Alias Handler for SCIM Users #2769
…into feature/alias-handler-for-scim-users
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/187191383 The labels on this github issue will be updated when the story is started.
…s-if-alias-feature-disabled' into feature/alias-handler-for-scim-users
…s-if-alias-feature-disabled' into feature/alias-handler-for-scim-users
…estamps from original user to alias user
Hi, as this PR is a stepping stone toward the overall "alias feature," and as it looks like the changes are limited to the specific code paths related to the feature, I would defer the approval of this PR to @strehle, in terms of judging 1) whether this PR accomplishes its goal, and 2) whether this PR has enough test coverage and user docs (if applicable). I'll also approve as well as long as our prior understanding of the "alias feature" is still true after this PR: that the functionality & performance of all the existing UAA features are not impacted (do not experience breaking changes / regressions) when the "alias feature" is not turned on (and the feature is off by default).
Approved with request to answer questions before merging.
final ScimUser existingAliasEntity | ||
) { | ||
// these three timestamps should not be overwritten by the timestamps of the original user | ||
newAliasEntity.setPasswordLastModified(existingAliasEntity.getPasswordLastModified()); |
This should be setPasswordLastModifiedTime to align to the naming of the two following Time setters.
The setters are already named consistently to the underlying fields in the class as well as its JSON representation (passwordLastModified does not end with "time", lastLogonTime and previousLogonTime do), see for example here:
uaa/model/src/main/java/org/cloudfoundry/identity/uaa/scim/impl/ScimUserJsonDeserializer.java
Line 92 in 091fbf2
} else if ("passwordLastModified".equalsIgnoreCase(fieldName)) {
I would therefore suggest to leave them as they are. What do you think?
Seems the naming inconsistency is more widespread, maybe this would be a good clean up following this PR.
newAliasEntity.setPasswordLastModified(existingAliasEntity.getPasswordLastModified()); | ||
newAliasEntity.setLastLogonTime(existingAliasEntity.getLastLogonTime()); | ||
newAliasEntity.setPreviousLogonTime(existingAliasEntity.getPreviousLogonTime()); | ||
} |
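Review bot: the only explanation in view for the three setters is the inline comment, which says what must not happen (overwriting with the original user's timestamps) but not which entity existingAliasEntity is. Suggest a Javadoc on the method stating that existingAliasEntity is the alias user as persisted before the update and newAliasEntity is the freshly built copy, so a reader does not take the source of these values to be the original user.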
Why are these setting the Time to the existingAliasEntity instead of "now" or even null for the 2 logon times - a new Alias should have its own timestamps. Setting them to the existingAlias seems it would be confusing when it was actually Modified or logged into.
This method is used for managing the fields that should differ between the "original" user and its alias, i.e., the properties of an alias that should be independent from the original user.
During updates, we build a copy of the original user and leave these three timestamps empty. After that, we call this method to overwrite the timestamps with the values from the version of the alias prior to the update.
Which one is it,
"the properties of an alias that should be independent from the original user."
which I agree with
But this seems contrary to keeping them independent:
"After that, we call this method to overwrite the timestamps with the values from the version of the alias prior to the update."
Sorry for the confusion in my explanation, I'll try again:
Let's say there is a user U in the "uaa" zone, which has an alias user A in the zone "custom". Whenever we perform an update on U, we persist the changes, which leads to a newer version U' with the changed properties.
Then, to propagate the changes also to the alias, we build a new clone of U', i.e., A'. This is done here:
uaa/server/src/main/java/org/cloudfoundry/identity/uaa/scim/ScimUserAliasHandler.java
Line 87 in f451e8e
protected ScimUser cloneEntity(final ScimUser originalEntity) {
However, as you correctly addressed, A' would now have the same timestamp values (last logon, password last modified and previous logon) as U', which is incorrect. Therefore, before persisting A', we look up the version of A' before the update, i.e., A, and overwrite the timestamp values of A' with the timestamp values of A.
This is done in the method of this GitHub conversation. The parameter newAliasEntity corresponds to A', while existingAliasEntity corresponds to A (and not to U or U', as you might have thought when asking the question).
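The update flow described in this comment, as an added Java example that is not UAA code: User is a simplified stand-in for ScimUser, and the field aliasZoneId, the helper user(...) and the method name keepAliasTimestamps are assumptions; only cloneEntity, aliasId and the three timestamp names appear on the page.

```java
public class AliasTimestampDemo {
    // Simplified stand-in for ScimUser (hypothetical, reduced to what the thread discusses).
    static class User {
        String id, zoneId, aliasId, aliasZoneId, givenName;
        Long passwordLastModified, lastLogonTime, previousLogonTime; // epoch millis
    }

    // Builds A' from U': synced properties are copied, the alias references point
    // back at the original, and the three alias-owned timestamps stay empty.
    static User cloneEntity(User original) {
        User alias = new User();
        alias.id = original.aliasId;
        alias.zoneId = original.aliasZoneId;
        alias.aliasId = original.id;
        alias.aliasZoneId = original.zoneId;
        alias.givenName = original.givenName;
        return alias;
    }

    // Carries the timestamps of A (the alias before the update) over to A'.
    static void keepAliasTimestamps(User newAlias, User existingAlias) {
        newAlias.passwordLastModified = existingAlias.passwordLastModified;
        newAlias.lastLogonTime = existingAlias.lastLogonTime;
        newAlias.previousLogonTime = existingAlias.previousLogonTime;
    }

    // Test-data helper (hypothetical).
    static User user(String id, String zone, String aliasId, String aliasZone,
                     String givenName, long pwdModified, long lastLogon, long prevLogon) {
        User u = new User();
        u.id = id; u.zoneId = zone; u.aliasId = aliasId; u.aliasZoneId = aliasZone;
        u.givenName = givenName; u.passwordLastModified = pwdModified;
        u.lastLogonTime = lastLogon; u.previousLogonTime = prevLogon;
        return u;
    }

    public static void main(String[] args) {
        // Constructed sample data: U lives in "uaa", its alias A in "custom".
        User a = user("a-1", "custom", "u-1", "uaa", "Ann", 100L, 300L, 200L);
        User uPrime = user("u-1", "uaa", "a-1", "custom", "Anna", 900L, 950L, 920L); // U after the update
        User aPrime = cloneEntity(uPrime);
        if (aPrime.lastLogonTime != null) throw new IllegalStateException("clone carries U' timestamps");
        keepAliasTimestamps(aPrime, a);
        boolean ok = "Anna".equals(aPrime.givenName) && "custom".equals(aPrime.zoneId)
                && aPrime.passwordLastModified == 100L && aPrime.lastLogonTime == 300L
                && aPrime.previousLogonTime == 200L;
        if (!ok) throw new IllegalStateException("alias timestamps were not preserved");
        System.out.println("A' givenName=" + aPrime.givenName + ", lastLogonTime=" + aPrime.lastLogonTime);
    }
}
```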
I would like to see 100 coverage on lines at least. Coverage on all conditions might be hard, but we should have tests with a meaning on all code lines.
Tests are like a technical specification, they later help to understand the code
…ture enabled, no IdP exists for original user
…ture enabled, IdP of original user has empty aliasId
@adrianhoelzl-sap please cleanup PR, see Rest is ok
@strehle This link is not showing no results for me:
there were updates and now smells are solved
@Tallicia do you have open issues here?
I merge this PR as all questions seem to be addressed and two approvals exist.
see issue #2505
Preparation for alias feature for SCIM users; adds subclass of EntityAliasHandler that handles alias entities of SCIM users.
Prerequisites: