mirror of https://github.com/coder/coder.git
300 lines
8.5 KiB
Go
300 lines
8.5 KiB
Go
package coderd
|
|
|
|
import (
|
|
"crypto/subtle"
|
|
"database/sql"
|
|
"encoding/json"
|
|
"net/http"
|
|
|
|
"github.com/go-chi/chi/v5"
|
|
"github.com/google/uuid"
|
|
"github.com/imulab/go-scim/pkg/v2/handlerutil"
|
|
scimjson "github.com/imulab/go-scim/pkg/v2/json"
|
|
"github.com/imulab/go-scim/pkg/v2/service"
|
|
"github.com/imulab/go-scim/pkg/v2/spec"
|
|
"golang.org/x/xerrors"
|
|
|
|
agpl "github.com/coder/coder/v2/coderd"
|
|
"github.com/coder/coder/v2/coderd/database"
|
|
"github.com/coder/coder/v2/coderd/database/dbauthz"
|
|
"github.com/coder/coder/v2/coderd/database/dbtime"
|
|
"github.com/coder/coder/v2/coderd/httpapi"
|
|
"github.com/coder/coder/v2/codersdk"
|
|
)
|
|
|
|
func (api *API) scimEnabledMW(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
|
api.entitlementsMu.RLock()
|
|
scim := api.entitlements.Features[codersdk.FeatureSCIM].Enabled
|
|
api.entitlementsMu.RUnlock()
|
|
|
|
if !scim {
|
|
httpapi.RouteNotFound(rw)
|
|
return
|
|
}
|
|
|
|
next.ServeHTTP(rw, r)
|
|
})
|
|
}
|
|
|
|
func (api *API) scimVerifyAuthHeader(r *http.Request) bool {
|
|
hdr := []byte(r.Header.Get("Authorization"))
|
|
|
|
return len(api.SCIMAPIKey) != 0 && subtle.ConstantTimeCompare(hdr, api.SCIMAPIKey) == 1
|
|
}
|
|
|
|
// scimGetUsers intentionally always returns no users. This is done to always force
|
|
// Okta to try and create each user individually, this way we don't need to
|
|
// implement fetching users twice.
|
|
//
|
|
// @Summary SCIM 2.0: Get users
|
|
// @ID scim-get-users
|
|
// @Security CoderSessionToken
|
|
// @Produce application/scim+json
|
|
// @Tags Enterprise
|
|
// @Success 200
|
|
// @Router /scim/v2/Users [get]
|
|
//
|
|
//nolint:revive
|
|
func (api *API) scimGetUsers(rw http.ResponseWriter, r *http.Request) {
|
|
if !api.scimVerifyAuthHeader(r) {
|
|
_ = handlerutil.WriteError(rw, spec.Error{Status: http.StatusUnauthorized, Type: "invalidAuthorization"})
|
|
return
|
|
}
|
|
|
|
_ = handlerutil.WriteSearchResultToResponse(rw, &service.QueryResponse{
|
|
TotalResults: 0,
|
|
StartIndex: 1,
|
|
ItemsPerPage: 0,
|
|
Resources: []scimjson.Serializable{},
|
|
})
|
|
}
|
|
|
|
// scimGetUser intentionally always returns an error saying the user wasn't found.
|
|
// This is done to always force Okta to try and create the user, this way we
|
|
// don't need to implement fetching users twice.
|
|
//
|
|
// @Summary SCIM 2.0: Get user by ID
|
|
// @ID scim-get-user-by-id
|
|
// @Security CoderSessionToken
|
|
// @Produce application/scim+json
|
|
// @Tags Enterprise
|
|
// @Param id path string true "User ID" format(uuid)
|
|
// @Failure 404
|
|
// @Router /scim/v2/Users/{id} [get]
|
|
//
|
|
//nolint:revive
|
|
func (api *API) scimGetUser(rw http.ResponseWriter, r *http.Request) {
|
|
if !api.scimVerifyAuthHeader(r) {
|
|
_ = handlerutil.WriteError(rw, spec.Error{Status: http.StatusUnauthorized, Type: "invalidAuthorization"})
|
|
return
|
|
}
|
|
|
|
_ = handlerutil.WriteError(rw, spec.ErrNotFound)
|
|
}
|
|
|
|
// We currently use our own struct instead of using the SCIM package. This was
|
|
// done mostly because the SCIM package was almost impossible to use. We only
|
|
// need these fields, so it was much simpler to use our own struct. This was
|
|
// tested only with Okta.
