AM REST needs delegation support

Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 11.0.0, 11.0.1, 12.0.0, 13.5.0, 13.5.2, 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.5.0, 6.0.0.6, 6.5.0.1, 6.0.0.7, 6.5.1, 6.5.0.2, 6.5.2, 6.5.2.1, 6.5.2.2, 6.5.2.3, 5.5.2, 7.0.0, 6.5.3, 7.0.1
    • Component/s: rest
    • All

    Description

      Only the super user (amadmin) is authorized to perform most REST calls; for example, the creation and deletion of an OAuth 2.0 Client Agent in the default realm can only be done with amadmin. Furthermore, not even amadmin can delete an OAuth 2.0 Client Agent in a sub-realm.

      There are two problems here:
      1. For all REST calls the authorize method is called in org.forgerock.openam.authz.filter.AdminAuthorizationFilter#authorize(). This method only checks to see if the user is the super user. So regardless of the privilege of non-super users, they will never be able to perform some REST calls; only the super user will be able to perform the REST call.

      2. If a patch is applied to check for adequate privilege of a non-super user in the authorize method, the REST call to delete, for example, does not consider the realm. Look at ClientResourceManager#delete(). The realm parameter when creating an AMIdentityRepository is null. It is also null when adding the identity to the set of identities that will be deleted. This results in only being able to delete identities from the root realm regardless of the user.

      I coded up several fixes but none were sufficient to allow non-super users to perform all REST calls from sub-realms.

      The attached files and code below are a start to solving this but are certainly not a final solution.

      Additionally, in my debugging I discovered that AMIdentity#equals does not test for membership in a group.

      Index: AMIdentity.java
      ===================================================================
      --- AMIdentity.java     (revision 8856)
      +++ AMIdentity.java     (working copy)
      @@ -1218,7 +1218,7 @@
                       if (dn != null && dn.equalsIgnoreCase(univDN)) {
                           isEqual = true;
                       }
      -            }
      +            }
       
                   if (!isEqual && !type.equals(IdType.REALM) &&
                       type.equals(compareTo.getType())) {
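Review bot: the first hunk (the `}` closing the `dn.equalsIgnoreCase(univDN)` block) is a whitespace-only change with no functional effect; drop it from the patch so the diff shows only the intended logic change.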
      @@ -1237,6 +1237,20 @@
                           }
                       }
                   }
      +           
      +            if (!isEqual && type.equals(IdType.GROUP) &&
      +                !type.equals(compareTo.getType())) {
      +                // Check to see if user is in a group
      +                try {
      +                   if (compareTo.isMember(this)) {
      +                       isEqual = true;
      +                   }
      +               } catch (IdRepoException e) {
      +                   debug.error( "AMIdentity.equals: IDRepoException", e);
      +               } catch (SSOException e) {
      +                   debug.error( "AMIdentity.equals: SSOException", e);
      +               }
      +           }
               }
               return (isEqual);
           }
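Review bot: making `equals` return true when `this` is a GROUP and the other identity is a member of it breaks the `equals` contract: the relation is not symmetric (with the operands swapped, `type.equals(IdType.GROUP)` is false, so `user.equals(group)` is false while `group.equals(user)` is true), it is no longer consistent with `hashCode`, and every `Set.contains` or `Map` lookup on an AMIdentity becomes a repository round-trip that can throw. Membership is a different relation from identity; express it as an explicit check at the call site that compares the caller against a privileged group, not inside `equals`. Also confirm the argument order of `compareTo.isMember(this)` against the AMIdentity Javadoc: the comment says "check to see if user is in a group", but `this` is the group here. Finally, catching IdRepoException/SSOException, logging at error level and falling through to `isEqual = false` makes a repository failure indistinguishable from "not a member" for callers.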
      

            People

              Assignee: Unassigned
              Reporter: trenthampton (Inactive)
              Votes: 16
              Watchers: 20
