scimgateway 4.2.6 → 4.2.8

package/README.md

@@ -64,9 +64,10 @@ Can be used as SCIM version-gateway e.g. 1.1=>2.0 or 2.0=>1.1
 Can be used to chain several SCIM Gateway's  
 
 
-* **Forwardinc** (SOAP Webservice)  
-Demonstrates user provisioning towards SOAP-Based endpoint   
-Using endpoint Forwardinc that comes with Broadcom/CA IM SDK (SDKWS) - [wiki.ca.com](https://docops.ca.com/ca-identity-manager/12-6-8/EN/programming/connector-programming-reference/sdk-sample-connectors/sdkws-sdk-web-services-connector/sdkws-sample-connector-build-requirements "wiki.ca.com")    
+* **Soap** (SOAP Webservice)  
+Demonstrates user provisioning towards SOAP-Based endpoint  
+Excample WSDLs are included  
+Using endpoint "Forwardinc" as an example (comes with Symantec/Broadcom/CA IM SDK - SDKWS)   
 Shows how to implement a highly configurable multi tenant or multi endpoint solution through `baseEntity` in URL  
 
 * **MSSQL** (MSSQL Database)  
@@ -188,7 +189,7 @@ When maintaining a set of modifications it useful to disable the postinstall ope
 	const loki = require('./lib/plugin-loki')
 	// const mongodb = require('./lib/plugin-mongodb')
 	// const scim = require('./lib/plugin-scim')
-	// const forwardinc = require('./lib/plugin-forwardinc')
+	// const soap = require('./lib/plugin-soap')
 	// const mssql = require('./lib/plugin-mssql')
 	// const saphana = require('./lib/plugin-saphana')  // prereq: npm install hdb
 	// const azureAD = require('./lib/plugin-azure-ad')
@@ -212,7 +213,8 @@ Below shows an example of config\plugin-saphana.json
           "version": "2.0",
           "customSchema": null,
           "skipTypeConvert" : false,
-          "usePutSoftSync" : false
+          "usePutSoftSync" : false,
+          "usePutGroupMemberOfUser": false
         },
         "log": {
           "loglevel": {
@@ -342,7 +344,9 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 		]  
 
 
-- **scim.usePutSoftSync** - true or false, default false. `PUT /Users/bjensen` will replace the user bjensen with body content. If body contains groups, usePutSoftsync=true will prevent removing any existing groups that are not included in body.groups   
+- **scim.usePutSoftSync** - true or false, default false. `PUT /Users/bjensen` will replace the user bjensen with body content. If body contains groups, usePutSoftsync=true will prevent removing any existing groups that are not included in body.groups  
+
+- **scim."usePutGroupMemberOfUser** - true or false, default false. `PUT /Users/<user>` will replace the user with body content. If body contains groups and usePutGroupMemberOfUser=true, groups will be set on user object (groups are member of user) instead of default user member of groups  
 
 - **log.loglevel.file** - off, error, info, or debug. Output to plugin-logfile e.g. `logs\plugin-saphana.log`  
 
@@ -462,20 +466,20 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 		}  
 
 
-	secrets.json for plugin-forwardinc - example (dot notation):  
+	secrets.json for plugin-soap - example (dot notation):  
   
 		{
-		  "plugin-forwardinc.scimgateway.auth.basic[0].username": "gwadmin",
-		  "plugin-forwardinc.scimgateway.auth.basic[0].password": "password",
-		  "plugin-forwardinc.endpoint.username": "superuser",
-		  "plugin-forwardinc.endpoint.password": "secret"
+		  "plugin-soap.scimgateway.auth.basic[0].username": "gwadmin",
+		  "plugin-soap.scimgateway.auth.basic[0].password": "password",
+		  "plugin-soap.endpoint.username": "superuser",
+		  "plugin-soap.endpoint.password": "secret"
 		}  
 
 - Custom schema attributes can be added by plugin configuration `scim.customSchema` having value set to filename of a JSON schema-file located in `<package-root>/config/schemas` e.g:  
 
 		"scim": {
 		  "version": "2.0",
-		  "customSchema": "plugin-forwardinc-schema.json"
+		  "customSchema": "plugin-soap-schema.json"
 		},
 
 	JSON file have following syntax:  
@@ -748,7 +752,7 @@ Username, password and port must correspond with plugin configuration file. For
 http://localhost:8880/client-a  
 http://localhost:8880/client-b
 
-Each baseEntity should then be defined in the plugin configuration file with custom attributes needed. Please see examples in plugin-forwardinc.json
+Each baseEntity should then be defined in the plugin configuration file with custom attributes needed. Please see examples in plugin-soap.json
 
 IM 12.6 SP7 (and above) also supports pagination for SCIM endpoint (data transferred in bulks - endpoint explore of users). Loki plugin supports pagination. Other plugin may ignore this setting.  
 
@@ -965,7 +969,7 @@ For JavaScript coding editor you may use [Visual Studio Code](https://code.visua
 
 Preparation:
 
-* Copy "best matching" example plugin e.g. `lib\plugin-mssql.js` and `config\plugin-mssql.json` and rename both copies to your plugin name prefix e.g. plugin-mine.js and plugin-mine.json (for SOAP Webservice endpoint we might use plugin-forwardinc as a template) 
+* Copy "best matching" example plugin e.g. `lib\plugin-mssql.js` and `config\plugin-mssql.json` and rename both copies to your plugin name prefix e.g. plugin-mine.js and plugin-mine.json (for SOAP Webservice endpoint we might use plugin-soap as a template) 
 * Edit plugin-mine.json and define a unique port number for the gateway setting  
 * Edit index.js and add a new line for starting your plugin e.g. `let mine = require('./lib/plugin-mine');`  
 * Start SCIM Gateway and verify. If using CA Provisioning you could setup a SCIM endpoint using the port number you defined  
@@ -988,7 +992,7 @@ Please see plugin-saphana that do not use groups.
 
