scimitar 2.3.0 → 2.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3904e389b3b00b4c49df6d9267cc0b5413613ed56b544ee888dd4b3bfa9d7489
-  data.tar.gz: 93b14676bda6d86d4add6c0bcbf8ae6415ff49177b384f2b75571a304485d87f
+  metadata.gz: 7db2b533d9bc2fe1e359a12ad51fea89bdd5498589451b16b99987ca0cd99f09
+  data.tar.gz: 7b30102df8ee36d8bac2698ef150a3537c7b40f6193a64e3baed7e8d6c8386d4
 SHA512:
-  metadata.gz: f1fad29d6ba090ad00b55bdf59f1050aacd1858d4e511e726d3fa501a37389e57777cd2cb2253c20972106e567a3f4b5e07ecd53a17723dcab2517f0c8ab99cf
-  data.tar.gz: 30a1c3ad4c6653b347cf00228cad99b88a3dc4a2da45fe311b61d0a0f2d08db723fabf2041e3d72f1d1cea28d633c540322394841723bdd8db7d805e49819eb4
+  metadata.gz: 238c6bdebc57c0d8c186ad77d8222a79c7f9fad98b86a1d564c2c27d62a58dd809c1a4b2a7a9c57af535728f6a23d36821c12e74be81e8191d96960cdd1d1db9
+  data.tar.gz: 684c778f5e3d03719b3df872ca8efcb29a18cd802360964282e38ed914b095676aeec4556a625c99f2a3de86f898cae1dd989be67614711194fd176a1c5895c1

data/app/models/scimitar/resources/mixin.rb

@@ -443,9 +443,30 @@ module Scimitar
               ci_scim_hash = { 'root' => ci_scim_hash }.with_indifferent_case_insensitive_access()
             end
 
+            # Handle extension schema. Contributed by @bettysteger and
+            # @MorrisFreeman via:
+            #
+            #   https://github.com/RIPAGlobal/scimitar/issues/48
+            #   https://github.com/RIPAGlobal/scimitar/pull/49
+            #
+            # Note the ":" separating the schema ID (URN) from the attribute.
+            # The nature of JSON rendering / other payloads might lead you to
+            # expect a "." as with any complex types, but that's not the case;
+            # see https://tools.ietf.org/html/rfc7644#section-3.10, or
+            # https://tools.ietf.org/html/rfc7644#section-3.5.2 of which in
+            # particular, https://tools.ietf.org/html/rfc7644#page-35.
+            #
+            paths = []
+            self.class.scim_resource_type.extended_schemas.each do |schema|
+              path_str.downcase.split(schema.id.downcase + ':').drop(1).each do |path|
+                paths += [schema.id] + path.split('.')
+              end
+            end
+            paths = path_str.split('.') if paths.empty?
+
             self.from_patch_backend!(
               nature:        nature,
-              path:          (path_str || '').split('.'),
+              path:          paths,
               value:         value,
               altering_hash: ci_scim_hash
             )
@@ -616,7 +637,19 @@ module Scimitar
                 attrs_map_or_leaf_value.each do | scim_attribute, sub_attrs_map_or_leaf_value |
                   next if scim_attribute&.to_s&.downcase == 'id' && path.empty?
 
-                  sub_scim_hash_or_leaf_value = scim_hash_or_leaf_value&.dig(scim_attribute.to_s)
+                  # Handle extension schema. Contributed by @bettysteger and
+                  # @MorrisFreeman via:
+                  #
+                  #   https://github.com/RIPAGlobal/scimitar/issues/48
+                  #   https://github.com/RIPAGlobal/scimitar/pull/49
+                  #
+                  attribute_tree = []
+                  resource_class.extended_schemas.each do |schema|
+                    attribute_tree << schema.id and break if schema.scim_attributes.any? { |attribute| attribute.name == scim_attribute.to_s }
+                  end
+                  attribute_tree << scim_attribute.to_s
+
+                  sub_scim_hash_or_leaf_value = scim_hash_or_leaf_value&.dig(*attribute_tree)
 
