Merge branch 'master' of https://github.com/Evolveum/midpoint

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/boot/EmbeddedTomcatAutoConfiguration.java

@@ -17,7 +17,9 @@
 
 import javax.servlet.Servlet;
 
+import org.apache.catalina.connector.Connector;
 import org.apache.catalina.startup.Tomcat;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.AutoConfigureOrder;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
@@ -52,10 +54,27 @@ public class EmbeddedTomcatAutoConfiguration {
 	@ConditionalOnClass({ Servlet.class, Tomcat.class })
 	@ConditionalOnMissingBean(value = TomcatServletWebServerFactory.class, search = SearchStrategy.CURRENT)
 	public static class EmbeddedTomcat {
-
+
+		@Value( "${server.tomcat.ajp.enabled:false}" )
+		private boolean enableAjp;
+
+		@Value( "${server.tomcat.ajp.port:9090}" )
+		private int port;
+
 		@Bean
 		public TomcatServletWebServerFactory tomcatEmbeddedServletContainerFactory() {
-			return new MidPointTomcatServletWebServerFactory();
+			MidPointTomcatServletWebServerFactory tomcat = new MidPointTomcatServletWebServerFactory();
+
+			if(enableAjp) {
+				Connector ajpConnector = new Connector("AJP/1.3");
+				ajpConnector.setPort(port);
+				ajpConnector.setSecure(false);
+				ajpConnector.setScheme("http");
+				ajpConnector.setAllowTrace(false);
+				tomcat.addAdditionalTomcatConnectors(ajpConnector);
+			}
+
+			return tomcat;
 		}
 
 	}

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/data/column/ColumnUtils.java

@@ -506,7 +506,7 @@ public void populateItem(Item<ICellPopulator<SelectableBean<T>>> cellItem,
 				SelectableBean<TaskType> object = (SelectableBean<TaskType>) rowModel.getObject();
 				PrismProperty<QName> pObjectClass = object.getValue() != null ?
 						object.getValue().asPrismObject().findProperty(
-								new ItemPath(TaskType.F_EXTENSION, SchemaConstants.OBJECTCLASS_PROPERTY_NAME))
+								new ItemPath(TaskType.F_EXTENSION, SchemaConstants.MODEL_EXTENSION_OBJECTCLASS))
 						: null;
 				if (pObjectClass != null) {
 					cellItem.add(new Label(componentId, pObjectClass.getRealValue().getLocalPart()));

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/resources/ResourceContentPanel.java

@@ -468,7 +468,7 @@ private List<TaskType> getTasksForKind(List<PrismObject<TaskType>> tasks) {
 
 			if (taskKind == null) {
 				PrismProperty<QName> taskObjectClass = task
-						.findProperty(new ItemPath(TaskType.F_EXTENSION, SchemaConstants.OBJECTCLASS_PROPERTY_NAME));
+						.findProperty(new ItemPath(TaskType.F_EXTENSION, SchemaConstants.MODEL_EXTENSION_OBJECTCLASS));
 
 				if (taskObjectClass == null) {
 					LOGGER.warn("Bad task definition. Task {} doesn't contain definition either of objectClass or kind/intent", task.getOid());

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/resources/ResourceDetailsTabPanel.java

@@ -409,7 +409,7 @@ private List<TaskType> getTaskFor(List<PrismObject<TaskType>> tasks,
 			}
 
 			PrismProperty<QName> taskObjectClass = task.findProperty(
-					new ItemPath(TaskType.F_EXTENSION, SchemaConstants.OBJECTCLASS_PROPERTY_NAME));
+					new ItemPath(TaskType.F_EXTENSION, SchemaConstants.MODEL_EXTENSION_OBJECTCLASS));
 			QName taskObjectClassValue = null;
 			if (taskObjectClass != null) {
 				taskObjectClassValue = taskObjectClass.getRealValue();
@@ -442,7 +442,7 @@ private List<TaskType> getTaskFor(List<PrismObject<TaskType>> tasks,
 			}
 
 			if (SynchronizationUtils.isPolicyApplicable(taskObjectClassValue, taskKindValue, taskIntentValue,
-					synchronizationPolicy, resource)) {
+					synchronizationPolicy, resource, true)) {
 				syncTasks.add(task.asObjectable());
 			}
 		}

