and more in a single search tool across platforms. Read the announcement here. |
03/12/2024 04:29 AM
Hi
Facing issue while deleting a Duo account.
FYI...Account creation and updation is working fine.
Following is the configuration and error message pulled from logs. Please let me know in case you require any further information.
DisableAccountJSON
{
"call": [
{
"name": "call1",
"connection": "acctAuth",
"basicUrl":"api.duosecurity.com",
"hostUrl": "${(requestAccessAttributes?.get('Account Type') != null && requestAccessAttributes?.get('Account Type')?.equals('AdminUser')) ?'/admin/v1/admins/'+account.accountID : '/admin/v1/users/'+account.accountID}",
"url": "${(requestAccessAttributes?.get('Account Type') != null && requestAccessAttributes?.get('Account Type')?.equals('AdminUser')) ? 'https://api.duosecurity.com/admin/v1/admins/'+account.accountID : 'https://api.duosecurity.com/admin/v1/users/'+account.accountID}",
"httpMethod": "DELETE",
"httpParams": "{\"status\": \"disabled\"}"
}
]
}
Error message
java.lang.NullPointerException: Cannot invoke method size() on null object at com.saviynt.provisoning.rest.RestProvisioningService$_removeAccount_closure56.doCall(RestProvisioningService.groovy:9207) at com.saviynt.provisoning.rest.RestProvisioningService.removeAccount(RestProvisioningService.groovy:9193) at com.saviynt.ecm.services.ArsTaskService.removeAccountTarget(ArsTaskService.groovy:11979) at com.saviynt.ecm.services.ArsTaskHelperService$_whenTaskTypeIsTwoRemoveAccess_closure52.doCall(ArsTaskHelperService.groovy:3225) at com.saviynt.ecm.services.ArsTaskHelperService.whenTaskTypeIsTwoRemoveAccess(ArsTaskHelperService.groovy:3215) at com.saviynt.ecm.services.ArsTaskHelperService$_completeAutoProvTasksUpgraded_closure1.doCall(ArsTaskHelperService.groovy:170) at com.saviynt.ecm.services.ArsTaskHelperService.completeAutoProvTasksUpgraded(ArsTaskHelperService.groovy:160) at MultipleProvisioningJob.execute(MultipleProvisioningJob.groovy:222) at org.quartz.core.JobRunShell.run(JobRunShell.java:199) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:546)
Regards
Gaurav
03/12/2024 07:33 AM
Hello @GauravJain,
Below is a sample for your reference. Please adjust the value of "customproperty2" according to your configuration in the JSON below, where you are storing the "AdminUser" value in the DUO Account in EIC.
=====================================================================
REMOVE ACCOUNT JSON
=====================================================================
{
"call": [
{
"name": "call1",
"connection": "acctAuth",
"basicUrl": "@BASE_URL@",
"hostUrl": "${(account?.customproperty2.equals('AdminUser')) ? '/admin/v1/admins/'+account.accountID : '/admin/v1/users/'+account.accountID}",
"url": "${(account?.customproperty2.equals('AdminUser')) ? 'https://@BASE_URL@/admin/v1/admins/'+account.accountID : 'https://@BASE_URL@/admin/v1/users/'+account.accountID}",
"httpMethod": "DELETE"
}
]
}
Thanks
03/12/2024 11:55 PM
Hi @sudeshjaiswal this configuration is also giving same error in logs.
