Merge pull request #5 from coreweave/scim-filtering

feat: Add support for SCIM resource IDs and update documentation and tests

Author: git-it127

examples/nsscache-scim.conf

@@ -34,6 +34,11 @@ scim_auth_token = <token>
 scim_users_endpoint = Users
 scim_groups_endpoint = Groups
 
+# (Optional) SCIM url query parameters
+# Special characters (spaces, quotes, etc.) will be automatically URL encoded
+scim_users_parameters = groups=admin&filter=active eq "true"
+scim_groups_parameters = filter=displayName eq "users" or displayName eq "admin"
+
 # (Optional) SCIM options 
 scim_timeout = 60
 scim_verify_ssl = True

nss_cache/sources/scimsource.py

@@ -5,6 +5,7 @@
 import pycurl
 import os
 from io import StringIO
+from urllib.parse import urlencode
 
 from nss_cache import error
 from nss_cache.maps import group
@@ -66,6 +67,10 @@ def _SetDefaults(self, configuration):
             configuration["users_endpoint"] = self.USERS_ENDPOINT
         if "groups_endpoint" not in configuration:
             configuration["groups_endpoint"] = self.GROUPS_ENDPOINT
+        if "users_parameters" not in configuration:
+            configuration["users_parameters"] = ""
+        if "groups_parameters" not in configuration:
+            configuration["groups_parameters"] = ""
         if "timeout" not in configuration:
             configuration["timeout"] = self.TIMEOUT
         if "verify_ssl" not in configuration:
@@ -78,6 +83,42 @@ def _SetDefaults(self, configuration):
             configuration["default_shell"] = self.DEFAULT_SHELL
         if "auth_token" not in configuration:
             configuration["auth_token"] = os.environ.get('NSSCACHE_SCIM_AUTH_TOKEN', self.AUTH_TOKEN)
+
+    def _BuildUrlWithParameters(self, base_url, parameters):
+        """Build URL with custom parameters, handling proper encoding.
+
+        Args:
+            base_url: The base URL (e.g., "https://api.example.com/scim/Users")
+            parameters: Parameter string (e.g., "groups=admin&filter=active eq \"true\"")
+
+        Returns:
+            URL with parameters properly encoded and appended
+        """
+        if not parameters or not parameters.strip():
+            return base_url
+
+        # Clean up parameters - remove leading ? or & if present
+        clean_params = parameters.strip().lstrip('?&')
+
+        if not clean_params:
+            return base_url
+
+        # Parse the parameters to properly encode them
+        # This preserves the original parameter structure while encoding special characters
+        params_dict = {}
+        for param in clean_params.split('&'):
+            if '=' in param:
+                key, value = param.split('=', 1)
+                params_dict[key] = value
+            else:
+                # Handle case where there's no = sign (shouldn't happen, but just in case)
+                params_dict[param] = ''
+
+        encoded_query = urlencode(params_dict)
+
+        # Add parameters to base URL
+        return f"{base_url}?{encoded_query}"
+
     def GetPasswdMap(self, since=None):
         """Return the passwd map from this source.
 
@@ -88,7 +129,8 @@ def GetPasswdMap(self, since=None):
         Returns:
           instance of passwd.PasswdMap
         """
-        users_url = f"{self.conf['base_url']}/{self.conf['users_endpoint']}"
+        base_users_url = f"{self.conf['base_url']}/{self.conf['users_endpoint']}"
+        users_url = self._BuildUrlWithParameters(base_users_url, self.conf.get('users_parameters', ''))
         return PasswdUpdateGetter(self.conf).GetUpdates(self, users_url, since)
 
     def GetGroupMap(self, since=None):
@@ -101,7 +143,8 @@ def GetGroupMap(self, since=None):
         Returns:
           instance of group.GroupMap
         """
-        groups_url = f"{self.conf['base_url']}/{self.conf['groups_endpoint']}"
+        base_groups_url = f"{self.conf['base_url']}/{self.conf['groups_endpoint']}"
+        groups_url = self._BuildUrlWithParameters(base_groups_url, self.conf.get('groups_parameters', ''))
         return GroupUpdateGetter(self.conf).GetUpdates(self, groups_url, since)
 
     def GetSshkeyMap(self, since=None):
@@ -114,7 +157,8 @@ def GetSshkeyMap(self, since=None):
         Returns:
           instance of sshkey.SshkeyMap
         """
-        users_url = f"{self.conf['base_url']}/{self.conf['users_endpoint']}"
+        base_users_url = f"{self.conf['base_url']}/{self.conf['users_endpoint']}"
+        users_url = self._BuildUrlWithParameters(base_users_url, self.conf.get('users_parameters', ''))
         return SshkeyUpdateGetter(self.conf).GetUpdates(self, users_url, since)
 
 class UpdateGetter(HttpUpdateGetter):

nss_cache/sources/scimsource_test.py

@@ -104,6 +104,61 @@ def testVerifySslDisabled(self):
             mock_conn.setopt.assert_any_call(pycurl.SSL_VERIFYPEER, 0)
             mock_conn.setopt.assert_any_call(pycurl.SSL_VERIFYHOST, 0)
 
+    def testBuildUrlWithParameters(self):
+        """Test that URL parameters are properly handled."""
+        config = {
+            "base_url": "https://api.example.com/scim",
+            "auth_token": "test_token"
+        }
+        source = scimsource.ScimSource(config)
+        
+        # Test with no parameters
+        url = source._BuildUrlWithParameters("https://api.example.com/scim/Users", "")
+        self.assertEqual(url, "https://api.example.com/scim/Users")
+        
+        # Test with simple parameters (comma gets URL encoded)
+        url = source._BuildUrlWithParameters("https://api.example.com/scim/Users", "groups=users,admin")
+        self.assertEqual(url, "https://api.example.com/scim/Users?groups=users%2Cadmin")
+        
+        # Test with parameters that have leading ? or &
+        url = source._BuildUrlWithParameters("https://api.example.com/scim/Users", "?groups=users,admin")
+        self.assertEqual(url, "https://api.example.com/scim/Users?groups=users%2Cadmin")
+        
+        url = source._BuildUrlWithParameters("https://api.example.com/scim/Users", "&groups=users,admin")
+        self.assertEqual(url, "https://api.example.com/scim/Users?groups=users%2Cadmin")
+        
+        # Test with complex SCIM filter that needs encoding
+        url = source._BuildUrlWithParameters("https://api.example.com/scim/Groups", 'filter=displayName eq "users"')
+        self.assertEqual(url, "https://api.example.com/scim/Groups?filter=displayName+eq+%22users%22")
+        
+        # Test with multiple parameters
+        url = source._BuildUrlWithParameters("https://api.example.com/scim/Users", "groups=admin,metrics&filter=active eq \"true\"")
+        self.assertEqual(url, "https://api.example.com/scim/Users?groups=admin%2Cmetrics&filter=active+eq+%22true%22")
+
+    def testParametersConfiguration(self):
+        """Test that users_parameters and groups_parameters are configured properly."""
+        config = {
+            "base_url": "https://api.example.com/scim",
+            "auth_token": "test_token",
+            "users_parameters": "groups=users,admin&filter=active",
+            "groups_parameters": "type=security"
+        }
+        source = scimsource.ScimSource(config)
+        
+        self.assertEqual(source.conf["users_parameters"], "groups=users,admin&filter=active")
+        self.assertEqual(source.conf["groups_parameters"], "type=security")
+
+    def testParametersDefaultsToEmpty(self):
+        """Test that parameters default to empty strings."""
+        config = {
+            "base_url": "https://api.example.com/scim",
+            "auth_token": "test_token"
+        }
+        source = scimsource.ScimSource(config)
+        
+        self.assertEqual(source.conf["users_parameters"], "")
+        self.assertEqual(source.conf["groups_parameters"], "")
+
 
 class TestScimUpdateGetter(unittest.TestCase):
     def setUp(self):
@@ -203,6 +258,103 @@ def mock_get_map(cache_info, data):
             self.assertIn("Users", call_args[0][0][0])  # First call should be to base URL
             self.assertIn("startIndex=51", call_args[1][0][0])  # Second call should have pagination
 
+    def testGetUpdatesWithPaginationAndCustomParameters(self):
+        """Test that pagination works correctly with custom URL parameters."""
+        mock_conn = mock.Mock()
+        mock_conn.getinfo.return_value = 200
+        self.curl_mock.return_value = mock_conn
+        
+        config = {
+            "base_url": "https://api.example.com/scim",
+            "auth_token": "test_token"
+        }
+        source = scimsource.ScimSource(config)
+        
+        # Mock the first page response with pagination info
+        first_page_response = {
+            "totalResults": 75,
+            "itemsPerPage": 50,
+            "startIndex": 1,
+            "Resources": [{"id": str(i), "userName": f"user{i}"} for i in range(1, 51)]
+        }
+        
+        # Mock the second page response
+        second_page_response = {
+            "totalResults": 75,
+            "itemsPerPage": 25,
+            "startIndex": 51,
+            "Resources": [{"id": str(i), "userName": f"user{i}"} for i in range(51, 76)]
+        }
+        
+        with mock.patch.object(curl, 'CurlFetch') as mock_curl_fetch:
+            mock_curl_fetch.side_effect = [
+                (200, "", json.dumps(first_page_response).encode('utf-8')),
+                (200, "", json.dumps(second_page_response).encode('utf-8'))
+            ]
+            
+            getter = scimsource.UpdateGetter()
+            getter.source = source
+            
+            # Mock the parser and its pagination metadata
+            mock_parser = mock.Mock()
+            
+            # Mock the first map returned by GetMap 
+            mock_first_map = mock.Mock()
+            mock_first_map.__len__ = mock.Mock(return_value=50)
+            
+            # Mock the second map returned by GetMap
+            mock_second_map = mock.Mock()
+            mock_second_map.__len__ = mock.Mock(return_value=75)  # Total items after both pages
+            
+            # Track which call we're on
+            call_count = 0
+            
+            # Configure GetMap to return the mocked maps and update pagination metadata
+            def mock_get_map(cache_info, data):
+                nonlocal call_count
+                call_count += 1
+                
+                if call_count == 1:
+                    # First page
+                    mock_parser._pagination_metadata = {
+                        'totalResults': 75,
+                        'itemsPerPage': 50,
+                        'startIndex': 1
+                    }
+                    return mock_first_map
+                else:
+                    # Second page  
+                    mock_parser._pagination_metadata = {
+                        'totalResults': 75,
+                        'itemsPerPage': 25,
+                        'startIndex': 51
+                    }
+                    return mock_second_map
+            
+            mock_parser.GetMap = mock.Mock(side_effect=mock_get_map)
+            
+            getter.GetParser = mock.Mock(return_value=mock_parser)
+            getter.CreateMap = mock.Mock(return_value=mock.Mock())
+            
+            # Test with URL that has custom parameters
+            result = getter.GetUpdates(source, "https://api.example.com/scim/Users?groups=users,admin", None)
+            
+            # Should call CurlFetch twice (first page + second page)
+            self.assertEqual(mock_curl_fetch.call_count, 2)
+            
+            # Should call GetMap twice (first page + second page)  
+            self.assertEqual(mock_parser.GetMap.call_count, 2)
+            
+            # Verify the URLs include both custom parameters and pagination parameters
+            call_args = mock_curl_fetch.call_args_list
+            # First call should include custom parameters and startIndex=1
+            self.assertIn("groups=users,admin", call_args[0][0][0])
+            self.assertIn("startIndex=1", call_args[0][0][0])
+            
+            # Second call should include custom parameters and startIndex=51
+            self.assertIn("groups=users,admin", call_args[1][0][0])
+            self.assertIn("startIndex=51", call_args[1][0][0])
+
 
 class TestScimPasswdUpdateGetter(unittest.TestCase):
     def setUp(self):

nsscache.conf.5

@@ -355,6 +355,18 @@ The SCIM endpoint path for retrieving user data. Defaults to
 The SCIM endpoint path for retrieving group data. Defaults to
 .I Groups
 
+.TP
+.B scim_users_parameters
+Optional url parameters for the users endpoint to be added. 
+Special characters (spaces, quotes, etc.) will be automatically URL encoded.
+Example: 'groups=admin&filter=active eq true'
+
+.TP
+.B scim_groups_parameters
+Optional url parameters for the groups endpoint to be added. 
+Special characters (spaces, quotes, etc.) will be automatically URL encoded.
+Example: 'filter=displayName eq users or displayName eq admin'
+
 .TP
 .B scim_timeout
 Timeout in seconds for SCIM requests. Defaults to 60.