Merge branch 'post-3.7-fixes' of https://github.com/Evolveum/midpoint …

…into post-3.7-fixes

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/prism/ContainerWrapper.java

@@ -109,7 +109,7 @@ public PrismContainerDefinition<C> getItemDefinition() {
 		return container.getDefinition();
 	}
 
-		public ContainerStatus getStatus() {
+	public ContainerStatus getStatus() {
 		return status;
 	}
 

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/prism/ItemWrapper.java

@@ -27,6 +27,7 @@
 import com.evolveum.midpoint.prism.Revivable;
 import com.evolveum.midpoint.prism.path.ItemPath;
 import com.evolveum.midpoint.util.DebugDumpable;
+import org.jetbrains.annotations.Nullable;
 
 /**
  * @author lazyman
@@ -90,7 +91,8 @@ default boolean isEnforceRequiredFields() {
 	    ContainerWrapper cw = getParent();
 	    return cw == null || cw.isEnforceRequiredFields();
     }
-
+
+    @Nullable
 	ContainerWrapper getParent();
 
 	boolean isShowEmpty();

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/prism/PropertyOrReferenceWrapper.java

@@ -41,7 +41,7 @@ public abstract class PropertyOrReferenceWrapper<I extends Item<? extends PrismV
 
 	private static final long serialVersionUID = -179218652752175177L;
 
-	protected ContainerValueWrapper container;
+	@Nullable protected ContainerValueWrapper container;
 	protected I item;
 	protected ValueStatus status;
 	protected List<ValueWrapper> values;
@@ -83,8 +83,9 @@ public ID getItemDefinition() {
 	}
 
 	@Override
+	@Nullable
 	public ContainerWrapper getParent() {
-		return container.getContainer();
+		return container != null ? container.getContainer() : null;
 	}
 
 	public boolean isVisible() {
@@ -96,7 +97,10 @@ public boolean isVisible() {
         if (getItemDefinition().isDeprecated() && isEmpty()) {
         	return false;
         }
-
+
+        if (container == null) {
+        	return false;           // TODO: ok ?
+        }
         switch (container.getObjectStatus()) {
         	case ADDING : 
         		return canAddDefault() || canAddAndShowEmpty();
@@ -204,7 +208,15 @@ public boolean hasChanged() {
 		return false;
 	}
 	private boolean isMetadataContainer() {
-		return getParent().getItemDefinition().getTypeName().equals(MetadataType.COMPLEX_TYPE);
+		ContainerWrapper parent = getParent();
+		if (parent == null) {
+			return false;
+		}
+		ItemDefinition<?> definition = parent.getItemDefinition();
+		if (definition == null) {
+			return false;
+		}
+		return definition.getTypeName().equals(MetadataType.COMPLEX_TYPE);
 	}
 
 	@Override

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/prism/PropertyWrapper.java

@@ -23,9 +23,6 @@
 import com.evolveum.midpoint.util.DebugDumpable;
 import com.evolveum.midpoint.util.DebugUtil;
 import com.evolveum.midpoint.util.PrettyPrinter;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.PasswordType;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
 import org.jetbrains.annotations.Nullable;
 
 import java.io.Serializable;
@@ -77,13 +74,13 @@ public ValueWrapper<T> createAddedValue() {
 
         ValueWrapper wrapper;
         if (SchemaConstants.T_POLY_STRING_TYPE.equals(definition.getTypeName())) {
-            wrapper = new ValueWrapper(this, new PrismPropertyValue(new PolyString("")),
-                    new PrismPropertyValue(new PolyString("")), ValueStatus.ADDED);
+            wrapper = new ValueWrapper(this, new PrismPropertyValue<>(new PolyString("")),
+                    new PrismPropertyValue<>(new PolyString("")), ValueStatus.ADDED);
 //        } else if (isUser() && isThisPropertyActivationEnabled()) {
 //            wrapper = new ValueWrapper(this, new PrismPropertyValue(null),
 //                    new PrismPropertyValue(null), ValueStatus.ADDED);
         } else {
-            wrapper = new ValueWrapper(this, new PrismPropertyValue(null), ValueStatus.ADDED);
+            wrapper = new ValueWrapper(this, new PrismPropertyValue<>(null), ValueStatus.ADDED);
         }
 
         return wrapper;
@@ -102,22 +99,22 @@ public ValueWrapper<T> createAddedValue() {
 //        return UserType.class.isAssignableFrom(object.getCompileTimeClass());
 //    }
 
-    private boolean isThisPropertyActivationEnabled() {
-        if (!new ItemPath(UserType.F_ACTIVATION).equivalent(container.getPath())) {
-            return false;
-        }
-
-        if (!ActivationType.F_ADMINISTRATIVE_STATUS.equals(item.getElementName())) {
-            return false;
-        }
-
-//        if (container.getContainer().getObject() == null || ContainerStatus.MODIFYING.equals(container.getContainer().getObject().getStatus())) {
-//            //when modifying then we don't want to create "true" value for c:activation/c:enabled, only during add
+//    private boolean isThisPropertyActivationEnabled() {
+//        if (!new ItemPath(UserType.F_ACTIVATION).equivalent(container.getPath())) {
 //            return false;
 //        }
-
-        return true;
-    }
+//
+//        if (!ActivationType.F_ADMINISTRATIVE_STATUS.equals(item.getElementName())) {
+//            return false;
+//        }
+//
+////        if (container.getContainer().getObject() == null || ContainerStatus.MODIFYING.equals(container.getContainer().getObject().getStatus())) {
+////            //when modifying then we don't want to create "true" value for c:activation/c:enabled, only during add
+////            return false;
+////        }
+//
+//        return true;
+//    }
 
     @Override
     public String toString() {

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/prism/ReferenceWrapper.java

@@ -22,7 +22,7 @@
 import com.evolveum.midpoint.prism.query.ObjectFilter;
 import com.evolveum.midpoint.util.DebugUtil;
 import com.evolveum.midpoint.util.PrettyPrinter;
-import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectReferenceType;
+import org.jetbrains.annotations.Nullable;
 
 import java.io.Serializable;
 import java.util.ArrayList;
@@ -38,11 +38,11 @@ public class ReferenceWrapper extends PropertyOrReferenceWrapper<PrismReference,
 
 	private List<QName> targetTypes;
 
-	public ReferenceWrapper(ContainerValueWrapper container, PrismReference reference, boolean readonly, ValueStatus status) {
+	public ReferenceWrapper(@Nullable ContainerValueWrapper container, PrismReference reference, boolean readonly, ValueStatus status) {
 		super(container, reference, readonly, status, null);
 	}
 
-	public ReferenceWrapper(ContainerValueWrapper container, PrismReference reference, boolean readonly, ValueStatus status, ItemPath path) {
+	public ReferenceWrapper(@Nullable ContainerValueWrapper container, PrismReference reference, boolean readonly, ValueStatus status, ItemPath path) {
 		super(container, reference, readonly, status, path);
 	}
 
@@ -54,7 +54,7 @@ public List<ValueWrapper> getValues() {
 	}
 
 	private List<ValueWrapper> createValues() {
-		List<ValueWrapper> values = new ArrayList<ValueWrapper>();
+		List<ValueWrapper> values = new ArrayList<>();
 
 		for (PrismReferenceValue prismValue : item.getValues()) {
 
@@ -84,8 +84,7 @@ public List<QName> getTargetTypes() {
 	@Override
 	public ValueWrapper createAddedValue() {
 		PrismReferenceValue prv = new PrismReferenceValue();
-		ValueWrapper wrapper = new ValueWrapper(this, prv, ValueStatus.ADDED);
-		return wrapper;
+		return new ValueWrapper(this, prv, ValueStatus.ADDED);
 	}
 
 	public ObjectFilter getFilter() {

infra/common/src/main/java/com/evolveum/midpoint/common/refinery/CompositeRefinedObjectClassDefinitionImpl.java

@@ -38,6 +38,7 @@
 import javax.xml.namespace.QName;
 import java.util.*;
 import java.util.function.Consumer;
+import java.util.function.Function;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
@@ -585,10 +586,25 @@ public Collection<? extends QName> getNamesOfAttributesWithInboundExpressions()
 	}
 
 	@Override
-	public ResourcePasswordDefinitionType getPasswordDefinition() {		// TODO what if there is a conflict?
-		return getRefinedObjectClassDefinitionsStream()
-				.map(def -> def.getPasswordDefinition())
-				.findFirst().orElse(null);
+	public ResourcePasswordDefinitionType getPasswordDefinition() {
+		return findInDefinitions(def -> def.getPasswordDefinition());
+	}
+
+	private <T> T findInDefinitions(Function<RefinedObjectClassDefinition,T> transform) {
+		if (structuralObjectClassDefinition != null) {
+			T val = transform.apply(structuralObjectClassDefinition);
+			if (val != null) {
+				return val;
+			}
+		}
+		// TODO what if there is a conflict?
+		for (RefinedObjectClassDefinition auxiliaryObjectClassDefinition: auxiliaryObjectClassDefinitions) {
+			T val = transform.apply(auxiliaryObjectClassDefinition);
+			if (val != null) {
+				return val;
+			}
+		}
+		return null;
 	}
 
