RubyGems - scimitar - Versions diffs - 2.5.0 → 2.11.0 - Mend

scimitar 2.5.0 → 2.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (53) hide show

checksums.yaml +4 -4
data/LICENSE.txt +21 -0
data/README.md +721 -0
data/app/controllers/scimitar/active_record_backed_resources_controller.rb +72 -18
data/app/controllers/scimitar/application_controller.rb +17 -9
data/app/controllers/scimitar/resource_types_controller.rb +7 -3
data/app/controllers/scimitar/resources_controller.rb +0 -2
data/app/controllers/scimitar/schemas_controller.rb +366 -3
data/app/controllers/scimitar/service_provider_configurations_controller.rb +3 -2
data/app/models/scimitar/complex_types/address.rb +0 -6
data/app/models/scimitar/complex_types/base.rb +2 -2
data/app/models/scimitar/engine_configuration.rb +3 -1
data/app/models/scimitar/lists/query_parser.rb +97 -12
data/app/models/scimitar/resource_invalid_error.rb +1 -1
data/app/models/scimitar/resource_type.rb +4 -6
data/app/models/scimitar/resources/base.rb +52 -8
data/app/models/scimitar/resources/mixin.rb +539 -76
data/app/models/scimitar/schema/attribute.rb +18 -8
data/app/models/scimitar/schema/base.rb +2 -2
data/app/models/scimitar/schema/name.rb +2 -2
data/app/models/scimitar/schema/user.rb +10 -10
data/config/initializers/scimitar.rb +49 -3
data/lib/scimitar/engine.rb +57 -12
data/lib/scimitar/support/hash_with_indifferent_case_insensitive_access.rb +140 -10
data/lib/scimitar/support/utilities.rb +111 -0
data/lib/scimitar/version.rb +2 -2
data/lib/scimitar.rb +1 -0
data/spec/apps/dummy/app/controllers/custom_create_mock_users_controller.rb +25 -0
data/spec/apps/dummy/app/controllers/custom_replace_mock_users_controller.rb +25 -0
data/spec/apps/dummy/app/controllers/custom_save_mock_users_controller.rb +24 -0
data/spec/apps/dummy/app/controllers/custom_update_mock_users_controller.rb +25 -0
data/spec/apps/dummy/app/models/mock_user.rb +20 -3
data/spec/apps/dummy/config/application.rb +8 -0
data/spec/apps/dummy/config/initializers/scimitar.rb +40 -3
data/spec/apps/dummy/config/routes.rb +18 -1
data/spec/apps/dummy/db/migrate/20210304014602_create_mock_users.rb +2 -0
data/spec/apps/dummy/db/schema.rb +3 -1
data/spec/controllers/scimitar/application_controller_spec.rb +56 -2
data/spec/controllers/scimitar/resource_types_controller_spec.rb +8 -4
data/spec/controllers/scimitar/schemas_controller_spec.rb +344 -48
data/spec/controllers/scimitar/service_provider_configurations_controller_spec.rb +1 -0
data/spec/models/scimitar/complex_types/address_spec.rb +3 -4
data/spec/models/scimitar/lists/query_parser_spec.rb +70 -0
data/spec/models/scimitar/resources/base_spec.rb +55 -13
data/spec/models/scimitar/resources/base_validation_spec.rb +16 -3
data/spec/models/scimitar/resources/mixin_spec.rb +781 -124
data/spec/models/scimitar/schema/attribute_spec.rb +22 -0
data/spec/models/scimitar/schema/user_spec.rb +2 -2
data/spec/requests/active_record_backed_resources_controller_spec.rb +723 -40
data/spec/requests/engine_spec.rb +75 -0
data/spec/spec_helper.rb +10 -2
data/spec/support/hash_with_indifferent_case_insensitive_access_spec.rb +108 -0
metadata +42 -34

data/spec/requests/active_record_backed_resources_controller_spec.rb CHANGED Viewed

@@ -13,9 +13,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
     lmt = Time.parse("2023-01-09 14:25:00 +1300")
     ids = 3.times.map { SecureRandom.uuid }.sort()
-    @u1 = MockUser.create(primary_key: ids.shift(), username: '1', first_name: 'Foo', last_name: 'Ark', home_email_address: 'home_1@test.com', scim_uid: '001', created_at: lmt, updated_at: lmt + 1)
-    @u2 = MockUser.create(primary_key: ids.shift(), username: '2', first_name: 'Foo', last_name: 'Bar', home_email_address: 'home_2@test.com', scim_uid: '002', created_at: lmt, updated_at: lmt + 2)
-    @u3 = MockUser.create(primary_key: ids.shift(), username: '3', first_name: 'Foo',                   home_email_address: 'home_3@test.com', scim_uid: '003', created_at: lmt, updated_at: lmt + 3)
+    @u1 = MockUser.create!(primary_key: ids.shift(), username: '1', first_name: 'Foo', last_name: 'Ark', home_email_address: 'home_1@test.com', scim_uid: '001', created_at: lmt, updated_at: lmt + 1)
+    @u2 = MockUser.create!(primary_key: ids.shift(), username: '2', first_name: 'Foo', last_name: 'Bar', home_email_address: 'home_2@test.com', scim_uid: '002', created_at: lmt, updated_at: lmt + 2, password: 'oldpassword')
+    @u3 = MockUser.create!(primary_key: ids.shift(), username: '3', first_name: 'Foo',                   home_email_address: 'home_3@test.com', scim_uid: '003', created_at: lmt, updated_at: lmt + 3)
     @g1 = MockGroup.create!(display_name: 'Group 1')
     @g2 = MockGroup.create!(display_name: 'Group 2')
@@ -26,13 +26,17 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
   context '#index' do
     context 'with no items' do
-      it 'returns empty list' do
+      before :each do
         MockUser.delete_all
+      end
+      it 'returns empty list' do
         expect_any_instance_of(MockUsersController).to receive(:index).once.and_call_original
         get '/Users', params: { format: :scim }
-        expect(response.status).to eql(200)
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
         result = JSON.parse(response.body)
         expect(result['totalResults']).to eql(0)
@@ -46,7 +50,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         it 'returns all items' do
           get '/Users', params: { format: :scim }
-          expect(response.status).to eql(200)
+          expect(response.status                 ).to eql(200)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
           result = JSON.parse(response.body)
           expect(result['totalResults']).to eql(3)
@@ -64,7 +70,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         it 'returns all items' do
           get '/Groups', params: { format: :scim }
-          expect(response.status).to eql(200)
+          expect(response.status                 ).to eql(200)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
           result = JSON.parse(response.body)
           expect(result['totalResults']).to eql(3)
@@ -84,7 +92,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
           filter: 'name.givenName eq "FOO" and name.familyName pr and emails ne "home_1@test.com"'
         }
-        expect(response.status).to eql(200)
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
         result = JSON.parse(response.body)
         expect(result['totalResults']).to eql(1)
@@ -97,13 +107,69 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         expect(usernames).to match_array(['2'])
       end
+      it 'returns only the requested attributes' do
+        get '/Users', params: {
+          format: :scim,
+          attributes: "id,name"
+        }
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+        result = JSON.parse(response.body)
+        expect(result['totalResults']).to eql(3)
+        expect(result['Resources'].size).to eql(3)
+        keys = result['Resources'].map { |resource| resource.keys }.flatten.uniq
+        expect(keys).to match_array(%w[
+          id
+          meta
+          name
+          schemas
+          urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
+          urn:ietf:params:scim:schemas:extension:manager:1.0:User
+        ])
+        expect(result.dig('Resources', 0, 'id')).to eql @u1.primary_key.to_s
+        expect(result.dig('Resources', 0, 'name', 'givenName')).to eql 'Foo'
+        expect(result.dig('Resources', 0, 'name', 'familyName')).to eql 'Ark'
+      end
+      # https://github.com/pond/scimitar/issues/37
+      #
       it 'applies a filter, with case-insensitive attribute matching (GitHub issue #37)' do
         get '/Users', params: {
           format: :scim,
           filter: 'name.GIVENNAME eq "Foo" and name.Familyname pr and emails ne "home_1@test.com"'
         }
-        expect(response.status).to eql(200)
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+        result = JSON.parse(response.body)
+        expect(result['totalResults']).to eql(1)
+        expect(result['Resources'].size).to eql(1)
+        ids = result['Resources'].map { |resource| resource['id'] }
+        expect(ids).to match_array([@u2.primary_key.to_s])
+        usernames = result['Resources'].map { |resource| resource['userName'] }
+        expect(usernames).to match_array(['2'])
+      end
+      # https://github.com/pond/scimitar/issues/115
+      #
+      it 'handles broken Microsoft filters (GitHub issue #115)' do
+        get '/Users', params: {
+          format: :scim,
+          filter: 'name[givenName eq "FOO"].familyName pr and emails ne "home_1@test.com"'
+        }
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
         result = JSON.parse(response.body)
         expect(result['totalResults']).to eql(1)
@@ -116,6 +182,7 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         expect(usernames).to match_array(['2'])
       end
       # Strange attribute capitalisation in tests here builds on test coverage
       # for now-fixed GitHub issue #37.
       #
@@ -126,7 +193,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
             filter: "id eq \"#{@u3.primary_key}\""
           }
-          expect(response.status).to eql(200)
+          expect(response.status                 ).to eql(200)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
           result = JSON.parse(response.body)
           expect(result['totalResults']).to eql(1)
@@ -145,7 +214,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
             filter: "externalID eq \"#{@u2.scim_uid}\""
           }
-          expect(response.status).to eql(200)
+          expect(response.status                 ).to eql(200)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
           result = JSON.parse(response.body)
           expect(result['totalResults']).to eql(1)
@@ -164,7 +235,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
             filter: "Meta.LastModified eq \"#{@u3.updated_at}\""
           }
-          expect(response.status).to eql(200)
+          expect(response.status                 ).to eql(200)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
           result = JSON.parse(response.body)
           expect(result['totalResults']).to eql(1)
@@ -184,7 +257,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
           count:  2
         }
-        expect(response.status).to eql(200)
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
         result = JSON.parse(response.body)
         expect(result['totalResults']).to eql(3)
@@ -203,7 +278,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
           startIndex: 2
         }
-        expect(response.status).to eql(200)
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
         result = JSON.parse(response.body)
         expect(result['totalResults']).to eql(3)
@@ -224,8 +301,11 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
           filter: 'name.givenName'
         }
-        expect(response.status).to eql(400)
+        expect(response.status                 ).to eql(400)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
         result = JSON.parse(response.body)
         expect(result['scimType']).to eql('invalidFilter')
       end
     end # "context 'with bad calls' do"
@@ -239,7 +319,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         expect_any_instance_of(MockUsersController).to receive(:show).once.and_call_original
         get "/Users/#{@u2.primary_key}", params: { format: :scim }
-        expect(response.status).to eql(200)
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
         result = JSON.parse(response.body)
         expect(result['id']).to eql(@u2.primary_key.to_s)
@@ -254,7 +336,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         expect_any_instance_of(MockGroupsController).to receive(:show).once.and_call_original
         get "/Groups/#{@g2.id}", params: { format: :scim }
-        expect(response.status).to eql(200)
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
         result = JSON.parse(response.body)
         expect(result['id']).to eql(@g2.id.to_s) # Note - ID was converted String; not Integer
@@ -266,8 +350,11 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
     it 'renders 404' do
       get '/Users/xyz', params: { format: :scim }
-      expect(response.status).to eql(404)
+      expect(response.status                 ).to eql(404)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
       result = JSON.parse(response.body)
       expect(result['status']).to eql('404')
     end
   end # "context '#show' do"
@@ -283,7 +370,12 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
           attributes = { userName: '4' } # Minimum required by schema
           attributes = spec_helper_hupcase(attributes) if force_upper_case
+          # Prove that certain known pathways are called; can then unit test
+          # those if need be and be sure that this covers #create actions.
+          #
           expect_any_instance_of(MockUsersController).to receive(:create).once.and_call_original
+          expect_any_instance_of(MockUsersController).to receive(:save! ).once.and_call_original
           expect {
             post "/Users", params: attributes.merge(format: :scim)
           }.to change { MockUser.count }.by(1)
@@ -291,7 +383,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
           mock_after = MockUser.all.to_a
           new_mock = (mock_after - mock_before).first
-          expect(response.status).to eql(201)
+          expect(response.status                 ).to eql(201)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
           result = JSON.parse(response.body)
           expect(result['id']).to eql(new_mock.primary_key.to_s)
@@ -306,6 +400,7 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
           attributes = {
             userName: '4',
+            password: 'correcthorsebatterystaple',
             name: {
               givenName: 'Given',
               familyName: 'Family'
@@ -332,17 +427,90 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
           mock_after = MockUser.all.to_a
           new_mock = (mock_after - mock_before).first
-          expect(response.status).to eql(201)
+          expect(response.status                 ).to eql(201)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
           result = JSON.parse(response.body)
           expect(result['id']).to eql(new_mock.id.to_s)
           expect(result['meta']['resourceType']).to eql('User')
           expect(new_mock.username).to eql('4')
+          expect(new_mock.password).to eql('correcthorsebatterystaple')
           expect(new_mock.first_name).to eql('Given')
           expect(new_mock.last_name).to eql('Family')
           expect(new_mock.home_email_address).to eql('home_4@test.com')
           expect(new_mock.work_email_address).to eql('work_4@test.com')
         end
+        it 'with schema ID value keys without inline attributes' do
+          mock_before = MockUser.all.to_a
+          attributes = {
+            userName: '4',
+            'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User': {
+              organization: 'Foo Bar!',
+              department:   'Bar Foo!'
+            },
+            'urn:ietf:params:scim:schemas:extension:manager:1.0:User': {
+              manager: 'Foo Baz!'
+            }
+          }
+          attributes = spec_helper_hupcase(attributes) if force_upper_case
+          expect {
+            post "/Users", params: attributes.merge(format: :scim)
+          }.to change { MockUser.count }.by(1)
+          mock_after = MockUser.all.to_a
+          new_mock = (mock_after - mock_before).first
+          expect(response.status                 ).to eql(201)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+          result = JSON.parse(response.body)
+          expect(new_mock.organization).to eql('Foo Bar!')
+          expect(new_mock.department  ).to eql('Bar Foo!')
+          expect(new_mock.manager     ).to eql('Foo Baz!')
+          expect(result['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']).to eql(new_mock.organization)
+          expect(result['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department'  ]).to eql(new_mock.department  )
+          expect(result['urn:ietf:params:scim:schemas:extension:manager:1.0:User'   ]['manager'     ]).to eql(new_mock.manager     )
+        end
+        it 'with schema ID value keys that have inline attributes' do
+          mock_before = MockUser.all.to_a
+          attributes = {
+            userName: '4',
+            'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization': 'Foo Bar!',
+            'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department':   'Bar Foo!',
+            'urn:ietf:params:scim:schemas:extension:manager:1.0:User:manager':         'Foo Baz!'
+          }
+          attributes = spec_helper_hupcase(attributes) if force_upper_case
+          expect {
+            post "/Users", params: attributes.merge(format: :scim)
+          }.to change { MockUser.count }.by(1)
+          mock_after = MockUser.all.to_a
+          new_mock = (mock_after - mock_before).first
+          expect(response.status                 ).to eql(201)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+          result = JSON.parse(response.body)
+          expect(new_mock.organization).to eql('Foo Bar!')
+          expect(new_mock.department  ).to eql('Bar Foo!')
+          expect(new_mock.manager     ).to eql('Foo Baz!')
+          expect(result['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']).to eql(new_mock.organization)
+          expect(result['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department'  ]).to eql(new_mock.department  )
+          expect(result['urn:ietf:params:scim:schemas:extension:manager:1.0:User'   ]['manager'     ]).to eql(new_mock.manager     )
+        end
       end # "shared_examples 'a creator' do | force_upper_case: |"
       context 'using schema-matched case' do
@@ -363,8 +531,11 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         }
       }.to_not change { MockUser.count }
-      expect(response.status).to eql(409)
+      expect(response.status                 ).to eql(409)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
       result = JSON.parse(response.body)
       expect(result['scimType']).to eql('uniqueness')
       expect(result['detail']).to include('already been taken')
     end
@@ -377,8 +548,11 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         }
       }.to_not change { MockUser.count }
-      expect(response.status).to eql(400)
+      expect(response.status                 ).to eql(400)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
       result = JSON.parse(response.body)
       expect(result['scimType']).to eql('invalidValue')
       expect(result['detail']).to include('is required')
     end
@@ -391,12 +565,84 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         }
       }.to_not change { MockUser.count }
-      expect(response.status).to eql(400)
+      expect(response.status                 ).to eql(400)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
       result = JSON.parse(response.body)
       expect(result['scimType']).to eql('invalidValue')
       expect(result['detail']).to include('is reserved')
     end
+    context 'with a block' do
+      it 'invokes the block' do
+        mock_before = MockUser.all.to_a
+        expect_any_instance_of(CustomCreateMockUsersController).to receive(:create).once.and_call_original
+        expect {
+          post "/CustomCreateUsers", params: {
+            format:   :scim,
+            userName: '4' # Minimum required by schema
+          }
+        }.to change { MockUser.count }.by(1)
+        mock_after = MockUser.all.to_a
+        new_mock = (mock_after - mock_before).first
+        expect(response.status                 ).to eql(201)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+        result = JSON.parse(response.body)
+        expect(result['id']).to eql(new_mock.id.to_s)
+        expect(result['meta']['resourceType']).to eql('User')
+        expect(new_mock.first_name).to eql(CustomCreateMockUsersController::OVERRIDDEN_NAME)
+      end
+      it 'returns 409 for duplicates (by Rails validation)' do
+        existing_user = MockUser.create!(
+          username:           '4',
+          first_name:         'Will Be Overridden',
+          last_name:          'Baz',
+          home_email_address: 'random@test.com',
+          scim_uid:           '999'
+        )
+        expect_any_instance_of(CustomCreateMockUsersController).to receive(:create).once.and_call_original
+        expect {
+          post "/CustomCreateUsers", params: {
+            format:   :scim,
+            userName: '4' # Already exists
+          }
+        }.to_not change { MockUser.count }
+        expect(response.status                 ).to eql(409)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+        result = JSON.parse(response.body)
+        expect(result['scimType']).to eql('uniqueness')
+        expect(result['detail']).to include('already been taken')
+      end
+      it 'notes Rails validation failures' do
+        expect_any_instance_of(CustomCreateMockUsersController).to receive(:create).once.and_call_original
+        expect {
+          post "/CustomCreateUsers", params: {
+            format:   :scim,
+            userName: MockUser::INVALID_USERNAME
+          }
+        }.to_not change { MockUser.count }
+        expect(response.status                 ).to eql(400)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+        result = JSON.parse(response.body)
+        expect(result['scimType']).to eql('invalidValue')
+        expect(result['detail']).to include('is reserved')
+      end
+    end # "context 'with a block' do"
   end # "context '#create' do"
   # ===========================================================================
@@ -404,26 +650,64 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
   context '#replace' do
     shared_examples 'a replacer' do | force_upper_case: |
       it 'which replaces all attributes in an instance' do
-        attributes = { userName: '4' }  # Minimum required by schema
+        attributes = { userName: '4' } # Minimum required by schema
         attributes = spec_helper_hupcase(attributes) if force_upper_case
+        # Prove that certain known pathways are called; can then unit test
+        # those if need be and be sure that this covers #replace actions.
