fix: update scim Operation class to manage multi valued elements usin…

…g Azure AD syntaxe the syntax is not consistent with the RFC 7644 as it is using filter 'emails[type eq "work"].value' instead of a path with an array fixes AM-3041 gravitee-io/issues#9674
gravitee-io · Jun 4, 2024 · 6b89931 · 6b89931
1 parent ed1c74c
commit 6b89931
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 8 deletions.
diff --git a/...r-scim/src/main/java/io/gravitee/am/gateway/handler/scim/model/MultiValuedAttributes.java b/...r-scim/src/main/java/io/gravitee/am/gateway/handler/scim/model/MultiValuedAttributes.java
@@ -0,0 +1,40 @@
+/**
+ * Copyright (C) 2015 The Gravitee team (http://gravitee.io)
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.gravitee.am.gateway.handler.scim.model;
+
+import java.util.List;
+
+import static org.springframework.util.StringUtils.hasLength;
+
+/**
+ * Helper to identify User & Group attributes which should be managed as list.
+ * This has been introduced to manage https://github.com/gravitee-io/issues/issues/9674
+ */
+class MultiValuedAttributes {
+    private static final List<String> listOfSingularValue = List.of("roles", "entitlements");
+    private static final List<String> listOfMultiAttributeValue = List.of("emails", "phoneNumbers", "ims", "photos", "addresses", "groups", "x509Certificates", "members");
+
+    private MultiValuedAttributes() {}
+
+    static boolean isListOfObjects(String path) {
+        return hasLength(path) && listOfMultiAttributeValue.contains(path);
+    }
+
+    static boolean isListOfSingular(String path) {
+        return hasLength(path) && listOfSingularValue.contains(path);
+    }
+}
diff --git a/...teway-handler-scim/src/main/java/io/gravitee/am/gateway/handler/scim/model/Operation.java b/...teway-handler-scim/src/main/java/io/gravitee/am/gateway/handler/scim/model/Operation.java
@@ -155,16 +155,28 @@ public void apply(ObjectNode node) {
             JsonNode parentNode = node.get(getPath().getAttributePath());
             if (getPath().getSubAttribute() != null) {
                 if (parentNode != null) {
-                    ((ObjectNode) parentNode).set(getPath().getSubAttribute(), value);
+                    if (parentNode.isArray() && MultiValuedAttributes.isListOfObjects(getPath().getAttributePath())) {
+                        fillObjectAttributes(((ArrayNode) parentNode).addObject());
+                    } else {
+                        ((ObjectNode) parentNode).set(getPath().getSubAttribute(), value);
+                    }
                 } else {
-                    node.putObject(getPath().getAttributePath()).set(getPath().getSubAttribute(), value);
+                    if (MultiValuedAttributes.isListOfObjects(getPath().getAttributePath())) {
+                        fillObjectAttributes(node.putArray(getPath().getAttributePath()).addObject());
+                    } else {
+                        node.putObject(getPath().getAttributePath()).set(getPath().getSubAttribute(), value);
+                    }
                 }
             } else if (parentNode == null) {
-                node.set(getPath().getAttributePath(), value);
+                if (MultiValuedAttributes.isListOfSingular(getPath().getAttributePath())) {
+                    node.putArray(getPath().getAttributePath()).add(value);
+                } else {
+                    node.set(getPath().getAttributePath(), value);
+                }
             } else if (parentNode.isArray()) {
                 if (value.isArray()) {
                     value.forEach(n -> ((ArrayNode) parentNode).add(n));
-                } else if (value.isObject()) {
+                } else {
                     ((ArrayNode) parentNode).add(value);
                 }
             } else {
@@ -175,6 +187,19 @@ public void apply(ObjectNode node) {
                 }
             }
         }
+
+        private void fillObjectAttributes(ObjectNode newObjectEntry) {
+            if (getPath().getValuePath() != null && Operator.EQUALITY == getPath().getValuePath().getOperator()) {
+                // manage the Azure AD way of provisioning user emails using filters
+                // ex  "emails[type eq "work"].value"
+                // this looks invalid in regard of the RFC https://datatracker.ietf.org/doc/html/rfc7644#section-3.5.2.1
+                // as we should have an array with a single email object containing a type and value attributes.
+                newObjectEntry.put(getPath().getValuePath().getFilterAttribute().getSubAttributeName() != null ? getPath().getValuePath().getFilterAttribute().getSubAttributeName() : getPath().getValuePath().getFilterAttribute().getAttributeName(), getPath().getValuePath().getFilterValue());
+                newObjectEntry.put(getPath().getSubAttribute(), value);
+            } else {
+                newObjectEntry.set(getPath().getSubAttribute(), value);
+            }
+        }
     }
 
     /**

diff --git a/postman/collections/graviteeio-am-scim-collection-app-version.json b/postman/collections/graviteeio-am-scim-collection-app-version.json
@@ -1,9 +1,10 @@
 {
 	"info": {
-		"_postman_id": "8c2b7d54-677a-48cb-b5d8-acad2688e63f",
+		"_postman_id": "712ac904-a213-4d52-ab81-5f7a75652929",
 		"name": "Gravitee.io - AM - SCIM - app version",
 		"description": "Test System for Cross-domain Identity Management\nSCIM 2.0 is released as RFC7642, RFC7643 and RFC7644",
-		"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
+		"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
+		"_exporter_id": "31343100"
 	},
 	"item": [
 		{
@@ -2203,9 +2204,13 @@
 													"    pm.expect(jsonData.schemas).to.eql(['urn:ietf:params:scim:schemas:core:2.0:User']);",
 													"    pm.expect(jsonData).to.have.property('emails');",
 													"    pm.expect(jsonData.emails[0].value).to.eql('bjensen@example.com');",
+													"    pm.expect(jsonData).to.have.property('phoneNumbers');",
+													"    pm.expect(jsonData.phoneNumbers[0].value).to.eql('0606060606');",
+													"    pm.expect(jsonData.phoneNumbers[0].type).to.eql('work');",
 													"});"
 												],
-												"type": "text/javascript"
+												"type": "text/javascript",
+												"packages": {}
 											}
 										}
 									],
@@ -2226,7 +2231,7 @@
 										],
 										"body": {
 											"mode": "raw",
-											"raw": "{\n     \"schemas\":[\"urn:ietf:params:scim:api:messages:2.0:PatchOp\"],\n     \"Operations\": [{\n        \"op\":\"Add\",\n        \"value\" : {\n            \"emails\": [\n                {\n                    \"value\": \"bjensen@example.com\",\n                    \"type\": \"work\",\n                    \"primary\": true\n                }\n            ]\n        }\n     }]\n\n}"
+											"raw": "{\n     \"schemas\":[\"urn:ietf:params:scim:api:messages:2.0:PatchOp\"],\n     \"Operations\": [{\n        \"op\":\"Add\",\n        \"value\" : {\n            \"emails\": [\n                {\n                    \"value\": \"bjensen@example.com\",\n                    \"type\": \"work\",\n                    \"primary\": true\n                }\n            ]\n        }\n     },{\n        \"op\":\"Add\",\n        \"path\" : \"phoneNumbers[type eq \\\"work\\\"].value\",\n        \"value\" : \"0606060606\"\n     }]\n\n}"
 										},
 										"url": {
 											"raw": "{{gateway_url}}/{{domainHrid}}/scim/Users/{{userSCIM}}",