  1. OpenAM
  2. OPENAM-14356

Deleting OAuth 2.0 Client triggers unfiltered search

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 14.5.0, 6.5.0.1
    • Fix Version/s: 6.5.2, 7.0.0, 5.5.2
    • Component/s: None
    • Labels:
    • Sprint:
      AM Sustaining Sprint 61, AM Sustaining Sprint 62
    • Story Points:
      3
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description

      Description

      Bug description

      Deleting OAuth 2.0 Client triggers unfiltered search, via REST and admin Console

      How to reproduce the issue

      Step 1: Create 1 or more OAuth 2.0 client configurations, i.e.

      curl -X PUT --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{}' 'http://openam.example.com:8080/openam/json/realm-config/agents/OAuth2Client/oauthclient1'

      Step 2: Delete OAuth client configuration, i.e.

      curl -X DELETE --header 'Accept: application/json' 'http://openam.example.com:8080/openam/json/realm-config/agents/OAuth2Client/oauthclient1'

      Step 3: Observe the following LDAP operations:

      {"eventName":"DJ-LDAP","client":{"ip":"127.0.0.1","port":39940},"server":{"ip":"127.0.0.1","port":50389},"request":{"protocol":"LDAP","operation":"DELETE","connId":3,"msgId":1988,"dn":"ou=oauthclient1,ou=default,ou=OrganizationConfig,ou=1.0,ou=AgentService,ou=services,dc=openam,dc=forgerock,dc=org"},"transactionId":"19c1d27a-0137-478f-967b-6de108cbe95f-91473","response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":5,"elapsedTimeUnits":"MILLISECONDS"},"timestamp":"2019-01-30T16:19:03.576Z","_id":"19c1d27a-0137-478f-967b-6de108cbe95f-91475"}
      
      {"eventName":"DJ-LDAP","client":{"ip":"127.0.0.1","port":39954},"server":{"ip":"127.0.0.1","port":50389},"request":{"protocol":"LDAP","operation":"SEARCH","connId":10,"msgId":1730,"dn":"ou=oauthclient1,ou=default,ou=OrganizationConfig,ou=1.0,ou=AgentService,ou=services,dc=openam,dc=forgerock,dc=org","scope":"base","filter":"(objectClass=*)","attrs":["ou","sunServiceSchema","sunPluginSchema","sunKeyValue","sunxmlKeyValue","objectclass","sunsmspriority","sunserviceID","labeledURI","modifytimestamp"]},"transactionId":"19c1d27a-0137-478f-967b-6de108cbe95f-91477","response":{"status":"FAILED","statusCode":"32","elapsedTime":1,"elapsedTimeUnits":"MILLISECONDS","detail":"The search base entry 'ou=oauthclient1,ou=default,ou=OrganizationConfig,ou=1.0,ou=AgentService,ou=services,dc=openam,dc=forgerock,dc=org' does not exist","nentries":0},"timestamp":"2019-01-30T16:19:03.578Z","_id":"19c1d27a-0137-478f-967b-6de108cbe95f-91479"}
      
      {"eventName":"DJ-LDAP","client":{"ip":"127.0.0.1","port":39940},"server":{"ip":"127.0.0.1","port":50389},"request":{"protocol":"LDAP","operation":"SEARCH","connId":3,"msgId":1989,"dn":"ou=oauthclient1,ou=default,ou=OrganizationConfig,ou=1.0,ou=AgentService,ou=services,dc=openam,dc=forgerock,dc=org","scope":"base","filter":"(objectClass=*)","attrs":["ou","sunServiceSchema","sunPluginSchema","sunKeyValue","sunxmlKeyValue","objectclass","sunsmspriority","sunserviceID","labeledURI","modifytimestamp"]},"transactionId":"19c1d27a-0137-478f-967b-6de108cbe95f-91480","response":{"status":"FAILED","statusCode":"32","elapsedTime":0,"elapsedTimeUnits":"MILLISECONDS","detail":"The search base entry 'ou=oauthclient1,ou=default,ou=OrganizationConfig,ou=1.0,ou=AgentService,ou=services,dc=openam,dc=forgerock,dc=org' does not exist","nentries":0},"timestamp":"2019-01-30T16:19:03.579Z","_id":"19c1d27a-0137-478f-967b-6de108cbe95f-91482"}
      
      {"eventName":"DJ-LDAP","client":{"ip":"127.0.0.1","port":39954},"server":{"ip":"127.0.0.1","port":50389},"request":{"protocol":"LDAP","operation":"SEARCH","connId":10,"msgId":1731,"dn":"ou=default,ou=OrganizationConfig,ou=1.0,ou=AgentService,ou=services,dc=openam,dc=forgerock,dc=org","scope":"one","filter":"(objectClass=*)","attrs":["o"]},"transactionId":"19c1d27a-0137-478f-967b-6de108cbe95f-91485","response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":1,"elapsedTimeUnits":"MILLISECONDS","nentries":2},"timestamp":"2019-01-30T16:19:03.582Z","_id":"19c1d27a-0137-478f-967b-6de108cbe95f-91487"}

      Expected behaviour

      The last (objectClass=*) search seems unnecessary and can cause long etimes and unindexed searches where there is a large number of client configurations. In bulk delete operations, this can cause serious performance issues in AM/DS. The delete operation via REST could do without this search.

      Current behaviour

      {"eventName":"DJ-LDAP","client":{"ip":"127.0.0.1","port":39954},"server":{"ip":"127.0.0.1","port":50389},"request":{"protocol":"LDAP","operation":"SEARCH","connId":10,"msgId":1731,"dn":"ou=default,ou=OrganizationConfig,ou=1.0,ou=AgentService,ou=services,dc=openam,dc=forgerock,dc=org","scope":"one","filter":"(objectClass=*)","attrs":["o"]},"transactionId":"19c1d27a-0137-478f-967b-6de108cbe95f-91485","response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":1,"elapsedTimeUnits":"MILLISECONDS","nentries":2},"timestamp":"2019-01-30T16:19:03.582Z","_id":"19c1d27a-0137-478f-967b-6de108cbe95f-91487"}
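
      One way to spot this pattern in a DS JSON access log, as an added example that is not part of the original report or of OpenAM itself: it flags non-base `(objectClass=*)` searches rooted at the parent of an entry that was just deleted. The sample events are constructed from the fields shown in the log lines above, and the function names are hypothetical.

```python
import json
import re

BASE = ("ou=default,ou=OrganizationConfig,ou=1.0,ou=AgentService,"
        "ou=services,dc=openam,dc=forgerock,dc=org")

def _event(op, dn, status="SUCCESSFUL", nentries=None, **req):
    """Build one constructed DJ-LDAP log line holding only the fields used below."""
    resp = {"status": status}
    if nentries is not None:
        resp["nentries"] = nentries
    return json.dumps({"eventName": "DJ-LDAP",
                       "request": {"operation": op, "dn": dn, **req},
                       "response": resp})

# Constructed sample: the delete sequence from the report plus one unrelated search.
SAMPLE_LOG = [
    _event("DELETE", "ou=oauthclient1," + BASE),
    _event("SEARCH", "ou=oauthclient1," + BASE, status="FAILED", nentries=0,
           scope="base", filter="(objectClass=*)"),
    _event("SEARCH", BASE, nentries=2, scope="one", filter="(objectClass=*)"),
    _event("SEARCH", "ou=people,dc=openam,dc=forgerock,dc=org", nentries=1,
           scope="sub", filter="(uid=demo)"),
]

def parent_dn(dn):
    """Drop the leftmost RDN, splitting on the first comma not preceded by a backslash."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1].lower() if len(parts) == 2 else ""

def searches_after_delete(lines):
    """Return non-base (objectClass=*) searches whose base is the parent of a deleted entry."""
    deleted_parents, hits = set(), []
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventName") != "DJ-LDAP":
            continue
        req, resp = ev.get("request", {}), ev.get("response", {})
        op, dn = req.get("operation"), req.get("dn", "")
        if op == "DELETE" and resp.get("status") == "SUCCESSFUL":
            deleted_parents.add(parent_dn(dn))
        elif (op == "SEARCH" and req.get("scope") != "base"
              and req.get("filter", "").replace(" ", "").lower() == "(objectclass=*)"
              and dn.lower() in deleted_parents):
            hits.append({"base": dn, "scope": req.get("scope"),
                         "nentries": resp.get("nentries")})
    return hits

if __name__ == "__main__":
    for hit in searches_after_delete(SAMPLE_LOG):
        print(hit)
```

      The `nentries` value on each hit shows how many client configurations the search walked, which is the cost that grows during bulk deletes.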

              People

              • Assignee:
                lawrence.yarham Lawrence Yarham
                Reporter:
                john.noble John Noble
              • Votes:
                1
                Watchers:
                6
