better_auth-scim 0.2.0 → 0.6.2

data/lib/better_auth/scim/scim_tokens.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require "base64"
+
+module BetterAuth
+  module Plugins
+    module_function
+
+    def scim_store_token(ctx, config, token)
+      storage = config[:store_scim_token]
+      if storage == "hashed"
+        Crypto.sha256(token, encoding: :base64url)
+      elsif storage == "encrypted"
+        Crypto.symmetric_encrypt(key: ctx.context.secret, data: token)
+      elsif storage.is_a?(Hash) && storage[:hash].respond_to?(:call)
+        storage[:hash].call(token)
+      elsif storage.is_a?(Hash) && storage[:encrypt].respond_to?(:call)
+        storage[:encrypt].call(token)
+      else
+        token
+      end
+    end
+
+    def scim_token_matches?(ctx, config, token, stored)
+      storage = config[:store_scim_token]
+      return Crypto.symmetric_decrypt(key: ctx.context.secret, data: stored) == token if storage == "encrypted"
+      return storage[:decrypt].call(stored) == token if storage.is_a?(Hash) && storage[:decrypt].respond_to?(:call)
+
+      !token.to_s.empty? && scim_store_token(ctx, config, token) == stored
+    end
+
+    def scim_decode_token(encoded)
+      decoded = Base64.urlsafe_decode64(encoded.to_s)
+      token, provider_id, *organization_parts = decoded.split(":")
+      raise scim_error("UNAUTHORIZED", "Invalid SCIM token") if token.to_s.empty? || provider_id.to_s.empty?
+
+      [token, provider_id, organization_parts.join(":").then { |value| value.empty? ? nil : value }]
+    rescue ArgumentError
+      raise scim_error("UNAUTHORIZED", "Invalid SCIM token")
+    end
+
+    def scim_default_provider(config, provider_id, organization_id)
+      Array(config[:default_scim]).find do |provider|
+        candidate = normalize_hash(provider)
+        next true if candidate[:provider_id].to_s == provider_id.to_s && organization_id.to_s.empty?
+
+        candidate[:provider_id].to_s == provider_id.to_s &&
+          !organization_id.to_s.empty? &&
+          candidate[:organization_id].to_s == organization_id.to_s
+      end&.then do |provider|
+        data = normalize_hash(provider)
+        {"providerId" => data[:provider_id], "scimToken" => data[:scim_token], "organizationId" => data[:organization_id]}
+      end
+    end
+  end
+end

