Add support for TLS external passwordless authentication

Author: sharadraju

doc/src/release_notes.rst

@@ -28,6 +28,8 @@ Common Changes
 Thin Mode Changes
 +++++++++++++++++
 
+#)  Added support for External Authentication using Transport Layer Security(TLS).
+
 #)  Fixed issue that does not throw Authentication error for FastAuth
     when invalid token is used with external authentication.
 

lib/errors.js

@@ -1,5 +1,4 @@
 // Copyright (c) 2022, 2025, Oracle and/or its affiliates.
-
 //-----------------------------------------------------------------------------
 //
 // This software is dual-licensed to you under the Universal Permissive License
@@ -204,6 +203,9 @@ const ERR_AZURE_VAULT_AUTH_FAILED = 527;
 const ERR_AZURE_SERVICE_PRINCIPAL_AUTH_FAILED = 528;
 const ERR_WALLET_TYPE_NOT_SUPPORTED = 529;
 const ERR_HOST_NOT_FOUND = 530;
+const ERR_ANO_PACKET = 531;
+const ERR_ANO_STATUS = 532;
+const ERR_ANO_NEGOTIATION = 533;
 
 // Oracle SUCCESS_WITH_INFO warning start from 700
 const WRN_COMPILATION_CREATE = 700;
@@ -540,23 +542,29 @@ messages.set(ERR_AZURE_CONFIG_PROVIDER_AUTH_FAILED,     // NJS-522
   'Azure Authentication Failed: The authentication parameter value %s may be incorrect');
 messages.set(ERR_CONFIG_PROVIDER_FAILED_TO_RETRIEVE_CONFIG,   // NJS-523
   'Failed to retrieve configuration from Centralized Configuration Provider:\n %s');
-messages.set(ERR_CONFIG_PROVIDER_NOT_SUPPORTED,               // NJS-524
+messages.set(ERR_CONFIG_PROVIDER_NOT_SUPPORTED,         // NJS-524
   'Configuration Provider not supported: %s');
-messages.set(ERR_CONFIG_PROVIDER_LOAD_FAILED,                 // NJS-525
+messages.set(ERR_CONFIG_PROVIDER_LOAD_FAILED,           // NJS-525
   'Centralized Config Provider failed to load required libraries. Please install the required libraries.\n %s');
-messages.set(ERR_OCIOBJECT_CONFIG_PROVIDER_AUTH_FAILED,       // NJS-526
+messages.set(ERR_OCIOBJECT_CONFIG_PROVIDER_AUTH_FAILED, // NJS-526
   'OCI authentication failed: The authentication parameter value %s may be incorrect');
-messages.set(ERR_AZURE_VAULT_AUTH_FAILED,                     // NJS-527
+messages.set(ERR_AZURE_VAULT_AUTH_FAILED,               // NJS-527
   'Azure Vault: Provide correct Azure Vault authentication details');
-messages.set(ERR_AZURE_SERVICE_PRINCIPAL_AUTH_FAILED,         // NJS-528
+messages.set(ERR_AZURE_SERVICE_PRINCIPAL_AUTH_FAILED,   // NJS-528
   'Azure service principal authentication requires either a client certificate path or a client secret string');
-messages.set(ERR_WALLET_TYPE_NOT_SUPPORTED,                   // NJS-529
+messages.set(ERR_WALLET_TYPE_NOT_SUPPORTED,             // NJS-529
   'Invalid wallet content format. Supported format is PEM');
-messages.set(ERR_HOST_NOT_FOUND,                          // NJS-530
+messages.set(ERR_HOST_NOT_FOUND,                        // NJS-530
   'The host addresses or URLs provided by the connect string are incorrect or unresolvable in your network.');
+messages.set(ERR_ANO_PACKET,                            // NJS-531
+  'Error in Advanced Networking Option packet received from the server');
+messages.set(ERR_ANO_STATUS,                            // NJS-532
+  '%s service recieved status failure');
+messages.set(ERR_ANO_NEGOTIATION,                       // NJS-533
+  'Advanced Networking Option service negotiation failed. Native Network Encryption and DataIntegrity only supported in node-oracledb thick mode.\nCause: ORA-%s');
 
 // Oracle SUCCESS_WITH_INFO warning
-messages.set(WRN_COMPILATION_CREATE,                          // NJS-700
+messages.set(WRN_COMPILATION_CREATE,                    // NJS-700
   'creation succeeded with compilation errors');
 
