Merge remote-tracking branch 'refs/remotes/origin/support-4.8' into s…

…upport-4.8
Evolveum · Jan 31, 2024 · 1b0b9ab · 1b0b9ab
2 parents 997db2f + da277e0
commit 1b0b9ab
Show file tree

Hide file tree

Showing 78 changed files with 181 additions and 109 deletions.
diff --git a/NEWS b/NEWS
@@ -1,12 +1,12 @@
-MidPoint 4.8 "Curie"
+MidPoint 4.8.1 "Curie" Update 1
 ----------------------
 
-Release 4.8 is a fifty-first midPoint release code-named Curie.
-The 4.8 release brings streamlined upgrade process, role mining, security, stability and miscellaneous improvements.
+Release 4.8.1 is a fifty-third midPoint release code-named Curie.
+The 4.8.1 release brings streamlined upgrade process, role mining, security, stability and miscellaneous improvements.
 
-Release date: 17th October 2023
+Release date: 29th Jan 2024
 Release type: Long-term support release (LTS)
 End of support: 17th October 2028
 
 Please see the release notes for detailed list of changes:
-https://docs.evolveum.com/midpoint/release/4.8/
+https://docs.evolveum.com/midpoint/release/4.8.1/
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
@@ -1,5 +1,5 @@
 To see actual releases notes please go to:
 
-https://docs.evolveum.com/midpoint/release/4.8/
+https://docs.evolveum.com/midpoint/release/4.8.1/
 
 Alternatively, see release-notes.adoc file.
diff --git a/config/initial-objects/role/040-role-enduser.xml b/config/initial-objects/role/040-role-enduser.xml
@@ -243,6 +243,9 @@
         </object>
     </authorization>
     <adminGuiConfiguration>
+        <feedbackMessagesHook>
+            <stackTraceVisibility>hidden</stackTraceVisibility>
+        </feedbackMessagesHook>
         <homePage id="34">
             <type>UserType</type>
             <widget id="35">

