use of com.evolveum.midpoint.schema.processor.ResourceAttribute in project midpoint by Evolveum.
the class AbstractLdapConnTest method test312AssignRoleEvilToBarbossa.
/**
* MID-3209: Rename does not change group membership for associations, when resource does not implement its own referential integrity
*/
@Test
public void test312AssignRoleEvilToBarbossa() throws Exception {
final String TEST_NAME = "test312AssignRoleEvilToBarbossa";
TestUtil.displayTestTile(this, TEST_NAME);
// GIVEN
Task task = taskManager.createTaskInstance(this.getClass().getName() + "." + TEST_NAME);
OperationResult result = task.getResult();
// WHEN
TestUtil.displayWhen(TEST_NAME);
assignRole(USER_BARBOSSA_OID, ROLE_EVIL_OID, task, result);
// THEN
TestUtil.displayThen(TEST_NAME);
result.computeStatus();
TestUtil.assertSuccess(result);
Entry entry = assertLdapAccount(USER_CPTBARBOSSA_USERNAME, USER_BARBOSSA_FULL_NAME);
display("Account LDAP entry", entry);
PrismObject<UserType> user = getUser(USER_BARBOSSA_OID);
String shadowOid = getSingleLinkOid(user);
PrismObject<ShadowType> shadow = getShadowModel(shadowOid);
display("Shadow (model)", shadow);
accountBarbossaOid = shadow.getOid();
accountBarbossaDn = entry.getDn().toString();
assertNotNull(accountBarbossaDn);
Collection<ResourceAttribute<?>> identifiers = ShadowUtil.getPrimaryIdentifiers(shadow);
accountBarbossaEntryId = (String) identifiers.iterator().next().getRealValue();
assertNotNull("No identifier in " + shadow, accountBarbossaEntryId);
Entry ldapEntryEvil = getLdapEntry(toGroupDn(GROUP_EVIL_CN));
display("Evil group", ldapEntryEvil);
Entry ldapEntryUndead = getLdapEntry(toGroupDn(GROUP_UNDEAD_CN));
display("Undead group", ldapEntryUndead);
assertLdapGroupMember(entry, GROUP_EVIL_CN);
assertLdapNoGroupMember(entry, GROUP_UNDEAD_CN);
IntegrationTestTools.assertAssociation(shadow, getAssociationGroupName(), groupEvilShadowOid);
assertLdapConnectorInstances(1, 2);
}
use of com.evolveum.midpoint.schema.processor.ResourceAttribute in project midpoint by Evolveum.
the class ResourceEventListenerImpl method notifyEvent.
@Override
public void notifyEvent(ResourceEventDescription eventDescription, Task task, OperationResult parentResult) throws SchemaException, CommunicationException, ConfigurationException, SecurityViolationException, ObjectNotFoundException, GenericConnectorException, ObjectAlreadyExistsException, ExpressionEvaluationException {
Validate.notNull(eventDescription, "Event description must not be null.");
Validate.notNull(task, "Task must not be null.");
Validate.notNull(parentResult, "Operation result must not be null");
LOGGER.trace("Received event notification with the description: {}", eventDescription.debugDump());
if (eventDescription.getCurrentShadow() == null && eventDescription.getDelta() == null) {
throw new IllegalStateException("Neither current shadow, nor delta specified. It is required to have at least one of them specified.");
}
applyDefinitions(eventDescription, parentResult);
PrismObject<ShadowType> shadow = null;
shadow = eventDescription.getShadow();
ShadowCache shadowCache = getShadowCache(Mode.STANDARD);
ProvisioningContext ctx = provisioningContextFactory.create(shadow, task, parentResult);
ctx.assertDefinition();
Collection<ResourceAttribute<?>> identifiers = ShadowUtil.getPrimaryIdentifiers(shadow);
Change change = new Change(identifiers, eventDescription.getCurrentShadow(), eventDescription.getOldShadow(), eventDescription.getDelta());
ObjectClassComplexTypeDefinition objectClassDefinition = ShadowUtil.getObjectClassDefinition(shadow);
change.setObjectClassDefinition(objectClassDefinition);
ShadowType shadowType = shadow.asObjectable();
LOGGER.trace("Start to precess change: {}", change.toString());
shadowCache.processChange(ctx, change, null, parentResult);
LOGGER.trace("Change after processing {} . Start synchronizing.", change.toString());
shadowCache.processSynchronization(ctx, change, parentResult);
}
use of com.evolveum.midpoint.schema.processor.ResourceAttribute in project midpoint by Evolveum.
the class EntitlementConverter method postProcessEntitlementEntitlementToSubject.
private <S extends ShadowType, T> void postProcessEntitlementEntitlementToSubject(ProvisioningContext subjectCtx, final PrismObject<S> resourceObject, RefinedAssociationDefinition assocDefType, final ProvisioningContext entitlementCtx, ResourceAttributeContainer attributesContainer, final PrismContainer<ShadowAssociationType> associationContainer, OperationResult parentResult) throws SchemaException, CommunicationException, ObjectNotFoundException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
ResourceType resourceType = subjectCtx.getResource();
final QName associationName = assocDefType.getName();
final RefinedObjectClassDefinition entitlementDef = entitlementCtx.getObjectClassDefinition();
if (associationName == null) {
throw new SchemaException("No name in entitlement association " + assocDefType + " in " + resourceType);
}
QName associationAuxiliaryObjectClass = assocDefType.getAuxiliaryObjectClass();
if (associationAuxiliaryObjectClass != null && associationAuxiliaryObjectClass.getNamespaceURI() != null && !associationAuxiliaryObjectClass.getNamespaceURI().equals(ResourceTypeUtil.getResourceNamespace(resourceType))) {
LOGGER.warn("Auxiliary object class {} in association {} does not have namespace that matches {}", associationAuxiliaryObjectClass, assocDefType.getName(), resourceType);
}
if (associationAuxiliaryObjectClass != null && !subjectCtx.getObjectClassDefinition().hasAuxiliaryObjectClass(associationAuxiliaryObjectClass)) {
LOGGER.trace("Ignoring association {} because subject does not have auxiliary object class {}, it has {}", associationName, associationAuxiliaryObjectClass, subjectCtx.getObjectClassDefinition().getAuxiliaryObjectClassDefinitions());
return;
}
QName assocAttrName = assocDefType.getResourceObjectAssociationType().getAssociationAttribute();
if (assocAttrName == null) {
throw new SchemaException("No association attribute defined in entitlement association '" + associationName + "' in " + resourceType);
}
RefinedAttributeDefinition assocAttrDef = entitlementDef.findAttributeDefinition(assocAttrName);
if (assocAttrDef == null) {
throw new SchemaException("Association attribute '" + assocAttrName + "'defined in entitlement association '" + associationName + "' was not found in schema for " + resourceType);
}
QName valueAttrName = assocDefType.getResourceObjectAssociationType().getValueAttribute();
if (valueAttrName == null) {
throw new SchemaException("No value attribute defined in entitlement association '" + associationName + "' in " + resourceType);
}
ResourceAttribute<T> valueAttr = attributesContainer.findAttribute(valueAttrName);
if (valueAttr == null || valueAttr.isEmpty()) {
LOGGER.trace("Ignoring association {} because subject does not have any value in attribute {}", associationName, valueAttrName);
return;
}
if (valueAttr.size() > 1) {
throw new SchemaException("Value attribute " + valueAttrName + " has no more than one value; attribute defined in entitlement association '" + associationName + "' in " + resourceType);
}
ObjectQuery query = createQuery(assocDefType, assocAttrDef, valueAttr);
AttributesToReturn attributesToReturn = ProvisioningUtil.createAttributesToReturn(entitlementCtx);
SearchHierarchyConstraints searchHierarchyConstraints = null;
ResourceObjectReferenceType baseContextRef = entitlementDef.getBaseContext();
if (baseContextRef != null) {
// TODO: this should be done once per search. Not in every run of postProcessEntitlementEntitlementToSubject
// this has to go outside of this method
PrismObject<ShadowType> baseContextShadow = resourceObjectReferenceResolver.resolve(subjectCtx, baseContextRef, null, "base context specification in " + entitlementDef, parentResult);
RefinedObjectClassDefinition baseContextObjectClassDefinition = subjectCtx.getRefinedSchema().determineCompositeObjectClassDefinition(baseContextShadow);
ResourceObjectIdentification baseContextIdentification = ShadowUtil.getResourceObjectIdentification(baseContextShadow, baseContextObjectClassDefinition);
searchHierarchyConstraints = new SearchHierarchyConstraints(baseContextIdentification, null);
}
ResultHandler<ShadowType> handler = new ResultHandler<ShadowType>() {
@Override
public boolean handle(PrismObject<ShadowType> entitlementShadow) {
PrismContainerValue<ShadowAssociationType> associationCVal = associationContainer.createNewValue();
associationCVal.asContainerable().setName(associationName);
