From a4b0f8c1092469f2576bf5d2cac7361d24c67c65 Mon Sep 17 00:00:00 2001
From: Slavek Licehammer <slavek@ics.muni.cz>
Date: Mon, 19 Oct 2020 16:40:33 +0200
Subject: [PATCH 1/2] Update to midPoint 4.2-SNAPSHOT

---
 container_files/httpd/conf/midpoint.conf      |   2 +-
 .../httpd/conf/midpoint.conf.auth.internal    |   2 +-
 .../httpd/conf/midpoint.conf.auth.shibboleth  |   2 +-
 .../usr-local-bin/start-midpoint.sh           |   1 +
 .../securityPolicy/000-security-policy.xml    |   8 +-
 .../010-system-configuration.xml              | 288 ++++++++++++++++--
 download-midpoint.sh                          |   2 +-
 7 files changed, 275 insertions(+), 30 deletions(-)

diff --git a/container_files/httpd/conf/midpoint.conf b/container_files/httpd/conf/midpoint.conf
index 2d63bda..656489c 100644
--- a/container_files/httpd/conf/midpoint.conf
+++ b/container_files/httpd/conf/midpoint.conf
@@ -3,4 +3,4 @@ Timeout 2400
 ProxyTimeout 2400
 ProxyBadHeader Ignore
 
-ProxyPass /midpoint ajp://localhost:9090/midpoint  timeout=2400 retry=0
+ProxyPass /midpoint ajp://localhost:9090/midpoint secret=s3cr3t timeout=2400 retry=0
diff --git a/container_files/httpd/conf/midpoint.conf.auth.internal b/container_files/httpd/conf/midpoint.conf.auth.internal
index 2d63bda..57a9992 100644
--- a/container_files/httpd/conf/midpoint.conf.auth.internal
+++ b/container_files/httpd/conf/midpoint.conf.auth.internal
@@ -3,4 +3,4 @@ Timeout 2400
 ProxyTimeout 2400
 ProxyBadHeader Ignore
 
-ProxyPass /midpoint ajp://localhost:9090/midpoint  timeout=2400 retry=0
+ProxyPass /midpoint ajp://localhost:9090/midpoint  secret=s3cr3t timeout=2400 retry=0
diff --git a/container_files/httpd/conf/midpoint.conf.auth.shibboleth b/container_files/httpd/conf/midpoint.conf.auth.shibboleth
index ca38a30..e8fcc24 100644
--- a/container_files/httpd/conf/midpoint.conf.auth.shibboleth
+++ b/container_files/httpd/conf/midpoint.conf.auth.shibboleth
@@ -3,7 +3,7 @@ Timeout 2400
 ProxyTimeout 2400
 ProxyBadHeader Ignore
 
-ProxyPass /midpoint ajp://localhost:9090/midpoint  timeout=2400 retry=0
+ProxyPass /midpoint ajp://localhost:9090/midpoint secret=s3cr3t timeout=2400 retry=0
 
