scimgateway 4.2.9 → 4.2.11

package/README.md

@@ -1169,6 +1169,18 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v4.2.11  
+
+[Added] 
+
+- Plugin can set error statusCode returned by scimgateway through error message. Error message must then contain string `"statusCode":xxx` where xxx is HTTP status code e.g., 401. Plugin using REST will have statusCode automatically included in error message thrown by plugin. This could be useful for auth.PassThrough.
+
+### v4.2.10  
+
+[Fixed] 
+
+- plugin-ldap broken after dependencies bump of ldapjs (from 2.x.x to 3.x.x) in version 4.2.7
+
 ### v4.2.9  
 
 [Fixed] 

package/lib/plugin-ldap.js

@@ -110,15 +110,11 @@ if (config.useSID_id && config.map.group) {
 }
 if (config.map.user.userPrincipalName && config.map.user.userPrincipalName.mapDomain) { // support mapping different inbound/outbound upn domain names
   if (config.map.user.userPrincipalName.mapDomain.inbound && config.map.user.userPrincipalName.mapDomain.outbound) {
-    let inbound = config.map.user.userPrincipalName.mapDomain.inbound
-    let outbound = config.map.user.userPrincipalName.mapDomain.outbound
-    inbound = inbound.startsWith('@') ? inbound : '@' + inbound
-    outbound = outbound.startsWith('@') ? outbound : '@' + outbound
-    config.upnMapDomain = {
-      inbound: inbound, // "test.onmicrosoft.com
-      outbound: outbound // "my-company.com"
-    }
-  }
+    const inbound = config.map.user.userPrincipalName.mapDomain.inbound
+    const outbound = config.map.user.userPrincipalName.mapDomain.outbound
+    config.map.user.userPrincipalName.mapDomain.inbound = inbound.startsWith('@') ? inbound : '@' + inbound // "@my-company.com"
+    config.map.user.userPrincipalName.mapDomain.outbound = outbound.startsWith('@') ? outbound : '@' + outbound // "@test.onmicrosoft.com
+  } else delete config.map.user.userPrincipalName.mapDomain
 }
 
 // =================================================
@@ -1034,13 +1030,12 @@ const doRequest = async (baseEntity, method, base, ldapOptions, ctx) => {
   let client = null
 
   const options = scimgateway.copyObj(ldapOptions)
-  if (config.upnMapDomain) {
-    for (const key in options) {
-      if ((typeof options[key] === 'string') && options[key].includes(config.upnMapDomain.inbound)) {
-        const old = options[key]
-        options[key] = options[key].replace(config.upnMapDomain.inbound, config.upnMapDomain.outbound)
-        scimgateway.logger.debug(`${pluginName}[${baseEntity}] inbound upnMapDomain ${old} => ${options[key]}`)
-      }
+  // support having different upn-domain on IdP and target
+  if (options.modification && options.modification.userPrincipalName && config.map.user.userPrincipalName && config.map.user.userPrincipalName.mapDomain) {
+    if (options.modification.userPrincipalName.endsWith(config.map.user.userPrincipalName.mapDomain.outbound)) {
+      const old = options.modification.userPrincipalName
+      options.modification.userPrincipalName = options.modification.userPrincipalName.replace(config.map.user.userPrincipalName.mapDomain.outbound, config.map.user.userPrincipalName.mapDomain.inbound)
+      scimgateway.logger.debug(`${pluginName}[${baseEntity}] inbound upnMapDomain ${old} => ${options.modification.userPrincipalName}`)
     }
   }
 