+        #
         expect_any_instance_of(MockUsersController).to receive(:replace).once.and_call_original
+        expect_any_instance_of(MockUsersController).to receive(:save!  ).once.and_call_original
         expect {
           put "/Users/#{@u2.primary_key}", params: attributes.merge(format: :scim)
         }.to_not change { MockUser.count }
-        expect(response.status).to eql(200)
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
         result = JSON.parse(response.body)
         expect(result['id']).to eql(@u2.primary_key.to_s)
         expect(result['meta']['resourceType']).to eql('User')
+        expect(result).to     have_key('name')
+        expect(result).to_not have_key('password')
         @u2.reload
         expect(@u2.username).to eql('4')
         expect(@u2.first_name).to be_nil
         expect(@u2.last_name).to be_nil
         expect(@u2.home_email_address).to be_nil
+        expect(@u2.password).to be_nil
+      end
+      it 'can replace passwords' do
+        attributes = { userName: '4', password: 'correcthorsebatterystaple' }
+        attributes = spec_helper_hupcase(attributes) if force_upper_case
+        expect {
+          put "/Users/#{@u2.primary_key}", params: attributes.merge(format: :scim)
+        }.to_not change { MockUser.count }
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+        result = JSON.parse(response.body)
+        expect(result['id']).to eql(@u2.primary_key.to_s)
+        expect(result['meta']['resourceType']).to eql('User')
+        expect(result).to     have_key('name')
+        expect(result).to_not have_key('password')
+        @u2.reload
+        expect(@u2.username).to eql('4')
+        expect(@u2.first_name).to be_nil
+        expect(@u2.last_name).to be_nil
+        expect(@u2.home_email_address).to be_nil
+        expect(@u2.password).to eql('correcthorsebatterystaple')
       end
     end # "shared_examples 'a replacer' do | force_upper_case: |"
@@ -443,8 +727,11 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         }
       }.to_not change { MockUser.count }
-      expect(response.status).to eql(400)
+      expect(response.status                 ).to eql(400)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
       result = JSON.parse(response.body)
       expect(result['scimType']).to eql('invalidValue')
       expect(result['detail']).to include('is required')
@@ -458,13 +745,15 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
     it 'notes Rails validation failures' do
       expect {
-        post "/Users", params: {
+        put "/Users/#{@u2.primary_key}", params: {
           format: :scim,
           userName: MockUser::INVALID_USERNAME
         }
       }.to_not change { MockUser.count }
-      expect(response.status).to eql(400)
+      expect(response.status                 ).to eql(400)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
       result = JSON.parse(response.body)
       expect(result['scimType']).to eql('invalidValue')
@@ -486,17 +775,72 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         }
       }.to_not change { MockUser.count }
-      expect(response.status).to eql(404)
+      expect(response.status                 ).to eql(404)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
       result = JSON.parse(response.body)
       expect(result['status']).to eql('404')
     end
+    context 'with a block' do
+      it 'invokes the block' do
+        attributes = { userName: '4' } # Minimum required by schema
+        expect_any_instance_of(CustomReplaceMockUsersController).to receive(:replace).once.and_call_original
+        expect {
+          put "/CustomReplaceUsers/#{@u2.primary_key}", params: {
+            format:   :scim,
+            userName: '4'
+          }
+        }.to_not change { MockUser.count }
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+        result = JSON.parse(response.body)
+        expect(result['id']).to eql(@u2.primary_key.to_s)
+        expect(result['meta']['resourceType']).to eql('User')
+        @u2.reload
+        expect(@u2.username  ).to eql('4')
+        expect(@u2.first_name).to eql(CustomReplaceMockUsersController::OVERRIDDEN_NAME)
+      end
+      it 'notes Rails validation failures' do
+        expect_any_instance_of(CustomReplaceMockUsersController).to receive(:replace).once.and_call_original
+        expect {
+          put "/CustomReplaceUsers/#{@u2.primary_key}", params: {
+            format:   :scim,
+            userName: MockUser::INVALID_USERNAME
+          }
+        }.to_not change { MockUser.count }
+        expect(response.status                 ).to eql(400)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+        result = JSON.parse(response.body)
+        expect(result['scimType']).to eql('invalidValue')
+        expect(result['detail']).to include('is reserved')
+        @u2.reload
+        expect(@u2.username).to eql('2')
+        expect(@u2.first_name).to eql('Foo')
+        expect(@u2.last_name).to eql('Bar')
+        expect(@u2.home_email_address).to eql('home_2@test.com')
+      end
+    end # "context 'with a block' do"
   end # "context '#replace' do"
   # ===========================================================================
   context '#update' do
     shared_examples 'an updater' do | force_upper_case: |
-      it 'which patches specific attributes' do
+      it 'which patches regular attributes' do
         payload = {
           Operations: [
             {
@@ -514,17 +858,27 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         payload = spec_helper_hupcase(payload) if force_upper_case
+        # Prove that certain known pathways are called; can then unit test
+        # those if need be and be sure that this covers #update actions.
