Alias Handler for SCIM Users

server/src/main/java/org/cloudfoundry/identity/uaa/alias/EntityAliasHandler.java

@@ -3,6 +3,7 @@
 import static org.cloudfoundry.identity.uaa.constants.OriginKeys.UAA;
 import static org.springframework.util.StringUtils.hasText;
 
+import java.util.Objects;
 import java.util.Optional;
 
 import org.cloudfoundry.identity.uaa.EntityWithAlias;
@@ -154,6 +155,7 @@ public final T ensureConsistencyOfAliasEntity(
         // update the existing alias entity
         if (existingAliasEntity != null) {
             setId(aliasEntity, existingAliasEntity.getId());
+            setPropertiesFromExistingAliasEntity(aliasEntity, existingAliasEntity);
             updateEntity(aliasEntity, originalEntity.getAliasZid());
             return originalEntity;
         }
@@ -177,6 +179,12 @@ public final T ensureConsistencyOfAliasEntity(
         return updateEntity(originalEntity, originalEntity.getZoneId());
     }
 
+    /**
+     * Set properties from the existing alias entity in the new alias entity before it is updated. Can be used if
+     * certain properties should differ between the original and the alias entity.
+     */
+    protected abstract void setPropertiesFromExistingAliasEntity(final T newAliasEntity, final T existingAliasEntity);
+
     private T buildAliasEntity(final T originalEntity) {
         final T aliasEntity = cloneEntity(originalEntity);
         aliasEntity.setAliasId(originalEntity.getId());
@@ -208,4 +216,23 @@ public final Optional<T> retrieveAliasEntity(final T originalEntity) {
     protected abstract T updateEntity(final T entity, final String zoneId);
 
     protected abstract T createEntity(final T entity, final String zoneId) throws EntityAliasFailedException;
+
+    protected static <T extends EntityWithAlias> boolean isValidAliasPair(
+            @NonNull final T entity1,
+            @NonNull final T entity2
+    ) {
+        // check if both entities have an alias
+        final boolean entity1HasAlias = hasText(entity1.getAliasId()) && hasText(entity1.getAliasZid());
+        final boolean entity2HasAlias = hasText(entity2.getAliasId()) && hasText(entity2.getAliasZid());
+        if (!entity1HasAlias || !entity2HasAlias) {
+            return false;
+        }
+
+        // check if they reference each other
+        final boolean entity1ReferencesEntity2 = Objects.equals(entity1.getAliasId(), entity2.getId()) &&
+                Objects.equals(entity1.getAliasZid(), entity2.getZoneId());
+        final boolean entity2ReferencesEntity1 = Objects.equals(entity2.getAliasId(), entity1.getId()) &&
+                Objects.equals(entity2.getAliasZid(), entity1.getZoneId());
+        return entity1ReferencesEntity2 && entity2ReferencesEntity1;
+    }
 }

server/src/main/java/org/cloudfoundry/identity/uaa/provider/IdentityProviderAliasHandler.java

@@ -45,6 +45,14 @@ protected boolean additionalValidationChecksForNewAlias(@NonNull final IdentityP
         return IDP_TYPES_ALIAS_SUPPORTED.contains(requestBody.getType());
     }
 
+    @Override
+    protected void setPropertiesFromExistingAliasEntity(
+            final IdentityProvider<?> newAliasEntity,
+            final IdentityProvider<?> existingAliasEntity
+    ) {
+        // not required for identity providers
+    }
+
     @Override
     protected void setId(final IdentityProvider<?> entity, final String id) {
         entity.setId(id);

server/src/main/java/org/cloudfoundry/identity/uaa/scim/ScimUserAliasHandler.java

@@ -0,0 +1,158 @@
+package org.cloudfoundry.identity.uaa.scim;
+
+import static org.cloudfoundry.identity.uaa.util.UaaStringUtils.EMPTY_STRING;
+
+import java.util.Optional;
+
+import org.cloudfoundry.identity.uaa.alias.EntityAliasFailedException;
+import org.cloudfoundry.identity.uaa.alias.EntityAliasHandler;
+import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
+import org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning;
+import org.cloudfoundry.identity.uaa.scim.exception.ScimResourceAlreadyExistsException;
+import org.cloudfoundry.identity.uaa.scim.exception.ScimResourceNotFoundException;
+import org.cloudfoundry.identity.uaa.zone.IdentityZoneProvisioning;
+import org.cloudfoundry.identity.uaa.zone.beans.IdentityZoneManager;
+import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.dao.EmptyResultDataAccessException;
+import org.springframework.http.HttpStatus;
+import org.springframework.stereotype.Component;
+
+@Component
+public class ScimUserAliasHandler extends EntityAliasHandler<ScimUser> {
+    private final ScimUserProvisioning scimUserProvisioning;
+    private final IdentityProviderProvisioning identityProviderProvisioning;
+    private final IdentityZoneManager identityZoneManager;
+
+    protected ScimUserAliasHandler(
+            @Qualifier("identityZoneProvisioning") final IdentityZoneProvisioning identityZoneProvisioning,
+            final ScimUserProvisioning scimUserProvisioning,
+            final IdentityProviderProvisioning identityProviderProvisioning,
+            final IdentityZoneManager identityZoneManager,
+            @Value("${login.aliasEntitiesEnabled:false}") final boolean aliasEntitiesEnabled
+    ) {
+        super(identityZoneProvisioning, aliasEntitiesEnabled);
+        this.scimUserProvisioning = scimUserProvisioning;
+        this.identityProviderProvisioning = identityProviderProvisioning;
+        this.identityZoneManager = identityZoneManager;
+    }
+
+    @Override
+    protected boolean additionalValidationChecksForNewAlias(final ScimUser requestBody) {
+        /* check if an IdP with the user's origin exists in both the current and the alias zone and that they are
+         * aliases of each other */
+        final String origin = requestBody.getOrigin();
+        final Optional<IdentityProvider<?>> idpInAliasZone = retrieveIdpByOrigin(origin, requestBody.getAliasZid());
+        if (idpInAliasZone.isEmpty()) {
+            return false;
+        }
+        final Optional<IdentityProvider<?>> idpInCurrentZone = retrieveIdpByOrigin(origin, identityZoneManager.getCurrentIdentityZoneId());
+        if (idpInCurrentZone.isEmpty()) {
+            return false;
+        }
+        return EntityAliasHandler.isValidAliasPair(idpInCurrentZone.get(), idpInAliasZone.get());
+    }
+
+    @Override
+    protected void setPropertiesFromExistingAliasEntity(
+            final ScimUser newAliasEntity,
+            final ScimUser existingAliasEntity
+    ) {
+        // these three timestamps should not be overwritten by the timestamps of the original user
+        newAliasEntity.setPasswordLastModified(existingAliasEntity.getPasswordLastModified());
+        newAliasEntity.setLastLogonTime(existingAliasEntity.getLastLogonTime());
+        newAliasEntity.setPreviousLogonTime(existingAliasEntity.getPreviousLogonTime());
+    }
+
+    private Optional<IdentityProvider<?>> retrieveIdpByOrigin(final String originKey, final String zoneId) {
+        final IdentityProvider<?> idpInAliasZone;
+        try {
+            idpInAliasZone = identityProviderProvisioning.retrieveByOrigin(originKey, zoneId);
+        } catch (final EmptyResultDataAccessException e) {
+            return Optional.empty();
+        }
+        return Optional.ofNullable(idpInAliasZone);
+    }
+
+    @Override
+    protected void setId(final ScimUser entity, final String id) {
+        entity.setId(id);
+    }
+
+    @Override
+    protected void setZoneId(final ScimUser entity, final String zoneId) {
+        entity.setZoneId(zoneId);
+    }
+
+    @Override
+    protected ScimUser cloneEntity(final ScimUser originalEntity) {
+        final ScimUser aliasUser = new ScimUser();
+
+        aliasUser.setId(null);
+        aliasUser.setExternalId(originalEntity.getExternalId());
+
+        /* we only allow alias users to be created if their origin IdP has an alias to the same zone, therefore, an IdP
+         * with the same origin key will exist in the alias zone  */
+        aliasUser.setOrigin(originalEntity.getOrigin());
+
+        aliasUser.setUserName(originalEntity.getUserName());
+        aliasUser.setName(new ScimUser.Name(originalEntity.getGivenName(), originalEntity.getFamilyName()));
+
+        aliasUser.setEmails(originalEntity.getEmails());
+        aliasUser.setPhoneNumbers(originalEntity.getPhoneNumbers());
+
+        aliasUser.setActive(originalEntity.isActive());
+        aliasUser.setVerified(originalEntity.isVerified());
+
+        // idzId and alias properties will be set later
+        aliasUser.setZoneId(null);
+        aliasUser.setAliasId(null);
+        aliasUser.setAliasZid(null);
+
+        /* these timestamps will be overwritten:
+         *  - creation: with current timestamp during persistence (JdbcScimUserProvisioning)
+         *  - update: with values from existing alias entity */
+        aliasUser.setPasswordLastModified(null);
+        aliasUser.setLastLogonTime(null);
+        aliasUser.setPreviousLogonTime(null);
+
+        /* password: empty string
+         *  - alias users are only allowed for IdPs that also have an alias
+         *  - IdPs can only have an alias if they are of type SAML, OIDC or OAuth 2.0
+         *  - users with such IdPs as their origin always have an empty password
+         */
+        aliasUser.setPassword(EMPTY_STRING);
+        aliasUser.setSalt(null);
+
+        return aliasUser;
+    }
+
+    @Override
+    protected Optional<ScimUser> retrieveEntity(final String id, final String zoneId) {
+        final ScimUser user;
+        try {
+            user = scimUserProvisioning.retrieve(id, zoneId);
+        } catch (final ScimResourceNotFoundException e) {
+            return Optional.empty();
+        }
+        return Optional.ofNullable(user);
+    }
+
+    @Override
+    protected ScimUser updateEntity(final ScimUser entity, final String zoneId) {
+        return scimUserProvisioning.update(entity.getId(), entity, zoneId);
+    }
+
+    @Override
+    protected ScimUser createEntity(final ScimUser entity, final String zoneId) {
+        try {
+            return scimUserProvisioning.createUser(entity, entity.getPassword(), zoneId);
+        } catch (final ScimResourceAlreadyExistsException e) {
+            final String errorMessage = String.format(
+                    "Could not create %s. A user with the same username already exists in the alias zone.",
+                    entity.getAliasDescription()
+            );
+            throw new EntityAliasFailedException(errorMessage, HttpStatus.CONFLICT.value(), e);
+        }
+    }
+}