[SCIM 1/4]: Add endpoint stubs (#9070)

First, add endpoint stubs so that console and cli work can start. Use
the recently opened scim2-rs repo's structs to create all necessary
scim_v2_* endpoints, and also add endpoints for managing the SCIM client
bearer tokens (used to authenticate for those SCIM v2 endpoints).

The audit logging for the SCIM client bearer token CRUD will use the
opctx of the silo admin, but the SCIM v2 endpoints do not have an opctx
because they will never authenticate to an Actor: instead, create a new
"external-scim" user that will be used for the audit log, and will have
(in the 3/4 PR) the necessary permissions to authenticate SCIM clients.

Author: jmpesp

Cargo.lock

@@ -795,6 +795,8 @@ newtype-uuid = { version = "1.3.1", default-features = false }
 newtype-uuid-macros = "0.1.0"
 omicron-uuid-kinds = { path = "uuid-kinds", features = ["serde", "schemars08", "uuid-v4"] }
 
+scim2-rs = { git = "https://github.com/oxidecomputer/scim2-rs" }
+
 # NOTE: The test profile inherits from the dev profile, so settings under
 # profile.dev get inherited. AVOID setting anything under profile.test: that
 # will cause dev and test builds to diverge, which will cause more Cargo build

Cargo.toml

@@ -969,6 +969,7 @@ pub enum ResourceType {
     RouterRoute,
     SagaDbg,
     SamlIdentityProvider,
+    ScimClientBearerToken,
     Service,
     ServiceNetworkInterface,
     Silo,

common/src/api/external/mod.rs

@@ -138,6 +138,7 @@ oximeter-producer.workspace = true
 raw-cpuid = { workspace = true, features = ["std"] }
 rustls = { workspace = true }
 rustls-pemfile = { workspace = true }
+scim2-rs.workspace = true
 update-common.workspace = true
 update-engine.workspace = true
 omicron-workspace-hack.workspace = true

nexus/Cargo.toml

@@ -32,6 +32,7 @@ pub use nexus_db_fixed_data::silo_user::USER_TEST_PRIVILEGED;
 pub use nexus_db_fixed_data::silo_user::USER_TEST_UNPRIVILEGED;
 pub use nexus_db_fixed_data::user_builtin::USER_DB_INIT;
 pub use nexus_db_fixed_data::user_builtin::USER_EXTERNAL_AUTHN;
+pub use nexus_db_fixed_data::user_builtin::USER_EXTERNAL_SCIM;
 pub use nexus_db_fixed_data::user_builtin::USER_INTERNAL_API;
 pub use nexus_db_fixed_data::user_builtin::USER_INTERNAL_READ;
 pub use nexus_db_fixed_data::user_builtin::USER_SAGA_RECOVERY;
@@ -199,6 +200,12 @@ impl Context {
         Context::context_for_builtin_user(USER_SERVICE_BALANCER.id)
     }
 
+    /// Returns an authenticated context for use for authenticating SCIM
+    /// requests
+    pub fn external_scim() -> Context {
+        Context::context_for_builtin_user(USER_EXTERNAL_SCIM.id)
+    }
+
     fn context_for_builtin_user(user_builtin_id: BuiltInUserUuid) -> Context {
         Context {
             kind: Kind::Authenticated(
@@ -300,6 +307,7 @@ mod test {
     use super::USER_TEST_PRIVILEGED;
     use super::USER_TEST_UNPRIVILEGED;
     use nexus_db_fixed_data::user_builtin::USER_EXTERNAL_AUTHN;
+    use nexus_db_fixed_data::user_builtin::USER_EXTERNAL_SCIM;
     use nexus_types::identity::Asset;
 
     #[test]
@@ -342,6 +350,10 @@ mod test {
         let authn = Context::internal_api();
         let actor = authn.actor().unwrap();
         assert_eq!(actor.built_in_user_id(), Some(USER_INTERNAL_API.id));
+
+        let authn = Context::external_scim();
+        let actor = authn.actor().unwrap();
+        assert_eq!(actor.built_in_user_id(), Some(USER_EXTERNAL_SCIM.id));
     }
 }
 

nexus/auth/src/authn/mod.rs

@@ -53,5 +53,13 @@ pub static BUILTIN_ROLE_ASSIGNMENTS: LazyLock<Vec<RoleAssignment>> =
                 *FLEET_ID,
                 "external-authenticator",
             ),
+            // The "external-scim" user gets the "external-scim" role on the
+            // sole fleet. This grants them the ability to read SCIM tokens.
+            RoleAssignment::new_for_builtin_user(
+                user_builtin::USER_EXTERNAL_SCIM.id,
+                ResourceType::Fleet,
+                *FLEET_ID,
+                "external-scim",
+            ),
         ]
     });

nexus/db-fixed-data/src/role_assignment.rs

@@ -94,11 +94,22 @@ pub static USER_EXTERNAL_AUTHN: LazyLock<UserBuiltinConfig> =
         )
     });
 
+/// Internal user used by Nexus when authenticating SCIM requests
+pub static USER_EXTERNAL_SCIM: LazyLock<UserBuiltinConfig> =
+    LazyLock::new(|| {
+        UserBuiltinConfig::new_static(
+            "001de000-05e4-4000-8000-000000000004",
+            "external-scim",
+            "used by Nexus when authenticating SCIM requests",
+        )
+    });
+
 #[cfg(test)]
 mod test {
     use super::super::assert_valid_typed_uuid;
     use super::USER_DB_INIT;
     use super::USER_EXTERNAL_AUTHN;
+    use super::USER_EXTERNAL_SCIM;
     use super::USER_INTERNAL_API;
     use super::USER_INTERNAL_READ;
     use super::USER_SAGA_RECOVERY;
@@ -112,5 +123,6 @@ mod test {
         assert_valid_typed_uuid(&USER_EXTERNAL_AUTHN.id);
         assert_valid_typed_uuid(&USER_INTERNAL_READ.id);
         assert_valid_typed_uuid(&USER_SAGA_RECOVERY.id);
+        assert_valid_typed_uuid(&USER_EXTERNAL_SCIM.id);
     }
 }

nexus/db-fixed-data/src/user_builtin.rs

@@ -725,6 +725,7 @@ impl DataStore {
             &authn::USER_INTERNAL_READ,
             &authn::USER_EXTERNAL_AUTHN,
             &authn::USER_SAGA_RECOVERY,
+            &authn::USER_EXTERNAL_SCIM,
         ]
         .iter()
         .map(|u| {
@@ -741,13 +742,15 @@ impl DataStore {
         .collect::<Vec<UserBuiltin>>();
 
         debug!(opctx.log, "attempting to create built-in users");
+
         let count = diesel::insert_into(dsl::user_builtin)
             .values(builtin_users)
             .on_conflict(dsl::id)
             .do_nothing()
             .execute_async(&*self.pool_connection_authorized(opctx).await?)
             .await
             .map_err(|e| public_error_from_diesel(e, ErrorHandler::Server))?;
+
         info!(opctx.log, "created {} built-in users", count);
 
         Ok(())

nexus/db-queries/src/db/datastore/silo_user.rs

@@ -22,3 +22,4 @@ openapiv3.workspace = true
 oximeter-types.workspace = true
 oxql-types.workspace = true
 omicron-uuid-kinds.workspace = true
+scim2-rs.workspace = true

nexus/external-api/Cargo.toml

@@ -272,6 +272,11 @@ local_idp_user_delete                    DELETE   /v1/system/identity-providers/
 local_idp_user_set_password              POST     /v1/system/identity-providers/local/users/{user_id}/set-password
 saml_identity_provider_create            POST     /v1/system/identity-providers/saml
 saml_identity_provider_view              GET      /v1/system/identity-providers/saml/{provider}
+scim_idp_create_token                    POST     /v1/system/scim/tokens
+scim_idp_delete_all_tokens               DELETE   /v1/system/scim/tokens
+scim_idp_delete_token_by_id              DELETE   /v1/system/scim/tokens/{token_id}
+scim_idp_get_token_by_id                 GET      /v1/system/scim/tokens/{token_id}
+scim_idp_get_tokens                      GET      /v1/system/scim/tokens
 silo_create                              POST     /v1/system/silos
 silo_delete                              DELETE   /v1/system/silos/{silo}
 silo_identity_provider_list              GET      /v1/system/identity-providers