scimitar 2.5.0 → 2.11.0

data/app/models/scimitar/engine_configuration.rb

@@ -14,6 +14,7 @@ module Scimitar
       :application_controller_mixin,
       :exception_reporter,
       :optional_value_fields_required,
+      :schema_list_from_attribute_mappings,
     )
 
     def initialize(attributes = {})
@@ -22,7 +23,8 @@ module Scimitar
       # Set defaults that may be overridden by the initializer.
       #
       defaults = {
-        optional_value_fields_required: true
+        optional_value_fields_required:      true,
+        schema_list_from_attribute_mappings: []
       }
 
       super(defaults.merge(attributes))

data/app/models/scimitar/lists/query_parser.rb

@@ -59,13 +59,18 @@ module Scimitar
       #
       BINARY_OPERATORS = Set.new(OPERATORS.keys.reject { |op| UNARY_OPERATORS.include?(op) }).freeze
 
+      # Precompiled expression that matches a valid attribute name according to
+      # https://tools.ietf.org/html/rfc7643#section-2.1.
+      #
+      ATTRNAME = /[[:alpha:]][[:alnum:]$-_]*/
+
       # =======================================================================
       # Tokenizing expressions
       # =======================================================================
 
       PAREN       = /[\(\)]/.freeze
       STR         = /"(?:\\"|[^"])*"/.freeze
-      OP          = /#{OPERATORS.keys.join('|')}/i.freeze
+      OP          = /(?:#{OPERATORS.keys.join('|')})\b/i.freeze
       WORD        = /[\w\.]+/.freeze
       SEP         = /\s?/.freeze
       NEXT_TOKEN  = /\A(#{PAREN}|#{STR}|#{OP}|#{WORD})#{SEP}/.freeze
@@ -291,6 +296,10 @@ module Scimitar
         # the part before the "[" as a prefix - "emails[type" to "emails.type",
         # with similar substitutions therein.
         #
+        # Further, via https://github.com/pond/scimitar/issues/115 we see
+        # a requirement to support a broken form emitted by Microsoft; that is
+        # supported herein.
+        #
         # This method tries to flatten things thus. It throws exceptions if any
         # problems arise at all. Some limitations:
         #
@@ -314,6 +323,9 @@ module Scimitar
         #     <- userType ne "Employee" and not (emails[value co "example.com" or (value co "example.org")]) and userName="foo"
         #     => userType ne "Employee" and not (emails.value co "example.com" or (emails.value co "example.org")) and userName="foo"
         #
+        #     <- emails[type eq "work"].value eq "foo@bar.com"   (Microsoft workaround)
+        #     => emails.type eq "work" and emails.value eq "foo@bar.com"
+        #
         # +filter+:: Input filter string. Returns a possibly modified String,
         #            with the hopefully equivalent but flattened filter inside.
         #
@@ -330,14 +342,14 @@ module Scimitar
           skip_next_component       = false
 
           components.each.with_index do | component, index |
-            if skip_next_component == true
+            if skip_next_component
               skip_next_component = false
               next
             end
 
             downcased = component.downcase.strip
 
-            if (expecting_attribute)
+            if expecting_attribute
               if downcased.match?(/[^\\]\[/) # Not backslash then literal '['
                 attribute_prefix       = component.match(/(.*?[^\\])\[/   )[1] # Everything before no-backslash-then-literal (unescaped) '['
                 first_attribute_inside = component.match(    /[^\\]\[(.*)/)[1] # Everything  after no-backslash-then-literal (unescaped) '['
@@ -350,7 +362,7 @@ module Scimitar
               expecting_attribute = false
               expecting_operator  = true
 
-            elsif (expecting_operator)
+            elsif expecting_operator
               rewritten << component
               if BINARY_OPERATORS.include?(downcased)
                 expecting_operator = false
@@ -362,10 +374,54 @@ module Scimitar
                 raise 'Expected operator'
               end
 
-            elsif (expecting_value)
-              matches = downcased.match(/([^\\])\]/) # Contains no-backslash-then-literal (unescaped) ']'
+            elsif expecting_value
+              matches = downcased.match(/([^\\])\](.*)/) # Contains no-backslash-then-literal (unescaped) ']'; also capture anything after
               unless matches.nil? # Contains no-backslash-then-literal (unescaped) ']'
                 character_before_closing_bracket = matches[1]
+                characters_after_closing_bracket = matches[2]
+
+                # https://github.com/pond/scimitar/issues/115 - detect
+                # bad Microsoft filters. After the closing bracket, we expect a
+                # dot then valid attribute characters and at least one white
+                # space character and filter operator, but we split on spaces,
+                # so the next item in the components array must be a recognised
+                # operator for the special case code to kick in.
+                #
+                # If this all works out, we transform this section of the
+                # filter string into a local dotted form, reconstruct the
+                # overall filter with this substitution, and call back to this
+                # method with that modified filter, returning the result.
+                #
+                # So - NOTE RECURSION AND EARLY EXIT POSSIBILITY HEREIN.
+                #
+                if (
+                  !attribute_prefix.nil? &&
+                  OPERATORS.key?(components[index + 1]&.downcase) &&
+                  characters_after_closing_bracket.match?(/^\.#{ATTRNAME}$/)
+                )
+                  # E.g. '"work"' and '.value' from input '"work"].value'
+                  #
+                  component_matches           = component.match(/^(.*?[^\\])\](.*)/)
+                  part_before_closing_bracket = component_matches[1]
+                  part_after_closing_bracket  = component_matches[2]
+
+                  # Produces e.g. '"work"] and emails.value'
+                  #
+                  dotted_version = "#{part_before_closing_bracket}] and #{attribute_prefix}#{part_after_closing_bracket}"
+
+                  # Overwrite the components array entry with this new version.
+                  #
+                  components[index] = dotted_version
+
+                  # Join it back again as a reconstructed valid filter string.
+                  #
+                  hopefully_valid_filter = components.join(' ')
+
+                  # NOTE EARLY EXIT
+                  #
+                  return flatten_filter(hopefully_valid_filter)
+                end
+
                 component.gsub!(/[^\\]\]/, character_before_closing_bracket)
 
                 if expecting_closing_bracket
@@ -381,7 +437,7 @@ module Scimitar
               if downcased.start_with?('"')
                 expecting_closing_quote = true
                 downcased = downcased[1..-1] # Strip off opening '"' to avoid false-positive on 'contains closing quote' check below
-              elsif expecting_closing_quote == false # If not expecting a closing quote, then the component must be the entire no-spaces value
+              elsif !expecting_closing_quote # If not expecting a closing quote, then the component must be the entire no-spaces value
                 expecting_value      = false
                 expecting_logic_word = true
               end
@@ -394,7 +450,7 @@ module Scimitar
                 end
               end
 
-            elsif (expecting_logic_word)
+            elsif expecting_logic_word
               if downcased == 'and' || downcased == 'or'
                 rewritten << component
                 next_downcased_component = components[index + 1].downcase.strip
@@ -410,7 +466,36 @@ module Scimitar
             end
           end
 
-          return rewritten.join(' ')
+          # Handle schema IDs.
+          #
+          # Scimitar currently has a limitation where it strips schema IDs in
+          # things like PATCH operation path traversal; see
+          # https://github.com/pond/scimitar/issues/130. At least that
+          # makes things easy here; use the same approach and strip them out!
+          #
+          # We don't know which resource is being queried at this layer of the
+          # software. If Scimitar were to bump major version, then an extension
+          # to QueryParser#parse to include this information would be wise. In
+          # the mean time, all we can do is enumerate all extension schema
+          # subclasses with IDs and remove those IDs if present in the filter.
+          #
+          # Inbound unrecognised schema IDs will be left behind. If the client
+          # Scimitar application hasn't defined requested schemas, it would
+          # very likely never have been able to handle the filter either way.
+          #
+          rewritten_joined = rewritten.join(' ')
+          if rewritten_joined.include?(':')
+
+            # README.md notes that extensions *must* be a subclass of
+            # Scimitar::Schema::Base and must define IDs.
+            #
+            known_schema_ids = Scimitar::Schema::Base.subclasses.map { |s| s.new.id }.compact
+            known_schema_ids.each do | schema_id |
+              rewritten_joined.gsub!(/#{schema_id}[\:\.]/, '')
+            end
+          end
+
+          return rewritten_joined
         end
 
         # Service method to DRY up #flatten_filter a little. Applies a prefix
@@ -501,11 +586,11 @@ module Scimitar
 
         # Recursively process an expression tree. Calls itself with nested tree
         # fragments. Each inner expression fragment calculates on the given
-        # base scope, with aggregration at each level into a wider query using
+        # base scope, with aggregation at each level into a wider query using
         # AND or OR depending on the expression tree contents.
         #
         # +base_scope+::      Base scope (ActiveRecord::Relation, e.g. User.all
-        #                     - neverchanges during recursion).
+        #                     - never changes during recursion).
         #
         # +expression_tree+:: Top-level expression tree or fragments inside if
         #                     self-calling recursively.
@@ -663,7 +748,7 @@ module Scimitar
 
         # Returns the mapped-to-your-domain column name(s) that a filter string
         # is operating upon, in an Array. If empty, the attribute is to be
-        # ignored. Raises an exception if entirey unmapped (thus unsupported).
+        # ignored. Raises an exception if entirely unmapped (thus unsupported).
         #
         # Note plural - the return value is always an array any of which should
         # be used (implicit 'OR').

data/app/models/scimitar/resource_invalid_error.rb

@@ -2,7 +2,7 @@ module Scimitar
   class ResourceInvalidError < ErrorResponse
 
     def initialize(error_message)
-      super(status: 400, scimType: 'invalidValue', detail:"Operation failed since record has become invalid: #{error_message}")
+      super(status: 400, scimType: 'invalidValue', detail: "Operation failed since record has become invalid: #{error_message}")
     end
 
   end

data/app/models/scimitar/resource_type.rb

@@ -17,12 +17,10 @@ module Scimitar
 
     def as_json(options = {})
       without_extensions = super(except: 'schemaExtensions')
-      if schemaExtensions.present?
-        extensions = schemaExtensions.map{|extension| {"schema" => extension, "required" => false}}
-        without_extensions.merge('schemaExtensions' => extensions)
-      else
-        without_extensions
-      end
+      return without_extensions unless schemaExtensions.present? # NOTE EARLY EXIT
+
+      extensions = schemaExtensions.map{|extension| {"schema" => extension, "required" => false}}
+      without_extensions.merge('schemaExtensions' => extensions)
     end
 
   end

data/app/models/scimitar/resources/base.rb

@@ -35,14 +35,45 @@ module Scimitar
         @errors = ActiveModel::Errors.new(self)
       end
 
+      # Scimitar has at present a general limitation in handling schema IDs,
+      # which just involves stripping them and requiring attributes across all
+      # extension schemas to be overall unique.
+      #
+      # This method takes an options payload for the initializer and strips out
+      # *recognised* schema IDs, so that the resulting attribute data matches
+      # the resource attribute map.
+      #
+      # +attributes+:: Attributes to assign via initializer; typically a POST
+      #                payload of attributes that has been run through Rails
+      #                strong parameters for safety.
+      #
+      # Returns a new object of the same class as +options+ with recognised
+      # schema IDs removed.
+      #
       def flatten_extension_attributes(options)
-        flattened = options.dup
-        self.class.extended_schemas.each do |extended_schema|
-          if extension_attrs = flattened.delete(extended_schema.id)
-            flattened.merge!(extension_attrs)
+        flattened             = options.class.new
+        lower_case_schema_ids = self.class.extended_schemas.map do | schema |
+          schema.id.downcase()
+        end
+
+        options.each do | key, value |
+          path = Scimitar::Support::Utilities::path_str_to_array(
+            self.class.extended_schemas,
+            key
+          )
+
+          if path.first.include?(':') && lower_case_schema_ids.include?(path.first.downcase)
+            path.shift()
+          end
+
+          if path.empty?
+            flattened.merge!(value)
+          else
+            flattened[path.join('.')] = value
           end
         end
-        flattened
+
+        return flattened
       end
 
       # Can be used to extend an existing resource type's schema. For example:
@@ -127,9 +158,9 @@ module Scimitar
         hash.with_indifferent_access.each_pair do |attr_name, attr_value|
           scim_attribute = self.class.complex_scim_attributes[attr_name].try(:first)
 
-          if scim_attribute && scim_attribute.complexType
+          if scim_attribute&.complexType
             if scim_attribute.multiValued
-              self.send("#{attr_name}=", attr_value.map {|attr_for_each_item| complex_type_from_hash(scim_attribute, attr_for_each_item)})
+              self.send("#{attr_name}=", attr_value&.map {|attr_for_each_item| complex_type_from_hash(scim_attribute, attr_for_each_item)})
             else
               self.send("#{attr_name}=", complex_type_from_hash(scim_attribute, attr_value))
             end
@@ -137,15 +168,28 @@ module Scimitar
         end
       end
 
+      # Renders *in full* as JSON; typically used for write-based operations...
+      #
+      #     record = self.storage_class().new
+      #     record.from_scim!(scim_hash: scim_resource.as_json())
+      #     self.save!(record)
+      #
+      # ...so all fields, even those marked "returned: false", are included.
+      # Use Scimitar::Resources::Mixin::to_scim to obtain a SCIM object with
+      # non-returnable fields omitted, rendering *that* as JSON via #to_json.
+      #
       def as_json(options = {})
         self.meta = Meta.new unless self.meta && self.meta.is_a?(Meta)
-        meta.resourceType = self.class.resource_type_id
+        self.meta.resourceType = self.class.resource_type_id
+
         original_hash = super(options).except('errors')
         original_hash.merge!('schemas' => self.class.schemas.map(&:id))
+
         self.class.extended_schemas.each do |extension_schema|
           extension_attributes = extension_schema.scim_attributes.map(&:name)
           original_hash.merge!(extension_schema.id => original_hash.extract!(*extension_attributes))
         end
+
         original_hash
       end