Improve domain qualified username handling when filter users by group with PRIMARY domain

components/org.wso2.carbon.identity.scim2.common/src/main/java/org/wso2/carbon/identity/scim2/common/impl/SCIMUserManager.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017-2024, WSO2 LLC. (http://www.wso2.com).
+ * Copyright (c) 2017-2025, WSO2 LLC. (http://www.wso2.com).
  *
  * WSO2 LLC. licenses this file to you under the Apache License,
  * Version 2.0 (the "License"); you may not use this file except
@@ -1481,9 +1481,11 @@ private UsersGetResponse filterUsersBySingleAttribute(ExpressionNode node, Map<S
             // Check that total user count matching the client query needs to be calculated.
             if (isJDBCUSerStore(domainName) || isAllConfiguredUserStoresJDBC()
                     || SCIMCommonUtils.isConsiderTotalRecordsForTotalResultOfLDAPEnabled()) {
-                int maxLimit = getMaxLimit(domainName);
+                int maxLimit;
                 if (!SCIMCommonUtils.isConsiderMaxLimitForTotalResultEnabled()) {
                     maxLimit = Integer.MAX_VALUE;
+                } else {
+                    maxLimit = getMaxLimit(domainName);
                 }
                 // Get total users based on the filter query without depending on pagination params.
                 if (SCIMCommonUtils.isGroupBasedUserFilteringImprovementsEnabled() &&
@@ -1791,7 +1793,10 @@ private int getUserCountByGroup(Node node, String domainName)
         If there is a domain and if the domain separator is not found in the attribute value, append the domain
         with the domain separator in front of the new attribute value.
         */
-        attributeValue = UserCoreUtil.addDomainToName(((ExpressionNode) node).getValue(), domainName);
+        if (StringUtils.isNotEmpty(domainName) && StringUtils
+                .containsNone(attributeValue, CarbonConstants.DOMAIN_SEPARATOR)) {
+            attributeValue = domainName.toUpperCase() + CarbonConstants.DOMAIN_SEPARATOR + attributeValue;
+        }
 
         try {
             List<String> roleNames = getRoleNames(attributeName, filterOperation, attributeValue);

components/org.wso2.carbon.identity.scim2.common/src/test/java/org/wso2/carbon/identity/scim2/common/impl/SCIMUserManagerTest.java

@@ -48,6 +48,7 @@
 import org.wso2.carbon.identity.scim2.common.internal.SCIMCommonComponentHolder;
 import org.wso2.carbon.user.core.UserStoreClientException;
 import org.wso2.carbon.user.core.common.PaginatedUserResponse;
+import org.wso2.carbon.user.core.model.UniqueIDUserClaimSearchEntry;
 import org.wso2.charon3.core.exceptions.NotImplementedException;
 import org.wso2.charon3.core.extensions.UserManager;
 import org.wso2.charon3.core.objects.plainobjects.UsersGetResponse;
@@ -94,6 +95,7 @@
 import org.wso2.charon3.core.utils.codeutils.SearchRequest;
 import org.wso2.carbon.identity.configuration.mgt.core.model.Resource;
 
+import java.io.IOException;
 import java.lang.reflect.Field;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -148,6 +150,8 @@ public class SCIMUserManagerTest {
 
     @Mock
     private AbstractUserStoreManager mockedUserStoreManager;
+    @Mock
+    private JDBCUserStoreManager mockedJDBCUserStoreManager;
 
     @Mock
     private ClaimManager mockedClaimManager;
@@ -613,6 +617,45 @@ public void testFilteringUsersWithGET(List<org.wso2.carbon.user.core.common.User
         assertEquals(result.getUsers().size(), expectedResultCount);
     }
 
+    @Test
+    public void testFilteringUsersOfGroupWithGET() throws UserStoreException, IOException, BadRequestException,
+            NotImplementedException, CharonException {
+
+        String domain = "PRIMARY";
+        SCIMUserManager scimUserManager = new SCIMUserManager(mockedUserStoreManager, mockedClaimManager);
+        SCIMResourceTypeSchema schema = SCIMResourceSchemaManager.getInstance().getUserResourceSchema();
+        FilterTreeManager filterTreeManager = new FilterTreeManager("groups eq admin", schema);
+        Node node = filterTreeManager.buildTree();
+
+        org.wso2.carbon.user.core.common.User testUser1 = new org.wso2.carbon.user.core.common.User(UUID.randomUUID()
+                .toString(), "testUser1", "testUser1");
+        testUser1.setUserStoreDomain("PRIMARY");
+        List<org.wso2.carbon.user.core.common.User> filteredUsers = new ArrayList<>();
+        filteredUsers.add(testUser1);
+
+        scimCommonUtils.when(() -> SCIMCommonUtils.convertLocalToSCIMDialect(anyMap(), anyMap())).thenReturn(new HashMap<String, String>() {{
+            put(SCIMConstants.CommonSchemaConstants.ID_URI, "1f70378a-69bb-49cf-aa51-a0493c09110c");
+        }});
+
+        when(mockedUserStoreManager.getSecondaryUserStoreManager(domain)).thenReturn(mockedJDBCUserStoreManager);
+        when(mockedJDBCUserStoreManager.isSCIMEnabled()).thenReturn(true);
+        scimCommonUtils.when(SCIMCommonUtils::isGroupBasedUserFilteringImprovementsEnabled).thenReturn(true);
+        when(mockedUserStoreManager.getRoleNames(anyString(), anyInt(), anyBoolean(), anyBoolean(), anyBoolean()))
+                .thenReturn(new String[]{"admin"});
+        when(mockedUserStoreManager.getUserCountForGroup(anyString())).thenReturn(filteredUsers.size());
+        when(mockedUserStoreManager.getUserListOfGroupWithID(anyString())).thenReturn(filteredUsers);
+
+        UniqueIDUserClaimSearchEntry uniqueIDUserClaimSearchEntry = new UniqueIDUserClaimSearchEntry();
+        List<UniqueIDUserClaimSearchEntry> uniqueIDUserClaimSearchEntries = new ArrayList<>();
+        uniqueIDUserClaimSearchEntries.add(uniqueIDUserClaimSearchEntry);
+        when(mockedUserStoreManager.getUsersClaimValuesWithID(any(), any(), nullable(String.class)))
+                .thenReturn(uniqueIDUserClaimSearchEntries);
+
+        UsersGetResponse result = scimUserManager.listUsersWithGET(node, 1, null, null, null, domain, new HashMap<>());
+        assertEquals(result.getUsers().size(), filteredUsers.size());
+
+    }
+
     @DataProvider(name = "userInfoForFiltering")
     public Object[][] userInfoForFiltering() {