
Backport OPENIDM-7315: Requests on relationship endpoints should not double-log managed object

    Details

      Description

      If a request is made against a relationship endpoint, the "owning" object may get logged twice.

      1. Configure auditing so that queries and reads are not filtered out, by adding `query` and `read` to the activity filter actions in the audit configuration:

              "activity" : {
                  "filter" : {
                      "actions" : [
                          "read",
                          "query",
                          "create",
                          "update",
                          "delete",
                          "patch",
                          "action"
                      ]
                  },
      

      2. Create the first user (boss):

      curl --header "If-None-Match: *" --header "Content-Type: application/json" --header "X-OpenIDM-Password: openidm-admin" --header "X-OpenIDM-Username: openidm-admin" --data '{"userName": "theBoss", "telephoneNumber": "6669876987", "givenName": "rick", "description": "Just another user", "sn": "sutter", "mail": "rick@example.com", "password": "Th3Password"}' --request PUT "http://localhost:8080/openidm/managed/user/boss"
      
      {"_id":"boss","_rev":"1","userName":"theBoss","telephoneNumber":"6669876987","givenName":"rick","description":"Just another user","sn":"sutter","mail":"rick@example.com","accountStatus":"active","effectiveRoles":[],"effectiveAssignments":[]}
      

      3. Create a second user (developer) with the first user as its manager:

      curl --header "If-None-Match: *" --header "Content-Type: application/json" --header "X-OpenIDM-Password: openidm-admin" --header "X-OpenIDM-Username: openidm-admin" --data '{"userName": "theDeveloper", "telephoneNumber": "6669876987", "givenName": "rick", "description": "Just another user", "manager": {"_ref": "managed/user/boss"}, "sn": "sutter", "mail": "rick@example.com", "password": "Th3Password"}' --request PUT "http://localhost:8080/openidm/managed/user/developer"
      
      {"_id":"developer","_rev":"1","userName":"theDeveloper","telephoneNumber":"6669876987","givenName":"rick","description":"Just another user","sn":"sutter","mail":"rick@example.com","accountStatus":"active","effectiveRoles":[],"effectiveAssignments":[]}
      

      4. Query the boss's reports through the relationship endpoint:

      curl --header "X-OpenIDM-Password: openidm-admin" --header "X-OpenIDM-Username: openidm-admin"  --request GET "http://localhost:8080/openidm/managed/user/boss/reports?_queryFilter=true&_fields=*,*_ref" | jq .
      
      {
        "result": [
          {
            "_id": "developer",
            "_rev": "1",
            "_ref": "managed/user/developer",
            "_refProperties": {
              "_id": "e3f473da-4277-4130-92ea-c5adb670e706",
              "_rev": "1"
            },
            "userName": "theDeveloper",
            "telephoneNumber": "6669876987",
            "givenName": "rick",
            "description": "Just another user",
            "sn": "sutter",
            "mail": "rick@example.com",
            "accountStatus": "active",
            "effectiveRoles": [],
            "effectiveAssignments": [],
            "reports": [],
            "manager": {
              "_ref": "managed/user/boss",
              "_refProperties": {
                "_id": "e3f473da-4277-4130-92ea-c5adb670e706",
                "_rev": "1"
              }
            },
            "roles": [],
            "authzRoles": [
              {
                "_ref": "repo/internal/role/openidm-authorized",
                "_refProperties": {
                  "_id": "4aea96b0-bd22-4685-962b-2b39579a5358",
                  "_rev": "1"
                }
              }
            ]
          }
        ],
        "resultCount": 1,
        "pagedResultsCookie": null,
        "totalPagedResultsPolicy": "NONE",
        "totalPagedResults": -1,
        "remainingPagedResults": -1
      }
      

      Observe the activity audit log (the request was issued twice here, so two sets of entries appear; each request produces the four entries described below):

