scimgateway 4.3.0 → 4.4.0

package/lib/plugin-api.js

@@ -33,7 +33,6 @@ const URL = require('url').URL
 const querystring = require('querystring')
 
 // mandatory plugin initialization - start
-const path = require('path')
 let ScimGateway = null
 try {
   ScimGateway = require('scimgateway')
@@ -41,15 +40,16 @@ try {
   ScimGateway = require('./scimgateway')
 }
 const scimgateway = new ScimGateway()
-const pluginName = path.basename(__filename, '.js')
-const configDir = path.join(__dirname, '..', 'config')
-const configFile = path.join(`${configDir}`, `${pluginName}.json`)
+const pluginName = scimgateway.pluginName
+// const configDir = scimgateway.configDir
+const configFile = scimgateway.configFile
 let config = require(configFile).endpoint
 config = scimgateway.processExtConfig(pluginName, config) // add any external config process.env and process.file
 scimgateway.authPassThroughAllowed = false // true enables auth passThrough (no scimgateway authentication). scimgateway instead includes ctx (ctx.request.header) in plugin methods. Note, requires plugin-logic for handling/passing ctx.request.header.authorization to be used in endpoint communication
 // mandatory plugin initialization - end
 
 const _serviceClient = {}
+const lock = new scimgateway.Lock()
 
 // =================================================
 // postApi
@@ -213,6 +213,10 @@ scimgateway.deleteApi = async (baseEntity, id, ctx) => {
 // helpers
 // =================================================
 
+//
+// start - REST endpoint template
+//
+
 const getClientIdentifier = (ctx) => {
   if (!ctx?.request?.header?.authorization) return undefined
   const [user, secret] = getCtxAuth(ctx)
@@ -222,7 +226,7 @@ const getClientIdentifier = (ctx) => {
 //
 // getCtxAuth returns username/secret from ctx header when using Auth PassThrough
 //
-const getCtxAuth = (ctx) => { // eslint-disable-line
+const getCtxAuth = (ctx) => {
   if (!ctx?.request?.header?.authorization) return []
   const [authType, authToken] = (ctx.request.header.authorization || '').split(' ') // [0] = 'Basic' or 'Bearer'
   let username, password
@@ -231,6 +235,85 @@ const getCtxAuth = (ctx) => { // eslint-disable-line
   else return [undefined, authToken] // bearer auth
 }
 
+//
+// getAccessToken - returns oauth accesstoken
+//
+const getAccessToken = async (baseEntity, ctx) => {
+  await lock.acquire()
+  const clientIdentifier = getClientIdentifier(ctx)
+  const d = new Date() / 1000 // seconds (unix time)
+  if (_serviceClient[baseEntity] && _serviceClient[baseEntity][clientIdentifier] && _serviceClient[baseEntity][clientIdentifier].accessToken &&
+   (_serviceClient[baseEntity][clientIdentifier].accessToken.validTo >= d + 30)) { // avoid simultaneously token requests
+    lock.release()
+    return _serviceClient[baseEntity][clientIdentifier].accessToken
+  }
+
+  const action = 'getAccessToken'
+  scimgateway.logger.debug(`${pluginName}[${baseEntity}] ${action}: Retrieving accesstoken`)
+
+  const method = 'POST'
+  const [, secret] = getCtxAuth(ctx) // if Auth PassTrough, secret from basic or bearer auth
+  let tokenUrl
+  let form
+
+  if (config.entity[baseEntity].oauth) {
+    let resource
+    try {
+      const urlObj = new URL(config.entity[baseEntity].baseUrls[0])
+      resource = urlObj.origin
+    } catch (err) {
+      resource = null
+    }
+    if (config.entity[baseEntity].oauth.tenantIdGUID) { // Azure
+      tokenUrl = `https://login.microsoftonline.com/${config.entity[baseEntity].oauth.tenantIdGUID}/oauth2/token`
+    } else {
+      tokenUrl = `https://login.microsoftonline.com/${config.entity[baseEntity].oauth.tokenUrl}`
+    }
+    form = {
+      grant_type: 'client_credentials',
+      client_id: config.entity[baseEntity].oauth.clientId,
+      client_secret: secret || scimgateway.getPassword(`endpoint.entity.${baseEntity}.oauth.clientSecret`, configFile), // using config if no Auth PassThrough
+      resource: resource // "https://graph.microsoft.com"
+    }
+  } else {
+    const err = new Error(`[${action}] missing supported endpoint authentication configuration`)
+    lock.release()
+    throw (err)
+  }
+
+  const options = {
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded' // body must be query string formatted (no JSON)
+    }
+  }
+
+  try {
+    const response = await doRequest(baseEntity, method, tokenUrl, form, ctx, options)
+    if (!response.body) {
+      const err = new Error(`[${action}] No data retrieved from: ${method} ${tokenUrl}`)
+      throw (err)
+    }
+    const jbody = response.body
+    if (jbody.error) {
+      const err = new Error(`[${action}] Error message: ${jbody.error_description}`)
+      throw (err)
+    } else if (!jbody.access_token || !jbody.expires_in) {
+      const err = new Error(`[${action}] Error message: Retrieved invalid token response`)
+      throw (err)
+    }
+
+    const d = new Date() / 1000 // seconds (unix time)
+    jbody.validTo = d + parseInt(jbody.expires_in) // instead of using expires_on (clock may not be in sync with NTP, AAD default expires_in = 3600 seconds)
+    scimgateway.logger.silly(`${pluginName}[${baseEntity}] ${action}: AccessToken =  ${jbody.access_token}`)
+
+    lock.release()
+    return jbody
+  } catch (err) {
+    lock.release()
+    throw (err)
+  }
+}
+
 //
 // getServiceClient - returns options needed for connection parameters
 //
@@ -243,6 +326,11 @@ const getCtxAuth = (ctx) => { // eslint-disable-line
 const getServiceClient = async (baseEntity, method, path, opt, ctx) => {
   const action = 'getServiceClient'
 
+  let authType
+  if (config.entity[baseEntity].basicAuth) authType = 'basicAuth'
+  else if (config.entity[baseEntity].oauth) authType = 'oauth'
+  else if (config.entity[baseEntity].bearerAuth) authType = 'bearerAuth'
+
   let urlObj
   if (!path) path = ''
   try {
@@ -251,17 +339,38 @@ const getServiceClient = async (baseEntity, method, path, opt, ctx) => {
     //
     // path (no url) - default approach and client will be cached based on config
     //
+
     const clientIdentifier = getClientIdentifier(ctx)
-    if (_serviceClient[baseEntity] && _serviceClient[baseEntity][clientIdentifier]) { // serviceClient already exist
+    if (_serviceClient[baseEntity] && _serviceClient[baseEntity][clientIdentifier]) { // serviceClient already exist - Azure plugin specific
       scimgateway.logger.debug(`${pluginName}[${baseEntity}] ${action}: Using existing client`)
+      if (_serviceClient[baseEntity][clientIdentifier].accessToken) {
+      // check if token refresh is needed when using oauth
+        const d = new Date() / 1000 // seconds (unix time)
+        if (_serviceClient[baseEntity][clientIdentifier].accessToken.validTo < d + 30) { // less than 30 sec before token expiration
+          scimgateway.logger.debug(`${pluginName}[${baseEntity}] ${action}: Accesstoken about to expire in ${_serviceClient[baseEntity][clientIdentifier].accessToken.validTo - d} seconds`)
+          try {
+            const accessToken = await getAccessToken(baseEntity, ctx)
+            _serviceClient[baseEntity][clientIdentifier].accessToken = accessToken
+            _serviceClient[baseEntity][clientIdentifier].options.headers.Authorization = ` Bearer ${accessToken.access_token}`
+          } catch (err) {
+            delete _serviceClient[baseEntity][clientIdentifier]
+            const newErr = err
+            throw newErr
+          }
+        }
+      }
     } else {
       scimgateway.logger.debug(`${pluginName}[${baseEntity}] ${action}: Client have to be created`)
       let client = null
       if (config.entity && config.entity[baseEntity]) client = config.entity[baseEntity]
       if (!client) {
-        throw new Error(`Base URL have baseEntity=${baseEntity}, and configuration file ${pluginName}.json is missing required baseEntity configuration for ${baseEntity}`)
+        const err = new Error(`Base URL have baseEntity=${baseEntity}, and configuration file ${pluginName}.json is missing required baseEntity configuration for ${baseEntity}`)
+        throw err
+      }
+      if (!config.entity[baseEntity].baseUrls || !Array.isArray(config.entity[baseEntity].baseUrls) || config.entity[baseEntity].baseUrls.length < 1) {
+        const err = new Error(`missing configuration entity.${baseEntity}.baseUrls`)
+        throw err
       }
-
       urlObj = new URL(config.entity[baseEntity].baseUrls[0])
       const param = {
         baseUrl: config.entity[baseEntity].baseUrls[0],
@@ -269,17 +378,46 @@ const getServiceClient = async (baseEntity, method, path, opt, ctx) => {
           json: true, // json-object response instead of string
           headers: {
             'Content-Type': 'application/json',
-            // Auth PassThrough or configuration, using ctx "AS-IS" header for PassThrough. For more advanced logic use getCtxAuth(ctx) - see examples in other plugins
-            Authorization: ctx?.request?.header?.authorization ? ctx.request.header.authorization : 'Basic ' + Buffer.from(`${config.entity[baseEntity].username}:${scimgateway.getPassword(`endpoint.entity.${baseEntity}.password`, configFile)}`).toString('base64')
+            Accept: 'application/json'
           },
           host: urlObj.hostname,
           port: urlObj.port, // null if https and 443 defined in url
-          protocol: urlObj.protocol, // http: or https:
-          rejectUnauthorized: false // accepts self-siged certificates
+          protocol: urlObj.protocol // http: or https:
           // 'method' and 'path' added at the end
         }
       }
 
+      if (ctx?.request?.header?.authorization) { // Auth PassThrough using ctx header
+        param.options.headers.Authorization = ctx.request.header.authorization
+      } else {
+        switch (authType) {
+          case 'basicAuth':
+            if (!config.entity[baseEntity].basicAuth.username || !config.entity[baseEntity].basicAuth.password) {
+              const err = new Error(`missing configuration entity.${baseEntity}.basicAuth.username/password`)
+              throw err
+            }
+            param.options.headers.Authorization = 'Basic ' + Buffer.from(`${config.entity[baseEntity].basicAuth.username}:${scimgateway.getPassword(`endpoint.entity.${baseEntity}.basicAuth.password`, configFile)}`).toString('base64')
+            break
+          case 'oauth':
+            if (!config.entity[baseEntity].oauth.clientId || !config.entity[baseEntity].oauth.clientSecret) {
+              const err = new Error(`missing configuration entity.${baseEntity}.oauth.clientId/clientSecret`)
+              throw err
+            }
+            param.accessToken = await getAccessToken(baseEntity, ctx)
+            param.options.headers.Authorization = `Bearer ${param.accessToken.access_token}`
+            break
+          case 'bearerAuth':
+            if (!config.entity[baseEntity].bearerAuth.token) {
+              const err = new Error(`missing configuration entity.${baseEntity}.bearerAuth.token`)
+              throw err
+            }
+            param.options.headers.Authorization = 'Bearer ' + Buffer.from(`${scimgateway.getPassword(`endpoint.entity.${baseEntity}.bearerAuth.token`, configFile)}`).toString('base64')
+            break
+          default:
+            // no auth
+        }
+      }
+
       // proxy
       if (config.entity[baseEntity].proxy && config.entity[baseEntity].proxy.host) {
         const agent = new HttpsProxyAgent(config.entity[baseEntity].proxy.host)
@@ -289,9 +427,17 @@ const getServiceClient = async (baseEntity, method, path, opt, ctx) => {
         }
       }
 
+      // config options
+      if (config.entity[baseEntity].options) param.options = scimgateway.extendObj(param.options, config.entity[baseEntity].options)
+
       if (!_serviceClient[baseEntity]) _serviceClient[baseEntity] = {}
       if (!_serviceClient[baseEntity][clientIdentifier]) _serviceClient[baseEntity][clientIdentifier] = {}
       _serviceClient[baseEntity][clientIdentifier] = param // serviceClient created
+
+      // OData support - note, not using [clientIdentifier]
+      _serviceClient[baseEntity].nextLink = {}
+      _serviceClient[baseEntity].nextLink.users = null // Azure users pagination
+      _serviceClient[baseEntity].nextLink.groups = null // Azure groups pagination
     }
 
