use of com.evolveum.midpoint.util.exception.SecurityViolationException in project midpoint by Evolveum.
the class AssignmentProcessor method processAssignmentsProjections.
/**
* Processing all the assignments to determine which projections should be added, deleted or kept as they are.
* Generic method for all projection types (theoretically).
*/
@SuppressWarnings("unchecked")
public <O extends ObjectType> void processAssignmentsProjections(LensContext<O> context, XMLGregorianCalendar now, Task task, OperationResult parentResult) throws SchemaException, ObjectNotFoundException, ExpressionEvaluationException, PolicyViolationException, CommunicationException, ConfigurationException, SecurityViolationException {
LensFocusContext<O> focusContext = context.getFocusContext();
if (focusContext == null) {
return;
}
if (!FocusType.class.isAssignableFrom(focusContext.getObjectTypeClass())) {
// We can do this only for FocusType.
return;
}
// if (ModelExecuteOptions.isLimitPropagation(context.getOptions()) && SchemaConstants.CHANGE_CHANNEL_DISCOVERY.equals(QNameUtil.uriToQName(context.getChannel()))){
// //do not execute assignment if the execution was triggered by compensation mechanism and limitPropagation is set
// return;
// }
OperationResult result = parentResult.createSubresult(AssignmentProcessor.class.getName() + ".processAssignmentsProjections");
try {
processAssignmentsProjectionsWithFocus((LensContext<? extends FocusType>) context, now, task, result);
} catch (SchemaException | ObjectNotFoundException | ExpressionEvaluationException | PolicyViolationException | CommunicationException | ConfigurationException | SecurityViolationException | RuntimeException | Error e) {
result.recordFatalError(e);
throw e;
}
OperationResultStatus finalStatus = OperationResultStatus.SUCCESS;
String message = null;
int errors = 0;
for (OperationResult subresult : result.getSubresults()) {
if (subresult.isError()) {
errors++;
if (message == null) {
message = subresult.getMessage();
} else {
message = errors + " errors";
}
finalStatus = OperationResultStatus.PARTIAL_ERROR;
}
}
result.setStatus(finalStatus);
result.setMessage(message);
result.cleanupResult();
}
use of com.evolveum.midpoint.util.exception.SecurityViolationException in project midpoint by Evolveum.
the class Projector method projectInternal.
private <F extends ObjectType> void projectInternal(LensContext<F> context, String activityDescription, boolean fromStart, boolean allWaves, Task task, OperationResult parentResult) throws SchemaException, PolicyViolationException, ExpressionEvaluationException, ObjectNotFoundException, ObjectAlreadyExistsException, CommunicationException, ConfigurationException, SecurityViolationException {
context.checkAbortRequested();
if (context.getDebugListener() != null) {
context.getDebugListener().beforeProjection(context);
}
// Read the time at the beginning so all processors have the same notion of "now"
// this provides nicer unified timestamp that can be used in equality checks in tests and also for
// troubleshooting
XMLGregorianCalendar now = clock.currentTimeXMLGregorianCalendar();
String traceTitle = fromStart ? "projector start" : "projector resume";
LensUtil.traceContext(LOGGER, activityDescription, traceTitle, false, context, false);
if (consistencyChecks)
context.checkConsistence();
if (fromStart) {
context.normalize();
context.resetProjectionWave();
}
OperationResult result = parentResult.createSubresult(Projector.class.getName() + ".project");
result.addParam("fromStart", fromStart);
result.addContext("projectionWave", context.getProjectionWave());
result.addContext("executionWave", context.getExecutionWave());
PartialProcessingOptionsType partialProcessingOptions = context.getPartialProcessingOptions();
try {
context.reportProgress(new ProgressInformation(PROJECTOR, ENTERING));
if (fromStart) {
LensUtil.partialExecute("load", () -> {
contextLoader.load(context, activityDescription, task, result);
// Set the "fresh" mark now so following consistency check will be stricter
context.setFresh(true);
if (consistencyChecks)
context.checkConsistence();
}, partialProcessingOptions::getLoad, result);
}
// For now let's pretend to do just one wave. The maxWaves number will be corrected in the
// first wave when dependencies are sorted out for the first time.
int maxWaves = context.getExecutionWave() + 1;
// Start the waves ....
