Enable ServiceProviderConfig GET request

README.md

@@ -65,7 +65,18 @@ If connecting from another system, update the ALLOWED_HOSTS line `root/settings.
 ALLOWED_HOSTS = ['192.168.122.221', 'localhost', '127.0.0.1']
 ```
 
-And run the following to have django listen on all interfaces:
+as well as the NETLOC from SCIM_SERVICE_PROVIDER settings:
+
+```bash
+SCIM_SERVICE_PROVIDER = {
+    'NETLOC': 'localhost',
+...
+```
+and replace `localhost` by the IP address or hostname where the service is deployed. This way,
+the /ServiceProviderConfig endpoint will return the location of the app implementing the SCIM
+api.
+
+Finally, run the following to have django listen on all interfaces:
 
 ```bash
 python manage.py runserver 0.0.0.0:8000

src/ipa-tuura/ipatuura/models.py

@@ -2,14 +2,21 @@
 # Copyright (C) 2022  FreeIPA Contributors see COPYING for license
 #
 
+from urllib.parse import urljoin
+
 from django.contrib.auth.models import AbstractBaseUser
 from django.contrib.auth.models import UserManager
 from django.contrib.auth.models import GroupManager
 from django.db import models
 from django.db.utils import NotSupportedError
 from django.utils.translation import gettext_lazy as _
+from django.urls import reverse
 
+from django_scim.models import SCIMServiceProviderConfig
 from django_scim.models import AbstractSCIMGroupMixin, AbstractSCIMUserMixin
+from django_scim import constants
+from django_scim.settings import scim_settings
+from django_scim.utils import get_base_scim_location_getter
 
 from ipatuura.sssd import SSSD, SSSDNotFoundException
 
@@ -321,3 +328,61 @@ def user_set(self):
         else:
             self._user_set = CustomGroupUserRelationManager()
             return self._user_set
+
+
+class ServiceProviderConfig(SCIMServiceProviderConfig):
+    """
+    Service Provider Config model.
+    This overrides SCIMServiceProviderConfig to describe the
+    authentication_schemes and features that are implemented
+    by ipa-tuura.
+    """
+    def __init__(self, request=None):
+        self.request = request
+
+    @property
+    def meta(self):
+        return {
+            'location': self.location,
+            'resourceType': 'ServiceProviderConfig',
+        }
+
+    @property
+    def location(self):
+        path = reverse('scim:service-provider-config')
+        return urljoin(get_base_scim_location_getter()(self.request), path)
+
+    def to_dict(self):
+        return {
+            'schemas': [constants.SchemaURI.SERVICE_PROVIDER_CONFIG],
+            'documentationUri': scim_settings.DOCUMENTATION_URI,
+            # In order to support the PATCH method both:
+            # - ScimUser.handle_add
+            # - ScimUser.handle_replace
+            # must be implemented.
+            'patch': {
+                'supported': False,
+            },
+            'bulk': {
+                'supported': False,
+                'maxOperations': 1000,
+                'maxPayloadSize': 1048576,
+            },
+            # Django-SCIM2 does not fully support the all the
+            # SCIM2.0 filtering options (Section 3.4.2.2 of [RFC7644])
+            'filter': {
+                'supported': False,
+                'maxResults': 50,
+            },
+            'changePassword': {
+                'supported': True,
+            },
+            'sort': {
+                'supported': False,
+            },
+            'etag': {
+                'supported': False,
+            },
+            'authenticationSchemes': scim_settings.AUTHENTICATION_SCHEMES,
+            'meta': self.meta,
+        }

src/ipa-tuura/root/settings.py

@@ -139,10 +139,20 @@
     'USER_ADAPTER': 'ipatuura.adapters.SCIMUser',
     'GROUP_MODEL': 'ipatuura.models.Group',
     'GROUP_ADAPTER': 'ipatuura.adapters.SCIMGroup',
+    'SERVICE_PROVIDER_CONFIG_MODEL': 'ipatuura.models.ServiceProviderConfig',
     'USER_FILTER_PARSER': 'ipatuura.utils.SCIMUserFilterQuery',
     'GROUP_FILTER_PARSER': 'ipatuura.utils.SCIMGroupFilterQuery',
-    # TODO: read from keycloak/sssd.conf
-    # WRITABLE_IFACE values: ipa, ldap, ad
+    'DOCUMENTATION_URI': 'https://www.rfc-editor.org/rfc/rfc7644',
+    'AUTHENTICATION_SCHEMES': [
+        {
+            'type': 'httpbasic',
+            'name': 'HTTP Basic',
+            'description': 'Authentication scheme using the HTTP Basic Standard',
+            'specUri': 'http://www.rfc-editor.org/info/rfc2617',
+            'documentationUri': '',
+        },
+    ],
+    # TODO administrative end-point must configure these values:
     'WRITABLE_IFACE': 'ipa',
     'WRITABLE_USER': 'admin',
 }