feat: use as ClientCertificateas object property

Author: marianfoo

packages/ui5-middleware-onelogin/README.md

@@ -27,19 +27,36 @@ npm install ui5-middleware-onelogin --save-dev
 
 ## Configuration options (in `$yourapp/ui5.yaml`)
 
-Currently you can define the properties in the configuration (see below) or the following environment variables are used.
+You can define the properties either in the configuration (YAML file) or using environment variables. The order of precedence is:
+
+1. YAML file configuration
+2. Environment variables
+3. Default configuration
+
+**Important:** When configuring `ClientCertificate`, you must define all its properties either in the YAML file or in environment variables. Mixing definitions between YAML and environment variables for `ClientCertificate` is not supported.
+
+Currently, you can define the following properties:
 
 - path: `string` either the url or the hostname and port of the SAP system
 - subdirectory`(optional)`: `string` the subdirectory that is appended to the path, defaults to the fiori launchpad at /sap/bc/ui2/flp
 - username`(optional)`: `string` Username to be used to login to the launchpad
-- password`(optional)`: `string`Password used to login
+- password`(optional)`: `string` Password used to login
 - useCertificate`(optional)`: `boolean` use a certificate to login instead of username and password
 - debug`(optional)`: `boolean` true will open up the playwright browser so you can see what's going on
 
 **NB1:** If you choose to use the certificate login then check the property AutoSelectCertificateForUrls in chrome://policy if it holds the url pattern for your system. [Playwright](https://github.com/microsoft/playwright/issues/1799) has an issue to handle the certificate prompt. Another workaround is to set debug and useCertificate to true in the configuration and press ok when the prompt opens
 
 **NB2:** If your system does not host a fiori launchpad, you will have to adjust the subdirectory to point to a different login protected page. In the case of a MII java stack that hosts an OData service, try setting subdirectory to XMII/PropertyAccessServlet?Mode=List
 
+- ClientCertificate`(optional)`: `object` Configuration for client certificate authentication
+  - origin: `string` Exact origin that the certificate is valid for. Origin includes https protocol, a hostname and optionally a port.
+  - certPath: `string` Path to the file with the certificate in PEM format.
+  - keyPath: `string` Path to the file with the private key in PEM format.
+  - pfxPath: `string` Path to the PFX or PKCS12 encoded private key and certificate chain.
+  - passphrase: `string` Passphrase for the private key (PEM or PFX).
+
+You can set the following environment variables in your .env file (remember to add it to your .gitignore):
+
 You can either add the following properties to your .env file, remember to add that to your .gitignore
 
 - UI5_MIDDLEWARE_ONELOGIN_LOGIN_URL or UI5_MIDDLEWARE_SIMPLE_PROXY_BASEURI

packages/ui5-middleware-onelogin/lib/cookieGetter.js

@@ -0,0 +1,4 @@
+UI5_MIDDLEWARE_ONELOGIN_LOGIN_URL=https://example.com/login
+UI5_MIDDLEWARE_ONELOGIN_USE_CERTIFICATE=true
+UI5_MIDDLEWARE_ONELOGIN_CLIENT_CERTIFICATES=[{"origin": "https://accounts.sap.com","pfxPath": "sap.pfx","passphrase": "XXX"}]
+UI5_MIDDLEWARE_ONELOGIN_DEBUG=true

packages/ui5-middleware-onelogin/lib/cookieGetter.js.map

@@ -22,6 +22,12 @@ server:
         path: https://emea.cockpit.btp.cloud.sap
         subdirectory: cockpit#/
         useCertificate: true
-        clientCertificatesOrigin: "https://accounts.sap.com"
-        clientCertificatesPfxPath: "sap.pfx"
-        # clientCertificatesPfxPpassphrase: used from environment variable
+        # clientCertificates:
+        #   - origin: "https://accounts.sap.com"
+        #     #certPath: "path/to/cert.pem"
+        #     # cert: Buffer value (not applicable in YAML)
+        #     #keyPath: "path/to/key.pem"
+        #     # key: Buffer value (not applicable in YAML)
+        #     pfxPath: "sap.pfx"
+        #     # pfx: Buffer value (not applicable in YAML)
+        #     #passphrase: "your_passphrase_here"

packages/ui5-middleware-onelogin/lib/index.js

@@ -81,9 +81,7 @@ export default class CookieGetter {
 				username: process.env.UI5_MIDDLEWARE_ONELOGIN_USERNAME,
 				password: process.env.UI5_MIDDLEWARE_ONELOGIN_PASSWORD,
 				useCertificate: process.env.UI5_MIDDLEWARE_ONELOGIN_USE_CERTIFICATE === "true",
-				clientCertificatesOrigin: process.env.UI5_MIDDLEWARE_ONELOGIN_CLIENT_CERTIFICATES_ORIGIN,
-				clientCertificatesPfxPath: process.env.UI5_MIDDLEWARE_ONELOGIN_CLIENT_CERTIFICATES_PFX_PATH,
-				clientCertificatesPfxPpassphrase: process.env.UI5_MIDDLEWARE_ONELOGIN_CLIENT_CERTIFICATES_PFX_PASSPHRASE,
+				clientCertificates: this.parseJSON(process.env.UI5_MIDDLEWARE_ONELOGIN_CLIENT_CERTIFICATES),
 				debug: process.env.UI5_MIDDLEWARE_ONELOGIN_DEBUG === "true",
 				query: this.parseJSON(process.env.UI5_MIDDLEWARE_ONELOGIN_QUERY),
 			},
@@ -92,6 +90,12 @@ export default class CookieGetter {
 		const effectiveOptions = Object.assign({}, options);
 		effectiveOptions.configuration = Object.assign({}, defaultOptions.configuration, envOptions.configuration, options.configuration);
 