data/lib/better_auth/scim/user_schemas.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module_function
+
+    def scim_user_schema(base_url = nil)
+      {
+        id: SCIM_USER_SCHEMA_ID,
+        schemas: ["urn:ietf:params:scim:schemas:core:2.0:Schema"],
+        name: "User",
+        description: "User Account",
+        attributes: [
+          {name: "id", type: "string", multiValued: false, description: "Unique opaque identifier for the User", required: false, caseExact: true, mutability: "readOnly", returned: "default", uniqueness: "server"},
+          {name: "userName", type: "string", multiValued: false, description: "Unique identifier for the User, typically used by the user to directly authenticate to the service provider", required: true, caseExact: false, mutability: "readWrite", returned: "default", uniqueness: "server"},
+          {name: "displayName", type: "string", multiValued: false, description: "The name of the User, suitable for display to end-users.  The name SHOULD be the full name of the User being described, if known.", required: false, caseExact: true, mutability: "readOnly", returned: "default", uniqueness: "none"},
+          {name: "active", type: "boolean", multiValued: false, description: "A Boolean value indicating the User's administrative status.", required: false, mutability: "readOnly", returned: "default"},
+          {
+            name: "name",
+            type: "complex",
+            multiValued: false,
+            description: "The components of the user's real name.",
+            required: false,
+            subAttributes: [
+              {name: "formatted", type: "string", multiValued: false, description: "The full name, including all middlenames, titles, and suffixes as appropriate, formatted for display(e.g., 'Ms. Barbara J Jensen, III').", required: false, caseExact: false, mutability: "readWrite", returned: "default", uniqueness: "none"},
+              {name: "familyName", type: "string", multiValued: false, description: "The family name of the User, or last name in most Western languages (e.g., 'Jensen' given the fullname 'Ms. Barbara J Jensen, III').", required: false, caseExact: false, mutability: "readWrite", returned: "default", uniqueness: "none"},
+              {name: "givenName", type: "string", multiValued: false, description: "The given name of the User, or first name in most Western languages (e.g., 'Barbara' given the full name 'Ms. Barbara J Jensen, III').", required: false, caseExact: false, mutability: "readWrite", returned: "default", uniqueness: "none"}
+            ]
+          },
+          {
+            name: "emails",
+            type: "complex",
+            multiValued: true,
+            description: "Email addresses for the user.  The value SHOULD be canonicalized by the service provider, e.g., 'bjensen@example.com' instead of 'bjensen@EXAMPLE.COM'. Canonical type values of 'work', 'home', and 'other'.",
+            required: false,
+            mutability: "readWrite",
+            returned: "default",
+            uniqueness: "none",
+            subAttributes: [
+              {name: "value", type: "string", multiValued: false, description: "Email addresses for the user.  The value SHOULD be canonicalized by the service provider, e.g., 'bjensen@example.com' instead of 'bjensen@EXAMPLE.COM'. Canonical type values of 'work', 'home', and 'other'.", required: false, caseExact: false, mutability: "readWrite", returned: "default", uniqueness: "server"},
+              {name: "primary", type: "boolean", multiValued: false, description: "A Boolean value indicating the 'primary' or preferred attribute value for this attribute, e.g., the preferred mailing address or primary email address.  The primary attribute value 'true' MUST appear no more than once.", required: false, mutability: "readWrite", returned: "default"}
+            ]
+          }
+        ],
+        meta: {resourceType: "Schema", location: scim_resource_url(base_url, "/scim/v2/Schemas/#{SCIM_USER_SCHEMA_ID}")}
+      }
+    end
+
+    def scim_user_resource_type(base_url = nil)
+      {
+        schemas: ["urn:ietf:params:scim:schemas:core:2.0:ResourceType"],
+        id: "User",
+        name: "User",
+        endpoint: "/Users",
+        description: "User Account",
+        schema: SCIM_USER_SCHEMA_ID,
+        meta: {resourceType: "ResourceType", location: scim_resource_url(base_url, "/scim/v2/ResourceTypes/User")}
+      }
+    end
+  end
+end

data/lib/better_auth/scim/utils.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module_function
+
+    def scim_param(ctx, key)
+      ctx.params[key] || ctx.params[key.to_s] || ctx.params[Schema.storage_key(key)] || ctx.params[Schema.storage_key(key).to_sym]
+    end
+
+    def scim_resource_url(base_url, path)
+      return path unless base_url
+
+      "#{base_url}#{path}"
+    end
+  end
+end

data/lib/better_auth/scim/version.rb

@@ -2,6 +2,6 @@
 
 module BetterAuth
   module SCIM
-    VERSION = "0.2.0"
+    VERSION = "0.6.2"
   end
 end

data/lib/better_auth/scim.rb

@@ -2,6 +2,18 @@
 
 require "better_auth"
 require_relative "scim/version"
+require_relative "scim/scim_metadata"
+require_relative "scim/scim_error"
+require_relative "scim/utils"
+require_relative "scim/client"
+require_relative "scim/user_schemas"
+require_relative "scim/scim_resources"
+require_relative "scim/mappings"
+require_relative "scim/scim_filters"
+require_relative "scim/patch_operations"
+require_relative "scim/scim_tokens"
+require_relative "scim/middlewares"
+require_relative "scim/routes"
 require_relative "plugins/scim"
 
 module BetterAuth

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: better_auth-scim
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.6.2
 platform: ruby
 authors:
 - Sebastian Sala
@@ -111,6 +111,18 @@ files:
 - README.md
 - lib/better_auth/plugins/scim.rb
 - lib/better_auth/scim.rb
+- lib/better_auth/scim/client.rb
+- lib/better_auth/scim/mappings.rb
+- lib/better_auth/scim/middlewares.rb
+- lib/better_auth/scim/patch_operations.rb
+- lib/better_auth/scim/routes.rb
+- lib/better_auth/scim/scim_error.rb
+- lib/better_auth/scim/scim_filters.rb
+- lib/better_auth/scim/scim_metadata.rb
+- lib/better_auth/scim/scim_resources.rb
+- lib/better_auth/scim/scim_tokens.rb
+- lib/better_auth/scim/user_schemas.rb
+- lib/better_auth/scim/utils.rb
 - lib/better_auth/scim/version.rb
 homepage: https://github.com/sebasxsala/better-auth
 licenses: