Home Explore Help
Register Sign In
shanpin
/
chat-server
Watch 3
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: bf846a7082
Branches Tags
chat-server
/
qq-imsvr
/
node_modules
/
mongodb-core
/
lib
/
auth
/
sspi.js

sspi.js 7.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234 
  1. "use strict";
    2. 

  2. 

  3. var f = require('util').format
    4. 

  4.   , crypto = require('crypto')
    5. 

  5.   , MongoError = require('../error');
    6. 

  6. 

  7. var AuthSession = function(db, username, password, options) {
    8. 

  8.   this.db = db;
    9. 

  9.   this.username = username;
    10. 

  10.   this.password = password;
    11. 

  11.   this.options = options;
    12. 

  12. }
    13. 

  13. 

  14. AuthSession.prototype.equal = function(session) {
    15. 

  15.   return session.db == this.db 
    16. 

  16.     && session.username == this.username
    17. 

  17.     && session.password == this.password;
    18. 

  18. }
    19. 

  19. 

  20. // Kerberos class
    21. 

  21. var Kerberos = null;
    22. 

  22. var MongoAuthProcess = null;
    23. 

  23. 

  24. // Try to grab the Kerberos class
    25. 

  25. try {
    26. 

  26.   Kerberos = require('kerberos').Kerberos
    27. 

  27.   // Authentication process for Mongo
    28. 

  28.   MongoAuthProcess = require('kerberos').processes.MongoAuthProcess
    29. 

  29. } catch(err) {}
    30. 

  30. 

  31. /**
    32. 

  32.  * Creates a new SSPI authentication mechanism
    33. 

  33.  * @class
    34. 

  34.  * @return {SSPI} A cursor instance
    35. 

  35.  */
    36. 

  36. var SSPI = function() {
    37. 

  37.   this.authStore = [];
    38. 

  38. }
    39. 

  39. 

  40. /**
    41. 

  41.  * Authenticate
    42. 

  42.  * @method
    43. 

  43.  * @param {{Server}|{ReplSet}|{Mongos}} server Topology the authentication method is being called on
    44. 

  44.  * @param {Pool} pool Connection pool for this topology
    45. 

  45.  * @param {string} db Name of the database
    46. 

  46.  * @param {string} username Username
    47. 

  47.  * @param {string} password Password
    48. 

  48.  * @param {authResultCallback} callback The callback to return the result from the authentication
    49. 

  49.  * @return {object}
    50. 

  50.  */
    51. 

  51. SSPI.prototype.auth = function(server, pool, db, username, password, options, callback) {
    52. 

  52.   var self = this;
    53. 

  53.   // We don't have the Kerberos library
    54. 

  54.   if(Kerberos == null) return callback(new Error("Kerberos library is not installed"));  
    55. 

  55.   var gssapiServiceName = options['gssapiServiceName'] || 'mongodb';
    56. 

  56.   // Get all the connections
    57. 

  57.   var connections = pool.getAll();
    58. 

  58.   // Total connections
    59. 

  59.   var count = connections.length;
    60. 

  60.   if(count == 0) return callback(null, null);
    61. 

  61. 

  62.   // Valid connections
    63. 

  63.   var numberOfValidConnections = 0;
    64. 

  64.   var credentialsValid = false;
    65. 

  65.   var errorObject = null;
    66. 

  66. 

  67.   // For each connection we need to authenticate
    68. 

  68.   while(connections.length > 0) {    
    69. 

  69.     // Execute MongoCR
    70. 

  70.     var execute = function(connection) {
    71. 

  71.       // Start Auth process for a connection
    72. 

  72.       SSIPAuthenticate(username, password, gssapiServiceName, server, connection, function(err, r) {
    73. 

  73.         // Adjust count
    74. 

  74.         count = count - 1;
    75. 

  75. 

  76.         // If we have an error
    77. 

  77.         if(err) {
    78. 

  78.           errorObject = err;
    79. 

  79.         } else if(r && typeof r == 'object' && r.result['$err']) {
    80. 

  80.           errorObject = r.result;
    81. 

  81.         } else if(r && typeof r == 'object' && r.result['errmsg']) {
    82. 

  82.           errorObject = r.result;
    83. 

  83.         } else {
    84. 

  84.           credentialsValid = true;
    85. 

  85.           numberOfValidConnections = numberOfValidConnections + 1;
    86. 

  86.         }
    87. 

  87. 

  88.         // We have authenticated all connections
    89. 

  89.         if(count == 0 && numberOfValidConnections > 0) {
    90. 

  90.           // Store the auth details
    91. 

  91.           addAuthSession(self.authStore, new AuthSession(db, username, password, options));
    92. 

  92.           // Return correct authentication
    93. 

  93.           callback(null, true);
    94. 

  94.         } else if(count == 0) {
    95. 

  95.           if(errorObject == null) errorObject = new MongoError(f("failed to authenticate using mongocr"));
    96. 

  96.           callback(errorObject, false);
    97. 

  97.         }
    98. 

  98.       });
    99. 

  99.     }
    100. 

  100. 

  101.     // Get the connection
    102. 

  102.     execute(connections.shift());
    103. 

  103.   }
    104. 

  104. }
    105. 

  105. 

  106. var SSIPAuthenticate = function(username, password, gssapiServiceName, server, connection, callback) {
    107. 

  107.   // Build Authentication command to send to MongoDB
    108. 

  108.   var command = {
    109. 

  109.       saslStart: 1
    110. 

  110.     , mechanism: 'GSSAPI'
    111. 

