Adds validation of internal vs external addresses when exporting member changes

ryannewington · ryannewington · commit a2f62cf1d2fe · 2016-10-31T08:35:03.000+11:00
Fixes an issue where a missing member on a group is reported as a missing csentry in the FIM UI
diff --git a/src/Lithnet.GoogleApps.MA.Setup/Product.wxs b/src/Lithnet.GoogleApps.MA.Setup/Product.wxs
@@ -3,7 +3,7 @@
   <Product Id="*"
            Name="Lithnet GoogleApps Management Agent"
            Language="1033"
-           Version="1.1.6145"
+           Version="1.1.6148"
            Manufacturer="Lithnet"
            UpgradeCode="3410d571b358426281edb2990ae57cae" >
 
diff --git a/src/Lithnet.GoogleApps.MA.UnitTests/GroupMemberInheritedRoleTests.cs b/src/Lithnet.GoogleApps.MA.UnitTests/GroupMemberInheritedRoleTests.cs
@@ -29,8 +29,8 @@ public void RemoveExternalMembers()
                 string member1 = "user1@lithnet.io";
                 string member2 = "user2@lithnet.io";
 
-                GroupMemberRequestFactory.AddMember(e.Email, new Member() {Email = member1});
-                GroupMemberRequestFactory.AddMember(e.Email, new Member() {Email = member2});
+                GroupMemberRequestFactory.AddMember(e.Email, new Member() { Email = member1 });
+                GroupMemberRequestFactory.AddMember(e.Email, new Member() { Email = member2 });
 
                 Thread.Sleep(1000);
 
@@ -75,7 +75,7 @@ public void TestExternalManagerIsExternalMember()
                 Thread.Sleep(1000);
 
                 string member2 = "test@test.com";
-                GroupMemberRequestFactory.AddMember(e.Email, new Member() {Email = member2, Role = "MANAGER"});
+                GroupMemberRequestFactory.AddMember(e.Email, new Member() { Email = member2, Role = "MANAGER" });
 
                 Thread.Sleep(1000);
 
@@ -108,7 +108,7 @@ public void TestManagerIsMember()
 
                 user = UserTests.CreateUser();
 
-                GroupMemberRequestFactory.AddMember(e.Email, new Member() {Email = user.PrimaryEmail, Role = "MANAGER"});
+                GroupMemberRequestFactory.AddMember(e.Email, new Member() { Email = user.PrimaryEmail, Role = "MANAGER" });
 
                 Thread.Sleep(1000);
 
@@ -139,7 +139,7 @@ public void TestExternalOwnerIsExternalManagerAndExternalMember()
                 Thread.Sleep(1000);
 
                 string member2 = "test@test.com";
-                GroupMemberRequestFactory.AddMember(e.Email, new Member() {Email = member2, Role = "OWNER"});
+                GroupMemberRequestFactory.AddMember(e.Email, new Member() { Email = member2, Role = "OWNER" });
 
                 Thread.Sleep(1000);
 
@@ -174,7 +174,7 @@ public void TestOwnerIsManagerAndMember()
 
                 user = UserTests.CreateUser();
 
-                GroupMemberRequestFactory.AddMember(e.Email, new Member() {Email = user.PrimaryEmail, Role = "OWNER"});
+                GroupMemberRequestFactory.AddMember(e.Email, new Member() { Email = user.PrimaryEmail, Role = "OWNER" });
 
                 Thread.Sleep(1000);
 
@@ -218,7 +218,7 @@ public void DowngradeManagerToMember()
                 cs.ObjectType = SchemaConstants.Group;
                 cs.AnchorAttributes.Add(AnchorAttribute.Create("id", e.Email));
 
-                cs.AttributeChanges.Add(AttributeChange.CreateAttributeUpdate("externalManager", new List<ValueChange>() {new ValueChange(member2, ValueModificationType.Delete)}));
+                cs.AttributeChanges.Add(AttributeChange.CreateAttributeUpdate("externalManager", new List<ValueChange>() { new ValueChange(member2, ValueModificationType.Delete) }));
 