|
|
type SCIMUser struct {
|
|
Schemas []string `json:"schemas"`
|
|
ID string `json:"id"`
|
|
UserName string `json:"userName"`
|
|
Name struct {
|
|
GivenName string `json:"givenName"`
|
|
FamilyName string `json:"familyName"`
|
|
} `json:"name"`
|
|
Emails []struct {
|
|
Primary bool `json:"primary"`
|
|
Value string `json:"value" format:"email"`
|
|
Type string `json:"type"`
|
|
Display string `json:"display"`
|
|
} `json:"emails"`
|
|
Active bool `json:"active"`
|
|
Groups []interface{} `json:"groups"`
|
|
Meta struct {
|
|
ResourceType string `json:"resourceType"`
|
|
} `json:"meta"`
|
|
}
|
|
|
|
// scimPostUser creates a new user, or returns the existing user if it exists.
|
|
//
|
|
// @Summary SCIM 2.0: Create new user
|
|
// @ID scim-create-new-user
|
|
// @Security CoderSessionToken
|
|
// @Produce json
|
|
// @Tags Enterprise
|
|
// @Param request body coderd.SCIMUser true "New user"
|
|
// @Success 200 {object} coderd.SCIMUser
|
|
// @Router /scim/v2/Users [post]
|
|
func (api *API) scimPostUser(rw http.ResponseWriter, r *http.Request) {
|
|
ctx := r.Context()
|
|
if !api.scimVerifyAuthHeader(r) {
|
|
_ = handlerutil.WriteError(rw, spec.Error{Status: http.StatusUnauthorized, Type: "invalidAuthorization"})
|
|
return
|
|
}
|
|
|
|
var sUser SCIMUser
|
|
err := json.NewDecoder(r.Body).Decode(&sUser)
|
|
if err != nil {
|
|
_ = handlerutil.WriteError(rw, err)
|
|
return
|
|
}
|
|
|
|
email := ""
|
|
for _, e := range sUser.Emails {
|
|
if e.Primary {
|
|
email = e.Value
|
|
break
|
|
}
|
|
}
|
|
|
|
if email == "" {
|
|
_ = handlerutil.WriteError(rw, spec.Error{Status: http.StatusBadRequest, Type: "invalidEmail"})
|
|
return
|
|
}
|
|
|
|
//nolint:gocritic
|
|
dbUser, err := api.Database.GetUserByEmailOrUsername(dbauthz.AsSystemRestricted(ctx), database.GetUserByEmailOrUsernameParams{
|
|
Email: email,
|
|
Username: sUser.UserName,
|
|
})
|
|
if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
|
|
_ = handlerutil.WriteError(rw, err)
|
|
return
|
|
}
|
|
if err == nil {
|
|
sUser.ID = dbUser.ID.String()
|
|
sUser.UserName = dbUser.Username
|
|
|
|
if sUser.Active && dbUser.Status == database.UserStatusSuspended {
|
|
//nolint:gocritic
|
|
_, err = api.Database.UpdateUserStatus(dbauthz.AsSystemRestricted(r.Context()), database.UpdateUserStatusParams{
|
|
ID: dbUser.ID,
|
|
// The user will get transitioned to Active after logging in.
|
|
Status: database.UserStatusDormant,
|
|
UpdatedAt: dbtime.Now(),
|
|
})
|
|
if err != nil {
|
|
_ = handlerutil.WriteError(rw, err)
|
|
return
|
|
}
|
|
}
|
|
|
|
httpapi.Write(ctx, rw, http.StatusOK, sUser)
|
|
return
|
|
}
|
|
|
|
// The username is a required property in Coder. We make a best-effort
|
|
// attempt at using what the claims provide, but if that fails we will
|
|
// generate a random username.
|
|
usernameValid := httpapi.NameValid(sUser.UserName)
|
|
if usernameValid != nil {
|
|
// If no username is provided, we can default to use the email address.
|
|
// This will be converted in the from function below, so it's safe
|
|
// to keep the domain.
