Support LDAP authentication

Author: cplussharp

README.md

@@ -66,7 +66,7 @@ Below is a major feature comparison chart between the two drivers:
 | Password/PBKDF2 Authentication	                |:heavy_check_mark:|:heavy_check_mark:|
 | SAML Authentication	                            |:heavy_check_mark:|:heavy_check_mark:|
 | JWT Authentication	                            |:heavy_check_mark:|:heavy_check_mark:|
-| LDAP Authentication	                            |:heavy_check_mark:|:x:|
+| LDAP Authentication	                            |:heavy_check_mark:|:heavy_check_mark:|
 | Kerberos Authentication	                        |:heavy_check_mark:|:x:|
 | X.509 Authentication	                          |:heavy_check_mark:|:x:|
 | Secure User Store Integration (hdbuserstore)	        |:heavy_check_mark:|:x:|
@@ -195,7 +195,7 @@ This is suitable for multiple-host SAP HANA systems which are distributed over s
 Details about the different authentication methods can be found in the [SAP HANA Security Guide](https://help.sap.com/viewer/6b94445c94ae495c83a19646e7c3fd56/latest/en-US/440f6efe693d4b82ade2d8b182eb1efb.html).
 
 #### User / Password
-Users authenticate themselves with their database `user` and `password`.
+Users authenticate themselves with their database `user` and `password`. 
 
 #### SAML assertion
 SAML bearer assertions as well as unsolicited SAML responses that include an

lib/protocol/auth/LDAP.js

@@ -0,0 +1,133 @@
+// Copyright 2022 SAP SE.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http: //www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+// either express or implied. See the License for the specific
+// language governing permissions and limitations under the License.
+'use strict';
+
+var crypto = require('crypto');
+var util = require('../../util');
+var Fields = require('../data/Fields');
+
+var CLIENT_NONCE_SIZE = 64;
+var CAPABILITIES_SIZE = 8;
+var DEFAULT_CAPABILITIES = 1;
+var SESSION_KEY_SIZE = 32; // AES256 key size
+
+module.exports = LDAP;
+
+/**
+ * Handle LDAP authentication
+ *
+ * @param {object} options
+ * @param {string|Buffer} options.password The LDAP password of the user
+ * @param {Buffer} [options.clientChallenge] (for test only) the client nonce (64 bytes) to use
+ * @param {Buffer} [options.sessionKey] (for test only) the AES256 key (32 bytes) for the encryption of the password
+ */
+function LDAP(options) {
+  this.name = 'LDAP';
+  this.password = options.password;
+  if (util.isString(this.password)) {
+    this.password = new Buffer(this.password, 'utf8');
+  }
+  this.clientNonce = options.clientChallenge || crypto.randomBytes(CLIENT_NONCE_SIZE);
+  this.clientProof = null;
+  this.sessionKey = options.sessionKey;
+}
+
+/**
+ * Return the initial data to send to HANA (client none + capabilities)
+ * @return {Buffer}
+ */
+LDAP.prototype.initialData = function() {
+  // prepare capabilities
+  var capabilities = Buffer.allocUnsafe ? Buffer.allocUnsafe(CAPABILITIES_SIZE) : new Buffer(CAPABILITIES_SIZE);
+  capabilities.writeInt8(DEFAULT_CAPABILITIES, 0);
+  capabilities.fill(0, 1); // fill the remaining 7 bytes with 0
+
+  // write fields
+  var data = Fields.write(null, [this.clientNonce, capabilities]).buffer;
+  return data;
+};
+
+/**
+ * Gets the first response from the server and calculates the data for the next request
+ * @param {Buffer} buffer
+ * @param {function(Error?)} cb
+ */
+LDAP.prototype.initialize = function(buffer, cb) {
+  // read server challenge
+  var serverChallengeData = Fields.read({
+    buffer: buffer
+  });
+
+  // check number of fields
+  if (serverChallengeData.length < 4) {
+    var error = new Error('Unexpected number of fields [' + serverChallengeData.length + '] in server challenge (LDAP authentication)');
+    error.code = 'EHDBAUTHPROTOCOL';
+    cb(error);
+    return;
+  }
+
+  // check client nonce
+  var clientNonceProof = serverChallengeData[0];
+  if (!clientNonceProof.equals(this.clientNonce)) {
+    var error = new Error('Client nonce does not match (LDAP authentication)');
+    error.code = 'EHDBAUTHCLIENTNONCE';
+    cb(error);
+    return;
+  }
+
+  // check capabilities
+  var serverCapabilities = serverChallengeData[3];
+  if (serverCapabilities.readInt8() != DEFAULT_CAPABILITIES) {
+    var error = new Error('Unsupported capabilities (LDAP authentication)');
+    error.code = 'EHDBAUTHCAPABILITIES';
+    cb(error);
+    return;
+  }
+
+  // generate session key (for AES256 encryption of the password)
+  if (!this.sessionKey) {
+    this.sessionKey = crypto.randomBytes(SESSION_KEY_SIZE);
+  }
+
+  // generate the encrypted session key
+  var serverNonce = serverChallengeData[1];
+  var serverPublicKey = serverChallengeData[2].toString('ascii'); // RSA public key (PKCS8 PEM)
+  var sessionKeyContent = Buffer.concat([this.sessionKey, serverNonce]);
+  var encryptedSessionKey = crypto.publicEncrypt({
+      key: serverPublicKey,
+      format: 'pem',
+      type: 'spki'
+    }, sessionKeyContent);
+
+  // encrypt the password
+  var iv = serverNonce.slice(0, 16);
+  var cipher = crypto.createCipheriv("aes-256-cbc", this.sessionKey, iv);
+  var passwordContent = Buffer.concat([this.password, new Buffer(1), serverNonce]);
+  var encryptedPassword = cipher.update(passwordContent);
+  encryptedPassword = Buffer.concat([encryptedPassword, cipher.final()]);
+
+  // generate client proof
+  this.clientProof = Fields.write(null, [encryptedSessionKey, encryptedPassword]).buffer;
+
+  // done
+  cb();
+};
+
+LDAP.prototype.finalData = function finalData() {
+  return this.clientProof;
+};
+
+LDAP.prototype.finalize = function finalize(buffer) {
+  /* jshint unused:false */
+};

