use of eu.bcvsolutions.idm.core.api.dto.ResolvedIncompatibleRoleDto in project CzechIdMng by bcvsolutions.
the class IdmRoleRequestControllerRestTest method testGetIncompatibleRolesWithoutRemovedInConcept.
@Test
public void testGetIncompatibleRolesWithoutRemovedInConcept() throws Exception {
IdmRoleRequestDto roleRequest = createDto();
IdmRoleDto roleOne = getHelper().createRole();
IdmRoleDto roleTwo = getHelper().createRole();
IdmRoleDto roleThree = getHelper().createRole();
IdmRoleDto roleFour = getHelper().createRole();
IdmRoleDto roleFive = getHelper().createRole();
IdmRoleDto roleSix = getHelper().createRole();
// assign roles
IdmIdentityDto applicant = identityService.get(roleRequest.getApplicant());
getHelper().createIdentityRole(applicant, roleOne);
getHelper().createIdentityRole(applicant, roleTwo);
IdmIdentityRoleDto identityRole = getHelper().createIdentityRole(applicant, roleThree);
getHelper().createIdentityRole(applicant, roleFour);
// create incompatible roles definition
getHelper().createIncompatibleRole(roleOne, roleTwo);
getHelper().createIncompatibleRole(roleThree, roleFour);
getHelper().createIncompatibleRole(roleOne, roleSix);
//
// create concepts
IdmConceptRoleRequestDto concept = new IdmConceptRoleRequestDto();
concept.setRoleRequest(roleRequest.getId());
concept.setIdentityContract(getHelper().getPrimeContract(applicant).getId());
concept.setRole(roleFour.getId());
concept.setIdentityRole(identityRole.getId());
concept.setOperation(ConceptRoleRequestOperation.REMOVE);
conceptRoleRequestService.save(concept);
concept = new IdmConceptRoleRequestDto();
concept.setRoleRequest(roleRequest.getId());
concept.setIdentityContract(getHelper().getPrimeContract(applicant).getId());
concept.setRole(roleFive.getId());
concept.setOperation(ConceptRoleRequestOperation.ADD);
conceptRoleRequestService.save(concept);
//
String response = getMockMvc().perform(get(String.format("%s/incompatible-roles", getDetailUrl(roleRequest.getId()))).with(authentication(getAdminAuthentication())).contentType(TestHelper.HAL_CONTENT_TYPE)).andExpect(status().isOk()).andExpect(content().contentType(TestHelper.HAL_CONTENT_TYPE)).andReturn().getResponse().getContentAsString();
//
Set<IdmIncompatibleRoleDto> incompatibleRoles = toDtos(response, ResolvedIncompatibleRoleDto.class).stream().map(ResolvedIncompatibleRoleDto::getIncompatibleRole).collect(Collectors.toSet());
Assert.assertEquals(0, incompatibleRoles.size());
}
use of eu.bcvsolutions.idm.core.api.dto.ResolvedIncompatibleRoleDto in project CzechIdMng by bcvsolutions.
the class DefaultIdmIncompatibleRoleService method resolveIncompatibleRoles.
@Override
public Set<ResolvedIncompatibleRoleDto> resolveIncompatibleRoles(List<Serializable> rolesOrIdentifiers) {
// search all defined incompatible roles for given roles - business roles can be given
Set<ResolvedIncompatibleRoleDto> incompatibleRoles = new HashSet<>();
if (CollectionUtils.isEmpty(rolesOrIdentifiers)) {
return incompatibleRoles;
}
LOG.debug("Start resolving incompabible roles [{}]", rolesOrIdentifiers);
//
Set<UUID> allRoleIds = new HashSet<>();
Set<IdmRoleDto> roles = new HashSet<>();
// search all sub roles
for (Serializable roleOrIdentifier : rolesOrIdentifiers) {
if (roleOrIdentifier == null) {
continue;
}
roles.clear();
//
IdmRoleDto directRole = null;
if (roleOrIdentifier instanceof IdmRoleDto) {
directRole = (IdmRoleDto) roleOrIdentifier;
} else {
directRole = (IdmRoleDto) lookupService.lookupDto(IdmRoleDto.class, roleOrIdentifier);
}
if (directRole == null) {
throw new EntityNotFoundException(IdmRole.class, roleOrIdentifier);
}
//
roles.add(directRole);
if (directRole.getChildrenCount() > 0) {
roles.addAll(roleCompositionService.resolveDistinctRoles(roleCompositionService.findAllSubRoles(directRole.getId())));
}
//
// resolve incompatible roles
List<UUID> roleIds = roles.stream().map(IdmRoleDto::getId).collect(Collectors.toList());
//
for (IdmIncompatibleRoleDto incompatibleRole : findAllByRoles(roleIds)) {
// find incompatible roles - we need to know, which from the given role is incompatible => ResolvedIncompatibleRoleDto
incompatibleRoles.add(new ResolvedIncompatibleRoleDto(directRole, incompatibleRole));
}
allRoleIds.addAll(roleIds);
}
//
// both sides of incompatible roles should be in the allRoleIds and superior vs. sub role has to be different.
Set<ResolvedIncompatibleRoleDto> resolvedRoles = incompatibleRoles.stream().filter(ir -> {
// superior vs. sub role has to be different.
return !ir.getIncompatibleRole().getSuperior().equals(ir.getIncompatibleRole().getSub());
}).filter(ir -> {
// superior and sub role has to be in all roles.
return allRoleIds.contains(ir.getIncompatibleRole().getSuperior()) && allRoleIds.contains(ir.getIncompatibleRole().getSub());
}).collect(Collectors.toSet());
//
LOG.debug("Resolved incompabible roles [{}]", resolvedRoles.size());
return resolvedRoles;
}
use of eu.bcvsolutions.idm.core.api.dto.ResolvedIncompatibleRoleDto in project CzechIdMng by bcvsolutions.
the class IdmIdentityController method getIncompatibleRoles.
@ResponseBody
@RequestMapping(value = "/{backendId}/incompatible-roles", method = RequestMethod.GET)
@PreAuthorize("hasAuthority('" + CoreGroupPermission.IDENTITY_READ + "')")
@ApiOperation(value = "Incompatible roles assigned to identity", nickname = "getIdentityIncompatibleRoles", tags = { IdmIdentityController.TAG }, authorizations = { @Authorization(value = SwaggerConfig.AUTHENTICATION_BASIC, scopes = { @AuthorizationScope(scope = CoreGroupPermission.IDENTITY_READ, description = "") }), @Authorization(value = SwaggerConfig.AUTHENTICATION_CIDMST, scopes = { @AuthorizationScope(scope = CoreGroupPermission.IDENTITY_READ, description = "") }) }, notes = "Incompatible roles are resolved from assigned identity roles, which can logged used read.")
public Resources<?> getIncompatibleRoles(@ApiParam(value = "Identity's uuid identifier or username.", required = true) @PathVariable String backendId) {
IdmIdentityDto identity = getDto(backendId);
if (identity == null) {
throw new ResultCodeException(CoreResultCode.NOT_FOUND, ImmutableMap.of("entity", backendId));
}
//
IdmIdentityRoleFilter filter = new IdmIdentityRoleFilter();
filter.setIdentityId(identity.getId());
List<IdmIdentityRoleDto> identityRoles = identityRoleService.find(filter, null, IdmBasePermission.READ).getContent();
//
Set<ResolvedIncompatibleRoleDto> incompatibleRoles = incompatibleRoleService.resolveIncompatibleRoles(identityRoles.stream().map(ir -> {
IdmRoleDto role = DtoUtils.getEmbedded(ir, IdmIdentityRole_.role);
//
return role;
}).collect(Collectors.toList()));
//
return toResources(incompatibleRoles, ResolvedIncompatibleRoleDto.class);
}
use of eu.bcvsolutions.idm.core.api.dto.ResolvedIncompatibleRoleDto in project CzechIdMng by bcvsolutions.
the class IdmRequestRoleController method getIncompatibleRoles.
