scimgateway 4.2.2 → 4.2.5

package/lib/plugin-mssql.js

@@ -66,8 +66,10 @@ config = scimgateway.processExtConfig(pluginName, config) // add any external co
 scimgateway.authPassThroughAllowed = false // true enables auth passThrough (no scimgateway authentication). scimgateway instead includes ctx (ctx.request.header) in plugin methods. Note, requires plugin-logic for handling/passing ctx.request.header.authorization to be used in endpoint communication
 // mandatory plugin initialization - end
 
-const sqlPassword = scimgateway.getPassword('endpoint.connection.authentication.options.password', configFile)
-config.connection.authentication.options.password = sqlPassword // Connection using config.connection
+if (config?.connection?.authentication?.options?.password) {
+  const sqlPassword = scimgateway.getPassword('endpoint.connection.authentication.options.password', configFile)
+  config.connection.authentication.options.password = sqlPassword
+}
 
 // =================================================
 // getUsers
@@ -119,7 +121,17 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
         Resources: [],
         totalResults: null
       }
-      const connection = new Connection(config.connection)
+
+      const connectionCfg = scimgateway.copyObj(config.connection)
+      if (ctx?.request?.header?.authorization) { // Auth PassThrough (don't use configuration password)
+        if (!connectionCfg.authentication) connectionCfg.authentication = {}
+        if (!connectionCfg.authentication.type) connectionCfg.authentication.type = 'default'
+        if (!connectionCfg.authentication.options) connectionCfg.authentication.options = {}
+        const [username, password] = getCtxAuth(ctx)
+        connectionCfg.authentication.options.password = password
+        if (username) connectionCfg.authentication.options.userName = username
+      }
+      const connection = new Connection(connectionCfg)
 
       connection.on('connect', function (err) {
         if (err) {
@@ -190,7 +202,16 @@ scimgateway.createUser = async (baseEntity, userObj, ctx) => {
         Email: (userObj.emails.work.value) ? `'${userObj.emails.work.value}'` : null
       }
 
-      const connection = new Connection(config.connection)
+      const connectionCfg = scimgateway.copyObj(config.connection)
+      if (ctx?.request?.header?.authorization) { // Auth PassThrough (don't use configuration password)
+        if (!connectionCfg.authentication) connectionCfg.authentication = {}
+        if (!connectionCfg.authentication.type) connectionCfg.authentication.type = 'default'
+        if (!connectionCfg.authentication.options) connectionCfg.authentication.options = {}
+        const [username, password] = getCtxAuth(ctx)
+        connectionCfg.authentication.options.password = password
+        if (username) connectionCfg.authentication.options.userName = username
+      }
+      const connection = new Connection(connectionCfg)
 
       connection.on('connect', function (err) {
         if (err) {
@@ -227,7 +248,16 @@ scimgateway.deleteUser = async (baseEntity, id, ctx) => {
 
   try {
     return await new Promise((resolve, reject) => {
-      const connection = new Connection(config.connection)
+      const connectionCfg = scimgateway.copyObj(config.connection)
+      if (ctx?.request?.header?.authorization) { // Auth PassThrough (don't use configuration password)
+        if (!connectionCfg.authentication) connectionCfg.authentication = {}
+        if (!connectionCfg.authentication.type) connectionCfg.authentication.type = 'default'
+        if (!connectionCfg.authentication.options) connectionCfg.authentication.options = {}
+        const [username, password] = getCtxAuth(ctx)
+        connectionCfg.authentication.options.password = password
+        if (username) connectionCfg.authentication.options.userName = username
+      }
+      const connection = new Connection(connectionCfg)
 
       connection.on('connect', function (err) {
         if (err) {
@@ -301,7 +331,17 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
       }
 
       sql = sql.substr(0, sql.length - 1) // remove trailing ","
-      const connection = new Connection(config.connection)
+
+      const connectionCfg = scimgateway.copyObj(config.connection)
+      if (ctx?.request?.header?.authorization) { // Auth PassThrough (don't use configuration password)
+        if (!connectionCfg.authentication) connectionCfg.authentication = {}
+        if (!connectionCfg.authentication.type) connectionCfg.authentication.type = 'default'
+        if (!connectionCfg.authentication.options) connectionCfg.authentication.options = {}
+        const [username, password] = getCtxAuth(ctx)
+        connectionCfg.authentication.options.password = password
+        if (username) connectionCfg.authentication.options.userName = username
+      }
+      const connection = new Connection(connectionCfg)
 
       connection.on('connect', function (err) {
         if (err) {
@@ -397,6 +437,18 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
 // helpers
 // =================================================
 
+//
+// getCtxAuth returns username/secret from ctx header when using Auth PassThrough
+//
+const getCtxAuth = (ctx) => { // eslint-disable-line
+  if (!ctx?.request?.header?.authorization) return []
+  const [authType, authToken] = (ctx.request.header.authorization || '').split(' ') // [0] = 'Basic' or 'Bearer'
+  let username, password
+  if (authType === 'Basic') [username, password] = (Buffer.from(authToken, 'base64').toString() || '').split(':')
+  if (username) return [username, password] // basic auth
+  else return [undefined, authToken] // bearer auth
+}
+
 //
 // Cleanup on exit
 //

package/lib/plugin-scim.js

@@ -119,7 +119,7 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
   }
 
   try {
-    const response = await doRequest(baseEntity, method, path, body)
+    const response = await doRequest(baseEntity, method, path, body, ctx)
     if (response.statusCode < 200 || response.statusCode > 299) {
       throw new Error(`${response.statusMessage} - ${JSON.stringify(response.body)}`)
     } else if (!response.body) {
@@ -220,7 +220,7 @@ scimgateway.createUser = async (baseEntity, userObj, ctx) => {
   }
 
   try {
-    const response = await doRequest(baseEntity, method, path, body)
+    const response = await doRequest(baseEntity, method, path, body, ctx)
     if (response.statusCode < 200 || response.statusCode > 299) {
       throw new Error(`${response.statusMessage} - ${JSON.stringify(response.body)}`)
     }
@@ -330,7 +330,7 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
   }
 
   try {
-    const response = await doRequest(baseEntity, method, path, body)
+    const response = await doRequest(baseEntity, method, path, body, ctx)
     if (response.statusCode < 200 || response.statusCode > 299) {
       throw new Error(`${response.statusMessage} - ${JSON.stringify(response.body)}`)
     }
@@ -394,7 +394,7 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
   }
 
   try {
-    const response = await doRequest(baseEntity, method, path, body)
+    const response = await doRequest(baseEntity, method, path, body, ctx)
     if (response.statusCode < 200 || response.statusCode > 299) {
       throw new Error(`${response.statusMessage} - ${JSON.stringify(response.body)}`)
     } else if (!response.body) {
@@ -444,7 +444,7 @@ scimgateway.createGroup = async (baseEntity, groupObj, ctx) => {
   const body = { displayName: groupObj.displayName }
 
   try {
-    const response = await doRequest(baseEntity, method, path, body)
+    const response = await doRequest(baseEntity, method, path, body, ctx)
     if (response.statusCode < 200 || response.statusCode > 299) {
       throw new Error(`${response.statusMessage} - ${JSON.stringify(response.body)}`)
     }
@@ -466,7 +466,7 @@ scimgateway.deleteGroup = async (baseEntity, id, ctx) => {
   const body = null
 
   try {
-    const response = await doRequest(baseEntity, method, path, body)
+    const response = await doRequest(baseEntity, method, path, body, ctx)
     if (response.statusCode < 200 || response.statusCode > 299) {
       throw new Error(`${response.statusMessage} - ${JSON.stringify(response.body)}`)
     }
@@ -538,7 +538,7 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
   const path = `/Groups/${id}`
 
   try {
-    const response = await doRequest(baseEntity, method, path, body)
+    const response = await doRequest(baseEntity, method, path, body, ctx)
     if (response.statusCode < 200 || response.statusCode > 299) {
       throw new Error(`${response.statusMessage} - ${JSON.stringify(response.body)}`)
     }
@@ -552,6 +552,24 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
 // helpers
 // =================================================
 
+const getClientIdentifier = (ctx) => {
+  if (!ctx?.request?.header?.authorization) return undefined
+  const [user, secret] = getCtxAuth(ctx)
+  return `${encodeURIComponent(user)}_${encodeURIComponent(secret)}` // user_password or undefined_password
+}
+
+//
+// getCtxAuth returns username/secret from ctx header when using Auth PassThrough
+//
+const getCtxAuth = (ctx) => { // eslint-disable-line
+  if (!ctx?.request?.header?.authorization) return []
+  const [authType, authToken] = (ctx.request.header.authorization || '').split(' ') // [0] = 'Basic' or 'Bearer'
+  let username, password
+  if (authType === 'Basic') [username, password] = (Buffer.from(authToken, 'base64').toString() || '').split(':')
+  if (username) return [username, password] // basic auth
+  else return [undefined, authToken] // bearer auth
+}
+
 //
 // getServiceClient - returns options needed for connection parameters
 //
@@ -561,7 +579,7 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
 //   path = url e.g. "http(s)://<host>:<port>/xxx/yyy", then using the url host/port/protocol
 //          opt (options) may be needed e.g {auth: {username: "username", password: "password"} }
 //
-const getServiceClient = async (baseEntity, method, path, opt) => {
+const getServiceClient = async (baseEntity, method, path, opt, ctx) => {
   const action = 'getServiceClient'
 
