From 023be30cef36f30131650091f02a8bbe066f944b Mon Sep 17 00:00:00 2001 From: Victor Lyuboslavsky Date: Fri, 9 May 2025 09:27:23 -0500 Subject: [PATCH] Final fixes after testing with Entra ID. (#28987) For #28196 Demo video of the full feature: https://youtu.be/7PM41LBsnig # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality --- server/datastore/mysql/scim.go | 13 +++++++++++-- server/datastore/mysql/scim_test.go | 7 +++++++ server/worker/apple_mdm.go | 9 ++++++--- 3 files changed, 24 insertions(+), 5 deletions(-) diff --git a/server/datastore/mysql/scim.go b/server/datastore/mysql/scim.go index e71d41adea..ccfbdb6238 100644 --- a/server/datastore/mysql/scim.go +++ b/server/datastore/mysql/scim.go @@ -142,7 +142,16 @@ func (ds *Datastore) ScimUserByUserNameOrEmail(ctx context.Context, userName str return nil, notFound("scim user") } - // Try to find the user by email + // Now, try to find the user by using the email as the userName + user, err := ds.ScimUserByUserName(ctx, email) + switch { + case err == nil: + return user, nil + case !fleet.IsNotFound(err): + return nil, ctxerr.Wrap(ctx, err, "select scim user by userName") + } + + // Next, to find the user by email const query = ` SELECT scim_users.id, external_id, user_name, given_name, family_name, active, scim_users.updated_at 
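Review bot: The lookup precedence introduced here — exact `user_name` match on userName, then `user_name` match on the email argument, then the email table — is invisible to callers, and the function's doc comment sits above the hunk; state it there, e.g. `// ScimUserByUserNameOrEmail resolves a SCIM user by userName, then by treating email as the userName (IdPs such as Entra ID report the UPN/email there), and only then by matching the email table; the first hit wins.` The new comment `// Next, to find the user by email` is a fragment; `// Next, try to find the user by email` reads correctly. If an empty email can reach this point (the `return nil, notFound("scim user")` just above looks like that guard, but its condition is not visible), the new `ds.ScimUserByUserName(ctx, email)` call queries `user_name = ''`, so confirm the guard exists. The function starts before and ends after this hunk.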
@@ -152,7 +161,7 @@ func (ds *Datastore) ScimUserByUserNameOrEmail(ctx context.Context, userName str ` var users []fleet.ScimUser - err := sqlx.SelectContext(ctx, ds.reader(ctx), &users, query, email) + err = sqlx.SelectContext(ctx, ds.reader(ctx), &users, query, email) if err != nil { return nil, ctxerr.Wrap(ctx, err, "select scim user by email") } diff --git a/server/datastore/mysql/scim_test.go b/server/datastore/mysql/scim_test.go index 260cf0f80e..f9461f38c6 100644 --- a/server/datastore/mysql/scim_test.go +++ b/server/datastore/mysql/scim_test.go @@ -1599,6 +1599,13 @@ func testScimUserByUserNameOrEmail(t *testing.T, ds *Datastore) { assert.NotNil(t, err) assert.True(t, fleet.IsNotFound(err)) assert.Nil(t, user) + + // Test 7: Find user when email is used as userName + // This tests the case where the userName field contains an email address + user, err = ds.ScimUserByUserNameOrEmail(t.Context(), "nonexistent-username", "email-test-user1") + require.NoError(t, err) + assert.Equal(t, "email-test-user1", user.UserName) + assert.Equal(t, users[0].ID, user.ID) } func testScimUserReplaceValidation(t *testing.T, ds *Datastore) { diff --git a/server/worker/apple_mdm.go b/server/worker/apple_mdm.go index 26e1a7a731..0a2cdf379b 100644 --- a/server/worker/apple_mdm.go +++ b/server/worker/apple_mdm.go 
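Review bot: Test 7 exercises the new second lookup step only in isolation; the precedence it introduces is untested — add a case where the email argument is one user's `user_name` and also appears in another user's email table, asserting that the userName match wins (or whichever order is intended). The fixture value `email-test-user1` is not email-shaped, so the assertion relies on `users[0].UserName` being exactly that string (set up above the hunk, not visible here); a UPN-style fixture such as `user1@example.com` would match the comment's claim that the userName field contains an email address. testScimUserByUserNameOrEmail begins before this hunk.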
@@ -245,17 +245,20 @@ func (a *AppleMDM) getAppConfig(ctx context.Context, appConfig *fleet.AppConfig) } func (a *AppleMDM) getIdPDisplayName(ctx context.Context, acct *fleet.MDMIdPAccount, args appleMDMArgs) (string, error) { - if acct.Fullname != "" { + if acct.Fullname != "" && !strings.Contains(acct.Fullname, "@") { return acct.Fullname, nil } - // If full name is empty, see if it exists via SCIM integration + // If full name is empty or appears to be an email, see if it exists via SCIM integration scimUser, err := a.Datastore.ScimUserByUserNameOrEmail(ctx, acct.Username, acct.Email) switch { case err != nil && !fleet.IsNotFound(err): return "", ctxerr.Wrap(ctx, err, "getting scim user details for enroll reference %s and host_uuid %s", acct.UUID, args.HostUUID) case scimUser == nil: - return "", nil + return acct.Fullname, nil + } + if scimUser.DisplayName() == "" { + return acct.Fullname, nil } return scimUser.DisplayName(), nil }
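Review bot: The post-`switch` check on `scimUser.DisplayName() == ""` duplicates the nil case and calls `DisplayName()` twice; fold it into the switch as `case scimUser == nil || scimUser.DisplayName() == "": return acct.Fullname, nil` and drop the extra `if`. The `@` heuristic deserves a doc comment on getIdPDisplayName, since callers cannot tell that an email-looking full name is now overridden by SCIM: `// getIdPDisplayName returns acct.Fullname unless it is empty or looks like an email (Entra ID can report the UPN as the full name); in that case the SCIM display name is preferred and acct.Fullname remains the fallback.` The unchanged `ctxerr.Wrap(ctx, err, "... %s ...", acct.UUID, args.HostUUID)` context line passes a format string with trailing arguments — if `ctxerr.Wrap` takes plain message strings rather than a format (cannot be confirmed from the hunk), the `%s` verbs are never expanded and `ctxerr.Wrapf` is what is intended. The first context line of this hunk is the closing brace of the preceding getAppConfig function.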