syncope-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ilgro...@apache.org
Subject [1/3] syncope git commit: [SYNCOPE-140] Implemented
Date Fri, 08 May 2015 15:03:06 GMT
Repository: syncope
Updated Branches:
  refs/heads/master 84028f115 -> 22839bf37


http://git-wip-us.apache.org/repos/asf/syncope/blob/22839bf3/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/RoleDataBinderImpl.java
----------------------------------------------------------------------
diff --git a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/RoleDataBinderImpl.java b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/RoleDataBinderImpl.java
index de07e3b..2f4fd2d 100644
--- a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/RoleDataBinderImpl.java
+++ b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/RoleDataBinderImpl.java
@@ -20,8 +20,13 @@ package org.apache.syncope.core.provisioning.java.data;
 
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.collections4.Transformer;
+import org.apache.syncope.common.lib.SyncopeClientException;
 import org.apache.syncope.common.lib.to.RoleTO;
+import org.apache.syncope.common.lib.types.ClientExceptionType;
+import org.apache.syncope.core.misc.search.SearchCondConverter;
 import org.apache.syncope.core.persistence.api.dao.RealmDAO;
+import org.apache.syncope.core.persistence.api.dao.search.SearchCond;
+import org.apache.syncope.core.persistence.api.entity.DynRoleMembership;
 import org.apache.syncope.core.persistence.api.entity.EntityFactory;
 import org.apache.syncope.core.persistence.api.entity.Realm;
 import org.apache.syncope.core.persistence.api.entity.Role;
@@ -42,6 +47,25 @@ public class RoleDataBinderImpl implements RoleDataBinder {
     @Autowired
     private EntityFactory entityFactory;
 
+    private void setDynMembership(final Role role, final String dynMembershipFIQL) {
+        SearchCond dynMembershipCond = SearchCondConverter.convert(dynMembershipFIQL);
+        if (!dynMembershipCond.isValid()) {
+            SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.InvalidSearchExpression);
+            sce.getElements().add(dynMembershipFIQL);
+            throw sce;
+        }
+
+        DynRoleMembership dynMembership;
+        if (role.getDynMembership() == null) {
+            dynMembership = entityFactory.newEntity(DynRoleMembership.class);
+            dynMembership.setRole(role);
+            role.setDynMembership(dynMembership);
+        } else {
+            dynMembership = role.getDynMembership();
+        }
+        dynMembership.setFIQLCond(dynMembershipFIQL);
+    }
+
     @Override
     public Role create(final RoleTO roleTO) {
         Role role = entityFactory.newEntity(Role.class);
@@ -65,6 +89,22 @@ public class RoleDataBinderImpl implements RoleDataBinder {
                 role.addRealm(realm);
             }
         }
+
+        // dynamic membership
+        if (role.getKey() == null && roleTO.getDynMembershipCond() != null) {
+            setDynMembership(role, roleTO.getDynMembershipCond());
+        } else {
+            if (role.getDynMembership() != null && roleTO.getDynMembershipCond() == null) {
+                role.setDynMembership(null);
+            } else if (role.getDynMembership() == null && roleTO.getDynMembershipCond() != null) {
+                setDynMembership(role, roleTO.getDynMembershipCond());
+            } else if (role.getDynMembership() != null && roleTO.getDynMembershipCond() != null
+                    && !role.getDynMembership().getFIQLCond().equals(roleTO.getDynMembershipCond())) {
+
+                role.getDynMembership().getUsers().clear();
+                setDynMembership(role, roleTO.getDynMembershipCond());
+            }
+        }
     }
 
     @Override
@@ -83,6 +123,10 @@ public class RoleDataBinderImpl implements RoleDataBinder {
             }
         }, roleTO.getRealms());
 
+        if (role.getDynMembership() != null) {
+            roleTO.setDynMembershipCond(role.getDynMembership().getFIQLCond());
+        }
+
         return roleTO;
     }
 

http://git-wip-us.apache.org/repos/asf/syncope/blob/22839bf3/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/UserDataBinderImpl.java
----------------------------------------------------------------------
diff --git a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/UserDataBinderImpl.java b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/UserDataBinderImpl.java
index 1b1508d..317fce2 100644
--- a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/UserDataBinderImpl.java
+++ b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/data/UserDataBinderImpl.java
@@ -18,8 +18,7 @@
  */
 package org.apache.syncope.core.provisioning.java.data;
 
-import static org.apache.syncope.core.provisioning.java.data.AbstractAttributableDataBinder.LOG;
-
+import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
 import java.util.HashSet;
@@ -226,7 +225,7 @@ public class UserDataBinderImpl extends AbstractAttributableDataBinder implement
 
         SyncopeClientCompositeException scce = SyncopeClientException.buildComposite();
 
-        Set<String> currentResources = user.getResourceNames();
+        Collection<String> currentResources = userDAO.findAllResourceNames(user);
 
         // fetch account ids before update
         Map<String, String> oldAccountIds = getAccountIds(user, AttributableType.USER);
@@ -421,11 +420,10 @@ public class UserDataBinderImpl extends AbstractAttributableDataBinder implement
 
         connObjectUtils.retrieveVirAttrValues(user, attrUtilsFactory.getInstance(AttributableType.USER));
         fillTO(userTO, user.getRealm().getFullPath(),
-                user.getPlainAttrs(), user.getDerAttrs(), user.getVirAttrs(), user.getResources());
+                user.getPlainAttrs(), user.getDerAttrs(), user.getVirAttrs(), userDAO.findAllResources(user));
 
-        MembershipTO membershipTO;
         for (Membership membership : user.getMemberships()) {
-            membershipTO = new MembershipTO();
+            MembershipTO membershipTO = new MembershipTO();
 
             // set sys info
             membershipTO.setCreator(membership.getCreator());
@@ -447,6 +445,22 @@ public class UserDataBinderImpl extends AbstractAttributableDataBinder implement
             userTO.getMemberships().add(membershipTO);
         }
 
