scimgateway 5.0.7 → 5.0.9

package/README.md

@@ -258,8 +258,8 @@ Below shows an example of config\plugin-saphana.json
           ],
           "bearerOAuth": [
             {
-              "client_id": null,
-              "client_secret": null,
+              "clientId": null,
+              "clientSecret": null,
               "readOnly": false,
               "baseEntities": []
             }
@@ -398,7 +398,7 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 
 - **auth.bearerJwt** - Array of one or more standard JWT objects. Using **secret** or **publicKey** for signature verification. publicKey should be set to the filename of public key or certificate pem-file located in `<package-root>\config\certs` or absolute path being used. Clear text secret will become encrypted when gateway is started. **options.issuer** is mandatory. Other options may also be included according to jsonwebtoken npm package definition.
 
-- **auth.bearerOAuth** - Array of one or more Client Credentials OAuth configuration objects. **`client_id`** and **`client_secret`** are mandatory. client_secret value will become encrypted when gateway is started. OAuth token request url is **/oauth/token** e.g. http://localhost:8880/oauth/token
+- **auth.bearerOAuth** - Array of one or more Client Credentials OAuth configuration objects. **`clientId`** and **`clientSecret`** are mandatory. clientSecret value will become encrypted when gateway is started. OAuth token request url is **/oauth/token** e.g. http://localhost:8880/oauth/token
 
 - **auth.passThrough** - Setting **auth.passThrough.enabled=true** will bypass SCIM Gateway authentication. Gateway will instead pass ctx containing authentication header to the plugin. Plugin could then use this information for endpoint authentication and we don't have any password/token stored at the gateway. Note, this also requires plugin binary having `scimgateway.authPassThroughAllowed = true` and endpoint logic for handling/passing ctx.request.header.authorization
 
@@ -462,18 +462,18 @@ Definitions in `endpoint` object are customized according to our plugin code. Pl
 
 	Configuration notes when using default configuration oauth and tenantIdGUID - Microsoft Exchange Online (ExO):
 
-	- Entra ID application must have application permissions "**Mail.Send**"  
-	- To prevent the sending of emails from any defined mailboxes, an ExO **ApplicationAccessPolicy** must be defined through PowerShell.  
+	- Entra ID application must have application permissions `Mail.Send`  
+	- To prevent the sending of emails from any defined mailboxes, an ExO `ApplicationAccessPolicy` must be defined through PowerShell.  
 	
 		First create a mail-enabled security-group that only includes those users (mailboxes) the application is allowed to send from  
-		Note, "mail enabled security" group cannot be created from portal, only from admin or admin.exchange console
+		Note, `mail enabled security group` cannot be created from portal, only from admin or admin.exchange console
 		  
 			##Connect to Exchange
 			Install-Module -Name ExchangeOnlineManagement
 			Connect-ExchangeOnline
 			 
 			##Create ApplicationAccessPolicy
-			New-ApplicationAccessPolicy -AppId $AppClientID -PolicyScopeGroupId $MailEnabledSecurityGrpId -AccessRight RestrictAccess -Description "Restrict app to specific mailboxes"
+			New-ApplicationAccessPolicy -AppId <AppClientID> -PolicyScopeGroupId <MailEnabledSecurityGrpId> -AccessRight RestrictAccess -Description "Restrict app to specific mailboxes"
 
 - **stream** - See [SCIM Stream](https://elshaug.xyz/docs/scim-stream) for configuration details
 
@@ -1111,6 +1111,21 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v5.0.9
+
+[Improved]
+
+- HelperRest doRequest() now support configuration auth type `oauthSamlAssertion` for OAuth SAML token assertion. Please see code editor method IntelliSense for details
+
+### v5.0.8
+
+[Fixed]
+
+- Ensure Bun compatibility with Azure Reverse Proxy for large and long running response
+- HelperRest was not compatible with Node.js
+- plugin-mssql, some error handling should not throw an error
+- Configuration files updated according to the v5 configuration syntax of `scimgateway.auth.bearerOAuth` - `clientId/clientSecret` now replacing deprecated `client_id/client_secret`
+
 ### v5.0.7
 
 [Improved]
@@ -1155,9 +1170,7 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 
 **new configuration:**  
-Using Microsoft Exchange Online and oauth authencation which also is default and recommended by Microsoft    
-For other mail servers and options like SMTP AUTH (basic/oauth), please see configuration description  
-Plugin may also send mail using method scimgateway.sendMail()  
+Using Microsoft Exchange Online and oauth authencation which also is default and recommended by Microsoft. For other mail servers and options like SMTP AUTH (basic/oauth), please see configuration description. Plugin may also send mail using method scimgateway.sendMail()
 
 	{
 	  "scimgateway": {
@@ -1184,18 +1197,18 @@ Plugin may also send mail using method scimgateway.sendMail()
     
 Configuration notes when using oauth and tenantIdGUID - Microsoft Exchange Online (ExO):  
 
-- Entra ID application must have application permissions "**Mail.Send**"  
-- To prevent the sending of emails from any defined mailboxes, an ExO **ApplicationAccessPolicy** must be defined through PowerShell.  
+- Entra ID application must have application permissions `Mail.Send`  
+- To prevent the sending of emails from any defined mailboxes, an ExO `ApplicationAccessPolicy` must be defined through PowerShell.  
 
