Defect #1388
closed
Password is not sent when retrying Create operation
100%
Description
Affected version: 9.3.0
When Create operation with generated password is not successful at the first attempt (e.g. the system is read-only, or some other exception occurs on the system), the operation stays in the provisioning queue. When it's retried, it's sent with empty password.
- Create system "Atabulka" with password column "password", default password policy, create a role "Atabulka" which assigns this system
- Set the system to read-only
- Assign the role Atabulka to a user
- The Create operation is not executed, see the provisioning queue (screenshot 1)
- Set the system to read-write and retry the Create operation.
- The password was sent empty (see screenshot 2 of the archive, see screenshot 3 with the system)
- When I delete the account and create it again directly, the password is sent correctly, see screenshot 4.
Files
Related issues
Updated by Alena Peterová over 5 years ago
I don't think so, this can be reproduced without cancelling operations in the queue, #1238 happened only when the previous operation was cancelled. Also I'm 95 % sure this issue didn't happen in previous versions.
Updated by Alena Peterová over 5 years ago
- if the system enables empty password, then the account without password is created and anybody can log into it
- if it's AD connector, then the account in AD is created, but the connector isn't able to set password to it so the operation returns error. The result is inconsistent state of accounts.
Updated by Radek Tomiška over 5 years ago
- Related to Defect #1238: When account creation is cancelled from the provisioning queue, then next account creation doesn't send password for the account added
Updated by Ondřej Kopr over 5 years ago
- % Done changed from 0 to 10
Alca I confirm the issue. The problem is by get value from confidential storage and transform it back to password Attribute. Thanks for report this issue.
Updated by Ondřej Kopr over 5 years ago
- % Done changed from 10 to 70
After consult I add newly generated password also into account object not only in connector object (in frontend detail it is left and right side table in provisioning operation detail).
Next information:- generated password/s will be still stored in confidential storage,
- transformation for password is done only once, during init the provisioning operation,
- in confidential storage is created two records for one password attribute (with these keys: sys:connector:: and sys:account::),
- in account object exists ConfidetialString that contains key for confidential storage,
- in connector object exists instance of guarded string with transformed password,
- password change works same.
Tests missing.
Updated by Ondřej Kopr over 5 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Ondřej Kopr to Vít Švanda
- Priority changed from High to Normal
- Target version set to Opal (9.4.0-rc.1)
- % Done changed from 70 to 90
The bug was fixed. Provisioning operation now contains generated password for connector object and account object. Test is included.
Commit: https://github.com/bcvsolutions/CzechIdMng/commit/bc7370d4bcd63f2a8223530706ea5ee3cb8f910b (branch develop)
commit test: https://github.com/bcvsolutions/CzechIdMng/commit/6c6bc23b876961a7481c7729bc5f47d571f57349 (branch develop)
Please Vitek could you make a review? Issue can be simulated only by read only system.
Updated by Ondřej Kopr over 5 years ago
I must remove TestResource_ from tests because metamodel on jenkins doesn't work as I except.
Commit: https://github.com/bcvsolutions/CzechIdMng/commit/1aee82a7328c0cc6b45372ecc306e66bbfd4f7cc (develop)
Updated by Ondřej Kopr over 5 years ago
- Related to Defect #1392: Audit can't be viewed after retrying a password change or account create added
Updated by Vít Švanda over 5 years ago
- Status changed from Needs feedback to Resolved
- Assignee changed from Vít Švanda to Ondřej Kopr
- % Done changed from 90 to 100
I did review and tested it. Works fine, thanks for that.