From 60832668bd56ee72794ed606f6332583e8dce4b5 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Wed, 25 Aug 2021 17:02:51 +0000
Subject: [PATCH 1/5] fix for IdPUI and bypass basic auth for grouper WS

---
 Workbench/idp_ui/container_files/idp_ui/application.yml | 4 ++--
 Workbench/webproxy/container_files/httpd/ssl.conf       | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/Workbench/idp_ui/container_files/idp_ui/application.yml b/Workbench/idp_ui/container_files/idp_ui/application.yml
index a7c17b7..cf04975 100644
--- a/Workbench/idp_ui/container_files/idp_ui/application.yml
+++ b/Workbench/idp_ui/container_files/idp_ui/application.yml
@@ -28,7 +28,7 @@ shibui:
     forceServiceProviderMetadataGeneration: false
     callbackUrl: "https://__CSPHOSTNAME__/idpui/callback"
     maximumAuthenticationLifetime: 3600000
-    saml2ProfileMapping:
+    simpleProfileMapping:
       username: urn:oid:0.9.2342.19200300.100.1.1
       firstname: urn:oid:2.5.4.42
       lastname: urn:oid:2.5.4.4
@@ -45,4 +45,4 @@ spring:
     hibernate:
       ddl-auto: update
 
-     
\ No newline at end of file
+     
diff --git a/Workbench/webproxy/container_files/httpd/ssl.conf b/Workbench/webproxy/container_files/httpd/ssl.conf
index fbc437a..a0f150a 100644
--- a/Workbench/webproxy/container_files/httpd/ssl.conf
+++ b/Workbench/webproxy/container_files/httpd/ssl.conf
@@ -152,6 +152,12 @@ SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
     Satisfy any
 </Location>
 
+<Location "/grouper-ws/servicesRest/">
+    Order deny,allow
+    Allow from all
+    Satisfy any
+</Location>
+
 <Location />
   AuthType Basic
   AuthName "Restricted CSP content"

From d7752dd9d6b76b1d359610b16a8d7c72307e8dd6 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Tue, 31 Aug 2021 17:12:13 +0000
Subject: [PATCH 2/5] bump midpoint to 4.3.2

---
 Workbench/idp/Dockerfile                      |   3 +
 Workbench/midpoint_server/Dockerfile          |   3 +-
 .../resources/100-grouper.xml                 |   2 +-
 .../010-system-configuration.xml              | 361 ++++++++++++++++--
 .../webproxy/container_files/httpd/index.html |   2 +-
 5 files changed, 335 insertions(+), 36 deletions(-)

diff --git a/Workbench/idp/Dockerfile b/Workbench/idp/Dockerfile
index 2ab14b2..4309126 100644
--- a/Workbench/idp/Dockerfile
+++ b/Workbench/idp/Dockerfile
@@ -6,6 +6,9 @@ ARG CSPHOSTNAME=localhost
 ENV CSPHOSTNAME=$CSPHOSTNAME
 
 COPY shibboleth-idp/ /opt/shibboleth-idp/
+#rather than copying metadata files included in above folder and including in config, instead upload these files to the IdP UI
+#  API info here: https://documenter.getpostman.com/view/446764/TzzHmCkn
+
 
 RUN mkdir -p /opt/shibboleth-idp/metadata/generated && mkdir -p /opt/shibboleth-idp/conf/generated
 
diff --git a/Workbench/midpoint_server/Dockerfile b/Workbench/midpoint_server/Dockerfile
index a9464b9..82f1cef 100644
--- a/Workbench/midpoint_server/Dockerfile
+++ b/Workbench/midpoint_server/Dockerfile
@@ -1,4 +1,5 @@
-FROM tier/midpoint:latest
+FROM tier/midpoint:4.3.2-SNAPSHOT
+#FROM tier/midpoint:latest
 
