Password is not sent when retrying Create operation
Affected version: 9.3.0
When a Create operation with a generated password is not successful at the first attempt (e.g. the system is read-only, or some other exception occurs on the system), the operation stays in the provisioning queue. When it is retried, it is sent with an empty password.
- Create system "Atabulka" with password column "password", default password policy, create a role "Atabulka" which assigns this system
- Set the system to read-only
- Assign the role Atabulka to a user
- The Create operation is not executed, see the provisioning queue (screenshot 1)
- Set the system to read-write and retry the Create operation.
- The password was sent empty (see screenshot 2 of the archive, see screenshot 3 with the system)
- When I delete the account and create it again directly, the password is sent correctly, see screenshot 4.
#3 Updated by Alena Peterová 5 months ago
- if the system allows an empty password, then an account without a password is created and anybody can log into it
- if it is an AD connector, then the account in AD is created, but the connector isn't able to set a password for it, so the operation returns an error. The result is an inconsistent state of accounts.
#7 Updated by Ondřej Kopr 5 months ago
- % Done changed from 10 to 70
After consultation I added the newly generated password into the account object as well, not only into the connector object (in the frontend these are the left and right side tables in the provisioning operation detail). Further information:
- the generated password(s) will still be stored in confidential storage,
- the transformation for the password is done only once, during the initialization of the provisioning operation,
- two records are created in confidential storage for one password attribute (with these keys: sys:connector:: and sys:account::),
- the account object contains a ConfidentialString that holds the key for confidential storage,
- the connector object contains an instance of guarded string with the transformed password,
- password change works the same way.
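Added example, not CzechIdM code: a small Python model of the reproduction steps in the report (read-only system, queued Create, retry) and of the fix design in comment #7. Everything beyond what the page states is an assumption: the class and function names, the `:password` suffix on the storage keys (the page gives only the `sys:connector::` and `sys:account::` prefixes), the identity transformation, and the modelled retry path in which the connector object is rebuilt from the account object, which is how a password kept only in the connector object comes out empty.

```python
# Added example (not CzechIdM code). Models the retry bug and the fix from comment #7.
# Names, key layout and the "rebuild from account object" retry step are assumptions.
import secrets
from dataclasses import dataclass


class ConfidentialStorage:
    """Stand-in for IdM confidential storage: key -> secret."""

    def __init__(self):
        self._store = {}

    def save(self, key, value):
        self._store[key] = value

    def get(self, key):
        return self._store.get(key)


@dataclass(frozen=True)
class ConfidentialString:
    """Reference kept in the account object: only the storage key, never the secret."""
    key: str


class GuardedString:
    """Wrapper kept in the connector object; keeps the value out of logs and the UI."""

    def __init__(self, value):
        self.value = value

    def __repr__(self):
        return "GuardedString(******)"


@dataclass
class ProvisioningOperation:
    account_attrs: dict    # left table in the provisioning-operation detail
    connector_attrs: dict  # right table: what is actually sent to the connector


class ReadOnlySystem(Exception):
    pass


class TargetSystem:
    def __init__(self, read_only):
        self.read_only = read_only
        self.accounts = {}

    def create(self, attrs):
        if self.read_only:
            raise ReadOnlySystem("system is read-only")
        self.accounts[attrs["uid"]] = {
            k: (v.value if isinstance(v, GuardedString) else v) for k, v in attrs.items()
        }


def transform_password(password):
    # Placeholder for the attribute transformation; runs once, when the operation is initialised.
    return password


def build_operation_before_fix(uid, storage):
    """Pre-fix behaviour: the generated password lives only in the connector object."""
    password = secrets.token_urlsafe(12)
    storage.save(f"sys:connector::{uid}:password", transform_password(password))
    account = {"uid": uid}                       # no trace of the password here
    connector = {"uid": uid, "password": GuardedString(transform_password(password))}
    return ProvisioningOperation(account, connector)


def build_operation_after_fix(uid, storage):
    """Post-fix behaviour: two storage records, and the account object carries the key."""
    password = secrets.token_urlsafe(12)
    storage.save(f"sys:connector::{uid}:password", transform_password(password))
    storage.save(f"sys:account::{uid}:password", transform_password(password))
    account = {"uid": uid, "password": ConfidentialString(f"sys:account::{uid}:password")}
    connector = {"uid": uid, "password": GuardedString(transform_password(password))}
    return ProvisioningOperation(account, connector)


def execute(op, system):
    """One attempt; False means the operation stays in the provisioning queue."""
    try:
        system.create(op.connector_attrs)
        return True
    except ReadOnlySystem:
        return False


def rebuild_connector_object(op, storage):
    """Modelled retry path: the connector object is rebuilt from the account object.
    A ConfidentialString is resolved from storage (no second transformation, the value
    was transformed at init); an attribute the account object lacks comes out empty."""
    rebuilt = {}
    for attr in op.connector_attrs:
        value = op.account_attrs.get(attr, "")
        if isinstance(value, ConfidentialString):
            value = GuardedString(storage.get(value.key))
        rebuilt[attr] = value
    op.connector_attrs = rebuilt


def simulate_retry(build_operation, uid="atabulka"):
    """Queue a Create against a read-only system, flip it to read-write, retry.
    Returns (password the connector should receive, password actually sent)."""
    storage = ConfidentialStorage()
    system = TargetSystem(read_only=True)
    op = build_operation(uid, storage)
    if execute(op, system):
        raise AssertionError("first attempt must fail on a read-only system")
    system.read_only = False
    rebuild_connector_object(op, storage)
    execute(op, system)
    expected = storage.get(f"sys:connector::{uid}:password")
    return expected, system.accounts[uid]["password"]


if __name__ == "__main__":
    print("before fix:", simulate_retry(build_operation_before_fix))  # password sent empty
    print("after fix: ", simulate_retry(build_operation_after_fix))   # same password as generated
```

Run as a script and the first line shows the empty password the report describes, the second the retried Create carrying the generated password. The check worth keeping in a regression test is the second tuple: the value that reaches the target system after a retry must equal the value under the connector key in confidential storage.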
#8 Updated by Ondřej Kopr 5 months ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Ondřej Kopr to Vít Švanda
- Priority changed from High to Normal
- Target version set to Opal (9.4.0-rc.1)
- % Done changed from 70 to 90
The bug was fixed. The provisioning operation now contains the generated password for the connector object and the account object. A test is included.
Commit: https://github.com/bcvsolutions/CzechIdMng/commit/bc7370d4bcd63f2a8223530706ea5ee3cb8f910b (branch develop)
Test commit: https://github.com/bcvsolutions/CzechIdMng/commit/6c6bc23b876961a7481c7729bc5f47d571f57349 (branch develop)
Vitek, could you please make a review? The issue can be simulated only with a read-only system.
#9 Updated by Ondřej Kopr 5 months ago
I must remove TestResource_ from the tests because the metamodel on Jenkins doesn't work as I expect.
Commit: https://github.com/bcvsolutions/CzechIdMng/commit/1aee82a7328c0cc6b45372ecc306e66bbfd4f7cc (develop)