Task #1719

Improve error message

Added by Tomáš Doischer over 1 year ago. Updated 7 months ago.

Status: Closed
Priority: Low
Category: Scripts
Target version:
Start date: 06/12/2019
Due date:
% Done: 100%
Estimated time:
Milestones:

Description

When creating a transformation script, an error is reported in a mysterious way. This is the script:

    import eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto;
    import eu.bcvsolutions.idm.acc.exception.SynchronizationException;
    import eu.bcvsolutions.idm.core.api.dto.filter.IdmIdentityFilter;
    import java.util.Collections$UnmodifiableRandomAccessList;

    IdmIdentityFilter filter = new IdmIdentityFilter();
    filter.setExternalCode(attributeValue);

    List identities = new ArrayList();
    identities = identityService.find(filter, null).getContent();
    if (!identities.isEmpty()) {
        return identities.get(0); //error here, should be return identities.get(0).getId();
    }

    return null;

The issue with the script is that it returns IdmIdentityDto but it should return an ID. However, it returns this error from which this issue is basically impossible to find:

2019-06-12T13:14:27.757+02:00: eu.bcvsolutions.idm.core.security.exception.IdmSecurityException: Script did not pass security inspection!
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultGroovyScriptService.evaluate(DefaultGroovyScriptService.java:87)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService.transformValueFromResource(DefaultSysSystemAttributeMappingService.java:238)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService.transformValueFromResource(DefaultSysSystemAttributeMappingService.java:218)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService.getValueByMappedAttribute(DefaultSysSystemAttributeMappingService.java:635)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService.getUidValueFromResource(DefaultSysSystemAttributeMappingService.java:642)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService$$FastClassBySpringCGLIB$$507e7707.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:651)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService$$EnhancerBySpringCGLIB$$29f4e3f1.getUidValueFromResource(<generated>)
    at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.generateUID(AbstractSynchronizationExecutor.java:1800)
    at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.findAccount(AbstractSynchronizationExecutor.java:1763)
    at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.doItemSynchronization(AbstractSynchronizationExecutor.java:339)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService.doItemSynchronization(DefaultSynchronizationService.java:219)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService$$FastClassBySpringCGLIB$$66d7ee75.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:720)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
    at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
    at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:281)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:655)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService$$EnhancerBySpringCGLIB$$65f85efb.doItemSynchronization(<generated>)
    at eu.bcvsolutions.idm.acc.event.processor.synchronization.SynchronizationItemProcessor.process(SynchronizationItemProcessor.java:52)
    at eu.bcvsolutions.idm.core.api.event.AbstractEntityEventProcessor.onApplicationEvent(AbstractEntityEventProcessor.java:243)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:166)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:138)
    at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:381)
    at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:348)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager.process(DefaultEntityEventManager.java:245)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager.process(DefaultEntityEventManager.java:175)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager$$FastClassBySpringCGLIB$$1694e58f.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:720)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
    at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
    at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:281)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:655)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager$$EnhancerBySpringCGLIB$$394d8489.process(<generated>)
    at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.startItemSynchronization(AbstractSynchronizationExecutor.java:569)
    at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.handleIcObject(AbstractSynchronizationExecutor.java:521)
    at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor$DefaultResultHandler.handle(AbstractSynchronizationExecutor.java:2266)
    at eu.bcvsolutions.idm.ic.connid.service.impl.ConnIdIcConnectorService$2.handle(ConnIdIcConnectorService.java:250)
    at org.identityconnectors.framework.impl.api.StreamHandlerUtil$ObjectStreamHandlerAdapter.handle(StreamHandlerUtil.java:101)
    at org.identityconnectors.framework.impl.api.BufferedResultsProxy.invoke(BufferedResultsProxy.java:262)
    at org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:94)
    at com.sun.proxy.$Proxy359.search(Unknown Source)
    at org.identityconnectors.framework.impl.api.AbstractConnectorFacade.search(AbstractConnectorFacade.java:179)
    at eu.bcvsolutions.idm.ic.connid.service.impl.ConnIdIcConnectorService.pageSearch(ConnIdIcConnectorService.java:272)
    at eu.bcvsolutions.idm.ic.connid.service.impl.ConnIdIcConnectorService.search(ConnIdIcConnectorService.java:267)
    at eu.bcvsolutions.idm.ic.service.impl.DefaultIcConnectorFacade.search(DefaultIcConnectorFacade.java:114)
    at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.process(AbstractSynchronizationExecutor.java:256)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService.startSynchronization(DefaultSynchronizationService.java:190)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService$$FastClassBySpringCGLIB$$66d7ee75.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:651)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService$$EnhancerBySpringCGLIB$$65f85efb.startSynchronization(<generated>)
    at eu.bcvsolutions.idm.acc.scheduler.task.impl.SynchronizationSchedulableTaskExecutor.process(SynchronizationSchedulableTaskExecutor.java:65)
    at eu.bcvsolutions.idm.acc.scheduler.task.impl.SynchronizationSchedulableTaskExecutor.process(SynchronizationSchedulableTaskExecutor.java:28)
    at eu.bcvsolutions.idm.core.scheduler.api.service.AbstractLongRunningTaskExecutor.call(AbstractLongRunningTaskExecutor.java:189)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at org.springframework.security.concurrent.DelegatingSecurityContextRunnable.run(DelegatingSecurityContextRunnable.java:80)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.SecurityException: Script wants to use unauthorized class: [class eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto] 
    at eu.bcvsolutions.idm.core.security.domain.GroovySandboxFilter.filter(GroovySandboxFilter.java:123)
    at org.kohsuke.groovy.sandbox.GroovyValueFilter.filterReturnValue(GroovyValueFilter.java:26)
    at org.kohsuke.groovy.sandbox.GroovyValueFilter.onMethodCall(GroovyValueFilter.java:58)
    at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:148)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:145)
    at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)
    at Script1.run(Script1.groovy:12)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultGroovyScriptService.evaluate(DefaultGroovyScriptService.java:79)
    ... 66 more
scriptError.png (29.8 KB) Vít Švanda, 05/13/2020 02:06 PM

Related issues

Related to CzechIdM - Task #479: Show more details on script execution exception, Closed, 06/02/2017

History

#1 Updated by Radek Tomiška 8 months ago

  • Assignee changed from Ondřej Kopr to Radek Tomiška

#2 Updated by Radek Tomiška 8 months ago

  • Assignee changed from Radek Tomiška to Ondrej Husník

#3 Updated by Radek Tomiška 8 months ago

  • Related to Task #479: Show more details on script execution exception added

#4 Updated by Vít Švanda 8 months ago

  • Target version set to 10.3.0

#5 Updated by Marek Klement 8 months ago

Thanks for providing this ticket - it helped me solve the same issue.

Here is the log before the issue:


2020-04-14 19:59:29.731  INFO 141293 --- [task-executor-4] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [core-role-code-environment-processor]([core]) end for [RoleEvent [type: CREATE, content: eu.bcvsolutions.idm.core.api.dto.IdmRoleDto [code=fs_ustr_SI], properties: {skip_provisioning=true}]] with order [-100].
2020-04-14 19:59:29.731  INFO 141293 --- [task-executor-4] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [role-save-processor]([core]) start for [RoleEvent [type: CREATE, content: eu.bcvsolutions.idm.core.api.dto.IdmRoleDto [code=fs_ustr_SI], properties: {skip_provisioning=true}]] with order [0].
2020-04-14 19:59:29.737  INFO 141293 --- [task-executor-4] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [role-save-processor]([core]) end for [RoleEvent [type: CREATE, content: eu.bcvsolutions.idm.core.api.dto.IdmRoleDto [code=fs_ustr_SI], properties: {skip_provisioning=true}]] with order [0].
2020-04-14 19:59:29.737  INFO 141293 --- [task-executor-4] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [core-formable-save-processor]([core]) start for [RoleEvent [type: CREATE, content: eu.bcvsolutions.idm.core.api.dto.IdmRoleDto [code=fs_ustr_SI], properties: {skip_provisioning=true}]] with order [50].
2020-04-14 19:59:29.737  INFO 141293 --- [task-executor-4] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [core-formable-save-processor]([core]) end for [RoleEvent [type: CREATE, content: eu.bcvsolutions.idm.core.api.dto.IdmRoleDto [code=fs_ustr_SI], properties: {skip_provisioning=true}]] with order [50].
2020-04-14 19:59:29.737  INFO 141293 --- [task-executor-4] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [role-publish-change-processor]([core]) start for [RoleEvent [type: CREATE, content: eu.bcvsolutions.idm.core.api.dto.IdmRoleDto [code=fs_ustr_SI], properties: {skip_provisioning=true}]] with order [10000].
2020-04-14 19:59:29.739  INFO 141293 --- [task-executor-4] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [role-publish-change-processor]([core]) end for [RoleEvent [type: CREATE, content: eu.bcvsolutions.idm.core.api.dto.IdmRoleDto [code=fs_ustr_SI], properties: {skip_provisioning=true}]] with order [10000].
2020-04-14 19:59:29.739  INFO 141293 --- [task-executor-4] e.b.i.c.m.s.i.DefaultEntityEventManager  : Event [RoleEvent [type: CREATE, content: eu.bcvsolutions.idm.core.api.dto.IdmRoleDto [code=fs_ustr_SI], properties: {skip_provisioning=true}]] is completed
Started script for CN=Klement Marek,OU=Praha,OU=BCV,OU=BCV,DC=bcvcr,DC=cz
2020-04-14 19:59:29.761 ERROR 141293 --- [task-executor-4] e.b.i.c.m.s.i.DefaultGroovyScriptService : SecurityException [Script wants to use unauthorized class: [class eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto] ]
2020-04-14 19:59:29.761  WARN 141293 --- [task-executor-4] o.a.e.i.b.b.ScriptTaskActivityBehavior   : Exception while executing scripttask1 : problem evaluating script: javax.script.ScriptException: eu.bcvsolutions.idm.core.security.exception.IdmSecurityException: Script did not pass security inspection!
2020-04-14 19:59:29.765 ERROR 141293 --- [task-executor-4] o.a.e.impl.interceptor.CommandContext    : Error while closing command context

org.activiti.engine.ActivitiException: problem evaluating script: javax.script.ScriptException: eu.bcvsolutions.idm.core.security.exception.IdmSecurityException: Script did not pass security inspection!
        at org.activiti.engine.impl.scripting.ScriptingEngines.evaluate(ScriptingEngines.java:89)
        at org.activiti.engine.impl.scripting.ScriptingEngines.evaluate(ScriptingEngines.java:73)
        at org.activiti.engine.impl.bpmn.behavior.ScriptTaskActivityBehavior.execute(ScriptTaskActivityBehavior.java:78)
        at org.activiti.engine.impl.pvm.runtime.AtomicOperationActivityExecute.execute(AtomicOperationActivityExecute.java:60)
        at org.activiti.engine.impl.interceptor.CommandContext.performOperation(CommandContext.java:97)
        at org.activiti.engine.impl.persistence.entity.ExecutionEntity.performOperationSync(ExecutionEntity.java:650)
        at org.activiti.engine.impl.persistence.entity.ExecutionEntity.performOperation(ExecutionEntity.java:643)
        at org.activiti.engine.impl.pvm.runtime.AtomicOperationTransitionNotifyListenerStart.eventNotificationsCompleted(AtomicOperationTransitionNotifyListenerStart.java:52)
        at org.activiti.engine.impl.pvm.runtime.AbstractEventAtomicOperation.execute(AbstractEventAtomicOperation.java:56)
        at org.activiti.engine.impl.interceptor.CommandContext.performOperation(CommandContext.java:97)
        at org.activiti.engine.impl.persistence.entity.ExecutionEntity.performOperationSync(ExecutionEntity.java:650)

#6 Updated by Ondrej Husník 7 months ago

  • Status changed from New to In Progress

#7 Updated by Ondrej Husník 7 months ago

  • Assignee changed from Ondrej Husník to Radek Tomiška
  • % Done changed from 0 to 80

In this task, some additional information was added to the exception raised when a transformation script fails. This information contains the original message, the location of the script invocation (system, mapping, attribute) and the name of the used script (or all invoked scripts when the failing script was nested).

Could you please give me feedback?

https://github.com/bcvsolutions/CzechIdMng/commit/8ee258c872a7387bb70a88f78cabb2c39b59dfbb

#8 Updated by Radek Tomiška 7 months ago

  • Assignee changed from Radek Tomiška to Vít Švanda

#9 Updated by Vít Švanda 7 months ago

  • Status changed from In Progress to Needs feedback

#10 Updated by Vít Švanda 7 months ago

  • Status changed from Needs feedback to In Progress
  • Assignee changed from Vít Švanda to Ondrej Husník

I did a review and I found these issues:

  • ExceptionUtils.getParameterChainByKey ... getting the parameter (scriptCode) should be based on the IdmSecurityException and GROOVY_SCRIPT_EXCEPTION ... not on the parameter name.
  • "scriptCode" and the others should be constants.
  • AbstractScriptEvaluator ... you are changing the result model ... it is not correct.
  • AbstractSynchronizationExecutor.loggingException - I want to see the trace of the result code ... if it exists.
  • DefaultSysSystemAttributeMappingService.transformValueToResource - You catch only the result code exception, why?
  • GROOVY_SCRIPT_ATTR_TRANSFORMATION_FAILED - transformations are a part of the ACC module -> this result code cannot be in the Core module.
  • Maybe some tests are missing (for example for the case where the exception is not secured or not a result code ...).

#11 Updated by Ondrej Husník 7 months ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Ondrej Husník to Vít Švanda

Parts were changed according to the code review, tests broken by the changed approach were fixed, and some new tests of the implemented changes were added.
The default behavior when throwing an exception was slightly changed. During a transformation script failure, a SecurityException was often thrown (as a reaction to using a class which is not listed among the allowed ones), which was enveloped into an IdmSecurityException and propagated further. This exception is now also caught and enveloped into a ResultCodeException of the GROOVY_SCRIPT_ATTR_TRANSFORMATION_FAILED type. This exception carries additional information saying where the problem occurred.

Could you please give me feedback?

https://github.com/bcvsolutions/CzechIdMng/commit/602eb2d955ca460c11dbe489011ac7c87146492d
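
The wrapping described in note #11, shown as an added example that is not CzechIdM's code and not part of any comment in this ticket: a sandbox rejection is kept as the cause while the failure gains the script chain and the invocation location. All class names, the allow-list and the sample system, mapping, attribute and script names are hypothetical.

```java
import java.util.*;
import java.util.function.Supplier;

public class TransformationErrorDemo {
    static class IdentityDto { final UUID id = UUID.randomUUID(); }  // stand-in DTO

    // Constructed allow-list; a real sandbox keeps its own list of permitted classes.
    static final Set<Class<?>> ALLOWED = new HashSet<>(Arrays.asList(String.class, UUID.class));

    /** Raised by the evaluator; collects the codes of all scripts on the failing call path. */
    static class ScriptFailure extends RuntimeException {
        final List<String> scripts = new ArrayList<>();
        ScriptFailure(String script, Throwable cause) {
            super("Script did not pass security inspection!", cause);
            scripts.add(script);
        }
    }

    /** Runs one script body and applies the allow-list to its return value. */
    static Object evaluate(String scriptCode, Supplier<Object> body) {
        try {
            Object value = body.get();
            if (value != null && !ALLOWED.contains(value.getClass())) {
                throw new SecurityException("Script wants to use unauthorized class: [" + value.getClass() + "]");
            }
            return value;
        } catch (ScriptFailure nested) {
            nested.scripts.add(0, scriptCode);  // a nested script failed: put the caller first
            throw nested;
        } catch (SecurityException e) {
            throw new ScriptFailure(scriptCode, e);  // keep the sandbox exception as the cause
        }
    }

    /** Transformation boundary: adds system, mapping and attribute to the failure. */
    static Object transform(String system, String mapping, String attribute,
                            String scriptCode, Supplier<Object> body) {
        try {
            return evaluate(scriptCode, body);
        } catch (ScriptFailure e) {
            throw new IllegalStateException(String.format(
                "Transformation failed: system=[%s], mapping=[%s], attribute=[%s], scripts=%s, cause=[%s]",
                system, mapping, attribute, e.scripts, e.getCause().getMessage()), e);
        }
    }

    public static void main(String[] args) {
        try {
            // Outer script calls a nested one that returns the DTO instead of its id.
            transform("HR system", "Identity sync", "owner", "findOwner",
                () -> evaluate("lookupIdentity", IdentityDto::new));
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The printed message names both scripts in call order and the rejected class, while the original SecurityException stays reachable through the cause chain for the server log.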

#12 Updated by Vít Švanda 7 months ago

  • File scriptError.png added
  • Status changed from Needs feedback to Resolved
  • Assignee changed from Vít Švanda to Ondrej Husník
  • % Done changed from 80 to 100

I did a review and test. I like this feature ... especially the location of the wrong script is awesome and useful.

From the UX view, I have one suggestion for future improvements.
The FE error message isn't nice now. I would like to see some unordered list here. I know, using <ul><li> is not possible in error messages (for security reasons), but it could be nicer. I can help with this.

#13 Updated by Radek Tomiška 7 months ago

  • Status changed from Resolved to Closed
