aligning (#1)

* chore(branding): update camunda-welcome screenshots

related to CAM-11683

* fix(engine): empty properties for filter are not stored as null

* Ensure that an empty Tasklist Filter properties object is always
  stored in the same format in the DB. This is done to ensure that
Oracle DB doesn't store NULL instead of an empty string;
* Clean up FilterEntity;
* Convert related JUnit3 to a JUnit4 test.

Related to CAM-11109,
Closes PR (camunda#819)

* chore(distro): remove PermSize property

the property has been removed from Java 8

Related to CAM-11896

* fix(rest): remove unused error details property

* Remove the unused and unset External Task errorDetails property from the OpenAPI docs.
* Remove the property from the ExternalTaskDto class.

Related to CAM-11774

* chore(engine): improve exception message

related to CAM-11819, PR camunda#787

* chore(spring-boot/webapp): change default application path to /camunda

related to CAM-11373

* fix(run): fix CORS with authentication behavior

* execute CORS filter before authentication filter
* do not forward CORS preflight request to succeding filter
* allow all HTTP methods that are used by Camunda REST API

Related to CAM-11840, CAM-11885

* fix(qa): fix large data tests

- since optimize changed the type of op logs it exports, the test setup
  must be adapted accordingly
- doubles the heap size; in a local H2 setup I could observe the max heap
  size being approached and the garbage collector becoming very busy

related to CAM-11899

* chore(release): Prepare release: set version to 7.13.0-alpha5

* chore(release): Prepare next development version: 7.13.0-SNAPSHOT

* chore(license-book): update for 7.13

related to CAM-11764

* fix(engine): remove distinct from fetch and lock on postgres

- leads to bad query plans as the database cannot push the pagination
  much into the query plan when distinct is present
- must be applied with caution: distinct can only be omitted when we do not
  join another table

related to CAM-11887

* fix(rest-openapi): fix string arrays definitions in query parameters

* OpenAPI supports 'array' type in query parameters and
resolves them to idIn=val1&idIn=val2
* the REST API expects a comma-separated lists idIn=val1,val2

Related to CAM-11934

* chore(release): Prepare release: set version to 7.13.0

* chore(release): Prepare next development version: 7.14.0-SNAPSHOT

* chore(project): separate Spring boot build into assembly and distro

- modules with webapp dependencies should not be built as part of the
  distro profile, because that profile is run in the platform-ASSEMBLY
  build, at which point the webapps have not been built yet
- See the Run and Tomcat distro builds for the same pattern, e.g.
  distro/tomcat/pom.xml builds the Tomcat webapp only in the distro-ce
  profile

related to CAM-11950

* feat(engine/rest): add query criteria to several queries

Extended queries:

* Historic incident
  * incidentMessageLike
  * processDefinitionKey
  * createTimeBefore
  * createTimeAfter
  * endTimeBefore
  * endTimeAfter
  * orderByProcessDefinitionKey
* Runtime incident
  * incidentMessageLike
  * incidentTimestampBefore
  * incidentTimestampAfter
* Historic activity instance
  * activityNameLike

related to CAM-11798
closes camunda#825

* fix(rest): filename uses double quotes in content-disposition header

* According to RFC 2616 (19.5.1 Content-Disposition), the value of the `filename` parameter must be a double-quoted string
* Fixes the problem in Mozilla Firefox that files including containing spaces in filenames can be downloaded correctly

Related to CAM-11925
Closes camunda#834

* fix(jboss): revert distro and distro-ce profile merge

* Revert the merging of the 'distro' and 'distro-ce' profiles since it
  creates a cycle in the Maven modules build hierarchy by requiring the
Webapps during the ASSEMBLY phase (uses the 'distro' profile), which breaks the build.

