scimaenaga 0.4.1 → 0.6.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dea244dd3c4735fe8f156571c07c630dbae4cee67cf46c53757aa77d74afb135
-  data.tar.gz: 52cd9e9e2459231d3b415083f28bbac20beac60952d4e2dc6531412ee419492a
+  metadata.gz: 3959060e28dd1554d42df95f07f0bf311ce1f59da0f0d9bce9a3467193874d9b
+  data.tar.gz: c6ffc092a2584e829db8011b76d7c0e8f73c3ebe2422d993682409db90e59439
 SHA512:
-  metadata.gz: e48ad1a2a9108a211f9bb5d15a258292212556281f30403d0d6d5e19a2a3b3dda882f635e11bbde0260fb16bfde43b926e79ae77faac713e7c494189928609eb
-  data.tar.gz: 9d737fe588c932bae532792c141f54a67f5d952874ea7e32151c17d01cc1d6abf3ef4dd25a8639e029be0781b721c23d70cf468a9945d1e33f84a627552acb1d
+  metadata.gz: 013aba54f061b96a3ebe964f285a0d26bfd41062270ca50572c7633bb1a0a7e40c6668d7a5709da9b80c4883e14b07f75f14bb2e1a18dc44d5c90bcb80abe868
+  data.tar.gz: f31c1577377e803693ba5932ff1c64f794e2de44b5d55fd2ad1e89219a9d020e499002ef8e83a97ce81316e3d267abd44b1bd57639f69060234eeecf301bb730

data/MIT-LICENSE

@@ -1,4 +1,5 @@
 Copyright 2018 Lessonly
+Copyright 2021 Studist Corporation
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md

@@ -1,10 +1,8 @@
-[![Tests](https://github.com/StudistCorporation/scim_rails/actions/workflows/test.yaml/badge.svg)](https://github.com/StudistCorporation/scim_rails/actions/workflows/test.yaml)
-[![Inline docs](http://inch-ci.org/github/lessonly/scim_rails.svg?branch=master)](http://inch-ci.org/github/lessonly/scim_rails)
-[![Maintainability](https://api.codeclimate.com/v1/badges/ddfb6a891d2f0d1122ae/maintainability)](https://codeclimate.com/github/lessonly/scim_rails/maintainability)
+[![Tests](https://github.com/StudistCorporation/scimaenaga/actions/workflows/test.yaml/badge.svg)](https://github.com/StudistCorporation/scimaenaga/actions/workflows/test.yaml)
 
-# ScimRails
+# Scimaenaga
 
-NOTE: This Gem is not yet fully SCIM complaint. It was developed with the main function of interfacing with Okta. There are features of SCIM that this Gem does not implement as described in the SCIM documentation or that have been left out completely.
+NOTE: This Gem is not yet fully SCIM complaint. It was developed with the main function of interfacing with Azure AD. There are features of SCIM that this Gem does not implement as described in the SCIM documentation or that have been left out completely.
 
 #### What is SCIM?
 
@@ -12,14 +10,14 @@ SCIM stands for System for Cross-domain Identity Management. At its core, it is
 
 To learn more about SCIM 2.0 you can read the documentation at [RFC 7643](https://tools.ietf.org/html/rfc7643) and [RFC 7644](https://tools.ietf.org/html/rfc7644).
 
-The goal of the Gem is to offer a relatively painless way of adding SCIM 2.0 to your app. This Gem should be fully compatible with Okta's SCIM implementation. This project is ongoing and will hopefully be fully SCIM compliant in time. Pull requests that assist in meeting that goal are welcome!
+The goal of the Gem is to offer a relatively painless way of adding SCIM 2.0 to your app. This Gem should be fully compatible with Azure AD's SCIM implementation. This project is ongoing and will hopefully be fully SCIM compliant in time. Pull requests that assist in meeting that goal are welcome!
 