     const cli = scimgateway.copyObj(_serviceClient[baseEntity][clientIdentifier]) // client ready
@@ -358,9 +504,11 @@ const updateServiceClient = (baseEntity, clientIdentifier, obj) => {
 // doRequest - execute REST service
 //
 const doRequest = async (baseEntity, method, path, body, ctx, opt, retryCount) => {
+  let retryAfter = 0
   try {
     const cli = await getServiceClient(baseEntity, method, path, opt, ctx)
     const options = cli.options
+
     const result = await new Promise((resolve, reject) => {
       let dataString = ''
       if (body) {
@@ -391,7 +539,14 @@ const doRequest = async (baseEntity, method, path, body, ctx, opt, retryCount) =
           try {
             if (responseString) response.body = JSON.parse(responseString)
           } catch (err) { response.body = responseString }
-          if (statusCode < 200 || statusCode > 299) reject(new Error(JSON.stringify(response)))
+          if (statusCode < 200 || statusCode > 299) {
+            if (statusCode === 429) { // throttle
+              const v = res.headers['retry-after']
+              if (!isNaN(v)) retryAfter = parseInt(v, 10) + 1
+              else retryAfter = 10
+            }
+            reject(new Error(JSON.stringify(response)))
+          }
           resolve(response)
         })
       }) // req
@@ -410,17 +565,28 @@ const doRequest = async (baseEntity, method, path, body, ctx, opt, retryCount) =
       req.end()
     }) // Promise
 
-    scimgateway.logger.debug(`${pluginName}[${baseEntity}] doRequest ${method} ${options.protocol}//${options.host}${(options.port ? `:${options.port}` : '')}${path} Body = ${JSON.stringify(body)} Response = ${JSON.stringify(result)}`)
+    scimgateway.logger.debug(`${pluginName}[${baseEntity}] doRequest ${method} ${options.protocol}//${options.host}${(options.port ? `:${options.port}` : '')}${options.path} Body = ${JSON.stringify(body)} Response = ${JSON.stringify(result)}`)
     return result
   } catch (err) { // includes failover/retry logic based on config baseUrls array
-    scimgateway.logger.error(`${pluginName}[${baseEntity}] doRequest ${method} ${path} Body = ${JSON.stringify(body)} Error Response = ${err.message}`)
     let statusCode
     try { statusCode = JSON.parse(err.message).statusCode } catch (e) {}
+    if (statusCode === 404) { // not logged as error, let caller decide e.g. getUser-manager
+      scimgateway.logger.debug(`${pluginName}[${baseEntity}] doRequest ${method} ${path} Body = ${JSON.stringify(body)} Error Response = ${err.message}`)
+    } else scimgateway.logger.error(`${pluginName}[${baseEntity}] doRequest ${method} ${path} Body = ${JSON.stringify(body)} Error Response = ${err.message}`)
     const clientIdentifier = getClientIdentifier(ctx)
+    if (err.message.includes('ratelimit')) { // have seen throttling not follow standard 429/retry-after, but instead using 500 and error message only
+      if (!retryAfter) retryAfter = 60
+    }
     if (!retryCount) retryCount = 0
     let urlObj
     try { urlObj = new URL(path) } catch (err) {}
-    if (!urlObj && (err.code === 'ECONNREFUSED' || err.code === 'ENOTFOUND')) {
+    if (!urlObj && (err.code === 'ECONNREFUSED' || err.code === 'ENOTFOUND' || err.code === 'ETIMEDOUT' || retryAfter)) {
+      if (retryAfter) {
+        scimgateway.logger.debug(`${pluginName}[${baseEntity}] doRequest ${method} ${path} throttle/ratelimit error - awaiting ${retryAfter} seconds before automatic retry`)
+        await new Promise((resolve, reject) => setTimeout(function () {
+          resolve()
+        }, retryAfter * 1000))
+      }
       if (retryCount < config.entity[baseEntity].baseUrls.length) {
         retryCount++
         updateServiceClient(baseEntity, clientIdentifier, { baseUrl: config.entity[baseEntity].baseUrls[retryCount - 1] })
@@ -435,11 +601,15 @@ const doRequest = async (baseEntity, method, path, body, ctx, opt, retryCount) =
       }
     } else {
       if (statusCode === 401 && _serviceClient[baseEntity]) delete _serviceClient[baseEntity][clientIdentifier]
-      throw err // CA IM retries getUsers failure once (retry 6 times on ECONNREFUSED)
+      throw err // CA IM retries getUser failure once (retry 6 times on ECONNREFUSED)
     }
   }
 } // doRequest
 
+//
+// end - REST endpoint template
+//
+
 //
 // Cleanup on exit
 //

package/lib/plugin-entra-id.js

@@ -74,7 +74,6 @@ const URL = require('url').URL
 const querystring = require('querystring')
 
 // mandatory plugin initialization - start
-const path = require('path')
 let ScimGateway = null
 try {
   ScimGateway = require('scimgateway')
@@ -82,9 +81,9 @@ try {
   ScimGateway = require('./scimgateway')
 }
 const scimgateway = new ScimGateway()
-const pluginName = path.basename(__filename, '.js')
-const configDir = path.join(__dirname, '..', 'config')
-const configFile = path.join(`${configDir}`, `${pluginName}.json`)
+const pluginName = scimgateway.pluginName
+// const configDir = scimgateway.configDir
+const configFile = scimgateway.configFile
 let config = require(configFile).endpoint
 config = scimgateway.processExtConfig(pluginName, config) // add any external config process.env and process.file
 scimgateway.authPassThroughAllowed = false // true enables auth passThrough (no scimgateway authentication). scimgateway instead includes ctx (ctx.request.header) in plugin methods. Note, requires plugin-logic for handling/passing ctx.request.header.authorization to be used in endpoint communication
@@ -1301,6 +1300,7 @@ const updateServiceClient = (baseEntity, clientIdentifier, obj) => {
 // doRequest - execute REST service
 //
 const doRequest = async (baseEntity, method, path, body, ctx, opt, retryCount) => {
+  let retryAfter = 0
   try {
     const cli = await getServiceClient(baseEntity, method, path, opt, ctx)
     const options = cli.options
@@ -1335,7 +1335,14 @@ const doRequest = async (baseEntity, method, path, body, ctx, opt, retryCount) =
           try {
             if (responseString) response.body = JSON.parse(responseString)
           } catch (err) { response.body = responseString }
-          if (statusCode < 200 || statusCode > 299) reject(new Error(JSON.stringify(response)))
+          if (statusCode < 200 || statusCode > 299) {
+            if (statusCode === 429) { // throttle
+              const v = res.headers['retry-after']
+              if (!isNaN(v)) retryAfter = parseInt(v, 10) + 1
+              else retryAfter = 10
+            }
+            reject(new Error(JSON.stringify(response)))
+          }
           resolve(response)
         })
       }) // req
@@ -1363,10 +1370,19 @@ const doRequest = async (baseEntity, method, path, body, ctx, opt, retryCount) =
       scimgateway.logger.debug(`${pluginName}[${baseEntity}] doRequest ${method} ${path} Body = ${JSON.stringify(body)} Error Response = ${err.message}`)
     } else scimgateway.logger.error(`${pluginName}[${baseEntity}] doRequest ${method} ${path} Body = ${JSON.stringify(body)} Error Response = ${err.message}`)
     const clientIdentifier = getClientIdentifier(ctx)
+    if (err.message.includes('ratelimit')) { // have seen throttling not follow standard 429/retry-after, but instead using 500 and error message only
+      if (!retryAfter) retryAfter = 60
+    }
     if (!retryCount) retryCount = 0
     let urlObj
     try { urlObj = new URL(path) } catch (err) {}
-    if (!urlObj && (err.code === 'ECONNREFUSED' || err.code === 'ENOTFOUND' || err.code === 'ETIMEDOUT')) {
+    if (!urlObj && (err.code === 'ECONNREFUSED' || err.code === 'ENOTFOUND' || err.code === 'ETIMEDOUT' || retryAfter)) {
+      if (retryAfter) {
+        scimgateway.logger.debug(`${pluginName}[${baseEntity}] doRequest ${method} ${path} throttle/ratelimit error - awaiting ${retryAfter} seconds before automatic retry`)
+        await new Promise((resolve, reject) => setTimeout(function () {
+          resolve()
+        }, retryAfter * 1000))
+      }
       if (retryCount < config.entity[baseEntity].baseUrls.length) {
         retryCount++
         updateServiceClient(baseEntity, clientIdentifier, { baseUrl: config.entity[baseEntity].baseUrls[retryCount - 1] })

package/lib/plugin-ldap.js

@@ -72,7 +72,6 @@
 const ldap = require('ldapjs')
 
 // mandatory plugin initialization - start
-const path = require('path')
 let ScimGateway = null
 try {
   ScimGateway = require('scimgateway')
@@ -80,9 +79,9 @@ try {
   ScimGateway = require('./scimgateway')
 }
 const scimgateway = new ScimGateway()
-const pluginName = path.basename(__filename, '.js')
-const configDir = path.join(__dirname, '..', 'config')
-const configFile = path.join(`${configDir}`, `${pluginName}.json`)
+const pluginName = scimgateway.pluginName
+// const configDir = scimgateway.configDir
+const configFile = scimgateway.configFile
 let config = require(configFile).endpoint
 config = scimgateway.processExtConfig(pluginName, config) // add any external config process.env and process.file
 scimgateway.authPassThroughAllowed = false // true enables auth passThrough (no scimgateway authentication). scimgateway instead includes ctx (ctx.request.header) in plugin methods. Note, requires plugin-logic for handling/passing ctx.request.header.authorization to be used in endpoint communication
@@ -1055,7 +1054,7 @@ const doRequest = async (baseEntity, method, base, ldapOptions, ctx) => {
         options.paged = { pageSize: 200, pagePause: false } // parse entire directory calling 'page' method for each page
         result = await new Promise((resolve, reject) => {
           const results = []
-          client.search(base, options, (err, search) => {
+          client.search(base, scimgateway.copyObj(options), (err, search) => {
             if (err) {
               return reject(err)
             }

package/lib/plugin-loki.js

@@ -27,9 +27,9 @@
 'use strict'
 
 const Loki = require('lokijs')
+const path = require('path')
 
 // mandatory plugin initialization - start
-const path = require('path')
 let ScimGateway = null
 try {
   ScimGateway = require('scimgateway')
@@ -37,10 +37,9 @@ try {
   ScimGateway = require('./scimgateway')
 }
 const scimgateway = new ScimGateway()
-const pluginName = path.basename(__filename, '.js')
-const configDir = path.join(__dirname, '..', 'config')
-const configFile = path.join(`${configDir}`, `${pluginName}.json`)
-const validScimAttr = [] // empty array - all attrbutes are supported by endpoint
+const pluginName = scimgateway.pluginName
+const configDir = scimgateway.configDir
+const configFile = scimgateway.configFile
 let config = require(configFile).endpoint
 config = scimgateway.processExtConfig(pluginName, config) // add any external config process.env and process.file
 scimgateway.authPassThroughAllowed = false // true enables auth passThrough (no scimgateway authentication). scimgateway instead includes ctx (ctx.request.header) in plugin methods. Note, requires plugin-logic for handling/passing ctx.request.header.authorization to be used in endpoint communication
@@ -105,7 +104,6 @@ for (const baseEntity in config.entity) {
     config.entity[baseEntity].groups = groups
   }
 
-  // if (db.options.autoload === false) loadHandler(baseEntity)
   if (!isPersisence) loadHandler()
 }
 
@@ -222,10 +220,6 @@ scimgateway.createUser = async (baseEntity, userObj, ctx) => {
 
   if (!config.entity[baseEntity]) throw new Error(`unsupported baseEntity=${baseEntity}`)
   const users = config.entity[baseEntity].users
-  const notValid = scimgateway.notValidAttributes(userObj, validScimAttr) // We should check for unsupported endpoint attributes
-  if (notValid) {
-    throw new Error(`${action} error: unsupported scim attributes: ${notValid} (supporting only these attributes: ${validScimAttr.toString()})`)
-  }
 
   if (userObj.password) delete userObj.password // exclude password db not ecrypted
   for (const key in userObj) {
@@ -281,10 +275,6 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
 
   if (!config.entity[baseEntity]) throw new Error(`unsupported baseEntity=${baseEntity}`)
   const users = config.entity[baseEntity].users
-  const notValid = scimgateway.notValidAttributes(attrObj, validScimAttr) // We should check for unsupported endpoint attributes
-  if (notValid) {
-    throw new Error(`${action} error: unsupported scim attributes: ${notValid} (supporting only these attributes: ${validScimAttr.toString()})`)
-  }
   if (attrObj.password) delete attrObj.password // exclude password db not ecrypted
 
   const res = users.find({ id: id })

package/lib/plugin-mongodb.js

@@ -27,7 +27,6 @@
 const MongoClient = require('mongodb').MongoClient
 
 // mandatory plugin initialization - start
-const path = require('path')
 let ScimGateway = null
 try {
   ScimGateway = require('./scimgateway')
@@ -35,10 +34,9 @@ try {
   ScimGateway = require('scimgateway')
 }
 const scimgateway = new ScimGateway()
-const pluginName = path.basename(__filename, '.js')
-const configDir = path.join(__dirname, '..', 'config')
-const configFile = path.join(`${configDir}`, `${pluginName}.json`)
-const validScimAttr = [] // empty array - all attrbutes are supported by endpoint
+const pluginName = scimgateway.pluginName
+// const configDir = scimgateway.configDir
+const configFile = scimgateway.configFile
 let config = require(configFile).endpoint
 config = scimgateway.processExtConfig(pluginName, config) // add any external config process.env and process.file
 scimgateway.authPassThroughAllowed = false // true enables auth passThrough (no scimgateway authentication). scimgateway instead includes ctx (ctx.request.header) in plugin methods. Note, requires plugin-logic for handling/passing ctx.request.header.authorization to be used in endpoint communication
@@ -280,11 +278,6 @@ scimgateway.createUser = async (baseEntity, userObj, ctx) => {
 
   const clientIdentifier = await loadHandler(baseEntity, ctx) // includes Auth PassThrough logic and loaded only once
 
-  const notValid = scimgateway.notValidAttributes(userObj, validScimAttr) // We should check for unsupported endpoint attributes
-  if (notValid) {
-    throw new Error(`${action} error: unsupported scim attributes: ${notValid} (supporting only these attributes: ${validScimAttr.toString()})`)
-  }
-
   if (userObj.password) delete userObj.password // exclude password db not ecrypted
   for (const key in userObj) {
     if (!Array.isArray(userObj[key]) && scimgateway.isMultiValueTypes(key)) { // true if attribute is "type converted object" => convert to standard array
@@ -363,14 +356,8 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
 
   const clientIdentifier = await loadHandler(baseEntity, ctx) // includes Auth PassThrough logic and loaded only once
 
-  const notValid = scimgateway.notValidAttributes(attrObj, validScimAttr) // We should check for unsupported endpoint attributes
-  if (notValid) {
-    throw new Error(`${action} error: unsupported scim attributes: ${notValid} (supporting only these attributes: ${validScimAttr.toString()})`)
-  }
   if (attrObj.password) delete attrObj.password // exclude password db not ecrypted
-
   let res
-
   try {
     const users = config.entity[baseEntity][clientIdentifier].collection.users
     res = await users.find({ id }, { projection: { _id: 0 } }).toArray()

package/lib/plugin-mssql.js

@@ -38,7 +38,6 @@ const Connection = require('tedious').Connection
 const Request = require('tedious').Request
 
 // mandatory plugin initialization - start
-const path = require('path')
 let ScimGateway = null
 try {
   ScimGateway = require('scimgateway')
@@ -46,21 +45,9 @@ try {
   ScimGateway = require('./scimgateway')
 }
 const scimgateway = new ScimGateway()
-const pluginName = path.basename(__filename, '.js')
-const configDir = path.join(__dirname, '..', 'config')
-const configFile = path.join(`${configDir}`, `${pluginName}.json`)
-const validScimAttr = [ // array containing scim attributes supported by our plugin code. Empty array - all attrbutes are supported by endpoint
-  'userName', // userName is mandatory
-  'active', // active is mandatory
-  'password',
-  'name.givenName',
-  'name.middleName',
-  'name.familyName',
-  // "emails",         // accepts all multivalues for this key
-  'emails.work', // accepts multivalues if type value equal work (lowercase)
-  // "phoneNumbers",
-  'phoneNumbers.work'
-]
+const pluginName = scimgateway.pluginName
+// const configDir = scimgateway.configDir
+const configFile = scimgateway.configFile
 let config = require(configFile).endpoint
 config = scimgateway.processExtConfig(pluginName, config) // add any external config process.env and process.file
 scimgateway.authPassThroughAllowed = false // true enables auth passThrough (no scimgateway authentication). scimgateway instead includes ctx (ctx.request.header) in plugin methods. Note, requires plugin-logic for handling/passing ctx.request.header.authorization to be used in endpoint communication
@@ -181,12 +168,6 @@ scimgateway.createUser = async (baseEntity, userObj, ctx) => {
 
   try {
     return await new Promise((resolve, reject) => {
-      const notValid = scimgateway.notValidAttributes(userObj, validScimAttr)
-      if (notValid) {
-        const err = Error(`unsupported scim attributes: ${notValid} (supporting only these attributes: ${validScimAttr.toString()})`)
-        return reject(err)
-      }
-
       if (!userObj.name) userObj.name = {}
       if (!userObj.emails) userObj.emails = { work: {} }
       if (!userObj.phoneNumbers) userObj.phoneNumbers = { work: {} }
@@ -292,12 +273,6 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
 
   try {
     return await new Promise((resolve, reject) => {
-      const notValid = scimgateway.notValidAttributes(attrObj, validScimAttr)
-      if (notValid) {
-        const err = new Error(`unsupported scim attributes: ${notValid} (supporting only these attributes: ${validScimAttr.toString()})`)
-        return reject(err)
-      }
-
       if (!attrObj.name) attrObj.name = {}
       if (!attrObj.emails) attrObj.emails = { work: {} }
       if (!attrObj.phoneNumbers) attrObj.phoneNumbers = { work: {} }

package/lib/plugin-saphana.js

@@ -22,7 +22,6 @@
 const hdb = require('hdb')
 
 // mandatory plugin initialization - start
-const path = require('path')
 let ScimGateway = null
 try {
   ScimGateway = require('scimgateway')
@@ -30,13 +29,9 @@ try {
   ScimGateway = require('./scimgateway')
 }
 const scimgateway = new ScimGateway()
-const pluginName = path.basename(__filename, '.js')
-const configDir = path.join(__dirname, '..', 'config')
-const configFile = path.join(`${configDir}`, `${pluginName}.json`)
-const validScimAttr = [ // array containing scim attributes supported by our plugin code. Empty array - all attrbutes are supported by endpoint
-  'userName', // userName is mandatory
-  'active' // active is mandatory
-]
+const pluginName = scimgateway.pluginName
+// const configDir = scimgateway.configDir
+const configFile = scimgateway.configFile
 let config = require(configFile).endpoint
 config = scimgateway.processExtConfig(pluginName, config) // add any external config process.env and process.file
 scimgateway.authPassThroughAllowed = false // true enables auth passThrough (no scimgateway authentication). scimgateway instead includes ctx (ctx.request.header) in plugin methods. Note, requires plugin-logic for handling/passing ctx.request.header.authorization to be used in endpoint communication
@@ -143,13 +138,6 @@ scimgateway.createUser = async (baseEntity, userObj, ctx) => {
 
   try {
     return await new Promise((resolve, reject) => {
-      const notValid = scimgateway.notValidAttributes(userObj, validScimAttr)
-
-      if (notValid) {
-        const err = new Error(`unsupported scim attributes: ${notValid} (supporting only these attributes: ${validScimAttr.toString()})`)
-        return reject(err)
-      }
-
       hdbClient.connect(function (err) {
         if (err) {
           const newErr = new Error('createUser hdbcClient.connect: SAP Hana client connect error: ' + err.message)
@@ -221,12 +209,6 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
 
   try {
     return await new Promise((resolve, reject) => {
-      const notValid = scimgateway.notValidAttributes(attrObj, validScimAttr)
-      if (notValid) {
-        const err = new Error(`unsupported scim attributes: ${notValid} (supporting only these attributes: ${validScimAttr.toString()})`)
-        return reject(err)
-      }
-
       let sqlAction = ''
       if (attrObj.active !== undefined) {
         if (sqlAction.length === 0) sqlAction = (attrObj.active === true) ? 'ACTIVATE' : 'DEACTIVATE'