Description:
GroupResourceManager#listWithGET calls GroupResourceManager#processGroupList, and inside supplied list of results is validated and first item is OPTIONALLY can represent totalResults value:

if (tempList.get(0) instanceof Integer)

But GroupResourceManager#listWithPOST explicitly retrieves the totalResults value:

totalResults = (int) tempList.get(0);

I believe these implementations must be aligned.

Affected Product Version:
3.3.38

This is specific to charon v.2.0.5
When a user json object contains a sub-attribute with a boolean value such as emails.primary, org.wso2.charon.core.encoder.json.JSONDecoder fails to decode the string properly to a User object.

code snippet:

    String userJson = "{\n" +
            "  \"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:User\"],\n" +
            "  \"userName\": \"testUser\",\n" +
            "  \"emails\": [{\n" +
            "      \"value\": \"[email protected]\",\n" +
            "      \"primary\": true\n" +
            "  }]\n" +
            "}";
    SCIMResourceSchema userSchema = SCIMResourceSchemaManager
            .getInstance().getUserResourceSchema();
    User user = new User();
    user = (User) new JSONDecoder()
            .decodeResource(userJson, userSchema, user);

user object from above snippet doesn't contain "primary" sub attribute.

I can't seem to find any references to the EnterpriseUser in the master branch.

Looks like commit 2ef2e27 deleted "modules\charon-core\src\main\java\org\wso2\charon\core\schema\SCIMEnterpriseUserSchemaExtension.java"

When testing it seems to be ignored.
Can we add it back or modify the readme.md file to remove references to it being supported?

Refer https://wso2.org/jira/browse/COMMONS-85

README suggests that get /schema is supported, but getting not implemented response.

I'm using library in my code and wanted to provide response for get /schema. It is returning 'not implemented'. UserManager.java under extensions package also suggest that it's not implemented.

default List<Attribute> getUserSchema() throws CharonException, NotImplementedException, BadRequestException {

    throw new NotImplementedException();
}

Could you please confirm?

according to RFC7644 chapter 3.4.2.2 filter values need to be surrounded by quotemarks

filter=userName eq "bjensen"

but charon rejects such a filter with the following error message:

{"responseStatus":400,"responseMessage":"{"schemas":"urn:ietf:params:scim:api:messages:2.0:Error","scimType":"InvalidFilter","detail":"Given filter operator is not supported.","status":"400"}","headerParamMap":{"Content-Type":"application/scim+json"}}

removing the quotemarks stops the error

Description:

Hi,
I do love your SCIM implementations and micro-services. But only urn:ietf:params:scim:schemas:core:2.0:User is implemented in charon-core. Do you plan to support urn:ietf:params:scim:schemas:extension:enterprise:2.0:User ?

Suggested Labels:

Suggested Assignees:

Affected Product Version:

OS, DB, other environment details and versions:

Steps to reproduce:

Related Issues:

Description:
SchemaResourceManager#get allows only attributes for User resource to be configured. Group resource is missing. According to the spec https://datatracker.ietf.org/doc/html/rfc7643#section-7 all the resources must be listed.

Affected Product Version:
3.3.38

Description:
DateTime handling ignores time zone.
Charon uses java.util.Date internally (which is alway a local zoned date). When parsing and formatting DateTime instances, the time zone is not handled.

To get a correct DateTime handling, charon must be run on a machine with system time zone set to UTC.

I suggest using the new java.time-API instead, e.g. use only java.time.Instant internally.

Suggested Labels:
Type/Bug

Affected Product Version:
3.0.27

Steps to reproduce:

    TimeZone.setDefault(TimeZone.getTimeZone("US/Hawaii"));
    Group group = new Group();
    group.setCreatedDate(new Date(0)); // Date equals 1970-01-01T00:00:00Z
    String json = new JSONEncoder().encodeSCIMObject(group);
    System.out.println(json);

Should print out:
{"meta":{"created":"1970-01-01T00:00:00Z"},"schemas":[]}
but instead prints out:
{"meta":{"created":"1969-12-31T14:00:00Z"},"schemas":[]}

When building the source I get below error.

[INFO] Scanning for projects...
[WARNING]
[WARNING] Some problems were encountered while building the effective model for org.wso2.charon:org.wso2.charon3.samples:jar:3.1.11-SNAPSHOT
[WARNING] 'build.plugins.plugin.version' for org.codehaus.mojo:build-helper-maven-plugin is missing. @ org.wso2.charon:org.wso2.charon3.samples:[unknown-version], /Users/maduranga/Documents/wso2/git/charon/modules/charon-samples/pom.xml, line 60, column 21
[WARNING]
[WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
[WARNING]
[WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
[WARNING]
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Build Order:
[INFO]
[INFO] WSO2 Charon - Parent                                               [pom]
[INFO] WSO2 Charon - Core                                              [bundle]
[INFO] WSO2 Charon - Utils                                                [jar]
[INFO] WSO2 Charon - impl                                                 [jar]
[INFO] WSO2 Charon - Samples                                              [jar]
[INFO]
[INFO] -------------------< org.wso2.charon:charon-parent >--------------------
[INFO] Building WSO2 Charon - Parent 3.1.11-SNAPSHOT                      [1/5]
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] --- maven-clean-plugin:3.0.0:clean (default-clean) @ charon-parent ---
[INFO] Deleting /Users/maduranga/Documents/wso2/git/charon/target
[INFO]
[INFO] --- maven-checkstyle-plugin:2.17:check (validate) @ charon-parent ---
[INFO] Starting audit...
Audit done.
[INFO]
[INFO] --- buildnumber-maven-plugin:1.4:create (default) @ charon-parent ---
[INFO] Executing: /bin/sh -c cd '/Users/maduranga/Documents/wso2/git/charon' && 'git' 'rev-parse' '--verify' 'HEAD'
[INFO] Working directory: /Users/maduranga/Documents/wso2/git/charon
[INFO] Storing buildNumber: d66165eb8a47454febba64893872e3e820c32fff at timestamp: 1550574191441
[INFO] Storing buildScmBranch: master
[INFO]
[INFO] --- maven-remote-resources-plugin:1.5:process (default) @ charon-parent ---
[INFO]
[INFO] >>> findbugs-maven-plugin:3.0.3:check (analyze-compile) > :findbugs @ charon-parent >>>
[INFO]
[INFO] --- findbugs-maven-plugin:3.0.3:findbugs (findbugs) @ charon-parent ---
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for WSO2 Charon - Parent 3.1.11-SNAPSHOT:
[INFO]
[INFO] WSO2 Charon - Parent ............................... FAILURE [  3.863 s]
[INFO] WSO2 Charon - Core ................................. SKIPPED
[INFO] WSO2 Charon - Utils ................................ SKIPPED
[INFO] WSO2 Charon - impl ................................. SKIPPED
[INFO] WSO2 Charon - Samples .............................. SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  4.864 s
[INFO] Finished at: 2019-02-19T16:33:12+05:30
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.codehaus.mojo:findbugs-maven-plugin:3.0.3:findbugs (findbugs) on project charon-parent: Unable to parse configuration of mojo org.codehaus.mojo:findbugs-maven-plugin:3.0.3:findbugs for parameter pluginArtifacts: Cannot assign configuration entry 'pluginArtifacts' with value '${plugin.artifacts}' of type java.util.Collections.UnmodifiableRandomAccessList to property of type java.util.ArrayList -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/PluginConfigurationException

This is a bug in the findbugs-maven-plugin 3.0.3 version and is fixed in 3.0.4. Refer this mail thread.

findbugs-maven-plugin is comming from the parent pom. At the moment we can fix the issue by overriding the property version in this repo.

Description:
SCIMSchemaDefinitions uses wrong type String for PRIMARY sub-attribute. Should be Boolean
https://github.com/wso2/charon/blob/master/modules/charon-core/src/main/java/org/wso2/charon3/core/schema/SCIMSchemaDefinitions.java

eg.
//A Boolean value indicating the 'primary' or preferred attribute value for this attribute
public static final SCIMAttributeSchema PHOTOS_PRIMARY =
SCIMAttributeSchema.createSCIMAttributeSchema(SCIMConstants.UserSchemaConstants.PHOTOS_PRIMARY_URI,
SCIMConstants.CommonSchemaConstants.PRIMARY,
SCIMDefinitions.DataType.STRING, false, SCIMConstants.UserSchemaConstants
.PHOTOS_PRIMARY_DESC, false, false,
SCIMDefinitions.Mutability.READ_WRITE, SCIMDefinitions.Returned.DEFAULT,
SCIMDefinitions.Uniqueness.NONE, null, null, null);

Should have SCIMDefinitions.DataType.BOOLEAN

IMS_PRIMARY
ENTITLEMENTS_PRIMARY
ROLES_PRIMARY
X509CERTIFICATES_PRIMARY

Are also affected

Description:
Charon trims leading and trailing spaces off of all STRING type attributes. This includes the password attribute of the User object, which implicitly changes the password that the user entered if it contains a leading or trailing space character.

There is nothing (in the RFC)[https://tools.ietf.org/html/rfc7643#section-2.3.1] that suggests that STRING type attributes ought to be trimmed.

Affected Product Version:
3.0.15

Steps to reproduce:
Here's a stack trace that demonstrates the problem:

• org.wso2.charon3.core.protocol.endpoints.UserResourceManager:140
• org.wso2.charon3.core.encoder.JSONDecoder:127
• org.wso2.charon3.core.encoder.JSONDecoder:191
• org.wso2.charon3.core.utils.AttributeUtil:64

we just noticed that the generated "location" attribute returned in the SCIM objects after a create-request do contain the wrong object-ID.

