Protoype of kerberos support (non parameterized with TODOs)

Author: blackentropy

packages/pg-protocol/src/parser.ts

@@ -327,6 +327,13 @@ export class Parser {
           return new AuthenticationMD5Password(length, salt)
         }
         break
+      case 7: // GSS Init (Kerberos)
+          message.name = 'GSSInit';
+          break;
+      case 8: // GSSAPI Continue (Kerberos)
+          message.name = 'GSSContinue';
+          message.inToken = this.reader.bytes(length - 8).toString('base64');
+          return message
       case 10: // AuthenticationSASL
         message.name = 'authenticationSASL'
         message.mechanisms = []

packages/pg-protocol/src/serializer.ts

@@ -239,6 +239,10 @@ const copyData = (chunk: Buffer): Buffer => {
   return writer.add(chunk).flush(code.copyFromChunk)
 }
 
+const sendBinaryPassword = (chunk: Buffer): Buffer => {
+  return writer.add(chunk).flush(code.startup)
+}
+
 const copyFail = (message: string): Buffer => {
   return cstringMessage(code.copyFail, message)
 }
@@ -266,6 +270,7 @@ const serialize = {
   sync: () => syncBuffer,
   end: () => endBuffer,
   copyData,
+  sendBinaryPassword,
   copyDone: () => copyDoneBuffer,
   copyFail,
   cancel,

packages/pg/lib/client.js

@@ -174,6 +174,10 @@ class Client extends EventEmitter {
   }
 
   _attachListeners(con) {
+    // kerberos
+    con.on('GSSInit', this._handleGSSInit.bind(this))
+    con.on('GSSContinue', this._handleGSSContinue.bind(this))
+
     // password request handling
     con.on('authenticationCleartextPassword', this._handleAuthCleartextPassword.bind(this))
     // password request handling
@@ -198,6 +202,40 @@ class Client extends EventEmitter {
     con.on('notification', this._handleNotification.bind(this))
   }
 
+  async _handleGSSInit(msg) {
+    try {
+      // TODO: Below needs to be parameterized
+      this.client = await kerberos.initializeClient('postgres@pg.US-WEST-2.COMPUTE.INTERNAL', {
+        mechOID: kerberos.GSS_MECH_OID_SPNEGO,
+      })
+
+      // TODO: below this might need to be a recursive loop to step multiple times.
+      const token = await this.client.step('')
+
+      const buf = Buffer.from(token, 'base64')
+      this.connection.sendBinaryPassword(buf)
+    } catch (e) {
+      this.emit('error', e)
+    }
+  }
+
+  async _handleGSSContinue(msg) {
+    try {
+      // TODO: Below needs to be parameterized
+      const inToken = msg.inToken
+      const token = await this.client.step(inToken)
+
+      // TODO: probably a better way to handle this.
+      if (token == null) {
+        return
+      }
+      const buf = Buffer.from(token, 'base64')
+      this.connection.sendBinaryPassword(buf)
+    } catch (e) {
+      this.emit('error', e)
+    }
+  }
+
   // TODO(bmc): deprecate pgpass "built in" integration since this.password can be a function
   // it can be supplied by the user if required - this is a breaking change!
   _checkPgPass(cb) {

packages/pg/lib/connection.js

@@ -133,6 +133,10 @@ class Connection extends EventEmitter {
     this._send(serialize.password(password))
   }
 
+  sendBinaryPassword(password) {
+    this._send(serialize.sendBinaryPassword(password))
+  }
+
   sendSASLInitialResponseMessage(mechanism, initialResponse) {
     this._send(serialize.sendSASLInitialResponseMessage(mechanism, initialResponse))
   }

packages/pg/package.json

@@ -20,6 +20,7 @@
   "author": "Brian Carlson <brian.m.carlson@gmail.com>",
   "main": "./lib",
   "dependencies": {
+    "kerberos": "^2.1.0",
     "pg-connection-string": "^2.6.4",
     "pg-pool": "^3.6.2",
     "pg-protocol": "^1.6.1",