scimgateway 4.1.11 → 4.1.13

package/README.md

@@ -17,12 +17,12 @@ Validated through IdP's:
 Latest news:  
 
 - **BREAKING**: [SCIM Stream](https://elshaug.xyz/docs/scim-stream) is the modern way of user provisioning letting clients subscribe to messages instead of traditional IGA top-down provisioning. SCIM Stream includes **SCIM Stream Gateway**, the next generation SCIM Gateway that supports message subscription and automated provisioning
-- Supporting OAuth Client Credentials authentication
+- Supports OAuth Client Credentials authentication
 - Major version v4.0.0. getUsers() and getGroups() replacing some deprecated methods. No limitations on filtering/sorting. Admin user access can be linked to specific baseEntities. New MongoDB plugin  
 - ipAllowList for restricting access to allowlisted IP addresses or subnets e.g. Azure AD IP-range  
 - General LDAP plugin configured for Active Directory  
 - [PlugSSO](https://elshaug.xyz/docs/plugsso) using SCIM Gateway
-- Authentication configuration allowing more than one admin user including option for readOnly
+- Each authentication configuration allowing more than one admin user including option for readOnly
 - Codebase moved from callback of h... to the the promise(d) land of async/await
 - Supports configuration by environments and external files
 - Health monitoring through "/ping" URL, and option for error notifications by email
@@ -49,7 +49,7 @@ SCIM Gateway becomes a standalone SCIM endpoint
 Demonstrates user provisioning towards document-oriented database  
 Using [LokiJS](https://github.com/techfort/LokiJS) for a fast, in-memory document-oriented database (much like MongoDB/PouchDB)  
 Default gives two predefined test users loaded using in-memory only (no persistence)  
-Setting `{"persistence": true}` gives persistence file store (no test users)  
+Configuration `{"persistence": true}` gives persistence file store (no test users)  
 Example of a fully functional SCIM Gateway plugin  
 
 * **MongoDB** (NoSQL Document-Oriented Database)  
@@ -379,11 +379,11 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 
 	Note, we should normally use certificate (https) for communicating with SCIM Gateway unless we install ScimGatway locally on the manager (e.g. on the CA Connector Server). When installed on the manager, we could use `http://localhost:port` or `http://127.0.0.1:port` which will not be passed down to the data link layer for transmission. We could then also set {"localhostonly": true}  
 
-- **ipAllowList** - Array of one or more IPv4/IPv6 subnets (CIDR) allowed for incoming traffic.  E.g. using Azure AD as IdP, we would like to restrict access to IP addresses used by Azure AD. Azure IP-range can be downloaded from: [https://azureipranges.azurewebsites.net](https://azureipranges.azurewebsites.net), enter **AzureActiveDirectory** in the search list and select JSON download. Copy the "addressPrefixes" array content and paste into ipAllowList array. CIDR single IP-host syntax is a.b.c.d/32. Note, front-end HTTP proxy or a load balancer must include **X-Forwarded-For** header. Configuration example:  
+- **ipAllowList** - Array of one or more IPv4/IPv6 subnets (CIDR) allowed for incoming traffic.  E.g. using Azure AD as IdP, we would like to restrict access to IP addresses used by Azure AD. Azure IP-range can be downloaded from: [https://azureipranges.azurewebsites.net](https://azureipranges.azurewebsites.net), enter **AzureActiveDirectory** in the search list and select JSON download. Copy the "addressPrefixes" array content and paste into ipAllowList array. CIDR single IP-host syntax is a.b.c.d/32. Note, front-end HTTP proxy or a load balancer must include client IP-address in the **X-Forwarded-For** header. Configuration example:  
 
         "ipAllowList": [
-          "13.66.60.119/32",
-          "13.66.143.220/30",
+          "13.64.151.161/32",
+          "13.66.141.64/27",
           ...
           "2603:1056:2000::/48",
           "2603:1057:2::/48"
@@ -1146,6 +1146,18 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v4.1.13  
+
+[Fixed]  
+
+- Do not create logs directory or log-file when configuration `log.loglevel.file` not defined or set to `"off"`. This fix will allow SCIM Gateway to run on systems having read-only disk like Google Cloud App Engine Standard    
+
+### v4.1.12  
+
+[Added]  
+
+- Dependencies bump  
+
 ### v4.1.11  
 
