1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
|
# Copyright (C) 2014 MongoDB Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
require 'securerandom'
require 'base64'
module Mongo
module Auth
class SCRAM
# Defines behaviour around a single SCRAM-SHA-1 conversation between the
# client and server.
#
# @since 2.0.0
class Conversation
# The base client continue message.
#
# @since 2.0.0
CLIENT_CONTINUE_MESSAGE = { saslContinue: 1 }.freeze
# The base client first message.
#
# @since 2.0.0
CLIENT_FIRST_MESSAGE = { saslStart: 1, autoAuthorize: 1 }.freeze
# The client key string.
#
# @since 2.0.0
CLIENT_KEY = 'Client Key'.freeze
# The digest to use for encryption.
#
# @since 2.0.0
DIGEST = OpenSSL::Digest::SHA1.new.freeze
# The key for the done field in the responses.
#
# @since 2.0.0
DONE = 'done'.freeze
# The conversation id field.
#
# @since 2.0.0
ID = 'conversationId'.freeze
# The iterations key in the responses.
#
# @since 2.0.0
ITERATIONS = /i=(\d+)/.freeze
# The payload field.
#
# @since 2.0.0
PAYLOAD = 'payload'.freeze
# The rnonce key in the responses.
#
# @since 2.0.0
RNONCE = /r=([^,]*)/.freeze
# The salt key in the responses.
#
# @since 2.0.0
SALT = /s=([^,]*)/.freeze
# The server key string.
#
# @since 2.0.0
SERVER_KEY = 'Server Key'.freeze
# The server signature verifier in the response.
#
# @since 2.0.0
VERIFIER = /v=([^,]*)/.freeze
# @return [ String ] nonce The initial user nonce.
attr_reader :nonce
# @return [ Protocol::Message ] reply The current reply in the
# conversation.
attr_reader :reply
# @return [ User ] user The user for the conversation.
attr_reader :user
# Continue the SCRAM conversation. This sends the client final message
# to the server after setting the reply from the previous server
# communication.
#
# @example Continue the conversation.
# conversation.continue(reply)
#
# @param [ Protocol::Message ] reply The reply of the previous
# message.
# @param [ Mongo::Server::Connection ] connection The connection being authenticated.
#
# @return [ Protocol::Query ] The next message to send.
#
# @since 2.0.0
def continue(reply, connection = nil)
validate_first_message!(reply)
# The salted password needs to be calculated now; otherwise, if the
# client key is cached from a previous authentication, the salt in the
# reply will no longer be available for when the salted password is
# needed to calculate the server key.
salted_password
if connection && connection.features.op_msg_enabled?
selector = CLIENT_CONTINUE_MESSAGE.merge(payload: client_final_message, conversationId: id)
selector[Protocol::Msg::DATABASE_IDENTIFIER] = user.auth_source
cluster_time = connection.mongos? && connection.cluster_time
selector[Operation::CLUSTER_TIME] = cluster_time if cluster_time
Protocol::Msg.new([:none], {}, selector)
else
Protocol::Query.new(
user.auth_source,
Database::COMMAND,
CLIENT_CONTINUE_MESSAGE.merge(payload: client_final_message, conversationId: id),
limit: -1
)
end
end
# Finalize the SCRAM conversation. This is meant to be iterated until
# the provided reply indicates the conversation is finished.
#
# @example Finalize the conversation.
# conversation.finalize(reply)
#
# @param [ Protocol::Message ] reply The reply of the previous
# message.
# @param [ Mongo::Server::Connection ] connection The connection being authenticated.
#
# @return [ Protocol::Query ] The next message to send.
#
# @since 2.0.0
def finalize(reply, connection = nil)
validate_final_message!(reply)
if connection && connection.features.op_msg_enabled?