This happens because charon validates the created SCIM object that was sent by the client and generates the meta-attribute right on the fly in the validate-method. The problem here is, that the group object was not yet created by the "UserManager" implementation and therefore charon creates a random pseudo UUID as object ID and appends this ID to the location. The result is that we have to change the location attribute manually again. The creation of the meta-attribute MUST be executed after the actual element was created by the "UserManager" implementation and MUST use the ID attribute that was given to the SCIM object.

ServerSideValidator.validateCreatedSCIMObject(user, schema);
-> String id = UUID.randomUUID().toString();
-> scimObject.setId(id);

Description:
The User object in core does not model entitlements as a getter, yet it is part of the spec: https://tools.ietf.org/html/rfc7643#page-25. You can find ENTITLEMENTS modeled in SCIMSchemaDefinitions, but it's a very cumbersome way to get at them.

this might be a point of arguing but I am reading RFC7643 chapter 4.2

members
A list of members of the Group. While values MAY be added or
removed, sub-attributes of members are "immutable". The "value"
sub-attribute contains the value of an "id" attribute of a SCIM
resource, and the "$ref" sub-attribute must be the URI of a SCIM
resource such as a "User", or a "Group". The intention of the
"Group" type is to allow the service provider to support nested
groups. Service providers MAY require clients to provide a
non-empty value by setting the "required" attribute characteristic
of a sub-attribute of the "members" attribute in the "Group"
resource schema.

like this:

the "type" attribute of the multi-valued complex type may be present and can be used as an alternative to the "$ref" attribute. Like this a client could sent a value and the type telling us of which resource the member is without having to use the whole URL in the "$ref" attribute. So the "type" attribute should be added here as it is defined in the multi-valued-complex type definition in chapter 2.4, I think.

Description:
endpointURLMap is a static field on AbstractResourceManager. This makes impossible to properly process requests if the server publishes multiple SCIM endpoints, f.e.
localhost/scim/v2/companyA/Users and
localhost/scim/v2/companyB/Users
where each request is performed in a "company" context

Suggested Labels:
resources,url

Affected Product Version:
3.0.15

Steps to reproduce:
Try to implement UserManager in a way where requests for companies A and B are processed in isolation from each other.

the last releases are not available in maven central only in the wso2 repository. When can we expect the current releases to be available in maven central?

working with checked exception is really a pain in the a**... it makes working with java8 lambdas almost impossible...

Description:
The SCIM specification RFC 7643, chapter 3.3 states:

Except for the base object schema, the schema extension URI SHALL be used as
a JSON container to distinguish attributes belonging to the extension
namespace from base schema attributes. See Figure 5, which is an
example of the JSON representation of an enterprise User and is also
an example of a User with extended schema.

Currently the JSONEncoder and JSONDecoder do not handle this.

Suggested Labels:
Specification conformance, extension attributes

Affected Product Version:
v3.1.10

Steps to reproduce:

SCIMAttributeSchema attrSchema = SCIMAttributeSchema.createSCIMAttributeSchema(
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization",
"organization",
SCIMDefinitions.DataType.STRING,
false,
UserSchemaConstants.ORGANIZATION_DESC,
false,
false,
SCIMDefinitions.Mutability.READ_WRITE,
SCIMDefinitions.Returned.DEFAULT,
SCIMDefinitions.Uniqueness.NONE,
null,
null,
null);

SCIMSchemaDefinitions.SCIM_USER_SCHEMA.getAttributesList().add(attrSchema);
SCIMSchemaDefinitions.SCIM_USER_SCHEMA.getSchemasList().add("urn:ietf:params:scim:schemas:extension:enterprise:2.0:User");

User user = new User();
user.setSchemas();
user.setUserName("Mickey_Mouse");
SimpleAttribute attr = new SimpleAttribute(attrSchema.getName(), "Universal Studios");
DefaultAttributeFactory.createAttribute(attrSchema, attr);
user.setAttribute(attr);

JSONEncoder encoder = new JSONEncoder();
String encoded = encoder.encodeSCIMObject(user);
System.out.println(encoded);

JSONDecoder decoder = new JSONDecoder();
User decodeUser = decoder.decodeResource(encoded, SCIMSchemaDefinitions.SCIM_USER_SCHEMA, >new User());
Assertions.assertEquals(user, decodeUser);

The code above should print out:

{"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
"userName":"Mickey_Mouse",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User":{
"organization":"Universal Studios"
}}

Instead it prints out:

{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
"organization":"Universal Studios",
"userName":"Mickey_Mouse"}

Description:
The address object not compliant with RFC7643 section 4.1.2 where it is defined as a multivalued complex datatype.

The current release (and probably even older ones) realizes Address just as complex datatype. As such the other mandatory attributes such as value or display are omitted.

Affected Product Version:
Current carbon release.

OS, DB, other environment details and versions:
All OS
Steps to reproduce:
Take a look at https://tools.ietf.org/html/rfc7643#section-4.1.2

Description:

User.validate just returns false, and has comments saying it needs implemented, in the 2.x.x branch and the 2.1.3 release available via maven

Suggested Labels:
Type/Bug

Affected Product Version:
2.1.3, 2.x.x github branch

Steps to reproduce:
call validate on a user which should pass validation - false is always returned

Description:
When creating a user including address details using SCIM v2 APIs, the address details are not getting saved in the LDAP.

Affected Product Version:
SCIM v2.0 on Identity Server 5.3.0

Steps to reproduce:

1. Install SCIM v2 on IS 5.3.0
2. Create a user with address information

curl -v -k --user admin:admin --data '{"schemas":[],"name":{"familyName":"Liyanage","givenName":"Harshan"},"userName":"harshan","password":"harshan","emails":[{"primary":true,"value":"harshss@homecom","type":"home"},{"value":"harshssan_work.com","type":"work"}],"addresses":[{"value":"Pannipitiya","type":"work"},{"value":"Sri Lanka","type":"home","primary":true}]}' --header "Content-Type:application/json" https://localhost:9443/scim2/Users

Description:
The provided client samples just use huge JSON text blobs for objects, instead of using charon-core. As a developer, it would be very helpful to have examples which make use of charon-core for client implementations in the way the Readme suggests is intended.

In the meantime, does any documentation exist elsewhere for this use case?

Suggested Labels:
Type/Docs

Affected Product Version:
github master

Description:
/ResourceTypes return wrong content:

• every resource must on the top level of the response, e.g:

[
  {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
    "id": "User",
    ...
  },
  {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
    "id": "Group",
    ...
  }
]

but currently it looks like this:

{
    "Resources": [ // this is wrong parent object
        {
            "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
            "endpoint": "/Users",
        },
        {
            "schema": "urn:ietf:params:scim:schemas:core:2.0:Group",
            "endpoint": "/Groups",
        }
    ]
}

Specification
https://datatracker.ietf.org/doc/html/rfc7643#section-6

Affected Product Version:
3.4.10

Description:
When using the patch action to remove a single user from a group that contains several users (more than 1) - all group members get deleted

Affected Product Version:
3.3.33 and above

Steps to reproduce:

1. Create a single group
2. Create 2 separate users
3. Add both users to the group (created in step 1)
4. Remove one of of the users from the group via a patch action (example: {"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"Remove","path":"members","value": [{"value": ]}]}

Additional information
The problem seems to be in org.wso2.charon3.core.utils.PatchOperationUtil: in doPatchRemoveWithoutFilters- if the attribute path size is 1 - the entire attribute will be removed (oldResource.deleteAttribute(attributeName)).

Based on the SCIM 2.0 specification, Group's members attribute can have a sub-attribute called "type" with possible values of ("Group", "User") see:
https://tools.ietf.org/html/rfc7643#page-70

This sub-attribute is not registered in group schema , org.wso2.charon3.core.schema.SCIMSchemaDefinitions#SCIM_GROUP_SCHEMA , and therefore,
type attribute is not populated in Group object "charonGroup" in code snippet below:

    String groupJson = "{\n" +
            "     \"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:Group\"],\n" +
            "     \"displayName\": \"G1\",\n" +
            "     \"members\": [\n" +
            "       {\n" +
            "         \"value\": \"myUserID1495477819810\",\n" +
            "         \"$ref\":  \"http://example.scim.com:8080/SCIM/v2/Users/myUserID1495477819810\",\n" +
            "         \"type\":  \"User\"\n" +
            "       }\n" +
            "     ]\n" +
            "   }";
    SCIMResourceTypeSchema groupSchema = SCIMResourceSchemaManager.getInstance().getGroupResourceSchema();
    Group charonGroup = (Group) new JSONDecoder().decodeResource(groupJson, groupSchema, new Group());
    System.out.println(charonGroup);

Output:

displayName : G1,members:[{value : myUserID1495477819810,$ref : http://example.scim.com:8080/SCIM/v2/Users/myUserID1495477819810}]

Description:
I'm trying to use the org.wso2.charon:org.wso2.charon3.core:3.4.8 library, but while trying to build, it's failing because it can't find the referenced org.json.wso2:json:3.0.0.wso2v1 library. Is this a valid dependency? Should it be removed from the pom.xmls, or should you be publishing it to maven central?

Suggested Labels:

Suggested Assignees:

Affected Product Version:

OS, DB, other environment details and versions:

Steps to reproduce:

Related Issues:

If a userId is not found within the application and null is returned to charon we get a 204 response. This is not exactly correct. In case that a user is not present a 404 must be returned:

RFC7644 chapter 3.6

Service providers MAY
choose not to permanently delete the resource but MUST return a 404
(Not Found) error code for all operations associated with the
previously deleted resource

if the 404 would only be returned in case that the user is not deleted but marked inactive instead the client would get information about the implementation details. So a 404 response code MUST be returned.

Hi WSO2 team!

I've been evaluating Charon-core for use in a project, and while most everything is looking great so far, I have one concern. I noticed that the interfaces for UserManager, as well as the user and group endpoints, seem to force mutual exclusion across the different query parameters. The sample implementation in Charon-impl reinforces this (e.g. I can call GET /users with both the attributes and sortby query parms, but only the attributes parm would be honored).

Am I misunderstanding the code or the SCIM spec, or is there something else I am missing? My understanding of SCIM queries is that I should be able to perform a search using any subset of the four capabilities (filter, attribute, sort, paginate).

Thanks, and keep up the good work with Charon and Identity Server!

When trying to create a user on the default Charon3 implementation, using the following curl command

curl -v --data '{"schemas":[],"name":{"familyName":"jayawardana","givenName":"vindula"},"userName":"vindula","password":"vindula","emails":[{"value":"[email protected]","type":"work"}]}' --header "Content-Type:application/scim+json" http://localhost:8080/scim/v2/Users

I get the following response

100 533 0 161 100 372 0 1 0:06:12 0:06:07 0:00:05 34{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Schema not present for attribute urn:ietf:params:scim:schemas:core:2.0:meta","status":"500"}

The error is caused by the UserResourceManager.create function, where it, for some reason, fails to add urn:ietf:params:scim:schemas:core:2.0:meta and urn:ietf:params:scim:schemas:core:2.0:id to the schemas of the user object.

Some workarounds I've tried:

I've tried adding the missing schemas to SCIMSchemaDefinitions.SCIM_USER_SCHEMA, and it fixes the issue, but I don't think this is an ideal solution.

Another soltuion was to change the createMetaAttribute() function inside AbstractSCIMObject to the following

protected void createMetaAttribute() throws CharonException, BadRequestException {
        ComplexAttribute metaAttribute =
                (ComplexAttribute) DefaultAttributeFactory.createAttribute(
                        SCIMSchemaDefinitions.META,
                        new ComplexAttribute(SCIMConstants.CommonSchemaConstants.META));
        if (isMetaAttributeExist()) {
            String error = "Read only meta attribute is tried to modify";
            throw new CharonException(error);
        } else {
            attributeList.put(SCIMConstants.CommonSchemaConstants.META, metaAttribute);
            schemaList.add(SCIMSchemaDefinitions.META.getURI());
        }
    }

Which also fixed the issue

Description:
Hi,
I've recently installed scim2 on wso2 api manager v3.2.0 in docker. To do so I just copied everything was needed from a wso2 identity server (v5.10.0) installation on docker to the wso2 api manager container.
Specifically I've moved scim2.war, org.wso2.carbon.identity.scim2.common-1.1.19.jar and org.wso2.charon3.core-3.0.7.jar to the relative locations from wso2is to wso2am.
When I do POST requests, like creating a user or a group, I have no issue whatsoever. But when I try to do a GET request I always get Status 500 - Internal Server Error response.
Logging wso2am container this is the error I get when issuing such request https://<host>:9443/scim2/Groups?filter=displayName+eq+Internal/creator

