Allow non null username for external proxy authentication and non-token authentication - Issue #1628

Author: sharadraju

doc/src/release_notes.rst

@@ -86,6 +86,10 @@ Thin Mode Changes
 Thick Mode Changes
 ++++++++++++++++++
 
+#)  Fixed bug that causes an 'NJS-136' exception to be thrown
+    when a proxy user is used for external authentication.
+    `Issue #1628 <https://github.com/oracle/node-oracledb/issues/1628>`__.
+
 #)  Fixed bug resulting in a segfault on some platforms when using two-phase
     commit. (`ODPI-C change
     <https://github.com/oracle/odpi/commit/3102b45c6712c9b6d53eb770b1314c06102c69e0>`__).

lib/errors.js

@@ -137,6 +137,7 @@ const ERR_WRONG_CRED_FOR_EXTAUTH = 136;
 const ERR_MISSING_BIND_VALUE = 137;
 const ERR_SERVER_VERSION_NOT_SUPPORTED = 138;
 const ERR_UNEXPECTED_XML_TYPE = 139;
+const ERR_WRONG_USER_FORMAT_EXTAUTH_PROXY = 140;
 
 // Oracle Net layer errors start from 500
 const ERR_CONNECTION_CLOSED = 500;
@@ -396,6 +397,8 @@ messages.set(ERR_SERVER_VERSION_NOT_SUPPORTED,          // NJS-138
   'connections to this database server version are not supported by node-oracledb in Thin mode');
 messages.set(ERR_UNEXPECTED_XML_TYPE,                   // NJS-139
   'unexpected XML type with flag %d');
+messages.set(ERR_WRONG_USER_FORMAT_EXTAUTH_PROXY,       // NJS-140
+  'user name must be enclosed in [] when using external authentication with a proxy user');
 
 // Oracle Net layer errors
 
@@ -776,6 +779,7 @@ module.exports = {
   ERR_MISSING_BIND_VALUE,
   ERR_SERVER_VERSION_NOT_SUPPORTED,
   ERR_UNEXPECTED_XML_TYPE,
+  ERR_WRONG_USER_FORMAT_EXTAUTH_PROXY,
   ERR_CONNECTION_CLOSED_CODE: `${ERR_PREFIX}-${ERR_CONNECTION_CLOSED}`,
   assert,
   assertArgCount,

lib/oracledb.js

@@ -497,9 +497,20 @@ async function _verifyOptions(options, inCreatePool) {
 
   }
 
-  // Check external Auth config
-  if (outOptions.token === undefined && outOptions.externalAuth && (outOptions.user || outOptions.password)) {
-    errors.throwErr(errors.ERR_WRONG_CRED_FOR_EXTAUTH);
+  // Check external Auth config.
+  // Allow Session User enclosed in [] for proxy authentication.
+  if (outOptions.token === undefined && outOptions.externalAuth) {
+    if (outOptions.password) {
+      errors.throwErr(errors.ERR_WRONG_CRED_FOR_EXTAUTH);
+    }
+    if (outOptions.user) {
+      if (inCreatePool) {
+        errors.throwErr(errors.ERR_WRONG_CRED_FOR_EXTAUTH);
+      } else if (outOptions.user[0] !== '[' || outOptions.user.slice(-1) !== ']') {
+        // username is not enclosed in [].
+        errors.throwErr(errors.ERR_WRONG_USER_FORMAT_EXTAUTH_PROXY);
+      }
+    }
   }
 
   return outOptions;

lib/pool.js

@@ -192,10 +192,20 @@ class Pool extends EventEmitter {
       outOptions.user = options.username;
     }
 
+    if (this.externalAuth &&
+      outOptions.user && (outOptions.user[0] !== '['
+        || outOptions.user.slice(-1) !== ']')) {
+      // username is not enclosed in [].
+      errors.throwErr(errors.ERR_WRONG_USER_FORMAT_EXTAUTH_PROXY);
+    }
+
     // password must be a string
     if (options.password !== undefined) {
       errors.assertParamPropValue(typeof options.password === 'string', 1,
         "password");
+      if (this.externalAuth) {
+        errors.throwErr(errors.ERR_WRONG_CRED_FOR_EXTAUTH);
+      }
       outOptions.password = options.password;
     }
 

test/externalAuth.js

@@ -92,8 +92,8 @@ const dbConfig = require('./dbconfig.js');
             }
           );
         },
-        // NJS-136: user and password should not be set when using external authentication
-        /NJS-136:/
+        // ORA-01017: ORA-01017: invalid credential or not authorized; logon denied'
+        /ORA-01017:/
       );
     }); // 5.1.3
 

test/externalProxyAuth.js

@@ -120,9 +120,27 @@ describe('180. externalProxyAuth.js', function() {
             externalAuth: true,
           });
         },
-        /DPI-1069:/
+        /NJS-140:/
       );
     });
+
+    it('180.1.6 Non-Pool Connect: External Auth with proxy and session user', async function() {
+      if (!dbConfig.test.externalAuth || !dbConfig.test.proxySessionUser) {
+        this.skip();
+      }
+
+      await assert.rejects(
+        async () => {
+          await oracledb.getConnection({
+            connectString: dbConfig.connectString,
+            user: `${dbConfig.user}[${dbConfig.test.proxySessionUser}]`,
+            externalAuth: true,
+          });
+        },
+        /NJS-140:/
+      );
+    });
+
   });
 
   describe('180.2 Pooled Connect', function() {
@@ -262,7 +280,7 @@ describe('180. externalProxyAuth.js', function() {
         async () => {
           await pool.getConnection({user: dbConfig.test.proxySessionUser});
         },
-        /DPI-1069:/
+        /NJS-140:/
       );
       await pool.close(0);
     });

test/list.txt

@@ -4344,6 +4344,7 @@ oracledb.OUT_FORMAT_OBJECT and resultSet =  true
         180.1.3 Non-Pool Connect: Basic Auth with proxy
         180.1.4 Non-Pool Connect: External Auth with proxy
         180.1.5 Non-Pool Connect: External Auth with proxy no brackets
+        180.1.6 Non-Pool Connect: External Auth with proxy and session user
    180.2 Pooled Connect
         180.2.1 Pooled Connect: Basic Auth
         180.2.2 Pooled Connect: External Auth