scimitar 1.5.2 → 1.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b55b1f0a0a700b57690cb05fc02241cf47f60a4ad8c92946a32366c90ee56d8c
-  data.tar.gz: a7143dcd7d1381250e66529c70288659a2018fb26fc16639c14ba796acc805d5
+  metadata.gz: 7bed3013773832fde9275ba69b622a8538beb2d8ff6b6ffe506e1c9453480ec5
+  data.tar.gz: e51c811619169e64f3a373a56670514d37ac2823b7ed8b1bedd5c9b9c282576e
 SHA512:
-  metadata.gz: fb740b528770a918fc3237cabdc953affcde23fa7787cc9e9383a6d71b104e2d6325c2829545d367983a3bb64435179a0523b6d785d8e6d3eb7b2bfdb6c82748
-  data.tar.gz: 9f73bcafefbd7de57f258d1dc1c18e020b8dd7bca6330f7b288e308168daf7cb698051a9f2d4eaee9717139978df4e7a9fe854ba269ab94b2b46f1030d2ab9db
+  metadata.gz: 697b3299edb4752baf38b68574191b72528a5e69467aa1a097c9b8c92928d57cff9d21afa50d7c66c15fc66220e52469f2b602ef3a5051489f734717f3489955
+  data.tar.gz: 7d7a7bcb8fa0a9881ad7b77b6b81a4ec096e56300e8b5594fb0538adb76f7ee06b65fb56e319f1b7872738e4807d667e534f5c99b60d86b8bf5125e0d2972dc8

data/app/controllers/scimitar/application_controller.rb

@@ -25,7 +25,6 @@ module Scimitar
       #
       # ...to "globally" invoke this handler if you wish.
       #
-      #
       # +exception+:: Exception instance, used for a configured error reporter
       #               via #handle_scim_error (if present).
       #

data/app/models/scimitar/engine_configuration.rb

@@ -7,13 +7,17 @@ module Scimitar
   class EngineConfiguration
     include ActiveModel::Model
 
-    attr_accessor :basic_authenticator,
-                  :token_authenticator,
-                  :application_controller_mixin,
-                  :exception_reporter,
-                  :optional_value_fields_required
+    attr_accessor(
+      :uses_defaults,
+      :basic_authenticator,
+      :token_authenticator,
+      :application_controller_mixin,
+      :exception_reporter,
+      :optional_value_fields_required,
+    )
 
     def initialize(attributes = {})
+      @uses_defaults = attributes.empty?
 
       # Set defaults that may be overridden by the initializer.
       #

data/app/models/scimitar/lists/query_parser.rb

@@ -192,7 +192,7 @@ module Scimitar
 
             ast.push(self.start_group? ? self.parse_group() : self.pop())
 
-            unless ! ast.last.is_a?(String) || UNARY_OPERATORS.include?(ast.last.downcase)
+            if ast.last.is_a?(String) && !UNARY_OPERATORS.include?(ast.last.downcase) || ast.last.is_a?(Array)
               expect_op ^= true
             end
           end
@@ -601,9 +601,15 @@ module Scimitar
           column_names   = self.activerecord_columns(scim_attribute)
           value          = self.activerecord_parameter(scim_parameter)
           value_for_like = self.sql_modified_value(scim_operator, value)
-          all_supported  = column_names.all? { | column_name | base_scope.model.column_names.include?(column_name.to_s) }
+          arel_columns   = column_names.map do |column|
+            if base_scope.model.column_names.include?(column.to_s)
+              arel_table[column]
+            elsif column.is_a?(Arel::Attribute)
+              column
+            end
+          end
 
-          raise Scimitar::FilterError unless all_supported
+          raise Scimitar::FilterError unless arel_columns.all?
 
           unless case_sensitive
             lc_scim_attribute = scim_attribute.downcase()
@@ -615,8 +621,7 @@ module Scimitar
             )
           end
 
