OpenAM / OPENAM-12245

"Authentication by Module Instance" policy env condition doesn't work in session upgrade case

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1
    • Fix Version/s: 6.0.0, 5.5.2
    • Component/s: authentication
    • Labels:
    • Sprint:
      AM Sustaining Sprint 46
    • Story Points:
      1
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
Yes, and I used the same as in the description

      Description

      Bug description

      "Authentication by Module Instance" policy env condition doesn't work in session upgrade case

      How to reproduce the issue

      NOTE: This issue only happens in case of session upgrade

      1. login to admin console
      2. [Realms] -> select realm -> [Authentication] -> edit [LDAP]
      3. set "Authentication Level=3" and click [Save Changes]
      4. [Authorization] -> [Policy Sets] -> [Default Policy Set] -> "+ Add a Policy"
      5. type in the following data :
        Name : TestPolicy001
        Resource Type: URL
        Resources : http://openam.example.com:38080/helloworld/*
        http://openam.example.com:38080/helloworld/*?*
        click [Create]
      6. click [Action] tab, add GET & POST:allow and click [Save Changes]
      7. click [Subjects] tab and set "Type: Authenticated Users" and click [Save Changes]
      8. click [Environments] tab and click [+ Add an Environment Condition]
        Type: Authentication by Module Instance
        Authentication Scheme: /:LDAP (this is in the form of <realm>:<auth module>)
        Application Name: iPlanetAMWebAgentService (Resource Type for policy evaluation)
        Application Idle Timeout Scheme: 2147483647
        Click "check" icon and click [Save Changes]
      9. login with admin user
        curl --request POST --header "X-OpenAM-Username: amadmin" --header "X-OpenAM-Password: cangetin" --header "Content-Type: application/json" --header "Accept-API-Version:protocol=1.0,resource=2.1" --data "{}" "http://openam.example.com:18080/openam/json/realms/root/authenticate"
        
      10. login with demo user
        curl --request POST --header "X-OpenAM-Username: demo" --header "X-OpenAM-Password: changeit" --header "Content-Type: application/json" --header "Accept-API-Version:protocol=1.0,resource=2.1" --data "{}" "http://openam.example.com:18080/openam/json/realms/root/authenticate?module=DataStore&authIndexType=module&authIndexValue=DataStore"
        
      11. then upgrade demo user's session
        curl --request POST --header "iPlanetDirectoryPro:M2hI2hR..." --header "X-OpenAM-Username: demo" --header "X-OpenAM-Password: changeit" "http://openam.example.com:18080/openam/json/realms/root/authenticate?authIndexType=level&authIndexValue=3"
        
      12. request for policy evaluation
        curl --request POST \
        --header "Content-Type: application/json" \
        --header "iPlanetDirectoryPro: <amadmin session>" \
        --data '{
            "resources": [
                "http://openam.example.com:38080/helloworld/index.html"
            ],
            "application": "iPlanetAMWebAgentService",
            "subject": { "ssoToken": "<upgraded user session>"}
        }' \
        "http://openam.example.com:18080/openam/json/policies?_action=evaluate"
        [{"resource":"http://openam.example.com:38080/helloworld/index.html","actions":{},"attributes":{},"advices":{},"ttl":9223372036854775807}]
        
      Expected behaviour

      Policy evaluation request to return correct evaluation response

      [{"resource":"http://openam.example.com:38080/helloworld/index.html","actions":{"POST":true,"GET":true},"attributes":{},"advices":{},"ttl":1513728110137}]
      
      Current behaviour

      The policy evaluation request returns a response with no actions (the empty "actions":{} shown above), so the condition is treated as not satisfied. If you check the Entitlement debug log, you will see that the requesting user's auth scheme list is in the wrong format: the realm-qualified module name has been split into single characters:

      At AuthSchemeCondition.getConditionDecision():authScheme not satisfied = /:LDAP
      At AuthSchemeCondition.getConditionDecision():authScheme = [/:LDAP], requestAuthSchemes = [/:L, /:/, /:o, /:P, /:A, /:a, /:r, /:S, /:D, /:t, :, /:e],  allowed before applicationIdleTimeout check = false
      

      Work around

      None

      Code analysis

      This seems to be a regression caused by the change implemented via AME-13482.
      String.split() takes a regular expression, and "|" is the alternation metacharacter, so split("|") matches the empty string and cuts between every character. The separator should have been escaped as split("\\|") (or Pattern.quote("|")).

      com.sun.identity.authentication.service.AuthUtils.java
          public static String upgradeModuleList(String prevList, String newList, String realm) {
              newList = getRealmQualifiedList(realm, newList);
              utilDebug.message("newList : {}", newList);
              utilDebug.message("prevList : {}", prevList);
              Set<String> result = new LinkedHashSet<>();
              // BUG: "|" is a regex alternation metacharacter; an unescaped split("|")
              // splits between every character instead of on the literal pipe separator.
              result.addAll(asList(newList.split("|")));
              if (prevList != null) {
                  result.addAll(asList(prevList.split("|")));
              }
              return result.stream().collect(Collectors.joining("|"));
          }
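
      The following is an added, stand-alone illustration of the defect and its fix, not code from OpenAM. It reimplements the merge logic with the buggy and the escaped split side by side, feeds it constructed inputs ("/:DataStore" as the session's existing module list and "/:LDAP" as the module used for the session upgrade, both already realm-qualified, so the getRealmQualifiedList and debug calls are omitted), and uses a simplified stand-in for the AuthSchemeCondition membership check. Class and method names are hypothetical.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

public class ModuleListSplitDemo {

    // Buggy form, as in the ticket: "|" is a regex alternation operator, so the pattern
    // matches the empty string and String.split cuts between every character.
    static String upgradeModuleListBuggy(String prevList, String newList) {
        Set<String> result = new LinkedHashSet<>();
        result.addAll(Arrays.asList(newList.split("|")));
        if (prevList != null) {
            result.addAll(Arrays.asList(prevList.split("|")));
        }
        return result.stream().collect(Collectors.joining("|"));
    }

    // Fixed form: escape the metacharacter ("\\|") or let Pattern.quote do it,
    // so the literal pipe is the separator and each realm-qualified name survives intact.
    static String upgradeModuleListFixed(String prevList, String newList) {
        Set<String> result = new LinkedHashSet<>();
        result.addAll(Arrays.asList(newList.split(Pattern.quote("|"))));
        if (prevList != null) {
            result.addAll(Arrays.asList(prevList.split("\\|")));
        }
        return result.stream().collect(Collectors.joining("|"));
    }

    // Simplified stand-in (hypothetical) for the AuthSchemeCondition check:
    // does the session's module list contain the configured "<realm>:<module>" scheme?
    static boolean schemeSatisfied(String moduleList, String requiredScheme) {
        return Arrays.asList(moduleList.split("\\|")).contains(requiredScheme);
    }

    public static void main(String[] args) {
        // Constructed inputs: the pre-upgrade module list and the module used for the upgrade.
        String prev = "/:DataStore";
        String added = "/:LDAP";

        String buggy = upgradeModuleListBuggy(prev, added);
        String fixed = upgradeModuleListFixed(prev, added);

        System.out.println("buggy list : " + buggy);
        System.out.println("fixed list : " + fixed);
        System.out.println("buggy satisfies /:LDAP ? " + schemeSatisfied(buggy, "/:LDAP"));
        System.out.println("fixed satisfies /:LDAP ? " + schemeSatisfied(fixed, "/:LDAP"));
    }
}
```

      Compile and run with javac/java (Java 8 or later, which OpenAM 5.5 requires). The buggy variant produces a pipe-joined list of single characters, so the "/:LDAP" membership check fails, which is the behaviour behind the per-character requestAuthSchemes entries in the debug log; the escaped variant keeps "/:LDAP" and "/:DataStore" as whole entries and the check passes. The same escaping rule applies to any String.split call whose separator is a regex metacharacter (".", "+", "*", "?", "(" and so on), not only "|".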
      

            People

            • Assignee: Sachiko Wallace (sachiko)
            • Reporter: Sachiko Wallace (sachiko)
            • Votes: 0
            • Watchers: 4
