
@Test
public void testSwitchControlledValue() {
    // Virtual system without a default role, so only the two roles below feed the rights attribute.
    VsSystemDto vsConfig = new VsSystemDto();
    vsConfig.setName(helper.createName());
    vsConfig.setCreateDefaultRole(false);
    SysSystemDto virtualSystem = helper.createVirtualSystem(vsConfig);

    IdmRoleDto firstRole = helper.createRole();
    IdmRoleDto secondRole = helper.createRole();
    SysRoleSystemDto firstRoleSystem = helper.createRoleSystem(firstRole, virtualSystem);
    SysRoleSystemDto secondRoleSystem = helper.createRoleSystem(secondRole, virtualSystem);

    // Locate the mapped rights attribute on the identity provisioning mapping.
    SysSystemMappingDto provisioningMapping = mappingService.findProvisioningMapping(virtualSystem.getId(), SystemEntityType.IDENTITY);
    SysSystemAttributeMappingFilter mappedAttributeFilter = new SysSystemAttributeMappingFilter();
    mappedAttributeFilter.setSystemMappingId(provisioningMapping.getId());
    mappedAttributeFilter.setSchemaAttributeName(RIGHTS_ATTRIBUTE);
    List<SysSystemAttributeMappingDto> mappedAttributes = attributeMappingService.find(mappedAttributeFilter, null).getContent();
    assertEquals(1, mappedAttributes.size());
    SysSystemAttributeMappingDto rightsMapping = mappedAttributes.get(0);

    // Each role overrides the rights attribute with MERGE strategy; the transformation script
    // literally returns the role's constant value.
    SysRoleSystemAttributeDto firstOverride = new SysRoleSystemAttributeDto();
    firstOverride.setName(RIGHTS_ATTRIBUTE);
    firstOverride.setRoleSystem(firstRoleSystem.getId());
    firstOverride.setEntityAttribute(false);
    firstOverride.setExtendedAttribute(false);
    firstOverride.setUid(false);
    firstOverride.setStrategyType(AttributeMappingStrategyType.MERGE);
    firstOverride.setSystemAttributeMapping(rightsMapping.getId());
    firstOverride.setTransformToResourceScript("return '" + ONE_VALUE + "';");
    firstOverride = roleSystemAttributeService.saveInternal(firstOverride);

    SysRoleSystemAttributeDto secondOverride = new SysRoleSystemAttributeDto();
    secondOverride.setName(RIGHTS_ATTRIBUTE);
    secondOverride.setRoleSystem(secondRoleSystem.getId());
    secondOverride.setEntityAttribute(false);
    secondOverride.setExtendedAttribute(false);
    secondOverride.setUid(false);
    secondOverride.setStrategyType(AttributeMappingStrategyType.MERGE);
    secondOverride.setSystemAttributeMapping(rightsMapping.getId());
    secondOverride.setTransformToResourceScript("return '" + TWO_VALUE + "';");
    secondOverride = roleSystemAttributeService.saveInternal(secondOverride);

    // Assigning both roles provisions one account on the virtual system.
    IdmIdentityDto identity = helper.createIdentity();
    helper.createIdentityRole(identity, firstRole);
    helper.createIdentityRole(identity, secondRole);

    AccAccountFilter accountFilter = new AccAccountFilter();
    accountFilter.setSystemId(virtualSystem.getId());
    List<AccAccountDto> provisionedAccounts = accountService.find(accountFilter, null).getContent();
    assertEquals(1, provisionedAccounts.size());
    AccAccountDto provisionedAccount = provisionedAccounts.get(0);

    // Both merged values are expected on the target system.
    IcConnectorObject targetObject = accountService.getConnectorObject(provisionedAccount);
    IcAttribute targetRights = targetObject.getAttributeByName(RIGHTS_ATTRIBUTE);
    List<Object> targetRightsValues = targetRights.getValues();
    assertEquals(2, targetRightsValues.size());
    assertTrue(targetRightsValues.contains(ONE_VALUE));
    assertTrue(targetRightsValues.contains(TWO_VALUE));

    // Switch the first role's controlled value to a new one.
    String changedValue = ONE_VALUE + "_changed";
    firstOverride.setTransformToResourceScript("return '" + changedValue + "';");
    firstOverride = roleSystemAttributeService.saveInternal(firstOverride);

    // The previous value must now be recorded as a historic controlled value.
    SysAttributeControlledValueFilter historicFilter = new SysAttributeControlledValueFilter();
    historicFilter.setHistoricValue(Boolean.TRUE);
    historicFilter.setAttributeMappingId(rightsMapping.getId());
    List<SysAttributeControlledValueDto> historicValues = controlledValueService.find(historicFilter, null).getContent();
    assertEquals(1, historicValues.size());
    assertEquals(ONE_VALUE, historicValues.get(0).getValue());

