scimaenaga 0.6.1 → 0.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 348227d90785d1980e12b0f2d6ff1c71a6861761a4b35c5c10b5147894f949de
-  data.tar.gz: 8bc3cfb0ba591b1eff717044b91c9db4d34f9fbc13285d234bf526a52be8ce48
+  metadata.gz: 58fc798213cd88360e3f55430717995ad195c6bac873128907233e82261fa4b1
+  data.tar.gz: 5e0e88484123fb42ffd42e1174439c88773615b4be4b1c8aa2e3f7eb38f7b8c3
 SHA512:
-  metadata.gz: d1ed9e73ffc03e6362f2bd498ad37f5f4a915a7fd09c64470700ee729e8baec062a43e91f1f6a937f37fec325533351fc12bd1d2f1e2b5f067efd5c5c209871d
-  data.tar.gz: a7810a0c341f779cb8be98213d3c9eb6d5ac98669b5dea67e389bec787a3f65a8ed1e378a005e3d0415d0b7563f49fa0cf3dafdda2917220c92d38ce3a7c65d0
+  metadata.gz: 66e68eba027f29f0f87bb94c339356c9b6bb5dce37561f1a9f35a96fd8d34d8fc2f7fbb7d0901106b2cf66fdc7fef18cf3861c593c6795c68834e8d67793ba32
+  data.tar.gz: 6809bbeab71b8cb0bf645ecdca6819c43e2bbfa5bf26936b8772a28fdace71b47c63b1211c5454033168b8812b4ba249c7ae0423c6a1b047faafb16b6caf69ee

data/README.md

@@ -250,6 +250,21 @@ ScimRails.configure do |config|
 end
 ```
 
+### Schemas endpoint
+
+If you need Schemas endpoint configure `schemas`.
+(Azure AD requires Schemas endpoint when registering to Application Gallery.)
+
+You have to configure `schemas` as
+- corresponding with other configurations.
+e.g.) When `userName` is defined in `mutable_user_attributes`, configure `userName` as `mutability: 'readWrite'`.
+
+- corresponding with your model.
+e.g.) When `userName` must be specified configure `userName` as `required: true`
+
+Sample config (with comment) is written in lib/generators/scim_rails/templates/initializer.rb.
+For more details, read [Schema Definition](https://datatracker.ietf.org/doc/html/rfc7643#section-7), and [Schema Representation](https://datatracker.ietf.org/doc/html/rfc7643#section-8.7)
+
 ## Contributing
 
 ### [Code of Conduct](https://github.com/StudistCorporation/scimaenaga/blob/master/CODE_OF_CONDUCT.md)

data/app/controllers/concerns/scim_rails/exception_handler.rb

@@ -7,6 +7,9 @@ module ScimRails
     class InvalidCredentials < StandardError
     end
 
+    class InvalidRequest < StandardError
+    end
+
     class InvalidQuery < StandardError
     end
 
@@ -16,6 +19,21 @@ module ScimRails
     class UnsupportedDeleteRequest < StandardError
     end
 
+    class InvalidConfiguration < StandardError
+    end
+
+    class UnexpectedError < StandardError
+    end
+
+    class ResourceNotFound < StandardError
+      attr_reader :id
+
+      def initialize(id)
+        super
+        @id = id
+      end
+    end
+
     included do
       if Rails.env.production?
