Task #1719

closed

Improve error message

Added by Tomáš Doischer almost 5 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Low
Assignee: Ondrej Husník
Category: Scripts
Target version:
Start date: 06/12/2019
Due date:
% Done: 100%
Estimated time:
Owner:

Description

When creating a transformation script, an error is reported in a mysterious way. This is the script:

    import eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto;
    import eu.bcvsolutions.idm.acc.exception.SynchronizationException;
    import eu.bcvsolutions.idm.core.api.dto.filter.IdmIdentityFilter;
    import java.util.Collections$UnmodifiableRandomAccessList;

    IdmIdentityFilter filter = new IdmIdentityFilter();
    filter.setExternalCode(attributeValue);

    List identities = new ArrayList();
    identities = identityService.find(filter, null).getContent();
    if (!identities.isEmpty()) {
        return identities.get(0); //error here, should be return identities.get(0).getId();
    }

    return null;

The issue with the script is that it returns IdmIdentityDto but it should return an ID. However, it returns this error from which this issue is basically impossible to find:

2019-06-12T13:14:27.757+02:00: eu.bcvsolutions.idm.core.security.exception.IdmSecurityException: Script did not pass security inspection!
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultGroovyScriptService.evaluate(DefaultGroovyScriptService.java:87)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService.transformValueFromResource(DefaultSysSystemAttributeMappingService.java:238)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService.transformValueFromResource(DefaultSysSystemAttributeMappingService.java:218)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService.getValueByMappedAttribute(DefaultSysSystemAttributeMappingService.java:635)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService.getUidValueFromResource(DefaultSysSystemAttributeMappingService.java:642)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService$$FastClassBySpringCGLIB$$507e7707.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:651)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSysSystemAttributeMappingService$$EnhancerBySpringCGLIB$$29f4e3f1.getUidValueFromResource(<generated>)
    at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.generateUID(AbstractSynchronizationExecutor.java:1800)
    at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.findAccount(AbstractSynchronizationExecutor.java:1763)
    at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.doItemSynchronization(AbstractSynchronizationExecutor.java:339)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService.doItemSynchronization(DefaultSynchronizationService.java:219)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService$$FastClassBySpringCGLIB$$66d7ee75.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:720)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
    at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
    at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:281)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:655)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService$$EnhancerBySpringCGLIB$$65f85efb.doItemSynchronization(<generated>)
    at eu.bcvsolutions.idm.acc.event.processor.synchronization.SynchronizationItemProcessor.process(SynchronizationItemProcessor.java:52)
    at eu.bcvsolutions.idm.core.api.event.AbstractEntityEventProcessor.onApplicationEvent(AbstractEntityEventProcessor.java:243)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:166)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:138)
    at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:381)
    at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:348)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager.process(DefaultEntityEventManager.java:245)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager.process(DefaultEntityEventManager.java:175)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager$$FastClassBySpringCGLIB$$1694e58f.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:720)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
    at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
    at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:281)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:655)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultEntityEventManager$$EnhancerBySpringCGLIB$$394d8489.process(<generated>)
    at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.startItemSynchronization(AbstractSynchronizationExecutor.java:569)
    at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.handleIcObject(AbstractSynchronizationExecutor.java:521)
    at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor$DefaultResultHandler.handle(AbstractSynchronizationExecutor.java:2266)
    at eu.bcvsolutions.idm.ic.connid.service.impl.ConnIdIcConnectorService$2.handle(ConnIdIcConnectorService.java:250)
    at org.identityconnectors.framework.impl.api.StreamHandlerUtil$ObjectStreamHandlerAdapter.handle(StreamHandlerUtil.java:101)
    at org.identityconnectors.framework.impl.api.BufferedResultsProxy.invoke(BufferedResultsProxy.java:262)
    at org.identityconnectors.framework.impl.api.DelegatingTimeoutProxy.invoke(DelegatingTimeoutProxy.java:94)
    at com.sun.proxy.$Proxy359.search(Unknown Source)
    at org.identityconnectors.framework.impl.api.AbstractConnectorFacade.search(AbstractConnectorFacade.java:179)
    at eu.bcvsolutions.idm.ic.connid.service.impl.ConnIdIcConnectorService.pageSearch(ConnIdIcConnectorService.java:272)
    at eu.bcvsolutions.idm.ic.connid.service.impl.ConnIdIcConnectorService.search(ConnIdIcConnectorService.java:267)
    at eu.bcvsolutions.idm.ic.service.impl.DefaultIcConnectorFacade.search(DefaultIcConnectorFacade.java:114)
    at eu.bcvsolutions.idm.acc.service.impl.AbstractSynchronizationExecutor.process(AbstractSynchronizationExecutor.java:256)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService.startSynchronization(DefaultSynchronizationService.java:190)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService$$FastClassBySpringCGLIB$$66d7ee75.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:651)
    at eu.bcvsolutions.idm.acc.service.impl.DefaultSynchronizationService$$EnhancerBySpringCGLIB$$65f85efb.startSynchronization(<generated>)
    at eu.bcvsolutions.idm.acc.scheduler.task.impl.SynchronizationSchedulableTaskExecutor.process(SynchronizationSchedulableTaskExecutor.java:65)
    at eu.bcvsolutions.idm.acc.scheduler.task.impl.SynchronizationSchedulableTaskExecutor.process(SynchronizationSchedulableTaskExecutor.java:28)
    at eu.bcvsolutions.idm.core.scheduler.api.service.AbstractLongRunningTaskExecutor.call(AbstractLongRunningTaskExecutor.java:189)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at org.springframework.security.concurrent.DelegatingSecurityContextRunnable.run(DelegatingSecurityContextRunnable.java:80)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.SecurityException: Script wants to use unauthorized class: [class eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto] 
    at eu.bcvsolutions.idm.core.security.domain.GroovySandboxFilter.filter(GroovySandboxFilter.java:123)
    at org.kohsuke.groovy.sandbox.GroovyValueFilter.filterReturnValue(GroovyValueFilter.java:26)
    at org.kohsuke.groovy.sandbox.GroovyValueFilter.onMethodCall(GroovyValueFilter.java:58)
    at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:148)
    at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:145)
    at org.kohsuke.groovy.sandbox.impl.Checker$checkedCall$0.callStatic(Unknown Source)
    at Script1.run(Script1.groovy:12)
    at eu.bcvsolutions.idm.core.model.service.impl.DefaultGroovyScriptService.evaluate(DefaultGroovyScriptService.java:79)
    ... 66 more

Files

scriptError.png (29.8 KB), Vít Švanda, 05/13/2020 02:06 PM

Related issues

Related to IdStory Identity Manager - Task #479: Show more details on script execution exception (Closed, Ondrej Husník, 06/02/2017)

Actions #1

Updated by Radek Tomiška almost 4 years ago

  • Assignee changed from Ondřej Kopr to Radek Tomiška
Actions #2

Updated by Radek Tomiška almost 4 years ago

  • Assignee changed from Radek Tomiška to Ondrej Husník
Actions #3

Updated by Radek Tomiška almost 4 years ago

  • Related to Task #479: Show more details on script execution exception added
Actions #4

Updated by Vít Švanda almost 4 years ago

  • Target version set to 10.3.0
Actions #5

Updated by Marek Klement almost 4 years ago

Thanks for providing this ticket - it helped me with solving the same issue.

Here is the log before the issue:


2020-04-14 19:59:29.731  INFO 141293 --- [task-executor-4] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [core-role-code-environment-processor]([core]) end for [RoleEvent [type: CREATE, content: eu.bcvsolutions.idm.core.api.dto.IdmRoleDto [code=fs_ustr_SI], properties: {skip_provisioning=true}]] with order [-100].
2020-04-14 19:59:29.731  INFO 141293 --- [task-executor-4] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [role-save-processor]([core]) start for [RoleEvent [type: CREATE, content: eu.bcvsolutions.idm.core.api.dto.IdmRoleDto [code=fs_ustr_SI], properties: {skip_provisioning=true}]] with order [0].
2020-04-14 19:59:29.737  INFO 141293 --- [task-executor-4] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [role-save-processor]([core]) end for [RoleEvent [type: CREATE, content: eu.bcvsolutions.idm.core.api.dto.IdmRoleDto [code=fs_ustr_SI], properties: {skip_provisioning=true}]] with order [0].
2020-04-14 19:59:29.737  INFO 141293 --- [task-executor-4] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [core-formable-save-processor]([core]) start for [RoleEvent [type: CREATE, content: eu.bcvsolutions.idm.core.api.dto.IdmRoleDto [code=fs_ustr_SI], properties: {skip_provisioning=true}]] with order [50].
2020-04-14 19:59:29.737  INFO 141293 --- [task-executor-4] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [core-formable-save-processor]([core]) end for [RoleEvent [type: CREATE, content: eu.bcvsolutions.idm.core.api.dto.IdmRoleDto [code=fs_ustr_SI], properties: {skip_provisioning=true}]] with order [50].
2020-04-14 19:59:29.737  INFO 141293 --- [task-executor-4] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [role-publish-change-processor]([core]) start for [RoleEvent [type: CREATE, content: eu.bcvsolutions.idm.core.api.dto.IdmRoleDto [code=fs_ustr_SI], properties: {skip_provisioning=true}]] with order [10000].
2020-04-14 19:59:29.739  INFO 141293 --- [task-executor-4] e.b.i.c.a.e.AbstractEntityEventProcessor : Processor [role-publish-change-processor]([core]) end for [RoleEvent [type: CREATE, content: eu.bcvsolutions.idm.core.api.dto.IdmRoleDto [code=fs_ustr_SI], properties: {skip_provisioning=true}]] with order [10000].
2020-04-14 19:59:29.739  INFO 141293 --- [task-executor-4] e.b.i.c.m.s.i.DefaultEntityEventManager  : Event [RoleEvent [type: CREATE, content: eu.bcvsolutions.idm.core.api.dto.IdmRoleDto [code=fs_ustr_SI], properties: {skip_provisioning=true}]] is completed
Started script for CN=Klement Marek,OU=Praha,OU=BCV,OU=BCV,DC=bcvcr,DC=cz2020-04-14 19:59:29.761 ERROR 141293 --- [task-executor-4] e.b.i.c.m.s.i.DefaultGroovyScriptService : SecurityException [Script wants to use unauthorized class: [class eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto] ]
2020-04-14 19:59:29.761  WARN 141293 --- [task-executor-4] o.a.e.i.b.b.ScriptTaskActivityBehavior   : Exception while executing scripttask1 : problem evaluating script: javax.script.ScriptException: eu.bcvsolutions.idm.core.security.exception.IdmSecurityException: Script did not pass security inspection!
2020-04-14 19:59:29.765 ERROR 141293 --- [task-executor-4] o.a.e.impl.interceptor.CommandContext    : Error while closing command context

org.activiti.engine.ActivitiException: problem evaluating script: javax.script.ScriptException: eu.bcvsolutions.idm.core.security.exception.IdmSecurityException: Script did not pass security inspection!
        at org.activiti.engine.impl.scripting.ScriptingEngines.evaluate(ScriptingEngines.java:89)
        at org.activiti.engine.impl.scripting.ScriptingEngines.evaluate(ScriptingEngines.java:73)
        at org.activiti.engine.impl.bpmn.behavior.ScriptTaskActivityBehavior.execute(ScriptTaskActivityBehavior.java:78)
        at org.activiti.engine.impl.pvm.runtime.AtomicOperationActivityExecute.execute(AtomicOperationActivityExecute.java:60)
        at org.activiti.engine.impl.interceptor.CommandContext.performOperation(CommandContext.java:97)
        at org.activiti.engine.impl.persistence.entity.ExecutionEntity.performOperationSync(ExecutionEntity.java:650)
        at org.activiti.engine.impl.persistence.entity.ExecutionEntity.performOperation(ExecutionEntity.java:643)
        at org.activiti.engine.impl.pvm.runtime.AtomicOperationTransitionNotifyListenerStart.eventNotificationsCompleted(AtomicOperationTransitionNotifyListenerStart.java:52)
        at org.activiti.engine.impl.pvm.runtime.AbstractEventAtomicOperation.execute(AbstractEventAtomicOperation.java:56)
        at org.activiti.engine.impl.interceptor.CommandContext.performOperation(CommandContext.java:97)
        at org.activiti.engine.impl.persistence.entity.ExecutionEntity.performOperationSync(ExecutionEntity.java:650)

Actions #6

Updated by Ondrej Husník almost 4 years ago

  • Status changed from New to In Progress
Actions #7

Updated by Ondrej Husník almost 4 years ago

  • Assignee changed from Ondrej Husník to Radek Tomiška
  • % Done changed from 0 to 80

In this task, some additional information was added to the exception raised when a transformation script fails. This information contains the original message, the location of the script invocation (system, mapping, attribute) and the name of the script used (or all invoked scripts when the failing script was nested).

Could you please provide me with feedback?

https://github.com/bcvsolutions/CzechIdMng/commit/8ee258c872a7387bb70a88f78cabb2c39b59dfbb

Actions #8

Updated by Radek Tomiška almost 4 years ago

  • Assignee changed from Radek Tomiška to Vít Švanda
Actions #9

Updated by Vít Švanda almost 4 years ago

  • Status changed from In Progress to Needs feedback
Actions #10

Updated by Vít Švanda almost 4 years ago

  • Status changed from Needs feedback to In Progress
  • Assignee changed from Vít Švanda to Ondrej Husník

I did a review and I found these issues:

  • ExceptionUtils.getParameterChainByKey ... getting the parameter (scriptCode) should be based on the IdmSecurityException and GROOVY_SCRIPT_EXCEPTION ... not on the parameter name.
  • "scriptCode" and others should be constants.
  • AbstractScriptEvaluator ... you are changing the result model ... it is not correct.
  • AbstractSynchronizationExecutor.loggingException - I want to see the trace of the result code ... if it exists.
  • DefaultSysSystemAttributeMappingService.transformValueToResource - You catch only the result code exception, why?
  • GROOVY_SCRIPT_ATTR_TRANSFORMATION_FAILED - transformations are a part of the ACC module -> this result code cannot be in the Core module.
  • Maybe some tests are missing (for example, for the case where the exception is not secured or not resultcode ...)
Actions #11

Updated by Ondrej Husník almost 4 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Ondrej Husník to Vít Švanda

Parts were changed according to the code review, tests broken by the changed approach were fixed, and some new tests of the implemented changes were added.
The default behavior when throwing an exception was slightly changed. During a transformation script failure, a SecurityException was often thrown (as a reaction to using a class which is not listed among the allowed ones), which was enveloped into an IdmSecurityException and propagated further. This exception is now also caught and enveloped into a ResultCodeException of the GROOVY_SCRIPT_ATTR_TRANSFORMATION_FAILED type. This exception carries additional information saying where the problem occurred.

Could you please provide me with feedback?

https://github.com/bcvsolutions/CzechIdMng/commit/602eb2d955ca460c11dbe489011ac7c87146492d
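
Added example, not part of the original ticket and not CzechIdM's code: a plain-Java sketch of the pattern described in the comment above, where a sandbox `SecurityException` is caught and enveloped into an exception carrying the invocation location and the chain of nested script names. All class, method and sample names here (`TransformationFailedException`, `transform`, `runScript`, the allowlist, the "HR system" values) are hypothetical.

```java
import java.util.*;
import java.util.function.Supplier;

public class ScriptFailureContextDemo {

    /** Hypothetical wrapper: keeps the original cause and adds where the script was invoked. */
    static class TransformationFailedException extends RuntimeException {
        TransformationFailedException(String system, String mapping, String attribute,
                                      List<String> scriptChain, Throwable cause) {
            super("Transformation script failed: system=" + system + ", mapping=" + mapping
                    + ", attribute=" + attribute + ", scripts=" + String.join(" -> ", scriptChain)
                    + ", original message=" + cause.getMessage(), cause);
        }
    }

    // Constructed allowlist for the demo; a real sandbox carries its own list of permitted classes.
    static final Set<Class<?>> ALLOWED = Set.of(String.class, Integer.class, UUID.class);

    // Scripts currently executing, outermost first (single-threaded demo only).
    static final Deque<String> ACTIVE_SCRIPTS = new ArrayDeque<>();

    /** Stand-in for a sandbox value filter: rejects any value whose class is not allowlisted. */
    static Object filter(Object value) {
        if (value != null && !ALLOWED.contains(value.getClass())) {
            throw new SecurityException("Script wants to use unauthorized class: [" + value.getClass() + "]");
        }
        return value;
    }

    /** Runs a named script body and filters its result; nested calls extend the chain. */
    static Object runScript(String name, Supplier<Object> body) {
        ACTIVE_SCRIPTS.addLast(name);
        Object result = filter(body.get());
        ACTIVE_SCRIPTS.removeLast(); // reached only on success, so a failure leaves the chain intact
        return result;
    }

    /** Entry point used by the mapping: wraps any script failure with its location context. */
    static Object transform(String system, String mapping, String attribute,
                            String script, Supplier<Object> body) {
        try {
            return runScript(script, body);
        } catch (RuntimeException ex) { // includes SecurityException thrown by the filter
            throw new TransformationFailedException(system, mapping, attribute,
                    List.copyOf(ACTIVE_SCRIPTS), ex);
        } finally {
            ACTIVE_SCRIPTS.clear();
        }
    }

    record IdentityDto(String username) {} // constructed DTO that is not on the allowlist

    public static void main(String[] args) {
        try {
            // The nested script returns a DTO instead of an allowlisted value such as an ID.
            transform("HR system", "identity sync", "owner", "findOwner",
                    () -> runScript("lookupIdentity", () -> new IdentityDto("jdoe")));
        } catch (TransformationFailedException ex) {
            System.out.println(ex.getMessage() + " (cause: " + ex.getCause().getClass().getName() + ")");
        }
    }
}
```

The printed message names the system, mapping, attribute and both scripts in call order, while the original `SecurityException` remains available through `getCause()` for the log.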

Actions #12

Updated by Vít Švanda almost 4 years ago

  • File scriptError.png scriptError.png added
  • Status changed from Needs feedback to Resolved
  • Assignee changed from Vít Švanda to Ondrej Husník
  • % Done changed from 80 to 100

I did a review and test. I like this feature ... especially the location of the wrong script is awesome and useful.

From the UX view, I have one suggestion for future improvements.
The FE error message isn't nice now. I would like to see some unordered list here. I know that using <ul><li> is not possible in error messages (for security reasons), but it could be nicer. I can help with this.

Actions #13

Updated by Radek Tomiška almost 4 years ago

  • Status changed from Resolved to Closed