Add a test for assignment removal w/ rules

Related to MID-7039. This bug was fixed in the meanwhile,
so this is only an explicit test for it.

model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/rbac/TestRbac.java

@@ -8,12 +8,17 @@
 
 import static org.testng.AssertJUnit.*;
 
+import java.io.File;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 import javax.xml.datatype.XMLGregorianCalendar;
 import javax.xml.namespace.QName;
 
+import com.evolveum.midpoint.prism.*;
+
+import com.evolveum.midpoint.test.TestResource;
+
 import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.annotation.DirtiesContext.ClassMode;
 import org.springframework.test.context.ContextConfiguration;
@@ -27,10 +32,6 @@
 import com.evolveum.midpoint.model.api.context.EvaluatedResourceObjectConstruction;
 import com.evolveum.midpoint.model.api.context.ModelContext;
 import com.evolveum.midpoint.notifications.api.transports.Message;
-import com.evolveum.midpoint.prism.PrismContainer;
-import com.evolveum.midpoint.prism.PrismObject;
-import com.evolveum.midpoint.prism.PrismProperty;
-import com.evolveum.midpoint.prism.PrismPropertyDefinition;
 import com.evolveum.midpoint.prism.delta.DeltaSetTriple;
 import com.evolveum.midpoint.prism.delta.ItemDelta;
 import com.evolveum.midpoint.prism.delta.ObjectDelta;
@@ -59,6 +60,9 @@ public class TestRbac extends AbstractRbacTest {
 
     private static final String LOCALITY_TORTUGA = "Tortuga";
 
+    private static final TestResource<RoleType> ROLE_NON_UNASSIGNABLE = new TestResource<>(TEST_DIR, "role-non-unassignable.xml", "26081889-83e2-461f-a8cc-4c9ef415a4ff");
+    private static final File GLOBAL_POLICY_RULES_ASSIGNMENT_DELETION = new File(TEST_DIR, "global-policy-rules-assignment-deletion.xml");
+
     private String userSharptoothOid;
     private String userRedskullOid;
     private String userBignoseOid;
@@ -72,7 +76,7 @@ public void initSystem(Task initTask, OperationResult initResult)
             throws Exception {
         super.initSystem(initTask, initResult);
 
-//        setGlobalTracingOverride(createModelLoggingTracingProfile());
+        repoAdd(ROLE_NON_UNASSIGNABLE, initResult);
     }
 
     @Test
@@ -4516,7 +4520,40 @@ public void test920AddRecomputeTrigger() throws Exception {
                         .assertOriginDescription("added by role");
     }
 
-    protected boolean testMultiplicityConstraintsForNonDefaultRelations() {
+    /**
+     * MID-7093
+     */
+    @Test
+    public void test930NonUnassignableRole() throws Exception {
+        given();
+        Task task = getTestTask();
+        OperationResult result = task.getResult();
+
+        UserType user = new UserType(PrismContext.get())
+                .name("test930")
+                .beginAssignment()
+                    .targetRef(ROLE_NON_UNASSIGNABLE.oid, RoleType.COMPLEX_TYPE)
+                .end();
+        repoAddObject(user.asPrismObject(), result);
+
+        transplantGlobalPolicyRulesAdd(GLOBAL_POLICY_RULES_ASSIGNMENT_DELETION, task, result);
+
+        when();
+
+        try {
+            unassignRole(user.getOid(), ROLE_NON_UNASSIGNABLE.oid, task, result);
+            fail("unexpected success");
+        } catch (PolicyViolationException e) {
+            then();
+            displayExpectedException(e);
+        } catch (Exception e) {
+            then();
+            throw new AssertionError("Unexpected exception: " + e.getMessage(), e);
+        }
+    }
+
+    @SuppressWarnings("BooleanMethodIsAlwaysInverted")
+    private boolean testMultiplicityConstraintsForNonDefaultRelations() {
         return true;
     }
 }

model/model-intest/src/test/resources/rbac/global-policy-rules-assignment-deletion.xml

@@ -0,0 +1,48 @@
+<?xml version="1.0"?>
+<!--
+  ~ Copyright (c) 2010-2017 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+<systemConfiguration
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+        xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
+
+    <globalPolicyRule>
+        <name>Assignment delete policy</name>
+        <policyConstraints>
+            <and>
+                <assignment>
+                    <presentation>
+                        <message>
+                            <fallbackMessageExpression>
+                                <script>
+                                    <code><![CDATA[
+                                        return "Delete policy"
+                                        ]]></code>
+                                </script>
+                            </fallbackMessageExpression>
+                        </message>
+                    </presentation>
+                    <operation>delete</operation>
+                </assignment>
+            </and>
+        </policyConstraints>
+        <policyActions>
+            <enforcement />
+        </policyActions>
+        <focusSelector>
+            <type>UserType</type>
+        </focusSelector>
+        <targetSelector>
+            <type>RoleType</type>
+            <filter>
+                <q:equal>
+                    <q:path>costCenter</q:path>
+                    <q:value>non-unassignable</q:value>
+                </q:equal>
+            </filter>
+        </targetSelector>
+    </globalPolicyRule>
+</systemConfiguration>

model/model-intest/src/test/resources/rbac/role-non-unassignable.xml

@@ -0,0 +1,12 @@
+<!--
+  ~ Copyright (c) 2017 Evolveum and contributors
+  ~
+  ~ This work is dual-licensed under the Apache License 2.0
+  ~ and European Union Public License. See LICENSE file for details.
+  -->
+<role oid="26081889-83e2-461f-a8cc-4c9ef415a4ff"
+        xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
+    <name>Non-unassignable</name>
+    <description>Role that cannot be unassigned because of global policy rule</description>
+    <costCenter>non-unassignable</costCenter>
+</role>