  1. OpenAM
  2. OPENAM-15892

ScriptingSchemaStep clears whitelist customisations on upgrade

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 7.0.0
    • Fix Version/s: None
    • Component/s: scripting, upgrade

      Description

      Bug description

      When upgrading Express environments from gcr.io/forgerock-io/am:7.0.0-b33f5b14758a42cfc02c2e36b084955d5453bc74 to gcr.io/forgerock-io/am:7.0.0-2f528d0a3626b8dfcefec1d1c6405c6317a24d35, the upgrade step org.forgerock.openam.upgrade.steps.scripting.ScriptingSchemaStep is run because Express' OIDC claims script whitelist does not include all of the classes that the upgrade step wants it to have.

      Unfortunately, rather than adding to the existing whitelist stored in AM's config, the upgrade step completely replaces the whitelist. This means that additional classes needed for Express' customised OIDC claims script are no longer present and the script cannot be run.

      How to reproduce the issue

      1. Set up a default installation of AM using gcr.io/forgerock-io/am:7.0.0-b33f5b14758a42cfc02c2e36b084955d5453bc74
      2. Update the OIDC claims whitelist using the attached script
      3. Upgrade AM to gcr.io/forgerock-io/am:7.0.0-2f528d0a3626b8dfcefec1d1c6405c6317a24d35

      Expected behaviour

      The OIDC claims whitelist is extended to include the following classes:

          org.forgerock.util.promise.PromiseImpl
          org.forgerock.http.protocol.Request
          org.forgerock.http.protocol.Entity
          org.forgerock.openam.scripting.api.http.JavaScriptHttpClient
          org.forgerock.http.protocol.Response
          org.forgerock.openam.scripting.api.http.GroovyHttpClient

      Current behaviour

      The OIDC claims whitelist is completely replaced and the following classes are no longer present:

          java.util.Date
          java.math.BigDecimal
          org.apache.groovy.json.internal.LazyMap
          java.text.SimpleDateFormat

      Workaround

      Manually update the OIDC whitelist after AM's upgrade completes

      Code analysis

      This change is applied by the upgrade step org.forgerock.openam.upgrade.steps.scripting.ScriptingSchemaStep
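
      The replace-versus-merge behaviour reported above, modelled as an added example (not part of the original report and not AM's ScriptingSchemaStep code). All function names are hypothetical, and the java.lang.String entry is a constructed stand-in for the shipped defaults, which the report does not list.

```python
# Added example: a model of the whitelist handling described in this issue.
# Not AM's ScriptingSchemaStep code; all function names are hypothetical.

# Classes the upgrade step requires (the "Expected behaviour" list).
REQUIRED = [
    "org.forgerock.util.promise.PromiseImpl",
    "org.forgerock.http.protocol.Request",
    "org.forgerock.http.protocol.Entity",
    "org.forgerock.openam.scripting.api.http.JavaScriptHttpClient",
    "org.forgerock.http.protocol.Response",
    "org.forgerock.openam.scripting.api.http.GroovyHttpClient",
]
# Constructed pre-upgrade whitelist: a stand-in default entry followed by
# the customisations listed under "Current behaviour".
STORED = [
    "java.lang.String",  # constructed stand-in for the shipped defaults
    "java.util.Date",
    "java.math.BigDecimal",
    "org.apache.groovy.json.internal.LazyMap",
    "java.text.SimpleDateFormat",
]
# Constructed post-upgrade default list: stand-in default plus REQUIRED.
NEW_DEFAULTS = ["java.lang.String"] + REQUIRED

def needs_upgrade(stored, required):
    """The step runs when any required class is missing from the stored list."""
    return not set(required) <= set(stored)

def upgrade_replace(stored, new_defaults):
    """Reported behaviour: the stored whitelist is overwritten wholesale."""
    return list(new_defaults)

def upgrade_merge(stored, required):
    """Expected behaviour: append only the missing classes, keep the rest."""
    merged, seen = list(stored), set(stored)
    for cls in required:
        if cls not in seen:
            merged.append(cls)
            seen.add(cls)
    return merged

def lost_entries(before, after):
    """Entries to restore by hand after the upgrade (the workaround)."""
    present = set(after)
    return [cls for cls in before if cls not in present]

if __name__ == "__main__":
    after = upgrade_replace(STORED, NEW_DEFAULTS)
    print("lost after replace:", lost_entries(STORED, after))
    print("lost after merge:", lost_entries(STORED, upgrade_merge(STORED, REQUIRED)))
```

      Applying the workaround this way requires a copy of the whitelist taken before the upgrade, so that lost_entries has a "before" list to compare against.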

              People

              • Assignee: Unassigned
              • Reporter: Craig McDonnell (craig.mcdonnell)