Collection<ResourceAttribute<?>> entitlementIdentifiers = ShadowUtil.getAllIdentifiers(entitlementShadow);
try {
ResourceAttributeContainer identifiersContainer = new ResourceAttributeContainer(ShadowAssociationType.F_IDENTIFIERS, entitlementDef.toResourceAttributeContainerDefinition(), prismContext);
associationCVal.add(identifiersContainer);
identifiersContainer.getValue().addAll(ResourceAttribute.cloneCollection(entitlementIdentifiers));
// Remember the full shadow in user data. This is used later as an optimization to create the shadow in repo
identifiersContainer.setUserData(ResourceObjectConverter.FULL_SHADOW_KEY, entitlementShadow);
if (LOGGER.isTraceEnabled()) {
LOGGER.trace("Processed entitlement-to-subject association for account {} and entitlement {}", ShadowUtil.getHumanReadableName(resourceObject), ShadowUtil.getHumanReadableName(entitlementShadow));
}
} catch (SchemaException e) {
throw new TunnelException(e);
}
return true;
}
};
ConnectorInstance connector = subjectCtx.getConnector(ReadCapabilityType.class, parentResult);
try {
if (LOGGER.isTraceEnabled()) {
LOGGER.trace("Processed entitlement-to-subject association for account {}: query {}", ShadowUtil.getHumanReadableName(resourceObject), query);
}
try {
connector.search(entitlementDef, query, handler, attributesToReturn, null, searchHierarchyConstraints, subjectCtx, parentResult);
} catch (GenericFrameworkException e) {
throw new GenericConnectorException("Generic error in the connector " + connector + ". Reason: " + e.getMessage(), e);
}
} catch (TunnelException e) {
throw (SchemaException) e.getCause();
}
}
use of com.evolveum.midpoint.schema.processor.ResourceAttribute in project midpoint by Evolveum.
the class ConnIdConvertor method convertToResourceObject.
/**
* Converts ICF ConnectorObject to the midPoint ResourceObject.
* <p/>
* All the attributes are mapped using the same way as they are mapped in
* the schema (which is actually no mapping at all now).
* <p/>
* If an optional ResourceObjectDefinition was provided, the resulting
* ResourceObject is schema-aware (getDefinition() method works). If no
* ResourceObjectDefinition was provided, the object is schema-less. TODO:
* this still needs to be implemented.
*
* @param co
* ICF ConnectorObject to convert
* @param def
* ResourceObjectDefinition (from the schema) or null
* @param full
* if true it describes if the returned resource object should
* contain all of the attributes defined in the schema, if false
* the returned resource object will contain only attributed with
* the non-null values.
* @return new mapped ResourceObject instance.
* @throws SchemaException
*/
<T extends ShadowType> PrismObject<T> convertToResourceObject(ConnectorObject co, PrismObjectDefinition<T> objectDefinition, boolean full, boolean caseIgnoreAttributeNames, boolean legacySchema) throws SchemaException {
PrismObject<T> shadowPrism = null;
if (objectDefinition != null) {
shadowPrism = objectDefinition.instantiate();
} else {
throw new SchemaException("No definition");
}
// LOGGER.trace("Instantiated prism object {} from connector object.",
// shadowPrism.debugDump());
T shadow = shadowPrism.asObjectable();
ResourceAttributeContainer attributesContainer = (ResourceAttributeContainer) shadowPrism.findOrCreateContainer(ShadowType.F_ATTRIBUTES);
ResourceAttributeContainerDefinition attributesContainerDefinition = attributesContainer.getDefinition();
shadow.setObjectClass(attributesContainerDefinition.getTypeName());
List<ObjectClassComplexTypeDefinition> auxiliaryObjectClassDefinitions = new ArrayList<>();
for (Attribute icfAttr : co.getAttributes()) {
if (icfAttr.is(PredefinedAttributes.AUXILIARY_OBJECT_CLASS_NAME)) {
List<QName> auxiliaryObjectClasses = shadow.getAuxiliaryObjectClass();
for (Object auxiliaryIcfObjectClass : icfAttr.getValue()) {
QName auxiliaryObjectClassQname = icfNameMapper.objectClassToQname(new ObjectClass((String) auxiliaryIcfObjectClass), resourceSchemaNamespace, legacySchema);
auxiliaryObjectClasses.add(auxiliaryObjectClassQname);
ObjectClassComplexTypeDefinition auxiliaryObjectClassDefinition = icfNameMapper.getResourceSchema().findObjectClassDefinition(auxiliaryObjectClassQname);
if (auxiliaryObjectClassDefinition == null) {
throw new SchemaException("Resource object " + co + " refers to auxiliary object class " + auxiliaryObjectClassQname + " which is not in the schema");
}
auxiliaryObjectClassDefinitions.add(auxiliaryObjectClassDefinition);
}
break;
}
}
for (Attribute icfAttr : co.getAttributes()) {