 <Location /midpoint>
   AuthType shibboleth
diff --git a/container_files/usr-local-bin/start-midpoint.sh b/container_files/usr-local-bin/start-midpoint.sh
index e729fec..4b19fb3 100755
--- a/container_files/usr-local-bin/start-midpoint.sh
+++ b/container_files/usr-local-bin/start-midpoint.sh
@@ -52,6 +52,7 @@ java -Xmx$MP_MEM_MAX -Xms$MP_MEM_INIT -Dfile.encoding=UTF8 \
        -Dspring.profiles.active="`$MP_DIR/active-spring-profiles`" \
        -Dserver.tomcat.ajp.enabled=$AJP_ENABLED \
        -Dserver.tomcat.ajp.port=$AJP_PORT \
+       -Dserver.tomcat.ajp.secret=s3cr3t \
        -Dlogging.path=/tmp/logtomcat \
        $MP_JAVA_OPTS \
        -jar $MP_DIR/lib/midpoint.war &>/tmp/logmidpoint-console
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml b/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml
index 4b39fd3..77aa0f3 100644
--- a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml
+++ b/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml
@@ -70,7 +70,7 @@
                 Default GUI authentication sequence.
             </description>
             <channel>
-                <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
+                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
                 <default>true</default>
                 <urlSuffix>gui-default</urlSuffix>
             </channel>
@@ -86,7 +86,7 @@
                 Special GUI authentication sequence that is using just the internal user password.
             </description>
             <channel>
-                <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
+                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
                 <default>false</default>
                 <urlSuffix>emergency</urlSuffix>
             </channel>
@@ -104,7 +104,7 @@
                 Authentication sequence for REST service.
             </description>
             <channel>
-                <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#rest</channelId>
+                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId>
                 <default>true</default>
                 <urlSuffix>rest-default</urlSuffix>
             </channel>
@@ -120,7 +120,7 @@
                 Authentication sequence for actuator.
             </description>
             <channel>
-                <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#actuator</channelId>
+                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#actuator</channelId>
                 <default>true</default>
                 <urlSuffix>actuator-default</urlSuffix>
             </channel>
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/systemConfigurations/010-system-configuration.xml b/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/systemConfigurations/010-system-configuration.xml
index 7355929..cfe767f 100644
--- a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/systemConfigurations/010-system-configuration.xml
+++ b/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/systemConfigurations/010-system-configuration.xml
@@ -1,51 +1,81 @@
+<?xml version="1.0" encoding="UTF-8"?>
 <!--
-  ~ Copyright (c) 2019 Evolveum and contributors
+  ~ Copyright (c) 2010-2019 Evolveum and contributors
   ~
   ~ This work is dual-licensed under the Apache License 2.0
   ~ and European Union Public License. See LICENSE file for details.
   -->
-
-<systemConfiguration xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" oid="00000000-0000-0000-0000-000000000001" version="2">
+<systemConfiguration oid="00000000-0000-0000-0000-000000000001" version="0"
+                     xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+                     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+                     xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3"
+                     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
+                     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+                     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+                     xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+                     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+                     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <name>SystemConfiguration</name>
-    <globalSecurityPolicyRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" oid="00000000-0000-0000-0000-000000000120" relation="org:default" type="tns:SecurityPolicyType"/>
+    <!--         <globalAccountSynchronizationSettings> -->
+    <!--         <assignmentPolicyEnforcement>relative</assignmentPolicyEnforcement> -->
+    <!--         </globalAccountSynchronizationSettings> -->
+    <globalSecurityPolicyRef oid="00000000-0000-0000-0000-000000000120"/>
     <logging>
-        <classLogger id="1">
+        <classLogger>
             <level>ERROR</level>
             <package>ro.isdc.wro.extensions.processor.css.Less4jProcessor</package>
         </classLogger>
-        <classLogger id="2">
+        <classLogger>
+            <!-- disabled because of MID-744, helper insert messages on ERROR
+            level which should not be there (probably should be on TRACE) -->
             <level>OFF</level>
             <package>org.hibernate.engine.jdbc.spi.SqlExceptionHelper</package>
