RubyGems - scimitar - Versions diffs - 2.6.0 → 2.7.0 - Mend

scimitar 2.6.0 → 2.7.0

Files changed (24) hide show

checksums.yaml +4 -4
data/LICENSE.txt +21 -0
data/README.md +710 -0
data/app/controllers/scimitar/active_record_backed_resources_controller.rb +53 -17
data/app/controllers/scimitar/application_controller.rb +13 -4
data/app/models/scimitar/complex_types/address.rb +0 -6
data/app/models/scimitar/resource_invalid_error.rb +1 -1
data/app/models/scimitar/resources/mixin.rb +4 -1
data/app/models/scimitar/schema/attribute.rb +3 -3
data/config/initializers/scimitar.rb +3 -3
data/lib/scimitar/support/utilities.rb +51 -0
data/lib/scimitar/version.rb +2 -2
data/lib/scimitar.rb +1 -0
data/spec/apps/dummy/app/controllers/custom_create_mock_users_controller.rb +25 -0
data/spec/apps/dummy/app/controllers/custom_replace_mock_users_controller.rb +25 -0
data/spec/apps/dummy/app/controllers/custom_update_mock_users_controller.rb +25 -0
data/spec/apps/dummy/config/routes.rb +15 -3
data/spec/controllers/scimitar/application_controller_spec.rb +56 -2
data/spec/controllers/scimitar/schemas_controller_spec.rb +1 -1
data/spec/models/scimitar/complex_types/address_spec.rb +3 -4
data/spec/models/scimitar/resources/mixin_spec.rb +22 -0
data/spec/requests/active_record_backed_resources_controller_spec.rb +410 -50
data/spec/spec_helper.rb +9 -1
metadata +34 -11

data/spec/requests/active_record_backed_resources_controller_spec.rb CHANGED Viewed

@@ -13,9 +13,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
     lmt = Time.parse("2023-01-09 14:25:00 +1300")
     ids = 3.times.map { SecureRandom.uuid }.sort()
-    @u1 = MockUser.create(primary_key: ids.shift(), username: '1', first_name: 'Foo', last_name: 'Ark', home_email_address: 'home_1@test.com', scim_uid: '001', created_at: lmt, updated_at: lmt + 1)
-    @u2 = MockUser.create(primary_key: ids.shift(), username: '2', first_name: 'Foo', last_name: 'Bar', home_email_address: 'home_2@test.com', scim_uid: '002', created_at: lmt, updated_at: lmt + 2)
-    @u3 = MockUser.create(primary_key: ids.shift(), username: '3', first_name: 'Foo',                   home_email_address: 'home_3@test.com', scim_uid: '003', created_at: lmt, updated_at: lmt + 3)
+    @u1 = MockUser.create!(primary_key: ids.shift(), username: '1', first_name: 'Foo', last_name: 'Ark', home_email_address: 'home_1@test.com', scim_uid: '001', created_at: lmt, updated_at: lmt + 1)
+    @u2 = MockUser.create!(primary_key: ids.shift(), username: '2', first_name: 'Foo', last_name: 'Bar', home_email_address: 'home_2@test.com', scim_uid: '002', created_at: lmt, updated_at: lmt + 2)
+    @u3 = MockUser.create!(primary_key: ids.shift(), username: '3', first_name: 'Foo',                   home_email_address: 'home_3@test.com', scim_uid: '003', created_at: lmt, updated_at: lmt + 3)
     @g1 = MockGroup.create!(display_name: 'Group 1')
     @g2 = MockGroup.create!(display_name: 'Group 2')
@@ -26,13 +26,17 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
   context '#index' do
     context 'with no items' do
-      it 'returns empty list' do
+      before :each do
         MockUser.delete_all
+      end
+      it 'returns empty list' do
         expect_any_instance_of(MockUsersController).to receive(:index).once.and_call_original
         get '/Users', params: { format: :scim }
-        expect(response.status).to eql(200)
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
         result = JSON.parse(response.body)
         expect(result['totalResults']).to eql(0)
@@ -46,7 +50,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         it 'returns all items' do
           get '/Users', params: { format: :scim }
-          expect(response.status).to eql(200)
+          expect(response.status                 ).to eql(200)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
           result = JSON.parse(response.body)
           expect(result['totalResults']).to eql(3)
@@ -64,7 +70,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         it 'returns all items' do
           get '/Groups', params: { format: :scim }
-          expect(response.status).to eql(200)
+          expect(response.status                 ).to eql(200)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
           result = JSON.parse(response.body)
           expect(result['totalResults']).to eql(3)
@@ -84,7 +92,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
           filter: 'name.givenName eq "FOO" and name.familyName pr and emails ne "home_1@test.com"'
