[OPENAM-14419] Policy evaluation returns search results for all policies that match outside of specified application Created: 13/Feb/19  Updated: 05/Dec/19  Resolved: 10/May/19

Status: Resolved
Project: OpenAM
Component/s: policy
Affects Version/s: 5.5.1, 6.5.0
Fix Version/s: 6.5.2, 6.0.1, 5.5.2, 7.0.0

Type: Bug Priority: Major
Reporter: Aaron Haskins Assignee: C-Weng C
Resolution: Fixed Votes: 1
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
is related to OPENAM-12338 policies?_action=evaluate checks all ... Resolved
Needs backport:
Yes
Support Ticket IDs:
Verified Version/s:
Needs QA verification:
Yes
Functional tests:
No
Are the reproduction steps defined?:
Yes and I used the same as in the description

Description

Bug description

When evaluating a policy and specifying the application (policy set) in the request, search results in the Entitlement log can be seen for policies that match outside of the policy set specified.

How to reproduce the issue

  1. Create PolicySetA and PolicyA (resource can be http://www.example.com:8000/*)
  2. Create PolicySetB and Policy B with the same resource
  3. Set AM logging to message-level
  4. Hit evaluate endpoint, specifying PolicySetA
    curl -s -k -X POST -H 'X-Requested-With: browser' -H 'iPlanetDirectoryPro: <token>' -H 'Content-Type: application/json' --data '{ "application": "PolicySetA", "resources": ["http://www.example.com:8000/index.html"] }' 'http://openam.example.com/openam/json/policies?_action=evaluate'

  5. In the Entitlement log you'll see search results for both policies (search result: privilege=PolicyA and then again for PolicyB).
    E.g. tail -f ws-65x/cfg-app/openam/debug/* | grep "privilege=Policy" while doing the above
Expected behaviour
In this case, one search result for PolicyA
Current behaviour
Both search results returned for PolicyA and PolicyB

Code analysis

com/sun/identity/entitlement/PrivilegeEvaluator.java
private List<Entitlement> evaluate(String realm, SSOToken appToken) throws EntitlementException {
...
final Iterator<IPrivilege> policyIterator = indexStore.search(realm, indexes, subjectIndexes, recursive);
...
// The search above returns every privilege matching the resource indexes but is not filtered on
// the application name (policy set). The application is checked later during evaluation, but
// performance-wise one could cut this down by filtering on the applicationName (the same one as
// in the evaluation context) at search time.
}

With the fix in OPENAM-12338, there should be no functional issue here beyond the extra printout, but the fix will filter by that portion as well.



Comments
Comment by Aaron Haskins [ 13/Feb/19 ]

Request used:

curl -X POST \
  'http://openam.example.com:8080/openam/json/policies?_action=evaluate' \
  -H 'Accept-API-Version: resource=2.0,protocol=1.0' \
  -H 'Content-Type: application/json' \
  -H 'cache-control: no-cache' \
  -H 'iPlanetDirectoryPro: <tokenId>' \
  -d '{ "application": "PolicySetA", "resources": ["http://www.example.com:8000/index.html"] }'

Comment by Ľubomír Mlích [ 30/May/19 ]

I see two search results in AM 6.5.1


Entitlement:05/30/2019 09:42:26:874 AM BST: Thread[http-nio-8080-exec-3,5,main]: TransactionId[dd86c671-5dec-4e75-8f72-b3bf8109182b-21387]
[PolicyEval] SmsPolicyDataService.searchPrivileges
Entitlement:05/30/2019 09:42:26:874 AM BST: Thread[http-nio-8080-exec-3,5,main]: TransactionId[dd86c671-5dec-4e75-8f72-b3bf8109182b-21387]
[PolicyEval] search filter: (&(|(sunxmlKeyValue=hostindex=:\2f\2f.example.com)(sunxmlKeyValue=hostindex=:\2f\2f.com)(sunxmlKeyValue=hostindex=:\2f\2f)(sunxmlKeyValue=hostindex=:\2f\2fwww.example.com))(|(sunxmlKeyValue=pathindex=http:\2f\2fwww.example.com:8000\2f\2a)))
Entitlement:05/30/2019 09:42:26:875 AM BST: Thread[http-nio-8080-exec-3,5,main]: TransactionId[dd86c671-5dec-4e75-8f72-b3bf8109182b-21387]
[PolicyEval] search DN: ou=default,ou=default,ou=OrganizationConfig,ou=1.0,ou=sunEntitlementIndexes,ou=services,dc=openam,dc=forgerock,dc=org
Entitlement:05/30/2019 09:42:26:882 AM BST: Thread[http-nio-8080-exec-3,5,main]: TransactionId[dd86c671-5dec-4e75-8f72-b3bf8109182b-21387]
[PolicyEval] PolicyEvaluator.evaluate
Entitlement:05/30/2019 09:42:26:882 AM BST: Thread[http-nio-8080-exec-3,5,main]: TransactionId[dd86c671-5dec-4e75-8f72-b3bf8109182b-21387]
[PolicyEval] search result: privilege=PolicyA
Entitlement:05/30/2019 09:42:26:882 AM BST: Thread[http-nio-8080-exec-3,5,main]: TransactionId[dd86c671-5dec-4e75-8f72-b3bf8109182b-21387]
[PolicyEval] PolicyEvaluator.evaluate
Entitlement:05/30/2019 09:42:26:882 AM BST: Thread[http-nio-8080-exec-3,5,main]: TransactionId[dd86c671-5dec-4e75-8f72-b3bf8109182b-21387]
[PolicyEval] search result: privilege=PolicyB
Entitlement:05/30/2019 09:42:26:882 AM BST: Thread[http-nio-8080-exec-3,5,main]: TransactionId[dd86c671-5dec-4e75-8f72-b3bf8109182b-21387]
[PolicyEval] Privilege.doesSubjectMatch: false
Entitlement:05/30/2019 09:42:26:883 AM BST: Thread[http-nio-8080-exec-3,5,main]: TransactionId[dd86c671-5dec-4e75-8f72-b3bf8109182b-21387]
[PolicyEval] Advices: {}

and one search result in AM 6.5.2-M3


Entitlement:05/30/2019 09:42:50:204 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[2127ef35-34ea-4d41-8d61-5381acd60960-21138]
[PolicyEval] SmsPolicyDataService.searchPrivileges
Entitlement:05/30/2019 09:42:50:204 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[2127ef35-34ea-4d41-8d61-5381acd60960-21138]
[PolicyEval] search filter: (&(|(sunxmlKeyValue=hostindex=:\2f\2f.example.com)(sunxmlKeyValue=hostindex=:\2f\2f.com)(sunxmlKeyValue=hostindex=:\2f\2f)(sunxmlKeyValue=hostindex=:\2f\2fwww.example.com))(|(sunxmlKeyValue=pathindex=http:\2f\2fwww.example.com:8000\2f\2a))(ou=application=PolicySetA))
Entitlement:05/30/2019 09:42:50:204 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[2127ef35-34ea-4d41-8d61-5381acd60960-21138]
[PolicyEval] search DN: ou=default,ou=default,ou=OrganizationConfig,ou=1.0,ou=sunEntitlementIndexes,ou=services,dc=openam,dc=forgerock,dc=org
Entitlement:05/30/2019 09:42:50:210 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[2127ef35-34ea-4d41-8d61-5381acd60960-21138]
[PolicyEval] PolicyEvaluator.evaluate
Entitlement:05/30/2019 09:42:50:210 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[2127ef35-34ea-4d41-8d61-5381acd60960-21138]
[PolicyEval] search result: privilege=PolicyA
Entitlement:05/30/2019 09:42:50:220 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[2127ef35-34ea-4d41-8d61-5381acd60960-21138]
[PolicyEval] Privilege.doesSubjectMatch: false
Entitlement:05/30/2019 09:42:50:220 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[2127ef35-34ea-4d41-8d61-5381acd60960-21138]
[PolicyEval] Advices: {}

using

curl -X POST "${URL}/json/policies?_action=evaluate" -H 'Accept-API-Version: resource=2.0,protocol=1.0' -H 'Content-Type: application/json' -H 'cache-control: no-cache' -H "iPlanetDirectoryPro: ${AMADMIN_TOKEN}" -d "{ \"application\": \"PolicySetA\", \"resources\": [\"http://www.example.com:8000/index.html\"]}"

and see this as fixed in AM 6.5.2-M3
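As a check for the behaviour described in reproduction step 5 and in the 6.5.1 versus 6.5.2-M3 excerpts above, here is an added Python script (not part of this issue or of OpenAM) that groups Entitlement debug records by TransactionId and flags evaluations whose index search filter carried no (ou=application=...) clause for the requested policy set. The sample log is constructed in the page's record format, with shortened transaction ids and trimmed host-index clauses.

```python
import re
TXN_RE = re.compile(r"TransactionId\[([^\]]+)\]")
FILTER_RE = re.compile(r"\[PolicyEval\] search filter: (.+)")
RESULT_RE = re.compile(r"\[PolicyEval\] search result: privilege=(\S+)")
APP_CLAUSE_RE = re.compile(r"\(ou=application=([^)]+)\)")

# Constructed sample in the format of the page's Entitlement debug excerpts
# (transaction ids shortened, host index clauses trimmed): the first transaction
# mirrors the unfixed 6.5.1 output, the second the 6.5.2-M3 output.
SAMPLE_LOG = r"""
Entitlement:05/30/2019 09:42:26:874 AM BST: Thread[http-nio-8080-exec-3,5,main]: TransactionId[txn-651]
[PolicyEval] search filter: (&(|(sunxmlKeyValue=hostindex=:\2f\2fwww.example.com))(|(sunxmlKeyValue=pathindex=http:\2f\2fwww.example.com:8000\2f\2a)))
Entitlement:05/30/2019 09:42:26:882 AM BST: Thread[http-nio-8080-exec-3,5,main]: TransactionId[txn-651]
[PolicyEval] search result: privilege=PolicyA
Entitlement:05/30/2019 09:42:26:882 AM BST: Thread[http-nio-8080-exec-3,5,main]: TransactionId[txn-651]
[PolicyEval] search result: privilege=PolicyB
Entitlement:05/30/2019 09:42:50:204 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[txn-652m3]
[PolicyEval] search filter: (&(|(sunxmlKeyValue=hostindex=:\2f\2fwww.example.com))(|(sunxmlKeyValue=pathindex=http:\2f\2fwww.example.com:8000\2f\2a))(ou=application=PolicySetA))
Entitlement:05/30/2019 09:42:50:210 AM BST: Thread[http-nio-8080-exec-5,5,main]: TransactionId[txn-652m3]
[PolicyEval] search result: privilege=PolicyA
"""

def audit_policy_search(log_text, expected_application):
    """Per TransactionId: the application named in the index search filter (None if
    absent), the privileges the search returned, and whether it was scoped as requested."""
    report = {}
    txn = None
    for line in log_text.splitlines():
        m = TXN_RE.search(line)
        if m:  # header record; the message may follow on this line or the next one
            txn = m.group(1)
            report.setdefault(txn, {"application": None, "privileges": []})
        if txn is None: continue
        m = FILTER_RE.search(line)
        if m:
            app = APP_CLAUSE_RE.search(m.group(1))
            report[txn]["application"] = app.group(1) if app else None
        m = RESULT_RE.search(line)
        if m:
            report[txn]["privileges"].append(m.group(1))
    for entry in report.values():
        entry["scoped"] = entry["application"] == expected_application
    return report

def unscoped_transactions(log_text, expected_application):
    """Transaction ids whose index search ignored the requested policy set (the bug)."""
    report = audit_policy_search(log_text, expected_application)
    return sorted(t for t, e in report.items() if not e["scoped"])
```

Run it against the output of the tail command from the reproduction steps with the application name passed to the evaluate request; a non-empty result from unscoped_transactions means the build still performs the unfiltered search.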

Generated at Thu Jan 28 14:32:30 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.