scimitar 1.0.0

data/spec/apps/dummy/app/controllers/mock_users_controller.rb

@@ -0,0 +1,13 @@
+class MockUsersController < Scimitar::ActiveRecordBackedResourcesController
+
+  protected
+
+    def storage_class
+      MockUser
+    end
+
+    def storage_scope
+      MockUser.all
+    end
+
+end

data/spec/apps/dummy/app/models/mock_group.rb

@@ -0,0 +1,83 @@
+class MockGroup < ActiveRecord::Base
+
+  # ===========================================================================
+  # TEST ATTRIBUTES - see db/migrate/20210308020313_create_mock_groups.rb etc.
+  # ===========================================================================
+
+  READWRITE_ATTRS = %w{
+    id
+    scim_uid
+    display_name
+    scim_users_and_groups
+  }
+
+  has_and_belongs_to_many :mock_users
+
+  has_many :child_mock_groups, class_name: 'MockGroup', foreign_key: 'parent_id'
+
+  # ===========================================================================
+  # SCIM ADAPTER ACCESSORS
+  #
+  # Groups in SCIM can contain users or other groups. That's why the :find_with
+  # key in the Hash returned by ::scim_attributes_map has to check the type of
+  # thing it needs to find. Since the mappings only support a single read/write
+  # accessor, we need custom accessors to do what SCIM is expecting by turning
+  # the Rails associations to/from mixed, flat arrays of mock users and groups.
+  # ===========================================================================
+
+  def scim_users_and_groups
+    self.mock_users.to_a + self.child_mock_groups.to_a
+  end
+
+  def scim_users_and_groups=(mixed_array)
+    self.mock_users        = mixed_array.select { |item| item.is_a?(MockUser)  }
+    self.child_mock_groups = mixed_array.select { |item| item.is_a?(MockGroup) }
+  end
+
+  # ===========================================================================
+  # SCIM MIXIN AND REQUIRED METHODS
+  # ===========================================================================
+
+  def self.scim_resource_type
+    return Scimitar::Resources::Group
+  end
+
+  def self.scim_attributes_map
+    return {
+      id:          :id,
+      externalId:  :scim_uid,
+      displayName: :display_name,
+      members:     [ # NB read-write, though individual items' attributes are immutable
+        list:  :scim_users_and_groups, # See adapter accessors, earlier in this file
+        using: {
+          value: :id
+        },
+        find_with: -> (scim_list_entry) {
+          id   = scim_list_entry['value']
+          type = scim_list_entry['type' ] || 'User' # Some online examples omit 'type' and believe 'User' will be assumed
+
+          case type.downcase
+            when 'user'
+              MockUser.find_by_id(id)
+            when 'group'
+              MockGroup.find_by_id(id)
+            else
+              raise Scimitar::InvalidSyntaxError.new("Unrecognised type #{type.inspect}")
+          end
+        }
+      ]
+    }
+  end
+
+  def self.scim_mutable_attributes
+    return nil
+  end
+
+  def self.scim_queryable_attributes
+    return {
+      displayName: :display_name
+    }
+  end
+
+  include Scimitar::Resources::Mixin
+end