-          column_names.each.with_index do | column_name, index |
-            arel_column    = arel_table[column_name]
+          arel_columns.each.with_index do | arel_column, index |
             arel_operation = case scim_operator
               when 'eq'
                 if case_sensitive
@@ -641,7 +646,7 @@ module Scimitar
               when 'co', 'sw', 'ew'
                 arel_column.matches(value_for_like, nil, case_sensitive)
               when 'pr'
-                arel_table.grouping(arel_column.not_eq_all(['', nil]))
+                arel_column.relation.grouping(arel_column.not_eq_all(['', nil]))
               else
                 raise Scimitar::FilterError.new("Unsupported operator: '#{scim_operator}'")
             end

data/app/models/scimitar/resources/base.rb

@@ -112,7 +112,7 @@ module Scimitar
       end
 
       def self.complex_scim_attributes
-        schema.scim_attributes.select(&:complexType).group_by(&:name)
+        schemas.flat_map(&:scim_attributes).select(&:complexType).group_by(&:name)
       end
 
       def complex_type_from_hash(scim_attribute, attr_value)

data/app/models/scimitar/resources/mixin.rb

@@ -220,13 +220,8 @@ module Scimitar
     # allow for different client searching "styles", given ambiguities in RFC
     # 7644 filter examples).
     #
-    # Each value is a Hash with Symbol keys ':column', naming just one simple
-    # column for a mapping; ':columns', with an Array of column names that you
-    # want to map using 'OR' for a single search on the corresponding SCIM
-    # attribute; or ':ignore' with value 'true', which means that a fitler on
-    # the matching attribute is ignored rather than resulting in an "invalid
-    # filter" exception - beware possibilities for surprised clients getting a
-    # broader result set than expected. Example:
+    # Each value is a hash of queryable SCIM attribute options, described
+    # below - for example:
     #
     #     def self.scim_queryable_attributes
     #       return {
@@ -234,10 +229,27 @@ module Scimitar
     #         'name.familyName' => { column: :last_name  },
     #         'emails'          => { columns: [ :work_email_address, :home_email_address ] },
     #         'emails.value'    => { columns: [ :work_email_address, :home_email_address ] },
-    #         'emails.type'     => { ignore: true }
+    #         'emails.type'     => { ignore: true },
+    #         'groups.value'    => { column: Group.arel_table[:id] }
     #       }
     #     end
     #
+    # Column references can be either a Symbol representing a column within
+    # the resource model table, or an <tt>Arel::Attribute</tt> instance via
+    # e.g. <tt>MyModel.arel_table[:my_column]</tt>.
+    #
+    # === Queryable SCIM attribute options
+    #
+    # +:column+::  Just one simple column for a mapping.
+    #
+    # +:columns+:: An Array of columns that you want to map using 'OR' for a
+    #              single search of the corresponding entity.
+    #
+    # +:ignore+::  When set to +true+, the matching attribute is ignored rather
+    #              than resulting in an "invalid filter" exception. Beware
+    #              possibilities for surprised clients getting a broader result
+    #              set than expected, since a constraint may have been ignored.
+    #
     # Filtering is currently limited and searching within e.g. arrays of data
     # is not supported; only simple top-level keys can be mapped.
     #
@@ -406,8 +418,11 @@ module Scimitar
         def from_scim_patch!(patch_hash:)
           frozen_ci_patch_hash = patch_hash.with_indifferent_case_insensitive_access().freeze()
           ci_scim_hash         = self.to_scim(location: '(unused)').as_json().with_indifferent_case_insensitive_access()
+          operations           = frozen_ci_patch_hash['operations']
+
+          raise Scimitar::InvalidSyntaxError.new("Missing PATCH \"operations\"") unless operations
 
-          frozen_ci_patch_hash['operations'].each do |operation|
+          operations.each do |operation|
             nature   = operation['op'   ]&.downcase
             path_str = operation['path' ]
             value    = operation['value']

data/app/models/scimitar/service_provider_configuration.rb

@@ -9,11 +9,22 @@ module Scimitar
   class ServiceProviderConfiguration
     include ActiveModel::Model
 
