package com.evolveum.midpoint.model.intest.security;

import com.evolveum.midpoint.model.intest.AbstractConfiguredModelIntegrationTest;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.prism.util.PrismTestUtil;
import com.evolveum.midpoint.schema.result.OperationResult;
import com.evolveum.midpoint.security.api.AuthorizationConstants;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.test.asserter.AssignmentsAsserter;
import com.evolveum.midpoint.util.exception.CommunicationException;
import com.evolveum.midpoint.util.exception.ConfigurationException;
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import com.evolveum.midpoint.util.exception.ObjectAlreadyExistsException;
import com.evolveum.midpoint.util.exception.ObjectNotFoundException;
import com.evolveum.midpoint.util.exception.PolicyViolationException;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.exception.SecurityViolationException;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentPolicyEnforcementType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthorizationType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ConnectorType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PolicyExceptionType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.PolicyRuleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import java.io.File;
import java.io.IOException;
import org.springframework.test.annotation.DirtiesContext;
import org.springframework.test.context.ContextConfiguration;
import org.testng.annotations.Test;

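/**
 * Integration test for authorization behaviour in a multi-tenant organizational structure.
 *
 * <p>The org structure is imported from {@code org-multitenant.xml} in {@link #test010ImportOrgstruct()}.
 * As asserted there, Atreides and Corrino are tenant orgs, while the Guild org carries
 * neither the tenant flag nor a tenantRef. The remaining tests log in as individual users
 * (Leto, Paul, Duncan, Edric) and assert which operations are allowed and which are denied,
 * with the emphasis on operations that would cross a tenant boundary or widen the caller's privileges.
 *
 * <p>The tests share repository state and appear to rely on their numeric ordering: for example,
 * {@link #test109AutzLetoDelete()} deletes the user that {@link #test102AutzLetoAdd()} added, and
 * {@link #test114AutzLetoKeepWithinTenant()} uses the org that {@link #test110AutzLetoAddOrgs()} added.
 */
@ContextConfiguration(locations = {"classpath:ctx-model-intest-test-main.xml"})
@DirtiesContext(classMode = DirtiesContext.ClassMode.AFTER_CLASS)
public class TestSecurityMultitenant extends AbstractSecurityTest {

    // ---- Root of the org tree and a role whose OID sits outside every house-specific range ----
    protected static final String ORG_ROOT_OID = "00000000-8888-6666-a000-000000000000";
    protected static final String ROLE_TENANT_ADMIN_OID = "00000000-8888-6666-a000-100000000000";

    // ---- Spacing Guild: test010 asserts this org has no tenant flag and no tenantRef ----
    protected static final String ORG_GUILD_OID = "00000000-8888-6666-a001-000000000000";
    protected static final String ORG_JUNCTION_OID = "00000000-8888-6666-a001-000000000001";
    protected static final String ORG_JUNCTION_NAME = "Junction";
    // Spelling kept byte-for-byte; the value presumably mirrors the test XML - confirm before changing.
    protected static final String ORG_JUNCTION_DISPLAY_NAME = "Plannet Junction";
    protected static final String ORG_GUILD_SUBTENANT_OID = "00000000-8888-6666-a001-000000000fff";
    protected static final String ROLE_GUILD_BROKEN_ADMIN_OID = "00000000-8888-6666-a001-100000000001";
    protected static final String ROLE_GUILD_NAVIGATOR_OID = "00000000-8888-6666-a001-100000000002";
    protected static final String USER_EDRIC_OID = "00000000-8888-6666-a001-200000000000";
    protected static final String USER_EDRIC_NAME = "edric";
    protected static final String USER_EDRIC_FULL_NAME = "Navigator Edric";
    protected static final String USER_DMURR_OID = "00000000-8888-6666-a001-200000000001";
    protected static final String USER_DMURR_NAME = "dmurr";
    protected static final String USER_DMURR_FULL_NAME = "D'murr Pilru";
    private static final String RESOURCE_DUMMY_JUNCTION_OID = "00000000-8888-6666-a001-300000000000";

    // ---- House Corrino: tenant (asserted in test010) ----
    protected static final String ORG_CORRINO_OID = "00000000-8888-6666-a100-000000000000";
    protected static final String ORG_KAITAIN_OID = "00000000-8888-6666-a100-000000000001";
    protected static final String ORG_IMPERIAL_PALACE_OID = "00000000-8888-6666-a100-000000000002";
    protected static final String ROLE_CORRINO_ADMIN_OID = "00000000-8888-6666-a100-100000000000";
    protected static final String ROLE_CORRINO_EMPEROR_OID = "00000000-8888-6666-a100-100000000001";
    protected static final String USER_SHADDAM_CORRINO_OID = "00000000-8888-6666-a100-200000000000";
    protected static final String USER_SHADDAM_CORRINO_NAME = "shaddam";
    protected static final String USER_SHADDAM_CORRINO_FULL_NAME = "Padishah Emperor Shaddam IV";

    // ---- House Atreides: tenant (asserted in test010); most tests run as its users ----
    protected static final String ORG_ATREIDES_OID = "00000000-8888-6666-a200-000000000000";
    protected static final String ORG_CALADAN_OID = "00000000-8888-6666-a200-000000000001";
    protected static final String ORG_ARRAKIS_OID = "00000000-8888-6666-a200-000000000002";
    protected static final String ORG_ARRAKIS_NAME = "Arrakis";
    protected static final String ORG_ARRAKIS_DISPLAY_NAME = "Planet Arrakis";
    protected static final String ORG_CASTLE_CALADAN_OID = "00000000-8888-6666-a200-000000000003";
    protected static final String ORG_CASTLE_CALADAN_NAME = "Castle Caladan";
    protected static final String ORG_CASTLE_CALADAN_DISPLAY_NAME = "Castle Caladan";
    protected static final String ORG_ATREIDES_SUBTENANT_OID = "00000000-8888-6666-a200-000000000fff";
    protected static final String ROLE_ATREIDES_ADMIN_OID = "00000000-8888-6666-a200-100000000000";
    protected static final String ROLE_ATREIDES_END_USER_OID = "00000000-8888-6666-a200-100000000006";
    protected static final String ROLE_ATREIDES_ROLE_MANAGER_OID = "00000000-8888-6666-a200-100000000007";
    protected static final String ROLE_ATREIDES_GUARD_OID = "00000000-8888-6666-a200-100000000002";
    protected static final String ROLE_ATREIDES_HACKER_OID = "00000000-8888-6666-a200-100000000003";
    protected static final String ROLE_ATREIDES_SOLDIER_OID = "00000000-8888-6666-a200-100000000004";
    protected static final String ROLE_ATREIDES_SWORDMASTER_OID = "00000000-8888-6666-a200-100000000005";
    protected static final String USER_LETO_ATREIDES_OID = "00000000-8888-6666-a200-200000000000";
    protected static final String USER_LETO_ATREIDES_NAME = "leto";
    protected static final String USER_LETO_ATREIDES_FULL_NAME = "Leto Atreides";
    protected static final String USER_PAUL_ATREIDES_OID = "00000000-8888-6666-a200-200000000001";
    protected static final String USER_PAUL_ATREIDES_NAME = "paul";
    protected static final String USER_PAUL_ATREIDES_FULL_NAME = "Paul Atreides";
    protected static final String USER_DUNCAN_OID = "00000000-8888-6666-a200-200000000002";
    protected static final String USER_DUNCAN_NAME = "duncan";
    protected static final String USER_DUNCAN_FULL_NAME = "Duncan Idaho";
    private static final String RESOURCE_DUMMY_CASTLE_CALADAN_OID = "00000000-8888-6666-a200-300000000000";

    // ---- House Harkonnen: used here only as a foreign house that Atreides users must not reach ----
    protected static final String ORG_HARKONNEN_OID = "00000000-8888-6666-a300-000000000000";
    protected static final String ORG_GIEDI_PRIME_OID = "00000000-8888-6666-a300-000000000001";
    // Spelling kept byte-for-byte; the values presumably mirror the test XML - confirm before changing.
    protected static final String ORG_GIEDI_PRIME_NAME = "Geidi Prime";
    protected static final String ORG_GIEDI_PRIME_DISPLAY_NAME = "Plannet Geidi Prime";
    protected static final String ORG_HARKONNEN_SUBTENANT_OID = "00000000-8888-6666-a300-000000000fff";
    protected static final String ROLE_HARKONNEN_ADMIN_OID = "00000000-8888-6666-a300-100000000000";
    protected static final String USER_VLADIMIR_HARKONNEN_OID = "00000000-8888-6666-a300-200000000000";
    protected static final String USER_PITER_OID = "00000000-8888-6666-a300-200000000001";
    protected static final String USER_PITER_NAME = "piter";
    protected static final String USER_PITER_FULL_NAME = "Piter De Vries";
    private static final String RESOURCE_DUMMY_BARONY_OID = "00000000-8888-6666-a300-300000000000";

    // Dummy connector looked up in initSystem(); its OID is set as connectorRef on parsed test resources.
    protected PrismObject<ConnectorType> dummyConnector;

    // Added to the inherited role count in getNumberOfRoles(). It is deliberately NOT used for
    // link counts, expected-empty search results or empty value arrays: those are literal 0 below,
    // so that changing this constant cannot silently change unrelated assertions.
    protected static final int NUMBER_OF_IMPORTED_ROLES = 0;

    // ---- Test resources; TEST_DIR must stay declared before the File constants that use it ----
    public static final File TEST_DIR = new File("src/test/resources/security/multitenant");
    protected static final File ORG_MULTITENANT_FILE = new File(TEST_DIR, "org-multitenant.xml");
    protected static final File ORG_JUNCTION_FILE = new File(TEST_DIR, "org-junction.xml");
    protected static final File ORG_GUILD_SUBTENANT_FILE = new File(TEST_DIR, "org-guild-subtenant.xml");
    protected static final File USER_DMURR_FILE = new File(TEST_DIR, "user-dmurr.xml");
    private static final File RESOURCE_DUMMY_JUNCTION_FILE = new File(TEST_DIR, "resource-dummy-junction.xml");
    protected static final File ORG_ARRAKIS_FILE = new File(TEST_DIR, "org-arrakis.xml");
    protected static final File ORG_CASTLE_CALADAN_FILE = new File(TEST_DIR, "org-castle-caladan.xml");
    protected static final File ORG_ATREIDES_SUBTENANT_FILE = new File(TEST_DIR, "org-atreides-subtenant.xml");
    protected static final File ROLE_ATREIDES_GUARD_FILE = new File(TEST_DIR, "role-atreides-guard.xml");
    protected static final File ROLE_ATREIDES_HACKER_FILE = new File(TEST_DIR, "role-atreides-hacker.xml");
    protected static final File ROLE_ATREIDES_SWORDMASTER_FILE = new File(TEST_DIR, "role-atreides-swordmaster.xml");
    protected static final File USER_DUNCAN_FILE = new File(TEST_DIR, "user-duncan.xml");
    private static final File RESOURCE_DUMMY_CASTLE_CALADAN_FILE = new File(TEST_DIR, "resource-dummy-castle-caladan.xml");
    protected static final File ORG_GIEDI_PRIME_FILE = new File(TEST_DIR, "org-giedi-prime.xml");
    protected static final File ORG_HARKONNEN_SUBTENANT_FILE = new File(TEST_DIR, "org-harkonnen-subtenant.xml");
    protected static final File USER_PITER_FILE = new File(TEST_DIR, "user-piter.xml");
    private static final File RESOURCE_DUMMY_BARONY_FILE = new File(TEST_DIR, "resource-dummy-barony.xml");

    /**
     * Runs the inherited initialization, switches the assignment policy to RELATIVE and
     * looks up the dummy connector (version "2.0") that the resource tests reference.
     *
     * @param task task passed through to the superclass initialization
     * @param operationResult result passed to the superclass and to the connector lookup
     * @throws Exception if the inherited initialization or the connector lookup fails
     */
    @Override
    public void initSystem(Task task, OperationResult operationResult) throws Exception {
        super.initSystem(task, operationResult);
        assumeAssignmentPolicy(AssignmentPolicyEnforcementType.RELATIVE);
        this.dummyConnector = findConnectorByTypeAndVersion("com.evolveum.icf.dummy.connector.DummyConnector", "2.0", operationResult);
    }

    /**
     * Returns {@code false}; this class imports its own org structure in
     * {@link #test010ImportOrgstruct()} instead.
     */
    @Override
    protected boolean doAddOrgstruct() {
        return false;
    }

    /** Returns the OID of the root org of the multi-tenant tree. */
    @Override
    protected String getTopOrgOid() {
        return ORG_ROOT_OID;
    }

    /**
     * Returns the inherited role count plus {@link #NUMBER_OF_IMPORTED_ROLES}.
     *
     * <p>The decompiler reported that the original access modifier was {@code protected};
     * it is kept {@code public} here so the visible signature stays as it was on this page.
     */
    @Override
    public int getNumberOfRoles() {
        return super.getNumberOfRoles() + NUMBER_OF_IMPORTED_ROLES;
    }

    /**
     * Baseline check before any tenant data is imported: 11 users, the expected number of roles,
     * and read/add/modify/delete all allowed.
     */
    @Test
    public void test000Sanity() throws Exception {
        displayTestTitle("test000Sanity");
        cleanupAutzTest(AbstractConfiguredModelIntegrationTest.USER_JACK_OID);
        displayWhen("test000Sanity");
        assertSearch(UserType.class, null, 11);
        assertSearch(RoleType.class, null, getNumberOfRoles());
        assertReadAllow(11);
        assertReadAllowRaw(11);
        assertAddAllow();
        assertAddAllowRaw();
        assertModifyAllow();
        assertDeleteAllow();
        assertGlobalStateUntouched();
    }

    /**
     * Imports the multi-tenant org structure (non-raw) and asserts the tenant bookkeeping:
     * the tenant flag on the tenant orgs themselves, and the tenantRef on orgs, roles and users
     * below them. The Guild org and its user Edric are asserted to have no tenantRef at all.
     */
    @Test
    public void test010ImportOrgstruct() throws Exception {
        displayTestTitle("test010ImportOrgstruct");
        Task importTask = createTask("test010ImportOrgstruct");
        OperationResult result = importTask.getResult();
        displayWhen("test010ImportOrgstruct");
        importObjectsFromFileNotRaw(ORG_MULTITENANT_FILE, importTask, result);
        displayThen("test010ImportOrgstruct");
        assertSuccess(result);
        dumpOrgTree();

        // House Atreides: the tenant org points at itself; Caladan inherits the tenantRef.
        ((AssignmentsAsserter) assertOrgAfter(ORG_ATREIDES_OID)
                .assertIsTenant()
                .assertTenantRef(ORG_ATREIDES_OID)
                .assignments()
                    .single()
                        .assertTargetOid(ORG_ROOT_OID)
                    .end())
                .end()
                .assertLinks(0)
                .assertParentOrgRefs(new String[]{ORG_ROOT_OID});
        ((AssignmentsAsserter) assertOrgAfter(ORG_CALADAN_OID)
                .assertTenant((Boolean) null)
                .assertTenantRef(ORG_ATREIDES_OID)
                .assignments()
                    .single()
                        .assertTargetOid(ORG_ATREIDES_OID)
                    .end())
                .end()
                .assertLinks(0)
                .assertParentOrgRefs(new String[]{ORG_ATREIDES_OID});
        assertRoleAfter(ROLE_ATREIDES_ADMIN_OID)
                .assertTenantRef(ORG_ATREIDES_OID)
                .assertParentOrgRefs(new String[]{ORG_ATREIDES_OID});
        assertUserAfter(USER_LETO_ATREIDES_OID)
                .assertName(USER_LETO_ATREIDES_NAME)
                .assertFullName(USER_LETO_ATREIDES_FULL_NAME)
                .assignments()
                    .assertOrg(ORG_ATREIDES_OID)
                    .assertRole(ROLE_ATREIDES_ADMIN_OID)
                .end()
                .assertTenantRef(ORG_ATREIDES_OID)
                .assertParentOrgRefs(new String[]{ORG_ATREIDES_OID})
                .assertLinks(0);
        assertUserAfter(USER_PAUL_ATREIDES_OID)
                .assertName(USER_PAUL_ATREIDES_NAME)
                .assertFullName(USER_PAUL_ATREIDES_FULL_NAME)
                .assignments()
                    .assertOrg(ORG_ATREIDES_OID)
                    .assertRole(ROLE_ATREIDES_END_USER_OID)
                .end()
                .assertTenantRef(ORG_ATREIDES_OID)
                .assertParentOrgRefs(new String[]{ORG_ATREIDES_OID})
                .assertLinks(0);

        // Guild: neither a tenant nor inside one, so no tenantRef is expected on the org or on Edric.
        ((AssignmentsAsserter) assertOrgAfter(ORG_GUILD_OID)
                .assertTenant((Boolean) null)
                .assertTenantRef((String) null)
                .assignments()
                    .single()
                        .assertTargetOid(ORG_ROOT_OID)
                    .end())
                .end()
                .assertLinks(0)
                .assertParentOrgRefs(new String[]{ORG_ROOT_OID});
        assertUserAfter(USER_EDRIC_OID)
                .assertName(USER_EDRIC_NAME)
                .assertFullName(USER_EDRIC_FULL_NAME)
                .assignments()
                    .assertOrg(ORG_GUILD_OID)
                    .assertRole(ROLE_GUILD_BROKEN_ADMIN_OID)
                .end()
                .assertTenantRef((String) null)
                .assertParentOrgRefs(new String[]{ORG_GUILD_OID})
                .assertLinks(0);

        // House Corrino: tenantRef propagates two levels down (Kaitain, then Imperial Palace).
        ((AssignmentsAsserter) assertOrgAfter(ORG_CORRINO_OID)
                .assertIsTenant()
                .assertTenantRef(ORG_CORRINO_OID)
                .assignments()
                    .single()
                        .assertTargetOid(ORG_ROOT_OID)
                    .end())
                .end()
                .assertLinks(0)
                .assertParentOrgRefs(new String[]{ORG_ROOT_OID});
        ((AssignmentsAsserter) assertOrgAfter(ORG_KAITAIN_OID)
                .assertTenant((Boolean) null)
                .assertTenantRef(ORG_CORRINO_OID)
                .assignments()
                    .single()
                        .assertTargetOid(ORG_CORRINO_OID)
                    .end())
                .end()
                .assertLinks(0)
                .assertParentOrgRefs(new String[]{ORG_CORRINO_OID});
        ((AssignmentsAsserter) assertOrgAfter(ORG_IMPERIAL_PALACE_OID)
                .assertTenant((Boolean) null)
                .assertTenantRef(ORG_CORRINO_OID)
                .assignments()
                    .single()
                        .assertTargetOid(ORG_KAITAIN_OID)
                    .end())
                .end()
                .assertLinks(0)
                .assertParentOrgRefs(new String[]{ORG_KAITAIN_OID});
        assertGlobalStateUntouched();
    }

    /**
     * Read isolation for Leto: objects of his own tenant are readable; objects of Harkonnen,
     * the Guild and the role under {@link #ROLE_TENANT_ADMIN_OID} are not. Searches must return
     * exactly the Atreides objects, which also guards against leaks through search results.
     */
    @Test
    public void test100AutzLetoRead() throws Exception {
        displayTestTitle("test100AutzLetoRead");
        cleanupAutzTest(null);
        login(USER_LETO_ATREIDES_NAME);
        displayWhen("test100AutzLetoRead");

        // Own tenant: allowed.
        assertGetAllow(UserType.class, USER_LETO_ATREIDES_OID);
        assertGetAllow(UserType.class, USER_PAUL_ATREIDES_OID);
        assertGetAllow(OrgType.class, ORG_ATREIDES_OID);
        assertGetAllow(RoleType.class, ROLE_ATREIDES_ADMIN_OID);

        // Everything outside the tenant: denied.
        assertGetDeny(UserType.class, USER_VLADIMIR_HARKONNEN_OID);
        assertGetDeny(OrgType.class, ORG_HARKONNEN_OID);
        assertGetDeny(RoleType.class, ROLE_HARKONNEN_ADMIN_OID);
        assertGetDeny(OrgType.class, ORG_GUILD_OID);
        assertGetDeny(RoleType.class, ROLE_TENANT_ADMIN_OID);
        assertGetDeny(UserType.class, USER_EDRIC_OID);

        assertSearch(UserType.class, null, new String[]{USER_LETO_ATREIDES_OID, USER_PAUL_ATREIDES_OID});
        assertSearch(RoleType.class, null, new String[]{ROLE_ATREIDES_ADMIN_OID, ROLE_ATREIDES_END_USER_OID, ROLE_ATREIDES_ROLE_MANAGER_OID, ROLE_ATREIDES_SOLDIER_OID});
        assertSearch(OrgType.class, null, new String[]{ORG_ATREIDES_OID, ORG_CALADAN_OID});
        displayThen("test100AutzLetoRead");
        assertGlobalStateUntouched();
    }

    /**
     * Add isolation for Leto: adding the user from the Duncan file is allowed, adding the users
     * from the Piter and D'murr files is denied. The added user is then verified as administrator.
     */
    @Test
    public void test102AutzLetoAdd() throws Exception {
        displayTestTitle("test102AutzLetoAdd");
        cleanupAutzTest(null);
        login(USER_LETO_ATREIDES_NAME);
        displayWhen("test102AutzLetoAdd");
        assertAddAllow(USER_DUNCAN_FILE);
        assertAddDeny(USER_PITER_FILE);
        assertAddDeny(USER_DMURR_FILE);
        displayThen("test102AutzLetoAdd");
        // Verification is done as administrator so it does not depend on Leto's read rights.
        login("administrator");
        assertUserAfter(USER_DUNCAN_OID)
                .assertName(USER_DUNCAN_NAME)
                .assertFullName(USER_DUNCAN_FULL_NAME)
                .assignments()
                    .assertOrg(ORG_ATREIDES_OID)
                    .assertNoRole()
                .end()
                .assertTenantRef(ORG_ATREIDES_OID)
                .assertParentOrgRefs(new String[]{ORG_ATREIDES_OID})
                .assertLinks(0);
        assertGlobalStateUntouched();
    }

    /**
     * Modify isolation for Leto: changing the locality of Paul is allowed; changing the locality
     * of a Harkonnen user or of the Guild user is denied.
     */
    @Test
    public void test104AutzLetoModify() throws Exception {
        displayTestTitle("test104AutzLetoModify");
        cleanupAutzTest(null);
        login(USER_LETO_ATREIDES_NAME);
        displayWhen("test104AutzLetoModify");
        assertModifyAllow(UserType.class, USER_PAUL_ATREIDES_OID, UserType.F_LOCALITY, createPolyString(ORG_ARRAKIS_NAME));
        assertModifyDeny(UserType.class, USER_VLADIMIR_HARKONNEN_OID, UserType.F_LOCALITY, createPolyString("Deepest hell"));
        assertModifyDeny(UserType.class, USER_EDRIC_OID, UserType.F_LOCALITY, createPolyString("Whatever"));
        displayThen("test104AutzLetoModify");
        assertGlobalStateUntouched();
    }

    /**
     * Resource isolation for Leto: adding the Castle Caladan dummy resource is allowed, adding
     * the Barony and Junction dummy resources is denied.
     */
    @Test
    public void test106AutzLetoAddResourceTask() throws Exception {
        displayTestTitle("test106AutzLetoAddResourceTask");
        cleanupAutzTest(null);
        login(USER_LETO_ATREIDES_NAME);
        displayWhen("test106AutzLetoAddResourceTask");
        assertAddDummyResourceAllow(RESOURCE_DUMMY_CASTLE_CALADAN_FILE);
        assertAddDummyResourceDeny(RESOURCE_DUMMY_BARONY_FILE);
        assertAddDummyResourceDeny(RESOURCE_DUMMY_JUNCTION_FILE);
        displayThen("test106AutzLetoAddResourceTask");
        login("administrator");
        assertGlobalStateUntouched();
    }

    /**
     * Parses a resource from {@code file} and points its connectorRef at the dummy connector
     * found in {@link #initSystem(Task, OperationResult)}.
     *
     * @param file resource definition to parse
     * @return the parsed resource with connectorRef set
     */
    private PrismObject parseDummyResource(File file) throws SchemaException, IOException {
        // NOTE(review): raw PrismObject is what the decompiler emitted; the fluent connectorRef(...)
        // call presumably needs the concrete resource type parameter - confirm against the original source.
        PrismObject resource = PrismTestUtil.parseObject(file);
        resource.asObjectable().connectorRef(this.dummyConnector.getOid(), ConnectorType.COMPLEX_TYPE);
        return resource;
    }

    /** Asserts that the current user is allowed to add the dummy resource parsed from {@code file}. */
    private void assertAddDummyResourceAllow(File file) throws SchemaException, IOException, ObjectAlreadyExistsException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, PolicyViolationException, SecurityViolationException {
        assertAddAllow(parseDummyResource(file), null);
    }

    /** Asserts that the current user is denied adding the dummy resource parsed from {@code file}. */
    private void assertAddDummyResourceDeny(File file) throws SchemaException, IOException, ObjectAlreadyExistsException, ObjectNotFoundException, ExpressionEvaluationException, CommunicationException, ConfigurationException, PolicyViolationException, SecurityViolationException {
        assertAddDeny(parseDummyResource(file), null);
    }

    /**
     * Delete isolation for Leto: deleting Duncan is allowed, deleting Piter or D'murr is denied.
     */
    @Test
    public void test109AutzLetoDelete() throws Exception {
        displayTestTitle("test109AutzLetoDelete");
        cleanupAutzTest(null);
        login(USER_LETO_ATREIDES_NAME);
        displayWhen("test109AutzLetoDelete");
        assertDeleteAllow(UserType.class, USER_DUNCAN_OID);
        assertDeleteDeny(UserType.class, USER_PITER_OID);
        assertDeleteDeny(UserType.class, USER_DMURR_OID);
        displayThen("test109AutzLetoDelete");
        assertGlobalStateUntouched();
    }

    /**
     * Org creation for Leto: adding Arrakis and Castle Caladan is allowed and both end up with
     * the Atreides tenantRef; adding Giedi Prime and Junction is denied.
     */
    @Test
    public void test110AutzLetoAddOrgs() throws Exception {
        displayTestTitle("test110AutzLetoAddOrgs");
        cleanupAutzTest(null);
        login(USER_LETO_ATREIDES_NAME);
        displayWhen("test110AutzLetoAddOrgs");
        assertAddAllow(ORG_ARRAKIS_FILE);
        assertAddAllow(ORG_CASTLE_CALADAN_FILE);
        assertAddDeny(ORG_GIEDI_PRIME_FILE);
        assertAddDeny(ORG_JUNCTION_FILE);
        displayThen("test110AutzLetoAddOrgs");
        login("administrator");
        assertOrgAfter(ORG_ARRAKIS_OID)
                .assertName(ORG_ARRAKIS_NAME)
                .assertDisplayName(ORG_ARRAKIS_DISPLAY_NAME)
                .assignments()
                    .assertOrg(ORG_ATREIDES_OID)
                    .assertNoRole()
                .end()
                .assertTenantRef(ORG_ATREIDES_OID)
                .assertParentOrgRefs(new String[]{ORG_ATREIDES_OID})
                .assertLinks(0);
        // Uses the declared name constants (same values as the inlined literals) for consistency
        // with the Arrakis assertion above.
        assertOrgAfter(ORG_CASTLE_CALADAN_OID)
                .assertName(ORG_CASTLE_CALADAN_NAME)
                .assertDisplayName(ORG_CASTLE_CALADAN_DISPLAY_NAME)
                .assignments()
                    .assertOrg(ORG_CALADAN_OID)
                    .assertNoRole()
                .end()
                .assertTenantRef(ORG_ATREIDES_OID)
                .assertParentOrgRefs(new String[]{ORG_CALADAN_OID})
                .assertLinks(0);
        assertGlobalStateUntouched();
    }

    /**
     * Tenant objects themselves are protected from Leto. For his own tenant org, for the
     * Harkonnen org and for the Guild org alike, he is denied: adding a sub-tenant, modifying
     * the org's locality, changing or clearing the tenant flag, moving the org in the tree,
     * and deleting it.
     */
    @Test
    public void test112AutzLetoProtectTenant() throws Exception {
        displayTestTitle("test112AutzLetoProtectTenant");
        cleanupAutzTest(null);
        login(USER_LETO_ATREIDES_NAME);
        displayWhen("test112AutzLetoProtectTenant");

        // --- Own tenant (Atreides) ---
        assertAddDeny(ORG_ATREIDES_SUBTENANT_FILE);
        assertModifyDeny(OrgType.class, ORG_ATREIDES_OID, OrgType.F_LOCALITY, createPolyString(ORG_ARRAKIS_NAME));
        assertModifyDeny(OrgType.class, ORG_ATREIDES_OID, OrgType.F_TENANT, false);
        // Empty value array: the attempt passes no value for the tenant flag.
        assertModifyDeny(OrgType.class, ORG_ATREIDES_OID, OrgType.F_TENANT, new Object[0]);
        assertDeny("unassign root", (task, result) -> {
            unassignOrg(OrgType.class, ORG_ATREIDES_OID, ORG_ROOT_OID, task, result);
        });
        assertDeny("assign caladan", (task, result) -> {
            assignOrg(OrgType.class, ORG_ATREIDES_OID, ORG_CALADAN_OID, task, result);
        });
        assertDeny("assign kaitain", (task, result) -> {
            assignOrg(OrgType.class, ORG_ATREIDES_OID, ORG_KAITAIN_OID, task, result);
        });
        assertDeleteDeny(OrgType.class, ORG_ATREIDES_OID);

        // --- Foreign tenant (Harkonnen) ---
        assertAddDeny(ORG_HARKONNEN_SUBTENANT_FILE);
        assertModifyDeny(OrgType.class, ORG_HARKONNEN_OID, OrgType.F_LOCALITY, createPolyString(ORG_ARRAKIS_NAME));
        assertModifyDeny(OrgType.class, ORG_HARKONNEN_OID, OrgType.F_TENANT, false);
        assertModifyDeny(OrgType.class, ORG_HARKONNEN_OID, OrgType.F_TENANT, new Object[0]);
        assertDeny("unassign root", (task, result) -> {
            unassignOrg(OrgType.class, ORG_HARKONNEN_OID, ORG_ROOT_OID, task, result);
        });
        assertDeny("assign caladan", (task, result) -> {
            assignOrg(OrgType.class, ORG_HARKONNEN_OID, ORG_CALADAN_OID, task, result);
        });
        // Label corrected from "unassign root": the operation assigns the org to Kaitain, and a
        // wrong label would misattribute a failure of this isolation check.
        assertDeny("assign kaitain", (task, result) -> {
            assignOrg(OrgType.class, ORG_HARKONNEN_OID, ORG_KAITAIN_OID, task, result);
        });
        assertDeleteDeny(OrgType.class, ORG_HARKONNEN_OID);

        // --- Non-tenant org (Guild) ---
        assertAddDeny(ORG_GUILD_SUBTENANT_FILE);
        assertModifyDeny(OrgType.class, ORG_GUILD_OID, OrgType.F_LOCALITY, createPolyString(ORG_ARRAKIS_NAME));
        assertModifyDeny(OrgType.class, ORG_GUILD_OID, OrgType.F_TENANT, false);
        assertModifyDeny(OrgType.class, ORG_GUILD_OID, OrgType.F_TENANT, new Object[0]);
        assertDeny("unassign root", (task, result) -> {
            unassignOrg(OrgType.class, ORG_GUILD_OID, ORG_ROOT_OID, task, result);
        });
        assertDeny("assign caladan", (task, result) -> {
            assignOrg(OrgType.class, ORG_GUILD_OID, ORG_CALADAN_OID, task, result);
        });
        // Label corrected from "unassign root" (see the Harkonnen section above).
        assertDeny("assign kaitain", (task, result) -> {
            assignOrg(OrgType.class, ORG_GUILD_OID, ORG_KAITAIN_OID, task, result);
        });
        assertDeleteDeny(OrgType.class, ORG_GUILD_OID);

        displayThen("test112AutzLetoProtectTenant");
        assertGlobalStateUntouched();
    }

    /**
     * Objects must stay inside the tenant. Leto may move the guard role between Atreides orgs,
     * and the role's tenantRef stays Atreides throughout; the denied steps are the unassignments
     * issued while the role has (presumably) only one org assignment left, which would detach it
     * from the tenant. The same is asserted for unassigning Castle Caladan from Caladan.
     */
    @Test
    public void test114AutzLetoKeepWithinTenant() throws Exception {
        displayTestTitle("test114AutzLetoKeepWithinTenant");
        cleanupAutzTest(null);
        login(USER_LETO_ATREIDES_NAME);
        displayWhen("test114AutzLetoKeepWithinTenant");
        assertAddAllow(ROLE_ATREIDES_GUARD_FILE);
        assertAllow("assign guard to arrakis", (task, result) -> {
            assignOrg(RoleType.class, ROLE_ATREIDES_GUARD_OID, ORG_ARRAKIS_OID, task, result);
        });
        assertRoleAfter(ROLE_ATREIDES_GUARD_OID).assertTenantRef(ORG_ATREIDES_OID);
        assertAllow("unassign guard from caladan", (task, result) -> {
            unassignOrg(RoleType.class, ROLE_ATREIDES_GUARD_OID, ORG_CALADAN_OID, task, result);
        });
        assertDeny("unassign guard from arrakis", (task, result) -> {
            unassignOrg(RoleType.class, ROLE_ATREIDES_GUARD_OID, ORG_ARRAKIS_OID, task, result);
        });
        assertAllow("assign guard to house atreides", (task, result) -> {
            assignOrg(RoleType.class, ROLE_ATREIDES_GUARD_OID, ORG_ATREIDES_OID, task, result);
        });
        // Label corrected from "assign guard to house atreides": this step unassigns.
        assertAllow("unassign guard from house atreides", (task, result) -> {
            unassignOrg(RoleType.class, ROLE_ATREIDES_GUARD_OID, ORG_ATREIDES_OID, task, result);
        });
        assertAllow("assign guard to house atreides", (task, result) -> {
            assignOrg(RoleType.class, ROLE_ATREIDES_GUARD_OID, ORG_ATREIDES_OID, task, result);
        });
        assertAllow("unassign guard from arrakis", (task, result) -> {
            unassignOrg(RoleType.class, ROLE_ATREIDES_GUARD_OID, ORG_ARRAKIS_OID, task, result);
        });
        assertDeny("unassign guard from atreides", (task, result) -> {
            unassignOrg(RoleType.class, ROLE_ATREIDES_GUARD_OID, ORG_ATREIDES_OID, task, result);
        });
        assertRoleAfter(ROLE_ATREIDES_GUARD_OID).assertTenantRef(ORG_ATREIDES_OID);
        assertDeleteAllow(RoleType.class, ROLE_ATREIDES_GUARD_OID);
        assertDeny("unassign caladan castle from caladan", (task, result) -> {
            unassignOrg(OrgType.class, ORG_CASTLE_CALADAN_OID, ORG_CALADAN_OID, task, result);
        });
        displayThen("test114AutzLetoKeepWithinTenant");
        assertGlobalStateUntouched();
    }

    /**
     * The tenant admin must not be able to widen his own privileges. Every step here is a
     * deny assertion: adding the "hacker" role file, adding an authorization for
     * {@link AuthorizationConstants#AUTZ_ALL_URL} to the Atreides admin role, inducing the
     * superuser role into it, assigning an account to Paul, and attaching policy rules or
     * policy exceptions to the admin role.
     */
    @Test
    public void test116AutzLetoProtectTenantAdminRole() throws Exception {
        // Title corrected: the strings previously named test114AutzLetoKeepWithinTenant, so the
        // output of this privilege-escalation test was filed under another test's name.
        displayTestTitle("test116AutzLetoProtectTenantAdminRole");
        cleanupAutzTest(null);
        login(USER_LETO_ATREIDES_NAME);
        displayWhen("test116AutzLetoProtectTenantAdminRole");
        assertAddDeny(ROLE_ATREIDES_HACKER_FILE);

        AuthorizationType allAuthorization = new AuthorizationType().action(AuthorizationConstants.AUTZ_ALL_URL);
        assertDeny("add authorizations to atreides admin", (task, result) -> {
            modifyObjectAddContainer(RoleType.class, ROLE_ATREIDES_ADMIN_OID, RoleType.F_AUTHORIZATION, task, result, new AuthorizationType[]{allAuthorization});
        });
        // The literal OID is the induction target labelled "superuser" by this assertion.
        assertDeny("induce superuser", (task, result) -> {
            induceRole(ROLE_ATREIDES_ADMIN_OID, "00000000-0000-0000-0000-000000000004", task, result);
        });
        // NOTE(review): the literal OID is presumably the default dummy resource - confirm.
        assertDeny("add dummy account", (task, result) -> {
            assignAccount(UserType.class, USER_PAUL_ATREIDES_OID, "10000000-0000-0000-0000-000000000004", null, task, result);
        });

        PolicyRuleType policyRule = new PolicyRuleType();
        policyRule.beginPolicyConstraints().beginMinAssignees().multiplicity("1");
        assertDeny("assign policy rule", (task, result) -> {
            assignPolicyRule(RoleType.class, ROLE_ATREIDES_ADMIN_OID, policyRule, task, result);
        });

        AssignmentType exceptionAssignment = new AssignmentType();
        exceptionAssignment.beginPolicyException().ruleName("foobar");
        assertDeny("assign policy exception", (task, result) -> {
            assign(RoleType.class, ROLE_ATREIDES_ADMIN_OID, exceptionAssignment, task, result);
        });

        PolicyExceptionType policyException = new PolicyExceptionType().ruleName("foofoo");
        assertDeny("add policyException to atreides admin", (task, result) -> {
            modifyObjectAddContainer(RoleType.class, ROLE_ATREIDES_ADMIN_OID, RoleType.F_POLICY_EXCEPTION, task, result, new PolicyExceptionType[]{policyException});
        });
        displayThen("test116AutzLetoProtectTenantAdminRole");
        assertGlobalStateUntouched();
    }

    /**
     * Business-role management for Leto: he may add the swordmaster role and induce or uninduce
     * the soldier role in it, but inducing the superuser role and unassigning swordmaster from
     * the Atreides org are denied.
     */
    @Test
    public void test118AutzLetoBusinessRoles() throws Exception {
        displayTestTitle("test118AutzLetoBusinessRoles");
        cleanupAutzTest(null);
        login(USER_LETO_ATREIDES_NAME);
        // The guard role is added again here; test114 deleted it.
        assertAddAllow(ROLE_ATREIDES_GUARD_FILE);
        displayWhen("test118AutzLetoBusinessRoles");
        assertAddAllow(ROLE_ATREIDES_SWORDMASTER_FILE);
        assertDeny("induce superuser", (task, result) -> {
            induceRole(ROLE_ATREIDES_SWORDMASTER_OID, "00000000-0000-0000-0000-000000000004", task, result);
        });
        assertAllow("uninduce soldier from swordmaster", (task, result) -> {
            uninduceRole(ROLE_ATREIDES_SWORDMASTER_OID, ROLE_ATREIDES_SOLDIER_OID, task, result);
        });
        assertAllow("induce soldier to swordmaster", (task, result) -> {
            induceRole(ROLE_ATREIDES_SWORDMASTER_OID, ROLE_ATREIDES_SOLDIER_OID, task, result);
        });
        assertDeny("unassign swordmaster from atreides", (task, result) -> {
            unassignOrg(RoleType.class, ROLE_ATREIDES_SWORDMASTER_OID, ORG_ATREIDES_OID, task, result);
        });
        assertDeleteAllow(RoleType.class, ROLE_ATREIDES_SWORDMASTER_OID);
        displayThen("test118AutzLetoBusinessRoles");
        assertGlobalStateUntouched();
    }

    /**
     * End-user self-service for Paul: he may assign the guard role to himself, but is denied
     * the swordmaster role and roles from the Guild and from Corrino.
     */
    @Test
    public void test120AutzPaulEndUser() throws Exception {
        displayTestTitle("test120AutzPaulEndUser");
        cleanupAutzTest(null);
        // Swordmaster was deleted at the end of test118; it is re-added before logging in as Paul.
        addObject(ROLE_ATREIDES_SWORDMASTER_FILE);
        login(USER_PAUL_ATREIDES_NAME);
        displayWhen("test120AutzPaulEndUser");
        assertAllow("assign guard to paul", (task, result) -> {
            assignRole(USER_PAUL_ATREIDES_OID, ROLE_ATREIDES_GUARD_OID, task, result);
        });
        assertDeny("assign swordmaster to paul", (task, result) -> {
            assignRole(USER_PAUL_ATREIDES_OID, ROLE_ATREIDES_SWORDMASTER_OID, task, result);
        });
        // The next two labels were copies of "assign swordmaster to paul"; they now name the
        // role actually being requested, so a failure points at the right cross-tenant case.
        assertDeny("assign guild navigator to paul", (task, result) -> {
            assignRole(USER_PAUL_ATREIDES_OID, ROLE_GUILD_NAVIGATOR_OID, task, result);
        });
        assertDeny("assign corrino emperor to paul", (task, result) -> {
            assignRole(USER_PAUL_ATREIDES_OID, ROLE_CORRINO_EMPEROR_OID, task, result);
        });
        displayThen("test120AutzPaulEndUser");
        assertGlobalStateUntouched();
    }

    /**
     * Role-manager rights for Duncan: he may change inducements and org membership of the
     * swordmaster role within the tenant, but may not assign roles to users, induce the
     * superuser role, assign the Atreides admin role to swordmaster, or induce an org.
     */
    @Test
    public void test122AutzDuncanRoleManager() throws Exception {
        displayTestTitle("test122AutzDuncanRoleManager");
        cleanupAutzTest(null);
        // Duncan was deleted in test109; re-create him and make him a role manager before login.
        addObject(USER_DUNCAN_FILE);
        assignRole(USER_DUNCAN_OID, ROLE_ATREIDES_ROLE_MANAGER_OID);
        login(USER_DUNCAN_NAME);
        displayWhen("test122AutzDuncanRoleManager");
        assertDeny("assign guard to paul", (task, result) -> {
            assignRole(USER_PAUL_ATREIDES_OID, ROLE_ATREIDES_GUARD_OID, task, result);
        });
        assertAllow("induce swordmaster end user", (task, result) -> {
            induceRole(ROLE_ATREIDES_SWORDMASTER_OID, ROLE_ATREIDES_END_USER_OID, task, result);
        });
        assertDeny("induce superuser", (task, result) -> {
            induceRole(ROLE_ATREIDES_SWORDMASTER_OID, "00000000-0000-0000-0000-000000000004", task, result);
        });
        assertDeny("assign swordmaster to admin", (task, result) -> {
            assignRole(RoleType.class, ROLE_ATREIDES_SWORDMASTER_OID, ROLE_ATREIDES_ADMIN_OID, task, result);
        });
        assertAllow("assign swordmaster to castle caladan", (task, result) -> {
            assignOrg(RoleType.class, ROLE_ATREIDES_SWORDMASTER_OID, ORG_CASTLE_CALADAN_OID, task, result);
        });
        assertDeny("induce caladan", (task, result) -> {
            induceOrg(RoleType.class, ROLE_ATREIDES_SWORDMASTER_OID, ORG_CALADAN_OID, task, result);
        });
        displayThen("test122AutzDuncanRoleManager");
        assertGlobalStateUntouched();
    }

    /**
     * Edric holds the Guild "broken admin" role, and the Guild has no tenantRef (asserted in
     * test010). He must be able to read nothing: every get is denied, including his own user
     * and org, and every search returns zero objects.
     */
    @Test
    public void test130AutzEdricRead() throws Exception {
        // Title corrected from "test120AutzEdricRead" to match the method name.
        displayTestTitle("test130AutzEdricRead");
        cleanupAutzTest(null);
        login(USER_EDRIC_NAME);
        displayWhen("test130AutzEdricRead");
        assertGetDeny(UserType.class, USER_LETO_ATREIDES_OID);
        assertGetDeny(UserType.class, USER_PAUL_ATREIDES_OID);
        assertGetDeny(OrgType.class, ORG_ATREIDES_OID);
        assertGetDeny(RoleType.class, ROLE_ATREIDES_ADMIN_OID);
        assertGetDeny(OrgType.class, ORG_GUILD_OID);
        assertGetDeny(RoleType.class, ROLE_TENANT_ADMIN_OID);
        assertGetDeny(UserType.class, USER_EDRIC_OID);
        // Expected result count is zero; literal 0 rather than the unrelated role-count constant.
        assertSearch(UserType.class, null, 0);
        assertSearch(RoleType.class, null, 0);
        assertSearch(OrgType.class, null, 0);
        displayThen("test130AutzEdricRead");
        assertGlobalStateUntouched();
    }
}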
