OpenIDM: OPENIDM-11456

Skip password policy validation if password is hashed


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: OpenIDM 5.5.0, OpenIDM 6.0.0, 6.5.0.2
    • Fix Version/s: 7.0.0, 6.5.1.0
    • Component/s: None
    • Story Points:
      0.5
    • Sprint:
      2020.06 - IDM, 2020.07 - IDM

      Description

      Given a mapping from external resource -> managed user.

      Although the mapping does not include "password", all attributes in the managed user object are read in, including the password... and then written out.
      If the password is hashed, it cannot be decrypted, and the policy validation fails because the password's valid type is supposed to be "string", but the undecrypted password is an object:

      WARNING: Failed to update target object
      org.forgerock.json.resource.ForbiddenException: Policy validation failed
      ...
      Caused by: org.forgerock.openidm.script.exception.ScriptThrownException: [object Object] {code=403, detail={result=false, failedPolicyRequirements=[{policyRequirements=[{params={invalidType=object, validTypes=[string, null]}, policyRequirement=VALID_TYPE}], property=password}]}, message=Policy validation failed}


      Such problems could be avoided if we skipped policy validation for hashed passwords:


      *** policy.js    2018-08-06 16:53:25.000000000 +1000
      --- policy.js.new    2018-08-06 16:52:39.000000000 +1000
      ***************
      *** 652,657 ****
      --- 652,658 ----
                                if (openidm.isEncrypted(propValueContainer[j])) {
                                    propValueContainer[j] = openidm.decrypt(propValueContainer[j]);
                                }
      +                        if (!openidm.isHashed(propValueContainer[j])) {
                                    failed = validationFunc.call({ "failedPolicyRequirements": policyRequirements, "allPolicyRequirements": allPolicyRequirements }, fullObject, propValueContainer[j], params, propName);
                                    if (failed.length > 0) {
                                      retObj.property = propName.replace(/\[\*\]$/, "["+j+"]");
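Review bot: the new `if (!openidm.isHashed(propValueContainer[j]))` guards the whole `validationFunc.call(...)`, so every policy configured on the property is skipped for a hashed value, not only VALID_TYPE; if a caller can supply an already-hashed value on create or patch, that value bypasses length, complexity and reuse checks entirely. If the intent is only to stop the sync path from re-validating a value that was validated when it was first stored, consider limiting the skip to that path (or to policies that need the plaintext) and documenting the exemption. Also, this hunk opens the block but its closing brace is not in it, and the added `if` sits one indent level shallower than the `failed = validationFunc.call(...)` line it now encloses; re-indent the enclosed lines where the brace is added.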
      ***************
      *** 664,669 ****
      --- 665,671 ----
      
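As an added example, not part of this report and not OpenIDM's own policy.js: the script below models the per-property validation loop described in the report in JavaScript (Node), with stand-ins for openidm.isEncrypted / isHashed / decrypt and two policies shaped like the VALID_TYPE failure in the log. The `$crypto` objects are constructed for the example and only loosely follow IDM's crypto JSON; `openidmStub`, `validateObject`, `demo` and the policy function names are assumptions, not project APIs.

```javascript
// Added example (not OpenIDM code): a small model of the per-property validation
// loop in policy.js, showing why a hashed password fails VALID_TYPE and what an
// isHashed() skip does. openidmStub stands in for the openidm object; the $crypto
// shapes below are constructed for the example.

const openidmStub = {
  isEncrypted: (v) => !!v && typeof v === "object" && !!v.$crypto && v.$crypto.type === "x-simple-encryption",
  isHashed: (v) => !!v && typeof v === "object" && !!v.$crypto && v.$crypto.type === "salted-hash",
  // Stand-in for openidm.decrypt: the example's "ciphertext" is just the plaintext in .data.
  decrypt: (v) => v.$crypto.value.data,
};

// VALID_TYPE policy: the value's JS type must be one of params.validTypes.
function validType(fullObject, value, params, propName) {
  const type = value === null ? "null" : typeof value;
  if (params.validTypes.indexOf(type) === -1) {
    return [{ policyRequirement: "VALID_TYPE", params: { invalidType: type, validTypes: params.validTypes } }];
  }
  return [];
}

// MIN_LENGTH policy: strings shorter than params.minLength fail.
function minLength(fullObject, value, params, propName) {
  if (typeof value === "string" && value.length < params.minLength) {
    return [{ policyRequirement: "MIN_LENGTH", params: { minLength: params.minLength } }];
  }
  return [];
}

const POLICIES = { "valid-type": validType, "minimum-length": minLength };

// Model of the loop in policy.js: decrypt reversible values, optionally skip hashed
// ones (the proposed change), otherwise run every configured policy and collect
// failures per property in the same shape as the 403 response in the report.
function validateObject(fullObject, propertyPolicies, skipHashed) {
  const failedPolicyRequirements = [];
  propertyPolicies.forEach((pp) => {
    let value = fullObject[pp.name];
    if (openidmStub.isEncrypted(value)) value = openidmStub.decrypt(value);
    if (skipHashed && openidmStub.isHashed(value)) return; // nothing is checked for hashed values
    const policyRequirements = [];
    pp.policies.forEach((p) => {
      policyRequirements.push(...POLICIES[p.policyId](fullObject, value, p.params || {}, pp.name));
    });
    if (policyRequirements.length > 0) {
      failedPolicyRequirements.push({ policyRequirements, property: pp.name });
    }
  });
  return { result: failedPolicyRequirements.length === 0, failedPolicyRequirements };
}

const PASSWORD_POLICIES = [{
  name: "password",
  policies: [
    { policyId: "valid-type", params: { validTypes: ["string", "null"] } },
    { policyId: "minimum-length", params: { minLength: 8 } },
  ],
}];

// Constructed managed user whose password is stored hashed (not reversible).
const hashedUser = {
  userName: "wlum",
  password: { $crypto: { type: "salted-hash", value: { algorithm: "SHA-256", data: "c2FsdGVkLWhhc2gtYnl0ZXM=" } } },
};
// Constructed user whose password is only encrypted (reversible), so it can be validated.
const encryptedUser = {
  userName: "wlum",
  password: { $crypto: { type: "x-simple-encryption", value: { data: "short" } } },
};

function demo() {
  return {
    hashedWithoutSkip: validateObject(hashedUser, PASSWORD_POLICIES, false),
    hashedWithSkip: validateObject(hashedUser, PASSWORD_POLICIES, true),
    encryptedWithSkip: validateObject(encryptedUser, PASSWORD_POLICIES, true),
  };
}

module.exports = { openidmStub, validateObject, PASSWORD_POLICIES, hashedUser, encryptedUser, demo };
```

`demo()` shows the three cases: the hashed password fails VALID_TYPE with invalidType "object", exactly as in the 403 above; with the hashed skip it passes untouched; an encrypted value is still decrypted and validated, so a short plaintext still trips MIN_LENGTH. The second case is the one to keep in mind when adopting the patch: a value that arrives already hashed is not checked against any policy.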

       


              People

              Assignee:
              cgdrake Chris Drake
              Reporter:
              wei-yee.lum Wei-Yee Lum
              QA Assignee:
              Ladislav Folta Ladislav Folta
              Votes:
              0
              Watchers:
              6
