mirror of
https://github.com/bvanroll/yahoo-thing.git
synced 2025-08-29 20:12:46 +00:00
443 lines
12 KiB
JavaScript
443 lines
12 KiB
JavaScript
'use strict';
|
|
|
|
var f = require('util').format,
|
|
crypto = require('crypto'),
|
|
retrieveBSON = require('../connection/utils').retrieveBSON,
|
|
Query = require('../connection/commands').Query,
|
|
MongoError = require('../error').MongoError,
|
|
Buffer = require('safe-buffer').Buffer;
|
|
|
|
let saslprep;
|
|
|
|
try {
|
|
saslprep = require('saslprep');
|
|
} catch (e) {
|
|
// don't do anything;
|
|
}
|
|
|
|
var BSON = retrieveBSON(),
|
|
Binary = BSON.Binary;
|
|
|
|
var AuthSession = function(db, username, password) {
|
|
this.db = db;
|
|
this.username = username;
|
|
this.password = password;
|
|
};
|
|
|
|
AuthSession.prototype.equal = function(session) {
|
|
return (
|
|
session.db === this.db &&
|
|
session.username === this.username &&
|
|
session.password === this.password
|
|
);
|
|
};
|
|
|
|
var id = 0;
|
|
|
|
/**
|
|
* Creates a new ScramSHA authentication mechanism
|
|
* @class
|
|
* @return {ScramSHA} A cursor instance
|
|
*/
|
|
var ScramSHA = function(bson, cryptoMethod) {
|
|
this.bson = bson;
|
|
this.authStore = [];
|
|
this.id = id++;
|
|
this.cryptoMethod = cryptoMethod || 'sha1';
|
|
};
|
|
|
|
var parsePayload = function(payload) {
|
|
var dict = {};
|
|
var parts = payload.split(',');
|
|
|
|
for (var i = 0; i < parts.length; i++) {
|
|
var valueParts = parts[i].split('=');
|
|
dict[valueParts[0]] = valueParts[1];
|
|
}
|
|
|
|
return dict;
|
|
};
|
|
|
|
var passwordDigest = function(username, password) {
|
|
if (typeof username !== 'string') throw new MongoError('username must be a string');
|
|
if (typeof password !== 'string') throw new MongoError('password must be a string');
|
|
if (password.length === 0) throw new MongoError('password cannot be empty');
|
|
// Use node md5 generator
|
|
var md5 = crypto.createHash('md5');
|
|
// Generate keys used for authentication
|
|
md5.update(username + ':mongo:' + password, 'utf8');
|
|
return md5.digest('hex');
|
|
};
|
|
|
|
// XOR two buffers
|
|
function xor(a, b) {
|
|
if (!Buffer.isBuffer(a)) a = Buffer.from(a);
|
|
if (!Buffer.isBuffer(b)) b = Buffer.from(b);
|
|
const length = Math.max(a.length, b.length);
|
|
const res = [];
|
|
|
|
for (let i = 0; i < length; i += 1) {
|
|
res.push(a[i] ^ b[i]);
|
|
}
|
|
|
|
return Buffer.from(res).toString('base64');
|
|
}
|
|
|
|
function H(method, text) {
|
|
return crypto
|
|
.createHash(method)
|
|
.update(text)
|
|
.digest();
|
|
}
|
|
|
|
function HMAC(method, key, text) {
|
|
return crypto
|
|
.createHmac(method, key)
|
|
.update(text)
|
|
.digest();
|
|
}
|
|
|
|
var _hiCache = {};
|
|
var _hiCacheCount = 0;
|
|
var _hiCachePurge = function() {
|
|
_hiCache = {};
|
|
_hiCacheCount = 0;
|
|
};
|
|
|
|
const hiLengthMap = {
|
|
sha256: 32,
|
|
sha1: 20
|
|
};
|
|
|
|
function HI(data, salt, iterations, cryptoMethod) {
|
|
// omit the work if already generated
|
|
const key = [data, salt.toString('base64'), iterations].join('_');
|
|
if (_hiCache[key] !== undefined) {
|
|
return _hiCache[key];
|
|
}
|
|
|
|
// generate the salt
|
|
const saltedData = crypto.pbkdf2Sync(
|
|
data,
|
|
salt,
|
|
iterations,
|
|
hiLengthMap[cryptoMethod],
|
|
cryptoMethod
|
|
);
|
|
|
|
// cache a copy to speed up the next lookup, but prevent unbounded cache growth
|
|
if (_hiCacheCount >= 200) {
|
|
_hiCachePurge();
|
|
}
|
|
|
|
_hiCache[key] = saltedData;
|
|
_hiCacheCount += 1;
|
|
return saltedData;
|
|
}
|
|
|
|
/**
|
|
* Authenticate
|
|
* @method
|
|
* @param {{Server}|{ReplSet}|{Mongos}} server Topology the authentication method is being called on
|
|
* @param {[]Connections} connections Connections to authenticate using this authenticator
|
|
* @param {string} db Name of the database
|
|
* @param {string} username Username
|
|
* @param {string} password Password
|
|
* @param {authResultCallback} callback The callback to return the result from the authentication
|