lib/protocol/auth/Manager.js

@@ -17,6 +17,7 @@ var SCRAMSHA256 = require('./SCRAMSHA256');
 var SAML = require('./SAML');
 var JWT = require('./JWT');
 var SessionCookie = require('./SessionCookie');
+var LDAP = require('./LDAP');
 
 module.exports = Manager;
 
@@ -35,6 +36,7 @@ function Manager(options) {
     this._authMethods.push(new SessionCookie(options));
   }
   if (options.user && options.password) {
+    this._authMethods.push(new LDAP(options));
     this._authMethods.push(new SCRAMSHA256(options, true));  // with PBKDF2
     this._authMethods.push(new SCRAMSHA256(options, false)); // no PBKDF2
   }

lib/protocol/data/Fields.js

@@ -44,6 +44,9 @@ function read(part) {
       } else if (fieldLength == common.DATA_LENGTH_4BYTE_LENGTH_INDICATOR) {
         fieldLength = buffer.readUInt32LE(offset);
         offset += 4;
+      } else if (fieldLength == 255) {  // indicates that the following two bytes contain the length in big endian (bug?)
+        fieldLength = buffer.readUInt16BE(offset);
+        offset += 2;
       } else {
         throw Error("Unsupported length indicator: " + fieldLength);
       }

test/auth.Manager.js

@@ -26,6 +26,7 @@ describe('Auth', function () {
 
   describe('#SCRAMSHA256', function () {
 
+    var method0 = 'LDAP'
     var method1 = 'SCRAMPBKDF2SHA256';
     var method2 = 'SCRAMSHA256';
     var password = 'secret';
@@ -56,12 +57,69 @@ describe('Auth', function () {
       '01002093cae8d0d3fd9ea7e67da4a09678d504429e67a1cb6197ed3a6a70afbd757a96',
       'hex');
 
