Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SCIM provisioning API basic implementation #17144

Open
wants to merge 56 commits into
base: develop
Choose a base branch
from
Open

SCIM provisioning API basic implementation #17144

wants to merge 56 commits into from

Conversation

azmeuk
Copy link
Contributor

@azmeuk azmeuk commented May 2, 2024
edited
Loading

This is an implementation of MSC4098. It implements a subset of the SCIM provisioning protocol defined in RFC7643 and RFC7644.

It contains:

  • A SCIM servlet implementing the minimal SCIM endpoints.
    • The data edition/retrieval part largely takes inspiration (and shameless copied) from synapse/rest/admin/users.py.
    • The SCIM payload validation and production is achieved with scim2-models, a library based on pydantic which I maintain.
  • Unit tests for those endpoints.
  • Documentation on the state of the SCIM implementation, and examples of requests and response payloads.

The SCIM requires needs python 3.9+ (because of the use of typing.Anotated in scim2-models) and pydantic 2.7.0+

SCIM implementation details

Only a subset of the SCIM endpoints are implemented:

What's implemented:

  • The main endpoints:
    • /Users (GET, POST)
    • /Users/<user_id> (GET, PUT, DELETE)
    • /ServiceProviderConfig (GET)
    • /Schemas (GET)
    • /Schemas/<schema_id> (GET)
    • /ResourceTypes (GET)
    • /ResourceTypes/<resource_type_id>
  • pagination
  • The user attributes:
    • userName
    • password
    • emails
    • phoneNumbers
    • displayName
    • photos (as a MXC URI)
    • active

What is defined in the SCIM specs but not implemented here:

What do you think?

Pull Request Checklist

  • Pull request is based on the develop branch
  • Pull request includes a changelog file. The entry should:
    • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
    • Use markdown where necessary, mostly for code blocks.
    • End with either a period (.) or an exclamation mark (!).
    • Start with a capital letter.
    • Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
  • Code style is correct
    (run the linters)

@azmeuk azmeuk requested a review from a team as a code owner May 2, 2024 14:49
@azmeuk azmeuk marked this pull request as draft May 2, 2024 14:50
@azmeuk azmeuk mentioned this pull request May 2, 2024
Open
@azmeuk azmeuk force-pushed the msc4098-scim branch 4 times, most recently from ea6a6d6 to dd52360 Compare May 3, 2024 16:06
@erikjohnston erikjohnston removed the request for review from a team May 14, 2024 12:14
@erikjohnston
Copy link
Member

(I've taken this out of the review queue as its in draft, let us know if you want feedback)

@azmeuk
Copy link
Contributor Author

azmeuk commented May 27, 2024
edited
Loading

Hi @erikjohnston
Thank you for your feedback offering. Indeed this is a draft, but I hope to take back the development soon.

There is one design question though. I see that there is a dependency to pydantic in synapse, and I recently published scim2-models that is a library that helps to parse and serialize SCIM2 payloads using pydantic. I think the SCIM implementation would greatly benefit from using scim2-models, as a big part of the specification compliance would be delegated to the library.

Would it be acceptable to add a dependency towards scim2-models in synapse, or should I continue checking and building SCIM2 payloads manually?

@azmeuk azmeuk force-pushed the msc4098-scim branch 4 times, most recently from f893967 to 81d751b Compare June 6, 2024 14:25
@azmeuk azmeuk force-pushed the msc4098-scim branch 3 times, most recently from dcd72ed to 6a1e1b2 Compare July 25, 2024 12:06
@azmeuk azmeuk marked this pull request as ready for review July 25, 2024 12:09
@azmeuk
Copy link
Contributor Author

azmeuk commented Jul 25, 2024

Hi @erikjohnston
I think the PR can be reviewed now. I edited the OP to detail what's in there.
I am available on #synapse-dev too if there are things to discuss.

@azmeuk
feat: SCIM implementation
f0aa456 
Implementation of a subset of SCIM endpoint and capabilities as
described in MSC4098.

Signed-off-by: Éloi Rivard <eloi@yaal.coop>
@github-actions github-actions bot deployed to PR Documentation Preview August 13, 2024 09:03 Active
@anoadragon453 anoadragon453 requested a review from a team August 13, 2024 10:20
@azmeuk

This comment was marked as outdated.

Sign in to view
@azmeuk

This comment was marked as outdated.

Sign in to view
@github-actions github-actions bot deployed to PR Documentation Preview November 15, 2024 14:34 Active
@github-actions github-actions bot deployed to PR Documentation Preview November 17, 2024 15:23 Active
@github-actions github-actions bot deployed to PR Documentation Preview November 17, 2024 15:32 Active
@github-actions github-actions bot deployed to PR Documentation Preview November 17, 2024 17:38 Active
@github-actions github-actions bot deployed to PR Documentation Preview November 17, 2024 19:31 Active
@github-actions github-actions bot deployed to PR Documentation Preview November 20, 2024 09:14 Active
@github-actions github-actions bot deployed to PR Documentation Preview November 20, 2024 09:53 Active
@github-actions github-actions bot deployed to PR Documentation Preview November 22, 2024 09:00 Active
@github-actions github-actions bot deployed to PR Documentation Preview November 22, 2024 10:13 Active
@github-actions github-actions bot deployed to PR Documentation Preview November 22, 2024 13:56 Active
@github-actions github-actions bot deployed to PR Documentation Preview November 22, 2024 13:57 Active
@github-actions github-actions bot deployed to PR Documentation Preview November 22, 2024 14:03 Active
@azmeuk
Copy link
Contributor Author

azmeuk commented Nov 22, 2024

@reivilibre I think all your comments have been addressed now. Most of them have been fixed in the code and I responded to some with new questions.
The implementation have been tested against Keycloak with the keycloak-scim extension.

I am sorry for the many commits, the PR looks like a mess. If it is easier for the review, I can close it and open a new one. Let me know.

@reivilibre reivilibre self-requested a review December 5, 2024 16:54
@github-actions github-actions bot deployed to PR Documentation Preview January 2, 2025 12:51 Active
reivilibre
reivilibre requested changes Jan 24, 2025
View reviewed changes
Copy link
Contributor

@reivilibre reivilibre left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is looking generally good, but a few comments (and some still open from last time).

The CI is also unhappy but hopefully that's nothing too difficult?

docs/usage/administration/admin_api/scim_api.md

```yaml
experimental_features:
msc4098:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if this is no longer tracking an MSC, let's rename this feature to just scim.

I understand what MatMaul is saying but I would still prefer it in an experimental feature that is disabled by default.
That makes it easier to remove later if for some reason we can't commit to supporting it anymore, plus with MAS around the corner it is quite likely to get dropped from Synapse again.
I'm not against people having a SCIM API as long as they are aware of this though.

docs/usage/administration/admin_api/scim_api.md
```
DELETE /_matrix/client/unstable/coop.yaal/scim/Users/@bjensen:test
```

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this was noted on the documentation?

synapse/config/experimental.py
@@ -256,6 +256,19 @@ class MSC3866Config:
require_approval_for_new_accounts: bool = False


@attr.s(auto_attribs=True, frozen=True, slots=True)
class MSC4098Config:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
class MSC4098Config:
class ScimConfig:

synapse/handlers/profile.py
`picture_https_url`.
"""
if media_repo is None:
logger.info(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
logger.info(
logger.warning(

synapse/util/templates.py
@@ -81,6 +81,33 @@ def build_jinja_env(
return env


def mxc_to_http(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suspect this is no longer functional, given authenticated media means you can't just hotlink to media like this anymore.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MatMaul MatMaul MatMaul left review comments

@reivilibre reivilibre reivilibre requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@azmeuk @erikjohnston @CLAassistant @MatMaul @reivilibre