OpenAM / OPENAM-15758

KeyStore Secret Store fails to start due to secretId having some characters.


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.5.0, 6.5.1
    • Fix Version/s: 6.5.3, 7.0.0
    • Component/s: secrets, XUI
    • Sprint:
      AM Sustaining Sprint 70, AM Sustaining Sprint 71, AM Sustaining Sprint 72, AM Sustaining Sprint 73


      Bug description

      A secretId in the KeyStoreSecretStore, for example the store password secretId or the key password secretId, has to be a string of alphanumeric segments separated by dots.

      When any other character, such as an underscore or a hyphen, is used in the Id, the secrets will fail. The issue is that there is no UI or software validation to prevent this from being configured, and it may cause system startup to fail (if this happens on an important realm).

      How to reproduce the issue

      Create a keystore secret store, but use a secret password label that contains, say, "_" or a hyphen as part of the string. When this is used, the following exception may be seen:

      Caused by: com.google.common.util.concurrent.UncheckedExecutionException: org.forgerock.openam.secrets.SecretInitialisationException: Could not load some secret stores
              at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2050)
              at com.google.common.cache.LocalCache.get(LocalCache.java:3952)
              at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3974)
      Caused by: org.forgerock.openam.secrets.SecretInitialisationException: Could not load some secret stores
              at org.forgerock.openam.secrets.Secrets.resolveSecretStores(Secrets.java:258)
              at org.forgerock.openam.secrets.Secrets.loadSecretStores(Secrets.java:227)
              at org.forgerock.openam.secrets.Secrets.loadRealmSecrets(Secrets.java:196)
              at com.google.common.cache.CacheLoader$FunctionToCacheLoader.load(CacheLoader.java:165)
              at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3528)
      Caused by: java.lang.IllegalArgumentException: Label must match regex: [a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*
              at org.forgerock.util.Reject.ifFalse(Reject.java:183)
              at org.forgerock.secrets.Purpose.<init>(Purpose.java:91)
              at org.forgerock.secrets.Purpose.purpose(Purpose.java:103)
              at org.forgerock.openam.secrets.config.KeyStoreSecretStore.lambda$createStore$2(KeyStoreSecretStore.java:136)
              at java.util.Optional.map(Optional.java:215)
              at org.forgerock.openam.secrets.config.KeyStoreSecretStore.createStore(KeyStoreSecretStore.java:136)
              at org.forgerock.openam.secrets.config.KeyStoreBasedSecretStoreProvider.getStore(KeyStoreBasedSecretStoreProvider.java:50)
              at org.forgerock.openam.secrets.config.KeyStoreBasedSecretStoreProvider.getStore(KeyStoreBasedSecretStoreProvider.java:38)
              at org.forgerock.openam.secrets.Secrets.resolveSecretStores(Secrets.java:245)
              ... 124 more

      Expected behaviour

      At the least, the XUI Secret UI should not let one create or add these illegal labels into the system, and the value should be validated first.
      - Have input validation so that the user will not find out. Prevent the update from happening on UI or input
      - Maybe also add documentation, and show the possible secretId value format in the info-text

      Current behaviour

      The Secret store fails to load and the above exception may be seen.

      Work around

      • Use secretId only with the format
      • There is no documentation to indicate that this is the valid format.
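
A pre-save check for secretId labels, as an added example that is not OpenAM or XUI code. It uses the label regex from the IllegalArgumentException above and assumes the whole string must match; the field names storePasswordSecretId and keyPasswordSecretId and both function names are hypothetical.

```javascript
// Added example, not OpenAM code. The pattern is copied from the
// IllegalArgumentException message in the stack trace; anchoring it with
// ^ and $ (whole-string match) is an assumption.
const LABEL_PATTERN = /^[a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*$/;

// Explain why one secretId label would be rejected; returns [] when valid.
function explainLabel(label) {
  if (typeof label !== "string" || label.length === 0) {
    return ["label is empty"];
  }
  if (LABEL_PATTERN.test(label)) return [];
  const problems = [];
  // Anything other than letters, digits and dots (underscore, hyphen, space...).
  const illegal = [...new Set(label.match(/[^a-zA-Z0-9.]/g) || [])];
  if (illegal.length > 0) {
    problems.push("illegal character(s): " + illegal.map((c) => JSON.stringify(c)).join(", "));
  }
  if (label.startsWith(".") || label.endsWith(".")) {
    problems.push("label must not start or end with a dot");
  }
  if (label.includes("..")) {
    problems.push("empty segment between dots");
  }
  return problems;
}

// Check every secretId field of a store configuration before it is saved.
// The default field names are hypothetical, chosen for this example.
function validateStoreConfig(config, fields = ["storePasswordSecretId", "keyPasswordSecretId"]) {
  const errors = {};
  for (const field of fields) {
    const problems = explainLabel(config[field]);
    if (problems.length > 0) errors[field] = problems;
  }
  return { valid: Object.keys(errors).length === 0, errors };
}

// Constructed sample input: one label with an underscore, one valid label.
const sample = {
  storePasswordSecretId: "store_password",
  keyPasswordSecretId: "am.keystore.entrypass",
};
console.log(JSON.stringify(validateStoreConfig(sample), null, 2));
```

Rejecting the configuration at this point keeps a bad label from reaching the realm's secret store loading, where it surfaces only as the SecretInitialisationException shown above.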

      Code analysis





            • Assignee:
              lawrence.yarham Lawrence Yarham
              chee-weng.chea C-Weng C