├── .clang-format
├── .eslintrc.json
├── .evergreen
    ├── config.yml
    ├── install-dependencies.sh
    ├── prepare-shell.sh
    ├── run-prebuild.sh
    ├── run-tests-ubuntu.sh
    └── run-tests.sh
├── .github
    ├── CODEOWNERS
    ├── ISSUE_TEMPLATE
    │   ├── Issue_template.md
    │   └── config.yml
    ├── dependabot.yml
    ├── docker
    │   └── Dockerfile.glibc
    ├── pull_request_template.md
    ├── scripts
    │   ├── build.mjs
    │   ├── highlights.mjs
    │   ├── pr_list.mjs
    │   ├── release_notes.mjs
    │   └── util.mjs
    └── workflows
    │   ├── build.yml
    │   ├── codeql.yml
    │   ├── release.yml
    │   ├── release_notes.yml
    │   └── webpack.yml
├── .gitignore
├── .mocharc.json
├── .npmignore
├── .prettierrc.json
├── .release-please-manifest.json
├── HISTORY.md
├── LICENSE
├── README.md
├── binding.gyp
├── etc
    └── README.hbs
├── lib
    ├── auth_processes
    │   └── mongodb.js
    ├── index.js
    ├── kerberos.js
    └── util.js
├── package-lock.json
├── package.json
├── release-please-config.json
├── sbom.json
├── src
    ├── kerberos.cc
    ├── kerberos.h
    ├── kerberos_common.h
    ├── kerberos_worker.h
    ├── unix
    │   ├── base64.cc
    │   ├── base64.h
    │   ├── kerberos_gss.cc
    │   ├── kerberos_gss.h
    │   └── kerberos_unix.cc
    └── win32
    │   ├── kerberos_sspi.cc
    │   ├── kerberos_sspi.h
    │   └── kerberos_win32.cc
└── test
    ├── bundling
        └── webpack
        │   ├── .gitignore
        │   ├── install_kerberos.cjs
        │   ├── package-lock.json
        │   ├── package.json
        │   ├── readme.md
        │   ├── src
        │       └── index.js
        │   └── webpack.config.js
    ├── defineOperation_tests.js
    ├── exports_tests.js
    ├── kerberos_tests.js
    ├── kerberos_win32_tests.js
    └── tools
        ├── hooks
            └── environment_hook.js
        └── mongodb_reporter.js


/.clang-format:
--------------------------------------------------------------------------------
 1 | BasedOnStyle: Google
 2 | AllowShortFunctionsOnASingleLine: Empty
 3 | AllowShortIfStatementsOnASingleLine: false
 4 | AllowShortLoopsOnASingleLine: false
 5 | BinPackArguments: false
 6 | BinPackParameters: false
 7 | ColumnLimit: 100
 8 | Cpp11BracedListStyle: true
 9 | DerivePointerAlignment: false
10 | IndentWidth: 4
11 | MaxEmptyLinesToKeep: 1
12 | NamespaceIndentation: None
13 | SpaceBeforeAssignmentOperators: true
14 | Standard: Cpp11
15 | UseTab: Never
16 | 


--------------------------------------------------------------------------------
/.eslintrc.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "root": true,
 3 |   "extends": [
 4 |     "eslint:recommended",
 5 |     "plugin:prettier/recommended"
 6 |   ],
 7 |   "env": {
 8 |     "node": true,
 9 |     "mocha": true,
10 |     "es6": true
11 |   },
12 |   "parserOptions": {
13 |     "ecmaVersion": 2019
14 |   },
15 |   "plugins": [
16 |     "prettier"
17 |   ],
18 |   "rules": {
19 |     "no-restricted-properties": [
20 |       "error",
21 |       {
22 |         "object": "describe",
23 |         "property": "only"
24 |       },
25 |       {
26 |         "object": "it",
27 |         "property": "only"
28 |       },
29 |       {
30 |         "object": "context",
31 |         "property": "only"
32 |       }
33 |     ],
34 |     "prettier/prettier": "error",
35 |     "no-console": "error",
36 |     "valid-typeof": "error",
37 |     "eqeqeq": ["error", "always", {"null": "ignore"}],
38 |     "strict": ["error", "global"],
39 |     "no-restricted-syntax": [
40 |       "error",
41 |       {
42 |         "selector": "TSEnumDeclaration",
43 |         "message": "Do not declare enums"
44 |       },
45 |       {
46 |         "selector": "BinaryExpression[operator=/[=!]==/] Identifier[name='undefined']",
47 |         "message": "Do not strictly check undefined"
48 |       },
49 |       {
50 |         "selector": "BinaryExpression[operator=/[=!]==/] Literal[raw='null']",
51 |         "message": "Do not strictly check null"
52 |       },
53 |       {
54 |         "selector": "BinaryExpression[operator=/[=!]==?/] Literal[value='undefined']",
55 |         "message": "Do not strictly check typeof undefined (NOTE: currently this rule only detects the usage of 'undefined' string literal so this could be a misfire)"
56 |       }
57 |     ]
58 |   },
59 |   "overrides": [
60 |     {
61 |       // Settings for javascript test files
62 |       "files": [
63 |         "test/**/*.js"
64 |       ],
65 |       "rules": {
66 |         "no-console": "off",
67 |         "no-restricted-syntax": "off"
68 |       }
69 |     }
70 |   ]
71 | }
72 | 


--------------------------------------------------------------------------------
/.evergreen/config.yml:
--------------------------------------------------------------------------------
  1 | # Run previous commits to pinpoint a failure's origin.
  2 | stepback: true
  3 | 
  4 | # Mark failures other than test failures with a purple box.
  5 | command_type: system
  6 | 
  7 | # Limit maximum test running time.
  8 | exec_timeout_secs: 900 # 15 minutes
  9 | 
 10 | # What to do when evergreen hits the timeout
 11 | timeout:
 12 |   - command: shell.exec
 13 |     params:
 14 |       script: |
 15 |         ls -la
 16 | 
 17 | functions:
 18 |   fetch source:
 19 |     - command: git.get_project
 20 |       params:
 21 |         directory: src
 22 |     - command: subprocess.exec
 23 |       params:
 24 |         working_dir: src
 25 |         binary: bash
 26 |         add_expansions_to_env: true
 27 |         args:
 28 |           - '.evergreen/prepare-shell.sh'
 29 |     - command: expansions.update
 30 |       params:
 31 |         file: src/expansion.yml
 32 |   run tests:
 33 |     - command: subprocess.exec
 34 |       type: test
 35 |       params:
 36 |         working_dir: src
 37 |         binary: bash
 38 |         args:
 39 |           - '.evergreen/run-tests.sh'
 40 |         env:
 41 |           PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
 42 |           NODE_LTS_VERSION: ${NODE_LTS_VERSION}
 43 |   run tests ubuntu:
 44 |     - command: subprocess.exec
 45 |       type: test
 46 |       params:
 47 |         binary: docker
 48 |         working_dir: src
 49 |         env:
 50 |           PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
 51 |           NODE_LTS_VERSION: ${NODE_LTS_VERSION}
 52 |           PROJECT: ${project}
 53 |           GYP_DEFINES: ${GYP_DEFINES|}
 54 |         args:
 55 |           - run
 56 |           - '--interactive'
 57 |           - '--volume'
 58 |           - ${PROJECT_DIRECTORY}:/app
 59 |           - '--volume'
 60 |           - ${DRIVERS_TOOLS}:/drivers-tools
 61 |           - '--workdir'
 62 |           - /app
 63 |           - '--env'
 64 |           - PROJECT_DIRECTORY=/app
 65 |           - '--env'
 66 |           - DRIVERS_TOOLS=/drivers-tools
 67 |           - '--env'
 68 |           - GYP_DEFINES
 69 |           - '--env'
 70 |           - NODE_LTS_VERSION=${NODE_LTS_VERSION}
 71 |           - '--env'
 72 |           - NPM_VERSION=${NPM_VERSION}
 73 |           - 'ubuntu:22.04'
 74 |           - /bin/bash
 75 |           - /app/.evergreen/run-tests-ubuntu.sh
 76 |   run prebuild:
 77 |     - command: subprocess.exec
 78 |       type: test
 79 |       params:
 80 |         working_dir: src
 81 |         binary: bash
 82 |         args:
 83 |           - '.evergreen/run-prebuild.sh'
 84 |         env:
 85 |           PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
 86 |           NODE_GITHUB_TOKEN: ${github_token}
 87 |   install dependencies:
 88 |     - command: subprocess.exec
 89 |       type: setup
 90 |       params:
 91 |         working_dir: src
 92 |         binary: bash
 93 |         add_expansions_to_env: true
 94 |         args:
 95 |           - .evergreen/install-dependencies.sh
 96 |         env:
 97 |           PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
 98 |           NODE_LTS_VERSION: ${NODE_LTS_VERSION}
 99 |           NPM_VERSION: "9"
100 | 
101 | pre:
102 |   - func: fetch source
103 | 
104 | tasks:
105 |   - name: run-tests
106 |     commands:
107 |       - func: install dependencies
108 |       - func: run tests
109 |   - name: run-tests-ubuntu
110 |     commands:
111 |       - func: run tests ubuntu
112 |   - name: run-tests-ubuntu-rtld
113 |     commands:
114 |       - func: run tests ubuntu
115 |         vars:
116 |           GYP_DEFINES: kerberos_use_rtld=false
117 |   - name: run-prebuild
118 |     commands:
119 |       - func: install dependencies
120 |       - func: run prebuild
121 | 
122 | buildvariants:
123 |   - name: ubuntu2204-x64-node-16
124 |     display_name: 'Ubuntu 22.04 x64 - Node 16'
125 |     run_on: ubuntu2204-small
126 |     expansions:
127 |       has_packages: true
128 |       packager_distro: ubuntu2204
129 |       packager_arch: x86_64
130 |       NODE_LTS_VERSION: "16"
131 |       NPM_VERSION: "9"
132 |     tasks:
133 |       - run-tests-ubuntu
134 |       - run-tests-ubuntu-rtld
135 |   - name: ubuntu2204-x64-node-18
136 |     display_name: 'Ubuntu 22.04 x64 - Node 18'
137 |     run_on: ubuntu2204-small
138 |     expansions:
139 |       has_packages: true
140 |       packager_distro: ubuntu2204
141 |       packager_arch: x86_64
142 |       NODE_LTS_VERSION: "18"
143 |     tasks:
144 |       - run-tests-ubuntu
145 |       - run-tests-ubuntu-rtld
146 |   - name: ubuntu2204-x64-node-20
147 |     display_name: 'Ubuntu 22.04 x64 - Node 20'
148 |     run_on: ubuntu2204-small
149 |     expansions:
150 |       has_packages: true
151 |       packager_distro: ubuntu2204
152 |       packager_arch: x86_64
153 |       NODE_LTS_VERSION: "20"
154 |     tasks:
155 |       - run-tests-ubuntu
156 |       - run-tests-ubuntu-rtld
157 |   - name: ubuntu2204-x64-node-22
158 |     display_name: 'Ubuntu 22.04 x64 - Node 22'
159 |     run_on: ubuntu2204-small
160 |     expansions:
161 |       has_packages: true
162 |       packager_distro: ubuntu2204
163 |       packager_arch: x86_64
164 |       NODE_LTS_VERSION: "22"
165 |     tasks:
166 |       - run-tests-ubuntu
167 |       - run-tests-ubuntu-rtld
168 |   - name: ubuntu2204-arm64-node-16
169 |     display_name: 'Ubuntu 22.04 arm64 - Node 16'
170 |     run_on: ubuntu2204-arm64-small
171 |     expansions:
172 |       has_packages: true
173 |       packager_distro: ubuntu2204
174 |       packager_arch: arm64
175 |       NODE_LTS_VERSION: "16"
176 |       NPM_VERSION: "9"
177 |     tasks:
178 |       - run-tests-ubuntu
179 |       - run-tests-ubuntu-rtld
180 |   - name: ubuntu2204-arm64-node-18
181 |     display_name: 'Ubuntu 22.04 arm64 - Node 18'
182 |     run_on: ubuntu2204-arm64-small
183 |     expansions:
184 |       has_packages: true
185 |       packager_distro: ubuntu2204
186 |       packager_arch: arm64
187 |       NODE_LTS_VERSION: "18"
188 |     tasks:
189 |       - run-tests-ubuntu
190 |       - run-tests-ubuntu-rtld
191 |   - name: ubuntu2204-arm64-node-20
192 |     display_name: 'Ubuntu 22.04 arm64 - Node 20'
193 |     run_on: ubuntu2204-arm64-small
194 |     expansions:
195 |       has_packages: true
196 |       packager_distro: ubuntu2204
197 |       packager_arch: arm64
198 |       NODE_LTS_VERSION: "20"
199 |     tasks:
200 |       - run-tests-ubuntu
201 |       - run-tests-ubuntu-rtld
202 |   - name: ubuntu2204-arm64-node-22
203 |     display_name: 'Ubuntu 22.04 arm64 - Node 22'
204 |     run_on: ubuntu2204-arm64-small
205 |     expansions:
206 |       has_packages: true
207 |       packager_distro: ubuntu2204
208 |       packager_arch: arm64
209 |       NODE_LTS_VERSION: "22"
210 |     tasks:
211 |       - run-tests-ubuntu
212 |       - run-tests-ubuntu-rtld
213 | 


--------------------------------------------------------------------------------
/.evergreen/install-dependencies.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | set -o errexit  # Exit the script with error if any of the commands fail
 3 | 
 4 | # allowed values:
 5 | ## a nodejs major version (i.e., 16)
 6 | ## 'latest'
 7 | ## a full nodejs version, in the format v<major>.<minor>.patch
 8 | export NODE_LTS_VERSION=${NODE_LTS_VERSION:-14}
 9 | # npm version can be defined in the environment for cases where we need to install
10 | # a version lower than latest to support EOL Node versions. When not provided will
11 | # be handled by this script in drivers tools.
12 | source $DRIVERS_TOOLS/.evergreen/install-node.sh
13 | 
14 | npm install --build-from-source
15 | ldd build/*/kerberos.node || true
16 | 


--------------------------------------------------------------------------------
/.evergreen/prepare-shell.sh:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env bash
 2 | 
 3 | # Only set errexit and xtrace if shell is NOT interactive
 4 | [[ $- == *i* ]] || set -o xtrace
 5 | [[ $- == *i* ]] || set -o errexit
 6 | 
 7 | PROJECT_DIRECTORY="$(pwd)"
 8 | DRIVERS_TOOLS=$(cd .. && echo "$(pwd)/drivers-tools")
 9 | export PROJECT_DIRECTORY
10 | export DRIVERS_TOOLS
11 | 
12 | if [ ! -d "$DRIVERS_TOOLS" ]; then
13 |   # Only clone driver tools if it does not exist
14 |   git clone --depth=1 "https://github.com/mongodb-labs/drivers-evergreen-tools.git" "${DRIVERS_TOOLS}"
15 | fi
16 | 
17 | echo "installed DRIVERS_TOOLS from commit $(git -C "${DRIVERS_TOOLS}" rev-parse HEAD)"
18 | 
19 | 
20 | # Get the current unique version of this checkout
21 | if [ "${is_patch}" = "true" ]; then
22 |     CURRENT_VERSION=$(git describe)-patch-${version_id}
23 | else
24 |     CURRENT_VERSION=latest
25 | fi
26 | 
27 | # Python has cygwin path problems on Windows. Detect prospective mongo-orchestration home directory
28 | if [ "Windows_NT" = "$OS" ]; then # Magic variable in cygwin
29 |     export PROJECT_DIRECTORY=$(cygpath -m "$PROJECT_DIRECTORY")
30 | fi
31 | 
32 | cat <<EOT > expansion.yml
33 | CURRENT_VERSION: "$CURRENT_VERSION"
34 | PROJECT_DIRECTORY: "$PROJECT_DIRECTORY"
35 | DRIVERS_TOOLS: "$DRIVERS_TOOLS"
36 | PREPARE_SHELL: |
37 |     set -o errexit
38 |     set -o xtrace
39 |     export PROJECT_DIRECTORY="$PROJECT_DIRECTORY"
40 |     export PROJECT="${project}"
41 |     export DRIVERS_TOOLS="$DRIVERS_TOOLS"
42 | EOT
43 | 
44 | # See what we've done
45 | cat expansion.yml
46 | 


--------------------------------------------------------------------------------
/.evergreen/run-prebuild.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | set -o errexit  # Exit the script with error if any of the commands fail
 4 | set -o xtrace
 5 | 
 6 | source $DRIVERS_TOOLS/.evergreen/init-node-and-npm-env.sh
 7 | 
 8 | # mongodbtoolchain is necessary for building on Windows
 9 | export PATH="/opt/mongodbtoolchain/v2/bin:$PATH"
10 | 
11 | echo "Node Version $(node -v)"
12 | 
13 | npm run prebuild
14 | echo "Local prebuild successful."
15 | ls prebuilds
16 | 


--------------------------------------------------------------------------------
/.evergreen/run-tests-ubuntu.sh:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env bash
  2 | 
  3 | set -o errexit
  4 | 
  5 | IP_ADDRESS=$(hostname -I)
  6 | HOSTNAME=$(cat /etc/hostname)
  7 | 
  8 | export KERBEROS_USERNAME="administrator"
  9 | export KERBEROS_PASSWORD="Password01"
 10 | export KERBEROS_REALM="example.com"
 11 | export KERBEROS_HOSTNAME="hostname.example.com"
 12 | export KERBEROS_PORT="80"
 13 | 
 14 | export KERBEROS_HOSTNAME=$HOSTNAME.$KERBEROS_REALM
 15 | export DEBIAN_FRONTEND=noninteractive
 16 | 
 17 | export NODE_LTS_VERSION=$NODE_LTS_VERSION
 18 | 
 19 | echo "Installing all the packages required in this test"
 20 | apt-get update
 21 | apt-get -y -qq install \
 22 |   python3 curl \
 23 |   build-essential libkrb5-dev \
 24 |   krb5-user krb5-kdc krb5-admin-server \
 25 |   apache2 libapache2-mod-auth-gssapi
 26 | 
 27 | set -o xtrace # enable logging after apt install
 28 | 
 29 | echo "Configure the hosts file for Kerberos to work in a container"
 30 | cp /etc/hosts ~/hosts.new
 31 | sed -i "/.*$HOSTNAME/c\\$IP_ADDRESS\t$KERBEROS_HOSTNAME" ~/hosts.new
 32 | cp -f ~/hosts.new /etc/hosts
 33 | 
 34 | echo "Setting up Kerberos config file at /etc/krb5.conf"
 35 | cat > /etc/krb5.conf << EOL
 36 | [libdefaults]
 37 |     default_realm = ${KERBEROS_REALM^^}
 38 |     dns_lookup_realm = false
 39 |     dns_lookup_kdc = false
 40 | [realms]
 41 |     ${KERBEROS_REALM^^} = {
 42 |         kdc = $KERBEROS_HOSTNAME
 43 |         admin_server = $KERBEROS_HOSTNAME
 44 |     }
 45 | [domain_realm]
 46 |     .$KERBEROS_REALM = ${KERBEROS_REALM^^}
 47 | [logging]
 48 |     kdc = FILE:/var/log/krb5kdc.log
 49 |     admin_server = FILE:/var/log/kadmin.log
 50 |     default = FILE:/var/log/krb5lib.log
 51 | EOL
 52 | 
 53 | echo "Setting up kerberos ACL configuration at /etc/krb5kdc/kadm5.acl"
 54 | mkdir -p /etc/krb5kdc
 55 | echo -e "*/*@${KERBEROS_REALM^^}\t*" > /etc/krb5kdc/kadm5.acl
 56 | 
 57 | echo "Creating KDC database"
 58 | # krb5_newrealm returns non-0 return code as it is running in a container, ignore it for this command only
 59 | set +e
 60 | printf "$KERBEROS_PASSWORD\n$KERBEROS_PASSWORD" | krb5_newrealm
 61 | set -e
 62 | 
 63 | echo "Creating principals for tests"
 64 | kadmin.local -q "addprinc -pw $KERBEROS_PASSWORD $KERBEROS_USERNAME"
 65 | 
 66 | echo "Adding principal for Kerberos auth and creating keytabs"
 67 | kadmin.local -q "addprinc -randkey HTTP/$KERBEROS_HOSTNAME"
 68 | kadmin.local -q "addprinc -randkey host/$KERBEROS_HOSTNAME@${KERBEROS_REALM^^}"
 69 | kadmin.local -q "addprinc -randkey host/${KERBEROS_HOSTNAME^^}@${KERBEROS_REALM^^}"
 70 | kadmin.local -q "addprinc -randkey ${KERBEROS_HOSTNAME^^}@${KERBEROS_REALM^^}"
 71 | 
 72 | kadmin.local -q "ktadd -k /etc/krb5.keytab host/$KERBEROS_HOSTNAME@${KERBEROS_REALM^^}"
 73 | kadmin.local -q "ktadd -k /etc/krb5.keytab host/${KERBEROS_HOSTNAME^^}@${KERBEROS_REALM^^}"
 74 | kadmin.local -q "ktadd -k /etc/krb5.keytab ${KERBEROS_HOSTNAME^^}@${KERBEROS_REALM^^}"
 75 | kadmin.local -q "ktadd -k /etc/krb5.keytab HTTP/$KERBEROS_HOSTNAME"
 76 | chmod 777 /etc/krb5.keytab
 77 | 
 78 | echo "Restarting Kerberos KDS service"
 79 | service krb5-kdc restart
 80 | 
 81 | echo "Add ServerName to Apache config"
 82 | grep -q -F "ServerName $KERBEROS_HOSTNAME" /etc/apache2/apache2.conf || echo "ServerName $KERBEROS_HOSTNAME" >> /etc/apache2/apache2.conf
 83 | 
 84 | echo "Deleting default virtual host file"
 85 | rm /etc/apache2/sites-enabled/000-default.conf
 86 | rm /etc/apache2/sites-available/000-default.conf
 87 | rm /etc/apache2/sites-available/default-ssl.conf
 88 | 
 89 | echo "Create website directory structure and pages"
 90 | mkdir -p /var/www/example.com/public_html
 91 | chmod -R 755 /var/www
 92 | echo "<html><head><title>Title</title></head><body>body mesage</body></html>" > /var/www/example.com/public_html/index.html
 93 | 
 94 | echo "Create virtual host files"
 95 | cat > /etc/apache2/sites-available/example.com.conf << EOL
 96 | <VirtualHost *:$KERBEROS_PORT>
 97 |     ServerName $KERBEROS_HOSTNAME
 98 |     ServerAlias $KERBEROS_HOSTNAME
 99 |     DocumentRoot /var/www/example.com/public_html
100 |     ErrorLog ${APACHE_LOG_DIR}/error.log
101 |     CustomLog ${APACHE_LOG_DIR}/access.log combined
102 |     <Directory "/var/www/example.com/public_html">
103 |         AuthType GSSAPI
104 |         AuthName "GSSAPI Single Sign On Login"
105 |         Require user $KERBEROS_USERNAME@${KERBEROS_REALM^^}
106 |         GssapiCredStore keytab:/etc/krb5.keytab
107 |     </Directory>
108 | </VirtualHost>
109 | EOL
110 | 
111 | echo "Enabling virtual host site"
112 | a2ensite example.com.conf
113 | service apache2 restart
114 | 
115 | echo "Getting ticket for Kerberos user"
116 | echo -n "$KERBEROS_PASSWORD" | kinit "$KERBEROS_USERNAME@${KERBEROS_REALM^^}"
117 | 
118 | echo "Try out the curl connection"
119 | CURL_OUTPUT=$(curl --negotiate -u : "http://$KERBEROS_HOSTNAME")
120 | 
121 | if [ "$CURL_OUTPUT" != "<html><head><title>Title</title></head><body>body mesage</body></html>" ]; then
122 |     echo -e "ERROR: Did not get success message, cannot continue with actual tests:\nActual Output:\n$CURL_OUTPUT"
123 |     exit 1
124 | else
125 |     echo -e "SUCCESS: Apache site built and set for Kerberos auth\nActual Output:\n$CURL_OUTPUT"
126 | fi
127 | 
128 | echo "Run: install Node.js"
129 | source "${PROJECT_DIRECTORY}/.evergreen/install-dependencies.sh"
130 | 
131 | npm test
132 | 


--------------------------------------------------------------------------------
/.evergreen/run-tests.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | set -o errexit  # Exit the script with error if any of the commands fail
 4 | set -o xtrace
 5 | 
 6 | source $DRIVERS_TOOLS/.evergreen/init-node-and-npm-env.sh
 7 | 
 8 | npm run check:lint
 9 | npm test
10 | 


--------------------------------------------------------------------------------
/.github/CODEOWNERS:
--------------------------------------------------------------------------------
1 | # Everything
2 | * @mongodb-js/dbx-node-devs
3 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/Issue_template.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Issue
 3 | about: Please use JIRA instead
 4 | title: ''
 5 | labels: ''
 6 | assignees: ''
 7 | ---
 8 | 
 9 | <!-- 🚨 STOP 🚨 STOP 🚨 STOP 🚨
10 | 
11 | You can find assistance at our community forums: https://developer.mongodb.com/community/forums/tags/c/drivers-odms/7/node-js
12 | We use JIRA to track issues and feature requests: https://jira.mongodb.org/browse/NODE
13 | 
14 | Our GitHub Issues are left open for now as we work to deprecate this method of issue reporting.
15 | Thank you for understanding.
16 | -->
17 | 
18 | **Kerberos Version:** 1.1.x
19 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/config.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | blank_issues_enabled: false
 3 | contact_links:
 4 |   -
 5 |     about: "Please ask and answer usage questions on our Community Forums."
 6 |     name: Questions
 7 |     url: "https://developer.mongodb.com/community/forums/tags/c/drivers-odms/7/node-js"
 8 |   -
 9 |     about: "Please submit all issues or feature requests to our JIRA."
10 |     name: Issues & Feature Requests
11 |     url: "https://jira.mongodb.org/browse/NODE"
12 |   -
13 |     about: "Please check the FAQ before filing new issues"
14 |     name: "MongoDB NodeJS FAQ"
15 |     url: "https://docs.mongodb.com/drivers/node/faq"
16 | 


--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
 1 | # To get started with Dependabot version updates, you'll need to specify which
 2 | # package ecosystems to update and where the package manifests are located.
 3 | # Please see the documentation for all configuration options:
 4 | # https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
 5 | 
 6 | version: 2
 7 | updates:
 8 |   - package-ecosystem: "github-actions" # See documentation for possible values
 9 |     directory: "/" # Location of package manifests
10 |     schedule:
11 |       interval: "monthly"
12 |   - package-ecosystem: "npm" # See documentation for possible values
13 |     directory: "/" # Location of package manifests
14 |     schedule:
15 |       interval: "monthly"
16 |     ignore:
17 |       # chai is esmodule only.
18 |       - dependency-name: "chai"
19 |         versions: [">=5.0.0"]
20 |       # sinon-chai 4.x+ supports chai 5.x+.
21 |       - dependency-name: "sinon-chai"
22 |         versions: [">=4.0.0"]
23 |       # chalk is esmodule only.
24 |       - dependency-name: "chalk"
25 |         versions: [">=5.0.0"]
26 |       # nyc is Node18+ only starting on nyc@16.x.
27 |       - dependency-name: "nyc"
28 |         versions: [">=16.0.0"]
29 |       # we ignore TS as a part of quarterly dependency updates.
30 |       - dependency-name: "typescript"
31 |       # node-gyp now depends on python 3.10, we install 3.6 in our dockerfile
32 |       - dependency-name: "node-gyp"
33 |       - dependency-name: "prebuild"
34 |       
35 |     groups:
36 |       development-dependencies:
37 |         dependency-type: "development"
38 |         applies-to: version-updates
39 |         update-types:
40 |         - "minor"
41 |         - "patch"


--------------------------------------------------------------------------------
/.github/docker/Dockerfile.glibc:
--------------------------------------------------------------------------------
 1 | FROM ubuntu:bionic AS build
 2 | 
 3 | # Possible values: s390x, arm64, x64
 4 | ARG NODE_ARCH
 5 | ADD https://nodejs.org/dist/v16.20.1/node-v16.20.1-linux-${NODE_ARCH}.tar.gz /
 6 | RUN mkdir -p /nodejs && tar -xzf /node-v16.20.1-linux-${NODE_ARCH}.tar.gz --strip-components=1 -C /nodejs
 7 | ENV PATH=$PATH:/nodejs/bin
 8 | 
 9 | WORKDIR /kerberos
10 | COPY . .
11 | 
12 | RUN apt-get -qq update && apt-get -qq install -y python3 build-essential libkrb5-dev && ldd --version
13 | 
14 | RUN node .github/scripts/build.mjs
15 | 
16 | FROM scratch
17 | 
18 | COPY --from=build /kerberos/prebuilds/ /
19 | 


