Examples with ObjectReferenceType com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType used on opensource projects

Example 81 with ObjectReferenceType

use of com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType in project midpoint by Evolveum.

the class LinkedObjectsFunctions method findLinkedTargets.

// Should be used after assignment evaluation!
@Experimental
@NotNull
<T extends AssignmentHolderType> List<T> findLinkedTargets(String linkTypeName) throws CommunicationException, ObjectNotFoundException, SchemaException, SecurityViolationException, ConfigurationException, ExpressionEvaluationException {
    OperationResult currentResult = midpointFunctions.getCurrentResult();
    LensFocusContext<?> focusContext = (LensFocusContext<?>) midpointFunctions.getFocusContext();
    if (focusContext == null) {
        throw new IllegalStateException("No focus context");
    }
    LinkTypeDefinitionType definition = focusContext.getTargetLinkTypeDefinition(linkTypeName, linkManager, currentResult);
    if (definition == null) {
        throw new IllegalStateException("No definition for target link type " + linkTypeName + " for " + focusContext);
    }
    Class<?> expectedClasses = getExpectedClass(definition.getSelector());
    Set<PrismReferenceValue> membership = getMembership();
    List<PrismReferenceValue> assignedWithMatchingRelation = membership.stream().filter(ref -> relationMatches(ref, definition.getSelector()) && objectTypeMatches(ref, expectedClasses)).collect(Collectors.toList());
    // TODO deduplicate w.r.t. member/manager
    // TODO optimize matching
    List<T> objects = new ArrayList<>(assignedWithMatchingRelation.size());
    for (PrismReferenceValue reference : assignedWithMatchingRelation) {
        ObjectReferenceType ort = new ObjectReferenceType();
        ort.setupReferenceValue(reference);
        T object = midpointFunctions.resolveReferenceInternal(ort, true);
        if (objectMatches(object, definition.getSelector())) {
            objects.add(object);
        }
    }
    return objects;
}

Example 82 with ObjectReferenceType

use of com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType in project midpoint by Evolveum.

the class OrgStructFunctionsImpl method getParentOrgs.

@Override
public Collection<OrgType> getParentOrgs(ObjectType object, QName relation, @NotNull Predicate<OrgType> predicate, boolean preAuthorized) throws SchemaException, SecurityViolationException {
    List<ObjectReferenceType> parentOrgRefs = object.getParentOrgRef();
    List<OrgType> parentOrgs = new ArrayList<>(parentOrgRefs.size());
    for (ObjectReferenceType parentOrgRef : parentOrgRefs) {
        if (!prismContext.relationMatches(relation, parentOrgRef.getRelation())) {
            continue;
        }
        OrgType parentOrg;
        try {
            parentOrg = getObject(OrgType.class, parentOrgRef.getOid(), preAuthorized);
        } catch (ObjectNotFoundException e) {
            LOGGER.warn("Org " + parentOrgRef.getOid() + " specified in parentOrgRef in " + object + " was not found: " + e.getMessage(), e);
            // but do not rethrow, just skip this
            continue;
        } catch (CommunicationException | ConfigurationException | ExpressionEvaluationException e) {
            // This should not happen.
            throw new SystemException(e.getMessage(), e);
        }
        if (predicate.test(parentOrg)) {
            parentOrgs.add(parentOrg);
        }
    }
    return parentOrgs;
}

Example 83 with ObjectReferenceType

use of com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType in project midpoint by Evolveum.

the class ClockworkAuthorizationHelper method authorizeAssignmentRequest.

