[OPENAM-11432] Extra space in Policy's Resource Type will cause policy evaluation to fail Created: 24/Jul/17  Updated: 06/Sep/19  Resolved: 20/Nov/17

Status: Closed
Project: OpenAM
Component/s: policy editor, XUI
Affects Version/s: 13.5.0, 13.5.1, 14.0.0, 14.1.1, 14.5.0
Fix Version/s: 13.5.2, 6.0.0, 14.1.2, 5.5.2

Type: Bug Priority: Major
Reporter: Sam Phua Assignee: C-Weng C
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File Screen Shot 2017-07-24 at 3.34.09 PM.png    
Target Version/s:
Rank: 1|hztwcn:
Sprint: AM Sustaining Sprint 45
Story Points: 1
Needs backport:
No
Support Ticket IDs:
Verified Version/s:
Needs QA verification:
Yes
Functional tests:
No
Are the reproduction steps defined?:
Yes and I used the same as in the description

 Description   

Test case :

Create a sub realm demo

Create a new Resource Type : myresourcetype

Add the following pattern : *://*:*/*

Create the next pattern with an extra space "*://*:*/*?* " before adding the pattern

Proceed to create a new Policy Set (with the above "myresourcetype") and add a new policy

Run the following policy evaluation

 

curl -s --request POST --header 'iPlanetDirectoryPro: AQIC5wM2LY4Sfcxvc28ne8PA473sqYeLWeuQLUIhBhy0AEg.*AAJTSQACMDEAAlNLABM1NzQxODQ0MDIzMzE2NjQzNzkxAAJTMQAA*' --header 'Content-Type: application/json' --data '{
"resources": [ "http://openam.internal.example.com/index.html?a=b"   <=======
],
"subject": {
"ssoToken": "AQIC5wM2LY4SfcxAgE0iI_mQcwz07Vu1FjykTGSTenz2fSU.*AAJTSQACMDEAAlNLABQtMzE3MDk2MDI2Njk3Nzc0NTY4OQACUzEAAA..*" },
"application": "myPolicySet"
 }' 'http://openam.internal.example.com:8080/openam/json/demo/policies?_action=evaluate'
 

Notice the evaluation fails

[
 {
 "advices": {},
 "ttl": 9223372036854776000,
 "resource": "https://testing.visaonline.com/index.html?a=b",
 "actions": {},     <===========
 "attributes": {}
 }
]

Verify by exporting the policy in JSON format

ssoadm policy-export --realm demo --servername "http://openam.internal.example.com:8080/openam" --jsonfile export-vol.json --adminid amadmin --password-file /home/iplanet/pass.txt

Observe the extra space in the resourcetype and policy

{
 "resourcetypes" : {
 "resources" : [ {
 "uuid" : "a27adf29-a48c-415c-b167-66cdd79cbc0b",
 "name" : "myresourceType",
 "description" : "",
 "patterns" : [ "*://*:*/*?* ", "*://*:*/*" ],    <============= notice the extra ending space between the double quotes "*://*:*/*?* " 
 "actions" : {
 "POST" : true,
 "GET" : true
 },
 "createdBy" : "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",
 "creationDate" : 1500881254039,
 "lastModifiedBy" : "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",
 "lastModifiedDate" : 1500881254039
 } ],
 "version" : "1.0"
 },
 "applications" : {
 "resources" : [ {
 "createdBy" : "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",
 "conditions" : [ "AuthenticateToService", "Script", "AuthScheme", "IPv6", "SimpleTime", "OAuth2Scope", "IPv4", "AuthenticateToRealm", "OR", "AMIdentityMembership", "LDAPFilter", "AuthLevel", "SessionProperty", "Policy", "LEAuthLevel", "Session", "NOT", "AND", "ResourceEnvIP" ],
 "resourceTypeUuids" : [ "a27adf29-a48c-415c-b167-66cdd79cbc0b" ],
 "resourceComparator" : null,
 "creationDate" : 1500881269112,
 "lastModifiedDate" : 1500881269112,
 "lastModifiedBy" : "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",
 "applicationType" : "iPlanetAMWebAgentService",
 "subjects" : [ "JwtClaim", "AuthenticatedUsers", "Identity", "NOT", "Policy", "AND", "NONE", "OR" ],
 "entitlementCombiner" : "DenyOverride",
 "saveIndex" : null,
 "searchIndex" : null,
 "attributeNames" : [ ],
 "editable" : true,
 "description" : null,
 "displayName" : null,
 "name" : "myPolicySet"
 } ],
 "version" : "2.1"
 },
 "policies" : {
 "resources" : [ {
 "name" : "myPolicy",
 "active" : true,
 "description" : "",
 "applicationName" : "myPolicySet",
 "actionValues" : {
 "POST" : true,
 "GET" : true
 },
 "resources" : [ "*://*:*/*?* ", "*://*:*/*" ],   <================
 "subject" : {
 "type" : "AuthenticatedUsers"
 },
 "resourceTypeUuid" : "a27adf29-a48c-415c-b167-66cdd79cbc0b",
 "lastModifiedBy" : "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",
 "lastModifiedDate" : "2017-07-24T07:38:52.396Z",
 "createdBy" : "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org",
 "creationDate" : "2017-07-24T07:38:35.608Z"
 } ],
 "version" : "2.1"
 }
}

Workaround

  1. delete that offending resource in all affected policies
  2. delete the offending resource in the resource type
  3. recreate the resource pattern again in the resource type ( careful not to add that space again )
  4. add the new resource into the affected policies
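
To find every affected resource type and policy before applying the workaround, the export produced by the ssoadm policy-export command above can be scanned for patterns with stray whitespace. This is an added example, not part of the original ticket or of OpenAM; the function names and the trimmed sample document are assumptions built from the export layout shown in the description.

```python
import json

# Constructed sample: trimmed to the fields the check reads, in the layout
# of the ssoadm policy-export JSON shown in the description.
SAMPLE_EXPORT = json.dumps({
    "resourcetypes": {"resources": [{
        "uuid": "a27adf29-a48c-415c-b167-66cdd79cbc0b",
        "name": "myresourceType",
        "patterns": ["*://*:*/*?* ", "*://*:*/*"],
    }]},
    "policies": {"resources": [{
        "name": "myPolicy",
        "resources": ["*://*:*/*?* ", "*://*:*/*"],
        "resourceTypeUuid": "a27adf29-a48c-415c-b167-66cdd79cbc0b",
    }]},
})


def find_padded_patterns(export_text):
    """Return (section, entry name, field, pattern) for every resource
    pattern that has leading or trailing whitespace."""
    doc = json.loads(export_text)
    findings = []
    # (top-level section, field holding the pattern list)
    for section, field in (("resourcetypes", "patterns"),
                           ("policies", "resources")):
        for entry in doc.get(section, {}).get("resources", []):
            for pattern in entry.get(field) or []:
                if isinstance(pattern, str) and pattern != pattern.strip():
                    findings.append((section, entry.get("name"), field, pattern))
    return findings


def trimmed_suggestions(findings):
    """Map each offending pattern to the trimmed form to recreate by hand."""
    return {p: p.strip() for (_, _, _, p) in findings}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for section, name, field, pattern in find_padded_patterns(text):
        # repr() makes the stray space visible in terminal output
        print(f"{section}/{name}: {field} contains {pattern!r}")
```

Run it with the path of the exported file (for example export-vol.json) as the only argument; with no argument it checks the constructed sample.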

 Comments   
Comment by Ľubomír Mlích [ 01/Nov/17 ]

Reproduced on OpenAM 13.5.2-M7 Build 1d3e4900c0 (2017-October-20 09:14) 
Verified on OpenAM 13.5.2-M8 Build 1e79511bcb (2017-October-30 15:13)

Comment by Ľubomír Mlích [ 06/Nov/17 ]

Verified on OpenAM 14.1.2-M2 Build e8116f5a64 (2017-November-06 11:10) 

Comment by Ľubomír Mlích [ 06/Sep/19 ]

Reproduced in ForgeRock Access Management 5.5.1 Build 96b47ad4f1 (2017-October-26 15:41) 

Verified as fixed in ForgeRock Access Management 5.5.2-M7 Build 965200a558 (2019-August-20 08:11) 

Generated at Mon Mar 01 03:54:44 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.