/node_modules/mongoose/node_modules/mongodb-core/lib/auth/scram.js
JavaScript | 367 lines | 245 code | 48 blank | 74 comment | 42 complexity | ddb3f61fe4a8da150a8f1da36a07e4d3 MD5 | raw file
1'use strict'; 2 3var f = require('util').format, 4 crypto = require('crypto'), 5 retrieveBSON = require('../connection/utils').retrieveBSON, 6 Query = require('../connection/commands').Query, 7 MongoError = require('../error').MongoError; 8 9var BSON = retrieveBSON(), 10 Binary = BSON.Binary; 11 12var AuthSession = function(db, username, password) { 13 this.db = db; 14 this.username = username; 15 this.password = password; 16}; 17 18AuthSession.prototype.equal = function(session) { 19 return ( 20 session.db === this.db && 21 session.username === this.username && 22 session.password === this.password 23 ); 24}; 25 26var id = 0; 27 28/** 29 * Creates a new ScramSHA1 authentication mechanism 30 * @class 31 * @return {ScramSHA1} A cursor instance 32 */ 33var ScramSHA1 = function(bson) { 34 this.bson = bson; 35 this.authStore = []; 36 this.id = id++; 37}; 38 39var parsePayload = function(payload) { 40 var dict = {}; 41 var parts = payload.split(','); 42 43 for (var i = 0; i < parts.length; i++) { 44 var valueParts = parts[i].split('='); 45 dict[valueParts[0]] = valueParts[1]; 46 } 47 48 return dict; 49}; 50 51var passwordDigest = function(username, password) { 52 if (typeof username !== 'string') throw new MongoError('username must be a string'); 53 if (typeof password !== 'string') throw new MongoError('password must be a string'); 54 if (password.length === 0) throw new MongoError('password cannot be empty'); 55 // Use node md5 generator 56 var md5 = crypto.createHash('md5'); 57 // Generate keys used for authentication 58 md5.update(username + ':mongo:' + password, 'utf8'); 59 return md5.digest('hex'); 60}; 61 62// XOR two buffers 63var xor = function(a, b) { 64 if (!Buffer.isBuffer(a)) a = new Buffer(a); 65 if (!Buffer.isBuffer(b)) b = new Buffer(b); 66 var res = []; 67 if (a.length > b.length) { 68 for (var i = 0; i < b.length; i++) { 69 res.push(a[i] ^ b[i]); 70 } 71 } else { 72 for (i = 0; i < a.length; i++) { 73 res.push(a[i] ^ b[i]); 74 } 75 } 76 return new Buffer(res); 77}; 78 79var _hiCache = {}; 80var _hiCacheCount = 0; 81var _hiCachePurge = function() { 82 _hiCache = {}; 83 _hiCacheCount = 0; 84}; 85 86var hi = function(data, salt, iterations) { 87 // omit the work if already generated 88 var key = [data, salt.toString('base64'), iterations].join('_'); 89 if (_hiCache[key] !== undefined) { 90 return _hiCache[key]; 91 } 92 93 // generate the salt 94 var saltedData = crypto.pbkdf2Sync(data, salt, iterations, 20, 'sha1'); 95 96 // cache a copy to speed up the next lookup, but prevent unbounded cache growth 97 if (_hiCacheCount >= 200) { 98 _hiCachePurge(); 99 } 100 101 _hiCache[key] = saltedData; 102 _hiCacheCount += 1; 103 return saltedData; 104}; 105 106/** 107 * Authenticate 108 * @method 109 * @param {{Server}|{ReplSet}|{Mongos}} server Topology the authentication method is being called on 110 * @param {[]Connections} connections Connections to authenticate using this authenticator 111 * @param {string} db Name of the database 112 * @param {string} username Username 113 * @param {string} password Password 114 * @param {authResultCallback} callback The callback to return the result from the authentication 115 * @return {object} 116 */ 117ScramSHA1.prototype.auth = function(server, connections, db, username, password, callback) { 118 var self = this; 119 // Total connections 120 var count = connections.length; 121 if (count === 0) return callback(null, null); 122 123 // Valid connections 124 var numberOfValidConnections = 0; 125 var errorObject = null; 126 127 // Execute MongoCR 128 var executeScram = function(connection) { 129 // Clean up the user 130 username = username.replace('=', '=3D').replace(',', '=2C'); 131 132 // Create a random nonce 133 var nonce = crypto.randomBytes(24).toString('base64'); 134 // var nonce = 'MsQUY9iw0T9fx2MUEz6LZPwGuhVvWAhc' 135 var firstBare = f('n=%s,r=%s', username, nonce); 136 137 // Build command structure 138 var cmd = { 139 saslStart: 1, 140 mechanism: 'SCRAM-SHA-1', 141 payload: new Binary(f('n,,%s', firstBare)), 142 autoAuthorize: 1 143 }; 144 145 // Handle the error 146 var handleError = function(err, r) { 147 if (err) { 148 numberOfValidConnections = numberOfValidConnections - 1; 149 errorObject = err; 150 return false; 151 } else if (r.result['$err']) { 152 errorObject = r.result; 153 return false; 154 } else if (r.result['errmsg']) { 155 errorObject = r.result; 156 return false; 157 } else { 158 numberOfValidConnections = numberOfValidConnections + 1; 159 } 160 161 return true; 162 }; 163 164 // Finish up 165 var finish = function(_count, _numberOfValidConnections) { 166 if (_count === 0 && _numberOfValidConnections > 0) { 167 // Store the auth details 168 addAuthSession(self.authStore, new AuthSession(db, username, password)); 169 // Return correct authentication 170 return callback(null, true); 171 } else if (_count === 0) { 172 if (errorObject == null) 173 errorObject = new MongoError(f('failed to authenticate using scram')); 174 return callback(errorObject, false); 175 } 176 }; 177 178 var handleEnd = function(_err, _r) { 179 // Handle any error 180 handleError(_err, _r); 181 // Adjust the number of connections 182 count = count - 1; 183 // Execute the finish 184 finish(count, numberOfValidConnections); 185 }; 186 187 // Write the commmand on the connection 188 server( 189 connection, 190 new Query(self.bson, f('%s.$cmd', db), cmd, { 191 numberToSkip: 0, 192 numberToReturn: 1 193 }), 194 function(err, r) { 195 // Do we have an error, handle it 196 if (handleError(err, r) === false) { 197 count = count - 1; 198 199 if (count === 0 && numberOfValidConnections > 0) { 200 // Store the auth details 201 addAuthSession(self.authStore, new AuthSession(db, username, password)); 202 // Return correct authentication 203 return callback(null, true); 204 } else if (count === 0) { 205 if (errorObject == null) 206 errorObject = new MongoError(f('failed to authenticate using scram')); 207 return callback(errorObject, false); 208 } 209 210 return; 211 } 212 213 // Get the dictionary 214 var dict = parsePayload(r.result.payload.value()); 215 216 // Unpack dictionary 217 var iterations = parseInt(dict.i, 10); 218 var salt = dict.s; 219 var rnonce = dict.r; 220 221 // Set up start of proof 222 var withoutProof = f('c=biws,r=%s', rnonce); 223 var passwordDig = passwordDigest(username, password); 224 var saltedPassword = hi(passwordDig, new Buffer(salt, 'base64'), iterations); 225 226 // Create the client key 227 var hmac = crypto.createHmac('sha1', saltedPassword); 228 hmac.update(new Buffer('Client Key')); 229 var clientKey = new Buffer(hmac.digest('base64'), 'base64'); 230 231 // Create the stored key 232 var hash = crypto.createHash('sha1'); 233 hash.update(clientKey); 234 var storedKey = new Buffer(hash.digest('base64'), 'base64'); 235 236 // Create the authentication message 237 var authMsg = [firstBare, r.result.payload.value().toString('base64'), withoutProof].join( 238 ',' 239 ); 240 241 // Create client signature 242 hmac = crypto.createHmac('sha1', storedKey); 243 hmac.update(new Buffer(authMsg)); 244 var clientSig = new Buffer(hmac.digest('base64'), 'base64'); 245 246 // Create client proof 247 var clientProof = f('p=%s', new Buffer(xor(clientKey, clientSig)).toString('base64')); 248 249 // Create client final 250 var clientFinal = [withoutProof, clientProof].join(','); 251 252 // 253 // Create continue message 254 var cmd = { 255 saslContinue: 1, 256 conversationId: r.result.conversationId, 257 payload: new Binary(new Buffer(clientFinal)) 258 }; 259 260 // 261 // Execute sasl continue 262 // Write the commmand on the connection 263 server( 264 connection, 265 new Query(self.bson, f('%s.$cmd', db), cmd, { 266 numberToSkip: 0, 267 numberToReturn: 1 268 }), 269 function(err, r) { 270 if (r && r.result.done === false) { 271 var cmd = { 272 saslContinue: 1, 273 conversationId: r.result.conversationId, 274 payload: new Buffer(0) 275 }; 276 277 // Write the commmand on the connection 278 server( 279 connection, 280 new Query(self.bson, f('%s.$cmd', db), cmd, { 281 numberToSkip: 0, 282 numberToReturn: 1 283 }), 284 function(err, r) { 285 handleEnd(err, r); 286 } 287 ); 288 } else { 289 handleEnd(err, r); 290 } 291 } 292 ); 293 } 294 ); 295 }; 296 297 var _execute = function(_connection) { 298 process.nextTick(function() { 299 executeScram(_connection); 300 }); 301 }; 302 303 // For each connection we need to authenticate 304 while (connections.length > 0) { 305 _execute(connections.shift()); 306 } 307}; 308 309// Add to store only if it does not exist 310var addAuthSession = function(authStore, session) { 311 var found = false; 312 313 for (var i = 0; i < authStore.length; i++) { 314 if (authStore[i].equal(session)) { 315 found = true; 316 break; 317 } 318 } 319 320 if (!found) authStore.push(session); 321}; 322 323/** 324 * Remove authStore credentials 325 * @method 326 * @param {string} db Name of database we are removing authStore details about 327 * @return {object} 328 */ 329ScramSHA1.prototype.logout = function(dbName) { 330 this.authStore = this.authStore.filter(function(x) { 331 return x.db !== dbName; 332 }); 333}; 334 335/** 336 * Re authenticate pool 337 * @method 338 * @param {{Server}|{ReplSet}|{Mongos}} server Topology the authentication method is being called on 339 * @param {[]Connections} connections Connections to authenticate using this authenticator 340 * @param {authResultCallback} callback The callback to return the result from the authentication 341 * @return {object} 342 */ 343ScramSHA1.prototype.reauthenticate = function(server, connections, callback) { 344 var authStore = this.authStore.slice(0); 345 var count = authStore.length; 346 // No connections 347 if (count === 0) return callback(null, null); 348 // Iterate over all the auth details stored 349 for (var i = 0; i < authStore.length; i++) { 350 this.auth( 351 server, 352 connections, 353 authStore[i].db, 354 authStore[i].username, 355 authStore[i].password, 356 function(err) { 357 count = count - 1; 358 // Done re-authenticating 359 if (count === 0) { 360 callback(err, null); 361 } 362 } 363 ); 364 } 365}; 366 367module.exports = ScramSHA1;