- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: OpenIDM 5.5.0, OpenIDM 6.0.0, 6.5.0.2
- Component/s: None
- Labels:
Given a mapping from an external resource -> managed user.
Although the mapping does not include "password", all attributes of the managed user object are read in, including the password, and then written back out.
If the password is hashed, it cannot be decrypted, and policy validation fails: the VALID_TYPE policy for the password expects a "string", but the still-hashed password is an object:
WARNING: Failed to update target object org.forgerock.json.resource.ForbiddenException: Policy validation failed ... Caused by: org.forgerock.openidm.script.exception.ScriptThrownException: [object Object] {code=403, detail={result=false, failedPolicyRequirements=[{policyRequirements=[{params={invalidType=object, validTypes=[string, null]}, policyRequirement=VALID_TYPE}], property=password}]}, message=Policy validation failed}
Such problems could be avoided if we skipped policy validation for hashed passwords:
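As an added illustration of the failure above and of the proposed skip (this is example code, not OpenIDM's policy.js): a minimal VALID_TYPE check is run over a plain-text password and over a hashed one. The inner layout of the hashed value and the isHashed() stand-in for openidm.isHashed() are assumptions for this example.

```javascript
// Constructed samples: a plain password and a hashed one. OpenIDM stores a
// hashed value as an object, not a string; the exact inner layout is assumed.
const PLAIN_PASSWORD = "Passw0rd!";
const HASHED_PASSWORD = {
  $crypto: { type: "salted-hash", algorithm: "SHA-256", value: "base64-digest-placeholder" }
};

// Mimics the VALID_TYPE policy: the JSON type of the value must be in validTypes.
function validType(fullObject, value, params, propName) {
  const actualType = value === null ? "null" : typeof value;
  if (params.validTypes.indexOf(actualType) === -1) {
    return [{ policyRequirement: "VALID_TYPE",
              params: { invalidType: actualType, validTypes: params.validTypes } }];
  }
  return [];
}

// Stand-in for openidm.isHashed(): a $crypto object of hash type (assumed shape).
function isHashed(value) {
  return value !== null && typeof value === "object" &&
         value.$crypto !== undefined && value.$crypto.type === "salted-hash";
}

// Runs every policy for one property and tags failures with the property name.
// skipHashed reproduces the proposed fix: a hash cannot be validated against
// string policies, so it is left alone instead of failing VALID_TYPE.
function validateProperty(fullObject, propName, policies, skipHashed) {
  const value = fullObject[propName];
  if (skipHashed && isHashed(value)) {
    return [];
  }
  const failed = [];
  policies.forEach(function (policy) {
    policy.fn(fullObject, value, policy.params, propName).forEach(function (f) {
      failed.push({ policyRequirement: f.policyRequirement, params: f.params, property: propName });
    });
  });
  return failed;
}

// The policy set that produced the log message above: string or null only.
const PASSWORD_POLICIES = [{ fn: validType, params: { validTypes: ["string", "null"] } }];
```

Without the skip, the hashed value yields the same failedPolicyRequirements entry that appears in the warning (invalidType=object, property=password); with it, the hashed value passes through untouched.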
*** policy.js 2018-08-06 16:53:25.000000000 +1000 --- policy.js.new 2018-08-06 16:52:39.000000000 +1000 *************** *** 652,657 **** --- 652,658 ---- if (openidm.isEncrypted(propValueContainer[j])) { propValueContainer[j] = openidm.decrypt(propValueContainer[j]); } + if (!openidm.isHashed(propValueContainer[j])) { failed = validationFunc.call({ "failedPolicyRequirements": policyRequirements, "allPolicyRequirements": allPolicyRequirements }, fullObject, propValueContainer[j], params, propName); if (failed.length > 0) { retObj.property = propName.replace(/\[\*\]$/, "["+j+"]"); *************** *** 664,669 **** --- 665,671 ----
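Review bot: the closing brace for the new `if (!openidm.isHashed(propValueContainer[j])) {` guard is not visible in the quoted text, and the second hunk (`*** 664,669 **** --- 665,671 ----`) is cut off after its header, so the patch as pasted cannot be applied; please attach the complete diff. Note also that the guard skips every validator for a hashed value, not only VALID_TYPE, which is the intended effect here (a hash cannot be checked against length or complexity rules either) but deserves a one-line comment next to the new `if` so the bypass is not mistaken for a bug later.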
- relates to: OPENIDM-11455 Allow returnByDefault to be set for all attributes (Closed)