Comparison

mod_sasl2_fast/mod_sasl2_fast.lua @ 5082:ddb1940b08e0

mod_sasl2_fast: Clean up backend return values (fixes constant rotation)
author Matthew Wild <mwild1@gmail.com>
date Mon, 07 Nov 2022 10:19:10 +0000
parent 5078:36d3f11724c8
child 5083:4837232474ca
comparison
equal deleted inserted replaced
5081:660160fe97fa 5082:ddb1940b08e0
61 if invalidate then 61 if invalidate then
62 token_store:set(username, key, nil); 62 token_store:set(username, key, nil);
63 elseif current_time - token.issued_at > fast_token_min_ttl then 63 elseif current_time - token.issued_at > fast_token_min_ttl then
64 rotation_needed = true; 64 rotation_needed = true;
65 end 65 end
66 return true, username, hmac_f(token.secret, "Responder"..cb_data), token, rotation_needed; 66 return true, username, hmac_f(token.secret, "Responder"..cb_data), rotation_needed;
67 end 67 end
68 end 68 end
69 if not tried_current_token then 69 if not tried_current_token then
70 log("debug", "Trying next token..."); 70 log("debug", "Trying next token...");
71 -- Try again with the current token instead 71 -- Try again with the current token instead
171 -- HT-* mechanisms 171 -- HT-* mechanisms
172 172
173 local function new_ht_mechanism(mechanism_name, backend_profile_name, cb_name) 173 local function new_ht_mechanism(mechanism_name, backend_profile_name, cb_name)
174 return function (sasl_handler, message) 174 return function (sasl_handler, message)
175 local backend = sasl_handler.profile[backend_profile_name]; 175 local backend = sasl_handler.profile[backend_profile_name];
176 local username, token_hash = message:match("^([^%z]+)%z(.+)$"); 176 local authc_username, token_hash = message:match("^([^%z]+)%z(.+)$");
177 if not username then 177 if not authc_username then
178 return "failure", "malformed-request"; 178 return "failure", "malformed-request";
179 end 179 end
180 local cb_data = cb_name and sasl_handler.profile.cb[cb_name](sasl_handler) or ""; 180 local cb_data = cb_name and sasl_handler.profile.cb[cb_name](sasl_handler) or "";
181 local ok, status, response, rotation_needed = backend( 181 local ok, authz_username, response, rotation_needed = backend(
182 mechanism_name, 182 mechanism_name,
183 username, 183 authc_username,
184 sasl_handler.client_id, 184 sasl_handler.client_id,
185 token_hash, 185 token_hash,
186 cb_data, 186 cb_data,
187 sasl_handler.invalidate 187 sasl_handler.invalidate
188 ); 188 );
189 if not ok then 189 if not ok then
190 return "failure", status or "not-authorized"; 190 -- authz_username is error condition
191 end 191 return "failure", authz_username or "not-authorized";
192 sasl_handler.username = status; 192 end
193 sasl_handler.username = authz_username;
193 sasl_handler.rotation_needed = rotation_needed; 194 sasl_handler.rotation_needed = rotation_needed;
194 return "success", response; 195 return "success", response;
195 end 196 end
196 end 197 end
197 198