|
|
if sUser.UserName == "" {
|
|
sUser.UserName = email
|
|
}
|
|
sUser.UserName = httpapi.UsernameFrom(sUser.UserName)
|
|
}
|
|
|
|
var organizationID uuid.UUID
|
|
//nolint:gocritic
|
|
organizations, err := api.Database.GetOrganizations(dbauthz.AsSystemRestricted(ctx))
|
|
if err != nil {
|
|
_ = handlerutil.WriteError(rw, err)
|
|
return
|
|
}
|
|
|
|
if len(organizations) > 0 {
|
|
// Add the user to the first organization. Once multi-organization
|
|
// support is added, we should enable a configuration map of user
|
|
// email to organization.
|
|
organizationID = organizations[0].ID
|
|
}
|
|
|
|
//nolint:gocritic // needed for SCIM
|
|
dbUser, _, err = api.AGPL.CreateUser(dbauthz.AsSystemRestricted(ctx), api.Database, agpl.CreateUserRequest{
|
|
CreateUserRequest: codersdk.CreateUserRequest{
|
|
Username: sUser.UserName,
|
|
Email: email,
|
|
OrganizationID: organizationID,
|
|
},
|
|
LoginType: database.LoginTypeOIDC,
|
|
})
|
|
if err != nil {
|
|
_ = handlerutil.WriteError(rw, err)
|
|
return
|
|
}
|
|
|
|
sUser.ID = dbUser.ID.String()
|
|
sUser.UserName = dbUser.Username
|
|
|
|
httpapi.Write(ctx, rw, http.StatusOK, sUser)
|
|
}
|
|
|
|
// scimPatchUser supports suspending and activating users only.
|
|
//
|
|
// @Summary SCIM 2.0: Update user account
|
|
// @ID scim-update-user-status
|
|
// @Security CoderSessionToken
|
|
// @Produce application/scim+json
|
|
// @Tags Enterprise
|
|
// @Param id path string true "User ID" format(uuid)
|
|
// @Param request body coderd.SCIMUser true "Update user request"
|
|
// @Success 200 {object} codersdk.User
|
|
// @Router /scim/v2/Users/{id} [patch]
|
|
func (api *API) scimPatchUser(rw http.ResponseWriter, r *http.Request) {
|
|
ctx := r.Context()
|
|
if !api.scimVerifyAuthHeader(r) {
|
|
_ = handlerutil.WriteError(rw, spec.Error{Status: http.StatusUnauthorized, Type: "invalidAuthorization"})
|
|
return
|
|
}
|
|
|
|
id := chi.URLParam(r, "id")
|
|
|
|
var sUser SCIMUser
|
|
err := json.NewDecoder(r.Body).Decode(&sUser)
|
|
if err != nil {
|
|
_ = handlerutil.WriteError(rw, err)
|
|
return
|
|
}
|
|
sUser.ID = id
|
|
|
|
uid, err := uuid.Parse(id)
|
|
if err != nil {
|
|
_ = handlerutil.WriteError(rw, spec.Error{Status: http.StatusBadRequest, Type: "invalidId"})
|
|
return
|
|
}
|
|
|
|
//nolint:gocritic // needed for SCIM
|
|
dbUser, err := api.Database.GetUserByID(dbauthz.AsSystemRestricted(ctx), uid)
|
|
if err != nil {
|
|
_ = handlerutil.WriteError(rw, err)
|
|
return
|
|
}
|
|
|
|
var status database.UserStatus
|
|
if sUser.Active {
|
|
// The user will get transitioned to Active after logging in.
|
|
status = database.UserStatusDormant
|
|
} else {
|
|
status = database.UserStatusSuspended
|
|
}
|
|
|
|
//nolint:gocritic // needed for SCIM
|
|
_, err = api.Database.UpdateUserStatus(dbauthz.AsSystemRestricted(r.Context()), database.UpdateUserStatusParams{
|
|
ID: dbUser.ID,
|
|
Status: status,
|
|
UpdatedAt: dbtime.Now(),
|
|
})
|
|
if err != nil {
|
|
_ = handlerutil.WriteError(rw, err)
|
|
return
|
|
}
|
|
|
|
httpapi.Write(ctx, rw, http.StatusOK, sUser)
|
|
}
|