         }
-        expect(response.status).to eql(200)
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
         result = JSON.parse(response.body)
         expect(result['totalResults']).to eql(1)
@@ -103,7 +113,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
           filter: 'name.GIVENNAME eq "Foo" and name.Familyname pr and emails ne "home_1@test.com"'
         }
-        expect(response.status).to eql(200)
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
         result = JSON.parse(response.body)
         expect(result['totalResults']).to eql(1)
@@ -126,7 +138,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
             filter: "id eq \"#{@u3.primary_key}\""
           }
-          expect(response.status).to eql(200)
+          expect(response.status                 ).to eql(200)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
           result = JSON.parse(response.body)
           expect(result['totalResults']).to eql(1)
@@ -145,7 +159,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
             filter: "externalID eq \"#{@u2.scim_uid}\""
           }
-          expect(response.status).to eql(200)
+          expect(response.status                 ).to eql(200)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
           result = JSON.parse(response.body)
           expect(result['totalResults']).to eql(1)
@@ -164,7 +180,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
             filter: "Meta.LastModified eq \"#{@u3.updated_at}\""
           }
-          expect(response.status).to eql(200)
+          expect(response.status                 ).to eql(200)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
           result = JSON.parse(response.body)
           expect(result['totalResults']).to eql(1)
@@ -184,7 +202,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
           count:  2
         }
-        expect(response.status).to eql(200)
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
         result = JSON.parse(response.body)
         expect(result['totalResults']).to eql(3)
@@ -203,7 +223,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
           startIndex: 2
         }
-        expect(response.status).to eql(200)
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
         result = JSON.parse(response.body)
         expect(result['totalResults']).to eql(3)
@@ -224,8 +246,11 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
           filter: 'name.givenName'
         }
-        expect(response.status).to eql(400)
+        expect(response.status                 ).to eql(400)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
         result = JSON.parse(response.body)
         expect(result['scimType']).to eql('invalidFilter')
       end
     end # "context 'with bad calls' do"
@@ -239,7 +264,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         expect_any_instance_of(MockUsersController).to receive(:show).once.and_call_original
         get "/Users/#{@u2.primary_key}", params: { format: :scim }
-        expect(response.status).to eql(200)
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
         result = JSON.parse(response.body)
         expect(result['id']).to eql(@u2.primary_key.to_s)
@@ -254,7 +281,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         expect_any_instance_of(MockGroupsController).to receive(:show).once.and_call_original
         get "/Groups/#{@g2.id}", params: { format: :scim }
-        expect(response.status).to eql(200)
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
         result = JSON.parse(response.body)
         expect(result['id']).to eql(@g2.id.to_s) # Note - ID was converted String; not Integer
@@ -266,8 +295,11 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
     it 'renders 404' do
       get '/Users/xyz', params: { format: :scim }
-      expect(response.status).to eql(404)
+      expect(response.status                 ).to eql(404)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
       result = JSON.parse(response.body)
       expect(result['status']).to eql('404')
     end
   end # "context '#show' do"
@@ -283,7 +315,12 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
           attributes = { userName: '4' } # Minimum required by schema
           attributes = spec_helper_hupcase(attributes) if force_upper_case
+          # Prove that certain known pathways are called; can then unit test
+          # those if need be and be sure that this covers #create actions.
