[jira] [Resolved] (SYNCOPE-501) Virtual attribute propagation not working when updating only virtual attributes
[ https://issues.apache.org/jira/browse/SYNCOPE-501?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrea Patricelli resolved SYNCOPE-501.
Resolution: Fixed

Virtual attribute propagation not working when updating only virtual attributes

Key: SYNCOPE-501
URL: https://issues.apache.org/jira/browse/SYNCOPE-501
Project: Syncope
Issue Type: Bug
Components: core
Affects Versions: 1.1.8, 1.2.0
Reporter: Andrea Patricelli
Assignee: Andrea Patricelli
Fix For: 1.1.8, 1.2.0

During User update, if updating ONLY mapped virtual attributes, are they really propagated? It seems that core doesn't track these changes and virtual attribute modifications (in this case) aren't propagated. If, instead, we also update other normal attribute(s), mapped with resource, virtual attribute changes are really propagated.
Aren't the modifications made by the solution of issue [1] enough to satisfy this requirement?

[1] https://issues.apache.org/jira/browse/SYNCOPE-459

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Assigned] (SYNCOPE-391) Make password management optional
[ https://issues.apache.org/jira/browse/SYNCOPE-391?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marco Di Sabatino Di Diodoro reassigned SYNCOPE-391:
Assignee: Marco Di Sabatino Di Diodoro

Make password management optional

Key: SYNCOPE-391
URL: https://issues.apache.org/jira/browse/SYNCOPE-391
Project: Syncope
Issue Type: Improvement
Reporter: Francesco Chicchiriccò
Assignee: Marco Di Sabatino Di Diodoro
Fix For: 1.2.0

Currently, SyncopeUser#password is annotated as @NotNull - this has several consequences to propagation / synchronization and even to admin console.
However, it would be a nice addition to make the password storage and management optional - in complex IdM scenarios, in fact, it might even be a business requirement to NOT store passwords in Syncope internal storage.
[jira] [Commented] (SYNCOPE-505) Support propagating non-cleartext passwords to external resources
[ https://issues.apache.org/jira/browse/SYNCOPE-505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14033805#comment-14033805 ]

ASF subversion and git services commented on SYNCOPE-505:

Commit 1603171 from [~coheigea] in branch 'syncope/trunk'
[ https://svn.apache.org/r1603171 ]

[SYNCOPE-505] - Adding an initial PropagationActions implementation for DBs

Support propagating non-cleartext passwords to external resources

Key: SYNCOPE-505
URL: https://issues.apache.org/jira/browse/SYNCOPE-505
Project: Syncope
Issue Type: Improvement
Components: core
Reporter: Francesco Chicchiriccò
Assignee: Colm O hEigeartaigh
Fix For: 1.2.0

Similarly to SYNCOPE-313 during synchronization, it seems feasible to provide some Propagation Actions classes (say {{DBPasswordPropagationActions}} and {{LDAPPasswordPropagationActions}}) that will propagate non-cleartext password values to external resources.
This might require some changes in the related connector bundles.
[jira] [Commented] (SYNCOPE-505) Support propagating non-cleartext passwords to external resources
[ https://issues.apache.org/jira/browse/SYNCOPE-505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14033813#comment-14033813 ]

Colm O hEigeartaigh commented on SYNCOPE-505:

I added an initial prototype implementation for DBPasswordPropagationActions. It checks to see if there is a mandatory missing attribute that corresponds to password, and then just writes out the password from SyncopeUser as is in this case. What do you think about this approach?

I've tested the prototype + it works. One issue is that it only works if the Connector uses CLEARTEXT, as otherwise the supplied password gets hashed. Should we add another Connector property so that we can tell it to only hash/encrypt if the supplied password is plaintext?

Colm.
[jira] [Commented] (SYNCOPE-505) Support propagating non-cleartext passwords to external resources
[ https://issues.apache.org/jira/browse/SYNCOPE-505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14033839#comment-14033839 ]

ASF subversion and git services commented on SYNCOPE-505:

Commit 1603184 from [~ilgrosso] in branch 'syncope/trunk'
[ https://svn.apache.org/r1603184 ]

[SYNCOPE-505] Using known constants
[jira] [Commented] (SYNCOPE-505) Support propagating non-cleartext passwords to external resources
[ https://issues.apache.org/jira/browse/SYNCOPE-505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14033843#comment-14033843 ]

Francesco Chicchiriccò commented on SYNCOPE-505:

As you can see, I've just committed some changes to the class in order to use some known constants.

About the proposal of adding a property to the DBTable connector, is there any safe method to understand whether a string is plaintext or not?
[jira] [Commented] (SYNCOPE-505) Support propagating non-cleartext passwords to external resources
[ https://issues.apache.org/jira/browse/SYNCOPE-505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14033863#comment-14033863 ]

Francesco Chicchiriccò commented on SYNCOPE-505:

The logic for hashing the password value according to the relevant configuration lies in DBTable connector's code, not Syncope's.
This means that normally Syncope passes the password as clear text (wrapped in {{GuardedString}}) and then the connector will hash it according to the configured algorithm before writing to the underlying db table.

We should find a way then to instruct the connector that the specific password value we are passing is already hashed: unfortunately, connector configuration properties are only evaluated when creating a connector instance, so they cannot be changed on-the-fly.

BTW, writing out the password only if {{SyncopeUser#getCipherAlgorithm}} matches the configured value for the DB Connector hash algorithm (e.g. the same logic of SYNCOPE-313) seems correct to me.
[jira] [Commented] (SYNCOPE-505) Support propagating non-cleartext passwords to external resources
[ https://issues.apache.org/jira/browse/SYNCOPE-505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14033918#comment-14033918 ]

Colm O hEigeartaigh commented on SYNCOPE-505:

{quote}
We should find a way then to instruct the connector that the specific password value we are passing is already hashed: unfortunately, connector configuration properties are only evaluated when creating a connector instance, so they cannot be changed on-the-fly.
{quote}

Could we have a new (boolean) attribute (__HASHED_PASSWORD__) or something? Alternatively, we could use a predefined prefix/suffix on the __PASSWORD__. Any preferences?

{quote}
BTW, writing out the password only if SyncopeUser#getCipherAlgorithm matches the configured value for the DB Connector hash algorithm (e.g. the same logic of SYNCOPE-313) seems correct to me.
{quote}

Ok, sounds good. One query would be whether we should also follow this logic if the DB Connector has a CLEARTEXT value? I think we should, but want to verify it.

Colm.
[jira] [Commented] (SYNCOPE-505) Support propagating non-cleartext passwords to external resources
[ https://issues.apache.org/jira/browse/SYNCOPE-505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14033931#comment-14033931 ]

Francesco Chicchiriccò commented on SYNCOPE-505:

{quote}
Could we have a new (boolean) attribute __HASHED_PASSWORD__ or something? Alternatively, we could use a predefined prefix/suffix on the __PASSWORD__. Any preferences?
{quote}

A special {{__HASHED_PASSWORD__}} boolean attribute - defaults to {{true}} when missing - could be added to the DBTable connector configuration: sounds good.
We need to open an issue on [ConnId's JIRA|https://connid.atlassian.net/browse/DB] then, targeted to DBTable connector 2.1.7.

{quote}
One query would be whether we should also follow this logic if the DB Connector has a CLEARTEXT value? I think we should, but want to verify it.
{quote}

Agree.
Errored: apache/syncope#595 (trunk - f8a627f)
Build Update for apache/syncope

Build: #595
Status: Errored
Duration: 3 minutes and 23 seconds
Commit: f8a627f (trunk)
Author: Francesco Chicchiriccò
Message: [SYNCOPE-505] Using known constants

git-svn-id: https://svn.apache.org/repos/asf/syncope/trunk@1603184 13f79535-47bb-0310-9956-ffa450edef68

View the changeset: https://github.com/apache/syncope/compare/29f6b7936568...f8a627f0fff6
View the full build log and details: https://travis-ci.org/apache/syncope/builds/2937

--
You can configure recipients for build notifications in your .travis.yml file. See http://docs.travis-ci.com/user/notifications
[jira] [Commented] (SYNCOPE-505) Support propagating non-cleartext passwords to external resources
[ https://issues.apache.org/jira/browse/SYNCOPE-505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14033936#comment-14033936 ]

Colm O hEigeartaigh commented on SYNCOPE-505:

{quote}
A special __HASHED_PASSWORD__ boolean attribute - defaults to true when missing - could be added to the DBTable connector configuration: sounds good.
{quote}

Shouldn't it default to false when missing? I.e. __HASHED_PASSWORD__ being present and true means that the value under __PASSWORD__ should be treated as hashed + not subsequently hashed with the configured Connector hash algorithm. Otherwise, the Connector hash algorithm applies.

Colm.
[jira] [Commented] (SYNCOPE-505) Support propagating non-cleartext passwords to external resources
[ https://issues.apache.org/jira/browse/SYNCOPE-505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14033937#comment-14033937 ]

Francesco Chicchiriccò commented on SYNCOPE-505:

{quote}
Shouldn't it default to false when missing?
{quote}

Ouch, you are clearly right! o_O
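
The semantics the thread converges on, as an added stand-alone sketch that is not part of the original messages and is not Syncope or ConnId code: a missing `__HASHED_PASSWORD__` flag is treated as false, and a stored hash is only handed over when the user's cipher algorithm equals the connector's. The class and method names, the `SHA-256` setting and the sample password are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

// Hypothetical model of the discussed behaviour; no Syncope or ConnId classes.
// Passwords are plain Strings (not GuardedString) only to keep the model short.
public class HashedPasswordFlagDemo {

    static final String PASSWORD = "__PASSWORD__";
    static final String HASHED_PASSWORD = "__HASHED_PASSWORD__";

    // Syncope side: pass the stored value on only when the user's cipher algorithm
    // equals the connector's configured one (the same rule applies to CLEARTEXT).
    static boolean canPropagateStoredValue(String userAlgorithm, String connectorAlgorithm) {
        return userAlgorithm != null && userAlgorithm.equals(connectorAlgorithm);
    }

    // Connector side: only an explicit TRUE skips hashing. A missing flag means
    // "not hashed", so a cleartext value is never written unhashed by omission.
    static String valueToStore(Map<String, Object> attrs, String connectorAlgorithm) throws Exception {
        String password = (String) attrs.get(PASSWORD);
        if (Boolean.TRUE.equals(attrs.get(HASHED_PASSWORD)) || "CLEARTEXT".equals(connectorAlgorithm)) {
            return password;
        }
        return hash(password, connectorAlgorithm);
    }

    static String hash(String value, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(value.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        String algorithm = "SHA-256";               // constructed connector setting
        String stored = hash("secret", algorithm);  // constructed hash as held by Syncope

        Map<String, Object> attrs = new HashMap<>();
        attrs.put(PASSWORD, "secret");              // cleartext, flag missing: connector hashes it
        System.out.println("cleartext, no flag -> matches stored hash: "
                + valueToStore(attrs, algorithm).equals(stored));
        attrs.put(PASSWORD, stored);                // hash sent without the flag: hashed a second time
        System.out.println("hash, no flag      -> matches stored hash: "
                + valueToStore(attrs, algorithm).equals(stored));
        attrs.put(HASHED_PASSWORD, Boolean.TRUE);   // hash sent with the flag: written as is
        System.out.println("hash, flag = true  -> matches stored hash: "
                + valueToStore(attrs, algorithm).equals(stored));
        System.out.println("SHA-256 user, CLEARTEXT connector -> propagate stored value: "
                + canPropagateStoredValue("SHA-256", "CLEARTEXT"));
    }
}
```

The second case is the double hashing reported for the prototype; with the flag defaulting to true instead, the first case would write the cleartext value to the table unchanged.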