scimgateway 4.0.0 → 4.0.1

package/.travis.yml

@@ -1,7 +1,7 @@
 language: node_js
 
 node_js:
-  - "8"
+  - "10"
 
 sudo: false
 

package/README.md

@@ -38,8 +38,6 @@ Using Identity Manager, we could setup one or more endpoints of type SCIM pointi
 
 ![](https://jelhub.github.io/images/ScimGateway.svg)
 
-Instead of using IM-SDK for building our own integration for none supported endpoints, we can now build new integration based on SCIM Gateway plugins. SCIM Gateway works with IM as long as IM supports SCIM.
-
 SCIM Gateway is based on the popular asynchronous event driven framework [Node.js](https://nodejs.dev/) using JavaScript. It is firewall friendly using REST webservices. Runs on almost all operating systems, and may load balance between hosts (horizontal) and cpu's (vertical). Could even be uploaded and run as a cloud application.
 
 **Following example plugins are included:**
@@ -56,12 +54,15 @@ Example of a fully functional SCIM Gateway plugin
 Same as plugin "Loki" but using MongoDB  
 Shows how to implement a highly configurable multi tenant or multi endpoint solution through `baseEntity` in URL
 
-* **RESTful** (REST Webservice)  
-Demonstrates user provisioning towards REST-Based endpoint   
-Using plugin "Loki" as a REST endpoint
+* **SCIM** (REST Webservice)  
+Demonstrates user provisioning towards a SCIM endpoint using REST   
+Using plugin "Loki" as SCIM endpoint  
+Can be used as SCIM version-gateway e.g. 1.1=>2.0 or 2.0=>1.1  
+Can be used to chain several SCIM Gateway's  
+
 
 * **Forwardinc** (SOAP Webservice)  
-Demonstrates user provisioning towards SOAP-Based endpoint   
+Demonstrates provisioning towards SOAP-Based endpoint   
 Using endpoint Forwardinc that comes with Broadcom/CA IM SDK (SDKWS) - [wiki.ca.com](https://docops.ca.com/ca-identity-manager/12-6-8/EN/programming/connector-programming-reference/sdk-sample-connectors/sdkws-sdk-web-services-connector/sdkws-sample-connector-build-requirements "wiki.ca.com")    
 Shows how to implement a highly configurable multi tenant or multi endpoint solution through `baseEntity` in URL  
 
@@ -137,7 +138,7 @@ If internet connection is blocked, we could install on another machine and copy
 
     http://localhost:8880/Groups?filter=displayName eq "Admins"&excludedAttributes=members
     http://localhost:8880/Users?filter=userName eq "bjensen"&attributes=userName,id,name.givenName
-    http://localhost:8880/Users?filter=meta.created gte "2010-01-01T00:00:00Z"&attributes=userName,name.familyName,meta.created
+    http://localhost:8880/Users?filter=meta.created ge "2010-01-01T00:00:00Z"&attributes=userName,name.familyName,meta.created
     http://localhost:8880/Users?filter=emails.value co "@example.com"&attributes=userName,name.familyName,emails&sortBy=name.familyName&sortOrder=descending
     => Filtering examples
 
@@ -173,6 +174,10 @@ Note, always backup/copy C:\\my-scimgateway before upgrading. Custom plugins and
 
 To force a major upgrade (version x.\*.\* => y.\*.\*) that will brake compability with any existing custom plugins, we have to include the `@latest` suffix in the install command: `npm install scimgateway@latest`
 
+##### Avoid (re-)adding the files created during `postinstall`
+
+When maintaining a set of modifications it useful to disable the postinstall operations to keep your changes intact by setting the property `scimgateway_postinstall_skip = true` in `.npmrc` or by setting environment `SCIMGATEWAY_POSTINSTALL_SKIP = true`  
+
 ## Configuration  
 
 **index.js** defines one or more plugins to be started. We could comment out those we do not need. Default configuration only starts the loki plugin.  
@@ -385,6 +390,7 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 - Setting environment variable `SEED` will override default password seeding logic.  
 - All configuration can be set based on environment variables. Syntax will then be `"process.env.<ENVIRONMENT>"` where `<ENVIRONMENT>` is the environment variable used. E.g. scimgateway.port could have value "process.env.PORT", then using environment variable PORT.
 - All configuration can be set based on corresponding JSON-content (dot notation) in external file using plugin name as parent JSON object. Syntax will then be `"process.file.<path>"` where `<path>` is the file used. E.g. endpoint.password could have value "process.file./var/run/vault/secrets.json"  
+- Indivudual Secrets can be contained in plain text files. Syntax will then be `"process.text.<path>"` where `<path>` is the file which contains raw (`UTF-8`) character value. E.g. endpoint.password could have value "process.text./var/run/vault/endpoint.password". This enables that the config file itself be loaded from a ConfigMap while specific values are mounted either from `secrets.json` style files as mentioned above OR from traditional secrets files mounted in the file system, one value per file.
 
 	Example:  
 
@@ -404,6 +410,11 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 		        },
 		        ...
 		      ],
+		      "bearerJwt": [
+		         "secret": "process.text./var/run/vault/jwt.secret",
+		         "publicKey": "process.text./var/run/vault/jwt.pub",
+				 ...
+			  ],
 		      ...
 		    },
 		  "endpoint": {
@@ -1117,6 +1128,25 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v4.0.1  
+[Added] 
+
+- create user/group supporting externalId
+- plugin-restful renamed to plugin-scim
+- plugin-ldap having improved SID/GUID support for Active Directory, also supporting domain map of userPrincipalName e.g. Azure AD => Active Directory
+        
+        "userPrincipalName": {
+           "mapTo": "userName",
+           "type": "string",
+	       "mapDomain": {
+	         "inbound": "test.onmicrosoft.com",
+	         "outbound": "my-company.com"
+        }
+
+- postinstall copying example plugins may be skipped by setting the property `scimgateway_postinstall_skip = true` in `.npmrc` or by setting environment `SCIMGATEWAY_POSTINSTALL_SKIP = true`
+- Secrets now also support key-value storage. The key defined in plugin configuration have syntax `process.text.<path>` where `<path>` is the file which contains raw (UTF-8) character value. E.g. configuration `endpoint.password` could have value `process.text./var/run/vault/endpoint.password`, and the corresponding file contains the secret. **Thanks to Raymond Augé**
+
+
 ### v4.0.0  
 **[MAJOR]**  
  

package/index.js

@@ -11,7 +11,7 @@
 
 const loki = require('./lib/plugin-loki')
 // const mongodb = require('./lib/plugin-mongodb')
-// const restful = require('./lib/plugin-restful')
+// const scim = require('./lib/plugin-scim')
 // const forwardinc = require('./lib/plugin-forwardinc')
 // const mssql = require('./lib/plugin-mssql')
 // const saphana = require('./lib/plugin-saphana')  // prereq: npm install hdb --save

package/lib/plugin-ldap.js

@@ -5,9 +5,24 @@
 //
 // Purpose: General ldap plugin having plugin-ldap.json configured for Active Directory.
 //          Using endpointMapper for attribute flexibility. Includes some special logic
-//          for Active Directory specific attributes like userAccountControl, unicodePW
-//          and objectGUID. objectGUID can also be used as id instead of dn
-//          by replacing config.map.user.dn with config.map.user.objectGUID
+//          for Active Directory attributes like userAccountControl, unicodePW
+//          and objectSid/objectGUID. objectSid/objectGUID can be used in mapper configuration.
+//          e.g: replacing config.map.user.dn and config.map.group.dn with
+//          config.map.user.objectSid or config.map.user.objectGUID e.g:
+//
+//          "objectSid": {
+//            "mapTo": "id",
+//            "type": "string"
+//           },
+//           "objectGUID": {
+//             "mapTo": "userName",
+//             "type": "string"
+//            },
+//            "userPrincipalName": {
+//              "mapTo": "externalId",
+//              "type": "string"
+//             }
+//
 //
 // Attributes according to map definition in the configuration file plugin-ldap.json:
 //
@@ -67,6 +82,37 @@ config = scimgateway.processExtConfig(pluginName, config) // add any external co
 
 const _serviceClient = {}
 
+if (!config.map || !config.map.user) {
+  scimgateway.logger.error(`${pluginName} map.user configuration is mandatory`)
+  process.exit(1)
+}
+
+config.useSID_id = config.map.user.objectSid && config.map.user.objectSid.mapTo === 'id' // AD proprietary SID/GUID
+config.useGUID_id = config.map.user.objectGUID && config.map.user.objectGUID.mapTo === 'id'
+if (config.useSID_id && config.map.group) {
+  if (!config.map.group.objectSid || config.map.group.objectSid.mapTo !== 'id') {
+    scimgateway.logger.error(`${pluginName} missing configuration group.objectSid - user and group should be using the same attribute`)
+    process.exit(1)
+  }
+} else if (config.useGUID_id && config.map.group) {
+  if (!config.map.group.objectGUID || config.map.group.objectGUID.mapTo !== 'id') {
+    scimgateway.logger.error(`${pluginName} missing configuration group.objectGUID - user and group should be using the same attribute`)
+    process.exit(1)
+  }
+}
+if (config.map.user.userPrincipalName && config.map.user.userPrincipalName.mapDomain) { // support mapping different inbound/outbound upn domain names
+  if (config.map.user.userPrincipalName.mapDomain.inbound && config.map.user.userPrincipalName.mapDomain.outbound) {
+    let inbound = config.map.user.userPrincipalName.mapDomain.inbound
+    let outbound = config.map.user.userPrincipalName.mapDomain.outbound
+    inbound = inbound.startsWith('@') ? inbound : '@' + inbound
+    outbound = outbound.startsWith('@') ? outbound : '@' + outbound
+    config.upnMapDomain = {
+      inbound: inbound, // "test.onmicrosoft.com
+      outbound: outbound // "my-company.com"
+    }
+  }
+}
+
 // =================================================
 // getUsers
 // =================================================
@@ -110,19 +156,40 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes) => {
   if (getObj.operator) {
     if (getObj.operator === 'eq' && ['id', 'userName', 'externalId'].includes(getObj.attribute)) {
       // mandatory - unique filtering - single unique user to be returned - correspond to getUser() in versions < 4.x.x
-      if (getObj.attribute === 'id') { // using dn or objectGUID (Active Directory) lookup instead of search
-        if (config.map.user.objectGUID && config.map.user.objectGUID.mapTo === 'id') base = `<GUID=${getObj.value}>` // '<GUID=b3975b675d3a21498b4e511e1a8ccb9e>'
-        else base = getObj.value
+      if (getObj.attribute === 'id') { // lookup using dn or objectSid/objectGUID (Active Directory)
+        if (config.useSID_id) {
+          const sid = convertStringToSid(getObj.value) // sid using formatted string instead of default hex
+          if (!sid) throw new Error(`${action} error: ${getObj.attribute}=${getObj.value} - attribute having a none valid SID string`)
+          base = `<SID=${sid}>`
+        } else if (config.useGUID_id) {
+          const guid = Buffer.from(getObj.value, 'base64').toString('hex')
+          base = `<GUID=${guid}>` // '<GUID=b3975b675d3a21498b4e511e1a8ccb9e>'
+        } else base = getObj.value
         ldapOptions = {
           attributes: attrs
         }
       } else {
         const [userIdAttr, err] = scimgateway.endpointMapper('outbound', getObj.attribute, config.map.user) // e.g. 'userName' => 'sAMAccountName'
         if (err) throw new Error(`${action} error: ${err.message}`)
-        ldapOptions = {
-          filter: `&${getObjClassFilter(baseEntity, 'user')}(${userIdAttr}=${getObj.value})`, // &(objectClass=user)(objectClass=person)(objectClass=organizationalPerson)(objectClass=top)(sAMAccountName=bjensen)
-          scope: scope,
-          attributes: attrs
+        if (userIdAttr === 'objectSid') {
+          const sid = convertStringToSid(getObj.value)
+          if (!sid) throw new Error(`${action} error: ${getObj.attribute}=${getObj.value} - attribute having a none valid SID string`)
+          base = `<SID=${sid}>`
+          ldapOptions = {
+            attributes: attrs
+          }
+        } else if (userIdAttr === 'objectGUID') {
+          const guid = Buffer.from(getObj.value, 'base64').toString('hex')
+          base = `<GUID=${guid}>`
+          ldapOptions = {
+            attributes: attrs
+          }
+        } else { // search instead of lookup
+          ldapOptions = {
+            filter: `&${getObjClassFilter(baseEntity, 'user')}(${userIdAttr}=${getObj.value})`, // &(objectClass=user)(objectClass=person)(objectClass=organizationalPerson)(objectClass=top)(sAMAccountName=bjensen)
+            scope: scope,
+            attributes: attrs
+          }
         }
       }
     } else if (getObj.operator === 'eq' && getObj.attribute === 'group.value') {
@@ -163,20 +230,20 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes) => {
 
       if (user.memberOf) {
         if (!config.map.group) user.memberOf = [] // empty any values
-        else if (config.map.group.objectGUID && config.map.group.objectGUID.mapTo === 'id') { // Active Directory using objectGUID - convert memberOf having dn values to objectGUID
+        else if (config.useSID_id || config.useGUID_id) { // Active Directory - convert memberOf having dn values to objectSid/objectGUID
           const arr = []
           try {
             if (Array.isArray(user.memberOf)) {
               for (let i = 0; i < user.memberOf.length; i++) {
-                const guid = await dnToGuid(baseEntity, user.memberOf[i])
-                if (!guid) throw new Error(`dnToGuid did not return any objectGUID value for dn=${user.memberOf[i]}`)
-                arr.push(guid)
+                const id = await dnToSidGuid(baseEntity, user.memberOf[i])
+                if (!id) throw new Error(`dnToGuid did not return any objectGUID value for dn=${user.memberOf[i]}`)
+                arr.push(id)
               }
               user.memberOf = arr
             } else {
-              const guid = await dnToGuid(baseEntity, user.memberOf)
-              if (!guid) throw new Error(`dnToGuid did not return any objectGUID value for dn=${user.memberOf}`)
-              user.memberOf = [guid]
+              const id = await dnToSidGuid(baseEntity, user.memberOf)
+              if (!id) throw new Error(`dnToGuid did not return any objectGUID value for dn=${user.memberOf}`)
+              user.memberOf = [id]
             }
           } catch (err) {
             throw new Error(err.message)
@@ -258,8 +325,14 @@ scimgateway.deleteUser = async (baseEntity, id) => {
 
   const method = 'del'
   let base
-  if (config.map.user.objectGUID && config.map.user.objectGUID.mapTo === 'id') base = `<GUID=${id}>` // AD objectGUID
-  else base = id // dn
+  if (config.useSID_id) {
+    const sid = convertStringToSid(id)
+    if (!sid) throw new Error(`${action} error: id=${id} - attribute having a none valid SID string`)
+    base = `<SID=${sid}>`
+  } else if (config.useGUID_id) {
+    const guid = Buffer.from(id, 'base64').toString('hex')
+    base = `<GUID=${guid}>`
+  } else base = id // dn
   const ldapOptions = {}
 
   try {
@@ -300,8 +373,14 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj) => {
 
     const method = 'modify'
     let base
-    if (config.map.user.objectGUID && config.map.user.objectGUID.mapTo === 'id') base = `<GUID=${id}>` // AD objectGUID
-    else base = id // dn
+    if (config.useSID_id) {
+      const sid = convertStringToSid(id)
+      if (!sid) throw new Error(`${action} error: id=${id} - attribute having a none valid SID string`)
+      base = `<SID=${sid}>`
+    } else if (config.useGUID_id) {
+      const guid = Buffer.from(id, 'base64').toString('hex')
+      base = `<GUID=${guid}>`
+    } else base = id // dn
 
     try {
       if (body.add[groupsAttr].length > 0) {
@@ -336,8 +415,14 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj) => {
     const activeAttr = 'userAccountControl'
     const method = 'search'
     let base
-    if (config.map.user.objectGUID && config.map.user.objectGUID.mapTo === 'id') base = `<GUID=${id}>` // AD objectGUID
-    else base = id // dn
+    if (config.useSID_id) {
+      const sid = convertStringToSid(id)
+      if (!sid) throw new Error(`${action} error: id=${id} - attribute having a none valid SID string`)
+      base = `<SID=${sid}>`
+    } else if (config.useGUID_id) {
+      const guid = Buffer.from(id, 'base64').toString('hex')
+      base = `<GUID=${guid}>`
+    } else base = id // dn
     const ldapOptions = {
       attributes: activeAttr
     }
@@ -366,8 +451,14 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj) => {
 
   const method = 'modify'
   let base
-  if (config.map.user.objectGUID && config.map.user.objectGUID.mapTo === 'id') base = `<GUID=${id}>` // AD objectGUID
-  else base = id // dn
+  if (config.useSID_id) {
+    const sid = convertStringToSid(id)
+    if (!sid) throw new Error(`${action} error: id=${id} - attribute having a none valid SID string`)
+    base = `<SID=${sid}>`
+  } else if (config.useGUID_id) {
+    const guid = Buffer.from(id, 'base64').toString('hex')
+    base = `<GUID=${guid}>`
+  } else base = id // dn
   const ldapOptions = {
     operation: 'replace',
     modification: endpointObj
@@ -433,19 +524,40 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes) => {
   if (getObj.operator) {
     if (getObj.operator === 'eq' && ['id', 'displayName', 'externalId'].includes(getObj.attribute)) {
     // mandatory - unique filtering - single unique user to be returned - correspond to getUser() in versions < 4.x.x
-      if (getObj.attribute === 'id') { // using dn or objectGUID (Active Directory) lookup instead of search
-        if (config.map.group.objectGUID && config.map.group.objectGUID.mapTo === 'id') base = `<GUID=${getObj.value}>` // '<GUID=b3975b675d3a21498b4e511e1a8ccb9e>'
-        else base = getObj.value
+      if (getObj.attribute === 'id') { // lookup using dn or objectSid/objectGUID (Active Directory)
+        if (config.useSID_id) {
+          const sid = convertStringToSid(getObj.value) // sid using formatted string instead of default hex
+          if (!sid) throw new Error(`${action} error: ${getObj.attribute}=${getObj.value} - attribute having a none valid SID string`)
+          base = `<SID=${sid}>`
+        } else if (config.useGUID_id) {
+          const guid = Buffer.from(getObj.value, 'base64').toString('hex')
+          base = `<GUID=${guid}>`
+        } else base = getObj.value
         ldapOptions = {
           attributes: attrs
         }
       } else {
         const [groupIdAttr, err] = scimgateway.endpointMapper('outbound', getObj.attribute, config.map.group)
         if (err) throw new Error(`${action} error: ${err.message}`)
-        ldapOptions = {
-          filter: `&${getObjClassFilter(baseEntity, 'group')}(${groupIdAttr}=${getObj.value})`, // &(objectClass=group)(cn=Group1)
-          scope: scope,
-          attributes: attrs
+        if (groupIdAttr === 'objectSid') {
+          const sid = convertStringToSid(getObj.value)
+          if (!sid) throw new Error(`${action} error: ${getObj.attribute}=${getObj.value} - attribute having a none valid SID string`)
+          base = `<SID=${sid}>`
+          ldapOptions = {
+            attributes: attrs
+          }
+        } else if (groupIdAttr === 'objectGUID') {
+          const guid = Buffer.from(getObj.value, 'base64').toString('hex')
+          base = `<GUID=${guid}>`
+          ldapOptions = {
+            attributes: attrs
+          }
+        } else { // search instead of lookup
+          ldapOptions = {
+            filter: `&${getObjClassFilter(baseEntity, 'group')}(${groupIdAttr}=${getObj.value})`, // &(objectClass=group)(cn=Group1)
+            scope: scope,
+            attributes: attrs
+          }
         }
       }
     } else if (getObj.operator === 'eq' && getObj.attribute === 'members.value') {
@@ -476,20 +588,20 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes) => {
     else {
       const groups = await doRequest(baseEntity, method, base, ldapOptions)
       result.Resources = await Promise.all(groups.map(async (group) => { // Promise.all because of async map
-        if (config.map.user.objectGUID && config.map.user.objectGUID.mapTo === 'id') {
+        if (config.useSID_id || config.useGUID_id) {
           if (group.member) {
             const arr = []
             if (Array.isArray(group.member)) {
               for (let i = 0; i < group.member.length; i++) {
-                const guid = await dnToGuid(baseEntity, group.member[i])
-                if (!guid) throw new Error(`dnToGuid did not return any objectGUID value for dn=${group.member[i]}`)
-                arr.push(guid)
+                const id = await dnToSidGuid(baseEntity, group.member[i])
+                if (!id) throw new Error(`dnToSidGuid() did not return any ${config.useSID_id ? 'objectSid' : 'objectGUID'} value for dn=${group.member[i]}`)
+                arr.push(id)
               }
               group.member = arr
             } else {
-              const guid = await dnToGuid(baseEntity, group.member)
-              if (!guid) throw new Error(`dnToGuid did not return any objectGUID value for dn=${group.member}`)
-              group.member = [guid]
+              const id = await dnToSidGuid(baseEntity, group.member)
+              if (!id) throw new Error(`dnToSidGuid() did not return any ${config.useSID_id ? 'objectSid' : 'objectGUID'} value for ${group.member}`)
+              group.member = [id]
             }
           }
         }
@@ -544,8 +656,14 @@ scimgateway.deleteGroup = async (baseEntity, id) => {
   if (!config.map.group) throw new Error(`${action} error: missing configuration endpoint.map.group`)
   const method = 'del'
   let base
-  if (config.map.group.objectGUID && config.map.group.objectGUID.mapTo === 'id') base = `<GUID=${id}>` // AD objectGUID
-  else base = id // dn
+  if (config.useSID_id) {
+    const sid = convertStringToSid(id)
+    if (!sid) throw new Error(`${action} error: id=${id} - attribute having a none valid SID string`)
+    base = `<SID=${sid}>`
+  } else if (config.useGUID_id) {
+    const guid = Buffer.from(id, 'base64').toString('hex')
+    base = `<GUID=${guid}>`
+  } else base = id // dn
   const ldapOptions = {}
 
   try {
@@ -580,9 +698,9 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj) => {
 
   for (let i = 0; i < attrObj.members.length; i++) {
     const el = attrObj.members[i]
-    if (config.map.user.objectGUID && config.map.user.objectGUID.mapTo === 'id') {
-      const dn = await guidToDn(baseEntity, el.value)
-      if (!dn) throw new Error(`${action} error: dnToGuid did not return any objectGUID value for dn=${el.value}`)
+    if (config.useSID_id || config.useGUID_id) {
+      const dn = await sidGuidToDn(baseEntity, el.value)
+      if (!dn) throw new Error(`${action} error: sidGuidToDn() did not return any objectGUID value for dn=${el.value}`)
       el.value = dn
     }
     if (el.operation && el.operation === 'delete') { // delete member from group
@@ -594,7 +712,8 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj) => {
 
   const method = 'modify'
   let base
-  if (config.map.group.objectGUID && config.map.group.objectGUID.mapTo === 'id') base = `<GUID=${id}>` // AD objectGUID
+  if (config.useSID_id) base = `<SID=${id}>`
+  else if (config.useGUID_id) base = `<GUID=${id}>`
   else base = id // dn
 
   try {
@@ -643,20 +762,23 @@ const getObjClassFilter = (baseEntity, type) => {
 }
 
 //
-// dnToGuid is used for Active Directory to return objectGUID based on dn
+// dnToSidGuid is used for Active Directory to return objectGUID based on dn
 //
-const dnToGuid = async (baseEntity, dn) => {
+const dnToSidGuid = async (baseEntity, dn) => {
   const method = 'search'
-  const ldapOptions = {
-    attributes: ['objectGUID']
-  }
+  const ldapOptions = {}
+  if (config.useSID_id) ldapOptions.attributes = ['objectSid']
+  else if (config.useGUID_id) ldapOptions.attributes = ['objectGUID']
+  else throw new Error('dnToSidGuid() invalid call, configuration not using objectSid or objectGUID')
+
   try {
     const base = dn
     const objects = await doRequest(baseEntity, method, base, ldapOptions)
     if (objects.length !== 1) throw new Error(`did not find unique object having dn=${base}`)
-    return objects[0].objectGUID
+    if (config.useSID_id) return objects[0].objectSid
+    else return objects[0].objectGUID
   } catch (err) {
-    const newErr = err
+    const newErr = new Error(`dnToSidGuid() ${err.message}`)
     throw newErr
   }
 }
@@ -664,41 +786,127 @@ const dnToGuid = async (baseEntity, dn) => {
 //
 // guidToDn is used for Active Directory to return dn based on objectGUID
 //
-const guidToDn = async (baseEntity, guid) => {
+const sidGuidToDn = async (baseEntity, id) => {
   const method = 'search'
   const ldapOptions = {
     attributes: ['dn']
   }
   try {
-    const base = `<GUID=${guid}>`
+    let base
+    if (config.useSID_id) {
+      const sid = convertStringToSid(id)
+      if (!sid) throw new Error(`sidGuidToDn() error: id=${id} - attribute having a none valid SID string`)
+      base = `<SID=${sid}>`
+    } else if (config.useGUID_id) {
+      const guid = Buffer.from(id, 'base64').toString('hex')
+      base = `<GUID=${guid}>`
+    } else throw new Error('invalid call to sidGuidToDn(), configuration not using objectSid or objectGUID')
     const objects = await doRequest(baseEntity, method, base, ldapOptions)
-    if (objects.length !== 1) throw new Error(`did not find unique object having objectGUID=${base}`)
+    if (objects.length !== 1) throw new Error(`did not find unique object having ${config.useSID_id ? 'objectSid' : 'objectGUID'} =${id}`)
     return objects[0].dn
   } catch (err) {
-    const newErr = err
+    const newErr = new Error(`sidGuidToDN() ${err.message}`)
     throw newErr
   }
 }
 