private <F extends ObjectType, O extends ObjectType> void authorizeAssignmentRequest(LensContext<F> context, String operationUrl, String assignActionUrl, ItemName assignmentElementQName, PrismObject<O> object, OwnerResolver ownerResolver, ObjectSecurityConstraints securityConstraints, PlusMinusZero plusMinusZero, boolean prohibitPolicies, Task task, OperationResult result) throws SecurityViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException {
    // This is *request* authorization. Therefore we care only about primary delta.
    ObjectDelta<F> focusPrimaryDelta = context.getFocusContext().getPrimaryDelta();
    if (focusPrimaryDelta == null) {
        return;
    }
    ContainerDelta<AssignmentType> focusAssignmentDelta = focusPrimaryDelta.findContainerDelta(assignmentElementQName);
    if (focusAssignmentDelta == null) {
        return;
    }
    String operationDesc = assignActionUrl.substring(assignActionUrl.lastIndexOf('#') + 1);
    Collection<PrismContainerValue<AssignmentType>> changedAssignmentValues = determineChangedAssignmentValues(context.getFocusContext(), assignmentElementQName, focusAssignmentDelta, plusMinusZero);
    for (PrismContainerValue<AssignmentType> changedAssignmentValue : changedAssignmentValues) {
        AssignmentType changedAssignment = changedAssignmentValue.getRealValue();
        ObjectReferenceType targetRef = changedAssignment.getTargetRef();
        if (targetRef == null || targetRef.getOid() == null) {
            // This may still be allowed by #add and #modify authorizations. We have already checked these, but there may be combinations of
            // assignments, one of the assignments allowed by #assign, other allowed by #modify (e.g. MID-4517).
            // Therefore check the items again. This is not very efficient to check it twice. But this is not a common case
            // so there should not be any big harm in suffering this inefficiency.
            AccessDecision subitemDecision = securityEnforcer.determineSubitemDecision(securityConstraints, changedAssignmentValue, operationUrl, getRequestAuthorizationPhase(context), null, plusMinusZero, operationDesc);
            if (subitemDecision == AccessDecision.ALLOW) {
                LOGGER.debug("{} of policy {} to {} allowed with {} authorization", operationDesc, assignmentElementQName.getLocalPart(), object, operationUrl);
                continue;
            } else {
                LOGGER.debug("{} of non-target {} not allowed", operationDesc, assignmentElementQName.getLocalPart());
                if (LOGGER.isTraceEnabled()) {
                    LOGGER.trace("Denied request for object {}: {} of non-target {} not allowed", object, operationDesc, assignmentElementQName.getLocalPart());
                }
                securityEnforcer.failAuthorization(operationDesc, getRequestAuthorizationPhase(context), AuthorizationParameters.Builder.buildObject(object), result);
            }
        }
        PrismObject<ObjectType> target;
        try {
            // We do not worry about performance here too much. The target was already evaluated. This will be retrieved from repo cache anyway.
            target = objectResolver.resolve(targetRef.asReferenceValue(), "resolving " + assignmentElementQName.getLocalPart() + " target", task, result);
        } catch (ObjectNotFoundException e) {
            LOGGER.warn("Object {} referenced as {} target in {} was not found", targetRef.asReferenceValue().getOid(), assignmentElementQName.getLocalPart(), object);
            target = null;
        }
        ObjectDelta<O> assignmentObjectDelta = object.createModifyDelta();
        ContainerDelta<AssignmentType> assignmentDelta = assignmentObjectDelta.createContainerModification(assignmentElementQName);
        // We do not care if this is add or delete. All that matters for authorization is that it is in a delta.
        assignmentDelta.addValuesToAdd(changedAssignment.asPrismContainerValue().clone());
        QName relation = targetRef.getRelation();
        if (relation == null) {
            relation = prismContext.getDefaultRelation();
        }
        List<OrderConstraintsType> orderConstraints = determineOrderConstraints(assignmentElementQName, changedAssignment);
        AuthorizationParameters<O, ObjectType> autzParams = new AuthorizationParameters.Builder<O, ObjectType>().oldObject(object).delta(assignmentObjectDelta).target(target).relation(relation).orderConstraints(orderConstraints).build();
        if (prohibitPolicies) {
            if (changedAssignment.getPolicyRule() != null || !changedAssignment.getPolicyException().isEmpty() || !changedAssignment.getPolicySituation().isEmpty() || !changedAssignment.getTriggeredPolicyRule().isEmpty()) {
                // This may still be allowed by #add and #modify authorizations. We have already checked these, but there may be combinations of
                // assignments, one of the assignments allowed by #assign, other allowed by #modify (e.g. MID-4517).
                // Therefore check the items again. This is not very efficient to check it twice. But this is not a common case
                // so there should not be any big harm in suffering this inefficiency.
                AccessDecision subitemDecision = securityEnforcer.determineSubitemDecision(securityConstraints, changedAssignmentValue, operationUrl, getRequestAuthorizationPhase(context), null, plusMinusZero, operationDesc);
                if (subitemDecision == AccessDecision.ALLOW) {
                    LOGGER.debug("{} of policy assignment to {} allowed with {} authorization", operationDesc, object, operationUrl);
                    continue;
                } else {
                    securityEnforcer.failAuthorization("with assignment because of policies in the assignment", getRequestAuthorizationPhase(context), autzParams, result);
                }
            }
        }
        if (securityEnforcer.isAuthorized(assignActionUrl, getRequestAuthorizationPhase(context), autzParams, ownerResolver, task, result)) {
            LOGGER.debug("{} of target {} to {} allowed with {} authorization", operationDesc, target, object, assignActionUrl);
            continue;
        }
        if (relationRegistry.isDelegation(relation)) {
            if (securityEnforcer.isAuthorized(ModelAuthorizationAction.DELEGATE.getUrl(), getRequestAuthorizationPhase(context), autzParams, ownerResolver, task, result)) {
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("{} of target {} to {} allowed with {} authorization", operationDesc, target, object, ModelAuthorizationAction.DELEGATE.getUrl());
                }
                continue;
            }
        }
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("{} of target {} to {} denied", operationDesc, target, object);
        }
        securityEnforcer.failAuthorization("with " + assignmentElementQName.getLocalPart(), getRequestAuthorizationPhase(context), autzParams, result);
    }
}