--------------------------------------------------------------------------------
/.github/pull_request_template.md:
--------------------------------------------------------------------------------
 1 | ### Description
 2 | 
 3 | #### What is changing?
 4 | 
 5 | ##### Is there new documentation needed for these changes?
 6 | 
 7 | #### What is the motivation for this change?
 8 | 
 9 | <!-- If this is a bug, it helps to describe the current behavior and a clear outline of the expected behavior -->
10 | <!-- If this is a feature, it helps to describe the new use case enabled by this change -->
11 | 
12 | <!--
13 | Contributors!
14 | First of all, thank you so much!!
15 | If you haven't already, it would greatly help the team review this work in a timely manner if you create a JIRA ticket to track this PR.
16 | You can do that here: https://jira.mongodb.org/projects/NODE
17 | -->
18 | 
19 | ### Release Highlight
20 | 
21 | <!-- RELEASE_HIGHLIGHT_START -->
22 | 
23 | ### Fill in title or leave empty for no highlight
24 | 
25 | <!-- RELEASE_HIGHLIGHT_END -->
26 | 
27 | ### Double check the following
28 | 
29 | - [ ] Ran `npm run check:lint` script
30 | - [ ] Self-review completed using the [steps outlined here](https://github.com/mongodb/node-mongodb-native/blob/HEAD/CONTRIBUTING.md#reviewer-guidelines)
31 | - [ ] PR title follows the [correct format](https://www.conventionalcommits.org/en/v1.0.0/): `type(NODE-xxxx)[!]: description`
32 |   - Example: `feat(NODE-1234)!: rewriting everything in coffeescript`
33 | - [ ] Changes are covered by tests
34 | - [ ] New TODOs have a related JIRA ticket
35 | 


--------------------------------------------------------------------------------
/.github/scripts/build.mjs:
--------------------------------------------------------------------------------
  1 | // @ts-check
  2 | 
  3 | import util from 'node:util';
  4 | import process from 'node:process';
  5 | import fs from 'node:fs/promises';
  6 | import child_process from 'node:child_process';
  7 | import events from 'node:events';
  8 | import path from 'node:path';
  9 | import url from 'node:url';
 10 | 
 11 | const __dirname = path.dirname(url.fileURLToPath(import.meta.url));
 12 | 
 13 | /** Resolves to the root of this repository */
 14 | function resolveRoot(...paths) {
 15 |   return path.resolve(__dirname, '..', '..', ...paths);
 16 | }
 17 | 
 18 | async function parseArguments() {
 19 |   const pkg = JSON.parse(await fs.readFile(resolveRoot('package.json'), 'utf8'));
 20 | 
 21 |   const options = {
 22 |     'kerberos_use_rtld': { type: 'boolean', default: true },
 23 |     help: { short: 'h', type: 'boolean', default: false }
 24 |   };
 25 | 
 26 |   const args = util.parseArgs({ args: process.argv.slice(2), options, allowPositionals: false });
 27 | 
 28 |   if (args.values.help) {
 29 |     console.log(
 30 |       `${path.basename(process.argv[1])} ${[...Object.keys(options)]
 31 |         .filter(k => k !== 'help')
 32 |         .map(k => `[--${k}=${options[k].type}]`)
 33 |         .join(' ')}`
 34 |     );
 35 |     process.exit(0);
 36 |   }
 37 | 
 38 |   return {
 39 |     kerberos_use_rtld: !!args.values.kerberos_use_rtld,
 40 |     pkg
 41 |   };
 42 | }
 43 | 
 44 | /** `xtrace` style command runner, uses spawn so that stdio is inherited */
 45 | async function run(command, args = [], options = {}) {
 46 |   const commandDetails = `+ ${command} ${args.join(' ')}${options.cwd ? ` (in: ${options.cwd})` : ''}`;
 47 |   console.error(commandDetails);
 48 |   const proc = child_process.spawn(command, args, {
 49 |     shell: process.platform === 'win32',
 50 |     stdio: 'inherit',
 51 |     cwd: resolveRoot('.'),
 52 |     ...options
 53 |   });
 54 |   await events.once(proc, 'exit');
 55 | 
 56 |   if (proc.exitCode != 0) throw new Error(`CRASH(${proc.exitCode}): ${commandDetails}`);
 57 | }
 58 | 
 59 | async function buildBindings(args, pkg) {
 60 |   await fs.rm(resolveRoot('build'), { force: true, recursive: true });
 61 |   await fs.rm(resolveRoot('prebuilds'), { force: true, recursive: true });
 62 | 
 63 |   // install with "ignore-scripts" so that we don't attempt to download a prebuild
 64 |   await run('npm', ['install', '--ignore-scripts']);
 65 |   // The prebuild command will make both a .node file in `./build` (local and CI testing will run on current code)
 66 |   // it will also produce `./prebuilds/kerberos-vVERSION-napi-vNAPI_VERSION-OS-ARCH.tar.gz`.
 67 | 
 68 |   let gypDefines = process.env.GYP_DEFINES ?? '';
 69 |   if (!args.kerberos_use_rtld) {
 70 |     gypDefines += ' kerberos_use_rtld=false';
 71 |   }
 72 | 
 73 |   gypDefines = gypDefines.trim();
 74 |   const prebuildOptions =
 75 |     gypDefines.length > 0
 76 |       ? { env: { ...process.env, GYP_DEFINES: gypDefines } }
 77 |       : undefined;
 78 | 
 79 |   await run('npm', ['run', 'prebuild'], prebuildOptions);
 80 | 
 81 |   // TODO(NODE-5140): When we have a TS build step
 82 |   // await run('npm', ['run', 'prepare']);
 83 | 
 84 |   if (process.platform === 'darwin' && process.arch === 'arm64') {
 85 |     // The "arm64" build is actually a universal binary
 86 |     const armTar = `kerberos-v${pkg.version}-napi-v4-darwin-arm64.tar.gz`;
 87 |     const x64Tar = `kerberos-v${pkg.version}-napi-v4-darwin-x64.tar.gz`;
 88 |     await fs.copyFile(resolveRoot('prebuilds', armTar), resolveRoot('prebuilds', x64Tar));
 89 |   }
 90 | 
 91 |   await run('node', ['--print', `require('.')`], { cwd: resolveRoot() })
 92 | }
 93 | 
 94 | async function main() {
 95 |   const { pkg, ...args } = await parseArguments();
 96 |   console.log(args);
 97 |   await buildBindings(args, pkg);
 98 | }
 99 | 
100 | await main();
101 | 


--------------------------------------------------------------------------------
/.github/scripts/highlights.mjs:
--------------------------------------------------------------------------------
 1 | // @ts-check
 2 | import * as process from 'node:process';
 3 | import { output } from './util.mjs';
 4 | 
 5 | const {
 6 |   GITHUB_TOKEN = '',
 7 |   PR_LIST = '',
 8 |   REPOSITORY = ''
 9 | } = process.env;
10 | if (GITHUB_TOKEN === '') throw new Error('GITHUB_TOKEN cannot be empty');
11 | if (REPOSITORY === '') throw new Error('REPOSITORY cannot be empty')
12 | 
13 | const API_REQ_INFO = {
14 |   headers: {
15 |     Accept: 'application/vnd.github.v3+json',
16 |     'X-GitHub-Api-Version': '2022-11-28',
17 |     Authorization: `Bearer ${GITHUB_TOKEN}`
18 |   }
19 | }
20 | 
21 | const prs = PR_LIST.split(',').map(pr => {
22 |   const prNum = Number(pr);
23 |   if (Number.isNaN(prNum))
24 |     throw Error(`expected PR number list: ${PR_LIST}, offending entry: ${pr}`);
25 |   return prNum;
26 | });
27 | 
28 | /** @param {number} pull_number */
29 | async function getPullRequestContent(pull_number) {
30 |   const startIndicator = 'RELEASE_HIGHLIGHT_START -->';
31 |   const endIndicator = '<!-- RELEASE_HIGHLIGHT_END';
32 | 
33 |   let body;
34 |   try {
35 |     const response = await fetch(new URL(`https://api.github.com/repos/${REPOSITORY}/pulls/${pull_number}`), API_REQ_INFO);
36 |     if (!response.ok) throw new Error(await response.text());
37 |     const pr = await response.json();
38 |     body = pr.body;
39 |   } catch (error) {
40 |     console.log(`Could not get PR ${pull_number}, skipping. ${error.status}`);
41 |     return '';
42 |   }
43 | 
44 |   if (body == null || !(body.includes(startIndicator) && body.includes(endIndicator))) {
45 |     console.log(`PR #${pull_number} has no highlight`);
46 |     return '';
47 |   }
48 | 
49 |   const start = body.indexOf('### ', body.indexOf(startIndicator));
50 |   const end = body.indexOf(endIndicator);
51 |   const highlightSection = body.slice(start, end).trim();
52 | 
53 |   console.log(`PR #${pull_number} has a highlight ${highlightSection.length} characters long`);
54 |   return highlightSection;
55 | }
56 | 
57 | /** @param {number[]} prs */
58 | async function pullRequestHighlights(prs) {
59 |   const highlights = [];
60 |   for (const pr of prs) {
61 |     const content = await getPullRequestContent(pr);
62 |     highlights.push(content);
63 |   }
64 |   if (!highlights.length) return '';
65 | 
66 |   highlights.unshift('## Release Notes\n\n');
67 | 
68 |   const highlight = highlights.join('\n\n');
69 |   console.log(`Total highlight is ${highlight.length} characters long`);
70 |   return highlight;
71 | }
72 | 
73 | console.log('List of PRs to collect highlights from:', prs);
74 | const highlights = await pullRequestHighlights(prs);
75 | 
76 | await output('highlights', JSON.stringify({ highlights }));
77 | 


--------------------------------------------------------------------------------
/.github/scripts/pr_list.mjs:
--------------------------------------------------------------------------------
 1 | // @ts-check
 2 | import * as url from 'node:url';
 3 | import * as fs from 'node:fs/promises';
 4 | import * as path from 'node:path';
 5 | import { getCurrentHistorySection, output } from './util.mjs';
 6 | 
 7 | const __dirname = url.fileURLToPath(new URL('.', import.meta.url));
 8 | const historyFilePath = path.join(__dirname, '..', '..', 'HISTORY.md');
 9 | 
10 | /**
11 |  * @param {string} history
12 |  * @returns {string[]}
13 |  */
14 | function parsePRList(history) {
15 |   const prRegexp = /kerberos\/issues\/(?<prNum>\d+)\)/iu;
16 |   return Array.from(
17 |     new Set(
18 |       history
19 |         .split('\n')
20 |         .map(line => prRegexp.exec(line)?.groups?.prNum ?? '')
21 |         .filter(prNum => prNum !== '')
22 |     )
23 |   );
24 | }
25 | 
26 | const historyContents = await fs.readFile(historyFilePath, { encoding: 'utf8' });
27 | 
28 | const currentHistorySection = getCurrentHistorySection(historyContents);
29 | 
30 | const prs = parsePRList(currentHistorySection);
31 | 
32 | await output('pr_list', prs.join(','));
33 | 


--------------------------------------------------------------------------------
/.github/scripts/release_notes.mjs:
--------------------------------------------------------------------------------
 1 | //@ts-check
 2 | import * as url from 'node:url';
 3 | import * as fs from 'node:fs/promises';
 4 | import * as path from 'node:path';
 5 | import * as process from 'node:process';
 6 | import * as semver from 'semver';
 7 | import { getCurrentHistorySection, output } from './util.mjs';
 8 | 
 9 | const { HIGHLIGHTS = '' } = process.env;
10 | if (HIGHLIGHTS === '') throw new Error('HIGHLIGHTS cannot be empty');
11 | 
12 | const { highlights } = JSON.parse(HIGHLIGHTS);
13 | 
14 | const __dirname = url.fileURLToPath(new URL('.', import.meta.url));
15 | const historyFilePath = path.join(__dirname, '..', '..', 'HISTORY.md');
16 | const packageFilePath = path.join(__dirname, '..', '..', 'package.json');
17 | 
18 | const historyContents = await fs.readFile(historyFilePath, { encoding: 'utf8' });
19 | 
20 | const currentHistorySection = getCurrentHistorySection(historyContents);
21 | 
22 | const version = semver.parse(
23 |   JSON.parse(await fs.readFile(packageFilePath, { encoding: 'utf8' })).version
24 | );
25 | if (version == null) throw new Error(`could not create semver from package.json`);
26 | 
27 | console.log('\n\n--- history entry ---\n\n', currentHistorySection);
28 | 
29 | const currentHistorySectionLines = currentHistorySection.split('\n');
30 | const header = currentHistorySectionLines[0];
31 | const history = currentHistorySectionLines.slice(1).join('\n').trim();
32 | 
33 | const releaseNotes = `${header}
34 | 
35 | The MongoDB Node.js team is pleased to announce version ${version.version} of the \`kerberos\` package!
36 | 
37 | ${highlights}
38 | ${history}
39 | ## Documentation
40 | 
41 | * [Changelog](https://github.com/mongodb-js/kerberos/blob/v${version.version}/HISTORY.md)
42 | 
43 | We invite you to try the \`kerberos\` library immediately, and report any issues to the [NODE project](https://jira.mongodb.org/projects/NODE).
44 | `;
45 | 
46 | const releaseNotesPath = path.join(process.cwd(), 'release_notes.md');
47 | 
48 | await fs.writeFile(
49 |   releaseNotesPath,
50 |   `:seedling: A new release!\n---\n${releaseNotes}\n---\n`,
51 |   { encoding:'utf8' }
52 | );
53 | 
54 | await output('release_notes_path', releaseNotesPath)
55 | 


--------------------------------------------------------------------------------
/.github/scripts/util.mjs:
--------------------------------------------------------------------------------
 1 | // @ts-check
 2 | import * as process from 'node:process';
 3 | import * as fs from 'node:fs/promises';
 4 | 
 5 | export async function output(key, value) {
 6 |   const { GITHUB_OUTPUT = '' } = process.env;
 7 |   const output = `${key}=${value}\n`;
 8 |   console.log('outputting:', output);
 9 | 
10 |   if (GITHUB_OUTPUT.length === 0) {
11 |     // This is always defined in Github actions, and if it is not for some reason, tasks that follow will fail.
12 |     // For local testing it's convenient to see what scripts would output without requiring the variable to be defined.
13 |     console.log('GITHUB_OUTPUT not defined, printing only');
14 |     return;
15 |   }
16 | 
17 |   const outputFile = await fs.open(GITHUB_OUTPUT, 'a');
18 |   await outputFile.appendFile(output, { encoding: 'utf8' });
19 |   await outputFile.close();
20 | }
21 | 
22 | /**
23 |  * @param {string} historyContents
24 |  * @returns {string}
25 |  */
26 | export function getCurrentHistorySection(historyContents) {
27 |   /** Markdown version header */
28 |   const VERSION_HEADER = /^#.+\(\d{4}-\d{2}-\d{2}\)$/g;
29 | 
30 |   const historyLines = historyContents.split('\n');
31 | 
32 |   // Search for the line with the first version header, this will be the one we're releasing
33 |   const headerLineIndex = historyLines.findIndex(line => VERSION_HEADER.test(line));
34 |   if (headerLineIndex < 0) throw new Error('Could not find any version header');
35 | 
36 |   console.log('Found markdown header current release', headerLineIndex, ':', historyLines[headerLineIndex]);
37 | 
38 |   // Search lines starting after the first header, and add back the offset we sliced at
39 |   const nextHeaderLineIndex = historyLines
40 |     .slice(headerLineIndex + 1)
41 |     .findIndex(line => VERSION_HEADER.test(line)) + headerLineIndex + 1;
42 |   if (nextHeaderLineIndex < 0) throw new Error(`Could not find previous version header, searched ${headerLineIndex + 1}`);
43 | 
44 |   console.log('Found markdown header previous release', nextHeaderLineIndex, ':', historyLines[nextHeaderLineIndex]);
45 | 
46 |   return historyLines.slice(headerLineIndex, nextHeaderLineIndex).join('\n');
47 | }
48 | 


--------------------------------------------------------------------------------
/.github/workflows/build.yml:
--------------------------------------------------------------------------------
 1 | on:
 2 |   pull_request:
 3 |     branches: [main]
 4 |   workflow_dispatch: {}
 5 |   workflow_call: {}
 6 | 
 7 | name: Build and Test
 8 | 
 9 | permissions:
10 |   contents: write
11 |   pull-requests: write
12 |   id-token: write
13 | 
14 | jobs:
15 |   host_builds:
16 |     strategy:
17 |       matrix:
18 |         os: [macos-latest, windows-2022]
19 |     runs-on: ${{ matrix.os }}
20 |     steps:
21 |       - uses: actions/checkout@v4
22 | 
23 |       - name: Build ${{ matrix.os }} Prebuild
24 |         run: node .github/scripts/build.mjs
25 | 
26 |       - id: upload
27 |         name: Upload prebuild
28 |         uses: actions/upload-artifact@v4
29 |         with:
30 |           name: build-${{ matrix.os }}
31 |           path: prebuilds/
32 |           if-no-files-found: 'error'
33 |           retention-days: 1
34 |           compression-level: 0
35 | 
36 |   container_builds:
37 |     outputs:
38 |       artifact_id: ${{ steps.upload.outputs.artifact-id }}
39 |     runs-on: ubuntu-latest
40 |     strategy:
41 |       matrix:
42 |         linux_arch: [s390x, arm64, amd64]
43 |     steps:
44 |       - uses: actions/checkout@v4
45 | 
46 |       - name: Set up QEMU
47 |         uses: docker/setup-qemu-action@v3
48 | 
49 |       - name: Set up Docker Buildx
50 |         uses: docker/setup-buildx-action@v3
51 | 
52 |       - name: Run Buildx
53 |         run: |
54 |           docker buildx create --name builder --bootstrap --use
55 |           docker buildx build --platform linux/${{ matrix.linux_arch }} --build-arg NODE_ARCH=${{ matrix.linux_arch == 'amd64' && 'x64' || matrix.linux_arch }} --output type=local,dest=./prebuilds,platform-split=false -f ./.github/docker/Dockerfile.glibc .
56 | 
57 |       - id: upload
58 |         name: Upload prebuild
59 |         uses: actions/upload-artifact@v4
60 |         with:
61 |           name: build-linux-${{ matrix.linux_arch }}
62 |           path: prebuilds/
63 |           if-no-files-found: 'error'
64 |           retention-days: 1
65 |           compression-level: 0
66 | 


--------------------------------------------------------------------------------
/.github/workflows/codeql.yml:
--------------------------------------------------------------------------------
 1 | name: "CodeQL"
 2 | 
 3 | on:
 4 |   push:
 5 |     branches: [ "main" ]
 6 |   pull_request:
 7 |     branches: [ "main" ]
 8 | 
 9 | jobs:
10 |   analyze:
11 |     name: Analyze (${{ matrix.language }})
12 |     runs-on: 'ubuntu-latest'
13 |     timeout-minutes: 360
14 |     permissions:
15 |       # required for all workflows
16 |       security-events: write
17 | 
18 |       # required to fetch internal or private CodeQL packs
19 |       packages: read
20 | 
21 |       # only required for workflows in private repositories
22 |       actions: read
23 |       contents: read
24 | 
25 |     strategy:
26 |       fail-fast: false
27 |       matrix:
28 |         include:
29 |           - language: 'c-cpp'
30 |             build-mode: 'manual'
31 |             sourceDirectory: './src'
32 |           - language: 'javascript-typescript'
33 |             build-mode: 'none'
34 |             sourceDirectory: "./lib"
35 |     steps:
36 |     - name: Checkout repository
37 |       uses: actions/checkout@v4
38 | 
39 |     # Initializes the CodeQL tools for scanning.
40 |     - name: Initialize CodeQL
41 |       uses: github/codeql-action/init@v3
42 |       with:
43 |         languages: ${{ matrix.language }}
44 |         build-mode: ${{ matrix.build-mode }}
45 |         source-root: ${{ matrix.sourceDirectory }}
46 | 
47 |     - if: matrix.build-mode == 'manual'
48 |       shell: bash
49 |       run: |
50 |         sudo apt-get update
51 |         sudo apt-get install libkrb5-dev
52 |         npm install
53 |         npm run prebuild
54 | 
55 |     - name: Perform CodeQL Analysis
56 |       uses: github/codeql-action/analyze@v3
57 |       with:
58 |         category: "/language:${{matrix.language}}"
59 | 


--------------------------------------------------------------------------------
/.github/workflows/release.yml:
--------------------------------------------------------------------------------
  1 | on:
  2 |   push:
  3 |     branches: [main]
  4 |   workflow_dispatch: {}
  5 | 
  6 | permissions:
  7 |   contents: write
  8 |   pull-requests: write
  9 |   id-token: write
 10 | 
 11 | name: release-latest
 12 | 
 13 | jobs:
 14 |   release_please:
 15 |     runs-on: ubuntu-latest
 16 |     outputs:
 17 |       release_created: ${{ steps.release.outputs.release_created }}
 18 |     steps:
 19 |       - id: release
 20 |         uses: googleapis/release-please-action@v4
 21 |         with:
 22 |           target-branch: main
 23 | 
 24 |   build:
 25 |     needs: [release_please]
 26 |     name: "Perform any build or bundling steps, as necessary."
 27 |     uses: ./.github/workflows/build.yml
 28 | 
 29 |   ssdlc:
 30 |     needs: [release_please, build]
 31 |     permissions:
 32 |       # required for all workflows
 33 |       security-events: write
 34 |       id-token: write
 35 |       contents: write
 36 |     environment: release
 37 |     runs-on: ubuntu-latest
 38 |     steps:
 39 |       - uses: actions/checkout@v4
 40 | 
 41 |       - name: Install Node and dependencies
 42 |         uses: mongodb-labs/drivers-github-tools/node/setup@v2
 43 |         with:
 44 |           ignore_install_scripts: true
 45 | 
 46 |       - name: Load version and package info
 47 |         uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2
 48 |         with:
 49 |           npm_package_name: kerberos
 50 | 
 51 |       - name: actions/compress_sign_and_upload
 52 |         uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v2
 53 |         with:
 54 |           aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
 55 |           aws_region_name: us-east-1
 56 |           aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
 57 |           npm_package_name: kerberos
 58 |           dry_run: ${{ needs.release_please.outputs.release_created == '' }}
 59 |           sign_native: true
 60 | 
 61 |       - name: Copy sbom file to release assets
 62 |         shell: bash
 63 |         if: ${{ '' == '' }}
 64 |         run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json
 65 | 
 66 |       # only used for mongodb-client-encryption
 67 |       - name: Augment SBOM and copy to release assets
 68 |         if: ${{ '' != '' }}
 69 |         uses: mongodb-labs/drivers-github-tools/sbom@v2
 70 |         with:
 71 |           silk_asset_group: ''
 72 |           sbom_file_name: sbom.json
 73 | 
 74 |       - name: Generate authorized pub report
 75 |         uses: mongodb-labs/drivers-github-tools/full-report@v2
 76 |         with:
 77 |           release_version: ${{ env.package_version }}
 78 |           product_name: kerberos
 79 |           sarif_report_target_ref: main
 80 |           third_party_dependency_tool: n/a
 81 |           dist_filenames: artifacts/*
 82 |           token: ${{ github.token }}
 83 |           sbom_file_name: sbom.json
 84 | 
 85 |       - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
 86 |         with:
 87 |           version: ${{ env.package_version }}
 88 |           product_name: kerberos
 89 |           dry_run: ${{ needs.release_please.outputs.release_created == '' }}
 90 | 
 91 |   publish:
 92 |     needs: [release_please, ssdlc, build]
 93 |     environment: release
 94 |     runs-on: ubuntu-latest
 95 |     steps:
 96 |       - uses: actions/checkout@v4
 97 | 
 98 |       - name: Install Node and dependencies
 99 |         uses: mongodb-labs/drivers-github-tools/node/setup@v2
100 |         with:
101 |           ignore_install_scripts: true
102 | 
103 |       - run: npm publish --provenance
104 |         if: ${{ needs.release_please.outputs.release_created }}
105 |         env:
106 |           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
107 | 


--------------------------------------------------------------------------------
/.github/workflows/release_notes.yml:
--------------------------------------------------------------------------------
 1 | name: release_notes
 2 | 
 3 | on:
 4 |   workflow_dispatch:
 5 |     inputs:
 6 |       releasePr:
 7 |         description: 'Enter release PR number'
 8 |         required: true
 9 |         type: number
10 |   issue_comment:
11 |     types: [created]
12 | 
13 | permissions:
14 |   contents: write
15 |   pull-requests: write
16 | 
17 | jobs:
18 |   release_notes:
19 |     runs-on: ubuntu-latest
20 |     # Run only if dispatched or comment on a pull request
21 |     if: ${{ github.event_name == 'workflow_dispatch' || (github.event_name == 'issue_comment' && github.event.issue.pull_request && github.event.comment.body == 'run release_notes') }}
22 |     steps:
23 |       # Determine if the triggering_actor is allowed to run this action
24 |       # We only permit maintainers
25 |       # Not only is 'triggering_actor' common between the trigger events it will also change if someone re-runs an old job
26 |       - name: check if triggering_actor is allowed to generate notes
27 |         env:
28 |           GITHUB_TOKEN: ${{ github.token }}
29 |           COMMENTER: ${{ github.triggering_actor && github.triggering_actor || 'empty_triggering_actor' }}
30 |           API_ENDPOINT: /repos/${{ github.repository }}/collaborators?permission=maintain
31 |         shell: bash
32 |         run: |
33 |           if [ $COMMENTER = "empty_triggering_actor" ]; then exit 1; fi
34 |           set -o pipefail
35 |           if gh api "$API_ENDPOINT" --paginate --jq ".[].login" | grep -q "^$COMMENTER\$"; then
36 |             echo "$COMMENTER permitted to trigger notes!" && exit 0
37 |           else
38 |             echo "$COMMENTER not permitted to trigger notes" && exit 1
39 |           fi
40 | 
41 |       # checkout the HEAD ref from prNumber
42 |       - uses: actions/checkout@v4
43 |         with:
44 |           ref: refs/pull/${{ github.event_name == 'issue_comment' && github.event.issue.number || inputs.releasePr }}/head
45 | 
46 | 
47 |       - name: Install Node and dependencies
48 |         uses: mongodb-labs/drivers-github-tools/node/setup@v2
49 |         with:
50 |           ignore_install_scripts: true
51 | 
52 |       # See: https://github.com/googleapis/release-please/issues/1274
53 | 
54 |       # Get the PRs that are in this release
55 |       # Outputs a list of comma seperated PR numbers, parsed from HISTORY.md
56 |       - id: pr_list
57 |         run: node .github/scripts/pr_list.mjs
58 |         env:
59 |           GITHUB_TOKEN: ${{ github.token }}
60 | 
61 |       # From the list of PRs, gather the highlight sections of the PR body
62 |       # output JSON with "highlights" key (to preserve newlines)
63 |       - id: highlights
64 |         run: node .github/scripts/highlights.mjs
65 |         env:
66 |           GITHUB_TOKEN: ${{ github.token }}
67 |           PR_LIST: ${{ steps.pr_list.outputs.pr_list }}
68 |           REPOSITORY: ${{ github.repository }}
69 | 
70 |       # The combined output is available
71 |       - id: release_notes
72 |         run: node .github/scripts/release_notes.mjs
73 |         env:
74 |           GITHUB_TOKEN: ${{ github.token }}
75 |           HIGHLIGHTS: ${{ steps.highlights.outputs.highlights }}
76 | 
77 |       # Update the release PR body
78 |       - run: gh pr edit ${{ github.event_name == 'issue_comment' && github.event.issue.number || inputs.releasePr }} --body-file ${{ steps.release_notes.outputs.release_notes_path }}
79 |         shell: bash
80 |         env:
81 |           GITHUB_TOKEN: ${{ github.token }}
82 | 


--------------------------------------------------------------------------------
/.github/workflows/webpack.yml:
--------------------------------------------------------------------------------
 1 | name: Webpack
 2 | 
 3 | on:
 4 |   push:
 5 |     branches: [ "main" ]
 6 |   pull_request:
 7 |     branches: [ "main" ]
 8 | 
 9 | jobs:
10 |   build:
11 |     runs-on: ubuntu-latest
12 | 
13 |     steps:
14 |     - uses: actions/checkout@v4
15 | 
16 |     - name: Use Node.js LTS
17 |       uses: actions/setup-node@v4
18 |       with:
19 |         node-version: 'lts/*'
20 | 
21 |     - name: "Install dependencies"
22 |       shell: bash
23 |       run: |
24 |         npm install
25 | 
26 |     - name: "Install dependencies in the Webpack bundle test package"
27 |       shell: bash
28 |       working-directory: ./test/bundling/webpack
29 |       run: |
30 |         npm install
31 | 
32 |     - name: "Install local kerberos into Webpack bundle test package"
33 |       shell: bash
34 |       working-directory: ./test/bundling/webpack
35 |       run: |
36 |         npm run install:kerberos
37 | 
38 |     - name: "Run webpack build"
39 |       shell: bash
40 |       working-directory: ./test/bundling/webpack
41 |       run: |
42 |         npm run build


