Merge remote-tracking branch 'refs/remotes/origin/master'

NEWS

@@ -1,12 +1,12 @@
-MidPoint 4.6 "Baumgarten"
--------------------------
+MidPoint 4.7 "Johnson" RC2
+--------------------------
 
-Release 4.6 is a forty-third midPoint release code-named Baumgarten.
-The 4.6 release brings substantial GUI improvements, smart correlation, resource inheritance, and many smaller enhancements.
+Release 4.7 is a forty-fifth midPoint release code-named Johnson.
+The 4.7 release brings simulation and preview features, object marks and improvements to identity governance reporting, password reset and user experience.
 
-Release date: 21st October 2022
+Release date: April 2023
 Release type: Feature release
-End of support: 21st October 2023
+End of support: April 2024
 
 Please see the release notes for detailed list of changes:
-https://docs.evolveum.com/midpoint/release/4.6/
+https://docs.evolveum.com/midpoint/release/4.7/

RELEASE-NOTES

@@ -1,3 +1,3 @@
 To see actual releases notes please go to:
 
-https://docs.evolveum.com/midpoint/release/4.6/
+https://docs.evolveum.com/midpoint/release/4.7/

gui/admin-gui/src/frontend/scss/midpoint.scss

@@ -1829,3 +1829,13 @@ th.debug-list-buttons {
     }
   }
 }
+
+.metric-widget {
+  background-color: $white;
+}
+
+@include dark-mode() {
+  .metric-widget {
+    background-color: $dark;
+  }
+}

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/util/WebComponentUtil.java

@@ -34,6 +34,8 @@
 
 import com.evolveum.midpoint.gui.impl.page.admin.user.PageUserHistory;
 
+import com.evolveum.midpoint.web.security.MidPointAuthWebSession;
+
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.lang3.BooleanUtils;
 import org.apache.commons.lang3.StringUtils;
@@ -5771,4 +5773,9 @@ public static boolean isEnabledExperimentalFeatures() {
 
         return profile != null && BooleanUtils.isTrue(profile.isEnableExperimentalFeatures());
     }
+
+    public static boolean isDarkModeEnabled() {
+        MidPointAuthWebSession session = MidPointAuthWebSession.get();
+        return session.getSessionStorage().getMode() == SessionStorage.Mode.DARK;
+    }
 }

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/admin/simulation/widget/MetricWidgetPanel.html

@@ -27,9 +27,9 @@ <h3 class="mb-0" wicket:id="value"/>
             </div>
         </div>
     </div>
-    <a class="rounded-bottom text-center p-1" wicket:id="moreInfo">
-        <span class="text-white"><wicket:message key="MetricWidgetPanel.open"/></span>
-        <i class="ml-1 fa-solid fa-circle-arrow-right text-white"></i>
+    <a class="rounded-bottom text-center p-1 border-top" wicket:id="moreInfo">
+        <span><wicket:message key="MetricWidgetPanel.open"/></span>
+        <i class="ml-1 fa-solid fa-circle-arrow-right"></i>
     </a>
 </wicket:panel>
 </body>

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/admin/simulation/widget/MetricWidgetPanel.java

@@ -34,7 +34,7 @@
 import com.evolveum.midpoint.gui.api.component.BadgePanel;
 import com.evolveum.midpoint.gui.api.page.PageBase;
 import com.evolveum.midpoint.gui.api.util.GuiDisplayTypeUtil;
-import com.evolveum.midpoint.gui.api.util.WebComponentUtil;
+import com.evolveum.midpoint.gui.api.util.LocalizationUtil;
 import com.evolveum.midpoint.gui.api.util.WebModelServiceUtils;
 import com.evolveum.midpoint.gui.impl.component.data.column.CompositedIconPanel;
 import com.evolveum.midpoint.gui.impl.component.icon.CompositedIcon;
@@ -222,20 +222,21 @@ private ObjectFilter createObjectFilter(CollectionRefSpecificationType collectio
     }
 
     private void initLayout() {
-        add(AttributeModifier.prepend("class", "d-flex flex-column border rounded bg-white"));
+        add(AttributeModifier.prepend("class", "metric-widget d-flex flex-column border rounded"));
 
