scimgateway 4.5.11 → 4.5.12

package/README.md

@@ -1163,6 +1163,12 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v4.5.12
+
+[Improved]
+
+- plugin-ldap, new configuration { allowModifyDN: true } allows DN being changed based on modified mapping or namingAttribute
+
 ### v4.5.11
   
 [Improved] 

package/config/plugin-ldap.json

@@ -144,16 +144,17 @@
           "groupBase": "OU=Groups,DC=test,DC=com",
           "userFilter": null,
           "groupFilter": null,
+          "allowModifyDN": false,
           "namingAttribute": {
             "user": [
               {
-                "attribute": "CN",
+                "attribute": "cn",
                 "mapTo": "userName"
               }
             ],
             "group": [
               {
-                "attribute": "CN",
+                "attribute": "cn",
                 "mapTo": "displayName"
               }
             ]

package/lib/plugin-ldap.js

@@ -35,6 +35,8 @@
 // be used for national characters and special characters in DN.
 // For Active Directory, default isOpenLdap=false should be used
 //
+// Configuration allowModifyDN=true allows DN being changed based on modified mapping or namingAttribute
+//
 // Attributes according to map definition in the configuration file plugin-ldap.json:
 //
 // GlobalUser   Template                  Scim                                          Endpoint
@@ -466,7 +468,41 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
   }
 
   try {
+    const newDN = checkIfNewDN(baseEntity, base, 'user', attrObj, endpointObj)
     await doRequest(baseEntity, method, base, ldapOptions, ctx)
+    if (newDN && config.entity[baseEntity].ldap.allowModifyDN) {
+      // modify DN
+      await doRequest(baseEntity, 'modifyDN', base, { modification: { newDN } }, ctx)
+      // clean up zoombie group members and use the new user DN incase not handled by ldap server
+      const [memberAttr] = scimgateway.endpointMapper('outbound', 'members.value', config.map.group)
+      if (memberAttr) {
+        const grp = { add: {}, remove: {} }
+        grp.add[memberAttr] = []
+        grp.remove[memberAttr] = []
+        let r
+        try {
+          const ob = { attribute: 'members.value', operator: 'eq', value: base } // base is old DN
+          const attributes = ['id', 'displayName']
+          r = await scimgateway.getGroups(baseEntity, ob, attributes, ctx)
+        } catch (err) { } // ignore errors incase method not implemented
+        if (r && r.Resources && Array.isArray(r.Resources) && r.Resources.length > 0) {
+          for (let i = 0; i < r.Resources.length; i++) {
+            if (!r.Resources[i].id) continue
+            const grpId = decodeURIComponent(r.Resources[i].id)
+            grp.remove[memberAttr] = [base]
+            grp.add[memberAttr] = [newDN]
+            await Promise.all([
+              doRequest(baseEntity, method, grpId, { operation: 'add', modification: grp.add }, ctx),
+              doRequest(baseEntity, method, grpId, { operation: 'delete', modification: grp.remove }, ctx)
+            ])
+          }
+        }
+        // return full user object to avoid scimgateway doing same getUser() using original id/dn that now will fail
+        const getObj = { attribute: 'id', operator: 'eq', value: newDN }
+        const res = await scimgateway.getUsers(baseEntity, getObj, [], ctx)
+        return res
+      }
+    }
     return null
   } catch (err) {
     throw new Error(`${action} error: ${err.message}`)
@@ -740,6 +776,8 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
   try {
     delete attrObj.members
     const [endpointObj] = scimgateway.endpointMapper('outbound', attrObj, config.map.group)
+    const newDN = checkIfNewDN(baseEntity, base, 'group', attrObj, endpointObj)
+
     if (Object.keys(endpointObj).length > 0) {
       const ldapOptions = {
         operation: 'replace',
@@ -761,6 +799,12 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
       }
       await doRequest(baseEntity, method, base, ldapOptions, ctx)
     }
+    if (newDN && config.entity[baseEntity].ldap.allowModifyDN) {
+      await doRequest(baseEntity, 'modifyDN', base, { modification: { newDN } }, ctx)
+      const getObj = { attribute: 'id', operator: 'eq', value: newDN }
+      const res = await scimgateway.getGroups(baseEntity, getObj, [], ctx)
+      return res // return full group object to avoid scimgateway doing same getUser() using original id/dn that now will fail
+    }
     return null
   } catch (err) {
     throw new Error(`${action} error: ${err.message}`)
@@ -1044,7 +1088,7 @@ const getMemberOfGroups = async (baseEntity, id, ctx) => {
 // using Active Directory (none OpenLDAP), DN should not be escaped, but DN retrieved from AD is character escaped
 //
 const ldapEscDn = (isOpenLdap, str) => {
-  if (!str) return str
+  if (typeof str !== 'string' || str.length < 1) return str
 
