@itentialopensource/adapter-utils 5.5.1 → 5.6.0

package/CHANGELOG.md

@@ -1,4 +1,14 @@
 
+## 5.6.0 [07-31-2024]
+
+* Add abilities to refresh token and set msa query
+
+Closes ADAPT-3629
+
+See merge request itentialopensource/adapter-utils!294
+
+---
+
 ## 5.5.1 [07-30-2024]
 
 * Fix gzip conditional in propertyUtils

package/lib/connectorRest.js

@@ -108,6 +108,9 @@ const healthchecklock = 0;
 let encodeUri = true;
 let authQueryEncode = null;
 let addCreds = true;
+let refTokenReq = null;
+let refTokenTimeout = -1;
+let runRefreshToken = false;
 
 // Other global variables
 let id = null;
@@ -1269,6 +1272,7 @@ async function getToken(reqPath, options, tokenSchema, bodyString, callPropertie
         const currResult = {
           token: null,
           tokenp2: null,
+          refreshToken: null,
           front: tokenSchema.responseSchema.properties.token.front,
           end: tokenSchema.responseSchema.properties.token.end
         };
@@ -1558,6 +1562,10 @@ async function getToken(reqPath, options, tokenSchema, bodyString, callPropertie
           && tokenSchema.responseSchema.properties.expires.placement && tokenSchema.responseSchema.properties.expires.placement.toUpperCase() === 'BODY') {
           currResult.expires = translated.expires;
         }
+        if (tokenSchema.responseSchema && tokenSchema.responseSchema.properties && tokenSchema.responseSchema.properties.refreshToken
+          && tokenSchema.responseSchema.properties.refreshToken.placement && tokenSchema.responseSchema.properties.refreshToken.placement.toUpperCase() === 'BODY') {
+          currResult.refreshToken = translated.refreshToken;
+        }
         // return the token that we find in the translated object
         return resolve(currResult);
       });
@@ -1587,6 +1595,9 @@ async function buildTokenRequest(reqPath, reqBody, callProperties, callback) {
       if (callProperties && callProperties.mfa) {
         entity = callProperties.mfa.stepAtionName;
       }
+      if (runRefreshToken) {
+        entity = 'getRefreshToken';
+      }
       // Get the entity schema from the file system
       return propUtilInst.getEntitySchema('.system', entity, choosepath, this.dbUtil, async (tokenSchema, healthError) => {
         if (healthError || !tokenSchema || Object.keys(tokenSchema).length === 0) {
@@ -2062,19 +2073,37 @@ async function buildTokenRequest(reqPath, reqBody, callProperties, callback) {
             options.path = options.path.replace('{password}', usePass);
           }
 
-          // if this is not a get, need to add the info to the request
           let creds = {};
-          if (authMethod === 'multi_step_authentication') {
-            const { stepBody, stepHeaders } = callProperties.mfa;
+          if (authMethod === 'multi_step_authentication' && !runRefreshToken) {
+            const { stepBody, stepHeaders, stepQuery } = callProperties.mfa;
             Object.assign(creds, stepBody);
             Object.assign(options.headers, stepHeaders);
+            // If there are query variables, add them to the path
+            if (Object.keys(stepQuery).length > 0) {
+              let mfaQueryString = '';
+              if (encodeUri === true) {
+                mfaQueryString += querystring.stringify(stepQuery);
+              } else {
+                const mfaQqueryKeys = Object.keys(stepQuery);
+                for (let k = 0; k < mfaQqueryKeys.length; k += 1) {
+                  if (k > 0) {
+                    mfaQueryString += '&';
+                  }
+                  mfaQueryString += `${mfaQqueryKeys[k]}=${stepQuery[mfaQqueryKeys[k]]}`;
+                }
+              }
+              // append to the path
+              if (options.path.indexOf('?') < 0) {
+                options.path = `${options.path}?${mfaQueryString}`;
+              } else {
+                options.path = `${options.path}&${mfaQueryString}`;
+              }
+            }
           }
+
+          // if this is not a get, need to add the info to the request
           if (options.method !== 'GET') {
-            if (authMethod === 'multi_step_authentication') {
-              const { stepBody, stepHeaders } = callProperties.mfa;
-              Object.assign(creds, stepBody);
-              Object.assign(options.headers, stepHeaders);
-            } else {
+            if (authMethod !== 'multi_step_authentication') {
               creds = {
                 username: useUser,
                 password: usePass
@@ -2139,6 +2168,34 @@ async function buildTokenRequest(reqPath, reqBody, callProperties, callback) {
               }
             }
 
+            // Update request info if run refresh token
+            if (runRefreshToken && callProperties.refRequest && Object.keys(callProperties.refRequest).length > 0) {
+              const { headers, query, body } = callProperties.refRequest;
+              Object.assign(options.headers, headers);
+              Object.assign(creds, body);
+              // If there are query variables, add them to the path
+              if (Object.keys(query).length > 0) {
+                let refTokenQueryString = '';
+                if (encodeUri === true) {
+                  refTokenQueryString += querystring.stringify(query);
+                } else {
+                  const refTokenQueryKeys = Object.keys(query);
+                  for (let k = 0; k < refTokenQueryKeys.length; k += 1) {
+                    if (k > 0) {
+                      refTokenQueryString += '&';
+                    }
+                    refTokenQueryString += `${refTokenQueryKeys[k]}=${query[refTokenQueryKeys[k]]}`;
+                  }
+                }
+                // append to the path
+                if (options.path.indexOf('?') < 0) {
+                  options.path = `${options.path}?${refTokenQueryString}`;
+                } else {
+                  options.path = `${options.path}&${refTokenQueryString}`;
+                }
+              }
+            }
+
             // map the data we received to an Entity - will get back the defaults
             const tokenEntity = transUtilInst.mapToOutboundEntity(creds, tokenSchema.requestSchema);
             bodyString = tokenEntity;
@@ -2267,7 +2324,12 @@ function addTokenItem(user, reqBody, token, timeout, callback) {
 
     // add the token item to the tokenlist and return it
     if (tokenCache === 'local') {
-      tokenList.push(tokenItem);
+      const index = tokenList.findIndex((obj) => obj.tkey === tokenItem.tkey);
+      if (index === -1) {
+        tokenList.push(tokenItem);
+      } else {
+        tokenList[index] = tokenItem;
+      }
       return callback(token);
     }
 
@@ -2344,13 +2406,21 @@ function validToken(user, reqBody, invalidToken, callback) {
       if (tokenList[i].tkey === tkey) {
         // if the token expired (or will expire within a minute),
         // or it is invalid (failed) remove it from the token list
-        if (tokenList[i].expire < expireCheck
-          || tokenList[i].token.token === invalidToken) {
+        if ((tokenList[i].expire < expireCheck
+          || tokenList[i].token.token === invalidToken) && !tokenList[i].token.refreshToken) {
           tokenList.splice(i, 1);
           break;
+        } else if ((tokenList[i].expire < expireCheck
+          || tokenList[i].token.token === invalidToken) && tokenList[i].token.refreshToken) {
+          // Just keep refreshToken for future token refresh
+          delete tokenList[i].expire;
+          delete tokenList[i].token.token;
+          delete tokenList[i].token.tokenp2;
+          break;
+        }
+        if (tokenList[i].token.token || tokenList[i].token.tokenp2) {
+          retToken = tokenList[i].token;
         }
-
-        retToken = tokenList[i].token;
         break;
       }
     }
@@ -2362,6 +2432,71 @@ function validToken(user, reqBody, invalidToken, callback) {
   }
 }
 
