scim_engine 2.1.1

data/app/models/scim_engine/resources/group.rb

@@ -0,0 +1,13 @@
+module ScimEngine
+  module Resources
+    class Group < Base
+
+      set_schema Schema::Group
+
+      def self.endpoint
+        "/Groups"
+      end
+
+    end
+  end
+end

data/app/models/scim_engine/resources/user.rb

@@ -0,0 +1,13 @@
+module ScimEngine
+  module Resources
+    class User < Base
+
+      set_schema Schema::User
+
+      def self.endpoint
+        "/Users"
+      end
+
+    end
+  end
+end

data/app/models/scim_engine/schema/attribute.rb

@@ -0,0 +1,91 @@
+module ScimEngine
+  module Schema
+    # Represents an attribute of a SCIM resource that is declared in its schema.
+    # Attributes can be simple or complex. A complex attribute needs to have its own schema that is passed to the initilize method when the attribute is instantiated.
+    # @example
+    #  Attribute.new(name: 'userName', type: 'string', uniqueness: 'server')
+    #  Attribute.new(name: 'name', complexType: ScimEngine::ComplexTypes::Name)
+    class Attribute
+      include ActiveModel::Model
+      include ScimEngine::Errors
+      attr_accessor :name, :type, :multiValued, :required, :caseExact, :mutability, :returned, :uniqueness, :subAttributes, :complexType, :canonicalValues
+
+      # @param options [Hash] a hash of values to be used for instantiating the attribute object. Some of the instance variables of the objects will have default values if this hash does not contain anything for them.
+      def initialize(options = {})
+        defaults = {
+          multiValued: false,
+          required: true,
+          caseExact: false,
+          mutability: 'readWrite',
+          uniqueness: 'none',
+          returned: 'default',
+          canonicalValues: []
+        }
+
+        if options[:complexType]
+          defaults.merge!(type: 'complex', subAttributes: options[:complexType].schema.scim_attributes)
+        end
+
+        super(defaults.merge(options || {}))
+      end
+
+      # Validates a value against this attribute object. For simple attributes, it checks if blank is valid or not and if the type matches. For complex attributes, it delegates it to the valid? method of the complex type schema.
+      # If the value is not valid, validation message(s) are added to the errors attribute of this object.
+      # @return [Boolean] whether or not the value is valid for this attribute
+      def valid?(value)
+        return valid_blank? if value.blank? && !value.is_a?(FalseClass)
+
+        if type == 'complex'
+          return all_valid?(complexType, value) if multiValued
+          valid_complex_type?(value)
+        else
+          valid_simple_type?(value)
+        end
+      end
+
+      def valid_blank?
+        return true unless self.required
+        errors.add(self.name, "is required")
+        false
+      end
+
+      def valid_complex_type?(value)
+        if !value.class.respond_to?(:schema) || value.class.schema != complexType.schema
+          errors.add(self.name, "has to follow the complexType format.")
+          return false
+        end
+        value.class.schema.valid?(value)
+        return true if value.errors.empty?
+        add_errors_from_hash(value.errors.to_hash, prefix: self.name)
+        false
+      end
+
+      def valid_simple_type?(value)
+        valid = (type == 'string' && value.is_a?(String)) ||
+          (type == 'boolean' && (value.is_a?(TrueClass) || value.is_a?(FalseClass))) ||
+          (type == 'integer' && (value.is_a?(Integer))) ||
+          (type == 'dateTime' && valid_date_time?(value))
+        errors.add(self.name, "has the wrong type. It has to be a(n) #{self.type}.") unless valid
+        valid
+      end
+
+      def valid_date_time?(value)
+        !!Time.iso8601(value)
+      rescue ArgumentError
+        false
+      end
+
+      def all_valid?(complex_type, value)
+        validations = value.map {|value_in_array| valid_complex_type?(value_in_array)}
+        validations.all?
+      end
+
+      def as_json(options = {})
+        options[:except] ||= ['complexType']
+        options[:except] << 'canonicalValues' if canonicalValues.empty?
+        super.except(options)
+      end
+
+    end
+  end
+end