                 CSEntryChangeResult result =
                     ExportProcessor.PutCSEntryChange(cs, UnitTestControl.Schema.GetSchema().Types[SchemaConstants.Group], UnitTestControl.TestParameters);
@@ -234,7 +234,7 @@ public void DowngradeManagerToMember()
                 Assert.AreEqual(0, membership.ExternalManagers.Count);
                 Assert.AreEqual(0, membership.Managers.Count);
                 Assert.AreEqual(0, membership.Members.Count);
-                CollectionAssert.AreEquivalent(new string[] {member2}, membership.ExternalMembers.ToArray());
+                CollectionAssert.AreEquivalent(new string[] { member2 }, membership.ExternalMembers.ToArray());
             }
             finally
             {
@@ -243,6 +243,60 @@ public void DowngradeManagerToMember()
 
         }
 
+        [TestMethod]
+        public void DowngradeManagersToMembers()
+        {
+            Group e = null;
+            User member1 = null;
+            User member2 = null;
+            User member3 = null;
+            User member4 = null;
+
+            try
+            {
+                e = UnitTestControl.CreateGroup();
+
+                member1 = UserTests.CreateUser();
+                member2 = UserTests.CreateUser();
+                member3 = UserTests.CreateUser();
+                member4 = UserTests.CreateUser();
+
+                GroupMemberRequestFactory.AddMember(e.Email, member1.PrimaryEmail, "MANAGER");
+                GroupMemberRequestFactory.AddMember(e.Email, member2.PrimaryEmail, "MANAGER");
+                GroupMemberRequestFactory.AddMember(e.Email, member3.PrimaryEmail, "MEMBER");
+                GroupMemberRequestFactory.AddMember(e.Email, member4.PrimaryEmail, "MEMBER");
+                Thread.Sleep(1000);
+
+                CSEntryChange cs = CSEntryChange.Create();
+                cs.ObjectModificationType = ObjectModificationType.Update;
+                cs.DN = e.Email;
+                cs.ObjectType = SchemaConstants.Group;
+                cs.AnchorAttributes.Add(AnchorAttribute.Create("id", e.Email));
+
+                cs.AttributeChanges.Add(AttributeChange.CreateAttributeDelete("manager"));
+
+                CSEntryChangeResult result =
+                    ExportProcessor.PutCSEntryChange(cs, UnitTestControl.Schema.GetSchema().Types[SchemaConstants.Group], UnitTestControl.TestParameters);
+
+                if (result.ErrorCode != MAExportError.Success)
+                {
+                    Assert.Fail(result.ErrorName);
+                }
+
+                Thread.Sleep(1000);
+                GroupMembership membership = GroupMemberRequestFactory.GetMembership(cs.DN);
+
+                Assert.AreEqual(0, membership.ExternalManagers.Count);
+                Assert.AreEqual(0, membership.Managers.Count);
+                Assert.AreEqual(0, membership.ExternalMembers.Count);
+                CollectionAssert.AreEquivalent(new string[] { member1.PrimaryEmail, member2.PrimaryEmail, member3.PrimaryEmail, member4.PrimaryEmail }, membership.Members.ToArray());
+            }
+            finally
+            {
+                UnitTestControl.Cleanup(e, member1, member2, member3, member4);
+            }
+        }
+
         [TestMethod]
         public void DowngradeOwnerToManager()
         {
@@ -265,7 +319,7 @@ public void DowngradeOwnerToManager()
                 cs.ObjectType = SchemaConstants.Group;
                 cs.AnchorAttributes.Add(AnchorAttribute.Create("id", e.Id));
 
-                cs.AttributeChanges.Add(AttributeChange.CreateAttributeUpdate("externalOwner", new List<ValueChange>() {new ValueChange(member2, ValueModificationType.Delete)}));
+                cs.AttributeChanges.Add(AttributeChange.CreateAttributeUpdate("externalOwner", new List<ValueChange>() { new ValueChange(member2, ValueModificationType.Delete) }));
 
                 CSEntryChangeResult result =
                     ExportProcessor.PutCSEntryChange(cs, UnitTestControl.Schema.GetSchema().Types[SchemaConstants.Group], UnitTestControl.TestParameters);
@@ -282,7 +336,7 @@ public void DowngradeOwnerToManager()
                 Assert.AreEqual(0, membership.Owners.Count);
                 Assert.AreEqual(0, membership.Managers.Count);
                 Assert.AreEqual(0, membership.Members.Count);
-                CollectionAssert.AreEquivalent(new string[] {member2}, membership.ExternalManagers.ToArray());
+                CollectionAssert.AreEquivalent(new string[] { member2 }, membership.ExternalManagers.ToArray());
             }
             finally
             {
@@ -301,7 +355,7 @@ public void UpgradeMemberToManager()
                 Thread.Sleep(1000);
 
                 string member2 = "test@test.com";
-                GroupMemberRequestFactory.AddMember(e.Email, new Member() {Email = member2});
+                GroupMemberRequestFactory.AddMember(e.Email, new Member() { Email = member2 });
 
                 Thread.Sleep(1000);
 
@@ -311,7 +365,7 @@ public void UpgradeMemberToManager()
                 cs.ObjectType = SchemaConstants.Group;
                 cs.AnchorAttributes.Add(AnchorAttribute.Create("id", e.Id));
 
-                cs.AttributeChanges.Add(AttributeChange.CreateAttributeUpdate("externalManager", new List<ValueChange>() {new ValueChange(member2, ValueModificationType.Add)}));
+                cs.AttributeChanges.Add(AttributeChange.CreateAttributeUpdate("externalManager", new List<ValueChange>() { new ValueChange(member2, ValueModificationType.Add) }));
 
                 CSEntryChangeResult result =
                     ExportProcessor.PutCSEntryChange(cs, UnitTestControl.Schema.GetSchema().Types[SchemaConstants.Group], UnitTestControl.TestParameters);
@@ -323,7 +377,7 @@ public void UpgradeMemberToManager()
 
                 Thread.Sleep(1000);
 
-                CollectionAssert.AreEquivalent(new string[] {member2}, GroupMemberRequestFactory.GetMembership(cs.DN).ExternalManagers.ToArray());
+                CollectionAssert.AreEquivalent(new string[] { member2 }, GroupMemberRequestFactory.GetMembership(cs.DN).ExternalManagers.ToArray());
             }
             finally
             {
@@ -342,7 +396,7 @@ public void UpgradeManagerToOwner()
                 Thread.Sleep(1000);
 
                 string member2 = "test@test.com";
-                GroupMemberRequestFactory.AddMember(e.Email, new Member() {Email = member2, Role = "MANAGER"});
+                GroupMemberRequestFactory.AddMember(e.Email, new Member() { Email = member2, Role = "MANAGER" });
 
                 Thread.Sleep(1000);
 
@@ -352,7 +406,7 @@ public void UpgradeManagerToOwner()
                 cs.ObjectType = SchemaConstants.Group;
                 cs.AnchorAttributes.Add(AnchorAttribute.Create("id", e.Id));
 
-                cs.AttributeChanges.Add(AttributeChange.CreateAttributeUpdate("externalOwner", new List<ValueChange>() {new ValueChange(member2, ValueModificationType.Add)}));
+                cs.AttributeChanges.Add(AttributeChange.CreateAttributeUpdate("externalOwner", new List<ValueChange>() { new ValueChange(member2, ValueModificationType.Add) }));
 
                 CSEntryChangeResult result =
                     ExportProcessor.PutCSEntryChange(cs, UnitTestControl.Schema.GetSchema().Types[SchemaConstants.Group], UnitTestControl.TestParameters);
@@ -364,7 +418,7 @@ public void UpgradeManagerToOwner()
 
                 Thread.Sleep(1000);
 