 MAINTAINER info@evolveum.com
 
diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-grouper.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-grouper.xml
index 9b5b20e..92ab570 100644
--- a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-grouper.xml
+++ b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-grouper.xml
@@ -14,7 +14,7 @@
           xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
 		  xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
 		  xmlns:rest="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-grouper-rest/com.evolveum.polygon.connector.grouper.rest.GrouperConnector"
-		  xmlns:conf="http://midpoint.evolveum.com/xml/ns/public/connector/builtin-1/bundle/com.evolveum.midpoint.provisioning.ucf.impl.builtin.async/AsyncUpdateConnector"
+		  xmlns:conf="http://midpoint.evolveum.com/xml/ns/public/connector/builtin-1/bundle/com.evolveum.midpoint.provisioning.ucf.impl.builtin.async.update/AsyncUpdateConnector"
           xmlns:xsd="http://www.w3.org/2001/XMLSchema"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 
diff --git a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/systemConfigurations/010-system-configuration.xml b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/systemConfigurations/010-system-configuration.xml
index 7355929..73b6c7f 100644
--- a/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/systemConfigurations/010-system-configuration.xml
+++ b/Workbench/midpoint_server/container_files/mp-home/post-initial-objects/systemConfigurations/010-system-configuration.xml
@@ -1,51 +1,87 @@
+<?xml version="1.0" encoding="UTF-8"?>
 <!--
-  ~ Copyright (c) 2019 Evolveum and contributors
+  ~ Copyright (c) 2010-2019 Evolveum and contributors
   ~
   ~ This work is dual-licensed under the Apache License 2.0
   ~ and European Union Public License. See LICENSE file for details.
   -->
-
-<systemConfiguration xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" oid="00000000-0000-0000-0000-000000000001" version="2">
+<systemConfiguration oid="00000000-0000-0000-0000-000000000001" version="0"
+                     xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+                     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+                     xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3"
+                     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
+                     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+                     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+                     xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+                     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+                     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <name>SystemConfiguration</name>
-    <globalSecurityPolicyRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" oid="00000000-0000-0000-0000-000000000120" relation="org:default" type="tns:SecurityPolicyType"/>
+    <!--         <globalAccountSynchronizationSettings> -->
+    <!--         <assignmentPolicyEnforcement>relative</assignmentPolicyEnforcement> -->
+    <!--         </globalAccountSynchronizationSettings> -->
+    <globalSecurityPolicyRef oid="00000000-0000-0000-0000-000000000120"/>
     <logging>
-        <classLogger id="1">
+        <classLogger>
             <level>ERROR</level>
             <package>ro.isdc.wro.extensions.processor.css.Less4jProcessor</package>
         </classLogger>
-        <classLogger id="2">
+        <classLogger>
+            <!-- disabled because INFO log during of creating
+            new authentication filter chain -->
+            <level>OFF</level>
+            <package>org.springframework.security.web.DefaultSecurityFilterChain</package>
+        </classLogger>
+        <classLogger>
+            <!-- disabled because of MID-744, helper insert messages on ERROR
+            level which should not be there (probably should be on TRACE) -->
             <level>OFF</level>
             <package>org.hibernate.engine.jdbc.spi.SqlExceptionHelper</package>
         </classLogger>
-        <classLogger id="3">
+        <!-- Disabled because we treat locking-related exceptions in the repository.
+             Otherwise the log is filled-in with (innocent but ugly-looking) messages like
+             "ERROR (o.h.engine.jdbc.batch.internal.BatchingBatch): HHH000315: Exception executing batch [Deadlock detected.
+             The current transaction was rolled back." -->
+        <classLogger>
             <level>OFF</level>
             <package>org.hibernate.engine.jdbc.batch.internal.BatchingBatch</package>
         </classLogger>
-        <classLogger id="4">
+        <!-- Disabled because of the same reason; this time concerning messages like
+             "INFO (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl):
+             HHH000010: On release of batch it still contained JDBC statements" -->
+        <classLogger>
             <level>WARN</level>
             <package>org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl</package>
         </classLogger>
-        <classLogger id="5">
+        <!-- Disabled because of MID-4636 -->
