scimaenaga 0.5.0 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b1fa2914fdf977f0496f84a023f14ba49f61c893683fd04a85ca7ea4a35c4641
-  data.tar.gz: 0c23e5d65e10a641d965e34a0cc78fc72c0c5d9e80a438ba86a1aa59f70e4360
+  metadata.gz: 6d2d55daa03a9b1e4771b1f2e1287a75075514d57faeb0075ea8784a7dd8cc9e
+  data.tar.gz: b4a38c2c629cce871703a2a1874c3be93e34d55f0d5eacadae8da9b8c5e5c438
 SHA512:
-  metadata.gz: 98e1cecc1b60630c69c78380a59492f9dd293c25b267f16d985bcb76570cac0549648781dd9d3f749713df9e40df329349f88708af1e953ec65b7b18ec560648
-  data.tar.gz: 86d28c8634b38f8af5d85d7670b27e3e7caac314dc90131cd6de9910a284a66dd7a5763ee222c0a8c5adfcafc382b4a919c082fe7f150614359c9f95d1535e59
+  metadata.gz: 43e2ec416e2f9bad5c185042aff3e6fd576437d3d9bff5ac6ad5d1f930246fa0b59b12e1940a5498e386c8c8f385a245d531907e7ab5850cc8ebc5a7c35df607
+  data.tar.gz: 284bead26bc660ca0d4cc229dd5f13102501904b7658e3e780f5ea5657eb367c52cd5399d4a29dcd20af66eee19ce4592af7defa62c2f182bb7b23f76ebe6a31

data/MIT-LICENSE

@@ -1,4 +1,5 @@
 Copyright 2018 Lessonly
+Copyright 2021 Studist Corporation
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md

@@ -2,7 +2,7 @@
 
 # Scimaenaga
 
-NOTE: This Gem is not yet fully SCIM complaint. It was developed with the main function of interfacing with Okta. There are features of SCIM that this Gem does not implement as described in the SCIM documentation or that have been left out completely.
+NOTE: This Gem is not yet fully SCIM complaint. It was developed with the main function of interfacing with Azure AD. There are features of SCIM that this Gem does not implement as described in the SCIM documentation or that have been left out completely.
 
 #### What is SCIM?
 
@@ -10,7 +10,7 @@ SCIM stands for System for Cross-domain Identity Management. At its core, it is
 
 To learn more about SCIM 2.0 you can read the documentation at [RFC 7643](https://tools.ietf.org/html/rfc7643) and [RFC 7644](https://tools.ietf.org/html/rfc7644).
 
-The goal of the Gem is to offer a relatively painless way of adding SCIM 2.0 to your app. This Gem should be fully compatible with Okta's SCIM implementation. This project is ongoing and will hopefully be fully SCIM compliant in time. Pull requests that assist in meeting that goal are welcome!
+The goal of the Gem is to offer a relatively painless way of adding SCIM 2.0 to your app. This Gem should be fully compatible with Azure AD's SCIM implementation. This project is ongoing and will hopefully be fully SCIM compliant in time. Pull requests that assist in meeting that goal are welcome!
 