FYI..."customproperty2" contains account type by default so i have used the same. on Accounts UI (inside Other Attributes) it shows as "Account Type" but in accounts table its customproperty2 only.
java.lang.NullPointerException: Cannot invoke method size() on null object at com.saviynt.provisoning.rest.RestProvisioningService$_removeAccount_closure56.doCall(RestProvisioningService.groovy:9207) at com.saviynt.provisoning.rest.RestProvisioningService.removeAccount(RestProvisioningService.groovy:9193) at com.saviynt.ecm.services.ArsTaskService.removeAccountTarget(ArsTaskService.groovy:11979) at com.saviynt.ecm.services.ArsTaskHelperService$_whenTaskTypeIsTwoRemoveAccess_closure52.doCall(ArsTaskHelperService.groovy:3225) at com.saviynt.ecm.services.ArsTaskHelperService.whenTaskTypeIsTwoRemoveAccess(ArsTaskHelperService.groovy:3215) at com.saviynt.ecm.services.ArsTaskHelperService$_completeAutoProvTasksUpgraded_closure1.doCall(ArsTaskHelperService.groovy:170) at com.saviynt.ecm.services.ArsTaskHelperService.completeAutoProvTasksUpgraded(ArsTaskHelperService.groovy:160) at MultipleProvisioningJob.execute(MultipleProvisioningJob.groovy:222) at org.quartz.core.JobRunShell.run(JobRunShell.java:199) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:5
Regards
Gaurav
03/13/2024 12:10 AM
Hello @GauravJain,
Is it working in postman if yes, please provide the response and the body of the same.
Thanks.
03/13/2024 12:34 AM
Yes, its working. Below is the response received in postman
{
"response": "",
"stat": "OK"
}
and not passing anything in "body" in postman so its blank.
URL - https://api.duosecurity.com/admin/v1/users/{account_id}
METHOD - DELETE
Basic Auth with username and signature as password.
Let me know if you require any further information.
03/17/2024 08:07 PM
Share saviynt logs to validate what is final url is formed
03/17/2024 08:59 PM
Hi @rushikeshvartak there is no url in logs, strange. it seems its failing before forming the url?
few log lines for reference
Validating tasks for Securitysystem - Duo_SS
accountName = abc , taskType = 2 accountkey = xxxxxx
proceed = true
accountName = asd , taskType = 2 accountkey = yyyyyy
proceed = true
Calling removeAccount in rest with Sec System - Duo_SS and tasklist - [asd:[com.saviynt.ecm.task.ArsTasks : qwerty], abc:[com.saviynt.ecm.task.ArsTasks : yuiopt]]
initializing Provisioning connection
Completing task - qwerty
*****ERROR******
"java.lang.NullPointerException: Cannot invoke method size() on null object at com.saviynt.provisoning.rest.RestProvisioningService$_removeAccount_closure56.doCall(RestProvisioningService.groovy:9207) at com.saviynt.provisoning.rest.RestProvisioningService.removeAccount(RestProvisioningService.groovy:9193) at com.saviynt.ecm.services.ArsTaskService.removeAccountTarget(ArsTaskService.groovy:11979) at com.saviynt.ecm.services.ArsTaskHelperService$_whenTaskTypeIsTwoRemoveAccess_closure52.doCall(ArsTaskHelperService.groovy:3225) at com.saviynt.ecm.services.ArsTaskHelperService.whenTaskTypeIsTwoRemoveAccess(ArsTaskHelperService.groovy:3215) at com.saviynt.ecm.services.ArsTaskHelperService$_completeAutoProvTasksUpgraded_closure1.doCall(ArsTaskHelperService.groovy:170) at com.saviynt.ecm.services.ArsTaskHelperService.completeAutoProvTasksUpgraded(ArsTaskHelperService.groovy:160) at MultipleProvisioningJob.execute(MultipleProvisioningJob.groovy:222) at org.quartz.core.JobRunShell.run(JobRunShell.java:199) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:546)"
Completing task - 152898
*****ERROR******
"java.lang.NullPointerException: Cannot invoke method size() on null object at com.saviynt.provisoning.rest.RestProvisioningService$_removeAccount_closure56.doCall(RestProvisioningService.groovy:9207) at com.saviynt.provisoning.rest.RestProvisioningService.removeAccount(RestProvisioningService.groovy:9193) at com.saviynt.ecm.services.ArsTaskService.removeAccountTarget(ArsTaskService.groovy:11979) at com.saviynt.ecm.services.ArsTaskHelperService$_whenTaskTypeIsTwoRemoveAccess_closure52.doCall(ArsTaskHelperService.groovy:3225) at com.saviynt.ecm.services.ArsTaskHelperService.whenTaskTypeIsTwoRemoveAccess(ArsTaskHelperService.groovy:3215) at com.saviynt.ecm.services.ArsTaskHelperService$_completeAutoProvTasksUpgraded_closure1.doCall(ArsTaskHelperService.groovy:170) at com.saviynt.ecm.services.ArsTaskHelperService.completeAutoProvTasksUpgraded(ArsTaskHelperService.groovy:160) at MultipleProvisioningJob.execute(MultipleProvisioningJob.groovy:222) at org.quartz.core.JobRunShell.run(JobRunShell.java:199) at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:546)"
Inside updateProvisioningTries..
