Reject IdZ deletion if an IdP with alias exists in the zone

server/src/main/java/org/cloudfoundry/identity/uaa/provider/JdbcIdentityProviderProvisioning.java

@@ -1,17 +1,20 @@
 package org.cloudfoundry.identity.uaa.provider;
 
+import static java.sql.Types.VARCHAR;
+
 import org.cloudfoundry.identity.uaa.audit.event.SystemDeletable;
 import org.cloudfoundry.identity.uaa.constants.OriginKeys;
 import org.cloudfoundry.identity.uaa.util.JsonUtils;
 import org.cloudfoundry.identity.uaa.util.ObjectUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.dao.DataAccessException;
 import org.springframework.dao.DataIntegrityViolationException;
 import org.springframework.dao.DuplicateKeyException;
+import org.springframework.dao.EmptyResultDataAccessException;
 import org.springframework.jdbc.core.JdbcTemplate;
 import org.springframework.jdbc.core.RowMapper;
 import org.springframework.stereotype.Component;
-import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 
 import java.sql.ResultSet;
@@ -34,13 +37,15 @@ public class JdbcIdentityProviderProvisioning implements IdentityProviderProvisi
 
     public static final String IDENTITY_ACTIVE_PROVIDERS_QUERY = IDENTITY_PROVIDERS_QUERY + " and active=?";
 
+    public static final String IDP_WITH_ALIAS_EXISTS_QUERY = "select 1 from identity_provider idp where idp.identity_zone_id = ? and idp.alias_zid is not null and idp.alias_zid <> '' limit 1";
+
     public static final String ID_PROVIDER_UPDATE_FIELDS = "version,lastmodified,name,type,config,active,alias_id,alias_zid".replace(",", "=?,") + "=?";
 
     public static final String UPDATE_IDENTITY_PROVIDER_SQL = "update identity_provider set " + ID_PROVIDER_UPDATE_FIELDS + " where id=? and identity_zone_id=?";
 
     public static final String DELETE_IDENTITY_PROVIDER_BY_ORIGIN_SQL = "delete from identity_provider where identity_zone_id=? and origin_key = ?";
 
-    public static final String DELETE_IDENTITY_PROVIDER_BY_ZONE_SQL = "delete from identity_provider where identity_zone_id=? or alias_zid=?";
+    public static final String DELETE_IDENTITY_PROVIDER_BY_ZONE_SQL = "delete from identity_provider where identity_zone_id=?";
 
     public static final String IDENTITY_PROVIDER_BY_ID_QUERY = "select " + ID_PROVIDER_FIELDS + " from identity_provider " + "where id=? and identity_zone_id=?";
 
@@ -56,6 +61,24 @@ public JdbcIdentityProviderProvisioning(JdbcTemplate jdbcTemplate) {
         this.jdbcTemplate = jdbcTemplate;
     }
 
+    public boolean idpWithAliasExistsInZone(final String zoneId) {
+        final Integer idpWithAliasExists;
+        try {
+            idpWithAliasExists = jdbcTemplate.queryForObject(
+                    IDP_WITH_ALIAS_EXISTS_QUERY,
+                    new Object[]{zoneId},
+                    new int[]{VARCHAR},
+                    Integer.class
+            );
+        } catch (final EmptyResultDataAccessException e) {
+            return false;
+        }
+        if (idpWithAliasExists == null) {
+            return false;
+        }
+        return idpWithAliasExists == 1;
+    }
+
     @Override
     public IdentityProvider retrieve(String id, String zoneId) {
         return jdbcTemplate.queryForObject(IDENTITY_PROVIDER_BY_ID_QUERY, mapper, id, zoneId);
@@ -150,12 +173,9 @@ protected void validate(IdentityProvider provider) {
         }
     }
 
-    /**
-     * Delete all identity providers in the given zone as well as all alias identity providers of them.
-     */
     @Override
     public int deleteByIdentityZone(String zoneId) {
-        return jdbcTemplate.update(DELETE_IDENTITY_PROVIDER_BY_ZONE_SQL, zoneId, zoneId);
+        return jdbcTemplate.update(DELETE_IDENTITY_PROVIDER_BY_ZONE_SQL, zoneId);
     }
 
     @Override

server/src/main/java/org/cloudfoundry/identity/uaa/zone/IdentityZoneEndpoints.java

