diff --git a/backend/app.py b/backend/app.py
index 76958441a6b8e1b9297f9363401fdfc013a06768..5190cf2d5dffd70cd45365b5c7c1ed39e5f42b7a 100644
--- a/backend/app.py
+++ b/backend/app.py
@@ -21,6 +21,7 @@ from areas import resources
from areas import roles
from areas import tags
from cliapp import cliapp
+import config
import helpers.kubernetes
import helpers.provision
import helpers.threads
@@ -49,6 +50,7 @@ import os
import sys
# Configure logging.
+log_level = logging.getLevelName(config.LOG_LEVEL or 'INFO')
from logging.config import dictConfig
dictConfig({
'version': 1,
@@ -59,10 +61,11 @@ dictConfig({
'class': 'logging.StreamHandler',
'stream': 'ext://flask.logging.wsgi_errors_stream',
'formatter': 'default',
+ 'level': log_level,
}},
'root': {
- 'level': 'INFO',
'handlers': ['wsgi'],
+ 'level': log_level,
},
# Loggers are created also by alembic, flask_migrate, etc. Without this
# setting, those loggers seem to be ignored.
@@ -76,8 +79,6 @@ app.config["SQLALCHEMY_DATABASE_URI"] = SQLALCHEMY_DATABASE_URI
app.config["SQLALCHEMY_ENGINE_OPTIONS"] = {'pool_pre_ping': True}
app.config["SQLALCHEMY_TRACK_MODIFICATIONS"] = SQLALCHEMY_TRACK_MODIFICATIONS
-app.logger.setLevel(logging.INFO)
-
cors = CORS(app)
db.init_app(app)
diff --git a/backend/areas/apps/models.py b/backend/areas/apps/models.py
index e9330ab92bafd1eeb36cd93235f405ce68cceb34..88930330bd7289a552ecfa29136431b674f4dd6e 100644
--- a/backend/areas/apps/models.py
+++ b/backend/areas/apps/models.py
@@ -316,3 +316,17 @@ class OAuthClientApp(db.Model): # pylint: disable=too-few-public-methods
def __repr__(self):
return (f"oauthclient_id: {self.oauthclient_id}, app_id: {self.app_id},"
f" app: {self.app}")
+
+class ScimAttribute(db.Model): # pylint: disable=too-few-public-methods
+ """
+ The ScimAttribute object records that a certain user attribute needs to be
+ set in a certain app via SCIM.
+ """
+
+ user_id = db.Column(String(length=64), primary_key=True)
+ app_id = db.Column(Integer, ForeignKey("app.id"), primary_key=True)
+ attribute = db.Column(String(length=64), primary_key=True)
+
+ def __repr__(self):
+ return (f"attribute: {self.attribute}, user_id: {self.user_id},"
+ f" app_id: {self.app_id}")
diff --git a/backend/areas/users/user_service.py b/backend/areas/users/user_service.py
index cb59124f188ee74bcb92121321475b5b249bd773..a123cab15f3ad5012fdfb26ccd0aa7032a0cad12 100644
--- a/backend/areas/users/user_service.py
+++ b/backend/areas/users/user_service.py
@@ -20,6 +20,7 @@ from areas.apps.apps_service import AppsService
from areas.roles import Role
from helpers import KratosApi
from helpers.error_handler import KratosError
+from helpers.provision import Provision
from helpers.threads import request_provision
@@ -123,11 +124,28 @@ class UserService:
@classmethod
def put_user(cls, id, data):
- kratos_data = {
- "schema_id": "default",
- "traits": {"email": data["email"], "name": data.get("name", "")},
- }
- KratosApi.put("/admin/identities/{}".format(id), kratos_data)
+ # Get the old version of the identity. We need that for comparison to
+ # see if some attributes are changed by our update.
+ old_user = KratosApi.get("/admin/identities/{}".format(id)).json()
+ old_name = old_user["traits"].get("name", "")
+ new_name = data.get("name", "")
+ # Create list of patches with our changes.
+ patches = []
+ patches.append(JsonPatch(op="replace", path="/traits/email", value=data['email']))
+ patches.append(JsonPatch(op="replace", path="/traits/name", value=new_name))
+ # Determine whether we're really changing the name, and if so record
+ # that fact in the database in the form of a ScimAttribute. We'll use
+ # that information later during provisioning via SCIM.
