refactor(kerberos): move MongoAuthProcess into driver

NODE-2730

Author: emadum

src/cmap/auth/gssapi.ts

@@ -1,12 +1,27 @@
 import { AuthProvider, AuthContext } from './auth_provider';
 import { MongoError } from '../../error';
-import { Kerberos } from '../../deps';
+import { Kerberos, KerberosClient } from '../../deps';
 import type { Callback } from '../../utils';
+import type { HandshakeDocument } from '../connect';
+import type { Document } from '../../bson';
+
+const kGssapiClient = Symbol('GSSAPI_CLIENT');
+
+type MechanismProperties = {
+  gssapiCanonicalizeHostName?: boolean;
+};
+
+import * as dns from 'dns';
 
 export class GSSAPI extends AuthProvider {
-  auth(authContext: AuthContext, callback: Callback): void {
+  [kGssapiClient]: KerberosClient;
+  prepare(
+    handshakeDoc: HandshakeDocument,
+    authContext: AuthContext,
+    callback: Callback<HandshakeDocument>
+  ): void {
     const { host, port } = authContext.options;
-    const { connection, credentials } = authContext;
+    const { credentials } = authContext;
     if (!host || !port || !credentials) {
       return callback(
         new MongoError(
@@ -21,65 +36,154 @@ export class GSSAPI extends AuthProvider {
       return callback(Kerberos['kModuleError']);
     }
 
-    const username = credentials.username;
-    const password = credentials.password;
-    const mechanismProperties = credentials.mechanismProperties;
-    const gssapiServiceName =
+    const { username, password, mechanismProperties } = credentials;
+    const serviceName =
       mechanismProperties['gssapiservicename'] ||
       mechanismProperties['gssapiServiceName'] ||
       'mongodb';
 
-    const MongoAuthProcess = Kerberos.processes.MongoAuthProcess;
-
-    const authProcess = new MongoAuthProcess(host, port, gssapiServiceName, mechanismProperties);
+    performGssapiCanonicalizeHostName(
+      host,
+      mechanismProperties as MechanismProperties,
+      (err?: Error | MongoError, host?: string) => {
+        if (err) return callback(err);
 
-    authProcess.init(username, password, err => {
-      if (err) return callback(err, false);
-      authProcess.transition('', (err, payload) => {
-        if (err) return callback(err, false);
+        const initOptions = {};
+        if (password != null) {
+          Object.assign(initOptions, { user: username, password: password });
+        }
 
-        const command = {
-          saslStart: 1,
-          mechanism: 'GSSAPI',
-          payload,
-          autoAuthorize: 1
-        };
+        Kerberos.initializeClient(
+          `${serviceName}${process.platform === 'win32' ? '/' : '@'}${host}`,
+          initOptions,
+          (err: string, client: KerberosClient): void => {
+            if (err) return callback(new MongoError(err));
+            if (client == null) return callback();
+            this[kGssapiClient] = client;
+            callback(undefined, handshakeDoc);
+          }
+        );
+      }
+    );
+  }
 
-        connection.command('$external.$cmd', command, (err, doc) => {
-          if (err) return callback(err, false);
+  auth(authContext: AuthContext, callback: Callback): void {
+    const { connection, credentials } = authContext;
+    if (credentials == null) return callback(new MongoError('credentials required'));
+    const { username } = credentials;
+    const client = this[kGssapiClient];
+    if (client == null) return callback(new MongoError('gssapi client missing'));
+    function externalCommand(
+      command: Document,
+      cb: Callback<{ payload: string; conversationId: any }>
+    ) {
+      return connection.command('$external.$cmd', command, cb);
+    }
+    client.step('', (err, payload) => {
+      if (err) return callback(err);
 
-          authProcess.transition(doc.payload, (err, payload) => {
-            if (err) return callback(err, false);
-            const command = {
-              saslContinue: 1,
-              conversationId: doc.conversationId,
-              payload
-            };
+      externalCommand(saslStart(payload), (err, result) => {
+        if (err) return callback(err);
+        if (result == null) return callback();
+        negotiate(client, 10, result.payload, (err, payload) => {
+          if (err) return callback(err);
 
-            connection.command('$external.$cmd', command, (err, doc) => {
-              if (err) return callback(err, false);
+          externalCommand(saslContinue(payload, result.conversationId), (err, result) => {
+            if (err) return callback(err);
+            if (result == null) return callback();
+            finalize(client, username, result.payload, (err, payload) => {
+              if (err) return callback(err);
 