+        // dynamic memberships
+        CollectionUtils.collect(userDAO.findDynRoleMemberships(user), new Transformer<Role, Long>() {
+
+            @Override
+            public Long transform(final Role role) {
+                return role.getKey();
+            }
+        }, userTO.getDynRoles());
+        CollectionUtils.collect(userDAO.findDynGroupMemberships(user), new Transformer<Group, Long>() {
+
+            @Override
+            public Long transform(final Group group) {
+                return group.getKey();
+            }
+        }, userTO.getDynGroups());
+
         return userTO;
     }
 

http://git-wip-us.apache.org/repos/asf/syncope/blob/22839bf3/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/AbstractPropagationTaskExecutor.java
----------------------------------------------------------------------
diff --git a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/AbstractPropagationTaskExecutor.java b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/AbstractPropagationTaskExecutor.java
index 3856324..6408987 100644
--- a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/AbstractPropagationTaskExecutor.java
+++ b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/AbstractPropagationTaskExecutor.java
@@ -20,6 +20,7 @@ package org.apache.syncope.core.provisioning.java.propagation;
 
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.Date;
 import java.util.HashSet;
 import java.util.List;
@@ -50,6 +51,8 @@ import org.apache.syncope.core.misc.AuditManager;
 import org.apache.syncope.core.misc.spring.ApplicationContextProvider;
 import org.apache.syncope.core.misc.ConnObjectUtils;
 import org.apache.syncope.core.misc.ExceptionUtils2;
+import org.apache.syncope.core.persistence.api.entity.group.Group;
+import org.apache.syncope.core.persistence.api.entity.user.User;
 import org.apache.syncope.core.provisioning.api.notification.NotificationManager;
 import org.identityconnectors.framework.common.exceptions.ConnectorException;
 import org.identityconnectors.framework.common.objects.Attribute;
@@ -280,7 +283,12 @@ public abstract class AbstractPropagationTaskExecutor implements PropagationTask
              * two different memberships with the same resource).
              */
             Subject<?, ?, ?> subject = getSubject(task);
-            if (subject == null || !subject.getResourceNames().contains(task.getResource().getKey())) {
+            Collection<String> resources = subject instanceof User
+                    ? userDAO.findAllResourceNames((User) subject)
+                    : subject instanceof Group
+                            ? ((Group) subject).getResourceNames()
+                            : Collections.<String>emptySet();
+            if (!resources.contains(task.getResource().getKey())) {
                 LOG.debug("Delete {} on {}", beforeObj.getUid(), task.getResource().getKey());
 
                 connector.delete(

http://git-wip-us.apache.org/repos/asf/syncope/blob/22839bf3/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java
----------------------------------------------------------------------
diff --git a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java
index 6600e44..c246d8f 100644
--- a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java
+++ b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/LDAPMembershipPropagationActions.java
@@ -71,7 +71,7 @@ public class LDAPMembershipPropagationActions extends DefaultPropagationActions
             User user = userDAO.find(task.getSubjectKey());
             if (user != null) {
                 List<String> groupAccountLinks = new ArrayList<>();
-                for (Group group : user.getGroups()) {
+                for (Group group : userDAO.findAllGroups(user)) {
                     if (group.getResourceNames().contains(task.getResource().getKey())
                             && StringUtils.isNotBlank(task.getResource().getGmapping().getAccountLink())) {
 

http://git-wip-us.apache.org/repos/asf/syncope/blob/22839bf3/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/PropagationManagerImpl.java
----------------------------------------------------------------------
diff --git a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/PropagationManagerImpl.java b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/PropagationManagerImpl.java
index d7c59a4..2939095 100644
--- a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/PropagationManagerImpl.java
+++ b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/propagation/PropagationManagerImpl.java
@@ -264,7 +264,7 @@ public class PropagationManagerImpl implements PropagationManager {
             origPropByRes.merge(wfResult.getPropByRes());
 
             Set<String> pwdResourceNames = new HashSet<>(userMod.getPwdPropRequest().getResourceNames());
-            Set<String> currentResourceNames = userDAO.authFetch(userMod.getKey()).getResourceNames();
+            Collection<String> currentResourceNames = userDAO.findAllResourceNames(userDAO.authFetch(userMod.getKey()));
             pwdResourceNames.retainAll(currentResourceNames);
             PropagationByResource pwdPropByRes = new PropagationByResource();
             pwdPropByRes.addAll(ResourceOperation.UPDATE, pwdResourceNames);
@@ -312,8 +312,10 @@ public class PropagationManagerImpl implements PropagationManager {
                         : vAttrsToBeUpdated, attrUtilsFactory.getInstance(subject));
 
         // SYNCOPE-458 fill membership virtual attributes
+        Collection<String> resourceNames;
         if (subject instanceof User) {
-            final User user = (User) subject;
+            User user = (User) subject;
+            resourceNames = userDAO.findAllResourceNames(user);
             for (final Membership membership : user.getMemberships()) {
                 if (membership.getVirAttrs() != null && !membership.getVirAttrs().isEmpty()) {
                     final MembershipMod membershipMod = CollectionUtils.find(membershipsToAdd,
@@ -334,10 +336,12 @@ public class PropagationManagerImpl implements PropagationManager {
                     }
                 }
             }
+        } else {
+            resourceNames = subject.getResourceNames();
         }
 
         if (propByRes == null || propByRes.isEmpty()) {
-            localPropByRes.addAll(ResourceOperation.UPDATE, subject.getResourceNames());
+            localPropByRes.addAll(ResourceOperation.UPDATE, resourceNames);
         } else {
             localPropByRes.merge(propByRes);
         }
@@ -377,7 +381,7 @@ public class PropagationManagerImpl implements PropagationManager {
     public List<PropagationTask> getUserDeleteTasks(final Long userKey, final Collection<String> noPropResourceNames) {
 
         User user = userDAO.authFetch(userKey);
-        return getDeleteTaskIds(user, user.getResourceNames(), noPropResourceNames);
+        return getDeleteTaskIds(user, userDAO.findAllResourceNames(user), noPropResourceNames);
     }
 
     @Override
@@ -424,7 +428,7 @@ public class PropagationManagerImpl implements PropagationManager {
 
     protected List<PropagationTask> getDeleteTaskIds(
             final Subject<?, ?, ?> subject,
-            final Set<String> resourceNames,
+            final Collection<String> resourceNames,
             final Collection<String> noPropResourceNames) {
 
         final PropagationByResource propByRes = new PropagationByResource();

http://git-wip-us.apache.org/repos/asf/syncope/blob/22839bf3/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/sync/AbstractPushResultHandler.java
----------------------------------------------------------------------
diff --git a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/sync/AbstractPushResultHandler.java b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/sync/AbstractPushResultHandler.java
index 5a63f8e..e15f526 100644
--- a/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/sync/AbstractPushResultHandler.java
+++ b/core/provisioning-java/src/main/java/org/apache/syncope/core/provisioning/java/sync/AbstractPushResultHandler.java
@@ -19,6 +19,7 @@
 package org.apache.syncope.core.provisioning.java.sync;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
@@ -43,6 +44,7 @@ import org.apache.syncope.core.persistence.api.entity.user.User;
 import org.apache.syncope.core.provisioning.api.sync.ProvisioningResult;
 import org.apache.syncope.core.provisioning.api.sync.PushActions;
 import org.apache.syncope.core.misc.MappingUtils;
+import org.apache.syncope.core.persistence.api.entity.group.Group;
 import org.apache.syncope.core.provisioning.api.sync.IgnoreProvisionException;
 import org.apache.syncope.core.provisioning.api.sync.SyncopePushResultHandler;
 import org.identityconnectors.framework.common.objects.ConnectorObject;
@@ -347,20 +349,21 @@ public abstract class AbstractPushResultHandler extends AbstractSyncopeResultHan
             vattrToBeUpdated.add(mod);
         }
 
-        final boolean changepwd;
-
+        boolean changepwd;
+        Collection<String> resourceNames;
         if (sbj instanceof User) {
             changepwd = true;
+            resourceNames = userDAO.findAllResourceNames((User) sbj);
 
             // Search for memberships
             for (Membership membership : User.class.cast(sbj).getMemberships()) {
-                final MembershipMod membershipMod = new MembershipMod();
+                MembershipMod membershipMod = new MembershipMod();
                 membershipMod.setKey(membership.getKey());
                 membershipMod.setGroup(membership.getGroup().getKey());
 
                 for (VirAttr vattr : membership.getVirAttrs()) {
                     membVattrToBeRemoved.remove(vattr.getSchema().getKey());
-                    final AttrMod mod = new AttrMod();
+                    AttrMod mod = new AttrMod();
                     mod.setSchema(vattr.getSchema().getKey());
                     mod.getValuesToBeAdded().addAll(vattr.getValues());
                     membershipMod.getVirAttrsToUpdate().add(mod);
@@ -374,9 +377,10 @@ public abstract class AbstractPushResultHandler extends AbstractSyncopeResultHan
             }
         } else {
             changepwd = false;
+            resourceNames = ((Group) sbj).getResourceNames();
         }
 
-        final List<String> noPropResources = new ArrayList<>(sbj.getResourceNames());
+        List<String> noPropResources = new ArrayList<>(resourceNames);
         noPropResources.remove(profile.getTask().getResource().getKey());
 
         final PropagationByResource propByRes = new PropagationByResource();

http://git-wip-us.apache.org/repos/asf/syncope/blob/22839bf3/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/ActivitiUserWorkflowAdapter.java
----------------------------------------------------------------------
diff --git a/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/ActivitiUserWorkflowAdapter.java b/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/ActivitiUserWorkflowAdapter.java
index a356ad8..1849bd6 100644
--- a/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/ActivitiUserWorkflowAdapter.java
+++ b/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/ActivitiUserWorkflowAdapter.java
@@ -295,7 +295,7 @@ public class ActivitiUserWorkflowAdapter extends AbstractUserWorkflowAdapter {
         }
 
         PropagationByResource propByRes = new PropagationByResource();
-        propByRes.set(ResourceOperation.CREATE, user.getResourceNames());
+        propByRes.set(ResourceOperation.CREATE, userDAO.findAllResourceNames(user));
 
         saveForFormSubmit(user, userTO.getPassword(), propByRes);
 
@@ -415,7 +415,7 @@ public class ActivitiUserWorkflowAdapter extends AbstractUserWorkflowAdapter {
         doExecuteTask(user, "delete", null);
 
         PropagationByResource propByRes = new PropagationByResource();
-        propByRes.set(ResourceOperation.DELETE, user.getResourceNames());
+        propByRes.set(ResourceOperation.DELETE, userDAO.findAllResourceNames(user));
 
         saveForFormSubmit(user, null, propByRes);
 
@@ -695,7 +695,7 @@ public class ActivitiUserWorkflowAdapter extends AbstractUserWorkflowAdapter {
                     taskCandidateOrAssigned(user.getKey().toString())));
 
             List<String> candidateGroups = new ArrayList<>();
-            for (Long groupId : user.getGroupKeys()) {
+            for (Long groupId : userDAO.findAllGroupKeys(user)) {
                 candidateGroups.add(groupId.toString());
             }
             if (!candidateGroups.isEmpty()) {

http://git-wip-us.apache.org/repos/asf/syncope/blob/22839bf3/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/SyncopeGroupManager.java
----------------------------------------------------------------------
diff --git a/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/SyncopeGroupManager.java b/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/SyncopeGroupManager.java
index 0033824..b1f1c8c 100644
--- a/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/SyncopeGroupManager.java
+++ b/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/SyncopeGroupManager.java
@@ -67,7 +67,7 @@ public class SyncopeGroupManager implements GroupIdentityManager, SyncopeSession
         User user = userDAO.find(userId);
         if (user != null) {
             result = new ArrayList<>();
-            for (Long groupId : user.getGroupKeys()) {
+            for (Long groupId : userDAO.findAllGroupKeys(user)) {
                 result.add(new GroupEntity(groupId.toString()));
             }
         }

http://git-wip-us.apache.org/repos/asf/syncope/blob/22839bf3/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/SyncopeUserManager.java
----------------------------------------------------------------------
diff --git a/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/SyncopeUserManager.java b/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/SyncopeUserManager.java
index 72be4e3..2b568b1 100644
--- a/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/SyncopeUserManager.java
+++ b/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/SyncopeUserManager.java
@@ -75,7 +75,7 @@ public class SyncopeUserManager implements UserIdentityManager, SyncopeSession {
         org.apache.syncope.core.persistence.api.entity.user.User user = userDAO.find(userKey);
         if (user != null) {
             result = new ArrayList<>();
-            for (Long groupId : user.getGroupKeys()) {
+            for (Long groupId : userDAO.findAllGroupKeys(user)) {
                 result.add(new GroupEntity(groupId.toString()));
             }
         }