   let urlObj
@@ -572,7 +590,8 @@ const getServiceClient = async (baseEntity, method, path, opt) => {
     //
     // path (no url) - default approach and client will be cached based on config
     //
-    if (_serviceClient[baseEntity]) { // serviceClient already exist
+    const clientIdentifier = getClientIdentifier(ctx)
+    if (_serviceClient[baseEntity] && _serviceClient[baseEntity][clientIdentifier]) { // serviceClient already exist
       scimgateway.logger.debug(`${pluginName}[${baseEntity}] ${action}: Using existing client`)
     } else {
       scimgateway.logger.debug(`${pluginName}[${baseEntity}] ${action}: Client have to be created`)
@@ -589,7 +608,8 @@ const getServiceClient = async (baseEntity, method, path, opt) => {
           json: true, // json-object response instead of string
           headers: {
             'Content-Type': 'application/json',
-            Authorization: 'Basic ' + Buffer.from(`${config.entity[baseEntity].username}:${scimgateway.getPassword(`endpoint.entity.${baseEntity}.password`, configFile)}`).toString('base64')
+            // Auth PassThrough or configuration, using ctx "AS-IS" header for PassThrough. For more advanced logic use getCtxAuth(ctx) - see examples in other plugins
+            Authorization: ctx?.request?.header?.authorization ? ctx.request.header.authorization : 'Basic ' + Buffer.from(`${config.entity[baseEntity].username}:${scimgateway.getPassword(`endpoint.entity.${baseEntity}.password`, configFile)}`).toString('base64')
           },
           host: urlObj.hostname,
           port: urlObj.port, // null if https and 443 defined in url
@@ -609,13 +629,14 @@ const getServiceClient = async (baseEntity, method, path, opt) => {
       }
 
       if (!_serviceClient[baseEntity]) _serviceClient[baseEntity] = {}
-      _serviceClient[baseEntity] = param // serviceClient created
+      if (!_serviceClient[baseEntity][clientIdentifier]) _serviceClient[baseEntity][clientIdentifier] = {}
+      _serviceClient[baseEntity][clientIdentifier] = param // serviceClient created
     }
 
-    const cli = scimgateway.copyObj(_serviceClient[baseEntity]) // client ready
+    const cli = scimgateway.copyObj(_serviceClient[baseEntity][clientIdentifier]) // client ready
 
     // failover support
-    path = _serviceClient[baseEntity].baseUrl + path
+    path = _serviceClient[baseEntity][clientIdentifier].baseUrl + path
     urlObj = new URL(path)
     cli.options.host = urlObj.hostname
     cli.options.port = urlObj.port
@@ -668,16 +689,16 @@ const getServiceClient = async (baseEntity, method, path, opt) => {
   return cli // final client
 }
 
-const updateServiceClient = (baseEntity, obj) => {
-  if (_serviceClient[baseEntity]) _serviceClient[baseEntity] = scimgateway.extendObj(_serviceClient[baseEntity], obj) // merge with argument options
+const updateServiceClient = (baseEntity, clientIdentifier, obj) => {
+  if (_serviceClient[baseEntity] && _serviceClient[baseEntity][clientIdentifier]) _serviceClient[baseEntity][clientIdentifier] = scimgateway.extendObj(_serviceClient[baseEntity][clientIdentifier], obj) // merge with argument options
 }
 
 //
 // doRequest - execute REST service
 //
-const doRequest = async (baseEntity, method, path, body, opt, retryCount) => {
+const doRequest = async (baseEntity, method, path, body, ctx, opt, retryCount) => {
   try {
-    const cli = await getServiceClient(baseEntity, method, path, opt)
+    const cli = await getServiceClient(baseEntity, method, path, opt, ctx)
     const options = cli.options
     const result = await new Promise((resolve, reject) => {
       let dataString = ''
@@ -732,15 +753,18 @@ const doRequest = async (baseEntity, method, path, body, opt, retryCount) => {
     return result
   } catch (err) { // includes failover/retry logic based on config baseUrls array
     scimgateway.logger.error(`${pluginName}[${baseEntity}] doRequest ${method} ${path} Body = ${JSON.stringify(body)} Error Response = ${err.message}`)
+    let statusCode
+    try { statusCode = JSON.parse(err.message).statusCode } catch (e) {}
+    const clientIdentifier = getClientIdentifier(ctx)
     if (!retryCount) retryCount = 0
     let urlObj
     try { urlObj = new URL(path) } catch (err) {}
     if (!urlObj && (err.code === 'ECONNREFUSED' || err.code === 'ENOTFOUND')) {
       if (retryCount < config.entity[baseEntity].baseUrls.length) {
         retryCount++
-        updateServiceClient(baseEntity, { baseUrl: config.entity[baseEntity].baseUrls[retryCount - 1] })
+        updateServiceClient(baseEntity, clientIdentifier, { baseUrl: config.entity[baseEntity].baseUrls[retryCount - 1] })
         scimgateway.logger.debug(`${pluginName}[${baseEntity}] ${(config.entity[baseEntity].baseUrls.length > 1) ? 'failover ' : ''}retry[${retryCount}] using baseUrl = ${_serviceClient[baseEntity].baseUrl}`)
-        const ret = await doRequest(baseEntity, method, path, body, opt, retryCount) // retry
+        const ret = await doRequest(baseEntity, method, path, body, ctx, opt, retryCount) // retry
         return ret // problem fixed
       } else {
         const newerr = new Error(err.message)
@@ -748,7 +772,18 @@ const doRequest = async (baseEntity, method, path, body, opt, retryCount) => {
         newerr.message = newerr.message.replace('ENOTFOUND', 'UnableConnectingHost') // avoid returning ENOTFOUND error
         throw newerr
       }
-    } else throw err // CA IM retries getUsers failure once (retry 6 times on ECONNREFUSED)
+    } else {
+      if (statusCode === 401) {
+        if (_serviceClient[baseEntity]) delete _serviceClient[baseEntity][clientIdentifier]
+        err.message = JSON.stringify( // don't reveal original message
+          {
+            statusCode: 401,
+            error: 'Access denied'
+          }
+        )
+      }
+      throw err // CA IM retries getUsers failure once (retry 6 times on ECONNREFUSED)
+    }
   }
 } // doRequest
 

package/lib/scimgateway.js

@@ -2604,7 +2604,7 @@ const addSchemas = (data, type, isScimv2, location) => {
   return data
 }
 
-// addPrimaryAttrs cheks for primary attributes and add them as standalone attributes
+// addPrimaryAttrs cheks for primary attributes (only for roles) and add them as standalone attributes
 // some IdP's may check for these e.g. Azure
 // e.g. {roles: [{value: "val1", primary: "True"}]}
 // gives:
@@ -2613,33 +2613,19 @@ const addSchemas = (data, type, isScimv2, location) => {
 //   roles[primary eq "True"].primary: "True"}]
 // }
 const addPrimaryAttrs = (obj) => {
+  const key = 'roles'
   if (!obj || typeof obj !== 'object') return obj
-  let arrObj
-  if (!Array.isArray(obj)) arrObj = [obj]
-  else {
-    if (obj.length < 1) return obj
-    arrObj = obj
-  }
-  let arrRet = []
-  arrRet = arrObj.map(obj => {
-    const o = utils.copyObj(obj)
-    for (const key in o) {
-      if (Array.isArray(o[key]) && key !== 'groups' && key !== 'members') {
-        // check for primary attribute
-        const index = o[key].findIndex(el => (el.primary === true || (typeof el.primary === 'string' && el.primary.toLowerCase() === 'true')))
-        if (index >= 0) {
-          const prim = o[key][index]
-          for (const k in prim) {
-            const primKey = `${key}[primary eq ${typeof prim.primary === 'string' ? `"${prim.primary}"` : prim.primary}].${k}` // roles[primary eq true].value / roles[primary eq "True"].value``
-            o[primKey] = prim[k] // { roles[primary eq true].value : "some-value" }
-          }
-        }
-      }
+  if (!obj[key] || !Array.isArray(obj[key])) return obj
+  const o = utils.copyObj(obj)
+  const index = o[key].findIndex(el => (el.primary === true || (typeof el.primary === 'string' && el.primary.toLowerCase() === 'true')))
+  if (index >= 0) {
+    const prim = o[key][index]
+    for (const k in prim) {
+      const primKey = `${key}[primary eq ${typeof prim.primary === 'string' ? `"${prim.primary}"` : prim.primary}].${k}` // roles[primary eq true].value / roles[primary eq "True"].value``
+      o[primKey] = prim[k] // { roles[primary eq true].value : "some-value" }
     }
-    return o
-  })
-  if (!Array.isArray(obj)) return arrRet[0]
-  return arrRet
+  }
+  return o
 }
 
 //

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "4.2.2",
+  "version": "4.2.5",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",
   "homepage": "https://elshaug.xyz",
@@ -29,7 +29,7 @@
     "iga"
   ],
   "engines": {
-    "node": ">=7.6.0"
+    "node": ">=14.0.0"
   },
   "dependencies": {
     "@godaddy/terminus": "^4.11.2",