diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 12b40e1655..6a488b2d13 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -55,8 +55,7 @@ jobs: openidm/startup.sh & timeout 3m bash -c 'until grep -q "OpenIDM ready" openidm/logs/openidm0.log.0 ; do sleep 5; done' || cat openidm/logs/openidm0.log.0 grep -q "OpenIDM ready" openidm/logs/openidm0.log.0 - ! grep "ERROR" openidm/logs/openidm0.log.0 - ! grep "SEVERE" openidm/logs/openidm0.log.0 + ! grep -E "ERROR|SEVERE|Exception|Throwable" openidm/logs/openidm0.log.0 - name: Test on Windows if: runner.os == 'Windows' run: | @@ -66,8 +65,11 @@ jobs: Start-Sleep -s 180 type logs\openidm0.log.0 findstr "OpenIDM ready" logs\openidm0.log.0 - type logs\openidm0.log.0 | find /c '"ERROR"' | findstr "0" - type logs\openidm0.log.0 | find /c '"SEVERE"' | findstr "0" + if (Select-String -Path logs\openidm0.log.0 -Pattern 'ERROR|SEVERE|Exception|Throwable' -CaseSensitive -Quiet) { + Write-Host "Errors or exceptions detected in openidm0.log.0" + Select-String -Path logs\openidm0.log.0 -Pattern 'ERROR|SEVERE|Exception|Throwable' -CaseSensitive + exit 1 + } - name: Upload failure artifacts uses: actions/upload-artifact@v7 if: ${{ failure() }} @@ -127,7 +129,7 @@ jobs: run: | OPTS="" if [ -n "${{ matrix.context_path }}" ]; then - OPTS="-Dlogback.configurationFile=conf/logging-config.groovy -Dopenidm.context.path=${{ matrix.context_path }}" + OPTS="-Dopenidm.context.path=${{ matrix.context_path }}" fi ARGS="" if [ -n "${{ matrix.samples }}" ]; then @@ -136,8 +138,7 @@ jobs: OPENIDM_OPTS="$OPTS" openidm/startup.sh $ARGS & timeout 3m bash -c 'until grep -q "OpenIDM ready" openidm/logs/openidm0.log.0 ; do sleep 5; done' || cat openidm/logs/openidm0.log.0 grep -q "OpenIDM ready" openidm/logs/openidm0.log.0 - ! grep "ERROR" openidm/logs/openidm0.log.0 - ! grep "SEVERE" openidm/logs/openidm0.log.0 + ! grep -E "ERROR|SEVERE|Exception|Throwable" openidm/logs/openidm0.log.0 - name: UI Smoke Tests (Playwright) run: | cd e2e @@ -170,7 +171,23 @@ jobs: done else echo "openidm/logs directory not found" + exit 0 fi + echo "----- Checking logs for errors/exceptions -----" + status=0 + while IFS= read -r f; do + if grep -E -n "ERROR|SEVERE|Exception|Throwable" "$f" > /tmp/log_errors.$$ 2>/dev/null; then + echo "Found errors/exceptions in $f:" + cat /tmp/log_errors.$$ + status=1 + fi + rm -f /tmp/log_errors.$$ + done < <(find openidm/logs -type f) + if [ "$status" -ne 0 ]; then + echo "Errors or exceptions detected in openidm logs" + exit 1 + fi + echo "No errors or exceptions detected in openidm logs" build-docker: runs-on: 'ubuntu-latest' services: diff --git a/Dockerfile b/Dockerfile index 561d723b60..9ea6cdbd46 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,7 @@ FROM eclipse-temurin:25-jre-jammy LABEL org.opencontainers.image.authors="Open Identity Platform Community" ENV USER="openidm" -ENV OPENIDM_OPTS="-server -XX:+UseContainerSupport --add-exports java.base/com.sun.jndi.ldap=ALL-UNNAMED -Dlogback.configurationFile=conf/logging-config.groovy" +ENV OPENIDM_OPTS="-server -XX:+UseContainerSupport --add-exports java.base/com.sun.jndi.ldap=ALL-UNNAMED" ARG VERSION diff --git a/Dockerfile-alpine b/Dockerfile-alpine index e7f32f1ab6..ef3731ff52 100644 --- a/Dockerfile-alpine +++ b/Dockerfile-alpine @@ -16,7 +16,7 @@ FROM alpine:latest LABEL org.opencontainers.image.authors="Open Identity Platform Community" ENV USER="openidm" -ENV OPENIDM_OPTS="-server -XX:+UseContainerSupport -Dlogback.configurationFile=conf/logging-config.groovy" +ENV OPENIDM_OPTS="-server -XX:+UseContainerSupport" ARG VERSION diff --git a/openidm-workflow-activiti/src/main/java/org/forgerock/openidm/workflow/activiti/impl/ActivitiServiceImpl.java b/openidm-workflow-activiti/src/main/java/org/forgerock/openidm/workflow/activiti/impl/ActivitiServiceImpl.java index 49adf3cb9a..0b2022dc70 100644 --- a/openidm-workflow-activiti/src/main/java/org/forgerock/openidm/workflow/activiti/impl/ActivitiServiceImpl.java +++ b/openidm-workflow-activiti/src/main/java/org/forgerock/openidm/workflow/activiti/impl/ActivitiServiceImpl.java @@ -12,7 +12,7 @@ * information: "Portions copyright [year] [name of copyright owner]". * * Copyright 2012-2016 ForgeRock AS. - * Portions Copyrighted 2024 3A Systems LLC. + * Portions Copyrighted 2024-2026 3A Systems LLC. */ package org.forgerock.openidm.workflow.activiti.impl; @@ -34,7 +34,6 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; import java.util.logging.Level; -import javax.script.ScriptEngine; import javax.sql.DataSource; import javax.transaction.TransactionManager; import org.activiti.engine.ProcessEngine; @@ -46,8 +45,6 @@ import org.activiti.engine.impl.scripting.ResolverFactory; import org.activiti.engine.impl.scripting.ScriptBindingsFactory; import org.activiti.engine.impl.scripting.ScriptingEngines; -import org.activiti.osgi.Extender; -import org.activiti.osgi.OsgiScriptingEngines; import org.activiti.osgi.blueprint.ProcessEngineFactory; import org.forgerock.openidm.datasource.DataSourceService; import org.forgerock.openidm.router.IDMConnectionFactory; @@ -77,10 +74,7 @@ import org.forgerock.openidm.workflow.activiti.impl.session.OpenIDMSessionFactory; import org.forgerock.util.promise.Promise; import org.h2.jdbcx.JdbcDataSource; -import org.osgi.framework.Bundle; import org.osgi.framework.Constants; -import org.osgi.framework.ServiceFactory; -import org.osgi.framework.ServiceRegistration; import org.osgi.service.cm.Configuration; import org.osgi.service.cm.ConfigurationAdmin; import org.osgi.service.component.ComponentContext; @@ -320,12 +314,54 @@ void activate(ComponentContext compContext) { processEngineFactory.setBundle(compContext.getBundleContext().getBundle()); processEngineFactory.init(); + // Post-init wiring: variableTypes / resolverFactories / scriptingEngines + // are populated by buildProcessEngine() inside init(), so they must be + // mutated AFTER init(). ScriptTaskActivityBehavior reads + // configuration.getScriptingEngines() on every script execution, so + // replacing it here is effective. //ScriptResolverFactory List resolverFactories = configuration.getResolverFactories(); + if (resolverFactories == null) { + resolverFactories = new ArrayList(); + } resolverFactories.add(new OpenIDMResolverFactory()); configuration.setResolverFactories(resolverFactories); configuration.getVariableTypes().addType(new JsonValueType()); - configuration.setScriptingEngines(new OsgiScriptingEngines(new ScriptBindingsFactory(resolverFactories))); + // Use the stock Activiti ScriptingEngines (which delegates to javax.script + // ScriptEngineManager) instead of OsgiScriptingEngines. The latter routes + // resolution through org.activiti.osgi.Extender, whose + // BundleScriptEngineResolver naively parses + // META-INF/services/javax.script.ScriptEngineFactory line by line and + // attempts to Class.forName each '#'-comment line, producing a noisy + // ClassNotFoundException WARNING for every script-task execution + // (see activiti-osgi 5.15 Extender.java). The Groovy ScriptEngineFactory + // is registered explicitly below because OSGi class loaders prevent the + // JDK ServiceLoader inside ScriptEngineManager from discovering it in + // the groovy-all bundle. + ScriptingEngines scriptingEngines = + new ScriptingEngines(new ScriptBindingsFactory(resolverFactories)); + // GroovyScriptEngineFactory.getEngineName() returns "Groovy" but + // BPMN scriptFormat="groovy" looks up by lowercase language name. + // ScriptingEngines.addScriptEngineFactory only registers under + // getEngineName(); we additionally register all language/short names + // (and mime types/extensions) directly on a pre-built ScriptEngineManager. + javax.script.ScriptEngineFactory groovyFactory = + new