                   self.from_scim_backend!(
                     attrs_map_or_leaf_value: sub_attrs_map_or_leaf_value,
@@ -901,14 +934,86 @@ module Scimitar
                   else
                     altering_hash[path_component] = value
                   end
+
                 when 'replace'
                   if path_component == 'root'
                     altering_hash[path_component].merge!(value)
                   else
                     altering_hash[path_component] = value
                   end
+
+                # The array check handles payloads seen from e.g. Microsoft for
+                # remove-user-from-group, where contrary to examples in the RFC
+                # which would imply "payload removes all users", there is the
+                # clear intent to remove just one.
+                #
+                # https://tools.ietf.org/html/rfc7644#section-3.5.2.2
+                # https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#update-group-remove-members
+                #
+                # Since remove-all in the face of remove-one is destructive, we
+                # do a special check here to see if there's an array value for
+                # the array path that the payload yielded. If so, we can match
+                # each value against array items and remove just those items.
+                #
+                # There is an additional special case to handle a bad example
+                # from Salesforce:
+                #
+                #   https://help.salesforce.com/s/articleView?id=sf.identity_scim_manage_groups.htm&type=5
+                #
                 when 'remove'
-                  altering_hash.delete(path_component)
+                  if altering_hash[path_component].is_a?(Array) && value.present?
+
+                    # Handle bad Salesforce example. That might be simply a
+                    # documentation error, but just in case...
+                    #
+                    value = value.values.first if (
+                      path_component&.downcase == 'members' &&
+                      value.is_a?(Hash)                     &&
+                      value.keys.size == 1                  &&
+                      value.keys.first&.downcase == 'members'
+                    )
+
+                    # The Microsoft example provides an array of values, but we
+                    # may as well cope with a value specified 'flat'. Promote
+                    # such a thing to an Array to simplify the following code.
+                    #
+                    value = [value] unless value.is_a?(Array)
+
+                    # For each value item, delete matching array entries. The
+                    # concept of "matching" is:
+                    #
+                    # * For simple non-Hash values (if possible) just delete on
+                    #   an exact match
+                    #
+                    # * For Hash-based values, only delete if all 'patch' keys
+                    #   are present in the resource and all values thus match.
+                    #
+                    # Special case to ignore '$ref' from the Microsoft payload.
+                    #
+                    # Note coercion to strings to account for SCIM vs the usual
+                    # tricky case of underlying implementations with (say)
+                    # integer primary keys, which all end up as strings anyway.
+                    #
+                    value.each do | value_item |
+                      altering_hash[path_component].delete_if do | item |
+                        if item.is_a?(Hash) && value_item.is_a?(Hash)
+                          matched_all = true
+                          value_item.each do | value_key, value_value |
+                            next if value_key == '$ref'
+                            if ! item.key?(value_key) || item[value_key]&.to_s != value_value&.to_s
+                              matched_all = false
+                            end
+                          end
+                          matched_all
+                        else
+                          item&.to_s == value_item&.to_s
+                        end
+                      end
+                    end
+                  else
+                    altering_hash.delete(path_component)
+                  end
+
               end
             end
           end

data/lib/scimitar/version.rb

@@ -3,11 +3,11 @@ module Scimitar
   # Gem version. If this changes, be sure to re-run "bundle install" or
   # "bundle update".
   #
-  VERSION = '2.3.0'
+  VERSION = '2.4.1'
 
   # Date for VERSION. If this changes, be sure to re-run "bundle install"
   # or "bundle update".
   #
-  DATE = '2023-01-17'
+  DATE = '2023-03-02'
 
 end

data/spec/apps/dummy/app/models/mock_user.rb

@@ -15,6 +15,8 @@ class MockUser < ActiveRecord::Base
     work_email_address
     home_email_address
     work_phone_number
+    organization
+    department
   }
 
   has_and_belongs_to_many :mock_groups
@@ -84,7 +86,13 @@ class MockUser < ActiveRecord::Base
           }
         }
       ],
-      active: :is_active
+      active: :is_active,
+
+      # Custom extension schema - see configuration in
+      # "spec/apps/dummy/config/initializers/scimitar.rb".
+      #
+      organization: :organization,
+      department:   :department
     }
   end
 

data/spec/apps/dummy/config/initializers/scimitar.rb

@@ -1,5 +1,14 @@
 # Test app configuration.
 #
+# Note that as a result of https://github.com/RIPAGlobal/scimitar/issues/48,
+# tests include a custom extension of the core User schema. A shortcoming of
+# some of the code from which Scimitar was originally built is that those
+# extensions are done with class-level ivars, so it is largely impossible (or
+# at least, impractical in tests) to avoid polluting the core class itself
+# with the extension.
+#
+# All related schema tests are written with this in mind.
+#
 Rails.application.config.to_prepare do
   Scimitar.engine_configuration = Scimitar::EngineConfiguration.new({
 
@@ -13,4 +22,32 @@ Rails.application.config.to_prepare do
     end
 
   })
+
+  module ScimSchemaExtensions
+    module User
+      class Enterprise < Scimitar::Schema::Base
+        def initialize(options = {})
+          super(
+            name:            'ExtendedUser',
+            description:     'Enterprise extension for a User',
+            id:              self.class.id,
+            scim_attributes: self.class.scim_attributes
+          )
+        end
+
+        def self.id
+          'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'
+        end
+
+        def self.scim_attributes
+          [
+            Scimitar::Schema::Attribute.new(name: 'organization', type: 'string'),
+            Scimitar::Schema::Attribute.new(name: 'department',   type: 'string')
+          ]
+        end
+      end
+    end
+  end
+
+  Scimitar::Resources::User.extend_schema ScimSchemaExtensions::User::Enterprise
 end

data/spec/apps/dummy/config/routes.rb

@@ -15,6 +15,7 @@ Rails.application.routes.draw do
 
   get    'Groups',     to: 'mock_groups#index'
   get    'Groups/:id', to: 'mock_groups#show'
+  patch  'Groups/:id', to: 'mock_groups#update'
 
   # For testing blocks passed to ActiveRecordBackedResourcesController#destroy
   #

data/spec/apps/dummy/db/migrate/20210304014602_create_mock_users.rb

@@ -3,6 +3,8 @@ class CreateMockUsers < ActiveRecord::Migration[6.1]
     create_table :mock_users, id: :uuid, primary_key: :primary_key do |t|
       t.timestamps
 
+      # Support part of the core schema
+      #
       t.text :scim_uid
       t.text :username
       t.text :first_name
@@ -10,6 +12,12 @@ class CreateMockUsers < ActiveRecord::Migration[6.1]
       t.text :work_email_address
       t.text :home_email_address
       t.text :work_phone_number
+
+      # Support the custom extension schema - see configuration in
+      # "spec/apps/dummy/config/initializers/scimitar.rb".
+      #
+      t.text :organization
+      t.text :department
     end
   end
 end

data/spec/apps/dummy/db/schema.rb

@@ -38,6 +38,8 @@ ActiveRecord::Schema[7.0].define(version: 2021_03_08_044214) do
     t.text "work_email_address"
     t.text "home_email_address"
     t.text "work_phone_number"
+    t.text "organization"
+    t.text "department"
   end
 
   add_foreign_key "mock_groups_users", "mock_groups"

data/spec/controllers/scimitar/schemas_controller_spec.rb

@@ -14,9 +14,9 @@ RSpec.describe Scimitar::SchemasController do
       get :index, params: { format: :scim }
       expect(response).to be_ok
       parsed_body = JSON.parse(response.body)
-      expect(parsed_body.length).to eql(2)
+      expect(parsed_body.length).to eql(3)
       schema_names = parsed_body.map {|schema| schema['name']}
-      expect(schema_names).to match_array(['User', 'Group'])
+      expect(schema_names).to match_array(['User', 'ExtendedUser', 'Group'])
     end
 
     it 'returns only the User schema when its id is provided' do

data/spec/models/scimitar/resources/base_spec.rb

@@ -250,90 +250,185 @@ RSpec.describe Scimitar::Resources::Base do
   end # "context 'dynamic setters based on schema' do"
 
   context 'schema extension' do
-    ThirdCustomSchema = Class.new(Scimitar::Schema::Base) do
-      def self.id
-        'custom-id'
-      end
+    context 'of custom schema' do
+      ThirdCustomSchema = Class.new(Scimitar::Schema::Base) do
+        def self.id
+          'custom-id'
+        end
 
-      def self.scim_attributes
-        [ Scimitar::Schema::Attribute.new(name: 'name', type: 'string') ]
+        def self.scim_attributes
+          [ Scimitar::Schema::Attribute.new(name: 'name', type: 'string') ]
+        end
       end
-    end
 
-    ExtensionSchema = Class.new(Scimitar::Schema::Base) do
-      def self.id
-        'extension-id'
-      end
+      ExtensionSchema = Class.new(Scimitar::Schema::Base) do
+        def self.id
+          'extension-id'
+        end
 
-      def self.scim_attributes
-        [ Scimitar::Schema::Attribute.new(name: 'relationship', type: 'string', required: true) ]
+        def self.scim_attributes
+          [ Scimitar::Schema::Attribute.new(name: 'relationship', type: 'string', required: true) ]
+        end
       end
-    end
 
-    let(:resource_class) {
-      Class.new(Scimitar::Resources::Base) do
-        set_schema ThirdCustomSchema
-        extend_schema ExtensionSchema
+      let(:resource_class) {
+        Class.new(Scimitar::Resources::Base) do
+          set_schema ThirdCustomSchema
+          extend_schema ExtensionSchema
 
-        def self.endpoint
-          '/gaga'
+          def self.endpoint
+            '/gaga'
+          end
+
+          def self.resource_type_id
+            'CustomResource'
+          end
         end
+      }
 
-        def self.resource_type_id
-          'CustomResource'
+      context '#initialize' do
+        it 'allows setting extension attributes' do
+          resource = resource_class.new('extension-id' => {relationship: 'GAGA'})
+          expect(resource.relationship).to eql('GAGA')
         end
-      end
-    }
+      end # "context '#initialize' do"
+
+      context '#as_json' do
+        it 'namespaces the extension attributes' do
+          resource = resource_class.new(relationship: 'GAGA')
+          hash = resource.as_json
+          expect(hash["schemas"]).to eql(['custom-id', 'extension-id'])
+          expect(hash["extension-id"]).to eql("relationship" => 'GAGA')
+        end
+      end # "context '#as_json' do"
 
-    context '#initialize' do
-      it 'allows setting extension attributes' do
-        resource = resource_class.new('extension-id' => {relationship: 'GAGA'})
-        expect(resource.relationship).to eql('GAGA')
-      end
-    end # "context '#initialize' do"
+      context '.resource_type' do
+        it 'appends the extension schemas' do
+          resource_type = resource_class.resource_type('http://gaga')
+          expect(resource_type.meta.location).to eql('http://gaga')
+          expect(resource_type.schemaExtensions.count).to eql(1)
+        end
 
-    context '#as_json' do
-      it 'namespaces the extension attributes' do
-        resource = resource_class.new(relationship: 'GAGA')
-        hash = resource.as_json
-        expect(hash["schemas"]).to eql(['custom-id', 'extension-id'])
-        expect(hash["extension-id"]).to eql("relationship" => 'GAGA')
-      end
-    end # "context '#as_json' do"
+        context 'validation' do
+          it 'validates into custom schema' do
+            resource = resource_class.new('extension-id' => {})
+            expect(resource.valid?).to eql(false)
 
-    context '.resource_type' do
-      it 'appends the extension schemas' do
-        resource_type = resource_class.resource_type('http://gaga')
-        expect(resource_type.meta.location).to eql('http://gaga')
-        expect(resource_type.schemaExtensions.count).to eql(1)
-      end
+            resource = resource_class.new('extension-id' => {relationship: 'GAGA'})
+            expect(resource.relationship).to eql('GAGA')
+            expect(resource.valid?).to eql(true)
+          end
+        end # context 'validation'
+      end # "context '.resource_type' do"
 
-      context 'validation' do
-        it 'validates into custom schema' do
-          resource = resource_class.new('extension-id' => {})
-          expect(resource.valid?).to eql(false)
+      context '.find_attribute' do
+        it 'finds in first schema' do
+          found = resource_class().find_attribute('name') # Defined in ThirdCustomSchema
+          expect(found).to be_present
+          expect(found.name).to eql('name')
+          expect(found.type).to eql('string')
+        end
 
-          resource = resource_class.new('extension-id' => {relationship: 'GAGA'})
-          expect(resource.relationship).to eql('GAGA')
-          expect(resource.valid?).to eql(true)
+        it 'finds across schemas' do
+          found = resource_class().find_attribute('relationship') # Defined in ExtensionSchema
+          expect(found).to be_present
+          expect(found.name).to eql('relationship')
+          expect(found.type).to eql('string')
         end
-      end # context 'validation'
-    end # "context '.resource_type' do"
+      end # "context '.find_attribute' do"
+    end # "context 'of custom schema' do"
 
-    context '.find_attribute' do
-      it 'finds in first schema' do
-        found = resource_class().find_attribute('name') # Defined in ThirdCustomSchema
-        expect(found).to be_present
-        expect(found.name).to eql('name')
-        expect(found.type).to eql('string')
-      end
+    context 'of core schema' do
+      EnterpriseExtensionSchema = Class.new(Scimitar::Schema::Base) do
+        def self.id
+          'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'
+        end
 
-      it 'finds across schemas' do
-        found = resource_class().find_attribute('relationship') # Defined in ExtensionSchema
-        expect(found).to be_present
-        expect(found.name).to eql('relationship')
-        expect(found.type).to eql('string')
+        def self.scim_attributes
+          [
+            Scimitar::Schema::Attribute.new(name: 'organization', type: 'string'),
+            Scimitar::Schema::Attribute.new(name: 'department',   type: 'string')
+          ]
+        end
       end
-    end # "context '.find_attribute' do"
+
+      let(:resource_class) {
+        Class.new(Scimitar::Resources::Base) do
+          set_schema Scimitar::Schema::User
+          extend_schema EnterpriseExtensionSchema
+
+          def self.endpoint
+            '/Users'
+          end
+
+          def self.resource_type_id
+            'User'
+          end
+        end
+      }
+
+      context '#initialize' do
+        it 'allows setting extension attributes' do
+          resource = resource_class.new('urn:ietf:params:scim:schemas:extension:enterprise:2.0:User' => {organization: 'SOMEORG', department: 'SOMEDPT'})
+
+          expect(resource.organization).to eql('SOMEORG')
+          expect(resource.department  ).to eql('SOMEDPT')
+        end
+      end # "context '#initialize' do"
+
+      context '#as_json' do
+        it 'namespaces the extension attributes' do
+          resource = resource_class.new(organization: 'SOMEORG', department: 'SOMEDPT')
+          hash = resource.as_json
+
+          expect(hash['schemas']).to eql(['urn:ietf:params:scim:schemas:core:2.0:User', 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'])
+          expect(hash['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']).to eql('organization' => 'SOMEORG', 'department' => 'SOMEDPT')
+        end
+      end # "context '#as_json' do"
+
+      context '.resource_type' do
+        it 'appends the extension schemas' do
+          resource_type = resource_class.resource_type('http://example.com')
+          expect(resource_type.meta.location).to eql('http://example.com')
+          expect(resource_type.schemaExtensions.count).to eql(1)
+        end
+
+        context 'validation' do
+          it 'validates into custom schema' do
+            resource = resource_class.new('urn:ietf:params:scim:schemas:extension:enterprise:2.0:User' => {})
+            expect(resource.valid?).to eql(false)
+
+            resource = resource_class.new(
+              'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User' => {
+                userName:     'SOMEUSR',
+                organization: 'SOMEORG',
+                department:   'SOMEDPT'
+              }
+            )
+
+            expect(resource.organization).to eql('SOMEORG')
+            expect(resource.department  ).to eql('SOMEDPT')
+            expect(resource.valid?      ).to eql(true)
+          end
+        end # context 'validation'
+      end # "context '.resource_type' do"
+
+      context '.find_attribute' do
+        it 'finds in first schema' do
+          found = resource_class().find_attribute('userName') # Defined in Scimitar::Schema::User
+
+          expect(found).to be_present
+          expect(found.name).to eql('userName')
+          expect(found.type).to eql('string')
+        end
+
+        it 'finds across schemas' do
+          found = resource_class().find_attribute('organization') # Defined in EnterpriseExtensionSchema
+          expect(found).to be_present
+          expect(found.name).to eql('organization')
+          expect(found.type).to eql('string')
+        end
+      end # "context '.find_attribute' do"
+    end # "context 'of core schema' do"
   end # "context 'schema extension' do"
 end