Project

General

Profile

Actions

Defect #3306

closed

For technical and other accounts is not possible to set password

Added by David Štekl almost 2 years ago. Updated over 1 year ago.

Status:
Rejected
Priority:
Normal
Assignee:
Peter Štrunc
Category:
Technical and other accounts
Target version:
Start date:
03/21/2023
Due date:
% Done:

100%

Estimated time:
Affected versions:
Owner:

Description

When creating a technical account technical or other accounts is not possible to set a password even if the attribute "__PASSWORD__" is part of the system mapping.
After creating technical or other account, the password is generated according to policies.

In the case of a technical account, it is not possible to change the password anywhere in IdM and the generated password cannot be determined.

For other user accounts is generated password sent by acc:newPassword notification and it is possible to change the password by standard way:

Example:


Files

clipboard-202303211326-w3ec8.png (113 KB) clipboard-202303211326-w3ec8.png David Štekl, 03/21/2023 12:26 PM
Actions #1

Updated by Tomáš Doischer almost 2 years ago

  • Sprint set to Sprint 13.1-3 (bře 22 - dub 05)
  • Target version set to 13.1.0
Actions #2

Updated by Peter Štrunc over 1 year ago

  • Status changed from New to In Progress
Actions #3

Updated by Peter Štrunc over 1 year ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Peter Štrunc to Tomáš Doischer
  • Priority changed from High to Normal
  • % Done changed from 0 to 50

I fixed an issue that would cause some attributes to not show in the wizard for systems, which have multiple schemas.

Now it is possible to set a password when creating a new account because the attribute is correctly displayed in the wizard. During an edit, however, the _ PASSWORD _ attribute is not shown, because it is not returned from the system by default.

Changing the password will be enabled by implementing password management for technical accounts, or overriding empty attributes from the schema.

Implementing those features will be implemented later, as the feature is not critical for our current projects. This is also the reason for lowering the priority of this ticket.

The Fix of the previously mentioned bug is here: hhttps://github.com/bcvsolutions/CzechIdMng/pull/360
@doischert could you check it out?

Actions #4

Updated by Tomáš Doischer over 1 year ago

  • Status changed from Needs feedback to In Progress
  • Assignee changed from Tomáš Doischer to Peter Štrunc

The bugfix was merged, LGTM.

We will need to add pwd management for technical accounts so I'll leave this ticket open.

Actions #5

Updated by Tomáš Doischer over 1 year ago

  • Sprint changed from Sprint 13.1-3 (bře 22 - dub 05) to Sprint 13.1-4 (dub 05 - dub 19)
Actions #6

Updated by Peter Štrunc over 1 year ago

here is my analysis of what has to be done in order to implement password management for Technical accounts.

Password management for technical accounts

Current state

Backend

PasswordChangeController
  • main entry point for password changes
  • passwordChange(UUID, PasswordChangeDto)
    • hardcoded IdmIdentityDto lookup
    • authenticates, if identity is not authenticated
      • for unauthenticated password change, or mustChange when logging in with expired password
    • Checks permission for password change after authentication
    • Calls identityService.passwordChange(identity, PasswordChangeDto)
      IdmIdentityService
  • Publishes IdmIdentityEvent.PASSWORD
    • identity-password-validate-processor(acc)
      • Fetches all identity accounts
      • Validates provided accounts (password change type)
      • Validates against system password policies for each account
    • identity-password-validate-processor(core)
      • Validates all aspects of password change (original pwd requirement, policies, change type)
    • identity-uniform-password-processor
      • Handles uniform password stuff and password filter echo
      • Uses identity only for account searches
    • identity-password-processor
      • saves PasswordDto and handles password age from idm password policy
    • core-identity-demo-change-processor
      • for monitoring changes on admin identity
    • identity-password-provisioning-processor
      • setup echo
      • call provisioningService.changePassword(identity, passwordChangeDto)
      • process results and handle password filter
    • identity-password-change-notification
      • Notifies identity of password change
        ProvisioningService
  • Calls provisioning executor changePassword
    • uses dto and PasswordChangeDto as input (no need for identity)

Frontend

All of frontend only works with identity and its accounts

PasswordChangeComponent
  • Renders form and sends requests to backend controller
  • hard coupling on identityManager and identityService
    PasswordChangeRoute
    PasswordRoute
    PasswordChangeForm

Requirements

Enable use case of changing account’s password from account detail
Support identity account and Technical accounts
Support accounts without owner (AccAccount)

Proposed changes

Backend

Introduce a new interface PasswordManageable
Extract common password management logic into common predecessors for all password processors
Move logic from PasswordController somewhere, where it can be generalized for different PasswordManageables
Move event type PASSWORD from IdmIdentityEventType to a new event type, which is not tied to IdmIdentity
  • Make all password processors react to this new event
    Update tests and write new ones for tech account password management

Frontend

Make PasswordChangeComponent take managers as a prop, so that we can supply correct managers
introduce new routes for password change on account detail
  • No need for other tabs such as Password details and Tokens, just change form
Actions #7

Updated by Tomáš Doischer over 1 year ago

  • Status changed from In Progress to Needs feedback
Actions #8

Updated by Tomáš Doischer over 1 year ago

  • Status changed from Needs feedback to In Progress
Actions #9

Updated by Tomáš Doischer over 1 year ago

  • Sprint deleted (Sprint 13.1-4 (dub 05 - dub 19))
Actions #10

Updated by Peter Štrunc over 1 year ago

  • Target version changed from 13.1.0 to 13.0.5
Actions #11

Updated by Peter Štrunc over 1 year ago

  • Status changed from In Progress to Rejected
  • % Done changed from 50 to 100

Implementation of password management is a new feature and will be implemented in a separate ticket https://redmine.czechidm.com/issues/3349

Actions

Also available in: Atom PDF