[OAK-4397] DefaultSyncContext.syncMembership may sync group of a foreign IDP - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.2.19, 1.4.7, 1.5.3, 1.6.0
Component/s: auth-external
Labels:
- security

Description

With the following scenario the DefaultSyncContext.syncMembership may end up synchronizing (i.e. updating) a group defined by an foreign IDP and even add the user to be synchronized as a new member:

configuration with different IDPs
foreign IDP synchronizes a given external group 'groupA' => rep:externalID points to foreign-IDP (e.g. rep:externalId = 'groupA;foreignIDP')
my-IDP contains a group with the same ID (but obviously with a different rep:externalID) and user that has declared group membership pointing to 'groupA' from my IDP

if synchronizing my user first the groupA will be created with a rep:externalId = 'groupA;myIDP'.
however, if the group has been synced before by the foreignIDP the code fails to verify that an existing group 'groupA' really belongs to the same IDP and thus may end up synchronizing the group and updating it's members.

IMHO that's a critical issue as it violates the IDP boundaries.
the fix is pretty trivial as it only requires testing for the IDP of the existing group as we do it in other places (even in the same method).

Attachments

Issue Links

is related to

OAK-4845 Regression: DefaultSyncContext does not sync membership to a local group

Resolved

relates to

OAK-4301 Missing protection for system-maintained rep:externalId

Closed

OAK-4215 Improve test-coverage for External Authentication

Closed

Activity

People

Assignee:: Angela Schreiber

Reporter:: Angela Schreiber

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 24/May/16 09:18

Updated:: 03/Nov/17 13:50

Resolved:: 24/May/16 09:25