[2021-08-03 13:58:25,603] ERROR - [SCIM2Servlet] Servlet.service() for servlet [SCIM2Servlet] in context with path [/scim2] threw exception
org.apache.cxf.interceptor.Fault: 'org.wso2.charon3.core.protocol.SCIMResponse org.wso2.charon3.core.protocol.endpoints.GroupResourceManager.listWithGET(org.wso2.charon3.core.extensions.UserManager, java.lang.String, java.lang.Integer, java.lang.Integer, java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String)'
        at org.apache.cxf.service.invoker.AbstractInvoker.createFault(AbstractInvoker.java:162) ~[cxf-core-3.2.8.jar:3.2.8]
        at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:128) ~[cxf-core-3.2.8.jar:3.2.8]
        at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:193) ~[cxf-rt-frontend-jaxrs-3.2.8.jar:3.2.8]
        at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:103) ~[cxf-rt-frontend-jaxrs-3.2.8.jar:3.2.8]
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59) ~[cxf-core-3.2.8.jar:3.2.8]
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96) ~[cxf-core-3.2.8.jar:3.2.8]
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) ~[cxf-core-3.2.8.jar:3.2.8]
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) ~[cxf-core-3.2.8.jar:3.2.8]
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:225) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:634) ~[tomcat-servlet-api_9.0.31.wso2v1.jar:?]
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276) ~[cxf-rt-transports-http-3.2.8.jar:3.2.8]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) ~[tomcat_9.0.31.wso2v1.jar:?]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat_9.0.31.wso2v1.jar:?]
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) ~[tomcat_9.0.31.wso2v1.jar:?]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat_9.0.31.wso2v1.jar:?]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat_9.0.31.wso2v1.jar:?]
        at org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter.doFilter(ContentTypeBasedCachePreventionFilter.java:53) ~[org.wso2.carbon.ui_4.6.0.jar:?]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat_9.0.31.wso2v1.jar:?]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat_9.0.31.wso2v1.jar:?]
        at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126) ~[tomcat_9.0.31.wso2v1.jar:?]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat_9.0.31.wso2v1.jar:?]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat_9.0.31.wso2v1.jar:?]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) [tomcat_9.0.31.wso2v1.jar:?]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat_9.0.31.wso2v1.jar:?]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:666) [tomcat_9.0.31.wso2v1.jar:?]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat_9.0.31.wso2v1.jar:?]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat_9.0.31.wso2v1.jar:?]
        at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:86) [org.wso2.carbon.identity.context.rewrite.valve_1.4.0.jar:?]
        at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:102) [org.wso2.carbon.identity.authz.valve_1.4.0.jar:?]
        at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:125) [org.wso2.carbon.identity.auth.valve_1.4.0.jar:?]
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99) [org.wso2.carbon.tomcat.ext_4.6.0.jar:?]
        at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49) [org.wso2.carbon.tomcat.ext_4.6.0.jar:?]
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62) [org.wso2.carbon.tomcat.ext_4.6.0.jar:?]
        at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:145) [org.wso2.carbon.tomcat.ext_4.6.0.jar:?]
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690) [tomcat_9.0.31.wso2v1.jar:?]
        at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57) [org.wso2.carbon.tomcat.ext_4.6.0.jar:?]
        at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:124) [org.wso2.carbon.tomcat.ext_4.6.0.jar:?]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat_9.0.31.wso2v1.jar:?]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat_9.0.31.wso2v1.jar:?]
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373) [tomcat_9.0.31.wso2v1.jar:?]
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat_9.0.31.wso2v1.jar:?]
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) [tomcat_9.0.31.wso2v1.jar:?]
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590) [tomcat_9.0.31.wso2v1.jar:?]
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat_9.0.31.wso2v1.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat_9.0.31.wso2v1.jar:?]
        at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: java.lang.NoSuchMethodError: 'org.wso2.charon3.core.protocol.SCIMResponse org.wso2.charon3.core.protocol.endpoints.GroupResourceManager.listWithGET(org.wso2.charon3.core.extensions.UserManager, java.lang.String, java.lang.Integer, java.lang.Integer, java.lang.String, java.lang.String, java.lang.String, java.lang.String, java.lang.String)'
        at org.wso2.carbon.identity.scim2.provider.resources.GroupResource.processRequest(GroupResource.java:467) ~[classes/:?]
        at org.wso2.carbon.identity.scim2.provider.resources.GroupResource.getGroup(GroupResource.java:315) ~[classes/:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
        at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:179) ~[cxf-core-3.2.8.jar:3.2.8]
        at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96) ~[cxf-core-3.2.8.jar:3.2.8]
        ... 52 more

How can I solve this? This only happens with GET requests, but with POST ones it works fine.

Suggested Labels:

Suggested Assignees:

Affected Product Version:

OS, DB, other environment details and versions:

Steps to reproduce:

Related Issues:

Refer https://wso2.org/jira/browse/COMMONS-115

when trying to use a filter on the current request the result seems to be completely ignored. For example I got a test database containing 4 test-users. when adding the filter:

filter=userName eq Pascal
(wrong syntax, please see: issue: #116 )

the result is completely ignored and all 4 users are returned

Description:
Charon is currently claiming to be available under the Apache 2 License. However, there two issues with this:

1. Its dependencies files are largely out of date and not a true reflection of the dependencies actually required at runtime.
2. Many of the dependencies are not under the Apache 2 License, or don't have a license at all.

Some simple examples:
/org.wso2.charon3.impl-3.1.30/META-INF/DEPENDENCIES references net.jcip:jcip-annotations - which is unlicensed and doesn't seem to be required at all
/org.wso2.charon3.impl-3.1.30/META-INF/DEPENDENCIES references com.google.code.findbugs:jsr305 - but this is not required at runtime; at best it is a compile or test component

Suggested Labels:
bug, licenses, dependencies

Affected Product Version:
3.1.30

OS, DB, other environment details and versions:
N/A

Steps to reproduce:
N/A

Related Issues:

Description:
When performing a Patch replace operation with extended schema attributes in
https://github.com/wso2/charon/blob/master/modules/charon-core/src/main/java/org/wso2/charon3/core/utils/PatchOperationUtil.java

PatchOperationUtil.doPatchReplaceOnResource line 2453

Attribute subSubAttribute = oldAttribute.getSubAttribute
(subAttrib.getKey()).getSubAttribute(subSubAttrb.getKey());

The subSubAttribute is set to the oldAttribute value rather than the value in attributeHoldingSCIMObject which is the updated version of the attribute.

I've fixed this in my own code base by replacing the above line with the following;
Attribute subSubAttribute = subSubAttrb.getValue();

Steps to reproduce:
Given a User representation

{
    "emails": [
        {
            "type": "work",
            "value": "[email protected]",
            "primary": true
        }
    ],
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
    ],
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "relyingParty": {
            "user_type": ["business"]
        }
    }
}

And a Patch Operation Request

{
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
	"Operations":[
    {
        "op":"replace",
        "value": {
            "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        		"relyingParty": {
            		"user_type": ["marketing"]
        		}
    		}
	    }
    }]
}

The resulting Response returns "business" for the user_type value rather than marketing.

