slashdevops/idp-scim-sync

bug: Request is unparsable, syntactically incorrect, or violates schema.

christiangda opened this issue · 6 comments

Describe the bug
Due to limitations in the AWS SSO SCIM API, specifically the patchgroup operation when some groups have more than 100 members:

...
* A maximum of 100 membership changes are allowed in a single request.
...

the SCIM API responds with:

{"schema":["urn:ietf:params:scim:api:messages:2.0:Error"],"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Request is unparsable, syntactically incorrect, or violates schema.","status":"400","exceptionRequestId":"f32ad558-5b05-45ea-8135-552a2f254d4f","timeStamp":"2022-04-15 14:09:03.693"}

To Reproduce
Have a group in Google Workspace with more than 100 members

Expected behavior
Do the sync without any error.
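As an added example, not the project's own code: the quoted limit means a group with more than 100 members cannot be populated with one PatchOp request, so the membership changes have to be split across requests of at most 100 changes each. The code below builds SCIM 2.0 PatchOp bodies (RFC 7644 section 3.5.2) that way; the names buildAddMemberPatches, membershipChanges and encodePatch are hypothetical, and the sample member IDs are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SCIM 2.0 PatchOp request body (RFC 7644, section 3.5.2). Field names follow the RFC.
type scimPatchOp struct {
	Schemas    []string        `json:"schemas"`
	Operations []scimOperation `json:"Operations"`
}

type scimOperation struct {
	Op    string       `json:"op"`
	Path  string       `json:"path"`
	Value []scimMember `json:"value"`
}

type scimMember struct {
	Value string `json:"value"`
}

// Limit quoted in the issue: at most 100 membership changes per PatchGroup request.
const maxMembershipChanges = 100

// buildAddMemberPatches (hypothetical name) splits memberIDs into PatchOp bodies
// that each add at most limit members to a group. Sending all members in one
// request is what exceeds the limit described in the issue.
func buildAddMemberPatches(memberIDs []string, limit int) []scimPatchOp {
	if limit <= 0 {
		limit = maxMembershipChanges
	}
	var patches []scimPatchOp
	for start := 0; start < len(memberIDs); start += limit {
		end := start + limit
		if end > len(memberIDs) {
			end = len(memberIDs)
		}
		members := make([]scimMember, 0, end-start)
		for _, id := range memberIDs[start:end] {
			members = append(members, scimMember{Value: id})
		}
		patches = append(patches, scimPatchOp{
			Schemas:    []string{"urn:ietf:params:scim:api:messages:2.0:PatchOp"},
			Operations: []scimOperation{{Op: "add", Path: "members", Value: members}},
		})
	}
	return patches
}

// membershipChanges counts the member values carried by one PatchOp body,
// which is the quantity the 100-change limit applies to.
func membershipChanges(p scimPatchOp) int {
	n := 0
	for _, op := range p.Operations {
		n += len(op.Value)
	}
	return n
}

// encodePatch marshals a PatchOp body to the JSON that would be sent in the PATCH request.
func encodePatch(p scimPatchOp) (string, error) {
	b, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	// Constructed sample: 137 member IDs, the group size reported later in this thread.
	ids := make([]string, 137)
	for i := range ids {
		ids[i] = fmt.Sprintf("user-%03d", i)
	}
	for i, p := range buildAddMemberPatches(ids, maxMembershipChanges) {
		body, _ := encodePatch(p)
		fmt.Printf("request %d: %d membership changes, %d bytes\n", i+1, membershipChanges(p), len(body))
	}
}
```

With 137 members this produces two requests, one with 100 changes and one with 37, each under the quoted limit. The same chunking applies to removals, since the limit counts membership changes per request regardless of operation.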

Hi there!
This bug appeared again for us; we're using the latest version (0.0.13).
We're syncing three groups, and one of them has more than 100 users (137 right now).
I deleted the state to force a clean run of the sync app, but it still returns that error (and doesn't recreate the state.json).
Thanks a lot!

Hi @snavarro-factorial, could you provide some logs to understand your case?

Sure!
First it starts syncing as it normally does with this:

INFO[0000] starting sync groups                          codeVersion=v0.0.13
INFO[0000] getting identity provider data                group_filter="[name=SysAdmin name=Developers name=Data]"
INFO[0044] getting state data
WARN[0045] no state file found in the state repository, creating a new one
WARN[0045] syncing from scim service, first time syncing
WARN[0045] reconciling the SCIM data with the Identity Provider data
INFO[0045] getting SCIM Groups
INFO[0045] reconciling groups                            idp=3 scim=3
INFO[0045] no groups to be create
INFO[0045] no groups to be updated
INFO[0045] no groups to be deleted
INFO[0045] getting SCIM Users
INFO[0045] reconciling users                             idp=137 scim=50
WARN[0045] creating users                                quantity=87

And then a loop of "creating user -> it already exists":

[...]
WARN[0062] creating user                                 email=xxxx user="xxxx"
WARN[0063] aws CreateOrGetUser: user already exists, trying to get the user information  user=xxxx
[...]

After that loop finishes, it continues with this:

INFO[0063] no users to be updated
INFO[0063] no users to be removed
INFO[0063] getting SCIM Groups Members

And then the error:

Error: cannot sync groups and their members: error doing the first sync: error getting groups members from the SCIM service: scim: error listing groups: statusCode: 400,  errCode: 400 Bad Request, errMsg: {"schema":["urn:ietf:params:scim:api:messages:2.0:Error"],"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Request is unparsable, syntactically incorrect, or violates schema.","status":"400","exceptionRequestId":"c3ffe558-256b-478c-bc6e-bc1fdcd8c0da","timeStamp":"2022-07-18 10:28:30.894"}

After that, it just outputs the help usage.

Thanks a lot!

P.S.: Comment edited to add more info and parsing.

More info, I actually deleted some users on SSO, rerun the lambda/CLI, and it recreates users and groups (but not which users are in which groups; I had to do that manually), and in the end throws that error and doesn't create a state file in S3.

@snavarro-factorial this is a new issue, this is not the same issue #64

I opened a new issue with your comment with the number #75, let's continue the traceability there.

@snavarro-factorial could you provide logs for your comment?


More info, I actually deleted some users on SSO, rerun the lambda/CLI, and it recreates users and groups (but not which users are in which groups; I had to do that manually), and in the end throws that error and doesn't create a state file in S3.

in the issue #75 please