Defect #1074

closed

Script sandbox problem when using custom synchronization filter

Added by Peter Štrunc about 6 years ago. Updated almost 6 years ago.

Status: Closed
Priority: Normal
Assignee: Vít Švanda
Category: Scripts
Target version:
Start date: 04/17/2018
Due date:
% Done: 100%
Estimated time:
Affected versions:
Owner:

Description

It is forbidden to use "not filter" in custom synchronization filter.

Caused by: java.lang.SecurityException: Script wants to use unauthorized class: [class eu.bcvsolutions.idm.ic.filter.impl.IcNotFilter] 
    at eu.bcvsolutions.idm.core.security.domain.GroovySandboxFilter.filter(GroovySandboxFilter.java:113)
    at org.kohsuke.groovy.sandbox.GroovyValueFilter.filterReturnValue(GroovyValueFilter.java:26)
    at org.kohsuke.groovy.sandbox.GroovyValueFilter.onStaticCall(GroovyValueFilter.java:63)

Affected version: 7.6.1

Actions #1

Updated by Ondřej Kopr about 6 years ago

You are right, IcNotFilter is missing from the allowed types:

allowTypes.add(IcAndFilter.class);
allowTypes.add(IcOrFilter.class);
allowTypes.add(IcFilterBuilder.class);
allowTypes.add(IcAttributeImpl.class);
allowTypes.add(IcAttribute.class);

In a higher version you can use a script inside this filter. Sorry, you can use a script, but in the account management script, not here.

Actions #2

Updated by Vít Švanda about 6 years ago

  • Tracker changed from Task to Defect
  • Status changed from New to Needs feedback
  • Target version changed from Forsterite (7.6.1) to Jade (8.1.0)
  • % Done changed from 0 to 90

By default, only operations from the IcFilterOperationType enumeration were allowed (it is the enumeration used above the filter script). These operations work with filterAttribute, but IcNotFilter works with the whole filter.

I allowed IcNotFilter.class separately. IcFilterBuilder.not(filter) can be used now.

The fix will be in 8.1.0.
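Added example, not part of the comment above and not CzechIdM or groovy-sandbox code: a simplified plain-Java model of a sandbox type allowlist, showing why a call on an allowed builder can still be rejected when the object it returns has a class that is not on the list, as in the `onStaticCall` / `filterReturnValue` frames of the stack trace. The stand-in types, `AllowlistFilter`, and the exact-class matching are assumptions made for illustration (Java 16+ for the record).

```java
import java.util.HashSet;
import java.util.Set;
import java.util.function.Supplier;

public class SandboxAllowlistDemo {
    // Constructed stand-ins for the IC filter types named in the issue.
    interface Filter {}
    static final class AndFilter implements Filter {}
    record NotFilter(Filter inner) implements Filter {}
    static final class FilterBuilder {
        static Filter and() { return new AndFilter(); }
        static Filter not(Filter f) { return new NotFilter(f); }
    }
    // Simplified model of a sandbox value filter (assumption: exact-class allowlist).
    static final class AllowlistFilter {
        private final Set<Class<?>> allowTypes = new HashSet<>();
        void allow(Class<?> type) { allowTypes.add(type); }
        private void check(Class<?> type) {
            if (!allowTypes.contains(type)) {
                throw new SecurityException("Script wants to use unauthorized class: [" + type + "]");
            }
        }
        // Models an intercepted static call: receiver class first, then the returned object's class.
        Object onStaticCall(Class<?> receiver, Supplier<Object> call) {
            check(receiver);
            Object result = call.get();
            if (result != null) check(result.getClass());
            return result;
        }
    }
    // Runs the "script" body: builder.not(builder.and()) through the sandbox model.
    static String run(AllowlistFilter sandbox) {
        try {
            Object r = sandbox.onStaticCall(FilterBuilder.class, () -> FilterBuilder.not(FilterBuilder.and()));
            return "allowed: " + r.getClass().getSimpleName();
        } catch (SecurityException e) {
            return "blocked: " + e.getMessage();
        }
    }
    public static void main(String[] args) {
        AllowlistFilter sandbox = new AllowlistFilter();
        sandbox.allow(FilterBuilder.class);
        sandbox.allow(AndFilter.class);
        sandbox.allow(Filter.class);       // the interface alone does not cover NotFilter
        System.out.println(run(sandbox));  // builder allowed, returned class is not
        sandbox.allow(NotFilter.class);    // the concrete class is added separately
        System.out.println(run(sandbox));
    }
}
```

When extending such an allowlist, add the narrowest concrete class the script needs rather than a shared supertype, so each newly reachable type is a reviewed decision.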

Actions #3

Updated by Ondřej Kopr almost 6 years ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Ondřej Kopr to Vít Švanda
  • % Done changed from 90 to 100

Thanks for resolving the missing permission. I checked by creating a new synchronization with a filter and negation.

(you are a commit hunter :D
https://github.com/bcvsolutions/CzechIdMng/commit/7a49873034d8b7cc6fa47b6893f1f4e7ed02fbd2
https://github.com/bcvsolutions/CzechIdMng/commit/ec9f116264a7e9e08368a27a58bdf1d443e7f5e2)

Actions #4

Updated by Vít Švanda almost 6 years ago

  • Status changed from Resolved to Closed