scimgateway 5.0.15 → 5.1.1

package/.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"

package/.github/workflows/test-master.yml

@@ -0,0 +1,28 @@
+name: Test Master Branch
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Install Bun
+        run: |
+          curl -fsSL https://bun.sh/install | bash
+          echo "$HOME/.bun/bin" >> $GITHUB_PATH
+
+      - name: Install dependencies
+        run: bun install
+
+      - name: Run master tests
+        run: bun run test

package/.github/workflows/test-release.yml

@@ -0,0 +1,25 @@
+name: Test Release Workflow
+
+on:
+  release:
+    types:
+      - published
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Install Bun
+        run: |
+          curl -fsSL https://bun.sh/install | bash
+          echo "$HOME/.bun/bin" >> $GITHUB_PATH
+
+      - name: Install dependencies
+        run: bun install
+
+      - name: Run release tests
+        run: bun run test

package/.travis.yml

@@ -13,4 +13,4 @@ install:
 
 # Run the Bun test runner
 script:
-  - bun test
+  - bun run test

package/README.md

@@ -16,6 +16,7 @@ Validated through IdP's:
 
 Latest news:  
 
+- By configuring the chainingBaseUrl, it is now possible to chain multiple gateways in sequence, such as `gateway1->gateway2->gateway3->endpoint`. In this setup, gateway beave much like a reverse proxy, validating authorization at each step unless PassThrough mode is enabled. Chaining is also supported in stream subscriber mode
 - Email, onError and sendMail() supports more secure RESTful OAuth for Microsoft Exchange Online (ExO) and Google Workspace Gmail, alongside traditional SMTP Auth for all mail systems. HelperRest supports a wide range of common authentication methods, including basicAuth, bearerAuth, tokenAuth, oauth, oauthSamlBearer, oauthJwtBearer and Auth PassTrough 
 - Major version **v5.0.0** marks a shift to native TypeScript support and prioritizes [Bun](https://bun.sh/) over Node.js. This upgrade requires some modifications to existing plugins.  
 - **BREAKING**: [SCIM Stream](https://elshaug.xyz/docs/scim-stream) is the modern way of user provisioning letting clients subscribe to messages instead of traditional IGA top-down provisioning. SCIM Gateway now offers enhanced functionality with support for message subscription and automated provisioning using SCIM Stream
@@ -58,10 +59,8 @@ Shows how to implement a highly configurable multi tenant or multi endpoint solu
 
 * **SCIM** (REST Webservice)  
 Demonstrates user provisioning towards REST-Based endpoint (type SCIM)  
-Using plugin Loki as SCIM endpoint  
+Using plugin Loki as SCIM endpoint through HelperRest  
 Can be used as SCIM version-gateway e.g. 1.1=>2.0 or 2.0=>1.1  
-Can be used to chain several gateways  
-
 
 * **Soap** (SOAP Webservice)  
 Demonstrates user provisioning towards SOAP-Based endpoint  
@@ -77,7 +76,7 @@ Demonstrates SAP HANA specific user provisioning
 
 * **Entra ID** (REST Webservices)  
 Entra ID user provisioning including license management (App Service plans) e.g. Office 365  
-Using Microsoft Graph API  
+Using Microsoft Graph API through HelperRest  
 Using customized SCIM attributes according to Microsoft Graph API  
 Includes Symantec/Broadcom/CA ConnectorXpress metafile for creating provisioning "Azure - ScimGateway" endpoint type  
 
@@ -87,7 +86,7 @@ Pre-configured for Microsoft Active Directory
 Using endpointMapper (like plugin-entra-id) for attribute mapping flexibility  
 
 * **API** (REST Webservices)  
-Demonstrates API Gateway/plugin functionality using post/put/patch/get/delete  
+Demonstrates API Gateway/plugin functionality using post/put/patch/get/delete combined with HelperRest  
 None SCIM plugin, becomes what you want it to become.  
 Methods included can also be used in standard SCIM plugins  
 Endpoint complexity could be put in this plugin, and client could instead communicate through Gateway using your own simplified REST specification.  
@@ -185,7 +184,7 @@ For Node.js (and also Bun), we might set the property `scimgateway_postinstall_s
 	// example starting all default plugins:
 	// const plugins = ['loki', 'scim', 'entra-id', 'ldap', 'mssql', 'api', 'mongodb', 'saphana', 'soap']
 
-	const plugins = ['ldap']
+	const plugins = ['loki']
 	
 	for (const plugin of plugins) {
 	  try {
@@ -209,6 +208,7 @@ Below shows an example of config\plugin-saphana.json
 	  "scimgateway": {
 	    "port": 8884,
 	    "localhostonly": false,
+	    "chainingBaseUrl": null,
         "scim": {
           "version": "2.0",
           "skipTypeConvert" : false,
@@ -354,6 +354,8 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 
 - **localhostonly** - true or false. False means gateway accepts incoming requests from all clients. True means traffic from only localhost (127.0.0.1) is accepted.
 
+- **chainingBaseUrl** - baseUrl for chaining anohter gateway, syntax: `http(s)://host:port`. If defined, gateway beave much like a reverse proxy, validating authorization unless PassThrough mode is enabled. See `Configuration notes` for details
+
 - **idleTimeout** - default 120, sets the the number of seconds to wait before timing out a connection due to inactivity
 
 - **scim.version** - "1.1" or "2.0". Default is "2.0".
@@ -399,7 +401,7 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 
 - **auth.bearerJwt** - Array of one or more standard JWT objects. Using **secret** or **publicKey** for signature verification. publicKey should be set to the filename of public key or certificate pem-file located in `<package-root>\config\certs` or absolute path being used. Clear text secret will become encrypted when gateway is started. **options.issuer** is mandatory. Other options may also be included according to jsonwebtoken npm package definition.
 
-- **auth.bearerOAuth** - Array of one or more Client Credentials OAuth configuration objects. **`clientId`** and **`clientSecret`** are mandatory. clientSecret value will become encrypted when gateway is started. OAuth token request url is **/oauth/token** e.g. http://localhost:8880/oauth/token
+- **auth.bearerOAuth** - Array of one or more Client Credentials OAuth configuration objects. **`clientId`** and **`clientSecret`** are mandatory. clientSecret value will become encrypted when gateway is started. OAuth token request url is **/oauth/token** e.g. `http://localhost:8880/oauth/token`
 
 - **auth.passThrough** - Setting **auth.passThrough.enabled=true** will bypass SCIM Gateway authentication. Gateway will instead pass ctx containing authentication header to the plugin. Plugin could then use this information for endpoint authentication and we don't have any password/token stored at the gateway. Note, this also requires plugin binary having `scimgateway.authPassThroughAllowed = true` and endpoint logic for handling/passing ctx.request.header.authorization
 
@@ -441,9 +443,9 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 - **email.auth** - Authentication configuration
 - **email.auth.type** - `oauth` or `smtp`
 - **email.auth.options** - Authentication options - note, different options for type oauth and smtp
-- **email.auth.options.tenantIdGUID (oauth/ExO)** - Entra ID tenant id, mandatory/recommended when using Microsoft Exchange Online
-- **email.auth.options.clientId (oauth/ExO)** - Client ID
-- **email.auth.options.clientSecret (oauth/ExO)** - Client Secret
+- **email.auth.options.tenantIdGUID (oauth/ExO)** - Entra tenant id or domain name
+- **email.auth.options.clientId (oauth/ExO)** - Entra OAuth application Client ID
+- **email.auth.options.clientSecret (oauth/ExO)** - Entra OAuth application Client Secret
 - **email.auth.options.serviceAccountKeyFile (oauth/Gmail)** - Google Service Account key json-file name located in the `package-root>\config\certs` directory unless absolute path being defined
 - **email.auth.options.host (smtp)** - Mailserver e.g. "smtp.gmail.com" - mandatory for smtp
 - **email.auth.options.port (smtp)** - Port used by mailserver e.g. 587, 25 or 465 - mandatory for smtp
@@ -561,6 +563,50 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 		- Licenses > Edit > enable Google Workspace license  
 		`email.emailOnError.from` mail address must have Google Workspace license
 
+- Gateway chainging and chainingBaseUrl configuration
+
+	By configuring the `chainingBaseUrl`, it is possible to chain multiple gateways in sequence, such as `gateway1->gateway2->gateway3->endpoint`. In this setup, gateway behave much like a reverse proxy, validating authorization at each step unless PassThrough mode is enabled. Chaining is also supported in stream subscriber mode
+	
+		{
+		  "scimgateway": {
+		    ...
+		    "chainingBaseUrl": "https:\\gateway2:8880",
+		    ...
+		    "auth": {
+		      ...
+		      "passThrough": {
+		        "enabled": false,
+		        "readOnly": false,
+		        "baseEntities": []
+		      }
+			  ...
+		    }
+		  },
+		  ...
+		}
+	
+	
+	Using above configuration example on gateway1, incoming requests will be routed to `https:\\gateway2:8880`
+	
+	The plugin and its associated authentication configuration can mirror the setup running on the final gateway. However, in chaining mode, the plugin binary is used solely for initializing and configuring the gateway. This allows for the use of a simplified `plugin-<name>.ts` binary containing only the essential mandatory components:
+		
+		// start - mandatory plugin initialization
+		const ScimGateway: typeof import('scimgateway').ScimGateway = await (async () => {
+		  try {
+		    return (await import('scimgateway')).ScimGateway
+		  } catch (err) {
+		    const source = './scimgateway.ts'
+		    return (await import(source)).ScimGateway
+		  }
+		})()
+		const scimgateway = new ScimGateway()
+		const config = scimgateway.getConfig()
+		scimgateway.authPassThroughAllowed = false
+		// end - mandatory plugin initialization
+
+	Using `scimgateway.authPassThroughAllowed = true` and `plugin-<name>.json` configuration `scimgateway.auth.passThrough=true` enables Authentication PassTrhough
+
+
 
 ## Manual startup    
 
@@ -1136,6 +1182,21 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v5.1.1
+
+[Fixed]
+
+- SCIM Gateway failed to start on linux using Bun >= v1.1.43
+
+### v5.1.0
+
+[Improved]
+
+- By configuring the `chainingBaseUrl`, it is now possible to chain multiple gateways in sequence, such as `gateway1->gateway2->gateway3->endpoint`. In this setup, gateway beave much like a reverse proxy, validating authorization at each step unless PassThrough mode is enabled. Chaining is also supported in stream subscriber mode
+
+	Please see `Configuration notes` for details	
+
+
 ### v5.0.15
 
 [Improved]

package/config/plugin-api.json

@@ -2,6 +2,7 @@
   "scimgateway": {
     "port": 8890,
     "localhostonly": false,
+    "chainingBaseUrl": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,

package/config/plugin-entra-id.json

@@ -2,6 +2,7 @@
   "scimgateway": {
     "port": 8881,
     "localhostonly": false,
+    "chainingBaseUrl": null,
     "scim": {
       "version": "2.0",
       "customSchema": null,

package/config/plugin-ldap.json

@@ -2,6 +2,7 @@
   "scimgateway": {
     "port": 8883,
     "localhostonly": false,
+    "chainingBaseUrl": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,

package/config/plugin-loki.json

@@ -2,6 +2,7 @@
   "scimgateway": {
     "port": 8880,
     "localhostonly": false,
+    "chainingBaseUrl": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,

package/config/plugin-mongodb.json

@@ -2,6 +2,7 @@
   "scimgateway": {
     "port": 8885,
     "localhostonly": false,
+    "chainingBaseUrl": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,

