fix: external group memberships should have correct origin

server/src/main/java/org/cloudfoundry/identity/uaa/scim/bootstrap/ScimUserBootstrap.java

@@ -193,19 +193,19 @@ private void updateUser(ScimUser existingUser, UaaUser updatedUser, boolean upda
         if (updateGroups) {
             Collection<String> newGroups = convertToGroups(updatedUser.getAuthorities());
             logger.debug("Adding new groups " + newGroups);
-            addGroups(id, newGroups);
+            addGroups(id, newGroups, newScimUser.getOrigin());
         }
     }
 
     private void createNewUser(UaaUser user) {
         logger.debug("Registering new user account: " + user);
         ScimUser newScimUser = scimUserProvisioning.createUser(convertToScimUser(user), user.getPassword(), IdentityZoneHolder.get().getId());
-        addGroups(newScimUser.getId(), convertToGroups(user.getAuthorities()));
+        addGroups(newScimUser.getId(), convertToGroups(user.getAuthorities()), newScimUser.getOrigin());
     }
 
-    private void addGroups(String scimUserid, Collection<String> groups) {
+    private void addGroups(String scimUserid, Collection<String> groups, String origin) {
         for (String group : groups) {
-            addToGroup(scimUserid, group);
+            addToGroup(scimUserid, group, origin, true);
         }
     }
 
@@ -274,10 +274,6 @@ public void onApplicationEvent(AuthEvent event) {
         }
     }
 
-    private void addToGroup(String scimUserId, String gName) {
-        addToGroup(scimUserId, gName, OriginKeys.UAA, true);
-    }
-
     private void addToGroup(String scimUserId, String gName, String origin, boolean addGroup) {
         if (!StringUtils.hasText(gName)) {
             return;
@@ -296,7 +292,7 @@ private void addToGroup(String scimUserId, String gName, String origin, boolean
         }
         try {
             ScimGroupMember groupMember = new ScimGroupMember(scimUserId);
-            groupMember.setOrigin(origin);
+            groupMember.setOrigin(ofNullable(origin).orElse(OriginKeys.UAA));
             membershipManager.addMember(group.getId(), groupMember, IdentityZoneHolder.get().getId());
         } catch (MemberAlreadyExistsException ex) {
             // do nothing

server/src/test/java/org/cloudfoundry/identity/uaa/scim/bootstrap/ScimUserBootstrapTests.java

@@ -684,7 +684,6 @@ void doNotAddNonExistentUsers() throws Exception {
     @Test
     void canUpdateEmailThroughEvent() {
         String[] externalAuthorities = new String[]{"extTest1", "extTest2", "extTest3"};
-        String[] userAuthorities = new String[]{"usrTest1", "usrTest2", "usrTest3"};
         String origin = "testOrigin";
         addIdentityProvider(jdbcTemplate, origin);
         String email = "test@test.org";
@@ -695,20 +694,19 @@ void canUpdateEmailThroughEvent() {
         String externalId = null;
         String userId = new RandomValueStringGenerator().generate();
         String username = new RandomValueStringGenerator().generate();
-        UaaUser user = getUaaUser(userAuthorities, origin, email, firstName, lastName, password, externalId, userId, username);
+        UaaUser user = getUaaUser(externalAuthorities, origin, email, firstName, lastName, password, externalId, userId, username);
         ScimUserBootstrap bootstrap = new ScimUserBootstrap(jdbcScimUserProvisioning, scimUserService, jdbcScimGroupProvisioning, jdbcScimGroupMembershipManager, Collections.singletonList(user), false, Collections.emptyList(), false);
         bootstrap.afterPropertiesSet();
 