|
* @return {object}
|
|
*/
|
|
ScramSHA.prototype.auth = function(server, connections, db, username, password, callback) {
|
|
var self = this;
|
|
// Total connections
|
|
var count = connections.length;
|
|
if (count === 0) return callback(null, null);
|
|
|
|
// Valid connections
|
|
var numberOfValidConnections = 0;
|
|
var errorObject = null;
|
|
|
|
const cryptoMethod = this.cryptoMethod;
|
|
let mechanism = 'SCRAM-SHA-1';
|
|
let processedPassword;
|
|
|
|
if (cryptoMethod === 'sha256') {
|
|
mechanism = 'SCRAM-SHA-256';
|
|
|
|
let saslprepFn = (server.s && server.s.saslprep) || saslprep;
|
|
|
|
if (saslprepFn) {
|
|
processedPassword = saslprepFn(password);
|
|
} else {
|
|
console.warn('Warning: no saslprep library specified. Passwords will not be sanitized');
|
|
processedPassword = password;
|
|
}
|
|
} else {
|
|
processedPassword = passwordDigest(username, password);
|
|
}
|
|
|
|
// Execute MongoCR
|
|
var executeScram = function(connection) {
|
|
// Clean up the user
|
|
username = username.replace('=', '=3D').replace(',', '=2C');
|
|
|
|
// Create a random nonce
|
|
var nonce = crypto.randomBytes(24).toString('base64');
|
|
// var nonce = 'MsQUY9iw0T9fx2MUEz6LZPwGuhVvWAhc'
|
|
|
|
// NOTE: This is done b/c Javascript uses UTF-16, but the server is hashing in UTF-8.
|
|
// Since the username is not sasl-prep-d, we need to do this here.
|
|
const firstBare = Buffer.concat([
|
|
Buffer.from('n=', 'utf8'),
|
|
Buffer.from(username, 'utf8'),
|
|
Buffer.from(',r=', 'utf8'),
|
|
Buffer.from(nonce, 'utf8')
|
|
]);
|
|
|
|
// Build command structure
|
|
var cmd = {
|
|
saslStart: 1,
|
|
mechanism: mechanism,
|
|
payload: new Binary(Buffer.concat([Buffer.from('n,,', 'utf8'), firstBare])),
|
|
autoAuthorize: 1
|
|
};
|
|
|
|
// Handle the error
|
|
var handleError = function(err, r) {
|
|
if (err) {
|
|
numberOfValidConnections = numberOfValidConnections - 1;
|
|
errorObject = err;
|
|
return false;
|
|
} else if (r.result['$err']) {
|
|
errorObject = r.result;
|
|
return false;
|
|
} else if (r.result['errmsg']) {
|
|
errorObject = r.result;
|
|
return false;
|
|
} else {
|
|
numberOfValidConnections = numberOfValidConnections + 1;
|
|
}
|
|
|
|
return true;
|
|
};
|
|
|
|
// Finish up
|
|
var finish = function(_count, _numberOfValidConnections) {
|
|
if (_count === 0 && _numberOfValidConnections > 0) {
|
|
// Store the auth details
|
|
addAuthSession(self.authStore, new AuthSession(db, username, password));
|
|
// Return correct authentication
|
|
return callback(null, true);
|
|
} else if (_count === 0) {
|
|
if (errorObject == null)
|
|
errorObject = new MongoError(f('failed to authenticate using scram'));
|
|
return callback(errorObject, false);
|
|
}
|
|
};
|
|
|
|
var handleEnd = function(_err, _r) {
|
|
// Handle any error
|
|
handleError(_err, _r);
|
|
// Adjust the number of connections
|
|
count = count - 1;
|
|
// Execute the finish
|
|
finish(count, numberOfValidConnections);
|
|
};
|
|
|
|
// Write the commmand on the connection
|
|
server(
|
|
connection,
|
|
new Query(self.bson, f('%s.$cmd', db), cmd, {
|
|
numberToSkip: 0,
|
|
numberToReturn: 1
|
|
}),
|
|
function(err, r) {
|
|
// Do we have an error, handle it
|
|
if (handleError(err, r) === false) {
|
|
count = count - 1;
|
|
|
|
if (count === 0 && numberOfValidConnections > 0) {
|
|
// Store the auth details
|
|
addAuthSession(self.authStore, new AuthSession(db, username, password));
|
|
// Return correct authentication
|
|
return callback(null, true);
|
|
} else if (count === 0) {
|
|
if (errorObject == null)
|
|
errorObject = new MongoError(f('failed to authenticate using scram'));
|
|
return callback(errorObject, false);
|
|
}
|
|
|
|
return;
|
|
}
|
|
|
|
// Get the dictionary
|
|
var dict = parsePayload(r.result.payload.value());
|
|
|
|
// Unpack dictionary
|
|
var iterations = parseInt(dict.i, 10);
|
|
var salt = dict.s;
|
|
var rnonce = dict.r;
|
|
|
|
// Set up start of proof
|
|
var withoutProof = f('c=biws,r=%s', rnonce);
|
|
var saltedPassword = HI(
