[SCIM 2/4]: Add SCIM user, group, and IDP (#9162)

Build on #8981 and add the SCIM user provision type to users and groups.
Users must have a user name, and optionally have an external id field
and/or an active field. Groups must have a display name and optionally
have an external id field.

Also add a new SiloIdentityMode named SamlScim.

A few functions have to change to account for these new variants, but
not many. Silos using the SamlScim identity mode will use all the same
SAML code that exists today.

Author: jmpesp

nexus/db-fixed-data/src/silo_user.rs

@@ -16,7 +16,7 @@ use std::sync::LazyLock;
 // not automatically at Nexus startup.  See omicron#2305.
 pub static USER_TEST_PRIVILEGED: LazyLock<model::SiloUser> =
     LazyLock::new(|| {
-        model::SiloUser::new_api_only_user(
+        model::SiloUser::new_api_only(
             DEFAULT_SILO_ID,
             // "4007" looks a bit like "root".
             "001de000-05e4-4000-8000-000000004007".parse().unwrap(),
@@ -51,7 +51,7 @@ pub static ROLE_ASSIGNMENTS_PRIVILEGED: LazyLock<Vec<model::RoleAssignment>> =
 // not automatically at Nexus startup.  See omicron#2305.
 pub static USER_TEST_UNPRIVILEGED: LazyLock<model::SiloUser> =
     LazyLock::new(|| {
-        model::SiloUser::new_api_only_user(
+        model::SiloUser::new_api_only(
             DEFAULT_SILO_ID,
             // 60001 is the decimal uid for "nobody" on Helios.
             "001de000-05e4-4000-8000-000000060001".parse().unwrap(),

nexus/db-model/src/schema_versions.rs

@@ -16,7 +16,7 @@ use std::{collections::BTreeMap, sync::LazyLock};
 ///
 /// This must be updated when you change the database schema.  Refer to
 /// schema/crdb/README.adoc in the root of this repository for details.
-pub const SCHEMA_VERSION: Version = Version::new(196, 0, 0);
+pub const SCHEMA_VERSION: Version = Version::new(197, 0, 0);
 
 /// List of all past database schema versions, in *reverse* order
 ///
@@ -28,6 +28,7 @@ static KNOWN_VERSIONS: LazyLock<Vec<KnownVersion>> = LazyLock::new(|| {
         // |  leaving the first copy as an example for the next person.
         // v
         // KnownVersion::new(next_int, "unique-dirname-with-the-sql-files"),
+        KnownVersion::new(197, "scim-users-and-groups"),
         KnownVersion::new(196, "user-provision-type-for-silo-user-and-group"),
         KnownVersion::new(195, "tuf-pruned-index"),
         KnownVersion::new(194, "tuf-pruned"),

nexus/db-model/src/silo.rs

@@ -56,13 +56,15 @@ impl_enum_type!(
     // Enum values
     ApiOnly => b"api_only"
     Jit => b"jit"
+    Scim => b"scim"
 );
 
 impl From<shared::UserProvisionType> for UserProvisionType {
     fn from(params: shared::UserProvisionType) -> Self {
         match params {
             shared::UserProvisionType::ApiOnly => UserProvisionType::ApiOnly,
             shared::UserProvisionType::Jit => UserProvisionType::Jit,
+            shared::UserProvisionType::Scim => UserProvisionType::Scim,
         }
     }
 }
@@ -72,6 +74,7 @@ impl From<UserProvisionType> for shared::UserProvisionType {
         match model {
             UserProvisionType::ApiOnly => Self::ApiOnly,
             UserProvisionType::Jit => Self::Jit,
+            UserProvisionType::Scim => Self::Scim,
         }
     }
 }
@@ -221,11 +224,16 @@ impl TryFrom<Silo> for views::Silo {
             (AuthenticationMode::Saml, UserProvisionType::Jit) => {
                 Some(SiloIdentityMode::SamlJit)
             }
-            (AuthenticationMode::Saml, UserProvisionType::ApiOnly) => None,
+
             (AuthenticationMode::Local, UserProvisionType::ApiOnly) => {
                 Some(SiloIdentityMode::LocalOnly)
             }
-            (AuthenticationMode::Local, UserProvisionType::Jit) => None,
+
+            (AuthenticationMode::Saml, UserProvisionType::Scim) => {
+                Some(SiloIdentityMode::SamlScim)
+            }
+
+            _ => None,
         }
         .ok_or_else(|| {
             Error::internal_error(&format!(

nexus/db-model/src/silo_group.rs

@@ -26,18 +26,23 @@ pub struct SiloGroup {
 
     /// If the user provision type is ApiOnly or JIT, then the external id is
     /// the identity provider's ID for this group. There is a database
-    /// constraint (`lookup_silo_group_by_silo`) that ensures this field must be
+    /// constraint (`external_id_consistency`) that ensures this field must be
     /// non-null for those provision types.
     ///
     /// For SCIM, this may be null, which would trigger the uniqueness
     /// constraint if that wasn't limited to specific provision types.
     pub external_id: Option<String>,
 
     pub user_provision_type: UserProvisionType,
+
+    /// For SCIM groups, display name must be Some. There is a database
+    /// constraint (`display_name_consistency`) that ensures this field is
+    /// non-null for that provision type.
+    pub display_name: Option<String>,
 }
 
 impl SiloGroup {
-    pub fn new_api_only_group(
+    pub fn new_api_only(
         id: SiloGroupUuid,
         silo_id: Uuid,
         external_id: String,
@@ -48,10 +53,11 @@ impl SiloGroup {
             silo_id,
             user_provision_type: UserProvisionType::ApiOnly,
             external_id: Some(external_id),
+            display_name: None,
         }
     }
 
-    pub fn new_jit_group(
+    pub fn new_jit(
         id: SiloGroupUuid,
         silo_id: Uuid,
         external_id: String,
@@ -62,6 +68,23 @@ impl SiloGroup {
             silo_id,
             user_provision_type: UserProvisionType::Jit,
             external_id: Some(external_id),
+            display_name: None,
+        }
+    }
+
+    pub fn new_scim(
+        id: SiloGroupUuid,
+        silo_id: Uuid,
+        display_name: String,
+        external_id: Option<String>,
+    ) -> Self {
+        Self {
+            identity: SiloGroupIdentity::new(id),
+            time_deleted: None,
+            silo_id,
+            user_provision_type: UserProvisionType::Scim,
+            external_id,
+            display_name: Some(display_name),
         }
     }
 }

nexus/db-model/src/silo_user.rs

@@ -21,18 +21,31 @@ pub struct SiloUser {
 
     /// If the user provision type is ApiOnly or JIT, then the external id is
     /// the identity provider's ID for this user. There is a database constraint
-    /// (`lookup_silo_user_by_silo`) that ensures this field must be non-null
-    /// for those provision types.
+    /// (`external_id_consistency`) that ensures this field must be non-null for
+    /// those provision types.
     ///
     /// For SCIM, this may be null, which would trigger the uniqueness
     /// constraint if that wasn't limited to specific provision types.
     pub external_id: Option<String>,
 
     pub user_provision_type: UserProvisionType,
+
+    /// For SCIM users, user name must be Some. There is a database constraint
+    /// (`user_name_consistency`) that ensures this field is non-null for that
+    /// provision type.
+    pub user_name: Option<String>,
+
+    /// For SCIM users, active describes whether or not the user is allowed to
+    /// have active sessions.
+    ///
+    /// Note this field isn't mandatory for SCIM provisioning clients to
+    /// support. Using an option here lets us determine if the client sent us
+    /// nothing, or of they sent us a value.
+    pub active: Option<bool>,
 }
 
 impl SiloUser {
-    pub fn new_api_only_user(
+    pub fn new_api_only(
         silo_id: Uuid,
         user_id: SiloUserUuid,
         external_id: String,
@@ -43,10 +56,12 @@ impl SiloUser {
             silo_id,
             external_id: Some(external_id),
             user_provision_type: UserProvisionType::ApiOnly,
+            user_name: None,
+            active: None,
         }
     }
 
-    pub fn new_jit_user(
+    pub fn new_jit(
         silo_id: Uuid,
         user_id: SiloUserUuid,
         external_id: String,
@@ -57,6 +72,26 @@ impl SiloUser {
             silo_id,
             external_id: Some(external_id),
             user_provision_type: UserProvisionType::Jit,
+            user_name: None,
+            active: None,
+        }
+    }
+
+    pub fn new_scim(
+        silo_id: Uuid,
+        user_id: SiloUserUuid,
+        user_name: String,
+        external_id: Option<String>,
+        active: Option<bool>,
+    ) -> Self {
+        Self {
+            identity: SiloUserIdentity::new(user_id),
+            time_deleted: None,
+            silo_id,
+            external_id,
+            user_provision_type: UserProvisionType::Scim,
+            user_name: Some(user_name),
+            active,
         }
     }
 }

nexus/db-queries/src/db/datastore/mod.rs

@@ -152,6 +152,7 @@ pub use silo_user::SiloUser;
 pub use silo_user::SiloUserApiOnly;
 pub use silo_user::SiloUserJit;
 pub use silo_user::SiloUserLookup;
+pub use silo_user::SiloUserScim;
 pub use sled::SledTransition;
 pub use sled::TransitionError;
 pub use support_bundle::SupportBundleExpungementReport;

nexus/db-queries/src/db/datastore/rack.rs

@@ -472,13 +472,13 @@ impl DataStore {
         let silo_user_id = SiloUserUuid::new_v4();
 
         let silo_user = match &db_silo.user_provision_type {
-            UserProvisionType::ApiOnly => SiloUser::new_api_only_user(
+            UserProvisionType::ApiOnly => SiloUser::new_api_only(
                 db_silo.id(),
                 silo_user_id,
                 recovery_user_id.as_ref().to_owned(),
             ),
 
