mongodb 3.5.11 → 3.6.2

package/lib/core/auth/gssapi.js

@@ -1,241 +1,151 @@
 'use strict';
+const dns = require('dns');
 
 const AuthProvider = require('./auth_provider').AuthProvider;
 const retrieveKerberos = require('../utils').retrieveKerberos;
+const MongoError = require('../error').MongoError;
+
+const kGssapiClient = Symbol('GSSAPI_CLIENT');
 let kerberos;
 
-/**
- * Creates a new GSSAPI authentication mechanism
- * @class
- * @extends AuthProvider
- */
 class GSSAPI extends AuthProvider {
-  /**
-   * Implementation of authentication for a single connection
-   * @override
-   */
-  _authenticateSingleConnection(sendAuthCommand, connection, credentials, callback) {
-    const source = credentials.source;
+  prepare(handshakeDoc, authContext, callback) {
+    const host = authContext.options.host;
+    const port = authContext.options.port;
+    const credentials = authContext.credentials;
+    if (!host || !port || !credentials) {
+      return callback(
+        new MongoError(
+          `Connection must specify: ${host ? 'host' : ''}, ${port ? 'port' : ''}, ${
+            credentials ? 'host' : 'credentials'
+          }.`
+        )
+      );
+    }
+    if (kerberos == null) {
+      try {
+        kerberos = retrieveKerberos();
+      } catch (e) {
+        return callback(e);
+      }
+    }
     const username = credentials.username;
     const password = credentials.password;
     const mechanismProperties = credentials.mechanismProperties;
-    const gssapiServiceName =
+    const serviceName =
       mechanismProperties['gssapiservicename'] ||
       mechanismProperties['gssapiServiceName'] ||
       'mongodb';
-
-    GSSAPIInitialize(
-      this,
-      kerberos.processes.MongoAuthProcess,
-      source,
-      username,
-      password,
-      source,
-      gssapiServiceName,
-      sendAuthCommand,
-      connection,
-      mechanismProperties,
-      callback
-    );
-  }
-
-  /**
-   * Authenticate
-   * @override
-   * @method
-   */
-  auth(sendAuthCommand, connections, credentials, callback) {
-    if (kerberos == null) {
-      try {
-        kerberos = retrieveKerberos();
-      } catch (e) {
-        return callback(e, null);
+    performGssapiCanonicalizeHostName(host, mechanismProperties, (err, host) => {
+      if (err) return callback(err);
+      const initOptions = {};
+      if (password != null) {
+        Object.assign(initOptions, { user: username, password: password });
       }
+      kerberos.initializeClient(
+        `${serviceName}${process.platform === 'win32' ? '/' : '@'}${host}`,
+        initOptions,
+        (err, client) => {
+          if (err) return callback(new MongoError(err));
+          if (client == null) return callback();
+          this[kGssapiClient] = client;
+          callback(undefined, handshakeDoc);
+        }
+      );
+    });
+  }
+  auth(authContext, callback) {
+    const connection = authContext.connection;
+    const credentials = authContext.credentials;
+    if (credentials == null) return callback(new MongoError('credentials required'));
+    const username = credentials.username;
+    const client = this[kGssapiClient];
+    if (client == null) return callback(new MongoError('gssapi client missing'));
+    function externalCommand(command, cb) {
+      return connection.command('$external.$cmd', command, cb);
     }
-
-    super.auth(sendAuthCommand, connections, credentials, callback);
+    client.step('', (err, payload) => {
+      if (err) return callback(err);
+      externalCommand(saslStart(payload), (err, response) => {
+        const result = response.result;
+        if (err) return callback(err);
+        negotiate(client, 10, result.payload, (err, payload) => {
+          if (err) return callback(err);
+          externalCommand(saslContinue(payload, result.conversationId), (err, response) => {
+            const result = response.result;
+            if (err) return callback(err);
+            finalize(client, username, result.payload, (err, payload) => {
+              if (err) return callback(err);
+              externalCommand(
+                {
+                  saslContinue: 1,
+                  conversationId: result.conversationId,
+                  payload
+                },
+                (err, result) => {
+                  if (err) return callback(err);
+                  callback(undefined, result);
+                }
+              );
+            });
+          });
+        });
+      });
+    });
   }
 }
+module.exports = GSSAPI;
 
