[midPoint-git] [Evolveum/midpoint] 48e266: Support encryption for cached shadow passwords

mederly noreply at github.com
Thu Nov 21 19:12:25 CET 2024


  Branch: refs/heads/tmp/password-caching-test
  Home:   https://github.com/Evolveum/midpoint
  Commit: 48e266a5fb8e31841bcdcc9fa078a6ba73107baf
      https://github.com/Evolveum/midpoint/commit/48e266a5fb8e31841bcdcc9fa078a6ba73107baf
  Author: Pavol Mederly <mederly at evolveum.com>
  Date:   2024-11-21 (Thu, 21 Nov 2024)

  Changed paths:
    M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/login/PageRegistrationBase.java
    M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/login/module/PageAbstractAuthenticationModule.java
    M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/lostusername/PageIdentityRecovery.java
    M infra/schema/src/main/java/com/evolveum/midpoint/schema/config/AbstractResourceObjectDefinitionConfigItem.java
    M infra/schema/src/main/java/com/evolveum/midpoint/schema/config/ResourceAttributeDefinitionConfigItem.java
    M infra/schema/src/main/java/com/evolveum/midpoint/schema/merger/package-info.java
    A infra/schema/src/main/java/com/evolveum/midpoint/schema/merger/securitypolicy/SecurityPolicyCustomMerger.java
    M infra/schema/src/main/java/com/evolveum/midpoint/schema/processor/ResourceObjectDefinition.java
    M infra/schema/src/main/java/com/evolveum/midpoint/schema/processor/ResourceSchemaParser.java
    M infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ObjectTypeUtil.java
    M infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ShadowBuilder.java
    M infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ShadowUtil.java
    M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/entry/point/HttpSecurityQuestionsAuthenticationEntryPoint.java
    M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/filter/AuthenticationWrapper.java
    M model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelInteractionService.java
    M model/model-common/src/main/java/com/evolveum/midpoint/model/common/archetypes/ArchetypeManager.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelBeans.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelObjectResolver.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/expr/MidpointFunctionsImpl.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensProjectionContext.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/construction/EvaluatedAssignedResourceObjectConstructionImpl.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/executor/FocusChangeExecution.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/credentials/CredentialsProcessor.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/credentials/ProjectionCredentialsProcessor.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/loader/ContextLoader.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/loader/ProjectionUpdateOperation.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/GuiProfileCompiler.java
    A model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/ModelSecurityPolicyFinder.java
    M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SecurityHelper.java
    M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java
    M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/AbstractPasswordTest.java
    M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordDefault.java
    M model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
    M provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/shadows/ShadowsLocalBeans.java
    M provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/shadows/manager/OperationResultRecorder.java
    M provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/shadows/manager/ShadowCreator.java
    M provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/shadows/manager/ShadowDeltaComputerAbsolute.java
    M provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/shadows/manager/ShadowDeltaComputerRelative.java
    M provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/shadows/manager/ShadowObjectComputer.java
    M provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/shadows/manager/ShadowUpdater.java
    M provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/dummy/AbstractBasicDummyTest.java
    M provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/dummy/AbstractDummyTest.java
    A provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/dummy/TestDummyPasswordCaching.java
    M provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/opendj/TestOpenDj.java
    M provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/opendj/TestOpenDjIncompletePassword.java
    M provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/opendj/TestOpenDjReadablePassword.java
    A provisioning/provisioning-impl/src/test/resources/dummy/dummy-password-caching/resource-dummy-template.xml
    A provisioning/provisioning-impl/src/test/resources/dummy/dummy-password-caching/security-policy-hashing.xml
    R provisioning/provisioning-impl/src/test/resources/dummy/modify-will-disable.xml
    R provisioning/provisioning-impl/src/test/resources/dummy/modify-will-enable.xml
    A repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/security/CredentialsStorageManager.java
    A repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/security/SecurityPolicyFinder.java
    M repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java
    M repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/DummyTestResource.java
    R repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/MetadataAsserter.java
    M repo/security-api/src/main/java/com/evolveum/midpoint/security/api/SecurityUtil.java

  Log Message:
  -----------
  Support encryption for cached shadow passwords

This commit improves the shadow password caching, enabling both
encrypted and hashed password storage - driven by either global
or object class/type specific security policy.

It also downgrades the legacy caching mode to the original behavior:
hashed passwords only, and NOT updated on the shadow fetch operation.
It is to avoid unwanted changes for deployments being upgraded.

Related architectural changes:

1. Code for finding appropriate security policy was moved into newly
created SecurityPolicyFinder (repo-common) and ModelSecurityPolicyFinder
(model-impl). Also, related APIs were untangled and clarified, namely
the ModelInteractionService#getSecurityPolicy method that combined
focus+archetype policy lookup in a not quite intuitive way.

2. Storage for credentials (focus and shadow) is managed by
CredentialsStorageManager: not directly storing them, but transforming
objects and deltas before they are actually sent to the repository.

3. Logic for merging security policies was moved to
SecurityPolicyCustomMerger (schema), to be close to the other mergers.

!!! There are significant differences to the other merging algorithms,
which can cause problems in the long run - similar to those with merging
capabilities. !!!

Work in progress. Some tests are yet to be written; in particular, tests
related to transitions between configuration settings.
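As an added illustration (not midPoint's code: the function names, the dict layout of the stored forms and the stand-in cipher are assumptions made for this sketch), the following Python models the behaviour the commit message describes: an object class/type policy overriding the global one, legacy mode hashing only and leaving the cached value untouched on a shadow fetch, and a CredentialsStorageManager-style transform applied before the shadow reaches the repository.

```python
# Added sketch of policy-driven storage for cached shadow passwords. Not
# midPoint's code: names, dict layout and the toy cipher are made up here.
import hashlib, hmac, os

HASHING, ENCRYPTION = "hashing", "encryption"
def effective_storage(global_policy, type_policy):
    """Type policy beats global; no policy at all means legacy mode (hash only)."""
    if type_policy is not None:
        return type_policy, False
    if global_policy is not None:
        return global_policy, False
    return HASHING, True

def hash_password(clear, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", clear.encode(), salt, 100_000)
    return {"hashedData": {"salt": salt.hex(), "digest": digest.hex()}}

def verify_hashed(clear, stored):
    h = stored["hashedData"]
    got = hashlib.pbkdf2_hmac("sha256", clear.encode(), bytes.fromhex(h["salt"]), 100_000)
    return hmac.compare_digest(got.hex(), h["digest"])

def _keystream(key, nonce, n):
    # Toy stand-in for a keystore-backed cipher (HMAC-SHA256 in counter mode),
    # only so the sketch runs offline; a real deployment uses a proper AEAD.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt_password(clear, key):
    nonce, data = os.urandom(12), clear.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return {"encryptedData": {"nonce": nonce.hex(), "cipher": ct.hex()}}

def decrypt_password(stored, key):
    e = stored["encryptedData"]
    nonce, ct = bytes.fromhex(e["nonce"]), bytes.fromhex(e["cipher"])
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def transform_shadow_password(shadow, clear, op, global_policy, type_policy, key):
    """Replace a clear-text password by its protected form before the shadow
    goes to the repository. op is "provision" or "fetch"."""
    storage, legacy = effective_storage(global_policy, type_policy)
    if legacy and op == "fetch":
        return shadow  # legacy mode: the cached value is not updated on fetch
    protected = encrypt_password(clear, key) if storage == ENCRYPTION else hash_password(clear)
    return {**shadow, "password": protected}
```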