-                CollectionAssert.AreEquivalent(new string[] {member2}, GroupMemberRequestFactory.GetMembership(cs.DN).ExternalOwners.ToArray());
+                CollectionAssert.AreEquivalent(new string[] { member2 }, GroupMemberRequestFactory.GetMembership(cs.DN).ExternalOwners.ToArray());
             }
             finally
             {
diff --git a/src/Lithnet.GoogleApps.MA.UnitTests/GroupTests.cs b/src/Lithnet.GoogleApps.MA.UnitTests/GroupTests.cs
@@ -236,6 +236,55 @@ public void Update()
             }
         }
 
+        [TestMethod]
+        public void UpdateDescription()
+        {
+            string id = null;
+            string dn = $"{Guid.NewGuid()}@{UnitTestControl.TestParameters.Domain}";
+            Group e = new Group
+            {
+                Email = dn,
+                Name = "name",
+                Description = "description"
+            };
+
+            e = GroupRequestFactory.Add(e);
+            id = e.Id;
+
+            CSEntryChange cs = CSEntryChange.Create();
+            cs.ObjectModificationType = ObjectModificationType.Update;
+            cs.DN = dn;
+            cs.ObjectType = SchemaConstants.Group;
+            cs.AnchorAttributes.Add(AnchorAttribute.Create("id", id));
+
+            cs.AttributeChanges.Add(AttributeChange.CreateAttributeDelete("description"));
+
+            try
+            {
+                CSEntryChangeResult result =
+                    ExportProcessor.PutCSEntryChange(cs, UnitTestControl.Schema.GetSchema().Types[SchemaConstants.Group], UnitTestControl.TestParameters);
+
+                if (result.ErrorCode != MAExportError.Success)
+                {
+                    Assert.Fail($"{result.ErrorName}\n{result.ErrorDetail}");
+                }
+
+                e = GroupRequestFactory.Get(id);
+                Assert.AreEqual(cs.DN, e.Email);
+
+                Assert.AreEqual(true, e.AdminCreated);
+                Assert.AreEqual(null, e.Description);
+                Assert.AreEqual("name", e.Name);
+            }
+            finally
+            {
+                if (id != null)
+                {
+                   // GroupRequestFactory.Delete(id);
+                    CSEntryChangeQueue.SaveQueue("D:\\temp\\group-update.xml", UnitTestControl.MmsSchema);
+                }
+            }
+        }
         [TestMethod]
         public void UpdateNoneCanPostOn()
         {
@@ -706,7 +755,7 @@ public void ReplaceAliases()
             }
 
