Add saml auth logic

ee/app/controllers/concerns/saml_authorization.rb

+# frozen_string_literal: true
+module SamlAuthorization
+  extend ActiveSupport::Concern
+
+  private
+
+  def authorize_manage_saml!
+    render_404 unless can?(current_user, :admin_group_saml, group)
+  end
+
+  def check_group_saml_configured
+    render_404 unless Gitlab::Auth::GroupSaml::Config.enabled?
+  end
+
+  def require_top_level_group
+    render_404 if group.subgroup?
+  end
+end

ee/app/controllers/groups/saml_providers_controller.rb

 # frozen_string_literal: true
+require_relative '../concerns/saml_authorization.rb' # frozen_string_literal: true
 
 class Groups::SamlProvidersController < Groups::ApplicationController
+  include SamlAuthorization
   before_action :require_top_level_group
   before_action :authorize_manage_saml!
   before_action :check_group_saml_available!
   before_action :check_group_saml_configured
 
+  # rubocop: disable CodeReuse/ActiveRecord
   def show
     @saml_provider = @group.saml_provider || @group.build_saml_provider
+
+    @scim_token_exists = ScimOauthAccessToken.exists?(group: @group)
+    @scim_token_url = group_scim_oauth_url(@group)
   end
+  # rubocop: enable CodeReuse/ActiveRecord
 
   def create
     @saml_provider = @group.build_saml_provider(saml_provider_params)
@@ -28,18 +35,6 @@ class Groups::SamlProvidersController < Groups::ApplicationController
 
   private
 
-  def authorize_manage_saml!
-    render_404 unless can?(current_user, :admin_group_saml, @group)
-  end
-
-  def check_group_saml_configured
-    render_404 unless Gitlab::Auth::GroupSaml::Config.enabled?
-  end
-
-  def require_top_level_group
-    render_404 if @group.subgroup?
-  end
-
   def saml_provider_params
     allowed_params = %i[sso_url certificate_fingerprint enabled]
 

ee/app/controllers/groups/scim_oauth_controller.rb

 # frozen_string_literal: true
 
 class Groups::ScimOauthController < Groups::ApplicationController
-  # before_action :require_top_level_group
-  # before_action :authorize_manage_saml!
-  # before_action :check_group_saml_available!
-  # before_action :check_group_saml_configured
-  skip_before_filter :verify_authenticity_token
+  include SamlAuthorization
 
+  before_action :require_top_level_group
+  before_action :authorize_manage_saml!
+  before_action :check_group_saml_available!
+  before_action :check_group_saml_configured
+  before_action :check_group_scim_enabled
 
   def show
     scim_token = ScimOauthAccessToken.find_by_group_id(@group.id)
@@ -22,17 +23,31 @@ class Groups::ScimOauthController < Groups::ApplicationController
     end
   end
 
+  # rubocop: disable CodeReuse/ActiveRecord
   def create
-    scim_token = ScimOauthAccessToken.safe_find_or_create_by(group: @group)
+    scim_token = ScimOauthAccessToken.find_or_initialize_by(group: @group)
+
+    if scim_token.new_record?
+      scim_token.save
+    else
+      scim_token.reset_token!
+    end
 
     respond_to do |format|
       format.json do
-        if scim_token&.valid?
+        if scim_token.valid?
           render json: ScimOauthAccessTokenEntity.new(scim_token).as_json
         else
-          render json: { errors: scim_token&.errors&.full_messages }, status: :unprocessable_entity
+          render json: { errors: scim_token.errors.full_messages }, status: :unprocessable_entity
         end
       end
     end
   end
+  # rubocop: enable CodeReuse/ActiveRecord
+
+  private
+
+  def check_group_scim_enabled
+    route_not_found unless Feature.enabled?(:group_scim, @group)
+  end
 end

ee/app/models/ee/group.rb

@@ -20,7 +20,7 @@ module EE
       has_one :saml_provider
       has_one :insight, foreign_key: :namespace_id
       accepts_nested_attributes_for :insight
-      has_one :scim_ouath_access_token, dependent: :destroy
+      has_one :scim_oauth_access_token, dependent: :destroy
 
       has_many :ldap_group_links, foreign_key: 'group_id', dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
       has_many :hooks, dependent: :destroy, class_name: 'GroupHook' # rubocop:disable Cop/ActiveRecordDependent

ee/app/models/scim_oauth_access_token.rb

 # frozen_string_literal: true
 
-class ScimOauthAccessToken < ActiveRecord::Base
+class ScimOauthAccessToken < ApplicationRecord
   include TokenAuthenticatable
 
   belongs_to :group

ee/app/serializers/scim_oauth_access_token_entity.rb

+# frozen_string_literal: true
+
+class ScimOauthAccessTokenEntity < Grape::Entity
+  include ::API::Helpers::RelatedResourcesHelpers
+
+  SCIM_PATH = '/api/scim/v2/groups'
+
+  expose :scim_api_url do |scim|
+    expose_url("#{SCIM_PATH}/#{scim.group.full_path}")
+  end
+
+  expose :token, as: :scim_token
+end

ee/spec/factories/scim_oauth_access_tokens.rb

+# Read about factories at https://github.com/thoughtbot/factory_bot
+
+FactoryBot.define do
+  factory :scim_oauth_access_token do
+    group
+  end
+end