WrenSecurity / wrenidm

Community‐developed identity management system with a flexible data model, multiple extension points and scripting support, including JavaScript and Groovy.
https://wrensecurity.org/

Issue #11 - Update link on object UID change #197

Closed tbigby-kristin closed 3 months ago

tbigby-kristin commented 3 months ago

Hi team,

Issue #11 causes object links to be lost when the UID of the target object changes. I recently ran into this with my own project.

@GuyPaddock provided pull request #45 some years ago but there were a few unnecessary changes.

I needed to solve this issue so have attempted to re-implement Guy's work in a pull request with fewer changes. All credit goes to Guy for your work in finding the cause and coming up with both a test case and solution.

I hope this fix can be merged so that it is part of the WrenIDM project.

Many thanks, Tony

pavelhoral commented 3 months ago

We have cleaned Guy's PR as well in #106. However we were sitting on that since then. I will check both PRs again ASAP.

tbigby-kristin commented 3 months ago

Indeed, sorry I missed that before submitting mine. I have no problem if you want to merge #106 instead :)

pavelhoral commented 3 months ago

I have updated your PR and will merge it once the tests are green. I removed the additional method as that code is in need of a more general refactor (as stated by Guy's original PR) and fixed a missing check for a NULL ResourceResponse ID.

Btw this PR does not solve #11 completely. My original report was describing the situation when the target object's ID changes outside of the recon process, i.e. when an OpenLDAP administrator mistakenly deletes an LDAP entry and then recreates it with a different entryUUID. But that is a somewhat more complex scenario to solve.
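As an added illustration (not WrenIDM's own code, and not the merged PR), a small JavaScript model of the rule the fix applies during reconciliation: after the target update, the link follows the ID the target reports back, and a response with a null ID is ignored rather than written into the link. The link store, the target system, the mapping name `managedUser_ldap` and the object IDs are all constructed for the example.

```javascript
// Constructed in-memory link table keyed by (mapping, sourceId) -> targetId.
function createLinkStore() {
  const links = new Map();
  return {
    put(mapping, sourceId, targetId) { links.set(`${mapping}:${sourceId}`, targetId); },
    get(mapping, sourceId) { return links.get(`${mapping}:${sourceId}`) ?? null; },
  };
}

// Constructed target system whose object ID is derived from the `uid` attribute,
// so an update that changes `uid` hands the object back under a new ID.
function createTarget(initial) {
  const objects = new Map(Object.entries(initial));
  return {
    update(id, changes) {
      const current = objects.get(id);
      if (current === undefined) return null;
      const next = { ...current, ...changes };
      objects.delete(id);
      objects.set(next.uid, next);
      // ResourceResponse-like shape; `id` is null when no usable ID came back.
      return { id: next.uid ?? null, content: next };
    },
    has(id) { return objects.has(id); },
  };
}

// Reconcile one linked source object: push the update, then keep the link
// pointing at whatever ID the target reported back.
function reconcileLinked(store, target, mapping, sourceId, changes) {
  const linkedId = store.get(mapping, sourceId);
  if (linkedId === null) return { action: "UNLINKED", linkUpdated: false };
  const response = target.update(linkedId, changes);
  // Null-ID guard (the missing check from the thread): never overwrite a valid link with no ID.
  if (response === null || response.id === null) {
    return { action: "UPDATE", targetId: linkedId, linkUpdated: false };
  }
  if (response.id !== linkedId) store.put(mapping, sourceId, response.id); // follow the UID change
  return { action: "UPDATE", targetId: response.id, linkUpdated: response.id !== linkedId };
}

// Scenario: source "u1" is linked to target "jdoe"; `changes` is applied to it.
function runScenario(changes) {
  const store = createLinkStore();
  const target = createTarget({ jdoe: { uid: "jdoe", mail: "jdoe@example.org" } });
  store.put("managedUser_ldap", "u1", "jdoe");
  const result = reconcileLinked(store, target, "managedUser_ldap", "u1", changes);
  const link = store.get("managedUser_ldap", "u1");
  return { result, link, targetExists: target.has(link) };
}
```

Without the relink step the first scenario below would leave the link pointing at `jdoe`, an ID the target no longer has, which is exactly the lost-link symptom of #11 within a recon run.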

tbigby-kristin commented 2 months ago

Many thanks @pavelhoral !

Fair enough, a change to a target object's ID outside the reconciliation process would be much more difficult to solve, but this specific issue where the ID changes within the reconciliation process is what I needed to solve currently.

The ID change outside the recon process sounds to me like it would create a different 'Behaviour Situation' - 'Link Moved':

Then a new 'RELINK' action could be taken if configured in the mapping to drop the existing link and create a new link.

Anyway, just some thoughts. Thanks again for merging this fix!