From 463abf05b9a1183e62fd68d8086637a92e31a712 Mon Sep 17 00:00:00 2001
From: Pavol Mederly
Date: Wed, 13 May 2020 19:56:47 +0200
Subject: [PATCH] Add fragments of common-3 and scripting-3 schemas
Also:
- attempted to factor out Prism concepts from Axiom language
- minor fixes regarding @NotNull/@Nullable
- fixed Java 8 compilability, making checkstyle happy
---
.../evolveum/axiom/lang/api/AxiomBuiltIn.java | 20 +-
.../axiom/lang/impl/AxiomAntlrVisitor.java | 2 +-
.../lang/impl/AxiomIdentifierResolver.java | 6 +-
.../lang/impl/AxiomItemDefinitionImpl.java | 3 +-
.../axiom/lang/impl/AxiomStatementImpl.java | 2 +-
.../lang/impl/AxiomTypeDefinitionImpl.java | 2 +-
.../axiom/lang/impl/ModelReactorContext.java | 4 +-
.../axiom/src/main/resources/axiom-lang.axiom | 91 +-
.../axiom/lang/test/TestAxiomParser.java | 25 +-
.../src/test/resources/base-example.axiom | 37 +-
.../src/test/resources/common-core.axiom | 1218 +++++++++++++++++
.../axiom/src/test/resources/scripting.axiom | 184 +++
.../xml/ns/public/common/common-core-3.xsd | 6 +-
13 files changed, 1532 insertions(+), 68 deletions(-)
create mode 100644 infra/axiom/src/test/resources/common-core.axiom
create mode 100644 infra/axiom/src/test/resources/scripting.axiom
diff --git a/infra/axiom/src/main/java/com/evolveum/axiom/lang/api/AxiomBuiltIn.java b/infra/axiom/src/main/java/com/evolveum/axiom/lang/api/AxiomBuiltIn.java
index 393022c33be..68393300e40 100644
--- a/infra/axiom/src/main/java/com/evolveum/axiom/lang/api/AxiomBuiltIn.java
+++ b/infra/axiom/src/main/java/com/evolveum/axiom/lang/api/AxiomBuiltIn.java
@@ -35,12 +35,8 @@ public static class Item implements AxiomItemDefinition {
public static final AxiomItemDefinition TYPE_DEFINITION = new Item("type", Type.TYPE_DEFINITION, false);
public static final AxiomItemDefinition SUPERTYPE_REFERENCE = new Item("extends", Type.TYPE_REFERENCE, false);
public static final AxiomItemDefinition ROOT_DEFINITION = new Item("root", Type.ITEM_DEFINITION, false);
- public static final AxiomItemDefinition OBJECT_DEFINITION = new Item("object", Type.OBJECT_DEFINITION, false);
- public static final AxiomItemDefinition REFERENCE_DEFINITION = new Item("reference", Type.ITEM_DEFINITION, false);
public static final AxiomItemDefinition ITEM_DEFINITION = new Item("item", Type.ITEM_DEFINITION, false);
- public static final AxiomItemDefinition OBJECT_REFERENCE_DEFINITION = new Item("objectReference", Type.OBJECT_REFERENCE_DEFINITION, false);
public static final AxiomItemDefinition MODEL_DEFINITION = new Item("model", Type.MODEL, false);
- public static final AxiomItemDefinition ITEM_NAME = new Item("itemName", Type.IDENTIFIER, false);
public static final AxiomItemDefinition MIN_OCCURS = new Item("minOccurs", Type.STRING, false);
public static final AxiomItemDefinition MAX_OCCURS = new Item("maxOccurs", Type.STRING, false);
public static final AxiomItemDefinition TARGET_TYPE = new Item("targetType", Type.IDENTIFIER, true);
@@ -99,15 +95,13 @@ public static class Type implements AxiomTypeDefinition {
Item.NAMESPACE,
Item.VERSION,
Item.TYPE_DEFINITION,
- Item.OBJECT_DEFINITION,
Item.ROOT_DEFINITION
));
public static final Type TYPE_DEFINITION =
new Type("AxiomTypeDefinition", BASE_DEFINITION, () -> itemDefs(
Item.ARGUMENT,
Item.SUPERTYPE_REFERENCE,
- Item.ITEM_DEFINITION,
- Item.OBJECT_REFERENCE_DEFINITION
+ Item.ITEM_DEFINITION
));
public static final Type ITEM_DEFINITION =
new Type("AxiomItemDefinition", BASE_DEFINITION, () -> itemDefs(
@@ -115,18 +109,6 @@ public static class Type implements AxiomTypeDefinition {
Item.MIN_OCCURS,
Item.MAX_OCCURS
));
- public static final Type REFERENCE_DEFINITION =
- new Type("AxiomReferenceDefinition", ITEM_DEFINITION, () -> itemDefs(
-
- ));
- public static final Type OBJECT_DEFINITION =
- new Type("AxiomObjectDefinition", TYPE_DEFINITION, () -> itemDefs(
- Item.ITEM_NAME
- ));
- public static final Type OBJECT_REFERENCE_DEFINITION =
- new Type("AxiomObjectReferenceDefinition", ITEM_DEFINITION, () -> itemDefs(
- Item.TARGET_TYPE
- ));
private final AxiomIdentifier identifier;
private final AxiomTypeDefinition superType;
diff --git a/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/AxiomAntlrVisitor.java b/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/AxiomAntlrVisitor.java
index 16c3fed33d5..fa6dc8b4e99 100644
--- a/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/AxiomAntlrVisitor.java
+++ b/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/AxiomAntlrVisitor.java
@@ -43,7 +43,7 @@ public AxiomAntlrVisitor(String name, AxiomIdentifierResolver statements, AxiomS
private AxiomIdentifier statementIdentifier(IdentifierContext identifier) {
String prefix = nullableText(identifier.prefix());
String localName = identifier.localIdentifier().getText();
- return statements.resolveStatementIdentifier(prefix,localName);
+ return statements.resolveStatementIdentifier(prefix, localName);
}
private String nullableText(ParserRuleContext prefix) {
diff --git a/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/AxiomIdentifierResolver.java b/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/AxiomIdentifierResolver.java
index 862a7b49ae6..89650a2cdeb 100644
--- a/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/AxiomIdentifierResolver.java
+++ b/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/AxiomIdentifierResolver.java
@@ -10,13 +10,13 @@
import com.evolveum.axiom.api.AxiomIdentifier;
+import org.jetbrains.annotations.Nullable;
+
public interface AxiomIdentifierResolver {
final AxiomIdentifierResolver AXIOM_DEFAULT_NAMESPACE = defaultNamespace(AxiomIdentifier.AXIOM_NAMESPACE);
- AxiomIdentifier resolveStatementIdentifier(@NotNull String prefix, @NotNull String localName);
-
-
+ AxiomIdentifier resolveStatementIdentifier(@Nullable String prefix, @NotNull String localName);
static AxiomIdentifierResolver defaultNamespace(String namespace) {
return (prefix, localName) -> prefix == null ? AxiomIdentifier.from(namespace, localName) : null;
diff --git a/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/AxiomItemDefinitionImpl.java b/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/AxiomItemDefinitionImpl.java
index fc81bc1488b..8b71f46368f 100644
--- a/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/AxiomItemDefinitionImpl.java
+++ b/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/AxiomItemDefinitionImpl.java
@@ -17,7 +17,8 @@ public class AxiomItemDefinitionImpl extends AbstractAxiomBaseDefinition impleme
public AxiomItemDefinitionImpl(AxiomIdentifier keyword, AxiomIdentifier value, List> children,
Multimap> keywordMap) {
super(keyword, value, children, keywordMap);
- type = first(AxiomBuiltIn.Item.TYPE_DEFINITION.name(), AxiomTypeDefinition.class).get();;
