OpenAM / OPENAM-14829

AuthSchemeCondition doesn't return realm aware policy condition advice

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1, 6.5.1, 7.0.0
    • Fix Version/s: 6.5.2, 6.0.1, 7.0.0, 5.5.2
    • Component/s: policy
    • Labels:
    • Sprint: AM Sustaining Sprint 62
    • Story Points: 3
    • Needs backport: No
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification: Yes
    • Functional tests: No
    • Are the reproduction steps defined?: Yes, and I used the same as in the description

      Description

      Bug description

      AuthSchemeCondition doesn't return realm aware policy condition advice

      How to reproduce the issue

      1. click [REALMS] -> [+ NEW REALM]
        Name: testrealm01
      2. click "testrealm01" -> [Authorization] -> [Policy Sets] -> [+ New Policy Set]
        Id : iPlanetAMWebAgentService
        Name : iPlanetAMWebAgentService
        Resource Types : URL
      3. under "iPlanetAMWebAgentService" Policy Set created above, click [+Add a Policy]
        Name : TestPolicy001
        Resource Type: URL
        Resources: http://openam.example.com:38080/helloworld/*
      4. edit the policy created above :
        Actions : GET/POST allow
        Subjects: Authenticated Users
        Environments: Type: Authentication by Module Instance
        Authentication Scheme : HOTP
        Application Idle Timeout Scheme: 10
        Application Name: iPlanetAMWebAgentService
      5. request REST policy evaluation
        curl --request POST \
          --header "Content-Type: application/json" \
          --header "iPlanetDirectoryPro: <admin_token>" \
          --data '{
              "resources": [
                  "http://openam.example.com:38080/helloworld/index.html"
              ],
              "application": "iPlanetAMWebAgentService",
              "subject": { "ssoToken": "<user_token>" }
          }' \
          "http://openam.example.com:18080/openam/json/testrealm01/policies?_action=evaluate"

      Expected behaviour

      Response should include realm info in AuthSchemeConditionAdvice

      [{"resource":"http://openam.example.com:38080/helloworld/index.html","actions":{},"attributes":{},"ttl":9223372036854775807,"advices":{"AuthSchemeConditionAdvice":["/testrealm01:HOTP"],"ForceAuth":["true"]}}]
      
      Current behaviour

      Response does not include realm info in AuthSchemeConditionAdvice (the advice carries only the module name)

      [{"resource":"http://openam.example.com:38080/helloworld/index.html","actions":{},"attributes":{},"ttl":9223372036854775807,"advices":{"AuthSchemeConditionAdvice":["HOTP"],"ForceAuth":["true"]}}]


      Work around

      N/A

      Code analysis

      This issue seems very similar to OPENAM-3167. However, OPENAM-3167 only fixed AuthenticateToServiceCondition. A similar fix should be made to AuthSchemeCondition.

      org.forgerock.$AuthSchemeCondition.java
              boolean allowed = true;
              // Schemes the caller still has to satisfy; these become the AuthSchemeConditionAdvice values.
              Set<String> adviceMessages = new HashSet<String>(authScheme.size());
              for (String authScheme : this.authScheme) {
                  if (!requestAuthSchemes.contains(authScheme)) {
                      String schemeRealm = AMAuthUtils.getRealmFromRealmQualifiedData(authScheme);
                      if (StringUtils.isNotEmpty(schemeRealm) || !requestAuthSchemesIgnoreRealm.contains(authScheme)) {
                          allowed = false;
                          // Qualify the scheme with the evaluation realm (e.g. "/testrealm01:HOTP") before
                          // emitting it as advice, as OPENAM-3167 already does for AuthenticateToServiceCondition.
                          final String realmAwareScheme = getRealmAwareScheme(authScheme, realm);
                          adviceMessages.add(realmAwareScheme);
                          if (debug.messageEnabled()) {
                              debug.message("At AuthSchemeCondition.getConditionDecision():authScheme not satisfied = "
                                      + realmAwareScheme);
                          }
                          break;
                      }
                  }
              }
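The following is an added example, not code from the issue or from OpenAM, covering both the REST evaluation call in step 5 and the realm-qualification logic of the code analysis. It builds the evaluate request the way the curl command does, parses the advices in the response, flags any AuthSchemeConditionAdvice value that carries no realm (the symptom of this issue), and shows what a policy enforcement point can derive from each form of advice. Assumptions: realm-qualified data has the form "<realm>:<data>" with a single ":" separator, and the login parameters used are OpenAM's realm, module and ForceAuth; the sample responses are constructed from the expected and current JSON shown above.

```python
"""Added example (not OpenAM code): build the evaluate call, parse the advices
it returns and check that AuthSchemeConditionAdvice values are realm-qualified
('/realm:module'), the behaviour OPENAM-14829 asks for."""
import json
from urllib.parse import urlencode

ADVICE_KEY = "AuthSchemeConditionAdvice"

# Constructed sample responses, shaped like the expected and current JSON in
# the issue description (resource, ttl and advice values copied from there).
_RESOURCE = "http://openam.example.com:38080/helloworld/index.html"
EXPECTED_RESPONSE = json.dumps([{
    "resource": _RESOURCE, "actions": {}, "attributes": {}, "ttl": 9223372036854775807,
    "advices": {ADVICE_KEY: ["/testrealm01:HOTP"], "ForceAuth": ["true"]},
}])
CURRENT_RESPONSE = json.dumps([{
    "resource": _RESOURCE, "actions": {}, "attributes": {}, "ttl": 9223372036854775807,
    "advices": {ADVICE_KEY: ["HOTP"], "ForceAuth": ["true"]},
}])


def build_evaluate_request(base_url, realm, admin_token, resources, application, user_token):
    """Return (url, headers, body) for the evaluate call in step 5 of the
    reproduction, ready for any HTTP client. Assumes the endpoint layout the
    issue shows: <base>/json/<realm>/policies?_action=evaluate."""
    url = "%s/json/%s/policies?_action=evaluate" % (base_url.rstrip("/"), realm.strip("/"))
    headers = {"Content-Type": "application/json", "iPlanetDirectoryPro": admin_token}
    body = json.dumps({"resources": list(resources), "application": application,
                       "subject": {"ssoToken": user_token}})
    return url, headers, body


def split_realm_qualified(value):
    """Split realm-qualified data into (realm, data).

    Assumption: OpenAM writes realm-qualified data as '<realm>:<data>' with a
    single ':' separator (the format AMAuthUtils handles); unqualified data
    yields realm None."""
    realm, sep, data = value.partition(":")
    if not sep:
        return None, value
    return realm, data


def qualify_scheme(scheme, realm):
    """Realm-aware form of an auth scheme, e.g. ('HOTP', '/testrealm01') ->
    '/testrealm01:HOTP'. This is what the getRealmAwareScheme call in the code
    analysis has to produce: keep a scheme that already names a realm,
    otherwise prefix the evaluation realm."""
    existing_realm, _ = split_realm_qualified(scheme)
    if existing_realm is not None:
        return scheme
    return "%s:%s" % (realm, scheme)


def unqualified_advices(response_text):
    """Regression check for OPENAM-14829: list (resource, scheme) for every
    AuthSchemeConditionAdvice value that carries no realm. Empty means fixed."""
    findings = []
    for entry in json.loads(response_text):
        for scheme in entry.get("advices", {}).get(ADVICE_KEY, []):
            realm, _ = split_realm_qualified(scheme)
            if realm is None:
                findings.append((entry["resource"], scheme))
    return findings


def auth_redirect_query(scheme, evaluation_realm):
    """Query string a policy enforcement point would append to the login URL to
    send the user to the advised module. With realm-aware advice the realm is
    taken from the advice itself; with the unqualified advice of the current
    behaviour the PEP can only fall back to the realm it evaluated against,
    which is the ambiguity the fix removes. Uses OpenAM's realm, module and
    ForceAuth login parameters."""
    realm, module = split_realm_qualified(scheme)
    if realm is None:
        realm = evaluation_realm
    return urlencode({"realm": realm, "module": module, "ForceAuth": "true"})


if __name__ == "__main__":
    print("current  :", unqualified_advices(CURRENT_RESPONSE))
    print("expected :", unqualified_advices(EXPECTED_RESPONSE))
    print("login    :", auth_redirect_query("/testrealm01:HOTP", "/"))
```

Running unqualified_advices against a live evaluate response after upgrading to a fix version is a quick way to confirm the advice is now realm-qualified for the module-instance condition, not only for the service condition fixed in OPENAM-3167.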

            People

            • Assignee: Sachiko Wallace
            • Reporter: Sachiko Wallace
            • Votes: 0
            • Watchers: 4