-              authProcess.transition(doc.payload, (err, payload) => {
-                if (err) return callback(err, false);
-                const command = {
+              externalCommand(
+                {
                   saslContinue: 1,
-                  conversationId: doc.conversationId,
+                  conversationId: result.conversationId,
                   payload
-                };
+                },
+                (err, result) => {
+                  if (err) return callback(err);
 
-                connection.command('$external.$cmd', command, (err, response) => {
-                  if (err) return callback(err, false);
-
-                  authProcess.transition(null, err => {
-                    if (err) return callback(err);
-                    callback(undefined, response);
-                  });
-                });
-              });
+                  callback(undefined, result);
+                }
+              );
             });
           });
         });
       });
     });
   }
 }
+function saslStart(payload?: string): Document {
+  return {
+    saslStart: 1,
+    mechanism: 'GSSAPI',
+    payload,
+    autoAuthorize: 1
+  };
+}
+
+function saslContinue(payload?: string, conversationId?: number): Document {
+  return {
+    saslContinue: 1,
+    conversationId,
+    payload
+  };
+}
+
+function negotiate(
+  client: KerberosClient,
+  retries: number,
+  payload: string,
+  callback: Callback<string>
+): void {
+  client.step(payload, (err, response) => {
+    // Retries exhausted, raise error
+    if (err && retries === 0) return callback(err);
+
+    // Adjust number of retries and call step again
+    if (err) return negotiate(client, retries - 1, payload, callback);
+
+    // Return the payload
+    callback(undefined, response || '');
+  });
+}
+
+function finalize(
+  client: KerberosClient,
+  user: string,
+  payload: string,
+  callback: Callback<string>
+): void {
+  // GSS Client Unwrap
+  client.unwrap(payload, (err, response) => {
+    if (err) return callback(err);
+
+    // Wrap the response
+    client.wrap(response || '', { user }, (err, wrapped) => {
+      if (err) return callback(err);
+
+      // Return the payload
+      callback(undefined, wrapped);
+    });
+  });
+}
+
+function performGssapiCanonicalizeHostName(
+  host: string,
+  mechanismProperties: MechanismProperties,
+  callback: Callback<string>
+): void {
+  if (!mechanismProperties.gssapiCanonicalizeHostName) return callback(undefined, host);
+
+  // Attempt to resolve the host name
+  dns.resolveCname(host, (err, r) => {
+    if (err) return callback(err);
+
+    // Get the first resolve host id
+    if (Array.isArray(r) && r.length > 0) {
+      return callback(undefined, r[0]);
+    }
+
+    callback(undefined, host);
+  });
+}

src/deps.ts

@@ -28,6 +28,16 @@ try {
   Kerberos = require('kerberos');
 } catch {} // eslint-disable-line
 
+export interface KerberosClient {
+  step: (challenge: string, callback?: Callback<string>) => Promise<string> | void;
+  wrap: (
+    challenge: string,
+    options?: { user: string },
+    callback?: Callback<string>
+  ) => Promise<string> | void;
+  unwrap: (challenge: string, callback?: Callback<string>) => Promise<string> | void;
+}
+
 export let Snappy: typeof import('snappy') = makeErrorModule(
   new MongoError(
     'Optional module `snappy` not found. Please install it to enable snappy compression'
@@ -124,21 +134,3 @@ export interface AutoEncrypter {
   encrypt(ns: string, cmd: Document, options: any, callback: Callback<Document>): void;
   decrypt(cmd: Document, options: any, callback: Callback<Document>): void;
 }
-
-/** Declaration Merging block for MongoDB specific functionality in Kerberos */
-declare module 'kerberos' {
-  export const processes: {
-    MongoAuthProcess: {
-      new (host: string, port: number, serviceName: string, options: unknown): {
-        host: string;
-        port: number;
-        serviceName: string;
-        canonicalizeHostName: boolean;
-        retries: number;
-
-        init: (username: string, password: string, callback: Callback) => void;
-        transition: (payload: unknown, callback: Callback) => void;
-      };
-    };
-  };
-}

test/unit/optional_require.test.js

@@ -41,7 +41,7 @@ describe('optionalRequire', function () {
         return this.skip();
       }
       const gssapi = new GSSAPI();
-      gssapi.auth(new AuthContext(null, true, { host: true, port: true }), error => {
+      gssapi.prepare('', new AuthContext(null, true, { host: true, port: true }), error => {
         expect(error).to.exist;
         expect(error.message).includes('not found');
       });