
ServiceNow: user_password is not encrypted and it's shown in plaintext

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: servicenow-connector-1.5.0.0
    • Component/s: ServiceNow Connector
    • Labels:
    • Environment:
      ServiceNowConnector: 1.5.0.0-SNAPSHOT (SCM-Revision: 96ca9ebfbcaf37b00a1b14a547ec844cc023b71f)
      OpenIDM version "6.0.0-SNAPSHOT" (revision: f2587af)
      Linux Mint 18.2 Cinnamon 64-bit
      openjdk version "1.8.0_151"

      Description

      "user_password" is shown in plaintext for all requests. I am not sure whether this should be an issue or an improvement.
      This may not be a connector issue but an issue with the ServiceNow instance, because when I create a user over the web UI, the created user has an encrypted "user_password".

      Steps to reproduce:

      1. Download and unzip OpenIDM, start OpenIDM and set up the ServiceNow connector according to the documentation (for the default generated provisioner/schema)
      2. Send a POST request to create a new user with a password
        curl -X POST   'http://localhost:8080/openidm/system/serviceNow/user?_action=create'   -H 'content-type: application/json'   -H 'x-openidm-password: openidm-admin'   -H 'x-openidm-username: openidm-admin'   -d '{"phone": "555-123-1234", "first_name": "Test", "last_name": "Tester", "user_name": "C_23032018001", "email": "C_001@example.com", "user_password": "P4ssW0rd*001", "__NAME__": ""}' | jq
        • Response:
          {
            "_id": "78de3b810f811300760b06ace1050e5e",
            "user_name": "C_23032018001",
            "vip": "false",
            "sys_mod_count": "0",
            "sys_created_by": "admin",
            "web_service_access_only": false,
            "sys_id": "78de3b810f811300760b06ace1050e5e",
            "sys_class_name": "sys_user",
            "notification": "2",
            "sys_created_on": "2018-03-23 12:35:02",
            "internal_integration_user": false,
            "__NAME__": "C_001@example.com",
            "active": "true",
            "last_name": "Tester",
            "locked_out": "false",
            "sys_domain_path": "/",
            "sys_domain": "global",
            "first_name": "Test",
            "user_password": "P4ssW0rd*001",
            "sys_updated_by": "admin",
            "email": "C_001@example.com",
            "calendar_integration": "1",
            "password_needs_reset": "false",
            "phone": "555-123-1234",
            "sys_updated_on": "2018-03-23 12:35:02"
          }
      3. Send a GET request for a single user with a password
        curl -X GET 'http://localhost:8080/openidm/system/serviceNow/user?_queryFilter=/user_name+sw+"C_"'   -H 'content-type: application/json'   -H 'x-openidm-password: openidm-admin'   -H 'x-openidm-username: openidm-admin' | jq
        • Response:
          {
            "result": [
              {
                "_id": "78de3b810f811300760b06ace1050e5e",
                "user_name": "C_23032018001",
                "vip": "false",
                "sys_mod_count": "0",
                "sys_created_by": "admin",
                "web_service_access_only": false,
                "sys_id": "78de3b810f811300760b06ace1050e5e",
                "sys_class_name": "sys_user",
                "notification": "2",
                "sys_created_on": "2018-03-23 12:35:02",
                "internal_integration_user": false,
                "__NAME__": "C_001@example.com",
                "active": "true",
                "last_name": "Tester",
                "locked_out": "false",
                "sys_domain_path": "/",
                "sys_domain": "global",
                "first_name": "Test",
                "user_password": "P4ssW0rd*001",
                "sys_updated_by": "admin",
                "email": "C_001@example.com",
                "calendar_integration": "1",
                "password_needs_reset": "false",
                "phone": "555-123-1234",
                "sys_updated_on": "2018-03-23 12:35:02"
              }
            ],
            "resultCount": 1,
            "pagedResultsCookie": null,
            "totalPagedResultsPolicy": "NONE",
            "totalPagedResults": -1,
            "remainingPagedResults": -1
          }
      4. Send a PUT request on a single user with a password
        curl -X PUT 'http://localhost:8080/openidm/system/serviceNow/user/78de3b810f811300760b06ace1050e5e'   -H 'content-type: application/json'   -H 'x-openidm-password: openidm-admin'   -H 'x-openidm-username: openidm-admin' -H 'if-match: *' -d '{"phone": "555-123-1234", "first_name": "Test", "last_name": "Tester", "user_name": "C_23032018001", "email": "C_001@example.com", "user_password": "P4ssW0rd*001-Ch4ng3d!", "__NAME__": ""}' | jq
        • Response:
          {
            "_id": "78de3b810f811300760b06ace1050e5e",
            "user_name": "C_23032018001",
            "vip": "false",
            "sys_mod_count": "1",
            "sys_created_by": "admin",
            "web_service_access_only": false,
            "sys_id": "78de3b810f811300760b06ace1050e5e",
            "sys_class_name": "sys_user",
            "notification": "2",
            "sys_created_on": "2018-03-23 12:35:02",
            "internal_integration_user": false,
            "__NAME__": "C_001@example.com",
            "active": "true",
            "last_name": "Tester",
            "locked_out": "false",
            "sys_domain_path": "/",
            "sys_domain": "global",
            "first_name": "Test",
            "user_password": "P4ssW0rd*001-Ch4ng3d!",
            "sys_updated_by": "admin",
            "email": "C_001@example.com",
            "calendar_integration": "1",
            "password_needs_reset": "false",
            "phone": "555-123-1234",
            "sys_updated_on": "2018-03-23 12:44:02"
          }

      Actual result: Everywhere "user_password" is displayed as plaintext; the password is not encrypted.

      Expected result: Password should be encrypted or not displayed.

      Note: Created a user with a password over the UI in the ServiceNow instance. In the picture you can see how "user_password" is set.

      Create user over UI: C_23032018002
      GET request:
      curl -X GET 'http://localhost:8080/openidm/system/serviceNow/user/817304d50f411300760b06ace1050eea'   -H 'content-type: application/json'   -H 'x-openidm-password: openidm-admin'   -H 'x-openidm-username: openidm-admin' | jq
      Response:
      {
        "_id": "817304d50f411300760b06ace1050eea",
        "user_name": "C_23032018002",
        "vip": "false",
        "sys_mod_count": "0",
        "sys_created_by": "admin",
        "web_service_access_only": false,
        "sys_id": "817304d50f411300760b06ace1050eea",
        "sys_class_name": "sys_user",
        "notification": "2",
        "sys_created_on": "2018-03-23 12:56:23",
        "internal_integration_user": false,
        "mobile_phone": "(555) 123-1234",
        "__NAME__": "C_002@example.com",
        "active": "true",
        "last_name": "UI",
        "locked_out": "false",
        "sys_domain_path": "/",
        "sys_domain": "global",
        "first_name": "Test",
        "user_password": "$s$NHsXNOgkPROcvrDelf2IP1rL4eTl7WFr9onmBsLJJwE=$O+ve1bN+4L30N0qopBHc4DM9nY0C5NI238VzxsWvNvc=",
        "sys_updated_by": "admin",
        "email": "C_002@example.com",
        "calendar_integration": "1",
        "password_needs_reset": "false",
        "sys_updated_on": "2018-03-23 12:56:23"
      }
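The difference between the two responses above (a verbatim "P4ssW0rd*001" versus a "$s$salt$hash" value) can be turned into an automated check. The following is an added example, not code from the ticket or from the OpenICF connector: it scans a decoded OpenIDM response for a user_password that is neither absent nor in ServiceNow's hashed form, and flags it when it simply echoes the value the caller submitted. The hash-shape regex and the sample records are assumptions built from the values shown in this ticket.

```python
import json
import re

# ServiceNow returns stored sys_user.user_password values as
# "$s$<base64 salt>$<base64 hash>" (see the UI-created user in the ticket).
# Assumption: only the shape is checked, not the hash algorithm.
SN_HASH_RE = re.compile(r"^\$s\$[A-Za-z0-9+/]+=*\$[A-Za-z0-9+/]+=*$")
SECRET_FIELDS = ("user_password",)


def classify_password_value(value):
    """Return 'hashed', 'plaintext' or 'absent' for one user_password value."""
    if value is None or value == "":
        return "absent"
    if isinstance(value, str) and SN_HASH_RE.match(value):
        return "hashed"
    return "plaintext"


def find_exposed_secrets(response_json, submitted=None):
    """Scan a single-object or query ("result" list) response for unprotected secrets.

    submitted: optional dict of values sent in the create/update request; a response
    value equal to the submitted secret is reported as an echo of the caller's plaintext.
    Returns a list of (record_id, field, reason); an empty list means nothing leaked.
    """
    records = response_json.get("result", [response_json])
    findings = []
    for rec in records:
        rid = rec.get("_id", "?")
        for field in SECRET_FIELDS:
            if field not in rec:
                continue
            if classify_password_value(rec[field]) == "plaintext":
                reason = "plaintext"
                if submitted and submitted.get(field) == rec[field]:
                    reason = "echoes submitted value"
                findings.append((rid, field, reason))
    return findings


# Constructed samples, trimmed from the responses quoted in the ticket.
CONNECTOR_RESPONSE = {"result": [{"_id": "78de3b810f811300760b06ace1050e5e",
                                  "user_name": "C_23032018001",
                                  "user_password": "P4ssW0rd*001"}], "resultCount": 1}
UI_USER_RESPONSE = {"_id": "817304d50f411300760b06ace1050eea", "user_name": "C_23032018002",
                    "user_password": "$s$NHsXNOgkPROcvrDelf2IP1rL4eTl7WFr9onmBsLJJwE="
                                     "$O+ve1bN+4L30N0qopBHc4DM9nY0C5NI238VzxsWvNvc="}

if __name__ == "__main__":
    print(json.dumps(find_exposed_secrets(CONNECTOR_RESPONSE, {"user_password": "P4ssW0rd*001"})))
    print(json.dumps(find_exposed_secrets(UI_USER_RESPONSE)))
```

The same function can be pointed at the piped output of the curl commands in the reproduction steps to confirm the fix once the connector stops returning the attribute.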
      

            People

            • Assignee: Petr Jurica (Inactive)
            • Reporter: Miroslav Meca
            • QA Assignee: Miroslav Meca