feat: create user scim v2 endpoint (#9132)

# Which Problems Are Solved - Adds infrastructure code (basic implementation, error handling, middlewares, ...) to implement the SCIM v2 interface - Adds support for the user create SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user create SCIM v2 endpoint under `POST /scim/v2/{orgID}/Users` # Additional Context Part of #8140
2025-08-11 21:27:42 +00:00 · 2025-01-09 12:46:36 +01:00
parent 829f4543da
commit e621224ab2
44 changed files with 2412 additions and 48 deletions
--- a/internal/api/http/header.go
+++ b/internal/api/http/header.go
@@ -5,6 +5,8 @@ import (
 	"net"
 	"net/http"
 	"strings"
+
+	"github.com/gorilla/mux"
 )

 const (
@@ -14,6 +16,7 @@ const (
 	CacheControl     = "cache-control"
 	ContentType      = "content-type"
 	ContentLength    = "content-length"
+	ContentLocation  = "content-location"
 	Expires          = "expires"
 	Location         = "location"
 	Origin           = "origin"
@@ -42,6 +45,9 @@ const (
 	PermissionsPolicy       = "permissions-policy"

 	ZitadelOrgID = "x-zitadel-orgid"
+
+	OrgIdInPathVariableName = "orgId"
+	OrgIdInPathVariable     = "{" + OrgIdInPathVariableName + "}"
 )

 type key int
@@ -104,6 +110,12 @@ func GetAuthorization(r *http.Request) string {
 }

 func GetOrgID(r *http.Request) string {
+	// path variable takes precedence over header
+	orgID, ok := mux.Vars(r)[OrgIdInPathVariableName]
+	if ok {
+		return orgID
+	}
+
 	return r.Header.Get(ZitadelOrgID)
 }

--- a/internal/api/http/middleware/auth_interceptor.go
+++ b/internal/api/http/middleware/auth_interceptor.go
@@ -2,12 +2,15 @@ package middleware

 import (
 	"context"
-	"errors"
 	"net/http"
+	"strings"
+
+	"github.com/gorilla/mux"

 	"github.com/zitadel/zitadel/internal/api/authz"
 	http_util "github.com/zitadel/zitadel/internal/api/http"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
+	"github.com/zitadel/zitadel/internal/zerrors"
 )

 type AuthInterceptor struct {
@@ -23,34 +26,40 @@ func AuthorizationInterceptor(verifier authz.APITokenVerifier, authConfig authz.
 }

 func (a *AuthInterceptor) Handler(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		ctx, err := authorize(r, a.verifier, a.authConfig)
-		if err != nil {
-			http.Error(w, err.Error(), http.StatusUnauthorized)
-			return
-		}
-		r = r.WithContext(ctx)
-		next.ServeHTTP(w, r)
-	})
+	return a.HandlerFunc(next)
 }

-func (a *AuthInterceptor) HandlerFunc(next http.HandlerFunc) http.HandlerFunc {
+func (a *AuthInterceptor) HandlerFunc(next http.Handler) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		ctx, err := authorize(r, a.verifier, a.authConfig)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusUnauthorized)
 			return
 		}
+
 		r = r.WithContext(ctx)
 		next.ServeHTTP(w, r)
 	}
 }

+func (a *AuthInterceptor) HandlerFuncWithError(next HandlerFuncWithError) HandlerFuncWithError {
+	return func(w http.ResponseWriter, r *http.Request) error {
+		ctx, err := authorize(r, a.verifier, a.authConfig)
+		if err != nil {
+			return err
+		}
+
+		r = r.WithContext(ctx)
+		return next(w, r)
+	}
+}
+
 type httpReq struct{}

 func authorize(r *http.Request, verifier authz.APITokenVerifier, authConfig authz.Config) (_ context.Context, err error) {
 	ctx := r.Context()
-	authOpt, needsToken := verifier.CheckAuthMethod(r.Method + ":" + r.RequestURI)
+
+	authOpt, needsToken := checkAuthMethod(r, verifier)
 	if !needsToken {
 		return ctx, nil
 	}
@@ -59,7 +68,7 @@ func authorize(r *http.Request, verifier authz.APITokenVerifier, authConfig auth