+		// Check if clientCertificates should be used: useCertificate is true and clientCertificates is defined or clientCertificates contains any certificate
+		const useClientCertificates =
+			effectiveOptions.configuration.useCertificate ||
+			(effectiveOptions.configuration.clientCertificates &&
+				effectiveOptions.configuration.clientCertificates.some((cert) => cert.certPath || cert.cert || cert.keyPath || cert.key || cert.pfxPath || cert.pfx));
+
 		if (effectiveOptions.configuration.debug) {
 			log.info("Default options:");
 			log.info(defaultOptions);
@@ -101,6 +105,7 @@ export default class CookieGetter {
 			log.info(options);
 			log.info("Effective options:");
 			log.info(effectiveOptions);
+			log.info(`Using client certificates: ${useClientCertificates}`);
 		}
 
 		const attr: Attributes = {
@@ -109,7 +114,7 @@ export default class CookieGetter {
 			password: effectiveOptions.configuration.password!,
 		};
 
-		if ((!attr.username || !attr.password) && !effectiveOptions.configuration.useCertificate) {
+		if ((!attr.username || !attr.password) && !useClientCertificates) {
 			log.warn("No credentials provided. Please answer the following prompts");
 			if (!attr.username) {
 				attr.username = await prompt("Username: ");
@@ -141,20 +146,19 @@ export default class CookieGetter {
 			const browser = await chromium.launch(playwrightOpt);
 			const contextOptions: any = { ignoreHTTPSErrors: true };
 
-			if (effectiveOptions.configuration.useCertificate) {
-				contextOptions.clientCertificates = [
-					{
-						origin: effectiveOptions.configuration.clientCertificatesOrigin,
-						pfxPath: effectiveOptions.configuration.clientCertificatesPfxPath,
-						passphrase: effectiveOptions.configuration.clientCertificatesPfxPpassphrase,
-					},
-				];
+			if (useClientCertificates && effectiveOptions.configuration.clientCertificates) {
+				contextOptions.clientCertificates = effectiveOptions.configuration.clientCertificates;
+			}
+
+			if (effectiveOptions.configuration.debug) {
+				log.info("Client certificates configuration:");
+				log.info(contextOptions.clientCertificates);
 			}
 
 			const context = await browser.newContext(contextOptions);
 
 			const page = await context.newPage();
-			if (!effectiveOptions.configuration.useCertificate) {
+			if (!useClientCertificates) {
 				await page.goto(attr.url, { waitUntil: "domcontentloaded" });
 
 				const elem = await this.getUserInput(page);

packages/ui5-middleware-onelogin/lib/index.js.map

@@ -15,15 +15,25 @@ var firstTime: boolean = true;
 // key: string
 // }
 
+/**
+ * @typedef {Object} ClientCertificate
+ * @property {string} origin - Exact origin that the certificate is valid for. Origin includes https protocol, a hostname and optionally a port.
+ * @property {string} [certPath] - Path to the file with the certificate in PEM format.
+ * @property {Buffer} [cert] - Direct value of the certificate in PEM format.
+ * @property {string} [keyPath] - Path to the file with the private key in PEM format.
+ * @property {Buffer} [key] - Direct value of the private key in PEM format.
+ * @property {string} [pfxPath] - Path to the PFX or PKCS12 encoded private key and certificate chain.
+ * @property {Buffer} [pfx] - Direct value of the PFX or PKCS12 encoded private key and certificate chain.
+ * @property {string} [passphrase] - Passphrase for the private key (PEM or PFX).
+ */
+
 /**
  * @typedef {Object} [configuration] configuration
  * @property {string} path - The path to use => env:UI5_MIDDLEWARE_ONELOGIN_LOGIN_URL
  * @property {string} [username] the username => env:UI5_MIDDLEWARE_ONELOGIN_USERNAME
  * @property {string|yo<password>} [password] the password => env:UI5_MIDDLEWARE_ONELOGIN_PASSWORD
  * @property {boolean|yo<confirm|false>} [useCertificate] use certificate login instead of username/password
- * @property {string} [clientCertificatesOrigin] the origin of the client certificates => env:UI5_MIDDLEWARE_ONELOGIN_CLIENT_CERTIFICATES_ORIGIN
- * @property {string} [clientCertificatesPfxPath] the path to the client certificates => env:UI5_MIDDLEWARE_ONELOGIN_CLIENT_CERTIFICATES_PFX_PATH
- * @property {string} [clientCertificatesPfxPpassphrase] the passphrase to the client certificates => env:UI5_MIDDLEWARE_ONELOGIN_CLIENT_CERTIFICATES_PFX_PASSPHRASE
+ * @property {ClientCertificate[]} [clientCertificates] Array of client certificate configurations
  * @property {boolean|yo<confirm|false>} [debug] see output
  */
 /**

packages/ui5-middleware-onelogin/sample/certificate/.envTEMPLATE

@@ -7,8 +7,15 @@ export interface Options {
 		useCertificate: boolean;
 		debug?: boolean;
 		query?: unknown;
-		clientCertificatesOrigin?: string;
-		clientCertificatesPfxPath?: string;
-		clientCertificatesPfxPpassphrase?: string;
+		clientCertificates?: Array<{
+			origin: string;
+			certPath?: string;
+			cert?: Buffer;
+			keyPath?: string;
+			key?: Buffer;
+			pfxPath?: string;
+			pfx?: Buffer;
+			passphrase?: string;
+		}>;
 	};
 }