  1. OpenAM
  2. OPENAM-11432

Extra space in Policy's Resource Type will cause policy evaluation to fail

    Details

    • Target Version/s:
    • Sprint:
      AM Sustaining Sprint 45
    • Story Points:
      1
    • Needs backport:
      No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description

      Description

      Test case :

      Create a sub realm demo

      Create a new Resource Type : myresourcetype

      Add the following pattern : *://*:*/*

      Create the next pattern with an extra space "*://*:*/*?* " before adding the pattern

      Proceed to create a new Policy Set (with the above "myresourcetype") and add a new policy

      Run the following policy evaluation

       

      curl -s --request POST --header 'iPlanetDirectoryPro: AQIC5wM2LY4Sfcxvc28ne8PA473sqYeLWeuQLUIhBhy0AEg.*AAJTSQACMDEAAlNLABM1NzQxODQ0MDIzMzE2NjQzNzkxAAJTMQAA*' --header 'Content-Type: application/json' --data '{
      "resources": [ "http://openam.internal.example.com/index.html?a=b"   <=======
      ],
      "subject": {
      "ssoToken": "AQIC5wM2LY4SfcxAgE0iI_mQcwz07Vu1FjykTGSTenz2fSU.*AAJTSQACMDEAAlNLABQtMzE3MDk2MDI2Njk3Nzc0NTY4OQACUzEAAA..*" },
      "application": "myPolicySet"
       }' 'http://openam.internal.example.com:8080/openam/json/demo/policies?_action=evaluate'
       
      

      Notice the evaluation fails

      [
       {
       "advices": {},
       "ttl": 9223372036854776000,
       "resource": "https://testing.visaonline.com/index.html?a=b",
       "actions": {},     <===========
       "attributes": {}
       }
      ]

      Verify by exporting the policy in JSON format

      ssoadm policy-export --realm demo --servername "http://openam.internal.example.com:8080/openam" --jsonfile export-vol.json --adminid amadmin --password-file /home/iplanet/pass.txt

      Observe the extra space in the resourcetype and policy

      {
       "resourcetypes" : {
       "resources" : [ {
       "uuid" : "a27adf29-a48c-415c-b167-66cdd79cbc0b",
       "name" : "myresourceType",
       "description" : "",
       "patterns" : [ "*://*:*/*?* ", "*://*:*/*" ],    <============= notice the extra ending space between double quotes "*://*:*/*?* " 
       "actions" : {
       "POST" : true,
       "GET" : true
       },
       "createdBy" : "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",
       "creationDate" : 1500881254039,
       "lastModifiedBy" : "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",
       "lastModifiedDate" : 1500881254039
       } ],
       "version" : "1.0"
       },
       "applications" : {
       "resources" : [ {
       "createdBy" : "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",
       "conditions" : [ "AuthenticateToService", "Script", "AuthScheme", "IPv6", "SimpleTime", "OAuth2Scope", "IPv4", "AuthenticateToRealm", "OR", "AMIdentityMembership", "LDAPFilter", "AuthLevel", "SessionProperty", "Policy", "LEAuthLevel", "Session", "NOT", "AND", "ResourceEnvIP" ],
       "resourceTypeUuids" : [ "a27adf29-a48c-415c-b167-66cdd79cbc0b" ],
       "resourceComparator" : null,
       "creationDate" : 1500881269112,
       "lastModifiedDate" : 1500881269112,
       "lastModifiedBy" : "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",
       "applicationType" : "iPlanetAMWebAgentService",
       "subjects" : [ "JwtClaim", "AuthenticatedUsers", "Identity", "NOT", "Policy", "AND", "NONE", "OR" ],
       "entitlementCombiner" : "DenyOverride",
       "saveIndex" : null,
       "searchIndex" : null,
       "attributeNames" : [ ],
       "editable" : true,
       "description" : null,
       "displayName" : null,
       "name" : "myPolicySet"
       } ],
       "version" : "2.1"
       },
       "policies" : {
       "resources" : [ {
       "name" : "myPolicy",
       "active" : true,
       "description" : "",
       "applicationName" : "myPolicySet",
       "actionValues" : {
       "POST" : true,
       "GET" : true
       },
       "resources" : [ "*://*:*/*?* ", "*://*:*/*" ],   <================
       "subject" : {
       "type" : "AuthenticatedUsers"
       },
       "resourceTypeUuid" : "a27adf29-a48c-415c-b167-66cdd79cbc0b",
       "lastModifiedBy" : "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",
       "lastModifiedDate" : "2017-07-24T07:38:52.396Z",
       "createdBy" : "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",
       "creationDate" : "2017-07-24T07:38:35.608Z"
       } ],
       "version" : "2.1"
       }
      }

      Workaround

      1. delete that offending resource in all affected policies
      2. delete the offending resource in the resource type
      3. recreate the resource pattern again in the resource type ( careful not to add that space again )
      4. add the new resource into the affected policies
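
The export check and the list of objects the workaround has to touch can be automated. The following is an added example, not part of the original report or of OpenAM: it reads `ssoadm policy-export` JSON and reports every pattern with leading or trailing whitespace. The sample input is constructed from the export shown above and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of the `ssoadm policy-export` JSON shown
# in this issue, trimmed to the fields the check reads.
SAMPLE_EXPORT = json.dumps({
    "resourcetypes": {"resources": [{
        "uuid": "a27adf29-a48c-415c-b167-66cdd79cbc0b",
        "name": "myresourceType",
        "patterns": ["*://*:*/*?* ", "*://*:*/*"],
    }]},
    "policies": {"resources": [{
        "name": "myPolicy",
        "applicationName": "myPolicySet",
        "resources": ["*://*:*/*?* ", "*://*:*/*"],
        "resourceTypeUuid": "a27adf29-a48c-415c-b167-66cdd79cbc0b",
    }]},
})


def find_padded_patterns(export_text):
    """Return (section, object name, pattern) for every pattern that has
    leading or trailing whitespace in a policy export."""
    export = json.loads(export_text)
    findings = []
    # Resource types keep patterns under "patterns", policies under "resources".
    for section, key in (("resourcetypes", "patterns"), ("policies", "resources")):
        for obj in export.get(section, {}).get("resources", []):
            for pattern in obj.get(key, []):
                if pattern != pattern.strip():
                    findings.append((section, obj.get("name"), pattern))
    return findings


def affected_policies(export_text):
    """Names of the policies that workaround steps 1 and 4 must edit."""
    return sorted({name for section, name, _ in find_padded_patterns(export_text)
                   if section == "policies"})


if __name__ == "__main__":
    for section, name, pattern in find_padded_patterns(SAMPLE_EXPORT):
        # repr() makes the stray whitespace visible in the report.
        print(f"{section}: {name}: {pattern!r}")
```

Running it against a fresh export after the workaround should report nothing.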

            People

            • Assignee:
              chee-weng.chea C-Weng C
              Reporter:
              sam.phua Sam Phua