Laszlo Kajan

Using the TCP Protocol for Node.js Cloud Applications

Goal

Complement the Java example on the SAP help page ‘Consuming the Connectivity Service / Using the TCP Protocol for Cloud Applications‘ with a Node.js example.

Keywords: ‘how to use the SAP BTP CF connectivity service SOCKS5, TCP proxy from a Node.js application?’, ‘how to reach an on-premises TCP service from a BTP CF Node.js application?’

Node.js example

This example provides a SOCKS5 client implementation that uses the connectivity service available in the Business Technology Platform (BTP) Cloud Foundry (CF) environment.

The code defines a connection utility module ‘btp-cf-socks5-proxy-utils’, with type information using JSDoc annotations. Thanks to the JSDoc typing, the module provides TypeScript checks and inline hints when used in the Business Application Studio (BAS):

// @ts-check
'use strict';
/** @type {import('assert/strict')} */
const assert = require('assert').strict;
const SocksClient = require('socks').SocksClient;

let btpCfSocks5ProxyUtils = {

    // See the implementation of assertAuthenticationResponse() at Using the TCP Protocol for Cloud Applications | https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/cd1583775afa43f0bb9ec69d9dbcc880.html
    SOCKS5_AUTHENTICATION_SUCCESS_BYTE: 0x00,
    SOCKS5_CUSTOM_RESP_SIZE: 2,
    SOCKS5_JWT_AUTHENTICATION_METHOD_VERSION: 0x01,

    /**
     * @typedef {object} ConnectionOptions
     * @prop {string}           [cc_location=""] - cloud connector location, optional
     * @prop {string}           conn_svc_token - JWT token obtained via client_credentials grant for bound connectivity service
     * @prop {string}           remote_host - proxy destination host
     * @prop {number}           remote_port - proxy destination port
     * @prop {string}           onpremise_proxy_host - SOCKS5 proxy host
     * @prop {number | string}  onpremise_socks5_proxy_port - SOCKS5 proxy port
     */

    /**
     * @typedef {import('socks/typings/common/constants').SocksClientEstablishedEvent} SocksClientEstablishedEvent
     */

    /**
     * Creates a new SOCKS connection.
     * @param {ConnectionOptions} opts
     * @returns {Promise<SocksClientEstablishedEvent>}
     */
    createConnection: function (opts) {
        const ccLocation = opts.cc_location || "";

        /**
         * @type {import('socks').SocksClientOptions}
         */
        const options = {
            proxy: {
                host: opts.onpremise_proxy_host,
                port: typeof opts.onpremise_socks5_proxy_port === 'number' ? opts.onpremise_socks5_proxy_port : parseInt(opts.onpremise_socks5_proxy_port, 10),
                type: 5, // Proxy version (4 or 5)
                //
                // SOCKS5 Custom authentication
                custom_auth_method: 0x80,
                custom_auth_request_handler: btpCfSocks5ProxyUtils.getCustomAuthRequestHandler(
                    opts.conn_svc_token, ccLocation),
                custom_auth_response_size: btpCfSocks5ProxyUtils.SOCKS5_CUSTOM_RESP_SIZE,
                custom_auth_response_handler: btpCfSocks5ProxyUtils.customAuthResponseHandler
            },

            command: 'connect', // SOCKS command (createConnection factory function only supports the connect command)

            destination: {
                host: opts.remote_host,
                port: opts.remote_port
            }
        };

        return SocksClient.createConnection(options);
    },

    /**
     * @callback CustomAuthRequestHandler
     * @param {string} connSvcToken - JWT token obtained via client_credentials grant for bound connectivity service
     * @param {string} cloudConnectorLocation - cloud connector location or ""
     * @returns {Promise<Buffer>}
     */
    /** @type {CustomAuthRequestHandler} */
    customAuthRequestHandler: async function (connSvcToken, cloudConnectorLocation) {

        // Called by 'socks' when it is time to send the custom authentication sub-negotiation; it must resolve
        // to the Buffer to send. Wire layout (see the SAP help page linked above):
        //   1 byte  - authentication method version (0x01)
        //   4 bytes - length of the JWT, unsigned big-endian
        //   X bytes - the JWT in its encoded (compact serialization) form
        //   1 byte  - length of the base64-encoded Cloud Connector location ID (0 if none is used)
        //   Y bytes - the Cloud Connector location ID, base64-encoded
        const _1_authMethodVersion = Buffer.from([btpCfSocks5ProxyUtils.SOCKS5_JWT_AUTHENTICATION_METHOD_VERSION]);
        const _3_jwtBuf = Buffer.from(connSvcToken, 'binary');      // a compact JWT is ASCII, so 'binary' (latin1) maps it 1:1
        const _2_jwtBufLength = Buffer.allocUnsafe(4);
        _2_jwtBufLength.writeUInt32BE(_3_jwtBuf.length);           // the length field is unsigned
        const _5_ccNameB64 = Buffer.from(Buffer.from(cloudConnectorLocation, 'utf8').toString('base64'), 'ascii');
        // The location ID length is a single byte: fail with a clear message rather than a RangeError from writeUInt8()
        assert.ok(_5_ccNameB64.length <= 0xff,
            `Base64-encoded Cloud Connector location ID is ${_5_ccNameB64.length} bytes, the maximum is 255`);
        const _4_ccNameLength = Buffer.allocUnsafe(1);
        _4_ccNameLength.writeUInt8(_5_ccNameB64.length);

        let retBuf = Buffer.alloc(
            _1_authMethodVersion.length +
            _2_jwtBufLength.length +
            _3_jwtBuf.length +
            _4_ccNameLength.length +
            _5_ccNameB64.length
        );

        /** @type {number} */
        let offset = 0;
        _1_authMethodVersion.copy(retBuf, offset); offset += _1_authMethodVersion.length;
        _2_jwtBufLength.copy(retBuf, offset); offset += _2_jwtBufLength.length;
        _3_jwtBuf.copy(retBuf, offset); offset += _3_jwtBuf.length;
        _4_ccNameLength.copy(retBuf, offset); offset += _4_ccNameLength.length;
        if (_5_ccNameB64.length > 0) {
            _5_ccNameB64.copy(retBuf, offset); offset += _5_ccNameB64.length;
        }

        assert.equal(offset, retBuf.length);

        // Do not log retBuf: it carries the bearer token for the connectivity service in the clear.
        return retBuf;
    },

    /**
     * @param {Buffer} data SOCKS proxy authentication response
     * @returns {Promise<boolean>} resolves to true on success; rejects on any other outcome
     */
    customAuthResponseHandler: async function (data) {

        // The proxy answers with exactly two bytes: authentication method version and status.
        assert.equal(data.length, btpCfSocks5ProxyUtils.SOCKS5_CUSTOM_RESP_SIZE);

        const authenticationMethodVersion = data[0];
        const authenticationStatus = data[1];

        if (btpCfSocks5ProxyUtils.SOCKS5_JWT_AUTHENTICATION_METHOD_VERSION !== authenticationMethodVersion) {
            throw new Error(`Unsupported authentication method version - expected ${btpCfSocks5ProxyUtils.SOCKS5_JWT_AUTHENTICATION_METHOD_VERSION}, but received ${authenticationMethodVersion}`);
        }
        if (btpCfSocks5ProxyUtils.SOCKS5_AUTHENTICATION_SUCCESS_BYTE !== authenticationStatus) {
            throw new Error(`Authentication failed (${authenticationStatus})!`);
        }
        return true;
    },

    /**
     * @param {string} connSvcToken - JWT token obtained via client_credentials grant for bound connectivity service
     * @param {string} cloudConnectorLocation - cloud connector location or ""
     * @returns {() => Promise<Buffer>}
     */
    getCustomAuthRequestHandler: function (connSvcToken, cloudConnectorLocation) {
        return btpCfSocks5ProxyUtils.customAuthRequestHandler.bind(null, connSvcToken, cloudConnectorLocation);
    }
};

module.exports = btpCfSocks5ProxyUtils;

This example shows how the ‘btp-cf-socks5-proxy-utils’ module can be used to connect to the SOCKS5 proxy provided by a bound connectivity service:

// Assumed to be provided by the surrounding application (not shown in this post):
//   options    - { ldapsVirtualLocation, ldapsVirtualHost, ldapsVirtualPort, idleTimeoutMillisec },
//                matching the TCP access control entry configured in the Cloud Connector
//   tlsOptions - Node.js TLS options for the LDAPS session; keep certificate verification enabled
//                and point 'ca' at the issuer of the on-premise LDAP server's certificate
//   LdapClient, ldapUrl - the application's LDAP client class and its ldaps:// URL
const btpCfSocks5ProxyUtils = require('btp-cf-socks5-proxy-utils');
const sdkCore = require('@sap-cloud-sdk/core');
const xsenv = require('@sap/xsenv');

async function connectLdapsViaConnectivityProxy(options, tlsOptions) {
    // Connectivity service: credentials of the bound instance, and a client_credentials token for it
    const connServiceCredentials = xsenv.serviceCredentials({ tag: 'connectivity' });
    const connSvcToken = await sdkCore.serviceToken('connectivity', {
        isolationStrategy: sdkCore.IsolationStrategy.No_Isolation, // there's just one bound connectivity service, no tenants
        useCache: true
    });

    // SOCKS proxy: authenticate with the token and ask the proxy to connect to the virtual host/port
    const info = await btpCfSocks5ProxyUtils.createConnection({
        cc_location: options.ldapsVirtualLocation,
        conn_svc_token: connSvcToken,
        remote_host: options.ldapsVirtualHost,
        remote_port: options.ldapsVirtualPort,
        onpremise_proxy_host: connServiceCredentials.onpremise_proxy_host,
        onpremise_socks5_proxy_port: connServiceCredentials.onpremise_socks5_proxy_port
    });

    // Example LDAP client that uses the socket - info.socket - from above.
    // TLS is negotiated over the tunnelled socket, so the LDAPS session terminates at the
    // on-premise LDAP server; the proxy and the Cloud Connector only forward TCP.
    const newLdapClient = new LdapClient({
        idleTimeout: options.idleTimeoutMillisec || 0,
        tlsOptions: Object.assign({}, tlsOptions, { socket: info.socket }),
        url: [ldapUrl]
    });
    return newLdapClient;
}

Summary

In this blog I presented a to-the-point Node.js example for using the SOCKS5 TCP proxy with SAP BTP cloud applications.

(A public, open source module – ‘btp-cf-socks5-proxy-utils’ – of the code presented here is soon to be published.)

Author and motivation

Laszlo Kajan is a full stack SAP developer present on the field since 2015, diversifying into the area of SAP Business Technology Platform (BTP) development.

The motivation behind this blog post is to complement the Java ‘Using the TCP Protocol for Cloud Applications’ example available on help.sap.com with a Node.js example. This is done in the hope that it will save fellow developers some time.

      9 Comments

      Pieter Janssens

      Hi Laszlo,

      I've been working on a similar module: https://github.com/piejanssens/sap-cf-socks

      Have you tested your client application (ldap in this case) after a longer period of time?

      In my experience the BTP Connectivity service was closing the socket: socket 'end' event after 60s or 10s after last activity. So if you have activity at 55s, it will end at 1m5s.

      Best regards,

      Pieter

      Manol Valchev

      Hi Laszlo,

      BTP Connectivity service shall not be closing the connection with no reason for this. In fact, there are analytics scenarios based on the SOCKS5 proxy feature which serve long-running connections, e.g. ask a database to do complex work and respond back.

      In case the socket is really idle and there's no traffic going on, even lower level heartbeats, then the service would perceive that socket as not used and would close/reset the connection after the threshold is reached.

      Beware that connection re-establishment shall be fast, as the tunnel between the cloud app and premise is kept alive, only the first and last mile of the connection chains are closed.

