WrenSecurity / wrenam

Community fork of OpenAM, an authentication and authorization system originally developed by ForgeRock.

Ssoadm sometimes tries to use closed LDAP connection #116

Closed pavelhoral closed 1 year ago

pavelhoral commented 1 year ago

There is an apparent race condition in ssoadm when running get-sub-cfg:

$ auth/bin/ssoadm get-sub-cfg -u amadmin -f pwd.txt -e /test -s sunEntitlementService -g registeredResourceTypes/UrlResourceType

lastModifiedDate=1684484002331
createdBy=id=dsameuser,ou=user,ou=wrenam,dc=wrensecurity,dc=org
lastModifiedBy=id=dsameuser,ou=user,ou=wrenam,dc=wrensecurity,dc=org
patterns=*://*:*/*
patterns=*://*:*/*?*
name=URL
description=
creationDate=1684484002331
actions=OPTIONS=true
actions=PUT=true
actions=PATCH=true
actions=POST=true
actions=DELETE=true
actions=HEAD=true
actions=GET=true

Sub Configuration registeredResourceTypes/UrlResourceType was retrieved from realm /test
Exception in thread "SystemTimer" java.lang.Error: java.lang.ExceptionInInitializerError
        at com.sun.identity.common.TimerPool$WorkerThread.run(TimerPool.java:542)
Caused by: java.lang.ExceptionInInitializerError
        at com.sun.identity.idm.IdRepoListener.getChangedIds(IdRepoListener.java:278)
        at com.sun.identity.idm.IdRepoListener.objectChanged(IdRepoListener.java:174)
        at com.sun.identity.idm.remote.IdRemoteEventListener.sendIdRepoNotification(IdRemoteEventListener.java:317)
        at com.sun.identity.idm.remote.IdRemoteEventListener$NotificationRunnable.run(IdRemoteEventListener.java:400)
        at com.sun.identity.common.TimerPool$WorkerThread.run(TimerPool.java:434)
Caused by: java.lang.IllegalStateException: CachedConnectionPool is already closed
        at org.forgerock.opendj.ldap.CachedConnectionPool.getConnectionAsync(CachedConnectionPool.java:792)
        at org.forgerock.opendj.ldap.CachedConnectionPool.getConnection(CachedConnectionPool.java:779)
        at com.sun.identity.sm.ldap.SMDataLayer.getConnection(SMDataLayer.java:107)
        at com.sun.identity.sm.ldap.SMSLdapObject.getConnection(SMSLdapObject.java:575)
        at com.sun.identity.sm.ldap.SMSLdapObject.read(SMSLdapObject.java:275)
        at com.sun.identity.sm.SMSEntry.read(SMSEntry.java:699)
        at com.sun.identity.sm.SMSEntry.read(SMSEntry.java:676)
        at com.sun.identity.sm.SMSEntry.<init>(SMSEntry.java:469)
        at com.sun.identity.sm.CachedSMSEntry.getInstance(CachedSMSEntry.java:377)
        at com.sun.identity.sm.ServiceConfigImpl.checkAndUpdatePermission(ServiceConfigImpl.java:643)
        at com.sun.identity.sm.ServiceConfigImpl.getFromCache(ServiceConfigImpl.java:634)
        at com.sun.identity.sm.ServiceConfigImpl.getInstance(ServiceConfigImpl.java:503)
        at com.sun.identity.sm.ServiceConfigImpl.getInstance(ServiceConfigImpl.java:481)
        at com.sun.identity.sm.ServiceConfigManagerImpl.getGlobalConfig(ServiceConfigManagerImpl.java:204)
        at com.sun.identity.sm.ServiceConfigManager.getGlobalConfig(ServiceConfigManager.java:253)
        at com.sun.identity.idm.IdUtils.initialize(IdUtils.java:124)
        at com.sun.identity.idm.IdUtils.<clinit>(IdUtils.java:112)
        ... 5 more
pavelhoral commented 1 year ago

I should note that the specific command in the example above is not important.

pavelhoral commented 1 year ago

The issue can be worked around by disabling the polling interval with com.iplanet.am.sdk.remote.pollingTime=0:

https://github.com/WrenSecurity/wrenam/blob/a9c25645fc87e33aa92b7a49203c3eb08c62bed5/openam-core/src/main/java/com/sun/identity/idm/remote/IdRemoteEventListener.java#L184-L200

https://github.com/WrenSecurity/wrenam/blob/a9c25645fc87e33aa92b7a49203c3eb08c62bed5/openam-core/src/main/java/com/sun/identity/idm/remote/IdRemoteEventListener.java#L202-L220

This might also be the right solution, because it does not make much sense to use change polling with ssoadm, as that is not supposed to be a long-lived application.
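The race in the trace above, reduced to a stand-alone illustration. This is an added example, not WrenAM code or code from the issue author: the ConnectionPool, IdUtilsStandIn and startPolling classes below are simplified stand-ins for CachedConnectionPool, IdUtils and the IdRemoteEventListener polling setup, and their bodies, the pool URL and the timing are assumptions. It shows the failure chain from the trace, a timer thread touching a class whose static initialiser needs the pool after the command path has already closed it, and why a polling time of 0 sidesteps it: no poll thread is started, so nothing outlives the command.

```java
import java.util.Timer;
import java.util.TimerTask;
import java.util.concurrent.atomic.AtomicBoolean;

// Added illustration, not WrenAM code. Class names are stand-ins for the
// real ones in the stack trace; their bodies are assumptions.
public class PollingShutdownRace {

    /** Stand-in for org.forgerock.opendj.ldap.CachedConnectionPool. */
    static final class ConnectionPool {
        private final AtomicBoolean closed = new AtomicBoolean(false);

        String getConnection() {
            if (closed.get()) {
                // Same message as the real pool throws once it has been shut down.
                throw new IllegalStateException("CachedConnectionPool is already closed");
            }
            return "ldap://localhost:50389"; // assumed value
        }

        void close() {
            closed.set(true);
        }
    }

    /** Shared pool; the command path closes it when ssoadm is done. */
    static final ConnectionPool POOL = new ConnectionPool();

    /**
     * Stand-in for com.sun.identity.idm.IdUtils. Its static initialiser reads
     * global service configuration through the pool, mirroring the chain in the
     * trace (IdUtils.<clinit> -> ... -> SMDataLayer.getConnection). If the first
     * touch of this class happens after POOL.close(), class initialisation fails
     * with ExceptionInInitializerError on whichever thread touched it.
     */
    static final class IdUtilsStandIn {
        static final String GLOBAL_CONFIG = POOL.getConnection() + "/sunIdentityRepositoryService";

        static String getChangedIds(String notification) {
            return GLOBAL_CONFIG + " -> " + notification;
        }
    }

    /**
     * Stand-in for the IdRemoteEventListener polling setup. A polling time of 0
     * (com.iplanet.am.sdk.remote.pollingTime=0) means no poll thread at all.
     */
    static Timer startPolling(long pollingTimeSeconds) {
        if (pollingTimeSeconds <= 0) {
            return null;
        }
        Timer timer = new Timer("SystemTimer", true);
        timer.schedule(new TimerTask() {
            @Override
            public void run() {
                // First use of IdUtilsStandIn on this thread runs its <clinit>.
                System.out.println("poll: " + IdUtilsStandIn.getChangedIds("modify"));
            }
        }, pollingTimeSeconds * 1000L, pollingTimeSeconds * 1000L);
        return timer;
    }

    public static void main(String[] args) throws InterruptedException {
        // Run with -Dcom.iplanet.am.sdk.remote.pollingTime=0 to apply the workaround.
        long pollingTime = Long.getLong("com.iplanet.am.sdk.remote.pollingTime", 1L);
        Timer timer = startPolling(pollingTime);

        // The ssoadm command itself: a short read that finishes quickly ...
        System.out.println("Sub Configuration retrieved from realm /test");
        // ... after which the command path shuts the pool down.
        POOL.close();

        // Keep the JVM alive long enough for the poll thread to fire after close().
        Thread.sleep(1500L);
        if (timer != null) {
            timer.cancel();
        }
    }
}
```

With the default polling time the "SystemTimer" thread dies with an uncaught ExceptionInInitializerError whose cause is the IllegalStateException from the closed pool, which is the shape of the trace in the report; with -Dcom.iplanet.am.sdk.remote.pollingTime=0 no timer is created and the command exits cleanly. The example is deliberately deterministic (the poll is scheduled after the close); in the real ssoadm run the ordering depends on how long the command takes relative to the poll interval, which is why the failure is intermittent.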

pavelhoral commented 1 year ago

Fixed in #117