prosody
7a5ddbaf758d
plugins/mod_auth_internal_hashed.lua
Software / code / prosody
Comparison
plugins/mod_auth_internal_hashed.lua @ 6054:7a5ddbaf758d
Merge 0.9->0.10
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Wed, 02 Apr 2014 17:41:38 +0100 |
| parent | 6019:e9147a16059d |
| child | 6707:06cdd4afaaf9 |
comparison
equal
deleted
inserted
replaced
| 6053:2f93a04564b2 | 6054:7a5ddbaf758d |
|---|---|
| 5 -- | 5 -- |
| 6 -- This project is MIT/X11 licensed. Please see the | 6 -- This project is MIT/X11 licensed. Please see the |
| 7 -- COPYING file in the source package for more information. | 7 -- COPYING file in the source package for more information. |
| 8 -- | 8 -- |
| 9 | 9 |
| 10 local log = require "util.logger".init("auth_internal_hashed"); | 10 local max = math.max; |
| 11 | |
| 11 local getAuthenticationDatabaseSHA1 = require "util.sasl.scram".getAuthenticationDatabaseSHA1; | 12 local getAuthenticationDatabaseSHA1 = require "util.sasl.scram".getAuthenticationDatabaseSHA1; |
| 12 local usermanager = require "core.usermanager"; | 13 local usermanager = require "core.usermanager"; |
| 13 local generate_uuid = require "util.uuid".generate; | 14 local generate_uuid = require "util.uuid".generate; |
| 14 local new_sasl = require "util.sasl".new; | 15 local new_sasl = require "util.sasl".new; |
| 16 | |
| 17 local log = module._log; | |
| 18 local host = module.host; | |
| 15 | 19 |
| 16 local accounts = module:open_store("accounts"); | 20 local accounts = module:open_store("accounts"); |
| 17 | 21 |
| 18 local to_hex; | 22 local to_hex; |
| 19 do | 23 do |
| 35 end | 39 end |
| 36 end | 40 end |
| 37 | 41 |
| 38 | 42 |
| 39 -- Default; can be set per-user | 43 -- Default; can be set per-user |
| 40 local iteration_count = 4096; | 44 local default_iteration_count = 4096; |
| 41 | 45 |
| 42 local host = module.host; | |
| 43 -- define auth provider | 46 -- define auth provider |
| 44 local provider = {}; | 47 local provider = {}; |
| 45 log("debug", "initializing internal_hashed authentication provider for host '%s'", host); | |
| 46 | 48 |
| 47 function provider.test_password(username, password) | 49 function provider.test_password(username, password) |
| 50 log("debug", "test password for user '%s'", username); | |
| 48 local credentials = accounts:get(username) or {}; | 51 local credentials = accounts:get(username) or {}; |
| 49 | 52 |
| 50 if credentials.password ~= nil and string.len(credentials.password) ~= 0 then | 53 if credentials.password ~= nil and string.len(credentials.password) ~= 0 then |
| 51 if credentials.password ~= password then | 54 if credentials.password ~= password then |
| 52 return nil, "Auth failed. Provided password is incorrect."; | 55 return nil, "Auth failed. Provided password is incorrect."; |
| 60 end | 63 end |
| 61 | 64 |
| 62 if credentials.iteration_count == nil or credentials.salt == nil or string.len(credentials.salt) == 0 then | 65 if credentials.iteration_count == nil or credentials.salt == nil or string.len(credentials.salt) == 0 then |
| 63 return nil, "Auth failed. Stored salt and iteration count information is not complete."; | 66 return nil, "Auth failed. Stored salt and iteration count information is not complete."; |
| 64 end | 67 end |
| 65 | 68 |
| 66 local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, credentials.salt, credentials.iteration_count); | 69 local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, credentials.salt, credentials.iteration_count); |
| 67 | 70 |
| 68 local stored_key_hex = to_hex(stored_key); | 71 local stored_key_hex = to_hex(stored_key); |
| 69 local server_key_hex = to_hex(server_key); | 72 local server_key_hex = to_hex(server_key); |
| 70 | 73 |
| 71 if valid and stored_key_hex == credentials.stored_key and server_key_hex == credentials.server_key then | 74 if valid and stored_key_hex == credentials.stored_key and server_key_hex == credentials.server_key then |
| 72 return true; | 75 return true; |
| 73 else | 76 else |
| 74 return nil, "Auth failed. Invalid username, password, or password hash information."; | 77 return nil, "Auth failed. Invalid username, password, or password hash information."; |
| 75 end | 78 end |
| 76 end | 79 end |
| 77 | 80 |
| 78 function provider.set_password(username, password) | 81 function provider.set_password(username, password) |
| 82 log("debug", "set_password for username '%s'", username); | |
