mongodb 3.2.5 → 3.3.0-beta2

package/lib/core/auth/scram.js

@@ -0,0 +1,293 @@
+'use strict';
+
+const crypto = require('crypto');
+const Buffer = require('safe-buffer').Buffer;
+const retrieveBSON = require('../connection/utils').retrieveBSON;
+const MongoError = require('../error').MongoError;
+const AuthProvider = require('./auth_provider').AuthProvider;
+
+const BSON = retrieveBSON();
+const Binary = BSON.Binary;
+
+let saslprep;
+try {
+  saslprep = require('saslprep');
+} catch (e) {
+  // don't do anything;
+}
+
+var parsePayload = function(payload) {
+  var dict = {};
+  var parts = payload.split(',');
+
+  for (var i = 0; i < parts.length; i++) {
+    var valueParts = parts[i].split('=');
+    dict[valueParts[0]] = valueParts[1];
+  }
+
+  return dict;
+};
+
+var passwordDigest = function(username, password) {
+  if (typeof username !== 'string') throw new MongoError('username must be a string');
+  if (typeof password !== 'string') throw new MongoError('password must be a string');
+  if (password.length === 0) throw new MongoError('password cannot be empty');
+  // Use node md5 generator
+  var md5 = crypto.createHash('md5');
+  // Generate keys used for authentication
+  md5.update(username + ':mongo:' + password, 'utf8');
+  return md5.digest('hex');
+};
+
+// XOR two buffers
+function xor(a, b) {
+  if (!Buffer.isBuffer(a)) a = Buffer.from(a);
+  if (!Buffer.isBuffer(b)) b = Buffer.from(b);
+  const length = Math.max(a.length, b.length);
+  const res = [];
+
+  for (let i = 0; i < length; i += 1) {
+    res.push(a[i] ^ b[i]);
+  }
+
+  return Buffer.from(res).toString('base64');
+}
+
+function H(method, text) {
+  return crypto
+    .createHash(method)
+    .update(text)
+    .digest();
+}
+
+function HMAC(method, key, text) {
+  return crypto
+    .createHmac(method, key)
+    .update(text)
+    .digest();
+}
+
+var _hiCache = {};
+var _hiCacheCount = 0;
+var _hiCachePurge = function() {
+  _hiCache = {};
+  _hiCacheCount = 0;
+};
+
+const hiLengthMap = {
+  sha256: 32,
+  sha1: 20
+};
+
+function HI(data, salt, iterations, cryptoMethod) {
+  // omit the work if already generated
+  const key = [data, salt.toString('base64'), iterations].join('_');
+  if (_hiCache[key] !== undefined) {
+    return _hiCache[key];
+  }
+
+  // generate the salt
+  const saltedData = crypto.pbkdf2Sync(
+    data,
+    salt,
+    iterations,
+    hiLengthMap[cryptoMethod],
+    cryptoMethod
+  );
+
+  // cache a copy to speed up the next lookup, but prevent unbounded cache growth
+  if (_hiCacheCount >= 200) {
+    _hiCachePurge();
+  }
+
+  _hiCache[key] = saltedData;
+  _hiCacheCount += 1;
+  return saltedData;
+}
+
+/**
+ * Creates a new ScramSHA authentication mechanism
+ * @class
+ * @extends AuthProvider
+ */
+class ScramSHA extends AuthProvider {
+  constructor(bson, cryptoMethod) {
+    super(bson);
+    this.cryptoMethod = cryptoMethod || 'sha1';
+  }
+
+  static _getError(err, r) {
+    if (err) {
+      return err;
+    }
+
+    if (r.$err || r.errmsg) {
+      return new MongoError(r);
+    }
+  }
+
+  /**
+   * @ignore
+   */
+  _executeScram(sendAuthCommand, connection, credentials, nonce, callback) {
+    let username = credentials.username;
+    const password = credentials.password;
+    const db = credentials.source;
+
+    const cryptoMethod = this.cryptoMethod;
+    let mechanism = 'SCRAM-SHA-1';
+    let processedPassword;
+
+    if (cryptoMethod === 'sha256') {
+      mechanism = 'SCRAM-SHA-256';
+
+      processedPassword = saslprep ? saslprep(password) : password;
+    } else {
+      try {
+        processedPassword = passwordDigest(username, password);
+      } catch (e) {
+        return callback(e);
+      }
+    }
+
+    // Clean up the user
+    username = username.replace('=', '=3D').replace(',', '=2C');
+
+    // NOTE: This is done b/c Javascript uses UTF-16, but the server is hashing in UTF-8.
