feat: allow SCIM user deletion (#9190)

Co-authored-by: Gastón Fournier <[email protected]>

Author: sighphyre

frontend/src/component/admin/auth/ScimSettings/ScimDeleteUsersDialog.tsx

@@ -0,0 +1,36 @@
+import { Alert, styled, Typography } from '@mui/material';
+import { Dialogue } from 'component/common/Dialogue/Dialogue';
+
+const StyledAlert = styled(Alert)(({ theme }) => ({
+    marginBottom: theme.spacing(3),
+}));
+
+export type EntityType = 'Users' | 'Groups';
+
+interface IScimDeleteUsersProps {
+    open: boolean;
+    entityType: EntityType;
+    closeDialog: () => void;
+    deleteEntities: () => void;
+}
+
+export const ScimDeleteEntityDialog = ({
+    open,
+    closeDialog,
+    deleteEntities: removeUser,
+    entityType,
+}: IScimDeleteUsersProps) => (
+    <Dialogue
+        open={open}
+        primaryButtonText={`Delete SCIM ${entityType}`}
+        secondaryButtonText='Cancel'
+        title={`Do you really want to delete ALL SCIM ${entityType}?`}
+        onClose={closeDialog}
+        onClick={removeUser}
+    >
+        <Typography variant='body1'>
+            This will delete all {entityType.toLocaleLowerCase()} created or
+            managed by SCIM.
+        </Typography>
+    </Dialogue>
+);

frontend/src/component/admin/auth/ScimSettings/ScimSettings.tsx

@@ -9,6 +9,9 @@ import { formatUnknownError } from 'utils/formatUnknownError';
 import useToast from 'hooks/useToast';
 import { useScimSettingsApi } from 'hooks/api/actions/useScimSettingsApi/useScimSettingsApi';
 import { useScimSettings } from 'hooks/api/getters/useScimSettings/useScimSettings';
+import { ScimDeleteEntityDialog } from './ScimDeleteUsersDialog';
+import useAdminUsersApi from 'hooks/api/actions/useAdminUsersApi/useAdminUsersApi';
+import { useGroupApi } from 'hooks/api/actions/useGroupApi/useGroupApi';
 
 const StyledContainer = styled('div')(({ theme }) => ({
     padding: theme.spacing(3),
@@ -25,8 +28,12 @@ export const ScimSettings = () => {
     const { setToastData, setToastApiError } = useToast();
     const [newToken, setNewToken] = useState('');
     const [tokenGenerationDialog, setTokenGenerationDialog] = useState(false);
+    const [deleteGroupsDialog, setDeleteGroupsDialog] = useState(false);
+    const [deleteUsersDialog, setDeleteUsersDialog] = useState(false);
     const [tokenDialog, setTokenDialog] = useState(false);
     const { settings, refetch } = useScimSettings();
+    const { deleteScimUsers } = useAdminUsersApi();
+    const { deleteScimGroups } = useGroupApi();
     const [enabled, setEnabled] = useState(settings.enabled ?? true);
 
     useEffect(() => {
@@ -40,6 +47,34 @@ export const ScimSettings = () => {
         setTokenGenerationDialog(true);
     };
 