org.codehaus.groovy.jsr223.GroovyScriptEngineFactory(); + javax.script.ScriptEngineManager mgr = new javax.script.ScriptEngineManager(); + mgr.registerEngineName(groovyFactory.getEngineName(), groovyFactory); + for (String name : groovyFactory.getNames()) { + mgr.registerEngineName(name, groovyFactory); + } + for (String mime : groovyFactory.getMimeTypes()) { + mgr.registerEngineMimeType(mime, groovyFactory); + } + for (String ext : groovyFactory.getExtensions()) { + mgr.registerEngineExtension(ext, groovyFactory); + } + scriptingEngines = new ScriptingEngines(mgr); + scriptingEngines.setScriptBindingsFactory(new ScriptBindingsFactory(resolverFactories)); + configuration.setScriptingEngines(scriptingEngines); + //We are done!! processEngine = processEngineFactory.getObject(); @@ -477,29 +513,11 @@ protected void unbindProcessEngine(ProcessEngine processEngine) { target = "(service.pid=org.forgerock.openidm.script)") protected void bindScriptRegistry(ScriptRegistry scriptRegistry) { this.idmSessionFactory.setScriptRegistry(scriptRegistry); - if (Extender.getBundleContext()!=null) { - Extender.getBundleContext().registerService(Extender.ScriptEngineResolver.class, new ServiceFactory() { - @Override - public Extender.ScriptEngineResolver getService(Bundle bundle, ServiceRegistration serviceRegistration) { - return new Extender.ScriptEngineResolver() { - @Override - public ScriptEngine resolveScriptEngine(String s) { - if (!"groovy".equalsIgnoreCase(s)) { - throw new RuntimeException("unknown resolveScriptEngine " + s); - } - return new org.codehaus.groovy.jsr223.GroovyScriptEngineImpl(); - } - }; - } - - ; - - @Override - public void ungetService(Bundle bundle, ServiceRegistration serviceRegistration, Extender.ScriptEngineResolver scriptEngineResolver) { - - } - }, null); - } + // The previous registration of an Extender.ScriptEngineResolver OSGi service was + // tied to OsgiScriptingEngines (now replaced by stock Activiti ScriptingEngines). + // Without OsgiScriptingEngines nothing invokes Extender.resolveScriptEngine, so the + // resolver service is no longer needed and the noisy + // BundleScriptEngineResolver code path is no longer reached at script execution time. } protected void unbindScriptRegistry(ScriptRegistry scriptRegistry) { diff --git a/openidm-zip/pom.xml b/openidm-zip/pom.xml index b5b889f96d..2b84098d54 100644 --- a/openidm-zip/pom.xml +++ b/openidm-zip/pom.xml @@ -22,7 +22,7 @@ ~ your own identifying information: ~ "Portions Copyrighted [year] [name of copyright owner]" ~ - ~ Portions Copyrighted 2019-2025 3A Systems LLC. + ~ Portions Copyrighted 2019-2026 3A Systems LLC. --> 4.0.0 @@ -272,6 +272,10 @@ org.apache.felix org.apache.felix.webconsole.plugins.packageadmin + + org.apache.felix + org.apache.felix.prefs + org.apache.geronimo.bundles json @@ -897,7 +901,6 @@ - -Dlogback.configurationFile=conf/logging-config.groovy diff --git a/openidm-zip/src/main/resources/bin/install-service.bat b/openidm-zip/src/main/resources/bin/install-service.bat index 24b09a299a..049246a0dc 100644 --- a/openidm-zip/src/main/resources/bin/install-service.bat +++ b/openidm-zip/src/main/resources/bin/install-service.bat @@ -28,7 +28,7 @@ set OPENIDM_OPTS_SERVICE=%OPENIDM_OPTS: =;% rem set SERVER_START_PARAMS="-c;bin/launcher.json" set CP=bin/launcher.jar;bin/felix.jar rem JAVA_OPTS_SERVICE will be fed to the prunmgr.exe which requires all semi-colon delimiters -set JAVA_OPTS_SERVICE=%OPENIDM_OPTS_SERVICE%;-Djava.util.logging.config.file=conf\logging.properties;-Dlogback.configurationFile=conf\logging-config.xml; +set JAVA_OPTS_SERVICE=%OPENIDM_OPTS_SERVICE%;-Djava.util.logging.config.file=conf\logging.properties; rem Enable debugging uncomment the line below rem set JAVA_OPTS_SERVICE=%JAVA_OPTS_SERVICE%;-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005; diff --git a/openidm-zip/src/main/resources/conf/logging.properties