feat: list users scim v2 endpoint

zitadel · Jan 15, 2025 · c87fc99 · c87fc99
1 parent d01d003
commit c87fc99
Show file tree

Hide file tree

Showing 33 changed files with 3,684 additions and 415 deletions.
diff --git a/go.mod b/go.mod
@@ -10,6 +10,7 @@ require (
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/trace v1.24.0
 	github.com/Masterminds/squirrel v1.5.4
 	github.com/ajstarks/svgo v0.0.0-20211024235047-1546f124cd8b
+	github.com/alecthomas/participle/v2 v2.1.1
 	github.com/alicebob/miniredis/v2 v2.33.0
 	github.com/benbjohnson/clock v1.3.5
 	github.com/boombuler/barcode v1.0.2

diff --git a/go.sum b/go.sum
@@ -49,6 +49,12 @@ github.com/ajstarks/deck v0.0.0-20200831202436-30c9fc6549a9/go.mod h1:JynElWSGnm
 github.com/ajstarks/deck/generate v0.0.0-20210309230005-c3f852c02e19/go.mod h1:T13YZdzov6OU0A1+RfKZiZN9ca6VeKdBdyDV+BY97Tk=
 github.com/ajstarks/svgo v0.0.0-20211024235047-1546f124cd8b h1:slYM766cy2nI3BwyRiyQj/Ud48djTMtMebDqepE95rw=
 github.com/ajstarks/svgo v0.0.0-20211024235047-1546f124cd8b/go.mod h1:1KcenG0jGWcpt8ov532z81sp/kMMUG485J2InIOyADM=
+github.com/alecthomas/assert/v2 v2.3.0 h1:mAsH2wmvjsuvyBvAmCtm7zFsBlb8mIHx5ySLVdDZXL0=
+github.com/alecthomas/assert/v2 v2.3.0/go.mod h1:pXcQ2Asjp247dahGEmsZ6ru0UVwnkhktn7S0bBDLxvQ=
+github.com/alecthomas/participle/v2 v2.1.1 h1:hrjKESvSqGHzRb4yW1ciisFJ4p3MGYih6icjJvbsmV8=
+github.com/alecthomas/participle/v2 v2.1.1/go.mod h1:Y1+hAs8DHPmc3YUFzqllV+eSQ9ljPTk0ZkPMtEdAx2c=
+github.com/alecthomas/repr v0.2.0 h1:HAzS41CIzNW5syS8Mf9UwXhNH1J9aix/BvDRf1Ml2Yk=
+github.com/alecthomas/repr v0.2.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -400,6 +406,8 @@ github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO
 github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
 github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
+github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
+github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/hudl/fargo v1.3.0/go.mod h1:y3CKSmjA+wD2gak7sUSXTAoopbhU08POFhmITJgmKTg=
 github.com/improbable-eng/grpc-web v0.15.0 h1:BN+7z6uNXZ1tQGcNAuaU1YjsLTApzkjt2tzCixLaUPQ=

diff --git a/internal/api/http/parser.go b/internal/api/http/parser.go
@@ -1,6 +1,7 @@
 package http
 
 import (
+	"errors"
 	"net/http"
 
 	"github.com/gorilla/schema"
@@ -26,3 +27,24 @@ func (p *Parser) Parse(r *http.Request, data interface{}) error {
 
 	return p.decoder.Decode(data, r.Form)
 }
+
+func (p *Parser) UnwrapParserError(err error) error {
+	if err == nil {
+		return nil
+	}
+
+	// try to unwrap the error
+	var multiErr schema.MultiError
+	if errors.As(err, &multiErr) && len(multiErr) == 1 {
+		for _, v := range multiErr {
+			var schemaErr schema.ConversionError
+			if errors.As(v, &schemaErr) {
+				return schemaErr.Err
+			}
+
+			return v
+		}
+	}
+
+	return err
+}
diff --git a/internal/api/scim/authz.go b/internal/api/scim/authz.go
@@ -10,6 +10,12 @@ var AuthMapping = authz.MethodMapping{
 	"POST:/scim/v2/" + http.OrgIdInPathVariable + "/Users": {
 		Permission: domain.PermissionUserWrite,
 	},
+	"POST:/scim/v2/" + http.OrgIdInPathVariable + "/Users/.search": {
+		Permission: domain.PermissionUserRead,
+	},
+	"GET:/scim/v2/" + http.OrgIdInPathVariable + "/Users": {
+		Permission: domain.PermissionUserRead,
+	},
 	"GET:/scim/v2/" + http.OrgIdInPathVariable + "/Users/{id}": {
 		Permission: domain.PermissionUserRead,
 	},