Config for ARSTASKCOMPNEWPWDcom.saviynt.ecm.utility.domain.EcmConfig : ARSTASKCOMPNEWPWD
Task Complete Email Template For New Account Password = null
start converting accTasksMap to endpointaccTasksMap
finished converting accTasksMap to endpointaccTasksMap
Let me know if any further info is required.
Regards
Gaurav
03/17/2024 09:02 PM
Does account have accoutid ?
03/17/2024 09:16 PM
Yes, both the accounts i have referred to in logs have valid account id value. one of them i have tried in POSTMAN and that worked fine (response / body shared in above in this forum for reference).
FYI...currently, i am using the remove account config as shared by @sudeshjaiswal above.
Regards
Gaurav
03/17/2024 10:34 PM
Hello @GauravJain,
We have already identified this is a bug for the removeaccoutjson in DUO, this will fixed in the later version. We will let you know if we have any workaround in mean time.
You may use the disable account json (PFA Sample Below), if that fulfil your usecase.
{
"call": [
{
"name": "call1",
"connection": "acctAuth",
"basicUrl": "<BASE_URL>",
"hostUrl": "/admin/v1/users/${account.accountID}",
"url": "https://<BASE_URL>/admin/v1/users/${account.accountID}",
"httpMethod": "POST",
"httpParams": "{\"status\": \"disabled\"}"
}
]
}
Thanks.
03/17/2024 11:57 PM
Hi @sudeshjaiswal i made a mistake here - the config you have shared earlier for "RemoveAccountJSON", i configured it in "DisableAccountJSON". Sorry for the confusion.
Now, i have removed configuration for "DisableAccountJSON" and added below config for "RemoveAccountJSON"
{
"call": [
{
"name": "call1",
"connection": "acctAuth",
"basicUrl": "api.duosecurity.com",
"hostUrl": "${(account?.customproperty2.equals('AdminUser')) ? '/admin/v1/admins/'+account.accountID : '/admin/v1/users/'+account.accountID}",
"url": "${(account?.customproperty2.equals('AdminUser')) ? 'https://api.duosecurity.com/admin/v1/admins/'+account.accountID : 'https://api.duosecurity.com/admin/v1/users/'+account.accountID}",
"httpMethod": "DELETE"
}
]
}
After above change when i execute DUO provisioning job, i get below signRequest error
Total Call: 1
connection: acctAuth
Exception in signRequest :
groovy.lang.GroovyRuntimeException: Ambiguous method overloading for method java.lang.String#<init>.
Cannot resolve which method to invoke for [null] due to overlapping prototypes between:
" [class [B]"
" [class [C]"
" [class java.lang.String]"
" at com.saviynt.provisoning.rest.RestProvisioningService.canonRequest(RestProvisioningService.groovy:3882)"
" at com.saviynt.provisoning.rest.RestProvisioningService.signRequest(RestProvisioningService.groovy:3852)"
" at com.saviynt.provisoning.rest.RestProvisioningService.populateHttpParamsForBasicWithHmac(RestProvisioningService.groovy:3613)"
" at com.saviynt.provisoning.rest.RestProvisioningService.populateHttpParams(RestProvisioningService.groovy:3483)"
" at com.saviynt.provisoning.rest.RestProvisioningService.processWebservice(RestProvisioningService.groovy:8491)"
" at com.saviynt.provisoning.rest.RestProvisioningService$_removeAccount_closure56.doCall(RestProvisioningService.groovy:9238)"
" at com.saviynt.provisoning.rest.RestProvisioningService.removeAccount(RestProvisioningService.groovy:9193)"
" at com.saviynt.ecm.services.ArsTaskService.removeAccountTarget(ArsTaskService.groovy:11979)"
" at com.saviynt.ecm.services.ArsTaskHelperService$_whenTaskTypeIsTwoRemoveAccess_closure52.doCall(ArsTaskHelperService.groovy:3225)"
" at com.saviynt.ecm.services.ArsTaskHelperService.whenTaskTypeIsTwoRemoveAccess(ArsTaskHelperService.groovy:3215)"
" at com.saviynt.ecm.services.ArsTaskHelperService$_completeAutoProvTasksUpgraded_closure1.doCall(ArsTaskHelperService.groovy:170)"
" at com.saviynt.ecm.services.ArsTaskHelperService.completeAutoProvTasksUpgraded(ArsTaskHelperService.groovy:160)"
" at MultipleProvisioningJob.execute(MultipleProvisioningJob.groovy:222)"
" at org.quartz.core.JobRunShell.run(JobRunShell.java:199)"
" at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:546)"
Task Response: null
Result: false
Please let me know if you need any further information to debug this further.
Second question is how one can trigger "DisableAccountJSON" as i don't see such configuration at Endpoint level.
Regards
Gaurav
03/18/2024 08:23 PM
Hello @GauravJain,
Please read my previous comment, as said above this is the known issue, it will be fixed in the later version.
To enable the disableaccountjson functionality, you need to update the configuration at the endpoint level within the "State and Status Fields" configuration. PFA screeshot for reference.
There are various methods available to disable the account. This can be done through ARS, rules, or using actionable analytics, depending on your usecase.
Thanks.
03/18/2024 09:01 PM
Is it possible to share JIRA number so we will be able to find latest release notes once fixed
03/18/2024 09:07 PM - edited 03/18/2024 09:07 PM
Hello @GauravJain @rushikeshvartak,
I will keep you updated here, once it is been fixed.
Thanks
03/18/2024 09:39 PM
Thanks @sudeshjaiswal for your quick revert and update on issue.
03/19/2024 04:29 AM
Hi @sudeshjaiswal i tried below DisableAccountJSON config for a user "qwerty" which worked fine. To verify it, i again used the link "Request access for others" and selected that user "qwerty" - here i cant see the Duo application in users existing access so allows me to raise new account request. so far all good. But, if i check account status under endpoint then it still shows "active" under "MFA Status" which is customproperty1. is it happening because we dont have "responseColsToPropsMap" config missing in below configuration?
{
"call": [
{
"name": "call1",
"connection": "acctAuth",
"basicUrl":"api.duosecurity.com",
"hostUrl": "${(account?.customproperty2.equals('AdminUser')) ? '/admin/v1/admins/'+account.accountID : '/admin/v1/users/'+account.accountID}",
"url": "${(account?.customproperty2.equals('AdminUser')) ? 'https://api.duosecurity.com/admin/v1/admins/'+account.accountID : 'https://api.duosecurity.com/admin/v1/users/'+account.accountID}",
"httpMethod": "POST",
"httpParams": "{\"status\": \"disabled\"}"
}
]
}
03/24/2024 08:17 PM - edited 03/24/2024 10:02 PM
Hello @GauravJain,
You are seeing the MFA Status in the "Other Attributes" Section, Please confirm if you are disabling the account , is it getting disabled in the target, if yes,
Then run the account import, the MFA status will change accordingly.
Please validate and confirm the same.
Thanks.