PageRenderTime 70ms CodeModel.GetById 11ms app.highlight 53ms RepoModel.GetById 1ms app.codeStats 0ms

/node_modules/mongoose/node_modules/mongodb-core/lib/auth/scram.js

https://bitbucket.org/coleman333/smartsite
JavaScript | 367 lines | 245 code | 48 blank | 74 comment | 42 complexity | ddb3f61fe4a8da150a8f1da36a07e4d3 MD5 | raw file
  1'use strict';
  2
  3var f = require('util').format,
  4  crypto = require('crypto'),
  5  retrieveBSON = require('../connection/utils').retrieveBSON,
  6  Query = require('../connection/commands').Query,
  7  MongoError = require('../error').MongoError;
  8
  9var BSON = retrieveBSON(),
 10  Binary = BSON.Binary;
 11
 12var AuthSession = function(db, username, password) {
 13  this.db = db;
 14  this.username = username;
 15  this.password = password;
 16};
 17
 18AuthSession.prototype.equal = function(session) {
 19  return (
 20    session.db === this.db &&
 21    session.username === this.username &&
 22    session.password === this.password
 23  );
 24};
 25
 26var id = 0;
 27
 28/**
 29 * Creates a new ScramSHA1 authentication mechanism
 30 * @class
 31 * @return {ScramSHA1} A cursor instance
 32 */
 33var ScramSHA1 = function(bson) {
 34  this.bson = bson;
 35  this.authStore = [];
 36  this.id = id++;
 37};
 38
 39var parsePayload = function(payload) {
 40  var dict = {};
 41  var parts = payload.split(',');
 42
 43  for (var i = 0; i < parts.length; i++) {
 44    var valueParts = parts[i].split('=');
 45    dict[valueParts[0]] = valueParts[1];
 46  }
 47
 48  return dict;
 49};
 50
 51var passwordDigest = function(username, password) {
 52  if (typeof username !== 'string') throw new MongoError('username must be a string');
 53  if (typeof password !== 'string') throw new MongoError('password must be a string');
 54  if (password.length === 0) throw new MongoError('password cannot be empty');
 55  // Use node md5 generator
 56  var md5 = crypto.createHash('md5');
 57  // Generate keys used for authentication
 58  md5.update(username + ':mongo:' + password, 'utf8');
 59  return md5.digest('hex');
 60};
 61
 62// XOR two buffers
 63var xor = function(a, b) {
 64  if (!Buffer.isBuffer(a)) a = new Buffer(a);
 65  if (!Buffer.isBuffer(b)) b = new Buffer(b);
 66  var res = [];
 67  if (a.length > b.length) {
 68    for (var i = 0; i < b.length; i++) {
 69      res.push(a[i] ^ b[i]);
 70    }
 71  } else {
 72    for (i = 0; i < a.length; i++) {
 73      res.push(a[i] ^ b[i]);
 74    }
 75  }
 76  return new Buffer(res);
 77};
 78
 79var _hiCache = {};
 80var _hiCacheCount = 0;
 81var _hiCachePurge = function() {
 82  _hiCache = {};
 83  _hiCacheCount = 0;
 84};
 85
 86var hi = function(data, salt, iterations) {
 87  // omit the work if already generated
 88  var key = [data, salt.toString('base64'), iterations].join('_');
 89  if (_hiCache[key] !== undefined) {
 90    return _hiCache[key];
 91  }
 92
 93  // generate the salt
 94  var saltedData = crypto.pbkdf2Sync(data, salt, iterations, 20, 'sha1');
 95
 96  // cache a copy to speed up the next lookup, but prevent unbounded cache growth
 97  if (_hiCacheCount >= 200) {
 98    _hiCachePurge();
 99  }
100
101  _hiCache[key] = saltedData;
102  _hiCacheCount += 1;
103  return saltedData;
104};
105
106/**
107 * Authenticate
108 * @method
109 * @param {{Server}|{ReplSet}|{Mongos}} server Topology the authentication method is being called on
110 * @param {[]Connections} connections Connections to authenticate using this authenticator
111 * @param {string} db Name of the database
112 * @param {string} username Username
113 * @param {string} password Password
114 * @param {authResultCallback} callback The callback to return the result from the authentication
115 * @return {object}
116 */
117ScramSHA1.prototype.auth = function(server, connections, db, username, password, callback) {
118  var self = this;
119  // Total connections
120  var count = connections.length;
121  if (count === 0) return callback(null, null);
122
