You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
191 lines
8.0 KiB
191 lines
8.0 KiB
var kerberos = require('../build/Release/kerberos') |
|
, KerberosNative = kerberos.Kerberos; |
|
|
|
var Kerberos = function() { |
|
this._native_kerberos = new KerberosNative(); |
|
} |
|
|
|
// callback takes two arguments, an error string if defined and a new context |
|
// uri should be given as service@host. Services are not always defined |
|
// in a straightforward way. Use 'HTTP' for SPNEGO / Negotiate authentication. |
|
// If credentialsCache is not specified, the default credentials cache from the |
|
// environment will be used (ie. KRB5CCNAME). In the case where multiple |
|
// credentials caches may be in use at once (such as for a server doing |
|
// delegation), specify the cache name here and it will be used for this |
|
// exchange. The credentialsCache is optional. |
|
Kerberos.prototype.authGSSClientInit = function(uri, flags, credentialsCache, callback) { |
|
if (typeof(credentialsCache) == 'function') { |
|
callback = credentialsCache; |
|
credentialsCache = ''; |
|
} |
|
|
|
if (credentialsCache === undefined) { |
|
credentialsCache = ''; |
|
} |
|
|
|
return this._native_kerberos.authGSSClientInit(uri, flags, credentialsCache, callback); |
|
} |
|
|
|
// This will obtain credentials using a credentials cache. To override the default |
|
// location (posible /tmp/krb5cc_nnnnnn, where nnnn is your numeric uid) use |
|
// the environment variable KRB5CNAME. |
|
// The credentials (suitable for using in an 'Authenticate: ' header, when prefixed |
|
// with 'Negotiate ') will be available as context.response inside the callback |
|
// if no error is indicated. |
|
// callback takes one argument, an error string if defined |
|
Kerberos.prototype.authGSSClientStep = function(context, challenge, callback) { |
|
if(typeof challenge == 'function') { |
|
callback = challenge; |
|
challenge = ''; |
|
} |
|
|
|
return this._native_kerberos.authGSSClientStep(context, challenge, callback); |
|
} |
|
|
|
Kerberos.prototype.authGSSClientUnwrap = function(context, challenge, callback) { |
|
if(typeof challenge == 'function') { |
|
callback = challenge; |
|
challenge = ''; |
|
} |
|
|
|
return this._native_kerberos.authGSSClientUnwrap(context, challenge, callback); |
|
} |
|
|
|
Kerberos.prototype.authGSSClientWrap = function(context, challenge, user_name, callback) { |
|
if(typeof user_name == 'function') { |
|
callback = user_name; |
|
user_name = ''; |
|
} |
|
|
|
return this._native_kerberos.authGSSClientWrap(context, challenge, user_name, callback); |
|
} |
|
|
|
// free memory used by a context created using authGSSClientInit. |
|
// callback takes one argument, an error string if defined. |
|
Kerberos.prototype.authGSSClientClean = function(context, callback) { |
|
return this._native_kerberos.authGSSClientClean(context, callback); |
|
} |
|
|
|
// The server will obtain credentials using a keytab. To override the |
|
// default location (probably /etc/krb5.keytab) set the KRB5_KTNAME |
|
// environment variable. |
|
// The service name should be in the form service, or service@host.name |
|
// e.g. for HTTP, use "HTTP" or "HTTP@my.host.name". See gss_import_name |
|
// for GSS_C_NT_HOSTBASED_SERVICE. |
|
// |
|
// a boolean turns on "constrained_delegation". this enables acquisition of S4U2Proxy |
|
// credentials which will be stored in a credentials cache during the authGSSServerStep |
|
// method. this parameter is optional. The credentials will be stored in |
|
// a new cache, the location of which will be made available as the "delegatedCredentialsCache" |
|
// property on the returned context AFTER the authGSSServerStep stage. |
|
// |
|
// when "constrained_delegation" is enabled, a username can (optionally) be provided and |
|
// S4U2Self protocol transition will be initiated. In this case, we will not |
|
// require any "auth" data during the authGSSServerStep. This parameter is optional |
|
// but constrained_delegation MUST be enabled for this to work. When S4U2Self is |
|
// used, the username will be assumed to have been already authenticated, and no |
|
// actual authentication will be performed. This is basically a way to "bootstrap" |
|
// kerberos credentials (which can then be delegated with S4U2Proxy) for a user |
|
// authenticated externally. |
|
// |
|
// callback takes two arguments, an error string if defined and a new context |
