Examples with PolicyViolationException com.evolveum.midpoint.util.exception.PolicyViolationException used on opensource projects

Example 1 with PolicyViolationException

use of com.evolveum.midpoint.util.exception.PolicyViolationException in project midpoint by Evolveum.

the class AccCertUpdateHelper method addObject.

//endregion
//region ================================ Model and repository operations ================================
void addObject(ObjectType objectType, Task task, OperationResult result) throws ObjectAlreadyExistsException, SchemaException, ObjectNotFoundException {
    ObjectDelta<? extends ObjectType> objectDelta = ObjectDelta.createAddDelta(objectType.asPrismObject());
    Collection<ObjectDeltaOperation<? extends ObjectType>> ops;
    try {
        ops = modelService.executeChanges(Collections.singleton(objectDelta), ModelExecuteOptions.createRaw().setPreAuthorized(), task, result);
    } catch (ExpressionEvaluationException | CommunicationException | ConfigurationException | PolicyViolationException | SecurityViolationException e) {
        throw new SystemException("Unexpected exception when adding object: " + e.getMessage(), e);
    }
    ObjectDeltaOperation odo = ops.iterator().next();
    objectType.setOid(odo.getObjectDelta().getOid());
/* ALTERNATIVELY, we can go directly into the repository. (No audit there.)
        String oid = repositoryService.addObject(objectType.asPrismObject(), null, result);
        objectType.setOid(oid);
         */
}

Example 2 with PolicyViolationException

use of com.evolveum.midpoint.util.exception.PolicyViolationException in project midpoint by Evolveum.

the class AssignmentProcessor method finishLegalDecisions.

/**
	 * Set 'legal' flag for the accounts that does not have it already 
	 */
private <F extends FocusType> void finishLegalDecisions(LensContext<F> context) throws PolicyViolationException, SchemaException {
    for (LensProjectionContext projectionContext : context.getProjectionContexts()) {
        if (projectionContext.isLegal() != null) {
            // already have decision
            propagateLegalDecisionToHigherOrders(context, projectionContext);
            continue;
        }
        String desc = projectionContext.toHumanReadableString();
        if (projectionContext.isLegalize()) {
            LOGGER.trace("Projection {} legal: legalized", desc);
            createAssignmentDelta(context, projectionContext);
            projectionContext.setAssigned(true);
            projectionContext.setAssignedOld(false);
            projectionContext.setLegal(true);
            projectionContext.setLegalOld(false);
        } else {
            AssignmentPolicyEnforcementType enforcementType = projectionContext.getAssignmentPolicyEnforcementType();
            if (enforcementType == AssignmentPolicyEnforcementType.FULL) {
                LOGGER.trace("Projection {} illegal: no assignment in FULL enforcement", desc);
                // What is not explicitly allowed is illegal in FULL enforcement mode
                projectionContext.setLegal(false);
                // We need to set the old value for legal to false. There was no assignment delta for it.
                // If it were then the code could not get here.
                projectionContext.setLegalOld(false);
                if (projectionContext.isAdd()) {
                    throw new PolicyViolationException("Attempt to add projection " + projectionContext.toHumanReadableString() + " while the synchronization enforcement policy is FULL and the projection is not assigned");
                }
            } else if (enforcementType == AssignmentPolicyEnforcementType.NONE && !projectionContext.isThombstone()) {
                if (projectionContext.isAdd()) {
                    LOGGER.trace("Projection {} legal: added in NONE policy", desc);
                    projectionContext.setLegal(true);
                    projectionContext.setLegalOld(false);
                } else {
                    if (projectionContext.isExists()) {
                        LOGGER.trace("Projection {} legal: exists in NONE policy", desc);
                    } else {
                        LOGGER.trace("Projection {} illegal: does not exists in NONE policy", desc);
                    }
                    // Everything that exists was legal and is legal. Nothing really changes.
                    projectionContext.setLegal(projectionContext.isExists());
                    projectionContext.setLegalOld(projectionContext.isExists());
                }
            } else if (enforcementType == AssignmentPolicyEnforcementType.POSITIVE && !projectionContext.isThombstone()) {
                // Everything that is not yet dead is legal in POSITIVE enforcement mode
                LOGGER.trace("Projection {} legal: not dead in POSITIVE policy", desc);
                projectionContext.setLegal(true);
                projectionContext.setLegalOld(true);
            } else if (enforcementType == AssignmentPolicyEnforcementType.RELATIVE && !projectionContext.isThombstone() && projectionContext.isLegal() == null && projectionContext.isLegalOld() == null) {
                // RELATIVE mode and nothing has changed. Maintain status quo. Pretend that it is legal.
                LOGGER.trace("Projection {} legal: no change in RELATIVE policy", desc);
                projectionContext.setLegal(true);
                projectionContext.setLegalOld(true);
            }
        }
        if (LOGGER.isTraceEnabled()) {
            LOGGER.trace("Finishing legal decision for {}, thombstone {}, enforcement mode {}, legalize {}: {} -> {}", projectionContext.toHumanReadableString(), projectionContext.isThombstone(), projectionContext.getAssignmentPolicyEnforcementType(), projectionContext.isLegalize(), projectionContext.isLegalOld(), projectionContext.isLegal());
        }
        propagateLegalDecisionToHigherOrders(context, projectionContext);
    }
}

Example 3 with PolicyViolationException

use of com.evolveum.midpoint.util.exception.PolicyViolationException in project midpoint by Evolveum.

the class AssignmentProcessor method processAssignmentsProjections.

/**
     * Processing all the assignments to determine which projections should be added, deleted or kept as they are.
     * Generic method for all projection types (theoretically). 
     */
@SuppressWarnings("unchecked")
public <O extends ObjectType> void processAssignmentsProjections(LensContext<O> context, XMLGregorianCalendar now, Task task, OperationResult parentResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, PolicyViolationException, CommunicationException, ConfigurationException, SecurityViolationException {
    LensFocusContext<O> focusContext = context.getFocusContext();
    if (focusContext == null) {
        return;
    }
    if (!FocusType.class.isAssignableFrom(focusContext.getObjectTypeClass())) {
        // We can do this only for FocusType.
        return;
    }
    //    	if (ModelExecuteOptions.isLimitPropagation(context.getOptions()) && SchemaConstants.CHANGE_CHANNEL_DISCOVERY.equals(QNameUtil.uriToQName(context.getChannel()))){
    //    		//do not execute assignment if the execution was triggered by compensation mechanism and limitPropagation is set
    //    		return;
    //    	}
    OperationResult result = parentResult.createSubresult(AssignmentProcessor.class.getName() + ".processAssignmentsProjections");
    try {
        processAssignmentsProjectionsWithFocus((LensContext<? extends FocusType>) context, now, task, result);
    } catch (SchemaException | ObjectNotFoundException | ExpressionEvaluationException | PolicyViolationException | CommunicationException | ConfigurationException | SecurityViolationException | RuntimeException | Error e) {
        result.recordFatalError(e);
        throw e;
    }
    OperationResultStatus finalStatus = OperationResultStatus.SUCCESS;
    String message = null;
    int errors = 0;
    for (OperationResult subresult : result.getSubresults()) {
        if (subresult.isError()) {
            errors++;
            if (message == null) {
                message = subresult.getMessage();
            } else {
                message = errors + " errors";
            }
            finalStatus = OperationResultStatus.PARTIAL_ERROR;
        }
    }
    result.setStatus(finalStatus);
    result.setMessage(message);
    result.cleanupResult();
}

Example 4 with PolicyViolationException

use of com.evolveum.midpoint.util.exception.PolicyViolationException in project midpoint by Evolveum.

the class ProjectionValuesProcessor method checkSchemaAndPolicies.

