Software /
code /
prosody
Comparison
plugins/mod_saslauth.lua @ 10338:56a0f68b7797
mod_saslauth: Use the power of Set Theory to mange sets of SASL mechanisms
This makes sets of excluded mechanisms easily available for use later.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 15 Oct 2019 21:58:10 +0200 |
parent | 10337:39111f0e83d0 |
child | 10339:8b06d2d51e04 |
comparison
equal
deleted
inserted
replaced
10337:39111f0e83d0 | 10338:56a0f68b7797 |
---|---|
10 | 10 |
11 local st = require "util.stanza"; | 11 local st = require "util.stanza"; |
12 local sm_bind_resource = require "core.sessionmanager".bind_resource; | 12 local sm_bind_resource = require "core.sessionmanager".bind_resource; |
13 local sm_make_authenticated = require "core.sessionmanager".make_authenticated; | 13 local sm_make_authenticated = require "core.sessionmanager".make_authenticated; |
14 local base64 = require "util.encodings".base64; | 14 local base64 = require "util.encodings".base64; |
15 local set = require "util.set"; | |
15 | 16 |
16 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; | 17 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; |
17 | 18 |
18 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", false)); | 19 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", false)); |
19 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) | 20 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) |
262 log("debug", "Channel binding not supported by SASL handler"); | 263 log("debug", "Channel binding not supported by SASL handler"); |
263 end | 264 end |
264 end | 265 end |
265 local mechanisms = st.stanza("mechanisms", mechanisms_attr); | 266 local mechanisms = st.stanza("mechanisms", mechanisms_attr); |
266 local sasl_mechanisms = sasl_handler:mechanisms() | 267 local sasl_mechanisms = sasl_handler:mechanisms() |
268 local available_mechanisms = set.new(); | |
267 for mechanism in pairs(sasl_mechanisms) do | 269 for mechanism in pairs(sasl_mechanisms) do |
268 if disabled_mechanisms:contains(mechanism) then | 270 available_mechanisms:add(mechanism); |
269 log("debug", "Not offering disabled mechanism %s", mechanism); | 271 end |
270 elseif not origin.secure and insecure_mechanisms:contains(mechanism) then | 272 log("debug", "SASL mechanisms supported by handler: %s", available_mechanisms); |
271 log("debug", "Not offering mechanism %s on insecure connection", mechanism); | 273 |
272 else | 274 local usable_mechanisms = available_mechanisms - disabled_mechanisms; |
273 log("debug", "Offering mechanism %s", mechanism); | 275 |
276 local available_disabled = set.intersection(available_mechanisms, disabled_mechanisms); | |
277 if not available_disabled:empty() then | |
278 log("debug", "Not offering disabled mechanisms: %s", available_disabled); | |
279 end | |
280 | |
281 local available_insecure = set.intersection(available_mechanisms, insecure_mechanisms); | |
282 if not origin.secure and not available_insecure:empty() then | |
283 log("debug", "Session is not secure, not offering insecure mechanisms: %s", available_insecure); | |
284 usable_mechanisms = usable_mechanisms - insecure_mechanisms; | |
285 end | |
286 | |
287 if not usable_mechanisms:empty() then | |
288 log("debug", "Offering usable mechanisms: %s", usable_mechanisms); | |
289 for mechanism in available_mechanisms do | |
274 mechanisms:tag("mechanism"):text(mechanism):up(); | 290 mechanisms:tag("mechanism"):text(mechanism):up(); |
275 end | 291 end |
292 features:add_child(mechanisms); | |
293 return; | |
276 end | 294 end |
277 if mechanisms[1] then | 295 if mechanisms[1] then |
278 features:add_child(mechanisms); | 296 features:add_child(mechanisms); |
279 elseif not next(sasl_mechanisms) then | 297 elseif not next(sasl_mechanisms) then |
280 local authmod = module:get_option_string("authentication", "internal_plain"); | 298 local authmod = module:get_option_string("authentication", "internal_plain"); |