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/server/PageTaskAdd.java

@@ -199,7 +199,7 @@ private TaskAddDto loadTask(TaskType taskType) {
 
     	PrismProperty<QName> pObjectClass;
 		try {
-			pObjectClass = taskType.asPrismObject().findOrCreateProperty(new ItemPath(TaskType.F_EXTENSION, SchemaConstants.OBJECTCLASS_PROPERTY_NAME));
+			pObjectClass = taskType.asPrismObject().findOrCreateProperty(new ItemPath(TaskType.F_EXTENSION, SchemaConstants.MODEL_EXTENSION_OBJECTCLASS));
 			QName objectClass = pObjectClass.getRealValue();
 			if (objectClass != null){
 	    		taskAdd.setObjectClass(objectClass.getLocalPart());
@@ -772,7 +772,7 @@ private TaskType createTask(TaskAddDto dto) throws SchemaException {
 
         if(dto.getObjectClass() != null && StringUtils.isNotEmpty(dto.getObjectClass())){
             PrismObject<TaskType> prismTask = task.asPrismObject();
-            ItemPath path = new ItemPath(TaskType.F_EXTENSION, SchemaConstants.OBJECTCLASS_PROPERTY_NAME);
+            ItemPath path = new ItemPath(TaskType.F_EXTENSION, SchemaConstants.MODEL_EXTENSION_OBJECTCLASS);
             PrismProperty objectClassProperty = prismTask.findOrCreateProperty(path);
 
             QName objectClass = null;
@@ -783,7 +783,7 @@ private TaskType createTask(TaskAddDto dto) throws SchemaException {
             }
 
             SchemaRegistry registry = getPrismContext().getSchemaRegistry();
-            PrismPropertyDefinition def = registry.findPropertyDefinitionByElementName(SchemaConstants.OBJECTCLASS_PROPERTY_NAME);
+            PrismPropertyDefinition def = registry.findPropertyDefinitionByElementName(SchemaConstants.MODEL_EXTENSION_OBJECTCLASS);
             objectClassProperty.setDefinition(def);
             objectClassProperty.setRealValue(objectClass);
         }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/server/handlers/dto/ResourceRelatedHandlerDto.java

@@ -90,7 +90,7 @@ private void fillFromExtension(TaskType taskType) {
 			intent = intentItem.getRealValue();
 		}
 
-		PrismProperty<QName> objectClassItem = task.getExtension().findProperty(SchemaConstants.OBJECTCLASS_PROPERTY_NAME);
+		PrismProperty<QName> objectClassItem = task.getExtension().findProperty(SchemaConstants.MODEL_EXTENSION_OBJECTCLASS);
 		if(objectClassItem != null && objectClassItem.getRealValue() != null){
 			objectClass = objectClassItem.getRealValue().getLocalPart();
 		}
@@ -239,7 +239,7 @@ public void setResource(TaskAddResourcesDto resource) {
 					objectClassQName = q;
 				}
 			}
-			addExtensionDelta(rv, SchemaConstants.OBJECTCLASS_PROPERTY_NAME, objectClassQName, prismContext);
+			addExtensionDelta(rv, SchemaConstants.MODEL_EXTENSION_OBJECTCLASS, objectClassQName, prismContext);
 		}
 		return rv;
 	}

gui/admin-gui/src/main/resources/application.yml

@@ -10,6 +10,10 @@ server:
   tomcat:
     basedir: ${midpoint.home}
     max-http-post-size: 104857600 # in bytes
+## Enable and configuration ajp connector for mp
+#    ajp:
+#      enabled: true
+#      port: 9090
   servlet:
     context-path: /midpoint
     application-display-name: MidPoint
@@ -46,14 +50,4 @@ auth:
 #  enable-csrf: false # default for midpoint is true
 
 # more properties with default values can be found here:
-# https://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html
-
-management:
-  endpoint:
-    health:
-      enabled: true
-
-
-#logging:
-#  level:
-#    org.springframework: TRACE
+# https://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html

gui/admin-gui/src/main/resources/localization/Midpoint.properties

@@ -4170,7 +4170,6 @@ ObjectFormType.details.newValue=New object form
 GuiObjectColumnType.details.newValue=New gui object column
 GuiObjectListViewType.details.newValue=New gui object list view
 DashboardWidgetType.details.newValue=New dashboard widget
-GenericPcpAspectConfigurationType.details.newValue=New generic pcp aspect configuration
 RelationDefinitionType.details.newValue=New relation definition
 GuiActionType.details.newValue=New gui action
 ApprovalStageDefinitionType.details.newValue=New approval stage definition

infra/common/src/main/java/com/evolveum/midpoint/common/SynchronizationUtils.java

@@ -161,8 +161,7 @@ private static List<SynchronizationSituationDescriptionType> getSituationFromSam
 		return valuesToDelete;
 	}
 
-public static boolean isPolicyApplicable(QName objectClass, ShadowKindType kind, String intent, ObjectSynchronizationType synchronizationPolicy, PrismObject<ResourceType> resource) throws SchemaException{
-
+	public static boolean isPolicyApplicable(QName objectClass, ShadowKindType kind, String intent, ObjectSynchronizationType synchronizationPolicy, PrismObject<ResourceType> resource, boolean strictIntent) throws SchemaException {
 		List<QName> policyObjectClasses = synchronizationPolicy.getObjectClass();
 
 		if (policyObjectClasses == null || policyObjectClasses.isEmpty()) {
@@ -198,8 +197,8 @@ public static boolean isPolicyApplicable(QName objectClass, ShadowKindType kind,
 
 		// kind
 		ShadowKindType policyKind = synchronizationPolicy.getKind();
-		LOGGER.trace("Comparing kinds, policy kind: {}, current kind: {}", policyKind, kind);
-		if (policyKind != null && kind != null && !policyKind.equals(kind)) {
+		boolean kindMatch = policyKind != null ? policyKind.equals(kind) : kind == null ? true : false; 
+		if (!kindMatch) {
 			LOGGER.trace("Kinds don't match, skipping policy {}", synchronizationPolicy);
 			return false;
 		}
@@ -208,13 +207,24 @@ public static boolean isPolicyApplicable(QName objectClass, ShadowKindType kind,
 		// TODO is the intent always present in shadow at this time? [med]
 		String policyIntent = synchronizationPolicy.getIntent();
 		LOGGER.trace("Comparing intents, policy intent: {}, current intent: {}", policyIntent, intent);
-		if (policyIntent != null && intent != null
-				&& !MiscSchemaUtil.equalsIntent(intent, policyIntent)) {
-			LOGGER.trace("Intents don't match, skipping policy {}", synchronizationPolicy);
-			return false;
+		if (!strictIntent) {
+			if (intent != null && !MiscSchemaUtil.equalsIntent(intent, policyIntent)) {
+				LOGGER.trace("Intents don't match, skipping policy {}", synchronizationPolicy);
+				return false;
+			}
+		} else {
+			if (!MiscSchemaUtil.equalsIntent(intent, policyIntent)) {
+				LOGGER.trace("Intents don't match, skipping policy {}", synchronizationPolicy);
+				return false;
+			}
 		}
 
 		return true;
 	}
+
+	public static boolean isPolicyApplicable(QName objectClass, ShadowKindType kind, String intent, ObjectSynchronizationType synchronizationPolicy, PrismObject<ResourceType> resource) throws SchemaException{
+		return isPolicyApplicable(objectClass, kind, intent, synchronizationPolicy, resource, false);
+
+	}
 
 }

infra/prism/src/main/java/com/evolveum/midpoint/prism/query/TypeFilter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2014 Evolveum
+ * Copyright (c) 2010-2018 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -53,6 +53,9 @@ public ObjectFilter getFilter() {
     }
 
     public void setFilter(ObjectFilter filter) {
+    	if (filter == this) {
+    		throw new IllegalArgumentException("Type filte has itself as a subfilter");
+    	}
         this.filter = filter;
     }
 

infra/schema/src/main/java/com/evolveum/midpoint/schema/constants/SchemaConstants.java

