fix: user metadata check if already existing (#10430)

# Which Problems Are Solved

If metadata is set, there is no check if it even has to be changed.

# How the Problems Are Solved

Check if metadata already exists, and push no event if nothing changed.

# Additional Changes

Original changes under #10246 amendet for v3.3.x, removed permission
check
Fixes #10434

# Additional Context

none

---------

Co-authored-by: Gayathri Vijayan <66356931+grvijayan@users.noreply.github.com>
Co-authored-by: Marco A. <marco@zitadel.com>
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>

internal/api/scim/integration_test/users_replace_test.go

@@ -5,11 +5,13 @@ package integration_test
 import (
 	"context"
 	_ "embed"
+	"fmt"
 	"net/http"
 	"path"
 	"testing"
 	"time"
 
+	"github.com/brianvoe/gofakeit/v6"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/text/language"
@@ -20,7 +22,6 @@ import (
 	"github.com/zitadel/zitadel/internal/integration/scim"
 	"github.com/zitadel/zitadel/internal/test"
 	"github.com/zitadel/zitadel/pkg/grpc/management"
-	"github.com/zitadel/zitadel/pkg/grpc/user/v2"
 )
 
 var (
@@ -199,28 +200,28 @@ func TestReplaceUser(t *testing.T) {
 		},
 		{
 			name:        "not authenticated",
-			body:        minimalUserJson,
+			body:        withUsername(minimalUserJson, gofakeit.Username()),
 			ctx:         context.Background(),
 			wantErr:     true,
 			errorStatus: http.StatusUnauthorized,
 		},
 		{
 			name:        "no permissions",
-			body:        minimalUserJson,
+			body:        withUsername(minimalUserJson, gofakeit.Username()),
 			ctx:         Instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
 			wantErr:     true,
 			errorStatus: http.StatusNotFound,
 		},
 		{
 			name:             "another org",
-			body:             minimalUserJson,
+			body:             withUsername(minimalUserJson, gofakeit.Username()),
 			replaceUserOrgID: SecondaryOrganization.OrganizationId,
 			wantErr:          true,
 			errorStatus:      http.StatusNotFound,
 		},
 		{
 			name:             "another org with permissions",
-			body:             minimalUserJson,
+			body:             withUsername(minimalUserJson, gofakeit.Username()),
 			replaceUserOrgID: SecondaryOrganization.OrganizationId,
 			ctx:              Instance.WithAuthorization(CTX, integration.UserTypeIAMOwner),
 			wantErr:          true,
@@ -230,14 +231,9 @@ func TestReplaceUser(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// use iam owner => we don't want to test permissions of the create endpoint.
-			createdUser, err := Instance.Client.SCIM.Users.Create(Instance.WithAuthorization(CTX, integration.UserTypeIAMOwner), Instance.DefaultOrg.Id, fullUserJson)
+			createdUser, err := Instance.Client.SCIM.Users.Create(Instance.WithAuthorization(CTX, integration.UserTypeIAMOwner), Instance.DefaultOrg.Id, withUsername(fullUserJson, gofakeit.Username()))
 			require.NoError(t, err)
 
-			defer func() {
-				_, err = Instance.Client.UserV2.DeleteUser(CTX, &user.DeleteUserRequest{UserId: createdUser.ID})
-				assert.NoError(t, err)
-			}()
-
 			ctx := tt.ctx
 			if ctx == nil {
 				ctx = CTX
@@ -294,10 +290,11 @@ func TestReplaceUser(t *testing.T) {
 
 func TestReplaceUser_removeOldMetadata(t *testing.T) {
 	// ensure old metadata is removed correctly
-	createdUser, err := Instance.Client.SCIM.Users.Create(CTX, Instance.DefaultOrg.Id, fullUserJson)
+	username := gofakeit.Username()
+	createdUser, err := Instance.Client.SCIM.Users.Create(CTX, Instance.DefaultOrg.Id, withUsername(fullUserJson, username))
 	require.NoError(t, err)
 
-	_, err = Instance.Client.SCIM.Users.Replace(CTX, Instance.DefaultOrg.Id, createdUser.ID, minimalUserJson)
+	_, err = Instance.Client.SCIM.Users.Replace(CTX, Instance.DefaultOrg.Id, createdUser.ID, withUsername(minimalUserJson, username))
 	require.NoError(t, err)
 
 	retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Minute)
@@ -312,20 +309,17 @@ func TestReplaceUser_removeOldMetadata(t *testing.T) {
 		for i := range md.Result {
 			mdMap[md.Result[i].Key] = string(md.Result[i].Value)
 		}
-
-		test.AssertMapContains(tt, mdMap, "urn:zitadel:scim:emails", "[{\"value\":\"user1@example.com\",\"primary\":true}]")
+		test.AssertMapContains(tt, mdMap, "urn:zitadel:scim:emails", fmt.Sprintf("[{\"value\":\"%s@example.com\",\"primary\":true}]", username))
 	}, retryDuration, tick)
-
-	_, err = Instance.Client.UserV2.DeleteUser(CTX, &user.DeleteUserRequest{UserId: createdUser.ID})
-	require.NoError(t, err)
 }
 
 func TestReplaceUser_emailType(t *testing.T) {
 	// ensure old metadata is removed correctly
-	createdUser, err := Instance.Client.SCIM.Users.Create(CTX, Instance.DefaultOrg.Id, fullUserJson)
+	createdUser, err := Instance.Client.SCIM.Users.Create(CTX, Instance.DefaultOrg.Id, withUsername(fullUserJson, gofakeit.Username()))
 	require.NoError(t, err)
 
-	_, err = Instance.Client.SCIM.Users.Replace(CTX, Instance.DefaultOrg.Id, createdUser.ID, minimalUserWithEmailTypeReplaceJson)
+	replacedUsername := gofakeit.Username()
+	_, err = Instance.Client.SCIM.Users.Replace(CTX, Instance.DefaultOrg.Id, createdUser.ID, withUsername(minimalUserWithEmailTypeReplaceJson, replacedUsername))
 	require.NoError(t, err)
 
 	retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Minute)
@@ -341,28 +335,26 @@ func TestReplaceUser_emailType(t *testing.T) {
 			mdMap[md.Result[i].Key] = string(md.Result[i].Value)
 		}
 
-		test.AssertMapContains(tt, mdMap, "urn:zitadel:scim:emails", "[{\"value\":\"user1-minimal-replaced@example.com\",\"primary\":true,\"type\":\"work\"}]")
+		test.AssertMapContains(tt, mdMap, "urn:zitadel:scim:emails", fmt.Sprintf("[{\"value\":\"%s@example.com\",\"primary\":true,\"type\":\"work\"}]", replacedUsername))
 	}, retryDuration, tick)
-
-	_, err = Instance.Client.UserV2.DeleteUser(CTX, &user.DeleteUserRequest{UserId: createdUser.ID})
-	require.NoError(t, err)
 }
 
 func TestReplaceUser_scopedExternalID(t *testing.T) {
-	// create user without provisioning domain set
-	createdUser, err := Instance.Client.SCIM.Users.Create(CTX, Instance.DefaultOrg.Id, fullUserJson)
+	createdUser, err := Instance.Client.SCIM.Users.Create(CTX, Instance.DefaultOrg.Id, withUsername(fullUserJson, gofakeit.Username()))
 	require.NoError(t, err)
-
+	callingUserId, callingUserPat, err := Instance.CreateMachineUserPATWithMembership(CTX, "ORG_OWNER")
+	require.NoError(t, err)
+	ctx := integration.WithAuthorizationToken(CTX, callingUserPat)
 	// set provisioning domain of service user
-	setProvisioningDomain(t, Instance.Users.Get(integration.UserTypeOrgOwner).ID, "fooBazz")
+	setProvisioningDomain(t, callingUserId, "fooBazz")
 
 	// replace the user with provisioning domain set
-	_, err = Instance.Client.SCIM.Users.Replace(CTX, Instance.DefaultOrg.Id, createdUser.ID, minimalUserWithExternalIDJson)
+	_, err = Instance.Client.SCIM.Users.Replace(ctx, Instance.DefaultOrg.Id, createdUser.ID, minimalUserWithExternalIDJson)
 	require.NoError(t, err)
 
-	retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Minute)
+	retryDuration, tick := integration.WaitForAndTickWithMaxDuration(ctx, time.Minute)
 	require.EventuallyWithT(t, func(tt *assert.CollectT) {
-		md, err := Instance.Client.Mgmt.ListUserMetadata(CTX, &management.ListUserMetadataRequest{
+		md, err := Instance.Client.Mgmt.ListUserMetadata(ctx, &management.ListUserMetadataRequest{
 			Id: createdUser.ID,
 		})
 		require.NoError(tt, err)
@@ -376,9 +368,4 @@ func TestReplaceUser_scopedExternalID(t *testing.T) {
 		test.AssertMapContains(tt, mdMap, "urn:zitadel:scim:externalId", "701984")
 		test.AssertMapContains(tt, mdMap, "urn:zitadel:scim:fooBazz:externalId", "replaced-external-id")
 	}, retryDuration, tick)
-
-	_, err = Instance.Client.UserV2.DeleteUser(CTX, &user.DeleteUserRequest{UserId: createdUser.ID})
-	require.NoError(t, err)
-
-	removeProvisioningDomain(t, Instance.Users.Get(integration.UserTypeOrgOwner).ID)
 }