Test Scenarios

Last modified 22 Feb 2024 13:11 +01:00

Suspending the tasksPlease note that this page is under construction.

Account Tests

The following test scenarios provide account provisioning testing. The accounts are modified in midPoint and the changes are expected to propagate on the target systems. You can use CSV example as demo resource.

# Scenario Description Expected Results

1

Create midPoint User

Click "Users"/"New user", then enter all mandatory attributes. + Click "Save".

The user is created in midPoint repository (with no accounts yet).

2

Add account

Click "Users"/"List users", then click on the user just created. Click on Projections tab.
Click "Add projection" in the "Projections" menu on the right side. Select resource(s) to be added. + Modify account attributes if needed, otherwise default will be used from resource’s outbound expressions. + Click "Save" when done.

Accounts are created on all the selected resources. Account attributes are set according to the user form and resource outbound expressions. + + An error may occur if the resource if unreachable (but there is an automatic consistency mechanism), the account already exists (if the resource is not configured for unique account iterator) or mandatory attributes are empty.

3

Modify account attribute

Click "Users"/"List users", then click on the user just created. Click on Projections tab.
Expand account by clicking on the account header. + Modify account attributes. + Click "Save" when done.

The account is updated with the changes you’ve entered. + + An error may occur if the mandatory attributes are empty

4

Modify account password

Click "Users"/"List users", then click on the user just created. Click on Projections tab.
Expand account by clicking on the account header. + Modify account password. + Click "Save" when done.

The account password is updated with the value you’ve entered. + + An error may occur if the password does not comply with resource’s password complexity policy

5

Disable account

Click "Users", then click on the user just created. Click on Projections tab.
Expand account by clicking on the account header. + Select the "Disabled" option under the "Activation" header. + Click "Save" when done.

The account is disabled.

6

Enable account

Click "Users"/"List users", then click on the user just created. Click on Projections tab.
Expand account by clicking on the account header. + Select the "Enabled" option under the "Activation" header. + Click "Save" when done.

The account is enabled.

7

Delete account

Click "Users"/"List users", then click on the user just created. Click on Projections tab.
Check the account checkbox to mark the account for deletion and select the "Delete" value in the menu on the right. Confirm the action. + + Click "Save" when done.

The account is deleted.

User - Account Tests

# Scenario Description Expected Results

1

Modify user attribute

Click "Users"/"List users", then click on the user just created. + Modify user attribute(s) (e.g. Given Name). + Click "Save" when done.

All accounts (with the outbound expressions for the updated attribute configured) have the attribute updated with the new midPoint value.

2

Modify user password

Click "Users"/"List users", then click on the user just created. + Modify user password. + Click "Save" when done.

All accounts passwords are updated with the new midPoint value.

3

Disable user

Click "Users"/"List users", then click on the user just created. + Select the "Disable" value in the menu on the right. + Click "Save" when done.

All accounts are disabled. + If User had Superuser role assigned, user is now unable to log into midPoint as well as into any resources.

4

Enable user

Click "Users"/"List users", then click on the user just created. + Select the "Enabled" value in the menu on the right. + Click "Save" when done.

All accounts are enabled. + If User has Superuser role assigned, user is now able to log into midPoint as well as into any resources again.

5

(Bulk) Delete user(s)

Click "Users"/"List users", then select user(s). + Click "Delete" when done.

User(s) and all resource accounts are deleted.

6

(Bulk) Disable user(s)

Click "Users"/"List users", then select user(s). + Click "Disable" when done.

User(s) and all resource accounts are disabled. + If user(s) had Superuser role assigned, user(s) is(are) unable to log into midPoint as well as into any resources.

7

(Bulk) Enable user(s)

Click "Users", then select user(s). + Click "Enable" when done.

User(s) and all resource accounts are enabled. + If user(s) had Superuser role assigned, user(s) is(are) able to log into midPoint as well as into any resources again.

8

Search user

Click "Users"/"List users", find the search Property name and click Add. Click on it, put searched value and click Update.

Users matching the search criteria should be returned.

9

Search user from Home

Click "Home", enter the search text in the "Search by name…​" input.
Click "User" when done to run search.

Users matching the search criteria should be returned.9

User Photo Tests

# Scenario Description Expected Results

1

Create a new user with photo

Click "Users", then click "New user", then enter all mandatory attributes.
Fill Jpeg Photo attribute, click on the button "Choose file" and select image file.
Click "Save".

(1) If is image less as 192 Kb, then after uploading file shows message "File upload was successful. Continue with editing and press 'Save' when done.".(2) If is image bigger as 192 Kb, then after uploading file shows an error "Upload must be less than 192K".New user is created in midPoint

2

Delete user photo

Click "Users", then click "List users" and select the user just created.
Click on the trash icon "Remove file". + Click "Save".

After removing file shows message "File was removed.".User is modified, user is without photo

Organization Structure Tests

# Scenario Description Expected Results XML sample

1

Import org. structure

Click "Configuration"/"Import object", then import XML file with org. structure from midpoint\samples\org\org-monkey-island-simple.xml.

Validate imported org. structure through debug pages. Click "Users"/"Organization Structure" then explore and validate rendered tree.

2

Assign org. unit

Click "Users", then edit some user. + Click "Assignments" tab, "Assign. Org" button in local menu to Assign part and choose one or more org. units. + Save user.

User must have assigned selected units. + View user through debug pages and check if org. units were assigned correctly. + Click "Users", then edit user. Assigned org. units must be in assignments tab. + Click "Users"/"Organization Structure" then explore and validate user placement rendered tree.

3

Unassign org. unit

Click "Users", then edit user which has assigned at least one org. unit. + Select one or more assigned org. units. + Click "Unassign" button. + Save user.

User must not have assigned org. units selected during editing. + View user through debug pages and check if org. units were unassigned correctly. + Click "Users", then edit user. Assigned org. units must not be in assignments tab. + Click "Users"/"Organization Structure" then explore and validate user placement rendered tree.

4

Org. unit account inducement

.. Import org. unit from XML sample in this test,

.. Import CSV resource with sync. abilities. Make sure, that resource is available and sync. is working correctly and set correct resource oid into sample <resourceRef>.

.. Create new user in midPoint,

.. Assign org. unit created in step 1 to user created in step 3

After the whole sequence:Account should be created on CSV resource and linked to midPoint user after org. unit has been assigned.

<org xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'       xmlns:c='http://midpoint.evolveum.com/xml/ns/public/common/common-3'
xmlns:org='http://midpoint.evolveum.com/xml/ns/public/common/org-3'>
	<name>testOrgUnit</name>
	<inducement>
        <construction>
            <resourceRef oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3fafe" type="c:ResourceType"/>                  				<kind>account</kind>
        </construction>
    </inducement>
    <displayName>Test Unit</displayName>
	<identifier>0001</identifier>
	<orgType>functional</orgType>
</org>

PolyString Tests

# Scenario Description Expected Results

1

Create a new user with using of diacritic or special national character. (e.g. Jožko Mrkvička).

Click "New user", then write his Name, Full Name, Given Name and Family Name. Type some of them by using diacritic. + Save user.

New user is created in midPoint fully with used diacritics marks.

2

Use Search bar for searching users with PolyString in their names (Name, Full Name, Given Name, Family Name).

Type in Search bar names with diacritic and click on" Search" button or press Enter. + Type is Search bar names of user which contains diacritic, but without diacritical marks (e.g. for name Mrkvička write only mrkvicka)

Search should find all user with written name (or part of name) in search bar and show all of them in the list.

Synchronization Tests

# Scenario Description Expected Results

1

New resource account created

New account is created on the resource (target system).

New user is created in midPoint based on the newly-created account (inbound expressions). + The resource account is linked to midPoint user.

2

New resource account created

New account is created on the resource (target system), that should be linked to an existing midPoint user.

Existing midPoint user is updated based on the newly-created account (inbound expressions). + The resource account is linked to midPoint user.

3

Already linked resource account modified

Resource account attributes are modified.

Existing midPoint user is updated based on resource acount (inbound expressions).

4

Resource account deleted

Resource account not currently linked to midPoint user is deleted.

Nothing is changed in midPoint.

5

Already linked resource account deleted

Resource account is deleted.

Existing midPoint user is either deleted or the resource account is unlinked (according to the resource configuration in <synchronization> part).

6

New resource account added on resource with Protected Accounts configuration matching the newly created account

New account is created on the resource (target system). User should not be created in midPoint, but protected account is visible during listing accounts of this resource and should be marked with yellow color.

User should not be created in midPoint, but protected account is visible during listing accounts of this resource and should be marked with yellow color.

7

New resource account created when resource unreachable for midPoint

New account is created on the resource (target system) while it is unreachable for midPoint (e.g. invalid port is used)

Synchronization should continue to poll for changes even if the resource is unreachable. After the connection is re-established, new user is created in midPoint based on the newly-created account (inbound expressions). + The resource account is linked to midPoint user.

8

New resource account created when resource unreachable for midPoint

New account is created on the resource (target system) that should be linked to an existing midPoint user, while it is unreachable for midPoint (e.g. invalid port is used)

Synchronization should continue to poll for changes even if the resource is unreachable. After the connection is re-established, existing midPoint user is updated based on the newly-created account (inbound expressions). + The resource account is linked to midPoint user.

9

Already linked resource account modified when resource unreachable for midPoint

Resource account attributes are modified while the resource is unreachable for midPoint (e.g. invalid port is used).

Synchronization should continue to poll for changes even if the resource is unreachable. After the connection is re-established, existing midPoint user is updated based on resource acount (inbound expressions).

10

Already linked resource account deleted when resource unreachable for midPoint

Resource account is deleted while the resource is unreachable for midPoint (e.g. invalid port is used).

Synchronization should continue to poll for changes even if the resource is unreachable. After the connection is re-established, existing midPoint user is either deleted or the resource account is unlinked (according to the resource configuration).

Advanced Account Tests

# Scenario Description Expected Results

1

New resource account with already existing name created

New account is created on the resource (target system). Duplicate account name is used.

New account is created on the resource with unique account iterator used instead of duplicate account name (e.g. username1).

2

Import accounts from resource (with no synchronization tasks running, but synchronization enabled + inbound expressions defined)

Import accounts is started for resource, where a few new accounts are created.

New users are created in midPoint based on the newly-created accounts (inbound expressions). + The resource accounts are linked to midPoint users.

3

Import accounts from resource (with no synchronization tasks running, but synchronization enabled + inbound expressions defined)

Import accounts is started for resource, where a few already existing accounts are modified

New users are created in midPoint based on the newly-created accounts (inbound expressions). + The resource accounts are linked to midPoint users. + Existing midPoint users are updated based on resource acounts (inbound expressions).

4

Import accounts from resource (with no synchronization tasks running, but synchronization enabled + inbound expressions defined)

Import accounts is started for resource, where some accounts are created, but configured as Protected Accounts in the resource object configuration

The protected accounts should not be created in midpoint as users, but they can be seen when listing resource accounts in midPoint, they can’t be modified or deleted.

5

List resource accounts

List resource accounts is started for resource

All resource accounts are listed for resource, protected accounts as well.

# Scenario Description Expected Results Activation mapping

1

Positive activation time constraint

.. Add activation mapping with time constrains to schema handling to CSV resource (replace old mapping),

.. Create new user in midpoint, add projection from resource and set value administrative status = disabled.

.. Click "Configuration"/"Internals configuration"/"Time change" and set time to 1 month from current date.

.. Wait for Trigger scan task to perform or activate it manually.

After the whole sequence:Account linked to user, which has been disabled for more or precisely one month should be deleted from midpoint and from target CSV resource

<activation>
    <existence>
        <outbound>
            <name>Default existence</name>
            <description>
                Default existence mapping needs to specified explicitly here.
                It is also set to be weak therefore the other mapping will take precedence.
            </description>
            <strength>weak</strength>
            <expression>
                <asIs/>
            </expression>
        </outbound>
        <outbound>
            <name>Delayed delete</name>
            <description>
                This mapping will be used only one month after the account is disabled.
                It result is constant "false" which causes the account to stop existing.
            </description>
            <timeFrom>
                <referenceTime>
                    <path>$shadow/activation/disableTimestamp</path>
                </referenceTime>
                <offset>P1M</offset>
            </timeFrom>
            <source>
                <path>$shadow/activation/administrativeStatus</path>
            </source>
            <expression>
                <value>false</value>
            </expression>
            <condition>
                <script>
                    <code>
                        import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
                        administrativeStatus == ActivationStatusType.DISABLED;
                    </code>
                </script>
            </condition>
        </outbound>
    </existence>
</activation>

2.

Negative activation time constraint

.. Add activation mapping with time constrains to schema handling to CSV resource,

.. Create new user in midpoint, set the value of validFrom attribute to 5 days after current date + 5 minutes after current time.

.. Assign account on CSV resource (not add projection!),

.. wait few minutes until current system time is the same as time in validFrom attribute,

.. wait for Trigger scan task to perform or activate it manually.

After the whole sequence:Account should be created in midpoint and on CSV resource linked to midpoint user. This account should be disabled.

<activation>
    <existence>
        <outbound>
            <name>Basic existence</name>
            <description>
                The default for account existence in this case is the existence of focus object (user).
                Is user exists, account should exist too. Also note that this mapping is weak which
                lets the other mapping to take precedence.
            </description>
            <strength>weak</strength>
            <expression>
                <path>$focusExists</path>
            </expression>
        </outbound>
        <outbound>
            <name>Pre-create</name>
            <description>
                The mapping above would cause the account to exist as soon as user appears.
                But we want to override that and prohibit account existence all the way up to
                5 days before user's validFrom. This mapping does right that.
            </description>
            <timeTo>
                <referenceTime>
                    <path>$focus/activation/validFrom</path>
                </referenceTime>
                <offset>-P5D</offset>
            </timeTo>
            <source>
                <path>$focus/activation/validFrom</path>
            </source>
            <expression>
                <value>false</value>
            </expression>
            <condition>
                <description>
                    This condition is not really necessary if all the uses will have a validFrom timestamp.
                    But if there is a user without validFrom then this mapping will be applied
                    indefinitely and the account will never be created. We want to avoid that.
                </description>
                <script>
                    <code>validFrom != null</code>
                </script>
            </condition>
        </outbound>
    </existence>
    <administrativeStatus>
        <outbound>
        <description>
            This mapping will make sure that if an account is created without a valid assignment
            (legal=false) then such account will be disabled. We need that because we are pre-provisioning
            accounts and we want them disabled when they are pre-provisioned.
        </description>
        <strength>strong</strength>
        <expression>
            <script>
                <code>
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
                    if (legal) {
                        input;
                    } else {
                        ActivationStatusType.DISABLED;
                    }
                </code>
            </script>
        </expression>
    </outbound>
        <inbound>
            <strength>weak</strength>
        </inbound>
    </administrativeStatus>
</activation>

Reconciliation tests.

Protected accounts test - reconciliation.

Multi-value versus single-value attributes and tests.

Resource capability tests versus GUI (non-existent capabilities).

Approval (experimental) tests.

Outbound Mappings

# Scenario Description Expected Results

1

Configure attribute to be tolerant. Create outbound mapping for that attribute. Manually modify the account (outside midpoint) to add more values than specified by the mapping. Run reconciliation.

All the values should remain, including the manually modified values.

2

Configure attribute to be non-tolerant. Create outbound mapping for that attribute. Manually modify the account (outside midpoint) to add more values than specified by the mapping. Run reconciliation.

The manually configured attribute values should be gone. Only the values specified by the mapping should remain.

Object Template Tests

# Scenario Description Expected Results Object Template mapping

1

Object template supplies default values.

(1) Click "Configuration/Import object", then import XML file with object template. Import file samples/objects/object-template-default.xml.
(2) Click "Configuration/System" and then set it over Object policies: Object type: userType, Object template: Default User Template 3, Save, Save (twice!)(3) Create user and fill required fields and fields given name and family name.
(4) Save user.

Fields full name and nick name are filled.

+

2

Object template replace fields values with default values.

(1) Edit user and fill required fields and fields given name and family name and full name, where full name is different as given and family name. Save user.
(2) Click "Configuration/Repository objects" and then set Object template. Edit Default User Template 3 and use strong mappings for full name. <strength>strong</strength>
(3) Edit user, you can change something and save user.

After (1) full name is filled with user defined value.After (3) full name is replaced with default value.

+

3

Make sure that you *have *imported resource Localhost OpenDJ (no extension schema) test from samples and if not then: Click "Configuration/Import object", then import XML file with resource. Import file samples/resources/opendj/opendj-localhost-resource-sync-no-extension-advanced-test.xml.(1) Click "Configuration/Repository objects" and then set Object template. Edit Default User Template 3 and insert mappings from example (Automatic assignment of OpenDJ resource).
(3) Create user and fill required fields.
(4) Save user.

User is created and an account is assigned to user.

<!-- Unconditional automatic assignment of OpenDJ resource -->
    <mapping>
        <expression>
            <value>
                <construction>
                    <resourceRef oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3e1a3" type="ResourceType"/>
                </construction>
            </value>
        </expression>
        <target>
            <path>assignment</path>
        </target>
    </mapping>

4

Conditional mapping in object template that creates role assignment.

Make sure that you *have *imported roles Sailor OpenDJ and Pirate OpenDJ from samples and if not then: Click "Configuration/Import object", then import XML files with role. Import files samples/roles/role-sailor-opendj.xml and then samples/roles/role-pirate-opendj.xml.(1) Click "Configuration/Repository objects" and then set Object template. Edit Default User Template 3 and insert mappings from example (Automatic assignment of Pirate role).
(3) Create user and fill required fields and fill field Employee Type = "PIRATE".
(4) Save user.

User is created and a role is assigned to user.

<!-- RB-RBAC functionality. The Pirate role is automatically assigned based on the value of employeeType property -->
    <mapping>
        <source>
            <path>employeeType</path>
        </source>
        <expression>
            <value>
                <targetRef oid="12345678-d34d-b33f-f00d-222222222222" type="RoleType"/>
            </value>
        </expression>
        <target>
            <path>assignment</path>
        </target>
        <condition>
            <script>
                <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
                <code>employeeType == 'PIRATE'</code>
            </script>
        </condition>
    </mapping>

5

Object template as situation reaction in synchronization.

Make sure that you have imported resource Localhost OpenDJ (no extension schema) test from samples and if not then: Click "Configuration/Import object", then import XML file with resource. Import file samples/resources/opendj/opendj-localhost-resource-sync-no-extension-advanced-test.xml.Make sure that you have imported Default User Template 2 from samples and if not then: Click "Configuration/Import object", then import XML file with object template. Import file samples/objects/object-template-action.xml.Make sure that you have imported task Reconciliation: OpenDJ from samples and if not then: Click "Configuration/Import object", then import XML file with task. Import file samples/tasks/recon-task-opendj-test.xml(1) Click "Resources" and then click on Localhost OpenDJ (no extension schema) test and edit resource. Insert objectTemplateRef from example (reaction part).
(2) Manually create some accounts in the OpenDJ - make sure you fill in also User ID (besides Last Name and Common Name), set Naming Attribute to uid.
(3) Click "Server Tasks" and check Reconciliation: OpenDJ test and click Run now on the bottom.

Users are created and accounts are linked to users and additional name is filled according to rules mapping.

<synchronization>
    ...
    <reaction>
        <situation>unmatched</situation>
        <objectTemplateRef oid="c0c010c0-d34d-b33f-f00d-777222222222"/>
        <action>
            <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#addUser</handlerUri>
        </action>

    </reaction>
    ...
</synchronization>

6

Object template includes another object template.

In this test, we will use configuration from previous test.(1) Add element from XML strip in this test to object template Default User Template 2, specifically before <mapping> elements.
(3) Add some users to OpenDJ resource manually (from OpenDJ console). (4) Run recon task (or, if synchronization is active, simply wait for next sync round).

Users are created and accounts are linked to users and full name, nick name and additional name are filled according to rules mapping.

<objectTemplate  oid="c0c010c0-d34d-b33f-f00d-777222222222">
   <name>Default User Template 2</name>
   <includeRef oid="c0c010c0-d34d-b33f-f00d-777333333333"/>
   <mapping>  ... </mapping>
</objectTemplate>

7

Resource specific object template test.

In this test, we will use configuration from previous test.(1) Remove <objectTemplateRef> from <reaction> to addUser action.
(2) Add element from XML strip in this test to OpenDJ resource object, specifically to part <synchronization>, <objectSynchronization> after elements <correlation> or <confirmation> (Depends on your configuration) just before <reaction> elements.
(3) Add some users to OpenDJ resource manually (from OpenDJ console). (4) Run recon task (or, if synchronization is active, simply wait for next sync round).

After the whole sequence:New users should be added to midpoint with linked accounts to OpenDJ resource. These users should containt additional name attribute with value defined by used object template.

<synchronization>
	<objectSynchronization>
		<correlation> ... </correlation>
			<objectTemplateRef oid="c0c010c0-d34d-b33f-f00d-777222222222"/>
		<reaction> ... </reaction>
	</objectSynchronization>
</synchronization>

Password Policy Tests

# Scenario Description Expected Results

1

Testing of actual Password Policy in midPoint

Click "Configuration/Repository objects" (Debug Pages) in midPoint. Then set Value Policy. Open Default Password Policy. Read points in the xml file, then create users with passwords which satisfy actual Password Policy.

User is created in midPoint without any error about satisfy Password Policy.

2

Negative testing.

Make mistakes in password (opposite of points in Password Policy) while creating user to see. if error messages are right.For example:
(1) set password = "s"
(2) set different password into password fields
(3) don’t set password

User is not created in midPoint after (1) and (2). midPoint shows error about every specific mistakes which is opposite to Password Policy.After (1) you should get an error like "Create user failed, reason: Provided password does not satisfy password policies. Required minimal size (5) of password is not met (password length: 1) Required minimal count of unique characters (3) in password are not met (unique characters in password 1)".After (2) you should get an error like "Passwords don’t match.".After (3) user should be created without credentials.

3

Testing own Password Policy.

Click "Configuration/Import object", then import XML file with password policy. Import file samples/policy/complex-password-policy.xml. + When import is done and successful click on "Configuration"/"System" and change Global password policy to "Complex Password Policy", Save.
Create users with new Password Policy.Complex Password Policy requires at least one lowercase letter, at least one uppercase letter, at least one digit and at least on special character in the password. The password must start with a lowercase letter and must be at least 6 characters long.Positive test - for example: set password = "skus*T2\*"Negative tests - for example from test scenario 2:

Import of Complex Password Policy should be successful.After Positive test user is created in midPoint.After Negative tests you should get an analogy or identical error messages.

Password Changing Tests

To configure Credentials page, please, make the following steps:

  1. Import Security Policy object (e.g. midpoint/sampRolesles/objects/security-policy-security-questions.xml)

  2. Open Configuration → Repository objects → select Security policy from dropdown list. Open Security Policy object for editing

  3. Inside <credentials> tag put the following xml code

<password>
<resetMethod>
<resetType>securityQuestions</resetType>
</resetMethod>
<propagationUserControl>mapping</propagationUserControl>
<passwordChangeSecurity>oldPassword</passwordChangeSecurity>
</password>

  • <propagationUserControl> tag can have values:
    "mapping" Credentials propagation will be determined by the mappings. User cannot choose where the credentials will be propagated. The credentials propagation dialog will not be shown.
    "userChoice" The user can choose where the credentials will be propagated. The propagation dialog will be shown.
    By default (in case if there is no Security Policy settings for propagationUserControl) the propagation dialog is shown.

  • <passwordChangeSecurity> tag can have values:
    "none" Password can be changed by supplying new value, no additional security.
    "oldPassword" User must supply old password to change the password.
    By default (in case if there is no Security Policy settings for passwordChangeSecurity) Old Password field is displayed for user.

    1. Add SecurityPolicyType reference to SystemConfiguration object

<globalSecurityPolicyRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" oid="{set here oid of the security policy object imported in the step 1}" type="tns:SecurityPolicyType">

# Scenario Description Expected Results

1

Invalid old password

On the Credentials page, fill in Old Password field with incorrect value. Fill in Password and Confirm Password fields with correct values.Try to save changes

Warning message that Old Password is incorrect is shown, new password isn’t changed

2

Valid old password, invalid new password

On the Credentials page, fill in Old Password field with correct value. Fill in Password and Confirm Password fields with values which don’t sutisfy Password Policy. Try to save changes

Warning message that Password doesn’t sutisfy Password policy is shown, new password isn’t changed

3

Valid old password, Valid new password.

On the Credentials page, fill in Old Password, Password and Confirm Password fields with correct values. Save changes

New password is saved successfully. Password has been changed for all accounts which have outbound mapping as well.

4

Valid old password, Valid new password. Account is selected in propagation dialog.

On the Credentials page, fill in Old Password, Password and Confirm Password fields with correct values. Expand Password propagation table. Select some account which doesn’t have any outbound mapping.Save changes

New password is saved successfully. Password has been changed for the selected account.

5

Changing password when resource is down

Prerequirement: some of accounts is to have resource with down connectionOn the Credentials page, fill in Old Password, Password and Confirm Password fields with correct values. Save changes

Password is changed for midpoint and for all accounts which have alive connection and have outbound mapping. Password isn’t changed for the account which has down resource connection. After connection comes alive, password is to be changed during reconcilation task or during some account update execution.

Provisioning Errors And Consistency Tests

Preparation:

  1. Clean the repo.

  2. Install and start OpenDJ.

  3. Import OpenDJ resource (opendj-localhost-resource-sync-no-extension-advanced.xml) and test this resource (this is important, as otherwise you would not get the schema of the resource, which causes severe problems to midPoint).

  4. Remove or suspend the synchronization task for this resource.

  5. Put OpenDJ down.

Then you can start testing:

# Scenario Description Expected Results

1

Create an account on unreachable resource

Create midPoint user "u1" and ADD (not assign) an projection on OpenDJ to him. + + As for attributes, fill-in Name, Full Name, Family Name, and Password.

(1) Yellow message "Could not create account on the resource, because resource: Localhost OpenDJ (no extension schema) (OID:ef2bc95b-76e0-48e2-86d6-3d4f02d3e1a2) is unreachable at the moment. Shadow is stored in the repository and the account will be created when the resource goes online: Add object failed" should be displayed. + + (2) MidPoint user "u1" should be created. + + (3) Account shadow for "u1" should be created, with OperationResult of FATAL_ERROR.

2

Assign an account on unreachable resource

Create midPoint user "u2" and ASSIGN an account on OpenDJ to him.

The same as above.

3

Really create accounts in OpenDJ

(1) Start OpenDJ
(2) Test connection on OpenDJ resource
(3) Open "u1" and close it back. + (4) Open "u2" and close it back.

(1) No error messages should be displayed. + (2) Accounts "u1" and "u2" should be created in OpenDJ (verify via OpenDJ Control Panel / Manage Entries)
(3) Account shadows for "u1" and "u2" should have no OperationResult in them.

4

Modify account on unreachable resource

(1) Put OpenDJ down
(2) Modify u1 by changing Full Name to "u1a"

(1) Yellow message "Could not apply modifications to account on the resource: Localhost OpenDJ (no extension schema) (OID:ef2bc95b-76e0-48e2-86d6-3d4f02d3e1a2), because resource is unreachable. Modifications will be applied when the resource goes online: Adding attribute values failed: Adding attribute values failed" should be displayed and you should be redirected back to the list of users. + (2) MidPoint user "u1" should be changed to have full name = u1a
(3) Account shadow for "u1" should have OpResult with FATAL_ERROR.

5

Really modify account in OpenDJ

(1) Start OpenDJ + execute Test Resource
(2) Open "u1" and close it back.

(1) No error messages should be displayed. + (2) "u1" should have Common Name set to "u1a" in OpenDJ (verify via OpenDJ Control Panel / Manage Entries)
(3) Account shadow for "u1" should have no OperationResult in it.

6

Delete an account on unreachable resource

(1) Put down OpenDJ
(2) Delete midpoint users "u1" and "u2"

(1) Warning should appear
(2) Account shadows for "u1" and "u2" should indicate a failed operation.

7

Really delete the accounts.

(1) Start OpenDJ
(2) Import samples/tasks/recon-task-opendj.xml (or resume/schedule the task, if it’s already imported)
(3) After a while, suspend recon task

(1) Account shadows for "u1" and "u2" should disappear from repository. + (2) Accounts "u1" and "u2" should disappear from OpenDJ.

8

Creation + modification

(1) Stop OpenDJ
(2) Create user "u3" (name=fullname=familyname=u3) with assigned account on OpenDJ + Save it
(3) Open "u3" and modify fullname=u3a + Save it
(4) Start OpenDJ + test connection
(5) Open "u3" + Save it

After the whole sequence:
(1) user u3 (having fullname=u3a) with account on OpenDJ should exist
(2) AccountShadow for u3 should exist, with no OperationResult information
(3) account for u3 with CN=u3a should exist on OpenDJ

9

Series of modifications

(1) Stop OpenDJ
(2) Open "u3" and change fullname=u3b + Save it
(3) Open "u3" and change fullname=u3c, givenname=u3c + Save it
(4) Start OpenDJ
(5) Run reconciliation task on OpenDJ (and suspend it after finishing)

After the whole sequence:
(1) user u3 (having fullname=u3c, givenname=u3c) with account on OpenDJ should exist
(2) AccountShadow for u3 should exist, with no OperationResult information
(3) account for u3 with CN=u3c should exist on OpenDJ

10

Disable account on unreachable resource

(1) Create user "u4" in midPoint+OpenDJ
(2) Stop OpenDJ
(3) Disable account "u4" on OpenDJ + click Save
(4) Start OpenDJ
(5) Run reconciliation task on OpenDJ (once)

After (3):
- a warning "Could not apply modifications to account on the resource:" should be issued
After (5):
- account on OpenDJ should be disabled
- AccountShadow for u4 should be clear of any error notices

11

Assigning an already existing account

Prerequisites:
- OpenDJ running
- account with dn: uid=a,ou=People,dc=example,dc=com existing
- midPoint user nor account "a" existing
+ Steps:
(1) create user "a": name=fullname=familyname=a, assigned account on OpenDJ + Save

Account on OpenDJ should be linked to created midPoint user.

12

Automatically creating missing account

Prerequisites:
- OpenDJ running
- midPoint user "a" having account on OpenDJ
- OpenDJ account for "a" manually removed
- synchronization task disabled
+ Steps:
(1) open midPoint user "a"
(2) go back

Account for "a" should be recreated, and user should be notified about this.

13

Removing missing account

Prerequisites:
- OpenDJ running
- midPoint user "a" having account on OpenDJ
- OpenDJ account for "a" manually removed
- synchronization task disabled
+ Steps:
(1) remove midPoint user "a"

User "a" should be deleted with an appropriate message to the user.

