k2hr3-api 1.0.4 → 1.0.8

package/ChangeLog

@@ -1,3 +1,28 @@
+k2hr3-api (1.0.8) unstable; urgency=low
+
+  * Added some host information for adding to Role member - #56
+
+ -- Takeshi Nakatani <ggtakec@gmail.com>  Mon, 13 Jun 2022 09:52:47 +0900
+
+k2hr3-api (1.0.7) unstable; urgency=low
+
+  * Bumpup version number for npm package
+
+ -- Takeshi Nakatani <ggtakec@gmail.com>  Fri, 29 Oct 2021 14:32:17 +0900
+
+k2hr3-api (1.0.6) unstable; urgency=low
+
+  * Uses OpenID Connect Discovery to set jwks_uri - #53
+  * Changed the workaround for the publish-please audit error - #52
+
+ -- Takeshi Nakatani <ggtakec@gmail.com>  Fri, 29 Oct 2021 13:33:54 +0900
+
+k2hr3-api (1.0.5) unstable; urgency=low
+
+  * Updated dependencies - #49
+
+ -- Takeshi Nakatani <ggtakec@gmail.com>  Mon, 27 Sep 2021 15:42:39 +0900
+
 k2hr3-api (1.0.4) unstable; urgency=low
 
   * Enhanced the automatic registration for containers on Kubernetes - #47

package/lib/basicipcheck.js

@@ -34,13 +34,15 @@ var r3logger	= require('./dbglogging');
 //---------------------------------------------------------
 // ipdata:		IP address information
 //				{
-//					ip:		ip,			-> ip address string
-//					cuk:	cuk,		-> cuk string					(not use)
-//					port:	port,		-> port number or *				(not use)
-//					extra:	string		-> 'openstack-auto-v1' or etc	(not use)
-//					tag:	string		-> null or string				(not use)
-//					key:	string		-> this ip address yrn full path(not use)
-//					alive: 	boolean		-> true or false
+//					ip:			ip,		-> ip address string
+//					cuk:		cuk,	-> cuk string					(not use)
+//					port:		port,	-> port number or *				(not use)
+//					extra:		string	-> 'openstack-auto-v1' or etc	(not use)
+//					tag:		string	-> null or string				(not use)
+//					inboundip:	ip,		-> inbound ip address			(not use)
+//					outboundip:	ip,		-> outbound ip address			(not use)
+//					key:		string	-> this ip address yrn full path(not use)
+//					alive: 		boolean	-> true or false
 //				}
 //
 function checkAddressAliveByPing(ipdata, chkipconfig, callback)
@@ -103,13 +105,15 @@ function checkAddressAliveByPing(ipdata, chkipconfig, callback)
 //---------------------------------------------------------
 // ipdata:		IP address information
 //				{
-//					ip:		ip,			-> ip address string
-//					cuk:	cuk,		-> cuk string					(not use)
-//					port:	port,		-> port number or *				(not use)
-//					extra:	string		-> 'openstack-auto-v1' or etc	(not use)
-//					tag:	string		-> null or string				(not use)
-//					key:	string		-> this ip address yrn full path(not use)
-//					alive: 	boolean		-> true or false
+//					ip:			ip,		-> ip address string
+//					cuk:		cuk,	-> cuk string					(not use)
+//					port:		port,	-> port number or *				(not use)
+//					extra:		string	-> 'openstack-auto-v1' or etc	(not use)
+//					tag:		string	-> null or string				(not use)
+//					inboundip:	ip,		-> inbound ip address			(not use)
+//					outboundip:	ip,		-> outbound ip address			(not use)
+//					key:		string	-> this ip address yrn full path(not use)
+//					alive: 		boolean	-> true or false
 //				}
 //
 function checkAddressAlive(ipdata, chkipconfig, callback)
@@ -199,6 +203,8 @@ function checkAddressAlive(ipdata, chkipconfig, callback)
 //					cuk:			<string>,			-> cuk string								(not use)
 //					port:			<number or *>,		-> port number or *							(not use)
 //					extra:			<string>,			-> 'openstack-auto-v1' or etc				(not use)
+//					inboundip:		<string>,			-> inbound ip address						(not use)
+//					outboundip:		<string>,			-> outbound ip address						(not use)
 //					tag:			<string>,			-> null or string							(not use)
 //					key:			<string>,			-> this ip address yrn full path			(not use)
 //					alive: 			<boolean>			-> true or false
@@ -286,6 +292,8 @@ function checkAddressesAliveParallel(ipdatas, start, chkipconfig, callback)
 //					port:			<number or *>,		-> port number or *							(not use)
 //					extra:			<string>,			-> 'openstack-auto-v1' or etc				(not use)
 //					tag:			<string>,			-> null or string							(not use)
+//					inboundip:		<string>,			-> inbound ip address						(not use)
+//					outboundip:		<string>,			-> outbound ip address						(not use)
 //					key:			<string>,			-> this ip address yrn full path			(not use)
 //					alive: 			<boolean>			-> true or false
 //				}, ...]

package/lib/k2hr3dkc.js

@@ -99,6 +99,8 @@ var	is_allow_dummy_tenant = !(apiConf.isConfirmTenantForService());
 //									cuk:		container unique key(or null/undefined)
 //									extra:		string(or null/undefined)
 //									tag:		string(or null/undefined)
+//									inboundip:	ip address string(or null/undefined)
+//									outboundip:	ip address string(or null/undefined)
 //								  }
 //					(3) array	= [ object, object, ...]
 //
@@ -111,6 +113,8 @@ var	is_allow_dummy_tenant = !(apiConf.isConfirmTenantForService());
 //							cuk:		"any string"		(if not specify, the value is null or undefined)
 //							extra:		"explain, etc"		(if not specify, the value is null or undefined)
 //							tag:		"tag string"		(if not specify, the value is null or undefined)
+//							inboundip:	"192.168.1.1"		(if not specify, the value is null or undefined)
+//							outboundip:	"192.168.1.1"		(if not specify, the value is null or undefined)
 //						},
 //						....
 //					]
@@ -143,6 +147,8 @@ function getSafeHosts(input_info)
 				result	= result.concat(tmp);
 			}
 		}else{
+			var	host_info;
+
 			// A case of object
 			if(apiutil.isSafeString(input_info.ip) && apiutil.isIpAddressString(input_info.ip)){
 				ipaddr	= input_info.ip;
@@ -162,13 +168,24 @@ function getSafeHosts(input_info)
 			if(apiutil.isSafeString(input_info.tag)){
 				tag		= input_info.tag;
 			}
+
 			// add to array(if hostname and ip address is existed, push two array)
 			if(apiutil.isSafeString(ipaddr)){
-				result.push({ip: ipaddr, hostname: null, port: portnum, cuk: cuk, extra: extra, tag: tag});
+				host_info = {ip: ipaddr, hostname: null, port: portnum, cuk: cuk, extra: extra, tag: tag};
 			}
 			if(apiutil.isSafeString(hostname)){
-				result.push({ip: null, hostname: hostname, port: portnum, cuk: cuk, extra: extra, tag: tag});
+				host_info = {ip: null, hostname: hostname, port: portnum, cuk: cuk, extra: extra, tag: tag};
+			}
+
+			// optional keys
+			if(apiutil.isSafeString(input_info.inboundip) && apiutil.isIpAddressString(input_info.inboundip)){
+				host_info.inboundip = input_info.inboundip;
+			}
+			if(apiutil.isSafeString(input_info.outboundip) && apiutil.isIpAddressString(input_info.outboundip)){
+				host_info.outboundip = input_info.outboundip;
 			}
+
+			result.push(host_info);
 		}
 	}else{
 		// A case of one host name(or ip address)
@@ -2900,6 +2917,8 @@ function rawRemoveComprehensionByNewTenants(user, tenant_list)
 //								cuk:		"any string"		(if not specify, the value is null or undefined)
 //								extra:		"explain, etc"		(if not specify, the value is null or undefined)
 //								tag:		"tag string"		(if not specify, the value is null or undefined)
+//								inboundip:	"192.168.1.1"		(if not specify, the value is null or undefined)
+//								outboundip:	"192.168.1.1"		(if not specify, the value is null or undefined)
 //							}
 //
 // [NOTE]				:	if parent role key does not have this role key, set role key
@@ -3667,11 +3686,11 @@ function rawRemoveRoleSubkeyParentKey(dkcobj_permanent, current_key, role_top_ke
 //				aliases:	array								<--- only not expand
 //				hosts: {										<--- only not expand
 //					'hostnames': [								hostname array or empty array
-//						<hostname> <port> <cuk> <extra> <tag>,	(if any port, port is *)
+//						<hostname> <port> <cuk> <extra> <tag> <inboundip> <outboundip>,		(if any port, port is *)
 //						...
 //					],
 //					'ips': [									ip address array or empty array
-//						<ip address> <port> <cuk> <extra> <tag>,(if any port, port is *)
+//						<ip address> <port> <cuk> <extra> <tag> <inboundip> <outboundip>,	(if any port, port is *)
 //						...
 //					]
 //				}
@@ -3732,11 +3751,11 @@ function rawGetRole(role, is_expand)
 //					aliases:	array								<--- only not expand
 //					hosts: {										<--- only not expand
 //						'hostnames': [								hostname array or empty array
-//							<hostname> <port> <cuk> <extra> <tag>,	(if any port, port is *)
+//							<hostname> <port> <cuk> <extra> <tag> <inboundip> <outboundip>,		(if any port, port is *)
 //							...
 //						],
 //						'ips': [									ip address array or empty array
-//							<ip address> <port> <cuk> <extra> <tag>,(if any port, port is *)
+//							<ip address> <port> <cuk> <extra> <tag> <inboundip> <outboundip>,	(if any port, port is *)
 //							...
 //						]
 //					}
@@ -3870,6 +3889,8 @@ function rawGetRoles(dkcobj_permanent, role, roledata, is_expand, checked_roles,
 // cuk				:	container unique key(undefined, null means any)
 // extra			:	extra data
 // tag				:	tag data
+// inboundip		:	inbound ip address(optional)
+// outboundip		:	outbound ip address(optional)
 //
 // [NOTE]
 // Please specify either hostname or ip.
@@ -3879,7 +3900,7 @@ function rawGetRoles(dkcobj_permanent, role, roledata, is_expand, checked_roles,
 // the host is added to tenant role under service.
 // The service name can be allowed undefined and null.
 //
-function rawAddHost(tenant, role, service, hostname, ip, port, cuk, extra, tag)
+function rawAddHost(tenant, role, service, hostname, ip, port, cuk, extra, tag, inboundip, outboundip)
 {
 	var	resobj = {result: true, message: null};
 
@@ -3917,6 +3938,26 @@ function rawAddHost(tenant, role, service, hostname, ip, port, cuk, extra, tag)
 	}else{
 		service			= null;
 	}
+	if(apiutil.isSafeString(inboundip)){
+		if(!apiutil.isIpAddressString(inboundip)){
+			resobj.result	= false;
+			resobj.message	= 'inbound ip address is not ignore ip address string: ' + inboundip;
+			r3logger.elog(resobj.message);
+			return resobj;
+		}
+	}else{
+		inboundip		= null;
+	}
+	if(apiutil.isSafeString(outboundip)){
+		if(!apiutil.isIpAddressString(outboundip)){
+			resobj.result	= false;
+			resobj.message	= 'outbound ip address is not ignore ip address string: ' + outboundip;
+			r3logger.elog(resobj.message);
+			return resobj;
+		}
+	}else{
+		outboundip		= null;
+	}
 
 	// check role name is only name or full yrn path
 	var	keys		= r3keys(null, tenant, service);
@@ -4011,6 +4052,14 @@ function rawAddHost(tenant, role, service, hostname, ip, port, cuk, extra, tag)
 						tag:		apiutil.getSafeString(tag)
 					  };
 			/* eslint-enable indent, no-mixed-spaces-and-tabs */
+
+			// add optional keys
+			if(apiutil.isSafeString(inboundip)){
+				onehost.inboundip = inboundip;
+			}
+			if(apiutil.isSafeString(outboundip)){
+				onehost.outboundip = outboundip;
+			}
 			hostarr.push(onehost);
 		}
 	}
@@ -4026,6 +4075,14 @@ function rawAddHost(tenant, role, service, hostname, ip, port, cuk, extra, tag)
 						tag:		apiutil.getSafeString(tag)
 					  };
 			/* eslint-enable indent, no-mixed-spaces-and-tabs */
+
+			// add optional keys
+			if(apiutil.isSafeString(inboundip)){
+				onehost.inboundip = inboundip;
+			}
+			if(apiutil.isSafeString(outboundip)){
+				onehost.outboundip = outboundip;
+			}
 			hostarr.push(onehost);
 		}
 	}
@@ -4064,6 +4121,8 @@ function rawAddHost(tenant, role, service, hostname, ip, port, cuk, extra, tag)
 //							cuk:		"any string"		(if not specify, the value is null or undefined)
 //							extra:		"explain, etc"		(if not specify, the value is null or undefined)
 //							tag:		"tag string"		(if not specify, the value is null or undefined)
+//							inboundip:	"192.168.1.1"		(if not specify, the value is null or undefined)
+//							outboundip:	"192.168.1.1"		(if not specify, the value is null or undefined)
 //						}
 //
 // [NOTE]
@@ -5300,13 +5359,15 @@ function rawRemoveIpsByCuk(cuk, host, remove_under_role)
 //		error:						-> null or Error object(if error)
 //		data: [						-> data array includes ip address etc
 //			{
-//				ip:		ip,			-> ip address string
-//				port:	port,		-> port number or *
-//				cuk:	cuk,		-> cuk string
-//				extra:	string		-> 'openstack-auto-v1' or 'k8s-auto-v1'
-//				tag:	string		-> tag string
-//				key:	string		-> this ip address yrn full path
-//				alive: 	true		-> always true
+//				ip:			ip,		-> ip address string
+//				port:		port,	-> port number or *
+//				cuk:		cuk,	-> cuk string
+//				extra:		string,	-> 'openstack-auto-v1' or 'k8s-auto-v1'
+//				tag:		string,	-> tag string
+//				inboundip:	ip,		-> inbound ip address
+//				outboundip:	ip,		-> outbound ip address
+//				key:		string,	-> this ip address yrn full path
+//				alive: 		true	-> always true
 //			},
 //			.
 //			.
@@ -5412,6 +5473,14 @@ function rawGetAllIpDatasByCuk(extra)
 			host_info.key	= cuk_subkeys[cnt2];
 			host_info.alive	= true;
 
+			// Add optional keys
+			if(!apiutil.isSafeString(ipvalue.inboundip) && apiutil.isIpAddressString(ipvalue.inboundip)){
+				host_info.inboundip = apiutil.getSafeString(ipvalue.inboundip);
+			}
+			if(!apiutil.isSafeString(ipvalue.outboundip) && apiutil.isIpAddressString(ipvalue.outboundip)){
+				host_info.outboundip = apiutil.getSafeString(ipvalue.outboundip);
+			}
+
 			if(!is_openstack){
 				host_info[keys.K8S_NAMESPACE_INCUK_KEY]		= apiutil.getSafeString(ipvalue[keys.K8S_NAMESPACE_INCUK_KEY]);
 				host_info[keys.K8S_SA_INCUK_KEY]			= apiutil.getSafeString(ipvalue[keys.K8S_SA_INCUK_KEY]);
@@ -5608,13 +5677,16 @@ function rawRemoveIpAddressWithCuk(ipdatas, pendingsec, logger)
 //	[
 //		{
 //			'host_normal':	'<hostname(ip)>{:<port>}'						if any port, port value is empty
-//			'host_all':		'<hostname(ip)> <port> <cuk> <extra> <tag>'		if any port, port is *
+//			'host_all':		'<hostname(ip)> <port> <cuk> <extra> <tag> <inboundip> <outboundip>'
+//																			if any port, port is *
 //			'detail_key':	'<hostname(ip)>,<port>,<cuk>'					if any port, port is 0
 //			'detail':		{
 //								'host':					<string>			hostanme or IP address string
 //								'port':					<number>			port number(if any, set 0)
 //								'extra':				<string>			'k8s-auto-v1' or 'openstack-auto-v1' or undefined(if it does not exist)
 //								'tag':					<string>			tag string            (or undefined if it does not exist)
+//								'inboundip':			<string>			inbound ip address    (or undefined if it does not exist)
+//								'outboundip':			<string>			outbound ip address   (or undefined if it does not exist)
 //								'cuk':					<string>			cuk string            (or undefined if it does not exist)
 //								'k8s_namespace':        <string>			namespace on k8s      (or undefined unless registering from k8s)
 //								'k8s_service_account':  <string>			service account on k8s(or undefined unless registering from k8s)
@@ -5681,12 +5753,14 @@ function rawGetRoleHostListsEx(dkcobj_permanent, keylist, is_hostname)
 				r3logger.wlog('could not get key(' + JSON.stringify(keylist[cnt]) + ') value, so skip this.');
 				continue;
 			}
-			detailval			= JSON.parse(detailval);
-			var	detail_host		= (is_hostname ? (apiutil.isSafeString(detailval.hostname) ? detailval.hostname : null) : (apiutil.isSafeString(detailval.ip) ? detailval.ip : null));
-			var	detail_port		= (rawIsPortAny(detailval.port) ? 0 : parseInt(detailval.port));
-			var	detail_cuk		= (apiutil.isSafeString(detailval.cuk) ? detailval.cuk : null);
-			var	detail_extra	= (apiutil.isSafeString(detailval.extra) ? detailval.extra : null);
-			var	detail_tag		= (apiutil.isSafeString(detailval.tag) ? detailval.tag : null);
+			detailval				= JSON.parse(detailval);
+			var	detail_host			= (is_hostname ? (apiutil.isSafeString(detailval.hostname) ? detailval.hostname : null) : (apiutil.isSafeString(detailval.ip) ? detailval.ip : null));
+			var	detail_port			= (rawIsPortAny(detailval.port) ? 0 : parseInt(detailval.port));
+			var	detail_cuk			= (apiutil.isSafeString(detailval.cuk) ? detailval.cuk : null);
+			var	detail_extra		= (apiutil.isSafeString(detailval.extra) ? detailval.extra : null);
+			var	detail_tag			= (apiutil.isSafeString(detailval.tag) ? detailval.tag : null);
+			var	detail_inboundip	= (apiutil.isSafeString(detailval.inboundip) && apiutil.isIpAddressString(detailval.inboundip) ? detailval.inboundip : null);
+			var	detail_outboundip	= (apiutil.isSafeString(detailval.outboundip) && apiutil.isIpAddressString(detailval.outboundip) ? detailval.outboundip : null);
 