-    attr_accessor :patch, :bulk, :filter, :changePassword,
-      :sort, :etag, :authenticationSchemes,
-      :schemas, :meta
+    attr_accessor(
+      :uses_defaults,
+      :patch,
+      :bulk,
+      :filter,
+      :changePassword,
+      :sort,
+      :etag,
+      :authenticationSchemes,
+      :schemas,
+      :meta,
+    )
 
     def initialize(attributes = {})
+      @uses_defaults = attributes.empty?
+
       defaults = {
         bulk:           Supportable.unsupported,
         changePassword: Supportable.unsupported,

data/config/initializers/scimitar.rb

@@ -2,101 +2,105 @@
 #
 # For supporting information and rationale, please see README.md.
 
-# =============================================================================
-# SERVICE PROVIDER CONFIGURATION
-# =============================================================================
-#
-# This is a Ruby abstraction over a SCIM entity that declares the capabilities
-# supported by a particular implementation.
-#
-# Typically this is used to declare parts of the standard unsupported, if you
-# don't need them and don't want to provide subclass support.
-#
-Scimitar.service_provider_configuration = Scimitar::ServiceProviderConfiguration.new({
+Rails.application.config.to_prepare do # (required for >= Rails 7 / Zeitwerk)
 
-  # See https://tools.ietf.org/html/rfc7643#section-8.5 for properties.
+  # ===========================================================================
+  # SERVICE PROVIDER CONFIGURATION
+  # ===========================================================================
   #
-  # See Gem source file 'app/models/scimitar/service_provider_configuration.rb'
-  # for defaults. Define Hash keys here that override defaults; e.g. to declare
-  # that filters are not supported so that calling clients shouldn't use them:
+  # This is a Ruby abstraction over a SCIM entity that declares the
+  # capabilities supported by a particular implementation.
   #
-  #   filter: Scimitar::Supported.unsupported
+  # Typically this is used to declare parts of the standard unsupported, if you
+  # don't need them and don't want to provide subclass support.
+  #
+  Scimitar.service_provider_configuration = Scimitar::ServiceProviderConfiguration.new({
 
-})
+    # See https://tools.ietf.org/html/rfc7643#section-8.5 for properties.
+    #
+    # See Gem file 'app/models/scimitar/service_provider_configuration.rb'
+    # for defaults. Define Hash keys here that override defaults; e.g. to
+    # declare that filters are not supported so that calling clients shouldn't
+    # use them:
+    #
+    #   filter: Scimitar::Supported.unsupported
 
-# =============================================================================
-# ENGINE CONFIGURATION
-# =============================================================================
-#
-# This is where you provide callbacks for things like authorisation or mixins
-# that get included into all Scimitar-derived controllers (for things like
-# before-actions that apply to all Scimitar controller-based routes).
-#
-Scimitar.engine_configuration = Scimitar::EngineConfiguration.new({
+  })
 
-  # If you have filters you want to run for any Scimitar action/route, you can
-  # define them here. For example, you might use a before-action to set up some
-  # multi-tenancy related state, or skip Rails CSRF token verification/
-  #
-  # For example:
-  #
-  #     application_controller_mixin: Module.new do
-  #       def self.included(base)
-  #         base.class_eval do
+  # ===========================================================================
+  # ENGINE CONFIGURATION
+  # ===========================================================================
   #
-  #           # Anything here is written just as you'd write it at the top of
-  #           # one of your controller classes, but it gets included in all
-  #           # Scimitar classes too.
+  # This is where you provide callbacks for things like authorisation or mixins
+  # that get included into all Scimitar-derived controllers (for things like
+  # before-actions that apply to all Scimitar controller-based routes).
   #
-  #           skip_before_action    :verify_authenticity_token
-  #           prepend_before_action :setup_some_kind_of_multi_tenancy_data
-  #         end
-  #       end
-  #     end, # ...other configuration entries might follow...
+  Scimitar.engine_configuration = Scimitar::EngineConfiguration.new({
 
