Merge branch 'master' of github.com:Evolveum/midpoint

config/initial-objects/010-value-policy.xml

@@ -23,13 +23,6 @@
         <t:norm>default password policy</t:norm>
     </name>
     <description>Default password policy</description>
-    <lifetime>
-        <expiration>999</expiration>
-        <warnBeforeExpiration>9</warnBeforeExpiration>
-        <lockAfterExpiration>0</lockAfterExpiration>
-        <minPasswordAge>0</minPasswordAge>
-        <passwordHistoryLength>0</passwordHistoryLength>
-    </lifetime>
     <stringPolicy>
         <description>Testing string policy</description>
         <limitations>

config/initial-objects/120-security-policy.xml → config/initial-objects/015-security-policy.xml

@@ -23,6 +23,7 @@
 			<lockoutMaxFailedAttempts>3</lockoutMaxFailedAttempts>
 			<lockoutFailedAttemptsDuration>PT3M</lockoutFailedAttemptsDuration>
 			<lockoutDuration>PT15M</lockoutDuration>
+			<valuePolicyRef oid="00000000-0000-0000-0000-000000000003"/>
 		</password>
 	</credentials>
 </securityPolicy>

config/initial-objects/020-system-configuration.xml

@@ -22,7 +22,6 @@
     <!--         <globalAccountSynchronizationSettings> -->
     <!--         <assignmentPolicyEnforcement>relative</assignmentPolicyEnforcement> -->
     <!--         </globalAccountSynchronizationSettings> -->
-    <globalPasswordPolicyRef oid="00000000-0000-0000-0000-000000000003" type="c:ValuePolicyType"/>
     <globalSecurityPolicyRef oid="00000000-0000-0000-0000-000000000120"/>
     <logging>
         <classLogger>
@@ -61,6 +60,12 @@
             <level>WARN</level>
             <package>org.apache.wicket.resource.PropertiesFactory</package>
         </classLogger>
+        <classLogger>
+            <!-- disabled because we don't need to see every log message for every key
+            when resource bundle doesn't exist for specific locale (unnecessary log pollution) -->
+            <level>ERROR</level>
+            <package>org.springframework.context.support.ResourceBundleMessageSource</package>
+        </classLogger>
         <classLogger>
             <!-- Standard useful logger -->
             <level>INFO</level>
@@ -72,26 +77,26 @@
             <package>com.evolveum.midpoint.model.impl.lens.Clockwork</package>
         </classLogger>
 
-        <appender xsi:type="c:FileAppenderConfigurationType" name="IDM_LOG"
+        <appender xsi:type="c:FileAppenderConfigurationType" name="MIDPOINT_LOG"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <pattern>%date [%X{subsystem}] [%thread] %level \(%logger\): %msg%n</pattern>
-            <fileName>${midpoint.home}/log/idm.log</fileName>
-            <filePattern>${midpoint.home}/log/idm-%d{yyyy-MM-dd}.%i.log</filePattern>
+            <fileName>${midpoint.home}/log/midpoint.log</fileName>
+            <filePattern>${midpoint.home}/log/midpoint-%d{yyyy-MM-dd}.%i.log</filePattern>
             <maxHistory>10</maxHistory>
             <maxFileSize>100MB</maxFileSize>
             <append>true</append>
         </appender>
         <!-- Appender for profiling purposes -->
-        <appender xsi:type="c:FileAppenderConfigurationType" name="IDM-PROFILE_LOG"
+        <appender xsi:type="c:FileAppenderConfigurationType" name="MIDPOINT_PROFILE_LOG"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <pattern>%date %level: %msg%n</pattern>
-            <fileName>${midpoint.home}/log/idm-profile.log</fileName>
-            <filePattern>${midpoint.home}/log/idm-profile-%d{yyyy-MM-dd}.%i.log</filePattern>
+            <fileName>${midpoint.home}/log/midpoint-profile.log</fileName>
+            <filePattern>${midpoint.home}/log/midpoint-profile-%d{yyyy-MM-dd}.%i.log</filePattern>
             <maxHistory>10</maxHistory>
             <maxFileSize>100MB</maxFileSize>
             <append>true</append>
         </appender>
-        <rootLoggerAppender>IDM_LOG</rootLoggerAppender>
+        <rootLoggerAppender>MIDPOINT_LOG</rootLoggerAppender>
         <rootLoggerLevel>INFO</rootLoggerLevel>
         <auditing>
             <enabled>false</enabled>
@@ -148,4 +153,4 @@
             <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#resources</authorization>
         </userDashboardLink>
     </adminGuiConfiguration>
-</systemConfiguration>
+</systemConfiguration>

