devise_scim 0.1.11

data/lib/devise_scim/filter/arel_visitor.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+module DeviseScim
+  module Filter
+    # Translates a Filter AST into Arel conditions applied to an AR scope.
+    class ArelVisitor
+      SCIM_TO_AR = {
+        "userName" => "email",
+        "externalId" => "scim_uid",
+        "active" => "scim_active",
+        "id" => "id",
+        "emails" => "email",
+        "emails.value" => "email",
+        "name.givenName" => "first_name",
+        "name.familyName" => "last_name"
+      }.freeze
+
+      def initialize(model)
+        @model = model
+        @table = model.arel_table
+      end
+
+      def apply(ast, scope)
+        scope.where(visit(ast))
+      end
+
+      private
+
+      def visit(node)
+        case node
+        when Comparison  then visit_comparison(node)
+        when Conjunction then visit(node.left).and(visit(node.right))
+        when Disjunction then visit(node.left).or(visit(node.right))
+        when AttrPath    then visit_attr_path(node)
+        else raise InvalidFilter, "Unknown AST node: #{node.class}"
+        end
+      end
+
+      # rubocop:disable Metrics/CyclomaticComplexity
+      def visit_comparison(node)
+        col_name = SCIM_TO_AR[node.attr_path] || node.attr_path
+        col = resolve_column(col_name)
+        val = node.value
+
+        case node.op
+        when "eq" then col.eq(val)
+        when "ne" then col.not_eq(val)
+        when "co" then col.matches("%#{sanitize_like(val)}%")
+        when "sw" then col.matches("#{sanitize_like(val)}%")
+        when "ew" then col.matches("%#{sanitize_like(val)}")
+        when "pr" then col.not_eq(nil)
+        when "gt" then col.gt(val)
+        when "ge" then col.gteq(val)
+        when "lt" then col.lt(val)
+        when "le" then col.lteq(val)
+        else raise InvalidFilter, "Unknown operator '#{node.op}'"
+        end
+      end
+      # rubocop:enable Metrics/CyclomaticComplexity
+
+      def visit_attr_path(node)
+        col_name = SCIM_TO_AR[node.attribute] || node.attribute
+        resolve_column(col_name).not_eq(nil)
+      end
+
+      def resolve_column(col_name)
+        raise InvalidFilter, "Unknown attribute '#{col_name}'" unless @model.column_names.include?(col_name)
+
+        @table[col_name]
+      end
+
+      def sanitize_like(str)
+        str.gsub(/[%_\\]/) { |c| "\\#{c}" }
+      end
+    end
+  end
+end