      {
        "transactionId": "aba1654f-4a49-4353-b6e9-1306756915bd-441",
        "timestamp": "2016-12-14T23:49:28.217Z",
        "eventName": "activity",
        "userId": "openidm-admin",
        "runAs": "openidm-admin",
        "operation": "QUERY",
        "before": null,
        "after": [],
        "changedFields": [],
        "revision": null,
        "message": "query: credential-query, parameters: {username=openidm-admin}",
        "objectId": "credential-query",
        "passwordChanged": false,
        "status": "SUCCESS",
        "_id": "aba1654f-4a49-4353-b6e9-1306756915bd-442"
      }
      {
        "transactionId": "aba1654f-4a49-4353-b6e9-1306756915bd-438",
        "timestamp": "2016-12-14T23:49:28.244Z",
        "eventName": "activity",
        "userId": "openidm-admin",
        "runAs": "openidm-admin",
        "operation": "READ",
        "before": null,
        "after": {
          "userName": "theDeveloper",
          "telephoneNumber": "6669876987",
          "givenName": "rick",
          "description": "Just another user",
          "sn": "sutter",
          "mail": "rick@example.com",
          "password": {
            "$crypto": {
              "type": "x-simple-encryption",
              "value": {
                "cipher": "AES/CBC/PKCS5Padding",
                "salt": "Jk+Ny6hY99NUqETBAiAtZA==",
                "data": "FlYh4dyUiotqh9SOt/axUQ==",
                "iv": "GONmI8jrsMt+O2+s2lvrVA==",
                "key": "openidm-sym-default",
                "mac": "ezxuOiOSfDrGJ99kQtTdeA=="
              }
            }
          },
          "accountStatus": "active",
          "effectiveRoles": [],
          "effectiveAssignments": [],
          "_id": "developer",
          "_rev": "1",
          "reports": [],
          "manager": {
            "_ref": "managed/user/boss",
            "_refProperties": {
              "_id": "e3f473da-4277-4130-92ea-c5adb670e706",
              "_rev": "1"
            }
          },
          "roles": [],
          "authzRoles": [
            {
              "_ref": "repo/internal/role/openidm-authorized",
              "_refProperties": {
                "_id": "4aea96b0-bd22-4685-962b-2b39579a5358",
                "_rev": "1"
              }
            }
          ]
        },
        "changedFields": [],
        "revision": "1",
        "message": "read",
        "objectId": "managed/user/developer",
        "passwordChanged": true,
        "status": "SUCCESS",
        "_id": "aba1654f-4a49-4353-b6e9-1306756915bd-448"
      }
      {
        "transactionId": "aba1654f-4a49-4353-b6e9-1306756915bd-438",
        "timestamp": "2016-12-14T23:49:28.263Z",
        "eventName": "activity",
        "userId": "openidm-admin",
        "runAs": "openidm-admin",
        "operation": "READ",
        "before": null,
        "after": {
          "userName": "theBoss",
          "telephoneNumber": "6669876987",
          "givenName": "rick",
          "description": "Just another user",
          "sn": "sutter",
          "mail": "rick@example.com",
          "password": {
            "$crypto": {
              "type": "x-simple-encryption",
              "value": {
                "cipher": "AES/CBC/PKCS5Padding",
                "salt": "gzDCWY5fFpi9epf0u3Homg==",
                "data": "EIQm0JFxseg4Nfd7qCqaXA==",
                "iv": "9qh0Ny1atepejMAAaGjLAA==",
                "key": "openidm-sym-default",
                "mac": "xyZVF9zYWHA7afC2X7HcxQ=="
              }
            }
          },
          "accountStatus": "active",
          "effectiveRoles": [],
          "effectiveAssignments": [],
          "_id": "boss",
          "_rev": "1",
          "reports": [
            {
              "_ref": "managed/user/developer",
              "_refProperties": {
                "_id": "e3f473da-4277-4130-92ea-c5adb670e706",
                "_rev": "1"
              }
            }
          ]
        },
        "changedFields": [],
        "revision": "1",
        "message": "read",
        "objectId": "managed/user/boss",
        "passwordChanged": true,
        "status": "SUCCESS",
        "_id": "aba1654f-4a49-4353-b6e9-1306756915bd-450"
      }
      {
        "transactionId": "aba1654f-4a49-4353-b6e9-1306756915bd-438",
        "timestamp": "2016-12-14T23:49:28.267Z",
        "eventName": "activity",
        "userId": "openidm-admin",
        "runAs": "openidm-admin",
        "operation": "QUERY",
        "before": null,
        "after": {
          "reports": [
            {
              "_ref": "managed/user/developer",
              "_refProperties": {
                "_id": "e3f473da-4277-4130-92ea-c5adb670e706",
                "_rev": "1"
              }
            }
          ],
          "userName": "theBoss",
          "telephoneNumber": "6669876987",
          "givenName": "rick",
          "description": "Just another user",
          "sn": "sutter",
          "mail": "rick@example.com",
          "accountStatus": "active",
          "effectiveRoles": [],
          "effectiveAssignments": [],
          "_id": "boss",
          "_rev": "1"
        },
        "changedFields": [],
        "revision": "1",
        "message": "query",
        "objectId": "managed/user/boss",
        "passwordChanged": false,
        "status": "SUCCESS",
        "_id": "aba1654f-4a49-4353-b6e9-1306756915bd-452"
      }
      {
        "transactionId": "aba1654f-4a49-4353-b6e9-1306756915bd-458",
        "timestamp": "2016-12-14T23:49:28.824Z",
        "eventName": "activity",
        "userId": "openidm-admin",
        "runAs": "openidm-admin",
        "operation": "QUERY",
        "before": null,
        "after": [],
        "changedFields": [],
        "revision": null,
        "message": "query: credential-query, parameters: {username=openidm-admin}",
