scimPutUser supports suspending and activating users only. TODO: SCIM specification requires that the PUT method should replace the entire user object. At present, our fields read as 'immutable' except for the 'active' field. See: https://datatracker.ietf.org/doc/html/rfc7644#section-3.5.1 @Summary
(rw http.ResponseWriter, r *http.Request)
| 430 | // @Success 200 {object} codersdk.User |
| 431 | // @Router /scim/v2/Users/{id} [put] |
| 432 | func (api *API) scimPutUser(rw http.ResponseWriter, r *http.Request) { |
| 433 | ctx := r.Context() |
| 434 | if !api.scimVerifyAuthHeader(r) { |
| 435 | scimUnauthorized(rw) |
| 436 | return |
| 437 | } |
| 438 | |
| 439 | auditor := *api.AGPL.Auditor.Load() |
| 440 | aReq, commitAudit := audit.InitRequestWithCancel[database.User](rw, &audit.RequestParams{ |
| 441 | Audit: auditor, |
| 442 | Log: api.Logger, |
| 443 | Request: r, |
| 444 | Action: database.AuditActionWrite, |
| 445 | }) |
| 446 | |
| 447 | defer commitAudit(true) |
| 448 | |
| 449 | id := chi.URLParam(r, "id") |
| 450 | |
| 451 | var sUser SCIMUser |
| 452 | err := json.NewDecoder(r.Body).Decode(&sUser) |
| 453 | if err != nil { |
| 454 | _ = handlerutil.WriteError(rw, scim.NewHTTPError(http.StatusBadRequest, "invalidRequest", err)) |
| 455 | return |
| 456 | } |
| 457 | sUser.ID = id |
| 458 | if sUser.Active == nil { |
| 459 | _ = handlerutil.WriteError(rw, scim.NewHTTPError(http.StatusBadRequest, "invalidRequest", xerrors.New("active field is required"))) |
| 460 | return |
| 461 | } |
| 462 | |
| 463 | uid, err := uuid.Parse(id) |
| 464 | if err != nil { |
| 465 | _ = handlerutil.WriteError(rw, scim.NewHTTPError(http.StatusBadRequest, "invalidId", xerrors.Errorf("id must be a uuid: %w", err))) |
| 466 | return |
| 467 | } |
| 468 | |
| 469 | //nolint:gocritic // needed for SCIM |
| 470 | dbUser, err := api.Database.GetUserByID(dbauthz.AsSystemRestricted(ctx), uid) |
| 471 | if err != nil { |
| 472 | _ = handlerutil.WriteError(rw, err) // internal error |
| 473 | return |
| 474 | } |
| 475 | aReq.Old = dbUser |
| 476 | aReq.UserID = dbUser.ID |
| 477 | |
| 478 | // Technically our immutability rules dictate that we should not allow |
| 479 | // fields to be changed. According to the SCIM specification, this error should |
| 480 | // be returned. |
| 481 | // This immutability enforcement only exists because we have not implemented it |
| 482 | // yet. If these rules are causing errors, this code should be updated to allow |
| 483 | // the fields to be changed. |
| 484 | // TODO: Currently ignoring a lot of the SCIM fields. Coder's SCIM implementation |
| 485 | // is very basic and only supports active status changes. |
| 486 | if immutabilityViolation(dbUser.Username, sUser.UserName) { |
| 487 | _ = handlerutil.WriteError(rw, scim.NewHTTPError(http.StatusBadRequest, "mutability", xerrors.Errorf("username is currently an immutable field, and cannot be changed. Current: %s, New: %s", dbUser.Username, sUser.UserName))) |
| 488 | return |
| 489 | } |
nothing calls this directly
no test coverage detected