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | lib-cov
 2 | *.seed
 3 | *.log
 4 | *.csv
 5 | *.dat
 6 | *.out
 7 | *.pid
 8 | *.gz
 9 | .DS_Store
10 | 
11 | .vscode
12 | 
13 | pids
14 | logs
15 | results
16 | node_modules
17 | build
18 | 
19 | npm-debug.log
20 | 
21 | xunit.xml
22 | 
23 | bindings
24 | .npmrc
25 | 
26 | *.tgz
27 | 
28 | expansion.yml
29 | .drivers-tools/
30 | 


--------------------------------------------------------------------------------
/.mocharc.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "$schema": "https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/mocharc.json",
 3 |     "recursive": true,
 4 |     "failZero": true,
 5 |     "reporter": "test/tools/mongodb_reporter.js",
 6 |     "sort": true,
 7 |     "color": true,
 8 |     "require": [
 9 |       "test/tools/hooks/environment_hook.js"
10 |     ]
11 |   }
12 | 


--------------------------------------------------------------------------------
/.npmignore:
--------------------------------------------------------------------------------
 1 | .npmignore
 2 | .gitignore
 3 | .buildinfo
 4 | .DS_Store
 5 | 
 6 | HISTORY
 7 | Readme.md
 8 | TODO
 9 | 
10 | *.log
11 | 
12 | docs/
13 | docs/sphinx-docs
14 | data/
15 | dev/
16 | examples/
17 | test/
18 | 
19 | build/
20 | node_modules/
21 | 


--------------------------------------------------------------------------------
/.prettierrc.json:
--------------------------------------------------------------------------------
1 | {
2 |   "singleQuote": true,
3 |   "tabWidth": 2,
4 |   "printWidth": 100,
5 |   "arrowParens": "avoid",
6 |   "trailingComma": "none"
7 | }
8 | 


--------------------------------------------------------------------------------
/.release-please-manifest.json:
--------------------------------------------------------------------------------
1 | {
2 |   ".": "2.2.2"
3 | }
4 | 


--------------------------------------------------------------------------------
/HISTORY.md:
--------------------------------------------------------------------------------
  1 | # Changelog
  2 | 
  3 | All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
  4 | 
  5 | ## [2.2.2](https://github.com/mongodb-js/kerberos/compare/v2.2.1...v2.2.2) (2025-02-10)
  6 | 
  7 | 
  8 | ### Bug Fixes
  9 | 
 10 | * **NODE-6732:** test and fix webpack bundling  ([#230](https://github.com/mongodb-js/kerberos/issues/230)) ([81bf1a7](https://github.com/mongodb-js/kerberos/commit/81bf1a7a091016769abbf23d4828d28483380bc7))
 11 | 
 12 | ## [2.2.1](https://github.com/mongodb-js/kerberos/compare/v2.2.0...v2.2.1) (2024-12-10)
 13 | 
 14 | 
 15 | ### Bug Fixes
 16 | 
 17 | * **NODE-6592:** remove dependency on `bindings` ([#220](https://github.com/mongodb-js/kerberos/issues/220)) ([b07a5d2](https://github.com/mongodb-js/kerberos/commit/b07a5d21a219a06303d7be9ad9577d2ffe3aa7c4))
 18 | 
 19 | ## [2.2.0](https://github.com/mongodb-js/kerberos/compare/v2.1.2...v2.2.0) (2024-09-05)
 20 | 
 21 | 
 22 | ### Features
 23 | 
 24 | * **NODE-6333:** Allow callers to specify the 'protect' flag ([#198](https://github.com/mongodb-js/kerberos/issues/198)) ([515f4bf](https://github.com/mongodb-js/kerberos/commit/515f4bfa9ed2f98be2670143d34b2e1356eb7089))
 25 | 
 26 | ## [2.1.2](https://github.com/mongodb-js/kerberos/compare/v2.1.1...v2.1.2) (2024-08-12)
 27 | 
 28 | 
 29 | ### Bug Fixes
 30 | 
 31 | * **NODE-6320:** macos runtime linking name conflict with SSL ([#193](https://github.com/mongodb-js/kerberos/issues/193)) ([d382b56](https://github.com/mongodb-js/kerberos/commit/d382b56f2e55dab25a003c416925ba2967761a72))
 32 | 
 33 | ## [2.1.1](https://github.com/mongodb-js/kerberos/compare/v2.1.1...v2.1.0) (2024-08-06)
 34 | 
 35 | 
 36 | ### Bug Fixes
 37 | 
 38 | * **MONGOSH-1808:** only build universal macos binaries when creating loadable_library ([#186](https://github.com/mongodb-js/kerberos/issues/186)) ([ec3ab7a](https://github.com/mongodb-js/kerberos/commit/ec3ab7a34ea2de587c4a19cb8aad760e793564fc))
 39 | * **NODE-6253:** use runtime linking against system kerberos libraries by default ([#188](https://github.com/mongodb-js/kerberos/issues/188)) ([04044d2](https://github.com/mongodb-js/kerberos/commit/04044d2814ad1d01e77f1ce87f26b03d86692cf2))
 40 | * **NODE-6265:** add Spectre Mitigation and CFG ([#190](https://github.com/mongodb-js/kerberos/issues/190)) ([54b9799](https://github.com/mongodb-js/kerberos/commit/54b97991deaaa04e87e4f3704b0dfcdcdd098a4b))
 41 | * **NODE-6108:** allow building from source on latest Node.js 20.x ([#172](https://github.com/mongodb-js/kerberos/issues/172)) ([c1f7aca](https://github.com/mongodb-js/kerberos/commit/c1f7acafb211d1b449086433578495d4ae0b869f))
 42 | 
 43 | ## [2.1.1-alpha.0](https://github.com/mongodb-js/kerberos/compare/v2.1.1-alpha.0...v2.1.0) (2024-06-28)
 44 | 
 45 | 
 46 | ### Bug Fixes
 47 | 
 48 | * release versioning ([#184](https://github.com/mongodb-js/kerberos/issues/184)) ([a39dfcb](https://github.com/mongodb-js/kerberos/commit/a39dfcb35819ea83642505788e75d91e7f527ca3))
 49 | 
 50 | 
 51 | ## [2.1.0](https://github.com/mongodb-js/kerberos/compare/v2.0.3...v2.1.0) (2023-11-21)
 52 | 
 53 | 
 54 | ### Features
 55 | 
 56 | * **NODE-5746:** allow runtime linking against system kerberos library ([#165](https://github.com/mongodb-js/kerberos/issues/165)) ([ce2feb3](https://github.com/mongodb-js/kerberos/commit/ce2feb3fa100b8bb3fdff502f6444ab331619108))
 57 | 
 58 | ### [2.0.3](https://github.com/mongodb-js/kerberos/compare/v2.0.2...v2.0.3) (2023-09-01)
 59 | 
 60 | 
 61 | ### Bug Fixes
 62 | 
 63 | * **NODE-5600:** use ubuntu 18 to build and publish ([#162](https://github.com/mongodb-js/kerberos/issues/162)) ([c02db0e](https://github.com/mongodb-js/kerberos/commit/c02db0e1f1a9618bb705782771535feb162d1923))
 64 | 
 65 | ### [2.0.2](https://github.com/mongodb-js/kerberos/compare/v2.0.1...v2.0.2) (2023-08-28)
 66 | 
 67 | 
 68 | ### Features
 69 | 
 70 | * **NODE-5505:** add compiler warnings and cast lengths ([#158](https://github.com/mongodb-js/kerberos/issues/158)) ([1e73b98](https://github.com/mongodb-js/kerberos/commit/1e73b98340d244e7c409afa6d293be43ed89080b))
 71 | 
 72 | ### [2.0.1](https://github.com/mongodb-js/kerberos/compare/v2.0.0...v2.0.1) (2022-07-14)
 73 | 
 74 | 
 75 | ### Bug Fixes
 76 | 
 77 | * **NODE-4297:** bump prebuild install to 7.1.1 ([#145](https://github.com/mongodb-js/kerberos/issues/145)) ([142842f](https://github.com/mongodb-js/kerberos/commit/142842fae048e873caac5c83fda43c6b5b45280e))
 78 | 
 79 | ## [2.0.0](https://github.com/mongodb-js/kerberos/compare/v2.0.0-beta.0...v2.0.0) (2022-02-22)
 80 | 
 81 | 
 82 | ### ⚠ BREAKING CHANGES
 83 | 
 84 | * **NODE-3848:** update dependencies (#142)
 85 | 
 86 | ### Bug Fixes
 87 | 
 88 | * **NODE-3982:** only pass username to SSPI if password is set ([#141](https://github.com/mongodb-js/kerberos/issues/141)) ([2d307a3](https://github.com/mongodb-js/kerberos/commit/2d307a3131e546d046b865e6c1d0a256f7612e0d))
 89 | 
 90 | 
 91 | * **NODE-3848:** update dependencies ([#142](https://github.com/mongodb-js/kerberos/issues/142)) ([8c06728](https://github.com/mongodb-js/kerberos/commit/8c067286add33a2b56aeaf10e41f0409c5fe1d5b))
 92 | 
 93 | ## [2.0.0-beta.0](https://github.com/mongodb-js/kerberos/compare/v1.1.7...v2.0.0-beta.0) (2021-10-06)
 94 | 
 95 | 
 96 | ### ⚠ BREAKING CHANGES
 97 | 
 98 | * **NODE-3472:** convert to Node-API (#137)
 99 | 
100 | ### Features
101 | 
102 | * **NODE-3472:** convert to Node-API ([#137](https://github.com/mongodb-js/kerberos/issues/137)) ([f9481a4](https://github.com/mongodb-js/kerberos/commit/f9481a42877c604f8aac961536fc5674ce8baa6c))
103 | 
104 | ### [1.1.7](https://github.com/mongodb-js/kerberos/compare/v1.1.5...v1.1.7) (2021-07-20)
105 | 
106 | 
107 | ### Bug Fixes
108 | 
109 | * **NODE-2129:** fix sporadic AcquireCredentialsHandle error ([#133](https://github.com/mongodb-js/kerberos/issues/133)) ([adf8346](https://github.com/mongodb-js/kerberos/commit/adf834665d7b927778669c1197d53d6f4ed6e797))
110 | * **NODE-3350:** do not export Init function symbol ([#130](https://github.com/mongodb-js/kerberos/issues/130)) ([acdd746](https://github.com/mongodb-js/kerberos/commit/acdd7466c131494e9a2ca36eb9ad64ecda2d1366))
111 | 
112 | <a name="1.1.6"></a>
113 | ## [1.1.6](https://github.com/mongodb-js/kerberos/compare/v1.1.5...v1.1.6) (2021-07-20)
114 | 
115 | 
116 | ### Bug Fixes
117 | 
118 | * **NODE-2129:** fix sporadic AcquireCredentialsHandle error ([#133](https://github.com/mongodb-js/kerberos/issues/133)) ([adf8346](https://github.com/mongodb-js/kerberos/commit/adf834665d7b927778669c1197d53d6f4ed6e797))
119 | * **NODE-3350:** do not export Init function symbol ([#130](https://github.com/mongodb-js/kerberos/issues/130)) ([acdd746](https://github.com/mongodb-js/kerberos/commit/acdd7466c131494e9a2ca36eb9ad64ecda2d1366))
120 | 
121 | 
122 | <a name="1.1.5"></a>
123 | ## [1.1.5](https://github.com/mongodb-js/kerberos/compare/v1.1.4...v1.1.5) (2021-04-06)
124 | 
125 | 
126 | ### Bug Fixes
127 | 
128 | * temporarily roll back node-abi until lgeiger/node-abi/[#90](https://github.com/mongodb-js/kerberos/issues/90) is resolved ([880ae2e](https://github.com/mongodb-js/kerberos/commit/880ae2eee6a8fe565ab627717d1d81ae85896abf))
129 | * **build:** make addon buildable as static library ([#119](https://github.com/mongodb-js/kerberos/issues/119)) ([786e7d8](https://github.com/mongodb-js/kerberos/commit/786e7d83672ad5ff2718c9a440dbd180f8e7b24a))
130 | 
131 | <a name="1.1.4"></a>
132 | ## [1.1.4](https://github.com/mongodb-js/kerberos/compare/v1.1.3...v1.1.4) (2020-10-13)
133 | 
134 | 
135 | 
136 | <a name="1.1.3"></a>
137 | ## [1.1.3](https://github.com/mongodb-js/kerberos/compare/v1.2.0...v1.1.3) (2019-08-27)
138 | 
139 | 
140 | ### Bug Fixes
141 | 
142 | * add support for node 12 ([ae6755d](https://github.com/mongodb-js/kerberos/commit/ae6755d))
143 | 
144 | 
145 | 
146 | <a name="1.1.2"></a>
147 | ## [1.1.2](https://github.com/mongodb-js/kerberos/compare/v1.1.1...v1.1.2) (2018-11-01)
148 | 
149 | 
150 | ### Bug Fixes
151 | 
152 | * **auth-process:** only send username/password if provided ([334ca9c](https://github.com/mongodb-js/kerberos/commit/334ca9c))
153 | * **auth-process:** use canonicalized hostname in client init ([b1802d1](https://github.com/mongodb-js/kerberos/commit/b1802d1))
154 | 
155 | 
156 | 
157 | <a name="1.1.1"></a>
158 | ## [1.1.1](https://github.com/mongodb-js/kerberos/compare/v1.1.0...v1.1.1) (2018-10-30)
159 | 
160 | 
161 | ### Bug Fixes
162 | 
163 | * **sspi:** only add password and domain if they are provided ([bc48814](https://github.com/mongodb-js/kerberos/commit/bc48814))
164 | 
165 | 
166 | 
167 | <a name="1.1.0"></a>
168 | # [1.1.0](https://github.com/mongodb-js/kerberos/compare/v1.0.0...v1.1.0) (2018-10-26)
169 | 
170 | 
171 | ### Bug Fixes
172 | 
173 | * **sspi:** correct invalid null checks for user data ([163bdb9](https://github.com/mongodb-js/kerberos/commit/163bdb9))
174 | 
175 | 
176 | ### Features
177 | 
178 | * **package:** export the package version ([5be618f](https://github.com/mongodb-js/kerberos/commit/5be618f))
179 | 
180 | <a name="1.0.0"></a>
181 | # [1.0.0](https://github.com/christkv/kerberos/compare/v0.0.24...v1.0.0) (2018-08-15)
182 | 
183 | 
184 | ### Bug Fixes
185 | 
186 | * **check-password:** correctly validate parameters, fix test ([b772dde](https://github.com/christkv/kerberos/commit/b772dde))
187 | * **common:** ensure nan is being included everywhere appropriately ([7bddb24](https://github.com/christkv/kerberos/commit/7bddb24))
188 | * **context:** add `NewInstance` methods, and make getters safer ([fd4b852](https://github.com/christkv/kerberos/commit/fd4b852))
189 | * **gss:** fix issue with memory corruption ([ff4167e](https://github.com/christkv/kerberos/commit/ff4167e))
190 | * **kerberos:** provide default gss flags ([b365934](https://github.com/christkv/kerberos/commit/b365934))
191 | * **legacy:** support legacy import expectations ([615b23f](https://github.com/christkv/kerberos/commit/615b23f))
192 | * **response:** ensure null or client/server response is returned ([083518f](https://github.com/christkv/kerberos/commit/083518f))
193 | * **server:** use the correct internal method name for server init ([8c8dd35](https://github.com/christkv/kerberos/commit/8c8dd35))
194 | * **this:** use the correct reference to `this` for object unwrapping ([1acfb20](https://github.com/christkv/kerberos/commit/1acfb20))
195 | * **unique_ptr:** ensure we include <memory> where required ([e3d9afb](https://github.com/christkv/kerberos/commit/e3d9afb))
196 | * **warnings:** set clang compiler pragmas only when clang is detected ([048479d](https://github.com/christkv/kerberos/commit/048479d))
197 | * **win32:** `windows` -> `win32` in bindings.gyp ([0221c06](https://github.com/christkv/kerberos/commit/0221c06))
198 | * **win32:** cleanup client state in addon destructor ([5394561](https://github.com/christkv/kerberos/commit/5394561))
199 | * **win32:** initialize with a domain, if one is provided ([309ba61](https://github.com/christkv/kerberos/commit/309ba61))
200 | 
201 | 
202 | ### Features
203 | 
204 | * **async-worker:** introduce a `KerberosWorker` using lambdas ([1239ef7](https://github.com/christkv/kerberos/commit/1239ef7))
205 | * **checkPassword:** add implementation for checking krb5 passwords ([60f476e](https://github.com/christkv/kerberos/commit/60f476e))
206 | * **clean:** provide implementations for the clean methods ([77a77ce](https://github.com/christkv/kerberos/commit/77a77ce))
207 | * **client:** add final wrap/unwrap api endpoints ([016222f](https://github.com/christkv/kerberos/commit/016222f))
208 | * **client:** add implementation for client wrap/unwrap to win32 ([994604c](https://github.com/christkv/kerberos/commit/994604c))
209 | * **gss:** add `new` methods for constructing state tracking types ([274cad6](https://github.com/christkv/kerberos/commit/274cad6))
210 | * **jsdoc2md:** add jsdoc2md support, and README template ([60e1ee5](https://github.com/christkv/kerberos/commit/60e1ee5))
211 | * **kerberos:** add getters to check for context completeness ([6a9a01d](https://github.com/christkv/kerberos/commit/6a9a01d))
212 | * **kerberos:** implement client/server init, move to worker file ([1c857ea](https://github.com/christkv/kerberos/commit/1c857ea))
213 | * **kerberos:** return value for `step` is the challenge response ([e153d24](https://github.com/christkv/kerberos/commit/e153d24))
214 | * **promises:** allow to access all API by promise or callback ([3b77430](https://github.com/christkv/kerberos/commit/3b77430))
215 | * **serverPrincipalDetails:** add server pricipal details method ([385fcd1](https://github.com/christkv/kerberos/commit/385fcd1))
216 | * **src:** begin to develop the new version of the module in `src` ([f45da50](https://github.com/christkv/kerberos/commit/f45da50))
217 | * **sspi:** introduce client initialization for SSPI ([6a40301](https://github.com/christkv/kerberos/commit/6a40301))
218 | * **sspi:** provide implementation for `initializeClient` ([5943f1c](https://github.com/christkv/kerberos/commit/5943f1c))
219 | * **step:** implement client and server step methods ([5a4327c](https://github.com/christkv/kerberos/commit/5a4327c))
220 | 
221 | 
222 | 0.0.23 07-03-2017
223 | -----------------
224 | - SSPI implemented missing _sspi_FreeCredentialsHandle to correctly cleanup credentials allocation on call to destructor of the C++ instance.
225 | - Updated nan.h dependency to 2.5.x series for Node 7.6.x or higher.
226 | 
227 | 0.0.22 10-11-2016
228 | -----------------
229 | - Updated nan.h dependency to 2.4.x series for Node 6.8.x or higher.
230 | - The length calculations are off by one meaning it impossible to not set the password (Issue #54, http://www.github.com/tlbdk).
231 | 
232 | 0.0.21 04-28-2016
233 | -----------------
234 | - Updated nan.h dependency to 2.3.x series for Node 6.0.
235 | 
236 | 0.0.20 04-26-2016
237 | -----------------
238 | - Updated nan.h dependency to 2.2.x series.
239 | - Fixed minor compilation warnings due to v8 C++ ABI changes.
240 | 
241 | 0.0.19 03-07-2016
242 | -----------------
243 | - Fix installation error (Issue #1).
244 | - Allow passing down off CANONICALIZE_HOST_NAME and SERVICE_REALM options.
245 | 
246 | 0.0.18 01-19-2016
247 | -----------------
248 | - remove builderror.log.
249 | 
250 | 0.0.17 10-30-2015
251 | -----------------
252 | - Reverted changes in package.json from 0.0.16.
253 | 
254 | 0.0.16 10-26-2015
255 | -----------------
256 | - Removed (exit 0) on build to let correct failure happen.
257 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "[]"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright [yyyy] [name of copyright owner]
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | Kerberos
  2 | ========
  3 | The `kerberos` package is a C++ extension for Node.js that provides cross-platform support for kerberos authentication using GSSAPI on linux/osx, and SSPI on windows. Much of the code in this module is adapted from [ccs-kerberos](https://github.com/apple/ccs-pykerberos) and [winkerberos](https://github.com/mongodb-labs/winkerberos).
  4 | 
  5 | ### Requirements
  6 | 
  7 | **Linux**
  8 | - `python` v2.7
  9 | - `make`
 10 | - A proper C/C++ compiler toolchain, like [GCC](https://gcc.gnu.org/)
 11 | - Distribution-specific kerberos packages (e.g. `krb5-dev` on Ubuntu)
 12 | 
 13 | **macOS**
 14 | - `Xcode Command Line Tools`: Can be installed with `xcode-select --install`
 15 | - Distribution-specific kerberos packages (e.g. `krb5` on Homebrew)
 16 | 
 17 | **Windows**
 18 | - **Option 1:** Install all the required tools and configurations using Microsoft's [windows-build-tools](https://github.com/felixrieseberg/windows-build-tools) by running `npm install -g windows-build-tools` from an elevated PowerShell (run as Administrator).
 19 | - **Option 2:** Install dependencies and configuration manually
 20 |    1. Visual C++ Build Environment:
 21 |      * **Option 1:** Install [Visual C++ Build Tools](http://go.microsoft.com/fwlink/?LinkId=691126) using the *Default Install* option.
 22 |      * **Option 2:** Install [Visual Studio 2015](https://www.visualstudio.com/products/visual-studio-community-vs) (or modify an existing installation) and select *Common Tools for Visual C++* during setup.
 23 | 
 24 |   > :bulb: [Windows Vista / 7 only] requires [.NET Framework 4.5.1](http://www.microsoft.com/en-us/download/details.aspx?id=40773)
 25 | 
 26 |   2. Install [Python 2.7](https://www.python.org/downloads/) or [Miniconda 2.7](http://conda.pydata.org/miniconda.html) (`v3.x.x` is not supported), and run `npm config set python python2.7`
 27 |   3. Launch cmd, `npm config set msvs_version 2015`
 28 | 
 29 | ### MongoDB Node.js Driver Version Compatibility
 30 | 
 31 | Only the following version combinations with the [MongoDB Node.js Driver](https://github.com/mongodb/node-mongodb-native) are considered stable.
 32 | 
 33 | |               | `kerberos@1.x` | `kerberos@2.x` |
 34 | | ------------- | -------------- | -------------- |
 35 | | `mongodb@6.x` | N/A            | ✓              |
 36 | | `mongodb@5.x` | ✓              | ✓              |
 37 | | `mongodb@4.x` | ✓              | ✓              |
 38 | | `mongodb@3.x` | ✓              | N/A            |
 39 | 
 40 | ### Installation
 41 | 
 42 | Now you can install `kerberos` with the following:
 43 | 
 44 | ```bash
 45 | npm install kerberos
 46 | ```
 47 | 
 48 | #### Prebuild Platforms
 49 | 
 50 | Below are the platforms that are available as prebuilds on each github release.
 51 | `prebuild-install` downloads these automatically depending on the platform you are running npm install on.
 52 | 
 53 | - Linux GLIBC 2.23 or later
 54 |     - s390x
 55 |     - arm64
 56 |     - x64
 57 | - MacOS universal binary
 58 |     - x64
 59 |     - arm64
 60 | - Windows
 61 |     - x64
 62 | 
 63 | ### Release Integrity
 64 | 
 65 | Releases are created automatically and signed using the [Node team's GPG key](https://pgp.mongodb.com/node-driver.asc). This applies to the git tag as well as all release packages provided as part of a GitHub release. To verify the provided packages, download the key and import it using gpg:
 66 | 
 67 | ```
 68 | gpg --import node-driver.asc
 69 | ```
 70 | 
 71 | The GitHub release contains a detached signature file for the NPM package (named
 72 | `kerberos-X.Y.Z.tgz.sig`).
 73 | 
 74 | The following command returns the link npm package. 
 75 | ```shell
 76 | npm view kerberos@vX.Y.Z dist.tarball 
 77 | ```
 78 | 
 79 | Using the result of the above command, a `curl` command can return the official npm package for the release.
 80 | 
 81 | To verify the integrity of the downloaded package, run the following command:
 82 | ```shell
 83 | gpg --verify kerberos-X.Y.Z.tgz.sig kerberos-X.Y.Z.tgz
 84 | ```
 85 | 
 86 | >[!Note]
 87 | No verification is done when using npm to install the package. To ensure release integrity when using npm, download the tarball manually from the GitHub release, verify the signature, then install the package from the downloaded tarball using npm install mongodb-X.Y.Z.tgz.
 88 | 
 89 | To verify the native `.node` packages, follow the same steps as above. 
 90 | 
 91 | ### Testing
 92 | 
 93 | Run the test suite using:
 94 | 
 95 | ```bash
 96 | docker run -i -v PATH_TO_KERBEROS_REPO:/app -w /app -e PROJECT_DIRECTORY=/app ubuntu:20.04 /bin/bash /app/.evergreen/run-tests-ubuntu.sh
 97 | ```
 98 | 
 99 | NOTE: The test suite requires an active kerberos deployment.
100 | 
101 | # Documentation
102 | 
103 | ## Classes
104 | 
105 | <dl>
106 | <dt><a href="#KerberosClient">KerberosClient</a></dt>
107 | <dd></dd>
108 | <dt><a href="#KerberosServer">KerberosServer</a></dt>
109 | <dd></dd>
110 | </dl>
111 | 
112 | ## Functions
113 | 
114 | <dl>
115 | <dt><a href="#checkPassword">checkPassword(username, password, service, [defaultRealm], [callback])</a> ⇒ <code>Promise</code></dt>
116 | <dd><p>This function provides a simple way to verify that a user name and password
117 | match those normally used for Kerberos authentication.
118 | It does this by checking that the supplied user name and password can be
119 | used to get a ticket for the supplied service.
120 | If the user name does not contain a realm, then the default realm supplied
121 | is used.</p>
122 | <p>For this to work properly the Kerberos must be configured properly on this
123 | machine.
124 | That will likely mean ensuring that the edu.mit.Kerberos preference file
125 | has the correct realms and KDCs listed.</p>
126 | <p>IMPORTANT: This method is vulnerable to KDC spoofing attacks and it should
127 | only be used for testing. Do not use this in any production system - your
128 | security could be compromised if you do.</p>
129 | </dd>
130 | <dt><a href="#principalDetails">principalDetails(service, hostname, [callback])</a> ⇒ <code>Promise</code></dt>
131 | <dd><p>This function returns the service principal for the server given a service type and hostname.</p>
132 | <p>Details are looked up via the <code>/etc/keytab</code> file.</p>
133 | </dd>
134 | <dt><a href="#initializeClient">initializeClient(service, [options], [callback])</a> ⇒ <code>Promise</code></dt>
135 | <dd><p>Initializes a context for client-side authentication with the given service principal.</p>
136 | </dd>
137 | <dt><a href="#initializeServer">initializeServer(service, [callback])</a> ⇒ <code>Promise</code></dt>
138 | <dd><p>Initializes a context for server-side authentication with the given service principal.</p>
139 | </dd>
140 | </dl>
141 | 
142 | <a name="KerberosClient"></a>
143 | 
144 | ## KerberosClient
145 | **Properties**
146 | 
147 | | Name | Type | Description |
148 | | --- | --- | --- |
149 | | username | <code>string</code> | The username used for authentication |
150 | | response | <code>string</code> | The last response received during authentication steps |
151 | | responseConf | <code>string</code> | Indicates whether confidentiality was applied or not (GSSAPI only) |
152 | | contextComplete | <code>boolean</code> | Indicates that authentication has successfully completed or not |
153 | 
154 | 
155 | * [KerberosClient](#KerberosClient)
156 | 
157 |     * [.step(challenge, [callback])](#KerberosClient+step)
158 | 
159 |     * [.wrap(challenge, [options], [callback])](#KerberosClient+wrap)
160 | 
161 |     * [.unwrap(challenge, [callback])](#KerberosClient+unwrap)
162 | 
163 | 
164 | <a name="KerberosClient+step"></a>
165 | 
166 | ### *kerberosClient*.step(challenge, [callback])
167 | 
168 | | Param | Type | Description |
169 | | --- | --- | --- |
170 | | challenge | <code>string</code> | A string containing the base64-encoded server data (which may be empty for the first step) |
171 | | [callback] | <code>function</code> |  |
172 | 
173 | Processes a single kerberos client-side step using the supplied server challenge.
174 | 
175 | **Returns**: <code>Promise</code> - returns Promise if no callback passed  
176 | <a name="KerberosClient+wrap"></a>
177 | 
178 | ### *kerberosClient*.wrap(challenge, [options], [callback])
179 | 
180 | | Param | Type | Description |
181 | | --- | --- | --- |
182 | | challenge | <code>string</code> | The response returned after calling `unwrap` |
183 | | [options] | <code>object</code> | Optional settings |
184 | | [options.user] | <code>string</code> | The user to authorize |
185 | | [options.protect] | <code>boolean</code> | Indicates if the wrap should request message confidentiality |
186 | | [callback] | <code>function</code> |  |
187 | 
188 | Perform the client side kerberos wrap step.
189 | 
190 | **Returns**: <code>Promise</code> - returns Promise if no callback passed  
191 | <a name="KerberosClient+unwrap"></a>
192 | 
193 | ### *kerberosClient*.unwrap(challenge, [callback])
194 | 
195 | | Param | Type | Description |
196 | | --- | --- | --- |
197 | | challenge | <code>string</code> | A string containing the base64-encoded server data |
198 | | [callback] | <code>function</code> |  |
199 | 
200 | Perform the client side kerberos unwrap step
201 | 
202 | **Returns**: <code>Promise</code> - returns Promise if no callback passed  
203 | <a name="KerberosServer"></a>
204 | 
205 | ## KerberosServer
206 | **Properties**
207 | 
208 | | Name | Type | Description |
209 | | --- | --- | --- |
210 | | username | <code>string</code> | The username used for authentication |
211 | | response | <code>string</code> | The last response received during authentication steps |
212 | | targetName | <code>string</code> | The target used for authentication |
213 | | contextComplete | <code>boolean</code> | Indicates that authentication has successfully completed or not |
214 | 
215 | <a name="KerberosServer+step"></a>
216 | 
217 | ### *kerberosServer*.step(challenge, [callback])
218 | 
219 | | Param | Type | Description |
220 | | --- | --- | --- |
221 | | challenge | <code>string</code> | A string containing the base64-encoded client data |
222 | | [callback] | <code>function</code> |  |
223 | 
224 | Processes a single kerberos server-side step using the supplied client data.
225 | 
226 | **Returns**: <code>Promise</code> - returns Promise if no callback passed  
227 | <a name="checkPassword"></a>
228 | 
229 | ## checkPassword(username, password, service, [defaultRealm], [callback])
230 | 
231 | | Param | Type | Description |
232 | | --- | --- | --- |
233 | | username | <code>string</code> | The Kerberos user name. If no realm is supplied, then the `defaultRealm` will be used. |
234 | | password | <code>string</code> | The password for the user. |
235 | | service | <code>string</code> | The Kerberos service to check access for. |
236 | | [defaultRealm] | <code>string</code> | The default realm to use if one is not supplied in the user argument. |
237 | | [callback] | <code>function</code> |  |
238 | 
239 | This function provides a simple way to verify that a user name and password
240 | match those normally used for Kerberos authentication.
241 | It does this by checking that the supplied user name and password can be
242 | used to get a ticket for the supplied service.
243 | If the user name does not contain a realm, then the default realm supplied
244 | is used.
245 | 
246 | For this to work properly the Kerberos must be configured properly on this
247 | machine.
248 | That will likely mean ensuring that the edu.mit.Kerberos preference file
249 | has the correct realms and KDCs listed.
250 | 
251 | IMPORTANT: This method is vulnerable to KDC spoofing attacks and it should
252 | only be used for testing. Do not use this in any production system - your
253 | security could be compromised if you do.
254 | 
255 | **Returns**: <code>Promise</code> - returns Promise if no callback passed  
256 | <a name="principalDetails"></a>
257 | 
258 | ## principalDetails(service, hostname, [callback])
259 | 
260 | | Param | Type | Description |
261 | | --- | --- | --- |
262 | | service | <code>string</code> | The Kerberos service type for the server. |
263 | | hostname | <code>string</code> | The hostname of the server. |
264 | | [callback] | <code>function</code> |  |
265 | 
266 | This function returns the service principal for the server given a service type and hostname.
267 | 
268 | Details are looked up via the `/etc/keytab` file.
269 | 
270 | **Returns**: <code>Promise</code> - returns Promise if no callback passed  
271 | <a name="initializeClient"></a>
272 | 
273 | ## initializeClient(service, [options], [callback])
274 | 
275 | | Param | Type | Description |
276 | | --- | --- | --- |
277 | | service | <code>string</code> | A string containing the service principal in the form 'type@fqdn' (e.g. 'imap@mail.apple.com'). |
278 | | [options] | <code>object</code> | Optional settings |
279 | | [options.principal] | <code>string</code> | Optional string containing the client principal in the form 'user@realm' (e.g. 'jdoe@example.com'). |
280 | | [options.flags] | <code>number</code> | Optional integer used to set GSS flags. (e.g.  `GSS_C_DELEG_FLAG\|GSS_C_MUTUAL_FLAG\|GSS_C_SEQUENCE_FLAG` will allow for forwarding credentials to the remote host) |
281 | | [options.mechOID] | <code>number</code> | Optional GSS mech OID. Defaults to None (`GSS_C_NO_OID`). Other possible values are `GSS_MECH_OID_KRB5`, `GSS_MECH_OID_SPNEGO`. |
282 | | [callback] | <code>function</code> |  |
283 | 
284 | Initializes a context for client-side authentication with the given service principal.
285 | 
286 | **Returns**: <code>Promise</code> - returns Promise if no callback passed  
287 | <a name="initializeServer"></a>
288 | 
289 | ## initializeServer(service, [callback])
290 | 
291 | | Param | Type | Description |
292 | | --- | --- | --- |
293 | | service | <code>string</code> | A string containing the service principal in the form 'type@fqdn' (e.g. 'imap@mail.apple.com'). |
294 | | [callback] | <code>function</code> |  |
295 | 
296 | Initializes a context for server-side authentication with the given service principal.
297 | 
298 | **Returns**: <code>Promise</code> - returns Promise if no callback passed  
299 | 


--------------------------------------------------------------------------------
/binding.gyp:
--------------------------------------------------------------------------------
  1 | {
  2 |   'targets': [
  3 |     {
  4 |       'target_name': 'kerberos',
  5 |       'type': 'loadable_module',
  6 |       'include_dirs': [
  7 |         "<!(node -p \"require('node-addon-api').include_dir\")"
  8 |       ],
  9 |       'sources': [
 10 |         'src/kerberos.cc'
 11 |       ],
 12 |       'variables': {
 13 |         'ARCH': '<(host_arch)',
 14 |         'kerberos_use_rtld%': 'true'
 15 |       },
 16 |       'xcode_settings': {
 17 |         'GCC_ENABLE_CPP_EXCEPTIONS': 'YES',
 18 |         'CLANG_CXX_LIBRARY': 'libc++',
 19 |         'MACOSX_DEPLOYMENT_TARGET': '10.12',
 20 |         'GCC_SYMBOLS_PRIVATE_EXTERN': 'YES', # -fvisibility=hidden
 21 |       },
 22 |       'cflags!': [ '-fno-exceptions' ],
 23 |       'cflags_cc!': [ '-fno-exceptions' ],
 24 |       'msvs_configuration_attributes': {
 25 |         'SpectreMitigation': 'Spectre'
 26 |       },
 27 |       'msvs_settings': {
 28 |         'VCCLCompilerTool': {
 29 |           'ExceptionHandling': 1,
 30 |           'AdditionalOptions': [
 31 |             '/guard:cf',
 32 |             '/w34244',
 33 |             '/w34267',
 34 |             '/ZH:SHA_256'
 35 |           ]
 36 |         },
 37 |         'VCLinkerTool': {
 38 |           'AdditionalOptions': [
 39 |             '/guard:cf'
 40 |           ]
 41 |         }
 42 |       },
 43 |       'conditions': [
 44 |         ['OS=="mac"', { 'cflags+': ['-fvisibility=hidden'] }],
 45 |         ['_type!="static_library" and ARCH=="arm64"', {
 46 |           'xcode_settings': {
 47 |             "OTHER_CFLAGS": [
 48 |               "-arch x86_64",
 49 |               "-arch arm64"
 50 |             ],
 51 |             "OTHER_LDFLAGS": [
 52 |               "-arch x86_64",
 53 |               "-arch arm64"
 54 |             ]
 55 |           }
 56 |         }],
 57 |         ['OS=="mac" or OS=="linux"', {
 58 |           'sources': [
 59 |             'src/unix/base64.cc',
 60 |             'src/unix/kerberos_gss.cc',
 61 |             'src/unix/kerberos_unix.cc'
 62 |           ]
 63 |         }],
 64 |         ['(OS=="mac") or (OS=="linux" and kerberos_use_rtld!="true")', {
 65 |           'link_settings': {
 66 |             'libraries': [
 67 |               '-lkrb5',
 68 |               '-lgssapi_krb5'
 69 |             ]
 70 |           },
 71 |           'conditions': [
 72 |             ['_type=="static_library"', {
 73 |               'link_settings': {
 74 |                 'libraries': [
 75 |                   '-lcom_err'
 76 |                 ]
 77 |               }
 78 |             }]
 79 |           ]
 80 |         }],
 81 |         ['(OS=="linux") and (kerberos_use_rtld=="true")', {
 82 |           'defines': ['KERBEROS_USE_RTLD=1'],
 83 |           'link_settings': {
 84 |             'libraries': [
 85 |               '-ldl',
 86 |             ]
 87 |           },
 88 |         }],
 89 |         ['OS=="win"',  {
 90 |           'sources': [
 91 |             'src/win32/kerberos_sspi.cc',
 92 |             'src/win32/kerberos_win32.cc'
 93 |           ],
 94 |           'link_settings': {
 95 |             'libraries': [
 96 |               '-lcrypt32',
 97 |               '-lsecur32',
 98 |               '-lShlwapi'
 99 |             ]
100 |           }
101 |         }]
102 |       ]
103 |     }
104 |   ]
105 | }
106 | 


--------------------------------------------------------------------------------
/etc/README.hbs:
--------------------------------------------------------------------------------
 1 | Kerberos
 2 | ========
 3 | [![Build Status](https://travis-ci.org/mongodb-js/kerberos.svg?branch=master)](https://travis-ci.org/mongodb-js/kerberos)
 4 | 
 5 | The `kerberos` package is a C++ extension for Node.js that provides cross-platform support for kerberos authentication using GSSAPI on linux/osx, and SSPI on windows. Much of the code in this module is adapted from [ccs-kerberos](https://github.com/apple/ccs-pykerberos) and [winkerberos](https://github.com/mongodb-labs/winkerberos).
 6 | 
 7 | ### Requirements
 8 | 
 9 | **Linux**
10 | - `python` v2.7
11 | - `make`
12 | - A proper C/C++ compiler toolchain, like [GCC](https://gcc.gnu.org/)
13 | - Distribution-specific kerberos packages (e.g. `krb5-dev` on Ubuntu)
14 | 
15 | **macOS**
16 | - `Xcode Command Line Tools`: Can be installed with `xcode-select --install`
17 | - Distribution-specific kerberos packages (e.g. `krb5` on Homebrew)
18 | 
19 | **Windows**
20 | - **Option 1:** Install all the required tools and configurations using Microsoft's [windows-build-tools](https://github.com/felixrieseberg/windows-build-tools) by running `npm install -g windows-build-tools` from an elevated PowerShell (run as Administrator).
21 | - **Option 2:** Install dependencies and configuration manually
22 |    1. Visual C++ Build Environment:
23 |      * **Option 1:** Install [Visual C++ Build Tools](http://go.microsoft.com/fwlink/?LinkId=691126) using the *Default Install* option.
24 |      * **Option 2:** Install [Visual Studio 2015](https://www.visualstudio.com/products/visual-studio-community-vs) (or modify an existing installation) and select *Common Tools for Visual C++* during setup.
25 | 
26 |   > :bulb: [Windows Vista / 7 only] requires [.NET Framework 4.5.1](http://www.microsoft.com/en-us/download/details.aspx?id=40773)
27 | 
28 |   2. Install [Python 2.7](https://www.python.org/downloads/) or [Miniconda 2.7](http://conda.pydata.org/miniconda.html) (`v3.x.x` is not supported), and run `npm config set python python2.7`
29 |   3. Launch cmd, `npm config set msvs_version 2015`
30 | 
31 | ### Installation
32 | 
33 | Now you can install `kerberos` with the following:
34 | 
35 | ```bash
36 | npm install kerberos
37 | ```
38 | 
39 | ### Testing
40 | 
41 | Run the test suite using:
42 | 
43 | ```bash
44 | npm test
45 | ```
46 | 
47 | NOTE: The test suite requires an active kerberos deployment, see `test/scripts/travis.sh` to better understand these requirements.
48 | 
49 | # Documentation
50 | 
51 | {{>main}}
52 | 


--------------------------------------------------------------------------------
/lib/auth_processes/mongodb.js:
--------------------------------------------------------------------------------
  1 | 'use strict';
  2 | const dns = require('dns');
  3 | const kerberos = require('../kerberos');
  4 | 
  5 | class MongoAuthProcess {
  6 |   constructor(host, port, serviceName, options) {
  7 |     options = options || {};
  8 |     this.host = host;
  9 |     this.port = port;
 10 | 
 11 |     // Set up service name
 12 |     this.serviceName = serviceName || options.gssapiServiceName || 'mongodb';
 13 | 
 14 |     // Options
 15 |     this.canonicalizeHostName =
 16 |       typeof options.gssapiCanonicalizeHostName === 'boolean'
 17 |         ? options.gssapiCanonicalizeHostName
 18 |         : false;
 19 | 
 20 |     // Set up first transition
 21 |     this._transition = firstTransition(this);
 22 | 
 23 |     // Number of retries
 24 |     this.retries = 10;
 25 |   }
 26 | 
 27 |   init(username, password, callback) {
 28 |     const self = this;
 29 |     this.username = username;
 30 |     this.password = password;
 31 | 
 32 |     // Canonicialize host name if needed
 33 |     function performGssapiCanonicalizeHostName(canonicalizeHostName, host, callback) {
 34 |       if (!canonicalizeHostName) return callback();
 35 | 
 36 |       // Attempt to resolve the host name
 37 |       dns.resolveCname(host, (err, r) => {
 38 |         if (err) return callback(err);
 39 | 
 40 |         // Get the first resolve host id
 41 |         if (Array.isArray(r) && r.length > 0) {
 42 |           self.host = r[0];
 43 |         }
 44 | 
 45 |         callback();
 46 |       });
 47 |     }
 48 | 
 49 |     // Canonicialize host name if needed
 50 |     performGssapiCanonicalizeHostName(this.canonicalizeHostName, this.host, err => {
 51 |       if (err) return callback(err);
 52 | 
 53 |       const initOptions = {};
 54 |       if (password != null) {
 55 |         Object.assign(initOptions, { user: username, password });
 56 |       }
 57 | 
 58 |       const service =
 59 |         process.platform === 'win32'
 60 |           ? `${this.serviceName}/${this.host}`
 61 |           : `${this.serviceName}@${this.host}`;
 62 | 
 63 |       kerberos.initializeClient(service, initOptions, (err, client) => {
 64 |         if (err) return callback(err, null);
 65 | 
 66 |         self.client = client;
 67 |         callback(null, client);
 68 |       });
 69 |     });
 70 |   }
 71 | 
 72 |   transition(payload, callback) {
 73 |     if (this._transition == null) {
 74 |       return callback(new Error('Transition finished'));
 75 |     }
 76 | 
 77 |     this._transition(payload, callback);
 78 |   }
 79 | }
 80 | 
 81 | function firstTransition(auth) {
 82 |   return (payload, callback) => {
 83 |     auth.client.step('', (err, response) => {
 84 |       if (err) return callback(err);
 85 | 
 86 |       // Set up the next step
 87 |       auth._transition = secondTransition(auth);
 88 | 
 89 |       // Return the payload
 90 |       callback(null, response);
 91 |     });
 92 |   };
 93 | }
 94 | 
 95 | function secondTransition(auth) {
 96 |   return (payload, callback) => {
 97 |     auth.client.step(payload, (err, response) => {
 98 |       if (err && auth.retries === 0) return callback(err);
 99 | 
100 |       // Attempt to re-establish a context
101 |       if (err) {
102 |         // Adjust the number of retries
103 |         auth.retries = auth.retries - 1;
104 | 
105 |         // Call same step again
106 |         return auth.transition(payload, callback);
107 |       }
108 | 
109 |       // Set up the next step
110 |       auth._transition = thirdTransition(auth);
111 | 
112 |       // Return the payload
113 |       callback(null, response || '');
114 |     });
115 |   };
116 | }
117 | 
118 | function thirdTransition(auth) {
119 |   return (payload, callback) => {
120 |     // GSS Client Unwrap
121 |     auth.client.unwrap(payload, (err, response) => {
122 |       if (err) return callback(err, false);
123 | 
124 |       // Wrap the response
125 |       auth.client.wrap(response, { user: auth.username }, (err, wrapped) => {
126 |         if (err) return callback(err, false);
127 | 
128 |         // Set up the next step
129 |         auth._transition = fourthTransition(auth);
130 | 
131 |         // Return the payload
132 |         callback(null, wrapped);
133 |       });
134 |     });
135 |   };
136 | }
137 | 
138 | function fourthTransition(auth) {
139 |   return (payload, callback) => {
140 |     // Set the transition to null
141 |     auth._transition = null;
142 | 
143 |     // Callback with valid authentication
144 |     callback(null, true);
145 |   };
146 | }
147 | 
148 | // Set the process
149 | module.exports = {
150 |   MongoAuthProcess
151 | };
152 | 


--------------------------------------------------------------------------------
/lib/index.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const kerberos = require('./kerberos');
 4 | 
 5 | // Get the Kerberos library
 6 | module.exports = kerberos;
 7 | 
 8 | // Support legacy versions of the mongodb driver which expect this export
 9 | module.exports.Kerberos = kerberos;
10 | 
11 | module.exports.version = require('../package.json').version;
12 | 
13 | // Set up the auth processes
14 | module.exports.processes = {
15 |   MongoAuthProcess: require('./auth_processes/mongodb').MongoAuthProcess
16 | };
17 | 


--------------------------------------------------------------------------------
/lib/kerberos.js:
--------------------------------------------------------------------------------
  1 | 'use strict';
  2 | 
  3 | const { loadBindings, defineOperation } = require('./util');
  4 | 
  5 | const kerberos = loadBindings();
  6 | const KerberosClient = kerberos.KerberosClient;
  7 | const KerberosServer = kerberos.KerberosServer;
  8 | 
  9 | // GSS Flags
 10 | const GSS_C_DELEG_FLAG = 1;
 11 | const GSS_C_MUTUAL_FLAG = 2;
 12 | const GSS_C_REPLAY_FLAG = 4;
 13 | const GSS_C_SEQUENCE_FLAG = 8;
 14 | const GSS_C_CONF_FLAG = 16;
 15 | const GSS_C_INTEG_FLAG = 32;
 16 | const GSS_C_ANON_FLAG = 64;
 17 | const GSS_C_PROT_READY_FLAG = 128;
 18 | const GSS_C_TRANS_FLAG = 256;
 19 | 
 20 | // GSS_OID
 21 | const GSS_C_NO_OID = 0;
 22 | const GSS_MECH_OID_KRB5 = 9;
 23 | const GSS_MECH_OID_SPNEGO = 6;
 24 | 
 25 | /**
 26 |  * @class KerberosClient
 27 |  *
 28 |  * @property {string} username The username used for authentication
 29 |  * @property {string} response The last response received during authentication steps
 30 |  * @property {string} responseConf Indicates whether confidentiality was applied or not (GSSAPI only)
 31 |  * @property {boolean} contextComplete Indicates that authentication has successfully completed or not
 32 |  */
 33 | 
 34 | /**
 35 |  * Processes a single kerberos client-side step using the supplied server challenge.
 36 |  *
 37 |  * @kind function
 38 |  * @memberof KerberosClient
 39 |  * @param {string} challenge A string containing the base64-encoded server data (which may be empty for the first step)
 40 |  * @param {function} [callback]
 41 |  * @return {Promise} returns Promise if no callback passed
 42 |  */
 43 | KerberosClient.prototype.step = defineOperation(KerberosClient.prototype.step, [
 44 |   { name: 'challenge', type: 'string' },
 45 |   { name: 'callback', type: 'function', required: false }
 46 | ]);
 47 | 
 48 | /**
 49 |  * Perform the client side kerberos wrap step.
 50 |  *
 51 |  * @kind function
 52 |  * @memberof KerberosClient
 53 |  * @param {string} challenge The response returned after calling `unwrap`
 54 |  * @param {object} [options] Optional settings
 55 |  * @param {string} [options.user] The user to authorize
 56 |  * @param {boolean} [options.protect] Indicates if the wrap should request message confidentiality
 57 |  * @param {function} [callback]
 58 |  * @return {Promise} returns Promise if no callback passed
 59 |  */
 60 | KerberosClient.prototype.wrap = defineOperation(KerberosClient.prototype.wrap, [
 61 |   { name: 'challenge', type: 'string' },
 62 |   { name: 'options', type: 'object' },
 63 |   { name: 'callback', type: 'function', required: false }
 64 | ]);
 65 | 
 66 | /**
 67 |  * Perform the client side kerberos unwrap step
 68 |  *
 69 |  * @kind function
 70 |  * @memberof KerberosClient
 71 |  * @param {string} challenge A string containing the base64-encoded server data
 72 |  * @param {function} [callback]
 73 |  * @return {Promise} returns Promise if no callback passed
 74 |  */
 75 | KerberosClient.prototype.unwrap = defineOperation(KerberosClient.prototype.unwrap, [
 76 |   { name: 'challenge', type: 'string' },
 77 |   { name: 'callback', type: 'function', required: false }
 78 | ]);
 79 | 
 80 | /**
 81 |  * @class KerberosServer
 82 |  *
 83 |  * @property {string} username The username used for authentication
 84 |  * @property {string} response The last response received during authentication steps
 85 |  * @property {string} targetName The target used for authentication
 86 |  * @property {boolean} contextComplete Indicates that authentication has successfully completed or not
 87 |  */
 88 | 
 89 | /**
 90 |  * Processes a single kerberos server-side step using the supplied client data.
 91 |  *
 92 |  * @kind function
 93 |  * @memberof KerberosServer
 94 |  * @param {string} challenge A string containing the base64-encoded client data
 95 |  * @param {function} [callback]
 96 |  * @return {Promise} returns Promise if no callback passed
 97 |  */
 98 | KerberosServer.prototype.step = defineOperation(KerberosServer.prototype.step, [
 99 |   { name: 'challenge', type: 'string' },
100 |   { name: 'callback', type: 'function', required: false }
101 | ]);
102 | 
103 | /**
104 |  * This function provides a simple way to verify that a user name and password
105 |  * match those normally used for Kerberos authentication.
106 |  * It does this by checking that the supplied user name and password can be
107 |  * used to get a ticket for the supplied service.
108 |  * If the user name does not contain a realm, then the default realm supplied
109 |  * is used.
110 |  *
111 |  * For this to work properly the Kerberos must be configured properly on this
112 |  * machine.
113 |  * That will likely mean ensuring that the edu.mit.Kerberos preference file
114 |  * has the correct realms and KDCs listed.
115 |  *
116 |  * IMPORTANT: This method is vulnerable to KDC spoofing attacks and it should
117 |  * only be used for testing. Do not use this in any production system - your
118 |  * security could be compromised if you do.
119 |  *
120 |  * @kind function
121 |  * @param {string} username The Kerberos user name. If no realm is supplied, then the `defaultRealm` will be used.
122 |  * @param {string} password The password for the user.
123 |  * @param {string} service The Kerberos service to check access for.
124 |  * @param {string} [defaultRealm] The default realm to use if one is not supplied in the user argument.
125 |  * @param {function} [callback]
126 |  * @return {Promise} returns Promise if no callback passed
127 |  */
128 | const checkPassword = defineOperation(kerberos.checkPassword, [
129 |   { name: 'username', type: 'string' },
130 |   { name: 'password', type: 'string' },
131 |   { name: 'service', type: 'string' },
132 |   { name: 'defaultRealm', type: 'string', required: false },
133 |   { name: 'callback', type: 'function', required: false }
134 | ]);
135 | 
136 | /**
137 |  * This function returns the service principal for the server given a service type and hostname.
138 |  *
139 |  * Details are looked up via the `/etc/keytab` file.
140 |  *
141 |  * @kind function
142 |  * @param {string} service The Kerberos service type for the server.
143 |  * @param {string} hostname The hostname of the server.
144 |  * @param {function} [callback]
145 |  * @return {Promise} returns Promise if no callback passed
146 |  */
147 | const principalDetails = defineOperation(kerberos.principalDetails, [
148 |   { name: 'service', type: 'string' },
149 |   { name: 'hostname', type: 'string' },
150 |   { name: 'callback', type: 'function', required: false }
151 | ]);
152 | 
153 | /**
154 |  * Initializes a context for client-side authentication with the given service principal.
155 |  *
156 |  * @kind function
157 |  * @param {string} service A string containing the service principal in the form 'type@fqdn' (e.g. 'imap@mail.apple.com').
158 |  * @param {object} [options] Optional settings
159 |  * @param {string} [options.principal] Optional string containing the client principal in the form 'user@realm' (e.g. 'jdoe@example.com').
160 |  * @param {number} [options.gssFlags] Optional integer used to set GSS flags. (e.g.  GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG will allow for forwarding credentials to the remote host)
161 |  * @param {number} [options.mechOID] Optional GSS mech OID. Defaults to None (GSS_C_NO_OID). Other possible values are `GSS_MECH_OID_KRB5`, `GSS_MECH_OID_SPNEGO`.
162 |  * @param {function} [callback]
163 |  * @return {Promise} returns Promise if no callback passed
164 |  */
165 | const initializeClient = defineOperation(kerberos.initializeClient, [
166 |   { name: 'service', type: 'string' },
167 |   { name: 'options', type: 'object', default: { mechOID: GSS_C_NO_OID } },
168 |   { name: 'callback', type: 'function', required: false }
169 | ]);
170 | 
171 | /**
172 |  * Initializes a context for server-side authentication with the given service principal.
173 |  *
174 |  * @kind function
175 |  * @param {string} service A string containing the service principal in the form 'type@fqdn' (e.g. 'imap@mail.apple.com').
176 |  * @param {function} [callback]
177 |  * @return {Promise} returns Promise if no callback passed
178 |  */
179 | const initializeServer = defineOperation(kerberos.initializeServer, [
180 |   { name: 'service', type: 'string' },
181 |   { name: 'callback', type: 'function', required: false }
182 | ]);
183 | 
184 | module.exports = {
185 |   initializeClient,
186 |   initializeServer,
187 |   principalDetails,
188 |   checkPassword,
189 | 
190 |   // gss flags
191 |   GSS_C_DELEG_FLAG,
192 |   GSS_C_MUTUAL_FLAG,
193 |   GSS_C_REPLAY_FLAG,
194 |   GSS_C_SEQUENCE_FLAG,
195 |   GSS_C_CONF_FLAG,
196 |   GSS_C_INTEG_FLAG,
197 |   GSS_C_ANON_FLAG,
198 |   GSS_C_PROT_READY_FLAG,
199 |   GSS_C_TRANS_FLAG,
200 |   GSS_C_NO_OID,
201 | 
202 |   // mechanism OIDs
203 |   GSS_MECH_OID_KRB5,
204 |   GSS_MECH_OID_SPNEGO
205 | };
206 | 


