Software / code / prosody
Annotate
spec/util_sasl_spec.lua @ 13843:87dd8639f08f 13.0
mod_invites_register: Stricter validation of registration events
This fixes two problems:
1) Account invites that were created with a specific username were not
in fact restricted to that username.
2) Password reset invites were not restricted to resetting passwords,
but could be used to create an arbitrary new account if the client
or registration frontend (e.g. mod_invites_register_web) doesn't
handle/enforce the username.
This new validation ensures that registrations and resets are always for the
username specified in the invitation.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 10 Apr 2025 16:07:32 +0100 |
| parent | 13113:191fe4866e3e |
| rev | line source |
|---|---|
| 10502 | 1 local sasl = require "util.sasl"; |
| 2 | |
| 3 -- profile * mechanism | |
| 4 -- callbacks could use spies instead | |
| 5 | |
| 6 describe("util.sasl", function () | |
| 7 describe("plain_test profile", function () | |
| 8 local profile = { | |
| 9 plain_test = function (_, username, password, realm) | |
| 10 assert.equals("user", username) | |
| 11 assert.equals("pencil", password) | |
| 12 assert.equals("sasl.test", realm) | |
| 13 return true, true; | |
| 14 end; | |
| 15 }; | |
| 16 it("works with PLAIN", function () | |
| 17 local plain = sasl.new("sasl.test", profile); | |
| 18 assert.truthy(plain:select("PLAIN")); | |
| 19 assert.truthy(plain:process("\000user\000pencil")); | |
| 20 assert.equals("user", plain.username); | |
| 21 end); | |
| 22 end); | |
| 23 | |
| 24 describe("plain profile", function () | |
| 25 local profile = { | |
| 26 plain = function (_, username, realm) | |
| 27 assert.equals("user", username) | |
| 28 assert.equals("sasl.test", realm) | |
| 29 return "pencil", true; | |
| 30 end; | |
| 31 }; | |
| 32 | |
| 33 it("works with PLAIN", function () | |
| 34 local plain = sasl.new("sasl.test", profile); | |
| 35 assert.truthy(plain:select("PLAIN")); | |
| 36 assert.truthy(plain:process("\000user\000pencil")); | |
| 37 assert.equals("user", plain.username); | |
| 38 end); | |
| 39 | |
| 40 -- TODO SCRAM | |
| 41 end); | |
|
13113
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
42 |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
43 describe("oauthbearer profile", function() |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
44 local profile = { |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
45 oauthbearer = function(_, token, _realm, _authzid) |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
46 if token == "example-bearer-token" then |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
47 return "user", true, {}; |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
48 else |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
49 return nil, nil, {} |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
50 end |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
51 end; |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
52 } |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
53 |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
54 it("works with OAUTHBEARER", function() |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
55 local bearer = sasl.new("sasl.test", profile); |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
56 |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
57 assert.truthy(bearer:select("OAUTHBEARER")); |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
58 assert.equals("success", bearer:process("n,,\1auth=Bearer example-bearer-token\1\1")); |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
59 assert.equals("user", bearer.username); |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
60 end) |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
61 |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
62 |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
63 it("returns extras with OAUTHBEARER", function() |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
64 local bearer = sasl.new("sasl.test", profile); |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
65 |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
66 assert.truthy(bearer:select("OAUTHBEARER")); |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
67 local status, extra = bearer:process("n,,\1auth=Bearer unknown\1\1"); |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
68 assert.equals("challenge", status); |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
69 assert.equals("{\"status\":\"invalid_token\"}", extra); |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
70 assert.equals("failure", bearer:process("\1")); |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
71 end) |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
72 |
|
191fe4866e3e
util.sasl: Add basic tests for OAUTHBEARER
Kim Alvefur <zash@zash.se>
parents:
10502
diff
changeset
|
73 end) |
| 10502 | 74 end); |
| 75 |
