public static String toShortString(PolicyConstraintsType constraints) { return toShortString(constraints, JOIN_AND); }
@Override public <T extends PolicyActionType> List<T> getEnabledActions(Class<T> clazz) { return PolicyRuleTypeUtil.filterActions(enabledActions, clazz); }
public static void resolveReferences(List<PolicyRuleType> rules, Collection<? extends PolicyRuleType> otherRules, PrismContext prismContext) throws SchemaException, ObjectNotFoundException { LazyMapConstraintsResolver resolver = new LazyMapConstraintsResolver(prismContext, createConstraintsSupplier(rules), createConstraintsSupplier(otherRules)); for (PolicyRuleType rule : rules) { resolveReferences(rule.getPolicyConstraints(), resolver); } }
public static List<JAXBElement<AbstractPolicyConstraintType>> toConstraintsList(PolicyConstraintsType pc, boolean deep, boolean ignoreRefs) { List<JAXBElement<AbstractPolicyConstraintType>> rv = new ArrayList<>(); accept(pc, (name, c) -> { rv.add(toConstraintJaxbElement(name, c)); return true; }, deep, false, null, ignoreRefs); return rv; }
public static void resolveReferences(PolicyConstraintsType pc, ConstraintResolver resolver) throws ObjectNotFoundException, SchemaException { // This works even on chained rules because on any PolicyConstraintsType the visitor is called on a root // (thus resolving the references) before it is called on children. And those children are already resolved; // so, any references contained within them get also resolved. accept(pc, (name, c) -> { if (c instanceof PolicyConstraintsType) { try { resolveLocalReferences((PolicyConstraintsType) c, resolver); } catch (ObjectNotFoundException | SchemaException e) { MiscUtil.throwExceptionAsUnchecked(e); } } return true; }, true, true, F_AND, true); }
for (JAXBElement<AbstractPolicyConstraintType> constraint : toConstraintsList(constraints, false, true)) { QName name = constraint.getName(); String abbreviation = CONSTRAINT_NAMES.get(name.getLocalPart()); sb.append(toShortString((PolicyConstraintsType) constraint.getValue(), JOIN_AND)); sb.append(')'); } else if (QNameUtil.match(name, PolicyConstraintsType.F_OR)) { sb.append('('); sb.append(toShortString((PolicyConstraintsType) constraint.getValue(), JOIN_OR)); sb.append(')'); } else if (QNameUtil.match(name, PolicyConstraintsType.F_NOT)) { sb.append('('); sb.append(toShortString((PolicyConstraintsType) constraint.getValue(), JOIN_AND)); sb.append(')'); } else if (QNameUtil.match(name, PolicyConstraintsType.F_TRANSITION)) { TransitionPolicyConstraintType trans = (TransitionPolicyConstraintType) constraint.getValue(); sb.append(SYMBOL_TRANSITION); sb.append(toTransSymbol(trans.isStateBefore())); sb.append(toTransSymbol(trans.isStateAfter())); sb.append('('); sb.append(toShortString(trans.getConstraints(), JOIN_AND)); sb.append(')'); } else {
private void resolveReferences(Collection<EvaluatedPolicyRule> evaluatedRules, Collection<? extends PolicyRuleType> otherRules) throws SchemaException, ObjectNotFoundException { List<PolicyRuleType> rules = evaluatedRules.stream().map(er -> er.getPolicyRule()).collect(Collectors.toList()); PolicyRuleTypeUtil.resolveReferences(rules, otherRules, prismContext); }
if (alsoRoots) { assert rootElementName != null; rv = visit(Collections.singletonList(pc), rootElementName, visitor); } else { rv = true; rv = rv && visit(pc.getMinAssignees(), F_MIN_ASSIGNEES, visitor) && visit(pc.getMaxAssignees(), F_MAX_ASSIGNEES, visitor) && visit(pc.getObjectMinAssigneesViolation(), F_OBJECT_MIN_ASSIGNEES_VIOLATION, visitor) && visit(pc.getObjectMaxAssigneesViolation(), F_OBJECT_MAX_ASSIGNEES_VIOLATION, visitor) && visit(pc.getExclusion(), F_EXCLUSION, visitor) && visit(pc.getAssignment(), F_ASSIGNMENT, visitor) && visit(pc.getHasAssignment(), F_HAS_ASSIGNMENT, visitor) && visit(pc.getHasNoAssignment(), F_HAS_NO_ASSIGNMENT, visitor) && visit(pc.getModification(), F_MODIFICATION, visitor) && visit(pc.getObjectTimeValidity(), F_OBJECT_TIME_VALIDITY, visitor) && visit(pc.getAssignmentTimeValidity(), F_ASSIGNMENT_TIME_VALIDITY, visitor) && visit(pc.getAssignmentState(), F_ASSIGNMENT_STATE, visitor) && visit(pc.getObjectState(), F_OBJECT_STATE, visitor) && visit(pc.getSituation(), F_SITUATION, visitor) && visit(pc.getTransition(), F_TRANSITION, visitor) && visit(pc.getAnd(), F_AND, visitor) && visit(pc.getOr(), F_OR, visitor) && visit(pc.getNot(), F_NOT, visitor); rv = rv && accept(transitionConstraint.getConstraints(), visitor, true, alsoRoots, F_AND, ignoreRefs); && accept(pc.getAnd(), visitor, alsoRoots, F_AND, ignoreRefs) && accept(pc.getOr(), visitor, alsoRoots, F_OR, ignoreRefs)