config/initial-objects/040-role-enduser.xml

@@ -51,6 +51,19 @@
             </owner>
         </object>
     </authorization>
+    <authorization>
+    	<name>self-persona-read</name>
+    	<description>
+    		Allow to read all the personas of currently logged-in user.
+    	</description>
+        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+        <object>
+    		<type>UserType</type>
+    		<owner>
+    			<special>self</special>
+    		</owner>
+    	</object>
+    </authorization>
     <authorization>
     	<name>self-credentials-request</name>
     	<description>
@@ -118,8 +131,6 @@
     	</object>
     	<item>credentials</item>
     	<item>assignment</item>
-    	<item>parentOrgRef</item>
-    	<item>roleMembershipRef</item>
     </authorization>
     <authorization>
     	<name>self-shadow-execution-add-modify-delete</name>
@@ -159,6 +170,56 @@
         <object>
             <type>ServiceType</type>
         </object>
+        <object> <!-- Deputy delegations may have users as targets -->
+            <type>UserType</type>
+        </object>
+    </authorization>
+    <authorization>
+    	<name>assignment-target-read-task</name>
+    	<description>
+    		Authorization that allows to read workflow status of tasks. This is used to display requests
+    		to the end users, especially in the "My Requests" box in user dashboard.
+    		This authorization is a temporary solution. It will be replaced by a finer-grained
+    		permissions in the future.
+    	</description>
+        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+        <object>
+            <type>TaskType</type>
+        </object>
+        <item>workflowContext</item>
+    </authorization>
+    <authorization>
+    	<name>self-owned-task-read</name>
+    	<description>
+    		Authorization that allows to see all tasks owned by a currently logged-in user.
+    	</description>
+        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+        <object>
+            <type>TaskType</type>
+    		<owner>
+    			<special>self</special>
+    		</owner>
+        </object>
+    </authorization>
+    <authorization>
+    	<name>self-owned-task-add-execute-changes</name>
+    	<description>
+    		Authorization to create a new 'execute changes' task owned by a currently logged-in user.
+    		This is needed to execute asynchronous operations from the GUI.
+    	</description>
+        <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#add</action>
+        <object>
+            <type>TaskType</type>
+            <filter>
+    			<q:equal>
+    				<q:path>handlerUri</q:path>
+    				<q:value>http://midpoint.evolveum.com/xml/ns/public/model/synchronization/task/execute/handler-3</q:value>
+    			</q:equal>
+    		</filter>
+    		<owner>
+    			<special>self</special>
+    		</owner>
+        </object>
     </authorization>
     <roleType>system</roleType>
-</role>
+</role>

config/initial-objects/041-role-approver.xml

@@ -105,7 +105,7 @@
     	</description>
         <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
         <object>
-            <type>OrgType</type>
+			<type>OrgType</type>
         </object>
         <item>name</item>
         <item>displayName</item>

config/initial-objects/043-role-delegator.xml

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
-  ~ Copyright (c) 2017 Evolveum
+  ~ Copyright (c) 2016-2017 Evolveum
   ~
   ~ Licensed under the Apache License, Version 2.0 (the "License");
   ~ you may not use this file except in compliance with the License.
@@ -64,4 +64,23 @@
     		<type>ShadowType</type>
     	</object>
     </authorization>
-</role>
+        <authorization>
+    	<name>delegator-read-delagate-assignments</name>
+    	<description>
+    		Authorization to read the assignments and assignment-related items from my delegates.
+    		This authorization is necessary so the self-service GUI can properly display user's
+    		delegations. Delegations are in fact assignments in the delegate object, not delegator
+    		object. Therefore authorization to read just "self" will not display the delegations.
+    	</description>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+    	<object>
+    		<type>UserType</type>
+    		<delegator>
+    			<special>self</special>
+    		</delegator>
+    	</object>
+    	<item>assignment</item>
+    	<item>roleMembershipRef</item>
+    	<item>delegatedRef</item>
+    </authorization>
+</role>

config/initial-objects/200-lookup-languages.xml

@@ -19,6 +19,15 @@
 	xmlns='http://midpoint.evolveum.com/xml/ns/public/common/common-3'>
 
 	<name>Languages</name>
+
+	<description>
+		Lookup table for languages directly supported by midPoint.
+		This lookup table contains language codes that are supported by
+		midPoint product localizations. The idea is that only the list of
+		supported languages will be presented to midPoint user.
+		For full list of language code please see lookup-languages-all.xml
+		in midPoint samples.
+	</description>
 
