scimgateway 5.0.6 → 5.0.7

package/README.md

@@ -13,14 +13,14 @@ Validated through IdP's:
 - Okta 
 - Omada 
 - SailPoint/IdentityNow  
-  
+
 Latest news:  
 
-- Major version **v5** marks a shift to native TypeScript support and prioritizes [Bun](https://bun.sh/) over Node.js. This upgrade requires some modifications to existing plugins.  
+- Major version **v5.0.0** marks a shift to native TypeScript support and prioritizes [Bun](https://bun.sh/) over Node.js. This upgrade requires some modifications to existing plugins.  
 - **BREAKING**: [SCIM Stream](https://elshaug.xyz/docs/scim-stream) is the modern way of user provisioning letting clients subscribe to messages instead of traditional IGA top-down provisioning. SCIM Gateway now offers enhanced functionality with support for message subscription and automated provisioning using SCIM Stream
 - Authentication PassThrough letting plugin pass authentication directly to endpoint for avoid maintaining secrets at the gateway
 - Supports OAuth Client Credentials authentication
-- Major version **v4** getUsers() and getGroups() replacing some deprecated methods. No limitations on filtering/sorting. Admin user access can be linked to specific baseEntities. New MongoDB plugin
+- Major version **v4.0.0** getUsers() and getGroups() replacing some deprecated methods. No limitations on filtering/sorting. Admin user access can be linked to specific baseEntities. New MongoDB plugin
 - ipAllowList for restricting access to allowlisted IP addresses or subnets e.g. Azure IP-range  
 - General LDAP plugin configured for Active Directory  
 - [PlugSSO](https://elshaug.xyz/docs/plugsso) using SCIM Gateway
@@ -460,6 +460,21 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 - **email.emailOnError.cc** - Optional comma separated list of cc mail addresses
 - **email.emailOnError.subject** - Optional mail subject, default `SCIM Gateway error message`
 
+	Configuration notes when using default configuration oauth and tenantIdGUID - Microsoft Exchange Online (ExO):
+
+	- Entra ID application must have application permissions "**Mail.Send**"  
+	- To prevent the sending of emails from any defined mailboxes, an ExO **ApplicationAccessPolicy** must be defined through PowerShell.  
+	
+		First create a mail-enabled security-group that only includes those users (mailboxes) the application is allowed to send from  
+		Note, "mail enabled security" group cannot be created from portal, only from admin or admin.exchange console
+		  
+			##Connect to Exchange
+			Install-Module -Name ExchangeOnlineManagement
+			Connect-ExchangeOnline
+			 
+			##Create ApplicationAccessPolicy
+			New-ApplicationAccessPolicy -AppId $AppClientID -PolicyScopeGroupId $MailEnabledSecurityGrpId -AccessRight RestrictAccess -Description "Restrict app to specific mailboxes"
+
 - **stream** - See [SCIM Stream](https://elshaug.xyz/docs/scim-stream) for configuration details
 
 - **endpoint** - Contains endpoint specific configuration according to our **plugin code**. 
@@ -589,8 +604,7 @@ docker-compose**
 	**Dockerfile**   <== Main dockerfile  
 	**DataDockerfile**   <== Handles volume mapping   
 	**docker-compose-debug.yml** <== Debugging  
-
-
+	**docker-compose-mssql.yml** <== Example including MSSQL docker image
 
 - Create a scimgateway user on your Linux VM.   
 
@@ -1097,14 +1111,92 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
-### v5.0.6  
+### v5.0.7
+
+[Improved]
+
+- plugin-mssql all methods now implemented, also includes docker and dbinit configuration, **thanks to [@Peter Havekes](https://github.com/phavekes) and [@mrvanes](https://github.com/mrvanes)**
+
+[Fixed]
+
+- mail sending option introduced in v5.0.6 did not fully support national special charcters when using Microsoft Exchange Online and html formatted email
+
+### v5.0.6
 
 [Improved]
 
 - new configuration option: `scimgateway.idleTimeout` default 120, sets the the number of seconds to wait before timing out a connection due to inactivity
-- new configuration option: `scimgateway.email` replacing legacy `scimgateway.emailOnError` (legacy still supported). Email now support oauth authentication configuration which is default and recommended for Microsoft Exchange Online.
-- removed configuration option: `scimgateway.payloadSize` Bun using default maxRequestBodySize 128MB
-- plugin may send email using method scimgateway.sendMail()
+- deprecated configuration option: `scimgateway.payloadSize` Bun using default maxRequestBodySize 128MB
+- new configuration option: `scimgateway.email` replacing legacy `scimgateway.emailOnError` (legacy still supported). Email now support oauth authentication  
+
+**old configuration:**
+
+	{
+	  "scimgateway": {
+	    ...
+	    "emailOnError": {
+	      "smtp": {
+	        "enabled": false,
+	        "host": null,
+	        "port": 587,
+	        "proxy": null,
+	        "authenticate": true,
+	        "username": null,
+	        "password": null,
+	        "sendInterval": 15,
+	        "to": null,
+	        "cc": null
+	      }
+	    },
+	    ...
+	  },
+	  ...
+	}
+
+
+**new configuration:**  
+Using Microsoft Exchange Online and oauth authencation which also is default and recommended by Microsoft    
+For other mail servers and options like SMTP AUTH (basic/oauth), please see configuration description  
+Plugin may also send mail using method scimgateway.sendMail()  
+
+	{
+	  "scimgateway": {
+	    ...
+	    "email": {
+	      "auth": {
+	        "type": "oauth",
+	        "options": {
+	          "tenantIdGUID": null,
+	          "clientId": null,
+	          "clientSecret": null
+	        }
+	      },
+	      "emailOnError": {
+	        "enabled": false,
+	        "from": null,
+	        "to": null
+	      }
+	    },
+	    ...
+	  },
+	  ...
+	}
+    
+Configuration notes when using oauth and tenantIdGUID - Microsoft Exchange Online (ExO):  
+
+- Entra ID application must have application permissions "**Mail.Send**"  
+- To prevent the sending of emails from any defined mailboxes, an ExO **ApplicationAccessPolicy** must be defined through PowerShell.  
+
+	First create a mail-enabled security-group that only includes those users (mailboxes) the application is allowed to send from  
+	Note, "mail enabled security" group cannot be created from portal, only from admin or admin.exchange console
+	  
+		##Connect to Exchange
+		Install-Module -Name ExchangeOnlineManagement
+		Connect-ExchangeOnline
+		 
+		##Create ApplicationAccessPolicy
+		New-ApplicationAccessPolicy -AppId $AppClientID -PolicyScopeGroupId $MailEnabledSecurityGrpId -AccessRight RestrictAccess -Description "Restrict app to specific mailboxes"
+
 
 ### v5.0.5  
 
@@ -1573,7 +1665,7 @@ Note, obsolete - see v4.2.15 comments
           "forceExitTimeout": 1000
         }
 
-    **Thanks to Kevin Osborn**
+    **Thanks to [@Kevin Osborn](https://github.com/osbornk)**
 
 ### v4.1.15  
 
@@ -1604,7 +1696,7 @@ Note, obsolete - see v4.2.15 comments
         scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx)
         // tip, see provided example plugins
 
-    **Thanks to Kevin Osborn**
+    **Thanks to [@Kevin Osborn](https://github.com/osbornk)**
 
 ### v4.1.14  
 
@@ -1629,7 +1721,7 @@ Note, obsolete - see v4.2.15 comments
 [Improved]  
 
 - new plugin configuration `payloadSize`. If not defined, default "1mb" will be used. There are cases which large groups could exceed default size and you may want to increase by setting your own size e.g. "5mb"  
-    **Thanks to Sam Murphy**
+    **Thanks to [@Sam Murphy*](https://github.com/SamMurphyDev)**
 
 [Fixed]  
   
@@ -1775,7 +1867,7 @@ SCIM Gateway related news:
         }
 
 - postinstall copying example plugins may be skipped by setting the property `scimgateway_postinstall_skip = true` in `.npmrc` or by setting environment `SCIMGATEWAY_POSTINSTALL_SKIP = true`
-- Secrets now also support key-value storage. The key defined in plugin configuration have syntax `process.text.<path>` where `<path>` is the file which contains raw (UTF-8) character value. E.g. configuration `endpoint.password` could have value `process.text./var/run/vault/endpoint.password`, and the corresponding file contains the secret. **Thanks to Raymond Augé**
+- Secrets now also support key-value storage. The key defined in plugin configuration have syntax `process.text.<path>` where `<path>` is the file which contains raw (UTF-8) character value. E.g. configuration `endpoint.password` could have value `process.text./var/run/vault/endpoint.password`, and the corresponding file contains the secret. **Thanks to [@Raymond Augé](https://github.com/rotty3000)**
 
 
 ### v4.0.0  
@@ -1785,7 +1877,7 @@ SCIM Gateway related news:
 - New `getGroups()` replacing deprecated exploreGroups(), getGroup() and getGroupMembers()
 - Fully filter and sort support
 - Authentication configuration may now include a baseEntities array containing one or more `baseEntity` allowed for corresponding admin user
-- New plugin-mongodb, **thanks to Filipe Ribeiro and Miguel Ferreira (KEEP SOLUTIONS)**
+- New plugin-mongodb, **Thanks to [@Filipe Ribeiro](https://github.com/fribeiro-keeps) and [@Miguel Ferreira](https://github.com/jmaferreira) (KEEP SOLUTIONS)**
 
 Note, using this major version **require existing custom plugins to be upgraded**. If you do not want to upgrade your custom plugins, the old version have to be installed using: `npm install scimgateway@3.2.11`  
 
@@ -1893,7 +1985,7 @@ We also need to add logic from existing getGroup() and getGroupMembers()
 [Fixed]  
 
 - Return 500 on GET handler error instead of 404  
-  **Thanks to Nipun Dayanath**
+  **Thanks to [@Nipun Dayanath](https://github.com/nipund)**
 - createUser/createRole response now includes id retrieved by getUser/getRole instead of using posted userName/displayName value
 
 ### v3.2.6  
@@ -2373,7 +2465,7 @@ Custom plugins needs some changes (please see included example plugins)
 
 - Some minor compliance fixes  
 
-**Thanks to ywchuang** 
+**Thanks to [@ywchuang](https://github.com/ywchuang)** 
 
 ### v1.0.4  
 [Improved]  
@@ -2473,7 +2565,7 @@ With:
 
 - Document updated on how to run SCIM Gateway as a Docker container  
 - `config\docker` includes docker configuration examples  
-**Thanks to Charley Watson and Jeffrey Gilbert**  
+**Thanks to [@cwatsonc](https://github.com/cwatsonc) and [@visualjeff](https://github.com/visualjeff)**  
 
 
 ### v0.4.5  
@@ -2494,7 +2586,7 @@ With:
 
 - NoSQL Document-Oriented Database plugin: `plugin-loki`  
 This plugin now replace previous `plugin-testmode`  
-**Thanks to Jeffrey Gilbert**  
+**Thanks to [@visualjeff](https://github.com/visualjeff)**  
 - Minor code/comment reorganizations in provided plugins  
 - Minor adjustments to multi-value logic introduced in v0.4.0  
 
@@ -2513,7 +2605,7 @@ This plugin now replace previous `plugin-testmode`
 
 - Mocha test scripts for automated testing of plugin-testmode  
 - Automated tests run on Travis-ci.org (click on build badge) 
-- **Thanks to Jeffrey Gilbert**
+- **Thanks to [@visualjeff](https://github.com/visualjeff)**
 
 
   

package/config/docker/dbinit/init.sql

@@ -0,0 +1,43 @@
+USE [master];
+GO
+
+IF NOT EXISTS (SELECT * FROM sys.sql_logins WHERE name = 'scimgateway')
+BEGIN
+    CREATE LOGIN [scimgateway] WITH PASSWORD = 'password', CHECK_POLICY = OFF;
+    ALTER SERVER ROLE [sysadmin] ADD MEMBER [scimgateway];
+END
+GO
+
+IF DB_ID('scimgateway') IS NULL
+BEGIN
+    CREATE DATABASE [scimgateway];
+END
+GO
+
+IF NOT EXISTS (SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = 'User')
+BEGIN
+    USE [scimgateway]
+    CREATE TABLE [User] (
+        [UserID] VARCHAR(50) NOT NULL,
+        [Enabled] VARCHAR(50) NULL,
+        [Password] VARCHAR(50) NULL,
+        [FirstName] VARCHAR(50) NULL,
+        [MiddleName] VARCHAR(50) NULL,
+        [LastName] VARCHAR(50) NULL,
+        [Email] VARCHAR(50) NULL,
+        [MobilePhone] VARCHAR(50) NULL,
+        CONSTRAINT [PK_User] PRIMARY KEY ([UserID])
+    );
+END
+GO
+
+IF NOT EXISTS (SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = 'Group')
+BEGIN
+    USE [scimgateway]
+    CREATE TABLE [Group] (
+        [GroupID] VARCHAR(50) NOT NULL,
+        [Enabled] VARCHAR(50) NULL,
+        CONSTRAINT [PK_Group] PRIMARY KEY ([GroupID])
+    );
+END
+GO

package/config/docker/docker-compose-mssql.yml

@@ -0,0 +1,58 @@
+version: '2'
+services:
+#   scimgateway:
+#     build:
+#       context: .
+#       dockerfile: ./Dockerfile
+#     image: scimgateway:latest
+#     container_name: scimgateway
+#     depends_on:
+#       scimgateway-sqlserver:
+#         condition: service_healthy
+#     hostname:
+#       scimgateway
+#     volumes:
+#       - ./config:/home/scimgateway/config:rw
+#       - /var/lib/dbus:/var/lib/dbus:ro
+#     ports:
+#       - "8880:8880"
+# #    environment:
+# #      - NODE_ENV=production
+# #      - PORT=8880
+# #      - SEED=changeit
+#     restart: on-failure:3
+
+  scimgateway-sqlserver:
+    image: mcr.microsoft.com/mssql/server:2019-latest
+    hostname:
+      MySqlHost
+    environment:
+      - ACCEPT_EULA=Y
+      - SA_PASSWORD=p@ssw0rd!
+      - MSSQL_PID=Developer
+    ports:
+      - 1433:1433
+    volumes:
+      - ./sqlserver_data:/var/opt/mssql
+    user: root
+    restart: always
+    healthcheck:
+      test: ["CMD-SHELL", "/opt/mssql-tools18/bin/sqlcmd -C -S localhost -U sa -P \"p@ssw0rd!\" -Q 'SELECT 1' || exit 1"]
+      interval: 10s
+      retries: 10
+      start_period: 10s
+      timeout: 3s
+
+  scimgateway-sqlserver-configurator:
+    image: mcr.microsoft.com/mssql/server:2019-latest
+    volumes:
+      - ./dbinit:/docker-entrypoint-initdb.d
+    depends_on:
+      scimgateway-sqlserver:
+        condition: service_healthy
+    restart: no
+    command: >
+      bash -c '
+      /opt/mssql-tools18/bin/sqlcmd -C -S MySqlHost -U sa -P "p@ssw0rd!" -d master -i docker-entrypoint-initdb.d/init.sql;
+      echo "All done!";
+      '

package/lib/helper-rest.ts

@@ -297,7 +297,7 @@ export class HelperRest {
           } catch (err: any) {
             throw new Error(`tls configuration error: ${err.message}`)
           }
-          if (Object.prototype.hasOwnProperty.call(connOpt?.tls, 'rejectUnauthorized')) {
+          if (connOpt.tls && Object.prototype.hasOwnProperty.call(connOpt.tls, 'rejectUnauthorized')) {
             if (connOpt.tls.rejectUnauthorized !== false && connOpt.tls.rejectUnauthorized !== true) {
               delete connOpt.tls.rejectUnauthorized
             }
@@ -405,13 +405,18 @@ export class HelperRest {
       let dataString = ''
       if (body) {
         if (options.headers['Content-Type']) {
-          if (options.headers['Content-Type'].toLowerCase() === 'application/x-www-form-urlencoded') {
+          const type: string = options.headers['Content-Type'].toLowerCase().trim()
+          if (type.startsWith('application/x-www-form-urlencoded')) {
             if (typeof body === 'string') dataString = body
             else dataString = querystring.stringify(body) // JSON to query string syntax + URL encoded
-          } else dataString = JSON.stringify(body)
+          } else {
+            if (typeof body === 'string') dataString = body
+            else dataString = JSON.stringify(body)
+          }
         } else {
           options.headers['Content-Type'] = 'application/json; charset=utf-8'
-          dataString = JSON.stringify(body)
+          if (typeof body === 'string') dataString = body
+          else dataString = JSON.stringify(body)
         }
         options.headers['Content-Length'] = Buffer.byteLength(dataString, 'utf8')
         options.body = dataString

package/lib/plugin-mssql.ts

@@ -6,16 +6,40 @@
 // Purpose: SQL user-provisioning
 //
 // Prereq:
-// TABLE [dbo].[User](
-//  [UserID] [varchar](50) NOT NULL,
-//  [Enabled] [varchar](50) NULL,
-//  [Password] [varchar](50) NULL,
-//  [FirstName] [varchar](50) NULL,
-//  [MiddleName] [varchar](50) NULL,
-//  [LastName] [varchar](50) NULL,
-//  [Email] [varchar](50) NULL,
-//  [MobilePhone] [varchar](50) NULL
-// )
+// CREATE TABLE [User] (
+//     [UserID] VARCHAR(50) NOT NULL,
+//     [Enabled] VARCHAR(50) NULL,
+//     [Password] VARCHAR(50) NULL,
+//     [FirstName] VARCHAR(50) NULL,
+//     [MiddleName] VARCHAR(50) NULL,
+//     [LastName] VARCHAR(50) NULL,
+//     [Email] VARCHAR(50) NULL,
+//     [MobilePhone] VARCHAR(50) NULL,
+//     CONSTRAINT [PK_User]
+//         PRIMARY KEY ([UserID])
+// );
+//
+// CREATE TABLE [Group] (
+//     [GroupID] VARCHAR(50) NOT NULL,
+//     [Enabled] VARCHAR(50) NULL,
+//     CONSTRAINT [PK_Group]
+//         PRIMARY KEY ([GroupID])
+// );
+//
+// CREATE TABLE [Users2Group] (
+//     [GroupID] VARCHAR(50) NOT NULL,
+//     [UserID] VARCHAR(50) NOT NULL,
+//     CONSTRAINT [PK_Users2Group]
+//         PRIMARY KEY ([GroupID],[UserID]),
+//     CONSTRAINT [FK_U2G_Group]
+//         FOREIGN KEY ([GroupID])
+//         REFERENCES [Group]([GroupID])
+//         ON DELETE CASCADE,
+//     CONSTRAINT [FK_U2G_Users]
+//         FOREIGN KEY ([UserID])
+//         REFERENCES [User]([UserID])
+//         ON DELETE CASCADE
+// );
 //
 // Supported attributes:
 //
@@ -69,7 +93,7 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
   if (getObj.operator) {
     if (getObj.operator === 'eq' && ['id', 'userName', 'externalId'].includes(getObj.attribute)) {
       // mandatory - unique filtering - single unique user to be returned - correspond to getUser() in versions < 4.x.x
-      sqlQuery = `select * from [User] where UserID = '${getObj.value}'`
+      sqlQuery = `select * from [Users] where UserID = '${getObj.value}'`
     } else if (getObj.operator === 'eq' && getObj.attribute === 'group.value') {
       // optional - only used when groups are member of users, not default behavior - correspond to getGroupUsers() in versions < 4.x.x
       throw new Error(`${action} error: not supporting groups member of user filtering: ${getObj.rawFilter}`)
@@ -82,64 +106,41 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
     throw new Error(`${action} not error: supporting advanced filtering: ${getObj.rawFilter}`)
   } else {
     // mandatory - no filtering (!getObj.operator && !getObj.rawFilter) - all users to be returned - correspond to exploreUsers() in versions < 4.x.x
-    sqlQuery = 'select * from [User]'
+    sqlQuery = 'select * from [Users]'
   }
   // mandatory if-else logic - end
 
   if (!sqlQuery) throw new Error(`${action} error: mandatory if-else logic not fully implemented`)
 
   try {
-    return await new Promise((resolve, reject) => {
+    return await new Promise(async (resolve, reject) => {
       const ret: any = { // itemsPerPage will be set by scimgateway
         Resources: [],
         totalResults: null,
       }
 
-      const connectionCfg: any = scimgateway.copyObj(config.connection)
-      if (ctx?.request?.header?.authorization) { // Auth PassThrough (don't use configuration password)
-        if (!connectionCfg.authentication) connectionCfg.authentication = {}
-        if (!connectionCfg.authentication.type) connectionCfg.authentication.type = 'default'
-        if (!connectionCfg.authentication.options) connectionCfg.authentication.options = {}
-        const [username, password] = getCtxAuth(ctx)
-        connectionCfg.authentication.options.password = password
-        if (username) connectionCfg.authentication.options.userName = username
-      }
-
-      const connection = new Connection(connectionCfg)
-
-      connection.on('connect', function (err) {
-        if (err) {
-          const e = new Error(`exploreUsers MSSQL client connect error: ${err.message}`)
-          return reject(e)
+      const users: any[] = await query(sqlQuery, ctx).catch((err: any) => {
+        const e = new Error(`${action} error: ${err.message}`)
+        return reject(e)
+      })
+
+      for (const user of users) {
+        const scimUser = {
+          id: user.UserID.value ? user.UserID.value : undefined,
+          userName: user.UserID.value ? user.UserID.value : undefined,
+          active: user.Enabled.value === 'true' || false,
+          name: {
+            givenName: user.FirstName.value ? user.FirstName.value : undefined,
+            middleName: user.MiddleName.value ? user.MiddleName.value : undefined,
+            familyName: user.LastName.value ? user.LastName.value : undefined,
+          },
+          phoneNumbers: user.MobilePhone.value ? [{ type: 'work', value: user.MobilePhone.value }] : undefined,
+          emails: user.Email.value ? [{ type: 'work', value: user.Email.value }] : undefined,
         }
-        const request = new Request(sqlQuery, function (err, rowCount, rows) {
-          if (err) {
-            connection.close()
-            const e = new Error(`exploreUsers MSSQL client request: ${sqlQuery} Error: ${err.message}`)
-            return reject(e)
-          }
+        ret.Resources.push(scimUser)
+      }
 
-          for (const row in rows) {
-            const scimUser = {
-              id: rows[row].UserID.value ? rows[row].UserID.value : undefined,
-              userName: rows[row].UserID.value ? rows[row].UserID.value : undefined,
-              active: rows[row].Enabled.value === 'true' || false,
-              name: {
-                givenName: rows[row].FirstName.value ? rows[row].FirstName.value : undefined,
-                middleName: rows[row].MiddleName.value ? rows[row].MiddleName.value : undefined,
-                familyName: rows[row].LastName.value ? rows[row].LastName.value : undefined,
-              },
-              phoneNumbers: rows[row].MobilePhone.value ? [{ type: 'work', value: rows[row].MobilePhone.value }] : undefined,
-              emails: rows[row].Email.value ? [{ type: 'work', value: rows[row].Email.value }] : undefined,
-            }
-            ret.Resources.push(scimUser)
-          }
-          connection.close()
-          resolve(ret) // all explored users
-        }) // request
-        connection.execSql(request)
-      }) // connection
-      connection.connect() // initialize the connection
+      resolve(ret) // all explored users
     }) // Promise
   } catch (err: any) {
     throw new Error(`${action} error: ${err.message}`)
@@ -154,7 +155,7 @@ scimgateway.createUser = async (baseEntity, userObj, ctx) => {
   scimgateway.logDebug(baseEntity, `handling "${action}" userObj=${JSON.stringify(userObj)}`)
 
   try {
-    return await new Promise((resolve, reject) => {
+    return await new Promise(async (resolve, reject) => {
       if (!userObj.name) userObj.name = {}
       if (!userObj.emails) userObj.emails = { work: {} }
       if (!userObj.phoneNumbers) userObj.phoneNumbers = { work: {} }
@@ -170,37 +171,15 @@ scimgateway.createUser = async (baseEntity, userObj, ctx) => {
         Email: (userObj.emails.work.value) ? `'${userObj.emails.work.value}'` : null,
       }
 
-      const connectionCfg: any = scimgateway.copyObj(config.connection)
-      if (ctx?.request?.header?.authorization) { // Auth PassThrough (don't use configuration password)
-        if (!connectionCfg.authentication) connectionCfg.authentication = {}
-        if (!connectionCfg.authentication.type) connectionCfg.authentication.type = 'default'
-        if (!connectionCfg.authentication.options) connectionCfg.authentication.options = {}
-        const [username, password] = getCtxAuth(ctx)
-        connectionCfg.authentication.options.password = password
-        if (username) connectionCfg.authentication.options.userName = username
-      }
-      const connection = new Connection(connectionCfg)
-
-      connection.on('connect', function (err) {
-        if (err) {
-          const e = new Error(`createUser MSSQL client connect error: ${err.message}`)
-          return reject(e)
-        }
-        const sqlQuery = `insert into [User] (UserID, Enabled, Password, FirstName, MiddleName, LastName, Email, MobilePhone) 
+      const sqlQuery = `insert into [Users] (UserID, Enabled, Password, FirstName, MiddleName, LastName, Email, MobilePhone)
                 values (${insert.UserID}, ${insert.Enabled}, ${insert.Password}, ${insert.FirstName}, ${insert.MiddleName}, ${insert.LastName}, ${insert.Email}, ${insert.MobilePhone})`
 
-        const request = new Request(sqlQuery, function (err) {
-          if (err) {
-            connection.close()
-            const e = new Error(`createUser MSSQL client request: ${sqlQuery} error: ${err.message}`)
-            return reject(e)
-          }
-          connection.close()
-          resolve(null)
-        }) // request
-        connection.execSql(request)
-      }) // connection
-      connection.connect() // initialize the connection
+      await query(sqlQuery, ctx).catch((err: any) => {
+        const e = new Error(`${action} error: ${err.message}`)
+        return reject(e)
+      })
+
+      resolve(null)
     }) // Promise
   } catch (err: any) {
     throw new Error(`${action} error: ${err.message}`)
@@ -215,36 +194,14 @@ scimgateway.deleteUser = async (baseEntity, id, ctx) => {
   scimgateway.logDebug(baseEntity, `handling "${action}" id=${id}`)
 
   try {
-    return await new Promise((resolve, reject) => {
-      const connectionCfg: any = scimgateway.copyObj(config.connection)
-      if (ctx?.request?.header?.authorization) { // Auth PassThrough (don't use configuration password)
-        if (!connectionCfg.authentication) connectionCfg.authentication = {}
-        if (!connectionCfg.authentication.type) connectionCfg.authentication.type = 'default'
-        if (!connectionCfg.authentication.options) connectionCfg.authentication.options = {}
-        const [username, password] = getCtxAuth(ctx)
-        connectionCfg.authentication.options.password = password
-        if (username) connectionCfg.authentication.options.userName = username
-      }
-      const connection = new Connection(connectionCfg)
-
-      connection.on('connect', function (err) {
-        if (err) {
-          const e = new Error(`deleteUser MSSQL client connect error: ${err.message}`)
-          return reject(e)
-        }
-        const sqlQuery = `delete from [User] where UserID = '${id}'`
-        const request = new Request(sqlQuery, function (err) {
-          if (err) {
-            connection.close()
-            const e = new Error(`deleteUser MSSQL client request: ${sqlQuery} error: ${err.message}`)
-            return reject(e)
-          }
-          connection.close()
-          resolve(null)
-        }) // request
-        connection.execSql(request)
-      }) // connection
-      connection.connect() // initialize the connection
+    return await new Promise(async (resolve, reject) => {
+      const sqlQuery = `delete from [Users] where UserID = '${id}'`
+      await query(sqlQuery, ctx).catch((err: any) => {
+        const e = new Error(`${action} error: ${err.message}`)
+        return reject(e)
+      })
+
+      resolve(null)
     }) // Promise
   } catch (err: any) {
     throw new Error(`${action} error: ${err.message}`)
@@ -259,7 +216,7 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
   scimgateway.logDebug(baseEntity, `handling "${action}" id=${id} attrObj=${JSON.stringify(attrObj)}`)
 
   try {
-    return await new Promise((resolve, reject) => {
+    return await new Promise(async (resolve, reject) => {
       if (!attrObj.name) attrObj.name = {}
       if (!attrObj.emails) attrObj.emails = { work: {} }
       if (!attrObj.phoneNumbers) attrObj.phoneNumbers = { work: {} }
@@ -294,35 +251,13 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
 
       sql = sql.substr(0, sql.length - 1) // remove trailing ","
 
-      const connectionCfg: any = scimgateway.copyObj(config.connection)
-      if (ctx?.request?.header?.authorization) { // Auth PassThrough (don't use configuration password)
-        if (!connectionCfg.authentication) connectionCfg.authentication = {}
-        if (!connectionCfg.authentication.type) connectionCfg.authentication.type = 'default'
-        if (!connectionCfg.authentication.options) connectionCfg.authentication.options = {}
-        const [username, password] = getCtxAuth(ctx)
-        connectionCfg.authentication.options.password = password
-        if (username) connectionCfg.authentication.options.userName = username
-      }
-      const connection = new Connection(connectionCfg)
+      const sqlQuery = `update [Users] set ${sql} where UserID like '${id}'`
+      await query(sqlQuery, ctx).catch((err: any) => {
+        const e = new Error(`${action} error: ${err.message}`)
+        return reject(e)
+      })
 
-      connection.on('connect', function (err) {
-        if (err) {
-          const e = new Error(`modifyUser MSSQL client connect error: ${err.message}`)
-          return reject(e)
-        }
-        const sqlQuery = `update [User] set ${sql} where UserID like '${id}'`
-        const request = new Request(sqlQuery, function (err) {
-          if (err) {
-            connection.close()
-            const e = new Error(`modifyUser MSSQL client request: ${sqlQuery} error: ${err.message}`)
-            return reject(e)
-          }
-          connection.close()
-          resolve(null)
-        }) // request
-        connection.execSql(request)
-      }) // connection
-      connection.connect() // initialize the connection
+      resolve(null)
     }) // Promise
   } catch (err: any) {
     throw new Error(`${action} error: ${err.message}`)
@@ -332,55 +267,174 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
 // =================================================
 // getGroups
 // =================================================
-scimgateway.getGroups = async (baseEntity, getObj, attributes) => {
+scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
   const action = 'getGroups'
   scimgateway.logDebug(baseEntity, `handling "${action}" getObj=${getObj ? JSON.stringify(getObj) : ''} attributes=${attributes}`)
 
+  let sqlQuery
+
   // mandatory if-else logic - start
   if (getObj.operator) {
     if (getObj.operator === 'eq' && ['id', 'displayName', 'externalId'].includes(getObj.attribute)) {
-      // mandatory - unique filtering - single unique user to be returned - correspond to getUser() in versions < 4.x.x
+      // mandatory - unique filtering - single unique user to be returned - correspond to getGroup() in versions < 4.x.x
+      sqlQuery = `select * from [Groups] where GroupID = '${getObj.value}'`
     } else if (getObj.operator === 'eq' && getObj.attribute === 'members.value') {
       // mandatory - return all groups the user 'id' (getObj.value) is member of - correspond to getGroupMembers() in versions < 4.x.x
-      // Resources = [{ id: <id-group>> , displayName: <displayName-group>, members [{value: <id-user>}] }]
+      sqlQuery = `select * from [Groups] join [Users2Group] on Groups.GroupID = Users2Group.GroupID where Users2Group.UserID = '${getObj.value}'`
     } else {
       // optional - simpel filtering
+      throw new Error(`${action} error: not supporting simple filtering: ${getObj.rawFilter}`)
     }
   } else if (getObj.rawFilter) {
     // optional - advanced filtering having and/or/not - use getObj.rawFilter
+    throw new Error(`${action} not error: supporting advanced filtering: ${getObj.rawFilter}`)
   } else {
     // mandatory - no filtering (!getObj.operator && !getObj.rawFilter) - all groups to be returned - correspond to exploreGroups() in versions < 4.x.x
+    sqlQuery = 'select * from [Groups]'
   }
   // mandatory if-else logic - end
+  if (!sqlQuery) throw new Error(`${action} error: mandatory if-else logic not fully implemented`)
 
-  return { Resources: [] } // groups not supported - returning empty Resources
+  try {
+    return await new Promise(async (resolve, reject) => {
+      const ret: any = { // itemsPerPage will be set by scimgateway
+        Resources: [],
+        totalResults: null,
+      }
+
+      const groups = await query(sqlQuery, ctx).catch((err: any) => {
+        const e = new Error(`${action} error: ${err.message}`)
+        return reject(e)
+      })
+
+      for (const group of groups) {
+        const scimGroup: Record<string, any> = {
+          id: group.GroupID.value ? group.GroupID.value : undefined,
+          displayName: group.GroupID.value ? group.GroupID.value : undefined,
+          active: group.Enabled.value === 'true' || false,
+          members: [],
+        }
+
+        const sqlQuery = `select UserID from [Users2Group] where GroupID = '${scimGroup.id}'`
+        const members = await query(sqlQuery, ctx).catch(e => console.warn(`${e}`))
+        for (const member of members) {
+          const scimMember = {
+            value: member.UserID.value,
+            display: member.UserID.value,
+          }
+          scimGroup.members.push(scimMember)
+        }
+
+        ret.Resources.push(scimGroup)
+      }
+
+      resolve(ret)
+    }) // Promise
+  } catch (err: any) {
+    throw new Error(`${action} error: ${err.message}`)
+  }
 }
 
 // =================================================
 // createGroup
 // =================================================
-scimgateway.createGroup = async (baseEntity, groupObj) => {
+scimgateway.createGroup = async (baseEntity, groupObj, ctx) => {
   const action = 'createGroup'
   scimgateway.logDebug(baseEntity, `handling "${action}" groupObj=${JSON.stringify(groupObj)}`)
-  throw new Error(`${action} error: ${action} is not supported`)
+
+  try {
+    return await new Promise(async (resolve, reject) => {
+      const insert = {
+        GroupID: `'${groupObj.displayName}'`,
+        Enabled: (groupObj.active) ? `'${groupObj.active}'` : '\'false\'',
+      }
+
+      const sqlQuery = `insert into [Groups] (GroupID, Enabled) values (${insert.GroupID}, ${insert.Enabled})`
+      await query(sqlQuery, ctx).catch(e => console.warn(`${e}`))
+
+      for (const member of groupObj.members) {
+        const sqlQuery = `insert into [Users2Group] (UserID, GroupID) values ('${member.value}', ${insert.GroupID})`
+        await query(sqlQuery, ctx).catch((err: any) => {
+          const e = new Error(`${action} error: ${err.message}`)
+          return reject(e)
+        })
+      }
+
+      resolve(null)
+    }) // Promise
+  } catch (err: any) {
+    throw new Error(`${action} error: ${err.message}`)
+  }
 }
 
 // =================================================
 // deleteGroup
 // =================================================
-scimgateway.deleteGroup = async (baseEntity, id) => {
+scimgateway.deleteGroup = async (baseEntity, id, ctx) => {
   const action = 'deleteGroup'
   scimgateway.logDebug(baseEntity, `handling "${action}" id=${id}`)
-  throw new Error(`${action} error: ${action} is not supported`)
+
+  try {
+    return await new Promise(async (resolve, reject) => {
+      const sqlQuery = `delete from [Groups] where GroupID = '${id}'`
+      await query(sqlQuery, ctx).catch((err: any) => {
+        const e = new Error(`${action} error: ${err.message}`)
+        return reject(e)
+      })
+
+      resolve(null)
+    }) // Promise
+  } catch (err: any) {
+    throw new Error(`${action} error: ${err.message}`)
+  }
 }
 
 // =================================================
 // modifyGroup
 // =================================================
-scimgateway.modifyGroup = async (baseEntity, id, attrObj) => {
+scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
   const action = 'modifyGroup'
   scimgateway.logDebug(baseEntity, `handling "${action}" id=${id} attrObj=${JSON.stringify(attrObj)}`)
-  throw new Error(`${action} error: ${action} is not supported`)
+
+  let sql = ''
+
+  if (attrObj.active !== undefined) sql += `Enabled='${attrObj.active}',`
+  sql = sql.substr(0, sql.length - 1) // remove trailing ","
+
+  const queries = []
+  if (sql) {
+    queries.push(`update [Groups] set ${sql} where GroupID like '${id}'`)
+  }
+
+  // This BLINDLY inserts all user/groups and gracefully breaks on PK violation
+  // for each existing membership
+  if (Array.isArray(attrObj.members) && attrObj.members) {
+    attrObj.members.forEach((member) => {
+      if (member.operation == 'delete') {
+        queries.push(`delete from [Users2Group] where GroupID='${id}' and UserID='${member.value}'`)
+      } else {
+        queries.push(`insert into [Users2Group] (UserID, GroupID) values ('${member.value}','${id}')`)
+      }
+    })
+  }
+
+  const sqlQuery = queries.join(';')
+
+  try {
+    return await new Promise(async (resolve, reject) => {
+      if (sqlQuery) {
+        scimgateway.logDebug(baseEntity, `sqlQuery: ${sqlQuery}`)
+        await query(sqlQuery, ctx).catch((err: any) => {
+          const e = new Error(`${action} error: ${err.message}`)
+          return reject(e)
+        })
+      }
+
+      resolve(null)
+    }) // Promise
+  } catch (err: any) {
+    throw new Error(`${action} error: ${err.message}`)
+  }
 }
 
 // =================================================
@@ -399,6 +453,42 @@ const getCtxAuth = (ctx: undefined | Record<string, any>) => {
   else return [undefined, authToken] // bearer auth
 }
 
+const connectionCfg = (ctx: undefined | Record<string, any>) => {
+  const connectionCfg = scimgateway.copyObj(config.connection)
+  if (ctx?.request?.header?.authorization) { // Auth PassThrough (don't use configuration password)
+    if (!connectionCfg.authentication) connectionCfg.authentication = {}
+    if (!connectionCfg.authentication.type) connectionCfg.authentication.type = 'default'
+    if (!connectionCfg.authentication.options) connectionCfg.authentication.options = {}
+    const [username, password] = getCtxAuth(ctx)
+    connectionCfg.authentication.options.password = password
+    if (username) connectionCfg.authentication.options.userName = username
+  }
+  return connectionCfg
+}
+
+const query: (sql: string, ctx: any) => Promise<any> = (sql, ctx) => new Promise((resolve, reject) => {
+  const connection = new Connection(connectionCfg(ctx))
+
+  connection.connect((err) => {
+    if (err) {
+      const e = new Error(`MSSQL client connect error: ${err.message}`)
+      reject(e)
+    } else {
+      const request = new Request(sql, (err, rowCount, rows) => {
+        if (err) {
+          connection.close()
+          const e = new Error(`MSSQL client request: ${sql} Error: ${err.message}`)
+          reject(e)
+        } else {
+          connection.close()
+          resolve(rows)
+        }
+      })
+      connection.execSql(request)
+    }
+  })
+})
+
 //
 // Cleanup on exit
 //

package/lib/scimgateway.ts

@@ -2688,21 +2688,21 @@ export class ScimGateway {
   * logDebug logs debug message
   **/
   logDebug(baseEntity: string | undefined, msg: string) {
-    this.logger.debug(`${this.pluginName}[${baseEntity}]} ${msg}`)
+    this.logger.debug(`${this.pluginName}[${baseEntity}] ${msg}`)
   }
 
   /**
   * logInfo logs info message
   **/
   logInfo(baseEntity: string | undefined, msg: string) {
-    this.logger.info(`${this.pluginName}[${baseEntity}]} ${msg}`)
+    this.logger.info(`${this.pluginName}[${baseEntity}] ${msg}`)
   }
 
   /**
   * logError logs error message
   **/
   logError(baseEntity: string | undefined, msg: string) {
-    this.logger.error(`${this.pluginName}[${baseEntity}]} ${msg}`)
+    this.logger.error(`${this.pluginName}[${baseEntity}] ${msg}`)
   }
 
   /**
@@ -2919,15 +2919,28 @@ export class ScimGateway {
       if (!this.helperRest) this.helperRest = new HelperRest(this, { entity: { undefined: { connection: this.config.scimgateway.email } } })
       if (this.config.scimgateway.email.auth?.options?.tenantIdGUID) {
         // Graph API
+        let content: string
+        if (isHtml) { // ExO workaround for national special caracters in html content - require singleValueExtendedProperties being used
+          var enc = new TextEncoder() // utf-8
+          const buf = enc.encode(msgObj.content)
+          content = new TextDecoder('windows-1252').decode(buf)
+        } else content = msgObj.content
+
         const emailMessage: Record<string, any> = {
           message: {
             subject: msgObj.subject ? msgObj.subject : 'SCIM Gateway message',
             body: {
-              content: msgObj.content,
+              content,
               contentType: isHtml ? 'HTML' : 'Text',
             },
             toRecipients: [],
             ccRecipients: [],
+            singleValueExtendedProperties: [ // force using ExO header: Content-Type: text/plain; charset="utf-8"
+              {
+                id: 'Integer 0x3fde', // Content-Type header - can be verifed by checking raw mail
+                value: '65001', // text/plain; charset="utf-8"
+              },
+            ],
           },
           saveToSentItems: 'false',
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "5.0.6",
+  "version": "5.0.7",
   "type": "module",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",