+ if old_name != new_name:
+ current_app.logger.info(f"Name changed for: {data['email']}")
+ current_app.logger.info(f" old name: {old_name}")
+ current_app.logger.info(f" new name: {new_name}")
+ Provision.store_attribute(attribute='name', user_id=id)
+ # We used a PUT before, but that deletes any attributes that we don't
+ # specify, which is not so convenient. So we PATCH just the attributes
+ # we're changing instead.
+ patch_doc = JsonPatchDocument(value=patches)
+ kratos_identity_api.patch_identity(id, json_patch_document=patch_doc)
if data["app_roles"]:
app_roles = data["app_roles"]
diff --git a/backend/cliapp/cliapp/cli.py b/backend/cliapp/cliapp/cli.py
index ca93b5e17198d7828ec7785c6cef5736ade3972e..5174e05325264d51af85938ce18abc7a4f6a976d 100644
--- a/backend/cliapp/cliapp/cli.py
+++ b/backend/cliapp/cliapp/cli.py
@@ -319,6 +319,10 @@ def update_user(email, field, value):
else:
current_app.logger.error(f"Field not found: {field}")
+ # TODO: this currently deletes the last_recovery and last_login because
+ # `save` uses a simple PUT and is not aware of those fields. We should
+ # switch to PATCH instead, or refactor so `save` uses the same code as
+ # `put_user`.
user.save()
diff --git a/backend/cluster_config.py b/backend/cluster_config.py
index 4ced17f74f38b6d73d859ade225c8bfaa17214be..7934213f3d32afb9537b553ffc6fc958bb0a006a 100644
--- a/backend/cluster_config.py
+++ b/backend/cluster_config.py
@@ -11,7 +11,7 @@ import helpers.kubernetes as k8s
# Read in two configmaps from the cluster, which specify which apps should be
# present in the database. Returns the list of app slugs.
def populate_apps():
- logging.info("cluster_config: populating apps")
+ logging.debug("cluster_config: populating apps")
database_apps = {}
for app in App.query.all():
slug = app.slug
@@ -29,7 +29,7 @@ def _populate_apps_from(database_apps, configmap_name):
slugs = []
cm_apps = k8s.get_kubernetes_config_map_data(configmap_name, "flux-system")
if cm_apps is None:
- logging.info(f"Could not find configmap '{configmap_name}' in namespace 'flux-system'; ignoring.")
+ logging.debug(f"Could not find configmap '{configmap_name}' in namespace 'flux-system'; ignoring.")
else:
for app_slug, app_data in cm_apps.items():
logging.debug(f"configmap app: {app_slug}")
@@ -54,7 +54,7 @@ def _populate_apps_from(database_apps, configmap_name):
# Read in two configmaps from the cluster, which specify which oauthclients
# should be present in the database.
def populate_oauthclients():
- logging.info("cluster_config: populating oauthclients")
+ logging.debug("cluster_config: populating oauthclients")
database_oauthclients = {}
for client in OAuthClientApp.query.all():
id = client.oauthclient_id
@@ -69,7 +69,7 @@ def populate_oauthclients():
def _populate_oauthclients_from(database_oauthclients, configmap_name):
cm_oauthclients = k8s.get_kubernetes_config_map_data(configmap_name, "flux-system")
if cm_oauthclients is None:
- logging.info(f"Could not find configmap '{configmap_name}' in namespace 'flux-system'; ignoring.")
+ logging.debug(f"Could not find configmap '{configmap_name}' in namespace 'flux-system'; ignoring.")
else:
for client_id, client_app in cm_oauthclients.items():
logging.debug(f"configmap oauthclient: {client_id}")
@@ -96,9 +96,9 @@ def populate_scim_config(apps):
secret_name = f"stackspin-scim-{app}"
scim_config = k8s.get_kubernetes_secret_data(secret_name, "flux-system")
if scim_config is None:
- logging.info(f"Could not find secret '{secret_name}' in namespace 'flux-system'; ignoring.")
+ logging.debug(f"Could not find secret '{secret_name}' in namespace 'flux-system'; ignoring.")
continue
- logging.info(f"Processing secret stackspin-scim-{app}")
+ logging.debug(f"Processing secret stackspin-scim-{app}")
app = App.query.filter_by(slug=app).first()
if not app:
logging.error(f" could not find app with slug {app}")
diff --git a/backend/config.py b/backend/config.py
index ffa0967779be7c91f92e8a0909da91d3d0a4435a..2822fb86fd65f8e1736e9c53bb84564c1033f8fb 100644
--- a/backend/config.py
+++ b/backend/config.py
@@ -1,5 +1,7 @@
import os
+LOG_LEVEL = os.environ.get("LOG_LEVEL")
+
SECRET_KEY = os.environ.get("SECRET_KEY")
HYDRA_CLIENT_ID = os.environ.get("HYDRA_CLIENT_ID")
HYDRA_CLIENT_SECRET = os.environ.get("HYDRA_CLIENT_SECRET")
diff --git a/backend/helpers/kratos_user.py b/backend/helpers/kratos_user.py
index 877aaca68ca70376b3245191163bdd9d3544e8b9..34f0527a57382d3bbde8d3daffad46866f551ccd 100644
--- a/backend/helpers/kratos_user.py
+++ b/backend/helpers/kratos_user.py
@@ -2,6 +2,7 @@
Implement the Kratos model to interact with kratos users
"""
+from flask import current_app
import json
import re
import urllib.parse
@@ -12,6 +13,10 @@ from urllib.request import Request
from ory_kratos_client.model.create_identity_body import CreateIdentityBody
from ory_kratos_client.model.create_recovery_link_for_identity_body \
import CreateRecoveryLinkForIdentityBody
+from ory_kratos_client.model.json_patch \
+ import JsonPatch
+from ory_kratos_client.model.json_patch_document \
+ import JsonPatchDocument
from ory_kratos_client.model.update_identity_body import UpdateIdentityBody
from ory_kratos_client.rest import ApiException as KratosApiException
@@ -33,6 +38,7 @@ class KratosUser():
state = None
created_at = None
updated_at = None
+ metadata_admin = None
def __init__(self, api, uuid = None):
self.api = api
@@ -55,6 +61,9 @@ class KratosUser():
self.state = obj.state
self.created_at = obj.created_at
self.updated_at = obj.updated_at
+ self.metadata_admin = obj.metadata_admin
+ if self.metadata_admin is None:
+ self.metadata_admin = {}
except KratosApiException as error:
raise BackendError(f"Unable to get entry, kratos replied with: {error}", error) from error
@@ -107,6 +116,15 @@ class KratosUser():
except KratosApiException as error:
raise BackendError(f"Unable to save entry, kratos replied with:{error}") from error
+ def set_metadata(self, **kwargs):
+ current_app.logger.info(f"Setting metadata for {self.__uuid}:")
+ patches = []
+ for k, v in kwargs.items():
+ current_app.logger.info(f" {k}={v}")
+ patches.append(JsonPatch(op="replace", path=f"/metadata_admin/{k}", value=v))
+ patch_doc = JsonPatchDocument(value=patches)
+ self.api.patch_identity(self.__uuid, json_patch_document=patch_doc)
+
def delete(self):
"""Deletes the object from kratos
:raise: BackendError if Krator API call fails
diff --git a/backend/helpers/kubernetes.py b/backend/helpers/kubernetes.py
index 2c49d6ec1cf7560b18ed727d7e06435d4d4085f4..3aa3afbbd12d8b61a74b99d3324bfdbe0d0cbc49 100644
--- a/backend/helpers/kubernetes.py
+++ b/backend/helpers/kubernetes.py
@@ -67,7 +67,7 @@ def create_variables_secret(app_slug, variables_filepath):
elif current_secret_data.keys() != new_secret_dict["data"].keys():
# Update current secret with new keys
update_secret = True
- current_app.logger.info(
+ current_app.logger.debug(
f"Secret {secret_name} in namespace {secret_namespace}"
" already exists. Merging..."
)
@@ -75,12 +75,12 @@ def create_variables_secret(app_slug, variables_filepath):
new_secret_dict["data"] |= current_secret_data
else:
# Do Nothing
- current_app.logger.info(
+ current_app.logger.debug(
f"Secret {secret_name} in namespace {secret_namespace}"
" is already in a good state, doing nothing."
)
return True
- current_app.logger.info(
+ current_app.logger.debug(
f"Storing secret {secret_name} in namespace"
f" {secret_namespace} in cluster."
)
@@ -184,9 +184,9 @@ def store_kubernetes_secret(secret_dict, namespace, update=False):
namespace=namespace
)
except FailToCreateError as ex:
- current_app.logger.info(f"Secret not created because of exception {ex}")
+ current_app.logger.warning(f"Secret not created because of exception {ex}")
raise ex
- current_app.logger.info(f"Secret {verb} with api response: {api_response}")
+ current_app.logger.debug(f"Secret {verb} with api response: {api_response}")
def store_kustomization(kustomization_template_filepath, app_slug):
@@ -212,7 +212,7 @@ def store_kustomization(kustomization_template_filepath, app_slug):
plural="kustomizations",
body=kustomization_dict)
except FailToCreateError as ex:
- current_app.logger.info(
+ current_app.logger.warning(
f"Could not create {app_slug} Kustomization because of exception {ex}")
raise ex
current_app.logger.debug(f"Kustomization created with api response: {api_response}")
@@ -244,7 +244,7 @@ def delete_kustomization(kustomization_name):
name=kustomization_name,
body=body)
except ApiException as ex:
- current_app.logger.info(
+ current_app.logger.warning(
f"Could not delete {kustomization_name} Kustomization because of exception {ex}")
raise ex
current_app.logger.debug(f"Kustomization deleted with api response: {api_response}")
@@ -453,7 +453,7 @@ def watch_dashboard_config(app, reload):
label_selector="stackspin.net/scim-config=1",
watch=True
):
- current_app.logger.info(f"{event['type']} SCIM config secret: {event['object'].metadata.name}")
+ current_app.logger.debug(f"{event['type']} SCIM config secret: {event['object'].metadata.name}")
debounced_reload()
threading.Thread(target=watch_scim_secrets).start()
def watch_dashboard_configmaps():
@@ -464,7 +464,7 @@ def watch_dashboard_config(app, reload):
label_selector="stackspin.net/dashboard-config=1",
watch=True
):
- current_app.logger.info(f"{event['type']} dashboard config configmap: {event['object'].metadata.name}")
+ current_app.logger.debug(f"{event['type']} dashboard config configmap: {event['object'].metadata.name}")
debounced_reload()
threading.Thread(target=watch_dashboard_configmaps).start()
diff --git a/backend/helpers/provision.py b/backend/helpers/provision.py
index 4c9c15995395eb06e5a4eaa104bf221a90d31236..41b32edb2968fb3aea67cc3bb652412caaa4935e 100644
--- a/backend/helpers/provision.py
+++ b/backend/helpers/provision.py
@@ -5,8 +5,10 @@ import ory_kratos_client
from ory_kratos_client.api import identity_api
import ory_kratos_client.exceptions
import requests
+from sqlalchemy import exc, select
+from sqlalchemy.sql.expression import literal
-from areas.apps.models import App, AppRole, ProvisionStatus
+from areas.apps.models import App, AppRole, ProvisionStatus, ScimAttribute
from areas.roles.models import Role
import config
from database import db
@@ -34,20 +36,20 @@ class Group:
def add_member(self, user):
if user.scim_id not in self.members:
- logging.info(f"Adding user to dict: {user.displayName} ({user.scim_id})")
+ logging.debug(f"Adding user to dict: {user.displayName} ({user.scim_id})")
self.members[user.scim_id] = user
self.modified = True
def remove_member(self, user):
if user.scim_id in self.members:
- logging.info(f"Found user to remove from dict: {user.displayName} ({user.scim_id})")
+ logging.debug(f"Found user to remove from dict: {user.displayName} ({user.scim_id})")
del self.members[user.scim_id]
self.modified = True
def debug(self):
- logging.info(f"Group {self.displayName} ({self.scim_id})")
+ logging.debug(f"Group {self.displayName} ({self.scim_id})")
for _, member in self.members.items():
- logging.info(f" with user {member.displayName} ({member.scim_id})")
+ logging.debug(f" with user {member.displayName} ({member.scim_id})")