@ResponseBody
@RequestMapping(value = "/{requestId}" + REQUEST_SUB_PATH + "/{backendId}/incompatible-roles", method = RequestMethod.GET)
@PreAuthorize("hasAuthority('" + CoreGroupPermission.ROLE_READ + "')")
@ApiOperation(value = "Incompatible roles from sub roles and the current request", nickname = "getRequestRoleIncompatibleRoles", tags = { IdmIdentityController.TAG }, authorizations = { @Authorization(value = SwaggerConfig.AUTHENTICATION_BASIC, scopes = { @AuthorizationScope(scope = CoreGroupPermission.ROLE_READ, description = "") }), @Authorization(value = SwaggerConfig.AUTHENTICATION_CIDMST, scopes = { @AuthorizationScope(scope = CoreGroupPermission.ROLE_READ, description = "") }) }, notes = "Incompatible roles from sub roles and the current request.")
public Resources<?> getIncompatibleRoles(@PathVariable @NotNull String requestId, @ApiParam(value = "Roles's uuid identifier or code.", required = true) @PathVariable String backendId) {
IdmRoleDto role = getDto(backendId);
if (role == null) {
if (requestId == null) {
// We are not able compute incompatible roles for not approving role.
throw new ResultCodeException(CoreResultCode.NOT_FOUND, ImmutableMap.of("entity", backendId));
} else {
return toResources(Sets.newLinkedHashSet(), ResolvedIncompatibleRoleDto.class);
}
}
//
// find all sub role composition
List<IdmRoleCompositionDto> subRoles = roleCompositionService.findAllSubRoles(role.getId(), IdmBasePermission.READ);
// extract all sub roles - role above is included thx to composition
Set<IdmRoleDto> distinctRoles = roleCompositionService.resolveDistinctRoles(subRoles);
// resolve incompatible roles defined by business role
Set<ResolvedIncompatibleRoleDto> incompatibleRoles = incompatibleRoleService.resolveIncompatibleRoles(Lists.newArrayList(distinctRoles));
//
return toResources(incompatibleRoles, ResolvedIncompatibleRoleDto.class);
}
use of eu.bcvsolutions.idm.core.api.dto.ResolvedIncompatibleRoleDto in project CzechIdMng by bcvsolutions.
the class DefaultIdmIncompatibleRoleServiceIntegrationTest method testResolveIncompatibleRolesInBulkSubRoles.
@Test
public void testResolveIncompatibleRolesInBulkSubRoles() {
IdmRoleDto superior = getHelper().createRole();
IdmRoleDto superiorTwo = getHelper().createRole();
IdmRoleDto subOne = getHelper().createRole();
IdmRoleDto subTwo = getHelper().createRole();
IdmRoleDto subOneSub = getHelper().createRole();
IdmRoleDto subOneSubSub = getHelper().createRole();
IdmRoleDto three = getHelper().createRole();
IdmRoleDto threeSub = getHelper().createRole();
IdmRoleDto threeSubSub = getHelper().createRole();
getHelper().createRoleComposition(superior, subOne);
getHelper().createRoleComposition(superior, subTwo);
getHelper().createRoleComposition(subOne, subOneSub);
getHelper().createRoleComposition(subOneSub, subOneSubSub);
getHelper().createRoleComposition(three, threeSub);
getHelper().createRoleComposition(threeSub, threeSubSub);
// prepare incompatible roles
getHelper().createIncompatibleRole(subOne, subTwo);
getHelper().createIncompatibleRole(subOneSubSub, threeSubSub);
getHelper().createIncompatibleRole(subTwo, threeSub);
getHelper().createIncompatibleRole(subOne, subOne);
// create superior roles
List<IdmRoleDto> assignRoles = Lists.newArrayList(three, superior, superiorTwo);
//
IdmRoleDto role = getHelper().createRole();
// +1 = 751
int count = 750;
for (int i = 1; i <= count; i++) {
// create some sub roles
IdmRoleDto subRole = getHelper().createRole();
getHelper().createRoleComposition(role, subRole);
getHelper().createIncompatibleRole(threeSubSub, subRole);
//
// assign target system - should exist
// FIXME: move to some new acc test, just backup here ...
