scimgateway 4.1.9 → 4.1.11
- package/README.md +20 -0
- package/config/plugin-api.json +3 -4
- package/config/plugin-azure-ad.json +2 -1
- package/config/plugin-forwardinc.json +2 -1
- package/config/plugin-ldap.json +4 -9
- package/config/plugin-loki.json +2 -1
- package/config/plugin-mongodb.json +2 -1
- package/config/plugin-mssql.json +2 -1
- package/config/plugin-saphana.json +2 -1
- package/config/plugin-scim.json +4 -7
- package/lib/scimgateway.js +9 -8
- package/package.json +1 -1
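--- a/package/README.md
+++ b/package/README.md
@@ -206,6 +206,7 @@ Below shows an example of config\plugin-saphana.json
 "scimgateway": {
 "port": 8884,
 "localhostonly": false,
+"payloadSize": null,
 "scim": {
 "version": "2.0",
 "customSchema": null,
@@ -307,6 +308,8 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 
 - **localhostonly** - true or false. False means gateway accepts incoming requests from all clients. True means traffic from only localhost (127.0.0.1) is accepted (gateway must then be installed on the CA Connector Server).
 
+- **payloadSize** - if not defined, default "1mb" will be used. There are cases which large groups could exceed default size and you may want to increase by setting your own size
+
 - **scim.version** - "1.1" or "2.0". Default is "2.0". For Symantec/Broadcom/CA Identity Manager "1.1" should be used.
 
 - **scim.customSchema** - filename of JSON file located in `<package-root>\config\schemas` containing custom schema attributes, see configuration notes
@@ -1143,6 +1146,23 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log
 
+### v4.1.11
+
+[Fixed]
+
+- basic auth logon dialog should not show up when not configured
+
+### v4.1.10
+
+[Added]
+
+- new plugin configuration `payloadSize`. If not defined, default "1mb" will be used. There are cases which large groups could exceed default size and you may want to increase by setting your own size e.g. "5mb"
+**Thanks to Sam Murphy**
+
+[Fixed]
+
+- using `GET /Users`, scimgateway automatically adds groups if not included by plugin. This operation calls plugin getGroups having attributes=['members.value', 'id', 'displayName']. Now, `members.value` is excluded. This attribute was in use and could cause unneeded load when having many group members.
+
 ### v4.1.9
 
 [Fixed]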
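--- a/package/config/plugin-api.json
+++ b/package/config/plugin-api.json
@@ -2,6 +2,7 @@
 "scimgateway": {
 "port": 8890,
 "localhostonly": false,
+"payloadSize": null,
 "scim": {
 "version": "2.0",
 "customSchema": null,
@@ -86,9 +87,7 @@
 "endpoint": {
 "entity": {
 "undefined": {
-"baseUrls": [
-"http://fakerestapi.azurewebsites.net"
-],
+"baseUrls": ["http://fakerestapi.azurewebsites.net"],
 "username": "endpointuser",
 "password": "password",
 "proxy": {
@@ -99,4 +98,4 @@
 }
 }
 }
-}
+}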
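--- a/package/config/plugin-ldap.json
+++ b/package/config/plugin-ldap.json
@@ -2,6 +2,7 @@
 "scimgateway": {
 "port": 8883,
 "localhostonly": false,
+"payloadSize": null,
 "scim": {
 "version": "2.0",
 "customSchema": null,
@@ -86,10 +87,7 @@
 "endpoint": {
 "entity": {
 "undefined": {
-"baseUrls": [
-"ldaps://dc1.test.com:636",
-"ldaps://dc2.test.com:636"
-],
+"baseUrls": ["ldaps://dc1.test.com:636", "ldaps://dc2.test.com:636"],
 "username": "CN=Administrator,CN=Users,DC=test,DC=com",
 "password": "password",
 "ldap": {
@@ -105,10 +103,7 @@
 "organizationalPerson",
 "top"
 ],
-"groupObjectClasses": [
-"group",
-"top"
-]
+"groupObjectClasses": ["group", "top"]
 }
 }
 },
@@ -223,4 +218,4 @@
 }
 }
 }
-}
+}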
package/config/plugin-loki.json
CHANGED
package/config/plugin-mssql.json
CHANGED
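--- a/package/config/plugin-scim.json
+++ b/package/config/plugin-scim.json
@@ -2,6 +2,7 @@
 "scimgateway": {
 "port": 8886,
 "localhostonly": false,
+"payloadSize": null,
 "scim": {
 "version": "2.0",
 "customSchema": null,
@@ -86,9 +87,7 @@
 "endpoint": {
 "entity": {
 "undefined": {
-"baseUrls": [
-"http://localhost:8880"
-],
+"baseUrls": ["http://localhost:8880"],
 "scimVersion": "2.0",
 "username": "gwadmin",
 "password": "password",
@@ -99,9 +98,7 @@
 }
 },
 "clientA": {
-"baseUrls": [
-"http://localhost:8880"
-],
+"baseUrls": ["http://localhost:8880"],
 "scimVersion": "2.0",
 "username": "gwadmin",
 "password": "password",
@@ -113,4 +110,4 @@
 }
 }
 }
-}
+}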
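--- a/package/lib/scimgateway.js
+++ b/package/lib/scimgateway.js
@@ -123,7 +123,7 @@ const ScimGateway = function () {
 logger.error(`${gwName}[${pluginName}] getPassword error: ${err.message}`)
 throw err // above logger.error included because this unhanledExcepton will be handled by winston and may fail with an other internal winston error e.g. related to memoryUsage collection logic when running in unikernel
 }
-if (arr[i].password) foundBasic = true
+if (arr[i].username && arr[i].password) foundBasic = true
 }
 if (!foundBasic) config.auth.basic = []
 }
@@ -223,7 +223,7 @@ const ScimGateway = function () {
 if (config.certificate.pfx.password) pwPfxPassword = ScimGateway.prototype.getPassword('scimgateway.certificate.pfx.password', configFile)
 if (config.emailOnError.smtp.password) config.emailOnError.smtp.password = ScimGateway.prototype.getPassword('scimgateway.emailOnError.smtp.password', configFile)
 
-if (!foundBasic && !foundBearerToken && !foundBearerJwtAzure && !foundBearerJwt) {
+if (!foundBasic && !foundBearerToken && !foundBearerJwtAzure && !foundBearerJwt && !foundBearerOAuth) {
 logger.error(`${gwName}[${pluginName}] Scimgateway password decryption failed or no password defined`)
 logger.error(`${gwName}[${pluginName}] stopping...\n`)
 throw (new Error('Using exception to stop further asynchronous code execution (ensure synchronous logger flush to logfile and exit program), please ignore this one...'))
@@ -505,7 +505,7 @@ const ScimGateway = function () {
 logger.debug(`${gwName}[${pluginName}] request jwt.decode(authToken) = ${JSON.stringify(jwt.decode(authToken))}`)
 }
 if (authType === 'Bearer') ctx.set('WWW-Authenticate', 'Bearer realm=""')
-else ctx.set('WWW-Authenticate', 'Basic realm=""')
+else if (foundBasic) ctx.set('WWW-Authenticate', 'Basic realm=""')
 ctx.set('Content-Type', 'application/json; charset=utf-8')
 ctx.status = 401
 ctx.body = { error: 'Access denied' }
@@ -578,7 +578,8 @@ const ScimGateway = function () {
 app.use(bodyParser({ // parsed body store in ctx.request.body
 enableTypes: ['json', 'form'],
 extendTypes: { json: ['application/scim+json', 'text/plain'] },
-formTypes: { form: ['application/x-www-form-urlencoded'] }
+formTypes: { form: ['application/x-www-form-urlencoded'] },
+jsonLimit: (!config.payloadSize) ? undefined : config.payloadSize // default '1mb'
 }))
 app.use(ipAllowList)
 app.use(auth) // authentication before routes
@@ -787,7 +788,7 @@ const ScimGateway = function () {
 logger.debug(`${gwName}[${pluginName}] calling "${handler.groups.getMethod}" and awaiting result - groups to be included`)
 let res
 try {
-res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: getObj.value }, ['
+res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: getObj.value }, ['id', 'displayName'])
 } catch (err) {} // method may be implemented but throwing error like groups not supported/implemented
 if (res && res.Resources && Array.isArray(res.Resources) && res.Resources.length > 0) {
 userObj.groups = []
@@ -798,7 +799,7 @@ const ScimGateway = function () {
 if (res.Resources[i].displayName) el.display = res.Resources[i].displayName
 if (isScimv2) el.type = 'direct'
 else el.type = { value: 'direct' }
-
+userObj.groups.push(el) // { "value": "Admins", "display": "Admins", "type": "direct"}
 }
 }
 }
@@ -991,7 +992,7 @@ const ScimGateway = function () {
 logger.debug(`${gwName}[${pluginName}] calling "${handler.groups.getMethod}" and awaiting result - groups to be included`)
 let res
 try {
-res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: decodeURIComponent(userObj.id) }, ['
+res = await this[handler.groups.getMethod](ctx.params.baseEntity, { attribute: 'members.value', operator: 'eq', value: decodeURIComponent(userObj.id) }, ['id', 'displayName']) // await scimgateway.getUserGroups(baseEntity, userObj.id, 'members.value,displayName')
 } catch (err) {} // method may be implemented but throwing error like groups not supported/implemented
 if (res && res.Resources && Array.isArray(res.Resources) && res.Resources.length > 0) {
 userObj.groups = []
@@ -1002,7 +1003,7 @@ const ScimGateway = function () {
 if (res.Resources[i].displayName) el.display = res.Resources[i].displayName
 if (isScimv2) el.type = 'direct'
 else el.type = { value: 'direct' }
-
+userObj.groups.push(el) // { "value": "Admins", "display": "Admins", "type": "direct"}
 }
 }
 }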
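--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "scimgateway",
-"version": "4.1.
+"version": "4.1.11",
 "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
 "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",
 "homepage": "https://elshaug.xyz",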