Related Issues:

Description:
According to the spec, value of the patch operation can be either an object or an array. If Add operation contains an array as the value, the attempt to decode the value fails due to the direct cast to JSONObject. Found when working with Azure AD SCIM integration.

Suggested Labels:
patch, crash

Affected Product Version:
3.0.15

Steps to reproduce:
This is a PATCH operation that Azure AD sends to a SCIM Users endpoint
{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],"Operations":[{"op":"Add","path":"department","value":[{"$ref":null,"value":"Engineering"}]}]}

Related Issues:

Description:
I've been experimenting with https://github.com/wso2-incubator/scim2-compliance-test-suite

and it generated an error for me that appears to not match the SCIM 2.0 spec, RFC7643

wso2-incubator/scim2-compliance-test-suite#11

The test result suggests that the response to GET /ServiceProviderConfig is missing a value for authenticationSchems.specURI. According to the spec, the field name should be specUri. It is also not required.

Suggested Labels:

Affected Product Version:
3.0.0 / 3.0.7

Related Issues:
wso2-incubator/scim2-compliance-test-suite#11

Description:
In org.wso2.charon3.core.encoder.JSONDecoder there is a method decodeBulkData for decoding BulkRequestData but no one for decoding a BulkResponseData. Clients using the bulk operation need to implement such a method by their own. I am wondering if you would enhance the JSONDecode by that feature.

Suggested Labels:

Suggested Assignees:

Affected Product Version:

OS, DB, other environment details and versions:

Steps to reproduce:

Related Issues:

Refer https://wso2.org/jira/browse/COMMONS-90

Accoding to RFC7643 chapter 2.5 null values in the json request are allowed. But sending them results in Http status code 400 for invalid json syntax

2.5 Unassigned and Null Values

Unassigned attributes, the null value, or an empty array (in the case
of a multi-valued attribute) SHALL be considered to be equivalent in
"state". Assigning an attribute with the value "null" or an empty
array (in the case of multi-valued attributes) has the effect of
making the attribute "unassigned". When a resource is expressed in
JSON format, unassigned attributes, although they are defined in
schema, MAY be omitted for compactness.

When timestamp string without offset is passed as an attribute value Charon throws an exception causing following issues at scim 2.0 inbound provisioning connector

• wso2/product-is#5117
• wso2/product-is#5119
• wso2/product-is#5120

However, this works fine when timestamp value contains an offset component

Affected Version: 5.8.0-beta3

Description:
It looks like schemaExtensions within ResourceType should be an array - i.e. multiValued = true - as the example in the spec shows:

    https://tools.ietf.org/html/rfc7644#page-75

I assume this means that the code in SCIMSchemaDefinitions should be changed below as follows (and any other code that manipulates schema extensions will need to be changed to match):

    public static final SCIMAttributeSchema SCHEMA_EXTENSIONS =
            SCIMAttributeSchema.createSCIMAttributeSchema(
                    SCIMConstants.ResourceTypeSchemaConstants.SCHEMA_EXTENSIONS_URI,
                    SCIMConstants.ResourceTypeSchemaConstants.SCHEMA_EXTENSIONS,
                    SCIMDefinitions.DataType.COMPLEX, **_true_**,
                    SCIMConstants.ResourceTypeSchemaConstants.SCHEMA_EXTENSIONS_DESC, true, false,
                    SCIMDefinitions.Mutability.READ_ONLY, SCIMDefinitions.Returned.DEFAULT,
                    SCIMDefinitions.Uniqueness.NONE, null, null,
                    new ArrayList<SCIMAttributeSchema>(Arrays.asList(SCHEMA_EXTENSION_SCHEMA,
                            SCHEMA_EXTENSION_REQUIRED)));

Suggested Labels:

Suggested Assignees:

Affected Product Version:

OS, DB, other environment details and versions:

Steps to reproduce:
Running the tests at https://github.com/wso2-incubator/scim2-compliance-test-suite fails (also because it is not looking for an array of values as mentioned in the below issue).

Related Issues:
wso2-incubator/scim2-compliance-test-suite#12

Description:
PathcOperationUtil.doPatchAdd "loses" the value for the selection filter and hence the entire patch action fails. This happens when adding a new attribute. When replacing an attribute value (via "add" or "replace") - the old selection filter is used instead of the new one (from the request).