 	First create a mail-enabled security-group that only includes those users (mailboxes) the application is allowed to send from  
-	Note, "mail enabled security" group cannot be created from portal, only from admin or admin.exchange console
+	Note, `mail enabled security group` cannot be created from portal, only from admin or admin.exchange console
 	  
 		##Connect to Exchange
 		Install-Module -Name ExchangeOnlineManagement
 		Connect-ExchangeOnline
 		 
 		##Create ApplicationAccessPolicy
-		New-ApplicationAccessPolicy -AppId $AppClientID -PolicyScopeGroupId $MailEnabledSecurityGrpId -AccessRight RestrictAccess -Description "Restrict app to specific mailboxes"
+		New-ApplicationAccessPolicy -AppId <AppClientID> -PolicyScopeGroupId <MailEnabledSecurityGrpId> -AccessRight RestrictAccess -Description "Restrict app to specific mailboxes"
 
 
 ### v5.0.5  
@@ -1308,7 +1321,7 @@ Besides going from JavaScript to TypeScript, following can be mentioned:
 
 * Use scimgateway.HelperRest() for REST functionlity, also supports Auth PassThrough
 * scimgateway.endpointMapper() may be used for inbound/outbound attribute mappings
-* In general when using TypeScript, variables should be type defined: `let isDone: boolean = false`, `catch (err: any)`, ...
+* In general when using TypeScript, variables should be type-defined: `let isDone: boolean = false`, `catch (err: any)`, ...
 
 ### v4.5.12
 

package/config/plugin-api.json

@@ -52,8 +52,8 @@
       ],
       "bearerOAuth": [
         {
-          "client_id": null,
-          "client_secret": null,
+          "clientId": null,
+          "clientSecret": null,
           "readOnly": false,
           "baseEntities": []
         }

package/config/plugin-entra-id.json

@@ -52,8 +52,8 @@
       ],
       "bearerOAuth": [
         {
-          "client_id": null,
-          "client_secret": null,
+          "clientId": null,
+          "clientSecret": null,
           "readOnly": false,
           "baseEntities": []
         }

package/config/plugin-ldap.json

@@ -52,8 +52,8 @@
       ],
       "bearerOAuth": [
         {
-          "client_id": null,
-          "client_secret": null,
+          "clientId": null,
+          "clientSecret": null,
           "readOnly": false,
           "baseEntities": []
         }

package/config/plugin-loki.json

@@ -52,8 +52,8 @@
       ],
       "bearerOAuth": [
         {
-          "client_id": null,
-          "client_secret": null,
+          "clientId": null,
+          "clientSecret": null,
           "readOnly": false,
           "baseEntities": []
         }

package/config/plugin-mongodb.json

@@ -58,8 +58,8 @@
       ],
       "bearerOAuth": [
         {
-          "client_id": null,
-          "client_secret": null,
+          "clientId": null,
+          "clientSecret": null,
           "readOnly": false,
           "baseEntities": []
         }

package/config/plugin-mssql.json

@@ -52,8 +52,8 @@
       ],
       "bearerOAuth": [
         {
-          "client_id": null,
-          "client_secret": null,
+          "clientId": null,
+          "clientSecret": null,
           "readOnly": false,
           "baseEntities": []
         }

package/config/plugin-saphana.json

@@ -52,8 +52,8 @@
       ],
       "bearerOAuth": [
         {
-          "client_id": null,
-          "client_secret": null,
+          "clientId": null,
+          "clientSecret": null,
           "readOnly": false,
           "baseEntities": []
         }

package/config/plugin-scim.json

@@ -52,8 +52,8 @@
       ],
       "bearerOAuth": [
         {
-          "client_id": null,
-          "client_secret": null,
+          "clientId": null,
+          "clientSecret": null,
           "readOnly": false,
           "baseEntities": []
         }

package/config/plugin-soap.json

@@ -52,8 +52,8 @@
       ],
       "bearerOAuth": [
         {
-          "client_id": null,
-          "client_secret": null,
+          "clientId": null,
+          "clientSecret": null,
           "readOnly": false,
           "baseEntities": []
         }

package/lib/helper-rest.ts

@@ -1,24 +1,24 @@
 import { HttpsProxyAgent } from 'https-proxy-agent'
 import { URL } from 'url'
 import { Buffer } from 'node:buffer'
+import { samlAssertion } from './samlAssertion.ts' // prereq: saml
 import fs from 'node:fs'
 import querystring from 'querystring'
 import * as utils from './utils.ts'
-import ScimGateway from 'scimgateway'
 
