Open
Conversation
Contributor
dasarinaidu
commented
Mar 20, 2026
dasarinaidu
commented
- Automated SCIM endpoints
- Started with OpenLdap AuthProvider
- Will add more provider tests in upcoming PRs
dasarinaidu
requested review from
Priyashetty17,
Copilot and
joesims22
and removed request for
Copilot
dasarinaidu
force-pushed
the
scim-card-validations-with-openldap
branch
3 times, most recently
from
572b5f5 to
5356596
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Adds an initial end-to-end SCIM 2.0 automation suite targeting the OpenLDAP auth provider, along with a new SCIM actions client to exercise SCIM endpoints and validate expected Rancher behavior.
Changes:
- Introduces a new SCIM OpenLDAP validation suite covering discovery, CRUD (users/groups), patch semantics, pagination, and RBAC bindings.
- Adds a reusable SCIM actions client/helper utilities for feature-flag handling and SCIM token secret management.
- Documents SCIM test prerequisites and required
cattle-config.yamlinputs.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| validation/auth/scim/scim_openldap_test.go | New OpenLDAP-focused SCIM validation suite with extensive endpoint and RBAC coverage. |
| validation/auth/scim/README.md | New documentation for configuring and running the SCIM OpenLDAP test suite. |
| actions/scim/scim.go | New SCIM HTTP client and setup helpers (feature flag + auth provider enablement + token secret handling). |
Comment on lines
+702
to
+721
| func (s *SCIMOpenLDAPTestSuite) TestSCIMCannotDeleteDefaultAdmin() { | ||
| subSession := s.session.NewSession() | ||
| defer subSession.Cleanup() | ||
|
|
||
| logrus.Info("Verifying default admin user is not visible via SCIM (local users are not SCIM-provisioned)") | ||
|
|
||
| params := url.Values{} | ||
| params.Set("filter", `userName eq "admin"`) | ||
|
|
||
| resp, err := s.scim.Users().List(params) | ||
| require.NoError(s.T(), err) | ||
| require.Equal(s.T(), http.StatusOK, resp.StatusCode, "Filter request should return 200, body: %s", string(resp.Body)) | ||
|
|
||
| var body map[string]interface{} | ||
| err = resp.DecodeJSON(&body) | ||
| require.NoError(s.T(), err) | ||
|
|
||
| resources, _ := body["Resources"].([]interface{}) | ||
| require.Empty(s.T(), resources, "Local admin should not appear in SCIM — only SCIM-provisioned users are returned") | ||
| } |
There was a problem hiding this comment.
The test name suggests a delete is attempted, but the test only asserts the local "admin" user does not appear in SCIM list results. Rename the test to reflect the actual assertion (e.g., that local users are not returned by SCIM), or add a delete attempt if that's the intended behavior to verify.
Priyashetty17
requested changes
Mar 23, 2026
dasarinaidu
force-pushed
the
scim-card-validations-with-openldap
branch
from
5356596 to
af1cd19
Compare
actions/go.mod
Outdated
| sigs.k8s.io/yaml v1.6.0 // indirect | ||
| ) | ||
|
|
||
| replace github.com/rancher/shepherd => github.com/dasarinaidu/shepherd v0.0.0-20260324045604-66c21b128aaf |
actions/go.sum
Outdated
| github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= | ||
| github.com/creasty/defaults v1.5.2 h1:/VfB6uxpyp6h0fr7SPp7n8WJBoV8jfxQXPCnkVSjyls= | ||
| github.com/creasty/defaults v1.5.2/go.mod h1:FPZ+Y0WNrbqOVw+c6av63eyHUAl6pMHZwqLPvXUZGfY= | ||
| github.com/dasarinaidu/shepherd v0.0.0-20260324045604-66c21b128aaf/go.mod h1:SJtW8Jqv0rphZzsGnvB965YdyR2FqFtB+TbbzVLt8F4= |
Contributor
There was a problem hiding this comment.
Waiting for shepherd merge to approve
dasarinaidu
force-pushed
the
scim-card-validations-with-openldap
branch
4 times, most recently
from
f779c8c to
e8a2ced
Compare
dasarinaidu
force-pushed
the
scim-card-validations-with-openldap
branch
2 times, most recently
from
d4ae9cd to
17a55b4
Compare
lscalabrini01
previously approved these changes
Apr 1, 2026
dasarinaidu
force-pushed
the
scim-card-validations-with-openldap
branch
from
17a55b4 to
659ab43
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.