data/lib/devise_scim/filter/parser.rb

@@ -0,0 +1,190 @@
+# frozen_string_literal: true
+
+module DeviseScim
+  module Filter
+    Comparison = Struct.new(:attr_path, :op, :value, keyword_init: true)
+    Conjunction = Struct.new(:left, :right, keyword_init: true)
+    Disjunction = Struct.new(:left, :right, keyword_init: true)
+    AttrPath    = Struct.new(:attribute, :sub_filter, :sub_attr, keyword_init: true)
+
+    # Recursive descent parser for SCIM filter expressions (RFC 7644 §3.4.2.2).
+    # Supported: eq/ne/co/sw/ew/pr/gt/ge/lt/le, and/or, attr[sub-filter].sub-attr comparisons.
+    class Parser # rubocop:disable Metrics/ClassLength
+      class ParseError < ::DeviseScim::InvalidFilter; end
+
+      Token = Struct.new(:type, :value, keyword_init: true)
+
+      COMP_OPS = %w[eq ne co sw ew pr gt ge lt le].freeze
+
+      def self.parse(str)
+        new(str).parse
+      end
+
+      def initialize(str)
+        @tokens = tokenize(str)
+        @pos    = 0
+      end
+
+      def parse
+        ast = parse_or
+        raise ParseError, "Unexpected token '#{current&.value}'" unless at_end?
+
+        ast
+      end
+
+      private
+
+      # rubocop:disable Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/MethodLength, Metrics/PerceivedComplexity
+      def tokenize(str)
+        tokens = []
+        s = str.strip
+        until s.empty?
+          s = s.lstrip
+          break if s.empty?
+
+          # Use explicit match objects so String#gsub doesn't clobber $&.
+          if (m = /\A"((?:[^"\\]|\\.)*)"/.match(s))
+            tokens << Token.new(type: :string, value: m[1].gsub('\\"', '"'))
+            s = s[m[0].length..]
+          elsif (m = /\Atrue\b/i.match(s))
+            tokens << Token.new(type: :boolean, value: true)
+            s = s[m[0].length..]
+          elsif (m = /\Afalse\b/i.match(s))
+            tokens << Token.new(type: :boolean, value: false)
+            s = s[m[0].length..]
+          elsif (m = /\Anull\b/i.match(s))
+            tokens << Token.new(type: :null, value: nil)
+            s = s[m[0].length..]
+          elsif (m = /\Anot\b/i.match(s))
+            tokens << Token.new(type: :not, value: "not")
+            s = s[m[0].length..]
+          elsif (m = /\Aand\b/i.match(s))
+            tokens << Token.new(type: :and, value: "and")
+            s = s[m[0].length..]
+          elsif (m = /\Aor\b/i.match(s))
+            tokens << Token.new(type: :or, value: "or")
+            s = s[m[0].length..]
+          elsif (m = /\A(eq|ne|co|sw|ew|pr|gt|ge|lt|le)\b/i.match(s))
+            tokens << Token.new(type: :op, value: m[1].downcase)
+            s = s[m[0].length..]
+          elsif s.start_with?("(")
+            tokens << Token.new(type: :lparen, value: "(")
+            s = s[1..]
+          elsif s.start_with?(")")
+            tokens << Token.new(type: :rparen, value: ")")
+            s = s[1..]
+          elsif s.start_with?("[")
+            tokens << Token.new(type: :lbracket, value: "[")
+            s = s[1..]
+          elsif s.start_with?("]")
+            tokens << Token.new(type: :rbracket, value: "]")
+            s = s[1..]
+          elsif s.start_with?(".")
+            tokens << Token.new(type: :dot, value: ".")
+            s = s[1..]
+          elsif (m = /\A[\w:-]+/.match(s))
+            tokens << Token.new(type: :identifier, value: m[0])
+            s = s[m[0].length..]
+          elsif (m = /\A-?\d+(\.\d+)?/.match(s))
+            tokens << Token.new(type: :number, value: m[0].to_f)
+            s = s[m[0].length..]
+          else
+            raise ParseError, "Unexpected character '#{s[0]}'"
+          end
+        end
+        tokens
+      end
+      # rubocop:enable Metrics/CyclomaticComplexity, Metrics/AbcSize, Metrics/MethodLength, Metrics/PerceivedComplexity
+
+      def parse_or
+        left = parse_and
+        while current&.type == :or
+          advance
+          left = Disjunction.new(left: left, right: parse_and)
+        end
+        left
+      end
+
+      def parse_and
+        left = parse_primary
+        while current&.type == :and
+          advance
+          left = Conjunction.new(left: left, right: parse_primary)
+        end
+        left
+      end
+
+      # rubocop:disable Metrics/AbcSize, Metrics/MethodLength, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+      def parse_primary
+        if current&.type == :lparen
+          advance
+          node = parse_or
+          expect!(:rparen)
+          return node
+        end
+
+        attr = expect!(:identifier).value
+
+        if current&.type == :lbracket
+          advance
+          sub_filter = parse_or
+          expect!(:rbracket)
+          sub_attr = extract_sub_attr
+          if current&.type == :op
+            op  = advance.value
+            val = parse_value
+            Comparison.new(attr_path: sub_attr ? "#{attr}.#{sub_attr}" : attr, op: op, value: val)
+          else
+            AttrPath.new(attribute: attr, sub_filter: sub_filter, sub_attr: sub_attr)
+          end
+        elsif current&.type == :op
+          op  = advance.value
+          val = op == "pr" ? nil : parse_value
+          Comparison.new(attr_path: attr, op: op, value: val)
+        else
+          raise ParseError, "Expected comparator after '#{attr}', got #{current&.value.inspect}"
+        end
+      end
+      # rubocop:enable Metrics/AbcSize, Metrics/MethodLength, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+
+      def extract_sub_attr
+        return nil unless current&.type == :dot
+
+        advance
+        expect!(:identifier).value
+      end
+
+      def parse_value
+        tok = current
+        case tok&.type
+        when :string, :boolean, :null, :number
+          advance
+          tok.value
+        else
+          raise ParseError, "Expected value, got #{tok&.value.inspect}"
+        end
+      end
+
+      def current
+        @tokens[@pos]
+      end
+
+      def advance
+        tok = @tokens[@pos]
+        @pos += 1
+        tok
+      end
+
+      def at_end?
+        @pos >= @tokens.length
+      end
+
+      def expect!(type)
+        tok = advance
+        raise ParseError, "Expected #{type}, got #{tok&.type} (#{tok&.value.inspect})" unless tok&.type == type
+
+        tok
+      end
+    end
+  end
+end

