feat(NODE-7164): add TS definition file to kerberos package

README.md

@@ -283,6 +283,8 @@ Details are looked up via the `/etc/keytab` file.
 | [options.principal] | <code>string</code> | Optional string containing the client principal in the form 'user@realm' (e.g. '[email protected]'). |
 | [options.flags] | <code>number</code> | Optional integer used to set GSS flags. (e.g.  `GSS_C_DELEG_FLAG\|GSS_C_MUTUAL_FLAG\|GSS_C_SEQUENCE_FLAG` will allow for forwarding credentials to the remote host) |
 | [options.mechOID] | <code>number</code> | Optional GSS mech OID. Defaults to None (GSS_C_NO_OID). Other possible values are `GSS_MECH_OID_KRB5`, `GSS_MECH_OID_SPNEGO`. |
+| [options.user] | <code>string</code> | The username with which to authenticate.  Only used on Windows. |
+| [options.pass] | <code>string</code> | The password with which to authenticate.  Only used on Windows. |
 
 Initializes a context for client-side authentication with the given service principal.
 

index.d.ts

@@ -0,0 +1,177 @@
+export const GSS_C_DELEG_FLAG: number;
+export const GSS_C_MUTUAL_FLAG: number;
+export const GSS_C_REPLAY_FLAG: number;
+export const GSS_C_SEQUENCE_FLAG: number;
+export const GSS_C_CONF_FLAG: number;
+export const GSS_C_INTEG_FLAG: number;
+export const GSS_C_ANON_FLAG: number;
+export const GSS_C_PROT_READY_FLAG: number;
+export const GSS_C_TRANS_FLAG: number;
+
+export const GSS_C_NO_OID: number;
+export const GSS_MECH_OID_KRB5: number;
+export const GSS_MECH_OID_SPNEGO: number;
+
+/**
+ * Optional settings for *KerberosClient.wrap* method.
+ */
+export interface WrapOptions {
+    /**
+     * The user to authorize.
+     */
+    user?: string | undefined;
+
+    /**
+     * Indicates if the wrap should request message confidentiality.
+     */
+    protect?: boolean
+}
+
+/**
+ * Options for `initializeClient()`.
+ */
+export interface InitializeClientOptions {
+    /**
+     * Optional string containing the client principal in the form 'user@realm' (e.g. '[email protected]').
+     */
+    principal?: string | undefined;
+    /**
+     * Optional integer used to set GSS flags. (e.g.  `GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG` will allow for forwarding credentials to the remote host).
+     */
+    gssFlag?: number | undefined;
+    /**
+     * Optional GSS mech OID. Defaults to None (GSS_C_NO_OID). Other possible values are `GSS_MECH_OID_KRB5`, `GSS_MECH_OID_SPNEGO`.
+     */
+    mechOID?: number | undefined;
+
+    /**
+     * The username with which to authenticate.  Only used on Windows.
+     */
+    user?: string;
+
+    /**
+     * The password with which to authenticate.  Only used on Windows.
+     */
+    pass?: string;
+}
+
+export class KerberosClient {
+    /**
+     * The username used for authentication.
+     */
+    username: string;
+    /**
+     * The last response received during authentication steps.
+     */
+    response: string;
+    /**
+     * Indicates whether confidentiality was applied or not (GSSAPI only).
+     */
+    responseConf: string;
+    /**
+     * Indicates that authentication has successfully completed or not.
+     */
+    contextComplete: boolean;
+
+    /**
+     * Processes a single kerberos client-side step using the supplied server challenge.
+     *
+     * @param challenge A string containing the base64-encoded server data (which may be empty for the first step)
+     */
+    step(challenge: string): Promise<string>;
+
+    /**
+     * Perform the client side kerberos wrap step.
+     *
+     * @param challenge The response returned after calling `unwrap`
+     * @param options Optional settings
+     */
+    wrap(challenge: string, options?: WrapOptions): Promise<string>;
+
+    /**
+     * Perform the client side kerberos unwrap step
+     *
+     * @param challenge A string containing the base64-encoded server data
+     */
+    unwrap(challenge: string): Promise<string>;
+}
+
+export class KerberosServer {
+    /**
+     * The username used for authentication
+     */
+    username: string;
+    /**
+     * @description The last response received during authentication steps
+     */
+    response: string;
+    /**
+     * @description The target used for authentication
+     */
+    targetName: string;
+    /**
+     * @description Indicates that authentication has successfully completed or not
+     */
+    contextComplete: boolean;
+
+    /**
+     * Processes a single kerberos server-side step using the supplied client data.
+     *
+     * @param challenge A string containing the base64-encoded client data
+     */
+    step(challenge: string): Promise<string>;
+}
+
+/**
+ * This function provides a simple way to verify that a user name and password
+ * match those normally used for Kerberos authentication.
+ * It does this by checking that the supplied user name and password can be
+ * used to get a ticket for the supplied service.
+ * If the user name does not contain a realm, then the default realm supplied
+ * is used.
+ *
+ * For this to work properly the Kerberos must be configured properly on this
+ * machine.
+ * That will likely mean ensuring that the edu.mit.Kerberos preference file
+ * has the correct realms and KDCs listed.
+ *
+ * IMPORTANT: This method is vulnerable to KDC spoofing attacks and it should
+ * only be used for testing. Do not use this in any production system - your
+ * security could be compromised if you do.
+ *
+ * @param username The Kerberos user name. If no realm is supplied, then the `defaultRealm` will be used.
+ * @param password The password for the user.
+ * @param service The Kerberos service to check access for.
+ * @param defaultRealm The default realm to use if one is not supplied in the user argument.
+ */
+export function checkPassword(name: string, password: string, service: string, defaultRealm?: string): Promise<void>;
+
+/**
+ * This function returns the service principal for the server given a service type and hostname.
+ *
+ * Details are looked up via the `/etc/keytab` file.
+ *
+ * @param service The Kerberos service type for the server.
+ * @param hostname The hostname of the server.
+ */
+export function principalDetails(service: string, hostname: string): Promise<string>;
+
+/**
+ * Initializes a context for client-side authentication with the given service principal.
+ *
+ * @param service A string containing the service principal in the form '`type@fqdn`'.
+ * @param [options] Optional settings
+ */
+export function initializeClient(service: string, options?: InitializeClientOptions): Promise<KerberosClient>;
+
+/**
+ * Initializes a context for server-side authentication with the given service principal.
+ *
+ * @param service A string containing the service principal in the form 'type@fqdn' (e.g. '[email protected]').
+ */
+export function initializeServer(service: string): Promise<KerberosServer>;
+
+/**
+ * The version of the Kerberos package.
+ */
+export const version: string;

