Merge pull request #1182 from wireapp/release_2020_07_29
Release 2020-07-29
Showing 143 changed files with 3,107 additions and 1,844 deletions.
@@ -1,51 +1,17 @@ | ||
# Storing SCIM-related data {#DevScimStorage} | ||
|
||
_Author: Artyom Kazak_ | ||
_Author: Artyom Kazak, Matthias Fischmann_ | ||
|
||
--- | ||
|
||
## Storing user data {#DevScimStorageUsers} | ||
|
||
SCIM user data is stored as JSON blobs in the `scim_user` table in Spar, one blob per SCIM-managed user. Those blobs conform to the SCIM standard and are returned by `GET /scim/v2/Users`. | ||
|
||
Note that when a user is created via SCIM, the received blob is not written verbatim to the database – it is first parsed by the [hscim](https://github.com/wireapp/hscim) library, and all unknown fields are removed. | ||
|
||
Sample blob: | ||
|
||
```json | ||
{ | ||
"schemas": [ | ||
"urn:ietf:params:scim:schemas:core:2.0:User", | ||
"urn:wire:scim:schemas:profile:1.0" | ||
], | ||
"id": "ef4bafda-5be8-46e3-bed2-5bcce55cff01", | ||
"externalId": "[email protected]", | ||
"userName": "lana_d", | ||
"displayName": "Lana Donohue", | ||
"urn:wire:scim:schemas:profile:1.0": { | ||
"richInfo": { | ||
"version": 0, | ||
"fields": [ | ||
{ "type": "Title", "value": "Chief Backup Officer" }, | ||
{ "type": "Favorite quote", "value": "Monads are just giant burritos" } | ||
] | ||
} | ||
}, | ||
"meta": { | ||
"resourceType": "User", | ||
"location": "https://staging-nginz-https.zinfra.io/scim/v2/Users/ef4bafda-5be8-46e3-bed2-5bcce55cff01", | ||
"created": "2019-04-21T04:15:12.535509602Z", | ||
"lastModified": "2019-04-21T04:15:18.185055531Z", | ||
"version": "W/\"e051bc17f7e07dec815f4b9314f76f88e2949a62b6aad8c816086cff85de4783\"" | ||
} | ||
} | ||
``` | ||
|
||
### One-way sync from Spar to Brig {#DevScimOneWaySync} | ||
|
||
A user is considered SCIM-managed if they were provisioned with SCIM (when it's the case, `userManagedBy` will be set to `ManagedByScim`). Data about SCIM-managed users is stored both in Brig and Spar, and should always be in sync. | ||
|
||
Currently (2019-04-29) we only implement one-way sync – when a user is modified via SCIM, Spar takes care to update data in Brig. However, user data is _not_ updated on the Spar side when it is changed in Brig, and Brig does not yet prohibit changing user data via its API – it relies on clients to be well-behaved and respect `userManagedBy`. | ||
SCIM user data is validated by the spar service and stored as brig users. All fields that wire doesn't care about are silently dropped. `GET /scim/v2/Users` will trigger a lookup in brig, and the data thus obtained is synthesized back into a SCIM record. | ||
|
||
Time stamps `created_at` and `last_updated_at` for the SCIM metadata are stored in `spar.scim_user_times`. The are kept in sync with the users that are otherwise stored in brig. (Rationale: we briefly considered using `select writetime(*) from brig.user` for last update and `select writetime(activated) from brig.user` for creation, but this has a drawback: we don't have the time stamps when storing the record, so the `POST` handler would need to do a database write and a consecutive lookup, or an `insert if not exists`.) | ||
|
||
Users created by SCIM set the `ManagedBy` field in brig to `ManagedByScim`. This *should* lead to brig disallowing certain update operations (since the single source of truth should be the SCIM peer that has created and is updating the user), but we never got around to implementing that (as of Wed 15 Jul 2020 10:59:11 AM CEST). See also {@SparBrainDump} (grep for `ManagedBy`). | ||
|
||
|
||
## Storing SCIM tokens {#DevScimStorageTokens} | ||
|
||
|
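Review bot: typo in the `spar.scim_user_times` paragraph, "The are kept in sync" should read "They are kept in sync". More importantly, the `ManagedBy` paragraph states that brig still does not disallow update operations on users with `ManagedByScim`, so the "single source of truth is the SCIM peer" invariant is documented but not enforced server-side; the old text made explicit that this "relies on clients to be well-behaved and respect `userManagedBy`", and that sentence is worth keeping so readers understand the enforcement gap is client-side, ideally with a link to a tracking issue rather than only a wall-clock timestamp ("as of Wed 15 Jul 2020 ..."). Also the `{@SparBrainDump}` reference uses a different cross-reference form than the `{#DevScim...}` anchors used elsewhere in this file; confirm it resolves in the doc build.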