Fix SCIM API Application Context

The SCIM API needs to override the Application Context and set the user to nil since the SCIM API doesn't operate in the context of a user. Rather, the SCIM API uses a static token specific to the group enabling SCIM. Without overriding the context saving a user will hang when attempting to resolve the current_user set in the Application Context in the main API (lib/api/api.rb).

Fix SCIM API Application Context
The SCIM API needs to override the Application Context and set the user to nil since the SCIM API doesn't operate in the context of a user. Rather, the SCIM API uses a static token specific to the group enabling SCIM. Without overriding the context saving a user will hang when attempting to resolve the current_user set in the Application Context in the main API (lib/api/api.rb).
e530327a · Drew Blessing · Bob Van Landuyt · e248f6fc · e530327a · e530327a
Commit e530327a authored Mar 06, 2020 by Drew Blessing Committed by Bob Van Landuyt Mar 06, 2020
4 changed files
--- a/ee/changelogs/unreleased/dblessing-scim-api-context.yml
+++ b/ee/changelogs/unreleased/dblessing-scim-api-context.yml
+---
+title: Fix SCIM API not creating new users
+merge_request: 26514
+author:
+type: fixed
--- a/ee/lib/api/scim.rb
+++ b/ee/lib/api/scim.rb
@@ -51,14 +51,16 @@ module API
          unauthorized! unless token && ScimOauthAccessToken.token_matches_for_group?(token, group)
        end
+        # Instance variable `@group` is necessary for the
+        # Gitlab::ApplicationContext in API::API
        def find_and_authenticate_group!(group_path)
-          group = find_group(group_path)
+          @group = find_group(group_path)
-          scim_not_found!(message: "Group #{group_path} not found") unless group
+          scim_not_found!(message: "Group #{group_path} not found") unless @group
-          check_access_to_group!(group)
+          check_access_to_group!(@group)
-          group
+          @group
        end
        # rubocop: disable CodeReuse/ActiveRecord

--- a/ee/spec/requests/api/scim_spec.rb
+++ b/ee/spec/requests/api/scim_spec.rb
@@ -136,6 +136,12 @@ describe API::Scim do
        end
      end
+      it_behaves_like 'storing arguments in the application context' do
+        let(:expected_params) { { root_namespace: group.full_path_components.first } }
+        subject { post scim_api("scim/v2/groups/#{group.full_path}/Users?params=#{post_params}") }
+      end
      context 'with allowed domain setting switched on' do
        let(:new_user) { User.find_by_email('work@example.com') }
        let(:member) { GroupMember.find_by(user: new_user, group: group) }

--- a/lib/api/api.rb
+++ b/lib/api/api.rb
@@ -45,7 +45,7 @@ module API
    before do
      Gitlab::ApplicationContext.push(
-        user: -> { current_user },
+        user: -> { @current_user },
        project: -> { @project },
        namespace: -> { @group },
        caller_id: route.origin