selector = CLIENT_CONTINUE_MESSAGE.merge(payload: client_empty_message, conversationId: id)
selector[Protocol::Msg::DATABASE_IDENTIFIER] = user.auth_source
cluster_time = connection.mongos? && connection.cluster_time
selector[Operation::CLUSTER_TIME] = cluster_time if cluster_time
Protocol::Msg.new([:none], {}, selector)
else
Protocol::Query.new(
user.auth_source,
Database::COMMAND,
CLIENT_CONTINUE_MESSAGE.merge(payload: client_empty_message, conversationId: id),
limit: -1
)
end
end
# Start the SCRAM conversation. This returns the first message that
# needs to be send to the server.
#
# @example Start the conversation.
# conversation.start
#
# @param [ Mongo::Server::Connection ] connection The connection being authenticated.
#
# @return [ Protocol::Query ] The first SCRAM conversation message.
#
# @since 2.0.0
def start(connection = nil)
if connection && connection.features.op_msg_enabled?
selector = CLIENT_FIRST_MESSAGE.merge(payload: client_first_message, mechanism: SCRAM::MECHANISM)
selector[Protocol::Msg::DATABASE_IDENTIFIER] = user.auth_source
cluster_time = connection.mongos? && connection.cluster_time
selector[Operation::CLUSTER_TIME] = cluster_time if cluster_time
Protocol::Msg.new([:none], {}, selector)
else
Protocol::Query.new(
user.auth_source,
Database::COMMAND,
CLIENT_FIRST_MESSAGE.merge(payload: client_first_message, mechanism: SCRAM::MECHANISM),
limit: -1
)
end
end
# Get the id of the conversation.
#
# @example Get the id of the conversation.
# conversation.id
#
# @return [ Integer ] The conversation id.
#
# @since 2.0.0
def id
reply.documents[0][ID]
end
# Create the new conversation.
#
# @example Create the new conversation.
# Conversation.new(user)
#
# @param [ Auth::User ] user The user to converse about.
#
# @since 2.0.0
def initialize(user)
@user = user
@nonce = SecureRandom.base64
@client_key = user.send(:client_key)
end
private
# Auth message algorithm implementation.
#
# @api private
#
# @see http://tools.ietf.org/html/rfc5802#section-3
#
# @since 2.0.0
def auth_message
@auth_message ||= "#{first_bare},#{reply.documents[0][PAYLOAD].data},#{without_proof}"
end
# Get the empty client message.
#
# @api private
#
# @since 2.0.0
def client_empty_message
BSON::Binary.new('')
end
# Get the final client message.
#
# @api private
#
# @see http://tools.ietf.org/html/rfc5802#section-3
#
# @since 2.0.0
def client_final_message
BSON::Binary.new("#{without_proof},p=#{client_final}")
end
# Get the client first message
#
# @api private
#
# @see http://tools.ietf.org/html/rfc5802#section-3
#
# @since 2.0.0
def client_first_message
BSON::Binary.new("n,,#{first_bare}")
end
# Client final implementation.
#
# @api private
#
# @see http://tools.ietf.org/html/rfc5802#section-7
#
# @since 2.0.0
def client_final
@client_final ||= client_proof(client_key, client_signature(stored_key(client_key), auth_message))
end
# Client key algorithm implementation.
#
# @api private
#
# @see http://tools.ietf.org/html/rfc5802#section-3
#
# @since 2.0.0
def client_key
@client_key ||= hmac(salted_password, CLIENT_KEY)
user.instance_variable_set(:@client_key, @client_key) unless user.send(:client_key)
@client_key
end
# Client proof algorithm implementation.
#
# @api private
#
# @see http://tools.ietf.org/html/rfc5802#section-3
#
# @since 2.0.0
def client_proof(key, signature)
@client_proof ||= Base64.strict_encode64(xor(key, signature))
end
# Client signature algorithm implementation.
#
# @api private
#
# @see http://tools.ietf.org/html/rfc5802#section-3
#
# @since 2.0.0
def client_signature(key, message)
@client_signature ||= hmac(key, message)
end
# First bare implementation.
#
# @api private
#
# @see http://tools.ietf.org/html/rfc5802#section-7
#
# @since 2.0.0
def first_bare
@first_bare ||= "n=#{user.encoded_name},r=#{nonce}"
end
# H algorithm implementation.
#
# @api private
#
# @see http://tools.ietf.org/html/rfc5802#section-2.2
#
# @since 2.0.0
def h(string)
digest.digest(string)
end
# HI algorithm implementation.
#
# @api private
#
# @see http://tools.ietf.org/html/rfc5802#section-2.2
#
# @since 2.0.0
def hi(data)
OpenSSL::PKCS5.pbkdf2_hmac_sha1(
data,
Base64.strict_decode64(salt),
iterations,
digest.size
)
end
# HMAC algorithm implementation.
#
# @api private
#
# @see http://tools.ietf.org/html/rfc5802#section-2.2
#
# @since 2.0.0
def hmac(data, key)
OpenSSL::HMAC.digest(digest, data, key)
end
# Get the iterations from the server response.
#
# @api private
#
# @since 2.0.0
def iterations
@iterations ||= payload_data.match(ITERATIONS)[1].to_i
end
# Get the data from the returned payload.
#
# @api private
#
# @since 2.0.0
def payload_data
reply.documents[0][PAYLOAD].data
end
# Get the server nonce from the payload.
#
# @api private
#
# @since 2.0.0
def rnonce
@rnonce ||= payload_data.match(RNONCE)[1]
end
# Gets the salt from the server response.
#
# @api private
#
# @since 2.0.0
def salt
@salt ||= payload_data.match(SALT)[1]
end
# Salted password algorithm implementation.
#
# @api private
#
# @see http://tools.ietf.org/html/rfc5802#section-3
#
# @since 2.0.0
def salted_password
@salted_password ||= hi(user.hashed_password)
end
# Server key algorithm implementation.
#
# @api private
#
# @see http://tools.ietf.org/html/rfc5802#section-3
#
# @since 2.0.0
def server_key
@server_key ||= hmac(salted_password, SERVER_KEY)
end
# Server signature algorithm implementation.
#
# @api private
#
# @see http://tools.ietf.org/html/rfc5802#section-3
#
# @since 2.0.0
def server_signature
@server_signature ||= Base64.strict_encode64(hmac(server_key, auth_message))
end
# Stored key algorithm implementation.
#
# @api private
#
# @see http://tools.ietf.org/html/rfc5802#section-3
#
# @since 2.0.0
def stored_key(key)
h(key)
end
# Get the verifier token from the server response.
#
# @api private
#
# @since 2.0.0
def verifier
@verifier ||= payload_data.match(VERIFIER)[1]
end
# Get the without proof message.
#
# @api private
#
# @see http://tools.ietf.org/html/rfc5802#section-7
#
# @since 2.0.0
def without_proof
@without_proof ||= "c=biws,r=#{rnonce}"
end
# XOR operation for two strings.
#
# @api private
#
# @since 2.0.0
def xor(first, second)
first.bytes.zip(second.bytes).map{ |(a,b)| (a ^ b).chr }.join('')
end
def compare_digest(a, b)
check = a.bytesize ^ b.bytesize
a.bytes.zip(b.bytes){ |x, y| check |= x ^ y.to_i }
check == 0
end
def validate_final_message!(reply)
validate!(reply)
unless compare_digest(verifier, server_signature)
raise Error::InvalidSignature.new(verifier, server_signature)
end
end
def validate_first_message!(reply)
validate!(reply)
raise Error::InvalidNonce.new(nonce, rnonce) unless rnonce.start_with?(nonce)
end
def validate!(reply)
raise Unauthorized.new(user) unless reply.documents[0][Operation::Result::OK] == 1
@reply = reply
end
private
def digest
@digest ||= OpenSSL::Digest::SHA1.new.freeze
end
end
end
end
end
|
