Merge remote-tracking branch 'origin/support-3.9' into support-3.9

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/orgs/OrgTreePanel.html

@@ -24,7 +24,7 @@ <h3 class="box-title"><div wicket:id="treeTitle"/></h3>
 				<div class="cog" wicket:id="treeMenu" about="treeMenu"/>
 			</div>
 		</div>
-		<div wicket:id="treeContainer" class="box-body org-tree-container" style="flex: 100 1 40%;">
+		<div wicket:id="treeContainer" class="box-body org-tree-container" style="flex: 100 1 auto;">
 			<div wicket:id="tree"/>
 		</div>
 	</div>	

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/self/RoleCatalogTabPanel.html

@@ -20,7 +20,7 @@
 <body>
 <wicket:extend>
     <div wicket:id="treePanelContainer" class="col-md-3" >
-        <div wicket:id="treePanel"/>
+        <div class="role-catalog" wicket:id="treePanel"/>
     </div>
 </wicket:extend>
 </body>

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/security/MidPointAuthenticationProvider.java

@@ -56,27 +56,39 @@ public void setMessageSource(MessageSource messageSource) {
 	@Override
 	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
 
-		String enteredUsername = (String) authentication.getPrincipal();
-		LOGGER.trace("Authenticating username '{}'", enteredUsername);
-
-		ConnectionEnvironment connEnv = ConnectionEnvironment.create(SchemaConstants.CHANNEL_GUI_USER_URI);
-
-		Authentication token;
-		if (authentication instanceof UsernamePasswordAuthenticationToken) {
-			String enteredPassword = (String) authentication.getCredentials();
-			token = passwordAuthenticationEvaluator.authenticate(connEnv, new PasswordAuthenticationContext(enteredUsername, enteredPassword));
-		} else if (authentication instanceof PreAuthenticatedAuthenticationToken) {
-			token = passwordAuthenticationEvaluator.authenticateUserPreAuthenticated(connEnv, enteredUsername);
-		} else {
-			LOGGER.error("Unsupported authentication {}", authentication);
-			throw new AuthenticationServiceException("web.security.provider.unavailable");
+		try {
+			String enteredUsername = (String) authentication.getPrincipal();
+			LOGGER.trace("Authenticating username '{}'", enteredUsername);
+
+			ConnectionEnvironment connEnv = ConnectionEnvironment.create(SchemaConstants.CHANNEL_GUI_USER_URI);
+
+			try {
+				Authentication token;
+				if (authentication instanceof UsernamePasswordAuthenticationToken) {
+					String enteredPassword = (String) authentication.getCredentials();
+					token = passwordAuthenticationEvaluator.authenticate(connEnv, new PasswordAuthenticationContext(enteredUsername, enteredPassword));
+				} else if (authentication instanceof PreAuthenticatedAuthenticationToken) {
+					token = passwordAuthenticationEvaluator.authenticateUserPreAuthenticated(connEnv, enteredUsername);
+				} else {
+					LOGGER.error("Unsupported authentication {}", authentication);
+					throw new AuthenticationServiceException("web.security.provider.unavailable");
+				}
+
+				MidPointPrincipal principal = (MidPointPrincipal)token.getPrincipal();
+
+				LOGGER.debug("User '{}' authenticated ({}), authorities: {}", authentication.getPrincipal(),
+						authentication.getClass().getSimpleName(), principal.getAuthorities());
+				return token;
+
+			} catch (AuthenticationException e) {
+				LOGGER.info("Authentication failed for {}: {}", enteredUsername, e.getMessage());
+				throw e;
+			}
+		} catch (RuntimeException | Error e) {
+			// Make sure to explicitly log all runtime errors here. Spring security is doing very poor job and does not log this properly.
+			LOGGER.error("Authentication (runtime) error: {}", e.getMessage(), e);
+			throw e;
 		}
-
-		MidPointPrincipal principal = (MidPointPrincipal)token.getPrincipal();
-
-		LOGGER.debug("User '{}' authenticated ({}), authorities: {}", authentication.getPrincipal(),
-				authentication.getClass().getSimpleName(), principal.getAuthorities());
-		return token;
 	}
 
 	@Override

gui/admin-gui/src/main/resources/initial-objects/040-role-enduser.xml

@@ -18,7 +18,7 @@
       xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
       xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
     <name>End user</name>
-    <description>Role authorizing end users to log in, change their passwords and review assigned accounts.</description>
+    <description>Role authorizing end users to log in, change their passwords and review assigned accounts. Note: This role definition is just an example. It should be tailored for each specific deployment.</description>
     <authorization>
     	<name>gui-self-service-access</name>
     	<description>
@@ -93,13 +93,39 @@
     	</object>
     	<item>credentials</item>
     </authorization>
+    <authorization>
+    	<name>read-requestable-roles</name>
+    	<description>
+    		Allow to read requestable roles. This allows to search for requestable roles in user interface.
+    	</description>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#read</action>
+    	<object>
+    		<type>RoleType</type>
+    		<filter>
+    			<q:equal>
+    				<q:path>requestable</q:path>
+    				<q:value>true</q:value>
+    			</q:equal>
+    		</filter>
+    	</object>
+    	<!-- Note: for production use you should consider limiting the items that can be read. -->
+    </authorization>
+     <authorization>
+    	<name>requestable-role-details</name>
+    	<description>
+    		Allow to show details of requestable roles in the user interface.
+    	</description>
+    	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#roleDetails</action>
+    	<!-- Note: object specification should be here to limit this authorization to requestable roles. 
+    	     But this is not yet supported. -->
+    </authorization>
     <authorization>
     	<name>assign-requestable-roles</name>
     	<description>
     		Allow to assign requestable roles. This allows to request roles in a request-and-approve process.
     	    The requestable roles will be displayed in the role request dialog by default.
-    	    Please note that the roles also need an approved definition to go through the approval process.
-    	    Otherwise they will be assigned automatically wihout any approval. 
+    	    Please note that the roles also need an approval definition to go through the approval process.
+    	    Otherwise they will be assigned automatically without any approval. 
     	</description>
     	<action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-model-3#assign</action>
     	<phase>request</phase>
@@ -173,6 +199,7 @@
         <object> <!-- Deputy delegations may have users as targets -->
             <type>UserType</type>
         </object>
+        <!-- Note: for production use you should consider limiting the items that can be read. -->
     </authorization>
     <authorization>
     	<name>assignment-target-read-task</name>

gui/admin-gui/src/main/resources/static/less/midpoint-theme.less

@@ -1416,4 +1416,15 @@ th.countLabel{
   .content-wrapper {
     width: 100%;
   }
+}
+
+.role-catalog > .object-org-box > .org-tree-container{
+	max-height: 50vh;
+}
+
+.skin-red > .wrapper > .main-header > .navbar-static-top > .navbar-custom-menu > .shopping-cart-icon > .badge,
+.skin-red-light > .wrapper > .main-header > .navbar-static-top > .navbar-custom-menu > .shopping-cart-icon > .badge{
+	border-style: solid;
+	padding: 2px 5px;
+	border-color: #f4f4f4;
 }

infra/schema/src/main/java/com/evolveum/midpoint/schema/util/AdminGuiConfigTypeUtil.java

@@ -56,8 +56,8 @@ private static void applyAdminGuiConfiguration(AdminGuiConfigurationType composi
 		if (adminGuiConfiguration == null) {
 			return;
 		}
-		adminGuiConfiguration.getAdditionalMenuLink().forEach(additionalMenuLink -> composite.getAdditionalMenuLink().add(additionalMenuLink.clone()));
-		adminGuiConfiguration.getUserDashboardLink().forEach(userDashboardLink -> composite.getUserDashboardLink().add(userDashboardLink.clone()));
+		adminGuiConfiguration.getAdditionalMenuLink().forEach(additionalMenuLink -> composite.getAdditionalMenuLink().add(clone(additionalMenuLink)));
+		adminGuiConfiguration.getUserDashboardLink().forEach(userDashboardLink -> composite.getUserDashboardLink().add(clone(userDashboardLink)));
 		if (adminGuiConfiguration.getDefaultTimezone() != null) {
 			composite.setDefaultTimezone(adminGuiConfiguration.getDefaultTimezone());
 		}
@@ -143,14 +143,32 @@ private static void applyAdminGuiConfiguration(AdminGuiConfigurationType composi
 		}
 	}
 
+	private static RichHyperlinkType clone(RichHyperlinkType additionalMenuLink) {
+		RichHyperlinkType clone = additionalMenuLink.clone();
+		clone.asPrismContainerValue().setId(null);
+		return clone;
+	}
+
 	private static void joinForms(ObjectFormsType objectForms, ObjectFormType newForm) {
 		objectForms.getObjectForm().removeIf(currentForm -> isTheSameObjectForm(currentForm, newForm));
-		objectForms.getObjectForm().add(newForm.clone());
+		objectForms.getObjectForm().add(clone(newForm));
+	}
+
+	private static ObjectFormType clone(ObjectFormType form) {
+		ObjectFormType clone = form.clone();
+		clone.asPrismContainerValue().setId(null);
+		return clone;
 	}
 