b/openidm-zip/src/main/resources/conf/logging.properties index c96e84681f..413daa50cb 100644 --- a/openidm-zip/src/main/resources/conf/logging.properties +++ b/openidm-zip/src/main/resources/conf/logging.properties @@ -73,6 +73,9 @@ org.identityconnectors.framework.impl.api.local.LocalConnectorInfoManagerImpl.le # Suppress warnings of failed error page model validation org.ops4j.pax.web.service.spi.model.elements.ErrorPageModel.level=SEVERE +# Suppress noisy INFO records from pax-web bundle (servlet/error-page registration) +org.ops4j.pax.web.level=WARNING + # OrientDB 3.x: suppress harmless WARNINGs that we cannot act on # - OScriptManager logs "ECMAScript engine not found" when no JSR-223 javascript # engine is on the classpath (we don't ship one and don't use OrientDB JS). diff --git a/openidm-zip/src/main/resources/samples/workflow/conf/sync.json b/openidm-zip/src/main/resources/samples/workflow/conf/sync.json index 5a4e80de85..8c13751489 100644 --- a/openidm-zip/src/main/resources/samples/workflow/conf/sync.json +++ b/openidm-zip/src/main/resources/samples/workflow/conf/sync.json @@ -89,7 +89,7 @@ "source" : "roles", "transform" : { "type" : "text/javascript", - "source" : "source.split(',').map(function (r) { return {'_ref' : (r.indexOf('openidm-') === 0 ? 'repo/internal/role/' : 'managed/role/') + r }; })" + "file" : "script/rolesToAuthzRoles.js" }, "target" : "authzRoles" }, @@ -216,7 +216,7 @@ "source" : "", "transform" : { "type" : "text/javascript", - "source" : "openidm.query('managed/user/' + source._id + '/authzRoles', {'_queryFilter': 'true'}).result.map(function (r) { return r._ref.split('/').pop(); } ).join(',')" + "file" : "script/authzRolesToRoles.js" }, "target" : "roles" }, diff --git a/openidm-zip/src/main/resources/samples/workflow/script/authzRolesToRoles.js b/openidm-zip/src/main/resources/samples/workflow/script/authzRolesToRoles.js new file mode 100644 index 0000000000..fcc81da7e0 --- /dev/null +++ b/openidm-zip/src/main/resources/samples/workflow/script/authzRolesToRoles.js @@ -0,0 +1,37 @@ +/* + * The contents of this file are subject to the terms of the Common Development and + * Distribution License (the License). You may not use this file except in compliance with the + * License. + * + * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the + * specific language governing permission and limitations under the License. + * + * When distributing Covered Software, include this CDDL Header Notice in each file and include + * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL + * Header, with the fields enclosed by brackets [] replaced by your own identifying + * information: "Portions copyright [year] [name of copyright owner]". + * + * Copyright 2026 3A Systems, LLC. + */ +/*global source, openidm */ +// Flatten the managed/user authzRoles relationship into the comma-separated +// "roles" attribute consumed by the XML connector. +// +// File-based (vs inline in sync.json) for the same race-condition reason +// documented in rolesToAuthzRoles.js: avoids ScriptRegistry STARTING-state +// ("Script status is 8") errors during the first reconciliation after boot. +(function () { + if (source === null || source === undefined || source._id === null || source._id === undefined) { + return ""; + } + var result = openidm.query( + 'managed/user/' + source._id + '/authzRoles', + {'_queryFilter': 'true'} + ); + if (!result || !result.result) { + return ""; + } + return result.result.map(function (r) { + return r._ref.split('/').pop(); + }).join(','); +}()); diff --git a/openidm-zip/src/main/resources/samples/workflow/script/rolesToAuthzRoles.js b/openidm-zip/src/main/resources/samples/workflow/script/rolesToAuthzRoles.js new file mode 100644 index 0000000000..22e1acc418 --- /dev/null +++ b/openidm-zip/src/main/resources/samples/workflow/script/rolesToAuthzRoles.js @@ -0,0 +1,39 @@ +/* + * The contents of this file are