     @Override

infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd

@@ -5840,6 +5840,60 @@
         </xsd:restriction>
     </xsd:simpleType>
 
+    <xsd:simpleType name="PasswordCompareStrategyType">
+        <xsd:annotation>
+            <xsd:documentation>
+                The way how an resource password is compared with the current password.
+            </xsd:documentation>
+            <xsd:appinfo>
+                <jaxb:typesafeEnumClass/>
+                <a:since>3.7.1</a:since>
+            </xsd:appinfo>
+        </xsd:annotation>
+        <xsd:restriction base="xsd:string">
+            <xsd:enumeration value="auto">
+                <xsd:annotation>
+                	<xsd:documentation>
+                		Auto-detect comparison method. If no way of comparison
+                		is possible then an error is indicated.
+                		Note: Currently this strategy will end with an error if there
+                		is no cached password value.
+                	</xsd:documentation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="AUTO"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+            <xsd:enumeration value="error">
+                <xsd:annotation>
+                	<xsd:documentation>
+                		There is no way to compare password. Any operation to that
+                		tries to compare the password on the resource should end
+                		up with an error.
+                	</xsd:documentation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="ERROR"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+            <xsd:enumeration value="cached">
+                <xsd:annotation>
+                	<xsd:documentation>
+                		Compare password with the value cached in the shadow.
+                		This setting assumes that passwords for all accounts are
+                		properly cached. Therefore if there is no password value
+                		in the shadow then we assume that there is no resource password.
+                	</xsd:documentation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="CACHED"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+            <!-- TODO: ignore, read (compare password by readin password value), resourceAuthenticate, ... -->
+        </xsd:restriction>
+    </xsd:simpleType>
+
+
     <xsd:complexType name="ResourceCredentialsDefinitionType">
         <xsd:sequence>
             <xsd:element name="password" type="tns:ResourcePasswordDefinitionType" minOccurs="0" maxOccurs="1">
@@ -5860,6 +5914,19 @@
     	</xsd:annotation>
         <xsd:sequence>
         	<xsd:element name="fetchStrategy" type="tns:AttributeFetchStrategyType" minOccurs="0"/>
+        	<xsd:element name="compareStrategy" type="tns:PasswordCompareStrategyType" minOccurs="0" default="auto">
+        		<xsd:annotation>
+        			<xsd:documentation>
+        				The way how an resource password is compared with the current password.
+        				This strategy is used when midPoint needs to compare candidate password
+        				with existing resource passowrd. E.g. used in password policies that state
+        				that passwords on several resources cannot be the same.
+        			</xsd:documentation>
+        			<xsd:appinfo>
+        				<a:since>3.7.1</a:since>
+        			</xsd:appinfo>
+        		</xsd:annotation>
+        	</xsd:element>
             <xsd:element name="outbound" type="tns:MappingType" minOccurs="0" maxOccurs="unbounded">
                 <xsd:annotation>
                     <xsd:documentation>
@@ -5887,6 +5954,23 @@
             		</xsd:appinfo>
                 </xsd:annotation>
             </xsd:element>
+            <xsd:element name="caching" type="tns:CachingPolicyType" minOccurs="0" maxOccurs="1">
+                <xsd:annotation>
+                    <xsd:documentation>
+                        Password caching policy.
+                        Currently, password storage format (encrypted, hashed) will be the same
+                        as the global password storage format used for the entire system.
+                        Definition of a specific password storage format might be added later.
+                    </xsd:documentation>
+                    <xsd:appinfo>
+            			<a:since>3.7.1</a:since>
+            		</xsd:appinfo>
+                </xsd:annotation>
+                <!-- 
+                	TODO: later, create PasswordCachingPolicyType as subtype of CachingPolicyType.
+                	PasswordCachingPolicyType could specify password storage format.
+                 -->
+            </xsd:element>
         </xsd:sequence>
     </xsd:complexType>
 
@@ -12009,6 +12093,16 @@
         <xsd:sequence>
             <xsd:element name="origin" type="tns:ValuePolicyOriginType" minOccurs="0" maxOccurs="1" default="object"/>
             <xsd:element name="path" type="t:ItemPathType" minOccurs="0" maxOccurs="1"/>
+            <xsd:element name="projectionDiscriminator" type="tns:ShadowDiscriminatorType" minOccurs="0" maxOccurs="1">
+            	<xsd:annotation>
+            		<xsd:documentation>
+            			Specifies which projection should be used in case that projection origin is selected.
+            		</xsd:documentation>
+            		<xsd:appinfo>
+            			<a:since>3.7.1</a:since>
+            		</xsd:appinfo>
+            	</xsd:annotation>
+            </xsd:element>
             <!-- TODO: matching (exact, norm, case ignore, partial, ...), matching parameters ( 3 characters difference ) -->
         </xsd:sequence>
     </xsd:complexType>
@@ -12063,6 +12157,23 @@
                     </xsd:appinfo>
                 </xsd:annotation>
             </xsd:enumeration>
+            <xsd:enumeration value="projection">
+                <xsd:annotation>
+                	<xsd:documentation>
+                		One of object's projecion is the origin.
+                		E.g. in case of user password specific projection
+                		linked to the user will be scanned.
+                		If this origin type is selected then also
+                		the projectionDiscriminator must be specified.
+                		Note: Currently the only supported value is
+                		resource password.
+                	</xsd:documentation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="PROJECTION"/>
+                        <a:since>3.7.1</a:since>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
         </xsd:restriction>
     </xsd:simpleType>
 

model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/script/ScriptExpressionFactory.java

@@ -94,7 +94,8 @@ public ScriptExpression createScriptExpression(ScriptExpressionEvaluatorType exp
 		expression.setOutputDefinition(outputDefinition);
 		expression.setObjectResolver(objectResolver);
 		expression.setFunctions(new ArrayList<>(functions));
-
+
+		// TODO make this code synchronized and ensure that searchIterative below is executed under privileged account
 		if (customFunctionLibraryCache != null) {
 			expression.getFunctions().addAll(customFunctionLibraryCache.values());
 		} else {