npm - scimgateway - Versions diffs - 6.1.19 → 6.2.0 - Mend

scimgateway 6.1.19 → 6.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/README.md +48 -1
package/config/{plugin-scim.json → plugin-generic.json} +63 -0
package/index.ts +1 -1
package/lib/helper-rest.ts +5 -0
package/lib/plugin-entra-id.ts +4 -2
package/lib/plugin-generic.ts +552 -0
package/lib/postinstall.ts +2 -2
package/lib/scimgateway.ts +10 -1
package/lib/utils-scim.ts +16 -1
package/package.json +1 -1
package/test/index.ts +1 -1
package/test/lib/{plugin-scim_test.ts → plugin-generic_test.ts} +7 -5
package/lib/plugin-scim.ts +0 -493

package/README.md CHANGED Viewed

@@ -17,6 +17,7 @@
 Latest news:
+- New `plugin-generic` replacing previous `plugin-scim`. This new plugin use the endpointMapper for flexible attribute mapping and also supports the new mapper option `valueMap` (e.g., group filtering and mapping).
 - Now supports `GET /Roles` and `GET /Entitlements` endpoint requests, with corresponding user management via the standard SCIM `roles` and `entitlements` attributes. The Entra ID plugin uses `entitlements` for Entra ID licenses (read-only) and `roles` for Entra ID Permanent and Eligible roles (full management).
 - Bun binary build is now supported, allowing SCIM Gateway to be compiled into a single executable binary for simplified deployment and execution. SCIM Gateway can now run as an ES module (TypeScript) in Node.js.
 - Major release **v6.0.0** introduces changes to API method responses (not SCIM-related) and a new method `publicApi()` for handling public path `/pub/api` requests with no authentication required. In addition, the configuration option `bearerJwtAzure.tenantIdGUID` has been replaced by `bearerJwt.azureTenantId`. See the version history for details.
@@ -61,7 +62,7 @@ The following fully functional plugins are included for demonstration and produc
 | **Loki** | NoSQL Database | Transforms the SCIM Gateway into a standalone SCIM endpoint utilizing the internal [LokiJS](https://github.com/techfort/LokiJS) database. Includes two test users and groups |
 | **MongoDB** | NoSQL Database | Similar to the Loki plugin, but using an externally managed MongoDB database, showcasing multi-tenant and multi-endpoint capabilities via `baseEntity` |
 | **Entra ID** | REST Webservices | Entra ID user provisioning via Microsoft Graph API |
-| **SCIM** | REST Webservice | Using plugin Loki as a SCIM provisioning endpoint. May become a SCIM version-gateway (e.g., 1.1 => 2.0) |
+| **Generic** | REST Webservice | Generic template plugin configured to use plugin-loki as a SCIM provisioning endpoint. Supports the endpointMapper `valueMap` option for allowlisting and mapping (e.g., groups). Can also be used as a SCIM version gateway (e.g., 1.1 => 2.0) |
 | **API** | REST Webservices | A non-SCIM plugin demonstrating API Gateway functionality for custom REST specifications |
 | **Soap** | SOAP Webservice | Demonstrates user provisioning to a SOAP-based endpoint with example WSDLs |
 | **MSSQL** | Database | Demonstrates user provisioning to an MSSQL database |
@@ -1304,6 +1305,52 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 ## Change log
+### v6.2.0
+[Fixed]
+- `helper-rest` failed on Bun v1.3.14 due to stricter compliance with Fetch standards.
+[Improved]
+- New `plugin-generic` replacing previous `plugin-scim`. This new plugin use the endpointMapper for flexible attribute mapping and also supports the new mapper option `valueMap` (e.g., group filtering and mapping). The default configuration uses one-to-one SCIM mapping, with plugin-loki as the target SCIM endpoint.
+- endpointMapper now supports the 'valueMap' option
+	Example configuration:
+		"map": {
+		  "group": {
+		    ...
+		    "displayName": {
+		      "mapTo": "displayName",
+		      "type": "string",
+		      "valueMap": {
+		        "outboundEndpointGrp1": "inboundScimGrp1",
+		        "Employees": "Admins"
+		      }
+		    },
+		    ...
+		  }
+		  ...
+		}
+	Using the above settings restricts the client using SCIM Gateway with regard to group management.
+	The client will only see and be able to manage groups with SCIM names "inboundScimGrp1" and "Admins",
+	if their mapped counterparts exist at the target endpoint as "outboundEndpointGrp1" and "Employees".
+	Use case:
+	- Allowlisting specific groups or user objects that includes attribute mapping having the valueMap option configured.
+	- Supporting different inbound/outbound names (e.g., Entra ID group provisioning to SCIM Gateway).
+### v6.1.20
+[Fixed]
+- plugin-entra-id: Roles introduced in v6.1.19 were missing when retrieving a single user.
 ### v6.1.19
 [Fixed]

package/config/{plugin-scim.json → plugin-generic.json} RENAMED Viewed

@@ -156,6 +156,69 @@
           }
         }
       }
+    },
+    "map": {
+      "group": {
+        "id": {
+          "mapTo": "id",
+          "type": "string"
+        },
+        "displayName": {
+          "mapTo": "displayName",
+          "type": "string",
+          "valueMap": {}
+        },
+        "members": {
+          "mapTo": "members",
+          "type": "complexArray"
+        }
+      },
+      "user": {
+        "id": {
+          "mapTo": "id",
+          "type": "string"
+        },
+        "userName": {
+          "mapTo": "userName",
+          "type": "string",
+          "xvalueMap": {
+            "bjensen": "Xbjensen"
+          }
+        },
+        "active": {
+          "mapTo": "active",
+          "type": "boolean"
+        },
+        "password": {
+          "mapTo": "password",
+          "type": "string"
+        },
+        "title": {
+          "mapTo": "title",
+          "type": "string"
+        },
+        "name": {
+          "mapTo": "name",
+          "type": "complexObject",
+          "subAttributes": []
+        },
+        "emails": {
+          "mapTo": "emails",
+          "type": "complexArray"
+        },
+        "phoneNumbers": {
+          "mapTo": "phoneNumbers",
+          "type": "complexArray"
+        },
+        "roles": {
+          "mapTo": "roles",
+          "type": "complexArray"
+        },
+        "entitlements": {
+          "mapTo": "entitlements",
+          "type": "complexArray"
+        }
+      }
     }
   }
 }

package/index.ts CHANGED Viewed

@@ -12,7 +12,7 @@
 //
 // start one or more plugins:
-// import './lib/plugin-scim.ts'
+// import './lib/plugin-generic.ts'
 // import './lib/plugin-entra-id.ts'
 // import './lib/plugin-ldap.ts'
 // import './lib/plugin-mongodb.ts'

package/lib/helper-rest.ts CHANGED Viewed

@@ -702,6 +702,11 @@ export class HelperRest {
           }
         }
+        // Bun v1.3.14 became stricter and more aligned with standards.
+        delete options.host
+        delete options.port
+        delete options.protocol
         // execute request
         const f = await fetch(url, options)
         if (!f.status) throw new Error('Response missing status code')

package/lib/plugin-entra-id.ts CHANGED Viewed

@@ -294,6 +294,7 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
   if (!path) throw new Error(`${action} error: mandatory if-else logic not fully implemented`)
   if (path.includes('$count=true')) { // $count=true requires ConsistencyLevel
+    // note: when using $expand, the $count=true might be ignored by target endpoint and the ctx.paging.totalResults updated by doReqest() will be incremental
     if (!options.headers) options.headers = {}
     options.headers.ConsistencyLevel = 'eventual'
   }
@@ -355,6 +356,7 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
         delete response.body.value[i].signInActivity.lastNonInteractiveSignInRequestId
         delete response.body.value[i].signInActivity.lastSuccessfulSignInRequestId
       }
       if ((attributes.includes('roles') || attributes.length === 0) && mapAttributesTo.includes('roles')) {
         response.body.value[i].roles = await getUserRoles(baseEntity, response.body.value[i].id, response.body.value[i].groups, ctx?.headers ? { headers: ctx?.headers } : undefined)
       }
@@ -729,6 +731,7 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
   if (!path) throw new Error(`${action} error: mandatory if-else logic not fully implemented`)
   if (path.includes('$count=true')) { // $count=true requires ConsistencyLevel
+    // note: when using $expand, the $count=true might be ignored by target endpoint and the ctx.paging.totalResults updated by doReqest() will be incremental
     if (!options.headers) options.headers = {}
     options.headers.ConsistencyLevel = 'eventual'
   }
@@ -1356,7 +1359,6 @@ const getUserRoles = async (baseEntity: string, userId: string, groups: Record<s
   })
   const permanentRoles = rolesAssignments.permanent.filter((role: any) => Ids.includes(role.principalId)).map((role: any) => {
-    if (eligibleRoles.filter((r: any) => r.value === role.roleDefinitionId).length > 0) return null // eligible role activated becomes listed as permanent, skip those...
     const roleDef = roleDefs[role.roleDefinitionId]
     if (roleDef) {
       if (includeAssignmentId === true) return { type: 'Permanent', value: roleDef.id, display: roleDef.displayName, assignmentId: role.id }
@@ -1396,7 +1398,7 @@ const fnCunckExecute = async (fnArr: { index?: number, fn: () => Promise<any> }[
         if (statusCode !== 404) throw new Error(errMsg)
       }
       results.forEach((result, idx) => {
-        if (result.status === 'fulfilled' && arrChunk[idx].index && responseValue && key) {
+        if (result.status === 'fulfilled' && typeof arrChunk[idx].index === 'number' && responseValue && key) {
           if (result.value) responseValue[arrChunk[idx].index][key] = result.value
           else responseValue[arrChunk[idx].index][key] = result
         }