refactor: run SCIM jobs in context of gocron instead of custom implementation

2026-02-14 21:40:06 +00:00 · 2026-01-04 19:00:18 +01:00
parent d6a7b503ff
commit 4881130ead
16 changed files with 177 additions and 190 deletions
--- a/backend/internal/service/oidc_service.go
+++ b/backend/internal/service/oidc_service.go
@@ -56,6 +56,7 @@ type OidcService struct {
 	auditLogService    *AuditLogService
 	customClaimService *CustomClaimService
 	webAuthnService    *WebAuthnService
+	scimService        *ScimService

 	httpClient  *http.Client
 	jwkCache    *jwk.Cache
@@ -70,6 +71,7 @@ func NewOidcService(
 	auditLogService *AuditLogService,
 	customClaimService *CustomClaimService,
 	webAuthnService *WebAuthnService,
+	scimService *ScimService,
 	httpClient *http.Client,
 	fileStorage storage.FileStorage,
 ) (s *OidcService, err error) {
@@ -80,6 +82,7 @@ func NewOidcService(
 		auditLogService:    auditLogService,
 		customClaimService: customClaimService,
 		webAuthnService:    webAuthnService,
+		scimService:        scimService,
 		httpClient:         httpClient,
 		fileStorage:        fileStorage,
 	}
@@ -1088,6 +1091,7 @@ func (s *OidcService) UpdateAllowedUserGroups(ctx context.Context, id string, in
 		return model.OidcClient{}, err
 	}

+	s.scimService.ScheduleSync()
 	return client, nil
 }

--- a/backend/internal/service/scim_scheduler_service.go
+++ b/backend/internal/service/scim_scheduler_service.go
@@ -1,136 +0,0 @@
-package service
-
-import (
-	"context"
-	"errors"
-	"log/slog"
-	"sync"
-	"time"
-
-	"gorm.io/gorm"
-)
-
-// ScimSchedulerService schedules and triggers periodic synchronization
-// of SCIM service providers. Each provider is tracked independently,
-// and sync operations are run at or after their scheduled time.
-type ScimSchedulerService struct {
-	scimService      *ScimService
-	providerSyncTime map[string]time.Time
-	mu               sync.RWMutex
-}
-
-func NewScimSchedulerService(ctx context.Context, scimService *ScimService) (*ScimSchedulerService, error) {
-	s := &ScimSchedulerService{
-		scimService:      scimService,
-		providerSyncTime: make(map[string]time.Time),
-	}
-
-	err := s.start(ctx)
-	return s, err
-}
-
-// ScheduleSync forces the given provider to be synced soon by
-// moving its next scheduled time to 5 minutes from now.
-func (s *ScimSchedulerService) ScheduleSync(providerID string) {
-	s.setSyncTime(providerID, 5*time.Minute)
-}
-
-// start initializes the scheduler and begins the synchronization loop.
-// Syncs happen every hour by default, but ScheduleSync can be called to schedule a sync sooner.
-func (s *ScimSchedulerService) start(ctx context.Context) error {
-	if err := s.refreshProviders(ctx); err != nil {
-		return err
-	}
-
-	go func() {
-		const (
-			syncCheckInterval    = 5 * time.Second
-			providerRefreshDelay = time.Minute
-		)
-
-		ticker := time.NewTicker(syncCheckInterval)
-		defer ticker.Stop()
-		lastProviderRefresh := time.Now()
-
-		for {
-			select {
-			case <-ctx.Done():
-				return
-				// Runs every 5 seconds to check if any provider is due for sync
-			case <-ticker.C:
-				now := time.Now()
-				if now.Sub(lastProviderRefresh) >= providerRefreshDelay {
-					err := s.refreshProviders(ctx)
-					if err != nil {
-						slog.Error("Error refreshing SCIM service providers",
-							slog.Any("error", err),
-						)
-					} else {
-						lastProviderRefresh = now
-					}
-				}
-
-				var due []string
-				s.mu.RLock()
-				for providerID, syncTime := range s.providerSyncTime {
-					if !syncTime.After(now) {
-						due = append(due, providerID)
-					}
-				}
-				s.mu.RUnlock()
-
-				s.syncProviders(ctx, due)
-
-			}
-		}
-	}()
-
-	return nil
-}
-
-func (s *ScimSchedulerService) refreshProviders(ctx context.Context) error {
-	providers, err := s.scimService.ListServiceProviders(ctx)
-	if err != nil {
-		return err
-	}
-
-	inAHour := time.Now().Add(time.Hour)
-
-	s.mu.Lock()
-	for _, provider := range providers {
-		if _, exists := s.providerSyncTime[provider.ID]; !exists {
-			s.providerSyncTime[provider.ID] = inAHour
-		}
-	}
-	s.mu.Unlock()
-
-	return nil
-}
-
-func (s *ScimSchedulerService) syncProviders(ctx context.Context, providerIDs []string) {
-	for _, providerID := range providerIDs {
-		err := s.scimService.SyncServiceProvider(ctx, providerID)
-		if err != nil {
-			if errors.Is(err, gorm.ErrRecordNotFound) {
-				// Remove the provider from the schedule if it no longer exists
-				s.mu.Lock()
-				delete(s.providerSyncTime, providerID)
-				s.mu.Unlock()
-			} else {
-				slog.Error("Error syncing SCIM client",
-					slog.String("provider_id", providerID),
-					slog.Any("error", err),
-				)
-			}
-			continue
-		}
-		// A successful sync schedules the next sync in an hour
-		s.setSyncTime(providerID, time.Hour)
-	}
-}
-
-func (s *ScimSchedulerService) setSyncTime(providerID string, t time.Duration) {
-	s.mu.Lock()
-	s.providerSyncTime[providerID] = time.Now().Add(t)
-	s.mu.Unlock()
-}
--- a/backend/internal/service/scim_service.go
+++ b/backend/internal/service/scim_service.go
@@ -15,6 +15,7 @@ import (
 	"strings"
 	"time"

+	"github.com/go-co-op/gocron/v2"
 	"github.com/pocket-id/pocket-id/backend/internal/dto"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
@@ -32,6 +33,11 @@ const scimErrorBodyLimit = 4096

 type scimSyncAction int

+type Scheduler interface {
+	RegisterJob(ctx context.Context, name string, def gocron.JobDefinition, job func(ctx context.Context) error, runImmediately bool, extraOptions ...gocron.JobOption) error
+	RemoveJob(name string) error
+}
+
 const (
 	scimActionNone scimSyncAction = iota
 	scimActionCreated
@@ -48,15 +54,16 @@ type scimSyncStats struct {
 // ScimService handles SCIM provisioning to external service providers.
 type ScimService struct {
 	db         *gorm.DB
+	scheduler  Scheduler
 	httpClient *http.Client
 }

-func NewScimService(db *gorm.DB, httpClient *http.Client) *ScimService {
+func NewScimService(db *gorm.DB, scheduler Scheduler, httpClient *http.Client) *ScimService {
 	if httpClient == nil {
 		httpClient = &http.Client{Timeout: 20 * time.Second}
 	}

-	return &ScimService{db: db, httpClient: httpClient}
+	return &ScimService{db: db, scheduler: scheduler, httpClient: httpClient}
 }

 func (s *ScimService) GetServiceProvider(
@@ -132,6 +139,41 @@ func (s *ScimService) DeleteServiceProvider(ctx context.Context, serviceProvider
 		Error
 }

+//nolint:contextcheck
+func (s *ScimService) ScheduleSync() {
+	jobName := "ScheduledScimSync"
+	start := time.Now().Add(5 * time.Minute)
+
+	_ = s.scheduler.RemoveJob(jobName)
+
+	err := s.scheduler.RegisterJob(
+		context.Background(), jobName,
+		gocron.OneTimeJob(gocron.OneTimeJobStartDateTime(start)), s.SyncAll, false)
+
+	if err != nil {
+		slog.Error("Failed to schedule SCIM sync", slog.Any("error", err))
+	}
+}
+
+func (s *ScimService) SyncAll(ctx context.Context) error {
+	providers, err := s.ListServiceProviders(ctx)
+	if err != nil {
+		return err
+	}
+
+	var errs []error
+	for _, provider := range providers {
+		if ctx.Err() != nil {
+			errs = append(errs, ctx.Err())
+			break
+		}
+		if err := s.SyncServiceProvider(ctx, provider.ID); err != nil {
+			errs = append(errs, fmt.Errorf("failed to sync SCIM provider %s: %w", provider.ID, err))
+		}
+	}
+	return errors.Join(errs...)
+}
+
 func (s *ScimService) SyncServiceProvider(ctx context.Context, serviceProviderID string) error {
 	start := time.Now()
 	provider, err := s.GetServiceProvider(ctx, serviceProviderID)
--- a/backend/internal/service/user_group_service.go
+++ b/backend/internal/service/user_group_service.go
@@ -16,11 +16,12 @@ import (

 type UserGroupService struct {
 	db               *gorm.DB
+	scimService      *ScimService
 	appConfigService *AppConfigService
 }

