Normation · fanf · Mar 4, 2024 · Mar 1, 2024
diff --git a/...sources/rudder/rudder-core/src/main/scala/com/normation/rudder/users/UserRepository.scala b/...sources/rudder/rudder-core/src/main/scala/com/normation/rudder/users/UserRepository.scala
@@ -234,20 +234,22 @@ object UserRepository {
         )
     }.toMap
 
-    // `resurrected` are zombie that get back to live with the new origin.
+    // `resurrected` are zombie that get back to live with the new origin. For users with same origin, we keep them as is.
     // We resurrect users with "active" status because we have nothing to manage "disabled" for now.
-    val resurrected = zombies.map {
+    val resurrectedOrSameOrigin = zombies.map {
       case (k, v) =>
         // check that status is really deleted, just in case
         if (v.status == UserStatus.Deleted) {
           (
             k,
-            v.modify(_.status)
-              .setTo(UserStatus.Active)
-              .modify(_.statusHistory)
-              .using(StatusHistory(UserStatus.Disabled, trace) :: _)
-              .modify(_.managedBy)
-              .setTo(origin)
+            if (v.managedBy != origin) {
+              v.modify(_.status)
+                .setTo(UserStatus.Active)
+                .modify(_.statusHistory)
+                .using(StatusHistory(UserStatus.Disabled, trace) :: _)
+                .modify(_.managedBy)
+                .setTo(origin)
+            } else v
           )
         } else (k, v)
     }
@@ -264,7 +266,7 @@ object UserRepository {
         )
     }
 
-    realNew ++ resurrected ++ deleted
+    realNew ++ resurrectedOrSameOrigin ++ deleted
   }
 
 }
@@ -634,13 +636,23 @@ class JdbcUserRepository(doobie: Doobie) extends UserRepository {
           fr")"
 
         def update(updated: Vector[UserInfo]): ConnectionIO[Int] = {
-          // never update the user personal information and managedby of an existing user which may have been provided and modified by another origin
+          // never update the user personal information of an existing user which may have been provided and modified by another origin
           val sql =
             """insert into users (id, creationdate, status, managedby, name, email, lastlogin, statushistory, otherinfo)
                   values (?,?,?,?,? , ?,?,?,?)
                on conflict (id) do update
-                set (creationdate, status, lastlogin, statushistory) =
-                  (EXCLUDED.creationdate, EXCLUDED.status, EXCLUDED.lastlogin, EXCLUDED.statushistory)"""
+                set (creationdate, status, managedby, lastlogin, statushistory) =
+                  (
+                    EXCLUDED.creationdate,
+                    EXCLUDED.status, 
+                    CASE WHEN users.status = 'active'
+                      THEN users.managedby
+                      ELSE EXCLUDED.managedby
+                    END,
+                    EXCLUDED.lastlogin,
+                    EXCLUDED.statushistory
+                  )
+                  """
 
           Update[UserInfo](sql).updateMany(updated)
         }

diff --git a/...ces/rudder/rudder-core/src/test/scala/com/normation/rudder/users/UserRepositoryTest.scala b/...ces/rudder/rudder-core/src/test/scala/com/normation/rudder/users/UserRepositoryTest.scala
@@ -117,6 +117,11 @@ trait UserRepositoryTest extends Specification with Loggable {
       }
     }
 
+    // BOB is rept removed after setting the users again without BOB
+    val dateBobRemovedIdempotent      = DateTime.parse("2023-09-02T02:03:04Z")
+    val traceBobRemovedIdempotent     = EventTrace(actor, dateBobRemovedIdempotent)
+    val userInfosBobRemovedIdempotent = userInfosBobRemoved
+
     // BOB added back from OIDC
     val dateBobOidc      = DateTime.parse("2023-09-03T03:03:03Z")
     val traceBobOidc     = EventTrace(actor, dateBobOidc)
@@ -182,6 +187,11 @@ trait UserRepositoryTest extends Specification with Loggable {
       repo.getAll().runNow.toUTC must containTheSameElementsAs(userInfosBobRemoved)
     }
 
+    "If an user is reloaded from the same origin, it should be kept as is" >> {
+      repo.setExistingUsers(AUTH_PLUGIN_NAME_LOCAL, userFileBobRemoved, traceBobRemovedIdempotent).runNow
+      repo.getAll().runNow.toUTC must containTheSameElementsAs(userInfosBobRemovedIdempotent)
+    }
+
     "If an user is created by an other module and file reloaded, it's Active and remains so" >> {
       repo.setExistingUsers(AUTH_PLUGIN_NAME_REMOTE, List("bob"), traceBobOidc).runNow
       repo.setExistingUsers(AUTH_PLUGIN_NAME_LOCAL, userFileBobRemoved, traceReload).runNow