feat: delete user scim v2 endpoint (#9151)

# Which Problems Are Solved - Adds support for the user delete SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user delete SCIM v2 endpoint under `DELETE /scim/v2/{orgID}/Users/{id}` # Additional Context Part of #8140
2025-08-12 04:57:33 +00:00 · 2025-01-09 15:12:13 +01:00
parent e621224ab2
commit af09e51b1e
10 changed files with 277 additions and 50 deletions
--- a/internal/api/scim/integration_test/users_create_test.go
+++ b/internal/api/scim/integration_test/users_create_test.go
@@ -5,7 +5,7 @@ package integration_test
 import (
 	"context"
 	_ "embed"
-	"errors"
+	"github.com/brianvoe/gofakeit/v6"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/zitadel/zitadel/internal/api/scim/schemas"
@@ -16,7 +16,6 @@ import (
 	"google.golang.org/grpc/codes"
 	"net/http"
 	"path"
-	"strconv"
 	"testing"
 )

@@ -139,20 +138,14 @@ func TestCreateUser(t *testing.T) {
 			}

 			if err != nil {
-				assert.IsType(t, new(scim.ScimError), err)
-
-				var scimErr *scim.ScimError
-				errors.As(err, &scimErr)
-				assert.Equal(t, tt.scimErrorType, scimErr.ScimType)
-
 				statusCode := tt.errorStatus
 				if statusCode == 0 {
 					statusCode = http.StatusBadRequest
 				}
-				assert.Equal(t, strconv.Itoa(statusCode), scimErr.Status)
-
+				scimErr := scim.RequireScimError(t, statusCode, err)
+				assert.Equal(t, tt.scimErrorType, scimErr.Error.ScimType)
 				if tt.zitadelErrID != "" {
-					assert.Equal(t, tt.zitadelErrID, scimErr.ZitadelDetail.ID)
+					assert.Equal(t, tt.zitadelErrID, scimErr.Error.ZitadelDetail.ID)
 				}

 				return
@@ -175,13 +168,8 @@ func TestCreateUser_duplicate(t *testing.T) {
 	require.NoError(t, err)

 	_, err = Instance.Client.SCIM.Users.Create(CTX, Instance.DefaultOrg.Id, minimalUserJson)
-	require.Error(t, err)
-	assert.IsType(t, new(scim.ScimError), err)
-
-	var scimErr *scim.ScimError
-	errors.As(err, &scimErr)
-	assert.Equal(t, strconv.Itoa(http.StatusConflict), scimErr.Status)
-	assert.Equal(t, "User already exists", scimErr.Detail)
+	scimErr := scim.RequireScimError(t, http.StatusConflict, err)
+	assert.Equal(t, "User already exists", scimErr.Error.Detail)

 	_, err = Instance.Client.UserV2.DeleteUser(CTX, &user.DeleteUserRequest{UserId: createdUser.ID})
 	require.NoError(t, err)
@@ -248,3 +236,9 @@ func TestCreateUser_scopedExternalID(t *testing.T) {
 	_, err = Instance.Client.UserV2.DeleteUser(CTX, &user.DeleteUserRequest{UserId: createdUser.ID})
 	require.NoError(t, err)
 }
+
+func TestCreateUser_anotherOrg(t *testing.T) {
+	org := Instance.CreateOrganization(Instance.WithAuthorization(CTX, integration.UserTypeIAMOwner), gofakeit.Name(), gofakeit.Email())
+	_, err := Instance.Client.SCIM.Users.Create(CTX, org.OrganizationId, fullUserJson)
+	scim.RequireScimError(t, http.StatusNotFound, err)
+}
--- a/internal/api/scim/integration_test/users_delete_test.go
+++ b/internal/api/scim/integration_test/users_delete_test.go
@@ -0,0 +1,84 @@
+//go:build integration
+
+package integration_test
+
+import (
+	"context"
+	"github.com/brianvoe/gofakeit/v6"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/zitadel/zitadel/internal/integration"
+	"github.com/zitadel/zitadel/internal/integration/scim"
+	"github.com/zitadel/zitadel/pkg/grpc/user/v2"
+	"google.golang.org/grpc/codes"
+	"net/http"
+	"testing"
+)
+
+func TestDeleteUser_errors(t *testing.T) {
+	tests := []struct {
+		name        string
+		ctx         context.Context
+		errorStatus int
+	}{
+		{
+			name:        "not authenticated",
+			ctx:         context.Background(),
+			errorStatus: http.StatusUnauthorized,
+		},
+		{
+			name:        "no permissions",
+			ctx:         Instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
+			errorStatus: http.StatusNotFound,
+		},
+		{
+			name:        "unknown user id",
+			errorStatus: http.StatusNotFound,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx := tt.ctx
+			if ctx == nil {
+				ctx = CTX
+			}
+
+			err := Instance.Client.SCIM.Users.Delete(ctx, Instance.DefaultOrg.Id, "1")
+
+			statusCode := tt.errorStatus
+			if statusCode == 0 {
+				statusCode = http.StatusBadRequest
+			}
+
+			scim.RequireScimError(t, statusCode, err)
+		})
+	}
+}
+
+func TestDeleteUser_ensureReallyDeleted(t *testing.T) {
+	// create user and dependencies
+	createUserResp := Instance.CreateHumanUser(CTX)
+	proj, err := Instance.CreateProject(CTX)
+	require.NoError(t, err)
+
+	Instance.CreateProjectUserGrant(t, CTX, proj.Id, createUserResp.UserId)
+
+	// delete user via scim
+	err = Instance.Client.SCIM.Users.Delete(CTX, Instance.DefaultOrg.Id, createUserResp.UserId)
+	assert.NoError(t, err)
+
+	// ensure it is really deleted => try to delete again => should 404
+	err = Instance.Client.SCIM.Users.Delete(CTX, Instance.DefaultOrg.Id, createUserResp.UserId)
+	scim.RequireScimError(t, http.StatusNotFound, err)
+
+	// try to get user via api => should 404
+	_, err = Instance.Client.UserV2.GetUserByID(CTX, &user.GetUserByIDRequest{UserId: createUserResp.UserId})
+	integration.AssertGrpcStatus(t, codes.NotFound, err)
+}
+
+func TestDeleteUser_anotherOrg(t *testing.T) {
+	createUserResp := Instance.CreateHumanUser(CTX)
+	org := Instance.CreateOrganization(Instance.WithAuthorization(CTX, integration.UserTypeIAMOwner), gofakeit.Name(), gofakeit.Email())
+	err := Instance.Client.SCIM.Users.Delete(CTX, org.OrganizationId, createUserResp.UserId)
+	scim.RequireScimError(t, http.StatusNotFound, err)
+}