 /**
- * HelperRest includes function doRequest() for doing REST calls
+ * HelperRest includes function doRequest() for executing REST calls
  */
 export class HelperRest {
   private lock = new utils.Lock()
   private _serviceClient: Record<string, any> = {}
   private config_entity: any
-  private scimgateway: ScimGateway
+  private scimgateway: any
   private idleTimeout: number
   private graphUrl = 'https://graph.microsoft.com/beta' // beta instead of 'v1.0' gives all user attributes when no $select
 
-  constructor(scimgateway: ScimGateway, optionalEntities?: Record<string, any>) {
-    if (!(scimgateway instanceof ScimGateway)) throw new Error('HelperRest initialization error: argument scimgateway is not of type ScimGateway')
+  constructor(scimgateway: any, optionalEntities?: Record<string, any>) {
+    if (!scimgateway || !scimgateway.gwName) throw new Error('HelperRest initialization error: argument scimgateway is not of type ScimGateway')
     this.scimgateway = scimgateway
     this.idleTimeout = (scimgateway as any)?.config?.scimgateway.idleTimeout || 120
     this.idleTimeout = this.idleTimeout - 1
@@ -118,6 +118,31 @@ export class HelperRest {
         }
         break
 
+      case 'oauthSamlAssertion':
+        tokenUrl = this.config_entity[baseEntity].connection.auth.options.tokenUrl
+        const context = null
+        const cert = fs.readFileSync(this.config_entity[baseEntity].connection.auth.options.certificate.cert).toString()
+        const key = fs.readFileSync(this.config_entity[baseEntity].connection.auth.options.certificate.key).toString()
+
+        const issuer = `scimgateway/${this.scimgateway.pluginName}`
+        const lifetime = 3600
+        const clientId = this.config_entity[baseEntity].connection.auth.options.clientId
+        const nameId = this.config_entity[baseEntity].connection.auth.options.userId
+        const userIdentifierFormat = 'userName'
+        const tokenEndpoint = tokenUrl
+        const audience = `scimgateway/${this.scimgateway.pluginName}`
+        const delay = 1
+
+        const assertion = await samlAssertion.run(context, cert, key, issuer, lifetime, clientId, nameId, userIdentifierFormat, tokenEndpoint, audience, delay)
+        form = {
+          token_url: tokenUrl,
+          grant_type: 'urn:ietf:params:oauth:grant-type:saml2-bearer',
+          client_id: clientId,
+          company_id: this.config_entity[baseEntity].connection.auth.options.companyId,
+          assertion: assertion,
+        }
+        break
+
       default:
         this.lock.release()
         throw new Error(`getAccessToken() none supported entity.${baseEntity}.connection.auth.type: '${this.config_entity[baseEntity]?.connection?.auth?.type}'`)
@@ -176,7 +201,7 @@ export class HelperRest {
    * @param baseEntity baseEntity
    * @param method GET/PATCH/PUT/DELETE
    * @param path e.g., /Users having baseUrl from configuration added, or full url e.g. https://mycompany.com/Users
-   * @param opt optional, connection optios
+   * @param opt optional, connection options
    * @param ctx optional, ctx included if using Auth PassThrough
    * @returns client.options needed for connect
    */
@@ -255,7 +280,7 @@ export class HelperRest {
                 const err = new Error(`auth type 'oauth' - missing configuration entity.${baseEntity}.connection.auth.options.clientId/clientSecret`)
                 throw err
               }
-              param.accessToken = await this.getAccessToken(baseEntity, ctx) // support Auth PassThrough
+              param.accessToken = await this.getAccessToken(baseEntity, ctx)
               param.options.headers['Authorization'] = `Bearer ${param.accessToken.access_token}`
               break
             case 'token':
@@ -263,7 +288,7 @@ export class HelperRest {
                 const err = new Error(`missing configuration entity.${baseEntity}.connection.auth.options.tokenUrl/password`)
                 throw err
               }
-              param.accessToken = await this.getAccessToken(baseEntity, ctx) // support Auth PassThrough
+              param.accessToken = await this.getAccessToken(baseEntity, ctx)
               param.options.headers['Authorization'] = `Bearer ${param.accessToken.access_token}`
               break
             case 'bearer':
@@ -273,6 +298,15 @@ export class HelperRest {
               }
               param.options.headers['Authorization'] = 'Bearer ' + Buffer.from(this.config_entity[baseEntity].connection.auth.options.token).toString('base64')
