zitadel/internal/api/scim/integration_test/users_delete_test.go

//go:build integration

package integration_test

import (
	"context"
	"net/http"
	"testing"
	"time"

	"github.com/brianvoe/gofakeit/v6"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	"google.golang.org/grpc/codes"

	"github.com/zitadel/zitadel/internal/integration"
	"github.com/zitadel/zitadel/internal/integration/scim"
	"github.com/zitadel/zitadel/pkg/grpc/user/v2"
)

func TestDeleteUser_errors(t *testing.T) {
	tests := []struct {
		name        string
		ctx         context.Context
		orgID       string
		errorStatus int
	}{
		{
			name:        "not authenticated",
			ctx:         context.Background(),
			errorStatus: http.StatusUnauthorized,
		},
		{
			name:        "no permissions",
			ctx:         Instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
			errorStatus: http.StatusNotFound,
		},
		{
			name:        "unknown user id",
			errorStatus: http.StatusNotFound,
		},
		{
			name:        "another org",
			orgID:       SecondaryOrganization.OrganizationId,
			errorStatus: http.StatusNotFound,
		},
		{
			name:        "another org with permissions",
			orgID:       SecondaryOrganization.OrganizationId,
			ctx:         Instance.WithAuthorization(CTX, integration.UserTypeIAMOwner),
			errorStatus: http.StatusNotFound,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			ctx := tt.ctx
			if ctx == nil {
				ctx = CTX
			}

			orgID := tt.orgID
			if orgID == "" {
				orgID = Instance.DefaultOrg.Id
			}
			err := Instance.Client.SCIM.Users.Delete(ctx, orgID, "1")

			statusCode := tt.errorStatus
			if statusCode == 0 {
				statusCode = http.StatusBadRequest
			}

			scim.RequireScimError(t, statusCode, err)
		})
	}
}

func TestDeleteUser_ensureReallyDeleted(t *testing.T) {
	// create user and dependencies
	createUserResp := Instance.CreateHumanUser(CTX)
	proj := Instance.CreateProject(CTX, t, "", gofakeit.AppName(), false, false)

	Instance.CreateProjectUserGrant(t, CTX, proj.Id, createUserResp.UserId)

	// delete user via scim
	err := Instance.Client.SCIM.Users.Delete(CTX, Instance.DefaultOrg.Id, createUserResp.UserId)
	assert.NoError(t, err)

	// ensure it is really deleted => try to delete again => should 404
	err = Instance.Client.SCIM.Users.Delete(CTX, Instance.DefaultOrg.Id, createUserResp.UserId)
	scim.RequireScimError(t, http.StatusNotFound, err)

	retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Minute)
	require.EventuallyWithT(t, func(tt *assert.CollectT) {
		// try to get user via api => should 404
		_, err = Instance.Client.UserV2.GetUserByID(CTX, &user.GetUserByIDRequest{UserId: createUserResp.UserId})
		integration.AssertGrpcStatus(tt, codes.NotFound, err)
	}, retryDuration, tick)
}
feat: delete user scim v2 endpoint (#9151) # Which Problems Are Solved - Adds support for the user delete SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user delete SCIM v2 endpoint under `DELETE /scim/v2/{orgID}/Users/{id}` # Additional Context Part of #8140 2025-01-09 15:12:13 +01:00			`//go:build integration`

			`package integration_test`

			`import (`
			`"context"`
fix(permissions_v2): add membership fields migration (#9199) # Which Problems Are Solved Memberships did not have a fields table fill migration. # How the Problems Are Solved Add filling of membership fields to the repeatable steps. # Additional Changes - Use the same repeatable step for multiple fill fields handlers. - Fix an error for PostgreSQL 15 where a subquery in a `FROM` clause needs an alias ing the `permitted_orgs` function. # Additional Context - Part of https://github.com/zitadel/zitadel/issues/9188 - Introduced in https://github.com/zitadel/zitadel/pull/9152 2025-01-17 16:16:26 +01:00			`"net/http"`
			`"testing"`
			`"time"`

