scim-server 0.5.3

A comprehensive SCIM 2.0 server library for Rust with multi-tenant support and type-safe operations
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350

//! Core SCIM server structure and initialization.
//!
//! This module contains the main ScimServer struct definition and its
//! constructor logic, representing the fundamental server structure
//! without specific operational concerns.

use crate::error::ScimError;
use crate::provider_capabilities::{
    CapabilityDiscovery, CapabilityIntrospectable, ProviderCapabilities,
};
use crate::providers::ResourceProvider;
use crate::resource::{ResourceHandler, ScimOperation};
use crate::schema::SchemaRegistry;
use crate::schema_discovery::ServiceProviderConfig;
use crate::scim_server::builder::ScimServerConfig;
use std::collections::HashMap;
use std::sync::Arc;

/// Dynamic SCIM server for handling SCIM protocol operations.
///
/// The server coordinates between storage providers and SCIM protocol requirements,
/// handling schema validation, resource lifecycle, and multi-tenant isolation.
/// Resource types are registered at runtime, allowing for flexible configurations.
///
/// # Type Parameters
///
/// * `P` - The resource provider type that implements [`ResourceProvider`]
///
/// # Examples
///
/// ```rust
/// use scim_server::{ScimServer, providers::StandardResourceProvider};
/// use scim_server::storage::InMemoryStorage;
/// use scim_server::resource::ScimOperation;
///
/// # async fn example() -> Result<(), Box<dyn std::error::Error>> {
/// let storage = InMemoryStorage::new();
/// let provider = StandardResourceProvider::new(storage);
/// let mut server = ScimServer::new(provider)?;
///
/// // Register resource types dynamically
/// // server.register_resource_type("User", handler, vec![ScimOperation::Create])?;
/// # Ok(())
/// # }
/// ```
pub struct ScimServer<P> {
    pub(super) provider: P,
    pub(super) schema_registry: SchemaRegistry,
    pub(super) resource_handlers: HashMap<String, Arc<ResourceHandler>>, // resource_type -> handler
    pub(super) supported_operations: HashMap<String, Vec<ScimOperation>>, // resource_type -> supported ops
    pub(super) config: ScimServerConfig,
}

impl<P: ResourceProvider> ScimServer<P> {
    /// Creates a new SCIM server with the given resource provider.
    ///
    /// Initializes the server with a schema registry containing standard SCIM schemas
    /// and default configuration (single tenant, localhost base URL).
    /// Resource types must be registered separately using [`register_resource_type`].
    ///
    /// # Arguments
    ///
    /// * `provider` - The resource provider for storage operations
    ///
    /// # Errors
    ///
    /// Returns [`ScimError::Internal`] if the schema registry cannot be initialized.
    ///
    /// [`register_resource_type`]: Self::register_resource_type
    pub fn new(provider: P) -> Result<Self, ScimError> {
        Self::with_config(provider, ScimServerConfig::default())
    }

    /// Creates a new SCIM server with the given resource provider and configuration.
    ///
    /// This is the primary constructor used by the builder pattern, but can also
    /// be used directly for more advanced configuration scenarios.
    ///
    /// # Arguments
    ///
    /// * `provider` - The resource provider for storage operations
    /// * `config` - Server configuration for URL generation and tenant handling
    ///
    /// # Errors
    ///
    /// Returns [`ScimError::Internal`] if the schema registry cannot be initialized.
    pub fn with_config(provider: P, config: ScimServerConfig) -> Result<Self, ScimError> {
        let schema_registry = SchemaRegistry::new()
            .map_err(|e| ScimError::internal(format!("Failed to create schema registry: {}", e)))?;

        Ok(Self {
            provider,
            schema_registry,
            resource_handlers: HashMap::new(),
            supported_operations: HashMap::new(),
            config,
        })
    }