diff --git a/internal/api/scim/integration_test/users_create_test.go b/internal/api/scim/integration_test/users_create_test.go
@@ -13,6 +13,7 @@ import (
 	"github.com/zitadel/zitadel/internal/api/scim/schemas"
 	"github.com/zitadel/zitadel/internal/integration"
 	"github.com/zitadel/zitadel/internal/integration/scim"
+	"github.com/zitadel/zitadel/internal/test"
 	"github.com/zitadel/zitadel/pkg/grpc/management"
 	"github.com/zitadel/zitadel/pkg/grpc/user/v2"
 	"golang.org/x/text/language"
@@ -53,6 +54,104 @@ var (
 
 	//go:embed testdata/users_create_test_invalid_timezone.json
 	invalidTimeZoneUserJson []byte
+
+	fullUser = &resources.ScimUser{
+		ExternalID: "701984",
+		UserName:   "bjensen@example.com",
+		Name: &resources.ScimUserName{
+			Formatted:       "Babs Jensen", // DisplayName takes precedence in Zitadel
+			FamilyName:      "Jensen",
+			GivenName:       "Barbara",
+			MiddleName:      "Jane",
+			HonorificPrefix: "Ms.",
+			HonorificSuffix: "III",
+		},
+		DisplayName: "Babs Jensen",
+		NickName:    "Babs",
+		ProfileUrl:  test.Must(schemas.ParseHTTPURL("http://login.example.com/bjensen")),
+		Emails: []*resources.ScimEmail{
+			{
+				Value:   "bjensen@example.com",
+				Primary: true,
+			},
+		},
+		Addresses: []*resources.ScimAddress{
+			{
+				Type:          "work",
+				StreetAddress: "100 Universal City Plaza",
+				Locality:      "Hollywood",
+				Region:        "CA",
+				PostalCode:    "91608",
+				Country:       "USA",
+				Formatted:     "100 Universal City Plaza\nHollywood, CA 91608 USA",
+				Primary:       true,
+			},
+			{
+				Type:          "home",
+				StreetAddress: "456 Hollywood Blvd",
+				Locality:      "Hollywood",
+				Region:        "CA",
+				PostalCode:    "91608",
+				Country:       "USA",
+				Formatted:     "456 Hollywood Blvd\nHollywood, CA 91608 USA",
+			},
+		},
+		PhoneNumbers: []*resources.ScimPhoneNumber{
+			{
+				Value:   "+415555555555",
+				Primary: true,
+			},
+		},
+		Ims: []*resources.ScimIms{
+			{
+				Value: "someaimhandle",
+				Type:  "aim",
+			},
+			{
+				Value: "twitterhandle",
+				Type:  "X",
+			},
+		},
+		Photos: []*resources.ScimPhoto{
+			{
+				Value: *test.Must(schemas.ParseHTTPURL("https://photos.example.com/profilephoto/72930000000Ccne/F")),
+				Type:  "photo",
+			},
+		},
+		Roles: []*resources.ScimRole{
+			{
+				Value:   "my-role-1",
+				Display: "Rolle 1",
+				Type:    "main-role",
+				Primary: true,
+			},
+			{
+				Value:   "my-role-2",
+				Display: "Rolle 2",
+				Type:    "secondary-role",
+				Primary: false,
+			},
+		},
+		Entitlements: []*resources.ScimEntitlement{
+			{
+				Value:   "my-entitlement-1",
+				Display: "Entitlement 1",
+				Type:    "main-entitlement",
+				Primary: true,
+			},
+			{
+				Value:   "my-entitlement-2",
+				Display: "Entitlement 2",
+				Type:    "secondary-entitlement",
+				Primary: false,
+			},
+		},
+		Title:             "Tour Guide",
+		PreferredLanguage: language.MustParse("en-US"),
+		Locale:            "en-US",
+		Timezone:          "America/Los_Angeles",
+		Active:            gu.Ptr(true),
+	}
 )
 
