scimaenaga 0.4.1

data/app/controllers/scim_rails/scim_groups_controller.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+
+module ScimRails
+  class ScimGroupsController < ScimRails::ApplicationController
+    def index
+      if params[:filter].present?
+        query = ScimRails::ScimQueryParser.new(
+          params[:filter], ScimRails.config.queryable_group_attributes
+        )
+
+        groups = @company
+          .public_send(ScimRails.config.scim_groups_scope)
+          .where(
+            "#{ScimRails.config.scim_groups_model.connection.quote_column_name(query.attribute)} #{query.operator} ?",
+            query.parameter
+          )
+          .order(ScimRails.config.scim_groups_list_order)
+      else
+        groups = @company
+          .public_send(ScimRails.config.scim_groups_scope)
+          .preload(:users)
+          .order(ScimRails.config.scim_groups_list_order)
+      end
+
+      counts = ScimCount.new(
+        start_index: params[:startIndex],
+        limit: params[:count],
+        total: groups.count
+      )
+
+      json_scim_response(object: groups, counts: counts)
+    end
+
+    def show
+      group = @company
+        .public_send(ScimRails.config.scim_groups_scope)
+        .find(params[:id])
+      json_scim_response(object: group)
+    end
+
+    def create
+      group = @company
+        .public_send(ScimRails.config.scim_groups_scope)
+        .create!(permitted_group_params)
+
+      json_scim_response(object: group, status: :created)
+    end
+
+    def put_update
+      group = @company
+        .public_send(ScimRails.config.scim_groups_scope)
+        .find(params[:id])
+      group.update!(permitted_group_params)
+      json_scim_response(object: group)
+    end
+
+    def destroy
+      unless ScimRails.config.group_destroy_method
+        raise ScimRails::ExceptionHandler::UnsupportedDeleteRequest
+      end
+      group = @company
+        .public_send(ScimRails.config.scim_groups_scope)
+        .find(params[:id])
+      group.public_send(ScimRails.config.group_destroy_method)
+      head :no_content
+    end
+
+    private
+
+    def permitted_group_params
+      converted = mutable_attributes.each.with_object({}) do |attribute, hash|
+        hash[attribute] = find_value_for(attribute)
+      end
+      return converted unless params[:members]
+
+      converted.merge(member_params)
+    end
+
+    def member_params
+      {
+        ScimRails.config.group_member_relation_attribute =>
+          params[:members].map do |member|
+            member[ScimRails.config.group_member_relation_schema.keys.first]
+          end
+      }
+    end
+
+    def mutable_attributes
+      ScimRails.config.mutable_group_attributes
+    end
+
+    def controller_schema
+      ScimRails.config.mutable_group_attributes_schema
+    end
+  end
+end

data/app/controllers/scim_rails/scim_users_controller.rb

@@ -0,0 +1,124 @@
+# frozen_string_literal: true
+
+module ScimRails
+  class ScimUsersController < ScimRails::ApplicationController
+    def index
+      if params[:filter].present?
+        query = ScimRails::ScimQueryParser.new(
+          params[:filter], ScimRails.config.queryable_user_attributes
+        )
+
+        users = @company
+          .public_send(ScimRails.config.scim_users_scope)
+          .where(
+            "#{ScimRails.config.scim_users_model.connection.quote_column_name(query.attribute)} #{query.operator} ?",
+            query.parameter
+          )
+          .order(ScimRails.config.scim_users_list_order)
+      else
+        users = @company
+          .public_send(ScimRails.config.scim_users_scope)
+          .order(ScimRails.config.scim_users_list_order)
+      end
+
+      counts = ScimCount.new(
+        start_index: params[:startIndex],
+        limit: params[:count],
+        total: users.count
+      )
+
+      json_scim_response(object: users, counts: counts)
+    end
+
+    def create
+      if ScimRails.config.scim_user_prevent_update_on_create
+        user = @company.public_send(ScimRails.config.scim_users_scope).create!(permitted_user_params)
+      else
+        username_key = ScimRails.config.queryable_user_attributes[:userName]
+        find_by_username = {}
+        find_by_username[username_key] = permitted_user_params[username_key]
+        user = @company
+          .public_send(ScimRails.config.scim_users_scope)
+          .find_or_create_by(find_by_username)
+        user.update!(permitted_user_params)
+      end
+      update_status(user) unless put_active_param.nil?
+      json_scim_response(object: user, status: :created)
+    end
+
+    def show
+      user = @company.public_send(ScimRails.config.scim_users_scope).find(params[:id])
+      json_scim_response(object: user)
+    end
+
+    def put_update
+      user = @company.public_send(ScimRails.config.scim_users_scope).find(params[:id])
+      update_status(user) unless put_active_param.nil?
+      user.update!(permitted_user_params)
+      json_scim_response(object: user)
+    end
+
+    # TODO: PATCH will only deprovision or reprovision users.
+    # This will work just fine for Okta but is not SCIM compliant.
+    def patch_update
+      user = @company.public_send(ScimRails.config.scim_users_scope).find(params[:id])
+      update_status(user)
+      json_scim_response(object: user)
+    end
+
+    private
+
+    def permitted_user_params
+      ScimRails.config.mutable_user_attributes.each.with_object({}) do |attribute, hash|
+        hash[attribute] = find_value_for(attribute)
+      end
+    end
+
+    def controller_schema
+      ScimRails.config.mutable_user_attributes_schema
+    end
+
+    def update_status(user)
+      user.public_send(ScimRails.config.user_reprovision_method) if active?
+      user.public_send(ScimRails.config.user_deprovision_method) unless active?
+    end
+
+    def active?
+      active = put_active_param
+      active = patch_active_param if active.nil?
+
+      case active
+      when true, "true", 1
+        true
+      when false, "false", 0
+        false
+      else
+        raise ActiveRecord::RecordInvalid
+      end
+    end
+
+    def put_active_param
+      params[:active]
+    end
+
+    def patch_active_param
+      handle_invalid = lambda do
+        raise ScimRails::ExceptionHandler::UnsupportedPatchRequest
+      end
+
+      operations = params["Operations"] || {}
+
+      valid_operation = operations.find(handle_invalid) do |operation|
+        valid_patch_operation?(operation)
+      end
+
+      valid_operation.dig("value", "active")
+    end
+
+    def valid_patch_operation?(operation)
+      operation["op"].casecmp("replace") &&
+        operation["value"] &&
+        [true, false].include?(operation["value"]["active"])
+    end
+  end
+end

data/app/helpers/scim_rails/application_helper.rb

@@ -0,0 +1,4 @@
+module ScimRails
+  module ApplicationHelper
+  end
+end

data/app/models/scim_rails/application_record.rb

@@ -0,0 +1,5 @@
+module ScimRails
+  class ApplicationRecord < ActiveRecord::Base
+    self.abstract_class = true
+  end
+end

data/app/models/scim_rails/authorize_api_request.rb

@@ -0,0 +1,40 @@
+module ScimRails
+  class AuthorizeApiRequest
+
+    def initialize(searchable_attribute:, authentication_attribute:)
+      @searchable_attribute = searchable_attribute
+      @authentication_attribute = authentication_attribute
+
+      raise ScimRails::ExceptionHandler::InvalidCredentials if searchable_attribute.blank? || authentication_attribute.blank?
+
+      @search_parameter = { ScimRails.config.basic_auth_model_searchable_attribute => @searchable_attribute }
+    end
+
+    def company
+      company = find_company
+      authorize(company)
+      company
+    end
+
+    private
+
+    attr_reader :authentication_attribute
+    attr_reader :search_parameter
+    attr_reader :searchable_attribute
+
+    def find_company
+      @company ||= ScimRails.config.basic_auth_model.find_by!(search_parameter)
+
+    rescue ActiveRecord::RecordNotFound
+      raise ScimRails::ExceptionHandler::InvalidCredentials
+    end
+
+    def authorize(authentication_model)
+      authorized = ActiveSupport::SecurityUtils.secure_compare(
+        authentication_model.public_send(ScimRails.config.basic_auth_model_authenticatable_attribute),
+        authentication_attribute
+      )
+      raise ScimRails::ExceptionHandler::InvalidCredentials unless authorized
+    end
+  end
+end

