[midPoint-git] [Evolveum/midpoint] 48e266: Support encryption for cached shadow passwords
mederly
noreply at github.com
Fri Nov 22 14:12:35 CET 2024
Branch: refs/heads/master
Home: https://github.com/Evolveum/midpoint
Commit: 48e266a5fb8e31841bcdcc9fa078a6ba73107baf
https://github.com/Evolveum/midpoint/commit/48e266a5fb8e31841bcdcc9fa078a6ba73107baf
Author: Pavol Mederly <mederly at evolveum.com>
Date: 2024-11-21 (Thu, 21 Nov 2024)
Changed paths:
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/login/PageRegistrationBase.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/login/module/PageAbstractAuthenticationModule.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/lostusername/PageIdentityRecovery.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/config/AbstractResourceObjectDefinitionConfigItem.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/config/ResourceAttributeDefinitionConfigItem.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/merger/package-info.java
A infra/schema/src/main/java/com/evolveum/midpoint/schema/merger/securitypolicy/SecurityPolicyCustomMerger.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/processor/ResourceObjectDefinition.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/processor/ResourceSchemaParser.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ObjectTypeUtil.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ShadowBuilder.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ShadowUtil.java
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/entry/point/HttpSecurityQuestionsAuthenticationEntryPoint.java
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/filter/AuthenticationWrapper.java
M model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelInteractionService.java
M model/model-common/src/main/java/com/evolveum/midpoint/model/common/archetypes/ArchetypeManager.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelBeans.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelObjectResolver.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/expr/MidpointFunctionsImpl.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensProjectionContext.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/construction/EvaluatedAssignedResourceObjectConstructionImpl.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/executor/FocusChangeExecution.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/credentials/CredentialsProcessor.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/credentials/ProjectionCredentialsProcessor.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/loader/ContextLoader.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/loader/ProjectionUpdateOperation.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/GuiProfileCompiler.java
A model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/ModelSecurityPolicyFinder.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SecurityHelper.java
M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java
M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/AbstractPasswordTest.java
M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordDefault.java
M model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
M provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/shadows/ShadowsLocalBeans.java
M provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/shadows/manager/OperationResultRecorder.java
M provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/shadows/manager/ShadowCreator.java
M provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/shadows/manager/ShadowDeltaComputerAbsolute.java
M provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/shadows/manager/ShadowDeltaComputerRelative.java
M provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/shadows/manager/ShadowObjectComputer.java
M provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/shadows/manager/ShadowUpdater.java
M provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/dummy/AbstractBasicDummyTest.java
M provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/dummy/AbstractDummyTest.java
A provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/dummy/TestDummyPasswordCaching.java
M provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/opendj/TestOpenDj.java
M provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/opendj/TestOpenDjIncompletePassword.java
M provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/opendj/TestOpenDjReadablePassword.java
A provisioning/provisioning-impl/src/test/resources/dummy/dummy-password-caching/resource-dummy-template.xml
A provisioning/provisioning-impl/src/test/resources/dummy/dummy-password-caching/security-policy-hashing.xml
R provisioning/provisioning-impl/src/test/resources/dummy/modify-will-disable.xml
R provisioning/provisioning-impl/src/test/resources/dummy/modify-will-enable.xml
A repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/security/CredentialsStorageManager.java
A repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/security/SecurityPolicyFinder.java
M repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java
M repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/DummyTestResource.java
R repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/MetadataAsserter.java
M repo/security-api/src/main/java/com/evolveum/midpoint/security/api/SecurityUtil.java
Log Message:
-----------
Support encryption for cached shadow passwords
This commit improves the shadow password caching, enabling both
encrypted and hashed password storage - driven by either global
or object class/type specific security policy.
It also downgrades the legacy caching mode to the original behavior:
hashed passwords only, and NOT updated on the shadow fetch operation.
It is to avoid unwanted changes for deployments being upgraded.
Related architectural changes:
1. Code for finding appropriate security policy was moved into newly
created SecurityPolicyFinder (repo-common) and ModelSecurityPolicyFinder
(model-impl). Also, related APIs were untangled and clarified, namely
the ModelInteractionService#getSecurityPolicy method that combined
focus+archetype policy lookup in not quite intuitive way.
2. Storage for credentials (focus and shadow) is managed by
CredentialsStorageManager: it does not store them directly, but transforms
objects and deltas before they are actually sent to the repository.
3. Logic for merging security policies was moved to
SecurityPolicyCustomMerger (schema), to be close to the other mergers.
!!! There are significant differences to the other merging algorithms,
which can cause problems in the long run - similar to those with merging
capabilities. !!!
Work in progress. Some tests are yet to be written; in particular, tests
related to transitions between configuration settings.