@@ -291,7 +291,7 @@ public abstract class SchemaConstants {
 	public static final QName MODEL_EXTENSION_FINISH_OPERATIONS_ONLY = new QName(NS_MODEL_EXTENSION, "finishOperationsOnly");
 	public static final QName MODEL_EXTENSION_KIND = new QName(NS_MODEL_EXTENSION, "kind");
 	public static final QName MODEL_EXTENSION_INTENT = new QName(NS_MODEL_EXTENSION, "intent");
-	public static final QName OBJECTCLASS_PROPERTY_NAME = new QName(NS_MODEL_EXTENSION, "objectclass");
+	public static final QName MODEL_EXTENSION_OBJECTCLASS = new QName(NS_MODEL_EXTENSION, "objectclass");
 	public static final QName MODEL_EXTENSION_LAST_SCAN_TIMESTAMP_PROPERTY_NAME = new QName(
 			NS_MODEL_EXTENSION, "lastScanTimestamp");
 

infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd

@@ -12380,6 +12380,9 @@
 
 								LIMITATION: Supported only for TaskType and not for search pre-processing.
 							</xsd:documentation>
+							<xsd:appinfo>
+								<a:since>3.9</a:since>
+							</xsd:appinfo>
 						</xsd:annotation>
 					</xsd:element>
 					<xsd:element name="assignee" type="tns:SubjectedObjectSelectorType" minOccurs="0" maxOccurs="1">
@@ -12391,16 +12394,32 @@
 								LIMITATION: Supported only for TaskType with work items fully fetched; and not for search
 								pre-processing.
 							</xsd:documentation>
+							<xsd:appinfo>
+								<a:since>3.9</a:since>
+							</xsd:appinfo>
 						</xsd:annotation>
 					</xsd:element>
-					<xsd:element name="object" type="tns:SubjectedObjectSelectorType" minOccurs="0" maxOccurs="1">
+					<xsd:element name="relatedObject" type="tns:SubjectedObjectSelectorType" minOccurs="0" maxOccurs="1">
 						<xsd:annotation>
 							<xsd:documentation>
 								The object matches the specification if it has a related object specified by this element.
 								(So it is applicable only for task-, case- and work item-like objects.)
 
 								LIMITATION: Supported only for TaskType; and for search pre-processing it is limited to "self".
 							</xsd:documentation>
+							<xsd:appinfo>
+								<a:since>3.9</a:since>
+							</xsd:appinfo>
+						</xsd:annotation>
+					</xsd:element>
+					<xsd:element name="tenant" type="tns:TenantSelectorType" minOccurs="0" maxOccurs="1">
+						<xsd:annotation>
+							<xsd:documentation>
+								The object matches the specification if it is related to the specified tenant.
+							</xsd:documentation>
+							<xsd:appinfo>
+								<a:since>3.9</a:since>
+							</xsd:appinfo>
 						</xsd:annotation>
 					</xsd:element>
 		        </xsd:sequence>
@@ -12446,6 +12465,32 @@
         <xsd:attribute name="id" type="xsd:long" use="optional"/>
 	</xsd:complexType>
 
