Annotate

mod_auth_external/mod_auth_external.lua @ 1155:40f7a8d152eb

mod_auth_external: Remove is_admin (duplicates usermanager)
author Matthew Wild <mwild1@gmail.com>
date Tue, 13 Aug 2013 19:35:07 +0100
parent 1154:61f95bf51b35
child 1156:3c82984ffa51
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
158
1a5d5d4f08fe Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents: 152
diff changeset
1 --
1a5d5d4f08fe Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents: 152
diff changeset
2 -- Prosody IM
1a5d5d4f08fe Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents: 152
diff changeset
3 -- Copyright (C) 2010 Waqas Hussain
1a5d5d4f08fe Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents: 152
diff changeset
4 -- Copyright (C) 2010 Jeff Mitchell
1086
50ee38e95e75 Don't store password in temporary file, pipe instead
Mikael Nordfeldth <mmn@hethane.se>
parents: 902
diff changeset
5 -- Copyright (C) 2013 Mikael Nordfeldth
1154
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
6 -- Copyright (C) 2013 Matthew Wild, finally came to fix it all
158
1a5d5d4f08fe Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents: 152
diff changeset
7 --
1a5d5d4f08fe Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents: 152
diff changeset
8 -- This project is MIT/X11 licensed. Please see the
1a5d5d4f08fe Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents: 152
diff changeset
9 -- COPYING file in the source package for more information.
1a5d5d4f08fe Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents: 152
diff changeset
10 --
152
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
11
1154
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
12 local lpty = assert(require "lpty", "mod_auth_external requires lpty: https://code.google.com/p/prosody-modules/wiki/mod_auth_external#Installation");
152
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
13
168
cd8492748985 mod_auth_external: Renamed from mod_extauth. Update logging and options (external_auth_protocol, external_auth_command)
Matthew Wild <mwild1@gmail.com>
parents: 166
diff changeset
14 local log = module._log;
158
1a5d5d4f08fe Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents: 152
diff changeset
15 local host = module.host;
1154
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
16 local script_type = module:get_option_string("external_auth_protocol", "generic");
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
17 assert(script_type == "ejabberd" or script_type == "generic", "Config error: external_auth_protocol must be 'ejabberd' or 'generic'");
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
18 local command = module:get_option_string("external_auth_command", "");
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
19 local read_timeout = module:get_option_number("external_auth_timeout", 5);
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
20 assert(not host:find(":"), "Invalid hostname");
158
1a5d5d4f08fe Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents: 152
diff changeset
21 local usermanager = require "core.usermanager";
1a5d5d4f08fe Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents: 152
diff changeset
22 local jid_bare = require "util.jid".bare;
166
75a85eac3c27 mod_extauth: Updated to provide a SASL handler.
Waqas Hussain <waqas20@gmail.com>
parents: 158
diff changeset
23 local new_sasl = require "util.sasl".new;
152
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
24
1154
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
25 local pty = lpty.new({ throw_errors = false, no_local_echo = true, use_path = false });
846
5ddc43ce8993 mod_auth_external: Work even when the LuaProcessCall library isn't available.
Waqas Hussain <waqas20@gmail.com>
parents: 816
diff changeset
26
1154
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
27 function send_query(text)
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
28 if not pty:hasproc() then
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
29 local status, ret = pty:exitstatus();
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
30 if status and (status ~= "exit" or ret ~= 0) then
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
31 log("warn", "Auth process exited unexpectedly with %s %d, restarting", status, ret or 0);
846
5ddc43ce8993 mod_auth_external: Work even when the LuaProcessCall library isn't available.
Waqas Hussain <waqas20@gmail.com>
parents: 816
diff changeset
32 return nil;
5ddc43ce8993 mod_auth_external: Work even when the LuaProcessCall library isn't available.
Waqas Hussain <waqas20@gmail.com>
parents: 816
diff changeset
33 end
1154
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
34 local ok, err = pty:startproc(command);
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
35 if not ok then
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
36 log("error", "Failed to start auth process '%s': %s", command, err);
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
37 return nil;
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
38 end
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
39 log("debug", "Started auth process");
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
40 end
846
5ddc43ce8993 mod_auth_external: Work even when the LuaProcessCall library isn't available.
