scim_rails 0.2.2 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ffb0afaa648c6bf2e0daf0836313e1b5c37203642588922296489b7f87dc8a78
-  data.tar.gz: e4d007055da4ae528a9953ad43737df15b85c44490d5c7ca5bb97954ddf7d9cf
+  metadata.gz: 69ddfe751f11e33adf91e96b99ccaaa7258bb1468ea8463511ae0b04eaeca4bf
+  data.tar.gz: ac7a95b8e8f7c5455bdf7b9a64d3b2c88c015974530077f80ab37a1e6751e468
 SHA512:
-  metadata.gz: 1293946a2411ad4855301adb70c24350808f3a35c38c5b66ee833f7330e622efee2ebacc94218ce577551bda4794e1e329cee311518fc60316289022738f4e4f
-  data.tar.gz: a6317481acf35c7640c834a81b8676dc80899c9cebaa36ff74dd2139cbfafa7b9167d423f4e201f7a637284458981a942315a842f14dcfd224736c422e139259
+  metadata.gz: 05d83eb5dee1ecbfa49116f5d1f70e5f4e600393419055d93dfdff8e735e865ef2eeedf15b73c5899543f47168763b7f7cf13b897ba53e80332d7d813b427219
+  data.tar.gz: be1735ff8d1de4d79d5aa70c39b0cffdbc22f26d7adc105e5c03ec2fc61953d00a7ba363b0e59b57adf3aae3f32a880275eac00eaf5874adae789954ea22c3f1

data/README.md

@@ -78,6 +78,57 @@ When sending requests to the server the `Content-Type` should be set to `applica
 
 All responses will be sent with a `Content-Type` of `application/scim+json`.
 
+#### Authentication
+
+This gem supports both basic and OAuth bearer authentication.
+
+##### Basic Auth
+###### Username
+The config setting `basic_auth_model_searchable_attribute` is the model attribute used to authenticate as the `username`. It defaults to `:subdomain`.
+
+Ensure it is unique to the model records.
+
+###### Password
+The config setting `basic_auth_model_authenticatable_attribute` is the model attribute used to authenticate as `password`. Defaults to `:api_token`.
+
+Assuming the attribute is `:api_token`, generate the password using:
+```ruby
+token = ScimRails::Encoder.encode(company)
+# use the token as password for requests
+company.api_token = token # required
+company.save! # don't forget to persist the company record
+```
+
+This is necessary irrespective of your authentication choice(s) - basic auth, oauth bearer or both.
+
+###### Sample Request
+
+```bash
+$ curl -X GET 'http://username:password@localhost:3000/scim/v2/Users'
+```
+
+##### OAuth Bearer
+
+###### Signing Algorithm
+In the config settings, ensure you set `signing_algorithm` to a valid JWT signing algorithm, e.g "HS256". Defaults to `"none"` when not set.
+
+###### Signing Secret
+In the config settings, ensure you set `signing_secret` to a secret key that will be used to encode and decode tokens. Defaults to `nil` when not set.
+
+If you have already generated the `api_token` in the "Basic Auth" section, then use that as your bearer token and ignore the steps below:
+```ruby
+token = ScimRails::Encoder.encode(company)
+# use the token as bearer token for requests
+company.api_token = token #required
+company.save! # don't forget to persist the company record
+```
+
+##### Sample Request
+
+```bash
+$ curl -H 'Authorization: Bearer xxxxxxx.xxxxxx' -X GET 'http://localhost:3000/scim/v2/Users'
+```
+
 ### List
 
 ##### All

data/app/controllers/scim_rails/application_controller.rb

@@ -9,14 +9,30 @@ module ScimRails
     private
 
     def authorize_request
-      authenticate_with_http_basic do |username, password|
+      send(authentication_strategy) do |searchable_attribute, authentication_attribute|
         authorization = AuthorizeApiRequest.new(
-          searchable_attribute: username,
-          authentication_attribute: password
+          searchable_attribute: searchable_attribute,
+          authentication_attribute: authentication_attribute
         )
         @company = authorization.company
       end
-      raise  ScimRails::ExceptionHandler::InvalidCredentials if @company.blank?
+      raise ScimRails::ExceptionHandler::InvalidCredentials if @company.blank?
+    end
+
+    def authentication_strategy
+      if request.headers["Authorization"]&.include?("Bearer")
+        :authenticate_with_oauth_bearer
+      else
+        :authenticate_with_http_basic
+      end
+    end
+
+    def authenticate_with_oauth_bearer
+      authentication_attribute = request.headers["Authorization"].split(" ").last
+      payload = ScimRails::Encoder.decode(authentication_attribute).with_indifferent_access
+      searchable_attribute = payload[ScimRails.config.basic_auth_model_searchable_attribute]
+
+      yield searchable_attribute, authentication_attribute
     end
   end
 end

data/lib/generators/scim_rails/templates/initializer.rb

@@ -22,6 +22,18 @@ ScimRails.configure do |config|
   # or throws an error (returning 409 Conflict in accordance with SCIM spec)
   config.scim_user_prevent_update_on_create = false
 
+  # Cryptographic algorithm used for signing the auth tokens.
+  # It supports all algorithms supported by the jwt gem.
+  # See https://github.com/jwt/ruby-jwt#algorithms-and-usage for supported algorithms
+  # It is "none" by default, hence generated tokens are unsigned
+  # The tokens do not need to be signed if you only need basic authentication.
+  # config.signing_algorithm = "HS256"
+
+  # Secret token used to sign authorization tokens
+  # It is `nil` by default, hence generated tokens are unsigned
+  # The tokens do not need to be signed if you only need basic authentication.
+  # config.signing_secret = SECRET_TOKEN
+
   # Default sort order for pagination is by id. If you
   # use non sequential ids for user records, uncomment
   # the below line and configure a determinate order.

data/lib/scim_rails/config.rb

@@ -10,6 +10,8 @@ module ScimRails
   end
 
   class Config
+    ALGO_NONE = "none".freeze
+
     attr_accessor \
       :basic_auth_model,
       :basic_auth_model_authenticatable_attribute,
@@ -21,6 +23,8 @@ module ScimRails
       :scim_users_model,
       :scim_users_scope,
       :scim_user_prevent_update_on_create,
+      :signing_secret,
+      :signing_algorithm,
       :user_attributes,
       :user_deprovision_method,
       :user_reprovision_method,
@@ -30,6 +34,7 @@ module ScimRails
       @basic_auth_model = "Company"
       @scim_users_list_order = :id
       @scim_users_model = "User"
+      @signing_algorithm = ALGO_NONE
       @user_schema = {}
       @user_attributes = []
     end

data/lib/scim_rails/encoder.rb

@@ -0,0 +1,25 @@
+require "jwt"
+
+module ScimRails
+  module Encoder
+    extend self
+
+    def encode(company)
+      payload = {
+        iat: Time.current.to_i,
+        ScimRails.config.basic_auth_model_searchable_attribute =>
+          company.public_send(ScimRails.config.basic_auth_model_searchable_attribute)
+      }
+
+      JWT.encode(payload, ScimRails.config.signing_secret, ScimRails.config.signing_algorithm)
+    end
+
+    def decode(token)
+      verify = ScimRails.config.signing_algorithm != ScimRails::Config::ALGO_NONE
+
+      JWT.decode(token, ScimRails.config.signing_secret, verify, algorithm: ScimRails.config.signing_algorithm).first
+    rescue JWT::VerificationError, JWT::DecodeError
+      raise ScimRails::ExceptionHandler::InvalidCredentials
+    end
+  end
+end

data/lib/scim_rails/version.rb

@@ -1,3 +1,3 @@
 module ScimRails
-  VERSION = '0.2.2'
+  VERSION = '0.3.0'
 end

data/lib/scim_rails.rb

@@ -1,5 +1,6 @@
 require "scim_rails/engine"
 require "scim_rails/config"
+require "scim_rails/encoder"
 
 module ScimRails
 end

data/spec/controllers/scim_rails/scim_users_controller_spec.rb

@@ -537,7 +537,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :controller do
         expect(user.archived?).to eq true
       end
 
-      it "sucessfully restores user" do
+      it "successfully restores user" do
         expect(company.users.count).to eq 1
         user = company.users.first.tap(&:archive!)
         expect(user.archived?).to eq true

data/spec/controllers/scim_rails/scim_users_request_spec.rb

@@ -5,7 +5,7 @@ RSpec.describe ScimRails::ScimUsersController, type: :request do
   let(:credentials) { Base64::encode64("#{company.subdomain}:#{company.api_token}") }
   let(:authorization) { "Basic #{credentials}" }
 
-  def post_request(content_type)
+  def post_request(content_type = "application/scim+json")
     # params need to be transformed into a string to test if they are being parsed by Rack
 
     post "/scim_rails/scim/v2/Users",
@@ -48,4 +48,26 @@ RSpec.describe ScimRails::ScimUsersController, type: :request do
       expect(company.users.count).to eq 0
     end
   end
+
+  context "OAuth Bearer Authorization" do
+    context "with valid token" do
+      let(:authorization) { "Bearer #{company.api_token}" }
+
+      it "supports OAuth bearer authorization and succeeds" do
+        expect { post_request }.to change(company.users, :count).from(0).to(1)
+
+        expect(response.status).to eq 201
+      end
+    end
+
+    context "with invalid token" do
+      let(:authorization) { "Bearer #{SecureRandom.hex}" }
+
+      it "The request fails" do
+        expect { post_request }.not_to change(company.users, :count)
+
+        expect(response.status).to eq 401
+      end
+    end
+  end
 end

data/spec/dummy/config/initializers/scim_rails_config.rb

@@ -7,6 +7,9 @@ ScimRails.configure do |config|
   config.scim_users_scope = :users
   config.scim_users_list_order = :id
 
+  config.signing_algorithm = "HS256"
+  config.signing_secret = "2d6806dd11c2fece2e81b8ca76dcb0062f5b08e28e3264e8ba1c44bbd3578b70"
+
   config.user_deprovision_method = :archive!
   config.user_reprovision_method = :unarchive!