data/lib/devise_scim/middleware/authenticator.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module DeviseScim
+  module Middleware
+    class Authenticator
+      SCIM_CONTENT_TYPE = "application/scim+json"
+
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        return @app.call(env) unless scim_path?(env["PATH_INFO"])
+
+        result = build_strategy.authenticate(env)
+
+        if result.nil?
+          unauthorized_response(env)
+        else
+          env["devise_scim.tenant"] = result unless result == :ok
+          @app.call(env)
+        end
+      end
+
+      private
+
+      def scim_path?(path)
+        path.start_with?(DeviseScim.configuration.route_prefix)
+      end
+
+      def build_strategy
+        if DeviseScim.configuration.auth_method == :oauth
+          Auth::OauthStrategy.new
+        else
+          Auth::TokenStrategy.new
+        end
+      end
+
+      def unauthorized_response(env)
+        # Prevent Warden from intercepting the 401 and attempting its failure app.
+        env["warden"].custom_failure! if env["warden"].respond_to?(:custom_failure!)
+        body = {
+          schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
+          status: "401",
+          detail: "Unauthorized"
+        }.to_json
+        [401, { "Content-Type" => SCIM_CONTENT_TYPE }, [body]]
+      end
+    end
+  end
+end

data/lib/devise_scim/minitest.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+module DeviseScim
+  module Minitest
+    module ScimAssertions
+      def assert_scim_status(response, expected_status)
+        assert_equal expected_status.to_s, response.status.to_s,
+                     "Expected SCIM status #{expected_status}, got #{response.status}\n#{response.body}"
+      end
+
+      def assert_scim_content_type(response)
+        assert_includes response.content_type, "application/scim+json",
+                        "Expected Content-Type application/scim+json"
+      end
+
+      def assert_scim_schema(response, expected_schema)
+        body = JSON.parse(response.body)
+        assert_includes body["schemas"], expected_schema,
+                        "Expected schema #{expected_schema.inspect} in #{body["schemas"].inspect}"
+      end
+
+      def assert_scim_list_response(response)
+        body = JSON.parse(response.body)
+        assert_scim_schema(response, DeviseScim::Scim::LIST_RESPONSE_SCHEMA)
+        assert body.key?("totalResults"), "Expected totalResults key in ListResponse"
+        assert body.key?("Resources"),    "Expected Resources key in ListResponse"
+      end
+
+      def assert_scim_error(response, expected_status: nil)
+        body = JSON.parse(response.body)
+        assert_includes body["schemas"], DeviseScim::Scim::ERROR_SCHEMA,
+                        "Expected SCIM error schema in response"
+        assert_equal expected_status.to_s, body["status"] if expected_status
+      end
+
+      def scim_json(response)
+        JSON.parse(response.body)
+      end
+
+      def scim_auth_headers(token)
+        { "Authorization" => "Bearer #{token}", "Content-Type" => "application/json" }
+      end
+
+      def scim_user_payload(user_name:, **attrs)
+        { "schemas" => [DeviseScim::Scim::USER_SCHEMA], "userName" => user_name }
+          .merge(attrs.transform_keys(&:to_s))
+      end
+
+      def scim_patch_payload(*operations)
+        {
+          "schemas" => ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+          "Operations" => operations
+        }
+      end
+    end
+  end
+end

