@tachybase/module-multi-app 1.6.0 → 1.6.2

package/dist/node_modules/mariadb/lib/cmd/handshake/auth/pam-password-auth.js

@@ -1,14 +1,19 @@
+//  SPDX-License-Identifier: LGPL-2.1-or-later
+//  Copyright (c) 2015-2024 MariaDB Corporation Ab
+
 const PluginAuth = require('./plugin-auth');
 
 /**
  * Use PAM authentication
  */
 class PamPasswordAuth extends PluginAuth {
-  constructor(packSeq, compressPackSeq, pluginData, resolve, reject, multiAuthResolver) {
-    super(resolve, reject, multiAuthResolver);
+  constructor(packSeq, compressPackSeq, pluginData, cmdParam, reject, multiAuthResolver) {
+    super(cmdParam, multiAuthResolver, reject);
     this.pluginData = pluginData;
     this.sequenceNo = packSeq;
+    this.compressSequenceNo = compressPackSeq;
     this.counter = 0;
+    this.multiAuthResolver = multiAuthResolver;
   }
 
   start(out, opts, info) {
@@ -33,7 +38,7 @@ class PamPasswordAuth extends PluginAuth {
 
     if (pwd) out.writeString(pwd);
     out.writeInt8(0);
-    out.flushBuffer(true);
+    out.flushPacket();
   }
 
   response(packet, out, opts, info) {
@@ -45,7 +50,7 @@ class PamPasswordAuth extends PluginAuth {
       case 0x00:
       case 0xff:
         this.emit('send_end');
-        return this.successSend(packet, out, opts, info);
+        return this.multiAuthResolver(packet, out, opts, info);
 
       default:
         let promptData = packet.readBuffer();

package/dist/node_modules/mariadb/lib/cmd/handshake/auth/parsec-auth.js

@@ -0,0 +1,115 @@
+//  SPDX-License-Identifier: LGPL-2.1-or-later
+//  Copyright (c) 2015-2025 MariaDB Corporation Ab
+
+'use strict';
+
+const PluginAuth = require('./plugin-auth');
+const crypto = require('crypto');
+const Errors = require('../../../misc/errors');
+
+const pkcs8Ed25519header = Buffer.from([
+  0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x04, 0x22, 0x04, 0x20
+]);
+
+/**
+ * Standard authentication plugin
+ */
+class ParsecAuth extends PluginAuth {
+  #hash;
+  constructor(packSeq, compressPackSeq, pluginData, cmdParam, reject, multiAuthResolver) {
+    super(cmdParam, multiAuthResolver, reject);
+    this.multiAuthResolver = multiAuthResolver;
+    this.pluginData = pluginData;
+    this.sequenceNo = packSeq;
+    this.compressSequenceNo = compressPackSeq;
+  }
+
+  start(out, opts, info) {
+    if (!info.extSalt) {
+      out.startPacket(this);
+      out.writeEmptyPacket(true); // indicate need salt
+      this.onPacketReceive = this.requestForSalt;
+    } else {
+      this.parseExtSalt(Buffer.from(info.extSalt, 'hex'), info);
+      this.sendScramble(out, opts, info);
+    }
+  }
+
+  requestForSalt(packet, out, opts, info) {
+    this.parseExtSalt(packet.readBufferRemaining(), info);
+    this.sendScramble(out, opts, info);
+  }
+
+  parseExtSalt(extSalt, info) {
+    if (extSalt.length < 2 || extSalt[0] !== 0x50 || extSalt[1] > 3) {
+      // expected 'P' for KDF algorithm (PBKDF2) and maximum iteration of 8192
+      return this.throwError(
+        Errors.createFatalError('Wrong parsec authentication format', Errors.ER_AUTHENTICATION_BAD_PACKET, info),
+        info
+      );
+    }
+    this.iterations = extSalt[1];
+    this.salt = extSalt.slice(2);
+
+    // disable for now until https://jira.mariadb.org/browse/MDEV-34846
+    // info.extSalt = extSalt.toString('hex');
+  }
+
+  sendScramble(out, opts, info) {
+    const derivedKey = crypto.pbkdf2Sync(opts.password || '', this.salt, 1024 << this.iterations, 32, 'sha512');
+    const privateKey = toPkcs8der(derivedKey);
+
+    const rawPublicKey = this.getEd25519PublicKeyFromPrivateKey(derivedKey);
+
+    this.#hash = Buffer.concat([Buffer.from([0x50, this.iterations]), this.salt, rawPublicKey]);
+
+    const client_scramble = crypto.randomBytes(32);
+    const message = Buffer.concat([this.pluginData, client_scramble]);
+    const signature = crypto.sign(null, message, privateKey);
+
+    out.startPacket(this);
+    out.writeBuffer(client_scramble, 0, 32);
+    out.writeBuffer(signature, 0, 64);
+    out.flushPacket();
+    this.emit('send_end');
+    this.onPacketReceive = this.multiAuthResolver;
+  }
+
+  getEd25519PublicKeyFromPrivateKey(privateKeyBuffer) {
+    // Create a KeyObject from the raw private key
+    const privateKey = crypto.createPrivateKey({
+      key: Buffer.concat([pkcs8Ed25519header, privateKeyBuffer]),
+      format: 'der',
+      type: 'pkcs8',
+      name: 'ed25519'
+    });
+
+    // Get the corresponding public key
+    const publicKey = crypto.createPublicKey(privateKey);
+
+    // Export the public key in raw format
+    return publicKey
+      .export({
+        type: 'spki',
+        format: 'der'
+      })
+      .subarray(-32); // The last 32 bytes contain the raw key
+  }
+
+  permitHash() {
+    return true;
+  }
+
+  hash(conf) {
+    return this.#hash;
+  }
+}
+
+const toPkcs8der = (rawB64) => {
+  // prefix for a private Ed25519
+  const prefixPrivateEd25519 = Buffer.from('302e020100300506032b657004220420', 'hex');
+  const der = Buffer.concat([prefixPrivateEd25519, rawB64]);
+  return crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
+};
+
+module.exports = ParsecAuth;

