aserto-dev · florindragos · Apr 30, 2025 · Apr 23, 2025 · Apr 23, 2025 · Apr 24, 2025
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -57,6 +57,7 @@ jobs:
           gotestsum --format short-verbose -- -count=1 -v ${{ matrix.package }}/...
 
   push:
+    needs: [test]
     runs-on: ubuntu-latest
     # when on a branch only push if the branch is main
     # always push when ref is a tag
@@ -107,18 +108,6 @@ jobs:
           git config --global user.name "Aserto Bot"
           eval `ssh-agent`
           ssh-add $HOME/.ssh/id_rsa
-      -
-        name: Wait for tests to succeed
-        uses: fountainhead/action-wait-for-check@v1.1.0
-        id: wait-for-tests
-        with:
-          token: ${{ env.READ_WRITE_TOKEN }}
-          checkName: test
-          ref: ${{ github.event.pull_request.head.sha || github.sha }}
-      -
-        name: Stop if tests fail
-        if: steps.wait-for-tests.outputs.conclusion != 'success'
-        run: exit 1
       -
         name: Push image to GitHub Container Registry
         uses: goreleaser/goreleaser-action@v6

diff --git a/README.md b/README.md
@@ -5,7 +5,6 @@ The Aserto SCIM service uses the SCIM 2.0 protocol to import data into the Asert
 ```yaml
 ---
 logging:
-  prod: true
   log_level: info
 server:
   listen_address: ":8080"
@@ -18,17 +17,30 @@ server:
       enabled: true
       token: "scim"
 directory:
-  address: "directory.prod.aserto.com:8443"
-  tenant_id: "your_tenant_id"
-  api_key: "your_directory_rw_api_key"
+  address: "localhost:9292"
+  no_tls: true
 scim:
-  create_email_identities: true
-  create_role_groups: true
-  group_mappings:
-    - subject_id: app-admin
+  user:
+    object_type: user
+    identity_object_type: identity
+    identity_relation: user#identifier
+    property_mapping: 
+      enabled: active
+    source_object_type: scim_user
+    manager_relation: manager
+  group:
+    object_type: group
+    group_member_relation: member
+    source_object_type: scim_group
+  role:
+    object_type: group
+    role_relation: member
+  relations:
+    - object_id: system
       object_type: system
-      object_id: administrators
-      relation: member
+      relation: admin
+      subject_id: admins
+      subject_type: group
       subject_relation: member
 ```
 
@@ -78,6 +90,8 @@ curl  -X POST \
 }'
 ```
 
+The create operation will return a user ID, which will be used to identify the user from now on
+
 ### get a user
 `curl -X 'GET' 'http://127.0.0.1:8080/Users/{user id}' `
 
@@ -139,13 +153,14 @@ curl  -X PATCH \
 ]}'
 ```
 
-### create a relation from an imported group to a aserto user (e.g. giving admin permission to users that are port of an imported group)
+### create a relation from an imported group to a user (e.g. giving admin permission to users that are port of an imported group)
 ```
-  group_mappings:
-    - subject_id: app-admin
+  relations:
+    - object_id: system
       object_type: system
-      object_id: administrators
       relation: admin
+      subject_id: admins
+      subject_type: group
       subject_relation: member
 ```
-This will create a `admin` relation with `member` subject relation between the imported `add-admin` group and the already created object with id `administrators` ant type `system`
+This will create a `admin` relation with `member` subject relation between the `admins` group and the object with id `system` and type `system`
diff --git a/common/assets.go b/common/assets.go
@@ -1,14 +1,12 @@
 package common
 
 import (
-	"embed"
-	"fmt"
+	_ "embed"
 )
 
-//go:embed assets/*
-var staticAssets embed.FS
+//go:embed assets/template.tmpl
+var template []byte
 