data/lib/devise_scim/models/scim_tenant.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module DeviseScim
+  class ScimTenant < ActiveRecord::Base
+    self.table_name = "scim_tenants"
+
+    include DeviseScim::Concerns::ScimTenant
+
+    has_many :scim_tenant_users, class_name: "DeviseScim::ScimTenantUser",
+                                 foreign_key: :scim_tenant_id, dependent: :destroy
+    belongs_to :doorkeeper_application,
+               class_name: "Doorkeeper::Application", optional: true
+  end
+end

data/lib/devise_scim/models/scim_tenant_user.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module DeviseScim
+  class ScimTenantUser < ActiveRecord::Base
+    self.table_name = "scim_tenant_users"
+
+    # Default associations use built-in DeviseScim::ScimTenant and the host app's
+    # User model. When config.tenant_model is customized, host apps override these
+    # associations (and the FK) in their own initializer.
+    belongs_to :scim_tenant,
+               class_name: "DeviseScim::ScimTenant",
+               foreign_key: :scim_tenant_id
+    belongs_to :user, foreign_key: :user_id
+  end
+end

data/lib/devise_scim/routing.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module DeviseScim
+  module Routing
+    def scim_for(_resource, at: DeviseScim.configuration.route_prefix)
+      config = DeviseScim.configuration
+      scope at, format: false do
+        draw_user_routes
+        draw_group_routes if config.enable_groups
+        post "oauth/token", to: "doorkeeper/tokens#create" if config.auth_method == :oauth
+        draw_discovery_routes
+      end
+    end
+
+    private
+
+    def draw_user_routes
+      get    "Users",     to: "devise_scim/users#index"
+      post   "Users",     to: "devise_scim/users#create"
+      get    "Users/:id", to: "devise_scim/users#show"
+      put    "Users/:id", to: "devise_scim/users#replace"
+      patch  "Users/:id", to: "devise_scim/users#update"
+      delete "Users/:id", to: "devise_scim/users#destroy"
+    end
+
+    def draw_group_routes
+      get    "Groups",     to: "devise_scim/groups#index"
+      post   "Groups",     to: "devise_scim/groups#create"
+      get    "Groups/:id", to: "devise_scim/groups#show"
+      put    "Groups/:id", to: "devise_scim/groups#replace"
+      patch  "Groups/:id", to: "devise_scim/groups#update"
+      delete "Groups/:id", to: "devise_scim/groups#destroy"
+    end
+
+    def draw_discovery_routes
+      get "ServiceProviderConfig", to: "devise_scim/service_provider#show"
+      get "Schemas",               to: "devise_scim/schemas#index"
+      get "ResourceTypes",         to: "devise_scim/resource_types#index"
+    end
+  end
+end
+
+ActionDispatch::Routing::Mapper.include DeviseScim::Routing

data/lib/devise_scim/rspec/factories.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+return unless defined?(FactoryBot)
+
+FactoryBot.define do
+  factory :scim_tenant, class: "DeviseScim::ScimTenant" do
+    sequence(:name) { |n| "Test Tenant #{n}" }
+    auth_method { "token" }
+    active { true }
+  end
+
+  factory :scim_tenant_user, class: "DeviseScim::ScimTenantUser" do
+    association :scim_tenant
+    active { true }
+    provisioned_at { Time.current }
+  end
+end

data/lib/devise_scim/rspec/scim_helpers.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module DeviseScim
+  module RSpec
+    module ScimHelpers
+      def scim_json(body)
+        JSON.parse(body)
+      end
+
+      def scim_prefix
+        DeviseScim.configuration.route_prefix
+      end
+
+      def scim_auth_headers(token)
+        { "Authorization" => "Bearer #{token}", "Content-Type" => "application/json" }
+      end
+
+      def scim_user_payload(user_name:, **attrs)
+        base = { "schemas" => [DeviseScim::Scim::USER_SCHEMA], "userName" => user_name }
+        base.merge(attrs.transform_keys(&:to_s))
+      end
+
+      def scim_patch_payload(*operations)
+        {
+          "schemas" => ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
+          "Operations" => operations
+        }
+      end
+
+      def scim_replace_op(path, value)
+        { "op" => "replace", "path" => path, "value" => value }
+      end
+
+      def scim_add_op(path, value)
+        { "op" => "add", "path" => path, "value" => value }
+      end
+
+      def scim_remove_op(path)
+        { "op" => "remove", "path" => path }
+      end
+    end
+  end
+end

