Merge remote-tracking branch 'refs/remotes/origin/master'

docs/diag/troubleshooting/mappings/index.adoc

@@ -407,7 +407,7 @@ Provides a lot of details
 
 |===
 
-The second option is available since midPoint 3.4.1 and 3.5. It can be used to enable tracing for any particular mapping:
+The second option can be used to enable tracing for any particular mapping:
 
 [source,xml]
 ----
@@ -639,6 +639,8 @@ The audit is the easiest way to check that.
 
 * xref:/midpoint/reference/diag/troubleshooting/connectors/[Troubleshooting Connectors]
 
+* xref:/midpoint/reference/diag/troubleshooting/troubleshooting-with-traces/[]
+
 * xref:/midpoint/reference/expressions/[Mappings and Expressions]
 
 * xref:/midpoint/reference/diag/troubleshooting/usual-troubleshooting-steps/[Usual Troubleshooting Steps]

docs/expressions/expressions/profiles/configuration.adoc

@@ -6,7 +6,6 @@
 :page-wiki-metadata-create-date: 2019-04-08T14:11:27.298+02:00
 :page-wiki-metadata-modify-user: martin.lizner
 :page-wiki-metadata-modify-date: 2019-09-26T14:54:40.106+02:00
-:page-since: "4.0"
 :page-upkeep-status: green
 :page-toc: top
 
@@ -87,9 +86,6 @@ Expression profiles are defined in xref:/midpoint/reference/concepts/system-conf
 </systemConfiguration>
 ----
 
-In versions 4.0 to 4.7, the configuration consists of two parts: expression profile and permission profile.
-Since 4.8, there are other parts as well, see below.
-
 _Expression profile_ specifies which expression evaluators are allowed.
 E.g. the configuration about specifies that `asIs`, `path` and `script` evaluators are allowed.
 The profile can also parametrize the use of evaluators.
@@ -110,54 +106,44 @@ The following table lists all items in an expression profile.
 .Configuration items in an expression profile
 [%autowidth]
 |===
-| Item | Description | Since | Default value
+| Item | Description | Default value
 
 | `identifier`
 | Profile identifier.
 Usually short string, essentially a simple profile name.
 Custom profiles should consider using URIs instead of simple names to avoid
 conflicts with built-in profiles that may be provided in later versions.
-| 4.0
 | mandatory
 
 | `description`
 | Free-form description (comment).
-| 4.0
 | -
 
 | `decision`
 | Default decision for evaluators in this profile: this is the decision of those evaluators that are not explicitly enumerated within it.
 Currently, this property does NOT apply for other parts of the profile.
-| 4.0
 | mandatory
 
 | `evaluator` (multivalued)
 | Profiles for individual evaluators.
-| 4.0
 | see `decision`
 
 | `bulkActionsProfile`
 | ID of the bulk actions profile to be used with this expression profile.
-| 4.8
 | "allow all bulk actions"
 
 | `functionLibrariesProfile`
 | ID of the function libraries profile to be used with this expression profile.
-| 4.8
 | "allow all function libraries"
 
 | `privilegeElevation`
 | Is the privilege elevation (runAsRef, runPrivileged) feature available in this profile?
-| 4.8
 | `allow`
 |===
 
 === Function Library and Bulk Action Profiles
-++++
-{% include since.html since="4.8" %}
-++++
 
-Since 4.8, we can specify which function libraries (`FunctionLibraryType` objects) and their individual functions are available in given expression profile.
+We can specify which function libraries (`FunctionLibraryType` objects) and their individual functions are available in given expression profile.
 This is done using `functionLibrariesProfile` items.
 
 In the following example, we create a `trusted-functions-only` expression profile that allows only the following:
@@ -285,9 +271,6 @@ Note that if not explicitly specified, the privilege elevation feature is enable
 == Expression Profile Usage
 
 === Archetypes
-++++
-{% include since.html since="4.8" %}
-++++
 
 The primary usage pattern for expression profiles is in conjunction with xref:/midpoint/reference/schema/archetypes/[archetypes].
 The idea is that archetype policy will identify expression profiles that should be applied to all the expressions in archetyped objects.
@@ -332,9 +315,6 @@ An example:
 This is also the method how to specify default expression profile for a particular type of objects.
 
 === Defaults
-++++
-{% include since.html since="4.8" %}
-++++
 
 === For Expressions
 For backwards compatibility reasons, default profile for expressions is built-in "full access" profile.
@@ -347,7 +327,7 @@ Please do not use this character as the first one in your profile identifiers.
 Also, it is not possible to reference built-in profiles from within your configuration.
 So, if you need to create a "full access" profile, you need to create your own.
 
