UNPKG

mongodb

Version:

The official MongoDB driver for Node.js

github.com/mongodb/node-mongodb-native

mongodb/node-mongodb-native

183 lines 8.79 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.MongoCredentials = exports.DEFAULT_ALLOWED_HOSTS = void 0; const error_1 = require("../../error"); const gssapi_1 = require("./gssapi"); const providers_1 = require("./providers"); /** * @see https://github.com/mongodb/specifications/blob/master/source/auth/auth.md */ function getDefaultAuthMechanism(hello) { if (hello) { // If hello contains saslSupportedMechs, use scram-sha-256 // if it is available, else scram-sha-1 if (Array.isArray(hello.saslSupportedMechs)) { return hello.saslSupportedMechs.includes(providers_1.AuthMechanism.MONGODB_SCRAM_SHA256) ? providers_1.AuthMechanism.MONGODB_SCRAM_SHA256 : providers_1.AuthMechanism.MONGODB_SCRAM_SHA1; } } // Default auth mechanism for 4.0 and higher. return providers_1.AuthMechanism.MONGODB_SCRAM_SHA256; } const ALLOWED_ENVIRONMENT_NAMES = [ 'test', 'azure', 'gcp', 'k8s' ]; const ALLOWED_HOSTS_ERROR = 'Auth mechanism property ALLOWED_HOSTS must be an array of strings.'; /** @internal */ exports.DEFAULT_ALLOWED_HOSTS = [ '*.mongodb.net', '*.mongodb-qa.net', '*.mongodb-dev.net', '*.mongodbgov.net', 'localhost', '127.0.0.1', '::1' ]; /** Error for when the token audience is missing in the environment. */ const TOKEN_RESOURCE_MISSING_ERROR = 'TOKEN_RESOURCE must be set in the auth mechanism properties when ENVIRONMENT is azure or gcp.'; /** * A representation of the credentials used by MongoDB * @public */ class MongoCredentials { constructor(options) { this.username = options.username ?? ''; this.password = options.password; this.source = options.source; if (!this.source && options.db) { this.source = options.db; } this.mechanism = options.mechanism || providers_1.AuthMechanism.MONGODB_DEFAULT; this.mechanismProperties = options.mechanismProperties || {}; if (this.mechanism.match(/MONGODB-AWS/i)) { if (!this.username && process.env.AWS_ACCESS_KEY_ID) { this.username = process.env.AWS_ACCESS_KEY_ID; } if (!this.password && process.env.AWS_SECRET_ACCESS_KEY) { this.password = process.env.AWS_SECRET_ACCESS_KEY; } if (this.mechanismProperties.AWS_SESSION_TOKEN == null && process.env.AWS_SESSION_TOKEN != null) { this.mechanismProperties = { ...this.mechanismProperties, AWS_SESSION_TOKEN: process.env.AWS_SESSION_TOKEN }; } } if (this.mechanism === providers_1.AuthMechanism.MONGODB_OIDC && !this.mechanismProperties.ALLOWED_HOSTS) { this.mechanismProperties = { ...this.mechanismProperties, ALLOWED_HOSTS: exports.DEFAULT_ALLOWED_HOSTS }; } Object.freeze(this.mechanismProperties); Object.freeze(this); } /** Determines if two MongoCredentials objects are equivalent */ equals(other) { return (this.mechanism === other.mechanism && this.username === other.username && this.password === other.password && this.source === other.source); } /** * If the authentication mechanism is set to "default", resolves the authMechanism * based on the server version and server supported sasl mechanisms. * * @param hello - A hello response from the server */ resolveAuthMechanism(hello) { // If the mechanism is not "default", then it does not need to be resolved if (this.mechanism.match(/DEFAULT/i)) { return new MongoCredentials({ username: this.username, password: this.password, source: this.source, mechanism: getDefaultAuthMechanism(hello), mechanismProperties: this.mechanismProperties }); } return this; } validate() { if ((this.mechanism === providers_1.AuthMechanism.MONGODB_GSSAPI || this.mechanism === providers_1.AuthMechanism.MONGODB_PLAIN || this.mechanism === providers_1.AuthMechanism.MONGODB_SCRAM_SHA1 || this.mechanism === providers_1.AuthMechanism.MONGODB_SCRAM_SHA256) && !this.username) { throw new error_1.MongoMissingCredentialsError(`Username required for mechanism '${this.mechanism}'`); } if (this.mechanism === providers_1.AuthMechanism.MONGODB_OIDC) { if (this.username && this.mechanismProperties.ENVIRONMENT && this.mechanismProperties.ENVIRONMENT !