Scripting allows you to customize various aspects of OpenIDM functionality, for example, by providing custom logic between source and target mappings, defining correlation rules, filters, and triggers, and so on.
You define scripts using script objects, which can either include the code directly in the configuration, or call an external file that contains the script.
Custom scripts should be placed in the script/ folder
for your project, for example path/to/openidm/script/.
Do not modify or remove the script files located in
path/to/openidm/bin/defaults/script/. This folder
contains the default scripts that are required to run specific services.
Scripts in this folder are not guaranteed to remain constant between
product releases.
{
"type" : "text/javascript",
"source": string
}
or
{
"type" : "text/javascript",
"file" : file location
}
string, required
Specifies the type of script to be executed. Currently, OpenIDM
supports only"text/javascript".
string, required if file is not specified
Specifies the source code of the script to be executed.
string, required if source is not specified
Specifies the file containing the source code of the script to execute.
The following example (included in the sync.json
file) returns true if the employeeType
is equal to external, otherwise returns
false. This script can be useful during reconciliation to
establish whether the source object should be a part of the reconciliation,
or ignored.
"validTarget": {
"type" : "text/javascript",
"source": "target.employeeType == 'external'"
}
The following example (included in the sync.json
file) sets the __PASSWORD__ attribute to
defaultpwd when OpenIDM creates a target object.
"onCreate" : {
"type" : "text/javascript",
"source": "target.__PASSWORD__ = 'defaultpwd'"
}
The following example (included in the router.json
file) shows a trigger to create Solaris home directories using a script.
The script is located in a file,
/path/to/openidm/script/createUnixHomeDir.js.
{
"filters" : [ {
"pattern" : "^system/solaris/account$",
"methods" : [ "create" ],
"onResponse" : {
"type" : "text/javascript",
"file" : "script/createUnixHomeDir.js"
}
} ]
}
Functions (access to managed objects, system objects, and
configuration objects) within OpenIDM are accessible to scripts
via the openidm object, which is included in
the top-level scope provided to each script.
OpenIDM also provides a logger object to
access SLF4J facilities. The following code shows an example:
logger.info("Parameters passed in: {} {} {}", param1, param2, param3);
To set the log level, use
org.forgerock.openidm.script.javascript.JavaScript.level
in openidm/conf/logging.properties.
This function creates a new resource object.
string
The identifier of the object to be created.
object
The value of the object to be created.
The created OpenIDM resource object.
An exception is thrown if the object could not be created.
This function performs a partial modification of a managed
object. Unlike the update function, only the
modified attributes are provided, not the entire object.
string
The identifier of the object to be updated.
string
The revision of the object to be updated, or
null if the object is not subject
to revision control.
object
The value of the modifications to be applied to the object.
The modified OpenIDM resource object.
An exception is thrown if the object could not be updated.
This function reads and returns an OpenIDM resource object.
string
The identifier of the object to be read.
The read OpenIDM resource object, or null
if not found.
This function updates a resource object.
string
The identifier of the resource object to be updated.
string
The revision of the object to be updated, or
null if the object is not subject to revision control.
object
The value of the object to be updated.
The modified OpenIDM resource object.
An exception is thrown if the object could not be updated.
This function deletes a resource object.
string
The identifier of the object to be deleted.
string
The revision of the object to be deleted, or
null if the object is not subject to revision control.
A null value if successful.
An exception is thrown if the object could not be deleted.
Note that delete is a reserved word in JavaScript
and this function can therefore not be called in the usual manner. To call
delete from a JavaScript, you must specify the call as shown in the
following example:
openidm['delete']('managed/user/'+ user._id, user._rev)
Calling openidm.delete() directly from a JavaScript
results in an error similar to the following:
org.forgerock.openidm.script.ScriptException: missing name after . operator
This function performs a query on the specified OpenIDM resource object.
string
The identifier of the object to perform the query on.
object
An object containing the query ID and its parameters.
The result of the query. A query result includes the following parameters:
The time, in milliseconds, that OpenIDM took to process the query.
(For an OrientDB repository only) the time, in milliseconds, taken to convert the data to a JSON object.
The list of entries retrieved by the query. The result
includes the revision ("_rev") of the
entry and any other properties that were requested in the
query.
The following example shows the result of a custom query that
requests the ID, user name, and email address of managed users in the
repository. For an OrientDB repository, the query would be something like
select _openidm_id, userName, email from managed_user,.
{
"conversion-time-ms": 0,
"result": [
{
"email": "bjensen@example.com",
"userName": "bjensen",
"_rev": "0",
"_id": "36bbb745-517f-4695-93d0-998e1e7065cf"
},
{
"email": "scarter@example.com",
"userName": "scarter",
"_rev": "0",
"_id": "cc3bf6f0-949e-4699-9b8e-8c78ce04a287"
}
],
"query-time-ms": 1
}
An exception is thrown if the given query could not be processed.
This function performs an action on the specified OpenIDM resource object.
string
The identifier of the object on which the action should be performed.
object
An object containing the parameters to pass to the action.
object
A value that can be provided to the action for processing.
The result of the action. May be null if
no result is provided.
An exception is thrown if the given action could not be executed for any reason.
This function encrypts a value.
any
The value to be encrypted.
string
The cipher with which to encrypt the value, using the form
"algorithm/mode/padding" or just "algorithm". Example:
AES/ECB/PKCS5Padding.
string
The key alias in the key store with which to encrypt the node.
The value, encrypted with the specified cipher and key.
An exception is thrown if the object could not be encrypted for any reason.
This function decrypts a value.
any
The value to be decrypted.
A deep copy of the value, with any encrypted value decrypted.
An exception is thrown if the object could not be decrypted for any reason.
Logs a message at DEBUG level.
string
The message format to log. Params replace {}
in your message.
object
Arguments to include in the message.
A null value if successful.
An exception is thrown if the message could not be logged.
Logs a message at ERROR level.
string
The message format to log. Params replace {}
in your message.
object
Arguments to include in the message.
A null value if successful.
An exception is thrown if the message could not be logged.
Logs a message at INFO level.
string
The message format to log. Params replace
{}
in your message.
object
Arguments to include in the message.
A
null
value if successful.
An exception is thrown if the message could not be logged.
Logs a message at TRACE level.
string
The message format to log. Params replace
{}
in your message.
object
Arguments to include in the message.
A
null
value if successful.
An exception is thrown if the message could not be logged.
Logs a message at WARN level.
string
The message format to log. Params replace
{}
in your message.
object
Arguments to include in the message.
A null value if successful.
An exception is thrown if the message could not be logged.
Scripts can be triggered at different places, by different events.
openidm/conf/sync.json
onCreate, onUpdate, onDelete, onLink, onUnlink
vaildSource, validTarget
correlationQuery
result
condition, transform
sync.json supports only one script
per hook. If multiple scripts are defined for the same hook, only the last
one is kept.
openidm/conf/managed.json
onCreate, onRead, onUpdate, onDelete, onValidate, onRetrieve and onStore
managed.json supports only one script
per hook. If multiple scripts are defined for the same hook, only the last
one is kept.
openidm/conf/router.json
onRequest, onResponse, onFailure
router.json supports multiple scripts per hook.
The variables that are available to scripts depend on the triggers that launch the script. The following section outlines the available variables, per trigger.
object
source
request
object, source, target
object
source, target
object
object, property
object, property
source, target
oldObject, newObject
object, property
source, target
recon.actionParam - the details of
the synchronization operation in progress. This variable can
be used for asynchronous callbacks to execute the action at
a later stage.
sourceAction - a boolean that
indicates whether the situation was assessed during the source phase
source (if found)
target (if found)
The properties from the configured script object.
input, objectID
source
source
target
OpenIDM includes Eclipse JSDT libraries so you can use Eclipse to debug your OpenIDM scripts during development.
Follow these steps to enable debugging using Eclipse.
Install the environment to support JavaScript development in either of the following ways.
Download and install Eclipse IDE for JavaScript Web Developers from the Eclipse download page.
Add JavaScript Development Tools to your existing Eclipse installation.
Create an empty JavaScript project called External JavaScript Source
in Eclipse.
Eclipse then uses the External JavaScript Source
directory in the default workspace location to store sources that it
downloads from OpenIDM.
Stop OpenIDM.
Edit
openidm/conf/boot/boot.properties
to
enable debugging.
Uncomment and edit the following line.
#openidm.script.javascript.debug=transport=socket,suspend=y,address=9888,trace=true
Here suspend=y prevents OpenIDM from starting
until the remote JavaScript debugger has connected. You might therefore
choose to set this to suspend=n.
Uncomment and edit the following line.
#openidm.script.javascript.sources=/Eclipse/workspace/External JavaScript Source/
Adjust /Eclipse/workspace/External JavaScript Source/
to match the absolute path to this folder including the
trailing / character. On Windows, also use forward
slashes, such asC:/Eclipse/workspace/External JavaScript Source/.
Each time OpenIDM loads a new script, it then creates or overwrites
the file in the External JavaScript Source
directory. Before toggling breakpoints, be sure to refresh the source manually in
Eclipse so you have the latest version.
Prepare the Eclipse debugger to allow you to set breakpoints.
In the Eclipse Debug perspective, select the Breakpoints tab, and then click the Add Script Load Breakpoint icon to open the list of scripts.
In the Add Script Load Breakpoint window, select your scripts, and then click OK.
Start OpenIDM, and connect the debugger.
To create a new debug, configuration click Run > Debug Configurations... > Remote JavaScript > New button, and then set the port to 9888 as shown above.