data/app/models/scim_rails/scim_count.rb

@@ -0,0 +1,38 @@
+module ScimRails
+  class ScimCount
+    include ActiveModel::Model
+
+    attr_accessor \
+      :limit,
+      :offset,
+      :start_index,
+      :total
+
+    def limit
+      return 100 if @limit.blank?
+      validate_numericality(@limit)
+      input = @limit.to_i
+      raise if input < 1
+      input
+    end
+
+    def start_index
+      return 1 if @start_index.blank?
+      validate_numericality(@start_index)
+      input = @start_index.to_i
+      return 1 if input < 1
+      input
+    end
+
+    def offset
+      start_index - 1
+    end
+
+    private
+
+    def validate_numericality(input)
+      raise unless input.match?(/\A\d+\z/)
+    end
+
+  end
+end

data/app/models/scim_rails/scim_query_parser.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module ScimRails
+  class ScimQueryParser
+    attr_accessor :query_elements, :query_attributes
+
+    def initialize(query_string, queryable_attributes)
+      self.query_elements = query_string.split
+      self.query_attributes = queryable_attributes
+    end
+
+    def attribute
+      attribute = query_elements[0]
+      raise ScimRails::ExceptionHandler::InvalidQuery if attribute.blank?
+
+      attribute = attribute.to_sym
+
+      mapped_attribute = query_attributes[attribute]
+      raise ScimRails::ExceptionHandler::InvalidQuery if mapped_attribute.blank?
+
+      mapped_attribute
+    end
+
+    def operator
+      sql_comparison_operator(query_elements[1])
+    end
+
+    def parameter
+      parameter = query_elements[2..-1].join(" ")
+      return if parameter.blank?
+
+      parameter.gsub(/"/, "")
+    end
+
+    private
+
+    def sql_comparison_operator(element)
+      case element
+      when "eq"
+        "="
+      else
+        # TODO: implement additional query filters
+        raise ScimRails::ExceptionHandler::InvalidQuery
+      end
+    end
+  end
+end

data/config/initializers/mime_types.rb

@@ -0,0 +1,5 @@
+Mime::Type.register "application/scim+json", :scimjson
+
+ActionDispatch::Request.parameter_parsers[:scimjson] = lambda do |body|
+  ActiveSupport::JSON.decode(body)
+end

data/config/routes.rb

@@ -0,0 +1,12 @@
+ScimRails::Engine.routes.draw do
+  get    'scim/v2/Users',      action: :index,         controller: 'scim_users'
+  post   'scim/v2/Users',      action: :create,        controller: 'scim_users'
+  get    'scim/v2/Users/:id',  action: :show,          controller: 'scim_users'
+  put    'scim/v2/Users/:id',  action: :put_update,    controller: 'scim_users'
+  patch  'scim/v2/Users/:id',  action: :patch_update,  controller: 'scim_users'
+  get    'scim/v2/Groups',     action: :index,         controller: 'scim_groups'
+  post   'scim/v2/Groups',     action: :create,        controller: 'scim_groups'
+  get    'scim/v2/Groups/:id', action: :show,          controller: 'scim_groups'
+  put    'scim/v2/Groups/:id', action: :put_update,    controller: 'scim_groups'
+  delete 'scim/v2/Groups/:id', action: :destroy,       controller: 'scim_groups'
+end

data/lib/generators/scim_rails/USAGE

@@ -0,0 +1,8 @@
+Description:
+    Generates the scim_rails initializer.
+
+Example:
+    rails generate scim_rails config
+
+    This will create:
+        config/initializers/scim_rails_config.rb

data/lib/generators/scim_rails/scim_rails_generator.rb

@@ -0,0 +1,7 @@
+class ScimRailsGenerator < Rails::Generators::NamedBase
+  source_root File.expand_path('../templates', __FILE__)
+
+  def copy_initializer_file
+    copy_file "initializer.rb", "config/initializers/scim_rails_config.rb"
+  end
+end