data/spec/apps/dummy/app/models/mock_user.rb

@@ -0,0 +1,104 @@
+class MockUser < ActiveRecord::Base
+
+  # ===========================================================================
+  # TEST ATTRIBUTES - see db/migrate/20210304014602_create_mock_users.rb etc.
+  # ===========================================================================
+
+  READWRITE_ATTRS = %w{
+    id
+    scim_uid
+    username
+    first_name
+    last_name
+    work_email_address
+    home_email_address
+    work_phone_number
+  }
+
+  has_and_belongs_to_many :mock_groups
+
+  # A fixed value read-only attribute, in essence.
+  #
+  def is_active
+    true
+  end
+
+  # A test hook to force validation failures.
+  #
+  INVALID_USERNAME = 'invalid username'
+  validates :username, uniqueness: true, exclusion: { in: [INVALID_USERNAME] }
+
+  # ===========================================================================
+  # SCIM MIXIN AND REQUIRED METHODS
+  # ===========================================================================
+
+  def self.scim_resource_type
+    return Scimitar::Resources::User
+  end
+
+  def self.scim_attributes_map
+    return {
+      id:         :id,
+      externalId: :scim_uid,
+      userName:   :username,
+      name:       {
+        givenName:  :first_name,
+        familyName: :last_name
+      },
+      emails: [
+        {
+          match: 'type',
+          with:  'work',
+          using: {
+            value:   :work_email_address,
+            primary: true
+          }
+        },
+        {
+          match: 'type',
+          with:  'home',
+          using: {
+            value:   :home_email_address,
+            primary: false
+          }
+        },
+      ],
+      phoneNumbers: [
+        {
+          match: 'type',
+          with:  'work',
+          using: {
+            value:   :work_phone_number,
+            primary: false
+          }
+        },
+      ],
+      groups: [ # NB read-only, so no :find_with key
+        {
+          list:  :mock_groups,
+          using: {
+            value:   :id,
+            display: :display_name
+          }
+        }
+      ],
+      active: :is_active
+    }
+  end
+
+  def self.scim_mutable_attributes
+    return nil
+  end
+
+  def self.scim_queryable_attributes
+    return {
+      'name.givenName'  => { column: :first_name },
+      'name.familyName' => { column: :last_name  },
+      'emails'          => { columns: [ :work_email_address, :home_email_address ] },
+      'emails.value'    => { columns: [ :work_email_address, :home_email_address ] },
+      'emails.type'     => { ignore: true } # We can't filter on that; it'll just search all e-mails
+    }
+  end
+
+  include Scimitar::Resources::Mixin
+end

data/spec/apps/dummy/config/application.rb

@@ -0,0 +1,17 @@
+require_relative 'boot'
+
+require 'rails'
+require 'active_model/railtie'
+require 'active_record/railtie'
+require 'action_controller/railtie'
+require 'action_view/railtie'
+
+Bundler.require(*Rails.groups)
+
+require 'scimitar'
+
+module Dummy
+  class Application < Rails::Application
+  end
+end
+

data/spec/apps/dummy/config/boot.rb

@@ -0,0 +1,2 @@
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../../../../Gemfile', __FILE__)
+require 'bundler/setup'

data/spec/apps/dummy/config/environment.rb

@@ -0,0 +1,2 @@
+require_relative 'application'
+Rails.application.initialize!

data/spec/apps/dummy/config/environments/test.rb

@@ -0,0 +1,15 @@
+Rails.application.configure do
+  config.cache_classes = true
+  config.eager_load = false
+  config.serve_static_files = true
+  config.static_cache_control = 'public, max-age=3600'
+  config.consider_all_requests_local = true
+
+  config.action_dispatch.show_exceptions = false
+
+  config.action_controller.perform_caching = false
+  config.action_controller.allow_forgery_protection = false
+
+  config.active_support.test_order = :random
+  config.active_support.deprecation = :stderr
+end

data/spec/apps/dummy/config/initializers/cookies_serializer.rb

@@ -0,0 +1,3 @@
+# Be sure to restart your server when you modify this file.
+
+Rails.application.config.action_dispatch.cookies_serializer = :json

data/spec/apps/dummy/config/initializers/scimitar.rb

@@ -0,0 +1,14 @@
+# Test app configuration.
+#
+Scimitar.engine_configuration = Scimitar::EngineConfiguration.new({
+
+  application_controller_mixin: Module.new do
+    def self.included(base)
+      base.class_eval do
+        def test_hook; end
+        before_action :test_hook
+      end
+    end
+  end
+
+})

data/spec/apps/dummy/config/initializers/session_store.rb

@@ -0,0 +1,3 @@
+# Be sure to restart your server when you modify this file.
+
+Rails.application.config.session_store :cookie_store, key: '_dummy_session'

data/spec/apps/dummy/config/routes.rb

@@ -0,0 +1,24 @@
+# This test app mounts everything at the root level, but you'd usually be doing
+# more in your Rails app than just SCIM! Wrapping with 'namespace :foo do' is
+# strongly recommended to avoid routing namespace collisions. See README.md for
+# an example.
+#
+Rails.application.routes.draw do
+  mount Scimitar::Engine, at: '/'
+
+  get    'Users',     to: 'mock_users#index'
+  get    'Users/:id', to: 'mock_users#show'
+  post   'Users',     to: 'mock_users#create'
+  put    'Users/:id', to: 'mock_users#replace'
+  patch  'Users/:id', to: 'mock_users#update'
+  delete 'Users/:id', to: 'mock_users#destroy'
+
+  # For testing blocks passed to ActiveRecordBackedResourcesController#destroy
+  #
+  delete 'CustomDestroyUsers/:id', to: 'custom_destroy_mock_users#destroy'
+
+  # For testing environment inside Scimitar::ApplicationController subclasses.
+  #
+  get  'CustomRequestVerifiers', to: 'custom_request_verifiers#index'
+  post 'CustomRequestVerifiers', to: 'custom_request_verifiers#create'
+end

