JanssenProject / jans

An open source enterprise digital identity platform for CIAM or workforce... Janssen is a distribution of standards-based, developer friendly, components that are engineered to work together in any cloud. #OAuth #OpenID #FIDO
https://docs.jans.io
Apache License 2.0

fix(jans-config-api): `/api/v1/attributes` `POST` should allow to add attribute only if it is declared in schema #6446

Open duttarnab opened 8 months ago

duttarnab commented 8 months ago

Describe the bug

/api/v1/attributes POST should allow to add attribute if it is declared in schema. Otherwise it should throw an error like: The attribute 'attribute-name' is not defined in LDAP/MySql schema.

For example, the step below should be performed first; only then should the config-api attribute API allow adding the attribute.

in OpenDJ

https://docs.jans.io/v1.0.19/admin/auth-server/openid-features/user-claims/custom-claims/#step-2-make-entry-of-the-claim-in-opendj-schema

In RDBMS

https://docs.jans.io/v1.0.19/admin/auth-server/openid-features/user-claims/custom-claims/#step-2-make-entry-of-the-claim-in-mysql-schema

pujavs commented 7 months ago

Implemented check for LDAP and tested as per https://docs.jans.io/v1.0.19/admin/auth-server/openid-features/user-claims/custom-claims/#step-2-make-entry-of-the-claim-in-opendj-schema

However in Postgresql even though the attribute is added in jansPerson the verification is failing. https://docs.jans.io/v1.0.19/admin/auth-server/openid-features/user-claims/custom-claims/#step-2-make-entry-of-the-claim-in-mysql-schema. Have requested @yurem for guidance

yurem commented 7 months ago

@pujavs I think config-api, instead of scanning the schema, should try to call the ORM add/update method and catch the exception. From the exception it should get a clue whether it's a schema error or another one. In this case config-api will not depend on an ORM-specific implementation.

Can you add stack traces from an attempt to call ORM add/update when there is an undefined attribute? After that, in the places which throw exceptions we can add an error code to the exception or throw another one like UndefinedAttributeInSchemaError, etc.

pujavs commented 7 months ago

@yurem I will share the requested logs.

But I also need guidance on how to define a new custom attribute.

yurem commented 7 months ago

In other DB the process is similar to LDAP. We need to add custom attribute to table first and register it in UI. Here is link to docs.

pujavs commented 7 months ago

@yurem, ORM is not throwing any error if the attribute is not defined in the DB schema. I have tested with LDAP DB for now. The requirement is that it should allow adding an attribute **only if** it is declared in the schema, for all DB types.

If I call ORM add/update as per your suggestion then I am able to create an attribute that is not defined in the schema.

1. Logs: Search PujaNumber in the logs 6446_logs.zip
2. Screenshots for LDAP

Request your advice.

yurem commented 7 months ago

ou=attributes is our table to define Jans attributes metadata. DB schema <> ou=attributes. It's admin responsibility to maintain both.

But we can add to EntryManager method:

    private boolean hasSchemaAttribute(String key, String objectClass);

pujavs commented 7 months ago

The validateAttributeDefinition code works perfectly well for LDAP: https://github.com/GluuFederation/oxTrust/blob/master/server/src/main/java/org/gluu/oxtrust/action/UpdateAttributeAction.java#L354. We need a similar common method for all DB types. Will it be possible in ORM?

pujavs commented 7 months ago

@duttarnab, please confirm regarding urgency of this issue.

duttarnab commented 6 months ago

Hi @pujavs This issue does not have high priority.

pujavs commented 5 months ago

As per discussion with @yurem, ORM changes will be done for the same.

pujavs commented 4 months ago

@yurem getting an error when invoking the new method. Backend is MySQL.

1. Error: 23-02 15:59:51.019 ERROR configapi.service.auth.AttributeService AttributeService.java:137- Exception by ORM while validating attribute is: io.jans.orm.exception.MappingException: Object class isn't defined!
2. Code: https://github.com/JanssenProject/jans/blob/jans-config-api-issues/jans-config-api/server/src/main/java/io/jans/configapi/service/auth/AttributeService.java#L117 attribute.getName: emailPromotion.
3. Code snippet: AttributeType attributeType = persistenceEntryManager.getAttributeType("ou=people,o=jans", SimpleUser.class, attributeName);
4. Logs: 2024_02_23.jetty.log
5. DB Screenshot: (image)

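
The schema check discussed in this thread, written out as an added example (not the project's own code): config-api asks the ORM whether the attribute is declared for the people entry before accepting a POST to /api/v1/attributes, and treats the MappingException seen above as a validation failure rather than letting the request through. It assumes the getAttributeType call exactly as quoted in the previous comment, that it returns null for an undeclared attribute, and the package names marked as assumed in the imports.

```java
import io.jans.orm.PersistenceEntryManager;            // assumed package
import io.jans.orm.exception.MappingException;         // as logged in this thread
import io.jans.orm.model.AttributeType;                // assumed package
import io.jans.as.common.model.common.SimpleUser;      // assumed package

/** Rejects attribute definitions that are not backed by the persistence schema. */
public final class SchemaAttributeValidator {

    private static final String PEOPLE_BASE_DN = "ou=people,o=jans"; // from the thread
    private final PersistenceEntryManager persistenceEntryManager;

    public SchemaAttributeValidator(PersistenceEntryManager persistenceEntryManager) {
        this.persistenceEntryManager = persistenceEntryManager;
    }

    /**
     * Returns null when the attribute is declared in the LDAP/RDBMS schema,
     * otherwise the error message the API should send back with HTTP 400.
     */
    public String validate(String attributeName) {
        if (attributeName == null || attributeName.isBlank()) {
            return "Attribute name must not be empty.";
        }
        try {
            // Assumption: null means the column/attribute is not defined for the object class.
            AttributeType type = persistenceEntryManager.getAttributeType(
                    PEOPLE_BASE_DN, SimpleUser.class, attributeName);
            if (type == null) {
                return "The attribute '" + attributeName
                        + "' is not defined in LDAP/MySql schema.";
            }
            return null;
        } catch (MappingException e) {
            // e.g. "Object class isn't defined!" on MySQL: the ORM could not
            // resolve the object class, so the attribute cannot be trusted either.
            return "Cannot validate attribute '" + attributeName
                    + "' against the schema: " + e.getMessage();
        }
    }
}
```

In the REST resource, a non-null result short-circuits the create path with a 400 response so that ou=attributes never gains metadata for a column that the DB schema does not actually have.
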
pujavs commented 4 months ago

Tested custom attribute creation in MySQL and LDAP. Note: I had to restart LDAP as well as MySQL.

MySQL Screenshots

pujavs commented 4 months ago

PR 7814 raised for the same.

pujavs commented 4 months ago

@duttarnab, request you to please check and close the issue if the solution works as per expectation.

pujavs commented 4 months ago

@duttarnab, assigning the issue to you for verification. In case of any issue you can re-assign it to me.