Merge pull request #10 from limosa-io/tests-in-pipeline

Fixes #7

Author: arietimmerman

.github/workflows/ci.yml

@@ -2,12 +2,52 @@ name: CI
 
 on:
   push:
-    branches:
-      - main
+  pull_request:
 
 jobs:
-  build:
+  test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: "18"
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Build image
+        run: docker build -t scimverify-test .
+
+      - name: Test against Laravel SCIM Server
+        run: |
+          # Start the Laravel SCIM server in the background
+          docker run -d -p 8000:8000 --name laravel-scim-server ghcr.io/limosa-io/laravel-scim-server:latest
+          
+          # Wait for server to be ready
+          timeout 60 bash -c 'until curl -f http://localhost:8000/scim/v2/Schemas; do sleep 2; done'
+          
+          sed -i 's/requireAuthentication: true/requireAuthentication: false/' ./site/.vitepress/theme/components/config.yaml
+
+          # Run scimverify tests against the server
+          npx node ./bin/scimverify.js --config ./site/.vitepress/theme/components/config.yaml --base-url http://localhost:8000/scim/v2/ --auth-header "Bearer YOUR_TOKEN" 
+          
+          # Cleanup
+          docker stop laravel-scim-server
+          docker rm laravel-scim-server
+
+  deploy:
+    runs-on: ubuntu-latest
+    needs: test
+    if: github.ref == 'refs/heads/main'
     permissions:
       contents: read
       packages: write
@@ -49,13 +89,10 @@ jobs:
           git_push_flags: '--force'
 
       - name: Build image
-    run: docker build -t scimverify-test .
+        run: docker build -t scimverify-test .
 
       - name: Authenticate to GHCR
         run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $GITHUB_ACTOR --password-stdin
 
       - name: Push image
         run: docker push ghcr.io/${{ github.repository }}:latest
-
-        - name: Test Docker image
-          run: bash ./test-docker.sh

site/.vitepress/theme/components/config.yaml

@@ -2,6 +2,7 @@ detectSchema: true
 detectResourceTypes: true
 verifyPagination: true
 verifySorting: true
+requireAuthentication: false
 
 users:
   enabled: true
@@ -97,8 +98,8 @@ users:
     - request:
         {
           "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
-          "userName": "bjensen",
-          "emails": [{ "value": "barbara.jensen@example.com" }],
+          "userName": "bjonsen",
+          "emails": [{ "value": "barbara.jonsen@example.com" }],
         }
       response:
         {
@@ -119,7 +120,7 @@ users:
                   "type": "object",
                   "properties":
                     {
-                      "userName": { "type": "string", "const": "bjensen" },
+                      "userName": { "type": "string", "const": "bjonsen" },
                       "emails":
                         {
                           "type": "array",
@@ -131,7 +132,7 @@ users:
                                   "value":
                                     {
                                       "type": "string",
-                                      "const": "barbara.jensen@example.com",
+                                      "const": "barbara.jonsen@example.com",
                                     },
                                 },
                             },
@@ -152,7 +153,7 @@ users:
         {
           "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
           "userName": "bdoe",
-          "emails": [{ "value": "barbara.jensen@example.com" }],
+          "emails": [{ "value": "barbara.doe@example.com" }],
         }
       response:
         {
@@ -185,7 +186,7 @@ users:
                                   "value":
                                     {
                                       "type": "string",
-                                      "const": "barbara.jensen@example.com",
+                                      "const": "barbara.doe@example.com",
                                     },
                                 },
                             },
@@ -317,8 +318,7 @@ groups:
                           "items":
                             {
                               "type": "object",
-                              "properties": { "value": { "type": "string" } },
-                            },
+                              "properties": { "value": { "type": ["string", "number"] } },                   },
                         },
                     },
                   "required": ["displayName", "members"],
@@ -365,8 +365,7 @@ groups:
                           "items":
                             {
                               "type": "object",
-                              "properties": { "value": { "type": "string" } },
-                            },
+                              "properties": { "value": { "type": ["string", "number"] } },                   },
                         },
                     },
                   "required": ["displayName", "members"],

src/basics.js

@@ -20,15 +20,17 @@ function runTests(config) {
             );
         });
 
