bdemers opened a new pull request, #1128:
URL: https://github.com/apache/directory-scimple/pull/1128
## Summary
Adds regression tests locking down the security property that `Returned.NEVER` attributes (in the core schema, only `ScimUser.password`) never leak, plus a small fix to the example extension so it doesn't model a leak.

`Returned.NEVER` attributes must never appear in a serialized SCIM response (RFC 7643 §2.2 / §8.7.1) nor in a resource's `toString()` (which `scim-server` logs at DEBUG). Both held in code, but neither channel was guarded by a test, so a future change — regenerating `toString()`, or adding a new `NEVER` attribute — could silently reintroduce a leak.
## Changes
- **`scim-spec-schema` — `ScimUserTest` (new):** guards the `toString()` / logging channel.
  - VALUE-channel guard: the password value (a sentinel) must not appear.
  - SCHEMA/NAME-channel guard: schema-driven over every `Returned.NEVER` attribute, asserting its `name=` token is absent, so a future `NEVER` field is automatically covered.
  - null-password case, plus a schema-annotation sanity check.
- **`scim-server` — `AttributeUtilTest` (+3 tests):** guards the response channel via `AttributeUtil.setAttributesForDisplay()` — `password` stripped on display and even when explicitly requested, absent from the serialized JSON (with a present-in-raw baseline proving stripping is causal), and the original resource is not mutated.
- **`scim-test` — `ExampleObjectExtension`:** `toString()` no longer renders the `Returned.NEVER` `valueNever` field, mirroring `ScimUser.toString()` omitting `password`, so implementers who copy the example don't inherit a leak.

Tests use JUnit 5 + AssertJ and a distinctive sentinel value.
## Testing
`./mvnw -Pci -B -ntp -pl scim-spec/scim-spec-schema,scim-server,scim-test -am test` → green (`ScimUserTest` 4/4, `AttributeUtilTest` 11/11). Verified the `toString()` guards fail when `password` is appended to `ScimUser.toString()`, then reverted.
## Follow-ups (not in this PR)
- Remove the "no test guards this" caveat in `THREAT_MODEL.md` §8.1 (that file is part of separate, currently-uncommitted threat-model work).
- Optional: a generic extension-`toString()` regression guard for any future `Returned.NEVER`-bearing extension.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
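An added illustration of the schema-driven `toString()` guard described in the pull request above; it is not code from the PR or from SCIMple. The `Attr` annotation, the `User` and `LeakyUser` classes, `findLeaks` and the sentinel string are hypothetical stand-ins built for this example, which uses plain reflection instead of JUnit 5 and AssertJ so it runs on its own.

```java
import java.lang.annotation.*;
import java.lang.reflect.Field;
import java.util.*;

public class NeverReturnedGuard {
    // Hypothetical stand-ins for a schema annotation and resource; not SCIMple's API.
    enum Returned { DEFAULT, NEVER }
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD)
    @interface Attr { Returned returned() default Returned.DEFAULT; }

    static class User {
        @Attr String userName;
        @Attr(returned = Returned.NEVER) String password;
        @Override public String toString() { return "User(userName=" + userName + ")"; }
    }

    // Constructed regression: a regenerated toString() that renders every field.
    static class LeakyUser extends User {
        @Override public String toString() { return "User(userName=" + userName + ", password=" + password + ")"; }
    }

    /** Lists every NEVER attribute whose name= token or value shows up in toString(). */
    static List<String> findLeaks(Object resource) throws IllegalAccessException {
        String rendered = resource.toString();
        List<String> leaks = new ArrayList<>();
        for (Class<?> c = resource.getClass(); c != null; c = c.getSuperclass()) {
            for (Field f : c.getDeclaredFields()) {
                Attr a = f.getAnnotation(Attr.class);
                if (a == null || a.returned() != Returned.NEVER) continue;
                f.setAccessible(true);
                // NAME channel: catches the leak even when the value is null.
                if (rendered.contains(f.getName() + "=")) leaks.add("name:" + f.getName());
                // VALUE channel: the sentinel must not appear under any label.
                Object v = f.get(resource);
                if (v != null && rendered.contains(v.toString())) leaks.add("value:" + f.getName());
            }
        }
        return leaks;
    }
    static void check(boolean ok, String msg) { if (!ok) throw new AssertionError(msg); }

    public static void main(String[] args) throws Exception {
        User safe = new User(); safe.userName = "alice";
        safe.password = "SENTINEL-7f3a-do-not-log"; // constructed sentinel value
        check(findLeaks(safe).isEmpty(), "safe toString() leaked");
        User leaky = new LeakyUser(); leaky.userName = "alice"; leaky.password = safe.password;
        check(findLeaks(leaky).equals(List.of("name:password", "value:password")), "guard missed leak");
        leaky.password = null; // null-password case: only the name channel can catch this
        check(findLeaks(leaky).equals(List.of("name:password")), "guard missed null-valued leak");
    }
}
```

Because the loop is driven by the annotation and not by a hard-coded field name, any field later marked `NEVER` is checked without touching the guard.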