data/app/models/scim_engine/schema/base.rb

@@ -0,0 +1,35 @@
+module ScimEngine
+  module Schema
+    # The base class that each schema class must inherit from.
+    # These classes represent the schema of a SCIM resource or a complex type that could be used in a resource.
+    class Base
+      include ActiveModel::Model
+      attr_accessor :id, :name, :description, :scim_attributes, :meta
+
+      def initialize(options = {})
+        super
+        @meta = Meta.new(resourceType: "Schema")
+      end
+
+      # Converts the schema to its json representation that will be returned by /SCHEMAS end-point of a SCIM service provider.
+      def as_json(options = {})
+        @meta.location = ScimEngine::Engine.routes.url_helpers.scim_schemas_path(name: id)
+        original = super
+        original.merge('attributes' => original.delete('scim_attributes'))
+      end
+
+      # Validates the resource against specific validations of each attribute,for example if the type of the attribute matches the one defined in the schema.
+      # @param resource [Object] a resource object that uses this schema
+      def self.valid?(resource)
+        cloned_scim_attributes.each do |scim_attribute|
+          resource.add_errors_from_hash(scim_attribute.errors.to_hash) unless scim_attribute.valid?(resource.send(scim_attribute.name))
+        end
+      end
+
+      def self.cloned_scim_attributes
+        scim_attributes.map { |scim_attribute| scim_attribute.clone }
+      end
+
+    end
+  end
+end

data/app/models/scim_engine/schema/derived_attributes.rb

@@ -0,0 +1,24 @@
+module ScimEngine
+  module Schema
+    module DerivedAttributes
+      extend ActiveSupport::Concern
+
+      class_methods do
+        def set_schema(schema)
+          @schema = schema
+          derive_attributes_from_schema(schema)
+          schema
+        end
+
+        def derive_attributes_from_schema(schema)
+          attr_accessor *schema.scim_attributes.map(&:name)
+        end
+
+        def schema
+          @schema
+        end
+      end
+
+    end
+  end
+end

data/app/models/scim_engine/schema/email.rb

@@ -0,0 +1,15 @@
+module ScimEngine
+  module Schema
+    # Represnts the schema for the Email complex type
+    # @see ScimEngine::ComplexTypes::Email
+    class Email < Base
+      def self.scim_attributes
+        @scim_attributes ||= [
+          Attribute.new(name: 'value', type: 'string'),
+          Attribute.new(name: 'primary', type: 'boolean', required: false),
+          Attribute.new(name: 'type', type: 'string', required: false)
+        ]
+      end
+    end
+  end
+end

data/app/models/scim_engine/schema/group.rb

@@ -0,0 +1,27 @@
+module ScimEngine
+  module Schema
+    # Represnts the schema for the Group resource
+    # @see ScimEngine::Resources::Group
+    class Group < Base
+
+      def initialize(options = {})
+        super(name: 'Group',
+              id: self.class.id,
+              description: 'Represents a Group',
+              scim_attributes: self.class.scim_attributes)
+      end
+
+      def self.id
+        'urn:ietf:params:scim:schemas:core:2.0:Group'
+      end
+
+      def self.scim_attributes
+        [
+          Attribute.new(name: 'displayName', type: 'string'),
+          Attribute.new(name: 'members', multiValued: true, complexType: ScimEngine::ComplexTypes::Reference, mutability: 'readOnly', required: false)
+        ]
+      end
+
+    end
+  end
+end

data/app/models/scim_engine/schema/name.rb

@@ -0,0 +1,17 @@
+module ScimEngine
+  module Schema
+    # Represnts the schema for the Name complex type
+    # @see ScimEngine::ComplexTypes::Name
+    class Name < Base
+
+      def self.scim_attributes
+        @scim_attributes ||= [
+          Attribute.new(name: 'familyName', type: 'string'),
+          Attribute.new(name: 'givenName', type: 'string'),
+          Attribute.new(name: 'formatted', type: 'string', required: false)
+        ]
+      end
+
+    end
+  end
+end

data/app/models/scim_engine/schema/reference.rb

@@ -0,0 +1,14 @@
+module ScimEngine
+  module Schema
+    # Represnts the schema for the Reference complex type
+    # @see ScimEngine::ComplexTypes::Reference
+    class Reference < Base
+      def self.scim_attributes
+        @scim_attributes ||= [
+          Attribute.new(name: 'value', type: 'string', mutability: 'readOnly'),
+          Attribute.new(name: 'display', type: 'string', mutability: 'readOnly', required: false)
+        ]
+      end
+    end
+  end
+end

