[ https://issues.apache.org/jira/browse/SYNCOPE-136?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Francesco Chicchiriccò updated SYNCOPE-136:
-------------------------------------------

    Description: 
Currently, a cleartext password is always required when subscribing to a new external resource.
However, in some cases (for example when passwords are stored with a symmetric algorithm) this can be avoided.

For example, it could be:

Case 1: a 2-way (a.k.a. symmetric) password cipher algorithm is configured in Syncope

Use the decrypted password from SyncopeUser to subscribe to the new resource.


Case 2: a 1-way (a.k.a. hash or asymmetric) password cipher algorithm is configured in Syncope and no cleartext password is available (for example, passed via UserMod or provided by a synchronizing resource)

Provide, on a per-resource basis, a means to configure how a new password should be generated:
 * constant
 * random password generation (compliant with the resource password policy, if present - see SYNCOPE-121)
 * provide a custom Java class


Discussion thread: 
http://syncope-dev.1063484.n5.nabble.com/new-password-issue-td5589622.html

  was:
Currently, a cleartext password is always required when subscribing to a new external resource.
However, in some cases (for example when passwords are stored with a symmetric algorithm) this can be avoided.

For example, it could be:

Case 1: a 2-way (a.k.a. symmetric) password cipher algorithm is configured in Syncope

Use the decrypted password from SyncopeUser to subscribe to the new resource.


Case 2: a 1-way (a.k.a. hash or asymmetric) password cipher algorithm is configured in Syncope and no cleartext password is available (for example, passed via UserMod or provided by a synchronizing resource)

Provide, on a per-resource basis, a means to configure how a new password should be generated:
 * constant

    @Test
    public void issueSYNCOPE122() {
        // 1. create user on testdb and testdb2
        UserTO userTO = getSampleTO("[email protected]");
        userTO.getResources().clear();
        userTO.addResource("resource-testdb");
        userTO.addResource("resource-testdb2");
        userTO = userService.create(userTO);
        assertNotNull(userTO);
        assertTrue(userTO.getResources().contains("resource-testdb"));
        assertTrue(userTO.getResources().contains("resource-testdb2"));

        final String pwdOnSyncope = userTO.getPassword();

        ConnObjectTO userOnDb =
                resourceService.getConnector("resource-testdb", AttributableType.USER, userTO.getUsername());
        final AttributeTO pwdOnTestDbAttr = userOnDb.getAttributeMap().get(OperationalAttributes.PASSWORD_NAME);
        assertNotNull(pwdOnTestDbAttr);
        assertNotNull(pwdOnTestDbAttr.getValues());
        assertFalse(pwdOnTestDbAttr.getValues().isEmpty());
        final String pwdOnTestDb = pwdOnTestDbAttr.getValues().iterator().next();

        ConnObjectTO userOnDb2 =
                resourceService.getConnector("resource-testdb2", AttributableType.USER, userTO.getUsername());
        final AttributeTO pwdOnTestDb2Attr = userOnDb2.getAttributeMap().get(OperationalAttributes.PASSWORD_NAME);
        assertNotNull(pwdOnTestDb2Attr);
        assertNotNull(pwdOnTestDb2Attr.getValues());
        assertFalse(pwdOnTestDb2Attr.getValues().isEmpty());
        final String pwdOnTestDb2 = pwdOnTestDb2Attr.getValues().iterator().next();

        // 2. request to change password only on testdb (no Syncope, no testdb2)
        UserMod userMod = new UserMod();
        userMod.setId(userTO.getId());
        userMod.setPassword(getUUIDString());
        PropagationRequestTO pwdPropRequest = new PropagationRequestTO();
        pwdPropRequest.addResource("resource-testdb");
        userMod.setPwdPropRequest(pwdPropRequest);

        userTO = userService.update(userMod.getId(), userMod);

        // 3a. verify that password hasn't changed on Syncope
        assertEquals(pwdOnSyncope, userTO.getPassword());

        // 3b. verify that password *has* changed on testdb
        userOnDb = resourceService.getConnector("resource-testdb", AttributableType.USER, userTO.getUsername());
        final AttributeTO pwdOnTestDbAttrAfter = userOnDb.getAttributeMap().get(OperationalAttributes.PASSWORD_NAME);
        assertNotNull(pwdOnTestDbAttrAfter);
        assertNotNull(pwdOnTestDbAttrAfter.getValues());
        assertFalse(pwdOnTestDbAttrAfter.getValues().isEmpty());
        assertNotEquals(pwdOnTestDb, pwdOnTestDbAttrAfter.getValues().iterator().next());

        // 3c. verify that password hasn't changed on testdb2
        userOnDb2 = resourceService.getConnector("resource-testdb2", AttributableType.USER, userTO.getUsername());
        final AttributeTO pwdOnTestDb2AttrAfter = userOnDb2.getAttributeMap().get(OperationalAttributes.PASSWORD_NAME);
        assertNotNull(pwdOnTestDb2AttrAfter);
        assertNotNull(pwdOnTestDb2AttrAfter.getValues());
        assertFalse(pwdOnTestDb2AttrAfter.getValues().isEmpty());
        assertEquals(pwdOnTestDb2, pwdOnTestDb2AttrAfter.getValues().iterator().next());
    }
}
 * random password generation (compliant with the resource password policy, if present - see SYNCOPE-121)
 * provide a custom Java class


Discussion thread: 
http://syncope-dev.1063484.n5.nabble.com/new-password-issue-td5589622.html

    
> Password required for resource subscription
> -------------------------------------------
>
>                 Key: SYNCOPE-136
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-136
>             Project: Syncope
>          Issue Type: Improvement
>            Reporter: Francesco Chicchiriccò
>            Assignee: Francesco Chicchiriccò
>             Fix For: 1.1.0
>
>
> Currently, a cleartext password is always required when subscribing to a new external resource.
> However, in some cases (for example when passwords are stored with a symmetric algorithm) this can be avoided.
> For example, it could be:
> Case 1: a 2-way (a.k.a. symmetric) password cipher algorithm is configured in Syncope
> Use the decrypted password from SyncopeUser to subscribe to the new resource.
> Case 2: a 1-way (a.k.a. hash or asymmetric) password cipher algorithm is configured in Syncope and no cleartext password is available (for example, passed via UserMod or provided by a synchronizing resource)
> Provide, on a per-resource basis, a means to configure how a new password should be generated:
>  * constant
>  * random password generation (compliant with the resource password policy, if present - see SYNCOPE-121)
>  * provide a custom Java class
> Discussion thread: 
> http://syncope-dev.1063484.n5.nabble.com/new-password-issue-td5589622.html

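As an added illustration of the two cases described in the issue (this is example code written here, not Syncope's implementation, and the names Strategy, Policy, random() and resolve() are hypothetical): when a 2-way cipher yields the stored cleartext it is propagated as-is, otherwise the resource's configured strategy (constant, policy-compliant random, or a custom class supplied as a Supplier) decides the password.

```java
import java.security.SecureRandom;
import java.util.function.Supplier;

// Added example, not Syncope code: models the per-resource "how is a new password
// generated" choice from Case 2. Strategy, Policy and resolve() are hypothetical names.
public final class ResourcePasswordSource {
    public enum Strategy { CONSTANT, RANDOM, CUSTOM_CLASS }
    // Minimal stand-in for a resource password policy (the real one is SYNCOPE-121).
    public static final class Policy {
        final int minLength, minDigits, minUpper;
        Policy(int minLength, int minDigits, int minUpper) {
            this.minLength = minLength; this.minDigits = minDigits; this.minUpper = minUpper;
        }
        boolean isCompliant(String pwd) {
            return pwd.length() >= minLength
                    && pwd.chars().filter(Character::isDigit).count() >= minDigits
                    && pwd.chars().filter(Character::isUpperCase).count() >= minUpper;
        }
    }
    private static final SecureRandom RND = new SecureRandom();
    private static final String UPPER = "ABCDEFGHJKLMNPQRSTUVWXYZ", DIGIT = "23456789",
            LOWER = "abcdefghjkmnpqrstuvwxyz";
    private static void append(StringBuilder sb, String alphabet, int n) {
        for (int i = 0; i < n; i++) sb.append(alphabet.charAt(RND.nextInt(alphabet.length())));
    }
    // Policy-compliant random password: required classes first, pad to minLength,
    // then a Fisher-Yates shuffle so the position of each class is not predictable.
    public static String random(Policy p) {
        StringBuilder sb = new StringBuilder();
        append(sb, UPPER, p.minUpper);
        append(sb, DIGIT, p.minDigits);
        append(sb, UPPER + LOWER + DIGIT, Math.max(0, p.minLength - sb.length()));
        char[] c = sb.toString().toCharArray();
        for (int i = c.length - 1; i > 0; i--) {
            int j = RND.nextInt(i + 1); char t = c[i]; c[i] = c[j]; c[j] = t;
        }
        return new String(c);
    }
    // Case 1: a 2-way cipher yields the stored cleartext, so propagate it. Case 2: use the
    // resource's strategy; CONSTANT gives every user on that resource the same secret.
    public static String resolve(String decrypted, Strategy s, String constant,
            Supplier<String> custom, Policy p) {
        if (decrypted != null) return decrypted;
        switch (s) {
            case CONSTANT: return constant;
            case RANDOM: return random(p);
            default: return custom.get();
        }
    }
}
```

By construction `new Policy(12, 2, 1).isCompliant(random(policy))` holds, so a resource using the RANDOM strategy never receives a value its own policy would reject.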