<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      oid="9de76345-0f02-48de-86bf-e7a887cb374a">
    <name>Task replace password value</name>
    <ownerRef oid="00000000-0000-0000-0000-000000000002" relation="org:default" type="c:UserType">
        <!-- administrator -->
    </ownerRef>
    <executionState>runnable</executionState>
    <binding>tight</binding>
    <activity>
        <work>
            <iterativeScripting>
                <objects>
                    <type>UserType</type>
                    <query>
                        <q:filter>
                            <q:text>
                                name = "jack"
                            </q:text>
                        </q:filter>
                    </query>
                </objects>
                <scriptExecutionRequest>
                    <s:action>
                        <s:type>modify</s:type>
                        <s:parameter>
                            <s:name>delta</s:name>
                            <value xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="t:ObjectDeltaType"> <!-- note xsi:type specification here -->
                                <t:changeType>modify</t:changeType>
                                <t:objectType>UserType</t:objectType>
                                <t:itemDelta>
                                    <t:modificationType>replace</t:modificationType>
                                    <t:path>credentials/password/value</t:path>
                                    <t:value xsi:type="t:ProtectedStringType"> <!-- note xsi:type specification here -->
                                        <t:clearValue>y0uR_P455woR*d</t:clearValue>
                                    </t:value>
                                </t:itemDelta>
                            </value>
                        </s:parameter>
                    </s:action>
                </scriptExecutionRequest>
            </iterativeScripting>
        </work>
    </activity>
</task>
How to provide password values to actions (and other task types) securely
MidPoint automatically encrypts all protected string values that it recognizes in objects that are about to be stored into the repository. The key precondition is that such protected strings are recognizable. So, for example, if you provide a password as part of a Groovy script, midPoint has no chance of detecting it. Similarly, if you provide it as part of an untyped XML/JSON/REST value, midPoint cannot recognize it until the data is interpreted (i.e. at the time of task execution), which is obviously too late: by then the clear-text value has already been stored.
So, in order to ensure that a value is protected, it has to be correctly typed.
The task listing above ("Correct way of marking protected data") shows this. Note the two xsi:type declarations, each marked with a "note xsi:type specification here" comment: one on the value element of the delta parameter (xsi:type="t:ObjectDeltaType") and one on the t:value element that carries the clear-text password (xsi:type="t:ProtectedStringType").
It is necessary to specify item types at all places where arbitrary objects can be used, namely in action parameters and in item delta values.
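The following is an added example, not midPoint's own code or part of its documentation: a small pre-import check that walks a task XML file and reports any clearValue element that is not wrapped in the two typed elements shown above (a t:value with xsi:type="t:ProtectedStringType", inside a delta value with xsi:type="t:ObjectDeltaType"). The rule it enforces is an assumption drawn from the listing above, the build_task helper and the placeholder password are constructed sample data, and the function names are hypothetical.

```python
"""Pre-import check for midPoint task XML: flag clear-text password values
that midPoint could not recognise as protected strings (and so would not
encrypt) because the enclosing elements lack the required xsi:type markers.

Added example; not midPoint code. The ancestor/type rule is an assumption
taken from the task listing in the text above, not a midPoint API."""
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample task, trimmed from the listing above. DELTA_TYPE and
# VALUE_TYPE are placeholders that build_task() fills in or leaves empty.
TASK_TEMPLATE = """<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <name>Task replace password value</name>
  <activity><work><iterativeScripting>
    <scriptExecutionRequest>
      <s:action>
        <s:type>modify</s:type>
        <s:parameter>
          <s:name>delta</s:name>
          <value DELTA_TYPE>
            <t:changeType>modify</t:changeType>
            <t:objectType>UserType</t:objectType>
            <t:itemDelta>
              <t:modificationType>replace</t:modificationType>
              <t:path>credentials/password/value</t:path>
              <t:value VALUE_TYPE>
                <t:clearValue>example-placeholder-password</t:clearValue>
              </t:value>
            </t:itemDelta>
          </value>
        </s:parameter>
      </s:action>
    </scriptExecutionRequest>
  </iterativeScripting></work></activity>
</task>"""


def build_task(typed_delta=True, typed_value=True):
    """Render the sample task with or without each of the two xsi:type markers."""
    return (TASK_TEMPLATE
            .replace("DELTA_TYPE", 'xsi:type="t:ObjectDeltaType"' if typed_delta else "")
            .replace("VALUE_TYPE", 'xsi:type="t:ProtectedStringType"' if typed_value else ""))


def local(name):
    """Reduce '{uri}name' (ElementTree form) or 'prefix:name' to the bare local name."""
    if name.startswith("{"):
        return name.rsplit("}", 1)[1]
    return name.rsplit(":", 1)[-1]


def find_untyped_secrets(xml_text):
    """Return a list of problem descriptions; an empty list means every
    clearValue is correctly typed and midPoint can encrypt it on store."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    problems = []
    for el in root.iter():
        if local(el.tag) != "clearValue":
            continue
        wrapper = parent_of.get(el)
        if wrapper is None:
            problems.append("<clearValue> has no enclosing element at all")
            continue
        # Check 1: the direct wrapper must be typed as a protected string.
        if local(wrapper.get(XSI_TYPE, "")) != "ProtectedStringType":
            problems.append(
                f'<clearValue> under <{local(wrapper.tag)}> lacks xsi:type="t:ProtectedStringType"')
        # Check 2: some ancestor must be the delta parameter value, typed as an object delta.
        node = wrapper
        while node is not None:
            if local(node.tag) == "value" and local(node.get(XSI_TYPE, "")) == "ObjectDeltaType":
                break
            node = parent_of.get(node)
        else:
            problems.append(
                'password delta is not carried in a <value xsi:type="t:ObjectDeltaType"> action parameter')
    return problems


if __name__ == "__main__":
    for flags in [(True, True), (True, False), (False, True), (False, False)]:
        print(flags, find_untyped_secrets(build_task(*flags)) or "OK")
```

Running the block prints one line per combination of markers; only the fully typed task passes. The check deliberately compares local names only, so it accepts any prefix bound to the types-3 namespace, and it does not try to inspect Groovy script bodies: as the text says, a password embedded in a script is invisible to midPoint, so the only defence there is not to put it in a script in the first place.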