-func NewUserGroupService(db *gorm.DB, appConfigService *AppConfigService) *UserGroupService {
-	return &UserGroupService{db: db, appConfigService: appConfigService}
+func NewUserGroupService(db *gorm.DB, appConfigService *AppConfigService, scimService *ScimService) *UserGroupService {
+	return &UserGroupService{db: db, appConfigService: appConfigService, scimService: scimService}
 }

 func (s *UserGroupService) List(ctx context.Context, name string, listRequestOptions utils.ListRequestOptions) (groups []model.UserGroup, response utils.PaginationResponse, err error) {
@@ -90,7 +91,13 @@ func (s *UserGroupService) Delete(ctx context.Context, id string) error {
 		return err
 	}

-	return tx.Commit().Error
+	err = tx.Commit().Error
+	if err != nil {
+		return err
+	}
+
+	s.scimService.ScheduleSync()
+	return nil
 }

 func (s *UserGroupService) Create(ctx context.Context, input dto.UserGroupCreateDto) (group model.UserGroup, err error) {
@@ -118,6 +125,8 @@ func (s *UserGroupService) createInternal(ctx context.Context, input dto.UserGro
 		}
 		return model.UserGroup{}, err
 	}
+
+	s.scimService.ScheduleSync()
 	return group, nil
 }

@@ -165,6 +174,8 @@ func (s *UserGroupService) updateInternal(ctx context.Context, id string, input
 	} else if err != nil {
 		return model.UserGroup{}, err
 	}
+
+	s.scimService.ScheduleSync()
 	return group, nil
 }

@@ -227,6 +238,7 @@ func (s *UserGroupService) updateUsersInternal(ctx context.Context, id string, u
 		return model.UserGroup{}, err
 	}

+	s.scimService.ScheduleSync()
 	return group, nil
 }

@@ -303,5 +315,6 @@ func (s *UserGroupService) UpdateAllowedOidcClient(ctx context.Context, id strin
 		return model.UserGroup{}, err
 	}

+	s.scimService.ScheduleSync()
 	return group, nil
 }
--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -37,10 +37,11 @@ type UserService struct {
 	appConfigService   *AppConfigService
 	customClaimService *CustomClaimService
 	appImagesService   *AppImagesService
+	scimService        *ScimService
 	fileStorage        storage.FileStorage
 }

-func NewUserService(db *gorm.DB, jwtService *JwtService, auditLogService *AuditLogService, emailService *EmailService, appConfigService *AppConfigService, customClaimService *CustomClaimService, appImagesService *AppImagesService, fileStorage storage.FileStorage) *UserService {
+func NewUserService(db *gorm.DB, jwtService *JwtService, auditLogService *AuditLogService, emailService *EmailService, appConfigService *AppConfigService, customClaimService *CustomClaimService, appImagesService *AppImagesService, scimService *ScimService, fileStorage storage.FileStorage) *UserService {
 	return &UserService{
 		db:                 db,
 		jwtService:         jwtService,
@@ -49,6 +50,7 @@ func NewUserService(db *gorm.DB, jwtService *JwtService, auditLogService *AuditL
 		appConfigService:   appConfigService,
 		customClaimService: customClaimService,
 		appImagesService:   appImagesService,
+		scimService:        scimService,
 		fileStorage:        fileStorage,
 	}
 }
@@ -226,6 +228,7 @@ func (s *UserService) deleteUserInternal(ctx context.Context, tx *gorm.DB, userI
 		return fmt.Errorf("failed to delete user: %w", err)
 	}

+	s.scimService.ScheduleSync()
 	return nil
 }

@@ -309,6 +312,7 @@ func (s *UserService) createUserInternal(ctx context.Context, input dto.UserCrea
 		}
 	}

+	s.scimService.ScheduleSync()
 	return user, nil
 }

@@ -447,6 +451,7 @@ func (s *UserService) updateUserInternal(ctx context.Context, userID string, upd
 		return user, err
 	}

+	s.scimService.ScheduleSync()
 	return user, nil
 }

@@ -663,6 +668,7 @@ func (s *UserService) UpdateUserGroups(ctx context.Context, id string, userGroup
 		return model.User{}, err
 	}

+	s.scimService.ScheduleSync()
 	return user, nil
 }

@@ -753,12 +759,19 @@ func (s *UserService) ResetProfilePicture(ctx context.Context, userID string) er
 }

 func (s *UserService) disableUserInternal(ctx context.Context, tx *gorm.DB, userID string) error {
-	return tx.
+	err := tx.
 		WithContext(ctx).
 		Model(&model.User{}).
 		Where("id = ?", userID).
 		Update("disabled", true).
 		Error
+
+	if err != nil {
+		return err
+	}
+
+	s.scimService.ScheduleSync()
+	return nil
 }

 func (s *UserService) CreateSignupToken(ctx context.Context, ttl time.Duration, usageLimit int, userGroupIDs []string) (model.SignupToken, error) {