== 'azure') { throw new error_1.MongoInvalidArgumentError(`username and ENVIRONMENT '${this.mechanismProperties.ENVIRONMENT}' may not be used together for mechanism '${this.mechanism}'.`); } if (this.username && this.password) { throw new error_1.MongoInvalidArgumentError(`No password is allowed in ENVIRONMENT '${this.mechanismProperties.ENVIRONMENT}' for '${this.mechanism}'.`); } if ((this.mechanismProperties.ENVIRONMENT === 'azure' || this.mechanismProperties.ENVIRONMENT === 'gcp') && !this.mechanismProperties.TOKEN_RESOURCE) { throw new error_1.MongoInvalidArgumentError(TOKEN_RESOURCE_MISSING_ERROR); } if (this.mechanismProperties.ENVIRONMENT && !ALLOWED_ENVIRONMENT_NAMES.includes(this.mechanismProperties.ENVIRONMENT)) { throw new error_1.MongoInvalidArgumentError(`Currently only a ENVIRONMENT in ${ALLOWED_ENVIRONMENT_NAMES.join(',')} is supported for mechanism '${this.mechanism}'.`); } if (!this.mechanismProperties.ENVIRONMENT && !this.mechanismProperties.OIDC_CALLBACK && !this.mechanismProperties.OIDC_HUMAN_CALLBACK) { throw new error_1.MongoInvalidArgumentError(`Either a ENVIRONMENT, OIDC_CALLBACK, or OIDC_HUMAN_CALLBACK must be specified for mechanism '${this.mechanism}'.`); } if (this.mechanismProperties.ALLOWED_HOSTS) { const hosts = this.mechanismProperties.ALLOWED_HOSTS; if (!Array.isArray(hosts)) { throw new error_1.MongoInvalidArgumentError(ALLOWED_HOSTS_ERROR); } for (const host of hosts) { if (typeof host !== 'string') { throw new error_1.MongoInvalidArgumentError(ALLOWED_HOSTS_ERROR); } } } } if (providers_1.AUTH_MECHS_AUTH_SRC_EXTERNAL.has(this.mechanism)) { if (this.source != null && this.source !== '$external') { // TODO(NODE-3485): Replace this with a MongoAuthValidationError throw new error_1.MongoAPIError(`Invalid source '${this.source}' for mechanism '${this.mechanism}' specified.`); } } if (this.mechanism === providers_1.AuthMechanism.MONGODB_PLAIN && this.source == null) { // TODO(NODE-3485): Replace this with a MongoAuthValidationError throw new error_1.MongoAPIError('PLAIN Authentication Mechanism needs an auth source'); } if (this.mechanism === providers_1.AuthMechanism.MONGODB_X509 && this.password != null) { if (this.password === '') { Reflect.set(this, 'password', undefined); return; } // TODO(NODE-3485): Replace this with a MongoAuthValidationError throw new error_1.MongoAPIError(`Password not allowed for mechanism MONGODB-X509`); } const canonicalization = this.mechanismProperties.CANONICALIZE_HOST_NAME ?? false; if (!Object.values(gssapi_1.GSSAPICanonicalizationValue).includes(canonicalization)) { throw new error_1.MongoAPIError(`Invalid CANONICALIZE_HOST_NAME value: ${canonicalization}`); } } static merge(creds, options) { return new MongoCredentials({ username: options.username ?? creds?.username ?? '', password: options.password ?? creds?.password ?? '', mechanism: options.mechanism ?? creds?.mechanism ?? providers_1.AuthMechanism.MONGODB_DEFAULT, mechanismProperties: options.mechanismProperties ?? creds?.mechanismProperties ?? {}, source: options.source ?? options.db ?? creds?.source ?? 'admin' }); } } exports.MongoCredentials = MongoCredentials; //# sourceMappingURL=mongo_credentials.js.map