[midPoint-git] [Evolveum/midpoint] c55b06: Check indirect assignments during authentication

mederly noreply at github.com
Fri Sep 23 23:59:05 CEST 2022


  Branch: refs/heads/master
  Home:   https://github.com/Evolveum/midpoint
  Commit: c55b06e90cc49b25365e8a7cf6f5086aaacb987b
      https://github.com/Evolveum/midpoint/commit/c55b06e90cc49b25365e8a7cf6f5086aaacb987b
  Author: Pavol Mederly <mederly at evolveum.com>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M infra/schema/src/main/resources/xml/ns/public/common/common-security-3.xsd
    M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/evaluator/AuthenticationEvaluatorImpl.java
    M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/provider/MidPointAbstractAuthenticationProvider.java
    M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/provider/MidPointLdapAuthenticationProvider.java
    M model/authentication-impl/src/test/java/com/evolveum/midpoint/authentication/evaluator/TestAbstractAuthenticationEvaluator.java
    M model/authentication-impl/src/test/java/com/evolveum/midpoint/authentication/evaluator/TestNonceAuthenticationEvaluator.java
    M model/authentication-impl/src/test/java/com/evolveum/midpoint/authentication/evaluator/TestPasswordAuthenticationEvaluator.java
    M model/authentication-impl/src/test/java/com/evolveum/midpoint/authentication/evaluator/TestSecurityQuestionsAuthenticationEvaluator.java
    A model/authentication-impl/src/test/resources/common/role-blue.xml
    A model/authentication-impl/src/test/resources/common/role-red.xml
    A model/authentication-impl/src/test/resources/common/role-yellow.xml
    M model/authentication-impl/src/test/resources/common/user-guybrush.xml
    M model/authentication-impl/src/test/resources/common/user-jack.xml
    A model/authentication-impl/src/test/resources/common/user-painter.xml
    M model/model-api/src/main/java/com/evolveum/midpoint/model/api/context/AbstractAuthenticationContext.java
    M model/model-api/src/main/java/com/evolveum/midpoint/model/api/context/NonceAuthenticationContext.java
    M model/model-api/src/main/java/com/evolveum/midpoint/model/api/context/PreAuthenticationContext.java
    M model/model-api/src/main/java/com/evolveum/midpoint/model/api/util/AuthenticationEvaluatorUtil.java

  Log Message:
  -----------
  Check indirect assignments during authentication

Targets mentioned in "requireAssignmentTarget" were checked among
direct ones. This might be inconvenient for deployments that use role
inducements. Moreover, it did not take validity and conditions into
account. (The actual implementation also ignored relations.)

This is now fixed, and the matching is done on roleMembershipRef.
OID, type, and relation are checked. Resource assignments are not
supported.

!!! This commit can be considered a behavior change. !!!

This fixes MID-8123.

Unrelated change: Added PCV ID attribute to containers in
common-security-3.xsd. This should fix XSD compliance in MidPoint
Studio.




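The behaviour change described in the log message, modelled as an added Java example that is not code from the commit or from midPoint. The record types, OIDs and relation strings are constructed stand-ins, and `directCheck` is a simplified model of the old behaviour as the message describes it.

```java
import java.util.List;

// Added illustration: all types and values are hypothetical stand-ins, not midPoint classes.
public class RequireAssignmentTargetDemo {
    // A reference with the three parts the commit says are now checked.
    record Ref(String oid, String type, String relation) {}
    // A direct assignment; active=false models expired validity or a false condition.
    record Assignment(Ref target, boolean active) {}
    // roleMembershipRef holds effective memberships, direct and induced.
    record User(String name, List<Assignment> assignments, List<Ref> roleMembershipRef) {}

    // Simplified model of the old behaviour: direct assignments only,
    // relation, validity and conditions not considered.
    static boolean directCheck(User u, Ref required) {
        return u.assignments().stream().anyMatch(a ->
                a.target().oid().equals(required.oid())
                        && a.target().type().equals(required.type()));
    }

    // Model of the new behaviour: match OID, type and relation on roleMembershipRef.
    static boolean membershipCheck(User u, Ref required) {
        return u.roleMembershipRef().contains(required); // record equals() compares all three
    }

    public static void main(String[] args) {
        Ref gate = new Ref("oid-gate", "RoleType", "default");          // required target
        Ref gateApprover = new Ref("oid-gate", "RoleType", "approver");
        Ref business = new Ref("oid-business", "RoleType", "default");  // induces 'gate'

        List<User> users = List.of(
                // Gets 'gate' only through inducement from 'business'.
                new User("induced", List.of(new Assignment(business, true)),
                        List.of(business, gate)),
                // Direct assignment to 'gate' whose validity has expired.
                new User("expired", List.of(new Assignment(gate, false)), List.of()),
                // Approver of 'gate', not a member.
                new User("approver", List.of(new Assignment(gateApprover, true)),
                        List.of(gateApprover)));

        for (User u : users) {
            System.out.printf("%-9s direct-only=%-5b roleMembershipRef=%b%n",
                    u.name(), directCheck(u, gate), membershipCheck(u, gate));
        }
    }
}
```

The three constructed users get opposite answers from the two checks, which is why deployments relying on `requireAssignmentTarget` should re-test their authentication sequences after upgrading past this commit.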