npm - scimgateway - Versions diffs - 4.2.3 → 4.2.5 - Mend

scimgateway 4.2.3 → 4.2.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/.travis.yml +1 -1
package/README.md +12 -0
package/lib/plugin-api.js +55 -21
package/lib/plugin-azure-ad.js +85 -45
package/lib/plugin-forwardinc.js +35 -14
package/lib/plugin-ldap.js +45 -29
package/lib/plugin-mongodb.js +67 -19
package/lib/plugin-mssql.js +58 -6
package/lib/plugin-scim.js +55 -20
package/package.json +2 -2

package/lib/plugin-scim.js CHANGED Viewed

@@ -119,7 +119,7 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
   }
   try {
-    const response = await doRequest(baseEntity, method, path, body)
+    const response = await doRequest(baseEntity, method, path, body, ctx)
     if (response.statusCode < 200 || response.statusCode > 299) {
       throw new Error(`${response.statusMessage} - ${JSON.stringify(response.body)}`)
     } else if (!response.body) {
@@ -220,7 +220,7 @@ scimgateway.createUser = async (baseEntity, userObj, ctx) => {
   }
   try {
-    const response = await doRequest(baseEntity, method, path, body)
+    const response = await doRequest(baseEntity, method, path, body, ctx)
     if (response.statusCode < 200 || response.statusCode > 299) {
       throw new Error(`${response.statusMessage} - ${JSON.stringify(response.body)}`)
     }
@@ -330,7 +330,7 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
   }
   try {
-    const response = await doRequest(baseEntity, method, path, body)
+    const response = await doRequest(baseEntity, method, path, body, ctx)
     if (response.statusCode < 200 || response.statusCode > 299) {
       throw new Error(`${response.statusMessage} - ${JSON.stringify(response.body)}`)
     }
@@ -394,7 +394,7 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
   }
   try {
-    const response = await doRequest(baseEntity, method, path, body)
+    const response = await doRequest(baseEntity, method, path, body, ctx)
     if (response.statusCode < 200 || response.statusCode > 299) {
       throw new Error(`${response.statusMessage} - ${JSON.stringify(response.body)}`)
     } else if (!response.body) {
@@ -444,7 +444,7 @@ scimgateway.createGroup = async (baseEntity, groupObj, ctx) => {
   const body = { displayName: groupObj.displayName }
   try {
-    const response = await doRequest(baseEntity, method, path, body)
+    const response = await doRequest(baseEntity, method, path, body, ctx)
     if (response.statusCode < 200 || response.statusCode > 299) {
       throw new Error(`${response.statusMessage} - ${JSON.stringify(response.body)}`)
     }
@@ -466,7 +466,7 @@ scimgateway.deleteGroup = async (baseEntity, id, ctx) => {
   const body = null
   try {
-    const response = await doRequest(baseEntity, method, path, body)
+    const response = await doRequest(baseEntity, method, path, body, ctx)
     if (response.statusCode < 200 || response.statusCode > 299) {
       throw new Error(`${response.statusMessage} - ${JSON.stringify(response.body)}`)
     }
@@ -538,7 +538,7 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
   const path = `/Groups/${id}`
   try {
-    const response = await doRequest(baseEntity, method, path, body)
+    const response = await doRequest(baseEntity, method, path, body, ctx)
     if (response.statusCode < 200 || response.statusCode > 299) {
       throw new Error(`${response.statusMessage} - ${JSON.stringify(response.body)}`)
     }
@@ -552,6 +552,24 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
 // helpers
 // =================================================
+const getClientIdentifier = (ctx) => {
+  if (!ctx?.request?.header?.authorization) return undefined
+  const [user, secret] = getCtxAuth(ctx)
+  return `${encodeURIComponent(user)}_${encodeURIComponent(secret)}` // user_password or undefined_password
+}
+//
+// getCtxAuth returns username/secret from ctx header when using Auth PassThrough
+//
+const getCtxAuth = (ctx) => { // eslint-disable-line
+  if (!ctx?.request?.header?.authorization) return []
+  const [authType, authToken] = (ctx.request.header.authorization || '').split(' ') // [0] = 'Basic' or 'Bearer'
+  let username, password
+  if (authType === 'Basic') [username, password] = (Buffer.from(authToken, 'base64').toString() || '').split(':')
+  if (username) return [username, password] // basic auth
+  else return [undefined, authToken] // bearer auth
+}
 //
 // getServiceClient - returns options needed for connection parameters
 //
@@ -561,7 +579,7 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
 //   path = url e.g. "http(s)://<host>:<port>/xxx/yyy", then using the url host/port/protocol
 //          opt (options) may be needed e.g {auth: {username: "username", password: "password"} }
 //
-const getServiceClient = async (baseEntity, method, path, opt) => {
+const getServiceClient = async (baseEntity, method, path, opt, ctx) => {
   const action = 'getServiceClient'
   let urlObj
@@ -572,7 +590,8 @@ const getServiceClient = async (baseEntity, method, path, opt) => {
     //
     // path (no url) - default approach and client will be cached based on config
     //
-    if (_serviceClient[baseEntity]) { // serviceClient already exist
+    const clientIdentifier = getClientIdentifier(ctx)
+    if (_serviceClient[baseEntity] && _serviceClient[baseEntity][clientIdentifier]) { // serviceClient already exist
       scimgateway.logger.debug(`${pluginName}[${baseEntity}] ${action}: Using existing client`)
     } else {
       scimgateway.logger.debug(`${pluginName}[${baseEntity}] ${action}: Client have to be created`)