+    // Since the username is not sasl-prep-d, we need to do this here.
+    const firstBare = Buffer.concat([
+      Buffer.from('n=', 'utf8'),
+      Buffer.from(username, 'utf8'),
+      Buffer.from(',r=', 'utf8'),
+      Buffer.from(nonce, 'utf8')
+    ]);
+
+    // Build command structure
+    const saslStartCmd = {
+      saslStart: 1,
+      mechanism,
+      payload: new Binary(Buffer.concat([Buffer.from('n,,', 'utf8'), firstBare])),
+      autoAuthorize: 1
+    };
+
+    // Write the commmand on the connection
+    sendAuthCommand(connection, `${db}.$cmd`, saslStartCmd, (err, r) => {
+      let tmpError = ScramSHA._getError(err, r);
+      if (tmpError) {
+        return callback(tmpError, null);
+      }
+
+      const payload = Buffer.isBuffer(r.payload) ? new Binary(r.payload) : r.payload;
+      const dict = parsePayload(payload.value());
+      const iterations = parseInt(dict.i, 10);
+      const salt = dict.s;
+      const rnonce = dict.r;
+
+      // Set up start of proof
+      const withoutProof = `c=biws,r=${rnonce}`;
+      const saltedPassword = HI(
+        processedPassword,
+        Buffer.from(salt, 'base64'),
+        iterations,
+        cryptoMethod
+      );
+
+      if (iterations && iterations < 4096) {
+        const error = new MongoError(`Server returned an invalid iteration count ${iterations}`);
+        return callback(error, false);
+      }
+
+      const clientKey = HMAC(cryptoMethod, saltedPassword, 'Client Key');
+      const storedKey = H(cryptoMethod, clientKey);
+      const authMessage = [firstBare, payload.value().toString('base64'), withoutProof].join(',');
+
+      const clientSignature = HMAC(cryptoMethod, storedKey, authMessage);
+      const clientProof = `p=${xor(clientKey, clientSignature)}`;
+      const clientFinal = [withoutProof, clientProof].join(',');
+      const saslContinueCmd = {
+        saslContinue: 1,
+        conversationId: r.conversationId,
+        payload: new Binary(Buffer.from(clientFinal))
+      };
+
+      sendAuthCommand(connection, `${db}.$cmd`, saslContinueCmd, (err, r) => {
+        if (!r || r.done !== false) {
+          return callback(err, r);
+        }
+
+        const retrySaslContinueCmd = {
+          saslContinue: 1,
+          conversationId: r.conversationId,
+          payload: Buffer.alloc(0)
+        };
+
+        sendAuthCommand(connection, `${db}.$cmd`, retrySaslContinueCmd, callback);
+      });
+    });
+  }
+
+  /**
+   * Implementation of authentication for a single connection
+   * @override
+   */
+  _authenticateSingleConnection(sendAuthCommand, connection, credentials, callback) {
+    // Create a random nonce
+    crypto.randomBytes(24, (err, buff) => {
+      if (err) {
+        return callback(err, null);
+      }
+
+      return this._executeScram(
+        sendAuthCommand,
+        connection,
+        credentials,
+        buff.toString('base64'),
+        callback
+      );
+    });
+  }
+
+  /**
+   * Authenticate
+   * @override
+   * @method
+   */
+  auth(sendAuthCommand, connections, credentials, callback) {
+    this._checkSaslprep();
+    super.auth(sendAuthCommand, connections, credentials, callback);
+  }
+
+  _checkSaslprep() {
+    const cryptoMethod = this.cryptoMethod;
+
+    if (cryptoMethod === 'sha256') {
+      if (!saslprep) {
+        console.warn('Warning: no saslprep library specified. Passwords will not be sanitized');
+      }
+    }
+  }
+}
+
+/**
+ * Creates a new ScramSHA1 authentication mechanism
+ * @class
+ * @extends ScramSHA
+ */
+class ScramSHA1 extends ScramSHA {
+  constructor(bson) {
+    super(bson, 'sha1');
+  }
+}
+
+/**
+ * Creates a new ScramSHA256 authentication mechanism
+ * @class
+ * @extends ScramSHA
+ */
+class ScramSHA256 extends ScramSHA {
+  constructor(bson) {
+    super(bson, 'sha256');
+  }
+}
+
+module.exports = { ScramSHA1, ScramSHA256 };