# Read from the database which users need to be provisioned on which apps, and
# do the corresponding SCIM calls to those apps to do the actual provisioning.
@@ -96,7 +98,7 @@ class Provision:
for app_id, app in self.scim_apps.items():
existing_users[app_id] = self._get_existing_users(app)
for userId, u in existing_users[app_id].items():
- logging.info(f"Existing user in {app.slug}: {u.displayName} ({userId})")
+ logging.debug(f"Existing user in {app.slug}: {u.displayName} ({userId})")
if app.scim_group_support:
existing_groups[app_id] = self._get_existing_groups(app)
for _, g in existing_groups[app_id].items():
@@ -118,7 +120,7 @@ class Provision:
AppRole.provision_status.in_((ProvisionStatus.SyncNeeded, ProvisionStatus.ToDelete))
)
for app_role in app_roles:
- # logging.info(f"found app_role: {app_role}")
+ logging.debug(f"found app_role: {app_role}")
# Check if this app supports SCIM at all and is configured for it.
app_role.last_provision_attempt = datetime.now()
app = app_role.app
@@ -131,10 +133,10 @@ class Provision:
# pre-fetched list we got via SCIM.
existing_user = existing_users[app.id].get(app_role.user_id)
if existing_user is not None:
- logging.info(f"User {app_role.user_id} already exists in the app {app.slug}.")
+ logging.debug(f"User {app_role.user_id} already exists in the app {app.slug}.")
if app_role.role_id == Role.NO_ACCESS_ROLE_ID:
if existing_user is None:
- logging.info(f"User without access does not exist yet in {app.slug}, so nothing to do.")
+ logging.debug(f"User without access does not exist yet in {app.slug}, so nothing to do.")
# We have not provisioned this user in this app yet, so we
# don't have to do anything at this point.
app_role.provision_status = ProvisionStatus.Provisioned
@@ -142,7 +144,7 @@ class Provision:
db.session.commit()
continue
else:
- logging.info(f"User without access exists in the app {app.slug}; we continue so we can disable the user in the app.")
+ logging.debug(f"User without access exists in the app {app.slug}; we continue so we can disable the user in the app.")
try:
self._provision_user(app_role, app, existing_user, admin_group.get(app.id))
except ProvisionError as ex:
@@ -152,11 +154,11 @@ class Provision:
for app_id, app in self.scim_apps.items():
if app.scim_group_support:
if admin_group[app_id].modified:
- logging.info(f"Admin group for {app.slug} was modified, so updating it via SCIM.")
+ logging.debug(f"Admin group for {app.slug} was modified, so updating it via SCIM.")
admin_group[app_id].debug()
self._provision_group(admin_group[app_id], app)
else:
- logging.info(f"Admin group for {app.slug} was not modified.")
+ logging.debug(f"Admin group for {app.slug} was not modified.")
# Provision the user via SCIM PUT or POST, based on the user and role
# information in `app_role`, and on the existing user object in the app
@@ -164,7 +166,7 @@ class Provision:
# `admin_group` object so we may later add or remove the user to/from the
# admin group.
def _provision_user(self, app_role, app, existing_user, admin_group):
- logging.info(f"Reconciling user {app_role.user_id}")
+ logging.debug(f"Reconciling user {app_role.user_id}")
app = self.scim_apps[app.id]
scim_headers = {
'Authorization': 'Bearer ' + app.scim_token
@@ -175,9 +177,9 @@ class Provision:
db.session.commit()
else:
logging.info(f"Deleting user {app_role.user_id} from {app.slug}")
- url = f"{app.scim_url}Users/{existing_user.scim_id}"
+ url = f"{app.scim_url}/Users/{existing_user.scim_id}"
response = requests.delete(url, headers=scim_headers)
- logging.info(f"SCIM http status: {response.status_code}")
+ logging.debug(f"SCIM http status: {response.status_code}")
if response.status_code == 204:
db.session.delete(app_role)
db.session.commit()
@@ -187,7 +189,7 @@ class Provision:
return
# Get the related user object
- logging.info(f"Getting user data from Kratos.")