 [Fixed]  
@@ -1187,13 +1199,16 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 - Symantec/Broadcom/CA ConnectorXpress configuration file `config\resources\Azure - ScimGateway.xml` for defining the Azure endpoint, have been updated with some new attributes according to plugin-azure-ad.json attribute mappings
 
 ### v4.1.6  
-[Added]
+
+[Added]  
+
 - Dependencies bump  
 
 ### v4.1.5  
+
 [Added]  
 
-Announcing some SCIM Gateway related news:  
+SCIM Gateway related news:  
 
 - [SCIM Stream](https://elshaug.xyz/docs/scim-stream) is the modern way of user provisioning letting clients subscribe to messages instead of traditional IGA top-down provisioning. SCIM Stream includes **SCIM Stream Gateway**, the next generation SCIM Gateway that supports message subscription and automated provisioning
 

package/lib/logger.js

@@ -44,12 +44,12 @@ const Log = function (config, logfile, _this) { // { loglevel: { file: "debug",
 
   const maskSecret = winston.format((info, opts) => {
     // mask json secrets
-    var rePattern = new RegExp(reJson, 'i')
+    let rePattern = new RegExp(reJson, 'i')
     let msg = info.message
     let endPos = msg.length - 1
     let found = false
     do {
-      var arrMatches = msg.substring(0, endPos).match(rePattern)
+      const arrMatches = msg.substring(0, endPos).match(rePattern)
       if (Array.isArray(arrMatches) && arrMatches.length === 3) {
         arrMatches[2] = arrMatches[2].replace(/[-\/\\^$*+?.()|[\]{}]/g, '\\$&') // escaping special regexp characters
         msg = msg.replace(new RegExp(arrMatches[2], 'g'), '********')
@@ -62,7 +62,7 @@ const Log = function (config, logfile, _this) { // { loglevel: { file: "debug",
     rePattern = new RegExp(reXml, 'i')
     endPos = msg.length - 1
     do {
-      arrMatches = msg.substring(0, endPos).match(rePattern)
+      const arrMatches = msg.substring(0, endPos).match(rePattern)
       if (Array.isArray(arrMatches) && arrMatches.length === 3) {
         arrMatches[2] = arrMatches[2].replace(/[-\/\\^$*+?.()|[\]{}]/g, '\\$&')
         msg = msg.replace(new RegExp('>' + arrMatches[2] + '<', 'g'), '>********<')
@@ -98,38 +98,48 @@ const Log = function (config, logfile, _this) { // { loglevel: { file: "debug",
     )
   }
 
