feat: parse scim query filters #3408

Merged
merged 11 commits into from
Oct 21, 2022

BruceMacD
Collaborator

Summary

Parse SCIM query filters into SQL.

Branched from #3405

Checklist

  • Wrote appropriate unit tests
  • Considered security implications of the change
  • Updated associated docs where necessary
  • Updated associated configuration where necessary
  • Change is backwards compatible if it needs to be (user can upgrade without manual steps?)
  • Nothing sensitive logged
  • Considered data migrations for smooth upgrades

Related Issues

Part of #3378

Contributor

@dnephin dnephin left a comment

Nice! This definitely looks like the most complicated part of the SCIM API so far.

I took a quick look at the scim2/filter-parser. The test coverage looks a little light, so we should make sure we have good coverage for the main cases we care about.

Do the identity providers document which filters they use, or are we kind of forced to support the entire spec?

I think the approach you've taken here to translate the expression into SQL should work well. I left some comments for making it more resilient to injection attacks (and also appease the querylinter at the same time).

internal/server/data/provideruser.go (outdated)
internal/server/data/scim.go (outdated)
internal/server/data/scim.go (outdated)
internal/server/data/scim.go (outdated)
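
The injection-resistant translation discussed in this review, as an added example that is not the PR's code and does not use scim2/filter-parser: it handles a single `attr op "value"` comparison, binds the value as a parameter, and takes identifiers only from an allowlist. The attribute-to-column map, the column names and the `?` placeholder style are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed allowlist: SCIM attribute (lower-cased) -> SQL column. Hypothetical names.
var columns = map[string]string{"email": "email", "username": "name", "id": "id"}

// SCIM comparison operators handled here -> SQL suffix with one bind parameter.
var operators = map[string]string{
	"eq": " = ?", "ne": " <> ?",
	"co": ` LIKE ? ESCAPE '\'`, "sw": ` LIKE ? ESCAPE '\'`,
}

// escapeLike neutralizes LIKE wildcards so user text only matches literally.
func escapeLike(s string) string {
	return strings.NewReplacer(`\`, `\\`, `%`, `\%`, `_`, `\_`).Replace(s)
}

// FilterToSQL converts one `attr op "value"` comparison into a WHERE fragment
// and its bind arguments. Identifiers come only from the allowlists above; the
// value never enters the SQL text. Anything else is rejected, not passed on.
func FilterToSQL(filter string) (string, []interface{}, error) {
	parts := strings.SplitN(strings.TrimSpace(filter), " ", 3)
	if len(parts) != 3 {
		return "", nil, fmt.Errorf("unsupported filter %q", filter)
	}
	col, ok := columns[strings.ToLower(parts[0])]
	if !ok {
		return "", nil, fmt.Errorf("unsupported attribute %q", parts[0])
	}
	op := strings.ToLower(parts[1])
	suffix, ok := operators[op]
	if !ok {
		return "", nil, fmt.Errorf("unsupported operator %q", parts[1])
	}
	v := parts[2] // must be exactly one quoted string; inner quotes are rejected
	if len(v) < 2 || v[0] != '"' || v[len(v)-1] != '"' || strings.Contains(v[1:len(v)-1], `"`) {
		return "", nil, fmt.Errorf("value must be one quoted string: %q", v)
	}
	v = v[1 : len(v)-1]
	if op == "co" {
		v = "%" + escapeLike(v) + "%"
	} else if op == "sw" {
		v = escapeLike(v) + "%"
	}
	return col + suffix, []interface{}{v}, nil
}

func main() { fmt.Println(FilterToSQL(`email eq "x' OR '1'='1"`)) }
```
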
@BruceMacD
Collaborator Author

BruceMacD commented Oct 13, 2022

@dnephin

> Do the identity providers document which filters they use, or are we kind of forced to support the entire spec?

They don't document the filters super clearly; the most common one seems to be the "email eq x" filter to see if a user exists yet. Many other inbound SCIM implementations don't implement all filters though, so this seems like a good base.

@BruceMacD BruceMacD marked this pull request as ready for review October 13, 2022 15:50
Contributor

@dnephin dnephin left a comment

Looks good! One suggestion for removing the pointer to interface

internal/server/scim.go
internal/server/data/provideruser.go (outdated)
internal/server/data/provideruser.go (outdated)
internal/server/scim.go (outdated)
internal/server/data/provideruser_test.go (outdated)
@BruceMacD BruceMacD enabled auto-merge (squash) October 21, 2022 13:49
@BruceMacD BruceMacD merged commit d6704e0 into main Oct 21, 2022
@BruceMacD BruceMacD deleted the brucemacd/scim_filters branch October 21, 2022 13:54