http://git-wip-us.apache.org/repos/asf/syncope/blob/22839bf3/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/SyncopeUserQueryImpl.java
----------------------------------------------------------------------
diff --git a/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/SyncopeUserQueryImpl.java b/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/SyncopeUserQueryImpl.java
index 55d8d5d..506455f 100644
--- a/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/SyncopeUserQueryImpl.java
+++ b/core/workflow-activiti/src/main/java/org/apache/syncope/core/workflow/activiti/SyncopeUserQueryImpl.java
@@ -141,7 +141,7 @@ public class SyncopeUserQueryImpl implements UserQuery {
             if (user == null) {
                 result = Collections.<User>emptyList();
             } else {
-                if (memberOf == null || user.getGroupKeys().contains(memberOf)) {
+                if (memberOf == null || userDAO.findAllGroupKeys(user).contains(memberOf)) {
                     result = Collections.singletonList(fromSyncopeUser(user));
                 }
             }

http://git-wip-us.apache.org/repos/asf/syncope/blob/22839bf3/core/workflow-java/src/main/java/org/apache/syncope/core/workflow/java/DefaultGroupWorkflowAdapter.java
----------------------------------------------------------------------
diff --git a/core/workflow-java/src/main/java/org/apache/syncope/core/workflow/java/DefaultGroupWorkflowAdapter.java b/core/workflow-java/src/main/java/org/apache/syncope/core/workflow/java/DefaultGroupWorkflowAdapter.java
index 041234f..fa765ed 100644
--- a/core/workflow-java/src/main/java/org/apache/syncope/core/workflow/java/DefaultGroupWorkflowAdapter.java
+++ b/core/workflow-java/src/main/java/org/apache/syncope/core/workflow/java/DefaultGroupWorkflowAdapter.java
@@ -44,7 +44,7 @@ public class DefaultGroupWorkflowAdapter extends AbstractGroupWorkflowAdapter {
         dataBinder.create(group, groupTO);
         group = groupDAO.save(group);
 
-        final PropagationByResource propByRes = new PropagationByResource();
+        PropagationByResource propByRes = new PropagationByResource();
         propByRes.set(ResourceOperation.CREATE, group.getResourceNames());
 
         return new WorkflowResult<>(group.getKey(), propByRes, "create");

http://git-wip-us.apache.org/repos/asf/syncope/blob/22839bf3/core/workflow-java/src/main/java/org/apache/syncope/core/workflow/java/DefaultUserWorkflowAdapter.java
----------------------------------------------------------------------
diff --git a/core/workflow-java/src/main/java/org/apache/syncope/core/workflow/java/DefaultUserWorkflowAdapter.java b/core/workflow-java/src/main/java/org/apache/syncope/core/workflow/java/DefaultUserWorkflowAdapter.java
index 6691541..78360a9 100644
--- a/core/workflow-java/src/main/java/org/apache/syncope/core/workflow/java/DefaultUserWorkflowAdapter.java
+++ b/core/workflow-java/src/main/java/org/apache/syncope/core/workflow/java/DefaultUserWorkflowAdapter.java
@@ -87,7 +87,7 @@ public class DefaultUserWorkflowAdapter extends AbstractUserWorkflowAdapter {
         user = userDAO.save(user);
 
         final PropagationByResource propByRes = new PropagationByResource();
-        propByRes.set(ResourceOperation.CREATE, user.getResourceNames());
+        propByRes.set(ResourceOperation.CREATE, userDAO.findAllResourceNames(user));
 
         return new WorkflowResult<Pair<Long, Boolean>>(
                 new ImmutablePair<>(user.getKey(), propagateEnable), propByRes, "create");

http://git-wip-us.apache.org/repos/asf/syncope/blob/22839bf3/ext/camel/provisioning-camel/src/main/java/org/apache/syncope/core/provisioning/camel/processor/UserDeprovisionProcessor.java
----------------------------------------------------------------------
diff --git a/ext/camel/provisioning-camel/src/main/java/org/apache/syncope/core/provisioning/camel/processor/UserDeprovisionProcessor.java b/ext/camel/provisioning-camel/src/main/java/org/apache/syncope/core/provisioning/camel/processor/UserDeprovisionProcessor.java
index e59bec6..031e451 100644
--- a/ext/camel/provisioning-camel/src/main/java/org/apache/syncope/core/provisioning/camel/processor/UserDeprovisionProcessor.java
+++ b/ext/camel/provisioning-camel/src/main/java/org/apache/syncope/core/provisioning/camel/processor/UserDeprovisionProcessor.java
@@ -18,7 +18,6 @@
  */
 package org.apache.syncope.core.provisioning.camel.processor;
 
-import java.util.Collection;
 import java.util.HashSet;
 import java.util.List;
 import org.apache.camel.Exchange;
@@ -59,10 +58,10 @@ public class UserDeprovisionProcessor implements Processor {
 
         User user = userDAO.authFetch(userKey);
 
-        Collection<String> noPropResourceNames = CollectionUtils.removeAll(user.getResourceNames(), resources);
-
-        List<PropagationTask> tasks =
-                propagationManager.getUserDeleteTasks(userKey, new HashSet<>(resources), noPropResourceNames);
+        List<PropagationTask> tasks = propagationManager.getUserDeleteTasks(
+                userKey,
+                new HashSet<>(resources),
+                CollectionUtils.removeAll(userDAO.findAllResourceNames(user), resources));
         PropagationReporter propagationReporter =
                 ApplicationContextProvider.getApplicationContext().getBean(PropagationReporter.class);
         try {

http://git-wip-us.apache.org/repos/asf/syncope/blob/22839bf3/ext/camel/provisioning-camel/src/main/java/org/apache/syncope/core/provisioning/camel/processor/UserStatusPropagationProcessor.java
----------------------------------------------------------------------
diff --git a/ext/camel/provisioning-camel/src/main/java/org/apache/syncope/core/provisioning/camel/processor/UserStatusPropagationProcessor.java b/ext/camel/provisioning-camel/src/main/java/org/apache/syncope/core/provisioning/camel/processor/UserStatusPropagationProcessor.java
index 0df97b8..cb0bb82 100644
--- a/ext/camel/provisioning-camel/src/main/java/org/apache/syncope/core/provisioning/camel/processor/UserStatusPropagationProcessor.java
+++ b/ext/camel/provisioning-camel/src/main/java/org/apache/syncope/core/provisioning/camel/processor/UserStatusPropagationProcessor.java
@@ -26,6 +26,7 @@ import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.lang3.tuple.ImmutablePair;
 import org.apache.syncope.common.lib.mod.StatusMod;
 import org.apache.syncope.core.misc.spring.ApplicationContextProvider;
+import org.apache.syncope.core.persistence.api.dao.UserDAO;
 import org.apache.syncope.core.persistence.api.entity.task.PropagationTask;
 import org.apache.syncope.core.persistence.api.entity.user.User;
 import org.apache.syncope.core.provisioning.api.WorkflowResult;
@@ -49,6 +50,9 @@ public class UserStatusPropagationProcessor implements Processor {
     @Autowired
     protected PropagationTaskExecutor taskExecutor;
 
+    @Autowired
+    protected UserDAO userDAO;
+    
     @SuppressWarnings("unchecked")
     @Override
     public void process(final Exchange exchange) {
@@ -58,7 +62,7 @@ public class UserStatusPropagationProcessor implements Processor {
         StatusMod statusMod = exchange.getProperty("statusMod", StatusMod.class);
 
         Collection<String> resourcesToBeExcluded =
-                CollectionUtils.removeAll(user.getResourceNames(), statusMod.getResourceNames());
+                CollectionUtils.removeAll(userDAO.findAllResourceNames(user), statusMod.getResourceNames());
 
         List<PropagationTask> tasks = propagationManager.getUserUpdateTasks(
                 user, statusMod.getType() != StatusMod.ModType.SUSPEND, resourcesToBeExcluded);

http://git-wip-us.apache.org/repos/asf/syncope/blob/22839bf3/fit/core-reference/src/main/resources/userWorkflow.bpmn20.xml
----------------------------------------------------------------------
diff --git a/fit/core-reference/src/main/resources/userWorkflow.bpmn20.xml b/fit/core-reference/src/main/resources/userWorkflow.bpmn20.xml
index d0b5604..9a6ee5b 100644
--- a/fit/core-reference/src/main/resources/userWorkflow.bpmn20.xml
+++ b/fit/core-reference/src/main/resources/userWorkflow.bpmn20.xml
@@ -34,10 +34,10 @@ under the License.
     <sequenceFlow id="flow2" sourceRef="create" targetRef="createGW"/>
     <exclusiveGateway id="createGW"/>
     <sequenceFlow id="createAsAnonymous2Approval" sourceRef="createGW" targetRef="createApproval">
-      <conditionExpression xsi:type="tFormalExpression"><![CDATA[${wfExecutor == 'anonymous' || user.getGroupKeys().contains(9)}]]></conditionExpression>
+      <conditionExpression xsi:type="tFormalExpression"><![CDATA[${wfExecutor == 'anonymous' || user.getStaticGroupKeys().contains(9)}]]></conditionExpression>
     </sequenceFlow>
     <sequenceFlow id="create2Activate" sourceRef="createGW" targetRef="enableGW">
-      <conditionExpression xsi:type="tFormalExpression"><![CDATA[${!user.getGroupKeys().contains(9)}]]></conditionExpression>
+      <conditionExpression xsi:type="tFormalExpression"><![CDATA[${!user.getStaticGroupKeys().contains(9)}]]></conditionExpression>
     </sequenceFlow>
     <userTask id="createApproval" name="Create approval" activiti:candidateGroups="7" activiti:formKey="createApproval">
       <extensionElements>
@@ -56,7 +56,7 @@ under the License.
     </sequenceFlow>
     <exclusiveGateway id="enableGW"/>
     <sequenceFlow id="createApprovalGW2OptIn" sourceRef="enableGW" targetRef="generateToken">
-      <conditionExpression xsi:type="tFormalExpression"><![CDATA[${user.getGroupKeys().contains(11)}]]></conditionExpression>
+      <conditionExpression xsi:type="tFormalExpression"><![CDATA[${user.getStaticGroupKeys().contains(11)}]]></conditionExpression>
     </sequenceFlow>
     <sequenceFlow id="createApprovalGW2Activate" sourceRef="enableGW" targetRef="activate">
       <conditionExpression xsi:type="tFormalExpression"><![CDATA[${enabled == null}]]></conditionExpression>

http://git-wip-us.apache.org/repos/asf/syncope/blob/22839bf3/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/AbstractTaskITCase.java
----------------------------------------------------------------------
diff --git a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/AbstractTaskITCase.java b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/AbstractTaskITCase.java
index 6545be5..5dc3f5c 100644
--- a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/AbstractTaskITCase.java
+++ b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/AbstractTaskITCase.java
@@ -18,7 +18,6 @@
  */
 package org.apache.syncope.fit.core.reference;
 
-import static org.apache.syncope.fit.core.reference.AbstractITCase.taskService;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;

http://git-wip-us.apache.org/repos/asf/syncope/blob/22839bf3/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/ConfigurationITCase.java
----------------------------------------------------------------------
diff --git a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/ConfigurationITCase.java b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/ConfigurationITCase.java
index 5dd5ce8..6ae349c 100644
--- a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/ConfigurationITCase.java
+++ b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/ConfigurationITCase.java
@@ -18,7 +18,6 @@
  */
 package org.apache.syncope.fit.core.reference;
 
