Merge pull request #209 from cplussharp/ldap_support

Support LDAP authentication

Author: jeffalbion

README.md

@@ -66,7 +66,7 @@ Below is a major feature comparison chart between the two drivers:
 | Password/PBKDF2 Authentication	                |:heavy_check_mark:|:heavy_check_mark:|
 | SAML Authentication	                            |:heavy_check_mark:|:heavy_check_mark:|
 | JWT Authentication	                            |:heavy_check_mark:|:heavy_check_mark:|
-| LDAP Authentication	                            |:heavy_check_mark:|:x:|
+| LDAP Authentication	                            |:heavy_check_mark:|:heavy_check_mark:|
 | Kerberos Authentication	                        |:heavy_check_mark:|:x:|
 | X.509 Authentication	                          |:heavy_check_mark:|:x:|
 | Secure User Store Integration (hdbuserstore)	        |:heavy_check_mark:|:x:|
@@ -195,7 +195,7 @@ This is suitable for multiple-host SAP HANA systems which are distributed over s
 Details about the different authentication methods can be found in the [SAP HANA Security Guide](https://help.sap.com/viewer/6b94445c94ae495c83a19646e7c3fd56/latest/en-US/440f6efe693d4b82ade2d8b182eb1efb.html).
 
 #### User / Password
-Users authenticate themselves with their database `user` and `password`.
+Users authenticate themselves with their database `user` and `password`. 
 
 #### SAML assertion
 SAML bearer assertions as well as unsolicited SAML responses that include an

lib/protocol/Writer.js

@@ -621,21 +621,21 @@ function createReadStreamError() {
 function createBinaryOutBuffer(type, value) {
   var length = value.length;
   var buffer;
-  if (length <= 245) {
+  if (length <= common.DATA_LENGTH_MAX1BYTE_LENGTH) {
     buffer = new Buffer(2 + length);
     buffer[0] = type;
     buffer[1] = length;
     value.copy(buffer, 2);
-  } else if (length <= 32767) {
+  } else if (length <= common.DATA_LENGTH_MAX2BYTE_LENGTH) {
     buffer = new Buffer(4 + length);
     buffer[0] = type;
-    buffer[1] = 246;
+    buffer[1] = common.DATA_LENGTH_2BYTE_LENGTH_INDICATOR;
     buffer.writeInt16LE(length, 2);
     value.copy(buffer, 4);
   } else {
     buffer = new Buffer(6 + length);
     buffer[0] = type;
-    buffer[1] = 247;
+    buffer[1] = common.DATA_LENGTH_4BYTE_LENGTH_INDICATOR;
     buffer.writeInt32LE(length, 2);
     value.copy(buffer, 6);
   }