feat: project v2beta resource API (#9742) # Which Problems Are Solved Resource management of projects and sub-resources was before limited by the context provided by the management API, which would mean you could only manage resources belonging to a specific organization. # How the Problems Are Solved With the addition of a resource-based API, it is now possible to manage projects and sub-resources on the basis of the resources themselves, which means that as long as you have the permission for the resource, you can create, read, update and delete it. - CreateProject to create a project under an organization - UpdateProject to update an existing project - DeleteProject to delete an existing project - DeactivateProject and ActivateProject to change the status of a project - GetProject to query for a specific project with an identifier - ListProject to query for projects and granted projects - CreateProjectGrant to create a project grant with project and granted organization - UpdateProjectGrant to update the roles of a project grant - DeactivateProjectGrant and ActivateProjectGrant to change the status of a project grant - DeleteProjectGrant to delete an existing project grant - ListProjectGrants to query for project grants - AddProjectRole to add a role to an existing project - UpdateProjectRole to change texts of an existing role - RemoveProjectRole to remove an existing role - ListProjectRoles to query for project roles # Additional Changes - Changes to ListProjects, which now contains granted projects as well - Changes to messages as defined in the [API_DESIGN](https://github.com/zitadel/zitadel/blob/main/API_DESIGN.md) - Permission checks for project functionality on query and command side - Added testing to unit tests on command side - Change update endpoints to no error returns if nothing changes in the resource - Changed all integration test utility to the new service - ListProjects now also correctly lists `granted projects` - Permission checks for project grant and project role functionality on query and command side - Change existing pre checks so that they also work resource specific without resourceowner - Added the resourceowner to the grant and role if no resourceowner is provided - Corrected import tests with project grants and roles - Added testing to unit tests on command side - Change update endpoints to no error returns if nothing changes in the resource - Changed all integration test utility to the new service - Corrected some naming in the proto files to adhere to the API_DESIGN # Additional Context Closes #9177 --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2025-05-21 14:40:47 +02:00			`"github.com/brianvoe/gofakeit/v6"`
feat: delete user scim v2 endpoint (#9151) # Which Problems Are Solved - Adds support for the user delete SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user delete SCIM v2 endpoint under `DELETE /scim/v2/{orgID}/Users/{id}` # Additional Context Part of #8140 2025-01-09 15:12:13 +01:00			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`
fix(permissions_v2): add membership fields migration (#9199) # Which Problems Are Solved Memberships did not have a fields table fill migration. # How the Problems Are Solved Add filling of membership fields to the repeatable steps. # Additional Changes - Use the same repeatable step for multiple fill fields handlers. - Fix an error for PostgreSQL 15 where a subquery in a `FROM` clause needs an alias ing the `permitted_orgs` function. # Additional Context - Part of https://github.com/zitadel/zitadel/issues/9188 - Introduced in https://github.com/zitadel/zitadel/pull/9152 2025-01-17 16:16:26 +01:00			`"google.golang.org/grpc/codes"`

feat: delete user scim v2 endpoint (#9151) # Which Problems Are Solved - Adds support for the user delete SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user delete SCIM v2 endpoint under `DELETE /scim/v2/{orgID}/Users/{id}` # Additional Context Part of #8140 2025-01-09 15:12:13 +01:00			`"github.com/zitadel/zitadel/internal/integration"`
			`"github.com/zitadel/zitadel/internal/integration/scim"`
			`"github.com/zitadel/zitadel/pkg/grpc/user/v2"`
			`)`

			`func TestDeleteUser_errors(t *testing.T) {`
			`tests := []struct {`
			`name string`
			`ctx context.Context`
fix: scim v2 endpoints enforce user resource owner (#9273) # Which Problems Are Solved - If a SCIM endpoint is called with an orgID in the URL that is not the resource owner, no error is returned, and the action is executed. # How the Problems Are Solved - The orgID provided in the SCIM URL path must match the resource owner of the target user. Otherwise, an error will be returned. # Additional Context Part of https://github.com/zitadel/zitadel/issues/8140 2025-01-30 16:43:13 +01:00			`orgID string`
feat: delete user scim v2 endpoint (#9151) # Which Problems Are Solved - Adds support for the user delete SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user delete SCIM v2 endpoint under `DELETE /scim/v2/{orgID}/Users/{id}` # Additional Context Part of #8140 2025-01-09 15:12:13 +01:00			`errorStatus int`
			`}{`
			`{`
			`name: "not authenticated",`
			`ctx: context.Background(),`
			`errorStatus: http.StatusUnauthorized,`
			`},`
			`{`
			`name: "no permissions",`
			`ctx: Instance.WithAuthorization(CTX, integration.UserTypeNoPermission),`
			`errorStatus: http.StatusNotFound,`
			`},`
			`{`
			`name: "unknown user id",`
			`errorStatus: http.StatusNotFound,`
			`},`
fix: scim v2 endpoints enforce user resource owner (#9273) # Which Problems Are Solved - If a SCIM endpoint is called with an orgID in the URL that is not the resource owner, no error is returned, and the action is executed. # How the Problems Are Solved - The orgID provided in the SCIM URL path must match the resource owner of the target user. Otherwise, an error will be returned. # Additional Context Part of https://github.com/zitadel/zitadel/issues/8140 2025-01-30 16:43:13 +01:00			`{`
			`name: "another org",`
			`orgID: SecondaryOrganization.OrganizationId,`
			`errorStatus: http.StatusNotFound,`
			`},`
			`{`
			`name: "another org with permissions",`
			`orgID: SecondaryOrganization.OrganizationId,`
			`ctx: Instance.WithAuthorization(CTX, integration.UserTypeIAMOwner),`
			`errorStatus: http.StatusNotFound,`
			`},`
feat: delete user scim v2 endpoint (#9151) # Which Problems Are Solved - Adds support for the user delete SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user delete SCIM v2 endpoint under `DELETE /scim/v2/{orgID}/Users/{id}` # Additional Context Part of #8140 2025-01-09 15:12:13 +01:00			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`ctx := tt.ctx`
			`if ctx == nil {`
			`ctx = CTX`
			`}`

