[SYNCOPE-686] Enriching UserMod's pwdPropRequest when using AES and adding resources to users via roles
Project: http://git-wip-us.apache.org/repos/asf/syncope/repo Commit: http://git-wip-us.apache.org/repos/asf/syncope/commit/a1737d35 Tree: http://git-wip-us.apache.org/repos/asf/syncope/tree/a1737d35 Diff: http://git-wip-us.apache.org/repos/asf/syncope/diff/a1737d35 Branch: refs/heads/SYNCOPE-156 Commit: a1737d35ad33c426e89a48259f0655ba3736ac6c Parents: 4ae3e2c Author: Francesco Chicchiriccò <[email protected]> Authored: Wed Aug 26 16:26:23 2015 +0200 Committer: Francesco Chicchiriccò <[email protected]> Committed: Wed Aug 26 16:26:23 2015 +0200 ---------------------------------------------------------------------- .../core/rest/controller/UserController.java | 3 +- .../syncope/core/rest/data/UserDataBinder.java | 15 +++ .../syncope/core/rest/RoleTestITCase.java | 2 +- .../syncope/core/rest/UserTestITCase.java | 107 ++++++++++++++----- 4 files changed, 97 insertions(+), 30 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/syncope/blob/a1737d35/core/src/main/java/org/apache/syncope/core/rest/controller/UserController.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/org/apache/syncope/core/rest/controller/UserController.java b/core/src/main/java/org/apache/syncope/core/rest/controller/UserController.java index 5cbd5de..68843a7 100644 --- a/core/src/main/java/org/apache/syncope/core/rest/controller/UserController.java +++ b/core/src/main/java/org/apache/syncope/core/rest/controller/UserController.java @@ -272,7 +272,8 @@ public class UserController extends AbstractSubjectController<UserTO, UserMod> { removeMemberships = true; } } - //Actual operations: workflow, propagation, notification + + // Actual operations: workflow, propagation, notification WorkflowResult<Map.Entry<UserMod, Boolean>> updated = uwfAdapter.update(actual); List<PropagationTask> tasks = propagationManager.getUserUpdateTaskIds(updated); http://git-wip-us.apache.org/repos/asf/syncope/blob/a1737d35/core/src/main/java/org/apache/syncope/core/rest/data/UserDataBinder.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/org/apache/syncope/core/rest/data/UserDataBinder.java b/core/src/main/java/org/apache/syncope/core/rest/data/UserDataBinder.java index 3ac56fc..fcd67c2 100644 --- a/core/src/main/java/org/apache/syncope/core/rest/data/UserDataBinder.java +++ b/core/src/main/java/org/apache/syncope/core/rest/data/UserDataBinder.java @@ -30,6 +30,7 @@ import org.apache.syncope.common.SyncopeClientCompositeException; import org.apache.syncope.common.SyncopeClientException; import org.apache.syncope.common.mod.AttributeMod; import org.apache.syncope.common.mod.MembershipMod; +import org.apache.syncope.common.mod.StatusMod; import org.apache.syncope.common.mod.UserMod; import org.apache.syncope.common.to.MembershipTO; import org.apache.syncope.common.to.UserTO; @@ -379,6 +380,20 @@ public class UserDataBinder extends AbstractAttributableDataBinder { user.addMembership(membership); toBeProvisioned.addAll(role.getResourceNames()); + + // SYNCOPE-686: if password is invertible and we are adding resources with password mapping, + // ensure that they are counted for password propagation + if (toBeUpdated.canDecodePassword()) { + for (ExternalResource resource : role.getResources()) { + if (resource.getUmapping().getPasswordItem() != null) { + if (userMod.getPwdPropRequest() == null) { + userMod.setPwdPropRequest(new StatusMod()); + } + + userMod.getPwdPropRequest().getResourceNames().add(resource.getName()); + } + } + } } propByRes.merge(fill(membership, membershipMod, http://git-wip-us.apache.org/repos/asf/syncope/blob/a1737d35/core/src/test/java/org/apache/syncope/core/rest/RoleTestITCase.java ---------------------------------------------------------------------- diff --git a/core/src/test/java/org/apache/syncope/core/rest/RoleTestITCase.java b/core/src/test/java/org/apache/syncope/core/rest/RoleTestITCase.java index 6e384d4..5f0feb0 100644 --- a/core/src/test/java/org/apache/syncope/core/rest/RoleTestITCase.java +++ b/core/src/test/java/org/apache/syncope/core/rest/RoleTestITCase.java @@ -71,7 +71,7 @@ import org.junit.runners.MethodSorters; @FixMethodOrder(MethodSorters.JVM) public class RoleTestITCase extends AbstractTest { - private RoleTO buildBasicRoleTO(final String name) { + public static RoleTO buildBasicRoleTO(final String name) { RoleTO roleTO = new RoleTO(); roleTO.setName(name + getUUIDString()); roleTO.setParent(8L); http://git-wip-us.apache.org/repos/asf/syncope/blob/a1737d35/core/src/test/java/org/apache/syncope/core/rest/UserTestITCase.java ---------------------------------------------------------------------- diff --git a/core/src/test/java/org/apache/syncope/core/rest/UserTestITCase.java