if (LOGGER.isTraceEnabled()) {
LOGGER.trace("Reading ICF attribute {}: {}", icfAttr.getName(), icfAttr.getValue());
}
if (icfAttr.getName().equals(Uid.NAME)) {
// UID is handled specially (see above)
continue;
}
if (icfAttr.is(PredefinedAttributes.AUXILIARY_OBJECT_CLASS_NAME)) {
// Already processed
continue;
}
if (icfAttr.getName().equals(OperationalAttributes.PASSWORD_NAME)) {
// password has to go to the credentials section
ProtectedStringType password = getSingleValue(icfAttr, ProtectedStringType.class);
if (password == null) {
// equals() instead of == is needed. The AttributeValueCompleteness enum may be loaded by different classloader
if (!AttributeValueCompleteness.INCOMPLETE.equals(icfAttr.getAttributeValueCompleteness())) {
continue;
}
// There is no password value in the ConnId attribute. But it was indicated that
// that attribute is incomplete. Therefore we can assume that there in fact is a value.
// We just do not know it.
ShadowUtil.setPasswordIncomplete(shadow);
LOGGER.trace("Converted password: (incomplete)");
} else {
ShadowUtil.setPassword(shadow, password);
LOGGER.trace("Converted password: {}", password);
}
continue;
}
if (icfAttr.getName().equals(OperationalAttributes.ENABLE_NAME)) {
Boolean enabled = getSingleValue(icfAttr, Boolean.class);
if (enabled == null) {
continue;
}
ActivationType activationType = ShadowUtil.getOrCreateActivation(shadow);
ActivationStatusType activationStatusType;
if (enabled) {
activationStatusType = ActivationStatusType.ENABLED;
} else {
activationStatusType = ActivationStatusType.DISABLED;
}
activationType.setAdministrativeStatus(activationStatusType);
activationType.setEffectiveStatus(activationStatusType);
LOGGER.trace("Converted activation administrativeStatus: {}", activationStatusType);
continue;
}
if (icfAttr.getName().equals(OperationalAttributes.ENABLE_DATE_NAME)) {
Long millis = getSingleValue(icfAttr, Long.class);
if (millis == null) {
continue;
}
ActivationType activationType = ShadowUtil.getOrCreateActivation(shadow);
activationType.setValidFrom(XmlTypeConverter.createXMLGregorianCalendar(millis));
continue;
}
if (icfAttr.getName().equals(OperationalAttributes.DISABLE_DATE_NAME)) {
Long millis = getSingleValue(icfAttr, Long.class);
if (millis == null) {
continue;
}
ActivationType activationType = ShadowUtil.getOrCreateActivation(shadow);
activationType.setValidTo(XmlTypeConverter.createXMLGregorianCalendar(millis));
continue;
}
if (icfAttr.getName().equals(OperationalAttributes.LOCK_OUT_NAME)) {
Boolean lockOut = getSingleValue(icfAttr, Boolean.class);
if (lockOut == null) {
continue;
}
ActivationType activationType = ShadowUtil.getOrCreateActivation(shadow);
LockoutStatusType lockoutStatusType;
if (lockOut) {
lockoutStatusType = LockoutStatusType.LOCKED;
} else {
lockoutStatusType = LockoutStatusType.NORMAL;
}
activationType.setLockoutStatus(lockoutStatusType);
LOGGER.trace("Converted activation lockoutStatus: {}", lockoutStatusType);
continue;
}
QName qname = icfNameMapper.convertAttributeNameToQName(icfAttr.getName(), attributesContainerDefinition);
ResourceAttributeDefinition attributeDefinition = attributesContainerDefinition.findAttributeDefinition(qname, caseIgnoreAttributeNames);
if (attributeDefinition == null) {
// Try to locate definition in auxiliary object classes
for (ObjectClassComplexTypeDefinition auxiliaryObjectClassDefinition : auxiliaryObjectClassDefinitions) {
attributeDefinition = auxiliaryObjectClassDefinition.findAttributeDefinition(qname, caseIgnoreAttributeNames);
if (attributeDefinition != null) {
break;
}
}
if (attributeDefinition == null) {
throw new SchemaException("Unknown attribute " + qname + " in definition of object class " + attributesContainerDefinition.getTypeName() + ". Original ICF name: " + icfAttr.getName(), qname);
}
}
if (caseIgnoreAttributeNames) {
// normalized version
qname = attributeDefinition.getName();
}
ResourceAttribute<Object> resourceAttribute = attributeDefinition.instantiate(qname);
// resource object also with the null-values attributes
if (full) {
if (icfAttr.getValue() != null) {
// of them may need it (e.g. GuardedString)
for (Object icfValue : icfAttr.getValue()) {
Object value = convertValueFromIcf(icfValue, qname);
resourceAttribute.add(new PrismPropertyValue<>(value));
}
}
LOGGER.trace("Converted attribute {}", resourceAttribute);
attributesContainer.getValue().add(resourceAttribute);
// in this case when false, we need only the attributes with the
// non-null values.
} else {
if (icfAttr.getValue() != null && !icfAttr.getValue().isEmpty()) {
// Convert the values. While most values do not need
// conversions, some of them may need it (e.g. GuardedString)
boolean empty = true;
for (Object icfValue : icfAttr.getValue()) {
if (icfValue != null) {
Object value = convertValueFromIcf(icfValue, qname);
empty = false;
resourceAttribute.add(new PrismPropertyValue<>(value));
}
}
if (!empty) {
LOGGER.trace("Converted attribute {}", resourceAttribute);
attributesContainer.getValue().add(resourceAttribute);
}
}
}
}
// Add Uid if it is not there already. It can be already present,
// e.g. if Uid and Name represent the same attribute
Uid uid = co.getUid();
ObjectClassComplexTypeDefinition ocDef = attributesContainerDefinition.getComplexTypeDefinition();
ResourceAttributeDefinition<String> uidDefinition = ConnIdUtil.getUidDefinition(ocDef);
if (uidDefinition == null) {
throw new SchemaException("No definition for ConnId UID attribute found in definition " + ocDef);
}
if (attributesContainer.getValue().findItem(uidDefinition.getName()) == null) {
ResourceAttribute<String> uidRoa = uidDefinition.instantiate();
uidRoa.setValue(new PrismPropertyValue<String>(uid.getUidValue()));
attributesContainer.getValue().add(uidRoa);
}
return shadowPrism;
}
use of com.evolveum.midpoint.schema.processor.ResourceAttribute in project midpoint by Evolveum.
the class ConnIdUtil method convertToIdentifiers.
public static Collection<ResourceAttribute<?>> convertToIdentifiers(Uid uid, ObjectClassComplexTypeDefinition ocDef, ResourceSchema resourceSchema) throws SchemaException {
ObjectClassComplexTypeDefinition concreteObjectClassDefinition = getConcreteObjectClassDefinition(ocDef, resourceSchema);
if (concreteObjectClassDefinition == null) {
throw new SchemaException("Concrete object class of " + ocDef + " cannot be found");
}
ResourceAttributeDefinition<String> uidDefinition = getUidDefinition(concreteObjectClassDefinition);
if (uidDefinition == null) {
throw new SchemaException("No definition for ConnId UID attribute found in definition " + ocDef);
}
Collection<ResourceAttribute<?>> identifiers = new ArrayList<ResourceAttribute<?>>(2);
ResourceAttribute<String> uidRoa = uidDefinition.instantiate();
uidRoa.setValue(new PrismPropertyValue<String>(uid.getUidValue()));
identifiers.add(uidRoa);
if (uid.getNameHint() != null) {
ResourceAttributeDefinition<String> nameDefinition = getNameDefinition(concreteObjectClassDefinition);
if (nameDefinition == null) {
throw new SchemaException("No definition for ConnId NAME attribute found in definition " + ocDef);
}
ResourceAttribute<String> nameRoa = nameDefinition.instantiate();
nameRoa.setValue(new PrismPropertyValue<String>(uid.getNameHintValue()));
identifiers.add(nameRoa);
}
return identifiers;
}
Aggregations