14

Assigning an already existing account when resource is down

Prerequisites:
- OpenDJ stopped
- account with dn: uid=c,ou=People,dc=example,dc=com existing
- midPoint user nor account "c" existing
+ Steps:
(1) create user "c": name=fullname=familyname=c, assigned account on OpenDJ + Save
(2) start OpenDJ(3) Test connection(4) run reconciliation

After (1) :- a error "Communication error: javax.naming.CommunicationException(localhost:1389)→java.net.ConnectException(Connection refused: connect)"After (4) : midPoint user "c" should be linked to OpenDJ account "uid=c,…​there should be a reasonable message in the log file
(currently there are misleading errors reported, see MID-1085, comment)

15

Removing already deleted account when resource is down

Prerequisites:
- midPoint user "c" having account on OpenDJ
- OpenDJ account for "c" manually removed
- synchronization task disabled
- OpenDJ put down
+ Steps:
(1) remove midPoint user "c"
(2) start OpenDJ(3) Test connection(4) run reconciliation

After (1) :- a warning "Could not delete shadow from the resource resource: Localhost OpenDJ (no extension schema) (OID:ef2bc95b-76e0-48e2-86d6-3d4f02d3e1a2), because resource is unreachable. Account will be delete when the resource goes online: Removing attribute values failed
After (4) : midPoint user "c" nor OpenDJ account "uid=c,…​" should exist (2) there should be reasonable message(s) in log file
(currently there is an error without indication that it was in fact handled, see MID-1085, comment)

16

Synchronization of a change to resource which is down

TODO

Multi-node task manager component with HA support

Multi-node midPoint setup is a bit more complex than the single-node one; in the following aspects:

  1. Database must not be embedded - because it is shared, it must be started independently of the two (or more) nodes.

  2. There are some parameters that have to be filled-in, namely node name and JMX-related parameters, which are necessary for inter-node communication.

For more information, see Task Manager Configuration article. For best testing results, set the threads parameter of both nodes to 6 (i.e. a value lower than the number of tasks).

Clustering and basic task failover

# Scenario Description Expected results

1

Basic setup of a cluster

(1) Start an independent database and two cluster nodes. + (2) Go to Tasks section and see the list of nodes.

There should be two nodes, both in the "running" state, "clustered" marked as true, with last check-in time under "10 seconds ago".

2

Distribute work within cluster

(1) Import samples/tasks/clustering-and-basic-failover.xml file
(2) Wait a few seconds

The tasks should be distributed on Node1 and Node2. (The distribution would probably be not much fair, but you should be able to see that some tasks are running on Node1 and some on Node2; maybe during a few refreshes of the task list. Generally, the node that imported the tasks will be a bit preferred in their execution.)

3

Failover tasks to a node

(1) Click "Configuration/Basic" in midPoint. Set tab page "Logging", press button "Add logger" and insert loggers com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor, com.evolveum.midpoint.task.quartzimpl.handlers.NoOpTaskHandler. Then click "Save".(2) Stop Node1, by shutting down its tomcat (CTRL + C). Try to stop Node1 while one or more tasks are executing on it.(3) Wait a few seconds

All tasks should be moved to Node2. Node1’s status should be "Stopped" and then "Turned off". + + The log at Node1 should contain a couple of messages similar to the following (one for each task executing at Node1):
+ 2012-12-01 23:32:00,515 [] [midPointScheduler_Worker-7] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Node going down:*Rescheduling resilient task to run immediately; task = Task(id:10000001-0000-0000-0000-123450000004, name:*Task4: every 26 seconds, takes 24x1 sec, oid:00000001-0000-0000-0000-123450000004)
+ …​and, these tasks should be started on Node2 almost immediately, e.g.:
+ 2012-12-01 23:32:01,265 [] [midPointScheduler_Worker-4] INFO (com.evolveum.midpoint.task.quartzimpl.handlers.NoOpTaskHandler): NoOpTaskHandler*run starting; progress = 332, steps to be executed = 24, delay for one step = 1000 in task *Task4: every 26 seconds, takes 24x1 sec

4

Redistribute work after node goes up

(1) Start Node1 back
(2) Wait a few seconds

The tasks should be again distributed on Node1 and Node2. Node1’s status should be "Running".

5

Failover tasks to a node, by killing the tomcat

(1) Click "Configuration/Basic" in midPoint. Set tab page "Logging", press button "Add logger" and insert loggers org.quartz.impl.jdbcjobstore.JobStoreTX. Then click "Save".(2) As (3) & (4) but by stopping the tomcat abruptly via OS (kill, process deletion).

as (3) & (4) with an exception that
+ (1) Node1’s status after being killed should be "Unreachable", with an error message like "Cannot connect to the remote node: Failed to retrieve RMIServer stub: javax.naming.ServiceUnavailableException (…​)", after a while (~30 seconds) changing to "Turned off"
+ (2) The log at Node2 should contain messages similar to the following:
+ 2012-12-01 23:54:16,687 [TASKMANAGER] [QuartzScheduler_midPointScheduler-Node2_ClusterManager] INFO (org.quartz.impl.jdbcjobstore.JobStoreTX): ClusterManager: detected 1 failed or restarted instances.
2012-12-01 23:54:16,687 [TASKMANAGER] [QuartzScheduler_midPointScheduler-Node2_ClusterManager] INFO (org.quartz.impl.jdbcjobstore.JobStoreTX): ClusterManager: Scanning for instance "Node1"'s failed in-progress jobs. + 2012-12-01 23:54:16,703 [TASKMANAGER] [QuartzScheduler_midPointScheduler-Node2_ClusterManager] INFO (org.quartz.impl.jdbcjobstore.JobStoreTX): ClusterManager: …​…​Scheduled 6 recoverable job(s) for recovery.
2012-12-01 23:54:16,765 [] [midPointScheduler_Worker-3] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor):Recovering resilient taskTask(id:10000001-0000-0000-0000-123450000001, name:Task1: every 20 seconds, takes 18x1 sec, oid:00000001-0000-0000-0000-123450000001)
2012-12-01 23:54:16,781 [] [midPointScheduler_Worker-4] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor):Recovering resilient taskTask(id:10000001-0000-0000-0000-123450000004, name:Task4: every 26 seconds, takes 24x1 sec, oid:00000001-0000-0000-0000-123450000004)
2012-12-01 23:54:16,937 [] [midPointScheduler_Worker-5] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor):Recovering resilient task Task(id:10000001-0000-0000-0000-123450000003, name:Task3: every 24 seconds, takes 22x1 sec, oid:00000001-0000-0000-0000-123450000003)
2012-12-01 23:54:16,984 [] [midPointScheduler_Worker-5] INFO (com.evolveum.midpoint.task.quartzimpl.handlers.NoOpTaskHandler): NoOpTaskHandler run starting; progress = 1455, steps to be executed = 22, delay for one step = 1000 in task Task3: every 24 seconds, takes 22x1 sec
2012-12-01 23:54:17,000 [] [midPointScheduler_Worker-6] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Recovering resilient task Task(id:10000001-0000-0000-0000-123450000002, name:Task2: every 22 seconds, takes 20x1 sec, oid:00000001-0000-0000-0000-123450000002)
2012-12-01 23:54:17,156 [] [midPointScheduler_Worker-4] INFO (com.evolveum.midpoint.task.quartzimpl.handlers.NoOpTaskHandler): NoOpTaskHandler run starting; progress = 1464, steps to be executed = 24, delay for one step = 1000 in task Task4: every 26 seconds, takes 24x1 sec
2012-12-01 23:54:17,156 [] [midPointScheduler_Worker-4] INFO (com.evolveum.midpoint.task.quartzimpl.handlers.NoOpTaskHandler): NoOpTaskHandler: executing step 1 of 24 in task Task4: every 26 seconds, takes 24x1 sec
…​

6

Stop scheduler on Node1

Select Node1 and stop the scheduler on it. (Or, do this test on a node that executes a majority of tasks at the particular moment.)

The node status goes to "Stopped", but tasks remain running on it. After completion, tasks are scheduled on the other node.

7

Start scheduler on Node1

Select the node and click on "Start scheduler"

Tasks should be distributed on both nodes again.

8

Stop scheduler and tasks

The same as #6 but select "Stop scheduler + tasks" instead.

The node status goes to "Stopped" and all tasks are immediately rescheduled on the other node. In the log there should be messages like this:
+ 2012-12-02 00:05:35,031 [] [midPointScheduler_Worker-4] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): *Node going down:*Rescheduling resilient task to run immediately; task = Task(id:10000001-0000-0000-0000-123450000002, name:Task2: every 22 seconds, takes 20x1 sec, oid:00000001-0000-0000-0000-123450000002)

9

Abrupt shutdown of whole cluster

Run two-nodes cluster. Kill both tomcats. Restart both tomcats.

Tasks should be restarted. In logs on two nodes there should be something like this:
+ 2012-12-03 12:07:59,869 [] [midPointScheduler_Worker-1] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Recovering resilient task Task(id:10000001-0000-0000-0000-123450000005, name:Task5: every 19 seconds, takes 18x1 sec, oid:00000001-0000-0000-0000-123450000005)
2012-12-03 12:08:00,072 [] [midPointScheduler_Worker-2] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Recovering resilient task Task(id:10000001-0000-0000-0000-123450000002, name:Task2: every 22 seconds, takes 20x1 sec, oid:00000001-0000-0000-0000-123450000002)
2012-12-03 12:08:00,103 [] [midPointScheduler_Worker-5] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Recovering resilient task Task(id:10000001-0000-0000-0000-123450000004, name:Task4: every 26 seconds, takes 24x1 sec, oid:00000001-0000-0000-0000-123450000004)
2012-12-03 12:08:00,103 [] [midPointScheduler_Worker-4] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Recovering resilient task Task(id:10000001-0000-0000-0000-123450000001, name:Task1: every 20 seconds, takes 18x1 sec, oid:00000001-0000-0000-0000-123450000001)
+ 2012-12-03 12:07:59,916 [] [midPointScheduler_Worker-1] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Recovering resilient task Task(id:10000001-0000-0000-0000-123450000003, name:Task3: every 24 seconds, takes 22x1 sec, oid:00000001-0000-0000-0000-123450000003)
2012-12-03 12:08:00,135 [] [midPointScheduler_Worker-2] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Recovering resilient task Task(id:10000001-0000-0000-0000-123450000007, name:Task7: every 2 seconds, takes 1 sec, oid:00000001-0000-0000-0000-123450000007)
+ Each task that was running at the moment of tomcat killing should be listed there - each task in one of the logs (but not in both).

Task suspension, resuming, deletion

# Scenario Description Expected results

1

Preparing the environment

(1) Start an independent database and two cluster nodes. + (2) Remove all existing tasks
(3) Import samples/tasks/task-suspension.xml

There should be 4 tasks running.

2

Suspending the tasks

Select all tasks and click "suspend". Do it from the node on which tasks are executing.

Yellow message "
Task(s) suspension has been successfully requested; please check for its completion using task list." should be displayed, because one of the tasks is ill-behaving, i.e. not checking the "stop" flag frequently enough.Tasks 1, 3, 4 should be marked as "Suspended", Task 2 probably as "Running".
When refreshing after ~10 seconds, all tasks should be marked as "Suspended".

3

Resuming the tasks

Select all tasks and click "resume".

Green message should appear and all tasks should be marked as "Running" (if they are "Runnable", refresh the screen after a second or two).

4

Suspending the tasks remotely

Log-in on the other node (i.e. on a node which is not executing the tasks, or, at least, which is not executing the majority of tasks) and suspend the tasks.

The result should be the same as in #2.

5

Deleting the tasks.

Resume all tasks and after a while, delete them.

Yellow message "Deleting a task that seems to be currently executing on node NodeX" should appear. It is because Task2 cannot be suspended (it is not checking its stop flag frequently enough). + All tasks should be deleted. + However, in log file there should be something like this:
2012-12-03 13:10:31,916 [] [midPointScheduler_Worker-6] INFO (com.evolveum.midpoint.task.quartzimpl.handlers.NoOpTaskHandler): NoOpTaskHandler: got a shutdown request, finishing task Task4: non-resilient task
(3600x1s, a 3600s)
2012-12-03 13:10:32,619 [] [midPointScheduler_Worker-3] INFO (com.evolveum.midpoint.task.quartzimpl.handlers.NoOpTaskHandler): NoOpTaskHandler: got a shutdown request, finishing task Task1: long-running task (3600x1s, a 3600s)
2012-12-03 13:10:35,838 [] [midPointScheduler_Worker-1] INFO (com.evolveum.midpoint.task.quartzimpl.handlers.NoOpTaskHandler): NoOpTaskHandler: got a shutdown request, finishing task Task2: long-running, ill-behaved task (360x10s, a 3600s)
2012-12-03 13:10:35,916 [] [midPointScheduler_Worker-1] ERROR (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Task handler threw unexpected exception: com.evolveum.midpoint.util.exception.SystemException: Set property has thrown an exception
com.evolveum.midpoint.util.exception.SystemException: Set property has thrown an exception
at com.evolveum.midpoint.task.quartzimpl.handlers.NoOpTaskHandler.run(NoOpTaskHandler.java:142) ~[task-quartz-impl-2.1-SNAPSHOT.jar:na]
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeHandler(JobExecutor.java:396) [task-quartz-impl-2.1-SNAPSHOT.jar:na]
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.executeRecurrentTask(JobExecutor.java:284) [task-quartz-impl-2.1-SNAPSHOT.jar:na]
at com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor.execute(JobExecutor.java:110) [task-quartz-impl-2.1-SNAPSHOT.jar:na]
at org.quartz.core.JobRunShell.run(JobRunShell.java:213) [quartz-2.1.3.jar:na]
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557) [quartz-2.1.3.jar:na]
Caused by: com.evolveum.midpoint.util.exception.ObjectNotFoundException: Object of type 'TaskType' with oid '00000002-0000-0000-0000-123450000002' was not found.
at com.evolveum.midpoint.repo.sql.SqlRepositoryServiceImpl.getObject(SqlRepositoryServiceImpl.java:104) ~[repo-sql-impl-2.1-SNAPSHOT.jar:na]
(…​)
(and a couple of related errors).Please note that the error messages may or may not be present, depending on exact timing of deletion operation and task executions.

6

Deleting the task tree.

(1) Import samples/tasks/task-tree.xml.(2) Go to Tasks, and delete task named DeleteTaskTree-parent.

After (2), the green message bar should appear.The subtasks should be gone as well - check the "show subtasks" box and verify that there are no tasks named DeleteTaskTree-{parent, child1, child2} present.

Non-resilient tasks

# Scenario Description Expected results

1

Preparing the environment

(1) Start an independent database and two cluster nodes. + (2) Remove all existing tasks. + (3) Import samples/tasks/non-resilient-tasks.xml

There should be 5 tasks running.

2

Stop the scheduler

Execute "Stop scheduler + tasks" function on node on which the tasks are running. (We suppose all tasks are running on single node; if they are not, it is possible to cause this by importing the tasks while only one of the nodes is up.)

Yellow message "Selected node scheduler(s) have been successfully paused; however, some of the tasks they were executing are still running on them. Please check their completion using task list."Tasks 1 and 2 should be suspended. + Task 3 should be closed. + Task 4 should be running on the other node. + Task 5 should be scheduled to start approximately in 1 hour.

3

Stop the node.

Delete and reimport the tasks, and then shutdown the tomcat on which the tasks are executing.

The status of tasks should be the same as in #2.
+ By the way, as part of node shutdown messages, there should be something like this in the log of node being shut down:
+ 2012-12-03 13:27:42,041 [] [midPointScheduler_Worker-4] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Suspending non-resilient task on node shutdown; task = Task(id:10000003-0000-0000-0000-123450000002, name:*Task2*: single-run, TSA=suspend (3600x1s), oid:00000003-0000-0000-0000-123450000002)
…​
2012-12-03 13:27:43,041 [] [midPointScheduler_Worker-2] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Closing non-resilient task on node shutdown; task = Task(id:10000003-0000-0000-0000-123450000003, name:*Task3*: recurring, TSA=close (3600x1s, a 3600s), oid:00000003-0000-0000-0000-123450000003)
…​
2012-12-03 13:27:43,213 [] [midPointScheduler_Worker-1] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Suspending non-resilient task on node shutdown; task = Task(id:10000003-0000-0000-0000-123450000001, name:*Task1*: recurring, TSA=suspend (3600x1s, a 3600s), oid:00000003-0000-0000-0000-123450000001)
…​
2012-12-03 13:27:43,525 [] [midPointScheduler_Worker-3] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Node going down: Rescheduling resilient task to run immediately; task = Task(id:10000003-0000-0000-0000-123450000004, name:*Task4*: recurring, TSA=restart (3600x1s, a 3600s), oid:00000003-0000-0000-0000-123450000004)

4

Kill the node.

