Defect #2210

closed

Provisioning brake removes connector server key when it starts braking

Added by Alena Peterová almost 4 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Normal
Assignee: Ondrej Husník
Category: Systems
Target version:
Start date: 04/15/2020
Due date:
% Done: 100%
Estimated time:
Affected versions:
Owner:

Description

Version 9.7.2

  • The system uses the remote connector server and has the provisioning brake for Delete operation, which is just before braking (1 already processed operation, 1 is the max limit)
  • Try to delete an account so the provisioning operation is blocked by the brake
  • The remote connector key of the system is changed, the system is no longer available - Bad password for remote connector server [localhost:8759]

Audit of all that happened in the same transaction:

Detail of the change in the SysSystem - delete operation is blocked (I don't know why it isn't highlighted):

Detail of the change of IdmConfidentialStorageValue - remoteServerPassword:


Files

audit_blocked_operation.png (6.23 KB), Alena Peterová, 04/15/2020 04:57 PM
audit.png (31.9 KB), Alena Peterová, 04/15/2020 04:57 PM
audit_changed_key.png (44.8 KB), Alena Peterová, 04/15/2020 04:57 PM
system.png (50.5 KB), Alena Peterová, 04/15/2020 04:58 PM

Related issues

Related to IdStory Identity Manager - Defect #1729: After using Virtual system connector, you can't switch to remote connector server connectors (Closed, Ondrej Husník, 06/24/2019)

Actions #1

Updated by Radek Tomiška almost 4 years ago

  • Related to Defect #1729: After using Virtual system connector, you can't switch to remote connector server connectors added
Actions #2

Updated by Vít Švanda almost 4 years ago

  • Assignee changed from Vít Švanda to Ondrej Husník
  • Target version set to 10.3.0
Actions #3

Updated by Ondrej Husník almost 4 years ago

  • Status changed from New to In Progress
Actions #4

Updated by Ondrej Husník almost 4 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Ondrej Husník to Vít Švanda
  • % Done changed from 0 to 90

It was necessary to prevent the original password of the connector server from being overridden by asterisks in the confidentialStorage when SystemDto is saved.

https://github.com/bcvsolutions/CzechIdMng/commit/1263c4e2009ab5b874a460ca1b45d0aa0271643e

Actions #5

Updated by Ondrej Husník almost 4 years ago

  • Status changed from Needs feedback to In Progress
  • Assignee changed from Vít Švanda to Ondrej Husník
  • % Done changed from 90 to 60
Actions #6

Updated by Ondrej Husník almost 4 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Ondrej Husník to Vít Švanda
  • % Done changed from 60 to 90

The previous solution was refactored, and currently a substitute string (asterisks) is returned in the remote server password only when requested from the FE via REST.
A REST test covering the current changes in the system controller was also added.

https://github.com/bcvsolutions/CzechIdMng/commit/6c0dc4da8c3a4942f13961d7cedd20d27c9a8346
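
An added illustration of the failure discussed in this ticket, not code from the linked commits or from anyone in the thread: a DTO read back with the asterisk substitute is saved and the substitute replaces the stored secret, shown beside a read/save pair that leaves the secret alone. All class, method and value names are hypothetical, and the internal read-modify-save performed by the brake is an assumption drawn from the audit description. A plain String stands in for the secret to keep the sketch short.

```java
import java.util.HashMap;
import java.util.Map;
// Added illustration; every name here is hypothetical, not CzechIdM's own code.
public class MaskedSecretRoundTrip {
    static final String MASK = "*****"; // substitute string meant for the front end
    static final Map<String, String> confidentialStorage = new HashMap<>();
    static class SystemDto {
        final String name;
        String remotePassword; // null means "not loaded, leave unchanged"
        boolean deleteBlocked;
        SystemDto(String name) { this.name = name; }
    }

    // Before: every read carries the mask and save persists whatever the DTO holds.
    static SystemDto getMasked(String name) {
        SystemDto dto = new SystemDto(name);
        dto.remotePassword = MASK;
        return dto;
    }
    static void saveNaive(SystemDto dto) {
        confidentialStorage.put(dto.name, dto.remotePassword);
    }
    // After: internal reads carry no password; only the REST read adds the mask.
    static SystemDto getInternal(String name) { return new SystemDto(name); }
    static SystemDto getForRest(String name) {
        SystemDto dto = getInternal(name);
        if (confidentialStorage.containsKey(name)) dto.remotePassword = MASK;
        return dto;
    }
    // Save writes the secret only for a real new value, never for null or the mask.
    static void saveGuarded(SystemDto dto) {
        if (dto.remotePassword != null && !MASK.equals(dto.remotePassword)) {
            confidentialStorage.put(dto.name, dto.remotePassword);
        }
    }

    public static void main(String[] args) {
        confidentialStorage.put("ldap", "s3cret"); // constructed sample secret
        SystemDto dto = getMasked("ldap");
        dto.deleteBlocked = true; // the brake marks the Delete operation as blocked
        saveNaive(dto);           // stored secret is now the mask
        System.out.println("naive:   " + confidentialStorage.get("ldap"));
        confidentialStorage.put("ldap", "s3cret");
        dto = getForRest("ldap"); // worst case: a masked DTO is what gets saved
        dto.deleteBlocked = true;
        saveGuarded(dto);         // stored secret is untouched
        System.out.println("guarded: " + confidentialStorage.get("ldap"));
    }
}
```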

Actions #7

Updated by Vít Švanda almost 4 years ago

  • Status changed from Needs feedback to In Progress
  • Assignee changed from Vít Švanda to Ondrej Husník

I did a review. I think it works correctly now, but I found these issues:

- I don't agree with the name of your new filter parameter "filterSetOutsideBE". From this I don't know what exactly this parameter does. I suggest renaming it to "includeRemoteServerPassword" with the comment "// Ensures check if remote server password exists. Only asterisk will be returned!".
- You are loading a password from confidential storage for every get now. This is an expensive operation and you can use your new filter parameter. It means you can load the password only if "isFilterSetOutsideBE" == true.
- In the ConnId service, you use the variable "char pass[]". This is not correct, because the password should be saved only in a guarded string object (for security reasons). I can give you a better explanation online.

Actions #8

Updated by Ondrej Husník almost 4 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Ondrej Husník to Vít Švanda

Thank you for your feedback. I made the suggested changes. Hopefully the new context parameter name won't suffer from another trouble :)

https://github.com/bcvsolutions/CzechIdMng/commit/f6a39afec6e8b56631d2a8a1aec905243f1e45f0

Actions #9

Updated by Vít Švanda almost 4 years ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Vít Švanda to Ondrej Husník
  • % Done changed from 90 to 100

I did a review and test. It was hard to simulate this scenario, but now it works correctly. Thanks for this.

Actions #10

Updated by Radek Tomiška almost 4 years ago

  • Status changed from Resolved to Closed