WrenSecurity / wrenam

Community fork of OpenAM, an authentication and authorization system originally developed by ForgeRock.

Resource Type without date fields breaks Policy Sets import #142

Open fyrbach opened 1 year ago

fyrbach commented 1 year ago

The Policy Sets import in XUI ends with 500 Internal Server Error when there is a Resource Type without a creationDate or lastModifiedDate LDAP attribute.

Such a Resource Type can be created using the ssoadm create-sub-cfg command and a properties file that is missing any of the mentioned attributes.

The import fails on the following lines:

https://github.com/WrenSecurity/wrenam/blob/a5ffb936667582d2737fb6d41b9aa66cf0868da9/openam-entitlements/src/main/java/org/forgerock/openam/entitlement/configuration/ResourceTypeConfigurationImpl.java#L278-L280

Reproducible example:

#!/usr/bin/env bash

echo "Starting temporary container"
docker run --rm --name wrenam-test -p 8080:8080 -d wrensecurity/wrenam:15.0.0-M5 && sleep 5

echo "Configuring Wren:AM"
docker exec -w /opt/ssoconf wrenam-test bash -c "\
  sed \
  -e 's/server1.example.com/localhost/g' \
  -e 's/.example.com/.localhost/g' \
  -e 's/DEPLOYMENT_URI=\/openam/DEPLOYMENT_URI=\/auth/' \
  -e 's/BASE_DIR=\/openam/BASE_DIR=\/srv\/wrenam/' \
  -e 's/ACCEPT_LICENSES=false/ACCEPT_LICENSES=true/' \
  sampleconfiguration > configuration; \
  java -jar openam-configurator-tool.jar -f configuration"

echo "Installing SSOADM tool"
docker exec -w /opt/ssoadm wrenam-test bash -c "\
  ./setup --acceptLicense -p /srv/wrenam; \
  echo -n 11111111 > /tmp/pwd.txt; \
  chmod 400 /tmp/pwd.txt"

echo "Creating invalid Resource Type"
docker exec wrenam-test bash -c "cat <<EOF > /tmp/resource-type.properties
actions=GET=true
description=Missing date fields
name=Invalid Type
patterns=*://*:*/*
#creationDate=
#lastModifiedDate=
EOF"
docker exec wrenam-test /opt/ssoadm/auth/bin/ssoadm create-sub-cfg -u amAdmin -f /tmp/pwd.txt -e / -s sunEntitlementService -g registeredResourceTypes/resourceType -b InvalidResourceType -D /tmp/resource-type.properties

echo "Authenticating"
token=$(curl -sX POST -H "X-OpenAM-Username: amAdmin" -H "X-OpenAM-Password: 11111111" "http://localhost:8080/auth/json/authenticate" | jq -r .tokenId)

echo "Importing Policy Set (ends with error)"
curl -v "http://localhost:8080/auth/xacml/policies" \
  -H "iPlanetDirectoryPro: $token" \
  -d '<?xml version="1.0" encoding="UTF-8" standalone="yes"?><ns2:PolicySet xmlns:xacml3="classpath:xsd/xacml-core-v3-schema-wd-17.xsd" xmlns:ns2="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="/:2023.07.24.14.49.38.585" Version="2023.07.24.14.49.38.585" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"><ns2:Target/></ns2:PolicySet>'
echo

echo "Stopping temporary container"
docker kill wrenam-test
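The following is an added illustration, not code from the issue, from the linked ResourceTypeConfigurationImpl lines, or from the wrenam project: it contrasts a reading of the date attributes that assumes they are present (the kind of unchecked access that ends up as a NullPointerException and a 500 at the REST layer) with a tolerant reading that treats an absent, empty or non-numeric creationDate / lastModifiedDate as missing and lets the caller choose a fallback. The attribute-map shape (attribute name to set of string values), the method names and the fallback policy are assumptions made for the example; the sample map mirrors the properties file from the reproducer, which has no date fields.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/**
 * Illustration only (not wrenam code). Attribute map shape and method names are assumed.
 * Values are stored as strings, as sub-configuration attributes read from LDAP usually are.
 */
public class ResourceTypeDateHandling {

    static final String CREATION_DATE = "creationDate";
    static final String LAST_MODIFIED_DATE = "lastModifiedDate";

    /** Unchecked read: attrs.get(name) is null when the attribute is absent, so iterator() throws NPE. */
    static long naiveReadDate(Map<String, Set<String>> attrs, String name) {
        return Long.parseLong(attrs.get(name).iterator().next());
    }

    /** Tolerant read: absent, empty or non-numeric values become Optional.empty() instead of an exception. */
    static Optional<Long> readDate(Map<String, Set<String>> attrs, String name) {
        Set<String> values = attrs.getOrDefault(name, Collections.emptySet());
        for (String v : values) {
            if (v == null || v.isBlank()) {
                continue;
            }
            try {
                return Optional.of(Long.parseLong(v.trim()));
            } catch (NumberFormatException e) {
                // A malformed timestamp is treated like a missing one; a real loader would log it here.
                return Optional.empty();
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample matching /tmp/resource-type.properties from the issue: no date fields at all.
        Map<String, Set<String>> invalidType = new HashMap<>();
        invalidType.put("name", Set.of("Invalid Type"));
        invalidType.put("description", Set.of("Missing date fields"));
        invalidType.put("patterns", Set.of("*://*:*/*"));
        invalidType.put("actions", Set.of("GET=true"));

        try {
            naiveReadDate(invalidType, CREATION_DATE);
        } catch (NullPointerException e) {
            System.out.println("unchecked read: NullPointerException (surfaces as 500 Internal Server Error)");
        }

        // Fallback policy chosen for the example: missing creationDate -> now,
        // missing lastModifiedDate -> same as creationDate.
        long now = System.currentTimeMillis();
        long created = readDate(invalidType, CREATION_DATE).orElse(now);
        long modified = readDate(invalidType, LAST_MODIFIED_DATE).orElse(created);
        System.out.println("tolerant read: creationDate=" + created + " lastModifiedDate=" + modified);
    }
}
```

Compile and run with `javac ResourceTypeDateHandling.java && java ResourceTypeDateHandling`. The point of the tolerant variant is that one malformed or incomplete Resource Type no longer aborts an entire Policy Set import; whether a loader should substitute a fallback or reject the single entry with a 4xx and a clear message is a design decision, but either is preferable to an unhandled NullPointerException.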