|
// |
|
Kerberos.prototype.authGSSServerInit = function(service, constrained_delegation, username, callback) { |
|
if(typeof(constrained_delegation) === 'function') { |
|
callback = constrained_delegation; |
|
constrained_delegation = false; |
|
username = null; |
|
} |
|
|
|
if (typeof(constrained_delegation) === 'string') { |
|
throw new Error("S4U2Self protocol transation is not possible without enabling constrained delegation"); |
|
} |
|
|
|
if (typeof(username) === 'function') { |
|
callback = username; |
|
username = null; |
|
} |
|
|
|
constrained_delegation = !!constrained_delegation; |
|
|
|
return this._native_kerberos.authGSSServerInit(service, constrained_delegation, username, callback); |
|
}; |
|
|
|
//callback takes one argument, an error string if defined. |
|
Kerberos.prototype.authGSSServerClean = function(context, callback) { |
|
return this._native_kerberos.authGSSServerClean(context, callback); |
|
}; |
|
|
|
// authData should be the base64 encoded authentication data obtained |
|
// from client, e.g., in the Authorization header (without the leading |
|
// "Negotiate " string) during SPNEGO authentication. The authenticated user |
|
// is available in context.username after successful authentication. |
|
// callback takes one argument, an error string if defined. |
|
// |
|
// Note: when S4U2Self protocol transition was requested in the authGSSServerInit |
|
// no actual authentication will be performed and authData will be ignored. |
|
// |
|
Kerberos.prototype.authGSSServerStep = function(context, authData, callback) { |
|
return this._native_kerberos.authGSSServerStep(context, authData, callback); |
|
}; |
|
|
|
// authenticate the username and password against the KDC, and verify the KDC using a local |
|
// service key stored in the keytab. See above for details on providing the keytab. |
|
// The service should be the service principal name for a key available in the local keytab, |
|
// e.g. HTTP/somehost.example.com. If service is an empty tring, KDC verification will |
|
// be skipped. DON'T DO THIS - it's a possible security vulnerability if an attacker |
|
// can spoof your KDC (see: https://github.com/qesuto/node-krb5/issues/13) |
|
// callback receives error and boolean |
|
Kerberos.prototype.authUserKrb5Password = function(username, password, service, callback) { |
|
return this._native_kerberos.authUserKrb5Password(username, password, service, callback); |
|
}; |
|
|
|
Kerberos.prototype.acquireAlternateCredentials = function(user_name, password, domain) { |
|
return this._native_kerberos.acquireAlternateCredentials(user_name, password, domain); |
|
} |
|
|
|
Kerberos.prototype.prepareOutboundPackage = function(principal, inputdata) { |
|
return this._native_kerberos.prepareOutboundPackage(principal, inputdata); |
|
} |
|
|
|
Kerberos.prototype.decryptMessage = function(challenge) { |
|
return this._native_kerberos.decryptMessage(challenge); |
|
} |
|
|
|
Kerberos.prototype.encryptMessage = function(challenge) { |
|
return this._native_kerberos.encryptMessage(challenge); |
|
} |
|
|
|
Kerberos.prototype.queryContextAttribute = function(attribute) { |
|
if(typeof attribute != 'number' && attribute != 0x00) throw new Error("Attribute not supported"); |
|
return this._native_kerberos.queryContextAttribute(attribute); |
|
} |
|
|
|
// Some useful result codes |
|
Kerberos.AUTH_GSS_CONTINUE = 0; |
|
Kerberos.AUTH_GSS_COMPLETE = 1; |
|
|
|
// Some useful gss flags |
|
Kerberos.GSS_C_DELEG_FLAG = 1; |
|
Kerberos.GSS_C_MUTUAL_FLAG = 2; |
|
Kerberos.GSS_C_REPLAY_FLAG = 4; |
|
Kerberos.GSS_C_SEQUENCE_FLAG = 8; |
|
Kerberos.GSS_C_CONF_FLAG = 16; |
|
Kerberos.GSS_C_INTEG_FLAG = 32; |
|
Kerberos.GSS_C_ANON_FLAG = 64; |
|
Kerberos.GSS_C_PROT_READY_FLAG = 128; |
|
Kerberos.GSS_C_TRANS_FLAG = 256; |
|
|
|
// Export Kerberos class |
|
exports.Kerberos = Kerberos; |
|
|
|
// If we have SSPI (windows) |
|
if(kerberos.SecurityCredentials) { |
|
// Put all SSPI classes in it's own namespace |
|
exports.SSIP = { |
|
SecurityCredentials: require('./win32/wrappers/security_credentials').SecurityCredentials |
|
, SecurityContext: require('./win32/wrappers/security_context').SecurityContext |
|
, SecurityBuffer: require('./win32/wrappers/security_buffer').SecurityBuffer |
|
, SecurityBufferDescriptor: require('./win32/wrappers/security_buffer_descriptor').SecurityBufferDescriptor |
|
} |
|
}
|
|
|