Documentation
Overview
Package scim provides SCIM 2.0 (RFC 7644) compliant handlers for user and group provisioning.
Authentication and Authorization
SCIM endpoints use Bearer token authentication with API tokens. The API token middleware handles authentication and sets the organization context based on the token's owner_id. SCIM operations follow the same authorization rules as other API endpoints.
Handler Implementation
The package uses the elimity-com/scim library which provides:
- RFC-compliant schema definitions for User and Group resources
- Request parsing and validation
- Patch operation handling
- List/filter/pagination support
The UserHandler and GroupHandler implement the scim.ResourceHandler interface and translate between SCIM resources and Openlane's ent entities.
Context Flow
Request context flows through the following middleware chain:
- Base middleware (transaction, logging, etc.)
- Authentication middleware (validates bearer token, creates authenticated user context)
- SCIM handlers (operate within the token's organization scope)
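The middleware chain above, as an added example that is not Openlane's code: a token-validating middleware resolves a presented bearer token to its owner's organization (the token's owner_id) and stores that scope in the request context, and a stand-in SCIM handler refuses to run without that scope. The token store, the orgIDKey context key, the apiToken type and ServeSCIM are constructed for this example; base middleware such as transactions and logging would wrap outside AuthMiddleware.

```go
package main

import (
	"context"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrOrgNotFound mirrors the package sentinel for a missing organization scope.
var ErrOrgNotFound = errors.New("organization not found in context")

type ctxKey int

const orgIDKey ctxKey = iota // hypothetical context key, not the project's

// apiToken is a constructed stand-in for a stored API token; ownerID is the
// organization the token provisions into (the token's owner_id).
type apiToken struct{ secret, ownerID string }

// tokenStore is constructed sample data; a deployment queries its database.
var tokenStore = []apiToken{
	{secret: "tok_example_org_a", ownerID: "org_a"},
	{secret: "tok_example_org_b", ownerID: "org_b"},
}

// lookupToken compares the presented secret against every stored token in
// constant time, without an early exit, so timing reveals nothing about
// which entry (if any) matched.
func lookupToken(secret string) (apiToken, bool) {
	var match apiToken
	found := false
	for _, t := range tokenStore {
		if subtle.ConstantTimeCompare([]byte(t.secret), []byte(secret)) == 1 {
			match, found = t, true
		}
	}
	return match, found
}

// AuthMiddleware validates the Bearer token and stores the owner's
// organization ID in the request context; anything else gets a 401.
func AuthMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const prefix = "Bearer "
		auth := r.Header.Get("Authorization")
		tok, ok := apiToken{}, false
		if strings.HasPrefix(auth, prefix) {
			tok, ok = lookupToken(strings.TrimPrefix(auth, prefix))
		}
		if !ok {
			w.Header().Set("WWW-Authenticate", `Bearer realm="scim"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		ctx := context.WithValue(r.Context(), orgIDKey, tok.ownerID)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

// OrgIDFromContext returns the organization scope set by AuthMiddleware.
func OrgIDFromContext(ctx context.Context) (string, error) {
	id, ok := ctx.Value(orgIDKey).(string)
	if !ok || id == "" {
		return "", ErrOrgNotFound
	}
	return id, nil
}

// scimHandler stands in for the User/Group handlers: it refuses to run
// without an organization scope, so a mis-wired chain fails closed instead
// of serving data across organizations.
func scimHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		orgID, err := OrgIDFromContext(r.Context())
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Type", "application/scim+json")
		json.NewEncoder(w).Encode(map[string]string{"scopedTo": orgID})
	})
}

// ServeSCIM pushes one request through auth -> handler and returns the
// status code and trimmed body, so the chain can be exercised offline.
func ServeSCIM(authorization string) (int, string) {
	chain := AuthMiddleware(scimHandler())
	req := httptest.NewRequest(http.MethodGet, "/scim/v2/Users", nil)
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	rec := httptest.NewRecorder()
	chain.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}
```

The handler reads the scope only from the context it was handed, which is why context preservation between the middleware and the SCIM library's handler matters: if the scope is lost on the way in, the handler fails with ErrOrgNotFound rather than answering unscoped.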
Index
- Variables
- func HandleEntError(err error, operation string, detail string) error
- func NewSCIMServer() (scim.Server, error)
- func ValidateSSOEnforced(ctx context.Context, orgID string) error
- func WrapSCIMServerHTTPHandler(server scim.Server) http.HandlerFunc
- type GroupAttributes
- type GroupHandler
- func (h *GroupHandler) Create(r *http.Request, attributes scim.ResourceAttributes) (scim.Resource, error)
- func (h *GroupHandler) Delete(r *http.Request, id string) error
- func (h *GroupHandler) Get(r *http.Request, id string) (scim.Resource, error)
- func (h *GroupHandler) GetAll(r *http.Request, params scim.ListRequestParams) (scim.Page, error)
- func (h *GroupHandler) Patch(r *http.Request, id string, operations []scim.PatchOperation) (scim.Resource, error)
- func (h *GroupHandler) Replace(r *http.Request, id string, attributes scim.ResourceAttributes) (scim.Resource, error)
- type PatchGroupAttributes
- type PatchUserAttributes
- type UserAttributes
- type UserHandler
- func (h *UserHandler) Create(r *http.Request, attributes scim.ResourceAttributes) (scim.Resource, error)
- func (h *UserHandler) Delete(r *http.Request, id string) error
- func (h *UserHandler) Get(r *http.Request, id string) (scim.Resource, error)
- func (h *UserHandler) GetAll(r *http.Request, params scim.ListRequestParams) (scim.Page, error)
- func (h *UserHandler) Patch(r *http.Request, id string, operations []scim.PatchOperation) (scim.Resource, error)
- func (h *UserHandler) Replace(r *http.Request, id string, attributes scim.ResourceAttributes) (scim.Resource, error)
Variables
var (
	// ErrUserNotFound is returned when a user is not found.
	ErrUserNotFound = errors.New("user not found")
	// ErrGroupNotFound is returned when a group is not found.
	ErrGroupNotFound = errors.New("group not found")
	// ErrInvalidAttributes is returned when resource attributes are invalid.
	ErrInvalidAttributes = errors.New("invalid resource attributes")
	// ErrOrgNotFound is returned when organization context is missing.
	ErrOrgNotFound = errors.New("organization not found in context")
	// ErrUserNotMemberOfOrg is returned when a user is not a member of the organization.
	ErrUserNotMemberOfOrg = errors.New("user is not a member of organization")
	// ErrSSONotEnforced is returned when SCIM operations are attempted but SSO is not enforced for the organization.
	ErrSSONotEnforced = errors.New("SSO must be enforced for the organization to use SCIM provisioning")
	// ErrOrgSettingsNotFound is returned when organization settings are not found.
	ErrOrgSettingsNotFound = errors.New("organization settings not found")
)
Functions
func HandleEntError
func HandleEntError(err error, operation string, detail string) error
HandleEntError converts ent database errors to SCIM-compliant error responses. It maps constraint errors to uniqueness violations and validation errors to invalid value errors.
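The mapping described above, as an added example rather than the package's own implementation. ent's generated package exposes ConstraintError, ValidationError and NotFoundError; the three types below are constructed stand-ins with the same shape, and SCIMError, RenderSCIMError and the sample errors are likewise constructed here. The point worth carrying over is that only the error's class drives the response: the caller's detail string is what the identity provider sees, and an unclassified database error yields a generic message instead of echoing driver or schema text.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
)

const scimErrorSchema = "urn:ietf:params:scim:api:messages:2.0:Error"

// Constructed stand-ins for ent's error classes (ent generates ConstraintError,
// ValidationError and NotFoundError; these local types only imitate them).
type ConstraintError struct{ Msg string }

func (e *ConstraintError) Error() string { return "ent: constraint failed: " + e.Msg }

type ValidationError struct{ Field string }

func (e *ValidationError) Error() string { return "ent: validator failed for field " + e.Field }

type NotFoundError struct{ Label string }

func (e *NotFoundError) Error() string { return "ent: " + e.Label + " not found" }

// SCIMError is the RFC 7644 section 3.12 error body; the RFC's examples
// carry status as a JSON string, hence the ",string" tag.
type SCIMError struct {
	Schemas  []string `json:"schemas"`
	Status   int      `json:"status,string"`
	ScimType string   `json:"scimType,omitempty"`
	Detail   string   `json:"detail"`
}

func (e *SCIMError) Error() string {
	return fmt.Sprintf("scim error %d %s: %s", e.Status, e.ScimType, e.Detail)
}

// HandleEntError maps a database error onto a SCIM error. Only the error's
// class is used for classification; the caller-supplied detail is what the
// identity provider receives, so driver and schema text (table names,
// constraint names) never cross the API boundary.
func HandleEntError(err error, operation string, detail string) error {
	if err == nil {
		return nil
	}
	se := &SCIMError{Schemas: []string{scimErrorSchema}, Detail: detail}
	var ce *ConstraintError
	var ve *ValidationError
	var nf *NotFoundError
	switch {
	case errors.As(err, &ce):
		se.Status, se.ScimType = http.StatusConflict, "uniqueness"
	case errors.As(err, &ve):
		se.Status, se.ScimType = http.StatusBadRequest, "invalidValue"
	case errors.As(err, &nf):
		se.Status = http.StatusNotFound
	default:
		// Unknown failures get a generic message; err itself belongs in server logs only.
		se.Status, se.Detail = http.StatusInternalServerError, operation+" failed"
	}
	return se
}

// RenderSCIMError turns any error into the status code and JSON body to send;
// errors that are not already SCIM errors are reported as internal failures.
func RenderSCIMError(err error) (int, string) {
	var se *SCIMError
	if !errors.As(err, &se) {
		se = &SCIMError{Schemas: []string{scimErrorSchema}, Status: http.StatusInternalServerError, Detail: "request failed"}
	}
	body, _ := json.Marshal(se)
	return se.Status, string(body)
}

func main() {
	// Constructed sample errors as a handler might receive them from ent.
	samples := []struct {
		err    error
		detail string
	}{
		{fmt.Errorf("create user: %w", &ConstraintError{Msg: "users_email_key"}), "userName already exists"},
		{&ValidationError{Field: "email"}, "email is not a valid address"},
		{&NotFoundError{Label: "user"}, "user not found"},
		{errors.New("pq: connection reset by peer"), ""},
	}
	for _, s := range samples {
		code, body := RenderSCIMError(HandleEntError(s.err, "create user", s.detail))
		fmt.Println(code, body)
	}
}
```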
func NewSCIMServer
func NewSCIMServer() (scim.Server, error)
NewSCIMServer creates a new SCIM server with User and Group resource handlers.
func ValidateSSOEnforced
func ValidateSSOEnforced(ctx context.Context, orgID string) error
ValidateSSOEnforced checks whether SSO is enforced for the organization. SCIM provisioning requires SSO to be enforced, since SCIM-provisioned users authenticate via SSO.
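The check described above, as an added example that is not the package's own code. It keeps the documented signature and the sentinel errors from the Variables section; the settings store, its ssoEnforced field, the orgIDKey context key, WithOrgID and ProvisionUser are constructed for the example. It also checks that the organization being provisioned is the one the authenticated token is scoped to, which the page does not state but which keeps a token for one organization from probing another's settings.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Sentinel errors as documented in the package's Variables section.
var (
	ErrOrgNotFound         = errors.New("organization not found in context")
	ErrSSONotEnforced      = errors.New("SSO must be enforced for the organization to use SCIM provisioning")
	ErrOrgSettingsNotFound = errors.New("organization settings not found")
)

type ctxKey int

const orgIDKey ctxKey = iota // hypothetical key under which the token middleware stores the org

// WithOrgID is what the authentication middleware would do after validating a token.
func WithOrgID(ctx context.Context, orgID string) context.Context {
	return context.WithValue(ctx, orgIDKey, orgID)
}

// orgSettings is a constructed stand-in for the organization settings entity;
// the field name is an assumption, not Openlane's schema.
type orgSettings struct{ ssoEnforced bool }

// settingsStore is constructed sample data keyed by organization ID.
var settingsStore = map[string]orgSettings{
	"org_sso":   {ssoEnforced: true},
	"org_nosso": {ssoEnforced: false},
}

// ValidateSSOEnforced checks that SCIM provisioning is allowed for orgID: the
// request must carry an organization scope, that scope must be the organization
// being provisioned, its settings must exist, and SSO must be enforced, because
// SCIM-provisioned users can only sign in through SSO.
func ValidateSSOEnforced(ctx context.Context, orgID string) error {
	scope, ok := ctx.Value(orgIDKey).(string)
	if !ok || scope == "" {
		return ErrOrgNotFound
	}
	if scope != orgID {
		// A token for one organization must not provision into another; report
		// it as "not found" so the caller learns nothing about other orgs.
		return ErrOrgNotFound
	}
	if err := ctx.Err(); err != nil {
		return err
	}
	s, ok := settingsStore[orgID]
	if !ok {
		return ErrOrgSettingsNotFound
	}
	if !s.ssoEnforced {
		return ErrSSONotEnforced
	}
	return nil
}

// ProvisionUser gates a provisioning step behind the check; op runs only
// when the organization is eligible.
func ProvisionUser(ctx context.Context, orgID string, op func() error) error {
	if err := ValidateSSOEnforced(ctx, orgID); err != nil {
		return fmt.Errorf("scim user create rejected: %w", err)
	}
	return op()
}

func main() {
	for _, org := range []string{"org_sso", "org_nosso", "org_missing"} {
		err := ProvisionUser(WithOrgID(context.Background(), org), org, func() error { return nil })
		fmt.Printf("%-12s -> %v\n", org, err)
	}
}
```

Wrapping the sentinel with %w keeps errors.Is working for callers that want to map ErrSSONotEnforced to a specific SCIM response while logging the full chain server-side.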
func WrapSCIMServerHTTPHandler
func WrapSCIMServerHTTPHandler(server scim.Server) http.HandlerFunc
WrapSCIMServerHTTPHandler wraps the SCIM server's HTTP handler with context preservation. This ensures that the request context (auth, transaction, etc.) flows through to the handlers.
Types
type GroupAttributes
GroupAttributes holds extracted and validated SCIM group attributes
func ExtractGroupAttributes
func ExtractGroupAttributes(attributes scim.ResourceAttributes) (*GroupAttributes, error)
ExtractGroupAttributes extracts and validates group attributes from SCIM ResourceAttributes
type GroupHandler
type GroupHandler struct{}
GroupHandler implements scim.ResourceHandler for Group resources.
func NewGroupHandler
func NewGroupHandler() *GroupHandler
NewGroupHandler creates a new GroupHandler.
func (*GroupHandler) Create
func (h *GroupHandler) Create(r *http.Request, attributes scim.ResourceAttributes) (scim.Resource, error)
Create stores given attributes and returns a resource with the attributes that are stored and a unique identifier.
func (*GroupHandler) Delete
func (h *GroupHandler) Delete(r *http.Request, id string) error
Delete removes the resource with corresponding ID.
func (*GroupHandler) GetAll
func (h *GroupHandler) GetAll(r *http.Request, params scim.ListRequestParams) (scim.Page, error)
GetAll returns a paginated list of resources.
type PatchGroupAttributes
PatchGroupAttributes holds attributes that can be patched on a group
func ExtractPatchGroupAttribute
func ExtractPatchGroupAttribute(op scim.PatchOperation) *PatchGroupAttributes
ExtractPatchGroupAttribute extracts group attributes from a patch operation value
type PatchUserAttributes
type PatchUserAttributes struct {
Email *string
UserName *string
ExternalID *string
PreferredLanguage *string
Locale *string
ProfileURL *string
FirstName *string
LastName *string
DisplayName *string
Active *bool
}
PatchUserAttributes applies patch operations to update user attributes
func ExtractPatchUserAttribute
func ExtractPatchUserAttribute(op scim.PatchOperation) (*PatchUserAttributes, error)
ExtractPatchUserAttribute extracts a single attribute from a patch operation value
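An added example of the extraction step above, not the package's own code. It uses the PatchUserAttributes struct as documented on this page but a constructed PatchOperation stand-in (the real library parses the path into a filter type), and assumes the library has already validated the operation name and that remove operations are handled elsewhere; stringFields, parseActive, applyMap and the strict flag are constructed here. It handles the two shapes identity providers send: an explicit path ("name.givenName") and a path-less operation whose value is an object of attributes, where unknown keys are skipped but an unknown explicit path is rejected.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// ErrInvalidAttributes and PatchUserAttributes mirror the names documented on this page.
var ErrInvalidAttributes = errors.New("invalid resource attributes")

type PatchUserAttributes struct {
	Email, UserName, ExternalID, PreferredLanguage, Locale, ProfileURL *string
	FirstName, LastName, DisplayName                                   *string
	Active                                                             *bool
}

// PatchOperation is a constructed stand-in for the library's patch type; Path is empty when the IdP sends a map of attributes as Value.
type PatchOperation struct {
	Op    string
	Path  string
	Value any
}

// stringFields maps SCIM attribute paths onto the string-valued fields of p.
func stringFields(p *PatchUserAttributes) map[string]**string {
	return map[string]**string{
		"userName": &p.UserName, "externalId": &p.ExternalID, "displayName": &p.DisplayName,
		"name.givenName": &p.FirstName, "name.familyName": &p.LastName,
		"locale": &p.Locale, "preferredLanguage": &p.PreferredLanguage, "profileUrl": &p.ProfileURL,
	}
}

// parseActive accepts a JSON bool and, defensively, strings such as "False" that some IdPs send for "active" in PATCH bodies.
func parseActive(v any) (bool, bool) {
	switch t := v.(type) {
	case bool:
		return t, true
	case string:
		b, err := strconv.ParseBool(t)
		return b, err == nil
	}
	return false, false
}

// setField assigns one attribute path. An unsupported path is an error when named
// explicitly but is skipped inside a bulk value, since IdPs send attributes (schemas, meta, ...) this service does not store.
func setField(p *PatchUserAttributes, path string, v any, strict bool) error {
	if path == "active" {
		b, ok := parseActive(v)
		if !ok {
			return fmt.Errorf("%w: active must be a boolean", ErrInvalidAttributes)
		}
		p.Active = &b
		return nil
	}
	dst, known := stringFields(p)[path]
	if !known && strict {
		return fmt.Errorf("%w: unsupported path %q", ErrInvalidAttributes, path)
	} else if !known {
		return nil
	}
	s, ok := v.(string)
	if !ok {
		return fmt.Errorf("%w: %s must be a string", ErrInvalidAttributes, path)
	}
	*dst = &s
	return nil
}

// applyMap walks a bulk value, flattening nested objects such as "name" into dotted paths.
func applyMap(p *PatchUserAttributes, prefix string, m map[string]any) error {
	for k, v := range m {
		var err error
		if sub, ok := v.(map[string]any); ok {
			err = applyMap(p, prefix+k+".", sub)
		} else {
			err = setField(p, prefix+k, v, false)
		}
		if err != nil {
			return err
		}
	}
	return nil
}

// ExtractPatchUserAttribute maps one add/replace operation onto the patchable fields, in "path" form or bulk-value form.
func ExtractPatchUserAttribute(op PatchOperation) (*PatchUserAttributes, error) {
	p := &PatchUserAttributes{}
	var err error
	switch m, isMap := op.Value.(map[string]any); {
	case op.Path != "":
		err = setField(p, op.Path, op.Value, true)
	case isMap:
		err = applyMap(p, "", m)
	default:
		err = fmt.Errorf("%w: value must be an object when path is empty", ErrInvalidAttributes)
	}
	if err != nil {
		return nil, err
	}
	return p, nil
}
```

Every rejection wraps ErrInvalidAttributes, so a handler can map the whole family to one SCIM invalidValue response with errors.Is while keeping the specific reason in the message.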
type UserAttributes
type UserAttributes struct {
UserName string
Email string
ExternalID string
FirstName string
LastName string
DisplayName string
PreferredLanguage string
Locale string
ProfileURL string
Active bool
}
UserAttributes holds extracted and validated SCIM user attributes
func ExtractUserAttributes
func ExtractUserAttributes(attributes scim.ResourceAttributes) (*UserAttributes, error)
ExtractUserAttributes extracts and validates user attributes from SCIM ResourceAttributes
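An added example of the create-time extraction above, not the package's own code. It fills the UserAttributes struct as documented on this page from a plain attribute map (ResourceAttributes is assumed here to be the decoded request JSON); the str and primaryEmail helpers are constructed, and two behaviours are assumptions made for the example rather than the package's: an absent "active" is treated as enabled, and when no emails entry is present a userName that is an address is used as the email.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrInvalidAttributes mirrors the package sentinel of the same name.
var ErrInvalidAttributes = errors.New("invalid resource attributes")

// ResourceAttributes stands in for the SCIM library's attribute type
// (assumed here to be the request JSON decoded into a map).
type ResourceAttributes map[string]any

// UserAttributes matches the struct documented on this page.
type UserAttributes struct {
	UserName, Email, ExternalID, FirstName, LastName, DisplayName string
	PreferredLanguage, Locale, ProfileURL                          string
	Active                                                         bool
}

func str(m map[string]any, key string) string {
	s, _ := m[key].(string)
	return strings.TrimSpace(s)
}

// primaryEmail picks the entry flagged primary in the multi-valued "emails"
// attribute, falling back to the first entry that has a value.
func primaryEmail(v any) string {
	list, _ := v.([]any)
	first := ""
	for _, e := range list {
		m, ok := e.(map[string]any)
		if !ok || str(m, "value") == "" {
			continue
		}
		if p, _ := m["primary"].(bool); p {
			return str(m, "value")
		}
		if first == "" {
			first = str(m, "value")
		}
	}
	return first
}

// ExtractUserAttributes flattens a SCIM User into UserAttributes. It rejects
// a payload without a userName or a usable email; when "active" is absent the
// account is treated as enabled (an assumption made in this example).
func ExtractUserAttributes(attributes ResourceAttributes) (*UserAttributes, error) {
	m := map[string]any(attributes)
	u := &UserAttributes{
		UserName:          str(m, "userName"),
		ExternalID:        str(m, "externalId"),
		DisplayName:       str(m, "displayName"),
		PreferredLanguage: str(m, "preferredLanguage"),
		Locale:            str(m, "locale"),
		ProfileURL:        str(m, "profileUrl"),
		Email:             primaryEmail(m["emails"]),
		Active:            true,
	}
	if name, ok := m["name"].(map[string]any); ok {
		u.FirstName, u.LastName = str(name, "givenName"), str(name, "familyName")
	}
	if a, ok := m["active"].(bool); ok {
		u.Active = a
	}
	if u.UserName == "" {
		return nil, fmt.Errorf("%w: userName is required", ErrInvalidAttributes)
	}
	if u.Email == "" && strings.Contains(u.UserName, "@") {
		u.Email = u.UserName // assumption: many IdPs use the address as userName
	}
	if !strings.Contains(u.Email, "@") {
		return nil, fmt.Errorf("%w: a valid email address is required", ErrInvalidAttributes)
	}
	return u, nil
}

func main() {
	// Constructed sample User resource as an identity provider would POST it.
	u, err := ExtractUserAttributes(ResourceAttributes{
		"userName": "jane.doe@example.com",
		"name":     map[string]any{"givenName": "Jane", "familyName": "Doe"},
		"emails":   []any{map[string]any{"value": "jane.doe@example.com", "primary": true}},
		"active":   true,
	})
	fmt.Printf("%+v %v\n", u, err)
}
```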
type UserHandler
type UserHandler struct{}
UserHandler implements scim.ResourceHandler for User resources.
func (*UserHandler) Create
func (h *UserHandler) Create(r *http.Request, attributes scim.ResourceAttributes) (scim.Resource, error)
Create stores given attributes and returns a resource with the attributes that are stored and a unique identifier.
func (*UserHandler) Delete
func (h *UserHandler) Delete(r *http.Request, id string) error
Delete removes the resource with corresponding ID.
func (*UserHandler) GetAll
func (h *UserHandler) GetAll(r *http.Request, params scim.ListRequestParams) (scim.Page, error)
GetAll returns a paginated list of resources.