Merge branch 'master' into feature/secrets-provider

dist/src/main/bin/midpoint.bat

@@ -30,6 +30,11 @@ if not exist "%BIN_DIR%midpoint.bat" (
 )
 
 set ORIG_JAVA_OPTS=%JAVA_OPTS%
+
+if NOT "%MP_SET_midpoint_administrator_initialPassword%" == "" (
+  set JAVA_OPTS=%JAVA_OPTS% -Dmidpoint.administrator.initialPassword="%MP_SET_midpoint_administrator_initialPassword%"
+)
+
 set JAVA_OPTS=-Xms2048M -Xmx4096M -Dpython.cachedir="%MIDPOINT_HOME%\tmp" -Djavax.net.ssl.trustStore="%MIDPOINT_HOME%\keystore.jceks" -Djavax.net.ssl.trustStoreType=jceks %JAVA_OPTS%
 
 if not exist "%BIN_DIR%setenv.bat" goto :noSetEnv

dist/src/main/bin/midpoint.sh

@@ -236,8 +236,12 @@ while read line; do
   ### exception for *_FILE key name ###
   [ "${_key: -5}" = ".FILE" ] && _key="${_key::$((${#_key} - 5))}_FILE"
   ###
-
-  echo "Processing variable (MAP) ... ${_key} .:. ${_val}" >&2
+  if [ "${_key: -7}" = "assword" ]
+  then
+    echo "Processing variable (MAP) ... ${_key} .:. *****" >&2
+  else
+    echo "Processing variable (MAP) ... ${_key} .:. ${_val}" >&2
+  fi
 
   if [ "${_key:0:1}" = "." ]; then
     JAVA_OPTS="${JAVA_OPTS:-} -D${_key:1}=\"${_val}\""

dist/src/main/bin/ninja.sh

@@ -27,8 +27,6 @@ JAVA_OPTS="${JAVA_OPTS:- }"
 
 JAVA_def_Xms="1g"
 JAVA_def_Xmx="2g"
-JAVA_def_trustStore="keystore.jceks"
-JAVA_def_trustStoreType="jceks"
 ENV_MAP_PREFIX="MP_SET_"
 ENV_UNMAP_PREFIX="MP_UNSET_"
 
@@ -189,8 +187,6 @@ if $(echo "${JAVA_OPTS:-}" | grep -v -q "\-Xms[0-9]"); then
 fi
 
 if $(echo "${JAVA_OPTS:-}" | grep -v -q "\-Dmidpoint.home="); then JAVA_OPTS="${JAVA_OPTS:-} -Dmidpoint.home=\"${MIDPOINT_HOME}\""; fi
-if $(echo "${JAVA_OPTS:-}" | grep -v -q "\-Djavax.net.ssl.trustStore="); then JAVA_OPTS="${JAVA_OPTS:-} -Djavax.net.ssl.trustStore=\"${MIDPOINT_HOME}/${JAVA_def_trustStore}\""; fi
-if $(echo "${JAVA_OPTS:-}" | grep -v -q "\-Djavax.net.ssl.trustStoreType="); then JAVA_OPTS="${JAVA_OPTS:-} -Djavax.net.ssl.trustStoreType=${JAVA_def_trustStoreType}"; fi
 
 # clean up white spaces in case of key/value removal from the original JAVA_OPTS parameter set
 JAVA_OPTS="$(echo "${JAVA_OPTS:-}" | tr -s [[:space:]] " " | sed "s/^[[:space:]]//;s/[[:space:]]$//")"