         rescue_from StandardError do |exception|
@@ -28,8 +46,8 @@ module ScimRails
 
           json_response(
             {
-              schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
-              status: "500"
+              schemas: ['urn:ietf:params:scim:api:messages:2.0:Error'],
+              status: '500',
             },
             :internal_server_error
           )
@@ -39,21 +57,32 @@ module ScimRails
       rescue_from ScimRails::ExceptionHandler::InvalidCredentials do
         json_response(
           {
-            schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
-            detail: "Authorization failure. The authorization header is invalid or missing.",
-            status: "401"
+            schemas: ['urn:ietf:params:scim:api:messages:2.0:Error'],
+            detail: 'Authorization failure. The authorization header is invalid or missing.',
+            status: '401',
           },
           :unauthorized
         )
       end
 
+      rescue_from ScimRails::ExceptionHandler::InvalidRequest do |e|
+        json_response(
+          {
+            schemas: ['urn:ietf:params:scim:api:messages:2.0:Error'],
+            detail: "Invalid request. #{e.message}",
+            status: '400',
+          },
+          :bad_request
+        )
+      end
+
       rescue_from ScimRails::ExceptionHandler::InvalidQuery do
         json_response(
           {
-            schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
-            scimType: "invalidFilter",
-            detail: "The specified filter syntax was invalid, or the specified attribute and filter comparison combination is not supported.",
-            status: "400"
+            schemas: ['urn:ietf:params:scim:api:messages:2.0:Error'],
+            scimType: 'invalidFilter',
+            detail: 'The specified filter syntax was invalid, or the specified attribute and filter comparison combination is not supported.',
+            status: '400',
           },
           :bad_request
         )
@@ -62,9 +91,9 @@ module ScimRails
       rescue_from ScimRails::ExceptionHandler::UnsupportedPatchRequest do
         json_response(
           {
-            schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
-            detail: "Invalid PATCH request. This PATCH endpoint only supports deprovisioning and reprovisioning records.",
-            status: "422"
+            schemas: ['urn:ietf:params:scim:api:messages:2.0:Error'],
+            detail: 'Invalid PATCH request.',
+            status: '422',
           },
           :unprocessable_entity
         )
@@ -73,20 +102,43 @@ module ScimRails
       rescue_from ScimRails::ExceptionHandler::UnsupportedDeleteRequest do
         json_response(
           {
-            schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
-            detail: "Delete operation is disabled for the requested resource.",
-            status: "501"
+            schemas: ['urn:ietf:params:scim:api:messages:2.0:Error'],
+            detail: 'Delete operation is disabled for the requested resource.',
+            status: '501',
           },
           :not_implemented
         )
       end
 
-      rescue_from ActiveRecord::RecordNotFound do |e|
+      rescue_from ScimRails::ExceptionHandler::InvalidConfiguration do |e|
+        json_response(
+          {
+            schemas: ['urn:ietf:params:scim:api:messages:2.0:Error'],
+            detail: "Invalid configuration. #{e.message}",
+            status: '500',
+          },
+          :internal_server_error
+        )
+      end
+
+      rescue_from ScimRails::ExceptionHandler::UnexpectedError do |e|
+        json_response(
+          {
+            schemas: ['urn:ietf:params:scim:api:messages:2.0:Error'],
+            detail: "Unexpected Error. #{e.message}",
+            status: '500',
+          },
+          :internal_server_error
+        )
+      end
+
+      rescue_from ActiveRecord::RecordNotFound,
+                  ScimRails::ExceptionHandler::ResourceNotFound do |e|
         json_response(
           {
-            schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
+            schemas: ['urn:ietf:params:scim:api:messages:2.0:Error'],
             detail: "Resource #{e.id} not found.",
-            status: "404"
+            status: '404',
           },
           :not_found
         )
@@ -97,18 +149,18 @@ module ScimRails
         when /has already been taken/
           json_response(
             {
-              schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
+              schemas: ['urn:ietf:params:scim:api:messages:2.0:Error'],
               detail: e.message,
-              status: "409"
+              status: '409',
             },
