Página inicial Explorar Ajuda
Entrar
shanpin
/
chat-server
Observar 3
Favorito 0
Fork 0
Arquivos Issues 0 Pull Requests 0 Wiki
Tree: bf846a7082
Branches Tags
chat-server
/
qq-imsvr
/
node_modules
/
kerberos
/
lib
/
kerberos.js

kerberos.js 8.0 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192 
  1. var kerberos = require('../build/Release/kerberos')
    2. 

  2.   , KerberosNative = kerberos.Kerberos;
    3. 

  3. 

  4. var Kerberos = function() {
    5. 

  5.   this._native_kerberos = new KerberosNative(); 
    6. 

  6. }
    7. 

  7. 

  8. // callback takes two arguments, an error string if defined and a new context
    9. 

  9. // uri should be given as service@host.  Services are not always defined
    10. 

  10. // in a straightforward way.  Use 'HTTP' for SPNEGO / Negotiate authentication. 
    11. 

  11. // If credentialsCache is not specified, the default credentials cache from the 
    12. 

  12. // environment will be used (ie. KRB5CCNAME).  In the case where multiple 
    13. 

  13. // credentials caches may be in use at once (such as for a server doing 
    14. 

  14. // delegation), specify the cache name here and it will be used for this 
    15. 

  15. // exchange. The credentialsCache is optional.
    16. 

  16. Kerberos.prototype.authGSSClientInit = function(uri, flags, credentialsCache, callback) {
    17. 

  17.   if (typeof(credentialsCache) == 'function') {
    18. 

  18.     callback = credentialsCache;
    19. 

  19.     credentialsCache = '';
    20. 

  20.   }
    21. 

  21. 

  22.   if (credentialsCache === undefined) {
    23. 

  23.       credentialsCache = '';
    24. 

  24.   }
    25. 

  25.   
    26. 

  26.   return this._native_kerberos.authGSSClientInit(uri, flags, credentialsCache, callback);
    27. 

  27. }
    28. 

  28. 

  29. // This will obtain credentials using a credentials cache. To override the default
    30. 

  30. // location (posible /tmp/krb5cc_nnnnnn, where nnnn is your numeric uid) use 
    31. 

  31. // the environment variable KRB5CNAME. 
    32. 

  32. // The credentials (suitable for using in an 'Authenticate: ' header, when prefixed
    33. 

  33. // with 'Negotiate ') will be available as context.response inside the callback
    34. 

  34. // if no error is indicated.
    35. 

  35. // callback takes one argument, an error string if defined
    36. 

  36. Kerberos.prototype.authGSSClientStep = function(context, challenge, callback) {
    37. 

  37.   if(typeof challenge == 'function') {
    38. 

  38.     callback = challenge;
    39. 

  39.     challenge = '';
    40. 

  40.   }
    41. 

  41. 

  42.   return this._native_kerberos.authGSSClientStep(context, challenge, callback);
    43. 

  43. }
    44. 

  44. 

  45. Kerberos.prototype.authGSSClientUnwrap = function(context, challenge, callback) {
    46. 

  46.   if(typeof challenge == 'function') {
    47. 

  47.     callback = challenge;
    48. 

  48.     challenge = '';
    49. 

  49.   }
    50. 

  50. 

  51.   return this._native_kerberos.authGSSClientUnwrap(context, challenge, callback);
    52. 

  52. }
    53. 

  53. 

  54. Kerberos.prototype.authGSSClientWrap = function(context, challenge, user_name, callback) {
    55. 

  55.   if(typeof user_name == 'function') {
    56. 

  56.     callback = user_name;
    57. 

  57.     user_name = '';
    58. 

  58.   }
    59. 

  59. 

  60.   return this._native_kerberos.authGSSClientWrap(context, challenge, user_name, callback);
    61. 

  61. }
    62. 

  62. 

  63. // free memory used by a context created using authGSSClientInit.
    64. 

  64. // callback takes one argument, an error string if defined.
    65. 

  65. Kerberos.prototype.authGSSClientClean = function(context, callback) {
    66. 

  66.   return this._native_kerberos.authGSSClientClean(context, callback);
    67. 

