diff --git a/app/controllers/scim_v2/groups_controller.rb b/app/controllers/scim_v2/groups_controller.rb
index 229a42f..1395c6f 100644
--- a/app/controllers/scim_v2/groups_controller.rb
+++ b/app/controllers/scim_v2/groups_controller.rb
@@ -4,6 +4,7 @@ require "scimitar"
 module Scim
 class ScimV2::GroupsController < Scimitar::ActiveRecordBackedResourcesController
+ # TODO: Check why requires_plugin is not available here
 # requires_plugin PLUGIN_NAME
 protect_from_forgery with: :null_session
diff --git a/app/controllers/scim_v2/users_controller.rb b/app/controllers/scim_v2/users_controller.rb
index 883f8a6..30f3931 100644
--- a/app/controllers/scim_v2/users_controller.rb
+++ b/app/controllers/scim_v2/users_controller.rb
@@ -4,6 +4,7 @@ require "scimitar"
 module Scim
 class ScimV2::UsersController < Scimitar::ActiveRecordBackedResourcesController
+ # TODO: Check why requires_plugin is not available here
 # requires_plugin PLUGIN_NAME
 protect_from_forgery with: :null_session
diff --git a/config/initializers/scimitar.rb b/config/initializers/scimitar.rb
index 6bc1d92..4d211ab 100644
--- a/config/initializers/scimitar.rb
+++ b/config/initializers/scimitar.rb
@@ -1,6 +1,9 @@
 # frozen_string_literal: true
 Rails.application.config.to_prepare do
+ Scimitar.service_provider_configuration = Scimitar::ServiceProviderConfiguration.new({
+ # TODO: Add configuration about configured services here
+ })
 Scimitar.engine_configuration = Scimitar::EngineConfiguration.new({
 token_authenticator: Proc.new do | token, options |
 api_key = ApiKey.active.with_key(token).first
diff --git a/config/routes.rb b/config/routes.rb
index 6e1dc58..e1a28f7 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -5,7 +5,7 @@ require "scimitar"
 Discourse::Application.routes.draw {
 namespace :scim_v2 do
 mount Scimitar::Engine, at: '/'
-
+
 get 'Users', to: 'users#index'
 get 'Users/:id', to: 'users#show'
 post 'Users', to: 'users#create'
diff --git a/plugin.rb b/plugin.rb
index 6e84bb4..a724455 100644
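Review bot: The TODO added above `# requires_plugin PLUGIN_NAME` records the problem but leaves the SCIM endpoint reachable even when the plugin is disabled, and the identical hunk in users_controller.rb has the same gap. `requires_plugin` is presumably unavailable because `Scimitar::ActiveRecordBackedResourcesController` does not descend from Discourse's `::ApplicationController` (the explicit `protect_from_forgery with: :null_session` is a hint the class sits outside that hierarchy), which would also mean none of that controller's usual before_actions run here; please confirm. Rather than a TODO, I would add to both controllers a `before_action` that raises `Discourse::NotFound` unless the plugin's enabled site setting is on, so that turning the plugin off actually closes the SCIM surface, and reword the comment to state the reason once confirmed, e.g. `# requires_plugin is unavailable: this class does not inherit Discourse's ApplicationController; the plugin-enabled guard is the before_action below`. The class body continues outside the hunk.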
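Review bot: The new `Scimitar::ServiceProviderConfiguration.new({ ... })` contains only a TODO, so whatever the gem's defaults are is exactly what `/scim_v2/ServiceProviderConfig` will advertise to identity providers. If I recall the gem correctly, those defaults announce both basic and bearer authentication schemes, while the visible `token_authenticator` only resolves bearer API keys, so the server would advertise an authentication method it does not implement; advertising unsupported capabilities mostly attracts misconfigured or probing clients. I would pin at least the scheme, e.g. `authenticationSchemes: [Scimitar::AuthenticationScheme.bearer]` (confirm the constant against the installed gem version), and turn the TODO into a sentence naming which remaining capabilities (filter, bulk, patch) still need an honest declaration. The `token_authenticator` proc continues outside the hunk, so whether the key's scope is verified after `ApiKey.active.with_key(token).first` cannot be judged here.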
--- a/plugin.rb
+++ b/plugin.rb
@@ -39,6 +39,7 @@ module ::DiscourseScim
 end
 after_initialize do
+ # TODO: Check how to avoid monkey patching here
 class ::User
 def self.scim_resource_type
 Scimitar::Resources::User
@@ -152,4 +153,4 @@ after_initialize do
 include Scimitar::Resources::Mixin
 end
-end
\ No newline at end of file
+end
diff --git a/spec/integration/custom_api_key_scopes_spec.rb b/spec/integration/custom_api_key_scopes_spec.rb
new file mode 100644
index 0000000..343ea14
--- /dev/null
+++ b/spec/integration/custom_api_key_scopes_spec.rb
@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+describe "API keys scoped to scim#access_scim_endpoints" do
+ before do
+ SiteSetting.chat_enabled = true
+ SiteSetting.chat_allowed_groups = Group::AUTO_GROUPS[:everyone]
+ end
+
+ fab!(:admin)
+
+ let(:scim_api_key) do
+ key = ApiKey.create!
+ ApiKeyScope.create!(resource: "scim", action: "access_scim_endpoints", api_key_id: key.id)
+ key
+ end
+
+ it "cannot hit any other endpoints" do
+ get "/admin/users/list/active.json",
+ headers: {
+ "Api-Key" => scim_api_key.key,
+ "Api-Username" => admin.username,
+ }
+ expect(response.status).to eq(404)
+
+ get "/latest.json", headers: { "Api-Key" => scim_api_key.key, "Api-Username" => admin.username }
+ expect(response.status).to eq(403)
+ end
+
+ it "can create a user" do
+ expect {
+ post "/scim_v2/Users",
+ headers: {
+ "Authorization" => "Bearer " + scim_api_key.key,
+ "Content-Type" => "application/scim+json"
+ },
+ params: {
+ schemas: [
+ "urn:ietf:params:scim:schemas:core:2.0:User"
+ ],
+ userName: "testUser",
+ name: {
+ familyName: "Test",
+ givenName: "User"
+ },
+ emails: [
+ {
+ value: "testuser@example.com",
+ type: "work"
+ },
+ ],
+ active: true
+ },
+ as: :json
+ }.to change { User.count }.by(1)
+ expect(response.status).to eq(201)
+ end
+end
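Review bot: The TODO added above `class ::User` could be resolved instead of recorded: reopening `::User` inside `after_initialize` is what Discourse's plugin API helpers (`add_class_method`, `add_to_class`, `reloadable_patch`) exist to replace, and they also cope with code reloading in development, which a bare reopened class does not. For a class method that returns a constant, something along the lines of `add_class_method(:user, :scim_resource_type) { Scimitar::Resources::User }` should do; I am recalling that API from memory, so confirm the signature against the Discourse version in use. The `after_initialize do` block begins in this hunk and runs well past it, so the rest of the patch to `::User` is not visible here.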
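Review bot: The new spec shows that a correctly scoped key can create a user and cannot reach two unrelated endpoints, but it never exercises the rejection path of the SCIM endpoint itself: nothing asserts that a revoked key, or a key lacking the `scim#access_scim_endpoints` scope, is turned away from `/scim_v2/Users`. The initializer hunk in this same commit resolves keys through `ApiKey.active`, so a revoked key is a grounded negative case (assuming `active` is the usual `revoked_at: nil` scope); I would add the test below, and a wrong-scope variant once the scope check's behaviour is known, confirming the exact status Scimitar returns rather than assuming 401. Two smaller points: the `SiteSetting.chat_enabled` / `chat_allowed_groups` setup in `before` appears unrelated to SCIM and looks like template residue worth deleting, and `"Bearer " + scim_api_key.key` reads better as `"Bearer #{scim_api_key.key}"`.
```ruby
  it "rejects a revoked API key" do
    revoked_key = ApiKey.create!(revoked_at: Time.zone.now)
    ApiKeyScope.create!(resource: "scim", action: "access_scim_endpoints", api_key_id: revoked_key.id)
    expect {
      post "/scim_v2/Users",
        headers: { "Authorization" => "Bearer #{revoked_key.key}", "Content-Type" => "application/scim+json" },
        params: { schemas: ["urn:ietf:params:scim:schemas:core:2.0:User"], userName: "revokedUser" },
        as: :json
    }.not_to change { User.count }
    expect(response.status).to eq(401)
  end
```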