data/app/models/scim_engine/schema/user.rb

@@ -0,0 +1,30 @@
+module ScimEngine
+  module Schema
+    # Represnts the schema for the User resource
+    # @see ScimEngine::Resources::User
+    class User < Base
+
+      def initialize(options = {})
+        super(name: 'User',
+              id: self.class.id,
+              description: 'Represents a User',
+              scim_attributes: self.class.scim_attributes)
+
+      end
+
+      def self.id
+        'urn:ietf:params:scim:schemas:core:2.0:User'
+      end
+
+      def self.scim_attributes
+        [
+          Attribute.new(name: 'userName', type: 'string', uniqueness: 'server'),
+          Attribute.new(name: 'name', complexType: ScimEngine::ComplexTypes::Name),
+          Attribute.new(name: 'emails', multiValued: true, complexType: ScimEngine::ComplexTypes::Email),
+          Attribute.new(name: 'groups', multiValued: true, mutability: 'immutable', complexType: ScimEngine::ComplexTypes::Reference)
+        ]
+      end
+
+    end
+  end
+end

data/app/models/scim_engine/service_provider_configuration.rb

@@ -0,0 +1,31 @@
+module ScimEngine
+  # Represnts the service provider info. Used by the /ServiceProviderConfig endpoint to privide specification compliance, authentication schemes, data models.
+  class ServiceProviderConfiguration
+    include ActiveModel::Model
+
+    attr_accessor :patch, :bulk, :filter, :changePassword,
+      :sort, :etag, :authenticationSchemes,
+      :schemas, :meta
+
+    def initialize(attributes = {})
+      defaults = {
+        bulk: Supportable.unsupported,
+        patch: Supportable.unsupported,
+        filter: Supportable.unsupported,
+        changePassword: Supportable.unsupported,
+        sort: Supportable.unsupported,
+        etag: Supportable.unsupported,
+        schemas: ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
+        meta: Meta.new(
+          resourceType: 'ServiceProviderConfig',
+          created: Time.now,
+          lastModified: Time.now,
+          version: '1'
+        ),
+        authenticationSchemes: [AuthenticationScheme.basic]
+      }
+      super(defaults.merge(attributes))
+    end
+
+  end
+end

data/app/models/scim_engine/supportable.rb

@@ -0,0 +1,10 @@
+module ScimEngine
+  class Supportable
+    include ActiveModel::Model
+    attr_accessor :supported
+
+    def self.unsupported
+      new(supported: false)
+    end
+  end
+end

data/app/views/layouts/scim_engine/application.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>ScimEngine</title>
+  <%= stylesheet_link_tag    "scim_engine/application", media: "all" %>
+  <%= javascript_include_tag "scim_engine/application" %>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>

data/config/routes.rb

@@ -0,0 +1,6 @@
+ScimEngine::Engine.routes.draw do
+  get 'ServiceProviderConfig', to: 'service_provider_configurations#show'
+  get 'ResourceTypes', to: 'resource_types#index'
+  get 'ResourceTypes/:name', to: 'resource_types#show', as: :scim_resource_type
+  get 'Schemas', to: 'schemas#index', as: :scim_schemas
+end

data/lib/scim_engine.rb

@@ -0,0 +1,13 @@
+require "scim_engine/engine"
+
+module ScimEngine
+  def self.service_provider_configuration=(custom_configuration)
+    @service_provider_configuration = custom_configuration
+  end
+
+  def self.service_provider_configuration(location:)
+    @service_provider_configuration ||= ServiceProviderConfiguration.new
+    @service_provider_configuration.meta.location = location
+    @service_provider_configuration
+  end
+end

