Defect #1388

Password is not sent when retrying Create operation

Added by Alena Peterová 5 months ago. Updated 4 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: Password
Target version:
Start date: 11/23/2018
Due date:
% Done: 100%


Description

Affected version: 9.3.0
When a Create operation with a generated password is not successful at the first attempt (e.g. the system is read-only, or some other exception occurs on the system), the operation stays in the provisioning queue. When it's retried, it's sent with an empty password.

Steps to reproduce:
  • Create system "Atabulka" with password column "password", default password policy, create a role "Atabulka" which assigns this system
  • Set the system to read-only
  • Assign the role Atabulka to a user
  • The Create operation is not executed, see the provisioning queue (screenshot 1)
  • Set the system to read-write and retry the Create operation.
  • The password was sent empty (see screenshot 2 of the archive, see screenshot 3 with the system)
  • When I delete the account and create it again directly, the password is sent correctly, see screenshot 4.

01_provisioning_create_readonly.png (39 KB) Alena Peterová, 11/23/2018 11:50 AM

02_provisioning_create_after_retry.png (38.1 KB) Alena Peterová, 11/23/2018 11:50 AM

03_created_account_after_retry.png (14.2 KB) Alena Peterová, 11/23/2018 11:50 AM

04_created_account_direct_success.png (14.2 KB) Alena Peterová, 11/23/2018 11:50 AM


Related issues

Related to CzechIdM - Defect #1238: When account creation is cancelled from the provisioning queue, then next account creation doesn't send password for the account New 09/03/2018
Related to CzechIdM - Defect #1392: Audit can't be viewed after retrying a password change or account create Closed 11/27/2018

History

#1 Updated by Radek Tomiška 5 months ago

Maybe duplicate with #1238?

#2 Updated by Alena Peterová 5 months ago

I don't think so, this can be reproduced without cancelling operations in the queue, #1238 happened only when the previous operation was cancelled. Also I'm 95 % sure this issue didn't happen in previous versions.

#3 Updated by Alena Peterová 5 months ago

Also, this has higher priority, because it brings problems in the systems:
  • if the system enables an empty password, then the account without a password is created and anybody can log into it
  • if it's an AD connector, then the account in AD is created, but the connector isn't able to set a password for it, so the operation returns an error. The result is an inconsistent state of accounts.

#4 Updated by Radek Tomiška 5 months ago

  • Related to Defect #1238: When account creation is cancelled from the provisioning queue, then next account creation doesn't send password for the account added

#5 Updated by Ondřej Kopr 5 months ago

  • Status changed from New to In Progress

#6 Updated by Ondřej Kopr 5 months ago

  • % Done changed from 0 to 10

Alca, I confirm the issue. The problem is in getting the value from confidential storage and transforming it back to the password attribute. Thanks for reporting this issue.

#7 Updated by Ondřej Kopr 5 months ago

  • % Done changed from 10 to 70

After consultation, I added the newly generated password to the account object as well, not only to the connector object (in the frontend, these are the left and right side tables in the provisioning operation detail).

Further information:
  • generated password/s will still be stored in confidential storage,
  • the transformation for the password is done only once, during initialization of the provisioning operation,
  • two records are created in confidential storage for one password attribute (with these keys: sys:connector:: and sys:account::),
  • the account object contains a ConfidentialString that holds the key for confidential storage,
  • the connector object contains an instance of a guarded string with the transformed password,
  • password change works the same way.

Tests missing.
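Added example, not part of the original comment and not CzechIdM code: a minimal Java 16+ model of the retry path discussed in this issue, where the queued operation keeps only a confidential-storage key and every attempt resolves it again, failing closed instead of sending an empty password. All class, method and key names are hypothetical, and the sample password is constructed.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

/** Added illustration; all names are hypothetical, not CzechIdM classes. */
public class RetryPasswordGuard {

    /** Stand-in for a confidential storage: secrets are looked up by key. */
    static final Map<String, char[]> STORAGE = new HashMap<>();

    /** The queued operation persists only the storage key, never the password. */
    record QueuedCreate(String uid, String passwordKey) {}

    /** Resolve the key on every attempt; an absent or empty value is an error. */
    static char[] resolvePassword(QueuedCreate op) {
        char[] secret = STORAGE.get(op.passwordKey());
        if (secret == null || secret.length == 0) {
            // Fail closed: never fall back to an empty password on the target system.
            throw new IllegalStateException("No password stored for " + op.passwordKey());
        }
        return secret.clone();
    }

    /** Simulated connector call; returns false while the system is read-only. */
    static boolean sendCreate(QueuedCreate op, boolean readOnly) {
        if (readOnly) {
            return false; // operation stays in the queue, the secret stays in storage
        }
        char[] password = resolvePassword(op);
        System.out.println("create " + op.uid() + ", password length " + password.length);
        Arrays.fill(password, '\0'); // wipe the working copy after use
        return true;
    }

    public static void main(String[] args) {
        QueuedCreate op = new QueuedCreate("jnovak", "sys:account:constructed-key");
        STORAGE.put(op.passwordKey(), "Generated-1x".toCharArray()); // constructed sample
        System.out.println("first attempt sent: " + sendCreate(op, true));
        System.out.println("retry sent: " + sendCreate(op, false));
        STORAGE.remove(op.passwordKey()); // simulate the lost secret from this defect
        try {
            sendCreate(op, false);
        } catch (IllegalStateException e) {
            System.out.println("retry blocked: " + e.getMessage());
        }
    }
}
```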

#8 Updated by Ondřej Kopr 5 months ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Ondřej Kopr to Vít Švanda
  • Priority changed from High to Normal
  • Target version set to Opal (9.4.0-rc.1)
  • % Done changed from 70 to 90

The bug was fixed. Provisioning operation now contains generated password for connector object and account object. Test is included.

Commit: https://github.com/bcvsolutions/CzechIdMng/commit/bc7370d4bcd63f2a8223530706ea5ee3cb8f910b (branch develop)
commit test: https://github.com/bcvsolutions/CzechIdMng/commit/6c6bc23b876961a7481c7729bc5f47d571f57349 (branch develop)

Vitek, could you please do a review? The issue can be simulated only with a read-only system.

#9 Updated by Ondřej Kopr 5 months ago

I had to remove TestResource_ from the tests because the metamodel on Jenkins doesn't work as I expect.
Commit: https://github.com/bcvsolutions/CzechIdMng/commit/1aee82a7328c0cc6b45372ecc306e66bbfd4f7cc (develop)

#10 Updated by Ondřej Kopr 5 months ago

  • Related to Defect #1392: Audit can't be viewed after retrying a password change or account create added

#11 Updated by Alena Peterová 5 months ago

It works now correctly, thank you.

#12 Updated by Vít Švanda 4 months ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Vít Švanda to Ondřej Kopr
  • % Done changed from 90 to 100

I did a review and tested it. Works fine, thanks for that.

#13 Updated by Ondřej Kopr 4 months ago

  • Status changed from Resolved to Closed