  111.     , payload: ''
    112. 

  112.     , autoAuthorize: 1
    113. 

  113.   };
    114. 

  114. 

  115.   // Create authenticator
    116. 

  116.   var mongo_auth_process = new MongoAuthProcess(connection.host, connection.port, gssapiServiceName);
    117. 

  117. 

  118.   // Execute first sasl step
    119. 

  119.   server.command("$external.$cmd"
    120. 

  120.     , command
    121. 

  121.     , { connection: connection }, function(err, r) {
    122. 

  122.     if(err) return callback(err, false);    
    123. 

  123.     var doc = r.result;
    124. 

  124. 

  125.     mongo_auth_process.init(username, password, function(err) {
    126. 

  126.       if(err) return callback(err);
    127. 

  127. 

  128.       mongo_auth_process.transition(doc.payload, function(err, payload) {
    129. 

  129.         if(err) return callback(err);
    130. 

  130. 

  131.         // Perform the next step against mongod
    132. 

  132.         var command = {
    133. 

  133.             saslContinue: 1
    134. 

  134.           , conversationId: doc.conversationId
    135. 

  135.           , payload: payload
    136. 

  136.         };
    137. 

  137. 

  138.         // Execute the command
    139. 

  139.         server.command("$external.$cmd"
    140. 

  140.           , command
    141. 

  141.           , { connection: connection }, function(err, r) {
    142. 

  142.           if(err) return callback(err, false);
    143. 

  143.           var doc = r.result;
    144. 

  144. 

  145.           mongo_auth_process.transition(doc.payload, function(err, payload) {
    146. 

  146.             if(err) return callback(err);
    147. 

  147. 

  148.             // Perform the next step against mongod
    149. 

  149.             var command = {
    150. 

  150.                 saslContinue: 1
    151. 

  151.               , conversationId: doc.conversationId
    152. 

  152.               , payload: payload
    153. 

  153.             };
    154. 

  154. 

  155.             // Execute the command
    156. 

  156.             server.command("$external.$cmd"
    157. 

  157.               , command
    158. 

  158.               , { connection: connection }, function(err, r) {
    159. 

  159.               if(err) return callback(err, false);
    160. 

  160.               var doc = r.result;
    161. 

  161.               
    162. 

  162.               mongo_auth_process.transition(doc.payload, function(err, payload) {
    163. 

  163.                 // Perform the next step against mongod
    164. 

  164.                 var command = {
    165. 

  165.                     saslContinue: 1
    166. 

  166.                   , conversationId: doc.conversationId
    167. 

  167.                   , payload: payload
    168. 

  168.                 };
    169. 

  169. 

  170.                 // Execute the command
    171. 

  171.                 server.command("$external.$cmd"
    172. 

  172.                   , command
    173. 

  173.                   , { connection: connection }, function(err, r) {
    174. 

  174.                   if(err) return callback(err, false);
    175. 

  175.                   var doc = r.result;
    176. 

  176. 

  177.                   if(doc.done) return callback(null, true);
    178. 

  178.                   callback(new Error("Authentication failed"), false);
    179. 

  179.                 });        
    180. 

  180.               });
    181. 

  181.             });
    182. 

  182.           });
    183. 

  183.         });
    184. 

  184.       });
    185. 

  185.     });
    186. 

  186.   });  
    187. 

  187. }
    188. 

  188. 

  189. // Add to store only if it does not exist
    190. 

  190. var addAuthSession = function(authStore, session) {
    191. 

  191.   var found = false;
    192. 

  192. 

  193.   for(var i = 0; i < authStore.length; i++) {
    194. 

  194.     if(authStore[i].equal(session)) {
    195. 

  195.       found = true;
    196. 

  196.       break;
    197. 

  197.     }
    198. 

  198.   }
    199. 

  199. 

  200.   if(!found) authStore.push(session);
    201. 

  201. }
    202. 

  202. 

  203. /**
    204. 

  204.  * Re authenticate pool
    205. 

  205.  * @method
    206. 

  206.  * @param {{Server}|{ReplSet}|{Mongos}} server Topology the authentication method is being called on
    207. 

  207.  * @param {Pool} pool Connection pool for this topology
    208. 

  208.  * @param {authResultCallback} callback The callback to return the result from the authentication
    209. 

  209.  * @return {object}
    210. 

  210.  */
    211. 

  211. SSPI.prototype.reauthenticate = function(server, pool, callback) {
    212. 

  212.   var count = this.authStore.length;
    213. 

  213.   if(count == 0) return callback(null, null);
    214. 

  214.   // Iterate over all the auth details stored
    215. 

  215.   for(var i = 0; i < this.authStore.length; i++) {
    216. 

  216.     this.auth(server, pool, this.authStore[i].db, this.authStore[i].username, this.authStore[i].password, this.authStore[i].options, function(err, r) {
    217. 

  217.       count = count - 1;
    218. 

  218.       // Done re-authenticating
    219. 

  219.       if(count == 0) {
    220. 

  220.         callback(null, null);
    221. 

  221.       }
    222. 

  222.     });
    223. 

  223.   }
    224. 

  224. }
    225. 

  225. 

  226. /**
    227. 

  227.  * This is a result from a authentication strategy
    228. 

  228.  *
    229. 

  229.  * @callback authResultCallback
    230. 

  230.  * @param {error} error An error object. Set to null if no error present
    231. 

  231.  * @param {boolean} result The result of the authentication process
    232. 

  232.  */
    233. 

  233. 

  234. module.exports = SSPI;
    235.