@SuppressWarnings("unchecked") @NotNull public <AH extends AssignmentHolderType> List<EvaluatedPolicyRuleTrigger<?>> evaluateConstraints(PolicyConstraintsType constraints, boolean allMustApply, PolicyRuleEvaluationContext<AH> ctx, OperationResult result) throws SchemaException, ExpressionEvaluationException, ObjectNotFoundException, CommunicationException, ConfigurationException, SecurityViolationException { if (constraints == null) { return Collections.emptyList(); } List<EvaluatedPolicyRuleTrigger<?>> triggers = new ArrayList<>(); for (JAXBElement<AbstractPolicyConstraintType> constraint : toConstraintsList(constraints, false, false)) { PolicyConstraintEvaluator<AbstractPolicyConstraintType> evaluator = (PolicyConstraintEvaluator<AbstractPolicyConstraintType>) getConstraintEvaluator(constraint); EvaluatedPolicyRuleTrigger<?> trigger = evaluator.evaluate(constraint, ctx, result); LOGGER.trace("Evaluated policy rule trigger: {}", trigger); traceConstraintEvaluationResult(constraint, ctx, trigger); if (trigger != null) { triggers.add(trigger); } else { if (allMustApply) { return Collections.emptyList(); // constraint that does not apply => skip this rule } } } return triggers; }
private static boolean accept(List<PolicyConstraintsType> constraintsList, ConstraintVisitor matcher, boolean alsoRoots, QName rootElementName, boolean ignoreRefs) { for (PolicyConstraintsType constraints : constraintsList) { if (!accept(constraints, matcher, true, alsoRoots, rootElementName, ignoreRefs)) { return false; } } return true; }
@SuppressWarnings("unchecked") private static List<String> getPathToRoot(PolicyConstraintsType pc) { List<String> rv = new ArrayList<>(); computePathToRoot(rv, pc.asPrismContainerValue()); return rv; }
public <AH extends AssignmentHolderType> void computeEnabledActions(@Nullable PolicyRuleEvaluationContext<AH> rctx, PrismObject<AH> object, ExpressionFactory expressionFactory, PrismContext prismContext, Task task, OperationResult result) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException { LOGGER.trace("$$$$COmpute enabled actions"); List<PolicyActionType> allActions = PolicyRuleTypeUtil.getAllActions(policyRuleType.getPolicyActions()); LOGGER.trace("Actions defined for policy rule: {}", allActions); for (PolicyActionType action : allActions) { if (action.getCondition() != null) { ExpressionVariables variables = createExpressionVariables(rctx, object); if (!LensUtil.evaluateBoolean(action.getCondition(), variables, "condition in action " + action.getName() + " (" + action.getClass().getSimpleName() + ")", expressionFactory, prismContext, task, result)) { LOGGER.trace("Skipping action {} ({}) because the condition evaluated to false", action.getName(), action.getClass().getSimpleName()); continue; } else { LOGGER.trace("Accepting action {} ({}) because the condition evaluated to true", action.getName(), action.getClass().getSimpleName()); } } LOGGER.trace("Adding action {} into the enabled action list.", action); enabledActions.add(action); } } }
private void assertTriggers(AssignmentType assignment, int exclusionExpected, int situationExpected) { int exclusion = 0, situation = 0; for (EvaluatedPolicyRuleType rule : assignment.getTriggeredPolicyRule()) { for (EvaluatedPolicyRuleTriggerType trigger : rule.getTrigger()) { //assertNotNull("Identifier not null in base trigger: " + trigger, trigger.getTriggerId()); if (trigger instanceof EvaluatedSituationTriggerType) { EvaluatedSituationTriggerType situationTrigger = (EvaluatedSituationTriggerType) trigger; int sourceTriggers = 0; for (EvaluatedPolicyRuleType sourceRule : situationTrigger.getSourceRule()) { for (EvaluatedPolicyRuleTriggerType sourceTrigger : sourceRule.getTrigger()) { sourceTriggers++; //assertNotNull("Ref not null in situation source trigger: " + sourceTrigger, sourceTrigger.getRef()); } } assertEquals("Wrong # of exclusion triggers in situation trigger", exclusionExpected, sourceTriggers); situation++; } else if (trigger instanceof EvaluatedExclusionTriggerType) { exclusion++; } else { fail("Unexpected trigger: " + trigger); } } } assertEquals("Wrong # of exclusion triggers", 0, exclusion); assertEquals("Wrong # of situation triggers", situationExpected, situation); List<EvaluatedExclusionTriggerType> exclusionTriggers = PolicyRuleTypeUtil .getAllExclusionTriggers(assignment.getTriggeredPolicyRule()); display("Exclusion triggers for " + assignment, exclusionTriggers); assertEquals("Wrong # of extracted exclusion triggers", exclusionExpected, exclusionTriggers.size()); }
@NotNull private static Supplier<List<Map.Entry<String, JAXBElement<? extends AbstractPolicyConstraintType>>>> createConstraintsSupplier( Collection<? extends PolicyRuleType> rules) { return () -> { List<Map.Entry<String, JAXBElement<? extends AbstractPolicyConstraintType>>> constraints = new ArrayList<>(); for (PolicyRuleType rule : rules) { accept(rule.getPolicyConstraints(), (elementName, c) -> { if (StringUtils.isNotEmpty(c.getName())) { constraints.add(new AbstractMap.SimpleEntry<>(c.getName(), toConstraintJaxbElement(elementName, c))); } return true; }, true, true, F_AND, true); } return constraints; }; }
private static boolean hasObjectRelatedConstraint(PolicyRuleType rule) { // 'accept' continues until isNotObjectRelated is false; and returns false then --> so we return true in that case (i.e. we have found object-related constraint) return !accept(rule.getPolicyConstraints(), PolicyRuleTypeUtil::isNotObjectRelated, true, true, F_AND, false); }
@SuppressWarnings("unchecked") private static void computePathToRoot(List<String> path, PrismContainerValue<? extends AbstractPolicyConstraintType> pc) { path.add(pc.asContainerable().getName()); if (pc.getParent() instanceof PrismContainer) { PrismContainer<? extends AbstractPolicyConstraintType> container = (PrismContainer<? extends AbstractPolicyConstraintType>) pc.getParent(); PrismValue containerParentValue = container.getParent(); if (containerParentValue instanceof PrismContainerValue && ((PrismContainerValue) containerParentValue).asContainerable() instanceof AbstractPolicyConstraintType) { computePathToRoot(path, ((PrismContainerValue) container.getParent())); } } }
@Override public String toDiagShortcut() { return super.toDiagShortcut() + sourceRules.stream() .map(sr -> PolicyRuleTypeUtil.toShortString(sr.getPolicyConstraints())) .distinct() .collect(Collectors.joining("+", "(", ")")); }
if (actions.getEnforcement() != null) { sb.append("enforce"); if (filterActions(enabledActions, EnforcementPolicyActionType.class).isEmpty()) { sb.append("X"); if (filterActions(enabledActions, ApprovalPolicyActionType.class).isEmpty()) { sb.append("X"); if (filterActions(enabledActions, RemediationPolicyActionType.class).isEmpty()) { sb.append("X"); if (filterActions(enabledActions, CertificationPolicyActionType.class).isEmpty()) { sb.append("X"); if (filterActions(enabledActions, NotificationPolicyActionType.class).isEmpty()) { sb.append("X"); if (filterActions(enabledActions, ScriptExecutionPolicyActionType.class).isEmpty()) { sb.append("X");
private static boolean hasAssignmentOnlyConstraint(PolicyRuleType rule) { // 'accept' continues until isNotAssignmentOnly is false; and returns false then --> so we return true in that case (i.e. we have found assignmentOnly-constraint) return !accept(rule.getPolicyConstraints(), PolicyRuleTypeUtil::isNotAssignmentOnly, true, true, F_AND, false); }
@Override public String toShortString() { StringBuilder sb = new StringBuilder(); if (isGlobal()) { sb.append("G:"); } if (getName() != null) { sb.append(getName()).append(":"); } sb.append("(").append(PolicyRuleTypeUtil.toShortString(getPolicyConstraints())).append(")"); sb.append("->"); sb.append("(").append(PolicyRuleTypeUtil.toShortString(getActions(), enabledActions)).append(")"); if (!getTriggers().isEmpty()) { sb.append(" # {T:"); sb.append(getTriggers().stream().map(EvaluatedPolicyRuleTrigger::toDiagShortcut) .collect(Collectors.joining(", "))); sb.append("}"); } return sb.toString(); }