slashdevops/idp-scim-sync

bug: Request is unparsable, syntactically incorrect, or violates schema

rknightion opened this issue · 2 comments

Describe the bug
We previously used this tool successfully. However, we had some manual users in AWS SSO that would not have groups updated (from before we enabled SCIM). We removed the users thinking they would sync via SCIM, but they did not.
So I removed the state file to trigger a full sync, but we get the error in the title.
While at first I thought it was similar to #62, we do not have any groups with more than 100 users in them. The state file is also not created.
I've tried removing and redeploying the lambda to no avail.

Error: cannot sync groups and their members: error doing the first sync: error reconciling groups: error updating groups from SCIM provider: scim: error updating groups: statusCode: 400,  errCode: 400 Bad Request, errMsg: {
    "schema": [
        "urn:ietf:params:scim:api:messages:2.0:Error"
    ],
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:Error"
    ],
    "detail": "Request is unparsable, syntactically incorrect, or violates schema.",
    "status": "400",
    "exceptionRequestId": "977d19cb-b1d1-46e7-ba4d-936701dd6d3b",
    "timeStamp": "2023-01-03 11:50:22.856"
}

Re-ran with trace:

WARN[0051] no state file found in the state repository, creating a new one
WARN[0051] syncing from scim service, first time syncing
WARN[0051] reconciling the SCIM data with the Identity Provider data
INFO[0051] getting SCIM Groups
TRAC[0051] aws newRequest: request                       body="<nil>" method=GET path=/f3v89cc3d5a-555b-44ec-9efd-69ad987452c0/scim/v2/Groups query= url="https://scim.us-east-1.amazonaws.com/f3v89cc3d5a-555b-44ec-9efd-69ad987452c0/scim/v2/Groups"
INFO[0052] reconciling groups                            idp=12 scim=20
INFO[0052] no groups to be create
WARN[0052] updating groups                               quantity=10
TRAC[0052] updating group (details)                      email=awsssoadmins@.com group="AWSSSO - Administrators" idpid=01x0gk370my64ri scimid=c428a408-8051-7095-bb71-b4fed9584ca8
WARN[0052] updating group                                email=awsssoadmins@.com group="AWSSSO - Administrators"
TRAC[0052] aws newRequest: request                       body="{[urn:ietf:params:scim:api:messages:2.0:PatchOp] [0x14000267b90]}" method=PATCH path=/f3v89cc3d5a-555b-44ec-9efd-69ad987452c0/scim/v2/Groups/c428a408-8051-7095-bb71-b4fed9584ca8 query= url="https://scim.us-east-1.amazonaws.com/f3v89cc3d5a-555b-44ec-9efd-69ad987452c0/scim/v2/Groups/c428a408-8051-7095-bb71-b4fed9584ca8"
TRAC[0052] aws checkHTTPResponse: body: {"schema":["urn:ietf:params:scim:api:messages:2.0:Error"],"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Request is unparsable, syntactically incorrect, or violates schema.","status":"400","exceptionRequestId":"699fef61-45cb-43b7-8896-2f6266b4b19d","timeStamp":"2023-01-03 13:07:42.746"}  status="400 Bad Request" statusCode=400
Error: cannot sync groups and their members: error doing the first sync: error reconciling groups: error updating groups from SCIM provider: scim: error updating groups: statusCode: 400,  errCode: 400 Bad Request, errMsg: {"schema":["urn:ietf:params:scim:api:messages:2.0:Error"],"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"Request is unparsable, syntactically incorrect, or violates schema.","status":"400","exceptionRequestId":"699fef61-45cb-43b7-8896-2f6266b4b19d","timeStamp":"2023-01-03 13:07:42.746"}

The group it's failing on does contain one of the "manual" users that previously existed (in that group).

So, not sure how exactly, but manually removing all groups in AWS SSO and then re-running the tool correctly re-provisioned all the groups, added in the missing "manual" users and sorted everything out!