scimgateway 5.3.0 → 5.3.2

package/README.md

@@ -16,7 +16,7 @@ Validated through IdP's:
 
 Latest news:  
  
-- [SCIM Bulk Operations](https://datatracker.ietf.org/doc/html/rfc7644#section-3.7) now supported
+- [Bulk Operations](https://datatracker.ietf.org/doc/html/rfc7644#section-3.7) now supported
 - Remote real-time log subscription for monitoring and centralized logging  
 using browser and url: `https://<host>/logger`  
 `curl -N https://<host>/logger -u user:password`  
@@ -159,7 +159,7 @@ If internet connection is blocked, we could install on another machine and copy
 >Tip, take a look at bun test scripts located in `node_modules\scimgateway\test\lib`
 
 > If using Node.js instead of Bun, scimgateway must be downloaded from github because Node.js does not support native typescript used by modules. Startup will then be:  
-node --experimental-strip-types c:\my-scimgateway\index.ts
+`node --experimental-strip-types c:\my-scimgateway\index.ts`
 
 #### Upgrade SCIM Gateway  
 
@@ -1351,10 +1351,10 @@ Plugins should have following initialization:
 	// start - mandatory plugin initialization
 	const ScimGateway: typeof import('scimgateway').ScimGateway = await (async () => {
 	  try {
-		return (await import('scimgateway')).ScimGateway
+	    return (await import('scimgateway')).ScimGateway
 	  } catch (err) {
-		const source = './scimgateway.ts'
-		return (await import(source)).ScimGateway
+	    const source = './scimgateway.ts'
+	    return (await import(source)).ScimGateway
 	  }
 	})()
 	const scimgateway = new ScimGateway()
@@ -1368,10 +1368,10 @@ If using REST, we could also include the HelperRest:
 	...
 	const HelperRest: typeof import('scimgateway').HelperRest = await (async () => {
 	  try {
-		return (await import('scimgateway')).HelperRest
+	    return (await import('scimgateway')).HelperRest
 	  } catch (err) {
-		const source = './scimgateway.ts'
-		return (await import(source)).HelperRest
+	    const source = './scimgateway.ts'
+	    return (await import(source)).HelperRest
 	  }
 	})()
 	...
@@ -1405,11 +1405,25 @@ MIT © [Jarle Elshaug](https://www.elshaug.xyz)
 
 ## Change log  
 
+### v5.3.2
+
+[Improved]  
+
+- helper-rest, retry on request error 504 Gateway Timeout
+- performance micro-optimization on log mask logic
+
+### v5.3.1
+
+[Fixed]  
+
+- Incorrect log masking of SCIM 2.0 PATCH Operations
+- plugin-ldap, create user/group having DN special character `#` failed on OpenLDAP
+
 ### v5.3.0
 
 [Improved]  
 
-- [SCIM Bulk Operations](https://datatracker.ietf.org/doc/html/rfc7644#section-3.7) now supported
+- [Bulk Operations](https://datatracker.ietf.org/doc/html/rfc7644#section-3.7) now supported
 - Dependencies bump
 
 ### v5.2.5

package/lib/helper-rest.ts

@@ -699,7 +699,7 @@ export class HelperRest {
       try { urlObj = new URL(path) } catch (err) { void 0 }
       let isServiceClient = !urlObj && this._serviceClient[baseEntity] && !this.lock.isLocked() // !isLocked to avoid retry ongoing doRequest with failing getAccessToken()
       let oAuthTokeErr = statusCode === 401 && this.config_entity[baseEntity].connection?.auth?.type && this.config_entity[baseEntity].connection.auth.type.startsWith('oauth')
-      if (isServiceClient && (err.code === 'ECONNREFUSED' || err.code === 'ENOTFOUND' || err.code === 'ABORT_ERR' || err.code === 'ETIMEDOUT' || oAuthTokeErr || retryAfter)) {
+      if (isServiceClient && (err.code === 'ECONNREFUSED' || err.code === 'ENOTFOUND' || err.code === 'ABORT_ERR' || err.code === 'ETIMEDOUT' || statusCode === 504 || oAuthTokeErr || retryAfter)) {
         this.scimgateway.logDebug(baseEntity, `doRequest ${method} ${path} Body = ${JSON.stringify(body)} Error Response = ${err.message}`)
         if (retryAfter) {
           this.scimgateway.logDebug(baseEntity, `doRequest ${method} ${path} throttle/ratelimit error - awaiting ${retryAfter} seconds before automatic retry`)

package/lib/logger.ts

@@ -81,6 +81,7 @@ export class Logger {
   private rotating = false
   private buffer: string[] = []
   private reJson: RegExp
+  private reJsonPathValue: RegExp
   private reXml: RegExp
   private callbacks: Set<(message: any) => Promise<void>> = new Set()
   private LOG_DIR: string
@@ -128,20 +129,26 @@ export class Logger {
       if (option.customMasking) this.customMasking = option.customMasking
     }
 
-    let customMaskJson = ''
-    let customMaskXml = ''
-    if (this.customMasking && Array.isArray(this.customMasking) && this.customMasking.length > 0) {
-      customMaskJson = this.customMasking.join('|')
-      customMaskJson = '|' + customMaskJson
-      customMaskXml = this.customMasking.join('"?|')
-      customMaskXml = '|' + customMaskXml + '"?'
-    }
+    let customMask = this.customMasking || []
+    if (!Array.isArray(customMask)) customMask = []
+    const jsonMaskKeys = ['password', 'access_token', 'client_secret', 'assertion', 'client_assertion']
+    const jsonJoinedKeys = jsonMaskKeys.concat(customMask).join('|')
+    const xmlMaskKeys = ['credentials', 'PasswordText', 'PasswordDigest', 'password']
+    const xmlJoinedKeys = xmlMaskKeys.concat(customMask).join('"?|') + '"?'
+
     this.reJson = new RegExp(
-      `("(password|access_token|client_secret|assertion|client_assertion|${customMaskJson})"\\s*:\\s*)"([^"]+)"`,
+      `("(?:${jsonJoinedKeys})"\\s*:\\s*)"([^"]+)"`,
       'gi',
     )
+
+    // matches "path":"<maskKey>", then finds "value":"<value>" to mask it - SCIM 2.0 PATCH Operations
+    this.reJsonPathValue = new RegExp(
+      `("path"\\s*:\\s*"(?:${jsonJoinedKeys})"[^{}]*?"value"\\s*:\\s*")([^"]+)(")`,
+      'gi',
+    )
+
     this.reXml = new RegExp(
-      `(<(?:\\w+:)?(credentials"?|PasswordText"?|PasswordDigest"?|password"?|${customMaskXml})[^>]*>)([^<]+)(<\\/(:?\\w+:)?\\2>)`,
+      `(<(?:\\w+:)?(${xmlJoinedKeys})[^>]*>)([^<]+)(<\\/(:?\\w+:)?\\2>)`,
       'gi',
     )
 
@@ -164,18 +171,30 @@ export class Logger {
 
   private maskSecret(msg: string): string {
     if (!msg) return msg
+
     // Mask JSON secrets
     msg = msg.replace(
       this.reJson,
       // eslint-disable-next-line @typescript-eslint/no-unused-vars
-      (_, keyValuePair, key) => `${keyValuePair}"********"`,
+      (_, keyValuePair, value) => `${keyValuePair}"******"`,
     )
+
+    // Mask JSON path/value secrets (SCIM 2.0 PATCH Operations)
+    if (msg.includes('"path"')) {
+      msg = msg.replace(
+        this.reJsonPathValue,
+        (_, prefix, value, suffix) => `${prefix}******${suffix}`,
+      )
+    }
+
     // Mask XML/Soap secrets
     // console.log('XML matches found:', msg.match(this.reXml)
-    msg = msg.replace(
-      this.reXml,
-      (_, startTag, tagName, value, endTag) => `${startTag}********${endTag}`,
-    )
+    if (msg.includes('<?xml')) {
+      msg = msg.replace(
+        this.reXml,
+        (_, startTag, tagName, value, endTag) => `${startTag}******${endTag}`,
+      )
+    }
 
     return msg
   }

package/lib/plugin-ldap.ts

@@ -1221,6 +1221,10 @@ const ldapEsc = (str: any) => {
         if (isEsc) c = ')'
         else c = '\\)'
         break
+      case '#':
+        if (isEsc) c = '#'
+        else c = '\\#'
+        break
     }
     newStr += c
   }

package/lib/scimgateway.ts

@@ -570,10 +570,18 @@ export class ScimGateway {
       if (authType === 'Basic') [userName] = (Buffer.from(authToken, 'base64').toString() || '').split(':')
       if (!userName && authType === 'Bearer') userName = 'token'
       let outbound = ctx.response.body
-      if (typeof outbound === 'string' && outbound.length > 1000) {
-        outbound = outbound.slice(0, 1000)
-        outbound += '...truncated because of length'
+
+      if (typeof outbound === 'string' && outbound.length > 1500 && outbound.includes('"Resources":')) {
+        try {
+          const o = JSON.parse(outbound)
+          if (o?.Resources?.length > 1) {
+            o.Resources = [o.Resources[0]]
+            o.Resources.push({ loggerComment: '===REST OF OBJECTS TRUNCATED BECAUSE OF LOG LENGTH===' })
+            outbound = JSON.stringify(o)
+          }
+        } catch (err) {}
       }
+
       if (ctx.response.status && (ctx.response.status < 200 || ctx.response.status > 299)) {
         if (ctx.response.status === 404) logger.warn(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] ${ellapsed} ${ctx.ip} ${userName} ${ctx.response.status} ${ctx.request.method} ${ctx.request.url} Inbound=${JSON.stringify(ctx.request.body)} Outbound=${outbound}`)
         else logger.error(`${gwName}[${pluginName}][${ctx?.routeObj?.baseEntity}] ${ellapsed} ${ctx.ip} ${userName} ${ctx.response.status} ${ctx.request.method} ${ctx.request.url} Inbound=${JSON.stringify(ctx.request.body)} Outbound=${outbound}`)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scimgateway",
-  "version": "5.3.0",
+  "version": "5.3.2",
   "type": "module",
   "description": "Using SCIM protocol as a gateway for user provisioning to other endpoints",
   "author": "Jarle Elshaug <jarle.elshaug@gmail.com> (https://elshaug.xyz)",