@api-client/core 0.3.2 → 0.3.5

package/src/runtime/http-engine/ntlm/NtlmAuth.ts

@@ -0,0 +1,186 @@
+import { Des } from './Des.js';
+import { MD4 } from './MD4.js';
+import { NtlmMessage } from './NtlmMessage.js';
+
+export interface INtlmAuthConfig {
+  domain?: string;
+  username: string;
+  password: string;
+  url: string;
+}
+
+/**
+ * A base class for auth methods used in the library.
+ * On the base of https://github.com/erlandranvinge/ntlm.js/blob/master/ntlm.js
+ */
+ export class NtlmAuth {
+  domain: string;
+  uid: string;
+  passwd: string;
+  url: string;
+  lmHashedPassword?: string;
+  ntHashedPassword?: string;
+
+  constructor(opts: INtlmAuthConfig) {
+    this.domain = opts.domain || '';
+    this.uid = opts.username;
+    this.passwd = opts.password;
+    this.url = opts.url;
+
+    this.setCredentials();
+  }
+
+  createMessage1(hostname: string): NtlmMessage {
+    const msg1 = new NtlmMessage();
+    msg1.addString('NTLMSSP\0');
+    msg1.addByte(1);
+    msg1.addString('\0\0\0');
+    msg1.addShort(0xb203);
+    msg1.addString('\0\0');
+    msg1.addShort(this.domain.length);
+    msg1.addShort(this.domain.length);
+    msg1.addShort(32 + hostname.length);
+    msg1.addString('\0\0');
+    msg1.addShort(hostname.length);
+    msg1.addShort(hostname.length);
+    msg1.addShort(32);
+    msg1.addString('\0\0');
+    msg1.addString(hostname.toUpperCase());
+    msg1.addString(this.domain.toUpperCase());
+    return msg1;
+  }
+
+  getChallenge(data: string): string {
+    const msg2 = new NtlmMessage(data);
+    if (msg2.getString(0, 8) !== 'NTLMSSP\0') {
+      throw new Error('Invalid NTLM response header.');
+    }
+    if (msg2.getByte(8) !== 2) {
+      throw new Error('Invalid NTLM response type.');
+    }
+    const challenge = msg2.getString(24, 8);
+    return challenge;
+  }
+
+  createMessage3(challenge: string, hostname: string): NtlmMessage {
+    const lmResponse = this.buildResponse(this.lmHashedPassword as string, challenge);
+    const ntResponse = this.buildResponse(this.ntHashedPassword as string, challenge);
+    const username = this.uid;
+    const domain = this.domain;
+    const msg3 = new NtlmMessage();
+
+    msg3.addString('NTLMSSP\0');
+    msg3.addByte(3);
+    msg3.addString('\0\0\0');
+
+    msg3.addShort(24); // lmResponse
+    msg3.addShort(24);
+    msg3.addShort(64 + (domain.length + username.length + hostname.length) * 2);
+    msg3.addString('\0\0');
+
+    msg3.addShort(24); // ntResponse
+    msg3.addShort(24);
+    msg3.addShort(88 + (domain.length + username.length + hostname.length) * 2);
+    msg3.addString('\0\0');
+
+    msg3.addShort(domain.length * 2); // Domain.
+    msg3.addShort(domain.length * 2);
+    msg3.addShort(64);
+    msg3.addString('\0\0');
+
+    msg3.addShort(username.length * 2); // Username.
+    msg3.addShort(username.length * 2);
+    msg3.addShort(64 + domain.length * 2);
+    msg3.addShort('\0\0');
+
+    msg3.addShort(hostname.length * 2); // Hostname.
+    msg3.addShort(hostname.length * 2);
+    msg3.addShort(64 + (domain.length + username.length) * 2);
+    msg3.addString('\0\0');
+
+    msg3.addString('\0\0\0\0');
+    msg3.addShort(112 + (domain.length + username.length + hostname.length) * 2);
+    msg3.addString('\0\0');
+    msg3.addShort(0x8201);
+    msg3.addString('\0\0');
+
+    msg3.addString(domain.toUpperCase(), true); // "Some" string are passed as UTF-16.
+    msg3.addString(username, true);
+    msg3.addString(hostname.toUpperCase(), true);
+    msg3.addString(lmResponse);
+    msg3.addString(ntResponse);
+
+    return msg3;
+  }
+
+  createKey(str: string): string {
+    const key56: number[] = [];
+    while (str.length < 7) {
+      str += '\0';
+    }
+    str = str.substr(0, 7);
+    str.split('').map((c) => {
+      key56.push(c.charCodeAt(0));
+    });
+    const key = [0, 0, 0, 0, 0, 0, 0, 0];
+    key[0] = key56[0]; // Convert 56 bit key to 64 bit.
+    key[1] = ((key56[0] << 7) & 0xFF) | (key56[1] >> 1);
+    key[2] = ((key56[1] << 6) & 0xFF) | (key56[2] >> 2);
+    key[3] = ((key56[2] << 5) & 0xFF) | (key56[3] >> 3);
+    key[4] = ((key56[3] << 4) & 0xFF) | (key56[4] >> 4);
+    key[5] = ((key56[4] << 3) & 0xFF) | (key56[5] >> 5);
+    key[6] = ((key56[5] << 2) & 0xFF) | (key56[6] >> 6);
+    key[7] = (key56[6] << 1) & 0xFF;
+    for (let i = 0; i < key.length; i++) { // Fix DES key parity bits.
+      let bit = 0;
+      for (let k = 0; k < 7; k++) {
+        const t = key[i] >> k;
+        bit = (t ^ bit) & 0x1;
+      }
+      key[i] = (key[i] & 0xFE) | bit;
+    }
+
+    let result = '';
+    key.forEach((i) => {
+      result += String.fromCharCode(i);
+    });
+    return result;
+  }
+
+  buildResponse(key: string, text: string): string {
+    while (key.length < 21) {
+      key += '\0';
+    }
+    const key1 = this.createKey(key.substr(0, 7));
+    const key2 = this.createKey(key.substr(7, 7));
+    const key3 = this.createKey(key.substr(14, 7));
+    return Des.des(key1, text, 1, 0) +
+      Des.des(key2, text, 1, 0) +
+      Des.des(key3, text, 1, 0);
+  }
+
+  // to be called by constructor
+  setCredentials(): void {
+    const domain = this.domain;
+    const password = this.passwd;
+    const magic = 'KGS!@#$%'; // Create LM password hash.
+    let lmPassword = password.toUpperCase().substr(0, 14);
+    while (lmPassword.length < 14) {
+      lmPassword += '\0';
+    }
+    const key1 = this.createKey(lmPassword);
+    const key2 = this.createKey(lmPassword.substr(7));
+    const lmHashedPassword = Des.des(key1, magic, 1, 0) +
+      Des.des(key2, magic, 1, 0);
+
+    let ntPassword = ''; // Create NT password hash.
+    for (let i = 0; i < password.length; i++) {
+      ntPassword += password.charAt(i) + '\0';
+    }
+    const ntHashedPassword = MD4.str(ntPassword);
+
+    this.domain = domain;
+    this.lmHashedPassword = lmHashedPassword;
+    this.ntHashedPassword = ntHashedPassword;
+  }
+}