         </classLogger>
-        <classLogger id="3">
+        <!-- Disabled because we treat locking-related exceptions in the repository.
+             Otherwise the log is filled-in with (innocent but ugly-looking) messages like
+             "ERROR (o.h.engine.jdbc.batch.internal.BatchingBatch): HHH000315: Exception executing batch [Deadlock detected.
+             The current transaction was rolled back." -->
+        <classLogger>
             <level>OFF</level>
             <package>org.hibernate.engine.jdbc.batch.internal.BatchingBatch</package>
         </classLogger>
-        <classLogger id="4">
+        <!-- Disabled because of the same reason; this time concerning messages like
+             "INFO (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl):
+             HHH000010: On release of batch it still contained JDBC statements" -->
+        <classLogger>
             <level>WARN</level>
             <package>org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl</package>
         </classLogger>
-        <classLogger id="5">
+        <!-- Diesabled because of MID-4636 -->
+        <classLogger>
             <level>OFF</level>
             <package>org.hibernate.internal.ExceptionMapperStandardImpl</package>
         </classLogger>
-        <classLogger id="6">
+        <classLogger>
+            <!-- disabled because of MID-1612, jasper library needs to be fixed -->
             <level>OFF</level>
             <package>net.sf.jasperreports.engine.fill.JRFillDataset</package>
         </classLogger>
-        <classLogger id="7">
+        <classLogger>
+            <!-- disabled because we don't need to see every property file
+            loading message (unnecessary log pollution) -->
             <level>WARN</level>
             <package>org.apache.wicket.resource.PropertiesFactory</package>
         </classLogger>
-        <classLogger id="8">
+        <classLogger>
+            <!-- disabled because we don't need to see every log message for every key
+            when resource bundle doesn't exist for specific locale (unnecessary log pollution) -->
             <level>ERROR</level>
             <package>org.springframework.context.support.ResourceBundleMessageSource</package>
         </classLogger>
-        <classLogger id="9">
+        <classLogger>
+            <!-- Standard useful logger -->
             <level>INFO</level>
             <package>com.evolveum.midpoint.model.impl.lens.projector.Projector</package>
         </classLogger>
-        <classLogger id="10">
+        <classLogger>
+            <!-- Standard useful logger -->
             <level>INFO</level>
             <package>com.evolveum.midpoint.model.impl.lens.Clockwork</package>
         </classLogger>
@@ -53,18 +83,20 @@
             <level>DEBUG</level>
             <package>com.evolveum.polygon.connector.grouper</package>
         </classLogger>
-        <appender id="11" xsi:type="c:FileAppenderConfigurationType">
+
+        <appender xsi:type="c:FileAppenderConfigurationType" name="MIDPOINT_LOG"
+                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <pattern>%date [%X{subsystem}] [%thread] %level \(%logger\): %msg%n</pattern>
-            <name>MIDPOINT_LOG</name>
             <fileName>${midpoint.home}/log/midpoint.log</fileName>
             <filePattern>${midpoint.home}/log/midpoint-%d{yyyy-MM-dd}.%i.log</filePattern>
             <maxHistory>10</maxHistory>
             <maxFileSize>100MB</maxFileSize>
             <append>true</append>
         </appender>
-        <appender id="12" xsi:type="c:FileAppenderConfigurationType">
+        <!-- Appender for profiling purposes -->
+        <appender xsi:type="c:FileAppenderConfigurationType" name="MIDPOINT_PROFILE_LOG"
+                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <pattern>%date %level: %msg%n</pattern>
-            <name>MIDPOINT_PROFILE_LOG</name>
             <fileName>${midpoint.home}/log/midpoint-profile.log</fileName>
             <filePattern>${midpoint.home}/log/midpoint-profile-%d{yyyy-MM-dd}.%i.log</filePattern>
             <maxHistory>10</maxHistory>
@@ -212,7 +244,7 @@
         <name>demo/grouper</name>
     </deploymentInformation>
     <adminGuiConfiguration>
-        <userDashboardLink id="13">
+        <userDashboardLink>
             <targetUrl>/self/profile</targetUrl>
             <label>Profile</label>
             <description>View/edit your profile</description>
@@ -223,7 +255,7 @@
             <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfProfile</authorization>
             <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll</authorization>
         </userDashboardLink>
-        <userDashboardLink id="14">
+        <userDashboardLink>
             <targetUrl>/self/credentials</targetUrl>
             <label>Credentials</label>
             <description>View/edit your credentials</description>
@@ -234,7 +266,7 @@
             <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfCredentials</authorization>
             <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll</authorization>
         </userDashboardLink>
-        <userDashboardLink id="15">
+        <userDashboardLink>
             <targetUrl>/admin/users</targetUrl>
             <label>List users</label>