 ## Installation
 
@@ -236,18 +236,6 @@ Sample request:
 $ curl -X PUT 'http://username:password@localhost:3000/scim/v2/Users/1' -d '{"schemas":["urn:ietf:params:scim:schemas:core:2.0:User"],"userName":"test@example.com","name":{"givenName":"Test","familyName":"User"},"emails":[{"primary":true,"value":"test@example.com","type":"work"}],"displayName":"Test User","active":true}' -H 'Content-Type: application/scim+json'
 ```
 
-### Deprovision / Reprovision
-
-The PATCH request was implemented to work with Okta. Okta updates profiles with PUT and deprovisions / reprovisions with PATCH. This implementation of PATCH is not SCIM compliant as it does not update a single attribute on the user profile but instead only sends a status update request to the record.
-
-We would like to implement PATCH to be fully SCIM compliant in future releases.
-
-Sample request:
-
-```bash
-$ curl -X PATCH 'http://username:password@localhost:3000/scim/v2/Users/1' -d '{"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], "Operations": [{"op": "replace", "value": { "active": false }}]}' -H 'Content-Type: application/scim+json'
-```
-
 ### Error Handling
 
 By default, scimaenaga will output any unhandled exceptions to your configured rails logs.

data/app/controllers/concerns/scim_rails/exception_handler.rb

@@ -7,6 +7,9 @@ module ScimRails
     class InvalidCredentials < StandardError
     end
 
+    class InvalidRequest < StandardError
+    end
+
     class InvalidQuery < StandardError
     end
 
@@ -16,6 +19,12 @@ module ScimRails
     class UnsupportedDeleteRequest < StandardError
     end
 
+    class InvalidConfiguration < StandardError
+    end
+
+    class UnexpectedError < StandardError
+    end
+
     included do
       if Rails.env.production?
         rescue_from StandardError do |exception|
@@ -47,6 +56,17 @@ module ScimRails
         )
       end
 
+      rescue_from ScimRails::ExceptionHandler::InvalidRequest do |e|
+        json_response(
+          {
+            schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
+            detail: "Invalid request. #{e.message}",
+            status: "400"
+          },
+          :bad_request
+        )
+      end
+
       rescue_from ScimRails::ExceptionHandler::InvalidQuery do
         json_response(
           {
@@ -63,7 +83,7 @@ module ScimRails
         json_response(
           {
             schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
-            detail: "Invalid PATCH request. This PATCH endpoint only supports deprovisioning and reprovisioning records.",
+            detail: "Invalid PATCH request.",
             status: "422"
           },
           :unprocessable_entity
@@ -81,6 +101,28 @@ module ScimRails
         )
       end
 
+      rescue_from ScimRails::ExceptionHandler::InvalidConfiguration do |e|
+        json_response(
+          {
+            schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
+            detail: "Invalid configuration. #{e.message}",
+            status: "500"
+          },
+          :internal_server_error
+        )
+      end
+
+      rescue_from ScimRails::ExceptionHandler::UnexpectedError do |e|
+        json_response(
+          {
+            schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
+            detail: "Unexpected Error. #{e.message}",
+            status: "500"
+          },
+          :internal_server_error
+        )
+      end
+
       rescue_from ActiveRecord::RecordNotFound do |e|
         json_response(
           {

data/app/controllers/scim_rails/scim_groups_controller.rb

@@ -9,17 +9,19 @@ module ScimRails
         )
 
         groups = @company
-          .public_send(ScimRails.config.scim_groups_scope)
-          .where(
-            "#{ScimRails.config.scim_groups_model.connection.quote_column_name(query.attribute)} #{query.operator} ?",
-            query.parameter
-          )
-          .order(ScimRails.config.scim_groups_list_order)
+                 .public_send(ScimRails.config.scim_groups_scope)
+                 .where(
+                   "#{ScimRails.config.scim_groups_model
+                               .connection.quote_column_name(query.attribute)}
+                               #{query.operator} ?",
+                   query.parameter
+                 )
+                 .order(ScimRails.config.scim_groups_list_order)
       else
         groups = @company