package/src/runtime/http-engine/ntlm/NtlmMessage.ts

@@ -0,0 +1,57 @@
+export class NtlmMessage {
+  data:number[] = [];
+
+  constructor(data?: string) {
+    if (!data) {
+      return;
+    }
+    if (data.indexOf('NTLM ') === 0) {
+      data = data.substr(5);
+    }
+    atob(data).split('').map((c) => {
+      this.data.push(c.charCodeAt(0));
+    });
+  }
+
+  addByte(b: number): void {
+    this.data.push(b);
+  }
+
+  addShort(s: number | string): void {
+    const typed = s as number;
+    this.data.push(typed & 0xFF);
+    this.data.push((typed >> 8) & 0xFF);
+  }
+
+  addString(str: string, utf16?: boolean): void {
+    if (utf16) {
+      // Fake UTF16 by padding each character in string.
+      str = str.split('').map(function(c) {
+        return (c + '\0');
+      }).join('');
+    }
+    for (let i = 0; i < str.length; i++) {
+      this.data.push(str.charCodeAt(i));
+    }
+  }
+
+  getString(offset: number, length: number): string {
+    let result = '';
+    for (let i = 0; i < length; i++) {
+      if (offset + i >= this.data.length) {
+        return '';
+      }
+      result += String.fromCharCode(this.data[offset + i]);
+    }
+    return result;
+  }
+
+  getByte(offset: number): number {
+    return this.data[offset];
+  }
+
+  toBase64(): string {
+    const str = String.fromCharCode.apply(null, this.data);
+    return Buffer.from(str).toString('base64').replace(/.{76}(?=.)/g, '$&');
+  }
+}

package/src/runtime/modules/BasicAuthCache.ts

@@ -0,0 +1,133 @@
+import { Headers } from '../../lib/headers/Headers.js';
+import { IHttpRequest } from '../../models/HttpRequest.js';
+import { INtlmAuthorization, IBasicAuthorization } from '../../models/Authorization.js';
+import { ExecutionContext } from './ModulesRegistry.js';
+import { IRequestAuthorization } from '../../models/RequestAuthorization.js';
+
+const cache: any = {};
+
+/**
+ * Removes query parameters and the fragment part from the URL
+ * @param url The URL to process.
+ * @returns The canonical URL.
+ */
+export function computeUrlPath(url: string): string {
+  if (!url) {
+    return '';
+  }
+  try {
+    const u = new URL(url);
+    u.hash = '';
+    u.search = '';
+    let result = u.toString();
+    // polyfill library has some error and leaves '?#' if was set
+    result = result.replace('?', '');
+    result = result.replace('#', '');
+    return result;
+  } catch (e) {
+    return url;
+  }
+}
+
+/**
+ * Finds an auth data for given `url`.
+ *
+ * @param type Authorization type.
+ * @param url The URL of the request.
+ * @return Auth data if exists in the cache.
+ */
+export function findCachedAuthData(type: string, url: string): IBasicAuthorization|INtlmAuthorization|undefined {
+  const key = computeUrlPath(url);
+  if (!cache || !type || !key || !cache[type]) {
+    return undefined;
+  }
+  return cache[type][key];
+}
+
+/**
+ * Updates cached authorization data
+ *
+ * @param type Authorization type.
+ * @param url The URL of the request.
+ * @param value Auth data to set
+ */
+export function updateCache(type: string, url: string, value: IBasicAuthorization|INtlmAuthorization): void {
+  const key = computeUrlPath(url);
+  if (!cache[type]) {
+    cache[type] = {};
+  }
+  cache[type][key] = value;
+}
+
+/**
+ * Applies the basic authorization data to the request.
+ *
+ * If the header value have changed then it fires `request-headers-changed` custom event.
+ * It sets computed value of the readers to the event's detail object.
+ *
+ * @param request The event's detail object. Changes made here will be propagated to the event.
+ * @param data The authorization data to apply.
+ */
+export function applyRequestBasicAuthData(request: IHttpRequest, data: IBasicAuthorization): void {
+  const { username='', password='' } = data;
+  const headers = new Headers(request.headers || '');
+  let hash: string;
+  let decoded = `${username}:${password}`;
+  if (typeof Buffer === 'function' && typeof Buffer.from === 'function') {
+    hash = Buffer.from(decoded).toString('base64');
+  } else {
+    hash = btoa(decoded);
+  }
+  headers.set('authorization', `Basic ${hash}`);
+  request.headers = headers.toString();
+}
+
+/**
+ * Applies the NTLM authorization data to the request.
+ *
+ * Because NTLM requires certain operations on a socket it's bot just about setting a headers
+ * but whole NTLM configuration object.
+ *
+ * Applied the `auth` object to the event's `detail.auth` object.
+ *
+ * @param {ArcBaseRequest} request The event's detail object. Changes made here will be propagated to
+ * the event.
+ * @param {NtlmAuthorization} values The authorization data to apply.
+ */
+function applyRequestNtlmAuthData(authorization: IRequestAuthorization[], values: INtlmAuthorization): void {
+  let ntlm: IRequestAuthorization | undefined = authorization.find(((method) => method.type === 'ntlm'));
+  if (!ntlm) {
+    ntlm = {
+      kind: '',
+      enabled: true,
+      type: 'ntlm',
+      config: {},
+      valid: true,
+    };
+    authorization.push(ntlm);
+  }
+  const cnf = ntlm.config as INtlmAuthorization;
+  if (cnf.username) {
+    return;
+  }
+  cnf.username = values.username;
+  cnf.password = values.password;
+  cnf.domain = values.domain;
+}
+
+/**
+ * Adds basic authorization data to the request, when during this session basic auth was used
+ */
+export default function applyCachedBasicAuthData(request: IHttpRequest, context: ExecutionContext): void {
+  // Try to find an auth data for the URL. If has a match, apply it to the request
+  let authData = findCachedAuthData('basic', request.url);
+  if (authData) {
+    applyRequestBasicAuthData(request, authData);
+    return;
+  }
+  // Try NTLM
+  authData = findCachedAuthData('ntlm', request.url);
+  if (authData && Array.isArray(context.authorization)) {
+    applyRequestNtlmAuthData(context.authorization, authData as INtlmAuthorization);
+  }
+}

package/src/runtime/modules/ExecutionResponse.ts

@@ -0,0 +1,4 @@
+export enum ExecutionResponse {
+  OK,
+  ABORT,
+}

package/src/runtime/modules/ModulesRegistry.ts

@@ -0,0 +1,136 @@
+import { IHttpRequest } from '../../models/HttpRequest.js';
+import { EnvironmentEvents } from '../../events/environment/EnvironmentEvents.js';
+import { CookieEvents } from '../../events/cookies/CookieEvents.js';
+import { EncryptionEvents } from '../../events/encryption/EncryptionEvents.js';
+import { ProcessEvents } from '../../events/process/ProcessEvents.js';
+import { AuthorizationEvents } from '../../events/authorization/AuthorizationEvents.js';
+import { ClientCertificateEvents } from '../../events/models/ClientCertificateEvents.js';
+import { IRequestAuthorization } from '../../models/RequestAuthorization.js';
+import { IRequestConfig } from '../../models/RequestConfig.js';
+import { IRequestLog } from '../../models/RequestLog.js';
+import { IRequestCertificate } from '../../models/ClientCertificate.js';
+
+export interface RegisteredRequestModule {
+  fn: (request: IHttpRequest, context: ExecutionContext) => Promise<number>;
+  permissions: RegistryPermission[];
+}
+
+export interface RegisteredResponseModule {
+  fn: (log: IRequestLog, context: ExecutionContext) => Promise<number>;
+  permissions: RegistryPermission[];
+}
+
+export enum RegistryPermission {
+  environment = 'environment',
+  events = 'events',
+}
+
+export interface ExecutionContext {
+  /**
+   * The event target for events
+   */
+  eventsTarget: EventTarget;
+  /**
+   * The events to use to communicate with the context store(s)
+   */
+  Events?: ExecutionEvents;
+  /**
+   * The environment variables to use when executing the module.
+   */
+  variables?: Record<string, string>;
+  /**
+   * Request authorization configuration
+   */
+  authorization?: IRequestAuthorization[];
+  /**
+   * Optional request configuration.
+   */
+  config?: IRequestConfig;
+  /**
+   * Can be altered by the actions.
+   */
+  certificates?: IRequestCertificate[];
+}
+
+export interface ExecutionEvents {
+  Authorization: typeof AuthorizationEvents;
+  Environment: typeof EnvironmentEvents;
+  Cookie: typeof CookieEvents;
+  Encryption: typeof EncryptionEvents;
+  Process: typeof ProcessEvents;
+  ClientCertificate: typeof ClientCertificateEvents;
+}
+
+/**
+ * The list of registered request processing modules.
+ */
+const requestModules = new Map<string, RegisteredRequestModule>();
+
+/**
+ * The list of registered response processing modules.
+ */
+const responseModules = new Map<string, RegisteredResponseModule>();
+
+export type RequestModule = 'request';
+export type ResponseModule = 'response';
+
+/**
+ * A registry for modules.
+ */
+export class ModulesRegistry {
+  static get request(): RequestModule { return 'request' }
+
+  static get response(): ResponseModule { return 'response' }
+
+  /**
+   * Registers a new request or response module in the registry.
+   * @param context The name of the execution context
+   * @param id The identifier of the module
+   * @param fn The function to execute
+   * @param permissions The list of permissions for the module
+   * @throws {Error} When the module is already registered
+   */
+  static register(context: ResponseModule|RequestModule, id: string, fn: Function, permissions?: string[]): void {
+    const data = {
+      fn,
+      permissions: Array.isArray(permissions) ? permissions : [],
+    };
+    const map = context === ModulesRegistry.request ? requestModules : responseModules;
+    if (map.has(id)) {
+      throw new Error(`Module ${id} already exists`);
+    }
+    // @ts-ignore
+    map.set(id, data);
+  }
+
+  /**
+   * Checks whether a module is already registered for the given context.
+   * @param {ModulesRegistry.request|ModulesRegistry.response} context The name of the execution context
+   * @param id The identifier of the module
+   */
+  static has(context: ResponseModule|RequestModule, id: string): boolean {
+    const map = context === ModulesRegistry.request ? requestModules : responseModules;
+    return map.has(id);
+  }
+
+  /**
+   * Removes a registered module
+   * @param {ModulesRegistry.request|ModulesRegistry.response} context The name of the execution context
+   * @param {string} id The identifier of the module
+   */
+  static unregister(context: ResponseModule|RequestModule, id: string): void {
+    const map = context === ModulesRegistry.request ? requestModules : responseModules;
+    map.delete(id);
+  }
+
+  /**
+   * Reads the list of registered modules
+   * @param  context The name of the execution context
+   * @returns The copy of the map of actions.
+   */
+  static get(context: ResponseModule|RequestModule): Map<string, RegisteredRequestModule|RegisteredResponseModule> {
+    const map = context === ModulesRegistry.request ? requestModules : responseModules;
+    // @ts-ignore
+    return new Map(map);
+  }
+}

package/src/runtime/modules/RequestAuthorization.ts

@@ -0,0 +1,110 @@
+import { Headers } from '../../lib/headers/Headers.js';
+import { ExecutionResponse } from './ExecutionResponse.js';
+import applyCachedBasicAuthData, { applyRequestBasicAuthData } from './BasicAuthCache.js';
+import { IHttpRequest } from '../../models/HttpRequest.js';
+import { IBearerAuthorization, IBasicAuthorization, IOidcAuthorization, IOAuth2Authorization, ICCAuthorization } from '../../models/Authorization.js';
+import { ExecutionContext } from './ModulesRegistry.js';
+
+/**
+ * Injects client certificate object into the request object
+ */
+async function processClientCertificate(config: ICCAuthorization, context: ExecutionContext): Promise<void> {
+  const { id } = config;
+  if (!id || !context.Events) {
+    return;
+  }
+  const result = await context.Events.ClientCertificate.read(context.eventsTarget, id);
+  if (!result) {
+    return;
+  }
+  if (!Array.isArray(context.certificates)) {
+    context.certificates = [];
+  }
+  context.certificates.push(result);
+}
+
+/**
+ * Injects basic auth header into the request headers.
+ */
+function processBasicAuth(request: IHttpRequest, config: IBasicAuthorization): void {
+  const { username } = config;
+  if (!username) {
+    return;
+  }
+  applyRequestBasicAuthData(request, config);
+}
+
+/**
+ * Injects oauth 2 auth header into the request headers.
+ */
+function processOAuth2(request: IHttpRequest, config: IOAuth2Authorization): void {
+  const { accessToken, tokenType='Bearer', deliveryMethod='header', deliveryName='authorization' } = config;
+  if (!accessToken) {
+    return;
+  }
+  const value = `${tokenType} ${accessToken}`;
+  if (deliveryMethod === 'header') {
+    const headers = new Headers(request.headers || '');
+    headers.append(deliveryName, value);
+    request.headers = headers.toString();
+  } else if (deliveryMethod === 'query') {
+    const { url } = request;
+    try {
+      const parsed = new URL(url);
+      parsed.searchParams.append(deliveryName, value);
+      request.url = parsed.toString();
+    } catch (e) {
+      // ...
+    }
+  }
+}
+
+/**
+ * Injects OpenID Connect auth header into the request headers.
+ */
+function processOpenId(request: IHttpRequest, config: IOidcAuthorization): void {
+  const { accessToken } = config;
+  if (accessToken) {
+    processOAuth2(request, config);
+  }
+  // todo - if AT is missing find the current token from the tokens list in the passed configuration.
+  // Currently the authorization method UI sets the token when the requests is generated so it's not as much important.
+}
+
+/**
+ * Injects bearer auth header into the request headers.
+ */
+function processBearer(request: IHttpRequest, config: IBearerAuthorization): void {
+  const { token } = config;
+  const value = `Bearer ${token}`;
+  const headers = new Headers(request.headers || '');
+  headers.append('authorization', value);
+  request.headers = headers.toString();
+}
+
+/**
+ * Processes authorization data from the authorization configuration and injects data into the request object when necessary.
+ */
+export default async function processAuth(request: IHttpRequest, context: ExecutionContext): Promise<number> {
+  if (!Array.isArray(context.authorization) || !context.authorization.length) {
+    return ExecutionResponse.OK;
+  }
+  for (const auth of context.authorization) {
+    if (!auth.enabled || !auth.config) {
+      continue;
+    }
+    switch (auth.type) {
+      case 'client certificate': await processClientCertificate(auth.config as ICCAuthorization, context); break;
+      case 'basic': processBasicAuth(request, auth.config as IBasicAuthorization); break;
+      case 'oauth 2': processOAuth2(request, auth.config as IOAuth2Authorization); break;
+      case 'open id': processOpenId(request, auth.config as IOidcAuthorization); break;
+      case 'bearer': processBearer(request, auth.config as IBearerAuthorization); break;
+      default:
+    }
+  }
+  if (request.url && !/^authorization:\s?.+$/gim.test(request.headers || '')) {
+    // Try to apply basic auth from the cached during this session values.
+    applyCachedBasicAuthData(request, context);
+  }
+  return ExecutionResponse.OK;
+}