/**
	 * Check that the primary deltas do not violate schema and policies
	 * TODO: implement schema check 
	 */
public <F extends ObjectType> void checkSchemaAndPolicies(LensContext<F> context, LensProjectionContext accountContext, String activityDescription, OperationResult result) throws SchemaException, PolicyViolationException {
    ObjectDelta<ShadowType> primaryDelta = accountContext.getPrimaryDelta();
    if (primaryDelta == null || primaryDelta.isDelete()) {
        return;
    }
    RefinedObjectClassDefinition rAccountDef = accountContext.getCompositeObjectClassDefinition();
    if (rAccountDef == null) {
        throw new SchemaException("No definition for account type '" + accountContext.getResourceShadowDiscriminator() + "' in " + accountContext.getResource());
    }
    if (primaryDelta.isAdd()) {
        PrismObject<ShadowType> accountToAdd = primaryDelta.getObjectToAdd();
        ResourceAttributeContainer attributesContainer = ShadowUtil.getAttributesContainer(accountToAdd);
        if (attributesContainer != null) {
            for (ResourceAttribute<?> attribute : attributesContainer.getAttributes()) {
                RefinedAttributeDefinition rAttrDef = rAccountDef.findAttributeDefinition(attribute.getElementName());
                if (!rAttrDef.isTolerant()) {
                    throw new PolicyViolationException("Attempt to add object with non-tolerant attribute " + attribute.getElementName() + " in " + "account " + accountContext.getResourceShadowDiscriminator() + " during " + activityDescription);
                }
            }
        }
    } else if (primaryDelta.isModify()) {
        for (ItemDelta<?, ?> modification : primaryDelta.getModifications()) {
            if (modification.getParentPath().equivalent(SchemaConstants.PATH_ATTRIBUTES)) {
                PropertyDelta<?> attrDelta = (PropertyDelta<?>) modification;
                RefinedAttributeDefinition rAttrDef = rAccountDef.findAttributeDefinition(attrDelta.getElementName());
                if (!rAttrDef.isTolerant()) {
                    throw new PolicyViolationException("Attempt to modify non-tolerant attribute " + attrDelta.getElementName() + " in " + "account " + accountContext.getResourceShadowDiscriminator() + " during " + activityDescription);
                }
            }
        }
    } else {
        throw new IllegalStateException("Whoops!");
    }
}

Example 5 with PolicyViolationException

use of com.evolveum.midpoint.util.exception.PolicyViolationException in project midpoint by Evolveum.

the class Projector method projectInternal.