data/lib/generators/scim_rails/templates/initializer.rb

@@ -0,0 +1,166 @@
+# frozen_string_literal: true
+
+ScimRails.configure do |config|
+  # Model used for authenticating and scoping users.
+  config.basic_auth_model = "Company"
+
+  # Attribute used to search for a given record. This
+  # attribute should be unique as it will return the
+  # first found record.
+  config.basic_auth_model_searchable_attribute = :subdomain
+
+  # Attribute used to compare Basic Auth password value.
+  # Attribute will need to return plaintext for comparison.
+  config.basic_auth_model_authenticatable_attribute = :api_token
+
+  # Model used for user records.
+  config.scim_users_model = "User"
+
+  # Method used for retrieving user records from the
+  # authenticatable model.
+  config.scim_users_scope = :users
+
+  # Determine whether the create endpoint updates users that already exist
+  # or throws an error (returning 409 Conflict in accordance with SCIM spec)
+  config.scim_user_prevent_update_on_create = false
+
+  # Model used for group records.
+  config.scim_groups_model = "Group"
+  # Method used for retrieving user records from the
+  # authenticatable model.
+  config.scim_groups_scope = :groups
+
+  # Cryptographic algorithm used for signing the auth tokens.
+  # It supports all algorithms supported by the jwt gem.
+  # See https://github.com/jwt/ruby-jwt#algorithms-and-usage for supported algorithms
+  # It is "none" by default, hence generated tokens are unsigned
+  # The tokens do not need to be signed if you only need basic authentication.
+  # config.signing_algorithm = "HS256"
+
+  # Secret token used to sign authorization tokens
+  # It is `nil` by default, hence generated tokens are unsigned
+  # The tokens do not need to be signed if you only need basic authentication.
+  # config.signing_secret = SECRET_TOKEN
+
+  # Default sort order for pagination is by id. If you
+  # use non sequential ids for user records, uncomment
+  # the below line and configure a determinate order.
+  # For example, [:created_at, :id] or { created_at: :desc }.
+  # config.scim_users_list_order = :id
+
+  # Method called on user model to deprovision a user.
+  config.user_deprovision_method = :archive!
+
+  # Method called on user model to reprovision a user.
+  config.user_reprovision_method = :unarchive!
+
+  # Hash of queryable attribtues on the user model. If
+  # the attribute is not listed in this hash it cannot
+  # be queried by this Gem. The structure of this hash
+  # is { queryable_scim_attribute => user_attribute }.
+  config.queryable_user_attributes = {
+    userName: :email,
+    givenName: :first_name,
+    familyName: :last_name,
+    email: :email
+  }
+
+  # Array of attributes that can be modified on the
+  # user model. If the attribute is not in this array
+  # the attribute cannot be modified by this Gem.
+  config.mutable_user_attributes = [
+    :first_name,
+    :last_name,
+    :email
+  ]
+
+  # Hash of mutable attributes. This object is the map
+  # for this Gem to figure out where to look in a SCIM
+  # response for mutable values. This object should
+  # include all attributes listed in
+  # config.mutable_user_attributes.
+  config.mutable_user_attributes_schema = {
+    name: {
+      givenName: :first_name,
+      familyName: :last_name
+    },
+    emails: [
+      {
+        value: :email
+      }
+    ]
+  }
+
+  # Hash of SCIM structure for a user schema. This object
+  # is what will be returned for a given user. The keys
+  # in this object should conform to standard SCIM
+  # structures. The values in the object will be
+  # transformed per user record. Strings will be passed
+  # through as is, symbols will be passed to the user
+  # object to return a value.
+  config.user_schema = {
+    schemas: ["urn:ietf:params:scim:schemas:core:2.0:User"],
+    id: :id,
+    userName: :email,
+    name: {
+      givenName: :first_name,
+      familyName: :last_name
+    },
+    emails: [
+      {
+        value: :email
+      }
+    ],
+    active: :active?
+  }
+
+  # Schema for users used in "abbreviated" lists such as in
+  # the `members` field of a Group.
+  config.user_abbreviated_schema = {
+    value: :id,
+    display: :email
+  }
+
+  # Allow filtering Groups based on these parameters
+  config.queryable_group_attributes = {
+    displayName: :name
+  }
+
+  # List of attributes on a Group that can be updated through SCIM
+  config.mutable_group_attributes = [
+    :name
+  ]
+
+  # Hash of mutable Group attributes. This object is the map
+  # for this Gem to figure out where to look in a SCIM
+  # response for mutable values. This object should
+  # include all attributes listed in
+  # config.mutable_group_attributes.
+  config.mutable_group_attributes_schema = {
+    displayName: :name
+  }
+
+  # The User relation's IDs field name on the Group model.
+  # Eg. if the relation is `has_many :users` this will be :user_ids
+  config.group_member_relation_attribute = :user_ids
+  # Which fields from the request's `members` field should be
+  # assigned to the relation IDs field. Should include the field
+  # set in config.group_member_relation_attribute.
+  config.group_member_relation_schema = { value: :user_ids }
+
+  config.group_schema = {
+    schemas: ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+    id: :id,
+    displayName: :name,
+    members: :users
+  }
+
+  config.group_abbreviated_schema = {
+    value: :id,
+    display: :name
+  }
+
+  # Set group_destroy_method to a method on the Group model
+  # to be called on a destroy request
+  # config.group_destroy_method = :destroy!
+end