+        <classLogger>
             <level>OFF</level>
             <package>org.hibernate.internal.ExceptionMapperStandardImpl</package>
         </classLogger>
-        <classLogger id="6">
+        <classLogger>
+            <!-- disabled because of MID-1612, jasper library needs to be fixed -->
             <level>OFF</level>
             <package>net.sf.jasperreports.engine.fill.JRFillDataset</package>
         </classLogger>
-        <classLogger id="7">
+        <classLogger>
+            <!-- disabled because we don't need to see every property file
+            loading message (unnecessary log pollution) -->
             <level>WARN</level>
             <package>org.apache.wicket.resource.PropertiesFactory</package>
         </classLogger>
-        <classLogger id="8">
+        <classLogger>
+            <!-- disabled because we don't need to see every log message for every key
+            when resource bundle doesn't exist for specific locale (unnecessary log pollution) -->
             <level>ERROR</level>
             <package>org.springframework.context.support.ResourceBundleMessageSource</package>
         </classLogger>
-        <classLogger id="9">
+        <classLogger>
+            <!-- Standard useful logger -->
             <level>INFO</level>
             <package>com.evolveum.midpoint.model.impl.lens.projector.Projector</package>
         </classLogger>
-        <classLogger id="10">
+        <classLogger>
+            <!-- Standard useful logger -->
             <level>INFO</level>
             <package>com.evolveum.midpoint.model.impl.lens.Clockwork</package>
         </classLogger>
@@ -53,18 +89,20 @@
             <level>DEBUG</level>
             <package>com.evolveum.polygon.connector.grouper</package>
         </classLogger>
-        <appender id="11" xsi:type="c:FileAppenderConfigurationType">
+
+        <appender xsi:type="c:FileAppenderConfigurationType" name="MIDPOINT_LOG"
+                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <pattern>%date [%X{subsystem}] [%thread] %level \(%logger\): %msg%n</pattern>
-            <name>MIDPOINT_LOG</name>
             <fileName>${midpoint.home}/log/midpoint.log</fileName>
             <filePattern>${midpoint.home}/log/midpoint-%d{yyyy-MM-dd}.%i.log</filePattern>
             <maxHistory>10</maxHistory>
             <maxFileSize>100MB</maxFileSize>
             <append>true</append>
         </appender>
-        <appender id="12" xsi:type="c:FileAppenderConfigurationType">
+        <!-- Appender for profiling purposes -->
+        <appender xsi:type="c:FileAppenderConfigurationType" name="MIDPOINT_PROFILE_LOG"
+                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <pattern>%date %level: %msg%n</pattern>
-            <name>MIDPOINT_PROFILE_LOG</name>
             <fileName>${midpoint.home}/log/midpoint-profile.log</fileName>
             <filePattern>${midpoint.home}/log/midpoint-profile-%d{yyyy-MM-dd}.%i.log</filePattern>
             <maxHistory>10</maxHistory>
@@ -209,13 +247,13 @@
         </tracing>
     </internals>
     <deploymentInformation>
-        <name>demo/grouper</name>
+        <name>CSP-Workbench</name>
     </deploymentInformation>
     <adminGuiConfiguration>
-        <userDashboardLink id="13">
+        <userDashboardLink>
             <targetUrl>/self/profile</targetUrl>
-            <label>Profile</label>
-            <description>View/edit your profile</description>
+            <label>PageSelfDashboard.profile</label>
+            <description>PageSelfDashboard.profile.description</description>
             <icon>
                 <cssClass>fa fa-user</cssClass>
             </icon>
@@ -223,10 +261,10 @@
             <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfProfile</authorization>
             <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll</authorization>
         </userDashboardLink>
-        <userDashboardLink id="14">
+        <userDashboardLink>
             <targetUrl>/self/credentials</targetUrl>
-            <label>Credentials</label>
-            <description>View/edit your credentials</description>
+            <label>PageSelfDashboard.credentials</label>
+            <description>PageSelfDashboard.credentials.description</description>
             <icon>
                 <cssClass>fa fa-shield</cssClass>
             </icon>
@@ -234,18 +272,18 @@
             <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfCredentials</authorization>
             <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll</authorization>
         </userDashboardLink>
-        <userDashboardLink id="15">
+        <userDashboardLink>
             <targetUrl>/admin/users</targetUrl>
-            <label>List users</label>
+            <label>PageSelfDashboard.listUsers</label>
             <icon>
                 <cssClass>fa fa-users</cssClass>
             </icon>
             <color>red</color>
             <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</authorization>
         </userDashboardLink>
-        <userDashboardLink id="16">
+        <userDashboardLink>
             <targetUrl>/admin/resources</targetUrl>
