cf-uaac 1.3.4 → 1.3.6

data/cf-uaac.gemspec

@@ -38,7 +38,7 @@ Gem::Specification.new do |s|
   s.add_development_dependency "simplecov"
   s.add_development_dependency "simplecov-rcov"
   s.add_development_dependency "ci_reporter"
-  s.add_runtime_dependency "cf-uaa-lib", ">= 1.3.4", "<= 1.3.4"
+  s.add_runtime_dependency "cf-uaa-lib", ">= 1.3.6", "<= 1.3.6"
   s.add_runtime_dependency "highline"
   s.add_runtime_dependency "eventmachine"
   s.add_runtime_dependency "launchy"

data/lib/cli/client_reg.rb

@@ -47,15 +47,15 @@ class ClientCli < CommonCli
     end
   end
 
-  desc "clients", "List client registrations" do
-    pp scim_request { |cr| cr.all_pages(:client) }
+  desc "clients [filter]", "List client registrations", :attrs, :start, :count do |filter|
+    scim_common_list(:client, filter)
   end
 
-  desc "client get [name]", "Get specific client registration" do |name|
-    pp scim_request { |cr| cr.get(:client, cr.id(:client, clientname(name))) }
+  desc "client get [name]", "Get specific client registration", :attrs do |name|
+    pp scim_request { |sr| scim_get_object(sr, :client, clientname(name), opts[:attrs]) }
   end
 
-  define_option :clone, "--clone <other_client>", "get default client settings from existing client"
+  define_option :clone, "--clone <other>", "get default settings from other"
   define_option :interact, "--[no-]interactive", "-i", "interactively verify all values"
 
   desc "client add [name]", "Add client registration",
@@ -63,7 +63,7 @@ class ClientCli < CommonCli
     pp scim_request { |cr|
       opts[:client_id] = clientname(name)
       opts[:secret] = verified_pwd("New client secret", opts[:secret])
-      defaults = opts[:clone] ? Util.hash_keys!(cr.get(opts[:clone]), :sym) : {}
+      defaults = opts[:clone] ? Util.hash_keys!(cr.get(:client, opts[:clone]), :sym) : {}
       defaults.delete(:client_id)
       cr.add(:client, client_info(defaults))
     }

data/lib/cli/common.rb

@@ -80,6 +80,22 @@ class CommonCli < Topic
     info
   end
 
+  def scim_common_list(type, filter)
+    pp scim_request { |sr|
+      query = { attributes: opts[:attrs], filter: filter }
+      opts[:start] || opts[:count] ?
+        sr.query(type, query.merge!(startIndex: opts[:start], count: opts[:count])):
+        sr.all_pages(type, query)
+    }
+  end
+
+  def scim_get_object(scim, type, name, attrs = nil)
+    query = { attributes: attrs, filter: "#{scim.name_attr(type)} eq \"#{name}\""}
+    info = scim.all_pages(type, query)
+    raise BadResponse unless info.is_a?(Array) && info.length < 2
+    raise NotFound if info.length == 0
+    info[0]
+  end
 end
 
 class MiscCli < CommonCli
@@ -141,8 +157,8 @@ class MiscCli < CommonCli
       update_target_info(info) if info[:prompts]
     end
     return say "no target set" unless Config.target
-    return say "target set to #{Config.target}" unless Config.context
-    say "target set to #{Config.target}, with context #{Config.context}"
+    return say "\nTarget: #{Config.target}\n\n" unless Config.context
+    say "\nTarget: #{Config.target}\nContext: #{Config.context}, from client #{Config[:client_id]}\n\n"
   end
 
   desc "targets", "Display all targets" do

data/lib/cli/config.rb

@@ -120,6 +120,8 @@ class Config
     @config[@target][:contexts][@context][attr]
   end
 
+  def self.[](attr) value(attr) end
+
   def self.delete_attr(attr)
     raise ArgumentError, "target and context not set" unless @target && @context
     @config[@target][:contexts][@context].delete(attr)

data/lib/cli/group.rb

@@ -24,25 +24,20 @@ class GroupCli < CommonCli
   def gname(name) name || ask("Group name") end
 
   desc "groups [filter]", "List groups", :attrs, :start, :count do |filter|
-    pp scim_request { |ua|
-      query = { attributes: opts[:attrs], filter: filter }
-      opts[:start] || opts[:count] ?
-        ua.query_groups(query.merge!(startIndex: opts[:start], count: opts[:count])):
-        ua.all_pages(:group, query)
-    }
+    scim_common_list(:group, filter)
   end
 
-  desc "group get [name]", "Get specific group information" do |name|
-    pp scim_request { |ua| ua.get(:group, ua.id(:group, gname(name))) }
+  desc "group get [name]", "Get specific group information", :attrs do |name|
+    pp scim_request { |sr| scim_get_object(sr, :group, gname(name), opts[:attrs]) }
   end
 
   desc "group add [name]", "Adds a group" do |name|
-    pp scim_request { |ua| ua.add(:group, displayName: gname(name)) }
+    pp scim_request { |scim| scim.add(:group, displayName: gname(name)) }
   end
 
   desc "group delete [name]", "Delete group" do |name|
-    pp scim_request { |ua|
-      ua.delete(:delete, ua.id(:group, gname(name)))
+    pp scim_request { |scim|
+      scim.delete(:group, scim.id(:group, gname(name)))
       "success"
     }
   end
@@ -55,31 +50,46 @@ class GroupCli < CommonCli
     }
   end
 
-  desc "member add [name] [members...]", "add members to a group" do |name, *members|
-    pp scim_request { |ua|
-      group = ua.get(:group, ua.id(:group, gname(name)))
-      old_ids = id_set(group["members"] || [])
-      new_ids = id_set(ua.ids(:user, *members))
-      raise "not all members found, none added" unless new_ids.size == members.size
-      group["members"] = (old_ids + new_ids).to_a
-      raise "no new members given" unless group["members"].size > old_ids.size
-      ua.put(:group, group)
+  def update_members(scim, name, attr, users, add = true)
+      group = scim_get_object(scim, :group, gname(name))
+      old_ids = id_set(group[attr] || [])
+      new_ids = id_set(scim.ids(:user, *users))
+      if add
+        raise "not all users found, none added" unless new_ids.size == users.size
+        group[attr] = (old_ids + new_ids).to_a
+        raise "no new users given" unless group[attr].size > old_ids.size
+      else
+        raise "not all users found, none deleted" unless new_ids.size == users.size
+        group[attr] = (old_ids - new_ids).to_a
+        raise "no existing users to delete" unless group[attr].size < old_ids.size
+        group.delete(attr) if group[attr].empty?
+      end
+      scim.put(:group, group)
       "success"
-    }
   end
 
-  desc "member delete [name] [members...]", "remove members from a group" do |name, *members|
-    pp scim_request { |ua|
-      group = ua.get(:group, ua.id(:group, gname(name)))
-      old_ids = id_set(group["members"] || [])
-      new_ids = id_set(ua.ids(:user, *members))
-      raise "not all members found, none deleted" unless new_ids.size == members.size
-      group["members"] = (old_ids - new_ids).to_a
-      raise "no existing members to delete" unless group["members"].size < old_ids.size
-      group.delete("members") if group["members"].empty?
-      ua.put(:group, group)
-      "success"
-    }
+  desc "member add [name] [users...]", "add members to a group" do |name, *users|
+    pp scim_request { |scim| update_members(scim, name, "members", users) }
+  end
+
+  desc "member delete [name] [users...]", "remove members from a group" do |name, *users|
+    pp scim_request { |scim| update_members(scim, name, "members", users, false) }
+  end
+
+  desc "group reader add [name] [users...]", "add users who can read the members" do |name, *users|
+    pp scim_request { |scim| update_members(scim, name, "readers", users) }
+  end
+
+  desc "group reader delete [name] [users...]", "delete users who can read members" do |name, *users|
+    pp scim_request { |scim| update_members(scim, name, "readers", users, false) }
+  end
+
+  desc "group writer add [name] [users...]", "add users who can modify group" do |name, *users|
+    pp scim_request { |scim| update_members(scim, name, "writers", users) }
+  end
+
+  desc "group writer delete [name] [users...]", "remove user who can modify group" do |name, *users|
+    pp scim_request { |scim| update_members(scim, name, "writers", users, false) }
   end
 
 end

data/lib/cli/token.rb

@@ -66,7 +66,16 @@ class TokenCli < CommonCli
   topic "Tokens", "token", "login"
 
   def say_success(grant)
-    say "\nSuccessfully fetched token via a #{grant} grant.\nTarget: #{Config.target}\nContext: #{Config.context}\n"
+    say "\nSuccessfully fetched token via #{grant} grant.\nTarget: #{Config.target}\nContext: #{Config.context}, from client #{Config[:client_id]}\n\n"
+  end
+
+  def set_context(token_info)
+    return gripe "attempt to get token failed\n" unless token_info && token_info["access_token"]
+    contents = TokenCoder.decode(token_info["access_token"], verify: false)
+    Config.context = contents["user_name"] || contents["client_id"] || "bad_token"
+    Config.add_opts(user_id: contents["user_id"]) if contents["user_id"]
+    Config.add_opts(client_id: contents["client_id"]) if contents["client_id"]
+    Config.add_opts token_info
   end
 
   def issuer_request(client_id, secret = nil)
@@ -83,7 +92,7 @@ class TokenCli < CommonCli
       "Gets a token by posting user credentials with an implicit grant request",
       :client, :scope do |*args|
     client_name = opts[:client] || "vmc"
-    token = issuer_request(client_name, "") { |ti|
+    reply = issuer_request(client_name, "") { |ti|
       prompts = ti.prompts
       creds = {}
       prompts.each do |k, v|
@@ -99,41 +108,31 @@ class TokenCli < CommonCli
       end
       ti.implicit_grant_with_creds(creds, opts[:scope]).info
     }
-    return gripe "attempt to get token failed\n" unless token && token["access_token"]
-    tokinfo = TokenCoder.decode(token["access_token"], verify: false)
-    Config.context = tokinfo["user_name"]
-    Config.add_opts(user_id: tokinfo["user_id"])
-    Config.add_opts token
-    say_success "implicit (with posted credentials)"
+    say_success "implicit (with posted credentials)" if set_context(reply)
   end
 
   define_option :secret, "--secret <secret>", "-s", "client secret"
   desc "token client get [name]",
       "Gets a token with client credentials grant", :secret, :scope do |id|
-    id = clientname(id)
-    return unless info = issuer_request(id, clientsecret) { |ti|
+    reply = issuer_request(clientname(id), clientsecret) { |ti|
       ti.client_credentials_grant(opts[:scope]).info
     }
-    Config.context = id
-    Config.add_opts info
-    say_success "client credentials"
+    say_success "client credentials" if set_context(reply)
   end
 