+ type = first(AxiomBuiltIn.Item.TYPE_DEFINITION.name(), AxiomTypeDefinition.class)
+ .orElseThrow(() -> new IllegalStateException("No 'type' declaration in " + super.toString()));
}
@Override
diff --git a/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/AxiomStatementImpl.java b/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/AxiomStatementImpl.java
index 3d7795660b3..9bcf42362ad 100644
--- a/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/AxiomStatementImpl.java
+++ b/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/AxiomStatementImpl.java
@@ -74,7 +74,7 @@ protected void putAll(Builder builder,
Collection children) {
for (AxiomItemDefinition definition : children) {
builder.put(definition.name(), definition);
- };
+ }
}
public static > Factory factory() {
diff --git a/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/AxiomTypeDefinitionImpl.java b/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/AxiomTypeDefinitionImpl.java
index 59f9b912a09..ad957c1bbca 100644
--- a/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/AxiomTypeDefinitionImpl.java
+++ b/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/AxiomTypeDefinitionImpl.java
@@ -38,7 +38,7 @@ public AxiomTypeDefinitionImpl(AxiomIdentifier keyword, AxiomIdentifier value, L
@Override
public Optional argument() {
- if(argument.isEmpty() && superType().isPresent()) {
+ if (!argument.isPresent() && superType().isPresent()) {
return superType().get().argument();
}
return argument;
diff --git a/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/ModelReactorContext.java b/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/ModelReactorContext.java
index ff43618ae1e..0c8ed9579af 100644
--- a/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/ModelReactorContext.java
+++ b/infra/axiom/src/main/java/com/evolveum/axiom/lang/impl/ModelReactorContext.java
@@ -28,6 +28,8 @@
import com.evolveum.axiom.lang.impl.AxiomStatementImpl.Factory;
import com.google.common.collect.ImmutableMap;
+import org.jetbrains.annotations.Nullable;
+
public class ModelReactorContext implements AxiomIdentifierResolver {
@@ -202,7 +204,7 @@ public void loadModelFromSource(AxiomStatementSource statementSource) {
}
@Override
- public AxiomIdentifier resolveStatementIdentifier(@NotNull String prefix, @NotNull String localName) {
+ public AxiomIdentifier resolveStatementIdentifier(@Nullable String prefix, @NotNull String localName) {
return AxiomIdentifier.axiom(localName);
}
diff --git a/infra/axiom/src/main/resources/axiom-lang.axiom b/infra/axiom/src/main/resources/axiom-lang.axiom
index 2aa5baa7c6a..438931a51bc 100644
--- a/infra/axiom/src/main/resources/axiom-lang.axiom
+++ b/infra/axiom/src/main/resources/axiom-lang.axiom
@@ -9,27 +9,45 @@ model axiom-lang {
type AxiomModel {
extends AxiomBaseDefinition;
-
+
item root {
type AxiomItemDefinition;
}
-
+
item type {
documentation """
Type Declaration
""";
type AxiomTypeDefinition;
}
-
- item object {
- type AxiomObjectDefinition;
- }
+
item namespace {
type string;
}
+
item version {
type string;
}
+
+ // TODO move to prism schema; consider renaming to objectType?
+ item object {
+ type PrismObjectDefinition;
+ }
+
+ // TODO move to prism schema; consider renaming to containerType?
+ item container {
+ type PrismContainerDefinition;
+ }
+
+ // TODO move to prism schema; consider renaming to referenceType?
+ item reference {
+ type PrismReferenceDefinition;
+ }
+
+ // TODO move to prism schema
+ item item {
+ type PrismItemDefinition;
+ }
}
type AxiomBaseDefinition {
@@ -37,11 +55,12 @@ model axiom-lang {
item name {
type AxiomIdentifier;
- }
-
+ }
+
item identifier {
type AxiomIdentifier;
}
+
item documentation {
type string;
}
@@ -53,30 +72,61 @@ model axiom-lang {
item argument {
type AxiomIdentifier;
}
+
item extends { // Should be reference
type AxiomIdentifier; // Should be AxiomTypeIdentifier in future
}
-
+
item identifier {
type AxiomIdentifier;
}
+
+ // TODO move to prism schema
+ item object {
+ type boolean;
+ }
+
+ // TODO move to prism schema
+ item container {
+ type boolean;
+ }
+
+ // TODO move to prism schema
+ item objectReference {
+ type boolean;
+ }
+
+ // TODO reconsider this - strictly speaking this is part of "global type+item definition combo"
+ item itemName {
+ type AxiomIdentifier;
+ }
+
item item {
type AxiomItemDefinition;
}
}
- type AxiomObjectDefinition {
+ // TODO move to prism schema; probably should be prism:ObjectDefinition
+ type PrismObjectDefinition {
extends AxiomTypeDefinition;
- item itemName {
- type AxiomIdentifier; // This should be probably at dif
- }
}
-
- type AxiomIdentifier {
+
+ // TODO move to prism schema; probably should be prism:ContainerDefinition
+ type PrismContainerDefinition {
+ extends AxiomTypeDefinition;
+ }
+
+ // TODO move to prism schema; probably should be prism:ReferenceDefinition
+ type PrismReferenceDefinition {
+ extends AxiomTypeDefinition;
}
- type string {
-
+ // TODO move to prism schema; probably should be prism:ItemDefinition
+ type PrismItemDefinition {
+ extends AxiomItemDefinition;
+ }
+
+ type AxiomIdentifier {
}
type AxiomItemDefinition {
@@ -99,4 +149,9 @@ model axiom-lang {
}
type AxiomTypeReference;
-}
\ No newline at end of file
+
+ // "Type library" (temporary)
+
+ type string;
+ type boolean;
+}
diff --git a/infra/axiom/src/test/java/com/evolveum/axiom/lang/test/TestAxiomParser.java b/infra/axiom/src/test/java/com/evolveum/axiom/lang/test/TestAxiomParser.java
index 98d0930bef9..4a040e1d1a6 100644
--- a/infra/axiom/src/test/java/com/evolveum/axiom/lang/test/TestAxiomParser.java
+++ b/infra/axiom/src/test/java/com/evolveum/axiom/lang/test/TestAxiomParser.java
@@ -14,8 +14,6 @@
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
-import java.util.Collection;
-import java.util.List;
import java.util.Optional;
import org.testng.annotations.Test;
@@ -28,24 +26,22 @@
import com.evolveum.axiom.lang.api.AxiomTypeDefinition;
import com.evolveum.axiom.lang.api.AxiomBuiltIn.Item;
import com.evolveum.axiom.lang.api.AxiomBuiltIn.Type;
-import com.evolveum.axiom.lang.api.stmt.AxiomStatement;
-import com.evolveum.axiom.lang.impl.AxiomItemDefinitionImpl;
import com.evolveum.axiom.lang.impl.AxiomStatementSource;
import com.evolveum.axiom.lang.impl.AxiomSyntaxException;
-import com.evolveum.axiom.lang.impl.AxiomTypeDefinitionImpl;
-import com.evolveum.axiom.lang.impl.BasicStatementRule;
import com.evolveum.axiom.lang.impl.ModelReactorContext;
import com.evolveum.midpoint.tools.testng.AbstractUnitTest;
-import com.google.common.collect.Iterables;
public class TestAxiomParser extends AbstractUnitTest {
private static final String COMMON_DIR_PATH = "src/test/resources/";
- private static final String NAME = "base-example.axiom";
private static final String AXIOM_LANG = "/axiom-lang.axiom";