-            <label>List resources</label>
+            <label>PageSelfDashboard.listResources</label>
             <icon>
                 <cssClass>fa fa-database</cssClass>
             </icon>
@@ -258,7 +296,12 @@
                 <display>
                     <label>My cases</label>
                     <!-- We need to explicitly specify plural label here. Otherwise it will be overwritten by a plural label from archetype. -->
-                    <pluralLabel>My cases</pluralLabel>
+                    <pluralLabel>
+                        <orig>My cases</orig>
+                        <translation>
+                            <key>MyCases.title</key>
+                        </translation>
+                    </pluralLabel>
                     <singularLabel>My case</singularLabel>
                     <icon>
                         <cssClass>fe fe-case-object</cssClass>
@@ -276,7 +319,12 @@
                 <display>
                     <label>Manual cases</label> <!-- "Manual provisioning cases" is too long for the menu -->
                     <!-- We need to explicitly specify plural label here. Otherwise it will be overwritten by a plural label from archetype. -->
-                    <pluralLabel>All manual cases</pluralLabel>
+                    <pluralLabel>
+                        <orig>All manual cases</orig>
+                        <translation>
+                            <key>AllManualCases.title</key>
+                        </translation>
+                    </pluralLabel>
                     <singularLabel>Manual case</singularLabel>
                     <tooltip>Manual provisioning cases</tooltip>
                 </display>
@@ -292,7 +340,12 @@
                 <display>
                     <label>Requests</label> <!-- "Operation requests" is too long for the menu -->
                     <!-- We need to explicitly specify plural label here. Otherwise it will be overwritten by a plural label from archetype. -->
-                    <pluralLabel>All requests</pluralLabel>
+                    <pluralLabel>
+                        <orig>All requests</orig>
+                        <translation>
+                            <key>AllRequests.title</key>
+                        </translation>
+                    </pluralLabel>
                     <singularLabel>Request</singularLabel>
                     <tooltip>Operation requests</tooltip>
                 </display>
@@ -308,7 +361,12 @@
                 <display>
                     <label>Approvals</label> <!-- "Approval cases" is too long for the menu -->
                     <!-- We need to explicitly specify plural label here. Otherwise it will be overwritten by a plural label from archetype. -->
-                    <pluralLabel>All approvals</pluralLabel>
+                    <pluralLabel>
+                        <orig>All approvals</orig>
+                        <translation>
+                            <key>AllApprovals.title</key>
+                        </translation>
+                    </pluralLabel>
                     <singularLabel>Approval</singularLabel>
                     <tooltip>Approval cases</tooltip>
                 </display>
@@ -423,6 +481,20 @@
                     <collectionRef oid="00000000-0000-0000-0000-000000000529" relation="org:default" type="c:ArchetypeType"/>
                 </collection>
             </objectCollectionView>
+            <objectCollectionView>
+                <identifier>dashboard-reports-view</identifier>
+                <type>ReportType</type>
+                <collection>
+                    <collectionRef oid="00000000-0000-0000-0000-000000000170" relation="org:default" type="c:ArchetypeType"/>
+                </collection>
+            </objectCollectionView>
+            <objectCollectionView>
+                <identifier>collection-reports-view</identifier>
+                <type>ReportType</type>
+                <collection>
+                    <collectionRef oid="00000000-0000-0000-0000-000000000171" relation="org:default" type="c:ArchetypeType"/>
+                </collection>
+            </objectCollectionView>
         </objectCollectionViews>
         <objectDetails>
             <objectDetailsPage>
@@ -453,6 +525,9 @@
                     <item>
                         <c:path>executionStatus</c:path>
                     </item>
+                    <item>
+                        <c:path>schedulingState</c:path>
+                    </item>
                     <item>
                         <c:path>node</c:path>
                     </item>
@@ -486,6 +561,9 @@
                     <item>
                         <c:path>stateBeforeSuspend</c:path>
                     </item>
+                    <item>
+                        <path>schedulingStateBeforeSuspend</path>
+                    </item>
                     <item>
                         <c:path>category</c:path>
                     </item>
@@ -531,9 +609,226 @@
             </objectDetailsPage>
         </objectDetails>
         <enableExperimentalFeatures>true</enableExperimentalFeatures>
+        <configurableUserDashboard>