package/lib/core/auth/sspi.js

@@ -0,0 +1,131 @@
+'use strict';
+
+const AuthProvider = require('./auth_provider').AuthProvider;
+const retrieveKerberos = require('../utils').retrieveKerberos;
+let kerberos;
+
+/**
+ * Creates a new SSPI authentication mechanism
+ * @class
+ * @extends AuthProvider
+ */
+class SSPI extends AuthProvider {
+  /**
+   * Implementation of authentication for a single connection
+   * @override
+   */
+  _authenticateSingleConnection(sendAuthCommand, connection, credentials, callback) {
+    // TODO: Destructure this
+    const username = credentials.username;
+    const password = credentials.password;
+    const mechanismProperties = credentials.mechanismProperties;
+    const gssapiServiceName =
+      mechanismProperties['gssapiservicename'] ||
+      mechanismProperties['gssapiServiceName'] ||
+      'mongodb';
+
+    SSIPAuthenticate(
+      this,
+      kerberos.processes.MongoAuthProcess,
+      username,
+      password,
+      gssapiServiceName,
+      sendAuthCommand,
+      connection,
+      mechanismProperties,
+      callback
+    );
+  }
+
+  /**
+   * Authenticate
+   * @override
+   * @method
+   */
+  auth(sendAuthCommand, connections, credentials, callback) {
+    if (kerberos == null) {
+      try {
+        kerberos = retrieveKerberos();
+      } catch (e) {
+        return callback(e, null);
+      }
+    }
+
+    super.auth(sendAuthCommand, connections, credentials, callback);
+  }
+}
+
+function SSIPAuthenticate(
+  self,
+  MongoAuthProcess,
+  username,
+  password,
+  gssapiServiceName,
+  sendAuthCommand,
+  connection,
+  options,
+  callback
+) {
+  const authProcess = new MongoAuthProcess(
+    connection.host,
+    connection.port,
+    gssapiServiceName,
+    options
+  );
+
+  function authCommand(command, authCb) {
+    sendAuthCommand(connection, '$external.$cmd', command, authCb);
+  }
+
+  authProcess.init(username, password, err => {
+    if (err) return callback(err, false);
+
+    authProcess.transition('', (err, payload) => {
+      if (err) return callback(err, false);
+
+      const command = {
+        saslStart: 1,
+        mechanism: 'GSSAPI',
+        payload,
+        autoAuthorize: 1
+      };
+
+      authCommand(command, (err, doc) => {
+        if (err) return callback(err, false);
+
+        authProcess.transition(doc.payload, (err, payload) => {
+          if (err) return callback(err, false);
+          const command = {
+            saslContinue: 1,
+            conversationId: doc.conversationId,
+            payload
+          };
+
+          authCommand(command, (err, doc) => {
+            if (err) return callback(err, false);
+
+            authProcess.transition(doc.payload, (err, payload) => {
+              if (err) return callback(err, false);
+              const command = {
+                saslContinue: 1,
+                conversationId: doc.conversationId,
+                payload
+              };
+
+              authCommand(command, (err, response) => {
+                if (err) return callback(err, false);
+
+                authProcess.transition(null, err => {
+                  if (err) return callback(err, null);
+                  callback(null, response);
+                });
+              });
+            });
+          });
+        });
+      });
+    });
+  });
+}
+
+module.exports = SSPI;

package/lib/core/auth/x509.js

@@ -0,0 +1,26 @@
+'use strict';
+
+const AuthProvider = require('./auth_provider').AuthProvider;
+
+/**
+ * Creates a new X509 authentication mechanism
+ * @class
+ * @extends AuthProvider
+ */
+class X509 extends AuthProvider {
+  /**
+   * Implementation of authentication for a single connection
+   * @override
+   */
+  _authenticateSingleConnection(sendAuthCommand, connection, credentials, callback) {
+    const username = credentials.username;
+    const command = { authenticate: 1, mechanism: 'MONGODB-X509' };
+    if (username) {
+      command.user = username;
+    }
+
+    sendAuthCommand(connection, '$external.$cmd', command, callback);
+  }
+}
+
+module.exports = X509;

