From 2cab4b7cdabb3aeb4cef76b8483be2159a967e5c Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Mon, 15 Nov 2021 11:49:08 +0100 Subject: [PATCH] initial Signed-off-by: Jens Langhammer --- .vscode/settings.json | 2 +- authentik/api/schema.py | 11 + authentik/root/settings.py | 6 +- authentik/sources/scim/__init__.py | 0 authentik/sources/scim/api.py | 26 + authentik/sources/scim/apps.py | 12 + .../sources/scim/migrations/0001_initial.py | 42 + authentik/sources/scim/migrations/__init__.py | 0 authentik/sources/scim/models.py | 26 + authentik/sources/scim/schemas/schema.json | 1796 +++++++++++++++++ authentik/sources/scim/urls.py | 58 + authentik/sources/scim/views/__init__.py | 0 authentik/sources/scim/views/v2/__init__.py | 0 authentik/sources/scim/views/v2/auth.py | 41 + authentik/sources/scim/views/v2/base.py | 30 + authentik/sources/scim/views/v2/groups.py | 103 + .../sources/scim/views/v2/resource_types.py | 153 ++ authentik/sources/scim/views/v2/schemas.py | 52 + .../scim/views/v2/service_provider_config.py | 35 + authentik/sources/scim/views/v2/users.py | 151 ++ web/src/admin/sources/SourceViewPage.ts | 4 + web/src/pages/sources/scim/SCIMSourceForm.ts | 79 + .../pages/sources/scim/SCIMSourceViewPage.ts | 125 ++ 23 files changed, 2750 insertions(+), 2 deletions(-) create mode 100644 authentik/sources/scim/__init__.py create mode 100644 authentik/sources/scim/api.py create mode 100644 authentik/sources/scim/apps.py create mode 100644 authentik/sources/scim/migrations/0001_initial.py create mode 100644 authentik/sources/scim/migrations/__init__.py create mode 100644 authentik/sources/scim/models.py create mode 100644 authentik/sources/scim/schemas/schema.json create mode 100644 authentik/sources/scim/urls.py create mode 100644 authentik/sources/scim/views/__init__.py create mode 100644 authentik/sources/scim/views/v2/__init__.py create mode 100644 authentik/sources/scim/views/v2/auth.py create mode 100644 authentik/sources/scim/views/v2/base.py create mode 100644 authentik/sources/scim/views/v2/groups.py create mode 100644 authentik/sources/scim/views/v2/resource_types.py create mode 100644 authentik/sources/scim/views/v2/schemas.py create mode 100644 authentik/sources/scim/views/v2/service_provider_config.py create mode 100644 authentik/sources/scim/views/v2/users.py create mode 100644 web/src/pages/sources/scim/SCIMSourceForm.ts create mode 100644 web/src/pages/sources/scim/SCIMSourceViewPage.ts diff --git a/.vscode/settings.json b/.vscode/settings.json index e674c02b5..ab61102ba 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -17,7 +17,7 @@ "kubernetes", "sso", "slo", - "scim", + "scim" ], "python.linting.pylintEnabled": true, "todo-tree.tree.showCountsInTree": true, diff --git a/authentik/api/schema.py b/authentik/api/schema.py index e70caaf3e..67c4058d4 100644 --- a/authentik/api/schema.py +++ b/authentik/api/schema.py @@ -13,6 +13,8 @@ from rest_framework.settings import api_settings from authentik.api.pagination import PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA +from authentik.api.apps import AuthentikAPIConfig + def build_standard_type(obj, **kwargs): """Build a basic type with optional add owns.""" @@ -100,3 +102,12 @@ def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs): comp = result["components"]["schemas"][component] comp["additionalProperties"] = {} return result + + +def preprocess_schema_exclude_non_api(endpoints, **kwargs): + """Filter out all API Views which are not mounted under /api""" + return [ + (path, path_regex, method, callback) + for path, path_regex, method, callback in endpoints + if path.startswith("/" + AuthentikAPIConfig.mountpoint) + ] diff --git a/authentik/root/settings.py b/authentik/root/settings.py index 5c9e5bf45..19b9cc07e 100644 --- a/authentik/root/settings.py +++ b/authentik/root/settings.py @@ -82,8 +82,9 @@ INSTALLED_APPS = [ "authentik.sources.oauth", "authentik.sources.plex", "authentik.sources.saml", - "authentik.stages.authenticator", + "authentik.sources.scim", "authentik.stages.authenticator_duo", + "authentik.stages.authenticator", "authentik.stages.authenticator_sms", "authentik.stages.authenticator_static", "authentik.stages.authenticator_totp", @@ -146,6 +147,9 @@ SPECTACULAR_SETTINGS = { "UserTypeEnum": "authentik.core.models.UserTypes", }, "ENUM_ADD_EXPLICIT_BLANK_NULL_CHOICE": False, + "PREPROCESSING_HOOKS": [ + "authentik.api.schema.preprocess_schema_exclude_non_api", + ], "POSTPROCESSING_HOOKS": [ "authentik.api.schema.postprocess_schema_responses", "drf_spectacular.hooks.postprocess_schema_enums", diff --git a/authentik/sources/scim/__init__.py b/authentik/sources/scim/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/authentik/sources/scim/api.py b/authentik/sources/scim/api.py new file mode 100644 index 000000000..98d665692 --- /dev/null +++ b/authentik/sources/scim/api.py @@ -0,0 +1,26 @@ +"""SCIMSource API Views""" +from rest_framework.viewsets import ModelViewSet + +from authentik.core.api.sources import SourceSerializer +from authentik.core.api.used_by import UsedByMixin +from authentik.sources.scim.models import SCIMSource + + +class SCIMSourceSerializer(SourceSerializer): + """SCIMSource Serializer""" + + class Meta: + + model = SCIMSource + fields = SourceSerializer.Meta.fields + ["token"] + + +class SCIMSourceViewSet(UsedByMixin, ModelViewSet): + """SCIMSource Viewset""" + + queryset = SCIMSource.objects.all() + serializer_class = SCIMSourceSerializer + lookup_field = "slug" + filterset_fields = "__all__" + search_fields = ["name", "slug"] + ordering = ["name"] diff --git a/authentik/sources/scim/apps.py b/authentik/sources/scim/apps.py new file mode 100644 index 000000000..89f943180 --- /dev/null +++ b/authentik/sources/scim/apps.py @@ -0,0 +1,12 @@ +"""Authentik SCIM app config""" + +from django.apps import AppConfig + + +class AuthentikSourceSCIMConfig(AppConfig): + """authentik SCIM Source app config""" + + name = "authentik.sources.scim" + label = "authentik_sources_scim" + verbose_name = "authentik Sources.SCIM" + mountpoint = "source/scim/" diff --git a/authentik/sources/scim/migrations/0001_initial.py b/authentik/sources/scim/migrations/0001_initial.py new file mode 100644 index 000000000..caee869d8 --- /dev/null +++ b/authentik/sources/scim/migrations/0001_initial.py @@ -0,0 +1,42 @@ +# Generated by Django 3.2.9 on 2021-11-15 12:51 + +import django.db.models.deletion +from django.db import migrations, models + + +class Migration(migrations.Migration): + + initial = True + + dependencies = [ + ("authentik_core", "0018_auto_20210330_1345_squashed_0028_alter_token_intent"), + ] + + operations = [ + migrations.CreateModel( + name="SCIMSource", + fields=[ + ( + "source_ptr", + models.OneToOneField( + auto_created=True, + on_delete=django.db.models.deletion.CASCADE, + parent_link=True, + primary_key=True, + serialize=False, + to="authentik_core.source", + ), + ), + ( + "token", + models.ForeignKey( + on_delete=django.db.models.deletion.CASCADE, to="authentik_core.token" + ), + ), + ], + options={ + "abstract": False, + }, + bases=("authentik_core.source",), + ), + ] diff --git a/authentik/sources/scim/migrations/__init__.py b/authentik/sources/scim/migrations/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/authentik/sources/scim/models.py b/authentik/sources/scim/models.py new file mode 100644 index 000000000..e487f7298 --- /dev/null +++ b/authentik/sources/scim/models.py @@ -0,0 +1,26 @@ +"""SCIM Source""" +from django.db import models +from rest_framework.serializers import BaseSerializer + +from authentik.core.models import Source, Token + +USER_ATTRIBUTE_SCIM_ID = "goauthentik.io/sources/scim/id" +USER_ATTRIBUTE_SCIM_ADDRESS = "goauthentik.io/sources/scim/address" +USER_ATTRIBUTE_SCIM_ENTERPRISE = "goauthentik.io/sources/scim/enterprise" + + +class SCIMSource(Source): + """SCIM Source""" + + token = models.ForeignKey(Token, on_delete=models.CASCADE) + + @property + def component(self) -> str: + """Return component used to edit this object""" + return "ak-source-scim-form" + + @property + def serializer(self) -> BaseSerializer: + from authentik.sources.scim.api import SCIMSourceSerializer + + return SCIMSourceSerializer diff --git a/authentik/sources/scim/schemas/schema.json b/authentik/sources/scim/schemas/schema.json new file mode 100644 index 000000000..dc9cc2c9a --- /dev/null +++ b/authentik/sources/scim/schemas/schema.json @@ -0,0 +1,1796 @@ +[ + { + "id": "urn:ietf:params:scim:schemas:core:2.0:Meta", + "name": "Meta", + "description": "A complex attribute containing resource metadata. All \"meta\" sub-attributes are assigned, by the service provider (have a \"mutability\" of \"readOnly\"), and all of these sub-attributes have a \"returned\" characteristic of \"default\". This attribute SHALL be ignored when provided by clients. ", + "attributes": [ + { + "name": "meta", + "type": "complex", + "multiValued": false, + "description": "the meta attribute", + "required": false, + "caseExact": true, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none", + "subAttributes": [ + { + "name": "resourceType", + "type": "string", + "multiValued": false, + "description": "The name of the resource type of the resource. This attribute has a mutability of \"readOnly\" and \"caseExact\" as \"True\".", + "required": false, + "caseExact": true, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "created", + "type": "dateTime", + "multiValued": false, + "description": "The \"DateTime\" that the resource was added to the service provider. This attribute MUST be a DateTime.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "lastModified", + "type": "dateTime", + "multiValued": false, + "description": "The most recent DateTime that the details of this resource were updated at the service provider. If this resource has never been modified since its initial creation, the value MUST be the same as the value of \"created\".", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "location", + "type": "reference", + "multiValued": false, + "description": "The URI of the resource being returned. This value MUST be the same as the \"Content-Location\" HTTP response header (see Section 3.1.4.2 of [RFC7231])", + "required": false, + "caseExact": true, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none", + "referenceTypes": ["uri"] + }, + { + "name": "version", + "type": "string", + "multiValued": false, + "description": "The version of the resource being returned. This value must be the same as the entity-tag (ETag) HTTP response header (see Sections 2.1 and 2.3 of [RFC7232]). This attribute has \"caseExact\" as \"True\". Service provider support for this attribute is optional and subject to the service provider's support for versioning (see Section 3.14 of [RFC7644]). If a service provider provides \"version\" (entity-tag) for a representation and the generation of that entity-tag does not satisfy all of the characteristics of a strong validator (see Section 2.1 of [RFC7232]), then the origin server MUST mark the \"version\" (entity-tag) as weak by prefixing its opaque value with \"W/\" (case sensitive).", + "required": false, + "caseExact": true, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + } + ] + } + ], + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Schema"], + "meta": { + "resourceType": "Schema" + } + }, + { + "id": "urn:ietf:params:scim:schemas:core:2.0:Group", + "name": "Group", + "description": "Group", + "attributes": [ + { + "name": "id", + "type": "string", + "multiValued": false, + "description": "Unique identifier for the SCIM Resource as defined by the Service Provider.", + "required": true, + "caseExact": true, + "mutability": "readOnly", + "returned": "always", + "uniqueness": "server" + }, + { + "name": "externalId", + "type": "string", + "multiValued": false, + "description": "A String that is an identifier for the resource as defined by the provisioning client.The service provider MUST always interpret the externalId as scoped to the provisioning domain.", + "required": false, + "caseExact": true, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "displayName", + "type": "string", + "multiValued": false, + "description": "A human-readable name for the Group. REQUIRED.", + "required": true, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "members", + "type": "complex", + "multiValued": true, + "description": "A list of members of the Group.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none", + "subAttributes": [ + { + "name": "value", + "type": "string", + "multiValued": false, + "description": "Identifier of the member of this Group.", + "required": true, + "caseExact": false, + "mutability": "immutable", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "$ref", + "type": "reference", + "multiValued": false, + "description": "The uri corresponding to a SCIM resource that is a member of this Group.", + "required": false, + "caseExact": false, + "mutability": "immutable", + "returned": "default", + "uniqueness": "none", + "referenceTypes": ["resource"] + }, + { + "name": "display", + "type": "string", + "multiValued": false, + "description": "A human-readable name for the Member", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "type", + "type": "string", + "multiValued": false, + "description": "A label indicating the type of resource, e.g. 'User' or 'Group'", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + } + ] + } + ], + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Schema"], + "meta": { + "resourceType": "Schema" + } + }, + { + "id": "urn:ietf:params:scim:schemas:core:2.0:Schema", + "name": "Schema", + "description": "Specifies the schema that describes a SCIM schema", + "attributes": [ + { + "name": "id", + "type": "string", + "multiValued": false, + "description": "The unique URI of the schema. When applicable, service providers MUST specify the URI.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "name", + "type": "string", + "multiValued": false, + "description": "The schema's human-readable name. When applicable, service providers MUST specify the name, e.g., 'User'.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "description", + "type": "string", + "multiValued": false, + "description": "The schema's human-readable name. When applicable, service providers MUST specify the name, e.g., 'User'.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "attributes", + "type": "complex", + "multiValued": true, + "description": "A complex attribute that includes the attributes of a schema.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none", + "subAttributes": [ + { + "name": "name", + "type": "string", + "multiValued": false, + "description": "The attribute's name.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "type", + "type": "string", + "multiValued": false, + "description": "The attribute's data type. Valid values include 'string', 'complex', 'boolean', 'decimal', 'integer', 'dateTime', 'reference'.", + "required": true, + "canonicalValues": [ + "string", + "complex", + "boolean", + "decimal", + "integer", + "dateTime", + "reference", + "any" + ], + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "multiValued", + "type": "boolean", + "multiValued": false, + "description": "A Boolean value indicating an attribute's plurality.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "description", + "type": "string", + "multiValued": false, + "description": "A human-readable description of the attribute.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "required", + "type": "boolean", + "multiValued": false, + "description": "A boolean value indicating whether or not the attribute is required.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "canonicalValues", + "type": "string", + "multiValued": true, + "description": "A collection of canonical values. When applicable, service providers MUST specify the canonical types, e.g., 'work', 'home'.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "caseExact", + "type": "boolean", + "multiValued": false, + "description": "A Boolean value indicating whether or not a string attribute is case sensitive.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "mutability", + "type": "string", + "multiValued": false, + "description": "Indicates whether or not an attribute is modifiable.", + "required": false, + "canonicalValues": [ + "readOnly", + "readWrite", + "immutable", + "writeOnly" + ], + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "returned", + "type": "string", + "multiValued": false, + "description": "Indicates when an attribute is returned in a response (e.g., to a query).", + "required": false, + "canonicalValues": [ + "always", + "never", + "default", + "request" + ], + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "uniqueness", + "type": "string", + "multiValued": false, + "description": "Indicates how unique a value must be.", + "required": false, + "canonicalValues": ["none", "server", "global"], + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "referenceTypes", + "type": "string", + "multiValued": true, + "description": "Used only with an attribute of type 'reference'. Specifies a SCIM resourceType that a reference attribute MAY refer to, e.g., 'User'.", + "required": false, + "canonicalValues": [ + "resource", + "external", + "uri", + "url" + ], + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "multipleOf", + "type": "decimal", + "multiValued": false, + "description": "The value of \"multipleOf\" MUST be a number, strictly greater than 0. A numeric instance is valid only if division by this keyword's value results in an integer.