    // Drop the historic value: from now on the old value is no longer under IdM control,
    // so provisioning must leave it on the target system instead of removing it.
    controlledValueService.delete(historicValues.get(0));

    // Trigger provisioning again.
    identityService.save(identity);

    // Old value stays (uncontrolled), changed value is added, second value untouched.
    provisionedAccounts = accountService.find(accountFilter, null).getContent();
    assertEquals(1, provisionedAccounts.size());
    provisionedAccount = provisionedAccounts.get(0);
    targetObject = accountService.getConnectorObject(provisionedAccount);
    targetRights = targetObject.getAttributeByName(RIGHTS_ATTRIBUTE);
    targetRightsValues = targetRights.getValues();
    assertEquals(3, targetRightsValues.size());
    assertTrue(targetRightsValues.contains(ONE_VALUE));
    assertTrue(targetRightsValues.contains(TWO_VALUE));
    assertTrue(targetRightsValues.contains(changedValue));
}

@Test
public void testChangeControlledValue() {
    // Virtual system without a default role, so only the two roles below feed the rights attribute.
    VsSystemDto vsConfig = new VsSystemDto();
    vsConfig.setName(helper.createName());
    vsConfig.setCreateDefaultRole(false);
    SysSystemDto virtualSystem = helper.createVirtualSystem(vsConfig);

    IdmRoleDto firstRole = helper.createRole();
    IdmRoleDto secondRole = helper.createRole();
    SysRoleSystemDto firstRoleSystem = helper.createRoleSystem(firstRole, virtualSystem);
    SysRoleSystemDto secondRoleSystem = helper.createRoleSystem(secondRole, virtualSystem);

    // Locate the mapped rights attribute on the identity provisioning mapping.
    SysSystemMappingDto provisioningMapping = mappingService.findProvisioningMapping(virtualSystem.getId(), SystemEntityType.IDENTITY);
    SysSystemAttributeMappingFilter mappedAttributeFilter = new SysSystemAttributeMappingFilter();
    mappedAttributeFilter.setSystemMappingId(provisioningMapping.getId());
    mappedAttributeFilter.setSchemaAttributeName(RIGHTS_ATTRIBUTE);
    List<SysSystemAttributeMappingDto> mappedAttributes = attributeMappingService.find(mappedAttributeFilter, null).getContent();
    assertEquals(1, mappedAttributes.size());
    SysSystemAttributeMappingDto rightsMapping = mappedAttributes.get(0);

    // Each role overrides the rights attribute with MERGE strategy; the transformation script
    // literally returns the role's constant value.
    SysRoleSystemAttributeDto firstOverride = new SysRoleSystemAttributeDto();
    firstOverride.setName(RIGHTS_ATTRIBUTE);
    firstOverride.setRoleSystem(firstRoleSystem.getId());
    firstOverride.setEntityAttribute(false);
    firstOverride.setExtendedAttribute(false);
    firstOverride.setUid(false);
    firstOverride.setStrategyType(AttributeMappingStrategyType.MERGE);
    firstOverride.setSystemAttributeMapping(rightsMapping.getId());
    firstOverride.setTransformToResourceScript("return '" + ONE_VALUE + "';");
    firstOverride = roleSystemAttributeService.saveInternal(firstOverride);

    SysRoleSystemAttributeDto secondOverride = new SysRoleSystemAttributeDto();
    secondOverride.setName(RIGHTS_ATTRIBUTE);
    secondOverride.setRoleSystem(secondRoleSystem.getId());
    secondOverride.setEntityAttribute(false);
    secondOverride.setExtendedAttribute(false);
    secondOverride.setUid(false);
    secondOverride.setStrategyType(AttributeMappingStrategyType.MERGE);
    secondOverride.setSystemAttributeMapping(rightsMapping.getId());
    secondOverride.setTransformToResourceScript("return '" + TWO_VALUE + "';");
    secondOverride = roleSystemAttributeService.saveInternal(secondOverride);

    IdmIdentityDto identity = helper.createIdentity();
    helper.createIdentityRole(identity, firstRole);
    helper.createIdentityRole(identity, secondRole);

    // Change the first role's controlled value while the old one is still controlled.
    String changedValue = ONE_VALUE + "_changed";
    firstOverride.setTransformToResourceScript("return '" + changedValue + "';");
    firstOverride = roleSystemAttributeService.saveInternal(firstOverride);

    // Trigger provisioning.
    identityService.save(identity);

    // The old value is still under IdM control, so it must be replaced on the target system:
    // only the second value and the changed value remain.
    AccAccountFilter accountFilter = new AccAccountFilter();
    accountFilter.setSystemId(virtualSystem.getId());
    List<AccAccountDto> provisionedAccounts = accountService.find(accountFilter, null).getContent();
    assertEquals(1, provisionedAccounts.size());
    AccAccountDto provisionedAccount = provisionedAccounts.get(0);
    IcConnectorObject targetObject = accountService.getConnectorObject(provisionedAccount);
    IcAttribute targetRights = targetObject.getAttributeByName(RIGHTS_ATTRIBUTE);
    List<Object> targetRightsValues = targetRights.getValues();
    assertEquals(2, targetRightsValues.size());
    assertTrue(targetRightsValues.contains(TWO_VALUE));
    assertTrue(targetRightsValues.contains(changedValue));
}

/**
 * Lets the external system control which users hold the given role: members read from the
 * role's members attribute are translated to user UIDs, missing identity roles are assigned and
 * identity roles whose contract is no longer a member are removed.
 *
 * @param isNew whether the role was just created by this synchronization
 * @param context synchronization context holding the mapped attributes
 * @param roleDto the synchronized role
 * @param config role synchronization configuration (member identifier attribute, cancel flag)
 * @param logItem item log that receives progress messages
 * @param connectorObject the object read from the external system
 * @param memberOfAttributeDto mapped "member of" attribute used to locate the role-system relation
 * @param schemaObjectClassDto object class of the user system
 * @return {@code false} when processing must stop (no role-system relation, no member attribute,
 *         a member could not be translated, or the synchronization was cancelled); {@code true} otherwise
 * @throws IllegalArgumentException when the members mapping, the member identifier attribute or the
 *         shape of the members value does not match expectations (see the {@code Assert} calls)
 */
private boolean resolveAssignRole(boolean isNew, SynchronizationContext context, IdmRoleDto roleDto, SysSyncRoleConfigDto config, SysSyncItemLogDto logItem, IcConnectorObject connectorObject, SysSystemAttributeMappingDto memberOfAttributeDto, SysSchemaObjectClassDto schemaObjectClassDto) {
    // Mapped entity attribute that carries the role's members (DNs) from the external system.
    SysSystemAttributeMappingDto membersMapping = context.getMappedAttributes().stream()
            .filter(mapped -> !mapped.isDisabledAttribute())
            .filter(mapped -> mapped.isEntityAttribute())
            .filter(mapped -> ROLE_MEMBERS_FIELD.equals(mapped.getIdmPropertyName()))
            .findFirst()
            .orElse(null);
    Assert.notNull(membersMapping, "Mapped attribute with role's members was not found. Please create it!");

    // CREATE strategy means "set only for a new entity": an existing role keeps its assignments.
    if (!isNew && AttributeMappingStrategyType.CREATE == membersMapping.getStrategyType()) {
        addToItemLog(logItem, "The attribute with role's members has strategy set to 'Set only for new entity'. Role isn't new, so resolving controlling an assignment of roles to users by the external system will be skipped for this role.");
        return true;
    }
    addToItemLog(logItem, "Controlling an assignment of roles to users by the external system is activated.");

    // The members value comes from the external system: normalise null / single value to a list.
    Object rawMembers = this.getValueByMappedAttribute(membersMapping, connectorObject.getAttributes(), context);
    if (rawMembers == null) {
        rawMembers = Lists.newArrayList();
    }
    if (rawMembers instanceof String) {
        rawMembers = Lists.newArrayList(rawMembers);
    }
    Assert.isInstanceOf(List.class, rawMembers, "The value from attribute with role's members must be List of Strings!");
    @SuppressWarnings("unchecked")
    List<String> members = (List<String>) rawMembers;

    SysRoleSystemDto roleSystem = findRoleSystemDto(roleDto, memberOfAttributeDto, schemaObjectClassDto);
    if (roleSystem == null) {
        addToItemLog(logItem, "Relation between this role and system was not found. Assigning of role to users will be skip for this role.");
        return false;
    }
    if (findMemberAttribute(memberOfAttributeDto, schemaObjectClassDto, roleSystem) == null) {
        addToItemLog(logItem, "The member attribute between this role and system was not found. Assigning of role to users will be skip for this role.");
        return false;
    }

    // Identity roles currently assigned for this role.
    IdmIdentityRoleFilter assignedFilter = new IdmIdentityRoleFilter();
    assignedFilter.setRoleId(roleDto.getId());
    List<IdmIdentityRoleDto> assignedIdentityRoles = identityRoleService.find(assignedFilter, null).getContent();

    // DN -> UID cache shared across roles, so each user is looked up on the user system only once.
    Map<String, String> dnToUidCache = getUserUidCache();
    SysSchemaAttributeDto memberIdentifierAttribute = lookupService.lookupEmbeddedDto(config, SysSyncRoleConfig_.memberIdentifierAttribute);
    Assert.notNull(memberIdentifierAttribute, "User identifier attribute cannot be null!");

    Set<String> resolvedUids = Sets.newHashSet();
    Set<UUID> confirmedContractIds = Sets.newHashSet();

    SysSystemDto userSystem = systemService.get(roleSystem.getSystem());
    IcConnectorConfiguration connectorConfig = systemService.getConnectorConfiguration(userSystem);
    IcConnectorInstance connectorInstance = systemService.getConnectorInstance(userSystem);
    IcObjectClass objectClass = new IcObjectClassImpl(schemaObjectClassDto.getObjectClassName());
    if (connectorConfig instanceof IcConnectorConfigurationImpl) {
        // Pooling avoids reconnecting to the user system for every member lookup.
        ((IcConnectorConfigurationImpl) connectorConfig).setConnectorPoolingSupported(true);
    }

    // Shared mutable counter for progress reporting inside the helpers.
    final int[] progress = { 0 };
    for (String memberDn : members) {
        boolean translated = transformDnToUid(config, dnToUidCache, memberIdentifierAttribute, resolvedUids, connectorConfig, connectorInstance, objectClass, progress, memberDn);
        if (!translated) {
            return false;
        }
    }

    progress[0] = 0;
    for (String uid : resolvedUids) {
        assignMissingIdentityRoles(roleDto, config, logItem, assignedIdentityRoles, confirmedContractIds, userSystem, progress, uid, context);
    }
    if (!checkForCancelAndFlush(config)) {
        return false;
    }

    // Anything assigned for a contract the external system did not confirm is redundant.
    List<IdmIdentityRoleDto> redundantIdentityRoles = assignedIdentityRoles.stream()
            .filter(assigned -> !confirmedContractIds.contains(assigned.getIdentityContract()))
            .collect(Collectors.toList());
    progress[0] = 0;
    for (IdmIdentityRoleDto redundant : redundantIdentityRoles) {
        removeRedundantIdentityRoles(roleDto, config, logItem, progress, redundant);
    }
    return true;
}

/**
 * Resolves the role's membership relation on the target system.
 *
 * The role identifier (DN) is read through the mapped {@code ROLE_MEMBERSHIP_ID_FIELD} attribute.
 * A non-null identifier creates or updates the role-system relation and its member attribute;
 * a null identifier deletes the member attribute and, when no other attribute remains, the
 * role-system relation itself.
 *
 * @param isNew whether the role was just created by this synchronization
 * @param context synchronization context holding the mapped attributes
 * @param roleDto the synchronized role
 * @param config role synchronization configuration; its member-of attribute must be set
 * @param logItem item log that receives progress messages
 * @param connectorObject the object read from the external system
 * @param memberOfAttributeDto mapped "member of" attribute of the user system
 * @param schemaObjectClassDto object class of the user system
 * @return {@code false} when the identifier was null and processing of the role ends here,
 *         {@code true} otherwise
 * @throws IllegalArgumentException when the member-of attribute or the identifier mapping is missing,
 *         or the identifier value is not a {@code String} (see the {@code Assert} calls)
 */
private boolean resolveMembership(boolean isNew, SynchronizationContext context, IdmRoleDto roleDto, SysSyncRoleConfigDto config, SysSyncItemLogDto logItem, IcConnectorObject connectorObject, SysSystemAttributeMappingDto memberOfAttributeDto, SysSchemaObjectClassDto schemaObjectClassDto) {
    UUID memberOfAttribute = config.getMemberOfAttribute();
    Assert.notNull(memberOfAttribute, "Member attribute cannot be null!");

    // Mapped entity attribute that carries the role identifier (DN).
    SysSystemAttributeMappingDto identifierMapping = context.getMappedAttributes().stream()
            .filter(mapped -> !mapped.isDisabledAttribute())
            .filter(mapped -> mapped.isEntityAttribute())
            .filter(mapped -> ROLE_MEMBERSHIP_ID_FIELD.equals(mapped.getIdmPropertyName()))
            .findFirst()
            .orElse(null);
    Assert.notNull(identifierMapping, "Role identifier attribute cannot be null!");

