Mercurial > prosody-modules
annotate mod_auth_imap/auth_imap/mod_auth_imap.lua @ 3503:882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
This deprecates the default "superuser" actor model and makes the
default equivalent to the previous "request.id".
A single actor and secret per node is supported because HTTP and
WebHooks don't normally include any authorization identity.
Allowing authentication bypass when no secret is given should be
relatively safe when the actor is unprivileged, as will be unless
explicitly configured otherwise.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 30 Mar 2019 21:16:13 +0100 |
parents | 2cce28fe806b |
children |
rev | line source |
---|---|
1196
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 -- IMAP authentication backend for Prosody |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 -- |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 -- Copyright (C) 2011 FIMXE from hg annotate -u |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 local name = "IMAP SASL"; |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 local log = require "util.logger".init("auth_imap"); |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 local imap_host = module:get_option_string("imap_auth_host", "localhost"); |
1198
b21bd39c8a12
mod_auth_imap: Leave port nil if not specified in the config, so we can auto-detect based on whether we use SSL
Matthew Wild <mwild1@gmail.com>
parents:
1196
diff
changeset
|
9 local imap_port = module:get_option_number("imap_auth_port"); |
1196
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 |
1202
2cce28fe806b
mod_auth_imap: Fix typo in previous commit
Matthew Wild <mwild1@gmail.com>
parents:
1201
diff
changeset
|
11 local imap_service_realm = module:get_option_string("imap_auth_realm", module:get_option("sasl_realm")); |
1201
744af76b7324
mod_auth_imap: Rename imap_service_realm to imap_auth_realm and inherit from sasl_realm, rename imap_service_name to imap_auth_service_name
Matthew Wild <mwild1@gmail.com>
parents:
1200
diff
changeset
|
12 local imap_service_name = module:get_option_string("imap_auth_service_name"); |
1200
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
13 local append_host = module:get_option_boolean("auth_append_host"); |
1196
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 |
1200
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
15 local verify_certificate = module:get_option_boolean("auth_imap_verify_certificate", true); |
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
16 local ssl_params = module:get_option("auth_imap_ssl", { |
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
17 mode = "client", protocol = "sslv23"; |
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
18 capath = "/etc/ssl/certs"; |
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
19 options = { "no_sslv2", "no_sslv3" }; |
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
20 verify = verify_certificate and { "peer", "fail_if_no_peer_cert" } or nil; |
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
21 ciphers = "HIGH:!DSS:!aNULL@STRENGTH"; |
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
22 }); |
1196
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 local new_imap_sasl = module:require "sasl_imap".new; |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 local new_sasl = function(realm) |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 return new_imap_sasl( |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 imap_service_realm or realm, |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 imap_service_name or "xmpp", |
1200
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
30 imap_host, imap_port, |
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
31 ssl_params, append_host |
1196
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 ); |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 end |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 do |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 local s = new_sasl(module.host) |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 assert(s, "Could not create a new SASL object"); |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 assert(s.mechanisms, "SASL object has no mechanims method"); |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 local m = {}; |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 for k in pairs(s:mechanisms()) do |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 table.insert(m, k); |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
42 end |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 log("debug", "Mechanims found: %s", table.concat(m, ", ")); |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
44 end |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
45 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
46 provider = { |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 name = module.name:gsub("^auth_",""); |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
48 }; |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
49 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
50 function provider.test_password(username, password) |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
51 return nil, "Legacy auth not supported with "..name; |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
52 end |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
53 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
54 function provider.get_password(username) |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
55 return nil, "Passwords unavailable for "..name; |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
56 end |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
57 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
58 function provider.set_password(username, password) |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
59 return nil, "Passwords unavailable for "..name; |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
60 end |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
61 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
62 function provider.user_exists(username) |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
63 -- FIXME |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
64 return true |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
65 end |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
66 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
67 function provider.create_user(username, password) |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
68 return nil, "Account creation/modification not available with "..name; |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
69 end |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
70 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
71 function provider.get_sasl_handler() |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
72 return new_sasl(module.host); |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
73 end |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
74 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
75 module:add_item("auth-provider", provider); |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
76 |