+	<xsd:complexType name="TenantSelectorType">
+        <xsd:annotation>
+            <xsd:documentation>
+                Selects an object by comparing tenant information.
+            </xsd:documentation>
+            <xsd:appinfo>
+                <a:container/>
+                <a:since>3.9</a:since>
+            </xsd:appinfo>
+        </xsd:annotation>
+        <xsd:sequence>
+        	<xsd:element name="sameAsSubject" type="xsd:boolean" minOccurs="0" maxOccurs="1" default="false">
+               <xsd:annotation>
+                   <xsd:documentation>
+                       Selects object/target if it has the same tenant as subject.
+                       Subject must be part of the tenant (must have tenantRef set).
+                       This authorization will not select any object if subject tenantRef is empty.
+                   </xsd:documentation>
+               </xsd:annotation>
+           </xsd:element>
+			<!-- allow empty tenant? -->
+			<!-- TODO: add explicit tenantRef? -->
+        </xsd:sequence>
+        <xsd:attribute name="id" type="xsd:long" use="optional"/>
+	</xsd:complexType>
+
 	<xsd:complexType name="OtherPrivilegesLimitationType">
         <xsd:annotation>
             <xsd:documentation>
@@ -18500,6 +18545,23 @@
 					</xsd:appinfo>
 				</xsd:annotation>
 			</xsd:enumeration>
+			<xsd:enumeration value="fetchAll">
+				<xsd:annotation>
+					<xsd:appinfo>
+						<jaxb:typesafeEnumMember name="FETCH_ALL"/>
+						<xsd:documentation>
+							This is a workaround for situations when STRICTLY_SEQUENTIAL_PAGING cannot be used because
+							a client-supplied paging is present. All the objects are fetched as in regular searchObjects()
+							call and then send to the client one-by-one. (This defeats the basic purpose of
+							searchObjectsIterative but can be safely used for small numbers of objects.)
+
+							So this method is a safe fallback that is used when STRICTLY_SEQUENTIAL_PAGING is implicitly
+							chosen but a custom paging exists, provided that the paging contains maxSize clause with a number
+							not greater than a specified limit (maxObjectsForImplicitFetchAllIterationMethod).
+						</xsd:documentation>
+					</xsd:appinfo>
+				</xsd:annotation>
+			</xsd:enumeration>
 		</xsd:restriction>
 	</xsd:simpleType>
 

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentEvaluator.java

@@ -1092,6 +1092,12 @@ private void collectMembership(FocusType targetType, QName relation, EvaluationC
 		refVal.setTargetName(targetType.getName().toPolyString());
 
 		collectMembershipRefVal(refVal, targetType.getClass(), relation, targetType, ctx);
+
+		if (targetType instanceof OrgType) {
+			if (BooleanUtils.isTrue(((OrgType)targetType).isTenant()) && ctx.evalAssignment.getTenantOid() == null) {
+				ctx.evalAssignment.setTenantOid(targetType.getOid());
+			}
+		}
 	}
 
 	private void collectMembership(ObjectReferenceType targetRef, QName relation, EvaluationContext ctx) {

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/EvaluatedAssignmentImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2017 Evolveum
+ * Copyright (c) 2010-2018 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -81,6 +81,7 @@ public class EvaluatedAssignmentImpl<F extends FocusType> implements EvaluatedAs
 	// usually, these rules do not cause direct action (e.g. in the case of approvals);
 	// however, there are situations in which they are used (e.g. for exclusion rules)
 	@NotNull private final Collection<EvaluatedPolicyRule> otherTargetsPolicyRules = new ArrayList<>();
+	private String tenantOid;
 
 	private PrismObject<?> target;
 	private boolean virtual;
@@ -252,6 +253,14 @@ public void addDelegationRefVal(PrismReferenceValue org) {
 		delegationRefVals.add(org);
 	}
 
+	public String getTenantOid() {
+		return tenantOid;
+	}
+
+	public void setTenantOid(String tenantOid) {
+		this.tenantOid = tenantOid;
+	}
+
 	@NotNull
 	@Override
 	public Collection<Authorization> getAuthorizations() {

model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensElementContext.java

@@ -20,6 +20,8 @@
 import com.evolveum.midpoint.prism.ConsistencyCheckScope;
 import com.evolveum.midpoint.prism.Objectable;
 import com.evolveum.midpoint.prism.delta.PlusMinusZero;
+import com.evolveum.midpoint.prism.delta.builder.DeltaBuilder;
+import com.evolveum.midpoint.prism.delta.builder.S_ItemEntry;
 import com.evolveum.midpoint.schema.DeltaConvertor;
 import com.evolveum.midpoint.schema.result.OperationResult;
 import com.evolveum.midpoint.schema.util.ObjectTypeUtil;
@@ -816,4 +818,8 @@ public boolean isOfType(Class<?> aClass) {
 	}
 
 	public abstract void deleteSecondaryDeltas();
+
+	public S_ItemEntry deltaBuilder() throws SchemaException {
+		return DeltaBuilder.deltaFor(getObjectTypeClass(), getPrismContext());
+	}
 }