docs/admin-gui/midpoint-jar-signature-status/index.adoc

@@ -0,0 +1,33 @@
+= MidPoint JAR Signature Status
+
+In order to provide an indication of midPoint build origin, the JAR file is signed by us during the build process.
+This signature is then checked during the startup of midPoint, and the result is displayed on the About page.
+There are currently three options there:
+
+== Official Build
+
+Here `midpoint.jar` has a signature that was made by us, and is valid.
+
+The "Official build by Evolveum" message is displayed, along with the green "tick" icon.
+
+.An example of the official build
+image::jar-official.png[JAR - official build]
+
+== Unofficial Build
+
+Here `midpoint.jar` has either no signature, or an invalid one, or a valid one but not done by us.
+It is also possible that there is no `midpoint.jar` here, e.g. if midPoint is run from IDE.
+
+The "Unofficial build" message is displayed, along with the yellow "exclamation mark" icon.
+
+.An example of an unofficial build
+image::jar-unofficial.png[JAR - unofficial build]
+
+== Overlay
+
+As a special case, overlay build cannot be signed by us, as `midpoint.jar` is re-packaged by the overlay build.
+To avoid the "Unofficial build" message, the overlay should be marked by the presence of `overlay-info.txt` file.
+In such cases, midPoint recognizes it, and displays a special "overlay" message.
+
+.An example of an overlay build
+image::jar-overlay.png[JAR - overlay]

docs/admin-gui/self-service/index.adoc

@@ -228,22 +228,40 @@ Old password field and Password propagation section can be configured (can be hi
 <password>
     <propagationUserControl>mapping</propagationUserControl>
     <passwordChangeSecurity>oldPassword</passwordChangeSecurity>
+    <passwordHintConfigurability>alwaysConfigure</passwordHintConfigurability>
 </password>
 ----
 
 [%autowidth]
 |===
 | Attribute | Description | Possible values
 
-| propagationUserControl
+| *propagationUserControl*
 | Constraints that define how propagation of the credentials can be controlled by the +
 user. E.g. if user can choose where the password change will be propagated.
-| _mapping_ (Credentials propagation will be determined by the mappings. User cannot choose where the credentials will be propagated.The credentials propagation dialog will not be shown.)_userChoice_ (The user can choose where the credentials will be propagated.The propagation dialog will be shown.)onlyMapping(Credentials propagation will be determined by the mappings. User cannot choose where the credentials will be propagated. But the propagation dialog will be shown.)identityManagerMandatory(Identity Manager Repository will be propagated always. The user can choose where the other credentials will be propagated. The propagation dialog will be shown.)
+| _**mapping**_ (Credentials propagation will be determined by the mappings. User cannot choose where the credentials will be propagated.The credentials propagation dialog will not be shown.)
 
+_**userChoice**_ (The user can choose where the credentials will be propagated.The propagation dialog will be shown.)
+
+_**onlyMapping**_(Credentials propagation will be determined by the mappings. User cannot choose where the credentials will be propagated. But the propagation dialog will be shown.)
+
+_**identityManagerMandatory**_(Identity Manager Repository will be propagated always. The user can choose where the other credentials will be propagated. The propagation dialog will be shown.)
 
 | passwordChangeSecurity
-| Additional security applied when changing a password.This applies when user is changing his own password. It does NOT applywhen administrator changes password of other user.
-| _none_ (No additional security. Password can be changed by supplying new value.)_oldPassword_ (User must supply old password to change the password.)
+| Additional security applied when changing a password.This applies when user is changing his own password. It does NOT apply when administrator changes password of other user.
+| _**none**_ (No additional security. Password can be changed by supplying new value.)
+
+_**oldPassword**_ (User must supply old password to change the password.)
+
+_**oldPasswordIfExists**_ (User must supply old password, if exists, to change the password.)
+
+| *passwordHintConfigurability*
+| Additional configurability applied when changing or resetting a password.
+This applies when user is changing or resetting his own password. It does NOT apply
+when administrator changes password of other user. Default value is _**alwaysConfigure**_.
+| _**alwaysConfigure**_ (Always configurable password hint, during changing and resetting password.)
+
+_**neverConfigure**_ (Never configurable password hint, during changing and resetting password.)
 
 |===
 
@@ -284,4 +302,4 @@ image::image2017-1-16-1-34-10.png[]
 
 The view also can be switched to All organizations view - to see all available organizatoins, All roles view - to see all available roles and All services view - to see all available services.
 
