
plugins/mod_saslauth.lua @ 10338:56a0f68b7797

mod_saslauth: Use the power of Set Theory to manage sets of SASL mechanisms This makes sets of excluded mechanisms easily available for use later.
author Kim Alvefur <zash@zash.se>
date Tue, 15 Oct 2019 21:58:10 +0200
parent 10337:39111f0e83d0
child 10339:8b06d2d51e04
10 10
11 local st = require "util.stanza"; 11 local st = require "util.stanza";
12 local sm_bind_resource = require "core.sessionmanager".bind_resource; 12 local sm_bind_resource = require "core.sessionmanager".bind_resource;
13 local sm_make_authenticated = require "core.sessionmanager".make_authenticated; 13 local sm_make_authenticated = require "core.sessionmanager".make_authenticated;
14 local base64 = require "util.encodings".base64; 14 local base64 = require "util.encodings".base64;
15 local set = require "util.set";
15 16
16 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; 17 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler;
17 18
18 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", false)); 19 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", false));
19 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) 20 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false)
262 log("debug", "Channel binding not supported by SASL handler"); 263 log("debug", "Channel binding not supported by SASL handler");
263 end 264 end
264 end 265 end
265 local mechanisms = st.stanza("mechanisms", mechanisms_attr); 266 local mechanisms = st.stanza("mechanisms", mechanisms_attr);
266 local sasl_mechanisms = sasl_handler:mechanisms() 267 local sasl_mechanisms = sasl_handler:mechanisms()
268 local available_mechanisms = set.new();
267 for mechanism in pairs(sasl_mechanisms) do 269 for mechanism in pairs(sasl_mechanisms) do
268 if disabled_mechanisms:contains(mechanism) then 270 available_mechanisms:add(mechanism);
269 log("debug", "Not offering disabled mechanism %s", mechanism); 271 end
270 elseif not origin.secure and insecure_mechanisms:contains(mechanism) then 272 log("debug", "SASL mechanisms supported by handler: %s", available_mechanisms);
271 log("debug", "Not offering mechanism %s on insecure connection", mechanism); 273
272 else 274 local usable_mechanisms = available_mechanisms - disabled_mechanisms;
273 log("debug", "Offering mechanism %s", mechanism); 275
276 local available_disabled = set.intersection(available_mechanisms, disabled_mechanisms);
277 if not available_disabled:empty() then
278 log("debug", "Not offering disabled mechanisms: %s", available_disabled);
279 end
280
281 local available_insecure = set.intersection(available_mechanisms, insecure_mechanisms);
282 if not origin.secure and not available_insecure:empty() then
283 log("debug", "Session is not secure, not offering insecure mechanisms: %s", available_insecure);
284 usable_mechanisms = usable_mechanisms - insecure_mechanisms;
285 end
286
287 if not usable_mechanisms:empty() then
288 log("debug", "Offering usable mechanisms: %s", usable_mechanisms);
289 for mechanism in available_mechanisms do
274 mechanisms:tag("mechanism"):text(mechanism):up(); 290 mechanisms:tag("mechanism"):text(mechanism):up();
275 end 291 end
292 features:add_child(mechanisms);
293 return;
276 end 294 end
277 if mechanisms[1] then 295 if mechanisms[1] then
278 features:add_child(mechanisms); 296 features:add_child(mechanisms);
279 elseif not next(sasl_mechanisms) then 297 elseif not next(sasl_mechanisms) then
280 local authmod = module:get_option_string("authentication", "internal_plain"); 298 local authmod = module:get_option_string("authentication", "internal_plain");
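Review bot: The loop at new line 289 iterates `available_mechanisms`, so every mechanism the handler supports is still advertised, including those just removed as disabled and, on a session where `origin.secure` is false, the insecure ones; the subtraction into `usable_mechanisms` currently only affects the debug log line above it. The loop should read `for mechanism in usable_mechanisms do`. With the early `return` added at new line 293, the `if mechanisms[1] then` branch right after it appears unreachable with a non-empty stanza, since the loop that fills it only runs on the returning path, so it looks like a leftover that could be dropped. The enclosing function starts before this hunk.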