-func LoadTemplate(templateName string) ([]byte, error) {
-	templateFile := fmt.Sprintf("assets/%s.tmpl", templateName)
-	return staticAssets.ReadFile(templateFile)
+func LoadDefaultTemplate() []byte {
+	return template
 }
diff --git a/common/assets/users-groups-roles.tmpl → common/assets/template.tmpl b/common/assets/users-groups-roles.tmpl → common/assets/template.tmpl
@@ -2,7 +2,7 @@
   "objects": [
   {{- if eq .objectType "user" }}
     {
-      "id": "{{ $.input.userName }}",
+      "id": "{{ $.objectId }}",
       "type": "{{ $.vars.user.object_type }}",
       "displayName": "{{ $.input.displayName }}"
     },
@@ -50,7 +50,7 @@
     {{- end }}
   {{- else }}
     {
-      "id": "{{ $.input.displayName }}",
+      "id": "{{ $.objectId }}",
       "type": "{{ $.vars.group.object_type }}",
       "displayName": "{{ $.input.displayName }}"
     }
@@ -61,14 +61,10 @@
     {{- $idRelationMap := splitn "#" 2 $.vars.user.identity_relation }}
     {{- $idObjType := $idRelationMap._0 }}
     {{- $idRelation := $idRelationMap._1 }}
-    {{- $idSubjType := $.vars.user.object_type }}
-    {{- $objId := $.input.userName }}
-    {{- $subjId := $.input.userName }}
-
-    {{- if eq $idObjType $.vars.user.object_type }}
-    {{- $idSubjType = $.vars.user.identity_object_type }}
-    {{- $subjId = $.input.userName }}
-    {{- end }}
+    {{- $idSubjType := ternary $.vars.user.identity_object_type $.vars.user.object_type (eq $idObjType $.vars.user.object_type) }}  
+
+    {{- $objId := ternary $.objectId $.input.userName (eq $idObjType $.vars.user.object_type) }}
+    {{- $subjId := ternary $.input.userName $.objectId (eq $idObjType $.vars.user.object_type) }}
     {
       "object_type": "{{ $idObjType }}",
       "object_id": "{{ $objId }}",
@@ -77,14 +73,9 @@
       "subject_id": "{{ $subjId }}"
     },
    {{- range $i, $element := $.input.emails }}
-      {{- if $i }},{{ end }}
-      {{- if eq $idObjType $.vars.user.object_type }}
-      {{- $subjId = $element.value }}
-      {{- $objId := $.input.userName }}
-    {{- else }}
-      {{- $subjId := $.input.userName }}
-      {{- $objId = $element.value }}
-    {{- end }}
+      {{- $objId := ternary $.objectId $element.value (eq $idObjType $.vars.user.object_type) }}
+      {{- $subjId := ternary $element.value $.objectId (eq $idObjType $.vars.user.object_type) }}
+      {{ if $i }},{{ end }}
     {
       "object_type": "{{ $idObjType }}",
       "object_id": "{{ $objId }}",
@@ -95,13 +86,8 @@
     {{- end }}
     {{- if $.input.externalId }}
     ,
-    {{- if eq $idObjType $.vars.user.object_type }}
-      {{- $objId := $.input.userName }}
-      {{- $subjId = $.input.externalId }}
-    {{- else }}
-      {{- $objId = $.input.externalId }}
-      {{- $subjId = $.input.userName }}
-    {{- end }}
+    {{- $objId := ternary $.objectId $.input.externalId (eq $idObjType $.vars.user.object_type) }}
+    {{- $subjId := ternary $.input.externalId $.objectId (eq $idObjType $.vars.user.object_type) }}
     {
       "object_type": "{{ $idObjType }}",
       "object_id": "{{ $objId }}",
@@ -117,7 +103,7 @@
     ,
     {
       "object_type": "{{ $.vars.user.object_type }}",
-      "object_id": "{{ $.input.userName }}",
+      "object_id": "{{ $.objectId }}",
       "relation": "{{ $.vars.user.manager_relation }}",
       "subject_type": "{{ $.vars.user.object_type }}",
       "subject_id": "{{ $manager.manager.value }}"
@@ -133,7 +119,7 @@
       "object_id": "{{ $element.value }}",
       "relation": "{{ $.vars.role.role_relation }}",
       "subject_type": "{{ $.vars.user.object_type }}",
-      "subject_id": "{{ $.input.userName }}"
+      "subject_id": "{{ $.objectId }}"
     }
     {{- end }}
     {{- end }}
@@ -144,7 +130,7 @@
     {{ if $i }},{{ end }}
     {
       "object_type": "{{ $.vars.group.object_type }}",
-      "object_id": "{{ $.input.displayName }}",
+      "object_id": "{{ $.objectId }}",
       "relation": "{{ $.vars.group.group_member_relation }}",
       "subject_type": "{{ $.vars.user.object_type }}",
       "subject_id": "{{ $member.value }}"

diff --git a/common/assets/users-groups.tmpl b/common/assets/users-groups.tmpl