update

Nivedithaa Mahendran · Nivedithaa Mahendran · commit 12f1fb61b30d · 2026-03-30T15:15:05.000+05:30
diff --git a/src/mas/devops/users.py b/src/mas/devops/users.py
@@ -539,18 +539,25 @@ def update_user_display_name(self, user_id, display_name):
 
         raise Exception(f"{response.status_code} {response.text}")
 
-    def link_user_to_local_idp(self, user_id, email_password=False):
+    def link_user_to_local_idp(self, user_id, email_password=False, manage_api_key=None, resource_id=None):
         """
         Link a user to the local identity provider (IDP).
 
         This method is idempotent - if the user already has a local identity, no action is taken.
         The method creates a local authentication identity for the user, enabling them to log in
         with username/password.
 
+        For MAS version < 9.1: Uses Core API PUT request
+        For MAS version >= 9.1: Uses Manage API PATCH request
+
         Args:
             user_id (str): The unique identifier of the user to link.
             email_password (bool, optional): Whether to enable email/password authentication.
                                             Defaults to False.
+            manage_api_key (dict, optional): API key record with 'apikey' field for authentication.
+                                            Required for MAS version >= 9.1.
+            resource_id (str, optional): The resource identifier of the user (extracted from href).
+                                        Required for MAS version >= 9.1.
 
         Returns:
             None: Always returns None (authentication token is not exposed).
@@ -563,40 +570,110 @@ def link_user_to_local_idp(self, user_id, email_password=False):
             or returned for security reasons.
         """
 
-        # For the sake of idempotency, check if the user already has a local identity
-        resource_id, user = self.get_user(user_id)
-        if user is None:
-            raise Exception(f"User {user_id} was not found")
+        # Check MAS version to determine which API to use
+        current_version = Version(self.mas_version)
+        version_9_1 = Version("9.1")
 
-        if "identities" in user and "_local" in user["identities"]:
-            self.logger.info(f"User {user_id} already has a local identity")
-            return None
+        if current_version >= version_9_1:
+            # Version >= 9.1: Use Manage API PATCH request
+            if manage_api_key is None:
+                raise Exception("manage_api_key is required for MAS version >= 9.1")
+            if resource_id is None:
+                raise Exception("resource_id is required for MAS version >= 9.1")
 
-        self.logger.info(f"Linking user {user_id} to local IDP (email_password: {email_password})")
-        url = f"{self.mas_api_url_internal}/v3/users/{user_id}/idps/local"
-        querystring = {
-            "emailPassword": email_password
-        }
-        payload = {
-            "idpUserId": user_id,
-        }
-        headers = {
-            "Content-Type": "application/json",
-            "x-access-token": self.superuser_auth_token
-        }
-        response = requests.put(
-            url,
-            json=payload,
-            headers=headers,
-            params=querystring,
-            verify=self.core_internal_ca_pem_file_path
-        )
-        if response.status_code != 200:
-            raise Exception(response.text)
+            # For the sake of idempotency, check if the user already has a local identity
+            _, user = self.get_user(user_id)
+            if user is None:
+                raise Exception(f"User {user_id} was not found")
 
-        # Important: HTTP 200 output will contain generated user token; DO NOT LOG
+            if "identities" in user and "_local" in user["identities"]:
+                self.logger.info(f"User {user_id} already has a local identity")
+                return None
 
