OPENAM-14419

Policy evaluation returns search results for all policies that match outside of specified application

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1, 6.5.0
    • Fix Version/s: 6.5.2, 6.0.1, 7.0.0, 5.5.2
    • Component/s: policy
    • Needs backport: Yes
    • Needs QA verification: Yes
    • Functional tests: No
    • Are the reproduction steps defined?: Yes and I used the same as in the description

      Description

      Bug description

      When evaluating a policy and specifying the application (policy set) in the request, search results in the Entitlement log can be seen for policies that match outside of the policy set specified.

      How to reproduce the issue

      1. Create PolicySetA and PolicyA (resource can be http://www.example.com:8000/*)
      2. Create PolicySetB and Policy B with the same resource
      3. Set AM logging to message-level
      4. Hit the evaluate endpoint, specifying PolicySetA as the application:
        curl -s -k -X POST -H 'X-Requested-With: browser' -H 'iPlanetDirectoryPro: <token>' -H 'Content-Type: application/json' --data '{ "resources": ["http://www.example.com:8000/index.html"], "application": "PolicySetA" }' 'http://openam.example.com/openam/json/policies?_action=evaluate'
      5. In the Entitlement log you'll see search results for both policies (search result: privilege=PolicyA, and then again for PolicyB).
        E.g. run tail -f ws-65x/cfg-app/openam/debug/* | grep "privilege=Policy" while doing the above.
      Expected behaviour
      In this case, one search result for PolicyA
      Current behaviour
      Both search results returned for PolicyA and PolicyB

      Code analysis

      com/sun/identity/entitlement/PrivilegeEvaluator.java
      private List<Entitlement> evaluate(String realm, SSOToken appToken) throws EntitlementException {
          ...
          final Iterator<IPrivilege> policyIterator = indexStore.search(realm, indexes, subjectIndexes, recursive);
          ...
          // The search above returns all privileges matching the resource but is not filtered on the
          // application name (policy set). That check happens later; performance-wise one could cut the
          // result down here by filtering on applicationName (the same one as the evaluation context).
      }

      With the fix in OPENAM-12338 there should be no functional issue here beyond the printout, but the fix will filter on that portion.
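A small model of the search-then-filter path from the code analysis above, added here as an illustration and not OpenAM's code; the Privilege fields, IndexStore and evaluate() are assumptions standing in for IPrivilege, indexStore.search() and PrivilegeEvaluator.evaluate(). It shows the unfiltered search logging both PolicyA and PolicyB for a PolicySetA request, and the pre-filter on application name reducing that to PolicyA only:

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Privilege:
    """Stand-in for an OpenAM privilege (policy); field names are assumptions."""
    name: str
    application: str   # the policy set the policy belongs to
    resource: str      # resource pattern, e.g. "http://www.example.com:8000/*"
    allow: bool = True


class IndexStore:
    """Toy model of indexStore.search(): returns every privilege whose resource
    pattern matches the requested resource; it knows nothing about applications."""

    def __init__(self, privileges):
        self._privileges = list(privileges)

    def search(self, resource):
        # fnmatchcase treats '*' as "any characters", close enough to the wildcard
        # in the reproduction steps ('?' and '[' are special too, irrelevant here).
        return [p for p in self._privileges if fnmatchcase(resource, p.resource)]


def evaluate(store, resource, application, prefilter):
    """Evaluate `resource` within policy set `application`.

    prefilter=False mirrors the reported behaviour: every matching privilege is
    logged before the application is checked. prefilter=True drops out-of-set
    privileges right after the search, so only in-set results are logged.
    Returns (decisions, log_lines)."""
    log = []
    candidates = store.search(resource)
    if prefilter:
        candidates = [p for p in candidates if p.application == application]
    for p in candidates:
        log.append(f"search result: privilege={p.name}")
    # The application check that the real evaluator performs later on.
    decisions = {p.name: p.allow for p in candidates if p.application == application}
    return decisions, log


def reproduce(prefilter):
    """The two-policy-set setup from the reproduction steps (constructed data)."""
    store = IndexStore([
        Privilege("PolicyA", "PolicySetA", "http://www.example.com:8000/*"),
        Privilege("PolicyB", "PolicySetB", "http://www.example.com:8000/*"),
    ])
    return evaluate(store, "http://www.example.com:8000/index.html", "PolicySetA", prefilter)
```

The decision is the same either way; only the noise in the log changes.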

              People

              • Assignee: chee-weng.chea C-Weng C
              • Reporter: aaron.haskins Aaron Haskins
              • Votes: 1
              • Watchers: 8