+/*
+ * INTERNAL FUNCTION: retrieve the refresh token from cache and determine if
+ * it valid. if valid, return it otherwise return null
+ */
+function validRefreshToken(user, reqBody, invalidToken, callback) {
+  const origin = `${id}-connectorRest-validRefreshToken`;
+  log.trace(origin);
+
+  try {
+    // get the token from redis
+    let tkey = `${id}__%%__${user}`;
+
+    if (reqBody) {
+      tkey += `__%%__${JSON.stringify(reqBody)}`;
+    }
+
+    if (refTokenReq && refTokenReq.refresh_token && refTokenReq.refresh_token.token_timeout) {
+      refTokenTimeout = refTokenReq.refresh_token.token_timeout;
+    }
+
+    // Return null if refresh token timeout is -1
+    if (refTokenTimeout === -1) {
+      return callback(null);
+    }
+
+    const currentTime = new Date().getTime();
+
+    // To check if refresh token will expire within a minute
+    const refTokenTimeoutMillis = refTokenTimeout - 60000;
+
+    let refToken = null;
+
+    // find user's refresh token in the list
+    for (let i = 0; i < tokenList.length; i += 1) {
+      if (tokenList[i].tkey === tkey) {
+        if (currentTime - tokenList[i].start < refTokenTimeoutMillis && tokenList[i].token.refreshToken) {
+          refToken = tokenList[i].token.refreshToken;
+          break;
+        }
+        break;
+      }
+    }
+    return callback(refToken);
+  } catch (e) {
+    // handle any exception
+    const errorObj = transUtilInst.checkAndReturn(e, origin, 'Issue validating cached refresh token');
+    return callback(null, errorObj);
+  }
+}
+
+function getCachedRefToken(cachedTokenIdentifier, invalidToken) {
+  const origin = `${id}-connectorRest-getCachedRefToken`;
+  log.trace(origin);
+
+  return new Promise((resolve, reject) => {
+    validRefreshToken(id, cachedTokenIdentifier, invalidToken, (refToken, error) => {
+      if (error) {
+        reject(error);
+      } else {
+        resolve(refToken);
+      }
+    });
+  });
+}
+
 /*
  * INTERNAL FUNCTION: getTokenItem is used to retrieve a token items from
  *    memory based on the user provided
@@ -2382,6 +2517,27 @@ function getTokenItem(pathForToken, user, reqBody, invalidToken, callProperties,
         if (retToken !== null) {
           done(retToken, null);
         } else {
+          // If primary token not found or invalid, check if there is refresh token
+          validRefreshToken(user, reqBody, invalidToken, (refToken, rerror) => {
+            if (rerror) {
+              done(null, rerror);
+            }
+            if (refToken !== null) {
+              log.debug(`${origin}-returning cached refresh token`);
+              if (!callProperties) {
+                callProperties = {};
+              }
+              callProperties.refRequest = {};
+              buildRefTokenData(refToken, callProperties);
+              // Check if getRefreshToken entity exists
+              propUtilInst.getEntitySchema('.system', 'getRefreshToken', choosepath, this.dbUtil, async (tokenSchema, error) => {
+                // Refresh the token if getRefreshToken entity exists
+                if (tokenSchema) {
+                  runRefreshToken = true;
+                }
+              });
+            } else runRefreshToken = false;
+          });
           // No valid token found, Need to get a new token and add it to the token list
           buildTokenRequest(pathForToken, reqBody, callProperties, (dyntoken, berror) => {
             if (berror) {
@@ -2405,7 +2561,8 @@ function getTokenItem(pathForToken, user, reqBody, invalidToken, callProperties,
 
             const tokenObj = {
               token: findPrimaryTokenInResult(dyntoken, dyntoken.front, dyntoken.end),
-              tokenp2: findSecondaryTokenInResult(dyntoken, dyntoken.front, dyntoken.end)
+              tokenp2: findSecondaryTokenInResult(dyntoken, dyntoken.front, dyntoken.end),
+              refreshToken: dyntoken.refreshToken
             };
 
