Defect #1074
closed
Script sandbox problem when using custom synchronization filter
100%
Description
It is forbidden to use a "not filter" in a custom synchronization filter.
Caused by: java.lang.SecurityException: Script wants to use unauthorized class: [class eu.bcvsolutions.idm.ic.filter.impl.IcNotFilter]
    at eu.bcvsolutions.idm.core.security.domain.GroovySandboxFilter.filter(GroovySandboxFilter.java:113)
    at org.kohsuke.groovy.sandbox.GroovyValueFilter.filterReturnValue(GroovyValueFilter.java:26)
    at org.kohsuke.groovy.sandbox.GroovyValueFilter.onStaticCall(GroovyValueFilter.java:63)
Affected version: 7.6.1
Updated by Ondřej Kopr over 6 years ago
You are right, IcNotFilter is missing from the allowed types:
allowTypes.add(IcAndFilter.class);
allowTypes.add(IcOrFilter.class);
allowTypes.add(IcFilterBuilder.class);
allowTypes.add(IcAttributeImpl.class);
allowTypes.add(IcAttribute.class);
In a higher version you can use a script inside this filter. Sorry, you can use a script, but in the account management script, not here.
Updated by Vít Švanda over 6 years ago
- Tracker changed from Task to Defect
- Status changed from New to Needs feedback
- Target version changed from Forsterite (7.6.1) to Jade (8.1.0)
- % Done changed from 0 to 90
By default, only operations from the IcFilterOperationType enumeration were allowed (it is the enumeration used above the filter script). These operations work with filterAttribute, but IcNotFilter works with the whole filter.
I allowed IcNotFilter.class separately. IcFilterBuilder.not(filter) can be used now.
The fix will be in 8.1.0.
Updated by Ondřej Kopr over 6 years ago
- Status changed from Needs feedback to Resolved
- Assignee changed from Ondřej Kopr to Vít Švanda
- % Done changed from 90 to 100
Thanks for resolving the missing permission. I checked by creating a new synchronization with a filter and negation.
(you are a commit hunter :D
https://github.com/bcvsolutions/CzechIdMng/commit/7a49873034d8b7cc6fa47b6893f1f4e7ed02fbd2
https://github.com/bcvsolutions/CzechIdMng/commit/ec9f116264a7e9e08368a27a58bdf1d443e7f5e2)
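
A sketch of the deny-by-default type allowlist behind the exception in this ticket, added here as an illustration and not CzechIdM's own code. The filter classes, `TypeAllowlist` and `scriptCallsNot` are hypothetical stand-ins, and exact-class matching is an assumption; the point is that a value returned from a builder call is checked too, so the "not" filter type must be allowed explicitly.

```java
import java.util.HashSet;
import java.util.Set;

public class SandboxAllowlistDemo {
    // Hypothetical stand-ins for the connector filter types named in the ticket.
    interface Filter {}
    static final class AttrFilter implements Filter {
        final String name; final Object value;
        AttrFilter(String name, Object value) { this.name = name; this.value = value; }
    }
    static final class AndFilter implements Filter {
        final Filter left, right;
        AndFilter(Filter left, Filter right) { this.left = left; this.right = right; }
    }
    static final class NotFilter implements Filter {
        final Filter inner;
        NotFilter(Filter inner) { this.inner = inner; }
    }

    // Deny by default: only objects whose exact class was allowed may pass (assumption).
    static final class TypeAllowlist {
        private final Set<Class<?>> allowTypes = new HashSet<>();
        TypeAllowlist allow(Class<?> type) { allowTypes.add(type); return this; }
        Object filter(Object o) {
            if (o == null || allowTypes.contains(o.getClass())) {
                return o;
            }
            throw new SecurityException(
                "Script wants to use unauthorized class: [" + o.getClass() + "]");
        }
    }

    // Simulates a sandboxed script calling a static builder method: the argument
    // and the returned object both go through the allowlist.
    static Filter scriptCallsNot(TypeAllowlist sandbox, Filter inner) {
        sandbox.filter(inner);
        return (Filter) sandbox.filter(new NotFilter(inner));
    }

    public static void main(String[] args) {
        TypeAllowlist sandbox = new TypeAllowlist().allow(AttrFilter.class).allow(AndFilter.class);
        Filter attr = new AttrFilter("status", "disabled"); // constructed sample value
        try {
            scriptCallsNot(sandbox, attr); // NotFilter not allowed yet: rejected on return
        } catch (SecurityException e) {
            System.out.println("before: " + e.getMessage());
        }
        sandbox.allow(NotFilter.class); // allow only the one missing type
        System.out.println("after: " + scriptCallsNot(sandbox, attr).getClass().getSimpleName());
    }
}
```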