 	private static void joinObjectDetails(GuiObjectDetailsSetType objectDetailsSet, GuiObjectDetailsPageType newObjectDetails) {
 		objectDetailsSet.getObjectDetailsPage().removeIf(currentDetails -> isTheSameObjectType(currentDetails, newObjectDetails));
-		objectDetailsSet.getObjectDetailsPage().add(newObjectDetails.clone());
+		objectDetailsSet.getObjectDetailsPage().add(clone(newObjectDetails));
+	}
+
+	private static GuiObjectDetailsPageType clone(GuiObjectDetailsPageType objectDetails) {
+		GuiObjectDetailsPageType clone = objectDetails.clone();
+		clone.asPrismContainerValue().setId(null);
+		return clone;
 	}
 
 	private static boolean isTheSameObjectType(AbstractObjectTypeConfigurationType oldConf, AbstractObjectTypeConfigurationType newConf) {
@@ -193,19 +211,31 @@ private static void mergeList(GuiObjectListViewsType objectLists, GuiObjectListV
 		// We support only the default object lists now, so simply replace the existing definition with the
 		// latest definition. We will need a more sophisticated merging later.
 		objectLists.getObjectList().removeIf(currentList -> currentList.getType().equals(newList.getType()));
-		objectLists.getObjectList().add(newList.clone());
+		objectLists.getObjectList().add(clone(newList));
+	}
+
+	private static GuiObjectListViewType clone(GuiObjectListViewType newList) {
+		GuiObjectListViewType clone = newList.clone();
+		clone.asPrismContainerValue().setId(null);
+		return clone;
 	}
 
 	private static void mergeWidget(DashboardLayoutType compositeDashboard, DashboardWidgetType newWidget) {
 		String newWidgetIdentifier = newWidget.getIdentifier();
 		DashboardWidgetType compositeWidget = findWidget(compositeDashboard, newWidgetIdentifier);
 		if (compositeWidget == null) {
-			compositeDashboard.getWidget().add(newWidget.clone());
+			compositeDashboard.getWidget().add(clone(newWidget));
 		} else {
 			mergeWidget(compositeWidget, newWidget);
 		}
 	}
 
+	private static DashboardWidgetType clone(DashboardWidgetType newWidget) {
+		DashboardWidgetType clone = newWidget.clone();
+		clone.asPrismContainerValue().setId(null);
+		return clone;
+	}
+
 	public static DashboardWidgetType findWidget(DashboardLayoutType dashboard, String widgetIdentifier) {
 		return findFeature(dashboard.getWidget(), widgetIdentifier);
 	}
@@ -219,12 +249,18 @@ private static void mergeFeature(List<UserInterfaceFeatureType> compositeFeature
 		String newIdentifier = newFeature.getIdentifier();
 		UserInterfaceFeatureType compositeFeature = findFeature(compositeFeatures, newIdentifier);
 		if (compositeFeature == null) {
-			compositeFeatures.add(newFeature.clone());
+			compositeFeatures.add(clone(newFeature));
 		} else {
 			mergeFeature(compositeFeature, newFeature, UserInterfaceElementVisibilityType.AUTOMATIC);
 		}
 	}
 
+	private static UserInterfaceFeatureType clone(UserInterfaceFeatureType newFeature) {
+		UserInterfaceFeatureType clone = newFeature.clone();
+		clone.asPrismContainerValue().setId(null);
+		return clone;
+	}
+
 	private static <T extends UserInterfaceFeatureType> void mergeFeature(T compositeFeature, T newFeature, UserInterfaceElementVisibilityType defaultVisibility) {
 		UserInterfaceElementVisibilityType newCompositeVisibility = mergeVisibility(compositeFeature.getVisibility(), newFeature.getVisibility(), defaultVisibility);
 		compositeFeature.setVisibility(newCompositeVisibility);

repo/repo-sql-impl/src/main/java/com/evolveum/midpoint/repo/sql/data/common/other/RReferenceOwner.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2013 Evolveum
+ * Copyright (c) 2010-2018 Evolveum
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
 
 package com.evolveum.midpoint.repo.sql.data.common.other;
 
+import com.evolveum.midpoint.util.QNameUtil;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
 import org.apache.commons.lang.Validate;
 
@@ -76,7 +77,7 @@ public static RReferenceOwner getOwnerByQName(Class<? extends ObjectType> typeCl
         Validate.notNull(qname, "QName must not be null");
 
         for (RReferenceOwner owner : values()) {
-            if (qname.equals(owner.getElementName()) && owner.getTypeClass().isAssignableFrom(typeClass)) {
+            if (QNameUtil.match(qname, owner.getElementName()) && owner.getTypeClass().isAssignableFrom(typeClass)) {
                 return owner;
             }
         }