OpenIDM / OPENIDM-11795

IDM gets encrypted password and doesn't decrypt it

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 6.5.0
    • Fix Version/s: 6.5.0
    • Component/s: Module - Cryptography
    • Environment:
      OpenDJ: 6.5.0-SNAPSHOT (78c3927ccd3)
      OpenIDM: 6.5.0-SNAPSHOT (94fa1fa)
    • Story Points:
      3
    • Sprint:
      OpenIDM Sprint 6.5-10.1

      Description

      After OPENIDM-11433 was merged, we started to have issues with changing passwords. When changing the password, IDM gets the encrypted password; however, IDM does not decrypt it.

      To reproduce:

      1. Start OpenDJ and OpenIDM (set up as in the sync-with-ldap sample)
      2. Run recon with 'mapping=systemLdapAccounts_managedUser'
      3. Add a trigger action to 'managed.json > objects[0] > onRead':
                    "onRead": {
                        "type": "groovy",
                        "source": "if(object.testpwdAttr.size() > 0){object.put('testpwdAttr',openidm.decrypt(object.testpwdAttr))};object.put('samePassword', 'false');def pwd=openidm.decrypt(object.password); def pwd2=openidm.decrypt(object.password2);if(pwd.equals('žlutáDoga123')) {object.put('unicodePassword', 'true')}else{object.put('unicodePassword', 'false')};if(pwd.equals(pwd2)) {object.put('samePassword', 'true');}"
                    }
      4. Send a GET request with a queryId
        curl --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin" --request GET "http://localhost:8080/openidm/managed/user/?_queryId=query-all-ids" | jq
        
        {
          "result": [
            {
              "_id": "3dcd7e86-5710-4b31-9a22-1c31e1f780e8",
              "_rev": "00000000fe219db1"
            },
            {
              "_id": "150f9879-21d2-4220-9893-310d497b56d4",
              "_rev": "0000000007d910ab"
            }
          ],
          "resultCount": 2,
          "pagedResultsCookie": null,
          "totalPagedResultsPolicy": "NONE",
          "totalPagedResults": -1,
          "remainingPagedResults": -1
        }
        
      5. Send a GET request for the 'jdoe' user
        curl --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin" --request GET "http://localhost:8080/openidm/managed/user/150f9879-21d2-4220-9893-310d497b56d4" | jq
        
        {
          "_id": "150f9879-21d2-4220-9893-310d497b56d4",
          "_rev": "00000000dfe3957a",
          "displayName": "John Doe",
          "description": "Created for OpenIDM",
          "givenName": "John",
          "mail": "jdoe@example.com",
          "sn": "Doe",
          "telephoneNumber": "1-415-599-1100",
          "userName": "jdoe",
          "accountStatus": "active",
          "effectiveRoles": [],
          "effectiveAssignments": [],
          "samePassword": "true",
          "unicodePassword": "false"
        }
      6. Send a PATCH request that changes the password
        curl --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin" --header "Content-Type: application/json" --header "If-Match:*" --request PATCH "http://localhost:8080/openidm/managed/user/150f9879-21d2-4220-9893-310d497b56d4" --data '[{"operation":"replace", "field":"password", "value":""}]' | jq
        
        {
          "_id": "150f9879-21d2-4220-9893-310d497b56d4",
          "_rev": "0000000007d910ab",
          "displayName": "John Doe",
          "description": "Created for OpenIDM",
          "givenName": "John",
          "mail": "jdoe@example.com",
          "sn": "Doe",
          "telephoneNumber": "1-415-599-1100",
          "userName": "jdoe",
          "accountStatus": "active",
          "effectiveRoles": [],
          "effectiveAssignments": []
        }
      7. Send a GET request for the 'jdoe' user again
        curl --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin" --request GET "http://localhost:8080/openidm/managed/user/150f9879-21d2-4220-9893-310d497b56d4" | jq
        
        {
          "_id": "150f9879-21d2-4220-9893-310d497b56d4",
          "_rev": "0000000007d910ab",
          "displayName": "John Doe",
          "description": "Created for OpenIDM",
          "givenName": "John",
          "mail": "jdoe@example.com",
          "sn": "Doe",
          "telephoneNumber": "1-415-599-1100",
          "userName": "jdoe",
          "accountStatus": "active",
          "effectiveRoles": [],
          "effectiveAssignments": [],
          "samePassword": "false",
          "unicodePassword": "false"
        }
        
      8. Modify the password in LDAP
        ldappasswordmodify -h localhost -p 1636 -D "cn=Directory Manager" -w password --authzId "dn:uid=jdoe,ou=People,dc=example,dc=com" --newPassword "" --trustAll --useSSL --noPropertiesFile
        
        The LDAP password modify operation was successful
      9. Send a GET request for the 'jdoe' user again
        curl --header "X-OpenIDM-Username: openidm-admin" --header "X-OpenIDM-Password: openidm-admin" --request GET "http://localhost:8080/openidm/managed/user/150f9879-21d2-4220-9893-310d497b56d4" | jq
        
        {
          "_id": "150f9879-21d2-4220-9893-310d497b56d4",
          "_rev": "0000000007d910ab",
          "displayName": "John Doe",
          "description": "Created for OpenIDM",
          "givenName": "John",
          "mail": "jdoe@example.com",
          "sn": "Doe",
          "telephoneNumber": "1-415-599-1100",
          "userName": "jdoe",
          "accountStatus": "active",
          "effectiveRoles": [],
          "effectiveAssignments": [],
          "samePassword": "false",
          "unicodePassword": "false"
        }
        

      Actual result: The OpenIDM console and logs displayed "Resource exception: 500 Internal Server Error" warnings. The field "samePassword" was not "true".

      SEVERE: Unable to find key
      org.forgerock.secrets.NoSuchSecretException: No secret with id openidm-localhost for purpose decrypt
      	at org.forgerock.secrets.keystore.KeyStoreSecretStore.getNamed(KeyStoreSecretStore.java:274)...at java.lang.Thread.run(Thread.java:748)
      
      org.forgerock.openidm.servlet.internal.ServletConnectionFactory$3 lambda$handleRequestWithLogging$8
      WARNING: Resource exception: 500 Internal Server Error: "/password: org.forgerock.json.crypto.JsonCryptoException: Unable to find decryption key"
      org.forgerock.json.resource.InternalServerErrorException: /password: org.forgerock.json.crypto.JsonCryptoException: Unable to find decryption key
      	at org.forgerock.openidm.managed.ManagedObjectSet.decrypt(ManagedObjectSet.java:643)...at java.lang.Thread.run(Thread.java:748)
      
      Caused by: org.forgerock.json.JsonValueException: /password: org.forgerock.json.crypto.JsonCryptoException: Unable to find decryption key
      	at org.forgerock.json.crypto.JsonDecryptFunction.traverseMap(JsonDecryptFunction.java:48)
      	at org.forgerock.json.JsonValueTraverseFunction.traverse(JsonValueTraverseFunction.java:49)
      	at org.forgerock.json.JsonValueTraverseFunction.apply(JsonValueTraverseFunction.java:42)
      	at org.forgerock.json.JsonValueTraverseFunction.traverseMap(JsonValueTraverseFunction.java:79)
      	at org.forgerock.json.crypto.JsonDecryptFunction.traverseMap(JsonDecryptFunction.java:52)
      	at org.forgerock.json.JsonValueTraverseFunction.traverse(JsonValueTraverseFunction.java:49)
      	at org.forgerock.json.JsonValueTraverseFunction.apply(JsonValueTraverseFunction.java:42)
      	at org.forgerock.json.JsonValueTraverseFunction.apply(JsonValueTraverseFunction.java:25)
      	at org.forgerock.openidm.crypto.impl.CryptoServiceImpl.decrypt(CryptoServiceImpl.java:194)
      	at org.forgerock.openidm.managed.ManagedObjectSet.decrypt(ManagedObjectSet.java:641)
      	... 121 more
      Caused by: org.forgerock.json.crypto.JsonCryptoException: Unable to find decryption key
      	at org.forgerock.openidm.crypto.impl.CryptoServiceImpl.lambda$selectDecryptionKeyByAlias$1(CryptoServiceImpl.java:335)
      	at java.util.Optional.orElseThrow(Optional.java:290)
      	at org.forgerock.openidm.crypto.impl.CryptoServiceImpl.selectDecryptionKeyByAlias(CryptoServiceImpl.java:335)
      	at org.forgerock.json.crypto.simple.SimpleDecryptor.selectByKeyAlias(SimpleDecryptor.java:224)
      	at org.forgerock.json.crypto.simple.SimpleDecryptor.getTopLevelKey(SimpleDecryptor.java:192)
      	at org.forgerock.json.crypto.simple.SimpleDecryptor.getEmbeddedKey(SimpleDecryptor.java:156)
      	at org.forgerock.json.crypto.simple.SimpleDecryptor.decrypt(SimpleDecryptor.java:89)
      	at org.forgerock.json.crypto.JsonDecryptFunction.traverseMap(JsonDecryptFunction.java:42)
      	... 130 more

      Expected result: The OpenIDM console and logs should not contain warning and error messages. IDM should decrypt the password, or receive it already decrypted. The field "samePassword" should be "true".
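      The reproduction steps above can be driven and judged automatically. The Python script below is an added example for this page, not part of the ticket or of the IDM code base. It replays steps 5 to 9 against a local IDM using the header-based admin credentials, managed user id and LDAP DN that appear in the ticket's own commands (the host and port, the DJ tool being on PATH and the replacement password are assumptions), and it carries two offline checks a tester needs anyway: interpreting the 'samePassword' / 'unicodePassword' flags that the onRead trigger emits, and scanning openidm0.log for the two failure signatures quoted in the stack trace, so that a false 'samePassword' caused by a decrypt error is told apart from a genuine password mismatch. The trigger used in the ticket is a test oracle only: it decrypts stored passwords on every read and publishes whether they equal a known value, and must not be left in a production managed.json.

```python
"""Harness for the OPENIDM-11795 steps. Added example; not code from the ticket or IDM."""
import json
import re
import subprocess
import urllib.request
from typing import Dict, List, Optional, Tuple

IDM_URL = "http://localhost:8080/openidm"          # assumption: local IDM, as in the ticket's curl calls
IDM_USER = IDM_PASSWORD = "openidm-admin"           # from the ticket
USER_ID = "150f9879-21d2-4220-9893-310d497b56d4"    # jdoe's managed id, from the ticket
JDOE_DN = "uid=jdoe,ou=People,dc=example,dc=com"    # from the ticket's ldappasswordmodify call

# Failure signatures quoted verbatim in the ticket's log excerpt.
MISSING_SECRET = re.compile(r"NoSuchSecretException: No secret with id (\S+) for purpose (\w+)")
NO_DECRYPT_KEY = re.compile(r"JsonCryptoException: Unable to find decryption key")

# Constructed samples for offline use, copied from the responses and log lines in the ticket.
SAMPLE_READ_OK = {"_id": USER_ID, "_rev": "00000000dfe3957a", "userName": "jdoe",
                  "samePassword": "true", "unicodePassword": "false"}
SAMPLE_READ_NO_FLAGS = {"_id": USER_ID, "_rev": "0000000007d910ab", "userName": "jdoe"}
SAMPLE_LOG = """\
SEVERE: Unable to find key
org.forgerock.secrets.NoSuchSecretException: No secret with id openidm-localhost for purpose decrypt
INFO: reconciliation completed
WARNING: Resource exception: 500 Internal Server Error: "/password: org.forgerock.json.crypto.JsonCryptoException: Unable to find decryption key"
"""


def idm_request(method: str, path: str, body: Optional[object] = None,
                extra_headers: Optional[Dict[str, str]] = None) -> dict:
    """One REST call using IDM's X-OpenIDM-Username/Password header authentication."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(IDM_URL + path, data=data, method=method)
    req.add_header("X-OpenIDM-Username", IDM_USER)
    req.add_header("X-OpenIDM-Password", IDM_PASSWORD)
    if body is not None:
        req.add_header("Content-Type", "application/json")
    for name, value in (extra_headers or {}).items():
        req.add_header(name, value)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def password_patch(new_password: str) -> List[dict]:
    """The JSON Patch body from step 6: replace the managed user's password."""
    return [{"operation": "replace", "field": "password", "value": new_password}]


def evaluate_read(user: dict) -> Dict[str, object]:
    """Interpret the 'true'/'false' string flags the onRead trigger adds; None = trigger did not complete."""
    def flag(name: str) -> Optional[bool]:
        value = user.get(name)
        return None if value is None else str(value).lower() == "true"
    return {"rev": user.get("_rev"),
            "samePassword": flag("samePassword"),
            "unicodePassword": flag("unicodePassword")}


def find_decrypt_failures(log_text: str) -> List[str]:
    """Lines of openidm0.log that show the decrypt path failing, not the comparison."""
    return [line.strip() for line in log_text.splitlines()
            if MISSING_SECRET.search(line) or NO_DECRYPT_KEY.search(line)]


def missing_secret(log_text: str) -> Optional[Tuple[str, str]]:
    """(key alias, purpose) that the secret store could not resolve, if logged."""
    match = MISSING_SECRET.search(log_text)
    return (match.group(1), match.group(2)) if match else None


def ldap_password_modify(dn: str, new_password: str) -> None:
    """Step 8, run the same way the ticket does (assumes the DJ tool is on PATH)."""
    subprocess.run(["ldappasswordmodify", "-h", "localhost", "-p", "1636",
                    "-D", "cn=Directory Manager", "-w", "password",
                    "--authzId", "dn:" + dn, "--newPassword", new_password,
                    "--trustAll", "--useSSL", "--noPropertiesFile"], check=True)


def run_reproduction(new_password: str) -> Dict[str, object]:
    """Steps 5 to 9: read, PATCH through IDM, re-read, change in DJ, re-read."""
    user_path = "/managed/user/" + USER_ID
    before = evaluate_read(idm_request("GET", user_path))
    idm_request("PATCH", user_path, password_patch(new_password), {"If-Match": "*"})
    after_patch = evaluate_read(idm_request("GET", user_path))
    ldap_password_modify(JDOE_DN, new_password)
    after_ldap = evaluate_read(idm_request("GET", user_path))
    # Expected result in the ticket: with both stores holding the same password,
    # the trigger must report samePassword == true on the final read.
    return {"before": before, "after_patch": after_patch, "after_ldap": after_ldap,
            "bug_reproduced": after_ldap["samePassword"] is not True}


if __name__ == "__main__":
    print(json.dumps(run_reproduction("Passw0rd!"), indent=2))  # the new password is an assumption
```

      The log check pulls the key alias and purpose out of the NoSuchSecretException message; for this class of failure that pair is the datum to act on, since it names which alias the stored ciphertext references and which purpose the secret store was queried for.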

        Attachments

        1. openidm0.log.0
          1.07 MB
        2. openidm0.log.1
          4 kB
        3. openidm0.log.3
          10 kB

              People

              • Assignee: Jason Lemay (jason)
              • Reporter: Miroslav Meca (miroslav.meca)
              • QA Assignee: Miroslav Meca
