scimgateway 4.2.1 → 4.2.3

package/README.md

@@ -1165,6 +1165,18 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v4.2.3  
+
+[Fixed]  
+
+- plugin-loki and plugin-mongodb, for multi-value attributes like emails,phoneNumbers,... that includes primary attribute, only one is allowed having primary value set to true in the multi-value set.
+
+### v4.2.2  
+
+[Fixed]  
+
+- some minor SCIM protocol complient adjustments for beeing fully SCIM API complient with [https://scimvalidator.microsoft.com](https://scimvalidator.microsoft.com)
+
 ### v4.2.1  
 
 [Fixed]  

package/lib/plugin-loki.js

@@ -147,7 +147,9 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
     if (getObj.operator === '$eq' && ['id', 'userName', 'externalId'].includes(getObj.attribute)) {
       // mandatory - unique filtering - single unique user to be returned - correspond to getUser() in versions < 4.x.x
       const queryObj = {}
-      queryObj[getObj.attribute] = getObj.value // { userName: 'bjensen } / { externalId: 'bjensen } / { id: 'bjensen }
+      if (getObj.attribute === 'id') queryObj[getObj.attribute] = getObj.value
+      else queryObj[getObj.attribute] = { $regex: [getObj.value, 'i'] } // case insensitive
+      // new RegExp(`^${getObj.value}$`, 'i')
       usersArr = users.find(queryObj)
     } else if (getObj.operator === '$eq' && getObj.attribute === 'group.value') {
       // optional - only used when groups are member of users, not default behavior - correspond to getGroupUsers() in versions < 4.x.x
@@ -265,17 +267,27 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
   const userObj = res[0]
 
   for (const key in attrObj) {
-    if (Array.isArray(attrObj[key])) { // standard, not using type (e.g groups)
-      attrObj[key].forEach(el => {
-        if (el.operation === 'delete') {
-          userObj[key] = userObj[key].filter(e => e.value !== el.value)
-          if (userObj[key].length < 1) delete userObj[key]
-        } else { // add
-          if (!userObj[key]) userObj[key] = []
-          let exists
-          if (el.value) exists = userObj[key].find(e => e.value && e.value === el.value && e.type === el.type) // allowing same value on different type (type not mandatory)
-          if (!exists) userObj[key].push(el)
+    if (Array.isArray(attrObj[key])) { // standard, not using type (e.g roles/groups) or skipTypeConvert=true
+      const delArr = attrObj[key].filter(el => el.operation === 'delete')
+      const addArr = attrObj[key].filter(el => (!el.operation || el.operation !== 'delete'))
+      if (!userObj[key]) userObj[key] = []
+      // delete
+      userObj[key] = userObj[key].filter(el => {
+        if (delArr.findIndex(e => e.value === el.value) >= 0) return false
+        return true
+      })
+      // add
+      addArr.forEach(el => {
+        if (Object.prototype.hasOwnProperty.call(el, 'primary')) {
+          if (el.primary === true || (typeof el.primary === 'string' && el.primary.toLowerCase() === 'true')) {
+            const index = userObj[key].findIndex(e => e.primary === el.primary)
+            if (index >= 0) {
+              if (key === 'roles') userObj[key].splice(index, 1) // roles, delete existing role having primary attribute true (new role with primary will be added)
+              else userObj[key][index].primary = undefined // remove primary attribute, only one primary
+            }
+          }
         }
+        userObj[key].push(el)
       })
     } else if (scimgateway.isMultiValueTypes(key)) { // "type converted object" logic and original blank type having type "undefined"
       if (!attrObj[key]) delete userObj[key] // blank or null
@@ -288,6 +300,15 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
           if (userObj[key].length < 1) delete userObj[key]
         } else { // modify/create multivalue
           if (!userObj[key]) userObj[key] = []
+          if (attrObj[key][el].primary) { // remove any existing primary attribute, should only have one primary set
+            const primVal = attrObj[key][el].primary
+            if (primVal === true || (typeof primVal === 'string' && primVal.toLowerCase() === 'true')) {
+              const index = userObj[key].findIndex(e => e.primary === primVal)
+              if (index >= 0) {
+                userObj[key][index].primary = undefined
+              }
+            }
+          }
           const found = userObj[key].find((e, i) => {
             if (e.type === el || (!e.type && el === 'undefined')) {
               for (const k in attrObj[key][el]) {
@@ -389,7 +410,8 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
     if (getObj.operator === '$eq' && ['id', 'displayName', 'externalId'].includes(getObj.attribute)) {
       // mandatory - unique filtering - single unique group to be returned - correspond to getGroup() in versions < 4.x.x
       const queryObj = {}
-      queryObj[getObj.attribute] = getObj.value // { displayName: 'Employees' } / { externalId: 'Employees' } / { id: 'Employees' }
+      if (getObj.attribute === 'id') queryObj[getObj.attribute] = getObj.value
+      else queryObj[getObj.attribute] = { $regex: [getObj.value, 'i'] } // case insensitive
       groupsArr = groups.find(queryObj)
     } else if (getObj.operator === '$eq' && getObj.attribute === 'members.value') {
       // mandatory - return all groups the user 'id' (getObj.value) is member of - correspond to getGroupMembers() in versions < 4.x.x
@@ -477,13 +499,6 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
   const action = 'modifyGroup'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id} attrObj=${JSON.stringify(attrObj)}`)
 
