fix: scim v2 endpoints enforce user resource owner (#9273)

# Which Problems Are Solved - If a SCIM endpoint is called with an orgID in the URL that is not the resource owner, no error is returned, and the action is executed. # How the Problems Are Solved - The orgID provided in the SCIM URL path must match the resource owner of the target user. Otherwise, an error will be returned. # Additional Context Part of https://github.com/zitadel/zitadel/issues/8140
2025-08-12 00:47:33 +00:00 · 2025-01-30 16:43:13 +01:00
parent 60cfa6cb76
commit 563f74640e
16 changed files with 153 additions and 78 deletions
--- a/internal/api/scim/integration_test/users_create_test.go
+++ b/internal/api/scim/integration_test/users_create_test.go
@@ -10,7 +10,6 @@ import (
 	"testing"
 	"time"

-	"github.com/brianvoe/gofakeit/v6"
 	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -164,6 +163,7 @@ func TestCreateUser(t *testing.T) {
 		name          string
 		body          []byte
 		ctx           context.Context
+		orgID         string
 		want          *resources.ScimUser
 		wantErr       bool
 		scimErrorType string
@@ -275,6 +275,13 @@ func TestCreateUser(t *testing.T) {
 			wantErr:     true,
 			errorStatus: http.StatusNotFound,
 		},
+		{
+			name:        "another org",
+			body:        minimalUserJson,
+			orgID:       SecondaryOrganization.OrganizationId,
+			wantErr:     true,
+			errorStatus: http.StatusNotFound,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -283,7 +290,12 @@ func TestCreateUser(t *testing.T) {
 				ctx = CTX
 			}

-			createdUser, err := Instance.Client.SCIM.Users.Create(ctx, Instance.DefaultOrg.Id, tt.body)
+			orgID := tt.orgID
+			if orgID == "" {
+				orgID = Instance.DefaultOrg.Id
+			}
+
+			createdUser, err := Instance.Client.SCIM.Users.Create(ctx, orgID, tt.body)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("CreateUser() error = %v, wantErr %v", err, tt.wantErr)
 				return
@@ -311,7 +323,7 @@ func TestCreateUser(t *testing.T) {

 			assert.EqualValues(t, []schemas.ScimSchemaType{"urn:ietf:params:scim:schemas:core:2.0:User"}, createdUser.Resource.Schemas)
 			assert.Equal(t, schemas.ScimResourceTypeSingular("User"), createdUser.Resource.Meta.ResourceType)
-			assert.Equal(t, "http://"+Instance.Host()+path.Join(schemas.HandlerPrefix, Instance.DefaultOrg.Id, "Users", createdUser.ID), createdUser.Resource.Meta.Location)
+			assert.Equal(t, "http://"+Instance.Host()+path.Join(schemas.HandlerPrefix, orgID, "Users", createdUser.ID), createdUser.Resource.Meta.Location)
 			assert.Nil(t, createdUser.Password)

 			if tt.want != nil {
@@ -423,9 +435,3 @@ func TestCreateUser_scopedExternalID(t *testing.T) {
 		assert.Equal(tt, "701984", string(md.Metadata.Value))
 	}, retryDuration, tick)
 }
-
-func TestCreateUser_anotherOrg(t *testing.T) {
-	org := Instance.CreateOrganization(Instance.WithAuthorization(CTX, integration.UserTypeIAMOwner), gofakeit.Name(), gofakeit.Email())
-	_, err := Instance.Client.SCIM.Users.Create(CTX, org.OrganizationId, fullUserJson)
-	scim.RequireScimError(t, http.StatusNotFound, err)
-}