Examples with ValuePolicyType com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType used on opensource projects

Example 1 with ValuePolicyType

use of com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType in project midpoint by Evolveum.

the class TestMappingDynamicSimple method generatePolicyNumeric.

private <T> void generatePolicyNumeric(final String TEST_NAME, String mappingFileName, String policyFileName, String extensionPropName, Class<T> clazz) throws Exception {
    TestUtil.displayTestTile(TEST_NAME);
    // This is just for validation. The expression has to resolve reference of its own
    PrismObject<ValuePolicyType> valuePolicy = PrismTestUtil.parseObject(new File(MidPointTestConstants.OBJECTS_DIR, policyFileName));
    final StringPolicyType stringPolicy = valuePolicy.asObjectable().getStringPolicy();
    // GIVEN
    Mapping<PrismPropertyValue<T>, PrismPropertyDefinition<T>> mapping = evaluator.<T>createMappingBuilder(mappingFileName, TEST_NAME, stringPolicy, new ItemPath(UserType.F_EXTENSION, new QName(NS_EXTENSION, extensionPropName)), null).build();
    OperationResult opResult = new OperationResult(TEST_NAME);
    // WHEN (1)
    mapping.evaluate(null, opResult);
    // THEN (1)
    PrismValueDeltaSetTriple<PrismPropertyValue<T>> outputTriple = mapping.getOutputTriple();
    outputTriple.checkConsistence();
    T value1 = MappingTestEvaluator.getSingleValue("plus set", outputTriple.getZeroSet());
    PrismAsserts.assertTripleNoPlus(outputTriple);
    PrismAsserts.assertTripleNoMinus(outputTriple);
    System.out.println("Generated value (1): " + value1);
    assertNotNull("Generated null value", value1);
    // We need to ignore the minLength. Conversion string -> number -> string may lose the leading zeroes
    assertGeneratedValue(value1.toString(), stringPolicy, PATTERN_NUMERIC, true, false);
    // GIVEN (2)
    mapping = evaluator.<T>createMappingBuilder(mappingFileName, TEST_NAME, stringPolicy, new ItemPath(UserType.F_EXTENSION, new QName(NS_EXTENSION, extensionPropName)), null).build();
    // WHEN (2)
    mapping.evaluate(null, opResult);
    // THEN (2)
    outputTriple = mapping.getOutputTriple();
    outputTriple.checkConsistence();
    T value2 = MappingTestEvaluator.getSingleValue("plus set", outputTriple.getZeroSet());
    System.out.println("Generated value (2): " + value2);
    assertNotNull("Generated null value", value2);
    PrismAsserts.assertTripleNoPlus(outputTriple);
    PrismAsserts.assertTripleNoMinus(outputTriple);
    assertFalse("Generated the same value", value1.equals(value2));
    assertGeneratedValue(value1.toString(), stringPolicy, PATTERN_NUMERIC, true, false);
}

Example 2 with ValuePolicyType

use of com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType in project midpoint by Evolveum.

the class ProjectionCredentialsProcessor method processProjectionPasswordMapping.

private <F extends FocusType> void processProjectionPasswordMapping(LensContext<F> context, final LensProjectionContext projCtx, final ValuePolicyType passwordPolicy, XMLGregorianCalendar now, Task task, OperationResult result) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
    LensFocusContext<F> focusContext = context.getFocusContext();
    PrismObject<F> userNew = focusContext.getObjectNew();
    if (userNew == null) {
        // This must be a user delete or something similar. No point in proceeding
        LOGGER.trace("userNew is null, skipping credentials processing");
        return;
    }
    PrismObjectDefinition<ShadowType> accountDefinition = prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(ShadowType.class);
    PrismPropertyDefinition<ProtectedStringType> projPasswordPropertyDefinition = accountDefinition.findPropertyDefinition(SchemaConstants.PATH_PASSWORD_VALUE);
    ResourceShadowDiscriminator rsd = projCtx.getResourceShadowDiscriminator();
    RefinedObjectClassDefinition refinedProjDef = projCtx.getStructuralObjectClassDefinition();
    if (refinedProjDef == null) {
        LOGGER.trace("No RefinedObjectClassDefinition, therefore also no password outbound definition, skipping credentials processing for projection {}", rsd);
        return;
    }
    List<MappingType> outboundMappingTypes = refinedProjDef.getPasswordOutbound();
    if (outboundMappingTypes == null || outboundMappingTypes.isEmpty()) {
        LOGGER.trace("No outbound password mapping for {}, skipping credentials processing", rsd);
        return;
    }
    // HACK
    if (!projCtx.isDoReconciliation() && !projCtx.isAdd() && !isActivated(outboundMappingTypes, focusContext.getDelta())) {
        LOGGER.trace("Outbound password mappings not activated for type {}, skipping credentials processing", rsd);
        return;
    }
    final ObjectDelta<ShadowType> projDelta = projCtx.getDelta();
    final PropertyDelta<ProtectedStringType> projPasswordDelta;
    if (projDelta != null && projDelta.getChangeType() == MODIFY) {
        projPasswordDelta = projDelta.findPropertyDelta(SchemaConstants.PATH_PASSWORD_VALUE);
    } else {
        projPasswordDelta = null;
    }
    checkExistingDeltaSanity(projCtx, projPasswordDelta);
    boolean evaluateWeak = getEvaluateWeak(projCtx);
    final ItemDeltaItem<PrismPropertyValue<PasswordType>, PrismPropertyDefinition<ProtectedStringType>> userPasswordIdi = focusContext.getObjectDeltaObject().findIdi(SchemaConstants.PATH_PASSWORD_VALUE);
    StringPolicyResolver stringPolicyResolver = new StringPolicyResolver() {

