OPENIDM-4315 (project OpenIDM): Unable to run queries on managed/user using CLIENT_CERT module with openidm-admin role

      Description

      I have assigned the openidm-admin role to users authenticating via the CLIENT_CERT module. The users can query ids directly, like "managed/user/ricksutter". When I wanted to list all the users in the repo via "_queryId=query-all-ids" or "_queryFilter=True", the response was 403 in both cases.

      To reproduce:
      1) Use a vanilla installation of IDM.
      2) Make a copy of openidm/security/truststore.
      3) Import the attached certificate into the truststore.
      4) If OPENIDM-4255 is not resolved, apply the workaround from that JIRA.
      5) Update "defaultUserRoles" in authentication.json to contain the "openidm-admin" role.
      6) Create the ricksutter user in the managed repo:

      curl --header "If-None-Match: *" --header "Content-Type: application/json" --header "X-OpenIDM-Password: openidm-admin" --header "X-OpenIDM-Username: openidm-admin" --data '{"userName": "rsutter", "telephoneNumber": "6669876987", "givenName": "rick", "description": "Just another John Doe or Joe Smith",  "sn": "sutter", "mail": "rick@example.com", "password": "Th3Password"}' --request PUT "http://localhost:8080/openidm/managed/user/ricksutter"
      

      7) Query the ricksutter user directly:

      curl -k --cert-type PEM --key key.pem --key-type PEM --tlsv1 --cert cert.pem --request GET "https://localhost:8444/openidm/managed/user/ricksutter"
      

      8) Run:

      curl -k --cert-type PEM --key key.pem --key-type PEM --tlsv1 --cert cert.pem --request GET "https://localhost:8444/openidm/managed/user/?_queryFilter=True"
      
      {
        "message": "Access denied",
        "reason": "Forbidden",
        "code": 403
      }
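To compare steps 7 and 8 in one run, here is an added probe script (not part of the ticket or of OpenIDM) that fetches only the HTTP status of the direct read and of the two collection queries and reports whether the access decisions are consistent. It assumes cert.pem and key.pem from the attachments are in the current directory and that IDM listens on https://localhost:8444 with the CLIENT_CERT module enabled, as in the report.

```shell
#!/bin/sh
# Added probe for OPENIDM-4315; not from the ticket or the project.
# Assumptions: client cert/key files alongside the script, IDM base URL as
# in the report. Override via IDM_URL, CERT and KEY environment variables.
IDM_URL="${IDM_URL:-https://localhost:8444/openidm}"
CERT="${CERT:-cert.pem}"
KEY="${KEY:-key.pem}"

# Return only the HTTP status code of a GET on the given resource path,
# authenticating with the client certificate exactly as the report's curl does.
idm_status() {
    curl -k -s -o /dev/null -w '%{http_code}' \
        --cert-type PEM --cert "$CERT" --key-type PEM --key "$KEY" --tlsv1 \
        --request GET "$IDM_URL/$1"
}

# Classify a (direct read status, collection query status) pair. The report's
# symptom is the first branch: the instance read is allowed, the query denied.
classify() {
    direct="$1"; query="$2"
    if [ "$direct" = "200" ] && [ "$query" = "403" ]; then
        echo "inconsistent: instance read allowed, collection query denied"
    elif [ "$direct" = "200" ] && [ "$query" = "200" ]; then
        echo "consistent: both allowed"
    elif [ "$direct" = "403" ] && [ "$query" = "403" ]; then
        echo "consistent: both denied"
    else
        echo "other: direct=$direct query=$query"
    fi
}

run_probe() {
    direct=$(idm_status "managed/user/ricksutter")
    qfilter=$(idm_status "managed/user?_queryFilter=true")
    qids=$(idm_status "managed/user?_queryId=query-all-ids")
    echo "direct read          : $direct"
    echo "_queryFilter=true    : $qfilter -> $(classify "$direct" "$qfilter")"
    echo "_queryId=query-all-ids: $qids -> $(classify "$direct" "$qids")"
}

# Only contact the server when invoked with "run", so the file can be sourced.
if [ "${1:-}" = "run" ]; then
    run_probe
fi
```

Invoke as `sh probe.sh run`; a 200 on the direct read next to a 403 on either query line is the behaviour described in the ticket.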
      

        Attachments

        1. cert.pem (0.9 kB)
        2. key.pem (0.9 kB)

            People

            • Assignee: chad.kienle
            • Reporter: Ladislav Folta