OpenAM - OPENAM-8944

PolicyRequestHandler does not take ignore profile into account when looking up profile attributes

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 13.0.0, 14.0.0
    • Fix Version/s: 12.0.4, 13.5.0
    • Component/s: policy
    • Environment:
      A sub-realm defined in OpenAM where the profile is set to ignore and there is no user store defined. Policy evaluation request includes attribute request.
    • Sprint:
      AM Sustaining Sprint 22, AM Sustaining Sprint 23
    • Support Ticket IDs:

      Description

      Steps to reproduce: 12.0.3

      1) Create a test realm named policyrealm
      2) Create an authentication chain with an LDAP module and a DataStore module, both Sufficient, and set it as the default Organization Authentication Configuration.
      3) Set User Profile to Ignore under Authentication > All Core Settings in policyrealm
      4) Create an agent profile in policyrealm
      5) Delete the DataStore in policyrealm
      6) In 12.0.3, disable the XUI to prevent OPENAM-4499 so that you can log back in as Admin.
      7) Create a test policy (all authenticated users) in the top level realm; this saves some agent settings and can be done in policyrealm instead if necessary.

      Get a token for the user and an appToken for the agent:

      curl --request POST --header "X-OpenAM-Username: testuser" --header "X-OpenAM-Password: password" --header "Content-Type: application/json" --data "{}" http://openam-local.example.com:8080/openam/json/policyrealm/authenticate
      curl --request POST --header "X-OpenAM-Username: testagent" --header "X-OpenAM-Password: password" --header "Content-Type: application/json" --data "{}" http://openam-local.example.com:8080/openam/json/authenticate
      

      Make a policy request that invokes GetResponseDecisions, using the two tokens obtained above:

      curl -s -D - -X POST -H 'Content-Type: text/xml' --data '<?xml version="1.0" encoding="UTF-8"?>
      <RequestSet vers="1.0" svcid="Policy" reqid="3">
      <Request><![CDATA[<PolicyService version="1.0">
      <PolicyRequest requestId="4" appSSOToken="AQ..TY3NQ..*">
      <GetResourceResults userSSOToken="AQ..zMx*" serviceName="iPlanetAMWebAgentService" resourceName="http://one.two:80/index.pl" resourceScope="self">
      <EnvParameters><AttributeValuePair><Attribute name="cn"/><Value></Value></AttributeValuePair></EnvParameters>
      <GetResponseDecisions>
      <Attribute name="uid"/>
      </GetResponseDecisions>
      </GetResourceResults>
      </PolicyRequest>
      </PolicyService>]]>
      </Request>
      </RequestSet>' http://openam-local.example.com:8080/openam/policyservice
      

      When a policy evaluation request that includes a profile attribute request is sent to a realm that has no user store defined and whose profile mode is set to ignore, the attribute lookup throws a repository lookup exception and the whole policy evaluation fails instead of returning the decision without the attribute values.

      Agent mapping example:

      com.sun.identity.agents.config.profile.attribute.fetch.mode=HTTP_HEADER
      com.sun.identity.agents.config.profile.attribute.mapping[cn]=cn
      

      Exception example:

      amPolicy:05/24/2016 07:59:18:813 AM NZST: Thread[http-nio-11000-exec-6,5,main]: TransactionId[14c3315a-c9a9-446e-9483-aae925325399-2268]
      ERROR: PolicyRequestHandler: failed to get user attributes.
      Message:Identity user.0 of type user not found.
      	at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.getDN(DJLDAPv3Repo.java:2345)
      	at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.getDN(DJLDAPv3Repo.java:2291)
      	at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.getAttributes(DJLDAPv3Repo.java:778)
      	at org.forgerock.openam.idrepo.ldap.DJLDAPv3Repo.getAttributes(DJLDAPv3Repo.java:727)
      	at com.sun.identity.idm.server.IdServicesImpl.getAttributes(IdServicesImpl.java:702)
      	at com.sun.identity.idm.server.IdCachedServicesImpl.getAttributes(IdCachedServicesImpl.java:384)
      	at com.sun.identity.idm.AMIdentity.getAttributes(AMIdentity.java:347)
      	at com.sun.identity.policy.remote.PolicyRequestHandler.getResponseDecisions(PolicyRequestHandler.java:494)
      	at com.sun.identity.policy.remote.PolicyRequestHandler.processPolicyRequest(PolicyRequestHandler.java:410)
      	at com.sun.identity.policy.remote.PolicyRequestHandler.processPolicyServiceRequest(PolicyRequestHandler.java:244)
      	at com.sun.identity.policy.remote.PolicyRequestHandler.processRequest(PolicyRequestHandler.java:198)
      	at com.sun.identity.policy.remote.PolicyRequestHandler.process(PolicyRequestHandler.java:135)
      	at com.iplanet.services.comm.server.PLLRequestServlet.handleRequest(PLLRequestServlet.java:202)
      	at com.iplanet.services.comm.server.PLLRequestServlet.doPost(PLLRequestServlet.java:140)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
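The following is an added illustration, not OpenAM's PolicyRequestHandler code: a small hypothetical model of the response-decision step that applies the check this ticket asks for. The realm configuration, the in-memory sample identity store and the function names are all constructed for the example. A realm whose User Profile setting is "ignore" answers the requested attributes with empty values and never touches the identity repository, while a realm that requires profiles still performs the lookup and still fails when no user store exists, which is the behaviour quoted in the stack trace above.

```python
# Hypothetical model of the response-decision step of a policy request
# handler (added illustration, not OpenAM's PolicyRequestHandler). It shows
# the guard this ticket asks for: a realm whose User Profile setting is
# "ignore" must not trigger an identity-repository lookup when the policy
# request carries a <GetResponseDecisions> attribute list.
from dataclasses import dataclass, field
from typing import Dict, List


class IdRepoError(Exception):
    """Stands in for the repository's 'identity not found' failure."""


@dataclass
class RealmConfig:
    name: str
    profile_mode: str                # "required", "dynamic" or "ignore"
    user_store_configured: bool      # False models the deleted DataStore


@dataclass
class PolicyDecision:
    resource: str
    allowed: bool
    # attribute name -> values; populated only when attributes were requested
    response_attributes: Dict[str, List[str]] = field(default_factory=dict)


# Constructed sample identity store used by the realms that keep profiles.
SAMPLE_STORE: Dict[str, Dict[str, List[str]]] = {
    "testuser": {"uid": ["testuser"], "cn": ["Test User"]},
}


def lookup_profile_attributes(store, realm, user, attrs):
    """Constructed identity-store lookup. Raises when the realm has no user
    store or the user is absent, mirroring the DJLDAPv3Repo.getDN failure
    quoted in the ticket."""
    if not realm.user_store_configured or user not in store:
        raise IdRepoError(f"Identity {user} of type user not found.")
    return {a: list(store[user].get(a, [])) for a in attrs}


def get_response_decisions(realm, user, requested_attrs, store, resource, allowed=True):
    """Build the decision for one resource, consulting the user profile only
    when the realm actually maintains user profiles."""
    decision = PolicyDecision(resource=resource, allowed=allowed)
    if not requested_attrs:
        return decision
    if realm.profile_mode == "ignore":
        # Guard missing in the affected versions: with profiles ignored there
        # is nothing to look up, so answer with empty values instead of
        # letting a repository exception fail the whole evaluation.
        decision.response_attributes = {a: [] for a in requested_attrs}
        return decision
    decision.response_attributes = lookup_profile_attributes(
        store, realm, user, requested_attrs)
    return decision


def evaluation_fails(realm, user, requested_attrs, store, resource):
    """True when the evaluation raises, i.e. the failure mode from the ticket."""
    try:
        get_response_decisions(realm, user, requested_attrs, store, resource)
    except IdRepoError:
        return True
    return False


if __name__ == "__main__":
    ignore_realm = RealmConfig("policyrealm", "ignore", user_store_configured=False)
    print(get_response_decisions(ignore_realm, "testuser", ["uid"], SAMPLE_STORE,
                                 "http://one.two:80/index.pl"))
```

Run stand-alone it prints a decision for the ignore-profile realm whose `uid` response attribute is present but empty; the same call against a realm with profile mode "required" and no user store raises `IdRepoError`, which is the outcome the affected versions produce for both cases.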
      

    People

    • Assignee: Mark de Reeper (markdr)
    • Reporter: Mark de Reeper (markdr)
    • Votes: 0
    • Watchers: 4