simpleidserver / SimpleIdServer

OpenID, OAuth 2.0, SCIM2.0, UMA2.0, FAPI, CIBA & OPENBANKING Framework for ASP.NET Core
https://simpleidserver.com/
Apache License 2.0

SCIM POST /Users with "manager.value" throws error 500 #714

Closed LazaroOnline closed 6 months ago

LazaroOnline commented 6 months ago

In the "SimpleIdServer.Scim" package library, if an enterprise user is created using: POST /Users with a manager.value having the value of another user's SCIM Id (as per the RFC), then the SCIM library throws a 500 error with the message: "Sequence contains no matching element".

Also, strangely, it allows me to set any string in "manager.value" as long as it is not a userId. I'm not sure if it should be validated or not, but it should at least work when the value is a correct userId.

How to reproduce this bug

Here is an example, first creating the user1 that will be the manager:

POST /Users

{
  "userName": "IntegrationTestScim_azAZ@.0123456789\u002B-4431a44c-2190-4d1b-84a7-2c98ae9fbe48",
  "displayName": "IntegrationTestScim_azAZ@.0123456789\u002B-4431a44c-2190-4d1b-84a7-2c98ae9fbe48DisplayName",
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "externalId": "4b62f66b-7439-42c8-8dfb-79081844d4f5",
  "name": {
    "formatted": "IntegrationTestScim_azAZ@.0123456789\u002B-4431a44c-2190-4d1b-84a7-2c98ae9fbe48GivenName FamilyName",
    "familyName": "IntegrationTestScim_azAZ@.0123456789\u002B-4431a44c-2190-4d1b-84a7-2c98ae9fbe48FamilyName",
    "givenName": "IntegrationTestScim_azAZ@.0123456789\u002B-4431a44c-2190-4d1b-84a7-2c98ae9fbe48GivenName"
  },
  "emails": [
    {
      "primary": true,
      "type": "work",
      "value": "IntegrationTestScim_azAZ@.0123456789\u002B-4431a44c-2190-4d1b-84a7-2c98ae9fbe48.work\u0027s@test.com"
    },
    {
      "type": "home",
      "value": "IntegrationTestScim_azAZ@.0123456789\u002B-4431a44c-2190-4d1b-84a7-2c98ae9fbe48.home\u0027s@test.com"
    }
  ]
}

Returns 201 Created:

{
  "id": "b48e12e6-865f-4130-beb0-732d17ba37c5",
  "userName": "IntegrationTestScim_azAZ@.0123456789+-4431a44c-2190-4d1b-84a7-2c98ae9fbe48",
  "displayName": "IntegrationTestScim_azAZ@.0123456789+-4431a44c-2190-4d1b-84a7-2c98ae9fbe48DisplayName",
  "name": {
    "formatted": "IntegrationTestScim_azAZ@.0123456789+-4431a44c-2190-4d1b-84a7-2c98ae9fbe48GivenName FamilyName",
    "familyName": "IntegrationTestScim_azAZ@.0123456789+-4431a44c-2190-4d1b-84a7-2c98ae9fbe48FamilyName",
    "givenName": "IntegrationTestScim_azAZ@.0123456789+-4431a44c-2190-4d1b-84a7-2c98ae9fbe48GivenName"
  },
  "emails": [
    {
      "primary": true,
      "type": "work",
      "value": "IntegrationTestScim_azAZ@.0123456789+-4431a44c-2190-4d1b-84a7-2c98ae9fbe48.work's@test.com"
    },
    {
      "type": "home",
      "value": "IntegrationTestScim_azAZ@.0123456789+-4431a44c-2190-4d1b-84a7-2c98ae9fbe48.home's@test.com"
    }
  ],
  "entitlements": [],
  "groups": [],
  "roles": [],
  "ims": [],
  "addresses": [],
  "photos": [],
  "x509Certificates": [],
  "phoneNumbers": [],
  "meta": {
    "resourceType": "User",
    "created": "2024-03-13T07:01:48.5125431Z",
    "lastModified": "2024-03-13T07:01:48.5125435Z",
    "version": 0,
    "location": "http://127.0.0.1:51631/Users/b48e12e6-865f-4130-beb0-732d17ba37c5"
  },
  "externalId": "4b62f66b-7439-42c8-8dfb-79081844d4f5",
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ]
}

then creating the user2 that will have user1 as manager:

POST /Users

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "department": "sales",
    "manager": {
      "value": "b48e12e6-865f-4130-beb0-732d17ba37c5"
    }
  },
  "userName": "4e9b338c-b678-4fb7-98cc-477fdf616c4b",
  "active": true,
  "displayName": "4e9b338c-b678-4fb7-98cc-477fdf616c4bDisplayName",
  "externalId": "87756ee1-7491-4612-863e-c12ef30ce37e",
  "name": {
    "formatted": "4e9b338c-b678-4fb7-98cc-477fdf616c4bGivenName FamilyName",
    "familyName": "4e9b338c-b678-4fb7-98cc-477fdf616c4bFamilyName",
    "givenName": "4e9b338c-b678-4fb7-98cc-477fdf616c4bGivenName"
  },
  "emails": [
    {
      "primary": true,
      "type": "work",
      "value": "4e9b338c-b678-4fb7-98cc-477fdf616c4b.work\u0027s@test.com"
    },
    {
      "primary": false,
      "type": "home",
      "value": "4e9b338c-b678-4fb7-98cc-477fdf616c4b.home\u0027s@test.com"
    }
  ]
}

Results in error 500: "Sequence contains no matching element".

This was working fine in v2.0.25, where it wasn't throwing an exception but returning 201 Created. We discovered this issue while upgrading to v4.0.3. Couldn't test the currently latest v4.0.7 because that version breaks even more things and couldn't get past all the other errors to test this issue.
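The reported message is the text of the `InvalidOperationException` that LINQ's `First(predicate)` or `Single(predicate)` raises when nothing matches; the page does not show where in the library it was raised. The following is an added example, not part of the original post and not SimpleIdServer's code, of resolving `manager.value` with a membership test and answering with an RFC 7644 error body instead of a 500. The class and method names are hypothetical, and rejecting unknown ids with `invalidValue` is an assumed policy.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;

public static class ManagerReferenceCheck
{
    const string EnterpriseSchema = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User";
    const string ErrorSchema = "urn:ietf:params:scim:api:messages:2.0:Error";

    // Hypothetical helper: returns the HTTP status and, on rejection, a SCIM error body.
    // Assumes the request body is a JSON object.
    public static (int Status, string Body) Validate(string json, ISet<string> knownUserIds)
    {
        using var doc = JsonDocument.Parse(json);
        // manager is optional: no enterprise extension or no manager.value means nothing to resolve.
        if (!doc.RootElement.TryGetProperty(EnterpriseSchema, out var ext) ||
            ext.ValueKind != JsonValueKind.Object ||
            !ext.TryGetProperty("manager", out var manager) ||
            manager.ValueKind != JsonValueKind.Object ||
            !manager.TryGetProperty("value", out var value))
            return (201, null);

        // Contains() answers yes or no; a First(predicate) lookup would throw on a miss.
        if (value.ValueKind == JsonValueKind.String && knownUserIds.Contains(value.GetString()))
            return (201, null);

        // Assumed policy: an unresolvable reference is a client error, reported in SCIM error format.
        var error = new
        {
            schemas = new[] { ErrorSchema },
            status = "400",
            scimType = "invalidValue",
            detail = "manager.value does not reference an existing User"
        };
        return (400, JsonSerializer.Serialize(error));
    }

    public static void Main()
    {
        // Constructed sample store holding only user1's id from the 201 response above.
        var known = new HashSet<string> { "b48e12e6-865f-4130-beb0-732d17ba37c5" };
        string Payload(string managerId) =>
            "{\"schemas\":[\"" + EnterpriseSchema + "\"],\"" + EnterpriseSchema +
            "\":{\"manager\":{\"value\":\"" + managerId + "\"}},\"userName\":\"user2\"}";

        Console.WriteLine(Validate(Payload("b48e12e6-865f-4130-beb0-732d17ba37c5"), known));
        Console.WriteLine(Validate(Payload("not-a-user-id"), known));
    }
}
```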

simpleidserver commented 6 months ago

Hello,

To assist you in migrating from version 2.0.25 to 4.7, we have summarized the different steps:

  1. Unfortunately, the dotnet ef migrations script cannot be applied to make changes at the database level. Therefore, the code context.Database.Migrate() must be commented out. Please ensure that all tables are properly updated:

     ALTER TABLE [dbo].[SCIMRepresentationAttributeLst] ADD [ComputedValueIndex] NVARCHAR(MAX) NULL;
     ALTER TABLE [dbo].[SCIMRepresentationAttributeLst] ADD [IsComputed] BIT NOT NULL DEFAULT 0;

  2. The table SCIMRepresentationIndirectReference has been removed and is no longer used. Before deleting it, make sure that all properties: members.value and groups.value are present in the table SCIMRepresentationAttributeLst.

     DROP TABLE [dbo].[SCIMRepresentationIndirectReference]

  3. Uncomment and execute the code MigrateFrom403To404EF. This function updates the properties IsComputed and ComputedValueIndex. These properties are used to enhance performance in searches.

Could you try migrating to version 4.0.7? We are considering migrating the entire SimpleIdServers solution to DOTNET8.0 soon, after the release of 4.0.8 :) If you encounter any other issues with the migration or exceptions, please feel free to share them.

LazaroOnline commented 6 months ago

Hello, thanks a lot for the migration help! About the 3rd step:

3. Uncomment and execute the code MigrateFrom403To404EF. ...

The MigrateFrom403To404EF function is not part of the "SimpleIdServer.Scim" nuget package, which is the only one that I use. I'm not even using "SimpleIdServer.Scim.SqlServerMigrations" nor "SimpleIdServer.Scim.MySQLMigrations" packages, which I think are more recent. I have my own "startup" project for SCIM, so I hope it is fine with just copying the method alone into my own project. If the migration was expecting more things from the "SimpleIdServer.Scim.Startup" project other than that, please let me know.

So far I was able to test the "manager.value" issue and it seems to work in the latest v4.0.7 of SCIM, but then I got other 500 errors in other requests like PATCH and PUT /Users and POST /Bulk that I'm trying to find more details on.

LazaroOnline commented 6 months ago

After upgrading to v4.0.7 I get other errors like: https://github.com/simpleidserver/SimpleIdServer/issues/720 and https://github.com/simpleidserver/SimpleIdServer/issues/721, but the "manager.value" issue is solved, so it was fixed at some point between v4.0.3 and v4.0.7 already.

LazaroOnline commented 6 months ago

Since the error in the title and description seems solved in the latest v4.0.7, and the remaining stuff is something else, I created a separate bug here: https://github.com/simpleidserver/SimpleIdServer/issues/720 So we can close this issue.