Related to CAM-11950

* feat(rest-openapi): add user endpoints

Related to CAM-11527
Closes PR (camunda#818)

* chore(release): add 7.14 upgrade scripts & adjust create scripts


Closes camunda#843
Related to CAM-11980

* chore(release): add camunda-qa-upgrade-test-fixture-714


Closes camunda#842
Related to CAM-11979

* chore(release): update camunda.version.old prop

* chore(release): update camunda versions in qa projects

* update old camunda version in /database
* update old camunda version in /qa/test-db-rolling-update/create-new-engine
* update old camunda version in /qa/test-db-upgrade
* update old camunda version in /qa-db-test-old-engine
* update camunda version in /qa/test-db-rolling-update/create-old-engine
* update camunda version in /qa/test-db-rolling-update/rolling-update-util
* update camunda version in /qa/test-db-rolling-update/test-old-engine

Closes camunda#841
Related to CAM-11978

* chore(pom): introduce distro-starter profile

- used in release jobs to build the enterprise artifacts

Related to CAM-11950

* fix(pom): fix distro-starter profile module

Related to CAM-11950

* chore(pom): introduce distro-starter profile

- used in release jobs to build the enterprise artifacts

Related to CAM-11950

* fix(starter): fix distro-starter profile scope

Related to CAM-11950

* chore(invoice): update DMN to 1.3 standard

related to CAM-11915

* chore(starter): add distro-starter profile to qa

Related to CAM-11950

* chore(starter): add distro-starter profile to qa

Related to CAM-11950

* fix(starter): fix distro-starter profile module

Related to CAM-11950

* chore(brand): update favicon with new brand colors

related to CAM-11949

* chore(db): make all assignee column sizes consistent

Related to CAM-11779

* fix(spring-boot): respect app path in csrf prevention filter

related to CAM-11993

* chore(sql): add hint to consider auth checks in webapps as well

related to CAM-11954

* chore(rest-openapi): add User global tag 

Related to CAM-11527

* chore(deps): update tomcat to 9.0.35

related to CAM-12017

* chore(deps): update tomcat to 9.0.36

related to CAM-12017

* chore(deps): update spring boot to 2.2.8

Related to CAM-12016
Closes camunda#856

* fix(engine): ensure correct sql exception logs 

Related to CAM-11761
Closes PR (camunda#846)

* fix(dmn): date conversion issue in multithreading mode (camunda#827)

* The SimpleDateFormat class, used in the DateDataTypeTransformer is not thread-safe and causes the DMN Engine to behave incorrectly in a multi-threaded environment.

Related to CAM-11897

* chore(engine): allow update of calledProcessInstanceId

* in historic activity instances, the calledProcessInstanceId can be
  updated in case the new value is not null
* enables custom behavior of the call activity, e.g. by calling a service
  first and a process only upon a failing service by retrying the call activity
* add a test for calledProcessInstanceId with wait state in called process

related to CAM-12030

* chore(spring-boot): make hsts header configurable

related to CAM-11602

* chore(distro/webapp): add commented hsts header section

related to CAM-11602

* feat(rest/open-api): add historic activity instance endpoints

Related to CAM-11555
Closes camunda#854

* chore(dmn): bump feel scala and add test coverage

* Add test coverage for the bug fix in the feel-scala#110 issue.

Related to CAM-11304

* chore(dmn): add test coverage for feel-scala bugfix

* Add test coverage for the bug fix in the feel-scala#90 issue.

Related to CAM-11382

Co-authored-by: Martin Stamm <martin.stamm@camunda.com>
Co-authored-by: Nikola Koevski <nikola.koevski@camunda.com>
Co-authored-by: yanavasileva <yanavasileva@users.noreply.github.com>
Co-authored-by: David Hodges <david.hodges@ecogyenergy.com>
Co-authored-by: Tassilo Weidner <tassilo.weidner@camunda.com>
Co-authored-by: Miklas Boskamp <miklas.boskamp@camunda.com>
Co-authored-by: Thorben Lindhauer <thorben.lindhauer@camunda.com>
Co-authored-by: camunda-jenkins <ci_automation@camunda.com>
Co-authored-by: Yana Vasileva <yana.vasileva@camunda.com>
Co-authored-by: Andrey Osipkov <osipkov_a@mail.ru>
Co-authored-by: Juan C Calderon <juan.calderon@borealixsec.com>
Co-authored-by: Emma Emma Emma <emma.pollum@camunda.com>

bom/pom.xml

@@ -5,7 +5,7 @@
   <parent>
     <groupId>org.camunda.bpm</groupId>
     <artifactId>camunda-root</artifactId>
-    <version>7.13.0-SNAPSHOT</version>
+    <version>7.14.0-SNAPSHOT</version>
     <relativePath>../</relativePath>
   </parent>
 

database/pom.xml

@@ -6,7 +6,7 @@
     <groupId>org.camunda.bpm</groupId>
     <artifactId>camunda-parent</artifactId>
     <relativePath>../parent</relativePath>
-    <version>7.13.0-SNAPSHOT</version>
+    <version>7.14.0-SNAPSHOT</version>
   </parent>
 
