How to provide password values to bulk actions (and other task types) securely

Last modified 22 Apr 2021 17:31 +02:00

MidPoint automatically encrypts all protected string values that it recognizes in objects that are to be stored into repository. The key precondition is that such protected strings are recognizable. So, for example, if you provide a password as a part of a Groovy script, midPoint has no chance of detecting it. In a similar way, if you provide it as a part of untyped XML/JSON/REST value, midPoint cannot recognize it, at least not until the time of interpretation of this data (i.e. at the time of task execution), that is obviously too late.

So, in order to ensure that a value is protected, it has to be correctly typed.

For example:

Correct way of marking protected data
<task xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" oid="9de76345-0f02-48de-86bf-e7a887cb374a">
    <name>Task 1555581798624-0-1</name>
    <extension xmlns:se="http://midpoint.evolveum.com/xml/ns/public/model/scripting/extension-3">
        <se:executeScript xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3">
            <s:pipeline list="true">
                <s:search>
                    <s:type>c:UserType</s:type>
                    <s:searchFilter>
                        <q:equal>
                            <q:path>c:name</q:path>
                            <q:value>jack</q:value>
                        </q:equal>
                    </s:searchFilter>
                </s:search>
                <s:action>
                    <s:type>modify</s:type>
                    <s:parameter>
                        <s:name>delta</s:name>
                        <value xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="t:ObjectDeltaType">  <!-- note xsi:type specification here -->
                            <t:changeType>modify</t:changeType>
                            <t:objectType>UserType</t:objectType>
                            <t:itemDelta>
                                <t:modificationType>replace</t:modificationType>
                                <t:path>credentials/password/value</t:path>
                                <t:value xsi:type="t:ProtectedStringType">  <!-- note xsi:type specification here -->
                                    <t:clearValue>pass1234word</t:clearValue>
                                </t:value>
                            </t:itemDelta>
                        </value>
                    </s:parameter>
                </s:action>
            </s:pipeline>
        </se:executeScript>
    </extension>
    <taskIdentifier>1555581798624-0-1</taskIdentifier>
    <ownerRef oid="00000000-0000-0000-0000-000000000002" relation="org:default" type="c:UserType">
        <!-- administrator -->
    </ownerRef>
    <executionStatus>runnable</executionStatus>
    <category>BulkActions</category>
    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/scripting/handler-3</handlerUri>
    <recurrence>single</recurrence>
    <binding>tight</binding>
</task>

Note the xsi:type declarations on lines 23 and 29. It is necessary to specify item types at all places where arbitrary objects can be used, namely in bulk actions parameters, and in item delta values.