scimgateway 4.1.0 → 4.1.3

package/README.md

@@ -31,7 +31,7 @@ Latest news:
 
 ## Overview  
  
-With SCIM Gateway we could do user management by using REST based [SCIM](http://www.simplecloud.info/) 1.1 or 2.0 protocol. Gateway will translate incoming SCIM requests and expose CRUD functionality (create, read, update and delete user/group) towards destinations using endpoint specific protocols. In other words, none SCIM-endpoints will become SCIM-endpoints. Gateway do not require SCIM to be used, it's also an API Gateway that could be used for other things than user provisioning.  
+With SCIM Gateway we can manage users and groups by using REST based [SCIM](http://www.simplecloud.info/) 1.1 or 2.0 protocol. Gateway translates incoming SCIM requests and expose CRUD functionality (create, read, update and delete user/group) towards destinations using endpoint specific protocols. In other words, none SCIM-endpoints will become SCIM-endpoints. Gateway do not require SCIM to be used, it's also an API Gateway that could be used for other things than user provisioning.  
 
 SCIM Gateway is a standalone product, however this document shows how the gateway could be used by products like Symatec/Broadcom/CA Identity Manager.
 
@@ -208,7 +208,8 @@ Below shows an example of config\plugin-saphana.json
         "scim": {
           "version": "2.0",
           "customSchema": null,
-          "skipTypeConvert" : false
+          "skipTypeConvert" : false,
+          "usePutSoftSync" : false
         },
         "log": {
           "loglevel": {
@@ -326,6 +327,8 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 		]  
 
 
+- **scim.usePutSoftSync** - true or false, default false. `PUT /Users/bjensen` will replace the user bjensen with body content. If body contains groups, usePutSoftsync=true will prevent removing any existing groups that are not included in body.groups   
+
 - **log.loglevel.file** - off, error, info, or debug. Output to plugin-logfile e.g. `logs\plugin-saphana.log`  
 
 - **log.loglevel.console** - off, error, info, or debug. Output to stdout and errors to stderr.   
@@ -347,7 +350,7 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 
 - **auth.bearerOAuth** - Array of one or more Client Credentials OAuth configuration objects. **`client_id`** and **`client_secret`** are mandatory. client_secret value will become encrypted when gateway is started. OAuth token request url is **/oauth/token** e.g. http://localhost:8880/oauth/token  
 
-- **certificate** - If not using SSL/TLS certificate, set "key", "cert" and "ca" to **null**. When using SSL/TLS, "key" and "cert" have to be defined with the filename corresponding to the primary-key and public-certificate. Both files must be located in the `<package-root>\config\certs` directory e.g:  
+- **certificate** - If not using TLS certificate, set "key", "cert" and "ca" to **null**. When using TLS, "key" and "cert" have to be defined with the filename corresponding to the primary-key and public-certificate. Both files must be located in the `<package-root>\config\certs` directory e.g:  
   
 		"certificate": {
 		  "key": "key.pem",
@@ -1139,28 +1142,84 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v4.1.3  
+[Fixed] 
+
+- createUser response did not include the id that was returned by plugin   
+
+[Added] 
+
+- PUT (Replace User) now includes group handling. Using configuration `scim.usePutSoftsync=true` will prevent removing any existing groups that are not included in body.groups
+
+    Example:  
+
+        PUT /Users/bjensen
+        {
+          ...
+		  "groups": [
+            {"value":"Employees","display":"Employees"},
+            {"value":"Admins","display":"Admins"}
+           ],
+          ...
+        }
+
+
+
+
+### v4.1.2  
+[Added] 
+
+- endpointMapper supporting one to many mappings using a comma separated list of attributes in the `mapTo`  
+
+    Configuration example:  
+
+        "map": {
+          "user": {
+            "PersonnelNumber": {
+              "mapTo": "id,userName",
+              "type": "string"
+            },
+            ...
+          }
+        }
+          
+
+### v4.1.1  
+[Added] 
+
+- plugin-ldap support userFilter/groupFilter configuration for restricting scope  
+
+    Configuration example:  
+
+        {
+          ...
+          "userFilter": "(memberOf=CN=grp1,OU=Groups,DC=test,DC=com)(!(memberOf=CN=Domain Admins,CN=Users,DC=test,DC=com))",
+          "groupFilter": "(!(cn=grp2))",
+          ...
+        }
+
 ### v4.1.0  
 [Added] 
 
