Merge branch 'master' into feature/forgot-username

infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java

@@ -710,7 +710,7 @@ public abstract class SchemaConstants {
     public static final String NONE_EXPRESSION_PROFILE_ID = "##none";
 
     /** ID of "legacy unprivileged mode" expression profile for scripting (bulk actions). */
-    public static final String LEGACY_UNPRIVILEGED_SCRIPTING_PROFILE_ID = "##legacyUnprivilegedScripting";
+    public static final String LEGACY_UNPRIVILEGED_BULK_ACTIONS_PROFILE_ID = "##legacyUnprivilegedBulkActions";
 
     /**
      * The ID for built-in Groovy permission and script expression profiles.

infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/ScriptingActionProfile.java → infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/BulkActionProfile.java

@@ -8,9 +8,8 @@
 
 import java.io.Serializable;
 
-import com.evolveum.midpoint.util.MiscUtil;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ScriptingActionProfileType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.BulkActionProfileType;
 
 import org.jetbrains.annotations.NotNull;
 
@@ -19,19 +18,19 @@
 import static com.evolveum.midpoint.util.MiscUtil.*;
 
 /**
- * Specifies limitations on the use of a particular scripting action (e.g. assign, unassign, etc).
+ * Specifies limitations on the use of a particular bulk action (e.g. assign, unassign, etc).
  */
-public record ScriptingActionProfile(@NotNull String action, @NotNull AccessDecision decision)
+public record BulkActionProfile(@NotNull String action, @NotNull AccessDecision decision)
         implements Serializable {
 
-    public static ScriptingActionProfile of(@NotNull ScriptingActionProfileType bean) throws ConfigurationException {
+    public static BulkActionProfile of(@NotNull BulkActionProfileType bean) throws ConfigurationException {
         // TODO error locations
-        return new ScriptingActionProfile(
+        return new BulkActionProfile(
                 configNonNull(
-                        bean.getName(), () -> "No action name in scripting profile at " + bean.asPrismContainerValue().getPath()),
+                        bean.getName(), () -> "No action name in bulk action profile at " + bean.asPrismContainerValue().getPath()),
                 AccessDecision.translate(
                         configNonNull(
                                 bean.getDecision(),
-                                () -> "No action decision in scripting profile at " + bean.asPrismContainerValue().getPath())));
+                                () -> "No action decision in bulk action profile at " + bean.asPrismContainerValue().getPath())));
     }
 }

infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/ScriptingProfile.java → infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/BulkActionsProfile.java

@@ -16,56 +16,56 @@
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.util.MiscUtil;
 import com.evolveum.midpoint.util.exception.ConfigurationException;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ScriptingActionProfileType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ScriptingProfileType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.BulkActionProfileType;
+import com.evolveum.midpoint.xml.ns._public.common.common_3.BulkActionsProfileType;
 import org.jetbrains.annotations.Nullable;
 
 /**
- * Specifies limitations on the use of a scripting actions. It is a compiled form of a {@link ScriptingProfileType}.
+ * Specifies limitations on the use of a scripting actions. It is a compiled form of a {@link BulkActionsProfileType}.
  *
  * Could be named also `ScriptingActionsProfile` but maybe it will contain more than actions in the future.
  */
-public class ScriptingProfile extends AbstractSecurityProfile {
+public class BulkActionsProfile extends AbstractSecurityProfile {
 
     /** Scripting actions profiles, keyed by action name (both legacy and modern ones can be used). Unmodifiable. */
-    @NotNull private final Map<String, ScriptingActionProfile> actionProfiles;
+    @NotNull private final Map<String, BulkActionProfile> actionProfiles;
 
     /** "Allow all" profile. */
-    private static final ScriptingProfile FULL = new ScriptingProfile(
+    private static final BulkActionsProfile FULL = new BulkActionsProfile(
             SchemaConstants.FULL_EXPRESSION_PROFILE_ID,
             AccessDecision.ALLOW,
             Map.of());
 
