OpenIDM / OPENIDM-10387

Backport OPENIDM-10365: Temporal constraints on roles are not working anymore

    Details

      Description

      Since this commit was made for OPENIDM-9940, the temporal constraints on provisioning roles are not working anymore.

      Note that the error I see "javax.script.ScriptException: TypeError: Cannot read property "external" from null" is similar to the problem raised in OPENIDM-10357 ("Sample sync-asynchronous and some other scripting+workflow use cases are not working anymore"). But this new issue on roles appeared only in revision 6720bab.

      The problem can be reproduced with the PyForge test sync_user_when_role_becomes_active.
      Here are the essential steps to reproduce the issue:

      1) launch OpenDJ and OpenIDM with a sync.json between managed users and LDAP

      2) create an assignment that sets "ou" to ForgeRock

      curl --header "If-None-Match: *" --header "Content-Type: application/json" --header "X-OpenIDM-Password: openidm-admin" --header "X-OpenIDM-Username: openidm-admin" --data '{ "name": "ldap", "description": "assignment description", "mapping": "managedUser_systemLdapAccounts", "attributes": [ { "name": "ou", "value": ["forgerock"], "assignmentOperation": "replaceTarget", "unassignmentOperation": "removeFromTarget" } ] }' --request PUT "http://localhost:8080/openidm/managed/assignment/new_ou"
      

      3) create a role with the assignment, with a temporal constraint on the role that starts in the near future (like 1 minute)

      curl --header "If-None-Match: *" --header "Content-Type: application/json" --header "X-OpenIDM-Password: openidm-admin" --header "X-OpenIDM-Username: openidm-admin" --data '{ "name": "role_employee", "description": "Employee Role", "temporalConstraints": [{"duration" : "2018-03-03T09:24:49.725185/2018-03-23T09:24:44.726480"}], "assignments": [{"_ref":"managed/assignment/new_ou"}] }' --request PUT "http://localhost:8080/openidm/managed/role/employee"
      

      4) create a managed user with this role

      curl --header "If-None-Match: *" --header "Content-Type: application/json" --header "X-OpenIDM-Password: openidm-admin" --header "X-OpenIDM-Username: openidm-admin" --data '{"userName": "dblue", "telephoneNumber": "6669876987", "givenName": "rick", "description": "Just another user", "roles": [{"_ref": "managed/role/employee"}], "sn": "sutter", "mail": "rick@example.com", "password": "Th3Password"}' --request PUT "http://localhost:8080/openidm/managed/user/dblue"
      

      5) a sync is triggered and a user is created in LDAP with an empty "ou" (because the role is not yet valid)

      curl --header "X-OpenIDM-Password: openidm-admin" --header "X-OpenIDM-Username: openidm-admin"  --request GET "http://localhost:8080/openidm/system/ldap/account/?_queryFilter=dn%20eq%20%22uid=dblue,ou=People,dc=example,dc=com%22"
      {"result":[{"_id":"eab07096-9785-454a-b321-bcfdf394cfea","dn":"uid=dblue,ou=People,dc=example,dc=com","uid":"dblue","aliasList":[],"kbaInfo":[],"description":"Just another user","mail":"rick@example.com","telephoneNumber":"6669876987","employeeType":[],"sn":"sutter","cn":"rick sutter","objectClass":["top","inetOrgPerson","organizationalPerson","person"],"givenName":"rick","ldapGroups":[],"ou":[]}],"resultCount":1,"pagedResultsCookie":null,"totalPagedResultsPolicy":"NONE","totalPagedResults":-1,"remainingPagedResults":-1}
      

      6) after one minute, the role should become active and the "ou" should be changed to "ForgeRock".
      It was working OK until revision 6720bab; now the schedule (for the temporal condition) fails and in the log we see:

      Mar 03, 2018 9:28:04 AM org.forgerock.openidm.util.LogUtil logAtLevel
      INFO: Scheduled service "scheduler-service-group.managed-role-employee-temporalConstraint-0-start" found, invoking.
      Mar 03, 2018 9:28:04 AM org.forgerock.openidm.router.impl.RouterConfig$1 matches
      WARNING: Failed to evaluate filter condition: 
      javax.script.ScriptException: TypeError: Cannot read property "external" from null
      	at org.forgerock.openidm.script.javascript.RhinoScriptEngine$3.newScriptException(RhinoScriptEngine.java:393)
      	at org.forgerock.openidm.script.javascript.RhinoScript.eval(RhinoScript.java:315)
      	at sun.reflect.GeneratedMethodAccessor94.invoke(Unknown Source)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.forgerock.openidm.script.registry.ScriptRegistryImpl$LibraryRecord.invoke(ScriptRegistryImpl.java:539)
      	at com.sun.proxy.$Proxy30.eval(Unknown Source)
      	at org.forgerock.openidm.script.registry.ScriptRegistryImpl$ScriptImpl.eval(ScriptRegistryImpl.java:814)
      	at org.forgerock.openidm.script.registry.ScriptRegistryImpl$ScriptImpl.eval(ScriptRegistryImpl.java:825)
      	at org.forgerock.openidm.router.impl.RouterConfig$1.matches(RouterConfig.java:232)
      	at org.forgerock.json.resource.Filters$ConditionalFilter.filterCreate(Filters.java:51)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:63)
      	at org.forgerock.json.resource.Filters$ConditionalFilter.filterCreate(Filters.java:54)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:63)
      	at org.forgerock.openidm.servlet.internal.ServletConnectionFactory$3.lambda$filterCreate$1(ServletConnectionFactory.java:395)
      	at org.forgerock.openidm.servlet.internal.ServletConnectionFactory$3.handleRequestWithLogging(ServletConnectionFactory.java:446)
      	at org.forgerock.openidm.servlet.internal.ServletConnectionFactory$3.filterCreate(ServletConnectionFactory.java:395)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:63)
      	at org.forgerock.openidm.filter.PassthroughFilter.filterCreate(PassthroughFilter.java:48)
      	at org.forgerock.openidm.filter.MutableFilterDecorator.filterCreate(MutableFilterDecorator.java:72)
      	at org.forgerock.openidm.filter.MutableFilterDecorator.filterCreate(MutableFilterDecorator.java:72)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:63)
      	at org.forgerock.json.resource.Filters$ConditionalFilter.filterCreate(Filters.java:54)
      	at org.forgerock.json.resource.FilterChain$Cursor.handleCreate(FilterChain.java:63)
      	at org.forgerock.json.resource.FilterChain.handleCreate(FilterChain.java:228)
      	at org.forgerock.json.resource.InternalConnection.createAsync(InternalConnection.java:40)
      	at org.forgerock.json.resource.AbstractAsynchronousConnection.create(AbstractAsynchronousConnection.java:42)
      	at org.forgerock.json.resource.AbstractConnectionWrapper.create(AbstractConnectionWrapper.java:92)
      	at org.forgerock.openidm.servlet.internal.ServletConnectionFactory$InternalConnectionWrapper.create(ServletConnectionFactory.java:272)
      	at org.forgerock.openidm.script.impl.ScriptRegistryService.auditScheduledService(ScriptRegistryService.java:718)
      	at org.forgerock.openidm.quartz.impl.SchedulerServiceJob.execute(SchedulerServiceJob.java:136)
      	at org.quartz.core.JobRunShell.run(JobRunShell.java:223)
      	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:549)
      Caused by: org.mozilla.javascript.EcmaError: TypeError: Cannot read property "external" from null (CF38C6AE6198ACFBEA56802A499614AE678A81CA#1)
      	at org.mozilla.javascript.ScriptRuntime.constructError(ScriptRuntime.java:3687)
      	at org.mozilla.javascript.ScriptRuntime.constructError(ScriptRuntime.java:3665)
      	at org.mozilla.javascript.ScriptRuntime.typeError(ScriptRuntime.java:3693)
      	at org.mozilla.javascript.ScriptRuntime.typeError2(ScriptRuntime.java:3712)
      	at org.mozilla.javascript.ScriptRuntime.undefReadError(ScriptRuntime.java:3725)
      	at org.mozilla.javascript.ScriptRuntime.getObjectProp(ScriptRuntime.java:1483)
      	at org.mozilla.javascript.gen.CF38C6AE6198ACFBEA56802A499614AE678A81CA_47._c_script_0(CF38C6AE6198ACFBEA56802A499614AE678A81CA:1)
      	at org.mozilla.javascript.gen.CF38C6AE6198ACFBEA56802A499614AE678A81CA_47.call(CF38C6AE6198ACFBEA56802A499614AE678A81CA)
      	at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394)
      	at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091)
      	at org.mozilla.javascript.gen.CF38C6AE6198ACFBEA56802A499614AE678A81CA_47.call(CF38C6AE6198ACFBEA56802A499614AE678A81CA)
      	at org.mozilla.javascript.gen.CF38C6AE6198ACFBEA56802A499614AE678A81CA_47.exec(CF38C6AE6198ACFBEA56802A499614AE678A81CA)
      	at org.forgerock.openidm.script.javascript.RhinoScript.eval(RhinoScript.java:285)
      	... 31 more
      
      Mar 03, 2018 9:28:04 AM org.forgerock.openidm.util.LogUtil logAtLevel
      INFO: Scheduled service "scheduler-service-group.managed-role-employee-temporalConstraint-0-start" invoke completed successfully.
      Mar 03, 2018 9:28:04 AM org.forgerock.openidm.quartz.impl.RepoJobStore getTriggersForJob
      INFO: Could not find Trigger for jobName managed-role-employee-temporalConstraint-0-start in group scheduler-service-group in getTriggersForJob
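
The check that steps 5 and 6 perform by hand, as an added example (not part of the original report, the PyForge test, or OpenIDM's code): it derives the expected "ou" from the role's temporal constraint and compares it with the LDAP query result. The function names, the trimmed payloads and the "active if any interval contains the time, end exclusive" rule are assumptions of this example.

```python
import json
from datetime import datetime

# Payloads from steps 2, 3 and 5 of the report, trimmed to the relevant fields.
ASSIGNMENT = {"name": "ldap", "mapping": "managedUser_systemLdapAccounts",
              "attributes": [{"name": "ou", "value": ["forgerock"]}]}
ROLE = {"name": "role_employee", "temporalConstraints": [
    {"duration": "2018-03-03T09:24:49.725185/2018-03-23T09:24:44.726480"}]}
LDAP_RESPONSE = ('{"result":[{"dn":"uid=dblue,ou=People,dc=example,dc=com",'
                 '"uid":"dblue","ou":[]}],"resultCount":1}')

def parse_duration(duration):
    """Split the 'start/end' ISO 8601 interval used in temporalConstraints."""
    start, end = (datetime.fromisoformat(p) for p in duration.split("/"))
    if end <= start:
        raise ValueError("interval end must be after its start")
    return start, end

def role_active(role, now):
    """Assumed rule: no constraints means always active; otherwise the role is
    active while `now` falls inside any interval (end treated as exclusive)."""
    constraints = role.get("temporalConstraints") or []
    if not constraints:
        return True
    return any(s <= now < e
               for s, e in (parse_duration(c["duration"]) for c in constraints))

def expected_ou(role, assignment, now):
    """Values the assignment should have provisioned to the target at `now`."""
    if not role_active(role, now):
        return []
    return [v for a in assignment["attributes"] if a["name"] == "ou"
            for v in a["value"]]

def check_ldap_state(query_response, role, assignment, now):
    """Compare the account returned by the LDAP query with the expected state."""
    accounts = json.loads(query_response)["result"]
    if len(accounts) != 1:
        raise ValueError("expected exactly one account, got %d" % len(accounts))
    actual = sorted(accounts[0].get("ou", []))
    wanted = sorted(expected_ou(role, assignment, now))
    return {"ok": actual == wanted, "actual": actual, "expected": wanted}

if __name__ == "__main__":
    for label, when in (("before start", datetime(2018, 3, 3, 9, 24, 0)),
                        ("after start", datetime(2018, 3, 3, 9, 26, 0))):
        print(label, check_ldap_state(LDAP_RESPONSE, ROLE, ASSIGNMENT, when))
```

With the step 5 response, the check passes before the constraint starts and fails after it, which is the state the report describes once the scheduled start job has errored.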
      


              People

              • Assignee:
                mark.offutt Mark Offutt
                Reporter:
                mark.offutt Mark Offutt
                QA Assignee:
                Jakub Janoska