scimaenaga 0.6.1 → 0.9.0

data/app/libraries/scim_patch_operation_group.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+class ScimPatchOperationGroup < ScimPatchOperation
+
+  def save(model)
+    if @path_scim[:attribute] == 'members'
+      save_members(model)
+      return
+    end
+
+    case @op
+    when 'add', 'replace'
+      model.attributes = { @path_sp => @value }
+    when 'remove'
+      model.attributes = { @path_sp => nil }
+    end
+  end
+
+  private
+
+    def save_members(model)
+      current_member_ids = model.public_send(member_relation_attribute).map(&:to_s)
+
+      case @op
+      when 'add'
+        member_ids = add_member_ids(current_member_ids)
+      when 'replace'
+        member_ids = replace_member_ids
+      when 'remove'
+        member_ids = remove_member_ids(current_member_ids)
+      end
+
+      model.public_send("#{member_relation_attribute}=", member_ids.uniq)
+    end
+
+    def add_member_ids(current_member_ids)
+      current_member_ids.concat(member_ids_from_value)
+    end
+
+    def replace_member_ids
+      member_ids_from_value
+    end
+
+    def remove_member_ids(current_member_ids)
+      removed_member_ids = if member_ids_from_value.present?
+                             member_ids_from_value
+                           else
+                             [member_id_from_filter]
+                           end
+      current_member_ids - removed_member_ids
+    end
+
+    def member_ids_from_value
+      @member_ids_from_value ||= @value&.map do |v|
+        v['value'].to_s
+      end
+    end
+
+    def member_id_from_filter
+      @path_scim.dig(:filter, :parameter)
+    end
+
+    def member_relation_attribute
+      ScimRails.config.group_member_relation_attribute
+    end
+
+    def validate(_op, _path, _value)
+      return
+    end
+
+    def path_scim_to_path_sp(path_scim)
+      # path_scim example1:
+      # {
+      #   attribute: 'members',
+      #   filter: {
+      #     attribute: 'value',
+      #     operator: 'eq',
+      #     parameter: 'XXXX'
+      #   },
+      #   rest_path: []
+      # }
+
+      # path_scim example2:
+      # {
+      #   attribute: 'displayName',
+      #   filter: nil,
+      #   rest_path: []
+      # }
+      if path_scim[:attribute] == 'members'
+        return ScimRails.config.group_member_relation_attribute
+      end
+
+      dig_keys = [path_scim[:attribute].to_sym]
+      dig_keys.concat(path_scim[:rest_path].map(&:to_sym))
+
+      # *dig_keys example: displayName
+      ScimRails.config.mutable_group_attributes_schema.dig(*dig_keys)
+    end
+
+end

data/app/libraries/scim_patch_operation_user.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+class ScimPatchOperationUser < ScimPatchOperation
+
+  def save(model)
+    case @op
+    when 'add', 'replace'
+      model.attributes = { @path_sp => @value }
+    when 'remove'
+      model.attributes = { @path_sp => nil }
+    end
+  end
+
+  private
+
+    def validate(_op, _path, value)
+      if value.instance_of? Array
+        raise ScimRails::ExceptionHandler::UnsupportedPatchRequest
+      end
+
+      return
+    end
+
+    def path_scim_to_path_sp(path_scim)
+      # path_scim example1:
+      # {
+      #   attribute: 'emails',
+      #   filter: {
+      #     attribute: 'type',
+      #     operator: 'eq',
+      #     parameter: 'work'
+      #   },
+      #   rest_path: ['value']
+      # }
+      #
+      # path_scim example2:
+      # {
+      #   attribute: 'name',
+      #   filter: nil,
+      #   rest_path: ['givenName']
+      # }
+      dig_keys = [path_scim[:attribute].to_sym]
+
+      # Library ignores filter conditions ([type eq "work"])
+      dig_keys << 0 if path_scim[:attribute] == 'emails'
+
+      dig_keys.concat(path_scim[:rest_path].map(&:to_sym))
+
+      # *dig_keys example: emails, 0, value
+      ScimRails.config.mutable_user_attributes_schema.dig(*dig_keys)
+    end
+
+end

