scim_rails 0.2.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 325745eceb9f970c505d036231d3fde95674f05d220d65e02778e346013f44c1
-  data.tar.gz: 2703cf04051e134870be167e9119ef7041b93fa5d77a5eedffb80bae2b707aff
+  metadata.gz: 606745240d4c119078d5694d05da63c4787c6a6f4c1a287c814fdec48e16ea92
+  data.tar.gz: 8b636b98654ed1520cc9d9238e657ac715b1f246d0c406a6811fc4cdb6ec5ba0
 SHA512:
-  metadata.gz: 73975ecfb6499a9a8e155d0817d81c9f8bd1f8c96070b21172610a06a620a46e1bf446a40fcf734f065fa6a1bf17d4b74857ab7443ede69694592f622e8fb6be
-  data.tar.gz: caaa96d37fc4a7e11077afe889b7e0ddb1e7df1518d601552ff26fd471c94e157a7b5672a3f96eb0dae5f75fc66cedbd38b4f5b09d2b5b5365d7d4388a6fc532
+  metadata.gz: 073b1d94a5b17e7586584b78dbcbe39d08aa319db28c83ce9a30e135ed7d33aea3e28fce838a1b36e786c0e4d3f76a3d36832461cef3bf1c811f5f78645386ce
+  data.tar.gz: faef4ff11f04d2586f296c5011b3e3fc1257c336682b5269b2aebfcafaaef7961eb3e3c57add0d693ed6aad22c8642854c031000c4c58d284e55b47ba1d1f83e

data/README.md

@@ -1,3 +1,7 @@
+[![Build Status](https://travis-ci.com/lessonly/scim_rails.svg?branch=master)](https://travis-ci.com/lessonly/scim_rails)
+[![Inline docs](http://inch-ci.org/github/lessonly/scim_rails.svg?branch=master)](http://inch-ci.org/github/lessonly/scim_rails)
+[![Maintainability](https://api.codeclimate.com/v1/badges/ddfb6a891d2f0d1122ae/maintainability)](https://codeclimate.com/github/lessonly/scim_rails/maintainability)
+
 # ScimRails
 
 NOTE: This Gem is not yet fully SCIM complaint. It was developed with the main function of interfacing with Okta. There are features of SCIM that this Gem does not implement as described in the SCIM documentation or that have been left out completely.
@@ -78,6 +82,57 @@ When sending requests to the server the `Content-Type` should be set to `applica
 
 All responses will be sent with a `Content-Type` of `application/scim+json`.
 
+#### Authentication
+
+This gem supports both basic and OAuth bearer authentication.
+
+##### Basic Auth
+###### Username
+The config setting `basic_auth_model_searchable_attribute` is the model attribute used to authenticate as the `username`. It defaults to `:subdomain`.
+
+Ensure it is unique to the model records.
+
+###### Password
+The config setting `basic_auth_model_authenticatable_attribute` is the model attribute used to authenticate as `password`. Defaults to `:api_token`.
+
+Assuming the attribute is `:api_token`, generate the password using:
+```ruby
+token = ScimRails::Encoder.encode(company)
+# use the token as password for requests
+company.api_token = token # required
+company.save! # don't forget to persist the company record
+```
+
+This is necessary irrespective of your authentication choice(s) - basic auth, oauth bearer or both.
+
+###### Sample Request
+
+```bash
+$ curl -X GET 'http://username:password@localhost:3000/scim/v2/Users'
+```
+
+##### OAuth Bearer
+
+###### Signing Algorithm
+In the config settings, ensure you set `signing_algorithm` to a valid JWT signing algorithm, e.g "HS256". Defaults to `"none"` when not set.
+
+###### Signing Secret
+In the config settings, ensure you set `signing_secret` to a secret key that will be used to encode and decode tokens. Defaults to `nil` when not set.