package/dist/node_modules/mariadb/lib/cmd/handshake/auth/plugin-auth.js

@@ -1,3 +1,6 @@
+//  SPDX-License-Identifier: LGPL-2.1-or-later
+//  Copyright (c) 2015-2024 MariaDB Corporation Ab
+
 'use strict';
 
 const Command = require('../../command');
@@ -6,13 +9,17 @@ const Command = require('../../command');
  * Base authentication plugin
  */
 class PluginAuth extends Command {
-  constructor(resolve, reject, multiAuthResolver) {
-    super(resolve, reject);
-    this.multiAuthResolver = multiAuthResolver;
+  constructor(cmdParam, multiAuthResolver, reject) {
+    super(cmdParam, multiAuthResolver, reject);
+    this.onPacketReceive = multiAuthResolver;
+  }
+
+  permitHash() {
+    return true;
   }
 
-  successSend(packet, out, opts, info) {
-    this.multiAuthResolver(packet, out, opts, info);
+  hash(conf) {
+    return null;
   }
 }
 

package/dist/node_modules/mariadb/lib/cmd/handshake/auth/sha256-password-auth.js

@@ -1,18 +1,25 @@
+//  SPDX-License-Identifier: LGPL-2.1-or-later
+//  Copyright (c) 2015-2024 MariaDB Corporation Ab
+
 const PluginAuth = require('./plugin-auth');
 const fs = require('fs');
 const crypto = require('crypto');
 const Errors = require('../../../misc/errors');
+const Crypto = require('crypto');
 
 /**
  * Use Sha256 authentication
  */
 class Sha256PasswordAuth extends PluginAuth {
-  constructor(packSeq, compressPackSeq, pluginData, resolve, reject, multiAuthResolver) {
-    super(resolve, reject, multiAuthResolver);
+  constructor(packSeq, compressPackSeq, pluginData, cmdParam, reject, multiAuthResolver) {
+    super(cmdParam, multiAuthResolver, reject);
     this.pluginData = pluginData;
     this.sequenceNo = packSeq;
+    this.compressSequenceNo = compressPackSeq;
+    this.counter = 0;
     this.counter = 0;
     this.initialState = true;
+    this.multiAuthResolver = multiAuthResolver;
   }
 