data/config/routes.rb

@@ -1,13 +1,16 @@
 ScimRails::Engine.routes.draw do
-  get    'scim/v2/Users',      action: :index,         controller: 'scim_users'
-  post   'scim/v2/Users',      action: :create,        controller: 'scim_users'
-  get    'scim/v2/Users/:id',  action: :show,          controller: 'scim_users'
-  put    'scim/v2/Users/:id',  action: :put_update,    controller: 'scim_users'
-  patch  'scim/v2/Users/:id',  action: :patch_update,  controller: 'scim_users'
-  get    'scim/v2/Groups',     action: :index,         controller: 'scim_groups'
-  post   'scim/v2/Groups',     action: :create,        controller: 'scim_groups'
-  get    'scim/v2/Groups/:id', action: :show,          controller: 'scim_groups'
-  put    'scim/v2/Groups/:id', action: :put_update,    controller: 'scim_groups'
-  patch  'scim/v2/Groups/:id', action: :patch_update,  controller: 'scim_groups'
-  delete 'scim/v2/Groups/:id', action: :destroy,       controller: 'scim_groups'
+  get    'scim/v2/Users',       action: :index,         controller: 'scim_users'
+  post   'scim/v2/Users',       action: :create,        controller: 'scim_users'
+  get    'scim/v2/Users/:id',   action: :show,          controller: 'scim_users'
+  put    'scim/v2/Users/:id',   action: :put_update,    controller: 'scim_users'
+  patch  'scim/v2/Users/:id',   action: :patch_update,  controller: 'scim_users'
+  delete 'scim/v2/Users/:id',   action: :destroy,       controller: 'scim_users'
+  get    'scim/v2/Groups',      action: :index,         controller: 'scim_groups'
+  post   'scim/v2/Groups',      action: :create,        controller: 'scim_groups'
+  get    'scim/v2/Groups/:id',  action: :show,          controller: 'scim_groups'
+  put    'scim/v2/Groups/:id',  action: :put_update,    controller: 'scim_groups'
+  patch  'scim/v2/Groups/:id',  action: :patch_update,  controller: 'scim_groups'
+  delete 'scim/v2/Groups/:id',  action: :destroy,       controller: 'scim_groups'
+  get    'scim/v2/Schemas',     action: :index,         controller: 'scim_schemas'
+  get    'scim/v2/Schemas/:id', action: :show,          controller: 'scim_schemas'
 end

data/lib/generators/scim_rails/templates/initializer.rb

@@ -157,4 +157,110 @@ ScimRails.configure do |config|
   # Set group_destroy_method to a method on the Group model
   # to be called on a destroy request
   # config.group_destroy_method = :destroy!
+
+  # /Schemas settings.
+  # These settings are not used in /Users and /Groups for now.
+  # Configure this only when you need Schemas endpoint.
+  # Schemas endpoint returns the configured values as-is.
+  config.schemas = [
+    # Define User schemas
+    {
+      # Normally you don't have to change schemas/id/name/description
+      schemas: ['urn:ietf:params:scim:schemas:core:2.0:Schema'],
+      id: 'urn:ietf:params:scim:schemas:core:2.0:User',
+      name: 'User',
+      description: 'User Account',
+
+      # Configure 'attributes' as it corresponds with other configurations and your model
+      attributes: [
+        {
+          # Name of SCIM attribute. It must be configured in "user_schema"
+          name: 'userName',
+
+          # "type" must be string/boolan/decimal/integer/dateTime/reference
+          # "complex" value is not supported now
+          type: 'string',
+
+          # Multi value attribute is not supported, must be false
+          multiValued: false,
+
+          description: 'Unique identifier for the User. REQUIRED.',
+
+          # Specify true when you require this attribute
+          required: true,
+
+          # In this Library, String value is always handled as case exact
+          caseExact: true,
+
+          # "mutability" must be readOnly/readWrite/writeOnly
+          # "immutable" is not supported.
+          # readOnly: attribute is defined in queryable_user_attributes but not in mutable_user_attributes and user_schema
+          # readWrite: attribute is defined in queryable_user_attributes, mutable_user_attributes and user_schema
+          # writeOnly: attribute is defined in mutable_user_attributes, and user_schema but not in queryable_user_attributes
+          mutability: 'readWrite',
+
+          # "returned" must be always/never. default and request are not supported
+          # always: attribute is defined in user_schema
+          # never: attribute is not defined in user_schema
+          returned: 'always',
+
+          # "uniqueness" must be none/server/global. It's dependent on your service
+          uniqueness: 'server',
+        }
+      ],
+      meta: {
+        resourceType: 'Schema',
+        location:
+          '/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User',
+      },
+    },
+    # define Group schemas
+    {
+      schemas: ['urn:ietf:params:scim:schemas:core:2.0:Schema'],
+      id: 'urn:ietf:params:scim:schemas:core:2.0:Group',
+      name: 'Group',
+      description: 'Group',
+      attributes: [
+        {
+          # Same as the User attributes
+          name: 'displayName',
+          type: 'string',
+          multiValued: false,
+          description: 'A human-readable name for the Group. REQUIRED.',
+          required: true,
+          caseExact: true,
+          mutability: 'readWrite',
+          returned: 'always',
+          uniqueness: 'none',
+        },
+        {
+          name: 'members',
+
+          # Only "members" can be configured as a complex and multivalued attribute
+          type: 'complex',
+          multiValued: true,
+
+          description: 'A list of members of the Group.',
+          required: false,
+          subAttributes: [
+            {
+              name: 'value',
+              type: 'string',
+              multiValued: false,
+              description: 'Identifier of the member of this Group.',
+              required: false,
+              caseExact: true,
+              mutability: 'immutable',
+              returned: 'default',
+              uniqueness: 'none',
+            }
+          ],
+        }
+      ],
+      meta: {
+        resourceType: 'Schema',
+        location: '/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group',
+      },
+    }
+  ]
 end

data/lib/scim_rails/config.rb

@@ -13,7 +13,7 @@ module ScimRails
 
   # Class containing configuration of ScimRails
   class Config
-    ALGO_NONE = "none"
+    ALGO_NONE = 'none'
 
     attr_writer \
       :basic_auth_model,
@@ -44,20 +44,23 @@ module ScimRails
       :user_attributes,
       :user_schema,
       :group_schema,
-      :group_destroy_method
+      :user_destroy_method,
+      :group_destroy_method,
+      :schemas
 
     def initialize
-      @basic_auth_model = "Company"
+      @basic_auth_model = 'Company'
       @scim_users_list_order = :id
-      @scim_users_model = "User"
+      @scim_users_model = 'User'
       @scim_groups_list_order = :id
-      @scim_groups_model = "Group"
+      @scim_groups_model = 'Group'
       @signing_algorithm = ALGO_NONE
       @user_schema = {}
       @user_attributes = []
       @user_abbreviated_schema = {}
       @group_schema = {}
       @group_abbreviated_schema = {}
+      @schemas = []
     end
 
     def mutable_user_attributes_schema

data/lib/scim_rails/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ScimRails
-  VERSION = '0.6.1'
+  VERSION = '0.9.0'
 end

data/spec/controllers/scim_rails/scim_groups_controller_spec.rb

@@ -505,12 +505,6 @@ RSpec.describe ScimRails::ScimGroupsController, type: :controller do
       end
 
       context 'when Group destroy method is configured' do
-        before do
-          allow(ScimRails.config).to(
-            receive(:group_destroy_method).and_return(:destroy!)
-          )
-        end
-
         it 'returns empty response' do
           delete :destroy, params: { id: 1 }, as: :json
 
