wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

Unable to set user's challenge answers when a workflow management task is setup for "User Claim Update" #6121

Closed ayshsandu closed 4 days ago

ayshsandu commented 5 years ago

Steps to reproduce:

  1. Log in to the management console and add a workflow engagement for "User Claim Update Task"

  2. Add a workflow definition which allows users in the admin role to approve the task, and associate it with the engagement created in step 1

  3. Log in to the /dashboard, open the "Account Recovery" gadget, try to set answers for the challenge questions and click update. Upon viewing the "Account Recovery" gadget again, we can observe that the answers are not set. Instead of step3

In the console, the following error is printed:

[2019-08-12 21:50:46,252] ERROR {org.wso2.carbon.identity.recovery.services.ChallengeQuestionManagementAdminService} -  Error while persisting user challenges for user : admin
org.wso2.carbon.identity.recovery.IdentityRecoveryServerException: Error while removing challenge questions of user 'admin.
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.wso2.carbon.identity.base.IdentityException.error(IdentityException.java:103)
    at org.wso2.carbon.identity.recovery.util.Utils.handleServerException(Utils.java:195)
    at org.wso2.carbon.identity.recovery.ChallengeQuestionManager.setChallengesOfUser(ChallengeQuestionManager.java:601)
    at org.wso2.carbon.identity.recovery.services.ChallengeQuestionManagementAdminService.setUserChallengeAnswers(ChallengeQuestionManagementAdminService.java:200)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.axis2.rpc.receivers.RPCUtil.invokeServiceClass(RPCUtil.java:212)
    at org.apache.axis2.rpc.receivers.RPCMessageReceiver.invokeBusinessLogic(RPCMessageReceiver.java:117)
    at org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:40)
    at org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:110)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
    at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:173)
    at org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:148)
    at org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:238)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:68)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:65)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:494)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
    at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
    at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:100)
    at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:74)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
    at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
    at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
    at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
    at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:1025)
    at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
    at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:112)
    at org.wso2.carbon.tomcat.ext.valves.RequestEncodingValve.invoke(RequestEncodingValve.java:49)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1137)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1780)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1739)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.wso2.carbon.user.core.UserStoreException: http://wso2.org/claims/challengeQuestion1 of user is already in a workflow to delete or update.
    at org.wso2.carbon.user.mgt.workflow.userstore.UserStoreActionListener.doPreSetUserClaimValues(UserStoreActionListener.java:180)
    at org.wso2.carbon.user.core.common.AbstractUserStoreManager.setUserClaimValues(AbstractUserStoreManager.java:2426)
    at org.wso2.carbon.identity.recovery.util.Utils.setClaimInUserStoreManager(Utils.java:272)
    at org.wso2.carbon.identity.recovery.ChallengeQuestionManager.setChallengesOfUser(ChallengeQuestionManager.java:583)
    ... 65 more
Caused by: org.wso2.carbon.identity.workflow.mgt.exception.WorkflowException: http://wso2.org/claims/challengeQuestion1 of user is already in a workflow to delete or update.
    at org.wso2.carbon.user.mgt.workflow.userstore.SetMultipleClaimsWFRequestHandler.isValidOperation(SetMultipleClaimsWFRequestHandler.java:215)
    at org.wso2.carbon.user.mgt.workflow.userstore.SetMultipleClaimsWFRequestHandler.startSetMultipleClaimsWorkflow(SetMultipleClaimsWFRequestHandler.java:94)
    at org.wso2.carbon.user.mgt.workflow.userstore.UserStoreActionListener.doPreSetUserClaimValues(UserStoreActionListener.java:177)
    ... 68 more

I believe this behaviour should be available in previous product versions as well, since we are using some user claims to store the challenge question answers. When the corresponding values are getting stored as claims, the workflow gets engaged and the operation becomes on-hold until an authorized user approves it. Hence, the challenge question update fails.

This behaviour might affect some other use cases as well that involve storing user management feature related information in claims. Better to redesign the flow to accommodate both of the above cases in the same server.
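A triage sketch for the failure reported above, added here as an example and not part of the original issue or of WSO2's code: it walks a Carbon log, follows each event's "Caused by" chain to the root cause, and reports claim updates rejected because a workflow is already pending. The function name, the result fields and the `challengeQuestion` substring test for recovery claims are assumptions; the message text and claim URI are the ones in the trace.

```python
import re

# Sample input: abridged from the trace in this issue, plus one constructed,
# unrelated entry to show that other errors are ignored.
SAMPLE_LOG = """\
[2019-08-12 21:50:46,252] ERROR {org.wso2.carbon.identity.recovery.services.ChallengeQuestionManagementAdminService} -  Error while persisting user challenges for user : admin
org.wso2.carbon.identity.recovery.IdentityRecoveryServerException: Error while removing challenge questions of user 'admin.
    at org.wso2.carbon.identity.recovery.ChallengeQuestionManager.setChallengesOfUser(ChallengeQuestionManager.java:601)
Caused by: org.wso2.carbon.user.core.UserStoreException: http://wso2.org/claims/challengeQuestion1 of user is already in a workflow to delete or update.
    at org.wso2.carbon.user.mgt.workflow.userstore.UserStoreActionListener.doPreSetUserClaimValues(UserStoreActionListener.java:180)
Caused by: org.wso2.carbon.identity.workflow.mgt.exception.WorkflowException: http://wso2.org/claims/challengeQuestion1 of user is already in a workflow to delete or update.
    at org.wso2.carbon.user.mgt.workflow.userstore.SetMultipleClaimsWFRequestHandler.isValidOperation(SetMultipleClaimsWFRequestHandler.java:215)
[2019-08-12 21:51:02,010] ERROR {constructed.example.Logger} -  Constructed unrelated failure
"""

HEADER = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+\w+\s+\{[^}]+\}\s+-\s+(?P<msg>.*)$")
CAUSE = re.compile(r"^Caused by: (?P<exc>[\w.$]+): (?P<msg>.*)$")
FRAME = re.compile(r"^\s+at (?P<method>[\w.$<>]+)\(")
BLOCKED = re.compile(r"(?P<claim>\S+) of user is already in a workflow to delete or update")
USER = re.compile(r"for user : (?P<user>\S+)")

def blocked_claim_updates(text):
    """Return one finding per log event whose root cause is a pending workflow."""
    findings, events = [], []
    for line in text.splitlines():
        if HEADER.match(line):
            events.append([line])      # a timestamped line starts a new event
        elif events:
            events[-1].append(line)    # trace lines belong to the last event
    for head, *trace in events:
        root = origin = None
        for line in trace:
            cause, frame = CAUSE.match(line), FRAME.match(line)
            if cause:
                root, origin = cause, None  # a deeper cause supersedes the last
            elif root and frame and origin is None:
                origin = frame["method"]    # first frame under the root cause
        hit = BLOCKED.search(root["msg"]) if root else None
        if hit:
            user = USER.search(head)
            findings.append({
                "timestamp": HEADER.match(head)["ts"],
                "user": user["user"] if user else None,
                "claim": hit["claim"],
                "root_exception": root["exc"],
                "origin": origin,
                "recovery_claim": "challengeQuestion" in hit["claim"],  # assumed naming
            })
    return findings
```

Findings with `recovery_claim` set are the ones to watch: an account-recovery update is waiting on an approver rather than taking effect.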

johannnallathamby commented 5 years ago

I think the ideal fix here would be to be able to add multiple conditions with AND/OR grouping to apply a workflow to a request. This will improve the filtering capability of workflow engagements. Fixing just the claim update issue by providing some kind of configuration is a short-sighted solution.

darshanasbg commented 5 years ago

Rather than applying to all claim updates, can't we use the 'Advance' workflow applying policy, which uses XPath?

isharak commented 4 days ago

This issue is being closed due to extended inactivity. Please feel free to reopen it if further attention is needed. Thank you for helping us keep the issue list relevant and focused!