               break
+            case 'oauthSamlAssertion':
+              if (!this.config_entity[baseEntity]?.connection?.auth?.options?.clientId || !this.config_entity[baseEntity]?.connection?.auth?.options?.companyId
+                || !this.config_entity[baseEntity]?.connection?.auth?.options?.certificate?.key) {
+                const err = new Error(`auth type 'oauthSamlAssertion' - missing configuration entity.${baseEntity}.connection.auth.options...`)
+                throw err
+              }
+              param.accessToken = await this.getAccessToken(baseEntity, ctx)
+              param.options.headers['Authorization'] = `Bearer ${param.accessToken.access_token}`
+              break
             default:
             // no auth
           }
@@ -426,6 +460,7 @@ export class HelperRest {
       const timeout = setTimeout(() => controller.abort(), options.abortTimeout ? options.abortTimeout * 1000 : this.idleTimeout * 1000) // 120 seconds default abort timeout
       options.signal = signal
       const url = `${options.protocol}//${options.host}${options.port ? ':' + options.port : ''}${options.path}`
+      if (path.includes(')?$') && !options.headers['Accept-Encoding']) options.headers['Accept-Encoding'] = 'identity' // workaround for bun fetch error: "Decompression error: ShortRead" - have seen this error using OData with "<some-path>('xxx')?$expand=" or "<some-path>('xxx')?$select=" ref: https://github.com/oven-sh/bun/issues/8017
       // execute request
       const f = await fetch(url, options)
       clearTimeout(timeout)
@@ -534,15 +569,20 @@ export class HelperRest {
   *     "entity": {
   *       "undefined": {
   *         "connection": {
-  *           "baseUrls": [
+  *           "baseUrls": [  // ignored when using option tenantIdGUID
   *             "<baseUrl>", // "https://host1.company.com:8880",
   *             "<baseUrl2>" // optional using several baseUrls for failover
   *           ],
   *          "auth": {
-  *            "type": "<type>"",
+  *            "type": "<type>",
   *            "options": { <auth.options> }
   *           },
   *           "options": { <connection.options> }
+  *           "proxy": {
+  *             "host": "<host>", // http://proxy-host:1234
+  *             "username": "<username>", // username if authentication is required
+  *             "password": "<password>" // password if authentication is required
+  *           }
   *         }
   *       }
   *     }
@@ -551,11 +591,11 @@ export class HelperRest {
   * ```
   * type defines authentication being used  
   * if type not defined, no authentication used  
-  * valid type is: `basic`, `oauth`, `token` or `bearer`   
+  * valid type is: `basic`, `oauth`, `token`, `bearer` or `oauthSamlAssertion`  
   * 
   * for each valid type there are different auth.options  
   * 
-  * type=**basic**, auth.options:
+  * type=**"basic"** having auth.options:
   * ```
   * {
   *   "options": {
@@ -565,11 +605,11 @@ export class HelperRest {
   * }
   * ```
   * 
-  * type=**oauth**, auth.options:
+  * type=**"oauth"** having auth.options:
   * ```
   * {
   *   "options": {
-  *     "tenantIdGUID": "<Entra ID tenantIdGUID", // only defined when using Entra ID
+  *     "tenantIdGUID": "<Entra ID tenantIdGUID", // simplified configuration for using Microsoft Graph API
   *     "tokenUrl": "<tokenUrl>", // not used when tenantIdGUID defined
   *     "clientId": "<clientId",
   *     "clientSecret": "<clientSecret>"
@@ -577,7 +617,7 @@ export class HelperRest {
   * }
   * ```
   * 
-  * type=**token**, auth.options:
+  * type=**"token"** having auth.options:
   * ```
   * {
   *   "options": {
@@ -588,7 +628,7 @@ export class HelperRest {
   * }
   * ```
   * 
-  * type=**bearer**, auth.options:
+  * type=**"bearer"** having auth.options:
   * ```
   * {
   *   "options": {
@@ -597,6 +637,22 @@ export class HelperRest {
   * }
   * ```
   * 
+  * type=**"oauthSamlAssertion"** having auth.options:
+  * ```
+  * {
+  *   "options": {
+  *     "tokenUrl": "<tokenUrl>",
+  *     "clientId": "<clientId>",
+  *     "companyId": "<companyId>",
+  *     "userId": "<userId>",
+  *     "certificate": {
+  *       "key": "<key-file-name>", // location: config/certs
+  *       "cert": "<cert-file-name>", // location: config/certs
+  *     }
+  *   }
+  * }
+  * ```
+  * 
   * **connection.options** can be set according to web-standard fetch client options  
   * examples:  
   * ```

package/lib/logger.ts

@@ -96,7 +96,7 @@ export class Log {
       customMaskXml = customMasking.join('"?|')
       customMaskXml = '|' + customMaskXml + '"?'
     }
-    this.reJson = `^.*"(password|access_token|client_secret${customMaskJson})" ?: ?"([^"]+)".*`
+    this.reJson = `^.*"(password|access_token|client_secret|assertion${customMaskJson})" ?: ?"([^"]+)".*`
     this.reXml = `^.*(credentials"?|PasswordText"?|PasswordDigest"?|password"?${customMaskXml})>([^<]+)</.*`
 
     const trans: any = [

package/lib/plugin-mssql.ts

@@ -6,7 +6,7 @@
 // Purpose: SQL user-provisioning
 //
 // Prereq:
-// CREATE TABLE [User] (
+// CREATE TABLE [Users] (
 //     [UserID] VARCHAR(50) NOT NULL,
 //     [Enabled] VARCHAR(50) NULL,
 //     [Password] VARCHAR(50) NULL,
@@ -19,7 +19,7 @@
 //         PRIMARY KEY ([UserID])
 // );
 //
-// CREATE TABLE [Group] (
+// CREATE TABLE [Groups] (
 //     [GroupID] VARCHAR(50) NOT NULL,
 //     [Enabled] VARCHAR(50) NULL,
 //     CONSTRAINT [PK_Group]
@@ -33,11 +33,11 @@
 //         PRIMARY KEY ([GroupID],[UserID]),
 //     CONSTRAINT [FK_U2G_Group]
 //         FOREIGN KEY ([GroupID])
-//         REFERENCES [Group]([GroupID])
+//         REFERENCES [Groups]([GroupID])
 //         ON DELETE CASCADE,
 //     CONSTRAINT [FK_U2G_Users]
 //         FOREIGN KEY ([UserID])
-//         REFERENCES [User]([UserID])
+//         REFERENCES [Users]([UserID])
 //         ON DELETE CASCADE
 // );
 //
@@ -66,7 +66,7 @@ import { Connection, Request } from 'tedious'
 const ScimGateway: typeof import('scimgateway').ScimGateway = await (async () => {
   try {
     return (await import('scimgateway')).ScimGateway
-  } catch (err) {
+  } catch (err: any) {
     const source = './scimgateway.ts'
     return (await import(source)).ScimGateway
   }
@@ -113,17 +113,13 @@ scimgateway.getUsers = async (baseEntity, getObj, attributes, ctx) => {
   if (!sqlQuery) throw new Error(`${action} error: mandatory if-else logic not fully implemented`)
 
   try {
-    return await new Promise(async (resolve, reject) => {
+    return await new Promise(async (resolve) => {
       const ret: any = { // itemsPerPage will be set by scimgateway
         Resources: [],
         totalResults: null,
       }
 
-      const users: any[] = await query(sqlQuery, ctx).catch((err: any) => {
-        const e = new Error(`${action} error: ${err.message}`)
-        return reject(e)
-      })
-
+      const users: any[] = await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
       for (const user of users) {
         const scimUser = {
           id: user.UserID.value ? user.UserID.value : undefined,
@@ -155,7 +151,7 @@ scimgateway.createUser = async (baseEntity, userObj, ctx) => {
   scimgateway.logDebug(baseEntity, `handling "${action}" userObj=${JSON.stringify(userObj)}`)
 
   try {
-    return await new Promise(async (resolve, reject) => {
+    return await new Promise(async (resolve) => {
       if (!userObj.name) userObj.name = {}
       if (!userObj.emails) userObj.emails = { work: {} }
       if (!userObj.phoneNumbers) userObj.phoneNumbers = { work: {} }
@@ -174,10 +170,7 @@ scimgateway.createUser = async (baseEntity, userObj, ctx) => {
       const sqlQuery = `insert into [Users] (UserID, Enabled, Password, FirstName, MiddleName, LastName, Email, MobilePhone)
                 values (${insert.UserID}, ${insert.Enabled}, ${insert.Password}, ${insert.FirstName}, ${insert.MiddleName}, ${insert.LastName}, ${insert.Email}, ${insert.MobilePhone})`
 
-      await query(sqlQuery, ctx).catch((err: any) => {
-        const e = new Error(`${action} error: ${err.message}`)
-        return reject(e)
-      })
+      await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
 
       resolve(null)
     }) // Promise
@@ -194,12 +187,9 @@ scimgateway.deleteUser = async (baseEntity, id, ctx) => {
   scimgateway.logDebug(baseEntity, `handling "${action}" id=${id}`)
 
   try {
-    return await new Promise(async (resolve, reject) => {
+    return await new Promise(async (resolve) => {
       const sqlQuery = `delete from [Users] where UserID = '${id}'`
-      await query(sqlQuery, ctx).catch((err: any) => {
-        const e = new Error(`${action} error: ${err.message}`)
-        return reject(e)
-      })
+      await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
 
       resolve(null)
     }) // Promise
@@ -216,7 +206,7 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
   scimgateway.logDebug(baseEntity, `handling "${action}" id=${id} attrObj=${JSON.stringify(attrObj)}`)
 
   try {
-    return await new Promise(async (resolve, reject) => {
+    return await new Promise(async (resolve) => {
       if (!attrObj.name) attrObj.name = {}
       if (!attrObj.emails) attrObj.emails = { work: {} }
       if (!attrObj.phoneNumbers) attrObj.phoneNumbers = { work: {} }
@@ -252,10 +242,7 @@ scimgateway.modifyUser = async (baseEntity, id, attrObj, ctx) => {
       sql = sql.substr(0, sql.length - 1) // remove trailing ","
 
       const sqlQuery = `update [Users] set ${sql} where UserID like '${id}'`
-      await query(sqlQuery, ctx).catch((err: any) => {
-        const e = new Error(`${action} error: ${err.message}`)
-        return reject(e)
-      })
+      await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
 
       resolve(null)
     }) // Promise
@@ -296,16 +283,13 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
   if (!sqlQuery) throw new Error(`${action} error: mandatory if-else logic not fully implemented`)
 
   try {
-    return await new Promise(async (resolve, reject) => {
+    return await new Promise(async (resolve) => {
       const ret: any = { // itemsPerPage will be set by scimgateway
         Resources: [],
         totalResults: null,
       }
 
-      const groups = await query(sqlQuery, ctx).catch((err: any) => {
-        const e = new Error(`${action} error: ${err.message}`)
-        return reject(e)
-      })
+      const groups: any[] = await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
 
       for (const group of groups) {
         const scimGroup: Record<string, any> = {
@@ -316,7 +300,7 @@ scimgateway.getGroups = async (baseEntity, getObj, attributes, ctx) => {
         }
 
         const sqlQuery = `select UserID from [Users2Group] where GroupID = '${scimGroup.id}'`
-        const members = await query(sqlQuery, ctx).catch(e => console.warn(`${e}`))
+        const members = await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
         for (const member of members) {
           const scimMember = {
             value: member.UserID.value,
@@ -343,21 +327,20 @@ scimgateway.createGroup = async (baseEntity, groupObj, ctx) => {
   scimgateway.logDebug(baseEntity, `handling "${action}" groupObj=${JSON.stringify(groupObj)}`)
 
   try {
-    return await new Promise(async (resolve, reject) => {
+    return await new Promise(async (resolve) => {
       const insert = {
         GroupID: `'${groupObj.displayName}'`,
         Enabled: (groupObj.active) ? `'${groupObj.active}'` : '\'false\'',
       }
 
       const sqlQuery = `insert into [Groups] (GroupID, Enabled) values (${insert.GroupID}, ${insert.Enabled})`
-      await query(sqlQuery, ctx).catch(e => console.warn(`${e}`))
-
-      for (const member of groupObj.members) {
-        const sqlQuery = `insert into [Users2Group] (UserID, GroupID) values ('${member.value}', ${insert.GroupID})`
-        await query(sqlQuery, ctx).catch((err: any) => {
-          const e = new Error(`${action} error: ${err.message}`)
-          return reject(e)
-        })
+      await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
+
+      if (Array.isArray(groupObj.members) && groupObj.members) {
+        for (const member of groupObj.members) {
+          const sqlQuery = `insert into [Users2Group] (UserID, GroupID) values ('${member.value}', ${insert.GroupID})`
+          await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
+        }
       }
 
       resolve(null)
@@ -375,12 +358,9 @@ scimgateway.deleteGroup = async (baseEntity, id, ctx) => {
   scimgateway.logDebug(baseEntity, `handling "${action}" id=${id}`)
 
   try {
-    return await new Promise(async (resolve, reject) => {
+    return await new Promise(async (resolve) => {
       const sqlQuery = `delete from [Groups] where GroupID = '${id}'`
-      await query(sqlQuery, ctx).catch((err: any) => {
-        const e = new Error(`${action} error: ${err.message}`)
-        return reject(e)
-      })
+      await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
 
       resolve(null)
     }) // Promise
@@ -409,25 +389,22 @@ scimgateway.modifyGroup = async (baseEntity, id, attrObj, ctx) => {
   // This BLINDLY inserts all user/groups and gracefully breaks on PK violation
   // for each existing membership
   if (Array.isArray(attrObj.members) && attrObj.members) {
-    attrObj.members.forEach((member) => {
+    for (const member of attrObj.members) {
       if (member.operation == 'delete') {
         queries.push(`delete from [Users2Group] where GroupID='${id}' and UserID='${member.value}'`)
       } else {
         queries.push(`insert into [Users2Group] (UserID, GroupID) values ('${member.value}','${id}')`)
       }
-    })
+    }
   }
 