+    const onDeleteScimGroups = async () => {
+        try {
+            await deleteScimGroups();
+            setToastData({
+                text: 'Scim Groups have been deleted',
+                type: 'success',
+            });
+            setDeleteGroupsDialog(false);
+            refetch();
+        } catch (error: unknown) {
+            setToastApiError(formatUnknownError(error));
+        }
+    };
+
+    const onDeleteScimUsers = async () => {
+        try {
+            await deleteScimUsers();
+            setToastData({
+                text: 'Scim Users have been deleted',
+                type: 'success',
+            });
+            setDeleteUsersDialog(false);
+            refetch();
+        } catch (error: unknown) {
+            setToastApiError(formatUnknownError(error));
+        }
+    };
+
     const onGenerateNewTokenConfirm = async () => {
         setTokenGenerationDialog(false);
         const token = await generateNewToken();
@@ -138,6 +173,57 @@ export const ScimSettings = () => {
                         />
                     </Grid>
                 </Grid>
+
+                <Grid container spacing={3}>
+                    <Grid item md={10.5} mb={2}>
+                        <StyledTitleDiv>
+                            <strong>Delete SCIM Users</strong>
+                        </StyledTitleDiv>
+                        <p>
+                            This will remove all SCIM users from the Unleash
+                            database. This action cannot be undone through
+                            Unleash but the upstream SCIM provider may re sync
+                            these users.
+                        </p>
+                    </Grid>
+                    <Grid item md={1.5}>
+                        <Button
+                            variant='outlined'
+                            color='error'
+                            disabled={loading}
+                            onClick={() => {
+                                setDeleteUsersDialog(true);
+                            }}
+                        >
+                            Delete Users
+                        </Button>
+                    </Grid>
+                    <Grid item md={10.5} mb={2}>
+                        <StyledTitleDiv>
+                            <strong>Delete SCIM Groups</strong>
+                        </StyledTitleDiv>
+                        <p>
+                            This will remove all SCIM groups from the Unleash
+                            database. This action cannot be undone through
+                            Unleash but the upstream SCIM provider may re sync
+                            these groups. Note that this may affect the
+                            permissions of users present in those groups.
+                        </p>
+                    </Grid>
+                    <Grid item md={1.5}>
+                        <Button
+                            variant='outlined'
+                            color='error'
+                            disabled={loading}
+                            onClick={() => {
+                                setDeleteGroupsDialog(true);
+                            }}
+                        >
+                            Delete Groups
+                        </Button>
+                    </Grid>
+                </Grid>
+
                 <ScimTokenGenerationDialog
                     open={tokenGenerationDialog}
                     setOpen={setTokenGenerationDialog}
@@ -148,6 +234,20 @@ export const ScimSettings = () => {
                     setOpen={setTokenDialog}
                     token={newToken}
                 />
+
+                <ScimDeleteEntityDialog
+                    open={deleteUsersDialog}
+                    closeDialog={() => setDeleteUsersDialog(false)}
+                    deleteEntities={onDeleteScimUsers}
+                    entityType='Users'
+                />
+
+                <ScimDeleteEntityDialog
+                    open={deleteGroupsDialog}
+                    closeDialog={() => setDeleteGroupsDialog(false)}
+                    deleteEntities={onDeleteScimGroups}
+                    entityType='Groups'
+                />
             </StyledContainer>
         </>
     );

frontend/src/component/admin/groups/Group/Group.tsx

@@ -270,11 +270,8 @@ export const Group: VFC = () => {
                                     onClick={() => setRemoveOpen(true)}
                                     permission={ADMIN}
                                     tooltipProps={{
-                                        title: isScimGroup
-                                            ? scimGroupTooltip
-                                            : 'Delete group',
+                                        title: 'Delete group',
                                     }}
-                                    disabled={isScimGroup}
                                 >
                                     <Delete />
                                 </PermissionIconButton>

frontend/src/component/admin/groups/GroupsList/GroupCard/GroupCardActions.tsx

@@ -125,7 +125,6 @@ export const GroupCardActions: FC<IGroupCardActions> = ({
                             onRemove();
                             handleClose();
                         }}
-                        disabled={isScimGroup}
                     >
                         <ListItemIcon>
                             <Delete />

frontend/src/component/admin/users/UsersList/DeleteUser/DeleteUser.tsx

@@ -77,6 +77,9 @@ const DeleteUser = ({
                           })`
                         : ''}
                     ?
+                    {user.scimId
+                        ? ' This user is currently managed by SCIM and may be re-added by your SCIM provider.'
+                        : ''}
                 </Typography>
             </div>
         </Dialogue>

frontend/src/component/admin/users/UsersList/UsersActionsCell/UsersActionsCell.tsx

@@ -91,9 +91,8 @@ export const UsersActionsCell: VFC<IUsersActionsCellProps> = ({
                 onClick={onDelete}
                 permission={ADMIN}
                 tooltipProps={{
-                    title: isScimUser ? scimTooltip : 'Remove user',
+                    title: 'Remove user',
                 }}
-                disabled={isScimUser}
             >
                 <Delete />
             </PermissionIconButton>

frontend/src/hooks/api/actions/useAdminUsersApi/useAdminUsersApi.ts

@@ -94,13 +94,27 @@ const useAdminUsersApi = () => {
         return makeRequest(req.caller, req.id);
     };
 
+    const deleteScimUsers = async () => {
+        const requestId = 'deleteScimUsers';
+        const req = createRequest(
+            'api/admin/user-admin/scim-users',
+            {
+                method: 'DELETE',
+            },
+            requestId,
+        );
+
+        return makeRequest(req.caller, req.id);
+    };
+
     return {
         addUser,
         updateUser,
         removeUser,
         changePassword,
         validatePassword,
         resetPassword,
+        deleteScimUsers,
         userApiErrors: errors,
         userLoading: loading,
     };

frontend/src/hooks/api/actions/useGroupApi/useGroupApi.ts

@@ -46,10 +46,20 @@ export const useGroupApi = () => {
         await makeRequest(req.caller, req.id);
     };
 
