Skip to content

fix: scim-provisioned user can edit locked attributes (WPB-22292) #4543

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
sbakhtiarov merged 4 commits into from
Jan 27, 2026
Merged

fix: scim-provisioned user can edit locked attributes (WPB-22292) #4543

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
d01521c
fix: scim-provisioned user can edit locked attributes (WPB-22292)
sbakhtiarov Jan 21, 2026
7af75a1
Merge branch 'develop' into fix/scim-user-edit
sbakhtiarov Jan 27, 2026
e0cd8b8
updating kalium (WPB-22292)
sbakhtiarov Jan 27, 2026
669eba2
fixing detekt issues (WPB-22292)
sbakhtiarov Jan 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions app/src/main/kotlin/com/wire/android/ui/authentication/login/email/LoginEmailViewModel.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -203,6 +203,7 @@ class LoginEmailViewModel @Inject constructor(
addAuthenticatedUser(
authTokens = loginResult.authData,
ssoId = loginResult.ssoID,
managedBy = loginResult.managedBy,
serverConfigId = loginResult.serverConfigId,
proxyCredentials = loginResult.proxyCredentials,
replace = false
Expand Down
1 change: 1 addition & 0 deletions ...rc/main/kotlin/com/wire/android/ui/authentication/login/sso/LoginSSOViewModelExtension.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,6 +99,7 @@
ssoId = ssoLoginResult.ssoId,
serverConfigId = serverConfigId,
proxyCredentials = ssoLoginResult.proxyCredentials,
managedBy = ssoLoginResult.managedBy,

Check warning on line 102 in app/src/main/kotlin/com/wire/android/ui/authentication/login/sso/LoginSSOViewModelExtension.kt

View check run for this annotation

Codecov / codecov/patch

app/src/main/kotlin/com/wire/android/ui/authentication/login/sso/LoginSSOViewModelExtension.kt#L102 

Added line #L102 was not covered by tests
replace = false
).let { authenticatedUserResult ->
when (authenticatedUserResult) {
Expand Down
50 changes: 34 additions & 16 deletions ...src/test/kotlin/com/wire/android/ui/authentication/login/email/LoginEmailViewModelTest.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,7 @@ import com.wire.kalium.logic.data.id.QualifiedID
import com.wire.kalium.logic.data.id.QualifiedIdMapper
import com.wire.kalium.logic.data.logout.LogoutReason
import com.wire.kalium.logic.data.user.SsoId
import com.wire.kalium.logic.data.user.SsoManagedBy
import com.wire.kalium.logic.data.user.UserId
import com.wire.kalium.logic.feature.auth.AddAuthenticatedUserUseCase
import com.wire.kalium.logic.feature.auth.AuthenticationResult
Expand Down Expand Up @@ -138,7 +139,15 @@ class LoginEmailViewModelTest {
@Test
fun `given button is clicked and initial sync is completed, when login returns Success, then navigate to home screen`() = runTest {
val (arrangement, loginViewModel) = Arrangement()
.withLoginReturning(AuthenticationResult.Success(AUTH_TOKEN, SSO_ID, SERVER_CONFIG.id, null))
.withLoginReturning(
AuthenticationResult.Success(
authData = AUTH_TOKEN,
ssoID = SSO_ID,
managedBy = MANAGED_BY,
serverConfigId = SERVER_CONFIG.id,
proxyCredentials = null
)
)
.withAddAuthenticatedUserReturning(AddAuthenticatedUserUseCase.Result.Success(USER_ID))
.withValidateEmailReturning(true)
.withPersistEmailReturning(PersistSelfUserEmailResult.Success)
Expand All @@ -165,7 +174,7 @@ class LoginEmailViewModelTest {
runTest {
val password = "abc"
val (arrangement, loginViewModel) = Arrangement()
.withLoginReturning(AuthenticationResult.Success(AUTH_TOKEN, SSO_ID, SERVER_CONFIG.id, null))
.withLoginReturning(AuthenticationResult.Success(AUTH_TOKEN, SSO_ID, MANAGED_BY, SERVER_CONFIG.id, null))
.withAddAuthenticatedUserReturning(AddAuthenticatedUserUseCase.Result.Success(USER_ID))
.withValidateEmailReturning(true)
.withPersistEmailReturning(PersistSelfUserEmailResult.Success)
Expand Down Expand Up @@ -239,7 +248,7 @@ class LoginEmailViewModelTest {
@Test
fun `given button is clicked, when addAuthenticatedUser returns UserAlreadyExists error, then UserAlreadyExists is passed`() = runTest {
val (arrangement, loginViewModel) = Arrangement()
.withLoginReturning(AuthenticationResult.Success(AUTH_TOKEN, SSO_ID, SERVER_CONFIG.id, null))
.withLoginReturning(AuthenticationResult.Success(AUTH_TOKEN, SSO_ID, MANAGED_BY, SERVER_CONFIG.id, null))
.withAddAuthenticatedUserReturning(AddAuthenticatedUserUseCase.Result.Failure.UserAlreadyExists)
.arrange()