diff --git a/config/initial-objects/role/042-role-reviewer.xml b/config/initial-objects/role/042-role-reviewer.xml
@@ -95,4 +95,16 @@
         <item>riskLevel</item>
         <item>serviceType</item>
     </authorization>
+    <authorization>
+        <name>certification-campaign-read</name>
+        <description>
+            Allow to read stageNumber property of certification campaign.
+        </description>
+        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+        <object>
+            <type>AccessCertificationCampaignType</type>
+        </object>
+        <item>name</item>
+        <item>stageNumber</item>
+    </authorization>
 </role>
diff --git a/config/initial-objects/user/050-user-administrator.xml b/config/initial-objects/user/050-user-administrator.xml
@@ -25,11 +25,4 @@
     <activation>
         <administrativeStatus>enabled</administrativeStatus>
     </activation>
-    <credentials xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
-        <password>
-            <value>
-                 <t:clearValue>5ecr3t</t:clearValue>
-             </value>
-        </password>
-    </credentials>
 </user>
diff --git a/config/initial-objects/value-policy/010-value-policy.xml b/config/initial-objects/value-policy/010-value-policy.xml
@@ -9,37 +9,62 @@
         xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
         version="0">
-    <name>
-        <t:orig>Default Password Policy</t:orig>
-        <t:norm>default password policy</t:norm>
-    </name>
+    <name>Default Password Policy</name>
     <description>Default password policy</description>
     <stringPolicy>
         <description>Testing string policy</description>
         <limitations>
-            <minLength>5</minLength>
-            <!--             <maxLength>8</maxLength> -->
+            <minLength>8</minLength>
+            <maxLength>14</maxLength>
             <minUniqueChars>3</minUniqueChars>
             <checkAgainstDictionary>true</checkAgainstDictionary>
-            <checkPattern />
-            <!--             <limit> -->
-            <!--                 <description>Alphas</description> -->
-            <!--                 <minOccurs>1</minOccurs> -->
-            <!--                 <maxOccurs>5</maxOccurs> -->
-            <!--                 <mustBeFirst>false</mustBeFirst> -->
-            <!--                 <characterClass> -->
-            <!--                     <value>abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ</value> -->
-            <!--                 </characterClass> -->
-            <!--             </limit> -->
-            <!--             <limit> -->
-            <!--                 <description>Numbers</description> -->
-            <!--                 <minOccurs>1</minOccurs> -->
-            <!--                 <maxOccurs>5</maxOccurs> -->
-            <!--                 <mustBeFirst>false</mustBeFirst> -->
-            <!--                 <characterClass> -->
-            <!--                     <value>1234567890</value> -->
-            <!--                 </characterClass> -->
-            <!--             </limit> -->
+            <checkPattern/>
+            <checkExpression>
+                <expression>
+                    <script>
+                        <code>
+                            if (object instanceof com.evolveum.midpoint.xml.ns._public.common.common_3.UserType) {
+                            return !basic.containsIgnoreCase(input, object.getName()) &amp;&amp; !basic.containsIgnoreCase(input, object.getFamilyName()) &amp;&amp; !basic.containsIgnoreCase(input, object.getGivenName()) &amp;&amp; !basic.containsIgnoreCase(input, object.getAdditionalName())
+                            } else {
+                            return true
+                            }
+                        </code>
+                    </script>
+                </expression>
+                <failureMessage>must not contain username, family name and given name and additional names</failureMessage>
+            </checkExpression>
+            <limit>
+                <description>Lowercase characters</description>
+                <minOccurs>1</minOccurs>
+                <mustBeFirst>false</mustBeFirst>
+                <characterClass>
+                    <value>abcdefghijklmnopqrstuvwxyz</value>
+                </characterClass>
+            </limit>
+            <limit>
+                <description>Uppercase characters</description>
+                <minOccurs>1</minOccurs>
+                <mustBeFirst>false</mustBeFirst>
+                <characterClass>
+                    <value>ABCDEFGHIJKLMNOPQRSTUVWXYZ</value>
+                </characterClass>
+            </limit>
+            <limit>
+                <description>Numeric characters</description>
+                <minOccurs>1</minOccurs>
+                <mustBeFirst>false</mustBeFirst>
+                <characterClass>
+                    <value>1234567890</value>
+                </characterClass>
+            </limit>
+            <limit>
+                <description>Special characters</description>
+                <minOccurs>0</minOccurs>
+                <mustBeFirst>false</mustBeFirst>
+                <characterClass>
+                    <value> !"#$%&amp;'()*+,-.:;&lt;&gt;?@[]^_`{|}~</value>
+                </characterClass>
+            </limit>
         </limitations>
     </stringPolicy>
 </valuePolicy>
diff --git a/custom/pom.xml b/custom/pom.xml
@@ -13,7 +13,7 @@
     <parent>
         <artifactId>midpoint</artifactId>
         <groupId>com.evolveum.midpoint</groupId>
-        <version>4.8.1-SNAPSHOT</version>
+        <version>4.8.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>custom</artifactId>

diff --git a/dist/javadoc/pom.xml b/dist/javadoc/pom.xml
@@ -13,7 +13,7 @@
     <parent>
         <artifactId>dist</artifactId>
         <groupId>com.evolveum.midpoint</groupId>
-        <version>4.8.1-SNAPSHOT</version>
+        <version>4.8.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>javadoc</artifactId>

diff --git a/dist/midpoint-api/pom.xml b/dist/midpoint-api/pom.xml
@@ -13,7 +13,7 @@
     <parent>
         <artifactId>dist</artifactId>
         <groupId>com.evolveum.midpoint</groupId>
-        <version>4.8.1-SNAPSHOT</version>
+        <version>4.8.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>midpoint-api</artifactId>

diff --git a/dist/pom.xml b/dist/pom.xml
@@ -13,7 +13,7 @@
     <parent>
         <artifactId>midpoint</artifactId>
         <groupId>com.evolveum.midpoint</groupId>
-        <version>4.8.1-SNAPSHOT</version>
+        <version>4.8.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>dist</artifactId>

diff --git a/docs/org/organizational-structure/index.adoc b/docs/org/organizational-structure/index.adoc
@@ -172,7 +172,7 @@ Users (and other objects) are linked to the org using OID-based references there
 .XML structure of a basic organizational unit
 [source,xml]
 ----
-    <org oid="c74a7d86-7798-11e2-964e-100000000100">
+    <org oid="c74a7d86-7798-11e2-964e-100000000000">
         <name>F0000</name>
         <description>Famous workshop of Leonardo da Vinci</description>
         <displayName>Leonardo's Workshop</displayName>
@@ -264,4 +264,4 @@ If a user is assigned to such org the org behaves as a role and automatically co
 
