Fixes:
- The implementation of non-returned SCIM fields turned out to inadvertently prevent their subsequent update (so SCIM updates to e.g. passwords would fail); fixed 105 and (in passing) 6, via 109 - thanks to @xjunior
- The case-insensitive, String or Symbol access Hash class documented itself as preserving case but did not, reported in 98, also via 109 - thanks to @s-andringa
Fixes:
- Some dependency chain gems have stopped supporting Ruby 2.7, so a `Gemfile.lock` for local development generated under Ruby 3 does not work under Ruby 2.7. Solved by removing `Gemfile.lock` entirely, so that an errant Nokogiri lock in `scimitar.gemspec` used previously as a workaround could also be removed.
Warning:
- The default `type` value of `work` in the `address` complex type has been removed, in line with all other comparable complex types, via 87 / 92 - thanks to @s-andringa.
- This is unlikely to break client code but there is a small chance of issues if you relied upon the default. Please check your implementation if at all concerned. It doesn't seem risky enough to force a major version bump to comply with semantic versioning.
Features:
- Allow a block to be passed to `Scimitar::ActiveRecordBackedResourcesController#create`, `#update` and `#replace`. This behaves in a manner analogous to passing a block to `Scimitar::ActiveRecordBackedResourcesController#destroy`, wherein the block implementation becomes responsible for destroying the record the block is given; in the case of `#create`, `#update` and `#replace`, the block is passed the new or updated record and is responsible for persisting it.
Fixes:
- Fix for Microsoft SCIM Validator; pathless `replace` operations can use dot-path notation in the `value` section, via 69 - thanks to @wooly
- Basic and token authentication blocks now operate in the context of the application's controller, via 88 - thanks to @tejanium
- Exception handling for records during saving is improved and extensible, via 91
Maintenance:
- Bump local development Ruby to v3.3.0, including it in the test matrix and in effect creating "official" support for that Ruby version.
- Always returns a `Content-Type` header with value `application/scim+json; charset=utf-8` in any response, since that's the only format the gem can write. Fixes #59.
- Uses the more common header name form of `WWW-Authenticate` rather than the Rack-like `WWW_AUTHENTICATE` in responses.
Features:
- Schema location URLs are generated by the controller, making overrides simpler, via #71 - thanks to @s-andringa
- A block can be passed to `ActiveRecordBackedResourcesController#save!`, making it easier to override with custom behaviour since you won't have to worry about things like uniqueness constraint exceptions, via #73 - thanks to @s-andringa
- Those who want an invariant local testing setup can now consider using Docker via #77 - thanks to @osingaatje
Fixes:
- Multi-valued simple types are now correctly rendered via 74 - thanks to @s-andringa
- Sensitive fields are no longer rendered (fixes #56 via #80 - thanks to @kuldeepaggarwal).
Many thanks to @xjunior, who contributed a series of improvements and fixes present in this version.
New features:
- Allow writable complex types in custom extensions via #61
- Allow complex queries via table joins via #62
Fixes:
- Much better error message raised if `PatchOp` misses operations in #65
- Combined logical groups generate working queries with #66
- Maintenance release which merges a warning removal patch in #54 (thanks to @sobrinho for the contribution) via #63; it is the changes in the latter which are brought into Scimitar V2, to keep a minimal overall diff between V1 and V2.
- Fix shortcoming in `Content-Type` header handling via #51. Thanks to @Flixt for the contribution.
- Address #48 by adapting #49, so that extension schemas work properly. Missing documentation in `README.md` addressed. Thanks to @bettysteger and @MorrisFreeman for the contribution.
- Address #43 - allows Microsoft-style payloads for removing Users from Groups, with a special case exception for hypothetical inbound SCIM calls originating from Salesforce software. For more details of the fix, please see #45.
- Address #35. Declaring primary key in the ActiveRecord model would solve most of the problems described, but v2.2.0 did introduce a default order clause that would trip up a model with a different primary key name; this is now fixed. In any case, it may be possible to avoid declaring the primary key override in the model entirely if using Scimitar v2.3.0, should that be your wish. This is in effect an edge case new feature, which is why the gem's minor version has been bumped up.
- Bump local development Ruby to v3.2.0, including it in the test matrix and in effect creating "official" support for that Ruby version.
- Fix #36 - filters are case-sensitive for special cases of `id`, `externalId` and `meta.*` attributes. A model must still declare if and how these are searchable via its `::scim_queryable_attributes` implementation, just as with any other attribute.
- Fix #37 - filters now correctly support case insensitive attribute names.
- Merged #29, fixing an issue caused by an unhandled form of payload sent by Okta. Thanks to @jasonopslevel for the contribution.
- Merged #17 (more detailed errors), #18 (`primary` attribute added to Address schema) and #19 (configurable required-or-optional `value` attributes in VDTP-derived types). Thanks for the contributions, @pelted!
- Noted closed PR #25 and implemented a configurable exception reporting hook for people who might want that kind of feature. See engine configuration option `exception_reporter` for details.
- Address #20 by better handling content type in requests:
  - MicrosoftDocs/azure-docs#94189 (comment) indicates that no header is sent for `GET` methods while a correct header is sent for others. That is in line with the RFC, so we should handle a lack of content type in the `GET` case. This was not the case in Scimitar v2.0.1 and earlier.
  - Ultimately we must expect attackers to send junk data in attempts to find vulnerabilities in JSON parsing, so the header presence can't really be trusted and the JSON parser must simply be robust. As a result, this patch version of the gem will assume an `application/scim+json` content type for any inbound request that specifies no other type, regardless of HTTP method used. Requests are only rejected if a `Content-Type` header explicitly states that the content is of some unsupported type.
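
The content-type policy described above, sketched as an added example (not Scimitar's own code). The helper names, the single-entry supported list, the rejection reasons and the nesting limit are assumptions made for illustration.

```ruby
require 'json'

# Assumption: the only supported media type is the one the changelog names.
SUPPORTED_TYPES = ['application/scim+json'].freeze
DEFAULT_TYPE    = 'application/scim+json'

# Returns the effective media type for a raw Content-Type header value, or
# nil when the header explicitly names an unsupported type. A missing or
# empty header falls back to the default, whatever the HTTP method.
def effective_content_type(header)
  media_type = header.to_s.split(';', 2).first.to_s.strip.downcase
  return DEFAULT_TYPE if media_type.empty?

  SUPPORTED_TYPES.include?(media_type) ? media_type : nil
end

# Returns [:ok, hash] or [:rejected, reason]. The header only gates explicit
# mismatches; the body is treated as untrusted regardless of what it claims.
def read_scim_request(content_type_header, body)
  if effective_content_type(content_type_header).nil?
    return [:rejected, 'unsupported content type']
  end
  return [:ok, {}] if body.nil? || body.empty? # e.g. a GET with no payload

  text = body.dup.force_encoding(Encoding::UTF_8)
  return [:rejected, 'invalid encoding'] unless text.valid_encoding?

  # Cap nesting so hostile input cannot drive deep recursion (limit is arbitrary).
  parsed = JSON.parse(text, max_nesting: 20)
  parsed.is_a?(Hash) ? [:ok, parsed] : [:rejected, 'payload is not a JSON object']
rescue JSON::ParserError
  [:rejected, 'malformed JSON']
end
```
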
- Merges #15 from AbeerKhakwani, fixing an issue with AD and the Meta object.
- Requires Rails 7. Supports Ruby 3, but still works on 2.7.
- Your `config/initializers/scimitar.rb` might need to be enclosed within a `Rails.application.config.to_prepare do...` block to avoid `NameError: uninitialized constant...` exceptions arising due to autoloader problems:

  ```ruby
  # Defer configuration until the autoloader has loaded application constants
  Rails.application.config.to_prepare do
    Scimitar.engine_configuration = Scimitar::EngineConfiguration.new({
      # ...
    })
  end
  ```
- If you use `Scimitar::Errors#add_errors_from_hash`, note that the previously-unnamed first parameter is now explicitly named `errors_hash`. This avoids potential ambiguity and confusion/errors with Ruby 3's more strict rules for named parameter and hash mixtures in both method definitions and method calls. For example:

  ```ruby
  # Old code...
  user.add_errors_from_hash(key: 'some key')
  # ...becomes:
  user.add_errors_from_hash(errors_hash: {key: 'some key'})

  # Old code...
  user.add_errors_from_hash({key: 'some key'}, prefix: 'some prefix')
  # ...becomes:
  user.add_errors_from_hash(errors_hash: {key: 'some key'}, prefix: 'some prefix')
  ```
- Back-ports features from v2.1.1 for Rails 6 users.
- Back-ports features from v2.1.0 for Rails 6 users.
- Back-ports fixes from v2.0.1 and v2.0.2 for Rails 6 users.
- Updated for RIPA branding.
- Ruby and gem version maintenance updates.
- Implement case insensitivity for attributes (fixes issue #7).
- More robust path filter parsing for `PATCH` operations; previously, a path filter such as `value eq "Something With Spaces"` would have been rejected.
- Add Travis support for CI.
- Adjust `scimitar.gemspec` a bit more for CI and now that we're public in RubyGems, with a `Gemfile.lock` bump on Scimitar itself (overlooked in 1.0.1).
- Added source code link to `scimitar.gemspec` metadata for RubyGems.
- Initial public release.