Brendan Baker
Thursday at 12:00 PM
Hello. We would like to report a bug. We did try via Jira but the Grouper project did not appear on the dropdown list. We're running an old version of Grouper (2.3), however we believe this bug is still present in Grouper 4 from looking at the repo.
The bug is in PSPNG in the class edu.internet2.middleware.grouper.pspng.Provisioner. The effect is that when a full update is running and has reached its clean-up phase, if a call enumerating the groups in the directory in batches fails for some reason, PSPNG deletes all the groups in the batch from the directory. This recently caused a major incident at our University, with users losing access to large numbers of applications.
The faulty code is in the method fetchTargetSystemGroupsInBatches(). This contains fall-back code in the event that the batch-fetch fails, retrying with individual group fetches. Unfortunately, it fails to add these successfully-retried groups to the Map returned by the method, which then triggers LdapGroupProvisioner.doFullSync_cleanupExtraGroups() to delete all the groups in the batch.
In the function ProvisionerfetchTargetSystemGroupsInBatches() there is a missing put operation inside the loop that retrieves the groups individually:

          for ( GrouperGroupInfo grouperGroupInfo : batchOfGroupsToFetch ) {

            try {

              TSGroupClass tsGroup = fetchTargetSystemGroup(grouperGroupInfo);

              cacheGroup(grouperGroupInfo, tsGroup);

            }

            catch (PspException e2) {

              LOG.error("Problem fetching information on group '{}'", grouperGroupInfo, e2);

              throw new RuntimeException("Problem fetching information on group " + grouperGroupInfo);

            }

We think adding the below before or after the cacheGroup call should fix the issue:

result.put(grouperGroupInfo, tsGroup);

Thank you