-  if (!attrObj.members) {
-    throw new Error(`${action} error: only supports modification of members`)
-  }
-  if (!Array.isArray(attrObj.members)) {
-    throw new Error(`${action} error: ${JSON.stringify(attrObj)} - correct syntax is { "members": [...] }`)
-  }
-
   const res = groups.find({ id: id })
   if (res.length === 0) throw new Error(`${action} error: group id=${id} - group does not exist`)
   if (res.length > 1) throw new Error(`${action} error: group id=${id} - group is not unique, more than one have been found`)
@@ -492,25 +507,35 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
   if (!groupObj.members) groupObj.members = []
   const usersNotExist = []
 
-  await attrObj.members.forEach(async el => {
-    if (el.operation && el.operation === 'delete') { // delete member from group
-      if (!el.value) groupObj.members = [] // members=[{"operation":"delete"}] => no value, delete all members
-      else groupObj.members = groupObj.members.filter(element => element.value !== el.value)
-    } else { // Add member to group
-      if (el.value) {
-        const getObj = { attribute: 'id', operator: 'eq', value: el.value }
-        const usrs = await scimgateway.getUsers(baseEntity, getObj, 'id,displayName', ctx) // check if user exist
-        if (usrs && usrs.Resources && usrs.Resources.length === 1 && usrs.Resources[0].id === el.value) {
-          const newMember = {
-            display: usrs.Resources[0].displayName || el.value,
-            value: el.value
-          }
-          const exists = groupObj.members.some(e => (e.value === el.value))
-          if (!exists) groupObj.members.push(newMember)
-        } else usersNotExist.push(el.value)
-      }
+  if (attrObj.members) {
+    if (!Array.isArray(attrObj.members)) {
+      throw new Error(`${action} error: ${JSON.stringify(attrObj)} - correct syntax is { "members": [...] }`)
     }
-  })
+    await attrObj.members.forEach(async el => {
+      if (el.operation && el.operation === 'delete') { // delete member from group
+        if (!el.value) groupObj.members = [] // members=[{"operation":"delete"}] => no value, delete all members
+        else groupObj.members = groupObj.members.filter(element => element.value !== el.value)
+      } else { // Add member to group
+        if (el.value) {
+          const getObj = { attribute: 'id', operator: 'eq', value: el.value }
+          const usrs = await scimgateway.getUsers(baseEntity, getObj, 'id,displayName', ctx) // check if user exist
+          if (usrs && usrs.Resources && usrs.Resources.length === 1 && usrs.Resources[0].id === el.value) {
+            const newMember = {
+              display: usrs.Resources[0].displayName || el.value,
+              value: el.value
+            }
+            const exists = groupObj.members.some(e => (e.value === el.value))
+            if (!exists) groupObj.members.push(newMember)
+          } else usersNotExist.push(el.value)
+        }
+      }
+    })
+  }
+
+  delete attrObj.members
+  for (const key in attrObj) { // displayName/externalId
+    groupObj[key] = attrObj[key]
+  }
 
   groups.update(groupObj)
 
@@ -532,7 +557,7 @@ const stripLoki = (obj) => { // remove loki meta data and insert scim
       delete retObj.meta.updated
     }
     if (retObj.meta.revision !== undefined) {
-      retObj.meta.version = retObj.meta.revision
+      retObj.meta.version = `W/"${retObj.meta.revision}"`
       delete retObj.meta.revision
     }
   }

package/lib/plugin-mongodb.js

@@ -194,7 +194,8 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
     if (getObj.operator === '$eq' && ['id', 'userName', 'externalId'].includes(getObj.attribute)) {
       // mandatory - unique filtering - single unique user to be returned - correspond to getUser() in versions < 4.x.x
       findObj = {}
-      findObj[getObj.attribute] = getObj.value
+      if (getObj.attribute === 'id') findObj[getObj.attribute] = getObj.value
+      else findObj[getObj.attribute] = new RegExp(`^${getObj.value}$`, 'i') // case insensitive
     } else if (getObj.operator === '$eq' && getObj.attribute === 'group.value') {
       // optional - only used when groups are member of users, not default behavior - correspond to getGroupUsers() in versions < 4.x.x
       findObj = { groups: { value: getObj.value } }
@@ -230,9 +231,13 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
   try {
     const projection = attributes.length > 0 ? getProjectionFromAttributes(attributes) : { _id: 0 }
     const usersArr = await users.find(findObj, { projection: projection }).sort({ _id: 1 }).skip(getObj.startIndex - 1).limit(getObj.count).toArray()
-    const totalResults = await users.find(findObj, { projection: projection }).sort({ _id: 1 }).count()
+    const totalResults = await users.countDocuments(findObj, { projection: projection })
     const arr = usersArr.map((obj) => {
-      return decodeDotDate(obj)
+      const o = decodeDotDate(obj)
+      if (o.meta && o.meta.version !== undefined) {
+        o.meta.version = `W/"${o.meta.version}"`
+      }
+      return o
     }) // virtual attribute groups automatically handled by scimgateway
     Array.prototype.push.apply(ret.Resources, arr)
     ret.totalResults = totalResults
@@ -348,17 +353,27 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
   let userObj = decodeDotDate(res[0])
 
   for (const key in attrObj) {
-    if (Array.isArray(attrObj[key])) { // standard, not using type (e.g groups)
-      attrObj[key].forEach(el => {
-        if (el.operation === 'delete') {
-          userObj[key] = userObj[key].filter(e => e.value !== el.value)
-          if (userObj[key].length < 1) delete userObj[key]
-        } else { // add
-          if (!userObj[key]) userObj[key] = []
-          let exists
-          if (el.value) exists = userObj[key].find(e => e.value && e.value === el.value && e.type === el.type) // allowing same value on different type (type not mandatory)
-          if (!exists) userObj[key].push(el)
+    if (Array.isArray(attrObj[key])) { // standard, not using type (e.g roles/groups) or skipTypeConvert=true
+      const delArr = attrObj[key].filter(el => el.operation === 'delete')
+      const addArr = attrObj[key].filter(el => (!el.operation || el.operation !== 'delete'))
+      if (!userObj[key]) userObj[key] = []
+      // delete
+      userObj[key] = userObj[key].filter(el => {
+        if (delArr.findIndex(e => e.value === el.value) >= 0) return false
+        return true
+      })
+      // add
+      addArr.forEach(el => {
+        if (Object.prototype.hasOwnProperty.call(el, 'primary')) {
+          if (el.primary === true || (typeof el.primary === 'string' && el.primary.toLowerCase() === 'true')) {
+            const index = userObj[key].findIndex(e => e.primary === el.primary)
+            if (index >= 0) {
+              if (key === 'roles') userObj[key].splice(index, 1) // roles, delete existing role having primary attribute true (new role with primary will be added)
+              else userObj[key][index].primary = undefined // remove primary attribute, only one primary
+            }
+          }
         }
+        userObj[key].push(el)
       })
     } else if (scimgateway.isMultiValueTypes(key)) { // "type converted object" logic and original blank type having type "undefined"
       if (!attrObj[key]) delete userObj[key] // blank or null
@@ -371,6 +386,15 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
           if (userObj[key].length < 1) delete userObj[key]
         } else { // modify/create multivalue
           if (!userObj[key]) userObj[key] = []
+          if (attrObj[key][el].primary) { // remove any existing primary attribute, should only have one primary set
+            const primVal = attrObj[key][el].primary
+            if (primVal === true || (typeof primVal === 'string' && primVal.toLowerCase() === 'true')) {
+              const index = userObj[key].findIndex(e => e.primary === primVal)
+              if (index >= 0) {
+                userObj[key][index].primary = undefined
+              }
+            }
+          }
           const found = userObj[key].find((e, i) => {
             if (e.type === el || (!e.type && el === 'undefined')) {
               for (const k in attrObj[key][el]) {
@@ -493,7 +517,8 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
     if (getObj.operator === '$eq' && ['id', 'displayName', 'externalId'].includes(getObj.attribute)) {
       // mandatory - unique filtering - single unique group to be returned - correspond to getGroup() in versions < 4.x.x
       findObj = {}
-      findObj[getObj.attribute] = getObj.value
+      if (getObj.attribute === 'id') findObj[getObj.attribute] = getObj.value
+      else findObj[getObj.attribute] = new RegExp(`^${getObj.value}$`, 'i') // case insensitive
     } else if (getObj.operator === '$eq' && getObj.attribute === 'members.value') {
       // mandatory - return all groups the user 'id' (getObj.value) is member of - correspond to getGroupMembers() in versions < 4.x.x
       // Resources = [{ id: <id-group>> , displayName: <displayName-group>, members [{value: <id-user>}] }]
@@ -518,7 +543,6 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
   // mandatory if-else logic - end
 
   if (!findObj) throw new Error(`${action} error: mandatory if-else logic not fully implemented`)
-
   if (!getObj.startIndex) getObj.startIndex = 1
   if (!getObj.count) getObj.count = 200
 
@@ -530,10 +554,8 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
   try {
     const projection = attributes.length > 0 ? getProjectionFromAttributes(attributes) : { _id: 0 }
     const groups = config.entity[baseEntity].collection.groups
-
     const groupsArr = await groups.find(findObj, { projection: projection }).sort({ _id: 1 }).skip(getObj.startIndex - 1).limit(getObj.count).toArray()
-    const totalResults = await groups.find(findObj, { projection: projection }).count()
-
+    const totalResults = await groups.countDocuments(findObj, { projection: projection })
     const arr = groupsArr.map((obj) => {
       return decodeDotDate(obj)
     })
@@ -611,13 +633,6 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
   const action = 'modifyGroup'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id} attrObj=${JSON.stringify(attrObj)}`)
 
-  if (!attrObj.members) {
-    throw new Error(`${action} error: only supports modification of members`)
-  }
-  if (!Array.isArray(attrObj.members)) {
-    throw new Error(`${action} error: ${JSON.stringify(attrObj)} - correct syntax is { "members": [...] }`)
-  }
-
   const users = config.entity[baseEntity].collection.users
   const groups = config.entity[baseEntity].collection.groups
   let res
@@ -632,40 +647,52 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
   }
 
   let groupObj = decodeDotDate(res[0])
+  if (!groupObj.members) groupObj.members = []
   const usersNotExist = []
 
-  for (const el of attrObj.members) {
-    if (el.operation && el.operation === 'delete') {
+  if (attrObj.members) {
+    if (!Array.isArray(attrObj.members)) {
+      throw new Error(`${action} error: ${JSON.stringify(attrObj)} - correct syntax is { "members": [...] }`)
+    }
+    for (const el of attrObj.members) {
+      if (el.operation && el.operation === 'delete') {
       // delete member from group
-      if (!el.value) {
+        if (!el.value) {
         // members=[{"operation":"delete"}] => no value, delete all members
-        await groups.updateOne({ id: groupObj.id }, { $set: { members: [] } })
-        scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id} deleted all members`)
-        isModified = true
-      } else {
-        await groups.updateMany({ id: groupObj.id }, { $pull: { members: { value: el.value } } })
-        scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id} deleted from group: ${el.value}`)
-        isModified = true
-      }
-    } else { // Add member to group
-      if (el.value) {
-        let usrs = []
-        try {
-          usrs = await users.find({ id: el.value }, { projection: { _id: 0 } }).toArray() // check if user exist
-        } catch (err) {
-          throw new Error(`${action} error: failed to find group id=${id} - ${err.message}`)
+          await groups.updateOne({ id: groupObj.id }, { $set: { members: [] } })
+          scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id} deleted all members`)
+          isModified = true
+        } else {
+          await groups.updateMany({ id: groupObj.id }, { $pull: { members: { value: el.value } } })
+          scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id} deleted from group: ${el.value}`)
+          isModified = true
         }
-        if (usrs.length === 1 && usrs[0].id === el.value) {
-          if (!groupObj.members.some((element) => element.value === el.value)) {
-            await groups.updateMany({ id: groupObj.id }, { $push: { members: { display: usrs[0].displayName || el.value, value: el.value } } })
-            scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id} added member to group: ${el.value}`)
-            isModified = true
+      } else { // Add member to group
+        if (el.value) {
+          let usrs = []
+          try {
+            usrs = await users.find({ id: el.value }, { projection: { _id: 0 } }).toArray() // check if user exist
+          } catch (err) {
+            throw new Error(`${action} error: failed to find group id=${id} - ${err.message}`)
           }
-        } else usersNotExist.push(el.value)
+          if (usrs.length === 1 && usrs[0].id === el.value) {
+            if (!groupObj.members.some((element) => element.value === el.value)) {
+              await groups.updateMany({ id: groupObj.id }, { $push: { members: { display: usrs[0].displayName || el.value, value: el.value } } })
+              scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id} added member to group: ${el.value}`)
+              isModified = true
+            }
+          } else usersNotExist.push(el.value)
+        }
       }
     }
   }
 
