TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-12-03 19:22:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: scim v2 endpoints enforce user resource owner (#9273)

Browse Source 
# Which Problems Are Solved
- If a SCIM endpoint is called with an orgID in the URL that is not the
resource owner, no error is returned, and the action is executed.

# How the Problems Are Solved
- The orgID provided in the SCIM URL path must match the resource owner
of the target user. Otherwise, an error will be returned.

# Additional Context

Part of https://github.com/zitadel/zitadel/issues/8140
This commit is contained in:
Lars
2025-01-30 16:43:13 +01:00
committed by GitHub
parent 60cfa6cb76
commit 563f74640e
16 changed files with 153 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
internal/query/user.go
View File

@@ -368,6 +368,10 @@ func (q *Queries) GetUserByIDWithPermission(ctx context.Context, shouldTriggerBu
}
func (q *Queries) GetUserByID(ctx context.Context, shouldTriggerBulk bool, userID string) (user *User, err error) {
return q.GetUserByIDWithResourceOwner(ctx, shouldTriggerBulk, userID, "")
}
func (q *Queries) GetUserByIDWithResourceOwner(ctx context.Context, shouldTriggerBulk bool, userID, resourceOwner string) (user *User, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
@@ -382,6 +386,7 @@ func (q *Queries) GetUserByID(ctx context.Context, shouldTriggerBulk bool, userI
},
userByIDQuery,
userID,
resourceOwner,
authz.GetInstance(ctx).InstanceID(),
)
return user, err

12
internal/query/user_by_id.sql
View File

@@ -20,8 +20,8 @@ WITH login_names AS (SELECT
WHERE
u.instance_id = p.instance_id
AND (
(p.is_default IS TRUE AND p.instance_id = $2)
OR (p.instance_id = $2 AND p.resource_owner = u.resource_owner)
(p.is_default IS TRUE AND p.instance_id = $3)
OR (p.instance_id = $3 AND p.resource_owner = u.resource_owner)
)
ORDER BY is_default
LIMIT 1
@@ -32,8 +32,9 @@ WITH login_names AS (SELECT
u.instance_id = d.instance_id
AND u.resource_owner = d.resource_owner
WHERE
u.instance_id = $2
AND u.id = $1
u.id = $1
AND (u.resource_owner = $2 OR $2 = '')
AND u.instance_id = $3
)
SELECT
u.id
@@ -80,6 +81,7 @@ LEFT JOIN
AND u.instance_id = m.instance_id
WHERE
u.id = $1
AND u.instance_id = $2
AND (u.resource_owner = $2 OR $2 = '')
AND u.instance_id = $3
LIMIT 1
;