-            UserProvisionType::Jit => {
+            UserProvisionType::Jit | UserProvisionType::Scim => {
                 unreachable!("match at start of function should prevent this");
             }
         };
@@ -1266,16 +1266,21 @@ mod test {
             )
             .await
             .expect("failed to list users");
+
         assert_eq!(silo_users.len(), 1);
-        assert_eq!(
-            silo_users[0].external_id(),
-            rack_init.recovery_user_id.as_ref()
-        );
+
+        let db::datastore::SiloUser::ApiOnly(silo_user) = &silo_users[0] else {
+            panic!("wrong user type {:?}", silo_users[0].user_provision_type());
+        };
+
+        assert_eq!(silo_user.external_id, rack_init.recovery_user_id.as_ref());
+
         let authz_silo_user = authz::SiloUser::new(
             authz_silo,
             silo_users[0].id(),
             LookupType::by_id(silo_users[0].id()),
         );
+
         let hash = datastore
             .silo_user_password_hash_fetch(&opctx, &authz_silo_user)
             .await

nexus/db-queries/src/db/datastore/silo.rs

@@ -192,62 +192,73 @@ impl DataStore {
         let silo_admin_group_ensure_query = if let Some(ref admin_group_name) =
             new_silo_params.admin_group_name
         {
-            let silo_admin_group =
+            let maybe_silo_admin_group =
                 match new_silo_params.identity_mode.user_provision_type() {
                     shared::UserProvisionType::ApiOnly => {
-                        db::model::SiloGroup::new_api_only_group(
+                        Some(db::model::SiloGroup::new_api_only(
                             silo_group_id,
                             silo_id,
                             admin_group_name.clone(),
-                        )
+                        ))
                     }
 
                     shared::UserProvisionType::Jit => {
-                        db::model::SiloGroup::new_jit_group(
+                        Some(db::model::SiloGroup::new_jit(
                             silo_group_id,
                             silo_id,
                             admin_group_name.clone(),
-                        )
+                        ))
+                    }
+
+                    shared::UserProvisionType::Scim => {
+                        // Do not create any group automatically, the SCIM
+                        // provisioning client is responsible for all user and
+                        // group CRUD.
+                        None
                     }
                 };
 
-            let silo_admin_group_ensure_query =
-                DataStore::silo_group_ensure_query(
-                    &nexus_opctx,
-                    &authz_silo,
-                    silo_admin_group,
-                )
-                .await?;
+            if let Some(silo_admin_group) = maybe_silo_admin_group {
+                let silo_admin_group_ensure_query =
+                    DataStore::silo_group_ensure_query(
+                        &nexus_opctx,
+                        &authz_silo,
+                        silo_admin_group,
+                    )
+                    .await?;
 
-            Some(silo_admin_group_ensure_query)
+                Some(silo_admin_group_ensure_query)
+            } else {
+                None
+            }
         } else {
             None
         };
 
-        let silo_admin_group_role_assignment_queries = if new_silo_params
-            .admin_group_name
-            .is_some()
-        {
-            // Grant silo admin role for members of the admin group.
-            let policy = shared::Policy {
-                role_assignments: vec![shared::RoleAssignment::for_silo_group(
-                    silo_group_id,
-                    SiloRole::Admin,
-                )],
-            };
+        let silo_admin_group_role_assignment_queries =
+            if silo_admin_group_ensure_query.is_some() {
+                // Grant silo admin role for members of the admin group.
+                let policy = shared::Policy {
+                    role_assignments: vec![
+                        shared::RoleAssignment::for_silo_group(
+                            silo_group_id,
+                            SiloRole::Admin,
+                        ),
+                    ],
+                };
 
-            let silo_admin_group_role_assignment_queries =
-                DataStore::role_assignment_replace_visible_queries(
-                    opctx,
-                    &authz_silo,
-                    &policy.role_assignments,
-                )
-                .await?;
+                let silo_admin_group_role_assignment_queries =
+                    DataStore::role_assignment_replace_visible_queries(
+                        opctx,
+                        &authz_silo,
+                        &policy.role_assignments,
+                    )
+                    .await?;
 
-            Some(silo_admin_group_role_assignment_queries)
-        } else {
-            None
-        };
+                Some(silo_admin_group_role_assignment_queries)
+            } else {
+                None
+            };
 
         // This method uses nested transactions, which are not supported
         // with retryable transactions.