|
|
processedPassword,
|
|
Buffer.from(salt, 'base64'),
|
|
iterations,
|
|
cryptoMethod
|
|
);
|
|
|
|
if (iterations && iterations < 4096) {
|
|
const error = new MongoError(`Server returned an invalid iteration count ${iterations}`);
|
|
return callback(error, false);
|
|
}
|
|
|
|
// Create the client key
|
|
const clientKey = HMAC(cryptoMethod, saltedPassword, 'Client Key');
|
|
|
|
// Create the stored key
|
|
const storedKey = H(cryptoMethod, clientKey);
|
|
|
|
// Create the authentication message
|
|
const authMessage = [
|
|
firstBare,
|
|
r.result.payload.value().toString('base64'),
|
|
withoutProof
|
|
].join(',');
|
|
|
|
// Create client signature
|
|
const clientSignature = HMAC(cryptoMethod, storedKey, authMessage);
|
|
|
|
// Create client proof
|
|
const clientProof = f('p=%s', xor(clientKey, clientSignature));
|
|
|
|
// Create client final
|
|
const clientFinal = [withoutProof, clientProof].join(',');
|
|
|
|
// Create continue message
|
|
const cmd = {
|
|
saslContinue: 1,
|
|
conversationId: r.result.conversationId,
|
|
payload: new Binary(Buffer.from(clientFinal))
|
|
};
|
|
|
|
//
|
|
// Execute sasl continue
|
|
// Write the commmand on the connection
|
|
server(
|
|
connection,
|
|
new Query(self.bson, f('%s.$cmd', db), cmd, {
|
|
numberToSkip: 0,
|
|
numberToReturn: 1
|
|
}),
|
|
function(err, r) {
|
|
if (r && r.result.done === false) {
|
|
var cmd = {
|
|
saslContinue: 1,
|
|
conversationId: r.result.conversationId,
|
|
payload: Buffer.alloc(0)
|
|
};
|
|
|
|
// Write the commmand on the connection
|
|
server(
|
|
connection,
|
|
new Query(self.bson, f('%s.$cmd', db), cmd, {
|
|
numberToSkip: 0,
|
|
numberToReturn: 1
|
|
}),
|
|
function(err, r) {
|
|
handleEnd(err, r);
|
|
}
|
|
);
|
|
} else {
|
|
handleEnd(err, r);
|
|
}
|
|
}
|
|
);
|
|
}
|
|
);
|
|
};
|
|
|
|
var _execute = function(_connection) {
|
|
process.nextTick(function() {
|
|
executeScram(_connection);
|
|
});
|
|
};
|
|
|
|
// For each connection we need to authenticate
|
|
while (connections.length > 0) {
|
|
_execute(connections.shift());
|
|
}
|
|
};
|
|
|
|
// Add to store only if it does not exist
|
|
var addAuthSession = function(authStore, session) {
|
|
var found = false;
|
|
|
|
for (var i = 0; i < authStore.length; i++) {
|
|
if (authStore[i].equal(session)) {
|
|
found = true;
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (!found) authStore.push(session);
|
|
};
|
|
|
|
/**
|
|
* Remove authStore credentials
|
|
* @method
|
|
* @param {string} db Name of database we are removing authStore details about
|
|
* @return {object}
|
|
*/
|
|
ScramSHA.prototype.logout = function(dbName) {
|
|
this.authStore = this.authStore.filter(function(x) {
|
|
return x.db !== dbName;
|
|
});
|
|
};
|
|
|
|
/**
|
|
* Re authenticate pool
|
|
* @method
|
|
* @param {{Server}|{ReplSet}|{Mongos}} server Topology the authentication method is being called on
|
|
* @param {[]Connections} connections Connections to authenticate using this authenticator
|
|
* @param {authResultCallback} callback The callback to return the result from the authentication
|
|
* @return {object}
|
|
*/
|
|
ScramSHA.prototype.reauthenticate = function(server, connections, callback) {
|
|
var authStore = this.authStore.slice(0);
|
|
var count = authStore.length;
|
|
// No connections
|
|
if (count === 0) return callback(null, null);
|
|
// Iterate over all the auth details stored
|
|
for (var i = 0; i < authStore.length; i++) {
|
|
this.auth(
|
|
server,
|
|
connections,
|
|
authStore[i].db,
|
|
authStore[i].username,
|
|
authStore[i].password,
|
|
function(err) {
|
|
count = count - 1;
|
|
// Done re-authenticating
|
|
if (count === 0) {
|
|
callback(err, null);
|
|
}
|
|
}
|
|
);
|
|
}
|
|
};
|
|
|
|
class ScramSHA1 extends ScramSHA {
|
|
constructor(bson) {
|
|
super(bson, 'sha1');
|
|
}
|
|
}
|
|
|
|
class ScramSHA256 extends ScramSHA {
|
|
constructor(bson) {
|
|
super(bson, 'sha256');
|
|
}
|
|
}
|
|
|
|
module.exports = { ScramSHA1, ScramSHA256 };
|