   start(out, opts, info) {
@@ -33,7 +40,7 @@ class Sha256PasswordAuth extends PluginAuth {
           out.writeString(opts.password);
         }
         out.writeInt8(0);
-        out.flushBuffer(true);
+        out.flushPacket();
         return;
       } else {
         // retrieve public key from configuration or from server
@@ -44,21 +51,18 @@ class Sha256PasswordAuth extends PluginAuth {
               // rsaPublicKey contain path
               key = fs.readFileSync(key, 'utf8');
             }
-            this.publicKey = Sha256PasswordAuth.retreivePublicKey(key);
+            this.publicKey = Sha256PasswordAuth.retrievePublicKey(key);
           } catch (err) {
             return this.throwError(err, info);
           }
         } else {
           if (!opts.allowPublicKeyRetrieval) {
             return this.throwError(
-              Errors.createError(
+              Errors.createFatalError(
                 'RSA public key is not available client side. Either set option `rsaPublicKey` to indicate' +
                   ' public key path, or allow public key retrieval with option `allowPublicKeyRetrieval`',
-                null,
-                true,
-                info,
-                '08S01',
-                Errors.ER_CANNOT_RETRIEVE_RSA_KEY
+                Errors.ER_CANNOT_RETRIEVE_RSA_KEY,
+                info
               ),
               info
             );
@@ -68,33 +72,21 @@ class Sha256PasswordAuth extends PluginAuth {
           // ask public Key Retrieval
           out.startPacket(this);
           out.writeInt8(0x01);
-          out.flushBuffer(true);
+          out.flushPacket();
           return;
         }
       }
 
       // send Sha256Password Packet
-      Sha256PasswordAuth.sendSha256PwdPacket(
-        this,
-        this.pluginData,
-        this.publicKey,
-        opts.password,
-        out
-      );
+      Sha256PasswordAuth.sendSha256PwdPacket(this, this.pluginData, this.publicKey, opts.password, out);
     } else {
       // has request public key
-      this.publicKey = Sha256PasswordAuth.retreivePublicKey(buffer.toString('utf8', 1));
-      Sha256PasswordAuth.sendSha256PwdPacket(
-        this,
-        this.pluginData,
-        this.publicKey,
-        opts.password,
-        out
-      );
+      this.publicKey = Sha256PasswordAuth.retrievePublicKey(buffer.toString('utf8', 1));
+      Sha256PasswordAuth.sendSha256PwdPacket(this, this.pluginData, this.publicKey, opts.password, out);
     }
   }
 
-  static retreivePublicKey(key) {
+  static retrievePublicKey(key) {
     return key.replace('(-+BEGIN PUBLIC KEY-+\\r?\\n|\\n?-+END PUBLIC KEY-+\\r?\\n?)', '');
   }
 
@@ -103,7 +95,29 @@ class Sha256PasswordAuth extends PluginAuth {
     out.startPacket(cmd);
     const enc = Sha256PasswordAuth.encrypt(truncatedSeed, password, publicKey);
     out.writeBuffer(enc, 0, enc.length);
-    out.flushBuffer(cmd);
+    out.flushPacket();
+  }
+
+  static encryptSha256Password(password, seed) {
+    if (!password) return Buffer.alloc(0);
+
+    let hash = Crypto.createHash('sha256');
+    let stage1 = hash.update(password, 'utf8').digest();
+    hash = Crypto.createHash('sha256');
+
+    let stage2 = hash.update(stage1).digest();
+    hash = Crypto.createHash('sha256');
+
+    // order is different from sha 1 !!!!!
+    hash.update(stage2);
+    hash.update(seed);
+
+    let digest = hash.digest();
+    let returnBytes = Buffer.allocUnsafe(digest.length);
+    for (let i = 0; i < digest.length; i++) {
+      returnBytes[i] = stage1[i] ^ digest[i];
+    }
+    return returnBytes;
   }
 
   // encrypt password with public key
@@ -114,10 +128,7 @@ class Sha256PasswordAuth extends PluginAuth {
     for (let i = 0; i < xorBytes.length; i++) {
       xorBytes[i] = nullFinishedPwd[i] ^ seed[i % seedLength];
     }
-    return crypto.publicEncrypt(
-      { key: publicKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING },
-      xorBytes
-    );
+    return crypto.publicEncrypt({ key: publicKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING }, xorBytes);
   }
 
   response(packet, out, opts, info) {
@@ -129,7 +140,7 @@ class Sha256PasswordAuth extends PluginAuth {
       case 0x00:
       case 0xff:
         this.emit('send_end');
-        return this.successSend(packet, out, opts, info);
+        return this.multiAuthResolver(packet, out, opts, info);
 
       default:
         let promptData = packet.readBufferRemaining();

package/dist/node_modules/mariadb/lib/cmd/handshake/authentication.js

@@ -0,0 +1,335 @@
+//  SPDX-License-Identifier: LGPL-2.1-or-later
+//  Copyright (c) 2015-2025 MariaDB Corporation Ab
+
+'use strict';
+
+const Command = require('../command');
+const Errors = require('../../misc/errors');
+const Capabilities = require('../../const/capabilities');
+const Handshake = require('./auth/handshake');
+const ServerStatus = require('../../const/server-status');
+const StateChange = require('../../const/state-change');
+const Collations = require('../../const/collations');
+const Crypto = require('crypto');
+const utils = require('../../misc/utils');
+const tls = require('tls');
+const authenticationPlugins = {
+  mysql_native_password: require('./auth/native-password-auth.js'),
+  mysql_clear_password: require('./auth/clear-password-auth'),
+  client_ed25519: require('./auth/ed25519-password-auth'),
+  parsec: require('./auth/parsec-auth'),
+  dialog: require('./auth/pam-password-auth'),
+  sha256_password: require('./auth/sha256-password-auth'),
+  caching_sha2_password: require('./auth/caching-sha2-password-auth')
+};
+
+/**
+ * Handle handshake.
+ * see https://mariadb.com/kb/en/library/1-connecting-connecting/
+ */
+class Authentication extends Command {
+  constructor(cmdParam, resolve, reject, _createSecureContext, getSocket) {
+    super(cmdParam, resolve, reject);
+    this.cmdParam = cmdParam;
+    this._createSecureContext = _createSecureContext;
+    this.getSocket = getSocket;
+    this.plugin = new Handshake(this, getSocket, this.handshakeResult, reject);
+  }
+
+  onPacketReceive(packet, out, opts, info) {
+    this.plugin.sequenceNo = this.sequenceNo;
+    this.plugin.compressSequenceNo = this.compressSequenceNo;
+    this.plugin.onPacketReceive(packet, out, opts, info);
+  }
+
+  /**
+   * Fast-path handshake results :
+   *  - if plugin was the one expected by server, server will send OK_Packet / ERR_Packet.
+   *  - if not, server send an AuthSwitchRequest packet, indicating the specific PLUGIN to use with this user.
+   *    dispatching to plugin handler then.
+   *
+   * @param packet    current packet
+   * @param out       output buffer
+   * @param opts      options
+   * @param info      connection info
+   * @returns {*}     return null if authentication succeed, depending on plugin conversation if not finished
+   */
+  handshakeResult(packet, out, opts, info) {
+    const marker = packet.peek();
+    switch (marker) {
+      //*********************************************************************************************************
+      //* AuthSwitchRequest packet
+      //*********************************************************************************************************
+      case 0xfe:
+        this.dispatchAuthSwitchRequest(packet, out, opts, info);
+        return;
+
+      //*********************************************************************************************************
+      //* OK_Packet - authentication succeeded
+      //*********************************************************************************************************
+      case 0x00:
+        this.plugin.onPacketReceive = null;
+        packet.skip(1); //skip header
+        packet.skipLengthCodedNumber(); //skip affected rows
+        packet.skipLengthCodedNumber(); //skip last insert id
+        info.status = packet.readUInt16();
+
+        if (info.requireValidCert) {
+          if (info.selfSignedCertificate) {
+            // TLS was forced to trust, and certificate validation is required
+            packet.skip(2); //skip warning count
+            if (packet.remaining()) {
+              const validationHash = packet.readBufferLengthEncoded();
+              if (validationHash.length > 0) {
+                if (!this.plugin.permitHash() || !Boolean(this.cmdParam.opts.password)) {
+                  return this.throwNewError(
+                    'Self signed certificates. Either set `ssl: { rejectUnauthorized: false }` (trust mode) or provide server certificate to client',
+                    true,
+                    info,
+                    '08000',
+                    Errors.ER_SELF_SIGNED_NO_PWD
+                  );
+                }
+                if (this.validateFingerPrint(validationHash, info)) {
+                  return this.successEnd();
+                }
+              }
+            }
+            return this.throwNewError('self-signed certificate', true, info, '08000', Errors.ER_SELF_SIGNED);
+          } else {
+            // certificate is not self signed, validate server identity
+            const validationFunction =
+              opts.ssl === true || typeof opts.ssl.checkServerIdentity !== 'function'
+                ? tls.checkServerIdentity
+                : opts.ssl.checkServerIdentity;
+            const identityError = validationFunction(
+              typeof opts.ssl === 'object' && opts.ssl.servername ? opts.ssl.servername : opts.host,
+              info.tlsCert
+            );
+            if (identityError) {
+              return this.throwNewError(
+                'certificate identify Error: ' + identityError.message,
+                true,
+                info,
+                '08000',
+                Errors.ER_TLS_IDENTITY_ERROR
+              );
+            }
+          }
+        }
+
+        let mustRedirect = false;
+        if (info.status & ServerStatus.SESSION_STATE_CHANGED) {
+          packet.skip(2); //skip warning count
+          packet.skipLengthCodedNumber();
+          while (packet.remaining()) {
+            const len = packet.readUnsignedLength();
+            if (len > 0) {
+              const subPacket = packet.subPacketLengthEncoded(len);
+              while (subPacket.remaining()) {
+                const type = subPacket.readUInt8();
+                switch (type) {
+                  case StateChange.SESSION_TRACK_SYSTEM_VARIABLES:
+                    let subSubPacket;
+                    do {
+                      subSubPacket = subPacket.subPacketLengthEncoded(subPacket.readUnsignedLength());
+                      const variable = subSubPacket.readStringLengthEncoded();
+                      const value = subSubPacket.readStringLengthEncoded();
+
+                      switch (variable) {
+                        case 'character_set_client':
+                          info.collation = Collations.fromCharset(value);
+                          if (info.collation === undefined) {
+                            this.throwError(new Error("unknown charset : '" + value + "'"), info);
+                            return;
+                          }
+                          opts.emit('collation', info.collation);
+                          break;
+
+                        case 'redirect_url':
+                          if (value !== '') {
+                            mustRedirect = true;
+                            info.redirect(value, this.successEnd.bind(this));
+                          }
+                          break;
+
+                        case 'maxscale':
+                          info.maxscaleVersion = value;
+                          break;
+
+                        case 'connection_id':
+                          info.threadId = parseInt(value);
+                          break;
+
+                        default:
+                        //variable not used by driver
+                      }
+                    } while (subSubPacket.remaining() > 0);
+                    break;
+
+                  case StateChange.SESSION_TRACK_SCHEMA:
+                    const subSubPacket2 = subPacket.subPacketLengthEncoded(subPacket.readUnsignedLength());
+                    info.database = subSubPacket2.readStringLengthEncoded();
+                    break;
+                }
+              }
+            }
+          }
+        }
+        if (!mustRedirect) this.successEnd();
+        return;
+
+      //*********************************************************************************************************
+      //* ERR_Packet
+      //*********************************************************************************************************
+      case 0xff:
+        this.plugin.onPacketReceive = null;
+        const authErr = packet.readError(info, this.displaySql(), undefined);
+        authErr.fatal = true;
+        if (info.requireValidCert && info.selfSignedCertificate) {