 - Supporting OAuth Client Credentials authentication
 
-Configuration example:  
+    Configuration example:  
 
-    "bearerOAuth": [
-      {
-        "client_id": "my_client_id",
-        "client_secret": "my_client_secret",
-        "readOnly": false,
-        "baseEntities": []
-      }
-    ]
+        "bearerOAuth": [
+          {
+            "client_id": "my_client_id",
+            "client_secret": "my_client_secret",
+            "readOnly": false,
+            "baseEntities": []
+          }
+        ]
 
 
-In example above, client using SCIM Gateway must have OAuth configuration:  
+    In example above, client using SCIM Gateway must have OAuth configuration:  
 
-    client_id = my_client_id
-    client_secret = my_client_secret
-    token request url = http(s)://<host>:<port>/oauth/token
+        client_id = my_client_id
+        client_secret = my_client_secret
+        token request url = http(s)://<host>:<port>/oauth/token
 
 
 ### v4.0.1  

package/config/plugin-api.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/config/plugin-azure-ad.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "1.1",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/config/plugin-forwardinc.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/config/plugin-ldap.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {
@@ -94,6 +95,8 @@
         "ldap": {
           "userBase": "CN=Users,DC=test,DC=com",
           "groupBase": "OU=Groups,DC=test,DC=com",
+          "userFilter": null,
+          "groupFilter": null,
           "userNamingAttr": "CN",
           "groupNamingAttr": "CN",
           "userObjectClasses": [

package/config/plugin-loki.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/config/plugin-mongodb.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/config/plugin-mssql.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/config/plugin-saphana.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/config/plugin-scim.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/lib/plugin-ldap.js

@@ -23,6 +23,13 @@
 //              "type": "string"
 //             }
 //
+// Additional user/group filtering for restricting scope may be configured in endpoint.entity.xxx.ldap e.g:
+// {
+//   ...
+//   "userFilter": "(memberOf=CN=grp1,OU=Groups,DC=test,DC=com)(!(memberOf=CN=Domain Admins,CN=Users,DC=test,DC=com))",
+//   "groupFilter": "(!(cn=grp2))",
+//   ...
+//  }
 //
 // Attributes according to map definition in the configuration file plugin-ldap.json:
 //
@@ -190,6 +197,7 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes) => {
             scope: scope,
             attributes: attrs
           }
+          if (config.entity[baseEntity].ldap.userFilter) ldapOptions.filter += config.entity[baseEntity].ldap.userFilter
         }
       }
     } else if (getObj.operator === 'eq' && getObj.attribute === 'group.value') {
@@ -209,6 +217,7 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes) => {
       scope: scope,
       attributes: attrs
     }
+    if (config.entity[baseEntity].ldap.userFilter) ldapOptions.filter += config.entity[baseEntity].ldap.userFilter
   }
   // end mandatory if-else logic
 
@@ -558,6 +567,7 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes) => {
             scope: scope,
             attributes: attrs
           }
+          if (config.entity[baseEntity].ldap.groupFilter) ldapOptions.filter += config.entity[baseEntity].ldap.groupFilter
         }
       }
     } else if (getObj.operator === 'eq' && getObj.attribute === 'members.value') {
@@ -578,6 +588,7 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes) => {
       scope: scope,
       attributes: attrs
     }
+    if (config.entity[baseEntity].ldap.groupFilter) ldapOptions.filter += config.entity[baseEntity].ldap.groupFilter
   }
   // mandatory if-else logic - end
 

package/lib/scimgateway.js

@@ -276,8 +276,8 @@ const ScimGateway = function () {
     }
   }
 
-  this.testmodeusers = scimDef.TestmodeUsers.Resources // exported and used by plugin-loki
-  this.testmodegroups = scimDef.TestmodeGroups.Resources // exported and used by plugin-loki
+  this.testmodeusers = scimDef.TestmodeUsers.Resources // exposed and used by plugin-loki
+  this.testmodegroups = scimDef.TestmodeGroups.Resources // exposed and used by plugin-loki
 
   // multiValueTypes array contains attributes that will be used by "type converted objects" logic
   // groups, roles, and members are excluded
@@ -1083,33 +1083,36 @@ const ScimGateway = function () {
       return
     }
     logger.debug(`${gwName}[${pluginName}] calling "${handle.createMethod}" and awaiting result`)
+    delete jsonBody.id // in case included in request
     try {
       const res = await this[handle.createMethod](ctx.params.baseEntity, scimdata)
-      for (const key in res) { // merge any result e.g: data = {'id': 'xxxx'}
+      for (const key in res) { // merge any result e.g: {'id': 'xxxx'}
         jsonBody[key] = res[key]
       }
 
-      let obj
-      try { // retrieve id
-        if (handle.createMethod === 'createUser') {
-          if (jsonBody.userName) {
-            jsonBody.id = jsonBody.userName
-            obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'userName', operator: 'eq', value: jsonBody.userName }, ['id', 'userName'])
-          } else if (jsonBody.externalId) {
-            jsonBody.id = jsonBody.externalId
-            obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'externalId', operator: 'eq', value: jsonBody.externalId }, ['id', 'externalId'])
-          }
-        } else if (handle.createMethod === 'createGroup') {
-          if (jsonBody.externalId) {
-            jsonBody.id = jsonBody.externalId
-            obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'externalId', operator: 'eq', value: jsonBody.externalId }, ['id', 'externalId'])
-          } else if (jsonBody.displayName) {
-            jsonBody.id = jsonBody.displayName
-            obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'displayName', operator: 'eq', value: jsonBody.displayName }, ['id', 'displayName'])
+      if (!jsonBody.id) { // retrieve id
+        let obj
+        try {
+          if (handle.createMethod === 'createUser') {
+            if (jsonBody.userName) {
+              jsonBody.id = jsonBody.userName
+              obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'userName', operator: 'eq', value: jsonBody.userName }, ['id', 'userName'])
+            } else if (jsonBody.externalId) {
+              jsonBody.id = jsonBody.externalId
+              obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'externalId', operator: 'eq', value: jsonBody.externalId }, ['id', 'externalId'])
+            }
+          } else if (handle.createMethod === 'createGroup') {
+            if (jsonBody.externalId) {
+              jsonBody.id = jsonBody.externalId
+              obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'externalId', operator: 'eq', value: jsonBody.externalId }, ['id', 'externalId'])
+            } else if (jsonBody.displayName) {
+              jsonBody.id = jsonBody.displayName
+              obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'displayName', operator: 'eq', value: jsonBody.displayName }, ['id', 'displayName'])
+            }
           }
-        }
-      } catch (err) { }
-      if (obj && obj.id) jsonBody.id = obj.id
+        } catch (err) { }
+        if (obj && obj.id) jsonBody.id = obj.id
+      }
 
       const location = `${ctx.origin}${ctx.path}/${jsonBody.id}`
       if (!jsonBody.meta) jsonBody.meta = {}
@@ -1256,6 +1259,10 @@ const ScimGateway = function () {
   // ==========================================
   router.put([`/(|scim/)(!${undefined}|Users|Groups|servicePlans)/:id`,
   `/:baseEntity/(|scim/)(!${undefined}|Users|Groups|servicePlans)/:id`], async (ctx) => {
+    await replaceUsrGrp(ctx)
+  })
+
+  const replaceUsrGrp = async (ctx, isExtCaller) => {
     let u = ctx.originalUrl.substr(0, ctx.originalUrl.lastIndexOf('/'))
     u = u.substr(u.lastIndexOf('/') + 1) // u = Users, Groups
     const handle = handler[u]
@@ -1268,7 +1275,7 @@ const ScimGateway = function () {
       err = jsonErr(config.scim.version, pluginName, ctx.status, err)
       ctx.body = err
     } else {
-      logger.debug(`${gwName}[${pluginName}] [Modify ${handle.description}] id=${id}`)
+      if (!isExtCaller) logger.debug(`${gwName}[${pluginName}] [Replace ${handle.description}] id=${id}`)
       logger.debug(`${gwName}[${pluginName}] PUT ${ctx.originalUrl} body=${strBody}`)
       try {
         // get current object
@@ -1302,6 +1309,86 @@ const ScimGateway = function () {
         logger.debug(`${gwName}[${pluginName}] calling "${handle.modifyMethod}" and awaiting result`)
         await this[handle.modifyMethod](ctx.params.baseEntity, id, scimdata)
 
+        // add/remove groups
+        if (jsonBody.groups && Array.isArray(jsonBody.groups)) { // only if groups included, { "groups": [] } will remove all existing
+          if (typeof this[handler.groups.getMethod] !== 'function' || typeof this[handler.groups.modifyMethod] !== 'function') {
+            throw new Error('replaceUser error: put operation can not be fully completed for the user`s groups, methods like getGroups() and modifyGroup() are not implemented')
+          }
+          let currentGroups
+          if (currentObj.groups && Array.isArray(currentObj.groups)) currentGroups = currentObj.groups
+          else { // try to get current groups the standard way
+            let res
+            try {
+              res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: decodeURIComponent(id) }, ['members.value', 'id', 'displayName']) // await scimgateway.getUserGroups(baseEntity, userObj.id, 'members.value,displayName')
+            } catch (err) {} // method may be implemented but throwing error like groups not supported/implemented
+            currentGroups = []
+            if (res && res.Resources && Array.isArray(res.Resources) && res.Resources.length > 0) {
+              for (let i = 0; i < res.Resources.length; i++) {
+                if (!res.Resources[i].id) continue
+                const el = {}
+                el.value = res.Resources[i].id
+                if (res.Resources[i].displayName) el.display = res.Resources[i].displayName
+                if (el.value) currentGroups.push(el) // { "value": "Admins", "display": "Admins"}
+              }
+            }
+          }
+          const addGrps = []
+          const removeGrps = []
+          // add
+          for (let i = 0; i < jsonBody.groups.length; i++) {
+            let found = false
+            for (let j = 0; j < currentGroups.length; j++) {
+              if (jsonBody.groups[i].value === currentGroups[j].value) {
+                found = true
+                break
+              }
+            }
+            if (!found && jsonBody.groups[i].value) addGrps.push(jsonBody.groups[i].value)
+          }
+          // remove
+          for (let i = 0; i < currentGroups.length; i++) {
+            let found = false
+            for (let j = 0; j < jsonBody.groups.length; j++) {
+              if (currentGroups[i].value === jsonBody.groups[j].value) {
+                found = true
+                break
+              }
+            }
+            if (!found && currentGroups[i].value) removeGrps.push(currentGroups[i].value)
+          }
+
+          const addGroups = async (grp) => {
+            const obj = { members: [{ value: id }] }
+            return await this[handler.groups.modifyMethod](ctx.params.baseEntity, grp, obj)
+          }
+
+          const removeGroups = async (grp) => {
+            const obj = { members: [{ operation: 'delete', value: id }] }
+            return await this[handler.groups.modifyMethod](ctx.params.baseEntity, grp, obj)
+          }
+
+          let errRemove
+          if (!config.scim.usePutSoftSync) { // default will remove any existing groups not included, usePutSoftSync=true prevents removing groups (only add groups)
+            await Promise.all(removeGrps.map((grp) => removeGroups(grp)))
+              .then()
+              .catch((err) => {
+                errRemove = err
+              })
+          }
+
+          let errAdd
+          await Promise.all(addGrps.map((grp) => addGroups(grp)))
+            .then()
+            .catch((err) => {
+              errAdd = err
+            })
+
+          let errMsg = ''
+          if (errRemove) errMsg = `removeGroups error: ${errRemove.message}`
+          if (errAdd) errMsg += `${errMsg ? ' ' : ''}addGroups error: ${errAdd.message}`
+          if (errMsg) throw new Error(errMsg)
+        }
+
         // get updated object
         logger.debug(`${gwName}[${pluginName}] calling "${handle.getMethod}" and awaiting result`)
         res = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'id', operator: 'eq', value: id }, [])
@@ -1313,7 +1400,7 @@ const ScimGateway = function () {
         else throw Error(`put using method ${handle.getMethod} got unexpected response: ${JSON.stringify(res)}`)
 
         // include groups
-        if (handle.getMethod === handler.users.getMethod) {
+        if (handle.getMethod === handler.users.getMethod && typeof this[handler.groups.getMethod] === 'function') {
           logger.debug(`${gwName}[${pluginName}] calling "${handler.groups.getMethod}" and awaiting result`)
           const res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: id }, ['members.value', 'id', 'displayName'])
           let grps = []
@@ -1346,7 +1433,8 @@ const ScimGateway = function () {
         ctx.body = e
       }
     }
-  }) // put
+  }
+  this.replaceUsrGrp = replaceUsrGrp // exposed
 
   // ==========================================
   //           API POST (no SCIM)
@@ -1782,7 +1870,7 @@ const ScimGateway = function () {
 // exported methods
 //
 ScimGateway.prototype.endpointMap = endpointMap
-ScimGateway.prototype.countries = endpointMap
+ScimGateway.prototype.countries = countries
 
 ScimGateway.prototype.getPassword = (pwEntity, configFile) => {
   return utils.getPassword(pwEntity, configFile) // utils.getPassword('scimgateway.password', './config/plugin-testmode.json');
@@ -1994,7 +2082,7 @@ ScimGateway.prototype.endpointMapper = function endpointMapper (direction, parse
             }
           }
           for (const key2 in mapObj) {
-            if (mapObj[key2].mapTo.toLowerCase() === key.toLowerCase()) {
+            if (mapObj[key2].mapTo.split(',').map(item => item.trim().toLowerCase()).includes(key.toLowerCase())) {
               found = true
               if (mapObj[key2].type === 'array' && arrIndex && arrIndex >= 0) {
                 dotNewObj[`${key2}.${arrIndex}`] = dotObj[keyOrg] // servicePlan.0.value => servicePlan.0 and groups[0].value => memberOf.0
@@ -2007,16 +2095,19 @@ ScimGateway.prototype.endpointMapper = function endpointMapper (direction, parse
         }
       } else { // string (get)
         const resArr = []
-        let strArr
-        if (Array.isArray(str)) strArr = str
-        else strArr = str.split(',').map(item => item.trim())
+        let strArr = []
+        if (Array.isArray(str)) {
+          for (let i = 0; i < str.length; i++) {
+            strArr = strArr.concat(str[i].split(',').map(item => item.trim())) // supports "id,userName" e.g. {"mapTo": "id,userName"}
+          }
+        } else strArr = str.split(',').map(item => item.trim())
         for (let i = 0; i < strArr.length; i++) {
           const attr = strArr[i]
           let found = false
           for (const key in mapObj) {
-            if (mapObj[key].mapTo === attr) {
+            if (mapObj[key].mapTo && mapObj[key].mapTo.split(',').map(item => item.trim()).includes(attr)) { // supports { "mapTo": "userName,id" }
               found = true
-              resArr.push(key)
+              if (!resArr.includes(key)) resArr.push(key)
               break
             } else if (attr === 'roles' && mapObj[key].mapTo === 'roles.value') { // allow get using attribute roles - convert to correct roles.value
               found = true
@@ -2098,7 +2189,10 @@ ScimGateway.prototype.endpointMapper = function endpointMapper (direction, parse
               mapTo = mapTo.replace('.', '##') // only first occurence
               noneCore = true
             }
-            dotNewObj[mapTo] = dotObj[key] // {"active": {"mapTo": "accountEnabled"} => str.replace("accountEnabled", "active")
+            const arrMapTo = mapTo.split(',').map(item => item.trim()) // supports {"mapTo": "id,userName"}
+            for (let i = 0; i < arrMapTo.length; i++) {
+              dotNewObj[arrMapTo[i]] = dotObj[key] // {"active": {"mapTo": "accountEnabled"} => str.replace("accountEnabled", "active")
+            }
           }
           let mapTo = mapObj[key].mapTo
           if (mapTo.startsWith('urn:')) {
@@ -2623,7 +2717,7 @@ const clearObjectValues = (o, parent) => {
 //
 const jsonErr = (scimVersion, pluginName, htmlErrCode, err, scimType) => {
   let errJson = {}
-  let msg = `ScimGateway[${pluginName}] `
+  let msg = `scimgateway[${pluginName}] `
   err.constructor === Error ? msg += err.message : msg += err
 
   if (scimVersion !== '2.0' && scimVersion !== 2) { // v1.1

package/lib/utils.js

@@ -373,3 +373,20 @@ module.exports.getEncrypted = function (pw, seed) {
   }
   return undefined
 }
+
+// aadUnExtUpn convert Azure AD guest UPN to origin target UPN
+// john.doe_company.com#EXT#@company.onmicrosoft.com => john.doe@company.com
+module.exports.aadUnExtUpn = function (upn) {
+  const arr = upn.split('#EXT#')
+  if (arr.length === 1) return arr[0]
+  const extArr = arr[0].split('_')
+  if (extArr.length === 1) return extArr[0]
+  else {
+    upn = extArr[0]
+    for (let i = 1; i < extArr.length - 1; i++) {
+      upn += `_${extArr[i]}`
+    }
+    upn += `@${extArr[extArr.length - 1]}`
+  }
+  return upn
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "4.1.0",
+  "version": "4.1.3",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",
   "homepage": "https://elshaug.xyz",

package/test/lib/plugin-loki.js

@@ -13,7 +13,6 @@ const options = {
 }
 
 describe('plugin-loki tests', () => {
-
   it('getUsers all test (1)', function (done) {
     server_8880.get('/Users' +
       '?startIndex=1&count=100')
@@ -362,7 +361,7 @@ describe('plugin-loki tests', () => {
   */
 
   it('modifyUser test', (done) => {
-    var user = {
+    let user = {
       Operations: [
         {
           op: 'replace',
@@ -490,7 +489,11 @@ describe('plugin-loki tests', () => {
       }],
       'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User': {
         employeeNumber: '1111'
-      }
+      },
+      groups: [
+        { value: 'Employees', display: 'Employees' },
+        { value: 'Admins', display: 'Admins' }
+      ]
     }
 
     server_8880.put('/Users/jgilber')
@@ -517,6 +520,9 @@ describe('plugin-loki tests', () => {
         expect(user['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].manager).to.equal(undefined) // deleted
         expect(user['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].test1).to.equal(undefined) // deleted
         expect(user['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].test2).to.equal(undefined) // deleted
+        expect(user.groups.length).to.equal(2)
+        expect(user.groups[0].value).to.equal('Admins')
+        expect(user.groups[1].value).to.equal('Employees')
         done()
       })
   })