--------------------------------------------------------------------------------
/lib/util.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | function validateParameter(parameter, specs, specIndex) {
 4 |   const spec = specs[specIndex];
 5 |   if (parameter == null && spec.required === false) {
 6 |     return;
 7 |   }
 8 | 
 9 |   if (parameter == null) {
10 |     throw new TypeError(`Required parameter \`${spec.name}\` missing`);
11 |   }
12 | 
13 |   const paramType = typeof parameter;
14 |   if (spec.type && paramType !== spec.type) {
15 |     if (spec.required === false) {
16 |       if (specs.slice(specIndex).some(def => def.type === paramType)) {
17 |         return false;
18 |       }
19 |     }
20 | 
21 |     throw new TypeError(
22 |       `Invalid type for parameter \`${spec.name}\`, expected \`${spec.type
23 |       }\` but found \`${typeof parameter}\``
24 |     );
25 |   }
26 | 
27 |   return true;
28 | }
29 | 
30 | function hasOwnProperty(object, property) {
31 |   return Object.prototype.hasOwnProperty.call(object, property);
32 | }
33 | 
34 | /**
35 |  * Monkey-patches an existing method to support parameter validation, as well
36 |  * as adding support for returning Promises if callbacks are not provided.
37 |  *
38 |  * @private
39 |  * @param {function} fn the function to override
40 |  * @param {Array<Object>} paramDefs the definitions of each parameter to the function
41 |  */
42 | function defineOperation(fn, paramDefs) {
43 |   return function () {
44 |     const args = Array.prototype.slice.call(arguments);
45 |     const params = [];
46 |     for (let i = 0, argIdx = 0; i < paramDefs.length; ++i, ++argIdx) {
47 |       const def = paramDefs[i];
48 |       let arg = args[argIdx];
49 | 
50 |       if (hasOwnProperty(def, 'default') && arg == null) arg = def.default;
51 |       if (def.type === 'object' && def.default != null) {
52 |         arg = Object.assign({}, def.default, arg);
53 |       }
54 | 
55 |       // special case to allow `options` to be optional
56 |       if (def.name === 'options' && (typeof arg === 'function' || arg == null)) {
57 |         arg = {};
58 |       }
59 | 
60 |       if (validateParameter(arg, paramDefs, i)) {
61 |         params.push(arg);
62 |       } else {
63 |         argIdx--;
64 |       }
65 |     }
66 | 
67 |     const callback = arguments[arguments.length - 1];
68 |     if (typeof callback !== 'function') {
69 |       return new Promise((resolve, reject) => {
70 |         params.push((err, response) => {
71 |           if (err) return reject(err);
72 |           resolve(response);
73 |         });
74 | 
75 |         fn.apply(this, params);
76 |       });
77 |     }
78 | 
79 |     fn.apply(this, params);
80 |   };
81 | }
82 | 
83 | function loadBindings() {
84 |   try {
85 |     return require('../build/Release/kerberos.node');
86 |   } catch {
87 |     // Webpack will fail when just returning the require, so we need to wrap
88 |     // in a try/catch and rethrow.
89 |     /* eslint no-useless-catch: 0 */
90 |     try {
91 |       return require('../build/Debug/kerberos.node');
92 |     } catch (error) {
93 |       throw error;
94 |     }
95 |   }
96 | }
97 | 
98 | module.exports = { defineOperation, validateParameter, loadBindings };
99 | 


--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "kerberos",
 3 |   "version": "2.2.2",
 4 |   "description": "Kerberos library for Node.js",
 5 |   "main": "lib/index.js",
 6 |   "files": [
 7 |     "lib",
 8 |     "src",
 9 |     "binding.gyp",
10 |     "HISTORY.md",
11 |     "README.md"
12 |   ],
13 |   "repository": {
14 |     "type": "git",
15 |     "url": "https://github.com/mongodb-js/kerberos.git"
16 |   },
17 |   "keywords": [
18 |     "kerberos",
19 |     "security",
20 |     "authentication"
21 |   ],
22 |   "author": {
23 |     "name": "The MongoDB NodeJS Team",
24 |     "email": "dbx-node@mongodb.com"
25 |   },
26 |   "bugs": {
27 |     "url": "https://jira.mongodb.org/projects/NODE/issues/"
28 |   },
29 |   "dependencies": {
30 |     "node-addon-api": "^6.1.0",
31 |     "prebuild-install": "^7.1.2"
32 |   },
33 |   "devDependencies": {
34 |     "@types/node": "^22.15.3",
35 |     "chai": "^4.4.1",
36 |     "chai-string": "^1.6.0",
37 |     "chalk": "^4.1.2",
38 |     "clang-format": "^1.8.0",
39 |     "dmd-clear": "^0.1.2",
40 |     "eslint": "^9.25.1",
41 |     "eslint-config-prettier": "^10.1.2",
42 |     "eslint-plugin-prettier": "^5.2.6",
43 |     "jsdoc-to-markdown": "^9.1.1",
44 |     "mocha": "^11.1.0",
45 |     "mongodb": "^6.16.0",
46 |     "node-gyp": "^10.1.0",
47 |     "prebuild": "^13.0.1",
48 |     "prettier": "^3.5.3",
49 |     "request": "^2.88.2"
50 |   },
51 |   "overrides": {
52 |     "prebuild": {
53 |       "node-gyp": "$node-gyp"
54 |     }
55 |   },
56 |   "scripts": {
57 |     "install": "prebuild-install --runtime napi || node-gyp rebuild",
58 |     "format-cxx": "clang-format -i 'src/**/*'",
59 |     "format-js": "ESLINT_USE_FLAT_CONFIG=false eslint lib test --fix",
60 |     "check:lint": "ESLINT_USE_FLAT_CONFIG=false eslint lib test",
61 |     "precommit": "check-clang-format",
62 |     "docs": "jsdoc2md --template etc/README.hbs --plugin dmd-clear --files lib/kerberos.js > README.md",
63 |     "test": "mocha 'test/*_tests.js'",
64 |     "prebuild": "prebuild --runtime napi --strip --verbose --all"
65 |   },
66 |   "engines": {
67 |     "node": ">=12.9.0"
68 |   },
69 |   "binary": {
70 |     "napi_versions": [
71 |       4
72 |     ]
73 |   },
74 |   "license": "Apache-2.0",
75 |   "readmeFilename": "README.md"
76 | }
77 | 


--------------------------------------------------------------------------------
/release-please-config.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
 3 |   "pull-request-title-pattern": "chore${scope}: release ${version}",
 4 |   "pull-request-header": "Please run the release_notes action before releasing to generate release highlights",
 5 |   "packages": {
 6 |     ".": {
 7 |       "include-component-in-tag": false,
 8 |       "changelog-path": "HISTORY.md",
 9 |       "release-type": "node",
10 |       "bump-minor-pre-major": false,
11 |       "bump-patch-for-minor-pre-major": false,
12 |       "draft": false
13 |     }
14 |   }
15 | }


--------------------------------------------------------------------------------
/sbom.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "metadata": {
 3 |     "timestamp": "2024-05-01T20:48:31.133969+00:00",
 4 |     "tools": [
 5 |       {
 6 |         "externalReferences": [
 7 |           {
 8 |             "type": "build-system",
 9 |             "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions"
10 |           },
11 |           {
12 |             "type": "distribution",
13 |             "url": "https://pypi.org/project/cyclonedx-python-lib/"
14 |           },
15 |           {
16 |             "type": "documentation",
17 |             "url": "https://cyclonedx-python-library.readthedocs.io/"
18 |           },
19 |           {
20 |             "type": "issue-tracker",
21 |             "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues"
22 |           },
23 |           {
24 |             "type": "license",
25 |             "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE"
26 |           },
27 |           {
28 |             "type": "release-notes",
29 |             "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md"
30 |           },
31 |           {
32 |             "type": "vcs",
33 |             "url": "https://github.com/CycloneDX/cyclonedx-python-lib"
34 |           },
35 |           {
36 |             "type": "website",
37 |             "url": "https://github.com/CycloneDX/cyclonedx-python-lib/#readme"
38 |           }
39 |         ],
40 |         "name": "cyclonedx-python-lib",
41 |         "vendor": "CycloneDX",
42 |         "version": "6.4.4"
43 |       }
44 |     ]
45 |   },
46 |   "serialNumber": "urn:uuid:e2089049-b13e-48ba-8e00-f73b6e252148",
47 |   "version": 1,
48 |   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
49 |   "bomFormat": "CycloneDX",
50 |   "specVersion": "1.5"
51 | }
52 | 


--------------------------------------------------------------------------------
/src/kerberos.cc:
--------------------------------------------------------------------------------
  1 | #include "kerberos.h"
  2 | #include "kerberos_worker.h"
  3 | 
  4 | /// KerberosClient
  5 | namespace node_kerberos {
  6 | 
  7 | using namespace Napi;
  8 | 
  9 | namespace {
 10 | struct InstanceData {
 11 |     Reference<Function> KerberosClientCtor;
 12 |     Reference<Function> KerberosServerCtor;
 13 | };
 14 | 
 15 | static constexpr napi_property_attributes writable_and_configurable =
 16 |     static_cast<napi_property_attributes>(
 17 |         static_cast<int>(napi_writable) | static_cast<int>(napi_configurable));
 18 | 
 19 | inline String NewMaybeWideString(Env env, const char* str) {
 20 |     return String::New(env, str);
 21 | }
 22 | #ifdef _WIN32
 23 | inline String NewMaybeWideString(Env env, const WCHAR* str) {
 24 |     static_assert(sizeof(std::wstring::value_type) == sizeof(std::u16string::value_type),
 25 |         "wstring and u16string have the same value type on Windows");
 26 |     std::wstring wstr(str);
 27 |     std::u16string u16(wstr.begin(), wstr.end());
 28 |     return String::New(env, u16);
 29 | }
 30 | #endif
 31 | }
 32 | 
 33 | std::string ToStringWithNonStringAsEmpty(Napi::Value value) {
 34 |     if (!value.IsString()) {
 35 |         return std::string();
 36 |     }
 37 |     return value.As<String>();
 38 | }
 39 | 
 40 | int KerberosClient::ParseWrapOptionsProtect(const Napi::Object& options) {
 41 |     if (!options.Has("protect"))    return 0;
 42 | 
 43 |     if (!options.Get("protect").IsBoolean()) {
 44 |         throw TypeError::New(options.Env(), "options.protect must be a boolean.");
 45 |     }
 46 | 
 47 |     bool protect = options.Get("protect").As<Boolean>();
 48 |     return protect ? 1 : 0;
 49 | }
 50 | 
 51 | Function KerberosClient::Init(Napi::Env env) {
 52 |     return
 53 |         DefineClass(env,
 54 |                     "KerberosClient",
 55 |                     {
 56 |                       InstanceMethod("step", &KerberosClient::Step, writable_and_configurable),
 57 |                       InstanceMethod("wrap", &KerberosClient::WrapData, writable_and_configurable),
 58 |                       InstanceMethod("unwrap", &KerberosClient::UnwrapData, writable_and_configurable),
 59 |                       InstanceAccessor("username", &KerberosClient::UserNameGetter, nullptr),
 60 |                       InstanceAccessor("response", &KerberosClient::ResponseGetter, nullptr),
 61 |                       InstanceAccessor("responseConf", &KerberosClient::ResponseConfGetter, nullptr),
 62 |                       InstanceAccessor("contextComplete", &KerberosClient::ContextCompleteGetter, nullptr)
 63 |                     });
 64 | }
 65 | 
 66 | Object KerberosClient::NewInstance(Napi::Env env, std::shared_ptr<krb_client_state> state) {
 67 |     InstanceData* instance_data = env.GetInstanceData<InstanceData>();
 68 |     Object obj = instance_data->KerberosClientCtor.Value().New({});
 69 |     KerberosClient* instance = KerberosClient::Unwrap(obj);
 70 |     instance->_state = std::move(state);
 71 |     return obj;
 72 | }
 73 | 
 74 | KerberosClient::KerberosClient(const CallbackInfo& info)
 75 |     : ObjectWrap(info) {}
 76 | 
 77 | std::shared_ptr<krb_client_state> KerberosClient::state() const {
 78 |     return _state;
 79 | }
 80 | 
 81 | Value KerberosClient::UserNameGetter(const CallbackInfo& info) {
 82 |     const auto* username = state()->username;
 83 |     if (username == nullptr)
 84 |         return Env().Null();
 85 |     return NewMaybeWideString(Env(), username);
 86 | }
 87 | 
 88 | Value KerberosClient::ResponseGetter(const CallbackInfo& info) {
 89 |     const auto* response = state()->response;
 90 |     if (response == nullptr)
 91 |         return Env().Null();
 92 |     return NewMaybeWideString(Env(), response);
 93 | }
 94 | 
 95 | Value KerberosClient::ResponseConfGetter(const CallbackInfo& info) {
 96 |     return Number::New(Env(), state()->responseConf);
 97 | }
 98 | 
 99 | Value KerberosClient::ContextCompleteGetter(const CallbackInfo& info) {
100 |     return Boolean::New(Env(), state()->context_complete);
101 | }
102 | 
103 | /// KerberosServer
104 | Function KerberosServer::Init(Napi::Env env) {
105 |     return
106 |         DefineClass(env,
107 |                     "KerberosServer",
108 |                     {
109 |                       InstanceMethod("step", &KerberosServer::Step, writable_and_configurable),
110 |                       InstanceAccessor("username", &KerberosServer::UserNameGetter, nullptr),
111 |                       InstanceAccessor("response", &KerberosServer::ResponseGetter, nullptr),
112 |                       InstanceAccessor("targetName", &KerberosServer::TargetNameGetter, nullptr),
113 |                       InstanceAccessor("contextComplete", &KerberosServer::ContextCompleteGetter, nullptr)
114 |                     });
115 | }
116 | 
117 | Object KerberosServer::NewInstance(Napi::Env env, std::shared_ptr<krb_server_state> state) {
118 |     InstanceData* instance_data = env.GetInstanceData<InstanceData>();
119 |     Object obj = instance_data->KerberosServerCtor.Value().New({});
120 |     KerberosServer* instance = KerberosServer::Unwrap(obj);
121 |     instance->_state = std::move(state);
122 |     return obj;
123 | }
124 | 
125 | KerberosServer::KerberosServer(const CallbackInfo& info)
126 |     : ObjectWrap(info) {}
127 | 
128 | std::shared_ptr<krb_server_state> KerberosServer::state() const {
129 |     return _state;
130 | }
131 | 
132 | Value KerberosServer::UserNameGetter(const CallbackInfo& info) {
133 |     const auto* username = state()->username;
134 |     if (username == nullptr)
135 |         return Env().Null();
136 |     return NewMaybeWideString(Env(), username);
137 | }
138 | 
139 | Value KerberosServer::ResponseGetter(const CallbackInfo& info) {
140 |     const auto* response = state()->response;
141 |     if (response == nullptr)
142 |         return Env().Null();
143 |     return NewMaybeWideString(Env(), response);
144 | }
145 | 
146 | Value KerberosServer::TargetNameGetter(const CallbackInfo& info) {
147 |     const auto* targetname = state()->targetname;
148 |     if (targetname == nullptr)
149 |         return Env().Null();
150 |     return NewMaybeWideString(Env(), targetname);
151 | }
152 | 
153 | Value KerberosServer::ContextCompleteGetter(const CallbackInfo& info) {
154 |     return Boolean::New(Env(), state()->context_complete);
155 | }
156 | 
157 | void TestMethod(const CallbackInfo& info) {
158 |     std::string string = info[0].ToString();
159 |     bool shouldError = info[1].ToBoolean();
160 | 
161 |     std::string optionalString;
162 |     Function callback;
163 |     if (info[2].IsFunction()) {
164 |         callback = info[2].As<Function>();
165 |     } else {
166 |         optionalString = info[2].ToString();
167 |         callback = info[3].As<Function>();
168 |     }
169 | 
170 |     KerberosWorker::Run(callback, "kerberos:TestMethod", [=](KerberosWorker::SetOnFinishedHandler onFinished) {
171 |         return onFinished([=](KerberosWorker* worker) {
172 |             Napi::Env env = worker->Env();
173 |             if (shouldError) {
174 |                 worker->Call(std::initializer_list<napi_value>
175 |                     { Error::New(env).Value(), env.Null() });
176 |             } else {
177 |                 worker->Call(std::initializer_list<napi_value>
178 |                     { env.Null(), String::New(env, optionalString) });
179 |             }
180 |         });
181 |     });
182 | }
183 | 
184 | static Object Init(Env env, Object exports) {
185 |     std::string libraries_unavailable_error;
186 |     if (!kerberos_libraries_available(&libraries_unavailable_error)) {
187 |         throw Error::New(env, libraries_unavailable_error);
188 |     }
189 |     Function KerberosClientCtor = KerberosClient::Init(env);
190 |     Function KerberosServerCtor = KerberosServer::Init(env);
191 |     exports["KerberosClient"] = KerberosClientCtor;
192 |     exports["KerberosServer"] = KerberosServerCtor;
193 |     env.SetInstanceData(new InstanceData {
194 |         Reference<Function>::New(KerberosClientCtor, 1),
195 |         Reference<Function>::New(KerberosServerCtor, 1)
196 |     });
197 |     exports["initializeClient"] = Function::New(env, InitializeClient);
198 |     exports["initializeServer"] = Function::New(env, InitializeServer);
199 |     exports["principalDetails"] = Function::New(env, PrincipalDetails);
200 |     exports["checkPassword"] = Function::New(env, CheckPassword);
201 |     exports["_testMethod"] = Function::New(env, TestMethod);
202 |     return exports;
203 | }
204 | 
205 | NODE_API_MODULE(kerberos, Init)
206 | 
207 | }
208 | 


--------------------------------------------------------------------------------
/src/kerberos.h:
--------------------------------------------------------------------------------
 1 | #ifndef KERBEROS_NATIVE_EXTENSION_H
 2 | #define KERBEROS_NATIVE_EXTENSION_H
 3 | 
 4 | // We generally only target N-API version 4, but the instance data
 5 | // feature is only available in N-API version 6. However, it is
 6 | // available in all Node.js versions that have N-API version 4
 7 | #define NAPI_VERSION 6
 8 | // as an experimental feature (that has not been changed since then).
 9 | #define NAPI_EXPERIMENTAL
10 | #define NODE_API_EXPERIMENTAL_NOGC_ENV_OPT_OUT
11 | 
12 | #include <napi.h>
13 | #include "kerberos_common.h"
14 | 
15 | namespace node_kerberos {
16 | 
17 | bool kerberos_libraries_available(std::string* error_out);
18 | 
19 | class KerberosServer : public Napi::ObjectWrap<KerberosServer> {
20 |    public:
21 |     static Napi::Function Init(Napi::Env env);
22 |     static Napi::Object NewInstance(Napi::Env env, std::shared_ptr<krb_server_state> state);
23 | 
24 |     std::shared_ptr<krb_server_state> state() const;
25 | 
26 |    private:
27 |     Napi::Value UserNameGetter(const Napi::CallbackInfo& info);
28 |     Napi::Value ResponseGetter(const Napi::CallbackInfo& info);
29 |     Napi::Value TargetNameGetter(const Napi::CallbackInfo& info);
30 |     Napi::Value ContextCompleteGetter(const Napi::CallbackInfo& info);
31 | 
32 |     void Step(const Napi::CallbackInfo& info);
33 | 
34 |    private:
35 |     friend class Napi::ObjectWrap<KerberosServer>;
36 |     explicit KerberosServer(const Napi::CallbackInfo& info);
37 | 
38 |     std::shared_ptr<krb_server_state> _state;
39 | };
40 | 
41 | class KerberosClient : public Napi::ObjectWrap<KerberosClient> {
42 |    public:
43 |     static Napi::Function Init(Napi::Env env);
44 |     static Napi::Object NewInstance(Napi::Env env, std::shared_ptr<krb_client_state> state);
45 | 
46 |     std::shared_ptr<krb_client_state> state() const;
47 | 
48 |    private:
49 |     Napi::Value UserNameGetter(const Napi::CallbackInfo& info);
50 |     Napi::Value ResponseGetter(const Napi::CallbackInfo& info);
51 |     Napi::Value ResponseConfGetter(const Napi::CallbackInfo& info);
52 |     Napi::Value ContextCompleteGetter(const Napi::CallbackInfo& info);
53 | 
54 |     void Step(const Napi::CallbackInfo& info);
55 |     void UnwrapData(const Napi::CallbackInfo& info);
56 |     void WrapData(const Napi::CallbackInfo& info);
57 | 
58 |     int ParseWrapOptionsProtect(const Napi::Object& options);
59 | 
60 |    private:
61 |     friend class Napi::ObjectWrap<KerberosClient>;
62 |     explicit KerberosClient(const Napi::CallbackInfo& info);
63 | 
64 |     std::shared_ptr<krb_client_state> _state;
65 | };
66 | 
67 | void PrincipalDetails(const Napi::CallbackInfo& info);
68 | void InitializeClient(const Napi::CallbackInfo& info);
69 | void InitializeServer(const Napi::CallbackInfo& info);
70 | void CheckPassword(const Napi::CallbackInfo& info);
71 | 
72 | // NOTE: explicitly used for unit testing `defineOperation`, not meant to be exported
73 | void TestMethod(const Napi::CallbackInfo& info);
74 | 
75 | std::string ToStringWithNonStringAsEmpty(Napi::Value value);
76 | 
77 | }
78 | 
79 | #endif  // KERBEROS_NATIVE_EXTENSION_H
80 | 


--------------------------------------------------------------------------------
/src/kerberos_common.h:
--------------------------------------------------------------------------------
 1 | #ifndef KERBEROS_COMMON_H
 2 | #define KERBEROS_COMMON_H
 3 | 
 4 | #if defined(__linux__) || defined(__APPLE__)
 5 | #include "unix/kerberos_gss.h"
 6 | 
 7 | namespace node_kerberos {
 8 | typedef gss_client_state krb_client_state;
 9 | typedef gss_server_state krb_server_state;
10 | typedef gss_result krb_result;
11 | }
12 | #else
13 | #include "win32/kerberos_sspi.h"
14 | 
15 | namespace node_kerberos {
16 | typedef sspi_client_state krb_client_state;
17 | typedef sspi_server_state krb_server_state;
18 | typedef sspi_result krb_result;
19 | }
20 | #endif
21 | 
22 | #endif
23 | 


--------------------------------------------------------------------------------
/src/kerberos_worker.h:
--------------------------------------------------------------------------------
 1 | #ifndef KERBEROS_ASYNC_WORKER_H
 2 | #define KERBEROS_ASYNC_WORKER_H
 3 | 
 4 | #include <functional>
 5 | #include "kerberos.h"
 6 | 
 7 | namespace node_kerberos {
 8 | 
 9 | class KerberosWorker final : public Napi::AsyncWorker {
10 |  public:
11 |     ~KerberosWorker() {}
12 | 
13 |     typedef std::function<void(KerberosWorker*)>  OnFinishedHandler;
14 |     typedef std::function<void(OnFinishedHandler)> SetOnFinishedHandler;
15 |     typedef std::function<void(SetOnFinishedHandler)> ExecuteHandler;
16 | 
17 |     template <class... T>
18 |     void Call(T... t) {
19 |       Callback().Call(t...);
20 |     }
21 | 
22 |     static void Run(Napi::Function callback, const char* resource_name, ExecuteHandler handler) {
23 |         auto worker = new KerberosWorker(callback, resource_name, handler);
24 |         worker->Queue();
25 |     }
26 | 
27 |  protected:
28 |     void Execute() final {
29 |         execute_handler([=] (OnFinishedHandler handler) {
30 |             on_finished_handler = handler;
31 |         });
32 |     }
33 | 
34 |     void OnOK() final {
35 |         on_finished_handler(this);
36 |     }
37 | 
38 |  private:
39 |     explicit KerberosWorker(Napi::Function callback, const char* resource_name, ExecuteHandler handler)
40 |         : Napi::AsyncWorker(callback, resource_name), execute_handler(handler) {}
41 | 
42 |     ExecuteHandler execute_handler;
43 |     OnFinishedHandler on_finished_handler;
44 | };
45 | 
46 | }
47 | 
48 | #endif // ASYNC_WORKER_H
49 | 


--------------------------------------------------------------------------------
/src/unix/base64.cc:
--------------------------------------------------------------------------------
  1 | /**
  2 |  * Copyright (c) 2006-2018 Apple Inc. All rights reserved.
  3 |  *
  4 |  * Licensed under the Apache License, Version 2.0 (the "License");
  5 |  * you may not use this file except in compliance with the License.
  6 |  * You may obtain a copy of the License at
  7 |  *
  8 |  *     http://www.apache.org/licenses/LICENSE-2.0
  9 |  *
 10 |  * Unless required by applicable law or agreed to in writing, software
 11 |  * distributed under the License is distributed on an "AS IS" BASIS,
 12 |  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 13 |  * See the License for the specific language governing permissions and
 14 |  * limitations under the License.
 15 |  **/
 16 | 
 17 | #include "base64.h"
 18 | 
 19 | #include <stdlib.h>
 20 | #include <string.h>
 21 | 
 22 | // base64 tables
 23 | static const char basis_64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
 24 | static const signed char index_64[128] = {
 25 |     -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
 26 |     -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62,
 27 |     -1, -1, -1, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1, -1, 0,
 28 |     1,  2,  3,  4,  5,  6,  7,  8,  9,  10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22,
 29 |     23, 24, 25, -1, -1, -1, -1, -1, -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38,
 30 |     39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1};
 31 | #define CHAR64(c) (((c) < 0 || (c) > 127) ? -1 : index_64[(c)])
 32 | 
 33 | // base64_encode    :    base64 encode
 34 | //
 35 | // value            :    data to encode
 36 | // vlen             :    length of data
 37 | // (result)         :    new char[] - c-str of result
 38 | char* base64_encode(const unsigned char* value, size_t vlen) {
 39 |     char* result = (char*)malloc((vlen * 4) / 3 + 5);
 40 |     if (result == NULL) {
 41 |         return NULL;
 42 |     }
 43 |     char* out = result;
 44 |     while (vlen >= 3) {
 45 |         *out++ = basis_64[value[0] >> 2];
 46 |         *out++ = basis_64[((value[0] << 4) & 0x30) | (value[1] >> 4)];
 47 |         *out++ = basis_64[((value[1] << 2) & 0x3C) | (value[2] >> 6)];
 48 |         *out++ = basis_64[value[2] & 0x3F];
 49 |         value += 3;
 50 |         vlen -= 3;
 51 |     }
 52 |     if (vlen > 0) {
 53 |         *out++ = basis_64[value[0] >> 2];
 54 |         unsigned char oval = (value[0] << 4) & 0x30;
 55 |         if (vlen > 1)
 56 |             oval |= value[1] >> 4;
 57 |         *out++ = basis_64[oval];
 58 |         *out++ = (vlen < 2) ? '=' : basis_64[(value[1] << 2) & 0x3C];
 59 |         *out++ = '=';
 60 |     }
 61 |     *out = '\0';
 62 | 
 63 |     return result;
 64 | }
 65 | 
 66 | // base64_decode    :    base64 decode
 67 | //
 68 | // value            :    c-str to decode
 69 | // rlen             :    length of decoded result
 70 | // (result)         :    new unsigned char[] - decoded result
 71 | unsigned char* base64_decode(const char* value, size_t* rlen) {
 72 |     *rlen = 0;
 73 |     int c1, c2, c3, c4;
 74 | 
 75 |     size_t vlen = strlen(value);
 76 |     unsigned char* result = (unsigned char*)malloc((vlen * 3) / 4 + 1);
 77 |     if (result == NULL) {
 78 |         return NULL;
 79 |     }
 80 |     unsigned char* out = result;
 81 | 
 82 |     while (1) {
 83 |         if (value[0] == 0) {
 84 |             return result;
 85 |         }
 86 |         c1 = value[0];
 87 |         if (CHAR64(c1) == -1) {
 88 |             goto base64_decode_error;
 89 |             ;
 90 |         }
 91 |         c2 = value[1];
 92 |         if (CHAR64(c2) == -1) {
 93 |             goto base64_decode_error;
 94 |             ;
 95 |         }
 96 |         c3 = value[2];
 97 |         if ((c3 != '=') && (CHAR64(c3) == -1)) {
 98 |             goto base64_decode_error;
 99 |             ;
100 |         }
101 |         c4 = value[3];
102 |         if ((c4 != '=') && (CHAR64(c4) == -1)) {
103 |             goto base64_decode_error;
104 |             ;
105 |         }
106 | 
107 |         value += 4;
108 |         *out++ = (CHAR64(c1) << 2) | (CHAR64(c2) >> 4);
109 |         *rlen += 1;
110 | 
111 |         if (c3 != '=') {
112 |             *out++ = ((CHAR64(c2) << 4) & 0xf0) | (CHAR64(c3) >> 2);
113 |             *rlen += 1;
114 | 
115 |             if (c4 != '=') {
116 |                 *out++ = ((CHAR64(c3) << 6) & 0xc0) | CHAR64(c4);
117 |                 *rlen += 1;
118 |             }
119 |         }
120 |     }
121 | 
122 | base64_decode_error:
123 |     *result = 0;
124 |     *rlen = 0;
125 | 
126 |     return result;
127 | }
128 | 


--------------------------------------------------------------------------------
/src/unix/base64.h:
--------------------------------------------------------------------------------
 1 | /**
 2 |  * Copyright (c) 2006-2008 Apple Inc. All rights reserved.
 3 |  *
 4 |  * Licensed under the Apache License, Version 2.0 (the "License");
 5 |  * you may not use this file except in compliance with the License.
 6 |  * You may obtain a copy of the License at
 7 |  *
 8 |  *     http://www.apache.org/licenses/LICENSE-2.0
 9 |  *
10 |  * Unless required by applicable law or agreed to in writing, software
11 |  * distributed under the License is distributed on an "AS IS" BASIS,
12 |  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 |  * See the License for the specific language governing permissions and
14 |  * limitations under the License.
15 |  **/
16 | #ifndef BASE64_H
17 | #define BASE64_H
18 | 
19 | #include <stddef.h>
20 | 
21 | char* base64_encode(const unsigned char* value, size_t vlen);
22 | unsigned char* base64_decode(const char* value, size_t* rlen);
23 | 
24 | #endif
25 | 


--------------------------------------------------------------------------------
/src/unix/kerberos_gss.h:
--------------------------------------------------------------------------------
  1 | /**
  2 |  * Copyright (c) 2006-2013 Apple Inc. All rights reserved.
  3 |  *
  4 |  * Licensed under the Apache License, Version 2.0 (the "License");
  5 |  * you may not use this file except in compliance with the License.
  6 |  * You may obtain a copy of the License at
  7 |  *
  8 |  *     http://www.apache.org/licenses/LICENSE-2.0
  9 |  *
 10 |  * Unless required by applicable law or agreed to in writing, software
 11 |  * distributed under the License is distributed on an "AS IS" BASIS,
 12 |  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 13 |  * See the License for the specific language governing permissions and
 14 |  * limitations under the License.
 15 |  **/
 16 | 
 17 | #ifndef KERBEROS_GSS_H
 18 | #define KERBEROS_GSS_H
 19 | 
 20 | extern "C" {
 21 |     #include <gssapi/gssapi.h>
 22 |     #include <gssapi/gssapi_generic.h>
 23 |     #include <gssapi/gssapi_krb5.h>
 24 | }
 25 | 
 26 | #include <string>
 27 | 
 28 | namespace node_kerberos {
 29 | 
 30 | const char* krb5_get_err_text(const krb5_context&, krb5_error_code code);
 31 | 
 32 | #define AUTH_GSS_ERROR -1
 33 | #define AUTH_GSS_COMPLETE 1
 34 | #define AUTH_GSS_CONTINUE 0
 35 | 
 36 | #define GSS_AUTH_P_NONE 1
 37 | #define GSS_AUTH_P_INTEGRITY 2
 38 | #define GSS_AUTH_P_PRIVACY 4
 39 | 
 40 | typedef struct {
 41 |     int code;
 42 |     std::string message;
 43 |     std::string data;
 44 | } gss_result;
 45 | 
 46 | struct gss_client_state {
 47 |     gss_ctx_id_t context;
 48 |     gss_name_t server_name;
 49 |     gss_OID mech_oid;
 50 |     long int gss_flags;
 51 |     gss_cred_id_t client_creds;
 52 |     char* username = nullptr;
 53 |     char* response = nullptr;
 54 |     int responseConf = 0;
 55 |     bool context_complete = false;
 56 | 
 57 |     gss_client_state() {}
 58 |     gss_client_state(const gss_client_state&) = delete;
 59 |     gss_client_state& operator=(const gss_client_state&) = delete;
 60 |     ~gss_client_state();
 61 | };
 62 | 
 63 | struct gss_server_state {
 64 |     gss_ctx_id_t context;
 65 |     gss_name_t server_name;
 66 |     gss_name_t client_name;
 67 |     gss_cred_id_t server_creds;
 68 |     gss_cred_id_t client_creds;
 69 |     char* username = nullptr;
 70 |     char* targetname = nullptr;
 71 |     char* response = nullptr;
 72 |     bool context_complete = false;
 73 | 
 74 |     gss_server_state() {}
 75 |     gss_server_state(const gss_server_state&) = delete;
 76 |     gss_server_state& operator=(const gss_server_state&) = delete;
 77 |     ~gss_server_state();
 78 | };
 79 | 
 80 | gss_result server_principal_details(const char* service, const char* hostname);
 81 | 
 82 | gss_result authenticate_gss_client_init(const char* service,
 83 |                                         const char* principal,
 84 |                                         long int gss_flags,
 85 |                                         gss_server_state* delegatestate,
 86 |                                         gss_OID mech_oid,
 87 |                                         gss_client_state* state);
 88 | 
 89 | gss_result authenticate_gss_client_step(gss_client_state* state,
 90 |                                         const char* challenge,
 91 |                                         struct gss_channel_bindings_struct* channel_bindings);
 92 | gss_result authenticate_gss_client_unwrap(gss_client_state* state, const char* challenge);
 93 | gss_result authenticate_gss_client_wrap(gss_client_state* state,
 94 |                                         const char* challenge,
 95 |                                         const char* user,
 96 |                                         int protect);
 97 | gss_result authenticate_gss_server_init(const char* service, gss_server_state* state);
 98 | gss_result authenticate_gss_server_step(gss_server_state* state, const char* challenge);
 99 | 
100 | gss_result authenticate_user_krb5pwd(const char* user,
101 |                                      const char* pswd,
102 |                                      const char* service,
103 |                                      const char* default_realm);
104 | 
105 | }
106 | 
107 | #endif
108 | 


--------------------------------------------------------------------------------
/src/unix/kerberos_unix.cc:
--------------------------------------------------------------------------------
  1 | #include <memory>
  2 | 
  3 | #include "../kerberos.h"
  4 | #include "../kerberos_worker.h"
  5 | 
  6 | namespace node_kerberos {
  7 | 
  8 | using namespace Napi;
  9 | 
 10 | #define GSS_MECH_OID_KRB5 9
 11 | #define GSS_MECH_OID_SPNEGO 6
 12 | 
 13 | static char krb5_mech_oid_bytes[] = "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02";
 14 | gss_OID_desc krb5_mech_oid = {9, &krb5_mech_oid_bytes};
 15 | 
 16 | static char spnego_mech_oid_bytes[] = "\x2b\x06\x01\x05\x05\x02";
 17 | gss_OID_desc spnego_mech_oid = {6, &spnego_mech_oid_bytes};
 18 | 
 19 | /// KerberosClient
 20 | void KerberosClient::Step(const CallbackInfo& info) {
 21 |     auto state = this->state();
 22 |     std::string challenge = info[0].ToString();
 23 |     Function callback = info[1].As<Function>();
 24 | 
 25 |     KerberosWorker::Run(callback, "kerberos:ClientStep", [=](KerberosWorker::SetOnFinishedHandler onFinished) {
 26 |         gss_result result =
 27 |             authenticate_gss_client_step(state.get(), challenge.c_str(), NULL);
 28 | 
 29 |         return onFinished([=](KerberosWorker* worker) {
 30 |             Napi::Env env = worker->Env();
 31 |             if (result.code == AUTH_GSS_ERROR) {
 32 |                 worker->Call(std::initializer_list<napi_value>
 33 |                     { Error::New(env, result.message).Value(), env.Null() });
 34 |                 return;
 35 |             }
 36 | 
 37 |             Napi::Value response = env.Null();
 38 |             if (state->response != nullptr) {
 39 |                 response = String::New(env, state->response);
 40 |             }
 41 | 
 42 |             worker->Call(std::initializer_list<napi_value>
 43 |                 { env.Null(), response });
 44 |         });
 45 |     });
 46 | }
 47 | 
 48 | void KerberosClient::UnwrapData(const CallbackInfo& info) {
 49 |     auto state = this->state();
 50 |     std::string challenge = info[0].ToString();
 51 |     Function callback = info[1].As<Function>();
 52 | 
 53 |     KerberosWorker::Run(callback, "kerberos:ClientUnwrap", [=](KerberosWorker::SetOnFinishedHandler onFinished) {
 54 |         gss_result result =
 55 |             authenticate_gss_client_unwrap(state.get(), challenge.c_str());
 56 | 
 57 |         return onFinished([=](KerberosWorker* worker) {
 58 |             Napi::Env env = worker->Env();
 59 |             if (result.code == AUTH_GSS_ERROR) {
 60 |                 worker->Call(std::initializer_list<napi_value>
 61 |                     { Error::New(env, result.message).Value(), env.Null() });
 62 |                 return;
 63 |             }
 64 | 
 65 |             worker->Call(std::initializer_list<napi_value>
 66 |                 { env.Null(), String::New(env, state->response) });
 67 |         });
 68 |     });
 69 | }
 70 | 
 71 | void KerberosClient::WrapData(const CallbackInfo& info) {
 72 |     auto state = this->state();
 73 |     std::string challenge = info[0].ToString();
 74 |     Object options = info[1].ToObject();
 75 |     Function callback = info[2].As<Function>();
 76 |     std::string user = ToStringWithNonStringAsEmpty(options["user"]);
 77 |     int protect = ParseWrapOptionsProtect(options);
 78 | 
 79 |     KerberosWorker::Run(callback, "kerberos:ClientWrap", [=](KerberosWorker::SetOnFinishedHandler onFinished) {
 80 |         gss_result result = authenticate_gss_client_wrap(
 81 |             state.get(), challenge.c_str(), user.c_str(), protect);
 82 | 
 83 |         return onFinished([=](KerberosWorker* worker) {
 84 |             Napi::Env env = worker->Env();
 85 |             if (result.code == AUTH_GSS_ERROR) {
 86 |                 worker->Call(std::initializer_list<napi_value>
 87 |                     { Error::New(env, result.message).Value(), env.Null() });
 88 |                 return;
 89 |             }
 90 | 
 91 |             worker->Call(std::initializer_list<napi_value>
 92 |                 { env.Null(), String::New(env, state->response) });
 93 |         });
 94 |     });
 95 | }
 96 | 
 97 | /// KerberosServer
 98 | void KerberosServer::Step(const CallbackInfo& info) {
 99 |     auto state = this->state();
100 |     std::string challenge = info[0].ToString();
101 |     Function callback = info[1].As<Function>();
102 | 
103 |     KerberosWorker::Run(callback, "kerberos:ServerStep", [=](KerberosWorker::SetOnFinishedHandler onFinished) {
104 |         gss_result result =
105 |             authenticate_gss_server_step(state.get(), challenge.c_str());
106 | 
107 |         return onFinished([=](KerberosWorker* worker) {
108 |             Napi::Env env = worker->Env();
109 |             if (result.code == AUTH_GSS_ERROR) {
110 |                 worker->Call(std::initializer_list<napi_value>
111 |                     { Error::New(env, result.message).Value(), env.Null() });
112 |                 return;
113 |             }
114 | 
115 |             Napi::Value response = env.Null();
116 |             if (state->response != nullptr) {
117 |                 response = String::New(env, state->response);
118 |             }
119 | 
120 |             worker->Call(std::initializer_list<napi_value>
121 |                 { env.Null(), response });
122 |         });
123 |     });
124 | }
125 | 
126 | /// Global Methods
127 | void InitializeClient(const CallbackInfo& info) {
128 |     std::string service = info[0].ToString();
129 |     Object options = info[1].ToObject();
130 |     Function callback = info[2].As<Function>();
131 | 
132 |     std::string principal = ToStringWithNonStringAsEmpty(options["principal"]);
133 |     Value flags_v = options["flags"];
134 |     uint32_t gss_flags = flags_v.IsNumber() ? flags_v.As<Number>().Uint32Value() : GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG;
135 |     Value mech_oid_v = options["mechOID"];
136 |     uint32_t mech_oid_int = mech_oid_v.IsNumber() ? mech_oid_v.As<Number>().Uint32Value() : 0;
137 |     gss_OID mech_oid = GSS_C_NO_OID;
138 |     if (mech_oid_int == GSS_MECH_OID_KRB5) {
139 |         mech_oid = &krb5_mech_oid;
140 |     } else if (mech_oid_int == GSS_MECH_OID_SPNEGO) {
141 |         mech_oid = &spnego_mech_oid;
142 |     }
143 | 
144 |     KerberosWorker::Run(callback, "kerberos:InitializeClient", [=](KerberosWorker::SetOnFinishedHandler onFinished) {
145 |         auto client_state = std::make_shared<gss_client_state>();
146 |         gss_result result = authenticate_gss_client_init(
147 |             service.c_str(), principal.c_str(), gss_flags, NULL, mech_oid, client_state.get());
148 | 
149 |         return onFinished([=](KerberosWorker* worker) {
150 |             Napi::Env env = worker->Env();
151 |             if (result.code == AUTH_GSS_ERROR) {
152 |                 worker->Call(std::initializer_list<napi_value>
153 |                     { Error::New(env, result.message).Value(), env.Null() });
154 |                 return;
155 |             }
156 | 
157 |             worker->Call(std::initializer_list<napi_value>
158 |                 { env.Null(), KerberosClient::NewInstance(env, std::move(client_state)) });
159 |         });
160 |     });
161 | }
162 | 
163 | void InitializeServer(const CallbackInfo& info) {
164 |     std::string service = info[0].ToString();
165 |     Function callback = info[1].As<Function>();
166 | 
167 |     KerberosWorker::Run(callback, "kerberos:InitializeServer", [=](KerberosWorker::SetOnFinishedHandler onFinished) {
168 |         auto server_state = std::make_shared<gss_server_state>();
169 |         gss_result result =
170 |             authenticate_gss_server_init(service.c_str(), server_state.get());
171 | 
172 |         return onFinished([=](KerberosWorker* worker) {
173 |             Napi::Env env = worker->Env();
174 |             if (result.code == AUTH_GSS_ERROR) {
175 |                 worker->Call(std::initializer_list<napi_value>
176 |                     { Error::New(env, result.message).Value(), env.Null() });
177 |                 return;
178 |             }
179 | 
180 |             worker->Call(std::initializer_list<napi_value>
181 |                 { env.Null(), KerberosServer::NewInstance(env, std::move(server_state)) });
182 |         });
183 |     });
184 | }
185 | 
186 | void PrincipalDetails(const CallbackInfo& info) {
187 |     std::string service = info[0].ToString();
188 |     std::string hostname = info[1].ToString();
189 |     Function callback = info[2].As<Function>();
190 | 
191 |     KerberosWorker::Run(callback, "kerberos:PrincipalDetails", [=](KerberosWorker::SetOnFinishedHandler onFinished) {
192 |         gss_result result =
193 |             server_principal_details(service.c_str(), hostname.c_str());
194 | 
195 |         return onFinished([=](KerberosWorker* worker) {
196 |             Napi::Env env = worker->Env();
197 |             if (result.code == AUTH_GSS_ERROR) {
198 |                 worker->Call(std::initializer_list<napi_value>
199 |                     { Error::New(env, result.message).Value(), env.Null() });
200 |                 return;
201 |             }
202 | 
203 |             worker->Call(std::initializer_list<napi_value>
204 |                 { env.Null(), String::New(env, result.data) });
205 |         });
206 |     });
207 | }
208 | 
209 | void CheckPassword(const CallbackInfo& info) {
210 |     std::string username = info[0].ToString();
211 |     std::string password = info[1].ToString();
212 |     std::string service = info[2].ToString();
213 | 
214 |     std::string defaultRealm;
215 |     Function callback;
216 |     if (info[3].IsFunction()) {
217 |         callback = info[3].As<Function>();
218 |     } else {
219 |         defaultRealm = info[3].ToString();
220 |         callback = info[4].As<Function>();
221 |     }
222 | 
223 |     KerberosWorker::Run(callback, "kerberos:CheckPassword", [=](KerberosWorker::SetOnFinishedHandler onFinished) {
224 |         gss_result result = authenticate_user_krb5pwd(
225 |             username.c_str(), password.c_str(), service.c_str(), defaultRealm.c_str());
226 | 
227 |         return onFinished([=](KerberosWorker* worker) {
228 |             Napi::Env env = worker->Env();
229 |             if (result.code == AUTH_GSS_ERROR) {
230 |                 worker->Call(std::initializer_list<napi_value>
231 |                     { Error::New(env, result.message).Value(), env.Null() });
232 |             } else {
233 |                 worker->Call(std::initializer_list<napi_value>
234 |                     { env.Null(), env.Null() });
235 |             }
236 |         });
237 |     });
238 | }
239 | 
240 | }
241 | 


--------------------------------------------------------------------------------
/src/win32/kerberos_sspi.cc:
--------------------------------------------------------------------------------
  1 | #include <cwchar>
  2 | #include <cstdio>
  3 | #include "kerberos_sspi.h"
  4 | 
  5 | namespace node_kerberos {
  6 | 
  7 | bool kerberos_libraries_available(std::string*) {
  8 |     return true;
  9 | }
 10 | 
 11 | static sspi_result sspi_success_result(INT ret);
 12 | static sspi_result sspi_error_result(DWORD errCode, const SEC_CHAR* msg);
 13 | static sspi_result sspi_error_result_with_message(const char* message);
 14 | static SEC_CHAR* base64_encode(const SEC_CHAR* value, DWORD vlen);
 15 | static SEC_CHAR* base64_decode(const SEC_CHAR* value, DWORD* rlen);
 16 | static CHAR* wide_to_utf8(WCHAR* value);
 17 | 
 18 | sspi_client_state::~sspi_client_state() {
 19 |     if (haveCtx) {
 20 |         DeleteSecurityContext(&ctx);
 21 |     }
 22 |     if (haveCred) {
 23 |         FreeCredentialsHandle(&cred);
 24 |     }
 25 |     free(spn);
 26 |     free(response);
 27 |     free(username);
 28 | }
 29 | 
 30 | sspi_result
 31 | auth_sspi_client_init(WCHAR* service,
 32 |                       ULONG flags,
 33 |                       WCHAR* user,
 34 |                       ULONG ulen,
 35 |                       WCHAR* domain,
 36 |                       ULONG dlen,
 37 |                       WCHAR* password,
 38 |                       ULONG plen,
 39 |                       WCHAR* mechoid,
 40 |                       sspi_client_state* state) {
 41 |     SECURITY_STATUS status;
 42 |     SEC_WINNT_AUTH_IDENTITY_W authIdentity{};
 43 |     TimeStamp ignored;
 44 | 
 45 |     state->response = NULL;
 46 |     state->username = NULL;
 47 |     state->qop = SECQOP_WRAP_NO_ENCRYPT;
 48 |     state->flags = flags;
 49 |     state->haveCred = 0;
 50 |     state->haveCtx = 0;
 51 |     state->spn = _wcsdup(service);
 52 |     if (state->spn == NULL) {
 53 |         return sspi_error_result_with_message("Ran out of memory assigning service");
 54 |     }
 55 | 
 56 |     if (*user) {
 57 |         authIdentity.User = (unsigned short*)user;
 58 |         authIdentity.UserLength = ulen;
 59 | 
 60 |         if (*password) {
 61 |             authIdentity.Password = (unsigned short*)password;
 62 |             authIdentity.PasswordLength = plen;
 63 |         }
 64 | 
 65 |         if (*domain) {
 66 |             authIdentity.Domain = (unsigned short*)domain;
 67 |             authIdentity.DomainLength = dlen;
 68 |         }
 69 | 
 70 |         authIdentity.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
 71 |     }
 72 | 
 73 |     /* Note that the first paramater, pszPrincipal, appears to be
 74 |      * completely ignored in the Kerberos SSP. For more details see
 75 |      * https://github.com/mongodb-labs/winkerberos/issues/11.
 76 |      * */
 77 |     status = AcquireCredentialsHandleW(/* Principal */
 78 |                                        NULL,
 79 |                                        /* Security package name */
 80 |                                        mechoid,
 81 |                                        /* Credentials Use */
 82 |                                        SECPKG_CRED_OUTBOUND,
 83 |                                        /* LogonID (We don't use this) */
 84 |                                        NULL,
 85 |                                        /* AuthData */
 86 |                                        authIdentity.Password ? &authIdentity : NULL,
 87 |                                        /* Always NULL */
 88 |                                        NULL,
 89 |                                        /* Always NULL */
 90 |                                        NULL,
 91 |                                        /* CredHandle */
 92 |                                        &state->cred,
 93 |                                        /* Expiry (Required but unused by us) */
 94 |                                        &ignored);
 95 |     if (status != SEC_E_OK) {
 96 |         return sspi_error_result(status, "AcquireCredentialsHandle");
 97 |     }
 98 | 
 99 |     state->haveCred = 1;
100 |     return sspi_success_result(AUTH_GSS_COMPLETE);
101 | }
102 | 
103 | sspi_result
104 | auth_sspi_client_step(sspi_client_state* state, SEC_CHAR* challenge, SecPkgContext_Bindings* sec_pkg_context_bindings) {
105 |     SecBufferDesc inbuf;
106 |     SecBuffer inBufs[2];
107 |     SecBufferDesc outbuf;
108 |     SecBuffer outBufs[1];
109 |     ULONG ignored;
110 |     SECURITY_STATUS status = AUTH_GSS_CONTINUE;
111 |     DWORD len;
112 |     BOOL haveToken = FALSE;
113 |     INT tokenBufferIndex = 0;
114 |     sspi_result result;
115 | 
116 |     if (state->response != NULL) {
117 |         free(state->response);
118 |         state->response = NULL;
119 |     }
120 | 
121 |     inbuf.ulVersion = SECBUFFER_VERSION;
122 |     inbuf.pBuffers = inBufs;
123 |     inbuf.cBuffers = 0;
124 | 
125 |     if (sec_pkg_context_bindings != NULL) {
126 |         inBufs[inbuf.cBuffers].BufferType = SECBUFFER_CHANNEL_BINDINGS;
127 |         inBufs[inbuf.cBuffers].pvBuffer = sec_pkg_context_bindings->Bindings;
128 |         inBufs[inbuf.cBuffers].cbBuffer = sec_pkg_context_bindings->BindingsLength;
129 |         inbuf.cBuffers++;
130 |     }
131 | 
132 |     tokenBufferIndex = inbuf.cBuffers;
133 |     if (state->haveCtx) {
134 |         haveToken = TRUE;
135 |         inBufs[tokenBufferIndex].BufferType = SECBUFFER_TOKEN;
136 |         inBufs[tokenBufferIndex].pvBuffer = base64_decode(challenge, &len);
137 |         if (!inBufs[tokenBufferIndex].pvBuffer) {
138 |            return sspi_error_result_with_message("Unable to base64 decode pvBuffer");
139 |         }
140 | 
141 |         inBufs[tokenBufferIndex].cbBuffer = len;
142 |         inbuf.cBuffers++;
143 |     }
144 | 
145 |     outbuf.ulVersion = SECBUFFER_VERSION;
146 |     outbuf.cBuffers = 1;
147 |     outbuf.pBuffers = outBufs;
148 |     outBufs[0].pvBuffer = NULL;
149 |     outBufs[0].cbBuffer = 0;
150 |     outBufs[0].BufferType = SECBUFFER_TOKEN;
151 | 
152 |     status = InitializeSecurityContextW(/* CredHandle */
153 |                                         &state->cred,
154 |                                         /* CtxtHandle (NULL on first call) */
155 |                                         state->haveCtx ? &state->ctx : NULL,
156 |                                         /* Service Principal Name */
157 |                                         state->spn,
158 |                                         /* Flags */
159 |                                         ISC_REQ_ALLOCATE_MEMORY | state->flags,
160 |                                         /* Always 0 */
161 |                                         0,
162 |                                         /* Target data representation */
163 |                                         SECURITY_NETWORK_DREP,
164 |                                         /* Challenge (Set to NULL if no buffers are set) */
165 |                                         inbuf.cBuffers > 0 ? &inbuf : NULL,
166 |                                         /* Always 0 */
167 |                                         0,
168 |                                         /* CtxtHandle (Set on first call) */
169 |                                         &state->ctx,
170 |                                         /* Output */
171 |                                         &outbuf,
172 |                                         /* Context attributes */
173 |                                         &ignored,
174 |                                         /* Expiry (We don't use this) */
175 |                                         NULL);
176 | 
177 |     if (status != SEC_E_OK && status != SEC_I_CONTINUE_NEEDED) {
178 |         result = sspi_error_result(status, "InitializeSecurityContext");
179 |         goto done;
180 |     }
181 | 
182 |     state->haveCtx = 1;
183 |     state->context_complete = TRUE;
184 |     if (outBufs[0].cbBuffer) {
185 |         state->response = base64_encode((const SEC_CHAR*)outBufs[0].pvBuffer, outBufs[0].cbBuffer);
186 |         if (!state->response) {
187 |             status = AUTH_GSS_ERROR;
188 |             goto done;
189 |         }
190 |     }
191 | 
192 |     if (status == SEC_E_OK) {
193 |         /* Get authenticated username. */
194 |         SecPkgContext_NamesW names;
195 |         status = QueryContextAttributesW(
196 |             &state->ctx, SECPKG_ATTR_NAMES, &names);
197 | 
198 |         if (status != SEC_E_OK) {
199 |             result = sspi_error_result(status, "QueryContextAttributesW");
200 |             goto done;
201 |         }
202 | 
203 |         state->username = wide_to_utf8(names.sUserName);
204 |         if (state->username == NULL) {
205 |             result = sspi_error_result_with_message("Unable to allocate memory for username");
206 |             goto done;
207 |         }
208 | 
209 |         FreeContextBuffer(names.sUserName);
210 |         result = sspi_success_result(AUTH_GSS_COMPLETE);
211 |     } else {
212 |         result = sspi_success_result(AUTH_GSS_CONTINUE);
213 |     }
214 | done:
215 |     if (haveToken) {
216 |         free(inBufs[tokenBufferIndex].pvBuffer);
217 |     }
218 |     if (outBufs[0].pvBuffer) {
219 |         FreeContextBuffer(outBufs[0].pvBuffer);
220 |     }
221 | 
222 |     return result;
223 | }
224 | 
225 | sspi_result
226 | auth_sspi_client_unwrap(sspi_client_state* state, SEC_CHAR* challenge) {
227 |     sspi_result result;
228 |     SECURITY_STATUS status;
229 |     DWORD len;
230 |     SecBuffer wrapBufs[2];
231 |     SecBufferDesc wrapBufDesc;
232 |     wrapBufDesc.ulVersion = SECBUFFER_VERSION;
233 |     wrapBufDesc.cBuffers = 2;
234 |     wrapBufDesc.pBuffers = wrapBufs;
235 | 
236 |     if (state->response != NULL) {
237 |         free(state->response);
238 |         state->response = NULL;
239 |         state->qop = SECQOP_WRAP_NO_ENCRYPT;
240 |     }
241 | 
242 |     if (!state->haveCtx) {
243 |         return sspi_error_result_with_message("Uninitialized security context. You must use authGSSClientStep to initialize the security context before calling this function.");
244 |     }
245 | 
246 |     wrapBufs[0].pvBuffer = base64_decode(challenge, &len);
247 |     if (!wrapBufs[0].pvBuffer) {
248 |         return sspi_error_result_with_message("Unable to decode base64 response");
249 |     }
250 | 
251 |     wrapBufs[0].cbBuffer = len;
252 |     wrapBufs[0].BufferType = SECBUFFER_STREAM;
253 | 
254 |     wrapBufs[1].pvBuffer = NULL;
255 |     wrapBufs[1].cbBuffer = 0;
256 |     wrapBufs[1].BufferType = SECBUFFER_DATA;
257 | 
258 |     status = DecryptMessage(&state->ctx, &wrapBufDesc, 0, &state->qop);
259 |     if (status != SEC_E_OK) {
260 |         result = sspi_error_result(status, "DecryptMessage");
261 |         goto done;
262 |     }
263 | 
264 |     if (wrapBufs[1].cbBuffer) {
265 |         state->response = base64_encode((const SEC_CHAR*)wrapBufs[1].pvBuffer, wrapBufs[1].cbBuffer);
266 |         if (!state->response) {
267 |             result = sspi_error_result_with_message("Unable to base64 encode decrypted message");
268 |             goto done;
269 |         }
270 |     }
271 | 
272 |     result = sspi_success_result(AUTH_GSS_COMPLETE);
273 | done:
274 |     if (wrapBufs[0].pvBuffer) {
275 |         free(wrapBufs[0].pvBuffer);
276 |     }
277 | 
278 |     return result;
279 | }
280 | 
281 | sspi_result
282 | auth_sspi_client_wrap(sspi_client_state* state,
283 |                       SEC_CHAR* data,
284 |                       SEC_CHAR* user,
285 |                       ULONG ulen,
286 |                       INT protect) {
287 |     SECURITY_STATUS status;
288 |     SecPkgContext_Sizes sizes;
289 |     SecBuffer wrapBufs[3];
290 |     SecBufferDesc wrapBufDesc;
291 |     SEC_CHAR* decodedData = NULL;
292 |     SEC_CHAR* inbuf;
293 |     SIZE_T inbufSize;
294 |     SEC_CHAR* outbuf;
295 |     DWORD outbufSize;
296 |     SEC_CHAR* plaintextMessage;
297 |     ULONG plaintextMessageSize;
298 | 
299 |     if (state->response != NULL) {
300 |         free(state->response);
301 |         state->response = NULL;
302 |     }
303 | 
304 |     if (!state->haveCtx) {
305 |         return sspi_error_result_with_message("Uninitialized security context. You must use authGSSClientStep to initialize the security context before calling this function.");
306 |     }
307 | 
308 |     status = QueryContextAttributes(&state->ctx, SECPKG_ATTR_SIZES, &sizes);
309 |     if (status != SEC_E_OK) {
310 |         return sspi_error_result(status, "QueryContextAttributes");
311 |     }
312 | 
313 |     if (*user) {
314 |         /* Length of user + 4 bytes for security layer (see below). */
315 |         plaintextMessageSize = ulen + 4;
316 |     } else {
317 |         decodedData = base64_decode(data, &plaintextMessageSize);
318 |         if (!decodedData) {
319 |             return sspi_error_result_with_message("Unable to base64 decode message");
320 |         }
321 |     }
322 | 
323 |     inbufSize =
324 |         sizes.cbSecurityTrailer + plaintextMessageSize + sizes.cbBlockSize;
325 |     inbuf = (SEC_CHAR*)malloc(inbufSize);
326 |     if (inbuf == NULL) {
327 |         free(decodedData);
328 |         return sspi_error_result_with_message("Unable to allocate memory for buffer");
329 |     }
330 | 
331 |     plaintextMessage = inbuf + sizes.cbSecurityTrailer;
332 |     if (*user) {
333 |         /* Authenticate the provided user. Unlike pykerberos, we don't
334 |          * need any information from "data" to do that.
335 |          */
336 |         plaintextMessage[0] = 1; /* No security layer */
337 |         plaintextMessage[1] = 0;
338 |         plaintextMessage[2] = 0;
339 |         plaintextMessage[3] = 0;
340 |         memcpy_s(
341 |             plaintextMessage + 4,
342 |             inbufSize - sizes.cbSecurityTrailer - 4,
343 |             user,
344 |             strlen(user));
345 |     } else {
346 |         /* No user provided. Just rewrap data. */
347 |         memcpy_s(
348 |             plaintextMessage,
349 |             inbufSize - sizes.cbSecurityTrailer,
350 |             decodedData,
351 |             plaintextMessageSize);
352 |         free(decodedData);
353 |     }
354 | 
355 |     wrapBufDesc.cBuffers = 3;
356 |     wrapBufDesc.pBuffers = wrapBufs;
357 |     wrapBufDesc.ulVersion = SECBUFFER_VERSION;
358 | 
359 |     wrapBufs[0].cbBuffer = sizes.cbSecurityTrailer;
360 |     wrapBufs[0].BufferType = SECBUFFER_TOKEN;
361 |     wrapBufs[0].pvBuffer = inbuf;
362 | 
363 |     wrapBufs[1].cbBuffer = (ULONG)plaintextMessageSize;
364 |     wrapBufs[1].BufferType = SECBUFFER_DATA;
365 |     wrapBufs[1].pvBuffer = inbuf + sizes.cbSecurityTrailer;
366 | 
367 |     wrapBufs[2].cbBuffer = sizes.cbBlockSize;
368 |     wrapBufs[2].BufferType = SECBUFFER_PADDING;
369 |     wrapBufs[2].pvBuffer =
370 |         inbuf + (sizes.cbSecurityTrailer + plaintextMessageSize);
371 | 
372 |     status = EncryptMessage(
373 |         &state->ctx,
374 |         protect ? 0 : SECQOP_WRAP_NO_ENCRYPT,
375 |         &wrapBufDesc,
376 |         0);
377 |     if (status != SEC_E_OK) {
378 |         free(inbuf);
379 |         return sspi_error_result(status, "EncryptMessage");
380 |     }
381 | 
382 |     outbufSize =
383 |         wrapBufs[0].cbBuffer + wrapBufs[1].cbBuffer + wrapBufs[2].cbBuffer;
384 |     outbuf = (SEC_CHAR*)malloc(sizeof(SEC_CHAR) * outbufSize);
385 |     if (outbuf == NULL) {
386 |         free(inbuf);
387 |         return sspi_error_result_with_message("Unable to allocate memory for out buffer");
388 |     }
389 | 
390 |     memcpy_s(outbuf,
391 |              outbufSize,
392 |              wrapBufs[0].pvBuffer,
393 |              wrapBufs[0].cbBuffer);
394 |     memcpy_s(outbuf + wrapBufs[0].cbBuffer,
395 |              outbufSize - wrapBufs[0].cbBuffer,
396 |              wrapBufs[1].pvBuffer,
397 |              wrapBufs[1].cbBuffer);
398 |     memcpy_s(outbuf + wrapBufs[0].cbBuffer + wrapBufs[1].cbBuffer,
399 |              outbufSize - wrapBufs[0].cbBuffer - wrapBufs[1].cbBuffer,
400 |              wrapBufs[2].pvBuffer,
401 |              wrapBufs[2].cbBuffer);
402 |     state->response = base64_encode(outbuf, outbufSize);
403 | 
404 |     sspi_result result;
405 |     if (!state->response) {
406 |         result = sspi_error_result_with_message("Unable to base64 decode outbuf");
407 |     } else {
408 |         result = sspi_success_result(AUTH_GSS_COMPLETE);
409 |     }
410 | 
411 |     free(inbuf);
412 |     free(outbuf);
413 |     return result;
414 | }
415 | 
416 | static sspi_result sspi_success_result(int ret) {
417 |     return { ret, "", "" };
418 | }
419 | 
420 | static sspi_result sspi_error_result(DWORD errCode, const SEC_CHAR* msg) {
421 |     SEC_CHAR* err = NULL;
422 |     DWORD status;
423 |     DWORD flags = (FORMAT_MESSAGE_ALLOCATE_BUFFER |
424 |                    FORMAT_MESSAGE_FROM_SYSTEM |
425 |                    FORMAT_MESSAGE_IGNORE_INSERTS);
426 | 
427 |     status = FormatMessageA(flags,
428 |                             NULL,
429 |                             errCode,
430 |                             MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
431 |                             (LPSTR)&err,
432 |                             0,
433 |                             NULL);
434 | 
435 |     sspi_result result;
436 |     result.code = AUTH_GSS_ERROR;
437 |     if (status) {
438 |         result.message = std::string(msg) + ": " + err;
439 |     } else {
440 |         result.message = msg;
441 |     }
442 |     LocalFree(err);
443 | 
444 |     return result;
445 | }
446 | 
447 | static sspi_result sspi_error_result_with_message(const char* message) {
448 |     return { AUTH_GSS_ERROR, message, "" };
449 | }
450 | 
451 | static SEC_CHAR*
452 | base64_encode(const SEC_CHAR* value, DWORD vlen) {
453 |     SEC_CHAR* out = NULL;
454 |     DWORD len;
455 |     /* Get the correct size for the out buffer. */
456 |     if (CryptBinaryToStringA((BYTE*)value,
457 |                              vlen,
458 |                              CRYPT_STRING_BASE64|CRYPT_STRING_NOCRLF,
459 |                              NULL,
460 |                              &len)) {
461 |         out = (SEC_CHAR*)malloc(sizeof(SEC_CHAR) * len);
462 |         if (out) {
463 |             /* Encode to the out buffer. */
464 |             if (CryptBinaryToStringA((BYTE*)value,
465 |                                      vlen,
466 |                                      CRYPT_STRING_BASE64|CRYPT_STRING_NOCRLF,
467 |                                      out,
468 |                                      &len)) {
469 |                 return out;
470 |             } else {
471 |                 free(out);
472 |             }
473 |         }
474 |     }
475 | 
476 |     return NULL;
477 | }
478 | 
479 | static SEC_CHAR*
480 | base64_decode(const SEC_CHAR* value, DWORD* rlen) {
481 |     SEC_CHAR* out = NULL;
482 |     /* Get the correct size for the out buffer. */
483 |     if (CryptStringToBinaryA(value,
484 |                              0,
485 |                              CRYPT_STRING_BASE64,
486 |                              NULL,
487 |                              rlen,
488 |                              NULL,
489 |                              NULL)) {
490 |         out = (SEC_CHAR*)malloc(sizeof(SEC_CHAR) * *rlen);
491 |         if (out) {
492 |             /* Decode to the out buffer. */
493 |             if (CryptStringToBinaryA(value,
494 |                                      0,
495 |                                      CRYPT_STRING_BASE64,
496 |                                      (BYTE*)out,
497 |                                      rlen,
498 |                                      NULL,
499 |                                      NULL)) {
500 |                 return out;
501 |             } else {
502 |                 free(out);
503 |             }
504 |         }
505 |     }
506 | 
507 |     return NULL;
508 | }
509 | 
510 | static CHAR*
511 | wide_to_utf8(WCHAR* value) {
512 |     CHAR* out;
513 |     INT len = WideCharToMultiByte(CP_UTF8,
514 |                                   0,
515 |                                   value,
516 |                                   -1,
517 |                                   NULL,
518 |                                   0,
519 |                                   NULL,
520 |                                   NULL);
521 |     if (len) {
522 |         out = (CHAR*)malloc(sizeof(CHAR) * len);
523 |         if (!out) {
524 |             return NULL;
525 |         }
526 | 
527 |         if (WideCharToMultiByte(CP_UTF8,
528 |                                 0,
529 |                                 value,
530 |                                 -1,
531 |                                 out,
532 |                                 len,
533 |                                 NULL,
534 |                                 NULL)) {
535 |             return out;
536 |         } else {
537 |             free(out);
538 |         }
539 |     }
540 | 
541 |     return NULL;
542 | }
543 | 
544 | }
545 | 