Expand Down Expand Up @@ -375,7 +384,7 @@ class LoginEmailViewModelTest {
val email = "some.email@example.org"
val code = "123456"
val (arrangement, loginViewModel) = Arrangement()
.withLoginReturning(AuthenticationResult.Success(AUTH_TOKEN, SSO_ID, SERVER_CONFIG.id, null))
.withLoginReturning(AuthenticationResult.Success(AUTH_TOKEN, SSO_ID, MANAGED_BY, SERVER_CONFIG.id, null))
.withAddAuthenticatedUserReturning(AddAuthenticatedUserUseCase.Result.Success(USER_ID))
.withValidateEmailReturning(true)
.withPersistEmailReturning(PersistSelfUserEmailResult.Success)
Expand All @@ -398,7 +407,7 @@ class LoginEmailViewModelTest {
val email = "some.email@example.org"
val code = "123456"
val (arrangement, loginViewModel) = Arrangement()
.withLoginReturning(AuthenticationResult.Success(AUTH_TOKEN, SSO_ID, SERVER_CONFIG.id, null))
.withLoginReturning(AuthenticationResult.Success(AUTH_TOKEN, SSO_ID, MANAGED_BY, SERVER_CONFIG.id, null))
.withAddAuthenticatedUserReturning(AddAuthenticatedUserUseCase.Result.Success(USER_ID))
.withValidateEmailReturning(true)
.withPersistEmailReturning(PersistSelfUserEmailResult.Success)
Expand All @@ -419,7 +428,7 @@ class LoginEmailViewModelTest {
val email = "some.email@example.org"
val code = "123456"
val (arrangement, loginViewModel) = Arrangement()
.withLoginReturning(AuthenticationResult.Success(AUTH_TOKEN, SSO_ID, SERVER_CONFIG.id, null))
.withLoginReturning(AuthenticationResult.Success(AUTH_TOKEN, SSO_ID, MANAGED_BY, SERVER_CONFIG.id, null))
.withAddAuthenticatedUserReturning(AddAuthenticatedUserUseCase.Result.Success(USER_ID))
.withValidateEmailReturning(true)
.withPersistEmailReturning(PersistSelfUserEmailResult.Success)
Expand Down Expand Up @@ -453,7 +462,7 @@ class LoginEmailViewModelTest {
fun `given email, when logging in, then persist email`() = runTest {
val email = "some.email@example.org"
val (arrangement, loginViewModel) = Arrangement()
.withLoginReturning(AuthenticationResult.Success(AUTH_TOKEN, SSO_ID, SERVER_CONFIG.id, null))
.withLoginReturning(AuthenticationResult.Success(AUTH_TOKEN, SSO_ID, MANAGED_BY, SERVER_CONFIG.id, null))
.withAddAuthenticatedUserReturning(AddAuthenticatedUserUseCase.Result.Success(USER_ID))
.withValidateEmailReturning(true)
.withPersistEmailReturning(PersistSelfUserEmailResult.Success)
Expand All @@ -472,7 +481,7 @@ class LoginEmailViewModelTest {
fun `given handle, when logging in, then do not persist email`() = runTest {
val handle = "some.handle"
val (arrangement, loginViewModel) = Arrangement()
.withLoginReturning(AuthenticationResult.Success(AUTH_TOKEN, SSO_ID, SERVER_CONFIG.id, null))
.withLoginReturning(AuthenticationResult.Success(AUTH_TOKEN, SSO_ID, MANAGED_BY, SERVER_CONFIG.id, null))