b/core/src/test/java/org/apache/syncope/core/rest/UserTestITCase.java index 7d5493c..269f0a8 100644 --- a/core/src/test/java/org/apache/syncope/core/rest/UserTestITCase.java +++ b/core/src/test/java/org/apache/syncope/core/rest/UserTestITCase.java @@ -1552,38 +1552,40 @@ public class UserTestITCase extends AbstractTest { pwdCipherAlgo.getValues().set(0, "AES"); configurationService.set(pwdCipherAlgo.getSchema(), pwdCipherAlgo); - // 3. create user with no resources - UserTO userTO = getUniqueSampleTO("[email protected]"); - userTO.getResources().clear(); - - userTO = createUser(userTO); - assertNotNull(userTO); - - // 4. update user, assign a propagation primary resource but don't provide any password - UserMod userMod = new UserMod(); - userMod.setId(userTO.getId()); - userMod.getResourcesToAdd().add(RESOURCE_NAME_WS1); + try { + // 3. create user with no resources + UserTO userTO = getUniqueSampleTO("[email protected]"); + userTO.getResources().clear(); - final StatusMod st = new StatusMod(); - st.setOnSyncope(false); - st.getResourceNames().add(RESOURCE_NAME_WS1); - userMod.setPwdPropRequest(st); + userTO = createUser(userTO); + assertNotNull(userTO); - userTO = updateUser(userMod); - assertNotNull(userTO); + // 4. update user, assign a propagation primary resource but don't provide any password + UserMod userMod = new UserMod(); + userMod.setId(userTO.getId()); + userMod.getResourcesToAdd().add(RESOURCE_NAME_WS1); - // 5. verify that propagation was successful - List<PropagationStatus> props = userTO.getPropagationStatusTOs(); - assertNotNull(props); - assertEquals(1, props.size()); - PropagationStatus prop = props.iterator().next(); - assertNotNull(prop); - assertEquals(RESOURCE_NAME_WS1, prop.getResource()); - assertEquals(PropagationTaskExecStatus.SUBMITTED, prop.getStatus()); + final StatusMod st = new StatusMod(); + st.setOnSyncope(false); + st.getResourceNames().add(RESOURCE_NAME_WS1); + userMod.setPwdPropRequest(st); - // 6. restore initial cipher algorithm - pwdCipherAlgo.getValues().set(0, origpwdCipherAlgo); - configurationService.set(pwdCipherAlgo.getSchema(), pwdCipherAlgo); + userTO = updateUser(userMod); + assertNotNull(userTO); + + // 5. verify that propagation was successful + List<PropagationStatus> props = userTO.getPropagationStatusTOs(); + assertNotNull(props); + assertEquals(1, props.size()); + PropagationStatus prop = props.iterator().next(); + assertNotNull(prop); + assertEquals(RESOURCE_NAME_WS1, prop.getResource()); + assertEquals(PropagationTaskExecStatus.SUBMITTED, prop.getStatus()); + } finally { + // restore initial cipher algorithm + pwdCipherAlgo.getValues().set(0, origpwdCipherAlgo); + configurationService.set(pwdCipherAlgo.getSchema(), pwdCipherAlgo); + } } @Test @@ -2533,4 +2535,53 @@ public class UserTestITCase extends AbstractTest { assertNotNull(connObjectTO); assertEquals("newPostalAddress", connObjectTO.getAttrMap().get("postalAddress").getValues().get(0)); } + + @Test + public void issueSYNCOPE686() { + // 1. read configured cipher algorithm in order to be able to restore it at the end of test + AttributeTO pwdCipherAlgo = configurationService.read("password.cipher.algorithm"); + String origpwdCipherAlgo = pwdCipherAlgo.getValues().get(0); + + // 2. set AES password cipher algorithm + pwdCipherAlgo.getValues().set(0, "AES"); + configurationService.set(pwdCipherAlgo.getSchema(), pwdCipherAlgo); + + try { + // 3. create role with LDAP resource assigned + RoleTO role = RoleTestITCase.buildBasicRoleTO("syncope686"); + role.getResources().add(RESOURCE_NAME_LDAP); + role = createRole(role); + assertNotNull(role); + + // 4. create user with no resources + UserTO userTO = getUniqueSampleTO("[email protected]"); + userTO.getResources().clear(); + + userTO = createUser(userTO); + assertNotNull(userTO); + + // 5. update user with the new role, and don't provide any password + UserMod userMod = new UserMod(); + userMod.setId(userTO.getId()); + MembershipMod membMod = new MembershipMod(); + membMod.setRole(role.getId()); + userMod.getMembershipsToAdd().add(membMod); + + userTO = updateUser(userMod); + assertNotNull(userTO); + + // 5. verify that propagation was successful + List<PropagationStatus> props = userTO.getPropagationStatusTOs(); + assertNotNull(props); + assertEquals(1, props.size()); + PropagationStatus prop = props.iterator().next(); + assertNotNull(prop); + assertEquals(RESOURCE_NAME_LDAP, prop.getResource()); + assertEquals(PropagationTaskExecStatus.SUCCESS, prop.getStatus()); + } finally { + // restore initial cipher algorithm + pwdCipherAlgo.getValues().set(0, origpwdCipherAlgo); + configurationService.set(pwdCipherAlgo.getSchema(), pwdCipherAlgo); + } + } }