   <artifactId>camunda-database-settings</artifactId>
@@ -33,7 +33,7 @@
     <version.postgresql>9.4.1212</version.postgresql>
 
     <!-- needed for sql script and backward compatibility checks -->
-    <camunda.version.old>7.12.0</camunda.version.old>
+    <camunda.version.old>7.13.0</camunda.version.old>
   </properties>
 
   <dependencyManagement>

distro/jbossas7/modules/pom.xml

@@ -8,7 +8,7 @@
   <parent>
     <groupId>org.camunda.bpm.jboss</groupId>
     <artifactId>camunda-jboss</artifactId>
-    <version>7.13.0-SNAPSHOT</version>
+    <version>7.14.0-SNAPSHOT</version>
   </parent>
 
   <properties>

distro/jbossas7/pom.xml

@@ -5,7 +5,7 @@
     <groupId>org.camunda.bpm</groupId>
     <artifactId>camunda-database-settings</artifactId>
     <relativePath>../../database</relativePath>
-    <version>7.13.0-SNAPSHOT</version>
+    <version>7.14.0-SNAPSHOT</version>
   </parent>
 
   <groupId>org.camunda.bpm.jboss</groupId>
@@ -23,10 +23,17 @@
       <modules>
         <module>modules</module>
         <module>subsystem</module>
+      </modules>
+    </profile>
+    <profile>
+      <id>distro-ce</id>
+      <activation>
+        <activeByDefault>true</activeByDefault>
+      </activation>
+      <modules>
         <module>webapp</module>
         <module>webapp-standalone</module>
       </modules>
     </profile>
   </profiles>
-
 </project>

distro/jbossas7/subsystem/pom.xml

@@ -9,7 +9,7 @@
   <parent>
     <groupId>org.camunda.bpm.jboss</groupId>
     <artifactId>camunda-jboss</artifactId>
-    <version>7.13.0-SNAPSHOT</version>
+    <version>7.14.0-SNAPSHOT</version>
   </parent>
 
   <dependencyManagement>

distro/jbossas7/webapp-standalone/pom.xml

@@ -5,7 +5,7 @@
   <parent>
     <groupId>org.camunda.bpm.jboss</groupId>
     <artifactId>camunda-jboss</artifactId>
-    <version>7.13.0-SNAPSHOT</version>
+    <version>7.14.0-SNAPSHOT</version>
   </parent>
 
   <groupId>org.camunda.bpm.webapp</groupId>

distro/jbossas7/webapp/pom.xml

@@ -3,7 +3,7 @@
   <parent>
     <groupId>org.camunda.bpm.jboss</groupId>
     <artifactId>camunda-jboss</artifactId>
-    <version>7.13.0-SNAPSHOT</version>
+    <version>7.14.0-SNAPSHOT</version>
   </parent>
 
   <modelVersion>4.0.0</modelVersion>

distro/jbossas7/webapp/src/main/webapp/WEB-INF/web.xml

@@ -98,6 +98,20 @@
   <filter>
     <filter-name>HttpHeaderSecurity</filter-name>
     <filter-class>org.camunda.bpm.webapp.impl.security.filter.headersec.HttpHeaderSecurityFilter</filter-class>
+
+    <!--
+    The Strict Transport Security header is disabled by default.
+    You can enable it by uncommenting the configuration below.
+    Read more about it in the documentation
+    https://docs.camunda.org/manual/latest/webapps/shared-options/header-security/#strict-transport-security
+    -->
+
+    <!--
+    <init-param>
+      <param-name>hstsDisabled</param-name>
+      <param-value>false</param-value>
+    </init-param>
+    -->
   </filter>
 
