[OPENAM-12245] "Authentication by Module Instance" policy env condition doesn't work in session upgrade case Created: 20/Dec/17  Updated: 04/Sep/19  Resolved: 08/Jan/18

Status: Resolved
Project: OpenAM
Component/s: authentication
Affects Version/s: 5.5.1
Fix Version/s: 6.0.0, 5.5.2

Type: Bug Priority: Major
Reporter: Sachiko Wallace Assignee: Sachiko Wallace
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Target Version/s:
Sprint: AM Sustaining Sprint 46
Story Points: 1
Needs backport:
No
Support Ticket IDs:
Needs QA verification:
Yes
Functional tests:
No
Are the reproduction steps defined?:
Yes, and I used the same as in the description

 Description   

Bug description

"Authentication by Module Instance" policy env condition doesn't work in session upgrade case

How to reproduce the issue

NOTE: This issue only happens in the session upgrade case

  1. login to admin console
  2. [Realms] -> select realm -> [Authentication] -> edit [LDAP]
  3. set "Authentication Level=3" and click [Save Changes]
  4. [Authorization] -> [Policy Sets] -> [Default Policy Set] -> "+ Add a Policy"
  5. type in the following data :
    Name : TestPolicy001
    Resource Type: URL
    Resources : http://openam.example.com:38080/helloworld/*
    http://openam.example.com:38080/helloworld/*?*
    click [Create]
  6. click [Action] tab, add GET & POST:allow and click [Save Changes]
  7. click [Subjects] tab and set "Type: Authenticated Users" and click [Save Changes]
  8. click [Environments] tab and click [+ Add an Environment Condition]
    Type: Authentication by Module Instance
    Authentication Scheme: /:LDAP (this is in the form of <realm>:<auth module>)
    Application Name: iPlanetAMWebAgentService (Resource Type for policy evaluation)
    Application Idle Timeout Scheme: 2147483647
    Click "check" icon and click [Save Changes]
  9. login with admin user
    curl --request POST --header "X-OpenAM-Username: amadmin" --header "X-OpenAM-Password: cangetin" --header "Content-Type: application/json" --header "Accept-API-Version:protocol=1.0,resource=2.1" --data "{}" "http://openam.example.com:18080/openam/json/realms/root/authenticate"
    
  10. login with demo user
    curl --request POST --header "X-OpenAM-Username: demo" --header "X-OpenAM-Password: changeit" --header "Content-Type: application/json" --header "Accept-API-Version:protocol=1.0,resource=2.1" --data "{}" "http://openam.example.com:18080/openam/json/realms/root/authenticate?module=DataStore&authIndexType=module&authIndexValue=DataStore"
    
  11. then upgrade demo user's session
    curl --request POST --header "iPlanetDirectoryPro:M2hI2hR..." --header "X-OpenAM-Username: demo" --header "X-OpenAM-Password: changeit" "http://openam.example.com:18080/openam/json/realms/root/authenticate?authIndexType=level&authIndexValue=3"
    
  12. request for policy evaluation
    curl --request POST \
    > --header "Content-Type: application/json" \
    > --header "iPlanetDirectoryPro: <amadmin session>" \
    > --data '{
    >     "resources": [
    >         "http://openam.example.com:38080/helloworld/index.html"
    >     ],
    >     "application": "iPlanetAMWebAgentService",
    >     "subject": { "ssoToken": "<upgraded user session>"}
    > }' \
    > "http://openam.example.com:18080/openam/json/policies?_action=evaluate"
    [{"resource":"http://openam.example.com:38080/helloworld/index.html","actions":{},"attributes":{},"advices":{},"ttl":9223372036854775807}]
    
Expected behaviour

The policy evaluation request should return the correct evaluation response:

[{"resource":"http://openam.example.com:38080/helloworld/index.html","actions":{"POST":true,"GET":true},"attributes":{},"advices":{},"ttl":1513728110137}]
Current behaviour

The policy evaluation request returns an empty response. If you check the Entitlement debug log, you will see that the request user's auth scheme list is in the wrong format (one entry per character instead of one per module):

At AuthSchemeCondition.getConditionDecision():authScheme not satisfied = /:LDAP
At AuthSchemeCondition.getConditionDecision():authScheme = [/:LDAP], requestAuthSchemes = [/:L, /:/, /:o, /:P, /:A, /:a, /:r, /:S, /:D, /:t, :, /:e],  allowed before applicationIdleTimeout check = false

Work around

None

Code analysis

This seems to be a regression caused by the change implemented via AME-13482.
String.split() takes a regular expression, and an unescaped "|" is the alternation operator with an empty pattern on both sides, so split("|") matches the empty string between every character and splits the module list one character at a time. The separator should have been escaped as split("\\|") so that the pipe is matched literally.

com.sun.identity.authentication.service.AuthUtils.java
    import static java.util.Arrays.asList;
    import java.util.LinkedHashSet;
    import java.util.Set;
    import java.util.stream.Collectors;

    public static String upgradeModuleList(String prevList, String newList, String realm) {
        newList = getRealmQualifiedList(realm, newList);
        utilDebug.message("newList : {}", newList);
        utilDebug.message("prevList : {}", prevList);
        Set<String> result = new LinkedHashSet<>();
        // BUG: split() takes a regex; an unescaped "|" matches the empty string,
        // so the list is split into single characters instead of at the pipes.
        result.addAll(asList(newList.split("|")));
        if (prevList != null) {
            result.addAll(asList(prevList.split("|")));
        }
        return result.stream().collect(Collectors.joining("|"));
    }
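The following stand-alone Java program is an added example, not OpenAM's own code, that reproduces the split behaviour described above with the realm-qualified module names from this report. It assumes the inputs are already realm-qualified (getRealmQualifiedList() and utilDebug are left out), and the method names upgradeModuleListBuggy, upgradeModuleListFixed and authSchemeSatisfied are hypothetical; authSchemeSatisfied only approximates the membership check that AuthSchemeCondition performs.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

/**
 * Added demonstration of why split("|") breaks the session's auth-scheme list
 * on session upgrade. Inputs are assumed to be already realm-qualified, so the
 * getRealmQualifiedList() step of AuthUtils.upgradeModuleList() is omitted.
 */
public class ModuleListSplitDemo {

    // Mirrors the reported code: as a regex, "|" is an alternation of two empty
    // patterns, so it matches between every character and the list is split
    // one character at a time (a zero-width match at index 0 produces no
    // leading empty element, and trailing empties are dropped by split()).
    static String upgradeModuleListBuggy(String prevList, String newList) {
        Set<String> result = new LinkedHashSet<>(Arrays.asList(newList.split("|")));
        if (prevList != null) {
            result.addAll(Arrays.asList(prevList.split("|")));
        }
        return result.stream().collect(Collectors.joining("|"));
    }

    // Corrected form: the pipe is escaped so it is matched literally and the
    // list is split only at module boundaries.
    static String upgradeModuleListFixed(String prevList, String newList) {
        Set<String> result = new LinkedHashSet<>(Arrays.asList(newList.split("\\|")));
        if (prevList != null) {
            result.addAll(Arrays.asList(prevList.split("\\|")));
        }
        return result.stream().collect(Collectors.joining("|"));
    }

    // Hypothetical stand-in for the AuthSchemeCondition check: is the scheme
    // required by the policy among the schemes the session authenticated with?
    static boolean authSchemeSatisfied(String required, String sessionSchemes) {
        List<String> requestAuthSchemes = Arrays.asList(sessionSchemes.split("\\|"));
        return requestAuthSchemes.contains(required);
    }

    public static void main(String[] args) {
        // Constructed inputs taken from the reproduction steps above.
        String prevList = "/:DataStore";   // module the demo session started with
        String newList  = "/:LDAP";        // module used for the level-3 upgrade

        String buggy = upgradeModuleListBuggy(prevList, newList);
        String fixed = upgradeModuleListFixed(prevList, newList);

        System.out.println("buggy session module list: " + buggy);
        System.out.println("fixed session module list: " + fixed);
        System.out.println("/:LDAP satisfied (buggy): " + authSchemeSatisfied("/:LDAP", buggy));
        System.out.println("/:LDAP satisfied (fixed): " + authSchemeSatisfied("/:LDAP", fixed));
    }
}
```

With these inputs the buggy variant yields the twelve deduplicated single characters "/|:|L|D|A|P|a|t|S|o|r|e", which, once each token is realm-qualified, are exactly the twelve requestAuthSchemes entries printed in the debug log above, so authSchemeSatisfied("/:LDAP", ...) is false and the policy produces the empty decision seen in step 12. The fixed variant yields "/:LDAP|/:DataStore" and the check passes. Pattern.quote("|") is an equivalent alternative to the "\\|" escape if the separator is ever made configurable.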


 Comments   
Comment by Ľubomír Mlích [ 04/Sep/19 ]

I created OPENAM-15405 for this disappearing value problem

Generated at Fri Sep 25 23:22:02 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.