feat: create user scim v2 endpoint (#9132)

# Which Problems Are Solved
- Adds infrastructure code (basic implementation, error handling,
middlewares, ...) to implement the SCIM v2 interface
- Adds support for the user create SCIM v2 endpoint

# How the Problems Are Solved
- Adds support for the user create SCIM v2 endpoint under `POST
/scim/v2/{orgID}/Users`

# Additional Context

Part of #8140

internal/integration/assert.go

@@ -6,6 +6,8 @@ import (
 
 	"github.com/pmezard/go-difflib/difflib"
 	"github.com/stretchr/testify/assert"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/timestamppb"
@@ -128,6 +130,13 @@ func AssertResourceListDetails[D ResourceListDetailsMsg](t assert.TestingT, expe
 	}
 }
 
+func AssertGrpcStatus(t assert.TestingT, expected codes.Code, err error) {
+	assert.Error(t, err)
+	statusErr, ok := status.FromError(err)
+	assert.True(t, ok)
+	assert.Equal(t, expected, statusErr.Code())
+}
+
 // EqualProto is inspired by [assert.Equal], only that it tests equality of a proto message.
 // A message diff is printed on the error test log if the messages are not equal.
 //
@@ -160,3 +169,9 @@ func diffProto(expected, actual proto.Message) string {
 	}
 	return "\n\nDiff:\n" + diff
 }
+
+func AssertMapContains[M ~map[K]V, K comparable, V any](t *testing.T, m M, key K, expectedValue V) {
+	val, exists := m[key]
+	assert.True(t, exists, "Key '%s' should exist in the map", key)
+	assert.Equal(t, expectedValue, val, "Key '%s' should have value '%d'", key, expectedValue)
+}

internal/integration/client.go

@@ -17,6 +17,7 @@ import (
 	"google.golang.org/protobuf/types/known/structpb"
 
 	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/integration/scim"
 	"github.com/zitadel/zitadel/pkg/grpc/admin"
 	"github.com/zitadel/zitadel/pkg/grpc/auth"
 	"github.com/zitadel/zitadel/pkg/grpc/feature/v2"
@@ -67,6 +68,7 @@ type Client struct {
 	IDPv2          idp_pb.IdentityProviderServiceClient
 	UserV3Alpha    user_v3alpha.ZITADELUsersClient
 	SAMLv2         saml_pb.SAMLServiceClient
+	SCIM           *scim.Client
 }
 
 func newClient(ctx context.Context, target string) (*Client, error) {
@@ -99,6 +101,7 @@ func newClient(ctx context.Context, target string) (*Client, error) {
 		IDPv2:          idp_pb.NewIdentityProviderServiceClient(cc),
 		UserV3Alpha:    user_v3alpha.NewZITADELUsersClient(cc),
 		SAMLv2:         saml_pb.NewSAMLServiceClient(cc),
+		SCIM:           scim.NewScimClient(target),
 	}
 	return client, client.pollHealth(ctx)
 }

internal/integration/scim/client.go

@@ -0,0 +1,133 @@
+package scim
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+	"path"
+
+	"github.com/zitadel/logging"
+	"google.golang.org/grpc/metadata"
+
+	zhttp "github.com/zitadel/zitadel/internal/api/http"
+	"github.com/zitadel/zitadel/internal/api/scim/middleware"
+	"github.com/zitadel/zitadel/internal/api/scim/resources"
+	"github.com/zitadel/zitadel/internal/api/scim/schemas"
+)
+
+type Client struct {
+	Users *ResourceClient
+}
+
+type ResourceClient struct {
+	client       *http.Client
+	baseUrl      string
+	resourceName string
+}
+
+type ScimError struct {
+	Schemas       []string            `json:"schemas"`
+	ScimType      string              `json:"scimType"`
+	Detail        string              `json:"detail"`
+	Status        string              `json:"status"`
+	ZitadelDetail *ZitadelErrorDetail `json:"urn:ietf:params:scim:api:zitadel:messages:2.0:ErrorDetail,omitempty"`
+}
+
+type ZitadelErrorDetail struct {
+	ID      string `json:"id"`
+	Message string `json:"message"`
+}
+
+func NewScimClient(target string) *Client {
+	target = "http://" + target + schemas.HandlerPrefix
+	client := &http.Client{}
+	return &Client{
+		Users: &ResourceClient{
+			client:       client,
+			baseUrl:      target,
+			resourceName: "Users",
+		},
+	}
+}
+
+func (c *ResourceClient) Create(ctx context.Context, orgID string, body []byte) (*resources.ScimUser, error) {
+	user := new(resources.ScimUser)
+	err := c.doWithBody(ctx, http.MethodPost, orgID, "", bytes.NewReader(body), user)
+	return user, err
+}
+
+func (c *ResourceClient) doWithBody(ctx context.Context, method, orgID, url string, body io.Reader, responseEntity interface{}) error {
+	req, err := http.NewRequestWithContext(ctx, method, c.buildURL(orgID, url), body)
+	if err != nil {
+		return err
+	}
+
+	req.Header.Set(zhttp.ContentType, middleware.ContentTypeScim)
+	return c.doReq(req, responseEntity)
+}
+
+func (c *ResourceClient) doReq(req *http.Request, responseEntity interface{}) error {
+	addTokenAsHeader(req)
+
+	resp, err := c.client.Do(req)
+	defer func() {
+		err := resp.Body.Close()
+		logging.OnError(err).Error("Failed to close response body")
+	}()
+
+	if err != nil {
+		return err
+	}
+
+	if (resp.StatusCode / 100) != 2 {
+		return readScimError(resp)
+	}
+
+	if responseEntity == nil {
+		return nil
+	}
+
+	err = readJson(responseEntity, resp)
+	return err
+}
+
+func addTokenAsHeader(req *http.Request) {
+	md, ok := metadata.FromOutgoingContext(req.Context())
+	if !ok {
+		return
+	}
+
+	req.Header.Set("Authorization", md.Get("Authorization")[0])
+}
+
+func readJson(entity interface{}, resp *http.Response) error {
+	defer func(body io.ReadCloser) {
+		err := body.Close()
+		logging.OnError(err).Panic("Failed to close response body")
+	}(resp.Body)
+
+	err := json.NewDecoder(resp.Body).Decode(entity)
+	logging.OnError(err).Panic("Failed decoding entity")
+	return err
+}
+
+func readScimError(resp *http.Response) error {
+	scimErr := new(ScimError)
+	readErr := readJson(scimErr, resp)
+	logging.OnError(readErr).Panic("Failed reading scim error")
+	return scimErr
+}
+
+func (c *ResourceClient) buildURL(orgID, segment string) string {
+	if segment == "" {
+		return c.baseUrl + "/" + path.Join(orgID, c.resourceName)
+	}
+
+	return c.baseUrl + "/" + path.Join(orgID, c.resourceName, segment)
+}
+
+func (err *ScimError) Error() string {
+	return "scim error: " + err.Detail
+}