasValue = true;
}
}
decideIfTolerate(projCtx, attributeDefinition, arePValues, shouldBePValues, valueMatcher);
}
use of com.evolveum.midpoint.common.refinery.PropertyLimitations in project midpoint by Evolveum.
the class AccessChecker method filterGetAttributes.
public void filterGetAttributes(ResourceAttributeContainer attributeContainer, RefinedObjectClassDefinition objectClassDefinition, OperationResult parentResult) throws SchemaException {
OperationResult result = parentResult.createMinorSubresult(OPERATION_NAME);
for (ResourceAttribute<?> attribute : attributeContainer.getAttributes()) {
QName attrName = attribute.getElementName();
RefinedAttributeDefinition attrDef = objectClassDefinition.findAttributeDefinition(attrName);
if (attrDef == null) {
String message = "Unknown attribute " + attrName + " in objectclass " + objectClassDefinition;
result.recordFatalError(message);
throw new SchemaException(message);
}
// Need to check model layer, not schema. Model means IDM logic which can be overridden in schemaHandling,
// schema layer is the original one.
PropertyLimitations limitations = attrDef.getLimitations(LayerType.MODEL);
if (limitations == null) {
continue;
}
// We cannot throw error here. At least not now. Provisioning will internally use ignored attributes
// e.g. for simulated capabilities. This is not a problem for normal operations, but it is a problem
// for delayed operations (e.g. consistency) that are passing through this code again.
// TODO: we need to figure a way how to avoid this loop
// if (limitations.isIgnore()) {
// String message = "Attempt to create shadow with ignored attribute "+attribute.getName();
// LOGGER.error(message);
// throw new SchemaException(message);
// }
PropertyAccessType access = limitations.getAccess();
if (access == null) {
continue;
}
if (access.isRead() == null || !access.isRead()) {
LOGGER.trace("Removing non-readable attribute {}", attrName);
attributeContainer.remove(attribute);
}
}
result.recordSuccess();
}
use of com.evolveum.midpoint.common.refinery.PropertyLimitations in project midpoint by Evolveum.
the class AccessChecker method checkModify.
public void checkModify(ResourceType resource, PrismObject<ShadowType> shadow, Collection<? extends ItemDelta> modifications, RefinedObjectClassDefinition objectClassDefinition, OperationResult parentResult) throws SecurityViolationException, SchemaException {
OperationResult result = parentResult.createMinorSubresult(OPERATION_NAME);
for (ItemDelta modification : modifications) {
if (!(modification instanceof PropertyDelta<?>)) {
continue;
}
PropertyDelta<?> attrDelta = (PropertyDelta<?>) modification;
if (!SchemaConstants.PATH_ATTRIBUTES.equivalent(attrDelta.getParentPath())) {
// Not an attribute
continue;
}
QName attrName = attrDelta.getElementName();
RefinedAttributeDefinition attrDef = objectClassDefinition.findAttributeDefinition(attrName);
if (attrDef == null) {
throw new SchemaException("Cannot find definition of attribute " + attrName + " in " + objectClassDefinition);
}
PropertyLimitations limitations = attrDef.getLimitations(LayerType.MODEL);
if (limitations == null) {
continue;
}
// We cannot throw error here. At least not now. Provisioning will internally use ignored attributes
// e.g. for simulated capabilities. This is not a problem for normal operations, but it is a problem
// for delayed operations (e.g. consistency) that are passing through this code again.
// TODO: we need to figure a way how to avoid this loop
// if (limitations.isIgnore()) {
// String message = "Attempt to create shadow with ignored attribute "+attribute.getName();
// LOGGER.error(message);
// throw new SchemaException(message);
// }
PropertyAccessType access = limitations.getAccess();
if (access == null) {
continue;
}
if (access.isModify() == null || !access.isModify()) {
String message = "Attempt to modify non-updateable attribute " + attrName;
LOGGER.error(message);
result.recordFatalError(message);
throw new SecurityViolationException(message);
}
}
result.recordSuccess();
}
use of com.evolveum.midpoint.common.refinery.PropertyLimitations in project midpoint by Evolveum.
the class AccessChecker method checkAdd.
public void checkAdd(ProvisioningContext ctx, PrismObject<ShadowType> shadow, OperationResult parentResult) throws SchemaException, SecurityViolationException, ConfigurationException, ObjectNotFoundException, CommunicationException, ExpressionEvaluationException {
OperationResult result = parentResult.createMinorSubresult(OPERATION_NAME);
ResourceAttributeContainer attributeCont = ShadowUtil.getAttributesContainer(shadow);
for (ResourceAttribute<?> attribute : attributeCont.getAttributes()) {
RefinedAttributeDefinition attrDef = ctx.getObjectClassDefinition().findAttributeDefinition(attribute.getElementName());
// schema layer is the original one.
if (attrDef == null) {
String msg = "No definition for attribute " + attribute.getElementName() + " in " + ctx.getObjectClassDefinition();
result.recordFatalError(msg);
throw new SchemaException(msg);
}
PropertyLimitations limitations = attrDef.getLimitations(LayerType.MODEL);
if (limitations == null) {
continue;
}
// We cannot throw error here. At least not now. Provisioning will internally use ignored attributes
// e.g. for simulated capabilities. This is not a problem for normal operations, but it is a problem
// for delayed operations (e.g. consistency) that are passing through this code again.
// TODO: we need to figure a way how to avoid this loop
// if (limitations.isIgnore()) {
// String message = "Attempt to create shadow with ignored attribute "+attribute.getName();
// LOGGER.error(message);
// throw new SchemaException(message);
// }
PropertyAccessType access = limitations.getAccess();
if (access == null) {
continue;
}
if (access.isAdd() == null || !access.isAdd()) {
String message = "Attempt to add shadow with non-createable attribute " + attribute.getElementName();
LOGGER.error(message);
result.recordFatalError(message);
throw new SecurityViolationException(message);
}
}
result.recordSuccess();
}
Aggregations