Towards getting scim production-ready #559
Conversation
correct me if i'm wrong, but NewUser has no Handle field, so this necessarily has to happen in two steps, no?
(Before this branch, it sometimes returned Nothing and something threw an exception. This is not much better. Now, all failures to find the user will yield Nothing, not an exception.)
fisx
force-pushed
the
fisx-resolve-scim-todos
branch
from
18c30b2
to
b937347
Compare
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
fisx
force-pushed
the
fisx-resolve-scim-todos
branch
from
b937347
to
d711cac
Compare
fisx
changed the title
fisx
force-pushed
the
fisx-resolve-scim-todos
branch
from
d711cac
to
b763612
Compare
neongreen
changed the title
services/spar/src/Spar/Data.hs
Outdated
| -- | ||
| -- NB: we can add optional columns in the future and extract parts of the json blob should the need | ||
| -- arise. For instance, if we want to support different versions of SCIM, we could extract | ||
| -- 'SCIM.User.schemas' and, throw an exception if the list of values is not supported, and store it |
There was a problem hiding this comment.
SCIM.User.schemas is no longer a part of User, though it's still present in JSON.
services/spar/src/Spar/Scim.hs
Outdated
| @@ -120,24 +120,26 @@ apiScim = hoistScim (toServant (Scim.siteServer configuration)) | |||
| ---------------------------------------------------------------------------- | |||
| -- UserDB | |||
|
|
|||
| -- | Retrieve 'IdP' from 'ScimTokenInfo' and call 'validateSCIMUser''. | |||
There was a problem hiding this comment.
No changes here, only the renaming.
services/spar/src/Spar/Scim.hs
Outdated
|
|
||
| -- | Map the SCIM data on the spar and brig schemata, and throw errors if | ||
| -- the SCIM data does not comply with the standard / our constraints. | ||
| -- See also: 'ValidSCIMUser'. |
There was a problem hiding this comment.
This comment has been extended.
| -- also ignore this model. Leaving @name@ empty will prevent the confusion that | ||
| -- might appear when somebody tries to set @name@ to some value and the | ||
| -- @displayName@ won't be affected by that change. | ||
| validateScimUser' |
There was a problem hiding this comment.
No changes again, just renaming.
services/spar/src/Spar/Scim.hs
Outdated
| SCIM.badRequest SCIM.InvalidValue (Just "userName is not compliant") | ||
| Scim.badRequest Scim.InvalidValue (Just "userName is not compliant") | ||
|
|
||
| -- See this function's documentation |
There was a problem hiding this comment.
We prohibit emails and phone numbers.
| let userid = scimUserId storedUser | ||
| putUser_ (Just tok) (Just userid) user' (env ^. teSpar) |
| muserid' <- runSparCass $ Data.getUser (vuser' ^. vsuSAMLUserRef) | ||
| liftIO $ do | ||
| muserid' `shouldBe` Just userid | ||
|
|
||
| it "maps ValidSCIMUser to Brig.User completely and correctly (including 'SAML.UserRef')." $ do | ||
| -- See validateScimUser' for why we don't allow this | ||
| it "doesn't allow setting emails or phone numbers" $ do |
There was a problem hiding this comment.
This test is new. Git mixed it up quite a bit so you might just want to read the two tests without the diff: https://github.com/wireapp/wire-server/blob/fisx-resolve-scim-todos/services/spar/test-integration/Test/Spar/ScimSpec.hs#L225-L253.
| @@ -216,10 +273,6 @@ specUsers = describe "operations with users" $ do | |||
| it "sets the 'deleted' flag in brig, and does nothing otherwise." $ do | |||
| pendingWith "really? how do we destroy the data then, and when?" | |||
|
|
|||
| describe "GET /Meta" $ do -- TODO: is that the end-point? it's about the 'getMeta' method. | |||
| suffix <- cs <$> replicateM 5 (getRandomR ('0', '9')) | ||
| emails <- replicateM 3 randomSCIMEmail |
There was a problem hiding this comment.
No emails because no emails.
| @@ -0,0 +1,82 @@ | |||
| {-# LANGUAGE DataKinds #-} | |||
There was a problem hiding this comment.
No changes here but Git thinks the file is new. I can't blame it.
services/spar/src/Spar/Scim.hs
Outdated
| -- __Emails and phone numbers:__ we prohibit emails and phone numbers for now, | ||
| -- because we'd like to ensure that only verified emails and phone numbers end | ||
| -- up in our database, and implementing verification requires design decisions | ||
| -- that we haven't made yet. |
There was a problem hiding this comment.
There is an issue here if we want to support email as the SAML subjectID, but we don't allow to store it. This should at least be mentioned here, and reject it here with a helpful error message, but we can resolve it later.
There was a problem hiding this comment.
actually, never mind the link i just gave. scim should know how to create a valid SubjectID, and if that even can be configured, then setting it to "email" is just not an option for now. so the error happens either in scim setup, or setup doesn't talk about this and there is only one way of computing UserRef from the scim schema.
Then we may still want to have a way to turn off implicit user creation.
| then pure Nothing | ||
| else pure scimuser | ||
| mbBrigUser <- lift (Intra.Brig.getUser uid) | ||
| if isJust mbBrigUser && (userTeam =<< mbBrigUser) == Just stiTeam |
There was a problem hiding this comment.
the isJust is redundant, but if you want to keep it for readability that's fine, too.
There was a problem hiding this comment.
Yeah, I want to keep it for readability.
This reverts commit 9220794.
No description provided.