WPB-20056: Add support for SCIM managed UserGroup deletion #4833
Conversation
zebot
added
the
ok-to-test
blackheaven
force-pushed
the
gdifolco/WPB-20056-scim-group-delete
branch
2 times, most recently
from
195c665 to
8684fb6
Compare
blackheaven
force-pushed
the
WPB-20053-scim-groups-create-2
branch
from
277dac2 to
638da63
Compare
blackheaven
force-pushed
the
gdifolco/WPB-20056-scim-group-delete
branch
from
8684fb6 to
9a76805
Compare
eyeinsky
force-pushed
the
WPB-20053-scim-groups-create-2
branch
3 times, most recently
from
42d669b to
797766b
Compare
fisx
force-pushed
the
WPB-20053-scim-groups-create-2
branch
2 times, most recently
from
c5929df to
69310c6
Compare
blackheaven
changed the base branch from
WPB-20053-scim-groups-create-2
to
ml/WPB-20054-scim-get-group
blackheaven
force-pushed
the
gdifolco/WPB-20056-scim-group-delete
branch
2 times, most recently
from
438c361 to
b233796
Compare
fisx
force-pushed
the
ml/WPB-20054-scim-get-group
branch
from
0b04971 to
e93e1a8
Compare
blackheaven
force-pushed
the
gdifolco/WPB-20056-scim-group-delete
branch
3 times, most recently
from
1c6bac3 to
eef24c5
Compare
There was a problem hiding this comment.
Pull Request Overview
This pull request implements support for deleting SCIM-managed user groups through the SCIM API, enabling proper lifecycle management of groups created via SCIM provisioning.
- Adds a new
scimDeleteUserGroupfunction to delete SCIM-managed groups with proper validation - Implements
deleteGroupManagedinternal API endpoint to handle deletion based onmanagedByfield - Adds comprehensive unit tests for both successful deletions and failure scenarios
Reviewed Changes
Copilot reviewed 13 out of 15 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| services/spar/src/Spar/Scim/Group.hs | Implements the SCIM group deletion handler, replacing the previous undefined stub |
| services/spar/src/Spar/Error.hs | Adds error mapping for internal errors during SCIM group operations |
| services/brig/src/Brig/API/Internal.hs | Adds internal API endpoint for deleting managed groups |
| libs/wire-subsystems/src/Wire/UserGroupSubsystem/Interpreter.hs | Implements deleteGroupManagedImpl with managedBy validation and notification logic |
| libs/wire-subsystems/src/Wire/UserGroupSubsystem.hs | Adds DeleteGroupManaged operation to the subsystem interface |
| libs/wire-subsystems/src/Wire/ScimSubsystem/Interpreter.hs | Implements SCIM deletion logic with proper error handling for not found and permission errors |
| libs/wire-subsystems/src/Wire/ScimSubsystem.hs | Adds ScimDeleteUserGroup operation to the SCIM subsystem interface |
| libs/wire-subsystems/src/Wire/BrigAPIAccess/Rpc.hs | Implements RPC call to brig's internal delete endpoint |
| libs/wire-subsystems/src/Wire/BrigAPIAccess.hs | Adds DeleteGroupManaged to the Brig API access interface |
| libs/wire-api/src/Wire/API/User/Profile.hs | Adds HTTP API data serialization support for ManagedBy type |
| libs/wire-api/src/Wire/API/Routes/Internal/Brig.hs | Defines the internal API route for managed group deletion |
| libs/wire-api/src/Wire/API/Error/Brig.hs | Adds UserGroupManagedByMismatch error type for validation failures |
| libs/wire-subsystems/test/unit/Wire/ScimSubsystem/InterpreterSpec.hs | Adds comprehensive test coverage for SCIM group deletion scenarios |
| libs/wire-subsystems/test/unit/Wire/UserGroupSubsystem/InterpreterSpec.hs | Minor formatting cleanup in test setup |
| integration/test/API/Spar.hs | Minor formatting cleanup in test helper function |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
blackheaven
force-pushed
the
gdifolco/WPB-20056-scim-group-delete
branch
from
e1d7099 to
154f9e8
Compare
battermann
left a comment
battermann
left a comment
There was a problem hiding this comment.
I would like to have an integration test.
