devise_scim 0.1.14 → 0.1.16
- checksums.yaml +4 -4
- data/AGENTS.md +4 -1
- data/CHANGELOG.md +33 -0
- data/README.md +5 -1
- data/SECURITY.md +64 -0
- data/app/controllers/devise_scim/users_controller.rb +2 -2
- data/lib/devise_scim/filter/arel_visitor.rb +2 -2
- data/lib/devise_scim/version.rb +1 -1
- metadata +2 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 0daf9bbbcf53781199f6b6da65b933572550bac83fac908a2ea3323aec8c4ffa
|
|
4
|
+
data.tar.gz: 280c378bc22a1656809231c559b7084d005e83eace7725648ef1e2a3d5f729f6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: fca1f8259c135d750e900349228a3fcbd5b2591ba47eae74c07fe9b243b13f97e040b6133d134182e8f38ce32246d761720e4aa150ab7eaead1afbba2e0dcf38
|
|
7
|
+
data.tar.gz: 347e03ba2f3c208e65ad164d9afa7ce83a7ef9a1afb094f3063b385a5b650b41567b93e9ea9022155e334defd50ee50f3a4741061bbc42a792c17ddda471f047
|
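Review bot: the removed `metadata.gz:` and `data.tar.gz:` lines carry no values as rendered, so this view cannot show what the 0.1.14 checksums were, and the hunk on its own does not prove the new values belong to the published artefact. Anyone verifying 0.1.16 should fetch the .gem from the registry, hash it locally and compare against the SHA256/SHA512 values in the added lines rather than relying on the diff view.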
data/AGENTS.md
CHANGED
|
@@ -12,6 +12,7 @@ This is `devise_scim` — a SCIM 2.0 server engine for Rails + Devise applicatio
|
|
|
12
12
|
| `spec/` | RSpec suite — unit specs for every subsystem, request specs for all endpoints |
|
|
13
13
|
| `spec/internal/` | Combustion test app: `db/schema.rb`, `config/routes.rb`, minimal models, warden initializer |
|
|
14
14
|
| `lib/devise_scim/rspec/` | Host-app test harness: shared examples for Users/Groups/discovery endpoints, `ScimHelpers`, FactoryBot factories |
|
|
15
|
+
| `lib/devise_scim/minitest.rb` | Host-app Minitest assertions (`assert_scim_status`, `assert_scim_error`, payload/header helpers) |
|
|
15
16
|
|
|
16
17
|
## Required checks before any commit
|
|
17
18
|
|
|
@@ -68,13 +69,15 @@ The multi-tenant templates reference the `tenant_fk_column` helper method define
|
|
|
68
69
|
```
|
|
69
70
|
lib/devise_scim/auth/
|
|
70
71
|
base_strategy.rb # extracts Bearer token from Authorization header
|
|
71
|
-
token_strategy.rb # compares against config.token (single) or
|
|
72
|
+
token_strategy.rb # compares against config.token (single) or tenant_model.authenticate_token (multi)
|
|
72
73
|
oauth_strategy.rb # validates Doorkeeper access tokens
|
|
73
74
|
lib/devise_scim/middleware/authenticator.rb
|
|
74
75
|
```
|
|
75
76
|
|
|
76
77
|
`Authenticator` is a Rack middleware inserted early in the stack. It intercepts every request whose path starts with `route_prefix`, delegates to the appropriate strategy, and either sets `env["devise_scim.tenant"]` (multi-tenant) or returns a 401 SCIM error response. It also calls `warden.custom_failure!` so Warden does not swallow the 401.
|
|
77
78
|
|
|
79
|
+
In multi-tenant mode with a custom `tenant_model`, auth strategies call class methods/columns on that model (`authenticate_token`, `doorkeeper_application_id`, `active`). Include `DeviseScim::Concerns::ScimTenant` on custom tenant models to satisfy that contract.
|
|
80
|
+
|
|
78
81
|
Do not move auth logic into controllers — the middleware layer is the single authentication boundary.
|
|
79
82
|
|
|
80
83
|
## Filter system
|
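Review bot: the added paragraph names the tenant-model contract (`authenticate_token`, `doorkeeper_application_id`, `active`) but does not say what each member must guarantee, and since the surrounding text makes the middleware the single authentication boundary, a custom tenant model that skips `DeviseScim::Concerns::ScimTenant` is where that boundary is most likely to be weakened. Suggest stating here what the concern guarantees on these points, in particular that `authenticate_token` compares tokens in constant time (timing attacks are listed as in scope in SECURITY.md) and that an inactive tenant never authenticates, so implementers of a custom model know what to preserve.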
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,38 @@
|
|
|
1
1
|
## [Unreleased]
|
|
2
2
|
|
|
3
|
+
## [0.1.16] - 2026-05-31
|
|
4
|
+
|
|
5
|
+
- Bump ruby/setup-ruby from 1.308.0 to 1.310.0
|
|
6
|
+
- Bump doorkeeper from 5.9.0 to 5.9.1
|
|
7
|
+
- Bump codecov/codecov-action from 6.0.0 to 6.0.1
|
|
8
|
+
- Bump rubocop from 1.86.1 to 1.86.2
|
|
9
|
+
- Bump ruby/setup-ruby from 1.306.0 to 1.308.0
|
|
10
|
+
- fix: improve error handling for unknown AST nodes and comparison operators
|
|
11
|
+
- chore: update CHANGELOG.md with recent dependency updates and CI changes
|
|
12
|
+
- chore: update dependencies in Gemfile.lock
|
|
13
|
+
- Bump devise from 5.0.3 to 5.0.4 in the bundler group across 1 directory
|
|
14
|
+
- Bump actions/checkout
|
|
15
|
+
- ci: add auto-approval for Dependabot PRs
|
|
16
|
+
- ci: skip Codecov upload on Dependabot PRs
|
|
17
|
+
- ci: pin dependabot actions, add cooldown and auto-merge
|
|
18
|
+
- Bump ruby/setup-ruby from 1.302.0 to 1.306.0
|
|
19
|
+
- chore: update CHANGELOG.md with recent dependency updates and CI changes
|
|
20
|
+
- chore: update dependencies in Gemfile.lock
|
|
21
|
+
- Bump devise from 5.0.3 to 5.0.4 in the bundler group across 1 directory
|
|
22
|
+
- Bump actions/checkout
|
|
23
|
+
- ci: add auto-approval for Dependabot PRs
|
|
24
|
+
- ci: skip Codecov upload on Dependabot PRs
|
|
25
|
+
- ci: pin dependabot actions, add cooldown and auto-merge
|
|
26
|
+
|
|
27
|
+
## [0.1.15] - 2026-05-02
|
|
28
|
+
|
|
29
|
+
- docs: update AGENTS.md with Minitest assertions and clarify auth strategies
|
|
30
|
+
- chore: create SECURITY.md for security policy and guidelines
|
|
31
|
+
- Update issue templates
|
|
32
|
+
- fix: correct link to contributing guidelines in README
|
|
33
|
+
- fix: correct link to contributing guidelines in README
|
|
34
|
+
- Remove test log and ignoring it
|
|
35
|
+
|
|
3
36
|
## [0.1.14] - 2026-04-28
|
|
4
37
|
|
|
5
38
|
- ci: populate CHANGELOG with commits on release
|
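Review bot: the 0.1.16 section lists seven entries twice (`chore: update CHANGELOG.md with recent dependency updates and CI changes` through `ci: pin dependabot actions, add cooldown and auto-merge` appear as items 10-17 and again as 18-25) and the 0.1.15 section repeats `fix: correct link to contributing guidelines in README`; deduplicate before tagging. `Bump actions/checkout` should name the from/to versions like the other bump entries do. Separately, `ci: add auto-approval for Dependabot PRs` combined with auto-merge means dependency updates can land without a person reading the diff; the cooldown and action pinning reduce the exposure, but the policy (which updates are auto-merged, which still get review) is worth documenting next to SECURITY.md so consumers of the gem know what to expect.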
data/README.md
CHANGED
|
@@ -2,6 +2,10 @@
|
|
|
2
2
|
|
|
3
3
|
**SCIM 2.0 server for Rails + Devise**
|
|
4
4
|
|
|
5
|
+
[](https://codecov.io/gh/vertigo-prime/devise_scim)
|
|
6
|
+
[](https://badge.fury.io/rb/devise_scim)
|
|
7
|
+
|
|
8
|
+
|
|
5
9
|
## What is this?
|
|
6
10
|
|
|
7
11
|
`devise_scim` mounts a fully compliant SCIM 2.0 server inside any Rails + Devise application, handling user and group provisioning from identity providers like Okta, Azure AD, and OneLogin. Unlike most existing gems it supports both single- and multi-tenant architectures out of the box, is actively maintained, makes no external API calls (pure Ruby — no third-party SCIM SDK), and conforms strictly to RFC 7643 and RFC 7644.
|
|
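Review bot: both added badge lines have empty link text (`[](https://codecov.io/gh/vertigo-prime/devise_scim)` and `[](https://badge.fury.io/rb/devise_scim)`), so unless the `![...](...)` image markup was dropped by this rendering they appear as empty links in the README; add the badge image or at least alt text.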
@@ -344,5 +348,5 @@ MIT. Used at your own risk. No liability is held by the author.
|
|
|
344
348
|
|
|
345
349
|
This gem was developed with significant assistance from Claude (Anthropic). Contributions and audits welcome, AI or otherwise.
|
|
346
350
|
|
|
347
|
-
1. Please follow the [contributing guidelines](
|
|
351
|
+
1. Please follow the [contributing guidelines](docs/contributing.md) for submitting pull requests and reporting issues.
|
|
348
352
|
2. Ensure your code adheres to the [code of conduct](CODE_OF_CONDUCT.md) and is tested with the provided test harness.
|
data/SECURITY.md
ADDED
|
@@ -0,0 +1,64 @@
|
|
|
1
|
+
# Security Policy
|
|
2
|
+
|
|
3
|
+
`devise_scim` handles authentication and authorization for SCIM 2.0 endpoints — bearer token validation, OAuth 2.0 client-credentials flows, and tenant isolation. Security issues in this library can directly affect identity provisioning pipelines, so responsible disclosure is taken seriously.
|
|
4
|
+
|
|
5
|
+
## Supported Versions
|
|
6
|
+
|
|
7
|
+
This project is pre-1.0. Only the **latest released version** receives security fixes. There are no backport commitments to older patch or minor versions.
|
|
8
|
+
|
|
9
|
+
| Version | Supported |
|
|
10
|
+
| ------- | --------- |
|
|
11
|
+
| Latest `0.1.x` | ✅ |
|
|
12
|
+
| Older `0.1.x` | ❌ |
|
|
13
|
+
|
|
14
|
+
Once the gem reaches 1.0, the policy will be updated to cover the latest minor series.
|
|
15
|
+
|
|
16
|
+
## Scope
|
|
17
|
+
|
|
18
|
+
**In scope** — vulnerabilities in this gem's code:
|
|
19
|
+
|
|
20
|
+
- Bearer token validation bypass or timing attacks
|
|
21
|
+
- OAuth 2.0 client-credentials flow weaknesses
|
|
22
|
+
- Tenant isolation failures (cross-tenant data leakage in multi-tenant mode)
|
|
23
|
+
- SCIM filter injection or attribute exposure beyond configured mappings
|
|
24
|
+
- Authentication bypasses in `ScimAdapter` hooks
|
|
25
|
+
- Input validation gaps that allow privilege escalation via provisioned attributes
|
|
26
|
+
- RFC 7643 / RFC 7644 non-conformance that creates a security boundary violation
|
|
27
|
+
|
|
28
|
+
**Out of scope:**
|
|
29
|
+
|
|
30
|
+
- Vulnerabilities in your own application's Devise configuration
|
|
31
|
+
- Weaknesses in the identity provider (Okta, Azure AD, OneLogin, etc.)
|
|
32
|
+
- Issues requiring a misconfigured `devise_scim` initializer to reproduce (e.g., storing tokens in source control)
|
|
33
|
+
- General Rails or Devise security issues unrelated to SCIM handling
|
|
34
|
+
|
|
35
|
+
If you are unsure whether an issue is in scope, report it anyway — it will be evaluated.
|
|
36
|
+
|
|
37
|
+
## Reporting a Vulnerability
|
|
38
|
+
|
|
39
|
+
**Use GitHub's private vulnerability reporting.** Do not open a public issue.
|
|
40
|
+
|
|
41
|
+
1. Go to the [Security tab](https://github.com/vertigo-prime/devise_scim/security) of this repository.
|
|
42
|
+
2. Click **"Report a vulnerability"**.
|
|
43
|
+
3. Fill in: affected version(s), steps to reproduce, potential impact, and any suggested fix.
|
|
44
|
+
|
|
45
|
+
This opens a private channel visible only to the maintainer.
|
|
46
|
+
|
|
47
|
+
## Response Timeline
|
|
48
|
+
|
|
49
|
+
This is a solo-maintained project. Responses are best-effort, not guaranteed within a business SLA.
|
|
50
|
+
|
|
51
|
+
| Event | Target |
|
|
52
|
+
| ----- | ------ |
|
|
53
|
+
| Acknowledgement | Within 7 days |
|
|
54
|
+
| Severity assessment | Within 14 days |
|
|
55
|
+
| Patch for critical issues | Within 30 days |
|
|
56
|
+
| Patch for moderate issues | Within 60 days |
|
|
57
|
+
|
|
58
|
+
If a critical vulnerability has not received acknowledgement within 7 days, a follow-up in the private thread is welcome.
|
|
59
|
+
|
|
60
|
+
## Coordinated Disclosure
|
|
61
|
+
|
|
62
|
+
Please allow time to patch before any public disclosure. A 90-day window from initial report is the standard expectation. For critical issues with active exploitation, a shorter timeline can be negotiated — mention it in the report.
|
|
63
|
+
|
|
64
|
+
Once a fix is released, credit will be given in the CHANGELOG and release notes unless anonymity is requested.
|
|
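Review bot: the Reporting section offers GitHub private vulnerability reporting as the only channel, with no fallback for a reporter who cannot use it (no account, feature unavailable on a fork); a security email address or a note on what to do in that case would close the gap. The Coordinated Disclosure section would also benefit from saying whether fixed issues are published as GitHub Security Advisories with a CVE, since a published advisory is what downstream tooling such as bundler-audit keys on to flag an affected `devise_scim` version, and the 30/60-day patch targets in the Response Timeline table only help consumers who learn about the fix.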
@@ -32,7 +32,7 @@ module DeviseScim
|
|
|
32
32
|
when Conjunction then visit(node.left).and(visit(node.right))
|
|
33
33
|
when Disjunction then visit(node.left).or(visit(node.right))
|
|
34
34
|
when AttrPath then visit_attr_path(node)
|
|
35
|
-
else raise InvalidFilter, "Unknown AST node: #{node.class}"
|
|
35
|
+
else raise InvalidFilter, "Unknown AST node: #{node.class}"
|
|
36
36
|
end
|
|
37
37
|
end
|
|
38
38
|
|
|
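Review bot: the removed and added lines in this hunk both read `else raise InvalidFilter, "Unknown AST node: #{node.class}"`, so as rendered the change is whitespace-only or was lost in this view; the CHANGELOG entry `fix: improve error handling for unknown AST nodes and comparison operators` promises more than the hunk shows, so either the hunk or the entry should be corrected. The behaviour itself is the right one for a SCIM filter visitor: an unrecognised node type raises instead of falling through, which keeps filter evaluation fail-closed.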
@@ -53,7 +53,7 @@ module DeviseScim
|
|
|
53
53
|
when "ge" then col.gteq(val)
|
|
54
54
|
when "lt" then col.lt(val)
|
|
55
55
|
when "le" then col.lteq(val)
|
|
56
|
-
else raise InvalidFilter, "Unknown operator '#{node.op}'"
|
|
56
|
+
else raise InvalidFilter, "Unknown operator '#{node.op}'"
|
|
57
57
|
end
|
|
58
58
|
end
|
|
59
59
|
# rubocop:enable Metrics/CyclomaticComplexity
|
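Review bot: the `-` and `+` lines for the unknown-operator branch read identically here (`else raise InvalidFilter, "Unknown operator '#{node.op}'"`), so this hunk also shows no visible change; confirm the intended fix made it into the release. The `case` over `ge`, `lt`, `le` and the other operators is an allowlist and `node.op` only reaches the exception message, never the generated Arel, which is the correct shape against filter injection; the remaining thing to check is that `InvalidFilter` is mapped to a 400 response with `scimType` `invalidFilter` as RFC 7644 specifies, rather than surfacing as a 500.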
data/lib/devise_scim/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: devise_scim
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.16
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Vertigo-Prime
|
|
@@ -84,6 +84,7 @@ files:
|
|
|
84
84
|
- LICENSE.txt
|
|
85
85
|
- README.md
|
|
86
86
|
- Rakefile
|
|
87
|
+
- SECURITY.md
|
|
87
88
|
- app/controllers/devise_scim/application_controller.rb
|
|
88
89
|
- app/controllers/devise_scim/groups_controller.rb
|
|
89
90
|
- app/controllers/devise_scim/resource_types_controller.rb
|