+  delete attrObj.members
+  if (Object.keys(attrObj).length > 0) { // displayName/externalId
+    await groups.updateOne({ id: groupObj.id }, { $set: attrObj })
+    isModified = true
+  }
+
   if (!groupObj.meta) {
     const now = Date.now()
     groupObj.meta = {

package/lib/scimgateway.js

@@ -322,6 +322,7 @@ const ScimGateway = function () {
       } else logger.info(`${gwName}[${pluginName}] ${ellapsed} ${ctx.request.ipcli} ${userName} ${ctx.request.method} ${ctx.request.href} Inbound = ${JSON.stringify(ctx.request.body)} Outbound = ${JSON.stringify(res)}${(config.log.loglevel.file === 'debug' && ctx.request.url !== '/ping') ? '\n' : ''}`)
       requestCounter += 1 // logged on exit (not win process termination)
     }
+    if (ctx.response.body && typeof ctx.response.body === 'object') ctx.set('Content-Type', 'application/scim+json; charset=utf-8')
   }
 
   // start auth methods - used by auth
@@ -523,10 +524,7 @@ const ScimGateway = function () {
         authPassThrough(baseEntity, ctx.request.method, authType, authToken, ctx)])
         .catch((err) => { throw (err) })
       for (const i in arrResolve) {
-        if (arrResolve[i]) {
-          ctx.set('Content-Type', 'application/scim+json; charset=utf-8') // IE don't support JSON content to be shown in browser, pre IE/Edge versions did not support 'application/scim+json'
-          return next() // auth OK - continue with routes
-        }
+        if (arrResolve[i]) return next() // auth OK - continue with routes
       }
       // all false - invalid auth method or missing pluging config
       let err
@@ -824,7 +822,7 @@ const ScimGateway = function () {
       }
 
       // check for user attribute groups and include if needed
-      const userObj = scimdata.Resources[0]
+      let userObj = scimdata.Resources[0]
       if (handle.getMethod === handler.users.getMethod && Object.keys(userObj).length > 0 && !userObj.groups && !config.scim.groupMemberOfUser) { // groupMemberOfUser can be set to true for skipping
         let arrAttr = []
         if (ctx.query.attributes) arrAttr = ctx.query.attributes.split(',')
@@ -849,6 +847,7 @@ const ScimGateway = function () {
         }
       }
       const location = ctx.origin + ctx.path
+      userObj = addPrimaryAttrs(userObj)
       scimdata = utils.stripObj(userObj, ctx.query.attributes, ctx.query.excludedAttributes)
       scimdata = addSchemas(scimdata, handle.description, isScimv2)
       if (scimdata.meta) scimdata.meta.location = location
@@ -1056,8 +1055,10 @@ const ScimGateway = function () {
 
       let location = ctx.origin + ctx.path
       if (ctx.query.attributes || (ctx.query.excludedAttributes && ctx.query.excludedAttributes.includes('meta'))) location = null
-
-      scimdata.Resources = utils.stripObj(scimdata.Resources, ctx.query.attributes, ctx.query.excludedAttributes)
+      for (let i = 0; i < scimdata.Resources.length; i++) {
+        scimdata.Resources[i] = addPrimaryAttrs(scimdata.Resources[i])
+        scimdata.Resources[i] = utils.stripObj(scimdata.Resources[i], ctx.query.attributes, ctx.query.excludedAttributes)
+      }
       scimdata = addResources(scimdata, ctx.query.startIndex, ctx.query.sortBy, ctx.query.sortOrder)
       scimdata = addSchemas(scimdata, handle.description, isScimv2, location)
 
@@ -1134,34 +1135,35 @@ const ScimGateway = function () {
         jsonBody[key] = res[key]
       }
 
-      if (!jsonBody.id) { // retrieve id
+      if (!jsonBody.id) { // retrieve all attributes including id
         let obj
         try {
           if (handle.createMethod === 'createUser') {
             if (jsonBody.userName) {
               jsonBody.id = jsonBody.userName
-              obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'userName', operator: 'eq', value: jsonBody.userName }, ['id', 'userName'], ctx.ctxCopy)
+              obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'userName', operator: 'eq', value: jsonBody.userName }, [], ctx.ctxCopy)
             } else if (jsonBody.externalId) {
               jsonBody.id = jsonBody.externalId
-              obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'externalId', operator: 'eq', value: jsonBody.externalId }, ['id', 'externalId'], ctx.ctxCopy)
+              obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'externalId', operator: 'eq', value: jsonBody.externalId }, [], ctx.ctxCopy)
             }
           } else if (handle.createMethod === 'createGroup') {
             if (jsonBody.externalId) {
               jsonBody.id = jsonBody.externalId
-              obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'externalId', operator: 'eq', value: jsonBody.externalId }, ['id', 'externalId'], ctx.ctxCopy)
+              obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'externalId', operator: 'eq', value: jsonBody.externalId }, [], ctx.ctxCopy)
             } else if (jsonBody.displayName) {
               jsonBody.id = jsonBody.displayName
-              obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'displayName', operator: 'eq', value: jsonBody.displayName }, ['id', 'displayName'], ctx.ctxCopy)
+              obj = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'displayName', operator: 'eq', value: jsonBody.displayName }, [], ctx.ctxCopy)
             }
           }
         } catch (err) { }
-        if (obj && obj.id) jsonBody.id = obj.id
+        if (obj && obj.id) jsonBody = obj
       }
 
       const location = `${ctx.origin}${ctx.path}/${jsonBody.id}`
       if (!jsonBody.meta) jsonBody.meta = {}
       jsonBody.meta.location = location
       delete jsonBody.password
+      jsonBody = addPrimaryAttrs(jsonBody)
       ctx.set('Location', location)
       ctx.status = 201
       ctx.body = jsonBody
@@ -1265,30 +1267,32 @@ const ScimGateway = function () {
       logger.debug(`${gwName}[${pluginName}] calling "${handle.modifyMethod}" and awaiting result`)
       try {
         await this[handle.modifyMethod](ctx.params.baseEntity, id, scimdata, ctx.ctxCopy)
-        if (ctx.query.attributes || ctx.query.excludedAttributes) {
-          logger.debug(`${gwName}[${pluginName}] calling "${handle.getMethod}" and awaiting result`)
-
-          const res = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'id', operator: 'eq', value: id }, ctx.query.attributes ? ctx.query.attributes.split(',').map(item => item.trim()) : [], ctx.ctxCopy)
-          let scimdata = {
-            Resources: [],
-            totalResults: null
-          }
-          if (res) {
-            if (res.Resources && Array.isArray(res.Resources)) {
-              scimdata.Resources = res.Resources
-              scimdata.totalResults = res.totalResults
-            } else if (Array.isArray(res)) scimdata.Resources = res
-            else if (typeof (res) === 'object' && Object.keys(res).length > 0) scimdata.Resources[0] = res
-          }
-
-          if (scimdata.Resources.length !== 1) throw new Error(`using ${handle.getMethod} to retrive user ${id} after ${handle.modifyMethod} but response did not include user object`)
-          const location = ctx.origin + ctx.path
-          ctx.set('Location', location)
-          scimdata = utils.stripObj(scimdata.Resources[0], ctx.query.attributes, ctx.query.excludedAttributes)
-          scimdata = addSchemas(scimdata, handle.description, isScimv2)
-          ctx.status = 200
-          ctx.body = scimdata
-        } else ctx.status = 204
+        // include full object in response
+        if (handle.getMethod !== handler.users.getMethod && handle.getMethod !== handler.groups.getMethod) { // getUsers or getGroups not implemented
+          ctx.status = 204
+          return
+        }
+        logger.debug(`${gwName}[${pluginName}] calling "${handle.getMethod}" and awaiting result`)
+        const res = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'id', operator: 'eq', value: id }, ctx.query.attributes ? ctx.query.attributes.split(',').map(item => item.trim()) : [], ctx.ctxCopy)
+        scimdata = {
+          Resources: [],
+          totalResults: null
+        }
+        if (res) {
+          if (res.Resources && Array.isArray(res.Resources)) {
+            scimdata.Resources = res.Resources
+            scimdata.totalResults = res.totalResults
+          } else if (Array.isArray(res)) scimdata.Resources = res
+          else if (typeof (res) === 'object' && Object.keys(res).length > 0) scimdata.Resources[0] = res
+        }
+        if (scimdata.Resources.length !== 1) throw new Error(`using ${handle.getMethod} to retrive user ${id} after ${handle.modifyMethod} but response did not include user object`)
+        const location = ctx.origin + ctx.path
+        ctx.set('Location', location)
+        scimdata.Resources[0] = addPrimaryAttrs(scimdata.Resources[0])
+        scimdata = utils.stripObj(scimdata.Resources[0], ctx.query.attributes, ctx.query.excludedAttributes)
+        scimdata = addSchemas(scimdata, handle.description, isScimv2)
+        ctx.status = 200
+        ctx.body = scimdata
       } catch (err) {
         ctx.status = 500
         const e = jsonErr(config.scim.version, pluginName, ctx.status, err)
@@ -1903,9 +1907,7 @@ const ScimGateway = function () {
       if (Array.isArray(scimdata[key]) && (scimdata[key].length > 0)) {
         if (key === 'groups' || key === 'members' || key === 'roles') {
           scimdata[key].forEach(function (element, index) {
-            if (element.value) {
-              scimdata[key][index].value = decodeURIComponent(element.value)
-            }
+            if (element.value) scimdata[key][index].value = decodeURIComponent(element.value)
           })
         } else if (multiValueTypes.includes(key)) { // "type converted object" // groups, roles, member and scim.excludeTypeConvert are not included
           const tmpAddr = []
@@ -2602,6 +2604,30 @@ const addSchemas = (data, type, isScimv2, location) => {
   return data
 }
 
+// addPrimaryAttrs cheks for primary attributes (only for roles) and add them as standalone attributes
+// some IdP's may check for these e.g. Azure
+// e.g. {roles: [{value: "val1", primary: "True"}]}
+// gives:
+// { roles: [{value: "val1", primary: "True"}],
+//   roles[primary eq "True"].value: "val1",
+//   roles[primary eq "True"].primary: "True"}]
+// }
+const addPrimaryAttrs = (obj) => {
+  const key = 'roles'
+  if (!obj || typeof obj !== 'object') return obj
+  if (!obj[key] || !Array.isArray(obj[key])) return obj
+  const o = utils.copyObj(obj)
+  const index = o[key].findIndex(el => (el.primary === true || (typeof el.primary === 'string' && el.primary.toLowerCase() === 'true')))
+  if (index >= 0) {
+    const prim = o[key][index]
+    for (const k in prim) {
+      const primKey = `${key}[primary eq ${typeof prim.primary === 'string' ? `"${prim.primary}"` : prim.primary}].${k}` // roles[primary eq true].value / roles[primary eq "True"].value``
+      o[primKey] = prim[k] // { roles[primary eq true].value : "some-value" }
+    }
+  }
+  return o
+}
+
 //
 // Check and return none supported attributes
 //
@@ -2634,6 +2660,8 @@ ScimGateway.prototype.convertedScim20 = function convertedScim20 (obj) {
   let scimdata = {}
   if (!obj.Operations || !Array.isArray(obj.Operations)) return scimdata
   const o = utils.copyObj(obj)
+  const arrPrimaryDone = []
+  const primaryOrgType = {}
 
   for (let i = 0; i < o.Operations.length; i++) {
     const element = o.Operations[i]
@@ -2641,33 +2669,43 @@ ScimGateway.prototype.convertedScim20 = function convertedScim20 (obj) {
     let typeElement = null
     let path = null
     let pathRoot = null
-    let rePattern = /^.*(\[type eq .*\]).*$/
+    let rePattern = /^.*\[(.*) eq (.*)\].*$/
     let arrMatches = null
+    let primaryValue = null
 
     if (element.op) element.op = element.op.toLowerCase()
 
     if (element.path) {
       arrMatches = element.path.match(rePattern)
-      if (Array.isArray(arrMatches) && arrMatches.length === 2) { // [type eq "work"]
-        rePattern = /^\[type eq (.*)\]$/
-        arrMatches = arrMatches[1].match(rePattern)
-        if (Array.isArray(arrMatches) && arrMatches.length === 2) { // "work"
-          type = arrMatches[1].replace(/"/g, '') // work
-        }
+
+      if (Array.isArray(arrMatches) && arrMatches.length === 3) { // [type eq "work"]
+        if (arrMatches[1] === 'primary') {
+          type = 'primary'
+          primaryValue = arrMatches[2].replace(/"/g, '') // True
+        } else type = arrMatches[2].replace(/"/g, '') // work
       }
 
-      rePattern = /^(.*)\[type eq .*\]\.(.*)$/ // "path":"addresses[type eq \"work\"].streetAddress"
+      rePattern = /^(.*)\[(type|primary) eq .*\]\.(.*)$/ // "path":"addresses[type eq \"work\"].streetAddress" - "path":"roles[primary eq \"True\"].streetAddress"
       arrMatches = element.path.match(rePattern)
       if (Array.isArray(arrMatches)) {
         if (arrMatches.length === 2) {
           if (type) path = `${arrMatches[1]}.${type}`
           else path = arrMatches[1]
           pathRoot = arrMatches[1]
-        } else if (arrMatches.length === 3) {
+        } else if (arrMatches.length === 4) {
           if (type) {
-            path = `${arrMatches[1]}.${type}.${arrMatches[2]}`
-            typeElement = arrMatches[2] // streetAddress
-          } else path = `${arrMatches[1]}.${arrMatches[2]}` // NA
+            path = `${arrMatches[1]}.${type}.${arrMatches[3]}`
+            typeElement = arrMatches[3] // streetAddress
+
+            if (type === 'primary' && !arrPrimaryDone.includes(arrMatches[1])) { // make sure primary is included
+              const pObj = utils.copyObj(element)
+              pObj.path = pObj.path.substring(0, pObj.path.lastIndexOf('.')) + '.primary'
+              pObj.value = primaryValue
+              o.Operations.push(pObj)
+              arrPrimaryDone.push(arrMatches[1])
+              primaryOrgType[arrMatches[1]] = 'primary'
+            }
+          } else path = `${arrMatches[1]}.${arrMatches[3]}` // NA
           pathRoot = arrMatches[1]
         }
       } else {
@@ -2735,7 +2773,9 @@ ScimGateway.prototype.convertedScim20 = function convertedScim20 (obj) {
             el[typeElement] = element.value
             scimdata[pathRoot].push(el)
           } else {
-            scimdata[pathRoot][index][typeElement] = element.value
+            if (type === 'primary' && typeElement === 'type') { // type=primary, don't change but store and correct to original type later
+              primaryOrgType[pathRoot] = element.value
+            } else scimdata[pathRoot][index][typeElement] = element.value
             if (element.op && element.op === 'remove') scimdata[pathRoot][index].operation = 'delete'
           }
         }
@@ -2809,6 +2849,16 @@ ScimGateway.prototype.convertedScim20 = function convertedScim20 (obj) {
     }
   }
 
+  for (const key in primaryOrgType) { // revert back to original type when included
+    if (scimdata[key]) {
+      const index = scimdata[key].findIndex(el => el.type === 'primary')
+      if (index >= 0) {
+        if (primaryOrgType[key] === 'primary') delete scimdata[key][index].type // temp have not been changed - remove
+        else scimdata[key][index].type = primaryOrgType[key]
+      }
+    }
+  }
+
   // scimdata now SCIM 1.1 formatted, using convertedScim to get "type converted Object" and blank deleted values
   return ScimGateway.prototype.convertedScim(scimdata)
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "4.2.1",
+  "version": "4.2.3",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",
   "homepage": "https://elshaug.xyz",

package/test/lib/plugin-loki.js

@@ -431,7 +431,7 @@ describe('plugin-loki tests', () => {
       .send(user)
       .end(function (err, res) {
         expect(err).to.equal(null)
-        expect(res.statusCode).to.equal(204)
+        expect(res.statusCode).to.equal(200)
         done()
       })
   })

package/test/lib/plugin-scim.js

@@ -368,7 +368,7 @@ describe('plugin-scim tests', () => {
       .send(user)
       .end(function (err, res) {
         expect(err).to.equal(null)
-        expect(res.statusCode).to.equal(204)
+        expect(res.statusCode).to.equal(200)
         done()
       })
   })