Software /
code /
prosody-modules
Annotate
mod_auth_external/mod_auth_external.lua @ 1155:40f7a8d152eb
mod_auth_external: Remove is_admin (duplicates usermanager)
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Tue, 13 Aug 2013 19:35:07 +0100 |
parent | 1154:61f95bf51b35 |
child | 1156:3c82984ffa51 |
rev | line source |
---|---|
158
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
1 -- |
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
2 -- Prosody IM |
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
3 -- Copyright (C) 2010 Waqas Hussain |
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
4 -- Copyright (C) 2010 Jeff Mitchell |
1086
50ee38e95e75
Don't store password in temporary file, pipe instead
Mikael Nordfeldth <mmn@hethane.se>
parents:
902
diff
changeset
|
5 -- Copyright (C) 2013 Mikael Nordfeldth |
1154
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
6 -- Copyright (C) 2013 Matthew Wild, finally came to fix it all |
158
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
7 -- |
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
8 -- This project is MIT/X11 licensed. Please see the |
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
9 -- COPYING file in the source package for more information. |
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
10 -- |
152 | 11 |
1154
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
12 local lpty = assert(require "lpty", "mod_auth_external requires lpty: https://code.google.com/p/prosody-modules/wiki/mod_auth_external#Installation"); |
152 | 13 |
168
cd8492748985
mod_auth_external: Renamed from mod_extauth. Update logging and options (external_auth_protocol, external_auth_command)
Matthew Wild <mwild1@gmail.com>
parents:
166
diff
changeset
|
14 local log = module._log; |
158
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
15 local host = module.host; |
1154
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
16 local script_type = module:get_option_string("external_auth_protocol", "generic"); |
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
17 assert(script_type == "ejabberd" or script_type == "generic", "Config error: external_auth_protocol must be 'ejabberd' or 'generic'"); |
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
18 local command = module:get_option_string("external_auth_command", ""); |
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
19 local read_timeout = module:get_option_number("external_auth_timeout", 5); |
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
20 assert(not host:find(":"), "Invalid hostname"); |
158
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
21 local usermanager = require "core.usermanager"; |
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
22 local jid_bare = require "util.jid".bare; |
166
75a85eac3c27
mod_extauth: Updated to provide a SASL handler.
Waqas Hussain <waqas20@gmail.com>
parents:
158
diff
changeset
|
23 local new_sasl = require "util.sasl".new; |
152 | 24 |
1154
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
25 local pty = lpty.new({ throw_errors = false, no_local_echo = true, use_path = false }); |
846
5ddc43ce8993
mod_auth_external: Work even when the LuaProcessCall library isn't available.
Waqas Hussain <waqas20@gmail.com>
parents:
816
diff
changeset
|
26 |
1154
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
27 function send_query(text) |
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
28 if not pty:hasproc() then |
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
29 local status, ret = pty:exitstatus(); |
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
30 if status and (status ~= "exit" or ret ~= 0) then |
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
31 log("warn", "Auth process exited unexpectedly with %s %d, restarting", status, ret or 0); |
846
5ddc43ce8993
mod_auth_external: Work even when the LuaProcessCall library isn't available.
Waqas Hussain <waqas20@gmail.com>
parents:
816
diff
changeset
|
32 return nil; |
5ddc43ce8993
mod_auth_external: Work even when the LuaProcessCall library isn't available.
Waqas Hussain <waqas20@gmail.com>
parents:
816
diff
changeset
|
33 end |
1154
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
34 local ok, err = pty:startproc(command); |
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
35 if not ok then |
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
36 log("error", "Failed to start auth process '%s': %s", command, err); |
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
37 return nil; |
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
38 end |
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
39 log("debug", "Started auth process"); |
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
40 end |
846
5ddc43ce8993
mod_auth_external: Work even when the LuaProcessCall library isn't available.
Waqas Hussain <waqas20@gmail.com>
parents:
816
diff
changeset
|
41 |
1154
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
42 pty:send(text); |
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
43 return pty:read(read_timeout); |
152 | 44 end |
45 | |
46 function do_query(kind, username, password) | |
47 if not username then return nil, "not-acceptable"; end | |
48 | |
49 local query = (password and "%s:%s:%s:%s" or "%s:%s:%s"):format(kind, username, host, password); | |
50 local len = #query | |
51 if len > 1000 then return nil, "policy-violation"; end | |
52 | |
158
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
53 if script_type == "ejabberd" then |
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
54 local lo = len % 256; |
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
55 local hi = (len - lo) / 256; |
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
56 query = string.char(hi, lo)..query; |
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
57 end |
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
58 if script_type == "generic" then |
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
59 query = query..'\n'; |
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
60 end |
152 | 61 |
62 local response = send_query(query); | |
158
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
63 if (script_type == "ejabberd" and response == "\0\2\0\0") or |
1154
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
64 (script_type == "generic" and response:gsub("\r?\n$", "") == "0") then |
158
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
65 return nil, "not-authorized"; |
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
66 elseif (script_type == "ejabberd" and response == "\0\2\0\1") or |
1154
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
67 (script_type == "generic" and response:gsub("\r?\n$", "") == "1") then |
158
1a5d5d4f08fe
Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents:
152
diff
changeset
|
68 return true; |
152 | 69 else |
1154
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
70 if response then |
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
71 log("warn", "Unable to interpret data from auth process, %d bytes beginning with: %s", #response, (response:sub(1,4):gsub(".", function (c) |
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
72 return ("%02X "):format(c:byte()); |
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
73 end))); |
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
74 else |
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
75 log("warn", "Error while waiting for result from auth process: %s", response or "unknown error"); |
61f95bf51b35
mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents:
1086
diff
changeset
|
76 end |
152 | 77 return nil, "internal-server-error"; |
78 end | |
79 end | |
80 | |
816
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
81 local host = module.host; |
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
82 local provider = {}; |
152 | 83 |
816
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
84 function provider.test_password(username, password) |
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
85 return do_query("auth", username, password); |
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
86 end |
152 | 87 |
816
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
88 function provider.set_password(username, password) |
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
89 return do_query("setpass", username, password); |
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
90 end |
152 | 91 |
816
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
92 function provider.user_exists(username) |
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
93 return do_query("isuser", username); |
152 | 94 end |
95 | |
816
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
96 function provider.create_user(username, password) return nil, "Account creation/modification not available."; end |
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
97 |
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
98 function provider.get_sasl_handler() |
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
99 local testpass_authentication_profile = { |
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
100 plain_test = function(sasl, username, password, realm) |
902
490cb9161c81
mod_auth_{external,internal_yubikey,ldap,ldap2,sql}: No need to nodeprep in SASL handler.
Waqas Hussain <waqas20@gmail.com>
parents:
846
diff
changeset
|
101 return usermanager.test_password(username, realm, password), true; |
816
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
102 end, |
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
103 }; |
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
104 return new_sasl(host, testpass_authentication_profile); |
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
105 end |
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
106 |
960007b0901e
mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents:
814
diff
changeset
|
107 module:provides("auth", provider); |