-          .public_send(ScimRails.config.scim_groups_scope)
-          .preload(:users)
-          .order(ScimRails.config.scim_groups_list_order)
+                 .public_send(ScimRails.config.scim_groups_scope)
+                 .preload(:users)
+                 .order(ScimRails.config.scim_groups_list_order)
       end
 
       counts = ScimCount.new(
@@ -33,64 +35,86 @@ module ScimRails
 
     def show
       group = @company
-        .public_send(ScimRails.config.scim_groups_scope)
-        .find(params[:id])
+              .public_send(ScimRails.config.scim_groups_scope)
+              .find(params[:id])
       json_scim_response(object: group)
     end
 
     def create
       group = @company
-        .public_send(ScimRails.config.scim_groups_scope)
-        .create!(permitted_group_params)
+              .public_send(ScimRails.config.scim_groups_scope)
+              .create!(permitted_group_params)
 
       json_scim_response(object: group, status: :created)
     end
 
     def put_update
       group = @company
-        .public_send(ScimRails.config.scim_groups_scope)
-        .find(params[:id])
+              .public_send(ScimRails.config.scim_groups_scope)
+              .find(params[:id])
       group.update!(permitted_group_params)
       json_scim_response(object: group)
     end
 
+    def patch_update
+      group = @company
+              .public_send(ScimRails.config.scim_groups_scope)
+              .find(params[:id])
+      patch = ScimPatch.new(params, ScimRails.config.mutable_group_attributes_schema)
+      patch.save(group)
+
+      json_scim_response(object: group)
+    end
+
     def destroy
       unless ScimRails.config.group_destroy_method
-        raise ScimRails::ExceptionHandler::UnsupportedDeleteRequest
+        raise ScimRails::ExceptionHandler::InvalidConfiguration
       end
+
       group = @company
-        .public_send(ScimRails.config.scim_groups_scope)
-        .find(params[:id])
-      group.public_send(ScimRails.config.group_destroy_method)
+              .public_send(ScimRails.config.scim_groups_scope)
+              .find(params[:id])
+      raise ActiveRecord::RecordNotFound unless group
+
+      begin
+        group.public_send(ScimRails.config.group_destroy_method)
+      rescue NoMethodError => e
+        raise ScimRails::ExceptionHandler::InvalidConfiguration, e.message
+      rescue ActiveRecord::RecordNotDestroyed => e
+        raise ScimRails::ExceptionHandler::InvalidRequest, e.message
+      rescue => e
+        raise ScimRails::ExceptionHandler::UnexpectedError, e.message
+      end
+
       head :no_content
     end
 
     private
 
-    def permitted_group_params
-      converted = mutable_attributes.each.with_object({}) do |attribute, hash|
-        hash[attribute] = find_value_for(attribute)
-      end
-      return converted unless params[:members]
+      def permitted_group_params
+        converted = mutable_attributes.each.with_object({}) do |attribute, hash|
+          hash[attribute] = find_value_for(attribute)
+        end
+        return converted unless params[:members]
 
-      converted.merge(member_params)
-    end
+        converted.merge(member_params)
+      end
 
-    def member_params
-      {
-        ScimRails.config.group_member_relation_attribute =>
-          params[:members].map do |member|
-            member[ScimRails.config.group_member_relation_schema.keys.first]
-          end
-      }
-    end
+      def member_params
+        {
+          ScimRails.config.group_member_relation_attribute =>
+            params[:members].map do |member|
+              member[ScimRails.config.group_member_relation_schema.keys.first]
+            end,
+        }
+      end
 
-    def mutable_attributes
-      ScimRails.config.mutable_group_attributes
-    end
+      def mutable_attributes
+        ScimRails.config.mutable_group_attributes
+      end
 
-    def controller_schema
-      ScimRails.config.mutable_group_attributes_schema
-    end
+      def controller_schema
+        ScimRails.config.mutable_group_attributes_schema
+      end
   end
 end

data/app/controllers/scim_rails/scim_users_controller.rb

@@ -1,9 +1,9 @@
 # frozen_string_literal: true
 
 module ScimRails
-  class ScimUsersController < ScimRails::ApplicationController # rubocop:disable Metrics/ClassLength
-    # rubocop:disable Metrics/AbcSize
-    # rubocop:disable Metrics/MethodLength