   const sqlQuery = queries.join(';')
 
   try {
-    return await new Promise(async (resolve, reject) => {
+    return await new Promise(async (resolve) => {
       if (sqlQuery) {
         scimgateway.logDebug(baseEntity, `sqlQuery: ${sqlQuery}`)
-        await query(sqlQuery, ctx).catch((err: any) => {
-          const e = new Error(`${action} error: ${err.message}`)
-          return reject(e)
-        })
+        await query(sqlQuery, ctx).catch(err => scimgateway.logWarn(baseEntity, `${action} warning: ${err.message}`))
       }
 
       resolve(null)

package/lib/samlAssertion.ts

@@ -0,0 +1,220 @@
+//
+// Purpose: create SAML token assertion that can be used by OAuth token request having grant type saml2-bearer
+// Based on: https://github.com/edersouza38/insomnia-plugin-sfsf-samlassertion
+//
+// MIT License
+//
+// Copyright (c) 2023 edersouza38
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in all
+// copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+// SOFTWARE.
+//
+
+// @ts-expect-error type declaration file not found
+import { Saml20 as saml } from 'saml'
+import crypto from 'node:crypto'
+
+export const samlAssertionUtils = {
+  formatPrivateKey: function (input: string) {
+    // Validate PEM keys:
+    const keyArmor = /-----(BEGIN |END )(.*?) KEY-----/g
+    let v: any = [...input.matchAll(keyArmor)]
+    if (v.length > 0) {
+      if (v.length !== 2 || v[0][2] !== v[1][2] || v[0][2] !== 'PRIVATE') {
+        throw new Error('Invalid PEM private key. Make sure that the armoring is consistent and the PEM key is from the type "PRIVATE".')
+      }
+      return input.replace(/\r?\n|\r/g, '')
+    }
+
+    // Verify whether key was generated directly in SFSF:
+    const d = Buffer.from(input, 'base64').toString('utf-8')
+    v = d.split('###')
+    if (v.length === 2) {
+      input = v[0]
+    }
+    return `-----BEGIN PRIVATE KEY-----${input}-----END PRIVATE KEY-----`
+  },
+
+  formatCertificate: function (input: string) {
+    // Validate PEM keys:
+    const keyArmor = /-----(BEGIN |END )(.*?)-----/g
+    let v: any = [...input.matchAll(keyArmor)]
+    if (v.length > 0) {
+      if (v.length !== 2 || v[0][2] !== v[1][2]) {
+        throw new Error('Invalid PEM certificate. Make sure that the armoring is consistent.')
+      }
+      return input.replace(/\r?\n|\r/g, '')
+    }
+
+    // Verify whether key was generated directly in SFSF:
+    const d = Buffer.from(input, 'base64').toString('utf-8')
+    v = d.split('###')
+    if (v.length === 2) {
+      input = v[0]
+    }
+    return `-----BEGIN CERTIFICATE-----${input}-----END CERTIFICATE-----`
+  },
+
+  delay: function (time: number) {
+    return new Promise(resolve => setTimeout(resolve, time))
+  },
+
+  userIdentifierFormat: {
+    userId: 'userId',
+    userName: 'userName',
+    eMail: 'e-Mail',
+  },
+}
+
+export const samlAssertion = {
+  name: 'samlAssertionSFSF',
+  displayName: 'SAML Assertion - SFSF',
+  description: 'Create a SAML Assertion for SFSF OAuth2SAMLAssertion flow.',
+  args: [
+    {
+      displayName: 'X.509 Certificate',
+      description: 'X.509 Certificate used to identify the SAML IdP',
+      type: 'string',
+      placeholder: '-----BEGIN CERTIFICATE-----',
+    },
+    {
+      displayName: 'Private Key',
+      description: 'Private Key used to sign the SAML Assertion',
+      type: 'string',
+      placeholder: '-----BEGIN PRIVATE KEY-----',
+    },
+    {
+      displayName: 'SAML Issuer',
+      description: 'Name of the IdP issuing the SAML Assertion',
+      type: 'string',
+      defaultValue: 'local.insomnia.com',
+    },
+    {
+      displayName: 'Lifetime in seconds',
+      description: 'Lifetime of the SAML Assertion in seconds',
+      type: 'number',
+      defaultValue: 600,
+    },
+    {
+      displayName: 'Client Id',
+      description: 'Registered Client Id in SFSF',
+      type: 'string',
+      placeholder: 'OWE1Yzg0NTMyOGJlY2M4NWRiZGFiMGE3MTI5MA',
+    },
+    {
+      displayName: 'User Identifier',
+      description: 'User Identifier',
+      type: 'string',
+      placeholder: 'Username',
+    },
+    {
+      displayName: 'User Identifier Format',
+      description: 'User Identifier Format',
+      type: 'enum',
+      placeholder: 'User Identifier Format',
+      defaultValue: samlAssertionUtils.userIdentifierFormat.userId,
+      options: [
+        {
+          displayName: 'User ID',
+          value: samlAssertionUtils.userIdentifierFormat.userId,
+        },
+        {
+          displayName: 'Username',
+          value: samlAssertionUtils.userIdentifierFormat.userName,
+        },
+        {
+          displayName: 'E-Mail',
+          value: samlAssertionUtils.userIdentifierFormat.eMail,
+        },
+      ],
+    },
+    {
+      displayName: 'OAuth Token Endpoint',
+      description: 'SFSF OAuth Token Endpoint',
+      type: 'string',
+      placeholder: 'Username',
+    },
+    {
+      displayName: 'Audience',
+      description: 'Audience of the SAML Assertion',
+      type: 'string',
+      defaultValue: 'www.successfactors.com',
+    },
+    {
+      displayName: 'Delay (Seconds)',
+      description: 'Useful when the request is reaching the endpoint before the "validNotBefore" date from SAML assertion.',
+      type: 'number',
+      defaultValue: 0,
+    },
+  ],
+
+  async run(
+    context: any,
+    cert: any,
+    key: any,
+    issuer: any,
+    lifetime: any,
+    clientId: any,
+    nameId: any,
+    userIdentifierFormat: any,
+    tokenEndpoint: any,
+    audience: any,
+    delay: any,
+  ) {
+    const samlAttributes: Record<string, any> = {
+      api_key: clientId,
+    }
+
+    let nameIdentifierFormat
+      = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'
+
+    switch (userIdentifierFormat) {
+      case samlAssertionUtils.userIdentifierFormat.eMail:
+        nameIdentifierFormat
+          = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
+        break
+      case samlAssertionUtils.userIdentifierFormat.userName:
+        samlAttributes.use_username = 'true'
+        break
+      default:
+        break
+    }
+    const options = {
+      cert: samlAssertionUtils.formatCertificate(cert),
+      key: samlAssertionUtils.formatPrivateKey(key),
+      issuer: issuer,
+      lifetimeInSeconds: lifetime,
+      audiences: audience,
+      attributes: samlAttributes,
+      nameIdentifier: nameId,
+      nameIdentifierFormat: nameIdentifierFormat,
+      recipient: tokenEndpoint,
+      sessionIndex: '_' + crypto.randomUUID(),
+    }
+
+    const assertionBuff = Buffer.from(saml.create(options))
+    const assertion = assertionBuff.toString('base64')
+
+    if (delay > 0) {
+      await samlAssertionUtils.delay(delay * 1000)
+    }
+    return assertion
+  },
+}
+
+export default samlAssertion