fix: scim v2 endpoints enforce user resource owner (#9273) # Which Problems Are Solved - If a SCIM endpoint is called with an orgID in the URL that is not the resource owner, no error is returned, and the action is executed. # How the Problems Are Solved - The orgID provided in the SCIM URL path must match the resource owner of the target user. Otherwise, an error will be returned. # Additional Context Part of https://github.com/zitadel/zitadel/issues/8140 2025-01-30 16:43:13 +01:00			`orgID := tt.orgID`
			`if orgID == "" {`
			`orgID = Instance.DefaultOrg.Id`
			`}`
			`err := Instance.Client.SCIM.Users.Delete(ctx, orgID, "1")`
feat: delete user scim v2 endpoint (#9151) # Which Problems Are Solved - Adds support for the user delete SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user delete SCIM v2 endpoint under `DELETE /scim/v2/{orgID}/Users/{id}` # Additional Context Part of #8140 2025-01-09 15:12:13 +01:00
			`statusCode := tt.errorStatus`
			`if statusCode == 0 {`
			`statusCode = http.StatusBadRequest`
			`}`

			`scim.RequireScimError(t, statusCode, err)`
			`})`
			`}`
			`}`

			`func TestDeleteUser_ensureReallyDeleted(t *testing.T) {`
			`// create user and dependencies`
			`createUserResp := Instance.CreateHumanUser(CTX)`
feat: project v2beta resource API (#9742) # Which Problems Are Solved Resource management of projects and sub-resources was before limited by the context provided by the management API, which would mean you could only manage resources belonging to a specific organization. # How the Problems Are Solved With the addition of a resource-based API, it is now possible to manage projects and sub-resources on the basis of the resources themselves, which means that as long as you have the permission for the resource, you can create, read, update and delete it. - CreateProject to create a project under an organization - UpdateProject to update an existing project - DeleteProject to delete an existing project - DeactivateProject and ActivateProject to change the status of a project - GetProject to query for a specific project with an identifier - ListProject to query for projects and granted projects - CreateProjectGrant to create a project grant with project and granted organization - UpdateProjectGrant to update the roles of a project grant - DeactivateProjectGrant and ActivateProjectGrant to change the status of a project grant - DeleteProjectGrant to delete an existing project grant - ListProjectGrants to query for project grants - AddProjectRole to add a role to an existing project - UpdateProjectRole to change texts of an existing role - RemoveProjectRole to remove an existing role - ListProjectRoles to query for project roles # Additional Changes - Changes to ListProjects, which now contains granted projects as well - Changes to messages as defined in the [API_DESIGN](https://github.com/zitadel/zitadel/blob/main/API_DESIGN.md) - Permission checks for project functionality on query and command side - Added testing to unit tests on command side - Change update endpoints to no error returns if nothing changes in the resource - Changed all integration test utility to the new service - ListProjects now also correctly lists `granted projects` - Permission checks for project grant and project role functionality on query and command side - Change existing pre checks so that they also work resource specific without resourceowner - Added the resourceowner to the grant and role if no resourceowner is provided - Corrected import tests with project grants and roles - Added testing to unit tests on command side - Change update endpoints to no error returns if nothing changes in the resource - Changed all integration test utility to the new service - Corrected some naming in the proto files to adhere to the API_DESIGN # Additional Context Closes #9177 --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2025-05-21 14:40:47 +02:00			`proj := Instance.CreateProject(CTX, t, "", gofakeit.AppName(), false, false)`
feat: delete user scim v2 endpoint (#9151) # Which Problems Are Solved - Adds support for the user delete SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user delete SCIM v2 endpoint under `DELETE /scim/v2/{orgID}/Users/{id}` # Additional Context Part of #8140 2025-01-09 15:12:13 +01:00
			`Instance.CreateProjectUserGrant(t, CTX, proj.Id, createUserResp.UserId)`