--------------------------------------------------------------------------------
/src/win32/kerberos_sspi.h:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * Copyright 2016 MongoDB, Inc.
 3 |  *
 4 |  * Licensed under the Apache License, Version 2.0 (the "License");
 5 |  * you may not use this file except in compliance with the License.
 6 |  * You may obtain a copy of the License at
 7 |  *
 8 |  * http://www.apache.org/licenses/LICENSE-2.0
 9 |  *
10 |  * Unless required by applicable law or agreed to in writing, software
11 |  * distributed under the License is distributed on an "AS IS" BASIS,
12 |  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 |  * See the License for the specific language governing permissions and
14 |  * limitations under the License.
15 |  */
16 | 
17 | #ifndef KERBEROS_SSPI_H
18 | #define KERBEROS_SSPI_H
19 | 
20 | #define SECURITY_WIN32 1 /* Required for SSPI */
21 | 
22 | #include <windows.h>
23 | #include <sspi.h>
24 | #include <string>
25 | 
26 | namespace node_kerberos {
27 | 
28 | #define AUTH_GSS_ERROR -1
29 | #define AUTH_GSS_COMPLETE 1
30 | #define AUTH_GSS_CONTINUE 0
31 | 
32 | typedef struct {
33 |     int code;
34 |     std::string message;
35 |     std::string data;
36 | } sspi_result;
37 | 
38 | struct sspi_client_state {
39 |     CredHandle cred;
40 |     CtxtHandle ctx;
41 |     WCHAR* spn = nullptr;
42 |     SEC_CHAR* response = nullptr;
43 |     SEC_CHAR* username = nullptr;
44 |     ULONG flags;
45 |     UCHAR haveCred = 0;
46 |     UCHAR haveCtx = 0;
47 |     ULONG qop;
48 | 
49 |     INT responseConf = 0;
50 |     BOOL context_complete = FALSE;
51 | 
52 |     sspi_client_state() {}
53 |     sspi_client_state(const sspi_client_state&) = delete;
54 |     sspi_client_state& operator=(const sspi_client_state&) = delete;
55 |     ~sspi_client_state();
56 | };
57 | 
58 | struct sspi_server_state {
59 |     // This is unused currently
60 |     WCHAR* username = nullptr;
61 |     WCHAR* response = nullptr;
62 |     BOOL context_complete = FALSE;
63 |     char* targetname = nullptr;
64 | };
65 | 
66 | sspi_client_state* sspi_client_state_new();
67 | VOID auth_sspi_client_clean(sspi_client_state* state);
68 | sspi_result auth_sspi_client_init(WCHAR* service,
69 |                                    ULONG flags,
70 |                                    WCHAR* user,
71 |                                    ULONG ulen,
72 |                                    WCHAR* domain,
73 |                                    ULONG dlen,
74 |                                    WCHAR* password,
75 |                                    ULONG plen,
76 |                                    WCHAR* mechoid,
77 |                                    sspi_client_state* state);
78 | 
79 | sspi_result auth_sspi_client_step(sspi_client_state* state, SEC_CHAR* challenge, SecPkgContext_Bindings* sec_pkg_context_bindings);
80 | sspi_result auth_sspi_client_unwrap(sspi_client_state* state, SEC_CHAR* challenge);
81 | sspi_result auth_sspi_client_wrap(sspi_client_state* state, SEC_CHAR* data, SEC_CHAR* user, ULONG ulen, INT protect);
82 | 
83 | }
84 | 
85 | #endif
86 | 


--------------------------------------------------------------------------------
/src/win32/kerberos_win32.cc:
--------------------------------------------------------------------------------
  1 | #include <memory>
  2 | 
  3 | #include "../kerberos.h"
  4 | #include "../kerberos_worker.h"
  5 | 
  6 | namespace node_kerberos {
  7 | 
  8 | using namespace Napi;
  9 | 
 10 | inline std::wstring ToWStringWithNonStringAsEmpty(Value value) {
 11 |     static_assert(sizeof(std::wstring::value_type) == sizeof(std::u16string::value_type),
 12 |         "wstring and u16string have the same value type on Windows");
 13 |     if (!value.IsString()) {
 14 |         return std::wstring();
 15 |     }
 16 |     std::u16string u16 = value.As<String>();
 17 |     return std::wstring(u16.begin(), u16.end());
 18 | }
 19 | 
 20 | #define GSS_MECH_OID_KRB5 9
 21 | #define GSS_MECH_OID_SPNEGO 6
 22 | #define GSS_MECH_OID_KRB5_STR L"Kerberos"
 23 | #define GSS_MECH_OID_SPNEGO_STR L"Negotiate"
 24 | 
 25 | #define GSS_C_MUTUAL_FLAG 2
 26 | #define GSS_C_REPLAY_FLAG 4
 27 | #define GSS_C_SEQUENCE_FLAG 8
 28 | 
 29 | /// KerberosClient
 30 | void KerberosClient::Step(const CallbackInfo& info) {
 31 |     auto state = this->state();
 32 |     std::string challenge = info[0].ToString();
 33 |     Function callback = info[1].As<Function>();
 34 | 
 35 |     KerberosWorker::Run(callback, "kerberos:ClientStep", [=](KerberosWorker::SetOnFinishedHandler onFinished) {
 36 |         sspi_result result =
 37 |             auth_sspi_client_step(state.get(), (SEC_CHAR*)challenge.c_str(), NULL);
 38 | 
 39 |         return onFinished([=](KerberosWorker* worker) {
 40 |             Napi::Env env = worker->Env();
 41 |             if (result.code == AUTH_GSS_ERROR) {
 42 |                 worker->Call(std::initializer_list<napi_value>
 43 |                     { Error::New(env, result.message).Value(), env.Null() });
 44 |                 return;
 45 |             }
 46 | 
 47 |             Napi::Value response = env.Null();
 48 |             if (state->response != nullptr) {
 49 |                 response = String::New(env, state->response);
 50 |             }
 51 | 
 52 |             worker->Call(std::initializer_list<napi_value>
 53 |                 { env.Null(), response });
 54 |         });
 55 |     });
 56 | }
 57 | 
 58 | void KerberosClient::UnwrapData(const CallbackInfo& info) {
 59 |     auto state = this->state();
 60 |     std::string challenge = info[0].ToString();
 61 |     Function callback = info[1].As<Function>();
 62 | 
 63 |     KerberosWorker::Run(callback, "kerberos:ClientUnwrap", [=](KerberosWorker::SetOnFinishedHandler onFinished) {
 64 |         sspi_result result =
 65 |             auth_sspi_client_unwrap(state.get(), (SEC_CHAR*)challenge.c_str());
 66 | 
 67 |         return onFinished([=](KerberosWorker* worker) {
 68 |             Napi::Env env = worker->Env();
 69 |             if (result.code == AUTH_GSS_ERROR) {
 70 |                 worker->Call(std::initializer_list<napi_value>
 71 |                     { Error::New(env, result.message).Value(), env.Null() });
 72 |                 return;
 73 |             }
 74 | 
 75 |             worker->Call(std::initializer_list<napi_value>
 76 |                 { env.Null(), String::New(env, state->response) });
 77 |         });
 78 |     });
 79 | }
 80 | 
 81 | static bool isStringTooLong(const std::string& str) {
 82 |     return str.length() >= ULONG_MAX;
 83 | }
 84 | 
 85 | static bool isWStringTooLong(const std::wstring& str) {
 86 |     return str.length() >= ULONG_MAX;
 87 | }
 88 | 
 89 | void KerberosClient::WrapData(const CallbackInfo& info) {
 90 |     auto state = this->state();
 91 |     std::string challenge = info[0].ToString();
 92 |     Object options = info[1].ToObject();
 93 |     Function callback = info[2].As<Function>();
 94 |     std::string user = ToStringWithNonStringAsEmpty(options["user"]);
 95 |     int protect = ParseWrapOptionsProtect(options);
 96 | 
 97 |     if (isStringTooLong(user)) {
 98 |         throw Error::New(info.Env(), "User name is too long");
 99 |     }
100 | 
101 |     KerberosWorker::Run(callback, "kerberos:ClientWrap", [=](KerberosWorker::SetOnFinishedHandler onFinished) {
102 |         sspi_result result = auth_sspi_client_wrap(
103 |             state.get(), (SEC_CHAR*)challenge.c_str(), (SEC_CHAR*)user.c_str(), (ULONG)user.length(), protect);
104 | 
105 |         return onFinished([=](KerberosWorker* worker) {
106 |             Napi::Env env = worker->Env();
107 | 
108 |             if (result.code == AUTH_GSS_ERROR) {
109 |                 worker->Call(std::initializer_list<napi_value>
110 |                     { Error::New(env, result.message).Value(), env.Null() });
111 |                 return;
112 |             }
113 | 
114 |             worker->Call(std::initializer_list<napi_value>
115 |                 { env.Null(), String::New(env, state->response) });
116 |         });
117 |     });
118 | }
119 | 
120 | /// KerberosServer
121 | void KerberosServer::Step(const CallbackInfo& info) {
122 |     throw Error::New(info.Env(), "`KerberosServer::Step` is not implemented yet for windows");
123 | }
124 | 
125 | /// Global Methods
126 | void InitializeClient(const CallbackInfo& info) {
127 |     std::wstring service = ToWStringWithNonStringAsEmpty(info[0]);
128 |     Object options = info[1].ToObject();
129 |     Function callback = info[2].As<Function>();
130 | 
131 |     std::wstring user = ToWStringWithNonStringAsEmpty(options["user"]);
132 |     std::wstring domain = ToWStringWithNonStringAsEmpty(options["domain"]);
133 |     std::wstring password = ToWStringWithNonStringAsEmpty(options["password"]);
134 | 
135 |     if (isWStringTooLong(user)) {
136 |         throw Error::New(info.Env(), "User name is too long");
137 |     }
138 |     if (isWStringTooLong(domain)) {
139 |         throw Error::New(info.Env(), "Domain is too long");
140 |     }
141 |     if (isWStringTooLong(password)) {
142 |         throw Error::New(info.Env(), "Password is too long");
143 |     }
144 | 
145 |     Value flags_v = options["flags"];
146 |     ULONG gss_flags = flags_v.IsNumber() ? flags_v.As<Number>().Uint32Value() : GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG;
147 |     Value mech_oid_v = options["mechOID"];
148 |     uint32_t mech_oid_int = mech_oid_v.IsNumber() ? mech_oid_v.As<Number>().Uint32Value() : 0;
149 |     std::wstring mech_oid = GSS_MECH_OID_KRB5_STR;
150 |     if (mech_oid_int == GSS_MECH_OID_SPNEGO) {
151 |         mech_oid = GSS_MECH_OID_SPNEGO_STR;
152 |     }
153 | 
154 |     KerberosWorker::Run(callback, "kerberos:InitializeClient", [=](KerberosWorker::SetOnFinishedHandler onFinished) {
155 |         auto client_state = std::make_shared<sspi_client_state>();
156 |         sspi_result result = auth_sspi_client_init(
157 |             (WCHAR*)service.c_str(), gss_flags, (WCHAR*)user.c_str(), (ULONG)user.length(),
158 |             (WCHAR*)domain.c_str(), (ULONG)domain.length(), (WCHAR*)password.c_str(), (ULONG)password.length(),
159 |             (WCHAR*)mech_oid.c_str(), client_state.get());
160 | 
161 |         return onFinished([=](KerberosWorker* worker) {
162 |             Napi::Env env = worker->Env();
163 |             if (result.code == AUTH_GSS_ERROR) {
164 |                 worker->Call(std::initializer_list<napi_value>
165 |                     { Error::New(env, result.message).Value(), env.Null() });
166 |                 return;
167 |             }
168 | 
169 |             worker->Call(std::initializer_list<napi_value>
170 |                 { env.Null(), KerberosClient::NewInstance(env, std::move(client_state)) });
171 |         });
172 |     });
173 | }
174 | 
175 | void InitializeServer(const CallbackInfo& info) {
176 |     throw Error::New(info.Env(), "`initializeServer` is not implemented yet for windows");
177 | }
178 | 
179 | void PrincipalDetails(const CallbackInfo& info) {
180 |     throw Error::New(info.Env(), "`principalDetails` is not implemented yet for windows");
181 | }
182 | 
183 | void CheckPassword(const CallbackInfo& info) {
184 |     throw Error::New(info.Env(), "`checkPassword` is not implemented yet for windows");
185 | }
186 | 
187 | }
188 | 


--------------------------------------------------------------------------------
/test/bundling/webpack/.gitignore:
--------------------------------------------------------------------------------
1 | dist/


--------------------------------------------------------------------------------
/test/bundling/webpack/install_kerberos.cjs:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const { execSync } = require('node:child_process');
 4 | const { readFileSync } = require('node:fs');
 5 | const { resolve } = require('node:path');
 6 | 
 7 | const xtrace = (...args) => {
 8 |   console.log(`running: ${args[0]}`);
 9 |   return execSync(...args);
10 | };
11 | 
12 | const kerberosRoot = resolve(__dirname, '../../..');
13 | console.log(`kerberos package root: ${kerberosRoot}`);
14 | 
15 | const kerberosVersion = JSON.parse(
16 |   readFileSync(resolve(kerberosRoot, 'package.json'), { encoding: 'utf8' })
17 | ).version;
18 | console.log(`kerberos Version: ${kerberosVersion}`);
19 | 
20 | xtrace('npm pack --pack-destination test/bundling/webpack', { cwd: kerberosRoot });
21 | 
22 | xtrace(`npm install --no-save kerberos-${kerberosVersion}.tgz`);
23 | 
24 | console.log('kerberos installed!');
25 | 


--------------------------------------------------------------------------------
/test/bundling/webpack/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "my-webpack-project",
 3 |   "version": "1.0.0",
 4 |   "private": true,
 5 |   "description": "My webpack project",
 6 |   "main": "index.js",
 7 |   "scripts": {
 8 |     "install:kerberos": "node install_kerberos.cjs",
 9 |     "test": "webpack",
10 |     "build": "webpack --mode=production --node-env=production",
11 |     "build:dev": "webpack --mode=development",
12 |     "build:prod": "webpack --mode=production --node-env=production",
13 |     "watch": "webpack --watch"
14 |   },
15 |   "devDependencies": {
16 |     "@webpack-cli/generators": "^3.0.1",
17 |     "node-loader": "^2.1.0",
18 |     "webpack": "^5.75.0",
19 |     "webpack-cli": "^5.0.1"
20 |   }
21 | }
22 | 


--------------------------------------------------------------------------------
/test/bundling/webpack/readme.md:
--------------------------------------------------------------------------------
 1 | # Webpack kerberos setup example
 2 | 
 3 | In order to use kerberos with webpack there are two changes beyond the default config file needed:
 4 | - Set `experiments: { topLevelAwait: true }` in the top-level config object
 5 | - Set `resolve: { fallback: { crypto: false } }` in the top-level config object
 6 | - `npm install --save-dev node-loader` and use it to handle all .node files.
 7 | 
 8 | ## Testing
 9 | 
10 | To use this bundler test:
11 | - Make changes to bson
12 | - run `npm run build` in the root of the repo to rebuild the kerberos src
13 | - in this directory run `npm run install:kerberos` to install kerberos as if it were from npm
14 |   - We use a `.tgz` install to make sure we're using exactly what will be published to npm
15 | - run `npm run build` to check that webpack can pull in the changes
16 | 


--------------------------------------------------------------------------------
/test/bundling/webpack/src/index.js:
--------------------------------------------------------------------------------
1 | 'use strict';
2 | const kerberos = require('kerberos');
3 | console.log(kerberos);
4 | 


--------------------------------------------------------------------------------
/test/bundling/webpack/webpack.config.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const path = require('path');
 4 | 
 5 | const isProduction = process.env.NODE_ENV === 'production';
 6 | 
 7 | const config = {
 8 |   entry: './src/index.js',
 9 |   output: {
10 |     path: path.resolve(__dirname, 'dist')
11 |   },
12 |   experiments: { topLevelAwait: true },
13 |   target: 'node',
14 |   module: {
15 |     rules: [
16 |       {
17 |         test: /\.node$/i,
18 |         loader: 'node-loader'
19 |       }
20 |     ]
21 |   },
22 |   resolve: {
23 |     extensions: ['.js', '...', '.node'],
24 |     fallback: { crypto: false }
25 |   }
26 | };
27 | 
28 | module.exports = () => {
29 |   if (isProduction) {
30 |     config.mode = 'production';
31 |   } else {
32 |     config.mode = 'development';
33 |   }
34 |   return config;
35 | };
36 | 


--------------------------------------------------------------------------------
/test/defineOperation_tests.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const { loadBindings } = require('../lib/util');
 4 | 
 5 | const kerberos = loadBindings();
 6 | const defineOperation = require('../lib/util').defineOperation;
 7 | const expect = require('chai').expect;
 8 | 
 9 | const testMethod = defineOperation(kerberos._testMethod, [
10 |   { name: 'string', type: 'string' },
11 |   { name: 'shouldError', type: 'boolean', default: false },
12 |   { name: 'optionalString', type: 'string', required: false },
13 |   { name: 'callback', type: 'function', required: false }
14 | ]);
15 | 
16 | describe('defineOperation', () => {
17 |   it('should validate parameters', function () {
18 |     expect(() => testMethod(42)).to.throw(/Invalid type for parameter/);
19 |   });
20 | 
21 |   it('should validate optional parameters, with valid parameters after', function () {
22 |     expect(() => testMethod('llamas', false, true, () => { })).to.throw(
23 |       /Invalid type for parameter `optionalString`/
24 |     );
25 |   });
26 | 
27 |   it('should support defaults', function (done) {
28 |     expect(() => testMethod('testing')).to.not.throw();
29 |     testMethod('testing', true, err => {
30 |       expect(err).to.exist;
31 |       done();
32 |     });
33 |   });
34 | 
35 |   it('should return a promise if no callback is provided', function () {
36 |     const promise = testMethod('llamas', false);
37 |     expect(promise).to.be.instanceOf(Promise);
38 |   });
39 | 
40 |   it('should use a callback if provided', function (done) {
41 |     testMethod('testing', false, 'optional', (err, result) => {
42 |       expect(err).to.not.exist;
43 |       expect(result).to.equal('optional');
44 | 
45 |       testMethod('testing', true, 'optional', (err, result) => {
46 |         expect(err).to.exist;
47 |         expect(result).to.not.exist;
48 | 
49 |         done();
50 |       });
51 |     });
52 |   });
53 | });
54 | 


--------------------------------------------------------------------------------
/test/exports_tests.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const chai = require('chai');
 4 | const expect = chai.expect;
 5 | const api = require('../lib/index');
 6 | 
 7 | describe('module', function () {
 8 |   it('should export version', function () {
 9 |     expect(api.version).to.be.a('string');
10 |     expect(api.version).to.match(/\d+\.\d+/);
11 |   });
12 | 
13 |   it('should export flags and ids', function () {
14 |     [
15 |       api.GSS_C_DELEG_FLAG,
16 |       api.GSS_C_MUTUAL_FLAG,
17 |       api.GSS_C_REPLAY_FLAG,
18 |       api.GSS_C_SEQUENCE_FLAG,
19 |       api.GSS_C_CONF_FLAG,
20 |       api.GSS_C_INTEG_FLAG,
21 |       api.GSS_C_ANON_FLAG,
22 |       api.GSS_C_PROT_READY_FLAG,
23 |       api.GSS_C_TRANS_FLAG,
24 |       api.GSS_C_NO_OID,
25 |       api.GSS_MECH_OID_KRB5,
26 |       api.GSS_MECH_OID_SPNEGO
27 |     ].forEach(flag => expect(flag).to.be.a('number'));
28 |   });
29 | 
30 |   it('should export functions', function () {
31 |     expect(api.initializeClient).to.be.a('function');
32 |     expect(api.initializeServer).to.be.a('function');
33 |     expect(api.principalDetails).to.be.a('function');
34 |     expect(api.checkPassword).to.be.a('function');
35 |   });
36 | 
37 |   it('should export Kerberos', () => {
38 |     expect(api.Kerberos).to.be.an('object');
39 |   });
40 | });
41 | 


--------------------------------------------------------------------------------
/test/kerberos_tests.js:
--------------------------------------------------------------------------------
  1 | 'use strict';
  2 | const kerberos = require('../lib/index');
  3 | const request = require('request');
  4 | const chai = require('chai');
  5 | const expect = chai.expect;
  6 | const os = require('os');
  7 | const { test } = require('mocha');
  8 | chai.use(require('chai-string'));
  9 | 
 10 | // environment variables
 11 | const username = process.env.KERBEROS_USERNAME || 'administrator';
 12 | const password = process.env.KERBEROS_PASSWORD || 'Password01';
 13 | const realm = process.env.KERBEROS_REALM || 'example.com';
 14 | const hostname = process.env.KERBEROS_HOSTNAME || 'hostname.example.com';
 15 | const port = process.env.KERBEROS_PORT || '80';
 16 | 
 17 | describe('Kerberos', function () {
 18 |   before(function () {
 19 |     if (os.type() === 'Windows_NT') this.skip();
 20 |   });
 21 | 
 22 |   it('should lookup principal details on a server', function (done) {
 23 |     const expected = `HTTP/${hostname}@${realm.toUpperCase()}`;
 24 |     kerberos.principalDetails('HTTP', hostname, (err, details) => {
 25 |       expect(err).to.not.exist;
 26 |       expect(details).to.equal(expected);
 27 |       done();
 28 |     });
 29 |   });
 30 | 
 31 |   it('should check a given password against a kerberos server', function (done) {
 32 |     const service = `HTTP/${hostname}`;
 33 |     kerberos.checkPassword(username, password, service, realm.toUpperCase(), err => {
 34 |       expect(err).to.not.exist;
 35 | 
 36 |       kerberos.checkPassword(username, 'incorrect-password', service, realm.toUpperCase(), err => {
 37 |         expect(err).to.exist;
 38 |         done();
 39 |       });
 40 |     });
 41 |   });
 42 | 
 43 |   it('should authenticate against a kerberos server using GSSAPI', function (done) {
 44 |     const service = `HTTP@${hostname}`;
 45 | 
 46 |     kerberos.initializeClient(service, {}, (err, client) => {
 47 |       expect(err).to.not.exist;
 48 | 
 49 |       kerberos.initializeServer(service, (err, server) => {
 50 |         expect(err).to.not.exist;
 51 |         expect(client.contextComplete).to.be.false;
 52 |         expect(server.contextComplete).to.be.false;
 53 | 
 54 |         client.step('', (err, clientResponse) => {
 55 |           expect(err).to.not.exist;
 56 |           expect(client.contextComplete).to.be.false;
 57 | 
 58 |           server.step(clientResponse, (err, serverResponse) => {
 59 |             expect(err).to.not.exist;
 60 |             expect(client.contextComplete).to.be.false;
 61 | 
 62 |             client.step(serverResponse, err => {
 63 |               expect(err).to.not.exist;
 64 |               expect(client.contextComplete).to.be.true;
 65 | 
 66 |               const expectedUsername = `${username}@${realm.toUpperCase()}`;
 67 |               expect(server.username).to.equal(expectedUsername);
 68 |               expect(client.username).to.equal(expectedUsername);
 69 |               expect(server.targetName).to.not.exist;
 70 |               done();
 71 |             });
 72 |           });
 73 |         });
 74 |       });
 75 |     });
 76 |   });
 77 | 
 78 |   it('should authenticate against a kerberos HTTP endpoint', function (done) {
 79 |     const service = `HTTP@${hostname}`;
 80 |     const url = `http://${hostname}:${port}/`;
 81 | 
 82 |     // send the initial request un-authenticated
 83 |     request.get(url, (err, response) => {
 84 |       expect(err).to.not.exist;
 85 |       expect(response).to.have.property('statusCode', 401);
 86 | 
 87 |       // validate the response supports the Negotiate protocol
 88 |       const authenticateHeader = response.headers['www-authenticate'];
 89 |       expect(authenticateHeader).to.exist;
 90 |       expect(authenticateHeader).to.equal('Negotiate');
 91 | 
 92 |       // generate the first Kerberos token
 93 |       const mechOID = kerberos.GSS_MECH_OID_KRB5;
 94 |       kerberos.initializeClient(service, { mechOID }, (err, client) => {
 95 |         expect(err).to.not.exist;
 96 | 
 97 |         client.step('', (err, kerberosToken) => {
 98 |           expect(err).to.not.exist;
 99 | 
100 |           // attach the Kerberos token and resend back to the host
101 |           request.get(
102 |             { url, headers: { Authorization: `Negotiate ${kerberosToken}` } },
103 |             (err, response) => {
104 |               expect(err).to.not.exist;
105 |               expect(response.statusCode).to.equal(200);
106 | 
107 |               // validate the headers exist and contain a www-authenticate message
108 |               const authenticateHeader = response.headers['www-authenticate'];
109 |               expect(authenticateHeader).to.exist;
110 |               expect(authenticateHeader).to.startWith('Negotiate');
111 | 
112 |               // verify the return Kerberos token
113 |               const tokenParts = authenticateHeader.split(' ');
114 |               const serverKerberosToken = tokenParts[tokenParts.length - 1];
115 |               client.step(serverKerberosToken, err => {
116 |                 expect(err).to.not.exist;
117 |                 expect(client.contextComplete).to.be.true;
118 |                 done();
119 |               });
120 |             }
121 |           );
122 |         });
123 |       });
124 |     });
125 |   });
126 | 
127 |   describe('Client.wrap()', function () {
128 |     async function establishConext() {
129 |       const service = `HTTP@${hostname}`;
130 |       client = await kerberos.initializeClient(service, {});
131 |       server = await kerberos.initializeServer(service);
132 |       const clientResponse = await client.step('');
133 |       const serverResponse = await server.step(clientResponse);
134 |       await client.step(serverResponse);
135 |       expect(client.contextComplete).to.be.true;
136 |       return { client, server };
137 |     }
138 | 
139 |     let client;
140 |     let server;
141 | 
142 |     before(establishConext);
143 |     describe('options.protect', function () {
144 |       context('valid values for `protect`', function () {
145 |         test('no options provided', async function () {
146 |           await client.wrap('challenge');
147 |         });
148 | 
149 |         test('options provided (protect omitted)', async function () {
150 |           await client.wrap('challenge', {});
151 |         });
152 | 
153 |         test('protect = false', async function () {
154 |           await client.wrap('challenge', { protect: false });
155 |         });
156 | 
157 |         test('protect = true', async function () {
158 |           await client.wrap('challenge', { protect: true });
159 |         });
160 |       });
161 | 
162 |       context('when set to an invalid value', function () {
163 |         it('throws a TypeError', async function () {
164 |           const error = await client.wrap('challenge', { protect: 'non-boolean' }).catch(e => e);
165 |           expect(error)
166 |             .to.be.instanceOf(TypeError)
167 |             .to.match(/options.protect must be a boolean/);
168 |         });
169 |       });
170 |     });
171 |   });
172 | });
173 | 


--------------------------------------------------------------------------------
/test/kerberos_win32_tests.js:
--------------------------------------------------------------------------------
  1 | 'use strict';
  2 | const kerberos = require('../lib/index');
  3 | const MongoClient = require('mongodb').MongoClient;
  4 | const expect = require('chai').expect;
  5 | 
  6 | const password = process.env.KERBEROS_PASSWORD;
  7 | const realm = process.env.KERBEROS_REALM;
  8 | const hostname = process.env.KERBEROS_HOSTNAME;
  9 | const username = `${process.env.KERBEROS_USERNAME}@${realm}`;
 10 | const service = `mongodb/${hostname}`;
 11 | const port = process.env.KERBEROS_PORT || '27017';
 12 | const upn = username;
 13 | 
 14 | function authenticate(options, callback) {
 15 |   const db = options.db;
 16 |   const krbClient = options.krbClient;
 17 |   const challenge = options.challenge || '';
 18 |   const start = options.start || false;
 19 |   const conversationId = options.conversationId;
 20 | 
 21 |   let promise;
 22 |   if (callback == null || typeof callback !== 'function') {
 23 |     promise = new Promise((resolve, reject) => {
 24 |       callback = function (err, res) {
 25 |         if (err) return reject(err);
 26 |         resolve(res);
 27 |       };
 28 |     });
 29 |   }
 30 | 
 31 |   if (start) {
 32 |     krbClient.step('', (err, payload) => {
 33 |       expect(err).to.not.exist;
 34 | 
 35 |       db.command({ saslStart: 1, mechanism: 'GSSAPI', payload }, (err, dbResponse) => {
 36 |         expect(err).to.not.exist;
 37 | 
 38 |         authenticate(
 39 |           {
 40 |             db,
 41 |             krbClient,
 42 |             challenge: dbResponse.payload,
 43 |             conversationId: dbResponse.conversationId
 44 |           },
 45 |           callback
 46 |         );
 47 |       });
 48 |     });
 49 | 
 50 |     return promise;
 51 |   }
 52 | 
 53 |   krbClient.step(challenge, (err, payload) => {
 54 |     payload = payload || '';
 55 | 
 56 |     db.command({ saslContinue: 1, conversationId, payload }, (err, dbResponse) => {
 57 |       if (krbClient.contextComplete) {
 58 |         callback(null, { challenge: dbResponse.payload, conversationId });
 59 |         return;
 60 |       }
 61 | 
 62 |       if (err) return callback(err, null);
 63 |       authenticate({ db, krbClient, conversationId, challenge: payload }, callback);
 64 |     });
 65 |   });
 66 | 
 67 |   return promise;
 68 | }
 69 | 
 70 | const test = {};
 71 | describe('Kerberos (win32)', function () {
 72 |   this.timeout(60000);
 73 | 
 74 |   beforeEach(function () {
 75 |     if (process.platform !== 'win32') {
 76 |       this.currentTest.skipReason = 'TODO(NODE-4021): Kerberos testing on windows';
 77 |       this.skip();
 78 |     }
 79 |   });
 80 | 
 81 |   beforeEach(function () {
 82 |     test.client = new MongoClient(`mongodb://${hostname}:${port}/`);
 83 |   });
 84 | 
 85 |   afterEach(function () {
 86 |     if (test.client) test.client.close().then(() => delete test.client);
 87 |   });
 88 | 
 89 |   it('should create a kerberos client', function () {
 90 |     // this is a very basic test used to pass appveyor and provide prebuild binaries
 91 |     return kerberos.initializeClient(service, { user: username, password }).then(krbClient => {
 92 |       expect(krbClient).to.exist;
 93 |     });
 94 |   });
 95 | 
 96 |   it('should work from windows', function (done) {
 97 |     test.client.connect((err, client) => {
 98 |       expect(err).to.not.exist;
 99 | 
100 |       const db = client.db('$external');
101 | 
102 |       kerberos.initializeClient(service, { user: username, password }, (err, krbClient) => {
103 |         expect(err).to.not.exist;
104 | 
105 |         authenticate({ db, krbClient, start: true }, (err, authResponse) => {
106 |           expect(err).to.not.exist;
107 | 
108 |           krbClient.unwrap(authResponse.challenge, (err, unwrapped) => {
109 |             expect(err).to.not.exist;
110 | 
111 |             // RFC-4752
112 |             const challengeBytes = Buffer.from(unwrapped, 'base64');
113 |             expect(challengeBytes).to.have.length(4);
114 | 
115 |             // Manually create an authorization message and encrypt it. This
116 |             // is the "no security layer" message as detailed in RFC-4752,
117 |             // section 3.1, final paragraph. This is also the message created
118 |             // by calling authGSSClientWrap with the "user" option.
119 |             // const UPN = Buffer.from(upn, 'utf8').toString('utf8');
120 |             const msg = Buffer.from(`\x01\x00\x00\x00${upn}`).toString('base64');
121 |             krbClient.wrap(msg, (err, custom) => {
122 |               expect(err).to.not.exist;
123 |               expect(custom).to.exist;
124 | 
125 |               // Wrap using unwrapped and user principal
126 |               krbClient.wrap(unwrapped, { user: upn }, (err, wrapped) => {
127 |                 expect(err).to.not.exist;
128 |                 expect(wrapped).to.exist;
129 | 
130 |                 db.command(
131 |                   {
132 |                     saslContinue: 1,
133 |                     conversationId: authResponse.conversationId,
134 |                     payload: wrapped
135 |                   },
136 |                   err => {
137 |                     expect(err).to.not.exist;
138 |                     expect(krbClient.username).to.exist;
139 |                     done();
140 |                   }
141 |                 );
142 |               });
143 |             });
144 |           });
145 |         });
146 |       });
147 |     });
148 |   });
149 | 
150 |   it('should work from windows using promises', function () {
151 |     return test.client.connect().then(client => {
152 |       const db = client.db('$external');
153 | 
154 |       return kerberos.initializeClient(service, { user: username, password }).then(krbClient => {
155 |         return authenticate({ db, krbClient, start: true }).then(authResponse => {
156 |           return krbClient.unwrap(authResponse.challenge).then(unwrapped => {
157 |             // RFC-4752
158 |             const challengeBytes = Buffer.from(unwrapped, 'base64');
159 |             expect(challengeBytes).to.have.length(4);
160 | 
161 |             // Manually create an authorization message and encrypt it. This
162 |             // is the "no security layer" message as detailed in RFC-4752,
163 |             // section 3.1, final paragraph. This is also the message created
164 |             // by calling authGSSClientWrap with the "user" option.
165 |             // const UPN = Buffer.from(upn, 'utf8').toString('utf8');
166 |             const msg = Buffer.from(`\x01\x00\x00\x00${upn}`).toString('base64');
167 |             return krbClient
168 |               .wrap(msg)
169 |               .then(custom => {
170 |                 expect(custom).to.exist;
171 | 
172 |                 // Wrap using unwrapped and user principal
173 |                 return krbClient.wrap(unwrapped, { user: upn });
174 |               })
175 |               .then(wrapped => {
176 |                 expect(wrapped).to.exist;
177 |                 return db.command({
178 |                   saslContinue: 1,
179 |                   conversationId: authResponse.conversationId,
180 |                   payload: wrapped
181 |                 });
182 |               })
183 |               .then(() => {
184 |                 expect(krbClient.username).to.exist;
185 |               });
186 |           });
187 |         });
188 |       });
189 |     });
190 |   });
191 | });
192 | 


--------------------------------------------------------------------------------
/test/tools/hooks/environment_hook.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | const util = require('util');
 4 | 
 5 | function beforeAllEnvironmentLog() {
 6 |   console.error(
 7 |     util.inspect(
 8 |       {
 9 |         node: process.version,
10 |         KERBEROS_USERNAME: process.env.KERBEROS_USERNAME,
11 |         KERBEROS_PASSWORD: process.env.KERBEROS_PASSWORD,
12 |         KERBEROS_HOSTNAME: process.env.KERBEROS_HOSTNAME,
13 |         KERBEROS_PORT: process.env.KERBEROS_PORT,
14 |         KERBEROS_REALM: process.env.KERBEROS_REALM
15 |       },
16 |       { colors: true }
17 |     ) + '\n'
18 |   );
19 | }
20 | 
21 | module.exports = {
22 |   mochaHooks: {
23 |     beforeAll: [beforeAllEnvironmentLog]
24 |   }
25 | };
26 | 


--------------------------------------------------------------------------------
/test/tools/mongodb_reporter.js:
--------------------------------------------------------------------------------
  1 | //@ts-check
  2 | 'use strict';
  3 | const mocha = require('mocha');
  4 | const chalk = require('chalk');
  5 | 
  6 | chalk.level = 3;
  7 | 
  8 | const {
  9 |   EVENT_RUN_BEGIN,
 10 |   EVENT_RUN_END,
 11 |   EVENT_TEST_FAIL,
 12 |   EVENT_TEST_PASS,
 13 |   EVENT_SUITE_BEGIN,
 14 |   EVENT_SUITE_END,
 15 |   EVENT_TEST_PENDING,
 16 |   EVENT_TEST_BEGIN,
 17 |   EVENT_TEST_END
 18 | } = mocha.Runner.constants;
 19 | 
 20 | const fs = require('fs');
 21 | const os = require('os');
 22 | 
 23 | /**
 24 |  * @typedef {object} MongoMochaSuiteExtension
 25 |  * @property {Date} timestamp - suite start date
 26 |  * @property {string} stdout - capture of stdout
 27 |  * @property {string} stderr - capture of stderr
 28 |  * @property {MongoMochaTest} test - capture of stderr
 29 |  * @typedef {object} MongoMochaTestExtension
 30 |  * @property {Date} startTime - test start date
 31 |  * @property {Date} endTime - test end date
 32 |  * @property {number} elapsedTime - difference between end and start
 33 |  * @property {Error} [error] - The possible error from a test
 34 |  * @property {true} [skipped] - Set if test was skipped
 35 |  * @typedef {MongoMochaSuiteExtension & Mocha.Suite} MongoMochaSuite
 36 |  * @typedef {MongoMochaTestExtension & Mocha.Test} MongoMochaTest
 37 |  */
 38 | 
 39 | // Turn this on if you have to debug this custom reporter!
 40 | let REPORT_TO_STDIO = false;
 41 | 
 42 | function captureStream(stream) {
 43 |   var oldWrite = stream.write;
 44 |   var buf = '';
 45 |   stream.write = function (chunk) {
 46 |     buf += chunk.toString(); // chunk is a String or Buffer
 47 |     oldWrite.apply(stream, arguments);
 48 |   };
 49 | 
 50 |   return {
 51 |     unhook: function unhook() {
 52 |       stream.write = oldWrite;
 53 |       return buf;
 54 |     },
 55 |     captured: function () {
 56 |       return buf;
 57 |     }
 58 |   };
 59 | }
 60 | 
 61 | /**
 62 |  * @param {Mocha.Runner} runner
 63 |  * @this {any}
 64 |  */
 65 | class MongoDBMochaReporter extends mocha.reporters.Spec {
 66 |   constructor(runner) {
 67 |     super(runner);
 68 |     /** @type {Map<string, {suite: MongoMochaSuite, stdout?: any, stderr?: any}>} */
 69 |     this.suites = new Map();
 70 |     this.xunitWritten = false;
 71 |     runner.on(EVENT_RUN_BEGIN, () => this.start());
 72 |     runner.on(EVENT_RUN_END, () => this.end());
 73 |     runner.on(EVENT_SUITE_BEGIN, suite => this.onSuite(suite));
 74 |     runner.on(EVENT_TEST_BEGIN, test => this.onTest(test));
 75 |     runner.on(EVENT_TEST_PASS, test => this.pass(test));
 76 |     runner.on(EVENT_TEST_FAIL, (test, error) => this.fail(test, error));
 77 |     runner.on(EVENT_TEST_PENDING, test => this.pending(test));
 78 |     runner.on(EVENT_SUITE_END, suite => this.suiteEnd(suite));
 79 |     runner.on(EVENT_TEST_END, test => this.testEnd(test));
 80 | 
 81 |     process.on('SIGINT', () => this.end(true));
 82 |   }
 83 |   start() {}
 84 | 
 85 |   end(ctrlC) {
 86 |     try {
 87 |       if (ctrlC) console.log('emergency exit!');
 88 |       const output = { testSuites: [] };
 89 | 
 90 |       for (const [id, [className, { suite }]] of [...this.suites.entries()].entries()) {
 91 |         let totalSuiteTime = 0;
 92 |         let testCases = [];
 93 |         let failureCount = 0;
 94 | 
 95 |         const tests = /** @type {MongoMochaTest[]}*/ (suite.tests);
 96 |         for (const test of tests) {
 97 |           let time = test.elapsedTime / 1000;
 98 |           time = Number.isNaN(time) ? 0 : time;
 99 | 
100 |           totalSuiteTime += time;
101 |           failureCount += test.state === 'failed' ? 1 : 0;
102 | 
103 |           /** @type {string | Date | number} */
104 |           let startTime = test.startTime;
105 |           startTime = startTime ? startTime.toISOString() : 0;
106 | 
107 |           /** @type {string | Date | number} */
108 |           let endTime = test.endTime;
109 |           endTime = endTime ? endTime.toISOString() : 0;
110 | 
111 |           let error = test.error;
112 |           let failure = error
113 |             ? {
114 |                 type: error.constructor.name,
115 |                 message: error.message,
116 |                 stack: error.stack
117 |               }
118 |             : undefined;
119 | 
120 |           let skipped = !!test.skipped;
121 | 
122 |           testCases.push({
123 |             name: test.title,
124 |             className,
125 |             time,
126 |             startTime,
127 |             endTime,
128 |             skipped,
129 |             failure
130 |           });
131 |         }
132 | 
133 |         /** @type {string | Date | number} */
134 |         let timestamp = suite.timestamp;
135 |         timestamp = timestamp ? timestamp.toISOString().split('.')[0] : '';
136 | 
137 |         output.testSuites.push({
138 |           package: suite.file.includes('integration') ? 'Integration' : 'Unit',
139 |           id,
140 |           name: className,
141 |           timestamp,
142 |           hostname: os.hostname(),
143 |           tests: suite.tests.length,
144 |           failures: failureCount,
145 |           errors: '0',
146 |           time: totalSuiteTime,
147 |           testCases,
148 |           stdout: suite.stdout,
149 |           stderr: suite.stderr
150 |         });
151 |       }
152 | 
153 |       if (!this.xunitWritten) {
154 |         fs.writeFileSync('xunit.xml', outputToXML(output), { encoding: 'utf8' });
155 |       }
156 |       this.xunitWritten = true;
157 |       console.log(chalk.bold('wrote xunit.xml'));
158 |     } catch (error) {
159 |       console.error(chalk.red(`Failed to output xunit report! ${error}`));
160 |     } finally {
161 |       if (ctrlC) process.exit(1);
162 |     }
163 |   }
164 | 
165 |   /**
166 |    * @param {MongoMochaSuite} suite
167 |    */
168 |   onSuite(suite) {
169 |     if (suite.root) return;
170 |     if (!this.suites.has(suite.fullTitle())) {
171 |       suite.timestamp = new Date();
172 |       this.suites.set(suite.fullTitle(), {
173 |         suite,
174 |         stdout: captureStream(process.stdout),
175 |         stderr: captureStream(process.stderr)
176 |       });
177 |     } else {
178 |       console.warn(`${chalk.yellow('WARNING:')} ${suite.fullTitle()} started twice`);
179 |     }
180 |   }
181 | 
182 |   /**
183 |    * @param {MongoMochaSuite} suite
184 |    */
185 |   suiteEnd(suite) {
186 |     if (suite.root) return;
187 |     const currentSuite = this.suites.get(suite.fullTitle());
188 |     if (!currentSuite) {
189 |       console.error('Suite never started >:(');
190 |       process.exit(1);
191 |     }
192 |     if (currentSuite.stdout || currentSuite.stderr) {
193 |       suite.stdout = currentSuite.stdout.unhook();
194 |       suite.stderr = currentSuite.stderr.unhook();
195 |       delete currentSuite.stdout;
196 |       delete currentSuite.stderr;
197 |     }
198 |   }
199 | 
200 |   /**
201 |    * @param {MongoMochaTest} test
202 |    */
203 |   onTest(test) {
204 |     test.startTime = new Date();
205 |   }
206 | 
207 |   /**
208 |    * @param {MongoMochaTest} test
209 |    */
210 |   testEnd(test) {
211 |     test.endTime = new Date();
212 |     test.elapsedTime = Number(test.endTime) - Number(test.startTime);
213 |   }
214 | 
215 |   /**
216 |    * @param {MongoMochaTest} test
217 |    */
218 |   pass(test) {
219 |     if (REPORT_TO_STDIO) console.log(chalk.green(`✔ ${test.fullTitle()}`));
220 |   }
221 | 
222 |   /**
223 |    * @param {MongoMochaTest} test
224 |    * @param {Error} error
225 |    */
226 |   fail(test, error) {
227 |     if (REPORT_TO_STDIO) console.log(chalk.red(`⨯ ${test.fullTitle()} -- ${error.message}`));
228 |     test.error = error;
229 |   }
230 | 
231 |   /**
232 |    * @param {MongoMochaTest & {skipReason?: string}} test
233 |    */
234 |   pending(test) {
235 |     if (REPORT_TO_STDIO) console.log(chalk.cyan(`↬ ${test.fullTitle()}`));
236 |     if (typeof test.skipReason === 'string') {
237 |       console.log(chalk.cyan(`${'  '.repeat(test.titlePath().length + 1)}↬ ${test.skipReason}`));
238 |     }
239 |     test.skipped = true;
240 |   }
241 | }
242 | 
243 | module.exports = MongoDBMochaReporter;
244 | 
245 | function replaceIllegalXMLCharacters(string) {
246 |   // prettier-ignore
247 |   return String(string)
248 |     .split('"').join('＂')
249 |     .split('<').join('﹤')
250 |     .split('>').join('﹥')
251 |     .split('&').join('﹠');
252 | }
253 | 
254 | const ANSI_ESCAPE_REGEX =
255 |   // eslint-disable-next-line no-control-regex
256 |   /[\u001b\u009b][[()#;?]*(?:[0-9]{1,4}(?:;[0-9]{0,4})*)?[0-9A-ORZcf-nqry=><]/g;
257 | function outputToXML(output) {
258 |   function cdata(str) {
259 |     return `<![CDATA[${String(str)
260 |       .split(ANSI_ESCAPE_REGEX)
261 |       .join('')
262 |       .split(']]>')
263 |       .join('\\]\\]\\>')}]]>`;
264 |   }
265 | 
266 |   function makeTag(name, attributes, selfClose, content) {
267 |     const attributesString = Object.entries(attributes || {})
268 |       .map(([k, v]) => `${k}="${replaceIllegalXMLCharacters(v)}"`)
269 |       .join(' ');
270 |     let tag = `<${name}${attributesString ? ' ' + attributesString : ''}`;
271 |     if (selfClose) return tag + '/>\n';
272 |     else tag += '>';
273 |     if (content) return tag + content + `</${name}>`;
274 |     return tag;
275 |   }
276 | 
277 |   let s =
278 |     '<?xml version="1.0" encoding="UTF-8"?>\n<?xml-model href="./test/tools/reporter/xunit.xsd" ?>\n<testsuites>\n';
279 | 
280 |   for (const suite of output.testSuites) {
281 |     s += makeTag('testsuite', {
282 |       package: suite.package,
283 |       id: suite.id,
284 |       name: suite.name,
285 |       timestamp: suite.timestamp,
286 |       hostname: suite.hostname,
287 |       tests: suite.tests,
288 |       failures: suite.failures,
289 |       errors: suite.errors,
290 |       time: suite.time
291 |     });
292 |     s += '\n\t' + makeTag('properties') + '</properties>\n'; // can put metadata here?
293 |     for (const test of suite.testCases) {
294 |       s +=
295 |         '\t' +
296 |         makeTag(
297 |           'testcase',
298 |           {
299 |             name: test.name,
300 |             classname: test.className,
301 |             time: test.time,
302 |             start: test.startTime,
303 |             end: test.endTime
304 |           },
305 |           !test.failure && !test.skipped
306 |         );
307 |       if (test.failure) {
308 |         s +=
309 |           '\n\t\t' +
310 |           makeTag('failure', { type: test.failure.type }, false, cdata(test.failure.stack)) +
311 |           '\n';
312 |         s += `\t</testcase>\n`;
313 |       }
314 |       if (test.skipped) {
315 |         s += makeTag('skipped', {}, true);
316 |         s += `\t</testcase>\n`;
317 |       }
318 |     }
319 |     s += '\t' + makeTag('system-out', {}, false, cdata(suite.stdout)) + '\n';
320 |     s += '\t' + makeTag('system-err', {}, false, cdata(suite.stderr)) + '\n';
321 |     s += `</testsuite>\n`;
322 |   }
323 | 
324 |   return s + '</testsuites>\n';
325 | }
326 | 


--------------------------------------------------------------------------------