package/lib/scimgateway.ts

@@ -2367,13 +2367,25 @@ export class ScimGateway {
           if (!ctx.response.body) ctx.response.body = 'NOT_FOUND'
           break
       }
-      const response = new Response(ctx.response.body, { status: ctx.response.status, headers: ctx.response.headers })
-      if (ctx.response.body) {
+      const body = ctx.response.body
+      if (body) {
         try {
-          JSON.parse(ctx.response.body)
-          response.headers.set('content-type', 'application/scim+json; charset=utf-8')
+          JSON.parse(body)
+          ctx.response.headers.set('content-type', 'application/scim+json; charset=utf-8')
         } catch (err) { void 0 }
       }
+      let response: Response
+      if (typeof Bun !== 'undefined') {
+        const stream = new ReadableStream({ // ensure Bun compatibility with Azure Reverse Proxy for large and long running response - header set by Bun: Transfer-Encoding: 'chunked'
+          start(controller) {
+            controller.enqueue(body)
+            controller.close()
+          },
+        })
+        response = new Response(body ? stream : body, { status: ctx.response.status, headers: ctx.response.headers })
+      } else {
+        response = new Response(body, { status: ctx.response.status, headers: ctx.response.headers })
+      }
       logResult(ctx)
       return response
     }
@@ -2698,6 +2710,13 @@ export class ScimGateway {
     this.logger.info(`${this.pluginName}[${baseEntity}] ${msg}`)
   }
 
+  /**
+  * logWarn logs warning message
+  **/
+  logWarn(baseEntity: string | undefined, msg: string) {
+    this.logger.warn(`${this.pluginName}[${baseEntity}] ${msg}`)
+  }
+
   /**
   * logError logs error message
   **/

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "5.0.7",
+  "version": "5.0.9",
   "type": "module",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",
@@ -52,6 +52,7 @@
     "nodemailer": "^6.9.13",
     "passport": "^0.7.0",
     "passport-azure-ad": "^4.3.5",
+    "saml": "^3.0.1",
     "winston": "^3.13.0"
   },
   "peerDependencies": {