WebServiceBeforeOperation Rule doesnt seem to do anything

Identity Security Cloud (ISC) ISC Discussion and Questions
, ,
1

I am creating a WebServiceBeforeOperation rule that interceps the Password during the Change Password operation and encodes it with Base64 and then salts which is an attribute on the application account itself. But the operation doesnt seem to do anything at all, where am I missing the point:

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;
import connector.common.JsonUtil;
import connector.common.Util;
import sailpoint.connector.webservices.EndPoint;
import sailpoint.connector.webservices.WebServicesClient;
import sailpoint.object.Application;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;              
               
log.error("Rule - Provisioning Body: running");
Map body = requestEndPoint.getBody();
 
try {
    Map jsonMap = JsonUtil.toMap(jsonBody);
    password = "";
    if (provisioningPlan != null) {
        for (AccountRequest accReq : Util.iterate(provisioningPlan.getAccountRequests())) {
            for (ProvisioningPlan.AttributeRequest attReq : Util.iterate(accReq.getAttributeRequests())) {
                String attrName = attReq.getName();
                if (attrName != null && "password".equalsIgnoreCase(attrName)) {
                    password = (String) attReq.getValue();
                    log.error("Rule - Modify Body: password is present in plan = " + password);
					try {
                            // Hash the password with the salt using SHA-256
                            MessageDigest md = MessageDigest.getInstance("SHA-256");
                            byte[] hash = md.digest((password + salt).getBytes("UTF-8"));

                            // Convert the hash bytes to a hex string
                            StringBuilder hexString = new StringBuilder();
                            for (byte b : hash) {
                                hexString.append(String.format("%02x", b));
                            }
                            log.error("[BeforeOperation] NewPassword: " + hexString.toString());
                            // Replace the plain password with the salted hash
                            attrReq.setValue(hexString.toString());
                            jsonMap.put("newPassword", hexString.toString());
							String finalBody = JsonUtil.render(jsonMap);
							body.put("jsonBody", finalBody);
							requestEndPoint.setBody(body);

                    } catch (Exception e) {
                            logger.debug("Error in BeforeOperation rule: " + e.getMessage(), e);
                    }
                }
            }
        }
    }

} catch (Exception ex) {
    log.error("Rule - Modify Body: " + ex);
}
 
return requestEndPoint;
2

do you know what is the datatype for “jsonBody“?

try to do something like : String jsonBody = (String) body.get(“jsonBody”) before using in your jsonMap.

3

Is your log output being generated in the ccg.log file? I can’t tell from your post if the rule is being executed, so checking for the logging would help to determine that. I assume that you attached the rule to the HTTP operation, but that’s a possible oversight that would prevent your code from being executed.

1 Like
4

As Matt said above

  1. Ensure you can see your rule writing to ccg.log, that way you know it is running
  2. Add a line near the end to write out requestEndPoint, or at least the jsonBody, so you know you set the body correctly
5

Hi Matt,

This was something I noticed as well it was not showing in the logs although I did have the connector log config set to debug specifically for this connector type (Webservices)

6

You’re using log.error which should generate output to ccg.log without having to do anything to the log config. Can you confirm that your source config shows the “beforeRule” property for this HTTP operation with your rule set to the value?

Secondly, I noticed that line 37 contains attrReq.setValue(hexString.toString()); but everywhere else you refer to attReq:

image

It might be worth double checking what you are trying to do with attrReq.

Matt

7

Just a sanity check here but you do have the rule attached to the operation in the config right?

8

@BFrescoKB There is some good advice in this thread already. Please let us know what you try and the results so we can help further if needed.

As @MattUribe pointed out, I would correct this first, as this is the likely issue as to why you are not seeing a change if the rule is running.

I would also check this if you are not getting any error messages out. @mcheek provided a link to the documentation for it.

To have the rule function:

  • Make sure the latest rule code is deployed. You can verify this with the API.
  • Make sure that the rule is configured as the BeforeRule for the HTTP Operation that it is supposed to run on. The Operations are indexed, so if you added/removed/reordered them, the index of your desired operation may have changed.
  • Also, verify that you configured the correct operation type. You mentioned a password change, so verify that there is not another operation specifically for that operation (I did not check this myself.) This could be a reason that you are not seeing the logs or changes if you updated the wrong HTTP Operation’s BeforeRule.