 	<row>
 		<key>cs</key>
@@ -40,6 +49,10 @@
 		<key>es</key>
 		<label>Español</label>
 	</row>
+	<row>
+		<key>fi</key>
+		<label>Suomi</label>
+	</row>
 	<row>
 		<key>hu</key>
 		<label>Magyar</label>
@@ -64,5 +77,9 @@
 		<key>tr</key>
 		<label>Türkçe</label>
 	</row>
+	<row>
+		<key>zh_CN</key>
+		<label>中文</label>
+	</row>
 
 </lookupTable>

config/initial-objects/210-lookup-locales.xml

@@ -40,6 +40,10 @@
 		<key>es</key>
 		<label>Español</label>
 	</row>
+	<row>
+		<key>fi</key>
+		<label>Suomi</label>
+	</row>
 	<row>
 		<key>hu</key>
 		<label>Magyar</label>
@@ -64,5 +68,9 @@
 		<key>tr</key>
 		<label>Türkçe</label>
 	</row>
+	<row>
+		<key>zh_CN</key>
+		<label>中文</label>
+	</row>
 
 </lookupTable>

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/configuration/PageDebugList.java

@@ -1050,14 +1050,10 @@ protected List<ObjectTypes> load() {
 					Collections.addAll(choices, ObjectTypes.values());
 					choices.remove(ObjectTypes.OBJECT);
 
-					Collections.sort(choices, new Comparator<ObjectTypes>() {
-
-						@Override
-						public int compare(ObjectTypes o1, ObjectTypes o2) {
-							String str1 = (String) renderer.getDisplayValue(o1);
-							String str2 = (String) renderer.getDisplayValue(o2);
-							return String.CASE_INSENSITIVE_ORDER.compare(str1, str2);
-						}
+					choices.sort((o1, o2) -> {
+						String str1 = (String) renderer.getDisplayValue(o1);
+						String str2 = (String) renderer.getDisplayValue(o2);
+						return String.CASE_INSENSITIVE_ORDER.compare(str1, str2);
 					});
 
 					return choices;

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/util/ObjectTypeGuiDescriptor.java

@@ -79,7 +79,9 @@ public enum ObjectTypeGuiDescriptor {
 
     SERVICE(ObjectTypes.SERVICE, "ObjectTypeGuiDescriptor.service", GuiStyleConstants.CLASS_OBJECT_SERVICE_ICON_COLORED, GuiStyleConstants.CLASS_OBJECT_SERVICE_ICON),
 
-    CASE(ObjectTypes.CASE, "ObjectTypeGuiDescriptor.case", "", "");             // TODO icons
+    CASE(ObjectTypes.CASE, "ObjectTypeGuiDescriptor.case", "", ""),             // TODO icons
+
+    FUNCTION_LIBRARY(ObjectTypes.FUNCTION_LIBRARY, "ObjectTypeGuiDescriptor.functionLibrary", "", "");      // TODO icons
 
     public static final String ERROR_ICON = "silk-error";
     public static final String ERROR_LOCALIZATION_KEY = "ObjectTypeGuiDescriptor.unknown";

gui/admin-gui/src/main/resources/localization/Midpoint.properties

@@ -667,6 +667,7 @@ ObjectTypeGuiDescriptor.user=User
 ObjectTypeGuiDescriptor.service=Service
 ObjectTypeGuiDescriptor.case=Case
 ObjectTypeGuiDescriptor.valuePolicy=Value policy
+ObjectTypeGuiDescriptor.functionLibrary=Function library
 ObjectTypeGuiDescriptor.unknown=Not defined
 operation.com.evolveum.midpoint.common.crypto.CryptoUtil.securitySelfTest=Security self test
 operation.com.evolveum.midpoint.common.operation.import.object=Import object

infra/schema/src/main/resources/xml/ns/public/common/common-core-3.xsd

@@ -3294,6 +3294,8 @@
 					<xsd:appinfo>
 						<a:displayName>AbstractCredentialType.forceChange</a:displayName>
 						<a:operational>true</a:operational>
+						<a:experimental>true</a:experimental>
+						<a:since>3.6</a:since>
 					</xsd:appinfo>
 				</xsd:annotation>
             </xsd:element>

samples/model-client-sample/src/main/java/com/evolveum/midpoint/testing/model/client/sample/Main.java

@@ -86,7 +86,7 @@ public class Main {
 	// Configuration
 	public static final String ADM_USERNAME = "administrator";
 	public static final String ADM_PASSWORD = "5ecr3t";
-	private static final String DEFAULT_ENDPOINT_URL = "http://localhost:8080/midpoint/model/model-3";
+	private static final String DEFAULT_ENDPOINT_URL = "http://localhost:8080/model/model-3";
 
 	// Object OIDs
 	private static final String ROLE_PIRATE_OID = "2de6a600-636f-11e4-9cc7-3c970e467874";