+
+If you have already generated the `api_token` in the "Basic Auth" section, then use that as your bearer token and ignore the steps below:
+```ruby
+token = ScimRails::Encoder.encode(company)
+# use the token as bearer token for requests
+company.api_token = token #required
+company.save! # don't forget to persist the company record
+```
+
+##### Sample Request
+
+```bash
+$ curl -H 'Authorization: Bearer xxxxxxx.xxxxxx' -X GET 'http://localhost:3000/scim/v2/Users'
+```
+
 ### List
 
 ##### All
@@ -195,6 +250,20 @@ Sample request:
 $ curl -X PATCH 'http://username:password@localhost:3000/scim/v2/Users/1' -d '{"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], "Operations": [{"op": "replace", "value": { "active": false }}]}' -H 'Content-Type: application/scim+json'
 ```
 
+### Error Handling
+
+By default, scim_rails will output any unhandled exceptions to your configured rails logs.
+
+If you would like, you can supply a custom handler for exceptions in the initializer. The only requirement is that the value you supply responds to `#call`.
+
+For example, you might want to notify Honeybadger:
+
+```ruby
+ScimRails.configure do |config|
+  config.on_error = ->(e) { Honeybadger.notify(e) }
+end
+```
+
 ## Contributing
 
 ### [Code of Conduct](https://github.com/lessonly/scim_rails/blob/master/CODE_OF_CONDUCT.md)

data/Rakefile

@@ -14,7 +14,7 @@ RDoc::Task.new(:rdoc) do |rdoc|
   rdoc.rdoc_files.include('lib/**/*.rb')
 end
 
-APP_RAKEFILE = File.expand_path("../test/dummy/Rakefile", __FILE__)
+APP_RAKEFILE = File.expand_path("../spec/dummy/Rakefile", __FILE__)
 load 'rails/tasks/engine.rake'
 
 

data/app/controllers/concerns/scim_rails/exception_handler.rb

@@ -12,12 +12,15 @@ module ScimRails
     end
 
     included do
-      # StandardError must be ordered _first_ or it will catch all exceptions
-      #
-      # TODO: Build a plugin/configuration for error handling so that the
-      # detailed production errors are logged somewhere if desired.
       if Rails.env.production?
-        rescue_from StandardError do
+        rescue_from StandardError do |exception|
+          on_error = ScimRails.config.on_error
+          if on_error.respond_to?(:call)
+            on_error.call(exception)
+          else
+            Rails.logger.error(exception.inspect)
+          end
+
           json_response(
             {
               schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],

data/app/controllers/scim_rails/application_controller.rb

@@ -9,14 +9,30 @@ module ScimRails
     private
 
     def authorize_request
-      authenticate_with_http_basic do |username, password|
+      send(authentication_strategy) do |searchable_attribute, authentication_attribute|
         authorization = AuthorizeApiRequest.new(
-          searchable_attribute: username,
-          authentication_attribute: password
+          searchable_attribute: searchable_attribute,
+          authentication_attribute: authentication_attribute
         )
         @company = authorization.company
       end
-      raise  ScimRails::ExceptionHandler::InvalidCredentials if @company.blank?
+      raise ScimRails::ExceptionHandler::InvalidCredentials if @company.blank?
+    end
+
+    def authentication_strategy
+      if request.headers["Authorization"]&.include?("Bearer")
+        :authenticate_with_oauth_bearer
+      else
+        :authenticate_with_http_basic
+      end
+    end
+
+    def authenticate_with_oauth_bearer
+      authentication_attribute = request.headers["Authorization"].split(" ").last
+      payload = ScimRails::Encoder.decode(authentication_attribute).with_indifferent_access
+      searchable_attribute = payload[ScimRails.config.basic_auth_model_searchable_attribute]
+
+      yield searchable_attribute, authentication_attribute
     end
   end
 end

data/app/controllers/scim_rails/scim_users_controller.rb

@@ -27,13 +27,17 @@ module ScimRails
     end
 
     def create
-      username_key = ScimRails.config.queryable_user_attributes[:userName]
-      find_by_username = Hash.new
-      find_by_username[username_key] = permitted_user_params[username_key]
-      user = @company
-        .public_send(ScimRails.config.scim_users_scope)
-        .find_or_create_by(find_by_username)
-      user.update!(permitted_user_params)
+      if ScimRails.config.scim_user_prevent_update_on_create
+        user = @company.public_send(ScimRails.config.scim_users_scope).create!(permitted_user_params)
+      else
+        username_key = ScimRails.config.queryable_user_attributes[:userName]
+        find_by_username = Hash.new
+        find_by_username[username_key] = permitted_user_params[username_key]
+        user = @company
+          .public_send(ScimRails.config.scim_users_scope)
+          .find_or_create_by(find_by_username)
+        user.update!(permitted_user_params)
+      end
       update_status(user) unless put_active_param.nil?
       json_scim_response(object: user, status: :created)
     end
@@ -122,9 +126,23 @@ module ScimRails
     end
 
     def patch_active_param
-      active = params.dig("Operations", 0, "value", "active")
-      raise ScimRails::ExceptionHandler::UnsupportedPatchRequest if active.nil?
-      active
+      handle_invalid = lambda do
+        raise ScimRails::ExceptionHandler::UnsupportedPatchRequest
+      end
+
+      operations = params["Operations"] || {}
+
+      valid_operation = operations.find(handle_invalid) do |operation|
+        valid_patch_operation?(operation)
+      end
+
+      valid_operation.dig("value", "active")
+    end
+
+    def valid_patch_operation?(operation)
+      operation["op"].casecmp("replace") &&
+        operation["value"] &&
+        [true, false].include?(operation["value"]["active"])
     end
   end
 end

data/lib/generators/scim_rails/templates/initializer.rb

@@ -14,10 +14,26 @@ ScimRails.configure do |config|
   # Model used for user records.
   config.scim_users_model = "User"
 
-  # Metod used for retriving user records from the
+  # Method used for retrieving user records from the
   # authenticatable model.
   config.scim_users_scope = :users
 
+  # Determine whether the create endpoint updates users that already exist
+  # or throws an error (returning 409 Conflict in accordance with SCIM spec)
+  config.scim_user_prevent_update_on_create = false
+
+  # Cryptographic algorithm used for signing the auth tokens.
+  # It supports all algorithms supported by the jwt gem.
+  # See https://github.com/jwt/ruby-jwt#algorithms-and-usage for supported algorithms
+  # It is "none" by default, hence generated tokens are unsigned
+  # The tokens do not need to be signed if you only need basic authentication.
+  # config.signing_algorithm = "HS256"
+
+  # Secret token used to sign authorization tokens
+  # It is `nil` by default, hence generated tokens are unsigned
+  # The tokens do not need to be signed if you only need basic authentication.
+  # config.signing_secret = SECRET_TOKEN
+
   # Default sort order for pagination is by id. If you
   # use non sequential ids for user records, uncomment
   # the below line and configure a determinate order.
@@ -33,7 +49,7 @@ ScimRails.configure do |config|
   # Hash of queryable attribtues on the user model. If
   # the attribute is not listed in this hash it cannot
   # be queried by this Gem. The structure of this hash
-  # is { queryable_scim_attribute => user_attribute }. 
+  # is { queryable_scim_attribute => user_attribute }.
   config.queryable_user_attributes = {
     userName: :email,
     givenName: :first_name,
@@ -54,7 +70,7 @@ ScimRails.configure do |config|
   # for this Gem to figure out where to look in a SCIM
   # response for mutable values. This object should
   # include all attributes listed in
-  # config.mutable_user_attributes. 
+  # config.mutable_user_attributes.
   config.mutable_user_attributes_schema = {
     name: {
       givenName: :first_name,

data/lib/scim_rails.rb

@@ -1,5 +1,6 @@
 require "scim_rails/engine"
 require "scim_rails/config"
+require "scim_rails/encoder"
 
 module ScimRails
 end

data/lib/scim_rails/config.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ScimRails
   class << self
     def configure
@@ -5,30 +7,40 @@ module ScimRails
     end
 
     def config
-      @_config ||= Config.new
+      @config ||= Config.new
     end
   end
 
+  # Class containing configuration of ScimRails
   class Config
-    attr_accessor \
+    ALGO_NONE = "none"
+
+    attr_writer \
       :basic_auth_model,
+      :mutable_user_attributes_schema,
+      :scim_users_model
+
+    attr_accessor \
       :basic_auth_model_authenticatable_attribute,
       :basic_auth_model_searchable_attribute,
       :mutable_user_attributes,
-      :mutable_user_attributes_schema,
+      :on_error,
       :queryable_user_attributes,
       :scim_users_list_order,
-      :scim_users_model,
       :scim_users_scope,
+      :scim_user_prevent_update_on_create,
+      :signing_secret,
+      :signing_algorithm,
       :user_attributes,
       :user_deprovision_method,
       :user_reprovision_method,
       :user_schema
-      
+
     def initialize
       @basic_auth_model = "Company"
       @scim_users_list_order = :id
       @scim_users_model = "User"
+      @signing_algorithm = ALGO_NONE
       @user_schema = {}
       @user_attributes = []
     end

data/lib/scim_rails/encoder.rb

@@ -0,0 +1,25 @@
+require "jwt"
+
+module ScimRails
+  module Encoder
+    extend self
+
+    def encode(company)
+      payload = {
+        iat: Time.current.to_i,
+        ScimRails.config.basic_auth_model_searchable_attribute =>
+          company.public_send(ScimRails.config.basic_auth_model_searchable_attribute)
+      }
+
+      JWT.encode(payload, ScimRails.config.signing_secret, ScimRails.config.signing_algorithm)
+    end
+
+    def decode(token)
+      verify = ScimRails.config.signing_algorithm != ScimRails::Config::ALGO_NONE
+
+      JWT.decode(token, ScimRails.config.signing_secret, verify, algorithm: ScimRails.config.signing_algorithm).first
+    rescue JWT::VerificationError, JWT::DecodeError
+      raise ScimRails::ExceptionHandler::InvalidCredentials
+    end
+  end
+end

data/lib/scim_rails/version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ScimRails
-  VERSION = '0.2.0'
+  VERSION = "0.4.0"
 end

data/spec/controllers/scim_rails/scim_users_controller_spec.rb

@@ -10,13 +10,13 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
 
     context "when unauthorized" do
       it "returns scim+json content type" do
-        get :index
+        get :index, as: :json
 
-        expect(response.content_type).to eq "application/scim+json"
+        expect(response.media_type).to eq "application/scim+json"
       end
 
       it "fails with no credentials" do
-        get :index
+        get :index, as: :json
 
         expect(response.status).to eq 401
       end
@@ -24,7 +24,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
       it "fails with invalid credentials" do
         request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials("unauthorized","123456")
 
-        get :index
+        get :index, as: :json
 
         expect(response.status).to eq 401
       end
@@ -36,13 +36,13 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
       end
 
       it "returns scim+json content type" do
-        get :index
+        get :index, as: :json
 
-        expect(response.content_type).to eq "application/scim+json"
+        expect(response.media_type).to eq "application/scim+json"
       end
 
       it "is successful with valid credentials" do
-        get :index
+        get :index, as: :json
 
         expect(response.status).to eq 200
       end
@@ -50,7 +50,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
       it "returns all results" do
         create_list(:user, 10, company: company)
 
-        get :index
+        get :index, as: :json
         response_body = JSON.parse(response.body)
         expect(response_body.dig("schemas", 0)).to eq "urn:ietf:params:scim:api:messages:2.0:ListResponse"
         expect(response_body["totalResults"]).to eq 10
@@ -59,7 +59,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
       it "defaults to 100 results" do
         create_list(:user, 300, company: company)
 
-        get :index
+        get :index, as: :json
         response_body = JSON.parse(response.body)
         expect(response_body["totalResults"]).to eq 300
         expect(response_body["Resources"].count).to eq 100
@@ -72,7 +72,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
         get :index, params: {
           startIndex: 101,
           count: 200,
-        }
+        }, as: :json
         response_body = JSON.parse(response.body)
         expect(response_body["totalResults"]).to eq 400
         expect(response_body["Resources"].count).to eq 200
@@ -88,7 +88,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
         get :index, params: {
           startIndex: 1,
           count: 10,
-        }
+        }, as: :json
         response_body = JSON.parse(response.body)
         expect(response_body["totalResults"]).to eq 400
         expect(response_body["Resources"].count).to eq 10
@@ -101,7 +101,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
 
         get :index, params: {
           filter: "email eq test1@example.com"
-        }
+        }, as: :json
         response_body = JSON.parse(response.body)
         expect(response_body["totalResults"]).to eq 1
         expect(response_body["Resources"].count).to eq 1
@@ -113,7 +113,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
 
         get :index, params: {
           filter: "familyName eq Shellstrop"
-        }
+        }, as: :json
         response_body = JSON.parse(response.body)
         expect(response_body["totalResults"]).to eq 1
         expect(response_body["Resources"].count).to eq 1
@@ -122,7 +122,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
       it "returns no results for unfound filter parameters" do
         get :index, params: {
           filter: "familyName eq fake_not_there"
-        }
+        }, as: :json
         response_body = JSON.parse(response.body)
         expect(response_body["totalResults"]).to eq 0
         expect(response_body["Resources"].count).to eq 0
@@ -131,7 +131,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
       it "returns no results for undefined filter queries" do
         get :index, params: {
           filter: "address eq 101 Nowhere USA"
-        }
+        }, as: :json
         expect(response.status).to eq 400
         response_body = JSON.parse(response.body)
         expect(response_body.dig("schemas", 0)).to eq "urn:ietf:params:scim:api:messages:2.0:Error"
@@ -145,13 +145,13 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
 
     context "when unauthorized" do
       it "returns scim+json content type" do
-        get :show, params: { id: 1 }
+        get :show, params: { id: 1 }, as: :json
 
-        expect(response.content_type).to eq "application/scim+json"
+        expect(response.media_type).to eq "application/scim+json"
       end
 
       it "fails with no credentials" do
-        get :show, params: { id: 1 }
+        get :show, params: { id: 1 }, as: :json
 
         expect(response.status).to eq 401
       end
@@ -159,7 +159,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
       it "fails with invalid credentials" do
         request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials("unauthorized","123456")
 
-        get :show, params: { id: 1 }
+        get :show, params: { id: 1 }, as: :json
 
         expect(response.status).to eq 401
       end
@@ -171,20 +171,20 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
       end
 
       it "returns scim+json content type" do
-        get :show, params: { id: 1 }
+        get :show, params: { id: 1 }, as: :json
 
-        expect(response.content_type).to eq "application/scim+json"
+        expect(response.media_type).to eq "application/scim+json"
       end
 
       it "is successful with valid credentials" do
         create(:user, id: 1, company: company)
-        get :show, params: { id: 1 }
+        get :show, params: { id: 1 }, as: :json
 
         expect(response.status).to eq 200
       end
 
       it "returns :not_found for id that cannot be found" do
-        get :show, params: { id: "fake_id" }
+        get :show, params: { id: "fake_id" }, as: :json
 
         expect(response.status).to eq 404
       end
@@ -193,7 +193,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
         new_company = create(:company)
         create(:user, company: new_company, id: 1)
 
-        get :show, params: { id: 1 }
+        get :show, params: { id: 1 }, as: :json
 
         expect(response.status).to eq 404
       end
@@ -206,13 +206,13 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
 
     context "when unauthorized" do
       it "returns scim+json content type" do
-        post :create
+        post :create, as: :json
 
-        expect(response.content_type).to eq "application/scim+json"
+        expect(response.media_type).to eq "application/scim+json"
       end
 
       it "fails with no credentials" do
-        post :create
+        post :create, as: :json
 
         expect(response.status).to eq 401
       end
@@ -220,7 +220,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
       it "fails with invalid credentials" do
         request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials("unauthorized","123456")
 
-        post :create
+        post :create, as: :json
 
         expect(response.status).to eq 401
       end
@@ -242,9 +242,9 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
               value: "new@example.com"
             }
           ]
-        }
+        }, as: :json
 
-        expect(response.content_type).to eq "application/scim+json"
+        expect(response.media_type).to eq "application/scim+json"
       end
 
       it "is successful with valid credentials" do
@@ -260,7 +260,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
               value: "new@example.com"
             }
           ]
-        }
+        }, as: :json
 
         expect(response.status).to eq 201
         expect(company.users.count).to eq 1
@@ -283,7 +283,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
               value: "new@example.com"
             }
           ]
