scimaenaga 0.7.0 → 0.9.1

data/app/controllers/scimaenaga/scim_users_controller.rb

@@ -0,0 +1,104 @@
+# frozen_string_literal: true
+
+module Scimaenaga
+  class ScimUsersController < Scimaenaga::ApplicationController
+
+    def index
+      if params[:filter].present?
+        query = Scimaenaga::ScimQueryParser.new(
+          params[:filter], Scimaenaga.config.queryable_user_attributes
+        )
+
+        users = @company
+                .public_send(Scimaenaga.config.scim_users_scope)
+                .where(
+                  "#{Scimaenaga.config.scim_users_model
+              .connection.quote_column_name(query.attribute)} #{query.operator} ?",
+                  query.parameter
+                )
+                .order(Scimaenaga.config.scim_users_list_order)
+      else
+        users = @company
+                .public_send(Scimaenaga.config.scim_users_scope)
+                .order(Scimaenaga.config.scim_users_list_order)
+      end
+
+      counts = ScimCount.new(
+        start_index: params[:startIndex],
+        limit: params[:count],
+        total: users.count
+      )
+
+      json_scim_response(object: users, counts: counts)
+    end
+
+    def create
+      if Scimaenaga.config.scim_user_prevent_update_on_create
+        user = @company
+               .public_send(Scimaenaga.config.scim_users_scope)
+               .create!(permitted_user_params)
+      else
+        username_key = Scimaenaga.config.queryable_user_attributes[:userName]
+        find_by_username = {}
+        find_by_username[username_key] = permitted_user_params[username_key]
+        user = @company
+               .public_send(Scimaenaga.config.scim_users_scope)
+               .find_or_create_by(find_by_username)
+        user.update!(permitted_user_params)
+      end
+      json_scim_response(object: user, status: :created)
+    end
+
+    def show
+      user = @company.public_send(Scimaenaga.config.scim_users_scope).find(params[:id])
+      json_scim_response(object: user)
+    end
+
+    def put_update
+      user = @company.public_send(Scimaenaga.config.scim_users_scope).find(params[:id])
+      user.update!(permitted_user_params)
+      json_scim_response(object: user)
+    end
+
+    def patch_update
+      user = @company.public_send(Scimaenaga.config.scim_users_scope).find(params[:id])
+      patch = ScimPatch.new(params, :user)
+      patch.save(user)
+
+      json_scim_response(object: user)
+    end
+
+    def destroy
+      unless Scimaenaga.config.user_destroy_method
+        raise Scimaenaga::ExceptionHandler::InvalidConfiguration
+      end
+
+      user = @company.public_send(Scimaenaga.config.scim_users_scope).find(params[:id])
+      raise ActiveRecord::RecordNotFound unless user
+
+      begin
+        user.public_send(Scimaenaga.config.user_destroy_method)
+      rescue NoMethodError => e
+        raise Scimaenaga::ExceptionHandler::InvalidConfiguration, e.message
+      rescue ActiveRecord::RecordNotDestroyed => e
+        raise Scimaenaga::ExceptionHandler::InvalidRequest, e.message
+      rescue StandardError => e
+        raise Scimaenaga::ExceptionHandler::UnexpectedError, e.message
+      end
+
+      head :no_content
+    end
+
+    private
+
+      def permitted_user_params
+        Scimaenaga.config.mutable_user_attributes.each.with_object({}) do |attribute, hash|
+          hash[attribute] = find_value_for(attribute)
+        end
+      end
+
+      def controller_schema
+        Scimaenaga.config.mutable_user_attributes_schema
+      end
+  end
+end

data/app/helpers/{scim_rails → scimaenaga}/application_helper.rb

@@ -1,4 +1,4 @@
-module ScimRails
+module Scimaenaga
   module ApplicationHelper
   end
 end

data/app/libraries/scim_patch.rb

@@ -4,17 +4,24 @@
 class ScimPatch
   attr_accessor :operations
 
-  def initialize(params, mutable_attributes_schema)
-    unless params['schemas'] == ['urn:ietf:params:scim:api:messages:2.0:PatchOp']
-      raise ScimRails::ExceptionHandler::UnsupportedPatchRequest
+  def initialize(params, resource_type)
+    if params['schemas'] != ['urn:ietf:params:scim:api:messages:2.0:PatchOp'] ||
+       params['Operations'].nil?
+      raise Scimaenaga::ExceptionHandler::UnsupportedPatchRequest
     end
-    if params['Operations'].nil?
-      raise ScimRails::ExceptionHandler::UnsupportedPatchRequest
+
+    # complex-value(Hash) operation is converted to multiple single-value operations
+    converted_operations = ScimPatchOperationConverter.convert(params['Operations'])
+    @operations = converted_operations.map do |o|
+      create_operation(resource_type, o['op'], o['path'], o['value'])
     end
+  end
 
-    @operations = params['Operations'].map do |operation|
-      ScimPatchOperation.new(operation['op'], operation['path'], operation['value'],
-                             mutable_attributes_schema)
+  def create_operation(resource_type, op, path, value)
+    if resource_type == :user
+      ScimPatchOperationUser.new(op, path, value)
+    else
+      ScimPatchOperationGroup.new(op, path, value)
     end
   end
 
@@ -28,6 +35,6 @@ class ScimPatch
   rescue ActiveRecord::RecordNotFound
     raise
   rescue StandardError
-    raise ScimRails::ExceptionHandler::UnsupportedPatchRequest
+    raise Scimaenaga::ExceptionHandler::UnsupportedPatchRequest
   end
 end

data/app/libraries/scim_patch_operation.rb

@@ -2,157 +2,67 @@
 
 # Parse One of "Operations" in PATCH request
 class ScimPatchOperation
-
-  # 1 Operation means 1 attribute change
-  # If 1 value is specified, @operations has 1 "Operation" struct.
-  # If 3 value is specified, @operations has 3 "Operation" struct.
-  attr_accessor :operations
-
-  Operation = Struct.new('Operation', :op, :path_scim, :path_sp, :value)
-
-  def initialize(op, path, value, mutable_attributes_schema)
-    op_downcase = op.downcase
-
-    unless op_downcase.in? %w[add replace remove]
-      raise ScimRails::ExceptionHandler::UnsupportedPatchRequest
+  attr_reader :op, :path_scim, :path_sp, :value
+
+  # path presence is guaranteed by ScimPatchOperationConverter
+  #
+  # value must be String or Array.
+  # complex-value(Hash) is converted to multiple single-value operations by ScimPatchOperationConverter
+  def initialize(op, path, value)
+    if !op.in?(%w[add replace remove]) || path.nil?
+      raise Scimaenaga::ExceptionHandler::UnsupportedPatchRequest
     end
 
-    @operations = []
+    # define validate method in the inherited class
+    validate(op, path, value)
 
-    # To handle request pattern A and B in the same way,
-    # convert complex-value to path + single-value
-    #
-    # pattern A
-    # {
-    #   "op": "replace",
-    #   "value": {
-    #       "displayName": "Suzuki Taro",
-    #       "name.givenName": "taro"
-    #   }
-    # }
-    # => [{path: displayName, value: "Suzuki Taro"}, {path: name.givenName, value: "taro"}]
-    #
-    # pattern B
-    # [
-    #   {
-    #     "op": "replace",
-    #     "path": "displayName"
-    #     "value": "Suzuki Taro",
-    #   },
-    #   {
-    #     "op": "replace",
-    #     "path": "name.givenNAme"
-    #     "value": "taro",
-    #   },
-    # ]
-    if value.instance_of?(Hash) || value.instance_of?(ActionController::Parameters)
-      create_multiple_operations(op_downcase, path, value, mutable_attributes_schema)
-    else
-      create_operation(op_downcase, path, value, mutable_attributes_schema)
-    end
-  end
+    @op = op
+    @value = value
+    @path_scim = parse_path_scim(path)
+    @path_sp = path_scim_to_path_sp(@path_scim)
 
