zitadel/internal/api/scim/server.go

package scim

import (
	"encoding/json"
	"net/http"
	"path"

	"github.com/gorilla/mux"
	"github.com/zitadel/logging"

	"github.com/zitadel/zitadel/internal/api/authz"
	zhttp "github.com/zitadel/zitadel/internal/api/http"
	zhttp_middlware "github.com/zitadel/zitadel/internal/api/http/middleware"
	sconfig "github.com/zitadel/zitadel/internal/api/scim/config"
	smiddleware "github.com/zitadel/zitadel/internal/api/scim/middleware"
	sresources "github.com/zitadel/zitadel/internal/api/scim/resources"
	"github.com/zitadel/zitadel/internal/api/scim/schemas"
	"github.com/zitadel/zitadel/internal/api/scim/serrors"
	"github.com/zitadel/zitadel/internal/command"
	"github.com/zitadel/zitadel/internal/crypto"
	"github.com/zitadel/zitadel/internal/query"
)

func NewServer(
	command *command.Commands,
	query *query.Queries,
	verifier *authz.ApiTokenVerifier,
	userCodeAlg crypto.EncryptionAlgorithm,
	config *sconfig.Config,
	middlewares ...zhttp_middlware.MiddlewareWithErrorFunc) http.Handler {
	verifier.RegisterServer("SCIM-V2", schemas.HandlerPrefix, AuthMapping)
	return buildHandler(command, query, userCodeAlg, config, middlewares...)
}

func buildHandler(
	command *command.Commands,
	query *query.Queries,
	userCodeAlg crypto.EncryptionAlgorithm,
	cfg *sconfig.Config,
	middlewares ...zhttp_middlware.MiddlewareWithErrorFunc) http.Handler {

	router := mux.NewRouter()

	// content type middleware needs to run at the very beginning to correctly set content types of errors
	middlewares = append([]zhttp_middlware.MiddlewareWithErrorFunc{smiddleware.ContentTypeMiddleware}, middlewares...)
	middlewares = append(middlewares, smiddleware.ScimContextMiddleware(query))
	scimMiddleware := zhttp_middlware.ChainedWithErrorHandler(serrors.ErrorHandler, middlewares...)
	mapResource(router, scimMiddleware, sresources.NewUsersHandler(command, query, userCodeAlg, cfg))
	return router
}

func mapResource[T sresources.ResourceHolder](router *mux.Router, mw zhttp_middlware.ErrorHandlerFunc, handler sresources.ResourceHandler[T]) {
	adapter := sresources.NewResourceHandlerAdapter[T](handler)
	resourceRouter := router.PathPrefix("/" + path.Join(zhttp.OrgIdInPathVariable, string(handler.ResourceNamePlural()))).Subrouter()

	resourceRouter.Handle("", mw(handleResourceCreatedResponse(adapter.Create))).Methods(http.MethodPost)
	resourceRouter.Handle("", mw(handleJsonResponse(adapter.List))).Methods(http.MethodGet)
	resourceRouter.Handle("/.search", mw(handleJsonResponse(adapter.List))).Methods(http.MethodPost)
	resourceRouter.Handle("/{id}", mw(handleResourceResponse(adapter.Get))).Methods(http.MethodGet)
	resourceRouter.Handle("/{id}", mw(handleResourceResponse(adapter.Replace))).Methods(http.MethodPut)
	resourceRouter.Handle("/{id}", mw(handleEmptyResponse(adapter.Update))).Methods(http.MethodPatch)
	resourceRouter.Handle("/{id}", mw(handleEmptyResponse(adapter.Delete))).Methods(http.MethodDelete)
}

func handleJsonResponse[T any](next func(r *http.Request) (T, error)) zhttp_middlware.HandlerFuncWithError {
	return func(w http.ResponseWriter, r *http.Request) error {
		entity, err := next(r)
		if err != nil {
			return err
		}

		err = json.NewEncoder(w).Encode(entity)
		logging.OnError(err).Warn("scim json response encoding failed")
		return nil
	}
}

func handleResourceCreatedResponse[T sresources.ResourceHolder](next func(*http.Request) (T, error)) zhttp_middlware.HandlerFuncWithError {
	return func(w http.ResponseWriter, r *http.Request) error {
		entity, err := next(r)
		if err != nil {
			return err
		}

		resource := entity.GetResource()
		w.Header().Set(zhttp.Location, resource.Meta.Location)
		w.WriteHeader(http.StatusCreated)

		err = json.NewEncoder(w).Encode(entity)
		logging.OnError(err).Warn("scim json response encoding failed")
		return nil
	}
}

func handleResourceResponse[T sresources.ResourceHolder](next func(*http.Request) (T, error)) zhttp_middlware.HandlerFuncWithError {
	return func(w http.ResponseWriter, r *http.Request) error {
		entity, err := next(r)
		if err != nil {
			return err
		}

		resource := entity.GetResource()
		w.Header().Set(zhttp.ContentLocation, resource.Meta.Location)

		err = json.NewEncoder(w).Encode(entity)
		logging.OnError(err).Warn("scim json response encoding failed")
		return nil
	}
}

func handleEmptyResponse(next func(*http.Request) error) zhttp_middlware.HandlerFuncWithError {
	return func(w http.ResponseWriter, r *http.Request) error {
		err := next(r)
		if err != nil {
			return err
		}

		w.WriteHeader(http.StatusNoContent)
		return nil
	}
}
feat: create user scim v2 endpoint (#9132) # Which Problems Are Solved - Adds infrastructure code (basic implementation, error handling, middlewares, ...) to implement the SCIM v2 interface - Adds support for the user create SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user create SCIM v2 endpoint under `POST /scim/v2/{orgID}/Users` # Additional Context Part of #8140 2025-01-09 12:46:36 +01:00			`package scim`

			`import (`
			`"encoding/json"`
			`"net/http"`
			`"path"`

			`"github.com/gorilla/mux"`
			`"github.com/zitadel/logging"`

			`"github.com/zitadel/zitadel/internal/api/authz"`
			`zhttp "github.com/zitadel/zitadel/internal/api/http"`
			`zhttp_middlware "github.com/zitadel/zitadel/internal/api/http/middleware"`
			`sconfig "github.com/zitadel/zitadel/internal/api/scim/config"`
			`smiddleware "github.com/zitadel/zitadel/internal/api/scim/middleware"`
			`sresources "github.com/zitadel/zitadel/internal/api/scim/resources"`
			`"github.com/zitadel/zitadel/internal/api/scim/schemas"`
			`"github.com/zitadel/zitadel/internal/api/scim/serrors"`
			`"github.com/zitadel/zitadel/internal/command"`
			`"github.com/zitadel/zitadel/internal/crypto"`
			`"github.com/zitadel/zitadel/internal/query"`
			`)`

			`func NewServer(`
			`command *command.Commands,`
			`query *query.Queries,`
			`verifier *authz.ApiTokenVerifier,`
			`userCodeAlg crypto.EncryptionAlgorithm,`
			`config *sconfig.Config,`
			`middlewares ...zhttp_middlware.MiddlewareWithErrorFunc) http.Handler {`
			`verifier.RegisterServer("SCIM-V2", schemas.HandlerPrefix, AuthMapping)`
			`return buildHandler(command, query, userCodeAlg, config, middlewares...)`
			`}`

			`func buildHandler(`
			`command *command.Commands,`
			`query *query.Queries,`
			`userCodeAlg crypto.EncryptionAlgorithm,`
			`cfg *sconfig.Config,`
			`middlewares ...zhttp_middlware.MiddlewareWithErrorFunc) http.Handler {`

			`router := mux.NewRouter()`

			`// content type middleware needs to run at the very beginning to correctly set content types of errors`
			`middlewares = append([]zhttp_middlware.MiddlewareWithErrorFunc{smiddleware.ContentTypeMiddleware}, middlewares...)`
			`middlewares = append(middlewares, smiddleware.ScimContextMiddleware(query))`
			`scimMiddleware := zhttp_middlware.ChainedWithErrorHandler(serrors.ErrorHandler, middlewares...)`
			`mapResource(router, scimMiddleware, sresources.NewUsersHandler(command, query, userCodeAlg, cfg))`
			`return router`
			`}`

			`func mapResource[T sresources.ResourceHolder](router *mux.Router, mw zhttp_middlware.ErrorHandlerFunc, handler sresources.ResourceHandler[T]) {`
			`adapter := sresources.NewResourceHandlerAdapter[T](handler)`
			`resourceRouter := router.PathPrefix("/" + path.Join(zhttp.OrgIdInPathVariable, string(handler.ResourceNamePlural()))).Subrouter()`

			`resourceRouter.Handle("", mw(handleResourceCreatedResponse(adapter.Create))).Methods(http.MethodPost)`
feat: list users scim v2 endpoint (#9187) # Which Problems Are Solved - Adds support for the list users SCIM v2 endpoint # How the Problems Are Solved - Adds support for the list users SCIM v2 endpoints under `GET /scim/v2/{orgID}/Users` and `POST /scim/v2/{orgID}/Users/.search` # Additional Changes - adds a new function `SearchUserMetadataForUsers` to the query layer to query a metadata keyset for given user ids - adds a new function `NewUserMetadataExistsQuery` to the query layer to query a given metadata key value pair exists - adds a new function `CountUsers` to the query layer to count users without reading any rows - handle `ErrorAlreadyExists` as scim errors `uniqueness` - adds `NumberLessOrEqual` and `NumberGreaterOrEqual` query comparison methods - adds `BytesQuery` with `BytesEquals` and `BytesNotEquals` query comparison methods # Additional Context Part of #8140 Supported fields for scim filters: * `meta.created` * `meta.lastModified` * `id` * `username` * `name.familyName` * `name.givenName` * `emails` and `emails.value` * `active` only eq and ne * `externalId` only eq and ne 2025-01-21 13:31:54 +01:00			`resourceRouter.Handle("", mw(handleJsonResponse(adapter.List))).Methods(http.MethodGet)`
			`resourceRouter.Handle("/.search", mw(handleJsonResponse(adapter.List))).Methods(http.MethodPost)`
feat: get user scim v2 endpoint (#9161) # Which Problems Are Solved - Adds support for the get user SCIM v2 endpoint # How the Problems Are Solved - Adds support for the get user SCIM v2 endpoint under `GET /scim/v2/{orgID}/Users/{id}` # Additional Context Part of #8140 Replaces https://github.com/zitadel/zitadel/pull/9154 as requested by the maintainers, discussions see https://github.com/zitadel/zitadel/pull/9154. 2025-01-10 12:15:06 +01:00			`resourceRouter.Handle("/{id}", mw(handleResourceResponse(adapter.Get))).Methods(http.MethodGet)`
feat: replace user scim v2 endpoint (#9163) # Which Problems Are Solved - Adds support for the replace user SCIM v2 endpoint # How the Problems Are Solved - Adds support for the replace user SCIM v2 endpoint under `PUT /scim/v2/{orgID}/Users/{id}` # Additional Changes - Respect the `Active` field in the SCIM v2 create user endpoint `POST /scim/v2/{orgID}/Users` - Eventually consistent read endpoints used in SCIM tests are wrapped in `assert.EventuallyWithT` to work around race conditions # Additional Context Part of #8140 2025-01-14 15:44:41 +01:00			`resourceRouter.Handle("/{id}", mw(handleResourceResponse(adapter.Replace))).Methods(http.MethodPut)`
feat: patch user scim v2 endpoint (#9219) # Which Problems Are Solved * Adds support for the patch user SCIM v2 endpoint # How the Problems Are Solved * Adds support for the patch user SCIM v2 endpoint under `PATCH /scim/v2/{orgID}/Users/{id}` # Additional Context Part of #8140 2025-01-27 13:36:07 +01:00			`resourceRouter.Handle("/{id}", mw(handleEmptyResponse(adapter.Update))).Methods(http.MethodPatch)`
feat: delete user scim v2 endpoint (#9151) # Which Problems Are Solved - Adds support for the user delete SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user delete SCIM v2 endpoint under `DELETE /scim/v2/{orgID}/Users/{id}` # Additional Context Part of #8140 2025-01-09 15:12:13 +01:00			`resourceRouter.Handle("/{id}", mw(handleEmptyResponse(adapter.Delete))).Methods(http.MethodDelete)`
feat: create user scim v2 endpoint (#9132) # Which Problems Are Solved - Adds infrastructure code (basic implementation, error handling, middlewares, ...) to implement the SCIM v2 interface - Adds support for the user create SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user create SCIM v2 endpoint under `POST /scim/v2/{orgID}/Users` # Additional Context Part of #8140 2025-01-09 12:46:36 +01:00			`}`

feat: list users scim v2 endpoint (#9187) # Which Problems Are Solved - Adds support for the list users SCIM v2 endpoint # How the Problems Are Solved - Adds support for the list users SCIM v2 endpoints under `GET /scim/v2/{orgID}/Users` and `POST /scim/v2/{orgID}/Users/.search` # Additional Changes - adds a new function `SearchUserMetadataForUsers` to the query layer to query a metadata keyset for given user ids - adds a new function `NewUserMetadataExistsQuery` to the query layer to query a given metadata key value pair exists - adds a new function `CountUsers` to the query layer to count users without reading any rows - handle `ErrorAlreadyExists` as scim errors `uniqueness` - adds `NumberLessOrEqual` and `NumberGreaterOrEqual` query comparison methods - adds `BytesQuery` with `BytesEquals` and `BytesNotEquals` query comparison methods # Additional Context Part of #8140 Supported fields for scim filters: * `meta.created` * `meta.lastModified` * `id` * `username` * `name.familyName` * `name.givenName` * `emails` and `emails.value` * `active` only eq and ne * `externalId` only eq and ne 2025-01-21 13:31:54 +01:00			`func handleJsonResponse[T any](next func(r *http.Request) (T, error)) zhttp_middlware.HandlerFuncWithError {`
			`return func(w http.ResponseWriter, r *http.Request) error {`
			`entity, err := next(r)`
			`if err != nil {`
			`return err`
			`}`

			`err = json.NewEncoder(w).Encode(entity)`
			`logging.OnError(err).Warn("scim json response encoding failed")`
			`return nil`
			`}`
			`}`

feat: create user scim v2 endpoint (#9132) # Which Problems Are Solved - Adds infrastructure code (basic implementation, error handling, middlewares, ...) to implement the SCIM v2 interface - Adds support for the user create SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user create SCIM v2 endpoint under `POST /scim/v2/{orgID}/Users` # Additional Context Part of #8140 2025-01-09 12:46:36 +01:00			`func handleResourceCreatedResponse[T sresources.ResourceHolder](next func(*http.Request) (T, error)) zhttp_middlware.HandlerFuncWithError {`
			`return func(w http.ResponseWriter, r *http.Request) error {`
			`entity, err := next(r)`
			`if err != nil {`
			`return err`
			`}`

			`resource := entity.GetResource()`
			`w.Header().Set(zhttp.Location, resource.Meta.Location)`
			`w.WriteHeader(http.StatusCreated)`

			`err = json.NewEncoder(w).Encode(entity)`
			`logging.OnError(err).Warn("scim json response encoding failed")`
			`return nil`
			`}`
			`}`
feat: delete user scim v2 endpoint (#9151) # Which Problems Are Solved - Adds support for the user delete SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user delete SCIM v2 endpoint under `DELETE /scim/v2/{orgID}/Users/{id}` # Additional Context Part of #8140 2025-01-09 15:12:13 +01:00
feat: get user scim v2 endpoint (#9161) # Which Problems Are Solved - Adds support for the get user SCIM v2 endpoint # How the Problems Are Solved - Adds support for the get user SCIM v2 endpoint under `GET /scim/v2/{orgID}/Users/{id}` # Additional Context Part of #8140 Replaces https://github.com/zitadel/zitadel/pull/9154 as requested by the maintainers, discussions see https://github.com/zitadel/zitadel/pull/9154. 2025-01-10 12:15:06 +01:00			`func handleResourceResponse[T sresources.ResourceHolder](next func(*http.Request) (T, error)) zhttp_middlware.HandlerFuncWithError {`
			`return func(w http.ResponseWriter, r *http.Request) error {`
			`entity, err := next(r)`
			`if err != nil {`
			`return err`
			`}`

			`resource := entity.GetResource()`
			`w.Header().Set(zhttp.ContentLocation, resource.Meta.Location)`

			`err = json.NewEncoder(w).Encode(entity)`
			`logging.OnError(err).Warn("scim json response encoding failed")`
			`return nil`
			`}`
			`}`

feat: delete user scim v2 endpoint (#9151) # Which Problems Are Solved - Adds support for the user delete SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user delete SCIM v2 endpoint under `DELETE /scim/v2/{orgID}/Users/{id}` # Additional Context Part of #8140 2025-01-09 15:12:13 +01:00			`func handleEmptyResponse(next func(*http.Request) error) zhttp_middlware.HandlerFuncWithError {`
			`return func(w http.ResponseWriter, r *http.Request) error {`
			`err := next(r)`
			`if err != nil {`
			`return err`
			`}`

			`w.WriteHeader(http.StatusNoContent)`
			`return nil`
			`}`
			`}`