+            <identifier>admin-dashboard</identifier>
+            <configurableDashboardRef oid="00000000-0000-0000-0001-000000000001" relation="org:default" type="c:DashboardType"/>
+        </configurableUserDashboard>
     </adminGuiConfiguration>
     <workflowConfiguration>
         <useLegacyApproversSpecification>never</useLegacyApproversSpecification>
         <useDefaultApprovalPolicyRules>never</useDefaultApprovalPolicyRules>
     </workflowConfiguration>
+
+    <expressions>
+        <expressionProfile>
+            <identifier>safe</identifier>
+            <description>
+                "Safe" expression profile. It is supposed to contain only operations that are "safe",
+                i.e. operations that have very little risk to harm the system, circumvent midPoint security
+                and so on. Use of those operations should be reasonably safe in all expressions.
+                However, there are limitations. This profile may incomplete or it may even be not completely secure.
+                Proper security testing of this profile was not yet conducted. It is provided here "AS IS",
+                without any guarantees. Use at your own risk.
+            </description>
+            <decision>deny</decision> <!-- default decision of those evaluators that are not explicitly enumerated. -->
+            <evaluator>
+                <type>asIs</type>
+                <decision>allow</decision>
+            </evaluator>
+            <evaluator>
+                <type>path</type>
+                <decision>allow</decision>
+            </evaluator>
+            <evaluator>
+                <type>value</type>
+                <decision>allow</decision>
+            </evaluator>
+            <evaluator>
+                <type>const</type>
+                <decision>allow</decision>
+            </evaluator>
+            <evaluator>
+                <type>script</type>
+                <decision>deny</decision> <!-- default decision of those script languages that are not explicitly enumerated. -->
+                <script>
+                    <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
+                    <decision>allow</decision>
+                    <typeChecking>true</typeChecking>
+                    <permissionProfile>script-safe</permissionProfile>
+                </script>
+            </evaluator>
+        </expressionProfile>
+        <permissionProfile>
+            <identifier>script-safe</identifier>
+            <decision>deny</decision> <!-- Default decision for those classes that are not explicitly enumerated. -->
+            <package>
+                <name>com.evolveum.midpoint.xml.ns._public.common.common_3</name>
+                <description>MidPoint common schema - generated bean classes</description>
+                <decision>allow</decision>
+            </package>
+            <package>
+                <name>com.evolveum.prism.xml.ns._public.types_3</name>
+                <description>Prism schema - bean classes</description>
+                <decision>allow</decision>
+            </package>
+            <class>
+                <name>java.lang.Integer</name>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>java.lang.Object</name>
+                    <description>Basic Java operations.</description>
+                    <decision>deny</decision>
+                    <method>
+                        <name>equals</name>
+                        <decision>allow</decision>
+                    </method><method>
+                        <name>hashCode</name>
+                        <decision>allow</decision>
+                    </method>
+            </class>
+            <class>
+                <name>java.lang.String</name>
+                    <description>String operations are generally safe. But Groovy is adding execute() method which is very dangerous.</description>
+                    <decision>allow</decision> <!-- Default decision for those methods that are not explicitly enumerated. -->
+                    <method>
+                        <name>execute</name>
+                        <decision>deny</decision>
+                    </method>
+            </class>
+            <class>
+                <name>java.lang.CharSequence</name>
+                    <decision>allow</decision>
+            </class>
+            <class>
+                <name>java.lang.Enum</name>
+                    <decision>allow</decision>
+            </class>
+            <class>
+                <name>java.util.List</name>
+                    <description>List operations are generally safe. But Groovy is adding execute() method which is very dangerous.</description>
+                    <decision>allow</decision>
+                    <method>
+                        <name>execute</name>
+                        <decision>deny</decision>
+                    </method>
+            </class>
+            <class>
+                <name>java.util.ArrayList</name>
+                    <description>List operations are generally safe. But Groovy is adding execute() method which is very dangerous.</description>
+                    <decision>allow</decision>
