Skip to content

Commit

Permalink
SCIM: Allow max. 1 IdP (#1332)
Browse files Browse the repository at this point in the history
  • Loading branch information
@fisx
fisx authored Jan 15, 2021
1 parent 6e3fb26 commit 458b9fe
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 1 deletion.
14 changes: 14 additions & 0 deletions services/spar/src/Spar/API.hs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -283,13 +283,27 @@ idpCreateXML :: Maybe UserId -> Text -> SAML.IdPMetadata -> Maybe SAML.IdPId ->
idpCreateXML zusr raw idpmeta mReplaces = withDebugLog "idpCreate" (Just . show . (^. SAML.idpId)) $ do
teamid <- Brig.getZUsrOwnedTeam zusr
Galley.assertSSOEnabled teamid
assertNoScimOrNoIdP teamid
idp <- validateNewIdP idpmeta teamid mReplaces
wrapMonadClient $ Data.storeIdPRawMetadata (idp ^. SAML.idpId) raw
SAML.storeIdPConfig idp
forM_ mReplaces $ \replaces -> wrapMonadClient $ do
Data.setReplacedBy (Data.Replaced replaces) (Data.Replacing (idp ^. SAML.idpId))
pure idp

-- | In teams with a scim access token, only one IdP is allowed. The reason is that scim user
-- data contains no information about the idp issuer, only the user name, so no valid saml
-- credentials can be created. To fix this, we need to implement a way to associate scim
-- tokens with IdPs. https://wearezeta.atlassian.net/browse/SQSERVICES-165
assertNoScimOrNoIdP :: TeamId -> Spar ()
assertNoScimOrNoIdP teamid = do
numTokens <- length <$> wrapMonadClient (Data.getScimTokens teamid)
numIdps <- length <$> wrapMonadClientWithEnv (Data.getIdPConfigsByTeam teamid)
when (numTokens > 0 && numIdps > 0) $ do
throwSpar $
SparProvisioningMoreThanOneIdP
"Teams with SCIM tokens can only have at most one IdP"

-- | Check that issuer is not used for any team in the system (it is a database keys for
-- finding IdPs), and request URI is https.
--
Expand Down
2 changes: 1 addition & 1 deletion services/spar/src/Spar/Scim/Auth.hs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -126,7 +126,7 @@ createScimToken zusr CreateScimToken {..} = do
[] -> caseOneOrNoIdP Nothing
-- NB: if the following case does not result in errors, 'validateScimUser' needs to
-- be changed. currently, it relies on the fact that there is never more than one IdP.
-- https://github.com/zinfra/backend-issues/issues/1377
-- https://wearezeta.atlassian.net/browse/SQSERVICES-165
_ ->
E.throwSpar $
E.SparProvisioningMoreThanOneIdP
Expand Down

0 comments on commit 458b9fe

Please sign in to comment.