lib/protocol/auth/LDAP.js

@@ -0,0 +1,133 @@
+// Copyright 2022 SAP SE.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http: //www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+// either express or implied. See the License for the specific
+// language governing permissions and limitations under the License.
+'use strict';
+
+var crypto = require('crypto');
+var util = require('../../util');
+var Fields = require('../data/Fields');
+
+var CLIENT_NONCE_SIZE = 64;
+var CAPABILITIES_SIZE = 8;
+var DEFAULT_CAPABILITIES = 1;
+var SESSION_KEY_SIZE = 32; // AES256 key size
+
+module.exports = LDAP;
+
+/**
+ * Handle LDAP authentication
+ *
+ * @param {object} options
+ * @param {string|Buffer} options.password The LDAP password of the user
+ * @param {Buffer} [options.clientChallenge] (for test only) the client nonce (64 bytes) to use
+ * @param {Buffer} [options.sessionKey] (for test only) the AES256 key (32 bytes) for the encryption of the password
+ */
+function LDAP(options) {
+  this.name = 'LDAP';
+  this.password = options.password;
+  if (util.isString(this.password)) {
+    this.password = new Buffer(this.password, 'utf8');
+  }
+  this.clientNonce = options.clientChallenge || crypto.randomBytes(CLIENT_NONCE_SIZE);
+  this.clientProof = null;
+  this.sessionKey = options.sessionKey;
+}
+
+/**
+ * Return the initial data to send to HANA (client none + capabilities)
+ * @return {Buffer}
+ */
+LDAP.prototype.initialData = function() {
+  // prepare capabilities
+  var capabilities = Buffer.allocUnsafe ? Buffer.allocUnsafe(CAPABILITIES_SIZE) : new Buffer(CAPABILITIES_SIZE);
+  capabilities.writeInt8(DEFAULT_CAPABILITIES, 0);
+  capabilities.fill(0, 1); // fill the remaining 7 bytes with 0
+
+  // write fields
+  var data = Fields.write(null, [this.clientNonce, capabilities]).buffer;
+  return data;
+};
+
+/**
+ * Gets the first response from the server and calculates the data for the next request
+ * @param {Buffer} buffer
+ * @param {function(Error?)} cb
+ */
+LDAP.prototype.initialize = function(buffer, cb) {
+  // read server challenge
+  var serverChallengeData = Fields.read({
+    buffer: buffer
+  });
+
+  // check number of fields
+  if (serverChallengeData.length < 4) {
+    var error = new Error('Unexpected number of fields [' + serverChallengeData.length + '] in server challenge (LDAP authentication)');
+    error.code = 'EHDBAUTHPROTOCOL';
+    cb(error);
+    return;
+  }
+
+  // check client nonce
+  var clientNonceProof = serverChallengeData[0];
+  if (!clientNonceProof.equals(this.clientNonce)) {
+    var error = new Error('Client nonce does not match (LDAP authentication)');
+    error.code = 'EHDBAUTHCLIENTNONCE';
+    cb(error);
+    return;
+  }
+
+  // check capabilities
+  var serverCapabilities = serverChallengeData[3];
+  if (serverCapabilities.readInt8() != DEFAULT_CAPABILITIES) {
+    var error = new Error('Unsupported capabilities (LDAP authentication)');
+    error.code = 'EHDBAUTHCAPABILITIES';
+    cb(error);
+    return;
+  }
+
+  // generate session key (for AES256 encryption of the password)
+  if (!this.sessionKey) {
+    this.sessionKey = crypto.randomBytes(SESSION_KEY_SIZE);
+  }
+
+  // generate the encrypted session key
+  var serverNonce = serverChallengeData[1];
+  var serverPublicKey = serverChallengeData[2].toString('ascii'); // RSA public key (PKCS8 PEM)
+  var sessionKeyContent = Buffer.concat([this.sessionKey, serverNonce]);
+  var encryptedSessionKey = crypto.publicEncrypt({
+      key: serverPublicKey,
+      format: 'pem',
+      type: 'spki'
+    }, sessionKeyContent);
+
+  // encrypt the password
+  var iv = serverNonce.slice(0, 16);
+  var cipher = crypto.createCipheriv("aes-256-cbc", this.sessionKey, iv);
+  var passwordContent = Buffer.concat([this.password, new Buffer(1), serverNonce]);
+  var encryptedPassword = cipher.update(passwordContent);
+  encryptedPassword = Buffer.concat([encryptedPassword, cipher.final()]);
+
+  // generate client proof
+  this.clientProof = Fields.write(null, [encryptedSessionKey, encryptedPassword]).buffer;
+
+  // done
+  cb();
+};
+
+LDAP.prototype.finalData = function finalData() {
+  return this.clientProof;
+};
+
+LDAP.prototype.finalize = function finalize(buffer) {
+  /* jshint unused:false */
+};

lib/protocol/auth/Manager.js

@@ -17,6 +17,7 @@ var SCRAMSHA256 = require('./SCRAMSHA256');
 var SAML = require('./SAML');
 var JWT = require('./JWT');
 var SessionCookie = require('./SessionCookie');
+var LDAP = require('./LDAP');
 
 module.exports = Manager;
 
@@ -35,6 +36,7 @@ function Manager(options) {
     this._authMethods.push(new SessionCookie(options));
   }
   if (options.user && options.password) {
+    this._authMethods.push(new LDAP(options));
     this._authMethods.push(new SCRAMSHA256(options, true));  // with PBKDF2
     this._authMethods.push(new SCRAMSHA256(options, false)); // no PBKDF2
   }

lib/protocol/common/Constants.js

@@ -26,6 +26,10 @@ module.exports = {
   MAX_PACKET_SIZE: Math.pow(2, 17),
   MAX_RESULT_SET_SIZE: Math.pow(2, 20),
   EMPTY_BUFFER: new Buffer(0),
+  DATA_LENGTH_MAX1BYTE_LENGTH: 245,
+  DATA_LENGTH_MAX2BYTE_LENGTH: 32767,
+  DATA_LENGTH_2BYTE_LENGTH_INDICATOR: 246,
+  DATA_LENGTH_4BYTE_LENGTH_INDICATOR: 247,
   DEFAULT_CONNECT_OPTIONS: [{
     name: ConnectOption.CLIENT_LOCALE,
     value: 'en_US',

lib/protocol/data/Fields.js

@@ -13,13 +13,19 @@
 // language governing permissions and limitations under the License.
 'use strict';
 
+const common = require('../../protocol/common');
 var util = require('../../util');
 
 exports.read = read;
 exports.write = write;
 exports.getByteLength = getByteLength;
 exports.getArgumentCount = getArgumentCount;
 
