
SCIM Group PATCH remove fails intermittently #16314

Closed
pandukakarunasena opened this issue Jul 25, 2023 · 1 comment
pandukakarunasena commented Jul 25, 2023

Describe the issue:

In the SCIM2 PATCH Groups flow, the behavior of the remove operation should be re-evaluated for Active Directory when the below SCIM configuration is enabled.

[scim2]
return_updated_group_in_group_patch_response=false

When the above configuration is set, the execution paths are different, hence the remove operation might be unsuccessful.

How to reproduce:

  1. Set up the user store.
  • Configure a UniqueID Active Directory user store.
  • Change the MaxUserNameListLength in the configurations to a lower value than the default for testing purposes.
  2. Set up the Identity Server.
  • Add the below configuration to the deployment.toml
[scim2]
return_updated_group_in_group_patch_response=false
  • Create a couple of users, exceeding the MaxUserNameListLength.
  • Create a group and assign the users to that group.
  3. Use the SCIM Group PATCH remove operation to remove a particular user from the group.
curl --location --request PATCH 'https://localhost:9443/scim2/Groups/<groupid>' \
--header 'Authorization: Basic <auth>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "remove",
            "path": "members[value eq <memberid>]"
        }
    ]
}'

The user-group association might not be removed, as explained in the More Information section.

Expected behavior:
The user-group association should be removed without considering the MaxUserNameListLength configuration.

Environment information

  • Product Version: [e.g., IS 5.11.0]

More Information

The behavior when the config is enabled/disabled is discussed below.

In the return_updated_group_in_group_patch_response=false flow,

the user list belonging to a particular group is retrieved from the user store [1] -> [2] -> [3] -> [4] -> [5].

When retrieving the users, the Maximum User List Length (MaxUserNameListLength) user store configuration is honored [6] -> [7].

[1] https://github.com/wso2-extensions/identity-inbound-provisioning-scim2/blob/v1.5.128/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMUserManager.java#L2372
[2] https://github.com/wso2-extensions/identity-inbound-provisioning-scim2/blob/v1.5.128/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMUserManager.java#L2387
[3] https://github.com/wso2-extensions/identity-inbound-provisioning-scim2/blob/v1.5.128/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMUserManager.java#L3851
[4] https://github.com/wso2-extensions/identity-inbound-provisioning-scim2/blob/v1.5.128/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMUserManager.java#L3857
[5] https://github.com/wso2-extensions/identity-inbound-provisioning-scim2/blob/v1.5.128/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMUserManager.java#L3880
[6] https://github.com/wso2/carbon-kernel/blob/v4.6.2/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/ldap/UniqueIDActiveDirectoryUserStoreManager.java#L353
[7] https://github.com/wso2/carbon-kernel/blob/v4.6.2/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/ldap/UniqueIDActiveDirectoryUserStoreManager.java#L406

Honoring the MaxUserNameListLength causes only a subset of the users belonging to the role to be retrieved; hence the remove operation might not succeed, because in the implementation the remove operation is carried out by comparing the original group members' values with the patched group member values [10].

[10] https://github.com/wso2-extensions/identity-inbound-provisioning-scim2/blob/v1.5.128/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMUserManager.java#L3192

In the return_updated_group_in_group_patch_response=true flow,

no user retrieval happens. Instead, the group is obtained without members [11] and only the group Id is used for the operations.

[11] https://github.com/wso2-extensions/identity-inbound-provisioning-scim2/blob/v1.5.128/components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMUserManager.java#L2385

We can use the above approach for the patch operations without retrieving the members of the group.
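The following is an added illustration of the failure mode described in this issue; it is not code from the identity-inbound-provisioning-scim2 project. It simulates a user store that caps list results at a hypothetical MaxUserNameListLength of 3 and contrasts the diff-based remove (compare fetched members with the patched list) against a remove that acts directly on the id in the `members[value eq <id>]` filter path. All names (`FakeUserStore`, `patch_remove_by_diff`, `patch_remove_by_id`) and the member ids are constructed for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical cap standing in for the user store's MaxUserNameListLength.
MAX_USER_NAME_LIST_LENGTH = 3


@dataclass
class FakeUserStore:
    """Minimal stand-in for a user store whose list calls are truncated."""
    group_members: dict  # group id -> ordered list of member ids (constructed data)
    max_list_length: int = MAX_USER_NAME_LIST_LENGTH

    def list_members(self, group_id):
        # Mirrors a store that silently returns only the first N members.
        return self.group_members[group_id][: self.max_list_length]

    def remove_member(self, group_id, member_id):
        members = self.group_members[group_id]
        if member_id in members:
            members.remove(member_id)
            return True
        return False


# Accepts members[value eq u5] and members[value eq "u5"].
PATH_RE = re.compile(r'^members\[value eq "?([^"\]]+)"?\]$')


def member_id_from_path(path):
    """Extract the member id from a SCIM filter path such as members[value eq X]."""
    match = PATH_RE.match(path)
    if not match:
        raise ValueError(f"unsupported path: {path}")
    return match.group(1)


def patch_remove_by_diff(store, group_id, op):
    """Diff-based remove: fetch the (capped) member list, apply the patch to it,
    and remove whatever disappeared. If the target was beyond the cap it is
    never fetched, so nothing is removed and the call silently does nothing."""
    original = store.list_members(group_id)
    target = member_id_from_path(op["path"])
    patched = [m for m in original if m != target]
    removed = [m for m in original if m not in patched]
    for member in removed:
        store.remove_member(group_id, member)
    return len(removed) > 0


def patch_remove_by_id(store, group_id, op):
    """Id-based remove: act on the id named in the filter path and never
    depend on a fetched member list, so the cap cannot affect the result."""
    target = member_id_from_path(op["path"])
    return store.remove_member(group_id, target)


def make_store():
    # Constructed group with five members; only the first three fit under the cap.
    return FakeUserStore({"grp-1": ["u1", "u2", "u3", "u4", "u5"]})


def run_remove(member_id):
    """Run both strategies on fresh stores; return (diff_removed, id_removed)."""
    op = {"op": "remove", "path": f"members[value eq {member_id}]"}
    diff_store, id_store = make_store(), make_store()
    diff_ok = patch_remove_by_diff(diff_store, "grp-1", op)
    id_ok = patch_remove_by_id(id_store, "grp-1", op)
    return diff_ok, id_ok


if __name__ == "__main__":
    for uid in ("u1", "u5"):
        print(uid, run_remove(uid))
```

Whether the diff-based path succeeds depends on where the target member sits in the store's ordering relative to the cap, which is why the failure looks intermittent: `u1` is removed by both strategies, while `u5` is removed only by the id-based one.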

lashinijay self-assigned this Aug 22, 2023