@@ -7,7 +7,7 @@
 import org.cloudfoundry.identity.uaa.error.UaaException;
 import org.cloudfoundry.identity.uaa.provider.ClientAlreadyExistsException;
 import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
-import org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning;
+import org.cloudfoundry.identity.uaa.provider.JdbcIdentityProviderProvisioning;
 import org.cloudfoundry.identity.uaa.provider.NoSuchClientException;
 import org.cloudfoundry.identity.uaa.provider.UaaIdentityProviderDefinition;
 import org.cloudfoundry.identity.uaa.saml.SamlKey;
@@ -68,7 +68,7 @@ public class IdentityZoneEndpoints implements ApplicationEventPublisherAware {
     private static final String ID_SUBDOMAIN_LOGGING = "[{}] subdomain [{}]";
 
     private final IdentityZoneProvisioning zoneDao;
-    private final IdentityProviderProvisioning idpDao;
+    private final JdbcIdentityProviderProvisioning idpDao;
     private final IdentityZoneEndpointClientRegistrationService clientRegistrationService;
     private final ScimGroupProvisioning groupProvisioning;
     private final IdentityZoneValidator validator;
@@ -77,7 +77,7 @@ public class IdentityZoneEndpoints implements ApplicationEventPublisherAware {
     private ApplicationEventPublisher publisher;
 
     public IdentityZoneEndpoints(final IdentityZoneProvisioning zoneDao,
-                                 final @Qualifier("identityProviderProvisioning") IdentityProviderProvisioning idpDao,
+                                 final @Qualifier("identityProviderProvisioning") JdbcIdentityProviderProvisioning idpDao,
                                  final IdentityZoneEndpointClientRegistrationService clientRegistrationService,
                                  final ScimGroupProvisioning groupProvisioning,
                                  final IdentityZoneValidator validator,
@@ -336,7 +336,15 @@ public ResponseEntity<IdentityZone> deleteIdentityZone(@PathVariable String id)
             IdentityZone zone = zoneDao.retrieveIgnoreActiveFlag(id);
             // ignore the id in the body, the id in the path is the only one that matters
             IdentityZoneHolder.set(zone);
-            if (publisher != null && zone != null) {
+
+            /* reject deletion if an IdP with alias exists in the zone - checking for users with alias is not required
+             * here, since they can only exist if their origin IdP has an alias as well */
+            final boolean idpWithAliasExists = idpDao.idpWithAliasExistsInZone(zone.getId());
+            if (idpWithAliasExists) {
+                return new ResponseEntity<>(UNPROCESSABLE_ENTITY);
+            }
+
+            if (publisher != null) {
                 publisher.publishEvent(new EntityDeletedEvent<>(zone, SecurityContextHolder.getContext().getAuthentication(), IdentityZoneHolder.getCurrentZoneId()));
                 logger.debug("Zone - deleted id[" + zone.getId() + "]");
                 return new ResponseEntity<>(removeKeys(zone), OK);

server/src/main/resources/org/cloudfoundry/identity/uaa/db/hsqldb/V4_109__AliasZid_Indexes.sql

@@ -0,0 +1,2 @@
+CREATE INDEX identity_provider_alias_zid__idx ON identity_provider (alias_zid);
+CREATE INDEX users_alias_zid__idx ON users (alias_zid);

server/src/main/resources/org/cloudfoundry/identity/uaa/db/mysql/V4_109__AliasZid_Indexes.sql

@@ -0,0 +1,2 @@
+CREATE INDEX identity_provider_alias_zid__idx ON identity_provider (alias_zid);
+CREATE INDEX users_alias_zid__idx ON users (alias_zid);

server/src/main/resources/org/cloudfoundry/identity/uaa/db/postgresql/V4_109__AliasZid_Indexes.sql

@@ -0,0 +1,2 @@
+CREATE INDEX CONCURRENTLY IF NOT EXISTS identity_provider_alias_zid__idx on identity_provider (alias_zid);
+CREATE INDEX CONCURRENTLY IF NOT EXISTS users_alias_zid__idx on users (alias_zid);

server/src/test/java/org/cloudfoundry/identity/uaa/provider/JdbcIdentityProviderProvisioningTests.java

@@ -69,7 +69,7 @@ void deleteProvidersInZone() {
     }
 
     @Test
-    void deleteByIdentityZone_ShouldAlsoDeleteAliasIdentityProviders() {
+    void deleteByIdentityZone_ShouldNotDeleteAliasIdentityProviders() {
         final String originSuffix = generator.generate();
 
         // IdP 1: created in custom zone, no alias
@@ -105,13 +105,13 @@ void deleteByIdentityZone_ShouldAlsoDeleteAliasIdentityProviders() {
         // delete by zone
         final int rowsDeleted = jdbcIdentityProviderProvisioning.deleteByIdentityZone(otherZoneId1);
 
-        // number should also include the alias IdP
-        Assertions.assertThat(rowsDeleted).isEqualTo(3);
+        // number should not include the alias IdP
+        Assertions.assertThat(rowsDeleted).isEqualTo(2);
 
-        // check if all three entries are gone
+        // the two IdPs in the custom zone should be deleted, the alias should still be present
         assertIdentityProviderDoesNotExist(createdIdp1.getId(), otherZoneId1);
         assertIdentityProviderDoesNotExist(createdIdp2.getId(), otherZoneId1);
-        assertIdentityProviderDoesNotExist(createdIdp2Alias.getId(), uaaZoneId);
+        assertIdentityProviderExists(createdIdp2Alias.getId(), uaaZoneId);
     }
 
     private void assertIdentityProviderExists(final String id, final String zoneId) {
@@ -317,4 +317,16 @@ void retrieveIdentityProviderByOriginInDifferentZone() {
         IdentityProvider idp1 = jdbcIdentityProviderProvisioning.create(idp, otherZoneId1);
         assertThrows(EmptyResultDataAccessException.class, () -> jdbcIdentityProviderProvisioning.retrieveByOrigin(idp1.getOriginKey(), otherZoneId2));
     }
+
+    @Test
+    void testIdpWithAliasExistsInZone() {
+        final IdentityProvider<AbstractIdentityProviderDefinition> idpWithAlias = MultitenancyFixture.identityProvider(
+                generator.generate(),
+                otherZoneId1
+        );
+        idpWithAlias.setAliasZid(IdentityZone.getUaaZoneId());
+        idpWithAlias.setAliasId(UUID.randomUUID().toString());
+        jdbcIdentityProviderProvisioning.create(idpWithAlias, otherZoneId1);
+        assertTrue(jdbcIdentityProviderProvisioning.idpWithAliasExistsInZone(otherZoneId1));
+    }
 }

server/src/test/java/org/cloudfoundry/identity/uaa/zone/IdentityZoneEndpointsTests.java

@@ -1,18 +1,24 @@
 package org.cloudfoundry.identity.uaa.zone;
 
+import org.cloudfoundry.identity.uaa.audit.event.EntityDeletedEvent;
 import org.cloudfoundry.identity.uaa.error.UaaException;
 import org.cloudfoundry.identity.uaa.extensions.PollutionPreventionExtension;
-import org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning;
+import org.cloudfoundry.identity.uaa.provider.JdbcIdentityProviderProvisioning;
 import org.cloudfoundry.identity.uaa.saml.SamlKey;
 import org.cloudfoundry.identity.uaa.scim.ScimGroup;
 import org.cloudfoundry.identity.uaa.scim.ScimGroupProvisioning;
+import org.cloudfoundry.identity.uaa.util.AlphanumericRandomValueStringGenerator;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.ArgumentCaptor;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
 import org.springframework.validation.BindingResult;
 
 import java.util.List;
@@ -49,14 +55,22 @@ class IdentityZoneEndpointsTests {
     private IdentityZoneValidator mockIdentityZoneValidator;
 
     @Mock
-    private IdentityProviderProvisioning mockIdentityProviderProvisioning;
+    private JdbcIdentityProviderProvisioning mockIdentityProviderProvisioning;
 
     @Mock
     private IdentityZoneEndpointClientRegistrationService mockIdentityZoneEndpointClientRegistrationService;
 
+    @Mock
+    private ApplicationEventPublisher mockApplicationEventPublisher;
+
     @InjectMocks
     private IdentityZoneEndpoints endpoints;
 
+    @BeforeEach
+    void setUp() {
+        endpoints.setApplicationEventPublisher(mockApplicationEventPublisher);
+    }
+
     @Test
     void create_zone() throws InvalidIdentityZoneDetailsException {
         when(mockIdentityZoneProvisioning.create(any())).then(invocation -> invocation.getArgument(0));
@@ -169,6 +183,45 @@ void reduce_zone_allowed_groups_on_update_should_fail() throws InvalidIdentityZo
             is("The identity zone user configuration contains not-allowed groups."));
     }
 
+    @Test
+    void deleteIdentityZone_ShouldReject_IfIdpWithAliasExists() {
+        final IdentityZone idz = new IdentityZone();
+        final String idzId = new AlphanumericRandomValueStringGenerator(5).generate();
+        idz.setName(idzId);
+        idz.setId(idzId);
+        idz.setSubdomain(idzId);
+        when(mockIdentityZoneProvisioning.retrieveIgnoreActiveFlag(idzId)).thenReturn(idz);
+
+        // arrange IdP with alias exists in zone
+        when(mockIdentityProviderProvisioning.idpWithAliasExistsInZone(idzId)).thenReturn(true);
+
+        final ResponseEntity<IdentityZone> response = endpoints.deleteIdentityZone(idzId);
+        assertNotNull(response);
+        assertEquals(HttpStatus.UNPROCESSABLE_ENTITY, response.getStatusCode());
+    }
+
+    @Test
+    void deleteIdentityZone_ShouldEmitEntityDeletedEvent_WhenNoAliasIdpExists() {
+        final IdentityZone idz = new IdentityZone();
+        final String idzId = new AlphanumericRandomValueStringGenerator(5).generate();
+        idz.setName(idzId);
+        idz.setId(idzId);
+        idz.setSubdomain(idzId);
+        when(mockIdentityZoneProvisioning.retrieveIgnoreActiveFlag(idzId)).thenReturn(idz);
+
+        // arrange no IdP with alias exists in zone
+        when(mockIdentityProviderProvisioning.idpWithAliasExistsInZone(idzId)).thenReturn(false);
+
+        final ResponseEntity<IdentityZone> response = endpoints.deleteIdentityZone(idzId);
+        assertNotNull(response);
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+
+        final ArgumentCaptor<EntityDeletedEvent<IdentityZone>> eventArgument = ArgumentCaptor.forClass(EntityDeletedEvent.class);
+        verify(mockApplicationEventPublisher).publishEvent(eventArgument.capture());
+        final var capturedEvent = eventArgument.getValue();
+        assertEquals(idz, capturedEvent.getDeleted());
+    }
+
     private static IdentityZone createZone() {
         IdentityZone zone = MultitenancyFixture.identityZone("id", "subdomain");
         IdentityZoneConfiguration config = zone.getConfig();

uaa/slateCustomizations/source/index.html.md.erb

@@ -871,6 +871,7 @@ _Error Codes_
 | 401        | Unauthorized - Invalid token                                                |
 | 403        | Forbidden - Insufficient scope (zone admins can only delete their own zone) |
 | 404        | Not Found - Zone does not exist                                             |
+| 422        | Unprocessable Entity - at least one IdP with alias exists in the zone       |
 
 
 # Identity Providers

uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/zones/IdentityZoneEndpointsMockMvcTests.java

@@ -11,13 +11,15 @@
 import org.cloudfoundry.identity.uaa.client.UaaClientDetails;
 import org.cloudfoundry.identity.uaa.client.event.ClientCreateEvent;
 import org.cloudfoundry.identity.uaa.client.event.ClientDeleteEvent;
+import org.cloudfoundry.identity.uaa.constants.OriginKeys;
 import org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils;
 import org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils.IdentityZoneCreationResult;
 import org.cloudfoundry.identity.uaa.oauth.client.ClientConstants;
 import org.cloudfoundry.identity.uaa.oauth.provider.ClientRegistrationService;
 import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
 import org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning;
 import org.cloudfoundry.identity.uaa.provider.JdbcIdentityProviderProvisioning;
+import org.cloudfoundry.identity.uaa.provider.OIDCIdentityProviderDefinition;
 import org.cloudfoundry.identity.uaa.scim.*;
 import org.cloudfoundry.identity.uaa.scim.event.GroupModifiedEvent;
 import org.cloudfoundry.identity.uaa.scim.event.UserModifiedEvent;
@@ -1697,6 +1699,33 @@ void testDeleteZonePublishesEvent() throws Exception {
         assertThat(auditedIdentityZone, containsString(id));
     }
 
+    @Test
+    void testDeleteZone_ShouldFail_WhenIdpWithAliasExistsInZone() throws Exception {
+        // create zone
+        final String idzId = generator.generate();
+        createZone(idzId, HttpStatus.CREATED, identityClientToken, new IdentityZoneConfiguration());
+
+        // create IdP with alias (via DB, since alias feature is disabled by default)
+        final JdbcIdentityProviderProvisioning idpProvisioning = webApplicationContext
+                .getBean(JdbcIdentityProviderProvisioning.class);
+        final IdentityProvider<OIDCIdentityProviderDefinition> idp = new IdentityProvider<>();
+        idp.setName("some-idp");
+        idp.setId(UUID.randomUUID().toString());
+        idp.setIdentityZoneId(idzId);
+        idp.setOriginKey("some-origin-key");
+        idp.setAliasZid(IdentityZone.getUaaZoneId());
+        idp.setAliasId(UUID.randomUUID().toString());
+        idp.setType(OriginKeys.OIDC10);
+        idpProvisioning.create(idp, idzId);
+
+        // deleting zone should fail
+        mockMvc.perform(
+                delete("/identity-zones/" + idzId)
+                        .header("Authorization", "Bearer " + identityClientToken)
+                        .accept(APPLICATION_JSON)
+        ).andExpect(status().isUnprocessableEntity());
+    }
+
     @Test
     void testCreateAndDeleteLimitedClientInNewZoneUsingZoneEndpoint() throws Exception {
         String id = generator.generate();