+//
+// convertSidToString converts hex encoded object SID to a string
+// e.g.
+// input: 0105000000000005150000002ec85f9ed78d59fa176c9e9c7a040000
+// output: S-1-5-21-2657077294-4200173015-2627628055-1146
+// ref: https://gist.github.com/Krizzzn/0ae47f280cca9749c67759a9adedc015
+//
+const pad = function (s) { if (s.length < 2) { return `0${s}` } else { return s } }
+const convertSidToString = (buf) => {
+  let asc, end
+  let i
+  if (buf == null) { return null }
+  const version = buf[0]
+  const subAuthorityCount = buf[1]
+  const identifierAuthority = parseInt(((() => {
+    const result = []
+    for (i = 2; i <= 7; i++) {
+      result.push(buf[i].toString(16))
+    }
+    return result
+  })()).join(''), 16)
+  let sidString = `S-${version}-${identifierAuthority}`
+  try {
+    for (i = 0, end = subAuthorityCount - 1, asc = end >= 0; asc ? i <= end : i >= end; asc ? i++ : i--) {
+      const subAuthOffset = i * 4
+      const tmp =
+      pad(buf[11 + subAuthOffset].toString(16)) +
+      pad(buf[10 + subAuthOffset].toString(16)) +
+      pad(buf[9 + subAuthOffset].toString(16)) +
+      pad(buf[8 + subAuthOffset].toString(16))
+      sidString += `-${parseInt(tmp, 16)}`
+    }
+  } catch (err) {
+    return null
+  }
+  return sidString
+}
+
+//
+// convertStringToSid converts SID string to hex encoded object SID
+// e.g.
+// input: S-1-5-21-2127521184-1604012920-1887927527-72713
+// output: 010500000000000515000000a065cf7e784b9b5fe77c8770091c0100
+// ref: https://devblogs.microsoft.com/oldnewthing/20040315-00/?p=40253
+//
+const convertStringToSid = (sidStr) => {
+  const arr = sidStr.split('-')
+  if (arr.length !== 8) return null
+  try {
+    const b0 = 0x0100000000000000n // S-1 = 01
+    const b1 = 0x0005000000000000n // seven dashes, seven minus two = 5
+    const b2 = BigInt(arr[2]) // 0x5n
+    const b02 = b0 | b1 | b2 // big-endian
+    const bufBE = Buffer.alloc(8)
+    bufBE.writeBigUInt64BE(b02, 0)
+    let res = bufBE.toString('hex') // 0105000000000005
+    // rest is little-endian
+    const bufLE = Buffer.alloc(4)
+    for (let i = 3; i < arr.length; i++) {
+      const val = parseInt(arr[i], 10 >>> 0) // int32 to unsigned int
+      bufLE.writeUInt32LE(val.toString(), 0)
+      res += bufLE.toString('hex')
+    }
+    return res
+  } catch (err) {
+    return null
+  }
+}
+
 //
 // getMemberOfGroups returns all groups the user is member of
 // [{ id: <id-group>> , displayName: <displayName-group>, members [{value: <id-user>}] }]
 //
 const getMemberOfGroups = async (baseEntity, id) => {
   const action = 'getMemberOfGroups'
-
   if (!config.map.group) throw new Error('missing configuration endpoint.map.group') // not using groups
 
   let idDn = id
-  if (config.map.user.objectGUID && config.map.user.objectGUID.mapTo === 'id') { // need dn
+  if (config.useSID_id || config.useGUID_id) { // need dn
     const method = 'search'
-    const base = `<GUID=${id}>`
+    let base
+    if (config.useSID_id) {
+      const sid = convertStringToSid(id)
+      if (!sid) throw new Error(`${action} error: ${id}=${id} - attribute having a none valid SID string`)
+      base = `<SID=${sid}>`
+    } else {
+      const guid = Buffer.from(id, 'base64').toString('hex')
+      base = `<GUID=${guid}>`
+    }
+
     const ldapOptions = {
       attributes: ['dn']
     }
+
     try {
       const users = await doRequest(baseEntity, method, base, ldapOptions)
-      if (users.length !== 1) throw new Error(`${action} error: did not find unique user having objectGUID=${id}`)
+      if (users.length !== 1) throw new Error(`${action} error: did not find unique user having ${config.useSID_id ? 'objectSid' : 'objectGUID'} =${id}`)
       idDn = users[0].dn
     } catch (err) {
       const newErr = err
@@ -748,8 +956,6 @@ const getServiceClient = async (baseEntity) => {
   if (!_serviceClient[baseEntity]) _serviceClient[baseEntity] = {}
 
   for (let i = -1; i < config.entity[baseEntity].baseUrls.length; i++) {
-    let useStrictDN = true
-    if (config.map.user.objectGUID && config.map.user.objectGUID.mapTo === 'id') useStrictDN = false
     try {
       const cli = await ldap.createClient({
         url: config.entity[baseEntity].baseUrl,
@@ -757,24 +963,25 @@ const getServiceClient = async (baseEntity) => {
         tlsOptions: {
           rejectUnauthorized: false
         },
-        strictDN: useStrictDN // false => supports objectGUID as dn
+        strictDN: false // false => allows none standard ldap base dn e.g. <SID=...> / <GUID=...>  ref. objectSid/objectGUID
       })
-
       await new Promise((resolve, reject) => {
-        cli.bind(config.entity[baseEntity].username, config.entity[baseEntity].passwordDecrypted, (err) => err ? reject(err) : resolve())
+        cli.bind(config.entity[baseEntity].username, config.entity[baseEntity].passwordDecrypted, (err, res) => err ? reject(err) : resolve(res))
+        cli.on('error', (err) => reject(err))
       })
       return cli // client OK
     } catch (err) {
-      if (i + 1 < config.entity[baseEntity].baseUrls.length) { // failover logic
-        scimgateway.logger.debug(`${pluginName}[${baseEntity}] baseUrl=${config.entity[baseEntity].baseUrl} connection error but will retry`)
+      const retry = err.message.includes('timeout') || err.message.includes('ECONNREFUSED')
+      if (retry && i + 1 < config.entity[baseEntity].baseUrls.length) { // failover logic
+        scimgateway.logger.debug(`${pluginName}[${baseEntity}] baseUrl=${config.entity[baseEntity].baseUrl} connection error - starting retry`)
         config.entity[baseEntity].baseUrl = config.entity[baseEntity].baseUrls[i + 1]
       } else {
-        const newErr = err
-        throw newErr
+        if (err.message.includes('AcceptSecurityContext')) err.message = 'LdapErr: connect failure, invalid user/password'
+        throw err
       }
     }
   }
-  throw new Error('getServiceClient program logic failed for some odd reasons - should not happend...')
+  throw new Error(`${action} logic failed for some odd reasons - should not happend...`)
 }
 