             <icon>
@@ -243,7 +275,7 @@
             <color>red</color>
             <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</authorization>
         </userDashboardLink>
-        <userDashboardLink id="16">
+        <userDashboardLink>
             <targetUrl>/admin/resources</targetUrl>
             <label>List resources</label>
             <icon>
@@ -536,4 +568,216 @@
         <useLegacyApproversSpecification>never</useLegacyApproversSpecification>
         <useDefaultApprovalPolicyRules>never</useDefaultApprovalPolicyRules>
     </workflowConfiguration>
+
+    <expressions>
+        <expressionProfile>
+            <identifier>safe</identifier>
+            <description>
+                "Safe" expression profile. It is supposed to contain only operations that are "safe",
+                i.e. operations that have very little risk to harm the system, circumvent midPoint security
+                and so on. Use of those operations should be reasonably safe in all expressions.
+                However, there are limitations. This profile may incomplete or it may even be not completely secure.
+                Proper security testing of this profile was not yet conducted. It is provided here "AS IS",
+                without any guarantees. Use at your own risk.
+            </description>
+            <decision>deny</decision> <!-- default decision of those evaluators that are not explicitly enumerated. -->
+            <evaluator>
+                <type>asIs</type>
+                <decision>allow</decision>
+            </evaluator>
+            <evaluator>
+                <type>path</type>
+                <decision>allow</decision>
+            </evaluator>
+            <evaluator>
+                <type>value</type>
+                <decision>allow</decision>
+            </evaluator>
+            <evaluator>
+                <type>const</type>
+                <decision>allow</decision>
+            </evaluator>
+            <evaluator>
+                <type>script</type>
+                <decision>deny</decision> <!-- default decision of those script languages that are not explicitly enumerated. -->
+                <script>
+                    <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
+                    <decision>allow</decision>
+                    <typeChecking>true</typeChecking>
+                    <permissionProfile>script-safe</permissionProfile>
+                </script>
+            </evaluator>
+        </expressionProfile>
+        <permissionProfile>
+            <identifier>script-safe</identifier>
+            <decision>deny</decision> <!-- Default decision for those classes that are not explicitly enumerated. -->
+            <package>
+                <name>com.evolveum.midpoint.xml.ns._public.common.common_3</name>
+                <description>MidPoint common schema - generated bean classes</description>
+                <decision>allow</decision>
+            </package>
+            <package>
+                <name>com.evolveum.prism.xml.ns._public.types_3</name>
+                <description>Prism schema - bean classes</description>
+                <decision>allow</decision>
+            </package>
+            <class>
+                <name>java.lang.Integer</name>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>java.lang.Object</name>
+                    <description>Basic Java operations.</description>
+                    <decision>deny</decision>
+                    <method>
+                        <name>equals</name>
+                        <decision>allow</decision>
+                    </method><method>
+                        <name>hashCode</name>
+                        <decision>allow</decision>
+                    </method>
+            </class>
+            <class>
+                <name>java.lang.String</name>
+                    <description>String operations are generally safe. But Groovy is adding execute() method which is very dangerous.</description>
+                    <decision>allow</decision> <!-- Default decision for those methods that are not explicitly enumerated. -->
+                    <method>
+                        <name>execute</name>
+                        <decision>deny</decision>
+                    </method>
+            </class>
+            <class>
+                <name>java.lang.CharSequence</name>
+                    <decision>allow</decision>
+            </class>
+            <class>
+                <name>java.lang.Enum</name>
+                    <decision>allow</decision>
+            </class>
+            <class>
+                <name>java.util.List</name>
+                    <description>List operations are generally safe. But Groovy is adding execute() method which is very dangerous.</description>
+                    <decision>allow</decision>
+                    <method>
+                        <name>execute</name>
+                        <decision>deny</decision>
+                    </method>
+            </class>
+            <class>
+                <name>java.util.ArrayList</name>
+                    <description>List operations are generally safe. But Groovy is adding execute() method which is very dangerous.</description>
+                    <decision>allow</decision>
