
mod_auth_ccert/mod_auth_ccert.lua @ 1065:3d04d9377a67

mod_auth_ccert: Prepare for supporting more ways to figure out the username
author Kim Alvefur <zash@zash.se>
date Fri, 14 Jun 2013 20:10:33 +0200
parent 1063:b2a4679e7d20
child 1066:83175a6af8c5
--- a/mod_auth_ccert/mod_auth_ccert.lua	Fri Jun 14 12:09:00 2013 +0200
+++ b/mod_auth_ccert/mod_auth_ccert.lua	Fri Jun 14 20:10:33 2013 +0200
@@ -10,6 +10,38 @@
 local id_on_xmppAddr = "1.3.6.1.5.5.7.8.5";
 local now = os.time;
 
+local cert_match = module:get_option("certificate_match", "xmppaddr");
+
+local username_extractor = {}
+
+function username_extractor.xmppaddr(cert)
+	local extensions = cert:extensions();
+	local SANs = extensions[subject_alternative_name];
+	local xmppAddrs = SANs and SANs[id_on_xmppAddr];
+
+	if not xmppAddrs then
+		(session.log or log)("warn", "Client certificate contains no xmppAddrs");
+		return nil, false;
+	end
+
+	for i=1,#xmppAddrs do
+		if authz == "" or jid_compare(authz, xmppAddrs[i]) then
+			(session.log or log)("debug", "xmppAddrs[%d] %q matches authz %q", i, xmppAddrs[i], authz)
+			local username, host = jid_split(xmppAddrs[i]);
+			if host == module.host then
+				return username, true
+			end
+		end
+	end
+end
+
+local find_username = username_extractor[cert_match];
+if not find_username then
+	module:log("error", "certificate_match = %q is not supported");
+	return
+end
+
+
 function get_sasl_handler(session)
 	return new_sasl(module.host, {
 		external = session.secure and function(authz)
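Review bot: The lifted `username_extractor.xmppaddr(cert)` still reads `session` (both `(session.log or log)` calls) and `authz` (the `authz == "" or jid_compare(authz, …)` test) after being moved out of the `external` closure, so both now resolve as globals that are presumably nil: the no-xmppAddr branch will raise on `session.log`, and the comparison no longer sees the client's requested authzid, so the SASL EXTERNAL path is likely to fail for every certificate rather than match the intended address. Pass them explicitly, `function username_extractor.xmppaddr(cert, authz, session)`, and at the call site in the second hunk `return find_username(cert, authz, session);`. In the same hunk the unsupported-option message `module:log("error", "certificate_match = %q is not supported")` has a `%q` with no argument; it should be `module:log("error", "certificate_match = %q is not supported", cert_match);`. `get_sasl_handler` continues past the end of this hunk.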
@@ -39,24 +71,7 @@
 				return nil, false;
 			end
 
-			local extensions = cert:extensions();
-			local SANs = extensions[subject_alternative_name];
-			local xmppAddrs = SANs and SANs[id_on_xmppAddr];
-
-			if not xmppAddrs then
-				(session.log or log)("warn", "Client certificate contains no xmppAddrs");
-				return nil, false;
-			end
-
-			for i=1,#xmppAddrs do
-				if authz == "" or jid_compare(authz, xmppAddrs[i]) then
-					(session.log or log)("debug", "xmppAddrs[%d] %q matches authz %q", i, xmppAddrs[i], authz)
-					local username, host = jid_split(xmppAddrs[i]);
-					if host == module.host then
-						return username, true
-					end
-				end
-			end
+			return find_username(cert);
 		end
 	});
 end