             :conflict
           )
         else
           json_response(
             {
-              schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
+              schemas: ['urn:ietf:params:scim:api:messages:2.0:Error'],
               detail: e.message,
-              status: "422"
+              status: '422',
             },
             :unprocessable_entity
           )

data/app/controllers/scim_rails/scim_groups_controller.rb

@@ -60,7 +60,7 @@ module ScimRails
       group = @company
               .public_send(ScimRails.config.scim_groups_scope)
               .find(params[:id])
-      patch = ScimPatch.new(params, ScimRails.config.mutable_group_attributes_schema)
+      patch = ScimPatch.new(params, :group)
       patch.save(group)
 
       json_scim_response(object: group)
@@ -68,13 +68,24 @@ module ScimRails
 
     def destroy
       unless ScimRails.config.group_destroy_method
-        raise ScimRails::ExceptionHandler::UnsupportedDeleteRequest
+        raise ScimRails::ExceptionHandler::InvalidConfiguration
       end
 
       group = @company
               .public_send(ScimRails.config.scim_groups_scope)
               .find(params[:id])
-      group.public_send(ScimRails.config.group_destroy_method)
+      raise ActiveRecord::RecordNotFound unless group
+
+      begin
+        group.public_send(ScimRails.config.group_destroy_method)
+      rescue NoMethodError => e
+        raise ScimRails::ExceptionHandler::InvalidConfiguration, e.message
+      rescue ActiveRecord::RecordNotDestroyed => e
+        raise ScimRails::ExceptionHandler::InvalidRequest, e.message
+      rescue => e
+        raise ScimRails::ExceptionHandler::UnexpectedError, e.message
+      end
+
       head :no_content
     end
 

data/app/controllers/scim_rails/scim_schemas_controller.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module ScimRails
+  class ScimSchemasController < ScimRails::ApplicationController
+    def index
+      schemas = ScimRails.config.schemas
+
+      counts = ScimCount.new(
+        start_index: params[:startIndex],
+        limit: params[:count],
+        total: schemas.count
+      )
+
+      list_schemas_response(schemas, counts)
+    end
+
+    def show
+      schema = ScimRails.config.schemas.find do |s|
+        s[:id] == params[:id]
+      end
+
+      raise ScimRails::ExceptionHandler::ResourceNotFound, params[:id] if schema.nil?
+
+      json_response(schema)
+    end
+
+    private
+
+      def list_schemas_response(schemas, counts)
+        response = {
+          schemas: [
+            'urn:ietf:params:scim:api:messages:2.0:ListResponse'
+          ],
+          totalResults: counts.total,
+          startIndex: counts.start_index,
+          itemsPerPage: counts.limit,
+          Resources: schemas[counts.offset...counts.offset + counts.limit],
+        }
+        json_response(response)
+      end
+  end
+end

data/app/controllers/scim_rails/scim_users_controller.rb

@@ -3,7 +3,6 @@
 module ScimRails
   class ScimUsersController < ScimRails::ApplicationController
 
-
     def index
       if params[:filter].present?
         query = ScimRails::ScimQueryParser.new(
@@ -50,8 +49,6 @@ module ScimRails
       json_scim_response(object: user, status: :created)
     end
 
-
-
     def show
       user = @company.public_send(ScimRails.config.scim_users_scope).find(params[:id])
       json_scim_response(object: user)
@@ -65,12 +62,33 @@ module ScimRails
 
     def patch_update
       user = @company.public_send(ScimRails.config.scim_users_scope).find(params[:id])
-      patch = ScimPatch.new(params, ScimRails.config.mutable_user_attributes_schema)
+      patch = ScimPatch.new(params, :user)
       patch.save(user)
 
       json_scim_response(object: user)
     end
 
+    def destroy
+      unless ScimRails.config.user_destroy_method
+        raise ScimRails::ExceptionHandler::InvalidConfiguration
+      end
+
+      user = @company.public_send(ScimRails.config.scim_users_scope).find(params[:id])
+      raise ActiveRecord::RecordNotFound unless user
+
+      begin
+        user.public_send(ScimRails.config.user_destroy_method)
+      rescue NoMethodError => e
+        raise ScimRails::ExceptionHandler::InvalidConfiguration, e.message
+      rescue ActiveRecord::RecordNotDestroyed => e
+        raise ScimRails::ExceptionHandler::InvalidRequest, e.message
+      rescue => e
+        raise ScimRails::ExceptionHandler::UnexpectedError, e.message
+      end
+
+      head :no_content
+    end
+
     private
 
       def permitted_user_params

data/app/libraries/scim_patch.rb

@@ -4,18 +4,24 @@
 class ScimPatch
   attr_accessor :operations
 
-  def initialize(params, mutable_attributes_schema)
-    # FIXME: raise proper error.