// SysSystemDto system = systemService.getByCode("manual-vs");
// SysSystemMappingDto systemMapping = AutowireHelper.getBean(SysSystemMappingService.class).findProvisioningMapping(system.getId(), SystemEntityType.IDENTITY);
// SysRoleSystemDto roleSystem = new SysRoleSystemDto();
// roleSystem.setSystem(system.getId());
// roleSystem.setSystemMapping(systemMapping.getId());
// roleSystem.setRole(role.getId());
// //
// // merge attribute - rights + transformation
// AutowireHelper.getBean(SysRoleSystemAttributeService.class).addRoleMappingAttribute(system.getId(),
// role.getId(), "rights", "return [\"value-" + i +"\"]", IcObjectClassInfo.ACCOUNT);
assignRoles.add(role);
}
//
// prepare owner
IdmIdentityDto identity = getHelper().createIdentity((GuardedString) null);
IdmIdentityContractDto contract = getHelper().getPrimeContract(identity);
//
// prepare request
IdmRoleRequestDto roleRequest = new IdmRoleRequestDto();
roleRequest.setState(RoleRequestState.CONCEPT);
// without approval
roleRequest.setExecuteImmediately(true);
roleRequest.setApplicant(identity.getId());
roleRequest.setRequestedByType(RoleRequestedByType.MANUALLY);
roleRequest = getHelper().getService(IdmRoleRequestService.class).save(roleRequest);
//
for (IdmRoleDto assignRole : assignRoles) {
IdmConceptRoleRequestDto concept = new IdmConceptRoleRequestDto();
concept.setIdentityContract(contract.getId());
concept.setValidFrom(contract.getValidFrom());
concept.setValidTill(contract.getValidTill());
concept.setRole(assignRole.getId());
concept.setOperation(ConceptRoleRequestOperation.ADD);
concept.setRoleRequest(roleRequest.getId());
//
getHelper().getService(IdmConceptRoleRequestService.class).save(concept);
}
long start = System.currentTimeMillis();
//
Set<IdmIncompatibleRoleDto> incompatibleRoles = getHelper().getService(IdmRoleRequestService.class).getIncompatibleRoles(roleRequest).stream().map(ResolvedIncompatibleRoleDto::getIncompatibleRole).collect(Collectors.toSet());
//
long duration = System.currentTimeMillis() - start;
Assert.assertTrue(duration < 5000);
Assert.assertEquals(3 + count, incompatibleRoles.size());
Assert.assertTrue(incompatibleRoles.stream().anyMatch(ir -> {
return ir.getSuperior().equals(subOneSubSub.getId()) && ir.getSub().equals(threeSubSub.getId());
}));
Assert.assertTrue(incompatibleRoles.stream().anyMatch(ir -> {
return ir.getSuperior().equals(subOne.getId()) && ir.getSub().equals(subTwo.getId());
}));
Assert.assertTrue(incompatibleRoles.stream().anyMatch(ir -> {
return ir.getSuperior().equals(subTwo.getId()) && ir.getSub().equals(threeSub.getId());
}));
Assert.assertTrue(incompatibleRoles.stream().anyMatch(ir -> {
return ir.getSuperior().equals(threeSubSub.getId());
}));
}
Aggregations