 Template used by CA Provisioning role should only include endpoint supported attributes defined in our plugin. Template should therefore have no links to global user for none supported attributes (e.g. remove %UT% from "Job Title" if our endpoint/code do not support title)  
 
-CA Provisioning using default SCIM endpoint do not support SCIM Enterprise User Schema Extension (having attributes like employeeNumber, costCenter, organization, division, department and manager). If we need these or other attributes not found in CA Provisioning, we could define our own by using the free-text "type" definition in the multivalue entitlements or roles attribute. In the template entitlements definition, we could for example define type=Company and set value to %UCOMP%. Please see plugin-forwardinc.js using Company as a multivalue "type" definition.  
+CA Provisioning using default SCIM endpoint do not support SCIM Enterprise User Schema Extension (having attributes like employeeNumber, costCenter, organization, division, department and manager). If we need these or other attributes not found in CA Provisioning, we could define our own by using the free-text "type" definition in the multivalue entitlements or roles attribute. In the template entitlements definition, we could for example define type=Company and set value to %UCOMP%. Please see plugin-soap.js using Company as a multivalue "type" definition.  
 
 Using CA Connector Xpress we could create a new SCIM endpoint type based on the original SCIM. We could then add/remove attributes and change from default assign "user to groups" to assign "groups to user". There are also other predefined endpoints based on the original SCIM. You may take a look at "ServiceNow - WSL7" and "Zendesk - WSL7". 
 
@@ -1165,6 +1169,25 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v4.2.8  
+
+[Fixed] 
+
+- PUT did not allow group name to be modified
+
+### v4.2.7  
+
+[Added]  
+
+- new plugin configuration **scim.usePutGroupMemberOfUser** can be set to true or false, default false. `PUT /Users/<user>` will replace user with body content. If body contains groups and usePutGroupMemberOfUser=true, groups will be set on user object (groups are member of user) instead of default user member of groups  
+- plugin-forwardinc renamed to plugin-soap
+- Dependencies bump  
+
+[Fixed] 
+
+- plugin-azure-ad fixed some issues introduced in v4.2.4  
+- plugin-mongodb fixed some issues introduced in v4.2.4  
+
 ### v4.2.6  
 
 [Fixed] 

package/config/plugin-api.json

@@ -7,7 +7,8 @@
       "version": "2.0",
       "customSchema": null,
       "skipTypeConvert": false,
-      "usePutSoftSync": false
+      "usePutSoftSync": false,
+      "usePutGroupMemberOfUser": false
     },
     "log": {
       "loglevel": {

package/config/plugin-azure-ad.json

@@ -7,7 +7,8 @@
       "version": "1.1",
       "customSchema": null,
       "skipTypeConvert": false,
-      "usePutSoftSync": false
+      "usePutSoftSync": false,
+      "usePutGroupMemberOfUser": false
     },
     "log": {
       "loglevel": {

package/config/plugin-ldap.json

@@ -7,7 +7,8 @@
       "version": "2.0",
       "customSchema": null,
       "skipTypeConvert": false,
-      "usePutSoftSync": false
+      "usePutSoftSync": false,
+      "usePutGroupMemberOfUser": false
     },
     "log": {
       "loglevel": {

package/config/plugin-loki.json

@@ -7,7 +7,8 @@
       "version": "2.0",
       "customSchema": null,
       "skipTypeConvert": false,
-      "usePutSoftSync": false
+      "usePutSoftSync": false,
+      "usePutGroupMemberOfUser": false
     },
     "log": {
       "loglevel": {

package/config/plugin-mongodb.json

@@ -7,7 +7,8 @@
       "version": "2.0",
       "customSchema": null,
       "skipTypeConvert": false,
-      "usePutSoftSync": false
+      "usePutSoftSync": false,
+      "usePutGroupMemberOfUser": false
     },
     "log": {
       "loglevel": {

package/config/plugin-mssql.json

@@ -7,7 +7,8 @@
       "version": "2.0",
       "customSchema": null,
       "skipTypeConvert": false,
-      "usePutSoftSync": false
+      "usePutSoftSync": false,
+      "usePutGroupMemberOfUser": false
     },
     "log": {
       "loglevel": {

package/config/plugin-saphana.json

@@ -7,7 +7,8 @@
       "version": "2.0",
       "customSchema": null,
       "skipTypeConvert": false,
-      "usePutSoftSync": false
+      "usePutSoftSync": false,
+      "usePutGroupMemberOfUser": false
     },
     "log": {
       "loglevel": {

package/config/plugin-scim.json

@@ -7,7 +7,8 @@
       "version": "2.0",
       "customSchema": null,
       "skipTypeConvert": false,
-      "usePutSoftSync": false
+      "usePutSoftSync": false,
+      "usePutGroupMemberOfUser": false
     },
     "log": {
       "loglevel": {

package/config/{plugin-forwardinc.json → plugin-soap.json}

@@ -7,7 +7,8 @@
       "version": "2.0",
       "customSchema": null,
       "skipTypeConvert": false,
-      "usePutSoftSync": false
+      "usePutSoftSync": false,
+      "usePutGroupMemberOfUser": false
     },
     "log": {
       "loglevel": {
@@ -156,4 +157,4 @@
       }
     }
   }
-}
+}

package/index.js

@@ -12,7 +12,7 @@
 const loki = require('./lib/plugin-loki')
 // const mongodb = require('./lib/plugin-mongodb')
 // const scim = require('./lib/plugin-scim')
-// const forwardinc = require('./lib/plugin-forwardinc')
+// const soap = require('./lib/plugin-soap')
 // const mssql = require('./lib/plugin-mssql')
 // const saphana = require('./lib/plugin-saphana')  // prereq: npm install hdb --save
 // const azureAD = require('./lib/plugin-azure-ad')

package/lib/plugin-azure-ad.js

@@ -578,7 +578,9 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
     } else if (getObj.operator === 'eq' && getObj.attribute === 'members.value') {
       // mandatory - return all groups the user 'id' (getObj.value) is member of - correspond to getGroupMembers() in versions < 4.x.x
       // Resources = [{ id: <id-group>> , displayName: <displayName-group>, members [{value: <id-user>}] }]
-      path = `/users/${getObj.value}/memberOf/microsoft.graph.group?$select=id,displayName&$expand=members($select=id,displayName)`
+      // not using below expand because Azure returns only a maximum of 20 items for the expanded relationship
+      // path = `/users/${getObj.value}/memberOf/microsoft.graph.group?$select=id,displayName&$expand=members($select=id,displayName)`
+      path = `/users/${getObj.value}/memberOf/microsoft.graph.group?$select=id,displayName`
     } else {
       // optional - simpel filtering
       throw new Error(`${action} error: not supporting simpel filtering: ${getObj.rawFilter}`)
@@ -633,6 +635,10 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
           }
         })
         delete response.body.value[i].members
+      } else if (getObj.operator === 'eq' && getObj.attribute === 'members.value') { // Not using expand-members. Only includes current user as member, but should have requested all...
+        members = [{
+          value: getObj.value
+        }]
       }
 
       const [scimObj] = scimgateway.endpointMapper('inbound', response.body.value[i], config.map.group) // endpoint => SCIM/CustomSCIM attribute standard
@@ -1174,9 +1180,9 @@ const getAccessToken = async (baseEntity, ctx) => {
   const clientIdentifier = getClientIdentifier(ctx)
   const d = new Date() / 1000 // seconds (unix time)
   if (_serviceClient[baseEntity] && _serviceClient[baseEntity][clientIdentifier] && _serviceClient[baseEntity][clientIdentifier].accessToken &&
-   (_serviceClient[baseEntity].accessToken.validTo >= d + 30)) { // avoid simultaneously token requests
+   (_serviceClient[baseEntity][clientIdentifier].accessToken.validTo >= d + 30)) { // avoid simultaneously token requests
     lock.release()
-    return _serviceClient[baseEntity].accessToken
+    return _serviceClient[baseEntity][clientIdentifier].accessToken
   }
 
   const action = 'getAccessToken'

package/lib/plugin-mongodb.js

@@ -48,15 +48,16 @@ scimgateway.authPassThroughAllowed = false // true enables auth passThrough (no
 
 const validFilterOperators = ['eq', 'ne', 'aeq', 'dteq', 'gt', 'gte', 'lt', 'lte', 'between', 'jgt', 'jgte', 'jlt', 'jlte', 'jbetween', 'regex', 'in', 'nin', 'keyin', 'nkeyin', 'definedin', 'undefinedin', 'contains', 'containsAny', 'type', 'finite', 'size', 'len', 'exists']
 
-if (!config.entity) throw new Error('error: configuration entity is missing')
-if (!scimgateway.authPassThroughAllowed) { // not using Auth PassThrough, loading db handler at startup using username/password from config
-  for (const baseEntity in config.entity) {
-    loadHandler(baseEntity)
-  }
-}
-
 async function loadHandler (baseEntity, ctx) {
   const action = 'loadHander'
+
+  const clientIdentifier = getClientIdentifier(ctx)
+  if (config.entity[baseEntity].isLoaded) { // loadHandler only once
+    if (!clientIdentifier) return clientIdentifier // not using Auth PassThrough
+    if (config.entity[baseEntity][clientIdentifier]) return clientIdentifier // authenticated
+    throw new Error('{"error":"Access denied","statusCode":401}') // string: "statusCode":401 ensure gateway returns 401
+  }
+
   if (!config.entity[baseEntity].baseUrl) { // mongodb://host1[:port1][,...hostN[:portN]][/[defaultauthdb][?options]] - e.g: mongodb://localhost:27017/db?tls=true&tlsInsecure=true
     throw new Error(`${action} error: configuration entity.${baseEntity}.baseUrl is missing`)
   }
@@ -102,6 +103,9 @@ async function loadHandler (baseEntity, ctx) {
       groups.createIndex({ id: 1 }, { unique: true })
     }
   } catch (error) {
+    if (clientIdentifier && error.message.includes('Authentication')) {
+      throw new Error('{"error":"Access denied","statusCode":401}') // string: "statusCode":401 ensure gateway returns 401
+    }
     throw new Error(`${action} error: failed to connect to database '${client.s.options.dbName}' - ${error.message}`)
   }
 
@@ -147,11 +151,12 @@ async function loadHandler (baseEntity, ctx) {
       }
     }
   }
-  const clientIdentifier = getClientIdentifier(ctx)
   if (!config.entity[baseEntity][clientIdentifier]) config.entity[baseEntity][clientIdentifier] = {}
   config.entity[baseEntity][clientIdentifier].collection = {}
   config.entity[baseEntity][clientIdentifier].collection.users = users
   config.entity[baseEntity][clientIdentifier].collection.groups = groups
+  config.entity[baseEntity].isLoaded = true
+  return clientIdentifier
 }
 
 // =================================================
@@ -173,6 +178,8 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
   const action = 'getUsers'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" getObj=${getObj ? JSON.stringify(getObj) : ''} attributes=${attributes}`)
 
+  const clientIdentifier = await loadHandler(baseEntity, ctx) // includes Auth PassThrough logic and loaded only once
+
   if (getObj.operator) { // convert to plugin supported syntax
     switch (getObj.operator) {
       case 'co':
@@ -203,10 +210,6 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
     }
   }
 
-  const clientIdentifier = getClientIdentifier(ctx)
-  if (ctx && !config.entity[baseEntity][clientIdentifier]) { // first (or previous failed) PassThrough attempt - have to load connection
-    await loadHandler(baseEntity, ctx)
-  }
   const users = config.entity[baseEntity][clientIdentifier].collection.users
   let findObj
 
@@ -275,6 +278,8 @@ scimgateway.createUser = async (baseEntity, userObj, ctx) => {
   const action = 'createUser'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" userObj=${JSON.stringify(userObj)}`)
 
+  const clientIdentifier = await loadHandler(baseEntity, ctx) // includes Auth PassThrough logic and loaded only once
+
   const notValid = scimgateway.notValidAttributes(userObj, validScimAttr) // We should check for unsupported endpoint attributes
   if (notValid) {
     throw new Error(`${action} error: unsupported scim attributes: ${notValid} (supporting only these attributes: ${validScimAttr.toString()})`)
@@ -308,7 +313,7 @@ scimgateway.createUser = async (baseEntity, userObj, ctx) => {
   userObj = encodeDotDate(userObj)
 
   try {
-    const users = config.entity[baseEntity].collection.users
+    const users = config.entity[baseEntity][clientIdentifier].collection.users
     await users.insertOne(userObj)
     return null
   } catch (err) {
@@ -327,7 +332,9 @@ scimgateway.deleteUser = async (baseEntity, id, ctx) => {
   const action = 'deleteUser'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id}`)
 
-  const users = config.entity[baseEntity].collection.users
+  const clientIdentifier = await loadHandler(baseEntity, ctx) // includes Auth PassThrough logic and loaded only once
+
+  const users = config.entity[baseEntity][clientIdentifier].collection.users
   try {
     /*
     const now = Date.now()
@@ -354,6 +361,8 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
   const action = 'modifyUser'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id} attrObj=${JSON.stringify(attrObj)}`)
 
+  const clientIdentifier = await loadHandler(baseEntity, ctx) // includes Auth PassThrough logic and loaded only once
+
   const notValid = scimgateway.notValidAttributes(attrObj, validScimAttr) // We should check for unsupported endpoint attributes
   if (notValid) {
     throw new Error(`${action} error: unsupported scim attributes: ${notValid} (supporting only these attributes: ${validScimAttr.toString()})`)
@@ -363,7 +372,7 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
   let res
 
   try {
-    const users = config.entity[baseEntity].collection.users
+    const users = config.entity[baseEntity][clientIdentifier].collection.users
     res = await users.find({ id }, { projection: { _id: 0 } }).toArray()
     if (res.length === 0) throw new Error('user does not exist')
     if (res.length > 1) throw new Error('user is not unique, more than one have been found')
@@ -474,7 +483,7 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
   userObj = encodeDotDate(userObj)
 
   try {
-    const users = config.entity[baseEntity].collection.users
+    const users = config.entity[baseEntity][clientIdentifier].collection.users
     await users.replaceOne({ id: id }, userObj)
     return null
   } catch (err) {
@@ -501,6 +510,8 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
   const action = 'getGroups'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" getObj=${getObj ? JSON.stringify(getObj) : ''} attributes=${attributes}`)
 
+  const clientIdentifier = await loadHandler(baseEntity, ctx) // includes Auth PassThrough logic and loaded only once
+
   if (getObj.operator) { // convert to plugin supported syntax
     switch (getObj.operator) {
       case 'co':
@@ -574,7 +585,7 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
 
   try {
     const projection = attributes.length > 0 ? getProjectionFromAttributes(attributes) : { _id: 0 }
-    const groups = config.entity[baseEntity].collection.groups
+    const groups = config.entity[baseEntity][clientIdentifier].collection.groups
     const groupsArr = await groups.find(findObj, { projection: projection }).sort({ _id: 1 }).skip(getObj.startIndex - 1).limit(getObj.count).toArray()
     const totalResults = await groups.countDocuments(findObj, { projection: projection })
     const arr = groupsArr.map((obj) => {
@@ -595,6 +606,8 @@ scimgateway.createGroup = async (baseEntity, groupObj, ctx) => {
   const action = 'createGroup'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" groupObj=${JSON.stringify(groupObj)}`)
 
+  const clientIdentifier = await loadHandler(baseEntity, ctx) // includes Auth PassThrough logic and loaded only once
+
   if (!groupObj.meta) {
     const now = Date.now()
     groupObj.meta = {
@@ -608,7 +621,7 @@ scimgateway.createGroup = async (baseEntity, groupObj, ctx) => {
   groupObj = encodeDotDate(groupObj)
 
   try {
-    const groups = config.entity[baseEntity].collection.groups
+    const groups = config.entity[baseEntity][clientIdentifier].collection.groups
     await groups.insertOne(groupObj)
     return null
   } catch (err) {
@@ -627,7 +640,9 @@ scimgateway.deleteGroup = async (baseEntity, id, ctx) => {
   const action = 'deleteGroup'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id}`)
 
-  const groups = config.entity[baseEntity].collection.groups
+  const clientIdentifier = await loadHandler(baseEntity, ctx) // includes Auth PassThrough logic and loaded only once
+
+  const groups = config.entity[baseEntity][clientIdentifier].collection.groups
   try {
     /*
     const now = Date.now()
@@ -654,8 +669,10 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
   const action = 'modifyGroup'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" id=${id} attrObj=${JSON.stringify(attrObj)}`)
 
-  const users = config.entity[baseEntity].collection.users
-  const groups = config.entity[baseEntity].collection.groups
+  const clientIdentifier = await loadHandler(baseEntity, ctx) // includes Auth PassThrough logic and loaded only once
+
+  const users = config.entity[baseEntity][clientIdentifier].collection.users
+  const groups = config.entity[baseEntity][clientIdentifier].collection.groups
   let res
   let isModified = false
 
@@ -851,3 +868,11 @@ process.on('SIGINT', () => {
     }
   }
 })
+
+// connect MongoDb and load users/groups
+if (!config.entity) throw new Error('error: configuration entity is missing')
+if (!scimgateway.authPassThroughAllowed) { // not using Auth PassThrough, loading db handler at startup using username/password from config
+  for (const baseEntity in config.entity) {
+    loadHandler(baseEntity)
+  }
+}

package/lib/plugin-scim.js

@@ -1,5 +1,5 @@
 // =================================================================================
-// File:    plugin-restful.js
+// File:    plugin-scim.js
 //
 // Author:  Jarle Elshaug
 //

package/lib/{plugin-forwardinc.js → plugin-soap.js}

@@ -1,5 +1,5 @@
 // =================================================================================
-// File:    plugin-forwardinc.js
+// File:    plugin-soap.js
 //
 // Author:  Jarle Elshaug
 //

package/lib/postinstall.js

@@ -29,7 +29,7 @@ if (!fsExistsSync('../../lib')) fs.mkdirSync('../../lib')
 
 if (!fsExistsSync('../../config/plugin-loki.json')) fs.writeFileSync('../../config/plugin-loki.json', fs.readFileSync('./config/plugin-loki.json'))
 if (!fsExistsSync('../../config/plugin-scim.json')) fs.writeFileSync('../../config/plugin-scim.json', fs.readFileSync('./config/plugin-scim.json'))
-if (!fsExistsSync('../../config/plugin-forwardinc.json')) fs.writeFileSync('../../config/plugin-forwardinc.json', fs.readFileSync('./config/plugin-forwardinc.json'))
+if (!fsExistsSync('../../config/plugin-soap.json')) fs.writeFileSync('../../config/plugin-soap.json', fs.readFileSync('./config/plugin-soap.json'))
 if (!fsExistsSync('../../config/plugin-mssql.json')) fs.writeFileSync('../../config/plugin-mssql.json', fs.readFileSync('./config/plugin-mssql.json'))
 if (!fsExistsSync('../../config/plugin-saphana.json')) fs.writeFileSync('../../config/plugin-saphana.json', fs.readFileSync('./config/plugin-saphana.json'))
 if (!fsExistsSync('../../config/plugin-api.json')) fs.writeFileSync('../../config/plugin-api.json', fs.readFileSync('./config/plugin-api.json'))
@@ -39,7 +39,7 @@ if (!fsExistsSync('../../config/plugin-mongodb.json')) fs.writeFileSync('../../c
 
 fs.writeFileSync('../../lib/plugin-loki.js', fs.readFileSync('./lib/plugin-loki.js'))
 fs.writeFileSync('../../lib/plugin-scim.js', fs.readFileSync('./lib/plugin-scim.js'))
-fs.writeFileSync('../../lib/plugin-forwardinc.js', fs.readFileSync('./lib/plugin-forwardinc.js'))
+fs.writeFileSync('../../lib/plugin-soap.js', fs.readFileSync('./lib/plugin-soap.js'))
 fs.writeFileSync('../../lib/plugin-mssql.js', fs.readFileSync('./lib/plugin-mssql.js'))
 fs.writeFileSync('../../lib/plugin-saphana.js', fs.readFileSync('./lib/plugin-saphana.js'))
 fs.writeFileSync('../../lib/plugin-api.js', fs.readFileSync('./lib/plugin-api.js'))

package/lib/scimgateway.js

@@ -1280,6 +1280,7 @@ const ScimGateway = function () {
         ctx.body = e
         return
       }
+      delete scimdata.id
       logger.debug(`${gwName}[${pluginName}] calling "${handle.modifyMethod}" and awaiting result`)
       try {
         await this[handle.modifyMethod](ctx.params.baseEntity, id, scimdata, ctx.ctxCopy)
@@ -1290,22 +1291,26 @@ const ScimGateway = function () {
         }
         logger.debug(`${gwName}[${pluginName}] calling "${handle.getMethod}" and awaiting result`)
         const res = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'id', operator: 'eq', value: id }, ctx.query.attributes ? ctx.query.attributes.split(',').map(item => item.trim()) : [], ctx.ctxCopy)
+
         scimdata = {
-          Resources: [],
-          totalResults: null
+          Resources: []
         }
         if (res) {
           if (res.Resources && Array.isArray(res.Resources)) {
             scimdata.Resources = res.Resources
-            scimdata.totalResults = res.totalResults
           } else if (Array.isArray(res)) scimdata.Resources = res
-          else if (typeof (res) === 'object' && Object.keys(res).length > 0) scimdata.Resources[0] = res
+          else if (typeof (res) === 'object') scimdata.Resources[0] = res
+          else scimdata.Resources = []
+        } else scimdata.Resources = []
+        if (scimdata.Resources.length === 0 || scimdata.Resources.length > 1) {
+          ctx.status = 204
+          return
         }
-        if (scimdata.Resources.length !== 1) throw new Error(`using ${handle.getMethod} to retrive user ${id} after ${handle.modifyMethod} but response did not include user object`)
+
         const location = ctx.origin + ctx.path
         ctx.set('Location', location)
-        scimdata.Resources[0] = addPrimaryAttrs(scimdata.Resources[0])
-        scimdata = utils.stripObj(scimdata.Resources[0], ctx.query.attributes, ctx.query.excludedAttributes)
+        const userObj = addPrimaryAttrs(scimdata.Resources[0])
+        scimdata = utils.stripObj(userObj, ctx.query.attributes, ctx.query.excludedAttributes)
         scimdata = addSchemas(scimdata, handle.description, isScimv2)
         ctx.status = 200
         ctx.body = scimdata
@@ -1362,17 +1367,27 @@ const ScimGateway = function () {
               }
             }
           }
+          if (config.scim.usePutGroupMemberOfUser) { // group member of user instead of default user member of group
+            if (clearedObj.groups && Array.isArray(clearedObj.groups)) {
+              for (let i = 0; i < clearedObj.groups.length; i++) {
+                if (clearedObj.groups[i].operation && clearedObj.groups[i].operation === 'delete') {
+                  clearedObj.groups.splice(i, 1) // delete
+                  i -= 1
+                }
+              }
+            }
+          }
         }
 
         // merge cleared object with the new
         const newObj = utils.extendObj(clearedObj, jsonBody)
         delete newObj.id
-        delete newObj.userName
-        delete newObj.externalId
-        delete newObj.groups // do not support "group member of users"
         delete newObj.schemas
         delete newObj.meta
-        if (handle.getMethod === handler.groups.getMethod) delete newObj.displayName
+        if (!config.scim.usePutGroupMemberOfUser) delete newObj.groups
+        // not allowing userName/displayName set to blank
+        if (!newObj.userName) delete newObj.userName
+        if (!newObj.displayName) delete newObj.displayName
 
         let [scimdata, err] = ScimGateway.prototype.convertedScim(newObj)
         if (err) throw err
@@ -1382,125 +1397,139 @@ const ScimGateway = function () {
         await this[handle.modifyMethod](ctx.params.baseEntity, id, scimdata, ctx.ctxCopy)
 
         // add/remove groups
-        if (jsonBody.groups && Array.isArray(jsonBody.groups)) { // only if groups included, { "groups": [] } will remove all existing
-          if (typeof this[handler.groups.getMethod] !== 'function' || typeof this[handler.groups.modifyMethod] !== 'function') {
-            throw new Error('replaceUser error: put operation can not be fully completed for the user`s groups, methods like getGroups() and modifyGroup() are not implemented')
-          }
-          let currentGroups
-          if (currentObj.groups && Array.isArray(currentObj.groups)) currentGroups = currentObj.groups
-          else { // try to get current groups the standard way
-            let res
-            try {
-              res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: decodeURIComponent(id) }, ['id', 'displayName'], ctx.ctxCopy)
-            } catch (err) {} // method may be implemented but throwing error like groups not supported/implemented
-            currentGroups = []
-            if (res && res.Resources && Array.isArray(res.Resources) && res.Resources.length > 0) {
-              for (let i = 0; i < res.Resources.length; i++) {
-                if (!res.Resources[i].id) continue
-                const el = {}
-                el.value = res.Resources[i].id
-                if (res.Resources[i].displayName) el.display = res.Resources[i].displayName
-                currentGroups.push(el) // { "value": "Admins", "display": "Admins"}
-              }
+        if (!config.scim.usePutGroupMemberOfUser) { // default user member of group
+          if (jsonBody.groups && Array.isArray(jsonBody.groups)) { // only if groups included, { "groups": [] } will remove all existing
+            if (typeof this[handler.groups.getMethod] !== 'function' || typeof this[handler.groups.modifyMethod] !== 'function') {
+              throw new Error('replaceUser error: put operation can not be fully completed for the user`s groups, methods like getGroups() and modifyGroup() are not implemented')
             }
-          }
-          currentGroups = currentGroups.map((el) => {
-            if (el.value) {
-              el.value = decodeURIComponent(el.value)
+            let currentGroups
+            if (currentObj.groups && Array.isArray(currentObj.groups)) currentGroups = currentObj.groups
+            else { // try to get current groups the standard way
+              let res
+              try {
+                res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: decodeURIComponent(id) }, ['id', 'displayName'], ctx.ctxCopy)
+              } catch (err) {} // method may be implemented but throwing error like groups not supported/implemented
+              currentGroups = []
+              if (res && res.Resources && Array.isArray(res.Resources) && res.Resources.length > 0) {
+                for (let i = 0; i < res.Resources.length; i++) {
+                  if (!res.Resources[i].id) continue
+                  const el = {}
+                  el.value = res.Resources[i].id
+                  if (res.Resources[i].displayName) el.display = res.Resources[i].displayName
+                  currentGroups.push(el) // { "value": "Admins", "display": "Admins"}
+                }
+              }
             }
-            return el
-          })
+            currentGroups = currentGroups.map((el) => {
+              if (el.value) {
+                el.value = decodeURIComponent(el.value)
+              }
+              return el
+            })
 
