Add SCIM API

440d6eac · James Lopez · d4e90e31 · 440d6eac · 440d6eac · 440d6eac
Commit 440d6eac authored Feb 08, 2019 by James Lopez
6 changed files
--- a/ee/lib/api/scim.rb
+++ b/ee/lib/api/scim.rb
+# frozen_string_literal: true
+
+module API
+  class Scim < Grape::API
+    prefix 'api/scim'
+    version 'v2'
+    content_type :json, 'application/scim+json'
+
+    namespace 'groups/:group' do
+      params do
+        requires :group, type: String
+      end
+
+      resource :Users do
+        before do
+          check_group_saml_configured
+          authenticate!
+        end
+
+        desc 'Returns 200 if authenticated'
+        get do
+          group = find_group!(params[:group])
+
+          authorize_manage_saml!(group)
+
+          status 200
+
+          {} # Dummy, just used to verify the connection by IdPs at the moment
+        end
+
+        desc 'Removes a SAML user'
+        params do
+          requires :external_id, type: Integer, desc: 'The external ID of the member'
+        end
+        delete ":external_id" do
+          group = find_group!(params[:group])
+
+          authorize_manage_saml!(group)
+
+          user = User.find_by_email(params[:external_id])
+
+          not_found!('User') unless user
+
+          linked_identity = GroupSamlIdentityFinder.new(user: user).find_linked(group: group)
+
+          GroupSaml::Identity::DestroyService.new(linked_identity).execute
+        end
+      end
+    end
+  end
+end
--- a/ee/lib/ee/api/api_guard.rb
+++ b/ee/lib/ee/api/api_guard.rb
@@ -10,7 +10,8 @@ module EE
        def find_user_from_sources
          find_user_from_access_token ||
            find_user_from_job_token ||
-            find_user_from_warden
+            find_user_from_warden ||
+            find_user_from_scim_token
        end
      end
    end

--- a/ee/lib/ee/api/endpoints.rb
+++ b/ee/lib/ee/api/endpoints.rb
@@ -26,6 +26,7 @@ module EE
        mount ::API::NpmPackages
        mount ::API::Packages
        mount ::API::PackageFiles
+        mount ::API::Scim
        mount ::API::ManagedLicenses
        mount ::API::ProjectApprovals


--- a/ee/lib/ee/api/helpers.rb
+++ b/ee/lib/ee/api/helpers.rb
@@ -130,6 +130,14 @@ module EE
      def geo_token
        ::Gitlab::Geo.current_node.system_hook.token
      end
+
+      def authorize_manage_saml!(group)
+        unauthorized! unless can?(current_user, :admin_group_saml, group)
+      end
+
+      def check_group_saml_configured
+        forbidden!('Group SAML not enabled.') unless ::Gitlab::Auth::GroupSaml::Config.enabled?
+      end
    end
  end
 end
--- a/ee/lib/ee/gitlab/auth/user_auth_finders.rb
+++ b/ee/lib/ee/gitlab/auth/user_auth_finders.rb
@@ -22,6 +22,29 @@ module EE

          job.user
        end
+
+        def find_oauth_access_token
+          return if scim_request?
+
+          super
+        end
+
+        def find_user_from_scim_token
+          return unless scim_request?
+
+          token = Doorkeeper::OAuth::Token.from_request(current_request, *Doorkeeper.configuration.access_token_methods)
+          return unless token
+
+          # TODO Use `ScimOauthAccessToken`
+          scim_token = PersonalAccessToken.find_by_token(token)
+          raise ::Gitlab::Auth::UnauthorizedError unless scim_token
+
+          scim_token.user
+        end
+
+        def scim_request?
+          current_request.path.starts_with?("/api/scim/")
+        end
      end
    end
  end

--- a/ee/spec/requests/api/scim_spec.rb
+++ b/ee/spec/requests/api/scim_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe API::Scim do
+  describe 'GET api/scim/v2/groups/:group/Users' do
+    let(:user) { create(:user) }
+    let(:identity) { create(:group_saml_identity, user: user) }
+    let(:group) { identity.saml_provider.group }
+    let(:token) { create(:personal_access_token, user: user) }
+
+    before do
+      stub_licensed_features(group_saml: true)
+
+      group.add_owner(user)
+    end
+
+    it 'responds with a 200' do
+      get api("scim/v2/groups/#{group.full_path}/Users", user, oauth_access_token: token, version: '')
+
+      expect(response).to have_gitlab_http_status(200)
+    end
+  end
+end