data/spec/apps/dummy/db/migrate/20210304014602_create_mock_users.rb

@@ -0,0 +1,15 @@
+class CreateMockUsers < ActiveRecord::Migration[6.1]
+  def change
+    create_table :mock_users do |t|
+
+      t.text :scim_uid
+      t.text :username
+      t.text :first_name
+      t.text :last_name
+      t.text :work_email_address
+      t.text :home_email_address
+      t.text :work_phone_number
+
+    end
+  end
+end

data/spec/apps/dummy/db/migrate/20210308020313_create_mock_groups.rb

@@ -0,0 +1,10 @@
+class CreateMockGroups < ActiveRecord::Migration[6.1]
+  def change
+    create_table :mock_groups do |t|
+      t.text :scim_uid
+      t.text :display_name
+
+      t.references :parent
+    end
+  end
+end

data/spec/apps/dummy/db/migrate/20210308044214_create_join_table_mock_groups_mock_users.rb

@@ -0,0 +1,8 @@
+class CreateJoinTableMockGroupsMockUsers < ActiveRecord::Migration[6.1]
+  def change
+    create_join_table :mock_groups, :mock_users do |t|
+      t.index [:mock_group_id, :mock_user_id]
+      t.index [:mock_user_id, :mock_group_id]
+    end
+  end
+end

data/spec/apps/dummy/db/schema.rb

@@ -0,0 +1,42 @@
+# This file is auto-generated from the current state of the database. Instead
+# of editing this file, please use the migrations feature of Active Record to
+# incrementally modify your database, and then regenerate this schema definition.
+#
+# This file is the source Rails uses to define your schema when running `bin/rails
+# db:schema:load`. When creating a new database, `bin/rails db:schema:load` tends to
+# be faster and is potentially less error prone than running all of your
+# migrations from scratch. Old migrations may fail to apply correctly if those
+# migrations use external dependencies or application code.
+#
+# It's strongly recommended that you check this file into your version control system.
+
+ActiveRecord::Schema.define(version: 2021_03_08_044214) do
+
+  # These are extensions that must be enabled in order to support this database
+  enable_extension "plpgsql"
+
+  create_table "mock_groups", force: :cascade do |t|
+    t.text "scim_uid"
+    t.text "display_name"
+    t.bigint "parent_id"
+    t.index ["parent_id"], name: "index_mock_groups_on_parent_id"
+  end
+
+  create_table "mock_groups_users", id: false, force: :cascade do |t|
+    t.bigint "mock_group_id", null: false
+    t.bigint "mock_user_id", null: false
+    t.index ["mock_group_id", "mock_user_id"], name: "index_mock_groups_users_on_mock_group_id_and_mock_user_id"
+    t.index ["mock_user_id", "mock_group_id"], name: "index_mock_groups_users_on_mock_user_id_and_mock_group_id"
+  end
+
+  create_table "mock_users", force: :cascade do |t|
+    t.text "scim_uid"
+    t.text "username"
+    t.text "first_name"
+    t.text "last_name"
+    t.text "work_email_address"
+    t.text "home_email_address"
+    t.text "work_phone_number"
+  end
+
+end