			`// delete user via scim`
feat: project v2beta resource API (#9742) # Which Problems Are Solved Resource management of projects and sub-resources was before limited by the context provided by the management API, which would mean you could only manage resources belonging to a specific organization. # How the Problems Are Solved With the addition of a resource-based API, it is now possible to manage projects and sub-resources on the basis of the resources themselves, which means that as long as you have the permission for the resource, you can create, read, update and delete it. - CreateProject to create a project under an organization - UpdateProject to update an existing project - DeleteProject to delete an existing project - DeactivateProject and ActivateProject to change the status of a project - GetProject to query for a specific project with an identifier - ListProject to query for projects and granted projects - CreateProjectGrant to create a project grant with project and granted organization - UpdateProjectGrant to update the roles of a project grant - DeactivateProjectGrant and ActivateProjectGrant to change the status of a project grant - DeleteProjectGrant to delete an existing project grant - ListProjectGrants to query for project grants - AddProjectRole to add a role to an existing project - UpdateProjectRole to change texts of an existing role - RemoveProjectRole to remove an existing role - ListProjectRoles to query for project roles # Additional Changes - Changes to ListProjects, which now contains granted projects as well - Changes to messages as defined in the [API_DESIGN](https://github.com/zitadel/zitadel/blob/main/API_DESIGN.md) - Permission checks for project functionality on query and command side - Added testing to unit tests on command side - Change update endpoints to no error returns if nothing changes in the resource - Changed all integration test utility to the new service - ListProjects now also correctly lists `granted projects` - Permission checks for project grant and project role functionality on query and command side - Change existing pre checks so that they also work resource specific without resourceowner - Added the resourceowner to the grant and role if no resourceowner is provided - Corrected import tests with project grants and roles - Added testing to unit tests on command side - Change update endpoints to no error returns if nothing changes in the resource - Changed all integration test utility to the new service - Corrected some naming in the proto files to adhere to the API_DESIGN # Additional Context Closes #9177 --------- Co-authored-by: Livio Spring <livio.a@gmail.com> 2025-05-21 14:40:47 +02:00			`err := Instance.Client.SCIM.Users.Delete(CTX, Instance.DefaultOrg.Id, createUserResp.UserId)`
feat: delete user scim v2 endpoint (#9151) # Which Problems Are Solved - Adds support for the user delete SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user delete SCIM v2 endpoint under `DELETE /scim/v2/{orgID}/Users/{id}` # Additional Context Part of #8140 2025-01-09 15:12:13 +01:00			`assert.NoError(t, err)`

			`// ensure it is really deleted => try to delete again => should 404`
			`err = Instance.Client.SCIM.Users.Delete(CTX, Instance.DefaultOrg.Id, createUserResp.UserId)`
			`scim.RequireScimError(t, http.StatusNotFound, err)`

feat: replace user scim v2 endpoint (#9163) # Which Problems Are Solved - Adds support for the replace user SCIM v2 endpoint # How the Problems Are Solved - Adds support for the replace user SCIM v2 endpoint under `PUT /scim/v2/{orgID}/Users/{id}` # Additional Changes - Respect the `Active` field in the SCIM v2 create user endpoint `POST /scim/v2/{orgID}/Users` - Eventually consistent read endpoints used in SCIM tests are wrapped in `assert.EventuallyWithT` to work around race conditions # Additional Context Part of #8140 2025-01-14 15:44:41 +01:00			`retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Minute)`
			`require.EventuallyWithT(t, func(tt *assert.CollectT) {`
			`// try to get user via api => should 404`
			`_, err = Instance.Client.UserV2.GetUserByID(CTX, &user.GetUserByIDRequest{UserId: createUserResp.UserId})`
			`integration.AssertGrpcStatus(tt, codes.NotFound, err)`
			`}, retryDuration, tick)`
feat: delete user scim v2 endpoint (#9151) # Which Problems Are Solved - Adds support for the user delete SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user delete SCIM v2 endpoint under `DELETE /scim/v2/{orgID}/Users/{id}` # Additional Context Part of #8140 2025-01-09 15:12:13 +01:00			`}`