-          const addGrps = []
-          const removeGrps = []
-          // add
-          for (let i = 0; i < jsonBody.groups.length; i++) {
-            if (!jsonBody.groups[i].value) continue
-            jsonBody.groups[i].value = decodeURIComponent(jsonBody.groups[i].value)
-            let found = false
-            for (let j = 0; j < currentGroups.length; j++) {
-              if (jsonBody.groups[i].value === currentGroups[j].value) {
-                found = true
-                break
+            const addGrps = []
+            const removeGrps = []
+            // add
+            for (let i = 0; i < jsonBody.groups.length; i++) {
+              if (!jsonBody.groups[i].value) continue
+              jsonBody.groups[i].value = decodeURIComponent(jsonBody.groups[i].value)
+              let found = false
+              for (let j = 0; j < currentGroups.length; j++) {
+                if (jsonBody.groups[i].value === currentGroups[j].value) {
+                  found = true
+                  break
+                }
               }
+              if (!found && jsonBody.groups[i].value) addGrps.push(jsonBody.groups[i].value)
             }
-            if (!found && jsonBody.groups[i].value) addGrps.push(jsonBody.groups[i].value)
-          }
-          // remove
-          for (let i = 0; i < currentGroups.length; i++) {
-            let found = false
-            for (let j = 0; j < jsonBody.groups.length; j++) {
-              if (!jsonBody.groups[j].value) continue
-              jsonBody.groups[j].value = decodeURIComponent(jsonBody.groups[j].value)
-              if (currentGroups[i].value === jsonBody.groups[j].value) {
-                found = true
-                break
+            // remove
+            for (let i = 0; i < currentGroups.length; i++) {
+              let found = false
+              for (let j = 0; j < jsonBody.groups.length; j++) {
+                if (!jsonBody.groups[j].value) continue
+                jsonBody.groups[j].value = decodeURIComponent(jsonBody.groups[j].value)
+                if (currentGroups[i].value === jsonBody.groups[j].value) {
+                  found = true
+                  break
+                }
               }
+              if (!found && currentGroups[i].value) removeGrps.push(currentGroups[i].value)
             }
-            if (!found && currentGroups[i].value) removeGrps.push(currentGroups[i].value)
-          }
 
-          const addGroups = async (grp) => {
-            const obj = { members: [{ value: id }] }
-            return await this[handler.groups.modifyMethod](ctx.params.baseEntity, grp, obj, ctx.ctxCopy)
-          }
+            const addGroups = async (grp) => {
+              const obj = { members: [{ value: id }] }
+              return await this[handler.groups.modifyMethod](ctx.params.baseEntity, grp, obj, ctx.ctxCopy)
+            }
 
-          const removeGroups = async (grp) => {
-            const obj = { members: [{ operation: 'delete', value: id }] }
-            return await this[handler.groups.modifyMethod](ctx.params.baseEntity, grp, obj, ctx.ctxCopy)
-          }
+            const removeGroups = async (grp) => {
+              const obj = { members: [{ operation: 'delete', value: id }] }
+              return await this[handler.groups.modifyMethod](ctx.params.baseEntity, grp, obj, ctx.ctxCopy)
+            }
+
+            let errRemove
+            if (!config.scim.usePutSoftSync) { // default will remove any existing groups not included, usePutSoftSync=true prevents removing existing groups (only add groups)
+              await Promise.all(removeGrps.map((grp) => removeGroups(grp)))
+                .then()
+                .catch((err) => {
+                  errRemove = err
+                })
+            }
 
-          let errRemove
-          if (!config.scim.usePutSoftSync) { // default will remove any existing groups not included, usePutSoftSync=true prevents removing existing groups (only add groups)
-            await Promise.all(removeGrps.map((grp) => removeGroups(grp)))
+            let errAdd
+            await Promise.all(addGrps.map((grp) => addGroups(grp)))
               .then()
               .catch((err) => {
-                errRemove = err
+                errAdd = err
               })
-          }
-
-          let errAdd
-          await Promise.all(addGrps.map((grp) => addGroups(grp)))
-            .then()
-            .catch((err) => {
-              errAdd = err
-            })
 
-          let errMsg = ''
-          if (errRemove) errMsg = `removeGroups error: ${errRemove.message}`
-          if (errAdd) errMsg += `${errMsg ? ' ' : ''}addGroups error: ${errAdd.message}`
-          if (errMsg) throw new Error(errMsg)
+            let errMsg = ''
+            if (errRemove) errMsg = `removeGroups error: ${errRemove.message}`
+            if (errAdd) errMsg += `${errMsg ? ' ' : ''}addGroups error: ${errAdd.message}`
+            if (errMsg) throw new Error(errMsg)
+          }
         }
 
         // get updated object
         logger.debug(`${gwName}[${pluginName}] calling "${handle.getMethod}" and awaiting result`)
         res = await this[handle.getMethod](ctx.params.baseEntity, { attribute: 'id', operator: 'eq', value: id }, [], ctx.ctxCopy)
 
-        scimdata = {}
-        if (res && res.Resources && Array.isArray(res.Resources) && res.Resources.length === 1) scimdata = res.Resources[0]
-        else if (Array.isArray(res) && res.length === 1) scimdata = res[0]
-        else if (res && typeof (res) === 'object' && Object.keys(res).length > 0) scimdata = res
-        else throw Error(`put using method ${handle.getMethod} got unexpected response: ${JSON.stringify(res)}`)
+        scimdata = {
+          Resources: []
+        }
+        if (res) {
+          if (res.Resources && Array.isArray(res.Resources)) {
+            scimdata.Resources = res.Resources
+          } else if (Array.isArray(res)) scimdata.Resources = res
+          else if (typeof (res) === 'object') scimdata.Resources[0] = res
+          else scimdata.Resources = []
+        } else scimdata.Resources = []
+        if (scimdata.Resources.length === 0 || scimdata.Resources.length > 1) {
+          ctx.status = 204
+          return
+        }
+        scimdata = scimdata.Resources[0]
 
         // include groups
-        if (handle.getMethod === handler.users.getMethod && typeof this[handler.groups.getMethod] === 'function') {
-          logger.debug(`${gwName}[${pluginName}] calling "${handler.groups.getMethod}" and awaiting result`)
-          const res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: id }, ['id', 'displayName'], ctx.ctxCopy)
-          let grps = []
-          if (res && res.Resources && Array.isArray(res.Resources)) grps = res.Resources
-          else if (Array.isArray(res)) grps = res
-          else if (res && typeof (res) === 'object' && Object.keys(res).length > 0) grps = [res]
-          else throw Error(`put using method ${handler.groups.getMethod} got unexpected response: ${JSON.stringify(res)}`)
-
-          if (grps.length > 0) {
-            scimdata.groups = []
-            for (let i = 0; i < grps.length; i++) {
-              const el = {}
-              el.value = grps[i].id
-              if (grps[i].displayName) el.display = grps[i].displayName
-              if (isScimv2) el.type = 'direct'
-              else el.type = { value: 'direct' }
-              if (el.value) scimdata.groups.push(el) // { "value": "Admins", "display": "Admins", "type": "direct"}
+        if (!config.scim.usePutGroupMemberOfUser) { // default user member of group
+          if (handle.getMethod === handler.users.getMethod && typeof this[handler.groups.getMethod] === 'function') {
+            logger.debug(`${gwName}[${pluginName}] calling "${handler.groups.getMethod}" and awaiting result`)
+            const res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: id }, ['id', 'displayName'], ctx.ctxCopy)
+            let grps = []
+            if (res && res.Resources && Array.isArray(res.Resources)) grps = res.Resources
+            else if (Array.isArray(res)) grps = res
+            else if (res && typeof (res) === 'object' && Object.keys(res).length > 0) grps = [res]
+            else throw Error(`put using method ${handler.groups.getMethod} - got unexpected response: ${JSON.stringify(res)}`)
+
+            if (grps.length > 0) {
+              scimdata.groups = []
+              for (let i = 0; i < grps.length; i++) {
+                const el = {}
+                el.value = grps[i].id
+                if (grps[i].displayName) el.display = grps[i].displayName
+                if (isScimv2) el.type = 'direct'
+                else el.type = { value: 'direct' }
+                if (el.value) scimdata.groups.push(el) // { "value": "Admins", "display": "Admins", "type": "direct"}
+              }
             }
           }
         }

package/package.json

@@ -1,60 +1,60 @@
-{
-  "name": "scimgateway",
-  "version": "4.2.6",
-  "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
-  "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",
-  "homepage": "https://elshaug.xyz",
-  "license": "MIT",
-  "main": "lib/scimgateway.js",
-  "scripts": {
-    "postinstall": "node lib/postinstall.js",
-    "start": "node index.js",
-    "test": "mocha -R spec ./test"
-  },
-  "bin": {
-    "scimgateway": "./index.js"
-  },
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/jelhub/scimgateway.git"
-  },
-  "keywords": [
-    "scim",
-    "gateway",
-    "proxy",
-    "azure",
-    "identity",
-    "manager",
-    "provisioning",
-    "iga"
-  ],
-  "engines": {
-    "node": ">=14.0.0"
-  },
-  "dependencies": {
-    "@godaddy/terminus": "^4.11.2",
-    "callsite": "^1.0.0",
-    "dot-object": "^2.1.4",
-    "https-proxy-agent": "^5.0.1",
-    "is-in-subnet": "^4.0.1",
-    "jsonwebtoken": "^9.0.0",
-    "koa": "^2.14.0",
-    "koa-bodyparser": "^4.3.0",
-    "koa-router": "^12.0.0",
-    "ldapjs": "^2.3.3",
-    "lokijs": "^1.5.12",
-    "mongodb": "^4.12.1",
-    "node-machine-id": "1.1.9",
-    "nodemailer": "^6.8.0",
-    "passport": "^0.6.0",
-    "passport-azure-ad": "^4.3.4",
-    "soap": "^0.45.0",
-    "tedious": "^15.1.2",
-    "winston": "^3.8.2"
-  },
-  "devDependencies": {
-    "chai": "^4.2.0",
-    "mocha": "^9.2.0",
-    "supertest": "^4.0.2"
-  }
-}
+{
+  "name": "scimgateway",
+  "version": "4.2.8",
+  "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
+  "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",
+  "homepage": "https://elshaug.xyz",
+  "license": "MIT",
+  "main": "lib/scimgateway.js",
+  "scripts": {
+    "postinstall": "node lib/postinstall.js",
+    "start": "node index.js",
+    "test": "mocha -R spec ./test"
+  },
+  "bin": {
+    "scimgateway": "./index.js"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/jelhub/scimgateway.git"
+  },
+  "keywords": [
+    "scim",
+    "gateway",
+    "proxy",
+    "azure",
+    "identity",
+    "manager",
+    "provisioning",
+    "iga"
+  ],
+  "engines": {
+    "node": ">=14.0.0"
+  },
+  "dependencies": {
+    "@godaddy/terminus": "^4.12.0",
+    "callsite": "^1.0.0",
+    "dot-object": "^2.1.4",
+    "https-proxy-agent": "^5.0.1",
+    "is-in-subnet": "^4.0.1",
+    "jsonwebtoken": "^9.0.0",
+    "koa": "^2.14.2",
+    "koa-bodyparser": "^4.4.0",
+    "koa-router": "^12.0.0",
+    "ldapjs": "^3.0.2",
+    "lokijs": "^1.5.12",
+    "mongodb": "^5.6.0",
+    "node-machine-id": "1.1.9",
+    "nodemailer": "^6.9.3",
+    "passport": "^0.6.0",
+    "passport-azure-ad": "^4.3.5",
+    "soap": "^1.0.0",
+    "tedious": "^16.1.0",
+    "winston": "^3.9.0"
+  },
+  "devDependencies": {
+    "chai": "^4.2.0",
+    "mocha": "^9.2.0",
+    "supertest": "^6.3.3"
+  }
+}