@@ -557,7 +551,31 @@ RSpec.describe ScimRails::ScimGroupsController, type: :controller do
             delete :destroy, params: { id: 1 }, as: :json
           end.not_to change { company.groups.reload.count }.from(1)
 
-          expect(response.status).to eq 501
+          expect(response.status).to eq 500
+        end
+      end
+
+      context 'when Group destroy method is invalid' do
+        it 'does not delete Group' do
+          allow(ScimRails.config).to(
+            receive(:group_destroy_method).and_return('destory!')
+          )
+
+          expect do
+            delete :destroy, params: { id: 1 }, as: :json
+          end.not_to change { company.groups.reload.count }.from(1)
+
+          expect(response.status).to eq 500
+        end
+      end
+
+      context 'whenr target Group is not found' do
+        it 'return 404 not found' do
+          expect do
+            delete :destroy, params: { id: 999999 }, as: :json
+          end.not_to change { company.groups.reload.count }.from(1)
+
+          expect(response.status).to eq 404
         end
       end
     end

data/spec/controllers/scim_rails/scim_schemas_controller_spec.rb

@@ -0,0 +1,238 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ScimRails::ScimSchemasController, type: :controller do
+  include AuthHelper
+
+  routes { ScimRails::Engine.routes }
+
+  let(:schemas) do
+    [
+      {
+        schemas: ['urn:ietf:params:scim:schemas:core:2.0:Schema'],
+        id: 'urn:ietf:params:scim:schemas:core:2.0:User',
+        name: 'User',
+        description: 'User Account',
+        attributes: [
+          {
+            name: 'userName',
+            type: 'string',
+            multiValued: false,
+            description: 'Unique identifier for the User. REQUIRED.',
+            required: true,
+            caseExact: false,
+            mutability: 'readWrite',
+            returned: 'default',
+            uniqueness: 'server',
+          }
+        ],
+        meta: {
+          resourceType: 'Schema',
+          location:
+            '/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:User',
+        },
+      },
+      {
+        schemas: ['urn:ietf:params:scim:schemas:core:2.0:Schema'],
+        id: 'urn:ietf:params:scim:schemas:core:2.0:Group',
+        name: 'Group',
+        description: 'Group',
+        attributes: [
+          {
+            name: 'displayName',
+            type: 'string',
+            multiValued: false,
+            description: 'A human-readable name for the Group. REQUIRED.',
+            required: false,
+            caseExact: false,
+            mutability: 'readWrite',
+            returned: 'default',
+            uniqueness: 'none',
+          }
+        ],
+        meta: {
+          resourceType: 'Schema',
+          location: '/v2/Schemas/urn:ietf:params:scim:schemas:core:2.0:Group',
+        },
+      }
+    ]
+  end
+
+  let(:schemas_110) do
+    [
+      { id: 'dummy1' }, { id: 'dummy2' }, { id: 'dummy3' },
+      { id: 'dummy4' }, { id: 'dummy5' }, { id: 'dummy6' },
+      { id: 'dummy7' }, { id: 'dummy8' }, { id: 'dummy9' },
+      { id: 'dummy10' }, { id: 'dummy11' }, { id: 'dummy12' },
+      { id: 'dummy13' }, { id: 'dummy14' }, { id: 'dummy15' },
+      { id: 'dummy16' }, { id: 'dummy17' }, { id: 'dummy18' },
+      { id: 'dummy19' }, { id: 'dummy20' }, { id: 'dummy21' },
+      { id: 'dummy22' }, { id: 'dummy23' }, { id: 'dummy24' },
+      { id: 'dummy25' }, { id: 'dummy26' }, { id: 'dummy27' },
