  1. MidPoint
  2. MID-4771

Check expressions in password policy do not apply when validating password


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.7.2
    • Fix Version/s: backlog
    • Component/s: Model
    • Labels:
      None
    • Subscription:
      No subscription (community)

      Description

      I've been testing this approach mentioned in MID-1657 and I think I may have found a bug.
      When validating a password the check expressions do not apply.

      Example:
      Using this check expression in my password value policy:

      <checkExpression>
          <expression>
              <script>
                  <code>
                      assert input != null
                      assert object != null
                      // object.getName() may be null (e.g. new shadow)
                      if (object instanceof com.evolveum.midpoint.xml.ns._public.common.common_3.UserType) {
                          return !basic.containsIgnoreCase(input, object.getName())
                      } else {
                          return true
                      }
                  </code>
              </script>
          </expression>
          <failureMessage>must not contain username</failureMessage>
      </checkExpression>
      

      It works when changing the password; however, it does not work when validating a password against a user:
      REST API call:

      https://127.0.0.1:8080/midpoint/ws/rest/users/400ab585-7d0d-44ea-acbb-4834c8b9dd8a/validate
      

      For this body:
      (being my value policy: 34a0d749-ea53-4095-8c90-6a89d1faeb51)

      <?xml version="1.0" encoding="UTF-8"?>
      <policyItemsDefinition xmlns="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
                xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
                xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
                xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
                xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
       <policyItemDefinition>
        <c:value>Abc@123#guybrush</c:value>
        <c:valuePolicyRef oid="34a0d749-ea53-4095-8c90-6a89d1faeb51" type="c:ValuePolicyType"/>
       </policyItemDefinition>
      </policyItemsDefinition>
      

      Seems like it does not recognise object as UserType and returns true via the else conditional:

      object instanceof ... UserType
      

      And the asserts break the processing.

            People

            • Assignee:
              Unassigned
              Reporter:
              alexandre.zia Alexandre Zia