+          #
           expect_any_instance_of(MockUsersController).to receive(:create).once.and_call_original
+          expect_any_instance_of(MockUsersController).to receive(:save! ).once.and_call_original
           expect {
             post "/Users", params: attributes.merge(format: :scim)
           }.to change { MockUser.count }.by(1)
@@ -291,7 +328,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
           mock_after = MockUser.all.to_a
           new_mock = (mock_after - mock_before).first
-          expect(response.status).to eql(201)
+          expect(response.status                 ).to eql(201)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
           result = JSON.parse(response.body)
           expect(result['id']).to eql(new_mock.primary_key.to_s)
@@ -332,7 +371,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
           mock_after = MockUser.all.to_a
           new_mock = (mock_after - mock_before).first
-          expect(response.status).to eql(201)
+          expect(response.status                 ).to eql(201)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
           result = JSON.parse(response.body)
           expect(result['id']).to eql(new_mock.id.to_s)
@@ -363,8 +404,11 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         }
       }.to_not change { MockUser.count }
-      expect(response.status).to eql(409)
+      expect(response.status                 ).to eql(409)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
       result = JSON.parse(response.body)
       expect(result['scimType']).to eql('uniqueness')
       expect(result['detail']).to include('already been taken')
     end
@@ -377,8 +421,11 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         }
       }.to_not change { MockUser.count }
-      expect(response.status).to eql(400)
+      expect(response.status                 ).to eql(400)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
       result = JSON.parse(response.body)
       expect(result['scimType']).to eql('invalidValue')
       expect(result['detail']).to include('is required')
     end
@@ -391,28 +438,84 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         }
       }.to_not change { MockUser.count }
-      expect(response.status).to eql(400)
+      expect(response.status                 ).to eql(400)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
       result = JSON.parse(response.body)
       expect(result['scimType']).to eql('invalidValue')
       expect(result['detail']).to include('is reserved')
     end
-    it 'invokes a block if given one' do
-      mock_before = MockUser.all.to_a
-      attributes = { userName: '5' } # Minimum required by schema
+    context 'with a block' do
+      it 'invokes the block' do
+        mock_before = MockUser.all.to_a
-      expect_any_instance_of(CustomSaveMockUsersController).to receive(:create).once.and_call_original
-      expect {
-        post "/CustomSaveUsers", params: attributes.merge(format: :scim)
-      }.to change { MockUser.count }.by(1)
+        expect_any_instance_of(CustomCreateMockUsersController).to receive(:create).once.and_call_original
+        expect {
+          post "/CustomCreateUsers", params: {
+            format:   :scim,
+            userName: '4' # Minimum required by schema
+          }
+        }.to change { MockUser.count }.by(1)
-      mock_after = MockUser.all.to_a
-      new_mock = (mock_after - mock_before).first
+        mock_after = MockUser.all.to_a
+        new_mock = (mock_after - mock_before).first
-      expect(response.status).to eql(201)
-      expect(new_mock.username).to eql(CustomSaveMockUsersController::CUSTOM_SAVE_BLOCK_USERNAME_INDICATOR)
-    end
+        expect(response.status                 ).to eql(201)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+        result = JSON.parse(response.body)
+        expect(result['id']).to eql(new_mock.id.to_s)
+        expect(result['meta']['resourceType']).to eql('User')
+        expect(new_mock.first_name).to eql(CustomCreateMockUsersController::OVERRIDDEN_NAME)
+      end
+      it 'returns 409 for duplicates (by Rails validation)' do
+        existing_user = MockUser.create!(
+          username:           '4',
+          first_name:         'Will Be Overridden',
+          last_name:          'Baz',
+          home_email_address: 'random@test.com',
+          scim_uid:           '999'
+        )
+        expect_any_instance_of(CustomCreateMockUsersController).to receive(:create).once.and_call_original
+        expect {
+          post "/CustomCreateUsers", params: {
+            format:   :scim,
+            userName: '4' # Already exists
+          }
+        }.to_not change { MockUser.count }
+        expect(response.status                 ).to eql(409)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+        result = JSON.parse(response.body)
+        expect(result['scimType']).to eql('uniqueness')
+        expect(result['detail']).to include('already been taken')
+      end
+      it 'notes Rails validation failures' do
+        expect_any_instance_of(CustomCreateMockUsersController).to receive(:create).once.and_call_original
+        expect {
+          post "/CustomCreateUsers", params: {
+            format:   :scim,
+            userName: MockUser::INVALID_USERNAME
+          }
+        }.to_not change { MockUser.count }
+        expect(response.status                 ).to eql(400)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+        result = JSON.parse(response.body)
+        expect(result['scimType']).to eql('invalidValue')
+        expect(result['detail']).to include('is reserved')
+      end
+    end # "context 'with a block' do"
   end # "context '#create' do"
   # ===========================================================================
@@ -423,12 +526,18 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         attributes = { userName: '4' }  # Minimum required by schema
         attributes = spec_helper_hupcase(attributes) if force_upper_case
+        # Prove that certain known pathways are called; can then unit test
+        # those if need be and be sure that this covers #replace actions.
+        #
         expect_any_instance_of(MockUsersController).to receive(:replace).once.and_call_original
+        expect_any_instance_of(MockUsersController).to receive(:save! ).once.and_call_original
         expect {
           put "/Users/#{@u2.primary_key}", params: attributes.merge(format: :scim)
         }.to_not change { MockUser.count }
-        expect(response.status).to eql(200)
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
         result = JSON.parse(response.body)
         expect(result['id']).to eql(@u2.primary_key.to_s)
@@ -459,8 +568,11 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         }
       }.to_not change { MockUser.count }
-      expect(response.status).to eql(400)
+      expect(response.status                 ).to eql(400)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
       result = JSON.parse(response.body)
       expect(result['scimType']).to eql('invalidValue')
       expect(result['detail']).to include('is required')
@@ -474,13 +586,15 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
     it 'notes Rails validation failures' do
       expect {
-        post "/Users", params: {
+        put "/Users/#{@u2.primary_key}", params: {
           format: :scim,
           userName: MockUser::INVALID_USERNAME
         }
       }.to_not change { MockUser.count }
-      expect(response.status).to eql(400)
+      expect(response.status                 ).to eql(400)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
       result = JSON.parse(response.body)
       expect(result['scimType']).to eql('invalidValue')
@@ -502,10 +616,65 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         }
       }.to_not change { MockUser.count }
-      expect(response.status).to eql(404)
+      expect(response.status                 ).to eql(404)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
       result = JSON.parse(response.body)
       expect(result['status']).to eql('404')
     end
+    context 'with a block' do
+      it 'invokes the block' do
+        attributes = { userName: '4' }  # Minimum required by schema
+        expect_any_instance_of(CustomReplaceMockUsersController).to receive(:replace).once.and_call_original
+        expect {
+          put "/CustomReplaceUsers/#{@u2.primary_key}", params: {
+            format:   :scim,
+            userName: '4'
+          }
+        }.to_not change { MockUser.count }
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+        result = JSON.parse(response.body)
+        expect(result['id']).to eql(@u2.primary_key.to_s)
+        expect(result['meta']['resourceType']).to eql('User')
+        @u2.reload
+        expect(@u2.username  ).to eql('4')
+        expect(@u2.first_name).to eql(CustomReplaceMockUsersController::OVERRIDDEN_NAME)
+      end
+      it 'notes Rails validation failures' do
+        expect_any_instance_of(CustomReplaceMockUsersController).to receive(:replace).once.and_call_original
+        expect {
+          put "/CustomReplaceUsers/#{@u2.primary_key}", params: {
+            format:   :scim,
+            userName: MockUser::INVALID_USERNAME
+          }
+        }.to_not change { MockUser.count }
+        expect(response.status                 ).to eql(400)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+        result = JSON.parse(response.body)
+        expect(result['scimType']).to eql('invalidValue')
+        expect(result['detail']).to include('is reserved')
+        @u2.reload
+        expect(@u2.username).to eql('2')
+        expect(@u2.first_name).to eql('Foo')
+        expect(@u2.last_name).to eql('Bar')
+        expect(@u2.home_email_address).to eql('home_2@test.com')
+      end
+    end # "context 'with a block' do"
   end # "context '#replace' do"
   # ===========================================================================
@@ -530,12 +699,19 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         payload = spec_helper_hupcase(payload) if force_upper_case
+        # Prove that certain known pathways are called; can then unit test
+        # those if need be and be sure that this covers #update actions.
+        #
         expect_any_instance_of(MockUsersController).to receive(:update).once.and_call_original
+        expect_any_instance_of(MockUsersController).to receive(:save! ).once.and_call_original
         expect {
           patch "/Users/#{@u2.primary_key}", params: payload.merge(format: :scim)
         }.to_not change { MockUser.count }
-        expect(response.status).to eql(200)
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
         result = JSON.parse(response.body)
         expect(result['id']).to eql(@u2.primary_key.to_s)
@@ -572,7 +748,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
             patch "/Users/#{@u2.primary_key}", params: payload.merge(format: :scim)
           }.to_not change { MockUser.count }
-          expect(response.status).to eql(200)
+          expect(response.status                 ).to eql(200)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
           result = JSON.parse(response.body)
           expect(result['id']).to eql(@u2.primary_key.to_s)
@@ -604,7 +782,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
             patch "/Users/#{@u2.primary_key}", params: payload.merge(format: :scim)
           }.to_not change { MockUser.count }
-          expect(response.status).to eql(200)
+          expect(response.status                 ).to eql(200)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
           result = JSON.parse(response.body)
           expect(result['id']).to eql(@u2.primary_key.to_s)
@@ -636,7 +816,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
             patch "/Users/#{@u2.primary_key}", params: payload.merge(format: :scim)
           }.to_not change { MockUser.count }
-          expect(response.status).to eql(200)
+          expect(response.status                 ).to eql(200)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
           result = JSON.parse(response.body)
           expect(result['id']).to eql(@u2.primary_key.to_s)
@@ -675,7 +857,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         }
       }.to_not change { MockUser.count }
-      expect(response.status).to eql(400)
+      expect(response.status                 ).to eql(400)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
       result = JSON.parse(response.body)
       expect(result['scimType']).to eql('invalidValue')
@@ -703,8 +887,11 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         }
       }.to_not change { MockUser.count }
-      expect(response.status).to eql(404)
+      expect(response.status                 ).to eql(404)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
       result = JSON.parse(response.body)
       expect(result['status']).to eql('404')
     end
@@ -741,7 +928,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         get "/Groups/#{@g1.id}", params: { format: :scim }
-        expect(response.status).to eql(200)
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
         result = JSON.parse(response.body)
         expect(result['members']).to be_empty
@@ -768,7 +957,9 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
           get "/Groups/#{@g1.id}", params: { format: :scim }
-          expect(response.status).to eql(200)
+          expect(response.status                 ).to eql(200)
+          expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
           result = JSON.parse(response.body)
           expect(result['members'].map { |m| m['value'] }.sort()).to eql(expected_remaining_user_ids)
@@ -843,12 +1034,178 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         it_behaves_like 'a user remover'
       end # context 'and using a Salesforce variant payload' do
     end # "context 'when removing users from groups' do"
+    context 'with a block' do
+      it 'invokes the block' do
+        payload = {
+          format: :scim,
+          Operations: [
+            {
+              op: 'add',
+              path: 'userName',
+              value: '4'
+            },
+            {
+              op: 'replace',
+              path: 'emails[type eq "work"]',
+              value: { type: 'work', value: 'work_4@test.com' }
+            }
+          ]
+        }
+        expect_any_instance_of(CustomUpdateMockUsersController).to receive(:update).once.and_call_original
+        expect {
+          patch "/CustomUpdateUsers/#{@u2.primary_key}", params: payload
+        }.to_not change { MockUser.count }
+        expect(response.status                 ).to eql(200)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+        result = JSON.parse(response.body)
+        expect(result['id']).to eql(@u2.primary_key.to_s)
+        expect(result['meta']['resourceType']).to eql('User')
+        @u2.reload
+        expect(@u2.username          ).to eql('4')
+        expect(@u2.first_name        ).to eql(CustomUpdateMockUsersController::OVERRIDDEN_NAME)
+        expect(@u2.work_email_address).to eql('work_4@test.com')
+      end
+      it 'notes Rails validation failures' do
+        expect_any_instance_of(CustomUpdateMockUsersController).to receive(:update).once.and_call_original
+        expect {
+          patch "/CustomUpdateUsers/#{@u2.primary_key}", params: {
+            format: :scim,
+            Operations: [
+              {
+                op: 'add',
+                path: 'userName',
+                value: MockUser::INVALID_USERNAME
+              }
+            ]
+          }
+        }.to_not change { MockUser.count }
+        expect(response.status                 ).to eql(400)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+        result = JSON.parse(response.body)
+        expect(result['scimType']).to eql('invalidValue')
+        expect(result['detail']).to include('is reserved')
+        @u2.reload
+        expect(@u2.username).to eql('2')
+        expect(@u2.first_name).to eql('Foo')
+        expect(@u2.last_name).to eql('Bar')
+        expect(@u2.home_email_address).to eql('home_2@test.com')
+      end
+    end # "context 'with a block' do"
   end # "context '#update' do"
+  # ===========================================================================
+  # In-passing parts of tests above show that #create, #replace and #update all
+  # route through #save!, so now add some unit tests for that and for exception
+  # handling overrides invoked via #save!.
+  # ===========================================================================
+  context 'overriding #save!' do
+    it 'invokes a block if given one' do
+      mock_before = MockUser.all.to_a
+      attributes = { userName: '5' } # Minimum required by schema
+      expect_any_instance_of(CustomSaveMockUsersController).to receive(:create).once.and_call_original
+      expect {
+        post "/CustomSaveUsers", params: attributes.merge(format: :scim)
+      }.to change { MockUser.count }.by(1)
+      mock_after = MockUser.all.to_a
+      new_mock = (mock_after - mock_before).first
+      expect(response.status                 ).to eql(201)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+      expect(new_mock.username).to eql(CustomSaveMockUsersController::CUSTOM_SAVE_BLOCK_USERNAME_INDICATOR)
+    end
+  end # "context 'overriding #save!' do
+  context 'custom on-save exceptions' do
+    MockUsersController.new.send(:scimitar_rescuable_exceptions).each do | exception_class |
+      it "handles out-of-box exception #{exception_class}" do
+        expect_any_instance_of(MockUsersController).to receive(:create).once.and_call_original
+        expect_any_instance_of(MockUsersController).to receive(:save! ).once.and_call_original
+        expect_any_instance_of(MockUser).to receive(:save!).once { raise exception_class }
+        expect {
+          post "/Users", params: { format: :scim, userName: SecureRandom.uuid }
+        }.to_not change { MockUser.count }
+        expected_status, expected_prefix = if exception_class == ActiveRecord::RecordNotUnique
+          [409, 'Operation failed due to a uniqueness constraint: ']
+        else
+          [400, 'Operation failed since record has become invalid: ']
+        end
+        expect(response.status                 ).to eql(expected_status)
+        expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+        result = JSON.parse(response.body)
+        # Check basic SCIM error rendering - good enough given other tests
+        # elsewhere. Exact message varies by exception.
+        #
+        expect(result['detail']).to start_with(expected_prefix)
+      end
+    end
+    it 'handles custom exceptions' do
+      exception_class = RuntimeError # (for testing only; usually, this would provoke a 500 response)
+      expect_any_instance_of(MockUsersController).to receive(:create).once.and_call_original
+      expect_any_instance_of(MockUsersController).to receive(:save! ).once.and_call_original
+      expect_any_instance_of(MockUsersController).to receive(:scimitar_rescuable_exceptions).once { [ exception_class ] }
+      expect_any_instance_of(MockUser           ).to receive(:save!                        ).once { raise exception_class }
+      expect {
+        post "/Users", params: { format: :scim, userName: SecureRandom.uuid }
+      }.to_not change { MockUser.count }
+      expect(response.status                 ).to eql(400)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+      result = JSON.parse(response.body)
+      expect(result['detail']).to start_with('Operation failed since record has become invalid: ')
+    end
+    it 'reports other exceptions as 500s' do
+      expect_any_instance_of(MockUsersController).to receive(:create).once.and_call_original
+      expect_any_instance_of(MockUsersController).to receive(:save! ).once.and_call_original
+      expect_any_instance_of(MockUser).to receive(:save!).once { raise RuntimeError }
+      expect {
+        post "/Users", params: { format: :scim, userName: SecureRandom.uuid }
+      }.to_not change { MockUser.count }
+      expect(response.status                 ).to eql(500)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
+      result = JSON.parse(response.body)
+      expect(result['detail']).to eql('RuntimeError')
+    end
+  end
   # ===========================================================================
   context '#destroy' do
-    it 'deletes an item if given no blok' do
+    it 'deletes an item if given no block' do
       expect_any_instance_of(MockUsersController).to receive(:destroy).once.and_call_original
       expect_any_instance_of(MockUser).to receive(:destroy!).once.and_call_original
       expect {
@@ -879,8 +1236,11 @@ RSpec.describe Scimitar::ActiveRecordBackedResourcesController do
         delete '/Users/xyz', params: { format: :scim }
       }.to_not change { MockUser.count }
-      expect(response.status).to eql(404)
+      expect(response.status                 ).to eql(404)
+      expect(response.headers['Content-Type']).to eql('application/scim+json; charset=utf-8')
       result = JSON.parse(response.body)
       expect(result['status']).to eql('404')
     end
   end # "context '#destroy' do"