 * xref:/midpoint/reference/roles-policies/assignment/[Assignment]
 
-* xref:/midpoint/reference/roles-policies/rbac/[Advanced Hybrid RBAC]
+* xref:/midpoint/reference/roles-policies/rbac/[Advanced Hybrid RBAC]
diff --git a/docs/security/advisories/021-not-invited-user-able-to-register.adoc b/docs/security/advisories/021-not-invited-user-able-to-register.adoc
@@ -0,0 +1,28 @@
+= Security Advisory: Not Invited User able to register if Invitation flow is configured
+:page-display-order: 21
+:page-upkeep-status: green
+
+*Date:* 29. 01. 2024
+
+*Severity:* High (CVSS 8.0)
+
+*Affected versions:* 4.8
+
+*Fixed in versions:* 4.8.1
+
+
+== Description
+
+If the invitation registration is was configured along with custom registration form or object template which generated `name` property, user which was not invited was able to register even without invitation email.
+
+== Severity and Impact
+
+This is High Severity Issue
+
+The invitation feature is turned off by default, only specific configuration combination (invitation flow and custom form with name property) is needed to expose this vulnerability.
+
+== Mitigation
+
+Users of affected MidPoint versions are advised to upgrade their deployments to the latest maintenance release 4.8.1.
+
+In the meantime users are advised to disable invitation registration or remove `name` property from custom registration form.
diff --git a/docs/security/advisories/index.adoc b/docs/security/advisories/index.adoc
@@ -151,4 +151,10 @@
 | MidPoint may be vulnerable to CSRF attacks if user was authenticated using SAML 2 or OIDC.
 
 
+| 21
+| xref:/midpoint/reference/security/advisories/021-not-invited-user-able-to-register/[Not Invited User able to register if Invitation flow is configured]
+| 29 January 2024
+| High
+| MidPoint 4.8 may be vulnerable to unauthorized registration if invitation flow is enabled with custom registration form.
+
 |===
diff --git a/gui/admin-gui/pom.xml b/gui/admin-gui/pom.xml
@@ -13,7 +13,7 @@
     <parent>
         <artifactId>gui</artifactId>
         <groupId>com.evolveum.midpoint.gui</groupId>
-        <version>4.8.1-SNAPSHOT</version>
+        <version>4.8.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>admin-gui</artifactId>

diff --git a/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/util/WebComponentUtil.java b/gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/util/WebComponentUtil.java
@@ -423,9 +423,14 @@ private static String resolveLocalizableMessage(SingleLocalizableMessage localiz
             }
         }
         String key = localizableMessage.getKey() != null ? localizableMessage.getKey() : localizableMessage.getFallbackMessage();
+        String defaultValue = localizableMessage.getFallbackMessage();
+        if (defaultValue != null) {
+            defaultValue = defaultValue.replace('{', '(').replace('}', ')');
+        }
+
         StringResourceModel stringResourceModel = new StringResourceModel(key, component)
                 .setModel(new Model<String>())
-                .setDefaultValue(localizableMessage.getFallbackMessage().replace('{', '(').replace('}', ')'))
+                .setDefaultValue(defaultValue)
                 .setParameters(resolveArguments(localizableMessage.getArgs(), component));
         //System.out.println("GUI: Resolving [" + key + "]: to [" + rv + "]");
         return stringResourceModel.getString();

diff --git a/gui/midpoint-jar/pom.xml b/gui/midpoint-jar/pom.xml
@@ -13,7 +13,7 @@
     <parent>
         <artifactId>gui</artifactId>
         <groupId>com.evolveum.midpoint.gui</groupId>
-        <version>4.8.1-SNAPSHOT</version>
+        <version>4.8.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>midpoint-jar</artifactId>

diff --git a/gui/pom.xml b/gui/pom.xml
@@ -13,7 +13,7 @@
     <parent>
         <artifactId>midpoint</artifactId>
         <groupId>com.evolveum.midpoint</groupId>
-        <version>4.8.1-SNAPSHOT</version>
+        <version>4.8.2-SNAPSHOT</version>
     </parent>
 