   define_option :password, "-p", "--password <password>", "user password"
   desc "token owner get [client] [user]", "Gets a token with a resource owner password grant",
       :secret, :password, :scope do |client, user|
-    return unless info = issuer_request(clientname(client), clientsecret) { |ti|
+    reply = issuer_request(clientname(client), clientsecret) { |ti|
         ti.owner_password_grant(user = username(user), userpwd, opts[:scope]).info
     }
-    Config.context = user
-    Config.add_opts info
-    say_success "owner password"
+    say_success "owner password" if set_context(reply)
   end
 
   desc "token refresh [refreshtoken]", "Gets a new access token from a refresh token", :client, :secret, :scope do |rtok|
     rtok ||= Config.value(:refresh_token)
-    Config.add_opts issuer_request(clientname, clientsecret) { |ti| ti.refresh_token_grant(rtok, opts[:scope]).info }
-    say_success "refresh"
+    reply = issuer_request(clientname, clientsecret) { |ti| ti.refresh_token_grant(rtok, opts[:scope]).info }
+    say_success "refresh" if set_context(reply)
   end
 
   VMC_TOKEN_FILE = File.join ENV["HOME"], ".vmc_token"
@@ -156,9 +155,7 @@ class TokenCli < CommonCli
       sleep 5
       print "."
     end
-    Config.context = TokenCoder.decode(catcher.info[:access_token], verify: false)["user_name"]
-    Config.add_opts catcher.info
-    say_success secret ? "authorization code" : "implicit"
+    say_success(secret ? "authorization code" : "implicit") if set_context(catcher.info)
     return unless opts[:vmc]
     begin
       vmc_target = File.open(VMC_TARGET_FILE, 'r') { |f| f.read.strip }

data/lib/cli/user.rb

@@ -39,23 +39,18 @@ class UserCli < CommonCli
   define_option :start, "--start <number>", "start of output page"
   define_option :count, "--count <number>", "max number per page"
   desc "users [filter]", "List user accounts", :attrs, :start, :count do |filter|
-    pp scim_request { |ua|
-      query = { attributes: opts[:attrs], filter: filter }
-      opts[:start] || opts[:count] ?
-        ua.query(:user, query.merge!(startIndex: opts[:start], count: opts[:count])):
-        ua.all_pages(:user, query)
-    }
+    scim_common_list(:user, filter)
   end
 
-  desc "user get [name]", "Get specific user account" do |name|
-    pp scim_request { |ua| ua.get(:user, ua.id(:user, username(name))) }
+  desc "user get [name]", "Get specific user account", :attrs do |name|
+    pp scim_request { |sr| scim_get_object(sr, :user, username(name), opts[:attrs]) }
   end
 
   desc "user add [name]", "Add a user account", *USER_INFO_OPTS, :password do |name|
     info = {userName: username(name), password: verified_pwd("Password", opts[:password])}
-    pp scim_request { |ua| 
+    pp scim_request { |ua|
       ua.add(:user, user_opts(info))
-      "user account successfully added" 
+      "user account successfully added"
     }
   end
 
@@ -97,6 +92,7 @@ class UserCli < CommonCli
   define_option :old_password, "-o", "--old_password <password>", "current password"
   desc "password change", "Change password for authenticated user in current context", :old_password, :password do
     pp scim_request { |ua|
+      raise "no user_id in current context" unless Config.value(:user_id)
       oldpwd = opts[:old_password] || ask_pwd("Current password")
       ua.change_password(Config.value(:user_id), verified_pwd("New password", opts[:password]), oldpwd)
       "password successfully changed"

data/lib/cli/version.rb

@@ -14,6 +14,6 @@
 # Cloud Foundry namespace
 module CF
   module UAA
-    CLI_VERSION = "1.3.4"
+    CLI_VERSION = "1.3.6"
   end
 end

data/lib/stub/scim.rb

@@ -31,8 +31,9 @@ class StubScim
   READ_ONLY_ATTRS = [:rtype, :id, :meta, :groups].to_set
   BOOLEANS = [:active].to_set
   NUMBERS = [:access_token_validity, :refresh_token_validity].to_set
-  GROUPS = [:groups, :auto_approved_scope, :scope, :authorities].to_set
-  REFERENCES = [*GROUPS, :members, :owners, :readers].to_set # users or groups
+  GROUPS = [:groups, :autoapprove, :scope, :authorities].to_set # values must be group ID
+  MEMBERSHIP =  [:members, :writers, :readers].to_set # users or groups
+  REFERENCES = GROUPS + MEMBERSHIP # users or groups
   ENUMS = { authorized_grant_types: ["client_credentials", "implicit",
       "authorization_code", "password", "refresh_token"].to_set }
   GENERAL_MULTI = [:emails, :phonenumbers, :ims, :photos, :entitlements,
@@ -57,9 +58,9 @@ class StubScim
         :entitlements, :roles, :x509certificates, :name, :addresses,
         :authorizations, :groups].to_set,
       client: [*COMMON_ATTRS, :client_id, :client_secret, :authorities,
-        :authorized_grant_types, :scope, :auto_approved_scope,
+        :authorized_grant_types, :scope, :autoapprove,
         :access_token_validity, :refresh_token_validity, :redirect_uri].to_set,
-      group: [*COMMON_ATTRS, :displayname, :members, :owners, :readers].to_set }
+      group: [*COMMON_ATTRS, :displayname, :members, :writers, :readers].to_set }
   VISIBLE_ATTRS = {user: Set.new(LEGAL_ATTRS[:user] - HIDDEN_ATTRS),
       client: Set.new(LEGAL_ATTRS[:client] - HIDDEN_ATTRS),
       group: Set.new(LEGAL_ATTRS[:group] - HIDDEN_ATTRS)}
@@ -123,7 +124,7 @@ class StubScim
         when *NUMBERS then v.is_a?(Integer)
         when *GENERAL_MULTI then valid_multi?(v, GENERAL_SUBATTRS, true)
         when *GROUPS then valid_ids?(v, :group)
-        when *REFERENCES then valid_ids?(v)
+        when *MEMBERSHIP then valid_ids?(v)
         when ENUMS[k] then ENUMS[k].include?(v)
         when *EXPLICIT_SINGLE.keys then valid_complex?(v, EXPLICIT_SINGLE[k])
         when *EXPLICIT_MULTI.keys then valid_multi?(v, EXPLICIT_MULTI[k])
@@ -158,7 +159,11 @@ class StubScim
     attrs.each_with_object({}) {|a, o|
       next unless thing[a]
       case a
-      when *REFERENCES then o[a] = thing[a].to_a
+      when *MEMBERSHIP
+        o[a] = thing[a].each_with_object([]) { |v, a|
+          a << { value: v, type: ref_by_id(v)[:rtype] }
+        }
+      when *GROUPS then o[a] = thing[a].to_a
       when *GENERAL_MULTI then o[a] = thing[a].values
       else o[a] = thing[a]
       end
@@ -169,10 +174,16 @@ class StubScim
     members.each {|m| (m[:groups] ||= Set.new) << gid if m = ref_by_id(m, :user)} if members
   end
 
-  def remove_user_groups(gid, members)
+  def delete_user_groups(gid, members)
     members.each {|m| m[:groups].delete(gid) if m = ref_by_id(m, :user) } if members
   end
 
+  def delete_references(id)
+    @things_by_id.each { |k, v|
+      REFERENCES.each { |a| v.delete(a) if v[a] && v[a].delete(id) && v[a].empty? }
+    }
+  end
+
   public
 
   def initialize; @things_by_id, @things_by_name = {}, {} end
@@ -208,7 +219,7 @@ class StubScim
     if new_thing[:members] || thing[:members]
       old_members = thing[:members] || Set.new
       new_members = new_thing[:members] || Set.new
-      remove_user_groups(id, old_members - new_members)
+      delete_user_groups(id, old_members - new_members)
       add_user_groups(id, new_members - old_members)
     end
     READ_ONLY_ATTRS.each { |a| new_thing[a] = thing[a] if thing[a] }
@@ -225,18 +236,23 @@ class StubScim
     add_user_groups(gid, Set[member])
   end
 
+  def is_member(gid, member, attr = :members)
+    (g = ref_by_id(gid, :group)) && (a = g[attr]) && a.include?(member)
+  end
+
   def set_hidden_attr(id, attr, value)
     raise NotFound unless thing = ref_by_id(id)
     raise ArgumentError unless HIDDEN_ATTRS.include?(attr)
     thing[attr] = value
   end
 
-  def remove(id, rtype = nil)
+  def delete(id, rtype = nil)
     return unless thing = ref_by_id(id, rtype)
     rtype = thing[:rtype]
-    remove_user_groups(id, thing[:members])
+    delete_user_groups(id, thing[:members])
     @things_by_id.delete(id)
     thing = @things_by_name.delete(rtype.to_s + thing[NAME_ATTR[rtype]].downcase)
+    delete_references(id)
     remove_attrs(output(thing))
   end
 
@@ -250,10 +266,12 @@ class StubScim
     output(thing, attrs)
   end
 
-  def find(rtype, start = 0, count = nil, filter_string = nil, attrs = nil)
-    filter, total = ScimFilter.new(filter_string), 0
+  def find(rtype, opts = {})
+    filter, total, start = ScimFilter.new(opts[:filter]), 0, (opts[:start] || 0)
+    count, attrs, acl, acl_id = opts[:count], opts[:attrs], opts[:acl], opts[:acl_id]
     objs = @things_by_id.each_with_object([]) { |(k, v), o|
       next unless rtype == v[:rtype] && filter.match?(v)
+      next if acl && acl_id && !is_member(v[:id], acl_id, acl)
       o << output(v, attrs) if total >= start && (count.nil? || o.length < count)
       total += 1
     }

data/lib/stub/server.rb

@@ -176,7 +176,7 @@ class Base
       request.path.slice!(0..server.root.length - 1)
     end
     @match, handler = self.class.find_route(request)
-    server.logger.debug "processing request to path #{request.path} for route #{@match ? @match.regexp : 'default'}"
+    server.logger.debug "processing #{request.method} to path #{request.path}"
     send handler
     reply.headers['connection'] ||= request.headers['connection'] if request.headers['connection']
     server.logger.debug "replying to path #{request.path} with #{reply.body.length} bytes of #{reply.headers['content-type']}"

data/lib/stub/uaa.rb

@@ -30,23 +30,22 @@ class StubUAAConn < Stub::Base
     end
   end
 
-  def valid_token(required_scope)
-    return nil unless (ah = request.headers["authorization"]) && (ah = ah.split(' '))[0] =~ /^bearer$/i
-    contents = TokenCoder.decode(ah[1], accept_algorithms: "none")
-    contents["scope"], required_scope = Util.arglist(contents["scope"]), Util.arglist(required_scope)
-    return contents if required_scope.nil? || !(required_scope & contents["scope"]).empty?
-    reply_in_kind(403, error: "insufficient_scope",
-        error_description: "required scope #{Util.strlist(required_scope)}")
-    nil
-  end
-
+  def bad_request(msg = nil); reply_in_kind(400, error: "bad request#{msg ? ',' : ''} #{msg}") end
+  def not_found(name = nil); reply_in_kind(404, error: "#{name} not found") end
+  def access_denied(msg = "access denied") reply_in_kind(403, error: "access_denied", error_description: msg) end
   def ids_to_names(ids); ids ? ids.map { |id| server.scim.name(id) } : [] end
   def names_to_ids(names, rtype); names ? names.map { |name| server.scim.id(name, rtype) } : [] end
-  def bad_request(message = nil); reply_in_kind(400, error: "bad request#{message ? ',' : ''} #{message}") end
-  def not_found(name = nil); reply_in_kind(404, error: "#{name} not found") end
   def encode_cookie(obj = {}) Util.json_encode64(obj) end
   def decode_cookie(str) Util.json.decode64(str) end
 
