feat: list users scim v2 endpoint (#9187)

# Which Problems Are Solved - Adds support for the list users SCIM v2 endpoint # How the Problems Are Solved - Adds support for the list users SCIM v2 endpoints under `GET /scim/v2/{orgID}/Users` and `POST /scim/v2/{orgID}/Users/.search` # Additional Changes - adds a new function `SearchUserMetadataForUsers` to the query layer to query a metadata keyset for given user ids - adds a new function `NewUserMetadataExistsQuery` to the query layer to query a given metadata key value pair exists - adds a new function `CountUsers` to the query layer to count users without reading any rows - handle `ErrorAlreadyExists` as scim errors `uniqueness` - adds `NumberLessOrEqual` and `NumberGreaterOrEqual` query comparison methods - adds `BytesQuery` with `BytesEquals` and `BytesNotEquals` query comparison methods # Additional Context Part of #8140 Supported fields for scim filters: * `meta.created` * `meta.lastModified` * `id` * `username` * `name.familyName` * `name.givenName` * `emails` and `emails.value` * `active` only eq and ne * `externalId` only eq and ne
2025-08-12 00:47:33 +00:00 · 2025-01-21 13:31:54 +01:00
parent 926e7169b2
commit 1915d35605
37 changed files with 4173 additions and 417 deletions
--- a/internal/api/scim/serrors/errors.go
+++ b/internal/api/scim/serrors/errors.go
@@ -49,6 +49,13 @@ const (
 	// ScimTypeInvalidSyntax The request body message structure was invalid or did
 	// not conform to the request schema.
 	ScimTypeInvalidSyntax scimErrorType = "invalidSyntax"
+
+	// ScimTypeInvalidFilter The specified filter syntax as invalid, or the
+	// specified attribute and filter comparison combination is not supported.
+	ScimTypeInvalidFilter scimErrorType = "invalidFilter"
+
+	// ScimTypeUniqueness One or more of the attribute values are already in use or are reserved.
+	ScimTypeUniqueness scimErrorType = "uniqueness"
 )

 var translator *i18n.Translator
@@ -85,6 +92,22 @@ func ThrowInvalidSyntax(parent error) error {
 	}
 }

+func ThrowInvalidFilter(parent error) error {
+	return &wrappedScimError{
+		Parent:   parent,
+		ScimType: ScimTypeInvalidFilter,
+	}
+}
+
+func IsScimOrZitadelError(err error) bool {
+	return IsScimError(err) || zerrors.IsZitadelError(err)
+}
+
+func IsScimError(err error) bool {
+	var scimErr *wrappedScimError
+	return errors.As(err, &scimErr)
+}
+
 func (err *scimError) Error() string {
 	return fmt.Sprintf("SCIM Error: %s: %s", err.ScimType, err.Detail)
 }
@@ -134,6 +157,8 @@ func mapErrorToScimErrorType(err error) scimErrorType {
 	switch {
 	case zerrors.IsErrorInvalidArgument(err):
 		return ScimTypeInvalidValue
+	case zerrors.IsErrorAlreadyExists(err):
+		return ScimTypeUniqueness
 	default:
 		return ""
 	}