 func TestCreateUser(t *testing.T) {
@@ -93,103 +192,7 @@ func TestCreateUser(t *testing.T) {
 		{
 			name: "full user",
 			body: fullUserJson,
-			want: &resources.ScimUser{
-				ExternalID: "701984",
-				UserName:   "bjensen@example.com",
-				Name: &resources.ScimUserName{
-					Formatted:       "Babs Jensen", // DisplayName takes precedence in Zitadel
-					FamilyName:      "Jensen",
-					GivenName:       "Barbara",
-					MiddleName:      "Jane",
-					HonorificPrefix: "Ms.",
-					HonorificSuffix: "III",
-				},
-				DisplayName: "Babs Jensen",
-				NickName:    "Babs",
-				ProfileUrl:  integration.Must(schemas.ParseHTTPURL("http://login.example.com/bjensen")),
-				Emails: []*resources.ScimEmail{
-					{
-						Value:   "bjensen@example.com",
-						Primary: true,
-					},
-				},
-				Addresses: []*resources.ScimAddress{
-					{
-						Type:          "work",
-						StreetAddress: "100 Universal City Plaza",
-						Locality:      "Hollywood",
-						Region:        "CA",
-						PostalCode:    "91608",
-						Country:       "USA",
-						Formatted:     "100 Universal City Plaza\nHollywood, CA 91608 USA",
-						Primary:       true,
-					},
-					{
-						Type:          "home",
-						StreetAddress: "456 Hollywood Blvd",
-						Locality:      "Hollywood",
-						Region:        "CA",
-						PostalCode:    "91608",
-						Country:       "USA",
-						Formatted:     "456 Hollywood Blvd\nHollywood, CA 91608 USA",
-					},
-				},
-				PhoneNumbers: []*resources.ScimPhoneNumber{
-					{
-						Value:   "+415555555555",
-						Primary: true,
-					},
-				},
-				Ims: []*resources.ScimIms{
-					{
-						Value: "someaimhandle",
-						Type:  "aim",
-					},
-					{
-						Value: "twitterhandle",
-						Type:  "X",
-					},
-				},
-				Photos: []*resources.ScimPhoto{
-					{
-						Value: *integration.Must(schemas.ParseHTTPURL("https://photos.example.com/profilephoto/72930000000Ccne/F")),
-						Type:  "photo",
-					},
-				},
-				Roles: []*resources.ScimRole{
-					{
-						Value:   "my-role-1",
-						Display: "Rolle 1",
-						Type:    "main-role",
-						Primary: true,
-					},
-					{
-						Value:   "my-role-2",
-						Display: "Rolle 2",
-						Type:    "secondary-role",
-						Primary: false,
-					},
-				},
-				Entitlements: []*resources.ScimEntitlement{
-					{
-						Value:   "my-entitlement-1",
-						Display: "Entitlement 1",
-						Type:    "main-entitlement",
-						Primary: true,
-					},
-					{
-						Value:   "my-entitlement-2",
-						Display: "Entitlement 2",
-						Type:    "secondary-entitlement",
-						Primary: false,
-					},
-				},
-				Title:             "Tour Guide",
-				PreferredLanguage: language.MustParse("en-US"),
-				Locale:            "en-US",
-				Timezone:          "America/Los_Angeles",
-				Active:            gu.Ptr(true),
-			},
+			want: fullUser,
 		},
 		{
 			name:          "missing userName",
@@ -288,7 +291,7 @@ func TestCreateUser(t *testing.T) {
 			assert.Nil(t, createdUser.Password)
 
 			if tt.want != nil {
-				if !integration.PartiallyDeepEqual(tt.want, createdUser) {
+				if !test.PartiallyDeepEqual(tt.want, createdUser) {
 					t.Errorf("CreateUser() got = %v, want %v", createdUser, tt.want)
 				}
 
@@ -297,7 +300,7 @@ func TestCreateUser(t *testing.T) {
 					// ensure the user is really stored and not just returned to the caller
 					fetchedUser, err := Instance.Client.SCIM.Users.Get(CTX, Instance.DefaultOrg.Id, createdUser.ID)
 					require.NoError(ttt, err)
-					if !integration.PartiallyDeepEqual(tt.want, fetchedUser) {
+					if !test.PartiallyDeepEqual(tt.want, fetchedUser) {
 						ttt.Errorf("GetUser() got = %v, want %v", fetchedUser, tt.want)
 					}
 				}, retryDuration, tick)
@@ -313,6 +316,7 @@ func TestCreateUser_duplicate(t *testing.T) {
 	_, err = Instance.Client.SCIM.Users.Create(CTX, Instance.DefaultOrg.Id, minimalUserJson)
 	scimErr := scim.RequireScimError(t, http.StatusConflict, err)
 	assert.Equal(t, "User already exists", scimErr.Error.Detail)
+	assert.Equal(t, "uniqueness", scimErr.Error.ScimType)
 