package/config/plugin-mssql.json

@@ -2,6 +2,7 @@
   "scimgateway": {
     "port": 8888,
     "localhostonly": false,
+    "chainingBaseUrl": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,

package/config/plugin-saphana.json

@@ -2,6 +2,7 @@
   "scimgateway": {
     "port": 8884,
     "localhostonly": false,
+    "chainingBaseUrl": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,

package/config/plugin-scim.json

@@ -2,6 +2,7 @@
   "scimgateway": {
     "port": 8886,
     "localhostonly": false,
+    "chainingBaseUrl": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,

package/config/plugin-soap.json

@@ -2,6 +2,7 @@
   "scimgateway": {
     "port": 8882,
     "localhostonly": false,
+    "chainingBaseUrl": null,
     "scim": {
       "version": "2.0",
       "skipTypeConvert": false,

package/lib/helper-rest.ts

@@ -1,8 +1,17 @@
+// =================================================================================
+// File:    helper-rest.ts
+//
+// Author:  Jarle Elshaug
+//
+// Purpose: HelperRest class for executing REST calls supporting various auth types
+//          Plugins may use this class: import { HelperRest } from 'scimgateway'
+// =================================================================================
+
 import { HttpsProxyAgent } from 'https-proxy-agent'
 import { URL } from 'url'
 import { Buffer } from 'node:buffer'
-import { samlAssertion } from './samlAssertion.ts' // prereq: saml
-import { sign as jwtSign } from 'jsonwebtoken'
+import { samlAssertion } from './samlAssertion.ts'
+import * as jsonwebtoken from 'jsonwebtoken'
 import fs from 'node:fs'
 import querystring from 'querystring'
 import * as utils from './utils.ts'
@@ -164,7 +173,7 @@ export class HelperRest {
 
         form = {
           grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
-          assertion: jwtSign(jwtAttr, privateKey, { algorithm: 'RS256' }),
+          assertion: jsonwebtoken.sign(jwtAttr, privateKey, { algorithm: 'RS256' }),
         }
         break
 
@@ -428,9 +437,9 @@ export class HelperRest {
       return cli // final client
     }
     //
-    // url path - none config based and used as is (no cache)
+    // url path - none config based (enpoint.entity) and used as is (no cache)
     //
-    this.scimgateway.logDebug(baseEntity, `${action}: Using none config based client`)
+    this.scimgateway.logDebug(baseEntity, `${action}: Using raw client`)
     let options: any = {
       json: true,
       headers: {
@@ -440,7 +449,7 @@ export class HelperRest {
       port: urlObj.port,
       protocol: urlObj.protocol,
       method: method,
-      path: urlObj.pathname,
+      path: urlObj.pathname + urlObj.search,
     }
 
     // proxy
@@ -516,7 +525,6 @@ export class HelperRest {
       const timeout = setTimeout(() => controller.abort(), options.abortTimeout ? options.abortTimeout * 1000 : this.idleTimeout * 1000) // 120 seconds default abort timeout
       options.signal = signal
       const url = `${options.protocol}//${options.host}${options.port ? ':' + options.port : ''}${options.path}`
-      if (path.includes(')?$') && !options.headers['Accept-Encoding']) options.headers['Accept-Encoding'] = 'identity' // workaround for bun fetch error: "Decompression error: ShortRead" - have seen this error using OData with "<some-path>('xxx')?$expand=" or "<some-path>('xxx')?$select=" ref: https://github.com/oven-sh/bun/issues/8017
       // execute request
       const f = await fetch(url, options)
       clearTimeout(timeout)

package/lib/samlAssertion.ts

@@ -1,4 +1,5 @@
 //
+// File: samlAssertion.ts
 // Purpose: create SAML token assertion that can be used by OAuth token request having grant type saml2-bearer
 // Based on: https://github.com/edersouza38/insomnia-plugin-sfsf-samlassertion
 //