Check zone id before jdbc access

server/src/main/java/org/cloudfoundry/identity/uaa/scim/jdbc/JdbcScimGroupProvisioning.java

@@ -157,6 +157,7 @@ void createAndIgnoreDuplicate(final String name, final String zoneId) {
         try {
             create(new ScimGroup(null, name, zoneId), zoneId);
         } catch (ScimResourceAlreadyExistsException ignore) {
+            // ignore
         }
     }
 
@@ -185,14 +186,11 @@ public ScimGroup getByName(String displayName, String zoneId) {
 
     @Override
     public void onApplicationEvent(AbstractUaaEvent event) {
-        if (event instanceof IdentityZoneModifiedEvent) {
-            IdentityZoneModifiedEvent zevent = (IdentityZoneModifiedEvent) event;
-            if (zevent.getEventType() == AuditEventType.IdentityZoneCreatedEvent) {
-                final String zoneId = ((IdentityZone) event.getSource()).getId();
-                getSystemScopes().forEach(
-                        scope -> createAndIgnoreDuplicate(scope, zoneId)
-                );
-            }
+        if (event instanceof IdentityZoneModifiedEvent zevent && zevent.getEventType() == AuditEventType.IdentityZoneCreatedEvent) {
+            final String zoneId = ((IdentityZone) event.getSource()).getId();
+            getSystemScopes().forEach(
+                    scope -> createAndIgnoreDuplicate(scope, zoneId)
+            );
         }
         SystemDeletable.super.onApplicationEvent(event);
     }
@@ -224,8 +222,9 @@ public ScimGroup retrieve(String id, final String zoneId) throws ScimResourceNot
 
     @Override
     public ScimGroup create(final ScimGroup group, final String zoneId) throws InvalidScimResourceException {
+        validateZoneId(zoneId);
         final String id = UUID.randomUUID().toString();
-        logger.debug("creating new group with id: " + id);
+        logger.debug("creating new group with id: {}", id);
         try {
             validateGroup(group);
             jdbcTemplate.update(addGroupSql, ps -> {
@@ -249,6 +248,7 @@ public ScimGroup create(final ScimGroup group, final String zoneId) throws Inval
     public ScimGroup update(final String id, final ScimGroup group, final String zoneId) throws InvalidScimResourceException,
             ScimResourceNotFoundException {
         try {
+            validateZoneId(zoneId);
             validateGroup(group);
 
             int updated = jdbcTemplate.update(updateGroupSql, ps -> {
@@ -273,6 +273,7 @@ public ScimGroup update(final String id, final ScimGroup group, final String zon
 
     @Override
     public ScimGroup delete(String id, int version, String zoneId) throws ScimResourceNotFoundException {
+        validateZoneId(zoneId);
         ScimGroup group = retrieve(id, zoneId);
         jdbcScimGroupMembershipManager.removeMembersByGroupId(id, zoneId);
         jdbcScimGroupExternalMembershipManager.unmapAll(id, zoneId);
@@ -288,6 +289,7 @@ public ScimGroup delete(String id, int version, String zoneId) throws ScimResour
         return group;
     }
 
+    @Override
     public int deleteByIdentityZone(String zoneId) {
         jdbcTemplate.update(deleteZoneAdminMembershipByZone, IdentityZone.getUaaZoneId(), "zones." + zoneId + ".%");
         jdbcTemplate.update(deleteZoneAdminGroupsByZone, IdentityZone.getUaaZoneId(), "zones." + zoneId + ".%");
@@ -296,6 +298,7 @@ public int deleteByIdentityZone(String zoneId) {
         return jdbcTemplate.update(deleteGroupByZone, zoneId);
     }
 
+    @Override
     public int deleteByOrigin(String origin, String zoneId) {
         jdbcTemplate.update(deleteExternalGroupByProvider, zoneId, origin);
         return jdbcTemplate.update(deleteGroupMembershipByProvider, zoneId, origin);
@@ -307,7 +310,11 @@ public int deleteByUser(String userId, String zoneId) {
     }
 
     private void validateGroup(ScimGroup group) throws ScimResourceConstraintFailedException {
-        if (!hasText(group.getZoneId())) {
+        validateZoneId(group.getZoneId());
+    }
+
+    private void validateZoneId(String zoneId) throws ScimResourceConstraintFailedException {
+        if (!hasText(zoneId)) {
             throw new ScimResourceConstraintFailedException("zoneId is a required field");
         }
     }

server/src/test/java/org/cloudfoundry/identity/uaa/scim/jdbc/JdbcScimGroupProvisioningTests.java

@@ -7,6 +7,7 @@
 import org.cloudfoundry.identity.uaa.scim.ScimGroupMember;
 import org.cloudfoundry.identity.uaa.scim.ScimUser;
 import org.cloudfoundry.identity.uaa.scim.ScimUserProvisioning;
+import org.cloudfoundry.identity.uaa.scim.exception.ScimResourceConstraintFailedException;
 import org.cloudfoundry.identity.uaa.scim.exception.ScimResourceNotFoundException;
 import org.cloudfoundry.identity.uaa.scim.test.TestUtils;
 import org.cloudfoundry.identity.uaa.util.beans.DbUtils;
@@ -43,6 +44,7 @@
 import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.core.Is.is;
 import static org.junit.jupiter.api.Assertions.*;
+import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.mockito.Mockito.*;
 import static org.springframework.util.StringUtils.hasText;
 
@@ -446,6 +448,36 @@ void sqlInjectionAttack5Fails() {
         );
     }
 
+    @Test
+    void createGroupNullZoneId() {
+        ScimGroup g = new ScimGroup(null, "null", null);
+        g.setDescription("description-create");
+        ScimGroupMember m1 = new ScimGroupMember("m1", ScimGroupMember.Type.USER);
+        ScimGroupMember m2 = new ScimGroupMember("m2", ScimGroupMember.Type.USER);
+        g.setMembers(Arrays.asList(m1, m2));
+        ScimGroup errorGroup = g;
+        assertThrows(ScimResourceConstraintFailedException.class, () -> dao.create(errorGroup, null));
+        g.setZoneId(zoneId);
+        assertThrows(ScimResourceConstraintFailedException.class, () -> dao.create(errorGroup, null));
+        g = dao.create(g, zoneId);
+        assertNotNull(g);
+        assertEquals(zoneId, g.getZoneId());
+    }
+
+    @Test
+    void deleteGroupByOrigin() {
+        ScimGroup g = new ScimGroup(UUID.randomUUID().toString(), "null", zoneId);
+        g.setDescription("description-create");
+        ScimGroupMember m1 = new ScimGroupMember("m1", ScimGroupMember.Type.GROUP);
+        m1.setOrigin("custom-origin");
+        ScimGroupMember m2 = new ScimGroupMember("m2", ScimGroupMember.Type.GROUP);
+        m2.setOrigin("custom-origin");
+        g.setMembers(Arrays.asList(m1, m2));
+        g = dao.create(g, zoneId);
+        dao.deleteByOrigin("custom-origin", zoneId);
+        assertEquals(0, memberships.getMembers(g.getId(), true, zoneId).size());
+    }
+
     private void validateGroupCountInZone(int expected, String zoneId) {
         int existingGroupCount = jdbcTemplate.queryForObject("select count(id) from groups where identity_zone_id='" + zoneId + "'", Integer.class);
         assertEquals(expected, existingGroupCount);