     /** "Allow nothing" profile. */
-    private static final ScriptingProfile NONE = new ScriptingProfile(
+    private static final BulkActionsProfile NONE = new BulkActionsProfile(
             SchemaConstants.NONE_EXPRESSION_PROFILE_ID,
             AccessDecision.DENY,
             Map.of());
 
-    private ScriptingProfile(
+    private BulkActionsProfile(
             @NotNull String identifier,
             @NotNull AccessDecision defaultDecision,
-            @NotNull Map<String, ScriptingActionProfile> actionProfiles) {
+            @NotNull Map<String, BulkActionProfile> actionProfiles) {
         super(identifier, defaultDecision);
         this.actionProfiles = actionProfiles;
     }
 
-    public static @NotNull ScriptingProfile full() {
+    public static @NotNull BulkActionsProfile full() {
         return FULL;
     }
 
-    public static @NotNull ScriptingProfile none() {
+    public static @NotNull BulkActionsProfile none() {
         return NONE;
     }
 
-    public static ScriptingProfile of(@NotNull ScriptingProfileType bean) throws ConfigurationException {
+    public static BulkActionsProfile of(@NotNull BulkActionsProfileType bean) throws ConfigurationException {
         String identifier = MiscUtil.configNonNull(bean.getIdentifier(), "No identifier in scripting profile %s", bean);
-        Map<String, ScriptingActionProfile> actionProfileMap = new HashMap<>();
-        for (ScriptingActionProfileType actionBean : bean.getAction()) {
-            var actionProfile = ScriptingActionProfile.of(actionBean);
+        Map<String, BulkActionProfile> actionProfileMap = new HashMap<>();
+        for (BulkActionProfileType actionBean : bean.getAction()) {
+            var actionProfile = BulkActionProfile.of(actionBean);
             actionProfileMap.put(actionProfile.action(), actionProfile);
         }
-        return new ScriptingProfile(
+        return new BulkActionsProfile(
                 identifier,
                 AccessDecision.translate(
                         MiscUtil.configNonNull(

infra/schema/src/main/java/com/evolveum/midpoint/schema/expression/ExpressionProfile.java

@@ -8,16 +8,15 @@
 
 import java.io.Serializable;
 
+import com.evolveum.midpoint.schema.AccessDecision;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ExpressionProfileType;
 
 import org.jetbrains.annotations.NotNull;
 
 /**
- * Profile for evaluation of "regular" expressions, scripting expressions, and function libraries.
- *
- * NOTE: This is pretty much throw-away implementation. Just the interface is important now.
+ * Profile for evaluation of "regular" expressions, bulk actions, and function libraries.
  *
  * @author Radovan Semancik
  */
@@ -27,28 +26,31 @@ public class ExpressionProfile implements Serializable { // TODO: DebugDumpable
     private static final ExpressionProfile FULL = new ExpressionProfile(
             SchemaConstants.FULL_EXPRESSION_PROFILE_ID,
             ExpressionEvaluatorsProfile.full(),
-            ScriptingProfile.full(), // TODO what about scripts etc that currently require #all authorization?
-            FunctionLibrariesProfile.full());
+            BulkActionsProfile.full(),
+            FunctionLibrariesProfile.full(),
+            AccessDecision.ALLOW);
 
     /**
      * Profile that mimics the legacy non-root behavior for bulk actions:
      * no expressions - this limits all of "execute-script", "notification" (with unsafe custom event handler), and
      * the new "evaluate-expression" actions.
      */
-    private static final ExpressionProfile SCRIPTING_LEGACY_UNPRIVILEGED = new ExpressionProfile(
-            SchemaConstants.LEGACY_UNPRIVILEGED_SCRIPTING_PROFILE_ID,
+    private static final ExpressionProfile LEGACY_UNPRIVILEGED_BULK_ACTIONS = new ExpressionProfile(
+            SchemaConstants.LEGACY_UNPRIVILEGED_BULK_ACTIONS_PROFILE_ID,
             ExpressionEvaluatorsProfile.none(),
-            ScriptingProfile.full(), // actions without scripts/expressions are safe
-            FunctionLibrariesProfile.none());
+            BulkActionsProfile.full(), // actions without scripts/expressions are safe
+            FunctionLibrariesProfile.none(),
+            AccessDecision.DENY); // actually does not matter
 