-import static org.apache.commons.lang3.StringUtils.isEmpty;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
@@ -157,7 +156,7 @@ public class ConfigurationITCase extends AbstractITCase {
     }
 
     private static String[] substringsBetween(final String str, final String open, final String close) {
-        if (str == null || isEmpty(open) || isEmpty(close)) {
+        if (str == null || StringUtils.isEmpty(open) || StringUtils.isEmpty(close)) {
             return null;
         }
         final int strLen = str.length();

http://git-wip-us.apache.org/repos/asf/syncope/blob/22839bf3/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/GroupITCase.java
----------------------------------------------------------------------
diff --git a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/GroupITCase.java b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/GroupITCase.java
index 7071c22..9be9a28 100644
--- a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/GroupITCase.java
+++ b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/GroupITCase.java
@@ -35,6 +35,8 @@ import javax.naming.directory.DirContext;
 import javax.naming.directory.SearchControls;
 import javax.naming.directory.SearchResult;
 import javax.ws.rs.core.Response;
+import org.apache.commons.collections4.CollectionUtils;
+import org.apache.commons.collections4.Predicate;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.syncope.client.lib.SyncopeClient;
@@ -71,15 +73,15 @@ import org.junit.runners.MethodSorters;
 @FixMethodOrder(MethodSorters.JVM)
 public class GroupITCase extends AbstractITCase {
 
-    private GroupTO buildBasicGroupTO(final String name) {
+    public static GroupTO getBasicSampleTO(final String name) {
         GroupTO groupTO = new GroupTO();
         groupTO.setRealm("/");
         groupTO.setName(name + getUUIDString());
         return groupTO;
     }
 
-    private GroupTO buildGroupTO(final String name) {
-        GroupTO groupTO = buildBasicGroupTO(name);
+    public static GroupTO getSampleTO(final String name) {
+        GroupTO groupTO = getBasicSampleTO(name);
 
         groupTO.getGPlainAttrTemplates().add("icon");
         groupTO.getPlainAttrs().add(attrTO("icon", "anIcon"));
@@ -91,7 +93,7 @@ public class GroupITCase extends AbstractITCase {
     @Test
     @Ignore
     public void create() {
-        GroupTO groupTO = buildGroupTO("lastGroup");
+        GroupTO groupTO = getSampleTO("lastGroup");
         groupTO.getGVirAttrTemplates().add("rvirtualdata");
         groupTO.getVirAttrs().add(attrTO("rvirtualdata", "rvirtualvalue"));
         groupTO.setGroupOwner(8L);
@@ -185,14 +187,18 @@ public class GroupITCase extends AbstractITCase {
 
         List<GroupTO> groups = groupService2.own();
         assertNotNull(groups);
-        assertFalse(groups.isEmpty());
-        assertNotNull(groups.get(0).getPlainAttrs());
-        assertFalse(groups.get(0).getPlainAttrs().isEmpty());
+        assertTrue(CollectionUtils.exists(groups, new Predicate<GroupTO>() {
+
+            @Override
+            public boolean evaluate(final GroupTO group) {
+                return 1L == group.getKey();
+            }
+        }));
     }
 
     @Test
     public void update() {
-        GroupTO groupTO = buildGroupTO("latestGroup" + getUUIDString());
+        GroupTO groupTO = getSampleTO("latestGroup" + getUUIDString());
         groupTO.getGPlainAttrTemplates().add("show");
         groupTO = createGroup(groupTO);
 
@@ -204,9 +210,6 @@ public class GroupITCase extends AbstractITCase {
         groupMod.setName(modName);
         groupMod.getPlainAttrsToUpdate().add(attrMod("show", "FALSE"));
 
-        // change password policy inheritance
-        groupMod.setInheritPasswordPolicy(Boolean.FALSE);
-
         groupTO = updateGroup(groupMod);
 
         assertEquals(modName, groupTO.getName());
@@ -215,7 +218,7 @@ public class GroupITCase extends AbstractITCase {
 
     @Test
     public void updateRemovingVirAttribute() {
-        GroupTO groupTO = buildBasicGroupTO("withvirtual" + getUUIDString());
+        GroupTO groupTO = getBasicSampleTO("withvirtual" + getUUIDString());
         groupTO.getGVirAttrTemplates().add("rvirtualdata");
         groupTO.getVirAttrs().add(attrTO("rvirtualdata", null));
 
@@ -235,7 +238,7 @@ public class GroupITCase extends AbstractITCase {
 
     @Test
     public void updateRemovingDerAttribute() {
-        GroupTO groupTO = buildBasicGroupTO("withderived" + getUUIDString());
+        GroupTO groupTO = getBasicSampleTO("withderived" + getUUIDString());
         groupTO.getGDerAttrTemplates().add("rderivedschema");
         groupTO.getDerAttrs().add(attrTO("rderivedschema", null));
 
@@ -319,7 +322,7 @@ public class GroupITCase extends AbstractITCase {
 
     @Test
     public void unlink() {
-        GroupTO actual = createGroup(buildGroupTO("unlink"));
+        GroupTO actual = createGroup(getSampleTO("unlink"));
         assertNotNull(actual);
 
         assertNotNull(resourceService.getConnectorObject(RESOURCE_NAME_LDAP, SubjectType.GROUP, actual.getKey()));
@@ -338,7 +341,7 @@ public class GroupITCase extends AbstractITCase {
 
     @Test
     public void link() {
-        GroupTO groupTO = buildGroupTO("link");
+        GroupTO groupTO = getSampleTO("link");
         groupTO.getResources().clear();
 
         GroupTO actual = createGroup(groupTO);
@@ -369,7 +372,7 @@ public class GroupITCase extends AbstractITCase {
 
     @Test
     public void unassign() {
-        GroupTO actual = createGroup(buildGroupTO("unassign"));
+        GroupTO actual = createGroup(getSampleTO("unassign"));
         assertNotNull(actual);
 
         assertNotNull(resourceService.getConnectorObject(RESOURCE_NAME_LDAP, SubjectType.GROUP, actual.getKey()));
@@ -393,7 +396,7 @@ public class GroupITCase extends AbstractITCase {
 
     @Test
     public void assign() {
-        GroupTO groupTO = buildGroupTO("assign");
+        GroupTO groupTO = getSampleTO("assign");
         groupTO.getResources().clear();
 
         GroupTO actual = createGroup(groupTO);
@@ -418,7 +421,7 @@ public class GroupITCase extends AbstractITCase {
 
     @Test
     public void deprovision() {
-        GroupTO actual = createGroup(buildGroupTO("deprovision"));
+        GroupTO actual = createGroup(getSampleTO("deprovision"));
         assertNotNull(actual);
 
         assertNotNull(resourceService.getConnectorObject(RESOURCE_NAME_LDAP, SubjectType.GROUP, actual.getKey()));
@@ -442,7 +445,7 @@ public class GroupITCase extends AbstractITCase {
 
