use parameter_service

Author: Andrew Burns

app/controllers/scim_rails/scim_users_controller.rb

@@ -1,5 +1,7 @@
 module ScimRails
   class ScimUsersController < ScimRails::ApplicationController
+    before_action :check_allowed_parameters!, only: %i[create patch_update put_update]
+
     def index
       ScimRails.config.before_scim_response.call(request.params) unless ScimRails.config.before_scim_response.nil?
 
@@ -97,7 +99,7 @@ def patch_update
 
         active_param = extract_active_param(operation, path_params)
         status = patch_status(active_param)
-        
+
         next if status.nil?
 
         provision_method = status ? ScimRails.config.user_reprovision_method : ScimRails.config.user_deprovision_method
@@ -116,7 +118,7 @@ def delete
 
       user = @company.public_send(ScimRails.config.scim_users_scope).find(params[:id])
       user.update!(ScimRails.config.custom_user_attributes)
-      
+
       user.destroy
 
       ScimRails.config.after_scim_response.call(user, "DELETED") unless ScimRails.config.after_scim_response.nil?
@@ -129,5 +131,25 @@ def delete
     def get_multi_value_attrs(operation)
       schema_hash = contains_square_brackets?(operation["path"]) ? multi_attr_type_to_value(process_filter_path(operation)) : {}
     end
+
+    def check_allowed_parameters!
+      schema = ScimRails.config.user_schema.dup
+      if schema.fetch(:schemas, []).include?("urn:ietf:params:scim:schemas:core:2.0:User")
+        schema.delete(:schemas)
+        schema.merge(ParameterService::SCIM_CORE_USER_SCHEMA)
+      end
+
+      bad_fields = ParameterService.invalid_parameters(schema, params)
+      return if bad_fields.empty?
+
+      json_response(
+        {
+          schemas: ["urn:ietf:params:scim:api:messages:2.0:Error"],
+          detail: "Unknown fields: #{bad_fields.join(", ")}",
+          status: "422"
+        },
+        :unprocessable_entity,
+      )
+    end
   end
 end

app/services/parameter_service.rb

@@ -6,15 +6,40 @@ module ParameterService
   # https://datatracker.ietf.org/doc/html/rfc7643#section-4
   SCIM_CORE_USER_SCHEMA = {
     "userName" => String,
+    "displayName" => String,
+    "nickName" => String,
     "name" => {
       "formatted" => String,
       "familyName" => String,
       "givenName" => String,
       "middleName" => String,
+      "honorificPrefix" => String,
+      "honorificSuffix" => String,
     },
+    "profileUrl" => String,
+    "title" => String,
+    "userType" => String,
+    "preferredLanguage" => String,
+    "locale" => String,
+    "timezone" => String,
+    "active" => String,
+    "password" => String,
     "emails" => [],
+    "phoneNumbers" => [],
+    "ims" => String,
+    "photos" => String,
+    "addresses" => {
+      "formatted" => String,
+      "streetAddress" => String,
+      "locality" => String,
+      "region" => String,
+      "postalCode" => String,
+      "country" => String,
+    },
+    "entitlements" => [],
+    "roles" => [],
+    "x509Certificates" => [],
   }
-
   # def invalid_params(params, object_type)
   #   raise "Not supported" unless object_type == "User"
   #   schema = ScimRails.config.user_schema
@@ -37,9 +62,13 @@ def invalid_parameters(schema, parameters, parent_path: nil)
 
       # Okay... both keys exist.. Did either side specify a subtype?
       sub_schema = schema[param_key.to_s]
-      next unless sub_schema.is_a?(Hash) || param_value.is_a?(Hash)
+      param_has_subtype = sub_schema.is_a?(Hash) || param_value.is_a?(Hash)
+      param_has_subtype ||= sub_schema.is_a?(Array) || param_value.is_a?(Array)
+      next unless param_has_subtype
 
-      if param_value.is_a?(Hash) && sub_schema.is_a?(Hash)
+      if param_value.is_a?(Array) && sub_schema.is_a?(Array)
+        next
+      elsif param_value.is_a?(Hash) && sub_schema.is_a?(Hash)
         invalid += invalid_parameters(sub_schema, param_value, parent_path: param_path)
       else
         # One, and only one, of them is a subtype so it is invalid

spec/services/parameter_service_spec.rb

@@ -73,7 +73,7 @@
 
       context "nested" do
         context "array" do
-          it "with valid top-level" do
+          it "top-level" do
             params = good_params.merge(
               "name" => %w[one two]
             )
@@ -82,7 +82,7 @@
             expect(result).to eq ["name"]
           end
 
-          it ">>>" do
+          it "nested hash" do
             params = good_params.merge(
               "name" => {
                 "givenName" => %w[one two]