fix: scim v2 endpoints enforce user resource owner (#9273)

# Which Problems Are Solved - If a SCIM endpoint is called with an orgID in the URL that is not the resource owner, no error is returned, and the action is executed. # How the Problems Are Solved - The orgID provided in the SCIM URL path must match the resource owner of the target user. Otherwise, an error will be returned. # Additional Context Part of https://github.com/zitadel/zitadel/issues/8140
2025-08-12 01:27:32 +00:00 · 2025-01-30 16:43:13 +01:00
parent 60cfa6cb76
commit 563f74640e
16 changed files with 153 additions and 78 deletions
--- a/internal/api/scim/integration_test/scim_test.go
+++ b/internal/api/scim/integration_test/scim_test.go
@@ -9,12 +9,16 @@ import (
 	"testing"
 	"time"

+	"github.com/brianvoe/gofakeit/v6"
+
 	"github.com/zitadel/zitadel/internal/integration"
+	"github.com/zitadel/zitadel/pkg/grpc/org/v2"
 )

 var (
-	Instance *integration.Instance
-	CTX      context.Context
+	Instance              *integration.Instance
+	SecondaryOrganization *org.AddOrganizationResponse
+	CTX                   context.Context

 	// remove comments in the json, as the default golang json unmarshaler cannot handle them
 	// some test files (e.g. bulk, patch) are much easier to maintain with comments
@@ -29,6 +33,10 @@ func TestMain(m *testing.M) {
 		Instance = integration.NewInstance(ctx)

 		CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner)
+
+		iamOwnerCtx := Instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
+		SecondaryOrganization = Instance.CreateOrganization(iamOwnerCtx, gofakeit.Name(), gofakeit.Email())
+
 		return m.Run()
 	}())
 }