scimitar 2.4.3 → 2.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 243c45d533641c64634fc4c1aac05455c27e92aff2169ed313ba07aacc803bb2
-  data.tar.gz: b9930256cc4681b7025e2c1a6791588ae4a5cef7f574e6ed311f1cf0cdae6791
+  metadata.gz: 13a1cc0fad873f6524c65d4d24c6556d22b75abcd13ecdbb422d074a8ce94afc
+  data.tar.gz: 9244ab9bcf9f32b3a8e9b6b16653c92f0e7a228320f7c3fefe751e7bee290372
 SHA512:
-  metadata.gz: bffee2a6076dac93761cbd10e6f72d2fddd6f1504c6d305869d260df964175ae960a900bbb19d081f88962235885cd47953f04348f749860d028ccdcfe67e74c
-  data.tar.gz: 3f85427568803c6e5f4ebf00bf5759acf85be72b8e38eb26010e93a54afd48879f7dd106e11683c05ddcdb9d89411d674a55ca581be8a91dca6a7c882629a937
+  metadata.gz: bc24687beb3d360e5b548b617b699a9b0a6384f3b1477336b18a95fc4647d1364727dd4bf66984a05efc7d06210689a7ad33f662c82ff42b81abae4e1aa26584
+  data.tar.gz: 9291068aae0c3eb047eedaaf9d2d7587aa49bfd7703b8d4db0235a15a43b2d8d0e3ddeaf5784f432f3f0df0edb6bc8099e85d1eb5937ca262399634d3fc51965

data/app/controllers/scimitar/active_record_backed_resources_controller.rb

@@ -153,7 +153,13 @@ module Scimitar
       # Save a record, dealing with validation exceptions by raising SCIM
       # errors.
       #
-      # +record+:: ActiveRecord subclass to save (via #save!).
+      # +record+:: ActiveRecord subclass to save.
+      #
+      # If you just let this superclass handle things, it'll call the standard
+      # +#save!+ method on the record. If you pass a block, then this block is
+      # invoked and passed the ActiveRecord model instance to be saved. You can
+      # then do things like calling a different method, using a service object of
+      # some kind, perform audit-related operations and so-on.
       #
       # The return value is not used internally, making life easier for
       # overriding subclasses to "do the right thing" / avoid mistakes (instead
@@ -161,10 +167,21 @@ module Scimitar
       # and relying upon this to generate correct response payloads - an early
       # version of the gem did this and it caused a confusing subclass bug).
       #
-      def save!(record)
-        record.save!
-
+      def save!(record, &block)
+        if block_given?
+          yield(record)
+        else
+          record.save!
+        end
       rescue ActiveRecord::RecordInvalid => exception
+        handle_invalid_record(exception.record)
+      end
+
+      # Deal with validation errors by responding with an appropriate SCIM error.
+      #
+      # +record+:: The record with validation errors.
+      #
+      def handle_invalid_record(record)
         joined_errors = record.errors.full_messages.join('; ')
 
         # https://tools.ietf.org/html/rfc7644#page-12

data/app/controllers/scimitar/schemas_controller.rb

@@ -4,6 +4,11 @@ module Scimitar
   class SchemasController < ApplicationController
     def index
       schemas = Scimitar::Engine.schemas
+
+      schemas.each do |schema|
+        schema.meta.location = scim_schemas_url(name: schema.id)
+      end
+
       schemas_by_id = schemas.reduce({}) do |hash, schema|
         hash[schema.id] = schema
         hash

data/app/models/scimitar/lists/query_parser.rb

@@ -192,7 +192,7 @@ module Scimitar
 
             ast.push(self.start_group? ? self.parse_group() : self.pop())
 
-            unless ! ast.last.is_a?(String) || UNARY_OPERATORS.include?(ast.last.downcase)
+            if ast.last.is_a?(String) && !UNARY_OPERATORS.include?(ast.last.downcase) || ast.last.is_a?(Array)
               expect_op ^= true
             end
           end
@@ -601,9 +601,15 @@ module Scimitar
           column_names   = self.activerecord_columns(scim_attribute)
           value          = self.activerecord_parameter(scim_parameter)
           value_for_like = self.sql_modified_value(scim_operator, value)
-          all_supported  = column_names.all? { | column_name | base_scope.model.column_names.include?(column_name.to_s) }
+          arel_columns   = column_names.map do |column|
+            if base_scope.model.column_names.include?(column.to_s)
+              arel_table[column]
+            elsif column.is_a?(Arel::Attribute)
+              column
+            end
+          end
 
