Keep track of who is allowed to modify users (we vs. SCIM)

[neongreen]

No description provided.

[fisx]

looks good to me so far!

[neongreen]

Changes in this PR

• New field managed_by for all users, with two possible options ("wire" and "scim"). Users with "scim" can't be edited from Brig, but can be edited from Spar. The managed_by field is exposed in the /self profile so that client apps can look at it and decide whether to allow changes to the profile, or not.

• New event ("managed_by was changed").

• New internal endpoint PUT /i/users/:uid/managed-by, intended to be used by Spar to "claim" a user who was not provisioned via SCIM but who will from now on be managed by SCIM.

• Some reshuffling around UserEvent (no visible changes but I would like for whoever is familiar with that code to take a look).

Planned changes in future PRs

• This PR keeps track of managed_by but doesn't enforce it. To enforce it I plan to create endpoints PUT /i/self, PUT /i/self/email, PUT /i/self/phone, ... and use them to make changes from Spar. Public endpoints would be checking managed_by first.

• New error type thrown by public endpoints (403 "read-only").

• New endpoint POST /scim/user-ownership/:uid <Bool> to convert an existing user into a SCIM user or relinquish the ownership. Relinquish. That's a nice word.

[neongreen]

Also pay attention to what exactly counts as a profile change:

-- | Who controls changes to the user profile.
data ManagedBy
      -- | The profile can be changed in-app; user doesn't show up via SCIM at all.
    = ManagedByWire
      -- | The profile can only be changed via SCIM, with several exceptions:
      --
      --  1. User properties can still be set (because they are used internally by clients).
      --  2. Password can be changed by the user (SCIM doesn't support setting passwords yet).
      --  3. The user can still be deleted normally (SCIM doesn't support deleting users yet).
      --
      -- There are some other things that SCIM can't do yet, like setting accent IDs, but they
      -- are not essential, unlike e.g. passwords.
    | ManagedBySCIM

I'm not sure whether these are reasonable exceptions.

[neongreen]

Also, it's not too late to change any of the names.

[fisx]

To enforce it I plan to create endpoints PUT /i/self, PUT /i/self/email, PUT /i/self/phone, ... and use them to make changes from Spar. Public endpoints would be checking managed_by first.

i would also check that the internal end-points only work on users managed by scim.

[fisx]

Nice, i didn't know this when i wrote the swagger DataType for Role, will fix.

Is the following better (automatically keeps in sync with changes in the type) or worse (convoluted and hard to read)? If better, I will change this everywhere in the code-base in a separate PR.

dataTypeFromBoundedEnum :: forall a proxy. (Bounded a, Enum a, Aeson.ToJSON a) => proxy a -> DataType
dataTypeFromBoundedEnum _ = string . enum $ unpack . Aeson.encode <$> [(minBound :: a)..]

role :: DataType
role = dataTypeFromBoundedEnum (Proxy @Role)

[neongreen]

I'd say it's better as long as dataTypeFromBoundedEnum has a haddock explaining that the Aeson instance is used.

I would also prefer to use AllowAmbiguousTypes and dataTypeFromBoundedEnum @Role, but this isn't important.

[neongreen]

i would also check that the internal end-points only work on users managed by scim.

This is reasonable in the context of this PR, but I would say that internal endpoints should try to be general-purpose tools unless there are severe reasons to do otherwise. Strong coupling between services (this is in Spar because Brig needs it, this is in Brig because Spar needs it, etc) makes it harder to reason about them in isolation, and Brig is already hard to reason about.

(Sidenote: ideally I'd have a separation between user-facing services – e.g. Captain and Spar – and everything else. User-facing services don't care about database states and whatever, internal services don't question orders coming down the chain of command. No sure if anybody else would agree with this vision though.)

[fisx]

(Sidenote: ideally I'd have a separation between user-facing services – e.g. Captain and Spar – and everything else. User-facing services don't care about database states and whatever, internal services don't question orders coming down the chain of command. No sure if anybody else would agree with this vision though.)

