Use of com.evolveum.midpoint.security.api.MidPointPrincipal in project midpoint (Evolveum): class TestSecurityPrincipal, method test060GuybrushConditionalRoleFalse.
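@Test
public void test060GuybrushConditionalRoleFalse() throws Exception {
    final String TEST_NAME = "test060GuybrushConditionalRoleFalse";
    TestUtil.displayTestTile(this, TEST_NAME);

    // GIVEN: the conditional role is assigned while logged in as administrator.
    // At this point the role condition is expected to evaluate to false (test061
    // presumably flips it by setting employeeType), so the assignment must not
    // contribute any authorization to the principal.
    login(USER_ADMINISTRATOR_USERNAME);
    assignRole(USER_GUYBRUSH_OID, ROLE_CONDITIONAL_OID);
    // Drop the administrator session so the principal below is computed without
    // any leftover security context from the setup step.
    resetAuthentication();

    // WHEN
    TestUtil.displayWhen(TEST_NAME);
    MidPointPrincipal principal = userProfileService.getPrincipal(USER_GUYBRUSH_USERNAME);

    // THEN
    TestUtil.displayThen(TEST_NAME);
    display("Principal guybrush", principal);
    assertEquals("wrong username", USER_GUYBRUSH_USERNAME, principal.getUsername());
    assertEquals("wrong oid", USER_GUYBRUSH_OID, principal.getOid());
    // Least privilege: a role whose condition is false must not leak any authority.
    assertTrue("Unexpected authorizations", principal.getAuthorities().isEmpty());
    display("User in principal guybrush", principal.getUser().asPrismObject());
    principal.getUser().asPrismObject().checkConsistence(true, true);
    // Negative checks, including an action URL that no role should ever grant.
    assertNotAuthorized(principal, AUTZ_LOOT_URL);
    assertNotAuthorized(principal, AUTZ_COMMAND_URL);
    assertNotAuthorized(principal, AUTZ_SUPERSPECIAL_URL);
    assertNotAuthorized(principal, AUTZ_NONSENSE_URL);
}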
Use of com.evolveum.midpoint.security.api.MidPointPrincipal in project midpoint (Evolveum): class TestSecurityPrincipal, method test061GuybrushConditionalRoleTrue.
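@Test
public void test061GuybrushConditionalRoleTrue() throws Exception {
    final String TEST_NAME = "test061GuybrushConditionalRoleTrue";
    TestUtil.displayTestTile(this, TEST_NAME);

    // GIVEN: relies on test060 having assigned ROLE_CONDITIONAL_OID to guybrush;
    // the role is not assigned again here, so this test depends on test ordering.
    login(USER_ADMINISTRATOR_USERNAME);
    // Name the task after the running test class instead of a hard-coded
    // TestRbac (a copy-paste leftover that mislabels the task in logs/audit).
    Task task = taskManager.createTaskInstance(getClass().getName() + "." + TEST_NAME);
    OperationResult result = task.getResult();
    // Change the attribute the role condition presumably keys on; after this the
    // condition is expected to be true.
    modifyUserReplace(USER_GUYBRUSH_OID, UserType.F_EMPLOYEE_TYPE, task, result, "special");
    // Drop the administrator session before computing guybrush's principal.
    resetAuthentication();

    // WHEN
    TestUtil.displayWhen(TEST_NAME);
    MidPointPrincipal principal = userProfileService.getPrincipal(USER_GUYBRUSH_USERNAME);

    // THEN
    TestUtil.displayThen(TEST_NAME);
    display("Principal guybrush", principal);
    assertEquals("wrong username", USER_GUYBRUSH_USERNAME, principal.getUsername());
    assertEquals("wrong oid", USER_GUYBRUSH_OID, principal.getOid());
    display("User in principal guybrush", principal.getUser().asPrismObject());
    principal.getUser().asPrismObject().checkConsistence(true, true);
    // Exactly the authorization carried by the conditional role must appear ...
    assertAuthorized(principal, AUTZ_SUPERSPECIAL_URL);
    // ... and nothing else, including an action URL no role grants.
    assertNotAuthorized(principal, AUTZ_LOOT_URL);
    assertNotAuthorized(principal, AUTZ_COMMAND_URL);
    assertNotAuthorized(principal, AUTZ_CAPSIZE_URL);
    assertNotAuthorized(principal, AUTZ_NONSENSE_URL);
}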
Use of com.evolveum.midpoint.security.api.MidPointPrincipal in project midpoint (Evolveum): class AbstractModelIntegrationTest, method assertNoAuthorizations.
/**
 * Asserts that {@code user} resolves to a principal and that this principal
 * carries no authorizations. Resolution happens through
 * {@code userProfileService}; the actual authorization check is delegated to
 * the principal-based overload.
 *
 * @param user the user object to resolve
 * @throws ObjectNotFoundException propagated from principal resolution
 * @throws SchemaException propagated from principal resolution
 */
protected void assertNoAuthorizations(PrismObject<UserType> user) throws ObjectNotFoundException, SchemaException {
    final MidPointPrincipal resolved = userProfileService.getPrincipal(user);
    // A missing principal is a test failure, not a "no authorizations" success.
    assertNotNull("No principal for " + user, resolved);
    assertNoAuthorizations(resolved);
}
Use of com.evolveum.midpoint.security.api.MidPointPrincipal in project midpoint (Evolveum): class AbstractModelIntegrationTest, method login.
/**
 * Test-only login: resolves the principal by user name and installs it into the
 * security context via the principal-based {@code login} overload. No credential
 * is presented or verified on this path, so it is an authentication bypass by
 * design and must stay confined to integration tests.
 *
 * @param principalName user name to resolve
 * @throws ObjectNotFoundException if no such user exists
 * @throws SchemaException propagated from principal resolution
 */
protected void login(String principalName) throws ObjectNotFoundException, SchemaException {
    login(userProfileService.getPrincipal(principalName));
}
Use of com.evolveum.midpoint.security.api.MidPointPrincipal in project midpoint (Evolveum): class WfTaskController, method onTaskEvent.
//endregion
//region Processing work item (task) events
// workItem arrives with taskRef, assignee and candidates already resolved (where possible)
// workItem may be freely modified here (e.g. by overriding its result/output)
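/**
 * Reacts to a work item (Activiti task) event: writes the audit record, sends
 * notifications and, for deletions, records a completion event in the backing
 * workflow task and removes the work item's triggers. Event types other than
 * created/deleted are ignored.
 *
 * @param workItem  the work item the event concerns; it is mutated here (its output
 *                  may be overridden when a matching timed 'complete' action is found)
 * @param taskEvent the Activiti event (created or deleted)
 * @param result    operation result to record into
 * @throws WorkflowException propagated from the change processor and helpers
 * @throws SchemaException   propagated from the change processor and helpers
 * @throws SystemException   if the current principal cannot be determined
 */
@SuppressWarnings("unchecked")
public void onTaskEvent(WorkItemType workItem, TaskEvent taskEvent, OperationResult result) throws WorkflowException, SchemaException {
    final TaskType shadowTaskType = WfContextUtil.getTask(workItem);
    if (shadowTaskType == null) {
        // Without the backing task nothing can be audited or notified. This is a gap
        // in the audit trail, hence WARN; same placeholder style as the other log calls.
        LOGGER.warn("No task in workItem {}, audit and notifications couldn't be performed.", workItem);
        return;
    }
    final Task shadowTask = taskManager.createTaskInstance(shadowTaskType.asPrismObject(), result);
    final WfTask wfTask = recreateWfTask(shadowTask);
    // auditing & notifications & event
    if (taskEvent instanceof TaskCreatedEvent) {
        // Audit first, then notify: a notification failure must not lose the audit record.
        AuditEventRecord auditEventRecord = getChangeProcessor(taskEvent).prepareWorkItemCreatedAuditRecord(workItem, taskEvent, wfTask, result);
        auditService.audit(auditEventRecord, wfTask.getTask());
        try {
            notifyWorkItemCreated(workItem.getOriginalAssigneeRef(), workItem, wfTask, result);
            if (workItem.getAssigneeRef() != null) {
                WorkItemAllocationChangeOperationInfo operationInfo = new WorkItemAllocationChangeOperationInfo(null, Collections.emptyList(), workItem.getAssigneeRef());
                notifyWorkItemAllocationChangeNewActors(workItem, operationInfo, null, wfTask.getTask(), result);
            }
        } catch (SchemaException e) {
            // Best effort: notification problems are logged, not propagated.
            LoggingUtils.logUnexpectedException(LOGGER, "Couldn't send notification about work item create event", e);
        }
    } else if (taskEvent instanceof TaskDeletedEvent) {
        // this might be cancellation because of:
        // (1) user completion of this task
        // (2) timed completion of this task
        // (3) user completion of another task
        // (4) timed completion of another task
        // (5) process stop/deletion
        //
        // Actually, when the source is (4) timed completion of another task, it is quite probable that this task
        // would be closed for the same reason. For a user it would be misleading if we would simply view this task
        // as 'cancelled', while, in fact, it is e.g. approved/rejected because of a timed action.
        WorkItemOperationKindType operationKind = BooleanUtils.isTrue(ActivitiUtil.getVariable(taskEvent.getVariables(), CommonProcessVariableNames.VARIABLE_WORK_ITEM_WAS_COMPLETED, Boolean.class, prismContext)) ? WorkItemOperationKindType.COMPLETE : WorkItemOperationKindType.CANCEL;
        WorkItemEventCauseInformationType cause = ActivitiUtil.getVariable(taskEvent.getVariables(), CommonProcessVariableNames.VARIABLE_CAUSE, WorkItemEventCauseInformationType.class, prismContext);
        boolean genuinelyCompleted = operationKind == WorkItemOperationKindType.COMPLETE;
        MidPointPrincipal user;
        try {
            user = SecurityUtil.getPrincipal();
        } catch (SecurityViolationException e) {
            throw new SystemException("Couldn't determine current user: " + e.getMessage(), e);
        }
        // partial fallback: with no logged-in principal (e.g. a timed action running without
        // a user context) the performer recorded on the work item is used as the initiator.
        ObjectReferenceType userRef = user != null ? user.toObjectReference() : workItem.getPerformerRef();
        if (!genuinelyCompleted) {
            // Heuristic reclassification: a cancellation that coincides with a due 'complete'
            // timed action on this task is reported as a timed completion. Note that the
            // audited cause/outcome is then inferred from timing, not from an actual
            // completion record.
            TaskType task = wfTask.getTask().getTaskPrismObject().asObjectable();
            int foundTimedActions = 0;
            for (TriggerType trigger : task.getTrigger()) {
                if (!WfTimedActionTriggerHandler.HANDLER_URI.equals(trigger.getHandlerUri())) {
                    continue;
                }
                String workItemId = ObjectTypeUtil.getExtensionItemRealValue(trigger.getExtension(), SchemaConstants.MODEL_EXTENSION_WORK_ITEM_ID);
                if (!taskEvent.getTaskId().equals(workItemId)) {
                    continue;
                }
                // Only the final action counts; 'time before action' triggers are reminders.
                Duration timeBeforeAction = ObjectTypeUtil.getExtensionItemRealValue(trigger.getExtension(), SchemaConstants.MODEL_EXTENSION_TIME_BEFORE_ACTION);
                if (timeBeforeAction != null) {
                    continue;
                }
                WorkItemActionsType actions = ObjectTypeUtil.getExtensionItemRealValue(trigger.getExtension(), SchemaConstants.MODEL_EXTENSION_WORK_ITEM_ACTIONS);
                if (actions == null || actions.getComplete() == null) {
                    continue;
                }
                // diff = milliseconds until the trigger is due (negative if already due). Triggers
                // due more than the threshold in the future are ignored; there is no lower bound,
                // so a stale, long-overdue trigger would also match - TODO confirm that is intended.
                long diff = XmlTypeConverter.toMillis(trigger.getTimestamp()) - clock.currentTimeMillis();
                if (diff >= COMPLETION_TRIGGER_EQUALITY_THRESHOLD) {
                    continue;
                }
                CompleteWorkItemActionType completeAction = actions.getComplete();
                operationKind = WorkItemOperationKindType.COMPLETE;
                cause = new WorkItemEventCauseInformationType();
                cause.setType(WorkItemEventCauseTypeType.TIMED_ACTION);
                cause.setName(completeAction.getName());
                cause.setDisplayName(completeAction.getDisplayName());
                foundTimedActions++;
                // Outcome defaults to REJECT when the action does not specify one (fail closed).
                // If several matching triggers exist, the last one visited wins.
                WorkItemResultType workItemOutput = new WorkItemResultType();
                workItemOutput.setOutcome(completeAction.getOutcome() != null ? completeAction.getOutcome() : SchemaConstants.MODEL_APPROVAL_OUTCOME_REJECT);
                workItem.setOutput(workItemOutput);
            }
            if (foundTimedActions > 1) {
                LOGGER.warn("Multiple 'work item complete' timed actions ({}) for {}: {}", foundTimedActions, ObjectTypeUtil.toShortString(task), task.getTrigger());
            }
        }
        // We don't pass userRef (initiator) to the audit method. It does need the whole object (not only the reference),
        // so it fetches it directly from the security enforcer (logged-in user). This could change in the future.
        AuditEventRecord auditEventRecord = getChangeProcessor(taskEvent).prepareWorkItemDeletedAuditRecord(workItem, cause, taskEvent, wfTask, result);
        auditService.audit(auditEventRecord, wfTask.getTask());
        try {
            WorkItemAllocationChangeOperationInfo operationInfo = new WorkItemAllocationChangeOperationInfo(operationKind, workItem.getAssigneeRef(), null);
            WorkItemOperationSourceInfo sourceInfo = new WorkItemOperationSourceInfo(userRef, cause, null);
            if (workItem.getAssigneeRef().isEmpty()) {
                notifyWorkItemDeleted(null, workItem, operationInfo, sourceInfo, wfTask, result);
            } else {
                for (ObjectReferenceType assignee : workItem.getAssigneeRef()) {
                    notifyWorkItemDeleted(assignee, workItem, operationInfo, sourceInfo, wfTask, result);
                }
            }
            notifyWorkItemAllocationChangeCurrentActors(workItem, operationInfo, sourceInfo, null, wfTask.getTask(), result);
        } catch (SchemaException e) {
            // The audit record was already written above; only notifications can fail here.
            // The previous message claimed an audit failure, which would mislead anyone
            // investigating the audit trail.
            LoggingUtils.logUnexpectedException(LOGGER, "Couldn't send notification about work item delete event", e);
        }
        AbstractWorkItemOutputType output = workItem.getOutput();
        if (genuinelyCompleted || output != null) {
            // Persist the completion (real or inferred above) in the workflow task.
            // NOTE(review): 'user' may be null here; the userRef fallback is not applied
            // to the recorded event - confirm fillInWorkItemEvent tolerates that.
            WorkItemCompletionEventType event = new WorkItemCompletionEventType();
            ActivitiUtil.fillInWorkItemEvent(event, user, taskEvent.getTaskId(), taskEvent.getVariables(), prismContext);
            event.setCause(cause);
            event.setOutput(output);
            ObjectDeltaType additionalDelta = output instanceof WorkItemResultType && ((WorkItemResultType) output).getAdditionalDeltas() != null ? ((WorkItemResultType) output).getAdditionalDeltas().getFocusPrimaryDelta() : null;
            MidpointUtil.recordEventInTask(event, additionalDelta, wfTask.getTask().getOid(), result);
        }
        MidpointUtil.removeTriggersForWorkItem(wfTask.getTask(), taskEvent.getTaskId(), result);
    }
}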