+                    <method>
+                        <name>execute</name>
+                        <decision>deny</decision>
+                    </method>
+            </class>
+            <class>
+                <name>java.util.Map</name>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>java.util.HashMap</name>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>java.util.Date</name>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>javax.xml.namespace.QName</name>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>javax.xml.datatype.XMLGregorianCalendar</name>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>java.lang.System</name>
+                <description>Just a few methods of System are safe enough.</description>
+                <decision>deny</decision>
+                <method>
+                    <name>currentTimeMillis</name>
+                    <decision>allow</decision>
+                </method>
+            </class>
+            <class>
+                <name>java.lang.IllegalStateException</name>
+                <description>Basic Java exception. Also used in test.</description>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>java.lang.IllegalArgumentException</name>
+                <description>Basic Java exception.</description>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>com.evolveum.midpoint.model.common.expression.functions.BasicExpressionFunctions</name>
+                <description>MidPoint basic functions library</description>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>com.evolveum.midpoint.model.common.expression.functions.LogExpressionFunctions</name>
+                <description>MidPoint logging functions library</description>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>com.evolveum.midpoint.report.impl.ReportFunctions</name>
+                <description>MidPoint report functions library</description>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>org.apache.commons.lang.StringUtils</name>
+                <description>Apache Commons: Strings</description>
+                <decision>allow</decision>
+            </class>
+
+            <!-- Following may be needed for audit reports. But they may not be completely safe.
+                 Therefore the following section is commented out. Please closely evaluate those rules
+                 before using them. -->
+            <!--  <class>
+                <name>com.evolveum.midpoint.schema.expression.VariablesMap</name>
+                <description>Expression variables map.</description>
+                <decision>deny</decision>
+                <method>
+                    <name>get</name>
+                    <decision>allow</decision>
+                </method>
+                <method>
+                    <name>remove</name>
+                    <decision>allow</decision>
+                </method>
+            </class>
+            <class>
+                <name>com.evolveum.midpoint.schema.expression.TypedValue</name>
+                <description>Typed values, holding expression variables. Read-only access.</description>
+                <decision>deny</decision>
+                <method>
+                    <name>getValue</name>
+                    <decision>allow</decision>
+                </method>
+            </class>
+            <class>
+                <name>com.evolveum.midpoint.report.impl.ReportUtils</name>
+                <decision>deny</decision>
+                <method>
+                    <name>convertDateTime</name>
+                    <decision>allow</decision>
+                </method>
+                <method>
+                    <name>getPropertyString</name>
+                    <decision>allow</decision>
+                </method>
+                <method>
+                    <name>printDelta</name>
+                    <decision>allow</decision>
+                </method>
+            </class>
+            <class>
+                <name>com.evolveum.midpoint.prism.PrismReferenceValue</name>
+                <decision>allow</decision>
+            </class> -->
+        </permissionProfile>
+    </expressions>
+
 </systemConfiguration>
+
diff --git a/Workbench/webproxy/container_files/httpd/index.html b/Workbench/webproxy/container_files/httpd/index.html
index 99be771..32773f7 100644
--- a/Workbench/webproxy/container_files/httpd/index.html
+++ b/Workbench/webproxy/container_files/httpd/index.html
@@ -9,7 +9,7 @@ <h3>Welcome to the InCommon TAP Workbench!</h3>
 The system contains the following TAP components (click the links to access each component in its own tab):
 <ul>
 <li><a href="https://__CSPHOSTNAME__/grouper" target="TAP-WB-GROUPER">Grouper (2.5.37.1)</a></li>
-<li><a href="https://__CSPHOSTNAME__/midpoint" target="TAP-WB-MIDPOINT">midPoint (4.2)</a></li>
+<li><a href="https://__CSPHOSTNAME__/midpoint" target="TAP-WB-MIDPOINT">midPoint (4.3.2)</a></li>
 <li><a href="https://__CSPHOSTNAME__/registry" target="TAP-WB-COMANAGE">COmanage Registry (3.3.2)</a></li>
 <li><a href="https://__CSPHOSTNAME__/idpui/" target="TAP-WB-IDPUI">Shibboleth IdP UI (1.8.0)</a></li>
 </ul>

