scimgateway 4.1.2 → 4.1.5

package/README.md

@@ -16,8 +16,9 @@ Validated through IdP's:
   
 Latest news:  
 
+- **BREAKING**: [SCIM Stream](https://elshaug.xyz/docs/scim-stream) is the modern way of user provisioning letting clients subscribe to messages instead of traditional IGA top-down provisioning. SCIM Stream includes **SCIM Stream Gateway**, the next generation SCIM Gateway that supports message subscription and automated provisioning
 - Supporting OAuth Client Credentials authentication
-- Major version v4.0.0. getUsers() and getGroups() replacing some deprecated methods. No limitations on filtering/sorting. Admin user access can be limited to specific baseEntities. New MongoDB plugin  
+- Major version v4.0.0. getUsers() and getGroups() replacing some deprecated methods. No limitations on filtering/sorting. Admin user access can be linked to specific baseEntities. New MongoDB plugin  
 - ipAllowList for restricting access to allowlisted IP addresses or subnets e.g. Azure AD IP-range  
 - General LDAP plugin configured for Active Directory  
 - [PlugSSO](https://elshaug.xyz/docs/plugsso) using SCIM Gateway
@@ -39,7 +40,7 @@ Using Identity Manager, we could setup one or more endpoints of type SCIM pointi
 
 ![](https://jelhub.github.io/images/ScimGateway.svg)
 
-SCIM Gateway is based on the popular asynchronous event driven framework [Node.js](https://nodejs.dev/) using JavaScript. It is firewall friendly using REST webservices. Runs on almost all operating systems, and may load balance between hosts (horizontal) and cpu's (vertical). Could even be uploaded and run as a cloud application.
+SCIM Gateway is based on the popular asynchronous event driven framework [Node.js](https://nodejs.dev/) using JavaScript. It is cloud and firewall friendly using REST webservices. Runs on almost all operating systems, and may load balance between hosts (horizontal) and cpu's (vertical).
 
 **Following example plugins are included:**
 
@@ -52,18 +53,18 @@ Setting `{"persistence": true}` gives persistence file store (no test users)
 Example of a fully functional SCIM Gateway plugin  
 
 * **MongoDB** (NoSQL Document-Oriented Database)  
-Same as plugin "Loki" but using MongoDB  
+Same as plugin "Loki" but using external MongoDB  
 Shows how to implement a highly configurable multi tenant or multi endpoint solution through `baseEntity` in URL
 
 * **SCIM** (REST Webservice)  
-Demonstrates user provisioning towards a SCIM endpoint using REST   
+Demonstrates user provisioning towards REST-Based endpoint (type SCIM) 
 Using plugin "Loki" as SCIM endpoint  
 Can be used as SCIM version-gateway e.g. 1.1=>2.0 or 2.0=>1.1  
 Can be used to chain several SCIM Gateway's  
 
 
 * **Forwardinc** (SOAP Webservice)  
-Demonstrates provisioning towards SOAP-Based endpoint   
+Demonstrates user provisioning towards SOAP-Based endpoint   
 Using endpoint Forwardinc that comes with Broadcom/CA IM SDK (SDKWS) - [wiki.ca.com](https://docops.ca.com/ca-identity-manager/12-6-8/EN/programming/connector-programming-reference/sdk-sample-connectors/sdkws-sdk-web-services-connector/sdkws-sample-connector-build-requirements "wiki.ca.com")    
 Shows how to implement a highly configurable multi tenant or multi endpoint solution through `baseEntity` in URL  
 
@@ -208,7 +209,8 @@ Below shows an example of config\plugin-saphana.json
         "scim": {
           "version": "2.0",
           "customSchema": null,
-          "skipTypeConvert" : false
+          "skipTypeConvert" : false,
+          "usePutSoftSync" : false
         },
         "log": {
           "loglevel": {
@@ -326,6 +328,8 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 		]  
 
 
+- **scim.usePutSoftSync** - true or false, default false. `PUT /Users/bjensen` will replace the user bjensen with body content. If body contains groups, usePutSoftsync=true will prevent removing any existing groups that are not included in body.groups   
+
 - **log.loglevel.file** - off, error, info, or debug. Output to plugin-logfile e.g. `logs\plugin-saphana.log`  
 
 - **log.loglevel.console** - off, error, info, or debug. Output to stdout and errors to stderr.   
@@ -347,7 +351,7 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 
 - **auth.bearerOAuth** - Array of one or more Client Credentials OAuth configuration objects. **`client_id`** and **`client_secret`** are mandatory. client_secret value will become encrypted when gateway is started. OAuth token request url is **/oauth/token** e.g. http://localhost:8880/oauth/token  
 
-- **certificate** - If not using SSL/TLS certificate, set "key", "cert" and "ca" to **null**. When using SSL/TLS, "key" and "cert" have to be defined with the filename corresponding to the primary-key and public-certificate. Both files must be located in the `<package-root>\config\certs` directory e.g:  
+- **certificate** - If not using TLS certificate, set "key", "cert" and "ca" to **null**. When using TLS, "key" and "cert" have to be defined with the filename corresponding to the primary-key and public-certificate. Both files must be located in the `<package-root>\config\certs` directory e.g:  
   
 		"certificate": {
 		  "key": "key.pem",
@@ -1139,6 +1143,44 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v4.1.5  
+[Added]  
+
+Announcing some SCIM Gateway related news:  
+
+- [SCIM Stream](https://elshaug.xyz/docs/scim-stream) is the modern way of user provisioning letting clients subscribe to messages instead of traditional IGA top-down provisioning. SCIM Stream includes **SCIM Stream Gateway**, the next generation SCIM Gateway that supports message subscription and automated provisioning
+
+
+### v4.1.4  
+[Fixed] 
+
+- TypeConvert logic for multivalue attribute `addresses` did not correctly catch duplicate entries  
+- PUT (Replace User) configuration `scim.usePutSoftsync=true` will also prevent removing any existing roles that are not included in body.roles ref. v4.1.3
+
+### v4.1.3  
+[Fixed] 
+
+- createUser response did not include the id that was returned by plugin   
+
+[Added] 
+
+- PUT (Replace User) now includes group handling. Using configuration `scim.usePutSoftsync=true` will prevent removing any existing groups that are not included in body.groups
+
+    Example:  
+
+        PUT /Users/bjensen
+        {
+          ...
+		  "groups": [
+            {"value":"Employees","display":"Employees"},
+            {"value":"Admins","display":"Admins"}
+           ],
+          ...
+        }
+
+
+
+
 ### v4.1.2  
 [Added] 
 

package/config/plugin-api.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/config/plugin-azure-ad.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "1.1",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/config/plugin-forwardinc.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/config/plugin-ldap.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/config/plugin-loki.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/config/plugin-mongodb.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/config/plugin-mssql.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/config/plugin-saphana.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/config/plugin-scim.json

@@ -5,7 +5,8 @@
     "scim": {
       "version": "2.0",
       "customSchema": null,
-      "skipTypeConvert": false
+      "skipTypeConvert": false,
+      "usePutSoftSync": false
     },
     "log": {
       "loglevel": {

package/lib/plugin-loki.js

@@ -272,7 +272,7 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj) => {
         } else { // add
           if (!userObj[key]) userObj[key] = []
           let exists
-          if (el.value) exists = userObj[key].find(e => e.value && e.value === el.value)
+          if (el.value) exists = userObj[key].find(e => e.value && e.value === el.value && e.type === el.type) // allowing same value on different type (type not mandatory)
           if (!exists) userObj[key].push(el)
         }
       })

package/lib/plugin-mongodb.js

@@ -355,7 +355,7 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj) => {
         } else { // add
           if (!userObj[key]) userObj[key] = []
           let exists
-          if (el.value) exists = userObj[key].find(e => e.value && e.value === el.value)
+          if (el.value) exists = userObj[key].find(e => e.value && e.value === el.value && e.type === el.type) // allowing same value on different type (type not mandatory)
           if (!exists) userObj[key].push(el)
         }
       })

package/lib/scimgateway.js

@@ -276,8 +276,8 @@ const ScimGateway = function () {
     }
   }
 
-  this.testmodeusers = scimDef.TestmodeUsers.Resources // exported and used by plugin-loki
-  this.testmodegroups = scimDef.TestmodeGroups.Resources // exported and used by plugin-loki
+  this.testmodeusers = scimDef.TestmodeUsers.Resources // exposed and used by plugin-loki
+  this.testmodegroups = scimDef.TestmodeGroups.Resources // exposed and used by plugin-loki
 
   // multiValueTypes array contains attributes that will be used by "type converted objects" logic
   // groups, roles, and members are excluded
@@ -1083,33 +1083,36 @@ const ScimGateway = function () {
       return
     }
     logger.debug(`${gwName}[${pluginName}] calling "${handle.createMethod}" and awaiting result`)
+    delete jsonBody.id // in case included in request
     try {
       const res = await this[handle.createMethod](ctx.params.baseEntity, scimdata)
-      for (const key in res) { // merge any result e.g: data = {'id': 'xxxx'}
+      for (const key in res) { // merge any result e.g: {'id': 'xxxx'}
         jsonBody[key] = res[key]
       }
 
-      let obj
-      try { // retrieve id
-        if (handle.createMethod === 'createUser') {
-          if (jsonBody.userName) {
-            jsonBody.id = jsonBody.userName
-            obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'userName', operator: 'eq', value: jsonBody.userName }, ['id', 'userName'])
-          } else if (jsonBody.externalId) {
-            jsonBody.id = jsonBody.externalId
-            obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'externalId', operator: 'eq', value: jsonBody.externalId }, ['id', 'externalId'])
-          }
-        } else if (handle.createMethod === 'createGroup') {
-          if (jsonBody.externalId) {
-            jsonBody.id = jsonBody.externalId
-            obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'externalId', operator: 'eq', value: jsonBody.externalId }, ['id', 'externalId'])
-          } else if (jsonBody.displayName) {
-            jsonBody.id = jsonBody.displayName
-            obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'displayName', operator: 'eq', value: jsonBody.displayName }, ['id', 'displayName'])
+      if (!jsonBody.id) { // retrieve id
+        let obj
+        try {
+          if (handle.createMethod === 'createUser') {
+            if (jsonBody.userName) {
+              jsonBody.id = jsonBody.userName
+              obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'userName', operator: 'eq', value: jsonBody.userName }, ['id', 'userName'])
+            } else if (jsonBody.externalId) {
+              jsonBody.id = jsonBody.externalId
+              obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'externalId', operator: 'eq', value: jsonBody.externalId }, ['id', 'externalId'])
+            }
+          } else if (handle.createMethod === 'createGroup') {
+            if (jsonBody.externalId) {
+              jsonBody.id = jsonBody.externalId
+              obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'externalId', operator: 'eq', value: jsonBody.externalId }, ['id', 'externalId'])
+            } else if (jsonBody.displayName) {
+              jsonBody.id = jsonBody.displayName
+              obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'displayName', operator: 'eq', value: jsonBody.displayName }, ['id', 'displayName'])
+            }
           }
-        }
-      } catch (err) { }
-      if (obj && obj.id) jsonBody.id = obj.id
+        } catch (err) { }
+        if (obj && obj.id) jsonBody.id = obj.id
+      }
 
       const location = `${ctx.origin}${ctx.path}/${jsonBody.id}`
       if (!jsonBody.meta) jsonBody.meta = {}
@@ -1206,7 +1209,7 @@ const ScimGateway = function () {
     } else {
       logger.debug(`${gwName}[${pluginName}] [Modify ${handle.description}] id=${id}`)
       let scimdata, err
-      if (jsonBody.Operations) [scimdata, err] = convertedScim20(jsonBody) // v2.0
+      if (jsonBody.Operations) [scimdata, err] = ScimGateway.prototype.convertedScim20(jsonBody) // v2.0
       else [scimdata, err] = ScimGateway.prototype.convertedScim(jsonBody) // v1.1
       logger.debug(`${gwName}[${pluginName}] convertedBody=${JSON.stringify(scimdata)}`)
       if (err) {
@@ -1268,7 +1271,6 @@ const ScimGateway = function () {
       err = jsonErr(config.scim.version, pluginName, ctx.status, err)
       ctx.body = err
     } else {
-      logger.debug(`${gwName}[${pluginName}] [Modify ${handle.description}] id=${id}`)
       logger.debug(`${gwName}[${pluginName}] PUT ${ctx.originalUrl} body=${strBody}`)
       try {
         // get current object
@@ -1286,6 +1288,18 @@ const ScimGateway = function () {
         delete clearedObj.password
         delete clearedObj.meta
 
+        // usePutSoftSync=true prevents removing existing roles (only add roles)
+        if (config.scim.usePutSoftSync) {
+          if (clearedObj.roles && Array.isArray(clearedObj.roles)) {
+            for (let i = 0; i < clearedObj.roles.length; i++) {
+              if (clearedObj.roles[i].operation && clearedObj.roles[i].operation === 'delete') {
+                clearedObj.roles.splice(i, 1) // delete
+                i -= 1
+              }
+            }
+          }
+        }
+
         // merge cleared object with the new
         const newObj = utils.extendObj(clearedObj, jsonBody)
         delete newObj.id
@@ -1302,6 +1316,86 @@ const ScimGateway = function () {
         logger.debug(`${gwName}[${pluginName}] calling "${handle.modifyMethod}" and awaiting result`)
         await this[handle.modifyMethod](ctx.params.baseEntity, id, scimdata)
 
+        // add/remove groups
+        if (jsonBody.groups && Array.isArray(jsonBody.groups)) { // only if groups included, { "groups": [] } will remove all existing
+          if (typeof this[handler.groups.getMethod] !== 'function' || typeof this[handler.groups.modifyMethod] !== 'function') {
+            throw new Error('replaceUser error: put operation can not be fully completed for the user`s groups, methods like getGroups() and modifyGroup() are not implemented')
+          }
+          let currentGroups
+          if (currentObj.groups && Array.isArray(currentObj.groups)) currentGroups = currentObj.groups
+          else { // try to get current groups the standard way
+            let res
+            try {
+              res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: decodeURIComponent(id) }, ['members.value', 'id', 'displayName']) // await scimgateway.getUserGroups(baseEntity, userObj.id, 'members.value,displayName')
+            } catch (err) {} // method may be implemented but throwing error like groups not supported/implemented
+            currentGroups = []
+            if (res && res.Resources && Array.isArray(res.Resources) && res.Resources.length > 0) {
+              for (let i = 0; i < res.Resources.length; i++) {
+                if (!res.Resources[i].id) continue
+                const el = {}
+                el.value = res.Resources[i].id
+                if (res.Resources[i].displayName) el.display = res.Resources[i].displayName
+                if (el.value) currentGroups.push(el) // { "value": "Admins", "display": "Admins"}
+              }
+            }
+          }
+          const addGrps = []
+          const removeGrps = []
+          // add
+          for (let i = 0; i < jsonBody.groups.length; i++) {
+            let found = false
+            for (let j = 0; j < currentGroups.length; j++) {
+              if (jsonBody.groups[i].value === currentGroups[j].value) {
+                found = true
+                break
+              }
+            }
+            if (!found && jsonBody.groups[i].value) addGrps.push(jsonBody.groups[i].value)
+          }
+          // remove
+          for (let i = 0; i < currentGroups.length; i++) {
+            let found = false
+            for (let j = 0; j < jsonBody.groups.length; j++) {
+              if (currentGroups[i].value === jsonBody.groups[j].value) {
+                found = true
+                break
+              }
+            }
+            if (!found && currentGroups[i].value) removeGrps.push(currentGroups[i].value)
+          }
+
+          const addGroups = async (grp) => {
+            const obj = { members: [{ value: id }] }
+            return await this[handler.groups.modifyMethod](ctx.params.baseEntity, grp, obj)
+          }
+
+          const removeGroups = async (grp) => {
+            const obj = { members: [{ operation: 'delete', value: id }] }
+            return await this[handler.groups.modifyMethod](ctx.params.baseEntity, grp, obj)
+          }
+
+          let errRemove
+          if (!config.scim.usePutSoftSync) { // default will remove any existing groups not included, usePutSoftSync=true prevents removing existing groups (only add groups)
+            await Promise.all(removeGrps.map((grp) => removeGroups(grp)))
+              .then()
+              .catch((err) => {
+                errRemove = err
+              })
+          }
+
+          let errAdd
+          await Promise.all(addGrps.map((grp) => addGroups(grp)))
+            .then()
+            .catch((err) => {
+              errAdd = err
+            })
+
+          let errMsg = ''
+          if (errRemove) errMsg = `removeGroups error: ${errRemove.message}`
+          if (errAdd) errMsg += `${errMsg ? ' ' : ''}addGroups error: ${errAdd.message}`
+          if (errMsg) throw new Error(errMsg)
+        }
+
         // get updated object
         logger.debug(`${gwName}[${pluginName}] calling "${handle.getMethod}" and awaiting result`)
         res = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'id', operator: 'eq', value: id }, [])
@@ -1313,7 +1407,7 @@ const ScimGateway = function () {
         else throw Error(`put using method ${handle.getMethod} got unexpected response: ${JSON.stringify(res)}`)
 
         // include groups
-        if (handle.getMethod === handler.users.getMethod) {
+        if (handle.getMethod === handler.users.getMethod && typeof this[handler.groups.getMethod] === 'function') {
           logger.debug(`${gwName}[${pluginName}] calling "${handler.groups.getMethod}" and awaiting result`)
           const res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: id }, ['members.value', 'id', 'displayName'])
           let grps = []
@@ -1346,7 +1440,7 @@ const ScimGateway = function () {
         ctx.body = e
       }
     }
-  }) // put
+  })
 
   // ==========================================
   //           API POST (no SCIM)
@@ -1719,13 +1813,27 @@ const ScimGateway = function () {
             }
           })
         } else if (multiValueTypes.includes(key)) { // "type converted object" // groups, roles, member and scim.excludeTypeConvert are not included
+          const tmpAddr = []
           scimdata[key].forEach(function (element, index) {
             if (!element.type) element.type = 'undefined' // "none-type"
             if (element.operation && element.operation === 'delete') { // add as delete if same type not included as none delete
               const arr = scimdata[key].filter(obj => obj.type && obj.type === element.type && !obj.operation)
               if (arr.length < 1) {
                 if (!newMulti[key]) newMulti[key] = {}
-                if (newMulti[key][element.type]) err = new Error(`'type converted object' ${key} - includes more than one element having same type, or type is blank on more than one element - note, setting configuration scim.skipTypeConvert=true will disable this logic/check`)
+                if (newMulti[key][element.type]) {
+                  if (['addresses'].includes(key)) { // not checking type, but the others have to be unique
+                    for (const i in element) {
+                      if (i !== 'type') {
+                        if (tmpAddr.includes(i)) {
+                          err = new Error(`'type converted object' ${key} - includes more than one element having same ${i}, or ${i} is blank on more than one element - note, setting configuration scim.skipTypeConvert=true will disable this logic/check`)
+                        }
+                        tmpAddr.push(i)
+                      }
+                    }
+                  } else {
+                    err = new Error(`'type converted object' ${key} - includes more than one element having same type, or type is blank on more than one element - note, setting configuration scim.skipTypeConvert=true will disable this logic/check`)
+                  }
+                }
                 newMulti[key][element.type] = {}
                 for (const i in element) {
                   newMulti[key][element.type][i] = element[i]
@@ -1734,7 +1842,20 @@ const ScimGateway = function () {
               }
             } else {
               if (!newMulti[key]) newMulti[key] = {}
-              if (newMulti[key][element.type]) err = new Error(`'type converted object' ${key} - includes more than one element having same type, or type is blank on more than one element - note, setting configuration scim.skipTypeConvert=true will disable this logic/check`)
+              if (newMulti[key][element.type]) {
+                if (['addresses'].includes(key)) { // not checking type, but the others have to be unique
+                  for (const i in element) {
+                    if (i !== 'type') {
+                      if (tmpAddr.includes(i)) {
+                        err = new Error(`'type converted object' ${key} - includes more than one element having same ${i}, or ${i} is blank on more than one element - note, setting configuration scim.skipTypeConvert=true will disable this logic/check`)
+                      }
+                      tmpAddr.push(i)
+                    }
+                  }
+                } else {
+                  err = new Error(`'type converted object' ${key} - includes more than one element having same type, or type is blank on more than one element - note, setting configuration scim.skipTypeConvert=true will disable this logic/check`)
+                }
+              }
               newMulti[key][element.type] = {}
               for (const i in element) {
                 newMulti[key][element.type][i] = element[i]
@@ -1782,7 +1903,7 @@ const ScimGateway = function () {
 // exported methods
 //
 ScimGateway.prototype.endpointMap = endpointMap
-ScimGateway.prototype.countries = endpointMap
+ScimGateway.prototype.countries = countries
 