.withAddAuthenticatedUserReturning(AddAuthenticatedUserUseCase.Result.Success(USER_ID))
.withValidateEmailReturning(false)
.withGetOrRegisterClientReturning(RegisterClientResult.Success(CLIENT))
Expand All @@ -491,7 +500,7 @@ class LoginEmailViewModelTest {
val email = "some.email@example.org"
val failure = CoreFailure.Unknown(null)
val (arrangement, loginViewModel) = Arrangement()
.withLoginReturning(AuthenticationResult.Success(AUTH_TOKEN, SSO_ID, SERVER_CONFIG.id, null))
.withLoginReturning(AuthenticationResult.Success(AUTH_TOKEN, SSO_ID, MANAGED_BY, SERVER_CONFIG.id, null))
.withAddAuthenticatedUserReturning(AddAuthenticatedUserUseCase.Result.Success(USER_ID))
.withValidateEmailReturning(true)
.withPersistEmailReturning(PersistSelfUserEmailResult.Failure(failure))
Expand All @@ -514,7 +523,15 @@ class LoginEmailViewModelTest {
val newUserId = UserId("newUserId", "domain")
val (arrangement, loginViewModel) = Arrangement()
.withCurrentSessionReturning(CurrentSessionResult.Success(AccountInfo.Valid(previousUserId)))
.withLoginReturning(AuthenticationResult.Success(AUTH_TOKEN.copy(userId = newUserId), SSO_ID, SERVER_CONFIG.id, null))
.withLoginReturning(
AuthenticationResult.Success(
authData = AUTH_TOKEN.copy(userId = newUserId),
ssoID = SSO_ID,
managedBy = MANAGED_BY,
serverConfigId = SERVER_CONFIG.id,
proxyCredentials = null
)
)
.withAddAuthenticatedUserReturning(AddAuthenticatedUserUseCase.Result.Success(newUserId))
.withValidateEmailReturning(true)
.withPersistEmailReturning(PersistSelfUserEmailResult.Success)
Expand Down Expand Up @@ -651,7 +668,7 @@ class LoginEmailViewModelTest {
.withDeleteSessionReturning(DeleteSessionUseCase.Result.Success)
.withUpdateCurrentSessionReturning(UpdateCurrentSessionUseCase.Result.Success)
.withCurrentSessionReturning(CurrentSessionResult.Success(AccountInfo.Valid(previousUserId)))
.withLoginReturning(AuthenticationResult.Success(authToken2, SSO_ID, SERVER_CONFIG.id, null))
.withLoginReturning(AuthenticationResult.Success(authToken2, SSO_ID, MANAGED_BY, SERVER_CONFIG.id, null))
.withAddAuthenticatedUserReturning(AddAuthenticatedUserUseCase.Result.Success(newUserId2))
.withValidateEmailReturning(true)
.withPersistEmailReturning(PersistSelfUserEmailResult.Success)
Expand All @@ -672,7 +689,7 @@ class LoginEmailViewModelTest {
}
coVerify(exactly = 1) { // verify that the second login job has been started
arrangement.loginUseCase(any(), any(), any(), any(), any())
arrangement.addAuthenticatedUserUseCase(any(), any(), eq(authToken2), any())
arrangement.addAuthenticatedUserUseCase(any(), any(), eq(authToken2), any(), any())
}
}

Expand All @@ -686,7 +703,7 @@ class LoginEmailViewModelTest {
.withDeleteSessionReturning(DeleteSessionUseCase.Result.Success)
.withUpdateCurrentSessionReturning(UpdateCurrentSessionUseCase.Result.Success)
.withCurrentSessionReturning(CurrentSessionResult.Success(AccountInfo.Valid(previousUserId)))
.withLoginReturning(AuthenticationResult.Success(authToken, SSO_ID, SERVER_CONFIG.id, null))
.withLoginReturning(AuthenticationResult.Success(authToken, SSO_ID, MANAGED_BY, SERVER_CONFIG.id, null))
.withAddAuthenticatedUserReturning(AddAuthenticatedUserUseCase.Result.Success(newUserId))
.withValidateEmailReturning(true)
.withPersistEmailReturning(PersistSelfUserEmailResult.Success)
Expand All @@ -713,7 +730,7 @@ class LoginEmailViewModelTest {
.withDeleteSessionReturning(DeleteSessionUseCase.Result.Success)
.withUpdateCurrentSessionReturning(UpdateCurrentSessionUseCase.Result.Success)
.withCurrentSessionReturning(CurrentSessionResult.Success(AccountInfo.Valid(previousUserId)))
.withLoginReturning(AuthenticationResult.Success(authToken, SSO_ID, SERVER_CONFIG.id, null))
.withLoginReturning(AuthenticationResult.Success(authToken, SSO_ID, MANAGED_BY, SERVER_CONFIG.id, null))
.withAddAuthenticatedUserReturning(AddAuthenticatedUserUseCase.Result.Success(newUserId))
.withValidateEmailReturning(true)
.withPersistEmailReturning(PersistSelfUserEmailResult.Success)
Expand Down Expand Up @@ -752,7 +769,7 @@ class LoginEmailViewModelTest {
val (arrangement, loginViewModel) = Arrangement()
.withCurrentSessionReturning(CurrentSessionResult.Failure.SessionNotFound)
.withValidateEmailReturning(true)
.withLoginReturning(AuthenticationResult.Success(AUTH_TOKEN, SSO_ID, SERVER_CONFIG.id, null))
.withLoginReturning(AuthenticationResult.Success(AUTH_TOKEN, SSO_ID, MANAGED_BY, SERVER_CONFIG.id, null))
.withAddAuthenticatedUserReturning(AddAuthenticatedUserUseCase.Result.Success(USER_ID))
.withPersistEmailReturning(PersistSelfUserEmailResult.Success)
.withGetOrRegisterClientReturning(RegisterClientResult.Success(CLIENT))
Expand Down Expand Up @@ -874,7 +891,7 @@ class LoginEmailViewModelTest {

fun withAddAuthenticatedUserReturning(result: AddAuthenticatedUserUseCase.Result) = apply {
coEvery {
addAuthenticatedUserUseCase(any(), any(), any(), any())
addAuthenticatedUserUseCase(any(), any(), any(), any(), any())
} returns result
}

Expand Down Expand Up @@ -931,6 +948,7 @@ class LoginEmailViewModelTest {
val CLIENT = TestClient.CLIENT
val USER_ID: QualifiedID = QualifiedID("userId", "domain")
val SSO_ID: SsoId = SsoId("scim_id", null, null)
val MANAGED_BY: SsoManagedBy = SsoManagedBy.WIRE
val AUTH_TOKEN = AccountTokens(
userId = UserId("user_id", "domain"),
accessToken = "access_token",
Expand Down
2 changes: 1 addition & 1 deletion kalium
Open in desktop
Submodule kalium updated 35 files
+32 −0 core/data/src/commonMain/kotlin/com/wire/kalium/logic/data/message/reaction/MessageReactions.kt
+4 −0 core/data/src/commonMain/kotlin/com/wire/kalium/logic/data/user/UserModel.kt
+2 −2 data/persistence/src/commonMain/db_global/com/wire/kalium/persistence/Accounts.sq
+14 −0 data/persistence/src/commonMain/db_user/com/wire/kalium/persistence/Reactions.sq
+18 −0 data/persistence/src/commonMain/kotlin/com/wire/kalium/persistence/dao/message/MessageMapper.kt
+35 −0 data/persistence/src/commonMain/kotlin/com/wire/kalium/persistence/dao/reaction/ReactionDAO.kt
+14 −0 data/persistence/src/commonMain/kotlin/com/wire/kalium/persistence/dao/reaction/ReactionsEntity.kt
+4 −1 data/persistence/src/commonMain/kotlin/com/wire/kalium/persistence/daokaliumdb/AccountsDAO.kt
+12 −10 data/persistence/src/commonTest/kotlin/com/wire/kalium/persistence/globalDB/AccountsDAOTest.kt
+2 −0 domain/backup/src/commonMain/kotlin/com/wire/backup/data/BackupData.kt
+2 −0 domain/backup/src/commonMain/kotlin/com/wire/backup/ingest/MPBackupMapper.kt
+2 −0 domain/backup/src/commonTest/kotlin/com/wire/backup/BackupEndToEndTest.kt
+2 −0 domain/backup/src/commonTest/kotlin/com/wire/backup/ingest/BackupImportPagerTest.kt
+7 −0 logic/src/commonMain/kotlin/com/wire/kalium/logic/data/auth/AuthSession.kt
+14 −9 logic/src/commonMain/kotlin/com/wire/kalium/logic/data/auth/login/LoginRepository.kt
+67 −9 logic/src/commonMain/kotlin/com/wire/kalium/logic/data/backup/BackupRepository.kt
+14 −5 logic/src/commonMain/kotlin/com/wire/kalium/logic/data/session/SessionRepository.kt
+8 −0 logic/src/commonMain/kotlin/com/wire/kalium/logic/data/user/UserMapper.kt
+1 −0 logic/src/commonMain/kotlin/com/wire/kalium/logic/feature/UserSessionScope.kt
+12 −5 logic/src/commonMain/kotlin/com/wire/kalium/logic/feature/auth/AddAuthenticatedUserUseCase.kt
+19 −16 logic/src/commonMain/kotlin/com/wire/kalium/logic/feature/auth/LoginUseCase.kt
+10 −6 logic/src/commonMain/kotlin/com/wire/kalium/logic/feature/auth/sso/GetSSOLoginSessionUseCase.kt
+8 −0 logic/src/commonMain/kotlin/com/wire/kalium/logic/feature/backup/CreateMPBackupUseCase.kt
+28 −0 logic/src/commonMain/kotlin/com/wire/kalium/logic/feature/backup/RestoreMPBackupUseCase.kt
+32 −4 logic/src/commonMain/kotlin/com/wire/kalium/logic/feature/backup/mapper/BackupDataMappers.kt
+19 −2 logic/src/commonMain/kotlin/com/wire/kalium/logic/feature/backup/mapper/RestoreDataMappers.kt
+6 −0 logic/src/commonMain/kotlin/com/wire/kalium/logic/feature/backup/provider/MPBackupExporterProvider.kt
+9 −3 logic/src/commonTest/kotlin/com/wire/kalium/logic/data/backup/BackupDataSourceTest.kt
+13 −11 logic/src/commonTest/kotlin/com/wire/kalium/logic/feature/auth/AddAuthenticatedUserUseCaseTest.kt
+33 −12 logic/src/commonTest/kotlin/com/wire/kalium/logic/feature/auth/LoginUseCaseTest.kt
+34 −6 logic/src/commonTest/kotlin/com/wire/kalium/logic/feature/backup/CreateMPBackupUseCaseTest.kt
+23 −0 logic/src/commonTest/kotlin/com/wire/kalium/logic/feature/backup/RestoreMPBackupUseCaseTest.kt
+1 −1 sample/cli/src/commonMain/kotlin/com/wire/kalium/cli/commands/LoginCommand.kt
+2 −1 tools/protobuf-codegen/src/main/proto/backup.proto
+1 −0 tools/testservice/src/main/kotlin/com/wire/kalium/testservice/managed/InstanceService.kt