fix: add scim schemas (#157)

fix bad SCIM request error

Author: sqin2019

pkg/github/enterpriseuserwriter_test.go

@@ -87,6 +87,7 @@ func TestEnterpriseUserWriter_SetMembers(t *testing.T) {
 					ID:       github.String("scim-id-user.new"),
 					UserName: "user.new",
 					Active:   github.Bool(true),
+					Schemas:  []string{"urn:ietf:params:scim:schemas:core:2.0:User"},
 				},
 			},
 		},
@@ -109,6 +110,7 @@ func TestEnterpriseUserWriter_SetMembers(t *testing.T) {
 					ID:       github.String("scim-id-user.one"),
 					UserName: "user.one",
 					Active:   github.Bool(true),
+					Schemas:  []string{"urn:ietf:params:scim:schemas:core:2.0:User"},
 				},
 			},
 		},
@@ -243,6 +245,8 @@ func TestEnterpriseUserWriter_SetMembers(t *testing.T) {
 				"scim-id-user.one": {
 					ID:       github.String("scim-id-user.one"),
 					UserName: "user.one",
+					Active:   github.Bool(true),
+					Schemas:  []string{"urn:ietf:params:scim:schemas:core:2.0:User"},
 				},
 			},
 		},

pkg/github/scim.go

@@ -37,6 +37,21 @@ type SCIMClient struct {
 	baseURL    *url.URL
 }
 
+// scimPatchOp represents a single SCIM patch operation.
+// https://datatracker.ietf.org/doc/html/rfc7644#section-3.5.2
+type scimPatchOp struct {
+	Op    string `json:"op"`
+	Path  string `json:"path,omitempty"`
+	Value any    `json:"value,omitempty"`
+}
+
+// scimPatchPayload is the body of a SCIM PATCH request.
+// https://datatracker.ietf.org/doc/html/rfc7644#section-3.5.2
+type scimPatchPayload struct {
+	Schemas    []string      `json:"schemas"`
+	Operations []scimPatchOp `json:"Operations"`
+}
+
 // NewSCIMClient creates a new client for the GHES SCIM API.
 func NewSCIMClient(httpClient *http.Client, baseURL string) (*SCIMClient, error) {
 	u, err := url.Parse(strings.TrimSuffix(baseURL, "/") + ghesSCIMURLPath)
@@ -79,6 +94,9 @@ func (c *SCIMClient) ListUsers(ctx context.Context) (map[string]*github.SCIMUser
 // CreateUser provisions a new user.
 func (c *SCIMClient) CreateUser(ctx context.Context, user *github.SCIMUserAttributes) (*github.SCIMUserAttributes, *github.Response, error) {
 	path := "Users"
+	// Schema for POST: https://datatracker.ietf.org/doc/html/rfc7644#section-3.3
+	user.Schemas = append(user.Schemas, "urn:ietf:params:scim:schemas:core:2.0:User")
+	user.Active = github.Bool(true)
 	var createdUser github.SCIMUserAttributes
 	resp, err := c.do(ctx, http.MethodPost, c.baseURL.ResolveReference(&url.URL{Path: path}).String(), user, &createdUser)
 	if err != nil {
@@ -101,6 +119,8 @@ func (c *SCIMClient) GetUser(ctx context.Context, scimID string) (*github.SCIMUs
 // UpdateUser updates a user's attributes.
 func (c *SCIMClient) UpdateUser(ctx context.Context, scimID string, user *github.SCIMUserAttributes) (*github.SCIMUserAttributes, *github.Response, error) {
 	path := fmt.Sprintf("Users/%s", scimID)
+	// Schema for PUT: https://datatracker.ietf.org/doc/html/rfc7644#section-3.5.1
+	user.Schemas = append(user.Schemas, "urn:ietf:params:scim:schemas:core:2.0:User")
 	var updatedUser github.SCIMUserAttributes
 	resp, err := c.do(ctx, http.MethodPut, c.baseURL.ResolveReference(&url.URL{Path: path}).String(), user, &updatedUser)
 	if err != nil {
@@ -113,7 +133,16 @@ func (c *SCIMClient) UpdateUser(ctx context.Context, scimID string, user *github
 // https://docs.github.com/en/enterprise-server@3.17/admin/managing-iam/provisioning-user-accounts-with-scim/provisioning-users-and-groups-with-scim-using-the-rest-api#soft-deprovisioning-users-with-the-rest-api
 func (c *SCIMClient) DeactivateUser(ctx context.Context, scimID string) (*github.SCIMUserAttributes, *github.Response, error) {
 	path := fmt.Sprintf("Users/%s", scimID)
-	payload := &github.SCIMUserAttributes{Active: github.Bool(false)}
+	// Schema for PATCH: https://datatracker.ietf.org/doc/html/rfc7644#section-3.5.2
+	payload := &scimPatchPayload{
+		Schemas: []string{"urn:ietf:params:scim:api:messages:2.0:PatchOp"},
+		Operations: []scimPatchOp{
+			{
+				Op:    "replace",
+				Value: map[string]bool{"active": false},
+			},
+		},
+	}
 	var deactivatedUser github.SCIMUserAttributes
 	resp, err := c.do(ctx, http.MethodPatch, c.baseURL.ResolveReference(&url.URL{Path: path}).String(), payload, &deactivatedUser)
 	if err != nil {
@@ -126,7 +155,15 @@ func (c *SCIMClient) DeactivateUser(ctx context.Context, scimID string) (*github
 // https://docs.github.com/en/enterprise-server@3.17/admin/managing-iam/provisioning-user-accounts-with-scim/deprovisioning-and-reinstating-users#reinstating-a-user-account-that-was-soft-deprovisioned
 func (c *SCIMClient) ReactivateUser(ctx context.Context, scimID string) (*github.SCIMUserAttributes, *github.Response, error) {
 	path := fmt.Sprintf("Users/%s", scimID)
-	payload := &github.SCIMUserAttributes{Active: github.Bool(true)}
+	payload := &scimPatchPayload{
+		Schemas: []string{"urn:ietf:params:scim:api:messages:2.0:PatchOp"},
+		Operations: []scimPatchOp{
+			{
+				Op:    "replace",
+				Value: map[string]bool{"active": true},
+			},
+		},
+	}
 	var reactivatedUser github.SCIMUserAttributes
 	resp, err := c.do(ctx, http.MethodPatch, c.baseURL.ResolveReference(&url.URL{Path: path}).String(), payload, &reactivatedUser)
 	if err != nil {

pkg/github/scim_test.go

@@ -111,12 +111,22 @@ func fakeEnterprise(t *testing.T, data *EnterpriseUserData) *httptest.Server {
 				http.Error(w, "not found", http.StatusNotFound)
 				return
 			}
-			var patch github.SCIMUserAttributes
+			var patch scimPatchPayload
 			if err := json.NewDecoder(r.Body).Decode(&patch); err != nil {
 				http.Error(w, err.Error(), http.StatusBadRequest)
 				return
 			}
-			user.Active = patch.Active
+			if len(patch.Operations) > 0 {
+				op := patch.Operations[0]
+				if op.Op == "replace" {
+					if value, ok := op.Value.(map[string]interface{}); ok {
+						if active, ok := value["active"].(bool); ok {
+							user.Active = github.Bool(active)
+						}
+					}
+				}
+			}
+
 			if err := json.NewEncoder(w).Encode(user); err != nil {
 				t.Fatalf("failed to encode create response: %v", err)
 			}
@@ -217,6 +227,9 @@ func TestSCIMClient_UpdateUser(t *testing.T) {
 			wantFinalUser: &github.SCIMUserAttributes{
 				ID:   github.String("id1"),
 				Name: github.SCIMUserName{GivenName: "New", FamilyName: "Name"},
+				Schemas: []string{
+					"urn:ietf:params:scim:schemas:core:2.0:User",
+				},
 			},
 			wantServerCount: 1,
 		},
@@ -327,6 +340,10 @@ func TestSCIMClient_CreateUser(t *testing.T) {
 			wantUserOnServer: &github.SCIMUserAttributes{
 				ID:       github.String("scim-id-new.user"),
 				UserName: "new.user",
+				Schemas: []string{
+					"urn:ietf:params:scim:schemas:core:2.0:User",
+				},
+				Active: github.Bool(true),
 			},
 			wantServerUserCount: 1,
 		},