         }
-       
+
         private string CreateGroup(out Group e)
         {
             string dn = $"{Guid.NewGuid()}@{UnitTestControl.TestParameters.Domain}";
diff --git a/src/Lithnet.GoogleApps.MA.UnitTests/Lithnet.GoogleApps.MA.UnitTests.csproj b/src/Lithnet.GoogleApps.MA.UnitTests/Lithnet.GoogleApps.MA.UnitTests.csproj
@@ -89,8 +89,8 @@
       <HintPath>..\packages\Google.GData.Extensions.2.2.0.0\lib\Google.GData.Extensions.dll</HintPath>
       <Private>True</Private>
     </Reference>
-    <Reference Include="Lithnet.GoogleApps, Version=1.0.6144.23555, Culture=neutral, processorArchitecture=MSIL">
-      <HintPath>..\packages\Lithnet.GoogleApps.1.0.6144.23555\lib\net452\Lithnet.GoogleApps.dll</HintPath>
+    <Reference Include="Lithnet.GoogleApps, Version=1.0.6146.35517, Culture=neutral, processorArchitecture=MSIL">
+      <HintPath>..\packages\Lithnet.GoogleApps.1.0.6146.35517\lib\net452\Lithnet.GoogleApps.dll</HintPath>
       <Private>True</Private>
     </Reference>
     <Reference Include="Lithnet.Logging, Version=1.0.5774.20685, Culture=neutral, processorArchitecture=MSIL">
diff --git a/src/Lithnet.GoogleApps.MA.UnitTests/packages.config b/src/Lithnet.GoogleApps.MA.UnitTests/packages.config
@@ -11,7 +11,7 @@
   <package id="Google.GData.Client" version="2.2.0.0" targetFramework="net452" />
   <package id="Google.GData.Contacts" version="2.2.0.0" targetFramework="net452" />
   <package id="Google.GData.Extensions" version="2.2.0.0" targetFramework="net452" />
-  <package id="Lithnet.GoogleApps" version="1.0.6144.23555" targetFramework="net452" />
+  <package id="Lithnet.GoogleApps" version="1.0.6146.35517" targetFramework="net452" />
   <package id="Lithnet.Logging" version="1.0.5774.20685" targetFramework="net452" />
   <package id="Lithnet.MetadirectoryServices" version="1.0.6017.24789" targetFramework="net452" />
   <package id="log4net" version="2.0.5" targetFramework="net452" />
diff --git a/src/Lithnet.GoogleApps.MA/ApiInterfaces/ApiInterfaceGroupMembership.cs b/src/Lithnet.GoogleApps.MA/ApiInterfaces/ApiInterfaceGroupMembership.cs
@@ -1,6 +1,7 @@
 ﻿using System;
 using System.Collections.Generic;
 using System.Linq;
+using Google;
 using Google.Apis.Admin.Directory.directory_v1.Data;
 using Lithnet.Logging;
 using Lithnet.GoogleApps.ManagedObjects;
@@ -70,13 +71,22 @@ public IList<AttributeChange> ApplyChanges(CSEntryChange csentry, SchemaType typ
                     {
                         foreach (Member change in roleChanges)
                         {
-                            GroupMemberRequestFactory.ChangeMemberRole(csentry.DN, change);
-                        }
-
-                        foreach (Member member in roleChanges)
-                        {
-                            Logger.WriteLine($"Changed member role {member.Email} to {member.Role}", LogLevel.Debug);
+                            try
+                            {
+                                GroupMemberRequestFactory.ChangeMemberRole(csentry.DN, change);
+                                Logger.WriteLine($"Changed member role {change.Email} to {change.Role}", LogLevel.Debug);
+                            }
+                            catch (GoogleApiException ex)
+                            {
+                                if (ex.HttpStatusCode == System.Net.HttpStatusCode.NotFound)
+                                {
+                                    throw new UnexpectedDataException($"Member {change.Email} cannot be assigned {change.Role} without being made a member", ex);
+                                }
+
+                                throw;
+                            }
                         }
+                        
                     }
                     catch (AggregateGroupUpdateException ex)
                     {
@@ -469,13 +479,15 @@ private static void GetMemberChangesFromCSEntryChange(CSEntryChange csentry, Has
                     case AttributeModificationType.Add:
                         foreach (string address in csentry.GetValueAdds<string>(attributeName))
                         {
+                            ApiInterfaceGroupMembership.ValidateAddress(address, attributeName);
                             adds.Add(address);
                         }
                         break;
 
                     case AttributeModificationType.Delete:
                         foreach (string member in existingMembers)
                         {
+                            ApiInterfaceGroupMembership.ValidateAddress(member, attributeName);
                             deletes.Add(member);
                         }
 
@@ -485,11 +497,13 @@ private static void GetMemberChangesFromCSEntryChange(CSEntryChange csentry, Has
                         IList<string> newMembers = csentry.GetValueAdds<string>(attributeName);
                         foreach (string address in newMembers)
                         {
+                            ApiInterfaceGroupMembership.ValidateAddress(address, attributeName);
                             adds.Add(address);
                         }
 
                         foreach (string member in existingMembers.Except(newMembers))
                         {
+                            ApiInterfaceGroupMembership.ValidateAddress(member, attributeName);
                             deletes.Add(member);
                         }
 