The same as #3 but stop the tomcat using OS (kill/process deletion).

The same as in #2 (but wait ~10 seconds before trying, in order to let the quartz detect node problem). + + There should be something like this in the log of node where the tasks are restarting:
+ 2012-12-03 13:43:38,619 [TASKMANAGER] [QuartzScheduler_midPointScheduler-Node2_ClusterManager] INFO (org.quartz.impl.jdbcjobstore.JobStoreTX): ClusterManager: detected 1 failed or restarted instances.
…​
2012-12-03 13:43:43,197 [TASKMANAGER] [QuartzScheduler_midPointScheduler-Node2_ClusterManager] INFO (org.quartz.impl.jdbcjobstore.JobStoreTX): ClusterManager: …​…​Scheduled 5 recoverable job(s) for recovery.
2012-12-03 13:43:43,260 [] [midPointScheduler_Worker-1] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Suspending recovered non-resilient task Task(id:10000003-0000-0000-0000-123450000002, name:*Task2*: single-run, TSA=suspend (3600x1s), oid:00000003-0000-0000-0000-123450000002)
…​
2012-12-03 13:43:43,275 [] [midPointScheduler_Worker-4] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Closing recovered non-resilient task Task(id:10000003-0000-0000-0000-123450000003, name:*Task3*: recurring, TSA=close (3600x1s, a 3600s), oid:00000003-0000-0000-0000-123450000003)
…​
2012-12-03 13:43:43,306 [] [midPointScheduler_Worker-3] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Recovering resilient task Task(id:10000003-0000-0000-0000-123450000004, name:*Task4*: recurring, TSA=restart (3600x1s, a 3600s), oid:00000003-0000-0000-0000-123450000004)
…​
2012-12-03 13:43:43,306 [] [midPointScheduler_Worker-2] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Suspending recovered non-resilient task Task(id:10000003-0000-0000-0000-123450000001, name:*Task1*: recurring, TSA=suspend (3600x1s, a 3600s), oid:00000003-0000-0000-0000-123450000001)
…​
2012-12-03 13:43:43,306 [] [midPointScheduler_Worker-5] INFO (com.evolveum.midpoint.task.quartzimpl.execution.JobExecutor): Recovering resilient task with RESCHEDULE thread stop action - exiting the execution, the task will be rescheduled; task = Task(id:10000003-0000-0000-0000-123450000005, name:*Task5*: recurring, TSA=reschedule (3600x1s, a 3600s), oid:00000003-0000-0000-0000-123450000005)=

Advanced scheduling features

# Scenario Description Expected results

1

Basic test

(1) Start an independent database and two cluster nodes. + (2) Remove all existing tasks. + (3) Edit samples/tasks/advanced-task-scheduling.xml and set earliest and latest start time of Task3 to values in the near future. + (4) Import that file.

Task1 should be executed every 5 seconds. + Task2 should be executed every 5 minutes, namely on 00, 05, 10, …​, 55-th minute of every hour. + Task3 should be executed only within time interval you specified. + Task4 and Task5 should be executed.

2

MisfireAction test

(1) Stop schedulers on all nodes (use "stop scheduler", not "stop scheduler + tasks")
(2) Wait ~5 minutes (long enough for Task4 and Task5 to miss their scheduled start time by 60 seconds or more). + (3) Start at least one scheduler.

Task5 should execute almost immediately after starting the scheduler; you should not wait more than ~60 seconds. + Task4 should execute only after its next scheduled time (occurring every 5 minutes) comes.

3

MisfireAction test with node down

the same as #2, except that the whole node is put down for the waiting time
+ Be sure, however, to stop the tomcat while tasks are not running. (They run for 60 seconds each.) Otherwise, threadStopAction would get into play, which, because of its default value of executeImmediately, would mean that both tasks would start immediately after bringing the node up.

the same as #2

Limiting tasks executing in parallel (MID-2925)

# Scenario Description Expected results

1

Task exclusion in non-clustered environment

(1) Create a non-clustered environment (default midPoint installation, with default config - not using clustering nor JDBC job store)
(2) Remove all existing tasks.
(3) Make sure the node allows execution of any tasks e.g. by removing taskExecutionLimitations item from it (via Repository Objects).
(4) Import samples/tasks/limiting-parallel-execution.xml

Only one of Task1, Task2 should execute at any given moment.The other one should display "retry in NNN seconds" in the "Scheduled to start again" column.

2

Suspending one of the tasks

(1) Choose a task from the pair that is currently executing and suspend it
(2) Wait until the retry time for the second task arrives

The task that was waiting should start.

3

Task exclusion in clustered environment

Repeat tests 1 and 2 in two-nodes cluster. Also here remove taskExecutionLimitations from all nodes.

The tests should behave in the same way as in non-clustered environment.

4

Running 2 out of 3 tasks - non-clustered

(1) Create a non-clustered environment. Remove taskExecutionLimitations from the node.
(2) Remove all existing tasks.
(3) Import samples/tasks/limiting-parallel-execution-2.xml

Only two of Task1, Task2, Task3 should execute at any given moment.The other one should display "retry in NNN seconds". The NNN should go down from 17 to 1.

5

Suspending one of the tasks

(1) Choose a task from the three that is currently executing and suspend it
(2) Wait until the retry time for the waiting task arrives

The task that was waiting should start.

6

"2 of 3" task exclusion in clustered environment

Repeat tests 4 and 5 in two-nodes cluster.

The tests should behave in the same way as in non-clustered environment.

Node-sticky tasks (MID-4062)

# Scenario Description Expected results

1

No groups defined

  1. Start with 2-nodes cluster, without any custom tasks.

  2. Import samples/tasks/clustering-and-basic-failover.xml file.

  3. Delete Task6 and Task7, we won’t need them.

  4. Wait a few seconds

The tasks should be (in any way) distributed on Node1 and Node2.

2

Groups defined

  1. Set Execution group for Task1 and Task2 to Node2 (see Node-sticky tasks HOWTO)

  2. Wait around 30 seconds

When editing the tasks via GUI, Node2 should be shown in "nodes allowed to run tasks in this group".
These tasks should then really execute on Node2 only.

3

Not executable group name

  1. Set Execution group for Task1 to some non-existing value, like abcdef.

  2. Wait around 30 seconds.

Task1 should be Runnable but not Running. There’s no node it could run on. In GUI, "nodes allowed to run tasks in this group" should be empty.

3

Stopping tomcat (Ctrl+C)

  1. Set Execution group for Task1..5 to Node2.

  2. Wait until all these tasks run on Node2.

  3. Stop Node2, by shutting down its tomcat (CTRL + C). Try to stop Node2 while one or more tasks are executing on it.

  4. Wait a few seconds.

Tasks 1..5 should not run. *In the idm.log file for Node1 there must not be any trace of running these tasks!*Node2’s status should be "Stopped" and then "Turned off".

4

Resuming tasks on correct node

  1. Start Node2 back

  2. Wait a few seconds

Node2’s status should be "Running". Tasks 1..5 should be executing on Node2. In the idm.log file for Node1 still must not be any trace of running these tasks!

5

Killing tomcat

  1. Make sure that execution group for Task1..5 is still set to Node2.

  2. Wait until all these tasks run on Node2.

  3. Stop Node2, by stopping the tomcat abruptly via OS (kill, process deletion). Try to stop Node2 while one or more tasks are executing on it.

  4. Wait a few seconds.

Again, make sure that in the idm.log file for Node1 there is no trace of running these tasks!

6

Resuming tasks on correct node

  1. Start Node2 back

  2. Wait a few seconds

Node2’s status should be "Running". Tasks 1..5 should be executing on Node2. In the idm.log file for Node1 still must not be any trace of running these tasks!

Import From File And Resource Tests

Import from file

# Scenario Description Expected results

1

Successful import from file.

Click "Configuration/Import object", then import XML file with user. Import file samples/objects/user-jack-with-password-no-oid.xml.

You should get success message and user "jack1" should be created. + Note the OID of jack1. The password of jack1 should be encrypted.

2

Importing already existing object

Click "Configuration/Import object", then import same XML file with user. Import file samples/objects/user-jack-with-password-no-oid.xml.

An error message describing that object already exists should be shown.

3

Importing existing object with override.

Click "Configuration/Import object", then import same XML file with user. Check the "Overwrite existing object". Import file samples/objects/user-jack-with-password-no-oid.xml.

Success message should be displayed. The OID of user jack1 should be different from the one in scenario #1.

4

Disable "protected by encryption", enable "keep OID".

Click "Configuration/Import object", then import same XML file with user. Check the "Overwrite existing object" and "Keep OID" and uncheck "Protected by encryption". Import file samples/objects/user-jack-with-password-no-oid.xml.

Success message should be displayed. User jack1 should be overwritten by an object having password "a123456" stored in plain text. OID of user jack1 should stay the same.

5

Referential integrity.

Make sure that you have not imported OpenDJ resource from samples and then:
Click "Configuration/Import object", then import XML file with task.(1) Check the "Referential integrity" and import file samples/tasks/recon-task-opendj.xml.
(2) Uncheck the "Referential integrity" and repeat the operation.

After (1) you should get an error like "Reference (midpoint.evolveum.com/xml/ns/public/common/common-3)objectRef refers to a non-existing object ef2bc95b-76e0-48e2-86d6-3d4f02d3e1a2" and the object should not be created. + After (2) you should get a warning instead and the object should be created.

6

Fetch resource schema.

Click "Configuration/Import object", then import XML file with resource. Check the "Fetch resource schema". Import file samples/resources/opendj/opendj-localhost-basic.xml.

Success message should be displayed. See Basic Localhost OpenDJ resource in debug pages ("Configuration/Repository objects/Resource"); it should contain schema information. + Currently this seems not to work (MID-1069).

7

Summarize successes.

Make sure that you have not imported Localhost CSV file resource from samples and then:
Click "Configuration/Import object", then import XML file with resource.(1) Check the "Summarize successes" and import file samples/resources/csvfile/localhost-csvfile-resource-advanced-sync.xml.
(2) Check the "Overwrite existing object". Uncheck the "Summarize successes" and repeat the operation.

After (1) success message should be displayed. After expand message you should see message "Import object (4 times)".After (2) success message should be displayed. After expand message you should see four messages "Import object".

8

Summarize errors.

Make sure that you* have* imported Localhost CSVfile resource from samples and then:
Click "Configuration/Import object", then import XML file with resource.
(1) Check the "Summarize errors" and import file samples/resources/csvfile/localhost-csvfile-resource-advanced-sync.xml.
(2) Uncheck the "Summarize errors" and repeat the operation.

After (1) you should get an error like "4 errors, 0 passed". After expand message you should see message "Import object (4 times)".After (2) you should get an error like "4 errors, 0 passed". After expand message you should see four messages "Import object".

9

Validate dynamic schema.

10

Validate static schema.

11

Stop after NNN errors.

Click "Configuration/Import object", then import XML file with tasks.(1) Import file samples/tasks/task-suspension.xml. + (2) Set "Stop after errors" to "2" and import it again.

After (2) you should get a message "Too many errors (2)" and see that only two objects were attempted to be imported.

Import from resource

# Scenario Description Expected results

1

Import from resource

(1) Import samples/resources/opendj/opendj-localhost-resource-sync-no-extension-advanced.xml
(2) Delete or suspend synchronization task for this resource - "Synchronization: Embedded Test OpenDJ (no extensions schema)".
(3) Manually create some accounts in the OpenDJ - make sure you fill in also User ID (besides Last Name and Common Name)
(4) Import accounts from that resource (Resources → select the resource → Import Accounts)

After carrying steps 1-4 from the description, the following should occur:
(1) Blue message "Task running in background" should be shown. + (2) A task named "Import from resource Localhost OpenDJ (no extension schema)" should be created. + (3) After a while, the task should successfully complete. + (4) Users who you have created in OpenDJ, should be stored as midPoint users, with OpenDJ accounts linked to them. + + In log file there should be a message like this:
Finished Import from resource (Task(id:xxxx, name:Import from resource Localhost OpenDJ (no extension schema), oid:xxxxx)). Processed 7 objects, got 0 errors.

Assignment Enforcement Policy Options Tests

Prerequisites

  • Imported Resource, Object Template and synchronization task from sample: localhost-csvfile-resource-advanced-sync.xml,

  • Synchronization task works correctly and performs expected functionality,

  • If not present, add following part of xml code into system configuration object:

AEP configuration
<globalAccountSynchronizationSettings>
	<assignmentPolicyEnforcement>none</assignmentPolicyEnforcement>
</globalAccountSynchronizationSettings>

This will configure Assignment Policy Enforcement in midpoint. We will start with value none and we will change it during this test session.

Scenarios

# Scenario Expected results

1

.. Create new user in midpoint.

.. Assign CSV account to this user.

.. Operation should be performed successfully. New user should be in midpoint.

.. Account assignment should be created, but it should be ignored. No account should be created in midpoint or on the resource.

2

.. Add account on CSV resource to user created in test 1.

.. Account should be created in midpoint and on the resource.

3

.. Unassign account assignment created in test 1.

.. Account should be unassigned. Account itself should remain in midpoint and on the resource.

4

.. Delete account created in test 2.

.. Account should be deleted from midpoint and from the CSV resource.

Now, set the Assignment Enforcement Policy value to: positive

# Scenario Expected results

5

.. Create new user in midpoint.

.. Assign account on CSV resource to this user.

.. Operation should be performed successfully,

.. Account assignment and account itself should be created. Account should be present on the resource.

6

.. Unassign account created in test 5.

.. Account should be unassigned but it should remain in midpoint and CSV resource as well.

7

.. Delete account created in test 5. (Account is without assignment right now)

.. Assign account on CSV resource to user created in test 5.

.. Try to delete this account now. (Account is with assignment right now)

.. Account should be deleted on resource and in midpoint.

.. Account should be created with assignment.

.. Account should not be deleted. Assignment policy violation error should be displayed.

8

.. Unassign account from previous test.

.. Delete this account.

.. Add new projection.

.. Assignment should be deleted.

.. Account should be deleted.

.. New account should be created on resource and in midpoint WITHOUT assignment.

Now, set the Assignment Enforcement Policy value to: relative

# Scenario Expected results

9

.. Create new user in midpoint.

.. Add projection on CSV resource to this user.

.. Operation should be performed successfully.

.. Account should be created in midpoint and on the CSV resource.

10

.. Delete account created in previous test. (should be without assignment right now)

.. Account should be deleted from midpoint and from resource.

11

.. Assign account to user created in test 9.

.. Account should be created both in midpoint and on the CSV resource.

12

.. Try to delete account created in previous test. (should contain assignment).

.. Unassign account.

.. Assignment policy validation error should be displayed

.. Account should be deleted in midpoint and on the CSV resource.

Now, set the Assignment Enforcement Policy value to: full

# Scenario Expected results

13

.. Create new user in midpoint.

.. Add projection to this user.

.. User should be created in midpoint.

.. Synchronization enforcement policy violation ERROR should be displayed.

14

.. Assign account to user created in previous test.

.. Account should be created in midpoint and on the resource.

15

.. Delete projection created in previous test (should have assignment now)

.. Assignment policy violation ERROR should be displayed. Account should not be deleted.

16

.. Unassign account created in test 14.

.. Account should be deleted in midpoint as well as on the resource.

Account behavior based on Assignment Enforcement Policy

AEP value Add Assign Delete (with assignment) Delete (without assignment) Unassign

none

created

ignored

deleted (assignment remains)

deleted

ignored
(unassigned)

positive

created

created

error

deleted

ignored
(unassigned)

relative

created

created

error

deleted

deleted

full

error

created

error

deleted

deleted

Mapping Features Tests

Prerequisites

  • Imported Resource, Object Template and synchronization task from sample: localhost-csvfile-resource-advanced-sync.xml,

  • Synchronization task works correctly and performs expected functionality.

