wso2 / product-is

Apache License 2.0

Multiple issues with SCIM 2.0 Users & Groups endpoints #11807

Closed sumedhe closed 1 week ago

sumedhe commented 3 years ago

The identified issues listed here are:

Issue 1: Filtering for application/hybrid roles does not work with multi attribute filtering.

How to reproduce: Create an application/hybrid role and assign it to a user. Filter users with application/hybrid roles by the created role as shown below. The expected result is returned.

curl --location --request GET 'https://localhost:9443/scim2/Users?attributes=username,groups,roles,active&filter=groups+co+MyApp' \
--header 'Authorization: Basic YWRtaW46YWRtaW4='
{
    "totalResults": 2,
    "startIndex": 1,
    "itemsPerPage": 2,
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "Resources": [
        {
            "groups": [
                {
                    "display": "Application/MyApp",
                    "value": "d5eab0ca-8fb8-4d6f-ba4d-9aa705c0b250",
                    "$ref": "https://localhost:9443/scim2/Groups/d5eab0ca-8fb8-4d6f-ba4d-9aa705c0b250"
                }
            ],
            "id": "c1863f39-8e79-4eca-a44d-005d54c2b814",
            "userName": "sumedhe"
        },
        {
            "groups": [
                {
                    "display": "admin",
                    "value": "12b4de2e-5668-4444-9c27-b000fdbe7b48",
                    "$ref": "https://localhost:9443/scim2/Groups/12b4de2e-5668-4444-9c27-b000fdbe7b48"
                }
            ],
            "id": "4333f29b-5e2e-4923-9944-ca7fca4b4c8d",
            "userName": "admin"
        }
    ]
}

Filter users with application/hybrid roles with multi-attribute filtering as below.

curl --location --request GET 'https://localhost:9443/scim2/Users?attributes=username,groups,roles,active&filter=groups+co+MyApp+and+userName+co+sume' \
--header 'Authorization: Basic YWRtaW46YWRtaW4='
{
    "totalResults": 0,
    "startIndex": 1,
    "itemsPerPage": 0,
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ]
}

Expected behavior:

{
    "totalResults": 1,
    "startIndex": 1,
    "itemsPerPage": 1,
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "Resources": [
        {
            "groups": [
                {
                    "display": "Application/MyApp",
                    "value": "d5eab0ca-8fb8-4d6f-ba4d-9aa705c0b250",
                    "$ref": "https://localhost:9443/scim2/Groups/d5eab0ca-8fb8-4d6f-ba4d-9aa705c0b250"
                }
            ],
            "id": "c1863f39-8e79-4eca-a44d-005d54c2b814",
            "userName": "sumedhe"
        }
    ]
}

Issue 2: Multi-attribute filtering on group and username is not working with a secondary userstore (MySQL).

How to reproduce: Create a MySQL secondary userstore. Create a user (john) and a role (manager) in that userstore and assign the role to the user.

curl --location --request GET 'https://localhost:9443/scim2/Users?attributes=username,groups,roles,active&filter=groups+co+man+and+userName+co+john' \
--header 'Authorization: Basic YWRtaW46YWRtaW4='
{
    "totalResults": 0,
    "startIndex": 1,
    "itemsPerPage": 0,
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ]
}

Expected behavior:

{
    "totalResults": 1,
    "startIndex": 1,
    "itemsPerPage": 1,
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "Resources": [
        {
            "groups": [
                {
                    "display": "USA/manager",
                    "value": "67b4b0d9-6186-42f4-ac62-5be4f73977eb",
                    "$ref": "https://localhost:9443/scim2/Groups/67b4b0d9-6186-42f4-ac62-5be4f73977eb"
                }
            ],
            "id": "458d1e93-303c-433d-a4e4-48da47b81b40",
            "userName": "USA/john1"
        }
    ]
}

Issue 3: Filtering for application/hybrid roles with the domain name (e.g. Application/MyApp) is not working.

How to reproduce: Create an application/hybrid role and a user and assign that role to the user.

curl --location --request GET 'https://localhost:9443/scim2/Users?attributes=username,groups,roles,active&filter=groups+co+Application/MyApp' \
--header 'Authorization: Basic YWRtaW46YWRtaW4='
{
    "totalResults": 0,
    "startIndex": 1,
    "itemsPerPage": 0,
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ]
}

Expected behavior:

{
    "totalResults": 1,
    "startIndex": 1,
    "itemsPerPage": 1,
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "Resources": [
        {
            "groups": [
                {
                    "display": "Application/MyApp",
                    "value": "d5eab0ca-8fb8-4d6f-ba4d-9aa705c0b250",
                    "$ref": "https://localhost:9443/scim2/Groups/d5eab0ca-8fb8-4d6f-ba4d-9aa705c0b250"
                }
            ],
            "id": "458d1e93-303c-433d-a4e4-48da47b81b40",
            "userName": "USA/john1"
        }
    ]
}

Issue 4: The roles created in a secondary userstore are not fetched properly via SCIM.

How to reproduce:

  1. Create a secondary userstore (US-A) (Tested for MySQL).
  2. Create a role in that secondary userstore (manager).
  3. Get users using the following command. It will also return the newly created role (US-A/manager), which is expected.
    curl --location --request GET 'https://localhost:9443/scim2/Groups' --header 'Authorization: Basic YWRtaW46YWRtaW4='
  4. Go to the Management console and remove the userstore (US-A).
  5. Connect the same userstore with a new name (US-B).
  6. Run Step 3 again; the created role in that userstore (US-B/manager) will not be listed.

Note: However, you can see that role in the management console even though it is not returned by the SCIM call.

Expected behavior: In Step 5, you should receive the created role in that userstore.

Environment information:

VivekVinushanth commented 3 years ago

Issue 5: Case-insensitive nature of the 'and' operation for multi-attribute filtering.

  1. Create a user and assign values for username [e.g. kim] and email [e.g. kim@abc.com]
  2. Try the following curl that uses 'AND' as the multi-attribute filter conjunction
    curl --location --request GET 'https://localhost:9443/scim2/Users?attributes=username&filter=username+EQ+kim+AND+emails+EQ+kim@abc.com' \
    --header 'Authorization: Basic YWRtaW46YWRtaW4='
  3. The above request only considers the first part of the filter, i.e. username+EQ+man
  4. Try the following curl that uses 'and' as the multi-attribute filter conjunction and the operation works.
    curl --location --request GET 'https://localhost:9443/scim2/Users?attributes=username&filter=username+EQ+kim+and+emails+EQ+kim@abc.com' \
    --header 'Authorization: Basic YWRtaW46YWRtaW4='
  5. The concern here is whether it is good to have a case-sensitive filter operation.

tharakawijekoon commented 3 years ago

Issue 5: Case-insensitive nature of the 'and' operation for multi-attribute filtering.

  1. Create a user and assign values for username [e.g. kim] and email [e.g. kim@abc.com]
  2. Try the following curl that uses 'AND' as the multi-attribute filter conjunction
    curl --location --request GET 'https://localhost:9443/scim2/Users?attributes=username&filter=username+EQ+kim+AND+emails+EQ+kim@abc.com' \
    --header 'Authorization: Basic YWRtaW46YWRtaW4='
  3. The above request only considers the first part of the filter, i.e. username+EQ+man
  4. Try the following curl that uses 'and' as the multi-attribute filter conjunction and the operation works.
    curl --location --request GET 'https://localhost:9443/scim2/Users?attributes=username&filter=username+EQ+kim+and+emails+EQ+kim@abc.com' \
    --header 'Authorization: Basic YWRtaW46YWRtaW4='
  5. The concern here is whether it is good to have a case-sensitive filter operation.

Quoting from the specification [1]:

   Attribute names and attribute operators used in filters are case
   insensitive. For example, the following two expressions will
   evaluate to the same logical value:

   filter=userName Eq "john"

   filter=Username eq "john"

[1] https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2
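As an added reference point, not code from the issue or from WSO2 Identity Server: a small spec-conformant SCIM filter evaluator, run over a constructed in-memory user set modelled on the users and groups named in Issues 1, 2, 3 and 5. It shows the results the reporters expected for the quoted filters: attribute names and the 'and'/'or' keywords are matched case-insensitively per RFC 7644 section 3.4.2.2, 'and' binds tighter than 'or', and userName values compare case-insensitively because userName is caseExact=false in the RFC 7643 core schema. The USERS records and the string-valued groups are simplifications, not the server's data model.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample directory, modelled on the users and groups named in the issue.
USERS = [
    {"userName": "sumedhe", "emails": ["sumedhe@abc.com"], "groups": ["Application/MyApp"]},
    {"userName": "admin", "emails": ["admin@abc.com"], "groups": ["admin"]},
    {"userName": "USA/john1", "emails": ["john@abc.com"], "groups": ["USA/manager"]},
    {"userName": "kim", "emails": ["kim@abc.com"], "groups": []},
]
OPS = {"eq": lambda a, t: a == t, "ne": lambda a, t: a != t, "co": lambda a, t: t in a,
       "sw": lambda a, t: a.startswith(t), "ew": lambda a, t: a.endswith(t)}
TOKEN = re.compile(r'"[^"]*"|\S+')  # a quoted string or a bare word

def attr_matches(user, attr, op, target):
    """Compare one attribute; the name is matched case-insensitively (RFC 7644
    3.4.2.2) and so is the value, since userName is caseExact=false (RFC 7643)."""
    key = next((k for k in user if k.lower() == attr.lower()), None)
    values = user.get(key, [])
    values = values if isinstance(values, list) else [values]
    return any(OPS[op](str(v).lower(), target.lower()) for v in values)

def parse_filter(raw):
    """Parse a URL-encoded filter into a disjunction of conjunctions: 'and' binds
    tighter than 'or', and both keywords are accepted in any letter case."""
    tokens = TOKEN.findall(unquote_plus(raw))
    groups, i, expect_clause = [[]], 0, True
    while i + 2 < len(tokens):
        attr, op, value = tokens[i], tokens[i + 1].lower(), tokens[i + 2].strip('"')
        if op not in OPS:
            raise ValueError(f"unsupported operator: {tokens[i + 1]!r}")
        groups[-1].append((attr, op, value))
        i, expect_clause = i + 3, False
        if i < len(tokens):
            conj = tokens[i].lower()
            if conj not in ("and", "or"):
                raise ValueError(f"expected and/or, got {tokens[i]!r}")
            if conj == "or":
                groups.append([])
            i, expect_clause = i + 1, True
    if expect_clause or i != len(tokens):
        raise ValueError("incomplete filter expression")
    return groups

def filter_users(raw, users=USERS):
    """Return the userNames matching the filter, in directory order."""
    groups = parse_filter(raw)
    return [u["userName"] for u in users
            if any(all(attr_matches(u, *c) for c in conj) for conj in groups)]
```

Passing the filter exactly as it appears in the issue's URLs (for example `groups+co+MyApp+and+userName+co+sume`) yields the single `sumedhe` entry the reporter expected, and `username+EQ+kim+AND+emails+EQ+kim@abc.com` behaves identically to its lowercase `and` variant.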

ImalshaG commented 2 years ago

Filtering with the count parameter retrieves only the entries in lowercase.

E.g.: Even though the userName Kim is present, for the scim2 GET request

https://localhost:9443/scim2/Users?filter=userName%20Eq%20Kim&count=5

the response is

{
    "totalResults": 0,
    "startIndex": 1,
    "itemsPerPage": 0,
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ]
}

For the userName tim, the GET request

https://localhost:9443/scim2/Users?filter=userName%20Eq%20tim&count=5

returns the correct user details of user tim.

isharak commented 1 week ago

This issue is being closed due to extended inactivity. Please feel free to reopen it if further attention is needed. Thank you for helping us keep the issue list relevant and focused!