-        }
+        }, as: :json
 
         expect(response.status).to eq 201
         expect(company.users.count).to eq 1
@@ -299,7 +299,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
               value: "new@example.com"
             }
           ]
-        }
+        }, as: :json
 
         expect(response.status).to eq 422
         expect(company.users.count).to eq 0
@@ -318,13 +318,33 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
               value: "new@example.com"
             }
           ]
-        }
+        }, as: :json
 
         expect(response.status).to eq 201
         expect(company.users.count).to eq 1
         expect(company.users.first.first_name).to eq "Not New"
       end
 
+      it "returns 409 if user already exists and config.scim_user_prevent_update_on_create is set to true" do
+        allow(ScimRails.config).to receive(:scim_user_prevent_update_on_create).and_return(true)
+        create(:user, email: "new@example.com", company: company)
+
+        post :create, params: {
+          name: {
+            givenName: "Not New",
+            familyName: "User"
+          },
+          emails: [
+            {
+              value: "new@example.com"
+            }
+          ]
+        }, as: :json
+
+        expect(response.status).to eq 409
+        expect(company.users.count).to eq 1
+      end
+
       it "creates and archives inactive user" do
         post :create, params: {
           id: 1,
@@ -339,7 +359,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
             },
           ],
           active: "false"
-        }
+        }, as: :json
 
         expect(response.status).to eq 201
         expect(company.users.count).to eq 1
@@ -355,13 +375,13 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
 
     context "when unauthorized" do
       it "returns scim+json content type" do
-        put :put_update, params: { id: 1 }
+        put :put_update, params: { id: 1 }, as: :json
 
-        expect(response.content_type).to eq "application/scim+json"
+        expect(response.media_type).to eq "application/scim+json"
       end
 
       it "fails with no credentials" do
-        put :put_update, params: { id: 1 }
+        put :put_update, params: { id: 1 }, as: :json
 
         expect(response.status).to eq 401
       end
@@ -369,7 +389,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
       it "fails with invalid credentials" do
         request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials("unauthorized","123456")
 
-        put :put_update, params: { id: 1 }
+        put :put_update, params: { id: 1 }, as: :json
 
         expect(response.status).to eq 401
       end
@@ -383,20 +403,20 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
       end
 
       it "returns scim+json content type" do
-        put :put_update, params: put_params
+        put :put_update, params: put_params, as: :json
 
-        expect(response.content_type).to eq "application/scim+json"
+        expect(response.media_type).to eq "application/scim+json"
       end
 
       it "is successful with with valid credentials" do
-        put :put_update, params: put_params
+        put :put_update, params: put_params, as: :json
 
         expect(response.status).to eq 200
       end
 
       it "deprovisions an active record" do
         request.content_type = "application/scim+json"
-        put :put_update, params: put_params(active: false)
+        put :put_update, params: put_params(active: false), as: :json
 
         expect(response.status).to eq 200
         expect(user.reload.active?).to eq false
@@ -406,14 +426,14 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
         user.archive!
         expect(user.reload.active?).to eq false
         request.content_type = "application/scim+json"
-        put :put_update, params: put_params(active: true)
+        put :put_update, params: put_params(active: true), as: :json
 
         expect(response.status).to eq 200
         expect(user.reload.active?).to eq true
       end
 
       it "returns :not_found for id that cannot be found" do
-        get :put_update, params: { id: "fake_id" }
+        get :put_update, params: { id: "fake_id" }, as: :json
 
         expect(response.status).to eq 404
       end
@@ -422,7 +442,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
         new_company = create(:company)
         create(:user, company: new_company, id: 1000)
 
-        get :put_update, params: { id: 1000 }
+        get :put_update, params: { id: 1000 }, as: :json
 
         expect(response.status).to eq 404
       end
@@ -437,7 +457,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
             },
           ],
           active: "true"
-        }
+        }, as: :json
 
         expect(response.status).to eq 422
       end
@@ -450,13 +470,13 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
 
     context "when unauthorized" do
       it "returns scim+json content type" do
-        patch :patch_update, params: patch_params(id: 1)
+        patch :patch_update, params: patch_params(id: 1), as: :json
 
-        expect(response.content_type).to eq "application/scim+json"
+        expect(response.media_type).to eq "application/scim+json"
       end
 
       it "fails with no credentials" do