+          // TLS was forced to trust, and certificate validation is required
+          return this.plugin.throwNewError(
+            'Self signed certificates. Either set `ssl: { rejectUnauthorized: false }` (trust mode) or provide server certificate to client',
+            true,
+            info,
+            '08000',
+            Errors.ER_SELF_SIGNED_NO_PWD
+          );
+        }
+        return this.plugin.throwError(authErr, info);
+
+      //*********************************************************************************************************
+      //* unexpected
+      //*********************************************************************************************************
+      default:
+        this.throwNewError(
+          `Unexpected type of packet during handshake phase : ${marker}`,
+          true,
+          info,
+          '42000',
+          Errors.ER_AUTHENTICATION_BAD_PACKET
+        );
+    }
+  }
+
+  validateFingerPrint(validationHash, info) {
+    if (validationHash.length === 0 || !info.tlsFingerprint) return false;
+
+    // 0x01 = SHA256 encryption
+    if (validationHash[0] !== 0x01) {
+      const err = Errors.createFatalError(
+        `Unexpected hash format for fingerprint hash encoding`,
+        Errors.ER_UNEXPECTED_PACKET,
+        this.info
+      );
+      if (this.opts.logger.error) this.opts.logger.error(err);
+      return false;
+    }
+
+    const pwdHash = this.plugin.hash(this.cmdParam.opts);
+
+    let hash = Crypto.createHash('sha256');
+    let digest = hash.update(pwdHash).update(info.seed).update(Buffer.from(info.tlsFingerprint, 'hex')).digest();
+    const hashHex = utils.toHexString(digest);
+    const serverValidationHex = validationHash.toString('ascii', 1, validationHash.length).toLowerCase();
+    return hashHex === serverValidationHex;
+  }
+
+  /**
+   * Handle authentication switch request : dispatch to plugin handler.
+   *
+   * @param packet  packet
+   * @param out     output writer
+   * @param opts    options
+   * @param info    connection information
+   */
+  dispatchAuthSwitchRequest(packet, out, opts, info) {
+    let pluginName, pluginData;
+    if (info.clientCapabilities & Capabilities.PLUGIN_AUTH) {
+      packet.skip(1); //header
+      if (packet.remaining()) {
+        //AuthSwitchRequest packet.
+        pluginName = packet.readStringNullEnded();
+        pluginData = packet.readBufferRemaining();
+      } else {
+        //OldAuthSwitchRequest
+        pluginName = 'mysql_old_password';
+        pluginData = info.seed.subarray(0, 8);
+      }
+    } else {
+      pluginName = packet.readStringNullEnded('ascii');
+      pluginData = packet.readBufferRemaining();
+    }
+
+    if (
+      info.requireValidCert &&
+      info.selfSignedCertificate &&
+      Boolean(this.cmdParam.opts.password) &&
+      !this.plugin.permitHash()
+    ) {
+      return this.throwNewError(
+        `Unsupported authentication plugin ${pluginName} with Self signed certificates. Either set 'ssl: { rejectUnauthorized: false }' (trust mode) or provide server certificate to client`,
+        true,
+        info,
+        '08000',
+        Errors.ER_SELF_SIGNED_BAD_PLUGIN
+      );
+    }
+
+    if (opts.restrictedAuth && !opts.restrictedAuth.includes(pluginName)) {
+      this.throwNewError(
+        `Unsupported authentication plugin ${pluginName}. Authorized plugin: ${opts.restrictedAuth.toString()}`,
+        true,
+        info,
+        '42000',
+        Errors.ER_NOT_SUPPORTED_AUTH_PLUGIN
+      );
+      return;
+    }
+    try {
+      this.plugin.emit('end');
+      this.plugin.onPacketReceive = null;
+      this.plugin = Authentication.pluginHandler(
+        pluginName,
+        this.plugin.sequenceNo,
+        this.plugin.compressSequenceNo,
+        pluginData,
+        info,
+        opts,
+        out,
+        this.cmdParam,
+        this.reject,
+        this.handshakeResult.bind(this)
+      );
+      this.plugin.start(out, opts, info);
+    } catch (err) {
+      this.reject(err);
+    }
+  }
+
+  static pluginHandler(
+    pluginName,
+    packSeq,
+    compressPackSeq,
+    pluginData,
+    info,
+    opts,
+    out,
+    cmdParam,
+    authReject,
+    multiAuthResolver
+  ) {
+    let pluginAuth = authenticationPlugins[pluginName];
+    if (!pluginAuth) {
+      throw Errors.createFatalError(
+        `Client does not support authentication protocol '${pluginName}' requested by server.`,
+        Errors.ER_AUTHENTICATION_PLUGIN_NOT_SUPPORTED,
+        info,
+        '08004'
+      );
+    }
+    return new pluginAuth(packSeq, compressPackSeq, pluginData, cmdParam, authReject, multiAuthResolver);
+  }
+}
+
+module.exports = Authentication;