-        return None
+            self.logger.info(f"Linking user {user_id} to local IDP using Manage API (version {self.mas_version})")
+
+            url = f"{self.manage_api_url_internal}/maximo/api/os/masperuser/{resource_id}"
+            querystring = {
+                "lean": 1,
+                "ccm": 1
+            }
+            headers = {
+                "Content-Type": "application/json",
+                "apikey": manage_api_key["apikey"],
+                "x-method-override": "PATCH",
+                "patchtype": "MERGE"
+            }
+
+            payload = {
+                "maxuser": {
+                    "userid": user_id,
+                    "masuseridp": [
+                        {
+                            "emailpassword": email_password,
+                            "idpid": "local",
+                            "logintype": "0",
+                            "idploginid": user_id,
+                            "idptype": "local",
+                            "enabled": True
+                        }
+                    ]
+                }
+            }
+            self.logger.info(f"Sending PATCH request to {url} with payload: {payload}")
+
+            response = requests.post(
+                url,
+                json=payload,
+                headers=headers,
+                params=querystring,
+                cert=self.manage_internal_client_pem_file_path,
+                verify=self.manage_internal_ca_pem_file_path
+            )
+            self.logger.info(f"Response status code: {response.status_code}")
+            self.logger.info(f"Response text: {response.text}")
+
+            if response.status_code in [200, 204]:
+                self.logger.info(f"Successfully linked user {user_id} to local IDP")
+                return None
+
+            raise Exception(f"Failed to link user to local IDP: {response.status_code} {response.text}")
+
+        else:
+            # Version < 9.1: Use Core API PUT request (existing implementation)
+            # For the sake of idempotency, check if the user already has a local identity
+            _, user = self.get_user(user_id)
+            if user is None:
+                raise Exception(f"User {user_id} was not found")
+
+            if "identities" in user and "_local" in user["identities"]:
+                self.logger.info(f"User {user_id} already has a local identity")
+                return None
+
+            self.logger.info(f"Linking user {user_id} to local IDP using Core API (version {self.mas_version}, email_password: {email_password})")
+            url = f"{self.mas_api_url_internal}/v3/users/{user_id}/idps/local"
+            querystring = {
+                "emailPassword": email_password
+            }
+            payload = {
+                "idpUserId": user_id,
+            }
+            headers = {
+                "Content-Type": "application/json",
+                "x-access-token": self.superuser_auth_token
+            }
+            response = requests.put(
+                url,
+                json=payload,
+                headers=headers,
+                params=querystring,
+                verify=self.core_internal_ca_pem_file_path
+            )
+            if response.status_code != 200:
+                raise Exception(response.text)
+
+            # Important: HTTP 200 output will contain generated user token; DO NOT LOG
+
+            return None
 
     def get_user_workspaces(self, user_id):
         """
@@ -1690,7 +1767,17 @@ def create_initial_user_for_saas(self, user, user_type, groupreassign=None):
         self.logger.info(f"Resource ID - {resource_id}")
         self.logger.info(f"User info - {user_info}")
 
-        self.link_user_to_local_idp(user_id, email_password=True)
+        # For version >= 9.1, we always need a Manage API key and resource_id to link user to local IDP
+        # For version < 9.1, we may need it later for manage_security_groups
+        if Version(self.mas_version) >= Version('9.1') or (len(manage_security_groups) > 0 and "manage" in self.mas_workspace_application_ids):
+            maxadmin_manage_api_key = self.create_or_get_manage_api_key_for_user(MASUserUtils.MAXADMIN, temporary=True)
+            self.logger.info(f"Maxadmin manage api key - {maxadmin_manage_api_key}")
+
+        if Version(self.mas_version) >= Version('9.1'):
+            self.link_user_to_local_idp(user_id, email_password=True, manage_api_key=maxadmin_manage_api_key, resource_id=resource_id)
+        else:
+            self.link_user_to_local_idp(user_id, email_password=True)
+
         self.add_user_to_workspace(user_id, is_workspace_admin=is_workspace_admin)
 
         if Version(self.mas_version) < Version('9.1'):
@@ -1709,8 +1796,6 @@ def create_initial_user_for_saas(self, user, user_type, groupreassign=None):
                 self.check_user_sync(user_id, mas_application_id)
 
         if len(manage_security_groups) > 0 and "manage" in self.mas_workspace_application_ids:
-            maxadmin_manage_api_key = self.create_or_get_manage_api_key_for_user(MASUserUtils.MAXADMIN, temporary=True)
-            self.logger.info(f"Maxadmin manage api key - {maxadmin_manage_api_key}")
             if Version(self.mas_version) < Version('9.1'):
                 for manage_security_group in manage_security_groups:
                     self.add_user_to_manage_group(user_id, manage_security_group, maxadmin_manage_api_key)
@@ -1719,7 +1804,3 @@ def create_initial_user_for_saas(self, user, user_type, groupreassign=None):
                     self.set_user_group_reassignment_auth(user_id, resource_id, groupreassign, maxadmin_manage_api_key)
                 else:
                     self.logger.warning(f"Cannot set group reassignment auth: resource_id not found for user {user_id}")
-
-            # # Grant authorization to reassign users to/from ALL security groups (PRIMARY users only)
-            # if user_type == "PRIMARY":
-            #     self.grant_all_group_reassignment_auth(user_id, maxadmin_manage_api_key)
diff --git a/test/src/test_users.py b/test/src/test_users.py
@@ -629,8 +629,10 @@ def test_update_user_display_name_error(user_utils, requests_mock):
 def test_link_user_to_local_idp(user_utils, requests_mock, mock_manage_api_key):
     user_id = "user1"
     email_password = True
+    resource_id = f"{user_id}_resource_id"
     get_core, get_manage, get_manage_personid = mock_get_user_200(requests_mock, user_id, mock_manage_api_key)
 
