feat: add SCIM provisioning via Okta (#4132)

coadler · bpmct · web-flow · commit 5e2efb68f1cd · 2022-09-20T15:16:26.000-05:00
Co-authored-by: Ben Potter &lt;ben@coder.com&gt;
diff --git a/cli/server_test.go b/cli/server_test.go
@@ -24,7 +24,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/goleak"
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -222,11 +222,7 @@ func New(options *Options) *API {
 	r.Route("/api/v2", func(r chi.Router) {
 		api.APIHandler = r
 
-		r.NotFound(func(rw http.ResponseWriter, r *http.Request) {
-			httpapi.Write(rw, http.StatusNotFound, codersdk.Response{
-				Message: "Route not found.",
-			})
-		})
+		r.NotFound(func(rw http.ResponseWriter, r *http.Request) { httpapi.RouteNotFound(rw) })
 		r.Use(
 			tracing.Middleware(api.TracerProvider),
 			// Specific routes can specify smaller limits.
diff --git a/coderd/httpapi/httpapi.go b/coderd/httpapi/httpapi.go
@@ -75,6 +75,12 @@ func InternalServerError(rw http.ResponseWriter, err error) {
 	})
 }
 
+func RouteNotFound(rw http.ResponseWriter) {
+	Write(rw, http.StatusNotFound, codersdk.Response{
+		Message: "Route not found.",
+	})
+}
+
 // Write outputs a standardized format to an HTTP response body.
 func Write(rw http.ResponseWriter, status int, response interface{}) {
 	buf := &bytes.Buffer{}
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -378,7 +378,7 @@ func (api *API) oauthLogin(r *http.Request, params oauthLoginParams) (*http.Cook
 				organizationID = organizations[0].ID
 			}
 
-			user, _, err = api.createUser(ctx, tx, createUserRequest{
+			user, _, err = api.CreateUser(ctx, tx, CreateUserRequest{
 				CreateUserRequest: codersdk.CreateUserRequest{
 					Email:          params.Email,
 					Username:       params.Username,
diff --git a/coderd/users.go b/coderd/users.go
@@ -83,7 +83,7 @@ func (api *API) postFirstUser(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	user, organizationID, err := api.createUser(r.Context(), api.Database, createUserRequest{
+	user, organizationID, err := api.CreateUser(r.Context(), api.Database, CreateUserRequest{
 		CreateUserRequest: codersdk.CreateUserRequest{
 			Email:    createUser.Email,
 			Username: createUser.Username,
@@ -317,7 +317,7 @@ func (api *API) postUser(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	user, _, err := api.createUser(r.Context(), api.Database, createUserRequest{
+	user, _, err := api.CreateUser(r.Context(), api.Database, CreateUserRequest{
 		CreateUserRequest: req,
 		LoginType:         database.LoginTypePassword,
 	})
@@ -1101,12 +1101,12 @@ func (api *API) createAPIKey(r *http.Request, params createAPIKeyParams) (*http.
 	}, nil
 }
 
-type createUserRequest struct {
+type CreateUserRequest struct {
 	codersdk.CreateUserRequest
 	LoginType database.LoginType
 }
 
-func (api *API) createUser(ctx context.Context, store database.Store, req createUserRequest) (database.User, uuid.UUID, error) {
+func (api *API) CreateUser(ctx context.Context, store database.Store, req CreateUserRequest) (database.User, uuid.UUID, error) {
 	var user database.User
 	return user, req.OrganizationID, store.InTx(func(tx database.Store) error {
 		orgRoles := make([]string, 0)
diff --git a/codersdk/features.go b/codersdk/features.go
@@ -17,9 +17,10 @@ const (
 const (
 	FeatureUserLimit = "user_limit"
 	FeatureAuditLog  = "audit_log"
+	FeatureSCIM      = "scim"
 )
 
-var FeatureNames = []string{FeatureUserLimit, FeatureAuditLog}
+var FeatureNames = []string{FeatureUserLimit, FeatureAuditLog, FeatureSCIM}
 
 type Feature struct {
 	Entitlement Entitlement `json:"entitlement"`
diff --git a/docs/admin/auth.md b/docs/admin/auth.md
@@ -74,3 +74,14 @@ CODER_OIDC_CLIENT_SECRET="G0CSP...7qSM"
 Once complete, run `sudo service coder restart` to reboot Coder.
 
 > When a new user is created, the `preferred_username` claim becomes the username. If this claim is empty, the email address will be stripped of the domain, and become the username (e.g. `example@coder.com` becomes `example`).
+
+## SCIM
+
+Coder supports user provisioning and deprovisioning via SCIM 2.0 with header
+authentication. Upon deactivation, users are [suspended](userd.md#suspend-a-user)
+and are not deleted. [Configure](./configure.md) your SCIM application with an
+auth key and supply it the Coder server.
+
+```console
+CODER_SCIM_API_KEY="your-api-key"
+```
diff --git a/enterprise/cli/server.go b/enterprise/cli/server.go
@@ -14,11 +14,13 @@ import (
 
 func server() *cobra.Command {
 	var (
-		auditLogging bool
+		auditLogging   bool
+		scimAuthHeader string
 	)
 	cmd := agpl.Server(func(ctx context.Context, options *agplcoderd.Options) (*agplcoderd.API, error) {
 		api, err := coderd.New(ctx, &coderd.Options{
 			AuditLogging: auditLogging,
+			SCIMAPIKey:   []byte(scimAuthHeader),
 			Options:      options,
 		})
 		if err != nil {
@@ -28,6 +30,7 @@ func server() *cobra.Command {
 	})
 	cliflag.BoolVarP(cmd.Flags(), &auditLogging, "audit-logging", "", "CODER_AUDIT_LOGGING", true,
 		"Specifies whether audit logging is enabled.")
+	cliflag.StringVarP(cmd.Flags(), &scimAuthHeader, "scim-auth-header", "", "CODER_SCIM_API_KEY", "", "Enables SCIM and sets the authentication header for the built-in SCIM server. New users are automatically created with OIDC authentication.")
 
 	return cmd
 }
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -63,6 +63,19 @@ func New(ctx context.Context, options *Options) (*API, error) {
 		})
 	})
 
+	if len(options.SCIMAPIKey) != 0 {
+		api.AGPL.RootHandler.Route("/scim/v2", func(r chi.Router) {
+			r.Use(api.scimEnabledMW)
+			r.Post("/Users", api.scimPostUser)
+			r.Route("/Users", func(r chi.Router) {
+				r.Get("/", api.scimGetUsers)
+				r.Post("/", api.scimPostUser)
+				r.Get("/{id}", api.scimGetUser)
+				r.Patch("/{id}", api.scimPatchUser)
+			})
+		})
+	}
+
 	err := api.updateEntitlements(ctx)
 	if err != nil {
 		return nil, xerrors.Errorf("update entitlements: %w", err)
@@ -76,6 +89,7 @@ type Options struct {
 	*coderd.Options
 
 	AuditLogging               bool
+	SCIMAPIKey                 []byte
 	EntitlementsUpdateInterval time.Duration
 	Keys                       map[string]ed25519.PublicKey
 }
@@ -93,6 +107,7 @@ type entitlements struct {
 	hasLicense  bool
 	activeUsers codersdk.Feature
 	auditLogs   codersdk.Entitlement
+	scim        codersdk.Entitlement
 }
 
 func (api *API) Close() error {
@@ -117,6 +132,7 @@ func (api *API) updateEntitlements(ctx context.Context) error {
 			Entitlement: codersdk.EntitlementNotEntitled,
 		},
 		auditLogs: codersdk.EntitlementNotEntitled,
+		scim:      codersdk.EntitlementNotEntitled,
 	}
 
 	// Here we loop through licenses to detect enabled features.
@@ -149,6 +165,9 @@ func (api *API) updateEntitlements(ctx context.Context) error {
 		if claims.Features.AuditLog > 0 {
 			entitlements.auditLogs = entitlement
 		}
+		if claims.Features.SCIM > 0 {
+			entitlements.scim = entitlement
+		}
 	}
 
 	if entitlements.auditLogs != api.entitlements.auditLogs {
diff --git a/enterprise/coderd/coderdenttest/coderdenttest.go b/enterprise/coderd/coderdenttest/coderdenttest.go
@@ -37,6 +37,7 @@ func init() {
 type Options struct {
 	*coderdtest.Options
 	EntitlementsUpdateInterval time.Duration
+	SCIMAPIKey                 []byte
 }
 
 // New constructs a codersdk client connected to an in-memory Enterprise API instance.
@@ -55,6 +56,7 @@ func NewWithAPI(t *testing.T, options *Options) (*codersdk.Client, io.Closer, *c
 	srv, cancelFunc, oop := coderdtest.NewOptions(t, options.Options)
 	coderAPI, err := coderd.New(context.Background(), &coderd.Options{
 		AuditLogging:               true,
+		SCIMAPIKey:                 options.SCIMAPIKey,
 		Options:                    oop,
 		EntitlementsUpdateInterval: options.EntitlementsUpdateInterval,
 		Keys: map[string]ed25519.PublicKey{
@@ -82,6 +84,7 @@ type LicenseOptions struct {
 	ExpiresAt   time.Time
 	UserLimit   int64
 	AuditLog    bool
+	SCIM        bool
 }
 