From a4ca90bb6e0aceec8e25376e37ee4f076693b37e Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Fri, 3 Sep 2021 20:11:02 +0000
Subject: [PATCH 3/5] IdP UI update

---
 Workbench/comanage_cron/Dockerfile                  | 2 +-
 Workbench/idp_ui/Dockerfile                         | 2 +-
 Workbench/webproxy/container_files/httpd/index.html | 2 +-
 Workbench/webproxy/container_files/httpd/ssl.conf   | 6 ++++++
 4 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/Workbench/comanage_cron/Dockerfile b/Workbench/comanage_cron/Dockerfile
index e819b2c..597e2c6 100644
--- a/Workbench/comanage_cron/Dockerfile
+++ b/Workbench/comanage_cron/Dockerfile
@@ -21,7 +21,7 @@ ENV COMANAGE_REGISTRY_EMAIL_HOST=smtp.example.edu
 #ENV SHIBBOLETH_SP_METADATA_PROVIDER_XML=sdf
 #ENV SHIBBOLETH_SP_SAMLDS_URL=thing
 
-RUN apt-get update
+RUN apt-get update --allow-releaseinfo-change && apt-get update
 
 ARG maintainer=my
 ARG imagename=comanage
diff --git a/Workbench/idp_ui/Dockerfile b/Workbench/idp_ui/Dockerfile
index b00be05..f5452b4 100644
--- a/Workbench/idp_ui/Dockerfile
+++ b/Workbench/idp_ui/Dockerfile
@@ -1,4 +1,4 @@
-FROM i2incommon/shib-idp-ui:1.8.0
+FROM i2incommon/shib-idp-ui:1.9.0
 
 ARG CSPHOSTNAME=localhost
 ENV CSPHOSTNAME=$CSPHOSTNAME
diff --git a/Workbench/webproxy/container_files/httpd/index.html b/Workbench/webproxy/container_files/httpd/index.html
index 32773f7..5c8ab3b 100644
--- a/Workbench/webproxy/container_files/httpd/index.html
+++ b/Workbench/webproxy/container_files/httpd/index.html
@@ -11,7 +11,7 @@ <h3>Welcome to the InCommon TAP Workbench!</h3>
 <li><a href="https://__CSPHOSTNAME__/grouper" target="TAP-WB-GROUPER">Grouper (2.5.37.1)</a></li>
 <li><a href="https://__CSPHOSTNAME__/midpoint" target="TAP-WB-MIDPOINT">midPoint (4.3.2)</a></li>
 <li><a href="https://__CSPHOSTNAME__/registry" target="TAP-WB-COMANAGE">COmanage Registry (3.3.2)</a></li>
-<li><a href="https://__CSPHOSTNAME__/idpui/" target="TAP-WB-IDPUI">Shibboleth IdP UI (1.8.0)</a></li>
+<li><a href="https://__CSPHOSTNAME__/idpui/" target="TAP-WB-IDPUI">Shibboleth IdP UI (1.9.0)</a></li>
 </ul>
 <br />
 The system also contains the following downstream/target applications:
diff --git a/Workbench/webproxy/container_files/httpd/ssl.conf b/Workbench/webproxy/container_files/httpd/ssl.conf
index a0f150a..a5b9877 100644
--- a/Workbench/webproxy/container_files/httpd/ssl.conf
+++ b/Workbench/webproxy/container_files/httpd/ssl.conf
@@ -158,6 +158,12 @@ SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
     Satisfy any
 </Location>
 
+<Location "/idpui/">
+    Order deny,allow
+    Allow from all
+    Satisfy any
+</Location>
+
 <Location />
   AuthType Basic
   AuthName "Restricted CSP content"

From abf6efc568f8b110ac805fc5d8ad0810b2e52e22 Mon Sep 17 00:00:00 2001
From: Ethan Kromhout <kromhout@unc.edu>
Date: Wed, 8 Sep 2021 02:48:44 -0400
Subject: [PATCH 4/5] Graphviz dot support for graphics

---
 Workbench/midpoint_server/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Workbench/midpoint_server/Dockerfile b/Workbench/midpoint_server/Dockerfile
index 82f1cef..876daca 100644
--- a/Workbench/midpoint_server/Dockerfile
+++ b/Workbench/midpoint_server/Dockerfile
@@ -24,6 +24,7 @@ COPY container_files/system/setservername.sh /usr/local/bin/
 RUN chmod 755 /usr/local/bin/setservername.sh
 #set hostname
 RUN /usr/local/bin/setservername.sh
+RUN yum install -y graphviz
 
 #COPY container_files/supervisor/supervisord.conf /etc/supervisor/
 

From 46aba78fb529bcb6e9f73515ef9ab33e052e4845 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Thu, 9 Sep 2021 20:26:18 +0000
Subject: [PATCH 5/5] bump mP postgres to ver 12

---
 Workbench/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Workbench/docker-compose.yml b/Workbench/docker-compose.yml
index c14d4d5..75f0300 100644
--- a/Workbench/docker-compose.yml
+++ b/Workbench/docker-compose.yml
@@ -223,7 +223,7 @@ services:
      - CREATE_NEW_DATABASE=if_needed
 
   midpoint_data:
-    image: postgres:11
+    image: postgres:12
     environment:
      - POSTGRES_PASSWORD_FILE=/run/secrets/mp_database_password.txt
      - POSTGRES_USER=midpoint