Merge remote-tracking branch 'refs/remotes/origin/support-4.8' into s…

…upport-4.8

docs/admin-gui/resource-wizard/index.adoc

@@ -232,6 +232,7 @@ More complex configuration is possible by clicking btn:[Edit] button:
 [#use_inbound_for_correlation]
 You can define the inbound mapping as ordinary (default), or you can specify *Use for* parameter with value `Correlation` in the *Optional configuration* of the mapping to use the mapping only during the correlation.
 This is how you can define inbound mappings to be used in <<Correlation>> when item correlator is used, even for target resources where you normally have no inbound mappings at all.
+For more information, please refer to xref:/midpoint/reference/correlation/#example-4-correlation-for-outbound-resources[this example for correlation-only inbound mapping].
 
 Mapping can be deleted by clicking btn:[Delete] button.
 

docs/concepts/activation/index.adoc

@@ -217,7 +217,7 @@ This may be indication that that identity was disabled explicitly, that the disa
 
 | `disableTimestamp`
 | dateTime
-| Timestamp of last modification of the activation status to the disabled state. +
+| Timestamp of last modification of the activation status to the disabled state or the last change of the `disableReason`. +
 Note: This timestamp is used for recording purposes.
 Changing it will NOT change the activation state.
 Use validity dates for that purpose.
@@ -254,4 +254,4 @@ Use validity dates for that purpose.
 
 * xref:/midpoint/reference/resources/resource-configuration/schema-handling/activation/[Resource Schema Handling: Activation]
 
-* xref:/midpoint/reference/concepts/object-lifecycle/[Object Lifecycle]
+* xref:/midpoint/reference/concepts/object-lifecycle/[Object Lifecycle]

docs/correlation/index.adoc

@@ -188,6 +188,42 @@ An example:
 </archetype>
 ----
 
+
+==== Example 4: Correlation for outbound resources
+
+Smart correlation relies on inbound mapping converting resource's attribute to a property of midPoint object.
+Such approach is perfect for inbound resources because it simplifies the configuration.
+Nevertheless, there are use cases with strictly outbound resource with existing accounts that need to be correlater.
+In such cases having an inbound mapping is not desired.
+
+For this situation midPoint supports the option to configure mapping for evaluation only for correlation and not for "standard" processing (by clockwork).
+
+.Listing 4. use inbound mapping only for correlation
+[source,xml]
+----
+<schemaHandling>
+    <objectType>
+        ...
+        <attribute>
+            <ref>icfs:name</ref>
+            <correlator/>
+            <inbound>
+                <target>
+                    <path>name</path>
+                </target>
+                <use>correlation</use> <!--1-->
+            </inbound>
+            <outbound> <!--2-->
+                ...
+            </outbound>
+        </attribute>
+        ...
+    </objectType>
+</schemaHandling>
+----
+<1> Means that the inbound mapping will be used only for correlation and otherwise won't be processed
+<2> Represents the outbound mapping as usual
+
 == Advanced Concepts
 
 === Multiple Correlation Rules

docs/correlation/items-correlator.adoc

@@ -1,18 +1,12 @@
 = The `items` Correlator
 :page-toc: top
-:page-since: "4.6"
-:page-upkeep-status: orange
 
-// TODO: modify to reflect that this is not a new mechanisms any more (e.g remove "newly-introduced")
-// describe correlators as a primary correlation mechanism
-// Missing: general introduction to correlation
 
 == Introduction
 
-In earlier versions of midPoint, the only correlation mechanism available was the filter-based one.
-The administrator had to specify a query based (typically) on the values of the resource object and executed it in order to find its owner.
-
-The newly-introduced `items` correlator makes this process much easier by constructing the filter(s) automatically from the correlator configuration.
+The `items` correlator uses existing inbound mappings to simplify the correlation configuration.
+The inbound mapping converts resource's attribute to a property in midPoint schema and the correlator can simply operate on already converted value.
+In addition, correlator allows you to fine tune its behaviour.
 