+                    <method>
+                        <name>execute</name>
+                        <decision>deny</decision>
+                    </method>
+            </class>
+            <class>
+                <name>java.util.Map</name>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>java.util.HashMap</name>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>java.util.Date</name>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>javax.xml.namespace.QName</name>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>javax.xml.datatype.XMLGregorianCalendar</name>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>java.lang.System</name>
+                <description>Just a few methods of System are safe enough.</description>
+                <decision>deny</decision>
+                <method>
+                    <name>currentTimeMillis</name>
+                    <decision>allow</decision>
+                </method>
+            </class>
+            <class>
+                <name>java.lang.IllegalStateException</name>
+                <description>Basic Java exception. Also used in test.</description>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>java.lang.IllegalArgumentException</name>
+                <description>Basic Java exception.</description>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>com.evolveum.midpoint.model.common.expression.functions.BasicExpressionFunctions</name>
+                <description>MidPoint basic functions library</description>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>com.evolveum.midpoint.model.common.expression.functions.LogExpressionFunctions</name>
+                <description>MidPoint logging functions library</description>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>com.evolveum.midpoint.report.impl.ReportFunctions</name>
+                <description>MidPoint report functions library</description>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>org.apache.commons.lang.StringUtils</name>
+                <description>Apache Commons: Strings</description>
+                <decision>allow</decision>
+            </class>
+
+            <!-- Following may be needed for audit reports. But they may not be completely safe.
+                 Therefore the following section is commented out. Please closely evaluate those rules
+                 before using them. -->
+            <!--  <class>
+                <name>com.evolveum.midpoint.schema.expression.VariablesMap</name>
+                <description>Expression variables map.</description>
+                <decision>deny</decision>
+                <method>
+                    <name>get</name>
+                    <decision>allow</decision>
+                </method>
+                <method>
+                    <name>remove</name>
+                    <decision>allow</decision>
+                </method>
+            </class>
+            <class>
+                <name>com.evolveum.midpoint.schema.expression.TypedValue</name>
+                <description>Typed values, holding expression variables. Read-only access.</description>
+                <decision>deny</decision>
+                <method>
+                    <name>getValue</name>
+                    <decision>allow</decision>
+                </method>
+            </class>
+            <class>
+                <name>com.evolveum.midpoint.report.impl.ReportUtils</name>
+                <decision>deny</decision>
+                <method>
+                    <name>convertDateTime</name>
+                    <decision>allow</decision>
+                </method>
+                <method>
+                    <name>getPropertyString</name>
+                    <decision>allow</decision>
+                </method>
+                <method>
+                    <name>printDelta</name>
+                    <decision>allow</decision>
+                </method>
+            </class>
+            <class>
+                <name>com.evolveum.midpoint.prism.PrismReferenceValue</name>
+                <decision>allow</decision>
+            </class> -->
+        </permissionProfile>
+    </expressions>
+
 </systemConfiguration>
diff --git a/download-midpoint.sh b/download-midpoint.sh
index c317e1b..0f808e0 100755
--- a/download-midpoint.sh
+++ b/download-midpoint.sh
@@ -10,7 +10,7 @@ else
     # But if we need to incorporate interim changes to I2 distribution during
     # midPoint development cycle, we can specify concrete file from "midpoint-tier"
     # download directory by using its name (like "latest-stable").
-    MP_VERSION="4.1"
+    MP_VERSION="4.2-SNAPSHOT"
   else
     MP_VERSION=$tag
   fi

From 64a6506f0df1f4ccce4bbf0a2fa7c8ae4655e95a Mon Sep 17 00:00:00 2001
From: Keith Hazelton <khazelton@gmail.com>
Date: Mon, 19 Oct 2020 13:29:03 -0500
Subject: [PATCH 2/2] Update Dockerfile

---
 demo/grouper/midpoint_server/Dockerfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/demo/grouper/midpoint_server/Dockerfile b/demo/grouper/midpoint_server/Dockerfile
index 34ce0cd..982407b 100644
--- a/demo/grouper/midpoint_server/Dockerfile
+++ b/demo/grouper/midpoint_server/Dockerfile
@@ -1,4 +1,6 @@
-FROM tier/midpoint:latest
+# FROM tier/midpoint:latest
+
+FROM docker/midpoint:latest
 
 MAINTAINER info@evolveum.com