-//
-// Initialize step
-var GSSAPIInitialize = function(
-  self,
-  MongoAuthProcess,
-  db,
-  username,
-  password,
-  authdb,
-  gssapiServiceName,
-  sendAuthCommand,
-  connection,
-  options,
-  callback
-) {
-  // Create authenticator
-  var mongo_auth_process = new MongoAuthProcess(
-    connection.host,
-    connection.port,
-    gssapiServiceName,
-    options
-  );
-
-  // Perform initialization
-  mongo_auth_process.init(username, password, function(err) {
-    if (err) return callback(err, false);
-
-    // Perform the first step
-    mongo_auth_process.transition('', function(err, payload) {
-      if (err) return callback(err, false);
-
-      // Call the next db step
-      MongoDBGSSAPIFirstStep(
-        self,
-        mongo_auth_process,
-        payload,
-        db,
-        username,
-        password,
-        authdb,
-        sendAuthCommand,
-        connection,
-        callback
-      );
-    });
-  });
-};
-
-//
-// Perform first step against mongodb
-var MongoDBGSSAPIFirstStep = function(
-  self,
-  mongo_auth_process,
-  payload,
-  db,
-  username,
-  password,
-  authdb,
-  sendAuthCommand,
-  connection,
-  callback
-) {
-  // Build the sasl start command
-  var command = {
+function saslStart(payload) {
+  return {
     saslStart: 1,
     mechanism: 'GSSAPI',
-    payload: payload,
+    payload,
     autoAuthorize: 1
   };
-
-  // Write the commmand on the connection
-  sendAuthCommand(connection, '$external.$cmd', command, (err, doc) => {
-    if (err) return callback(err, false);
-    // Execute mongodb transition
-    mongo_auth_process.transition(doc.payload, function(err, payload) {
-      if (err) return callback(err, false);
-
-      // MongoDB API Second Step
-      MongoDBGSSAPISecondStep(
-        self,
-        mongo_auth_process,
-        payload,
-        doc,
-        db,
-        username,
-        password,
-        authdb,
-        sendAuthCommand,
-        connection,
-        callback
-      );
-    });
-  });
-};
-
-//
-// Perform first step against mongodb
-var MongoDBGSSAPISecondStep = function(
-  self,
-  mongo_auth_process,
-  payload,
-  doc,
-  db,
-  username,
-  password,
-  authdb,
-  sendAuthCommand,
-  connection,
-  callback
-) {
-  // Build Authentication command to send to MongoDB
-  var command = {
+}
+function saslContinue(payload, conversationId) {
+  return {
     saslContinue: 1,
-    conversationId: doc.conversationId,
-    payload: payload
+    conversationId,
+    payload
   };
-
-  // Execute the command
-  // Write the commmand on the connection
-  sendAuthCommand(connection, '$external.$cmd', command, (err, doc) => {
-    if (err) return callback(err, false);
-    // Call next transition for kerberos
-    mongo_auth_process.transition(doc.payload, function(err, payload) {
-      if (err) return callback(err, false);
-
-      // Call the last and third step
-      MongoDBGSSAPIThirdStep(
-        self,
-        mongo_auth_process,
-        payload,
-        doc,
-        db,
-        username,
-        password,
-        authdb,
-        sendAuthCommand,
-        connection,
-        callback
-      );
-    });
+}
+function negotiate(client, retries, payload, callback) {
+  client.step(payload, (err, response) => {
+    // Retries exhausted, raise error
+    if (err && retries === 0) return callback(err);
+    // Adjust number of retries and call step again
+    if (err) return negotiate(client, retries - 1, payload, callback);
+    // Return the payload
+    callback(undefined, response || '');
   });
-};
-
-var MongoDBGSSAPIThirdStep = function(
-  self,
-  mongo_auth_process,
-  payload,
-  doc,
-  db,
-  username,
-  password,
-  authdb,
-  sendAuthCommand,
-  connection,
-  callback
-) {
-  // Build final command
-  var command = {
-    saslContinue: 1,
-    conversationId: doc.conversationId,
-    payload: payload
-  };
-
-  // Execute the command
-  sendAuthCommand(connection, '$external.$cmd', command, (err, r) => {
-    if (err) return callback(err, false);
-    mongo_auth_process.transition(null, function(err) {
-      if (err) return callback(err, null);
-      callback(null, r);
+}
+function finalize(client, user, payload, callback) {
+  // GSS Client Unwrap
+  client.unwrap(payload, (err, response) => {
+    if (err) return callback(err);
+    // Wrap the response
+    client.wrap(response || '', { user }, (err, wrapped) => {
+      if (err) return callback(err);
+      // Return the payload
+      callback(undefined, wrapped);
     });
   });
-};
-
-/**
- * This is a result from a authentication strategy
- *
- * @callback authResultCallback
- * @param {error} error An error object. Set to null if no error present
- * @param {boolean} result The result of the authentication process
- */
-
-module.exports = GSSAPI;
+}
+function performGssapiCanonicalizeHostName(host, mechanismProperties, callback) {
+  const canonicalizeHostName =
+    typeof mechanismProperties.gssapiCanonicalizeHostName === 'boolean'
+      ? mechanismProperties.gssapiCanonicalizeHostName
+      : false;
+  if (!canonicalizeHostName) return callback(undefined, host);
+  // Attempt to resolve the host name
+  dns.resolveCname(host, (err, r) => {
+    if (err) return callback(err);
+    // Get the first resolve host id
+    if (Array.isArray(r) && r.length > 0) {
+      return callback(undefined, r[0]);
+    }
+    callback(undefined, host);
+  });
+}

