Software /
code /
prosody-modules
Changeset
1196:f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 26 Sep 2013 13:43:27 +0200 |
parents | 1195:f502cbffbdd4 |
children | 1197:25641c4cab36 |
files | mod_auth_imap/auth_imap/mod_auth_imap.lua mod_auth_imap/auth_imap/sasl_imap.lib.lua |
diffstat | 2 files changed, 238 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_auth_imap/auth_imap/mod_auth_imap.lua Thu Sep 26 13:43:27 2013 +0200 @@ -0,0 +1,67 @@ +-- IMAP authentication backend for Prosody +-- +-- Copyright (C) 2011 FIMXE from hg annotate -u + +local name = "IMAP SASL"; +local log = require "util.logger".init("auth_imap"); + +local imap_host = module:get_option_string("imap_auth_host", "localhost"); +local imap_port = module:get_option_number("imap_auth_port", 143); + + +local imap_service_realm = module:get_option("imap_service_realm"); +local imap_service_name = module:get_option("imap_service_name"); + + +local new_imap_sasl = module:require "sasl_imap".new; + +local new_sasl = function(realm) + return new_imap_sasl( + imap_service_realm or realm, + imap_service_name or "xmpp", + imap_host, imap_port + ); +end + +do + local s = new_sasl(module.host) + assert(s, "Could not create a new SASL object"); + assert(s.mechanisms, "SASL object has no mechanims method"); + local m = {}; + for k in pairs(s:mechanisms()) do + table.insert(m, k); + end + log("debug", "Mechanims found: %s", table.concat(m, ", ")); +end + +provider = { + name = module.name:gsub("^auth_",""); +}; + +function provider.test_password(username, password) + return nil, "Legacy auth not supported with "..name; +end + +function provider.get_password(username) + return nil, "Passwords unavailable for "..name; +end + +function provider.set_password(username, password) + return nil, "Passwords unavailable for "..name; +end + +function provider.user_exists(username) + -- FIXME + return true +end + +function provider.create_user(username, password) + return nil, "Account creation/modification not available with "..name; +end + +function provider.get_sasl_handler() + return new_sasl(module.host); +end + +module:add_item("auth-provider", provider); +
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_auth_imap/auth_imap/sasl_imap.lib.lua Thu Sep 26 13:43:27 2013 +0200 @@ -0,0 +1,171 @@ +-- Dovecot authentication backend for Prosody +-- +-- Copyright (C) 2011 Kim Alvefur +-- + +local log = require "util.logger".init("sasl_imap"); + +local setmetatable = setmetatable; + +local s_match, s_gmatch = string.match, string.gmatch +local t_concat = table.concat; +local m_random = math.random; +local tostring, tonumber = tostring, tonumber; + +local socket = require "socket" +-- TODO -- local ssl = require "ssl" +local base64 = require "util.encodings".base64; +local b64, unb64 = base64.encode, base64.decode; + +local _M = {}; + +local method = {}; +method.__index = method; + +-- For extracting the username. +local mitm = { + PLAIN = function(message) + return s_match(message, "^[^%z]*%z([^%z]+)%z[^%z]+"); + end, + ["SCRAM-SHA-1"] = function(message) + return s_match(message, "^[^,]+,[^,]*,n=([^,]*)"); + end, + ["DIGEST-MD5"] = function(message) + return s_match(message, "username=\"([^\"]*)\""); + end, +} + +local function connect(host, port, ssl) + port = tonumber(port) or (ssl and 993 or 143); + log("debug", "connect() to %s:%s:%d", ssl and "ssl" or "tcp", host, tonumber(port)); + local conn = socket.tcp(); + + -- Create a connection to imap socket + log("debug", "connecting to imap at '%s:%d'", host, port); + local ok, err = conn:connect(host, port); + conn:settimeout(10); + if not ok then + log("error", "error connecting to imap at '%s:%d'. error was '%s'. check permissions", host, port, err); + return false; + end + + -- Parse IMAP handshake + local done = false; + local supported_mechs = {}; + local line = conn:receive("*l"); + log("debug", "imap handshake: '%s'", line); + if not line then + return false; + end + local caps = line:match("^%*%s+OK%s+(%b[])"); + if caps then + caps = caps:sub(2,-2); + for cap in caps:gmatch("%S+") do + log("debug", "Capability: %s", cap); + local mech = cap:match("AUTH=(.*)"); + if mech then + log("debug", "Supported SASL mechanism: %s", mech); + supported_mechs[mech] = mitm[mech] and true or nil; + end + end + end + + return conn, supported_mechs; +end + +-- create a new SASL object which can be used to authenticate clients +function _M.new(realm, service_name, host, port, ssl) + log("debug", "new(%q, %q, %q, %d)", realm or "", service_name or "", host or "", port or 0); + local sasl_i = { + realm = realm, + service_name = service_name, + _host = host, + _port = port, + _ssl = ssl + }; + + local conn, mechs = connect(host, port, ssl); + if not conn then + return nil, "Socket connection failure"; + end + sasl_i.conn, sasl_i.mechs = conn, mechs; + return setmetatable(sasl_i, method); +end + +-- get a fresh clone with the same realm and service name +function method:clean_clone() + if self.conn then + self.conn:close(); + self.conn = nil; + end + log("debug", "method:clean_clone()"); + return _M.new(self.realm, self.service_name, self._host, self._port) +end + +-- get a list of possible SASL mechanisms to use +function method:mechanisms() + log("debug", "method:mechanisms()"); + return self.mechs; +end + +-- select a mechanism to use +function method:select(mechanism) + log("debug", "method:select(%q)", mechanism); + if not self.selected and self.mechs[mechanism] then + self.tag = tostring({}):match("0x(%x*)$"); + self.selected = mechanism; + local selectmsg = t_concat({ self.tag, "AUTHENTICATE", mechanism }, " "); + log("debug", "Sending %d bytes: %q", #selectmsg, selectmsg); + local ok, err = self.conn:send(selectmsg.."\n"); + if not ok then + log("error", "Could not write to socket: %s", err); + return "failure", "internal-server-error", err + end + local line, err = self.conn:receive("*l"); + if not line then + log("error", "Could not read from socket: %s", err); + return "failure", "internal-server-error", err + end + log("debug", "Received %d bytes: %q", #line, line); + return line:match("^+") + end +end + +-- feed new messages to process into the library +function method:process(message) + local username = mitm[self.selected](message); + if username then self.username = username; end + log("debug", "method:process(%d bytes)", #message); + local ok, err = self.conn:send(b64(message).."\n"); + if not ok then + log("error", "Could not write to socket: %s", err); + return "failure", "internal-server-error", err + end + log("debug", "Sent %d bytes to socket", ok); + local line, err = self.conn:receive("*l"); + if not line then + log("error", "Could not read from socket: %s", err); + return "failure", "internal-server-error", err + end + log("debug", "Received %d bytes from socket: %s", #line, line); + + if line:match("^%+") and #line > 2 then + local data = line:sub(3); + data = data and unb64(data); + return "challenge", unb64(data); + elseif line:sub(1, #self.tag) == self.tag then + local ok, rest = line:sub(#self.tag+1):match("(%w+)%s+(.*)"); + ok = ok:lower(); + log("debug", "%s: %s", ok, rest); + if ok == "ok" then + return "success" + elseif ok == "no" then + return "failure", "not-authorized", rest; + end + elseif line:match("^%* BYE") then + local err = line:match("BYE%s*(.*)"); + return "failure", "not-authorized", err; + end +end + +return _M;