fix: validate schema ID in the provided resource

elimity-com · Mar 20, 2024 · f2efa51 · f2efa51
1 parent 172bf2a
commit f2efa51
Show file tree

Hide file tree

Showing 4 changed files with 191 additions and 98 deletions.
diff --git a/handlers_test.go b/handlers_test.go
@@ -433,40 +433,40 @@ func TestServerResourcePostHandlerValid(t *testing.T) {
 	tests := []struct {
 		name               string
 		target             string
-		body               io.Reader
+		body               string
 		expectedUserName   string
 		expectedExternalID interface{}
 	}{
 		{
 			name:               "Users post request without version",
 			target:             "/Users",
-			body:               strings.NewReader(`{"id": "other", "userName": "test1", "externalId": "external_test1"}`),
+			body:               `{"id": "other", "userName": "test1", "externalId": "external_test1","schemas":["urn:ietf:params:scim:schemas:core:2.0:User"]}`,
 			expectedUserName:   "test1",
 			expectedExternalID: "external_test1",
 		}, {
 			name:               "Users post request with version",
 			target:             "/v2/Users",
-			body:               strings.NewReader(`{"id": "other", "userName": "test2", "externalId": "external_test2"}`),
+			body:               `{"id": "other", "userName": "test2", "externalId": "external_test2","schemas":["urn:ietf:params:scim:schemas:core:2.0:User"]}`,
 			expectedUserName:   "test2",
 			expectedExternalID: "external_test2",
 		}, {
 			name:               "Users post request without externalId",
 			target:             "/v2/Users",
-			body:               strings.NewReader(`{"id": "other", "userName": "test3"}`),
+			body:               `{"id": "other", "userName": "test3","schemas":["urn:ietf:params:scim:schemas:core:2.0:User"]}`,
 			expectedUserName:   "test3",
 			expectedExternalID: nil,
 		}, {
 			name:               "Users post request with immutable attribute",
 			target:             "/v2/Users",
-			body:               strings.NewReader(`{"id": "other", "userName": "test3", "immutableThing": "test"}`),
+			body:               `{"id": "other", "userName": "test3", "immutableThing": "test","schemas":["urn:ietf:params:scim:schemas:core:2.0:User"]}`,
 			expectedUserName:   "test3",
 			expectedExternalID: nil,
 		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			req := httptest.NewRequest(http.MethodPost, test.target, test.body)
+			req := httptest.NewRequest(http.MethodPost, test.target, strings.NewReader(test.body))
 			rr := httptest.NewRecorder()
 			newTestServer(t).ServeHTTP(rr, req)
 
@@ -496,7 +496,8 @@ func TestServerResourcePostHandlerValid(t *testing.T) {
 }
 
 func TestServerResourcePutHandlerNotFound(t *testing.T) {
-	req := httptest.NewRequest(http.MethodPut, "/Users/9999", strings.NewReader(`{"userName": "other"}`))
+	reqBody := `{"userName": "other","schemas":["urn:ietf:params:scim:schemas:core:2.0:User"]}`
+	req := httptest.NewRequest(http.MethodPut, "/Users/9999", strings.NewReader(reqBody))
 	rr := httptest.NewRecorder()
 	newTestServer(t).ServeHTTP(rr, req)
 
@@ -520,34 +521,34 @@ func TestServerResourcePutHandlerValid(t *testing.T) {
 	tests := []struct {
 		name               string
 		target             string
-		body               io.Reader
+		body               string
 		expectedUserName   string
 		expectedExternalID interface{}
 	}{
 		{
 			name:               "Users put request",
 			target:             "/v2/Users/0002",
-			body:               strings.NewReader(`{"id": "other", "userName": "test2", "externalId": "external_test2"}`),
+			body:               `{"id": "other", "userName": "test2", "externalId": "external_test2","schemas":["urn:ietf:params:scim:schemas:core:2.0:User"]}`,
 			expectedUserName:   "test2",
 			expectedExternalID: "external_test2",
 		}, {
 			name:               "Users put request without externalId",
 			target:             "/Users/0003",
-			body:               strings.NewReader(`{"id": "other", "userName": "test3"}`),
+			body:               `{"id": "other", "userName": "test3","schemas":["urn:ietf:params:scim:schemas:core:2.0:User"]}`,
 			expectedUserName:   "test3",
 			expectedExternalID: nil,
 		}, {
 			name:               "Users put request with immutable attribute",
 			target:             "/Users/0003",
-			body:               strings.NewReader(`{"id": "other", "userName": "test3", "immutableThing": "test"}`),
+			body:               `{"id": "other", "userName": "test3", "immutableThing": "test","schemas":["urn:ietf:params:scim:schemas:core:2.0:User"]}`,
 			expectedUserName:   "test3",
 			expectedExternalID: nil,
 		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			req := httptest.NewRequest(http.MethodPut, test.target, test.body)
+			req := httptest.NewRequest(http.MethodPut, test.target, strings.NewReader(test.body))
 			rr := httptest.NewRecorder()
 			newTestServer(t).ServeHTTP(rr, req)
 

diff --git a/schema/schema.go b/schema/schema.go
@@ -127,12 +127,41 @@ func (s Schema) getRawAttributes() []map[string]interface{} {
 	return attributes
 }
 
+func (s Schema) validateSchemaID(resource map[string]interface{}) *errors.ScimError {
+	resourceSchemas, present := resource["schemas"]
+	if !present {
+		return &errors.ScimErrorInvalidSyntax
+	}
+
+	resourceSchemasSlice, ok := resourceSchemas.([]interface{})
+	if !ok {
+		return &errors.ScimErrorInvalidSyntax
+	}
+
+	var schemaFound bool
+	for _, v := range resourceSchemasSlice {
+		if v == s.ID {
+			schemaFound = true
+			break
+		}
+	}
+	if !schemaFound {
+		return &errors.ScimErrorInvalidSyntax
+	}
+
+	return nil
+}
+
 func (s Schema) validate(resource interface{}, checkMutability bool) (map[string]interface{}, *errors.ScimError) {
 	core, ok := resource.(map[string]interface{})
 	if !ok {
 		return nil, &errors.ScimErrorInvalidSyntax
 	}
 
+	if err := s.validateSchemaID(core); err != nil {
+		return nil, err
+	}
+
 	attributes := make(map[string]interface{})
 	for _, attribute := range s.Attributes {
 		var hit interface{}