  67. }
    68. 

  68. 

  69. // The server will obtain credentials using a keytab.  To override the 
    70. 

  70. // default location (probably /etc/krb5.keytab) set the KRB5_KTNAME
    71. 

  71. // environment variable.
    72. 

  72. // The service name should be in the form service, or service@host.name
    73. 

  73. // e.g. for HTTP, use "HTTP" or "HTTP@my.host.name". See gss_import_name
    74. 

  74. // for GSS_C_NT_HOSTBASED_SERVICE.
    75. 

  75. //
    76. 

  76. // a boolean turns on "constrained_delegation". this enables acquisition of S4U2Proxy 
    77. 

  77. // credentials which will be stored in a credentials cache during the authGSSServerStep
    78. 

  78. // method. this parameter is optional.  The credentials will be stored in 
    79. 

  79. // a new cache, the location of which will be made available as the "delegatedCredentialsCache"
    80. 

  80. // property on the returned context AFTER the authGSSServerStep stage.
    81. 

  81. //
    82. 

  82. // when "constrained_delegation" is enabled, a username can (optionally) be provided and
    83. 

  83. // S4U2Self protocol transition will be initiated. In this case, we will not
    84. 

  84. // require any "auth" data during the authGSSServerStep. This parameter is optional
    85. 

  85. // but constrained_delegation MUST be enabled for this to work. When S4U2Self is
    86. 

  86. // used, the username will be assumed to have been already authenticated, and no
    87. 

  87. // actual authentication will be performed. This is basically a way to "bootstrap"
    88. 

  88. // kerberos credentials (which can then be delegated with S4U2Proxy) for a user
    89. 

  89. // authenticated externally.
    90. 

  90. //
    91. 

  91. // callback takes two arguments, an error string if defined and a new context
    92. 

  92. //
    93. 

  93. Kerberos.prototype.authGSSServerInit = function(service, constrained_delegation, username, callback) {
    94. 

  94.   if(typeof(constrained_delegation) === 'function') {
    95. 

  95. 	  callback = constrained_delegation;
    96. 

  96. 	  constrained_delegation = false;
    97. 

  97. 	  username = null;
    98. 

  98.   }
    99. 

  99. 

  100.   if (typeof(constrained_delegation) === 'string') {
    101. 

  101. 	  throw new Error("S4U2Self protocol transation is not possible without enabling constrained delegation");
    102. 

  102.   }
    103. 

  103. 

  104.   if (typeof(username) === 'function') {
    105. 

  105. 	  callback = username;
    106. 

  106. 	  username = null;
    107. 

  107.   }
    108. 

  108. 

  109.   constrained_delegation = !!constrained_delegation;
    110. 

  110.   
    111. 

  111.   return this._native_kerberos.authGSSServerInit(service, constrained_delegation, username, callback);
    112. 

  112. };
    113. 

  113. 

  114. //callback takes one argument, an error string if defined.
    115. 

  115. Kerberos.prototype.authGSSServerClean = function(context, callback) {
    116. 

  116.   return this._native_kerberos.authGSSServerClean(context, callback);
    117. 

  117. };
    118. 

  118. 

  119. // authData should be the base64 encoded authentication data obtained
    120. 

  120. // from client, e.g., in the Authorization header (without the leading 
    121. 

  121. // "Negotiate " string) during SPNEGO authentication.  The authenticated user 
    122. 

  122. // is available in context.username after successful authentication.
    123. 

  123. // callback takes one argument, an error string if defined.
    124. 

  124. //
    125. 

  125. // Note: when S4U2Self protocol transition was requested in the authGSSServerInit
    126. 

  126. // no actual authentication will be performed and authData will be ignored.
    127. 

  127. //
    128. 

  128. Kerberos.prototype.authGSSServerStep = function(context, authData, callback) {
    129. 

  129.   return this._native_kerberos.authGSSServerStep(context, authData, callback);
    130. 

  130. };
    131. 

  131. 