+  def valid_token(accepted_scope)
+    return nil unless (ah = request.headers["authorization"]) && (ah = ah.split(' '))[0] =~ /^bearer$/i
+    contents = TokenCoder.decode(ah[1], accept_algorithms: "none")
+    contents["scope"], accepted_scope = Util.arglist(contents["scope"]), Util.arglist(accepted_scope)
+    return contents if accepted_scope.nil? || !(accepted_scope & contents["scope"]).empty?
+    access_denied("accepted scope #{Util.strlist(accepted_scope)}")
+  end
+
   def primary_email(emails)
     return unless emails
     emails.each {|e| return e[:value] if e[:type] && e[:type] == "primary"}
@@ -325,12 +324,12 @@ class StubUAAConn < Stub::Base
   # client endpoints
   #
   def client_to_scim(info)
-    ['authorities', 'scope', 'auto_approve_scope'].each { |a| info[a] = names_to_ids(info[a], :group) if info.key?(a) }
+    ['authorities', 'scope', 'autoapprove'].each { |a| info[a] = names_to_ids(info[a], :group) if info.key?(a) }
     info
   end
 
   def scim_to_client(info)
-    [:authorities, :scope, :auto_approve_scope].each { |a| info[a] = ids_to_names(info[a]) if info.key?(a) }
+    [:authorities, :scope, :autoapprove].each { |a| info[a] = ids_to_names(info[a]) if info.key?(a) }
     info.delete(:id)
     info
   end
@@ -362,7 +361,7 @@ class StubUAAConn < Stub::Base
 
   route :delete, %r{^/oauth/clients/([^/]+)$} do
     return unless valid_token("clients.write")
-    return not_found(match[1]) unless server.scim.remove(server.scim.id(match[1], :client))
+    return not_found(match[1]) unless server.scim.delete(server.scim.id(match[1], :client))
   end
 
   route :put, %r{^/oauth/clients/([^/]+)/secret$}, "content-type" => %r{application/json} do
@@ -390,11 +389,25 @@ class StubUAAConn < Stub::Base
     reply_in_kind server.scim.get(id, rtype, *StubScim::VISIBLE_ATTRS[rtype])
   end
 
+  def obj_access?(rtype, oid, perm)
+    major_scope = perm == :writers ? "scim.write" : "scim.read"
+    return unless tkn = valid_token("#{major_scope} scim.me")
+    return tkn if tkn["scope"].include?(major_scope) ||
+        rtype == :group && server.scim.is_member(oid, tkn["user_id"], perm)
+    access_denied
+  end
+
   route :put, %r{^/(Users|Groups)/([^/]+)$}, "content-type" => %r{application/json} do
-    return unless valid_token("scim.write")
     rtype = match[1] == "Users"? :user : :group
-    id = server.scim.update(match[2], Util.json_parse(request.body, :down), request.headers[:match_if], rtype)
-    reply_in_kind server.scim.get(id, rtype, *StubScim::VISIBLE_ATTRS[rtype])
+    return unless obj_access?(rtype, match[2], :writers)
+    version = request.headers['if-match']
+    version = version.to_i if version.to_i.to_s == version
+    begin
+      id = server.scim.update(match[2], Util.json_parse(request.body, :down), version, rtype)
+      reply_in_kind server.scim.get(id, rtype, *StubScim::VISIBLE_ATTRS[rtype])
+    rescue BadVersion; reply_in_kind(409, error: "invalid object version")
+    rescue NotFound; not_found(match[2])
+    end
   end
 
   def sanitize_int(arg, default, min, max = nil)
@@ -403,7 +416,7 @@ class StubUAAConn < Stub::Base
     max && i > max ? max : i
   end
 
-  def page_query(rtype, query, attrs)
+  def page_query(rtype, query, attrs, acl = nil, acl_id = nil)
     if query['attributes']
       attrs = attrs & Util.arglist(query['attributes']).each_with_object([]) {|a, o|
         o << a.to_sym if StubScim::ATTR_NAMES.include?(a = a.downcase)
@@ -412,26 +425,33 @@ class StubUAAConn < Stub::Base
     start = sanitize_int(query['startindex'], 1, 1)
     count = sanitize_int(query['count'], 15, 1, 3000)
     return bad_request("invalid startIndex or count") unless start && count
-    info, total = server.scim.find(rtype, start - 1, count, query['filter'], attrs)
+    info, total = server.scim.find(rtype, start: start - 1, count: count,
+        filter: query['filter'], attrs: attrs, acl: acl, acl_id: acl_id)
     reply_in_kind(resources: info, itemsPerPage: info.length, startIndex: start, totalResults: total)
   end
 
   route :get, %r{^/(Users|Groups)(\?|$)(.*)} do
-    return unless valid_token("scim.read")
     rtype = match[1] == "Users"? :user : :group
-    page_query(rtype, Util.decode_form(match[3], :down), StubScim::VISIBLE_ATTRS[rtype])
+    return unless tkn = valid_token("scim.read scim.me")
+    acl = acl_id = nil
+    unless tkn["scope"].include?("scim.read")
+      acl, acl_id = :readers, tkn["user_id"]
+      return access_denied unless rtype == :group && acl_id
+    end
+    page_query(rtype, Util.decode_form(match[3], :down),
+        StubScim::VISIBLE_ATTRS[rtype], acl, acl_id)
   end
 
   route :get, %r{^/(Users|Groups)/([^/]+)$} do
-    return unless valid_token("scim.read")
     rtype = match[1] == "Users"? :user : :group
+    return unless obj_access?(rtype, match[2], :readers)
     return not_found(match[2]) unless obj = server.scim.get(match[2], rtype, *StubScim::VISIBLE_ATTRS[rtype])
     reply_in_kind(obj)
   end
 
   route :delete, %r{^/(Users|Groups)/([^/]+)$} do
     return unless valid_token("scim.write")
-    not_found(match[2]) unless server.scim.remove(match[2], match[1] == "Users"? :user : :group)
+    not_found(match[2]) unless server.scim.delete(match[2], match[1] == "Users"? :user : :group)
   end
 
   route :put, %r{^/Users/([^/]+)/password$}, "content-type" => %r{application/json} do
@@ -465,7 +485,7 @@ class StubUAA < Stub::Server
     @scim = StubScim.new
     @auto_groups = ["password.write", "openid"]
         .each_with_object([]) { |g, o| o << @scim.add(:group, 'displayname' => g) }
-    ["scim.read", "scim.write", "uaa.resource"]
+    ["scim.read", "scim.write", "scim.me", "uaa.resource"]
         .each { |g| @scim.add(:group, 'displayname' => g) }
     gids = ["clients.write", "clients.read", "clients.secret", "uaa.admin"]
         .each_with_object([]) { |s, o| o << @scim.add(:group, 'displayname' => s) }

data/spec/client_reg_spec.rb

@@ -56,7 +56,7 @@ describe ClientCli do
 
     it "fails to create a user account as test client" do
       Cli.run("user add #{@test_user} -p #{@test_pwd}").should be_nil
-      Cli.output.string.should include "insufficient_scope"
+      Cli.output.string.should include "access_denied"
     end
 
     context "as updated client" do
@@ -73,7 +73,7 @@ describe ClientCli do
       it "fails to create a user account with old token" do
         Cli.run("context #{@test_client}").should be
         Cli.run("user add #{@test_user} -p #{@test_pwd}").should be_nil
-        Cli.output.string.should include "insufficient_scope"
+        Cli.output.string.should include "access_denied"
       end
 
       it "creates a user account with a new token" do
@@ -81,7 +81,7 @@ describe ClientCli do
         Cli.run("token client get #{@test_client} -s #{@test_secret}").should be
         Cli.run("token decode")
         Cli.run("user add #{@test_user.capitalize} -p #{@test_pwd} --email #{@test_user}@example.com --family_name #{@test_user.capitalize} --given_name joe").should be
-        Cli.output.string.should_not include "insufficient_scope"
+        Cli.output.string.should_not include "access_denied"
         Cli.run("user get #{@test_user}").should be
         Cli.output.string.should include @test_user.capitalize
       end
@@ -89,15 +89,15 @@ describe ClientCli do
 
   end
 
-  context "as admin client" do
-    it "deletes a client registration" do
-      client = @test_client.dup
-      @test_client.replace("")
-      Cli.run("context #{@admin_client}").should be
-      Cli.run("client delete #{client}").should be
-      Cli.output.string.should include "deleted"
-    end
-  end
+#  context "as admin client" do
+#    it "deletes a client registration" do
+#      client = @test_client.dup
+#      @test_client.replace("")
+#      Cli.run("context #{@admin_client}").should be
+#      Cli.run("client delete #{client}").should be
+#      Cli.output.string.should include "deleted"
+#    end
+#  end
 
 end
 

data/spec/group_spec.rb

@@ -25,67 +25,141 @@ describe GroupCli do
     Cli.configure("", nil, StringIO.new, true)
     setup_target(authorities: "clients.read,scim.read,scim.write,uaa.admin")
     Cli.run("token client get #{@test_client} -s #{@test_secret}").should be
-    @test_user, @test_pwd = "sam_#{Time.now.to_i}", "correcthorsebatterystaple"
+    @test_user, @test_pwd = "SaM_#{Time.now.to_i}_", "correcthorsebatterystaple"
     @test_group = "JaNiToRs_#{Time.now.to_i}"
+    @users = ["w", "r", "m", "n"].map { |v| @test_user + v }
+    5.times { |i| @users << @test_user + i.to_s }
+    @users.each { |u| Cli.run("user add #{u} -p #{@test_pwd} --email sam@example.com").should be }
+    Cli.run("group add #{@test_group}").should be
+    Cli.run("groups -a displayName").should be
+    Cli.output.string.should include @test_group
   end
 
-  after :all do cleanup_target end
-  before :each do Cli.output.string = "" end
+  after :all do
+    Cli.run "context #{@test_client}"
+    @users.each { |u| Cli.run("user delete #{u}") }
+    @users.each { |u| Cli.run("user get #{u}").should be_nil }
+    Cli.run("group delete #{@test_group}").should be
+    cleanup_target
+  end
 
