/**
 * Delegation with a validity window (validFrom = now + 2h, validTo = now + 1d),
 * created by Jack who holds ROLE_DELEGATOR_PLUS. Unlike ROLE_DELEGATOR (see
 * test122), this role lets the delegator see the delegation while it is
 * inactive, i.e. before validFrom and after validTo.
 * The test walks the delegation through three states (not yet valid, valid,
 * expired) and checks at each step that:
 * - the delegate (Barbossa) has access only while the window is open,
 * - the delegator (Jack) can read the deputy assignment in all three states
 *   and the delegatorRef search only reports Barbossa while it is active,
 * - the delegate can never create a delegation himself, in either direction.
 * Note: after every clock move the administrator recomputes Barbossa before
 * access is re-checked, so enforcement without a recompute is not exercised.
 * MID-4172
 */
@Test
public void test124AutzJackDelagatorPlusValidity() throws Exception {
// GIVEN
cleanupAutzTest(USER_JACK_OID);
assignRole(USER_JACK_OID, ROLE_DELEGATOR_PLUS_OID);
assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
login(USER_JACK_USERNAME);
// WHEN
when();
PrismObject<UserType> userJack = getUser(USER_JACK_OID);
assertAssignments(userJack, 1);
assertAssignedRole(userJack, ROLE_DELEGATOR_PLUS_OID);
PrismObject<UserType> userBarbossa = getUser(USER_BARBOSSA_OID);
assertNoAssignments(userBarbossa);
// Validity window relative to the test-controlled clock: opens in 2 hours, closes after 1 day.
XMLGregorianCalendar startTs = clock.currentTimeXMLGregorianCalendar();
ActivationType activationType = new ActivationType();
activationType.setValidFrom(XmlTypeConverter.addDuration(startTs, "PT2H"));
activationType.setValidTo(XmlTypeConverter.addDuration(startTs, "P1D"));
// Good direction: Jack delegates to Barbossa (Barbossa becomes Jack's deputy), bounded by the window above.
assertAllow("delegate to Barbossa", (task, result) -> assignDeputy(USER_BARBOSSA_OID, USER_JACK_OID, assignment -> assignment.setActivation(activationType), task, result));
userJack = getUser(USER_JACK_OID);
display("Jack delegator", userJack);
assertAssignments(userJack, 1);
userBarbossa = getUser(USER_BARBOSSA_OID);
display("Barbossa delegate", userBarbossa);
// ROLE_DELEGATOR_PLUS: Jack can see the deputy assignment even though it is not active yet.
assertAssignments(userBarbossa, 1);
assertAssignedDeputy(userBarbossa, USER_JACK_OID);
// Searching by delegatorRef is allowed but returns nothing: the delegation is not yet active,
// so Barbossa does not carry Jack in delegatorRef. Searching by assignment target still finds him.
assertDeputySearchDelegatorRef(USER_JACK_OID);
assertDeputySearchAssignmentTarget(USER_JACK_OID, USER_BARBOSSA_OID);
// Non-delegate. We should be able to read just the name. Not the assignments.
PrismObject<UserType> userRum = getUser(userRumRogersOid);
display("User Rum Rogers", userRum);
assertNoAssignments(userRum);
login(USER_BARBOSSA_USERNAME);
// WHEN
when();
display("Logged in as Barbossa");
// Delegation is not active yet (before validFrom). No access at all.
assertReadDeny();
assertAddDeny();
assertModifyDeny();
assertDeleteDeny();
// Move past validFrom (2h) and recompute the delegate as administrator.
clockForward("PT3H");
login(USER_ADMINISTRATOR_USERNAME);
recomputeUser(USER_BARBOSSA_OID);
// Delegation is active now
login(USER_JACK_USERNAME);
// WHEN
userBarbossa = getUser(USER_BARBOSSA_OID);
display("Barbossa delegate", userBarbossa);
assertAssignments(userBarbossa, 1);
assertAssignedDeputy(userBarbossa, USER_JACK_OID);
// Active delegation: both search paths now report Barbossa as Jack's deputy.
assertDeputySearchDelegatorRef(USER_JACK_OID, USER_BARBOSSA_OID);
assertDeputySearchAssignmentTarget(USER_JACK_OID, USER_BARBOSSA_OID);
login(USER_BARBOSSA_USERNAME);
// WHEN
when();
display("Logged in as Barbossa");
// Within the window the delegate gets read access to all users; write operations stay denied.
assertReadAllow(NUMBER_OF_ALL_USERS);
assertAddDeny();
assertModifyDeny();
assertDeleteDeny();
// Move past validTo (1d) and recompute the delegate again.
clockForward("P1D");
login(USER_ADMINISTRATOR_USERNAME);
recomputeUser(USER_BARBOSSA_OID);
// Delegation no longer active
login(USER_JACK_USERNAME);
// WHEN
userBarbossa = getUser(USER_BARBOSSA_OID);
display("Barbossa delegate", userBarbossa);
// The expired assignment is still present and, with ROLE_DELEGATOR_PLUS, still visible to Jack.
assertAssignments(userBarbossa, 1);
assertAssignedDeputy(userBarbossa, USER_JACK_OID);
// delegatorRef search is allowed but returns nothing again: the delegation has expired,
// so Jack is no longer in Barbossa's delegatorRef. Assignment-target search still finds him.
assertDeputySearchDelegatorRef(USER_JACK_OID);
assertDeputySearchAssignmentTarget(USER_JACK_OID, USER_BARBOSSA_OID);
login(USER_BARBOSSA_USERNAME);
// WHEN
when();
display("Logged in as Barbossa");
// Delegation is not active any more (after validTo). No access.
assertReadDeny();
assertAddDeny();
assertModifyDeny();
assertDeleteDeny();
login(USER_JACK_USERNAME);
// WHEN
when();
display("Logged in as Jack");
// Jack removes the (expired) delegation; the same activation is supplied so the
// unassign matches the assignment that was created above.
assertAllow("undelegate from Barbossa", (task, result) -> unassignDeputy(USER_BARBOSSA_OID, USER_JACK_OID, assignment -> assignment.setActivation(activationType), task, result));
userJack = getUser(USER_JACK_OID);
assertAssignments(userJack, 1);
userBarbossa = getUser(USER_BARBOSSA_OID);
assertNoAssignments(userBarbossa);
assertGlobalStateUntouched();
login(USER_BARBOSSA_USERNAME);
// WHEN
when();
display("Logged in as Barbossa");
assertReadDeny();
assertAddDeny();
assertModifyDeny();
assertDeleteDeny();
// The delegate must not be able to delegate to Jack, nor to create a delegation
// from Jack to himself (that would be a self-granted privilege escalation).
assertDeny("delegate to Jack", (task, result) -> assignDeputy(USER_JACK_OID, USER_BARBOSSA_OID, task, result));
assertDeny("delegate from Jack to Barbossa", (task, result) -> assignDeputy(USER_BARBOSSA_OID, USER_JACK_OID, task, result));
assertGlobalStateUntouched();
}
/**
 * Delegation with a validity window that starts in the future
 * (validFrom = now + 2h, validTo = now + 1d), created by Jack who holds
 * ROLE_DELEGATOR. This role does NOT grant the delegator access to inactive
 * delegations, so while the window is closed Jack must not see the deputy
 * assignment on Barbossa (contrast with test124 and ROLE_DELEGATOR_PLUS).
 * The delegate (Barbossa) must have access only while the window is open and
 * must never be able to create a delegation himself, in either direction.
 * Note: after every clock move the administrator recomputes Barbossa before
 * access is re-checked, so enforcement without a recompute is not exercised.
 * MID-4172
 */
@Test
public void test122AutzJackDelagatorValidity() throws Exception {
// GIVEN
cleanupAutzTest(USER_JACK_OID);
assignRole(USER_JACK_OID, ROLE_DELEGATOR_OID);
assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
login(USER_JACK_USERNAME);
// WHEN
when();
PrismObject<UserType> userJack = getUser(USER_JACK_OID);
assertAssignments(userJack, 1);
assertAssignedRole(userJack, ROLE_DELEGATOR_OID);
PrismObject<UserType> userBarbossa = getUser(USER_BARBOSSA_OID);
assertNoAssignments(userBarbossa);
// Validity window relative to the test-controlled clock: opens in 2 hours, closes after 1 day.
XMLGregorianCalendar startTs = clock.currentTimeXMLGregorianCalendar();
ActivationType activationType = new ActivationType();
activationType.setValidFrom(XmlTypeConverter.addDuration(startTs, "PT2H"));
activationType.setValidTo(XmlTypeConverter.addDuration(startTs, "P1D"));
// Good direction: Jack delegates to Barbossa (Barbossa becomes Jack's deputy), bounded by the window above.
assertAllow("delegate to Barbossa", (task, result) -> assignDeputy(USER_BARBOSSA_OID, USER_JACK_OID, assignment -> assignment.setActivation(activationType), task, result));
userJack = getUser(USER_JACK_OID);
display("Jack delegator", userJack);
assertAssignments(userJack, 1);
userBarbossa = getUser(USER_BARBOSSA_OID);
display("Barbossa delegate", userBarbossa);
// Delegation is not active yet. ROLE_DELEGATOR does not cover inactive delegations,
// therefore Jack cannot see it on a direct read of Barbossa.
assertAssignments(userBarbossa, 0);
assertDeputySearchDelegatorRef(USER_JACK_OID);
// NOTE(review): inconsistent with the read just above. A search by assignment target
// still returns Barbossa, i.e. the search path surfaces an inactive delegation that the
// direct read hides from the same user. The commented-out line below is the intended
// result; the live assertion pins the current (leaky) behaviour. Tracked under MID-4172.
assertDeputySearchAssignmentTarget(USER_JACK_OID, USER_BARBOSSA_OID);
// assertDeputySearchAssignmentTarget(USER_JACK_OID /* nothing */);
// Non-delegate. We should be able to read just the name. Not the assignments.
PrismObject<UserType> userRum = getUser(userRumRogersOid);
display("User Rum Rogers", userRum);
assertNoAssignments(userRum);
login(USER_BARBOSSA_USERNAME);
// WHEN
when();
display("Logged in as Barbossa");
// Delegation is not active yet (before validFrom). No access at all.
assertReadDeny();
assertAddDeny();
assertModifyDeny();
assertDeleteDeny();
// Move past validFrom (2h) and recompute the delegate as administrator.
clockForward("PT3H");
login(USER_ADMINISTRATOR_USERNAME);
recomputeUser(USER_BARBOSSA_OID);
// Delegation is active now
login(USER_JACK_USERNAME);
// WHEN
userBarbossa = getUser(USER_BARBOSSA_OID);
display("Barbossa delegate", userBarbossa);
// Once active, the deputy assignment becomes visible to Jack and both search paths report it.
assertAssignments(userBarbossa, 1);
assertAssignedDeputy(userBarbossa, USER_JACK_OID);
assertDeputySearchDelegatorRef(USER_JACK_OID, USER_BARBOSSA_OID);
assertDeputySearchAssignmentTarget(USER_JACK_OID, USER_BARBOSSA_OID);
login(USER_BARBOSSA_USERNAME);
// WHEN
when();
display("Logged in as Barbossa");
// Within the window the delegate gets read access to all users; write operations stay denied.
assertReadAllow(NUMBER_OF_ALL_USERS);
assertAddDeny();
assertModifyDeny();
assertDeleteDeny();
// Move past validTo (1d) and recompute the delegate again.
clockForward("P1D");
login(USER_ADMINISTRATOR_USERNAME);
recomputeUser(USER_BARBOSSA_OID);
// (Unlike test124, Jack's view of the expired delegation is not re-checked here.)
login(USER_BARBOSSA_USERNAME);
// WHEN
when();
display("Logged in as Barbossa");
// Delegation is not active any more (after validTo). No access.
assertReadDeny();
assertAddDeny();
assertModifyDeny();
assertDeleteDeny();
login(USER_JACK_USERNAME);
// WHEN
when();
display("Logged in as Jack");
// Jack removes the (expired) delegation; the same activation is supplied so the
// unassign matches the assignment that was created above.
assertAllow("undelegate from Barbossa", (task, result) -> unassignDeputy(USER_BARBOSSA_OID, USER_JACK_OID, assignment -> assignment.setActivation(activationType), task, result));
userJack = getUser(USER_JACK_OID);
assertAssignments(userJack, 1);
userBarbossa = getUser(USER_BARBOSSA_OID);
assertNoAssignments(userBarbossa);
assertGlobalStateUntouched();
login(USER_BARBOSSA_USERNAME);
// WHEN
when();
display("Logged in as Barbossa");
assertReadDeny();
assertAddDeny();
assertModifyDeny();
assertDeleteDeny();
// The delegate must not be able to delegate to Jack, nor to create a delegation
// from Jack to himself (that would be a self-granted privilege escalation).
assertDeny("delegate to Jack", (task, result) -> assignDeputy(USER_JACK_OID, USER_BARBOSSA_OID, task, result));
assertDeny("delegate from Jack to Barbossa", (task, result) -> assignDeputy(USER_BARBOSSA_OID, USER_JACK_OID, task, result));
assertGlobalStateUntouched();
}
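/**
 * Asserts the structural invariants of a focus-type (e.g. UserType) complex type
 * definition: the common ObjectType items, the runtime extension container, and
 * the static activation, assignment, linkRef, metadata and tenantRef items.
 *
 * The item counts asserted below (activation 12, assignment 24, metadata 23) are
 * deliberately hard-coded so that any schema change to those containers is noticed
 * and reviewed; bump them consciously when the schema changes.
 *
 * @param complexTypeDefinition the focus type definition under test; must not be null
 * @param defDesc human-readable name of the definition, used only in assertion messages
 * @param expectedExtensionTypeName expected type name of the extension container
 * @param expectedExtensionItemDefs expected number of item definitions in the extension
 * @throws AssertionError when any invariant does not hold
 */
public static void assertFocusDefinition(ComplexTypeDefinition complexTypeDefinition, String defDesc, QName expectedExtensionTypeName, int expectedExtensionItemDefs) {
    assertNotNull("No " + defDesc + " definition", complexTypeDefinition);
    // Common ObjectType items: name and description, with their display metadata.
    PrismAsserts.assertPropertyDefinition(complexTypeDefinition, ObjectType.F_NAME, PolyStringType.COMPLEX_TYPE, 0, 1);
    PrismAsserts.assertItemDefinitionDisplayName(complexTypeDefinition, ObjectType.F_NAME, "ObjectType.name");
    PrismAsserts.assertItemDefinitionDisplayOrder(complexTypeDefinition, ObjectType.F_NAME, 0);
    PrismAsserts.assertPropertyDefinition(complexTypeDefinition, ObjectType.F_DESCRIPTION, DOMUtil.XSD_STRING, 0, 1);
    PrismAsserts.assertItemDefinitionDisplayName(complexTypeDefinition, ObjectType.F_DESCRIPTION, "ObjectType.description");
    PrismAsserts.assertItemDefinitionDisplayOrder(complexTypeDefinition, ObjectType.F_DESCRIPTION, 10);
    assertFalse("" + defDesc + " definition is marked as runtime", complexTypeDefinition.isRuntimeSchema());
    // Extension is the one container that is expected to be a runtime (dynamic) schema.
    PrismContainerDefinition<?> extensionContainer = complexTypeDefinition.findContainerDefinition(UserType.F_EXTENSION);
    PrismAsserts.assertDefinition(extensionContainer, UserType.F_EXTENSION, expectedExtensionTypeName, 0, 1);
    assertTrue("Extension is NOT runtime", extensionContainer.isRuntimeSchema());
    // assertTrue("Extension is NOT dynamic", extensionContainer.isDynamic());
    assertEquals("Extension size", expectedExtensionItemDefs, extensionContainer.getDefinitions().size());
    PrismAsserts.assertItemDefinitionDisplayName(complexTypeDefinition, UserType.F_EXTENSION, "ObjectType.extension");
    PrismAsserts.assertItemDefinitionDisplayOrder(complexTypeDefinition, UserType.F_EXTENSION, 1000);
    // Activation: static schema with a fixed number of items.
    PrismContainerDefinition<ActivationType> activationContainer = complexTypeDefinition.findContainerDefinition(UserType.F_ACTIVATION);
    PrismAsserts.assertDefinition(activationContainer, UserType.F_ACTIVATION, ActivationType.COMPLEX_TYPE, 0, 1);
    assertFalse("Activation is runtime", activationContainer.isRuntimeSchema());
    assertEquals("Activation size", 12, activationContainer.getDefinitions().size());
    PrismAsserts.assertPropertyDefinition(activationContainer, ActivationType.F_ADMINISTRATIVE_STATUS, SchemaConstants.C_ACTIVATION_STATUS_TYPE, 0, 1);
    // Assignment: unbounded multi-valued container, static schema, with a nested construction.
    PrismContainerDefinition<AssignmentType> assignmentContainer = complexTypeDefinition.findContainerDefinition(UserType.F_ASSIGNMENT);
    PrismAsserts.assertDefinition(assignmentContainer, UserType.F_ASSIGNMENT, AssignmentType.COMPLEX_TYPE, 0, -1);
    assertFalse("Assignment is runtime", assignmentContainer.isRuntimeSchema());
    assertEquals("Assignment definition size", 24, assignmentContainer.getDefinitions().size());
    PrismContainerDefinition<ConstructionType> constructionContainer = assignmentContainer.findContainerDefinition(AssignmentType.F_CONSTRUCTION);
    PrismAsserts.assertDefinition(constructionContainer, AssignmentType.F_CONSTRUCTION, ConstructionType.COMPLEX_TYPE, 0, 1);
    assertFalse("Construction is runtime", constructionContainer.isRuntimeSchema());
    // linkRef: unbounded reference whose declared target is ShadowType.
    PrismReferenceDefinition accountRefDef = complexTypeDefinition.findItemDefinition(UserType.F_LINK_REF, PrismReferenceDefinition.class);
    PrismAsserts.assertDefinition(accountRefDef, UserType.F_LINK_REF, ObjectReferenceType.COMPLEX_TYPE, 0, -1);
    assertEquals("Wrong target type in accountRef", ShadowType.COMPLEX_TYPE, accountRefDef.getTargetTypeName());
    // Metadata: static, non-dynamic, operational container with a fixed number of items.
    PrismContainerDefinition<MetadataType> metadataContainer = complexTypeDefinition.findContainerDefinition(UserType.F_METADATA);
    assertFalse("Metadata is runtime", metadataContainer.isRuntimeSchema());
    assertFalse("Metadata is dynamic", metadataContainer.isDynamic());
    assertTrue("Metadata is NOT operational", metadataContainer.isOperational());
    assertEquals("Metadata size", 23, metadataContainer.getDefinitions().size());
    // tenantRef: single-valued reference.
    PrismReferenceDefinition tenantRefDef = complexTypeDefinition.findItemDefinition(UserType.F_TENANT_REF, PrismReferenceDefinition.class);
    PrismAsserts.assertDefinition(tenantRefDef, UserType.F_TENANT_REF, ObjectReferenceType.COMPLEX_TYPE, 0, 1);
    // Previously this line compared accountRefDef's target type (copy-paste from the
    // linkRef check above), so tenantRef's target type was never actually verified.
    // The expected type name is not available in this unit's scope; assert that a
    // target type is declared at all.
    // TODO(review): pin this to the exact declared target type of tenantRef from the schema.
    assertNotNull("No target type in tenantRef", tenantRefDef.getTargetTypeName());
}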
/**
 * Maps the ConnId "disable date" attribute onto activation/validTo of the
 * resource object being converted.
 *
 * The attribute value is read as a single {@code Long} and handed to
 * {@code XmlTypeConverter.createXMLGregorianCalendar(long)} unchanged, so it is
 * presumably epoch milliseconds; the unit is not validated here. An absent value
 * leaves the activation container untouched (it is only created when there is
 * something to set).
 *
 * @param connIdAttr the ConnId attribute carrying the disable date
 * @throws SchemaException propagated from the single-value extraction
 */
private void convertDisableDate(Attribute connIdAttr) throws SchemaException {
    final Long disableAtMillis = getSingleValue(connIdAttr, Long.class);
    if (disableAtMillis != null) {
        ShadowUtil.getOrCreateActivation(resourceObjectBean)
                .setValidTo(XmlTypeConverter.createXMLGregorianCalendar(disableAtMillis));
    }
}
/**
 * Maps the ConnId "enable" flag onto the activation status of the resource
 * object being converted.
 *
 * {@code true} becomes {@code ENABLED}, {@code false} becomes {@code DISABLED}.
 * Both administrativeStatus and effectiveStatus are set straight from the
 * connector flag in this step; no validity or lifecycle evaluation happens here
 * (whether effectiveStatus is recomputed downstream is not visible in this unit).
 * An absent value leaves the activation container untouched.
 *
 * @param connIdAttr the ConnId attribute carrying the enable flag
 * @throws SchemaException propagated from the single-value extraction
 */
private void convertEnable(Attribute connIdAttr) throws SchemaException {
    final Boolean enabledFlag = getSingleValue(connIdAttr, Boolean.class);
    if (enabledFlag == null) {
        return;
    }
    final ActivationStatusType status = enabledFlag
            ? ActivationStatusType.ENABLED
            : ActivationStatusType.DISABLED;
    final ActivationType activation = ShadowUtil.getOrCreateActivation(resourceObjectBean);
    activation.setAdministrativeStatus(status);
    // Mirrors the administrative status; the connector flag is taken as the effective state.
    activation.setEffectiveStatus(status);
    LOGGER.trace("Converted activation administrativeStatus/effectiveStatus: {}", status);
}