         IModel<String> titleModel = () -> {
             DisplayType display = getModelObject().getDisplay();
-            return display != null ? WebComponentUtil.getTranslatedPolyString(display.getLabel()) : null;
+            return display != null ? LocalizationUtil.translatePolyString(display.getLabel()) : null;
         };
 
         Label title = new Label(ID_TITLE, titleModel);
         title.add(AttributeAppender.append("title", titleModel));
         add(title);
 
+        // todo implement properly and make visible
         BadgePanel trendBadge = new BadgePanel(ID_TREND_BADGE, () -> {
             Badge badge = new Badge();
-            badge.setCssClass("badge badge-success trend trend-success");   // todo implement properly and make visible
+            badge.setCssClass("badge badge-success trend trend-success");
             badge.setIconCssClass("fa-solid fa-arrow-trend-up mr-1");
             badge.setText("+3,14%");
             return badge;
@@ -251,7 +252,7 @@ private void initLayout() {
         Label valueDescription = new Label(ID_VALUE_DESCRIPTION, createDescriptionModel());
         add(valueDescription);
 
-        IModel<CompositedIcon> iconModel = () -> createIcon();
+        IModel<CompositedIcon> iconModel = this::createIcon;
 
         CompositedIconPanel icon = new CompositedIconPanel(ID_ICON, iconModel);
         icon.add(new VisibleBehaviour(() -> isIconVisible(iconModel)));
@@ -262,14 +263,14 @@ private void initLayout() {
         chartContainer.setOutputMarkupId(true);
         add(chartContainer);
 
-        AjaxLink moreInfo = new AjaxLink<>(ID_MORE_INFO) {
+        AjaxLink<Void> moreInfo = new AjaxLink<>(ID_MORE_INFO) {
             @Override
             public void onClick(AjaxRequestTarget target) {
                 onMoreInfoPerformed(target);
             }
         };
-        moreInfo.add(new VisibleBehaviour(() -> isMoreInfoVisible()));
-        moreInfo.add(AttributeAppender.append("class", () -> hasZeroValue(valueModel) ? "bg-secondary" : "bg-primary"));
+        moreInfo.add(new VisibleBehaviour(this::isMoreInfoVisible));
+        moreInfo.add(AttributeAppender.append("class", () -> hasZeroValue(valueModel) ? "text-secondary" : "text-primary"));
         add(moreInfo);
     }
 
@@ -314,7 +315,7 @@ private IModel<String> createDescriptionModel() {
         return () -> {
             DisplayType display = getModelObject().getDisplay();
             if (display != null && display.getTooltip() != null) {
-                return WebComponentUtil.getTranslatedPolyString(display.getTooltip());
+                return LocalizationUtil.translatePolyString(display.getTooltip());
             }
 
             MarkType mark = markModel.getObject();
@@ -324,7 +325,7 @@ private IModel<String> createDescriptionModel() {
 
             display = mark.getDisplay();
 
-            return WebComponentUtil.getTranslatedPolyString(display.getTooltip());
+            return LocalizationUtil.translatePolyString(display.getTooltip());
         };
     }
 

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/prism/panel/ShadowPanel.html

@@ -35,5 +35,14 @@
             </div>
         </div>
     </wicket:enclosure>
+    <wicket:enclosure child="policyStatement">
+        <div class="row">
+            <div class="col-md-12">
+                <div class="top-level-prism-container">
+                    <div wicket:id="policyStatement"/>
+                </div>
+            </div>
+        </div>
+    </wicket:enclosure>
 </wicket:panel>
 </html>

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/prism/panel/ShadowPanel.java