Sounds possibly reasonable. I would do that after fusing spar and galley, though.

[neongreen]

I would do that after fusing spar and galley, though.

You mean Brig and Galley?

[jschaul]

Can you define the profile? which attributes are part of it, which ones are not?

How do you intend to resolve the inconsistencies happening when at some point SCIM supports more things, but users have changed these already in Wire. Would those user-made changes then simply be reverted? (That's not very nice?).

[neongreen]

The profile = all user-editable attributes.

"properties" aren't a part of that because we (the backend) don't even know what is stored there. It looks like it's mostly per-client settings and therefore not something SCIM should ever be bothered with: https://github.com/wireapp/wire-webapp/blob/dev/app/script/properties/PropertiesType.js#L22-L41

I foresee no inconsistencies. The only user-visible thing we allow changing is passwords, but SCIM only works for SSO-enabled users who (IIRC) don't have passwords anyway. Also users will (should) be notified when their password is changed via SCIM, so it's not like they will have something reverted silently.

[neongreen]

(I will add an expanded version of this comment to the docs.)

[jschaul]

V57. Sorry!

[jschaul]

Couldn't this be set already at the time a user in brig is created, rather than afterwards with another, separate cassandra request?

[neongreen]

Yeah, initially I went that way but then reverted the change. I don't remember what was the reason for reverting it :/

I will try it out again and maybe I'll remember.

[neongreen]

@jschaul if you're still working, can you look at this one?

[neongreen]

(I pushed a commit that does that change)

[neongreen]

Note: setManagedBy is currently unused, but will be used in the next PR.

[fisx]

I would do that after fusing spar and galley, though.

You mean Brig and Galley?

yes, sorry. don't fuse spar! :)

[ChrisPenner]

Is it reasonable to pull out a helper:

typeName :: forall a. Typeable a => String
typeName = show $ typeRep @a

And use something like

withText (typeName @ManagedBy)

So we get a compile-time error here if the type is renamed?

I suppose this should all be covered by tests anyways; probably not worth it 🤷‍♂️

[fisx]

I don't think typeName will compile without a Proxy argument, but then it would work, and I am in favor of the idea.

[ChrisPenner]

@fisx We would need AllowAmbiguousTypes for it to compile; not sure if the team has opinions on that particular extension or not 🤷‍♂️ It's really only to avoid typing Proxy everywhere haha; so not a big deal either way and perhaps more confusing to new folks :P

I personally find it to be fine for small helpers like this

[ChrisPenner]

@neongreen Or am I misunderstanding the purpose of this string; does it need to match the type name exactly or is it actually just for error messages?

[neongreen]

I don't think typeName will compile without a Proxy argument

It will if you enable AllowAmbiguousTypes (which you should)

[neongreen]

This said, the type name doesn't really matter. It only shows up in Aeson error messages and I'm not sure that deviating from this "standard" way of writing JSON instances is worth it.

[ChrisPenner]

Just curious; do we tend to make all data strict? I presume it makes sense in most (if not all) cases; has anyone considered using a global StrictData pragma?

[neongreen]

do we tend to make all data strict

Yes.

has anyone considered using a global StrictData pragma?

I recall considering it when I first got here. Then I got scared of enabling it and decided not to spend more time on figuring out whether it's safe or not. I don't have any specific concerns in mind, though.

[ChrisPenner]

@neongreen It would either speed things up; slow things down, or neither haha; tough to say which without trying it.

[neongreen]

I'm just slightly worried that we might be relying on laziness in some place or other.

[ChrisPenner]

It's certainly possible; but if that's true the result will be either that the integration tests fail; or that we discover some place where we use laziness unexpectedly; If we do require it in some place we can explicitly denote it with ~ to make it lazy again;

Granted, this maybe just takes time that nobody has; just curious :)

[neongreen]

@jschaul did you look at the commit that addresses "couldn't this be set already at the time a user in brig is created"? It's not small enough for me to comfortably say "yeah this code has been reviewed".

45448d6