 ## Installation
 
 Add this line to your application's Gemfile:
 
 ```ruby
-gem 'scim_rails'
+gem 'scimaenaga', require: 'scim_rails'
 ```
 
 And then execute:
@@ -31,7 +29,7 @@ $ bundle
 Or install it yourself as:
 
 ```bash
-$ gem install scim_rails
+$ gem install scimaenaga
 ```
 
 Generate the config file with:
@@ -238,21 +236,9 @@ Sample request:
 $ curl -X PUT 'http://username:password@localhost:3000/scim/v2/Users/1' -d '{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"test@example.com","name":{"givenName":"Test","familyName":"User"},"emails":[{"primary":true,"value":"test@example.com","type":"work"}],"displayName":"Test User","active":true}' -H 'Content-Type: application/scim+json'
 ```
 
-### Deprovision / Reprovision
-
-The PATCH request was implemented to work with Okta. Okta updates profiles with PUT and deprovisions / reprovisions with PATCH. This implementation of PATCH is not SCIM compliant as it does not update a single attribute on the user profile but instead only sends a status update request to the record.
-
-We would like to implement PATCH to be fully SCIM compliant in future releases.
-
-Sample request:
-
-```bash
-$ curl -X PATCH 'http://username:password@localhost:3000/scim/v2/Users/1' -d '{"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], "Operations": [{"op": "replace", "value": { "active": false }}]}' -H 'Content-Type: application/scim+json'
-```
-
 ### Error Handling
 
-By default, scim_rails will output any unhandled exceptions to your configured rails logs.
+By default, scimaenaga will output any unhandled exceptions to your configured rails logs.
 
 If you would like, you can supply a custom handler for exceptions in the initializer. The only requirement is that the value you supply responds to `#call`.
 
@@ -266,7 +252,7 @@ end
 
 ## Contributing
 
-### [Code of Conduct](https://github.com/lessonly/scim_rails/blob/master/CODE_OF_CONDUCT.md)
+### [Code of Conduct](https://github.com/StudistCorporation/scimaenaga/blob/master/CODE_OF_CONDUCT.md)
 
 ### Pull Requests
 

data/app/controllers/scim_rails/scim_groups_controller.rb

@@ -9,17 +9,19 @@ module ScimRails
         )
 
         groups = @company
-          .public_send(ScimRails.config.scim_groups_scope)
-          .where(
-            "#{ScimRails.config.scim_groups_model.connection.quote_column_name(query.attribute)} #{query.operator} ?",
-            query.parameter
-          )
-          .order(ScimRails.config.scim_groups_list_order)
+                 .public_send(ScimRails.config.scim_groups_scope)
+                 .where(
+                   "#{ScimRails.config.scim_groups_model
+                               .connection.quote_column_name(query.attribute)}
+                               #{query.operator} ?",
+                   query.parameter
+                 )
+                 .order(ScimRails.config.scim_groups_list_order)
       else
         groups = @company
-          .public_send(ScimRails.config.scim_groups_scope)
-          .preload(:users)
-          .order(ScimRails.config.scim_groups_list_order)
+                 .public_send(ScimRails.config.scim_groups_scope)
+                 .preload(:users)
+                 .order(ScimRails.config.scim_groups_list_order)
       end
 
       counts = ScimCount.new(
@@ -33,64 +35,75 @@ module ScimRails
 
     def show
       group = @company
-        .public_send(ScimRails.config.scim_groups_scope)
-        .find(params[:id])
+              .public_send(ScimRails.config.scim_groups_scope)
+              .find(params[:id])
       json_scim_response(object: group)
     end
 
     def create
       group = @company
-        .public_send(ScimRails.config.scim_groups_scope)
-        .create!(permitted_group_params)
+              .public_send(ScimRails.config.scim_groups_scope)
+              .create!(permitted_group_params)
 
       json_scim_response(object: group, status: :created)
     end
 
     def put_update
       group = @company
-        .public_send(ScimRails.config.scim_groups_scope)
-        .find(params[:id])
+              .public_send(ScimRails.config.scim_groups_scope)
+              .find(params[:id])
       group.update!(permitted_group_params)
       json_scim_response(object: group)
     end
 
+    def patch_update
+      group = @company
+              .public_send(ScimRails.config.scim_groups_scope)
+              .find(params[:id])
