SCIM cleanup 2 #1172
SCIM cleanup 2 #1172
Conversation
fisx
force-pushed
the
scim-cleanup-2
branch
2 times, most recently
from
8921efc
to
4b3c25e
Compare
|
@arianvp and i tried to follow up on the discussion in #1169 about storing time stamps in brig, and in the end decided that it's best to keep the time stamps in |
|
I think we should soft-reset the entire branch and go through the changes together one more time @arianvp. |
Please add this context to the commit message. Even the context here in the comment is incomplete. Also |
services/spar/src/Spar/Scim/User.hs
Outdated
| @@ -610,6 +605,65 @@ assertHandleNotUsedElsewhere hndl uid = do | |||
| unless ((userHandle =<< musr) == Just hndl) $ | |||
| assertHandleUnused' "userName does not match UserId" hndl uid | |||
|
|
|||
| -- | Helper function that given a brig user, creates a scim user on the fly or returns | |||
There was a problem hiding this comment.
well; it always creates a scim user on the fly now right? as we dont store them anymore. Comment should reflect that new reality
akshaymankar
force-pushed
the
scim-cleanup-2
branch
from
d4da799
to
b97fdb7
Compare
fisx
force-pushed
the
scim-cleanup-2
branch
7 times, most recently
from
50c203c
to
0e8edad
Compare
- keep timestamps in `spar.scim_user_times`. - delete db handles for old table and add ones for the new one. - re-adjust docs. - re-adjust application logic to get user data from brig. - fix some tests in hscim, spar-integration. - simplify ValidScimUser type slightly. - remove some deprecated scim code.
... not if the user was not managed by scim. it's not clear whether the former is a bug, but it's certainly less straight-forward.
When rich info doesn't have any fields, some stuff doesn't get properly tested
There is one less test in hscim now, but that test is already happening in the spar integration tests.
we now store assoc lists everywhere, but do not change behavior in scim (except for bug fixes). see haddocks for details.
docs/developer/scim/storage.md
Outdated
| Currently (2019-04-29) we only implement one-way sync – when a user is modified via SCIM, Spar takes care to update data in Brig. However, user data is _not_ updated on the Spar side when it is changed in Brig, and Brig does not yet prohibit changing user data via its API – it relies on clients to be well-behaved and respect `userManagedBy`. | ||
| SCIM user data is validated by the spar service and stored as brig users. All fields that wire doesn't care about are silently dropped. `GET /scim/v2/Users` will trigger a lookup in brig, and the data thus obtained is synthesized back into a SCIM record. | ||
|
|
||
| Time stamps `created_at` and `last_updated_at` for the SCIM metadata are stored in `spar.scim_user_times`. The are kept in sync with the users that are otherwise stored in brig. (Rationale: we briefly considered using `select writetime(*) from brig.user` for last update and `select writetime(activated) from brig.user` for creation, but this has two drawbacks: (a) it stores data further away from spar where it is needed, and there is a bigger risk of that data going to places where it's not supposed to be; and (b) we don't have the time stamps when storing the record, so the `POST` handler would need to do a database write and a consecutive lookup, or an `insert if not exists`.) |
There was a problem hiding this comment.
Point (a) doesnt make sense given the timestamp is stored by cassandra; not brig
There was a problem hiding this comment.
it's still further away from spar: if ti's in spar-cassandra, it goes from cassandra to spar; if it's in brig cassandra, it goes from cassandra to brig to spar, and brig holds data that it has no business holding.
how can i make this point more clear/
services/spar/src/Spar/Scim/User.hs
Outdated
| getBrigUser' = MaybeT . lift . Brig.getBrigUser | ||
| getUserTeam' = MaybeT . pure . userTeam | ||
| brigUser <- | ||
| lift (Brig.getBrigUser uid) |
There was a problem hiding this comment.
It doesn't check if the user is in the team anymore? that seems bad
| resp :: Response (Maybe LBS) <- | ||
| call $ | ||
| method PUT | ||
| . path "/self/handle" |
|
CI failed for unrelated reasons; integration tests pass locally. |
Follow-up to #1169
Fixes https://github.com/zinfra/backend-issues/issues/1006
TODO: