DEV: Add spec for scoped API key

2024-10-10 09:28:13 +01:00 · 2024-10-10 09:28:13 +01:00 · 1ef8cb17d9
commit 1ef8cb17d9
parent 43f3d34c46
6 changed files with 65 additions and 2 deletions
--- a/app/controllers/scim_v2/groups_controller.rb
+++ b/app/controllers/scim_v2/groups_controller.rb
@ -4,6 +4,7 @@ require "scimitar"

 module Scim
  class ScimV2::GroupsController < Scimitar::ActiveRecordBackedResourcesController
+    # TODO: Check why requires_plugin is not available here
    # requires_plugin PLUGIN_NAME
    protect_from_forgery with: :null_session

--- a/app/controllers/scim_v2/users_controller.rb
+++ b/app/controllers/scim_v2/users_controller.rb
@ -4,6 +4,7 @@ require "scimitar"

 module Scim
  class ScimV2::UsersController < Scimitar::ActiveRecordBackedResourcesController
+    # TODO: Check why requires_plugin is not available here
    # requires_plugin PLUGIN_NAME
    protect_from_forgery with: :null_session

--- a/config/initializers/scimitar.rb
+++ b/config/initializers/scimitar.rb
@ -1,6 +1,9 @@
 # frozen_string_literal: true

 Rails.application.config.to_prepare do
+  Scimitar.service_provider_configuration = Scimitar::ServiceProviderConfiguration.new({
+    # TODO: Add configuration about configured services here
+  })
  Scimitar.engine_configuration = Scimitar::EngineConfiguration.new({
    token_authenticator: Proc.new do | token, options |
      api_key = ApiKey.active.with_key(token).first
--- a/plugin.rb
+++ b/plugin.rb
@ -39,6 +39,7 @@ module ::DiscourseScim
 end

 after_initialize do
+  # TODO: Check how to avoid monkey patching here
  class ::User
    def self.scim_resource_type
      Scimitar::Resources::User
--- a/spec/integration/custom_api_key_scopes_spec.rb
+++ b/spec/integration/custom_api_key_scopes_spec.rb
@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+describe "API keys scoped to scim#access_scim_endpoints" do
+  before do
+    SiteSetting.chat_enabled = true
+    SiteSetting.chat_allowed_groups = Group::AUTO_GROUPS[:everyone]
+  end
+  
+  fab!(:admin)
+
+  let(:scim_api_key) do
+    key = ApiKey.create!
+    ApiKeyScope.create!(resource: "scim", action: "access_scim_endpoints", api_key_id: key.id)
+    key
+  end
+
+  it "cannot hit any other endpoints" do
+    get "/admin/users/list/active.json",
+        headers: {
+          "Api-Key" => scim_api_key.key,
+          "Api-Username" => admin.username,
+        }
+    expect(response.status).to eq(404)
+
+    get "/latest.json", headers: { "Api-Key" => scim_api_key.key, "Api-Username" => admin.username }
+    expect(response.status).to eq(403)
+  end
+
+  it "can create a user" do
+    expect {
+      post "/scim_v2/Users",
+        headers: {
+          "Authorization" => "Bearer " + scim_api_key.key,
+          "Content-Type"  => "application/scim+json"
+        },
+        params: {
+          schemas: [
+            "urn:ietf:params:scim:schemas:core:2.0:User"
+          ],
+          userName: "testUser",
+          name: {
+            familyName: "Test",
+            givenName: "User"
+          },
+          emails: [
+            {
+              value: "testuser@example.com",
+              type: "work"
+            },
+          ],
+          active: true
+        },
+        as: :json
+    }.to change { User.count }.by(1)
+    expect(response.status).to eq(201)
+  end
+end