scimgateway 4.1.2 → 4.1.3

package/README.md

@@ -208,7 +208,8 @@ Below shows an example of config\plugin-saphana.json
         "scim": {
           "version": "2.0",
           "customSchema": null,
-          "skipTypeConvert" : false
+          "skipTypeConvert" : false,
+          "usePutSoftSync" : false
         },
         "log": {
           "loglevel": {
@@ -326,6 +327,8 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 		]  
 
 
+- **scim.usePutSoftSync** - true or false, default false. `PUT /Users/bjensen` will replace the user bjensen with body content. If body contains groups, usePutSoftsync=true will prevent removing any existing groups that are not included in body.groups   
+
 - **log.loglevel.file** - off, error, info, or debug. Output to plugin-logfile e.g. `logs\plugin-saphana.log`  
 
 - **log.loglevel.console** - off, error, info, or debug. Output to stdout and errors to stderr.   
@@ -347,7 +350,7 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 
 - **auth.bearerOAuth** - Array of one or more Client Credentials OAuth configuration objects. **`client_id`** and **`client_secret`** are mandatory. client_secret value will become encrypted when gateway is started. OAuth token request url is **/oauth/token** e.g. http://localhost:8880/oauth/token  
 
-- **certificate** - If not using SSL/TLS certificate, set "key", "cert" and "ca" to **null**. When using SSL/TLS, "key" and "cert" have to be defined with the filename corresponding to the primary-key and public-certificate. Both files must be located in the `<package-root>\config\certs` directory e.g:  
+- **certificate** - If not using TLS certificate, set "key", "cert" and "ca" to **null**. When using TLS, "key" and "cert" have to be defined with the filename corresponding to the primary-key and public-certificate. Both files must be located in the `<package-root>\config\certs` directory e.g:  
   
 		"certificate": {
 		  "key": "key.pem",
@@ -1139,6 +1142,30 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v4.1.3  
+[Fixed] 
+
+- createUser response did not include the id that was returned by plugin   
+
+[Added] 
+
+- PUT (Replace User) now includes group handling. Using configuration `scim.usePutSoftsync=true` will prevent removing any existing groups that are not included in body.groups
+
+    Example:  
+
+        PUT /Users/bjensen
+        {
+          ...
+		  "groups": [
+            {"value":"Employees","display":"Employees"},
+            {"value":"Admins","display":"Admins"}
+           ],
+          ...
+        }
+
+
+
+
 ### v4.1.2  
 [Added] 
 

package/config/plugin-api.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/config/plugin-azure-ad.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "1.1",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/config/plugin-forwardinc.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/config/plugin-ldap.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/config/plugin-loki.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/config/plugin-mongodb.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/config/plugin-mssql.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/config/plugin-saphana.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/config/plugin-scim.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/lib/scimgateway.js

@@ -276,8 +276,8 @@ const ScimGateway = function () {
     }
   }
 
-  this.testmodeusers = scimDef.TestmodeUsers.Resources // exported and used by plugin-loki
-  this.testmodegroups = scimDef.TestmodeGroups.Resources // exported and used by plugin-loki
+  this.testmodeusers = scimDef.TestmodeUsers.Resources // exposed and used by plugin-loki
+  this.testmodegroups = scimDef.TestmodeGroups.Resources // exposed and used by plugin-loki
 
   // multiValueTypes array contains attributes that will be used by "type converted objects" logic
   // groups, roles, and members are excluded
@@ -1083,33 +1083,36 @@ const ScimGateway = function () {
       return
     }
     logger.debug(`${gwName}[${pluginName}] calling "${handle.createMethod}" and awaiting result`)
+    delete jsonBody.id // in case included in request
     try {
       const res = await this[handle.createMethod](ctx.params.baseEntity, scimdata)
-      for (const key in res) { // merge any result e.g: data = {'id': 'xxxx'}
+      for (const key in res) { // merge any result e.g: {'id': 'xxxx'}
         jsonBody[key] = res[key]
       }
 
-      let obj
-      try { // retrieve id
-        if (handle.createMethod === 'createUser') {
-          if (jsonBody.userName) {
-            jsonBody.id = jsonBody.userName
-            obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'userName', operator: 'eq', value: jsonBody.userName }, ['id', 'userName'])
-          } else if (jsonBody.externalId) {
-            jsonBody.id = jsonBody.externalId
-            obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'externalId', operator: 'eq', value: jsonBody.externalId }, ['id', 'externalId'])
-          }
-        } else if (handle.createMethod === 'createGroup') {
-          if (jsonBody.externalId) {
-            jsonBody.id = jsonBody.externalId
-            obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'externalId', operator: 'eq', value: jsonBody.externalId }, ['id', 'externalId'])
-          } else if (jsonBody.displayName) {
-            jsonBody.id = jsonBody.displayName
-            obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'displayName', operator: 'eq', value: jsonBody.displayName }, ['id', 'displayName'])
+      if (!jsonBody.id) { // retrieve id
+        let obj
+        try {
+          if (handle.createMethod === 'createUser') {
+            if (jsonBody.userName) {
+              jsonBody.id = jsonBody.userName
+              obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'userName', operator: 'eq', value: jsonBody.userName }, ['id', 'userName'])
+            } else if (jsonBody.externalId) {
+              jsonBody.id = jsonBody.externalId
+              obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'externalId', operator: 'eq', value: jsonBody.externalId }, ['id', 'externalId'])
+            }
+          } else if (handle.createMethod === 'createGroup') {
+            if (jsonBody.externalId) {
+              jsonBody.id = jsonBody.externalId
+              obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'externalId', operator: 'eq', value: jsonBody.externalId }, ['id', 'externalId'])
+            } else if (jsonBody.displayName) {
+              jsonBody.id = jsonBody.displayName
+              obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'displayName', operator: 'eq', value: jsonBody.displayName }, ['id', 'displayName'])
+            }
           }
-        }
-      } catch (err) { }
-      if (obj && obj.id) jsonBody.id = obj.id
+        } catch (err) { }
+        if (obj && obj.id) jsonBody.id = obj.id
+      }
 
       const location = `${ctx.origin}${ctx.path}/${jsonBody.id}`
       if (!jsonBody.meta) jsonBody.meta = {}
@@ -1256,6 +1259,10 @@ const ScimGateway = function () {
   // ==========================================
   router.put([`/(|scim/)(!${undefined}|Users|Groups|servicePlans)/:id`,
   `/:baseEntity/(|scim/)(!${undefined}|Users|Groups|servicePlans)/:id`], async (ctx) => {
+    await replaceUsrGrp(ctx)
+  })
+
+  const replaceUsrGrp = async (ctx, isExtCaller) => {
     let u = ctx.originalUrl.substr(0, ctx.originalUrl.lastIndexOf('/'))
     u = u.substr(u.lastIndexOf('/') + 1) // u = Users, Groups
     const handle = handler[u]
@@ -1268,7 +1275,7 @@ const ScimGateway = function () {
       err = jsonErr(config.scim.version, pluginName, ctx.status, err)
       ctx.body = err
     } else {
-      logger.debug(`${gwName}[${pluginName}] [Modify ${handle.description}] id=${id}`)
+      if (!isExtCaller) logger.debug(`${gwName}[${pluginName}] [Replace ${handle.description}] id=${id}`)
       logger.debug(`${gwName}[${pluginName}] PUT ${ctx.originalUrl} body=${strBody}`)
       try {
         // get current object
@@ -1302,6 +1309,86 @@ const ScimGateway = function () {
         logger.debug(`${gwName}[${pluginName}] calling "${handle.modifyMethod}" and awaiting result`)
         await this[handle.modifyMethod](ctx.params.baseEntity, id, scimdata)
 
+        // add/remove groups
+        if (jsonBody.groups && Array.isArray(jsonBody.groups)) { // only if groups included, { "groups": [] } will remove all existing
+          if (typeof this[handler.groups.getMethod] !== 'function' || typeof this[handler.groups.modifyMethod] !== 'function') {
+            throw new Error('replaceUser error: put operation can not be fully completed for the user`s groups, methods like getGroups() and modifyGroup() are not implemented')
+          }
+          let currentGroups
+          if (currentObj.groups && Array.isArray(currentObj.groups)) currentGroups = currentObj.groups
+          else { // try to get current groups the standard way
+            let res
+            try {
+              res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: decodeURIComponent(id) }, ['members.value', 'id', 'displayName']) // await scimgateway.getUserGroups(baseEntity, userObj.id, 'members.value,displayName')
+            } catch (err) {} // method may be implemented but throwing error like groups not supported/implemented
+            currentGroups = []
+            if (res && res.Resources && Array.isArray(res.Resources) && res.Resources.length > 0) {
+              for (let i = 0; i < res.Resources.length; i++) {
+                if (!res.Resources[i].id) continue
+                const el = {}
+                el.value = res.Resources[i].id
+                if (res.Resources[i].displayName) el.display = res.Resources[i].displayName
+                if (el.value) currentGroups.push(el) // { "value": "Admins", "display": "Admins"}
+              }
+            }
+          }
+          const addGrps = []
+          const removeGrps = []
+          // add
+          for (let i = 0; i < jsonBody.groups.length; i++) {
+            let found = false
+            for (let j = 0; j < currentGroups.length; j++) {
+              if (jsonBody.groups[i].value === currentGroups[j].value) {
+                found = true
+                break
+              }
+            }
+            if (!found && jsonBody.groups[i].value) addGrps.push(jsonBody.groups[i].value)
+          }
+          // remove
+          for (let i = 0; i < currentGroups.length; i++) {
+            let found = false
+            for (let j = 0; j < jsonBody.groups.length; j++) {
+              if (currentGroups[i].value === jsonBody.groups[j].value) {
+                found = true
+                break
+              }
+            }
+            if (!found && currentGroups[i].value) removeGrps.push(currentGroups[i].value)
+          }
+
+          const addGroups = async (grp) => {
+            const obj = { members: [{ value: id }] }
+            return await this[handler.groups.modifyMethod](ctx.params.baseEntity, grp, obj)
+          }
+
+          const removeGroups = async (grp) => {
+            const obj = { members: [{ operation: 'delete', value: id }] }
+            return await this[handler.groups.modifyMethod](ctx.params.baseEntity, grp, obj)
+          }
+
+          let errRemove
+          if (!config.scim.usePutSoftSync) { // default will remove any existing groups not included, usePutSoftSync=true prevents removing groups (only add groups)
+            await Promise.all(removeGrps.map((grp) => removeGroups(grp)))
+              .then()
+              .catch((err) => {
+                errRemove = err
+              })
+          }
+
+          let errAdd
+          await Promise.all(addGrps.map((grp) => addGroups(grp)))
+            .then()
+            .catch((err) => {
+              errAdd = err
+            })
+
+          let errMsg = ''
+          if (errRemove) errMsg = `removeGroups error: ${errRemove.message}`
+          if (errAdd) errMsg += `${errMsg ? ' ' : ''}addGroups error: ${errAdd.message}`
+          if (errMsg) throw new Error(errMsg)
+        }
+
         // get updated object
         logger.debug(`${gwName}[${pluginName}] calling "${handle.getMethod}" and awaiting result`)
         res = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'id', operator: 'eq', value: id }, [])
@@ -1313,7 +1400,7 @@ const ScimGateway = function () {
         else throw Error(`put using method ${handle.getMethod} got unexpected response: ${JSON.stringify(res)}`)
 