+ private static final String BASE_EXAMPLE = "base-example.axiom";
+ private static final String COMMON_CORE = "common-core.axiom";
+ private static final String SCRIPTING = "scripting.axiom";
+
@Test
public void axiomSelfDescribingTest() throws IOException, AxiomSyntaxException {
@@ -76,16 +72,23 @@ private void assertTypedefBasetype(Optional optional) {
private void assertInstanceOf(Class> clz, Object value) {
assertTrue(clz.isInstance(value));
-
}
-
@Test
public void moduleHeaderTest() throws IOException, AxiomSyntaxException {
- AxiomSchemaContext context = parseFile(NAME);
+ AxiomSchemaContext context = parseFile(BASE_EXAMPLE);
assertNotNull(context.getType(AxiomIdentifier.axiom("Example")).get());
}
+ @Test
+ public void commonCoreTest() throws IOException, AxiomSyntaxException {
+ AxiomSchemaContext context = parseFile(COMMON_CORE);
+ }
+
+ @Test
+ public void scriptingTest() throws IOException, AxiomSyntaxException {
+ AxiomSchemaContext context = parseFile(SCRIPTING);
+ }
private AxiomSchemaContext parseFile(String name) throws AxiomSyntaxException, FileNotFoundException, IOException {
return parseInputStream(name, new FileInputStream(COMMON_DIR_PATH + name));
diff --git a/infra/axiom/src/test/resources/base-example.axiom b/infra/axiom/src/test/resources/base-example.axiom
index d8673249e39..bbbc7046ebd 100644
--- a/infra/axiom/src/test/resources/base-example.axiom
+++ b/infra/axiom/src/test/resources/base-example.axiom
@@ -1,35 +1,39 @@
+// Copyright (c) 2020 Evolveum and contributors
+//
+// This work is dual-licensed under the Apache License 2.0
+// and European Union Public License. See LICENSE file for details.
+
model model-header {
documentation """
This is showcase of baseline Axiom model header.
-
+
Standard model header should contain:
- description (optional)
- namespace (required)
- version (required)
- - prefix (optional
+ - prefix (optional)
""";
namespace "https://ns.evolveum.com/example/axiom/model-header";
version "0.0.1";
-
+
type string;
type Address;
type Link;
type PolyString;
-
+
type Example {
documentation """
Example complex type. This type does not have supertype.
Type may contain items.
-
""";
-
+
item name {
type string;
}
}
-
+
object User {
itemName user;
item address { // shorthand syntax 'container address type Address';
@@ -45,9 +49,24 @@ model model-header {
maxOccurs unbounded;
}
}
-
+
object {
name User2;
itemName user;
}
-}
\ No newline at end of file
+
+ // Alternative representation of a prism object definition
+ // (doesn't interfere with item { type ... } in structured types)
+ object {
+ name User2;
+ itemName user2;
+ // ...
+ }
+
+ // Yet another alternative representation of a prism object definition.
+ // To be decided.
+ type User3 {
+ object;
+ // ...
+ }
+}
diff --git a/infra/axiom/src/test/resources/common-core.axiom b/infra/axiom/src/test/resources/common-core.axiom
new file mode 100644
index 00000000000..bc00833a711
--- /dev/null
+++ b/infra/axiom/src/test/resources/common-core.axiom
@@ -0,0 +1,1218 @@
+// Copyright (c) 2020 Evolveum and contributors
+//
+// This work is dual-licensed under the Apache License 2.0
+// and European Union Public License. See LICENSE file for details.
+
+// This is "common-core.axiom" file containing core definitions from the common-3 namespace.
+// Due to its size the common-3 schema is distributed across multiple files.
+
+model common-core {
+
+ namespace "http://midpoint.evolveum.com/xml/ns/public/common/common-3";
+ version "3.0.0";
+
+ type Object {
+ object;
+ itemName object;
+ documentation """
+ Common supertype for all identity objects. Defines basic properties
+ that each object must have to live in our system (identifier, name).
+
+ All objects are identified by OID. The OID is an immutable identifier
+ (usually UUID). Except the OID all the objects have human-readable name.
+ The name is usually unique for each object type, but this is not a
+ strict requirement.
+
+ Note: object type is fixed, it cannot be changed. The object retains its
+ type from the time it was created to the end of its life.
+ """;
+ item name {
+ type PolyString;
+ documentation """
+ Human-readable, mutable name of the object. It
+ may also be an identifier (login name, group name).
+ It is usually unique in the respective context of
+ interpretation. E.g. the name of the UserType subtype
+ is usually unique in the whole system.
+ The name of the ShadowType subtype is usually unique in the
+ scope of resource (target system) that it belongs to.
+
+ The name may not be human-readable in a sense to display
+ to a common end-user. It is intended to be displayed to
+ IDM system administrator. Therefore it may contain quite
+ a "ugly" structures such as LDAP DN or URL.
+
+ Name is mutable. It is considered to be ordinary property
+ of the object. Therefore it can be changed by invoking
+ usual modifyObject operations. However, change of the name
+ may have side effects (rename process).
+
+ Although name is specified as optional by this schema, it
+ is in fact mandatory for most object types. The reason for
+ specifying the name as optional is that the name may be
+ generated by the system instead of supplied by the clients.
+ However, all objects stored in the repository must have a name.
+ """;
+ // ObjectType.name
+ // 0
+ // true
+ }
+
+ // Note: the description property is referenced from various contexts (e.g. Object and Assignment).
+ // To avoid duplication we use global property definition.
+ // item description; // TODO make this work
+
+ // The same is true for documentation.
+ // item documentation; // TODO make this work
+
+ item subtype {
+ type string;
+ maxOccurs unbounded;
+ documentation """
+ Type of the object. It is used to distinguish what a specific object
+ represents. Whether it is a different kind of organizational unit, project,
+ team, or different kind of user, etc.
+ """;
+ // ObjectType.subtype
+ // 15
+ }
+
+ item fetchResult {
+ type OperationResult;
+ documentation """
+ Result of the operation that fetched this instance of the object.
+ It is mostly used to indicate that the object is not complete or
+ there is some problem with the object. This is used instead of
+ exception if the object is part of larger structures (lists as in
+ list/search operations or composite objects). If not present then
+ the "SUCCESS" state is assumed.
+
+ This field is TRANSIENT. It must only be used in runtime. It should
+ never be stored in the repository.
+ """;
+ // a:operational
+ }
+
+ // item extension; // TODO make this work
+
+ item trigger {
+ type Trigger;
+ maxOccurs unbounded;
+ documentation """
+ Triggers for this object. They drive invocations of corresponding trigger handlers
+ at specified time.
+ """;
+ // a:operational
+ }
+
+ item parentOrg { // TODO or should we use 'Ref' suffix i.e. 'parentOrgRef'?
+ type ObjectReference;
+ maxOccurs unbounded;
+ documentation """
+ Set of the orgs (organizational units, projects, teams) that the object relates to.
+ This usually means that the object belongs to them but it may have other meanings as well
+ (e.g. user manages an organizational unit).
+ """;
+ // tns:OrgType
+ // OrgType.parentOrganization
+ // 240
+ //
+ }
+
+ item tenant {
+ type ObjectReference;
+ documentation """
+ Reference to the tenant to which this object belongs. It is a computed value set automatically
+ by midPoint. It is determined from the organizational structure. Even though this value is
+ computed it is also stored in the repository due to performance reasons.
+ """;
+ // tns:OrgType
+ // OrgType.tenant
+ // 250
+ // true
+ }
+
+ item lifecycleState {
+ type string;
+ documentation """
+ Lifecycle state of the object. This property defines whether the
+ object represents a draft, proposed definition, whether it is active,
+ deprecated, and so on.
+
+ There are few pre-defined lifecycle states. But custom lifecycle states
+ may also be defined. Pre-defined lifecycle states are:
+
+ - draft: Definition of the new object in progress. The object is
+ NOT active. The definition may change at any moment. It is
+ not ready yet.
+ - proposed: Definition of a new object is ready for use, but there
+ is still a review process to be applied (e.g. approval).
+ The object is NOT active. However the definition should
+ not change in this state.
+ - active: Active and working definition. Ready to be used without
+ any unusual limitations.
+ - deprecated: Active definition which is being phased out. The
+ definition is still fully operational. But it should not
+ be used for new assignments. E.g. it should not be requested,
+ it should not be approved, etc.
+ - archived: Inactive historical definition. It is no longer used.
+ It is maintained only for historical, auditing and
+ sentimental reasons.
+ - failed: Unexpected error has occurred during object lifecycle. Result
+ of that event is that the object is rendered inactive.
+ The situation cannot be automatically remedied. Manual action
+ is needed.
+ """;
+ // ObjectType.lifecycleState
+ // 20
+ // 3.5
+ //
+ }
+
+ item operationExecution {
+ type OperationExecution;
+ maxOccurs unbounded;
+ documentation """
+ Description of recent operations executed on this object (or related objects, e.g. shadows
+ in case of a focal object). The number of operations to be kept here is configurable.
+ """;
+ // 3.6
+ // true
+ }
+
+ item lensContext {
+ type LensContext;
+ documentation """
+ Model context describing executed operation.
+ """;
+ // 4.0
+ // true
+ }
+
+ item policySituation {
+ type uri;
+ maxOccurs unbounded;
+ documentation """
+ The policy situation(s) of this object. The situations are result of
+ evaluation of the policy rules. This property is recorded for each object
+ and can be used for reporting, diagnostics, target selection in certification
+ campaigns, etc.
+ """;
+ // 3.5
+ // true
+ }
+
+ item policyException {
+ type PolicyException;
+ maxOccurs unbounded;
+ documentation """
+ Recorded exception from a policy rule. The exceptions that are approved are
+ recoded here to avoid re-evaluating and re-approving them all the time.
+ This is EXPERIMENTAL functionality. It is likely to change in the near future.
+ """;
+ // 3.5
+ // true
+ }
+
+ item diagnosticInformation {
+ type DiagnosticInformation;
+ maxOccurs unbounded;
+ documentation """
+ Diagnostic information attached to this object.
+ """;
+ // 4.0
+ // true
+ }
+
+ // Note that oid and version are not defined here. These are intrinsic parts of prism objects
+ // so they do not have to be mentioned in the schema.
+ // TODO: is this OK? See also related questions in ObjectReference type.
+ }
+
+ type AssignmentHolder {
+ extends Object;
+ itemName assignmentHolder;
+ documentation """
+ Abstract supertype for all object types that can have assignments.
+ """;
+
+ item assignment {
+ type Assignment;
+ maxOccurs unbounded;
+ documentation """
+ Set of object's assignments.
+ Assignments define the privileges and "features" that this object should have, that
+ this object is entitled to. Typical assignment will point to a role or define
+ a construction of an account.
+
+ Assignments represent what the object SHOULD HAVE. The assignments represent a policy,
+ a desired state of things (cf. linkRef).
+ """;
+ // FocusType.assignmentKey
+ }
+
+ item iteration {
+ type int; // TODO
+ documentation """
+ Iteration number. Starts with 0. It is used to iteratively find unique identifier
+ for the object.
+ """;
+ // true
+ }
+
+ item iterationToken {
+ type string;
+ documentation """
+ Iteration token. String value that is usually a suffix to the identifier based
+ on iteration number. E.g. ".007". It is used to iteratively find unique identifier
+ for the object.
+ """;
+ // true
+ }
+
+ item archetype {
+ type ObjectReference;
+ maxOccurs unbounded;
+ documentation """
+ References to all applicable archetypes, including "indirect" archetypes such as archetype supertypes.
+ Contains references to active archetypes only.
+
+ Note: the value of this reference is only updated when object is recomputed.
+ Therefore if a role definition changes then all the affected objects must be recomputed
+ for this reference to be consistent.
+
+ This is an operational property. It is set and managed by the system. It is used
+ for efficient use of archetypes.
+ """;
+ // tns:ArchetypeType
+ // true
+ // AssignmentHolderType.archetypeRef
+ // 4.0
+ }
+
+ item roleMembership {
+ type ObjectReference;
+ maxOccurs unbounded;
+ documentation """
+ References to abstract roles (roles, orgs, services) that this focus currently belongs to - directly
+ or indirectly. This reference points to all the roles in the role hierarchy. It only points to
+ the roles that were evaluated as active during last recompute (conditions were true, validity
+ constraints not violated).
+
+ Note: the value of this reference is only updated when a focal object is recomputed.
+ Therefore if a role definition changes then all the affected focal objects must be recomputed
+ for this reference to be consistent.
+
+ Roles mentioned here are those that are NOT obtained via delegation, i.e. "deputy" relations.
+ Relations acquired by delegation are listed in delegatedRef item.
+
+ This is an operational property. It is set and managed by the system. It is used
+ for efficient search of all current role members, e.g. for the purpose of displaying this
+ information in the GUI.
+ """;
+ // tns:AbstractRoleType
+ // true
+ // FocusType.roleMembershipRef
+ }
+
+ item delegated {
+ type ObjectReference;
+ maxOccurs unbounded;
+ documentation """
+ References to objects (abstract roles as well as users) obtained via delegation.
+ If A1 is a deputy of A, its delegatedRef contains a union of A, A.roleMembershipRef and
+ A.delegatedRef.
+
+ This is an operational property. It is set and managed by the system. It is used
+ for efficient search of all current role members, e.g. for the purpose of displaying this
+ information in the GUI.
+ """;
+ // tns:FocusType
+ // true
+ // 3.5
+ }
+
+ item roleInfluence {
+ type ObjectReference;
+ maxOccurs unbounded;
+ documentation """
+ References to abstract roles (roles and orgs) that this focus may directly belong to.
+ This reference only points to the next role in the hierarchy. However, it is backed by
+ a "closure" index in the repository subsystem. Therefore it can efficiently support tree-like
+ queries. This reference points to the roles for whose the condition is not true.
+ Therefore it does not reliably show
+ who actually has a role. It shows potential role members - all the object that are possibly
+ influenced when a role definition changes.
+
+ This is an operational property. It is set and managed by the system. It is used
+ for efficient search of all possible role members, e.g. for the purpose of recomputing
+ all role members after the role definition is changed.
+
+ TODO. NOT IMPLEMENTED YET. EXPERIMENTAL. UNSTABLE.
+ """;
+ // tns:AbstractRoleType
+ // true
+ }
+ }
+
+ type Focus {
+ extends AssignmentHolder;
+ itemName focus;
+ documentation """
+ Abstract supertype for all object types that can be focus of full midPoint computation.
+ This basically means objects that have projections. But focal objects also have
+ activation, they may have personas, etc.
+ """;
+ item link {
+ type ObjectReference;
+ maxOccurs unbounded;
+ documentation """
+ Set of shadows (projections) linked to this focal object.
+ E.g. a set of accounts linked to a user. This is the set of
+ shadows that belongs to the focal object in a sense
+ that these shadows represents the focal object on the resource.
+ E.g. The set of accounts that represent the same midPoint user (the
+ same physical person, they are "analogous").
+
+ Links define what the object HAS. The links reflect real state of things
+ (cf. assignment).
+ """;
+ // tns:ShadowType
+ }
+
+ item persona {
+ type ObjectReference;
+ maxOccurs unbounded;
+ documentation """
+ Set of personas linked to this focal object.
+ E.g. a set of virtual identities linked to a user. This is the set of
+ "secondary" focal objects that belongs to this focal object in a sense
+ that the current focal object is in control over the linked focal objects.
+ E.g. this reference can be used to link user object which specified a physical
+ person with his virtual identities (personas) that specify his identity as an
+ employee, system administrator, customer, etc.
+ The default meaning is that the personas are "analogous", i.e. the represent
+ different facets of the same physical person. However, this meaning may be
+ theoretically overridden by using various relation parameters in this reference.
+
+ This reference define what the object HAS. The links reflect real state of
+ things (cf. assignment).
+ """;
+ // tns:FocusType
+ // 3.6
+ }
+
+ item activation {
+ type Activation;
+ }
+
+ item jpegPhoto {
+ type binary;
+ documentation """
+ Photo corresponding to the user / org / role / service.
+ """;
+ // FocusType.jpegPhoto
+ }
+
+ item costCenter {
+ type string;
+ documentation """
+ The name, identifier or code of the cost center to which the object belongs.
+
+ Please note that organization objects (OrgType) also have a costCenter property.
+ Therefore it is usual that if a user belongs to an organization the costCenter from
+ the organization is used. Therefore this property is usually used only for users that
+ do not belong to any organization or for users that have different cost center than
+ the one defined by the organization.
+ """;
+ // FocusType.costCenter
+ // 420
+ }
+
+ item locality {
+ type PolyString;
+ documentation """
+ Primary locality of the object, the place where
+ the (e.g.) user usually works, the country, city or
+ building that he belongs to. The specific meaning
+ and form of this property is deployment-specific.
+ """;
+ // FocusType.locality
+ // 450
+ }
+
+ item preferredLanguage {
+ type string;
+ documentation """
+ Indicates user's preferred language, usually for the purpose of localizing
+ user interfaces. The format is IETF language tag defined in BCP 47, where
+ underscore is used as a subtag separator. This is usually a ISO 639-1 two-letter
+ language code optionally followed by ISO 3166-1 two letter country code
+ separated by underscore. The languages that do not have country-specific
+ variants are usually specified by using a two-letter country code ("sk",
+ "cs", "tr"). Languages with country-specific variants have country-specific
+ subtags ("pt_BR", "zn_CN").
+ If no value is specified in this property then system default locale is assumed.
+
+ Examples:
+ - en_US
+ - sk
+ - cs
+ - pt_BR
+ """;
+ // FocusType.preferredLanguage
+ // 200
+ //
+ }
+
+ item locale {
+ type string;
+ documentation """
+ Defines user's preference in displaying currency, dates and other items
+ related to location and culture. The format is IETF language tag defined in BCP 47, where
+ underscore is used as a subtag separator. This is usually a ISO 639-1 two-letter
+ language code optionally followed by ISO 3166-1 two letter country code
+ separated by underscore. The languages that do not have country-specific
+ variants are usually specified by using a two-letter country code ("sk",
+ "cs", "tr"). Languages with country-specific variants have country-specific
+ subtags ("pt_BR", "zn_CN").
+ If not specified then system default locale is assumed.
+
+ Examples:
+ - en_US
+ - sk
+ - cs
+ - pt_BR
+ """;
+ // FocusType.locale
+ // 210
+ //
+ }
+
+ item timezone {
+ type string;
+ documentation """
+ User's preferred timezone. It is specified in the "tz database" (a.k.a "Olson")
+ format. If not specified then system default timezone is assumed.
+
+ Examples:
+ - Europe/Bratislava
+ """;
+ // FocusType.timezone
+ // 220
+ //
+ }
+
+ item emailAddress {
+ type string;
+ documentation """
+ E-Mail address of the user, org. unit, etc. This is the address
+ supposed to be used for communication with the
+ user, org. unit, etc. E.g. IDM system may send notifications
+ to the e-mail address. It is NOT supposed to be
+ full-featured e-mail address data structure
+ e.g. for the purpose of complex address-book application.
+ """;
+ // FocusType.emailAddress
+ // 300
+ }
+
+ item telephoneNumber {
+ type string;
+ documentation """
+ Primary telephone number of the user, org. unit, etc.
+ """;
+ // FocusType.telephoneNumber
+ // 310
+ }
+
+ item credentials {
+ type Credentials;
+ documentation """
+ The set of focus's credentials (such as passwords).
+ """;
+ // FocusType.credentials
+ }
+ }
+
+ type User {
+ extends Focus;
+ documentation """
+ User object represents a physical user of the system.
+ It differs from the account, as "account" represents a data structure in a target system while
+ "user" represents data structure in midPoint. One user typically has many accounts.
+ Properties of User object typically describe the user as a physical person.
+ Therefore the user object defines handful of properties that are commonly used to describe users
+ in the IDM solutions (employees, customers, partners, etc.) Custom extensions are possible by utilizing
+ the "extension" container.
+ """;
+
+ item fullName {
+ type PolyString;
+ documentation """
+ Full name of the user with all the decorations,
+ middle name initials, honorific title and any
+ other structure that is usual in the cultural
+ environment that the system operates in. This
+ element is intended to be displayed to
+ a common user of the system.
+
+ Examples:
+ - cpt. Jack Sparrow
+ - William "Bootstrap" Turner
+ - James W. Random, PhD.
+ - Vladimir Iljic Lenin
+ - Josip Broz Tito
+ - Chuck Norris
+ """;
+ // UserType.fullName
+ // 100
+ // true
+ }
+
+ item givenName {
+ type PolyString;
+ documentation """
+ Given name of the user. It is usually the first
+ name of the user, but the order of names may
+ differ in various cultural environments. This
+ element will always contain the name that was
+ given to the user at birth or was chosen
+ by the user.
+
+ Examples:
+ - Jack
+ - Chuck
+ """;
+ // UserType.givenName
+ // 110
+ // true
+ }
+
+ item familyName {
+ type PolyString;
+ documentation """
+ Family name of the user. It is usually the last
+ name of the user, but the order of names may
+ differ in various cultural environments. This
+ element will always contain the name that was
+ inherited from the family or was assigned
+ to a user by some other means.
+
+ Examples:
+ - Sparrow
+ - Norris
+ """;
+ // UserType.familyName
+ // 120
+ // true
+ }
+
+ item additionalName {
+ type PolyString;
+ documentation """
+ Middle name, patronymic, matronymic or any other name of a person. It is usually the
+ middle component of the name, however that may be culture-dependent.
+
+ Examples:
+ - Walker
+ - John
+ - Iljic
+ """;
+ // UserType.additionalName
+ // 130
+ }
+
+ item nickName {
+ type PolyString;
+ documentation """
+ Familiar or otherwise informal way to address a person.
+
+ Examples:
+ - Bootstrap
+ - Bobby<
+
+ The meaning of this property is to take part in the formatted full
+ name of the person, e.g. William "Bootstrap" Turner. It is not intended
+ to be used as a username or login name. This value is usually changeable
+ by the user itself and it defines how the user wants other to address him.
+ Therefore it is not ideal for use as an identifier.
+ """;
+ // UserType.nickname
+ // 140
+ }
+
+ item honorificPrefix {
+ type PolyString;
+ documentation """
+ Honorific titles that go before the name.
+ Examples:
+ - cpt.
+ - Ing.
+ - Sir
+
+ This property is single-valued. If more
+ than one title is applicable, they have to be represented in
+ a single string (concatenated) form in the correct order.
+ """;
+ // UserType.honorificPrefix
+ // 150
+ }
+
+ item honorificSuffix {
+ type PolyString;
+ documentation """
+ Honorific titles that go after the name.
+
+ Examples:
+ - PhD.
+ - KBE
+
+ This property is single-valued. If more
+ than one title is applicable, they have to be represented in
+ a single string (concatenated) form in the correct order.
+ """;
+ // UserType.honorificSuffix
+ // 160
+ }
+
+ item title {
+ type PolyString;
+ documentation """
+ User's title defining a work position or a primary role in the
+ organization.
+ Examples:
+ - CEO
+ - Security Officer
+ - Assistant
+ """;
+ // UserType.title
+ // 170
+ }
+
+ item employeeNumber {
+ type string;
+ documentation """
+ Unique, business-oriented identifier of the employee.
+ Typically used as correlation identifier and for
+ auditing purposes. Should be immutable, but the
+ specific properties and usage are deployment-specific.
+ """;
+ // UserType.employeeNumber
+ // 400
+ }
+
+ item employeeType {
+ type string;
+ maxOccurs unbounded;
+ documentation """
+ Employee type specification such as internal employee,
+ external or partner. The specific values are
+ deployment-specific. However it is generally assumed that this
+ will be enumeration of several type names or codes that define
+ "classes" of users.
+
+ Even though this property is named "employeeType" due to the historical
+ reasons it is used in a more generic way to mean general type of user.
+ Therefore it can be used to distinguish employees from customers, etc.
+
+ DEPRECATED: Use ObjectType.subtype
+ """;
+ // UserType.employeeType
+ // 410
+ // true
+ // 3.8
+ }
+ item organization {
+ type PolyString;
+ maxOccurs unbounded;
+ documentation """
+ Name or (preferably) immutable identifier of organization that the user belongs to.
+ The format is deployment-specific. This property together with organizationalUnit
+ may be used to provide easy-to-use data about organizational membership of the user.
+
+ This is multi-valued property to allow membership of a user to several
+ organizations. Please note that midPoint does not maintain ordering in
+ multi-value properties therefore this is not usable to model a complex
+ organization hierarchies. Use OrgType instead.
+ """;
+ // UserType.organization
+ // 430
+ }
+
+ item organizationalUnit {
+ type PolyString;
+ maxOccurs unbounded;
+ documentation """
+ Name or (preferably) immutable identifier of organizational unit that the user belongs to.
+ The format is deployment-specific. This property together with organization
+ may be used to provide easy-to-use data about organizational membership of the user.
+
+ This is multi-valued property to allow membership of a user to several
+ organizational units. Please note that midPoint does not maintain ordering in
+ multi-value properties therefore this is not usable to model a complex
+ organization hierarchies. Use OrgType instead.
+ """;
+ // UserType.organizationalUnit
+ // 440
+ }
+ item adminGuiConfiguration {
+ type AdminGuiConfiguration;
+ documentation """
+ Specifies the admin GUI configuration that should be used
+ by this user.
+ """;
+ // 3.5
+ // AdminGuiConfigurationType.adminGuiConfiguration
+ }
+ }
+
+ type ObjectReference {
+ objectReference;
+ documentation """
+ Reference to an object. It contains OID of the object that it
+ refers to.
+ """;
+
+ // item description; // TODO make this work
+
+ // item documentation; // TODO make this work
+
+ item filter {
+ type SearchFilter; // TODO namespace of "query-3"
+ documentation """
+ Filter that can be used to dynamically lookup the reference OID e.g. during imports.
+ It must not be used for normal operations. The filter may be stored in the repository
+ to avoid data loss. But even if it is stored it will not be used beyond initial
+ import or unless explicitly requested (e.g. by setting resolutionTime).
+
+ Note: The filter will NOT be used if the OID in the reference is set. The OID always takes
+ precedence.
+ """;
+ }
+
+ item resolutionTime {
+ type EvaluationTime;
+ // TODO defaultValue "import";
+ documentation """
+ Definition of the "time" when the reference will be resolved. Resolving the reference means using
+ the filter to get object(s) or OID(s).
+
+ Import-time resolution means that the reference will be resolved once when the file is imported.
+ OID will be recorded in the reference and then only the OID will be used to follow the reference.
+ This is a very efficient method and it is the default.
+
+ Run-time resolution means that the reference will be resolved every time that the reference is
+ evaluated. This is less efficient but it provides great flexibility as the filter may contain
+ expressions and therefore the reference target may dynamically change.
+ """;
+ }
+
+ item referentialIntegrity {
+ type ReferentialIntegrity;
+ // TODO defaultValue "default";
+ documentation """
+ Definition of the behavior related to non-existence of object with specified target OID.
+ (Currently supported only at selected places in midPoint.)
+ """;
+ // 4.1
+ }
+
+ item targetName {
+ type PolyString;
+ documentation """
+ Cached name of the target object.
+ This is a ephemeral value. It is not stored in the repository.
+ It may be computed at object retrieval time or it may not be present at all.
+ This is NOT an authoritative information. Setting it or changing it will
+ not influence the reference meaning. OID is the only authoritative linking
+ mechanism.
+ """;
+ }
+
+ // TODO what about (attributes) oid, type, and relation?
+ // Should they be listed here even if they are defined in PrismReferenceValue?
+ // But if not, why should we list filter, resolution time, referential integrity here,
+ // as they are also defined in PrismReferenceValue.
+ }
+
+ item description {
+ type string;
+ documentation """
+ Free-form textual description of the object. It is supposed to describe
+ the object or a construct that it is attached to.
+
+ This information may be presented to midPoint users, even to ordinary end users.
+ For example role description may be presented to users when they are selecting
+ roles to request. Therefore the description should be written in a language that
+ the users can understand.
+
+ Description is assumed to be a plan, non-formatted text.
+ Amount of white space is considered insignificant. E.g. leading and trailing
+ white space may be skipped, multiple spaces can be collapsed to one and so on.
+ """;
+ // ObjectType.description
+ // 10
+ }
+
+ item documentation {
+ type string;
+ documentation """
+ Technical documentation for a particular object or construct.
+
+ The purpose of this element is to document system configuration and behavior.
+ The documentation will not be presented to end users. In fact, it will probably
+ not be presented at all in midPoint user interface. This documentation element
+ is supposed to be a part of the technical documentation of midPoint deployment.
+ The tools than generate deployment configuration will look for these elements
+ and combine them to compiled documentation document.
+
+ AsciiDoc formatting is assumed for this element. Any leading or trailing
+ whitespace is skipped. Indentation equivalent to he indentation of the first
+ non-blank line of text is also skipped.
+ """;
+ // ObjectType.documentation
+ // 11
+ }
+
+ // Example of short version of container definition.
+ container {
+ name Assignment;
+ itemName assignment;
+
+ // item description; // TODO make this work
+ // item documentation; // TODO make this work
+ // item extension; // TODO make this work
+
+ // ...
+ }
+
+ container {
+ name Extension;
+ itemName extension;
+ documentation """
+ Extension container that provides generic extensibility mechanism.
+ Almost any extension property can be placed in this container.
+ This mechanism is used to extend objects with new properties.
+ The extension is treated exactly the same as other object
+ properties by the code (storage, modifications, etc), except
+ that the system may not be able to understand their meaning.
+ """;
+ // ObjectType.extension
+ // 1000
+ }
+
+ object GenericObject {
+ extends Focus;
+ itemName genericObject;
+ documentation """
+ Generic object for storing unknown (unexpected) object types.
+
+ The generic object should be used if there is a need to
+ store a custom object (e.g KangarooType) at deployment-time.
+ The properties of such custom objects are to be placed in the
+ extension part of this object. The schema is not checked or
+ enforced for this type of objects if technically possible.
+ """;
+ item objectType {
+ type uri; // TODO
+ // deprecated
+ }
+ }
+
+ container Trigger {
+ itemName trigger;
+ documentation """
+ Defines triggers for an object. Trigger is an action that should take place
+ at specified time or under some other condition.
+ """;
+ item timestamp {
+ type dateTime; // TODO
+ documentation """
+ The time when a trigger needs to be activated.
+ """;
+ }
+ item handlerUri {
+ type uri; // TODO
+ documentation """
+ Handler URI indirectly specifies which class is responsible to handle the task. The handler will
+ to be used to handle trigger activation.
+ """;
+ }
+ item originDescription {
+ type string;
+ documentation """
+ Short description of trigger origin, e.g. name of the mapping.
+ Used for diagnostic purposes.
+ """;
+ // true
+ // 4.0
+ }
+ item extension { // TODO
+ type Extension;
+ documentation """
+ Extension container used to provide additional situation-specific information to the trigger.
+ """;
+ }
+ }
+
+ container Metadata {
+ itemName metadata;
+ documentation """
+ Meta-data about data creation, modification, etc.
+ It may apply to objects but also parts of the object (e.g. assignments).
+
+ Meta-data only apply to successful operations. That is obvious for create, but it also applies
+ to modify. For obvious reasons there are no metadata about delete.
+ We keep no metadata about reading. That would be a huge performance hit.
+
+ Meta-data only describe the last operation of its kind. E.g. there is a record of last
+ modification, last approval, etc. There is no history. The last operation overwrites data
+ about the previous operation.
+
+ These data are informational only. They should not be used for security purposes (use auditing
+ subsystem for that). But presence of metadata simplifies system administration and may provide
+ some basic information "at the glance" which may be later confirmed by the audit logs.
+
+ Meta-data are also supposed to be searchable. Therefore they may be used to quickly find
+ "candidate" objects for a closer examination.
+ """;
+ // true
+ //
+ // Metadata
+
+ item requestTimestamp {
+ type dateTime;
+ documentation """
+ The timestamp of "create" operation request. It is set once and should never be changed.
+
+ In case of "background" processes to create object (e.g. create with approval)
+ this should be the timestamp when the process started. I.e. the timestamp when
+ the operation was requested.
+ """;
+ // MetadataType.requestTimestamp
+ // true
+ // 3.5
+ //
+ }
+
+ item requestor {
+ type ObjectReference;
+ documentation """
+ Reference to the user that requested the "create" operation for this object or assignment.
+ """;
+ // MetadataType.requestorRef
+ // true
+ // tns:UserType
+ //
+ }
+
+ item requestorComment {
+ type string;
+ documentation """
+ Comment of the user that requested the "create" operation for this object or assignment.
+ """;
+ // MetadataType.requestorComment
+ // true
+ // 3.7
+ }
+
+ item createTimestamp {
+ type dateTime;
+ documentation """
+ The timestamp of data creation. It is set once and should never be changed.
+
+ In case of "background" processes to create object (e.g. create with approval)
+ this should be the timestamp when the process ended. I.e. the timestamp when
+ the operation was executed.
+ """;
+ // MetadataType.createTimestamp
+ // true
+ // true
+ // 3.5
+ }
+
+ item creator {
+ type ObjectReference;
+ maxOccurs unbounded;
+ documentation """
+ Reference to the user that approved the creation of the data (if there was such a user).
+ This is multi-value reference therefore multiple approvers may be recorded. However the order and
+ hierarchy of the approvers is lost.
+ """;
+ // MetadataType.createApproverRef
+ // true
+ // true
+ // tns:UserType
+ }
+
+ item createApproverComment {
+ type string;
+ maxOccurs unbounded;
+ documentation """
+ Comments of the approvers during the creation of the data. Note that these comments are in no
+ particular order, so basically it is not known who entered which comment.
+ """;
+ // MetadataType.createApprovalComment
+ // true
+ // 3.7
+ }
+
+ item createApprovalTimestamp {
+ type dateTime;
+ documentation """
+ The timestamp of creation approval.
+ """;
+ // MetadataType.createApprovalTimestamp
+ // true
+ // 3.5
+ }
+
+ item createChannel {
+ type uri;
+ documentation """
+ Channel in which the object was created.
+ """;
+ // MetadataType.createChannel
+ // true
+ // true
+ }
+
+ item createTask {
+ type ObjectReference;
+ documentation """
+ Reference to the task that created the object (if it was a persistent one).
+ """;
+ // MetadataType.createTaskRef
+ // true
+ // tns:TaskType
+ // 3.7
+ }
+
+ item modifyTimestamp {
+ type dateTime;
+ // MetadataType.modifyTimestamp
+ // true
+ // true
+ }
+
+ item modifier {
+ type ObjectReference;
+ // MetadataType.modifierRef
+ // true
+ // true
+ // tns:UserType
+ }
+
+ item modifyApprover {
+ type ObjectReference;
+ maxOccurs unbounded;
+ // MetadataType.modifyApproverRef
+ // true
+ // true
+ // tns:UserType
+ }
+
+ item modifyApprovalComment {
+ type string;
+ maxOccurs unbounded;
+ // MetadataType.modifyApprovalComment
+ // true
+ // 3.7
+ }
+
+ item modifyChannel {
+ type uri;
+ // MetadataType.modifyChannel
+ // true
+ // true
+ }
+
+ item modifyTask {
+ type ObjectReference;
+ // MetadataType.modifyTaskRef
+ // true
+ // tns:TaskType
+ // 3.7
+ }
+
+ item lastProvisioningTimestamp {
+ type dateTime;
+ // MetadataType.lastProvisioningTimestamp
+ // true
+ // 3.6.1
+ }
+
+ item certificationFinishedTimestamp {
+ type dateTime;
+ // MetadataType.certificationFinishedTimestamp
+ // true
+ // 3.7
+ }
+
+ item certificationOutcome {
+ type string;
+ // MetadataType.certificationOutcome
+ // true
+ // 3.7
+ }
+
+ item certifier {
+ type ObjectReference;
+ // MetadataType.certifierRef
+ // true
+ // tns:UserType
+ // 3.7
+ }
+
+ item certifierComment {
+ type string;
+ maxOccurs unbounded;
+ // MetadataType.certifierComment
+ // true
+ // 3.7
+ }
+
+ item originMappingName {
+ type string;
+ // MetadataType.originMappingName
+ // true
+ // 3.7
+ }
+ }
+
+ // axiom
+ type uri;
+ type int;
+ type binary;
+ type dateTime;
+
+ // types-3
+ type PolyString;
+
+ // query-3
+ type SearchFilter;
+ type EvaluationTime;
+ type ReferentialIntegrity;
+
+ // ???
+ type Extension;
+
+ // common-3
+ type OperationResult;
+ type ObjectReference;
+ type OperationExecution;
+ type LensContext;
+ type PolicyException;
+ type DiagnosticInformation;
+ type Credentials;
+ type AdminGuiConfiguration;
+ type Activation;
+
+ // should exist because of "container XXX"
+ type Trigger;
+ type Assignment;
+
+ // why these are not found?
+ type string;
+}
diff --git a/infra/axiom/src/test/resources/scripting.axiom b/infra/axiom/src/test/resources/scripting.axiom
new file mode 100644
index 00000000000..8c25026d492
--- /dev/null
+++ b/infra/axiom/src/test/resources/scripting.axiom
@@ -0,0 +1,184 @@
+// Copyright (c) 2020 Evolveum and contributors
+//
+// This work is dual-licensed under the Apache License 2.0
+// and European Union Public License. See LICENSE file for details.
+
+model scripting {
+
+ namespace "http://midpoint.evolveum.com/xml/ns/public/model/scripting-3";
+ version "3.0.0";
+
+ type ScriptingExpressionEvaluationOptions {
+ documentation """
+ Options related to evaluation of scripting expression.
+ EXPERIMENTAL
+ In the future, these may become part of any scripting expression, allowing parts of a complex expression
+ to be evaluated differently from its other parts.
+ """;
+ item continueOnAnyError {
+ type boolean;
+ }
+ item hideOperationResults {
+ type boolean;
+ }
+ }
+
+ type ScriptingVariablesDefinition {
+ documentation """
+ Definition of scripting variables.
+ """;
+ item variable {
+ type ScriptingVariableDefinition;
+ maxOccurs unbounded;
+ }
+ }
+
+ type ScriptingVariableDefinition {
+ documentation """
+ Definition of a scripting variable.
+ Expression types other than path-based ones are to be considered EXPERIMENTAL.
+ """;
+ item name {
+ type string;
+ minOccurs 1;
+ }
+ item description {
+ type string;
+ }
+ item type {
+ type QName;
+ }
+ item maxOccurs {
+ type string;
+ }
+ item expression {
+ type Expression;
+ minOccurs 1;
+ }
+ }
+
+ type ScriptingExpression {
+ itemName scriptingExpression;
+ documentation """
+ Root of the expression type inheritance hierarchy.
+ """;
+ }
+
+ type ExpressionPipeline {
+ extends ScriptingExpression;
+ documentation """
+ Pipeline of expressions - they are executed one after another,
+ input sent to the pipeline as a whole is sent to the first expression.
+ Output from the N-th expression is sent as an input to the N+1-th expression.
+ Output of the last expression is considered to be the output of the whole
+ pipeline.
+ """;
+ item scriptingExpression {
+ type ScriptingExpression; // TODO make it works without this (i.e. as item ref)
+ maxOccurs unbounded;
+ }
+ }
+
+ item pipeline {
+ type ExpressionPipeline;
+ // substitution of scriptingExpression, heterogeneous list item
+ }
+
+ type ExpressionSequence {
+ extends ScriptingExpression;
+ documentation """
+ Sequence of expressions - they are executed one after another,
+ input sent to the sequence as a whole is then sent individually
+ to each expression. Output of the last expression is considered
+ to be the output of the whole sequence.
+ """;
+ item scriptingExpression {
+ type ScriptingExpression; // TODO make it works without this (i.e. as item ref)
+ maxOccurs unbounded;
+ }
+ }
+
+ item sequence {
+ type ExpressionSequence;
+ // substitution of scriptingExpression, heterogeneous list item
+ }
+
+ type SearchExpression {
+ extends ScriptingExpression;
+ documentation """
+ Queries the model for objects of a given type, optionally fulfilling given condition.
+ """;
+
+ item type {
+ type QName;
+ documentation """
+ Type whose instances are searched for.
+ """;
+ }
+
+ item query {
+ type Query;
+ documentation """
+ Query to apply when searching for instances. (Alternative to searchFilter. This is tried as the first one.)
+ """;
+ }
+
+ item searchFilter {
+ type SearchFilter;
+ documentation """
+ Filter to apply when searching for instances. (Alternative to query. This is tried as second one.)
+ """;
+ }
+
+ item options {
+ type SelectorQualifiedGetOptions;
+ }
+
+ item parameter {
+ type ActionParameterValue;
+ maxOccurs unbounded;
+ }
+
+ item scriptingExpression {
+ type ScriptingExpression; // TODO make it works without this (i.e. as item ref)
+ documentation """
+ Expression to evaluate for each object found.
+ """;
+ }
+
+ item aggregateOutput {
+ type boolean;
+ documentation """
+ Whether to aggregate and pass forward the output of expression evaluations that are done
+ for each object found. (Meaningful only if scriptingExpression is specified.)
+ Default is true for compatibility reasons. Set to false to optimize memory consumption.
+ """;
+ // since 3.7.1
+ }
+ }
+
+ item search {
+ type SearchExpression;
+ // substitution of scriptingExpression, heterogeneous list item
+ }
+
+ // and so on ...
+
+ // Types (temporary)
+
+ type ActionParameterValue;
+
+ // query-3
+ type Query;
+ type SearchFilter;
+
+ // common-3
+ type Expression;
+ type SelectorQualifiedGetOptions;
+
+ // basic
+ type QName;
+ type boolean;
+ type string;
+}
+
diff --git a/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd b/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
index d8d4453e3bc..b8a76d7de55 100755
--- a/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
+++ b/infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd
@@ -83,9 +83,6 @@
white space may be skipped, multiple spaces can be collapsed to one and so on.
-
- 4.1
-
@@ -109,6 +106,9 @@
non-blank line of text is also skipped.
+
+ 4.1
+