[jboss-jira] [JBoss JIRA] (WFLY-7437) Inconsistencies in otp-credential-mapper attribute of Elytron ldap-realm

Ondrej Lukas (JIRA) issues at jboss.org
Fri Nov 4 02:33:00 EDT 2016


    [ https://issues.jboss.org/browse/WFLY-7437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13317248#comment-13317248 ] 

Ondrej Lukas commented on WFLY-7437:
------------------------------------

I think the inconsistency here is between having required attributes in the otp-credential-mapper object and allowing otp-credential-mapper to be added without these required attributes.

Having ldap-realm without otp-credential-mapper is definitely OK, but adding otp-credential-mapper without the required algorithm-from, hash-from, seed-from, sequence-from is wrong.

In other parts of the Elytron subsystem someObjectAttribute={} does not mean undefined. Take a look at the command:
{code}
/subsystem=elytron/properties-realm=realm:add(users-properties={path=$SOME_PATH},groups-properties={})
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0155: path may not be null",
    "rolled-back" => true
}
{code}

It validates whether the required attribute {{path}} from groups-properties is set. IMHO it is correct behavior - it does not allow groups-properties to be used without the required attribute. Or is there any difference between otp-credential-mapper and groups-properties? I think it should be unified for the whole subsystem.

> Inconsistencies in otp-credential-mapper attribute of Elytron ldap-realm
> ------------------------------------------------------------------------
>
>                 Key: WFLY-7437
>                 URL: https://issues.jboss.org/browse/WFLY-7437
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 11.0.0.Alpha1
>            Reporter: Ondrej Lukas
>            Assignee: Jan Kalina
>            Priority: Minor
>              Labels: user_experience
>
> Attribute {{identity-mapping.otp-credential-mapper}} from Elytron ldap-realm should include an Object which should contain four required attributes - algorithm-from, hash-from, seed-from, sequence-from. All of these attributes are set as nillable=false.
> However, the CLI allows running a command where the otp-credential-mapper attribute is added without any attributes, which is inconsistent with their nillable=false. See the following command:
> {code}
> /subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap,identity-mapping={rdn-identifier=uid,otp-credential-mapper={}})
> {code}
> Moreover, this command results in configuration XML without any otp-credential-mapper:
> {code}
> <ldap-realm name="ldap-realm" dir-context="ldap">
>     <identity-mapping rdn-identifier="uid"/>
> </ldap-realm>
> {code}
> In case at least one of the otp-credential-mapper required attributes is added, the CLI command correctly fails:
> {code}
> /subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap,identity-mapping={rdn-identifier=uid,otp-credential-mapper={algorithm-from=atr}})
> {
>     "outcome" => "failed",
>     "failure-description" => "WFLYCTL0155: hash-from may not be null",
>     "rolled-back" => true
> }
> {code}
> Suggestion:
> Do not allow adding {{identity-mapping.otp-credential-mapper}} without required attributes.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
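The two behaviours discussed above (an empty otp-credential-mapper object silently accepted versus validated against its required children), modelled as an added example that is not WildFly or Elytron code: a plain dict stands in for the management-model object passed to the :add operation, the attribute names and the WFLYCTL0155 message format are taken from the page, and the `validate_otp_mapper_buggy` / `validate_otp_mapper_fixed` names are hypothetical.

```python
# Added example for WFLY-7437 (not WildFly/Elytron code). A dict stands in for
# the management model; attribute names and the error format come from the page.

# Required children of identity-mapping.otp-credential-mapper, all nillable=false.
OTP_REQUIRED = ("algorithm-from", "hash-from", "seed-from", "sequence-from")

_UNDEFINED = object()  # sentinel: the attribute was not supplied at all

def _failure(attribute):
    """Build the failure response in the shape the CLI prints on the page."""
    return {
        "outcome": "failed",
        "failure-description": f"WFLYCTL0155: {attribute} may not be null",
        "rolled-back": True,
    }

def _check_required(obj, required):
    """Return the first required child that is unset, or None if all are set."""
    for name in required:
        if obj.get(name) is None:
            return name
    return None

def validate_otp_mapper_buggy(identity_mapping):
    """Behaviour reported in the issue: an empty object is treated like an absent
    attribute, so otp-credential-mapper={} passes and the mapper is silently dropped."""
    mapper = identity_mapping.get("otp-credential-mapper")
    if not mapper:  # None and {} are conflated here; that is the inconsistency
        return {"outcome": "success"}
    missing = _check_required(mapper, OTP_REQUIRED)
    return _failure(missing) if missing else {"outcome": "success"}

def validate_otp_mapper_fixed(identity_mapping):
    """Behaviour the comment argues for (as properties-realm already does): only a
    truly absent attribute is undefined; a present object is validated."""
    mapper = identity_mapping.get("otp-credential-mapper", _UNDEFINED)
    if mapper is _UNDEFINED:
        return {"outcome": "success"}
    missing = _check_required(mapper, OTP_REQUIRED)
    return _failure(missing) if missing else {"outcome": "success"}

if __name__ == "__main__":
    # Constructed inputs mirroring the two CLI commands quoted on the page.
    empty = {"rdn-identifier": "uid", "otp-credential-mapper": {}}
    partial = {"rdn-identifier": "uid", "otp-credential-mapper": {"algorithm-from": "atr"}}
    print(validate_otp_mapper_buggy(empty))    # success: the mapper vanishes
    print(validate_otp_mapper_fixed(empty))    # failed: algorithm-from may not be null
    print(validate_otp_mapper_fixed(partial))  # failed: hash-from may not be null
```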

