Thanks to visit codestin.com
Credit goes to github.com

Skip to content

chore: add scim service provider config endpoint #15235

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Oct 25, 2024
Merged

chore: add scim service provider config endpoint #15235

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
5091edb
chore: add scim service provider config endpoint
Emyrk Oct 25, 2024
c87c5b7
make gen
Emyrk Oct 25, 2024
5944163
linting
Emyrk Oct 25, 2024
ee31335
add route'
Emyrk Oct 25, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions coderd/apidoc/docs.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

13 changes: 13 additions & 0 deletions coderd/apidoc/swagger.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

18 changes: 18 additions & 0 deletions docs/reference/api/enterprise.md
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions enterprise/coderd/coderd.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -457,6 +457,7 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
r.Use(
api.scimEnabledMW,
)
r.Get("/ServiceProviderConfig", api.scimServiceProviderConfig)
r.Post("/Users", api.scimPostUser)
r.Route("/Users", func(r chi.Router) {
r.Get("/", api.scimGetUsers)
Expand Down
65 changes: 65 additions & 0 deletions enterprise/coderd/scim.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ import (
"database/sql"
"encoding/json"
"net/http"
"time"

"github.com/go-chi/chi/v5"
"github.com/google/uuid"
Expand All @@ -21,6 +22,7 @@ import (
"github.com/coder/coder/v2/coderd/database/dbtime"
"github.com/coder/coder/v2/coderd/httpapi"
"github.com/coder/coder/v2/codersdk"
"github.com/coder/coder/v2/enterprise/coderd/scim"
)

func (api *API) scimEnabledMW(next http.Handler) http.Handler {
Expand All @@ -40,6 +42,69 @@ func (api *API) scimVerifyAuthHeader(r *http.Request) bool {
return len(api.SCIMAPIKey) != 0 && subtle.ConstantTimeCompare(hdr, api.SCIMAPIKey) == 1
}

// scimServiceProviderConfig returns a static SCIM service provider configuration.
//
// @Summary SCIM 2.0: Service Provider Config
// @ID scim-get-service-provider-config
// @Produce application/scim+json
Comment on lines +47 to +49
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be able to use this now

Suggested change
// @Summary SCIM 2.0: Service Provider Config
// @ID scim-get-service-provider-config
// @Produce application/scim+json
// @Summary SCIM 2.0: Service Provider Config
// @ID scim-get-service-provider-config
// @Security Authorization
// @Produce application/scim+json

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh wait I'm stupid, disregard

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup no auth for this endpoint 👍

// @Tags Enterprise
// @Success 200
// @Router /scim/v2/ServiceProviderConfig [get]
func (api *API) scimServiceProviderConfig(rw http.ResponseWriter, _ *http.Request) {
// No auth needed to query this endpoint.

rw.Header().Set("Content-Type", spec.ApplicationScimJson)
rw.WriteHeader(http.StatusOK)

// providerUpdated is the last time the static provider config was updated.
// Increment this time if you make any changes to the provider config.
providerUpdated := time.Date(2024, 10, 25, 17, 0, 0, 0, time.UTC)
var location string
locURL, err := api.AccessURL.Parse("/scim/v2/ServiceProviderConfig")
if err == nil {
location = locURL.String()
}

enc := json.NewEncoder(rw)
enc.SetEscapeHTML(true)
_ = enc.Encode(scim.ServiceProviderConfig{
Schemas: []string{"urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"},
DocURI: "https://coder.com/docs/admin/users/oidc-auth#scim-enterprise-premium",
Patch: scim.Supported{
Supported: true,
},
Bulk: scim.BulkSupported{
Supported: false,
},
Filter: scim.FilterSupported{
Supported: false,
},
ChangePassword: scim.Supported{
Supported: false,
},
Sort: scim.Supported{
Supported: false,
},
ETag: scim.Supported{
Supported: false,
},
AuthSchemes: []scim.AuthenticationScheme{
{
Type: "oauthbearertoken",
Name: "HTTP Header Authentication",
Description: "Authentication scheme using the Authorization header with the shared token",
DocURI: "https://coder.com/docs/admin/users/oidc-auth#scim-enterprise-premium",
},
},
Meta: scim.ServiceProviderMeta{
Created: providerUpdated,
LastModified: providerUpdated,
Location: location,
ResourceType: "ServiceProviderConfig",
},
})
}

// scimGetUsers intentionally always returns no users. This is done to always force
// Okta to try and create each user individually, this way we don't need to
// implement fetching users twice.
Expand Down
46 changes: 46 additions & 0 deletions enterprise/coderd/scim/scimtypes.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
package scim

import "time"

type ServiceProviderConfig struct {
Schemas []string `json:"schemas"`
DocURI string `json:"documentationUri"`
Patch Supported `json:"patch"`
Bulk BulkSupported `json:"bulk"`
Filter FilterSupported `json:"filter"`
ChangePassword Supported `json:"changePassword"`
Sort Supported `json:"sort"`
ETag Supported `json:"etag"`
AuthSchemes []AuthenticationScheme `json:"authenticationSchemes"`
Meta ServiceProviderMeta `json:"meta"`
}

type ServiceProviderMeta struct {
Created time.Time `json:"created"`
LastModified time.Time `json:"lastModified"`
Location string `json:"location"`
ResourceType string `json:"resourceType"`
}

type Supported struct {
Supported bool `json:"supported"`
}

type BulkSupported struct {
Supported bool `json:"supported"`
MaxOp int `json:"maxOperations"`
MaxPayload int `json:"maxPayloadSize"`
}

type FilterSupported struct {
Supported bool `json:"supported"`
MaxResults int `json:"maxResults"`
}

type AuthenticationScheme struct {
Type string `json:"type"`
Name string `json:"name"`
Description string `json:"description"`
SpecURI string `json:"specUri"`
DocURI string `json:"documentationUri"`
}
8 changes: 7 additions & 1 deletion enterprise/coderd/scim_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -134,9 +134,15 @@ func TestScim(t *testing.T) {
})
mockAudit.ResetLogs()

// verify scim is enabled
res, err := client.Request(ctx, http.MethodGet, "/scim/v2/ServiceProviderConfig", nil)
require.NoError(t, err)
defer res.Body.Close()
require.Equal(t, http.StatusOK, res.StatusCode)

// when
sUser := makeScimUser(t)
res, err := client.Request(ctx, "POST", "/scim/v2/Users", sUser, setScimAuth(scimAPIKey))
res, err = client.Request(ctx, http.MethodPost, "/scim/v2/Users", sUser, setScimAuth(scimAPIKey))
require.NoError(t, err)
defer res.Body.Close()
require.Equal(t, http.StatusOK, res.StatusCode)
Expand Down
Loading