-  def save(model)
-    @operations.each do |operation|
-      apply_operation(model, operation)
-    end
+    # define parse method in the inherited class
   end
 
   private
 
-    def apply_operation(model, operation)
-      if operation.path_scim == 'members' # Only members are supported for value is an array
-        update_member_ids = operation.value.map do |v|
-          v[ScimRails.config.group_member_relation_schema.keys.first].to_s
-        end
-
-        current_member_ids = model.public_send(
-          ScimRails.config.group_member_relation_attribute
-        ).map(&:to_s)
-        case operation.op
-        when :add
-          member_ids = current_member_ids.concat(update_member_ids)
-        when :replace
-          member_ids = current_member_ids.concat(update_member_ids)
-        when :remove
-          member_ids = current_member_ids - update_member_ids
-        end
-
-        # Only the member addition process is saved by each ids
-        model.public_send("#{ScimRails.config.group_member_relation_attribute}=",
-                          member_ids.uniq)
-        return
-      end
-
-      case operation.op
-      when :add, :replace
-        model.attributes = { operation.path_sp => operation.value }
-      when :remove
-        model.attributes = { operation.path_sp => nil }
-      end
-    end
-
-    def create_operation(op, path_scim, value, mutable_attributes_schema)
-      path_sp = convert_path(path_scim, mutable_attributes_schema)
-      value = convert_bool_if_string(value, path_scim)
-      @operations << Operation.new(op.to_sym, path_scim, path_sp, value)
-    end
-
-    # convert hash value to 1 path + 1 value
-    # each path is created by path_scim_base + key of value
-    def create_multiple_operations(op, path_scim_base, hash_value, mutable_attributes_schema)
-      hash_value.each do |k, v|
-        # Typical request is path_scim_base = nil and value = complex-value:
-        # {
-        #   "op": "replace",
-        #   "value": {
-        #       "displayName": "Taro Suzuki",
-        #       "name.givenName": "taro"
-        #   }
-        # }
-        path_scim = if path_scim_base.present?
-                      "#{path_scim_base}.#{k}"
-                    else
-                      k
-                    end
-        create_operation(op, path_scim, v, mutable_attributes_schema)
-      end
-    end
-
-    def convert_path(path, mutable_attributes_schema)
-      return nil if path.nil?
-
-      # For now, library does not support Multi-Valued Attributes properly.
-      # examle:
-      #   path = 'emails[type eq "work"].value'
-      #   mutable_attributes_schema = {
-      #     emails: [
-      #       {
-      #         value: :mail_address,
-      #      }
-      #     ],
-      #   }
+    def parse_path_scim(path)
+      # 'emails[type eq "work"].value' is parsed as follows:
+      #
+      # {
+      #   attribute: 'emails',
+      #   filter: {
+      #     attribute: 'type',
+      #     operator: 'eq',
+      #     parameter: 'work'
+      #   },
+      #   rest_path: ['value']
+      # }
       #
-      #   Library ignores filter conditions (like [type eq "work"])
-      #   and always uses the first element of the array
-      dig_keys = path.gsub(/\[(.+?)\]/, '.0').split('.').map do |step|
-        step == '0' ? 0 : step.to_sym
+      # This method suport only single operator
+
+      # path: emails.value
+      # filter_string: type eq "work"
+      path_str = path.dup
+      filter_string = path_str.slice!(/\[(.+?)\]/, 0)&.slice(/\[(.+?)\]/, 1)
+
+      # path_elements: ['emails', 'value']
+      path_elements = path_str.split('.')
+
+      # filter_elements: ['type', 'eq', '"work"']
+      filter_elements = filter_string&.split(' ')
+      path_scim = { attribute: path_elements[0],
+                    rest_path: path_elements.slice(1...path_elements.length), }
+      if filter_elements.present?
+        path_scim[:filter] = {
+          attribute: filter_elements[0],
+          operator: filter_elements[1],
+          # delete double quotation
+          parameter: filter_elements[2].slice(1...filter_elements[2].length - 1),
+        }
       end
-      mutable_attributes_schema.dig(*dig_keys)
-    end
 
-    def convert_bool_if_string(value, path)
-      # This method correct value in requests from Azure AD according to SCIM.
-      # When path is not active, do nothing and return
-      return value if path != 'active'
-
-      case value
-      when 'true', 'True'
-        return true
-      when 'false', 'False'
-        return false
-      else
-        return value
-      end
+      path_scim
     end
+
 end