123  // Valid connections
124  var numberOfValidConnections = 0;
125  var errorObject = null;
126
127  // Execute MongoCR
128  var executeScram = function(connection) {
129    // Clean up the user
130    username = username.replace('=', '=3D').replace(',', '=2C');
131
132    // Create a random nonce
133    var nonce = crypto.randomBytes(24).toString('base64');
134    // var nonce = 'MsQUY9iw0T9fx2MUEz6LZPwGuhVvWAhc'
135    var firstBare = f('n=%s,r=%s', username, nonce);
136
137    // Build command structure
138    var cmd = {
139      saslStart: 1,
140      mechanism: 'SCRAM-SHA-1',
141      payload: new Binary(f('n,,%s', firstBare)),
142      autoAuthorize: 1
143    };
144
145    // Handle the error
146    var handleError = function(err, r) {
147      if (err) {
148        numberOfValidConnections = numberOfValidConnections - 1;
149        errorObject = err;
150        return false;
151      } else if (r.result['$err']) {
152        errorObject = r.result;
153        return false;
154      } else if (r.result['errmsg']) {
155        errorObject = r.result;
156        return false;
157      } else {
158        numberOfValidConnections = numberOfValidConnections + 1;
159      }
160
161      return true;
162    };
163
164    // Finish up
165    var finish = function(_count, _numberOfValidConnections) {
166      if (_count === 0 && _numberOfValidConnections > 0) {
167        // Store the auth details
168        addAuthSession(self.authStore, new AuthSession(db, username, password));
169        // Return correct authentication
170        return callback(null, true);
171      } else if (_count === 0) {
172        if (errorObject == null)
173          errorObject = new MongoError(f('failed to authenticate using scram'));
174        return callback(errorObject, false);
175      }
176    };
177
178    var handleEnd = function(_err, _r) {
179      // Handle any error
180      handleError(_err, _r);
181      // Adjust the number of connections
182      count = count - 1;
183      // Execute the finish
184      finish(count, numberOfValidConnections);
185    };
186
187    // Write the commmand on the connection
188    server(
189      connection,
190      new Query(self.bson, f('%s.$cmd', db), cmd, {
191        numberToSkip: 0,
192        numberToReturn: 1
193      }),
194      function(err, r) {
195        // Do we have an error, handle it
196        if (handleError(err, r) === false) {
197          count = count - 1;
198
199          if (count === 0 && numberOfValidConnections > 0) {
200            // Store the auth details
201            addAuthSession(self.authStore, new AuthSession(db, username, password));
202            // Return correct authentication
203            return callback(null, true);
204          } else if (count === 0) {
205            if (errorObject == null)
206              errorObject = new MongoError(f('failed to authenticate using scram'));
207            return callback(errorObject, false);
208          }
209
210          return;
211        }
212
213        // Get the dictionary
214        var dict = parsePayload(r.result.payload.value());
215
216        // Unpack dictionary
217        var iterations = parseInt(dict.i, 10);
218        var salt = dict.s;
219        var rnonce = dict.r;
220
221        // Set up start of proof
222        var withoutProof = f('c=biws,r=%s', rnonce);
223        var passwordDig = passwordDigest(username, password);
224        var saltedPassword = hi(passwordDig, new Buffer(salt, 'base64'), iterations);
225
226        // Create the client key
227        var hmac = crypto.createHmac('sha1', saltedPassword);
228        hmac.update(new Buffer('Client Key'));
229        var clientKey = new Buffer(hmac.digest('base64'), 'base64');
230
231        // Create the stored key
232        var hash = crypto.createHash('sha1');
233        hash.update(clientKey);
234        var storedKey = new Buffer(hash.digest('base64'), 'base64');
235
236        // Create the authentication message
237        var authMsg = [firstBare, r.result.payload.value().toString('base64'), withoutProof].join(
238          ','
239        );
240
241        // Create client signature
242        hmac = crypto.createHmac('sha1', storedKey);
243        hmac.update(new Buffer(authMsg));
244        var clientSig = new Buffer(hmac.digest('base64'), 'base64');
245
246        // Create client proof
247        var clientProof = f('p=%s', new Buffer(xor(clientKey, clientSig)).toString('base64'));
248
249        // Create client final
250        var clientFinal = [withoutProof, clientProof].join(',');
251
252        //
253        // Create continue message
254        var cmd = {
255          saslContinue: 1,
256          conversationId: r.result.conversationId,
257          payload: new Binary(new Buffer(clientFinal))
258        };
259
260        //
261        // Execute sasl continue
262        // Write the commmand on the connection
263        server(
264          connection,
265          new Query(self.bson, f('%s.$cmd', db), cmd, {
266            numberToSkip: 0,
267            numberToReturn: 1
268          }),
269          function(err, r) {
270            if (r && r.result.done === false) {
271              var cmd = {
272                saslContinue: 1,
273                conversationId: r.result.conversationId,
274                payload: new Buffer(0)
275              };
276
277              // Write the commmand on the connection
278              server(
279                connection,
280                new Query(self.bson, f('%s.$cmd', db), cmd, {
281                  numberToSkip: 0,
282                  numberToReturn: 1
283                }),
284                function(err, r) {
285                  handleEnd(err, r);
286                }
287              );
288            } else {
289              handleEnd(err, r);
290            }
291          }
292        );
293      }
294    );
295  };
296
297  var _execute = function(_connection) {
298    process.nextTick(function() {
299      executeScram(_connection);
300    });
301  };
302
303  // For each connection we need to authenticate
304  while (connections.length > 0) {
305    _execute(connections.shift());
306  }
307};
308
309// Add to store only if it does not exist
310var addAuthSession = function(authStore, session) {
311  var found = false;
312
313  for (var i = 0; i < authStore.length; i++) {
314    if (authStore[i].equal(session)) {
315      found = true;
316      break;
317    }
318  }
319
320  if (!found) authStore.push(session);
321};
322
323/**
324 * Remove authStore credentials
325 * @method
326 * @param {string} db Name of database we are removing authStore details about
327 * @return {object}
328 */
329ScramSHA1.prototype.logout = function(dbName) {
330  this.authStore = this.authStore.filter(function(x) {
331    return x.db !== dbName;
332  });
333};
334
335/**
336 * Re authenticate pool
337 * @method
338 * @param {{Server}|{ReplSet}|{Mongos}} server Topology the authentication method is being called on
339 * @param {[]Connections} connections Connections to authenticate using this authenticator
340 * @param {authResultCallback} callback The callback to return the result from the authentication
341 * @return {object}
342 */
343ScramSHA1.prototype.reauthenticate = function(server, connections, callback) {
344  var authStore = this.authStore.slice(0);
345  var count = authStore.length;
346  // No connections
347  if (count === 0) return callback(null, null);
348  // Iterate over all the auth details stored
349  for (var i = 0; i < authStore.length; i++) {
350    this.auth(
351      server,
352      connections,
353      authStore[i].db,
354      authStore[i].username,
355      authStore[i].password,
356      function(err) {
357        count = count - 1;
358        // Done re-authenticating
359        if (count === 0) {
360          callback(err, null);
361        }
362      }
363    );
364  }
365};
366
367module.exports = ScramSHA1;