Merge remote-tracking branch 'origin/post-3.7-fixes' into post-3.7-fixes

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/users/component/OrgMemberPanel.java

@@ -480,7 +480,7 @@ private void deleteMemberConfirmPerformed(QueryScope scope, QName relation, Ajax
 	private List<InlineMenuItem> createManagersHeaderInlineMenu() {
 		List<InlineMenuItem> headerMenuItems = new ArrayList<>();
 
-		if (WebComponentUtil.isAuthorized(AuthorizationConstants.AUTZ_UI_ADMIN_ADD_MEMBER_ACTION_URI)) {
+		if (WebComponentUtil.isAuthorized(AuthorizationConstants.AUTZ_UI_ADMIN_ADD_ORG_MEMBER_ACTION_URI)) {
 			headerMenuItems.add(new InlineMenuItem(createStringResource("TreeTablePanel.menu.createManager"),
 					false, new HeaderMenuAction(this) {
 				private static final long serialVersionUID = 1L;
@@ -492,7 +492,7 @@ public void onClick(AjaxRequestTarget target) {
 			}));
 		}
 
-		if (WebComponentUtil.isAuthorized(AuthorizationConstants.AUTZ_UI_ADMIN_ASSIGN_MEMBER_ACTION_URI)) {
+		if (WebComponentUtil.isAuthorized(AuthorizationConstants.AUTZ_UI_ADMIN_ASSIGN_ORG_MEMBER_ACTION_URI)) {
 			headerMenuItems.add(new InlineMenuItem(createStringResource("TreeTablePanel.menu.addManagers"), false,
 					new HeaderMenuAction(this) {
 						private static final long serialVersionUID = 1L;
@@ -516,7 +516,7 @@ public void onClick(AjaxRequestTarget target) {
 			}));
 		}
 
-		if (WebComponentUtil.isAuthorized(AuthorizationConstants.AUTZ_UI_ADMIN_RECOMPUTE_MEMBER_ACTION_URI)) {
+		if (WebComponentUtil.isAuthorized(AuthorizationConstants.AUTZ_UI_ADMIN_RECOMPUTE_ORG_MEMBER_ACTION_URI)) {
 			headerMenuItems
 					.add(new InlineMenuItem(createStringResource("TreeTablePanel.menu.recomputeManagersAll"),
 							false, new HeaderMenuAction(this) {

infra/common/src/main/java/com/evolveum/midpoint/common/refinery/CompositeRefinedObjectClassDefinitionImpl.java

@@ -38,6 +38,7 @@
 import javax.xml.namespace.QName;
 import java.util.*;
 import java.util.function.Consumer;
+import java.util.function.Function;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
@@ -585,10 +586,25 @@ public Collection<? extends QName> getNamesOfAttributesWithInboundExpressions()
 	}
 
 	@Override
-	public ResourcePasswordDefinitionType getPasswordDefinition() {		// TODO what if there is a conflict?
-		return getRefinedObjectClassDefinitionsStream()
-				.map(def -> def.getPasswordDefinition())
-				.findFirst().orElse(null);
+	public ResourcePasswordDefinitionType getPasswordDefinition() {
+		return findInDefinitions(def -> def.getPasswordDefinition());
+	}
+
+	private <T> T findInDefinitions(Function<RefinedObjectClassDefinition,T> transform) {
+		if (structuralObjectClassDefinition != null) {
+			T val = transform.apply(structuralObjectClassDefinition);
+			if (val != null) {
+				return val;
+			}
+		}
+		// TODO what if there is a conflict?
+		for (RefinedObjectClassDefinition auxiliaryObjectClassDefinition: auxiliaryObjectClassDefinitions) {
+			T val = transform.apply(auxiliaryObjectClassDefinition);
+			if (val != null) {
+				return val;
+			}
+		}
+		return null;
 	}
 
     @Override

infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd

@@ -5840,6 +5840,60 @@
         </xsd:restriction>
     </xsd:simpleType>
 
+    <xsd:simpleType name="PasswordCompareStrategyType">
+        <xsd:annotation>
+            <xsd:documentation>
+                The way how an resource password is compared with the current password.
+            </xsd:documentation>
+            <xsd:appinfo>
+                <jaxb:typesafeEnumClass/>
+                <a:since>3.7.1</a:since>
+            </xsd:appinfo>
+        </xsd:annotation>
+        <xsd:restriction base="xsd:string">
+            <xsd:enumeration value="auto">
+                <xsd:annotation>
+                	<xsd:documentation>
+                		Auto-detect comparison method. If no way of comparison
+                		is possible then an error is indicated.
+                		Note: Currently this strategy will end with an error if there
+                		is no cached password value.
+                	</xsd:documentation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="AUTO"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+            <xsd:enumeration value="error">
+                <xsd:annotation>
+                	<xsd:documentation>
+                		There is no way to compare password. Any operation to that
+                		tries to compare the password on the resource should end
+                		up with an error.
+                	</xsd:documentation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="ERROR"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+            <xsd:enumeration value="cached">
+                <xsd:annotation>
+                	<xsd:documentation>
+                		Compare password with the value cached in the shadow.
+                		This setting assumes that passwords for all accounts are
+                		properly cached. Therefore if there is no password value
+                		in the shadow then we assume that there is no resource password.
+                	</xsd:documentation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="CACHED"/>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
+            <!-- TODO: ignore, read (compare password by readin password value), resourceAuthenticate, ... -->
+        </xsd:restriction>
+    </xsd:simpleType>
+
+
     <xsd:complexType name="ResourceCredentialsDefinitionType">
         <xsd:sequence>
             <xsd:element name="password" type="tns:ResourcePasswordDefinitionType" minOccurs="0" maxOccurs="1">
@@ -5860,6 +5914,19 @@
     	</xsd:annotation>
         <xsd:sequence>
         	<xsd:element name="fetchStrategy" type="tns:AttributeFetchStrategyType" minOccurs="0"/>
+        	<xsd:element name="compareStrategy" type="tns:PasswordCompareStrategyType" minOccurs="0" default="auto">
+        		<xsd:annotation>
+        			<xsd:documentation>
+        				The way how an resource password is compared with the current password.
+        				This strategy is used when midPoint needs to compare candidate password
+        				with existing resource passowrd. E.g. used in password policies that state
+        				that passwords on several resources cannot be the same.
+        			</xsd:documentation>
+        			<xsd:appinfo>
+        				<a:since>3.7.1</a:since>
+        			</xsd:appinfo>
+        		</xsd:annotation>
+        	</xsd:element>
             <xsd:element name="outbound" type="tns:MappingType" minOccurs="0" maxOccurs="unbounded">
                 <xsd:annotation>
                     <xsd:documentation>
@@ -5887,6 +5954,23 @@
             		</xsd:appinfo>
                 </xsd:annotation>
             </xsd:element>
+            <xsd:element name="caching" type="tns:CachingPolicyType" minOccurs="0" maxOccurs="1">
+                <xsd:annotation>
+                    <xsd:documentation>
+                        Password caching policy.
+                        Currently, password storage format (encrypted, hashed) will be the same
+                        as the global password storage format used for the entire system.
+                        Definition of a specific password storage format might be added later.
+                    </xsd:documentation>
+                    <xsd:appinfo>
+            			<a:since>3.7.1</a:since>
+            		</xsd:appinfo>
+                </xsd:annotation>
+                <!-- 
+                	TODO: later, create PasswordCachingPolicyType as subtype of CachingPolicyType.
+                	PasswordCachingPolicyType could specify password storage format.
+                 -->
+            </xsd:element>
         </xsd:sequence>
     </xsd:complexType>
 
@@ -12009,6 +12093,16 @@
         <xsd:sequence>
             <xsd:element name="origin" type="tns:ValuePolicyOriginType" minOccurs="0" maxOccurs="1" default="object"/>
             <xsd:element name="path" type="t:ItemPathType" minOccurs="0" maxOccurs="1"/>
+            <xsd:element name="projectionDiscriminator" type="tns:ShadowDiscriminatorType" minOccurs="0" maxOccurs="1">
+            	<xsd:annotation>
+            		<xsd:documentation>
+            			Specifies which projection should be used in case that projection origin is selected.
+            		</xsd:documentation>
+            		<xsd:appinfo>
+            			<a:since>3.7.1</a:since>
+            		</xsd:appinfo>
+            	</xsd:annotation>
+            </xsd:element>
             <!-- TODO: matching (exact, norm, case ignore, partial, ...), matching parameters ( 3 characters difference ) -->
         </xsd:sequence>
     </xsd:complexType>
@@ -12063,6 +12157,23 @@
                     </xsd:appinfo>
                 </xsd:annotation>
             </xsd:enumeration>
+            <xsd:enumeration value="projection">
+                <xsd:annotation>
+                	<xsd:documentation>
+                		One of object's projecion is the origin.
+                		E.g. in case of user password specific projection
+                		linked to the user will be scanned.
+                		If this origin type is selected then also
+                		the projectionDiscriminator must be specified.
+                		Note: Currently the only supported value is
+                		resource password.
+                	</xsd:documentation>
+                    <xsd:appinfo>
+                        <jaxb:typesafeEnumMember name="PROJECTION"/>
+                        <a:since>3.7.1</a:since>
+                    </xsd:appinfo>
+                </xsd:annotation>
+            </xsd:enumeration>
         </xsd:restriction>
     </xsd:simpleType>