Details
-
Documentation
-
Resolution: Unresolved
-
Minor
-
None
-
None
-
None
Description
Either the Confluence search isn't working, the page for morphString usage got reworked into oblivion, or there never was a page. I thought there used to be documentation for this, but I am not seeing it. There is only a brief mention in the gsh page on how to encrypt a value.
Digging into the code for a customer, I uncovered a lot about how morphString works. It would be useful to have a page somewhere since there are recommendations to use it.
- Pretty much all the provisioning and external systems can read an encrypted value from a file, although this is something each provider implements independently.
- If a password value is a file, it must be encrypted. Grouper expects to decrypt it, and will error if it can't
- This doesn't apply to the morphstring key itself, which can be in a file, but obviously not encrypted
- I don't see anything in the source that treats slashes in a password special. Maybe it got factored out? It will always try to read the value as a file, and fall back to a string if it can't
- How to replicate the encryption if Grouper is totally down and you need to encrypt a string offline (note, Grouper appends a "w" to the raw string so you need to do this too)
- the encryption pads the encrypt key to 16 or 32 characters with "x" characters, and truncates to 32 characters. Note that this happens after adding the "w", so people should be generating 15 or 31 character strings, not 16 or 32. They also don't need to make strings longer than 32 characters.