     <groupId>com.evolveum.midpoint.gui</groupId>

diff --git a/icf-connectors/dummy-connector-fake/pom.xml b/icf-connectors/dummy-connector-fake/pom.xml
@@ -13,7 +13,7 @@
     <parent>
         <artifactId>icf-connectors</artifactId>
         <groupId>com.evolveum.icf</groupId>
-        <version>4.8.1-SNAPSHOT</version>
+        <version>4.8.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>dummy-connector-fake</artifactId>

diff --git a/icf-connectors/dummy-connector/pom.xml b/icf-connectors/dummy-connector/pom.xml
@@ -13,7 +13,7 @@
     <parent>
         <artifactId>icf-connectors</artifactId>
         <groupId>com.evolveum.icf</groupId>
-        <version>4.8.1-SNAPSHOT</version>
+        <version>4.8.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>dummy-connector</artifactId>

diff --git a/icf-connectors/dummy-resource/pom.xml b/icf-connectors/dummy-resource/pom.xml
@@ -13,7 +13,7 @@
     <parent>
         <artifactId>icf-connectors</artifactId>
         <groupId>com.evolveum.icf</groupId>
-        <version>4.8.1-SNAPSHOT</version>
+        <version>4.8.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>dummy-resource</artifactId>

diff --git a/icf-connectors/pom.xml b/icf-connectors/pom.xml
@@ -13,7 +13,7 @@
     <parent>
         <artifactId>midpoint</artifactId>
         <groupId>com.evolveum.midpoint</groupId>
-        <version>4.8.1-SNAPSHOT</version>
+        <version>4.8.2-SNAPSHOT</version>
     </parent>
 
     <groupId>com.evolveum.icf</groupId>

diff --git a/infra/common/pom.xml b/infra/common/pom.xml
@@ -12,7 +12,7 @@
     <parent>
         <artifactId>infra</artifactId>
         <groupId>com.evolveum.midpoint.infra</groupId>
-        <version>4.8.1-SNAPSHOT</version>
+        <version>4.8.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>common</artifactId>

diff --git a/infra/pom.xml b/infra/pom.xml
@@ -11,7 +11,7 @@
     <parent>
         <artifactId>midpoint</artifactId>
         <groupId>com.evolveum.midpoint</groupId>
-        <version>4.8.1-SNAPSHOT</version>
+        <version>4.8.2-SNAPSHOT</version>
     </parent>
 
     <groupId>com.evolveum.midpoint.infra</groupId>

diff --git a/infra/schema-pure-jaxb/pom.xml b/infra/schema-pure-jaxb/pom.xml
@@ -12,7 +12,7 @@
     <parent>
         <artifactId>infra</artifactId>
         <groupId>com.evolveum.midpoint.infra</groupId>
-        <version>4.8.1-SNAPSHOT</version>
+        <version>4.8.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>schema-pure-jaxb</artifactId>

diff --git a/infra/schema/pom.xml b/infra/schema/pom.xml
@@ -12,7 +12,7 @@
     <parent>
         <artifactId>infra</artifactId>
         <groupId>com.evolveum.midpoint.infra</groupId>
-        <version>4.8.1-SNAPSHOT</version>
+        <version>4.8.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>schema</artifactId>

diff --git a/infra/test-util/pom.xml b/infra/test-util/pom.xml
@@ -12,7 +12,7 @@
     <parent>
         <artifactId>infra</artifactId>
         <groupId>com.evolveum.midpoint.infra</groupId>
-        <version>4.8.1-SNAPSHOT</version>
+        <version>4.8.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>test-util</artifactId>

diff --git a/model/authentication-api/pom.xml b/model/authentication-api/pom.xml
@@ -13,7 +13,7 @@
     <parent>
         <artifactId>model</artifactId>
         <groupId>com.evolveum.midpoint.model</groupId>
-        <version>4.8.1-SNAPSHOT</version>
+        <version>4.8.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>authentication-api</artifactId>

diff --git a/model/authentication-impl/pom.xml b/model/authentication-impl/pom.xml
@@ -13,7 +13,7 @@
     <parent>
         <artifactId>model</artifactId>
         <groupId>com.evolveum.midpoint.model</groupId>
-        <version>4.8.1-SNAPSHOT</version>
+        <version>4.8.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>authentication-impl</artifactId>

diff --git a/model/cases-api/pom.xml b/model/cases-api/pom.xml
@@ -13,7 +13,7 @@
     <parent>
         <artifactId>model</artifactId>
         <groupId>com.evolveum.midpoint.model</groupId>
-        <version>4.8.1-SNAPSHOT</version>
+        <version>4.8.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>cases-api</artifactId>