  132. // authenticate the username and password against the KDC, and verify the KDC using a local
    133. 

  133. // service key stored in the keytab.  See above for details on providing the keytab.
    134. 

  134. // The service should be the service principal name for a key available in the local keytab,
    135. 

  135. // e.g. HTTP/somehost.example.com.  If service is an empty tring, KDC verification will
    136. 

  136. // be skipped.  DON'T DO THIS - it's a possible security vulnerability if an attacker
    137. 

  137. // can spoof your KDC  (see: https://github.com/qesuto/node-krb5/issues/13)
    138. 

  138. // callback receives error and boolean
    139. 

  139. Kerberos.prototype.authUserKrb5Password = function(username, password, service, callback) {
    140. 

  140.     return this._native_kerberos.authUserKrb5Password(username, password, service, callback);
    141. 

  141. };
    142. 

  142. 

  143. Kerberos.prototype.acquireAlternateCredentials = function(user_name, password, domain) {
    144. 

  144.   return this._native_kerberos.acquireAlternateCredentials(user_name, password, domain); 
    145. 

  145. }
    146. 

  146. 

  147. Kerberos.prototype.prepareOutboundPackage = function(principal, inputdata) {
    148. 

  148.   return this._native_kerberos.prepareOutboundPackage(principal, inputdata); 
    149. 

  149. }
    150. 

  150. 

  151. Kerberos.prototype.decryptMessage = function(challenge) {
    152. 

  152.   return this._native_kerberos.decryptMessage(challenge);
    153. 

  153. }
    154. 

  154. 

  155. Kerberos.prototype.encryptMessage = function(challenge) {
    156. 

  156.   return this._native_kerberos.encryptMessage(challenge); 
    157. 

  157. }
    158. 

  158. 

  159. Kerberos.prototype.queryContextAttribute = function(attribute) {
    160. 

  160.   if(typeof attribute != 'number' && attribute != 0x00) throw new Error("Attribute not supported");
    161. 

  161.   return this._native_kerberos.queryContextAttribute(attribute);
    162. 

  162. }
    163. 

  163. 

  164. // Some useful result codes
    165. 

  165. Kerberos.AUTH_GSS_CONTINUE     = 0;
    166. 

  166. Kerberos.AUTH_GSS_COMPLETE     = 1;
    167. 

  167.      
    168. 

  168. // Some useful gss flags 
    169. 

  169. Kerberos.GSS_C_DELEG_FLAG      = 1;
    170. 

  170. Kerberos.GSS_C_MUTUAL_FLAG     = 2;
    171. 

  171. Kerberos.GSS_C_REPLAY_FLAG     = 4;
    172. 

  172. Kerberos.GSS_C_SEQUENCE_FLAG   = 8;
    173. 

  173. Kerberos.GSS_C_CONF_FLAG       = 16; 
    174. 

  174. Kerberos.GSS_C_INTEG_FLAG      = 32;
    175. 

  175. Kerberos.GSS_C_ANON_FLAG       = 64;
    176. 

  176. Kerberos.GSS_C_PROT_READY_FLAG = 128; 
    177. 

  177. Kerberos.GSS_C_TRANS_FLAG      = 256;
    178. 

  178. 

  179. // Export Kerberos class
    180. 

  180. exports.Kerberos = Kerberos;
    181. 

  181. 

  182. // If we have SSPI (windows)
    183. 

  183. if(kerberos.SecurityCredentials) {
    184. 

  184.   // Put all SSPI classes in it's own namespace
    185. 

  185.   exports.SSIP = {
    186. 

  186.       SecurityCredentials: require('./win32/wrappers/security_credentials').SecurityCredentials
    187. 

  187.     , SecurityContext: require('./win32/wrappers/security_context').SecurityContext
    188. 

  188.     , SecurityBuffer: require('./win32/wrappers/security_buffer').SecurityBuffer
    189. 

  189.     , SecurityBufferDescriptor: require('./win32/wrappers/security_buffer_descriptor').SecurityBufferDescriptor
    190. 

  190.   }
    191. 

  191. }
    192. 

  192.