-    unless params['schemas'] == ['urn:ietf:params:scim:api:messages:2.0:PatchOp']
-      raise StandardError
-    end
-    if params['Operations'].nil?
+  def initialize(params, resource_type)
+    if params['schemas'] != ['urn:ietf:params:scim:api:messages:2.0:PatchOp'] ||
+       params['Operations'].nil?
       raise ScimRails::ExceptionHandler::UnsupportedPatchRequest
     end
 
-    @operations = params['Operations'].map do |operation|
-      ScimPatchOperation.new(operation['op'], operation['path'], operation['value'],
-                             mutable_attributes_schema)
+    # complex-value(Hash) operation is converted to multiple single-value operations
+    converted_operations = ScimPatchOperationConverter.convert(params['Operations'])
+    @operations = converted_operations.map do |o|
+      create_operation(resource_type, o['op'], o['path'], o['value'])
+    end
+  end
+
+  def create_operation(resource_type, op, path, value)
+    if resource_type == :user
+      ScimPatchOperationUser.new(op, path, value)
+    else
+      ScimPatchOperationGroup.new(op, path, value)
     end
   end
 

data/app/libraries/scim_patch_operation.rb

@@ -2,88 +2,67 @@
 
 # Parse One of "Operations" in PATCH request
 class ScimPatchOperation
-  attr_accessor :op, :path_scim, :path_sp, :value
+  attr_reader :op, :path_scim, :path_sp, :value
 
-  def initialize(op, path, value, mutable_attributes_schema)
-    # FIXME: Raise proper Error
-    raise StandardError unless op.downcase.in? %w[add replace remove]
-
-    # No path is not supported.
-    # FIXME: Raise proper Error
-    raise ScimRails::ExceptionHandler::UnsupportedPatchRequest if path.nil?
-    raise ScimRails::ExceptionHandler::UnsupportedPatchRequest if value.nil?
-
-    @op = op.downcase.to_sym
-    @path_scim = path
-    @path_sp = convert_path(path, mutable_attributes_schema)
-    @value = convert_bool_if_string(value, @path_scim)
-  end
-
-  def save(model)
-    if @path_scim == 'members' # Only members are supported for value is an array
-      update_member_ids = @value.map do |v|
-        v[ScimRails.config.group_member_relation_schema.keys.first]
-      end
+  # path presence is guaranteed by ScimPatchOperationConverter
+  #
+  # value must be String or Array.
+  # complex-value(Hash) is converted to multiple single-value operations by ScimPatchOperationConverter
+  def initialize(op, path, value)
+    if !op.in?(%w[add replace remove]) || path.nil?
+      raise ScimRails::ExceptionHandler::UnsupportedPatchRequest
+    end
 
-      current_member_ids = model
-                           .public_send(ScimRails.config.group_member_relation_attribute)
-      case @op
-      when :add
-        member_ids = current_member_ids.concat(update_member_ids)
-      when :replace
-        member_ids = current_member_ids.concat(update_member_ids)
-      when :remove
-        member_ids = current_member_ids - update_member_ids
-      end
+    # define validate method in the inherited class
+    validate(op, path, value)
 
-      # Only the member addition process is saved by each ids
-      model.public_send("#{ScimRails.config.group_member_relation_attribute}=",
-                        member_ids.uniq)
-      return
-    end
+    @op = op
+    @value = value
+    @path_scim = parse_path_scim(path)
+    @path_sp = path_scim_to_path_sp(@path_scim)
 
-    case @op
-    when :add, :replace
-      model.attributes = { @path_sp => @value }
-    when :remove
-      model.attributes = { @path_sp => nil }
-    end
+    # define parse method in the inherited class
   end
 
   private
 
-    def convert_path(path, mutable_attributes_schema)
-      # For now, library does not support Multi-Valued Attributes properly.
