
bug: Cannot sync groups and their members

Open dalepaul-RL opened this issue 2 years ago • 1 comments

Describe the bug
Error when trying to sync users and groups. The users import, as do the groups. However, during the add-members-to-groups phase a fatal error is returned. Version: v0.0.14

To Reproduce
CloudWatch trace logs for a sample request

{ "idp": 2, "level": "info", "msg": "reconciling groups members", "scim": 2, "time": "2022-09-02T17:05:53Z" }

{ "level": "warning", "msg": "joining users to groups", "quantity": 2, "time": "2022-09-02T17:05:53Z" }

{ "body": null, "level": "trace", "method": "GET", "msg": "aws newRequest: request", "path": "/xxxxxxxxxxxxxxxxx/scim/v2/Users", "query": "filter=userName+eq+%22first.last%40example.com%22", "time": "2022-09-02T17:05:53Z", "url": "https://scim.us-east-1.amazonaws.com/xxxxxxxxxxxxxxxxx/scim/v2/Users?filter=userName+eq+%22first.last%40example.com%22" }

{ "body": "{"totalResults":1,"itemsPerPage":1,"startIndex":1,"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"Resources":[{"id":"xxxxxxxxxxxxxxxxx","externalId":"xxxxxxxxxxxxxxxxx","meta":{"resourceType":"User","created":"2022-09-02T16:56:28Z","lastModified":"2022-09-02T16:56:28Z"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"[email protected]","name":{"familyName":"Last","givenName":"First "},"displayName":"First Last","active":true,"emails":[{"value":"[email protected]","type":"work","primary":true}]}]}", "level": "trace", "msg": "aws GetUserByUserName: response raw body data", "time": "2022-09-02T17:05:53Z" }

Error: cannot sync groups and their members: error doing the first sync: error reconciling groups members: error creating groups members in SCIM provider: scim: error getting user by email: aws GetUserByUserName: userName: [email protected], error decoding response body: EOF

Expected behavior
User would be added to group

Additional context
There appears to be an error when parsing the JSON response data in module pkg/aws/scim.go, around line 500.

Note: This had been working earlier this week, but started throwing this error. I tried deleting the state file with no luck (the state file does not get recreated due to the failed run). Deleted the entire CF stack and recreated it with no resolution. I don't see anything wrong with the response JSON, so I don't know why it would suddenly be throwing the EOF error, unless Google suddenly has a problem.

dalepaul-RL avatar Sep 02 '22 20:09 dalepaul-RL

Hi @dalepaul-RL, let me check this.

Unfortunately, your log doesn't tell too much. I need to understand how to replicate this in my environment, so could you help me do that?

I do several manual tests before releasing a new version; I create, change, delete, etc. users and groups on both sides, but I need a clue to understand your error better.

I need to understand if this is a corner case. What you did is always good, I mean deleting the state file and trying to recreate this again as a first sync.

There are corner cases when you change the user or group in the source (Google) and then back to the previous state, all of this between sync runs (usually 10/15 min). I fixed the case when you change the user email (primary key for users) and group name (primary key for groups) in the source (Google).

Did you change any of these users or groups at some moment? Or do you have an idea of what could generate your error?

christiangda avatar Sep 03 '22 12:09 christiangda

Christian, as mentioned in my prior post, a fresh sync adds the users and the groups OK, but fails on the very first user every time when attempting to process the return results from the request:

"url": "https://scim.us-east-1.amazonaws.com/xxxxxxxxxxxxxxxxx/scim/v2/Users?filter=userName+eq+%22first.last%40example.com%22"

return result:

{ "body": "{"totalResults":1,"itemsPerPage":1,"startIndex":1,"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],"Resources":[{"id":"xxxxxxxxxxxxxxxxx","externalId":"xxxxxxxxxxxxxxxxx","meta":{"resourceType":"User","created":"2022-09-02T16:56:28Z","lastModified":"2022-09-02T16:56:28Z"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"[email protected]","name":{"familyName":"Last","givenName":"First "},"displayName":"First Last","active":true,"emails":[{"value":"[email protected]","type":"work","primary":true}]}]}", "level": "trace", "msg": "aws GetUserByUserName: response raw body data", "time": "2022-09-02T17:05:53Z" }

The error is occurring when parsing the JSON "Resources", which returns an EOF error. Just from a code reading, this would indicate that the JSON is malformed in some manner, but it is not.

The user and group SCIM IDs and ExternalIDs are all the same, so there isn't a possibility that those IDs changed, as indicated in one of your earlier issue responses.

If you are unable to figure this out in your environment, then I will have to clone your repo and troubleshoot this more for you. As mentioned before, I have completely deleted and reinstalled the Lambda CF stack, all users and groups, all state, and also recreated my Identity Center SCIM, with no results. This was working fine, until one day it was not. It suddenly stopped creating group members. I do not know at this time whether this was due to a code change in AWS or Google (but that is possible).

I will go ahead and clone your repo and attempt to troubleshoot this myself if you are not able to recreate.

dalepaul-RL avatar Sep 05 '22 15:09 dalepaul-RL

Figured out the problem. While I was correct about the problem being a parser error, it was caused by a user who has a primary username of "[email protected]" and a secondary email of "[email protected]". The Google user group was using his secondary email address for his membership. This caused the error in the addusernametogroup function when it could not reconcile the user by email address properly.

I suspect that this happened when our IT allowed him to use the shorter email address and changed it. However, our AWS groups were configured using his older (secondary), longer email. Apparently, adding members to groups in Google will accept any alternate email, whereas SCIM uses just the primary.

I will consider this a false report, so it can be closed. I do wish your app was a little more robust in the event of an email being changed, and would print a warning rather than just failing with a fatal error. Since no state file is produced in the latter case, it makes it hard to diagnose.

Thank you for your time

dalepaul-RL avatar Sep 05 '22 18:09 dalepaul-RL
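The thread resolves to two separable problems: a member lookup that fails because the group references a secondary e-mail while SCIM filters on the primary userName, and a bare "error decoding response body: EOF" that hides what actually went wrong. The following is an added example, not code from idp-scim-sync, showing how a member-resolution step can handle both: an empty body from a Go json.Decoder surfaces as io.EOF and is reported descriptively, and a member that only matches a secondary address (or nothing at all) produces a warning instead of aborting the sync. The types, the in-memory index that stands in for the SCIM provider, and the sample ListResponse and e-mail addresses are all assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// scimUser is the subset of a SCIM 2.0 User resource this example needs.
// Assumed shape for the example; not the project's own type.
type scimUser struct {
	ID       string `json:"id"`
	UserName string `json:"userName"`
	Emails   []struct {
		Value   string `json:"value"`
		Primary bool   `json:"primary"`
	} `json:"emails"`
}

// listResponse is the SCIM ListResponse envelope returned by GET /Users?filter=...
type listResponse struct {
	TotalResults int        `json:"totalResults"`
	Resources    []scimUser `json:"Resources"`
}

// decodeListResponse parses a /Users list body. json.Decoder returns a bare
// io.EOF when the body is empty, which reads exactly like the log line
// "error decoding response body: EOF"; here that case gets a descriptive error.
func decodeListResponse(body io.Reader) (*listResponse, error) {
	var lr listResponse
	if err := json.NewDecoder(body).Decode(&lr); err != nil {
		if errors.Is(err, io.EOF) {
			return nil, errors.New("scim: empty response body, no ListResponse to decode")
		}
		return nil, fmt.Errorf("scim: malformed ListResponse: %w", err)
	}
	return &lr, nil
}

// memberResolver stands in for the SCIM provider's user lookup (assumed, in-memory).
// SCIM filters by userName (the primary address), so a lookup by a secondary
// e-mail finds nothing; a second map over emails[] recovers such members.
type memberResolver struct {
	byUserName map[string]scimUser
	byAnyEmail map[string]scimUser
}

func newMemberResolver(users []scimUser) *memberResolver {
	r := &memberResolver{
		byUserName: map[string]scimUser{},
		byAnyEmail: map[string]scimUser{},
	}
	for _, u := range users {
		r.byUserName[strings.ToLower(u.UserName)] = u
		for _, e := range u.Emails {
			r.byAnyEmail[strings.ToLower(e.Value)] = u
		}
	}
	return r
}

// resolve maps group-member e-mails to SCIM user ids. A member listed under a
// secondary address resolves via emails[] with a warning; an address that
// matches nothing is skipped with a warning instead of aborting the whole sync.
func (r *memberResolver) resolve(memberEmails []string) (ids []string, warnings []string) {
	for _, m := range memberEmails {
		key := strings.ToLower(m)
		if u, ok := r.byUserName[key]; ok {
			ids = append(ids, u.ID)
			continue
		}
		if u, ok := r.byAnyEmail[key]; ok {
			ids = append(ids, u.ID)
			warnings = append(warnings, fmt.Sprintf("member %q matched only a secondary e-mail of userName %q", m, u.UserName))
			continue
		}
		warnings = append(warnings, fmt.Sprintf("member %q not found in SCIM provider, skipped", m))
	}
	return ids, warnings
}

// sampleBody is a constructed ListResponse in the shape of the one quoted in the issue.
const sampleBody = `{"totalResults":1,"itemsPerPage":1,"startIndex":1,
"schemas":["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
"Resources":[{"id":"u-1","userName":"first.last@example.com",
"emails":[{"value":"first.last@example.com","type":"work","primary":true},
{"value":"first.middle.last@example.com","type":"work","primary":false}]}]}`

func main() {
	lr, err := decodeListResponse(strings.NewReader(sampleBody))
	if err != nil {
		fmt.Println("fatal:", err)
		return
	}
	r := newMemberResolver(lr.Resources)
	// Group membership as the source directory would export it: one secondary address, one unknown.
	ids, warns := r.resolve([]string{"first.middle.last@example.com", "nobody@example.com"})
	fmt.Println("resolved ids:", ids)
	for _, w := range warns {
		fmt.Println("warning:", w)
	}
	_, err = decodeListResponse(strings.NewReader(""))
	fmt.Println("empty body:", err)
}
```

Running it resolves the secondary-address member to "u-1" with a warning, skips the unknown address with a second warning, and reports the empty body as such rather than as a bare EOF; the sync loop can then continue and still write its state file.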

Thank you @dalepaul-RL, I'll try to handle this corner case too.

christiangda avatar Sep 06 '22 17:09 christiangda