npm - scimgateway - Versions diffs - 4.1.10 → 4.1.12 - Mend

scimgateway 4.1.10 → 4.1.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -17,12 +17,12 @@ Validated through IdP's:
 Latest news:
 - **BREAKING**: [SCIM Stream](https://elshaug.xyz/docs/scim-stream) is the modern way of user provisioning letting clients subscribe to messages instead of traditional IGA top-down provisioning. SCIM Stream includes **SCIM Stream Gateway**, the next generation SCIM Gateway that supports message subscription and automated provisioning
-- Supporting OAuth Client Credentials authentication
+- Supports OAuth Client Credentials authentication
 - Major version v4.0.0. getUsers() and getGroups() replacing some deprecated methods. No limitations on filtering/sorting. Admin user access can be linked to specific baseEntities. New MongoDB plugin
 - ipAllowList for restricting access to allowlisted IP addresses or subnets e.g. Azure AD IP-range
 - General LDAP plugin configured for Active Directory
 - [PlugSSO](https://elshaug.xyz/docs/plugsso) using SCIM Gateway
-- Authentication configuration allowing more than one admin user including option for readOnly
+- Each authentication configuration allowing more than one admin user including option for readOnly
 - Codebase moved from callback of h... to the the promise(d) land of async/await
 - Supports configuration by environments and external files
 - Health monitoring through "/ping" URL, and option for error notifications by email
@@ -379,11 +379,11 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 	Note, we should normally use certificate (https) for communicating with SCIM Gateway unless we install ScimGatway locally on the manager (e.g. on the CA Connector Server). When installed on the manager, we could use `http://localhost:port` or `http://127.0.0.1:port` which will not be passed down to the data link layer for transmission. We could then also set {"localhostonly": true}
-- **ipAllowList** - Array of one or more IPv4/IPv6 subnets (CIDR) allowed for incoming traffic.  E.g. using Azure AD as IdP, we would like to restrict access to IP addresses used by Azure AD. Azure IP-range can be downloaded from: [https://azureipranges.azurewebsites.net](https://azureipranges.azurewebsites.net), enter **AzureActiveDirectory** in the search list and select JSON download. Copy the "addressPrefixes" array content and paste into ipAllowList array. CIDR single IP-host syntax is a.b.c.d/32. Note, front-end HTTP proxy or a load balancer must include **X-Forwarded-For** header. Configuration example:
+- **ipAllowList** - Array of one or more IPv4/IPv6 subnets (CIDR) allowed for incoming traffic.  E.g. using Azure AD as IdP, we would like to restrict access to IP addresses used by Azure AD. Azure IP-range can be downloaded from: [https://azureipranges.azurewebsites.net](https://azureipranges.azurewebsites.net), enter **AzureActiveDirectory** in the search list and select JSON download. Copy the "addressPrefixes" array content and paste into ipAllowList array. CIDR single IP-host syntax is a.b.c.d/32. Note, front-end HTTP proxy or a load balancer must include client IP-address in the **X-Forwarded-For** header. Configuration example:
         "ipAllowList": [
-          "13.66.60.119/32",
-          "13.66.143.220/30",
+          "13.64.151.161/32",
+          "13.66.141.64/27",
           ...
           "2603:1056:2000::/48",
           "2603:1057:2::/48"
@@ -1146,6 +1146,18 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 ## Change log
+### v4.1.12
+[Added]
+- Dependencies bump
+### v4.1.11
+[Fixed]
+- basic auth logon dialog should not show up when not configured
 ### v4.1.10
 [Added]
@@ -1181,13 +1193,16 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 - Symantec/Broadcom/CA ConnectorXpress configuration file `config\resources\Azure - ScimGateway.xml` for defining the Azure endpoint, have been updated with some new attributes according to plugin-azure-ad.json attribute mappings
 ### v4.1.6
-[Added]
+[Added]
 - Dependencies bump
 ### v4.1.5
 [Added]
-Announcing some SCIM Gateway related news:
+SCIM Gateway related news:
 - [SCIM Stream](https://elshaug.xyz/docs/scim-stream) is the modern way of user provisioning letting clients subscribe to messages instead of traditional IGA top-down provisioning. SCIM Stream includes **SCIM Stream Gateway**, the next generation SCIM Gateway that supports message subscription and automated provisioning

package/lib/scimgateway.js CHANGED Viewed

@@ -123,7 +123,7 @@ const ScimGateway = function () {
         logger.error(`${gwName}[${pluginName}] getPassword error: ${err.message}`)
         throw err // above logger.error included because this unhanledExcepton will be handled by winston and may fail with an other internal winston error e.g. related to memoryUsage collection logic when running in unikernel
       }
-      if (arr[i].password) foundBasic = true
+      if (arr[i].username && arr[i].password) foundBasic = true
     }
     if (!foundBasic) config.auth.basic = []
   }
@@ -223,7 +223,7 @@ const ScimGateway = function () {
   if (config.certificate.pfx.password) pwPfxPassword = ScimGateway.prototype.getPassword('scimgateway.certificate.pfx.password', configFile)
   if (config.emailOnError.smtp.password) config.emailOnError.smtp.password = ScimGateway.prototype.getPassword('scimgateway.emailOnError.smtp.password', configFile)
-  if (!foundBasic && !foundBearerToken && !foundBearerJwtAzure && !foundBearerJwt) {
+  if (!foundBasic && !foundBearerToken && !foundBearerJwtAzure && !foundBearerJwt && !foundBearerOAuth) {
     logger.error(`${gwName}[${pluginName}] Scimgateway password decryption failed or no password defined`)
     logger.error(`${gwName}[${pluginName}] stopping...\n`)
     throw (new Error('Using exception to stop further asynchronous code execution (ensure synchronous logger flush to logfile and exit program), please ignore this one...'))
@@ -450,9 +450,9 @@ const ScimGateway = function () {
         if (tokenObj.readOnly === true && method !== 'GET') return reject(new Error('only allowing readOnly for this bearerOAuth according to bearerOAuth configuration readOnly=true'))
         return resolve(true)
       } else {
-        for (let i = 0; i < arr.length; i++) { // resolve if token memory store have been cleared becuase of a gateway restart
-          if (utils.getEncrypted(authToken, arr[i].client_secret) === 'token' && !arr[i].isTokenRequested) {
-            arr[i].isTokenRequested = true // flagged as true to not allow repeated resolvements becuase token will also be cleared when expired
+        for (let i = 0; i < arr.length; i++) { // resolve if token memory store have been cleared because of a gateway restart
+          if (utils.getEncrypted(authToken, arr[i].client_secret) === arr[i].client_secret && !arr[i].isTokenRequested) {
+            arr[i].isTokenRequested = true // flagged as true to not allow repeated resolvements because token will also be cleared when expired
             const baseEntities = utils.copyObj(arr[i].baseEntities)
             let expires
             let readOnly = false
@@ -505,7 +505,7 @@ const ScimGateway = function () {
         logger.debug(`${gwName}[${pluginName}] request jwt.decode(authToken) = ${JSON.stringify(jwt.decode(authToken))}`)
       }
       if (authType === 'Bearer') ctx.set('WWW-Authenticate', 'Bearer realm=""')
-      else ctx.set('WWW-Authenticate', 'Basic realm=""')
+      else if (foundBasic) ctx.set('WWW-Authenticate', 'Basic realm=""')
       ctx.set('Content-Type', 'application/json; charset=utf-8')
       ctx.status = 401
       ctx.body = { error: 'Access denied' }
@@ -658,7 +658,7 @@ const ScimGateway = function () {
       for (let i = 0; i < arr.length; i++) {
         if (!arr[i].client_id || !arr[i].client_secret) continue
         if (arr[i].client_id === jsonBody.client_id && arr[i].client_secret === jsonBody.client_secret) { // authentication OK
-          token = utils.getEncrypted('token', jsonBody.client_secret) // client_secret as seed
+          token = utils.getEncrypted(jsonBody.client_secret, jsonBody.client_secret)
           baseEntities = utils.copyObj(arr[i].baseEntities)
           if (arr[i].readOnly && arr[i].readOnly === true) readOnly = true
           if (arr[i].expires_in && !isNaN(arr[i].expires_in)) expires = arr[i].expires_in
@@ -1327,7 +1327,7 @@ const ScimGateway = function () {
           else { // try to get current groups the standard way
             let res
             try {
-              res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: decodeURIComponent(id) }, ['members.value', 'id', 'displayName']) // await scimgateway.getUserGroups(baseEntity, userObj.id, 'members.value,displayName')
+              res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: decodeURIComponent(id) }, ['id', 'displayName'])
             } catch (err) {} // method may be implemented but throwing error like groups not supported/implemented
             currentGroups = []
             if (res && res.Resources && Array.isArray(res.Resources) && res.Resources.length > 0) {
@@ -1421,7 +1421,7 @@ const ScimGateway = function () {
         // include groups
         if (handle.getMethod === handler.users.getMethod && typeof this[handler.groups.getMethod] === 'function') {
           logger.debug(`${gwName}[${pluginName}] calling "${handler.groups.getMethod}" and awaiting result`)
-          const res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: id }, ['members.value', 'id', 'displayName'])
+          const res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: id }, ['id', 'displayName'])
           let grps = []
           if (res && res.Resources && Array.isArray(res.Resources)) grps = res.Resources
           else if (Array.isArray(res)) grps = res

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "4.1.10",
+  "version": "4.1.12",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",
   "homepage": "https://elshaug.xyz",
@@ -37,18 +37,18 @@
     "https-proxy-agent": "^5.0.1",
     "is-in-subnet": "^4.0.1",
     "jsonwebtoken": "^8.5.1",
-    "koa": "^2.13.4",
+    "koa": "^2.14.0",
     "koa-bodyparser": "^4.3.0",
     "koa-router": "^12.0.0",
     "ldapjs": "^2.3.3",
     "lokijs": "^1.5.12",
-    "mongodb": "^4.10.0",
+    "mongodb": "^4.12.1",
     "node-machine-id": "1.1.9",
-    "nodemailer": "^6.7.8",
+    "nodemailer": "^6.8.0",
     "passport": "^0.6.0",
     "passport-azure-ad": "^4.3.4",
     "soap": "^0.45.0",
-    "tedious": "^15.1.0",
+    "tedious": "^15.1.2",
     "winston": "^3.8.2"
   },
   "devDependencies": {