data/lib/devise_scim/rspec/shared_examples/discovery_endpoints.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+# rubocop:disable Metrics/BlockLength
+RSpec.shared_examples "SCIM discovery endpoints" do |_options = {}|
+  include DeviseScim::RSpec::ScimHelpers
+
+  let(:_scim_test_token) { "scim-test-token-#{SecureRandom.hex(8)}" }
+  let(:_scim_headers)    { scim_auth_headers(_scim_test_token) }
+
+  before do
+    DeviseScim.configure do |c|
+      c.tenancy     = :single
+      c.auth_method = :token
+      c.token       = _scim_test_token
+    end
+  end
+
+  after { DeviseScim.reset_configuration! }
+
+  # ── ServiceProviderConfig ────────────────────────────────────────────────────
+
+  describe "GET /ServiceProviderConfig" do
+    it "returns 200 with the correct schema" do
+      get "#{scim_prefix}/ServiceProviderConfig", headers: _scim_headers
+      expect(response).to have_http_status(:ok)
+      body = scim_json(response.body)
+      expect(body["schemas"]).to include("urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig")
+    end
+
+    it "advertises patch support" do
+      get "#{scim_prefix}/ServiceProviderConfig", headers: _scim_headers
+      body = scim_json(response.body)
+      expect(body.dig("patch", "supported")).to be(true)
+    end
+
+    it "advertises filter support" do
+      get "#{scim_prefix}/ServiceProviderConfig", headers: _scim_headers
+      body = scim_json(response.body)
+      expect(body.dig("filter", "supported")).to be(true)
+    end
+
+    it "sets Content-Type to application/scim+json" do
+      get "#{scim_prefix}/ServiceProviderConfig", headers: _scim_headers
+      expect(response.content_type).to include("application/scim+json")
+    end
+  end
+
+  # ── Schemas ──────────────────────────────────────────────────────────────────
+
+  describe "GET /Schemas" do
+    it "returns 200 with the User schema" do
+      get "#{scim_prefix}/Schemas", headers: _scim_headers
+      expect(response).to have_http_status(:ok)
+      body = scim_json(response.body)
+      ids = body["Resources"].map { |r| r["id"] }
+      expect(ids).to include(DeviseScim::Scim::USER_SCHEMA)
+    end
+
+    context "with groups enabled" do
+      before { DeviseScim.configure { |c| c.enable_groups = true } }
+
+      it "includes the Group schema" do
+        get "#{scim_prefix}/Schemas", headers: _scim_headers
+        body = scim_json(response.body)
+        ids = body["Resources"].map { |r| r["id"] }
+        expect(ids).to include(DeviseScim::Scim::GROUP_SCHEMA)
+      end
+    end
+  end
+
+  # ── ResourceTypes ────────────────────────────────────────────────────────────
+
+  describe "GET /ResourceTypes" do
+    it "returns 200 with the User resource type" do
+      get "#{scim_prefix}/ResourceTypes", headers: _scim_headers
+      expect(response).to have_http_status(:ok)
+      body = scim_json(response.body)
+      names = body["Resources"].map { |r| r["name"] }
+      expect(names).to include("User")
+    end
+
+    context "with groups enabled" do
+      before { DeviseScim.configure { |c| c.enable_groups = true } }
+
+      it "includes the Group resource type" do
+        get "#{scim_prefix}/ResourceTypes", headers: _scim_headers
+        body = scim_json(response.body)
+        names = body["Resources"].map { |r| r["name"] }
+        expect(names).to include("Group")
+      end
+    end
+  end
+end
+# rubocop:enable Metrics/BlockLength