import axios from 'axios'; import capitalize from 'lodash/capitalize'; import { assert } from 'chai'; import { TestServer } from 'test/gen-server/apiUtils'; import { configForUser } from 'test/gen-server/testUtils'; import * as testUtils from 'test/server/testUtils'; function scimConfigForUser(user: string) { const config = configForUser(user); return { ...config, headers: { ...config.headers, 'Content-Type': 'application/scim+json' } }; } const chimpy = scimConfigForUser('Chimpy'); const kiwi = scimConfigForUser('Kiwi'); const charon = scimConfigForUser('Charon'); const anon = scimConfigForUser('Anonymous'); const USER_CONFIG_BY_NAME = { chimpy, kiwi, anon, }; type UserConfigByName = typeof USER_CONFIG_BY_NAME; describe('Scim', () => { let oldEnv: testUtils.EnvironmentSnapshot; let server: TestServer; let homeUrl: string; const userIdByName: {[name in keyof UserConfigByName]?: number} = {}; const scimUrl = (path: string) => (homeUrl + '/api/scim/v2' + path); testUtils.setTmpLogLevel('error'); before(async function () { oldEnv = new testUtils.EnvironmentSnapshot(); process.env.GRIST_DEFAULT_EMAIL = 'chimpy@getgrist.com'; process.env.GRIST_SCIM_EMAIL = 'charon@getgrist.com'; process.env.TYPEORM_DATABASE = ':memory:'; server = new TestServer(this); homeUrl = await server.start(); const userNames = Object.keys(USER_CONFIG_BY_NAME) as Array; for (const user of userNames) { userIdByName[user] = await getOrCreateUserId(user); } }); after(async () => { oldEnv.restore(); await server.stop(); }); function personaToSCIMMYUserWithId(user: keyof UserConfigByName) { return toSCIMUserWithId(user, userIdByName[user]!); } function toSCIMUserWithId(user: string, id: number) { return { ...toSCIMUserWithoutId(user), id: String(id), meta: { resourceType: 'User', location: '/api/scim/v2/Users/' + id }, }; } function toSCIMUserWithoutId(user: string) { return { schemas: [ 'urn:ietf:params:scim:schemas:core:2.0:User' ], userName: user + '@getgrist.com', name: { formatted: capitalize(user) }, displayName: capitalize(user), preferredLanguage: 'en', locale: 'en', emails: [ { value: user + '@getgrist.com', primary: true } ] }; } async function getOrCreateUserId(user: string) { return (await server.dbManager.getUserByLogin(user + '@getgrist.com'))!.id; } async function cleanupUser(userId: number) { if (await server.dbManager.getUser(userId)) { await server.dbManager.deleteUser({ userId: userId }, userId); } } function checkEndpointNotAccessibleForNonAdminUsers( method: 'get' | 'post' | 'put' | 'patch' | 'delete', path: string, validBody: object = {} ) { function makeCallWith(user: keyof UserConfigByName) { if (method === 'get' || method === 'delete') { return axios[method](scimUrl(path), USER_CONFIG_BY_NAME[user]); } return axios[method](scimUrl(path), validBody, USER_CONFIG_BY_NAME[user]); } it('should return 401 for anonymous', async function () { const res: any = await makeCallWith('anon'); assert.equal(res.status, 401); }); it('should return 401 for kiwi', async function () { const res: any = await makeCallWith('kiwi'); assert.deepEqual(res.data, { schemas: [ 'urn:ietf:params:scim:api:messages:2.0:Error' ], status: '403', detail: 'You are not authorized to access this resource' }); assert.equal(res.status, 403); }); } describe('/Me', function () { async function checkGetMeAs(user: keyof UserConfigByName, expected: any) { const res = await axios.get(scimUrl('/Me'), USER_CONFIG_BY_NAME[user]); assert.equal(res.status, 200); assert.deepInclude(res.data, expected); } it(`should return the current user for chimpy`, async function () { return checkGetMeAs('chimpy', personaToSCIMMYUserWithId('chimpy')); }); it(`should return the current user for kiwi`, async function () { return checkGetMeAs('kiwi', personaToSCIMMYUserWithId('kiwi')); }); it('should return 401 for anonymous', async function () { const res = await axios.get(scimUrl('/Me'), anon); assert.equal(res.status, 401); }); it.skip('should allow operation like PATCH for kiwi', async function () { // SKIPPING this test: only the GET verb is currently implemented by SCIMMY for the /Me endpoint. // Issue created here: https://github.com/scimmyjs/scimmy/issues/47 const patchBody = { schemas: ['urn:ietf:params:scim:api:messages:2.0:PatchOp'], Operations: [{ op: "replace", path: 'locale', value: 'fr', }], }; const res = await axios.patch(scimUrl('/Me'), patchBody, kiwi); assert.equal(res.status, 200); assert.deepEqual(res.data, { ...personaToSCIMMYUserWithId('kiwi'), locale: 'fr', preferredLanguage: 'en', }); }); }); describe('/Users/{id}', function () { it('should return the user of id=1 for chimpy', async function () { const res = await axios.get(scimUrl('/Users/1'), chimpy); assert.equal(res.status, 200); assert.deepInclude(res.data, { schemas: ['urn:ietf:params:scim:schemas:core:2.0:User'], id: '1', displayName: 'Chimpy', userName: 'chimpy@getgrist.com' }); }); it('should return 404 when the user is not found', async function () { const res = await axios.get(scimUrl('/Users/1000'), chimpy); assert.equal(res.status, 404); assert.deepEqual(res.data, { schemas: [ 'urn:ietf:params:scim:api:messages:2.0:Error' ], status: '404', detail: 'User with ID 1000 not found' }); }); checkEndpointNotAccessibleForNonAdminUsers('get', '/Users/1'); }); describe('GET /Users', function () { it('should return all users for chimpy', async function () { const res = await axios.get(scimUrl('/Users'), chimpy); assert.equal(res.status, 200); assert.isAbove(res.data.totalResults, 0, 'should have retrieved some users'); assert.deepInclude(res.data.Resources, personaToSCIMMYUserWithId('chimpy')); assert.deepInclude(res.data.Resources, personaToSCIMMYUserWithId('kiwi')); }); checkEndpointNotAccessibleForNonAdminUsers('get', '/Users'); }); describe('POST /Users/.search', function () { const SEARCH_SCHEMA = 'urn:ietf:params:scim:api:messages:2.0:SearchRequest'; const searchExample = { schemas: [SEARCH_SCHEMA], sortBy: 'userName', sortOrder: 'descending', }; it('should return all users for chimpy order by userName in descending order', async function () { const res = await axios.post(scimUrl('/Users/.search'), searchExample, chimpy); assert.equal(res.status, 200); assert.isAbove(res.data.totalResults, 0, 'should have retrieved some users'); const users = res.data.Resources.map((r: any) => r.userName); assert.include(users, 'chimpy@getgrist.com'); assert.include(users, 'kiwi@getgrist.com'); const indexOfChimpy = users.indexOf('chimpy@getgrist.com'); const indexOfKiwi = users.indexOf('kiwi@getgrist.com'); assert.isBelow(indexOfKiwi, indexOfChimpy, 'kiwi should come before chimpy'); }); it('should also allow access for user Charon (the one refered in GRIST_SCIM_EMAIL)', async function () { const res = await axios.post(scimUrl('/Users/.search'), searchExample, charon); assert.equal(res.status, 200); }); it('should filter the users by userName', async function () { const res = await axios.post(scimUrl('/Users/.search'), { schemas: [SEARCH_SCHEMA], attributes: ['userName'], filter: 'userName sw "chimpy"', }, chimpy); assert.equal(res.status, 200); assert.equal(res.data.totalResults, 1); assert.deepEqual(res.data.Resources[0], { id: String(userIdByName['chimpy']), userName: 'chimpy@getgrist.com' }, "should have retrieved only chimpy's username and not other attribute"); }); checkEndpointNotAccessibleForNonAdminUsers('post', '/Users/.search', searchExample); }); describe('POST /Users', function () { // Create a new users async function withUserName(userName: string, cb: (userName: string) => Promise) { try { await cb(userName); } finally { const user = await server.dbManager.getExistingUserByLogin(userName + "@getgrist.com"); if (user) { await cleanupUser(user.id); } } } it('should create a new user', async function () { await withUserName('newuser1', async (userName) => { const res = await axios.post(scimUrl('/Users'), toSCIMUserWithoutId(userName), chimpy); assert.equal(res.status, 201); const newUserId = await getOrCreateUserId(userName); assert.deepEqual(res.data, toSCIMUserWithId(userName, newUserId)); }); }); it('should allow creating a new user given only their email passed as username', async function () { await withUserName('new.user2', async (userName) => { const res = await axios.post(scimUrl('/Users'), { schemas: ['urn:ietf:params:scim:schemas:core:2.0:User'], userName: 'new.user2@getgrist.com', }, chimpy); assert.equal(res.status, 201); assert.equal(res.data.userName, userName + '@getgrist.com'); assert.equal(res.data.displayName, userName); }); }); it('should also allow user Charon to create a user (the one refered in GRIST_SCIM_EMAIL)', async function () { await withUserName('new.user.by.charon', async (userName) => { const res = await axios.post(scimUrl('/Users'), toSCIMUserWithoutId(userName), charon); assert.equal(res.status, 201); }); }); it('should reject when passed email differs from username', async function () { await withUserName('username', async (userName) => { const res = await axios.post(scimUrl('/Users'), { schemas: ['urn:ietf:params:scim:schemas:core:2.0:User'], userName: userName + '@getgrist.com', emails: [{ value: 'emails.value@getgrist.com' }], }, chimpy); assert.deepEqual(res.data, { schemas: [ 'urn:ietf:params:scim:api:messages:2.0:Error' ], status: '400', detail: 'Email and userName must be the same', scimType: 'invalidValue' }); assert.equal(res.status, 400); }); }); it('should disallow creating a user with the same email', async function () { const res = await axios.post(scimUrl('/Users'), toSCIMUserWithoutId('chimpy'), chimpy); assert.deepEqual(res.data, { schemas: [ 'urn:ietf:params:scim:api:messages:2.0:Error' ], status: '409', detail: 'An existing user with the passed email exist.', scimType: 'uniqueness' }); assert.equal(res.status, 409); }); checkEndpointNotAccessibleForNonAdminUsers('post', '/Users', toSCIMUserWithoutId('some-user')); }); describe('PUT /Users/{id}', function () { let userToUpdateId: number; const userToUpdateEmailLocalPart = 'user-to-update'; beforeEach(async function () { userToUpdateId = await getOrCreateUserId(userToUpdateEmailLocalPart); }); afterEach(async function () { await cleanupUser(userToUpdateId); }); it('should update an existing user', async function () { const userToUpdateProperties = { schemas: ['urn:ietf:params:scim:schemas:core:2.0:User'], userName: userToUpdateEmailLocalPart + '-now-updated@getgrist.com', displayName: 'User to Update', photos: [{ value: 'https://example.com/photo.jpg', type: 'photo', primary: true }], locale: 'fr', }; const res = await axios.put(scimUrl(`/Users/${userToUpdateId}`), userToUpdateProperties, chimpy); assert.equal(res.status, 200); const refreshedUser = await axios.get(scimUrl(`/Users/${userToUpdateId}`), chimpy); assert.deepEqual(refreshedUser.data, { ...userToUpdateProperties, id: String(userToUpdateId), meta: { resourceType: 'User', location: `/api/scim/v2/Users/${userToUpdateId}` }, emails: [ { value: userToUpdateProperties.userName, primary: true } ], name: { formatted: userToUpdateProperties.displayName }, preferredLanguage: 'fr', }); }); it('should reject when passed email differs from username', async function () { const res = await axios.put(scimUrl(`/Users/${userToUpdateId}`), { schemas: ['urn:ietf:params:scim:schemas:core:2.0:User'], userName: userToUpdateEmailLocalPart + '@getgrist.com', emails: [{ value: 'whatever@getgrist.com', primary: true }], }, chimpy); assert.deepEqual(res.data, { schemas: [ 'urn:ietf:params:scim:api:messages:2.0:Error' ], status: '400', detail: 'Email and userName must be the same', scimType: 'invalidValue' }); assert.equal(res.status, 400); }); it('should disallow updating a user with the same email as another user\'s', async function () { const res = await axios.put(scimUrl(`/Users/${userToUpdateId}`), toSCIMUserWithoutId('chimpy'), chimpy); assert.deepEqual(res.data, { schemas: [ 'urn:ietf:params:scim:api:messages:2.0:Error' ], status: '409', detail: 'An existing user with the passed email exist.', scimType: 'uniqueness' }); assert.equal(res.status, 409); }); it('should return 404 when the user is not found', async function () { const res = await axios.put(scimUrl('/Users/1000'), toSCIMUserWithoutId('whoever'), chimpy); assert.deepEqual(res.data, { schemas: [ 'urn:ietf:params:scim:api:messages:2.0:Error' ], status: '404', detail: 'unable to find user to update' }); assert.equal(res.status, 404); }); it('should deduce the name from the displayEmail when not provided', async function () { const res = await axios.put(scimUrl(`/Users/${userToUpdateId}`), { schemas: ['urn:ietf:params:scim:schemas:core:2.0:User'], userName: 'my-email@getgrist.com', }, chimpy); assert.equal(res.status, 200); assert.deepInclude(res.data, { schemas: ['urn:ietf:params:scim:schemas:core:2.0:User'], id: String(userToUpdateId), userName: 'my-email@getgrist.com', displayName: 'my-email', }); }); it('should normalize the passed email for the userName and keep the case for email.value', async function () { const newEmail = 'my-EMAIL@getgrist.com'; const res = await axios.put(scimUrl(`/Users/${userToUpdateId}`), { schemas: ['urn:ietf:params:scim:schemas:core:2.0:User'], userName: newEmail, }, chimpy); assert.equal(res.status, 200); assert.deepInclude(res.data, { schemas: ['urn:ietf:params:scim:schemas:core:2.0:User'], id: String(userToUpdateId), userName: newEmail.toLowerCase(), displayName: 'my-EMAIL', emails: [{ value: newEmail, primary: true }] }); }); checkEndpointNotAccessibleForNonAdminUsers('put', '/Users/1', toSCIMUserWithoutId('chimpy')); }); describe('PATCH /Users/{id}', function () { let userToPatchId: number; const userToPatchEmailLocalPart = 'user-to-patch'; beforeEach(async function () { userToPatchId = await getOrCreateUserId(userToPatchEmailLocalPart); }); afterEach(async function () { await cleanupUser(userToPatchId); }); const validPatchBody = (newName: string) => ({ schemas: ['urn:ietf:params:scim:api:messages:2.0:PatchOp'], Operations: [{ op: "replace", path: "displayName", value: newName, }, { op: "replace", path: "locale", value: 'fr' }], }); it('should replace values of an existing user', async function () { const newName = 'User to Patch new Name'; const res = await axios.patch(scimUrl(`/Users/${userToPatchId}`), validPatchBody(newName), chimpy); assert.equal(res.status, 200); const refreshedUser = await axios.get(scimUrl(`/Users/${userToPatchId}`), chimpy); assert.deepEqual(refreshedUser.data, { ...toSCIMUserWithId(userToPatchEmailLocalPart, userToPatchId), displayName: newName, name: { formatted: newName }, locale: 'fr', preferredLanguage: 'fr', }); }); checkEndpointNotAccessibleForNonAdminUsers('patch', '/Users/1', validPatchBody('new name2')); }); describe('DELETE /Users/{id}', function () { let userToDeleteId: number; const userToDeleteEmailLocalPart = 'user-to-delete'; beforeEach(async function () { userToDeleteId = await getOrCreateUserId(userToDeleteEmailLocalPart); }); afterEach(async function () { await cleanupUser(userToDeleteId); }); it('should delete some user', async function () { const res = await axios.delete(scimUrl(`/Users/${userToDeleteId}`), chimpy); assert.equal(res.status, 204); const refreshedUser = await axios.get(scimUrl(`/Users/${userToDeleteId}`), chimpy); assert.equal(refreshedUser.status, 404); }); it('should return 404 when the user is not found', async function () { const res = await axios.delete(scimUrl('/Users/1000'), chimpy); assert.deepEqual(res.data, { schemas: [ 'urn:ietf:params:scim:api:messages:2.0:Error' ], status: '404', detail: 'user not found' }); assert.equal(res.status, 404); }); checkEndpointNotAccessibleForNonAdminUsers('delete', '/Users/1'); }); describe('POST /Bulk', function () { let usersToCleanupEmails: string[]; beforeEach(async function () { usersToCleanupEmails = []; }); afterEach(async function () { for (const email of usersToCleanupEmails) { const user = await server.dbManager.getExistingUserByLogin(email); if (user) { await cleanupUser(user.id); } } }); it('should return statuses for each operation', async function () { const putOnUnknownResource = { method: 'PUT', path: '/Users/1000', value: toSCIMUserWithoutId('chimpy') }; const validCreateOperation = { method: 'POST', path: '/Users/', data: toSCIMUserWithoutId('bulk-user3'), bulkId: '1' }; usersToCleanupEmails.push('bulk-user3'); const createOperationWithUserNameConflict = { method: 'POST', path: '/Users/', data: toSCIMUserWithoutId('chimpy'), bulkId: '2' }; const res = await axios.post(scimUrl('/Bulk'), { schemas: ['urn:ietf:params:scim:api:messages:2.0:BulkRequest'], Operations: [ putOnUnknownResource, validCreateOperation, createOperationWithUserNameConflict, ], }, chimpy); assert.equal(res.status, 200); const newUserID = await getOrCreateUserId('bulk-user3'); assert.deepEqual(res.data, { schemas: [ "urn:ietf:params:scim:api:messages:2.0:BulkResponse" ], Operations: [ { method: "PUT", location: "/api/scim/v2/Users/1000", status: "400", response: { schemas: [ "urn:ietf:params:scim:api:messages:2.0:Error" ], status: "400", scimType: "invalidSyntax", detail: "Expected 'data' to be a single complex value in BulkRequest operation #1" } }, { method: "POST", bulkId: "1", location: "/api/scim/v2/Users/" + newUserID, status: "201" }, { method: "POST", bulkId: "2", status: "409", response: { schemas: [ "urn:ietf:params:scim:api:messages:2.0:Error" ], status: "409", scimType: "uniqueness", detail: "An existing user with the passed email exist." } } ] }); }); it('should return 400 when no operations are provided', async function () { const res = await axios.post(scimUrl('/Bulk'), { schemas: ['urn:ietf:params:scim:api:messages:2.0:BulkRequest'], Operations: [], }, chimpy); assert.equal(res.status, 400); assert.deepEqual(res.data, { schemas: [ 'urn:ietf:params:scim:api:messages:2.0:Error' ], status: '400', detail: "BulkRequest request body must contain 'Operations' attribute with at least one operation", scimType: 'invalidValue' }); }); it('should disallow accessing resources to kiwi', async function () { const creationOperation = { method: 'POST', path: '/Users', data: toSCIMUserWithoutId('bulk-user4'), bulkId: '1' }; usersToCleanupEmails.push('bulk-user4'); const selfPutOperation = { method: 'PUT', path: '/Me', value: toSCIMUserWithoutId('kiwi') }; const res = await axios.post(scimUrl('/Bulk'), { schemas: ['urn:ietf:params:scim:api:messages:2.0:BulkRequest'], Operations: [ creationOperation, selfPutOperation, ], }, kiwi); assert.equal(res.status, 200); assert.deepEqual(res.data, { schemas: [ "urn:ietf:params:scim:api:messages:2.0:BulkResponse" ], Operations: [ { method: "POST", bulkId: "1", status: "403", response: { detail: "You are not authorized to access this resource", schemas: [ "urn:ietf:params:scim:api:messages:2.0:Error" ], status: "403" } }, { // When writing this test, the SCIMMY implementation does not yet support PUT operations on /Me. // This reflects the current behavior, but it may change in the future. // Change this test if the behavior changes. // It is probably fine to allow altering oneself even for non-admins. method: "PUT", location: "/Me", status: "400", response: { schemas: [ "urn:ietf:params:scim:api:messages:2.0:Error" ], status: "400", detail: "Invalid 'path' value '/Me' in BulkRequest operation #2", scimType: "invalidValue" } } ] }); }); it('should disallow accessing resources to anonymous', async function () { const creationOperation = { method: 'POST', path: '/Users', data: toSCIMUserWithoutId('bulk-user5'), bulkId: '1' }; usersToCleanupEmails.push('bulk-user5'); const res = await axios.post(scimUrl('/Bulk'), { schemas: ['urn:ietf:params:scim:api:messages:2.0:BulkRequest'], Operations: [creationOperation], }, anon); assert.equal(res.status, 401); }); }); it('should allow fetching the Scim schema when autenticated', async function () { const res = await axios.get(scimUrl('/Schemas'), kiwi); assert.equal(res.status, 200); assert.deepInclude(res.data, { schemas: ['urn:ietf:params:scim:api:messages:2.0:ListResponse'], }); assert.property(res.data, 'Resources'); assert.deepInclude(res.data.Resources[0], { schemas: ['urn:ietf:params:scim:schemas:core:2.0:Schema'], id: 'urn:ietf:params:scim:schemas:core:2.0:User', name: 'User', description: 'User Account', }); }); it('should allow fetching the Scim resource types when autenticated', async function () { const res = await axios.get(scimUrl('/ResourceTypes'), kiwi); assert.equal(res.status, 200); assert.deepInclude(res.data, { schemas: ['urn:ietf:params:scim:api:messages:2.0:ListResponse'], }); assert.property(res.data, 'Resources'); assert.deepInclude(res.data.Resources[0], { schemas: ['urn:ietf:params:scim:schemas:core:2.0:ResourceType'], name: 'User', endpoint: '/Users', }); }); it('should allow fetching the Scim service provider config when autenticated', async function () { const res = await axios.get(scimUrl('/ServiceProviderConfig'), kiwi); assert.equal(res.status, 200); assert.deepInclude(res.data, { schemas: ['urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig'], }); assert.property(res.data, 'patch'); assert.property(res.data, 'bulk'); assert.property(res.data, 'filter'); }); });