lib/kerberos.js

@@ -182,6 +182,8 @@ const promisifiedInitializeClient = promisify(kerberos.initializeClient);
  * @param {string} [options.principal] Optional string containing the client principal in the form 'user@realm' (e.g. '[email protected]').
  * @param {number} [options.flags] Optional integer used to set GSS flags. (e.g.  `GSS_C_DELEG_FLAG\|GSS_C_MUTUAL_FLAG\|GSS_C_SEQUENCE_FLAG` will allow for forwarding credentials to the remote host)
  * @param {number} [options.mechOID] Optional GSS mech OID. Defaults to None (GSS_C_NO_OID). Other possible values are `GSS_MECH_OID_KRB5`, `GSS_MECH_OID_SPNEGO`.
+ * @param {string} [options.user] The username with which to authenticate.  Only used on Windows.
+ * @param {string} [options.pass] The password with which to authenticate.  Only used on Windows.
  * @return {Promise<KerberosClient>} returns Promise
  */
 async function initializeClient(service, options = { mechOID: GSS_C_NO_OID }) {

package.json

@@ -8,8 +8,10 @@
     "src",
     "binding.gyp",
     "HISTORY.md",
-    "README.md"
+    "README.md",
+    "index.d.ts"
   ],
+  "types": "index.d.ts",
   "repository": {
     "type": "git",
     "url": "https://github.com/mongodb-js/kerberos.git"