data/lib/scim_rails/config.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+module ScimRails
+  class << self
+    def configure
+      yield config
+    end
+
+    def config
+      @config ||= Config.new
+    end
+  end
+
+  # Class containing configuration of ScimRails
+  class Config
+    ALGO_NONE = "none"
+
+    attr_writer \
+      :basic_auth_model,
+      :mutable_user_attributes_schema,
+      :mutable_group_attributes_schema,
+      :scim_users_model,
+      :scim_groups_model
+
+    attr_accessor \
+      :basic_auth_model_authenticatable_attribute,
+      :basic_auth_model_searchable_attribute,
+      :mutable_user_attributes,
+      :on_error,
+      :queryable_user_attributes,
+      :queryable_group_attributes,
+      :scim_users_list_order,
+      :scim_users_scope,
+      :scim_user_prevent_update_on_create,
+      :mutable_group_attributes,
+      :scim_groups_list_order,
+      :scim_groups_scope,
+      :group_member_relation_attribute,
+      :group_member_relation_schema,
+      :user_abbreviated_schema,
+      :group_abbreviated_schema,
+      :signing_secret,
+      :signing_algorithm,
+      :user_attributes,
+      :user_deprovision_method,
+      :user_reprovision_method,
+      :user_schema,
+      :group_schema,
+      :group_destroy_method
+
+    def initialize
+      @basic_auth_model = "Company"
+      @scim_users_list_order = :id
+      @scim_users_model = "User"
+      @scim_groups_list_order = :id
+      @scim_groups_model = "Group"
+      @signing_algorithm = ALGO_NONE
+      @user_schema = {}
+      @user_attributes = []
+      @user_abbreviated_schema = {}
+      @group_schema = {}
+      @group_abbreviated_schema = {}
+    end
+
+    def mutable_user_attributes_schema
+      @mutable_user_attributes_schema || @user_schema
+    end
+
+    def mutable_group_attributes_schema
+      @mutable_group_attributes_schema || @group_schema
+    end
+
+    def basic_auth_model
+      @basic_auth_model.constantize
+    end
+
+    def scim_users_model
+      @scim_users_model.constantize
+    end
+
+    def scim_groups_model
+      @scim_groups_model.constantize
+    end
+  end
+end

data/lib/scim_rails/encoder.rb

@@ -0,0 +1,25 @@
+require "jwt"
+
+module ScimRails
+  module Encoder
+    extend self
+
+    def encode(company)
+      payload = {
+        iat: Time.current.to_i,
+        ScimRails.config.basic_auth_model_searchable_attribute =>
+          company.public_send(ScimRails.config.basic_auth_model_searchable_attribute)
+      }
+
+      JWT.encode(payload, ScimRails.config.signing_secret, ScimRails.config.signing_algorithm)
+    end
+
+    def decode(token)
+      verify = ScimRails.config.signing_algorithm != ScimRails::Config::ALGO_NONE
+
+      JWT.decode(token, ScimRails.config.signing_secret, verify, algorithm: ScimRails.config.signing_algorithm).first
+    rescue JWT::VerificationError, JWT::DecodeError
+      raise ScimRails::ExceptionHandler::InvalidCredentials
+    end
+  end
+end

data/lib/scim_rails/engine.rb

@@ -0,0 +1,12 @@
+module ScimRails
+  class Engine < ::Rails::Engine
+    isolate_namespace ScimRails
+
+    config.generators do |g|
+      g.test_framework :rspec, :fixture => false
+      g.fixture_replacement :factory_bot, :dir => "spec/factories"
+      g.assets false
+      g.helper false
+    end
+  end
+end

data/lib/scim_rails/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module ScimRails
+  VERSION = "0.4.1"
+end