-  Log.prototype.logger = winston.createLogger({
-    format: winston.format.combine(
-      maskSecret()
-    ),
-    transports: [
-      new winston.transports.File({
-        level: (config.loglevel.file && arrValidLevel.includes(config.loglevel.file.toLowerCase())) ? config.loglevel.file : 'debug',
-        filename: logfile,
-        handleExceptions: true,
-        format: fileFormat,
-        maxsize: 1024 * 1024 * 20, // 20 MB
-        maxFiles: 5
-      }),
-      new winston.transports.Console({ // note, console logging is synchronous e.g. node.js halts when console window is scrolled
-        level: (config.loglevel.console && arrValidLevel.includes(config.loglevel.console.toLowerCase())) ? config.loglevel.console : 'debug',
-        handleExceptions: true,
-        stderrLevels: ['error'],
-        format: (config.colorize) ? consoleFormat : Log.prototype.unColorize()
+  Log.prototype.logger = () => {
+    if (config.loglevel.file) {
+      return winston.createLogger({
+        format: winston.format.combine(
+          maskSecret()
+        ),
+        transports: [
+          new winston.transports.Console({ // note, console logging is synchronous e.g. node.js halts when console window is scrolled
+            level: (config.loglevel.console && arrValidLevel.includes(config.loglevel.console.toLowerCase())) ? config.loglevel.console : 'debug',
+            handleExceptions: true,
+            stderrLevels: ['error'],
+            format: (config.colorize) ? consoleFormat : Log.prototype.unColorize()
+          }),
+          new winston.transports.File({
+            level: (config.loglevel.file && arrValidLevel.includes(config.loglevel.file.toLowerCase())) ? config.loglevel.file : 'debug',
+            filename: logfile,
+            handleExceptions: true,
+            format: fileFormat,
+            maxsize: 1024 * 1024 * 20, // 20 MB
+            maxFiles: 5
+          })
+        ],
+        exitOnError: false
       })
-    ],
-    exitOnError: false
-  })
-
-  // flush to disk before exit (process.exit in main code will terminate logger and we may have unflushed logfile updates)
-  // note, still asynchronous (using exception is an alternative that gives synchronous flush and program exit)
-  Log.prototype.exitAfterFlush = (code) => {
-    Log.prototype.logger.transports[0].on('flush', function () {
-      process.exit(code)
+    }
+    return winston.createLogger({
+      format: winston.format.combine(
+        maskSecret()
+      ),
+      transports: [
+        new winston.transports.Console({
+          level: (config.loglevel.console && arrValidLevel.includes(config.loglevel.console.toLowerCase())) ? config.loglevel.console : 'debug',
+          handleExceptions: true,
+          stderrLevels: ['error'],
+          format: (config.colorize) ? consoleFormat : Log.prototype.unColorize()
+        })
+      ],
+      exitOnError: false
     })
   }
 
-  const logger = Log.prototype.logger // fix multiple loggers using stream
+  const logger = Log.prototype.logger() // fix multiple loggers using stream
   Log.prototype.stream = {
     write: function (message, encoding) {
       logger.info(message)

package/lib/scimgateway.js

@@ -46,8 +46,8 @@ const ScimGateway = function () {
   const gwName = path.basename(__filename, '.js') // prefix of current file
   const logDir = path.join(path.dirname(requester), '..', 'logs')
   const Log = require('../lib/logger').Log
-  const log = new Log(utils.extendObj(utils.copyObj(config.log), { category: pluginName, colorize: process.stdout.isTTY || false, loglevel: { file: 'debug', console: 'debug' } }), path.join(`${logDir}`, `${pluginName}.log`))
-  const logger = log.logger
+  const log = new Log(utils.extendObj(utils.copyObj(config.log), { category: pluginName, colorize: process.stdout.isTTY || false, loglevel: { file: (!config.log.loglevel.file || config.log.loglevel.file === 'off') ? null : 'debug', console: 'debug' } }), path.join(`${logDir}`, `${pluginName}.log`))
+  const logger = log.logger()
   this.logger = logger // exposed to plugin-code
   this.notValidAttributes = notValidAttributes // exposed to plugin-code
   let pwErrCount = 0
@@ -228,10 +228,12 @@ const ScimGateway = function () {
     logger.error(`${gwName}[${pluginName}] stopping...\n`)
     throw (new Error('Using exception to stop further asynchronous code execution (ensure synchronous logger flush to logfile and exit program), please ignore this one...'))
   }
-  if (!fs.existsSync(logDir)) fs.mkdirSync(logDir)
-  if (!fs.existsSync(configDir + '/wsdls')) fs.mkdirSync(configDir + '/wsdls')
-  if (!fs.existsSync(configDir + '/certs')) fs.mkdirSync(configDir + '/certs')
-  if (!fs.existsSync(configDir + '/schemas')) fs.mkdirSync(configDir + '/schemas')
+
+  try {
+    if (!fs.existsSync(configDir + '/wsdls')) fs.mkdirSync(configDir + '/wsdls')
+    if (!fs.existsSync(configDir + '/certs')) fs.mkdirSync(configDir + '/certs')
+    if (!fs.existsSync(configDir + '/schemas')) fs.mkdirSync(configDir + '/schemas')
+  } catch (err) {}
 