         List<ScimUser> users = jdbcScimUserProvisioning.query("userName eq \"" + username + "\" and origin eq \"" + origin + "\"", IdentityZone.getUaaZoneId());
         assertEquals(1, users.size());
         userId = users.get(0).getId();
-        user = getUaaUser(userAuthorities, origin, newEmail, firstName, lastName, password, externalId, userId, username);
+        user = getUaaUser(externalAuthorities, origin, newEmail, firstName, lastName, password, externalId, userId, username);
 
         bootstrap.onApplicationEvent(new ExternalGroupAuthorizationEvent(user, true, getAuthorities(externalAuthorities), true));
         users = jdbcScimUserProvisioning.query("userName eq \"" + username + "\" and origin eq \"" + origin + "\"", IdentityZone.getUaaZoneId());
         assertEquals(1, users.size());
         ScimUser created = users.get(0);
-        validateAuthoritiesCreated(externalAuthorities, userAuthorities, origin, created, jdbcScimGroupMembershipManager);
         assertEquals(newEmail, created.getPrimaryEmail());
 
         user = user.modifyEmail("test123@test.org");
@@ -717,14 +715,12 @@ void canUpdateEmailThroughEvent() {
         users = jdbcScimUserProvisioning.query("userName eq \"" + username + "\" and origin eq \"" + origin + "\"", IdentityZone.getUaaZoneId());
         assertEquals(1, users.size());
         created = users.get(0);
-        validateAuthoritiesCreated(externalAuthorities, userAuthorities, origin, created, jdbcScimGroupMembershipManager);
         assertEquals(newEmail, created.getPrimaryEmail());
 
         bootstrap.onApplicationEvent(new ExternalGroupAuthorizationEvent(user, true, getAuthorities(externalAuthorities), true));
         users = jdbcScimUserProvisioning.query("userName eq \"" + username + "\" and origin eq \"" + origin + "\"", IdentityZone.getUaaZoneId());
         assertEquals(1, users.size());
         created = users.get(0);
-        validateAuthoritiesCreated(externalAuthorities, userAuthorities, origin, created, jdbcScimGroupMembershipManager);
         assertEquals("test123@test.org", created.getPrimaryEmail());
     }
 
@@ -877,7 +873,7 @@ private static void nonExistentGroupThroughEvent(
         String externalId = null;
         String userId = new RandomValueStringGenerator().generate();
         String username = new RandomValueStringGenerator().generate();
-        UaaUser user = getUaaUser(userAuthorities, origin, email, firstName, lastName, password, externalId, userId, username);
+        UaaUser user = getUaaUser(new String[] {}, origin, email, firstName, lastName, password, externalId, userId, username);
         ScimUserBootstrap bootstrap = new ScimUserBootstrap(
                 jdbcScimUserProvisioning,
                 scimUserService,
@@ -893,12 +889,25 @@ private static void nonExistentGroupThroughEvent(
         List<ScimUser> users = jdbcScimUserProvisioning.query("userName eq \"" + username + "\" and origin eq \"" + origin + "\"", IdentityZone.getUaaZoneId());
         assertEquals(1, users.size());
         userId = users.get(0).getId();
+
+        // add all the user authorities on the uaa origin
+        for (String userAuthority : userAuthorities) {
+            ScimGroup group = new ScimGroup(null, userAuthority, IdentityZoneHolder.get().getId());
+            group = jdbcScimGroupProvisioning.createOrGet(group, IdentityZoneHolder.get().getId());
+            ScimGroupMember groupMember = new ScimGroupMember(userId);
+            groupMember.setOrigin(OriginKeys.UAA);
+            jdbcScimGroupMembershipManager.addMember(group.getId(), groupMember, IdentityZoneHolder.get().getId());
+        }
+
+        ScimUser created = users.get(0);
+        validateAuthoritiesCreated(new String[0], userAuthorities, origin, created, jdbcScimGroupMembershipManager);
+
         user = getUaaUser(userAuthorities, origin, email, firstName, lastName, password, externalId, userId, username);
         bootstrap.onApplicationEvent(new ExternalGroupAuthorizationEvent(user, false, getAuthorities(externalAuthorities), add));
 
         users = jdbcScimUserProvisioning.query("userName eq \"" + username + "\" and origin eq \"" + origin + "\"", IdentityZone.getUaaZoneId());
         assertEquals(1, users.size());
-        ScimUser created = users.get(0);
+        created = users.get(0);
         validateAuthoritiesCreated(add ? externalAuthorities : new String[0], userAuthorities, origin, created, jdbcScimGroupMembershipManager);
 
         externalAuthorities = new String[]{"extTest1", "extTest2"};