     @Test
     public void provision() {
-        GroupTO groupTO = buildGroupTO("assign" + getUUIDString());
+        GroupTO groupTO = getSampleTO("assign" + getUUIDString());
         groupTO.getResources().clear();
 
         GroupTO actual = createGroup(groupTO);
@@ -468,7 +471,7 @@ public class GroupITCase extends AbstractITCase {
 
     @Test
     public void deprovisionUnlinked() {
-        GroupTO groupTO = buildGroupTO("assign" + getUUIDString());
+        GroupTO groupTO = getSampleTO("assign" + getUUIDString());
         groupTO.getResources().clear();
 
         GroupTO actual = createGroup(groupTO);
@@ -517,7 +520,7 @@ public class GroupITCase extends AbstractITCase {
         schemaService.create(AttributableType.GROUP, SchemaType.PLAIN, badge);
 
         // 2. create a group *without* an attribute for that schema: it works
-        GroupTO groupTO = buildGroupTO("lastGroup");
+        GroupTO groupTO = getSampleTO("lastGroup");
         assertFalse(groupTO.getPlainAttrMap().containsKey(badge.getKey()));
         groupTO = createGroup(groupTO);
         assertNotNull(groupTO);
@@ -549,14 +552,16 @@ public class GroupITCase extends AbstractITCase {
     public void anonymous() {
         GroupService unauthenticated = clientFactory.createAnonymous().getService(GroupService.class);
         try {
-            unauthenticated.list(SyncopeClient.getSubjectSearchQueryBuilder().realm(SyncopeConstants.ROOT_REALM).build());
+            unauthenticated.
+                    list(SyncopeClient.getSubjectSearchQueryBuilder().realm(SyncopeConstants.ROOT_REALM).build());
             fail();
         } catch (AccessControlException e) {
             assertNotNull(e);
         }
 
         GroupService anonymous = clientFactory.create(ANONYMOUS_UNAME, ANONYMOUS_KEY).getService(GroupService.class);
-        assertFalse(anonymous.list(SyncopeClient.getSubjectSearchQueryBuilder().realm(SyncopeConstants.ROOT_REALM).build()).
+        assertFalse(anonymous.list(SyncopeClient.getSubjectSearchQueryBuilder().realm(SyncopeConstants.ROOT_REALM).
+                build()).
                 getResult().isEmpty());
     }
 
@@ -565,7 +570,7 @@ public class GroupITCase extends AbstractITCase {
         SyncopeClient noContentclient = clientFactory.create(ADMIN_UNAME, ADMIN_PWD);
         GroupService noContentService = noContentclient.prefer(GroupService.class, Preference.RETURN_NO_CONTENT);
 
-        GroupTO group = buildGroupTO("noContent");
+        GroupTO group = getSampleTO("noContent");
 
         Response response = noContentService.create(group);
         assertEquals(Response.Status.CREATED.getStatusCode(), response.getStatus());
@@ -613,7 +618,7 @@ public class GroupITCase extends AbstractITCase {
             assertNotNull(newLDAP);
 
             // 2. create a group and give the resource created above
-            groupTO = buildGroupTO("lastGroup" + getUUIDString());
+            groupTO = getSampleTO("lastGroup" + getUUIDString());
             groupTO.getGPlainAttrTemplates().add("icon");
             groupTO.getPlainAttrs().add(attrTO("icon", "anIcon"));
             groupTO.getGPlainAttrTemplates().add("show");
@@ -671,4 +676,23 @@ public class GroupITCase extends AbstractITCase {
             resourceService.delete("new-ldap");
         }
     }
+
+    @Test
+    public void dynMembership() {
+        assertTrue(userService.read(4L).getDynGroups().isEmpty());
+
+        GroupTO group = getBasicSampleTO("dynMembership");
+        group.setDynMembershipCond("cool==true");
+        group = createGroup(group);
+        assertNotNull(group);
+
+        assertTrue(userService.read(4L).getDynGroups().contains(group.getKey()));
+
+        GroupMod mod = new GroupMod();
+        mod.setKey(group.getKey());
+        mod.setDynMembershipCond("cool==false");
+        groupService.update(mod.getKey(), mod);
+
+        assertTrue(userService.read(4L).getDynGroups().isEmpty());
+    }
 }

http://git-wip-us.apache.org/repos/asf/syncope/blob/22839bf3/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/RoleITCase.java
----------------------------------------------------------------------
diff --git a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/RoleITCase.java b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/RoleITCase.java
index 0c1aa85..4d61644 100644
--- a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/RoleITCase.java
+++ b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/RoleITCase.java
@@ -39,6 +39,15 @@ import org.junit.runners.MethodSorters;
 @FixMethodOrder(MethodSorters.JVM)
 public class RoleITCase extends AbstractITCase {
 
+    public static RoleTO getSampleRoleTO(final String name) {
+        RoleTO role = new RoleTO();
+        role.setName(name + getUUIDString());
+        role.getRealms().add("/even");
+        role.getEntitlements().add(Entitlement.LOG_SET_LEVEL);
+
+        return role;
+    }
+
     @Test
     public void list() {
         List<RoleTO> roleTOs = roleService.list();
@@ -56,15 +65,6 @@ public class RoleITCase extends AbstractITCase {
         assertTrue(roleTO.getEntitlements().contains(Entitlement.GROUP_READ));
     }
 
-    private RoleTO buildRoleTO(final String name) {
-        RoleTO role = new RoleTO();
-        role.setName(name + getUUIDString());
-        role.getRealms().add("/even");
-        role.getEntitlements().add(Entitlement.LOG_SET_LEVEL);
-
-        return role;
-    }
-
     @Test
     public void create() {
         RoleTO role = new RoleTO();
@@ -82,7 +82,7 @@ public class RoleITCase extends AbstractITCase {
 
     @Test
     public void update() {
-        RoleTO role = buildRoleTO("update");
+        RoleTO role = getSampleRoleTO("update");
         Response response = roleService.create(role);
 