+/**
+ * Read sub-parameters from a buffer (fieldCount, field1Size, field1Data, field2Size, field2Data, ...)
+ * @param {{buffer:Buffer}} part
+ * @returns {Array<Buffer>} the sub-parameters
+ */
 function read(part) {
   var offset = 0;
   var buffer = part.buffer;
@@ -31,16 +37,32 @@ function read(part) {
   for (var i = 0; i < numberOfFields; i++) {
     fieldLength = buffer[offset];
     offset += 1;
-    if (fieldLength > 245) {
-      fieldLength = buffer.readUInt16LE(offset);
-      offset += 2;
+    if (fieldLength > common.DATA_LENGTH_MAX1BYTE_LENGTH) {
+      if (fieldLength == common.DATA_LENGTH_2BYTE_LENGTH_INDICATOR) {
+        fieldLength = buffer.readUInt16LE(offset);
+        offset += 2;
+      } else if (fieldLength == common.DATA_LENGTH_4BYTE_LENGTH_INDICATOR) {
+        fieldLength = buffer.readUInt32LE(offset);
+        offset += 4;
+      } else if (fieldLength == 255) {  // indicates that the following two bytes contain the length in big endian (bug?)
+        fieldLength = buffer.readUInt16BE(offset);
+        offset += 2;
+      } else {
+        throw Error("Unsupported length indicator: " + fieldLength);
+      }
     }
     fields.push(buffer.slice(offset, offset + fieldLength));
     offset += fieldLength;
   }
   return fields;
 }
 
+/**
+ * Write sub-parameters to a buffer
+ * @param {object?} part
+ * @param {Array<Buffer|string>} fields
+ * @returns {{argumentCount:number, buffer:Buffer}}
+ */
 function write(part, fields) {
   /* jshint validthis:true */
 
@@ -65,14 +87,19 @@ function write(part, fields) {
       data = new Buffer(field, 'ascii');
     }
     fieldLength = data.length;
-    if (fieldLength <= 245) {
+    if (fieldLength <= common.DATA_LENGTH_MAX1BYTE_LENGTH) {
       buffer[offset] = fieldLength;
       offset += 1;
-    } else {
-      buffer[offset] = 0xf6;
+    } else if (fieldLength <= common.DATA_LENGTH_MAX2BYTE_LENGTH) {
+      buffer[offset] = common.DATA_LENGTH_2BYTE_LENGTH_INDICATOR;
       offset += 1;
       buffer.writeUInt16LE(fieldLength, offset);
       offset += 2;
+    } else {
+      buffer[offset] = common.DATA_LENGTH_4BYTE_LENGTH_INDICATOR;
+      offset += 1;
+      buffer.writeInt32LE(fieldLength, offset);
+      offset += 4;
     }
     data.copy(buffer, offset);
     offset += fieldLength;
@@ -87,10 +114,12 @@ function getByteLength(fields) {
   var fieldLength;
   for (var i = 0; i < fields.length; i++) {
     fieldLength = getByteLengthOfField(fields[i]);
-    if (fieldLength <= 245) {
+    if (fieldLength <= common.DATA_LENGTH_MAX1BYTE_LENGTH) {
       byteLength += fieldLength + 1;
-    } else {
+    } else if (fieldLength <= common.DATA_LENGTH_MAX2BYTE_LENGTH) {
       byteLength += fieldLength + 3;
+    } else {
+      byteLength += fieldLength + 5;
     }
   }
   return byteLength;

lib/protocol/data/TextList.js

@@ -14,6 +14,7 @@
 'use strict';
 
 var util = require('../../util');
+var common = require('../common');
 
 exports.write = write;
 exports.getByteLength = getByteLength;
@@ -34,11 +35,11 @@ function write(part, fields) {
     data = util.convert.encode(field, part.useCesu8);
 
     fieldLength = data.length;
-    if (fieldLength <= 245) {
+    if (fieldLength <= common.DATA_LENGTH_MAX1BYTE_LENGTH) {
       buffer[offset] = fieldLength;
       offset += 1;
     } else {
-      buffer[offset] = 0xf6;
+      buffer[offset] = common.DATA_LENGTH_2BYTE_LENGTH_INDICATOR;
       offset += 1;
       buffer.writeUInt16LE(fieldLength, offset);
       offset += 2;
@@ -57,7 +58,7 @@ function getByteLength(fields, useCesu8) {
   var fieldLength;
   for (var i = 0; i < fields.length; i++) {
     fieldLength = getByteLengthOfField(fields[i], useCesu8);
-    if (fieldLength <= 245) {
+    if (fieldLength <= common.DATA_LENGTH_MAX1BYTE_LENGTH) {
       byteLength += fieldLength + 1;
     } else {
       byteLength += fieldLength + 3;