Commit: 3c5dfc23c4eb4731f3db9f59d45adbc9fb731c2c
https://github.com/Evolveum/midpoint/commit/3c5dfc23c4eb4731f3db9f59d45adbc9fb731c2c
Author: Pavol Mederly <mederly at evolveum.com>
Date: 2024-11-21 (Thu, 21 Nov 2024)
Changed paths:
M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestConnectorDummyFake.java
Log Message:
-----------
Fix TestConnectorDummyFake
Now the global policy object must exist for provisioning operations.
Commit: 130ecc9549257c34a4d7b4dd28666ccb58b63591
https://github.com/Evolveum/midpoint/commit/130ecc9549257c34a4d7b4dd28666ccb58b63591
Author: Pavol Mederly <mederly at evolveum.com>
Date: 2024-11-22 (Fri, 22 Nov 2024)
Changed paths:
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/login/PageRegistrationBase.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/login/module/PageAbstractAuthenticationModule.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/gui/impl/page/lostusername/PageIdentityRecovery.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/config/AbstractResourceObjectDefinitionConfigItem.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/config/ResourceAttributeDefinitionConfigItem.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/merger/package-info.java
A infra/schema/src/main/java/com/evolveum/midpoint/schema/merger/securitypolicy/SecurityPolicyCustomMerger.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/processor/ResourceObjectDefinition.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/processor/ResourceSchemaParser.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ObjectTypeUtil.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ShadowBuilder.java
M infra/schema/src/main/java/com/evolveum/midpoint/schema/util/ShadowUtil.java
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/entry/point/HttpSecurityQuestionsAuthenticationEntryPoint.java
M model/authentication-impl/src/main/java/com/evolveum/midpoint/authentication/impl/filter/AuthenticationWrapper.java
M model/model-api/src/main/java/com/evolveum/midpoint/model/api/ModelInteractionService.java
M model/model-common/src/main/java/com/evolveum/midpoint/model/common/archetypes/ArchetypeManager.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelBeans.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelObjectResolver.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/controller/ModelInteractionServiceImpl.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/expr/MidpointFunctionsImpl.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/LensProjectionContext.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/construction/EvaluatedAssignedResourceObjectConstructionImpl.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/executor/FocusChangeExecution.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/credentials/CredentialsProcessor.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/credentials/ProjectionCredentialsProcessor.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/loader/ContextLoader.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/projector/loader/ProjectionUpdateOperation.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/GuiProfileCompiler.java
A model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/ModelSecurityPolicyFinder.java
M model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/security/SecurityHelper.java
M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/AbstractConfiguredModelIntegrationTest.java
M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/TestConnectorDummyFake.java
M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/AbstractPasswordTest.java
M model/model-intest/src/test/java/com/evolveum/midpoint/model/intest/password/TestPasswordDefault.java
M model/model-test/src/main/java/com/evolveum/midpoint/model/test/AbstractModelIntegrationTest.java
M provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/shadows/ShadowsLocalBeans.java
M provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/shadows/manager/OperationResultRecorder.java
M provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/shadows/manager/ShadowCreator.java
M provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/shadows/manager/ShadowDeltaComputerAbsolute.java
M provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/shadows/manager/ShadowDeltaComputerRelative.java
M provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/shadows/manager/ShadowObjectComputer.java
M provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/shadows/manager/ShadowUpdater.java
M provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/dummy/AbstractBasicDummyTest.java
M provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/dummy/AbstractDummyTest.java
A provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/dummy/TestDummyPasswordCaching.java
M provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/opendj/TestOpenDj.java
M provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/opendj/TestOpenDjIncompletePassword.java
M provisioning/provisioning-impl/src/test/java/com/evolveum/midpoint/provisioning/impl/opendj/TestOpenDjReadablePassword.java
A provisioning/provisioning-impl/src/test/resources/dummy/dummy-password-caching/resource-dummy-template.xml
A provisioning/provisioning-impl/src/test/resources/dummy/dummy-password-caching/security-policy-hashing.xml
R provisioning/provisioning-impl/src/test/resources/dummy/modify-will-disable.xml
R provisioning/provisioning-impl/src/test/resources/dummy/modify-will-enable.xml
A repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/security/CredentialsStorageManager.java
A repo/repo-common/src/main/java/com/evolveum/midpoint/repo/common/security/SecurityPolicyFinder.java
M repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/AbstractIntegrationTest.java
M repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/DummyTestResource.java
R repo/repo-test-util/src/main/java/com/evolveum/midpoint/test/asserter/MetadataAsserter.java
M repo/security-api/src/main/java/com/evolveum/midpoint/security/api/SecurityUtil.java
Log Message:
-----------
Merge branch 'tmp/password-caching-test'
Compare: https://github.com/Evolveum/midpoint/compare/f94505100e3f...130ecc954925