   let isScimv2 = false
   if (config.scim.version === '2.0' || config.scim.version === 2) {
@@ -450,9 +452,9 @@ const ScimGateway = function () {
         if (tokenObj.readOnly === true && method !== 'GET') return reject(new Error('only allowing readOnly for this bearerOAuth according to bearerOAuth configuration readOnly=true'))
         return resolve(true)
       } else {
-        for (let i = 0; i < arr.length; i++) { // resolve if token memory store have been cleared becuase of a gateway restart
-          if (utils.getEncrypted(authToken, arr[i].client_secret) === 'token' && !arr[i].isTokenRequested) {
-            arr[i].isTokenRequested = true // flagged as true to not allow repeated resolvements becuase token will also be cleared when expired
+        for (let i = 0; i < arr.length; i++) { // resolve if token memory store have been cleared because of a gateway restart
+          if (utils.getEncrypted(authToken, arr[i].client_secret) === arr[i].client_secret && !arr[i].isTokenRequested) {
+            arr[i].isTokenRequested = true // flagged as true to not allow repeated resolvements because token will also be cleared when expired
             const baseEntities = utils.copyObj(arr[i].baseEntities)
             let expires
             let readOnly = false
@@ -658,7 +660,7 @@ const ScimGateway = function () {
       for (let i = 0; i < arr.length; i++) {
         if (!arr[i].client_id || !arr[i].client_secret) continue
         if (arr[i].client_id === jsonBody.client_id && arr[i].client_secret === jsonBody.client_secret) { // authentication OK
-          token = utils.getEncrypted('token', jsonBody.client_secret) // client_secret as seed
+          token = utils.getEncrypted(jsonBody.client_secret, jsonBody.client_secret)
           baseEntities = utils.copyObj(arr[i].baseEntities)
           if (arr[i].readOnly && arr[i].readOnly === true) readOnly = true
           if (arr[i].expires_in && !isNaN(arr[i].expires_in)) expires = arr[i].expires_in
@@ -1327,7 +1329,7 @@ const ScimGateway = function () {
           else { // try to get current groups the standard way
             let res
             try {
-              res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: decodeURIComponent(id) }, ['members.value', 'id', 'displayName']) // await scimgateway.getUserGroups(baseEntity, userObj.id, 'members.value,displayName')
+              res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: decodeURIComponent(id) }, ['id', 'displayName'])
             } catch (err) {} // method may be implemented but throwing error like groups not supported/implemented
             currentGroups = []
             if (res && res.Resources && Array.isArray(res.Resources) && res.Resources.length > 0) {
@@ -1421,7 +1423,7 @@ const ScimGateway = function () {
         // include groups
         if (handle.getMethod === handler.users.getMethod && typeof this[handler.groups.getMethod] === 'function') {
           logger.debug(`${gwName}[${pluginName}] calling "${handler.groups.getMethod}" and awaiting result`)
-          const res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: id }, ['members.value', 'id', 'displayName'])
+          const res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: id }, ['id', 'displayName'])
           let grps = []
           if (res && res.Resources && Array.isArray(res.Resources)) grps = res.Resources
           else if (Array.isArray(res)) grps = res

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "4.1.11",
+  "version": "4.1.13",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",
   "homepage": "https://elshaug.xyz",
@@ -37,18 +37,18 @@
     "https-proxy-agent": "^5.0.1",
     "is-in-subnet": "^4.0.1",
     "jsonwebtoken": "^8.5.1",
-    "koa": "^2.13.4",
+    "koa": "^2.14.0",
     "koa-bodyparser": "^4.3.0",
     "koa-router": "^12.0.0",
     "ldapjs": "^2.3.3",
     "lokijs": "^1.5.12",
-    "mongodb": "^4.10.0",
+    "mongodb": "^4.12.1",
     "node-machine-id": "1.1.9",
-    "nodemailer": "^6.7.8",
+    "nodemailer": "^6.8.0",
     "passport": "^0.6.0",
     "passport-azure-ad": "^4.3.4",
     "soap": "^0.45.0",
-    "tedious": "^15.1.0",
+    "tedious": "^15.1.2",
     "winston": "^3.8.2"
   },
   "devDependencies": {