Mercurial > prosody-modules
annotate mod_auth_imap/auth_imap/mod_auth_imap.lua @ 4203:c4002aae4ad3
mod_s2s_keepalive: Use timestamp as iq @id
RFC 6120 implies that the id attribute must be unique within a stream.
This should fix problems with remote servers that enforce uniqueness and
don't answer duplicated ids.
If it doesn't do that, then at least you can get a guesstimate at
round-trip time from the difference between the result iq stanza and the
timestamp it was logged without having to go look for when it was sent,
or needing to keep state.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Wed, 14 Oct 2020 18:02:10 +0200 |
parents | 2cce28fe806b |
children |
rev | line source |
---|---|
1196
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 -- IMAP authentication backend for Prosody |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 -- |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 -- Copyright (C) 2011 FIMXE from hg annotate -u |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 local name = "IMAP SASL"; |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 local log = require "util.logger".init("auth_imap"); |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 local imap_host = module:get_option_string("imap_auth_host", "localhost"); |
1198
b21bd39c8a12
mod_auth_imap: Leave port nil if not specified in the config, so we can auto-detect based on whether we use SSL
Matthew Wild <mwild1@gmail.com>
parents:
1196
diff
changeset
|
9 local imap_port = module:get_option_number("imap_auth_port"); |
1196
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 |
1202
2cce28fe806b
mod_auth_imap: Fix typo in previous commit
Matthew Wild <mwild1@gmail.com>
parents:
1201
diff
changeset
|
11 local imap_service_realm = module:get_option_string("imap_auth_realm", module:get_option("sasl_realm")); |
1201
744af76b7324
mod_auth_imap: Rename imap_service_realm to imap_auth_realm and inherit from sasl_realm, rename imap_service_name to imap_auth_service_name
Matthew Wild <mwild1@gmail.com>
parents:
1200
diff
changeset
|
12 local imap_service_name = module:get_option_string("imap_auth_service_name"); |
1200
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
13 local append_host = module:get_option_boolean("auth_append_host"); |
1196
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 |
1200
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
15 local verify_certificate = module:get_option_boolean("auth_imap_verify_certificate", true); |
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
16 local ssl_params = module:get_option("auth_imap_ssl", { |
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
17 mode = "client", protocol = "sslv23"; |
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
18 capath = "/etc/ssl/certs"; |
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
19 options = { "no_sslv2", "no_sslv3" }; |
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
20 verify = verify_certificate and { "peer", "fail_if_no_peer_cert" } or nil; |
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
21 ciphers = "HIGH:!DSS:!aNULL@STRENGTH"; |
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
22 }); |
1196
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 local new_imap_sasl = module:require "sasl_imap".new; |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 local new_sasl = function(realm) |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 return new_imap_sasl( |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 imap_service_realm or realm, |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 imap_service_name or "xmpp", |
1200
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
30 imap_host, imap_port, |
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
31 ssl_params, append_host |
1196
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 ); |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 end |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 do |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 local s = new_sasl(module.host) |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 assert(s, "Could not create a new SASL object"); |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 assert(s.mechanisms, "SASL object has no mechanims method"); |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 local m = {}; |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 for k in pairs(s:mechanisms()) do |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 table.insert(m, k); |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
42 end |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 log("debug", "Mechanims found: %s", table.concat(m, ", ")); |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
44 end |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
45 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
46 provider = { |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 name = module.name:gsub("^auth_",""); |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
48 }; |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
49 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
50 function provider.test_password(username, password) |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
51 return nil, "Legacy auth not supported with "..name; |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
52 end |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
53 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
54 function provider.get_password(username) |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
55 return nil, "Passwords unavailable for "..name; |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
56 end |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
57 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
58 function provider.set_password(username, password) |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
59 return nil, "Passwords unavailable for "..name; |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
60 end |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
61 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
62 function provider.user_exists(username) |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
63 -- FIXME |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
64 return true |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
65 end |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
66 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
67 function provider.create_user(username, password) |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
68 return nil, "Account creation/modification not available with "..name; |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
69 end |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
70 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
71 function provider.get_sasl_handler() |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
72 return new_sasl(module.host); |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
73 end |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
74 |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
75 module:add_item("auth-provider", provider); |
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
76 |