Mercurial > prosody-modules
annotate mod_auth_cyrus/sasl_cyrus.lua @ 5017:96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Fixes that in trunk, a "prosody:operator" (formerly a global admin) is
not considered a "prosody:admin", so those were not included in the set.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 27 Aug 2022 16:36:22 +0200 |
parents | 099dcdb732b1 |
children |
rev | line source |
---|---|
4710
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 -- sasl.lua v0.4 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 -- Copyright (C) 2008-2009 Tobias Markmann |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 -- |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 -- All rights reserved. |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 -- |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 -- Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 -- |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 -- * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 -- * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 -- * Neither the name of Tobias Markmann nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 -- |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 -- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 local cyrussasl = require "cyrussasl"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 local log = require "util.logger".init("sasl_cyrus"); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 local setmetatable = setmetatable |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 local pcall = pcall |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
20 local s_match, s_gmatch = string.match, string.gmatch |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 local sasl_errstring = { |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 -- SASL result codes -- |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 [1] = "another step is needed in authentication"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 [0] = "successful result"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 [-1] = "generic failure"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 [-2] = "memory shortage failure"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 [-3] = "overflowed buffer"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 [-4] = "mechanism not supported"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 [-5] = "bad protocol / cancel"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 [-6] = "can't request info until later in exchange"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 [-7] = "invalid parameter supplied"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 [-8] = "transient failure (e.g., weak key)"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 [-9] = "integrity check failed"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 [-12] = "SASL library not initialized"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 -- client only codes -- |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 [2] = "needs user interaction"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 [-10] = "server failed mutual authentication step"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 [-11] = "mechanism doesn't support requested feature"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
42 -- server only codes -- |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 [-13] = "authentication failure"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
44 [-14] = "authorization failure"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
45 [-15] = "mechanism too weak for this user"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
46 [-16] = "encryption needed to use mechanism"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 [-17] = "One time use of a plaintext password will enable requested mechanism for user"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
48 [-18] = "passphrase expired, has to be reset"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
49 [-19] = "account disabled"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
50 [-20] = "user not found"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
51 [-23] = "version mismatch with plug-in"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
52 [-24] = "remote authentication server unavailable"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
53 [-26] = "user exists, but no verifier for user"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
54 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
55 -- codes for password setting -- |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
56 [-21] = "passphrase locked"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
57 [-22] = "requested change was not needed"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
58 [-27] = "passphrase is too weak for security policy"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
59 [-28] = "user supplied passwords not permitted"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
60 }; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
61 setmetatable(sasl_errstring, { __index = function() return "undefined error!" end }); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
62 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
63 local _ENV = nil; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
64 -- luacheck: std none |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
65 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
66 local method = {}; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
67 method.__index = method; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
68 local initialized = false; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
69 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
70 local function init(service_name) |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
71 if not initialized then |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
72 local st, errmsg = pcall(cyrussasl.server_init, service_name); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
73 if st then |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
74 initialized = true; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
75 else |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
76 log("error", "Failed to initialize Cyrus SASL: %s", errmsg); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
77 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
78 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
79 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
80 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
81 -- create a new SASL object which can be used to authenticate clients |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
82 -- host_fqdn may be nil in which case gethostname() gives the value. |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
83 -- For GSSAPI, this determines the hostname in the service ticket (after |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
84 -- reverse DNS canonicalization, only if [libdefaults] rdns = true which |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
85 -- is the default). |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
86 local function new(realm, service_name, app_name, host_fqdn) |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
87 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
88 init(app_name or service_name); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
89 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
90 local st, ret = pcall(cyrussasl.server_new, service_name, host_fqdn, realm, nil, nil) |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
91 if not st then |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
92 log("error", "Creating SASL server connection failed: %s", ret); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
93 return nil; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
94 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
95 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
96 local sasl_i = { realm = realm, service_name = service_name, cyrus = ret }; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
97 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
98 if cyrussasl.set_canon_cb then |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
99 local c14n_cb = function (user) |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
100 local node = s_match(user, "^([^@]+)"); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
101 log("debug", "Canonicalizing username %s to %s", user, node) |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
102 return node |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
103 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
104 cyrussasl.set_canon_cb(sasl_i.cyrus, c14n_cb); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
105 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
106 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
107 cyrussasl.setssf(sasl_i.cyrus, 0, 0xffffffff) |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
108 local mechanisms = {}; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
109 local cyrus_mechs = cyrussasl.listmech(sasl_i.cyrus, nil, "", " ", ""); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
110 for w in s_gmatch(cyrus_mechs, "[^ ]+") do |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
111 mechanisms[w] = true; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
112 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
113 sasl_i.mechs = mechanisms; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
114 return setmetatable(sasl_i, method); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
115 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
116 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
117 -- get a fresh clone with the same realm and service name |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
118 function method:clean_clone() |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
119 return new(self.realm, self.service_name) |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
120 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
121 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
122 -- get a list of possible SASL mechanims to use |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
123 function method:mechanisms() |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
124 return self.mechs; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
125 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
126 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
127 -- select a mechanism to use |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
128 function method:select(mechanism) |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
129 if not self.selected and self.mechs[mechanism] then |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
130 self.selected = mechanism; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
131 return true; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
132 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
133 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
134 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
135 -- feed new messages to process into the library |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
136 function method:process(message) |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
137 local err; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
138 local data; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
139 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
140 if not self.first_step_done then |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
141 err, data = cyrussasl.server_start(self.cyrus, self.selected, message or "") |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
142 self.first_step_done = true; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
143 else |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
144 err, data = cyrussasl.server_step(self.cyrus, message or "") |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
145 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
146 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
147 self.username = cyrussasl.get_username(self.cyrus) |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
148 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
149 if (err == 0) then -- SASL_OK |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
150 if self.require_provisioning and not self.require_provisioning(self.username) then |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
151 return "failure", "not-authorized", "User authenticated successfully, but not provisioned for XMPP"; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
152 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
153 return "success", data |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
154 elseif (err == 1) then -- SASL_CONTINUE |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
155 return "challenge", data |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
156 elseif (err == -4) then -- SASL_NOMECH |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
157 log("debug", "SASL mechanism not available from remote end") |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
158 return "failure", "invalid-mechanism", "SASL mechanism not available" |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
159 elseif (err == -13) then -- SASL_BADAUTH |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
160 return "failure", "not-authorized", sasl_errstring[err]; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
161 else |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
162 log("debug", "Got SASL error condition %d: %s", err, sasl_errstring[err]); |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
163 return "failure", "undefined-condition", sasl_errstring[err]; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
164 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
165 end |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
166 |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
167 return { |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
168 new = new; |
099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
169 }; |