Annotate

mod_auth_dovecot/auth_dovecot/mod_auth_dovecot.lua @ 5185:09d6bbd6c8a4

mod_http_oauth2: Fix treatment of 'redirect_uri' parameter in code flow It's optional and the one stored in the client registration should really be used instead. RFC 6749 says an URI provided as parameter MUST be validated against the stored one but does not say how. Given that the client needs their secret to proceed, it seems fine to leave this for later.
author Kim Alvefur <zash@zash.se>
date Thu, 02 Mar 2023 22:00:42 +0100
parent 1213:544f5a4a8428
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
474
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 -- Dovecot authentication backend for Prosody
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2 --
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3 -- Copyright (C) 2010-2011 Waqas Hussain
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 -- Copyright (C) 2011 Kim Alvefur
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5 --
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7 local name = "Dovecot SASL";
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8 local log = require "util.logger".init("auth_dovecot");
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 local socket_path = module:get_option_string("dovecot_auth_socket", "/var/run/dovecot/auth-login");
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11 local socket_host = module:get_option_string("dovecot_auth_host", "127.0.0.1");
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12 local socket_port = module:get_option_string("dovecot_auth_port");
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14 local service_realm = module:get_option("realm");
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
15 local service_name = module:get_option("service_name");
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16 local append_host = module:get_option_boolean("auth_append_host");
700
0c130c45b7c1 mod_auth_dovecot: Old forgotten changes. Testing appreciated.
Kim Alvefur <zash@zash.se>
parents: 474
diff changeset
17 --assert(not append_host, "auth_append_host does not work");
474
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18 local validate_domain = module:get_option_boolean("validate_append_host");
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19 local handle_appended = module:get_option_string("handle_appended");
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
20 local util_sasl_new = require "util.sasl".new;
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22 local new_dovecot_sasl = module:require "sasl_dovecot".new;
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24 local new_sasl = function(realm)
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25 return new_dovecot_sasl(
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 service_realm or realm,
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27 service_name or "xmpp",
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28
700
0c130c45b7c1 mod_auth_dovecot: Old forgotten changes. Testing appreciated.
Kim Alvefur <zash@zash.se>
parents: 474
diff changeset
29 socket_port and { socket_host, socket_port } or socket_path,
474
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
30
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
31 { --config
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32 handle_domain = handle_appended or
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
33 (append_host and "split" or "escape"),
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
34 validate_domain = validate_domain,
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
35 }
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
36 );
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
37 end
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
38
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
39 do
838
c9e2beec4ef6 mod_auth_dovecot: Improved error reporting.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
40 local s, err = new_sasl(module.host)
c9e2beec4ef6 mod_auth_dovecot: Improved error reporting.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
41 if not s then
c9e2beec4ef6 mod_auth_dovecot: Improved error reporting.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
42 log("error", "%s", tostring(err));
c9e2beec4ef6 mod_auth_dovecot: Improved error reporting.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
43 end
474
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
44 assert(s, "Could not create a new SASL object");
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
45 assert(s.mechanisms, "SASL object has no mechanims method");
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
46 local m, _m = {}, s:mechanisms();
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
47 assert(not append_host or _m.PLAIN, "auth_append_host requires PLAIN, but it is unavailable");
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
48 for k in pairs(_m) do
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
49 table.insert(m, k);
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
50 end
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
51 log("debug", "Mechanims found: %s", table.concat(m, ", "));
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
52 end
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
53
814
881ec9919144 mod_auth_*: Use module:provides(), and don't explicitly specify provider.name.
Waqas Hussain <waqas20@gmail.com>
parents: 700
diff changeset
54 provider = {};
474
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
55
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
56 function provider.test_password(username, password)
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
57 return new_sasl(module.host):plain_test(username, password);
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
58 end
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
59
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
60 function provider.get_password(username)
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
61 return nil, "Passwords unavailable for "..name;
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
62 end
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
63
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
64 function provider.set_password(username, password)
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
65 return nil, "Passwords unavailable for "..name;
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
66 end
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
67
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
68 function provider.user_exists(username)
700
0c130c45b7c1 mod_auth_dovecot: Old forgotten changes. Testing appreciated.
Kim Alvefur <zash@zash.se>
parents: 474
diff changeset
69 return true -- FIXME
0c130c45b7c1 mod_auth_dovecot: Old forgotten changes. Testing appreciated.
Kim Alvefur <zash@zash.se>
parents: 474
diff changeset
70 --[[ This, sadly, doesn't work.
474
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
71 local user_test = new_sasl(module.host);
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
72 user_test:select("PLAIN");
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
73 user_test:process(("\0%s\0"):format(username));
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
74 return user_test.username == username;
700
0c130c45b7c1 mod_auth_dovecot: Old forgotten changes. Testing appreciated.
Kim Alvefur <zash@zash.se>
parents: 474
diff changeset
75 --]]
474
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
76 end
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
77
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
78 function provider.create_user(username, password)
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
79 return nil, "Account creation/modification not available with "..name;
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
80 end
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
81
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
82 function provider.get_sasl_handler()
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
83 return new_sasl(module.host);
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
84 end
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
85
700
0c130c45b7c1 mod_auth_dovecot: Old forgotten changes. Testing appreciated.
Kim Alvefur <zash@zash.se>
parents: 474
diff changeset
86 if append_host then
0c130c45b7c1 mod_auth_dovecot: Old forgotten changes. Testing appreciated.
Kim Alvefur <zash@zash.se>
parents: 474
diff changeset
87 function provider.test_password(username, password)
1213
544f5a4a8428 mod_auth_dovecot: Check return value properly
Kim Alvefur <zash@zash.se>
parents: 1212
diff changeset
88 return new_sasl(module.host):plain_test(username .. "@".. (service_realm or module.host), password) == "success";
700
0c130c45b7c1 mod_auth_dovecot: Old forgotten changes. Testing appreciated.
Kim Alvefur <zash@zash.se>
parents: 474
diff changeset
89 end
0c130c45b7c1 mod_auth_dovecot: Old forgotten changes. Testing appreciated.
Kim Alvefur <zash@zash.se>
parents: 474
diff changeset
90
1212
bd88728b0d95 mod_auth_dovecot: Add a proper SASL handler method
Kim Alvefur <zash@zash.se>
parents: 838
diff changeset
91 function provider.get_sasl_handler()
bd88728b0d95 mod_auth_dovecot: Add a proper SASL handler method
Kim Alvefur <zash@zash.se>
parents: 838
diff changeset
92 return util_sasl_new(module.host, {
bd88728b0d95 mod_auth_dovecot: Add a proper SASL handler method
Kim Alvefur <zash@zash.se>
parents: 838
diff changeset
93 plain_test = function(sasl, username, password, realm)
bd88728b0d95 mod_auth_dovecot: Add a proper SASL handler method
Kim Alvefur <zash@zash.se>
parents: 838
diff changeset
94 return provider.test_password(username, password), true
bd88728b0d95 mod_auth_dovecot: Add a proper SASL handler method
Kim Alvefur <zash@zash.se>
parents: 838
diff changeset
95 end;
bd88728b0d95 mod_auth_dovecot: Add a proper SASL handler method
Kim Alvefur <zash@zash.se>
parents: 838
diff changeset
96 });
bd88728b0d95 mod_auth_dovecot: Add a proper SASL handler method
Kim Alvefur <zash@zash.se>
parents: 838
diff changeset
97 end
700
0c130c45b7c1 mod_auth_dovecot: Old forgotten changes. Testing appreciated.
Kim Alvefur <zash@zash.se>
parents: 474
diff changeset
98 end
0c130c45b7c1 mod_auth_dovecot: Old forgotten changes. Testing appreciated.
Kim Alvefur <zash@zash.se>
parents: 474
diff changeset
99
814
881ec9919144 mod_auth_*: Use module:provides(), and don't explicitly specify provider.name.
Waqas Hussain <waqas20@gmail.com>
parents: 700
diff changeset
100 module:provides("auth", provider);
474
942738953ff3 mod_auth_dovecot: Replace with SASL proxying version.
Kim Alvefur <zash@zash.se>
parents:
diff changeset
101