mongodb 5.1.0 → 5.3.0

package/src/cmap/auth/gssapi.ts

@@ -1,15 +1,9 @@
 import * as dns from 'dns';
 
-import type { Document } from '../../bson';
 import { Kerberos, KerberosClient } from '../../deps';
-import {
-  MongoError,
-  MongoInvalidArgumentError,
-  MongoMissingCredentialsError,
-  MongoMissingDependencyError,
-  MongoRuntimeError
-} from '../../error';
-import { Callback, ns } from '../../utils';
+import { MongoInvalidArgumentError, MongoMissingCredentialsError } from '../../error';
+import { ns } from '../../utils';
+import type { Connection } from '../connection';
 import { AuthContext, AuthProvider } from './auth_provider';
 
 /** @public */
@@ -23,7 +17,7 @@ export const GSSAPICanonicalizationValue = Object.freeze({
 
 /** @public */
 export type GSSAPICanonicalizationValue =
-  typeof GSSAPICanonicalizationValue[keyof typeof GSSAPICanonicalizationValue];
+  (typeof GSSAPICanonicalizationValue)[keyof typeof GSSAPICanonicalizationValue];
 
 type MechanismProperties = {
   CANONICALIZE_HOST_NAME?: GSSAPICanonicalizationValue;
@@ -32,70 +26,59 @@ type MechanismProperties = {
   SERVICE_REALM?: string;
 };
 
+async function externalCommand(
+  connection: Connection,
+  command: ReturnType<typeof saslStart> | ReturnType<typeof saslContinue>
+): Promise<{ payload: string; conversationId: any }> {
+  return connection.commandAsync(ns('$external.$cmd'), command, undefined) as Promise<{
+    payload: string;
+    conversationId: any;
+  }>;
+}
+
 export class GSSAPI extends AuthProvider {
-  override auth(authContext: AuthContext, callback: Callback): void {
+  override async auth(authContext: AuthContext): Promise<void> {
     const { connection, credentials } = authContext;
-    if (credentials == null)
-      return callback(
-        new MongoMissingCredentialsError('Credentials required for GSSAPI authentication')
-      );
-    const { username } = credentials;
-    function externalCommand(
-      command: Document,
-      cb: Callback<{ payload: string; conversationId: any }>
-    ) {
-      return connection.command(ns('$external.$cmd'), command, undefined, cb);
+    if (credentials == null) {
+      throw new MongoMissingCredentialsError('Credentials required for GSSAPI authentication');
     }
-    makeKerberosClient(authContext, (err, client) => {
-      if (err) return callback(err);
-      if (client == null) return callback(new MongoMissingDependencyError('GSSAPI client missing'));
-      client.step('', (err, payload) => {
-        if (err) return callback(err);
-
-        externalCommand(saslStart(payload), (err, result) => {
-          if (err) return callback(err);
-          if (result == null) return callback();
-          negotiate(client, 10, result.payload, (err, payload) => {
-            if (err) return callback(err);
-
-            externalCommand(saslContinue(payload, result.conversationId), (err, result) => {
-              if (err) return callback(err);
-              if (result == null) return callback();
-              finalize(client, username, result.payload, (err, payload) => {
-                if (err) return callback(err);
-
-                externalCommand(
-                  {
-                    saslContinue: 1,
-                    conversationId: result.conversationId,
-                    payload
-                  },
-                  (err, result) => {
-                    if (err) return callback(err);
-
-                    callback(undefined, result);
-                  }
-                );
-              });
-            });
-          });
-        });
-      });
+
+    const { username } = credentials;
+
+    const client = await makeKerberosClient(authContext);
+
+    const payload = await client.step('');
+
+    const saslStartResponse = await externalCommand(connection, saslStart(payload));
+
+    const negotiatedPayload = await negotiate(client, 10, saslStartResponse.payload);
+
+    const saslContinueResponse = await externalCommand(
+      connection,
+      saslContinue(negotiatedPayload, saslStartResponse.conversationId)
+    );
+
+    const finalizePayload = await finalize(client, username, saslContinueResponse.payload);
+
+    await externalCommand(connection, {
+      saslContinue: 1,
+      conversationId: saslContinueResponse.conversationId,
+      payload: finalizePayload
     });
   }
 }
 
-function makeKerberosClient(authContext: AuthContext, callback: Callback<KerberosClient>): void {
+async function makeKerberosClient(authContext: AuthContext): Promise<KerberosClient> {
   const { hostAddress } = authContext.options;
   const { credentials } = authContext;
   if (!hostAddress || typeof hostAddress.host !== 'string' || !credentials) {
-    return callback(
-      new MongoInvalidArgumentError('Connection must have host and port and credentials defined.')
+    throw new MongoInvalidArgumentError(
+      'Connection must have host and port and credentials defined.'
     );
   }
 
   if ('kModuleError' in Kerberos) {
-    return callback(Kerberos['kModuleError']);
+    throw Kerberos['kModuleError'];
   }
   const { initializeClient } = Kerberos;
 
@@ -104,95 +87,71 @@ function makeKerberosClient(authContext: AuthContext, callback: Callback<Kerbero
 
   const serviceName = mechanismProperties.SERVICE_NAME ?? 'mongodb';
 
-  performGSSAPICanonicalizeHostName(
-    hostAddress.host,
-    mechanismProperties,
-    (err?: Error | MongoError, host?: string) => {
-      if (err) return callback(err);
-
-      const initOptions = {};
-      if (password != null) {
-        Object.assign(initOptions, { user: username, password: password });
-      }
-
-      const spnHost = mechanismProperties.SERVICE_HOST ?? host;
-      let spn = `${serviceName}${process.platform === 'win32' ? '/' : '@'}${spnHost}`;
-      if ('SERVICE_REALM' in mechanismProperties) {
-        spn = `${spn}@${mechanismProperties.SERVICE_REALM}`;
-      }
-
-      initializeClient(spn, initOptions, (err: string, client: KerberosClient): void => {
-        // TODO(NODE-3483)
-        if (err) return callback(new MongoRuntimeError(err));
-        callback(undefined, client);
-      });
-    }
-  );
+  const host = await performGSSAPICanonicalizeHostName(hostAddress.host, mechanismProperties);
+
+  const initOptions = {};
+  if (password != null) {
+    // TODO(NODE-5139): These do not match the typescript options in initializeClient
+    Object.assign(initOptions, { user: username, password: password });
+  }
+
+  const spnHost = mechanismProperties.SERVICE_HOST ?? host;
+  let spn = `${serviceName}${process.platform === 'win32' ? '/' : '@'}${spnHost}`;
+  if ('SERVICE_REALM' in mechanismProperties) {
+    spn = `${spn}@${mechanismProperties.SERVICE_REALM}`;
+  }
+
+  return initializeClient(spn, initOptions);
 }
 
-function saslStart(payload?: string): Document {
+function saslStart(payload: string) {
   return {
     saslStart: 1,
     mechanism: 'GSSAPI',
     payload,
     autoAuthorize: 1
-  };
+  } as const;
 }
 
-function saslContinue(payload?: string, conversationId?: number): Document {
+function saslContinue(payload: string, conversationId: number) {
   return {
     saslContinue: 1,
     conversationId,
     payload
-  };
+  } as const;
 }
 
-function negotiate(
+async function negotiate(
   client: KerberosClient,
   retries: number,
-  payload: string,
-  callback: Callback<string>
-): void {
-  client.step(payload, (err, response) => {
-    // Retries exhausted, raise error
-    if (err && retries === 0) return callback(err);
-
+  payload: string
+): Promise<string> {
+  try {
+    const response = await client.step(payload);
+    return response || '';
+  } catch (error) {
+    if (retries === 0) {
+      // Retries exhausted, raise error
+      throw error;
+    }
     // Adjust number of retries and call step again
-    if (err) return negotiate(client, retries - 1, payload, callback);
-
-    // Return the payload
-    callback(undefined, response || '');
-  });
+    return negotiate(client, retries - 1, payload);
+  }
 }
 
-function finalize(
-  client: KerberosClient,
-  user: string,
-  payload: string,
-  callback: Callback<string>
-): void {
+async function finalize(client: KerberosClient, user: string, payload: string): Promise<string> {
   // GSS Client Unwrap
-  client.unwrap(payload, (err, response) => {
-    if (err) return callback(err);
-
-    // Wrap the response
-    client.wrap(response || '', { user }, (err, wrapped) => {
-      if (err) return callback(err);
-
-      // Return the payload
-      callback(undefined, wrapped);
-    });
-  });
+  const response = await client.unwrap(payload);
+  return client.wrap(response || '', { user });
 }
 
-export function performGSSAPICanonicalizeHostName(
+export async function performGSSAPICanonicalizeHostName(
   host: string,
-  mechanismProperties: MechanismProperties,
-  callback: Callback<string>
-): void {
+  mechanismProperties: MechanismProperties
+): Promise<string> {
   const mode = mechanismProperties.CANONICALIZE_HOST_NAME;
   if (!mode || mode === GSSAPICanonicalizationValue.none) {
-    return callback(undefined, host);
+    return host;
   }
 
   // If forward and reverse or true
@@ -201,39 +160,33 @@ export function performGSSAPICanonicalizeHostName(
     mode === GSSAPICanonicalizationValue.forwardAndReverse
   ) {
     // Perform the lookup of the ip address.
-    dns.lookup(host, (error, address) => {
-      // No ip found, return the error.
-      if (error) return callback(error);
+    const { address } = await dns.promises.lookup(host);
 
+    try {
       // Perform a reverse ptr lookup on the ip address.
-      dns.resolvePtr(address, (err, results) => {
-        // This can error as ptr records may not exist for all ips. In this case
-        // fallback to a cname lookup as dns.lookup() does not return the
-        // cname.
-        if (err) {
-          return resolveCname(host, callback);
-        }
-        // If the ptr did not error but had no results, return the host.
-        callback(undefined, results.length > 0 ? results[0] : host);
-      });
-    });
+      const results = await dns.promises.resolvePtr(address);
+      // If the ptr did not error but had no results, return the host.
+      return results.length > 0 ? results[0] : host;
+    } catch (error) {
+      // This can error as ptr records may not exist for all ips. In this case
+      // fallback to a cname lookup as dns.lookup() does not return the
+      // cname.
+      return resolveCname(host);
+    }
   } else {
     // The case for forward is just to resolve the cname as dns.lookup()
     // will not return it.
-    resolveCname(host, callback);
+    return resolveCname(host);
   }
 }
 
-export function resolveCname(host: string, callback: Callback<string>): void {
+export async function resolveCname(host: string): Promise<string> {
   // Attempt to resolve the host name
-  dns.resolveCname(host, (err, r) => {
-    if (err) return callback(undefined, host);
-
-    // Get the first resolve host id
-    if (r.length > 0) {
-      return callback(undefined, r[0]);
-    }
-
-    callback(undefined, host);
-  });
+  try {
+    const results = await dns.promises.resolveCname(host);
+    // Get the first resolved host id
+    return results.length > 0 ? results[0] : host;
+  } catch {
+    return host;
+  }
 }

package/src/cmap/auth/mongo_credentials.ts

@@ -30,25 +30,19 @@ function getDefaultAuthMechanism(hello?: Document): AuthMechanism {
   return AuthMechanism.MONGODB_CR;
 }
 
-/**
- * TODO: NODE-5035: Make OIDC properties public.
- *
- * @public
- * */
+/** @public */
 export interface AuthMechanismProperties extends Document {
   SERVICE_HOST?: string;
   SERVICE_NAME?: string;
   SERVICE_REALM?: string;
   CANONICALIZE_HOST_NAME?: GSSAPICanonicalizationValue;
   AWS_SESSION_TOKEN?: string;
-  /** @internal Name for the OIDC device workflow */
-  DEVICE_NAME?: 'aws' | 'azure' | 'gcp';
-  /** @internal Similar to a username, is require by OIDC when more than one IDP is configured. */
-  PRINCIPAL_NAME?: string;
-  /** @internal User provided callback to get OIDC auth credentials */
+  /** @experimental */
   REQUEST_TOKEN_CALLBACK?: OIDCRequestFunction;
-  /** @internal User provided callback to refresh OIDC auth credentials */
+  /** @experimental */
   REFRESH_TOKEN_CALLBACK?: OIDCRefreshFunction;
+  /** @experimental */
+  PROVIDER_NAME?: 'aws';
 }
 
 /** @public */
@@ -155,21 +149,18 @@ export class MongoCredentials {
     }
 
     if (this.mechanism === AuthMechanism.MONGODB_OIDC) {
-      if (this.username) {
+      if (this.username && this.mechanismProperties.PROVIDER_NAME) {
         throw new MongoInvalidArgumentError(
-          `Username not permitted for mechanism '${this.mechanism}'. Use PRINCIPAL_NAME instead.`
+          `username and PROVIDER_NAME may not be used together for mechanism '${this.mechanism}'.`
         );
       }
 
-      if (this.mechanismProperties.PRINCIPAL_NAME && this.mechanismProperties.DEVICE_NAME) {
-        throw new MongoInvalidArgumentError(
-          `PRINCIPAL_NAME and DEVICE_NAME may not be used together for mechanism '${this.mechanism}'.`
-        );
-      }
-
-      if (this.mechanismProperties.DEVICE_NAME && this.mechanismProperties.DEVICE_NAME !== 'aws') {
+      if (
+        this.mechanismProperties.PROVIDER_NAME &&
+        this.mechanismProperties.PROVIDER_NAME !== 'aws'
+      ) {
         throw new MongoInvalidArgumentError(
-          `Currently only a DEVICE_NAME of 'aws' is supported for mechanism '${this.mechanism}'.`
+          `Currently only a PROVIDER_NAME of 'aws' is supported for mechanism '${this.mechanism}'.`
         );
       }
 
@@ -183,11 +174,11 @@ export class MongoCredentials {
       }
 
       if (
-        !this.mechanismProperties.DEVICE_NAME &&
+        !this.mechanismProperties.PROVIDER_NAME &&
         !this.mechanismProperties.REQUEST_TOKEN_CALLBACK
       ) {
         throw new MongoInvalidArgumentError(
-          `Either a DEVICE_NAME or a REQUEST_TOKEN_CALLBACK must be specified for mechanism '${this.mechanism}'.`
+          `Either a PROVIDER_NAME or a REQUEST_TOKEN_CALLBACK must be specified for mechanism '${this.mechanism}'.`
         );
       }
     }

package/src/cmap/auth/mongocr.ts

@@ -1,47 +1,42 @@
 import * as crypto from 'crypto';
 
 import { MongoMissingCredentialsError } from '../../error';
-import { Callback, ns } from '../../utils';
+import { ns } from '../../utils';
 import { AuthContext, AuthProvider } from './auth_provider';
 
 export class MongoCR extends AuthProvider {
-  override auth(authContext: AuthContext, callback: Callback): void {
+  override async auth(authContext: AuthContext): Promise<void> {
     const { connection, credentials } = authContext;
     if (!credentials) {
-      return callback(new MongoMissingCredentialsError('AuthContext must provide credentials.'));
+      throw new MongoMissingCredentialsError('AuthContext must provide credentials.');
     }
-    const username = credentials.username;
-    const password = credentials.password;
-    const source = credentials.source;
-    connection.command(ns(`${source}.$cmd`), { getnonce: 1 }, undefined, (err, r) => {
-      let nonce = null;
-      let key = null;
-
-      // Get nonce
-      if (err == null) {
-        nonce = r.nonce;
-
-        // Use node md5 generator
-        let md5 = crypto.createHash('md5');
-
-        // Generate keys used for authentication
-        md5.update(`${username}:mongo:${password}`, 'utf8');
-        const hash_password = md5.digest('hex');
-
-        // Final key
-        md5 = crypto.createHash('md5');
-        md5.update(nonce + username + hash_password, 'utf8');
-        key = md5.digest('hex');
-      }
-
-      const authenticateCommand = {
-        authenticate: 1,
-        user: username,
-        nonce,
-        key
-      };
-
-      connection.command(ns(`${source}.$cmd`), authenticateCommand, undefined, callback);
-    });
+
+    const { username, password, source } = credentials;
+
+    const { nonce } = await connection.commandAsync(
+      ns(`${source}.$cmd`),
+      { getnonce: 1 },
+      undefined
+    );
+
+    const hashPassword = crypto
+      .createHash('md5')
+      .update(`${username}:mongo:${password}`, 'utf8')
+      .digest('hex');
+
+    // Final key
+    const key = crypto
+      .createHash('md5')
+      .update(`${nonce}${username}${hashPassword}`, 'utf8')
+      .digest('hex');
+
+    const authenticateCommand = {
+      authenticate: 1,
+      user: username,
+      nonce,
+      key
+    };
+
+    await connection.commandAsync(ns(`${source}.$cmd`), authenticateCommand, undefined);
   }
 }