-  # If you want to support username/password authentication:
-  #
-  #     basic_authenticator: Proc.new do | username, password |
-  #       # Check username/password and return 'true' if valid, else 'false'.
-  #     end, # ...other configuration entries might follow...
-  #
-  # The 'username' and 'password' parameters come from Rails:
-  #
-  #   https://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Basic.html
-  #   https://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Basic/ControllerMethods.html#method-i-authenticate_with_http_basic
+    # If you have filters you want to run for any Scimitar action/route, you
+    # can define them here. For example, you might use a before-action to set
+    # up some multi-tenancy related state, or skip Rails CSRF token
+    # verification. For example:
+    #
+    #     application_controller_mixin: Module.new do
+    #       def self.included(base)
+    #         base.class_eval do
+    #
+    #           # Anything here is written just as you'd write it at the top of
+    #           # one of your controller classes, but it gets included in all
+    #           # Scimitar classes too.
+    #
+    #           skip_before_action    :verify_authenticity_token
+    #           prepend_before_action :setup_some_kind_of_multi_tenancy_data
+    #         end
+    #       end
+    #     end, # ...other configuration entries might follow...
 
-  # If you want to support HTTP bearer token (OAuth-style) authentication:
-  #
-  #     token_authenticator: Proc.new do | token, options |
-  #       # Check token and return 'true' if valid, else 'false'.
-  #     end, # ...other configuration entries might follow...
-  #
-  # The 'token' and 'options' parameters come from Rails:
-  #
-  #   https://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token.html
-  #   https://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token/ControllerMethods.html#method-i-authenticate_with_http_token
-  #
-  # Note that both basic and token authentication can be declared, with the
-  # parameters in the inbound HTTP request determining which is invoked.
+    # If you want to support username/password authentication:
+    #
+    #     basic_authenticator: Proc.new do | username, password |
+    #       # Check username/password and return 'true' if valid, else 'false'.
+    #     end, # ...other configuration entries might follow...
+    #
+    # The 'username' and 'password' parameters come from Rails:
+    #
+    #   https://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Basic.html
+    #   https://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Basic/ControllerMethods.html#method-i-authenticate_with_http_basic
 
-  # Scimitar rescues certain error cases and exceptions, in order to return a
-  # JSON response to the API caller. If you want exceptions to also be
-  # reported to a third party system such as sentry.io or raygun.com, you can
-  # configure a Proc to do so. It is passed a Ruby exception subclass object.
-  # For example, a minimal sentry.io reporter might do this:
-  #
-  #     exception_reporter: Proc.new do | exception |
-  #       Sentry.capture_exception(exception)
-  #     end
-  #
-  # You will still need to configure your reporting system according to its
-  # documentation (e.g. via a Rails "config/initializers/<foo>.rb" file).
+    # If you want to support HTTP bearer token (OAuth-style) authentication:
+    #
+    #     token_authenticator: Proc.new do | token, options |
+    #       # Check token and return 'true' if valid, else 'false'.
+    #     end, # ...other configuration entries might follow...
+    #
+    # The 'token' and 'options' parameters come from Rails:
+    #
+    #   https://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token.html
+    #   https://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token/ControllerMethods.html#method-i-authenticate_with_http_token
+    #
+    # Note that both basic and token authentication can be declared, with the
+    # parameters in the inbound HTTP request determining which is invoked.
 
-  # Scimilar treats "VDTP" (Value, Display, Type, Primary) attribute values,
-  # used for e.g. e-mail addresses or phone numbers, as required by default.
-  # If you encounter a service which calls these with e.g. "null" value data,
-  # you can configure all values to be optional. You'll need to deal with
-  # whatever that means for you receiving system in your model code.
-  #
-  #     optional_value_fields_required: false
-})
+    # Scimitar rescues certain error cases and exceptions, in order to return a
+    # JSON response to the API caller. If you want exceptions to also be
+    # reported to a third party system such as sentry.io or raygun.com, you can
+    # configure a Proc to do so. It is passed a Ruby exception subclass object.
+    # For example, a minimal sentry.io reporter might do this:
+    #
+    #     exception_reporter: Proc.new do | exception |
+    #       Sentry.capture_exception(exception)
+    #     end
+    #
+    # You will still need to configure your reporting system according to its
+    # documentation (e.g. via a Rails "config/initializers/<foo>.rb" file).
+
+    # Scimilar treats "VDTP" (Value, Display, Type, Primary) attribute values,
+    # used for e.g. e-mail addresses or phone numbers, as required by default.
+    # If you encounter a service which calls these with e.g. "null" value data,
+    # you can configure all values to be optional. You'll need to deal with
+    # whatever that means for you receiving system in your model code.
+    #
+    #     optional_value_fields_required: false
+  })
+
+end