data/app/libraries/scim_patch_operation_converter.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+# 1. Convert each multi-value operation to single-value operations.
+# 2. Fix wrong "value".
+# 3. convert "op" to lower case
+#
+# About #1
+# to handle request pattern A and B in the same way,
+# convert complex-value to path + single-value
+#
+# Typical request is path_base = nil and value = complex-value:
+# {
+#   "op": "replace",
+#   "value": {
+#       "displayName": "Taro Suzuki",
+#       "name.givenName": "taro"
+#   }
+# }
+#
+# This request is converted to:
+# [
+#   {
+#     "op": "replace",
+#     "path": "displayName",
+#     "value": "Taro Suzuki",
+#   }
+#   {
+#     "op": "replace",
+#     "path": "name.givenName",
+#     "value": "taro"
+#   }
+# ]
+class ScimPatchOperationConverter
+  class << self
+    def convert(operations)
+      operations.each_with_object([]) do |o, result|
+        value = o['value']
+        value = value.permit!.to_h if value.instance_of?(ActionController::Parameters)
+
+        if value.is_a?(Hash)
+          converted_operations = convert_to_single_value_operations(o['op'], o['path'],
+                                                                    value)
+          result.concat(converted_operations)
+          next
+        end
+
+        result << fix_operation_format(o['op'], o['path'], value)
+      end
+    end
+
+    private
+
+      def convert_to_single_value_operations(op, path_base, hash_value)
+        hash_value.map do |k, v|
+          path = if path_base.present?
+                   "#{path_base}.#{k}"
+                 else
+                   k
+                 end
+          fix_operation_format(op, path, v)
+        end
+      end
+
+      def fix_operation_format(op, path, value)
+        { 'op' => op.downcase, 'path' => path, 'value' => fix_value(value, path) }
+      end
+
+      def fix_value(value, path)
+        if path == 'active'
+          convert_bool_if_string(value)
+        else
+          value
+        end
+      end
+
+      # According to SCIM, correct value in requests from Azure AD.
+      # When using non-application gallery in Azure AD, and feature flag is not specified,
+      # Azure AD sends string for 'active' attribute
+      def convert_bool_if_string(value)
+        case value
+        when 'true', 'True'
+          return true
+        when 'false', 'False'
+          return false
+        else
+          return value
+        end
+      end
+  end
+end

data/app/libraries/scim_patch_operation_group.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+class ScimPatchOperationGroup < ScimPatchOperation
+
+  def save(model)
+    if @path_scim[:attribute] == 'members'
+      save_members(model)
+      return
+    end
+
+    case @op
+    when 'add', 'replace'
+      model.attributes = { @path_sp => @value }
+    when 'remove'
+      model.attributes = { @path_sp => nil }
+    end
+  end
+
+  private
+
+    def save_members(model)
+      current_member_ids = model.public_send(member_relation_attribute).map(&:to_s)
+
+      case @op
+      when 'add'
+        member_ids = add_member_ids(current_member_ids)
+      when 'replace'
+        member_ids = replace_member_ids
+      when 'remove'
+        member_ids = remove_member_ids(current_member_ids)
+      end
+
+      model.public_send("#{member_relation_attribute}=", member_ids.uniq)
+    end
+
+    def add_member_ids(current_member_ids)
+      current_member_ids.concat(member_ids_from_value)
+    end
+
+    def replace_member_ids
+      member_ids_from_value
+    end
+
+    def remove_member_ids(current_member_ids)
+      removed_member_ids = if member_ids_from_value.present?
+                             member_ids_from_value
+                           else
+                             [member_id_from_filter]
+                           end
+      current_member_ids - removed_member_ids
+    end
+
+    def member_ids_from_value
+      @member_ids_from_value ||= @value&.map do |v|
+        v['value'].to_s
+      end
+    end
+
+    def member_id_from_filter
+      @path_scim.dig(:filter, :parameter)
+    end
+
+    def member_relation_attribute
+      Scimaenaga.config.group_member_relation_attribute
+    end
+
+    def validate(_op, _path, _value)
+      return
+    end
+
+    def path_scim_to_path_sp(path_scim)
+      # path_scim example1:
+      # {
+      #   attribute: 'members',
+      #   filter: {
+      #     attribute: 'value',
+      #     operator: 'eq',
+      #     parameter: 'XXXX'
+      #   },
+      #   rest_path: []
+      # }
+
+      # path_scim example2:
+      # {
+      #   attribute: 'displayName',
+      #   filter: nil,
+      #   rest_path: []
+      # }
+      if path_scim[:attribute] == 'members'
+        return Scimaenaga.config.group_member_relation_attribute
+      end
+
+      dig_keys = [path_scim[:attribute].to_sym]
+      dig_keys.concat(path_scim[:rest_path].map(&:to_sym))
+
+      # *dig_keys example: displayName
+      Scimaenaga.config.mutable_group_attributes_schema.dig(*dig_keys)
+    end
+
+end