      Regards,
      Manol

      Laszlo Kajan
      Blog Post Author

      Dear Pieter!

      What a nice module, 'sap-cf-socks', thanks for that! 🙂

      I have an 'idleTimeout' set on my LDAP client, which is 9 seconds at the moment, and then I have logic that re-opens the proxy and then the LDAP connection, when there is a need to search the directory again.

      With this setup, I have not (yet?) observed unexpected losses of connection. Nevertheless I do have one re-attempt programmed using 'backoff' (not shown in this blog post).

      Best regards,
      Laszlo

      Former Member

      Hi Laszlo,

      First of all, very nice blog with good explanation. I followed the blog and tried to connect to LDAP but am getting an error in the connection creation step, i.e. "SocksClient.createConnection(options)". The error is "Socks5 proxy rejected connection - NotAllowed". I am passing the options in the format below. I enabled the path with LDAP protocol in cloud connector and I have a doubt about the destination host and port format. Can you please suggest what I am doing wrong here?

      const options = {
                  proxy: {
                      host: opts.onpremise_proxy_host,
                      port: typeof opts.onpremise_socks5_proxy_port === 'number' ? opts.onpremise_socks5_proxy_port : parseInt(opts.onpremise_socks5_proxy_port, 10),
                      type: 5, // Proxy version (4 or 5)
                      //
                      // SOCKS5 Custom authentication
                      custom_auth_method: 0x80,
                      custom_auth_request_handler: btpCfSocks5ProxyUtils.getCustomAuthRequestHandler(
                          opts.conn_svc_token, ccLocation),
                      custom_auth_response_size: btpCfSocks5ProxyUtils.SOCKS5_CUSTOM_RESP_SIZE,
                      custom_auth_response_handler: btpCfSocks5ProxyUtils.customAuthResponseHandler
                  },
      
                  command: 'connect', // SOCKS command (createConnection factory function only supports the connect command)
      
                  destination: {
                      host: "xxxx.xx.sap",
                      port: 636
                  }
              };
      
      Regards,
      Bharadwaj

      Laszlo Kajan
      Blog Post Author

      Hello Bharadwaj!

      You write: "I enabled the path with LDAP protocol in cloud connector". I'm afraid this blog post, as the title says, is about "Using the TCP Protocol".

      I'm not sure SAP published an example for using the LDAP protocol.

      Best regards,
      Laszlo

      Former Member

      Hi  Laszlo,

      Thank you for your response. Can you please tell me the protocol, host and port to be passed in options.ldapsVirtualHost and options.ldapsVirtualPort. By looking at names I initially thought that you are accessing a service which is enabled in Cloud connector with ldap protocol. If we want to enable the TCP protocol in cloud connector then please let me know the way to find the port of it.


      Regards,

      Bharadwaj

      Laszlo Kajan
      Blog Post Author

      Dear Bharadwaj!

      Yes, I used a TCP virtual host and port configured in the cloud connector: Configure Access Control (TCP).

      You can set any virtual host and port that is not yet used.

      For internal host and port, you need to give the host and port of the TCP server, e.g. an LDAP server. The standard port for LDAP is 389, for LDAPS 636.

      Best regards,
      Laszlo

      Former Member

      Hi Laszlo,


      I have attached the steps in the file. Could you please check and let me know where I am doing wrong?


      https://docs.google.com/document/d/13dGkU8ySU2btOGa2yHNlf9L1SpZmPRDq/edit?usp=sharing&ouid=116853498742638882493&rtpof=true&sd=true


      Regards,

      Bharadwaj

      Gregor Wolf

      Hi

      do you have a pointer to the btp-cf-socks5-proxy-utils module? The repository https://github.com/Roche/btp-cf-socks5-proxy-utils is empty. Have you tried https://github.com/jowavp/sap-cf-proxy, which just got an addition for SOCKS5 proxying directly to SAP Cloud Connector (#27)?

      Best Regards
      Gregor