How to provide password values to actions (and other task types) securely

Last modified 29 Aug 2024 13:54 +02:00

MidPoint automatically encrypts all protected string values that it recognizes in objects that are to be stored into repository. The key precondition is that such protected strings are recognizable. So, for example, if you provide a password as a part of a Groovy script, midPoint has no chance of detecting it. In a similar way, if you provide it as a part of untyped XML/JSON/REST value, midPoint cannot recognize it, at least not until the time of interpretation of this data (i.e. at the time of task execution), that is obviously too late.

So, in order to ensure that a value is protected, it has to be correctly typed.

For example:

Correct way of marking protected data

Git

<?xml version="1.0" encoding="UTF-8"?>

<!--

  ~ Copyright (c) 2010-2024 Evolveum

  ~

  ~ Licensed under the Apache License, Version 2.0 (the "License");

  ~ you may not use this file except in compliance with the License.

  ~ You may obtain a copy of the License at

  ~

  ~     http://www.apache.org/licenses/LICENSE-2.0

  ~

  ~ Unless required by applicable law or agreed to in writing, software

  ~ distributed under the License is distributed on an "AS IS" BASIS,

  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  ~ See the License for the specific language governing permissions and

  ~ limitations under the License.

  -->

<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"

      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"

      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"

      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"

      xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"

      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" oid="9de76345-0f02-48de-86bf-e7a887cb374a">

    <name>Task replace password value</name>

    <ownerRef oid="00000000-0000-0000-0000-000000000002" relation="org:default" type="c:UserType">

        <!-- administrator -->

    </ownerRef>

    <executionState>runnable</executionState>

    <binding>tight</binding>

    <activity>

        <work>

            <iterativeScripting>

                <objects>

                    <type>UserType</type>

                    <query>

                        <q:filter>

                            <q:text>

                                name = "jack"

                            </q:text>

                        </q:filter>

                    </query>

                </objects>

                <scriptExecutionRequest>

                    <s:action>

                        <s:type>modify</s:type>

                        <s:parameter>

                            <s:name>delta</s:name>

                            <value xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="t:ObjectDeltaType">  <!-- note xsi:type specification here -->

                                <t:changeType>modify</t:changeType>

                                <t:objectType>UserType</t:objectType>

                                <t:itemDelta>

                                    <t:modificationType>replace</t:modificationType>

                                    <t:path>credentials/password/value</t:path>

                                    <t:value xsi:type="t:ProtectedStringType">  <!-- note xsi:type specification here -->

                                        <t:clearValue>y0uR_P455woR*d</t:clearValue>

                                    </t:value>

                                </t:itemDelta>

                            </value>

                        </s:parameter>

                    </s:action>

                </scriptExecutionRequest>

            </iterativeScripting>

        </work>

    </activity>

</task>

Note the xsi:type declarations on lines 53 and 48. It is necessary to specify item types at all places where arbitrary objects can be used, namely in actions parameters, and in item delta values.

Was this page helpful?
YES NO
Thanks for your feedback