data/app/libraries/scim_patch_operation_user.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+class ScimPatchOperationUser < ScimPatchOperation
+
+  def save(model)
+    case @op
+    when 'add', 'replace'
+      model.attributes = { @path_sp => @value }
+    when 'remove'
+      model.attributes = { @path_sp => nil }
+    end
+  end
+
+  private
+
+    def validate(_op, _path, value)
+      if value.instance_of? Array
+        raise Scimaenaga::ExceptionHandler::UnsupportedPatchRequest
+      end
+
+      return
+    end
+
+    def path_scim_to_path_sp(path_scim)
+      # path_scim example1:
+      # {
+      #   attribute: 'emails',
+      #   filter: {
+      #     attribute: 'type',
+      #     operator: 'eq',
+      #     parameter: 'work'
+      #   },
+      #   rest_path: ['value']
+      # }
+      #
+      # path_scim example2:
+      # {
+      #   attribute: 'name',
+      #   filter: nil,
+      #   rest_path: ['givenName']
+      # }
+      dig_keys = [path_scim[:attribute].to_sym]
+
+      # Library ignores filter conditions ([type eq "work"])
+      dig_keys << 0 if path_scim[:attribute] == 'emails'
+
+      dig_keys.concat(path_scim[:rest_path].map(&:to_sym))
+
+      # *dig_keys example: emails, 0, value
+      Scimaenaga.config.mutable_user_attributes_schema.dig(*dig_keys)
+    end
+
+end

data/app/models/{scim_rails → scimaenaga}/application_record.rb

@@ -1,4 +1,4 @@
-module ScimRails
+module Scimaenaga
   class ApplicationRecord < ActiveRecord::Base
     self.abstract_class = true
   end

data/app/models/scimaenaga/authorize_api_request.rb

@@ -0,0 +1,39 @@
+module Scimaenaga
+  class AuthorizeApiRequest
+
+    def initialize(searchable_attribute:, authentication_attribute:)
+      @searchable_attribute = searchable_attribute
+      @authentication_attribute = authentication_attribute
+
+      if searchable_attribute.blank? || authentication_attribute.blank?
+        raise Scimaenaga::ExceptionHandler::InvalidCredentials
+      end
+
+      @search_parameter = { Scimaenaga.config.basic_auth_model_searchable_attribute => @searchable_attribute }
+    end
+
+    def company
+      company = find_company
+      authorize(company)
+      company
+    end
+
+    private
+
+      attr_reader :authentication_attribute, :search_parameter, :searchable_attribute
+
+      def find_company
+        @company ||= Scimaenaga.config.basic_auth_model.find_by!(search_parameter)
+      rescue ActiveRecord::RecordNotFound
+        raise Scimaenaga::ExceptionHandler::InvalidCredentials
+      end
+
+      def authorize(authentication_model)
+        authorized = ActiveSupport::SecurityUtils.secure_compare(
+          authentication_model.public_send(Scimaenaga.config.basic_auth_model_authenticatable_attribute),
+          authentication_attribute
+        )
+        raise Scimaenaga::ExceptionHandler::InvalidCredentials unless authorized
+      end
+  end
+end

data/app/models/{scim_rails → scimaenaga}/scim_count.rb

@@ -1,4 +1,4 @@
-module ScimRails
+module Scimaenaga
   class ScimCount
     include ActiveModel::Model
 
@@ -10,17 +10,21 @@ module ScimRails
 
     def limit
       return 100 if @limit.blank?
+
       validate_numericality(@limit)
       input = @limit.to_i
       raise if input < 1
+
       input
     end
 
     def start_index
       return 1 if @start_index.blank?
+
       validate_numericality(@start_index)
       input = @start_index.to_i
       return 1 if input < 1
+
       input
     end
 
@@ -30,9 +34,9 @@ module ScimRails
 
     private
 
-    def validate_numericality(input)
-      raise unless input.match?(/\A\d+\z/)
-    end
+      def validate_numericality(input)
+        raise unless input.match?(/\A\d+\z/)
+      end
 
   end
 end