[
https://issues.apache.org/jira/browse/SYNCOPE-136?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Francesco Chicchiriccò updated SYNCOPE-136:
-------------------------------------------
Description:
Currently, a cleartext password is always required when subscribing to a new
external resource.
However, in some cases (for example when passwords are stored with some
symmetric algorithm) this can be avoided.
For example, it could be:
Case 1: 2-way (a.k.a. symmetric) password cipher algorithm is configured in
Syncope
Use the decrypted password from SyncopeUser to subscribe to the new resource.
Case 2: 1-way (a.k.a. hash or asymmetric) password cipher algorithm is
configured in Syncope and no clear-text password is available (for example,
passed via UserMod or provided by a synchronizing resource)
Provide, on a per-resource basis, a means to configure how the new password
should be generated:
* constant

    @Test
    public void issueSYNCOPE122() {
        // 1. create user on testdb and testdb2
        UserTO userTO = getSampleTO("[email protected]");
        userTO.getResources().clear();
        userTO.addResource("resource-testdb");
        userTO.addResource("resource-testdb2");
        userTO = userService.create(userTO);
        assertNotNull(userTO);
        assertTrue(userTO.getResources().contains("resource-testdb"));
        assertTrue(userTO.getResources().contains("resource-testdb2"));

        // password as stored on Syncope, before any change
        final String pwdOnSyncope = userTO.getPassword();

        // password as currently propagated to testdb
        ConnObjectTO userOnDb = resourceService.getConnector("resource-testdb",
                AttributableType.USER, userTO.getUsername());
        final AttributeTO pwdOnTestDbAttr =
                userOnDb.getAttributeMap().get(OperationalAttributes.PASSWORD_NAME);
        assertNotNull(pwdOnTestDbAttr);
        assertNotNull(pwdOnTestDbAttr.getValues());
        assertFalse(pwdOnTestDbAttr.getValues().isEmpty());
        final String pwdOnTestDb = pwdOnTestDbAttr.getValues().iterator().next();

        // password as currently propagated to testdb2
        ConnObjectTO userOnDb2 = resourceService.getConnector("resource-testdb2",
                AttributableType.USER, userTO.getUsername());
        final AttributeTO pwdOnTestDb2Attr =
                userOnDb2.getAttributeMap().get(OperationalAttributes.PASSWORD_NAME);
        assertNotNull(pwdOnTestDb2Attr);
        assertNotNull(pwdOnTestDb2Attr.getValues());
        assertFalse(pwdOnTestDb2Attr.getValues().isEmpty());
        final String pwdOnTestDb2 = pwdOnTestDb2Attr.getValues().iterator().next();

        // 2. request to change password only on testdb (no Syncope, no testdb2)
        UserMod userMod = new UserMod();
        userMod.setId(userTO.getId());
        userMod.setPassword(getUUIDString());
        PropagationRequestTO pwdPropRequest = new PropagationRequestTO();
        pwdPropRequest.addResource("resource-testdb");
        userMod.setPwdPropRequest(pwdPropRequest);
        userTO = userService.update(userMod.getId(), userMod);

        // 3a. verify that password hasn't changed on Syncope
        assertEquals(pwdOnSyncope, userTO.getPassword());

        // 3b. verify that password *has* changed on testdb
        userOnDb = resourceService.getConnector("resource-testdb",
                AttributableType.USER, userTO.getUsername());
        final AttributeTO pwdOnTestDbAttrAfter =
                userOnDb.getAttributeMap().get(OperationalAttributes.PASSWORD_NAME);
        assertNotNull(pwdOnTestDbAttrAfter);
        assertNotNull(pwdOnTestDbAttrAfter.getValues());
        assertFalse(pwdOnTestDbAttrAfter.getValues().isEmpty());
        assertNotEquals(pwdOnTestDb,
                pwdOnTestDbAttrAfter.getValues().iterator().next());

        // 3c. verify that password hasn't changed on testdb2
        userOnDb2 = resourceService.getConnector("resource-testdb2",
                AttributableType.USER, userTO.getUsername());
        final AttributeTO pwdOnTestDb2AttrAfter =
                userOnDb2.getAttributeMap().get(OperationalAttributes.PASSWORD_NAME);
        assertNotNull(pwdOnTestDb2AttrAfter);
        assertNotNull(pwdOnTestDb2AttrAfter.getValues());
        assertFalse(pwdOnTestDb2AttrAfter.getValues().isEmpty());
        assertEquals(pwdOnTestDb2,
                pwdOnTestDb2AttrAfter.getValues().iterator().next());
    }
* random password generation (compliant with resource password policy, if
present - see SYNCOPE-121)
* provide custom Java class
Discussion thread:
http://syncope-dev.1063484.n5.nabble.com/new-password-issue-td5589622.html
was:
Currently, a cleartext password is always required when subscribing to a new
external resource.
However, in some cases (for example when passwords are stored with some
symmetric algorithm) this can be avoided.
For example, it could be:
Case 1: 2-way (a.k.a. symmetric) password cipher algorithm is configured in
Syncope
Use the decrypted password from SyncopeUser to subscribe to the new resource.
Case 2: 1-way (a.k.a. hash or asymmetric) password cipher algorithm is
configured in Syncope and no clear-text password is available (for example,
passed via UserMod or provided by a synchronizing resource)
Provide, on a per-resource basis, a means to configure how the new password
should be generated:
* constant
* random password generation (compliant with resource password policy, if
present - see SYNCOPE-121)
* provide custom Java class
Discussion thread:
http://syncope-dev.1063484.n5.nabble.com/new-password-issue-td5589622.html
> Password required for resource subscription
> -------------------------------------------
>
> Key: SYNCOPE-136
> URL: https://issues.apache.org/jira/browse/SYNCOPE-136
> Project: Syncope
> Issue Type: Improvement
> Reporter: Francesco Chicchiriccò
> Assignee: Francesco Chicchiriccò
> Fix For: 1.1.0
>
>
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
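The decision the issue describes, as an added sketch rather than Syncope's own code: a cleartext value arriving with the request is used as-is; with a 2-way cipher the stored value is decrypted; with a 1-way hash there is nothing to recover, so a per-resource generator supplies the password, using one of the three options listed (constant, random within a policy, custom Java class). Every class, method and enum name below is hypothetical, the "decryptor" is a stand-in for a real cipher, and the policy is reduced to a minimum length plus required character classes.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.function.UnaryOperator;

/** Hypothetical sketch (not Syncope's code) of where the password sent to a newly subscribed resource comes from. */
public final class NewResourcePassword {

    /** How Syncope stores the user's password (names assumed for this sketch). */
    public enum Cipher { TWO_WAY, ONE_WAY }

    /** Assumed per-resource strategy; the three implementations match the issue's bullets. */
    public interface PasswordGenerator {
        String generate(String username);
    }

    /** Option "constant": every new subscription gets the same configured value. */
    public static final class ConstantGenerator implements PasswordGenerator {
        private final String value;
        public ConstantGenerator(String value) { this.value = value; }
        @Override public String generate(String username) { return value; }
    }

    /** Option "random, policy-compliant": minimal policy of length plus lower/upper/digit. */
    public static final class RandomPolicyGenerator implements PasswordGenerator {
        private static final SecureRandom RNG = new SecureRandom();
        private static final String LOWER = "abcdefghijklmnopqrstuvwxyz";
        private static final String UPPER = LOWER.toUpperCase();
        private static final String DIGIT = "0123456789";
        private final int minLength;
        public RandomPolicyGenerator(int minLength) { this.minLength = minLength; }

        @Override public String generate(String username) {
            // Satisfy each required class by construction, fill to length, then shuffle
            // so the mandatory characters do not sit at predictable positions.
            List<Character> chars = new ArrayList<>();
            chars.add(pick(LOWER));
            chars.add(pick(UPPER));
            chars.add(pick(DIGIT));
            String all = LOWER + UPPER + DIGIT;
            while (chars.size() < minLength) chars.add(pick(all));
            Collections.shuffle(chars, RNG);
            StringBuilder sb = new StringBuilder();
            for (char c : chars) sb.append(c);
            return sb.toString();
        }

        private static char pick(String alphabet) {
            return alphabet.charAt(RNG.nextInt(alphabet.length()));
        }
    }

    /** Option "custom Java class": instantiate a PasswordGenerator by fully qualified name. */
    public static PasswordGenerator loadCustom(String className) throws ReflectiveOperationException {
        return (PasswordGenerator) Class.forName(className).getDeclaredConstructor().newInstance();
    }

    /**
     * Case 1 vs. case 2 from the issue. A cleartext value supplied with the request
     * (e.g. via UserMod) always wins; otherwise a 2-way cipher lets the stored value be
     * decrypted, while a 1-way cipher forces the per-resource generator.
     */
    public static String passwordForNewResource(Optional<String> clearFromRequest,
                                                Cipher cipher, String storedValue,
                                                UnaryOperator<String> twoWayDecrypt,
                                                PasswordGenerator resourceGenerator,
                                                String username) {
        if (clearFromRequest.isPresent()) return clearFromRequest.get();
        if (cipher == Cipher.TWO_WAY) return twoWayDecrypt.apply(storedValue);
        return resourceGenerator.generate(username);
    }

    public static void main(String[] args) {
        // Constructed values: "enc:" marks a fake reversible encoding, "sha1:" a fake digest.
        UnaryOperator<String> decrypt = stored -> stored.substring("enc:".length());
        String fromTwoWay = passwordForNewResource(Optional.empty(), Cipher.TWO_WAY,
                "enc:S3cret!", decrypt, new ConstantGenerator("unused"), "rossini");
        String fromOneWay = passwordForNewResource(Optional.empty(), Cipher.ONE_WAY,
                "sha1:<digest-placeholder>", decrypt, new RandomPolicyGenerator(12), "rossini");
        System.out.println("2-way cipher -> " + fromTwoWay);
        System.out.println("1-way cipher -> " + fromOneWay);
    }
}
```

Two design points worth keeping when this is configured per resource: the class name handed to `loadCustom` must come from administrator-controlled configuration only, since `Class.forName` on an attacker-influenced string runs arbitrary code at provisioning time; and a generated password is only useful if it is also stored or delivered somewhere, because with a 1-way hash Syncope itself will not be able to reproduce it later for that resource.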