         // include groups
-        if (handle.getMethod === handler.users.getMethod) {
+        if (handle.getMethod === handler.users.getMethod && typeof this[handler.groups.getMethod] === 'function') {
           logger.debug(`${gwName}[${pluginName}] calling "${handler.groups.getMethod}" and awaiting result`)
           const res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: id }, ['members.value', 'id', 'displayName'])
           let grps = []
@@ -1346,7 +1433,8 @@ const ScimGateway = function () {
         ctx.body = e
       }
     }
-  }) // put
+  }
+  this.replaceUsrGrp = replaceUsrGrp // exposed
 
   // ==========================================
   //           API POST (no SCIM)
@@ -1782,7 +1870,7 @@ const ScimGateway = function () {
 // exported methods
 //
 ScimGateway.prototype.endpointMap = endpointMap
-ScimGateway.prototype.countries = endpointMap
+ScimGateway.prototype.countries = countries
 
 ScimGateway.prototype.getPassword = (pwEntity, configFile) => {
   return utils.getPassword(pwEntity, configFile) // utils.getPassword('scimgateway.password', './config/plugin-testmode.json');
@@ -2629,7 +2717,7 @@ const clearObjectValues = (o, parent) => {
 //
 const jsonErr = (scimVersion, pluginName, htmlErrCode, err, scimType) => {
   let errJson = {}
-  let msg = `ScimGateway[${pluginName}] `
+  let msg = `scimgateway[${pluginName}] `
   err.constructor === Error ? msg += err.message : msg += err
 
   if (scimVersion !== '2.0' && scimVersion !== 2) { // v1.1

package/lib/utils.js

@@ -373,3 +373,20 @@ module.exports.getEncrypted = function (pw, seed) {
   }
   return undefined
 }
+
+// aadUnExtUpn convert Azure AD guest UPN to origin target UPN
+// john.doe_company.com#EXT#@company.onmicrosoft.com => john.doe@company.com
+module.exports.aadUnExtUpn = function (upn) {
+  const arr = upn.split('#EXT#')
+  if (arr.length === 1) return arr[0]
+  const extArr = arr[0].split('_')
+  if (extArr.length === 1) return extArr[0]
+  else {
+    upn = extArr[0]
+    for (let i = 1; i < extArr.length - 1; i++) {
+      upn += `_${extArr[i]}`
+    }
+    upn += `@${extArr[extArr.length - 1]}`
+  }
+  return upn
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "4.1.2",
+  "version": "4.1.3",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",
   "homepage": "https://elshaug.xyz",

package/test/lib/plugin-loki.js

@@ -13,7 +13,6 @@ const options = {
 }
 
 describe('plugin-loki tests', () => {
-
   it('getUsers all test (1)', function (done) {
     server_8880.get('/Users' +
       '?startIndex=1&count=100')
@@ -362,7 +361,7 @@ describe('plugin-loki tests', () => {
   */
 
   it('modifyUser test', (done) => {
-    var user = {
+    let user = {
       Operations: [
         {
           op: 'replace',
@@ -490,7 +489,11 @@ describe('plugin-loki tests', () => {
       }],
       'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User': {
         employeeNumber: '1111'
-      }
+      },
+      groups: [
+        { value: 'Employees', display: 'Employees' },
+        { value: 'Admins', display: 'Admins' }
+      ]
     }
 
     server_8880.put('/Users/jgilber')
@@ -517,6 +520,9 @@ describe('plugin-loki tests', () => {
         expect(user['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].manager).to.equal(undefined) // deleted
         expect(user['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].test1).to.equal(undefined) // deleted
         expect(user['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].test2).to.equal(undefined) // deleted
+        expect(user.groups.length).to.equal(2)
+        expect(user.groups[0].value).to.equal('Admins')
+        expect(user.groups[1].value).to.equal('Employees')
         done()
       })
   })