 			// check the consistency of both values
 			if(host !== detail_host || port !== detail_port || cuk !== detail_cuk){
@@ -5711,10 +5785,17 @@ function rawGetRoleHostListsEx(dkcobj_permanent, keylist, is_hostname)
 				if(apiutil.isSafeString(detailval[keys.K8S_CONTAINERID_INCUK_KEY])){k8s_details[keys.K8S_CONTAINERID_INCUK_KEY]	= detailval[keys.K8S_CONTAINERID_INCUK_KEY];}
 			}
 
+			// make parts of host_all
+			var	host_all_ext	= (null === detail_outboundip	? '' : detail_outboundip);
+			host_all_ext		= (null === detail_inboundip	? '' : detail_inboundip)	+ keys.VALUE_HOST_SEP + host_all_ext;
+			host_all_ext		= (null === detail_tag			? '' : detail_tag)			+ keys.VALUE_HOST_SEP + host_all_ext.trimEnd();
+			host_all_ext		= (null === extra				? '' : extra)				+ keys.VALUE_HOST_SEP + host_all_ext.trimEnd();
+			host_all_ext		= host_all_ext.trim();
+
 			// make one result object
 			var	onehost			= {};
 			onehost.host_normal	= host + (is_any_port ? '' : (keys.VALUE_HOST_REGSEP + String(port)));
-			onehost.host_all	= host + keys.VALUE_HOST_SEP + (is_any_port ? keys.VALUE_ANY_PORT : String(port)) + keys.VALUE_HOST_SEP + (null === cuk ? '' : cuk) + (null === extra ? (null === detail_tag ? '' : keys.VALUE_HOST_SEP) : (keys.VALUE_HOST_SEP + extra)) + (null === detail_tag ? '' : (keys.VALUE_HOST_SEP + detail_tag));
+			onehost.host_all	= host + keys.VALUE_HOST_SEP + (is_any_port ? keys.VALUE_ANY_PORT : String(port)) + keys.VALUE_HOST_SEP + (null === cuk ? '' : cuk) + (apiutil.isSafeString(host_all_ext) ? (keys.VALUE_HOST_SEP + host_all_ext) : '');
 			onehost.detail_key	= host + keys.VALUE_HOST_DETAILSEP + (is_any_port ? '0' : String(port)) + keys.VALUE_HOST_DETAILSEP + (null === cuk ? '' : cuk);
 			onehost.detail		= k8s_details;
 			onehost.detail.host	= host;
@@ -5723,6 +5804,13 @@ function rawGetRoleHostListsEx(dkcobj_permanent, keylist, is_hostname)
 			onehost.detail.tag	= detail_tag;
 			onehost.detail.cuk	= cuk;
 
+			if(apiutil.isSafeString(detail_inboundip)){
+				onehost.detail.inboundip = detail_inboundip;
+			}
+			if(apiutil.isSafeString(detail_outboundip)){
+				onehost.detail.outboundip = detail_outboundip;
+			}
+
 			// add result
 			resultarr.push(onehost);
 		}
@@ -5755,11 +5843,11 @@ function rawGetRoleHostListsEx(dkcobj_permanent, keylist, is_hostname)
 //		},
 //		'all': {									all information
 //			'hostnames': [								hostname array or empty array
-//				'<hostname> <port> <cuk> <extra>',		(if any port, port is *)
+//				'<hostname> <port> <cuk> <extra> <tag> <inboundip> <outboundip>',		(if any port, port is *)
 //				...
 //			],
 //			'ips': [									ip address array or empty array
-//				'<ip address> <port> <cuk> <extra>',	(if any port, port is *)
+//				'<ip address> <port> <cuk> <extra> <tag> <inboundip> <outboundip>',		(if any port, port is *)
 //				...
 //			]
 //		},
@@ -5771,6 +5859,8 @@ function rawGetRoleHostListsEx(dkcobj_permanent, keylist, is_hostname)
 //					'extra':				<string>			'k8s-auto-v1' or 'openstack-auto-v1' or undefined(if it does not exist)
 //					'tag':					<string>			tag string            (or undefined if it does not exist)
 //					'cuk':					<string>			cuk string            (or undefined if it does not exist)
+//					'inboundip':			<string>			inbound ip address    (or undefined if it does not exist)
+//					'outboundip':			<string>			outbound ip address   (or undefined if it does not exist)
 //					'k8s_namespace':        <string>			namespace on k8s      (or undefined unless registering from k8s)
 //					'k8s_service_account':  <string>			service account on k8s(or undefined unless registering from k8s)
 //					'k8s_node_name':        <string>			node name on k8s      (or undefined unless registering from k8s)
@@ -5972,6 +6062,8 @@ function rawGetRoleHostLists(dkcobj_permanent, role_key, is_expand, base_role_to
 //												port:		port
 //												cuk:		cuk
 //												extra:		extra
+//												inboundip:	inbound ip address
+//												outboundip:	outbound ip address
 //												tag:		tag
 //											},
 //											...
@@ -6091,6 +6183,8 @@ function rawFindHost(tenant, service, role, hostname, ip, port, cuk, is_strict)
 //								cuk:		container unique key
 //								extra:		extra
 //								tag:		tag
+//								inboundip:	inbound ip address
+//								outboundip:	outbound ip address
 //							},
 //							...
 //						]
@@ -6232,6 +6326,8 @@ function rawFindRoleHost(dkcobj_permanent, role_key, hostname, ip, port, cuk, is
 //							cuk:		container unique key
 //							extra:		extra
 //							tag:		tag
+//							inboundip:	inbound ip address
+//							outboundip:	outbound ip address
 //						},
 //						...
 //					]
@@ -6319,6 +6415,14 @@ function rawMatchHost(dkcobj_permanent, key_array, target, port, cuk, is_strict)
 		hostobj.tag			= apiutil.isSafeString(host_value.tag)						? host_value.tag		: null;
 		hostobj.hostname	= apiutil.isSafeString(host_value.hostname)					? host_value.hostname	: null;
 		hostobj.ip			= apiutil.isSafeString(host_value.ip)						? host_value.ip			: null;
+
+		if(apiutil.isSafeString(host_value.inboundip) && apiutil.isIpAddressString(host_value.inboundip)){
+			hostobj.inboundip = host_value.inboundip;
+		}
+		if(apiutil.isSafeString(host_value.outboundip) && apiutil.isIpAddressString(host_value.outboundip)){
+			hostobj.outboundip = host_value.outboundip;
+		}
+
 		var	host_or_ip		= apiutil.isSafeString(matches[4])							? matches[4]			: null;
 
