Defect #2210

Provisioning brake removes connector server key when it starts braking

Added by Alena Peterová 8 months ago. Updated 7 months ago.

Status: Closed
Priority: Normal
Category: Systems
Target version:
Start date: 04/15/2020
Due date:
% Done: 100%
Estimated time:
Affected versions:
Milestones:

Description

Version 9.7.2

  • The system uses the remote connector server and has the provisioning brake for Delete operation, which is just before braking (1 already processed operation, 1 is the max limit)
  • Try to delete an account so the provisioning operation is blocked by the brake
  • The remote connector key of the system is changed, the system is no longer available - Bad password for remote connector server [localhost:8759]

Audit of all that happened in the same transaction:

Detail of the change in the SysSystem - delete operation is blocked (I don't know why it isn't highlighted):

Detail of the change of IdmConfidentialStorageValue - remoteServerPassword:

audit_blocked_operation.png (6.23 KB) Alena Peterová, 04/15/2020 04:57 PM
audit.png (31.9 KB) Alena Peterová, 04/15/2020 04:57 PM
audit_changed_key.png (44.8 KB) Alena Peterová, 04/15/2020 04:57 PM
system.png (50.5 KB) Alena Peterová, 04/15/2020 04:58 PM

Related issues

Related to CzechIdM - Defect #1729: After using Virtual system connector, you can't switch to remote connector server connectors (Closed, 06/24/2019)

History

#1 Updated by Radek Tomiška 8 months ago

  • Related to Defect #1729: After using Virtual system connector, you can't switch to remote connector server connectors added

#2 Updated by Vít Švanda 8 months ago

  • Assignee changed from Vít Švanda to Ondrej Husník
  • Target version set to 10.3.0

#3 Updated by Ondrej Husník 7 months ago

  • Status changed from New to In Progress

#4 Updated by Ondrej Husník 7 months ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Ondrej Husník to Vít Švanda
  • % Done changed from 0 to 90

It was necessary to prevent the original password of the connector server from being overwritten by asterisks in the confidentialStorage when SystemDto is saved.

https://github.com/bcvsolutions/CzechIdMng/commit/1263c4e2009ab5b874a460ca1b45d0aa0271643e

#5 Updated by Ondrej Husník 7 months ago

  • Status changed from Needs feedback to In Progress
  • Assignee changed from Vít Švanda to Ondrej Husník
  • % Done changed from 90 to 60

#6 Updated by Ondrej Husník 7 months ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Ondrej Husník to Vít Švanda
  • % Done changed from 60 to 90

The previous solution was refactored, and currently a substitute string (asterisks) is returned in the remote server password only when requested from the FE via REST.
A REST test covering the current changes in the system controller was also added.

https://github.com/bcvsolutions/CzechIdMng/commit/6c0dc4da8c3a4942f13961d7cedd20d27c9a8346
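
The failure mode discussed in this ticket (a masked password travelling back into the confidential storage on save), shown as an added Java example that is not CzechIdM code. All class and method names are hypothetical, and the storage is a plain map holding a constructed sample key.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration; every class and method name here is hypothetical, not CzechIdM code.
public class MaskedSecretRoundTrip {
    static final String MASK = "*****";
    // Stand-in for the confidential storage: system name -> connector server key.
    static final Map<String, String> storage = new HashMap<>();

    static class SystemDto {
        String name; boolean blocked; String remotePassword;
        SystemDto(String name, String remotePassword) { this.name = name; this.remotePassword = remotePassword; }
    }

    // Buggy shape: every read is masked, every save persists the field as received.
    static SystemDto getBuggy(String name) { return new SystemDto(name, MASK); }
    static void saveBuggy(SystemDto dto) { storage.put(dto.name, dto.remotePassword); }

    // Corrected shape: backend reads carry no secret; only the REST layer adds the mask.
    static SystemDto get(String name) { return new SystemDto(name, null); }
    static SystemDto toRest(SystemDto dto) {
        dto.remotePassword = storage.containsKey(dto.name) ? MASK : null;
        return dto;
    }
    static void save(SystemDto dto) {
        // Null or the mask means "unchanged"; only a genuinely new value is stored.
        if (dto.remotePassword != null && !MASK.equals(dto.remotePassword)) {
            storage.put(dto.name, dto.remotePassword);
        }
    }

    public static void main(String[] args) {
        storage.put("ldap", "s3cret-key");  // constructed sample value
        SystemDto dto = getBuggy("ldap");   // internal caller, e.g. a brake blocking the system
        dto.blocked = true;
        saveBuggy(dto);                     // the mask replaces the real key
        System.out.println("buggy save    -> " + storage.get("ldap"));

        storage.put("ldap", "s3cret-key");
        dto = get("ldap");
        dto.blocked = true;
        save(dto);                          // internal save leaves the key alone
        System.out.println("fixed save    -> " + storage.get("ldap"));
        save(toRest(get("ldap")));          // form posted back from the FE unchanged
        System.out.println("FE round trip -> " + storage.get("ldap"));
    }
}
```

Treating the mask as "unchanged" means a password that is literally the mask string can never be set; an explicit "password changed" flag on the DTO avoids that ambiguity.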

#7 Updated by Vít Švanda 7 months ago

  • Status changed from Needs feedback to In Progress
  • Assignee changed from Vít Švanda to Ondrej Husník

I did a review. I think it works correctly now, but I found these issues:

- I don't agree with the name of your new filter parameter "filterSetOutsideBE". From this I don't know what exactly this parameter does. I suggest renaming it to "includeRemoteServerPassword" with the comment "// Ensures check if remote server password exists. Only asterisk will be returned!".
- You are loading a password from confidential storage for every get now. This is an expensive operation and you can use your new filter parameter. It means you can load the password only if "isFilterSetOutsideBE" == true.
- In the ConnId service, you use the variable "char pass[]". This is not correct, because a password should be saved only in a guarded string object (for security reasons). I can give you a better explanation online.

#8 Updated by Ondrej Husník 7 months ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Ondrej Husník to Vít Švanda

Thank you for your feedback. I made the suggested changes. Hopefully the new context parameter name won't suffer from another trouble :)

https://github.com/bcvsolutions/CzechIdMng/commit/f6a39afec6e8b56631d2a8a1aec905243f1e45f0

#9 Updated by Vít Švanda 7 months ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Vít Švanda to Ondrej Husník
  • % Done changed from 90 to 100

I did a review and test. It was hard to simulate this scenario, but now it works correctly. Thanks for this.

#10 Updated by Radek Tomiška 7 months ago

  • Status changed from Resolved to Closed