+  # actual user and group creation happens in before_all
   it "creates many users and a group as the test client" do
-    Cli.run "context #{@test_client}"
-    Cli.run("user add #{@test_user.upcase} -p #{@test_pwd} " +
-        "--email joey@example.com --family_name JONES --given_name JOE").should be
-    29.times { |i| Cli.run("user add #{@test_user.capitalize}-#{i} -p #{@test_pwd} " +
-        "--email #{@test_user}+#{i}@example.com " +
-        "--family_name #{@test_user.capitalize} --given_name joe").should be }
-    Cli.run("group add #{@test_group}").should be
+    @users.each { |u|
+      Cli.run("user get #{u}").should be
+      Cli.output.string.should include u
+    }
+    @users.each { |u| Cli.run("member add scim.me #{u}").should be }
     Cli.run("groups -a displayName").should be
     Cli.output.string.should include @test_group
+    Cli.run("group get #{@test_group.upcase}").should be
+    Cli.output.string.should include @test_group
+    pending "real uaa can't add members to scim.read group yet" unless @stub_uaa
+    Cli.run("member add scim.read #{@test_user}w").should be
   end
 
   it "gets attributes with case-insensitive attribute names" do
-    Cli.run("groups -a displayname").should be
+    Cli.run("groups -a dISPLAYNAME").should be
     Cli.output.string.should include @test_group
   end
 
   it "lists all users" do
     Cli.run("users -a UsernamE").should be
-    29.times { |i| Cli.output.string.should =~ /#{@test_user.capitalize}-#{i}/i }
-  end
-
-  it "preserves case in names" do
-    Cli.run("users -a username").should be
-    29.times { |i| Cli.output.string.should =~ /#{@test_user.capitalize}-#{i}/ }
+    @users.each { |u| Cli.output.string.should include u }
   end
 
   it "lists a page of users" do
-    Cli.run("users -a userName --count 13 --start 5").should be
-    Cli.output.string.should match /itemsPerPage: 13/i
+    Cli.run("users -a userName --count 4 --start 5").should be
+    Cli.output.string.should match /itemsPerPage: 4/i
     Cli.output.string.should match /startIndex: 5/i
   end
 
+  it "adds one user to the group" do
+    Cli.run("member add #{@test_group} #{@users[0]}").should be
+    Cli.output.string.should include "success"
+  end
+
   it "adds users to the group" do
     cmd = "member add #{@test_group}"
-    29.times { |i| cmd << " #{@test_user.capitalize}-#{i}" }
+    @users.each { |u| cmd << " #{u.upcase}" }
     Cli.run(cmd).should be
     Cli.output.string.should include "success"
   end
 
-  it "adds one user to the group" do
-    Cli.run("member add #{@test_group} #{@test_user}").should be
+  def check_members
+    ids = Cli.output.string.scan(/.*value:\s+([^\s]+)/).flatten
+    ids.size.should == @users.size
+    @users.each { |u|
+      Cli.run("user get #{u} -a id").should be
+      Cli.output.string =~ /.*id:\s+([^\s]+)/
+      ids.delete($1).should == $1
+    }
+    ids.should be_empty
+  end
+
+  it "lists all group members" do
+    Cli.run("group get #{@test_group} -a memBers").should be
+    check_members
+  end
+
+  it "adds one reader to the group" do
+    Cli.run("group reader add #{@test_group} #{@test_user}r").should be
+    Cli.output.string.should include "success"
+  end
+
+  it "adds one writer to the group" do
+    Cli.run("group writer add #{@test_group} #{@test_user}w").should be
+    Cli.run("group reader add #{@test_group} #{@test_user}w").should be
     Cli.output.string.should include "success"
   end
 
+  it "gets readers and writers in the group" do
+    Cli.run("group get #{@test_group}").should be
+    Cli.output.string.should be
+    #puts Cli.output.string
+  end
+
+  it "reads members as a reader" do
+    Cli.run("token owner get #{@test_client} -s #{@test_secret} #{@test_user}r -p #{@test_pwd}").should be
+    Cli.run("group get #{@test_group} -a memBers").should be
+    ids = Cli.output.string.scan(/.*value:\s+([^\s]+)/).flatten
+    @users.size.should == ids.size
+  end
+
+  it "can't write members as a reader" do
+    pending "real uaa can't search for groups by name by scim.me/readers" unless @stub_uaa
+    Cli.run("token owner get #{@test_client} -s #{@test_secret} #{@test_user}r -p #{@test_pwd}").should be
+    Cli.run("member add #{@test_group} #{@test_user}z").should_not be
+    Cli.output.string.should include "access_denied"
+  end
+
+  it "adds a member as a writer" do
+    Cli.run "context #{@test_client}"
+    Cli.run("user add #{@test_user}z -p #{@test_pwd} --email sam@example.com").should be
+    @users << "#{@test_user}z"
+    Cli.run("token owner get #{@test_client} -s #{@test_secret} #{@test_user}w -p #{@test_pwd}").should be
+    Cli.run("member add #{@test_group} #{@test_user}z").should be
+    Cli.run("group get #{@test_group} -a memBers").should be
+    ids = Cli.output.string.scan(/.*value:\s+([^\s]+)/).flatten
+    @users.size.should == ids.size
+    # check_members
+  end
+
+  it "can't read members as a non-reader" do
+    pending "real uaa still returns members even if user is not in readers list" unless @stub_uaa
+    Cli.run("token owner get #{@test_client} -s #{@test_secret} #{@test_user}m -p #{@test_pwd}").should be
+    Cli.run("group get #{@test_group}").should be_nil
+    Cli.output.string.should include "NotFound"
+  end
+
   it "deletes all members from a group" do
-    pending "waiting on bug fix in uaa, [40594865]" if ENV["UAA_CLIENT_TARGET"]
-    cmd = "member delete #{@test_group} #{@test_user.capitalize}"
-    29.times { |i| cmd << " #{@test_user.capitalize}-#{i}" }
+    Cli.run "context #{@test_client}"
+    cmd = "member delete #{@test_group.downcase} "
+    @users.each { |u| cmd << " #{u.downcase}" }
     Cli.run(cmd).should be
     Cli.output.string.should include "success"
-    # and they should really be gone
     Cli.run("group get #{@test_group}")
-    Cli.output.string.should_not match /members/i
+    Cli.output.string.should_not match /members/i # they should really be gone
   end
 
