[midPoint-git] [Evolveum/midpoint] a84fbf: Fix authorization (selector) schema
mederly
noreply at github.com
Tue Aug 22 21:21:22 CEST 2023
Branch: refs/heads/master
Home: https://github.com/Evolveum/midpoint
Commit: a84fbf3d92d4c570acb541c19e4b2feeb3296fde
https://github.com/Evolveum/midpoint/commit/a84fbf3d92d4c570acb541c19e4b2feeb3296fde
Author: Pavol Mederly <mederly at evolveum.com>
Date: 2023-08-22 (Tue, 22 Aug 2023)
Changed paths:
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/factory/wrapper/HeterogenousContainerWrapperFactory.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/eval/FilteringContext.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/eval/MatchingContext.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/eval/SelectorProcessingContext.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/ArchetypeRefClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/AssigneeClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/CandidateAssigneeClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/DelegatorClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/FilterClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/OrgRefClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/OrgRelationClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/OwnerClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/ParentClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/RelatedObjectClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/RequesterClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/RoleRelationClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/SelfClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/SubtypeClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/TenantClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/TypeClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/ValueSelector.java
M infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
M model/model-api/src/main/java/com/evolveum/midpoint/model/api/authentication/CompiledObjectCollectionView.java
M model/model-common/src/main/java/com/evolveum/midpoint/model/common/mapping/AbstractMappingImpl.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/AuthorizationMigrator.java
M model/model-intest/src/test/resources/security/governance/role-approver-standard-legacy.xml
M model/model-intest/src/test/resources/security/governance/role-approver-standard-new.xml
M model/model-intest/src/test/resources/security/governance/role-approver-standard-with-candidates.xml
M model/model-intest/src/test/resources/security/governance/role-reviewer-standard-new.xml
M model/model-intest/src/test/resources/security/role-acc-cert-campaign-complex-read.xml
M model/model-intest/src/test/resources/security/role-acc-cert-case-work-items-assignee-self-read.xml
M model/model-intest/src/test/resources/security/role-case-work-items-assignee-self-read.xml
M model/model-intest/src/test/resources/security/role-case-work-items-event-approved-read.xml
M model/workflow-impl/src/test/resources/approval-task-owner/role-approver.xml
M model/workflow-impl/src/test/resources/common/041-role-approver.xml
M repo/repo-sql-impl/src/main/java/com/evolveum/midpoint/repo/sql/query/restriction/OwnedByRestriction.java
M repo/security-api/src/main/java/com/evolveum/midpoint/security/api/Authorization.java
M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/SelectorWithItems.java
M testing/story/src/test/resources/strings/roles/role-end-user.xml
Log Message:
-----------
Fix authorization (selector) schema

As decided on June 28th, we will NOT support specification of sub-object
values (e.g. assignments or case work items) by their type alone. We
will require full context information (via "parent" clause), e.g.
AssignmentHolderType:assignment or CaseType:workItem. This commit
implements that. (It still does not strictly require that spec, but
fully supports it.)

(Actually, this makes <type> clause for these values superfluous; so
we no longer need to "publish" - or bind to - specific type names
under the level of prism objects.)

Other changes:

1. The "parent" clause was moved to a more prominent place: into basic
ObjectSelectorType, even before the "type" item. Its meaning is
analogous to the "type" - it establishes the context of the value within
midPoint data model.

2. AuthorizationObjectSelectorType was no longer needed, so it was
removed. AuthorizationObjectSelectorType was renamed to
ObjectParentSelectorType.

3. ParentClause was fixed to support paths of size greater than 1
(given that the repository supports OwnedBy clauses with a single name
only paths).

Commit: 6b965c1a2775f8dd69fe34ef0b46b6bfdb32d81d
https://github.com/Evolveum/midpoint/commit/6b965c1a2775f8dd69fe34ef0b46b6bfdb32d81d
Author: Pavol Mederly <mederly at evolveum.com>
Date: 2023-08-22 (Tue, 22 Aug 2023)
Changed paths:
M config/initial-objects/role/043-role-delegator.xml
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/DelegatorClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/OrgRefClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/OrgRelationClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/OwnerClause.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/GuiProfiledPrincipalManagerImpl.java
Log Message:
-----------
Do cosmetic changes in authorizations
Commit: ac480464f3a4b58d35d27152eaa28c6adec36842
https://github.com/Evolveum/midpoint/commit/ac480464f3a4b58d35d27152eaa28c6adec36842
Author: Pavol Mederly <mederly at evolveum.com>
Date: 2023-08-22 (Tue, 22 Aug 2023)
Changed paths:
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/ValueSelector.java
Log Message:
-----------
Make "parent" required for sub-object selectors

We want maximum preciseness. Selectors of e.g. type=AssignmentType
invite future problems, so this commit forbids them. Exact context
specification (e.g. UserType:assignment) is required.

Commit: f74766a0af0615afc1bd138b84a2addcb9cf8fa2
https://github.com/Evolveum/midpoint/commit/f74766a0af0615afc1bd138b84a2addcb9cf8fa2
Author: Pavol Mederly <mederly at evolveum.com>
Date: 2023-08-22 (Tue, 22 Aug 2023)
Changed paths:
M config/initial-objects/role/043-role-delegator.xml
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/factory/wrapper/HeterogenousContainerWrapperFactory.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/eval/FilteringContext.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/eval/MatchingContext.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/eval/SelectorProcessingContext.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/ArchetypeRefClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/AssigneeClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/CandidateAssigneeClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/DelegatorClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/FilterClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/OrgRefClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/OrgRelationClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/OwnerClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/ParentClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/RelatedObjectClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/RequesterClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/RoleRelationClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/SelfClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/SubtypeClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/TenantClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/TypeClause.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/selector/spec/ValueSelector.java
M infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
M model/model-api/src/main/java/com/evolveum/midpoint/model/api/authentication/CompiledObjectCollectionView.java
M model/model-common/src/main/java/com/evolveum/midpoint/model/common/mapping/AbstractMappingImpl.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/AuthorizationMigrator.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/GuiProfiledPrincipalManagerImpl.java
M model/model-intest/src/test/resources/security/governance/role-approver-standard-legacy.xml
M model/model-intest/src/test/resources/security/governance/role-approver-standard-new.xml
M model/model-intest/src/test/resources/security/governance/role-approver-standard-with-candidates.xml
M model/model-intest/src/test/resources/security/governance/role-reviewer-standard-new.xml
M model/model-intest/src/test/resources/security/role-acc-cert-campaign-complex-read.xml
M model/model-intest/src/test/resources/security/role-acc-cert-case-work-items-assignee-self-read.xml
M model/model-intest/src/test/resources/security/role-case-work-items-assignee-self-read.xml
M model/model-intest/src/test/resources/security/role-case-work-items-event-approved-read.xml
M model/workflow-impl/src/test/resources/approval-task-owner/role-approver.xml
M model/workflow-impl/src/test/resources/common/041-role-approver.xml
M repo/repo-sql-impl/src/main/java/com/evolveum/midpoint/repo/sql/query/restriction/OwnedByRestriction.java
M repo/security-api/src/main/java/com/evolveum/midpoint/security/api/Authorization.java
M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/SelectorWithItems.java
M testing/story/src/test/resources/strings/roles/role-end-user.xml
Log Message:
-----------
Merge branch 'tmp/autz-type-fix'
Compare: https://github.com/Evolveum/midpoint/compare/ae526dcac98e...f74766a0af06