scimgateway 4.5.10 → 4.5.12

package/README.md

@@ -9,7 +9,7 @@ Validated through IdP's:
 
 - Symantec/Broadcom/CA Identity Manager
 - Microsoft Entra ID  
-- One Identity/OneLogin  
+- One Identity Manager/OneLogin  
 - Okta 
 - Omada 
 - SailPoint/IdentityNow  
@@ -1163,6 +1163,32 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v4.5.12
+
+[Improved]
+
+- plugin-ldap, new configuration { allowModifyDN: true } allows DN being changed based on modified mapping or namingAttribute
+
+### v4.5.11
+  
+[Improved] 
+
+- deleteUser will try to revoke user from groups before deleting user
+- advanced or-filter (e.g., used by One Identity Manager) will be chunked and handled by scimgateway as separate calls to plugin
+- baseEntity now included in scimgateway log entries like plugin log entries
+
+[Fixed]
+
+- plugin-ldap, using OpenLDAP - configuration { "isOpenLdap": true } and adding an already existing group member returned 500 Error instead of 200 OK.
+- plugin-ldap, using OpenLDAP in combination with endpoint user mapping `"type":"array"` and `"typeInbound":"string"` for handling comma separated SCIM string mapping towards an endpoint array/multivalue attribute, did not return correct sort order of the comma separated string when using OpenLDAP.   Mapping example:
+
+        "<endpointAttr>": {
+          "mapTo": "<scimAttr>",
+          "type": "array",
+          "typeInbound": "string"
+        },
+
+
 ### v4.5.10
   
 [Fixed]  

package/config/plugin-ldap.json

@@ -144,16 +144,17 @@
           "groupBase": "OU=Groups,DC=test,DC=com",
           "userFilter": null,
           "groupFilter": null,
+          "allowModifyDN": false,
           "namingAttribute": {
             "user": [
               {
-                "attribute": "CN",
+                "attribute": "cn",
                 "mapTo": "userName"
               }
             ],
             "group": [
               {
-                "attribute": "CN",
+                "attribute": "cn",
                 "mapTo": "displayName"
               }
             ]

package/lib/plugin-api.js

@@ -57,7 +57,7 @@ scimgateway.authPassThroughAllowed = false // true enables auth passThrough (no
 //
 scimgateway.postApi = async (baseEntity, apiObj, ctx) => {
   const action = 'postApi'
-  scimgateway.logger.debug(`${pluginName} handling "${action}" apiObj=${JSON.stringify(apiObj)}`)
+  scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" apiObj=${JSON.stringify(apiObj)}`)
 
   if ((typeof (apiObj) !== 'object') || (Object.keys(apiObj).length === 0)) {
     throw new Error('unsupported POST syntax')

package/lib/plugin-ldap.js

@@ -35,6 +35,8 @@
 // be used for national characters and special characters in DN.
 // For Active Directory, default isOpenLdap=false should be used
 //
+// Configuration allowModifyDN=true allows DN being changed based on modified mapping or namingAttribute
+//
 // Attributes according to map definition in the configuration file plugin-ldap.json:
 //
 // GlobalUser   Template                  Scim                                          Endpoint
@@ -109,6 +111,7 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
   //
   const action = 'getUsers'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" getObj=${getObj ? JSON.stringify(getObj) : ''} attributes=${attributes}`)
+  if (!config.entity[baseEntity]) throw new Error(`unsupported baseEntity: ${baseEntity}`)
 
   const result = {
     Resources: [],
@@ -465,7 +468,41 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
   }
 
   try {
+    const newDN = checkIfNewDN(baseEntity, base, 'user', attrObj, endpointObj)
     await doRequest(baseEntity, method, base, ldapOptions, ctx)
+    if (newDN && config.entity[baseEntity].ldap.allowModifyDN) {
+      // modify DN
+      await doRequest(baseEntity, 'modifyDN', base, { modification: { newDN } }, ctx)
+      // clean up zoombie group members and use the new user DN incase not handled by ldap server
+      const [memberAttr] = scimgateway.endpointMapper('outbound', 'members.value', config.map.group)
+      if (memberAttr) {
+        const grp = { add: {}, remove: {} }
+        grp.add[memberAttr] = []
+        grp.remove[memberAttr] = []
+        let r
+        try {
+          const ob = { attribute: 'members.value', operator: 'eq', value: base } // base is old DN
+          const attributes = ['id', 'displayName']
+          r = await scimgateway.getGroups(baseEntity, ob, attributes, ctx)
+        } catch (err) { } // ignore errors incase method not implemented
+        if (r && r.Resources && Array.isArray(r.Resources) && r.Resources.length > 0) {
+          for (let i = 0; i < r.Resources.length; i++) {
+            if (!r.Resources[i].id) continue
+            const grpId = decodeURIComponent(r.Resources[i].id)
+            grp.remove[memberAttr] = [base]
+            grp.add[memberAttr] = [newDN]
+            await Promise.all([
+              doRequest(baseEntity, method, grpId, { operation: 'add', modification: grp.add }, ctx),
+              doRequest(baseEntity, method, grpId, { operation: 'delete', modification: grp.remove }, ctx)
+            ])
+          }
+        }
+        // return full user object to avoid scimgateway doing same getUser() using original id/dn that now will fail
+        const getObj = { attribute: 'id', operator: 'eq', value: newDN }
+        const res = await scimgateway.getUsers(baseEntity, getObj, [], ctx)
+        return res
+      }
+    }
     return null
   } catch (err) {
     throw new Error(`${action} error: ${err.message}`)
@@ -490,6 +527,7 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
   //
   const action = 'getGroups'
   scimgateway.logger.debug(`${pluginName}[${baseEntity}] handling "${action}" getObj=${getObj ? JSON.stringify(getObj) : ''} attributes=${attributes}`)
+  if (!config.entity[baseEntity]) throw new Error(`unsupported baseEntity: ${baseEntity}`)
 
   const result = {
     Resources: [],
@@ -738,6 +776,8 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
   try {
     delete attrObj.members
     const [endpointObj] = scimgateway.endpointMapper('outbound', attrObj, config.map.group)
+    const newDN = checkIfNewDN(baseEntity, base, 'group', attrObj, endpointObj)
+
     if (Object.keys(endpointObj).length > 0) {
       const ldapOptions = {
         operation: 'replace',
@@ -759,6 +799,12 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
       }
       await doRequest(baseEntity, method, base, ldapOptions, ctx)
     }
+    if (newDN && config.entity[baseEntity].ldap.allowModifyDN) {
+      await doRequest(baseEntity, 'modifyDN', base, { modification: { newDN } }, ctx)
+      const getObj = { attribute: 'id', operator: 'eq', value: newDN }
+      const res = await scimgateway.getGroups(baseEntity, getObj, [], ctx)
+      return res // return full group object to avoid scimgateway doing same getUser() using original id/dn that now will fail
+    }
     return null
   } catch (err) {
     throw new Error(`${action} error: ${err.message}`)
@@ -1042,7 +1088,7 @@ const getMemberOfGroups = async (baseEntity, id, ctx) => {
 // using Active Directory (none OpenLDAP), DN should not be escaped, but DN retrieved from AD is character escaped
 //
 const ldapEscDn = (isOpenLdap, str) => {
-  if (!str) return str
+  if (typeof str !== 'string' || str.length < 1) return str
 
   if (!isOpenLdap && str.indexOf('\\') > 0) {
     const conv = str.replace(/\\([0-9A-Fa-f]{2})/g, (_, hex) => {
@@ -1198,6 +1244,10 @@ const berDecodeDn = (dn) => {
         }
       }
       if (decoded.length > 0) {
+        // convert any extended ascii to utf8
+        const isoBytes = Uint8Array.from(decoded, c => c.charCodeAt(0))
+        decoded = new TextDecoder('utf-8').decode(isoBytes)
+        decoded = decoded.replace(/,/g, '\\,')
         a.splice(0, 1) // remove element 0 from array
         return `${arr[0]}${decoded},${a.join(',')}` // OU=users,OU=abc
       }
@@ -1222,6 +1272,51 @@ const getNamingAttribute = (baseEntity, type) => {
   return [arr[0].attribute, arr[0].mapTo]
 }
 