@@ -44,6 +44,7 @@ public class ShadowPanel extends BasePanel<ShadowWrapper> {
     private static final String ID_ASSOCIATIONS = "associations";
     private static final String ID_ACTIVATION = "activation";
     private static final String ID_PASSWORD = "password";
+    private static final String ID_POLICY_STATEMENT = "policyStatement";
 
     private ContainerPanelConfigurationType config;
     private IModel<ResourceType> resourceModel;
@@ -132,6 +133,14 @@ protected ItemVisibility getVisibility(ItemWrapper itemWrapper) {
                     passwordSettingsBuilder.build());
             passwordPanel.add(new VisibleBehaviour(() -> isCredentialsSupported()));
             add(passwordPanel);
+
+            ItemPanelSettingsBuilder markSettingsBuilder = new ItemPanelSettingsBuilder()
+                    .visibilityHandler(itemWrapper -> checkShadowContainerVisibility(itemWrapper, getModel()));
+            Panel markPanel = getPageBase().initItemPanel(ID_POLICY_STATEMENT, PolicyStatementType.COMPLEX_TYPE,
+                    PrismContainerWrapperModel.fromContainerWrapper(getModel(), ItemPath.create(ShadowType.F_POLICY_STATEMENT)),
+                    markSettingsBuilder.build());
+            markPanel.add(new VisibleBehaviour(() -> isPolicyStatementSupported()));
+            add(markPanel);
         } catch (SchemaException e) {
             getSession().error("Cannot create panels for shadow, reason: " + e.getMessage());
             LOGGER.trace("Cannot create panels for shadow, reason: {}", e.getMessage(), e);
@@ -162,4 +171,8 @@ private boolean isCredentialsSupported() {
         ShadowType shadowType = getModelObject().getObjectOld().asObjectable();
         return WebComponentUtil.isPasswordSupported(shadowType, resourceModel);
     }
+
+    private boolean isPolicyStatementSupported() {
+        return getPageBase().getRepositoryService().supportsMarks();
+    }
 }

infra/schema/src/main/resources/xml/ns/public/common/common-policy-3.xsd

@@ -3147,6 +3147,9 @@
 
     <xsd:complexType name="PolicyStatementType">
       <xsd:annotation>
+          <xsd:documentation>
+              Statement specifying explicit include (marking) of object or exclude from specified policy.
+          </xsd:documentation>
           <xsd:appinfo>
               <a:container/>
           </xsd:appinfo>
@@ -3159,11 +3162,20 @@
                 </xsd:documentation>
                 <xsd:appinfo>
                     <a:objectReferenceTargetType>tns:MarkType</a:objectReferenceTargetType>
-                    <a:experimental>true</a:experimental>
+                    <a:displayName>PolicyStatementType.markRef</a:displayName>
                 </xsd:appinfo>
             </xsd:annotation>
          </xsd:element>
-         <xsd:element name="type" type="tns:PolicyStatementTypeType" />
+         <xsd:element name="type" type="tns:PolicyStatementTypeType">
+            <xsd:annotation>
+                <xsd:documentation>
+                   Type of policy statement.
+                   apply: mark is applied to object explicitly.
+                   exclude: mark is not applied to object even if it matches policy specific for mark.
+                </xsd:documentation>
+            </xsd:annotation>
+         </xsd:element>
+
          <xsd:element name="metadata" type="tns:MetadataType" minOccurs="0"/>
       </xsd:sequence>
     </xsd:complexType>

model/report-impl/src/test/resources/reports/report-indirect-assignments.xml

@@ -120,7 +120,7 @@ If enhanced, add the features into 200-report-indirect-assignments.xml as well.
             <column>
                 <name>nameColumn</name>
                 <display>
-                    <label>Role</label>
+                    <label>Name</label>
                 </display>
                 <previousColumn>user</previousColumn>
                 <export>

pom.xml

@@ -998,7 +998,7 @@
                 <groupId>com.evolveum.polygon</groupId>
                 <artifactId>connector-ldap</artifactId>
                 <!-- Do not forget to update provisioning/ucf-impl-connid/src/test/resources/connector-ldap.xml when changing connector version. -->
-                <version>3.6.1-SNAPSHOT</version>
+                <version>3.6.1</version>
                 <exclusions>
                     <!-- Needed otherwise the JDK14 SLF4J binding can override the midpoint's logback binding -->
                     <exclusion>

provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/shadows/manager/ShadowDeltaComputerAbsolute.java

