Make sure the SCIM user DAO takes zoneId for all its calls

server/src/main/java/org/cloudfoundry/identity/uaa/account/EmailAccountCreationService.java

@@ -109,7 +109,7 @@ public AccountCreationResponse completeActivation(String code) throws IOExceptio
 
         Map<String, String> data = JsonUtils.readValue(expiringCode.getData(), new TypeReference<Map<String, String>>() {});
         ScimUser user = scimUserProvisioning.retrieve(data.get("user_id"), IdentityZoneHolder.get().getId());
-        user = scimUserProvisioning.verifyUser(user.getId(), user.getVersion());
+        user = scimUserProvisioning.verifyUser(user.getId(), user.getVersion(), IdentityZoneHolder.get().getId());
 
         String clientId = data.get("client_id");
         String redirectUri = data.get("redirect_uri") != null ? data.get("redirect_uri") : "";
@@ -156,7 +156,7 @@ public ScimUser createUser(String username, String password, String origin) {
         scimUser.setPassword(password);
         scimUser.setVerified(false);
         try {
-            ScimUser userResponse = scimUserProvisioning.createUser(scimUser, password);
+            ScimUser userResponse = scimUserProvisioning.createUser(scimUser, password, IdentityZoneHolder.get().getId());
             return userResponse;
         } catch (RuntimeException x) {
             if (x instanceof ScimResourceAlreadyExistsException) {

server/src/main/java/org/cloudfoundry/identity/uaa/account/PasswordChangeEndpoint.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- *     Cloud Foundry 
+ *     Cloud Foundry
  *     Copyright (c) [2009-2016] Pivotal Software, Inc. All Rights Reserved.
  *
  *     This product is licensed to you under the Apache License, Version 2.0 (the "License").
@@ -25,6 +25,7 @@
 import org.cloudfoundry.identity.uaa.scim.validate.PasswordValidator;
 import org.cloudfoundry.identity.uaa.security.DefaultSecurityContextAccessor;
 import org.cloudfoundry.identity.uaa.security.SecurityContextAccessor;
+import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.http.converter.HttpMessageConverter;
@@ -82,11 +83,11 @@ void setSecurityContextAccessor(SecurityContextAccessor securityContextAccessor)
     @ResponseBody
     public ActionResult changePassword(@PathVariable String userId, @RequestBody PasswordChangeRequest change) {
         checkPasswordChangeIsAllowed(userId, change.getOldPassword());
-        if (dao.checkPasswordMatches(userId, change.getPassword())) {
+        if (dao.checkPasswordMatches(userId, change.getPassword(), IdentityZoneHolder.get().getId())) {
             throw new InvalidPasswordException("Your new password cannot be the same as the old password.", UNPROCESSABLE_ENTITY);
         }
         passwordValidator.validate(change.getPassword());
-        dao.changePassword(userId, change.getOldPassword(), change.getPassword());
+        dao.changePassword(userId, change.getOldPassword(), change.getPassword(), IdentityZoneHolder.get().getId());
         return new ActionResult("ok", "password updated");
     }
 

server/src/main/java/org/cloudfoundry/identity/uaa/account/UaaChangePasswordService.java

@@ -56,10 +56,10 @@ public void changePassword(String username, String currentPassword, String newPa
         ScimUser user = results.get(0);
         UaaUser uaaUser = getUaaUser(user);
         try {
-            if (scimUserProvisioning.checkPasswordMatches(user.getId(), newPassword)) {
+            if (scimUserProvisioning.checkPasswordMatches(user.getId(), newPassword, IdentityZoneHolder.get().getId())) {
                 throw new InvalidPasswordException("Your new password cannot be the same as the old password.", UNPROCESSABLE_ENTITY);
             }
-            scimUserProvisioning.changePassword(user.getId(), currentPassword, newPassword);
+            scimUserProvisioning.changePassword(user.getId(), currentPassword, newPassword, IdentityZoneHolder.get().getId());
             publish(new PasswordChangeEvent("Password changed", uaaUser, SecurityContextHolder.getContext().getAuthentication()));
         } catch (Exception e) {
             publish(new PasswordChangeFailureEvent(e.getMessage(), uaaUser, SecurityContextHolder.getContext().getAuthentication()));

server/src/main/java/org/cloudfoundry/identity/uaa/account/UaaResetPasswordService.java

@@ -83,12 +83,12 @@ public ResetPasswordResponse resetPassword(ExpiringCode code, String newPassword
 
     @Override
     public void updateLastLogonTime(String userId) {
-        scimUserProvisioning.updateLastLogonTime(userId);
+        scimUserProvisioning.updateLastLogonTime(userId, IdentityZoneHolder.get().getId());
     }
 
     @Override
     public void resetUserPassword(String userId, String password) {
-        if (scimUserProvisioning.checkPasswordMatches(userId, password)) {
+        if (scimUserProvisioning.checkPasswordMatches(userId, password, IdentityZoneHolder.get().getId())) {
             throw new InvalidPasswordException(resourcePropertySource.getProperty("force_password_change.same_as_old").toString(), UNPROCESSABLE_ENTITY);
         }
         passwordValidator.validate(password);
@@ -120,14 +120,14 @@ private ResetPasswordResponse changePasswordCodeAuthenticated(ExpiringCode expir
         UaaUser uaaUser = getUaaUser(user);
         Authentication authentication = constructAuthentication(uaaUser);
         try {
-            if (scimUserProvisioning.checkPasswordMatches(userId, newPassword)) {
+            if (scimUserProvisioning.checkPasswordMatches(userId, newPassword, IdentityZoneHolder.get().getId())) {
                 throw new InvalidPasswordException("Your new password cannot be the same as the old password.", UNPROCESSABLE_ENTITY);
             }
             if (isUserModified(user, expiringCode.getExpiresAt(), userName, passwordLastModified)) {
                 throw new UaaException("Invalid password reset request.");
             }
             if (!user.isVerified()) {
-                scimUserProvisioning.verifyUser(userId, -1);
+                scimUserProvisioning.verifyUser(userId, -1, IdentityZoneHolder.get().getId());
             }
 
             updatePasswordAndPublishEvent(scimUserProvisioning, uaaUser, authentication, newPassword);
@@ -210,8 +210,8 @@ private UaaAuthentication constructAuthentication(UaaUser uaaUser) {
     }
 
     private void updatePasswordAndPublishEvent(ScimUserProvisioning scimUserProvisioning, UaaUser uaaUser, Authentication authentication, String newPassword){
-        scimUserProvisioning.changePassword(uaaUser.getId(), null, newPassword);
-        scimUserProvisioning.updatePasswordChangeRequired(uaaUser.getId(), false);
+        scimUserProvisioning.changePassword(uaaUser.getId(), null, newPassword, IdentityZoneHolder.get().getId());
+        scimUserProvisioning.updatePasswordChangeRequired(uaaUser.getId(), false, IdentityZoneHolder.get().getId());
         publish(new PasswordChangeEvent("Password changed", uaaUser, authentication));
     }
 }

server/src/main/java/org/cloudfoundry/identity/uaa/authentication/listener/UserAuthenticationSuccessListener.java

@@ -4,6 +4,7 @@
 import org.cloudfoundry.identity.uaa.authentication.event.UserAuthenticationSuccessEvent;
 import org.cloudfoundry.identity.uaa.scim.ScimUserProvisioning;
 import org.cloudfoundry.identity.uaa.user.UaaUser;
+import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
 import org.springframework.context.ApplicationListener;
 
 /*******************************************************************************
@@ -30,10 +31,10 @@ public UserAuthenticationSuccessListener(ScimUserProvisioning scimUserProvisioni
     public void onApplicationEvent(UserAuthenticationSuccessEvent event) {
         UaaUser user = event.getUser();
         if(user.isLegacyVerificationBehavior() && !user.isVerified()) {
-            scimUserProvisioning.verifyUser(user.getId(), -1);
+            scimUserProvisioning.verifyUser(user.getId(), -1, IdentityZoneHolder.get().getId());
         }
         UaaAuthentication authentication = (UaaAuthentication) event.getAuthentication();
         authentication.setLastLoginSuccessTime(user.getLastLogonTime());
-        scimUserProvisioning.updateLastLogonTime(user.getId());
+        scimUserProvisioning.updateLastLogonTime(user.getId(), IdentityZoneHolder.get().getId());
     }
 }

server/src/main/java/org/cloudfoundry/identity/uaa/invitations/EmailInvitationsService.java

@@ -59,13 +59,13 @@ public AcceptedInvitation acceptInvitation(String code, String password) {
 
         ScimUser user = scimUserProvisioning.retrieve(userId, IdentityZoneHolder.get().getId());
 
-        user = scimUserProvisioning.verifyUser(userId, user.getVersion());
+        user = scimUserProvisioning.verifyUser(userId, user.getVersion(), IdentityZoneHolder.get().getId());
 
 
         if (OriginKeys.UAA.equals(user.getOrigin()) && StringUtils.hasText(password)) {
             PasswordChangeRequest request = new PasswordChangeRequest();
             request.setPassword(password);
-            scimUserProvisioning.changePassword(userId, null, password);
+            scimUserProvisioning.changePassword(userId, null, password, IdentityZoneHolder.get().getId());
         }
 
         String redirectLocation = "/home";

server/src/main/java/org/cloudfoundry/identity/uaa/invitations/InvitationsEndpoint.java

@@ -144,7 +144,7 @@ protected ScimUser findOrCreateUser(String email, String origin) {
             user.setOrigin(origin);
             user.setVerified(false);
             user.setActive(true);
-            return users.createUser(user, new RandomValueStringGenerator(12).generate());
+            return users.createUser(user, new RandomValueStringGenerator(12).generate(), IdentityZoneHolder.get().getId());
         } else if (results.size() == 1) {
             return results.get(0);
         } else {

server/src/main/java/org/cloudfoundry/identity/uaa/scim/ScimUserProvisioning.java