+ logging.debug(f"Getting user data from Kratos.")
try:
kratos_user = KratosUser(self.kratos_identity_api, app_role.user_id)
except BackendError as e:
@@ -202,7 +204,7 @@ class Provision:
active = False
else:
active = True
- logging.info(f"Active user: {active}")
+ logging.debug(f"Active user: {active}")
data = {
'schemas': ['urn:ietf:params:scim:schemas:core:2.0:User'],
'externalId': app_role.user_id,
@@ -210,15 +212,37 @@ class Provision:
# Zulip does not read the `emails` property, instead getting the
# email from the `userName` property.
'userName': kratos_user.email,
- 'displayName': kratos_user.name,
'emails': [{
'value': kratos_user.email,
'primary': True
}],
- 'name': {
- 'formatted': kratos_user.name,
- },
}
+ # Decide whether to include the displayName in the SCIM data. Usually
+ # we want that, but if this is an existing user, and we think the
+ # displayName as stored in Stackspin has not changed since the last
+ # provisioning run, then we do not set it to prevent overwriting a
+ # displayName the user may have set inside the app, bypassing
+ # Stackspin.
+ name_changed = ScimAttribute.query.filter_by(
+ user_id=app_role.user_id,
+ app_id=app_role.app_id,
+ attribute='name',
+ ).first()
+ logging.debug(f"Name changed: {name_changed}")
+ include_name = existing_user is None or name_changed is not None
+ if include_name:
+ logging.debug(f"Setting name in provisioning request.")
+ data['displayName'] = kratos_user.name
+ data['name'] = {
+ 'formatted': kratos_user.name,
+ }
+ # Now clear the `name_changed` attribute so we don't set the name
+ # again -- until it's changed again in Stackspin.
+ Provision.done_attribute(
+ attribute='name',
+ user_id=app_role.user_id,
+ app_id=app_role.app_id,
+ )
# Make some app-specific additions and modifications to the SCIM data.
if app.slug == 'nextcloud':
@@ -230,7 +254,7 @@ class Provision:
data['userName'] = f"stackspin-{app_role.user_id}"
if app.slug == 'zulip':
# Zulip does not accept an empty formatted name.
- if kratos_user.name is None or kratos_user.name == '':
+ if include_name and (kratos_user.name is None or kratos_user.name == ''):
data['name']['formatted'] = "name not set"
# Zulip doesn't support SCIM user groups, but we can set the user
# role as a field on the user object.
@@ -243,18 +267,18 @@ class Provision:
if existing_user is None:
url = f"{app.scim_url}/Users"
response = requests.post(url, headers=scim_headers, json=data)
- logging.info(f"Post SCIM user: {url} with data: {data} getting status: {response.status_code}")
+ logging.debug(f"Post SCIM user: {url} with data: {data} getting status: {response.status_code}")
else:
url = f"{app.scim_url}/Users/{existing_user.scim_id}"
response = requests.put(url, headers=scim_headers, json=data)
- logging.info(f"Put SCIM user: {url} with data: {data} getting status: {response.status_code}")
+ logging.debug(f"Put SCIM user: {url} with data: {data} getting status: {response.status_code}")
try:
response_json = response.json()
except json.decoder.JSONDecodeError as e:
logging.info("SCIM result was not json")
logging.info(response.content)
raise ProvisionError("App returned non-json data in SCIM user put/post.")
- logging.info(f"got: {response_json}")
+ logging.debug(f"got: {response_json}")
if existing_user is None:
# Because this is a new user for the app, we should read off its
# SCIM ID and store that in the Stackspin database.
@@ -263,12 +287,12 @@ class Provision:
user = User(app_role.user_id, response_json['id'], kratos_user.name)
if app.scim_group_support:
if app_role.role_id == Role.ADMIN_ROLE_ID:
- logging.info(f"Adding user to admin group: {user.displayName} ({user.kratos_id})")
+ logging.debug(f"Adding user to admin group: {user.displayName} ({user.kratos_id})")
admin_group.add_member(user)
else:
- logging.info(f"Removing user from admin group: {user.displayName} ({user.kratos_id})")
+ logging.debug(f"Removing user from admin group: {user.displayName} ({user.kratos_id})")
admin_group.remove_member(user)
- logging.info("After adding/removing user:")
+ logging.debug("After adding/removing user:")
admin_group.debug()
app_role.status = ProvisionStatus.Provisioned
@@ -277,7 +301,7 @@ class Provision:
return
def _scim_list_users(self, app):
- logging.info(f"Info: Getting list of current users from {app.slug} via SCIM.")
