OpenIDM issue OPENIDM-12591

authzMembers can have duplicate entries when added using openidm.create() in scripts

    Details

    • Story Points: 3
    • Sprint: 2019.10 - IDM

      Description

      When openidm.create() is used from a script to create a relationship between a managed user and the authzMembers of a managed role, the same user can be added more than once, so authzMembers ends up with duplicate entries. The same request made directly against the REST endpoint is rejected, so this is not possible there.


      To recreate:

      • Unzip IDM 6.0.0 or 6.5.0
      • Start IDM and create a Managed User and a Managed Role
      • Collect their _id values to substitute into the assign.js script below
      • Create assign.js within your ../openidm/script directory, including the substituted values from above:
      assign.js
      (function () {
        if (request.method === "create") {

          // Relationship payload pointing at the managed user to add to the role
          var jsonBody = {
            "_ref": "/managed/user/[Managed User _id Value]",
            "_refProperties": {
              "_grantType": "someGrantType"
            }
          };

          // Creates a new authzMembers relationship on the role on every call;
          // nothing here checks whether the user is already a member
          var result = openidm.create("managed/role/[Managed Role _id Value]/authzMembers", null, jsonBody);

          return {
            result: result
          };
        }
      })();

      • Add the associated endpoint configuration into the /conf directory:
      endpoint-assign.json
      {
         "file" : "script/assign.js",
         "type" : "javascript",
         "_id" : "endpoint/assign"
      }
      
      • Call the endpoint twice:
      curl --request POST  --url http://localhost:8080/openidm/endpoint/assign  --header 'authorization: Basic b3BlbmlkbS1hZG1pbjpvcGVuaWRtLWFkbWlu' --header 'content-type: application/json'  --data '{"dummy": "dummy"}'
      
      • Read the managed role and check the authzMembers, e.g.
      GET http://localhost:8080/openidm/managed/role/d2a470de-8f60-4290-a0a1-569de46f8447?_fields=*,*_ref
      
      {
          "_id": "d2a470de-8f60-4290-a0a1-569de46f8447",
          "_rev": "0",
          "privileges": [],
          "name": "testRole",
          "description": "testRole",
          "assignments": [],
          "authzMembers": [
              {
                  "_ref": "managed/user/69f8a085-a054-494c-9000-edf4b9a1a810",
                  "_refResourceCollection": "managed/user",
                  "_refResourceId": "69f8a085-a054-494c-9000-edf4b9a1a810",
                  "_refProperties": {
                      "_id": "32505aae-b615-4eb7-9dbd-c05cf45f1630",
                      "_rev": "0",
                      "_grantType": "someGrantType"
                  }
              },
              {
                  "_ref": "managed/user/69f8a085-a054-494c-9000-edf4b9a1a810",
                  "_refResourceCollection": "managed/user",
                  "_refResourceId": "69f8a085-a054-494c-9000-edf4b9a1a810",
                  "_refProperties": {
                      "_id": "c2dccc48-50b5-423c-8ad2-324bbbb8e5e5",
                      "_rev": "0",
                      "_grantType": "someGrantType"
                  }
              }
          ],
          "members": []
      }
      

      If you attempt the same thing via the UI (that is, through the REST endpoint), the second request to add the same managed user to the authzMembers attribute returns the following error:

      {
        "code": 412,
        "reason": "Precondition Failed",
        "message": "Managed object 'managed/role/d2a470de-8f60-4290-a0a1-569de46f8447' has already been assigned relationship 'managed/user/69f8a085-a054-494c-9000-edf4b9a1a810'."
      }
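      The following is an added example, not part of this issue or of the OpenIDM project's code. It shows two things a practitioner would want while this bug is open: a detection helper that flags roles whose authzMembers already carry a duplicate _ref (run it over role documents shaped like the GET response above), and a guarded variant of the assign.js endpoint script that reads the role first and refuses to add a member that is already present, returning the same 412 shape the REST layer produces. The script API calls assumed are openidm.read(resourceName, params, fields) and openidm.create(resourceName, newResourceId, content); because the real openidm object is only available inside IDM, the example injects a constructed in-memory stand-in (makeFakeOpenidm) that deliberately reproduces the reported behaviour, so the whole thing runs offline.

```javascript
// Added example (not OpenIDM project code). Assumed script API:
//   openidm.read(resourceName, params, fields)
//   openidm.create(resourceName, newResourceId, content)
// "makeFakeOpenidm" is a constructed stand-in for offline testing; like the
// reported bug, its create() never rejects a duplicate _ref.

// Strip a leading slash so "/managed/user/x" and "managed/user/x" compare equal
// (the script in the issue sends the slashed form, the stored _ref has none).
function normalizeRef(ref) {
  return String(ref).replace(/^\/+/, "");
}

// Detection: return every _ref that occurs more than once in role.authzMembers.
function findDuplicateAuthzMembers(role) {
  var seen = {};
  var dupes = [];
  (role.authzMembers || []).forEach(function (member) {
    var ref = normalizeRef(member._ref);
    if (seen[ref]) {
      if (dupes.indexOf(ref) === -1) dupes.push(ref);
    } else {
      seen[ref] = true;
    }
  });
  return dupes;
}

// Guarded create: check the role's current members before calling create(),
// and answer a duplicate with the same 412 the REST endpoint returns.
function assignAuthzMember(idm, roleId, userRef, grantType) {
  var ref = normalizeRef(userRef);
  var role = idm.read("managed/role/" + roleId, null, ["*", "*_ref"]);
  var alreadyMember = (role.authzMembers || []).some(function (member) {
    return normalizeRef(member._ref) === ref;
  });
  if (alreadyMember) {
    return {
      code: 412,
      reason: "Precondition Failed",
      message: "Managed object 'managed/role/" + roleId +
        "' has already been assigned relationship '" + ref + "'."
    };
  }
  var result = idm.create("managed/role/" + roleId + "/authzMembers", null, {
    _ref: ref,
    _refProperties: { _grantType: grantType }
  });
  return { result: result };
}

// Constructed in-memory stand-in for the openidm script object: one role,
// and a create() with no duplicate check, matching the behaviour in the issue.
function makeFakeOpenidm() {
  var store = {
    "managed/role/role-1": { _id: "role-1", name: "testRole", authzMembers: [] }
  };
  var counter = 0;
  return {
    read: function (resourceName) {
      return JSON.parse(JSON.stringify(store[resourceName]));
    },
    create: function (resourceName, newResourceId, content) {
      var roleName = resourceName.replace(/\/authzMembers$/, "");
      var entry = {
        _ref: normalizeRef(content._ref),
        _refProperties: {
          _id: "rel-" + (++counter),          // constructed relationship id
          _grantType: content._refProperties._grantType
        }
      };
      store[roleName].authzMembers.push(entry); // bug reproduced: no duplicate check
      return entry;
    }
  };
}

// Stand-alone demonstration: guarded path stays clean, unguarded path duplicates.
function demo() {
  var idm = makeFakeOpenidm();
  var first = assignAuthzMember(idm, "role-1", "/managed/user/user-1", "someGrantType");
  var second = assignAuthzMember(idm, "role-1", "/managed/user/user-1", "someGrantType");
  // Unguarded create, as in the issue's assign.js, adds the user again.
  idm.create("managed/role/role-1/authzMembers", null,
    { _ref: "/managed/user/user-1", _refProperties: { _grantType: "someGrantType" } });
  return {
    firstOk: Boolean(first.result),
    secondCode: second.code,
    duplicates: findDuplicateAuthzMembers(idm.read("managed/role/role-1"))
  };
}

console.log(JSON.stringify(demo()));
```

      In a real endpoint script the duplicate case would normally be thrown (throw the error object) rather than returned, so IDM turns it into an HTTP 412; it is returned here so the outcome is a plain value. The read-then-create check is not atomic, so two concurrent calls can still race past it; it narrows the window but the underlying fix belongs in the relationship layer.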
      

      A .HAR file is attached demonstrating this behaviour.

      People

      • Assignee: jbranch Jon Branch
      • Reporter: tom.wood Tom Wood
      • Votes: 2
      • Watchers: 13