     /**
      * Profile that forbids everything.
      */
     private static final ExpressionProfile NONE = new ExpressionProfile(
             SchemaConstants.NONE_EXPRESSION_PROFILE_ID,
             ExpressionEvaluatorsProfile.none(),
-            ScriptingProfile.none(),
-            FunctionLibrariesProfile.none());
+            BulkActionsProfile.none(),
+            FunctionLibrariesProfile.none(),
+            AccessDecision.DENY); // actually does not matter
 
     /**
      * Identifier of the expression profile, referencable from e.g. archetypes on which it is used.
@@ -60,20 +62,25 @@ public class ExpressionProfile implements Serializable { // TODO: DebugDumpable
     @NotNull private final ExpressionEvaluatorsProfile evaluatorsProfile;
 
     /** Profile for midPoint scripting language (bulk actions). */
-    @NotNull private final ScriptingProfile scriptingProfile;
+    @NotNull private final BulkActionsProfile bulkActionsProfile;
 
     /** Profile for using function libraries. */
     @NotNull private final FunctionLibrariesProfile librariesProfile;
 
+    /** Are privilege elevation features (e.g. `runAsRef`) allowed? */
+    @NotNull private final AccessDecision privilegeElevation;
+
     public ExpressionProfile(
             @NotNull String identifier,
             @NotNull ExpressionEvaluatorsProfile evaluatorsProfile,
-            @NotNull ScriptingProfile scriptingProfile,
-            @NotNull FunctionLibrariesProfile librariesProfile) {
+            @NotNull BulkActionsProfile bulkActionsProfile,
+            @NotNull FunctionLibrariesProfile librariesProfile,
+            @NotNull AccessDecision privilegeElevation) {
         this.identifier = identifier;
         this.evaluatorsProfile = evaluatorsProfile;
-        this.scriptingProfile = scriptingProfile;
+        this.bulkActionsProfile = bulkActionsProfile;
         this.librariesProfile = librariesProfile;
+        this.privilegeElevation = privilegeElevation;
     }
 
     public static @NotNull ExpressionProfile full() {
@@ -84,16 +91,16 @@ public ExpressionProfile(
         return NONE;
     }
 
-    public static @NotNull ExpressionProfile scriptingLegacyUnprivileged() {
-        return SCRIPTING_LEGACY_UNPRIVILEGED;
+    public static @NotNull ExpressionProfile legacyUnprivilegedBulkActions() {
+        return LEGACY_UNPRIVILEGED_BULK_ACTIONS;
     }
 
     public @NotNull String getIdentifier() {
         return identifier;
     }
 
-    public @NotNull ScriptingProfile getScriptingProfile() {
-        return scriptingProfile;
+    public @NotNull BulkActionsProfile getScriptingProfile() {
+        return bulkActionsProfile;
     }
 
     public @NotNull FunctionLibrariesProfile getLibrariesProfile() {
@@ -103,10 +110,14 @@ public ExpressionProfile(
     @Override
     public String toString() {
         return "ExpressionProfile(ID: %s; scripting: %s; libraries: %s)".formatted(
-                identifier, scriptingProfile.getIdentifier(), librariesProfile.getIdentifier());
+                identifier, bulkActionsProfile.getIdentifier(), librariesProfile.getIdentifier());
     }
 
     public @NotNull ExpressionEvaluatorsProfile getEvaluatorsProfile() {
         return evaluatorsProfile;
     }
+
+    public @NotNull AccessDecision getPrivilegeElevation() {
+        return privilegeElevation;
+    }
 }