-Only requestable items should be displayed on the Request a role page. Requestable is a status which is computed according to Requestable field of the assignable item and according to the authorizations of the user (for now, this requestable status is computed only for Role type objects).
+Only requestable items should be displayed on the Request a role page. Requestable is a status which is computed according to Requestable field of the assignable item and according to the authorizations of the user (for now, this requestable status is computed only for Role type objects).

docs/concepts/query/midpoint-query-language/index.adoc

@@ -37,7 +37,7 @@ Examples how to use the midPoint query in GUI can be found in xref:/midpoint/gui
 
 === Using in Configuration
 
-Advanced query filters can be used in any configuration place. In XML configuration files it is wrapped inside `<text>` element inside `<filter>` element.
+MidPoint Query filters can be used in any configuration place. In XML configuration files it is wrapped inside `<text>` element inside `<filter>` element.
 
 For example query `givenName startsWith "J"` is stored in midPoint configuration this way.
 

docs/concepts/query/midpoint-query-language/introduction.adoc

@@ -136,6 +136,34 @@ You can use round brackets to group logical statements into more readable form.
 familyName = "Doe" and (givenName = "John" or givenName ="Bill")
 ----
 
+=== Object selection
+
+Midpoint performs queries over defined set of objects.
+In GUI, the set is defined by actually opened view.
+
+In configuration, the object type must be *explicitly specified* for the query.
+Not within the query itself.
+See the configuration snippet below. The query will select `User` with name "XYZ".
+
+[source,XML]
+----
+    <activity>
+        <work>
+            <recomputation>
+                <objects>
+                    <type>UserType</type>
+                    <query>
+                        <q:filter>
+                            <q:text>name = "XYZ"</q:text>
+                        </q:filter>
+                    </query>
+                </objects>
+            </recomputation>
+        </work>
+    </activity>
+----
+
+
 == Advanced filters
 
 === matches filter

docs/concepts/query/midpoint-query-language/query-playground/index.adoc

@@ -1,14 +1,16 @@
 = Query Playground and Query Converter
-:page-nav-title: Errors while querying
+:page-nav-title: Query playground and converter
 :page-display-order: 600
 
-To experiment with the query language, there is hardly a better place than the actual running midPoint.
-Log in the GUI as administrator and choose *Query playground* in the main menu on the left, all the way down, just above *About*.
+To experiment with the query language, there is hardly a better place than the actually running midPoint.
+
 
 [#_query_playground]
 == Query playground
 
+Log in the GUI as administrator and choose *Query playground* in the main menu on the left, all the way down, just above *About*.
 
+image:query-playground.png[Query playground]
 
 To test the query, you have to:
 
@@ -63,7 +65,7 @@ To do this, follow these steps:
     </script>
 </expression>
 ----
-* Choose the *Object type*, just like for any other query.
+* Select the *Object type*, just like for any other query.
 Just use the type from `queryFor(...)` call, in our example `FocusType`.
 If the query does not provide expected results, very likely the object type selection is not right.
 * Press *Translate and execute*.
@@ -80,3 +82,49 @@ may need additional imports from packages like `com.evolveum.midpoint.schema`,
 [#_query_converter]
 == Query converter
 
+Midpoint can help you convert your old-fashioned XML queries to midPoint Query Language.
+Query converter allows such conversion.
+
+*Query converter* is available on the second tab of *Query playground*.
+
+image:query-converter.png[Query converter]
+
+To convert the XML query, just:
+
+. Select the *Object type*,
+. Write or paste your original XML query into the query converter text area
+. Press *Convert query*.
+
+Following *hints* can help you while converting:
+
+* Select correct object type. The resulting query depends on object type.
+* When entering XML query please enter whole query starting with `<query>` element as seen on the picture above or example below.
+* Remove namespaces from XML elements, or define required namespaces in `<query>` element. See examples below.
+
+.Example without namespaces
+[source,XML]
+----
+<query>
+    <filter>
+        <substring>
+            <path>emailAddress</path>
+            <value>gmail.com</value>
+            <anchorEnd>true</anchorEnd>
+        </substring>
+    </filter>
+</query>
+----
+
+.Example with namespace definition
+[source,XML]
+----
+<query xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
+    <q:filter>
+        <q:substring>
+            <q:path>emailAddress</q:path>
+            <q:value>gmail.com</q:value>
+            <q:anchorEnd>true</q:anchorEnd>
+        </q:substring>
+    </q:filter>
+</query>
+----