private <F extends ObjectType> void projectInternal(LensContext<F> context, String activityDescription, boolean fromStart, boolean allWaves, Task task, OperationResult parentResult) throws SchemaException, PolicyViolationException, ExpressionEvaluationException, ObjectNotFoundException, ObjectAlreadyExistsException, CommunicationException, ConfigurationException, SecurityViolationException {
    context.checkAbortRequested();
    if (context.getDebugListener() != null) {
        context.getDebugListener().beforeProjection(context);
    }
    // Read the time at the beginning so all processors have the same notion of "now"
    // this provides nicer unified timestamp that can be used in equality checks in tests and also for
    // troubleshooting
    XMLGregorianCalendar now = clock.currentTimeXMLGregorianCalendar();
    String traceTitle = fromStart ? "projector start" : "projector resume";
    LensUtil.traceContext(LOGGER, activityDescription, traceTitle, false, context, false);
    if (consistencyChecks)
        context.checkConsistence();
    if (fromStart) {
        context.normalize();
        context.resetProjectionWave();
    }
    OperationResult result = parentResult.createSubresult(Projector.class.getName() + ".project");
    result.addParam("fromStart", fromStart);
    result.addContext("projectionWave", context.getProjectionWave());
    result.addContext("executionWave", context.getExecutionWave());
    PartialProcessingOptionsType partialProcessingOptions = context.getPartialProcessingOptions();
    try {
        context.reportProgress(new ProgressInformation(PROJECTOR, ENTERING));
        if (fromStart) {
            LensUtil.partialExecute("load", () -> {
                contextLoader.load(context, activityDescription, task, result);
                // Set the "fresh" mark now so following consistency check will be stricter
                context.setFresh(true);
                if (consistencyChecks)
                    context.checkConsistence();
            }, partialProcessingOptions::getLoad, result);
        }
        // For now let's pretend to do just one wave. The maxWaves number will be corrected in the
        // first wave when dependencies are sorted out for the first time.
        int maxWaves = context.getExecutionWave() + 1;
        // Start the waves ....
        LOGGER.trace("WAVE: Starting the waves.");
        boolean firstWave = true;
        while ((allWaves && context.getProjectionWave() < maxWaves) || (!allWaves && context.getProjectionWave() <= context.getExecutionWave())) {
            boolean inFirstWave = firstWave;
            // in order to not forget to reset it ;)
            firstWave = false;
            context.checkAbortRequested();
            LOGGER.trace("WAVE {} (maxWaves={}, executionWave={})", context.getProjectionWave(), maxWaves, context.getExecutionWave());
            //just make sure everything is loaded and set as needed
            dependencyProcessor.preprocessDependencies(context);
            // Process the focus-related aspects of the context. That means inbound, focus activation,
            // object template and assignments.
            LensUtil.partialExecute("focus", () -> {
                focusProcessor.processFocus(context, activityDescription, now, task, result);
                context.recomputeFocus();
                if (consistencyChecks)
                    context.checkConsistence();
            }, partialProcessingOptions::getFocus, result);
            LensUtil.traceContext(LOGGER, activityDescription, "focus processing", false, context, false);
            LensUtil.checkContextSanity(context, "focus processing", result);
            // a projection is provisioned or deprovisioned only after the activation is processed.
            if (fromStart && inFirstWave) {
                LOGGER.trace("Processing activation for all contexts");
                for (LensProjectionContext projectionContext : context.getProjectionContexts()) {
                    if (projectionContext.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.BROKEN || projectionContext.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.IGNORE) {
                        continue;
                    }
                    activationProcessor.processActivation(context, projectionContext, now, task, result);
                    projectionContext.recompute();
                }
                // TODO move implementation of this method elsewhere; but it has to be invoked here, as activationProcessor sets the IGNORE flag
                assignmentProcessor.removeIgnoredContexts(context);
            }
            LensUtil.traceContext(LOGGER, activityDescription, "projection activation of all resources", true, context, true);
            if (consistencyChecks)
                context.checkConsistence();
            dependencyProcessor.sortProjectionsToWaves(context);
            maxWaves = dependencyProcessor.computeMaxWaves(context);
            LOGGER.trace("Continuing wave {}, maxWaves={}", context.getProjectionWave(), maxWaves);
            for (LensProjectionContext projectionContext : context.getProjectionContexts()) {
                LensUtil.partialExecute("projection " + projectionContext.getHumanReadableName(), () -> projectProjection(context, projectionContext, partialProcessingOptions, now, activityDescription, task, result), partialProcessingOptions::getProjection);
            // TODO: make this condition more complex in the future. We may want the ability
            // to select only some projections to process
            }
            // if there exists some conflicting projection contexts, add them to the context so they will be recomputed in the next wave..
            addConflictingContexts(context);
            if (consistencyChecks)
                context.checkConsistence();
            context.incrementProjectionWave();
        }
        LOGGER.trace("WAVE: Stopping the waves. There was {} waves", context.getProjectionWave());
        // We can do this only when computation of all the waves is finished. Before that we do not know
        // activation of every account and therefore cannot decide what is OK and what is not
        dependencyProcessor.checkDependenciesFinal(context, result);
        if (consistencyChecks)
            context.checkConsistence();
        computeResultStatus(now, result);
    } catch (SchemaException | PolicyViolationException | ExpressionEvaluationException | ObjectAlreadyExistsException | ObjectNotFoundException | CommunicationException | ConfigurationException | SecurityViolationException e) {
        recordFatalError(e, now, result);
        throw e;
    } catch (RuntimeException e) {
        recordFatalError(e, now, result);
        // This should not normally happen unless there is something really bad or there is a bug.
        // Make sure that it is logged.
        LOGGER.error("Runtime error in projector: {}", e.getMessage(), e);
        throw e;
    } finally {
        if (context.getDebugListener() != null) {
            context.getDebugListener().afterProjection(context);
        }
        context.reportProgress(new ProgressInformation(PROJECTOR, result));
    }
}