LOGGER.trace("WAVE: Starting the waves.");
boolean firstWave = true;
while ((allWaves && context.getProjectionWave() < maxWaves) || (!allWaves && context.getProjectionWave() <= context.getExecutionWave())) {
boolean inFirstWave = firstWave;
// in order to not forget to reset it ;)
firstWave = false;
context.checkAbortRequested();
LOGGER.trace("WAVE {} (maxWaves={}, executionWave={})", context.getProjectionWave(), maxWaves, context.getExecutionWave());
//just make sure everything is loaded and set as needed
dependencyProcessor.preprocessDependencies(context);
// Process the focus-related aspects of the context. That means inbound, focus activation,
// object template and assignments.
LensUtil.partialExecute("focus", () -> {
focusProcessor.processFocus(context, activityDescription, now, task, result);
context.recomputeFocus();
if (consistencyChecks)
context.checkConsistence();
}, partialProcessingOptions::getFocus, result);
LensUtil.traceContext(LOGGER, activityDescription, "focus processing", false, context, false);
LensUtil.checkContextSanity(context, "focus processing", result);
// a projection is provisioned or deprovisioned only after the activation is processed.
if (fromStart && inFirstWave) {
LOGGER.trace("Processing activation for all contexts");
for (LensProjectionContext projectionContext : context.getProjectionContexts()) {
if (projectionContext.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.BROKEN || projectionContext.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.IGNORE) {
continue;
}
activationProcessor.processActivation(context, projectionContext, now, task, result);
projectionContext.recompute();
}
// TODO move implementation of this method elsewhere; but it has to be invoked here, as activationProcessor sets the IGNORE flag
assignmentProcessor.removeIgnoredContexts(context);
}
LensUtil.traceContext(LOGGER, activityDescription, "projection activation of all resources", true, context, true);
if (consistencyChecks)
context.checkConsistence();
dependencyProcessor.sortProjectionsToWaves(context);
maxWaves = dependencyProcessor.computeMaxWaves(context);
LOGGER.trace("Continuing wave {}, maxWaves={}", context.getProjectionWave(), maxWaves);
for (LensProjectionContext projectionContext : context.getProjectionContexts()) {
LensUtil.partialExecute("projection " + projectionContext.getHumanReadableName(), () -> projectProjection(context, projectionContext, partialProcessingOptions, now, activityDescription, task, result), partialProcessingOptions::getProjection);
// TODO: make this condition more complex in the future. We may want the ability
// to select only some projections to process
}
// if there exists some conflicting projection contexts, add them to the context so they will be recomputed in the next wave..
addConflictingContexts(context);
if (consistencyChecks)
context.checkConsistence();
context.incrementProjectionWave();
}
LOGGER.trace("WAVE: Stopping the waves. There was {} waves", context.getProjectionWave());
// We can do this only when computation of all the waves is finished. Before that we do not know
// activation of every account and therefore cannot decide what is OK and what is not
dependencyProcessor.checkDependenciesFinal(context, result);
if (consistencyChecks)
context.checkConsistence();
computeResultStatus(now, result);
} catch (SchemaException | PolicyViolationException | ExpressionEvaluationException | ObjectAlreadyExistsException | ObjectNotFoundException | CommunicationException | ConfigurationException | SecurityViolationException e) {
recordFatalError(e, now, result);
throw e;
} catch (RuntimeException e) {
recordFatalError(e, now, result);
// This should not normally happen unless there is something really bad or there is a bug.
// Make sure that it is logged.
LOGGER.error("Runtime error in projector: {}", e.getMessage(), e);
throw e;
} finally {
if (context.getDebugListener() != null) {
context.getDebugListener().afterProjection(context);
}
context.reportProgress(new ProgressInformation(PROJECTOR, result));
}
}
use of com.evolveum.midpoint.util.exception.SecurityViolationException in project midpoint by Evolveum.
the class Projector method projectProjection.
private <F extends ObjectType> void projectProjection(LensContext<F> context, LensProjectionContext projectionContext, PartialProcessingOptionsType partialProcessingOptions, XMLGregorianCalendar now, String activityDescription, Task task, OperationResult parentResult) throws ObjectNotFoundException, CommunicationException, SchemaException, ConfigurationException, SecurityViolationException, PolicyViolationException, ExpressionEvaluationException, ObjectAlreadyExistsException {
if (projectionContext.getWave() != context.getProjectionWave()) {
// Let's skip accounts that do not belong into this wave.