 == Simple Examples
 
@@ -49,6 +43,26 @@ The following configuration matches on both `givenName` and `familyName` values,
 </correlators>
 ----
 
+The following configuration matches on either `givenName` or `familyName` values, requiring that at least one of them do match.
+See xref:/midpoint/reference/correlation/rule-composition/[rule composition] for details.
+
+.Listing 3. Matching on either given name or family name
+[source,xml]
+----
+<correlators>
+    <items>
+        <item>
+            <ref>givenName</ref>
+        </item>
+    </items>
+    <items>
+        <item>
+            <ref>familyName</ref>
+        </item>
+    </items>
+</correlators>
+----
+
 == Customizing the Search
 
 Sometimes, we need to fine-tune the search based on individual items.
@@ -89,7 +103,7 @@ But there are cases when it is needed.)
 
 An example:
 
-.Listing 3. Specifying the normalization and then using it for correlation
+.Listing 4. Specifying the normalization and then using it for correlation
 [source,xml]
 ----
 <objectTemplate>
@@ -143,7 +157,7 @@ This is especially true when dealing with values that are not indexed.
 
 For example, we may want to specify that when correlating on `employeeNumber` we want to use `mr:polyStringNorm` matching rule:
 
-.Listing 4. Specifying the matching rule used when correlating
+.Listing 5. Specifying the matching rule used when correlating
 [source,xml]
 ----
 <objectTemplate>
@@ -172,7 +186,7 @@ The fuzzy search can be specified for both custom-indexed and regular items.
 
 An example:
 
-.Listing 4. Specifying the fuzzy search used when correlating
+.Listing 6. Specifying the fuzzy search used when correlating
 [source,xml]
 ----
 <objectTemplate>
@@ -205,7 +219,7 @@ It is also possible to specify correlation search options that are to be applied
 
 For example, let us specify the default search options used when correlating by `givenName`.
 
-.Listing 5. Specifying the fuzzy search used when correlating
+.Listing 7. Specifying the fuzzy search used when correlating
 [source,xml]
 ----
 <objectTemplate>
@@ -256,7 +270,7 @@ NOTE: These search options are completely overridden when `search` element is pr
 In simple scenarios, it is possible to define single-item correlator right on the resource object attribute.
 An example:
 
-.Listing 6. `ri:employeeNumber` serving as a correlation attribute
+.Listing 8. `ri:employeeNumber` serving as a correlation attribute
 [source,xml]
 ----
 <schemaHandling>

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/component/password/PasswordPanel.java

@@ -113,7 +113,7 @@ protected  <F extends FocusType> void initLayout() {
         setOutputMarkupId(true);
 
         final WebMarkupContainer inputContainer = new WebMarkupContainer(ID_INPUT_CONTAINER);
-        inputContainer.add(new VisibleBehaviour(() -> passwordInputVisible));
+        inputContainer.add(new VisibleBehaviour(this::isPasswordInputVisible));
         inputContainer.setOutputMarkupId(true);
         add(inputContainer);
 
@@ -225,6 +225,10 @@ protected void updateAjaxAttributes(AjaxRequestAttributes attributes) {
 
     }
 
+    protected boolean isPasswordInputVisible() {
+        return passwordInputVisible || getParentPage().getPrincipalFocus() == null;
+    }
+
     private String initPasswordValidation() {
         return "initPasswordValidation({\n"
                 + "container: $('#progress-bar-container'),\n"

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/component/password/PasswordPropertyPanel.java

@@ -49,7 +49,7 @@ protected  <F extends FocusType> void initLayout() {
         super.initLayout();
 
         final WebMarkupContainer infoLabelContainer = new WebMarkupContainer(ID_INFO_LABEL_CONTAINER);
-        infoLabelContainer.add(new VisibleBehaviour(() -> !passwordInputVisible));
+        infoLabelContainer.add(new VisibleBehaviour(() -> !isPasswordInputVisible()));
         infoLabelContainer.setOutputMarkupId(true);
         add(infoLabelContainer);
 
@@ -92,7 +92,7 @@ public void onClick(AjaxRequestTarget target) {
     }
 
     private boolean isChangePasswordLinkVisible() {
-        return !isReadOnly && !passwordInputVisible && getPasswordModel() != null && getPasswordModel().getObject() != null;
+        return !isReadOnly && !isPasswordInputVisible() && getPasswordModel() != null && getPasswordModel().getObject() != null;
     }
 
     private void changePasswordLinkClickPerformed(AjaxRequestTarget target) {

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/api/util/WebModelServiceUtils.java

@@ -434,11 +434,11 @@ public static void save(Collection<ObjectDelta<? extends ObjectType>> deltas, Mo
 
             page.getModelService().executeChanges(deltas, options, task, result);
         } catch (Exception ex) {
+            subResult.recordFatalError(ex.getMessage());
+            LoggingUtils.logUnexpectedException(LOGGER, "Couldn't save object", ex);
             if (ex instanceof CommonException) {
                 subResult.setUserFriendlyMessage(((CommonException) ex).getUserFriendlyMessage());
             }
-            subResult.recordFatalError(ex.getMessage());
-            LoggingUtils.logUnexpectedException(LOGGER, "Couldn't save object", ex);
         } finally {
             subResult.computeStatus();
         }

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/login/PageAbstractFlow.java

@@ -78,6 +78,7 @@ private void initLayout() {
         }
 
         fragment.setOutputMarkupId(true);
+        fragment.add(new VisibleBehaviour(() -> !isSubmitted));
         content.setOutputMarkupId(true);
         addOrReplaceCaptcha(fragment);
         initButtons(mainForm);
@@ -117,7 +118,6 @@ private void doRegistration(AjaxRequestTarget target) {
             return;
         }
         submitRegistration(target);
-        isSubmitted = true;
     }
 
     private boolean validateCaptcha(AjaxRequestTarget target) {

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/login/PageRegistrationFinish.html

@@ -11,9 +11,14 @@
 <html xmlns:wicket="http://wicket.apache.org">
 <body>
 <wicket:extend>
-    <div wicket:id="successPanel" class="d-flex">
-        <i class="fa fa-check-circle fa-2x text-success justify-content-center"></i>
-        <h3 wicket:id="successLabel"/>
+    <div wicket:id="successPanel">
+        <div class="d-flex justify-content-center">
+            <i class="fa fa-check-circle fa-2x text-success justify-content-center"></i>
+            <h4 class="login-box-msg" wicket:id="successLabel"></h4>
+        </div>
+        <p class="login-panel-description text-center">
+            <wicket:message key="PageRegistrationFinish.success.description"/>
+        </p>
     </div>
     <div wicket:id="errorPanel" class="d-flex">
         <i class="fa fa-times-circle fa-2x text-error"></i>

gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/login/PageSelfRegistration.java

@@ -230,7 +230,7 @@ protected void submitRegistration(AjaxRequestTarget target) {
                 target.add(PageSelfRegistration.this);
             }
             LOGGER.trace("Registration for user {} was successfull.", getUserModel().getObject());
-
+            isSubmitted = true;
         } else {
             String message;
             if (result.getUserFriendlyMessage() != null) {

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/PagePostAuthentication.java

@@ -206,6 +206,7 @@ protected void submitRegistration(AjaxRequestTarget target) {
         if (!result.isAcceptable()) {
             target.add(PagePostAuthentication.this);
         } else {
+            isSubmitted = true;
             MidPointPrincipal principal = AuthUtil.getPrincipalUser();
             try {
                 getModelInteractionService().refreshPrincipal(principal.getOid(), principal.getFocus().getClass());

infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java

@@ -174,36 +174,32 @@ public abstract class SchemaConstants {
             NonceType.F_VALUE);
 
     public static final ItemPath PATH_SECURITY_QUESTIONS = ItemPath.create(C_CREDENTIALS, CredentialsType.F_SECURITY_QUESTIONS);
-    public static final ItemPath PATH_SECURITY_QUESTIONS_QUESTION_ANSWER = ItemPath.create(C_CREDENTIALS, CredentialsType.F_SECURITY_QUESTIONS,
-            SecurityQuestionsCredentialsType.F_QUESTION_ANSWER);
-    public static final ItemPath PATH_ACTIVATION = ItemPath.create(C_ACTIVATION);
-    public static final ItemPath PATH_ACTIVATION_ADMINISTRATIVE_STATUS = ItemPath.create(C_ACTIVATION,
-            ActivationType.F_ADMINISTRATIVE_STATUS);
-    public static final ItemPath PATH_ACTIVATION_EFFECTIVE_STATUS = ItemPath.create(C_ACTIVATION,
-            ActivationType.F_EFFECTIVE_STATUS);
-    public static final ItemPath PATH_ACTIVATION_VALID_FROM = ItemPath.create(C_ACTIVATION,
-            ActivationType.F_VALID_FROM);
-    public static final ItemPath PATH_ACTIVATION_VALID_TO = ItemPath.create(C_ACTIVATION,
-            ActivationType.F_VALID_TO);
-    public static final ItemPath PATH_ACTIVATION_EXISTENCE = ItemPath.create(C_ACTIVATION,
-            "existence");
-    public static final ItemPath PATH_ACTIVATION_DISABLE_REASON = ItemPath.create(ShadowType.F_ACTIVATION,
-            ActivationType.F_DISABLE_REASON);
-    public static final ItemPath PATH_ACTIVATION_LOCKOUT_STATUS = ItemPath.create(C_ACTIVATION,
-            ActivationType.F_LOCKOUT_STATUS);
-    public static final ItemPath PATH_OPERATIONAL_STATE_LAST_AVAILABILITY_STATUS = ItemPath.create(
-            ResourceType.F_OPERATIONAL_STATE, OperationalStateType.F_LAST_AVAILABILITY_STATUS);
+    public static final ItemPath PATH_SECURITY_QUESTIONS_QUESTION_ANSWER =
+            ItemPath.create(C_CREDENTIALS, CredentialsType.F_SECURITY_QUESTIONS, SecurityQuestionsCredentialsType.F_QUESTION_ANSWER);
+    public static final ItemPath PATH_ACTIVATION = C_ACTIVATION;
+    public static final ItemPath PATH_ACTIVATION_ADMINISTRATIVE_STATUS =
+            ItemPath.create(C_ACTIVATION, ActivationType.F_ADMINISTRATIVE_STATUS);
+    public static final ItemPath PATH_ACTIVATION_EFFECTIVE_STATUS =
+            ItemPath.create(C_ACTIVATION, ActivationType.F_EFFECTIVE_STATUS);
+    public static final ItemPath PATH_ACTIVATION_VALID_FROM = ItemPath.create(C_ACTIVATION, ActivationType.F_VALID_FROM);
+    public static final ItemPath PATH_ACTIVATION_VALID_TO = ItemPath.create(C_ACTIVATION, ActivationType.F_VALID_TO);
+    public static final ItemPath PATH_ACTIVATION_EXISTENCE = ItemPath.create(C_ACTIVATION, "existence");
+    public static final ItemPath PATH_ACTIVATION_DISABLE_REASON =
+            ItemPath.create(ShadowType.F_ACTIVATION, ActivationType.F_DISABLE_REASON);
+    public static final ItemPath PATH_ACTIVATION_LOCKOUT_STATUS = ItemPath.create(C_ACTIVATION, ActivationType.F_LOCKOUT_STATUS);
+    public static final ItemPath PATH_OPERATIONAL_STATE_LAST_AVAILABILITY_STATUS =
+            ItemPath.create(ResourceType.F_OPERATIONAL_STATE, OperationalStateType.F_LAST_AVAILABILITY_STATUS);
     public static final ItemPath PATH_ATTRIBUTES = ItemPath.create(C_ATTRIBUTES);
     public static final ItemPath PATH_ASSIGNMENT = FocusType.F_ASSIGNMENT;
     public static final ItemPath PATH_INDUCEMENT = ItemPath.create(AbstractRoleType.F_INDUCEMENT);
     public static final ItemPath PATH_INDUCEMENT_POLICY_RULE = ItemPath.create(RoleType.F_INDUCEMENT, AssignmentType.F_POLICY_RULE);
 