Affected Product Version:
3.3.33 and above

Steps to reproduce:

1. Create a single user
2. Update a multi value attribute for that user with a patch request that contains a selection filter. For example:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
        {
            "op": "Add",
            "path": "emails[type eq \"work\"].value",
            "value": "[email protected]"
        }
   ]
}

Description:
JSONDecoder.decodeResource currently returns a SCIMObject, but can be made much more type-safe without further code changes - public <T extends AbstractSCIMObject> T decodeResource(String scimResourceString, ResourceTypeSchema resourceSchema, T scimObject)

Affected Product Version:
master, 3.0.x, and 2.x.x branches

Description:
The schema definition for the resource type (SCIMSchemaDefinitions.SCIM_RESOURCE_TYPE_SCHEMA) gets the wrong schemas attribute on creation. According to the specification rfc7643 section 6 the resource type resource should be identified by the schema uri "urn:ietf:params:scim:schemas:core:2.0:ResourceType". This value is saved as SCIMConstants.RESOURCE_TYPE_SCHEMA_URI, but used in the SchemaDefinition is LISTED_RESOURCE_CORE_SCHEMA_URI.

Suggested Labels:
Bug

Affected Product Version:
3.0.30

Steps to reproduce:

SCIMResourceTypeSchema resourceSchema = SCIMResourceSchemaManager
                                                                                                 .getInstance()
                                                                                                 .getResourceTypeResourceSchema();
System.out.println(resourceSchema.getSchemasList().get(0));

Should print out:
urn:ietf:params:scim:schemas:core:2.0:ResourceType
But instead prints out:
urn:ietf:params:scim:api:messages:2.0:ListResponse

Description:
Build with current Maven version 3.8.1 has issues as http access seems to be blocked by default.

Suggested Labels:

Suggested Assignees:

Affected Product Version:
current
windows 10 latest, java 8

Steps to reproduce:
build with maven standard 3.8.1

Related Issues:

RFC7643 describes the member attribute as follows

members
A list of members of the Group. While values MAY be added or
removed, sub-attributes of members are "immutable". The "value"
sub-attribute contains the value of an "id" attribute of a SCIM
resource, and the "$ref" sub-attribute must be the URI of a SCIM
resource such as a "User", or a "Group". The intention of the
"Group" type is to allow the service provider to support nested
groups. Service providers MAY require clients to provide a
non-empty value by setting the "required" attribute characteristic
of a sub-attribute of the "members" attribute in the "Group"
resource schema.

the problem in charon is that when the getMembers() method is called only a list with the values will be returned leaving the developer in the dark if the ID reference is another group, a user or any other resource.
It is possible to validate it by hand by using the method getAttributeList() but a helper sub-class in the groups class would be helpful here resolving the different values into member-objects.

Description:
Replacing a single attribute in a multi-valued complex attribute (i.e. address) results in data lost. All the sub-attributes of that multi-valued complex attribute will be deleted (apart of the single attribute that is being replaced).

Affected Product Version:
3.3.33 and above

Steps to reproduce:
Given a User representation

{
    "addresses": [
        {
            "postalCode": "55555",
            "locality": "New York",
            "region": "NY",
            "type": "work"
            "primary": true
        }
    ],
    "meta": {
        "lastModified": "2021-03-30T15:36:43.132Z"
    },
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "id": "USER:89559d76-e1ce-42b4-8f44-b1e2835a6505"   
}

And a Patch Operation Request

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
       {
            "op": "replace",
            "path": "addresses[type eq \"work\"].postalCode",
            "value": "44444"
        }
    ]
}

Will result in a user with the following representation:

{
    "addresses": [
        {
            "postalCode": "44444",
            "type": "work"
            "primary": true
        }
    ],
    "meta": {
        "lastModified": "2021-03-30T15:36:43.132Z"
    },
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "id": "USER:89559d76-e1ce-42b4-8f44-b1e2835a6505"   
}

Please note that addresses.locality and addresses.region are no longer exist

Related Issues:

Description:

I'm trying to check whether phone number existing in WSO2 IS or not. And the problem is when I provided a number as filter's value and response i got is "'{"schemas":"urn:ietf:params:scim:api:messages:2.0:Error","scimType":"InvalidFilter","detail":"Given filter operator is not supported.","status":"400"}'"

Suggested Labels:

Suggested Assignees:

Affected Product Version:

OS, DB, other environment details and versions:

Steps to reproduce:
POST :" response = requests.get(https://localhost:9443/scim2/Users?filter=phoneNumbers.value+Eq+\"%s\"' % (0912345, ), auth=('admin', 'admin'), verify=False)
and response it's what i'm mention above..
So, Please respond and help me so this issue, thank a lot!!
Related Issues:

For the following patch operation I get operation value type as JSONArray.

{
      "op": "add",
      "path": "members",
      "value": [{
        "value": "23a35c27-23d3-4c03-b4c5-6443c09e7173",
        "display": "[email protected]"
}

As result I get exception:

Caused by: java.lang.ClassCastException: org.json.JSONArray cannot be cast to org.json.JSONObject
at org.wso2.charon3.core.protocol.endpoints.GroupResourceManager.isDeleteAllUsersOperationFound(GroupResourceManager.java:698)
at org.wso2.charon3.core.protocol.endpoints.GroupResourceManager.updateWithPATCH(GroupResourceManager.java:653)