+      { id: 'dummy28' }, { id: 'dummy29' }, { id: 'dummy30' },
+      { id: 'dummy31' }, { id: 'dummy32' }, { id: 'dummy33' },
+      { id: 'dummy34' }, { id: 'dummy35' }, { id: 'dummy36' },
+      { id: 'dummy37' }, { id: 'dummy38' }, { id: 'dummy39' },
+      { id: 'dummy40' }, { id: 'dummy41' }, { id: 'dummy42' },
+      { id: 'dummy43' }, { id: 'dummy44' }, { id: 'dummy45' },
+      { id: 'dummy46' }, { id: 'dummy47' }, { id: 'dummy48' },
+      { id: 'dummy49' }, { id: 'dummy50' }, { id: 'dummy51' },
+      { id: 'dummy52' }, { id: 'dummy53' }, { id: 'dummy54' },
+      { id: 'dummy55' }, { id: 'dummy56' }, { id: 'dummy57' },
+      { id: 'dummy58' }, { id: 'dummy59' }, { id: 'dummy60' },
+      { id: 'dummy61' }, { id: 'dummy62' }, { id: 'dummy63' },
+      { id: 'dummy64' }, { id: 'dummy65' }, { id: 'dummy66' },
+      { id: 'dummy67' }, { id: 'dummy68' }, { id: 'dummy69' },
+      { id: 'dummy70' }, { id: 'dummy71' }, { id: 'dummy72' },
+      { id: 'dummy73' }, { id: 'dummy74' }, { id: 'dummy75' },
+      { id: 'dummy76' }, { id: 'dummy77' }, { id: 'dummy78' },
+      { id: 'dummy79' }, { id: 'dummy80' }, { id: 'dummy81' },
+      { id: 'dummy82' }, { id: 'dummy83' }, { id: 'dummy84' },
+      { id: 'dummy85' }, { id: 'dummy86' }, { id: 'dummy87' },
+      { id: 'dummy88' }, { id: 'dummy89' }, { id: 'dummy90' },
+      { id: 'dummy91' }, { id: 'dummy92' }, { id: 'dummy93' },
+      { id: 'dummy94' }, { id: 'dummy95' }, { id: 'dummy96' },
+      { id: 'dummy97' }, { id: 'dummy98' }, { id: 'dummy99' },
+      { id: 'dummy100' }, { id: 'dummy101' }, { id: 'dummy102' },
+      { id: 'dummy103' }, { id: 'dummy104' }, { id: 'dummy105' },
+      { id: 'dummy106' }, { id: 'dummy107' }, { id: 'dummy108' },
+      { id: 'dummy109' }, { id: 'dummy110' }
+    ]
+  end
+
+  describe 'index' do
+    let(:company) { create(:company) }
+
+    context 'when unauthorized' do
+      it 'returns scim+json content type' do
+        get :index, as: :json
+
+        expect(response.media_type).to eq 'application/scim+json'
+      end
+
+      it 'fails with no credentials' do
+        get :index, as: :json
+
+        expect(response.status).to eq 401
+      end
+
+      it 'fails with invalid credentials' do
+        request.env['HTTP_AUTHORIZATION'] =
+          ActionController::HttpAuthentication::Basic
+          .encode_credentials('unauthorized', '123456')
+
+        get :index, as: :json
+
+        expect(response.status).to eq 401
+      end
+    end
+
+    context 'when authorized' do
+      before :each do
+        http_login(company)
+      end
+
+      it 'returns scim+json content type' do
+        get :index, as: :json
+
+        expect(response.media_type).to eq 'application/scim+json'
+      end
+
+      it 'is successful with valid credentials' do
+        get :index, as: :json
+
+        expect(response.status).to eq 200
+      end
+
+      it 'returns all results' do
+        allow(ScimRails.config).to(receive(:schemas).and_return(schemas))
+        get :index, as: :json
+        response_body = JSON.parse(response.body)
+        expect(response_body.dig('schemas', 0)).to(
+          eq 'urn:ietf:params:scim:api:messages:2.0:ListResponse'
+        )
+        expect(response_body['totalResults']).to eq 2
+      end
+
+      it 'defaults to 100 results' do
+        allow(ScimRails.config).to(receive(:schemas).and_return(schemas_110))
+
+        get :index, as: :json
+        response_body = JSON.parse(response.body)
+        expect(response_body['totalResults']).to eq 110
+        expect(response_body['startIndex']).to eq 1
+        expect(response_body['Resources'].count).to eq 100
+      end
+
+      it 'paginates results' do
+        allow(ScimRails.config).to(receive(:schemas).and_return(schemas_110))
+        get :index, params: {
+          startIndex: 101,
+          count: 5,
+        }, as: :json
+        response_body = JSON.parse(response.body)
+        expect(response_body['totalResults']).to eq 110
+        expect(response_body['startIndex']).to eq 101
+        expect(response_body['Resources'].count).to eq 5
+        expect(response_body.dig('Resources', 0, 'id')).to eq 'dummy101'
+      end
+    end
+  end
+
+  describe 'show' do
+    let(:company) { create(:company) }
+
+    context 'when unauthorized' do
+      it 'returns scim+json content type' do
+        get :show, params: { id: 1 }, as: :json
+
+        expect(response.media_type).to eq 'application/scim+json'
+      end
+
+      it 'fails with no credentials' do
+        get :show, params: { id: 1 }, as: :json
+
+        expect(response.status).to eq 401
+      end
+
+      it 'fails with invalid credentials' do
+        request.env['HTTP_AUTHORIZATION'] =
+          ActionController::HttpAuthentication::Basic
+          .encode_credentials('unauthorized', '123456')
+
+        get :show, params: { id: 1 }, as: :json
+
+        expect(response.status).to eq 401
+      end
+    end
+
+    context 'when authorized' do
+      before :each do
+        http_login(company)
+      end
+
+      it 'returns scim+json content type' do
+        allow(ScimRails.config).to(receive(:schemas).and_return(schemas))
+        get :show, params: { id: 'urn:ietf:params:scim:schemas:core:2.0:User' }, as: :json
+
+        expect(response.media_type).to eq 'application/scim+json'
+      end
+
+      it 'is successful with valid credentials' do
+        allow(ScimRails.config).to(receive(:schemas).and_return(schemas))
+        get :show, params: { id: 'urn:ietf:params:scim:schemas:core:2.0:User' }, as: :json
+
+        response_body = JSON.parse(response.body)
+        expect(response.status).to eq 200
+        expect(response_body['name']).to eq 'User'
+      end
+
+      it 'returns :not_found for id that cannot be found' do
+        get :show, params: { id: 'fake_id' }, as: :json
+
+        expect(response.status).to eq 404
+      end
+    end
+  end
+end

data/spec/controllers/scim_rails/scim_schemas_request_spec.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ScimRails::ScimSchemasController, type: :request do
+  let(:company) { create(:company) }
+  let(:credentials) do
+    Base64.encode64("#{company.subdomain}:#{company.api_token}")
+  end
+  let(:authorization) { "Basic #{credentials}" }
+
+  def get_request(content_type = 'application/scim+json')
+    get '/scim/v2/Schemas',
+        headers: {
+          Authorization: authorization,
+          'Content-Type': content_type,
+        }
+  end
+
+  context 'OAuth Bearer Authorization' do
+    context 'with valid token' do
+      let(:authorization) { "Bearer #{company.api_token}" }
+
+      it 'supports OAuth bearer authorization and succeeds' do
+        get_request
+        expect(response.status).to eq 200
+      end
+    end
+
+    context 'with invalid token' do
+      let(:authorization) { "Bearer #{SecureRandom.hex}" }
+
+      it 'The request fails' do
+        get_request
+        expect(response.status).to eq 401
+      end
+    end
+  end
+end