+const checkIfNewDN = (baseEntity, base, type, obj, endpointObj) => {
+  if (typeof obj !== 'object' || Object.keys(obj).length < 1) return ''
+  if (typeof endpointObj !== 'object' || Object.keys(endpointObj).length < 1) return ''
+
+  const namingAttr = base.split('=')[0] // cn
+  let scimAttr = ''
+  if (endpointObj[namingAttr]) { // naming attribute can't be modified, have to use modifyDN()
+    delete endpointObj[namingAttr] // modifying original ldapOptions
+    if (config.map[type] && config.map[type][namingAttr]) {
+      scimAttr = config.map[type][namingAttr].mapTo
+    }
+    if (!config.entity[baseEntity].ldap.allowModifyDN) {
+      throw new Error(`changing ldap Naming Attribute ${namingAttr}/${scimAttr} requires configuration ldap.allowModifyDN=true`)
+    }
+  }
+  if (!scimAttr) { // check if namingAttr is defined as namingAttribute configuration having linked scimAttr
+    const [nAttr, sAttr] = getNamingAttribute(baseEntity, type) // ['cn', 'userName']
+    if (namingAttr === nAttr) scimAttr = sAttr
+  }
+  if (!scimAttr) return ''
+  // find and return the new DN
+  let newNamingValue
+  const arr = scimAttr.split('.')
+  if (arr.length < 2) {
+    if (obj[scimAttr]) newNamingValue = obj[scimAttr]
+  } else {
+    if (obj[arr[0]] && obj[arr[0]][arr[1]]) newNamingValue = obj[arr[0]][arr[1]]
+  }
+  if (!newNamingValue) return ''
+  const re = '^([a-zA-Z]+=)(.*?)(?=,[a-zA-Z]+=|$)(.*)$'
+  const rePattern = new RegExp(re, 'i')
+  const a = base.match(rePattern)
+  /*
+  a[1] 'CN='
+  a[2] '<value>'
+  a[3] '<rest> e.g.,: ,OU=mycompany,OU=com'
+  */
+  if (a.length !== 4) return ''
+  if (a[1].toLowerCase() !== namingAttr.toLowerCase() + '=') return ''
+  if (a[2] === newNamingValue) return ''
+  let newDN = a[1] + newNamingValue + a[3]
+  newDN = ldapEscDn(config.entity[baseEntity].ldap.isOpenLdap, newDN)
+  return newDN
+}
+
 //
 // getCtxAuth returns username/secret from ctx header when using Auth PassThrough
 //
@@ -1290,6 +1385,7 @@ const getServiceClient = async (baseEntity, ctx) => {
 //       }
 //
 const doRequest = async (baseEntity, method, base, options, ctx) => {
+  if (!config.entity[baseEntity]) throw new Error(`unsupported baseEntity: ${baseEntity}`)
   let result = null
   let client = null
   base = ldapEscDn(config.entity[baseEntity].ldap.isOpenLdap, base)
@@ -1386,10 +1482,11 @@ const doRequest = async (baseEntity, method, base, options, ctx) => {
             if (Array.isArray(options.modification[key])) {
               mod.values = options.modification[key]
               if (mod.values.length > 1) { // delete before replace to keep inbound order
-                changes.push({
+                const multiValueObj = {
                   operation: 'delete',
                   modification: { type: key, values: [] }
-                })
+                }
+                client.modify(dn, multiValueObj, () => {})
               }
             } else {
               if (typeof options.modification[key] === 'string') mod.values = [options.modification[key]]
@@ -1403,8 +1500,9 @@ const doRequest = async (baseEntity, method, base, options, ctx) => {
           }
           client.modify(dn, changes, (err) => {
             if (err) {
-              if (options.operation && options.operation === 'add' && options.modification && options.modification.member) {
-                if (err.message.includes('ENTRY_EXISTS')) return resolve() // add already existing group to user
+              if (options.operation && options.operation === 'add') {
+                const msg = err.message.toLowerCase()
+                if (msg.includes('exists')) return resolve() // "ENTRY_EXISTS" / "Value Exists" - add already existing group to user
               }
               return reject(err)
             }
@@ -1413,6 +1511,22 @@ const doRequest = async (baseEntity, method, base, options, ctx) => {
         })
         break
 
+      case 'modifyDN':
+        result = await new Promise((resolve, reject) => {
+          let dn = base
+          if (Object.prototype.toString.call(dn) === '[object LdapDn]') dn = base.toString() // needed for client.modifyDN...
+          let newDN = options?.modification?.newDN
+          if (!newDN) return reject(new Error('modifyDN() missing newDN'))
+          if (Object.prototype.toString.call(newDN) === '[object LdapDn]') newDN = newDN.toString()
+          client.modifyDN(dn, newDN, (err) => {
+            if (err) {
+              return reject(err)
+            }
+            resolve()
+          })
+        })
+        break
+
       case 'add':
         result = await new Promise((resolve, reject) => {
           client.add(base, options, (err) => {
@@ -1473,12 +1587,23 @@ if (!config?.map?.user) {
   scimgateway.logger.error('configuration map.user is missing')
   throw new Error(`using exception to exit ${pluginName}, please ignore message...`)
 } else {
+  let isOpenLdapFound = false
+  for (const key in config.entity) {
+    if (config.entity[key]?.ldap?.isOpenLdap === true) {
+      isOpenLdapFound = true
+      break
+    }
+  }
   let idFound = false
   let userNameFound = false
   for (const key in config.map.user) {
     if (config.map.user[key].mapTo === 'id') idFound = true
     else if (['userName', 'externalId'].includes(config.map.user[key].mapTo)) userNameFound = true
-    if (idFound && userNameFound) break
+    if (config.map.user[key]?.type === 'array' && config.map.user[key]?.typeInbound === 'string') {
+      if (!Object.prototype.hasOwnProperty.call(config.map.user[key], 'typeOutboundReverse')) {
+        config.map.user[key].typeOutboundReverse = !isOpenLdapFound
+      }
+    }
   }
   if (!idFound || !userNameFound) {
     scimgateway.logger.error('configuration map.user missing mapTo definition for mandatory id/userName')

package/lib/plugin-loki.js

@@ -614,12 +614,12 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
 const stripLoki = (obj) => { // remove loki meta data and insert scim
   const retObj = JSON.parse(JSON.stringify(obj)) // new object - don't modify loki source
   if (retObj.meta) {
-    if (retObj.meta.created) retObj.meta.created = new Date(retObj.meta.created).toISOString()
     delete retObj.meta.lastModified // test users loaded
+    if (retObj.meta.created) retObj.meta.created = new Date(retObj.meta.created).toISOString()
     if (retObj.meta.updated) {
       retObj.meta.lastModified = new Date(retObj.meta.updated).toISOString()
       delete retObj.meta.updated
-    }
+    } else retObj.meta.lastModified = retObj.meta.created
     if (retObj.meta.revision !== undefined) {
       retObj.meta.version = `W/"${retObj.meta.revision}"`
       delete retObj.meta.revision