  • Assignment policy enforcement should be set to "relative"

  • Manually import the following template

<objectTemplate oid="c0c010c0-d34d-b33f-f00d-777222222333">
        <name>User Template CSV sync</name>

        <description>
            Alternative User Template Object.
            This object is used when creating a new account, to set it up as needed.
        </description>

        <mapping>
            <description>
                Property mapping.
                Defines how properties of user object are set up.
                This specific definition sets a full name as a concatenation
                of givenName and familyName.
            </description>
            <strength>weak</strength>
            <source>
                <path>$user/givenName</path>
            </source>
            <source>
                <path>$user/familyName</path>
            </source>
            <expression>
                <script>
                    <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
                    <code>
                        givenName + ' ' + familyName
                    </code>
                </script>
            </expression>
            <target>
                <path>fullName</path>
            </target>
        </mapping>

    </objectTemplate>

…​and set the CSV resource so that it’s applied on unmatched situation (<objectTemplateRef oid="c0c010c0-d34d-b33f-f00d-777222222333"/> after <reaction><situation>unmatched</situation>). == Scenarios

# Scenario Description Expected results Mapping

1

Simple mapping test

.. Add mapping from appendix A to User Template CSV sync file‟:

.. manually create user on resource with name mappingTestOne,

.. wait for synchronization task to perform or manually import accounts from resource (do not forget to suspend sync task before manual account import).

1. Operation should be performed successfully.
3. New user should be created with linked account. Description attribute in user should contain:
User identified by name: mappingTestOne

<mapping>
	<source>
		<path>$user/name</path>
	</source>
	<expression>
		<script>
			<language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
			<code>
				'User identified by name: ' + name
			</code>
		</script>
	</expression>
	<target>
		<path>$user/description</path>
	</target>
</mapping>

2

Simple outbound and inbound mapping test(contains 2 tests)

.. Add mapping from appendix B to schemaHandling in csv resource Localhost CSVfile‟ (feel free to modify mapping with expression).

.. Create user in midpoint, fill recognizable description.

.. Manually add column description in csv file.

.. Old schema from Localhost CSVfile has to be deleted. After saving new schema is loaded automatically.

.. Add account on csv resource to this user.

1. Operation should be performed successfully.
3. CSV resource should contain account with filled description attribute.
4. User in midpoint should be created with filled description attribute.

<attribute>
	<ref>ri:description</ref>
	<displayName>Description</displayName>
	<description>Description attribute handling</description>
	<outbound>
		<source>
			<path>$user/description</path>
		</source>
	</outbound>
	<inbound>
		<target>
			<path>$user/description</path>
		</target>
	</inbound>
</attribute>

3

Complex mapping test, also tests groovy script evaluation

.. Replace description complex mapping from appendix C to object template User Template CSV sync file‟,

.. Manually create account on CSV resource, be sure to fill firstname and lastname attributes.

.. Operation should be performed successfully,

.. User should be created in midpoint. Users description attribute should contain value described by expression script.

<mapping>
	<source>
		<path>$user/name</path>
	</source>
	<source>
		<path>$user/givenName</path>
	</source>
	<source>
		<path>$user/familyName</path>
	</source>
	<expression>
		<script>
			<language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
			<code>
				'User identified by name: ' + name + ', Initials: ' + givenName?.getAt(0) + '.' + familyName?.getAt(0) + '.'
			</code>
		</script>
	</expression>
	<target>
		<path>$user/description</path>
	</target>
</mapping>

4

Complex mapping test with condition(contains 2 tests)

.. Add mapping from appendix D to object template User Template CSV sync file‟ (feel free to modify mapping with expression). Take a good look at conditions in this mapping.

.. Manually add account with name test1 on CSV resource, be sure to fill firstname and lastname attributes.

.. Manually add another account with name test2 on CSV resource, this time, do not fill firstname attribute.

.. Operation should be performed successfully,

.. User should be added to midpoint. Users‟ description attribute should be filled with value defined by mapping expression.

.. User should be created with empty description attribute.

<mapping>
	<source>
		<path>$user/name</path>
	</source>
	<source>
		<path>$user/givenName</path>
	</source>
	<source>
		<path>$user/familyName</path>
	</source>
	<expression>
		<script>
			<language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
			<code>
				'User identified by name: ' + name + ', Initials: ' + givenName?.getAt(0) + '.' + familyName?.getAt(0) + '.'
			</code>
		</script>
	</expression>
	<target>
		<path>$user/description</path>
	</target>
	<condition>
		<script>
			<code>!basic.isEmpty(givenName)</code>
		</script>
	</condition>
</mapping>

5

XPath expression script test scenario

.. Add complex mapping from appendix E to object template User Template CSV sync file‟,

.. Manually create account on CSV resource, be sure to fill firstname and lastname attributes.

.. Operation should be performed successfully,

.. User should be created in midpoint. Users description attribute should contain value described by expression script.

   <mapping>
      <source>
         <c:path>$user/c:name</c:path>
      </source>
      <source>
         <c:path>$user/c:givenName</c:path>
      </source>
      <source>
         <c:path>$user/c:familyName</c:path>
      </source>
      <expression>
         <script>
            <language>http://www.w3.org/TR/xpath/</language>
            <returnType>scalar</returnType>
            <code>
                declare namespace t="http://prism.evolveum.com/xml/ns/public/types-3";
                declare namespace c="http://midpoint.evolveum.com/xml/ns/public/common/common-3";
                concat('User identified by name: ', $c:name,' Full Name: ', $c:givenName, ' ' ,$c:familyName,'.')
            </code>
         </script>
      </expression>
      <target>
         <c:path>$user/description</c:path>
      </target>
   </mapping>

6

Javascript expression script test scenario

.. Replace expression in complex mapping from previous test with expression in appendix F in object template User Template CSV sync file‟,

.. Manually create account on CSV resource, be sure to fill firstname and lastname attributes.

.. Operation should be performed successfully,

.. User should be created in midpoint. Users description attribute should contain value described by expression script.

<expression>
	<script>
		<language>http://midpoint.evolveum.com/xml/ns/public/expression/language#ECMAScript</language>
		<code>
			'User identified by name: ' + name + ', Full Name: ' + givenName + ' ' + familyName + '.'
		</code>
	</script>
</expression>

7

Literal value expression test scenario

.. Replace description mapping from appendix G to object template User Template CSV sync file‟,

.. Manually create account on CSV resource.

.. Operation should be performed successfully,

.. User should be created in midpoint. Users description attribute should contain value Literal Value Description

<mapping>
	<expression>
		<value>Literal Value Description</value>
	</expression>
	<target>
		<path>$user/description</path>
	</target>
</mapping>

8

Multi literal value expression test scenario

.. Add mapping from appendix H to object template User Template CSV sync file‟,

.. Manually create account on CSV resource.

.. Operation should be performed successfully,

.. User should be created in midpoint. User should contain these Employee Type values: Owner, CEO, Administrator

<mapping>
	<expression>
		<value>Administrator</value>
		<value>CEO</value>
		<value>Owner</value>
	</expression>
	<target>
		<path>$user/employeeType</path>
	</target>
</mapping>

9

asIs expression test scenario

.. Add mapping from appendix I to object template User Template CSV sync file‟,

.. Manually create account on CSV resource.

.. Operation should be performed successfully,

.. User should be created in midpoint. User should contain same nickname value as is user name.

<mapping>
	<source>
		<path>$user/name</path>
	</source>
	<expression>
		<asIs/>
	</expression>
	<target>
		<path>$user/nickName</path>
	</target>
</mapping>

10

path expression test scenario

.. Replace nickName mapping from appendix J to object template User Template CSV sync file‟,

.. Manually create account on CSV resource.

.. Operation should be performed successfully,

.. User should be created in midpoint. User should contain same nickname value as is user name.

<mapping>
	<expression>
		<path>$user/name</path>
	</expression>
	<target>
		<path>$user/nickName</path>
	</target>
</mapping>

11

generate expression test scenario

.. Replace description mapping from appendix K to object template User Template CSV sync file‟,

.. Manually create account on CSV resource.

.. Operation should be performed successfully,

.. User should be created in midpoint. Attribute description of this user should contain generate value based on provided value policy.

   <mapping>
      <strength>strong</strength>
      <expression>
         <generate>
            <valuePolicyRef oid="00000000-0000-0000-0000-000000000003"/>
         </generate>
      </expression>
      <target>
         <path>$user/description</path>
      </target>
   </mapping>

12

channel in mappings test

.. Add mapping from appendix L to schemaHandling in CSV resource object. Remove description mapping from object template User Template CSV sync file‟

.. Manually create account on the CSV resource. Be sure to fill description attribute.

.. Suspend Synchronization: CSV File task in Server Tasks section in midpoint.

.. Manually create another user on the CSV resource. Be sure to fill description attribute.

.. Go to Resource section, click on Localhost CSVfile resource in resources list and click import accounts button.

.. Operation should perform successfully.

.. User should be created in midpoint with linked account on the CSV resource. Description attribute of created user should contain value SYNC.

.. Operation should perform successfully.

.. -

GUI authorization

Prerequisites

  • Get yourself familiar with the concept of role-based GUI authorization, read Authorization section from our wiki,

  • Create new user, fill out the very minimum and be sure to set Administrative Status value to enabled.

  • Create new role from Configuration - Repository Pages - Import - embedded editor using this XML sample:

<role oid="00000000-d34d-b33f-f00d-100000000001"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
      <name>testRole</name>
      <description>GUI authorization sanity test role</description>
      <authorization>
          <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#all</action>
      </authorization>
</role>

Scenarios

# Scenario Description Expected results

1

Log in without permission test

1. Log out from midpoint.
2. Try to log to midpoint with user created during prerequisites phase.

After:
Red message: Access denied. You don’t have permission to access, please contact midPoint’s administrators, should be displayed

2

Log in and interact with midpoint with maximum GUI access rights test

1. Log to midpoint as administrator, 2. Assign created test role to created test user, 3. Log out from midpoint, 4. Log in as test user, 5. Try to access to every possible part of midpoint GUI.

2. Operation should perform successfully, 4. Log in should be successful,5. Every page of midpoint GUI should be accessible.

3

Log in and interact with certain parts of midpoint depending on GUI access rights

1. Unassign test role from test user, 2. Assign End User role to this user, 3. Log out from midpoint, 4. Try to log in to midpoint.

1. And 2. Operation should perform successfully, 4. You should be logged to midpoint, but only be able to see your personal information in dashboard, Profile, interact with your passwords and Request a role.

4

Attempt to access restricted parts of midpoint GUI while logged in

1. Continue from state, in which previous test ended. Check, if you are still logged in with created test user. 2. Try to enter to for you restricted pages via direct URL access = paste URL http://localhost:8080/midpoint/admin/usersand hit enter.
(The URL can differ depending on your web container and midpoint deployment configuration)

2. You should be given following error message: HTTP Status 403 - Access denied, insufficient authorization, …​, Followed by more explanatory information.

5

Attempt to access restricted parts of midpoint GUI while logged out

1. Continue from state, in which previous test ended. 2. Log out from midpoint.3. Try to enter midpoint via direct URL access (be sure you are NOT logged in), e.g.
http://localhost:8080/midpoint/admin/users,

3. You should be redirected to login page.

6

Reload allowed actions for logged user after changes in roles definitions test

1. Log as administrator and assign created testRole to our user, please save. 2. Log out administrator from midpoint. 3. Log in to midpoint as user. 4. Open different web browser and log in as administrator. 5. Unassign testRole from logged test user (or restrict GUI access actions), please save.6. Log out user and try to log as user again.

6. The user (step 6) should be able perform all activities with midPoint while is still logged. As soon as user logs out his access is denied because of unassigning testRole by administrator in another web browser.This is currently not functional - MID-1420

Roles

Prerequisites

  • Imported resource from localhost-dbtable-advanced-nosync.xml or localhost-dbtable-advanced-sync.xml. Running synchronization is not needed.

  • Imported resource from localhost-csvfile-resource-advanced-nosync.xml or localhost-csvfile-resource-advanced-sync.xml. Running synchronization is not needed.

  • created new test user, this user will be used with following tests:

# Scenario Description Expected results XML strip

1

Create simple role

.. In user GUI, go to Configuration - Import object and use embedded editor to add XML from XML strip in this test,

.. Click save

Role should be saved successfully and shown in the list of roles in Roles - List roles in user GUI.

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
   <name>SimpleRole</name>
 <authorization>      <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-3#all</action>
   </authorization>
</role>

2

Assign simple role

.. Assign SimpleRole created in previous test to our test user,

.. log out from midpoint,

.. try to log in with test user

After 1: Role should be assigned successfully.

After 3: login should be successful, you should be able to browse to every part of midpoint GUI.

3

Unassign simple role

.. Unassign role from our test user.

.. Try to log out from midpoint and log back with test user

Unassignment should be succesfull and after it, you should not be able to log in with test user. Access denied. You don’t have permission to access, …​ message should be displayed.

4

Delete simple role

.. Simply delete our SimpleRole

SimpleRole should be deleted successfully

5

Role with inducement

.. Create new CSVrole by using XML strip from this test,

.. Assign this role to our test user.

After 2: Account should be created on CSV resource - this account should be linked to our test user.

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
   <name>CSVrole</name>
   <inducement>
        <construction>
            <resourceRef oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3fafe" type="c:ResourceType"/>
            <kind>account</kind>
        </construction>
    </inducement>
</role>

6

Role with inducement and expression

  1. Create new DBtableRole by using XML strip from this test,

  2. Assign this role to our test user.

After 2: Account should be created in database - this account should be linked to our test user. Also, accounts attribute description should contain value Anakin

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
   <name>DBtableRole</name>
   <inducement>
      <construction>
         <resourceRef oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3eeee" type="c:ResourceType"/>
         <kind>account</kind>
         <attribute>
            <ref>ri:description</ref>
            <outbound>
               <expression>
                  <value>Anakin</value>
               </expression>
            </outbound>
         </attribute>
      </construction>
   </inducement>
</role>

7

Role with inducement to another role

.. Unassign both previously assigned roles from our test user,

.. Create new role using XML strip in this test (be sure to provide correct oids from CSVrole and DBtableRole),

.. Assign new role to test user

After 1: Roles should be unassigned successfully and both accounts should be deleted from midpoint and from resource.

After 3: Role assignment should be successful and accounts should be created in midpoint and on both resources.

<role oid="12345678-d34d-b33f-f00d-988888888889"
        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
        xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
        xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>SuperRole</name>
    <inducement>
        <targetRef oid="4fdea2ea-9595-4e13-9ac2-83bde2a8cc98" type="RoleType"/>
    </inducement>
    <inducement>
        <targetRef oid="63a3fa23-9cd6-46e4-ab4c-d8aee9e924b7" type="RoleType"/>
    </inducement>
</role>

8

Role exclusion test

  1. Unassign role from our test user,

  2. Create new role using XML strip from this test,

  3. Assign new ExclusionRole to our test user (be sure to provide correct OID from CSVrole),

  4. Try to assign CVSrole to test user,

  5. Unassign ExclusionRole,

  6. Assign CSVrole,

  7. Try to assign Exclusion role

After 4: Update user failed: Violation of SoD policy error should be displayed and CSVrole should not be assigned to user.

After 7: Same as after 4.

   <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>ExclusionRole</name>
    <inducement>
        <construction>
            <resourceRef oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3eeee" type="c:ResourceType"/>
            <kind>account</kind>
        </construction>
    </inducement>
    <exclusion>
        <targetRef oid="63a3fa23-9cd6-46e4-ab4c-d8aee9e924b7" type="c:RoleType"/>
        <policy>enforce</policy>
    </exclusion>
</role>

9

Parametric role test

.. Unassign role from our test user,

.. Create one more test user, provide unique name,

.. Assign SuperRole to first test user, fill the description attribute during assignment,

.. Assign SuperRole to second test user, fill the description attribute during assignment with different value than in previous step.

After 4: Description is a role parameter. It’s value is not stored within role object, but within each user, to whom this role is assigned. Description attribute should be seen when browsing user.

Reports

Prerequisites

  • Imported initial reports (reconciliation report, users report, audit logs report

# Scenario Description Expected results XML strip

1

Run default AuditLog report

.. Log in as administrator

.. Go to Reports - List reports

.. Click Run Run report button for Audit Logs report

.. (wait for the task completion, see Server Tasks)

.. Go to Reports - Created Reports

.. Click Download for the report that has been just generated

.. View report

Report should contain audit log entries from the beginning of auditing until now.

2

Run default User report

.. Log in as administrator

.. Go to Reports - List Reports

.. Click Run Run report button for Users in midPoint report

.. (wait for the task completion, see Server Tasks)

.. Go to Reports - Created Reports

.. Click Download for the report that has been just generated

.. View report

Report should contain information about all users in midPoint, their assigned organizations, roles, accounts and linked accounts.

3

Run Reconciliation report

TODO

4

Change paremeters

TODO

5

Create report

TODO

Workflow Features

Prerequisites

Import users and roles from sample file: samples/roles/approvals-complete.xml

Scenarios

# Scenario Description Expected results Role XML

1

Basic single-user approval test (positive)

  1. Create new user for test purposes.

  2. Assign Sensitive Role 1 to the user created.

  3. Click to Work Items, you should see one process waiting for approval. Click approve.

After 2: You should see blue information message with information about start of the approval process. Role should not be assigned yet. In work items, you should see approval process containing information about all important aspects of this concrete approval process. When you open the user again, you should see there is one running task that concerns this user.

After 3: Role should be assigned to our test user. The information about task that concerns the user should be gone. The user’s metadata should contain modifyApproverRef pointing to the administrator (oid 000…​..0002).

2

Basic single-user approval test (negative)

  1. Create new user for test purposes.

  2. Assign Sensitive role 1 to this user.

  3. As Administrator, reject this approval.

After 2: same results as in previous test after step 3.

After 3: Role should not be assigned to our test user.

3

more approvers - all must agree strategy test

  1. Add role from XML strip in this test.

  2. Add new test user.

  3. Assign new role to our test user.

  4. Logged as administrator, approve this assignment on Work Items page.

  5. For user security assign Superuser role, Logged as Security User (security, pass: 123456), approve this assignment as well.

(Try to play more with this scenario, e.g. switching the order of assignments, or rejecting assignment by administrator or security user. Try this scenario with more approvals needed as well)

After 3: Approval process should be created, role should not be assigned yet.

After 4: Test user and security manager should see approval made by administrator, but role should not be assigned yet.

After 5: Role should be assigned to our test user. Element modifyApproverRef should contain both oids (administrator as well as security).

<role oid="12345678-d34d-b33f-f00d-000287987955"      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>Test Role 2</name>
    <approvalSchema>
        <name>All must agree schema</name>
		<level>
            <name>Administrators</name>
            <approverRef oid="00000000-0000-0000-0000-000000000002"
                         type="c:UserType">
            </approverRef>
            <approverRef oid="c168470c-bfef-414f-88b5-5d144f4f3d6c"
                         type="c:UserType">
            </approverRef>
            <evaluationStrategy>allMustApprove</evaluationStrategy>
        </level>
    </approvalSchema>
</role>

4

more approvers - first decides strategy test

  1. Add new role based on XML strip in this test.

  2. Create new user for test purposes.

  3. Assign role created in step 1 to user created in step 2.

  4. Assign Superuser ole to boss1 and boss2, Log in as boss1 or boss2 user and approve the role (passwords: 123456).

(experiment with this test, try to reject this role with one of the approvers etc.)

After 3: Approval process instance should be created, role should not be assigned to user yet.

After 4: Role should be assigned to user no matter if boss1 or boss2 approved this assignment.

<role oid="12345678-d34d-b33f-f00d-000287987990"      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>Test Role 3</name>
    <approvalSchema>
        <name>Sample Complex Schema 1</name>
        <level>
            <name>Bosses</name>
            <approverRef oid="75f2806d-e31b-40c9-8133-85ed4d9e6252"
            type="c:UserType">
            </approverRef>
            <approverRef oid="0e030e0c-a37d-47b2-bde8-f8e61e4a2bfb"
            type="c:UserType">
            </approverRef>
            <evaluationStrategy>firstDecides</evaluationStrategy>
        </level>
    </approvalSchema>
</role>

5

multi-level approval strategy test

  1. Import Sensitive Role 2 from samples/roles/sensitive-role-2.xml file,

  2. Create new test user,

  3. Assign this role to our user,

  4. Log in as either boss1 or boss2 and approve this assignment in Work Items section,

  5. Log in as administrator and approve this assignment,

  6. Log in as security and approve this assignment

(Experiment with this scenario, try to change the order of approvals or even add another level or more approvals, also, try to reject approval process in every step of approval processing)

After 3: Approval process instance should be created, role should not be assigned to user yet, approval task should be waiting for users boss1 and boss2, users administrator and security should not see new approval task yet.

After 4: Role assignment should continue with second level of security process, user administrator and security now can see new approval task.

After 6: Role should be assigned to user

6

execute after all approvals test

TODO

7

execute ASAP mode test

TODO

8

Condition in approvals test with org. struct.

  1. Import org-monkey-island-simple.xml from samples/org directory and the code from the XML snippet.

  2. Assign Sensitive Role 3 to Carla.

  3. Approve the assignment (as Guybrush)

After 2: Carla’s manager in Ministry of Rum, namely Guybrush Threepwood, gets a work item asking him to approve the role.

After 3: Carla gets Sensitive Role 3 assigned.

<role oid="12345678-d34d-b33f-f00d-000387987988"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>Sensitive Role 3</name>
    <approverExpression>
        <description>Get user's managers (except the user itself)</description>
        <script>
            <code>midpoint.getManagersOidsExceptUser(object)</code>
        </script>
    </approverExpression>
    <automaticallyApproved>
        <description>If the user works in F0006 (Scumm Bar), the assignment of this role is automatically approved for him.</description>
        <script>
            <code>midpoint.isMemberOf(object, midpoint.getOrgByName("F0006").getOid())</code>
        </script>
    </automaticallyApproved>
 </role>

9

Approver specification by expression test

Same as above, but this time assign this role to Scumm Bar Chef.

Because he is a member of F0006, you will see that even if approval process starts, it quickly finishes, and the role gets assigned to the user.

Workflow with deputies

Create users administrator-deputy, boss1-deputy, boss2-deputy, security-deputy as deputies of administrator, boss1, boss2, security respectively.

Repeat tests 1, 2, 3, 4, 5 but this time using deputies to approve/reject work items instead of original users.

# Scenario Description Expected Results Configuration

1

Basic Deputy Setup

1. Create new Deputy User.
2. Make sure that boss1 has a Superuser role.
3. List Roles and select the role Superuser that you want to delegate.
4. Set this role as delegable by setting the Delegable parameter.
5. Select user boss1 and add new delegation.
6. Set this delegation to Deputy User that you created at step 1. and limit privileges if needed.

+ After step 6. you are able to see delegation delegated to Deputy User created at step 1.

2

Delegation of Sensitive role approval

1. Create new Deputy User.
2. Assign the Sensitive Role 1 to boss2 and at properties set Relation to Approver
3. Approve the assign of the role in Work items.
4. Assign for user created at step 1. at least End user role (if other not required).
5. List Roles and select the Sensitive Role 1 that you want to delegate.
6. Set this role as delegable by setting the Delegable parameter.
7. Select boss2 user and add new delegation.
8. Set this delegation to Deputy User that you created at step 1. and limit privileges only for Sensitive Role 1.

After step 2. You should see blue information message with information about start of the approval process. Role should not be assigned yet. In work items, you should see approval process containing information about all important aspects of this concrete approval process.
When you open the user again, you should see there is one running task that concerns this user.After step 3. Role should be assigned to boss2 user.
After step 4. User created at step 1. should have assign a new role.
After step 8. You are able to see delegation delegated to Deputy User created at step 1. Now you are able to sign in as user from step 1. with Sensitive Role 1 - Approver permission.

Notifications

Prerequisites and instructions

For test purposes, we will work with notifications that are all sent to log file, so edit SystemConfiguration object in debug pages and add XML code seen below just after the logging element. This configuration tells midpoint, that all created notifications are routed to log files, specifically to mail-notifications.log and sms-notifications.log files located on C:\ partition. Feel free to configure this depending on your operating system and other preferences.

<notificationConfiguration>
	 <mail>
        <redirectToFile>C:\mail-notifications.log</redirectToFile>
    </mail>
    <sms>
        <redirectToFile>C:\sms-notifications.log</redirectToFile>
    </sms>
</notificationConfiguration>

With every user created, be sure to fill both telephone Number and e-mail user attributes.

When adding notification configuration code to system configuration file during every test, be sure to delete configuration code from previous test (or simply replace old code with new code).

Add CSV resource with synchronization capabilities to midPoint. Make sure synchronization task is running correctly.

Tests

# Scenario Description Expected results Configuration

1

Basic mail notification test

  1. Add xml code from configuration column to notificationConfiguration in systemConfiguration object,

  2. Create a user in midpoint, do not forget to fill e-mail address. Save this user.

  3. Modify this user, e.g. change description attribute. Save changes,

  4. Delete our user.

After 2: Notification containing user creation information should be logged to mail-notifications.log file.

After 3: Notification containing user modification information should be logged to mail-notifications.log file.

After 4: Notification containing user deletion information should be logged to mail-notifications.log file.

<handler>
  <simpleUserNotifier>
    <transport>mail</transport>
  </simpleUserNotifier>
</handler>

2

Basic sms notification test

  1. Add xml code from configuration column to notificationConfiguration in systemConfiguration object,

  2. Create a user in midpoint, do not forget to fill telephone number. Save this user.

  3. Modify this user, e.g. change description attribute. Save changes,

  4. Delete our user.

After 2: Notification containing user creation information should be logged to sms-notifications.log file.

After 3: Notification containing user modification information should be logged to sms-notifications.log.

After 4: Notification containing user deletion information should be logged to sms-notifications.log.

<handler>
  <simpleUserNotifier>
    <transport>sms</transport>
  </simpleUserNotifier>
</handler>

3

Simple account notifier test

  1. Add xml code from configuration column to notificationConfiguration in systemConfiguration object,

  2. Create a user in midpoint, do not forget to fill mail address. Save this user.

  3. Assign account to CSV resource.

  4. Modify this account, e.g. change description attribute. Save changes.

  5. Unassign account.

After 3: Notification containing account creation information should be logged to mail-notifications.log file.

After 4: Notification containing account modification information should be logged to mail-notifications.log.

After 5: Notification containing account deletion information should be logged to mail-notifications.log.

<handler>
  <simpleResourceObjectNotifier>
    <transport>mail</transport>
  </simpleResourceObjectNotifier>
</handler>

4

Simple user password notifier test

  1. Change password of user from previous test

After 1: Password notification change should be logged to mail-notifications.log.

<handler>
  <userPasswordNotifier>
    <transport>mail</transport>
  </userPasswordNotifier>
</handler>

5

Simple Workflow Notifier test

  1. Import Sensitive Role 1 from sample trunk\samples\roles\sensitive-role-1.

  2. Create new user with email address.

  3. Assign Sensitive Role 1 to created user.

  4. Approve this assignment with administrator in GUI in section Work Items. Be sure that administrator has email address set.

After 3: Notifications about workflow process instance start and work item created should be logged to mail-notifications.log file.

After 4: Notifications about workflow process instance end and work item end should be logged to mail-notifications.log file,

  • process related notifications should go to the requester,

  • work item related notifications should go to the approver

<handler>
  <simpleWorkflowNotifier>
    <transport>mail</transport>
  </simpleWorkflowNotifier>
</handler>

6

Notifications with status filter test

  1. Create new user in midpoint, fill email address attribute.

  2. Assign Sensitive Role 1 to this user.

  3. As administrator, reject this request in GUI in Work Items section.

(Try to experiment with this test, e.g. setting different value in statusFilter and observe what will happen, e.g. notifications should be generated only in case of successful approvals when status filter is set to 'success' value etc.)

After 2: No notifications should be generated.

After 3: Notifications about workflow items and workflow process end should be created and sent to approver and the requester, respectively.

<handler>
  <simpleWorkflowNotifier>
    <status>failure</status>
    <transport>mail</transport>
  </simpleWorkflowNotifier>
</handler>

7

Notifications with operation filter test

  1. Add new user to midpoint, fill email address,

  2. Modify this user,

  3. Delete this user.

(Same as in previous test, try to be creative and experiment. Try operation filter values like 'modify' and 'delete' and observer, if notifications are generated as expected.)

After 1: Notification should be generated.

After 2 and 3: Notifications should not be generated.

<handler>
<simpleUserNotifier>
     <operation>add</operation>
     <transport>mail</transport>
      </simpleUserNotifier>
</handler>

Generic Synchronization

Prerequisites and instructions
  1. Install and start OpenDJ server.

  2. Import resource from samples/resources/csvfile/HR-csvfile-resource.xml, set correct path to midpoint-HR.csv.

  3. Import task from samples/tasks/task-HR-livesync.xml and running Live Synchronization: HR Resource task,

  4. Copy schema file from samples/schema/extension-genericsync.xsd to $midpointhome$/schema. This requirest restart of midPoint.

  5. Import resource from samples/resources/opendj/opendj-resource-genericsync.xml.

  6. Import role from samples/roles/role-basic-user.xml.

  7. Import object template from `samples/objects/object-template-user.xml. `The first mapping computes user’s full name (this information is not stored in HR). The basic role mapping in user template is processed. This just assigns the Basic User role . This is a simple role that assigns an LDAP account to the user.

  8. Go to Configuration - System and click Edit in Object Policies line. Set UserType and User Template, then Save. Alternatively: edit SystemConfiguration object in debug pages (Configuration/Repository objects) and add XML code seen below just after the /logging element. This configuration tells for all user actions are used rules from object template.[source,xml]

<defaultObjectPolicyConfiguration>
   <type>UserType</type>
   <objectTemplateRef oid="10000000-0000-0000-0000-000000000222" type="ObjectTemplateType"><!-- User Template --></objectTemplateRef>
</defaultObjectPolicyConfiguration>

Tests

# Scenario Description Expected results Configuration

1

Create user and use the HR organizational structure information to create midpoint org structure. Automatic create accounts and LDAP organizationalUnit.

.. Insert mapping (Code 1) into object template User Template after first mapping.The Org mapping is trying to look up an Org into which the user should belong. It is using a query inside assignmentTargetSearch `expression to do so. The expression inside the query is using the first segment of the `orgpath as a value.If the query didn’t find no matching Org, the expression, which is set to createOnDemand it will try to create the Org. A new empty Org object is created in memory. Then the populateItem expressions are used to fill in this object. Please note how the orgpath value is copied from the user extension to the extension of the new Org object. Then midPoint calls itself internally to create a new Org object. element.

.. Import object template from samples/objects/object-template-org.xml.(Configuration/Import object)

The mapping Org-org mapping tries to locate the parent for the new Org object. Similarly to the previous case assignmentTargetSearch `expression with a query is used. Second segment of `orgpath value is used (segment with index 1). If the query finds nothing and the createOnDemand is set to true therefore midPoint will try to create such object. It will use populateItem expressions to fill it in and it will call itself to create new Org.
…​. and the Org object template starts again recursivelly until all segments of orgpath are processed, all corresponding Org objects are created and correctly assigned to each other. Org template takes over the processing of the new Org object.

Edit SystemConfiguration object in debug pages (Configuration/Repository objects) and add XML code (Code 2) after the /objectTemplate element.

.. Import org from samples/`org/org-top.xm`l.(Configuration/Import object). It is top organization of organization structure. It is need for correct generation organizational tree.

