sources/scim: fix duplicate service account users and changing token…

… (cherry-pick goauthentik#10735) (goauthentik#10737) sources/scim: fix duplicate service account users and changing token (goauthentik#10735) Signed-off-by: Jens Langhammer <[email protected]> Co-authored-by: Jens L. <[email protected]>
mayflower · Aug 2, 2024 · fb9aa9d · fb9aa9d
1 parent fe7662f
commit fb9aa9d
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 25 deletions.
diff --git a/authentik/sources/scim/models.py b/authentik/sources/scim/models.py
@@ -1,7 +1,5 @@
 """SCIM Source"""
 
-from uuid import uuid4
-
 from django.db import models
 from django.templatetags.static import static
 from django.utils.translation import gettext_lazy as _
@@ -19,8 +17,6 @@ class SCIMSource(Source):
 
     @property
     def service_account_identifier(self) -> str:
-        if not self.pk:
-            self.pk = uuid4()
         return f"ak-source-scim-{self.pk}"
 
     @property

diff --git a/authentik/sources/scim/signals.py b/authentik/sources/scim/signals.py
@@ -1,41 +1,44 @@
 from django.db.models import Model
-from django.db.models.signals import pre_delete, pre_save
+from django.db.models.signals import post_delete, post_save
 from django.dispatch import receiver
 
 from authentik.core.models import USER_PATH_SYSTEM_PREFIX, Token, TokenIntents, User, UserTypes
+from authentik.events.middleware import audit_ignore
 from authentik.sources.scim.models import SCIMSource
 
 USER_PATH_SOURCE_SCIM = USER_PATH_SYSTEM_PREFIX + "/sources/scim"
 
 
-@receiver(pre_save, sender=SCIMSource)
-def scim_source_pre_save(sender: type[Model], instance: SCIMSource, **_):
+@receiver(post_save, sender=SCIMSource)
+def scim_source_post_save(sender: type[Model], instance: SCIMSource, created: bool, **_):
     """Create service account before source is saved"""
-    # .service_account_identifier will auto-assign a primary key uuid to the source
-    # if none is set yet, just so we can get the identifier before we save
     identifier = instance.service_account_identifier
-    user = User.objects.create(
+    user, _ = User.objects.update_or_create(
         username=identifier,
-        name=f"SCIM Source {instance.name} Service-Account",
-        type=UserTypes.INTERNAL_SERVICE_ACCOUNT,
-        path=USER_PATH_SOURCE_SCIM,
+        defaults={
+            "name": f"SCIM Source {instance.name} Service-Account",
+            "type": UserTypes.INTERNAL_SERVICE_ACCOUNT,
+            "path": USER_PATH_SOURCE_SCIM,
+        },
     )
-    token = Token.objects.create(
-        user=user,
+    token, token_created = Token.objects.update_or_create(
         identifier=identifier,
-        intent=TokenIntents.INTENT_API,
-        expiring=False,
-        managed=f"goauthentik.io/sources/scim/{instance.pk}",
+        defaults={
+            "user": user,
+            "intent": TokenIntents.INTENT_API,
+            "expiring": False,
+            "managed": f"goauthentik.io/sources/scim/{instance.pk}",
+        },
     )
-    instance.token = token
+    if created or token_created:
+        with audit_ignore():
+            instance.token = token
+            instance.save()
 
 
-@receiver(pre_delete, sender=SCIMSource)
-def scim_source_pre_delete(sender: type[Model], instance: SCIMSource, **_):
-    """Delete SCIM Source service account before deleting source"""
-    Token.objects.filter(
-        identifier=instance.service_account_identifier, intent=TokenIntents.INTENT_API
-    ).delete()
+@receiver(post_delete, sender=SCIMSource)
+def scim_source_post_delete(sender: type[Model], instance: SCIMSource, **_):
+    """Delete SCIM Source service account after deleting source"""
     User.objects.filter(
         username=instance.service_account_identifier, type=UserTypes.INTERNAL_SERVICE_ACCOUNT
     ).delete()