+    # Mock Core API PUT request for version < 9.1
     put = requests_mock.put(
         f"{MAS_API_URL}/v3/users/{user_id}/idps/local?emailPassword={email_password}",
         request_headers={"x-access-token": TOKEN},
@@ -639,28 +641,75 @@ def test_link_user_to_local_idp(user_utils, requests_mock, mock_manage_api_key):
         additional_matcher=lambda req: additional_matcher(req, json={"idpUserId": user_id})
     )
 
-    user_utils.link_user_to_local_idp(user_id, email_password=email_password)
+    # Mock Manage API PATCH request for version >= 9.1
+    patch = requests_mock.post(
+        f"{MANAGE_API_URL}/maximo/api/os/masperuser/{resource_id}?lean=1&ccm=1",
+        request_headers={
+            "Content-Type": "application/json",
+            "apikey": mock_manage_api_key["apikey"],
+            "x-method-override": "PATCH",
+            "patchtype": "MERGE"
+        },
+        json={"id": user_id},
+        status_code=200,
+        additional_matcher=lambda req: additional_matcher(
+            req,
+            json={
+                "maxuser": {
+                    "userid": user_id,
+                    "masuseridp": [{
+                        "emailpassword": True,
+                        "idpid": "local",
+                        "logintype": "0",
+                        "idploginid": user_id,
+                        "idptype": "local",
+                        "enabled": True
+                    }]
+                }
+            },
+            cert=PEM_PATH
+        )
+    )
+
+    # Call the function with appropriate parameters based on version
+    if Version(user_utils.mas_version) >= Version('9.1'):
+        user_utils.link_user_to_local_idp(user_id, email_password=email_password, manage_api_key=mock_manage_api_key, resource_id=resource_id)
+    else:
+        user_utils.link_user_to_local_idp(user_id, email_password=email_password)
 
     # Check that the correct endpoint was called based on version
     if Version(user_utils.mas_version) >= Version('9.1'):
         assert get_core.call_count == 0
         assert get_manage.call_count == 1
+        assert put.call_count == 0
+        assert patch.call_count == 1
     else:
         assert get_core.call_count == 1
         assert get_manage.call_count == 0
-    assert put.call_count == 1
+        assert put.call_count == 1
+        assert patch.call_count == 0
 
 
 def test_link_user_to_local_idp_usernotfound(user_utils, requests_mock, mock_manage_api_key):
     user_id = "user1"
+    resource_id = f"{user_id}_resource_id"
     get_core, get_manage, get_manage_personid = mock_get_user_404(requests_mock, user_id, mock_manage_api_key)
+
     put = requests_mock.put(
         f"{MAS_API_URL}/v3/users/{user_id}/idps/local",
         additional_matcher=lambda req: additional_matcher(req, json={"idpUserId": user_id})
     )
 
+    patch = requests_mock.post(
+        f"{MANAGE_API_URL}/maximo/api/os/masperuser/{resource_id}?lean=1&ccm=1",
+        additional_matcher=lambda req: additional_matcher(req, cert=PEM_PATH)
+    )
+
     with pytest.raises(Exception):
-        user_utils.link_user_to_local_idp(user_id)
+        if Version(user_utils.mas_version) >= Version('9.1'):
+            user_utils.link_user_to_local_idp(user_id, manage_api_key=mock_manage_api_key, resource_id=resource_id)
+        else:
+            user_utils.link_user_to_local_idp(user_id)
 
