- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 13.5.0, 13.5.1, 14.0.0, 14.1.1, 14.5.0
- Component/s: policy editor, XUI
- Labels:
Test case:
Create a sub realm demo
Create a new Resource Type: myresourcetype
Add the following pattern: "*://*:*/*"
Create the next pattern with an extra space, "*://*:*/*?* ", before adding the pattern
Proceed to create a new Policy Set (with the above "myresourcetype") and add a new policy
Run the following policy evaluation
curl -s --request POST \
  --header 'iPlanetDirectoryPro: AQIC5wM2LY4Sfcxvc28ne8PA473sqYeLWeuQLUIhBhy0AEg.*AAJTSQACMDEAAlNLABM1NzQxODQ0MDIzMzE2NjQzNzkxAAJTMQAA*' \
  --header 'Content-Type: application/json' \
  --data '{
    "resources": [
      "http://openam.internal.example.com/index.html?a=b"   <=======
    ],
    "subject": {
      "ssoToken": "AQIC5wM2LY4SfcxAgE0iI_mQcwz07Vu1FjykTGSTenz2fSU.*AAJTSQACMDEAAlNLABQtMzE3MDk2MDI2Njk3Nzc0NTY4OQACUzEAAA..*"
    },
    "application": "myPolicySet"
  }' \
  'http://openam.internal.example.com:8080/openam/json/demo/policies?_action=evaluate'
Notice the evaluation fails
[
  {
    "advices": {},
    "ttl": 9223372036854776000,
    "resource": "https://testing.visaonline.com/index.html?a=b",
    "actions": {},   <===========
    "attributes": {}
  }
]
Verify by exporting the policy in Json format
ssoadm policy-export --realm demo --servername "http://openam.internal.example.com:8080/openam" --jsonfile export-vol.json --adminid amadmin --password-file /home/iplanet/pass.txt
Observe the extra space in the resourcetype and policy
{
  "resourcetypes" : {
    "resources" : [ {
      "uuid" : "a27adf29-a48c-415c-b167-66cdd79cbc0b",
      "name" : "myresourceType",
      "description" : "",
      "patterns" : [ "*://*:*/*?* ", "*://*:*/*" ],   <============= notice the extra ending space between the double quotes "*://*:*/*?* "
      "actions" : { "POST" : true, "GET" : true },
      "createdBy" : "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",
      "creationDate" : 1500881254039,
      "lastModifiedBy" : "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",
      "lastModifiedDate" : 1500881254039
    } ],
    "version" : "1.0"
  },
  "applications" : {
    "resources" : [ {
      "createdBy" : "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",
      "conditions" : [ "AuthenticateToService", "Script", "AuthScheme", "IPv6", "SimpleTime", "OAuth2Scope", "IPv4", "AuthenticateToRealm", "OR", "AMIdentityMembership", "LDAPFilter", "AuthLevel", "SessionProperty", "Policy", "LEAuthLevel", "Session", "NOT", "AND", "ResourceEnvIP" ],
      "resourceTypeUuids" : [ "a27adf29-a48c-415c-b167-66cdd79cbc0b" ],
      "resourceComparator" : null,
      "creationDate" : 1500881269112,
      "lastModifiedDate" : 1500881269112,
      "lastModifiedBy" : "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",
      "applicationType" : "iPlanetAMWebAgentService",
      "subjects" : [ "JwtClaim", "AuthenticatedUsers", "Identity", "NOT", "Policy", "AND", "NONE", "OR" ],
      "entitlementCombiner" : "DenyOverride",
      "saveIndex" : null,
      "searchIndex" : null,
      "attributeNames" : [ ],
      "editable" : true,
      "description" : null,
      "displayName" : null,
      "name" : "myPolicySet"
    } ],
    "version" : "2.1"
  },
  "policies" : {
    "resources" : [ {
      "name" : "myPolicy",
      "active" : true,
      "description" : "",
      "applicationName" : "myPolicySet",
      "actionValues" : { "POST" : true, "GET" : true },
      "resources" : [ "*://*:*/*?* ", "*://*:*/*" ],   <================
      "subject" : { "type" : "AuthenticatedUsers" },
      "resourceTypeUuid" : "a27adf29-a48c-415c-b167-66cdd79cbc0b",
      "lastModifiedBy" : "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",
      "lastModifiedDate" : "2017-07-24T07:38:52.396Z",
      "createdBy" : "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",
      "creationDate" : "2017-07-24T07:38:35.608Z"
    } ],
    "version" : "2.1"
  }
}
Workaround
- delete that offending resource in all affected policies
- delete the offending resource in the resource type
- recreate the resource pattern again in the resource type (careful not to add that space again)
- add the new resource into the affected policies
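
To find the offending resources the workaround refers to, the following added example (not part of the original report and not OpenAM code) scans a JSON file produced by ssoadm policy-export for patterns with leading or trailing whitespace. It assumes the export layout shown above; the function name, the "cleanPolicy" entry and the sample data are constructed for illustration.

```python
import json
import sys


def workaround_plan(export):
    """Map each policy and resource type name to its patterns that carry
    leading or trailing whitespace, in the order the workaround edits them."""
    plan = {"policies": {}, "resourcetypes": {}}
    # Policies list their patterns under "resources", resource types under "patterns".
    for section, field in (("policies", "resources"), ("resourcetypes", "patterns")):
        for entry in (export.get(section) or {}).get("resources") or []:
            padded = [p for p in entry.get(field) or []
                      if isinstance(p, str) and p != p.strip()]
            if padded:
                plan[section][entry.get("name")] = padded
    return plan


# Constructed sample: a cut-down export with the same layout as the one above.
SAMPLE_EXPORT = {
    "resourcetypes": {"resources": [
        {"name": "myresourceType", "patterns": ["*://*:*/*?* ", "*://*:*/*"]},
    ]},
    "policies": {"resources": [
        {"name": "myPolicy", "resources": ["*://*:*/*?* ", "*://*:*/*"]},
        {"name": "cleanPolicy", "resources": ["*://*:*/*"]},
    ]},
}

if __name__ == "__main__":
    # Pass the path of a real export (e.g. export-vol.json) or fall back to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_EXPORT
    for section, entries in workaround_plan(data).items():
        for name, patterns in entries.items():
            # repr() makes the otherwise invisible whitespace visible.
            print(f"{section}: {name}: {[repr(p) for p in patterns]}")
```

Policies are listed first because the workaround removes the pattern from them before touching the resource type.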