chore: keep active users active in scim (#13955)

* chore: scim should keep active users active * chore: add a unit test to excercise dormancy bug * audit log should not be dropped when there is no change * add ability to cancel audit log
2025-07-13 21:36:50 +00:00 · 2024-07-19 11:30:02 -10:00
parent 49d6d0f41b
commit 03c5d42233
3 changed files with 130 additions and 14 deletions
--- a/enterprise/coderd/scim_test.go
+++ b/enterprise/coderd/scim_test.go
@ -8,11 +8,13 @@ import (
 	"net/http"
 	"testing"

+	"github.com/golang-jwt/jwt/v4"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	"github.com/coder/coder/v2/coderd/audit"
 	"github.com/coder/coder/v2/coderd/coderdtest"
+	"github.com/coder/coder/v2/coderd/coderdtest/oidctest"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/cryptorand"
@ -364,5 +366,82 @@ func TestScim(t *testing.T) {
 			require.Len(t, userRes.Users, 1)
 			assert.Equal(t, codersdk.UserStatusSuspended, userRes.Users[0].Status)
 		})
+
+		// Create a user via SCIM, which starts as dormant.
+		// Log in as the user, making them active.
+		// Then patch the user again and the user should still be active.
+		t.Run("ActiveIsActive", func(t *testing.T) {
+			t.Parallel()
+
+			ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+			defer cancel()
+
+			scimAPIKey := []byte("hi")
+
+			mockAudit := audit.NewMock()
+			fake := oidctest.NewFakeIDP(t, oidctest.WithServing())
+			client, _ := coderdenttest.New(t, &coderdenttest.Options{
+				Options: &coderdtest.Options{
+					Auditor:    mockAudit,
+					OIDCConfig: fake.OIDCConfig(t, []string{}),
+				},
+				SCIMAPIKey:   scimAPIKey,
+				AuditLogging: true,
+				LicenseOptions: &coderdenttest.LicenseOptions{
+					AccountID: "coolin",
+					Features: license.Features{
+						codersdk.FeatureSCIM:     1,
+						codersdk.FeatureAuditLog: 1,
+					},
+				},
+			})
+			mockAudit.ResetLogs()
+
+			// User is dormant on create
+			sUser := makeScimUser(t)
+			res, err := client.Request(ctx, "POST", "/scim/v2/Users", sUser, setScimAuth(scimAPIKey))
+			require.NoError(t, err)
+			defer res.Body.Close()
+			assert.Equal(t, http.StatusOK, res.StatusCode)
+
+			err = json.NewDecoder(res.Body).Decode(&sUser)
+			require.NoError(t, err)
+
+			// Check the audit log
+			aLogs := mockAudit.AuditLogs()
+			require.Len(t, aLogs, 1)
+			assert.Equal(t, database.AuditActionCreate, aLogs[0].Action)
+
+			// Verify the user is dormant
+			scimUser, err := client.User(ctx, sUser.UserName)
+			require.NoError(t, err)
+			require.Equal(t, codersdk.UserStatusDormant, scimUser.Status, "user starts as dormant")
+
+			// Log in as the user, making them active
+			//nolint:bodyclose
+			scimUserClient, _ := fake.Login(t, client, jwt.MapClaims{
+				"email": sUser.Emails[0].Value,
+			})
+			scimUser, err = scimUserClient.User(ctx, codersdk.Me)
+			require.NoError(t, err)
+			require.Equal(t, codersdk.UserStatusActive, scimUser.Status, "user should now be active")
+
+			// Patch the user
+			mockAudit.ResetLogs()
+			res, err = client.Request(ctx, "PATCH", "/scim/v2/Users/"+sUser.ID, sUser, setScimAuth(scimAPIKey))
+			require.NoError(t, err)
+			_, _ = io.Copy(io.Discard, res.Body)
+			_ = res.Body.Close()
+			assert.Equal(t, http.StatusOK, res.StatusCode)
+
+			// Should be no audit logs since there is no diff
+			aLogs = mockAudit.AuditLogs()
+			require.Len(t, aLogs, 0)
+
+			// Verify the user is still active.
+			scimUser, err = client.User(ctx, sUser.UserName)
+			require.NoError(t, err)
+			require.Equal(t, codersdk.UserStatusActive, scimUser.Status, "user is still active")
+		})
 	})
 }