indigo-iam / iam

INDIGO Identity and Access Management Service
https://indigo-iam.github.io/

Unable to delete client when one of its related tokens has null AuthenticationHolder related #684

Closed enricovianello closed 8 months ago

enricovianello commented 8 months ago

It all started with this error:

2024-01-10 16:02:57.507 ERROR 7 --- [-8080-exec-9338] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is java.lang.NullPointerException: Cannot invoke "org.mitre.oauth2.model.AuthenticationHolderEntity.getScope()" because the return value of "org.mitre.oauth2.model.OAuth2AccessTokenEntity.getAuthenticationHolder()" is null] with root cause

java.lang.NullPointerException: Cannot invoke "org.mitre.oauth2.model.AuthenticationHolderEntity.getScope()" because the return value of "org.mitre.oauth2.model.OAuth2AccessTokenEntity.getAuthenticationHolder()" is null
    at it.infn.mw.iam.api.client.service.DefaultClientService.isValidAccessToken(DefaultClientService.java:142)
    at it.infn.mw.iam.api.client.service.DefaultClientService.lambda$deleteTokensByClient$1(DefaultClientService.java:150)
    at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:178)
    at java.base/java.util.Vector$VectorSpliterator.forEachRemaining(Vector.java:1470)
    at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
    at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
    at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
    at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
    at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
    at java.base/java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:596)
    at it.infn.mw.iam.api.client.service.DefaultClientService.deleteTokensByClient(DefaultClientService.java:151)
    at it.infn.mw.iam.api.client.service.DefaultClientService.deleteClient(DefaultClientService.java:137)
...

The code lines that raise this exception are: https://github.com/indigo-iam/iam/blob/master/iam-login-service/src/main/java/it/infn/mw/iam/api/client/service/DefaultClientService.java#L148

Probably switching from a.getAuthenticationHolder().getScope() to a.getScope() should fix it, but we need to understand how this status has been reached.

We know that the token that cannot be deleted is a Registration Access Token that has a reference to an AuthenticationHolderEntity that doesn't exist:

MySQL [iam]> select * from access_token where client_id = "128037";
+---------+-------------+------------+------------+------------------+-----------+----------------+-------------+------------------+
| id      | token_value | expiration | token_type | refresh_token_id | client_id | auth_holder_id | id_token_id | approved_site_id |
+---------+-------------+------------+------------+------------------+-----------+----------------+-------------+------------------+
| 9507219 | >>SECRET<<  | NULL       | Bearer     |             NULL |    128037 |        2895438 |        NULL |             NULL |
+---------+-------------+------------+------------+------------------+-----------+----------------+-------------+------------------+

MySQL [iam]> select * from authentication_holder where id = "2895438";
Empty set (0.001 sec)

Error observed on IAM v1.8.2p2, but potentially all IAM >= 1.8.0 are involved. Needs further investigation.

federicaagostini commented 8 months ago

PR #689

enricovianello commented 8 months ago

The origin of this issue is not clear. No further investigation is necessary because, in any case, since v1.8.3 the involved database tables are linked by a foreign key constraint. So it is no longer possible to have an auth_holder_id in access_token which is missing from authentication_holder.
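
Added example, not part of the issue thread or the IAM code base: a MySQL check for the dangling auth_holder_id reference discussed above, run on a scratch schema with constructed rows. The database name, the reduced column set and the constraint name are assumptions; only the table and column names access_token, authentication_holder, id, client_id and auth_holder_id come from the issue.

```sql
-- Added example: scratch schema with constructed rows, not the real IAM schema.
-- Only the table and column names quoted in the issue are reproduced.
DROP DATABASE IF EXISTS iam_orphan_demo;
CREATE DATABASE iam_orphan_demo;
USE iam_orphan_demo;

CREATE TABLE authentication_holder (id BIGINT PRIMARY KEY) ENGINE=InnoDB;
CREATE TABLE access_token (
  id             BIGINT PRIMARY KEY,
  token_type     VARCHAR(32),
  client_id      BIGINT,
  auth_holder_id BIGINT            -- no foreign key yet: nothing stops a dangling id
) ENGINE=InnoDB;

INSERT INTO authentication_holder (id) VALUES (1001);
INSERT INTO access_token (id, token_type, client_id, auth_holder_id) VALUES
  (1, 'Bearer', 500, 1001),        -- healthy: holder 1001 exists
  (2, 'Bearer', 501, 2002),        -- dangling: holder 2002 does not exist
  (3, 'Bearer', 501, NULL);        -- no holder referenced at all

-- 1. Tokens whose auth_holder_id points at a missing authentication_holder row.
--    LEFT JOIN keeps every token; h.id IS NULL means the lookup found nothing.
SELECT t.id, t.client_id, t.auth_holder_id
FROM access_token t
LEFT JOIN authentication_holder h ON h.id = t.auth_holder_id
WHERE t.auth_holder_id IS NOT NULL
  AND h.id IS NULL;

-- 2. The same condition summarised per client: these are the clients whose
--    tokens resolve to a null holder when the application loads them.
SELECT t.client_id, COUNT(*) AS dangling_tokens
FROM access_token t
LEFT JOIN authentication_holder h ON h.id = t.auth_holder_id
WHERE t.auth_holder_id IS NOT NULL AND h.id IS NULL
GROUP BY t.client_id;

-- 3. A foreign key (hypothetical constraint name) makes the state unreachable.
--    InnoDB rejects the ALTER while a dangling row is present, so the
--    constructed row 2 is removed first; NULL values are allowed by the key.
DELETE FROM access_token WHERE id = 2;
ALTER TABLE access_token
  ADD CONSTRAINT fk_demo_access_token_auth_holder
  FOREIGN KEY (auth_holder_id) REFERENCES authentication_holder (id);
```

Queries 1 and 2 are read-only and are the part that applies to a deployment older than v1.8.3; step 3 only illustrates why the constraint closes the gap.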