
Get user return deleted group detail

Open xinxin-sympli opened this issue 3 years ago • 9 comments

Hi,

We noticed a weird behavior in the get user endpoint:

   "id": "dc1d384f-0e57-4b6d-629b-08da3161b81a",
   "active": true,
   "groups": [
       {
           "display": "group1",
           "type": "Group",
           "value": "0bd5cfe1-c844-431c-8b74-4f7d9f9703be",
           "$ref": "http://localhost:4000/scim/Groups/0bd5cfe1-c844-431c-8b74-4f7d9f9703be"
       },
       {
           "value": "6394a9ac-7d9f-48ee-b5c1-4fe017b86258",
           "display": "group2",
           "type": "Group",
           "$ref": "http://localhost:4000/scim/Groups/6394a9ac-7d9f-48ee-b5c1-4fe017b86258"
       },
       {
           "type": "group3",
           "value": "5ca09250-6449-4d4c-94ec-f2852664e4e2",
           "display": "Discharges Vic",
           "$ref": "http://localhost:4000/scim/Groups/5ca09250-6449-4d4c-94ec-f2852664e4e2"
       },
       {
           "display": "group4",
           "type": "Group",
           "value": "bc047098-208d-4152-a753-06c469335bfa",
           "$ref": "http://localhost:4000/scim/Groups/bc047098-208d-4152-a753-06c469335bfa"
       }

and when we do a PATCH op for group1:

{"Operations":[{"op":1,
"path":"members",
"value":[{"value":"dc1d384f-0e57-4b6d-629b-08da3161b81a"}]}]
,"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"]
}

and then we query the same user again, all 4 groups are still returned, but the removed group object is missing the type attribute:

    "id": "dc1d384f-0e57-4b6d-629b-08da3161b81a",
    "active": true,
    "groups": [
        {
            "display": "group1", 
            "value": "0bd5cfe1-c844-431c-8b74-4f7d9f9703be",
            "$ref": "http://localhost:4000/scim/Groups/0bd5cfe1-c844-431c-8b74-4f7d9f9703be"
        },
        {
            "value": "6394a9ac-7d9f-48ee-b5c1-4fe017b86258",
            "display": "group2",
            "type": "Group",
            "$ref": "http://localhost:4000/scim/Groups/6394a9ac-7d9f-48ee-b5c1-4fe017b86258"
        },
        {
            "type": "group3",
            "value": "5ca09250-6449-4d4c-94ec-f2852664e4e2",
            "display": "Discharges Vic",
            "$ref": "http://localhost:4000/scim/Groups/5ca09250-6449-4d4c-94ec-f2852664e4e2"
        },
        {
            "display": "group4",
            "type": "Group",
            "value": "bc047098-208d-4152-a753-06c469335bfa",
            "$ref": "http://localhost:4000/scim/Groups/bc047098-208d-4152-a753-06c469335bfa"
        }

Shouldn't the group be removed in this case?

xinxin-sympli avatar May 26 '22 10:05 xinxin-sympli

Did a bit more investigating: the IsSimilar in the SCIMRepresentationExtensions looks suspicious. When the group has a similar name and we remove the user from a group and get the user again, the group detail in the groups array is not stable: sometimes it returns the group with a missing attribute and sometimes the group has been removed.

xinxin-sympli avatar May 27 '22 04:05 xinxin-sympli

Hello,

Indeed there is an issue in the PATCH operation. I'm going to take a look and fix it ASAP.

Kind regards,

SimpleIdServer

simpleidserver avatar May 27 '22 19:05 simpleidserver

The issue should be fixed in the branch "release/2.0.9". There was an issue with the IsSimilar algorithm.

simpleidserver avatar May 28 '22 16:05 simpleidserver

Thanks for the prompt fix. In the commit, the RemoveUnusedAttributes method has been updated, but it is not called anywhere. Maybe we should remove it from the patch command? If it was an accident, we might need to add it back?

xinxin-sympli avatar May 30 '22 00:05 xinxin-sympli

Indeed, the "RemoveUnusedAttributed" method is not used anymore. This method has been removed from the "Patch" operation.

simpleidserver avatar May 30 '22 11:05 simpleidserver

Hi Team,

Just wanted to quickly check if this issue is still being looked upon.

Thanks, Geeta

GGSympli avatar May 31 '22 00:05 GGSympli

Hello,

The issue is fixed in the master and release\2.0.9 branch. The following pre-release Nuget package can be used :

dotnet add package SimpleIdServer.Scim --version 2.0.9-ci-00283 --source https://www.myget.org/F/advance-ict/api/v3/index.json

Kind regards,

SimpleIdServer

simpleidserver avatar May 31 '22 06:05 simpleidserver

Hi,

I pulled in the fix for this issue. I still see traces of the unassigned group for a user from the GetUser endpoint. What I saw was that the details of the group which was unassociated from the user are returned with value and $ref properties, while all the other groups which are associated with this user return value, type, display and $ref properties.

My understanding is that I should not be seeing any property associated with the group deleted for the user in the response.

Can you please confirm?

Thanks, Geeta

GGSympli avatar May 31 '22 23:05 GGSympli

Hello,

I think you still have the issue because the parameters members.value and members.type are still present in your database (table: dbo.SCIMRepresentationAttributeLst). If you are using SQLServer, please execute this SQL script to remove the unused parameters members.value and members.types.

SQL Script : https://github.com/simpleidserver/SimpleIdServer/blob/release/2.0.9/Migrations/SCIM/2.0.5To2.0.9/1-RemoveUnusedGroups.sql

Kind regards,

SimpleIdServer.

simpleidserver avatar Jun 01 '22 10:06 simpleidserver
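
The symptom reported in this thread (a user's `groups` array still listing a group after the user was removed from its `members`, with only some attributes left) can be checked for from the client side. The following is an added example, not part of the original thread or of SimpleIdServer's code: `audit_user_groups` and the sample data are hypothetical, built from the identifiers quoted above, and the expected attribute set (`value`, `display`, `type`, `$ref`) is taken from the responses shown in the thread.

```python
# Added example: audit a SCIM user's "groups" entries against the Group resources.
# Attribute set observed on healthy entries in the thread (assumption, not a spec rule).
EXPECTED_ATTRS = ("value", "display", "type", "$ref")

def audit_user_groups(user, groups_by_id):
    """Return one finding per user['groups'] entry that looks stale or partial."""
    findings = []
    for entry in user.get("groups", []):
        gid = entry.get("value")
        missing = [k for k in EXPECTED_ATTRS if k not in entry]
        group = groups_by_id.get(gid)
        if group is None:
            reason = "group-not-found"
        else:
            member_ids = {m.get("value") for m in group.get("members", [])}
            if user["id"] not in member_ids:
                # The Group no longer lists the user, yet the user still lists the Group.
                reason = "not-in-group-members"
            elif missing:
                reason = "partial-entry"
            else:
                continue
        findings.append({"group": gid, "reason": reason, "missing": missing})
    return findings

# Constructed sample modelled on the responses quoted in the thread.
USER_ID = "dc1d384f-0e57-4b6d-629b-08da3161b81a"
G1 = "0bd5cfe1-c844-431c-8b74-4f7d9f9703be"
G2 = "6394a9ac-7d9f-48ee-b5c1-4fe017b86258"
BASE = "http://localhost:4000/scim/Groups/"

USER = {
    "id": USER_ID,
    "groups": [
        {"display": "group1", "value": G1, "$ref": BASE + G1},  # no "type"
        {"display": "group2", "type": "Group", "value": G2, "$ref": BASE + G2},
    ],
}
GROUPS = {
    G1: {"id": G1, "displayName": "group1", "members": []},  # user was removed
    G2: {"id": G2, "displayName": "group2", "members": [{"value": USER_ID}]},
}

if __name__ == "__main__":
    for finding in audit_user_groups(USER, GROUPS):
        print(finding)
```

Any finding with reason `not-in-group-members` means a consumer that reads memberships from the User resource would still see a group the user was removed from.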