From 2ef412cda2b2a66d348a65dc0eb87a751a9d1a28 Mon Sep 17 00:00:00 2001
From: Markus Strehle <11627201+strehle@users.noreply.github.com>
Date: Tue, 11 Jun 2024 06:45:12 +0200
Subject: [PATCH] Fix issue #2917 (#2923)

* IT for testing a fix of issue #2917

Test shows: SAML OK OIDC we have an issue

* Fix issue #2917

Perform shadow user creation (NewUserAuthenticatedEvent) without authorities creation, but rely on event ExternalGroupAuthorizationEvent later.

Includes: IT for testing a fix of issue #2917
---
 .../manager/ExternalLoginAuthenticationManager.java | 2 +-
 .../main/java/org/cloudfoundry/identity/uaa/user/UaaUser.java | 2 +-
 .../identity/uaa/integration/feature/OIDCLoginIT.java | 1 +
 .../identity/uaa/integration/feature/SamlLoginIT.java | 3 +++
 4 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/ExternalLoginAuthenticationManager.java b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/ExternalLoginAuthenticationManager.java
index 676f5722ce2..3bd353fd43f 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/ExternalLoginAuthenticationManager.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/ExternalLoginAuthenticationManager.java
@@ -137,7 +137,7 @@ public Authentication authenticate(Authentication request) throws Authentication
 if (!isAddNewShadowUser()) {
 throw new AccountNotPreCreatedException("The user account must be pre-created. Please contact your system administrator.");
 }
- publish(new NewUserAuthenticatedEvent(userFromRequest));
+ publish(new NewUserAuthenticatedEvent(userFromRequest.authorities(List.of())));
 try {
 userFromDb = userDatabase.retrieveUserByName(userFromRequest.getUsername(), getOrigin());
 } catch (UsernameNotFoundException ex) {
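Review bot: The reason for `userFromRequest.authorities(List.of())` is invisible at the call site, so the next reader may well "fix" it back to passing the request authorities. Add a why-comment above the publish line, e.g. `// Create the shadow user with only the default uaa.user authority (UaaUser.authorities() always adds it); external group memberships are granted afterwards via ExternalGroupAuthorizationEvent so each membership carries the IdP origin.` The second half of that comment is inferred from the commit message and the origin assertions in the ITs, so adjust it if the event flow differs. It also implies that a user whose provider never publishes ExternalGroupAuthorizationEvent ends up with only uaa.user, which is the conservative least-privilege outcome but deserves to be stated. If `java.util.List` is not already imported in this file the new `List.of()` needs it; the import block and the remainder of authenticate() are outside the hunk.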
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/user/UaaUser.java b/server/src/main/java/org/cloudfoundry/identity/uaa/user/UaaUser.java
index 2b7120f61bb..2f9a51226b5 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/user/UaaUser.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/user/UaaUser.java
@@ -229,7 +229,7 @@ public UaaUser authorities(Collection authorities) {
 if (!values.contains(UaaAuthority.UAA_USER)) {
 values.add(UaaAuthority.UAA_USER);
 }
- return new UaaUser(id, username, getPassword(), email, values, givenName, familyName, created, modified, origin, externalId, verified, zoneId, salt, passwordLastModified);
+ return new UaaUser(new UaaUserPrototype(this).withAuthorities(values));
 }
 @Override
diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/OIDCLoginIT.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/OIDCLoginIT.java
index 4202f6fbacf..e55d73ce24d 100644
--- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/OIDCLoginIT.java
+++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/OIDCLoginIT.java
@@ -355,6 +355,7 @@ public void successfulLoginWithOIDCProviderWithExternalGroups() {
 ScimGroup updatedCreatedGroup = IntegrationTestUtils.getGroup(adminToken, subdomain, baseUrl, createdGroup.getDisplayName());
 assertTrue(isMember(user.getId(), updatedCreatedGroup));
+ assertTrue("Expect group members to have origin: " + user.getOrigin(), updatedCreatedGroup.getMembers().stream().allMatch(p -> user.getOrigin().equals(p.getOrigin())));
 }
 @Test
diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/SamlLoginIT.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/SamlLoginIT.java
index 45555874bae..1b2257eba14 100644
--- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/SamlLoginIT.java
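Review bot: `new UaaUserPrototype(this).withAuthorities(values)` copies whatever fields the prototype knows about, whereas the removed constructor call enumerated 15 fields explicitly, so any field the old call omitted now survives an authorities() call; that looks like part of the fix, but nothing on the method says so. Add a Javadoc on authorities() stating that it returns a copy of this user with the given authorities, that uaa.user is always added when absent, and that every other field is carried over unchanged. The signature sits in the hunk header, outside the hunk, and still takes a raw `Collection`; a typed `Collection<? extends GrantedAuthority>` would let the compiler check new callers such as `authorities(List.of())` in ExternalLoginAuthenticationManager, assuming no caller passes a raw or mixed collection today.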
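Review bot: The new `allMatch` assertion checks every member of updatedCreatedGroup rather than the test user alone, so it only proves the #2917 fix while the group holds no members from other origins — fine for a group the test itself creates, but fragile if the group is ever reused; filtering on the test user's member id before `allMatch` would make the intent exact. `allMatch` is also vacuously true on an empty member list, which is safe here only because the preceding `isMember` assertion guarantees at least one member. A one-line comment would capture both points, e.g. `// regression for #2917: the shadow user's membership must carry the IdP origin`. The test method begins before the hunk.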
+++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/SamlLoginIT.java
@@ -865,8 +865,11 @@ public void testSamlLogin_Map_Groups_In_Zone1() {
 String samlUserId = IntegrationTestUtils.getUserId(adminTokenInZone, zoneUrl, provider.getOriginKey(), MARISSA4_EMAIL);
 uaaSamlUserGroup = IntegrationTestUtils.getGroup(adminTokenInZone, null, zoneUrl, "uaa.saml.user");
 uaaSamlAdminGroup = IntegrationTestUtils.getGroup(adminTokenInZone, null, zoneUrl, "uaa.saml.admin");
+ IdentityProvider finalProvider = provider;
 assertTrue(isMember(samlUserId, uaaSamlUserGroup));
+ assertTrue("Expect saml user members to have origin: " + finalProvider.getOriginKey(), uaaSamlUserGroup.getMembers().stream().allMatch(p -> finalProvider.getOriginKey().equals(p.getOrigin())));
 assertTrue(isMember(samlUserId, uaaSamlAdminGroup));
+ assertTrue("Expect admin members to have origin: " + finalProvider.getOriginKey(), uaaSamlAdminGroup.getMembers().stream().allMatch(p -> finalProvider.getOriginKey().equals(p.getOrigin())));
 }