+        #
         expect_any_instance_of(MockUsersController).to receive(:update).once.and_call_original
+        expect_any_instance_of(MockUsersController).to receive(:save! ).once.and_call_original
         expect {
           patch "/Users/#{@u2.primary_key}", params: payload.merge(format: :scim)
         }.to_not change { MockUser.count }
-        expect(response.status).to eql(200)
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
         result = JSON.parse(response.body)
         expect(result['id']).to eql(@u2.primary_key.to_s)
         expect(result['meta']['resourceType']).to eql('User')
+        expect(result).to     have_key('name')
+        expect(result).to_not have_key('password')
         @u2.reload
         expect(@u2.username).to eql('4')
@@ -532,6 +886,151 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         expect(@u2.last_name).to eql('Bar')
         expect(@u2.home_email_address).to eql('home_2@test.com')
         expect(@u2.work_email_address).to eql('work_4@test.com')
+        expect(@u2.password).to eql('oldpassword')
+      end
+      context 'which' do
+        shared_examples 'it handles not-to-spec in-value Azure/Entra dotted attribute paths' do | operation |
+          it "and performs operation" do
+            payload = {
+              Operations: [
+                {
+                  op: 'add',
+                  value: {
+                    'name.givenName'  => 'Foo!',
+                    'name.familyName' => 'Bar!',
+                    'name.formatted'  => 'Foo! Bar!' # Unrecognised; should be ignored
+                  },
+                },
+              ]
+            }
+            payload = spec_helper_hupcase(payload) if force_upper_case
+            patch "/Users/#{@u2.primary_key}", params: payload.merge(format: :scim)
+            expect(response.status                 ).to eql(200)
+            expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+            @u2.reload
+            result = JSON.parse(response.body)
+            expect(@u2.first_name).to eql('Foo!')
+            expect(@u2.last_name ).to eql('Bar!')
+          end
+        end
+        it_behaves_like 'it handles not-to-spec in-value Azure/Entra dotted attribute paths', 'add'
+        it_behaves_like 'it handles not-to-spec in-value Azure/Entra dotted attribute paths', 'replace'
+        shared_examples 'it handles schema ID value keys without inline attributes' do | operation |
+          it "and performs operation" do
+            payload = {
+              Operations: [
+                {
+                  op: operation,
+                  value: {
+                    'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User': {
+                      'organization' => 'Foo Bar!',
+                      'department'   => 'Bar Foo!'
+                    },
+                    'urn:ietf:params:scim:schemas:extension:manager:1.0:User': {
+                      'manager' => 'Foo Baz!'
+                    }
+                  },
+                },
+              ]
+            }
+            @u2.update!(organization: 'Old org')
+            payload = spec_helper_hupcase(payload) if force_upper_case
+            patch "/Users/#{@u2.primary_key}", params: payload.merge(format: :scim)
+            expect(response.status                 ).to eql(200)
+            expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+            @u2.reload
+            result = JSON.parse(response.body)
+            expect(@u2.organization).to eql('Foo Bar!')
+            expect(@u2.department  ).to eql('Bar Foo!')
+            expect(@u2.manager     ).to eql('Foo Baz!')
+          end
+        end
+        it_behaves_like 'it handles schema ID value keys without inline attributes', 'add'
+        it_behaves_like 'it handles schema ID value keys without inline attributes', 'replace'
+        shared_examples 'it handles schema ID value keys with inline attributes' do
+          it "and performs operation" do
+            payload = {
+              Operations: [
+                {
+                  op: 'add',
+                  value: {
+                    'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization' => 'Foo Bar!',
+                    'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department'   => 'Bar Foo!',
+                    'urn:ietf:params:scim:schemas:extension:manager:1.0:User:manager'         => 'Foo Baz!'
+                  },
+                },
+              ]
+            }
+            @u2.update!(organization: 'Old org')
+            payload = spec_helper_hupcase(payload) if force_upper_case
+            patch "/Users/#{@u2.primary_key}", params: payload.merge(format: :scim)
+            expect(response.status                 ).to eql(200)
+            expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+            @u2.reload
+            result = JSON.parse(response.body)
+            expect(@u2.organization).to eql('Foo Bar!')
+            expect(@u2.department  ).to eql('Bar Foo!')
+            expect(@u2.manager     ).to eql('Foo Baz!')
+          end
+        end
+        it_behaves_like 'it handles schema ID value keys with inline attributes', 'add'
+        it_behaves_like 'it handles schema ID value keys with inline attributes', 'replace'
+      end
+      it 'which patches "returned: \'never\'" fields' do
+        payload = {
+          Operations: [
+            {
+              op: 'replace',
+              path: 'password',
+              value: 'correcthorsebatterystaple'
+            }
+          ]
+        }
+        payload = spec_helper_hupcase(payload) if force_upper_case
+        expect {
+          patch "/Users/#{@u2.primary_key}", params: payload.merge(format: :scim)
+        }.to_not change { MockUser.count }
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+        result = JSON.parse(response.body)
+        expect(result['id']).to eql(@u2.primary_key.to_s)
+        expect(result['meta']['resourceType']).to eql('User')
+        expect(result).to     have_key('name')
+        expect(result).to_not have_key('password')
+        @u2.reload
+        expect(@u2.username).to eql('2')
+        expect(@u2.first_name).to eql('Foo')
+        expect(@u2.last_name).to eql('Bar')
+        expect(@u2.home_email_address).to eql('home_2@test.com')
+        expect(@u2.work_email_address).to be_nil
+        expect(@u2.password).to eql('correcthorsebatterystaple')
       end
       context 'which clears attributes' do
@@ -556,7 +1055,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
             patch "/Users/#{@u2.primary_key}", params: payload.merge(format: :scim)
           }.to_not change { MockUser.count }
-          expect(response.status).to eql(200)
+          expect(response.status                 ).to eql(200)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
           result = JSON.parse(response.body)
           expect(result['id']).to eql(@u2.primary_key.to_s)
@@ -588,7 +1089,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
             patch "/Users/#{@u2.primary_key}", params: payload.merge(format: :scim)
           }.to_not change { MockUser.count }
-          expect(response.status).to eql(200)
+          expect(response.status                 ).to eql(200)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
           result = JSON.parse(response.body)
           expect(result['id']).to eql(@u2.primary_key.to_s)
@@ -620,7 +1123,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
             patch "/Users/#{@u2.primary_key}", params: payload.merge(format: :scim)
           }.to_not change { MockUser.count }
-          expect(response.status).to eql(200)
+          expect(response.status                 ).to eql(200)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
           result = JSON.parse(response.body)
           expect(result['id']).to eql(@u2.primary_key.to_s)
@@ -659,7 +1164,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         }
       }.to_not change { MockUser.count }
-      expect(response.status).to eql(400)
+      expect(response.status                 ).to eql(400)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
       result = JSON.parse(response.body)
       expect(result['scimType']).to eql('invalidValue')
@@ -687,8 +1194,11 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         }
       }.to_not change { MockUser.count }
-      expect(response.status).to eql(404)
+      expect(response.status                 ).to eql(404)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
       result = JSON.parse(response.body)
       expect(result['status']).to eql('404')
     end
@@ -725,7 +1235,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         get "/Groups/#{@g1.id}", params: { format: :scim }
-        expect(response.status).to eql(200)
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
         result = JSON.parse(response.body)
         expect(result['members']).to be_empty
@@ -752,7 +1264,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
           get "/Groups/#{@g1.id}", params: { format: :scim }
-          expect(response.status).to eql(200)
+          expect(response.status                 ).to eql(200)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
           result = JSON.parse(response.body)
           expect(result['members'].map { |m| m['value'] }.sort()).to eql(expected_remaining_user_ids)
@@ -827,12 +1341,178 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         it_behaves_like 'a user remover'
       end # context 'and using a Salesforce variant payload' do
     end # "context 'when removing users from groups' do"
+    context 'with a block' do
+      it 'invokes the block' do
+        payload = {
+          format: :scim,
+          Operations: [
+            {
+              op: 'add',
+              path: 'userName',
+              value: '4'
+            },
+            {
+              op: 'replace',
+              path: 'emails[type eq "work"]',
+              value: { type: 'work', value: 'work_4@test.com' }
+            }
+          ]
+        }
+        expect_any_instance_of(CustomUpdateMockUsersController).to receive(:update).once.and_call_original
+        expect {
+          patch "/CustomUpdateUsers/#{@u2.primary_key}", params: payload
+        }.to_not change { MockUser.count }
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+        result = JSON.parse(response.body)
+        expect(result['id']).to eql(@u2.primary_key.to_s)
+        expect(result['meta']['resourceType']).to eql('User')
+        @u2.reload
+        expect(@u2.username          ).to eql('4')
+        expect(@u2.first_name        ).to eql(CustomUpdateMockUsersController::OVERRIDDEN_NAME)
+        expect(@u2.work_email_address).to eql('work_4@test.com')
+      end
+      it 'notes Rails validation failures' do
+        expect_any_instance_of(CustomUpdateMockUsersController).to receive(:update).once.and_call_original
+        expect {
+          patch "/CustomUpdateUsers/#{@u2.primary_key}", params: {
+            format: :scim,
+            Operations: [
+              {
+                op: 'add',
+                path: 'userName',
+                value: MockUser::INVALID_USERNAME
+              }
+            ]
+          }
+        }.to_not change { MockUser.count }
+        expect(response.status                 ).to eql(400)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+        result = JSON.parse(response.body)
+        expect(result['scimType']).to eql('invalidValue')
+        expect(result['detail']).to include('is reserved')
+        @u2.reload
+        expect(@u2.username).to eql('2')
+        expect(@u2.first_name).to eql('Foo')
+        expect(@u2.last_name).to eql('Bar')
+        expect(@u2.home_email_address).to eql('home_2@test.com')
+      end
+    end # "context 'with a block' do"
   end # "context '#update' do"
+  # ===========================================================================
+  # In-passing parts of tests above show that #create, #replace and #update all
+  # route through #save!, so now add some unit tests for that and for exception
+  # handling overrides invoked via #save!.
