From 860f3b7320c62555f71f8192d4daa4f80e56848f Mon Sep 17 00:00:00 2001
From: vramik
Date: Thu, 18 Apr 2024 11:55:45 +0200
Subject: [PATCH] Prevent updating IdP via organization API not linked with the organization
Closes #28833
Signed-off-by: vramik
---
 .../OrganizationIdentityProviderResource.java | 2 +-
 .../OrganizationIdentityProviderTest.java | 20 +++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/services/src/main/java/org/keycloak/organization/admin/resource/OrganizationIdentityProviderResource.java b/services/src/main/java/org/keycloak/organization/admin/resource/OrganizationIdentityProviderResource.java
index 08eda71c06..4bafab1188 100644
--- a/services/src/main/java/org/keycloak/organization/admin/resource/OrganizationIdentityProviderResource.java
+++ b/services/src/main/java/org/keycloak/organization/admin/resource/OrganizationIdentityProviderResource.java
@@ -134,7 +134,7 @@ public class OrganizationIdentityProviderResource {
 public Response update(IdentityProviderRepresentation rep) {
 IdentityProviderModel identityProvider = getIdentityProviderModel();
- if (!rep.getAlias().equals(identityProvider.getAlias())) {
+ if (!rep.getAlias().equals(identityProvider.getAlias()) || (rep.getInternalId() != null && !Objects.equals(rep.getInternalId(), identityProvider.getInternalId()))) {
 throw ErrorResponse.error("Identity provider not assigned to the organization.", Status.NOT_FOUND);
 }
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/admin/OrganizationIdentityProviderTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/admin/OrganizationIdentityProviderTest.java
index f498ce725a..996ac9f4d1 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/admin/OrganizationIdentityProviderTest.java
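Review bot: The new guard still dereferences `rep.getAlias()` before comparing, so a request body that omits the alias surfaces as an unhandled NullPointerException instead of the intended 404 on the next line; since the condition now uses `Objects.equals` for the internal id, the alias side can be made null-safe the same way, `!Objects.equals(identityProvider.getAlias(), rep.getAlias())`. The combined condition is also long enough to read poorly, and two named booleans keep the ownership check visible: `boolean aliasMismatch = !Objects.equals(identityProvider.getAlias(), rep.getAlias());` / `boolean internalIdMismatch = rep.getInternalId() != null && !Objects.equals(rep.getInternalId(), identityProvider.getInternalId());` / `if (aliasMismatch || internalIdMismatch) {`. A one-line comment above the check, such as `// reject bodies that name an IdP other than the one bound to this organization, so the org-scoped endpoint cannot modify an arbitrary realm IdP`, would record why the internal id is compared at all. The diffstat shows no import line added, so `java.util.Objects` is presumably already imported in this file. The remainder of update(), including what is done with rep after the check passes, lies outside the hunk.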
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/admin/OrganizationIdentityProviderTest.java
@@ -125,6 +125,26 @@ public class OrganizationIdentityProviderTest extends AbstractOrganizationTest {
 }
 }
+ @Test
+ public void tryUpdateIdPWithValidAliasInvalidInternalId() {
+ OrganizationRepresentation orgRep = createOrganization();
+ OrganizationResource orgResource = testRealm().organizations().get(orgRep.getId());
+
+ OrganizationIdentityProviderResource orgIdPResource = orgResource.identityProvider();
+
+ IdentityProviderRepresentation idpRepresentation = createRep("some-broker", "oidc");
+ //create IdP in realm not bound to Org and get created internalId
+ testRealm().identityProviders().create(idpRepresentation).close();
+ String internalId = testRealm().identityProviders().get("some-broker").toRepresentation().getInternalId();
+
+ IdentityProviderRepresentation orgIdPRep = orgIdPResource.toRepresentation();
+ orgIdPRep.setInternalId(internalId);
+
+ try (Response response = orgIdPResource.update(orgIdPRep)) {
+ assertThat(response.getStatus(), equalTo(Response.Status.NOT_FOUND.getStatusCode()));
+ }
+ }
+
 private IdentityProviderRepresentation createRep(String alias, String providerId) {
 IdentityProviderRepresentation idp = new IdentityProviderRepresentation();