apache / directory-scimple

Apache Directory - SCIMple
Apache License 2.0

Missing validation request #559

Open jaggaer-c-adepasca opened 5 months ago

jaggaer-c-adepasca commented 5 months ago

I'm trying the scim-server-spring-boot example and everything is working fine. But I noticed that the SCIMple library doesn't do any kind of validation on the JSON request provided. For example, if I create a user using the JSON request below, naming the field userName__ instead of userName (by the standard User schema the correct name is userName), I get 201 Created instead of 400 Bad Request. I get the same result if I remove the userName field, although it is mandatory. Why? Is there something I'm not configuring well or that needs to be implemented by me? Please let me know.


    {
        "schemas": [ ... ],
        "externalId": "extId",
        "userName__": "username_1",
        "name": {
            "familyName": "XXX",
            "givenName": "YYY"
        },
        "active": true,
        "emails": [
            {
                "value": "email_3101_1417@gmail.com"
            }
        ],
        "addresses": [
            {
                "country": "US"
            }
        ],
        "phoneNumbers": [
            {
                "value": "+390833186005",
                "type": "work"
            },
            {
                "value": "+32802213916",
                "type": "mobile",
                "primary": false
            }
        ],
        "timezone": "Europe/London",
        //"preferredLanguage": "ita",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
            "organization": "Buyer_guru",
            "division": "Division",
            "department": ""
        }
    }

bdemers commented 2 months ago

Sorry for the delay here. These are good points. IIRC there were some earlier non-compliant SCIM servers (from a large player or two) that were not fully spec compliant; I could be misremembering that though.

Either way, this is something that should be handled in SCIMple.

bdemers commented 3 weeks ago

I've been kicking a few things around in the back of my head related to this for a while. The big one was validation via Jakarta Validation.

There are a few annotations present on some of the resources, but it's minimal. My thought was we should be able to process validations based on the @ScimAttribute annotation.

This is possible, but it's probably overkill... There were a few options:

  1. Mix concerns/implementations, and turn @ScimAttribute into a valid Jakarta validation annotation.

    This added additional fields to the annotation, which I didn't think belonged there; it increased the complexity of that annotation, and I think it makes it more difficult for a user.

  2. Define Validation in XML

    I created an annotation processor that created a constraints XML file that configures the basic @NotNull and @Size(min=1) annotations. Usage-wise, this is probably the cleanest; we could make it just work.

    The downside is, this would be a bunch of code for probably little value: ~1000 loc (with my poorly tested prototype). All that to save us (and any custom extensions) from needing to add a couple of extra annotations.

  3. Add more Jakarta Validation Annotations

    We could add the few missing Jakarta Validation annotations, e.g. anywhere @ScimAttribute(required = true, ...)

The real question I should ask... Does anyone truly need support for Jakarta Validation? If so, how complex does your support need to be?
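
The check this thread asks for, as an added example that is not part of the thread and is not SCIMple code: it rejects a request body that omits a required attribute or carries an attribute name the resource does not declare. `Attr`, `DemoUser` and `validate` are hypothetical names, the request is assumed to be already parsed into a map, and it uses only the JDK (Java 16+) rather than Jakarta Validation.

```java
import java.lang.annotation.*;
import java.lang.reflect.Field;
import java.util.*;

public class RequiredAttributeCheck {

    // Hypothetical stand-in for an attribute annotation with a "required" flag;
    // this is NOT SCIMple's @ScimAttribute.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.FIELD)
    @interface Attr { boolean required() default false; }

    // Constructed resource model holding a few attributes from the request in the report.
    static class DemoUser {
        @Attr(required = true) String userName;
        @Attr String externalId;
        @Attr Boolean active;
        @Attr String timezone;
    }

    // Returns the problems that should turn the request into a 400 response.
    static List<String> validate(Class<?> type, Map<String, Object> body) {
        List<String> errors = new ArrayList<>();
        Set<String> known = new HashSet<>();
        for (Field f : type.getDeclaredFields()) {
            Attr attr = f.getAnnotation(Attr.class);
            if (attr == null) continue;              // not a declared attribute
            known.add(f.getName());
            Object value = body.get(f.getName());
            boolean empty = value == null || (value instanceof String s && s.isEmpty());
            if (attr.required() && empty) errors.add("missing required attribute: " + f.getName());
        }
        for (String key : body.keySet()) {
            if (!known.contains(key)) errors.add("unknown attribute: " + key);
        }
        return errors;
    }

    public static void main(String[] args) {
        // Constructed input: the misnamed key from the report, already parsed into a map.
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("externalId", "extId");
        body.put("userName__", "username_1");
        body.put("active", true);
        List<String> errors = validate(DemoUser.class, body);
        System.out.println(errors.isEmpty() ? "201 Created" : "400 Bad Request " + errors);
    }
}
```

A server applying this would run the check before persisting the resource, so both cases from the report (misnamed `userName__` and a removed `userName`) fail before a 201 is returned.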