@@ -498,11 +512,13 @@ private static void GetMemberChangesFromCSEntryChange(CSEntryChange csentry, Has
                     case AttributeModificationType.Update:
                         foreach (string address in csentry.GetValueDeletes<string>(attributeName))
                         {
+                            ApiInterfaceGroupMembership.ValidateAddress(address, attributeName);
                             deletes.Add(address);
                         }
 
                         foreach (string address in csentry.GetValueAdds<string>(attributeName))
                         {
+                            ApiInterfaceGroupMembership.ValidateAddress(address, attributeName);
                             adds.Add(address);
                         }
 
@@ -515,6 +531,24 @@ private static void GetMemberChangesFromCSEntryChange(CSEntryChange csentry, Has
             }
         }
 
+        private static void ValidateAddress(string address, string attributeName)
+        {
+            if (attributeName.StartsWith("external"))
+            {
+                if (GroupMembership.IsAddressInternal(address))
+                {
+                    throw new UnexpectedDataException($"The value {address} cannot be exported as {attributeName} as it is a known internal domain. It should be exported as {attributeName.Replace("external", string.Empty)}");
+                }
+            }
+            else
+            {
+                if (GroupMembership.IsAddressExternal(address))
+                {
+                    throw new UnexpectedDataException($"The value {address} cannot be exported as {attributeName} as it is not a known internal domain. It should be exported as external{attributeName}");
+                }
+            }
+        }
+
         private static bool ExistingMembershipRequiredForUpdate(CSEntryChange csentry, IManagementAgentParameters config)
         {
             if (csentry.ObjectModificationType == ObjectModificationType.Add)
diff --git a/src/Lithnet.GoogleApps.MA/ExportProcessor.cs b/src/Lithnet.GoogleApps.MA/ExportProcessor.cs
diff --git a/src/Lithnet.GoogleApps.MA/Lithnet.GoogleApps.MA.csproj b/src/Lithnet.GoogleApps.MA/Lithnet.GoogleApps.MA.csproj
diff --git a/src/Lithnet.GoogleApps.MA/packages.config b/src/Lithnet.GoogleApps.MA/packages.config

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`using System;`
`2`	`2`	`using System.Collections.Generic;`
`3`	`3`	`using System.Linq;`
	`4`	`+using Google;`
`4`	`5`	`using Google.Apis.Admin.Directory.directory_v1.Data;`
`5`	`6`	`using Lithnet.Logging;`
`6`	`7`	`using Lithnet.GoogleApps.ManagedObjects;`
`@@ -70,13 +71,22 @@ public IList<AttributeChange> ApplyChanges(CSEntryChange csentry, SchemaType typ`
`70`	`71`	`{`
`71`	`72`	`foreach (Member change in roleChanges)`
`72`	`73`	`{`
`73`		`- GroupMemberRequestFactory.ChangeMemberRole(csentry.DN, change);`
`74`		`- }`
`75`		`-`
`76`		`- foreach (Member member in roleChanges)`
`77`		`- {`
`78`		`- Logger.WriteLine($"Changed member role {member.Email} to {member.Role}", LogLevel.Debug);`
	`74`	`+ try`
	`75`	`+ {`
	`76`	`+ GroupMemberRequestFactory.ChangeMemberRole(csentry.DN, change);`
	`77`	`+ Logger.WriteLine($"Changed member role {change.Email} to {change.Role}", LogLevel.Debug);`
	`78`	`+ }`
	`79`	`+ catch (GoogleApiException ex)`
	`80`	`+ {`
	`81`	`+ if (ex.HttpStatusCode == System.Net.HttpStatusCode.NotFound)`
	`82`	`+ {`
	`83`	`+ throw new UnexpectedDataException($"Member {change.Email} cannot be assigned {change.Role} without being made a member", ex);`
	`84`	`+ }`
	`85`	`+`
	`86`	`+ throw;`
	`87`	`+ }`
`79`	`88`	`}`
	`89`	`+`
`80`	`90`	`}`
`81`	`91`	`catch (AggregateGroupUpdateException ex)`
`82`	`92`	`{`
`@@ -469,13 +479,15 @@ private static void GetMemberChangesFromCSEntryChange(CSEntryChange csentry, Has`
`469`	`479`	`case AttributeModificationType.Add:`
`470`	`480`	`foreach (string address in csentry.GetValueAdds<string>(attributeName))`
`471`	`481`	`{`
	`482`	`+ ApiInterfaceGroupMembership.ValidateAddress(address, attributeName);`
`472`	`483`	`adds.Add(address);`
`473`	`484`	`}`
`474`	`485`	`break;`
`475`	`486`
`476`	`487`	`case AttributeModificationType.Delete:`
`477`	`488`	`foreach (string member in existingMembers)`
`478`	`489`	`{`
	`490`	`+ ApiInterfaceGroupMembership.ValidateAddress(member, attributeName);`
`479`	`491`	`deletes.Add(member);`
`480`	`492`	`}`
`481`	`493`
`@@ -485,11 +497,13 @@ private static void GetMemberChangesFromCSEntryChange(CSEntryChange csentry, Has`
`485`	`497`	`IList<string> newMembers = csentry.GetValueAdds<string>(attributeName);`
`486`	`498`	`foreach (string address in newMembers)`
`487`	`499`	`{`
	`500`	`+ ApiInterfaceGroupMembership.ValidateAddress(address, attributeName);`
`488`	`501`	`adds.Add(address);`
`489`	`502`	`}`
`490`	`503`
`491`	`504`	`foreach (string member in existingMembers.Except(newMembers))`
`492`	`505`	`{`
	`506`	`+ ApiInterfaceGroupMembership.ValidateAddress(member, attributeName);`
`493`	`507`	`deletes.Add(member);`
`494`	`508`	`}`
`495`	`509`
`@@ -498,11 +512,13 @@ private static void GetMemberChangesFromCSEntryChange(CSEntryChange csentry, Has`
`498`	`512`	`case AttributeModificationType.Update:`
`499`	`513`	`foreach (string address in csentry.GetValueDeletes<string>(attributeName))`
`500`	`514`	`{`
	`515`	`+ ApiInterfaceGroupMembership.ValidateAddress(address, attributeName);`
`501`	`516`	`deletes.Add(address);`
`502`	`517`	`}`
`503`	`518`
`504`	`519`	`foreach (string address in csentry.GetValueAdds<string>(attributeName))`
`505`	`520`	`{`
	`521`	`+ ApiInterfaceGroupMembership.ValidateAddress(address, attributeName);`
`506`	`522`	`adds.Add(address);`
`507`	`523`	`}`
`508`	`524`
`@@ -515,6 +531,24 @@ private static void GetMemberChangesFromCSEntryChange(CSEntryChange csentry, Has`
`515`	`531`	`}`
`516`	`532`	`}`
`517`	`533`
	`534`	`+ private static void ValidateAddress(string address, string attributeName)`
	`535`	`+ {`
	`536`	`+ if (attributeName.StartsWith("external"))`
	`537`	`+ {`
	`538`	`+ if (GroupMembership.IsAddressInternal(address))`
	`539`	`+ {`
	`540`	`+ throw new UnexpectedDataException($"The value {address} cannot be exported as {attributeName} as it is a known internal domain. It should be exported as {attributeName.Replace("external", string.Empty)}");`
	`541`	`+ }`
	`542`	`+ }`
	`543`	`+ else`
	`544`	`+ {`
	`545`	`+ if (GroupMembership.IsAddressExternal(address))`
	`546`	`+ {`
	`547`	`+ throw new UnexpectedDataException($"The value {address} cannot be exported as {attributeName} as it is not a known internal domain. It should be exported as external{attributeName}");`
	`548`	`+ }`
	`549`	`+ }`
	`550`	`+ }`
	`551`	`+`
`518`	`552`	`private static bool ExistingMembershipRequiredForUpdate(CSEntryChange csentry, IManagementAgentParameters config)`
`519`	`553`	`{`
`520`	`554`	`if (csentry.ObjectModificationType == ObjectModificationType.Add)`