Examples with ResourceShadowDiscriminator com.evolveum.midpoint.schema.ResourceShadowDiscriminator used on opensource projects

Example 11 with ResourceShadowDiscriminator

use of com.evolveum.midpoint.schema.ResourceShadowDiscriminator in project midpoint by Evolveum.

the class DependencyProcessor method checkDependencies.

/**
	 * Check that the dependencies are still satisfied. Also check for high-ordes vs low-order operation consistency
	 * and stuff like that. 
	 */
public <F extends ObjectType> boolean checkDependencies(LensContext<F> context, LensProjectionContext projContext, OperationResult result) throws PolicyViolationException {
    if (projContext.isDelete()) {
        // It is OK if we depend on something that is not there if we are being removed ... for now
        return true;
    }
    if (projContext.getOid() == null || projContext.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.ADD) {
        // Check for lower-order contexts
        LensProjectionContext lowerOrderContext = null;
        for (LensProjectionContext projectionContext : context.getProjectionContexts()) {
            if (projContext == projectionContext) {
                continue;
            }
            if (projectionContext.compareResourceShadowDiscriminator(projContext.getResourceShadowDiscriminator(), false) && projectionContext.getResourceShadowDiscriminator().getOrder() < projContext.getResourceShadowDiscriminator().getOrder()) {
                if (projectionContext.getOid() != null) {
                    lowerOrderContext = projectionContext;
                    break;
                }
            }
        }
        if (lowerOrderContext != null) {
            if (lowerOrderContext.getOid() != null) {
                if (projContext.getOid() == null) {
                    projContext.setOid(lowerOrderContext.getOid());
                }
                if (projContext.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.ADD) {
                    // This context cannot be ADD. There is a lower-order context with an OID
                    // it means that the lower-order projection exists, we cannot add it twice
                    projContext.setSynchronizationPolicyDecision(SynchronizationPolicyDecision.KEEP);
                }
            }
            if (lowerOrderContext.isDelete()) {
                projContext.setSynchronizationPolicyDecision(SynchronizationPolicyDecision.DELETE);
            }
        }
    }
    for (ResourceObjectTypeDependencyType dependency : projContext.getDependencies()) {
        ResourceShadowDiscriminator refRat = new ResourceShadowDiscriminator(dependency, projContext.getResource().getOid(), projContext.getKind());
        LOGGER.trace("LOOKING FOR {}", refRat);
        LensProjectionContext dependencyAccountContext = context.findProjectionContext(refRat);
        ResourceObjectTypeDependencyStrictnessType strictness = ResourceTypeUtil.getDependencyStrictness(dependency);
        if (dependencyAccountContext == null) {
            if (strictness == ResourceObjectTypeDependencyStrictnessType.STRICT) {
                // This should not happen, it is checked before projection
                throw new PolicyViolationException("Unsatisfied strict dependency of " + projContext.getResourceShadowDiscriminator().toHumanReadableDescription() + " dependent on " + refRat.toHumanReadableDescription() + ": No context in dependency check");
            } else if (strictness == ResourceObjectTypeDependencyStrictnessType.LAX) {
                // independent object not in the context, just ignore it
                LOGGER.trace("Unsatisfied lax dependency of account " + projContext.getResourceShadowDiscriminator().toHumanReadableDescription() + " dependent on " + refRat.toHumanReadableDescription() + "; dependency skipped");
            } else if (strictness == ResourceObjectTypeDependencyStrictnessType.RELAXED) {
                // independent object not in the context, just ignore it
                LOGGER.trace("Unsatisfied relaxed dependency of account " + projContext.getResourceShadowDiscriminator().toHumanReadableDescription() + " dependent on " + refRat.toHumanReadableDescription() + "; dependency skipped");
            } else {
                throw new IllegalArgumentException("Unknown dependency strictness " + dependency.getStrictness() + " in " + refRat);
            }
        } else {
            // We have the context of the object that we depend on. We need to check if it was provisioned.
            if (strictness == ResourceObjectTypeDependencyStrictnessType.STRICT || strictness == ResourceObjectTypeDependencyStrictnessType.RELAXED) {
                if (wasProvisioned(dependencyAccountContext, context.getExecutionWave())) {
                // everything OK
                } else {
                    // We do not want to throw exception here. That will stop entire projection.
                    // Let's just mark the projection as broken and skip it.
                    LOGGER.warn("Unsatisfied dependency of account " + projContext.getResourceShadowDiscriminator() + " dependent on " + refRat + ": Account not provisioned in dependency check (execution wave " + context.getExecutionWave() + ", account wave " + projContext.getWave() + ", dependency account wave " + dependencyAccountContext.getWave() + ")");
                    projContext.setSynchronizationPolicyDecision(SynchronizationPolicyDecision.BROKEN);
                    return false;
                }
            } else if (strictness == ResourceObjectTypeDependencyStrictnessType.LAX) {
                // TODO why return here? shouldn't we check other dependencies as well? [med]
                return true;
            } else {
                throw new IllegalArgumentException("Unknown dependency strictness " + dependency.getStrictness() + " in " + refRat);
            }
        }
    }
    return true;
}

Example 12 with ResourceShadowDiscriminator

use of com.evolveum.midpoint.schema.ResourceShadowDiscriminator in project midpoint by Evolveum.

the class DependencyProcessor method determineProjectionWaveDeprovision.

private <F extends ObjectType> LensProjectionContext determineProjectionWaveDeprovision(LensContext<F> context, LensProjectionContext projectionContext, ResourceObjectTypeDependencyType inDependency, List<ResourceObjectTypeDependencyType> depPath) throws PolicyViolationException {
    if (depPath == null) {
        depPath = new ArrayList<ResourceObjectTypeDependencyType>();
    }
    int determinedWave = 0;
    int determinedOrder = 0;
    // This needs to go in the reverse. We need to figure out who depends on us.
    for (DependencyAndSource ds : findReverseDependecies(context, projectionContext)) {
        LensProjectionContext dependencySourceContext = ds.sourceProjectionContext;
        ResourceObjectTypeDependencyType outDependency = ds.dependency;
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("DEP(rev): {}", outDependency);
        }
        if (inDependency != null && isHigerOrder(outDependency, inDependency)) {
            // otherwise we can end up in endless loop even for legal dependencies.
            continue;
        }
        checkForCircular(depPath, outDependency);
        depPath.add(outDependency);
        ResourceShadowDiscriminator refDiscr = new ResourceShadowDiscriminator(outDependency, projectionContext.getResource().getOid(), projectionContext.getKind());
        dependencySourceContext = determineProjectionWave(context, dependencySourceContext, outDependency, depPath);
        if (dependencySourceContext.getWave() + 1 > determinedWave) {
            determinedWave = dependencySourceContext.getWave() + 1;
            if (outDependency.getOrder() == null) {
                determinedOrder = 0;
            } else {
                determinedOrder = outDependency.getOrder();
            }
        }
        depPath.remove(outDependency);
    }
    LensProjectionContext resultAccountContext = projectionContext;
    if (projectionContext.getWave() >= 0 && projectionContext.getWave() != determinedWave) {
        // therefore there is a circular dependency. Therefore we need to create another context to split it.
        if (!projectionContext.isDelete()) {
            resultAccountContext = createAnotherContext(context, projectionContext, determinedOrder);
        }
    }
    //			LOGGER.trace("Wave for {}: {}", resultAccountContext.getResourceAccountType(), wave);
    resultAccountContext.setWave(determinedWave);
    return resultAccountContext;
}

Example 13 with ResourceShadowDiscriminator

use of com.evolveum.midpoint.schema.ResourceShadowDiscriminator in project midpoint by Evolveum.

the class DependencyProcessor method findDependencyTargetContext.

/**
	 * Find context that has the closest order to the dependency.
	 */
private <F extends ObjectType> LensProjectionContext findDependencyTargetContext(LensContext<F> context, LensProjectionContext sourceProjContext, ResourceObjectTypeDependencyType dependency) {
    ResourceShadowDiscriminator refDiscr = new ResourceShadowDiscriminator(dependency, sourceProjContext.getResource().getOid(), sourceProjContext.getKind());
    LensProjectionContext selected = null;
    for (LensProjectionContext projectionContext : context.getProjectionContexts()) {
        if (!projectionContext.compareResourceShadowDiscriminator(refDiscr, false)) {
            continue;
        }
        int ctxOrder = projectionContext.getResourceShadowDiscriminator().getOrder();
        if (ctxOrder > refDiscr.getOrder()) {
            continue;
        }
        if (selected == null) {
            selected = projectionContext;
        } else {
            if (ctxOrder > selected.getResourceShadowDiscriminator().getOrder()) {
                selected = projectionContext;
            }
        }
    }
    return selected;
}

Example 14 with ResourceShadowDiscriminator

use of com.evolveum.midpoint.schema.ResourceShadowDiscriminator in project midpoint by Evolveum.

the class ProjectionCredentialsProcessor method processProjectionPasswordMapping.

private <F extends FocusType> void processProjectionPasswordMapping(LensContext<F> context, final LensProjectionContext projCtx, final ValuePolicyType passwordPolicy, XMLGregorianCalendar now, Task task, OperationResult result) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
    LensFocusContext<F> focusContext = context.getFocusContext();
    PrismObject<F> userNew = focusContext.getObjectNew();
    if (userNew == null) {
        // This must be a user delete or something similar. No point in proceeding
        LOGGER.trace("userNew is null, skipping credentials processing");
        return;
    }
    PrismObjectDefinition<ShadowType> accountDefinition = prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(ShadowType.class);
    PrismPropertyDefinition<ProtectedStringType> projPasswordPropertyDefinition = accountDefinition.findPropertyDefinition(SchemaConstants.PATH_PASSWORD_VALUE);
    ResourceShadowDiscriminator rsd = projCtx.getResourceShadowDiscriminator();
    RefinedObjectClassDefinition refinedProjDef = projCtx.getStructuralObjectClassDefinition();
    if (refinedProjDef == null) {
        LOGGER.trace("No RefinedObjectClassDefinition, therefore also no password outbound definition, skipping credentials processing for projection {}", rsd);
        return;
    }
    List<MappingType> outboundMappingTypes = refinedProjDef.getPasswordOutbound();
    if (outboundMappingTypes == null || outboundMappingTypes.isEmpty()) {
        LOGGER.trace("No outbound password mapping for {}, skipping credentials processing", rsd);
        return;
    }
    // HACK
    if (!projCtx.isDoReconciliation() && !projCtx.isAdd() && !isActivated(outboundMappingTypes, focusContext.getDelta())) {
        LOGGER.trace("Outbound password mappings not activated for type {}, skipping credentials processing", rsd);
        return;
    }
    final ObjectDelta<ShadowType> projDelta = projCtx.getDelta();
    final PropertyDelta<ProtectedStringType> projPasswordDelta;
    if (projDelta != null && projDelta.getChangeType() == MODIFY) {
        projPasswordDelta = projDelta.findPropertyDelta(SchemaConstants.PATH_PASSWORD_VALUE);
    } else {
        projPasswordDelta = null;
    }
    checkExistingDeltaSanity(projCtx, projPasswordDelta);
    boolean evaluateWeak = getEvaluateWeak(projCtx);
    final ItemDeltaItem<PrismPropertyValue<PasswordType>, PrismPropertyDefinition<ProtectedStringType>> userPasswordIdi = focusContext.getObjectDeltaObject().findIdi(SchemaConstants.PATH_PASSWORD_VALUE);
    StringPolicyResolver stringPolicyResolver = new StringPolicyResolver() {

        @Override
        public void setOutputPath(ItemPath outputPath) {
        }

        @Override
        public void setOutputDefinition(ItemDefinition outputDefinition) {
        }

        @Override
        public StringPolicyType resolve() {
            if (passwordPolicy == null) {
                return null;
            }
            return passwordPolicy.getStringPolicy();
        }
    };
    MappingInitializer<PrismPropertyValue<ProtectedStringType>, PrismPropertyDefinition<ProtectedStringType>> initializer = (builder) -> {
        builder.defaultTargetDefinition(projPasswordPropertyDefinition);
        builder.defaultSource(new Source<>(userPasswordIdi, ExpressionConstants.VAR_INPUT));
        builder.stringPolicyResolver(stringPolicyResolver);
        return builder;
    };
    MappingOutputProcessor<PrismPropertyValue<ProtectedStringType>> processor = (mappingOutputPath, outputStruct) -> {
        PrismValueDeltaSetTriple<PrismPropertyValue<ProtectedStringType>> outputTriple = outputStruct.getOutputTriple();
        if (outputTriple == null) {
            LOGGER.trace("Credentials 'password' expression resulted in null output triple, skipping credentials processing for {}", rsd);
            return false;
        }
        boolean projectionIsNew = projDelta != null && (projDelta.getChangeType() == ChangeType.ADD || projCtx.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.ADD);
        Collection<PrismPropertyValue<ProtectedStringType>> newValues = outputTriple.getPlusSet();
        if (projectionIsNew) {
            newValues = outputTriple.getNonNegativeValues();
        } else {
            newValues = outputTriple.getPlusSet();
        }
        if (!canGetCleartext(newValues)) {
            ObjectDelta<ShadowType> projectionPrimaryDelta = projCtx.getPrimaryDelta();
            if (projectionPrimaryDelta != null) {
                PropertyDelta<ProtectedStringType> passwordPrimaryDelta = projectionPrimaryDelta.findPropertyDelta(SchemaConstants.PATH_PASSWORD_VALUE);
                if (passwordPrimaryDelta != null) {
                    // We have only hashed value coming from the mapping. There are not very useful
                    // for provisioning. But we have primary projection delta - and that is very likely
                    // to be better.
                    // Skip all password mappings in this case. Primary delta trumps everything. 
                    // No weak, normal or even strong mapping can change that.
                    // We need to disregard even strong mapping in this case. If we would heed the strong
                    // mapping then account initialization won't be possible.
                    LOGGER.trace("We have primary password delta in projection, skipping credentials processing");
                    return false;
                }
            }
        }
        return true;
    };
    mappingEvaluator.evaluateOutboundMapping(context, projCtx, outboundMappingTypes, SchemaConstants.PATH_PASSWORD_VALUE, SchemaConstants.PATH_PASSWORD_VALUE, initializer, processor, now, true, evaluateWeak, "password mapping", task, result);
}

Example 15 with ResourceShadowDiscriminator

use of com.evolveum.midpoint.schema.ResourceShadowDiscriminator in project midpoint by Evolveum.

the class TestDependencies method findAccountContext.

private LensProjectionContext findAccountContext(LensContext<UserType> context, String resourceOid, int order) {
    ResourceShadowDiscriminator discr = new ResourceShadowDiscriminator(resourceOid, ShadowKindType.ACCOUNT, null);
    discr.setOrder(order);
    return context.findProjectionContext(discr);
}