This is an automated email from the ASF dual-hosted git repository.

andreapatricelli pushed a commit to branch 3_0_X
in repository https://gitbox.apache.org/repos/asf/syncope.git


The following commit(s) were added to refs/heads/3_0_X by this push:
     new 6378ea9a3b [SYNCOPE-1922] raise error while searching by encrypted 
plain schema, removed suggestion of such schemas on search in console (#1218)
6378ea9a3b is described below

commit 6378ea9a3b31aa0bfda829e1ff612276bc84d373
Author: Andrea Patricelli <[email protected]>
AuthorDate: Tue Oct 28 17:08:26 2025 +0100

    [SYNCOPE-1922] raise error while searching by encrypted plain schema, 
removed suggestion of such schemas on search in console (#1218)
---
 .../console/panels/search/AnyObjectSearchPanel.java |  4 +++-
 .../persistence/jpa/dao/AbstractAnySearchDAO.java   |  4 ++++
 .../core/persistence/jpa/inner/AnySearchTest.java   | 21 +++++++++++++++++++++
 .../org/apache/syncope/fit/core/SearchITCase.java   | 19 +++++++++++++++++++
 4 files changed, 47 insertions(+), 1 deletion(-)

diff --git 
a/client/idrepo/console/src/main/java/org/apache/syncope/client/console/panels/search/AnyObjectSearchPanel.java
 
b/client/idrepo/console/src/main/java/org/apache/syncope/client/console/panels/search/AnyObjectSearchPanel.java
index 4045b8f03a..3479bd64f7 100644
--- 
a/client/idrepo/console/src/main/java/org/apache/syncope/client/console/panels/search/AnyObjectSearchPanel.java
+++ 
b/client/idrepo/console/src/main/java/org/apache/syncope/client/console/panels/search/AnyObjectSearchPanel.java
@@ -33,6 +33,7 @@ import org.apache.syncope.common.lib.to.GroupTO;
 import org.apache.syncope.common.lib.to.PlainSchemaTO;
 import org.apache.syncope.common.lib.to.SchemaTO;
 import org.apache.syncope.common.lib.types.AnyTypeKind;
+import org.apache.syncope.common.lib.types.AttrSchemaType;
 import org.apache.syncope.common.lib.types.SchemaType;
 import org.apache.wicket.PageReference;
 import org.apache.wicket.extensions.markup.html.repeater.util.SortParam;
@@ -123,7 +124,8 @@ public class AnyObjectSearchPanel extends 
AbstractSearchPanel {
             protected Map<String, PlainSchemaTO> load() {
                 return schemaRestClient.<PlainSchemaTO>getSchemas(
                         SchemaType.PLAIN, null, 
anyTypeRestClient.read(anyType).getClasses().toArray(String[]::new)).
-                        stream().collect(Collectors.toMap(SchemaTO::getKey, 
Function.identity()));
+                        stream().filter(schema -> AttrSchemaType.Encrypted != 
schema.getType()).
+                        collect(Collectors.toMap(SchemaTO::getKey, 
Function.identity()));
             }
         };
     }
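Review bot: The `filter` added in `load()` only keeps encrypted schemas out of this panel's suggestion list, and nothing in the code says that the actual enforcement is the server-side rejection. A short comment above the `filter` call would record that, e.g. `// Encrypted schemas are rejected by the core on search, so do not offer them here`. Only AnyObjectSearchPanel is touched in this commit, so it is worth confirming that the user and group search panels build their schema list through this same `load()` and not through one of their own. The enclosing method starts outside the hunk.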
diff --git 
a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/AbstractAnySearchDAO.java
 
b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/AbstractAnySearchDAO.java
index 124a4c419d..ad2ccfc956 100644
--- 
a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/AbstractAnySearchDAO.java
+++ 
b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/dao/AbstractAnySearchDAO.java
@@ -202,6 +202,10 @@ public abstract class AbstractAnySearchDAO extends 
AbstractDAO<Any<?>> implement
         PlainSchema schema = 
Optional.ofNullable(plainSchemaDAO.find(cond.getSchema())).
                 orElseThrow(() -> new IllegalArgumentException("Invalid schema 
" + cond.getSchema()));
 
+        if (AttrSchemaType.Encrypted == schema.getType()) {
+            throw new IllegalArgumentException("Cannot search by encrypted 
schema " + cond.getSchema());
+        }
+
         PlainAttrValue attrValue = schema.isUniqueConstraint()
                 ? anyUtils.newPlainAttrUniqueValue()
                 : anyUtils.newPlainAttrValue();
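Review bot: The new guard covers only the path where this method validates an `AttrCond`. From the hunk it cannot be seen whether order-by clauses on an encrypted schema, or search implementations that do not go through this method, are rejected as well; that should be confirmed so the restriction holds on every route. A why-comment above the `if` would help the next maintainer, e.g. `// SYNCOPE-1922: Encrypted schema values are not searchable; fail fast instead of matching against stored ciphertext`. The enclosing method begins and ends outside the hunk.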
diff --git 
a/core/persistence-jpa/src/test/java/org/apache/syncope/core/persistence/jpa/inner/AnySearchTest.java
 
b/core/persistence-jpa/src/test/java/org/apache/syncope/core/persistence/jpa/inner/AnySearchTest.java
index e49f0d6aba..6bbe1d6720 100644
--- 
a/core/persistence-jpa/src/test/java/org/apache/syncope/core/persistence/jpa/inner/AnySearchTest.java
+++ 
b/core/persistence-jpa/src/test/java/org/apache/syncope/core/persistence/jpa/inner/AnySearchTest.java
@@ -21,6 +21,7 @@ package org.apache.syncope.core.persistence.jpa.inner;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.text.ParseException;
@@ -1067,6 +1068,26 @@ public class AnySearchTest extends AbstractTest {
         assertEquals("bellini", users.get(0).getUsername());
     }
 
+    @Test
+    public void issueSYNCOPE1922() {
+        User bellini = userDAO.findByUsername("bellini");
+        assertNotNull(bellini);
+
+        PlainSchema obscureSchema = plainSchemaDAO.find("obscure");
+        assertNotNull(obscureSchema);
+
+        userDAO.save(addPlainAttr(bellini, obscureSchema, "myobscurevalue"));
+
+        entityManager().flush();
+
+        AttrCond obscureCond = new AttrCond(AttrCond.Type.EQ);
+        obscureCond.setSchema("obscure");
+        obscureCond.setExpression("myobscurevalue");
+
+        assertThrows(IllegalArgumentException.class,
+                () -> searchDAO.search(SearchCond.getLeaf(obscureCond), 
AnyTypeKind.USER));
+    }
+
     private User addPlainAttr(final User user, final PlainSchema plainSchema, 
final String value) {
         user.getPlainAttr(plainSchema.getKey())
                 .ifPresentOrElse(ctype -> 
ctype.getValues().get(0).setStringValue(value), () -> {
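Review bot: The `assertThrows` in `issueSYNCOPE1922` checks only the exception type, and the schema lookup in the DAO throws the same `IllegalArgumentException` for an unknown schema, so the test does not prove that the encrypted-schema guard is what fired. Capturing the exception and checking its message would pin it: `IllegalArgumentException e = assertThrows(...);` followed by `assertTrue(e.getMessage().contains("Cannot search by encrypted schema"));`. The test also relies on the fixture defining `obscure` as an encrypted schema; `assertEquals(AttrSchemaType.Encrypted, obscureSchema.getType());` would make that precondition explicit. Only `AttrCond.Type.EQ` is exercised.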
diff --git 
a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/SearchITCase.java
 
b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/SearchITCase.java
index 93919052c5..fc1c7faed4 100644
--- 
a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/SearchITCase.java
+++ 
b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/SearchITCase.java
@@ -1142,4 +1142,23 @@ public class SearchITCase extends AbstractITCase {
             deleteUser("user test 182");
         }
     }
+
+    @Test
+    public void issueSYNCOPE1922() {
+        // 1. set encrypted value
+        updateUser(new 
UserUR.Builder(USER_SERVICE.read("bellini").getKey()).plainAttr(
+                attrAddReplacePatch("obscure", "myobscurevalue")).build());
+        // 2. search by encrypted value
+        try {
+            USER_SERVICE.search(new 
AnyQuery.Builder().fiql(SyncopeClient.getUserSearchConditionBuilder()
+                    
.and(List.of(SyncopeClient.getUserSearchConditionBuilder().is("obscure").equalTo("myobscurevalue"),
+                            
SyncopeClient.getUserSearchConditionBuilder().is("surname").equalTo("bellini")))
+                    .query()).page(1).size(1).build());
+            fail("Search should have been blocked, since on encrypted schema");
+        } catch (SyncopeClientException sce) {
+            assertEquals(ClientExceptionType.InvalidSearchParameters, 
sce.getType());
+            assertTrue(
+                    sce.getMessage().contains("IllegalArgumentException: 
Cannot search by encrypted schema obscure"));
+        }
+    }
 }
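Review bot: Step 1 of `issueSYNCOPE1922` writes an `obscure` value onto the shared `bellini` user and never removes it, whereas the test just above cleans up after itself with `deleteUser`. If the integration fixture is not reset between tests, later cases that read `bellini` will see the extra attribute. Running the search inside `try { ... } finally { ... }` and restoring the user in the `finally` would keep the fixture stable. The assertion on `"IllegalArgumentException: Cannot search by encrypted schema obscure"` also ties the test to the server's exception class name appearing in the client message; matching only `"Cannot search by encrypted schema obscure"` would be less brittle.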
