Defect #2210
closed
Provisioning brake removes connector server key when it starts braking
100%
Description
Version 9.7.2
- The system uses the remote connector server and has the provisioning brake for Delete operation, which is just before braking (1 already processed operation, 1 is the max limit)
- Try to delete an account so the provisioning operation is blocked by the brake
- The remote connector key of the system is changed, the system is no longer available - Bad password for remote connector server [localhost:8759]
Audit of all that happened in the same transaction:
Detail of the change in the SysSystem - delete operation is blocked (I don't know why it isn't highlighted):
Detail of the change of IdmConfidentialStorageValue - remoteServerPassword:
Updated by Radek Tomiška over 4 years ago
- Related to Defect #1729: After using Virtual system connector, you can't switch to remote connector server connectors added
Updated by Vít Švanda over 4 years ago
- Assignee changed from Vít Švanda to Ondrej Husník
- Target version set to 10.3.0
Updated by Ondrej Husník over 4 years ago
- Status changed from New to In Progress
Updated by Ondrej Husník over 4 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Ondrej Husník to Vít Švanda
- % Done changed from 0 to 90
It was necessary to prevent the overriding of the original password of the connector server by asterisks in the confidentialStorage when SystemDto is saved.
https://github.com/bcvsolutions/CzechIdMng/commit/1263c4e2009ab5b874a460ca1b45d0aa0271643e
Updated by Ondrej Husník over 4 years ago
- Status changed from Needs feedback to In Progress
- Assignee changed from Vít Švanda to Ondrej Husník
- % Done changed from 90 to 60
Updated by Ondrej Husník over 4 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Ondrej Husník to Vít Švanda
- % Done changed from 60 to 90
The previous solution was refactored, and currently a substitute string (asterisks) is returned in the remote server password only when requested from FE via REST.
A REST test covering the current changes in the system controller was also added.
https://github.com/bcvsolutions/CzechIdMng/commit/6c0dc4da8c3a4942f13961d7cedd20d27c9a8346
Updated by Vít Švanda over 4 years ago
- Status changed from Needs feedback to In Progress
- Assignee changed from Vít Švanda to Ondrej Husník
I did a review. I think it works correctly now, but I found these issues:
- I don't agree with the name of your new filter parameter "filterSetOutsideBE". From this I don't know what exactly this parameter does. I suggest renaming it to "includeRemoteServerPassword" with the comment "// Ensures check if remote server password exists. Only asterisk will be returned!".
- You are loading a password from confidential storage for every get now. This is an expensive operation and you can use your new filter parameter. It means you can load the password only if "isFilterSetOutsideBE" == true.
- In the ConnId service, you use the variable "char pass[]". This is not correct, because the password should be saved only in a guarded string object (for security reasons). I can get you a better explanation online.
Updated by Ondrej Husník over 4 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Ondrej Husník to Vít Švanda
Thank you for your feedback. I made the suggested changes. Hopefully the new context parameter name won't suffer from another trouble :)
https://github.com/bcvsolutions/CzechIdMng/commit/f6a39afec6e8b56631d2a8a1aec905243f1e45f0
Updated by Vít Švanda over 4 years ago
- Status changed from Needs feedback to Resolved
- Assignee changed from Vít Švanda to Ondrej Husník
- % Done changed from 90 to 100
I did a review and test. It was hard to simulate this scenario, but now it works correctly. Thanks for this.
Updated by Radek Tomiška over 4 years ago
- Status changed from Resolved to Closed
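
The failure mode discussed in this ticket, as an added example that is not part of the original thread and is not CzechIdM code: a DTO read with a masked password is saved back after an unrelated change, and the mask replaces the stored secret unless the save path treats it as "unchanged". All class, field and method names are hypothetical, and the secret is a constructed sample value.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration; every name here is hypothetical, not taken from CzechIdM.
public class MaskedSecretRoundTrip {
    static final String MASK = "*****"; // placeholder shown instead of the secret

    // Stand-in for a confidential storage, keyed by system name.
    static final Map<String, String> storage = new HashMap<>();

    // DTO as it travels between backend and frontend.
    static class SystemDto {
        String name;
        String remoteServerPassword;
        boolean blockedOperation;
        SystemDto(String name, String password) {
            this.name = name;
            this.remoteServerPassword = password;
        }
    }

    // Read for the frontend: only the mask leaves the backend, never the secret.
    static SystemDto getForFrontend(String name) {
        return new SystemDto(name, storage.containsKey(name) ? MASK : null);
    }

    // Defective save: persists whatever the DTO carries, including the mask.
    static void saveNaive(SystemDto dto) {
        storage.put(dto.name, dto.remoteServerPassword);
    }

    // Guarded save: a null or masked value means "unchanged", so the secret is kept.
    static void saveGuarded(SystemDto dto) {
        String p = dto.remoteServerPassword;
        if (p != null && !MASK.equals(p)) {
            storage.put(dto.name, p);
        }
    }

    public static void main(String[] args) {
        storage.put("sys", "constructed-secret"); // constructed sample value
        SystemDto dto = getForFrontend("sys");
        dto.blockedOperation = true;              // unrelated change to the same DTO
        saveGuarded(dto);
        System.out.println("after guarded save: " + storage.get("sys"));
        saveNaive(dto);
        System.out.println("after naive save:   " + storage.get("sys"));
    }
}
```

A save-side guard of this kind cannot store a password that happens to equal the mask, which is one reason to apply the mask only on the REST response, as the second fix in the thread does.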