        @Override
        public void setOutputPath(ItemPath outputPath) {
        }

        @Override
        public void setOutputDefinition(ItemDefinition outputDefinition) {
        }

        @Override
        public StringPolicyType resolve() {
            if (passwordPolicy == null) {
                return null;
            }
            return passwordPolicy.getStringPolicy();
        }
    };
    MappingInitializer<PrismPropertyValue<ProtectedStringType>, PrismPropertyDefinition<ProtectedStringType>> initializer = (builder) -> {
        builder.defaultTargetDefinition(projPasswordPropertyDefinition);
        builder.defaultSource(new Source<>(userPasswordIdi, ExpressionConstants.VAR_INPUT));
        builder.stringPolicyResolver(stringPolicyResolver);
        return builder;
    };
    MappingOutputProcessor<PrismPropertyValue<ProtectedStringType>> processor = (mappingOutputPath, outputStruct) -> {
        PrismValueDeltaSetTriple<PrismPropertyValue<ProtectedStringType>> outputTriple = outputStruct.getOutputTriple();
        if (outputTriple == null) {
            LOGGER.trace("Credentials 'password' expression resulted in null output triple, skipping credentials processing for {}", rsd);
            return false;
        }
        boolean projectionIsNew = projDelta != null && (projDelta.getChangeType() == ChangeType.ADD || projCtx.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.ADD);
        Collection<PrismPropertyValue<ProtectedStringType>> newValues = outputTriple.getPlusSet();
        if (projectionIsNew) {
            newValues = outputTriple.getNonNegativeValues();
        } else {
            newValues = outputTriple.getPlusSet();
        }
        if (!canGetCleartext(newValues)) {
            ObjectDelta<ShadowType> projectionPrimaryDelta = projCtx.getPrimaryDelta();
            if (projectionPrimaryDelta != null) {
                PropertyDelta<ProtectedStringType> passwordPrimaryDelta = projectionPrimaryDelta.findPropertyDelta(SchemaConstants.PATH_PASSWORD_VALUE);
                if (passwordPrimaryDelta != null) {
                    // We have only hashed value coming from the mapping. There are not very useful
                    // for provisioning. But we have primary projection delta - and that is very likely
                    // to be better.
                    // Skip all password mappings in this case. Primary delta trumps everything. 
                    // No weak, normal or even strong mapping can change that.
                    // We need to disregard even strong mapping in this case. If we would heed the strong
                    // mapping then account initialization won't be possible.
                    LOGGER.trace("We have primary password delta in projection, skipping credentials processing");
                    return false;
                }
            }
        }
        return true;
    };
    mappingEvaluator.evaluateOutboundMapping(context, projCtx, outboundMappingTypes, SchemaConstants.PATH_PASSWORD_VALUE, SchemaConstants.PATH_PASSWORD_VALUE, initializer, processor, now, true, evaluateWeak, "password mapping", task, result);
}

Example 3 with ValuePolicyType

use of com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType in project midpoint by Evolveum.

the class SecurityHelper method postProcessCredentialPolicy.

private ValuePolicyType postProcessCredentialPolicy(SecurityPolicyType securityPolicyType, CredentialPolicyType credPolicy, String credShortDesc, Task task, OperationResult result) {
    ObjectReferenceType valuePolicyRef = credPolicy.getValuePolicyRef();
    if (valuePolicyRef == null) {
        return null;
    }
    ValuePolicyType valuePolicyType;
    try {
        valuePolicyType = objectResolver.resolve(valuePolicyRef, ValuePolicyType.class, null, credShortDesc + " in " + securityPolicyType, task, result);
    } catch (ObjectNotFoundException | SchemaException e) {
        LOGGER.warn("{} {} referenced from {} was not found", credShortDesc, valuePolicyRef.getOid(), securityPolicyType);
        return null;
    }
    valuePolicyRef.asReferenceValue().setObject(valuePolicyType.asPrismObject());
    return valuePolicyType;
}

Example 4 with ValuePolicyType

use of com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType in project midpoint by Evolveum.

the class SecurityHelper method resolveGlobalPasswordPolicy.

private <F extends FocusType> SecurityPolicyType resolveGlobalPasswordPolicy(PrismObject<F> user, SystemConfigurationType systemConfiguration, Task task, OperationResult result) {
    ObjectReferenceType globalPasswordPolicyRef = systemConfiguration.getGlobalPasswordPolicyRef();
    if (globalPasswordPolicyRef != null) {
        try {
            ValuePolicyType globalPasswordPolicyType = objectResolver.resolve(globalPasswordPolicyRef, ValuePolicyType.class, null, "global security policy reference in system configuration", task, result);
            LOGGER.trace("Using global password policy: {}", globalPasswordPolicyType);
            SecurityPolicyType policy = postProcessPasswordPolicy(globalPasswordPolicyType);
            traceSecurityPolicy(policy, user);
            return policy;
        } catch (ObjectNotFoundException | SchemaException e) {
            LOGGER.error(e.getMessage(), e);
            traceSecurityPolicy(null, user);
            return null;
        }
    }
    return null;
}

Example 5 with ValuePolicyType

use of com.evolveum.midpoint.xml.ns._public.common.common_3.ValuePolicyType in project midpoint by Evolveum.

the class SecurityHelper method locateSecurityPolicy.

/**
     * Returns security policy applicable for the specified user. It looks for organization and global policies and takes into account
     * deprecated properties and password policy references. The resulting security policy has all the (non-deprecated) properties set.
     * If there is also referenced value policy, it is will be stored as "object" in the value policy reference inside the
     * returned security policy.
     */
public <F extends FocusType> SecurityPolicyType locateSecurityPolicy(PrismObject<F> user, PrismObject<SystemConfigurationType> systemConfiguration, Task task, OperationResult result) throws SchemaException {
    PrismObject<SecurityPolicyType> orgSecurityPolicy = objectResolver.searchOrgTreeWidthFirstReference(user, o -> o.asObjectable().getSecurityPolicyRef(), "security policy", task, result);
    LOGGER.trace("Found organization security policy: {}", orgSecurityPolicy);
    if (orgSecurityPolicy != null) {
        SecurityPolicyType orgSecurityPolicyType = orgSecurityPolicy.asObjectable();
        postProcessSecurityPolicy(orgSecurityPolicyType, task, result);
        traceSecurityPolicy(orgSecurityPolicyType, user);
        return orgSecurityPolicyType;
    }
    if (systemConfiguration != null) {
        SecurityPolicyType globalSecurityPolicy = resolveGlobalSecurityPolicy(user, systemConfiguration.asObjectable(), task, result);
        if (globalSecurityPolicy != null) {
            return globalSecurityPolicy;
        }
    }
    // DEPRECATED, legacy
    PrismObject<ValuePolicyType> orgPasswordPolicy = objectResolver.searchOrgTreeWidthFirstReference(user, o -> o.asObjectable().getPasswordPolicyRef(), "security policy", task, result);
    LOGGER.trace("Found organization password policy: {}", orgPasswordPolicy);
    if (orgPasswordPolicy != null) {
        SecurityPolicyType policy = postProcessPasswordPolicy(orgPasswordPolicy.asObjectable());
        traceSecurityPolicy(policy, user);
        return policy;
    }
    if (systemConfiguration != null) {
        SecurityPolicyType globalPasswordPolicy = resolveGlobalPasswordPolicy(user, systemConfiguration.asObjectable(), task, result);
        if (globalPasswordPolicy != null) {
            return globalPasswordPolicy;
        }
    }
    return null;
}