-      # examle:
-      #   path = 'emails[type eq "work"].value'
-      #   mutable_attributes_schema = {
-      #     emails: [
-      #       {
-      #         value: :mail_address,
-      #      }
-      #     ],
-      #   }
+    def parse_path_scim(path)
+      # 'emails[type eq "work"].value' is parsed as follows:
       #
-      #   Library ignores filter conditions (like [type eq "work"])
-      #   and always uses the first element of the array
-      dig_keys = path.gsub(/\[(.+?)\]/, '.0').split('.').map do |step|
-        step == '0' ? 0 : step.to_sym
-      end
-      mutable_attributes_schema.dig(*dig_keys)
-    end
+      # {
+      #   attribute: 'emails',
+      #   filter: {
+      #     attribute: 'type',
+      #     operator: 'eq',
+      #     parameter: 'work'
+      #   },
+      #   rest_path: ['value']
+      # }
+      #
+      # This method suport only single operator
 
-    def convert_bool_if_string(value, path)
-      # This method correct value in requests from Azure AD according to SCIM.
-      # When path is not active, do nothing and return
-      return value if path != 'active'
+      # path: emails.value
+      # filter_string: type eq "work"
+      path_str = path.dup
+      filter_string = path_str.slice!(/\[(.+?)\]/, 0)&.slice(/\[(.+?)\]/, 1)
 
-      case value
-      when 'true', 'True' then
-        return true
-      when 'false', 'False' then
-        return false
-      else
-        return value
+      # path_elements: ['emails', 'value']
+      path_elements = path_str.split('.')
+
+      # filter_elements: ['type', 'eq', '"work"']
+      filter_elements = filter_string&.split(' ')
+      path_scim = { attribute: path_elements[0],
+                    rest_path: path_elements.slice(1...path_elements.length), }
+      if filter_elements.present?
+        path_scim[:filter] = {
+          attribute: filter_elements[0],
+          operator: filter_elements[1],
+          # delete double quotation
+          parameter: filter_elements[2].slice(1...filter_elements[2].length - 1),
+        }
       end
+
+      path_scim
     end
+
 end

data/app/libraries/scim_patch_operation_converter.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+# 1. Convert each multi-value operation to single-value operations.
+# 2. Fix wrong "value".
+# 3. convert "op" to lower case
+#
+# About #1
+# to handle request pattern A and B in the same way,
+# convert complex-value to path + single-value
+#
+# Typical request is path_base = nil and value = complex-value:
+# {
+#   "op": "replace",
+#   "value": {
+#       "displayName": "Taro Suzuki",
+#       "name.givenName": "taro"
+#   }
+# }
+#
+# This request is converted to:
+# [
+#   {
+#     "op": "replace",
+#     "path": "displayName",
+#     "value": "Taro Suzuki",
+#   }
+#   {
+#     "op": "replace",
+#     "path": "name.givenName",
+#     "value": "taro"
+#   }
+# ]
+class ScimPatchOperationConverter
+  class << self
+    def convert(operations)
+      operations.each_with_object([]) do |o, result|
+        value = o['value']
+        value = value.permit!.to_h if value.instance_of?(ActionController::Parameters)
+
+        if value.is_a?(Hash)
+          converted_operations = convert_to_single_value_operations(o['op'], o['path'],
+                                                                    value)
+          result.concat(converted_operations)
+          next
+        end
+
+        result << fix_operation_format(o['op'], o['path'], value)
+      end
+    end
+
+    private
+
+      def convert_to_single_value_operations(op, path_base, hash_value)
+        hash_value.map do |k, v|
+          path = if path_base.present?
+                   "#{path_base}.#{k}"
+                 else
+                   k
+                 end
+          fix_operation_format(op, path, v)
+        end
+      end
+
+      def fix_operation_format(op, path, value)
+        { 'op' => op.downcase, 'path' => path, 'value' => fix_value(value, path) }
+      end
+
+      def fix_value(value, path)
+        if path == 'active'
+          convert_bool_if_string(value)
+        else
+          value
+        end
+      end
+
+      # According to SCIM, correct value in requests from Azure AD.
+      # When using non-application gallery in Azure AD, and feature flag is not specified,
+      # Azure AD sends string for 'active' attribute
+      def convert_bool_if_string(value)
+        case value
+        when 'true', 'True'
+          return true
+        when 'false', 'False'
+          return false
+        else
+          return value
+        end
+      end
+  end
+end