cf-uaac 3.5.0 → 3.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3c37b2ebe3caa99e54b161ddf16ae7621e067753
-  data.tar.gz: 63e43ef4fed0eff9f9dab075a3863589a40ae3f6
+  metadata.gz: 7ad629a17b4992798f2f92eb7c4f6f658220579a
+  data.tar.gz: 69f7b40c269212155448de48f237484d86182486
 SHA512:
-  metadata.gz: be007e6e3dc344260d7248588efbb73a7fbd716c8ed68c082bf7e372cffb1c535d8636db83ce01a7365ec2b33e81e6ca6f127fef28ecbdfd420a0c1f5aaafef0
-  data.tar.gz: c149ebf7f4dfc0ef9324d28d8bd59505fe38af4f41f6a3d49ef1a844b6b239f98489eb4fd73be4a4654b645a4c1b0308c20ad67777f4e1db18831b1899a22f6c
+  metadata.gz: d6ed51ac1f2704d9c6c81f9aae8a05f2c37636697da90e6b7ed253503f6c15d1f7331b3d5b2e98d723cf93b21b6aef06b64d6297b014c98fe87c787ea6ef7bb3
+  data.tar.gz: 7250bf305e3ec5bc959f4b9b61af915b3ef5f3ad247dc44c9568a248b7ccfee6361b0533b324354fd96b303436bc76e1f14f35a15b239ae32437b3a98be90774

data/.travis.yml

@@ -5,7 +5,7 @@ before_install:
   - gem install bundler
 
 rvm:
-  - 1.9.3
+  - 2.2.1
 
 
 

data/cf-uaac.gemspec

@@ -39,7 +39,7 @@ Gem::Specification.new do |s|
   s.add_development_dependency "simplecov", "~> 0.8.2"
   s.add_development_dependency "simplecov-rcov", "~> 0.2.3"
   s.add_development_dependency "ci_reporter", "~> 1.9.2"
-  s.add_runtime_dependency "cf-uaa-lib", "~> 3.7.0"
+  s.add_runtime_dependency "cf-uaa-lib", "~> 3.8.0"
   s.add_runtime_dependency "highline", "~> 1.6.21"
   s.add_runtime_dependency "eventmachine", "~> 1.0.3"
   s.add_runtime_dependency "launchy", "~> 2.4.2"

data/lib/uaa/cli/client_reg.rb

@@ -17,18 +17,18 @@ module CF::UAA
 
 class ClientCli < CommonCli
 
-  topic "Client Application Registrations", "reg"
+  topic 'Client Application Registrations', 'reg'
 
   CLIENT_SCHEMA = {
-      :name => "string",
-      :scope => "list",
-      :authorized_grant_types => "list",
-      :authorities => "list",
-      :access_token_validity => "seconds",
-      :refresh_token_validity => "seconds",
-      :redirect_uri => "list",
-      :autoapprove => "list",
-      :'signup_redirect_url' => "url"
+      :name => 'string',
+      :scope => 'list',
+      :authorized_grant_types => 'list',
+      :authorities => 'list',
+      :access_token_validity => 'seconds',
+      :refresh_token_validity => 'seconds',
+      :redirect_uri => 'list',
+      :autoapprove => 'list',
+      :'signup_redirect_url' => 'url'
   }
   CLIENT_SCHEMA.each { |k, v| define_option(k, "--#{k} <#{v}>") }
 
@@ -45,72 +45,88 @@ class ClientCli < CommonCli
         info[k] = opts[:interact] ?
           info[k] = askd("#{k.to_s.gsub('_', ' ')} (#{p})", default): default
       end
-      if k == :autoapprove && (info[k] == "true" || info[k] == "false")
-        info[k] = !!(info[k] == "true")
+      if k == :autoapprove && (info[k] == 'true' || info[k] == 'false')
+        info[k] = !!(info[k] == 'true')
       else
-        info[k] = Util.arglist(info[k]) if p == "list"
+        info[k] = Util.arglist(info[k]) if p == 'list'
         info.delete(k) unless info[k]
       end
     end
   end
 
-  desc "clients [filter]", "List client registrations", :attrs, :start, :count do |filter|
+  desc 'clients [filter]', 'List client registrations', :attrs, :start, :count do |filter|
     scim_common_list(:client, filter)
   end
 
   desc "client get [id]", "Get specific client registration", :attrs do |id|
-    pp scim_request { |sr| scim_get_object(sr, :client, clientid(id), opts[:attrs]) }
+    pp(scim_request do |sr|
+      client = scim_get_object(sr, :client, clientid(id), opts[:attrs])
+      add_meta_fields_to_client(sr, client)
+    end)
   end
 
-  define_option :clone, "--clone <other>", "get default settings from other"
-  define_option :interact, "--[no-]interactive", "-i", "interactively verify all values"
-  desc "client add [id]", "Add client registration",
+  define_option :clone, '--clone <other>', 'get default settings from other'
+  define_option :interact, '--[no-]interactive', '-i', 'interactively verify all values'
+  desc 'client add [id]', 'Add client registration',
       *CLIENT_SCHEMA.keys, :clone, :secret, :interact do |id|
     pp scim_request { |cr|
       opts[:client_id] = clientid(id)
       opts[:name] = clientname() || opts[:client_id]
-      opts[:secret] = verified_pwd("New client secret", opts[:secret])
+      opts[:secret] = verified_pwd('New client secret', opts[:secret])
       defaults = opts[:clone] ? Util.hash_keys!(cr.get(:client, opts[:clone]), :sym) : {}
       defaults.delete(:client_id)
-      cr.add(:client, client_info(defaults))
+      client = cr.add(:client, client_info(defaults))
+      add_meta_fields_to_client(cr, client)
     }
   end
 
-  desc "client update [id]", "Update client registration", *CLIENT_SCHEMA.keys,
+  desc 'client update [id]', 'Update client registration', *CLIENT_SCHEMA.keys,
       :del_attrs, :interact do |id|
     pp scim_request { |cr|
       opts[:client_id] = clientid(id)
       orig = Util.hash_keys!(cr.get(:client, opts[:client_id]), :sym)
       info = client_info(orig)
-      info.any? { |k, v| v != orig[k] } ? cr.put(:client, info) :
-          gripe("Nothing to update. Use -i for interactive update.")
+      info.any? { |k, v| v != orig[k] } ?
+          update_client(cr, info) :
+          gripe('Nothing to update. Use -i for interactive update.')
     }
   end
 
-  desc "client delete [id]", "Delete client registration" do |id|
+  desc 'client delete [id]', 'Delete client registration' do |id|
     pp scim_request { |cr|
       cr.delete(:client, clientid(id))
-      "client registration deleted"
+      'client registration deleted'
     }
   end
 
-  desc "secret set [id]", "Set client secret", :secret do |id|
+  desc 'secret set [id]', 'Set client secret', :secret do |id|
     pp scim_request { |cr|
-      cr.change_secret(clientid(id), verified_pwd("New secret", opts[:secret]))
-      "client secret successfully set"
+      cr.change_secret(clientid(id), verified_pwd('New secret', opts[:secret]))
+      'client secret successfully set'
     }
   end
 
-  define_option :old_secret, "--old_secret <secret>", "current secret"
-  desc "secret change", "Change secret for authenticated client in current context", :old_secret, :secret do
-    return gripe "context not set" unless client_id = Config.context.to_s
+  define_option :old_secret, '--old_secret <secret>', 'current secret'
+  desc 'secret change', 'Change secret for authenticated client in current context', :old_secret, :secret do
+    return gripe 'context not set' unless client_id = Config.context.to_s
     scim_request { |cr|
-      old = opts[:old_secret] || ask_pwd("Current secret")
-      cr.change_secret(client_id, verified_pwd("New secret", opts[:secret]), old)
-      "client secret successfully changed"
+      old = opts[:old_secret] || ask_pwd('Current secret')
+      cr.change_secret(client_id, verified_pwd('New secret', opts[:secret]), old)
+      'client secret successfully changed'
     }
   end
 
+  private
+
+  def update_client(cr, info)
+    client = cr.put(:client, info)
+    add_meta_fields_to_client(cr, client)
+  end
+
+  def add_meta_fields_to_client(cr, client)
+    meta = cr.get_client_meta(client['client_id'])
+    client.merge({:created_by => meta['createdby']})
+  end
 end
 
 end

data/lib/uaa/cli/user.rb

@@ -17,12 +17,12 @@ module CF::UAA
 
 class UserCli < CommonCli
 
-  topic "User Accounts", "account"
+  topic 'User Accounts', 'account'
 
-  define_option :givenName, "--given_name <name>"
-  define_option :familyName, "--family_name <name>"
-  define_option :emails, "--emails <addresses>"
-  define_option :phoneNumbers, "--phones <phone_numbers>"
+  define_option :givenName, '--given_name <name>'
+  define_option :familyName, '--family_name <name>'
+  define_option :emails, '--emails <addresses>'
+  define_option :phoneNumbers, '--phones <phone_numbers>'
   USER_INFO_OPTS = [:givenName, :familyName, :emails, :phoneNumbers]
 
   def user_opts(info = {})
@@ -35,77 +35,102 @@ class UserCli < CommonCli
     info
   end
 
-  define_option :attrs, "-a", "--attributes <names>", "output for each user"
-  define_option :start, "--start <number>", "start of output page"
-  define_option :count, "--count <number>", "max number per page"
-  desc "users [filter]", "List user accounts", :attrs, :start, :count do |filter|
+  define_option :attrs, '-a', '--attributes <names>', 'output for each user'
+  define_option :start, '--start <number>', 'start of output page'
+  define_option :count, '--count <number>', 'max number per page'
+  desc 'users [filter]', 'List user accounts', :attrs, :start, :count do |filter|
     scim_common_list(:user, filter)
   end
 
-  desc "user get [name]", "Get specific user account", :attrs do |name|
+  desc 'user get [name]', 'Get specific user account', :attrs do |name|
     pp scim_request { |sr| scim_get_object(sr, :user, username(name), opts[:attrs]) }
   end
 
-  desc "user add [name]", "Add a user account", *USER_INFO_OPTS, :password do |name|
-    info = {userName: username(name), password: verified_pwd("Password", opts[:password])}
+  desc 'user add [name]', 'Add a user account', *USER_INFO_OPTS, :password do |name|
+    info = {userName: username(name), password: verified_pwd('Password', opts[:password])}
     pp scim_request { |ua|
       ua.add(:user, user_opts(info))
-      "user account successfully added"
+      'user account successfully added'
     }
   end
 
-  define_option :del_attrs, "--del_attrs <attr_names>", "list of attributes to delete"
-  desc "user update [name]", "Update a user account with specified options",
+  define_option :del_attrs, '--del_attrs <attr_names>', 'list of attributes to delete'
+  desc 'user update [name]', 'Update a user account with specified options',
       *USER_INFO_OPTS, :del_attrs do |name|
-    return say "no user updates specified" if (updates = user_opts).empty?
+    return say 'no user updates specified' if (updates = user_opts).empty?
     pp scim_request { |ua|
       info = ua.get(:user, ua.id(:user, username(name)))
       opts[:del_attrs].each { |a| info.delete(a.to_s) } if opts[:del_attrs]
       ua.put(:user, info.merge(updates))
-      "user account successfully updated"
+      'user account successfully updated'
     }
   end
 
-  desc "user delete [name]", "Delete user account" do |name|
+  desc 'user delete [name]', 'Delete user account' do |name|
     pp scim_request { |ua|
       ua.delete(:user, ua.id(:user, username(name)))
-      "user account successfully deleted"
+      'user account successfully deleted'
     }
   end
 
-  desc "user ids [username|id...]", "Gets user names and ids for the given users" do |*users|
+  desc 'user ids [username|id...]', 'Gets user names and ids for the given users' do |*users|
     pp scim_request { |ua|
-      users = Util.arglist(ask("names or ids of users")) if !users || users.empty?
+      users = Util.arglist(ask('names or ids of users')) if !users || users.empty?
       ids = ua.ids(:user_id, *users)
-      raise NotFound, "no users found" unless ids && ids.length > 0
+      raise NotFound, 'no users found' unless ids && ids.length > 0
       ids
     }
   end
 
-  desc "user unlock [name]", "Unlocks the user account" do |name|
+  desc 'user unlock [name]', 'Unlocks the user account' do |name|
     pp scim_request { |ua|
       ua.unlock_user( ua.id(:user, username(name)))
-      "user account successfully unlocked"
+      'user account successfully unlocked'
     }
   end
 
-  desc "password set [name]", "Set password", :password do |name|
+  desc 'user deactivate [name]', 'Deactivates user' do |name|
     pp scim_request { |ua|
-      ua.change_password(ua.id(:user, username(name)), verified_pwd("New password", opts[:password]))
-      "password successfully set"
+      change_activation(ua, name, false)
+      'user account successfully deactivated'
     }
   end
 
-  define_option :old_password, "-o", "--old_password <password>", "current password"
-  desc "password change", "Change password for authenticated user in current context", :old_password, :password do
+  desc 'user activate [name]', 'Activates user' do |name|
     pp scim_request { |ua|
-      raise "no user_id in current context" unless Config.value(:user_id)
-      oldpwd = opts[:old_password] || ask_pwd("Current password")
-      ua.change_password(Config.value(:user_id), verified_pwd("New password", opts[:password]), oldpwd)
-      "password successfully changed"
+      change_activation(ua, name, true)
+      'user account successfully activated'
     }
   end
 
+  desc 'password set [name]', 'Set password', :password do |name|
+    pp scim_request { |ua|
+      ua.change_password(ua.id(:user, username(name)), verified_pwd('New password', opts[:password]))
+      'password successfully set'
+    }
+  end
+
+  define_option :old_password, '-o', '--old_password <password>', 'current password'
+  desc 'password change', 'Change password for authenticated user in current context', :old_password, :password do
+    pp scim_request { |ua|
+      raise 'no user_id in current context' unless Config.value(:user_id)
+      oldpwd = opts[:old_password] || ask_pwd('Current password')
+      ua.change_password(Config.value(:user_id), verified_pwd('New password', opts[:password]), oldpwd)
+      'password successfully changed'
+    }
+  end
+
+  def change_activation(ua, name, activate)
+    info = ua.get(:user, ua.id(:user, username(name)))
+
+    required_info = ['id', 'username', 'name', 'emails', 'meta'].inject({}) do |res, required_param|
+      res[required_param] = info[required_param]
+      res
+    end
+
+    required_info['active'] = activate
+    ua.patch(:user, required_info)
+  end
 end
 
 end

data/lib/uaa/cli/version.rb

@@ -14,6 +14,6 @@
 # Cloud Foundry namespace
 module CF
   module UAA
-    CLI_VERSION = "3.5.0"
+    CLI_VERSION = "3.6.0"
   end
 end

data/lib/uaa/stub/scim.rb

@@ -27,6 +27,8 @@ class StubScim
 
   private
 
+  CREATOR = 'Stalin'
+
   # attribute types. Anything not listed is case-ignore string
   HIDDEN_ATTRS = [:rtype, :password, :client_secret].to_set
   READ_ONLY_ATTRS = [:rtype, :id, :meta, :groups].to_set
@@ -163,7 +165,7 @@ class StubScim
   def output(thing, attrs = nil)
     attrs = thing.keys if attrs.nil? || attrs.empty?
     attrs.each_with_object({}) {|a, o|
-      next unless thing[a]
+      next if thing[a].nil?
       case a
       when *MEMBERSHIP
         o[a] = thing[a].each_with_object([]) { |v, a|
@@ -192,7 +194,10 @@ class StubScim
 
   public
 
-  def initialize; @things_by_id, @things_by_name = {}, {} end
+  def initialize
+    @things_by_id, @things_by_name, @clients_metadata = {}, {}, {}
+  end
+
   def name(id, rtype = nil) (t = ref_by_id(id, rtype))? t[NAME_ATTR[t[:rtype]]]: nil end
   def id(name, rtype) (t = ref_by_name(name, rtype))? t[:id] : nil end
 
@@ -203,7 +208,10 @@ class StubScim
     raise AlreadyExists if @things_by_name.key?(name = rtype.to_s + name.downcase)
     enforce_schema(rtype, stuff)
     thing = input(stuff).merge!(rtype: rtype, id: (id = SecureRandom.uuid),
-        meta: { created: Time.now.iso8601, last_modified: Time.now.iso8601, version: 1 })
+        meta: { created: Time.now.iso8601, last_modified: Time.now.iso8601, version: 1})
+    if rtype == :client
+      @clients_metadata[stuff['client_id']] = {:createdby => CREATOR}
+    end
     add_user_groups(id, thing[:members])
     @things_by_id[id] = @things_by_name[name] = thing
     id
@@ -236,6 +244,35 @@ class StubScim
     id
   end
 
+  def patch(id, stuff, match_version = nil, match_type = nil)
+    raise NotFound unless thing = ref_by_id(id, match_type)
+    raise BadVersion if match_version && match_version != thing[:meta][:version]
+    enforce_schema(rtype = thing[:rtype], remove_attrs(stuff, READ_ONLY_ATTRS))
+    new_thing = input(stuff)
+    if newname = new_thing[NAME_ATTR[rtype]]
+      oldname = rtype.to_s + thing[NAME_ATTR[rtype]].downcase
+      unless (newname = rtype.to_s + newname.downcase) == oldname
+        raise AlreadyExists if @things_by_name.key?(newname)
+        @things_by_name.delete(oldname)
+        @things_by_name[newname] = thing
+      end
+    end
+    if new_thing[:members] || thing[:members]
+      old_members = thing[:members] || Set.new
+      new_members = new_thing[:members] || Set.new
+      delete_user_groups(id, old_members - new_members)
+      add_user_groups(id, new_members - old_members)
+    end
+    READ_ONLY_ATTRS.each { |a| new_thing[a] = thing[a] if thing[a] }
+    HIDDEN_ATTRS.each { |a| new_thing[a] = thing[a] if thing[a] }
+    new_thing.each do |key, value|
+      thing[key] = value
+    end
+    thing[:meta][:version] += 1
+    thing[:meta][:lastmodified] == Time.now.iso8601
+    id
+  end
+
   def add_member(gid, member)
     return unless g = ref_by_id(gid, :group)
     (g[:members] ||= Set.new) << member
@@ -267,6 +304,10 @@ class StubScim
     output(thing, attrs)
   end
 
+  def get_client_meta(client_id)
+    @clients_metadata[client_id]
+  end
+
   def get_by_name(name, rtype, *attrs)
     return unless thing = ref_by_name(name, rtype)
     output(thing, attrs)

data/lib/uaa/stub/uaa.rb

@@ -23,32 +23,33 @@ class StubUAAConn < Stub::Base
 
   def inject_error(input = nil)
     case server.reply_badly
-    when :non_json then reply.text("non-json reply")
-    when :bad_json then reply.body = %<{"access_token":"good.access.token" "missed a comma":"there"}>
-    when :bad_state then input[:state] = "badstate"
+    when :non_json then reply.text('non-json reply')
+    when :bad_json then reply.body = '{"access_token":"good.access.token" "missed a comma":"there"}'
+    when :bad_state then input[:state] = 'badstate'
     when :no_token_type then input.delete(:token_type)
     end
   end
 
   def bad_request(msg = nil); reply_in_kind(400, error: "bad request#{msg ? ',' : ''} #{msg}") end
   def not_found(name = nil); reply_in_kind(404, error: "#{name} not found") end
-  def access_denied(msg = "access denied") reply_in_kind(403, error: "access_denied", error_description: msg) end
+  def access_denied(msg = 'access denied') reply_in_kind(403, error: 'access_denied', error_description: msg) end
   def ids_to_names(ids); ids ? ids.map { |id| server.scim.name(id) } : [] end
   def names_to_ids(names, rtype); names ? names.map { |name| server.scim.id(name, rtype) } : [] end
   def encode_cookie(obj = {}) Util.json_encode64(obj) end
   def decode_cookie(str) Util.json.decode64(str) end
 
   def valid_token(accepted_scope)
-    return nil unless (ah = request.headers["authorization"]) && (ah = ah.split(' '))[0] =~ /^bearer$/i
-    contents = TokenCoder.decode(ah[1], accept_algorithms: "none")
-    contents["scope"], accepted_scope = Util.arglist(contents["scope"]), Util.arglist(accepted_scope)
-    return contents if accepted_scope.nil? || !(accepted_scope & contents["scope"]).empty?
+    return nil unless (ah = request.headers['authorization']) && (ah = ah.split(' '))[0] =~ /^bearer$/i
+    contents = TokenCoder.decode(ah[1], accept_algorithms: 'none')
+    contents['scope'], accepted_scope = Util.arglist(contents['scope']), Util.arglist(accepted_scope)
+    return contents if accepted_scope.nil? || !(accepted_scope & contents['scope']).empty?
     access_denied("accepted scope #{Util.strlist(accepted_scope)}")
   end
 
   def primary_email(emails)
     return unless emails
-    emails.each {|e| return e[:value] if e[:type] && e[:type] == "primary"}
+    emails.each {|e| return e[:value] if e[:type] && e[:type] == 'primary'
+    }
     emails[0][:value]
   end
 
@@ -61,52 +62,52 @@ class StubUAAConn < Stub::Base
   # miscellaneous endpoints
   #
 
-  def default_route; reply_in_kind(404, error: "not found", error_description: "unknown path #{request.path}") end
+  def default_route; reply_in_kind(404, error: 'not found', error_description: "unknown path #{request.path}") end
 
   route :get, '/favicon.ico' do
-    reply.headers[:content_type] = "image/vnd.microsoft.icon"
+    reply.headers[:content_type] = 'image/vnd.microsoft.icon'
     reply.body = File.read File.expand_path(File.join(__FILE__, '..', '..', 'lib', 'cli', 'favicon.ico'))
   end
 
   route :put, '/another-fake-endpoint' do
-    return unless valid_token("clients.read")
+    return unless valid_token('clients.read')
     parsed = JSON.parse(request.body)
     reply_in_kind(202, parsed.merge(:updated => 42))
   end
 
   route :put, '/fake-endpoint-empty-response' do
-    return unless valid_token("clients.read")
+    return unless valid_token('clients.read')
     reply.empty()
   end
 
   route :get, '/my-fake-endpoint' do
-    return unless valid_token("clients.read")
-    reply_in_kind(200, "some fake response text")
+    return unless valid_token('clients.read')
+    reply_in_kind(200, 'some fake response text')
   end
 
   route :get, '/' do reply_in_kind "welcome to stub UAA, version #{VERSION}" end
   route :get, '/varz' do reply_in_kind(mem: 0, type: 'UAA', app: { version: VERSION } ) end
-  route :get, '/token_key' do reply_in_kind(alg: "none", value: "none") end
+  route :get, '/token_key' do reply_in_kind(alg: 'none', value: 'none') end
 
-  route :post, '/password/score', "content-type" => %r{application/x-www-form-urlencoded} do
+  route :post, '/password/score', 'content-type' => %r{application/x-www-form-urlencoded} do
     info = Util.decode_form(request.body)
-    return bad_request "no password to score" unless pwd = info["password"]
+    return bad_request 'no password to score' unless pwd = info['password']
     score = pwd.length > 10 || pwd.length < 0 ? 10 : pwd.length
     reply_in_kind(score: score, requiredScore: 0)
   end
 
   route :get, %r{^/userinfo(\?|$)(.*)} do
-    return not_found unless (tokn = valid_token("openid")) &&
-        (info = server.scim.get(tokn["user_id"], :user, :username, :id, :emails)) && info[:username]
+    return not_found unless (tokn = valid_token('openid')) &&
+        (info = server.scim.get(tokn['user_id'], :user, :username, :id, :emails)) && info[:username]
     reply_in_kind(user_id: info[:id], user_name: info[:username], email: primary_email(info[:emails]))
   end
 
   route :get, '/login' do
-    return reply_in_kind(server.info) unless request.headers["accept"] =~ /text\/html/
-    session = decode_cookie(request.cookies["stubsession"]) || {}
-    if session["username"]
+    return reply_in_kind(server.info) unless request.headers['accept'] =~ /text\/html/
+    session = decode_cookie(request.cookies['stubsession']) || {}
+    if session['username']
       page = <<-DATA.gsub(/^ +/, '')
-        you are logged in as #{session["username"]}
+        you are logged in as #{session['username']}
         <form id='logout' action='login.do' method='get' accept-charset='UTF-8'>
         <input type='submit' name='submit' value='Logout' /></form>
       DATA
@@ -124,17 +125,17 @@ class StubUAAConn < Stub::Base
     #reply.set_cookie(:stubsession, encode_cookie(session), httponly: nil)
   end
 
-  route :post, '/login.do', "content-type" => %r{application/x-www-form-urlencoded} do
+  route :post, '/login.do', 'content-type' => %r{application/x-www-form-urlencoded} do
     creds = Util.decode_form(request.body)
     user = find_user(creds['username'], creds['password'])
-    reply.headers[:location] = "login"
+    reply.headers[:location] = 'login'
     reply.status = 302
     reply.set_cookie(:stubsession, encode_cookie(username: user[:username], httponly: nil))
   end
 
   route :get, %r{^/logout.do(\?|$)(.*)} do
     query = Util.decode_form(match[2])
-    reply.headers[:location] = query['redirect_uri'] || "login"
+    reply.headers[:location] = query['redirect_uri'] || 'login'
     reply.status = 302
     reply.set_cookie(:stubsession, encode_cookie, max_age: -1)
   end
@@ -156,9 +157,9 @@ class StubUAAConn < Stub::Base
       token_body[:user_name] = user[:username]
     end
     info = { access_token: TokenCoder.encode(token_body, :algorithm => 'none'),
-        token_type: "bearer", expires_in: interval, scope: scope}
+        token_type: 'bearer', expires_in: interval, scope: scope}
     info[:state] = state if state
-    info[:refresh_token] = "universal_refresh_token" if refresh
+    info[:refresh_token] = 'universal_refresh_token' if refresh
     inject_error(info)
     info
   end
@@ -211,45 +212,45 @@ class StubUAAConn < Stub::Base
 
   route [:post, :get], %r{^/oauth/authorize\?(.*)} do
     query = Util.decode_form(match[1])
-    client = server.scim.get_by_name(query["client_id"], :client)
-    cburi, state = query["redirect_uri"], query["state"]
+    client = server.scim.get_by_name(query['client_id'], :client)
+    cburi, state = query['redirect_uri'], query['state']
 
     # if invalid client_id or redir_uri: inform resource owner, do not redirect
     unless client && valid_redir_uri?(client, cburi)
-      return bad_request "invalid client_id or redirect_uri"
+      return bad_request 'invalid client_id or redirect_uri'
     end
-    if query["response_type"] == 'token'
-      unless client[:authorized_grant_types].include?("implicit")
-        return redir_err_f(cburi, state, "unauthorized_client")
+    if query['response_type'] == 'token'
+      unless client[:authorized_grant_types].include?('implicit')
+        return redir_err_f(cburi, state, 'unauthorized_client')
       end
-      if request.method == "post"
-        unless request.headers["content-type"] =~ %r{application/x-www-form-urlencoded} &&
+      if request.method == 'post'
+        unless request.headers['content-type'] =~ %r{application/x-www-form-urlencoded} &&
             (creds = Util.decode_form(request.body)) &&
-            creds["source"] && creds["source"] == "credentials"
-          return redir_err_f(cburi, state, "invalid_request")
+            creds['source'] && creds['source'] == 'credentials'
+          return redir_err_f(cburi, state, 'invalid_request')
         end
-        unless user = find_user(creds["username"], creds["password"])
-          return redir_err_f(cburi, state, "access_denied")
+        unless user = find_user(creds['username'], creds['password'])
+          return redir_err_f(cburi, state, 'access_denied')
         end
       else
         return reply.status = 501 # TODO: how to authN user and ask for authorizations?
       end
-      unless (granted_scope = calc_scope(client, user, query["scope"]))
-        return redir_err_f(cburi, state, "invalid_scope")
+      unless (granted_scope = calc_scope(client, user, query['scope']))
+        return redir_err_f(cburi, state, 'invalid_scope')
       end
       # TODO: how to stub any remaining scopes that are not auto-approve?
-      token_reply_info = token_reply_info(client, granted_scope, user, query["state"])
-      token_reply_info.delete(:scope) if query["scope"]
+      token_reply_info = token_reply_info(client, granted_scope, user, query['state'])
+      token_reply_info.delete(:scope) if query['scope']
       return redir_with_fragment(cburi, token_reply_info)
     end
-    return redir_err_q(cburi, state, "invalid_request") unless request.method == "get"
-    return redir_err_q(cburi, state, "unsupported_response_type") unless query["response_type"] == 'code'
-    unless client[:authorized_grant_types].include?("authorization_code")
-      return redir_err_f(cburi, state, "unauthorized_client")
+    return redir_err_q(cburi, state, 'invalid_request') unless request.method == 'get'
+    return redir_err_q(cburi, state, 'unsupported_response_type') unless query['response_type'] == 'code'
+    unless client[:authorized_grant_types].include?('authorization_code')
+      return redir_err_f(cburi, state, 'unauthorized_client')
     end
-    return reply.status = 501 unless query["emphatic_user"] # TODO: how to authN user and ask for authorizations?
-    return redir_err_f(cburi, state, "access_denied") unless user = find_user(query["emphatic_user"])
-    scope = calc_scope(client, user, query["scope"])
+    return reply.status = 501 unless query['emphatic_user'] # TODO: how to authN user and ask for authorizations?
+    return redir_err_f(cburi, state, 'access_denied') unless user = find_user(query['emphatic_user'])
+    scope = calc_scope(client, user, query['scope'])
     redir_with_query(cburi, state: state, code: assign_auth_code(client[:id], user[:id], scope, cburi))
   end
 
@@ -257,13 +258,13 @@ class StubUAAConn < Stub::Base
   def bad_params?(params, required, optional = nil)
     required.each {|r|
       next if params[r]
-      reply.json(400, error: "invalid_request", error_description: "no #{r} in request")
+      reply.json(400, error: 'invalid_request', error_description: "no #{r} in request")
       return true
     }
     return false unless optional
     params.each {|k, v|
       next if required.include?(k) || optional.include?(k)
-      reply.json(400, error: "invalid_request", error_description: "#{k} not allowed")
+      reply.json(400, error: 'invalid_request', error_description: "#{k} not allowed")
       return true
     }
     false
@@ -275,7 +276,7 @@ class StubUAAConn < Stub::Base
   class << self; attr_accessor :authcode_store end
   def assign_auth_code(client_id, user_id, scope, redir_uri)
     code = SecureRandom.base64(8)
-    raise "authcode collision" if self.class.authcode_store[code]
+    raise 'authcode collision' if self.class.authcode_store[code]
     self.class.authcode_store[code] = {client_id: client_id, user_id: user_id,
         scope: scope, redir_uri: redir_uri}
     code
@@ -286,25 +287,25 @@ class StubUAAConn < Stub::Base
     [info[:user_id], info[:scope]]
   end
 
-  route :post, "/oauth/token", "content-type" => %r{application/x-www-form-urlencoded},
-        "accept" => %r{application/json} do
-    unless client = auth_client(request.headers["authorization"])
-      reply.headers[:www_authenticate] = "basic"
-      return reply.json(401, error: "invalid_client")
+  route :post, '/oauth/token', 'content-type' => %r{application/x-www-form-urlencoded},
+        'accept' => %r{application/json} do
+    unless client = auth_client(request.headers['authorization'])
+      reply.headers[:www_authenticate] = 'basic'
+      return reply.json(401, error: 'invalid_client')
     end
     return if bad_params?(params = Util.decode_form(request.body), ['grant_type'])
     unless client[:authorized_grant_types].include?(params['grant_type'])
-      return reply.json(400, error: "unauthorized_client")
+      return reply.json(400, error: 'unauthorized_client')
     end
     case params.delete('grant_type')
-    when "authorization_code"
+    when 'authorization_code'
        # TODO: need authcode store with requested scope, redir_uri must match
       return if bad_params?(params, ['code', 'redirect_uri'], [])
       user_id, scope = redeem_auth_code(client[:id], params['redirect_uri'], params['code'])
-      return reply.json(400, error: "invalid_grant") unless user_id && scope
+      return reply.json(400, error: 'invalid_grant') unless user_id && scope
       user = server.scim.get(user, :user, :id, :emails, :username)
       reply.json(token_reply_info(client, scope, user, nil, true))
-    when "password"
+    when 'password'
       notPassword = bad_params?(params, ['username', 'password'], ['scope'])
       notPasscode = bad_params?(params, ['passcode'], ['scope'])
       return if notPasscode && notPassword
@@ -316,33 +317,33 @@ class StubUAAConn < Stub::Base
         username, password = Base64::urlsafe_decode64(params['passcode']).split
       end
       user = find_user(username, password)
-      return reply.json(400, error: "invalid_grant") unless user
+      return reply.json(400, error: 'invalid_grant') unless user
       scope = calc_scope(client, user, params['scope'])
-      return reply.json(400, error: "invalid_scope") unless scope
+      return reply.json(400, error: 'invalid_scope') unless scope
       reply.json(200, token_reply_info(client, scope, user))
-    when "client_credentials"
+    when 'client_credentials'
       return if bad_params?(params, [], ['scope'])
       scope = calc_scope(client, nil, params['scope'])
-      return reply.json(400, error: "invalid_scope") unless scope
+      return reply.json(400, error: 'invalid_scope') unless scope
       reply.json(token_reply_info(client, scope))
-    when "refresh_token"
+    when 'refresh_token'
       return if bad_params?(params, ['refresh_token'], ['scope'])
-      return reply.json(400, error: "invalid_grant") unless params['refresh_token'] == "universal_refresh_token"
+      return reply.json(400, error: 'invalid_grant') unless params['refresh_token'] == 'universal_refresh_token'
       # TODO: max scope should come from refresh token, or user from refresh token
       # this should use calc_scope when we know the user
       scope = ids_to_names(client[:scope])
       scope = Util.strlist(Util.arglist(params['scope'], scope) & scope)
-      return reply.json(400, error: "invalid_scope") if scope.empty?
+      return reply.json(400, error: 'invalid_scope') if scope.empty?
       reply.json(token_reply_info(client, scope))
     else
-      reply.json(400, error: "unsupported_grant_type")
+      reply.json(400, error: 'unsupported_grant_type')
     end
     inject_error
   end
 
-  route :post, "/alternate/oauth/token", "content-type" => %r{application/x-www-form-urlencoded},
-        "accept" => %r{application/json} do
-    request.path.replace("/oauth/token")
+  route :post, '/alternate/oauth/token', 'content-type' => %r{application/x-www-form-urlencoded},
+        'accept' => %r{application/json} do
+    request.path.replace('/oauth/token')
     server.info.delete(:token_endpoint) # this indicates this was executed for a unit test
     process
   end
@@ -362,101 +363,106 @@ class StubUAAConn < Stub::Base
   end
 
   route :get, %r{^/oauth/clients(\?|$)(.*)} do
-    return unless valid_token("clients.read")
+    return unless valid_token('clients.read')
     info, _ = server.scim.find(:client)
     reply_in_kind(info.each_with_object({}) {|c, o| o[c[:client_id]] = scim_to_client(c)})
   end
 
-  route :post, '/oauth/clients', "content-type" => %r{application/json} do
-    return unless valid_token("clients.write")
+  route :post, '/oauth/clients', 'content-type' => %r{application/json} do
+    return unless valid_token('clients.write')
     id = server.scim.add(:client, client_to_scim(Util.json_parse(request.body, :down)))
     reply_in_kind scim_to_client(server.scim.get(id, :client, *StubScim::VISIBLE_ATTRS[:client]))
   end
 
