  1. OpenAM
  2. OPENAM-13550

Incorrect policy condition script run when application property is defined

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 14.1.1
    • Fix Version/s: None
    • Component/s: authentication, rest, scripting
    • Labels:
      None

      Description

      Bug description

      When policy evaluation is requested via the policies endpoint and the resource exists in two policy sets, even though the application property defines one policy set, scripted environment conditions configured in both policy sets will run.

      How to reproduce the issue

      1. Install AM with embedded stores.
      2. Create realm: myrealm
      3. Create POLICY_CONDITION script: scriptA (example attached)
      4. Create POLICY_CONDITION script: scriptB (example attached)
      5. Create resource type: MyResourceType with pattern: MyResource
      6. Create policy set: PolicySetA with policy: PolicyA, Resources: MyResource, Subjects: AuthenticatedUsers, Environments: scriptA
      7. Create policy set: PolicySetB with policy: PolicyB, Resources: MyResource, Subjects: AuthenticatedUsers, Environments: scriptB
      8. Add privilege 'Read and write access to all realm and policy properties' for user making request
      9. Enable message level debugging for the server
      10. Request policy evaluation specifying application property: PolicySetA and resource MyResource (example attached)

      Expected behaviour

      Only scriptA will run

      Current behaviour

      Both scriptA and scriptB run, which can be seen in the Entitlement debug file using the example scripts
      

      Work around

      This issue does not occur in AM versions 6.x

      Code analysis

      None
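
The scoping this report expects, as an added model that is not taken from the report's attachments or from AM's source: the policy store, the stand-in scripts, their log messages and the `evaluate` / `outOfScopeScripts` helpers are all constructed for illustration. The unscoped branch only reproduces the observed outcome (both scripts run) and makes no claim about AM's internal logic.

```javascript
// Constructed model of the setup in the reproduction steps (not AM code).
// Each policy set holds policies; each policy has a resource pattern and a
// scripted environment condition, referenced here by script name.
const policySets = {
  PolicySetA: [{ name: "PolicyA", resource: "MyResource", script: "scriptA" }],
  PolicySetB: [{ name: "PolicyB", resource: "MyResource", script: "scriptB" }],
};

// Stand-ins for the POLICY_CONDITION scripts: log a message, then authorize.
const scripts = {
  scriptA: (logger) => { logger.message("scriptA executed"); return true; },
  scriptB: (logger) => { logger.message("scriptB executed"); return true; },
};

// Evaluate a request. scopeToApplication=true is the behaviour the report
// expects; false models the reported outcome (match on resource only).
function evaluate(request, scopeToApplication) {
  const debugLog = [];
  const logger = { message: (m) => debugLog.push(m) };
  const candidates = Object.entries(policySets)
    .filter(([setName]) => !scopeToApplication || setName === request.application)
    .flatMap(([setName, policies]) => policies.map((p) => ({ ...p, setName })))
    .filter((p) => p.resource === request.resource);
  const scriptsRun = [];
  let authorized = candidates.length > 0;
  for (const p of candidates) {
    scriptsRun.push(p.script);
    // Run the script first so it always executes, then combine the result.
    authorized = scripts[p.script](logger) && authorized;
  }
  return { authorized, scriptsRun, debugLog };
}

// Regression check: script names that ran but are not attached to any policy
// in the requested policy set. An empty array means evaluation stayed in scope.
function outOfScopeScripts(request, scriptsRun) {
  const allowed = new Set((policySets[request.application] || []).map((p) => p.script));
  return scriptsRun.filter((s) => !allowed.has(s));
}

const request = { application: "PolicySetA", resource: "MyResource" };
console.log(outOfScopeScripts(request, evaluate(request, true).scriptsRun));
console.log(outOfScopeScripts(request, evaluate(request, false).scriptsRun));
```

The same `outOfScopeScripts` check can be fed script names collected from the Entitlement debug file after a real evaluation request.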

       

        Attachments

        1. scriptA.js
          0.3 kB
        2. scriptB.js
          0.3 kB
        3. test.sh
          1 kB


              People

              • Assignee:
                Unassigned
                Reporter:
                tim.chandler Tim Chandler