+      patch = ScimPatch.new(params, ScimRails.config.mutable_group_attributes_schema)
+      patch.save(group)
+
+      json_scim_response(object: group)
+    end
+
     def destroy
       unless ScimRails.config.group_destroy_method
         raise ScimRails::ExceptionHandler::UnsupportedDeleteRequest
       end
+
       group = @company
-        .public_send(ScimRails.config.scim_groups_scope)
-        .find(params[:id])
+              .public_send(ScimRails.config.scim_groups_scope)
+              .find(params[:id])
       group.public_send(ScimRails.config.group_destroy_method)
       head :no_content
     end
 
     private
 
-    def permitted_group_params
-      converted = mutable_attributes.each.with_object({}) do |attribute, hash|
-        hash[attribute] = find_value_for(attribute)
-      end
-      return converted unless params[:members]
+      def permitted_group_params
+        converted = mutable_attributes.each.with_object({}) do |attribute, hash|
+          hash[attribute] = find_value_for(attribute)
+        end
+        return converted unless params[:members]
 
-      converted.merge(member_params)
-    end
+        converted.merge(member_params)
+      end
 
-    def member_params
-      {
-        ScimRails.config.group_member_relation_attribute =>
-          params[:members].map do |member|
-            member[ScimRails.config.group_member_relation_schema.keys.first]
-          end
-      }
-    end
+      def member_params
+        {
+          ScimRails.config.group_member_relation_attribute =>
+            params[:members].map do |member|
+              member[ScimRails.config.group_member_relation_schema.keys.first]
+            end,
+        }
+      end
 
-    def mutable_attributes
-      ScimRails.config.mutable_group_attributes
-    end
+      def mutable_attributes
+        ScimRails.config.mutable_group_attributes
+      end
 
-    def controller_schema
-      ScimRails.config.mutable_group_attributes_schema
-    end
+      def controller_schema
+        ScimRails.config.mutable_group_attributes_schema
+      end
   end
 end

data/app/controllers/scim_rails/scim_users_controller.rb

@@ -2,6 +2,8 @@
 
 module ScimRails
   class ScimUsersController < ScimRails::ApplicationController
+
+
     def index
       if params[:filter].present?
         query = ScimRails::ScimQueryParser.new(
@@ -9,16 +11,17 @@ module ScimRails
         )
 
         users = @company
-          .public_send(ScimRails.config.scim_users_scope)
-          .where(
-            "#{ScimRails.config.scim_users_model.connection.quote_column_name(query.attribute)} #{query.operator} ?",
-            query.parameter
-          )
-          .order(ScimRails.config.scim_users_list_order)
+                .public_send(ScimRails.config.scim_users_scope)
+                .where(
+                  "#{ScimRails.config.scim_users_model
+              .connection.quote_column_name(query.attribute)} #{query.operator} ?",
+                  query.parameter
+                )
+                .order(ScimRails.config.scim_users_list_order)
       else
         users = @company
-          .public_send(ScimRails.config.scim_users_scope)
-          .order(ScimRails.config.scim_users_list_order)
+                .public_send(ScimRails.config.scim_users_scope)
+                .order(ScimRails.config.scim_users_list_order)
       end
 
       counts = ScimCount.new(
@@ -32,20 +35,23 @@ module ScimRails
 
     def create
       if ScimRails.config.scim_user_prevent_update_on_create
-        user = @company.public_send(ScimRails.config.scim_users_scope).create!(permitted_user_params)
+        user = @company
+               .public_send(ScimRails.config.scim_users_scope)
+               .create!(permitted_user_params)
       else
         username_key = ScimRails.config.queryable_user_attributes[:userName]
         find_by_username = {}
         find_by_username[username_key] = permitted_user_params[username_key]
         user = @company
-          .public_send(ScimRails.config.scim_users_scope)
-          .find_or_create_by(find_by_username)
+               .public_send(ScimRails.config.scim_users_scope)
+               .find_or_create_by(find_by_username)
         user.update!(permitted_user_params)
       end
-      update_status(user) unless put_active_param.nil?
       json_scim_response(object: user, status: :created)
     end
 
+
+
     def show