   <filter-mapping>

distro/license-book/pom.xml

@@ -5,7 +5,7 @@
     <groupId>org.camunda.bpm</groupId>
     <artifactId>camunda-database-settings</artifactId>
     <relativePath>../../database</relativePath>
-    <version>7.13.0-SNAPSHOT</version>
+    <version>7.14.0-SNAPSHOT</version>
   </parent>
 
   <artifactId>license-book</artifactId>

distro/run/assembly/pom.xml

@@ -5,7 +5,7 @@
   <parent>
     <groupId>org.camunda.bpm.run</groupId>
     <artifactId>camunda-bpm-run-root</artifactId>
-    <version>7.13.0-SNAPSHOT</version>
+    <version>7.14.0-SNAPSHOT</version>
     <relativePath>..</relativePath>
   </parent>
 

distro/run/assembly/resources/production.yml

@@ -5,9 +5,12 @@
 camunda.bpm:
 # https://docs.camunda.org/manual/latest/user-guide/security/#http-header-security-in-webapps
 # https://docs.camunda.org/manual/latest/webapps/shared-options/header-security/
-  webapp.csrf:
-    enable-same-site-cookie: true
-    same-site-cookie-option: STRICT
+  webapp:
+    csrf:
+      enable-same-site-cookie: true
+      same-site-cookie-option: STRICT
+    header-security:
+      hsts-disabled: false
 
 # https://docs.camunda.org/manual/latest/user-guide/security/#authorization
 # https://docs.camunda.org/manual/latest/user-guide/process-engine/authorization-service/

distro/run/core/pom.xml

@@ -5,7 +5,7 @@
   <parent>
     <groupId>org.camunda.bpm.run</groupId>
     <artifactId>camunda-bpm-run-root</artifactId>
-    <version>7.13.0-SNAPSHOT</version>
+    <version>7.14.0-SNAPSHOT</version>
     <relativePath>..</relativePath>
   </parent>
 

distro/run/core/src/main/java/org/camunda/bpm/run/CamundaBpmRunRestConfiguration.java

@@ -25,10 +25,8 @@
 import org.camunda.bpm.spring.boot.starter.rest.CamundaBpmRestInitializer;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.AutoConfigureAfter;
-import org.springframework.boot.autoconfigure.AutoConfigureBefore;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
-import org.springframework.boot.autoconfigure.jersey.JerseyAutoConfiguration;
 import org.springframework.boot.autoconfigure.web.servlet.JerseyApplicationPath;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
@@ -46,12 +44,29 @@ public class CamundaBpmRunRestConfiguration {
   @Autowired
   CamundaBpmRunProperties camundaBpmRunProperties;
 
+  /*
+   * The CORS and Authentication filters need to run before other camunda
+   * filters because they potentially block the request and this should be done
+   * as early as possible.
+   * 
+   * The default order parameter for spring-boot managed filters is
+   * org.springframework.core.Ordered.LOWEST_PRECEDENCE = Integer.MAX_VALUE.
+   * Order can range from -Integer.MAX_VALUE to Integer.MAX_VALUE.
+   * 
+   * The CORS filter must run before the Authentication filter because CORS
+   * preflight requests must not contain authentication. The CORS filter will
+   * not invoke the next filter in the chain for preflight requests.
+   */
+  private static int CORS_FILTER_PRECEDENCE = 0;
+  private static int AUTH_FILTER_PRECEDENCE = 1;
+
   @Bean
   @ConditionalOnProperty(name = "enabled", havingValue = "true", prefix = CamundaBpmRunAuthenticationProperties.PREFIX)
   public FilterRegistrationBean<Filter> processEngineAuthenticationFilter(JerseyApplicationPath applicationPath) {
     FilterRegistrationBean<Filter> registration = new FilterRegistrationBean<>();
     registration.setName("camunda-auth");
     registration.setFilter(new ProcessEngineAuthenticationFilter());
+    registration.setOrder(AUTH_FILTER_PRECEDENCE);
 
