Kuali Rice Development: KULRICE-4152

KIM allows you to create infinite loops of role memberships

    Details

    • Type: Bug Fix
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: KFS Release 4.0, 1.0.3
    • Component/s: Development
    • Labels: None
    • Rice Module: KIM
    • Application Requirement: KFS

      Description

      It's possible to create a role membership that causes a loop.

      For example, Role A is a member of Role B.

      But then the system will allow you to make Role B a member of Role A.

      This creates a cycle, which will cause the KIM role services to fail, with a stack overflow error, as they go into an infinite loop.

      The system should stop you from creating this, as this will make large portions of KFS unusable.

            Activity

            dsiebert Daniel Seibert (Inactive) added a comment -

            The KIM Role Maintenance screen should be OK, I am currently testing trying to create a circular role membership via the RoleUpdateService. I anticipate closing this item by the end of the day.

            dsiebert Daniel Seibert (Inactive) added a comment -

            Modified RoleUpdateServiceImpl to prevent the circular role membership assignments when made from the service api.
            Also added a Unit test to RoleServiceImplTest which exercises the new check.

            dsiebert Daniel Seibert (Inactive) added a comment -

            Since we cannot guarantee that circular role memberships will not ever exist, we not only should check when creating memberships, but also should modify the resolution of roles to handle the circular reference without infinite looping if one should happen to exist.
            Also, we should apply the same handling to groups.
            Expanding the effort on this item to include these issues.

            dsiebert Daniel Seibert (Inactive) added a comment - edited

            In addition to checking for circular memberships, we should also check to see if an identical role membership already exists.

            Actually, this check already is performed in KimDocumentMemberRule.processAddMember().
            It will prevent duplicate members (even if the qualifiers are different). Is this behavior correct? Or should it allow duplicate member ids if the qualifiers are different?

            dsiebert Daniel Seibert (Inactive) added a comment - edited

            Modified RoleServiceImpl getMember methods to handle a circular role membership should one exist. Public methods impacted: getRoleMembers(), getRoleMemberPrincipalIds(). Protected methods affected: getNestedRoleMembers(), getRoleMembers(), resolveDelegationMembers().

            Also added a unit test to create a circular membership via SQL statements and verify that the getRoleMemberPrincipalIds() no longer loops infinitely.

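The description's Role A / Role B loop and the two fixes described in the comments (a creation-time check in the update service, and cycle-tolerant resolution of nested members), as an added example. This is hypothetical in-memory Python, not Kuali Rice code; `RoleStore`, its `("P"|"R", id)` member tuples and `CircularRoleMembershipError` are assumed names that stand in for the KIM role tables and services.

```python
# Added example, not Kuali Rice code: a hypothetical in-memory model of KIM
# role membership showing the two fixes the issue describes: (1) refuse a
# role-in-role assignment that would close a loop, and (2) resolve nested
# members with a visited set so an existing cycle cannot recurse forever.
from collections import defaultdict

class CircularRoleMembershipError(ValueError):
    """Raised when an assignment would make a role contain itself."""

class RoleStore:
    def __init__(self):
        # role_id -> list of (member_type, member_id); "P" = principal, "R" = role
        self.members = defaultdict(list)

    def would_create_cycle(self, role_id, member_role_id):
        """True if role_id is already reachable from member_role_id."""
        stack, seen = [member_role_id], set()
        while stack:
            current = stack.pop()
            if current == role_id:      # also catches a role assigned to itself
                return True
            if current in seen:
                continue
            seen.add(current)
            stack.extend(m for t, m in self.members[current] if t == "R")
        return False

    def assign_role_to_role(self, role_id, member_role_id):
        """Service-level check: reject the assignment if it would form a loop."""
        if self.would_create_cycle(role_id, member_role_id):
            raise CircularRoleMembershipError(
                f"role {member_role_id!r} already contains role {role_id!r}")
        self.members[role_id].append(("R", member_role_id))

    def principal_ids(self, role_id):
        """Flatten nested roles to principal ids; terminates even with cycles."""
        principals, visited = set(), set()
        def walk(rid):
            if rid in visited:          # already expanded: cycle or shared sub-role
                return
            visited.add(rid)
            for member_type, member_id in self.members[rid]:
                if member_type == "P":
                    principals.add(member_id)
                else:
                    walk(member_id)
        walk(role_id)
        return sorted(principals)
```

Appending a `("R", ...)` tuple straight to `store.members` bypasses the check, which mirrors the comment's SQL-inserted cycle and lets you confirm that `principal_ids()` still returns.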

              People

              • Assignee: dsiebert Daniel Seibert (Inactive)
              • Reporter: dlemus Dan Lemus (Inactive)
              • Votes: 0
              • Watchers: 0


                  Time Tracking

                  • Estimated: 4d (Original Estimate - 4 days)
                  • Remaining: 4d (Remaining Estimate - 4 days)
                  • Logged: Not Specified