return;
}
String projectionDesc = getProjectionDesc(projectionContext);
OperationResult result = parentResult.createMinorSubresult(OPERATION_PROJECT_PROJECTION);
result.addParam(OperationResult.PARAM_PROJECTION, projectionDesc);
try {
context.checkAbortRequested();
if (projectionContext.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.BROKEN || projectionContext.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.IGNORE) {
result.recordStatus(OperationResultStatus.NOT_APPLICABLE, "Skipping projection because it is " + projectionContext.getSynchronizationPolicyDecision());
return;
}
if (projectionContext.isThombstone()) {
result.recordStatus(OperationResultStatus.NOT_APPLICABLE, "Skipping projection because it is a thombstone");
return;
}
LOGGER.trace("WAVE {} PROJECTION {}", context.getProjectionWave(), projectionDesc);
// Some projections may not be loaded at this point, e.g. high-order dependency projections
contextLoader.makeSureProjectionIsLoaded(context, projectionContext, task, result);
if (consistencyChecks)
context.checkConsistence();
if (!dependencyProcessor.checkDependencies(context, projectionContext, result)) {
result.recordStatus(OperationResultStatus.NOT_APPLICABLE, "Skipping projection because it has unsatisfied dependencies");
return;
}
// TODO: decide if we need to continue
LensUtil.partialExecute("projectionValues", () -> {
// This is a "composite" processor. it contains several more processor invocations inside
projectionValuesProcessor.process(context, projectionContext, activityDescription, task, result);
if (consistencyChecks)
context.checkConsistence();
projectionContext.recompute();
if (consistencyChecks)
context.checkConsistence();
}, partialProcessingOptions::getProjectionValues);
LensUtil.partialExecute("projectionCredentials", () -> {
projectionCredentialsProcessor.processProjectionCredentials(context, projectionContext, now, task, result);
if (consistencyChecks)
context.checkConsistence();
projectionContext.recompute();
LensUtil.traceContext(LOGGER, activityDescription, "projection values and credentials of " + projectionDesc, false, context, true);
if (consistencyChecks)
context.checkConsistence();
}, partialProcessingOptions::getProjectionCredentials);
LensUtil.partialExecute("projectionReconciliation", () -> {
reconciliationProcessor.processReconciliation(context, projectionContext, task, result);
projectionContext.recompute();
LensUtil.traceContext(LOGGER, activityDescription, "projection reconciliation of " + projectionDesc, false, context, false);
if (consistencyChecks)
context.checkConsistence();
}, partialProcessingOptions::getProjectionReconciliation);
LensUtil.partialExecute("projectionLifecycle", () -> {
activationProcessor.processLifecycle(context, projectionContext, now, task, result);
if (consistencyChecks)
context.checkConsistence();
projectionContext.recompute();
// LensUtil.traceContext(LOGGER, activityDescription, "projection lifecycle of "+projectionDesc, false, context, false);
if (consistencyChecks)
context.checkConsistence();
}, partialProcessingOptions::getProjectionLifecycle);
result.recordSuccess();
} catch (ObjectNotFoundException | CommunicationException | SchemaException | ConfigurationException | SecurityViolationException | PolicyViolationException | ExpressionEvaluationException | ObjectAlreadyExistsException | RuntimeException | Error e) {
result.recordFatalError(e);
ResourceType resourceType = projectionContext.getResource();
if (resourceType == null) {
throw e;
} else {
ErrorSelectorType errorSelector = null;
if (resourceType.getConsistency() != null) {
errorSelector = resourceType.getConsistency().getConnectorErrorCriticality();
}
if (errorSelector == null) {
if (e instanceof CommunicationException) {
// Just continue evaluation. The error is recorded in the result.
// The consistency mechanism has (most likely) already done the best.
// We cannot do any better.
} else {
throw e;
}
} else {
if (ExceptionUtil.isSelected(errorSelector, e)) {
throw e;
} else {
// Just continue evaluation. The error is recorded in the result.
}
}
}
}
}
use of com.evolveum.midpoint.util.exception.SecurityViolationException in project midpoint by Evolveum.
the class ContextLoader method finishLoadOfProjectionContext.
/**
* Check reconcile flag in account sync context and set accountOld
* variable if it's not set (from provisioning), load resource (if not set already), etc.