Example 84 with ObjectReferenceType

use of com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType in project midpoint by Evolveum.

the class MissingShadowContextRefresher method reloadFocusAndFindMatchingLink.

private boolean reloadFocusAndFindMatchingLink(OperationResult result) throws SchemaException, ObjectNotFoundException, CommunicationException, ConfigurationException, ExpressionEvaluationException {
    PrismObject<F> reloadedFocusObject = reloadFocus(result);
    if (reloadedFocusObject == null) {
        // reason already logged
        return false;
    }
    FocusType reloadedFocus = (FocusType) reloadedFocusObject.asObjectable();
    // TODO shouldn't we put the reloaded focus back into the focus context? Beware that it was fetched as read-only.
    LensFocusContext<F> focusContext = context.getFocusContextRequired();
    for (ObjectReferenceType linkRef : reloadedFocus.getLinkRef()) {
        if (linkRef.getOid().equals(projectionContext.getOid())) {
            if (projectionContext.isReaping()) {
                LOGGER.trace("Not deleting linkRef for {} because the shadow is being reaped", projectionContext.getOid());
            } else {
                // The deleted shadow is still in the linkRef. This should not happen, but it obviously happens sometimes.
                // Maybe some strange race condition? Anyway, we want a robust behavior and this linkRef should NOT be there.
                // So simply remove it.
                LOGGER.warn("The OID {} of deleted shadow still exists in the linkRef after discovery ({}), removing it", projectionContext.getOid(), reloadedFocusObject);
                swallowUnlinkDelta(focusContext, linkRef);
            }
            continue;
        }
        boolean found = context.getProjectionContexts().stream().anyMatch(pCtx -> linkRef.getOid().equals(pCtx.getOid()));
        if (found) {
            // Continue searching.
            continue;
        }
        // This linkRef is new, it is not in the existing lens context. Is it matching?
        PrismObject<ShadowType> newLinkRepoShadow;
        try {
            // Consider read-only option later (but now the object is inserted into projection context, so using R/W mode).
            newLinkRepoShadow = beans.cacheRepositoryService.getObject(ShadowType.class, linkRef.getOid(), null, result);
        } catch (ObjectNotFoundException e) {
            LoggingUtils.logExceptionAsWarning(LOGGER, "Couldn't resolve {}, unlinking it from the focus {}", e, linkRef.getOid(), reloadedFocus);
            swallowUnlinkDelta(focusContext, linkRef);
            continue;
        }
        if (!ShadowUtil.matches(newLinkRepoShadow, projectionContext.getResourceShadowDiscriminator())) {
            LOGGER.trace("Found new link: {}, but skipping it because it does not match the projection context", newLinkRepoShadow);
            continue;
        }
        LOGGER.trace("Found new matching link: {}, updating projection context", newLinkRepoShadow);
        // MID-3317
        LOGGER.trace("Applying definition from provisioning first.");
        beans.provisioningService.applyDefinition(newLinkRepoShadow, task, result);
        projectionContext.setCurrentObjectAndOid(newLinkRepoShadow);
        // The "exists" information in the projection context can be obsolete - reflecting the fact that
        // resource object couldn't be found.
        projectionContext.setExists(ShadowUtil.isExists(newLinkRepoShadow));
        projectionContext.recompute();
        return true;
    }
    LOGGER.trace(" -> no suitable link found");
    return false;
}

Example 85 with ObjectReferenceType

use of com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType in project midpoint by Evolveum.

the class TestConsistencySimple method cleanUpBeforeTest.

private void cleanUpBeforeTest(Task task, OperationResult result) throws Exception {
    PrismObject<UserType> jack = getUser(USER_JACK_OID);
    display("Jack on start", jack);
    if (!jack.asObjectable().getAssignment().isEmpty()) {
        unassignAccountFromUser(USER_JACK_OID, RESOURCE_DUMMY_OID, SchemaConstants.INTENT_DEFAULT, task, result);
        jack = getUser(USER_JACK_OID);
        display("Jack after initial unassign", jack);
    }
    if (!jack.asObjectable().getLinkRef().isEmpty()) {
        for (ObjectReferenceType ref : jack.asObjectable().getLinkRef()) {
            deleteObject(ShadowType.class, ref.getOid());
        }
        ObjectDelta<UserType> killLinkRefDelta = deltaFor(UserType.class).item(UserType.F_LINK_REF).replace().asObjectDelta(USER_JACK_OID);
        executeChanges(killLinkRefDelta, executeOptions().raw(), task, result);
    }
    List<PrismObject<ShadowType>> jacksShadows = getJacksShadows(result);
    for (PrismObject<ShadowType> shadow : jacksShadows) {
        deleteObject(ShadowType.class, shadow.getOid());
    }
}