fix: relax parsing of SCIM user 'active' flag to improve compatibility (#9296)

# Which Problems Are Solved - Microsoft Entra invokes the user patch endpoint with `"active": "True"` / `"active": "False"` when patching a user. This is a well-known bug in MS Entra (see [here](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/application-provisioning-config-problem-scim-compatibility)), but the bug fix has not landed yet and/or the feature flag does not work. # How the Problems Are Solved - To ensure compatibility with MS Entra, the parsing of the the boolean active flag of the scim user is relaxed and accepts strings in any casing that resolve to `true` or `false` as well as raw boolean values. # Additional Context Part of https://github.com/zitadel/zitadel/issues/8140
2025-08-12 01:37:31 +00:00 · 2025-02-05 16:17:20 +01:00
parent 857812bb9e
commit 361f7a2edc
12 changed files with 125 additions and 19 deletions
--- a/internal/api/scim/schemas/bool.go
+++ b/internal/api/scim/schemas/bool.go
@@ -0,0 +1,41 @@
+package schemas
+
+import (
+	"encoding/json"
+	"strings"
+
+	"github.com/muhlemmer/gu"
+
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+// RelaxedBool a bool which is more relaxed when it comes to json (un)marshaling.
+// This ensures compatibility with some bugged scim providers,
+// such as Microsoft Entry, which sends booleans as "True" or "False".
+// See also https://learn.microsoft.com/en-us/entra/identity/app-provisioning/application-provisioning-config-problem-scim-compatibility.
+type RelaxedBool bool
+
+func NewRelaxedBool(value bool) *RelaxedBool {
+	return gu.Ptr(RelaxedBool(value))
+}
+
+func (b *RelaxedBool) MarshalJSON() ([]byte, error) {
+	return json.Marshal(bool(*b))
+}
+
+func (b *RelaxedBool) UnmarshalJSON(bytes []byte) error {
+	str := strings.ToLower(string(bytes))
+	switch {
+	case str == "true" || str == "\"true\"":
+		*b = true
+	case str == "false" || str == "\"false\"":
+		*b = false
+	default:
+		return zerrors.ThrowInvalidArgumentf(nil, "SCIM-BOO1", "bool expected, got %v", str)
+	}
+	return nil
+}
+
+func (b *RelaxedBool) Bool() bool {
+	return bool(*b)
+}
--- a/internal/api/scim/schemas/bool_test.go
+++ b/internal/api/scim/schemas/bool_test.go
@@ -0,0 +1,63 @@
+package schemas
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestRelaxedBool_MarshalJSON(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    bool
+		expected string
+	}{
+		{name: "true", input: true, expected: "true"},
+		{name: "false", expected: "false"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			value := NewRelaxedBool(tt.input)
+			bytes, err := json.Marshal(value)
+			require.NoError(t, err)
+			assert.Equal(t, tt.expected, string(bytes))
+		})
+	}
+}
+
+func TestRelaxedBool_UnmarshalJSON(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected bool
+		wantErr  bool
+	}{
+		{name: "valid true", input: "true", expected: true},
+		{name: "valid false", input: "false"},
+		{name: "quoted true", input: `"true"`, expected: true},
+		{name: "quoted pascal case true", input: `"True"`, expected: true},
+		{name: "quoted upper case true", input: `"TRUE"`, expected: true},
+		{name: "quoted false", input: `"false"`},
+		{name: "quoted pascal case false", input: `"False"`},
+		{name: "quoted upper case false", input: `"FALSE"`},
+		{name: "invalid value", input: "invalid", wantErr: true},
+		{name: "number value", input: "1", wantErr: true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			value := new(RelaxedBool)
+			err := json.Unmarshal([]byte(tt.input), &value)
+
+			if tt.wantErr {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, tt.expected, value.Bool())
+			}
+		})
+	}
+}