       user = @company.public_send(ScimRails.config.scim_users_scope).find(params[:id])
       json_scim_response(object: user)
@@ -53,72 +59,28 @@ module ScimRails
 
     def put_update
       user = @company.public_send(ScimRails.config.scim_users_scope).find(params[:id])
-      update_status(user) unless put_active_param.nil?
       user.update!(permitted_user_params)
       json_scim_response(object: user)
     end
 
-    # TODO: PATCH will only deprovision or reprovision users.
-    # This will work just fine for Okta but is not SCIM compliant.
     def patch_update
       user = @company.public_send(ScimRails.config.scim_users_scope).find(params[:id])
-      update_status(user)
+      patch = ScimPatch.new(params, ScimRails.config.mutable_user_attributes_schema)
+      patch.save(user)
+
       json_scim_response(object: user)
     end
 
     private
 
-    def permitted_user_params
-      ScimRails.config.mutable_user_attributes.each.with_object({}) do |attribute, hash|
-        hash[attribute] = find_value_for(attribute)
+      def permitted_user_params
+        ScimRails.config.mutable_user_attributes.each.with_object({}) do |attribute, hash|
+          hash[attribute] = find_value_for(attribute)
+        end
       end
-    end
 
-    def controller_schema
-      ScimRails.config.mutable_user_attributes_schema
-    end
-
-    def update_status(user)
-      user.public_send(ScimRails.config.user_reprovision_method) if active?
-      user.public_send(ScimRails.config.user_deprovision_method) unless active?
-    end
-
-    def active?
-      active = put_active_param
-      active = patch_active_param if active.nil?
-
-      case active
-      when true, "true", 1
-        true
-      when false, "false", 0
-        false
-      else
-        raise ActiveRecord::RecordInvalid
+      def controller_schema
+        ScimRails.config.mutable_user_attributes_schema
       end
-    end
-
-    def put_active_param
-      params[:active]
-    end
-
-    def patch_active_param
-      handle_invalid = lambda do
-        raise ScimRails::ExceptionHandler::UnsupportedPatchRequest
-      end
-
-      operations = params["Operations"] || {}
-
-      valid_operation = operations.find(handle_invalid) do |operation|
-        valid_patch_operation?(operation)
-      end
-
-      valid_operation.dig("value", "active")
-    end
-
-    def valid_patch_operation?(operation)
-      operation["op"].casecmp("replace") &&
-        operation["value"] &&
-        [true, false].include?(operation["value"]["active"])
-    end
   end
 end

data/app/libraries/scim_patch.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+# Parse PATCH request
+class ScimPatch
+  attr_accessor :operations
+
+  def initialize(params, mutable_attributes_schema)
+    # FIXME: raise proper error.
+    unless params['schemas'] == ['urn:ietf:params:scim:api:messages:2.0:PatchOp']
+      raise StandardError
+    end
+    if params['Operations'].nil?
+      raise ScimRails::ExceptionHandler::UnsupportedPatchRequest
+    end
+
+    @operations = params['Operations'].map do |operation|
+      ScimPatchOperation.new(operation['op'], operation['path'], operation['value'],
+                             mutable_attributes_schema)
+    end
+  end
+
+  def save(model)
+    model.transaction do
+      @operations.each do |operation|
+        operation.save(model)
+      end
+      model.save! if model.changed?
+    end
+  rescue ActiveRecord::RecordNotFound
+    raise
+  rescue StandardError
+    raise ScimRails::ExceptionHandler::UnsupportedPatchRequest
+  end
+end

data/app/libraries/scim_patch_operation.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+# Parse One of "Operations" in PATCH request
+class ScimPatchOperation
+  attr_accessor :op, :path_scim, :path_sp, :value
+
+  def initialize(op, path, value, mutable_attributes_schema)
+    # FIXME: Raise proper Error
+    raise StandardError unless op.downcase.in? %w[add replace remove]
+
+    # No path is not supported.
+    # FIXME: Raise proper Error
+    raise ScimRails::ExceptionHandler::UnsupportedPatchRequest if path.nil?
+    raise ScimRails::ExceptionHandler::UnsupportedPatchRequest if value.nil?
+
+    @op = op.downcase.to_sym
+    @path_scim = path
+    @path_sp = convert_path(path, mutable_attributes_schema)
+    @value = convert_bool_if_string(value, @path_scim)
+  end
+
+  def save(model)
+    if @path_scim == 'members' # Only members are supported for value is an array