package/lib/core/auth/mongo_credentials.js

@@ -47,7 +47,24 @@ class MongoCredentials {
     this.password = options.password;
     this.source = options.source || options.db;
     this.mechanism = options.mechanism || 'default';
-    this.mechanismProperties = options.mechanismProperties;
+    this.mechanismProperties = options.mechanismProperties || {};
+
+    if (this.mechanism.match(/MONGODB-AWS/i)) {
+      if (this.username == null && process.env.AWS_ACCESS_KEY_ID) {
+        this.username = process.env.AWS_ACCESS_KEY_ID;
+      }
+
+      if (this.password == null && process.env.AWS_SECRET_ACCESS_KEY) {
+        this.password = process.env.AWS_SECRET_ACCESS_KEY;
+      }
+
+      if (this.mechanismProperties.AWS_SESSION_TOKEN == null && process.env.AWS_SESSION_TOKEN) {
+        this.mechanismProperties.AWS_SESSION_TOKEN = process.env.AWS_SESSION_TOKEN;
+      }
+    }
+
+    Object.freeze(this.mechanismProperties);
+    Object.freeze(this);
   }
 
   /**
@@ -69,12 +86,21 @@ class MongoCredentials {
    * based on the server version and server supported sasl mechanisms.
    *
    * @param {Object} [ismaster] An ismaster response from the server
+   * @returns {MongoCredentials}
    */
   resolveAuthMechanism(ismaster) {
     // If the mechanism is not "default", then it does not need to be resolved
-    if (this.mechanism.toLowerCase() === 'default') {
-      this.mechanism = getDefaultAuthMechanism(ismaster);
+    if (this.mechanism.match(/DEFAULT/i)) {
+      return new MongoCredentials({
+        username: this.username,
+        password: this.password,
+        source: this.source,
+        mechanism: getDefaultAuthMechanism(ismaster),
+        mechanismProperties: this.mechanismProperties
+      });
     }
+
+    return this;
   }
 }
 

package/lib/core/auth/mongocr.js

@@ -3,27 +3,21 @@
 const crypto = require('crypto');
 const AuthProvider = require('./auth_provider').AuthProvider;
 
-/**
- * Creates a new MongoCR authentication mechanism
- *
- * @extends AuthProvider
- */
 class MongoCR extends AuthProvider {
-  /**
-   * Implementation of authentication for a single connection
-   * @override
-   */
-  _authenticateSingleConnection(sendAuthCommand, connection, credentials, callback) {
+  auth(authContext, callback) {
+    const connection = authContext.connection;
+    const credentials = authContext.credentials;
     const username = credentials.username;
     const password = credentials.password;
     const source = credentials.source;
 
-    sendAuthCommand(connection, `${source}.$cmd`, { getnonce: 1 }, (err, r) => {
+    connection.command(`${source}.$cmd`, { getnonce: 1 }, (err, result) => {
       let nonce = null;
       let key = null;
 
       // Get nonce
       if (err == null) {
+        const r = result.result;
         nonce = r.nonce;
         // Use node md5 generator
         let md5 = crypto.createHash('md5');
@@ -43,7 +37,7 @@ class MongoCR extends AuthProvider {
         key
       };
 
-      sendAuthCommand(connection, `${source}.$cmd`, authenticateCommand, callback);
+      connection.command(`${source}.$cmd`, authenticateCommand, callback);
     });
   }
 }