-In 4.8, there are the following built-in profiles: `\\##full` (full access), `##none` (no access), `##legacyUnprivilegedBulkActions` (see below).
+Currently, there are the following built-in profiles: `\\##full` (full access), `##none` (no access), `##legacyUnprivilegedBulkActions` (see below).
 ====
 
 === For Bulk Actions
@@ -366,12 +346,15 @@ If there is no explicitly provided expression profile ID, midPoint looks for the
 | `##full`: full access
 |===
 
+[NOTE]
+====
 These defaults roughly correspond to pre-4.8 behavior.
 The distinction between privileged and unprivileged principal is based on whether it possesses the `#all` authorization.
 Before 4.8, this authorization was checked before execution of `script` bulk action and before execution of `notify` action with the custom event handler.
 In 4.8, it disallows execution of any expressions (including scripts).
 It roughly corresponds to the pre-4.7 behavior, but e.g. allows executing `notify` action with custom event handler that avoids any custom expressions or scripts.
 (Note that before 4.8 there was no bulk action that evaluated arbitrary expression.)
+====
 
 == Security Considerations
 
@@ -421,8 +404,6 @@ Please see xref:/midpoint/features/planned/expression-profiles/[Expression Profi
 
 == Limitations
 
-=== Implementation in midPoint 4.8
-
 . Although the expression profile can be specified in any type of archetype (structural or auxiliary), for a given object, at most _one_ expression profile can be specified.
 If conflicting expression profile identifiers are found, an exception is raised.
 The reason is that we do not have a reasonable way for merging independently defined expression profiles yet.
@@ -434,29 +415,20 @@ Here, the usual "child-overrides-parent-value" approach applies, i.e. if an expr
 . The coverage by expression profiles is *NOT COMPLETE*.
 Please see the xref:coverage.adoc[current status].
 
-=== Implementation in midPoint 4.4.x - 4.7.x
-
-The only type of expression that is constrained by expression profiles are expressions in reports used in midPoint - and even that is partial.
-E.g. the ability to secure audit reports may not be complete currently.
-
-Support for expression profile identification in archetype policy is missing.
-
-=== Common Limitations
-
-For scripting evaluators, the only scripting language that can be constrained by a permission profile is Groovy.
+. For scripting evaluators, the only scripting language that can be constrained by a permission profile is Groovy.
 Other languages do not have this ability yet.
 And even Groovy is only constrained on a "compilation level" (see security considerations above).
 
-There may be performance issues when using expression profiles, especially when used with big and complex permission profiles.
+. There may be performance issues when using expression profiles, especially when used with big and complex permission profiles.
 The code is not yet optimized for performance.
 
-We provide the expression profiles in "AS IS" form.
+. We provide the expression profiles in "AS IS" form.
 We do not make any claims about security or insecurity of expression profiles.
 I.e. we do not claim that expression profiles are completely secure.
 If you are using expression profiles you are doing that completely on your own risk.
 Proper security testing is more than recommended in such case.
 
-See xref:/midpoint/features/planned/expression-profiles/[Expression Profiles: Full Implementation] for the details about our plans for the future of expression profiles.
+. See xref:/midpoint/features/planned/expression-profiles/[Expression Profiles: Full Implementation] for the details about our plans for the future of expression profiles.
 
 == See Also
 

docs/expressions/expressions/profiles/coverage.adoc

@@ -1,5 +1,4 @@
 = Expression Profiles Coverage
-:page-since: "4.8"
 
 The coverage by expression profiles is *NOT COMPLETE*.
 

docs/expressions/expressions/profiles/index.adoc

@@ -5,7 +5,6 @@
 :page-wiki-metadata-create-date: 2019-04-08T13:48:53.764+02:00
 :page-wiki-metadata-modify-user: semancik
 :page-wiki-metadata-modify-date: 2019-04-08T14:36:26.158+02:00
-:page-since: "4.0"
 :page-midpoint-feature: true
 :page-alias: [ { "parent" : "/midpoint/features/current/" }, { "parent" : "/midpoint/reference/security/" } ]
 :page-upkeep-status: yellow

docs/expressions/expressions/script/groovy.adoc

@@ -25,12 +25,12 @@ Therefore the use of safe dereference operator is advised in almost all situatio
 
 [source,groovy]
 ----
-user?.getName();
+focus?.getName();
 ----
 
 === Create fullName
 
 [source,groovy]
 ----
-user.getGivenName() + " " + user.getFamilyName();
-----
+focus.getGivenName() + " " + focus.getFamilyName();
+----

docs/expressions/expressions/script/index.adoc

@@ -17,11 +17,11 @@ Currently supported languages are:
 
 * xref:groovy.adoc[Groovy] (built-in)
 
-* xref:javascript.adoc[JavaScript (ECMAScript)] (optional since 4.4, depending on JDK)
+* xref:javascript.adoc[JavaScript (ECMAScript)] (optional, depending on JDK)
 
-* xref:python.adoc[Python] (built-in until 4.3, optional since 4.4)
+* xref:python.adoc[Python] (optional)
 
-* xref:/midpoint/reference/misc/notifications/velocity/[Velocity] (since 3.4.1) for expressions returning strings/texts
+* xref:/midpoint/reference/misc/notifications/velocity/[Velocity] (built-in) for expressions returning strings/texts
 
 [NOTE]
 ====
@@ -67,7 +67,7 @@ Meaning of individual script expression fields is as follows:
 Specifies the language in which the expression is written.
 If not specified it defaults to Groovy language.
 