-  route :put, %r{^/oauth/clients/([^/]+)$}, "content-type" => %r{application/json} do
-    return unless valid_token("clients.write")
+  route :put, %r{^/oauth/clients/([^/]+)$}, 'content-type' => %r{application/json} do
+    return unless valid_token('clients.write')
     info = client_to_scim(Util.json_parse(request.body, :down))
     server.scim.update(server.scim.id(match[1], :client), info)
     reply.json(scim_to_client(info))
   end
 
   route :get, %r{^/oauth/clients/([^/]+)$} do
-    return unless valid_token("clients.read")
+    return unless valid_token('clients.read')
     return not_found(match[1]) unless client = server.scim.get_by_name(match[1], :client, *StubScim::VISIBLE_ATTRS[:client])
     reply_in_kind(scim_to_client(client))
   end
 
+  route :get, %r{^/oauth/clients/([^/]+)/meta$} do
+    return unless valid_token('clients.read')
+    reply_in_kind(server.scim.get_client_meta(match[1]))
+  end
+
   route :delete, %r{^/oauth/clients/([^/]+)$} do
-    return unless valid_token("clients.write")
+    return unless valid_token('clients.write')
     return not_found(match[1]) unless server.scim.delete(server.scim.id(match[1], :client))
   end
 
-  route :put, %r{^/oauth/clients/([^/]+)/secret$}, "content-type" => %r{application/json} do
+  route :put, %r{^/oauth/clients/([^/]+)/secret$}, 'content-type' => %r{application/json} do
     info = Util.json_parse(request.body, :down)
     return not_found(match[1]) unless id = server.scim.id(match[1], :client)
-    return bad_request("no new secret given") unless info['secret']
+    return bad_request('no new secret given') unless info['secret']
     if oldsecret = info['oldsecret']
-      return unless valid_token("clients.secret")
+      return unless valid_token('clients.secret')
       return not_found(match[1]) unless client = server.scim.get(id, :client, :client_secret)
-      return bad_request("old secret does not match") unless oldsecret == client[:client_secret]
+      return bad_request('old secret does not match') unless oldsecret == client[:client_secret]
     else
-      return unless valid_token("uaa.admin")
+      return unless valid_token('uaa.admin')
     end
     server.scim.set_hidden_attr(id, :client_secret, info['secret'])
-    reply.json(status: "ok", message: "secret updated")
+    reply.json(status: 'ok', message: 'secret updated')
   end
 
   #----------------------------------------------------------------------------
   # users and groups endpoints
   #
-  route :post, %r{^/(Users|Groups)$}, "content-type" => %r{application/json} do
-    return unless valid_token("scim.write")
-    rtype = match[1] == "Users"? :user : :group
+  route :post, %r{^/(Users|Groups)$}, 'content-type' => %r{application/json} do
+    return unless valid_token('scim.write')
+    rtype = match[1] == 'Users' ? :user : :group
     id = server.scim.add(rtype, Util.json_parse(request.body, :down))
     server.auto_groups.each {|g| server.scim.add_member(g, id)} if rtype == :user && server.auto_groups
     reply_in_kind server.scim.get(id, rtype, *StubScim::VISIBLE_ATTRS[rtype])
   end
 
   def obj_access?(rtype, oid, perm)
-    major_scope = perm == :writers ? "scim.write" : "scim.read"
+    major_scope = perm == :writers ? 'scim.write' : 'scim.read'
     return unless tkn = valid_token("#{major_scope} scim.me")
-    return tkn if tkn["scope"].include?(major_scope) ||
-        rtype == :group && server.scim.is_member(oid, tkn["user_id"], perm)
+    return tkn if tkn['scope'].include?(major_scope) ||
+        rtype == :group && server.scim.is_member(oid, tkn['user_id'], perm)
     access_denied
   end
 
-  route :put, %r{^/(Users|Groups)/([^/]+)$}, "content-type" => %r{application/json} do
-    rtype = match[1] == "Users"? :user : :group
+  route :put, %r{^/(Users|Groups)/([^/]+)$}, 'content-type' => %r{application/json} do
+    rtype = match[1] == 'Users' ? :user : :group
     return unless obj_access?(rtype, match[2], :writers)
     version = request.headers['if-match']
     version = version.to_i if version.to_i.to_s == version
     begin
       id = server.scim.update(match[2], Util.json_parse(request.body, :down), version, rtype)
       reply_in_kind server.scim.get(id, rtype, *StubScim::VISIBLE_ATTRS[rtype])
-    rescue BadVersion; reply_in_kind(409, error: "invalid object version")
+    rescue BadVersion; reply_in_kind(409, error: 'invalid object version')
     rescue NotFound; not_found(match[2])
     end
   end
 
-  route :post, %r{^/Groups/External$}, "content-type" => %r{application/json} do
+  route :post, %r{^/Groups/External$}, 'content-type' => %r{application/json} do
     json = Util.json_parse(request.body, :down)
-    external_group = json["externalgroup"]
-    group_name = json["displayname"]
-    group_id = json["groupid"]
-    origin = json["origin"]
+    external_group = json['externalgroup']
+    group_name = json['displayname']
+    group_id = json['groupid']
+    origin = json['origin']
     group = server.scim.add_group_mapping(external_group, group_id, group_name, origin)
     reply_in_kind(displayName: group[:displayname], externalGroup: external_group, groupId: group[:id], origin: origin)
   end
 
   route :get, %r{^/Groups/External/list(\?|$)(.*)} do
-    return unless valid_token("scim.read")
+    return unless valid_token('scim.read')
 
     query_params = CGI::parse(match[2])
 
-    start_index_param = query_params["startIndex"].first
+    start_index_param = query_params['startIndex'].first
     start_index = start_index_param.empty? ? 1 : start_index_param.to_i
 
-    count_param = query_params["count"].first
+    count_param = query_params['count'].first
     count = count_param.empty? ? 100 : count_param.to_i
 
     group_mappings = server.scim.get_group_mappings
@@ -466,7 +472,7 @@ class StubUAAConn < Stub::Base
   end
 
   route :delete, %r{^/Groups/External/groupId/([^/]+)/externalGroup/([^/]+)/origin/([^/]+)$} do
-    return unless valid_token("scim.write")
+    return unless valid_token('scim.write')
 
     group_id = match[1]
     external_group = match[2]
@@ -492,18 +498,18 @@ class StubUAAConn < Stub::Base
     end
     start = sanitize_int(query['startindex'], 1, 1)
     count = sanitize_int(query['count'], 15, 1, 3000)
-    return bad_request("invalid startIndex or count") unless start && count
+    return bad_request('invalid startIndex or count') unless start && count
     info, total = server.scim.find(rtype, start: start - 1, count: count,
         filter: query['filter'], attrs: attrs, acl: acl, acl_id: acl_id)
     reply_in_kind(resources: info, itemsPerPage: info.length, startIndex: start, totalResults: total)
   end
 
   route :get, %r{^/(Users|Groups)(\?|$)(.*)} do
-    rtype = match[1] == "Users"? :user : :group
-    return unless tkn = valid_token("scim.read scim.me")
+    rtype = match[1] == 'Users' ? :user : :group
+    return unless tkn = valid_token('scim.read scim.me')
     acl = acl_id = nil
-    unless tkn["scope"].include?("scim.read")
-      acl, acl_id = :readers, tkn["user_id"]
+    unless tkn['scope'].include?('scim.read')
+      acl, acl_id = :readers, tkn['user_id']
       return access_denied unless rtype == :group && acl_id
     end
     page_query(rtype, Util.decode_form(match[3], :down),
@@ -511,7 +517,7 @@ class StubUAAConn < Stub::Base
   end
 
   route :get, %r{^/(Users|Groups)/([^/]+)$} do
-    rtype = match[1] == "Users"? :user : :group
+    rtype = match[1] == 'Users' ? :user : :group
     return unless obj_access?(rtype, match[2], :readers)
     return not_found(match[2]) unless obj = server.scim.get(match[2], rtype, *StubScim::VISIBLE_ATTRS[rtype])
     reply_in_kind(obj)
@@ -521,23 +527,35 @@ class StubUAAConn < Stub::Base
     reply_in_kind('"locked":false')
   end
 
+  route :patch, %r{^/(Users)/([^/]+)$}, 'content-type' => %r{application/json} do
+    return unless obj_access?(:user, match[2], :writers)
+    version = request.headers['if-match']
+    version = version.to_i if version.to_i.to_s == version
+    begin
+      id = server.scim.patch(match[2], Util.json_parse(request.body, :down), version, :user)
+      reply_in_kind server.scim.get(id, :user, *StubScim::VISIBLE_ATTRS[:user])
+    rescue BadVersion; reply_in_kind(409, error: 'invalid object version')
+    rescue NotFound; not_found(match[2])
+    end
+  end
+
   route :delete, %r{^/(Users|Groups)/([^/]+)$} do
-    return unless valid_token("scim.write")
-    not_found(match[2]) unless server.scim.delete(match[2], match[1] == "Users"? :user : :group)
+    return unless valid_token('scim.write')
+    not_found(match[2]) unless server.scim.delete(match[2], match[1] == 'Users' ? :user : :group)
   end
 
-  route :put, %r{^/Users/([^/]+)/password$}, "content-type" => %r{application/json} do
+  route :put, %r{^/Users/([^/]+)/password$}, 'content-type' => %r{application/json} do
     info = Util.json_parse(request.body, :down)
     if oldpwd = info['oldpassword']
-      return unless valid_token("password.write")
+      return unless valid_token('password.write')
       return not_found(match[1]) unless user = server.scim.get(match[1], :user, :password)
-      return bad_request("old password does not match") unless oldpwd == user[:password]
+      return bad_request('old password does not match') unless oldpwd == user[:password]
     else
-      return unless valid_token("scim.write")
+      return unless valid_token('scim.write')
     end
-    return bad_request("no new password given") unless newpwd = info['password']
+    return bad_request('no new password given') unless newpwd = info['password']
     server.scim.set_hidden_attr(match[1], :password, newpwd)
-    reply.json(status: "ok", message: "password updated")
+    reply.json(status: 'ok', message: 'password updated')
   end
 
   route :get, %r{^/ids/Users(\?|$)(.*)} do
@@ -552,25 +570,25 @@ class StubUAA < Stub::Server
   attr_reader :scim, :auto_groups
 
   def initialize(options = {})
-    client = options[:boot_client] || "admin"
-    secret = options[:boot_secret] || "adminsecret"
+    client = options[:boot_client] || 'admin'
+    secret = options[:boot_secret] || 'adminsecret'
     @scim = StubScim.new
-    @auto_groups = ["password.write", "openid"]
+    @auto_groups = ['password.write', 'openid']
         .each_with_object([]) { |g, o| o << @scim.add(:group, 'displayname' => g) }
-    ["scim.read", "scim.write", "scim.me", "uaa.resource"]
+    ['scim.read', 'scim.write', 'scim.me', 'uaa.resource']
         .each { |g| @scim.add(:group, 'displayname' => g) }
-    gids = ["clients.write", "clients.read", "clients.secret", "uaa.admin"]
+    gids = ['clients.write', 'clients.read', 'clients.secret', 'uaa.admin']
         .each_with_object([]) { |s, o| o << @scim.add(:group, 'displayname' => s) }
     @scim.add(:client, 'client_id' => client, 'client_secret' => secret,
-        'authorized_grant_types' => ["client_credentials"], 'authorities' => gids,
+        'authorized_grant_types' => ['client_credentials'], 'authorities' => gids,
         'access_token_validity' => 60 * 60 * 24 * 7)
-    @scim.add(:client, 'client_id' => "cf", 'authorized_grant_types' => ["implicit"],
-        'scope' => [@scim.id("openid", :group), @scim.id("password.write", :group)],
+    @scim.add(:client, 'client_id' => 'cf', 'authorized_grant_types' => ['implicit'],
+        'scope' => [@scim.id('openid', :group), @scim.id('password.write', :group)],
         'access_token_validity' => 5 * 60 )
-    info = { commit_id: "not implemented",
-        app: {name: "Stub UAA", version: CLI_VERSION,
-            description: "User Account and Authentication Service, test server"},
-        prompts: {username: ["text", "Username"], password: ["password","Password"]} }
+    info = { commit_id: 'not implemented',
+        app: {name: 'Stub UAA', version: CLI_VERSION,
+            description: 'User Account and Authentication Service, test server'},
+        prompts: {username: ['text', 'Username'], password: ['password', 'Password']} }
     super(StubUAAConn, options.merge(info: info, logger: options[:logger] || Util.default_logger))
   end