-          raise Scimitar::FilterError unless all_supported
+          raise Scimitar::FilterError unless arel_columns.all?
 
           unless case_sensitive
             lc_scim_attribute = scim_attribute.downcase()
@@ -615,8 +621,7 @@ module Scimitar
             )
           end
 
-          column_names.each.with_index do | column_name, index |
-            arel_column    = arel_table[column_name]
+          arel_columns.each.with_index do | arel_column, index |
             arel_operation = case scim_operator
               when 'eq'
                 if case_sensitive
@@ -641,7 +646,7 @@ module Scimitar
               when 'co', 'sw', 'ew'
                 arel_column.matches(value_for_like, nil, case_sensitive)
               when 'pr'
-                arel_table.grouping(arel_column.not_eq_all(['', nil]))
+                arel_column.relation.grouping(arel_column.not_eq_all(['', nil]))
               else
                 raise Scimitar::FilterError.new("Unsupported operator: '#{scim_operator}'")
             end

data/app/models/scimitar/resources/base.rb

@@ -112,7 +112,7 @@ module Scimitar
       end
 
       def self.complex_scim_attributes
-        schema.scim_attributes.select(&:complexType).group_by(&:name)
+        schemas.flat_map(&:scim_attributes).select(&:complexType).group_by(&:name)
       end
 
       def complex_type_from_hash(scim_attribute, attr_value)
@@ -139,13 +139,23 @@ module Scimitar
 
       def as_json(options = {})
         self.meta = Meta.new unless self.meta && self.meta.is_a?(Meta)
-        meta.resourceType = self.class.resource_type_id
-        original_hash = super(options).except('errors')
+        self.meta.resourceType = self.class.resource_type_id
+
+        non_returnable_attributes = self.class
+          .schemas
+          .flat_map(&:scim_attributes)
+          .filter_map { |attribute| attribute.name if attribute.returned == 'never' }
+
+        non_returnable_attributes << 'errors'
+
+        original_hash = super(options).except(*non_returnable_attributes)
         original_hash.merge!('schemas' => self.class.schemas.map(&:id))
+
         self.class.extended_schemas.each do |extension_schema|
           extension_attributes = extension_schema.scim_attributes.map(&:name)
           original_hash.merge!(extension_schema.id => original_hash.extract!(*extension_attributes))
         end
+
         original_hash
       end
 

data/app/models/scimitar/resources/mixin.rb

@@ -220,13 +220,8 @@ module Scimitar
     # allow for different client searching "styles", given ambiguities in RFC
     # 7644 filter examples).
     #
-    # Each value is a Hash with Symbol keys ':column', naming just one simple
-    # column for a mapping; ':columns', with an Array of column names that you
-    # want to map using 'OR' for a single search on the corresponding SCIM
-    # attribute; or ':ignore' with value 'true', which means that a fitler on
-    # the matching attribute is ignored rather than resulting in an "invalid
-    # filter" exception - beware possibilities for surprised clients getting a
-    # broader result set than expected. Example:
+    # Each value is a hash of queryable SCIM attribute options, described
+    # below - for example:
     #
     #     def self.scim_queryable_attributes
     #       return {
@@ -234,10 +229,27 @@ module Scimitar
     #         'name.familyName' => { column: :last_name  },
     #         'emails'          => { columns: [ :work_email_address, :home_email_address ] },
     #         'emails.value'    => { columns: [ :work_email_address, :home_email_address ] },
-    #         'emails.type'     => { ignore: true }
+    #         'emails.type'     => { ignore: true },
+    #         'groups.value'    => { column: Group.arel_table[:id] }
     #       }
     #     end
     #
+    # Column references can be either a Symbol representing a column within
+    # the resource model table, or an <tt>Arel::Attribute</tt> instance via
+    # e.g. <tt>MyModel.arel_table[:my_column]</tt>.
+    #
+    # === Queryable SCIM attribute options
+    #
+    # +:column+::  Just one simple column for a mapping.
+    #
+    # +:columns+:: An Array of columns that you want to map using 'OR' for a
+    #              single search of the corresponding entity.
+    #
+    # +:ignore+::  When set to +true+, the matching attribute is ignored rather
+    #              than resulting in an "invalid filter" exception. Beware
+    #              possibilities for surprised clients getting a broader result
+    #              set than expected, since a constraint may have been ignored.
+    #
     # Filtering is currently limited and searching within e.g. arrays of data
     # is not supported; only simple top-level keys can be mapped.
     #
@@ -406,8 +418,11 @@ module Scimitar
         def from_scim_patch!(patch_hash:)
           frozen_ci_patch_hash = patch_hash.with_indifferent_case_insensitive_access().freeze()
           ci_scim_hash         = self.to_scim(location: '(unused)').as_json().with_indifferent_case_insensitive_access()
+          operations           = frozen_ci_patch_hash['operations']
+
+          raise Scimitar::InvalidSyntaxError.new("Missing PATCH \"operations\"") unless operations
 
-          frozen_ci_patch_hash['operations'].each do |operation|
+          operations.each do |operation|
             nature   = operation['op'   ]&.downcase
             path_str = operation['path' ]
             value    = operation['value']

data/app/models/scimitar/schema/attribute.rb

@@ -93,12 +93,21 @@ module Scimitar
       end
 
       def valid_simple_type?(value)
-        valid = (type == 'string' && value.is_a?(String)) ||
+        if multiValued
+          valid = value.is_a?(Array) && value.all? { |v| simple_type?(v) }
+          errors.add(self.name, "or one of its elements has the wrong type. It has to be an array of #{self.type}s.") unless valid
+        else
+          valid = simple_type?(value)
+          errors.add(self.name, "has the wrong type. It has to be a(n) #{self.type}.") unless valid
+        end
+        valid
+      end
+
+      def simple_type?(value)
+        (type == 'string' && value.is_a?(String)) ||
           (type == 'boolean' && (value.is_a?(TrueClass) || value.is_a?(FalseClass))) ||
           (type == 'integer' && (value.is_a?(Integer))) ||
           (type == 'dateTime' && valid_date_time?(value))
-        errors.add(self.name, "has the wrong type. It has to be a(n) #{self.type}.") unless valid
-        valid
       end
 
       def valid_date_time?(value)

data/app/models/scimitar/schema/base.rb

@@ -13,7 +13,7 @@ module Scimitar
 
       # Converts the schema to its json representation that will be returned by /SCHEMAS end-point of a SCIM service provider.
       def as_json(options = {})
-        @meta.location = Scimitar::Engine.routes.url_helpers.scim_schemas_path(name: id)
+        @meta.location ||= Scimitar::Engine.routes.url_helpers.scim_schemas_path(name: id)
         original = super
         original.merge('attributes' => original.delete('scim_attributes'))
       end

data/config/initializers/scimitar.rb

@@ -37,10 +37,11 @@ Rails.application.config.to_prepare do # (required for >= Rails 7 / Zeitwerk)
   #
   Scimitar.engine_configuration = Scimitar::EngineConfiguration.new({
 
-    # If you have filters you want to run for any Scimitar action/route, you
-    # can define them here. For example, you might use a before-action to set
-    # up some multi-tenancy related state, or skip Rails CSRF token
-    # verification. For example:
+    # If you have filters you want to run for any Scimitar action/route, you can
+    # define them here. You can also override any shared controller methods
+    # here. For example, you might use a before-action to set up some
+    # multi-tenancy related state, skip Rails CSRF token verification, or
+    # customize how Scimitar generates URLs:
     #
     #     application_controller_mixin: Module.new do
     #       def self.included(base)
@@ -54,6 +55,10 @@ Rails.application.config.to_prepare do # (required for >= Rails 7 / Zeitwerk)
     #           prepend_before_action :setup_some_kind_of_multi_tenancy_data
     #         end
     #       end
+    #
+    #       def scim_schemas_url(options)
+    #         super(custom_param: 'value', **options)
+    #       end
     #     end, # ...other configuration entries might follow...
 
     # If you want to support username/password authentication:

data/lib/scimitar/version.rb

@@ -3,11 +3,11 @@ module Scimitar
   # Gem version. If this changes, be sure to re-run "bundle install" or
   # "bundle update".
   #
-  VERSION = '2.4.3'
+  VERSION = '2.6.0'
 
   # Date for VERSION. If this changes, be sure to re-run "bundle install"
   # or "bundle update".
   #
-  DATE = '2023-09-16'
+  DATE = '2023-11-14'
 
 end

data/spec/apps/dummy/app/controllers/custom_save_mock_users_controller.rb

@@ -0,0 +1,24 @@
+# For tests only - uses custom 'save!' implementation which passes a block to
+# Scimitar::ActiveRecordBackedResourcesController#save!.
+#
+class CustomSaveMockUsersController < Scimitar::ActiveRecordBackedResourcesController
+
+  CUSTOM_SAVE_BLOCK_USERNAME_INDICATOR = 'Custom save-block invoked'
+
+  protected
+
+    def save!(_record)
+      super do | record |
+        record.update!(username: CUSTOM_SAVE_BLOCK_USERNAME_INDICATOR)
+      end
+    end
+
+    def storage_class
+      MockUser
+    end
+
+    def storage_scope
+      MockUser.all
+    end
+
+end

data/spec/apps/dummy/app/models/mock_user.rb

@@ -10,6 +10,7 @@ class MockUser < ActiveRecord::Base
     primary_key
     scim_uid
     username
+    password
     first_name
     last_name
     work_email_address
@@ -17,6 +18,7 @@ class MockUser < ActiveRecord::Base
     work_phone_number
     organization
     department
+    mock_groups
   }
 
   has_and_belongs_to_many :mock_groups
@@ -45,6 +47,7 @@ class MockUser < ActiveRecord::Base
       id:         :primary_key,
       externalId: :scim_uid,
       userName:   :username,
+      password:   :password,
       name:       {
         givenName:  :first_name,
         familyName: :last_name
@@ -92,7 +95,17 @@ class MockUser < ActiveRecord::Base
       # "spec/apps/dummy/config/initializers/scimitar.rb".
       #
       organization: :organization,
-      department:   :department
+      department:   :department,
+      userGroups: [
+        {
+          list:      :mock_groups,
+          find_with: ->(value) { MockGroup.find(value["value"]) },
+          using: {
+            value:   :id,
+            display: :display_name
+          }
+        }
+      ]
     }
   end
 
@@ -107,6 +120,8 @@ class MockUser < ActiveRecord::Base
       'meta.lastModified' => { column: :updated_at },
       'name.givenName'    => { column: :first_name },
       'name.familyName'   => { column: :last_name  },
+      'groups'            => { column: MockGroup.arel_table[:id] },
+      'groups.value'      => { column: MockGroup.arel_table[:id] },
       'emails'            => { columns: [ :work_email_address, :home_email_address ] },
       'emails.value'      => { columns: [ :work_email_address, :home_email_address ] },
       'emails.type'       => { ignore: true } # We can't filter on that; it'll just search all e-mails

data/spec/apps/dummy/config/initializers/scimitar.rb

@@ -19,6 +19,14 @@ Rails.application.config.to_prepare do
           before_action :test_hook
         end
       end
+
+      def scim_schemas_url(options)
+        super(test: 1, **options)
+      end
+
+      def scim_resource_type_url(options)
+        super(test: 1, **options)
+      end
     end
 
   })

data/spec/apps/dummy/config/routes.rb

@@ -21,6 +21,11 @@ Rails.application.routes.draw do
   #
   delete 'CustomDestroyUsers/:id', to: 'custom_destroy_mock_users#destroy'
 
+  # For testing blocks passed to ActiveRecordBackedResourcesController#save!
+  #
+  post 'CustomSaveUsers', to: 'custom_save_mock_users#create'
+  get 'CustomSaveUsers/:id', to: 'custom_save_mock_users#show'
+
   # For testing environment inside Scimitar::ApplicationController subclasses.
   #
   get  'CustomRequestVerifiers', to: 'custom_request_verifiers#index'

data/spec/apps/dummy/db/migrate/20210304014602_create_mock_users.rb

@@ -7,6 +7,7 @@ class CreateMockUsers < ActiveRecord::Migration[6.1]
       #
       t.text :scim_uid
       t.text :username
+      t.text :password
       t.text :first_name
       t.text :last_name
       t.text :work_email_address

data/spec/apps/dummy/db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.0].define(version: 2021_03_08_044214) do
+ActiveRecord::Schema[7.1].define(version: 2021_03_08_044214) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
 
@@ -33,6 +33,7 @@ ActiveRecord::Schema[7.0].define(version: 2021_03_08_044214) do
     t.datetime "updated_at", null: false
     t.text "scim_uid"
     t.text "username"
+    t.text "password"
     t.text "first_name"
     t.text "last_name"
     t.text "work_email_address"

data/spec/controllers/scimitar/resource_types_controller_spec.rb

@@ -9,8 +9,8 @@ RSpec.describe Scimitar::ResourceTypesController do
     it 'renders the resource type for user' do
       get :index, format: :scim
       response_hash = JSON.parse(response.body)
-      expected_response = [ Scimitar::Resources::User.resource_type(scim_resource_type_url(name: 'User')),
-                            Scimitar::Resources::Group.resource_type(scim_resource_type_url(name: 'Group'))
+      expected_response = [ Scimitar::Resources::User.resource_type(scim_resource_type_url(name: 'User', test: 1)),
+                            Scimitar::Resources::Group.resource_type(scim_resource_type_url(name: 'Group', test: 1))
       ].to_json
 
       response_hash = JSON.parse(response.body)

data/spec/controllers/scimitar/schemas_controller_spec.rb

@@ -1,6 +1,7 @@
 require 'spec_helper'
 
 RSpec.describe Scimitar::SchemasController do
+  routes { Scimitar::Engine.routes }
 
   before(:each) { allow(controller).to receive(:authenticated?).and_return(true) }
 
@@ -26,6 +27,13 @@ RSpec.describe Scimitar::SchemasController do
       expect(parsed_body['name']).to eql('User')
     end
 
+    it 'includes the controller customized schema location' do
+      get :index, params: { name: Scimitar::Schema::User.id, format: :scim }
+      expect(response).to be_ok
+      parsed_body = JSON.parse(response.body)
+      expect(parsed_body.dig('meta', 'location')).to eq scim_schemas_url(name: Scimitar::Schema::User.id, test: 1)
+    end
+
     it 'returns only the Group schema when its id is provided' do
       get :index, params: { name: Scimitar::Schema::Group.id, format: :scim }
       expect(response).to be_ok

data/spec/models/scimitar/lists/query_parser_spec.rb

@@ -481,6 +481,66 @@ RSpec.describe Scimitar::Lists::QueryParser do
       end
     end # "context 'when instructed to ignore an attribute' do"
 
+    context 'when an arel column is mapped' do
+      let(:scope_with_groups) { MockUser.left_joins(:mock_groups) }
+
+      context 'with binary operators' do
+        it 'reads across all using OR' do
+          @instance.parse('groups eq "12345"')
+          query = @instance.to_activerecord_query(scope_with_groups)
+
+          expect(query.to_sql).to eql(<<~SQL.squish)
+            SELECT "mock_users".*
+            FROM "mock_users"
+              LEFT OUTER JOIN "mock_groups_users" ON "mock_groups_users"."mock_user_id" = "mock_users"."primary_key"
+              LEFT OUTER JOIN "mock_groups" ON "mock_groups"."id" = "mock_groups_users"."mock_group_id"
+            WHERE "mock_groups"."id" ILIKE 12345
+          SQL
+        end
+
+        it 'works with other query elements using correct precedence' do
+          @instance.parse('groups eq "12345" and emails eq "any@test.com"')
+          query = @instance.to_activerecord_query(scope_with_groups)
+
+          expect(query.to_sql).to eql(<<~SQL.squish)
+            SELECT "mock_users".*
+            FROM "mock_users"
+              LEFT OUTER JOIN "mock_groups_users" ON "mock_groups_users"."mock_user_id" = "mock_users"."primary_key"
+              LEFT OUTER JOIN "mock_groups" ON "mock_groups"."id" = "mock_groups_users"."mock_group_id"
+            WHERE "mock_groups"."id" ILIKE 12345 AND ("mock_users"."work_email_address" ILIKE 'any@test.com' OR "mock_users"."home_email_address" ILIKE 'any@test.com')
+          SQL
+        end
+      end # "context 'with binary operators' do"
+
+      context 'with unary operators' do
+        it 'reads across all using OR' do
+          @instance.parse('groups pr')
+          query = @instance.to_activerecord_query(scope_with_groups)
+
+          expect(query.to_sql).to eql(<<~SQL.squish)
+            SELECT "mock_users".*
+            FROM "mock_users"
+              LEFT OUTER JOIN "mock_groups_users" ON "mock_groups_users"."mock_user_id" = "mock_users"."primary_key"
+              LEFT OUTER JOIN "mock_groups" ON "mock_groups"."id" = "mock_groups_users"."mock_group_id"
+            WHERE ("mock_groups"."id" != NULL AND "mock_groups"."id" IS NOT NULL)
+          SQL
+        end
+
+        it 'works with other query elements using correct precedence' do
+          @instance.parse('name.familyName eq "John" and groups pr')
+          query = @instance.to_activerecord_query(scope_with_groups)
+
+          expect(query.to_sql).to eql(<<~SQL.squish)
+            SELECT "mock_users".*
+            FROM "mock_users"
+              LEFT OUTER JOIN "mock_groups_users" ON "mock_groups_users"."mock_user_id" = "mock_users"."primary_key"
+              LEFT OUTER JOIN "mock_groups" ON "mock_groups"."id" = "mock_groups_users"."mock_group_id"
+            WHERE "mock_users"."last_name" ILIKE 'John' AND ("mock_groups"."id" != NULL AND "mock_groups"."id" IS NOT NULL)
+          SQL
+        end
+      end # "context 'with unary operators' do
+    end # "context 'when an arel column is mapped' do"
+
     context 'with complex cases' do
       context 'using AND' do
         it 'generates expected SQL' do
@@ -532,6 +592,13 @@ RSpec.describe Scimitar::Lists::QueryParser do
           expect(query.to_sql).to eql(%q{SELECT "mock_users".* FROM "mock_users" WHERE "mock_users"."first_name" ILIKE 'Jane' AND ("mock_users"."last_name" ILIKE '%avi%' OR "mock_users"."last_name" ILIKE '%ith')})
         end
 
+        it 'combined parentheses generates expected SQL' do
+          @instance.parse('(name.givenName eq "Jane" OR name.givenName eq "Jaden") and (name.familyName co "avi" or name.familyName ew "ith")')
+          query = @instance.to_activerecord_query(MockUser.all)
+
+          expect(query.to_sql).to eql(%q{SELECT "mock_users".* FROM "mock_users" WHERE ("mock_users"."first_name" ILIKE 'Jane' OR "mock_users"."first_name" ILIKE 'Jaden') AND ("mock_users"."last_name" ILIKE '%avi%' OR "mock_users"."last_name" ILIKE '%ith')})
+        end
+
         it 'finds expected items' do
           user_1 = MockUser.create(username: '1', first_name: 'Jane', last_name: 'Davis')   # Match
           user_2 = MockUser.create(username: '2', first_name: 'Jane', last_name: 'Smith')   # Match

data/spec/models/scimitar/resources/base_spec.rb

@@ -14,7 +14,10 @@ RSpec.describe Scimitar::Resources::Base do
           ),
           Scimitar::Schema::Attribute.new(
             name: 'names', multiValued: true, complexType: Scimitar::ComplexTypes::Name, required: false
-          )
+          ),
+          Scimitar::Schema::Attribute.new(
+            name: 'privateName', complexType: Scimitar::ComplexTypes::Name, required: false, returned: false
+          ),
         ]
       end
     end
@@ -30,6 +33,10 @@ RSpec.describe Scimitar::Resources::Base do
             name: {
               givenName:  'John',
               familyName: 'Smith'
+            },
+            privateName: {
+              givenName:  'Alt John',
+              familyName: 'Alt Smith'
             }
           }
 
@@ -39,6 +46,9 @@ RSpec.describe Scimitar::Resources::Base do
           expect(resource.name.is_a?(Scimitar::ComplexTypes::Name)).to be(true)
           expect(resource.name.givenName).to eql('John')
           expect(resource.name.familyName).to eql('Smith')
+          expect(resource.privateName.is_a?(Scimitar::ComplexTypes::Name)).to be(true)
+          expect(resource.privateName.givenName).to eql('Alt John')
+          expect(resource.privateName.familyName).to eql('Alt Smith')
         end
 
         it 'which builds an array of nested resources' do
@@ -101,14 +111,38 @@ RSpec.describe Scimitar::Resources::Base do
     context '#as_json' do
       it 'renders the json with the resourceType' do
         resource = CustomResourse.new(name: {
-          givenName: 'John',
+          givenName:  'John',
           familyName: 'Smith'
         })
 
         result = resource.as_json
-        expect(result['schemas']).to eql(['custom-id'])
+
+        expect(result['schemas']             ).to eql(['custom-id'])
+        expect(result['meta']['resourceType']).to eql('CustomResourse')
+        expect(result['errors']              ).to be_nil
+      end
+
+      it 'excludes attributes that are flagged as do-not-return' do
+        resource = CustomResourse.new(
+          name: {
+            givenName:  'John',
+            familyName: 'Smith'
+          },
+          privateName: {
+            givenName:  'Alt John',
+            familyName: 'Alt Smith'
+          }
+        )
+
+        result = resource.as_json
+
+        expect(result['schemas']             ).to eql(['custom-id'])
         expect(result['meta']['resourceType']).to eql('CustomResourse')
-        expect(result['errors']).to be_nil
+        expect(result['errors']              ).to be_nil
+        expect(result['name']                ).to be_present
+        expect(result['name']['givenName']   ).to eql('John')
+        expect(result['name']['familyName']  ).to eql('Smith')
+        expect(result['privateName']         ).to be_present
       end
     end # "context '#as_json' do"
 
@@ -267,7 +301,10 @@ RSpec.describe Scimitar::Resources::Base do
         end
 
         def self.scim_attributes
-          [ Scimitar::Schema::Attribute.new(name: 'relationship', type: 'string', required: true) ]
+          [
+            Scimitar::Schema::Attribute.new(name: 'relationship', type: 'string', required: true),
+            Scimitar::Schema::Attribute.new(name: "userGroups", multiValued: true, complexType: Scimitar::ComplexTypes::ReferenceGroup, mutability: "writeOnly")
+          ]
         end
       end
 
@@ -291,6 +328,12 @@ RSpec.describe Scimitar::Resources::Base do
           resource = resource_class.new('extension-id' => {relationship: 'GAGA'})
           expect(resource.relationship).to eql('GAGA')
         end
+
+        it 'allows setting complex extension attributes' do
+          user_groups = [{ value: '123' }, { value: '456'}]
+          resource = resource_class.new('extension-id' => {userGroups: user_groups})
+          expect(resource.userGroups.map(&:value)).to eql(['123', '456'])
+        end
       end # "context '#initialize' do"
 
       context '#as_json' do

data/spec/models/scimitar/resources/mixin_spec.rb

@@ -160,13 +160,14 @@ RSpec.describe Scimitar::Resources::Mixin do
 
     context '#to_scim' do
       context 'with a UUID, renamed primary key column' do
-        it 'compiles instance attribute values into a SCIM representation' do
+        it 'compiles instance attribute values into a SCIM representation, but omits do-not-return fields' do
           uuid                        = SecureRandom.uuid
 
           instance                    = MockUser.new
           instance.primary_key        = uuid
           instance.scim_uid           = 'AA02984'
           instance.username           = 'foo'
+          instance.password           = 'correcthorsebatterystaple'
           instance.first_name         = 'Foo'
           instance.last_name          = 'Bar'
           instance.work_email_address = 'foo.bar@test.com'
@@ -404,6 +405,7 @@ RSpec.describe Scimitar::Resources::Mixin do
           it 'ignoring read-only lists' do
             hash = {
               'userName'     => 'foo',
+              'password'     => 'staplebatteryhorsecorrect',
               'name'         => {'givenName' => 'Foo', 'familyName' => 'Bar'},
               'active'       => true,
               'emails'       => [{'type' => 'work',  'primary' => true,  'value' => 'foo.bar@test.com'}],
@@ -428,6 +430,7 @@ RSpec.describe Scimitar::Resources::Mixin do
 
             expect(instance.scim_uid          ).to eql('AA02984')
             expect(instance.username          ).to eql('foo')
+            expect(instance.password          ).to eql('staplebatteryhorsecorrect')
             expect(instance.first_name        ).to eql('Foo')
             expect(instance.last_name         ).to eql('Bar')
             expect(instance.work_email_address).to eql('foo.bar@test.com')
@@ -2685,6 +2688,14 @@ RSpec.describe Scimitar::Resources::Mixin do
       #
       context 'public interface' do
         shared_examples 'a patcher' do | force_upper_case: |
+          it 'gives the user a comprehensible error when operations are missing' do
+            patch = { 'schemas' => ['urn:ietf:params:scim:api:messages:2.0:PatchOp'] }
+
+            expect do
+              @instance.from_scim_patch!(patch_hash: patch)
+            end.to raise_error Scimitar::InvalidSyntaxError, "Missing PATCH \"operations\""
+          end
+
           it 'which updates simple values' do
             @instance.update!(username: 'foo')
 

data/spec/models/scimitar/schema/attribute_spec.rb

@@ -46,6 +46,28 @@ RSpec.describe Scimitar::Schema::Attribute do
       expect(attribute.errors.messages.to_h).to eql({userName: ['has the wrong type. It has to be a(n) string.']})
     end
 
+    it 'is valid if multi-valued and type is string and given value is an array of strings' do
+      attribute = described_class.new(name: 'scopes', multiValued: true, type: 'string')
+      expect(attribute.valid?(['something', 'something else'])).to be(true)
+    end
+
+    it 'is valid if multi-valued and type is string and given value is an empty array' do
+      attribute = described_class.new(name: 'scopes', multiValued: true, type: 'string')
+      expect(attribute.valid?([])).to be(true)
+    end
+
+    it 'is invalid if multi-valued and type is string and given value is not an array' do
+      attribute = described_class.new(name: 'scopes', multiValued: true, type: 'string')
+      expect(attribute.valid?('something')).to be(false)
+      expect(attribute.errors.messages.to_h).to eql({scopes: ['or one of its elements has the wrong type. It has to be an array of strings.']})
+    end
+
+    it 'is invalid if multi-valued and type is string and given value is an array containing another type' do
+      attribute = described_class.new(name: 'scopes', multiValued: true, type: 'string')
+      expect(attribute.valid?(['something', 123])).to be(false)
+      expect(attribute.errors.messages.to_h).to eql({scopes: ['or one of its elements has the wrong type. It has to be an array of strings.']})
+    end
+
     it 'is valid if type is boolean and given value is boolean' do
       expect(described_class.new(name: 'name', type: 'boolean').valid?(false)).to be(true)
       expect(described_class.new(name: 'name', type: 'boolean').valid?(true)).to be(true)

data/spec/requests/active_record_backed_resources_controller_spec.rb

@@ -397,6 +397,22 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
       expect(result['scimType']).to eql('invalidValue')
       expect(result['detail']).to include('is reserved')
     end
+
+    it 'invokes a block if given one' do
+      mock_before = MockUser.all.to_a
+      attributes = { userName: '5' } # Minimum required by schema
+
+      expect_any_instance_of(CustomSaveMockUsersController).to receive(:create).once.and_call_original
+      expect {
+        post "/CustomSaveUsers", params: attributes.merge(format: :scim)
+      }.to change { MockUser.count }.by(1)
+
+      mock_after = MockUser.all.to_a
+      new_mock = (mock_after - mock_before).first
+
+      expect(response.status).to eql(201)
+      expect(new_mock.username).to eql(CustomSaveMockUsersController::CUSTOM_SAVE_BLOCK_USERNAME_INDICATOR)
+    end
   end # "context '#create' do"
 
   # ===========================================================================

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: scimitar
 version: !ruby/object:Gem::Version
-  version: 2.4.3
+  version: 2.6.0
 platform: ruby
 authors:
 - RIPA Global
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-09-16 00:00:00.000000000 Z
+date: 2023-11-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -196,6 +196,7 @@ files:
 - lib/scimitar/version.rb
 - spec/apps/dummy/app/controllers/custom_destroy_mock_users_controller.rb
 - spec/apps/dummy/app/controllers/custom_request_verifiers_controller.rb
+- spec/apps/dummy/app/controllers/custom_save_mock_users_controller.rb
 - spec/apps/dummy/app/controllers/mock_groups_controller.rb
 - spec/apps/dummy/app/controllers/mock_users_controller.rb
 - spec/apps/dummy/app/models/mock_group.rb
@@ -260,13 +261,14 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.4
+rubygems_version: 3.4.10
 signing_key:
 specification_version: 4
 summary: SCIM v2 for Rails
 test_files:
 - spec/apps/dummy/app/controllers/custom_destroy_mock_users_controller.rb
 - spec/apps/dummy/app/controllers/custom_request_verifiers_controller.rb
+- spec/apps/dummy/app/controllers/custom_save_mock_users_controller.rb
 - spec/apps/dummy/app/controllers/mock_groups_controller.rb
 - spec/apps/dummy/app/controllers/mock_users_controller.rb
 - spec/apps/dummy/app/models/mock_group.rb