 		// check in target
@@ -10982,11 +11086,11 @@ exports.clearRoleAlias = function(user, tenant, role)
 //				aliases:	array								<--- only not expand
 //				hosts: {										<--- only not expand
 //					'hostnames': [								hostname array or empty array
-//						<hostname> <port> <cuk> <extra> <tag>,	(if any port, port is *)
+//						<hostname> <port> <cuk> <extra> <tag> <inboundip> <outboundip>,		(if any port, port is *)
 //						...
 //					],
 //					'ips': [									ip address array or empty array
-//						<ip address> <port> <cuk> <extra> <tag>,(if any port, port is *)
+//						<ip address> <port> <cuk> <extra> <tag> <inboundip> <outboundip>,	(if any port, port is *)
 //						...
 //					]
 //				}
@@ -11002,13 +11106,13 @@ exports.getRole = function(role, is_expand)
 	return rawGetRole(role, is_expand);
 };
 
-exports.addHost = function(tenant, role, hostname, ip, port, cuk, extra, tag)
+exports.addHost = function(tenant, role, hostname, ip, port, cuk, extra, tag, inboundip, outboundip)
 {
 	// [NOTE]
 	// Now do not set hosts to role under service.
 	// But if need to set hosts to it, you can set role as full yrn role path.
 	//
-	return rawAddHost(tenant, role, null, hostname, ip, port, cuk, extra, tag);
+	return rawAddHost(tenant, role, null, hostname, ip, port, cuk, extra, tag, inboundip, outboundip);
 };
 
 exports.removeHost = function(tenant, role, target, tg_port, tg_cuk, req_ip, req_port, req_cuk)

package/lib/k8soidc.js

@@ -39,7 +39,6 @@
 //		'k8soidc': {
 //			'audience':		'<client id for open id connect>',
 //			'issuer':		'<issue url for open id connect>',
-//			'jwks_uri':		'<jwks url for open id connect>',
 //			'usernamekey':	'<user name key name in token>',
 //			'k8sapi_url':	'<kubernetes api url>',
 //			'k8s_ca_path':	'<CA cert file path for kubernetes api url>',
@@ -56,10 +55,6 @@
 //	[issuer]
 //		Set the issuer URL of Open id connect. This key and value are
 //		required.
-//	[jwks_uri]
-//		Set the JWKS URL for Open id connect. This value is usually the
-//		issuer URL plus '/keys'(ex. '<issuer>/keys'). This key and value
-//		are required.
 //	[usernamekey]
 //		Specify the key name that is the Username set in the Token of
 //		Open id connect. If there is no key representing Username in
@@ -95,16 +90,19 @@ var	r3logger	= require('../lib/dbglogging');
 // decode oidc token libraries
 var	{ decode }					= require('jose/util/base64url');
 var	{ jwtVerify }				= require('jose/jwt/verify');
-var	{ decodeProtectedHeader }	= require('jose/util/decode_protected_header');
 var	{ createRemoteJWKSet }		= require('jose/jwks/remote');
 
 // kubernetes client api
 var	k8sclientapi				= require('@kubernetes/client-node');
 var	fs							= require('fs');
 
+// https library
+var https	= require('https');
+
 // const variables
 var	K8S_PUBLISHER_NAME			= 'K8SOIDC';
 var	K8S_REGION_NAME				= 'K8sCluster';
+var	OIDC_JWKS_URI_KEYNAME		= 'jwks_uri';
 
 //
 // Global variables from configuration file
@@ -127,7 +125,6 @@ var	k2hr3_k8s_sa_token	= null;
 	if(apiutil.isSafeEntity(oidc_config)){
 		oidc_audience	= oidc_config.audience;
 		oidc_issuer		= oidc_config.issuer;
-		oidc_jwks_uri	= oidc_config.jwks_uri;
 		oidc_username	= oidc_config.usernamekey;
 		k8s_api_url		= oidc_config.k8sapi_url;
 		k8s_ca_cert		= oidc_config.k8s_ca_path;
@@ -651,27 +648,70 @@ async function rawVerifyTokenAndGetUsername(token)
 		issuer:		oidc_issuer,
 		audience:	oidc_audience
 	};
-	var protectedHeader = decodeProtectedHeader(token);
-	var JWKS = createRemoteJWKSet(new URL(oidc_jwks_uri));
-	var { payload, protectedHeader } = await jwtVerify(token, JWKS, jwtParam).catch(function(err){		// eslint-disable-line no-unused-vars, no-redeclare
-		r3logger.elog(err.message);
-		throw err;
-	});
 
-	var	userName	= null;
-	if(apiutil.isSafeString(oidc_username)){
-		userName = payload[oidc_username];
-	}else{
-		if(apiutil.isSafeString(payload.sub)){
-			userName = payload.sub;
+	var myPromise = function(issuer_url, conf_key){
+		return new Promise(function(resolve, reject){
+			https.get(oidc_issuer + '/.well-known/openid-configuration', function(res){
+				if(res.statusCode !== 200){
+					res.resume();
+					reject('statusCode should be 200, not ', res.statusCode);
+				}
+				res.setEncoding('utf8');
+				let rawData = '';
+				res.on('data', function(chunk){ rawData += chunk; });
+				res.on('end', function(){
+					var parsedData = apiutil.parseJSON(rawData);
+					if(apiutil.isSafeEntity(parsedData[conf_key])){
+						resolve(parsedData[conf_key]);
+					}else{
+						var errorMsg = ('the ' + conf_key + ' key should exist, but no such a key');
+						r3logger.elog(errorMsg);
+						reject(errorMsg);
+					}
+				});
+			}).on('error', function(err){
+				r3logger.elog(err.message);
+				reject(err.message);
+			});
+		});
+	};
+
+	// 1. Calls async here.
+	async function asyncFunction(){
+		// 2. Calls await() here.
+		try{
+			oidc_jwks_uri = await myPromise(oidc_issuer, OIDC_JWKS_URI_KEYNAME);
+			if(!apiutil.isSafeString(oidc_jwks_uri)){
+				var	error = new Error('oidc_jwks_uri should be defined, but no oidc_jwks_uri.');
+				r3logger.elog(error.message);
+				throw error;
+			}
+		}catch(err){
+			r3logger.elog(err.message);
+			throw err;
 		}
+		var JWKS = createRemoteJWKSet(new URL(oidc_jwks_uri));
+		var { payload, protectedHeader } = await jwtVerify(token, JWKS, jwtParam).catch(function(err){		// eslint-disable-line no-unused-vars
+			r3logger.elog(err.message);
+			throw err;
+		});
+
+		var	userName	= null;
+		if(apiutil.isSafeString(oidc_username)){
+			userName = payload[oidc_username];
+		}else{
+			if(apiutil.isSafeString(payload.sub)){
+				userName = payload.sub;
+			}
+		}
+		if(!apiutil.isSafeString(userName)){
+			error = new Error('failed to verify token for getting user name.');
+			r3logger.elog(error.message);
+			throw error;
+		}
+		return userName;
 	}
-	if(!apiutil.isSafeString(userName)){
-		var	error = new Error('failed to verify token for getting user name.');
-		r3logger.elog(error.message);
-		throw error;
-	}
-	return userName;
+	return asyncFunction();
 }
 
 function rawGetUserUnscopedTokenK8s(token, callback)

