Project

General

Profile

Actions
Copy link

Defect #1388

closed

Password is not sent when retrying Create operation

Added by Alena Peterová about 6 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Ondřej Kopr
Category:
Password
Target version:
Opal (9.4.0-rc.1)
Start date:
11/23/2018
Due date:
% Done:

100%

Estimated time:
Affected versions:
Owner:

Description

Affected version: 9.3.0
When Create operation with generated password is not successful at the first attempt (e.g. the system is read-only, or some other exception occurs on the system), the operation stays in the provisioning queue. When it's retried, it's sent with empty password.

Steps to reproduce:
  • Create system "Atabulka" with password column "password", default password policy, create a role "Atabulka" which assigns this system
  • Set the system to read-only
  • Assign the role Atabulka to a user
  • The Create operation is not executed, see the provisioning queue (screenshot 1)
  • Set the system to read-write and retry the Create operation.
  • The password was sent empty (see screenshot 2 of the archive, see screenshot 3 with the system)
  • When I delete the account and create it again directly, the password is sent correctly, see screenshot 4.

Files

Download all files
01_provisioning_create_readonly.png (39 KB) 01_provisioning_create_readonly.png Alena Peterová, 11/23/2018 11:50 AM
02_provisioning_create_after_retry.png (38.1 KB) 02_provisioning_create_after_retry.png Alena Peterová, 11/23/2018 11:50 AM
03_created_account_after_retry.png (14.2 KB) 03_created_account_after_retry.png Alena Peterová, 11/23/2018 11:50 AM
04_created_account_direct_success.png (14.2 KB) 04_created_account_direct_success.png Alena Peterová, 11/23/2018 11:50 AM

Related issues

Related to IdStory Identity Manager - Defect #1238: When account creation is cancelled from the provisioning queue, then next account creation doesn't send password for the accountClosedRadek Tomiška09/03/2018

Actions
Related to IdStory Identity Manager - Defect #1392: Audit can't be viewed after retrying a password change or account createClosedOndřej Kopr11/27/2018

Actions
Actions
Copy link
 #1

Updated by Radek Tomiška about 6 years ago

Maybe duplicate with #1238?

Actions
Copy link
 #2

Updated by Alena Peterová about 6 years ago

I don't think so, this can be reproduced without cancelling operations in the queue, #1238 happened only when the previous operation was cancelled. Also I'm 95 % sure this issue didn't happen in previous versions.

Actions
Copy link
 #3

Updated by Alena Peterová about 6 years ago

Also this has higher priority, because it brings problems in the systems:
  • if the system enables empty password, then the account without password is created and anybody can log into it
  • if it's AD connector, then the account in AD is created, but the connector isn't able to set password to it so the operation returns error. The result is inconsistent state of accounts.
Actions
Copy link
 #4

Updated by Radek Tomiška about 6 years ago

  • Related to Defect #1238: When account creation is cancelled from the provisioning queue, then next account creation doesn't send password for the account added
Actions
Copy link
 #5

Updated by Ondřej Kopr about 6 years ago

  • Status changed from New to In Progress
Actions
Copy link
 #6

Updated by Ondřej Kopr about 6 years ago

  • % Done changed from 0 to 10

Alca I confirm the issue. The problem is by get value from confidential storage and transform it back to password Attribute. Thanks for report this issue.

Actions
Copy link
 #7

Updated by Ondřej Kopr about 6 years ago

  • % Done changed from 10 to 70

After consult I add newly generated password also into account object not only in connector object (in frontend detail it is left and right side table in provisioning operation detail).

Next information:
  • generated password/s will be still stored in confidential storage,
  • transformation for password is done only once, during init the provisioning operation,
  • in confidential storage is created two records for one password attribute (with these keys: sys:connector:: and sys:account::),
  • in account object exists ConfidetialString that contains key for confidential storage,
  • in connector object exists instance of guarded string with transformed password,
  • password change works same.

Tests missing.

Actions
Copy link
 #8

Updated by Ondřej Kopr about 6 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Ondřej Kopr to Vít Švanda
  • Priority changed from High to Normal
  • Target version set to Opal (9.4.0-rc.1)
  • % Done changed from 70 to 90

The bug was fixed. Provisioning operation now contains generated password for connector object and account object. Test is included.

Commit: https://github.com/bcvsolutions/CzechIdMng/commit/bc7370d4bcd63f2a8223530706ea5ee3cb8f910b (branch develop)
commit test: https://github.com/bcvsolutions/CzechIdMng/commit/6c6bc23b876961a7481c7729bc5f47d571f57349 (branch develop)

Please Vitek could you make a review? Issue can be simulated only by read only system.

Actions
Copy link
 #9

Updated by Ondřej Kopr about 6 years ago

I must remove TestResource_ from tests because metamodel on jenkins doesn't work as I except.
Commit: https://github.com/bcvsolutions/CzechIdMng/commit/1aee82a7328c0cc6b45372ecc306e66bbfd4f7cc (develop)

Actions
Copy link
 #10

Updated by Ondřej Kopr about 6 years ago

  • Related to Defect #1392: Audit can't be viewed after retrying a password change or account create added
Actions
Copy link
 #11

Updated by Alena Peterová about 6 years ago

It works now correctly, thank you.

Actions
Copy link
 #12

Updated by Vít Švanda about 6 years ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Vít Švanda to Ondřej Kopr
  • % Done changed from 90 to 100

I did review and tested it. Works fine, thanks for that.

Actions
Copy link
 #13

Updated by Ondřej Kopr about 6 years ago

  • Status changed from Resolved to Closed
Actions
Copy link

Also available in: Atom PDF