         RoleTO actual = getObject(response.getLocation(), RoleService.class, RoleTO.class);
@@ -104,7 +104,7 @@ public class RoleITCase extends AbstractITCase {
 
     @Test
     public void delete() {
-        RoleTO role = buildRoleTO("delete");
+        RoleTO role = getSampleRoleTO("delete");
         Response response = roleService.create(role);
 
         RoleTO actual = getObject(response.getLocation(), RoleService.class, RoleTO.class);
@@ -119,4 +119,22 @@ public class RoleITCase extends AbstractITCase {
             assertEquals(ClientExceptionType.NotFound, e.getType());
         }
     }
+
+    @Test
+    public void dynMembership() {
+        assertTrue(userService.read(4L).getDynRoles().isEmpty());
+
+        RoleTO role = getSampleRoleTO("dynMembership");
+        role.setDynMembershipCond("cool==true");
+        Response response = roleService.create(role);
+        role = getObject(response.getLocation(), RoleService.class, RoleTO.class);
+        assertNotNull(role);
+
+        assertTrue(userService.read(4L).getDynRoles().contains(role.getKey()));
+
+        role.setDynMembershipCond("cool==false");
+        roleService.update(role.getKey(), role);
+
+        assertTrue(userService.read(4L).getDynGroups().isEmpty());
+    }
 }

http://git-wip-us.apache.org/repos/asf/syncope/blob/22839bf3/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/SearchITCase.java
----------------------------------------------------------------------
diff --git a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/SearchITCase.java b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/SearchITCase.java
index b17d7f3..0f56510 100644
--- a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/SearchITCase.java
+++ b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/reference/SearchITCase.java
@@ -18,12 +18,14 @@
  */
 package org.apache.syncope.fit.core.reference;
 
+import static org.apache.syncope.fit.core.reference.AbstractITCase.userService;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
 
 import java.util.Collection;
+import javax.ws.rs.core.Response;
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.collections4.Predicate;
 import org.apache.syncope.client.lib.SyncopeClient;
@@ -31,7 +33,9 @@ import org.apache.syncope.common.lib.CollectionUtils2;
 import org.apache.syncope.common.lib.SyncopeConstants;
 import org.apache.syncope.common.lib.to.PagedResult;
 import org.apache.syncope.common.lib.to.GroupTO;
+import org.apache.syncope.common.lib.to.RoleTO;
 import org.apache.syncope.common.lib.to.UserTO;
+import org.apache.syncope.common.rest.api.service.RoleService;
 import org.junit.FixMethodOrder;
 import org.junit.Test;
 import org.junit.runners.MethodSorters;
@@ -95,6 +99,89 @@ public class SearchITCase extends AbstractITCase {
     }
 
     @Test
+    public void searchByGroup() {
+        PagedResult<UserTO> matchedUsers = userService.search(
+                SyncopeClient.getSubjectSearchQueryBuilder().realm(SyncopeConstants.ROOT_REALM).
+                fiql(SyncopeClient.getUserSearchConditionBuilder().inGroups(1L).query()).
+                build());
+        assertNotNull(matchedUsers);
+        assertFalse(matchedUsers.getResult().isEmpty());
+
+        assertTrue(CollectionUtils.exists(matchedUsers.getResult(), new Predicate<UserTO>() {
+
+            @Override
+            public boolean evaluate(final UserTO user) {
+                return user.getKey() == 1;
+            }
+        }));
+    }
+
+    @Test
+    public void searchByDynGroup() {
+        GroupTO group = GroupITCase.getBasicSampleTO("dynMembership");
+        group.setDynMembershipCond("cool==true");
+        group = createGroup(group);
+        assertNotNull(group);
+
+        PagedResult<UserTO> matchedUsers = userService.search(
+                SyncopeClient.getSubjectSearchQueryBuilder().realm(SyncopeConstants.ROOT_REALM).
+                fiql(SyncopeClient.getUserSearchConditionBuilder().inGroups(group.getKey()).query()).
+                build());
+        assertNotNull(matchedUsers);
+        assertFalse(matchedUsers.getResult().isEmpty());
+
+        assertTrue(CollectionUtils.exists(matchedUsers.getResult(), new Predicate<UserTO>() {
+
+            @Override
+            public boolean evaluate(final UserTO user) {
+                return user.getKey() == 4;
+            }
+        }));
+    }
+
+    @Test
+    public void searchByRole() {
+        PagedResult<UserTO> matchedUsers = userService.search(
+                SyncopeClient.getSubjectSearchQueryBuilder().realm(SyncopeConstants.ROOT_REALM).
+                fiql(SyncopeClient.getUserSearchConditionBuilder().inRoles(3L).query()).
+                build());
+        assertNotNull(matchedUsers);
+        assertFalse(matchedUsers.getResult().isEmpty());
+
+        assertTrue(CollectionUtils.exists(matchedUsers.getResult(), new Predicate<UserTO>() {
+
+            @Override
+            public boolean evaluate(final UserTO user) {
+                return user.getKey() == 1;
+            }
+        }));
+    }
+
+    @Test
+    public void searchByDynRole() {
+        RoleTO role = RoleITCase.getSampleRoleTO("dynMembership");
+        role.setDynMembershipCond("cool==true");
+        Response response = roleService.create(role);
+        role = getObject(response.getLocation(), RoleService.class, RoleTO.class);
+        assertNotNull(role);
+
+        PagedResult<UserTO> matchedUsers = userService.search(
+                SyncopeClient.getSubjectSearchQueryBuilder().realm(SyncopeConstants.ROOT_REALM).
+                fiql(SyncopeClient.getUserSearchConditionBuilder().inRoles(role.getKey()).query()).
+                build());
+        assertNotNull(matchedUsers);
+        assertFalse(matchedUsers.getResult().isEmpty());
+
+        assertTrue(CollectionUtils.exists(matchedUsers.getResult(), new Predicate<UserTO>() {
+
+            @Override
+            public boolean evaluate(final UserTO user) {
+                return user.getKey() == 4;
+            }
+        }));
+    }
+
+    @Test
     public void searchUserByResourceName() {
         PagedResult<UserTO> matchedUsers = userService.search(
                 SyncopeClient.getSubjectSearchQueryBuilder().realm(SyncopeConstants.ROOT_REALM).


Mime
View raw message