package/package.json

@@ -1,18 +1,18 @@
 {
   "name": "k2hr3-api",
-  "version": "1.0.4",
+  "version": "1.0.8",
   "dependencies": {
-    "@kubernetes/client-node": "^0.15.0",
-    "body-parser": "^1.19.0",
-    "config": "^3.3.6",
-    "cookie-parser": "~1.4.5",
-    "dateformat": "^4.5.1",
-    "debug": "~4.3.2",
-    "express": "^4.17.1",
-    "jose": "^3.14.0",
+    "@kubernetes/client-node": "^0.16.3",
+    "body-parser": "^1.20.0",
+    "config": "^3.3.7",
+    "cookie-parser": "~1.4.6",
+    "dateformat": "^4.6.3",
+    "debug": "~4.3.4",
+    "express": "^4.18.1",
+    "jose": "^4.8.1",
     "k2hdkc": "^1.0.2",
     "morgan": "~1.10.0",
-    "rotating-file-stream": "^2.1.5"
+    "rotating-file-stream": "^2.1.6"
   },
   "bin": {
     "k2hr3-api": "./bin/www",
@@ -28,10 +28,10 @@
     "test": "test"
   },
   "devDependencies": {
-    "chai": "^4.3.4",
+    "chai": "^4.3.6",
     "chai-http": "^4.3.0",
-    "eslint": "^7.32.0",
-    "mocha": "^9.1.0",
+    "eslint": "^8.17.0",
+    "mocha": "^10.0.0",
     "nyc": "^15.1.0",
     "publish-please": "^5.5.2"
   },
@@ -68,30 +68,30 @@
     "test:lint": "eslint lib/*.js app.js bin/www bin/watcher routes/*.js test/*.js",
     "test:cover": "echo 'Test with coverage' && nyc --reporter=lcov --reporter=text npm run test:auto:all",
     "test:auto": "echo 'Auto test : npm run test:auto:*\n      test:auto:all{:dbg}\n      test:auto:version{:dbg}\n      test:auto:usertokens{:dbg}\n      test:auto:list{:dbg}\n      test:auto:resource{:dbg}\n      test:auto:policy{:dbg}\n      test:auto:role{:dbg}\n      test:auto:service{:dbg}\n      test:auto:acr{:dbg}\n      test:auto:userdata{:dbg}\n      test:auto:extdata{:dbg}\n      test:auto:watcher{:dbg}\n      test:auto:templengine\n      test:auto:templengine:async\n'",
-    "test:auto:all": "echo 'All test' && npm run test:lint && test/auto_test.sh -t 4000 all && npm run test:auto:templengine && npm run test:auto:templengine:async && echo 'Succeed test' && echo ''",
-    "test:auto:all:dbg": "echo 'All test with debugging' && npm run test:lint && test/auto_test.sh -t 4000 -d dbg all && echo 'Succeed test' && echo ''",
-    "test:auto:version": "echo 'Test Version' && test/auto_test.sh -t 4000 version && echo 'Succeed test' && echo ''",
-    "test:auto:version:dbg": "echo 'Test Version with debugging' && test/auto_test.sh -t 4000 -d dbg version && echo 'Succeed test' && echo ''",
-    "test:auto:usertokens": "echo 'Test UserTokens' && test/auto_test.sh -t 4000 usertokens && echo 'Succeed test' && echo ''",
-    "test:auto:usertokens:dbg": "echo 'Test UserTokens with debugging' && test/auto_test.sh -t 4000 -d dbg usertokens && echo 'Succeed test' && echo ''",
-    "test:auto:list": "echo 'Test List' && test/auto_test.sh -t 4000 list && echo 'Succeed test' && echo ''",
-    "test:auto:list:dbg": "echo 'Test List with debugging' && test/auto_test.sh -t 4000 -d dbg list && echo 'Succeed test' && echo ''",
-    "test:auto:resource": "echo 'Test Resource' && test/auto_test.sh -t 4000 resource && echo 'Succeed test' && echo ''",
-    "test:auto:resource:dbg": "echo 'Test Resource with debugging' && test/auto_test.sh -t 4000 -d dbg resource && echo 'Succeed test' && echo ''",
-    "test:auto:policy": "echo 'Test Policy' && test/auto_test.sh -t 4000 policy && echo 'Succeed test' && echo ''",
-    "test:auto:policy:dbg": "echo 'Test Policy with debugging' && test/auto_test.sh -t 4000 -d dbg policy && echo 'Succeed test' && echo ''",
-    "test:auto:role": "echo 'Test Role' && test/auto_test.sh -t 4000 role && echo 'Succeed test' && echo ''",
-    "test:auto:role:dbg": "echo 'Test Role with debugging' && test/auto_test.sh -t 4000 -d dbg role && echo 'Succeed test' && echo ''",
-    "test:auto:service": "echo 'Test Service' && test/auto_test.sh -t 4000 service && echo 'Succeed test' && echo ''",
-    "test:auto:service:dbg": "echo 'Test Service with debugging' && test/auto_test.sh -t 4000 -d dbg service && echo 'Succeed test' && echo ''",
-    "test:auto:acr": "echo 'Test ACR' && test/auto_test.sh -t 4000 acr && echo 'Succeed test' && echo ''",
-    "test:auto:acr:dbg": "echo 'Test ACR with debugging' && test/auto_test.sh -t 4000 -d dbg acr && echo 'Succeed test' && echo ''",
-    "test:auto:userdata": "echo 'Test Userdata' && test/auto_test.sh -t 4000 userdata && echo 'Succeed test' && echo ''",
-    "test:auto:userdata:dbg": "echo 'Test Userdata with debugging' && test/auto_test.sh -t 4000 -d dbg userdata && echo 'Succeed test' && echo ''",
-    "test:auto:extdata": "echo 'Test Extdata' && test/auto_test.sh -t 4000 extdata && echo 'Succeed test' && echo ''",
-    "test:auto:extdata:dbg": "echo 'Test Extdata with debugging' && test/auto_test.sh -t 4000 -d dbg extdata && echo 'Succeed test' && echo ''",
-    "test:auto:watcher": "echo 'Test Watcher Process' && test/auto_test.sh -t 4000 watcher && echo 'Succeed test' && echo ''",
-    "test:auto:watcher:dbg": "echo 'Test Watcher Process with debugging' && test/auto_test.sh -t 4000 -d dbg watcher && echo 'Succeed test' && echo ''",
+    "test:auto:all": "echo 'All test' && npm run test:lint && test/auto_test.sh -t 8000 all && npm run test:auto:templengine && npm run test:auto:templengine:async && echo 'Succeed test' && echo ''",
+    "test:auto:all:dbg": "echo 'All test with debugging' && npm run test:lint && test/auto_test.sh -t 8000 -d dbg all && echo 'Succeed test' && echo ''",
+    "test:auto:version": "echo 'Test Version' && test/auto_test.sh -t 8000 version && echo 'Succeed test' && echo ''",
+    "test:auto:version:dbg": "echo 'Test Version with debugging' && test/auto_test.sh -t 8000 -d dbg version && echo 'Succeed test' && echo ''",
+    "test:auto:usertokens": "echo 'Test UserTokens' && test/auto_test.sh -t 8000 usertokens && echo 'Succeed test' && echo ''",
+    "test:auto:usertokens:dbg": "echo 'Test UserTokens with debugging' && test/auto_test.sh -t 8000 -d dbg usertokens && echo 'Succeed test' && echo ''",
+    "test:auto:list": "echo 'Test List' && test/auto_test.sh -t 8000 list && echo 'Succeed test' && echo ''",
+    "test:auto:list:dbg": "echo 'Test List with debugging' && test/auto_test.sh -t 8000 -d dbg list && echo 'Succeed test' && echo ''",
+    "test:auto:resource": "echo 'Test Resource' && test/auto_test.sh -t 8000 resource && echo 'Succeed test' && echo ''",
+    "test:auto:resource:dbg": "echo 'Test Resource with debugging' && test/auto_test.sh -t 8000 -d dbg resource && echo 'Succeed test' && echo ''",
+    "test:auto:policy": "echo 'Test Policy' && test/auto_test.sh -t 8000 policy && echo 'Succeed test' && echo ''",
+    "test:auto:policy:dbg": "echo 'Test Policy with debugging' && test/auto_test.sh -t 8000 -d dbg policy && echo 'Succeed test' && echo ''",
+    "test:auto:role": "echo 'Test Role' && test/auto_test.sh -t 8000 role && echo 'Succeed test' && echo ''",
+    "test:auto:role:dbg": "echo 'Test Role with debugging' && test/auto_test.sh -t 8000 -d dbg role && echo 'Succeed test' && echo ''",
+    "test:auto:service": "echo 'Test Service' && test/auto_test.sh -t 8000 service && echo 'Succeed test' && echo ''",
+    "test:auto:service:dbg": "echo 'Test Service with debugging' && test/auto_test.sh -t 8000 -d dbg service && echo 'Succeed test' && echo ''",
+    "test:auto:acr": "echo 'Test ACR' && test/auto_test.sh -t 8000 acr && echo 'Succeed test' && echo ''",
+    "test:auto:acr:dbg": "echo 'Test ACR with debugging' && test/auto_test.sh -t 8000 -d dbg acr && echo 'Succeed test' && echo ''",
+    "test:auto:userdata": "echo 'Test Userdata' && test/auto_test.sh -t 8000 userdata && echo 'Succeed test' && echo ''",
+    "test:auto:userdata:dbg": "echo 'Test Userdata with debugging' && test/auto_test.sh -t 8000 -d dbg userdata && echo 'Succeed test' && echo ''",
+    "test:auto:extdata": "echo 'Test Extdata' && test/auto_test.sh -t 8000 extdata && echo 'Succeed test' && echo ''",
+    "test:auto:extdata:dbg": "echo 'Test Extdata with debugging' && test/auto_test.sh -t 8000 -d dbg extdata && echo 'Succeed test' && echo ''",
+    "test:auto:watcher": "echo 'Test Watcher Process' && test/auto_test.sh -t 8000 watcher && echo 'Succeed test' && echo ''",
+    "test:auto:watcher:dbg": "echo 'Test Watcher Process with debugging' && test/auto_test.sh -t 8000 -d dbg watcher && echo 'Succeed test' && echo ''",
     "test:auto:templengine": "echo 'Test template engine' && test/auto_template.sh && echo 'Succeed test' && echo ''",
     "test:auto:templengine:async": "echo 'Test asynchronous template engine' && test/auto_template.sh -a && echo 'Succeed test' && echo ''",
     "test:manual": "echo 'Manual test : npm run test:manual:*\n      test:manual:apis:version_get\n      test:manual:apis:usertoken_postput\n      test:manual:apis:usertoken_gethead\n      test:manual:apis:policy_postput\n      test:manual:apis:policy_gethead\n      test:manual:apis:policy_delete\n      test:manual:apis:resource_postput\n      test:manual:apis:resource_gethead\n      test:manual:apis:resource_delete\n      test:manual:apis:role_postput\n      test:manual:apis:role_gethead\n      test:manual:apis:role_delete\n      test:manual:apis:service_postput\n      test:manual:apis:service_gethead\n      test:manual:apis:service_delete\n      test:manual:apis:acr_postput\n      test:manual:apis:acr_get\n      test:manual:apis:acr_delete\n      test:manual:apis:list_gethead\n      test:manual:apis:userdata_get\n      test:manual:apis:extdata_get\n      test:manual:apis:allusertenant_get\n      test:manual:apis:k2hr3keys_get\n      test:manual:load:k2hdkcdata:auto\n      test:manual:load:k2hdkcdata:local\n      test:manual:templengine\n      test:manual:templengine:async\n'",