@@ -1055,37 +1050,45 @@ const doRequest = async (baseEntity, method, base, ldapOptions, ctx) => {
             if (err) {
               return reject(err)
             }
+
             search.on('searchEntry', (entry) => {
-              if (entry.attributes) {
-                entry.attributes.find((el, i) => {
-                  if (['objectSid', 'objectGUID'].includes(el.type)) { // assume Active Directory - can't use default utf-8 when attribute value is hex
-                    const b = Buffer.from(el.buffers[0], 'hex')
-                    if (el.type === 'objectSid') {
-                      const sidStr = convertSidToString(b) // using string: S-1-5-21-2657077294-4200173015-2627628055-1255
-                      if (!sidStr) throw new Error(`doRequest() error: failed to convert SID ${b.toString('hex')} to string}`)
-                      entry.attributes[i]._vals = [sidStr]
-                    } else {
-                      entry.attributes[i]._vals = [b.toString('base64')] // using base64: nitWLrhokUqKl1DywiavXg==
-                    }
-                  } else if (el.type === 'userPrincipalName' && config.upnMapDomain) {
-                    const val = Buffer.from(el.buffers[0], 'hex').toString('utf8')
-                    const old = val
-                    entry.attributes[i]._vals = [val.replace(config.upnMapDomain.outbound, config.upnMapDomain.inbound)]
-                    scimgateway.logger.debug(`${pluginName}[${baseEntity}] outbound upnMapDomain ${old} => ${entry.attributes[i]._vals}`)
-                  }
-                  return undefined
-                })
+              if (!entry.pojo || !entry.pojo.attributes) return
+              const obj = { dn: entry.pojo.objectName }
+              entry.pojo.attributes.map((el) => {
+                if (el.values.length > 1) obj[el.type] = el.values
+                else obj[el.type] = el.values[0]
+                return null
+              })
+              // objectSid/objectGUID - assume Active Directory - can't use default utf-8 when attribute value is hex
+              if (obj.objectSid) {
+                const b = Buffer.from(obj.objectSid, 'utf-8')
+                const sidStr = convertSidToString(b) // using string: S-1-5-21-2657077294-4200173015-2627628055-1255
+                if (!sidStr) throw new Error(`doRequest() error: failed to convert SID ${b.toString('hex')} to string}`)
+                obj.objectSid = sidStr
+              }
+              if (obj.objectGUID) {
+                const b = Buffer.from(obj.objectGUID, 'utf-8')
+                obj.objectGUID = b.toString('base64') // using base64: nitWLrhokUqKl1DywiavXg==
+              }
+              if (obj.userPrincipalName && config.map.user.userPrincipalName && config.map.user.userPrincipalName.mapDomain) {
+                if (obj.userPrincipalName.endsWith(config.map.user.userPrincipalName.mapDomain.inbound)) {
+                  const old = obj.userPrincipalName
+                  obj.userPrincipalName = obj.userPrincipalName.replace(config.map.user.userPrincipalName.mapDomain.inbound, config.map.user.userPrincipalName.mapDomain.outbound)
+                  scimgateway.logger.debug(`${pluginName}[${baseEntity}] outbound upnMapDomain ${old} => ${obj.userPrincipalName}`)
+                }
               }
-              results.push(entry.object)
+              results.push(obj)
             })
 
             search.on('page', (entry, cb) => {
               // if (cb) cb() // pagePause = true gives callback
             })
+
             search.on('error', (err) => {
               if (err.message.includes('LdapErr: DSID-0C0909F2') || err.message.includes('NO_OBJECT')) return resolve([]) // object not found when using base <SID=...> or <GUID=...> ref. objectSid/objectGUID
               reject(err)
             })
+
             search.on('end', (_) => { resolve(results) })
           })
         })
@@ -1094,7 +1097,22 @@ const doRequest = async (baseEntity, method, base, ldapOptions, ctx) => {
       case 'modify':
         result = await new Promise((resolve, reject) => {
           const dn = base
-          client.modify(dn, options, (err) => {
+          const changes = []
+          for (const key in options.modification) {
+            const mod = {}
+            mod.type = key
+            if (Array.isArray(options.modification[key])) mod.values = options.modification[key]
+            else {
+              if (typeof options.modification[key] === 'string') mod.values = [options.modification[key]]
+              else mod.values = [options.modification[key].toString()]
+            }
+            const change = new ldap.Change({
+              operation: options.operation || 'replace',
+              modification: mod // { type: "givenName", values: ["Joe"] }
+            })
+            changes.push(change)
+          }
+          client.modify(dn, changes, (err) => {
             if (err) {
               if (options.operation && options.operation === 'add' && options.modification && options.modification.member) {
                 if (err.message.includes('ENTRY_EXISTS')) return resolve() // add already existing group to user

package/lib/scimgateway.js

@@ -318,22 +318,35 @@ const ScimGateway = function () {
     if (!userName && authType === 'Bearer') userName = 'token'
     if (ctx.request.url !== '/favicon.ico') {
       if (ctx.response.status < 200 || ctx.response.status > 299) {
-        let isEndpointAccessDenied = false
+        // statusCode check in logResult method...
+        // "statusCode":xxx in error messages let plugin set error statusCode returned by scimgateway
+        let pluginStatusCode = 0
+        const reJson = '^.*"(statusCode)" *: *([0-9][0-9][0-9]).*'
+        const rePattern = new RegExp(reJson, 'i')
         if (res.body.detail) {
-          if (res.body.detail.includes('\"statusCode\":401')) isEndpointAccessDenied= true // eslint-disable-line
+          const arrMatches = res.body.detail.match(rePattern)
+          if (Array.isArray(arrMatches) && arrMatches.length === 3) {
+            pluginStatusCode = parseInt(arrMatches[2])
+          }
         } else if (res.body.Errors) {
-          if (Array.isArray(res.body.Errors) && res.body.Errors[0].description && res.body.Errors[0].description.includes('\"statusCode\":401')) { // eslint-disable-line
-            isEndpointAccessDenied = true
+          if (Array.isArray(res.body.Errors) && res.body.Errors[0].description && res.body.Errors[0].description) {
+            const arrMatches = res.body.Errors[0].description.match(rePattern)
+            if (Array.isArray(arrMatches) && arrMatches.length === 3) {
+              pluginStatusCode = parseInt(arrMatches[2])
+            }
           }
         }
-        if (isEndpointAccessDenied) { // don't reveal original SCIM error message details related to access denied (e.g. using Auth PassThrough)
-          ctx.response.set('Content-Type', 'application/json; charset=utf-8')
-          ctx.response.status = 401 // ctx.response.message becomes default 'Unauthorized'
-          ctx.response.body = { error: 'Access denied' }
+        if (pluginStatusCode > 0) {
+          ctx.response.status = pluginStatusCode // auto change ctx.response.message
           res.statusCode = ctx.response.status
           res.statusMessage = ctx.response.message
-          res.body = ctx.response.body
+          if (pluginStatusCode === 401 || pluginStatusCode === 403) { // don't reveal original SCIM error message details related to access denied (e.g. using Auth PassThrough)
+            ctx.response.set('Content-Type', 'application/json; charset=utf-8')
+            ctx.response.body = { error: 'Access denied' }
+            res.body = ctx.response.body
+          }
         }
+        // back to logResult...
         logger.error(`${gwName}[${pluginName}] ${ellapsed} ${ctx.request.ipcli} ${userName} ${ctx.request.method} ${ctx.request.href} Inbound = ${JSON.stringify(ctx.request.body)} Outbound = ${JSON.stringify(res)}${(config.log.loglevel.file === 'debug' && ctx.request.url !== '/ping') ? '\n' : ''}`)
       } else logger.info(`${gwName}[${pluginName}] ${ellapsed} ${ctx.request.ipcli} ${userName} ${ctx.request.method} ${ctx.request.href} Inbound = ${JSON.stringify(ctx.request.body)} Outbound = ${JSON.stringify(res)}${(config.log.loglevel.file === 'debug' && ctx.request.url !== '/ping') ? '\n' : ''}`)
       requestCounter += 1 // logged on exit (not win process termination)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "4.2.9",
+  "version": "4.2.11",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",
   "homepage": "https://elshaug.xyz",