Merge pull request #150 from RIPAGlobal/feature/v1.11.0

v1.11.0

.ruby-version

@@ -1 +1 @@
-3.3.0
+3.3.5

CHANGELOG.md

@@ -1,9 +1,43 @@
-# 2.8.0 (2024-06-13)
+# 1.11.0 (2024-10-22)
+
+Features:
+
+* Custom controller mixins can now override more of the Scimitar base controller since the inclusion has been moved to the end of the file. This is particularly useful for overriding `rescue_from` declarations. See [#148](https://github.com/RIPAGlobal/scimitar/pull/148) for more - thanks to `@hrtshu`
+
+Fixes:
+
+* The `ResourceTypes` endpoint returned an invalid payload; this is now fixed per RFC 7644 via [#147](https://github.com/RIPAGlobal/scimitar/pull/147) - thanks to `@pbouda`
+
+Other notes:
+
+* `README.md` typo fix via [#145](https://github.com/RIPAGlobal/scimitar/pull/145) - thanks to `@pavelloz`
+
+Gem developer notes:
+
+* Local developer Ruby version (for `rbenv` users, at least) bumped to v3.3.5
+
+# 1.10.0 (2024-06-27)
+
+Features:
+
+* Override which core schema are returned in the `/Schemas` endpoint via new call `Scimitar::Engine::set_default_resources` (see [this code diff](https://github.com/RIPAGlobal/scimitar/pull/133/files#diff-b8ad01f8ed8a88f41a13938505a2050d3d3ff86af93a78a7690b273ece6b80bdR80)) - implements [#118](https://github.com/RIPAGlobal/scimitar/issues/118) requested by `@gsar` via [#133](https://github.com/RIPAGlobal/scimitar/pull/133)
+* Opt-in feature to make the `/Schemas` endpoint walk resource attribute maps to determine _actual_ supported attributes and attribute mutability, rather than just reporting the literal schema definition; see the description of the `schema_list_from_attribute_mappings` configuration setting inside the template `config/initializers/scimitar.rb` file for details (or read it via the [code diff here](https://github.com/RIPAGlobal/scimitar/pull/135/files#diff-830211b739a7c7398083b7127d648b356f43d298713a2b3f0c13f2271b9d3c82R110)) - implements [#119](https://github.com/RIPAGlobal/scimitar/issues/119) requested by `@gsar` via [#135](https://github.com/RIPAGlobal/scimitar/pull/135)
+
+Fixes:
+
+* The `/Schemas` endpoint used to return a completely non-complaint response, but now returns a compliant `ListResponse`, as it always should have; there is no major version change to Scimitar with this fix, as it is hoped that this has no impact for most people (surely anyone who had attempted to use the endpoint would have already reported the issue!) - fixes [#117](https://github.com/RIPAGlobal/scimitar/issues/117) via [#133](https://github.com/RIPAGlobal/scimitar/pull/133) - thanks to `@gsar`
+* A number of problems with extension schema are fixed so they should work much more reliably now, with `README.md` documentation updated in a few places for clairty; check there if you are still having trouble - fixes [#122](https://github.com/RIPAGlobal/scimitar/issues/122) via [#134](https://github.com/RIPAGlobal/scimitar/pull/134) - thanks to `@easym0de`
+
+Other notes:
+
+* For developers, note that debugging is now via the standard Ruby debugger - use e.g. `debugger` instead of `byebug` if you want to halt code and reach a debugging prompt during development work
+
+# 1.9.0 (unreleased)
 
 Features:
 
 * Supports the [SCIM mechanism for requesting specific attributes](https://datatracker.ietf.org/doc/html/rfc7644#section-3.9) (noting however that schema ID URN prefixes are not supported; use only dotted attribute paths without such prefixes) - closes [89](https://github.com/RIPAGlobal/scimitar/issues/89) via [102](https://github.com/RIPAGlobal/scimitar/pull/102) and [127](https://github.com/RIPAGlobal/scimitar/pull/127) - thanks to `@xjunior`
-* In a moment of déja vu from v2.7.3's Microsoft payload workarounds for [123](https://github.com/RIPAGlobal/scimitar/issues/123), handles a different kind of malformed filter sent by Microsoft Azure (Entra) in `GET` requests - implements [115](https://github.com/RIPAGlobal/scimitar/issues/115) requested by `@gsar` via [128](https://github.com/RIPAGlobal/scimitar/pull/128)
+* In a moment of déja vu from v1.8.3's Microsoft payload workarounds for [123](https://github.com/RIPAGlobal/scimitar/issues/123), handles a different kind of malformed filter sent by Microsoft Azure (Entra) in `GET` requests - implements [115](https://github.com/RIPAGlobal/scimitar/issues/115) requested by `@gsar` via [128](https://github.com/RIPAGlobal/scimitar/pull/128)
 * Handles schema IDs (URNs) in filters of `GET` requests - implements [116](https://github.com/RIPAGlobal/scimitar/issues/116) requested by `@gsar` via [131](https://github.com/RIPAGlobal/scimitar/pull/131)
 
 Fixes:
@@ -19,7 +53,7 @@ Fixes:
     end
     ```
 
-# 2.7.3 (2024-06-11)
+# 1.8.3 (unreleased)
 
 Features:
 
@@ -29,20 +63,20 @@ Fixes:
 
 * Handles what I _think_ are technically malformed payloads from Azure (Entra), but since they seem unavoidable, it's important to handle them - should fix [123](https://github.com/RIPAGlobal/scimitar/issues/123) reported by `@eduardoborba`
 
-# 2.7.2 (2024-03-27)
+# 1.8.2 (2024-03-27)
 
 Fixes:
 
 * The implementation of non-returned SCIM fields turned out to inadvertently prevent their subsequent update (so SCIM _updates_ to e.g. passwords would fail); fixed [105](https://github.com/RIPAGlobal/scimitar/issues/105) and (in passing) [6](https://github.com/RIPAGlobal/scimitar/issues/6), via [109](https://github.com/RIPAGlobal/scimitar/pull/109) - thanks to `@xjunior`
 * The case-insensitive, String or Symbol access Hash class documented itself as preserving case but did not, reported in [98](https://github.com/RIPAGlobal/scimitar/issues/98), also via [109](https://github.com/RIPAGlobal/scimitar/pull/109) - thanks to `@s-andringa`
 
-# 2.7.1 (2024-01-16)
+# 1.8.1 (2024-01-16)
 
 Fixes:
 
 * Some dependency chain gems have stopped supporting Ruby 2.7, so a `Gemfile.lock` for local development generated under Ruby 3 does not work under Ruby 2.7. Solved by removing `Gemfile.lock` entirely, so that an errant Nokogiri lock in `scimitar.gemspec` used previously as a workaround could also be removed.
 
-# 2.7.0 (2024-01-15)
+# 1.8.0 (2024-01-15)
 
 Warning:
 
@@ -63,12 +97,12 @@ Maintenance:
 
 * Bump local development Ruby to v3.3.0, including it in the test matrix and in effect creating "official" support for that Ruby version.
 
-# 2.6.1 (2023-11-15)
+# 1.7.1 (2023-11-15)
 
 * Always returns a `Content-Type` header with value `application/scim+json; charset=utf-8` in any response, since that's the only format the gem can write. Fixes [#59](https://github.com/RIPAGlobal/scimitar/issues/59).
 * Uses the more common header name form of `WWW-Authenticate` rather than the Rack-like `WWW_AUTHENTICATE` in responses.
 
-# 2.6.0 (2023-11-14)
+# 1.7.0 (2023-11-15)
 
 Features:
 
@@ -81,9 +115,9 @@ Fixes:
 * Multi-valued simple types are now correctly rendered via [74](https://github.com/RIPAGlobal/scimitar/pull/74) - thanks to `@s-andringa`
 * Sensitive fields are no longer rendered (fixes [#56](https://github.com/RIPAGlobal/scimitar/issues/56) via [#80](https://github.com/RIPAGlobal/scimitar/pull/80) - thanks to `@kuldeepaggarwal`.
 
-# 2.5.0 (2023-09-25)
+# 1.6.0 (2023-09-25)
 
-Many thanks to `@xjunior`, who contributed a series of improvements and fixes present in this version. New features:
+Many thanks to `@xjunior`, who contributed a series of improvements and fixes back-ported into this version. New features:
 
 * Allow writable complex types in custom extensions via [#61](https://github.com/RIPAGlobal/scimitar/pull/61)
 * Allow complex queries via table joins via [#62](https://github.com/RIPAGlobal/scimitar/pull/62)
@@ -93,89 +127,33 @@ Fixes:
 * Much better error message raised if `PatchOp` misses operations in [#65](https://github.com/RIPAGlobal/scimitar/pull/65)
 * Combined logical groups generate working queries with [#66](https://github.com/RIPAGlobal/scimitar/pull/66)
 
-# 2.4.3 (2023-09-16)
-
-* Maintenance release which merges a warning removal patch in [#54](https://github.com/RIPAGlobal/scimitar/pull/54) (thanks to `@sobrinho` for the contribution) via [#63](https://github.com/RIPAGlobal/scimitar/pull/63) and it is the changes in the latter which are brought into Scimitar V2 to keep a minimal overall diff between the V1 and V2.
-
-# 2.4.2 (2023-03-21)
-
-* Fix shortcoming in `Content-Type` header handling via [#51](https://github.com/RIPAGlobal/scimitar/pull/51). Thanks to `@Flixt` for the contribution.
+# 1.5.3 (2023-09-16)
 
-# 2.4.1 (2023-03-02)
+* Fix warning messages for Rails 6 and Zeitwerk. Thanks to `@sobrinho` for the contribution.
 
-* Address https://github.com/RIPAGlobal/scimitar/issues/48 by adapting https://github.com/RIPAGlobal/scimitar/issues/49, so that extension schemas work properly. Missing documentation in `README.md` addressed. Thanks to `@bettysteger` and `@MorrisFreeman` for the contribution.
+# 1.5.2 (2023-03-21)
 
-# 2.4.0 (2023-01-27)
+* Back-ports fix in [#51](https://github.com/RIPAGlobal/scimitar/pull/51) from v2.4.1. Thanks to `@Flixt` for the contribution.
 
-* Address https://github.com/RIPAGlobal/scimitar/issues/43 - allows Microsoft-style payloads for removing Users from Groups, with a special case exception for hypothetical inbound SCIM calls originating from Salesforce software. For more details of the fix, please see https://github.com/RIPAGlobal/scimitar/pull/45.
+# 1.5.1 (2023-03-20)
 
-# 2.3.0 (2023-01-17)
+* Back-ports features from v2.3.1 (addressing https://github.com/RIPAGlobal/scimitar/issues/48 by incorporating https://github.com/RIPAGlobal/scimitar/issues/49 into https://github.com/RIPAGlobal/scimitar/issues/50), for Rails 6 users.
 
-* Address https://github.com/RIPAGlobal/scimitar/issues/35. Declaring primary key in the ActiveRecord model would solve most of the problems described, but v2.2.0 did introduce a default order clause that would trip up a model with a different primary key name; this is now fixed. In any case, it may be possible to avoid declaring the primary key override in the model entirely if using Scimitar v2.3.0, should that be your wish. This is in effect an edge case new feature, which is why the gem's minor version has been bumped up.
+# 1.5.0 (2023-01-27)
 
-# 2.2.0 (2023-01-13)
+* Back-ports features from v2.3.0 (addressing https://github.com/RIPAGlobal/scimitar/issues/43) for Rails 6 users.
 
-* Bump local development Ruby to v3.2.0, including it in the test matrix and in effect creating "official" support for that Ruby version.
+# 1.4.0 (2023-01-26)
 
-# 2.1.3 (2023-01-09)
+* Back-ports fixes from v2.2.0 (Ruby v3.2.0 local development support and move to GitHub actions, mostly for this repo's sake) and v2.3.0 (fixes https://github.com/RIPAGlobal/scimitar/issues/35), for Rails 6 users.
 
-* Fix https://github.com/RIPAGlobal/scimitar/issues/36 - filters are case-sensitive for special cases of `id`, `externalId` and `meta.*` attributes. A model must still declare if and how these are searchable via its `::scim_queryable_attributes` implementation, just as with any other attribute.
+# 1.3.3 (2023-01-10)
 
-# 2.1.2 (2023-01-09)
-
-* Fix https://github.com/RIPAGlobal/scimitar/issues/37 - filters now correctly support case insensitive attribute names.
-
-# 2.1.1 (2022-11-04)
-
-* Merged https://github.com/RIPAGlobal/scimitar/pull/29, fixing an issue caused by an unhandled form of payload sent by Okta. Thanks to `@jasonopslevel` for the contribution.
-
-# 2.1.0 (2022-07-14)
-
-* Merged https://github.com/RIPAGlobal/scimitar/pull/17 (more detailed errors), https://github.com/RIPAGlobal/scimitar/pull/18 (`primary` attribute added to Address schema) and https://github.com/RIPAGlobal/scimitar/pull/19 (configurable required-or-optional `value` attributes in VDTP-derived types). Thanks for the contributions, `@pelted`!
-* Noted closed PR https://github.com/RIPAGlobal/scimitar/pull/25 and implemented a configurable exception reporting hook for people who might want that kind of feature. See [engine configuration option `exception_reporter`](https://github.com/RIPAGlobal/scimitar/blob/main/config/initializers/scimitar.rb) for details.
-
-# 2.0.2 (2022-06-15)
-
-* Address https://github.com/RIPAGlobal/scimitar/issues/20 by better handling content type in requests:
-
-  - Since https://github.com/MicrosoftDocs/azure-docs/issues/94189#issuecomment-1154227613 indicates that _no_ header is sent for `GET` methods while a correct header is sent for others; that is inline with the RFC and we should handle a lack of content type in the `GET` case. This was not the case in Scimitar v2.0.1 and earlier.
-  - Ultimately we must expect attackers to send junk data in attempts to find vulnerabilities in JSON parsing, so the header presence can't really be trusted and the JSON parser must simply be robust. As a result, this patch version of the gem will assume an `application/scim+json` content type for _any_ inbound request that specifies no other type, regardless of HTTP method used. Requests are only rejected if a `Content-Type` header explicitly states that the content is of some unsupported type.
-
-# 2.0.1 (2022-04-20)
-
-* Merges https://github.com/RIPAGlobal/scimitar/pull/15 from `AbeerKhakwani`, fixing an issue with AD and the Meta object.
-
-# 2.0.0 (2022-03-04)
-
-* Requires Rails 7. Supports Ruby 3, but still works on 2.7.
-
-## Upgrading from Scimitar 1.x.y
-
-* Your `config/initializers/scimitar.rb` might need to be enclosed within a `Rails.application.config.to_prepare do...` block to avoid `NameError: uninitialized constant...` exceptions arising due to autoloader problems:
-
-    ```ruby
-    Rails.application.config.to_prepare do
-      Scimitar.engine_configuration = Scimitar::EngineConfiguration.new({
-        # ...
-      end
-    end
-    ```
-
-* If you use `Scimitar::Errors#add_errors_from_hash`, note that the previously-unnamed first parameter is now explicitly named `errors_hash`. This avoids potential ambiguity and confusion/errors with Ruby 3's more strict rules for named parameter and hash mixtures in both method definitions and method calls. For example:
-
-    ```ruby
-    # Old code...
-    user.add_errors_from_hash(key: 'some key')
-    # ...becomes:
-    user.add_errors_from_hash(errors_hash: {key: 'some key'})
-
-    # Old code...
-    user.add_errors_from_hash({key: 'some key'}, prefix: 'some prefix')
-    # ...becomes:
-    user.add_errors_from_hash(errors_hash: {key: 'some key'}, prefix: 'some prefix')
-    ```
+* Back-ports fixes from v2.1.3 for Rails 6 users.
 
+# 1.3.2 (2023-01-10)
 
+* Back-ports fixes from v2.1.2 for Rails 6 users.
 
 # 1.3.1 (2022-11-04)
 

Dockerfile

@@ -1,4 +1,4 @@
-FROM ruby:3.3.0
+FROM ruby:3.3.5
 
 WORKDIR /app
 

LICENSE.txt

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2021 RIPA Global
+Copyright (c) 2024 RIPA Global
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -321,7 +321,7 @@ end
 
 #### Other source types
 
-If you do _not_ use ActiveRecord to store data, or if you have very esoteric read-write requirements, you can subclass [`Scimigar::ResourcesController`](https://www.rubydoc.info/gems/scimitar/Scimitar/ResourcesController) in a manner similar to this:
+If you do _not_ use ActiveRecord to store data, or if you have very esoteric read-write requirements, you can subclass [`Scimitar::ResourcesController`](https://www.rubydoc.info/gems/scimitar/Scimitar/ResourcesController) in a manner similar to this:
 
 ```ruby
 class UsersController < Scimitar::ResourcesController

app/controllers/scimitar/application_controller.rb

@@ -9,10 +9,6 @@ class ApplicationController < ActionController::Base
     before_action :add_mandatory_response_headers
     before_action :authenticate
 
-    if Scimitar.engine_configuration.application_controller_mixin
-      include Scimitar.engine_configuration.application_controller_mixin
-    end
-
     # =========================================================================
     # PROTECTED INSTANCE METHODS
     # =========================================================================
@@ -153,5 +149,8 @@ def authenticated?
         return result
       end
 
+    if Scimitar.engine_configuration.application_controller_mixin
+      include Scimitar.engine_configuration.application_controller_mixin
+    end
   end
 end

app/controllers/scimitar/resource_types_controller.rb

@@ -5,7 +5,13 @@ def index
         resource.resource_type(scim_resource_type_url(name: resource.resource_type_id))
       end
 
-      render json: resource_types
+      render json: {
+        schemas: [
+            'urn:ietf:params:scim:api:messages:2.0:ListResponse'
+        ],
+        totalResults: resource_types.size,
+        Resources:    resource_types
+      }
     end
 
     def show

lib/scimitar/version.rb

@@ -3,11 +3,11 @@ module Scimitar
   # Gem version. If this changes, be sure to re-run "bundle install" or
   # "bundle update".
   #
-  VERSION = '1.10.0'
+  VERSION = '1.11.0'
 
   # Date for VERSION. If this changes, be sure to re-run "bundle install"
   # or "bundle update".
   #
-  DATE = '2024-06-27'
+  DATE = '2024-10-22'
 
 end

spec/controllers/scimitar/resource_types_controller_spec.rb

@@ -9,11 +9,15 @@
     it 'renders the resource type for user' do
       get :index, format: :scim
       response_hash = JSON.parse(response.body)
-      expected_response = [ Scimitar::Resources::User.resource_type(scim_resource_type_url(name: 'User', test: 1)),
-                            Scimitar::Resources::Group.resource_type(scim_resource_type_url(name: 'Group', test: 1))
-      ].to_json
+      expected_response = {
+        schemas: ['urn:ietf:params:scim:api:messages:2.0:ListResponse'],
+        totalResults: 2,
+        Resources: [
+          Scimitar::Resources::User.resource_type(scim_resource_type_url(name: 'User', test: 1)),
+          Scimitar::Resources::Group.resource_type(scim_resource_type_url(name: 'Group', test: 1))
+        ]
+      }.to_json
 
-      response_hash = JSON.parse(response.body)
       expect(response_hash).to eql(JSON.parse(expected_response))
     end