+ logging.debug(f"Getting list of current users from {app.slug} via SCIM.")
# SCIM prescribes a 1-based index.
startIndex = 1
# Get this many items per request. The application might further reduce
@@ -287,12 +311,12 @@ class Provision:
# Track how many users we've received thus far so we know when to stop.
running_total = 0
while True:
- url = f"{app.scim_url}Users?count={count}&startIndex={startIndex}"
+ url = f"{app.scim_url}/Users?count={count}&startIndex={startIndex}"
scim_headers = {
'Authorization': 'Bearer ' + app.scim_token
}
response = requests.get(url, headers=scim_headers)
- logging.info(f"SCIM http status: {response.status_code}")
+ logging.debug(f"SCIM http status: {response.status_code}")
try:
response_json = response.json()
except json.decoder.JSONDecodeError as e:
@@ -305,7 +329,7 @@ class Provision:
running_total = running_total + added
if running_total == response_json['totalResults'] or added == 0:
# We've got them all.
- logging.info(f"All existing users for {app.slug}: {users}")
+ logging.debug(f"All existing users for {app.slug}: {users}")
return users
else:
startIndex = startIndex + added
@@ -318,7 +342,7 @@ class Provision:
for u in scim_users:
kratos_id = u.get('externalId')
if not kratos_id:
- logging.info(f"Got user without externalId: {u}")
+ logging.debug(f"Got user without externalId: {u}")
# Users that were created just-in-time when logging in to the
# app will not have `externalId` set, so we attempt to look up
# the user from our Stackspin database based on the app ID and
@@ -328,7 +352,7 @@ class Provision:
scim_id=u['id']
).first()
if app_role is None:
- logging.info(f" SCIM ID {u['id']} not listed in database.")
+ logging.debug(f" SCIM ID {u['id']} not listed in database.")
# We can't find this app user in our Stackspin database, at
# least based on the SCIM ID. It could be that it was
# created before the introduction of SCIM, or was created
@@ -350,7 +374,7 @@ class Provision:
if kratos_user is None:
# This user is not known at all by Stackspin, so
# we'll ignore it.
- logging.info(f" SCIM user unknown, ignoring.")
+ logging.debug(f" SCIM user unknown, ignoring.")
continue
# We found the user based on email address. We'll
# store the SCIM ID for this user in the Stackspin
@@ -363,7 +387,7 @@ class Provision:
if app_role is not None:
app_role.scim_id = u['id']
db.session.commit()
- logging.info(f" Stored SCIM ID {u['id']} for user {kratos_user.uuid} for app {app.slug}")
+ logging.debug(f" Stored SCIM ID {u['id']} for user {kratos_user.uuid} for app {app.slug}")
kratos_id = kratos_user.uuid
else:
kratos_id = app_role.user_id
@@ -371,20 +395,20 @@ class Provision:
return users
def _get_existing_groups(self, app):
- logging.info(f"Info: Getting list of current groups from {app.slug} via SCIM.")
+ logging.debug(f"Getting list of current groups from {app.slug} via SCIM.")
url = f"{app.scim_url}/Groups"
scim_headers = {
'Authorization': 'Bearer ' + app.scim_token
}
response = requests.get(url, headers=scim_headers)
- logging.info(f"SCIM http status: {response.status_code}")
+ logging.debug(f"SCIM http status: {response.status_code}")
try:
response_json = response.json()
except json.decoder.JSONDecodeError as e:
logging.info("SCIM result was not json")
logging.info(response.content)
raise ProvisionError("Failed to get existing groups from {app.slug}")
- logging.info(f"got: {response_json}")
+ logging.debug(f"got: {response_json}")
groups = {}
for group in response_json['Resources']:
members = {}
@@ -395,14 +419,14 @@ class Provision:
return groups
def _provision_group(self, group, app):
- logging.info(f"Reconciling group {group.scim_id}")
+ logging.debug(f"Reconciling group {group.scim_id}")
scim_headers = {
'Authorization': 'Bearer ' + app.scim_token
}
member_data = [
{'value': member.scim_id, 'display': member.displayName, '$ref': member.ref(app.scim_url)}
for _, member in group.members.items()]
- logging.info(f"Will update admin group for {app.slug} with member data {member_data}")
+ logging.debug(f"Will update admin group for {app.slug} with member data {member_data}")
data = {
'schemas': ['urn:ietf:params:scim:schemas:core:2.0:Group'],
'displayName': group.displayName,
@@ -410,11 +434,33 @@ class Provision:
}
url = f"{app.scim_url}/Groups/{group.scim_id}"
response = requests.put(url, headers=scim_headers, json=data)
- logging.info(f"SCIM http status: {response.status_code}")
+ logging.debug(f"SCIM http status: {response.status_code}")
try:
response_json = response.json()
except json.decoder.JSONDecodeError as e:
logging.info("SCIM result was not json")
logging.info(response.content)
raise ProvisionError("{app.slug} returned non-json data to SCIM group PUT.")
