[midPoint-git] [Evolveum/midpoint] a5cc2d: MID-10206 test
Viliam Repan
noreply at github.com
Mon Oct 13 10:49:06 CEST 2025
Branch: refs/heads/support-4.8
Home: https://github.com/Evolveum/midpoint
Commit: a5cc2dcd2afb81de8955f3d8f7884d3b43d8404e
https://github.com/Evolveum/midpoint/commit/a5cc2dcd2afb81de8955f3d8f7884d3b43d8404e
Author: Viliam Repan <vilo.repan at evolveum.com>
Date: 2025-09-26 (Fri, 26 Sep 2025)
Changed paths:
M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityAdvanced.java
A model/model-intest/src/test/resources/security/role-requestable-high-risk.xml
A model/model-intest/src/test/resources/security/role-requester.xml
A model/model-intest/src/test/resources/security/service-requestable-high-risk.xml
A model/model-intest/src/test/resources/security/service-requestable-low-risk.xml
Log Message:
-----------
MID-10206 test
Commit: 9064c847d8dc793b3abf7cf64efa79efe406f604
https://github.com/Evolveum/midpoint/commit/9064c847d8dc793b3abf7cf64efa79efe406f604
Author: Viliam Repan <vilo.repan at evolveum.com>
Date: 2025-09-26 (Fri, 26 Sep 2025)
Changed paths:
M repo/repo-sqale/src/main/java/com/evolveum/midpoint/repo/sqale/filtering/RefFilterWithRepoPath.java
M repo/security-enforcer-api/src/main/java/com/evolveum/midpoint/security/enforcer/api/PositiveNegativeItemPaths.java
M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/AuthorizationEvaluation.java
A repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/AuthorizationSearchItemsEvaluation.java
M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/EnforcerFilterOperation.java
R repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/QueryAutzItemPaths.java
A repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/QueryObjectAutzCoverage.java
A repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/QueryObjectsAutzCoverage.java
M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/SecurityTraceEvent.java
M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/SelectorWithItems.java
M repo/security-enforcer-impl/src/main/java/com/evolveum/midpoint/security/enforcer/impl/TieredSelectorWithItems.java
Log Message:
-----------
MID-10206 updated EnforcerFilterOperation to evaluate required items based on type
Commit: 320fa3183f4e96fdc6ceb7be050c6267bc2abc65
https://github.com/Evolveum/midpoint/commit/320fa3183f4e96fdc6ceb7be050c6267bc2abc65
Author: Viliam Repan <vilo.repan at evolveum.com>
Date: 2025-10-03 (Fri, 03 Oct 2025)
Changed paths:
M docs/expressions/mappings/outbound-mapping/index.adoc
M gui/admin-gui/src/frontend/scss/midpoint.scss
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/component/search/SearchConfigurationMerger.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/component/search/panel/BasicSearchPanel.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/component/search/panel/SaveSearchPanel.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/component/search/panel/SearchPanel.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/admin/resource/component/ShadowStatisticsModel.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/admin/role/mining/model/RoleAnalysisAggregateChartModel.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/self/requestAccess/ShoppingCartEditPanel.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/certification/PageCertCampaign.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/server/dto/ActivityItemProcessingDto.java
M model/workflow-impl/src/test/java/com/evolveum/midpoint/wf/impl/assignments/TestAssignmentsAdvanced.java
M pom.xml
M repo/repo-sqale/src/main/java/com/evolveum/midpoint/repo/sqale/mapping/SqaleTableMapping.java
M repo/repo-sql-impl-test/src/test/resources/delete/shadow.xml
M repo/repo-sql-impl/src/main/java/com/evolveum/midpoint/repo/sql/helpers/ObjectUpdater.java
Log Message:
-----------
Merge remote-tracking branch 'origin/support-4.8' into feature/mid-10206-partial-backport
Commit: 94fc1a2a7c1f0e42c49846267f46e0e0cc45107f
https://github.com/Evolveum/midpoint/commit/94fc1a2a7c1f0e42c49846267f46e0e0cc45107f
Author: Pavol Mederly <mederly at evolveum.com>
Date: 2025-10-03 (Fri, 03 Oct 2025)
Changed paths:
M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/AbstractInitializedSecurityTest.java
M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityBasic.java
A model/model-intest/src/test/resources/security/role-limited-role-search.xml
A model/model-intest/src/test/resources/security/role-risk-low.xml
A model/model-intest/src/test/resources/security/service-risk-high.xml
A model/model-intest/src/test/resources/security/service-risk-low.xml
Log Message:
-----------
Add a test for MID-10206 (disabled)
(cherry picked from commit 13229f80c0ec9ad05bf3b6112bff3f51b29920ed)
Commit: df9c57a39b342697e3005aa3cd7399bec54840bb
https://github.com/Evolveum/midpoint/commit/df9c57a39b342697e3005aa3cd7399bec54840bb
Author: Pavol Mederly <mederly at evolveum.com>
Date: 2025-10-03 (Fri, 03 Oct 2025)
Changed paths:
M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityBasic.java
Log Message:
-----------
Improve the test for MID-10206
Now the test is enabled; only a part of it is commented out (for now).
(cherry picked from commit 6eea86c51b530986ef12a1301a0a875204a30631)
Commit: 0fd07f10f9d24ac135452e6e1fa8b216ea122823
https://github.com/Evolveum/midpoint/commit/0fd07f10f9d24ac135452e6e1fa8b216ea122823
Author: Viliam Repan <vilo.repan at evolveum.com>
Date: 2025-10-03 (Fri, 03 Oct 2025)
Changed paths:
M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityAdvanced.java
M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/security/TestSecurityBasic.java
Log Message:
-----------
MID-10206 some cleanup, docs
Commit: 28ab1c8196a66caba9a7aeb76b6ad29e890bd5f6
https://github.com/Evolveum/midpoint/commit/28ab1c8196a66caba9a7aeb76b6ad29e890bd5f6
Author: Viliam Repan <vilo.repan at evolveum.com>
Date: 2025-10-13 (Mon, 13 Oct 2025)
Changed paths:
M docs/admin-gui/resource-wizard/index.adoc
M docs/admin-gui/role-wizard/index.adoc
M docs/expressions/mappings/index.adoc
M docs/resources/shadow/dead.adoc
M docs/resources/shadow/index.adoc
A docs/resources/shadow/purpose.adoc
M docs/schema/archetypes/configuration-gui/archetypes-in-object-type-wizard.adoc
M docs/schema/archetypes/configuration-gui/index.adoc
M docs/schema/archetypes/person.adoc
M docs/tasks/shadow-reclassification-task.adoc
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/prism/wrapper/ItemWrapper.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/self/dashboard/PageSelfDashboard.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/prism/panel/ItemHeaderPanel.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/prism/wrapper/ItemWrapperImpl.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/prism/wrapper/PrismContainerWrapperImpl.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/prism/wrapper/ValueMetadataWrapperImpl.java
M model/authentication-api/src/main/java/com/evolveum/midpoint/authentication/api/util/AuthUtil.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelObjectResolver.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/assignments/AssignmentPathImpl.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/assignments/AssignmentPathSegmentImpl.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/assignments/PathSegmentEvaluation.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/assignments/PayloadEvaluation.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/GuiProfileCompiler.java
M model/model-impl/src/test/java/com/evolveum/midpoint/model/impl/lens/TestPolicyRules2.java
M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestLifecycle.java
M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestLifecycleBasic.java
A model/model-intest/src/test/resources/lifecycle/resource-dummy-10813.xml
A model/model-intest/src/test/resources/lifecycle/role-a.xml
A model/model-intest/src/test/resources/lifecycle/role-b.xml
M release-notes.adoc
M repo/security-api/src/main/java/com/evolveum/midpoint/security/api/MidPointPrincipal.java
Log Message:
-----------
Improve search autz dealing w/ multiple obj. types
This change improves handling of authorizations in case there are
different items allowed/denied for different object types, as part of
fixing MID-10206.
For example, let's have a `service-read` authorization that allows
searching by `requestable` and `riskLevel` items on `ServiceType`
objects (amongst others), and a `roles-read` authorization that doesn't
allow searching by `requestable` and `riskLevel` items. These are
present in a single role. See the file
`model/model-intest/src/test/resources/security/role-requester.xml`.
Previously, a search for `AbstractRoleType` with a filter that uses
both `requestable` and `riskLevel` items returned roles and services
matching the filter, since types were not taken into account when
comparing required items against allowed/denied items.
This was wrong. Now it returns nothing, since the authorization doesn't
allow a search with `requestable` and `riskLevel` items for `RoleType`
objects.
See also MID-3916 and MID-9670 for a broader picture.
Implementation:
This is a partial backport of the fix for MID-9638 present in commits:
- 4cd16d59cc0c49c1aec61263eb151ed53816e7b7
- 60928672b8e51946edf01fcbe0d253e4ae65c4cf
with the intent of minimizing changes in authorization behavior while
fixing the problem reported in MID-10206.
The main change was done in the EnforcerFilterOperation.computeFilter() method,
where we now put items required by the original search filter into a Map keyed
by object type using QueryObjectsAutzCoverage instead of a Set of items
as before (without object type information).
Required items are later compared against the applicable authorization
and its evaluated allowed/denied items via the
QueryObjectAutzCoverage.processSearchItems() method.
Limitations:
This change does not fix the situation where the original filter contains
a composite query using an `or` clause containing multiple `type` filters.
EnforcerFilterOperation will compare required items for each type filter
against applicable authorizations separately, but will deny the operation
if there's at least one filter whose required items don't match allowed
items. It currently doesn't take into account logical operations between
type filters.
Example filter evaluated on `AbstractRoleType`:
(. type ServiceType and requestable = "true" and riskLevel = "low")
or
(. type RoleType and requestable = "true" and riskLevel = "high")
The correct behavior is to allow evaluation of those parts
of the filter that we have authorizations for (i.e., ServiceType if
we have the setup mentioned above). However, the midPoint authorization
mechanism is not there yet.
Merge remote-tracking branch 'origin/support-4.8' into feature/mid-10206-partial-backport
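Below is an added Python model of the decision logic this commit message describes; it is not midPoint code, and the allowed item sets for the two types and the subtype table are constructed assumptions based on the role-requester example:

```python
# Hypothetical Python model of the per-type required-items check the commit
# message describes; it is NOT midPoint code, only the decision logic in miniature.

# Constructed authorization setup following the role-requester example:
# `service-read` allows searching by requestable/riskLevel on ServiceType,
# `roles-read` allows neither on RoleType (allowing only `name` is an assumption).
ALLOWED_SEARCH_ITEMS = {
    "ServiceType": {"name", "requestable", "riskLevel"},
    "RoleType": {"name"},
}
# Concrete types a search type expands to (abstract type -> its subtypes).
CONCRETE_TYPES = {
    "AbstractRoleType": {"RoleType", "ServiceType"},
    "RoleType": {"RoleType"},
    "ServiceType": {"ServiceType"},
}


def required_items_by_type(search_type, filter_parts):
    """Type -> required items map (the role of QueryObjectsAutzCoverage).
    filter_parts: list of (type_filter_or_None, items used by that part);
    a part without a `type` filter applies to every concrete type of search_type."""
    coverage = {}
    for type_filter, items in filter_parts:
        for concrete in CONCRETE_TYPES[type_filter or search_type]:
            coverage.setdefault(concrete, set()).update(items)
    return coverage


def decision_before_fix(filter_parts):
    """Pre-fix: a flat set of required items compared against items allowed by
    any applicable authorization, with no object type information."""
    required = set().union(*(items for _, items in filter_parts))
    allowed_anywhere = set().union(*ALLOWED_SEARCH_ITEMS.values())
    return required <= allowed_anywhere


def decision_after_fix(search_type, filter_parts):
    """Post-fix: every concrete type needs all of its required items allowed;
    one uncovered type denies the whole search (the stated `or` limitation)."""
    coverage = required_items_by_type(search_type, filter_parts)
    return all(items <= ALLOWED_SEARCH_ITEMS.get(t, set()) for t, items in coverage.items())


def coverable_types(search_type, filter_parts):
    """Types whose own filter part is fully authorized: what the message calls
    the correct behaviour (evaluate only those parts), not what is enforced."""
    coverage = required_items_by_type(search_type, filter_parts)
    return {t for t, items in coverage.items() if items <= ALLOWED_SEARCH_ITEMS.get(t, set())}
```

Running the `AbstractRoleType` search from the message through both decision functions shows the old code allowing it and the new code denying it, while the `or` example is denied as a whole even though its `ServiceType` part would be coverable on its own.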
Compare: https://github.com/Evolveum/midpoint/compare/add33b7fc68a...28ab1c8196a6