data/lib/scim_engine/engine.rb

@@ -0,0 +1,51 @@
+module ScimEngine
+  class Engine < ::Rails::Engine
+    isolate_namespace ScimEngine
+
+    Mime::Type.register "application/scim+json",:scim
+
+    ActionDispatch::Request.parameter_parsers[Mime::Type.lookup('application/scim+json').symbol] = lambda do |body|
+      JSON.parse(body)
+    end
+
+    mattr_accessor :username
+    mattr_accessor :password
+
+    def self.resources
+      default_resources + custom_resources
+    end
+
+    # Can be used to add a new resource type which is not provided by the gem.
+    # @example
+    #  module Scim
+    #    module Resources
+    #      class ShinyResource < ScimEngine::Resources::Base
+    #        set_schema Scim::Schema::Shiny
+    #
+    #        def self.endpoint
+    #          "/Shinies"
+    #        end
+    #      end
+    #    end
+    #  end
+    #  ScimEngine::Engine.add_custom_resource Scim::Resources::ShinyResource
+    def self.add_custom_resource(resource)
+      custom_resources << resource
+    end
+
+    # Returns the list of custom resources, if any.
+    def self.custom_resources
+      @custom_resources ||= []
+    end
+
+    # Returns the default resources added in this gem: User and Group.
+    def self.default_resources
+      [ Resources::User, Resources::Group ]
+    end
+
+    def self.schemas
+      resources.map(&:schemas).flatten.uniq.map(&:new)
+    end
+
+  end
+end

data/lib/scim_engine/version.rb

@@ -0,0 +1,3 @@
+module ScimEngine
+  VERSION = "2.1.1"
+end

data/lib/tasks/scim_engine_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :scim_engine do
+#   # Task goes here
+# end

data/spec/controllers/scim_engine/application_controller_spec.rb

@@ -0,0 +1,104 @@
+require 'rails_helper'
+
+describe ScimEngine::ApplicationController do
+
+  context 'custom authentication' do
+    before do
+      allow(ScimEngine::Engine).to receive(:username) { 'A' }
+      allow(ScimEngine::Engine).to receive(:password) { 'B' }
+    end
+
+    controller do
+      rescue_from StandardError, with: :handle_resource_not_found
+
+      def index
+        render json: { 'message' => 'cool, cool!' }, format: :scim
+      end
+    end
+
+    it 'renders success when valid creds are given' do
+      request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials('A', 'B')
+
+      get :index, params: { format: :scim }
+      expect(response).to be_ok
+      expect(JSON.parse(response.body)).to eql({ 'message' => 'cool, cool!' })
+    end
+
+    it 'renders failure with bad password' do
+      request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials('A', 'C')
+
+      get :index, params: { format: :scim }
+      expect(response).not_to be_ok
+    end
+
+    it 'renders failure with bad user name' do
+      request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials('C', 'B')
+
+      get :index, params: { format: :scim }
+      expect(response).not_to be_ok
+    end
+
+
+    it 'renders failure with bad user name and password' do
+      request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials('C', 'D')
+
+      get :index, params: { format: :scim }
+      expect(response).not_to be_ok
+    end
+
+
+
+  end
+
+
+  context 'authenticated' do
+    controller do
+      rescue_from StandardError, with: :handle_resource_not_found
+
+      def index
+        render json: { 'message' => 'cool, cool!' }, format: :scim
+      end
+
+      def authenticated?
+        true
+      end
+    end
+
+    describe 'authenticate' do
+      it 'renders index if authenticated' do
+        get :index, params: { format: :scim }
+        expect(response).to be_ok
+        expect(JSON.parse(response.body)).to eql({ 'message' => 'cool, cool!' })
+      end
+
+      it 'renders not authorized response if not authenticated' do
+        allow(controller).to receive(:authenticated?) { false }
+        get :index, params: { format: :scim }
+        expect(response).to have_http_status(:unauthorized)
+        parsed_body = JSON.parse(response.body)
+        expect(parsed_body).to include('schemas' => ['urn:ietf:params:scim:api:messages:2.0:Error'])
+        expect(parsed_body).to include('detail' => 'Requires authentication')
+        expect(parsed_body).to include('status' => '401')
+      end
+
+      it 'renders resource not found response when resource cannot be found for the given id' do
+        allow(controller).to receive(:index).and_raise(StandardError)
+        get :index, params: { id: 10, format: :scim }
+        expect(response).to have_http_status(:not_found)
+        parsed_body = JSON.parse(response.body)
+        expect(parsed_body).to include('schemas' => ['urn:ietf:params:scim:api:messages:2.0:Error'])
+        expect(parsed_body).to include('detail' => 'Resource 10 not found')
+        expect(parsed_body).to include('status' => '404')
+      end
+    end
+
+    describe 'require_scim' do
+      it 'renders not acceptable if the request does not use scim type' do
+        get :index
+        expect(response).to have_http_status(:not_acceptable)
+
+        expect(JSON.parse(response.body)['detail']).to eql('Only application/scim+json type is accepted.')
+      end
+    end
+  end
+end