        "objectId": "credential-query",
        "passwordChanged": false,
        "status": "SUCCESS",
        "_id": "aba1654f-4a49-4353-b6e9-1306756915bd-459"
      }
      {
        "transactionId": "aba1654f-4a49-4353-b6e9-1306756915bd-455",
        "timestamp": "2016-12-14T23:49:28.857Z",
        "eventName": "activity",
        "userId": "openidm-admin",
        "runAs": "openidm-admin",
        "operation": "READ",
        "before": null,
        "after": {
          "userName": "theDeveloper",
          "telephoneNumber": "6669876987",
          "givenName": "rick",
          "description": "Just another user",
          "sn": "sutter",
          "mail": "rick@example.com",
          "password": {
            "$crypto": {
              "type": "x-simple-encryption",
              "value": {
                "cipher": "AES/CBC/PKCS5Padding",
                "salt": "Jk+Ny6hY99NUqETBAiAtZA==",
                "data": "FlYh4dyUiotqh9SOt/axUQ==",
                "iv": "GONmI8jrsMt+O2+s2lvrVA==",
                "key": "openidm-sym-default",
                "mac": "ezxuOiOSfDrGJ99kQtTdeA=="
              }
            }
          },
          "accountStatus": "active",
          "effectiveRoles": [],
          "effectiveAssignments": [],
          "_id": "developer",
          "_rev": "1",
          "reports": [],
          "manager": {
            "_ref": "managed/user/boss",
            "_refProperties": {
              "_id": "e3f473da-4277-4130-92ea-c5adb670e706",
              "_rev": "1"
            }
          },
          "roles": [],
          "authzRoles": [
            {
              "_ref": "repo/internal/role/openidm-authorized",
              "_refProperties": {
                "_id": "4aea96b0-bd22-4685-962b-2b39579a5358",
                "_rev": "1"
              }
            }
          ]
        },
        "changedFields": [],
        "revision": "1",
        "message": "read",
        "objectId": "managed/user/developer",
        "passwordChanged": true,
        "status": "SUCCESS",
        "_id": "aba1654f-4a49-4353-b6e9-1306756915bd-465"
      }
      {
        "transactionId": "aba1654f-4a49-4353-b6e9-1306756915bd-455",
        "timestamp": "2016-12-14T23:49:28.882Z",
        "eventName": "activity",
        "userId": "openidm-admin",
        "runAs": "openidm-admin",
        "operation": "READ",
        "before": null,
        "after": {
          "userName": "theBoss",
          "telephoneNumber": "6669876987",
          "givenName": "rick",
          "description": "Just another user",
          "sn": "sutter",
          "mail": "rick@example.com",
          "password": {
            "$crypto": {
              "type": "x-simple-encryption",
              "value": {
                "cipher": "AES/CBC/PKCS5Padding",
                "salt": "gzDCWY5fFpi9epf0u3Homg==",
                "data": "EIQm0JFxseg4Nfd7qCqaXA==",
                "iv": "9qh0Ny1atepejMAAaGjLAA==",
                "key": "openidm-sym-default",
                "mac": "xyZVF9zYWHA7afC2X7HcxQ=="
              }
            }
          },
          "accountStatus": "active",
          "effectiveRoles": [],
          "effectiveAssignments": [],
          "_id": "boss",
          "_rev": "1",
          "reports": [
            {
              "_ref": "managed/user/developer",
              "_refProperties": {
                "_id": "e3f473da-4277-4130-92ea-c5adb670e706",
                "_rev": "1"
              }
            }
          ]
        },
        "changedFields": [],
        "revision": "1",
        "message": "read",
        "objectId": "managed/user/boss",
        "passwordChanged": true,
        "status": "SUCCESS",
        "_id": "aba1654f-4a49-4353-b6e9-1306756915bd-467"
      }
      {
        "transactionId": "aba1654f-4a49-4353-b6e9-1306756915bd-455",
        "timestamp": "2016-12-14T23:49:28.885Z",
        "eventName": "activity",
        "userId": "openidm-admin",
        "runAs": "openidm-admin",
        "operation": "QUERY",
        "before": null,
        "after": {
          "reports": [
            {
              "_ref": "managed/user/developer",
              "_refProperties": {
                "_id": "e3f473da-4277-4130-92ea-c5adb670e706",
                "_rev": "1"
              }
            }
          ],
          "userName": "theBoss",
          "telephoneNumber": "6669876987",
          "givenName": "rick",
          "description": "Just another user",
          "sn": "sutter",
          "mail": "rick@example.com",
          "accountStatus": "active",
          "effectiveRoles": [],
          "effectiveAssignments": [],
          "_id": "boss",
          "_rev": "1"
        },
        "changedFields": [],
        "revision": "1",
        "message": "query",
        "objectId": "managed/user/boss",
        "passwordChanged": false,
        "status": "SUCCESS",
        "_id": "aba1654f-4a49-4353-b6e9-1306756915bd-469"
      }
      

      Each request produces four activity audit log entries:
      1. one credential-query (from the authentication process)
      2. managed/user/developer (read as one of the boss's reports)
      3. managed/user/boss (read as part of ManagedObjectSet#read)
      4. managed/user/boss (logged from CollectionRelationshipProvider#queryCollection)

      The last two are the same object. CollectionRelationshipProvider#queryCollection reads the object (via getManagedObject) in order to log it. That is a router call to ManagedObjectSet#readInstance, which also logs the read, so the owning object is logged twice for a single request. The second entry is superfluous. It is also worth noting that the READ entries above carry the (encrypted) `password` value in `after` and report `passwordChanged: true` for a read-only operation, so the duplicate entry also duplicates that sensitive payload in the audit log.
