scimgateway 4.0.0 → 4.1.1

package/.travis.yml

@@ -1,7 +1,7 @@
 language: node_js
 
 node_js:
-  - "8"
+  - "10"
 
 sudo: false
 

package/README.md

@@ -16,7 +16,8 @@ Validated through IdP's:
   
 Latest news:  
 
-- New major version v4.0.0. getUsers() and getGroups() replacing some deprecated methods. No limitations on filtering/sorting. Admin user access can be limited to specific baseEntities. New MongoDB plugin  
+- Supporting OAuth Client Credentials authentication
+- Major version v4.0.0. getUsers() and getGroups() replacing some deprecated methods. No limitations on filtering/sorting. Admin user access can be limited to specific baseEntities. New MongoDB plugin  
 - ipAllowList for restricting access to allowlisted IP addresses or subnets e.g. Azure AD IP-range  
 - General LDAP plugin configured for Active Directory  
 - [PlugSSO](https://elshaug.xyz/docs/plugsso) using SCIM Gateway
@@ -38,8 +39,6 @@ Using Identity Manager, we could setup one or more endpoints of type SCIM pointi
 
 ![](https://jelhub.github.io/images/ScimGateway.svg)
 
-Instead of using IM-SDK for building our own integration for none supported endpoints, we can now build new integration based on SCIM Gateway plugins. SCIM Gateway works with IM as long as IM supports SCIM.
-
 SCIM Gateway is based on the popular asynchronous event driven framework [Node.js](https://nodejs.dev/) using JavaScript. It is firewall friendly using REST webservices. Runs on almost all operating systems, and may load balance between hosts (horizontal) and cpu's (vertical). Could even be uploaded and run as a cloud application.
 
 **Following example plugins are included:**
@@ -56,12 +55,15 @@ Example of a fully functional SCIM Gateway plugin
 Same as plugin "Loki" but using MongoDB  
 Shows how to implement a highly configurable multi tenant or multi endpoint solution through `baseEntity` in URL
 
-* **RESTful** (REST Webservice)  
-Demonstrates user provisioning towards REST-Based endpoint   
-Using plugin "Loki" as a REST endpoint
+* **SCIM** (REST Webservice)  
+Demonstrates user provisioning towards a SCIM endpoint using REST   
+Using plugin "Loki" as SCIM endpoint  
+Can be used as SCIM version-gateway e.g. 1.1=>2.0 or 2.0=>1.1  
+Can be used to chain several SCIM Gateway's  
+
 
 * **Forwardinc** (SOAP Webservice)  
-Demonstrates user provisioning towards SOAP-Based endpoint   
+Demonstrates provisioning towards SOAP-Based endpoint   
 Using endpoint Forwardinc that comes with Broadcom/CA IM SDK (SDKWS) - [wiki.ca.com](https://docops.ca.com/ca-identity-manager/12-6-8/EN/programming/connector-programming-reference/sdk-sample-connectors/sdkws-sdk-web-services-connector/sdkws-sample-connector-build-requirements "wiki.ca.com")    
 Shows how to implement a highly configurable multi tenant or multi endpoint solution through `baseEntity` in URL  
 
@@ -137,7 +139,7 @@ If internet connection is blocked, we could install on another machine and copy
 
     http://localhost:8880/Groups?filter=displayName eq "Admins"&excludedAttributes=members
     http://localhost:8880/Users?filter=userName eq "bjensen"&attributes=userName,id,name.givenName
-    http://localhost:8880/Users?filter=meta.created gte "2010-01-01T00:00:00Z"&attributes=userName,name.familyName,meta.created
+    http://localhost:8880/Users?filter=meta.created ge "2010-01-01T00:00:00Z"&attributes=userName,name.familyName,meta.created
     http://localhost:8880/Users?filter=emails.value co "@example.com"&attributes=userName,name.familyName,emails&sortBy=name.familyName&sortOrder=descending
     => Filtering examples
 
@@ -173,13 +175,17 @@ Note, always backup/copy C:\\my-scimgateway before upgrading. Custom plugins and
 
 To force a major upgrade (version x.\*.\* => y.\*.\*) that will brake compability with any existing custom plugins, we have to include the `@latest` suffix in the install command: `npm install scimgateway@latest`
 
+##### Avoid (re-)adding the files created during `postinstall`
+
+When maintaining a set of modifications it useful to disable the postinstall operations to keep your changes intact by setting the property `scimgateway_postinstall_skip = true` in `.npmrc` or by setting environment `SCIMGATEWAY_POSTINSTALL_SKIP = true`  
+
 ## Configuration  
 
 **index.js** defines one or more plugins to be started. We could comment out those we do not need. Default configuration only starts the loki plugin.  
   
 	const loki = require('./lib/plugin-loki')
 	// const mongodb = require('./lib/plugin-mongodb')
-	// const restful = require('./lib/plugin-restful')
+	// const scim = require('./lib/plugin-scim')
 	// const forwardinc = require('./lib/plugin-forwardinc')
 	// const mssql = require('./lib/plugin-mssql')
 	// const saphana = require('./lib/plugin-saphana')  // prereq: npm install hdb
@@ -244,6 +250,14 @@ Below shows an example of config\plugin-saphana.json
               "readOnly": false,
               "baseEntities": []
             }
+          ],
+          "bearerOAuth": [
+            {
+              "client_id": null,
+              "client_secret": null,
+              "readOnly": false,
+              "baseEntities": []
+            }
           ]
         },
 	    "certificate": {
@@ -331,6 +345,8 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 
 - **auth.bearerJwt** - Array of one or more standard JWT objects. Using **secret** or **publicKey** for signature verification. publicKey should be set to the filename of public key or certificate pem-file located in `<package-root>\config\certs`. Clear text secret will become encrypted when gateway is started. **options.issuer** is mandatory. Other options may also be included according to jsonwebtoken npm package definition.   
 
+- **auth.bearerOAuth** - Array of one or more Client Credentials OAuth configuration objects. **`client_id`** and **`client_secret`** are mandatory. client_secret value will become encrypted when gateway is started. OAuth token request url is **/oauth/token** e.g. http://localhost:8880/oauth/token  
+
 - **certificate** - If not using SSL/TLS certificate, set "key", "cert" and "ca" to **null**. When using SSL/TLS, "key" and "cert" have to be defined with the filename corresponding to the primary-key and public-certificate. Both files must be located in the `<package-root>\config\certs` directory e.g:  
   
 		"certificate": {
@@ -385,6 +401,7 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 - Setting environment variable `SEED` will override default password seeding logic.  
 - All configuration can be set based on environment variables. Syntax will then be `"process.env.<ENVIRONMENT>"` where `<ENVIRONMENT>` is the environment variable used. E.g. scimgateway.port could have value "process.env.PORT", then using environment variable PORT.
 - All configuration can be set based on corresponding JSON-content (dot notation) in external file using plugin name as parent JSON object. Syntax will then be `"process.file.<path>"` where `<path>` is the file used. E.g. endpoint.password could have value "process.file./var/run/vault/secrets.json"  
+- Indivudual Secrets can be contained in plain text files. Syntax will then be `"process.text.<path>"` where `<path>` is the file which contains raw (`UTF-8`) character value. E.g. endpoint.password could have value "process.text./var/run/vault/endpoint.password". This enables that the config file itself be loaded from a ConfigMap while specific values are mounted either from `secrets.json` style files as mentioned above OR from traditional secrets files mounted in the file system, one value per file.
 
 	Example:  
 
@@ -404,6 +421,11 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 		        },
 		        ...
 		      ],
+		      "bearerJwt": [
+		         "secret": "process.text./var/run/vault/jwt.secret",
+		         "publicKey": "process.text./var/run/vault/jwt.pub",
+				 ...
+			  ],
 		      ...
 		    },
 		  "endpoint": {
@@ -1117,6 +1139,63 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v4.1.1  
+[Added] 
+
+- plugin-ldap support userFilter/groupFilter configuration for restricting scope  
+
+    Configuration example:  
+
+        {
+          ...
+          "userFilter": "(memberOf=CN=grp1,OU=Groups,DC=test,DC=com)(!(memberOf=CN=Domain Admins,CN=Users,DC=test,DC=com))",
+          "groupFilter": "(!(cn=grp2))",
+          ...
+        }
+
+### v4.1.0  
+[Added] 
+
+- Supporting OAuth Client Credentials authentication
+
+    Configuration example:  
+
+        "bearerOAuth": [
+          {
+            "client_id": "my_client_id",
+            "client_secret": "my_client_secret",
+            "readOnly": false,
+            "baseEntities": []
+          }
+        ]
+
+
+    In example above, client using SCIM Gateway must have OAuth configuration:  
+
+        client_id = my_client_id
+        client_secret = my_client_secret
+        token request url = http(s)://<host>:<port>/oauth/token
+
+
+### v4.0.1  
+[Added] 
+
+- create user/group supporting externalId
+- plugin-restful renamed to plugin-scim
+- plugin-ldap having improved SID/GUID support for Active Directory, also supporting domain map of userPrincipalName e.g. Azure AD => Active Directory
+        
+        "userPrincipalName": {
+           "mapTo": "userName",
+           "type": "string",
+	       "mapDomain": {
+	         "inbound": "test.onmicrosoft.com",
+	         "outbound": "my-company.com"
+        }
+
+- postinstall copying example plugins may be skipped by setting the property `scimgateway_postinstall_skip = true` in `.npmrc` or by setting environment `SCIMGATEWAY_POSTINSTALL_SKIP = true`
+- Secrets now also support key-value storage. The key defined in plugin configuration have syntax `process.text.<path>` where `<path>` is the file which contains raw (UTF-8) character value. E.g. configuration `endpoint.password` could have value `process.text./var/run/vault/endpoint.password`, and the corresponding file contains the secret. **Thanks to Raymond Augé**
+
+
 ### v4.0.0  
 **[MAJOR]**  
  

package/config/plugin-api.json

@@ -47,6 +47,14 @@
           "readOnly": false,
           "baseEntities": []
         }
+      ],
+      "bearerOAuth": [
+        {
+          "client_id": null,
+          "client_secret": null,
+          "readOnly": false,
+          "baseEntities": []
+        }
       ]
     },
     "certificate": {

package/config/plugin-azure-ad.json

@@ -47,6 +47,14 @@
           "readOnly": false,
           "baseEntities": []
         }
+      ],
+      "bearerOAuth": [
+        {
+          "client_id": null,
+          "client_secret": null,
+          "readOnly": false,
+          "baseEntities": []
+        }
       ]
     },
     "certificate": {

package/config/plugin-forwardinc.json

@@ -47,6 +47,14 @@
           "readOnly": false,
           "baseEntities": []
         }
+      ],
+      "bearerOAuth": [
+        {
+          "client_id": null,
+          "client_secret": null,
+          "readOnly": false,
+          "baseEntities": []
+        }
       ]
     },
     "certificate": {

package/config/plugin-ldap.json

@@ -47,6 +47,14 @@
           "readOnly": false,
           "baseEntities": []
         }
+      ],
+      "bearerOAuth": [
+        {
+          "client_id": null,
+          "client_secret": null,
+          "readOnly": false,
+          "baseEntities": []
+        }
       ]
     },
     "certificate": {
@@ -86,6 +94,8 @@
         "ldap": {
           "userBase": "CN=Users,DC=test,DC=com",
           "groupBase": "OU=Groups,DC=test,DC=com",
+          "userFilter": null,
+          "groupFilter": null,
           "userNamingAttr": "CN",
           "groupNamingAttr": "CN",
           "userObjectClasses": [

package/config/plugin-loki.json

@@ -47,6 +47,14 @@
           "readOnly": false,
           "baseEntities": []
         }
+      ],
+      "bearerOAuth": [
+        {
+          "client_id": null,
+          "client_secret": null,
+          "readOnly": false,
+          "baseEntities": []
+        }
       ]
     },
     "certificate": {

package/config/plugin-mongodb.json

@@ -53,6 +53,14 @@
           "readOnly": false,
           "baseEntities": []
         }
+      ],
+      "bearerOAuth": [
+        {
+          "client_id": null,
+          "client_secret": null,
+          "readOnly": false,
+          "baseEntities": []
+        }
       ]
     },
     "certificate": {

package/config/plugin-mssql.json

@@ -47,6 +47,14 @@
           "readOnly": false,
           "baseEntities": []
         }
+      ],
+      "bearerOAuth": [
+        {
+          "client_id": null,
+          "client_secret": null,
+          "readOnly": false,
+          "baseEntities": []
+        }
       ]
     },
     "certificate": {

package/config/plugin-saphana.json

@@ -47,6 +47,14 @@
           "readOnly": false,
           "baseEntities": []
         }
+      ],
+      "bearerOAuth": [
+        {
+          "client_id": null,
+          "client_secret": null,
+          "readOnly": false,
+          "baseEntities": []
+        }
       ]
     },
     "certificate": {

package/config/{plugin-restful.json → plugin-scim.json}

@@ -47,6 +47,14 @@
           "readOnly": false,
           "baseEntities": []
         }
+      ],
+      "bearerOAuth": [
+        {
+          "client_id": null,
+          "client_secret": null,
+          "readOnly": false,
+          "baseEntities": []
+        }
       ]
     },
     "certificate": {

package/index.js

@@ -11,7 +11,7 @@
 
 const loki = require('./lib/plugin-loki')
 // const mongodb = require('./lib/plugin-mongodb')
-// const restful = require('./lib/plugin-restful')
+// const scim = require('./lib/plugin-scim')
 // const forwardinc = require('./lib/plugin-forwardinc')
 // const mssql = require('./lib/plugin-mssql')
 // const saphana = require('./lib/plugin-saphana')  // prereq: npm install hdb --save