-    public static final ItemPath PATH_ASSIGNMENT_ACTIVATION_EFFECTIVE_STATUS = ItemPath
-            .create(FocusType.F_ASSIGNMENT, AssignmentType.F_ACTIVATION, ActivationType.F_EFFECTIVE_STATUS);
-    public static final ItemPath PATH_ASSIGNMENT_ACTIVATION_VALID_FROM = ItemPath
-            .create(FocusType.F_ASSIGNMENT, AssignmentType.F_ACTIVATION, ActivationType.F_VALID_FROM);
-    public static final ItemPath PATH_ASSIGNMENT_ACTIVATION_VALID_TO = ItemPath
-            .create(FocusType.F_ASSIGNMENT, AssignmentType.F_ACTIVATION, ActivationType.F_VALID_TO);
+    public static final ItemPath PATH_ASSIGNMENT_ACTIVATION_EFFECTIVE_STATUS =
+            ItemPath.create(FocusType.F_ASSIGNMENT, AssignmentType.F_ACTIVATION, ActivationType.F_EFFECTIVE_STATUS);
+    public static final ItemPath PATH_ASSIGNMENT_ACTIVATION_VALID_FROM =
+            ItemPath.create(FocusType.F_ASSIGNMENT, AssignmentType.F_ACTIVATION, ActivationType.F_VALID_FROM);
+    public static final ItemPath PATH_ASSIGNMENT_ACTIVATION_VALID_TO =
+            ItemPath.create(FocusType.F_ASSIGNMENT, AssignmentType.F_ACTIVATION, ActivationType.F_VALID_TO);
     public static final ItemPath PATH_ASSIGNMENT_TARGET_REF = ItemPath.create(FocusType.F_ASSIGNMENT, AssignmentType.F_TARGET_REF);
     public static final ItemPath PATH_ASSIGNMENT_DESCRIPTION = ItemPath.create(FocusType.F_ASSIGNMENT, AssignmentType.F_DESCRIPTION);
     public static final ItemPath PATH_ASSOCIATION = ItemPath.create(C_ASSOCIATION);

infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ActivationUtil.java

@@ -6,6 +6,9 @@
  */
 package com.evolveum.midpoint.schema.util;
 
+import static com.evolveum.midpoint.schema.util.ObjectTypeUtil.asObjectable;
+
+import com.evolveum.midpoint.prism.PrismObject;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
 
 /**
@@ -15,14 +18,19 @@
 public class ActivationUtil {
 
     public static ActivationStatusType getAdministrativeStatus(FocusType focus) {
-        if (focus == null) {
-            return null;
-        }
-        ActivationType activation = focus.getActivation();
-        if (activation == null) {
-            return null;
-        }
-        return activation.getAdministrativeStatus();
+        return focus != null ? getAdministrativeStatus(focus.getActivation()) : null;
+    }
+
+    public static ActivationStatusType getAdministrativeStatus(ShadowType shadow) {
+        return shadow != null ? getAdministrativeStatus(shadow.getActivation()) : null;
+    }
+
+    public static ActivationStatusType getAdministrativeStatus(PrismObject<ShadowType> shadow) {
+        return getAdministrativeStatus(asObjectable(shadow));
+    }
+
+    private static ActivationStatusType getAdministrativeStatus(ActivationType activation) {
+        return activation != null ? activation.getAdministrativeStatus() : null;
     }
 
     public static boolean hasAdministrativeActivation(ShadowType objectType) {
@@ -79,4 +87,12 @@ public static ActivationType createDisabled() {
         activationType.setAdministrativeStatus(ActivationStatusType.DISABLED);
         return activationType;
     }
+
+    public static String getDisableReason(PrismObject<ShadowType> shadow) {
+        return shadow != null ? getDisableReason(shadow.asObjectable().getActivation()) : null;
+    }
+
+    public static String getDisableReason(ActivationType activation) {
+        return activation != null ? activation.getDisableReason() : null;
+    }
 }

infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd

@@ -3508,7 +3508,9 @@
                 <xsd:annotation>
                     <xsd:documentation>
                         <p>
-                            Timestamp of last modification of the activation status to the disabled state.
+                            Timestamp of the last modification of the activation status to the disabled state
+                            OR of the last change of the disableReason property.
+
                             Note: This timestamp is used for recording purposes. Changing it will NOT change
                             the activation state.
                         </p>