*/
private <F extends ObjectType> void finishLoadOfProjectionContext(LensContext<F> context, LensProjectionContext projContext, Task task, OperationResult result) throws ObjectNotFoundException, CommunicationException, SchemaException, ConfigurationException, SecurityViolationException, ExpressionEvaluationException {
String projectionHumanReadableName = projContext.getHumanReadableName();
if (projContext.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.BROKEN) {
return;
}
// MID-2436 (volatile objects) - as a quick but effective hack, we set reconciliation:=TRUE for volatile accounts
ResourceObjectTypeDefinitionType objectDefinition = projContext.getResourceObjectTypeDefinitionType();
if (objectDefinition != null && objectDefinition.getVolatility() == ResourceObjectVolatilityType.UNPREDICTABLE && !projContext.isDoReconciliation()) {
LOGGER.trace("Resource object volatility is UNPREDICTABLE => setting doReconciliation to TRUE for {}", projContext.getResourceShadowDiscriminator());
projContext.setDoReconciliation(true);
}
// Remember OID before the object could be wiped
String projectionObjectOid = projContext.getOid();
if (projContext.isDoReconciliation() && !projContext.isFullShadow()) {
// The current object is useless here. So lets just wipe it so it will get loaded
projContext.setObjectCurrent(null);
}
// Load current object
boolean thombstone = false;
PrismObject<ShadowType> projectionObject = projContext.getObjectCurrent();
if (projContext.getObjectCurrent() == null || needToReload(context, projContext)) {
if (projContext.isAdd()) {
// No need to load old object, there is none
projContext.setExists(false);
projContext.recompute();
projectionObject = projContext.getObjectNew();
} else {
if (projectionObjectOid == null) {
projContext.setExists(false);
if (projContext.getResourceShadowDiscriminator() == null || projContext.getResourceShadowDiscriminator().getResourceOid() == null) {
throw new SystemException("Projection " + projectionHumanReadableName + " with null OID, no representation and no resource OID in account sync context " + projContext);
}
} else {
projContext.setExists(true);
GetOperationOptions rootOptions = GetOperationOptions.createPointInTimeType(PointInTimeType.FUTURE);
if (projContext.isDoReconciliation()) {
if (SchemaConstants.CHANGE_CHANNEL_DISCOVERY_URI.equals(context.getChannel())) {
// Avoid discovery loops
rootOptions.setDoNotDiscovery(true);
}
} else {
rootOptions.setNoFetch(true);
}
rootOptions.setAllowNotFound(true);
Collection<SelectorOptions<GetOperationOptions>> options = SelectorOptions.createCollection(rootOptions);
if (LOGGER.isTraceEnabled()) {
LOGGER.trace("Loading shadow {} for projection {}, options={}", projectionObjectOid, projectionHumanReadableName, options);
}
try {
PrismObject<ShadowType> objectOld = provisioningService.getObject(projContext.getObjectTypeClass(), projectionObjectOid, options, task, result);
if (LOGGER.isTraceEnabled()) {
if (!GetOperationOptions.isNoFetch(rootOptions) && !GetOperationOptions.isRaw(rootOptions)) {
if (LOGGER.isTraceEnabled()) {
LOGGER.trace("Full shadow loaded for {}:\n{}", projectionHumanReadableName, objectOld.debugDump(1));
}
}
}
Validate.notNull(objectOld.getOid());
if (InternalsConfig.consistencyChecks) {
String resourceOid = projContext.getResourceOid();
if (resourceOid != null && !resourceOid.equals(objectOld.asObjectable().getResourceRef().getOid())) {
throw new IllegalStateException("Loaded shadow with wrong resourceRef. Loading shadow " + projectionObjectOid + ", got " + objectOld.getOid() + ", expected resourceRef " + resourceOid + ", but was " + objectOld.asObjectable().getResourceRef().getOid() + " for context " + projectionHumanReadableName);
}
}
projContext.setLoadedObject(objectOld);
ShadowType oldShadow = objectOld.asObjectable();
if (projContext.isDoReconciliation()) {
projContext.determineFullShadowFlag(oldShadow.getFetchResult());
} else {
projContext.setFullShadow(false);
}
projectionObject = objectOld;
} catch (ObjectNotFoundException ex) {
// This does not mean BROKEN. The projection was there, but it gone now. What we really want here
// is a thombstone projection.
thombstone = true;
projContext.setFullShadow(false);
LOGGER.warn("Could not find object with oid {}. The projection context {} is marked as thombstone.", projectionObjectOid, projectionHumanReadableName);
} catch (CommunicationException | SchemaException | ConfigurationException | SecurityViolationException | RuntimeException | Error e) {
LOGGER.warn("Problem while getting object with oid {}. Projection context {} is marked as broken: {}: {}", projectionObjectOid, projectionHumanReadableName, e.getClass().getSimpleName(), e.getMessage());
projContext.setSynchronizationPolicyDecision(SynchronizationPolicyDecision.BROKEN);
ResourceType resourceType = projContext.getResource();
if (resourceType == null) {
throw e;
} else {
ErrorSelectorType errorSelector = null;
if (resourceType.getConsistency() != null) {
errorSelector = resourceType.getConsistency().getConnectorErrorCriticality();
}
if (errorSelector == null) {
if (e instanceof SchemaException) {
// We cannot do any better.