 	_, err = Instance.Client.UserV2.DeleteUser(CTX, &user.DeleteUserRequest{UserId: createdUser.ID})
 	require.NoError(t, err)
@@ -339,19 +343,19 @@ func TestCreateUser_metadata(t *testing.T) {
 			mdMap[md.Result[i].Key] = string(md.Result[i].Value)
 		}
 
-		integration.AssertMapContains(tt, mdMap, "urn:zitadel:scim:name.honorificPrefix", "Ms.")
-		integration.AssertMapContains(tt, mdMap, "urn:zitadel:scim:timezone", "America/Los_Angeles")
-		integration.AssertMapContains(tt, mdMap, "urn:zitadel:scim:photos", `[{"value":"https://photos.example.com/profilephoto/72930000000Ccne/F","type":"photo"},{"value":"https://photos.example.com/profilephoto/72930000000Ccne/T","type":"thumbnail"}]`)
-		integration.AssertMapContains(tt, mdMap, "urn:zitadel:scim:addresses", `[{"type":"work","streetAddress":"100 Universal City Plaza","locality":"Hollywood","region":"CA","postalCode":"91608","country":"USA","formatted":"100 Universal City Plaza\nHollywood, CA 91608 USA","primary":true},{"type":"home","streetAddress":"456 Hollywood Blvd","locality":"Hollywood","region":"CA","postalCode":"91608","country":"USA","formatted":"456 Hollywood Blvd\nHollywood, CA 91608 USA"}]`)
-		integration.AssertMapContains(tt, mdMap, "urn:zitadel:scim:entitlements", `[{"value":"my-entitlement-1","display":"Entitlement 1","type":"main-entitlement","primary":true},{"value":"my-entitlement-2","display":"Entitlement 2","type":"secondary-entitlement"}]`)
-		integration.AssertMapContains(tt, mdMap, "urn:zitadel:scim:externalId", "701984")
-		integration.AssertMapContains(tt, mdMap, "urn:zitadel:scim:name.middleName", "Jane")
-		integration.AssertMapContains(tt, mdMap, "urn:zitadel:scim:name.honorificSuffix", "III")
-		integration.AssertMapContains(tt, mdMap, "urn:zitadel:scim:profileURL", "http://login.example.com/bjensen")
-		integration.AssertMapContains(tt, mdMap, "urn:zitadel:scim:title", "Tour Guide")
-		integration.AssertMapContains(tt, mdMap, "urn:zitadel:scim:locale", "en-US")
-		integration.AssertMapContains(tt, mdMap, "urn:zitadel:scim:ims", `[{"value":"someaimhandle","type":"aim"},{"value":"twitterhandle","type":"X"}]`)
-		integration.AssertMapContains(tt, mdMap, "urn:zitadel:scim:roles", `[{"value":"my-role-1","display":"Rolle 1","type":"main-role","primary":true},{"value":"my-role-2","display":"Rolle 2","type":"secondary-role"}]`)
+		test.AssertMapContains(tt, mdMap, "urn:zitadel:scim:name.honorificPrefix", "Ms.")
+		test.AssertMapContains(tt, mdMap, "urn:zitadel:scim:timezone", "America/Los_Angeles")
+		test.AssertMapContains(tt, mdMap, "urn:zitadel:scim:photos", `[{"value":"https://photos.example.com/profilephoto/72930000000Ccne/F","type":"photo"},{"value":"https://photos.example.com/profilephoto/72930000000Ccne/T","type":"thumbnail"}]`)
+		test.AssertMapContains(tt, mdMap, "urn:zitadel:scim:addresses", `[{"type":"work","streetAddress":"100 Universal City Plaza","locality":"Hollywood","region":"CA","postalCode":"91608","country":"USA","formatted":"100 Universal City Plaza\nHollywood, CA 91608 USA","primary":true},{"type":"home","streetAddress":"456 Hollywood Blvd","locality":"Hollywood","region":"CA","postalCode":"91608","country":"USA","formatted":"456 Hollywood Blvd\nHollywood, CA 91608 USA"}]`)
+		test.AssertMapContains(tt, mdMap, "urn:zitadel:scim:entitlements", `[{"value":"my-entitlement-1","display":"Entitlement 1","type":"main-entitlement","primary":true},{"value":"my-entitlement-2","display":"Entitlement 2","type":"secondary-entitlement"}]`)
+		test.AssertMapContains(tt, mdMap, "urn:zitadel:scim:externalId", "701984")
+		test.AssertMapContains(tt, mdMap, "urn:zitadel:scim:name.middleName", "Jane")
+		test.AssertMapContains(tt, mdMap, "urn:zitadel:scim:name.honorificSuffix", "III")
+		test.AssertMapContains(tt, mdMap, "urn:zitadel:scim:profileURL", "http://login.example.com/bjensen")
+		test.AssertMapContains(tt, mdMap, "urn:zitadel:scim:title", "Tour Guide")
+		test.AssertMapContains(tt, mdMap, "urn:zitadel:scim:locale", "en-US")
+		test.AssertMapContains(tt, mdMap, "urn:zitadel:scim:ims", `[{"value":"someaimhandle","type":"aim"},{"value":"twitterhandle","type":"X"}]`)
+		test.AssertMapContains(tt, mdMap, "urn:zitadel:scim:roles", `[{"value":"my-role-1","display":"Rolle 1","type":"main-role","primary":true},{"value":"my-role-2","display":"Rolle 2","type":"secondary-role"}]`)
 	}, retryDuration, tick)
 }
 

diff --git a/internal/api/scim/integration_test/users_get_test.go b/internal/api/scim/integration_test/users_get_test.go
@@ -12,6 +12,7 @@ import (
 	"github.com/zitadel/zitadel/internal/api/scim/schemas"
 	"github.com/zitadel/zitadel/internal/integration"
 	"github.com/zitadel/zitadel/internal/integration/scim"
+	"github.com/zitadel/zitadel/internal/test"
 	"github.com/zitadel/zitadel/pkg/grpc/management"
 	"github.com/zitadel/zitadel/pkg/grpc/user/v2"
 	"golang.org/x/text/language"
@@ -91,7 +92,7 @@ func TestGetUser(t *testing.T) {
 				},
 				DisplayName:       "Babs Jensen",
 				NickName:          "Babs",
-				ProfileUrl:        integration.Must(schemas.ParseHTTPURL("http://login.example.com/bjensen")),
+				ProfileUrl:        test.Must(schemas.ParseHTTPURL("http://login.example.com/bjensen")),
 				Title:             "Tour Guide",
 				PreferredLanguage: language.Make("en-US"),
 				Locale:            "en-US",
@@ -142,11 +143,11 @@ func TestGetUser(t *testing.T) {
 				},
 				Photos: []*resources.ScimPhoto{
 					{
-						Value: *integration.Must(schemas.ParseHTTPURL("https://photos.example.com/profilephoto/72930000000Ccne/F")),
+						Value: *test.Must(schemas.ParseHTTPURL("https://photos.example.com/profilephoto/72930000000Ccne/F")),
 						Type:  "photo",
 					},
 					{
-						Value: *integration.Must(schemas.ParseHTTPURL("https://photos.example.com/profilephoto/72930000000Ccne/T")),
+						Value: *test.Must(schemas.ParseHTTPURL("https://photos.example.com/profilephoto/72930000000Ccne/T")),
 						Type:  "thumbnail",
 					},
 				},
@@ -254,7 +255,7 @@ func TestGetUser(t *testing.T) {
 				assert.Equal(ttt, schemas.ScimResourceTypeSingular("User"), fetchedUser.Resource.Meta.ResourceType)
 				assert.Equal(ttt, "http://"+Instance.Host()+path.Join(schemas.HandlerPrefix, Instance.DefaultOrg.Id, "Users", fetchedUser.ID), fetchedUser.Resource.Meta.Location)
 				assert.Nil(ttt, fetchedUser.Password)
-				if !integration.PartiallyDeepEqual(tt.want, fetchedUser) {
+				if !test.PartiallyDeepEqual(tt.want, fetchedUser) {
 					ttt.Errorf("GetUser() got = %#v, want %#v", fetchedUser, tt.want)
 				}
 			}, retryDuration, tick)