@@ -19,6 +19,7 @@
 import com.evolveum.midpoint.provisioning.impl.ProvisioningContext;
 import com.evolveum.midpoint.provisioning.impl.shadows.ShadowsNormalizationUtil;
 import com.evolveum.midpoint.provisioning.util.ProvisioningUtil;
+import com.evolveum.midpoint.repo.common.ObjectOperationPolicyHelper;
 import com.evolveum.midpoint.schema.constants.SchemaConstants;
 import com.evolveum.midpoint.schema.processor.ResourceAttributeDefinition;
 import com.evolveum.midpoint.schema.processor.ResourceObjectDefinition;
@@ -137,6 +138,7 @@ private DeltaComputation(
             }
 
             if (fromResource) { // TODO reconsider this
+                updateEffectiveMarks();
                 if (cachingStrategy == CachingStrategyType.NONE) {
                     clearCachingMetadata();
                 } else if (cachingStrategy == CachingStrategyType.PASSIVE) {
@@ -149,6 +151,19 @@ private DeltaComputation(
             return computedShadowDelta;
         }
 
+        private void updateEffectiveMarks() throws SchemaException {
+            // protected status of resourceShadow was computed without exclusions present in
+            // original shadow
+            if (!resourceObject.getEffectiveMarkRef().isEmpty()) {
+                // We should check if marks computed on resourceObject without exclusions should
+                // be excluded and not propagated to repository layer.
+                ItemDelta<?, ?> delta = ObjectOperationPolicyHelper.get().computeEffectiveMarkDelta(repoShadow, resourceObject.getEffectiveMarkRef());
+                if (delta != null) {
+                    computedShadowDelta.addModification(delta);
+                }
+            }
+        }
+
         private void updateShadowName() throws SchemaException {
             PolyString resourceObjectName = ShadowUtil.determineShadowName(resourceObject);
             PolyString repoShadowName = PolyString.toPolyString(repoShadow.getName());

provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/dummy/TestDummy.java

@@ -3652,6 +3652,13 @@ public void test501GetProtectedAccountShadow() throws Exception {
         assertEquals("" + account + " is not protected", Boolean.TRUE, account.asObjectable().isProtectedObject());
         checkUniqueness(account);
 
+        if (areMarksSupported()) {
+            // Check if effective mark is applied in repository
+            PrismObject<ShadowType> repoAccount = repositoryService.getObject(ShadowType.class, ACCOUNT_DAEMON_OID, null, result);
+            var effectiveMarks = repoAccount.asObjectable().getEffectiveMarkRef();
+            assertTrue("Effective marks should not be empty", effectiveMarks.stream().anyMatch(r -> SystemObjectsType.MARK_PROTECTED.value().equals(r.getOid())));
+        }
+
         assertSuccess(result);
         assertSteadyResource();
     }

provisioning/ucf-impl-connid/src/test/resources/connector-ldap.xml

@@ -12,7 +12,7 @@
     <name>ICF com.evolveum.polygon.connector.ldap.LdapConnector</name>
     <framework>http://midpoint.evolveum.com/xml/ns/public/connector/icf-1</framework>
     <connectorType>com.evolveum.polygon.connector.ldap.LdapConnector</connectorType>
-    <connectorVersion>3.6.1-SNAPSHOT</connectorVersion>
+    <connectorVersion>3.6.1</connectorVersion>
     <connectorBundle>com.evolveum.polygon.connector-ldap</connectorBundle>
     <namespace>http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.LdapConnector</namespace>
     <schema>

repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/ObjectOperationPolicyHelper.java

@@ -56,6 +56,11 @@ private abstract class Impl {
             return null;
         }
 
+        public ItemDelta<?, ?> computeEffectiveMarkDelta(@NotNull ShadowType repoShadow,
+                List<ObjectReferenceType> effectiveMarkRef) throws SchemaException {
+            return null;
+        }
+
     }
 
     private static final String MARK_PROTECTED_SHADOW_OID = SystemObjectsType.MARK_PROTECTED.value();
@@ -315,6 +320,41 @@ protected boolean containsPolicyStatement(@NotNull ObjectType shadow, @NotNull S
                     .asItemDelta();
         }
 