return;
} else {
throw e;
}
} else {
if (ExceptionUtil.isSelected(errorSelector, e)) {
throw e;
} else {
return;
}
}
}
}
}
projContext.setFresh(true);
}
} else {
projectionObject = projContext.getObjectCurrent();
if (projectionObjectOid != null) {
projContext.setExists(true);
}
}
// Determine Resource
ResourceType resourceType = projContext.getResource();
String resourceOid = null;
if (resourceType == null) {
if (projectionObject != null) {
ShadowType shadowType = projectionObject.asObjectable();
resourceOid = ShadowUtil.getResourceOid(shadowType);
} else if (projContext.getResourceShadowDiscriminator() != null) {
resourceOid = projContext.getResourceShadowDiscriminator().getResourceOid();
} else if (!thombstone) {
throw new IllegalStateException("No shadow, no discriminator and not thombstone? That won't do. Projection " + projectionHumanReadableName);
}
} else {
resourceOid = resourceType.getOid();
}
// Determine discriminator
ResourceShadowDiscriminator discr = projContext.getResourceShadowDiscriminator();
if (discr == null) {
if (projectionObject != null) {
ShadowType accountShadowType = projectionObject.asObjectable();
String intent = ShadowUtil.getIntent(accountShadowType);
ShadowKindType kind = ShadowUtil.getKind(accountShadowType);
discr = new ResourceShadowDiscriminator(resourceOid, kind, intent, thombstone);
} else {
discr = new ResourceShadowDiscriminator(null, null, null, thombstone);
}
projContext.setResourceShadowDiscriminator(discr);
} else {
if (thombstone) {
// We do not want to reset thombstone flag if it was set before
discr.setThombstone(thombstone);
}
}
// Load resource
if (resourceType == null && resourceOid != null) {
resourceType = LensUtil.getResourceReadOnly(context, resourceOid, provisioningService, task, result);
projContext.setResource(resourceType);
}
//Determine refined schema and password policies for account type
RefinedObjectClassDefinition structuralObjectClassDef = projContext.getStructuralObjectClassDefinition();
if (structuralObjectClassDef != null) {
ObjectReferenceType passwordPolicyRef = structuralObjectClassDef.getPasswordPolicy();
if (passwordPolicyRef != null && passwordPolicyRef.getOid() != null) {
PrismObject<ValuePolicyType> passwordPolicy = cacheRepositoryService.getObject(ValuePolicyType.class, passwordPolicyRef.getOid(), null, result);
if (passwordPolicy != null) {
projContext.setAccountPasswordPolicy(passwordPolicy.asObjectable());
}
}
}
//set limitation, e.g. if this projection context should be recomputed and processed by projector
if (ModelExecuteOptions.isLimitPropagation(context.getOptions())) {
if (context.getTriggeredResourceOid() != null) {
if (!context.getTriggeredResourceOid().equals(resourceOid)) {
projContext.setCanProject(false);
}
}
}
setPrimaryDeltaOldValue(projContext);
}
use of com.evolveum.midpoint.util.exception.SecurityViolationException in project midpoint by Evolveum.
the class PageTasks method deleteTaskConfirmedPerformed.
private void deleteTaskConfirmedPerformed(AjaxRequestTarget target, TaskDto task) {
List<TaskDto> taskDtoList = new ArrayList<>();
if (task != null) {
taskDtoList.add(task);
} else {
taskDtoList.addAll(WebComponentUtil.getSelectedData(getTaskTable()));
}
if (!isSomeTaskSelected(taskDtoList, target)) {
return;
}
OperationResult result = new OperationResult(OPERATION_DELETE_TASKS);
try {
getTaskService().suspendAndDeleteTasks(TaskDto.getOids(taskDtoList), WAIT_FOR_TASK_STOP, true, result);
result.computeStatus();
if (result.isSuccess()) {
result.recordStatus(OperationResultStatus.SUCCESS, "The task(s) have been successfully deleted.");
}
} catch (ObjectNotFoundException | SchemaException | SecurityViolationException | RuntimeException e) {
result.recordFatalError("Couldn't delete the task(s)", e);
}
showResult(result);
TaskDtoProvider provider = (TaskDtoProvider) getTaskTable().getDataTable().getDataProvider();
provider.clearCache();
//refresh feedback and table
refreshTables(target);
}
Aggregations