- logging.info(f"got: {response_json}")
+ logging.debug(f"got: {response_json}")
+
+ @staticmethod
+ def store_attribute(attribute, user_id):
+ select_apps = select(
+ literal(user_id),
+ literal(attribute),
+ App.id
+ ).where(App.scim_url != None)
+ insert = ScimAttribute.__table__.insert().prefix_with('IGNORE').from_select(
+ ['user_id', 'attribute', 'app_id'],
+ select_apps
+ )
+ db.session.execute(insert)
+
+ @staticmethod
+ def done_attribute(attribute, user_id, app_id):
+ logging.debug(f"Deleting ScimAttribute with attribute={attribute} user_id={user_id} app_id={app_id}")
+ db.session.query(ScimAttribute).filter(
+ ScimAttribute.attribute == attribute,
+ ScimAttribute.user_id == user_id,
+ ScimAttribute.app_id == app_id,
+ ).delete()
diff --git a/backend/migrations/versions/9ee5a7d65fa7_scim_app_attributes.py b/backend/migrations/versions/9ee5a7d65fa7_scim_app_attributes.py
new file mode 100644
index 0000000000000000000000000000000000000000..572edc9baff98b2e0509b8e49d6b71f28cc8ddf1
--- /dev/null
+++ b/backend/migrations/versions/9ee5a7d65fa7_scim_app_attributes.py
@@ -0,0 +1,31 @@
+"""Extend SCIM support to include some attributes during provisioning only when
+they are changed, or the user is first created in the app.
+
+Revision ID: 9ee5a7d65fa7
+Revises: 267d280db490
+Create Date: 2024-06-04 15:39:00
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+# revision identifiers, used by Alembic.
+revision = '9ee5a7d65fa7'
+down_revision = '267d280db490'
+branch_labels = None
+depends_on = None
+
+def upgrade():
+ # An entry in this table records that a certain user attribute needs to be
+ # set in a certain app via SCIM.
+ op.create_table(
+ "scim_attribute",
+ sa.Column("user_id", sa.String(length=64), nullable=False),
+ sa.Column("app_id", sa.Integer(), nullable=False),
+ sa.Column("attribute", sa.String(length=64), nullable=False),
+ sa.PrimaryKeyConstraint("user_id", "app_id", "attribute"),
+ sa.ForeignKeyConstraint(["app_id"],["app.id"]),
+ )
+
+def downgrade():
+ op.drop_table("scim_attribute")
diff --git a/dev.sh b/dev.sh
index 38591317eb5b0cce65b96670ee3a8b7c615ff71f..fdf7d7e8733c75b4d58354d80ab0bdfef5c3f6c8 100755
--- a/dev.sh
+++ b/dev.sh
@@ -103,7 +103,7 @@ runBackend() {
echo "Stopping any previous intercept for dashboard-backend..."
telepresence leave dashboard-backend
echo "Starting new intercept for dashboard-backend..."
- telepresence intercept dashboard-backend --service=dashboard-backend --port 5000:80 --mount=true --replace --env-file=./backend.env -- env TELEPRESENCE_MODE=native flask run --reload
+ telepresence intercept dashboard-backend --service=dashboard-backend --port 5000:80 --mount=true --replace --env-file=./backend.env -- env TELEPRESENCE_MODE=native FLASK_DEBUG=1 LOG_LEVEL=DEBUG flask run --reload
deactivate
popd > /dev/null
;;