OpenIDM / OPENIDM-11456

Skip password policy validation if password is hashed

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: OpenIDM 5.5.0, OpenIDM 6.0.0, 6.5.0.2
    • Fix Version/s: 7.0.0
    • Component/s: None
    • Story Points: 0.5
    • Sprint: 2020.06 - IDM, 2020.07 - IDM

      Description

      Given a mapping from external resource -> managed user.

      Although the mapping does not include "password", all attributes in the managed user object are read in, including the password... and then written out.
      If the password is hashed, it cannot be decrypted, and the policy validation fails because the password valid type is supposed to be "string", but the undecrypted password is an object:

      WARNING: Failed to update target object
      org.forgerock.json.resource.ForbiddenException: Policy validation failed
      ...
      Caused by: org.forgerock.openidm.script.exception.ScriptThrownException: [object Object] {code=403, detail={result=false, failedPolicyRequirements=[{policyRequirements=[{params={invalidType=object, validTypes=[string, null]}, policyRequirement=VALID_TYPE}], property=password}]}, message=Policy validation failed}


      Such problems could be avoided if we skipped policy validation for hashed passwords:


      *** policy.js    2018-08-06 16:53:25.000000000 +1000
      --- policy.js.new    2018-08-06 16:52:39.000000000 +1000
      ***************
      *** 652,657 ****
      --- 652,658 ----
                                if (openidm.isEncrypted(propValueContainer[j])) {
                                    propValueContainer[j] = openidm.decrypt(propValueContainer[j]);
                                }
      +                        if (!openidm.isHashed(propValueContainer[j])) {
                                    failed = validationFunc.call({ "failedPolicyRequirements": policyRequirements, "allPolicyRequirements": allPolicyRequirements }, fullObject, propValueContainer[j], params, propName);
                                    if (failed.length > 0) {
                                      retObj.property = propName.replace(/\[\*\]$/, "["+j+"]");
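Review bot: the `if (!openidm.isHashed(propValueContainer[j]))` guard inserted at old line 655 bypasses every policy attached to the property, not just the VALID_TYPE check the description names, so a hashed value on any property with policies configured passes with no validation at all; scope the bypass to the policies that genuinely need the plaintext (for example have the VALID_TYPE policy accept a hashed object for a property that is declared hashed in the managed object schema) rather than short-circuiting `validationFunc.call(...)` outright. Note also that the new `if` opens a block whose closing brace is not in this hunk; it has to arrive in the 664,669 hunk below, which is shown here without a body.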
      ***************
      *** 664,669 ****
      --- 665,671 ----
      
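Review bot: this hunk has a header (`*** 664,669 ****` / `--- 665,671 ----`, one line added) but no body, so the closing brace for the `if` opened in the first hunk cannot be verified and the patch as posted will not apply; please attach the complete `diff -u` of policy.js.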

       

         People

         • Assignee: Chris Drake (cgdrake)
         • Reporter: Wei-Yee Lum (wei-yee.lum)