subject to the terms of the Common Development and + * Distribution License (the License). You may not use this file except in compliance with the + * License. + * + * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the + * specific language governing permission and limitations under the License. + * + * When distributing Covered Software, include this CDDL Header Notice in each file and include + * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL + * Header, with the fields enclosed by brackets [] replaced by your own identifying + * information: "Portions copyright [year] [name of copyright owner]". + * + * Copyright 2026 3A Systems, LLC. + */ + +/*global source */ + +// Transform a comma-separated XML "roles" attribute into the array form +// expected by the managed/user "authzRoles" relationship. +// +// Lives in a separate file (rather than as an inline transform inside +// sync.json) so the script is registered through the file-based code path of +// ScriptRegistry. Inline scripts embedded in mapping configs can be invoked +// during the very first reconciliation while the registry is still moving the +// freshly compiled script from STARTING (status=8) to ACTIVE (status=32), +// producing a transient "Script status is 8" ScriptException that gets +// flagged by the strict CI log scan. +(function () { + if (source === null || source === undefined || String(source).length === 0) { + return []; + } + return String(source).split(',').map(function (r) { + return { + "_ref": (r.indexOf('openidm-') === 0 ? 'repo/internal/role/' : 'managed/role/') + r + }; + }); +}()); + diff --git a/openidm-zip/src/main/resources/samples/workflow/workflow/contractorOnboarding.bpmn20.xml b/openidm-zip/src/main/resources/samples/workflow/workflow/contractorOnboarding.bpmn20.xml index ea5ddfd9c4..1189345cae 100644 --- a/openidm-zip/src/main/resources/samples/workflow/workflow/contractorOnboarding.bpmn20.xml +++ b/openidm-zip/src/main/resources/samples/workflow/workflow/contractorOnboarding.bpmn20.xml @@ -13,6 +13,7 @@ information: "Portions Copyrighted [year] [name of copyright owner]". Copyright (c) 2011-2015 ForgeRock AS. All rights reserved. + Portions Copyright 2026 3A Systems, LLC. --> @@ -98,8 +99,12 @@ // Automatically send the user a password reset email // Current limitation with supplying locale via http headers requires the call to be made via http + def openidmContextPath = identityServer.getProperty('openidm.context.path', '/openidm') + if (!openidmContextPath.startsWith('/')) { + openidmContextPath = '/' + openidmContextPath + } openidm.action("external/rest", "call", [ - "url": "https://localhost:"+identityServer.getProperty('openidm.port.https')+"/openidm/selfservice/reset?_action=submitRequirements", + "url": "https://localhost:"+identityServer.getProperty('openidm.port.https')+openidmContextPath+"/selfservice/reset?_action=submitRequirements", "method": "POST", "headers": [ "Content-Type": "application/json", diff --git a/openidm-zip/src/main/resources/startup.sh b/openidm-zip/src/main/resources/startup.sh index 1ef748319e..0da8279ff7 100755 --- a/openidm-zip/src/main/resources/startup.sh +++ b/openidm-zip/src/main/resources/startup.sh @@ -95,7 +95,7 @@ PRGDIR=`dirname "$PRG"` [ -z "$OPENIDM_PID_FILE" ] && OPENIDM_PID_FILE="$OPENIDM_HOME"/.openidm.pid # Only set OPENIDM_OPTS if not already set -[ -z "$OPENIDM_OPTS" ] && OPENIDM_OPTS="-Dlogback.configurationFile=conf/logging-config.groovy" +[ -z "$OPENIDM_OPTS" ] && OPENIDM_OPTS="" # Set JDK Logger config file if it is present and an override has not been issued PROJECT_HOME=$OPENIDM_HOME diff --git a/pom.xml b/pom.xml index 8d4ca3b33e..029722aa5c 100644 --- a/pom.xml +++ b/pom.xml @@ -518,6 +518,11 @@ org.apache.felix.webconsole.plugins.packageadmin ${felix.webconsole.packageadmin.version} + + org.apache.felix + org.apache.felix.prefs + 1.1.0 + org.apache.felix