Sasl Authentication Challenge Handling with gremlin-javascript 3.2.9

[matt....@globesbusinessenterprises.com]

Hi All,

I am working on my first project trying to access an Azure Cosmo DB Gremlin Graph from nodejs. I am using the official driver as this will be supported going forward. I am trying to implement authorisation as my Cosmbo DB has this implemented. Currently there is no support for authentication with the official driver, it does however seem to support response handlers on the DriverRemoteConnection object. I have therefore tried to implement authentication using this functionality. 

The issue I currently have, having written but not tested my code, is that I cannot access the requestId for my response. In the DriverRemoteConnection implementation the _handleMessage function calls handlers with a status code >= 400 with an error and does not pass the message response to the callback. My understanding is that a sasl challenge returns a 407 status code.

if (response.status.code >= 400) {
 // callback in error
 return handler.callback(
 new Error(util.format('Server error: %s (%d)', response.status.message, response.status.code)));
 }

I could traverse the _responseHandlers array but this doesn't strike me as the correct way to get the requestId and could easily be prone to problems, more than 1 response for instance.

My question is, is there a reference implementation for Sasl Authentication with gremlin-javascript 3.2.9. If not, can we work on one here :)

My current code looks like this,  it is untested so might not work at all right now, but I need to know how best to get the requestId:

const Gremlin = require('gremlin')
const connection = new Gremlin.driver.DriverRemoteConnection(`ws://${process.env.DOCDB_SERVER}:443/gremlin`)
const graph = new Gremlin.structure.Graph()

connection._responseHandlers[407] = {
 callback: function () {
  const saslresponse = new Buffer(`\0/dbs/${process.env.DOCDB_DATABASE}/colls/${process.env.DOCDB_GRAPH}\0${process.env.DOCDB_PASSWORD}`).toString('base64')
  const response = {
   'requestId': { '@type': 'g:UUID', '@value': needRequestIdHere },
   'op': 'bytecode',
   'processor': 'traversal',
   'args': {
    'aliases': { 'g': this.traversalSource },
    'sasl': saslresponse
   }
  }
  const message = new Buffer(this._header + JSON.stringify(response), 'utf8')
  this._ws.send(message)
 },
 result: []
}

const g = graph.traversal().withRemote(connection)

Any help is really greatly appreciated.

Thanks,

Matt

[Jorge Bay]

Hi Matt,

SASL authentication is not supported yet, I've created a ticket for it that includes a suggested API and a pull request is definitely welcomed!

https://issues.apache.org/jira/browse/TINKERPOP-1977

Your first attempt to solve this issue is looking good, just note that _responseHandlers is a map of handlers per requestId (not by status code).

Regarding generating ids for requests, we should reuse the existing mechanism for request/response bookkeeping:

- https://github.com/apache/tinkerpop/blob/59ad63ae1474af0d75d3cccb403a77671b95be37/gremlin-javascript/src/main/javascript/gremlin-javascript/lib/driver/driver-remote-connection.js#L105-L111

- https://github.com/apache/tinkerpop/blob/59ad63ae1474af0d75d3cccb403a77671b95be37/gremlin-javascript/src/main/javascript/gremlin-javascript/lib/driver/driver-remote-connection.js#L115-L124

To understand how it should work, we can use the java or C# counterparts: 

https://github.com/apache/tinkerpop/blob/59ad63ae1474af0d75d3cccb403a77671b95be37/gremlin-dotnet/src/Gremlin.Net/Driver/Connection.cs#L126-L133

Jorge

[Globes Engagement Services]

Thanks Jorge. I'll take another look and see if I can get a pull request together. 

--
You received this message because you are subscribed to the Google Groups "Gremlin-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gremlin-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/gremlin-users/7da3f1cf-65e4-4e11-90cf-9fa8731010ed%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Denver Hayward]

Any luck with this?

[Stephen Mallette]

Please find the PR here:

https://github.com/apache/tinkerpop/pull/889

Should merge soon....

On Sat, Aug 18, 2018 at 1:06 PM Denver Hayward <dwpha...@gmail.com> wrote:

Any luck with this?

--
You received this message because you are subscribed to the Google Groups "Gremlin-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gremlin-user...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/gremlin-users/187660e0-7900-4457-a4e3-6ac75703713d%40googlegroups.com.