Waqas Hussain <waqas20@gmail.com>
parents: 816
diff changeset
41
1154
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
42 pty:send(text);
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
43 return pty:read(read_timeout);
152
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
44 end
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
45
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
46 function do_query(kind, username, password)
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
47 if not username then return nil, "not-acceptable"; end
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
48
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
49 local query = (password and "%s:%s:%s:%s" or "%s:%s:%s"):format(kind, username, host, password);
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
50 local len = #query
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
51 if len > 1000 then return nil, "policy-violation"; end
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
52
158
1a5d5d4f08fe Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents: 152
diff changeset
53 if script_type == "ejabberd" then
1a5d5d4f08fe Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents: 152
diff changeset
54 local lo = len % 256;
1a5d5d4f08fe Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents: 152
diff changeset
55 local hi = (len - lo) / 256;
1a5d5d4f08fe Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents: 152
diff changeset
56 query = string.char(hi, lo)..query;
1a5d5d4f08fe Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents: 152
diff changeset
57 end
1a5d5d4f08fe Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents: 152
diff changeset
58 if script_type == "generic" then
1a5d5d4f08fe Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents: 152
diff changeset
59 query = query..'\n';
1a5d5d4f08fe Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents: 152
diff changeset
60 end
152
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
61
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
62 local response = send_query(query);
158
1a5d5d4f08fe Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents: 152
diff changeset
63 if (script_type == "ejabberd" and response == "\0\2\0\0") or
1154
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
64 (script_type == "generic" and response:gsub("\r?\n$", "") == "0") then
158
1a5d5d4f08fe Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents: 152
diff changeset
65 return nil, "not-authorized";
1a5d5d4f08fe Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents: 152
diff changeset
66 elseif (script_type == "ejabberd" and response == "\0\2\0\1") or
1154
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
67 (script_type == "generic" and response:gsub("\r?\n$", "") == "1") then
158
1a5d5d4f08fe Add "generic" script support to mod_extauth, as well as lpc support until waqas fixes process
Jeff Mitchell <jeff@jefferai.org>
parents: 152
diff changeset
68 return true;
152
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
69 else
1154
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
70 if response then
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
71 log("warn", "Unable to interpret data from auth process, %d bytes beginning with: %s", #response, (response:sub(1,4):gsub(".", function (c)
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
72 return ("%02X "):format(c:byte());
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
73 end)));
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
74 else
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
75 log("warn", "Error while waiting for result from auth process: %s", response or "unknown error");
61f95bf51b35 mod_auth_external: Switch to lpty, remove file-based fallback, improve error messages and handling. Should greatly increase compatibility with scripts.
Matthew Wild <mwild1@gmail.com>
parents: 1086
diff changeset
76 end
152
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
77 return nil, "internal-server-error";
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
78 end
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
79 end
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
80
816
960007b0901e mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
81 local host = module.host;
960007b0901e mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
82 local provider = {};
152
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
83
816
960007b0901e mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
84 function provider.test_password(username, password)
960007b0901e mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
85 return do_query("auth", username, password);
960007b0901e mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
86 end
152
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
87
816
960007b0901e mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
88 function provider.set_password(username, password)
960007b0901e mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
89 return do_query("setpass", username, password);
960007b0901e mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
90 end
152
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
91
816
960007b0901e mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
92 function provider.user_exists(username)
960007b0901e mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
93 return do_query("isuser", username);
152
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
94 end
4ca382e8a4c5 mod_extauth: Initial commit.
Waqas Hussain <waqas20@gmail.com>
parents:
diff changeset
95
816
960007b0901e mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
96 function provider.create_user(username, password) return nil, "Account creation/modification not available."; end
960007b0901e mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
97
960007b0901e mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
98 function provider.get_sasl_handler()
960007b0901e mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
99 local testpass_authentication_profile = {
960007b0901e mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
100 plain_test = function(sasl, username, password, realm)
902
490cb9161c81 mod_auth_{external,internal_yubikey,ldap,ldap2,sql}: No need to nodeprep in SASL handler.
Waqas Hussain <waqas20@gmail.com>
parents: 846
diff changeset
101 return usermanager.test_password(username, realm, password), true;
816
960007b0901e mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
102 end,
960007b0901e mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
103 };
960007b0901e mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
104 return new_sasl(host, testpass_authentication_profile);
960007b0901e mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
105 end
960007b0901e mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
106
960007b0901e mod_auth_external, mod_auth_internal_yubikey: Get rid of useless wrapper function around the auth provider.
Waqas Hussain <waqas20@gmail.com>
parents: 814
diff changeset
107 module:provides("auth", provider);