@@ -21,18 +21,18 @@
 
 public interface ScimUserProvisioning extends ResourceManager<ScimUser>, Queryable<ScimUser> {
 
-    ScimUser createUser(ScimUser user, String password) throws InvalidPasswordException, InvalidScimResourceException;
+    ScimUser createUser(ScimUser user, String password, String zoneId) throws InvalidPasswordException, InvalidScimResourceException;
 
-    void changePassword(String id, String oldPassword, String newPassword) throws ScimResourceNotFoundException;
+    void changePassword(String id, String oldPassword, String newPassword, String zoneId) throws ScimResourceNotFoundException;
 
-    void updatePasswordChangeRequired(String userId, boolean passwordChangeRequired) throws ScimResourceNotFoundException;
+    void updatePasswordChangeRequired(String userId, boolean passwordChangeRequired, String zoneId) throws ScimResourceNotFoundException;
 
-    ScimUser verifyUser(String id, int version) throws ScimResourceNotFoundException, InvalidScimResourceException;
+    ScimUser verifyUser(String id, int version, String zoneId) throws ScimResourceNotFoundException, InvalidScimResourceException;
 
-    boolean checkPasswordMatches(String id, String password) throws ScimResourceNotFoundException;
+    boolean checkPasswordMatches(String id, String password, String zoneId) throws ScimResourceNotFoundException;
 
-    boolean checkPasswordChangeIndividuallyRequired(String id) throws ScimResourceNotFoundException;
+    boolean checkPasswordChangeIndividuallyRequired(String id, String zoneId) throws ScimResourceNotFoundException;
 
-    void updateLastLogonTime(String id);
+    void updateLastLogonTime(String id, String zoneId);
 }
 

server/src/main/java/org/cloudfoundry/identity/uaa/scim/bootstrap/ScimUserBootstrap.java

@@ -202,7 +202,7 @@ private void updateUser(ScimUser existingUser, UaaUser updatedUser, boolean upda
         newScimUser.setVersion(existingUser.getVersion());
         scimUserProvisioning.update(id, newScimUser, IdentityZoneHolder.get().getId());
         if (OriginKeys.UAA.equals(newScimUser.getOrigin()) && hasText(updatedUser.getPassword())) { //password is not relevant for non UAA users
-            scimUserProvisioning.changePassword(id, null, updatedUser.getPassword());
+            scimUserProvisioning.changePassword(id, null, updatedUser.getPassword(), IdentityZoneHolder.get().getId());
         }
         if (updateGroups) {
             Collection<String> newGroups = convertToGroups(updatedUser.getAuthorities());
@@ -213,7 +213,7 @@ private void updateUser(ScimUser existingUser, UaaUser updatedUser, boolean upda
 
     private void createNewUser(UaaUser user) {
         logger.debug("Registering new user account: " + user);
-        ScimUser newScimUser = scimUserProvisioning.createUser(convertToScimUser(user), user.getPassword());
+        ScimUser newScimUser = scimUserProvisioning.createUser(convertToScimUser(user), user.getPassword(), IdentityZoneHolder.get().getId());
         addGroups(newScimUser.getId(), convertToGroups(user.getAuthorities()));
     }
 

server/src/main/java/org/cloudfoundry/identity/uaa/scim/endpoints/ScimUserEndpoints.java

@@ -235,7 +235,7 @@ public ScimUser createUser(@RequestBody ScimUser user, HttpServletRequest reques
             passwordValidator.validate(user.getPassword());
         }
 
-        ScimUser scimUser = scimUserProvisioning.createUser(user, user.getPassword());
+        ScimUser scimUser = scimUserProvisioning.createUser(user, user.getPassword(), IdentityZoneHolder.get().getId());
         if (user.getApprovals()!=null) {
             for (Approval approval : user.getApprovals()) {
                 approval.setUserId(scimUser.getId());
@@ -359,7 +359,7 @@ public ScimUser verifyUser(@PathVariable String userId,
                     @RequestHeader(value = "If-Match", required = false) String etag,
                     HttpServletResponse httpServletResponse) {
         int version = etag == null ? -1 : getVersion(userId, etag);
-        ScimUser user = scimUserProvisioning.verifyUser(userId, version);
+        ScimUser user = scimUserProvisioning.verifyUser(userId, version, IdentityZoneHolder.get().getId());
         scimUpdates.incrementAndGet();
         addETagHeader(httpServletResponse, user);
         return user;
@@ -458,7 +458,7 @@ public UserAccountStatus updateAccountStatus(@RequestBody UserAccountStatus stat
             publish(new UserAccountUnlockedEvent(user));
         }
         if(status.isPasswordChangeRequired() != null && status.isPasswordChangeRequired()) {
-            scimUserProvisioning.updatePasswordChangeRequired(userId, true);
+            scimUserProvisioning.updatePasswordChangeRequired(userId, true, IdentityZoneHolder.get().getId());
         }
 
         return status;