 ScimGateway.prototype.getPassword = (pwEntity, configFile) => {
   return utils.getPassword(pwEntity, configFile) // utils.getPassword('scimgateway.password', './config/plugin-testmode.json');
@@ -2406,7 +2527,7 @@ const notValidAttributes = (obj, validScimAttr) => {
 // "type converted object" and blank deleted values
 // {"name":{"givenName":"Rocky",formatted:""},"emails":{"work":{"value":"user@company.com","type":"work"}}}
 //
-const convertedScim20 = (obj) => {
+ScimGateway.prototype.convertedScim20 = function convertedScim20 (obj) {
   let scimdata = {}
   if (!obj.Operations || !Array.isArray(obj.Operations)) return scimdata
   const o = utils.copyObj(obj)
@@ -2593,7 +2714,7 @@ const convertedScim20 = (obj) => {
 // clearObjectValues returns a new object having values set to blank
 // array values are kept, but includes {"operation" : "delete"} - scim 1.1 formatted
 // boolean values e.g. {"active" : true} are kept "as is"
-// parent only used for internal recursive logic
+// parent used for internal recursive logic
 const clearObjectValues = (o, parent) => {
   if (!o) return {}
   let v, key
@@ -2601,18 +2722,14 @@ const clearObjectValues = (o, parent) => {
   for (key in o) {
     v = o[key]
     if (typeof v === 'object' && v !== null) {
-      const objProp = Object.getPrototypeOf(v) // e.g. HttpsProxyAgent {}
+      const objProp = Object.getPrototypeOf(v)
       if (objProp !== null && objProp !== Object.getPrototypeOf({}) && objProp !== Object.getPrototypeOf([])) {
-        output[key] = Object.assign(Object.create(v), v) // e.g. { HttpsProxyAgent {...} }
+        output[key] = Object.assign(Object.create(v), v)
       } else {
         output[key] = clearObjectValues(v, key)
       }
-    } else if (key === 'type') {
-      output[key] = v
-      output.operation = 'delete'
-      if (output.value) output.value = ''
     } else {
-      if (parent && !isNaN(parent) && key === 'value') { // array
+      if (parent && !isNaN(parent)) { // array
         output.operation = 'delete'
         output[key] = v
       } else {
@@ -2629,7 +2746,7 @@ const clearObjectValues = (o, parent) => {
 //
 const jsonErr = (scimVersion, pluginName, htmlErrCode, err, scimType) => {
   let errJson = {}
-  let msg = `ScimGateway[${pluginName}] `
+  let msg = `scimgateway[${pluginName}] `
   err.constructor === Error ? msg += err.message : msg += err
 
   if (scimVersion !== '2.0' && scimVersion !== 2) { // v1.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "4.1.2",
+  "version": "4.1.5",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",
   "homepage": "https://elshaug.xyz",

package/test/lib/plugin-loki.js

@@ -13,7 +13,6 @@ const options = {
 }
 
 describe('plugin-loki tests', () => {
-
   it('getUsers all test (1)', function (done) {
     server_8880.get('/Users' +
       '?startIndex=1&count=100')
@@ -362,7 +361,7 @@ describe('plugin-loki tests', () => {
   */
 
   it('modifyUser test', (done) => {
-    var user = {
+    let user = {
       Operations: [
         {
           op: 'replace',
@@ -490,7 +489,11 @@ describe('plugin-loki tests', () => {
       }],
       'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User': {
         employeeNumber: '1111'
-      }
+      },
+      groups: [
+        { value: 'Employees', display: 'Employees' },
+        { value: 'Admins', display: 'Admins' }
+      ]
     }
 
     server_8880.put('/Users/jgilber')
@@ -517,6 +520,9 @@ describe('plugin-loki tests', () => {
         expect(user['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].manager).to.equal(undefined) // deleted
         expect(user['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].test1).to.equal(undefined) // deleted
         expect(user['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].test2).to.equal(undefined) // deleted
+        expect(user.groups.length).to.equal(2)
+        expect(user.groups[0].value).to.equal('Admins')
+        expect(user.groups[1].value).to.equal('Employees')
         done()
       })
   })