Adds request specs for the SCIM v2 users index endpoint to make sure
each user is returned only once, even with multiple group memberships
or auth provider links.
Covers the duplicate-record regression caused by joined relations.
This one is defined as optional by RFC 6750, which defines
the usage of bearer tokens. It allows a client to know which
scopes are required to access a given resource when using Bearer tokens.
- Use custom_authenticator provided by scimitar to do authentication.
- Polish specs a bit.
- Rework OpenProject scimitar modifications structure.
Co-Authored-by: Jan Sandbrink <j.sandbrink@openproject.com>
https://community.openproject.org/work_packages/65855
There is a bug in scimitar which breaks create and replace actions when the $ref sub attribute is present.
Until it is fixed, we just remove this attribute from params for the GroupsController#create and GroupsController#replace
actions.
- Refactor SCIM error handling logic.
- Make SCIM /Schemas reflect real behavior.
Add `id` attribute.
Change caseExact to be false everywhere except `id` and `externalId`.
See https://github.com/pond/scimitar/blob/09b284778340ee067df9e5140d0230386afb9992/README.md#omissions
for details. And I checked the actual source code. There is no place where caseExact values specified in the schema
are respected. Only `id`, `externalId` and `meta.*` are matched case-sensitively.
- Extend filtering specs with upcased/downcased search terms.
- Change formatting of long spec examples.
https://community.openproject.org/work_packages/65747
- Make /scim_v2/Schemas endpoint return OP required schemas.
Set required fields to be required (givenName, familyName, email etc.).
Set caseSensitive to be true where it is case sensitive.
Remove fields that are not used by OpenProject.
Note: marking fields as required makes scimitar check their presence and
respond with 400, which is useful.
- Refactor SCIM API controllers by extracting error handling in a general (🫡) method
- Add extra specs
- Restyle SCIM API specs a bit with hope that it makes them more readable...
Including a banner for the UI (currently using a placeholder image)
and a check for SCIM API calls.
While it's theoretically possible to set up a client without an enterprise
token (new/edit/create/update are not guarded), there is no click path to
create a client and eventually the API requests would be blocked.
- Fix some Rubocop complaints.
- Do not set user.firstname and user.lastname to stupid values,
to avoid confusion.
- Add inverse_of option to user_auth_provider_links -- provider association.
- Extract ScimitarSchemaExtension module to a dedicated file.
- Fix users/delete_service_spec.rb
- Disable Rails/HttpPositionalArguments completely.
It is often not relevant and breaks specs when rubocop -a is used.
- Support excludedAttributes for all endpoints in SCIM Server API
- Fix excludedAttributes to handle nested attributes correctly, e.g. name.givenName
- Respond with 403 when User can't be deleted due to lack of permissions.
- Refactor scim related code by removing duplication where possible.
- Remove BasicAuth from supported auth schemes.
- Add specific specs to test SCIM authentication.
- Extend specs.
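As an added Ruby example (not OpenProject's or scimitar's own code) of the nested excludedAttributes handling the commit above describes: attribute paths such as name.givenName are resolved case-insensitively into a resource hash, and, as an assumption beyond the commit text, a path into a multi-valued attribute (emails.primary) is stripped from every element of the array. `ALWAYS_RETURNED`, `scim_path`, `exclude_path` and `apply_excluded_attributes` are names chosen here.

```ruby
# Added example, not OpenProject's or scimitar's own code: strip SCIM
# excludedAttributes (flat or nested, e.g. "name.givenName") from a resource hash.

# Attributes assumed here to be always returned and therefore never stripped.
ALWAYS_RETURNED = %w[id schemas].freeze

# "name.givenName" -> ["name", "givenname"]; SCIM attribute names compare case-insensitively.
def scim_path(attr)
  attr.to_s.split(".").map(&:downcase)
end

# Remove one attribute path from a node in place. Assumption: multi-valued attributes
# (e.g. "emails.value") are arrays of hashes, and the sub-attribute is removed from each.
def exclude_path(node, path)
  return node if path.empty?
  case node
  when Hash
    key = node.keys.find { |k| k.to_s.downcase == path.first }
    return node if key.nil?
    if path.length == 1
      node.delete(key)
    else
      exclude_path(node[key], path.drop(1))
    end
  when Array
    node.each { |element| exclude_path(element, path) }
  end
  node
end

# Apply a comma-separated excludedAttributes query value to a resource,
# returning a deep copy so the original hash is left untouched.
def apply_excluded_attributes(resource, excluded)
  copy = Marshal.load(Marshal.dump(resource))
  excluded.to_s.split(",").map(&:strip).reject(&:empty?).each do |attr|
    path = scim_path(attr)
    next if ALWAYS_RETURNED.include?(path.first)
    exclude_path(copy, path)
  end
  copy
end

# Constructed sample SCIM User resource.
SAMPLE_USER = {
  "schemas" => ["urn:ietf:params:scim:schemas:core:2.0:User"], "id" => "42",
  "userName" => "jdoe", "name" => { "givenName" => "Jane", "familyName" => "Doe" },
  "emails" => [{ "value" => "jane@example.com", "type" => "work", "primary" => true }]
}.freeze
```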
- Use ServiceAccount associated with ScimClient for making user changes
- Remove scoping by scim_client.auth_provider_id
So, SCIM Client has access to any not_builtin User.
- Associate user with AuthProvider configured in ScimModel
instead of choosing the first one.
- Use authenticated ServiceAccount in requests
- Scope User and Group requests by ScimClient related auth_provider_id
- Include ServiceAccount search to doorkeeper_oauth strategy
- Fix SCIM Server API specs.
- Implement excludedAttributes for GET requests.
- Handle uniqueness violations for group creation.
- Make sure PATCH works with adding/replacing/removing group members.
- Pick one user email from a list: primary => work => first alphabetical.
- Mark group as inactive before DeleteJob is scheduled.
- Enable SCIM Patch.
- Use user_auth_provider_links instead of users.identity_url.
- Extend SCIM ActiveRecord base scopes to join and preload appropriate associations.
- Set a stub for user.firstname and user.lastname if they are not provided by SCIM client.
- Handle user unique constraint violation according to SCIM spec.
- Move user_auth_provider_links association to principal as group needs it as well.
- Set user.mail dynamically from the list of emails provided by SCIM client.
- Change BaseServices::Create contract to accept model instance as a constructor parameter.
It gives an option to build associations before model creation.
- Extend SCIM server API schema to include externalId.
- Adjust specs.
ServiceProviderConfig endpoint will communicate that PATCH is not supported.
PATCH is optional according to the specification.
Main reason for disabling it:
it requires special treatment of adding/removing group members,
because in OpenProject it should be done through a service (Groups::UpdateService, which
uses Groups::AddUsersService underneath), not a model association.