
Delegated Admin failed privilege requirement

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 7.0.0
    • Fix Version/s: 7.0.0
    • Component/s: None
    • Labels: None

      Description

      Manual Reproduction:

      Start IDM with the out-of-the-box (OotB) configuration and create a user who will be granted some administrative privileges:

      curl --location --request PUT 'http://localhost:8080/openidm/managed/user/fuser?_fields=*,authzRoles' \
      --header 'X-OpenIDM-Username: openidm-admin' \
      --header 'X-OpenIDM-Password: openidm-admin' \
      --header 'Content-Type: application/json' \
      --header 'If-None-Match: *' \
      --data-raw '{"userName": "fuser", "password": "Passw0rd", "givenName": "Foe", "sn": "User", "mail": "fuser@fr.com", "telephoneNumber": "18005551212", "description": "A user who will be delegated some administrative privileges"}'

      Create a test internal role for the user, with a privilege on managed/user (CREATE and VIEW, all listed attributes writable) and a read-only privilege on internal/role:

      curl --location --request PUT 'http://localhost:8080/openidm/internal/role/user-admin-1-id' \
      --header 'X-OpenIDM-Username: openidm-admin' \
      --header 'X-OpenIDM-Password: openidm-admin' \
      --header 'Content-Type: application/json' \
      --data-raw '{
          "name": "user-admin-1",
          "description": "an internal role for delegated admin",
          "privileges": [
              {
                  "name": "managed-user-priv",
                  "description": "a test privilege",
                  "path": "managed/user",
                  "permissions": [
                      "CREATE",
                      "VIEW"
                  ],
                  "actions": [],
                  "accessFlags": [
                      {
                          "attribute": "userName",
                          "readOnly": false
                      },
                      {
                          "attribute": "password",
                          "readOnly": false
                      },
                      {
                          "attribute": "givenName",
                          "readOnly": false
                      },
                      {
                          "attribute": "sn",
                          "readOnly": false
                      },
                      {
                          "attribute": "mail",
                          "readOnly": false
                      },
                      {
                          "attribute": "description",
                          "readOnly": false
                      },
                      {
                          "attribute": "telephoneNumber",
                          "readOnly": false
                      },
                      {
                          "attribute": "city",
                          "readOnly": false
                      }
                  ]
              },
              {
                  "name": "internal_role_openidm_authorized",
                  "description": "a test privilege",
                  "path": "internal/role",
                  "permissions": [
                      "VIEW"
                  ],
                  "actions": [],
                  "accessFlags": [
                      {
                          "attribute": "name",
                          "readOnly": true
                      }
                  ],
                  "filter": "/_id eq '\''openidm-authorized'\''"
              }
          ]
      }'

      Grant the new role as an authzRole for the user:

      curl --location --request POST 'http://localhost:8080/openidm/managed/user/fuser/authzRoles?_action=create' \
      --header 'X-OpenIDM-Username: openidm-admin' \
      --header 'X-OpenIDM-Password: openidm-admin' \
      --header 'Content-Type: application/json' \
      --data-raw '{"_ref": "internal/role/user-admin-1-id"}'

      Finally, attempt to create a user using the delegated admin's (fuser's) credentials:

      curl --location --request PUT 'http://localhost:8080/openidm/managed/user/user2' \
      --header 'X-OpenIDM-Username: fuser' \
      --header 'X-OpenIDM-Password: Passw0rd' \
      --header 'Content-Type: application/json' \
      --header 'If-None-Match: *' \
      --data-raw '{"userName": "user2", "givenName": "Test", "sn": "User2", "mail": "user2@test.com", "telephoneNumber": "18005551212", "password": "Passw0rd", "city": "San Francisco", "description": "A user in San Francisco"}'

      The request is rejected with a 403 "No matching privileges found" response, and the failedPrivilegeRequirements list in the detail is empty:

      {
          "code": 403,
          "reason": "Forbidden",
          "message": "No matching privileges found",
          "detail": {
              "failedPrivilegeRequirements": []
          }
      }

      PyForge Command for reproduction:

      ./run-pybot.py -s delegated_admin \
      -t DA_can_create_managed_user_with_correct_privilege \
      openidm
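      Added example, not OpenIDM's own authorization code: a local model of the privilege fields used in the reproduction above (path, permissions, accessFlags), which reports why a request on a path with a given permission and payload would not be covered by a role. It assumes simplified rules (exact path match, permission listed, and for CREATE/UPDATE a writable accessFlag for every payload attribute); applied to the user-admin-1 role and the user2 payload it reports no failed requirements, which is the expectation the 403 above contradicts.

```python
# Added example, not OpenIDM's own authorization code: a local model of the
# privilege fields used in the reproduction (path, permissions, accessFlags).
# Assumed rules: exact path match, permission listed, and for CREATE/UPDATE a
# writable (readOnly=false) accessFlag for every attribute in the payload.

def access_flags(attrs, read_only=False):
    return [{"attribute": a, "readOnly": read_only} for a in attrs]

# Constructed from the internal role 'user-admin-1' created above.
USER_ADMIN_ROLE = {
    "name": "user-admin-1",
    "privileges": [
        {"name": "managed-user-priv", "path": "managed/user",
         "permissions": ["CREATE", "VIEW"],
         "accessFlags": access_flags(["userName", "password", "givenName", "sn",
                                      "mail", "description", "telephoneNumber",
                                      "city"])},
        {"name": "internal_role_openidm_authorized", "path": "internal/role",
         "permissions": ["VIEW"],
         "accessFlags": access_flags(["name"], read_only=True),
         "filter": "/_id eq 'openidm-authorized'"},
    ],
}

def failed_privilege_requirements(role, path, permission, payload):
    """Reasons no privilege in `role` covers the request ([] = allowed); the first
    privilege on the path granting the permission (and able to write every
    payload attribute, for writes) satisfies it."""
    reasons = []
    for priv in role.get("privileges", []):
        if priv.get("path") != path:
            continue  # privilege is for another resource path
        if permission not in priv.get("permissions", []):
            reasons.append(f"{priv['name']}: lacks {permission} on {path}")
            continue
        if permission in ("CREATE", "UPDATE"):
            writable = {f["attribute"] for f in priv.get("accessFlags", [])
                        if not f.get("readOnly")}
            missing = sorted(set(payload) - writable)
            if missing:
                reasons.append(f"{priv['name']}: attributes not writable: {missing}")
                continue
        return []  # this privilege fully covers the request
    return reasons or [f"no privilege for path {path}"]

# Constructed: the payload the delegated admin (fuser) sends for managed/user/user2.
USER2_PAYLOAD = {"userName": "user2", "givenName": "Test", "sn": "User2",
                 "mail": "user2@test.com", "telephoneNumber": "18005551212",
                 "password": "Passw0rd", "city": "San Francisco",
                 "description": "A user in San Francisco"}
```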

    People

    • Assignee: Chris Drake (cgdrake)
    • Reporter: Brayden Roth-White (brayden.roth-white)
    • QA Assignee: Brayden Roth-White