package/lib/core/connection/apm.js

@@ -0,0 +1,236 @@
+'use strict';
+const Msg = require('../connection/msg').Msg;
+const KillCursor = require('../connection/commands').KillCursor;
+const GetMore = require('../connection/commands').GetMore;
+const calculateDurationInMs = require('../utils').calculateDurationInMs;
+
+/** Commands that we want to redact because of the sensitive nature of their contents */
+const SENSITIVE_COMMANDS = new Set([
+  'authenticate',
+  'saslStart',
+  'saslContinue',
+  'getnonce',
+  'createUser',
+  'updateUser',
+  'copydbgetnonce',
+  'copydbsaslstart',
+  'copydb'
+]);
+
+// helper methods
+const extractCommandName = commandDoc => Object.keys(commandDoc)[0];
+const namespace = command => command.ns;
+const databaseName = command => command.ns.split('.')[0];
+const collectionName = command => command.ns.split('.')[1];
+const generateConnectionId = pool => `${pool.options.host}:${pool.options.port}`;
+const maybeRedact = (commandName, result) => (SENSITIVE_COMMANDS.has(commandName) ? {} : result);
+
+const LEGACY_FIND_QUERY_MAP = {
+  $query: 'filter',
+  $orderby: 'sort',
+  $hint: 'hint',
+  $comment: 'comment',
+  $maxScan: 'maxScan',
+  $max: 'max',
+  $min: 'min',
+  $returnKey: 'returnKey',
+  $showDiskLoc: 'showRecordId',
+  $maxTimeMS: 'maxTimeMS',
+  $snapshot: 'snapshot'
+};
+
+const LEGACY_FIND_OPTIONS_MAP = {
+  numberToSkip: 'skip',
+  numberToReturn: 'batchSize',
+  returnFieldsSelector: 'projection'
+};
+
+const OP_QUERY_KEYS = [
+  'tailable',
+  'oplogReplay',
+  'noCursorTimeout',
+  'awaitData',
+  'partial',
+  'exhaust'
+];
+
+/**
+ * Extract the actual command from the query, possibly upconverting if it's a legacy
+ * format
+ *
+ * @param {Object} command the command
+ */
+const extractCommand = command => {
+  if (command instanceof GetMore) {
+    return {
+      getMore: command.cursorId,
+      collection: collectionName(command),
+      batchSize: command.numberToReturn
+    };
+  }
+
+  if (command instanceof KillCursor) {
+    return {
+      killCursors: collectionName(command),
+      cursors: command.cursorIds
+    };
+  }
+
+  if (command instanceof Msg) {
+    return command.command;
+  }
+
+  if (command.query && command.query.$query) {
+    let result;
+    if (command.ns === 'admin.$cmd') {
+      // upconvert legacy command
+      result = Object.assign({}, command.query.$query);
+    } else {
+      // upconvert legacy find command
+      result = { find: collectionName(command) };
+      Object.keys(LEGACY_FIND_QUERY_MAP).forEach(key => {
+        if (typeof command.query[key] !== 'undefined')
+          result[LEGACY_FIND_QUERY_MAP[key]] = command.query[key];
+      });
+    }
+
+    Object.keys(LEGACY_FIND_OPTIONS_MAP).forEach(key => {
+      if (typeof command[key] !== 'undefined') result[LEGACY_FIND_OPTIONS_MAP[key]] = command[key];
+    });
+
+    OP_QUERY_KEYS.forEach(key => {
+      if (command[key]) result[key] = command[key];
+    });
+
+    if (typeof command.pre32Limit !== 'undefined') {
+      result.limit = command.pre32Limit;
+    }
+
+    if (command.query.$explain) {
+      return { explain: result };
+    }
+
+    return result;
+  }
+
+  return command.query ? command.query : command;
+};
+
+const extractReply = (command, reply) => {
+  if (command instanceof GetMore) {
+    return {
+      ok: 1,
+      cursor: {
+        id: reply.message.cursorId,
+        ns: namespace(command),
+        nextBatch: reply.message.documents
+      }
+    };
+  }
+
+  if (command instanceof KillCursor) {
+    return {
+      ok: 1,
+      cursorsUnknown: command.cursorIds
+    };
+  }
+
+  // is this a legacy find command?
+  if (command.query && typeof command.query.$query !== 'undefined') {
+    return {
+      ok: 1,
