Mercurial > prosody-modules
annotate mod_auth_external/mod_auth_external.lua @ 1155:40f7a8d152eb
mod_auth_external: Remove is_admin (duplicates usermanager)
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Tue, 13 Aug 2013 19:35:07 +0100 |
| parents | 61f95bf51b35 |
| children | 3c82984ffa51 |
| rev | line source |
|---|---|
|
158
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
1 -- |
|
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
2 -- Prosody IM |
|
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
3 -- Copyright (C) 2010 Waqas Hussain |
|
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
4 -- Copyright (C) 2010 Jeff Mitchell |
|
1086
50ee38e95e75
Don't store password in temporary file, pipe instead
Mikael Nordfeldth <mmn@hethane.se>
parents:
902
diff
changeset
|
5 -- Copyright (C) 2013 Mikael Nordfeldth |
|
1154
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
6 -- Copyright (C) 2013 Matthew Wild, finally came to fix it all |
|
158
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
7 -- |
|
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
8 -- This project is MIT/X11 licensed. Please see the |
|
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
9 -- COPYING file in the source package for more information. |
|
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
10 -- |
| 152 | 11 |
|
1154
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
12 local lpty = assert(require "lpty", "mod_auth_external requires lpty: https://code.google.com/p/prosody-modules/wiki/mod_auth_external#Installation"); |
| 152 | 13 |
|
168
cd8492748985
mod_auth_external: Renamed from mod_extauth. Update logging and options (external_auth_protocol, external_auth_command)
Matthew Wild <mwild1@gmail.com>
parents:
166
diff
changeset
|
14 local log = module._log; |
|
158
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
15 local host = module.host; |
|
1154
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
16 local script_type = module:get_option_string("external_auth_protocol", "generic"); |
|
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
17 assert(script_type == "ejabberd" or script_type == "generic", "Config error: external_auth_protocol must be 'ejabberd' or 'generic'"); |
|
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
18 local command = module:get_option_string("external_auth_command", ""); |
|
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
19 local read_timeout = module:get_option_number("external_auth_timeout", 5); |
|
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
20 assert(not host:find(":"), "Invalid hostname"); |
|
158
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
21 local usermanager = require "core.usermanager"; |
|
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
22 local jid_bare = require "util.jid".bare; |
|
166
75a85eac3c27
mod_extauth: Updated to provide a SASL handler.
Waqas Hussain <waqas20@gmail.com>
parents:
158
diff
changeset
|
23 local new_sasl = require "util.sasl".new; |
| 152 | 24 |
|
1154
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
25 local pty = lpty.new({ throw_errors = false, no_local_echo = true, use_path = false }); |
|
846
5ddc43ce8993
mod_auth_external: Work even when the LuaProcessCall library isn't available.
Waqas Hussain <waqas20@gmail.com>
parents:
816
diff
changeset
|
26 |
|
1154
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
27 function send_query(text) |
|
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
28 if not pty:hasproc() then |
|
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
29 local status, ret = pty:exitstatus(); |
|
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
30 if status and (status ~= "exit" or ret ~= 0) then |
|
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
31 log("warn", "Auth process exited unexpectedly with %s %d, restarting", status, ret or 0); |
|
846
5ddc43ce8993
mod_auth_external: Work even when the LuaProcessCall library isn't available.
Waqas Hussain <waqas20@gmail.com>
parents:
816
diff
changeset
|
32 return nil; |
|
5ddc43ce8993
mod_auth_external: Work even when the LuaProcessCall library isn't available.
Waqas Hussain <waqas20@gmail.com>
parents:
816
diff
changeset
|
33 end |
|
1154
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
34 local ok, err = pty:startproc(command); |
|
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
35 if not ok then |
|
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
36 log("error", "Failed to start auth process '%s': %s", command, err); |
|
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
37 return nil; |
|
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
38 end |
|
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
39 log("debug", "Started auth process"); |
|
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
40 end |
|
846
5ddc43ce8993
mod_auth_external: Work even when the LuaProcessCall library isn't available.
Waqas Hussain <waqas20@gmail.com>
parents:
816
diff
changeset
|
41 |
|
1154
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
42 pty:send(text); |
|
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
43 return pty:read(read_timeout); |
| 152 | 44 end |
| 45 | |
| 46 function do_query(kind, username, password) | |
| 47 if not username then return nil, "not-acceptable"; end | |
| 48 | |
| 49 local query = (password and "%s:%s:%s:%s" or "%s:%s:%s"):format(kind, username, host, password); | |
| 50 local len = #query | |
| 51 if len > 1000 then return nil, "policy-violation"; end | |
| 52 | |
|
158
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
53 if script_type == "ejabberd" then |
|
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
54 local lo = len % 256; |
|
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
55 local hi = (len - lo) / 256; |
|
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
56 query = string.char(hi, lo)..query; |
|
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
57 end |
|
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
58 if script_type == "generic" then |
|
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
59 query = query..'\n'; |
|
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
60 end |
| 152 | 61 |
| 62 local response = send_query(query); | |
|
158
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
63 if (script_type == "ejabberd" and response == "\0\2\0\0") or |
|
1154
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
64 (script_type == "generic" and response:gsub("\r?\n$", "") == "0") then |
|
158
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
65 return nil, "not-authorized"; |
|
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
66 elseif (script_type == "ejabberd" and response == "\0\2\0\1") or |
|
1154
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
67 (script_type == "generic" and response:gsub("\r?\n$", "") == "1") then |
|
158
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
68 return true; |
| 152 | 69 else |
|
1154
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
70 if response then |
|
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
71 log("warn", "Unable to interpret data from auth process, %d bytes beginning with: %s", #response, (response:sub(1,4):gsub(".", function (c) |
|
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
72 return ("%02X "):format(c:byte()); |
|
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
73 end))); |
|
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
74 else |
|
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
75 log("warn", "Error while waiting for result from auth process: %s", response or "unknown error"); |
|
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
76 end |
| 152 | 77 return nil, "internal-server-error"; |
| 78 end | |
| 79 end | |
| 80 | |
|
816
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
81 local host = module.host; |
|
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
82 local provider = {}; |
| 152 | 83 |
|
816
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
84 function provider.test_password(username, password) |
|
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
85 return do_query("auth", username, password); |
|
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
86 end |
| 152 | 87 |
|
816
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
88 function provider.set_password(username, password) |
|
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
89 return do_query("setpass", username, password); |
|
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
90 end |
| 152 | 91 |
|
816
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
92 function provider.user_exists(username) |
|
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
93 return do_query("isuser", username); |
| 152 | 94 end |
| 95 | |
|
816
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
96 function provider.create_user(username, password) return nil, "Account creation/modification not available."; end |
|
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
97 |
|
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
98 function provider.get_sasl_handler() |
|
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
99 local testpass_authentication_profile = { |
|
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
100 plain_test = function(sasl, username, password, realm) |
|
902
490cb9161c81
mod_auth_{external,internal_yubikey,ldap,ldap2,sql}: No need to nodeprep in SASL handler.
Waqas Hussain <waqas20@gmail.com>
parents:
846
diff
changeset
|
101 return usermanager.test_password(username, realm, password), true; |
|
816
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
102 end, |
|
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
103 }; |
|
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
104 return new_sasl(host, testpass_authentication_profile); |
|
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
105 end |
|
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
106 |
|
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
107 module:provides("auth", provider); |