[midPoint-git] [Evolveum/prism] 9d6ea1: MID-10206 backported improvements from master bran...
Viliam Repan
noreply at github.com
Mon Oct 13 10:47:49 CEST 2025
Branch: refs/heads/support-4.8
Home: https://github.com/Evolveum/prism
Commit: 9d6ea1cd70c302949ae74cecca8ec7de2cccc97d
https://github.com/Evolveum/prism/commit/9d6ea1cd70c302949ae74cecca8ec7de2cccc97d
Author: Viliam Repan <vilo.repan at evolveum.com>
Date: 2025-09-26 (Fri, 26 Sep 2025)
Changed paths:
A infra/prism-api/src/main/java/com/evolveum/midpoint/prism/path/TypedItemPath.java
M infra/prism-api/src/main/java/com/evolveum/midpoint/prism/query/LogicalFilter.java
M infra/prism-api/src/main/java/com/evolveum/midpoint/prism/query/ObjectFilter.java
M infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/query/AllFilterImpl.java
M infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/query/ExistsFilterImpl.java
M infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/query/FullTextFilterImpl.java
M infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/query/InOidFilterImpl.java
M infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/query/NoneFilterImpl.java
M infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/query/OrgFilterImpl.java
M infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/query/OwnedByFilterImpl.java
M infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/query/ReferencedByFilterImpl.java
M infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/query/TypeFilterImpl.java
M infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/query/UndefinedFilterImpl.java
M infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/query/ValueFilterImpl.java
Log Message:
-----------
MID-10206 backported improvements from master branch to collect used item paths
Commit: fd0a3d8984057a93bc84526f598aa8859301add2
https://github.com/Evolveum/prism/commit/fd0a3d8984057a93bc84526f598aa8859301add2
Author: Viliam Repan <vilo.repan at evolveum.com>
Date: 2025-10-13 (Mon, 13 Oct 2025)
Changed paths:
M infra/prism-api/src/main/java/com/evolveum/midpoint/prism/query/PrismQuerySerialization.java
M infra/prism-api/src/main/java/com/evolveum/midpoint/prism/query/QueryConverter.java
M infra/prism-api/src/main/java/com/evolveum/prism/xml/ns/_public/query_3/SearchFilterType.java
M infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/marshaller/QueryConverterImpl.java
M infra/prism-impl/src/main/java/com/evolveum/midpoint/prism/impl/query/lang/PrismQuerySerializerImpl.java
Log Message:
-----------
Improve search autz dealing w/ multiple obj. types
This change improves handling of authorizations in case there are
different items allowed/denied for different object types, as part of
fixing MID-10206.
For example, let's have a `service-read` authorization that allows
searching by `requestable` and `riskLevel` items on `ServiceType`
objects (amongst others), and `roles-read` authorization that doesn't
allow searching by `requestable` and `riskLevel` items. These are
present in a single role. See the file
`model/model-intest/src/test/resources/security/role-requester.xml`.
Previously, a search for `AbstractRoleType` with a filter that uses
both `requestable` and `riskLevel` items returned roles and services
matching the filter, since types were not taken into account when
comparing required items against allowed/denied items.
This was wrong. Now it returns nothing, since authorization doesn't
allow search with `requestable` and `riskLevel` items for `RoleType`
objects.
See also MID-3916 and MID-9670 for broader picture.
Implementation:
This is a partial backport of the fix for MID-9638 present in commits:
- 4cd16d59cc0c49c1aec61263eb151ed53816e7b7
- 60928672b8e51946edf01fcbe0d253e4ae65c4cf
with the intent of minimizing changes in authorization behavior while
fixing the problem reported in MID-10206.
The main change was done in the EnforcerFilterOperation.computeFilter() method,
where we now put items required by the original search filter into a Map keyed
by object type using QueryObjectsAutzCoverage instead of a Set of items
as before (without object type information).
Required items are later on compared against applicable authorization
and its evaluated allowed/denied items via
QueryObjectAutzCoverage.processSearchItems() method.
Limitations:
This change does not fix the situation where the original filter contains
a composite query using an `or` clause containing multiple `type` filters.
EnforcerFilterOperation will compare required items for each type filter
against applicable authorizations separately, but will deny operation
if there's at least one filter whose required items don't match allowed
items. It currently doesn't take into account logical operations between
type filters.
Example filter evaluated on `AbstractRoleType`:
(. type ServiceType and requestable = "true" and riskLevel = "low")
or
(. type RoleType and requestable = "true" and riskLevel = "high")
The correct behavior is to allow evaluation of those parts
of the filter that we have authorizations for (i.e., ServiceType if
we have the setup mentioned above). However, midPoint authorization
mechanism is not there yet.
Merge remote-tracking branch 'origin/support-4.8' into feature/mid-10206-partial-backport
Compare: https://github.com/Evolveum/prism/compare/59488e97bfc3...fd0a3d898405
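A simplified model of the before/after check the commit message describes, added here as an illustration; it is not prism's or midPoint's own code, and the allowed-item table, the subtype table and all function names are assumptions. It reproduces the old flat-Set comparison, the new per-type Map comparison, and the `or`-of-type-filters limitation (the model denies the whole search, as the message says the current mechanism does).

```python
# Simplified model of the search-authorization check described above.
# Added example: NOT midPoint's or prism's code. The allowed-item table,
# the type hierarchy and every function name here are assumptions.

# Constructed from the commit message: `service-read` allows searching
# ServiceType by `requestable` and `riskLevel`; `roles-read` allows
# neither of them on RoleType. `name` is an extra constructed item.
ALLOWED_ITEMS = {
    "ServiceType": {"name", "requestable", "riskLevel"},
    "RoleType": {"name"},
}

# Assumed subtype table: a search on AbstractRoleType covers both types.
SUBTYPES = {"AbstractRoleType": {"ServiceType", "RoleType"}}


def concrete_types(search_type):
    """Concrete object types a search for `search_type` may return."""
    return SUBTYPES.get(search_type, {search_type})


def old_check(search_type, required_items):
    """Pre-fix behaviour: required items are a flat Set compared against
    the union of allowed items, so object types are never considered."""
    allowed = set()
    for t in concrete_types(search_type):
        allowed |= ALLOWED_ITEMS.get(t, set())
    return set(required_items) <= allowed


def required_by_type(search_type, required_items, type_filters=None):
    """Post-fix: build the Map keyed by object type. Explicit `type`
    filters (a {type: items} dict) keep their own items; otherwise the
    filter's items are required for every type the search covers."""
    if type_filters:
        return {t: set(items) for t, items in type_filters.items()}
    return {t: set(required_items) for t in concrete_types(search_type)}


def new_check(required_by_type_map):
    """Post-fix behaviour: every type's required items must be allowed for
    that very type. A single mismatch denies the whole search, which is
    also the `or`-of-type-filters limitation the message describes."""
    return all(items <= ALLOWED_ITEMS.get(t, set())
               for t, items in required_by_type_map.items())
```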