+      cursor: {
+        id: reply.message.cursorId,
+        ns: namespace(command),
+        firstBatch: reply.message.documents
+      }
+    };
+  }
+
+  // in the event of a `noResponse` command, just return
+  if (reply === null) return reply;
+
+  return reply.result;
+};
+
+/** An event indicating the start of a given command */
+class CommandStartedEvent {
+  /**
+   * Create a started event
+   *
+   * @param {Pool} pool the pool that originated the command
+   * @param {Object} command the command
+   */
+  constructor(pool, command) {
+    const cmd = extractCommand(command);
+    const commandName = extractCommandName(cmd);
+
+    // NOTE: remove in major revision, this is not spec behavior
+    if (SENSITIVE_COMMANDS.has(commandName)) {
+      this.commandObj = {};
+      this.commandObj[commandName] = true;
+    }
+
+    Object.assign(this, {
+      command: cmd,
+      databaseName: databaseName(command),
+      commandName,
+      requestId: command.requestId,
+      connectionId: generateConnectionId(pool)
+    });
+  }
+}
+
+/** An event indicating the success of a given command */
+class CommandSucceededEvent {
+  /**
+   * Create a succeeded event
+   *
+   * @param {Pool} pool the pool that originated the command
+   * @param {Object} command the command
+   * @param {Object} reply the reply for this command from the server
+   * @param {Array} started a high resolution tuple timestamp of when the command was first sent, to calculate duration
+   */
+  constructor(pool, command, reply, started) {
+    const cmd = extractCommand(command);
+    const commandName = extractCommandName(cmd);
+
+    Object.assign(this, {
+      duration: calculateDurationInMs(started),
+      commandName,
+      reply: maybeRedact(commandName, extractReply(command, reply)),
+      requestId: command.requestId,
+      connectionId: generateConnectionId(pool)
+    });
+  }
+}
+
+/** An event indicating the failure of a given command */
+class CommandFailedEvent {
+  /**
+   * Create a failure event
+   *
+   * @param {Pool} pool the pool that originated the command
+   * @param {Object} command the command
+   * @param {MongoError|Object} error the generated error or a server error response
+   * @param {Array} started a high resolution tuple timestamp of when the command was first sent, to calculate duration
+   */
+  constructor(pool, command, error, started) {
+    const cmd = extractCommand(command);
+    const commandName = extractCommandName(cmd);
+
+    Object.assign(this, {
+      duration: calculateDurationInMs(started),
+      commandName,
+      failure: maybeRedact(commandName, error),
+      requestId: command.requestId,
+      connectionId: generateConnectionId(pool)
+    });
+  }
+}
+
+module.exports = {
+  CommandStartedEvent,
+  CommandSucceededEvent,
+  CommandFailedEvent
+};

package/lib/core/connection/command_result.js

@@ -0,0 +1,36 @@
+'use strict';
+
+/**
+ * Creates a new CommandResult instance
+ * @class
+ * @param {object} result CommandResult object
+ * @param {Connection} connection A connection instance associated with this result
+ * @return {CommandResult} A cursor instance
+ */
+var CommandResult = function(result, connection, message) {
+  this.result = result;
+  this.connection = connection;
+  this.message = message;
+};
+
+/**
+ * Convert CommandResult to JSON
+ * @method
+ * @return {object}
+ */
+CommandResult.prototype.toJSON = function() {
+  let result = Object.assign({}, this, this.result);
+  delete result.message;
+  return result;
+};
+
+/**
+ * Convert CommandResult to String representation
+ * @method
+ * @return {string}
+ */
+CommandResult.prototype.toString = function() {
+  return JSON.stringify(this.toJSON());
+};
+
+module.exports = CommandResult;