[midPoint] Custom Schema and ProtectedString

Paul Heaney lists at pheaney.co.uk
Wed Oct 2 20:50:13 CEST 2013


Hi Radovan,

Thanks for this, this was a request we've had from a prospective
customer though it's still at the early stages so we can wait a bit for
this.  I did attempt changing the stringify function in the
BasicExpressionFunctions class though this resulted in the same lack
of a synchronised attribute.

Our main use case for this at the moment is where we need to
synchronise a sensitive value to another system (predominantly a
database) and the value is encrypted in that system using platform
specific functionality, so the only way to do this as far as I can see
is to store it encrypted within midPoint and then either pass it
unencrypted (over SSL) to a database specific function or perform the
relevant encryption/hash on the resource.

Cheers
Paul

On 2 October 2013 08:32, Radovan Semancik <radovan.semancik at evolveum.com> wrote:
> Hi,
>
> MidPoint should be able to synchronize properties of type
> ProtectedStringType. However I must confess we have probably never tried to
> do this (except for password obviously, but credentials are using a
> different code path than ordinary attributes).
>
> However, there may be an obvious drawback if you synchronize
> ProtectedStringType with plain string. The value becomes "unprotected"
> during the conversion to string. Also you might need to explicitly decrypt
> the value in some cases (I can provide method for that).
>
> I can have a look at this later:
> https://jira.evolveum.com/browse/MID-1625
> How important is this for you? Is it critical or can you live without it for
> a couple of days?
>
>
> --
> Radovan Semancik
> Software Architect
> evolveum.com
>
> On 10/01/2013 09:11 PM, Paul Heaney wrote:
>>
>> Hi Radovan,
>>
>> Many thanks for this, I'm now trying to synchronise the ProtectedString
>> though it is not synchronising.  I have the following attribute map:
>>
>> <c:attribute>
>> <c:ref
>> xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-2">ri:carLicense</c:ref>
>> <c:displayName>Car License</c:displayName>
>> <c:access>create</c:access>
>> <c:access>read</c:access>
>> <c:access>update</c:access>
>> <c:outbound>
>> <c:source>
>> <c:path xmlns:jim="http://justidm.salfordsoftware.co.uk/xml/ns/justIDM"
>>
>> xmlns:gen859="http://midpoint.evolveum.com/xml/ns/fake/sqlRepository-1.xsd"
>> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>> xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-2"
>>
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">$user/extension/jim:topSecret</c:path>
>> </c:source>
>> <c:expression>
>> <c:script>
>>
>> <c:language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</c:language>
>> <c:returnType>scalar</c:returnType>
>> <c:code xmlns:jim="http://justidm.salfordsoftware.co.uk/xml/ns/justIDM"
>>
>> xmlns:gen859="http://midpoint.evolveum.com/xml/ns/fake/sqlRepository-1.xsd"
>> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>> xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-2"
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>                           topSecret.getClearValue()
>> </c:code>
>> </c:script>
>> </c:expression>
>> </c:outbound>
>> </c:attribute>
>>
>> though this never appears to attempt to synchronise the value (if I leave
>> off the getClearValue I get an exception about a type mismatch between String
>> and ProtectedStringType, which is what I would expect).
>>
>> Also I suspect this is intended behaviour, though via the UI two text entry
>> boxes appear for protected strings as if it was a password.
>>
>> Thanks
>> Paul
>>
>> On 01/10/13 15:49, Radovan Semancik wrote:
>>>
>>> Hi Paul,
>>>
>>> Yes, it should work. However midPoint schema extension is XSD schema as
>>> any other. If you want to use datatypes from other schema you have to import
>>> it. Therefore use proper <xsd:import>:
>>>
>>> <xsd:schema elementFormDefault="qualified"
>>> targetNamespace="http://justidm.salfordsoftware.co.uk/xml/ns/justIDM"
>>> xmlns:tns="http://justidm.salfordsoftware.co.uk/xml/ns/justIDM"
>>> xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-2"
>>> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-2a"
>>>             xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>>>
>>> <xsd:import
>>> namespace="http://midpoint.evolveum.com/xml/ns/public/common/common-2a"/>
>>>
>>> <xsd:complexType name="UserExtensionType">
>>>
>>> ................
>>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
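As an added example (not part of the thread and not midPoint's own code), a small audit script for the caveat Radovan raises: it scans a resource definition for outbound mappings whose script calls getClearValue(), which is exactly where a ProtectedStringType leaves midPoint as a plain attribute. It assumes the common-2a namespace from the XSD import above; the wrapping root element and the second, ordinary attribute are constructed sample data.

```python
# Added example (not midPoint code): audit a resource definition for outbound
# mappings whose Groovy script calls getClearValue() on a ProtectedStringType,
# i.e. places where a protected value is mapped in clear to a resource.
import re
import xml.etree.ElementTree as ET

# Namespace taken from the <xsd:import> in the thread's XSD fragment.
C_NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-2a"
NS = {"c": C_NS}

# Constructed sample: the carLicense mapping from the thread plus one ordinary
# mapping, wrapped in a minimal root so the c: prefix resolves.
SAMPLE = """<resource xmlns:c="%s"
  xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-2"
  xmlns:jim="http://justidm.salfordsoftware.co.uk/xml/ns/justIDM">
  <c:attribute>
    <c:ref>ri:carLicense</c:ref>
    <c:outbound>
      <c:source><c:path>$user/extension/jim:topSecret</c:path></c:source>
      <c:expression><c:script>
        <c:returnType>scalar</c:returnType>
        <c:code> topSecret.getClearValue() </c:code>
      </c:script></c:expression>
    </c:outbound>
  </c:attribute>
  <c:attribute>
    <c:ref>ri:department</c:ref>
    <c:outbound><c:source><c:path>$user/organizationalUnit</c:path></c:source></c:outbound>
  </c:attribute>
</resource>""" % C_NS

CLEAR_CALL = re.compile(r"\bgetClearValue\s*\(")

def find_clear_value_mappings(xml_text):
    """Return [(attribute ref, source path)] for each outbound mapping whose
    script calls getClearValue(); an empty list means nothing to review."""
    root = ET.fromstring(xml_text)
    hits = []
    for attr in root.iter("{%s}attribute" % C_NS):
        ref = attr.findtext("c:ref", default="?", namespaces=NS).strip()
        for code in attr.findall("c:outbound/c:expression/c:script/c:code", NS):
            if CLEAR_CALL.search(code.text or ""):
                path = attr.findtext("c:outbound/c:source/c:path",
                                     default="?", namespaces=NS)
                hits.append((ref, path.strip()))
    return hits

if __name__ == "__main__":
    for ref, path in find_clear_value_mappings(SAMPLE):
        print("%s <- %s: protected value mapped in clear" % (ref, path))
```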