+    const deleteScimGroups = async () => {
+        const path = `api/admin/groups/scim-groups`;
+        const req = createRequest(path, {
+            method: 'DELETE',
+        });
+
+        await makeRequest(req.caller, req.id);
+    };
+
     return {
         createGroup,
         updateGroup,
         removeGroup,
+        deleteScimGroups,
         errors,
         loading,
     };

src/lib/db/group-store.ts

@@ -354,4 +354,8 @@ export default class GroupStore implements IGroupStore {
         const { present } = result.rows[0];
         return present;
     }
+
+    async deleteScimGroups(): Promise<void> {
+        await this.db(T.GROUPS).whereNotNull('scim_id').del();
+    }
 }

src/lib/db/user-store.ts

@@ -274,6 +274,10 @@ class UserStore implements IUserStore {
         await this.activeUsers().del();
     }
 
+    async deleteScimUsers(): Promise<void> {
+        await this.db(TABLE).whereNotNull('scim_id').del();
+    }
+
     async count(): Promise<number> {
         return this.activeUsers()
             .count('*')

src/lib/routes/admin-api/user-admin.ts

@@ -411,6 +411,26 @@ export default class UserAdminController extends Controller {
             ],
         });
 
+        this.route({
+            method: 'delete',
+            path: '/scim-users',
+            acceptAnyContentType: true,
+            handler: this.deleteScimUsers,
+            permission: ADMIN,
+            middleware: [
+                openApiService.validPath({
+                    tags: ['Users'],
+                    operationId: 'deleteScimUsers',
+                    summary: 'Delete all SCIM users',
+                    description: 'Deletes all users managed by SCIM',
+                    responses: {
+                        200: emptyResponse,
+                        ...getStandardResponses(401, 403),
+                    },
+                }),
+            ],
+        });
+
         this.route({
             method: 'delete',
             path: '/:id',
@@ -654,8 +674,6 @@ export default class UserAdminController extends Controller {
         const { user, params } = req;
         const { id } = params;
 
-        await this.throwIfScimUser({ id });
-
         await this.userService.deleteUser(+id, req.audit);
         res.status(200).send();
     }
@@ -766,4 +784,10 @@ export default class UserAdminController extends Controller {
             Boolean((await this.userService.getUser(id)).scimId)
         );
     }
+
+    async deleteScimUsers(req: IAuthRequest, res: Response): Promise<void> {
+        const { audit } = req;
+        await this.userService.deleteScimUsers(audit);
+        res.status(200).send();
+    }
 }

src/lib/services/group-service.ts

@@ -21,6 +21,7 @@ import {
     GROUP_CREATED,
     GroupUserAdded,
     GroupUserRemoved,
+    ScimGroupsDeleted,
     type IBaseEvent,
 } from '../types/events';
 import NameExistsError from '../error/name-exists-error';
@@ -310,6 +311,16 @@ export class GroupService {
         }
     }
 
+    async deleteScimGroups(auditUser: IAuditUser): Promise<void> {
+        await this.groupStore.deleteScimGroups();
+        await this.eventService.storeEvent(
+            new ScimGroupsDeleted({
+                data: null,
+                auditUser,
+            }),
+        );
+    }
+
     private mapGroupWithUsers(
         group: IGroup,
         allGroupUsers: IGroupUser[],

src/lib/services/user-service.ts

@@ -24,6 +24,7 @@ import type SessionService from './session-service';
 import type { IUnleashStores } from '../types/stores';
 import PasswordUndefinedError from '../error/password-undefined';
 import {
+    ScimUsersDeleted,
     UserCreatedEvent,
     UserDeletedEvent,
     UserUpdatedEvent,
@@ -401,6 +402,17 @@ class UserService {
         );
     }
 
+    async deleteScimUsers(auditUser: IAuditUser): Promise<void> {
+        await this.store.deleteScimUsers();
+
+        await this.eventService.storeEvent(
+            new ScimUsersDeleted({
+                data: null,
+                auditUser,
+            }),
+        );
+    }
+
     async loginUser(
         usernameOrEmail: string,
         password: string,