-        test('Authentication should be required for /Users', async function (t) {
-            const axios = getAxiosInstance(config, t);
-            const response = await axios.get('/Users', {
-                headers: {
-                    'Authorization': null
-                }
+        if (config?.requireAuthentication !== false) {
+            test('Authentication should be required for /Users', async function (t) {
+                const axios = getAxiosInstance(config, t);
+                const response = await axios.get('/Users', {
+                    headers: {
+                        'Authorization': null
+                    }
+                });
+                assert.ok([401, 403].includes(response.status), 'Expected 401 Unauthorized or 403 Forbidden status');
             });
-            assert.ok([401, 403].includes(response.status), 'Expected 401 Unauthorized or 403 Forbidden status');
-        });
+        }
     });
 }
 

src/groups.js

@@ -1,6 +1,6 @@
 import test from 'node:test';
 import assert from 'node:assert';
-import { getAxiosInstance, canonicalize } from './helpers.js';
+import { getAxiosInstance, canonicalize, getResourceAttributeValue } from './helpers.js';
 import dotenv from 'dotenv';
 import Ajv from 'ajv';
 
@@ -87,7 +87,7 @@ function runTests(groupSchema, groupSchemaExtensions = [], configuration) {
             assert.strictEqual(response.status, 200, 'GET /Groups/{id} should return status code 200');
             assert.strictEqual(response.data.schemas[0], 'urn:ietf:params:scim:schemas:core:2.0:Group', 'Response should contain the correct schema');
             assert.strictEqual(response.data.id, firstGroup.id, 'Returned group ID should match requested group ID');
-            assert.ok(response.data.displayName, 'Group should contain displayName attribute');
+            assert.ok(getResourceAttributeValue(response.data, 'displayName'), 'Group should contain displayName attribute');
             // Strip content type parameters (charset, boundary) from content-type header
             const contentType = response.headers['content-type']?.split(';')[0].trim();
             assert.ok(
@@ -124,9 +124,23 @@ function runTests(groupSchema, groupSchemaExtensions = [], configuration) {
                 assert.strictEqual(response.status, 200, 'Sort request should return 200 OK');
                 assert.strictEqual(response.data.schemas[0], 'urn:ietf:params:scim:api:messages:2.0:ListResponse', 'Response should use the correct SCIM list response schema');
                 const groups = response.data.Resources;
-                for (let i = 1; i < groups.length; i++) {
-                    assert.ok(groups[i - 1].displayName <= groups[i].displayName, 'Groups should be sorted by displayName');
+
+                const displayNames = groups.map(g => getResourceAttributeValue(g, 'displayName'));
+                const unsortedPairs = [];
+                for (let i = 1; i < displayNames.length; i++) {
+                    if (displayNames[i - 1] > displayNames[i]) {
+                        unsortedPairs.push({ index: i - 1, a: displayNames[i - 1], b: displayNames[i] });
+                    }
+                }
+                if (unsortedPairs.length > 0) {
+                    t.diagnostic(
+                        'Unsorted displayName pairs: ' +
+                        unsortedPairs
+                            .map(p => `(${p.index}->${p.index + 1}: "${p.a}" > "${p.b}")`)
+                            .join(', ')
+                    );
                 }
+                assert.strictEqual(unsortedPairs.length, 0, 'Groups should be sorted by displayName');
             });
         }
 
@@ -162,7 +176,7 @@ function runTests(groupSchema, groupSchemaExtensions = [], configuration) {
                 const response = await testAxios.post('/Groups', newGroup);
                 assert.strictEqual(response.status, 400, 'Creating an invalid group should return status code 400');
                 assert.strictEqual(response.data.scimType, "invalidSyntax", 'Error should have scimType set to invalidSyntax');
-                assert.strictEqual(response.data.status, '400', 'Error response status should match HTTP status code');
+                assert.strictEqual(response.data.status, 400, 'Error response status should match HTTP status code');
                 assert.strictEqual(response.data.schemas[0], 'urn:ietf:params:scim:api:messages:2.0:Error', 'Error response should contain the correct error schema');
             });
         }
@@ -250,7 +264,12 @@ function runTests(groupSchema, groupSchemaExtensions = [], configuration) {
                 });
                 assert.strictEqual(patchResponse.status, 200, 'PATCH /Groups/{id} should return status code 200 when assigning a user to a group');
                 assert.strictEqual(patchResponse.data.schemas[0], 'urn:ietf:params:scim:schemas:core:2.0:Group', 'Response should contain the correct schema');
-                assert.ok(patchResponse.data.members.some(member => member.value === user.id), 'User should be assigned to the group');
+                assert.ok(
+                    getResourceAttributeValue(patchResponse.data, 'members').some(
+                        member => String(member.value) === String(user.id)
+                    ),
+                    'User should be assigned to the group'
+                );
             });
         }
 
@@ -274,4 +293,4 @@ function runTests(groupSchema, groupSchemaExtensions = [], configuration) {
     });
 }
 
-export default runTests;
+export default runTests;

src/helpers.js

@@ -156,3 +156,27 @@ export function canonicalize(resource, schema){
 
     return canonicalizedResource;
 }
+
+/**
+ * Retrieve the value of a SCIM attribute that may be present either at the
+ * resource root or under the main schema object (first entry in `schemas`).
+ * Only supports top-level attributes (no nested path parsing).
+ *
+ * @param {object} resource - SCIM resource object
+ * @param {string} attribute - Attribute name to fetch (e.g., 'userName')
+ * @returns {*} The attribute value or undefined if not found
+ */
+export function getResourceAttributeValue(resource, attribute) {
+    if (!resource || !attribute) return undefined;
+
+    if (Object.prototype.hasOwnProperty.call(resource, attribute) && resource[attribute] !== undefined) {
+        return resource[attribute];
+    }
+
+    const mainSchema = Array.isArray(resource.schemas) ? resource.schemas[0] : undefined;
+    if (mainSchema && resource[mainSchema] && Object.prototype.hasOwnProperty.call(resource[mainSchema], attribute)) {
+        return resource[mainSchema][attribute];
+    }
+
+    return undefined;
+}

src/users.js

@@ -1,6 +1,6 @@
 import test, { skip } from 'node:test';
 import assert from 'node:assert';
-import { getAxiosInstance, canonicalize } from './helpers.js';
+import { getAxiosInstance, canonicalize, getResourceAttributeValue } from './helpers.js';
 import Ajv from 'ajv';
 
 const sharedState = {};
@@ -119,9 +119,25 @@ function runTests(userSchema, userSchemaExtensions = [], configuration) {
                 assert.strictEqual(response.status, 200, 'Sort request should return 200 OK');
                 assert.strictEqual(response.data.schemas[0], 'urn:ietf:params:scim:api:messages:2.0:ListResponse', 'Response should use the correct SCIM list response schema');
                 const users = response.data.Resources;
-                for (let i = 1; i < users.length; i++) {
-                    assert.ok(users[i - 1].userName <= users[i].userName, 'Users should be sorted by userName');
+
+                // Build list of out-of-order username pairs for better diagnostics on failure
+                const userNames = users.map(u => getResourceAttributeValue(u, 'userName'));
+                const unsortedPairs = [];
+                for (let i = 1; i < userNames.length; i++) {
+                    if (userNames[i - 1] > userNames[i]) {
+                        unsortedPairs.push({ index: i - 1, a: userNames[i - 1], b: userNames[i] });
+                    }
                 }
+
+                if (unsortedPairs.length > 0) {
+                    t.diagnostic(
+                        `Unsorted userName pairs: ` +
+                        unsortedPairs
+                            .map(p => `(${p.index}->${p.index + 1}: "${p.a}" > "${p.b}")`)
+                            .join(', ')
+                    );
+                }
+                assert.strictEqual(unsortedPairs.length, 0, 'Users should be sorted by userName');
             });
         }
 
@@ -133,7 +149,8 @@ function runTests(userSchema, userSchemaExtensions = [], configuration) {
             assert.strictEqual(response.data.schemas[0], 'urn:ietf:params:scim:api:messages:2.0:ListResponse', 'Response should use the correct SCIM list response schema');
             const users = response.data.Resources;
             users.forEach(user => {
-                assert.ok(user.hasOwnProperty('userName'), 'User should have userName attribute');
+                const value = getResourceAttributeValue(user, 'userName');
+                assert.ok(value !== undefined, 'User should have userName attribute');
             });
         });
 
@@ -146,13 +163,23 @@ function runTests(userSchema, userSchemaExtensions = [], configuration) {
                 return;
             }
 
+            // Normalize for servers that place core attributes under the main schema object
+            if (user.userName === undefined) {
+                const normalizedUserName = getResourceAttributeValue(user, 'userName');
+                if (normalizedUserName !== undefined) {
+                    user.userName = normalizedUserName;
+                }
+            }
+
+            const targetUserName = user.userName;
+
             const filter = `userName eq "${user.userName}"`;
             const response = await testAxios.get(`/Users?filter=${filter}`);
             assert.strictEqual(response.status, 200, 'Filtered users request should return 200 OK');
             assert.strictEqual(response.data.schemas[0], 'urn:ietf:params:scim:api:messages:2.0:ListResponse', 'Response should use the correct SCIM list response schema');
             const users = response.data.Resources;
-            users.forEach(user => {
-                assert.strictEqual(user.userName, user.userName, 'User should have userName equal to "bjensen"');
+            users.forEach(u => {
+                assert.strictEqual(getResourceAttributeValue(u, 'userName'), targetUserName, 'User should have matching userName');
             });
         });