+      update_member_ids = @value.map do |v|
+        v[ScimRails.config.group_member_relation_schema.keys.first].to_s
+      end
+
+      current_member_ids = model
+                           .public_send(ScimRails.config.group_member_relation_attribute).map(&:to_s)
+      case @op
+      when :add
+        member_ids = current_member_ids.concat(update_member_ids)
+      when :replace
+        member_ids = current_member_ids.concat(update_member_ids)
+      when :remove
+        member_ids = current_member_ids - update_member_ids
+      end
+
+      # Only the member addition process is saved by each ids
+      model.public_send("#{ScimRails.config.group_member_relation_attribute}=",
+                        member_ids.uniq)
+      return
+    end
+
+    case @op
+    when :add, :replace
+      model.attributes = { @path_sp => @value }
+    when :remove
+      model.attributes = { @path_sp => nil }
+    end
+  end
+
+  private
+
+    def convert_path(path, mutable_attributes_schema)
+      # For now, library does not support Multi-Valued Attributes properly.
+      # examle:
+      #   path = 'emails[type eq "work"].value'
+      #   mutable_attributes_schema = {
+      #     emails: [
+      #       {
+      #         value: :mail_address,
+      #      }
+      #     ],
+      #   }
+      #
+      #   Library ignores filter conditions (like [type eq "work"])
+      #   and always uses the first element of the array
+      dig_keys = path.gsub(/\[(.+?)\]/, '.0').split('.').map do |step|
+        step == '0' ? 0 : step.to_sym
+      end
+      mutable_attributes_schema.dig(*dig_keys)
+    end
+
+    def convert_bool_if_string(value, path)
+      # This method correct value in requests from Azure AD according to SCIM.
+      # When path is not active, do nothing and return
+      return value if path != 'active'
+
+      case value
+      when 'true', 'True'
+        return true
+      when 'false', 'False'
+        return false
+      else
+        return value
+      end
+    end
+end

data/app/models/scim_rails/scim_query_parser.rb

@@ -5,7 +5,7 @@ module ScimRails
     attr_accessor :query_elements, :query_attributes
 
     def initialize(query_string, queryable_attributes)
-      self.query_elements = query_string.split
+      self.query_elements = query_string.gsub(/\[(.+?)\]/, ".0").split
       self.query_attributes = queryable_attributes
     end
 
@@ -13,9 +13,11 @@ module ScimRails
       attribute = query_elements[0]
       raise ScimRails::ExceptionHandler::InvalidQuery if attribute.blank?
 
-      attribute = attribute.to_sym
+      dig_keys = attribute.split(".").map do |step|
+        step == "0" ? 0 : step.to_sym
+      end
 
-      mapped_attribute = query_attributes[attribute]
+      mapped_attribute = query_attributes.dig(*dig_keys)
       raise ScimRails::ExceptionHandler::InvalidQuery if mapped_attribute.blank?
 
       mapped_attribute

data/config/routes.rb

@@ -8,5 +8,6 @@ ScimRails::Engine.routes.draw do
   post   'scim/v2/Groups',     action: :create,        controller: 'scim_groups'
   get    'scim/v2/Groups/:id', action: :show,          controller: 'scim_groups'
   put    'scim/v2/Groups/:id', action: :put_update,    controller: 'scim_groups'
+  patch  'scim/v2/Groups/:id', action: :patch_update,  controller: 'scim_groups'
   delete 'scim/v2/Groups/:id', action: :destroy,       controller: 'scim_groups'
 end

data/lib/generators/scim_rails/templates/initializer.rb

@@ -48,12 +48,6 @@ ScimRails.configure do |config|
   # For example, [:created_at, :id] or { created_at: :desc }.
   # config.scim_users_list_order = :id
 
-  # Method called on user model to deprovision a user.
-  config.user_deprovision_method = :archive!
-
-  # Method called on user model to reprovision a user.
-  config.user_reprovision_method = :unarchive!
-
   # Hash of queryable attribtues on the user model. If
   # the attribute is not listed in this hash it cannot
   # be queried by this Gem. The structure of this hash

data/lib/scim_rails/config.rb

@@ -42,8 +42,6 @@ module ScimRails
       :signing_secret,
       :signing_algorithm,
       :user_attributes,
-      :user_deprovision_method,
-      :user_reprovision_method,
       :user_schema,
       :group_schema,
       :group_destroy_method

data/lib/scim_rails/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ScimRails
-  VERSION = "0.4.1"
+  VERSION = '0.6.2'
 end