package/routes/role.js

@@ -560,6 +560,10 @@ function putRole(req, res, next)										// eslint-disable-line no-unused-vars
 //																extra is any string including Control code, allowed null and '' for  this value.
 //			"tag":			<string data>					=>	key is "yrn:yahoo:<service>::<tenant>:role:<role>/hosts/..."
 //																tag is any string including Control code, allowed null and '' for  this value.
+//			"inboundip":	<ip address>					=>	key is "yrn:yahoo:<service>::<tenant>:role:<role>/hosts/..."
+//																inboundip is set ip address string. if you do not use proxy/gateway/bridge/etc, you do not need to set this key.
+//			"outboundip":	<ip address>					=>	key is "yrn:yahoo:<service>::<tenant>:role:<role>/hosts/..."
+//																outboundip is set ip address string. if you do not use proxy/gateway/bridge/etc, you do not need to set this key.
 //		}
 //		"clear_hostname":	<true/false>
 //		"clear_ips":		<true/false>
@@ -568,11 +572,13 @@ function putRole(req, res, next)										// eslint-disable-line no-unused-vars
 //	{
 //		"host":	[											=>	specified host as Array(only POST request has this type)
 //			{
-//				"host":		<hostname / ip address>
-//				"port":		<port number>
-//				"cuk":		<container unique key>
-//				"extra":	<extra string data>
-//				"tag":		<string data>
+//				"host":			<hostname / ip address>
+//				"port":			<port number>
+//				"cuk":			<container unique key>
+//				"extra":		<extra string data>
+//				"tag":			<string data>
+//				"inboundip":	<ip address>
+//				"outboundip":	<ip address>
 //			}
 //			...
 //		]
@@ -592,6 +598,10 @@ function putRole(req, res, next)										// eslint-disable-line no-unused-vars
 //																extra is any string including Control code, allowed null and '' for  this value.
 //			"tag":			<string data>					=>	key is "yrn:yahoo:<service>::<tenant>:role:<role>/hosts/..."
 //																tag is any string including Control code, allowed null and '' for  this value.
+//			"inboundip":	<ip address>					=>	key is "yrn:yahoo:<service>::<tenant>:role:<role>/hosts/..."
+//																inboundip is set ip address string. if you do not use proxy/gateway/bridge/etc, you do not need to set this key.
+//			"outboundip":	<ip address>					=>	key is "yrn:yahoo:<service>::<tenant>:role:<role>/hosts/..."
+//																outboundip is set ip address string. if you do not use proxy/gateway/bridge/etc, you do not need to set this key.
 //		}
 //	}
 //
@@ -671,6 +681,7 @@ function postRoleHost(role, req, res, next)								// eslint-disable-line no-unu
 	var	cuk;
 	var	extra;
 	var	tag;
+	var	host_info;
 	if(!is_host_req){
 		//
 		// request from user token
@@ -745,25 +756,63 @@ function postRoleHost(role, req, res, next)								// eslint-disable-line no-unu
 				tag = apiutil.getSafeString(hostArray[cnt].tag);
 			}
 
-			// set to array
+			// set base host information
 			if(null !== tg_host){
-				hostnameArray.push({
+				host_info = {
 					ip:			null,
 					hostname:	tg_host,
 					port:		port,
 					cuk:		cuk,
 					extra:		extra,
 					tag:		tag
-				});
+				};
 			}else{	// null !== tg_ip
-				ipArray.push({
+				host_info = {
 					ip:			tg_ip,
 					hostname:	null,
 					port:		port, 
 					cuk:		cuk,
 					extra:		extra,
 					tag:		tag
-				});
+				};
+			}
+
+			// set optional keys
+			if(apiutil.isSafeString(hostArray[cnt].inboundip)){
+				if(!apiutil.isIpAddressString(hostArray[cnt].inboundip)){
+					/* eslint-disable indent, no-mixed-spaces-and-tabs */
+					result = {
+								result: 	false,
+								message:	'POST request has inbound ip address which is not ignore ip address string: ' + JSON.stringify(hostArray[cnt].inboundip)
+							 };
+					/* eslint-enable indent, no-mixed-spaces-and-tabs */
+					r3logger.elog(result.message);
+					resutil.errResponse(req, res, 400, result);				// 400: Bad Request
+					return;
+				}
+				host_info.inboundip = apiutil.getSafeString(hostArray[cnt].inboundip);
+			}
+
+			if(apiutil.isSafeString(hostArray[cnt].outboundip)){
+				if(!apiutil.isIpAddressString(hostArray[cnt].outboundip)){
+					/* eslint-disable indent, no-mixed-spaces-and-tabs */
+					result = {
+								result: 	false,
+								message:	'POST request has outbound ip address which is not ignore ip address string: ' + JSON.stringify(hostArray[cnt].outboundip)
+							 };
+					/* eslint-enable indent, no-mixed-spaces-and-tabs */
+					r3logger.elog(result.message);
+					resutil.errResponse(req, res, 400, result);				// 400: Bad Request
+					return;
+				}
+				host_info.outboundip = apiutil.getSafeString(hostArray[cnt].outboundip);
+			}
+
+			// push array
+			if(null !== tg_host){
+				hostnameArray.push(host_info);
+			}else{	// null !== tg_ip
+				ipArray.push(host_info);
 			}
 		}
 		if(apiutil.isEmptyArray(hostnameArray)){
@@ -849,10 +898,44 @@ function postRoleHost(role, req, res, next)								// eslint-disable-line no-unu
 			}
 		}
 
+		// inboundip(optional)
+		var	inboundip = null;
+		if(apiutil.isSafeString(req.body.host.inboundip)){
+			if(!apiutil.isIpAddressString(req.body.host.inboundip)){
+				/* eslint-disable indent, no-mixed-spaces-and-tabs */
+				result = {
+							result: 	false,
+							message:	'POST request has inbound ip address which is not ignore ip address string: ' + JSON.stringify(req.body.host.inboundip)
+						 };
+				/* eslint-enable indent, no-mixed-spaces-and-tabs */
+				r3logger.elog(result.message);
+				resutil.errResponse(req, res, 400, result);				// 400: Bad Request
+				return;
+			}
+			inboundip = apiutil.getSafeString(req.body.host.inboundip);
+		}
+
+		// outboundip(optional)
+		var	outboundip = null;
+		if(apiutil.isSafeString(req.body.host.outboundip)){
+			if(!apiutil.isIpAddressString(req.body.host.outboundip)){
+				/* eslint-disable indent, no-mixed-spaces-and-tabs */
+				result = {
+							result: 	false,
+							message:	'POST request has outbound ip address which is not ignore ip address string: ' + JSON.stringify(req.body.host.outboundip)
+						 };
+				/* eslint-enable indent, no-mixed-spaces-and-tabs */
+				r3logger.elog(result.message);
+				resutil.errResponse(req, res, 400, result);				// 400: Bad Request
+				return;
+			}
+			outboundip = apiutil.getSafeString(req.body.host.outboundip);
+		}
+
 		//
 		// Add ip address ---> Role Token or User Token
 		//
-		result = k2hr3.addHost(token_info.tenant, name, null, ip, port, cuk, extra, tag);
+		result = k2hr3.addHost(token_info.tenant, name, null, ip, port, cuk, extra, tag, inboundip, outboundip);
 	}
 
 	//------------------------------
@@ -905,6 +988,10 @@ function postRoleHost(role, req, res, next)								// eslint-disable-line no-unu
 //	"tag":			<string data>					=>	key is "yrn:yahoo:<service>::<tenant>:role:<role>/hosts/..."
 //														This value must be encoded by JSON.
 //														tag is any string including Control code, allowed null and '' for  this value.
+//	"inboundip":	<ip address>					=>	key is "yrn:yahoo:<service>::<tenant>:role:<role>/hosts/..."
+//														inboundip is set ip address string. if you do not use proxy/gateway/bridge/etc, you do not need to set this key.
+//	"outboundip":	<ip address>					=>	key is "yrn:yahoo:<service>::<tenant>:role:<role>/hosts/..."
+//														outboundip is set ip address string. if you do not use proxy/gateway/bridge/etc, you do not need to set this key.
 //
 // [RoleToken] url argument
 //	"port":			<port number>					=>	key is "yrn:yahoo:<service>::<tenant>:role:<role>/hosts/ip/<ip port cuk>"
@@ -918,6 +1005,10 @@ function postRoleHost(role, req, res, next)								// eslint-disable-line no-unu
 //	"tag":			<string data>					=>	key is "yrn:yahoo:<service>::<tenant>:role:<role>/hosts/..."
 //														This value must be encoded by JSON.
 //														tag is any string including Control code, allowed null and '' for  this value.
+//	"inboundip":	<ip address>					=>	key is "yrn:yahoo:<service>::<tenant>:role:<role>/hosts/..."
+//														inboundip is set ip address string. if you do not use proxy/gateway/bridge/etc, you do not need to set this key.
+//	"outboundip":	<ip address>					=>	key is "yrn:yahoo:<service>::<tenant>:role:<role>/hosts/..."
+//														outboundip is set ip address string. if you do not use proxy/gateway/bridge/etc, you do not need to set this key.
 //
 // [NOTE]
 // This API only set(add/create) host into role. Ether hostname or ip address must be specified.
@@ -1079,9 +1170,45 @@ function putRoleHost(role, req, res, next)								// eslint-disable-line no-unus
 		tag		= null;
 	}
 
-	// make host information
+	// make base host information
 	var	host_info = { ip: ip, hostname: hostname, port: port, cuk: cuk, extra: extra, tag: tag };
 
+	// set inboundip(optional)
+	var inboundip = null;
+	if(apiutil.isSafeString(req.query.inboundip)){
+		if(!apiutil.isIpAddressString(req.query.inboundip)){
+			/* eslint-disable indent, no-mixed-spaces-and-tabs */
+			result = {
+						result: 	false,
+						message:	'PUT request has inbound ip address which is not ignore ip address string: ' + JSON.stringify(req.query.inboundip)
+					 };
+			/* eslint-enable indent, no-mixed-spaces-and-tabs */
+			r3logger.elog(result.message);
+			resutil.errResponse(req, res, 400, result);				// 400: Bad Request
+			return;
+		}
+		inboundip			= apiutil.getSafeString(req.query.inboundip);
+		host_info.inboundip	= inboundip;
+	}
+
+	// set outboundip(optional)
+	var outboundip = null;
+	if(apiutil.isSafeString(req.query.outboundip)){
+		if(!apiutil.isIpAddressString(req.query.outboundip)){
+			/* eslint-disable indent, no-mixed-spaces-and-tabs */
+			result = {
+						result: 	false,
+						message:	'PUT request has outbound ip address which is not ignore ip address string: ' + JSON.stringify(req.query.outboundip)
+					 };
+			/* eslint-enable indent, no-mixed-spaces-and-tabs */
+			r3logger.elog(result.message);
+			resutil.errResponse(req, res, 400, result);				// 400: Bad Request
+			return;
+		}
+		outboundip			= apiutil.getSafeString(req.query.outboundip);
+		host_info.outboundip= outboundip;
+	}
+
 	//------------------------------
 	// add host to role
 	//------------------------------
@@ -1094,7 +1221,7 @@ function putRoleHost(role, req, res, next)								// eslint-disable-line no-unus
 		}
 	}else{
 		// Add ip address ---> Role Token or User Token
-		result = k2hr3.addHost(token_info.tenant, name, null, ip, port, cuk, extra, tag);
+		result = k2hr3.addHost(token_info.tenant, name, null, ip, port, cuk, extra, tag, inboundip, outboundip);
 	}
 	if(!apiutil.isSafeEntity(result) || !apiutil.isSafeEntity(result.result) || false === result.result){
 		if(!apiutil.isSafeEntity(result)){

package/test/auto_subprocesses.js

@@ -40,19 +40,19 @@ exports.start = function(parentobj)
 	//
 	// Run chmpx for server node
 	//
-	var	result = execSync('test/auto_control_subprocess.sh -start -key server -int 1 chmpx -conf test/auto_k2hdkc_server.ini -ctlport 18021 -d msg');
+	var	result = execSync('test/auto_control_subprocess.sh -start -key server -int 3 chmpx -conf test/auto_k2hdkc_server.ini -ctlport 18021 -d msg');
 	console.log('    - run chmpx for server node: ' + String(result).replace(/\r?\n$/g, ''));
 
 	//
 	// Run k2hdkc
 	//
-	result = execSync('test/auto_control_subprocess.sh -start -key server -int 1 k2hdkc -conf test/auto_k2hdkc_server.ini -ctlport 18021 -d msg');
+	result = execSync('test/auto_control_subprocess.sh -start -key server -int 3 k2hdkc -conf test/auto_k2hdkc_server.ini -ctlport 18021 -d msg');
 	console.log('    - run k2hdkc: ' + String(result).replace(/\r?\n$/g, ''));
 
 	//
 	// Run chmpx for slave node
 	//
-	result = execSync('test/auto_control_subprocess.sh -start -key slave -int 1 chmpx -conf test/auto_k2hdkc_slave.ini -ctlport 18031 -d msg');
+	result = execSync('test/auto_control_subprocess.sh -start -key slave -int 3 chmpx -conf test/auto_k2hdkc_slave.ini -ctlport 18031 -d msg');
 	console.log('    - run chmpx for slave node: ' + String(result).replace(/\r?\n$/g, ''));
 
 	//
@@ -83,19 +83,19 @@ exports.stop = function(parentobj)
 	//
 	// Stop chmpx for slave node
 	//
-	var	result = execSync('test/auto_control_subprocess.sh -stop -key slave -int 1 chmpx');
+	var	result = execSync('test/auto_control_subprocess.sh -stop -key slave -int 3 chmpx');
 	console.log('    - stop chmpx for slave node: ' + String(result).replace(/\r?\n$/g, ''));
 
 	//
 	// Stop k2hdkc
 	//
-	result = execSync('test/auto_control_subprocess.sh -stop -key server -int 1 k2hdkc');
+	result = execSync('test/auto_control_subprocess.sh -stop -key server -int 3 k2hdkc');
 	console.log('    - stop k2hdkc: ' + String(result).replace(/\r?\n$/g, ''));
 
 	//
 	// Stop chmpx for slave node
 	//
-	result = execSync('test/auto_control_subprocess.sh -stop -key server -int 1 chmpx');
+	result = execSync('test/auto_control_subprocess.sh -stop -key server -int 3 chmpx');
 	console.log('    - stop chmpx for server node: ' + String(result).replace(/\r?\n$/g, ''));
 
 	//

package/test/manual_role_postput.js

@@ -146,7 +146,7 @@ function postV1Role(method, token, name, policies, alias)
 	req.end();
 }
 
-function postV1RoleHost(method, is_user_token, token, name, target_host, port, cuk, extra, tag)
+function postV1RoleHost(method, is_user_token, token, name, target_host, port, cuk, extra, tag, inboundip, outboundip)
 {
 	/* eslint-disable indent, no-mixed-spaces-and-tabs */
 	var	strbody		= '';
@@ -172,6 +172,13 @@ function postV1RoleHost(method, is_user_token, token, name, target_host, port, c
 		host_info.extra				= extra;
 		host_info.tag				= tag;
 
+		if(apiutil.isSafeString(inboundip)){		// not need to check ip address
+			host_info.inboundip		= inboundip;
+		}
+		if(apiutil.isSafeString(outboundip)){		// not need to check ip address
+			host_info.outboundip	= outboundip;
+		}
+
 		var	body					= {	'host': host_info };
 
 		strbody						= JSON.stringify(body);
@@ -208,6 +215,17 @@ function postV1RoleHost(method, is_user_token, token, name, target_host, port, c
 			urlarg		+= JSON.stringify(tag);				// if tag is existing, it includes control codes, so it is converted to JSON.
 			already_set	= true;
 		}
+		if(apiutil.isSafeString(inboundip)){				// not need to check ip address
+			urlarg		+= already_set ? '&inboundip=' : '?inboundip=';
+			urlarg		+= inboundip;
+			already_set	= true;
+		}
+		if(apiutil.isSafeString(outboundip)){				// not need to check ip address
+			urlarg		+= already_set ? '&outboundip=' : '?outboundip=';
+			urlarg		+= outboundip;
+			already_set	= true;
+		}
+
 		headers['Content-Length']	= 0;
 		options.headers				= headers;
 		options.path				= '/v1/role/' + name + encodeURI(urlarg);
@@ -425,25 +443,51 @@ function inputHostType(method)
 									_tag = tag;
 								}
 
-								if(!_is_user_token){
-									// run
-									postV1RoleHost(_method, _is_user_token, _token, _name, null, _port, _cuk, _extra, _tag);
-								}else{
-
-									cliutil.getConsoleInput('     Host(specify hostname or ip address)             : ', true, false, function(isbreak, target_host)
+								cliutil.getConsoleInput('     Inbound IP address - null or string              : ', true, false, function(isbreak, inbound)
+								{
+									if(isbreak){
+										process.exit(0);
+									}
+									var	_inbound;
+									if('' === apiutil.getSafeString(inbound) || apiutil.compareCaseString('null', apiutil.getSafeString(inbound))){
+										_inbound = null;
+									}else{
+										_inbound = inbound;
+									}
+
+									cliutil.getConsoleInput('     Outbound IP address - null or string             : ', true, false, function(isbreak, outbound)
 									{
 										if(isbreak){
 											process.exit(0);
 										}
-										if(!apiutil.isSafeString(target_host)){
-											process.exit(0);
+										var	_outbound;
+										if('' === apiutil.getSafeString(outbound) || apiutil.compareCaseString('null', apiutil.getSafeString(outbound))){
+											_outbound = null;
+										}else{
+											_outbound = outbound;
 										}
-										var	_target_host = target_host;
 
-										// run
-										postV1RoleHost(_method, _is_user_token, _token, _name, _target_host, _port, _cuk, _extra, _tag);
+										if(!_is_user_token){
+											// run
+											postV1RoleHost(_method, _is_user_token, _token, _name, null, _port, _cuk, _extra, _tag, _inbound, _outbound);
+										}else{
+
+											cliutil.getConsoleInput('     Host(specify hostname or ip address)             : ', true, false, function(isbreak, target_host)
+											{
+												if(isbreak){
+													process.exit(0);
+												}
+												if(!apiutil.isSafeString(target_host)){
+													process.exit(0);
+												}
+												var	_target_host = target_host;
+
+												// run
+												postV1RoleHost(_method, _is_user_token, _token, _name, _target_host, _port, _cuk, _extra, _tag, _inbound, _outbound);
+											});
+										}
 									});
-								}
+								});
 							});
 						});
 					});

package/test/run_local_test_k2hdkc.sh

@@ -84,7 +84,7 @@ if [ ${IS_SCRIPT_MODE} -eq 1 ]; then
 	#
 	echo "*** Start : chmpx server node for k2hdkc"
 	echo -n "            "
-	${SRCTOP}/test/auto_control_subprocess.sh -start -key server${KEYWORD} -int 1 chmpx -conf ${SRCTOP}/test/auto_k2hdkc_server.ini -ctlport 18021 -d msg
+	${SRCTOP}/test/auto_control_subprocess.sh -start -key server${KEYWORD} -int 3 chmpx -conf ${SRCTOP}/test/auto_k2hdkc_server.ini -ctlport 18021 -d msg
 	if [ $? -ne 0 ]; then
 		echo "ERROR: could not run chmpx server node for k2hdkc"
 		exit 1
@@ -92,7 +92,7 @@ if [ ${IS_SCRIPT_MODE} -eq 1 ]; then
 
 	echo "*** Start : one k2hdkc process"
 	echo -n "            "
-	${SRCTOP}/test/auto_control_subprocess.sh -start -key server${KEYWORD} -int 1 k2hdkc -conf ${SRCTOP}/test/auto_k2hdkc_server.ini -ctlport 18021 -d msg
+	${SRCTOP}/test/auto_control_subprocess.sh -start -key server${KEYWORD} -int 3 k2hdkc -conf ${SRCTOP}/test/auto_k2hdkc_server.ini -ctlport 18021 -d msg
 	if [ $? -ne 0 ]; then
 		echo "ERROR: one k2hdkc process"
 		exit 1
@@ -100,7 +100,7 @@ if [ ${IS_SCRIPT_MODE} -eq 1 ]; then
 
 	echo "*** Start : chmpx slave node for k2hdkc"
 	echo -n "            "
-	${SRCTOP}/test/auto_control_subprocess.sh -start -key slave${KEYWORD} -int 1 chmpx -conf ${SRCTOP}/test/auto_k2hdkc_slave.ini -ctlport 18031 -d msg
+	${SRCTOP}/test/auto_control_subprocess.sh -start -key slave${KEYWORD} -int 3 chmpx -conf ${SRCTOP}/test/auto_k2hdkc_slave.ini -ctlport 18031 -d msg
 	if [ $? -ne 0 ]; then
 		echo "ERROR: chmpx slave node for k2hdkc"
 		exit 1
@@ -120,7 +120,7 @@ else
 	#
 	echo "*** Stop : chmpx slave node for k2hdkc"
 	echo -n "           "
-	${SRCTOP}/test/auto_control_subprocess.sh -stop -key slave${KEYWORD} -int 1 chmpx
+	${SRCTOP}/test/auto_control_subprocess.sh -stop -key slave${KEYWORD} -int 3 chmpx
 	if [ $? -ne 0 ]; then
 		echo "ERROR: chmpx slave node for k2hdkc"
 		exit 1
@@ -128,7 +128,7 @@ else
 
 	echo "*** Stop : one k2hdkc process"
 	echo -n "           "
-	${SRCTOP}/test/auto_control_subprocess.sh -stop -key server${KEYWORD} -int 1 k2hdkc
+	${SRCTOP}/test/auto_control_subprocess.sh -stop -key server${KEYWORD} -int 3 k2hdkc
 	if [ $? -ne 0 ]; then
 		echo "ERROR: one k2hdkc process"
 		exit 1
@@ -136,7 +136,7 @@ else
 
 	echo "*** Stop : chmpx server node for k2hdkc"
 	echo -n "           "
-	${SRCTOP}/test/auto_control_subprocess.sh -stop -key server${KEYWORD} -int 1 chmpx
+	${SRCTOP}/test/auto_control_subprocess.sh -stop -key server${KEYWORD} -int 3 chmpx
 	if [ $? -ne 0 ]; then
 		echo "ERROR: could not run chmpx server node for k2hdkc"
 		exit 1

package/.auditignore

@@ -1 +0,0 @@
-https://npmjs.com/advisories/1673