Features:
- Custom controller mixins can now override more of the Scimitar base controller since the inclusion has been moved to the end of the file. This is particularly useful for overriding `rescue_from` declarations. See #148 for more - thanks to @hrtshu
Fixes:
- The `ResourceTypes` endpoint returned an invalid payload; this is now fixed per RFC 7644 via #147 - thanks to @pbouda
Other notes:
- `README.md` typo fix via #145 - thanks to @pavelloz
Gem developer notes:
- Local developer Ruby version (for `rbenv` users, at least) bumped to v3.3.5
- Gemspec development dependency versions bumped to latest, where relevant
- Dockerfile bumps PostgreSQL to v17
Features:
- Override which core schemas are returned in the `/Schemas` endpoint via new call `Scimitar::Engine.set_default_resources` (see this code diff) - implements #118 requested by @gsar via #133
- Opt-in feature to make the `/Schemas` endpoint walk resource attribute maps to determine actual supported attributes and attribute mutability, rather than just reporting the literal schema definition; see the description of the `schema_list_from_attribute_mappings` configuration setting inside the template `config/initializers/scimitar.rb` file for details (or read it via the code diff here) - implements #119 requested by @gsar via #135
Fixes:
- The `/Schemas` endpoint used to return a completely non-compliant response, but now returns a compliant `ListResponse`, as it always should have; there is no major version change to Scimitar with this fix, as it is hoped that this has no impact for most people (surely anyone who had attempted to use the endpoint would have already reported the issue!) - fixes #117 via #133 - thanks to @gsar
- A number of problems with extension schemas are fixed so they should work much more reliably now, with `README.md` documentation updated in a few places for clarity; check there if you are still having trouble - fixes #122 via #134 - thanks to @easym0de
Other notes:
- For developers, note that debugging is now via the standard Ruby debugger - use e.g. `debugger` instead of `byebug` if you want to halt code and reach a debugging prompt during development work
Features:
- Supports the SCIM mechanism for requesting specific attributes (noting however that schema ID URN prefixes are not supported; use only dotted attribute paths without such prefixes) - closes 89 via 102 and 127 - thanks to @xjunior
- In a moment of déjà vu from v2.7.3's Microsoft payload workarounds for 123, handles a different kind of malformed filter sent by Microsoft Azure (Entra) in `GET` requests - implements 115 requested by @gsar via 128
- Handles schema IDs (URNs) in filters of `GET` requests - implements 116 requested by @gsar via 131
Fixes:
- Corrects schema for `name.givenName` and `name.familyName` in User, which previously specified these as required, but the SCIM specification says they are not - fixes 113 reported by @s-andringa via 129. If your code somehow relies upon `name.givenName` and/or `name.familyName` being required in the User schema, you can patch this in your `config/initializers/scimitar.rb` file - for example:

  ```ruby
  Rails.application.config.to_prepare do
    Scimitar::Schema::Name.scim_attributes.find { |a| a.name == 'familyName' }.required = true
    Scimitar::Schema::Name.scim_attributes.find { |a| a.name == 'givenName'  }.required = true
    # ...
  end
  ```
Features:
- As part of the above fix, schema ID handling was improved and extended with better test coverage. `PATCH` `add` and `replace` operations with `value` objects containing schema IDs, both with or without attributes inline, should now work reliably.
Fixes:
- Handles what I think are technically malformed payloads from Azure (Entra), but since they seem unavoidable, it's important to handle them - should fix 123 reported by @eduardoborba
Fixes:
- The implementation of non-returned SCIM fields turned out to inadvertently prevent their subsequent update (so SCIM updates to e.g. passwords would fail); fixed 105 and (in passing) 6, via 109 - thanks to @xjunior
- The case-insensitive, String or Symbol access Hash class documented itself as preserving case but did not, reported in 98, also via 109 - thanks to @s-andringa
Fixes:
- Some dependency chain gems have stopped supporting Ruby 2.7, so a `Gemfile.lock` for local development generated under Ruby 3 does not work under Ruby 2.7. Solved by removing `Gemfile.lock` entirely, so that an errant Nokogiri lock in `scimitar.gemspec` used previously as a workaround could also be removed.
Warning:
- The default `type` value of `work` in the `address` complex type has been removed, in line with all other comparable complex types, via 87 / 92 - thanks to @s-andringa.
- This is unlikely to break client code but there is a small chance of issues if you relied upon the default. Please check your implementation if at all concerned. It doesn't seem risky enough to force a major version bump to comply with semantic versioning.
Features:
- Allow a block to be passed to `Scimitar::ActiveRecordBackedResourcesController#create`, `#update` and `#replace`. This behaves in a manner analogous to passing a block to `Scimitar::ActiveRecordBackedResourcesController#destroy`, wherein the block implementation becomes responsible for destroying the record the block is given; in the case of `#create`, `#update` and `#replace`, the block is passed the new or updated record and is responsible for persisting it.
Fixes:
- Fix for Microsoft SCIM Validator; pathless `replace` operations can use dot-path notation in the `value` section, via 69 - thanks to @wooly
- Basic and token authentication blocks now operate in the context of the application's controller, via 88 - thanks to @tejanium
- Exception handling for records during saving is improved and extensible, via 91
Maintenance:
- Bump local development Ruby to v3.3.0, including it in the test matrix and in effect creating "official" support for that Ruby version.
- Always returns a `Content-Type` header with value `application/scim+json; charset=utf-8` in any response, since that's the only format the gem can write. Fixes #59.
- Uses the more common header name form of `WWW-Authenticate` rather than the Rack-like `WWW_AUTHENTICATE` in responses.
Features:
- Schema location URLs are generated by the controller, making overrides simpler, via #71 - thanks to @s-andringa
- A block can be passed to `ActiveRecordBackedResourcesController#save!`, making it easier to override with custom behaviour since you won't have to worry about things like uniqueness constraint exceptions, via #73 - thanks to @s-andringa
- Those who want an invariant local testing setup can now consider using Docker via #77 - thanks to @osingaatje
Fixes:
- Multi-valued simple types are now correctly rendered via 74 - thanks to @s-andringa
- Sensitive fields are no longer rendered (fixes #56 via #80) - thanks to @kuldeepaggarwal.
Many thanks to @xjunior, who contributed a series of improvements and fixes present in this version. New features:
- Allow writable complex types in custom extensions via #61
- Allow complex queries via table joins via #62
Fixes:
- Much better error message raised if `PatchOp` misses operations in #65
- Combined logical groups generate working queries with #66
- Maintenance release which merges a warning removal patch in #54 (thanks to @sobrinho for the contribution) via #63; it is the changes in the latter which are brought into Scimitar V2, keeping the overall diff between V1 and V2 minimal.
- Fix shortcoming in `Content-Type` header handling via #51. Thanks to @Flixt for the contribution.
- Address RIPAGlobal#48 by adapting RIPAGlobal#49, so that extension schemas work properly. Missing documentation in `README.md` addressed. Thanks to @bettysteger and @MorrisFreeman for the contribution.
- Address RIPAGlobal#43 - allows Microsoft-style payloads for removing Users from Groups, with a special case exception for hypothetical inbound SCIM calls originating from Salesforce software. For more details of the fix, please see RIPAGlobal#45.
- Address RIPAGlobal#35. Declaring primary key in the ActiveRecord model would solve most of the problems described, but v2.2.0 did introduce a default order clause that would trip up a model with a different primary key name; this is now fixed. In any case, it may be possible to avoid declaring the primary key override in the model entirely if using Scimitar v2.3.0, should that be your wish. This is in effect an edge case new feature, which is why the gem's minor version has been bumped up.
- Bump local development Ruby to v3.2.0, including it in the test matrix and in effect creating "official" support for that Ruby version.
- Fix RIPAGlobal#36 - filters are case-sensitive for special cases of `id`, `externalId` and `meta.*` attributes. A model must still declare if and how these are searchable via its `::scim_queryable_attributes` implementation, just as with any other attribute.
- Fix RIPAGlobal#37 - filters now correctly support case insensitive attribute names.
- Merged RIPAGlobal#29, fixing an issue caused by an unhandled form of payload sent by Okta. Thanks to @jasonopslevel for the contribution.
- Merged RIPAGlobal#17 (more detailed errors), RIPAGlobal#18 (`primary` attribute added to Address schema) and RIPAGlobal#19 (configurable required-or-optional `value` attributes in VDTP-derived types). Thanks for the contributions, @pelted!
- Noted closed PR RIPAGlobal#25 and implemented a configurable exception reporting hook for people who might want that kind of feature. See engine configuration option `exception_reporter` for details.
- Address RIPAGlobal#20 by better handling content type in requests:
  - https://github.com/MicrosoftDocs/azure-docs/issues/94189#issuecomment-1154227613 indicates that no header is sent for `GET` methods while a correct header is sent for others; that is in line with the RFC and we should handle a lack of content type in the `GET` case. This was not the case in Scimitar v2.0.1 and earlier.
  - Ultimately we must expect attackers to send junk data in attempts to find vulnerabilities in JSON parsing, so the header presence can't really be trusted and the JSON parser must simply be robust. As a result, this patch version of the gem will assume an `application/scim+json` content type for any inbound request that specifies no other type, regardless of HTTP method used. Requests are only rejected if a `Content-Type` header explicitly states that the content is of some unsupported type.
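The policy above (absent header means SCIM JSON for any method, explicit unsupported type means reject, body parsing never trusts the header) as an added, stand-alone Ruby example; this is not Scimitar's own code. It assumes headers arrive as a plain Hash with Rack-style keys, and the `SUPPORTED_TYPES` list (which also admits plain `application/json`) is a constructed assumption rather than the gem's actual allow-list.

```ruby
require 'json'

# Constructed allow-list for the example; the gem's real list may differ.
SUPPORTED_TYPES = ['application/scim+json', 'application/json'].freeze
DEFAULT_TYPE    = 'application/scim+json'

# Returns the effective media type for a request, or nil when the header
# explicitly names a type the server cannot read (the only rejected case).
def effective_content_type(headers)
  raw = headers['CONTENT_TYPE'] || headers['Content-Type']
  # Absent or blank header: assume SCIM JSON regardless of HTTP method.
  return DEFAULT_TYPE if raw.nil? || raw.strip.empty?
  # Drop parameters such as "; charset=utf-8" before comparing.
  media_type = raw.split(';').first.strip.downcase
  SUPPORTED_TYPES.include?(media_type) ? media_type : nil
end

# Parses the body under that policy. Returns [status, parsed_body]. A declared
# JSON type is no guarantee of a well-formed body, so a parse failure is a
# 400-style outcome rather than something the header can pre-empt.
def parse_scim_body(headers, body)
  type = effective_content_type(headers)
  return [:unsupported_media_type, nil] if type.nil?
  return [:ok, {}] if body.nil? || body.strip.empty? # e.g. a GET with no body
  [:ok, JSON.parse(body)]
rescue JSON::ParserError
  [:bad_request, nil]
end
```

Note that the rejection decision is made only on an explicit, unsupported `Content-Type`; every other request reaches the parser, which is where robustness actually has to live.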
- Merges RIPAGlobal#15 from AbeerKhakwani, fixing an issue with AD and the Meta object.
- Requires Rails 7. Supports Ruby 3, but still works on 2.7.
- Your `config/initializers/scimitar.rb` might need to be enclosed within a `Rails.application.config.to_prepare do...` block to avoid `NameError: uninitialized constant...` exceptions arising due to autoloader problems:

  ```ruby
  Rails.application.config.to_prepare do
    Scimitar.engine_configuration = Scimitar::EngineConfiguration.new({
      # ...
    })
  end
  ```
- If you use `Scimitar::Errors#add_errors_from_hash`, note that the previously-unnamed first parameter is now explicitly named `errors_hash`. This avoids potential ambiguity and confusion/errors with Ruby 3's more strict rules for named parameter and hash mixtures in both method definitions and method calls. For example:

  ```ruby
  # Old code...
  user.add_errors_from_hash(key: 'some key')
  # ...becomes:
  user.add_errors_from_hash(errors_hash: {key: 'some key'})

  # Old code...
  user.add_errors_from_hash({key: 'some key'}, prefix: 'some prefix')
  # ...becomes:
  user.add_errors_from_hash(errors_hash: {key: 'some key'}, prefix: 'some prefix')
  ```
- Back-ports features from v2.1.1 for Rails 6 users.
- Back-ports features from v2.1.0 for Rails 6 users.
- Back-ports fixes from v2.0.1 and v2.0.2 for Rails 6 users.
- Updated for RIPA branding.
- Ruby and gem version maintenance updates.
- Implement case insensitivity for attributes (fixes issue #7).
- More robust path filter parsing for `PATCH` operations; previously, a path filter such as `value eq "Something With Spaces"` would have been rejected.
- Add Travis support for CI.
- Adjust `scimitar.gemspec` a bit more for CI and now that we're public in RubyGems, with a `Gemfile.lock` bump on Scimitar itself (overlooked in 1.0.1).
- Added source code link to `scimitar.gemspec` metadata for RubyGems.
- Initial public release.