package coderd import ( "crypto/subtle" "encoding/json" "net/http" "github.com/go-chi/chi/v5" "github.com/google/uuid" "github.com/imulab/go-scim/pkg/v2/handlerutil" scimjson "github.com/imulab/go-scim/pkg/v2/json" "github.com/imulab/go-scim/pkg/v2/service" "github.com/imulab/go-scim/pkg/v2/spec" agpl "github.com/coder/coder/coderd" "github.com/coder/coder/coderd/database" "github.com/coder/coder/coderd/httpapi" "github.com/coder/coder/codersdk" ) func (api *API) scimEnabledMW(next http.Handler) http.Handler { return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) { api.entitlementsMu.RLock() scim := api.entitlements.Features[codersdk.FeatureSCIM].Enabled api.entitlementsMu.RUnlock() if !scim { httpapi.RouteNotFound(rw) return } next.ServeHTTP(rw, r) }) } func (api *API) scimVerifyAuthHeader(r *http.Request) bool { hdr := []byte(r.Header.Get("Authorization")) return len(api.SCIMAPIKey) != 0 && subtle.ConstantTimeCompare(hdr, api.SCIMAPIKey) == 1 } // scimGetUsers intentionally always returns no users. This is done to always force // Okta to try and create each user individually, this way we don't need to // implement fetching users twice. // // @Summary SCIM 2.0: Get users // @ID scim-get-users // @Security CoderSessionToken // @Produce application/scim+json // @Tags Enterprise // @Success 200 // @Router /scim/v2/Users [post] // //nolint:revive func (api *API) scimGetUsers(rw http.ResponseWriter, r *http.Request) { if !api.scimVerifyAuthHeader(r) { _ = handlerutil.WriteError(rw, spec.Error{Status: http.StatusUnauthorized, Type: "invalidAuthorization"}) return } _ = handlerutil.WriteSearchResultToResponse(rw, &service.QueryResponse{ TotalResults: 0, StartIndex: 1, ItemsPerPage: 0, Resources: []scimjson.Serializable{}, }) } // scimGetUser intentionally always returns an error saying the user wasn't found. // This is done to always force Okta to try and create the user, this way we // don't need to implement fetching users twice. // // scimGetUsers intentionally always returns no users. This is done to always force // Okta to try and create each user individually, this way we don't need to // implement fetching users twice. // // @Summary SCIM 2.0: Get user by ID // @ID scim-get-user-by-id // @Security CoderSessionToken // @Produce application/scim+json // @Tags Enterprise // @Param id path string true "User ID" format(uuid) // @Failure 404 // @Router /scim/v2/Users/{id} [get] // //nolint:revive func (api *API) scimGetUser(rw http.ResponseWriter, r *http.Request) { if !api.scimVerifyAuthHeader(r) { _ = handlerutil.WriteError(rw, spec.Error{Status: http.StatusUnauthorized, Type: "invalidAuthorization"}) return } _ = handlerutil.WriteError(rw, spec.ErrNotFound) } // We currently use our own struct instead of using the SCIM package. This was // done mostly because the SCIM package was almost impossible to use. We only // need these fields, so it was much simpler to use our own struct. This was // tested only with Okta. type SCIMUser struct { Schemas []string `json:"schemas"` ID string `json:"id"` UserName string `json:"userName"` Name struct { GivenName string `json:"givenName"` FamilyName string `json:"familyName"` } `json:"name"` Emails []struct { Primary bool `json:"primary"` Value string `json:"value" format:"email"` Type string `json:"type"` Display string `json:"display"` } `json:"emails"` Active bool `json:"active"` Groups []interface{} `json:"groups"` Meta struct { ResourceType string `json:"resourceType"` } `json:"meta"` } // scimPostUser creates a new user, or returns the existing user if it exists. // // @Summary SCIM 2.0: Create new user // @ID scim-create-new-user // @Security CoderSessionToken // @Produce json // @Tags Enterprise // @Param request body coderd.SCIMUser true "New user" // @Success 200 {object} coderd.SCIMUser // @Router /scim/v2/Users [post] func (api *API) scimPostUser(rw http.ResponseWriter, r *http.Request) { ctx := r.Context() if !api.scimVerifyAuthHeader(r) { _ = handlerutil.WriteError(rw, spec.Error{Status: http.StatusUnauthorized, Type: "invalidAuthorization"}) return } var sUser SCIMUser err := json.NewDecoder(r.Body).Decode(&sUser) if err != nil { _ = handlerutil.WriteError(rw, err) return } email := "" for _, e := range sUser.Emails { if e.Primary { email = e.Value break } } if email == "" { _ = handlerutil.WriteError(rw, spec.Error{Status: http.StatusBadRequest, Type: "invalidEmail"}) return } user, _, err := api.AGPL.CreateUser(ctx, api.Database, agpl.CreateUserRequest{ CreateUserRequest: codersdk.CreateUserRequest{ Username: sUser.UserName, Email: email, }, LoginType: database.LoginTypeOIDC, }) if err != nil { _ = handlerutil.WriteError(rw, err) return } sUser.ID = user.ID.String() sUser.UserName = user.Username httpapi.Write(ctx, rw, http.StatusOK, sUser) } // scimPatchUser supports suspending and activating users only. // // @Summary SCIM 2.0: Update user account // @ID scim-update-user-status // @Security CoderSessionToken // @Produce application/scim+json // @Tags Enterprise // @Param id path string true "User ID" format(uuid) // @Param request body coderd.SCIMUser true "Update user request" // @Success 200 {object} codersdk.User // @Router /scim/v2/Users/{id} [patch] func (api *API) scimPatchUser(rw http.ResponseWriter, r *http.Request) { ctx := r.Context() if !api.scimVerifyAuthHeader(r) { _ = handlerutil.WriteError(rw, spec.Error{Status: http.StatusUnauthorized, Type: "invalidAuthorization"}) return } id := chi.URLParam(r, "id") var sUser SCIMUser err := json.NewDecoder(r.Body).Decode(&sUser) if err != nil { _ = handlerutil.WriteError(rw, err) return } sUser.ID = id uid, err := uuid.Parse(id) if err != nil { _ = handlerutil.WriteError(rw, spec.Error{Status: http.StatusBadRequest, Type: "invalidId"}) return } dbUser, err := api.Database.GetUserByID(ctx, uid) if err != nil { _ = handlerutil.WriteError(rw, err) return } var status database.UserStatus if sUser.Active { status = database.UserStatusActive } else { status = database.UserStatusSuspended } _, err = api.Database.UpdateUserStatus(r.Context(), database.UpdateUserStatusParams{ ID: dbUser.ID, Status: status, UpdatedAt: database.Now(), }) if err != nil { _ = handlerutil.WriteError(rw, err) return } httpapi.Write(ctx, rw, http.StatusOK, sUser) }