 // AddLicense generates a new license with the options provided and inserts it.
@@ -105,6 +108,11 @@ func GenerateLicense(t *testing.T, options LicenseOptions) string {
 	if options.AuditLog {
 		auditLog = 1
 	}
+	scim := int64(0)
+	if options.SCIM {
+		scim = 1
+	}
+
 	c := &coderd.Claims{
 		RegisteredClaims: jwt.RegisteredClaims{
 			Issuer:    "test@testing.test",
@@ -119,6 +127,7 @@ func GenerateLicense(t *testing.T, options LicenseOptions) string {
 		Features: coderd.Features{
 			UserLimit: options.UserLimit,
 			AuditLog:  auditLog,
+			SCIM:      scim,
 		},
 	}
 	tok := jwt.NewWithClaims(jwt.SigningMethodEdDSA, c)
diff --git a/enterprise/coderd/licenses.go b/enterprise/coderd/licenses.go
@@ -47,6 +47,7 @@ var Keys = map[string]ed25519.PublicKey{"2022-08-12": ed25519.PublicKey(key20220
 type Features struct {
 	UserLimit int64 `json:"user_limit"`
 	AuditLog  int64 `json:"audit_log"`
+	SCIM      int64 `json:"scim"`
 }
 
 type Claims struct {
diff --git a/enterprise/coderd/licenses_test.go b/enterprise/coderd/licenses_test.go
@@ -80,11 +80,13 @@ func TestGetLicense(t *testing.T) {
 		coderdenttest.AddLicense(t, client, coderdenttest.LicenseOptions{
 			AccountID: "testing",
 			AuditLog:  true,
+			SCIM:      true,
 		})
 
 		coderdenttest.AddLicense(t, client, coderdenttest.LicenseOptions{
 			AccountID: "testing2",
 			AuditLog:  true,
+			SCIM:      true,
 			UserLimit: 200,
 		})
 
@@ -96,12 +98,14 @@ func TestGetLicense(t *testing.T) {
 		assert.Equal(t, map[string]interface{}{
 			codersdk.FeatureUserLimit: json.Number("0"),
 			codersdk.FeatureAuditLog:  json.Number("1"),
+			codersdk.FeatureSCIM:      json.Number("1"),
 		}, licenses[0].Claims["features"])
 		assert.Equal(t, int32(2), licenses[1].ID)
 		assert.Equal(t, "testing2", licenses[1].Claims["account_id"])
 		assert.Equal(t, map[string]interface{}{
 			codersdk.FeatureUserLimit: json.Number("200"),
 			codersdk.FeatureAuditLog:  json.Number("1"),
+			codersdk.FeatureSCIM:      json.Number("1"),
 		}, licenses[1].Claims["features"])
 	})
 }
diff --git a/enterprise/coderd/scim.go b/enterprise/coderd/scim.go
diff --git a/enterprise/coderd/scim_test.go b/enterprise/coderd/scim_test.go
diff --git a/go.mod b/go.mod
diff --git a/go.sum b/go.sum

Original file line number	Diff line number	Diff line change
`@@ -378,7 +378,7 @@ func (api API) oauthLogin(r http.Request, params oauthLoginParams) (*http.Cook`
`378`	`378`	`organizationID = organizations[0].ID`
`379`	`379`	`}`
`380`	`380`
`381`		`- user, _, err = api.createUser(ctx, tx, createUserRequest{`
	`381`	`+ user, _, err = api.CreateUser(ctx, tx, CreateUserRequest{`
`382`	`382`	`CreateUserRequest: codersdk.CreateUserRequest{`
`383`	`383`	`Email: params.Email,`
`384`	`384`	`Username: params.Username,`
Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,7 @@ var Keys = map[string]ed25519.PublicKey{"2022-08-12": ed25519.PublicKey(key20220`
`47`	`47`	`type Features struct {`
`48`	`48`	UserLimit int64 `json:"user_limit"`
`49`	`49`	AuditLog int64 `json:"audit_log"`
	`50`	+ SCIM int64 `json:"scim"`
`50`	`51`	`}`
`51`	`52`
`52`	`53`	`type Claims struct {`