fix: basic authentication and onPrem Connectivity (#1547)

CHANGELOG.md

@@ -26,6 +26,7 @@
 
 ## Fixed Issues
 
+- [core] Fix failing destination retrieval for `OnPremise` proxy type and basic authentication. 
 - [openapi-generator] Fix generation of options per service configuration files to always use POSIX-style file path separators independent of operating system.
 
 

packages/core/src/connectivity/scp-cf/connectivity-service.spec.ts

@@ -52,12 +52,14 @@ describe('connectivity-service', () => {
 
     const input: Destination = {
       url: 'https://example.com',
-      proxyType: 'OnPremise'
+      proxyType: 'OnPremise',
+      authentication: 'PrincipalPropagation'
     };
 
     const expected: Destination = {
       url: 'https://example.com',
       proxyType: 'OnPremise',
+      authentication: 'PrincipalPropagation',
       proxyConfiguration: {
         ...mockedConnectivityServiceProxyConfig,
         headers: {

packages/core/src/connectivity/scp-cf/connectivity-service.ts

@@ -1,10 +1,14 @@
 import { createLogger, ErrorWithCause } from '@sap-cloud-sdk/util';
 import { Protocol } from './protocol';
 import { ProxyConfiguration } from './connectivity-service-types';
-import { Destination } from './destination/destination-service-types';
+import {
+  AuthenticationType,
+  Destination
+} from './destination/destination-service-types';
 import { EnvironmentAccessor } from './environment-accessor';
 import { Service } from './environment-accessor-types';
 import { serviceToken } from './token-accessor';
+import { decodeJwt, isUserToken, JwtPair } from './jwt';
 
 const logger = createLogger({
   package: 'core',
@@ -28,18 +32,30 @@ export function addProxyConfiguration(
 ): Promise<Destination> {
   return Promise.resolve()
     .then(() => proxyHostAndPort())
-    .then(hostAndPort => addHeaders(hostAndPort, jwt))
+    .then(hostAndPort =>
+      addHeaders(hostAndPort, destination.authentication, jwt)
+    )
     .then(proxyConfiguration => ({
       ...destination,
       proxyConfiguration
     }));
 }
 
+// TODO: remove string argument in v2.0
 export function addProxyConfigurationOnPrem(
   destination: Destination,
-  jwt?: string
+  jwt: string | JwtPair | undefined
 ): Promise<Destination> {
-  return addProxyConfiguration(destination, jwt);
+  const jwtPair =
+    typeof jwt === 'string' ? { encoded: jwt, decoded: decodeJwt(jwt) } : jwt;
+  if (
+    destination.authentication === 'PrincipalPropagation' &&
+    !isUserToken(jwtPair)
+  ) {
+    throw new Error('For principal propagation a user JWT is needed.');
+  }
+
+  return addProxyConfiguration(destination, jwtPair?.encoded);
 }
 
 interface HostAndPort {
@@ -73,6 +89,7 @@ function readConnectivityServiceBinding(): Service {
 
 function addHeaders(
   hostAndPort: HostAndPort,
+  authenticationType: AuthenticationType | undefined,
   jwt?: string
 ): Promise<ProxyConfiguration> {
   const connServiceBinding = readConnectivityServiceBinding();
@@ -81,7 +98,7 @@ function addHeaders(
     .then(() => proxyAuthorizationHeader(connServiceBinding, jwt))
     .then(proxyAuthHeader => ({
       ...proxyAuthHeader,
-      ...sapConnectivityAuthenticationHeader(jwt)
+      ...sapConnectivityAuthenticationHeader(authenticationType, jwt)
     }))
     .then(
       headers =>
@@ -109,16 +126,25 @@ function proxyAuthorizationHeader(
 }
 
 function sapConnectivityAuthenticationHeader(
+  authenticationType: AuthenticationType | undefined,
   jwt?: string
 ): Record<string, string> {
-  if (jwt) {
-    return {
-      'SAP-Connectivity-Authentication': `Bearer ${jwt}`
-    };
+  if (authenticationType === 'PrincipalPropagation') {
+    if (jwt) {
+      return {
+        'SAP-Connectivity-Authentication': `Bearer ${jwt}`
+      };
+    }
+    throw new Error(
+      `Unable to create "SAP-Connectivity-Authentication" header: no JWT found on the current request.
+     Connecting to on-premise systems via principle propagation is not possible.`
+    );
+  }
+  if (authenticationType === 'BasicAuthentication') {
+    logger.warn(
+      'You are connecting to an On-Premise system using basic authentication. For productive usage Principal propagation is recommended.'
+    );
   }
-  logger.warn(
-    `Unable to create "SAP-Connectivity-Authentication" header: no JWT found on the current request.
-    Continuing without header. Connecting to on-premise systems may not be possible.`
-  );
+
   return {};
 }