fix: scim v2 endpoints enforce user resource owner (#9273)

# Which Problems Are Solved - If a SCIM endpoint is called with an orgID in the URL that is not the resource owner, no error is returned, and the action is executed. # How the Problems Are Solved - The orgID provided in the SCIM URL path must match the resource owner of the target user. Otherwise, an error will be returned. # Additional Context Part of https://github.com/zitadel/zitadel/issues/8140
2025-08-12 00:47:33 +00:00 · 2025-01-30 16:43:13 +01:00
parent 60cfa6cb76
commit 563f74640e
16 changed files with 153 additions and 78 deletions
--- a/internal/api/scim/integration_test/users_delete_test.go
+++ b/internal/api/scim/integration_test/users_delete_test.go
@@ -8,7 +8,6 @@ import (
 	"testing"
 	"time"

-	"github.com/brianvoe/gofakeit/v6"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
@@ -22,6 +21,7 @@ func TestDeleteUser_errors(t *testing.T) {
 	tests := []struct {
 		name        string
 		ctx         context.Context
+		orgID       string
 		errorStatus int
 	}{
 		{
@@ -38,6 +38,17 @@ func TestDeleteUser_errors(t *testing.T) {
 			name:        "unknown user id",
 			errorStatus: http.StatusNotFound,
 		},
+		{
+			name:        "another org",
+			orgID:       SecondaryOrganization.OrganizationId,
+			errorStatus: http.StatusNotFound,
+		},
+		{
+			name:        "another org with permissions",
+			orgID:       SecondaryOrganization.OrganizationId,
+			ctx:         Instance.WithAuthorization(CTX, integration.UserTypeIAMOwner),
+			errorStatus: http.StatusNotFound,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -46,7 +57,11 @@ func TestDeleteUser_errors(t *testing.T) {
 				ctx = CTX
 			}

-			err := Instance.Client.SCIM.Users.Delete(ctx, Instance.DefaultOrg.Id, "1")
+			orgID := tt.orgID
+			if orgID == "" {
+				orgID = Instance.DefaultOrg.Id
+			}
+			err := Instance.Client.SCIM.Users.Delete(ctx, orgID, "1")

 			statusCode := tt.errorStatus
 			if statusCode == 0 {
@@ -81,10 +96,3 @@ func TestDeleteUser_ensureReallyDeleted(t *testing.T) {
 		integration.AssertGrpcStatus(tt, codes.NotFound, err)
 	}, retryDuration, tick)
 }
-
-func TestDeleteUser_anotherOrg(t *testing.T) {
-	createUserResp := Instance.CreateHumanUser(CTX)
-	org := Instance.CreateOrganization(Instance.WithAuthorization(CTX, integration.UserTypeIAMOwner), gofakeit.Name(), gofakeit.Email())
-	err := Instance.Client.SCIM.Users.Delete(CTX, org.OrganizationId, createUserResp.UserId)
-	scim.RequireScimError(t, http.StatusNotFound, err)
-}