     String restApiPathPattern = applicationPath.getUrlMapping();
     registration.addUrlPatterns(restApiPathPattern);
@@ -71,11 +86,14 @@ public FilterRegistrationBean<Filter> corsFilter(JerseyApplicationPath applicati
     registration.setName("camunda-cors");
     CorsFilter corsFilter = new CorsFilter();
     registration.setFilter(corsFilter);
+    registration.setOrder(CORS_FILTER_PRECEDENCE);
 
     String restApiPathPattern = applicationPath.getUrlMapping();
     registration.addUrlPatterns(restApiPathPattern);
 
     registration.addInitParameter(CorsFilter.PARAM_CORS_ALLOWED_ORIGINS, camundaBpmRunProperties.getCors().getAllowedOrigins());
+    registration.addInitParameter(CorsFilter.PARAM_CORS_ALLOWED_METHODS, CamundaBpmRunCorsProperty.DEFAULT_HTTP_METHODS);
+
     return registration;
   }
 

distro/run/core/src/main/java/org/camunda/bpm/run/property/CamundaBpmRunCorsProperty.java

@@ -20,6 +20,7 @@ public class CamundaBpmRunCorsProperty {
 
   public static final String PREFIX = CamundaBpmRunProperties.PREFIX + ".cors";
   public static final String DEFAULT_ORIGINS = "*";
+  public static final String DEFAULT_HTTP_METHODS = "GET,POST,HEAD,OPTIONS,PUT,DELETE";
 
   boolean enabled;
   String allowedOrigins;

distro/run/core/src/test/java/org/camunda/bpm/run/test/AbstractRestTest.java

@@ -35,6 +35,8 @@
 @ActiveProfiles(profiles = { "test-auth-disabled" })
 public abstract class AbstractRestTest {
 
+  public static String CONTEXT_PATH = "/engine-rest";
+
   @Autowired
   protected TestRestTemplate testRestTemplate;
 

distro/run/core/src/test/java/org/camunda/bpm/run/test/config/cors/CorsAccessControlHeadersTest.java

@@ -0,0 +1,67 @@
+/*
+ * Copyright Camunda Services GmbH and/or licensed to Camunda Services GmbH
+ * under one or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership. Camunda licenses this file to you under the Apache License,
+ * Version 2.0; you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.camunda.bpm.run.test.config.cors;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import org.camunda.bpm.engine.ProcessEngine;
+import org.camunda.bpm.run.test.AbstractRestTest;
+import org.junit.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.test.context.ActiveProfiles;
+
+/**
+ * Note: To run this test via an IDE you must set the system property
+ * {@code sun.net.http.allowRestrictedHeaders} to {@code true}. (e.g.
+ * System.setProperty("sun.net.http.allowRestrictedHeaders", "true");)
+ * 
+ * @see https://jira.camunda.com/browse/CAM-11290
+ */
+@ActiveProfiles(profiles = { "test-cors-enabled" }, inheritProfiles = true)
+public class CorsAccessControlHeadersTest extends AbstractRestTest {
+
+  @Autowired
+  ProcessEngine processEngine;
+
+  @Test
+  public void shouldRespondWithAccessControlHeaders() {
+    // given
+    // preflight request
+    String origin = "http://other.origin";
+
+    HttpHeaders headers = new HttpHeaders();
+    headers.add(HttpHeaders.HOST, "localhost");
+    headers.add(HttpHeaders.ORIGIN, origin);
+    headers.add(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, HttpMethod.PUT.name());
+    headers.add(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS, HttpHeaders.ORIGIN);
+
+    // when
+    ResponseEntity<String> response = testRestTemplate.exchange(CONTEXT_PATH + "/task", HttpMethod.OPTIONS, new HttpEntity<>(headers), String.class);
+
+    // then
+    assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK);
+    assertThat(response.getHeaders().getAccessControlAllowMethods()).containsExactlyInAnyOrder(HttpMethod.GET, HttpMethod.POST, HttpMethod.HEAD,
+        HttpMethod.OPTIONS, HttpMethod.PUT, HttpMethod.DELETE);
+    assertThat(response.getHeaders().getAccessControlAllowHeaders()).containsExactlyInAnyOrder("origin", "accept", "x-requested-with", "content-type",
+        "access-control-request-method", "access-control-request-headers");
+  }
+}