data/lib/scimitar/version.rb

@@ -3,11 +3,11 @@ module Scimitar
   # Gem version. If this changes, be sure to re-run "bundle install" or
   # "bundle update".
   #
-  VERSION = '1.5.2'
+  VERSION = '1.6.0'
 
   # Date for VERSION. If this changes, be sure to re-run "bundle install"
   # or "bundle update".
   #
-  DATE = '2023-03-21'
+  DATE = '2023-09-25'
 
 end

data/lib/scimitar.rb

@@ -4,7 +4,9 @@ require 'scimitar/engine'
 
 module Scimitar
   def self.service_provider_configuration=(custom_configuration)
-    @service_provider_configuration = custom_configuration
+    if @service_provider_configuration.nil? || ! custom_configuration.uses_defaults
+      @service_provider_configuration = custom_configuration
+    end
   end
 
   def self.service_provider_configuration(location:)
@@ -14,7 +16,9 @@ module Scimitar
   end
 
   def self.engine_configuration=(custom_configuration)
-    @engine_configuration = custom_configuration
+    if @engine_configuration.nil? || ! custom_configuration.uses_defaults
+      @engine_configuration = custom_configuration
+    end
   end
 
   def self.engine_configuration

data/spec/apps/dummy/app/models/mock_user.rb

@@ -15,6 +15,7 @@ class MockUser < ActiveRecord::Base
     work_phone_number
     organization
     department
+    mock_groups
   }
 
   has_and_belongs_to_many :mock_groups
@@ -90,7 +91,17 @@ class MockUser < ActiveRecord::Base
       # "spec/apps/dummy/config/initializers/scimitar.rb".
       #
       organization: :organization,
-      department:   :department
+      department:   :department,
+      userGroups: [
+        {
+          list:      :mock_groups,
+          find_with: ->(value) { MockGroup.find(value["value"]) },
+          using: {
+            value:   :id,
+            display: :display_name
+          }
+        }
+      ]
     }
   end
 
@@ -105,6 +116,8 @@ class MockUser < ActiveRecord::Base
       'meta.lastModified' => { column: :updated_at },
       'name.givenName'    => { column: :first_name },
       'name.familyName'   => { column: :last_name  },
+      'groups'            => { column: MockGroup.arel_table[:id] },
+      'groups.value'      => { column: MockGroup.arel_table[:id] },
       'emails'            => { columns: [ :work_email_address, :home_email_address ] },
       'emails.value'      => { columns: [ :work_email_address, :home_email_address ] },
       'emails.type'       => { ignore: true } # We can't filter on that; it'll just search all e-mails

data/spec/apps/dummy/config/initializers/scimitar.rb

@@ -9,6 +9,14 @@
 #
 # All related schema tests are written with this in mind.
 #
+# Further, https://github.com/RIPAGlobal/scimitar/pull/54 fixed warning
+# messages in a way that worked on Rails 6+ but, for V1 Scimitar, it would
+# break existing working setups that didn't use the +to_prepare+ wrapper. Their
+# application configuration would be written *first* but then *overwritten* by
+# the default +to_prepare+ block in Scimitar itself, since that runs later. The
+# file below does *not* use +to_prepare+ in order to test the workaround that
+# was produced; it should work on all Ruby versions as-is.
+#
 Scimitar.engine_configuration = Scimitar::EngineConfiguration.new({
 
   application_controller_mixin: Module.new do

data/spec/apps/dummy/config/routes.rb

@@ -6,12 +6,12 @@
 Rails.application.routes.draw do
   mount Scimitar::Engine, at: '/'
 
-  get    'Users',     to: 'mock_users#index'
-  get    'Users/:id', to: 'mock_users#show'
-  post   'Users',     to: 'mock_users#create'
-  put    'Users/:id', to: 'mock_users#replace'
-  patch  'Users/:id', to: 'mock_users#update'
-  delete 'Users/:id', to: 'mock_users#destroy'
+  get    'Users',      to: 'mock_users#index'
+  get    'Users/:id',  to: 'mock_users#show'
+  post   'Users',      to: 'mock_users#create'
+  put    'Users/:id',  to: 'mock_users#replace'
+  patch  'Users/:id',  to: 'mock_users#update'
+  delete 'Users/:id',  to: 'mock_users#destroy'
 
   get    'Groups',     to: 'mock_groups#index'
   get    'Groups/:id', to: 'mock_groups#show'

data/spec/models/scimitar/lists/query_parser_spec.rb

@@ -481,6 +481,66 @@ RSpec.describe Scimitar::Lists::QueryParser do
       end
     end # "context 'when instructed to ignore an attribute' do"
 
+    context 'when an arel column is mapped' do
+      let(:scope_with_groups) { MockUser.left_joins(:mock_groups) }
+
+      context 'with binary operators' do
+        it 'reads across all using OR' do
+          @instance.parse('groups eq "12345"')
+          query = @instance.to_activerecord_query(scope_with_groups)
+
+          expect(query.to_sql).to eql(<<~SQL.squish)
+            SELECT "mock_users".*
+            FROM "mock_users"
+              LEFT OUTER JOIN "mock_groups_users" ON "mock_groups_users"."mock_user_id" = "mock_users"."primary_key"
+              LEFT OUTER JOIN "mock_groups" ON "mock_groups"."id" = "mock_groups_users"."mock_group_id"
+            WHERE "mock_groups"."id" ILIKE 12345
+          SQL
+        end
+
+        it 'works with other query elements using correct precedence' do
+          @instance.parse('groups eq "12345" and emails eq "any@test.com"')
+          query = @instance.to_activerecord_query(scope_with_groups)
+
+          expect(query.to_sql).to eql(<<~SQL.squish)
+            SELECT "mock_users".*
+            FROM "mock_users"
+              LEFT OUTER JOIN "mock_groups_users" ON "mock_groups_users"."mock_user_id" = "mock_users"."primary_key"
+              LEFT OUTER JOIN "mock_groups" ON "mock_groups"."id" = "mock_groups_users"."mock_group_id"
+            WHERE "mock_groups"."id" ILIKE 12345 AND ("mock_users"."work_email_address" ILIKE 'any@test.com' OR "mock_users"."home_email_address" ILIKE 'any@test.com')
+          SQL
+        end
+      end # "context 'with binary operators' do"
+
+      context 'with unary operators' do
+        it 'reads across all using OR' do
+          @instance.parse('groups pr')
+          query = @instance.to_activerecord_query(scope_with_groups)
+
+          expect(query.to_sql).to eql(<<~SQL.squish)
+            SELECT "mock_users".*
+            FROM "mock_users"
+              LEFT OUTER JOIN "mock_groups_users" ON "mock_groups_users"."mock_user_id" = "mock_users"."primary_key"
+              LEFT OUTER JOIN "mock_groups" ON "mock_groups"."id" = "mock_groups_users"."mock_group_id"
+            WHERE ("mock_groups"."id" != NULL AND "mock_groups"."id" IS NOT NULL)
+          SQL
+        end
+
+        it 'works with other query elements using correct precedence' do
+          @instance.parse('name.familyName eq "John" and groups pr')
+          query = @instance.to_activerecord_query(scope_with_groups)
+
+          expect(query.to_sql).to eql(<<~SQL.squish)
+            SELECT "mock_users".*
+            FROM "mock_users"
+              LEFT OUTER JOIN "mock_groups_users" ON "mock_groups_users"."mock_user_id" = "mock_users"."primary_key"
+              LEFT OUTER JOIN "mock_groups" ON "mock_groups"."id" = "mock_groups_users"."mock_group_id"
+            WHERE "mock_users"."last_name" ILIKE 'John' AND ("mock_groups"."id" != NULL AND "mock_groups"."id" IS NOT NULL)
+          SQL
+        end
+      end # "context 'with unary operators' do
+    end # "context 'when an arel column is mapped' do"
+
     context 'with complex cases' do
       context 'using AND' do
         it 'generates expected SQL' do
@@ -532,6 +592,13 @@ RSpec.describe Scimitar::Lists::QueryParser do
           expect(query.to_sql).to eql(%q{SELECT "mock_users".* FROM "mock_users" WHERE "mock_users"."first_name" ILIKE 'Jane' AND ("mock_users"."last_name" ILIKE '%avi%' OR "mock_users"."last_name" ILIKE '%ith')})
         end
 
+        it 'combined parentheses generates expected SQL' do
+          @instance.parse('(name.givenName eq "Jane" OR name.givenName eq "Jaden") and (name.familyName co "avi" or name.familyName ew "ith")')
+          query = @instance.to_activerecord_query(MockUser.all)
+
+          expect(query.to_sql).to eql(%q{SELECT "mock_users".* FROM "mock_users" WHERE ("mock_users"."first_name" ILIKE 'Jane' OR "mock_users"."first_name" ILIKE 'Jaden') AND ("mock_users"."last_name" ILIKE '%avi%' OR "mock_users"."last_name" ILIKE '%ith')})
+        end
+
         it 'finds expected items' do
           user_1 = MockUser.create(username: '1', first_name: 'Jane', last_name: 'Davis')   # Match
           user_2 = MockUser.create(username: '2', first_name: 'Jane', last_name: 'Smith')   # Match

data/spec/models/scimitar/resources/base_spec.rb

@@ -267,7 +267,10 @@ RSpec.describe Scimitar::Resources::Base do
         end
 
         def self.scim_attributes
-          [ Scimitar::Schema::Attribute.new(name: 'relationship', type: 'string', required: true) ]
+          [
+            Scimitar::Schema::Attribute.new(name: 'relationship', type: 'string', required: true),
+            Scimitar::Schema::Attribute.new(name: "userGroups", multiValued: true, complexType: Scimitar::ComplexTypes::ReferenceGroup, mutability: "writeOnly")
+          ]
         end
       end
 
@@ -291,6 +294,12 @@ RSpec.describe Scimitar::Resources::Base do
           resource = resource_class.new('extension-id' => {relationship: 'GAGA'})
           expect(resource.relationship).to eql('GAGA')
         end
+
+        it 'allows setting complex extension attributes' do
+          user_groups = [{ value: '123' }, { value: '456'}]
+          resource = resource_class.new('extension-id' => {userGroups: user_groups})
+          expect(resource.userGroups.map(&:value)).to eql(['123', '456'])
+        end
       end # "context '#initialize' do"
 
       context '#as_json' do

data/spec/models/scimitar/resources/mixin_spec.rb

@@ -2685,6 +2685,14 @@ RSpec.describe Scimitar::Resources::Mixin do
       #
       context 'public interface' do
         shared_examples 'a patcher' do | force_upper_case: |
+          it 'gives the user a comprehensible error when operations are missing' do
+            patch = { 'schemas' => ['urn:ietf:params:scim:api:messages:2.0:PatchOp'] }
+
+            expect do
+              @instance.from_scim_patch!(patch_hash: patch)
+            end.to raise_error Scimitar::InvalidSyntaxError, "Missing PATCH \"operations\""
+          end
+
           it 'which updates simple values' do
             @instance.update!(username: 'foo')
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: scimitar
 version: !ruby/object:Gem::Version
-  version: 1.5.2
+  version: 1.6.0
 platform: ruby
 authors:
 - RIPA Global
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-03-21 00:00:00.000000000 Z
+date: 2023-09-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails