scimgateway 4.1.14 → 4.2.0

package/README.md

@@ -16,9 +16,10 @@ Validated through IdP's:
   
 Latest news:  
 
+- Authentication PassThrough letting plugin pass authentication directly to endpoint for avoid maintaining secrets at the gateway. Kubernetes health checks and shutdown handler support
 - **BREAKING**: [SCIM Stream](https://elshaug.xyz/docs/scim-stream) is the modern way of user provisioning letting clients subscribe to messages instead of traditional IGA top-down provisioning. SCIM Stream includes **SCIM Stream Gateway**, the next generation SCIM Gateway that supports message subscription and automated provisioning
 - Supports OAuth Client Credentials authentication
-- Major version v4.0.0. getUsers() and getGroups() replacing some deprecated methods. No limitations on filtering/sorting. Admin user access can be linked to specific baseEntities. New MongoDB plugin  
+- Major version v4.0.0. getUsers() and getGroups() replacing some deprecated methods. No limitations on filtering/sorting. Admin user access can be linked to specific baseEntities. New MongoDB plugin
 - ipAllowList for restricting access to allowlisted IP addresses or subnets e.g. Azure AD IP-range  
 - General LDAP plugin configured for Active Directory  
 - [PlugSSO](https://elshaug.xyz/docs/plugsso) using SCIM Gateway
@@ -261,7 +262,12 @@ Below shows an example of config\plugin-saphana.json
               "readOnly": false,
               "baseEntities": []
             }
-          ]
+          ],
+          "passThrough": {
+             "enabled": false,
+             "readOnly": false,
+             "baseEntities": []
+          }
         },
 	    "certificate": {
 	      "key": null,
@@ -286,7 +292,12 @@ Below shows an example of config\plugin-saphana.json
 	        "to": null,
 	        "cc": null
 	      }
-	    }
+	    },
+        "kubernetes": {
+          "enabled": false,
+          "shutdownTimeout": 15000,
+          "forceExitTimeout": 1000
+        }
 	  },
 	  "endpoint": {
 	    "host": "hostname",
@@ -300,7 +311,7 @@ Below shows an example of config\plugin-saphana.json
 
 Configuration file have two main JSON objects: `scimgateway` and `endpoint`  
 
-Definitions in `scimgateway` object have fixed attributes, but values can be modified. This object is used by the core functionality of the SCIM Gateway.  
+Definitions in `scimgateway` object have fixed attributes, but values can be modified. Sections not used/configured can be removed. This object is used by the core functionality of the SCIM Gateway.  
 
 Definitions in `endpoint` object are customized according to our plugin code. Plugin typically need this information for communicating with endpoint  
 
@@ -354,6 +365,8 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 
 - **auth.bearerOAuth** - Array of one or more Client Credentials OAuth configuration objects. **`client_id`** and **`client_secret`** are mandatory. client_secret value will become encrypted when gateway is started. OAuth token request url is **/oauth/token** e.g. http://localhost:8880/oauth/token  
 
+- **auth.passThrough** - Setting **auth.passThrough.enabled=true** will bypass SCIM Gateway authentication. Gateway will instead pass ctx containing authentication header to the plugin. Plugin could then use this information for endpoint authentication and we don't have any password/token stored at the gateway. Note, this also requires plugin binary having `scimgateway.authPassThroughAllowed = true` and endpoint logic for handling/passing ctx.request.header.authorization 
+
 - **certificate** - If not using TLS certificate, set "key", "cert" and "ca" to **null**. When using TLS, "key" and "cert" have to be defined with the filename corresponding to the primary-key and public-certificate. Both files must be located in the `<package-root>\config\certs` directory e.g:  
   
 		"certificate": {
@@ -401,6 +414,11 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 - **emailOnError.smtp.to** - Comma separated list of recipients email addresses e.g: "someone@example.com"
 - **emailOnError.smtp.cc** - Comma separated list of cc email addresses
 
+- **kubernetes** - Enable Kubernetes support for healthchecks and graceful shutdown.
+- **kubernetes.enabled** - true or false, true will enable Kubernets health checks and shutdown handler
+- **kubernetes.shutdownTimeout** - Number of milliseconds to wait before shutting down (default 15000).
+- **kubernetes.forceExitTimeout** - Number of milliseconds before forceful exiting (default 1000).
+
 - **endpoint** - Contains endpoint specific configuration according to our **plugin code**.    
  
 #### Configuration notes
@@ -1033,12 +1051,13 @@ Plugins should have following initialization:
 	let validScimAttr = [] // empty array - all attrbutes are supported by endpoint
 	// add any external config process.env and process.file
 	config = scimgateway.processExtConfig(pluginName, config)
+    scimgateway.authPassThroughAllowed = false
 	// mandatory plugin initialization - end
 
 
 ### getUsers  
 
-	scimgateway.getUsers = async (baseEntity, getObj, attributes) => {
+	scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
 	    let ret = {
 	        "Resources": [],
 	        "totalResults": null
@@ -1060,7 +1079,7 @@ ret.totalResults = if supporting pagination, then it should be set to the total
 
 ### deleteUser  
 
-	scimgateway.deleteUser = async (baseEntity, id) => {
+	scimgateway.deleteUser = async (baseEntity, id, ctx) => {
 		...
 		return null
 	} 
@@ -1070,7 +1089,7 @@ ret.totalResults = if supporting pagination, then it should be set to the total
 
 ### modifyUser  
 
-	scimgateway.modifyUser = async (baseEntity, id, attrObj) => {
+	scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
 		...
 		return null
 	} 
@@ -1083,7 +1102,7 @@ Note, multi-value attributes excluding user attribute 'groups' are customized fr
 
 ### getGroups  
 
-	scimgateway.getGroups = async (baseEntity, getObj, attributes) => {
+	scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
 	    let ret = {
 	        "Resources": [],
 	        "totalResults": null
@@ -1105,7 +1124,7 @@ ret.totalResults = if supporting pagination, then it should be set to the total
 
 
 ### createGroup  
-	scimgateway.createGroup = async (baseEntity, groupObj) => {
+	scimgateway.createGroup = async (baseEntity, groupObj, ctx) => {
 		...
 	    return null
 	})
@@ -1115,7 +1134,7 @@ groupObj.displayName contains the group name to be created
 * return null: null if OK, else throw error  
 
 ### deleteGroup  
-	scimgateway.deleteGroup = async (baseEntity, id) => {
+	scimgateway.deleteGroup = async (baseEntity, id, ctx) => {
 		...
 	    return null
 	}
@@ -1125,7 +1144,7 @@ groupObj.displayName contains the group name to be created
 
 ### modifyGroup  
 
-	scimgateway.modifyGroup = async (baseEntity, id, attrObj) => {
+	scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
 		...
 	    return null
 	}
@@ -1146,6 +1165,53 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v4.2.0  
+
+[Added]  
+
+- Kubernetes health checks and shutdown handler support 
+
+    Plugin configuration prerequisite: **kubernetes.enabled=true**      
+
+        "kubernetes": {
+          "enabled": true,
+          "shutdownTimeout": 15000,
+          "forceExitTimeout": 1000
+        }
+
+    **Thanks to Kevin Osborn**
+
+### v4.1.15  
+
+[Added]  
+
+- Authentication PassThrough for passing the authentication directly to plugin without being processed by scimgateway. Plugin can then pass this authentication to endpoint for avoid maintaining secrets at the gateway.   
+
+    Plugin configuration prerequisites: **auth.passThrough.enabled=true**      
+
+        "auth": {
+           ...
+           "passThrough": {
+             "enabled": true,
+             "readOnly": false,
+             "baseEntities": []
+           }
+           ...
+         }
+
+    Plugin binary prerequisites:
+
+        scimgateway.authPassThroughAllowed = true
+        // also need endpoint logic for handling/passing ctx.request.header.authorization
+
+
+    For upgrading existing custom plugins, above mention prerequisites needs to be included and in addition all plugin methods must include the `ctx` parameter e.g.: 
+
+        scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx)
+        // tip, see provided example plugins
+
+    **Thanks to Kevin Osborn**
+
 ### v4.1.14  
 
 [Fixed]  

package/config/plugin-api.json

@@ -57,7 +57,12 @@
           "readOnly": false,
           "baseEntities": []
         }
-      ]
+      ],
+      "passThrough": {
+        "enabled": false,
+        "readOnly": false,
+        "baseEntities": []
+      }
     },
     "certificate": {
       "key": null,
@@ -82,12 +87,19 @@
         "to": null,
         "cc": null
       }
+    },
+    "kubernetes": {
+      "enabled": false,
+      "shutdownTimeout": 15000,
+      "forceExitTimeout": 1000
     }
   },
   "endpoint": {
     "entity": {
       "undefined": {
-        "baseUrls": ["http://fakerestapi.azurewebsites.net"],
+        "baseUrls": [
+          "http://fakerestapi.azurewebsites.net"
+        ],
         "username": "endpointuser",
         "password": "password",
         "proxy": {

package/config/plugin-azure-ad.json

@@ -57,7 +57,12 @@
           "readOnly": false,
           "baseEntities": []
         }
-      ]
+      ],
+      "passThrough": {
+        "enabled": false,
+        "readOnly": false,
+        "baseEntities": []
+      }
     },
     "certificate": {
       "key": null,
@@ -82,6 +87,11 @@
         "to": null,
         "cc": null
       }
+    },
+    "kubernetes": {
+      "enabled": false,
+      "shutdownTimeout": 15000,
+      "forceExitTimeout": 1000
     }
   },
   "endpoint": {

package/config/plugin-forwardinc.json

@@ -57,7 +57,12 @@
           "readOnly": false,
           "baseEntities": []
         }
-      ]
+      ],
+      "passThrough": {
+        "enabled": false,
+        "readOnly": false,
+        "baseEntities": []
+      }
     },
     "certificate": {
       "key": null,
@@ -82,6 +87,11 @@
         "to": null,
         "cc": null
       }
+    },
+    "kubernetes": {
+      "enabled": false,
+      "shutdownTimeout": 15000,
+      "forceExitTimeout": 1000
     }
   },
   "endpoint": {

package/config/plugin-ldap.json

@@ -57,7 +57,12 @@
           "readOnly": false,
           "baseEntities": []
         }
-      ]
+      ],
+      "passThrough": {
+        "enabled": false,
+        "readOnly": false,
+        "baseEntities": []
+      }
     },
     "certificate": {
       "key": null,
@@ -82,6 +87,11 @@
         "to": null,
         "cc": null
       }
+    },
+    "kubernetes": {
+      "enabled": false,
+      "shutdownTimeout": 15000,
+      "forceExitTimeout": 1000
     }
   },
   "endpoint": {

package/config/plugin-loki.json

@@ -57,7 +57,12 @@
           "readOnly": false,
           "baseEntities": []
         }
-      ]
+      ],
+      "passThrough": {
+        "enabled": false,
+        "readOnly": false,
+        "baseEntities": []
+      }
     },
     "certificate": {
       "key": null,
@@ -82,6 +87,11 @@
         "to": null,
         "cc": null
       }
+    },
+    "kubernetes": {
+      "enabled": false,
+      "shutdownTimeout": 15000,
+      "forceExitTimeout": 1000
     }
   },
   "endpoint": {

package/config/plugin-mongodb.json

@@ -63,7 +63,12 @@
           "readOnly": false,
           "baseEntities": []
         }
-      ]
+      ],
+      "passThrough": {
+        "enabled": false,
+        "readOnly": false,
+        "baseEntities": []
+      }
     },
     "certificate": {
       "key": null,
@@ -88,6 +93,11 @@
         "to": null,
         "cc": null
       }
+    },
+    "kubernetes": {
+      "enabled": false,
+      "shutdownTimeout": 15000,
+      "forceExitTimeout": 1000
     }
   },
   "endpoint": {

package/config/plugin-mssql.json

@@ -57,7 +57,12 @@
           "readOnly": false,
           "baseEntities": []
         }
-      ]
+      ],
+      "passThrough": {
+        "enabled": false,
+        "readOnly": false,
+        "baseEntities": []
+      }
     },
     "certificate": {
       "key": null,
@@ -82,6 +87,11 @@
         "to": null,
         "cc": null
       }
+    },
+    "kubernetes": {
+      "enabled": false,
+      "shutdownTimeout": 15000,
+      "forceExitTimeout": 1000
     }
   },
   "endpoint": {

package/config/plugin-saphana.json

@@ -57,7 +57,12 @@
           "readOnly": false,
           "baseEntities": []
         }
-      ]
+      ],
+      "passThrough": {
+        "enabled": false,
+        "readOnly": false,
+        "baseEntities": []
+      }
     },
     "certificate": {
       "key": null,
@@ -82,6 +87,11 @@
         "to": null,
         "cc": null
       }
+    },
+    "kubernetes": {
+      "enabled": false,
+      "shutdownTimeout": 15000,
+      "forceExitTimeout": 1000
     }
   },
   "endpoint": {

package/config/plugin-scim.json

@@ -57,7 +57,12 @@
           "readOnly": false,
           "baseEntities": []
         }
-      ]
+      ],
+      "passThrough": {
+        "enabled": false,
+        "readOnly": false,
+        "baseEntities": []
+      }
     },
     "certificate": {
       "key": null,
@@ -82,12 +87,19 @@
         "to": null,
         "cc": null
       }
+    },
+    "kubernetes": {
+      "enabled": false,
+      "shutdownTimeout": 15000,
+      "forceExitTimeout": 1000
     }
   },
   "endpoint": {
     "entity": {
       "undefined": {
-        "baseUrls": ["http://localhost:8880"],
+        "baseUrls": [
+          "http://localhost:8880"
+        ],
         "scimVersion": "2.0",
         "username": "gwadmin",
         "password": "password",
@@ -98,7 +110,9 @@
         }
       },
       "clientA": {
-        "baseUrls": ["http://localhost:8880"],
+        "baseUrls": [
+          "http://localhost:8880"
+        ],
         "scimVersion": "2.0",
         "username": "gwadmin",
         "password": "password",

package/lib/plugin-api.js

@@ -46,6 +46,7 @@ const configDir = path.join(__dirname, '..', 'config')
 const configFile = path.join(`${configDir}`, `${pluginName}.json`)
 let config = require(configFile).endpoint
 config = scimgateway.processExtConfig(pluginName, config) // add any external config process.env and process.file
+scimgateway.authPassThroughAllowed = false // true enables auth passThrough (no scimgateway authentication). scimgateway instead includes ctx (ctx.request.header) in plugin methods. Note, requires plugin-logic for handling/passing ctx.request.header.authorization to be used in endpoint communication
 // mandatory plugin initialization - end
 
 const _serviceClient = {}
@@ -58,7 +59,7 @@ const _serviceClient = {}
 // post http://localhost:8890/api
 // body = {"eventName":"AssignAccessRoleEvent","subjectName":"RACF_System-B","userID":"peter01"}
 //
-scimgateway.postApi = async (baseEntity, apiObj) => {
+scimgateway.postApi = async (baseEntity, apiObj, ctx) => {
   const action = 'postApi'
   scimgateway.logger.debug(`${pluginName} handling "${action}" apiObj=${JSON.stringify(apiObj)}`)
 
@@ -92,7 +93,7 @@ scimgateway.postApi = async (baseEntity, apiObj) => {
 // put http://localhost:8890/api/1
 // body = {"eventName":"AssignAccessRoleEvent","subjectName":"RACF_System-B","userID":"peter01"}
 //
-scimgateway.putApi = async (baseEntity, id, apiObj) => {
+scimgateway.putApi = async (baseEntity, id, apiObj, ctx) => {
   const action = 'putApi'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id} apiObj=${JSON.stringify(apiObj)}`)
 
@@ -126,7 +127,7 @@ scimgateway.putApi = async (baseEntity, id, apiObj) => {
 // patch http://localhost:8890/api/1
 // body = {"eventName":"AssignAccessRoleEvent","subjectName":"RACF_System-B","userID":"peter01"}
 //
-scimgateway.patchApi = async (baseEntity, id, apiObj) => {
+scimgateway.patchApi = async (baseEntity, id, apiObj, ctx) => {
   const action = 'patchApi'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id} apiObj=${JSON.stringify(apiObj)}`)
 
@@ -160,7 +161,7 @@ scimgateway.patchApi = async (baseEntity, id, apiObj) => {
 // get http://localhost:8890/api/1
 // get http://localhost:8890/api?queries
 //
-scimgateway.getApi = async (baseEntity, id, apiQuery, apiObj) => {
+scimgateway.getApi = async (baseEntity, id, apiQuery, apiObj, ctx) => {
   const action = 'getApi'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id} apiQuery=${JSON.stringify(apiQuery)} apiObj=${JSON.stringify(apiObj)}`)
 
@@ -191,7 +192,7 @@ scimgateway.getApi = async (baseEntity, id, apiQuery, apiObj) => {
 // example:
 // delete http://localhost:8890/api/1
 //
-scimgateway.deleteApi = async (baseEntity, id) => {
+scimgateway.deleteApi = async (baseEntity, id, ctx) => {
   const action = 'deleteApi'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id}`)
 

package/lib/plugin-azure-ad.js

@@ -87,6 +87,7 @@ const configDir = path.join(__dirname, '..', 'config')
 const configFile = path.join(`${configDir}`, `${pluginName}.json`)
 let config = require(configFile).endpoint
 config = scimgateway.processExtConfig(pluginName, config) // add any external config process.env and process.file
+scimgateway.authPassThroughAllowed = false // true enables auth passThrough (no scimgateway authentication). scimgateway instead includes ctx (ctx.request.header) in plugin methods. Note, requires plugin-logic for handling/passing ctx.request.header.authorization to be used in endpoint communication
 // mandatory plugin initialization - end
 
 if (config.map) { // having licensDetails map here instead of config file
@@ -135,7 +136,7 @@ const lock = new scimgateway.Lock()
 // =================================================
 // getUsers
 // =================================================
-scimgateway.getUsers = async (baseEntity, getObj, attributes) => {
+scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
   //
   // "getObj" = { attribute: <>, operator: <>, value: <>, rawFilter: <>, startIndex: <>, count: <> }
   // rawFilter is always included when filtering
@@ -238,7 +239,7 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes) => {
 // =================================================
 // createUser
 // =================================================
-scimgateway.createUser = async (baseEntity, userObj) => {
+scimgateway.createUser = async (baseEntity, userObj, ctx) => {
   const action = 'createUser'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" userObj=${JSON.stringify(userObj)}`)
 
@@ -255,7 +256,7 @@ scimgateway.createUser = async (baseEntity, userObj) => {
   try {
     await doRequest(baseEntity, method, path, body)
     if (attrObj.servicePlan) {
-      await scimgateway.modifyUser(baseEntity, userObj.userName, attrObj)
+      await scimgateway.modifyUser(baseEntity, userObj.userName, attrObj, ctx)
       return null
     } else return (null)
   } catch (err) {
@@ -268,7 +269,7 @@ scimgateway.createUser = async (baseEntity, userObj) => {
 // =================================================
 // deleteUser
 // =================================================
-scimgateway.deleteUser = async (baseEntity, id) => {
+scimgateway.deleteUser = async (baseEntity, id, ctx) => {
   const action = 'deleteUser'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id}`)
   const method = 'DELETE'
@@ -285,7 +286,7 @@ scimgateway.deleteUser = async (baseEntity, id) => {
 // =================================================
 // modifyUser
 // =================================================
-scimgateway.modifyUser = async (baseEntity, id, attrObj) => {
+scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
   const action = 'modifyUser'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id} attrObj=${JSON.stringify(attrObj)}`)
   const arrLicAdd = []
@@ -517,7 +518,7 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj) => {
 // =================================================
 // getGroups
 // =================================================
-scimgateway.getGroups = async (baseEntity, getObj, attributes) => {
+scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
   //
   // "getObj" = { attribute: <>, operator: <>, value: <>, rawFilter: <>, startIndex: <>, count: <> }
   // rawFilter is always included when filtering
@@ -652,7 +653,7 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes) => {
 // =================================================
 // createGroup
 // =================================================
-scimgateway.createGroup = async (baseEntity, groupObj) => {
+scimgateway.createGroup = async (baseEntity, groupObj, ctx) => {
   const action = 'createGroup'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" groupObj=${JSON.stringify(groupObj)}`)
   const body = { displayName: groupObj.displayName }
@@ -663,7 +664,7 @@ scimgateway.createGroup = async (baseEntity, groupObj) => {
   const path = '/Groups'
 
   try {
-    const res = await scimgateway.getGroups(baseEntity, { attribute: 'displayName', operator: 'eq', value: groupObj.displayName }, ['id', 'displayName'])
+    const res = await scimgateway.getGroups(baseEntity, { attribute: 'displayName', operator: 'eq', value: groupObj.displayName }, ['id', 'displayName'], ctx)
     if (res && res.Resources && res.Resources.length > 0) {
       throw new Error(`group ${groupObj.displayName} already exist`)
     }
@@ -679,7 +680,7 @@ scimgateway.createGroup = async (baseEntity, groupObj) => {
 // =================================================
 // deleteGroup
 // =================================================
-scimgateway.deleteGroup = async (baseEntity, id) => {
+scimgateway.deleteGroup = async (baseEntity, id, ctx) => {
   const action = 'deleteGroup'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id}`)
   throw new Error(`${action} error: ${action} is not supported`)
@@ -688,7 +689,7 @@ scimgateway.deleteGroup = async (baseEntity, id) => {
 // =================================================
 // modifyGroup
 // =================================================
-scimgateway.modifyGroup = async (baseEntity, id, attrObj) => {
+scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
   const action = 'modifyGroup'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id} attrObj=${JSON.stringify(attrObj)}`)
 
@@ -755,7 +756,7 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj) => {
 // =================================================
 // getServicePlans
 // =================================================
-scimgateway.getServicePlans = async (baseEntity, getObj, attributes) => {
+scimgateway.getServicePlans = async (baseEntity, getObj, attributes, ctx) => {
   //
   // "getObj" = { attribute: <>, operator: <>, value: <>, rawFilter: <>, startIndex: <>, count: <> }
   // rawFilter is always included when filtering - attribute, operator and value are included when requesting unique object or simpel filtering
@@ -875,7 +876,7 @@ scimgateway.getServicePlans = async (baseEntity, getObj, attributes) => {
 // =================================================
 // createServicePlan
 // =================================================
-scimgateway.createServicePlan = async (baseEntity, id) => {
+scimgateway.createServicePlan = async (baseEntity, id, ctx) => {
   const action = 'createServicePlan'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id}`)
   throw new Error(`${action} error: ${action} is not supported`)
@@ -884,7 +885,7 @@ scimgateway.createServicePlan = async (baseEntity, id) => {
 // =================================================
 // deleteServicePlan
 // =================================================
-scimgateway.deleteServicePlan = async (baseEntity, id) => {
+scimgateway.deleteServicePlan = async (baseEntity, id, ctx) => {
   const action = 'deleteServicePlan'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id}`)
   throw new Error(`${action} error: ${action} is not supported`)
@@ -893,7 +894,7 @@ scimgateway.deleteServicePlan = async (baseEntity, id) => {
 // =================================================
 // modifyServicePlan
 // =================================================
-scimgateway.modifyServicePlan = async (baseEntity, id) => {
+scimgateway.modifyServicePlan = async (baseEntity, id, ctx) => {
   const action = 'modifyServicePlan'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id}`)
   throw new Error(`${action} error: ${action} is not supported`)