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "minimum", + "type": "decimal", + "multiValued": false, + "description": "The value of \"minimum\" MUST be a number, representing an inclusive lower limit for a numeric instance. If the instance is a number, then this keyword validates only if the instance is greater than or exactly equal to \"minimum\".", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "maximum", + "type": "decimal", + "multiValued": false, + "description": "The value of \"maximum\" MUST be a number, representing an inclusive upper limit for a numeric instance. If the instance is a number, then this keyword validates only if the instance is less than or exactly equal to \"maximum\".", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "maxLength", + "type": "integer", + "multiValued": false, + "description": "The value of this keyword MUST be a non-negative integer. A string instance is valid against this keyword if its length is less than, or equal to, the value of this keyword. The length of a string instance is defined as the number of its characters as defined by RFC 8259 [RFC8259].", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "minLength", + "type": "integer", + "multiValued": false, + "description": "The value of this keyword MUST be a non-negative integer. A string instance is valid against this keyword if its length is greater than, or equal to, the value of this keyword. The length of a string instance is defined as the number of its characters as defined by RFC 8259 [RFC8259]. Omitting this keyword has the same behavior as a value of 0.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "pattern", + "type": "string", + "multiValued": false, + "description": "The value of this keyword MUST be a string. This string SHOULD be a valid regular expression, according to the Java regular expression dialect. A string instance is considered valid if the regular expression matches the instance successfully.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "minItems", + "type": "integer", + "multiValued": false, + "description": "The value of this keyword MUST be a non-negative integer. An array instance is valid against \"minItems\" if its size is greater than, or equal to, the value of this keyword. Omitting this keyword has the same behavior as a value of 0.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "maxItems", + "type": "integer", + "multiValued": false, + "description": "The value of this keyword MUST be a non-negative integer. An array instance is valid against \"maxItems\" if its size is less than, or equal to, the value of this keyword.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "notBefore", + "type": "dateTime", + "multiValued": false, + "description": "The value of this keyword MUST be a dateTime. It will verify that a given dateTime will not a have a value that is before this dateTime.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "notAfter", + "type": "dateTime", + "multiValued": false, + "description": "The value of this keyword MUST be a dateTime. It will verify that a given dateTime will not a have a value that is after this dateTime.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "subAttributes", + "type": "complex", + "multiValued": true, + "description": "Used to define the sub-attributes of a complex attribute.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + } + ] + } + ], + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Schema"], + "meta": { + "resourceType": "Schema" + } + }, + { + "id": "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig", + "name": "Service Provider Configuration", + "description": "Schema for representing the service provider's configuration", + "attributes": [ + { + "name": "documentationUri", + "type": "reference", + "multiValued": false, + "description": "An HTTP-addressable URL pointing to the service provider's human-consumable help documentation.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none", + "referenceTypes": ["external"] + }, + { + "name": "patch", + "type": "complex", + "multiValued": false, + "description": "A complex type that specifies PATCH configuration options.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none", + "subAttributes": [ + { + "name": "supported", + "type": "boolean", + "multiValued": false, + "description": "A Boolean value specifying whether or not the operation is supported.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + } + ] + }, + { + "name": "etag", + "type": "complex", + "multiValued": false, + "description": "A complex type that specifies ETag configuration options.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none", + "subAttributes": [ + { + "name": "supported", + "type": "boolean", + "multiValued": false, + "description": "A Boolean value specifying whether or not the operation is supported.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + } + ] + }, + { + "name": "bulk", + "type": "complex", + "multiValued": false, + "description": "A complex type that specifies bulk configuration options.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none", + "subAttributes": [ + { + "name": "supported", + "type": "boolean", + "multiValued": false, + "description": "A Boolean value specifying whether or not the operation is supported.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "maxOperations", + "type": "integer", + "multiValued": false, + "description": "An integer value specifying the maximum number of operations.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "maxPayloadSize", + "type": "integer", + "multiValued": false, + "description": "An integer value specifying the maximum payload size in bytes.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + } + ] + }, + { + "name": "filter", + "type": "complex", + "multiValued": false, + "description": "A complex type that specifies FILTER options.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none", + "subAttributes": [ + { + "name": "supported", + "type": "boolean", + "multiValued": false, + "description": "A Boolean value specifying whether or not the operation is supported.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "maxResults", + "type": "integer", + "multiValued": false, + "description": "An integer value specifying the maximum number of resources returned in a response.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + } + ] + }, + { + "name": "changePassword", + "type": "complex", + "multiValued": false, + "description": "A complex type that specifies configuration options related to changing a password.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none", + "subAttributes": [ + { + "name": "supported", + "type": "boolean", + "multiValued": false, + "description": "A Boolean value specifying whether or not the operation is supported.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + } + ] + }, + { + "name": "sort", + "type": "complex", + "multiValued": false, + "description": "A complex type that specifies sort result options.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none", + "subAttributes": [ + { + "name": "supported", + "type": "boolean", + "multiValued": false, + "description": "A Boolean value specifying whether or not the operation is supported.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + } + ] + }, + { + "name": "authenticationSchemes", + "type": "complex", + "multiValued": true, + "description": "A complex type that specifies supported authentication scheme properties.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none", + "subAttributes": [ + { + "name": "name", + "type": "string", + "multiValued": false, + "description": "The common authentication scheme name, e.g., HTTP Basic.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "description", + "type": "string", + "multiValued": false, + "description": "A description of the authentication scheme.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "specUri", + "type": "reference", + "multiValued": false, + "description": "An HTTP-addressable URL pointing to the authentication scheme's specification.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none", + "referenceTypes": ["external"] + }, + { + "name": "documentationUri", + "type": "reference", + "multiValued": false, + "description": "An HTTP-addressable URL pointing to the authentication scheme's usage documentation.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none", + "referenceTypes": ["external"] + }, + { + "name": "type", + "type": "string", + "multiValued": false, + "description": "The authentication scheme. This specification defines the values \"oauth\", \"oauth2\", \"oauthbearertoken\", \"httpbasic\", and \"httpdigest\". REQUIRED.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + } + ] + } + ], + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Schema"], + "meta": { + "resourceType": "Schema" + } + }, + { + "id": "urn:ietf:params:scim:schemas:core:2.0:ResourceType", + "name": "ResourceType", + "description": "Specifies the schema that describes a SCIM resource type", + "attributes": [ + { + "name": "id", + "type": "string", + "multiValued": false, + "description": "The resource type's server unique id. May be the same as the 'name' attribute.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "name", + "type": "string", + "multiValued": false, + "description": "The resource type name. When applicable, service providers MUST specify the name, e.g., 'User'.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "description", + "type": "string", + "multiValued": false, + "description": "The resource type's human-readable description. When applicable, service providers MUST specify the description.