.. Import role from samples/roles/`role-meta-replicated-org.xm`l.(Configuration/Import object)

Insert mapping (Code 3) into object template Org Template after first mapping. This mapping assigns a meta-role to each created orgstruct. This meta-role contains inducement which specifies that a new ou resource object should be created as a projection for each Org.

The projections are computed for an LDAP resource and they have a form of LDAP organizationalUnit objects. This is defined in the schema handling part of LDAP resource definition. The inducement specifies an (kind, intent) tuple which is used to locate a matching definition in the schemaHandling.

The outbound mappings are used to compute a correct DN for the new ou object in LDAP. The orgpath property is once again used to compute a correct DN.

.. Create new employee record in HR resource, e.g.:guybrush,Guybrush,Threepwood,Freelance/Ministry of Rum,,

.. Created new midpoint user guybrush from the HR employee record (basic inbound synchronization).

.. Created LDAP account (basic outbound provisioning).

.. Used the HR organizational structure information to create midPoint Orgs on demand and therefore opportunistically synchronize organizational structure from HR to midPoint.

.. Replicated midPoint organizational structure to LDAP organizational structure (generic synchronization).

.. Assigned users to appropriate organizational units.

.. The assignment of users to organizational units is used to determine the LDAP organizationalUnit in which the user should be placed.

.. Use of object template and meta-role as a configuration of organizational structure generic synchronization policy.

.. LDAP groups are created automatically from midPoint roles.

.. LDAP account is added to the LDAP groups where it belong.

Code 1:

<mapping>
    	<name>Org mapping</name>
    	<description>
    		Look for appropriate Org objects by using the user's organizationalUnit property
    		as the name of the org object. When no such object is found we want to create it on
    		demand. We want to populate new Org object with a name and description derived from
    		the user.
    	</description>
    	<authoritative>true</authoritative>
    	<source>
    		<path xmlns:ext="http://midpoint.evolveum.com/xml/ns/story/orgsync/ext">extension/ext:orgpath</path>
    	</source>
    	<expression>
            <assignmentTargetSearch>
            	 <targetType xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">c:OrgType</targetType>
        		<filter>
					<q:equal xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
						<q:path>c:name</q:path>
						<expression>
							<script>
								<code>
									orgpath.tokenize('/')[0]
								</code>
							</script>
						</expression>
					</q:equal>
				</filter>
				<createOnDemand>true</createOnDemand>
				<populateObject>
					<populateItem>
						<expression>
							<script>
								<code>
									orgpath.tokenize('/')[0]
								</code>
							</script>
						</expression>
						<target>
							<path>name</path>
						</target>
					</populateItem>
					<populateItem>
						<expression>
							<value>replicated</value>
						</expression>
						<target>
							<path>orgType</path>
						</target>
					</populateItem>
					<populateItem>
						<expression>
							<path xmlns:ext="http://midpoint.evolveum.com/xml/ns/story/orgsync/ext">$ext:orgpath</path>
						</expression>
						<target>
							<path xmlns:ext="http://midpoint.evolveum.com/xml/ns/story/orgsync/ext">extension/ext:orgpath</path>
						</target>
					</populateItem>
				</populateObject>
            </assignmentTargetSearch>
    	</expression>
    	<target>
    		<path>assignment</path>
    	</target>
    </mapping>

Code 2:

<defaultObjectPolicyConfiguration>
   <type>OrgType</type>
   <objectTemplateRef oid="10000000-0000-0000-0000-000000000231" type="ObjectTemplateType"><!-- Org Template --></objectTemplateRef>
</defaultObjectPolicyConfiguration>

Code 3:

<mapping>
        <name>Org metarole assignment</name>
        <authoritative>true</authoritative>
        <source>
            <path>orgType</path>
        </source>
        <expression>
            <assignmentTargetSearch>
                 <targetType xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">c:RoleType</targetType>
                <oid>10000000-0000-0000-0000-000000006601</oid>
            </assignmentTargetSearch>
        </expression>
        <target>
            <path>assignment</path>
        </target>
        <condition>
            <script>
                <code>orgType == 'replicated'</code>
            </script>
        </condition>
    </mapping>

2

Create user, where the HR responsibility attribute is copied to custom multi-valued property responsibility in user extension.

.. Insert mapping (Code 1) into object template User Template after third mapping.

The responsibility role assignment mapping is trying to look up a Role which the user should have assigned. It is using a query inside assignmentTargetSearch expression to do so. The expression inside the query is using the value of responsibility property from user extension to look up the role. The query is constructed in a such a way that this value should match with the value of responsibility property in role extension. Note that there are two properties that should match: the (multi-valued) responsibility in user extension and the (single-valued) responsibility in role extension. The mapping is smart enough to take care of handling multiple values of the property if they are present.

If the query didn’t find no matching Role. The expression is set to createOnDemand therefore it will try to create the role. A new empty role object is created in memory. Then the populateItem expressions are used to fill in this object. Please note how the responsibility value is used to construct a name of the new role. The R_ prefix is used to avoid collistion with other roles in the system.

.. Import object template from samples/objects/`object-template-role.xm`l. Import role from samples/roles/`role-meta-responsibility.xm`l.(Configuration/Import object).

This role object template takes over the processing of the new role object before it is actually stored and it has only one mapping which assigns a meta-role to the newly created role.The meta-role contains an inducement which specifies that a projection should be created for the role on the LDAP resource. The projection should be a group entitlement. This is specified by (kind, intent) tuple which points to the schema handling part of LDAP resource definition.The outbound mappings are used to compute a correct DN for the new group object in LDAP.The meta-role also contains a second-order inducement. This is ignored right now.
Edit SystemConfiguration object in debug pages (Configuration/Repository objects) and add XML code (Code 2) after the /objectTemplate element.

.. Create new employee record in HR resource, e.g.:lemonhead,Lemonhead,Canibal,Freelance/Ministry of Rum,canibalism,



.. Created new midpoint user lemonhead from the HR employee record (basic inbound synchronization).

.. Created LDAP account (basic outbound provisioning).

.. Created new role for canibalism responsibility.

.. LDAP group is created as a projection of the role.

.. Midpoint user is assigned to the canibalistic role.

.. LDAP account is added as member of the canibalistic LDAP group.

Code 1:

[source,xml] ---- <mapping> <name>responsibility role assignment</name> <authoritative>true</authoritative> <source> <path xmlns:ext="http://midpoint.evolveum.com/xml/ns/story/orgsync/ext">extension/ext:responsibility</path> </source> <expression> <assignmentTargetSearch> <targetType xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">c:RoleType</targetType> <filter xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"> <q:equal> <q:path xmlns:ext="http://midpoint.evolveum.com/xml/ns/story/orgsync/ext">c:extension/ext:responsibility</q:path> <expression> <path xmlns:ext="http://midpoint.evolveum.com/xml/ns/story/orgsync/ext">$ext:responsibility</path> </expression> </q:equal> </filter> <createOnDemand>true</createOnDemand> <populateObject> <populateItem> <expression> <script> <code> 'R_'+responsibility </code> </script> </expression> <target> <path>name</path> </target> </populateItem> <populateItem> <expression> <path xmlns:ext="http://midpoint.evolveum.com/xml/ns/story/orgsync/ext">$ext:responsibility</path> </expression> <target> <path xmlns:ext="http://midpoint.evolveum.com/xml/ns/story/orgsync/ext">extension/ext:responsibility</path> </target> </populateItem> </populateObject> </assignmentTargetSearch> </expression> <target> <path>assignment</path> </target> </mapping> ----

Code 2:

[source,xml] ---- <defaultObjectPolicyConfiguration> <type>RoleType</type> <objectTemplateRef oid="10000000-0000-0000-0000-000000000241" type="ObjectTemplateType"><!-- Role Template -→</objectTemplateRef> </defaultObjectPolicyConfiguration> ----

Bulk actions

# Scenario Description Expected results Extension Schema

1

Extend Users with nickName

.. Import resource localhost-csvfile-resource-bulk-action.xml from C:\.\midpoint\samples\resources\csvfile into midpoint via /Configuration/Import objects/Choose File/Import object/

.. Set path to the midpoint-flatfile-bulk-action.csv (located in C:\.\midpoint\samples\resources\csvfile) into resource via /Configuration/Repository Objects/click Resource in bar menu/click Localhost CSVfile/click Edit/replace path to .csv file in connectorConfiguration/click Save/

.. Set up synchronization via /Server Tasks/List Tasks/click into square on the left side of Synchronization: CSV File/select Resume in bar menu in the right corner.

.. Insert object-template-user-nickname.xml from C:\.\midpoint\samples\objects into midpoint via /Configuration/Import objects/Choose File/Import object/

.. Import users from .csv into midpoint via /Resources/List Resources/click Localhost CSVfile/Accounts/Import/ Create new, fill Task name + Save

.. Check if users with accounts were created in midpoint by /Users/List Users/

.. Import task recompute-users-without-nickname.xml from C:\.\midpoint\samples\tasks\bulk-actions\ via /Configuration/Import objects/Choose File/Import object/

.. Insert extension schema from Code after /logging element in System Configuration /Configuration/Repository Objects/click System Configuration in bar menu/click System Configuration/click Edit/Save/

.. Set up task by /Server Tasks/List Tasks/click into square on the left side of Recompute users without nickName/select Run now in bar menu in the right corner.

.. Verify if nicknames were created by Users/List Users/click on users/

After 6: Users should be created.

After 10: nickNames should be created for all users.

   <defaultUserTemplateRef oid="10000000-0000-0000-0000-000000000223"/>

2

Extend Users starting with b letter with nickName

.. Import resource localhost-csvfile-resource-bulk-action.xml from C:\.\midpoint\samples\resources\csvfile into midpoint via /Configuration/Import objects/Choose File/Import object/

.. Set path to the midpoint-flatfile-bulk-action.csv (located in C:\.\midpoint\samples\resources\csvfile) into resource via /Configuration/Repository Objects/click Resource in bar menu/click Localhost CSVfile/click Edit/replace path to .csv file in connectorConfiguration/click Save/

.. Set up synchronization via /Server Tasks/List Tasks/click into square on the left side of Synchronization: CSV File/select Resume in bar menu in the right corner.

.. Insert object-template-user-nickname.xml from C:\.\midpoint\samples\objects into midpoint via /Configuration/Import objects/Choose File/Import object/

.. Import users from .csv into midpoint via /Resources/List Resources/click Localhost CSVfile/Import Accounts/

.. Check if users with accounts were created in midpoint by /Users/List Users/

.. Import task recompute-users-without-nickname-starting-on-b.xml from C:\.\midpoint\samples\tasks\bulk-actions\ via /Configuration/Import objects/Choose File/Import object/

.. Insert extension schema after /logging element in System Configuration /Configuration/Repository Objects/click System Configuration in bar menu/click System Configuration/click Edit/Save/

.. Set up task by /Server Tasks/List Tasks/click into square on the left side of Recompute users without nickName/select Run now in bar menu in the right corner.

.. Verify if nicknames were created by Users/List Users/click on users/

After 6: Users should be created.

After 10: nickNames should be created for all users starting with b letter.

   <defaultUserTemplateRef oid="10000000-0000-0000-0000-000000000223"/>

3

Assign role to Users starting with a letter

.. Import resource localhost-csvfile-resource-bulk-action.xml from C:\.\midpoint\samples\resources\csvfile into midpoint via /Configuration/Import objects/Choose File/Import object/

.. Set path to the midpoint-flatfile-bulk-action.csv (located in C:\.\midpoint\samples\resources\csvfile) into resource via /Configuration/Repository Objects/click Resource in bar menu/click Localhost CSVfile/click Edit/replace path to .csv file in connectorConfiguration/click Save/

.. Set up synchronization via /Server Tasks/List Tasks/click into square on the left side of Synchronization: CSV File/select Resume in bar menu in the right corner.

.. Import users from .csv into midpoint via /Resources/List Resources/click Localhost CSVfile/Import Accounts/

.. Check if users with accounts were created in midpoint by /Users/List Users/

.. Import task assign-enduser-role-to-selected-users.xml from C:\.\midpoint\samples\tasks\bulk-actions\ via /Configuration/Import objects/Choose File/Import object/

.. Set up task by /Server Tasks/List Tasks/click into square on the left side of Assign Enduser role to users starting with 'a'/select Run now in bar menu in the right corner.

.. Verify if enduser roles were created by Users/List Users/click on users/

After 5: Users should be created.

After 8: Role enduser should be created for all users starting with a letter.

+

4

Assign openDJ account to Users starting with a letter

.. Import resource localhost-csvfile-resource-bulk-action.xml from C:\.\midpoint\samples\resources\csvfile into midpoint via /Configuration/Import objects/Choose File/Import object/

.. Set path to the midpoint-flatfile-bulk-action.csv (located in C:\.\midpoint\samples\resources\csvfile) into resource via /Configuration/Repository Objects/click Resource in bar menu/click Localhost CSVfile/click Edit/replace path to .csv file in connectorConfiguration/click Save/

.. Set up synchronization via /Server Tasks/List Tasks/click into square on the left side of Synchronization: CSV File/select Resume in bar menu in the right corner.

.. Import users from .csv into midpoint via /Resources/List Resources/click Localhost CSVfile/Import Accounts/

.. Check if users with accounts were created in midpoint by /Users/List Users/

.. Import task assign-resource-to-selected-users.xml from C:\.\midpoint\samples\tasks\bulk-actions\ via /Configuration/Import objects/Choose File/Import object/

.. Set up task by /Server Tasks/List Tasks/click into square on the left side of Assign OpenDJ account to users starting with 'a'/select Run now in bar menu in the right corner.

.. Verify if accounts were assigned by Users/List Users/click on users/

After 5: Users should be created.

After 8: OpenDJ accounts should be assigned for all users starting with a letter.

5

Disable administrative status of Users starting with b letter

.. Import resource localhost-csvfile-resource-bulk-action.xml from C:\.\midpoint\samples\resources\csvfile into midpoint via /Configuration/Import objects/Choose File/Import object/

.. Set path to the midpoint-flatfile-bulk-action.csv (located in C:\.\midpoint\samples\resources\csvfile) into resource via /Configuration/Repository Objects/click Resource in bar menu/click Localhost CSVfile/click Edit/replace path to .csv file in connectorConfiguration/click Save/

.. Set up synchronization via /Server Tasks/List Tasks/click into square on the left side of Synchronization: CSV File/select Resume in bar menu in the right corner.

.. Import users from .csv into midpoint via /Resources/List Resources/click Localhost CSVfile/Import Accounts/

.. Check if users with accounts were created in midpoint by /Users/List Users/

.. Import task disable-selected-users.xml from C:\.\midpoint\samples\tasks\bulk-actions\ via /Configuration/Import objects/Choose File/Import object/

.. Set up task by /Server Tasks/List Tasks/click into square on the left side of Disable users starting with 'b'/select Run now in bar menu in the right corner.

.. Verify if administrative status of users were disabled by Users/List Users/click on users/

After 5: Users should be created.

After 8: Administrative status should be disabled for all users starting with b letter.

6

Display information about Users starting with b letter in idm.log file

  1. Import resource localhost-csvfile-resource-bulk-action.xml from C:\.\midpoint\samples\resources\csvfile into midpoint via /Configuration/Import objects/Choose File/Import object/

  2. Set path to the midpoint-flatfile-bulk-action.csv (located in C:\.\midpoint\samples\resources\csvfile) into resource via /Configuration/Repository Objects/click Resource in bar menu/click Localhost CSVfile/click Edit/replace path to .csv file in connectorConfiguration/click Save/

  3. Set up synchronization via /Server Tasks/List Tasks/click into square on the left side of Synchronization: CSV File/select Resume in bar menu in the right corner.

  4. Import users from .csv into midpoint via /Resources/List Resources/click Localhost CSVfile/Import Accounts/

  5. Check if users with accounts were created in midpoint by /Users/List Users/

  6. Import task log-selected-users.xml from C:\.\midpoint\samples\tasks\bulk-actions\ via /Configuration/Import objects/Choose File/Import object/

  7. Set up task by /Server Tasks/List Tasks/click into square on the left side of Log information on users starting with 'b'/select Run now in bar menu in the right corner.

  8. Verify if information about users were listed in idm.log file located in C:\apache.*\logs

After 5: Users should be created.

After 8: Information about users starting with b letter should be displayed in idm.log file (example is stored in expand source)

   2014-05-30 16:01:42,635 [] [midPointScheduler_Worker-10] INFO (com.evolveum.midpoint.model.impl.scripting.actions.LogExecutor): Current data: [
  user: (68328295-1477-4b63-9be9-fde197d5e826, v1, UserType)
      name: btester03
      metadata:
          createTimestamp: 2014-05-30T16:00:28.852+02:00
          creatorRef: oid=00000000-0000-0000-0000-000000000002(UserType)
          createChannel:
            http://midpoint.evolveum.com/xml/ns/public/provisioning/channels-3#liveSync
      linkRef:
        oid=a8da2f72-881d-4c5b-b058-00db0bf2ede9(ShadowType)
      activation:
          administrativeStatus: ENABLED
          effectiveStatus: ENABLED
          enableTimestamp: 2014-05-30T16:00:28.761+02:00
      iteration: 0
      iterationToken:
      givenName: Besti
      familyName: Bestini
      credentials:
          password:
              value: ProtectedStringType(encrypted=EncryptedDataType(encryptionMethod=EncryptionMethodType(algorithm=http://www.w3.org/2001/04/xmlenc#aes128-cbc), keyInfo=KeyInfoType(keyName=4HXeUejV93Vd3JuIZz7sbs5bVko=), cipherData=CipherDataType(cipherValue=[32 bytes])))
]

7

Set preferred language for users starting with b letter

.. Import resource localhost-csvfile-resource-bulk-action.xml from C:\.\midpoint\samples\resources\csvfile into midpoint via /Configuration/Import objects/Choose File/Import object/

.. Set path to the midpoint-flatfile-bulk-action.csv (located in C:\.\midpoint\samples\resources\csvfile) into resource via /Configuration/Repository Objects/click Resource in bar menu/click Localhost CSVfile/click Edit/replace path to .csv file in connectorConfiguration/click Save/

.. Set up synchronization via /Server Tasks/List Tasks/click into square on the left side of Synchronization: CSV File/select Resume in bar menu in the right corner.

.. Import users from .csv into midpoint via /Resources/List Resources/click Localhost CSVfile/Import Accounts/

.. Check if users with accounts were created in midpoint by /Users/List Users/

.. Import task modify-selected-users.xml from C:\.\midpoint\samples\tasks\bulk-actions\ via /Configuration/Import objects/Choose File/Import object/

.. Set up task by /Server Tasks/List Tasks/click into square on the left side of Set preferredLanguage for users starting with 'b'/select Run now in bar menu in the right corner.

.. Verify if prefferred Language of users was changed.

After 5: Users should be created.

After 8: Preferred language of users should be changed.

Misc Features

Export objects to XML

# Scenario Description Expected results

1

Export objects of given type to XML

.. Create 3 or more users in midpoint GUI, fill some information,

.. Go to Configuration - Repository objects and select User in the select box,

.. Click the wheel in the table header and choose Export all of selected type (Zip check button should not be selected)

After the whole sequence:You should be offered with download of an .xml file containing all User objects. Check this files for consistency with Users in midpoint, it should be consistent.

2

Export objects of given type to compressed XML

.. Create 3 or more users in midpoint GUI, fill some information,

.. Go to Configuration - Repository objects and select User in the select box,

.. Click the wheel in the table header and choose Export all of selected type , be sure that you have selected Zip check button.

After the whole sequence:You should be offered with download of an .zip file containing .xml file containing all User objects. Check this files for consistency with Users in midpoint, it should be consistent.

3

Export all objects

.. You should have some users and other default objects in midPoint repository. Go to Configuration - Repository objects and click the wheel in the table header and choose Export all objects

.. Try the same, but this time be sure to check 'Zip' checkbox

After 1: All objects from midPoint repository should be exported.

After 2: Result should be the same, except this time, .xml containing all objects should be packed in .zip file.

Custom Schema Extension

# Scenario Description Expected results Extension Schema

1

Extend User with custom schema

.. Go to your midpoint home directory (if you have trouble locating it, please refer to MidPoint Home Directory),

.. In schema directory, create an .XSD file containing schema extension from this example,

.. restart midpoint (restart web container you are using, e. g. Tomcat),

.. Log in to midpoint and try to create new user,

.. You should notice new attribute category, extension while creating new user. Fill these attributes.

.. Save user,

After 4: New extension category should exist when creating new user, containing attributes office number and favorite color.

After 6: Attributes defined by extension should contain values you provided. Check this in debug pages as well as in midpoint repository

   <xsd:schema elementFormDefault="qualified"
            targetNamespace="http://example.com/xml/ns/mySchema"
            xmlns:tns="http://example.com/xml/ns/mySchema"
            xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
            xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema">

    <xsd:complexType name="UserExtensionType">
        <xsd:annotation>
            <xsd:appinfo>
                <a:extension ref="c:UserType"/>
            </xsd:appinfo>
        </xsd:annotation>
        <xsd:sequence>
            <xsd:element name="officeNumber" type="xsd:string" minOccurs="0" maxOccurs="1">
                <xsd:annotation>
                    <xsd:appinfo>
                        <a:indexed>true</a:indexed>
                        <a:displayName>office number</a:displayName>
                        <a:displayOrder>120</a:displayOrder>
                    </xsd:appinfo>
                </xsd:annotation>
            </xsd:element>
            <xsd:element name="favoriteColor" type="xsd:string" minOccurs="0" maxOccurs="unbounded">
                <xsd:annotation>
                    <xsd:appinfo>
                        <a:indexed>true</a:indexed>
                        <a:displayName>favorite color</a:displayName>
                        <a:displayOrder>130</a:displayOrder>
                        <a:help>The favorite color</a:help>
                    </xsd:appinfo>
                </xsd:annotation>
            </xsd:element>
        </xsd:sequence>
    </xsd:complexType>
</xsd:schema>

Automatic generation and caching of resource schema from the connector

Make sure, you have imported localhost-csvfile-resource-advanced-nosync.xml resource

# Scenario Description Expected results

1

Resource schema change test

.. Locate .csv file on your hard drive. For this sample, it should be in your C:\csv\ folder, make sure that .csv file does not contain any account records,

.. change the first line of .csv file, add another attribute, e.g. customAttribute1 and separate it with commas,

.. save the file,

.. In midpoint, go to debug pages and open Resource object for this CSV resource,

.. locate schema and delete everything between them including schema tags,

.. go to Resources and click the status icon to test the connection and refresh schema

After the whole sequence:Midpoint should automatically and immediately generate new schema based on changes in the .csv file, thus containing new customAttribute1. This can be checked in debug pages in Configuration - Repository objects - Resource - Localhost CSV in the schema.

Cleanup task test

Make sure, you have imported localhost-csvfile-resource-advanced-sync.xml resource, you can stop the live synchronization task for this resource.

# Scenario Description Expected results

1

Cleanup task test - deleting closed Tasks

.. In Configuration section of midPoint, open SystemConfiguration object,

.. locate cleanupPolicy and set property maxAge to PT120S, Save changes,

.. In Resources section, locate CSV resource and Import accounts,

.. Go to Server Tasks section, you should see closed task Import from resource Localhost CSVfile,

.. wait for 120 seconds

.. Run Cleanup task.

(Test audit cleanup as well)

After the whole sequence:`Import from resource Localhost CSVfile` task should be deleted from midpoint.

Profiling tests

# Scenario Description Expected results

1

Dump Interval and Servlet Request test

.. In Configuration section on Profiling section

.. Write value '1' in dump interval text field.

.. Check Request filter checkbox

.. Click on save button located in the bottom section of the page

.. set profilingEnabled=true in config.xml, restart midPoint

.. Create several requests (simply click on various GUI pages)

.. Wait for cca 1 minute

After the whole sequence:Open idm-profile.log located in the same directory, where you can find idm.log (e.g., in Tomcat, in tomcat-home/logs directory). After opening, you should see summary information about every unique (in means of HTTP URL) request + 5 slowest requests containing information about execution time, time and daNotificationste of execution and user’s session ID.

2

Performance statistics profiling test

.. On same page as in test one, leave the dump interval with value 1. Uncheck Request Filter and check Performance Statistics checkbox.

.. Save your configuration

.. Wait for cca 10 minutes

After the whole sequence:After opening idm-profile.log file, you should see single line of performance information containing basic information about CPU, memory and thread usage.

3

Subsystem profiling test

.. On the same page as in tests above, unselect performance statistics and select model checkbox in Subsystems section.

.. Leave the dump interval value 1

.. Save your configuration

.. Perform some actions, that will invoke model methods, for example, click on Users page several times (user listing will invoke model methods),

.. Wait for cca 1 minute.

After the whole sequence:After opening idm-profile.log file, you should see summary statistics about performance of each invoked model method (Min, Max, Mean invocation time etc.) and for each method, 5 lines containing five slowest method calls. These lines should contain information about execution time, time and date of execution and list of all method call parameters.

Universal checks

Check the following aspects for all the tests scenarios:

  1. Auditing: Check that audit records are created for every modification. There should be one REQUEST audit record and one or more EXECUTION records. This holds even if the operation fails. Set auditing to log files as well and check logged audits with audits in repository. They should represent same level of information.

  2. Logging: Check that the logging on INFO or DEBUG level provides at least some information about the executed operation. Make sure that there is not more than one or two lines on INFO level. Check that there is not too much information on DEBUG level. See also Log Levels.

Security checks

ID Scenario Description Expected results

1

Users without passwords

.. Create a user with no password (and no other credentials) and Superuser role.

.. Try to login as this user using:

…​ GUI

…​ SOAP client

…​ REST client

None of the attempts should be successful.

Forgotten password functionality

ID Scenario Description Expected results

1

Users with filled security questions

.. Import object samples\objects\security-policy-security-questions.xml

.. On Configuration/System/Global security policy set Security policy and Save

.. Create new user, fill Name, email address, password, assign end user role and Save

.. Log out and log in as new user

.. Open in right up menu Security Questions (above Log out button)

.. Fill answers, remember it, save it, log out

.. Forget password

.. On login page click to Forgot Password

.. Fill in Username and e-mail click Reset Password

.. Fill answers for security questions

.. Log in with new password what you see

please also try wrong answers to sequrity questions

after 10 you see a new passwordafter 11 you successfully logged in with new password

userChoice
Default User Template 3

c0c010c0-d34d-b33f-f00d-777222222333

Log in and interact with certain parts of midpoint depending on GUI access rights

profilingEnabled

Saved filters

Most of tests check if a filter is saved to a correct place for different user variation. For now filter is always saved to logged in user into admin gui configuration container value.

ID Scenario Description XML example Expected results

1

User without admin gui configuration.

User doesn’t have admin gui configuration container value. The test is produced on the page of default object collection view (e.g. All users).

Simple user created in midPoint authorized for self editing.

Admin gui configuration container value is created. New object collection view container value is created (with default identifier). Filter is saved. After relogin, the saved filter is displayed in the saved filters list for All users table.

2

User with admin gui configuration but no object collection views.

User has admin gui configuration but doesn’t have object collection views container value. The test is produced on the page of default object collection view (e.g. All users).

<adminGuiConfiguration> <useNewDesign>true</useNewDesign> </adminGuiConfiguration>

Object collection views container value is created. New object collection view container value is created (with default identifier). Filter is saved.

3

User with empty object collection views.

User has empty object collection views container value. The test is produced on the page of default object collection view (e.g. All users).

<adminGuiConfiguration> <useNewDesign>true</useNewDesign> <objectCollectionViews/> </adminGuiConfiguration>

New object collection view container value is created (with default identifier). Filter is saved. After relogin, the saved filter is displayed in the saved filters list for All users table.

4

User with default object collection view but no search box configuration.

User default object collection view configured but no search box configuration in it. The test is produced on the page of default object collection view (e.g. All users).

<adminGuiConfiguration> <useNewDesign>true</useNewDesign> <objectCollectionViews> <objectCollectionView> <identifier>allUsers</identifier> <type>UserType</type> </objectCollectionView> </objectCollectionViews> </adminGuiConfiguration>

Search box configuration container value is created. Filter is saved. After relogin, the saved filter is displayed in the saved filters list for All users table.

5

User with default object collection view but no search box configuration.

User default object collection view configured but no search box configuration in it. The test is produced on the page of default object collection view (e.g. All users).

<adminGuiConfiguration> <useNewDesign>true</useNewDesign> <objectCollectionViews> <objectCollectionView> <identifier>allUsers</identifier> <type>UserType</type> </objectCollectionView> </objectCollectionViews> </adminGuiConfiguration>

Search box configuration container value is created. Filter is saved. After relogin, the saved filter is displayed in the saved filters list for All users table.

6

User with a configured default object collection view and search box configuration.

User has a configured default object collection view and search box configuration presents. The test is produced on the page of default object collection view (e.g. All users).

<adminGuiConfiguration> <useNewDesign>true</useNewDesign> <objectCollectionViews> <objectCollectionView> <identifier>allUsers</identifier> <type>UserType</type> <searchBoxConfiguration> <defaultMode>basic</defaultMode> </searchBoxConfiguration> </objectCollectionView> </objectCollectionViews> </adminGuiConfiguration>

New filter is added to existing default object collection view. After relogin, the saved filter is displayed in the saved filters list for All users table.

7

User with already existing search filter.

User already has saved filter in default object collection view. The test is produced on the page of default object collection view (e.g. All users).

<adminGuiConfiguration> <useNewDesign>true</useNewDesign> <objectCollectionViews> <objectCollectionView> <identifier>allUsers</identifier> <type>UserType</type> <searchBoxConfiguration> <defaultMode>basic</defaultMode> <availableFilter> <display> <label>Name contains "ad"</label> </display> <searchMode>basic</searchMode> <searchItem> <path>c:name</path> <filter> <q:substring> <q:matching>polyStringNorm</q:matching> <q:path>c:name</q:path> <q:value xsi:type="t:PolyStringType">ad</q:value> </q:substring> </filter> <display> <label>Name</label> <help> Human-readable, mutable name of the object. It may also be an identifier (login name, group name). It is usually unique in the respective context of interpretation. E.g. the name of the UserType subtype is usually unique in the whole system. The name of the ShadowType subtype is usually unique in the scope of resource (target system) that it belongs to. The name may not be human-readable in a sense to display to a common end-user. It is intended to be displayed to IDM system administrator. Therefore it may contain quite a "ugly" structures such as LDAP DN or URL. Name is mutable. It is considered to be ordinary property of the object. Therefore it can be changed by invoking usual modifyObject operations. However, change of the name may have side effects (rename process). Although name is specified as optional by this schema, it is in fact mandatory for most object types. The reason for specifying the name as optional is that the name may be generated by the system instead of supplied by the clients. However, all objects stored in the repository must have a name. </help> </display> <visibleByDefault>true</visibleByDefault> </searchItem> </availableFilter> </searchBoxConfiguration> </objectCollectionView> </objectCollectionViews> </adminGuiConfiguration>

New filter is added to existing default object collection view. After relogin, the saved filter is displayed in the saved filters list for All users table.

8

Save filter for non-default object collection view

Employees collection view should be preconfigured. Test is produced from Employees collection view page. Logged in ser doesn’t have Employees collection view configured in its xml

Employees object collection view is created in logged in user’s xml, saved filter is added there. After relogin, the saved filter is displayed in the saved filters list only for Employees table and not displayed for All users table.

9

Extend saved filter from role.

End user role has saved filter configured for default object collection view of UserType. End user has End user role assigned.

End user sees saved filter from assigned to him End user role on the All user page.

Was this page helpful?
YES NO
Thanks for your feedback