annotate mod_auth_cyrus/sasl_cyrus.lua @ 5017:96e83b4a93f7

mod_admin_blocklist: Add config option for which role(s) to consider (0.12+) Fixes that in trunk, a "prosody:operator" (formerly a global admin) is not considered a "prosody:admin", so those were not included in the set.
author Kim Alvefur <zash@zash.se>
date Sat, 27 Aug 2022 16:36:22 +0200
parents 099dcdb732b1
children
1 -- sasl.lua v0.4
2 -- Copyright (C) 2008-2009 Tobias Markmann
3 --
4 -- All rights reserved.
5 --
6 -- Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
7 --
8 -- * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
9 -- * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
10 -- * Neither the name of Tobias Markmann nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
11 --
12 -- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
14 local cyrussasl = require "cyrussasl";
15 local log = require "util.logger".init("sasl_cyrus");
17 local setmetatable = setmetatable
19 local pcall = pcall
20 local s_match, s_gmatch = string.match, string.gmatch
-- Human-readable descriptions of Cyrus SASL result codes, keyed by the
-- numeric code handed back from server_start()/server_step(). Codes not
-- listed here resolve to "undefined error!" through the __index
-- metamethod, so indexing this table never yields nil.
local sasl_errstring = setmetatable({
	-- SASL result codes --
	[1] = "another step is needed in authentication",
	[0] = "successful result",
	[-1] = "generic failure",
	[-2] = "memory shortage failure",
	[-3] = "overflowed buffer",
	[-4] = "mechanism not supported",
	[-5] = "bad protocol / cancel",
	[-6] = "can't request info until later in exchange",
	[-7] = "invalid parameter supplied",
	[-8] = "transient failure (e.g., weak key)",
	[-9] = "integrity check failed",
	[-12] = "SASL library not initialized",

	-- client only codes --
	[2] = "needs user interaction",
	[-10] = "server failed mutual authentication step",
	[-11] = "mechanism doesn't support requested feature",

	-- server only codes --
	[-13] = "authentication failure",
	[-14] = "authorization failure",
	[-15] = "mechanism too weak for this user",
	[-16] = "encryption needed to use mechanism",
	[-17] = "One time use of a plaintext password will enable requested mechanism for user",
	[-18] = "passphrase expired, has to be reset",
	[-19] = "account disabled",
	[-20] = "user not found",
	[-23] = "version mismatch with plug-in",
	[-24] = "remote authentication server unavailable",
	[-26] = "user exists, but no verifier for user",

	-- codes for password setting --
	[-21] = "passphrase locked",
	[-22] = "requested change was not needed",
	[-27] = "passphrase is too weak for security policy",
	[-28] = "user supplied passwords not permitted",
}, { __index = function() return "undefined error!" end });
-- From here on no global may be touched: every needed global was copied
-- into a local above, and an accidental global access now raises instead
-- of silently reading/writing _G.
local _ENV = nil;
-- luacheck: std none

-- Set once cyrussasl.server_init() has succeeded for this process.
local initialized = false;

-- Prototype for SASL session objects; instances created by new() look up
-- their methods here.
local method = {};
method.__index = method;
-- Initialize the Cyrus SASL server library once per process.
--
-- service_name - passed straight to cyrussasl.server_init()
--
-- Repeated calls are no-ops after the first successful one. A failed
-- initialization is only logged; it is retried on the next call.
local function init(service_name)
	if initialized then
		return;
	end
	local ok, errmsg = pcall(cyrussasl.server_init, service_name);
	if not ok then
		log("error", "Failed to initialize Cyrus SASL: %s", errmsg);
		return;
	end
	initialized = true;
end
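-- Create a new SASL object which can be used to authenticate clients.
--
-- realm        - SASL realm handed to cyrussasl.server_new()
-- service_name - Cyrus service name handed to server_new() (and to
--                server_init() when app_name is nil)
-- app_name     - name used for the one-time server_init() call; nil means
--                service_name is used instead
-- host_fqdn    - may be nil in which case gethostname() gives the value.
--                For GSSAPI, this determines the hostname in the service
--                ticket (after reverse DNS canonicalization, only if
--                [libdefaults] rdns = true which is the default).
--
-- Returns the new object, or nil when the Cyrus server connection could not
-- be created (the reason is logged at "error").
local function new(realm, service_name, app_name, host_fqdn)

	-- init() only logs on failure; if it did fail, the pcall below is
	-- expected to be what surfaces it to the caller.
	init(app_name or service_name);

	local ok, ret = pcall(cyrussasl.server_new, service_name, host_fqdn, realm, nil, nil)
	if not ok then
		log("error", "Creating SASL server connection failed: %s", ret);
		return nil;
	end

	-- app_name and host_fqdn are remembered so clean_clone() can rebuild an
	-- equivalent connection rather than silently dropping the configured
	-- host name (which would change the GSSAPI service principal).
	local sasl_i = {
		realm = realm;
		service_name = service_name;
		app_name = app_name;
		host_fqdn = host_fqdn;
		cyrus = ret;
	};

	-- Only installed when the binding offers set_canon_cb; otherwise the
	-- name reported by get_username() is used unmodified.
	if cyrussasl.set_canon_cb then
		-- Keep only the node part of the authenticated name: everything from
		-- the first '@' on is discarded without being compared to `realm`.
		-- A name with nothing before '@' matches nothing and yields nil.
		local c14n_cb = function (user)
			local node = s_match(user, "^([^@]+)");
			log("debug", "Canonicalizing username %s to %s", user, node)
			return node
		end
		cyrussasl.set_canon_cb(sasl_i.cyrus, c14n_cb);
	end

	-- Presumably (min_ssf, max_ssf): a minimum of 0 admits mechanisms that
	-- provide no security layer of their own.
	cyrussasl.setssf(sasl_i.cyrus, 0, 0xffffffff)

	-- Build the set of offered mechanisms from the space-separated listmech
	-- output (arguments assumed to mirror sasl_listmech(): user, prefix,
	-- separator, suffix -- confirm against the binding).
	local mechanisms = {};
	local cyrus_mechs = cyrussasl.listmech(sasl_i.cyrus, nil, "", " ", "");
	for w in s_gmatch(cyrus_mechs, "[^ ]+") do
		mechanisms[w] = true;
	end
	sasl_i.mechs = mechanisms;
	return setmetatable(sasl_i, method);
end

-- Get a fresh clone set up exactly like this object: same realm, service
-- name, app name and host FQDN. Objects created before app_name/host_fqdn
-- were recorded simply pass nil, which keeps the old fallback behaviour.
function method:clean_clone()
	return new(self.realm, self.service_name, self.app_name, self.host_fqdn)
end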
-- Get the SASL mechanisms Cyrus offers for this object, as a table keyed
-- by mechanism name with the value true.
function method:mechanisms()
	local offered = self.mechs;
	return offered;
end
-- Select a mechanism to use.
--
-- mechanism - mechanism name as sent by the client
--
-- Succeeds (returns true) at most once per object, and only for a
-- mechanism present in self.mechs; any other call returns nothing and
-- leaves the selection untouched.
function method:select(mechanism)
	if self.selected then
		return;
	end
	if not self.mechs[mechanism] then
		return;
	end
	self.selected = mechanism;
	return true;
end
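-- Feed the next client message into the library and advance the exchange.
--
-- message - the client's response; nil is treated as an empty string.
--           The first call starts the selected mechanism (select() is
--           assumed to have been called; nothing here checks
--           self.selected), later calls continue it.
--
-- Returns one of:
--   "success", data            - exchange complete; self.username holds
--                                the (canonicalized) user name
--   "challenge", data          - another round trip is needed
--   "failure", condition, text - exchange failed; condition is the SASL
--                                failure condition name
function method:process(message)
	local err, data;

	if not self.first_step_done then
		err, data = cyrussasl.server_start(self.cyrus, self.selected, message or "")
		self.first_step_done = true;
	else
		err, data = cyrussasl.server_step(self.cyrus, message or "")
	end

	-- Queried on every step, so this may be nil or incomplete until the
	-- library reports SASL_OK.
	self.username = cyrussasl.get_username(self.cyrus)

	if (err == 0) then -- SASL_OK
		-- Fail closed: a user Cyrus accepts but who is not provisioned for
		-- XMPP is rejected here, not logged in.
		if self.require_provisioning and not self.require_provisioning(self.username) then
			return "failure", "not-authorized", "User authenticated successfully, but not provisioned for XMPP";
		end
		return "success", data
	elseif (err == 1) then -- SASL_CONTINUE
		return "challenge", data
	elseif (err == -4) then -- SASL_NOMECH
		log("debug", "SASL mechanism not available from remote end")
		return "failure", "invalid-mechanism", "SASL mechanism not available"
	elseif (err == -13) then -- SASL_BADAUTH
		return "failure", "not-authorized", sasl_errstring[err];
	elseif (err == -20 or err == -26) then -- SASL_NOUSER, SASL_NOVERIFY
		-- Report an unknown user, or one without a verifier, exactly like a
		-- bad password. Returning a distinct condition and text for these
		-- codes lets whoever receives them tell existing accounts from
		-- non-existing ones (presumably the client, if the caller forwards
		-- the failure -- confirm against the SASL handler). The real reason
		-- is still logged for the operator.
		log("debug", "Got SASL error condition %d: %s", err, sasl_errstring[err]);
		return "failure", "not-authorized", sasl_errstring[-13];
	else
		log("debug", "Got SASL error condition %d: %s", err, sasl_errstring[err]);
		return "failure", "undefined-condition", sasl_errstring[err];
	end
end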
-- Module interface: only the constructor is exported; everything else is
-- reached through the methods of the object new() returns.
local exports = {
	new = new;
};
return exports