@@ -589,7 +608,8 @@ const getServiceClient = async (baseEntity, method, path, opt) => {
           json: true, // json-object response instead of string
           headers: {
             'Content-Type': 'application/json',
-            Authorization: 'Basic ' + Buffer.from(`${config.entity[baseEntity].username}:${scimgateway.getPassword(`endpoint.entity.${baseEntity}.password`, configFile)}`).toString('base64')
+            // Auth PassThrough or configuration, using ctx "AS-IS" header for PassThrough. For more advanced logic use getCtxAuth(ctx) - see examples in other plugins
+            Authorization: ctx?.request?.header?.authorization ? ctx.request.header.authorization : 'Basic ' + Buffer.from(`${config.entity[baseEntity].username}:${scimgateway.getPassword(`endpoint.entity.${baseEntity}.password`, configFile)}`).toString('base64')
           },
           host: urlObj.hostname,
           port: urlObj.port, // null if https and 443 defined in url
@@ -609,13 +629,14 @@ const getServiceClient = async (baseEntity, method, path, opt) => {
       }
       if (!_serviceClient[baseEntity]) _serviceClient[baseEntity] = {}
-      _serviceClient[baseEntity] = param // serviceClient created
+      if (!_serviceClient[baseEntity][clientIdentifier]) _serviceClient[baseEntity][clientIdentifier] = {}
+      _serviceClient[baseEntity][clientIdentifier] = param // serviceClient created
     }
-    const cli = scimgateway.copyObj(_serviceClient[baseEntity]) // client ready
+    const cli = scimgateway.copyObj(_serviceClient[baseEntity][clientIdentifier]) // client ready
     // failover support
-    path = _serviceClient[baseEntity].baseUrl + path
+    path = _serviceClient[baseEntity][clientIdentifier].baseUrl + path
     urlObj = new URL(path)
     cli.options.host = urlObj.hostname
     cli.options.port = urlObj.port
@@ -668,16 +689,16 @@ const getServiceClient = async (baseEntity, method, path, opt) => {
   return cli // final client
 }
-const updateServiceClient = (baseEntity, obj) => {
-  if (_serviceClient[baseEntity]) _serviceClient[baseEntity] = scimgateway.extendObj(_serviceClient[baseEntity], obj) // merge with argument options
+const updateServiceClient = (baseEntity, clientIdentifier, obj) => {
+  if (_serviceClient[baseEntity] && _serviceClient[baseEntity][clientIdentifier]) _serviceClient[baseEntity][clientIdentifier] = scimgateway.extendObj(_serviceClient[baseEntity][clientIdentifier], obj) // merge with argument options
 }
 //
 // doRequest - execute REST service
 //
-const doRequest = async (baseEntity, method, path, body, opt, retryCount) => {
+const doRequest = async (baseEntity, method, path, body, ctx, opt, retryCount) => {
   try {
-    const cli = await getServiceClient(baseEntity, method, path, opt)
+    const cli = await getServiceClient(baseEntity, method, path, opt, ctx)
     const options = cli.options
     const result = await new Promise((resolve, reject) => {
       let dataString = ''
@@ -732,15 +753,18 @@ const doRequest = async (baseEntity, method, path, body, opt, retryCount) => {
     return result
   } catch (err) { // includes failover/retry logic based on config baseUrls array
     scimgateway.logger.error(`${pluginName}[${baseEntity}] doRequest ${method} ${path} Body = ${JSON.stringify(body)} Error Response = ${err.message}`)
+    let statusCode
+    try { statusCode = JSON.parse(err.message).statusCode } catch (e) {}
+    const clientIdentifier = getClientIdentifier(ctx)
     if (!retryCount) retryCount = 0
     let urlObj
     try { urlObj = new URL(path) } catch (err) {}
     if (!urlObj && (err.code === 'ECONNREFUSED' || err.code === 'ENOTFOUND')) {
       if (retryCount < config.entity[baseEntity].baseUrls.length) {
         retryCount++
-        updateServiceClient(baseEntity, { baseUrl: config.entity[baseEntity].baseUrls[retryCount - 1] })
+        updateServiceClient(baseEntity, clientIdentifier, { baseUrl: config.entity[baseEntity].baseUrls[retryCount - 1] })
         scimgateway.logger.debug(`${pluginName}[${baseEntity}] ${(config.entity[baseEntity].baseUrls.length > 1) ? 'failover ' : ''}retry[${retryCount}] using baseUrl = ${_serviceClient[baseEntity].baseUrl}`)
-        const ret = await doRequest(baseEntity, method, path, body, opt, retryCount) // retry
+        const ret = await doRequest(baseEntity, method, path, body, ctx, opt, retryCount) // retry
         return ret // problem fixed
       } else {
         const newerr = new Error(err.message)
@@ -748,7 +772,18 @@ const doRequest = async (baseEntity, method, path, body, opt, retryCount) => {
         newerr.message = newerr.message.replace('ENOTFOUND', 'UnableConnectingHost') // avoid returning ENOTFOUND error
         throw newerr
       }
-    } else throw err // CA IM retries getUsers failure once (retry 6 times on ECONNREFUSED)
+    } else {
+      if (statusCode === 401) {
+        if (_serviceClient[baseEntity]) delete _serviceClient[baseEntity][clientIdentifier]
+        err.message = JSON.stringify( // don't reveal original message
+          {
+            statusCode: 401,
+            error: 'Access denied'
+          }
+        )
+      }
+      throw err // CA IM retries getUsers failure once (retry 6 times on ECONNREFUSED)
+    }
   }
 } // doRequest

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "4.2.3",
+  "version": "4.2.5",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",
   "homepage": "https://elshaug.xyz",
@@ -29,7 +29,7 @@
     "iga"
   ],
   "engines": {
-    "node": ">=7.6.0"
+    "node": ">=14.0.0"
   },
   "dependencies": {
     "@godaddy/terminus": "^4.11.2",