    // CREATE strategy means "set only for a new entity": an existing role keeps its membership.
    boolean createOnly = AttributeMappingStrategyType.CREATE == identifierMapping.getStrategyType();
    if (createOnly && !isNew) {
        addToItemLog(logItem, "The attribute with role identifier has strategy set to 'Set only for new entity'. Role isn't new, so resolving of membership will be skipped for this role.");
        return true;
    }
    addToItemLog(logItem, MessageFormat.format("Resolving of membership is activated for this role {0}.", roleDto.getCode()));

    Object identifierValue = this.getValueByMappedAttribute(identifierMapping, connectorObject.getAttributes(), context);
    if (identifierValue == null) {
        // A null identifier means the role should no longer be linked to the system.
        addToItemLog(logItem, "The role identifier form a transformation is null -> We will try to delete role-system relation and member attribute.");
        SysRoleSystemDto existingRoleSystem = findRoleSystemDto(roleDto, memberOfAttributeDto, schemaObjectClassDto);
        if (existingRoleSystem != null) {
            SysRoleSystemAttributeDto memberAttribute = findMemberAttribute(memberOfAttributeDto, schemaObjectClassDto, existingRoleSystem);
            if (memberAttribute != null) {
                roleSystemAttributeService.delete(memberAttribute);
                addToItemLog(logItem, MessageFormat.format("Member attribute {0} was deleted.", memberAttribute.getName()));
            }
            // Only drop the relation when no other attribute still depends on it.
            SysRoleSystemAttributeDto remainingAttribute = findMemberAttribute(null, schemaObjectClassDto, existingRoleSystem);
            if (remainingAttribute == null) {
                roleSystemService.delete(existingRoleSystem);
                addToItemLog(logItem, MessageFormat.format("Role-system relation {0} was deleted.", existingRoleSystem.getId()));
            }
        }
        return false;
    }

    Assert.isInstanceOf(String.class, identifierValue, "Role identifier must be String!");
    String roleIdentifier = (String) identifierValue;

    // Create or update the role-system relation, then its member attribute (e.g. ldapGroups).
    SysRoleSystemDto roleSystem = resolveRoleSystem(roleDto, memberOfAttributeDto, schemaObjectClassDto);
    resolveMemberAttribute(logItem, memberOfAttributeDto, roleIdentifier, schemaObjectClassDto, roleSystem);
    return true;
}

/**
 * Returns every role-system attribute that overrides a mapped attribute for the given identity
 * account on the given system.
 *
 * Attributes overridden through the identity-account relation are always included. Attributes
 * from cross-domain groups or no-login roles are added only when no override touches the UID
 * attribute, because those are applied per identity rather than per account.
 *
 * @param entity identity the account belongs to
 * @param system target system
 * @param account account on the target system
 * @param entityType entity type used to select the provisioning mapping
 * @return the overriding attributes; empty when the system has no mapping for the entity type
 */
@Override
protected List<SysRoleSystemAttributeDto> findOverloadingAttributes(IdmIdentityDto entity, SysSystemDto system, AccAccountDto account, SystemEntityType entityType) {
    List<SysRoleSystemAttributeDto> overrides = new ArrayList<>();
    SysSystemMappingDto mapping = getMapping(system, entityType);
    if (mapping == null) {
        return overrides;
    }

    // Overrides bound to this concrete account through the identity-account relation.
    SysRoleSystemAttributeFilter accountFilter = new SysRoleSystemAttributeFilter();
    accountFilter.setSystemMappingId(mapping.getId());
    accountFilter.setAccountId(account.getId());
    accountFilter.setIdentityId(entity.getId());
    List<SysRoleSystemAttributeDto> accountOverrides = roleSystemAttributeService.find(accountFilter, null).getContent();
    if (!CollectionUtils.isEmpty(accountOverrides)) {
        overrides.addAll(accountOverrides);
    }

    // An overridden UID disables the per-identity additions below.
    boolean uidOverridden = overrides.stream().anyMatch(SysRoleSystemAttributeDto::isUid);
    if (uidOverridden) {
        return overrides;
    }

    // Cross-domain group / no-login role overrides are resolved for the identity, not the
    // account, so they are added to every account of the identity.
    SysRoleSystemAttributeFilter identityFilter = new SysRoleSystemAttributeFilter();
    identityFilter.setRoleSystemRelationForIdentityId(entity.getId());
    identityFilter.setSystemMappingId(mapping.getId());
    identityFilter.setInCrossDomainGroupOrIsNoLogin(Boolean.TRUE);
    List<SysRoleSystemAttributeDto> identityOverrides = roleSystemAttributeService.find(identityFilter, null).getContent();
    if (!CollectionUtils.isEmpty(identityOverrides)) {
        overrides.addAll(identityOverrides);
    }
    return overrides;
}