data/spec/controllers/scimitar/application_controller_spec.rb

@@ -0,0 +1,173 @@
+require 'spec_helper'
+
+RSpec.describe Scimitar::ApplicationController do
+  context 'basic authentication' do
+    before do
+      Scimitar.engine_configuration = Scimitar::EngineConfiguration.new(
+        basic_authenticator: Proc.new do | username, password |
+          username == 'A' && password == 'B'
+        end
+      )
+    end
+
+    controller do
+      rescue_from StandardError, with: :handle_resource_not_found
+
+      def index
+        render json: { 'message' => 'cool, cool!' }, format: :scim
+      end
+    end
+
+    it 'renders success when valid creds are given' do
+      request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials('A', 'B')
+
+      get :index, params: { format: :scim }
+      expect(response).to be_ok
+      expect(JSON.parse(response.body)).to eql({ 'message' => 'cool, cool!' })
+      expect(response.headers['WWW_AUTHENTICATE']).to eql('Basic')
+    end
+
+    it 'renders failure with bad password' do
+      request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials('A', 'C')
+
+      get :index, params: { format: :scim }
+      expect(response).not_to be_ok
+    end
+
+    it 'renders failure with bad user name' do
+      request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials('C', 'B')
+
+      get :index, params: { format: :scim }
+      expect(response).not_to be_ok
+    end
+
+    it 'renders failure with bad user name and password' do
+      request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials('C', 'D')
+
+      get :index, params: { format: :scim }
+      expect(response).not_to be_ok
+    end
+
+    it 'renders failure with blank password' do
+      request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials('A', '')
+
+      get :index, params: { format: :scim }
+      expect(response).not_to be_ok
+    end
+
+    it 'renders failure with missing header' do
+      get :index, params: { format: :scim }
+      expect(response).not_to be_ok
+    end
+  end
+
+  context 'token authentication' do
+    before do
+      Scimitar.engine_configuration = Scimitar::EngineConfiguration.new(
+        token_authenticator: Proc.new do | token, options |
+          token == 'A'
+        end
+      )
+    end
+
+    controller do
+      rescue_from StandardError, with: :handle_resource_not_found
+
+      def index
+        render json: { 'message' => 'cool, cool!' }, format: :scim
+      end
+    end
+
+    it 'renders success when valid creds are given' do
+      request.env['HTTP_AUTHORIZATION'] = 'Bearer A'
+
+      get :index, params: { format: :scim }
+      expect(response).to be_ok
+      expect(JSON.parse(response.body)).to eql({ 'message' => 'cool, cool!' })
+      expect(response.headers['WWW_AUTHENTICATE']).to eql('Bearer')
+    end
+
+    it 'renders failure with bad token' do
+      request.env['HTTP_AUTHORIZATION'] = 'Bearer Invalid'
+
+      get :index, params: { format: :scim }
+      expect(response).not_to be_ok
+    end
+
+    it 'renders failure with blank token' do
+      request.env['HTTP_AUTHORIZATION'] = 'Bearer'
+
+      get :index, params: { format: :scim }
+      expect(response).not_to be_ok
+    end
+
+    it 'renders failure with missing header' do
+      get :index, params: { format: :scim }
+      expect(response).not_to be_ok
+    end
+  end
+
+  context 'authenticated' do
+    controller do
+      rescue_from StandardError, with: :handle_resource_not_found
+
+      def index
+        render json: { 'message' => 'cool, cool!' }, format: :scim
+      end
+
+      def authenticated?
+        true
+      end
+    end
+
+    context 'authenticate' do
+      it 'renders index if authenticated' do
+        get :index, params: { format: :scim }
+        expect(response).to be_ok
+        expect(JSON.parse(response.body)).to eql({ 'message' => 'cool, cool!' })
+      end
+
+      it 'renders not authorized response if not authenticated' do
+        allow(controller()).to receive(:authenticated?) { false }
+        get :index, params: { format: :scim }
+        expect(response).to have_http_status(:unauthorized)
+        parsed_body = JSON.parse(response.body)
+        expect(parsed_body).to include('schemas' => ['urn:ietf:params:scim:api:messages:2.0:Error'])
+        expect(parsed_body).to include('detail' => 'Requires authentication')
+        expect(parsed_body).to include('status' => '401')
+      end
+
+      it 'renders resource not found response when resource cannot be found for the given id' do
+        allow(controller()).to receive(:index).and_raise(StandardError)
+        get :index, params: { id: 10, format: :scim }
+        expect(response).to have_http_status(:not_found)
+        parsed_body = JSON.parse(response.body)
+        expect(parsed_body).to include('schemas' => ['urn:ietf:params:scim:api:messages:2.0:Error'])
+        expect(parsed_body).to include('detail' => 'Resource "10" not found')
+        expect(parsed_body).to include('status' => '404')
+      end
+    end
+  end
+
+  context 'error handling' do
+    controller do
+      def index
+        raise 'Bang'
+      end
+
+      def authenticated?
+        true
+      end
+    end
+
+    it 'handles general exceptions automatically' do
+      get :index, params: { format: :scim }
+
+      expect(response).to have_http_status(:internal_server_error)
+      parsed_body = JSON.parse(response.body)
+      expect(parsed_body).to include('schemas' => ['urn:ietf:params:scim:api:messages:2.0:Error'])
+      expect(parsed_body).to include('status' => '500')
+      expect(parsed_body).to include('detail' => 'Bang')
+    end
+  end
+end