-        patch :patch_update, params: patch_params(id: 1)
+        patch :patch_update, params: patch_params(id: 1), as: :json
 
         expect(response.status).to eq 401
       end
@@ -464,7 +484,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
       it "fails with invalid credentials" do
         request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials("unauthorized","123456")
 
-        patch :patch_update, params: patch_params(id: 1)
+        patch :patch_update, params: patch_params(id: 1), as: :json
 
         expect(response.status).to eq 401
       end
@@ -478,19 +498,19 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
       end
 
       it "returns scim+json content type" do
-        patch :patch_update, params: patch_params(id: 1)
+        patch :patch_update, params: patch_params(id: 1), as: :json
 
-        expect(response.content_type).to eq "application/scim+json"
+        expect(response.media_type).to eq "application/scim+json"
       end
 
       it "is successful with valid credentials" do
-        patch :patch_update, params: patch_params(id: 1)
+        patch :patch_update, params: patch_params(id: 1), as: :json
 
         expect(response.status).to eq 200
       end
 
       it "returns :not_found for id that cannot be found" do
-        get :patch_update, params: patch_params(id: "fake_id")
+        get :patch_update, params: patch_params(id: "fake_id"), as: :json
 
         expect(response.status).to eq 404
       end
@@ -499,7 +519,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
         new_company = create(:company)
         create(:user, company: new_company, id: 1000)
 
-        get :patch_update, params: patch_params(id: 1000)
+        get :patch_update, params: patch_params(id: 1000), as: :json
 
         expect(response.status).to eq 404
       end
@@ -509,7 +529,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
         user = company.users.first
         expect(user.archived?).to eq false
 
-        patch :patch_update, params: patch_params(id: 1)
+        patch :patch_update, params: patch_params(id: 1), as: :json
 
         expect(response.status).to eq 200
         expect(company.users.count).to eq 1
@@ -517,12 +537,12 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
         expect(user.archived?).to eq true
       end
 
-      it "sucessfully restores user" do
+      it "successfully restores user" do
         expect(company.users.count).to eq 1
         user = company.users.first.tap(&:archive!)
         expect(user.archived?).to eq true
 
-        patch :patch_update, params: patch_params(id: 1,  active: true)
+        patch :patch_update, params: patch_params(id: 1,  active: true), as: :json
 
         expect(response.status).to eq 200
         expect(company.users.count).to eq 1
@@ -530,6 +550,24 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
         expect(user.archived?).to eq false
       end
 
+      it "is case insensetive for op value" do
+        # Note, this is for backward compatibility. op should always
+        # be lower case and support for case insensitivity will be removed
+        patch :patch_update, params: {
+          id: 1,
+          Operations: [
+            {
+              op: "Replace",
+              value: {
+                active: false
+              }
+            }
+          ]
+        }, as: :json
+
+        expect(response.status).to eq 200
+      end
+
       it "throws an error for non status updates" do
         patch :patch_update, params: {
           id: 1,
@@ -543,12 +581,59 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
               }
             }
           ]
+        }, as: :json
+
+        expect(response.status).to eq 422
+        response_body = JSON.parse(response.body)
+        expect(response_body.dig("schemas", 0)).to eq "urn:ietf:params:scim:api:messages:2.0:Error"
+      end
+
+      it "returns 422 when value is not an object" do
+        patch :patch_update, params: {
+          id: 1,
+          Operations: [
+            {
+              op: "replace",
+              path: "displayName",
+              value: "Francis"
+            }
+          ]
         }
 
         expect(response.status).to eq 422
         response_body = JSON.parse(response.body)
         expect(response_body.dig("schemas", 0)).to eq "urn:ietf:params:scim:api:messages:2.0:Error"
       end
+
+      it "returns 422 when value is missing" do
+        patch :patch_update, params: {
+          id: 1,
+          Operations: [
+            {
+              op: "replace"
+            }
+          ]
+        }, as: :json
+
+        expect(response.status).to eq 422
+        response_body = JSON.parse(response.body)
+        expect(response_body.dig("schemas", 0)).to eq "urn:ietf:params:scim:api:messages:2.0:Error"
+      end
+
+      it "returns 422 operations key is missing" do
+        patch :patch_update, params: {
+          id: 1,
+          Foobars: [
+            {
+              op: "replace"
+            }
+          ]
+        }, as: :json
+
+        expect(response.status).to eq 422
+        response_body = JSON.parse(response.body)
+        expect(response_body.dig("schemas", 0)).to eq "urn:ietf:params:scim:api:messages:2.0:Error"
+      end
     end
   end