 end

data/spec/spec_helper.rb

@@ -42,8 +42,7 @@ module SpecHelper
   # restriction that the given block cannot include rspec matchers.
   def frequest(on_fiber, &blk)
     return capture_exception(&blk) unless on_fiber
-    result = nil
-    cthred = Thread.current
+    result, cthred = nil, Thread.current
     EM.schedule { Fiber.new { result = capture_exception(&blk); cthred.run }.resume }
     Thread.stop
     result
@@ -51,8 +50,9 @@ module SpecHelper
 
   def setup_target(opts = {})
     opts = { authorities: "clients.read,scim.read,scim.write,uaa.resource",
-      grant_types: "client_credentials,password",
-      scope: "openid,password.write"}.update(opts)
+      grant_types: "client_credentials,password,refresh_token",
+      scope: "openid,password.write,scim.me,scim.read",
+      autoapprove: "openid,password.write,scim.me,scim.read"}.update(opts)
     @admin_client = ENV["UAA_CLIENT_ID"] || "admin"
     @admin_secret = ENV["UAA_CLIENT_SECRET"] || "adminsecret"
     if ENV["UAA_CLIENT_TARGET"]
@@ -68,12 +68,16 @@ module SpecHelper
     @test_secret = "+=tEsTsEcRet~!@"
     Cli.run("client add #{test_client} -s #{@test_secret} " +
         "--authorities #{opts[:authorities]} --scope #{opts[:scope]} " +
-        "--authorized_grant_types #{opts[:grant_types]}").should be
+        "--authorized_grant_types #{opts[:grant_types]} " +
+        "--autoapprove #{opts[:autoapprove]}").should be
     opts.each { |k, a| Util.arglist(a).each {|v| Cli.output.string.should include(v) }}
     @test_client = test_client
   end
 
   def cleanup_target
+    #Cli.run "context #{@test_client}"
+    #Cli.run("groups"); puts Cli.output.string
+    #Cli.run("users"); puts Cli.output.string
     Cli.run("context #{@admin_client}")
     if @test_client && !@test_client.empty?
       Cli.run("client delete #{@test_client}").should be

data/spec/token_spec.rb

@@ -26,14 +26,19 @@ describe TokenCli do
     setup_target(authorities: "clients.read,scim.read,scim.write,uaa.resource")
     Cli.run("token client get #{@test_client} -s #{@test_secret}").should be
     Config.yaml.should include("access_token")
-    @test_pwd = "TesTpwd$%^"
-    @test_user = "tEst_UseR+-#{Time.now.to_i}"
+    @test_pwd = "@~`!$@%#%^$^&*)(|}{[]\":';?><,./"
+    @test_user = "test_user_#{Time.now.to_i}"
     Cli.run("user add #{@test_user} -p #{@test_pwd} " +
         "--emails sam@example.com,joNES@sample.com --given_name SamueL " +
         "--phones 801-555-1212 --family_name jonES").should be
   end
 
-  after :all do cleanup_target end
+  after :all do
+    Cli.run "context #{@test_client}"
+    Cli.run("user delete #{@test_user}").should be
+    Cli.run("user get #{@test_user}").should be_nil
+    cleanup_target
+  end
 
   it "logs in with implicit grant & posted credentials as a user" do
     Cli.run("token get #{@test_user} #{@test_pwd}").should be

data/spec/user_spec.rb

@@ -28,12 +28,15 @@ describe UserCli do
     Config.yaml.should include("access_token")
     @test_pwd = "TesTpwd$%^"
     @test_user = "tEst_UseR_#{Time.now.to_i}"
-    Cli.run("user add #{@test_user} -p #{@test_pwd} " + 
+    Cli.run("user add #{@test_user} -p #{@test_pwd} " +
         "--emails sam@example.com,joNES@sample.com --given_name SamueL " +
         "--phones 801-555-1212 --family_name jonES").should be
   end
 
-  after :all do cleanup_target end
+  after :all do
+    Cli.run("user delete #{@test_user}")
+    cleanup_target
+  end
 
   it "creates a user" do
     Cli.output.string.should include "success"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cf-uaac
 version: !ruby/object:Gem::Version
-  version: 1.3.4
+  version: 1.3.6
   prerelease: 
 platform: ruby
 authors:
@@ -13,7 +13,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-01-05 00:00:00.000000000 Z
+date: 2013-01-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -118,10 +118,10 @@ dependencies:
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
-        version: 1.3.4
+        version: 1.3.6
     - - <=
       - !ruby/object:Gem::Version
-        version: 1.3.4
+        version: 1.3.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -129,10 +129,10 @@ dependencies:
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
-        version: 1.3.4
+        version: 1.3.6
     - - <=
       - !ruby/object:Gem::Version
-        version: 1.3.4
+        version: 1.3.6
 - !ruby/object:Gem::Dependency
   name: highline
   requirement: !ruby/object:Gem::Requirement
@@ -282,7 +282,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 2590273810398717520
+      hash: 4530157202147700966
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -291,7 +291,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 2590273810398717520
+      hash: 4530157202147700966
 requirements: []
 rubyforge_project: cf-uaac
 rubygems_version: 1.8.23