Are brig errors corrected mapped to SCIM errors? (Integration tests might show)
libs/wire-subsystems/src/Wire/UserGroupSubsystem/Interpreter.hs
Outdated
Show resolved
Hide resolved
libs/wire-subsystems/src/Wire/UserGroupSubsystem/Interpreter.hs
Outdated
Show resolved
Hide resolved
libs/wire-subsystems/test/unit/Wire/ScimSubsystem/InterpreterSpec.hs
Outdated
Show resolved
Hide resolved
| [User] -> | ||
| Map TeamId [TeamMember] -> | ||
| Sem AllDependencies a -> | ||
| Either UGS.UserGroupSubsystemError (Either ScimSubsystemError a) |
There was a problem hiding this comment.
please don't involve user group subsystem here, this is supposed to work on spar, so the interpreter should use brig internal api instead.
the errors returned from there should be translated into errors from the hscim library wrapped in ScimSubsystemError.
(i want to remove ScimSubsystemError and replace it with ScimError, but in a different PR.)
There was a problem hiding this comment.
I disagree, in tests I need to check it throws.
| Scim.notFound "group members" badIds | ||
| ScimSubsystemScimGroupWithNonScimMembers badIds -> | ||
| Scim.badRequest Scim.InvalidValue (Just $ "These users are not \"managed_by\" = \"scim\": " <> renderIds badIds) | ||
| ScimSubsystemInternalError _ -> |
There was a problem hiding this comment.
i think there is also a scim error for that ("serverError" or something?), so you can use ScimSubsystemError here as well.
There was a problem hiding this comment.
I'm not sure to understand, it's defined as:
serverError ::
-- | Error details
Text ->
ScimError
serverError details =
ScimError
{ schemas = [Error20],
status = Status 500,
scimType = Nothing,
detail = pure details
}There was a problem hiding this comment.
please ignore me, still making up my mind about errors... 🙈
libs/wire-subsystems/test/unit/Wire/ScimSubsystem/InterpreterSpec.hs
Outdated
Show resolved
Hide resolved
| decodeBodyOrThrow ctx r = either (throw . ParseException ctx) pure (responseJsonEither r) | ||
|
|
||
| -- | Get statuses of all connections between two groups of users (the usual | ||
| -- \| Get statuses of all connections between two groups of users (the usual |
There was a problem hiding this comment.
is this a typo? anyway this should be haddocks documentation.
There was a problem hiding this comment.
It's the formater
There was a problem hiding this comment.
ormolu? hum, it seems wrong, but i don't want to fight ormolu... 👍
blackheaven
force-pushed
the
gdifolco/WPB-20056-scim-group-delete
branch
4 times, most recently
from
e4e4b9a to
37e2ad2
Compare
| (owner, tid, []) <- createTeam OwnDomain 1 | ||
| tok <- createScimToken owner def >>= getJSON 200 >>= (%. "token") >>= asString | ||
| (owner, tid, _) <- createTeam OwnDomain 1 | ||
| tok <- createScimTokenV6 owner def >>= \resp -> resp.json %. "token" >>= asString |
There was a problem hiding this comment.
hum, didn't the other work? if so we should probably fix it, right? (probably not in this PR, though)
There was a problem hiding this comment.
I have applied #4833 (comment) should I revert it?
| decodeBodyOrThrow ctx r = either (throw . ParseException ctx) pure (responseJsonEither r) | ||
|
|
||
| -- | Get statuses of all connections between two groups of users (the usual | ||
| -- \| Get statuses of all connections between two groups of users (the usual |
There was a problem hiding this comment.
ormolu? hum, it seems wrong, but i don't want to fight ormolu... 👍
| [User] -> | ||
| Map TeamId [TeamMember] -> | ||
| Sem AllDependencies a -> | ||
| Either UGS.UserGroupSubsystemError (Either ScimSubsystemError a) |
| Scim.notFound "group members" badIds | ||
| ScimSubsystemScimGroupWithNonScimMembers badIds -> | ||
| Scim.badRequest Scim.InvalidValue (Just $ "These users are not \"managed_by\" = \"scim\": " <> renderIds badIds) | ||
| ScimSubsystemInternalError _ -> |
There was a problem hiding this comment.
please ignore me, still making up my mind about errors... 🙈
There was a problem hiding this comment.
yes, you win, this is at least as nice as what we had before! :)
blackheaven
force-pushed
the
gdifolco/WPB-20056-scim-group-delete
branch
from
d2504a8 to
66b2313
Compare
blackheaven
force-pushed
the
gdifolco/WPB-20056-scim-group-delete
branch
from
66b2313 to
91e928a
Compare
https://wearezeta.atlassian.net/browse/WPB-20056
Checklist
changelog.d