add an integration test for multiple users and groups

Author: david-crespo

nexus/tests/integration_tests/scim.rs

@@ -1993,3 +1993,195 @@ async fn test_scim_user_admin_group_priv_conflict(
     .await
     .expect("expected 200");
 }
+
+#[nexus_test]
+async fn test_scim_list_users_with_groups(cptestctx: &ControlPlaneTestContext) {
+    let client = &cptestctx.external_client;
+    let nexus = &cptestctx.server.server_context().nexus;
+    let opctx = OpContext::for_tests(
+        cptestctx.logctx.log.new(o!()),
+        nexus.datastore().clone(),
+    );
+
+    const SILO_NAME: &str = "saml-scim-silo";
+    create_silo(&client, SILO_NAME, true, shared::SiloIdentityMode::SamlScim)
+        .await;
+
+    grant_iam(
+        client,
+        &format!("/v1/system/silos/{SILO_NAME}"),
+        shared::SiloRole::Admin,
+        opctx.authn.actor().unwrap().silo_user_id().unwrap(),
+        AuthnMode::PrivilegedUser,
+    )
+    .await;
+
+    let created_token: views::ScimClientBearerTokenValue =
+        object_create_no_body(
+            client,
+            &format!("/v1/system/scim/tokens?silo={}", SILO_NAME),
+        )
+        .await;
+
+    // Create 5 users
+    let mut users = Vec::new();
+    for i in 1..=5 {
+        let user: scim2_rs::User = NexusRequest::new(
+            RequestBuilder::new(client, Method::POST, "/scim/v2/Users")
+                .header(http::header::CONTENT_TYPE, "application/scim+json")
+                .header(
+                    http::header::AUTHORIZATION,
+                    format!("Bearer oxide-scim-{}", created_token.bearer_token),
+                )
+                .allow_non_dropshot_errors()
+                .raw_body(Some(
+                    serde_json::to_string(&serde_json::json!({
+                        "userName": format!("user{}", i),
+                        "externalId": format!("user{}@example.com", i),
+                    }))
+                    .unwrap(),
+                ))
+                .expect_status(Some(StatusCode::CREATED)),
+        )
+        .execute_and_parse_unwrap()
+        .await;
+        users.push(user);
+    }
+
+    // Create 3 groups with various membership patterns:
+    // - group1: user1, user2, user3
+    // - group2: user1, user4
+    // - group3: no members
+    let group1: scim2_rs::Group = NexusRequest::new(
+        RequestBuilder::new(client, Method::POST, "/scim/v2/Groups")
+            .header(http::header::CONTENT_TYPE, "application/scim+json")
+            .header(
+                http::header::AUTHORIZATION,
+                format!("Bearer oxide-scim-{}", created_token.bearer_token),
+            )
+            .allow_non_dropshot_errors()
+            .raw_body(Some(
+                serde_json::to_string(&serde_json::json!({
+                    "displayName": "group1",
+                    "externalId": "[email protected]",
+                    "members": [
+                        {"value": users[0].id},
+                        {"value": users[1].id},
+                        {"value": users[2].id},
+                    ],
+                }))
+                .unwrap(),
+            ))
+            .expect_status(Some(StatusCode::CREATED)),
+    )
+    .execute_and_parse_unwrap()
+    .await;
+
+    let group2: scim2_rs::Group = NexusRequest::new(
+        RequestBuilder::new(client, Method::POST, "/scim/v2/Groups")
+            .header(http::header::CONTENT_TYPE, "application/scim+json")
+            .header(
+                http::header::AUTHORIZATION,
+                format!("Bearer oxide-scim-{}", created_token.bearer_token),
+            )
+            .allow_non_dropshot_errors()
+            .raw_body(Some(
+                serde_json::to_string(&serde_json::json!({
+                    "displayName": "group2",
+                    "externalId": "[email protected]",
+                    "members": [
+                        {"value": users[0].id},
+                        {"value": users[3].id},
+                    ],
+                }))
+                .unwrap(),
+            ))
+            .expect_status(Some(StatusCode::CREATED)),
+    )
+    .execute_and_parse_unwrap()
+    .await;
+
+    let _group3: scim2_rs::Group = NexusRequest::new(
+        RequestBuilder::new(client, Method::POST, "/scim/v2/Groups")
+            .header(http::header::CONTENT_TYPE, "application/scim+json")
+            .header(
+                http::header::AUTHORIZATION,
+                format!("Bearer oxide-scim-{}", created_token.bearer_token),
+            )
+            .allow_non_dropshot_errors()
+            .raw_body(Some(
+                serde_json::to_string(&serde_json::json!({
+                    "displayName": "group3",
+                    "externalId": "[email protected]",
+                }))
+                .unwrap(),
+            ))
+            .expect_status(Some(StatusCode::CREATED)),
+    )
+    .execute_and_parse_unwrap()
+    .await;
+
+    // List all users and verify group memberships
+    let response: scim2_rs::ListResponse = NexusRequest::new(
+        RequestBuilder::new(client, Method::GET, "/scim/v2/Users")
+            .header(http::header::CONTENT_TYPE, "application/scim+json")
+            .header(
+                http::header::AUTHORIZATION,
+                format!("Bearer oxide-scim-{}", created_token.bearer_token),
+            )
+            .allow_non_dropshot_errors()
+            .expect_status(Some(StatusCode::OK)),
+    )
+    .execute_and_parse_unwrap()
+    .await;
+
+    let returned_users: Vec<scim2_rs::User> = serde_json::from_value(
+        serde_json::to_value(&response.resources).unwrap(),
+    )
+    .unwrap();
+
+    // Find our created users in the response
+    let find_user = |user_id: &str| {
+        returned_users
+            .iter()
+            .find(|u| u.id == user_id)
+            .expect("user should be in list")
+    };
+
+    // user1 should be in group1 and group2
+    let user1 = find_user(&users[0].id);
+    assert!(user1.groups.is_some());
+    let user1_groups = user1.groups.as_ref().unwrap();
+    assert_eq!(user1_groups.len(), 2);
+    let user1_group_ids: std::collections::HashSet<_> = user1_groups
+        .iter()
+        .map(|g| g.value.as_ref().unwrap().as_str())
+        .collect();
+    assert!(user1_group_ids.contains(group1.id.as_str()));
+    assert!(user1_group_ids.contains(group2.id.as_str()));
+
+    // user2 should be in group1 only
+    let user2 = find_user(&users[1].id);
+    assert!(user2.groups.is_some());
+    let user2_groups = user2.groups.as_ref().unwrap();
+    assert_eq!(user2_groups.len(), 1);
+    assert_eq!(user2_groups[0].value.as_ref().unwrap(), &group1.id);
+
+    // user3 should be in group1 only
+    let user3 = find_user(&users[2].id);
+    assert!(user3.groups.is_some());
+    let user3_groups = user3.groups.as_ref().unwrap();
+    assert_eq!(user3_groups.len(), 1);
+    assert_eq!(user3_groups[0].value.as_ref().unwrap(), &group1.id);
+
+    // user4 should be in group2 only
+    let user4 = find_user(&users[3].id);
+    assert!(user4.groups.is_some());
+    let user4_groups = user4.groups.as_ref().unwrap();
+    assert_eq!(user4_groups.len(), 1);
+    assert_eq!(user4_groups[0].value.as_ref().unwrap(), &group2.id);
+
+    // user5 should have no groups
+    let user5 = find_user(&users[4].id);
+    assert!(user5.groups.is_none());
+}