+    var ldapClientChallenge = new Buffer(
+      '0200' +
+      // client nonce = clientChallenge
+      '40' +
+      'edbd7cc8b2f26489d65a7cd51e27f2e73fca227d1ab6aafcac0f428ca4d8e10c' +
+      '19e3e38f3aac51075e67bbe52fdb6103a7c34c8a70908ed5be0b3542705f738c' +
+      // supported capabilities
+      '08' +
+      '0100000000000000',
+      'hex');
+    var ldapServerChallenge = new Buffer(
+      '0400' +
+      // client nonce = clientChallenge
+      '40' +
+      'edbd7cc8b2f26489d65a7cd51e27f2e73fca227d1ab6aafcac0f428ca4d8e10c' +
+      '19e3e38f3aac51075e67bbe52fdb6103a7c34c8a70908ed5be0b3542705f738c' +
+      // server nonce
+      '40' +
+      'a16fc718d5fd20aa3febeeeebe34270565ad3818894c6e3b3b674ee71b440c07' +
+      'd6b9329d1860d4e693d9312aaece14bf3eb86d604670c571f2d7445a97949310' +
+      // public key pem
+      'ff01c4' +
+      '2d2d2d2d2d424547494e205055424c4943204b45592d2d2d2d2d0a' +
+      '4d494942496a414e42676b71686b6947397730424151454641414f43415138414d49494243674b43415145416f4e736d494777763554583558473051697076620a' +
+      '435342576645773678546d3230596c555559516262316d5863764831575153475877424c5078313449556b584e67545350435177314a4f7361513075364843680a' +
+      '6e35773063786f4e78367a386e694b3838676c774a476167714c32356536506d47354d586264784d74496c5863736336465a55364a4370384538496d313362650a' +
+      '7776584c4b6c6d7536304238762b462b5877582b5a6b6f693735662f6758626e2f366a723679737a554c4b512f586151524a69535766567468575a71533967540a' +
+      '53645676686e736d4e306261744c7a70705376706c79356447423735596961754b4f66672b753531684e2b4b4d4a5a532f392f415172716d71637678675835740a' +
+      '79624a6b6138796e437164694e4b6d32764d6174766d6f656a4f446d7a61474b5553514754627042357a35654a544636625172796877666850645263692b7a760a' +
+      '7a514944415141420a' +
+      '2d2d2d2d2d454e44205055424c4943204b45592d2d2d2d2d0a00' +
+      // capability to use
+      '01' +
+      '01',
+      'hex');
+/*
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoNsmIGwv5TX5XG0Qipvb
+CSBWfEw6xTm20YlUUYQbb1mXcvH1WQSGXwBLPx14IUkXNgTSPCQw1JOsaQ0u6HCh
+n5w0cxoNx6z8niK88glwJGagqL25e6PmG5MXbdxMtIlXcsc6FZU6JCp8E8Im13be
+wvXLKlmu60B8v+F+XwX+Zkoi75f/gXbn/6jr6yszULKQ/XaQRJiSWfVthWZqS9gT
+SdVvhnsmN0batLzppSvply5dGB75YiauKOfg+u51hN+KMJZS/9/AQrqmqcvxgX5t
+ybJka8ynCqdiNKm2vMatvmoejODmzaGKUSQGTbpB5z5eJTF6bQryhwfhPdRci+zv
+zQIDAQAB
+-----END PUBLIC KEY-----
+*/
+    var ldapSessionKey = new Buffer(
+      '568bdf7b9d8930ea937279326c92f72fc0769205e91d864b7a44868984e2cbb2',
+      'hex');
+    // can't check client proof as RSA encypt has a random factor
+    // so only check the encrypted password
+    var ldapEncryptedPassword = new Buffer('7d78f690a5cff122e72f62f6c07dfea1259098a2ccfa938f42031f2644dba8954aa10d1c0665d7b8ac763353acfd0792cea2a6dea423c85c62efb8448f398bc9425aee548b1cdb22cbb4d6d3a95eaf70', 'hex');
+
     it('should get the corresponding authentication method instances', function () {
       var manager = auth.createManager({
         user: user,
         password: new Buffer(password, 'utf8'),
         clientChallenge: clientChallenge
       });
+      var authMethod0 = manager.getMethod(method0);
+      Buffer.isBuffer(authMethod0.password).should.be.true;
+      authMethod0.password.toString('utf8').should.equal(password);
+
       var authMethod1 = manager.getMethod(method1);
       Buffer.isBuffer(authMethod1.password).should.be.true;
       authMethod1.password.toString('utf8').should.equal(password);
@@ -78,8 +136,8 @@ describe('Auth', function () {
         clientChallenge: clientChallenge
       });
       manager.user.should.equal(user);
-      manager._authMethods.should.have.length(2);
-      var authMethod = manager._authMethods[1];
+      manager._authMethods.should.have.length(3);
+      var authMethod = manager._authMethods[2];
       authMethod.name.should.equal(method2);
       authMethod.password.should.be.instanceof(Buffer);
       authMethod.password.toString('utf8').should.eql(password);
@@ -88,7 +146,7 @@ describe('Auth', function () {
       var initialData = authMethod.initialData();
       initialData.should.equal(clientChallenge);
       initialData = manager.initialData();
-      initialData.should.eql([user, method1, clientChallenge, method2, clientChallenge]);
+      initialData.should.eql([user, method0, ldapClientChallenge, method1, clientChallenge, method2, clientChallenge]);
       // initialize manager
       manager.initialize([method2, serverChallengeDataNoPBKDF2], function(err) {
         manager._authMethod.should.equal(authMethod);
@@ -112,8 +170,8 @@ describe('Auth', function () {
         clientChallenge: clientChallenge
       });
       manager.user.should.equal(user);
-      manager._authMethods.should.have.length(2);
-      var authMethod = manager._authMethods[0];
+      manager._authMethods.should.have.length(3);
+      var authMethod = manager._authMethods[1];
       authMethod.name.should.equal(method1);
       authMethod.password.should.be.instanceof(Buffer);
       authMethod.password.toString('utf8').should.eql(password);
@@ -122,7 +180,7 @@ describe('Auth', function () {
       var initialData = authMethod.initialData();
       initialData.should.equal(clientChallenge);
       initialData = manager.initialData();
-      initialData.should.eql([user, method1, clientChallenge, method2, clientChallenge]);
+      initialData.should.eql([user, method0, ldapClientChallenge, method1, clientChallenge, method2, clientChallenge]);
       // initialize manager
       manager.initialize([method1, serverChallengeDataWithPBKDF2], function(err) {
         manager._authMethod.should.equal(authMethod);
@@ -146,6 +204,45 @@ describe('Auth', function () {
       });
     });
 
+    it('should authenticate and connect successfully with LDAP', function (done) {
+      var manager = auth.createManager({
+        user: user,
+        password: password,
+        clientChallenge: clientChallenge,
+        sessionKey: ldapSessionKey
+      });
+      manager.user.should.equal(user);
+      manager._authMethods.should.have.length(3);
+      var authMethod = manager._authMethods[0];
+      authMethod.name.should.equal(method0);
+      authMethod.password.should.be.instanceof(Buffer);
+      authMethod.password.toString('utf8').should.eql(password);
+      authMethod.clientNonce.should.equal(clientChallenge);
+      authMethod.sessionKey.should.equal(ldapSessionKey);
+      // initial data
+      var initialData = authMethod.initialData();
+      initialData.should.eql(ldapClientChallenge);
+      initialData = manager.initialData();
+      initialData.should.eql([user, method0, ldapClientChallenge, method1, clientChallenge, method2, clientChallenge]);
+      // initialize manager
+      manager.initialize([method0, ldapServerChallenge], function(err) {
+        manager._authMethod.should.equal(authMethod);
+        // clientProof
+        var ldapClientProof = authMethod.clientProof;
+        var clientProofFields = Fields.read({ buffer: ldapClientProof });
+        clientProofFields.length.should.eql(2);
+        clientProofFields[1].should.eql(ldapEncryptedPassword);
+        // final data
+        var finalData = authMethod.finalData();
+        finalData.should.eql(ldapClientProof);
+        finalData = manager.finalData();
+        finalData.should.eql([user, method0, ldapClientProof]);
+        // finalize manager
+        manager.finalize([method0, null]);
+        done();
+      });
+    });
+
     it('should write initial data fields part', function () {
       var part = Fields.write({}, auth.createManager({
         user: user,
@@ -156,7 +253,7 @@ describe('Auth', function () {
       var buffer = part.buffer;
       var offset = 0;
       var field, length;
-      buffer.readUInt16LE(offset).should.equal(5);
+      buffer.readUInt16LE(offset).should.equal(7);
       offset += 2;
       // validate user
       length = buffer[offset];
@@ -165,6 +262,20 @@ describe('Auth', function () {
       offset += length;
       length.should.equal(Buffer.byteLength(user));
       field.should.equal(user);
+      // validate method0 name
+      length = buffer[offset];
+      offset += 1;
+      field = buffer.toString('utf8', offset, offset + length);
+      offset += length;
+      length.should.equal(Buffer.byteLength(method0));
+      field.should.equal(method0);
+      // validate clientChallenge #0
+      length = buffer[offset];
+      offset += 1;
+      field = buffer.slice(offset, offset + length);
+      offset += length;
+      length.should.equal(ldapClientChallenge.length);
+      field.should.eql(ldapClientChallenge);
       // validate method1 name
       length = buffer[offset];
       offset += 1;

test/mock/server.js

@@ -146,8 +146,8 @@ function handleAuthenticate(msg) {
   var fields = Fields.read(msgPart);
   var user = fields[0];
   var algorithm = fields[1].toString('ascii');
-  if (algorithm === "SCRAMPBKDF2SHA256") {
-    var algorithm = fields[3].toString('ascii');
+  if (algorithm === "LDAP") {
+    var algorithm = fields[5].toString('ascii');
   }
   var salt = new Buffer([
     0x80, 0x96, 0x4f, 0xa8, 0x54, 0x28, 0xae, 0x3a,