    /// Automatically discover provider capabilities from current server configuration
    ///
    /// This method introspects the registered resource types, schemas, and provider
    /// implementation to determine what capabilities are currently supported.
    pub fn discover_capabilities(&self) -> Result<ProviderCapabilities, ScimError> {
        CapabilityDiscovery::discover_capabilities(
            &self.schema_registry,
            &self.resource_handlers,
            &self.supported_operations,
            &self.provider,
        )
    }

    /// Discover capabilities with provider introspection
    ///
    /// This version works with providers that implement CapabilityIntrospectable
    /// to get provider-specific capability information like bulk limits and
    /// authentication schemes.
    pub fn discover_capabilities_with_introspection(
        &self,
    ) -> Result<ProviderCapabilities, ScimError>
    where
        P: CapabilityIntrospectable,
    {
        CapabilityDiscovery::discover_capabilities_with_introspection(
            &self.schema_registry,
            &self.resource_handlers,
            &self.supported_operations,
            &self.provider,
        )
    }

    /// Generate SCIM ServiceProviderConfig from discovered capabilities
    ///
    /// This automatically creates an RFC 7644 compliant ServiceProviderConfig
    /// that accurately reflects the current server capabilities.
    pub fn get_service_provider_config(&self) -> Result<ServiceProviderConfig, ScimError> {
        let capabilities = self.discover_capabilities()?;
        Ok(CapabilityDiscovery::generate_service_provider_config(
            &capabilities,
        ))
    }

    /// Generate ServiceProviderConfig with provider introspection
    ///
    /// This version works with providers that implement CapabilityIntrospectable
    /// for more detailed capability information.
    pub fn get_service_provider_config_with_introspection(
        &self,
    ) -> Result<ServiceProviderConfig, ScimError>
    where
        P: CapabilityIntrospectable,
    {
        let capabilities = self.discover_capabilities_with_introspection()?;
        Ok(CapabilityDiscovery::generate_service_provider_config(
            &capabilities,
        ))
    }

    /// Check if a specific operation is supported for a resource type
    pub fn supports_operation(&self, resource_type: &str, operation: &ScimOperation) -> bool {
        self.supported_operations
            .get(resource_type)
            .map(|ops| ops.contains(operation))
            .unwrap_or(false)
    }

    /// Get a reference to the underlying provider.
    ///
    /// This allows access to provider-specific functionality like conditional operations.
    pub fn provider(&self) -> &P {
        &self.provider
    }

    /// Get a reference to the server configuration.
    ///
    /// This allows access to URL generation and tenant handling configuration.
    pub fn config(&self) -> &ScimServerConfig {
        &self.config
    }

    /// Generate a $ref URL for a resource.
    ///
    /// Combines server configuration with tenant and resource information
    /// to create properly formatted SCIM $ref URLs.
    ///
    /// # Arguments
    ///
    /// * `tenant_id` - Optional tenant identifier from request context
    /// * `resource_type` - SCIM resource type (e.g., "Users", "Groups")
    /// * `resource_id` - Unique identifier of the resource
    ///
    /// # Returns
    ///
    /// A complete $ref URL following SCIM 2.0 specification
    ///
    /// # Errors
    ///
    /// Returns an error if tenant information is required but missing
    pub fn generate_ref_url(
        &self,
        tenant_id: Option<&str>,
        resource_type: &str,
        resource_id: &str,
    ) -> Result<String, ScimError> {
        self.config
            .generate_ref_url(tenant_id, resource_type, resource_id)
    }

    /// Inject $ref fields into resource JSON for SCIM compliance.
    ///
    /// This method post-processes resource JSON to add proper $ref fields
    /// to Group.members and User.groups arrays based on server configuration
    /// and tenant context.
    ///
    /// # Arguments
    ///
    /// * `resource_json` - Mutable JSON object representing the resource
    /// * `tenant_id` - Optional tenant identifier from request context
    ///
    /// # Errors
    ///
    /// Returns an error if $ref URL generation fails due to missing tenant information
    pub fn inject_ref_fields(
        &self,
        resource_json: &mut serde_json::Value,
        tenant_id: Option<&str>,
    ) -> Result<(), ScimError> {
        // Handle Group.members array
        if let Some(members_array) = resource_json.get_mut("members") {
            if let Some(members) = members_array.as_array_mut() {
                for member in members {
                    if let Some(member_obj) = member.as_object_mut() {
                        if let (Some(member_id), Some(member_type)) = (
                            member_obj.get("value").and_then(|v| v.as_str()),
                            member_obj.get("type").and_then(|v| v.as_str()),
                        ) {
                            // Determine resource type for $ref URL
                            let resource_type = match member_type {
                                "User" => "Users",
                                "Group" => "Groups",
                                _ => member_type, // Use as-is for unknown types
                            };

                            let ref_url =
                                self.generate_ref_url(tenant_id, resource_type, member_id)?;
                            member_obj
                                .insert("$ref".to_string(), serde_json::Value::String(ref_url));
                        }
                    }
                }
            }
        }

        // Handle User.groups array
        if let Some(groups_array) = resource_json.get_mut("groups") {
            if let Some(groups) = groups_array.as_array_mut() {
                for group in groups {
                    if let Some(group_obj) = group.as_object_mut() {
                        if let Some(group_id) = group_obj.get("value").and_then(|v| v.as_str()) {
                            let ref_url = self.generate_ref_url(tenant_id, "Groups", group_id)?;
                            group_obj
                                .insert("$ref".to_string(), serde_json::Value::String(ref_url));
                        }
                    }
                }
            }
        }

        Ok(())
    }

    /// Inject proper location field into resource metadata based on server configuration.
    ///
    /// This method updates the meta.location field to use the server's configured
    /// base URL instead of any hardcoded URLs that may have been set during
    /// resource creation by the provider.
    ///
    /// # Arguments
    ///
    /// * `resource_json` - Mutable JSON object representing the resource
    /// * `tenant_id` - Optional tenant identifier from request context
    ///
    /// # Errors
    ///
    /// Returns an error if location URL generation fails due to missing tenant information
    pub fn inject_location_field(
        &self,
        resource_json: &mut serde_json::Value,
        tenant_id: Option<&str>,
    ) -> Result<(), ScimError> {
        // Extract resource_id first to avoid borrowing conflicts
        let resource_id = resource_json
            .get("id")
            .and_then(|id| id.as_str())
            .map(|s| s.to_string());

        if let Some(meta_obj) = resource_json
            .get_mut("meta")
            .and_then(|m| m.as_object_mut())
        {
            if let (Some(resource_type), Some(resource_id)) = (
                meta_obj.get("resourceType").and_then(|rt| rt.as_str()),
                resource_id.as_deref(),
            ) {
                // Generate proper location URL using server configuration
                let resource_type_plural = match resource_type {
                    "User" => "Users",
                    "Group" => "Groups",
                    _ => resource_type, // Use as-is for unknown types
                };

                let location_url =
                    self.generate_ref_url(tenant_id, resource_type_plural, resource_id)?;
                meta_obj.insert(
                    "location".to_string(),
                    serde_json::Value::String(location_url),
                );
            }
        }
        Ok(())
    }

    /// Serialize a resource with proper $ref fields and location URL injected.
    ///
    /// This method combines `Resource::to_json()` with $ref field injection and
    /// location URL correction to ensure SCIM 2.0 compliance for resource references
    /// and proper server configuration usage.
    ///
    /// # Arguments
    ///
    /// * `resource` - The resource to serialize
    /// * `tenant_id` - Optional tenant identifier from request context
    ///
    /// # Returns
    ///
    /// JSON representation of the resource with proper $ref fields and location URL
    pub fn serialize_resource_with_refs(
        &self,
        resource: &crate::resource::Resource,
        tenant_id: Option<&str>,
    ) -> Result<serde_json::Value, ScimError> {
        let mut json = resource
            .to_json()
            .map_err(|e| ScimError::internal(format!("Failed to serialize resource: {}", e)))?;

        self.inject_ref_fields(&mut json, tenant_id)?;
        self.inject_location_field(&mut json, tenant_id)?;
        Ok(json)
    }
}