Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to pick realm configured custom users tore domain name for the JDBC PRIMARY userstore #15332

Closed
DInuwan97 opened this issue Jan 9, 2023 · 1 comment
Closed

Unable to pick realm configured custom users tore domain name for the JDBC PRIMARY userstore #15332

DInuwan97 opened this issue Jan 9, 2023 · 1 comment
Assignees
@ashanthamara

Comments

@DInuwan97
Copy link

Describe the issue:
The current implementation of org.wso2.carbon.identity.scim2.common is unable to retrieve the user-mgt.xml file.[1] (RelamConfigs) since if the user is in the primary user store it is taking the domain PRIMARY from a hard-coded constant variable from the source code itself.

A similar issue was reported here.[1]

Expected behavior:
Use the default UniqueID JDBC user store as the Primary user store.

[user_store]
type = "database_unique_id"

Change the deployment.toml config set as below in the primary user store. The domain name for the primary user store is "WSO2" for this example.

[user_store.properties]
DomainName = "WSO2"

Add the following configuration to the deployment.toml

[scim2]
enable_complex_multivalued_attribute_support = true
enable_filtering_enhancements = true

Once the above scim2 toml configuration was there, it will go through via the getFilterdedDomainName method.

Execute the following curl command to the user in the PRIMARY user store.

curl --location --request GET 'https://localhost:9443/scim2/Users?filter=userName+eq+<test_user>&startIndex=0&count=10' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' -kv

TID: [-1234] [scim2] [2023-01-08 13:01:58,518] [dc2c443d-5afe-4a8c-b738-0a5afe48001d] ERROR {org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/scim2].[SCIM2Servlet]} - Servlet.service() for servlet [SCIM2Servlet] in context with path [/scim2] threw exception java.lang.NullPointerException
	at org.wso2.carbon.identity.scim2.common.impl.SCIMUserManager.getMaxLimit(SCIMUserManager.java:1936)
	at org.wso2.carbon.identity.scim2.common.impl.SCIMUserManager.filterUsersBySingleAttribute(SCIMUserManager.java:1298)
	at org.wso2.carbon.identity.scim2.common.impl.SCIMUserManager.filterUsers(SCIMUserManager.java:1241)
	at org.wso2.carbon.identity.scim2.common.impl.SCIMUserManager.listUsersWithGET(SCIMUserManager.java:509)
	at org.wso2.charon3.core.protocol.endpoints.UserResourceManager.listWithGET(UserResourceManager.java:354)
	at org.wso2.carbon.identity.scim2.provider.resources.UserResource.getUser(UserResource.java:215)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:179)
	at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
	at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:201)
	at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:104)
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:265)
	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:225)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:298)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:222)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:655)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:273)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter.doFilter(ContentTypeBasedCachePreventionFilter.java:53)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:659)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:107)
	at org.wso2.carbon.identity.cors.valve.CORSValve.invoke(CORSValve.java:93)
	at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:102)
	at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:133)
	at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:101)
	at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49)
	at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
	at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:145)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
	at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
	at org.wso2.carbon.tomcat.ext.valves.RequestEncodingValve.invoke(RequestEncodingValve.java:49)
	at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:126)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:359)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:889)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1735)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:750)

Also 500 error response in http_access_logs as well.

As per the fix, it should be able to get the values from the realm configuration. Then only it would be able to pick the custom domain name of the PRIMARY user store.

How to fix:


private String getFilteredDomainName(ExpressionNode node) {

    String attributeName = node.getAttributeValue();
    String filterOperation = node.getOperation();
    String attributeValue = node.getValue();

    if ((isFilterUsersAndGroupsOnlyFromPrimaryDomainEnabled()) && !StringUtils
            .contains(attributeValue, CarbonConstants.DOMAIN_SEPARATOR)) {
        return carbonUM.getRealmConfiguration().getUserStoreProperty(UserCoreConstants.RealmConfig.
                PROPERTY_DOMAIN_NAME);

    } else if (isFilteringEnhancementsEnabled()) {
        if (SCIMCommonConstants.EQ.equalsIgnoreCase(filterOperation)) {
            if (StringUtils.equals(attributeName, SCIMConstants.UserSchemaConstants.USER_NAME_URI) && !StringUtils
                    .contains(attributeValue, CarbonConstants.DOMAIN_SEPARATOR)) {
                return carbonUM.getRealmConfiguration().getUserStoreProperty(UserCoreConstants.RealmConfig.
                        PROPERTY_DOMAIN_NAME);
            }
        }
    }
    return null;
}

It would be great if we can test this concern proactively and release a fix.

[1] - #15253
@ashanthamara ashanthamara self-assigned this Jan 12, 2023
@DInuwan97
Copy link
Author

Fixed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ashanthamara ashanthamara

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@DInuwan97 @ashanthamara