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "endpoint", + "type": "reference", + "multiValued": false, + "description": "The resource type's HTTP-addressable endpoint relative to the Base URL, e.g., '/Users'.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none", + "referenceTypes": ["uri"] + }, + { + "name": "schema", + "type": "reference", + "multiValued": false, + "description": "The resource type's primary/base schema URI.", + "required": true, + "caseExact": true, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none", + "referenceTypes": ["uri"] + }, + { + "name": "schemaExtensions", + "type": "complex", + "multiValued": true, + "description": "A list of URIs of the resource type's schema extensions.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none", + "subAttributes": [ + { + "name": "schema", + "type": "reference", + "multiValued": false, + "description": "The URI of a schema extension.", + "required": true, + "caseExact": true, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none", + "referenceTypes": ["uri"] + }, + { + "name": "required", + "type": "boolean", + "multiValued": false, + "description": "A Boolean value that specifies whether or not the schema extension is required for the resource type. If True, a resource of this type MUST include this schema extension and also include any attributes declared as required in this schema extension. If False, a resource of this type MAY omit this schema extension.", + "required": true, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + } + ] + } + ], + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Schema"], + "meta": { + "resourceType": "Schema" + } + }, + { + "id": "urn:ietf:params:scim:schemas:core:2.0:User", + "name": "User", + "description": "User Account", + "attributes": [ + { + "name": "id", + "type": "string", + "multiValued": false, + "description": "Unique identifier for the SCIM Resource as defined by the Service Provider.", + "required": true, + "caseExact": true, + "mutability": "readOnly", + "returned": "always", + "uniqueness": "server" + }, + { + "name": "externalId", + "type": "string", + "multiValued": false, + "description": "A String that is an identifier for the resource as defined by the provisioning client.The service provider MUST always interpret the externalId as scoped to the provisioning domain.", + "required": false, + "caseExact": true, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "userName", + "type": "string", + "multiValued": false, + "description": "A service provider's unique identifier for the user, typically\nused by the user to directly authenticate to the service provider.Each User MUST include a non-empty userName value. This identifier\nMUST be unique across the service provider's entire set of Users.", + "required": true, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "server", + "pattern": "^(?!\\s*$).+" + }, + { + "name": "name", + "type": "complex", + "multiValued": false, + "description": "The components of the user's real name.Providers MAY return just the full name as a single string in the\nformatted sub-attribute, or they MAY return just the individual component attributes using the other sub-attributes, or they MAY\nreturn both. If both variants are returned, they SHOULD be describing the same name, with the formatted name indicating how the\ncomponent attributes should be combined.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none", + "subAttributes": [ + { + "name": "formatted", + "type": "string", + "multiValued": false, + "description": "The full name, including all middle names, titles, and suffixes as appropriate, formatted for display\n(e.g., 'Ms. Barbara J Jensen, III').", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "familyName", + "type": "string", + "multiValued": false, + "description": "The family name of the User, or last name in most Western languages (e.g., 'Jensen' given the full\nname 'Ms. Barbara J Jensen, III').", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "givenName", + "type": "string", + "multiValued": false, + "description": "The given name of the User, or first name in most Western languages (e.g., 'Barbara' given the\nfull name 'Ms. Barbara J Jensen, III').", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "middleName", + "type": "string", + "multiValued": false, + "description": "The middle name(s) of the User (e.g., 'Jane' given the full name 'Ms. Barbara J Jensen, III').", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "honorificPrefix", + "type": "string", + "multiValued": false, + "description": "The honorific prefix(es) of the User, or title in most Western languages (e.g., 'Ms.' given the full name\n'Ms. Barbara J Jensen, III').", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "honorificSuffix", + "type": "string", + "multiValued": false, + "description": "The honorific suffix(es) of the User, or suffix in most Western languages (e.g., 'III' given the full name\n'Ms. Barbara J Jensen, III').", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + } + ] + }, + { + "name": "displayName", + "type": "string", + "multiValued": false, + "description": "The name of the User, suitable for display\nto end-users. The name SHOULD be the full name of the User being described, if known.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "nickName", + "type": "string", + "multiValued": false, + "description": "The casual way to address the user in real life, e.g., 'Bob' or 'Bobby' instead of 'Robert'. This attribute\nSHOULD NOT be used to represent a User's username (e.g., 'bjensen' or 'mpepperidge').", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "profileUrl", + "type": "reference", + "multiValued": false, + "description": "A fully qualified URL pointing to a page\nrepresenting the User's online profile.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none", + "referenceTypes": ["external"] + }, + { + "name": "title", + "type": "string", + "multiValued": false, + "description": "The user's title, such as \\\"VicePresident.\\\"", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "userType", + "type": "string", + "multiValued": false, + "description": "Used to identify the relationship between the organization and the user. Typical values used might be\n'Contractor', 'Employee', 'Intern', 'Temp', 'External', and 'Unknown', but any value may be used.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "preferredLanguage", + "type": "string", + "multiValued": false, + "description": "Indicates the User's preferred written or\nspoken language. Generally used for selecting a localized user interface; e.g., 'en_US' specifies the language English and country", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "locale", + "type": "string", + "multiValued": false, + "description": "Used to indicate the User's default location\nfor purposes of localizing items such as currency, date time format, or numerical representations.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "timezone", + "type": "string", + "multiValued": false, + "description": "The User's time zone in the 'Olson' time zone\ndatabase format, e.g., 'America/Los_Angeles'.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "active", + "type": "boolean", + "multiValued": false, + "description": "A Boolean value indicating the User's administrative status.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "password", + "type": "string", + "multiValued": false, + "description": "The User's cleartext password. This attribute is intended to be used as a means to specify an initial\npassword when creating a new User or to reset an existing User's password.", + "required": false, + "caseExact": false, + "mutability": "writeOnly", + "returned": "never", + "uniqueness": "none" + }, + { + "name": "emails", + "type": "complex", + "multiValued": true, + "description": "Email addresses for the user. The value SHOULD be canonicalized by the service provider, e.g.,\n'bjensen@example.com' instead of 'bjensen@EXAMPLE.COM'.Canonical type values of 'work', 'home', and 'other'.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none", + "subAttributes": [ + { + "name": "value", + "type": "string", + "multiValued": false, + "description": "Email addresses for the user. The value SHOULD be canonicalized by the service provider, e.g.,\n'bjensen@example.com' instead of 'bjensen@EXAMPLE.COM'.Canonical type values of 'work', 'home', and 'other'.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "display", + "type": "string", + "multiValued": false, + "description": "A human-readable name, primarily used for display purposes. READ-ONLY.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "type", + "type": "string", + "multiValued": false, + "description": "A label indicating the attribute's function, e.g., 'work' or 'home'.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "primary", + "type": "boolean", + "multiValued": false, + "description": "A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g., the psreferred mailing address or primary email address. The primary attribute value 'True' MUST appear no more than once.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + } + ] + }, + { + "name": "phoneNumbers", + "type": "complex", + "multiValued": true, + "description": "Phone numbers for the User. The value SHOULD be canonicalized by the service provider according to the\nformat specified in RFC 3966, e.g., 'tel:+1-201-555-0123'.Canonical type values of 'work', 'home', 'mobile', 'fax', 'pager", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none", + "subAttributes": [ + { + "name": "value", + "type": "string", + "multiValued": false, + "description": "Phone number of the User.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "display", + "type": "string", + "multiValued": false, + "description": "A human-readable name, primarily used for display purposes. READ-ONLY.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "type", + "type": "string", + "multiValued": false, + "description": "A label indicating the attribute's function, e.g., 'work', 'home', 'mobile'.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "primary", + "type": "boolean", + "multiValued": false, + "description": "A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g., the preferred\nphone number or primary phone number. The primary attribute value 'True' MUST appear no more than once.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + } + ] + }, + { + "name": "ims", + "type": "complex", + "multiValued": true, + "description": "Instant messaging addresses for the User.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none", + "subAttributes": [ + { + "name": "value", + "type": "string", + "multiValued": false, + "description": "Instant messaging address for the User.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "display", + "type": "string", + "multiValued": false, + "description": "A human-readable name, primarily used for display purposes. READ-ONLY.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "type", + "type": "string", + "multiValued": false, + "description": "A label indicating the attribute's function, e.g., 'aim', 'gtalk', 'xmpp'.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "primary", + "type": "boolean", + "multiValued": false, + "description": "A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g., the preferred\nmessenger or primary messenger. The primary attribute value 'True' MUST appear no more than once.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + } + ] + }, + { + "name": "photos", + "type": "complex", + "multiValued": true, + "description": "URLs of photos of the User.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none", + "subAttributes": [ + { + "name": "value", + "type": "reference", + "multiValued": false, + "description": "URLs of photos of the User.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none", + "referenceTypes": ["external"] + }, + { + "name": "display", + "type": "string", + "multiValued": false, + "description": "A human-readable name, primarily used for display purposes. READ-ONLY.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "type", + "type": "string", + "multiValued": false, + "description": "A label indicating the attribute's function, i.e., 'photo' or 'thumbnail'.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "primary", + "type": "boolean", + "multiValued": false, + "description": "A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g., the preferred\nphone number or primary phone number. The primary attribute value 'True' MUST appear no more than once.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + } + ] + }, + { + "name": "addresses", + "type": "complex", + "multiValued": true, + "description": "A physical mailing address for this User.\nCanonical type values of 'work', 'home', and 'other'. This attribute is a complex type with the following sub-attributes.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none", + "subAttributes": [ + { + "name": "formatted", + "type": "string", + "multiValued": false, + "description": "The full mailing address, formatted for display or use with a mailing label. This attribute MAY contain\nnewlines.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "streetAddress", + "type": "string", + "multiValued": false, + "description": "The full street address component, which may include house number, street name, P.O. box, and multi-line\nextended street address information. This attribute MAY contain newlines.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "locality", + "type": "string", + "multiValued": false, + "description": "The city or locality component.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "region", + "type": "string", + "multiValued": false, + "description": "The state or region component.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "postalCode", + "type": "string", + "multiValued": false, + "description": "The zip code or postal code component.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "country", + "type": "string", + "multiValued": false, + "description": "The country name component.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "type", + "type": "string", + "multiValued": false, + "description": "A label indicating the attribute's function, e.g., 'work' or 'home'.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "primary", + "type": "boolean", + "multiValued": false, + "description": "A Boolean value indicating the 'primary' or preferred attribute value for this attribute. The primary\nattribute value 'True' MUST appear no more than once.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + } + ] + }, + { + "name": "groups", + "type": "complex", + "multiValued": true, + "description": "A list of groups to which the user belongs,\neither through direct membership, through nested groups, or dynamically calculated.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none", + "subAttributes": [ + { + "name": "value", + "type": "string", + "multiValued": false, + "description": "The identifier of the User's group.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "$ref", + "type": "reference", + "multiValued": false, + "description": "The uri of the corresponding 'Group' resource to which the user belongs.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none", + "referenceTypes": ["resource"] + }, + { + "name": "display", + "type": "string", + "multiValued": false, + "description": "A human-readable name, primarily used for display purposes. READ-ONLY.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "type", + "type": "string", + "multiValued": false, + "description": "A label indicating the attribute's function, e.g., 'direct' or 'indirect'.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + } + ] + }, + { + "name": "entitlements", + "type": "complex", + "multiValued": true, + "description": "A list of entitlements for the User that represent a thing the User has.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none", + "subAttributes": [ + { + "name": "value", + "type": "string", + "multiValued": false, + "description": "The value of an entitlement.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "display", + "type": "reference", + "multiValued": false, + "description": "A human-readable name, primarily used for display purposes. READ-ONLY.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none", + "referenceTypes": ["external"] + }, + { + "name": "type", + "type": "string", + "multiValued": false, + "description": "A label indicating the attribute's function.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "primary", + "type": "boolean", + "multiValued": false, + "description": "A Boolean value indicating the 'primary' or preferred attribute value for this attribute. The primary\nattribute value 'True' MUST appear no more than once.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + } + ] + }, + { + "name": "roles", + "type": "complex", + "multiValued": true, + "description": "A list of roles for the User that collectively represent who the User is, e.g., 'Student', 'Faculty'.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none", + "subAttributes": [ + { + "name": "value", + "type": "string", + "multiValued": false, + "description": "The value of a role.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "display", + "type": "reference", + "multiValued": false, + "description": "A human-readable name, primarily used for display purposes. READ-ONLY.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none", + "referenceTypes": ["external"] + }, + { + "name": "type", + "type": "string", + "multiValued": false, + "description": "A label indicating the attribute's function.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "primary", + "type": "boolean", + "multiValued": false, + "description": "A Boolean value indicating the 'primary' or preferred attribute value for this attribute. The primary attribute value 'True' MUST appear no more than once.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + } + ] + }, + { + "name": "x509Certificates", + "type": "complex", + "multiValued": true, + "description": "A list of certificates issued to the User.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "server", + "subAttributes": [ + { + "name": "value", + "type": "string", + "multiValued": false, + "description": "The value of an X.509 certificate.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "display", + "type": "reference", + "multiValued": false, + "description": "A human-readable name, primarily used for display purposes. READ-ONLY.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none", + "referenceTypes": ["external"] + }, + { + "name": "type", + "type": "string", + "multiValued": false, + "description": "A label indicating the attribute's function.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "primary", + "type": "boolean", + "multiValued": false, + "description": "A Boolean value indicating the 'primary' or preferred attribute value for this attribute.The primary attribute value 'True' MUST appear no more than once.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + } + ] + } + ], + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Schema"], + "meta": { + "resourceType": "Schema" + } + }, + { + "id": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", + "name": "EnterpriseUser", + "description": "Enterprise User", + "attributes": [ + { + "name": "employeeNumber", + "type": "string", + "multiValued": false, + "description": "Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "costCenter", + "type": "string", + "multiValued": false, + "description": "Identifies the name of a cost center.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "organization", + "type": "string", + "multiValued": false, + "description": "Identifies the name of an organization.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "division", + "type": "string", + "multiValued": false, + "description": "Identifies the name of a division.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "department", + "type": "string", + "multiValued": false, + "description": "Identifies the name of a department.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "manager", + "type": "complex", + "multiValued": false, + "description": "The User's manager. A complex type that optionally allows service providers to represent organizational hierarchy by referencing the 'id' attribute of another User.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none", + "subAttributes": [ + { + "name": "value", + "type": "string", + "multiValued": false, + "description": "The id of the SCIM resource representing the User's manager. REQUIRED.", + "required": true, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none" + }, + { + "name": "$ref", + "type": "reference", + "multiValued": false, + "description": "The URI of the SCIM resource representing the User's manager. REQUIRED.", + "required": false, + "caseExact": false, + "mutability": "readWrite", + "returned": "default", + "uniqueness": "none", + "referenceTypes": ["resource"] + }, + { + "name": "displayName", + "type": "string", + "multiValued": false, + "description": "The displayName of the User's manager. OPTIONAL and READ-ONLY.", + "required": false, + "caseExact": false, + "mutability": "readOnly", + "returned": "default", + "uniqueness": "none" + } + ] + } + ], + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Schema"], + "meta": { + "resourceType": "Schema" + } + } +] diff --git a/authentik/sources/scim/urls.py b/authentik/sources/scim/urls.py new file mode 100644 index 000000000..0ca409ee6 --- /dev/null +++ b/authentik/sources/scim/urls.py @@ -0,0 +1,58 @@ +"""SCIM URLs""" +from django.urls import path + +from authentik.sources.scim.views.v2 import ( + groups, + resource_types, + schemas, + service_provider_config, + users, +) + +urlpatterns = [ + path( + "/v2/Users", + users.UsersView.as_view(), + name="v2-users", + ), + path( + "/v2/Users/", + users.UsersView.as_view(), + name="v2-users", + ), + path( + "/v2/Groups", + groups.GroupsView.as_view(), + name="v2-groups", + ), + path( + "/v2/Groups/", + groups.GroupsView.as_view(), + name="v2-groups", + ), + path( + "/v2/Schemas", + schemas.SchemaView.as_view(), + name="v2-schema", + ), + path( + "/v2/Schemas/", + schemas.SchemaView.as_view(), + name="v2-schema", + ), + path( + "/v2/ServiceProviderConfig", + service_provider_config.ServiceProviderConfigView.as_view(), + name="v2-service-provider-config", + ), + path( + "/v2/ResourceTypes", + resource_types.ResourceTypesView.as_view(), + name="v2-resource-types", + ), + path( + "/v2/ResourceTypes/", + resource_types.ResourceTypesView.as_view(), + name="v2-resource-types", + ), +] diff --git a/authentik/sources/scim/views/__init__.py b/authentik/sources/scim/views/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/authentik/sources/scim/views/v2/__init__.py b/authentik/sources/scim/views/v2/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/authentik/sources/scim/views/v2/auth.py b/authentik/sources/scim/views/v2/auth.py new file mode 100644 index 000000000..72462c9b9 --- /dev/null +++ b/authentik/sources/scim/views/v2/auth.py @@ -0,0 +1,41 @@ +"""SCIM Token auth""" +from base64 import b64decode +from typing import Any, Optional, Union + +from rest_framework.authentication import BaseAuthentication, get_authorization_header +from rest_framework.request import Request + +from authentik.core.models import Token, TokenIntents, User + + +class SCIMTokenAuth(BaseAuthentication): + """SCIM Token auth""" + + def legacy(self, key: str, source_slug: str) -> Optional[Token]: + """Legacy HTTP-Basic auth for testing""" + _username, _, password = b64decode(key.encode()).decode().partition(":") + token = self.check_token(password, source_slug) + if token: + return (token.user, token) + return None + + def check_token(self, key: str, source_slug: str) -> Optional[Token]: + """Check that a token exists, is not expired, and is assigned to the correct source""" + token = Token.filter_not_expired(key=key, intent=TokenIntents.INTENT_API).first() + if not token: + return None + if not token.scimsource_set.exists(): + return None + if token.scimsource_set.first().slug != source_slug: + return None + return token + + def authenticate(self, request: Request) -> Union[tuple[User, Any], None]: + kwargs = request._request.resolver_match.kwargs + source_slug = kwargs.get("source_slug", None) + auth = get_authorization_header(request).decode() + auth_type, _, key = auth.partition(" ") + if auth_type != "Bearer": + return self.legacy(key, source_slug) + token = self.check_token(key, source_slug) + return (token.user, token) diff --git a/authentik/sources/scim/views/v2/base.py b/authentik/sources/scim/views/v2/base.py new file mode 100644 index 000000000..e9527f08a --- /dev/null +++ b/authentik/sources/scim/views/v2/base.py @@ -0,0 +1,30 @@ +"""SCIM Utils""" +from rest_framework.parsers import JSONParser +from rest_framework.permissions import IsAuthenticated +from rest_framework.renderers import JSONRenderer +from rest_framework.views import APIView + +from authentik.sources.scim.views.v2.auth import SCIMTokenAuth + +SCIM_CONTENT_TYPE = "application/scim+json" + + +class SCIMParser(JSONParser): + """SCIM clients use a custom content type""" + + media_type = SCIM_CONTENT_TYPE + + +class SCIMRenderer(JSONRenderer): + """SCIM clients also expect a custom content type""" + + media_type = SCIM_CONTENT_TYPE + + +class SCIMView(APIView): + """Base class for SCIM Views""" + + authentication_classes = [SCIMTokenAuth] + permission_classes = [IsAuthenticated] + parser_classes = [SCIMParser] + renderer_classes = [SCIMRenderer] diff --git a/authentik/sources/scim/views/v2/groups.py b/authentik/sources/scim/views/v2/groups.py new file mode 100644 index 000000000..e3effd3ba --- /dev/null +++ b/authentik/sources/scim/views/v2/groups.py @@ -0,0 +1,103 @@ +"""SCIM Group Views""" +from typing import Optional + +from django.core.paginator import Paginator +from django.http import Http404, QueryDict +from django.urls import reverse +from rest_framework.request import Request +from rest_framework.response import Response +from structlog.stdlib import get_logger + +from authentik.core.models import Group +from authentik.sources.scim.views.v2.base import SCIM_CONTENT_TYPE, SCIMView + +LOGGER = get_logger() + + +class GroupsView(SCIMView): + """SCIM Group View""" + + def group_to_scim(self, group: Group) -> dict: + """Convert group to SCIM""" + return { + "id": str(group.pk), + "meta": { + "resourceType": "Group", + "location": self.request.build_absolute_uri( + reverse( + "authentik_sources_scim:v2-groups", + kwargs={ + "source_slug": self.kwargs["source_slug"], + "group_id": str(group.pk), + }, + ) + ), + }, + "displayName": group.name, + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"], + } + + def get(self, request: Request, group_id: Optional[str] = None, **kwargs) -> Response: + """List Group handler""" + if group_id: + group = Group.objects.filter(pk=group_id).first() + if not group: + raise Http404 + return Response(self.group_to_scim(group)) + groups = Group.objects.all().order_by("pk") + per_page = 50 + paginator = Paginator(groups, per_page=per_page) + start_index = int(request.query_params.get("startIndex", 1)) + page = paginator.page(int(max(start_index / per_page, 1))) + return Response( + { + "totalResults": paginator.count, + "itemsPerPage": per_page, + "startIndex": page.start_index(), + "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"], + "Resources": [self.group_to_scim(group) for group in page], + } + ) + + def update_group(self, group: Group, data: QueryDict) -> Group: + """Partial update a group""" + if "displayName" in data: + group.name = data.get("displayName") + return group + + def post(self, request: Request, **kwargs) -> Response: + """Create group handler""" + group = Group.objects.filter(name=request.data.get("displayName")).first() + if group: + LOGGER.debug("Found existing group") + return Response(status=409) + group = self.update_group(Group(), request.data) + group.save() + return Response(self.group_to_scim(group), status=201) + + def patch(self, request: Request, group_id: str, **kwargs) -> Response: + """Update group handler""" + return self.put(request, group_id, **kwargs) + + def put(self, request: Request, group_id: str, **kwargs) -> Response: + """Update group handler""" + group: Optional[Group] = Group.objects.filter(pk=group_id).first() + if not group: + raise Http404 + self.update_group(group, request.data) + group.save() + return Response(self.group_to_scim(group), status=200) + + def delete(self, request: Request, group_id: str, **kwargs) -> Response: + """Delete group handler""" + group: Optional[Group] = Group.objects.filter(pk=group_id).first() + if not group: + raise Http404 + group.delete() + return Response( + {}, + status=204, + headers={ + "Content-Type": SCIM_CONTENT_TYPE, + }, + ) diff --git a/authentik/sources/scim/views/v2/resource_types.py b/authentik/sources/scim/views/v2/resource_types.py new file mode 100644 index 000000000..ee35cf7e9 --- /dev/null +++ b/authentik/sources/scim/views/v2/resource_types.py @@ -0,0 +1,153 @@ +"""SCIM Meta views""" +from typing import Optional + +from django.http import Http404 +from django.urls import reverse +from rest_framework.request import Request +from rest_framework.response import Response + +from authentik.sources.scim.views.v2.base import SCIMView + + +class ResourceTypesView(SCIMView): + """https://ldapwiki.com/wiki/SCIM%20ResourceTypes%20endpoint""" + + def get_resource_types(self): + """List all resource types""" + return [ + { + "id": "ServiceProviderConfig", + "name": "ServiceProviderConfig", + "description": "the service providers configuration", + "endpoint": "/ServiceProviderConfig", + "schema": "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig", + "schemas": [ + "urn:ietf:params:scim:schemas:core:2.0:ResourceType", + ], + "meta": { + "resourceType": "ResourceType", + "location": self.request.build_absolute_uri( + reverse( + "authentik_sources_scim:v2-resource-types", + kwargs={ + "source_slug": self.kwargs["source_slug"], + "resource_type": "ServiceProviderConfig", + }, + ) + ), + }, + }, + { + "id": "ResourceType", + "name": "ResourceType", + "description": "ResourceType", + "endpoint": "/ResourceTypes", + "schema": "urn:ietf:params:scim:schemas:core:2.0:ResourceType", + "schemas": [ + "urn:ietf:params:scim:schemas:core:2.0:ResourceType", + ], + "meta": { + "resourceType": "ResourceType", + "location": self.request.build_absolute_uri( + reverse( + "authentik_sources_scim:v2-resource-types", + kwargs={ + "source_slug": self.kwargs["source_slug"], + "resource_type": "ResourceType", + }, + ) + ), + }, + }, + { + "id": "Schema", + "name": "Schema", + "description": "Schema endpoint description", + "endpoint": "/Schemas", + "schema": "urn:ietf:params:scim:schemas:core:2.0:Schema", + "schemas": [ + "urn:ietf:params:scim:schemas:core:2.0:ResourceType", + ], + "meta": { + "resourceType": "ResourceType", + "location": self.request.build_absolute_uri( + reverse( + "authentik_sources_scim:v2-resource-types", + kwargs={ + "source_slug": self.kwargs["source_slug"], + "resource_type": "Schema", + }, + ) + ), + }, + }, + { + "id": "User", + "name": "User", + "endpoint": "/Users", + "description": "https://tools.ietf.org/html/rfc7643#section-8.7.1", + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"], + "schema": "urn:ietf:params:scim:schemas:core:2.0:User", + "schemaExtensions": [ + { + "schema": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", + "required": True, + } + ], + "meta": { + "location": self.request.build_absolute_uri( + reverse( + "authentik_sources_scim:v2-resource-types", + kwargs={ + "source_slug": self.kwargs["source_slug"], + "resource_type": "User", + }, + ) + ), + "resourceType": "ResourceType", + }, + }, + { + "id": "Group", + "name": "Group", + "description": "Group", + "endpoint": "/Groups", + "schema": "urn:ietf:params:scim:schemas:core:2.0:Group", + "schemas": [ + "urn:ietf:params:scim:schemas:core:2.0:ResourceType", + ], + "meta": { + "resourceType": "ResourceType", + "location": self.request.build_absolute_uri( + reverse( + "authentik_sources_scim:v2-resource-types", + kwargs={ + "source_slug": self.kwargs["source_slug"], + "resource_type": "Group", + }, + ) + ), + }, + }, + ] + + # pylint: disable=unused-argument + def get( + self, request: Request, source_slug: str, resource_type: Optional[str] = None + ) -> Response: + """Get resource types as SCIM response""" + resource_types = self.get_resource_types() + if resource_type: + resource = [x for x in resource_types if x.get("id") == resource_type] + if resource: + return Response(resource[0]) + raise Http404 + return Response( + { + "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"], + "totalResults": len(resource_types), + "itemsPerPage": len(resource_types), + "startIndex": 1, + "Resources": resource_types, + } + ) diff --git a/authentik/sources/scim/views/v2/schemas.py b/authentik/sources/scim/views/v2/schemas.py new file mode 100644 index 000000000..bcbbdb440 --- /dev/null +++ b/authentik/sources/scim/views/v2/schemas.py @@ -0,0 +1,52 @@ +"""Schema Views""" +from json import loads +from typing import Optional + +from django.http import Http404 +from django.urls import reverse +from rest_framework.request import Request +from rest_framework.response import Response + +from authentik.sources.scim.views.v2.base import SCIMView + +with open("authentik/sources/scim/schemas/schema.json", "r", encoding="utf-8") as SCHEMA_FILE: + _raw_schemas = loads(SCHEMA_FILE.read()) + + +class SchemaView(SCIMView): + """https://ldapwiki.com/wiki/SCIM%20Schemas%20Attribute""" + + def get_schemas(self): + """List of all schemas""" + schemas = [] + for raw_schema in _raw_schemas: + raw_schema["meta"]["location"] = self.request.build_absolute_uri( + reverse( + "authentik_sources_scim:v2-schema", + kwargs={ + "source_slug": self.kwargs["source_slug"], + "schema_uri": raw_schema["id"], + }, + ) + ) + schemas.append(raw_schema) + return schemas + + # pylint: disable=unused-argument + def get(self, request: Request, source_slug: str, schema_uri: Optional[str] = None) -> Response: + """Get schemas as SCIM response""" + schemas = self.get_schemas() + if schema_uri: + schema = [x for x in schemas if x.get("id") == schema_uri] + if schema: + return Response(schema[0]) + raise Http404 + return Response( + { + "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"], + "totalResults": len(schemas), + "itemsPerPage": len(schemas), + "startIndex": 1, + "Resources": schemas, + } + ) diff --git a/authentik/sources/scim/views/v2/service_provider_config.py b/authentik/sources/scim/views/v2/service_provider_config.py new file mode 100644 index 000000000..61fab889b --- /dev/null +++ b/authentik/sources/scim/views/v2/service_provider_config.py @@ -0,0 +1,35 @@ +"""SCIM Meta views""" +from rest_framework.request import Request +from rest_framework.response import Response + +from authentik.sources.scim.views.v2.base import SCIMView + + +class ServiceProviderConfigView(SCIMView): + """ServiceProviderConfig, https://ldapwiki.com/wiki/SCIM%20ServiceProviderConfig%20endpoint""" + + # pylint: disable=unused-argument + def get(self, request: Request, source_slug: str) -> Response: + """Get ServiceProviderConfig""" + return Response( + { + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"], + "authenticationSchemes": [ + { + "type": "oauthbearertoken", + "name": "OAuth Bearer Token", + "description": ( + "Authentication scheme using the OAuth Bearer Token Standard" + ), + "specUri": "https://www.rfc-editor.org/info/rfc6750", + "primary": True, + }, + ], + "patch": {"supported": True}, + "bulk": {"supported": False, "maxOperations": 0, "maxPayloadSize": 0}, + "filter": {"supported": False, "maxResults": 200}, + "changePassword": {"supported": True}, + "sort": {"supported": False}, + "etag": {"supported": False}, + } + ) diff --git a/authentik/sources/scim/views/v2/users.py b/authentik/sources/scim/views/v2/users.py new file mode 100644 index 000000000..030548575 --- /dev/null +++ b/authentik/sources/scim/views/v2/users.py @@ -0,0 +1,151 @@ +"""SCIM User Views""" +from typing import Optional + +from django.core.paginator import Paginator +from django.http import Http404, QueryDict +from django.urls import reverse +from guardian.shortcuts import get_anonymous_user +from rest_framework.request import Request +from rest_framework.response import Response +from structlog.stdlib import get_logger + +from authentik.core.models import User +from authentik.sources.scim.models import ( + USER_ATTRIBUTE_SCIM_ADDRESS, + USER_ATTRIBUTE_SCIM_ENTERPRISE, + USER_ATTRIBUTE_SCIM_ID, +) +from authentik.sources.scim.views.v2.base import SCIM_CONTENT_TYPE, SCIMView + +LOGGER = get_logger() + + +class UsersView(SCIMView): + """SCIM User view""" + + def get_email(self, data: list[dict]) -> str: + """Wrapper to get primary email or first email""" + for email in data: + if email.get("primary", False): + return email.get("value") + return data[0].get("value") + + def user_to_scim(self, user: User) -> dict: + """Convert User to SCIM data""" + payload = { + "id": str(user.pk), + "meta": { + "resourceType": "User", + "created": user.date_joined, + # TODO: use events to find last edit? + "lastModified": user.date_joined, + "location": self.request.build_absolute_uri( + reverse( + "authentik_sources_scim:v2-users", + kwargs={ + "source_slug": self.kwargs["source_slug"], + "user_id": str(user.pk), + }, + ) + ), + }, + "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": user.attributes.get( + USER_ATTRIBUTE_SCIM_ENTERPRISE, {} + ), + "schemas": [ + "urn:ietf:params:scim:schemas:core:2.0:User", + "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", + ], + "userName": user.username, + "name": {}, + "displayName": user.name, + "active": user.is_active, + "emails": [{"value": user.email, "type": "work", "primary": True}], + } + if USER_ATTRIBUTE_SCIM_ID in user.attributes: + payload["externalId"] = user.attributes[USER_ATTRIBUTE_SCIM_ID] + return payload + + def get(self, request: Request, user_id: Optional[str] = None, **kwargs) -> Response: + """List User handler""" + if user_id: + user = User.objects.filter(pk=user_id).first() + if not user: + raise Http404 + return Response(self.user_to_scim(user)) + users = User.objects.all().exclude(pk=get_anonymous_user().pk).order_by("pk") + per_page = 50 + paginator = Paginator(users, per_page=per_page) + start_index = int(request.query_params.get("startIndex", 1)) + page = paginator.page(int(max(start_index / per_page, 1))) + return Response( + { + "totalResults": paginator.count, + "itemsPerPage": per_page, + "startIndex": page.start_index(), + "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"], + "Resources": [self.user_to_scim(user) for user in page], + } + ) + + def update_user(self, user: User, data: QueryDict) -> User: + """Partial update a user""" + if "userName" in data: + user.username = data.get("userName") + if "name" in data: + user.name = data.get("name", {}).get("formatted", data.get("displayName")) + if "emails" in data: + user.email = self.get_email(data.get("emails")) + if "active" in data: + user.is_active = data.get("active") + if "externalId" in data: + user.attributes[USER_ATTRIBUTE_SCIM_ID] = data.get("externalId") + if "addresses" in data: + user.attributes[USER_ATTRIBUTE_SCIM_ADDRESS] = data.get("addresses") + if "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" in data: + user.attributes[USER_ATTRIBUTE_SCIM_ENTERPRISE] = data.get( + "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" + ) + return user + + def post(self, request: Request, **kwargs) -> Response: + """Create user handler""" + user = User.objects.filter( + **{ + f"attributes__{USER_ATTRIBUTE_SCIM_ID}": request.data.get("externalId"), + "username": request.data.get("userName"), + } + ).first() + if user: + LOGGER.debug("Found existing user") + return Response(status=409) + user = self.update_user(User(), request.data) + user.save() + return Response(self.user_to_scim(user), status=201) + + def patch(self, request: Request, user_id: str, **kwargs) -> Response: + """Update user handler""" + return self.put(request, user_id, **kwargs) + + def put(self, request: Request, user_id: str, **kwargs) -> Response: + """Update user handler""" + user: Optional[User] = User.objects.filter(pk=user_id).first() + if not user: + raise Http404 + self.update_user(user, request.data) + user.save() + return Response(self.user_to_scim(user), status=200) + + def delete(self, request: Request, user_id: str, **kwargs) -> Response: + """Delete user handler""" + user: Optional[User] = User.objects.filter(pk=user_id).first() + if not user: + raise Http404 + user.delete() + return Response( + {}, + status=204, + headers={ + "Content-Type": SCIM_CONTENT_TYPE, + }, + ) diff --git a/web/src/admin/sources/SourceViewPage.ts b/web/src/admin/sources/SourceViewPage.ts index d0050fdf9..b6ffcf6ab 100644 --- a/web/src/admin/sources/SourceViewPage.ts +++ b/web/src/admin/sources/SourceViewPage.ts @@ -51,6 +51,10 @@ export class SourceViewPage extends AKElement { return html``; + case "ak-source-scim-form": + return html``; default: return html`

Invalid source type ${this.source.component}

`; } diff --git a/web/src/pages/sources/scim/SCIMSourceForm.ts b/web/src/pages/sources/scim/SCIMSourceForm.ts new file mode 100644 index 000000000..073b3497d --- /dev/null +++ b/web/src/pages/sources/scim/SCIMSourceForm.ts @@ -0,0 +1,79 @@ +import { t } from "@lingui/macro"; + +import { TemplateResult, html } from "lit"; +import { customElement } from "lit/decorators.js"; +import { ifDefined } from "lit/directives/if-defined.js"; + +import { SCIMSource, SCIMSourceRequest, SourcesApi } from "@goauthentik/api"; + +import { DEFAULT_CONFIG } from "../../../api/Config"; +import "../../../elements/CodeMirror"; +import "../../../elements/forms/FormGroup"; +import "../../../elements/forms/HorizontalFormElement"; +import { ModelForm } from "../../../elements/forms/ModelForm"; +import { first } from "../../../utils"; + +@customElement("ak-source-scim-form") +export class SCIMSourceForm extends ModelForm { + loadInstance(pk: string): Promise { + return new SourcesApi(DEFAULT_CONFIG) + .sourcesScimRetrieve({ + slug: pk, + }) + .then((source) => { + return source; + }); + } + + getSuccessMessage(): string { + if (this.instance) { + return t`Successfully updated source.`; + } else { + return t`Successfully created source.`; + } + } + + send = (data: SCIMSource): Promise => { + if (this.instance?.slug) { + return new SourcesApi(DEFAULT_CONFIG).sourcesScimPartialUpdate({ + slug: this.instance.slug, + patchedSCIMSourceRequest: data, + }); + } else { + return new SourcesApi(DEFAULT_CONFIG).sourcesScimCreate({ + sCIMSourceRequest: data as unknown as SCIMSourceRequest, + }); + } + }; + + renderForm(): TemplateResult { + return html`
+ + + + + + + +
+ + +
+
+
`; + } +} diff --git a/web/src/pages/sources/scim/SCIMSourceViewPage.ts b/web/src/pages/sources/scim/SCIMSourceViewPage.ts new file mode 100644 index 000000000..fb679d343 --- /dev/null +++ b/web/src/pages/sources/scim/SCIMSourceViewPage.ts @@ -0,0 +1,125 @@ +import { t } from "@lingui/macro"; + +import { CSSResult, LitElement, TemplateResult, html } from "lit"; +import { customElement, property } from "lit/decorators.js"; + +import AKGlobal from "../../../authentik.css"; +import PFButton from "@patternfly/patternfly/components/Button/button.css"; +import PFCard from "@patternfly/patternfly/components/Card/card.css"; +import PFContent from "@patternfly/patternfly/components/Content/content.css"; +import PFDescriptionList from "@patternfly/patternfly/components/DescriptionList/description-list.css"; +import PFPage from "@patternfly/patternfly/components/Page/page.css"; +import PFGrid from "@patternfly/patternfly/layouts/Grid/grid.css"; +import PFBase from "@patternfly/patternfly/patternfly-base.css"; + +import { SCIMSource, SourcesApi } from "@goauthentik/api"; + +import { DEFAULT_CONFIG } from "../../../api/Config"; +import { EVENT_REFRESH } from "../../../constants"; +import "../../../elements/CodeMirror"; +import "../../../elements/Tabs"; +import "../../../elements/buttons/SpinnerButton"; +import "../../../elements/events/ObjectChangelog"; +import "../../../elements/forms/ModalForm"; +import "../../policies/BoundPoliciesList"; +import "./SCIMSourceForm"; + +@customElement("ak-source-scim-view") +export class SCIMSourceViewPage extends LitElement { + @property({ type: String }) + set sourceSlug(value: string) { + new SourcesApi(DEFAULT_CONFIG) + .sourcesScimRetrieve({ + slug: value, + }) + .then((source) => { + this.source = source; + }); + } + + @property({ attribute: false }) + source?: SCIMSource; + + static get styles(): CSSResult[] { + return [PFBase, PFPage, PFButton, PFGrid, PFContent, PFCard, PFDescriptionList, AKGlobal]; + } + + constructor() { + super(); + this.addEventListener(EVENT_REFRESH, () => { + if (!this.source?.pk) return; + this.sourceSlug = this.source?.slug; + }); + } + + render(): TemplateResult { + if (!this.source) { + return html``; + } + return html` +
+
+
+
+
+
+
+ ${t`Name`} +
+
+
+ ${this.source.name} +
+
+
+
+
+ ${t`Callback URL`} +
+
+ +
+
+
+
+ +
+
+
+
+
+
+
+ + +
+
+
+
+
`; + } +}