 //-----------------------------------------------------------------------------
@@ -721,6 +729,14 @@ function throwErr() {
   throw (getErr(...arguments));
 }
 
+function throwErrWithORAError() {
+  const err =  (getErr(...arguments));
+  const pos = err.message.indexOf("ORA-");
+  const oraError = err.message.substring(pos + 4, pos + 9);
+  err.message = err.message + '\nHelp: https://docs.oracle.com/error-help/db/ora-' + oraError;
+  throw err;
+}
+
 //-----------------------------------------------------------------------------
 // throwNotImplemented()
 //
@@ -730,6 +746,7 @@ function throwNotImplemented(feature) {
   throwErr(ERR_NOT_IMPLEMENTED, feature);
 }
 
+
 //-----------------------------------------------------------------------------
 // transformErr()
 //
@@ -872,6 +889,9 @@ module.exports = {
   ERR_CONFIG_PROVIDER_LOAD_FAILED,
   ERR_WALLET_TYPE_NOT_SUPPORTED,
   ERR_HOST_NOT_FOUND,
+  ERR_ANO_PACKET,
+  ERR_ANO_STATUS,
+  ERR_ANO_NEGOTIATION,
   ERR_INVALID_BIND_NAME,
   ERR_WRONG_NUMBER_OF_BINDS,
   ERR_BUFFER_LENGTH_INSUFFICIENT,
@@ -955,6 +975,7 @@ module.exports = {
   assertPropValue,
   getErr,
   throwErr,
+  throwErrWithORAError,
   throwNotImplemented,
   transformErr
 };

lib/thin/connection.js

@@ -839,7 +839,7 @@ class ThinConnectionImpl extends ConnectionImpl {
         this.nscon.endOfRequestSupport = endOfRequestSupport;
         await this._protocol._processMessage(authMessage);
       }
-      if (!params.token) { // non-token Authentication
+      if (!params.externalAuth) { // non-token Authentication
         await this._protocol._processMessage(authMessage); // OAUTH
       }
     } catch (err) {

lib/thin/protocol/messages/auth.js

@@ -94,8 +94,10 @@ class AuthMessage extends Message {
       this.userByteLen = 0;
     }
     this.token = config.token;
-    if (this.token)
+    if (config.externalAuth) {
       this.functionCode = constants.TNS_FUNC_AUTH_PHASE_TWO;
+      this.externalAuth = true;
+    }
     this.privateKey = config.privateKey;
     if (this.privateKey) {
       this.privateKey = util.normalizePrivateKey(this.privateKey);
@@ -146,7 +148,7 @@ class AuthMessage extends Message {
     if (this.newPassword) {
       this.authMode |= constants.TNS_AUTH_MODE_CHANGE_PASSWORD;
     }
-    if (!this.token) {
+    if (!config.externalAuth) {
       this.authMode |= constants.TNS_AUTH_MODE_WITH_PASSWORD;
     }
   }
@@ -204,8 +206,10 @@ class AuthMessage extends Message {
         numPairs = 2;
       } else {
         numPairs = 4;
-        if (this.token) {
-          numPairs += 1;
+        if (this.externalAuth) {
+          numPairs += 5;
+          if (this.token)
+            numPairs += 1;
         } else {
           numPairs += 2;
           if (this.verifierType === constants.TNS_VERIFIER_TYPE_11G_1 ||
@@ -254,10 +258,17 @@ class AuthMessage extends Message {
       buf.writeUInt8(1);
       if (this.userByteLen > 0)
         buf.writeBytesWithLength(Buffer.from(this.username));
+      if (this.externalAuth) {
+        buf.writeKeyValue("AUTH_TERMINAL", this.terminal ?? cInfo.terminal);
+        buf.writeKeyValue("AUTH_PROGRAM_NM", this.program ?? cInfo.program);
+        buf.writeKeyValue("AUTH_MACHINE", this.machine ?? cInfo.hostName);
+        buf.writeKeyValue("AUTH_PID", cInfo.pid);
+        buf.writeKeyValue("AUTH_SID", this.osUser ?? cInfo.userName);
+      }
       if (this.token) {
         buf.writeKeyValue("AUTH_TOKEN", this.token);
       } else {
-        if (!this.changePassword) {
+        if (!this.changePassword && !this.externalAuth) {
           buf.writeKeyValue("AUTH_SESSKEY", this.sessionKey, 1);
           if (!verifier11G) {
             buf.writeKeyValue("AUTH_PBKDF2_SPEEDY_KEY", this.speedyKey);