+  class ScimUsersController < ScimRails::ApplicationController
+
+
     def index
       if params[:filter].present?
         query = ScimRails::ScimQueryParser.new(
@@ -11,17 +11,17 @@ module ScimRails
         )
 
         users = @company
-          .public_send(ScimRails.config.scim_users_scope)
-          .where(
-            "#{ScimRails.config.scim_users_model
+                .public_send(ScimRails.config.scim_users_scope)
+                .where(
+                  "#{ScimRails.config.scim_users_model
               .connection.quote_column_name(query.attribute)} #{query.operator} ?",
-            query.parameter
-          )
-          .order(ScimRails.config.scim_users_list_order)
+                  query.parameter
+                )
+                .order(ScimRails.config.scim_users_list_order)
       else
         users = @company
-          .public_send(ScimRails.config.scim_users_scope)
-          .order(ScimRails.config.scim_users_list_order)
+                .public_send(ScimRails.config.scim_users_scope)
+                .order(ScimRails.config.scim_users_list_order)
       end
 
       counts = ScimCount.new(
@@ -36,22 +36,21 @@ module ScimRails
     def create
       if ScimRails.config.scim_user_prevent_update_on_create
         user = @company
-          .public_send(ScimRails.config.scim_users_scope)
-          .create!(permitted_user_params)
+               .public_send(ScimRails.config.scim_users_scope)
+               .create!(permitted_user_params)
       else
         username_key = ScimRails.config.queryable_user_attributes[:userName]
         find_by_username = {}
         find_by_username[username_key] = permitted_user_params[username_key]
         user = @company
-          .public_send(ScimRails.config.scim_users_scope)
-          .find_or_create_by(find_by_username)
+               .public_send(ScimRails.config.scim_users_scope)
+               .find_or_create_by(find_by_username)
         user.update!(permitted_user_params)
       end
-      update_status(user) unless put_active_param.nil?
       json_scim_response(object: user, status: :created)
     end
-    # rubocop:enable Metrics/AbcSize
-    # rubocop:enable Metrics/MethodLength
+
+
 
     def show
       user = @company.public_send(ScimRails.config.scim_users_scope).find(params[:id])
@@ -60,7 +59,6 @@ module ScimRails
 
     def put_update
       user = @company.public_send(ScimRails.config.scim_users_scope).find(params[:id])
-      update_status(user) unless put_active_param.nil?
       user.update!(permitted_user_params)
       json_scim_response(object: user)
     end
@@ -68,13 +66,32 @@ module ScimRails
     def patch_update
       user = @company.public_send(ScimRails.config.scim_users_scope).find(params[:id])
       patch = ScimPatch.new(params, ScimRails.config.mutable_user_attributes_schema)
-      patch.apply(user)
-      user.save
+      patch.save(user)
 
-      # update_status(user)
       json_scim_response(object: user)
     end
 
+    def destroy
+      unless ScimRails.config.user_destroy_method
+        raise ScimRails::ExceptionHandler::InvalidConfiguration
+      end
+
+      user = @company.public_send(ScimRails.config.scim_users_scope).find(params[:id])
+      raise ActiveRecord::RecordNotFound unless user
+
+      begin
+        user.public_send(ScimRails.config.user_destroy_method)
+      rescue NoMethodError => e
+        raise ScimRails::ExceptionHandler::InvalidConfiguration, e.message
+      rescue ActiveRecord::RecordNotDestroyed => e
+        raise ScimRails::ExceptionHandler::InvalidRequest, e.message
+      rescue => e
+        raise ScimRails::ExceptionHandler::UnexpectedError, e.message
+      end
+
+      head :no_content
+    end
+
     private
 
       def permitted_user_params
@@ -86,48 +103,5 @@ module ScimRails
       def controller_schema
         ScimRails.config.mutable_user_attributes_schema
       end
-
-      def update_status(user)
-        user.public_send(ScimRails.config.user_reprovision_method) if active?
-        user.public_send(ScimRails.config.user_deprovision_method) unless active?
-      end
-
-      def active?
-        active = put_active_param
-        active = patch_active_param if active.nil?
-
-        case active
-        when true, "true", 1
-          true
-        when false, "false", 0
-          false
-        else
-          raise ActiveRecord::RecordInvalid
-        end
-      end
-
-      def put_active_param
-        params[:active]
-      end
-
-      def patch_active_param
-        handle_invalid = lambda do
-          raise ScimRails::ExceptionHandler::UnsupportedPatchRequest
-        end
-
-        operations = params["Operations"] || {}
-
-        valid_operation = operations.find(handle_invalid) do |operation|
-          valid_patch_operation?(operation)
-        end
-
-        valid_operation.dig("value", "active")
-      end
-
-      def valid_patch_operation?(operation)
-        operation["op"].casecmp("replace") &&
-          operation["value"] &&
-          [true, false].include?(operation["value"]["active"])
-      end
   end
 end

data/app/libraries/scim_patch.rb

@@ -5,24 +5,29 @@ class ScimPatch
   attr_accessor :operations
 
   def initialize(params, mutable_attributes_schema)
-    # FIXME: raise proper error.
-    unless params["schemas"] == ["urn:ietf:params:scim:api:messages:2.0:PatchOp"]
-      raise StandardError
+    unless params['schemas'] == ['urn:ietf:params:scim:api:messages:2.0:PatchOp']
+      raise ScimRails::ExceptionHandler::UnsupportedPatchRequest
     end
-    if params["Operations"].nil?
+    if params['Operations'].nil?
       raise ScimRails::ExceptionHandler::UnsupportedPatchRequest
     end
 
-    @operations = params["Operations"].map do |operation|
-      ScimPatchOperation.new(operation["op"], operation["path"], operation["value"],
+    @operations = params['Operations'].map do |operation|
+      ScimPatchOperation.new(operation['op'], operation['path'], operation['value'],
                              mutable_attributes_schema)
     end
   end
 
-  def apply(model)
-    @operations.each do |operation|
-      operation.apply(model)
+  def save(model)
+    model.transaction do
+      @operations.each do |operation|
+        operation.save(model)
+      end
+      model.save! if model.changed?
     end
-    model
+  rescue ActiveRecord::RecordNotFound
+    raise
+  rescue StandardError
+    raise ScimRails::ExceptionHandler::UnsupportedPatchRequest
   end
 end

data/app/libraries/scim_patch_operation.rb

@@ -2,38 +2,126 @@
 
 # Parse One of "Operations" in PATCH request
 class ScimPatchOperation
-  attr_accessor :op, :path_scim, :path_sp, :value
+
+  # 1 Operation means 1 attribute change
+  # If 1 value is specified, @operations has 1 "Operation" struct.
+  # If 3 value is specified, @operations has 3 "Operation" struct.
+  attr_accessor :operations
+
+  Operation = Struct.new('Operation', :op, :path_scim, :path_sp, :value)
 
   def initialize(op, path, value, mutable_attributes_schema)
-    # FIXME: Raise proper Error
-    raise StandardError unless op.downcase.in? %w[add replace remove]
-
-    # No path is not supported.
-    # FIXME: Raise proper Error
-    raise ScimRails::ExceptionHandler::UnsupportedPatchRequest if path.nil?
-    raise ScimRails::ExceptionHandler::UnsupportedPatchRequest if value.nil?
-
-    @op = op.downcase.to_sym
-    @path_scim = path
-    @path_sp = convert_path(path, mutable_attributes_schema)
-    @value = value
+    op_downcase = op.downcase
+
+    unless op_downcase.in? %w[add replace remove]
+      raise ScimRails::ExceptionHandler::UnsupportedPatchRequest
+    end
+
+    @operations = []
+
+    # To handle request pattern A and B in the same way,
+    # convert complex-value to path + single-value
+    #
+    # pattern A
+    # {
+    #   "op": "replace",
+    #   "value": {
+    #       "displayName": "Suzuki Taro",
+    #       "name.givenName": "taro"
+    #   }
+    # }
+    # => [{path: displayName, value: "Suzuki Taro"}, {path: name.givenName, value: "taro"}]
+    #
+    # pattern B
+    # [
+    #   {
+    #     "op": "replace",
+    #     "path": "displayName"
+    #     "value": "Suzuki Taro",
+    #   },
+    #   {
+    #     "op": "replace",
+    #     "path": "name.givenNAme"
+    #     "value": "taro",
+    #   },
+    # ]
+    if value.instance_of?(Hash) || value.instance_of?(ActionController::Parameters)
+      create_multiple_operations(op_downcase, path, value, mutable_attributes_schema)
+    else
+      create_operation(op_downcase, path, value, mutable_attributes_schema)
+    end
   end
 
-  # WIP
-  def apply(model)
-    case @op
-    when :add
-      model.attributes = { @path_sp => @value }
-    when :replace
-      model.attributes = { @path_sp => @value }
-    when :remove
-      model.attributes = { @path_sp => nil }
+  def save(model)
+    @operations.each do |operation|
+      apply_operation(model, operation)
     end
   end
 
   private
 
+    def apply_operation(model, operation)
+      if operation.path_scim == 'members' # Only members are supported for value is an array
+        update_member_ids = operation.value.map do |v|
+          v[ScimRails.config.group_member_relation_schema.keys.first].to_s
+        end
+
+        current_member_ids = model.public_send(
+          ScimRails.config.group_member_relation_attribute
+        ).map(&:to_s)
+        case operation.op
+        when :add
+          member_ids = current_member_ids.concat(update_member_ids)
+        when :replace
+          member_ids = current_member_ids.concat(update_member_ids)
+        when :remove
+          member_ids = current_member_ids - update_member_ids
+        end
+
+        # Only the member addition process is saved by each ids
+        model.public_send("#{ScimRails.config.group_member_relation_attribute}=",
+                          member_ids.uniq)
+        return
+      end
+
+      case operation.op
+      when :add, :replace
+        model.attributes = { operation.path_sp => operation.value }
+      when :remove
+        model.attributes = { operation.path_sp => nil }
+      end
+    end
+
+    def create_operation(op, path_scim, value, mutable_attributes_schema)
+      path_sp = convert_path(path_scim, mutable_attributes_schema)
+      value = convert_bool_if_string(value, path_scim)
+      @operations << Operation.new(op.to_sym, path_scim, path_sp, value)
+    end
+
+    # convert hash value to 1 path + 1 value
+    # each path is created by path_scim_base + key of value
+    def create_multiple_operations(op, path_scim_base, hash_value, mutable_attributes_schema)
+      hash_value.each do |k, v|
+        # Typical request is path_scim_base = nil and value = complex-value:
+        # {
+        #   "op": "replace",
+        #   "value": {
+        #       "displayName": "Taro Suzuki",
+        #       "name.givenName": "taro"
+        #   }
+        # }
+        path_scim = if path_scim_base.present?
+                      "#{path_scim_base}.#{k}"
+                    else
+                      k
+                    end
+        create_operation(op, path_scim, v, mutable_attributes_schema)
+      end
+    end
+
     def convert_path(path, mutable_attributes_schema)
+      return nil if path.nil?
+
       # For now, library does not support Multi-Valued Attributes properly.
       # examle:
       #   path = 'emails[type eq "work"].value'
@@ -47,9 +135,24 @@ class ScimPatchOperation
       #
       #   Library ignores filter conditions (like [type eq "work"])
       #   and always uses the first element of the array
-      dig_keys = path.gsub(/\[(.+?)\]/, ".0").split(".").map do |step|
-        step == "0" ? 0 : step.to_sym
+      dig_keys = path.gsub(/\[(.+?)\]/, '.0').split('.').map do |step|
+        step == '0' ? 0 : step.to_sym
       end
       mutable_attributes_schema.dig(*dig_keys)
     end
+
+    def convert_bool_if_string(value, path)
+      # This method correct value in requests from Azure AD according to SCIM.
+      # When path is not active, do nothing and return
+      return value if path != 'active'
+
+      case value
+      when 'true', 'True'
+        return true
+      when 'false', 'False'
+        return false
+      else
+        return value
+      end
+    end
 end

data/app/models/scim_rails/scim_query_parser.rb

@@ -5,7 +5,7 @@ module ScimRails
     attr_accessor :query_elements, :query_attributes
 
     def initialize(query_string, queryable_attributes)
-      self.query_elements = query_string.split
+      self.query_elements = query_string.gsub(/\[(.+?)\]/, ".0").split
       self.query_attributes = queryable_attributes
     end
 
@@ -13,9 +13,11 @@ module ScimRails
       attribute = query_elements[0]
       raise ScimRails::ExceptionHandler::InvalidQuery if attribute.blank?
 
-      attribute = attribute.to_sym
+      dig_keys = attribute.split(".").map do |step|
+        step == "0" ? 0 : step.to_sym
+      end
 
-      mapped_attribute = query_attributes[attribute]
+      mapped_attribute = query_attributes.dig(*dig_keys)
       raise ScimRails::ExceptionHandler::InvalidQuery if mapped_attribute.blank?
 
       mapped_attribute