Mercurial > prosody-modules
view mod_auth_imap/auth_imap/sasl_imap.lib.lua @ 1196:f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 26 Sep 2013 13:43:27 +0200 |
parents | |
children | 5d46281a5d23 |
line wrap: on
line source
-- Dovecot authentication backend for Prosody -- -- Copyright (C) 2011 Kim Alvefur -- local log = require "util.logger".init("sasl_imap"); local setmetatable = setmetatable; local s_match, s_gmatch = string.match, string.gmatch local t_concat = table.concat; local m_random = math.random; local tostring, tonumber = tostring, tonumber; local socket = require "socket" -- TODO -- local ssl = require "ssl" local base64 = require "util.encodings".base64; local b64, unb64 = base64.encode, base64.decode; local _M = {}; local method = {}; method.__index = method; -- For extracting the username. local mitm = { PLAIN = function(message) return s_match(message, "^[^%z]*%z([^%z]+)%z[^%z]+"); end, ["SCRAM-SHA-1"] = function(message) return s_match(message, "^[^,]+,[^,]*,n=([^,]*)"); end, ["DIGEST-MD5"] = function(message) return s_match(message, "username=\"([^\"]*)\""); end, } local function connect(host, port, ssl) port = tonumber(port) or (ssl and 993 or 143); log("debug", "connect() to %s:%s:%d", ssl and "ssl" or "tcp", host, tonumber(port)); local conn = socket.tcp(); -- Create a connection to imap socket log("debug", "connecting to imap at '%s:%d'", host, port); local ok, err = conn:connect(host, port); conn:settimeout(10); if not ok then log("error", "error connecting to imap at '%s:%d'. error was '%s'. check permissions", host, port, err); return false; end -- Parse IMAP handshake local done = false; local supported_mechs = {}; local line = conn:receive("*l"); log("debug", "imap handshake: '%s'", line); if not line then return false; end local caps = line:match("^%*%s+OK%s+(%b[])"); if caps then caps = caps:sub(2,-2); for cap in caps:gmatch("%S+") do log("debug", "Capability: %s", cap); local mech = cap:match("AUTH=(.*)"); if mech then log("debug", "Supported SASL mechanism: %s", mech); supported_mechs[mech] = mitm[mech] and true or nil; end end end return conn, supported_mechs; end -- create a new SASL object which can be used to authenticate clients function _M.new(realm, service_name, host, port, ssl) log("debug", "new(%q, %q, %q, %d)", realm or "", service_name or "", host or "", port or 0); local sasl_i = { realm = realm, service_name = service_name, _host = host, _port = port, _ssl = ssl }; local conn, mechs = connect(host, port, ssl); if not conn then return nil, "Socket connection failure"; end sasl_i.conn, sasl_i.mechs = conn, mechs; return setmetatable(sasl_i, method); end -- get a fresh clone with the same realm and service name function method:clean_clone() if self.conn then self.conn:close(); self.conn = nil; end log("debug", "method:clean_clone()"); return _M.new(self.realm, self.service_name, self._host, self._port) end -- get a list of possible SASL mechanisms to use function method:mechanisms() log("debug", "method:mechanisms()"); return self.mechs; end -- select a mechanism to use function method:select(mechanism) log("debug", "method:select(%q)", mechanism); if not self.selected and self.mechs[mechanism] then self.tag = tostring({}):match("0x(%x*)$"); self.selected = mechanism; local selectmsg = t_concat({ self.tag, "AUTHENTICATE", mechanism }, " "); log("debug", "Sending %d bytes: %q", #selectmsg, selectmsg); local ok, err = self.conn:send(selectmsg.."\n"); if not ok then log("error", "Could not write to socket: %s", err); return "failure", "internal-server-error", err end local line, err = self.conn:receive("*l"); if not line then log("error", "Could not read from socket: %s", err); return "failure", "internal-server-error", err end log("debug", "Received %d bytes: %q", #line, line); return line:match("^+") end end -- feed new messages to process into the library function method:process(message) local username = mitm[self.selected](message); if username then self.username = username; end log("debug", "method:process(%d bytes)", #message); local ok, err = self.conn:send(b64(message).."\n"); if not ok then log("error", "Could not write to socket: %s", err); return "failure", "internal-server-error", err end log("debug", "Sent %d bytes to socket", ok); local line, err = self.conn:receive("*l"); if not line then log("error", "Could not read from socket: %s", err); return "failure", "internal-server-error", err end log("debug", "Received %d bytes from socket: %s", #line, line); if line:match("^%+") and #line > 2 then local data = line:sub(3); data = data and unb64(data); return "challenge", unb64(data); elseif line:sub(1, #self.tag) == self.tag then local ok, rest = line:sub(#self.tag+1):match("(%w+)%s+(.*)"); ok = ok:lower(); log("debug", "%s: %s", ok, rest); if ok == "ok" then return "success" elseif ok == "no" then return "failure", "not-authorized", rest; end elseif line:match("^%* BYE") then local err = line:match("BYE%s*(.*)"); return "failure", "not-authorized", err; end end return _M;