 //
@@ -792,7 +999,16 @@ const getServiceClient = async (baseEntity) => {
 const doRequest = async (baseEntity, method, base, ldapOptions) => {
   let result = null
   let client = null
+
   const options = scimgateway.copyObj(ldapOptions)
+  if (options.filter) {
+    if (options.filter && options.filter.includes('userPrincipalName') && config.upnMapDomain) {
+      const old = options.filter
+      options.filter = options.filter.replace(config.upnMapDomain.inbound, config.upnMapDomain.outbound)
+      scimgateway.logger.debug(`${pluginName}[${baseEntity}] inbound upnMapDomain ${old} => ${options.filter}`)
+    }
+  }
+
   try {
     client = await getServiceClient(baseEntity)
     switch (method) {
@@ -807,9 +1023,20 @@ const doRequest = async (baseEntity, method, base, ldapOptions) => {
             search.on('searchEntry', (entry) => {
               if (entry.attributes) {
                 entry.attributes.find((el, i) => {
-                  if (el.type === 'objectGUID') { // assume Active Directory - can't use default utf-8 when attribute value is hex
-                    const hexStr = Buffer.from(el.buffers[0], 'binary').toString('hex')
-                    entry.attributes[i]._vals = [hexStr]
+                  if (['objectSid', 'objectGUID'].includes(el.type)) { // assume Active Directory - can't use default utf-8 when attribute value is hex
+                    const b = Buffer.from(el.buffers[0], 'hex')
+                    if (el.type === 'objectSid') {
+                      const sidStr = convertSidToString(b) // using string: S-1-5-21-2657077294-4200173015-2627628055-1255
+                      if (!sidStr) throw new Error(`doRequest() error: failed to convert SID ${b.toString('hex')} to string}`)
+                      entry.attributes[i]._vals = [sidStr]
+                    } else {
+                      entry.attributes[i]._vals = [b.toString('base64')] // using base64: nitWLrhokUqKl1DywiavXg==
+                    }
+                  } else if (el.type === 'userPrincipalName' && config.upnMapDomain) {
+                    const val = Buffer.from(el.buffers[0], 'hex').toString('utf8')
+                    const old = val
+                    entry.attributes[i]._vals = [val.replace(config.upnMapDomain.outbound, config.upnMapDomain.inbound)]
+                    scimgateway.logger.debug(`${pluginName}[${baseEntity}] outbound upnMapDomain ${old} => ${entry.attributes[i]._vals}`)
                   }
                   return undefined
                 })
@@ -820,8 +1047,11 @@ const doRequest = async (baseEntity, method, base, ldapOptions) => {
             search.on('page', (entry, cb) => {
               // if (cb) cb() // pagePause = true gives callback
             })
-            search.on('error', (err) => reject(err))
-            search.on('end', (_) => resolve(results))
+            search.on('error', (err) => {
+              if (err.message.includes('LdapErr: DSID-0C0909F2') || err.message.includes('NO_OBJECT')) return resolve([]) // object not found when using base <SID=...> or <GUID=...> ref. objectSid/objectGUID
+              reject(err)
+            })
+            search.on('end', (_) => { resolve(results) })
           })
         })
         break
@@ -831,6 +1061,9 @@ const doRequest = async (baseEntity, method, base, ldapOptions) => {
           const dn = base
           client.modify(dn, options, (err) => {
             if (err) {
+              if (options.operation && options.operation === 'add' && options.modification && options.modification.member) {
+                if (err.message.includes('ENTRY_EXISTS')) return resolve() // add already existing group to user
+              }
               return reject(err)
             }
             resolve()
@@ -866,11 +1099,10 @@ const doRequest = async (baseEntity, method, base, ldapOptions) => {
     client.unbind()
   } catch (err) {
     scimgateway.logger.error(`${pluginName}[${baseEntity}] doRequest method=${method} base=${base} ldapOptions=${JSON.stringify(ldapOptions)} Error Response = ${err.message}`)
-    const newErr = err
     if (client) {
-      try { client.unbind() } catch (err) {}
+      try { client.destroy() } catch (err) {}
     }
-    throw newErr
+    throw err
   }
 
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] doRequest method=${method} base=${base} ldapOptions=${JSON.stringify(ldapOptions)} Response=${JSON.stringify(result)}`)

package/lib/plugin-loki.js

@@ -215,7 +215,10 @@ scimgateway.createUser = async (baseEntity, userObj) => {
     }
   }
 
-  userObj.id = userObj.userName // for loki-plugin (scim endpoint) id is mandatory and set to userName
+  if (userObj.userName) userObj.id = userObj.userName // id set to userName or externalId
+  else if (userObj.externalId) userObj.id = userObj.externalId
+  else throw new Error(`${action} error: missing mandatory userName or externalId`)
+
   try {
     users.insert(userObj)
     return null
@@ -415,10 +418,8 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes) => {
 
   if (!groupsArr) throw new Error(`${action} error: mandatory if-else logic not fully implemented`)
 
-  if (!getObj.startIndex && !getObj.count) { // client request without paging
-    getObj.startIndex = 1
-    getObj.count = groupsArr.length
-  }
+  if (!getObj.startIndex) getObj.startIndex = 1
+  if (!getObj.count) getObj.count = 200
 
   const ret = {
     Resources: [],
@@ -439,7 +440,8 @@ scimgateway.createGroup = async (baseEntity, groupObj) => {
   const action = 'createGroup'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" groupObj=${JSON.stringify(groupObj)}`)
 
-  groupObj.id = groupObj.displayName // for loki-plugin (scim endpoint) id is mandatory and set to displayName
+  if (groupObj.externalId) groupObj.id = groupObj.externalId // for loki-plugin (scim endpoint) id is mandatory and set to displayName
+  else groupObj.id = groupObj.displayName
 
   try {
     groups.insert(groupObj)

package/lib/plugin-mongodb.js

@@ -266,7 +266,9 @@ scimgateway.createUser = async (baseEntity, userObj) => {
     }
   }
 
-  userObj.id = userObj.userName // for loki-plugin (scim endpoint) id is mandatory and set to userName
+  if (userObj.userName) userObj.id = userObj.userName // id set to userName or externalId
+  else if (userObj.externalId) userObj.id = userObj.externalId
+  else throw new Error(`${action} error: missing mandatory userName or externalId`)
 
   if (!userObj.meta) {
     const now = Date.now()
@@ -516,10 +518,8 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes) => {
 
   if (!findObj) throw new Error(`${action} error: mandatory if-else logic not fully implemented`)
 
-  if (!getObj.startIndex && !getObj.count) { // client request without paging
-    getObj.startIndex = 1
-    getObj.count = 200
-  }
+  if (!getObj.startIndex) getObj.startIndex = 1
+  if (!getObj.count) getObj.count = 200
 
   const ret = {
     Resources: [],
@@ -559,7 +559,8 @@ scimgateway.createGroup = async (baseEntity, groupObj) => {
       lastModified: now
     }
   }
-  groupObj.id = groupObj.displayName // for loki-plugin (scim endpoint) id is mandatory and set to displayName
+  if (groupObj.externalId) groupObj.id = groupObj.externalId // for loki-plugin (scim endpoint) id is mandatory and set to displayName
+  else groupObj.id = groupObj.displayName
   groupObj = encodeDotDate(groupObj)
 
   try {

package/lib/postinstall.js

@@ -1,18 +1,24 @@
 //
 // Copy plugins from original scimgateway package to current installation folder
 //
-var fs = require('fs')
 
-function fsExistsSync(f) {
+const fs = require('fs')
+
+function fsExistsSync (f) {
   try {
     fs.accessSync(f)
     return true
   } catch (e) {
-      return false
+    return false
   }
 }
 
-if (fsExistsSync('./node_modules')) return true // global package - quit - no postinstall
+if (process.env.npm_config_scimgateway_postinstall_skip || process.env.SCIMGATEWAY_POSTINSTALL_SKIP) {
+  console.info('The configuration `scimgateway_postinstall_skip` was set to true so `postinstall` activities are going to be skipped!')
+  process.exit(0)
+}
+
+if (fsExistsSync('./node_modules')) process.exit(0) // global package - quit - no postinstall
 
 if (!fsExistsSync('../../config')) fs.mkdirSync('../../config')
 if (!fsExistsSync('../../config/certs')) fs.mkdirSync('../../config/certs')
@@ -22,7 +28,7 @@ if (!fsExistsSync('../../config/docker')) fs.mkdirSync('../../config/docker')
 if (!fsExistsSync('../../lib')) fs.mkdirSync('../../lib')
 
 if (!fsExistsSync('../../config/plugin-loki.json')) fs.writeFileSync('../../config/plugin-loki.json', fs.readFileSync('./config/plugin-loki.json'))
-if (!fsExistsSync('../../config/plugin-restful.json')) fs.writeFileSync('../../config/plugin-restful.json', fs.readFileSync('./config/plugin-restful.json'))
+if (!fsExistsSync('../../config/plugin-scim.json')) fs.writeFileSync('../../config/plugin-scim.json', fs.readFileSync('./config/plugin-scim.json'))
 if (!fsExistsSync('../../config/plugin-forwardinc.json')) fs.writeFileSync('../../config/plugin-forwardinc.json', fs.readFileSync('./config/plugin-forwardinc.json'))
 if (!fsExistsSync('../../config/plugin-mssql.json')) fs.writeFileSync('../../config/plugin-mssql.json', fs.readFileSync('./config/plugin-mssql.json'))
 if (!fsExistsSync('../../config/plugin-saphana.json')) fs.writeFileSync('../../config/plugin-saphana.json', fs.readFileSync('./config/plugin-saphana.json'))
@@ -32,7 +38,7 @@ if (!fsExistsSync('../../config/plugin-ldap.json')) fs.writeFileSync('../../conf
 if (!fsExistsSync('../../config/plugin-mongodb.json')) fs.writeFileSync('../../config/plugin-mongodb.json', fs.readFileSync('./config/plugin-mongodb.json'))
 
 fs.writeFileSync('../../lib/plugin-loki.js', fs.readFileSync('./lib/plugin-loki.js'))
-fs.writeFileSync('../../lib/plugin-restful.js', fs.readFileSync('./lib/plugin-restful.js'))
+fs.writeFileSync('../../lib/plugin-scim.js', fs.readFileSync('./lib/plugin-scim.js'))
 fs.writeFileSync('../../lib/plugin-forwardinc.js', fs.readFileSync('./lib/plugin-forwardinc.js'))
 fs.writeFileSync('../../lib/plugin-mssql.js', fs.readFileSync('./lib/plugin-mssql.js'))
 fs.writeFileSync('../../lib/plugin-saphana.js', fs.readFileSync('./lib/plugin-saphana.js'))
@@ -41,10 +47,12 @@ fs.writeFileSync('../../lib/plugin-azure-ad.js', fs.readFileSync('./lib/plugin-a
 fs.writeFileSync('../../lib/plugin-ldap.js', fs.readFileSync('./lib/plugin-ldap.js'))
 fs.writeFileSync('../../lib/plugin-mongodb.js', fs.readFileSync('./lib/plugin-mongodb.js'))
 
-if (!fsExistsSync('../../config/wsdls/GroupService.wsdl'))
+if (!fsExistsSync('../../config/wsdls/GroupService.wsdl')) {
   fs.writeFileSync('../../config/wsdls/GroupService.wsdl', fs.readFileSync('./config/wsdls/GroupService.wsdl'))
-if (!fsExistsSync('../../config/wsdls/UserService.wsdl'))
+}
+if (!fsExistsSync('../../config/wsdls/UserService.wsdl')) {
   fs.writeFileSync('../../config/wsdls/UserService.wsdl', fs.readFileSync('./config/wsdls/UserService.wsdl'))
+}
 
 fs.writeFileSync('../../config/docker/docker-compose.yml', fs.readFileSync('./config/docker/docker-compose.yml'))
 fs.writeFileSync('../../config/docker/Dockerfile', fs.readFileSync('./config/docker/Dockerfile'))

package/lib/scimgateway.js

@@ -422,7 +422,7 @@ const ScimGateway = function () {
     const arr = ctx.request.url.split('/')
     if (arr.length > 0) {
       const entity = arr[1].split('?')[0]
-      if (!['Users', 'Groups', 'scim'].includes(entity)) baseEntity = entity
+      if (!['Users', 'Groups', 'Schemas', 'ServiceProviderConfigs', 'scim'].includes(entity)) baseEntity = entity
     }
     try { // authenticate
       const arrResolve = await Promise.all([unauth(ctx), basic(baseEntity, ctx.request.method, authType, authToken), bearerToken(baseEntity, ctx.request.method, authType, authToken), bearerJwtAzure(baseEntity, ctx, next, authType, authToken), bearerJwt(baseEntity, ctx.request.method, authType, authToken)]).catch((err) => { throw (err) })
@@ -777,7 +777,7 @@ const ScimGateway = function () {
     // GET /Groups
     // GET /Users?attributes=userName&startIndex=1&count=100
     // GET /Groups?attributes=displayName
-    // GET /Users?filter=meta.created gte "2010-01-01T00:00:00Z"&attributes=userName,id,name.familyName,meta.created
+    // GET /Users?filter=meta.created ge "2010-01-01T00:00:00Z"&attributes=userName,id,name.familyName,meta.created
     // GET /Users?filter=emails.value co "@example.com"&attributes=userName,name.familyName,emails&sortBy=name.familyName&sortOrder=descending
 
     let info = ''
@@ -816,7 +816,7 @@ const ScimGateway = function () {
             logger.debug(`${gwName}[${pluginName}] calling "${handler.groups.getMethod}" and awaiting result - groups to be included`)
             let res
             try {
-              res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: userObj.id }, ['members.value', 'id', 'displayName']) // await scimgateway.getUserGroups(baseEntity, userObj.id, 'members.value,displayName')
+              res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: decodeURIComponent(userObj.id) }, ['members.value', 'id', 'displayName']) // await scimgateway.getUserGroups(baseEntity, userObj.id, 'members.value,displayName')
             } catch (err) {} // method may be implemented but throwing error like groups not supported/implemented
             if (res && res.Resources && Array.isArray(res.Resources) && res.Resources.length > 0) {
               userObj.groups = []
@@ -913,18 +913,27 @@ const ScimGateway = function () {
         jsonBody[key] = res[key]
       }
 
-      if (!jsonBody.id) { // retrieve id
-        let obj
-        try {
-          if (handle.getMethod === 'getUser') {
+      let obj
+      try { // retrieve id
+        if (handle.createMethod === 'createUser') {
+          if (jsonBody.userName) {
+            jsonBody.id = jsonBody.userName
             obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'userName', operator: 'eq', value: jsonBody.userName }, ['id', 'userName'])
-          } else if (handle.getMethod === 'getGroup') {
+          } else if (jsonBody.externalId) {
+            jsonBody.id = jsonBody.externalId
+            obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'externalId', operator: 'eq', value: jsonBody.externalId }, ['id', 'externalId'])
+          }
+        } else if (handle.createMethod === 'createGroup') {
+          if (jsonBody.externalId) {
+            jsonBody.id = jsonBody.externalId
+            obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'externalId', operator: 'eq', value: jsonBody.externalId }, ['id', 'externalId'])
+          } else if (jsonBody.displayName) {
+            jsonBody.id = jsonBody.displayName
             obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'displayName', operator: 'eq', value: jsonBody.displayName }, ['id', 'displayName'])
           }
-        } catch (err) { }
-        if (obj && obj.id) jsonBody.id = obj.id
-        else jsonBody.id = jsonBody.userName ? jsonBody.userName : jsonBody.displayName
-      }
+        }
+      } catch (err) { }
+      if (obj && obj.id) jsonBody.id = obj.id
 
       const location = `${ctx.origin}${ctx.path}/${jsonBody.id}`
       if (!jsonBody.meta) jsonBody.meta = {}
@@ -1663,9 +1672,10 @@ const getMultivalueTypes = (objName, scimDef) => { // objName = 'User' or 'Group
 ScimGateway.prototype.processExtConfig = function processExtConfig (pluginName, config, isMain) {
   const processEnv = 'process.env.'
   const processFile = 'process.file.'
+  const processText = 'process.text.'
   const dotConfig = dot.dot(config)
-  let content
-  let filePath
+  const processTexts = new Map()
+  const processFiles = new Map()
 
   for (const key in dotConfig) {
     let value = dotConfig[key]
@@ -1678,15 +1688,26 @@ ScimGateway.prototype.processExtConfig = function processExtConfig (pluginName,
         newErr.name = 'processExtConfig'
         throw newErr
       }
+    } else if (value && value.constructor === String && value.includes(processText)) {
+      const filePath = value.substring(processText.length)
+      try {
+        if (!processTexts.has(filePath)) { // avoid reading previous file
+          processTexts.set(filePath, fs.readFileSync(filePath, 'utf8'))
+        }
+        value = processTexts.get(filePath) // directly a string
+      } catch (err) {
+        value = undefined
+        throw new Error(`configuration failed - can't read text from external file: "${filePath}"`)
+      }
+      dotConfig[key] = value
     } else if (value && value.constructor === String && value.includes(processFile)) {
-      const newFilePath = value.substring(processFile.length)
+      const filePath = value.substring(processFile.length)
       try {
-        if (filePath !== newFilePath) { // avoid reading previous file
-          filePath = newFilePath
-          content = fs.readFileSync(filePath, 'utf8')
+        if (!processFiles.has(filePath)) { // avoid reading previous file
+          processFiles.set(filePath, JSON.parse(fs.readFileSync(filePath, 'utf8')))
         }
         try {
-          const jContent = JSON.parse(content) // json or json-dot-notation formatting is supported
+          const jContent = processFiles.get(filePath) // json or json-dot-notation formatting is supported
           const dotContent = dot.dot(dot.object(jContent))
           let newKey = null
           if (isMain) newKey = `${pluginName}.scimgateway.${key}`
@@ -1721,7 +1742,8 @@ ScimGateway.prototype.processExtConfig = function processExtConfig (pluginName,
       dotConfig[key] = value
     }
   }
-  content = null
+  processTexts.clear()
+  processFiles.clear()
   return dot.object(dotConfig)
 }
 

package/lib/utils.js

@@ -69,11 +69,17 @@ module.exports.getPassword = function (pwDotNotation, configFile) {
     if (pw.includes('process.')) { // password based on external reference e.g. environment or json file
       // syntax environment = "process.env.<ENVIRONMENT>" e.g. scimgateway.password could have value "process.env.PORT", then using environment variable PORT
       // syntax file = "process.file.<PATH>" e.g. scimgateway.password could have value "process.file./tmp/myconf.json"
+      const processText = 'process.text.'
       const processEnv = 'process.env.'
       const processFile = 'process.file.'
       if (pw.constructor === String && pw.includes(processEnv)) {
         const envKey = pw.substring(processEnv.length)
         pwclear = process.env[envKey]
+      } else if (pw && pw.constructor === String && pw.includes(processText)) {
+        const filePath = pw.substring(processFile.length)
+        try {
+          pwclear = fs.readFileSync(filePath, 'utf8')
+        } catch (err) { pwclear = undefined } // can't read external configuration file
       } else if (pw && pw.constructor === String && pw.includes(processFile)) {
         const filePath = pw.substring(processFile.length)
         try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "4.0.0",
+  "version": "4.0.1",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",
   "homepage": "https://elshaug.xyz",
@@ -45,15 +45,15 @@
     "mongodb": "^4.2.0",
     "node-machine-id": "1.1.9",
     "nodemailer": "^6.7.1",
-    "passport": "^0.5.0",
+    "passport": "^0.5.2",
     "passport-azure-ad": "^4.3.1",
     "soap": "^0.43.0",
     "tedious": "^14.0.0",
-    "winston": "^3.3.3"
+    "winston": "^3.4.0"
   },
   "devDependencies": {
     "chai": "^4.2.0",
-    "mocha": "^7.1.1",
+    "mocha": "^9.2.0",
     "supertest": "^4.0.2"
   }
 }

package/test/index.js

@@ -10,6 +10,6 @@
 //
 
 const loki = require('./lib/plugin-loki')
-const restful = require('./lib/plugin-restful')
+const scim = require('./lib/plugin-scim')
 const api = require('./lib/plugin-api')
-// const mongodb = require('./lib/plugin-mongodb')
+// const mongodb = require('./lib/plugin-mongodb')

package/test/lib/{plugin-restful.js → plugin-scim.js}

@@ -1,7 +1,7 @@
 'use strict'
 
 const expect = require('chai').expect
-const scimgateway = require('../../lib/plugin-restful.js')
+const scimgateway = require('../../lib/plugin-scim.js')
 const server_8886 = require('supertest').agent('http://localhost:8886') // module request is an alternative
 
 const auth = 'Basic ' + Buffer.from('gwadmin:password').toString('base64')
@@ -12,7 +12,7 @@ var options = {
   }
 }
 
-describe('plugin-restful tests', () => {
+describe('plugin-scim tests', () => {
 
   it('getUsers all test (1)', function (done) {
     server_8886.get('/Users' +