RFC 7644 says we should IGNORE group membership on user create

core/src/in_memory_provider_store.rs

@@ -738,6 +738,44 @@ mod test {
         assert_eq!(error.error_type.unwrap(), crate::ErrorType::Uniqueness)
     }
 
+    #[tokio::test]
+    async fn test_create_user_with_group_membership() {
+        let ctx = setup().await.unwrap();
+        let (group, _) = create_sales_group(&ctx).await.unwrap();
+
+        let user_name = "cbratton";
+        // Test that creating a user with a group membership is still created
+        // and it's memberships are IGNORED
+        let body = json!({
+                    "userName": user_name,
+                    "externalId": "cbratton@dundermifflin.com",
+                    "groups": [
+                        {
+                          "value": group.id,
+                          "display": group.display_name
+        ,                },
+                    ]
+                });
+
+        let result = ctx
+            .client
+            .post(format!("{}/Users", ctx.base_url))
+            .json(&body)
+            .send()
+            .await
+            .unwrap();
+
+        // User is created
+        assert_eq!(result.status(), StatusCode::CREATED);
+
+        let StoredParts::<User> { resource: user, .. } =
+            result_as_resource(result).await.unwrap();
+        assert_eq!(user.name, user_name);
+
+        // Ensure that the user did not end up with any group memberships
+        assert_eq!(user.groups, None);
+    }
+
     #[tokio::test]
     async fn test_list_users() {
         let ctx = setup().await.unwrap();

core/src/provider.rs

@@ -4,7 +4,7 @@
 
 use dropshot::Body;
 use http::Response;
-use slog::{Logger, debug, error};
+use slog::{Logger, debug, error, info};
 
 use crate::in_memory_provider_store::{
     InMemoryProviderStore, InMemoryProviderStoreState,
@@ -91,16 +91,30 @@ impl<T: ProviderStore> Provider<T> {
 
     pub async fn create_user(
         &self,
-        request: CreateUserRequest,
+        mut request: CreateUserRequest,
     ) -> Result<SingleResourceResponse, Error> {
+        // RFC 7643 4.1.1.  Singular Attributes
+        //
         // `groups` is readOnly, so clients cannot add users to groups when
         // creating new users.
-        if let Some(groups) = &request.groups
+        //
+        // RFC 7644 3.3.  Creating Resources
+        //
+        // In the request body, attributes whose mutability is "readOnly"
+        // (see Sections 2.2 and 7 of [RFC7643]) SHALL be ignored.
+        //
+        // If some group memberships were passed in on create we are going to
+        // ignore them like the RFC says to do, but the least we can do is log
+        // that the request had some group memberships present.
+        let maybe_groups = std::mem::take(&mut request.groups);
+        if let Some(groups) = maybe_groups
             && !groups.is_empty()
         {
-            return Err(Error::mutability(
-                "attribute groups is readOnly".to_string(),
-            ));
+            info!(self.log,
+                "CreateUserRequest contained group memberships for readOnly \
+                attribute groups that are being ignored.";
+                "groups" => ?groups,
+            );
         }
 
         let StoredParts { resource, meta } =