Implement `PATCH /Groups/:id` SCIM endpoint for self-managed

This is part of Implement `PUT /Groups/:id` and `PATCH /Groups/... (#509428 - closed).

What does this MR do and why?

This MR implements the PATCH /Groups/:id SCIM endpoint for self-managed instances. This endpoint allows identity providers to update SCIM group membership by adding users to groups. This is part of the SCIM group sync functionality being developed in epic &15990 (closed).

The work here is behind the same feature flag as the previous SCIM group endpoints (`self_managed_scim_group_sync`), which defaults to disabled. The endpoint:

  • Supports adding users to groups based on their SCIM identities
  • Handles the "Add" operation for the "members" path, and accepts "Add" on the "externalId" path as a no-op
  • Works with multiple group links that share the same SCIM group ID
  • Follows SCIM protocol standards for case-insensitive operations and paths

NOTE: Removing members will be implemented separately once the overall approach suggested here is validated.

References

How to set up and validate locally

  1. Make sure you have SAML enabled on your GDK.
  2. Enter the Rails console:

     gdk rails c

  3. Create test SAML group links and user identities:

     # Create a group and SAML link with SCIM ID
     group = Group.first # or create a specific test group
     saml_group_link = SamlGroupLink.create!(
       group: group,
       saml_group_name: "engineering",
       access_level: Gitlab::Access::DEVELOPER,
       scim_group_uid: SecureRandom.uuid
     )
     puts saml_group_link.scim_group_uid # Copy this UUID for the curl command

     # Create a user with SCIM identity
     user = User.first # or create a specific test user
     identity = ScimIdentity.create!(
       user: user,
       extern_uid: "user-scim-id",
       active: true
     )
     puts identity.extern_uid # Copy this ID for the request payload

  4. Enable the required feature flag:

     Feature.enable(:self_managed_scim_group_sync)

  5. Create a SCIM access token if needed:

     token = ScimOauthAccessToken.create!
     puts token.token # Copy this token for the curl command

  6. Make the API request to add a user to the group (the SCIM PATCH body uses the PatchOp message schema from RFC 7644):

     curl --location --request PATCH 'http://localhost:3000/api/scim/v2/application/Groups/YOUR_GROUP_UUID' \
       --header 'Accept: application/scim+json' \
       --header 'Authorization: Bearer YOUR_TOKEN' \
       --data '{
         "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
         "Operations": [
           {
             "op": "Add",
             "path": "members",
             "value": [
               { "value": "user-scim-id" }
             ]
           }
         ]
       }'

Expected Results

  • API call should return 204 No Content status code when successful
  • The specified user should be added to the SAML group-linked GitLab group
  • Multiple SAML group links with the same SCIM ID should all have the user added
  • Non-existent group IDs should return 404
  • Invalid operations should be gracefully handled
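The following is an added example, not code from this MR or from GitLab, showing the request handling the endpoint description and the expected results above imply: case-insensitive op and path, `externalId` as a no-op, unsupported operations tolerated, 404 for an unknown SCIM group ID, and one user added through every group link that shares the SCIM group UID. The payload, `GROUP_LINKS` and `SCIM_IDENTITIES` are constructed stand-ins for `SamlGroupLink` and `ScimIdentity` lookups.

```ruby
require 'json'

# Constructed SCIM PatchOp body in the shape of the curl request above:
# mixed-case op/path, an externalId no-op, and an unsupported remove.
SAMPLE_PATCH = JSON.generate(
  "schemas" => ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations" => [
    { "op" => "add", "path" => "MEMBERS",
      "value" => [{ "value" => "user-scim-id" }, { "value" => "unknown-id" }] },
    { "op" => "Add", "path" => "externalId", "value" => "engineering" },
    { "op" => "Remove", "path" => "members", "value" => [{ "value" => "user-scim-id" }] }
  ]
)
# Constructed stand-ins for SamlGroupLink and ScimIdentity lookups:
# scim_group_uid => linked GitLab groups, extern_uid => username.
GROUP_LINKS = { "group-uid-1" => ["gitlab-org", "gitlab-com"] }.freeze
SCIM_IDENTITIES = { "user-scim-id" => "alice" }.freeze

class ScimGroupPatch
  Result = Struct.new(:status, :added, :unsupported)
  def initialize(group_links: GROUP_LINKS, identities: SCIM_IDENTITIES)
    @group_links = group_links
    @identities = identities
  end

  # Returns the HTTP status, (group, user) pairs added, and ignored operations.
  def call(scim_group_uid, body)
    links = @group_links.fetch(scim_group_uid, [])
    return Result.new(404, [], []) if links.empty?

    added, unsupported = [], []
    JSON.parse(body).fetch("Operations", []).each do |operation|
      # SCIM op names and paths are case-insensitive (RFC 7644 section 3.5.2).
      op = operation["op"].to_s.downcase
      path = operation["path"].to_s.downcase
      if op == "add" && path == "members"
        Array(operation["value"]).each do |entry|
          user = @identities[entry["value"]]
          next unless user # no ScimIdentity for this extern_uid: skip it
          links.each { |group| added << [group, user] } # every link with this SCIM ID
        end
      elsif op == "add" && path == "externalid"
        next # externalId is accepted as a no-op
      else
        unsupported << "#{op} #{path}" # handled gracefully, not a failure
      end
    end
    Result.new(204, added, unsupported)
  end
end
```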

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Paulo Barros