     # Check that the correct endpoint was called based on version
     if Version(user_utils.mas_version) >= Version('9.1'):
@@ -670,6 +719,7 @@ def test_link_user_to_local_idp_usernotfound(user_utils, requests_mock, mock_man
         assert get_core.call_count == 1
         assert get_manage.call_count == 0
     assert put.call_count == 0
+    assert patch.call_count == 0
 
 
 def test_link_user_to_local_idp_already_linked(user_utils, requests_mock, mock_manage_api_key):
@@ -700,7 +750,16 @@ def test_link_user_to_local_idp_already_linked(user_utils, requests_mock, mock_m
         additional_matcher=lambda req: additional_matcher(req, json={"idpUserId": user_id})
     )
 
-    user_utils.link_user_to_local_idp(user_id, email_password=email_password)
+    patch = requests_mock.post(
+        f"{MANAGE_API_URL}/maximo/api/os/masperuser/{resource_id}?lean=1&ccm=1",
+        additional_matcher=lambda req: additional_matcher(req, cert=PEM_PATH)
+    )
+
+    # Call the function with appropriate parameters based on version
+    if Version(user_utils.mas_version) >= Version('9.1'):
+        user_utils.link_user_to_local_idp(user_id, email_password=email_password, manage_api_key=mock_manage_api_key, resource_id=resource_id)
+    else:
+        user_utils.link_user_to_local_idp(user_id, email_password=email_password)
 
     # Check that the correct endpoint was called based on version
     if Version(user_utils.mas_version) >= Version('9.1'):
@@ -710,6 +769,7 @@ def test_link_user_to_local_idp_already_linked(user_utils, requests_mock, mock_m
         assert get_core.call_count == 1
         assert get_manage.call_count == 0
     assert put.call_count == 0
+    assert patch.call_count == 0
 
 
 def test_get_user_workspaces(user_utils, requests_mock):
@@ -2206,7 +2266,14 @@ def test_create_initial_user_for_saas(
         }
 
     user_utils.get_or_create_user.assert_called_once_with(expected_user_def)
-    user_utils.link_user_to_local_idp.assert_called_once_with(user_id, email_password=True)
+
+    # Check link_user_to_local_idp call based on version
+    if mas_version == '9.1':
+        resource_id = f"_{actual_user_id.replace('@', '_').replace('.', '_')}_resource_id"
+        user_utils.link_user_to_local_idp.assert_called_once_with(user_id, email_password=True, manage_api_key=manage_api_key, resource_id=resource_id)
+    else:
+        user_utils.link_user_to_local_idp.assert_called_once_with(user_id, email_password=True)
+
     user_utils.add_user_to_workspace.assert_called_once_with(user_id, is_workspace_admin=is_workspace_admin)
 
     # For version < 9.1, await_mas_application_availability and set_user_application_permission are called
@@ -2233,9 +2300,14 @@ def test_create_initial_user_for_saas(
     else:  # 9.1
         user_utils.check_user_sync.assert_not_called()
 
-    if len(manage_security_groups) > 0:
+    # For version >= 9.1, API key is always created (needed for link_user_to_local_idp)
+    # For version < 9.1, API key is only created if there are manage_security_groups
+    if mas_version == '9.1' or len(manage_security_groups) > 0:
         user_utils.create_or_get_manage_api_key_for_user.assert_called_once_with("MAXADMIN", temporary=True)
+    else:
+        user_utils.create_or_get_manage_api_key_for_user.assert_not_called()
 
+    if len(manage_security_groups) > 0:
         # For version < 9.1, add_user_to_manage_group is called
         # For version >= 9.1, set_user_group_reassignment_auth is called for PRIMARY users
         if mas_version == '9.0':
@@ -2252,10 +2324,6 @@ def test_create_initial_user_for_saas(
                 user_utils.set_user_group_reassignment_auth.assert_called_once_with(actual_user_id, resource_id, [{"groupname": "USERMANAGEMENT"}], manage_api_key)
             else:
                 user_utils.set_user_group_reassignment_auth.assert_not_called()
-    else:
-        user_utils.create_or_get_manage_api_key_for_user.assert_not_called()
-        user_utils.add_user_to_manage_group.assert_not_called()
-        user_utils.set_user_group_reassignment_auth.assert_not_called()
 
 
 def test_create_initial_users_for_saas_invalid_inputs(user_utils):