 	authToken := http_util.GetAuthorization(r)
 	if authToken == "" {
-		return nil, errors.New("auth header missing")
+		return nil, zerrors.ThrowUnauthenticated(nil, "AUT-1179", "auth header missing")
 	}

 	ctxSetter, err := authz.CheckUserAuthorization(authCtx, &httpReq{}, authToken, http_util.GetOrgID(r), "", verifier, authConfig, authOpt, r.RequestURI)
@@ -69,3 +78,30 @@ func authorize(r *http.Request, verifier authz.APITokenVerifier, authConfig auth
 	span.End()
 	return ctxSetter(ctx), nil
 }
+
+func checkAuthMethod(r *http.Request, verifier authz.APITokenVerifier) (authz.Option, bool) {
+	authOpt, needsToken := verifier.CheckAuthMethod(r.Method + ":" + r.RequestURI)
+	if needsToken {
+		return authOpt, true
+	}
+
+	route := mux.CurrentRoute(r)
+	if route == nil {
+		return authOpt, false
+	}
+
+	pathTemplate, err := route.GetPathTemplate()
+	if err != nil || pathTemplate == "" {
+		return authOpt, false
+	}
+
+	// the path prefix is usually handled in a router in upper layer
+	// trim the query and the path of the url to get the correct path prefix
+	pathPrefix := r.RequestURI
+	if i := strings.Index(pathPrefix, "?"); i != -1 {
+		pathPrefix = pathPrefix[0:i]
+	}
+	pathPrefix = strings.TrimSuffix(pathPrefix, r.URL.Path)
+
+	return verifier.CheckAuthMethod(r.Method + ":" + pathPrefix + pathTemplate)
+}
--- a/internal/api/http/middleware/handler.go
+++ b/internal/api/http/middleware/handler.go
@@ -0,0 +1,26 @@
+package middleware
+
+import "net/http"
+
+// HandlerFuncWithError is a http handler func which can return an error
+// the error should then get handled later on in the pipeline by an error handler
+// the error handler can be dependent on the interface standard (e.g. SCIM, Problem Details, ...)
+type HandlerFuncWithError = func(w http.ResponseWriter, r *http.Request) error
+
+// MiddlewareWithErrorFunc is a http middleware which can return an error
+// the error should then get handled later on in the pipeline by an error handler
+// the error handler can be dependent on the interface standard (e.g. SCIM, Problem Details, ...)
+type MiddlewareWithErrorFunc = func(HandlerFuncWithError) HandlerFuncWithError
+
+// ErrorHandlerFunc handles errors and returns a regular http handler
+type ErrorHandlerFunc = func(HandlerFuncWithError) http.Handler
+
+func ChainedWithErrorHandler(errorHandler ErrorHandlerFunc, middlewares ...MiddlewareWithErrorFunc) func(HandlerFuncWithError) http.Handler {
+	return func(next HandlerFuncWithError) http.Handler {
+		for i := len(middlewares) - 1; i >= 0; i-- {
+			next = middlewares[i](next)
+		}
+
+		return errorHandler(next)
+	}
+}
--- a/internal/api/http/middleware/instance_interceptor.go
+++ b/internal/api/http/middleware/instance_interceptor.go
@@ -34,43 +34,57 @@ func InstanceInterceptor(verifier authz.InstanceVerifier, externalDomain string,
 }

 func (a *instanceInterceptor) Handler(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		a.handleInstance(w, r, next)
-	})
+	return a.HandlerFunc(next)
 }

-func (a *instanceInterceptor) HandlerFunc(next http.HandlerFunc) http.HandlerFunc {
+func (a *instanceInterceptor) HandlerFunc(next http.Handler) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		a.handleInstance(w, r, next)
-	}
-}
-
-func (a *instanceInterceptor) handleInstance(w http.ResponseWriter, r *http.Request, next http.Handler) {
-	for _, prefix := range a.ignoredPrefixes {
-		if strings.HasPrefix(r.URL.Path, prefix) {
+		ctx, err := a.setInstanceIfNeeded(r.Context(), r)
+		if err == nil {
+			r = r.WithContext(ctx)
 			next.ServeHTTP(w, r)
 			return
 		}
-	}
-	ctx, err := setInstance(r, a.verifier)
-	if err != nil {
+
 		origin := zitadel_http.DomainContext(r.Context())
 		logging.WithFields("origin", origin.Origin(), "externalDomain", a.externalDomain).WithError(err).Error("unable to set instance")
+
 		zErr := new(zerrors.ZitadelError)
 		if errors.As(err, &zErr) {
 			zErr.SetMessage(a.translator.LocalizeFromRequest(r, zErr.GetMessage(), nil))
 			http.Error(w, fmt.Sprintf("unable to set instance using origin %s (ExternalDomain is %s): %s", origin, a.externalDomain, zErr), http.StatusNotFound)
 			return
 		}
+
 		http.Error(w, fmt.Sprintf("unable to set instance using origin %s (ExternalDomain is %s)", origin, a.externalDomain), http.StatusNotFound)
-		return
 	}
-	r = r.WithContext(ctx)
-	next.ServeHTTP(w, r)
 }

-func setInstance(r *http.Request, verifier authz.InstanceVerifier) (_ context.Context, err error) {
-	ctx := r.Context()
+func (a *instanceInterceptor) HandlerFuncWithError(next HandlerFuncWithError) HandlerFuncWithError {
+	return func(w http.ResponseWriter, r *http.Request) error {
+		ctx, err := a.setInstanceIfNeeded(r.Context(), r)
+		if err != nil {
+			origin := zitadel_http.DomainContext(r.Context())
+			logging.WithFields("origin", origin.Origin(), "externalDomain", a.externalDomain).WithError(err).Error("unable to set instance")
+			return err
+		}
+
+		r = r.WithContext(ctx)
+		return next(w, r)
+	}
+}
+
+func (a *instanceInterceptor) setInstanceIfNeeded(ctx context.Context, r *http.Request) (context.Context, error) {
+	for _, prefix := range a.ignoredPrefixes {
+		if strings.HasPrefix(r.URL.Path, prefix) {
+			return ctx, nil
+		}
+	}
+
+	return setInstance(ctx, a.verifier)
+}
+
+func setInstance(ctx context.Context, verifier authz.InstanceVerifier) (_ context.Context, err error) {
 	authCtx, span := tracing.NewServerInterceptorSpan(ctx)
 	defer func() { span.EndWithError(err) }()

--- a/internal/api/http/middleware/instance_interceptor_test.go
+++ b/internal/api/http/middleware/instance_interceptor_test.go
@@ -72,7 +72,7 @@ func Test_instanceInterceptor_Handler(t *testing.T) {
 				translator: newZitadelTranslator(),
 			}
 			next := &testHandler{}
-			got := a.HandlerFunc(next.ServeHTTP)
+			got := a.HandlerFunc(next)
 			rr := httptest.NewRecorder()
 			got.ServeHTTP(rr, tt.args.request)
 			assert.Equal(t, tt.res.statusCode, rr.Code)
@@ -136,7 +136,7 @@ func Test_instanceInterceptor_HandlerFunc(t *testing.T) {
 				translator: newZitadelTranslator(),
 			}
 			next := &testHandler{}
-			got := a.HandlerFunc(next.ServeHTTP)
+			got := a.HandlerFunc(next)
 			rr := httptest.NewRecorder()
 			got.ServeHTTP(rr, tt.args.request)
 			assert.Equal(t, tt.res.statusCode, rr.Code)
@@ -145,9 +145,78 @@ func Test_instanceInterceptor_HandlerFunc(t *testing.T) {
 	}
 }

+func Test_instanceInterceptor_HandlerFuncWithError(t *testing.T) {
+	type fields struct {
+		verifier authz.InstanceVerifier
+	}
+	type args struct {
+		request *http.Request
+	}
+	type res struct {
+		wantErr bool
+		context context.Context
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			"setInstance error",
+			fields{
+				verifier: &mockInstanceVerifier{},
+			},
+			args{
+				request: httptest.NewRequest("", "/url", nil),
+			},
+			res{
+				wantErr: true,
+				context: nil,
+			},
+		},
+		{
+			"setInstance ok",
+			fields{
+				verifier: &mockInstanceVerifier{instanceHost: "host"},
+			},
+			args{
+				request: func() *http.Request {
+					r := httptest.NewRequest("", "/url", nil)
+					r = r.WithContext(zitadel_http.WithDomainContext(r.Context(), &zitadel_http.DomainCtx{InstanceHost: "host"}))
+					return r
+				}(),
+			},
+			res{
+				context: authz.WithInstance(zitadel_http.WithDomainContext(context.Background(), &zitadel_http.DomainCtx{InstanceHost: "host"}), &mockInstance{}),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			a := &instanceInterceptor{
+				verifier:   tt.fields.verifier,
+				translator: newZitadelTranslator(),
+			}
+			var ctx context.Context
+			got := a.HandlerFuncWithError(func(w http.ResponseWriter, r *http.Request) error {
+				ctx = r.Context()
+				return nil
+			})
+			rr := httptest.NewRecorder()
+			err := got(rr, tt.args.request)
+			if (err != nil) != tt.res.wantErr {
+				t.Errorf("got error %v, want %v", err, tt.res.wantErr)
+			}
+
+			assert.Equal(t, tt.res.context, ctx)
+		})
+	}
+}
+
 func Test_setInstance(t *testing.T) {
 	type args struct {
-		r        *http.Request
+		ctx      context.Context
 		verifier authz.InstanceVerifier
 	}
 	type res struct {
@@ -162,10 +231,7 @@ func Test_setInstance(t *testing.T) {
 		{
 			"no domain context, not found error",
 			args{
-				r: func() *http.Request {
-					r := httptest.NewRequest("", "/url", nil)
-					return r
-				}(),
+				ctx:      context.Background(),
 				verifier: &mockInstanceVerifier{},
 			},
 			res{
@@ -176,10 +242,7 @@ func Test_setInstance(t *testing.T) {
 		{
 			"instanceHost found, ok",
 			args{
-				r: func() *http.Request {
-					r := httptest.NewRequest("", "/url", nil)
-					return r.WithContext(zitadel_http.WithDomainContext(r.Context(), &zitadel_http.DomainCtx{InstanceHost: "host", Protocol: "https"}))
-				}(),
+				ctx:      zitadel_http.WithDomainContext(context.Background(), &zitadel_http.DomainCtx{InstanceHost: "host", Protocol: "https"}),
 				verifier: &mockInstanceVerifier{instanceHost: "host"},
 			},
 			res{
@@ -190,10 +253,7 @@ func Test_setInstance(t *testing.T) {
 		{
 			"instanceHost not found, error",
 			args{
-				r: func() *http.Request {
-					r := httptest.NewRequest("", "/url", nil)
-					return r.WithContext(zitadel_http.WithDomainContext(r.Context(), &zitadel_http.DomainCtx{InstanceHost: "fromorigin:9999", Protocol: "https"}))
-				}(),
+				ctx:      zitadel_http.WithDomainContext(context.Background(), &zitadel_http.DomainCtx{InstanceHost: "fromorigin:9999", Protocol: "https"}),
 				verifier: &mockInstanceVerifier{instanceHost: "unknowndomain"},
 			},
 			res{
@@ -204,7 +264,7 @@ func Test_setInstance(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := setInstance(tt.args.r, tt.args.verifier)
+			got, err := setInstance(tt.args.ctx, tt.args.verifier)
 			if (err != nil) != tt.res.err {
 				t.Errorf("setInstance() error = %v, wantErr %v", err, tt.res.err)
 				return