Affects Version/s: 13.5.0, 14.1.0
Fix Version/s: None
OPENAM-9009 or when there is no Password policy control (BEHERA).
Sprint: AM Sustaining Sprint 41, AM Sustaining Sprint 42, AM Sustaining Sprint 43, AM Sustaining Sprint 44, AM Sustaining Sprint 45, AM Sustaining Sprint 46, AM Sustaining Sprint 47, AM Sustaining Sprint 48, AM Sustaining Sprint 49, AM Sustaining Sprint 50, AM Sustaining Sprint 51, AM Sustaining Sprint 52, AM Sustaining Sprint 53, AM Sustaining Sprint 54, AM Sustaining Sprint 55, AM Sustaining Sprint 56
Support Ticket IDs:
Needs QA verification: No
Are the reproduction steps defined?: Yes and I used the same as in the description
This is a continuation of OPENAM-9009, covering the case where the IdRepo does not have Behera (password policy control) and an LDAP constraint violation happens during the REST user ID creation.
The steps are the same as in OPENAM-9009, but the difference is that you go to the Datastore and disable Behera. (14.1.0 without OPENAM-9009 currently works as non-Behera, so this can be seen there too.)
1. Go to the Datastore and disable Behera Support (or use a Datastore that does not have Behera support).
2. Create a password validator.
3. Add the password validator to the Default Password Policy (using dsconfig, to keep it simple).
4. Create a new user using REST where the user password is the same as the user (which will cause a password validation issue).
1. Create a unique attribute on mail.
2. Assign, say, the demo account with demo@example.com.
3. Now create a new user again but with firstname.lastname@example.org (note this new user is not uid=demo).
4. If this is fixed, the above should not regress.
Using password policy (Behera), if OPENAM-9009 is fixed, will give the very general error.
The fix is to return the message when a constraint violation occurs by calling IdRepoException.getConstraintViolationDetails(), as this is supposed to sanitize the response and be safe to use. (If not, then that function itself would be an issue.)
The same thing is already done in IdentityServicesImpl.update(), which is why the self-service forgotPassword provides the details but the create endpoint does not.
The supposed fix is:
The above change is tested for both constraint cases and passed.
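
The error-mapping pattern this issue describes, as an added illustration (not the OpenAM patch and not project code): detail is surfaced only for LDAP constraint violations, and only after sanitization, while every other failure stays generic. `RepoException`, the sanitization rules, the JSON shape and the sample diagnostics are all assumptions made for the example.

```java
import java.util.regex.Pattern;

public class ConstraintViolationDemo {
    static final int CONSTRAINT_VIOLATION = 19; // LDAP resultCode constraintViolation (RFC 4511)
    static final Pattern DN = Pattern.compile("(?i)\\b(uid|cn|ou|dc)=[^\\s\"']+");

    /** Hypothetical stand-in for a repository exception; not the OpenAM class. */
    static class RepoException extends Exception {
        final int ldapCode;
        final String diagnostic;
        RepoException(int ldapCode, String diagnostic) {
            super("repository operation failed");
            this.ldapCode = ldapCode;
            this.diagnostic = diagnostic;
        }
        /** Sanitized detail for constraint violations only; null for every other error. */
        String constraintViolationDetails() {
            if (ldapCode != CONSTRAINT_VIOLATION || diagnostic == null) {
                return null;
            }
            // Assumed sanitization: mask DN-like fragments, drop control characters, cap length.
            String s = DN.matcher(diagnostic).replaceAll("[entry]");
            s = s.replaceAll("\\p{Cntrl}", " ").trim();
            return s.length() > 200 ? s.substring(0, 200) : s;
        }
    }

    /** Maps a failed create to a REST-style error body (the body shape is assumed). */
    static String toRestError(RepoException e) {
        String detail = e.constraintViolationDetails();
        if (detail == null) {
            // Non-constraint failures stay generic so server internals are not disclosed.
            return "{\"code\":500,\"message\":\"Unable to create user\"}";
        }
        String escaped = detail.replace("\\", "\\\\").replace("\"", "\\\"");
        return "{\"code\":400,\"message\":\"" + escaped + "\"}";
    }

    public static void main(String[] args) {
        // Constructed diagnostics, modelled on the two reproduction cases in this issue.
        RepoException[] samples = {
            new RepoException(19, "The provided password was found in another attribute"),
            new RepoException(19, "Unique attribute conflict on mail in uid=demo,ou=people,dc=example,dc=com"),
            new RepoException(80, "Backend failure at ldap://ds.internal:1389"),
        };
        for (RepoException e : samples) {
            System.out.println(toRestError(e));
        }
    }
}
```

The first two samples return the validator and uniqueness messages (with the conflicting entry's DN masked), and the third returns only the generic message.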