   if (!isOpenLdap && str.indexOf('\\') > 0) {
     const conv = str.replace(/\\([0-9A-Fa-f]{2})/g, (_, hex) => {
@@ -1200,6 +1244,10 @@ const berDecodeDn = (dn) => {
         }
       }
       if (decoded.length > 0) {
+        // convert any extended ascii to utf8
+        const isoBytes = Uint8Array.from(decoded, c => c.charCodeAt(0))
+        decoded = new TextDecoder('utf-8').decode(isoBytes)
+        decoded = decoded.replace(/,/g, '\\,')
         a.splice(0, 1) // remove element 0 from array
         return `${arr[0]}${decoded},${a.join(',')}` // OU=users,OU=abc
       }
@@ -1224,6 +1272,51 @@ const getNamingAttribute = (baseEntity, type) => {
   return [arr[0].attribute, arr[0].mapTo]
 }
 
+const checkIfNewDN = (baseEntity, base, type, obj, endpointObj) => {
+  if (typeof obj !== 'object' || Object.keys(obj).length < 1) return ''
+  if (typeof endpointObj !== 'object' || Object.keys(endpointObj).length < 1) return ''
+
+  const namingAttr = base.split('=')[0] // cn
+  let scimAttr = ''
+  if (endpointObj[namingAttr]) { // naming attribute can't be modified, have to use modifyDN()
+    delete endpointObj[namingAttr] // modifying original ldapOptions
+    if (config.map[type] && config.map[type][namingAttr]) {
+      scimAttr = config.map[type][namingAttr].mapTo
+    }
+    if (!config.entity[baseEntity].ldap.allowModifyDN) {
+      throw new Error(`changing ldap Naming Attribute ${namingAttr}/${scimAttr} requires configuration ldap.allowModifyDN=true`)
+    }
+  }
+  if (!scimAttr) { // check if namingAttr is defined as namingAttribute configuration having linked scimAttr
+    const [nAttr, sAttr] = getNamingAttribute(baseEntity, type) // ['cn', 'userName']
+    if (namingAttr === nAttr) scimAttr = sAttr
+  }
+  if (!scimAttr) return ''
+  // find and return the new DN
+  let newNamingValue
+  const arr = scimAttr.split('.')
+  if (arr.length < 2) {
+    if (obj[scimAttr]) newNamingValue = obj[scimAttr]
+  } else {
+    if (obj[arr[0]] && obj[arr[0]][arr[1]]) newNamingValue = obj[arr[0]][arr[1]]
+  }
+  if (!newNamingValue) return ''
+  const re = '^([a-zA-Z]+=)(.*?)(?=,[a-zA-Z]+=|$)(.*)$'
+  const rePattern = new RegExp(re, 'i')
+  const a = base.match(rePattern)
+  /*
+  a[1] 'CN='
+  a[2] '<value>'
+  a[3] '<rest> e.g.,: ,OU=mycompany,OU=com'
+  */
+  if (a.length !== 4) return ''
+  if (a[1].toLowerCase() !== namingAttr.toLowerCase() + '=') return ''
+  if (a[2] === newNamingValue) return ''
+  let newDN = a[1] + newNamingValue + a[3]
+  newDN = ldapEscDn(config.entity[baseEntity].ldap.isOpenLdap, newDN)
+  return newDN
+}
+
 //
 // getCtxAuth returns username/secret from ctx header when using Auth PassThrough
 //
@@ -1418,6 +1511,22 @@ const doRequest = async (baseEntity, method, base, options, ctx) => {
         })
         break
 
+      case 'modifyDN':
+        result = await new Promise((resolve, reject) => {
+          let dn = base
+          if (Object.prototype.toString.call(dn) === '[object LdapDn]') dn = base.toString() // needed for client.modifyDN...
+          let newDN = options?.modification?.newDN
+          if (!newDN) return reject(new Error('modifyDN() missing newDN'))
+          if (Object.prototype.toString.call(newDN) === '[object LdapDn]') newDN = newDN.toString()
+          client.modifyDN(dn, newDN, (err) => {
+            if (err) {
+              return reject(err)
+            }
+            resolve()
+          })
+        })
+        break
+
       case 'add':
         result = await new Promise((resolve, reject) => {
           client.add(base, options, (err) => {

package/lib/scimgateway.js

@@ -274,7 +274,7 @@ const ScimGateway = function () {
     if (!fs.existsSync(configDir + '/wsdls')) fs.mkdirSync(configDir + '/wsdls')
     if (!fs.existsSync(configDir + '/certs')) fs.mkdirSync(configDir + '/certs')
     if (!fs.existsSync(configDir + '/schemas')) fs.mkdirSync(configDir + '/schemas')
-  } catch (err) {}
+  } catch (err) { }
 
   let isScimv2 = false
   if (config.scim.version === '2.0' || config.scim.version === 2) {
@@ -1488,6 +1488,7 @@ const ScimGateway = function () {
         }
       }
       try {
+        let res
         if (config.stream.publisher.enabled) {
           let streamObj = {
             handle: handle.modifyMethod,
@@ -1508,14 +1509,14 @@ const ScimGateway = function () {
             }
           }
           logger.debug(`${gwName}[${pluginName}][${ctx?.params?.baseEntity}] publishing "${handle.modifyMethod}" to SCIM Stream and awaiting result`)
-          await this.publish(streamObj)
+          res = await this.publish(streamObj)
         } else {
           if (Array.isArray(scimdata.members) && scimdata.members.length === 0 && handle.modifyMethod === 'modifyGroup') {
             ctx.request.body = scimdata
-            await replaceUsrGrp(ctx, config.scim.usePutSoftSync)
+            res = await replaceUsrGrp(ctx, config.scim.usePutSoftSync)
           } else {
             logger.debug(`${gwName}[${pluginName}][${ctx?.params?.baseEntity}] calling "${handle.modifyMethod}" and awaiting result`)
-            await this[handle.modifyMethod](ctx.params.baseEntity, id, scimdata, ctx.passThrough)
+            res = await this[handle.modifyMethod](ctx.params.baseEntity, id, scimdata, ctx.passThrough)
           }
         }
 
@@ -1545,28 +1546,27 @@ const ScimGateway = function () {
           }
         }
 
-        // include full object in response
-        // TODO: include groups
-        if (handle.getMethod !== handler.users.getMethod && handle.getMethod !== handler.groups.getMethod && !config.stream.publisher.enabled) { // getUsers or getGroups not implemented
-          ctx.status = 204
-          return
-        }
-        let res
-        const ob = { attribute: 'id', operator: 'eq', value: id }
-        const attributes = ctx.query.attributes ? ctx.query.attributes.split(',').map(item => item.trim()) : []
-        if (config.stream.publisher.enabled) {
-          const streamObj = {
-            handle: handle.getMethod,
-            baseEntity: ctx.params.baseEntity,
-            obj: ob,
-            attributes,
-            ctxPassThrough: ctx.passThrough
+        if (!res) { // include full object in response, TODO: include groups
+          if (handle.getMethod !== handler.users.getMethod && handle.getMethod !== handler.groups.getMethod && !config.stream.publisher.enabled) { // getUsers or getGroups not implemented
+            ctx.status = 204
+            return
+          }
+          const ob = { attribute: 'id', operator: 'eq', value: id }
+          const attributes = ctx.query.attributes ? ctx.query.attributes.split(',').map(item => item.trim()) : []
+          if (config.stream.publisher.enabled) {
+            const streamObj = {
+              handle: handle.getMethod,
+              baseEntity: ctx.params.baseEntity,
+              obj: ob,
+              attributes,
+              ctxPassThrough: ctx.passThrough
+            }
+            logger.debug(`${gwName}[${pluginName}][${ctx?.params?.baseEntity}] publishing "${handle.getMethod}" to SCIM Stream and awaiting result`)
+            res = await this.publish(streamObj)
+          } else {
+            logger.debug(`${gwName}[${pluginName}][${ctx?.params?.baseEntity}] calling "${handle.getMethod}" and awaiting result`)
+            res = await this[handle.getMethod](ctx.params.baseEntity, ob, attributes, ctx.passThrough)
           }
-          logger.debug(`${gwName}[${pluginName}][${ctx?.params?.baseEntity}] publishing "${handle.getMethod}" to SCIM Stream and awaiting result`)
-          res = await this.publish(streamObj)
-        } else {
-          logger.debug(`${gwName}[${pluginName}][${ctx?.params?.baseEntity}] calling "${handle.getMethod}" and awaiting result`)
-          res = await this[handle.getMethod](ctx.params.baseEntity, ob, attributes, ctx.passThrough)
         }
 
         scimdata = {
@@ -1686,7 +1686,7 @@ const ScimGateway = function () {
           let res
           try {
             res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: decodeURIComponent(id) }, ['id', 'displayName'], ctx.passThrough)
-          } catch (err) {} // method may be implemented but throwing error like groups not supported/implemented
+          } catch (err) { } // method may be implemented but throwing error like groups not supported/implemented
           currentGroups = []
           if (res && res.Resources && Array.isArray(res.Resources) && res.Resources.length > 0) {
             for (let i = 0; i < res.Resources.length; i++) {
@@ -1763,7 +1763,7 @@ const ScimGateway = function () {
   this.replaceUsrGrp = replaceUsrGrp
 
   router.put([`/(|scim/)(!${undefined}|Users|Groups|servicePlans)/:id`,
-    `/:baseEntity/(|scim/)(!${undefined}|Users|Groups|servicePlans)/:id`], async (ctx) => {
+  `/:baseEntity/(|scim/)(!${undefined}|Users|Groups|servicePlans)/:id`], async (ctx) => {
     const originalUrl = ctx.request.originalUrl
     if (config.stream.publisher.enabled) {
       const streamObj = {
@@ -2085,7 +2085,7 @@ const ScimGateway = function () {
       const attributes = ['id', 'displayName']
       logger.debug(`${gwName}[${pluginName}][${baseEntity}] calling "${handler.groups.getMethod}" and awaiting result - groups to be included`)
       res = await this[handler.groups.getMethod](baseEntity, ob, attributes, ctxPassThrough)
-    } catch (err) {} // ignore errors
+    } catch (err) { } // ignore errors
     if (res && res.Resources && Array.isArray(res.Resources) && res.Resources.length > 0) {
       for (let i = 0; i < res.Resources.length; i++) {
         if (!res.Resources[i].id) continue
@@ -2121,7 +2121,7 @@ const ScimGateway = function () {
     if (config.localhostonly === true) {
       logger.info(`${gwName}[${pluginName}] denying other clients than localhost (127.0.0.1)`)
       if (config.certificate && config.certificate.key && config.certificate.cert) {
-      // SSL
+        // SSL
         let keyFile = path.join(configDir, '/certs/', config.certificate.key)
         if (config.certificate.key.startsWith('/') || config.certificate.key.includes('\\')) {
           keyFile = config.certificate.key
@@ -2136,7 +2136,7 @@ const ScimGateway = function () {
         }, app.callback()).listen(config.port, 'localhost')
         logger.info(`${gwName}[${pluginName}] now listening SCIM ${config.scim.version} on TLS port ${config.port}...${config.stream.subscriber.enabled ? '' : '\n'}`)
       } else if (config.certificate && config.certificate.pfx && config.certificate.pfx.bundle) {
-      // SSL using PFX / PKCS#12
+        // SSL using PFX / PKCS#12
         let pfxFile = path.join(configDir, '/certs/', config.certificate.pfx.bundle)
         if (config.certificate.pfx.bundle.startsWith('/') || config.certificate.pfx.bundle.includes('\\')) {
           pfxFile = config.certificate.pfx.bundle
@@ -2147,14 +2147,14 @@ const ScimGateway = function () {
         }, app.callback()).listen(config.port, 'localhost')
         logger.info(`${gwName}[${pluginName}] now listening SCIM ${config.scim.version} on TLS port ${config.port}...${config.stream.subscriber.enabled ? '' : '\n'}`)
       } else {
-      // none SSL
+        // none SSL
         server = http.createServer(app.callback()).listen(config.port, 'localhost')
         logger.info(`${gwName}[${pluginName}] now listening SCIM ${config.scim.version} on port ${config.port}...${config.stream.subscriber.enabled ? '' : '\n'}`)
       }
     } else {
       logger.info(`${gwName}[${pluginName}] accepting requests from all clients`)
       if (config.certificate && config.certificate.key && config.certificate.cert) {
-      // SSL self signed cert e.g: openssl req -nodes -newkey rsa:2048 -x509 -sha256 -days 3650 -keyout key.pem -out cert.pem -subj "/O=NodeJS/OU=Testing/CN=<FQDN>"
+        // SSL self signed cert e.g: openssl req -nodes -newkey rsa:2048 -x509 -sha256 -days 3650 -keyout key.pem -out cert.pem -subj "/O=NodeJS/OU=Testing/CN=<FQDN>"
         let keyFile = path.join(configDir, '/certs/', config.certificate.key)
         if (config.certificate.key.startsWith('/') || config.certificate.key.includes('\\')) {
           keyFile = config.certificate.key
@@ -2177,7 +2177,7 @@ const ScimGateway = function () {
         }, app.callback()).listen(config.port)
         logger.info(`${gwName}[${pluginName}] now listening SCIM ${config.scim.version} on TLS port ${config.port}...${config.stream.subscriber.enabled ? '' : '\n'}`)
       } else if (config.certificate && config.certificate.pfx && config.certificate.pfx.bundle) {
-      // SSL using PFX / PKCS#12
+        // SSL using PFX / PKCS#12
         let pfxFile = path.join(configDir, '/certs/', config.certificate.pfx.bundle)
         if (config.certificate.pfx.bundle.startsWith('/') || config.certificate.pfx.bundle.includes('\\')) {
           pfxFile = config.certificate.pfx.bundle
@@ -2188,7 +2188,7 @@ const ScimGateway = function () {
         }, app.callback()).listen(config.port)
         logger.info(`${gwName}[${pluginName}] now listening SCIM ${config.scim.version} on TLS port ${config.port}...${config.stream.subscriber.enabled ? '' : '\n'}`)
       } else {
-      // none SSL
+        // none SSL
         server = http.createServer(app.callback()).listen(config.port)
         logger.info(`${gwName}[${pluginName}] now listening SCIM ${config.scim.version} on port ${config.port}...${config.stream.subscriber.enabled ? '' : '\n'}`)
       }
@@ -2707,7 +2707,7 @@ ScimGateway.prototype.endpointMapper = function endpointMapper (direction, parse
                 if (complexObj[attr]) {
                   found = true
                   resArr.push(keyNotDot)
-                // don't break - check for multiple complex definitions
+                  // don't break - check for multiple complex definitions
                 }
               }
             }
@@ -3191,7 +3191,7 @@ ScimGateway.prototype.convertedScim20 = function convertedScim20 (obj) {
             } else if (typeof el.value === 'string' && el.value.substring(0, 1) === '{') { // "value": [{"value":"{\"id\":\"c20e145e-5459-4a6c-a074-b942bbd4cfe1\",\"value\":\"admin\",\"displayName\":\"Administrator\"}"}}]
               try {
                 element.value[i] = JSON.parse(el.value)
-              } catch (err) {}
+              } catch (err) { }
             }
           }
         })

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "4.5.11",
+  "version": "4.5.12",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",
   "homepage": "https://elshaug.xyz",