+  # ===========================================================================
+  context 'overriding #save!' do
+    it 'invokes a block if given one' do
+      mock_before = MockUser.all.to_a
+      attributes = { userName: '5' } # Minimum required by schema
+      expect_any_instance_of(CustomSaveMockUsersController).to receive(:create).once.and_call_original
+      expect {
+        post "/CustomSaveUsers", params: attributes.merge(format: :scim)
+      }.to change { MockUser.count }.by(1)
+      mock_after = MockUser.all.to_a
+      new_mock = (mock_after - mock_before).first
+      expect(response.status                 ).to eql(201)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+      expect(new_mock.username).to eql(CustomSaveMockUsersController::CUSTOM_SAVE_BLOCK_USERNAME_INDICATOR)
+    end
+  end # "context 'overriding #save!' do
+  context 'custom on-save exceptions' do
+    MockUsersController.new.send(:scimitar_rescuable_exceptions).each do | exception_class |
+      it "handles out-of-box exception #{exception_class}" do
+        expect_any_instance_of(MockUsersController).to receive(:create).once.and_call_original
+        expect_any_instance_of(MockUsersController).to receive(:save! ).once.and_call_original
+        expect_any_instance_of(MockUser).to receive(:save!).once { raise exception_class }
+        expect {
+          post "/Users", params: { format: :scim, userName: SecureRandom.uuid }
+        }.to_not change { MockUser.count }
+        expected_status, expected_prefix = if exception_class == ActiveRecord::RecordNotUnique
+          [409, 'Operation failed due to a uniqueness constraint: ']
+        else
+          [400, 'Operation failed since record has become invalid: ']
+        end
+        expect(response.status                 ).to eql(expected_status)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+        result = JSON.parse(response.body)
+        # Check basic SCIM error rendering - good enough given other tests
+        # elsewhere. Exact message varies by exception.
+        #
+        expect(result['detail']).to start_with(expected_prefix)
+      end
+    end
+    it 'handles custom exceptions' do
+      exception_class = RuntimeError # (for testing only; usually, this would provoke a 500 response)
+      expect_any_instance_of(MockUsersController).to receive(:create).once.and_call_original
+      expect_any_instance_of(MockUsersController).to receive(:save! ).once.and_call_original
+      expect_any_instance_of(MockUsersController).to receive(:scimitar_rescuable_exceptions).once { [ exception_class ] }
+      expect_any_instance_of(MockUser           ).to receive(:save!                        ).once { raise exception_class }
+      expect {
+        post "/Users", params: { format: :scim, userName: SecureRandom.uuid }
+      }.to_not change { MockUser.count }
+      expect(response.status                 ).to eql(400)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+      result = JSON.parse(response.body)
+      expect(result['detail']).to start_with('Operation failed since record has become invalid: ')
+    end
+    it 'reports other exceptions as 500s' do
+      expect_any_instance_of(MockUsersController).to receive(:create).once.and_call_original
+      expect_any_instance_of(MockUsersController).to receive(:save! ).once.and_call_original
+      expect_any_instance_of(MockUser).to receive(:save!).once { raise RuntimeError }
+      expect {
+        post "/Users", params: { format: :scim, userName: SecureRandom.uuid }
+      }.to_not change { MockUser.count }
+      expect(response.status                 ).to eql(500)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+      result = JSON.parse(response.body)
+      expect(result['detail']).to eql('RuntimeError')
+    end
+  end
   # ===========================================================================
   context '#destroy' do
-    it 'deletes an item if given no blok' do
+    it 'deletes an item if given no block' do
       expect_any_instance_of(MockUsersController).to receive(:destroy).once.and_call_original
       expect_any_instance_of(MockUser).to receive(:destroy!).once.and_call_original
       expect {
@@ -863,8 +1543,11 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         delete '/Users/xyz', params: { format: :scim }
       }.to_not change { MockUser.count }
-      expect(response.status).to eql(404)
+      expect(response.status                 ).to eql(404)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
       result = JSON.parse(response.body)
       expect(result['status']).to eql('404')
     end
   end # "context '#destroy' do"