Software /
code /
prosody
Annotate
util/sasl_cyrus.lua @ 8494:4f75f4da6d4e
certmanager: Check for missing certificate before key in configuration (should be marginally less confusing)
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 28 Dec 2017 17:32:56 +0100 |
parent | 6777:5de6b93d0190 |
child | 8555:4f0f5b49bb03 |
rev | line source |
---|---|
2389
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
1 -- sasl.lua v0.4 |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
2 -- Copyright (C) 2008-2009 Tobias Markmann |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
3 -- |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
4 -- All rights reserved. |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
5 -- |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
6 -- Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
7 -- |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
8 -- * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
9 -- * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
10 -- * Neither the name of Tobias Markmann nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
11 -- |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
12 -- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
13 |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
14 local cyrussasl = require "cyrussasl"; |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
15 local log = require "util.logger".init("sasl_cyrus"); |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
16 |
2394
a2972f9fda6d
util.sasl_cyrus: Further fixing and cleanup.
Tobias Markmann <tm@ayena.de>
parents:
2393
diff
changeset
|
17 local setmetatable = setmetatable |
2389
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
18 |
2394
a2972f9fda6d
util.sasl_cyrus: Further fixing and cleanup.
Tobias Markmann <tm@ayena.de>
parents:
2393
diff
changeset
|
19 local pcall = pcall |
2396
39b2523bcf44
first working version with Cyrus SASL support.
jorj@jorj.org
parents:
2394
diff
changeset
|
20 local s_match, s_gmatch = string.match, string.gmatch |
2389
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
21 |
3298
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
22 local sasl_errstring = { |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
23 -- SASL result codes -- |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
24 [1] = "another step is needed in authentication"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
25 [0] = "successful result"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
26 [-1] = "generic failure"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
27 [-2] = "memory shortage failure"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
28 [-3] = "overflowed buffer"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
29 [-4] = "mechanism not supported"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
30 [-5] = "bad protocol / cancel"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
31 [-6] = "can't request info until later in exchange"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
32 [-7] = "invalid parameter supplied"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
33 [-8] = "transient failure (e.g., weak key)"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
34 [-9] = "integrity check failed"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
35 [-12] = "SASL library not initialized"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
36 |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
37 -- client only codes -- |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
38 [2] = "needs user interaction"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
39 [-10] = "server failed mutual authentication step"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
40 [-11] = "mechanism doesn't support requested feature"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
41 |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
42 -- server only codes -- |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
43 [-13] = "authentication failure"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
44 [-14] = "authorization failure"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
45 [-15] = "mechanism too weak for this user"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
46 [-16] = "encryption needed to use mechanism"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
47 [-17] = "One time use of a plaintext password will enable requested mechanism for user"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
48 [-18] = "passphrase expired, has to be reset"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
49 [-19] = "account disabled"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
50 [-20] = "user not found"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
51 [-23] = "version mismatch with plug-in"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
52 [-24] = "remote authentication server unavailable"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
53 [-26] = "user exists, but no verifier for user"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
54 |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
55 -- codes for password setting -- |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
56 [-21] = "passphrase locked"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
57 [-22] = "requested change was not needed"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
58 [-27] = "passphrase is too weak for security policy"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
59 [-28] = "user supplied passwords not permitted"; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
60 }; |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
61 setmetatable(sasl_errstring, { __index = function() return "undefined error!" end }); |
94087ee7587b
util.sasl_cyrus: Added a table mapping error codes to strings.
Waqas Hussain <waqas20@gmail.com>
parents:
3157
diff
changeset
|
62 |
6777
5de6b93d0190
util.*: Remove use of module() function, make all module functions local and return them in a table at the end
Kim Alvefur <zash@zash.se>
parents:
5776
diff
changeset
|
63 local _ENV = nil; |
2389
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
64 |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
65 local method = {}; |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
66 method.__index = method; |
2402
0f884bb1f08a
util.sasl_cyrus: Automatically initialize Cyrus SASL with the first used service name.
Tobias Markmann <tm@ayena.de>
parents:
2401
diff
changeset
|
67 local initialized = false; |
2389
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
68 |
2402
0f884bb1f08a
util.sasl_cyrus: Automatically initialize Cyrus SASL with the first used service name.
Tobias Markmann <tm@ayena.de>
parents:
2401
diff
changeset
|
69 local function init(service_name) |
0f884bb1f08a
util.sasl_cyrus: Automatically initialize Cyrus SASL with the first used service name.
Tobias Markmann <tm@ayena.de>
parents:
2401
diff
changeset
|
70 if not initialized then |
2404
d7abdd6893b8
util.sasl_cyrus: Report an error if Cyrus SASL init fails.
Tobias Markmann <tm@ayena.de>
parents:
2403
diff
changeset
|
71 local st, errmsg = pcall(cyrussasl.server_init, service_name); |
d7abdd6893b8
util.sasl_cyrus: Report an error if Cyrus SASL init fails.
Tobias Markmann <tm@ayena.de>
parents:
2403
diff
changeset
|
72 if st then |
2402
0f884bb1f08a
util.sasl_cyrus: Automatically initialize Cyrus SASL with the first used service name.
Tobias Markmann <tm@ayena.de>
parents:
2401
diff
changeset
|
73 initialized = true; |
2404
d7abdd6893b8
util.sasl_cyrus: Report an error if Cyrus SASL init fails.
Tobias Markmann <tm@ayena.de>
parents:
2403
diff
changeset
|
74 else |
2902
c405486f289c
util.sasl_cyrus: Clarify some log messages and levels
Matthew Wild <mwild1@gmail.com>
parents:
2901
diff
changeset
|
75 log("error", "Failed to initialize Cyrus SASL: %s", errmsg); |
2402
0f884bb1f08a
util.sasl_cyrus: Automatically initialize Cyrus SASL with the first used service name.
Tobias Markmann <tm@ayena.de>
parents:
2401
diff
changeset
|
76 end |
0f884bb1f08a
util.sasl_cyrus: Automatically initialize Cyrus SASL with the first used service name.
Tobias Markmann <tm@ayena.de>
parents:
2401
diff
changeset
|
77 end |
0f884bb1f08a
util.sasl_cyrus: Automatically initialize Cyrus SASL with the first used service name.
Tobias Markmann <tm@ayena.de>
parents:
2401
diff
changeset
|
78 end |
2389
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
79 |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
80 -- create a new SASL object which can be used to authenticate clients |
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5000
diff
changeset
|
81 -- host_fqdn may be nil in which case gethostname() gives the value. |
5000
58c9519dc461
mod_auth_cyrus, util.sasl_cyrus: Add new option 'cyrus_server_fqdn' to override the hostname passed to Cyrus (and used in e.g. GSSAPI/Kerberos) - fixes #295
Matthew Wild <mwild1@gmail.com>
parents:
3550
diff
changeset
|
82 -- For GSSAPI, this determines the hostname in the service ticket (after |
58c9519dc461
mod_auth_cyrus, util.sasl_cyrus: Add new option 'cyrus_server_fqdn' to override the hostname passed to Cyrus (and used in e.g. GSSAPI/Kerberos) - fixes #295
Matthew Wild <mwild1@gmail.com>
parents:
3550
diff
changeset
|
83 -- reverse DNS canonicalization, only if [libdefaults] rdns = true which |
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5000
diff
changeset
|
84 -- is the default). |
6777
5de6b93d0190
util.*: Remove use of module() function, make all module functions local and return them in a table at the end
Kim Alvefur <zash@zash.se>
parents:
5776
diff
changeset
|
85 local function new(realm, service_name, app_name, host_fqdn) |
2403
916482cdfb74
util.sasl_cyrus: Removing whitespace.
Tobias Markmann <tm@ayena.de>
parents:
2402
diff
changeset
|
86 |
3063
ca149818083d
util.sasl_cyrus: Support for specifying the application name (to pass to Cyrus SASL's init())
Matthew Wild <mwild1@gmail.com>
parents:
2903
diff
changeset
|
87 init(app_name or service_name); |
2403
916482cdfb74
util.sasl_cyrus: Removing whitespace.
Tobias Markmann <tm@ayena.de>
parents:
2402
diff
changeset
|
88 |
5000
58c9519dc461
mod_auth_cyrus, util.sasl_cyrus: Add new option 'cyrus_server_fqdn' to override the hostname passed to Cyrus (and used in e.g. GSSAPI/Kerberos) - fixes #295
Matthew Wild <mwild1@gmail.com>
parents:
3550
diff
changeset
|
89 local st, ret = pcall(cyrussasl.server_new, service_name, host_fqdn, realm, nil, nil) |
3428
8a12ae696687
util.sasl_cyrus: Cleanup.
Waqas Hussain <waqas20@gmail.com>
parents:
3426
diff
changeset
|
90 if not st then |
2902
c405486f289c
util.sasl_cyrus: Clarify some log messages and levels
Matthew Wild <mwild1@gmail.com>
parents:
2901
diff
changeset
|
91 log("error", "Creating SASL server connection failed: %s", ret); |
2901
5f3ccf7dd3f1
util.sasl_cyrus: Protect the call to cyrussasl.server_new properly.
Paul Aurich <paul@darkrain42.org>
parents:
2895
diff
changeset
|
92 return nil; |
5f3ccf7dd3f1
util.sasl_cyrus: Protect the call to cyrussasl.server_new properly.
Paul Aurich <paul@darkrain42.org>
parents:
2895
diff
changeset
|
93 end |
2895
ea5fe15a82f5
util.sasl_cyrus: If available, use a c14n callback for interoperability with bad clients.
Paul Aurich <paul@darkrain42.org>
parents:
2881
diff
changeset
|
94 |
3428
8a12ae696687
util.sasl_cyrus: Cleanup.
Waqas Hussain <waqas20@gmail.com>
parents:
3426
diff
changeset
|
95 local sasl_i = { realm = realm, service_name = service_name, cyrus = ret }; |
8a12ae696687
util.sasl_cyrus: Cleanup.
Waqas Hussain <waqas20@gmail.com>
parents:
3426
diff
changeset
|
96 |
2895
ea5fe15a82f5
util.sasl_cyrus: If available, use a c14n callback for interoperability with bad clients.
Paul Aurich <paul@darkrain42.org>
parents:
2881
diff
changeset
|
97 if cyrussasl.set_canon_cb then |
ea5fe15a82f5
util.sasl_cyrus: If available, use a c14n callback for interoperability with bad clients.
Paul Aurich <paul@darkrain42.org>
parents:
2881
diff
changeset
|
98 local c14n_cb = function (user) |
ea5fe15a82f5
util.sasl_cyrus: If available, use a c14n callback for interoperability with bad clients.
Paul Aurich <paul@darkrain42.org>
parents:
2881
diff
changeset
|
99 local node = s_match(user, "^([^@]+)"); |
ea5fe15a82f5
util.sasl_cyrus: If available, use a c14n callback for interoperability with bad clients.
Paul Aurich <paul@darkrain42.org>
parents:
2881
diff
changeset
|
100 log("debug", "Canonicalizing username %s to %s", user, node) |
ea5fe15a82f5
util.sasl_cyrus: If available, use a c14n callback for interoperability with bad clients.
Paul Aurich <paul@darkrain42.org>
parents:
2881
diff
changeset
|
101 return node |
ea5fe15a82f5
util.sasl_cyrus: If available, use a c14n callback for interoperability with bad clients.
Paul Aurich <paul@darkrain42.org>
parents:
2881
diff
changeset
|
102 end |
ea5fe15a82f5
util.sasl_cyrus: If available, use a c14n callback for interoperability with bad clients.
Paul Aurich <paul@darkrain42.org>
parents:
2881
diff
changeset
|
103 cyrussasl.set_canon_cb(sasl_i.cyrus, c14n_cb); |
ea5fe15a82f5
util.sasl_cyrus: If available, use a c14n callback for interoperability with bad clients.
Paul Aurich <paul@darkrain42.org>
parents:
2881
diff
changeset
|
104 end |
ea5fe15a82f5
util.sasl_cyrus: If available, use a c14n callback for interoperability with bad clients.
Paul Aurich <paul@darkrain42.org>
parents:
2881
diff
changeset
|
105 |
2389
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
106 cyrussasl.setssf(sasl_i.cyrus, 0, 0xffffffff) |
3549
395d5bb5266e
util.sasl, util.sasl_cyrus: Load mechanisms list early rather than lazily, as they are always loaded anyway.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
107 local mechanisms = {}; |
395d5bb5266e
util.sasl, util.sasl_cyrus: Load mechanisms list early rather than lazily, as they are always loaded anyway.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
108 local cyrus_mechs = cyrussasl.listmech(sasl_i.cyrus, nil, "", " ", ""); |
395d5bb5266e
util.sasl, util.sasl_cyrus: Load mechanisms list early rather than lazily, as they are always loaded anyway.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
109 for w in s_gmatch(cyrus_mechs, "[^ ]+") do |
395d5bb5266e
util.sasl, util.sasl_cyrus: Load mechanisms list early rather than lazily, as they are always loaded anyway.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
110 mechanisms[w] = true; |
395d5bb5266e
util.sasl, util.sasl_cyrus: Load mechanisms list early rather than lazily, as they are always loaded anyway.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
111 end |
395d5bb5266e
util.sasl, util.sasl_cyrus: Load mechanisms list early rather than lazily, as they are always loaded anyway.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
112 sasl_i.mechs = mechanisms; |
3428
8a12ae696687
util.sasl_cyrus: Cleanup.
Waqas Hussain <waqas20@gmail.com>
parents:
3426
diff
changeset
|
113 return setmetatable(sasl_i, method); |
2389
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
114 end |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
115 |
3426
37b9b8e171b9
util.sasl_cyrus: Removed method:forbidden().
Waqas Hussain <waqas20@gmail.com>
parents:
3373
diff
changeset
|
116 -- get a fresh clone with the same realm and service name |
2389
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
117 function method:clean_clone() |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
118 return new(self.realm, self.service_name) |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
119 end |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
120 |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
121 -- get a list of possible SASL mechanims to use |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
122 function method:mechanisms() |
3549
395d5bb5266e
util.sasl, util.sasl_cyrus: Load mechanisms list early rather than lazily, as they are always loaded anyway.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
123 return self.mechs; |
2389
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
124 end |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
125 |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
126 -- select a mechanism to use |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
127 function method:select(mechanism) |
3550
5e5d136d9de0
util.sasl, util.sasl_cyrus: Mechanism selection cleaned up to be more consistent.
Waqas Hussain <waqas20@gmail.com>
parents:
3549
diff
changeset
|
128 if not self.selected and self.mechs[mechanism] then |
5e5d136d9de0
util.sasl, util.sasl_cyrus: Mechanism selection cleaned up to be more consistent.
Waqas Hussain <waqas20@gmail.com>
parents:
3549
diff
changeset
|
129 self.selected = mechanism; |
5e5d136d9de0
util.sasl, util.sasl_cyrus: Mechanism selection cleaned up to be more consistent.
Waqas Hussain <waqas20@gmail.com>
parents:
3549
diff
changeset
|
130 return true; |
5e5d136d9de0
util.sasl, util.sasl_cyrus: Mechanism selection cleaned up to be more consistent.
Waqas Hussain <waqas20@gmail.com>
parents:
3549
diff
changeset
|
131 end |
2389
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
132 end |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
133 |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
134 -- feed new messages to process into the library |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
135 function method:process(message) |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
136 local err; |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
137 local data; |
2396
39b2523bcf44
first working version with Cyrus SASL support.
jorj@jorj.org
parents:
2394
diff
changeset
|
138 |
3443
1159e007cc8f
util.sasl_cyrus: Make multi-step SASL mechanisms work correctly.
Waqas Hussain <waqas20@gmail.com>
parents:
3441
diff
changeset
|
139 if not self.first_step_done then |
3550
5e5d136d9de0
util.sasl, util.sasl_cyrus: Mechanism selection cleaned up to be more consistent.
Waqas Hussain <waqas20@gmail.com>
parents:
3549
diff
changeset
|
140 err, data = cyrussasl.server_start(self.cyrus, self.selected, message or "") |
3443
1159e007cc8f
util.sasl_cyrus: Make multi-step SASL mechanisms work correctly.
Waqas Hussain <waqas20@gmail.com>
parents:
3441
diff
changeset
|
141 self.first_step_done = true; |
2389
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
142 else |
2396
39b2523bcf44
first working version with Cyrus SASL support.
jorj@jorj.org
parents:
2394
diff
changeset
|
143 err, data = cyrussasl.server_step(self.cyrus, message or "") |
2389
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
144 end |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
145 |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
146 self.username = cyrussasl.get_username(self.cyrus) |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
147 |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
148 if (err == 0) then -- SASL_OK |
3468
d50e2c937717
mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents:
3467
diff
changeset
|
149 if self.require_provisioning and not self.require_provisioning(self.username) then |
d50e2c937717
mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents:
3467
diff
changeset
|
150 return "failure", "not-authorized", "User authenticated successfully, but not provisioned for XMPP"; |
d50e2c937717
mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents:
3467
diff
changeset
|
151 end |
3467
c9f4c3aa14a1
util.sasl_cyrus: Spaces -> tabs.
Waqas Hussain <waqas20@gmail.com>
parents:
3443
diff
changeset
|
152 return "success", data |
2389
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
153 elseif (err == 1) then -- SASL_CONTINUE |
3467
c9f4c3aa14a1
util.sasl_cyrus: Spaces -> tabs.
Waqas Hussain <waqas20@gmail.com>
parents:
3443
diff
changeset
|
154 return "challenge", data |
2389
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
155 elseif (err == -4) then -- SASL_NOMECH |
3467
c9f4c3aa14a1
util.sasl_cyrus: Spaces -> tabs.
Waqas Hussain <waqas20@gmail.com>
parents:
3443
diff
changeset
|
156 log("debug", "SASL mechanism not available from remote end") |
c9f4c3aa14a1
util.sasl_cyrus: Spaces -> tabs.
Waqas Hussain <waqas20@gmail.com>
parents:
3443
diff
changeset
|
157 return "failure", "invalid-mechanism", "SASL mechanism not available" |
2389
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
158 elseif (err == -13) then -- SASL_BADAUTH |
3467
c9f4c3aa14a1
util.sasl_cyrus: Spaces -> tabs.
Waqas Hussain <waqas20@gmail.com>
parents:
3443
diff
changeset
|
159 return "failure", "not-authorized", sasl_errstring[err]; |
2389
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
160 else |
3467
c9f4c3aa14a1
util.sasl_cyrus: Spaces -> tabs.
Waqas Hussain <waqas20@gmail.com>
parents:
3443
diff
changeset
|
161 log("debug", "Got SASL error condition %d: %s", err, sasl_errstring[err]); |
c9f4c3aa14a1
util.sasl_cyrus: Spaces -> tabs.
Waqas Hussain <waqas20@gmail.com>
parents:
3443
diff
changeset
|
162 return "failure", "undefined-condition", sasl_errstring[err]; |
2389
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
163 end |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
164 end |
8f6526da4757
Adding sasl_cyrus.lua. A sasl.lua drop-in replacement to use CyrusSASL for all c2s authentication.
Tobias Markmann <tm@ayena.de>
parents:
diff
changeset
|
165 |
6777
5de6b93d0190
util.*: Remove use of module() function, make all module functions local and return them in a table at the end
Kim Alvefur <zash@zash.se>
parents:
5776
diff
changeset
|
166 return { |
5de6b93d0190
util.*: Remove use of module() function, make all module functions local and return them in a table at the end
Kim Alvefur <zash@zash.se>
parents:
5776
diff
changeset
|
167 new = new; |
5de6b93d0190
util.*: Remove use of module() function, make all module functions local and return them in a table at the end
Kim Alvefur <zash@zash.se>
parents:
5776
diff
changeset
|
168 }; |