| 79 local account = accounts:get(username); | 83 local account = accounts:get(username); |
| 80 if account then | 84 if account then |
| 81 account.salt = account.salt or generate_uuid(); | 85 account.salt = generate_uuid(); |
| 82 account.iteration_count = account.iteration_count or iteration_count; | 86 account.iteration_count = max(account.iteration_count or 0, default_iteration_count); |
| 83 local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, account.salt, account.iteration_count); | 87 local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, account.salt, account.iteration_count); |
| 84 local stored_key_hex = to_hex(stored_key); | 88 local stored_key_hex = to_hex(stored_key); |
| 85 local server_key_hex = to_hex(server_key); | 89 local server_key_hex = to_hex(server_key); |
| 86 | 90 |
| 87 account.stored_key = stored_key_hex | 91 account.stored_key = stored_key_hex |
| 88 account.server_key = server_key_hex | 92 account.server_key = server_key_hex |
| 89 | 93 |
| 90 account.password = nil; | 94 account.password = nil; |
| 91 return accounts:set(username, account); | 95 return accounts:set(username, account); |
| 94 end | 98 end |
| 95 | 99 |
| 96 function provider.user_exists(username) | 100 function provider.user_exists(username) |
| 97 local account = accounts:get(username); | 101 local account = accounts:get(username); |
| 98 if not account then | 102 if not account then |
| 99 log("debug", "account not found for username '%s' at host '%s'", username, host); | 103 log("debug", "account not found for username '%s'", username); |
| 100 return nil, "Auth failed. Invalid username"; | 104 return nil, "Auth failed. Invalid username"; |
| 101 end | 105 end |
| 102 return true; | 106 return true; |
| 103 end | 107 end |
| 104 | 108 |
| 109 function provider.create_user(username, password) | 113 function provider.create_user(username, password) |
| 110 if password == nil then | 114 if password == nil then |
| 111 return accounts:set(username, {}); | 115 return accounts:set(username, {}); |
| 112 end | 116 end |
| 113 local salt = generate_uuid(); | 117 local salt = generate_uuid(); |
| 114 local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, salt, iteration_count); | 118 local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, salt, default_iteration_count); |
| 115 local stored_key_hex = to_hex(stored_key); | 119 local stored_key_hex = to_hex(stored_key); |
| 116 local server_key_hex = to_hex(server_key); | 120 local server_key_hex = to_hex(server_key); |
| 117 return accounts:set(username, {stored_key = stored_key_hex, server_key = server_key_hex, salt = salt, iteration_count = iteration_count}); | 121 return accounts:set(username, {stored_key = stored_key_hex, server_key = server_key_hex, salt = salt, iteration_count = default_iteration_count}); |
| 118 end | 122 end |
| 119 | 123 |
| 120 function provider.delete_user(username) | 124 function provider.delete_user(username) |
| 121 return accounts:set(username, nil); | 125 return accounts:set(username, nil); |
| 122 end | 126 end |
| 132 if credentials.password then | 136 if credentials.password then |
| 133 usermanager.set_password(username, credentials.password, host); | 137 usermanager.set_password(username, credentials.password, host); |
| 134 credentials = accounts:get(username); | 138 credentials = accounts:get(username); |
| 135 if not credentials then return; end | 139 if not credentials then return; end |
| 136 end | 140 end |
| 137 | 141 |
| 138 local stored_key, server_key, iteration_count, salt = credentials.stored_key, credentials.server_key, credentials.iteration_count, credentials.salt; | 142 local stored_key, server_key, iteration_count, salt = credentials.stored_key, credentials.server_key, credentials.iteration_count, credentials.salt; |
| 139 stored_key = stored_key and from_hex(stored_key); | 143 stored_key = stored_key and from_hex(stored_key); |
| 140 server_key = server_key and from_hex(server_key); | 144 server_key = server_key and from_hex(server_key); |
| 141 return stored_key, server_key, iteration_count, salt, true; | 145 return stored_key, server_key, iteration_count, salt, true; |
| 142 end | 146 end |
| 143 }; | 147 }; |
| 144 return new_sasl(host, testpass_authentication_profile); | 148 return new_sasl(host, testpass_authentication_profile); |
| 145 end | 149 end |
| 146 | 150 |
| 147 module:provides("auth", provider); | 151 module:provides("auth", provider); |
| 148 | 152 |
