node-expose-sspi-strict
Version:
Expose the Microsoft Windows SSPI interface in order to do NTLM and Kerberos authentication.
256 lines (255 loc) • 11.5 kB
JavaScript
"use strict";
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
var __generator = (this && this.__generator) || function (thisArg, body) {
var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
function verb(n) { return function (v) { return step([n, v]); }; }
function step(op) {
if (f) throw new TypeError("Generator is already executing.");
while (_) try {
if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
if (y = 0, t) op = [op[0] & 2, t.value];
switch (op[0]) {
case 0: case 1: t = op; break;
case 4: _.label++; return { value: op[1], done: false };
case 5: _.label++; y = op[1]; op = [0]; continue;
case 7: op = _.ops.pop(); _.trys.pop(); continue;
default:
if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
if (t[2]) _.ops.pop();
_.trys.pop(); continue;
}
op = body.call(thisArg, _);
} catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
}
};
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
exports.__esModule = true;
exports.getDistinguishedName = exports.getUsers = exports.getUser = exports.init = exports.database = void 0;
var api_1 = require("../../lib/api");
var domain_1 = require("./domain");
var debug_1 = __importDefault(require("debug"));
var mutex_1 = require("./mutex");
var adConnection_1 = require("./adConnection");
var debug = debug_1["default"]('node-expose-sspi:userdb');
exports.database = {
users: []
};
/**
*
* This function is recommanded to be called before starting a server.
*
* Purpose is to cache all Active Directory (AD) users for
* performance during authentication, just for increasing performance.
*
* Useless if you do not use AD.
*
* @export
* @returns {Promise<void>}
*/
function init() {
return __awaiter(this, void 0, void 0, function () {
var users, e_1;
return __generator(this, function (_a) {
switch (_a.label) {
case 0:
if (!domain_1.isOnDomain()) {
return [2 /*return*/];
}
_a.label = 1;
case 1:
_a.trys.push([1, 3, , 4]);
debug('init');
return [4 /*yield*/, getUsers()];
case 2:
users = _a.sent();
if (users)
exports.database.users = users;
return [3 /*break*/, 4];
case 3:
e_1 = _a.sent();
debug('Cannot get users from AD. e: ', e_1);
return [3 /*break*/, 4];
case 4: return [2 /*return*/];
}
});
});
}
exports.init = init;
function getUser(ldapFilter) {
return __awaiter(this, void 0, void 0, function () {
var adRelease, dirsearch, distinguishedName, hr, row, colName, value;
return __generator(this, function (_a) {
switch (_a.label) {
case 0:
debug('getUser start ');
if (!domain_1.isOnDomain()) {
return [2 /*return*/];
}
return [4 /*yield*/, mutex_1.activeDirectoryMutex.acquire()];
case 1:
adRelease = _a.sent();
if (!domain_1.isActiveDirectoryReachable()) {
console.error('Warning: Active Directory not reachable');
return [2 /*return*/];
}
adConnection_1.openADConnection();
_a.label = 2;
case 2:
_a.trys.push([2, , 8, 9]);
return [4 /*yield*/, getDistinguishedName()];
case 3:
distinguishedName = _a.sent();
return [4 /*yield*/, api_1.adsi.ADsOpenObject({
binding: "LDAP://" + distinguishedName,
riid: 'IID_IDirectorySearch'
})];
case 4:
dirsearch = _a.sent();
dirsearch.SetSearchPreference();
dirsearch.ExecuteSearch({
filter: "(&(objectClass=user)(objectCategory=person)" + ldapFilter + ")"
});
hr = dirsearch.GetNextRow();
if (hr === api_1.adsi.S_ADS_NOMORE_ROWS) {
return [2 /*return*/, undefined];
}
row = {};
colName = dirsearch.GetNextColumnName();
_a.label = 5;
case 5:
if (!(colName !== api_1.adsi.S_ADS_NOMORE_COLUMNS)) return [3 /*break*/, 7];
return [4 /*yield*/, dirsearch.GetColumn(colName)];
case 6:
value = _a.sent();
row[colName] = value;
colName = dirsearch.GetNextColumnName();
return [3 /*break*/, 5];
case 7: return [2 /*return*/, row];
case 8:
if (dirsearch) {
dirsearch.Release();
}
adConnection_1.closeADConnection();
adRelease();
debug('getUser end');
return [7 /*endfinally*/];
case 9: return [2 /*return*/];
}
});
});
}
exports.getUser = getUser;
function getUsers() {
return __awaiter(this, void 0, void 0, function () {
var adRelease, result, dirsearch, distinguishedName, row, colName, value, error_1;
return __generator(this, function (_a) {
switch (_a.label) {
case 0:
debug('getUsers start ');
if (!domain_1.isOnDomain()) {
return [2 /*return*/];
}
return [4 /*yield*/, mutex_1.activeDirectoryMutex.acquire()];
case 1:
adRelease = _a.sent();
if (!domain_1.isActiveDirectoryReachable()) {
console.error('Warning: Active Directory not reachable');
return [2 /*return*/];
}
result = [];
adConnection_1.openADConnection();
_a.label = 2;
case 2:
_a.trys.push([2, 10, 11, 12]);
return [4 /*yield*/, getDistinguishedName()];
case 3:
distinguishedName = _a.sent();
return [4 /*yield*/, api_1.adsi.ADsOpenObject({
binding: "LDAP://" + distinguishedName,
riid: 'IID_IDirectorySearch'
})];
case 4:
dirsearch = _a.sent();
dirsearch.SetSearchPreference();
dirsearch.ExecuteSearch({
filter: '(&(objectClass=user)(objectCategory=person)(sn=*))'
});
_a.label = 5;
case 5:
if (!true) return [3 /*break*/, 9];
if (dirsearch.GetNextRow() === api_1.adsi.S_ADS_NOMORE_ROWS) {
return [3 /*break*/, 9];
}
row = {};
colName = dirsearch.GetNextColumnName();
_a.label = 6;
case 6:
if (!(colName !== api_1.adsi.S_ADS_NOMORE_COLUMNS)) return [3 /*break*/, 8];
return [4 /*yield*/, dirsearch.GetColumn(colName)];
case 7:
value = _a.sent();
row[colName] = value;
colName = dirsearch.GetNextColumnName();
return [3 /*break*/, 6];
case 8:
result.push(row);
return [3 /*break*/, 5];
case 9: return [3 /*break*/, 12];
case 10:
error_1 = _a.sent();
console.error('error: ', error_1);
return [3 /*break*/, 12];
case 11:
if (dirsearch) {
dirsearch.Release();
}
adConnection_1.closeADConnection();
adRelease();
debug('getUsers end');
return [7 /*endfinally*/];
case 12: return [2 /*return*/, result];
}
});
});
}
exports.getUsers = getUsers;
function getDistinguishedName() {
return __awaiter(this, void 0, void 0, function () {
var root, distinguishedName;
return __generator(this, function (_a) {
switch (_a.label) {
case 0:
_a.trys.push([0, , 3, 4]);
return [4 /*yield*/, api_1.adsi.ADsGestObject('LDAP://rootDSE')];
case 1:
root = _a.sent();
return [4 /*yield*/, root.Get('defaultNamingContext')];
case 2:
distinguishedName = _a.sent();
return [2 /*return*/, distinguishedName];
case 3:
if (root) {
root.Release();
}
return [7 /*endfinally*/];
case 4: return [2 /*return*/];
}
});
});
}
exports.getDistinguishedName = getDistinguishedName;