+        @Override
+        public ItemDelta<?, ?> computeEffectiveMarkDelta(@NotNull ShadowType repoShadow,
+                List<ObjectReferenceType> effectiveMarks) throws SchemaException {
+            List<ObjectReferenceType> refsToDelete = new ArrayList<>();
+            List<ObjectReferenceType> refsToAdd = new ArrayList<>();
+            for (ObjectReferenceType mark : effectiveMarks) {
+                if (policyNotExcluded(repoShadow, mark.getOid()) && !containsRef(repoShadow.getEffectiveMarkRef(), mark)) {
+                    // Computed mark is not explicitly excluded, we may need to add it
+                    // if not present in repository
+                    refsToAdd.add(mark.clone());
+
+                }
+            }
+
+            // Shadow is not protected by resource policy
+            //   - We need to check repository shadow if it contains protected mark,
+            //   - which was maybe introduced by previously being protected by resource policy
+            if (!containsOid(effectiveMarks, MARK_PROTECTED_SHADOW_OID)
+                    && isProtectedByResourcePolicy(repoShadow, repoShadow.getEffectiveMarkRef())) {
+                refsToDelete.add(new ObjectReferenceType().oid(MARK_PROTECTED_SHADOW_OID).type(MarkType.COMPLEX_TYPE));
+            }
+
+            if (refsToDelete.isEmpty() && refsToAdd.isEmpty()) {
+                // Nothing to add or remove.
+                return null;
+            }
+            return PrismContext.get().deltaFor(ObjectType.class)
+                    .item(ObjectType.F_EFFECTIVE_MARK_REF)
+                    .deleteRealValues(refsToDelete)
+                    .addRealValues(refsToAdd)
+                    .asItemDelta();
+
+
+        }
+
         private ObjectReferenceType findEffectiveImpliedByStatement(ArrayList<ObjectReferenceType> effectiveMarks, String oid) {
             for (ObjectReferenceType mark : effectiveMarks) {
                 if (oid.equals(mark.getOid()) && isImpliedByStatement(mark)) {
@@ -412,4 +452,8 @@ public static OperationPolicyConfigurationType firstNonDefaultValue(Collection<M
     public ItemDelta<?, ?> computeEffectiveMarkDelta(ObjectType repoShadow, ItemDelta<?, ?> modification) throws SchemaException {
         return behaviour.computeEffectiveMarkDelta(repoShadow, modification);
     }
+
+    public ItemDelta<?, ?> computeEffectiveMarkDelta(@NotNull ShadowType repoShadow, List<ObjectReferenceType> effectiveMarkRef) throws SchemaException {
+        return behaviour.computeEffectiveMarkDelta(repoShadow, effectiveMarkRef);
+    }
 }

repo/system-init/src/main/resources/initial-objects/report/200-report-indirect-assignments.xml

@@ -95,7 +95,7 @@
             <column>
                 <name>nameColumn</name>
                 <display>
-                    <label>Role</label>
+                    <label>Name</label>
                 </display>
                 <previousColumn>user</previousColumn>
                 <export>

tools/jenkins/midpoint-conntest-pipeline

@@ -64,9 +64,12 @@ podTemplate(
                     """
                     currentBuild.result = 'SUCCESS'
 
-                    step([$class: 'Publisher', reportFilenamePattern: '**/testng-results.xml'])
+                    step([$class: 'Publisher',
+                        reportFilenamePattern: '**/testng-results.xml',
+                        failureOnFailedTestConfig: true // TODO we don't want failure, but how can we make it unstable?
+                    ])
 
-                    if (currentBuild.result == 'UNSTABLE' || params.ARCHIVE_LOGS) {
+                    if (currentBuild.result == 'UNSTABLE' || currentBuild.result == 'FAILURE' || params.ARCHIVE_LOGS) {
                         sh "tar --transform \"s-.*/--g\" -cvzf conntest-log.tgz testing/conntest/target/test.log"
 	                    archiveArtifacts allowEmptyArchive: true, artifacts: "conntest-log.tgz", followSymlinks: false
                     }