feat: create user scim v2 endpoint (#9132)

# Which Problems Are Solved - Adds infrastructure code (basic implementation, error handling, middlewares, ...) to implement the SCIM v2 interface - Adds support for the user create SCIM v2 endpoint # How the Problems Are Solved - Adds support for the user create SCIM v2 endpoint under `POST /scim/v2/{orgID}/Users` # Additional Context Part of #8140
2025-08-12 01:37:31 +00:00 · 2025-01-09 12:46:36 +01:00
parent 829f4543da
commit e621224ab2
44 changed files with 2412 additions and 48 deletions
--- a/internal/api/scim/integration_test/scim_test.go
+++ b/internal/api/scim/integration_test/scim_test.go
@@ -0,0 +1,28 @@
+//go:build integration
+
+package integration_test
+
+import (
+	"context"
+	"github.com/zitadel/zitadel/internal/integration"
+	"os"
+	"testing"
+	"time"
+)
+
+var (
+	Instance *integration.Instance
+	CTX      context.Context
+)
+
+func TestMain(m *testing.M) {
+	os.Exit(func() int {
+		ctx, cancel := context.WithTimeout(context.Background(), 15*time.Minute)
+		defer cancel()
+
+		Instance = integration.NewInstance(ctx)
+
+		CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner)
+		return m.Run()
+	}())
+}
--- a/internal/api/scim/integration_test/testdata/users_create_test_full.json
+++ b/internal/api/scim/integration_test/testdata/users_create_test_full.json
@@ -0,0 +1,116 @@
+{
+  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
+  "externalId": "701984",
+  "userName": "bjensen@example.com",
+  "name": {
+    "formatted": "Ms. Barbara J Jensen, III",
+    "familyName": "Jensen",
+    "givenName": "Barbara",
+    "middleName": "Jane",
+    "honorificPrefix": "Ms.",
+    "honorificSuffix": "III"
+  },
+  "displayName": "Babs Jensen",
+  "nickName": "Babs",
+  "profileUrl": "http://login.example.com/bjensen",
+  "emails": [
+    {
+      "value": "bjensen@example.com",
+      "type": "work",
+      "primary": true
+    },
+    {
+      "value": "babs@jensen.org",
+      "type": "home"
+    }
+  ],
+  "addresses": [
+    {
+      "type": "work",
+      "streetAddress": "100 Universal City Plaza",
+      "locality": "Hollywood",
+      "region": "CA",
+      "postalCode": "91608",
+      "country": "USA",
+      "formatted": "100 Universal City Plaza\nHollywood, CA 91608 USA",
+      "primary": true
+    },
+    {
+      "type": "home",
+      "streetAddress": "456 Hollywood Blvd",
+      "locality": "Hollywood",
+      "region": "CA",
+      "postalCode": "91608",
+      "country": "USA",
+      "formatted": "456 Hollywood Blvd\nHollywood, CA 91608 USA"
+    }
+  ],
+  "phoneNumbers": [
+    {
+      "value": "555-555-5555",
+      "type": "work",
+      "primary": true
+    },
+    {
+      "value": "555-555-4444",
+      "type": "mobile"
+    }
+  ],
+  "ims": [
+    {
+      "value": "someaimhandle",
+      "type": "aim"
+    },
+    {
+      "value": "twitterhandle",
+      "type": "X"
+    }
+  ],
+  "photos": [
+    {
+      "value":
+      "https://photos.example.com/profilephoto/72930000000Ccne/F",
+      "type": "photo"
+    },
+    {
+      "value":
+      "https://photos.example.com/profilephoto/72930000000Ccne/T",
+      "type": "thumbnail"
+    }
+  ],
+  "roles": [
+    {
+      "value": "my-role-1",
+      "display": "Rolle 1",
+      "type": "main-role",
+      "primary": true
+    },
+    {
+      "value": "my-role-2",
+      "display": "Rolle 2",
+      "type": "secondary-role",
+      "primary": false
+    }
+  ],
+  "entitlements": [
+    {
+      "value": "my-entitlement-1",
+      "display": "Entitlement 1",
+      "type": "main-entitlement",
+      "primary": true
+    },
+    {
+      "value": "my-entitlement-2",
+      "display": "Entitlement 2",
+      "type": "secondary-entitlement",
+      "primary": false
+    }
+  ],
+  "userType": "Employee",
+  "title": "Tour Guide",
+  "preferredLanguage": "en-US",
+  "locale": "en-US",
+  "timezone": "America/Los_Angeles",
+  "active":true,
+  "password": "Password1!"
+}
--- a/internal/api/scim/integration_test/testdata/users_create_test_invalid_locale.json
+++ b/internal/api/scim/integration_test/testdata/users_create_test_invalid_locale.json
@@ -0,0 +1,17 @@
+{
+  "schemas": [
+    "urn:ietf:params:scim:schemas:core:2.0:User"
+  ],
+  "userName": "acmeUser1",
+  "name": {
+    "familyName": "Ross",
+    "givenName": "Bethany"
+  },
+  "emails": [
+    {
+      "value": "user1@example.com",
+      "primary": true
+    }
+  ],
+  "locale": "fooBar"
+}
--- a/internal/api/scim/integration_test/testdata/users_create_test_invalid_password.json
+++ b/internal/api/scim/integration_test/testdata/users_create_test_invalid_password.json
@@ -0,0 +1,17 @@
+{
+  "schemas": [
+    "urn:ietf:params:scim:schemas:core:2.0:User"
+  ],
+  "userName": "acmeUser1",
+  "name": {
+    "familyName": "Ross",
+    "givenName": "Bethany"
+  },
+  "emails": [
+    {
+      "value": "user1@example.com",
+      "primary": true
+    }
+  ],
+  "password": "fooBar"
+}
--- a/internal/api/scim/integration_test/testdata/users_create_test_invalid_profile_url.json
+++ b/internal/api/scim/integration_test/testdata/users_create_test_invalid_profile_url.json
@@ -0,0 +1,17 @@
+{
+  "schemas": [
+    "urn:ietf:params:scim:schemas:core:2.0:User"
+  ],
+  "userName": "acmeUser1",
+  "name": {
+    "familyName": "Ross",
+    "givenName": "Bethany"
+  },
+  "emails": [
+    {
+      "value": "user1@example.com",
+      "primary": true
+    }
+  ],
+  "profileUrl": "ftp://login.example.com/bjensen"
+}
--- a/internal/api/scim/integration_test/testdata/users_create_test_invalid_timezone.json
+++ b/internal/api/scim/integration_test/testdata/users_create_test_invalid_timezone.json
@@ -0,0 +1,17 @@
+{
+  "schemas": [
+    "urn:ietf:params:scim:schemas:core:2.0:User"
+  ],
+  "userName": "acmeUser1",
+  "name": {
+    "familyName": "Ross",
+    "givenName": "Bethany"
+  },
+  "emails": [
+    {
+      "value": "user1@example.com",
+      "primary": true
+    }
+  ],
+  "timezone": "fooBar"
+}
--- a/internal/api/scim/integration_test/testdata/users_create_test_minimal.json
+++ b/internal/api/scim/integration_test/testdata/users_create_test_minimal.json
@@ -0,0 +1,16 @@
+{
+  "schemas": [
+    "urn:ietf:params:scim:schemas:core:2.0:User"
+  ],
+  "userName": "acmeUser1",
+  "name": {
+    "familyName": "Ross",
+    "givenName": "Bethany"
+  },
+  "emails": [
+    {
+      "value": "user1@example.com",
+      "primary": true
+    }
+  ]
+}
--- a/internal/api/scim/integration_test/testdata/users_create_test_missing_email.json
+++ b/internal/api/scim/integration_test/testdata/users_create_test_missing_email.json
@@ -0,0 +1,10 @@
+{
+  "schemas": [
+    "urn:ietf:params:scim:schemas:core:2.0:User"
+  ],
+  "userName": "acmeUser1",
+  "name": {
+    "familyName": "Ross",
+    "givenName": "Bethany"
+  }
+}
--- a/internal/api/scim/integration_test/testdata/users_create_test_missing_name.json
+++ b/internal/api/scim/integration_test/testdata/users_create_test_missing_name.json
@@ -0,0 +1,15 @@
+{
+  "schemas": [
+    "urn:ietf:params:scim:schemas:core:2.0:User"
+  ],
+  "userName": "acmeUser1",
+  "name": {
+    "givenName": "Bethany"
+  },
+  "emails": [
+    {
+      "value": "user1@example.com",
+      "primary": true
+    }
+  ]
+}
--- a/internal/api/scim/integration_test/testdata/users_create_test_missing_username.json
+++ b/internal/api/scim/integration_test/testdata/users_create_test_missing_username.json
@@ -0,0 +1,15 @@
+{
+  "schemas": [
+    "urn:ietf:params:scim:schemas:core:2.0:User"
+  ],
+  "name": {
+    "familyName": "Ross",
+    "givenName": "Bethany"
+  },
+  "emails": [
+    {
+      "value": "user1@example.com",
+      "primary": true
+    }
+  ]
+}
--- a/internal/api/scim/integration_test/users_create_test.go
+++ b/internal/api/scim/integration_test/users_create_test.go
@@ -0,0 +1,250 @@
+//go:build integration
+
+package integration_test
+
+import (
+	"context"
+	_ "embed"
+	"errors"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/zitadel/zitadel/internal/api/scim/schemas"
+	"github.com/zitadel/zitadel/internal/integration"
+	"github.com/zitadel/zitadel/internal/integration/scim"
+	"github.com/zitadel/zitadel/pkg/grpc/management"
+	"github.com/zitadel/zitadel/pkg/grpc/user/v2"
+	"google.golang.org/grpc/codes"
+	"net/http"
+	"path"
+	"strconv"
+	"testing"
+)
+
+var (
+	//go:embed testdata/users_create_test_minimal.json
+	minimalUserJson []byte
+
+	//go:embed testdata/users_create_test_full.json
+	fullUserJson []byte
+
+	//go:embed testdata/users_create_test_missing_username.json
+	missingUserNameUserJson []byte
+
+	//go:embed testdata/users_create_test_missing_name.json
+	missingNameUserJson []byte
+
+	//go:embed testdata/users_create_test_missing_email.json
+	missingEmailUserJson []byte
+
+	//go:embed testdata/users_create_test_invalid_password.json
+	invalidPasswordUserJson []byte
+
+	//go:embed testdata/users_create_test_invalid_profile_url.json
+	invalidProfileUrlUserJson []byte
+
+	//go:embed testdata/users_create_test_invalid_locale.json
+	invalidLocaleUserJson []byte
+
+	//go:embed testdata/users_create_test_invalid_timezone.json
+	invalidTimeZoneUserJson []byte
+)
+
+func TestCreateUser(t *testing.T) {
+	tests := []struct {
+		name          string
+		body          []byte
+		ctx           context.Context
+		wantErr       bool
+		scimErrorType string
+		errorStatus   int
+		zitadelErrID  string
+	}{
+		{
+			name: "minimal user",
+			body: minimalUserJson,
+		},
+		{
+			name: "full user",
+			body: fullUserJson,
+		},
+		{
+			name:          "missing userName",
+			wantErr:       true,
+			scimErrorType: "invalidValue",
+			body:          missingUserNameUserJson,
+		},
+		{
+			// this is an expected schema violation
+			name:          "missing name",
+			wantErr:       true,
+			scimErrorType: "invalidValue",
+			body:          missingNameUserJson,
+		},
+		{
+			name:          "missing email",
+			wantErr:       true,
+			scimErrorType: "invalidValue",
+			body:          missingEmailUserJson,
+		},
+		{
+			name:          "password complexity violation",
+			wantErr:       true,
+			scimErrorType: "invalidValue",
+			body:          invalidPasswordUserJson,
+		},
+		{
+			name:          "invalid profile url",
+			wantErr:       true,
+			scimErrorType: "invalidValue",
+			zitadelErrID:  "SCIM-htturl1",
+			body:          invalidProfileUrlUserJson,
+		},
+		{
+			name:          "invalid time zone",
+			wantErr:       true,
+			scimErrorType: "invalidValue",
+			body:          invalidTimeZoneUserJson,
+		},
+		{
+			name:          "invalid locale",
+			wantErr:       true,
+			scimErrorType: "invalidValue",
+			body:          invalidLocaleUserJson,
+		},
+		{
+			name:        "not authenticated",
+			body:        minimalUserJson,
+			ctx:         context.Background(),
+			wantErr:     true,
+			errorStatus: http.StatusUnauthorized,
+		},
+		{
+			name:        "no permissions",
+			body:        minimalUserJson,
+			ctx:         Instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
+			wantErr:     true,
+			errorStatus: http.StatusNotFound,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx := tt.ctx
+			if ctx == nil {
+				ctx = CTX
+			}
+
+			createdUser, err := Instance.Client.SCIM.Users.Create(ctx, Instance.DefaultOrg.Id, tt.body)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("CreateUser() error = %v, wantErr %v", err, tt.wantErr)
+			}
+
+			if err != nil {
+				assert.IsType(t, new(scim.ScimError), err)
+
+				var scimErr *scim.ScimError
+				errors.As(err, &scimErr)
+				assert.Equal(t, tt.scimErrorType, scimErr.ScimType)
+
+				statusCode := tt.errorStatus
+				if statusCode == 0 {
+					statusCode = http.StatusBadRequest
+				}
+				assert.Equal(t, strconv.Itoa(statusCode), scimErr.Status)
+
+				if tt.zitadelErrID != "" {
+					assert.Equal(t, tt.zitadelErrID, scimErr.ZitadelDetail.ID)
+				}
+
+				return
+			}
+
+			assert.NotEmpty(t, createdUser.ID)
+			assert.EqualValues(t, []schemas.ScimSchemaType{"urn:ietf:params:scim:schemas:core:2.0:User"}, createdUser.Resource.Schemas)
+			assert.Equal(t, schemas.ScimResourceTypeSingular("User"), createdUser.Resource.Meta.ResourceType)
+			assert.Equal(t, "http://"+Instance.Host()+path.Join(schemas.HandlerPrefix, Instance.DefaultOrg.Id, "Users", createdUser.ID), createdUser.Resource.Meta.Location)
+			assert.Nil(t, createdUser.Password)
+
+			_, err = Instance.Client.UserV2.DeleteUser(CTX, &user.DeleteUserRequest{UserId: createdUser.ID})
+			assert.NoError(t, err)
+		})
+	}
+}
+
+func TestCreateUser_duplicate(t *testing.T) {
+	createdUser, err := Instance.Client.SCIM.Users.Create(CTX, Instance.DefaultOrg.Id, minimalUserJson)
+	require.NoError(t, err)
+
+	_, err = Instance.Client.SCIM.Users.Create(CTX, Instance.DefaultOrg.Id, minimalUserJson)
+	require.Error(t, err)
+	assert.IsType(t, new(scim.ScimError), err)
+
+	var scimErr *scim.ScimError
+	errors.As(err, &scimErr)
+	assert.Equal(t, strconv.Itoa(http.StatusConflict), scimErr.Status)
+	assert.Equal(t, "User already exists", scimErr.Detail)
+
+	_, err = Instance.Client.UserV2.DeleteUser(CTX, &user.DeleteUserRequest{UserId: createdUser.ID})
+	require.NoError(t, err)
+}
+
+func TestCreateUser_metadata(t *testing.T) {
+	createdUser, err := Instance.Client.SCIM.Users.Create(CTX, Instance.DefaultOrg.Id, fullUserJson)
+	require.NoError(t, err)
+
+	md, err := Instance.Client.Mgmt.ListUserMetadata(CTX, &management.ListUserMetadataRequest{
+		Id: createdUser.ID,
+	})
+	require.NoError(t, err)
+
+	mdMap := make(map[string]string)
+	for i := range md.Result {
+		mdMap[md.Result[i].Key] = string(md.Result[i].Value)
+	}
+
+	integration.AssertMapContains(t, mdMap, "urn:zitadel:scim:name.honorificPrefix", "Ms.")
+	integration.AssertMapContains(t, mdMap, "urn:zitadel:scim:timezone", "America/Los_Angeles")
+	integration.AssertMapContains(t, mdMap, "urn:zitadel:scim:photos", `[{"value":"https://photos.example.com/profilephoto/72930000000Ccne/F","type":"photo"},{"value":"https://photos.example.com/profilephoto/72930000000Ccne/T","type":"thumbnail"}]`)
+	integration.AssertMapContains(t, mdMap, "urn:zitadel:scim:addresses", `[{"type":"work","streetAddress":"100 Universal City Plaza","locality":"Hollywood","region":"CA","postalCode":"91608","country":"USA","formatted":"100 Universal City Plaza\nHollywood, CA 91608 USA","primary":true},{"type":"home","streetAddress":"456 Hollywood Blvd","locality":"Hollywood","region":"CA","postalCode":"91608","country":"USA","formatted":"456 Hollywood Blvd\nHollywood, CA 91608 USA"}]`)
+	integration.AssertMapContains(t, mdMap, "urn:zitadel:scim:entitlements", `[{"value":"my-entitlement-1","display":"Entitlement 1","type":"main-entitlement","primary":true},{"value":"my-entitlement-2","display":"Entitlement 2","type":"secondary-entitlement"}]`)
+	integration.AssertMapContains(t, mdMap, "urn:zitadel:scim:externalId", "701984")
+	integration.AssertMapContains(t, mdMap, "urn:zitadel:scim:name.middleName", "Jane")
+	integration.AssertMapContains(t, mdMap, "urn:zitadel:scim:name.honorificSuffix", "III")
+	integration.AssertMapContains(t, mdMap, "urn:zitadel:scim:profileURL", "http://login.example.com/bjensen")
+	integration.AssertMapContains(t, mdMap, "urn:zitadel:scim:title", "Tour Guide")
+	integration.AssertMapContains(t, mdMap, "urn:zitadel:scim:locale", "en-US")
+	integration.AssertMapContains(t, mdMap, "urn:zitadel:scim:ims", `[{"value":"someaimhandle","type":"aim"},{"value":"twitterhandle","type":"X"}]`)
+	integration.AssertMapContains(t, mdMap, "urn:zitadel:scim:roles", `[{"value":"my-role-1","display":"Rolle 1","type":"main-role","primary":true},{"value":"my-role-2","display":"Rolle 2","type":"secondary-role"}]`)
+
+	_, err = Instance.Client.UserV2.DeleteUser(CTX, &user.DeleteUserRequest{UserId: createdUser.ID})
+	require.NoError(t, err)
+}
+
+func TestCreateUser_scopedExternalID(t *testing.T) {
+	_, err := Instance.Client.Mgmt.SetUserMetadata(CTX, &management.SetUserMetadataRequest{
+		Id:    Instance.Users.Get(integration.UserTypeOrgOwner).ID,
+		Key:   "urn:zitadel:scim:provisioning_domain",
+		Value: []byte("fooBar"),
+	})
+	require.NoError(t, err)
+
+	createdUser, err := Instance.Client.SCIM.Users.Create(CTX, Instance.DefaultOrg.Id, fullUserJson)
+	require.NoError(t, err)
+
+	// unscoped externalID should not exist
+	_, err = Instance.Client.Mgmt.GetUserMetadata(CTX, &management.GetUserMetadataRequest{
+		Id:  createdUser.ID,
+		Key: "urn:zitadel:scim:externalId",
+	})
+	integration.AssertGrpcStatus(t, codes.NotFound, err)
+
+	// scoped externalID should exist
+	md, err := Instance.Client.Mgmt.GetUserMetadata(CTX, &management.GetUserMetadataRequest{
+		Id:  createdUser.ID,
+		Key: "urn:zitadel:scim:fooBar:externalId",
+	})
+	require.NoError(t, err)
+	assert.Equal(t, "701984", string(md.Metadata.Value))
+
+	_, err = Instance.Client.UserV2.DeleteUser(CTX, &user.DeleteUserRequest{UserId: createdUser.ID})
+	require.NoError(t, err)
+}