-Since midPoint 4.5, it is possible to use the local part after `#` instead of the whole URL;
+It is possible to use the local part after `#` instead of the whole URL;
 for example, you can use just `velocity` or `Groovy`.
 Note that the short name is still case-sensitive!
 
@@ -76,16 +76,13 @@ Note that the short name is still case-sensitive!
 | optional
 | Explicitly trace the execution of this expression.
 The execution will be logged on INFO level if this property is set to true to make sure that it will be visible in the logs. +
-Available since midPoint 3.5.
 
-////
-TODO: this seems not to work now, see MID-8552
-| `returnType`
-| optional
-| The type of the expression result, either "list" or "scalar".
-If not set it will be determined automatically from the target data type for the expression.
-This setting should be used only if the automatic mechanism does not work as expected.
-////
+//TODO: this seems not to work now, see MID-8552
+//| `returnType`
+//| optional
+//| The type of the expression result, either "list" or "scalar".
+//If not set it will be determined automatically from the target data type for the expression.
+//This setting should be used only if the automatic mechanism does not work as expected.
 
 | `relativityMode`
 | optional
@@ -135,7 +132,7 @@ For example, the following expression will evaluate to the content of the `fullN
 [source,xml]
 ----
 <code>
-   user.getFullName()
+   focus.getFullName()
 </code>
 ----
 

docs/expressions/expressions/script/javascript.adoc

@@ -20,12 +20,11 @@ ECMAScript support is provided by https://github.com/openjdk/nashorn[Nashorn] en
 This engine fully supports ECMAScript 5.1 and many features from version 6.
 It was shipped with JDK 11, *but it is not available in JDK 15 and later*.
 If you want to run JDK 17, read on for instructions how to enable it.
-Note, that midPoint is supported only on LTS Java versions 11 and 17.
 ====
 
 == Activation for version 4.4 and JDK 17
 
-Noramlly, to enable Nashorn we would need to download the `nashorn-core.jar` with the dependencies it relies on.
+Normally, to enable Nashorn we would need to download the `nashorn-core.jar` with the dependencies it relies on.
 There are options how to download the whole package, but the provided versions of ASM dependency are older than the one used in midPoint.
 But midPoint doesn't contain all the ASM JARs necessary for Nashorn, so some ASM JARs are still needed.
 To avoid version confusion we provided a convenient download for you in the table below.
@@ -60,7 +59,7 @@ If the engine is not initialized, following warning is emitted - this does not p
 
 Following code returns a `name` property of a user.
 It is using ternary operator (`?` and `:`) to make sure this code works as expected even if user is `null`. User can be `null` is some situations, such as when evaluating outbound expression for a deleted user.
-Therefore the use of similar safe constructs is advised in almost all situations.
+Therefore, the use of similar safe constructs is advised in almost all situations.
 
 [source,javascript]
 ----

docs/expressions/expressions/script/python.adoc

@@ -13,8 +13,7 @@ No support for Python 3.x is available now.
 
 == Activation for version 4.4 and later
 
-Up to version 4.3, Python support was packaged inside midPoint.
-Starting with version 4.4, Python is not built-in and to activate it the following steps are necessary:
+Python support is not built-in and to activate it the following steps are necessary:
 
 * Download the standalone version as JAR from https://repo1.maven.org/maven2/org/python/jython-standalone/2.7.2/jython-standalone-2.7.2.jar[this URL].
 MidPoint 4.4 was tested with Jython 2.7.2 but likely any latest stable version of `jython-standalone` should work.

docs/expressions/mappings/condition/index.adoc

@@ -15,7 +15,9 @@ The mapping will remove the `ExAmPLE, Inc.` value from the `organization` proper
     <expression>
         <value>ExAmPLE, Inc.</value>
     </expression>
-    <target>organization</target>
+    <target>
+        <path>organization</path>
+    </target>
     <condition>
         <script>
             <code>orgCode == "001"</code>
@@ -437,24 +439,6 @@ Weak mappings should be used for that purpose instead.
 
 // TODO: more bad examples?
 
-== Notes
-
-[NOTE]
-.Conditions and ranges in midPoint 4.0 and earlier
-====
-In midPoint 4.0 and earlier, the mapping range was *not* applied consistently when the condition was `false`.
-Some mappings in some cases applied the range, other mappings did not.
-This was incorrect behavior (bug), and it was corrected in midPoint 4.1.
-
-The incorrect behavior was perhaps based on the approach that if the condition evaluates to `false` then the system will "pretend that the mapping does not exist at all".
-This was even documented in this page in earlier versions of midPoint.
-However, this approach was a leftover from the times when midPoint did not have mapping ranges and the documentation was incorrect.
-We understand that some deployments relied on this behavior, and we would like to apologize for any inconvenience.
-However, our policy is not to maintain "compatible bugs", therefore we have corrected the behavior of mappings in all the places to make midPoint behavior consistent.
-
-If you need to "turn off" the mapping completely, the proper way is to set the condition both in the `condition` part of the mapping and in the range specification, i.e. making the mapping non-authoritative (having empty range) when the condition is false.
-====
-
 
 == See Also