             // if this is worth caching
@@ -2679,6 +2836,24 @@ function buildMfaSso(prop, mfaStepConfiguration, callProperties) {
   }
 }
 
+function buildMfaQuery(prop, mfaStepConfiguration, callProperties) {
+  const origin = `${id}-connectorRest-buildMfaQuery`;
+  log.trace(origin);
+  const fullPropertyValue = mfaStepConfiguration.requestFields[prop];
+  // Check if fullPropertyValue has reference in curly braces (e.g., {getSession.responseFields.session})
+  let propertyValue = fullPropertyValue;
+  const matching = searchTextInCurlyBraces(fullPropertyValue);
+  const queryParam = prop.split('.')[1];
+  if (matching) {
+    const matchedText = matching[0];
+    propertyValue = matching[1];
+    const resolvedValue = getReferencedMfaValue(propertyValue);
+    callProperties.mfa.stepQuery[queryParam] = fullPropertyValue.replace(matchedText, resolvedValue);
+  } else {
+    callProperties.mfa.stepQuery[queryParam] = mfaStepConfiguration.requestFields[prop];
+  }
+}
+
 /*  */
 function getReferencedMfaValue(propertyValue) {
   const origin = `${id}-connectorRest-getReferencedMfaValue`;
@@ -2702,6 +2877,7 @@ function buildMfaStepData(step, callProperties) {
   const mfaStepConfiguration = multiStepAuthCalls[step];
   callProperties.mfa.stepBody = {};
   callProperties.mfa.stepHeaders = {};
+  callProperties.mfa.stepQuery = {};
   if (mfaStepConfiguration.sso) {
     callProperties.mfa.host = '';
     callProperties.mfa.port = '';
@@ -2715,6 +2891,8 @@ function buildMfaStepData(step, callProperties) {
     Object.keys(mfaStepConfiguration.requestFields).forEach((prop) => {
       if (prop.startsWith('header')) {
         buildMfaHeader(prop, mfaStepConfiguration, callProperties);
+      } else if (prop.startsWith('query')) {
+        buildMfaQuery(prop, mfaStepConfiguration, callProperties);
       } else {
         buildMfaBody(prop, mfaStepConfiguration, callProperties);
       }
@@ -2722,6 +2900,35 @@ function buildMfaStepData(step, callProperties) {
   }
 }
 
+function buildRefTokenData(cachedRefToken, callProperties) {
+  const origin = `${id}-connectorRest-buildRefTokenData`;
+  log.trace(origin);
+  if (refTokenReq && refTokenReq.requestFields && Object.keys(refTokenReq.requestFields).length > 0) {
+    callProperties.refRequest.headers = {};
+    callProperties.refRequest.query = {};
+    callProperties.refRequest.body = {};
+    Object.keys(refTokenReq.requestFields).forEach((prop) => {
+      if (prop.startsWith('header')) {
+        const headerName = prop.split('.')[1];
+        callProperties.refRequest.headers[headerName] = refTokenReq.requestFields[prop];
+      } else if (prop.startsWith('query')) {
+        const queryName = prop.split('.')[1];
+        callProperties.refRequest.query[queryName] = refTokenReq.requestFields[prop];
+      } else {
+        callProperties.refRequest.body[prop] = refTokenReq.requestFields[prop];
+      }
+    });
+  }
+
+  if (refTokenReq && refTokenReq.refresh_token && Object.keys(refTokenReq.refresh_token).length > 0) {
+    if (refTokenReq.refresh_token.placement && refTokenReq.refresh_token.placement.toLowerCase() === 'query') {
+      callProperties.refRequest.query.refreshToken = cachedRefToken;
+    } else {
+      callProperties.refRequest.body.refreshToken = cachedRefToken;
+    }
+  }
+}
+
 /*  */
 async function translateMfaStepResult(step, stepResult, callProperties) {
   const origin = `${id}-connectorRest-translateMfaStepResult`;
@@ -2738,7 +2945,7 @@ async function translateMfaStepResult(step, stepResult, callProperties) {
       allProperties.forEach((prop) => {
         if (Object.prototype.hasOwnProperty.call(stepResult, prop)) {
           const externalName = tokenSchema.responseSchema.properties[prop].external_name;
-          if (!stepResult[prop]) {
+          if (!stepResult[prop] && prop !== 'refreshToken') {
             log.error(`No step-${step + 1} result for responseSchema (prop=>external_name): (${prop}=>${externalName}) found in step response`);
             return reject(new Error(`Response schema for step-${step + 1} misconfiguration`));
           }
@@ -2820,8 +3027,43 @@ async function getMfaFinalTokens(request, callProperties, invalidToken) {
       log.debug(`${origin}-returning cached MFA token`);
       finalTokens = cachedToken;
       return;
-    } mfaStepsResults.length = 0;
-    // no cached token found, trigger auth steps to obtain new token
+    }
+    // Get cached refresh token if primary token is not valid
+    const cachedRefToken = await getCachedRefToken(cachedTokenIdentifier, invalidToken)
+      .catch((error) => {
+        log.error(error);
+        throw error;
+      });
+    if (cachedRefToken) {
+      log.debug(`${origin}-returning cached MFA refresh token`);
+      if (!callProperties) {
+        callProperties = {};
+      }
+      callProperties.refRequest = {};
+      buildRefTokenData(cachedRefToken, callProperties);
+      propUtilInst.getEntitySchema('.system', 'getRefreshToken', choosepath, this.dbUtil, async (tokenSchema, error) => {
+        if (error || !tokenSchema || Object.keys(tokenSchema).length === 0) {
+          tokenSchema = null;
+        }
+        // If cached refresh token is valid and there is action for getRefreshToken, run refresh token
+        if (tokenSchema) {
+          runRefreshToken = true;
+        }
+      });
+      if (runRefreshToken) {
+        finalTokens = await buildTokenRequest(request.header.path, request.authData, callProperties).catch((error) => { // eslint-disable-line no-await-in-loop
+          log.error(error);
+          throw error;
+        });
+        if (finalTokens) {
+          await cacheMfaToken(cachedTokenIdentifier, finalTokens).catch((error) => log.error(error));
+        }
+        return;
+      }
+    }
+    runRefreshToken = false;
+    mfaStepsResults.length = 0;
+    // no cached primary token or refresh token found, trigger auth steps to obtain new token
     for (let step = 0; step < multiStepAuthCalls.length; step += 1) {
       const stepAtionName = `MFA_Step_${step + 1}`;
       log.debug(`${origin}-Executing MFA step-${step + 1}, action: ${stepAtionName}`);
@@ -4028,6 +4270,11 @@ class ConnectorRest {
       if (typeof props.authentication.addCreds === 'boolean') {
         addCreds = props.authentication.addCreds;
       }
+
+      // set the refresh token request (optional - default is null)
+      if (props.authentication.refresh_token_request && typeof props.authentication.refresh_token_request === 'object') {
+        refTokenReq = props.authentication.refresh_token_request;
+      }
     }
 
     // set the stub mode (optional - default is false)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@itentialopensource/adapter-utils",
-  "version": "5.5.1",
+  "version": "5.6.0",
   "description": "Itential Adapter Utility Libraries",
   "scripts": {
     "postinstall": "node utils/setup.js",
@@ -27,7 +27,7 @@
   "dependencies": {
     "ajv": "^8.12.0",
     "async-lock": "^1.4.0",
-    "aws-sdk": "^2.1363.0",
+    "aws-sdk": "^2.1665.0",
     "aws4": "^1.9.1",
     "cookie": "^0.5.0",
     "crypto-js": "^4.1.1",