goauthentik · BeryJu · Apr 15, 2024 · Nov 15, 2021 · Jun 6, 2022 · Jun 6, 2022
@@ -160,6 +160,8 @@ jobs:
             glob: tests/e2e/test_provider_ldap* tests/e2e/test_source_ldap*
           - name: radius
             glob: tests/e2e/test_provider_radius*
+          - name: scim
+            glob: tests/e2e/test_source_scim*
           - name: flows
             glob: tests/e2e/test_flows*
     steps:

@@ -12,6 +12,7 @@
 from drf_spectacular.types import OpenApiTypes
 from rest_framework.settings import api_settings
 
+from authentik.api.apps import AuthentikAPIConfig
 from authentik.api.pagination import PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA
 
 
@@ -101,3 +102,12 @@ def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
             comp = result["components"]["schemas"][component]
             comp["additionalProperties"] = {}
     return result
+
+
+def preprocess_schema_exclude_non_api(endpoints, **kwargs):
+    """Filter out all API Views which are not mounted under /api"""
+    return [
+        (path, path_regex, method, callback)
+        for path, path_regex, method, callback in endpoints
+        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
+    ]
@@ -51,6 +51,7 @@
 from authentik.policies.reputation.models import Reputation
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
 from authentik.providers.scim.models import SCIMGroup, SCIMUser
+from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
 from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
 from authentik.tenants.models import Tenant
 
@@ -97,6 +98,8 @@ def excluded_models() -> list[type[Model]]:
         RefreshToken,
         Reputation,
         WebAuthnDeviceType,
+        SCIMSourceUser,
+        SCIMSourceGroup,
     )
 
 

@@ -659,7 +659,7 @@ def expire_action(self, *args, **kwargs):
         return self.delete(*args, **kwargs)
 
     @classmethod
-    def filter_not_expired(cls, **kwargs) -> QuerySet:
+    def filter_not_expired(cls, **kwargs) -> QuerySet["Token"]:
         """Filer for tokens which are not expired yet or are not expiring,
         and match filters in `kwargs`"""
         for obj in cls.objects.filter(**kwargs).filter(Q(expires__lt=now(), expiring=True)):

@@ -39,6 +39,7 @@ class Migration(migrations.Migration):
                     ("authentik.sources.oauth", "authentik Sources.OAuth"),
                     ("authentik.sources.plex", "authentik Sources.Plex"),
                     ("authentik.sources.saml", "authentik Sources.SAML"),
+                    ("authentik.sources.scim", "authentik Sources.SCIM"),
                     ("authentik.stages.authenticator_duo", "authentik Stages.Authenticator.Duo"),
                     ("authentik.stages.authenticator_sms", "authentik Stages.Authenticator.SMS"),
                     (

@@ -17,6 +17,7 @@ class User(BaseUser):
         "urn:ietf:params:scim:schemas:core:2.0:User",
     ]
     externalId: str | None = None
+    meta: dict | None = None
 
 
 class Group(BaseGroup):
@@ -26,6 +27,7 @@ class Group(BaseGroup):
         "urn:ietf:params:scim:schemas:core:2.0:Group",
     ]
     externalId: str | None = None
+    meta: dict | None = None
 
 
 class ServiceProviderConfiguration(BaseServiceProviderConfiguration):

@@ -90,6 +90,7 @@
     "authentik.sources.oauth",
     "authentik.sources.plex",
     "authentik.sources.saml",
+    "authentik.sources.scim",
     "authentik.stages.authenticator",
     "authentik.stages.authenticator_duo",
     "authentik.stages.authenticator_sms",
@@ -157,6 +158,9 @@
     },
     "ENUM_ADD_EXPLICIT_BLANK_NULL_CHOICE": False,
     "ENUM_GENERATE_CHOICE_DESCRIPTION": False,
+    "PREPROCESSING_HOOKS": [
+        "authentik.api.schema.preprocess_schema_exclude_non_api",
+    ],
     "POSTPROCESSING_HOOKS": [
         "authentik.api.schema.postprocess_schema_responses",
         "drf_spectacular.hooks.postprocess_schema_enums",

@@ -0,0 +1,35 @@
+"""SCIMSourceGroup API Views"""
+
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.sources import SourceSerializer
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.users import UserGroupSerializer
+from authentik.sources.scim.models import SCIMSourceGroup
+
+
+class SCIMSourceGroupSerializer(SourceSerializer):
+    """SCIMSourceGroup Serializer"""
+
+    group_obj = UserGroupSerializer(source="group", read_only=True)
+
+    class Meta:
+
+        model = SCIMSourceGroup
+        fields = [
+            "id",
+            "group",
+            "group_obj",
+            "source",
+            "attributes",
+        ]
+
+
+class SCIMSourceGroupViewSet(UsedByMixin, ModelViewSet):
+    """SCIMSourceGroup Viewset"""
+
+    queryset = SCIMSourceGroup.objects.all().select_related("group")
+    serializer_class = SCIMSourceGroupSerializer
+    filterset_fields = ["source__slug", "group__name", "group__group_uuid"]
+    search_fields = ["source__slug", "group__name", "attributes"]
+    ordering = ["group__name"]
@@ -0,0 +1,77 @@
+"""SCIMSource API Views"""
+
+from django.urls import reverse_lazy
+from rest_framework.fields import SerializerMethodField
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.sources import SourceSerializer
+from authentik.core.api.tokens import TokenSerializer
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.models import Token, TokenIntents, User, UserTypes
+from authentik.sources.scim.models import SCIMSource
+
+
+class SCIMSourceSerializer(SourceSerializer):
+    """SCIMSource Serializer"""
+
+    root_url = SerializerMethodField()
+    token_obj = TokenSerializer(source="token", required=False, read_only=True)
+
+    def get_root_url(self, instance: SCIMSource) -> str:
+        """Get Root URL"""
+        relative_url = reverse_lazy(
+            "authentik_sources_scim:v2-root",
+            kwargs={"source_slug": instance.slug},
+        )
+        if "request" not in self.context:
+            return relative_url
+        return self.context["request"].build_absolute_uri(relative_url)
+
+    def create(self, validated_data):
+        instance: SCIMSource = super().create(validated_data)
+        identifier = f"ak-source-scim-{instance.pk}"
+        user = User.objects.create(
+            username=identifier,
+            name=f"SCIM Source {instance.name} Service-Account",
+            type=UserTypes.SERVICE_ACCOUNT,
+        )
+        token = Token.objects.create(
+            user=user,
+            identifier=identifier,
+            intent=TokenIntents.INTENT_API,
+            expiring=False,
+            managed=f"goauthentik.io/sources/scim/{instance.pk}",
+        )
+        instance.token = token
+        instance.save()
+        return instance
+
+    class Meta:
+
+        model = SCIMSource
+        fields = [
+            "pk",
+            "name",
+            "slug",
+            "enabled",
+            "component",
+            "verbose_name",
+            "verbose_name_plural",
+            "meta_model_name",
+            "user_matching_mode",
+            "managed",
+            "user_path_template",
+            "root_url",
+            "token_obj",
+        ]
+
+
+class SCIMSourceViewSet(UsedByMixin, ModelViewSet):
+    """SCIMSource Viewset"""
+
+    queryset = SCIMSource.objects.all()
+    serializer_class = SCIMSourceSerializer
+    lookup_field = "slug"
+    filterset_fields = ["name", "slug"]
+    search_fields = ["name", "slug", "token__identifier", "token__user__username"]
+    ordering = ["name"]
@@ -0,0 +1,35 @@
+"""SCIMSourceUser API Views"""
+
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.groups import GroupMemberSerializer
+from authentik.core.api.sources import SourceSerializer
+from authentik.core.api.used_by import UsedByMixin
+from authentik.sources.scim.models import SCIMSourceUser
+
+
+class SCIMSourceUserSerializer(SourceSerializer):
+    """SCIMSourceUser Serializer"""
+
+    user_obj = GroupMemberSerializer(source="user", read_only=True)
+
+    class Meta:
+
+        model = SCIMSourceUser
+        fields = [
+            "id",
+            "user",
+            "user_obj",
+            "source",
+            "attributes",
+        ]
+
+
+class SCIMSourceUserViewSet(UsedByMixin, ModelViewSet):
+    """SCIMSourceUser Viewset"""
+
+    queryset = SCIMSourceUser.objects.all().select_related("user")
+    serializer_class = SCIMSourceUserSerializer
+    filterset_fields = ["source__slug", "user__username", "user__id"]
+    search_fields = ["source__slug", "user__username", "attributes"]
+    ordering = ["user__username"]
@@ -0,0 +1,12 @@
+"""Authentik SCIM app config"""
+
+from django.apps import AppConfig
+
+
+class AuthentikSourceSCIMConfig(AppConfig):
+    """authentik SCIM Source app config"""
+
+    name = "authentik.sources.scim"
+    label = "authentik_sources_scim"
+    verbose_name = "authentik Sources.SCIM"
+    mountpoint = "source/scim/"
@@ -0,0 +1,8 @@
+"""SCIM Errors"""
+
+from authentik.lib.sentry import SentryIgnoredException
+
+
+class PatchError(SentryIgnoredException):
+    """Error raised within an atomic block when an error happened
+    so nothing is saved"""
@@ -0,0 +1,94 @@
+# Generated by Django 5.0.4 on 2024-04-07 14:34
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("authentik_core", "0033_alter_user_options"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="SCIMSource",
+            fields=[
+                (
+                    "source_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_core.source",
+                    ),
+                ),
+                (
+                    "token",
+                    models.ForeignKey(
+                        default=None,
+                        null=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_core.token",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "SCIM Source",
+                "verbose_name_plural": "SCIM Sources",
+            },
+            bases=("authentik_core.source",),
+        ),
+        migrations.CreateModel(
+            name="SCIMSourceGroup",
+            fields=[
+                ("id", models.TextField(primary_key=True, serialize=False)),
+                ("attributes", models.JSONField(default=dict)),
+                (
+                    "group",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.group"
+                    ),
+                ),
+                (
+                    "source",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_sources_scim.scimsource",
+                    ),
+                ),
+            ],
+            options={
+                "unique_together": {("id", "group", "source")},
+            },
+        ),
+        migrations.CreateModel(
+            name="SCIMSourceUser",
+            fields=[
+                ("id", models.TextField(primary_key=True, serialize=False)),
+                ("attributes", models.JSONField(default=dict)),
+                (
+                    "source",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_sources_scim.scimsource",
+                    ),
+                ),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
+                    ),
+                ),
+            ],
+            options={
+                "unique_together": {("id", "user", "source")},
+            },
+        ),
+    ]