
Exception when oxOTPDevices is set. Prevents users' edition #1476

Closed
jgomer2001 opened this issue Jan 21, 2019 · 2 comments

Comments

@jgomer2001
Contributor

commented Jan 21, 2019

Parsing of extra info for OTP devices is throwing exceptions like this:

2019-01-18 20:24:38,915 ERROR [qtp804611486-1067] [org.gluu.oxtrust.action.SearchPersonAction] (SearchPersonAction.java:79) - Failed to find persons
org.gluu.site.ldap.persistence.exception.MappingException: Failed to convert json value '{"devices":[{"nickName":"Will's Google Authenticator","addedOn":1513356709934,"id":-1446127981},{"nickName":"wills autrhw]emntizor","addedOn":1513379736935,"id":-1096318736},{"nickName":"iOS FreeOTP","addedOn":1515194736557,"id":955771149},{"nickName":"iOS Authy","addedOn":1515194974032,"id":-1687078274},{"nickName":"Pixel2 Smart Authenticator","addedOn":1538580407629,"id":-799738797,"soft":true},{"nickName":"Will's Google Authenticator Pixel 2","addedOn":1538621976956,"id":1306191736,"soft":true},{"nickName":"Yuriy's Google OTP","addedOn":1539264391897,"id":787102439,"soft":true},{"nickName":"Nat's Duo","addedOn":1541552496457,"id":-2070827088,"soft":true},{"nickName":"admin","addedOn":1542207561080,"id":-806460768,"soft":true}]}' to object
	at org.gluu.site.ldap.persistence.AbstractEntryManager.convertStringToJson(AbstractEntryManager.java:1115) ~[oxcore-ldap-3.1.5.Final.jar:?]
	at org.gluu.site.ldap.persistence.AbstractEntryManager.setPropertyValue(AbstractEntryManager.java:1100) ~[oxcore-ldap-3.1.5.Final.jar:?]
	at org.gluu.site.ldap.persistence.AbstractEntryManager.createEntities(AbstractEntryManager.java:655) ~[oxcore-ldap-3.1.5.Final.jar:?]
	at org.gluu.site.ldap.persistence.AbstractEntryManager.createEntities(AbstractEntryManager.java:588) ~[oxcore-ldap-3.1.5.Final.jar:?]
	at org.gluu.site.ldap.persistence.LdapEntryManager.createEntities(LdapEntryManager.java:595) ~[oxcore-ldap-3.1.5.Final.jar:?]
	at org.gluu.site.ldap.persistence.LdapEntryManager.findEntries(LdapEntryManager.java:413) ~[oxcore-ldap-3.1.5.Final.jar:?]
	at org.gluu.site.ldap.persistence.LdapEntryManager.findEntries(LdapEntryManager.java:373) ~[oxcore-ldap-3.1.5.Final.jar:?]
	at org.gluu.site.ldap.persistence.LdapEntryManager.findEntries(LdapEntryManager.java:369) ~[oxcore-ldap-3.1.5.Final.jar:?]
	at org.gluu.site.ldap.persistence.LdapEntryManager.findEntries(LdapEntryManager.java:353) ~[oxcore-ldap-3.1.5.Final.jar:?]
	at org.gluu.site.ldap.persistence.LdapEntryManager$Proxy$_$$_WeldClientProxy.findEntries(Unknown Source) ~[oxcore-ldap-3.1.5.Final.jar:?]
	at org.gluu.oxtrust.ldap.service.PersonService.searchPersons(PersonService.java:188) ~[classes/:?]
	at org.gluu.oxtrust.action.SearchPersonAction.search(SearchPersonAction.java:74) [classes/:?]
	at org.gluu.oxtrust.action.SearchPersonAction$Proxy$_$$_WeldSubclass.search$$super(Unknown Source) [classes/:?]

This occurs when supplying a search string in the "manage people" form, if any of the potential candidates to be displayed has the optional attribute oxOTPDevices set. This attribute is used by Casa to attach extra information to the oxExternalUid when the enrollment is an OTP device (i.e. oxExternalUid starts with hotp: or totp:).

In this case the user is bumped to the home page so there is no way to edit the user(s):

(screenshot: error_after_search)

Here is an example of what oxOTPDevices looks like for a user:

{"devices":[
{"nickName":"Will's Google Authenticator","addedOn":1544651679614,"id":607491823,"soft":true},
{"nickName":"Will's pink keyfob","addedOn":1544651679634,"id":607491829,"soft":false}
]}

- addedOn is a time stamp relative to the Unix epoch
- soft indicates whether this is a soft or hard token (the type of OTP credential)
- id is obtained from the following operation:

    // Derive the device id from the oxExternalUid value (uid): drop the
    // hotp:/totp: prefix, keep what precedes the first ';', then hash it.
    String str = uid.replaceFirst("hotp:", "").replaceFirst("totp:", "");
    int idx = str.indexOf(";");
    if (idx > 0) {
        str = str.substring(0, idx);
    }
    int id = str.hashCode();

where uid is the value of the oxExternalUid attribute.

Overall, it's similar to how oxMobileDevices is handled...

When there is no oxOTPDevices set, and there is still a value in oxExternalUid, something like this is shown:

(screenshot: creds_otp_simple)

"Modality" shows "passport" which is not appropriate. "passport" should be used when oxExternalUid starts with passport-. In the case of the image above there should be no nickname (as in date added), and the modality should be "totp".
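As an added example (not code from oxTrust or Casa), the correlation this report describes, written in Python: it replicates Java's String.hashCode so the ids it computes equal the ones Casa stores, derives the device id from oxExternalUid exactly as in the snippet above, decides the modality from the oxExternalUid prefix rather than from oxOTPDevices, and joins each OTP enrollment with its oxOTPDevices entry, leaving the nickname empty when there is none. The uids and device entries are constructed sample values.

```python
import json

def java_hash_code(s: str) -> int:
    """Replicate java.lang.String.hashCode(): h = 31*h + char, wrapped to a
    signed 32-bit int, so ids computed here equal the ones Casa stores."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - 0x100000000 if h >= 0x80000000 else h

def otp_device_id(ox_external_uid: str) -> int:
    """Same derivation as the snippet in the issue: drop the first hotp:/totp:,
    keep what precedes the first ';', then hash."""
    s = ox_external_uid.replace("hotp:", "", 1).replace("totp:", "", 1)
    idx = s.find(";")
    if idx > 0:
        s = s[:idx]
    return java_hash_code(s)

def modality(ox_external_uid: str) -> str:
    """Modality is decided by the oxExternalUid prefix, never by oxOTPDevices."""
    for prefix, name in (("hotp:", "hotp"), ("totp:", "totp"), ("passport-", "passport")):
        if ox_external_uid.startswith(prefix):
            return name
    return "unknown"

def list_enrollments(ox_external_uids, ox_otp_devices_json=None):
    """One row per oxExternalUid; OTP rows are enriched from the oxOTPDevices
    entry with the matching id. No oxOTPDevices -> correct modality, no nickname."""
    devices = {}
    if ox_otp_devices_json:
        for d in json.loads(ox_otp_devices_json).get("devices", []):
            devices[d["id"]] = d
    rows = []
    for uid in ox_external_uids:
        row = {"uid": uid, "modality": modality(uid),
               "nickName": None, "addedOn": None, "soft": None}
        d = devices.get(otp_device_id(uid)) if row["modality"] in ("hotp", "totp") else None
        if d:
            row.update(nickName=d.get("nickName"), addedOn=d.get("addedOn"), soft=d.get("soft"))
        rows.append(row)
    return rows

# Constructed sample data (hypothetical secrets, not from any real deployment).
SAMPLE_UIDS = ["totp:JBSWY3DPEHPK3PXP;extra", "hotp:GEZDGNBVGY3TQOJQ", "passport-github:12345"]
SAMPLE_OX_OTP_DEVICES = json.dumps({"devices": [
    {"nickName": "Will's Google Authenticator", "addedOn": 1544651679614,
     "id": otp_device_id(SAMPLE_UIDS[0]), "soft": True}]})
```

`list_enrollments(SAMPLE_UIDS, SAMPLE_OX_OTP_DEVICES)` returns one dict per enrollment: the totp row carries the nickname and token type from oxOTPDevices, the hotp row has modality "hotp" and no nickname, and the passport row is never matched against oxOTPDevices.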

@jgomer2001

Contributor Author

commented Jan 23, 2019

@syntrydy I still don't see the improvements discussed:

  1. I'd prefer the key displayed, not the hash
     (screenshot: key)

  2. You are still treating oxExternalUid and oxOTPDevices as separate entities when it has to do with HOTP/TOTP:
     (screenshot: duplicated)

(-1505838864 appears twice in this example). Also, what's the idea of the link in the last row? When clicked, it takes you to the oops page...

Take into account, with regard to oxOTPDevices:

This attribute is used by Casa to attach extra information to the oxExternalUid when the enrollment is an OTP device

Please log in to oxTrust on the dc host and check how the admin user looks, for instance... it lists 18 enrollments of this kind; that's not right.

@syntrydy

Collaborator

commented Jan 24, 2019

@jgomer2001, check the current result on dc.

syntrydy added a commit that referenced this issue Jan 24, 2019

Merge pull request #1487 from /issues/1476
Exception when oxOTPDevices is set. Prevents users' edition #1476

@jgomer2001 jgomer2001 closed this Jan 30, 2019
