prosody
d343a76431cf
plugins/mod_saslauth.lua
Software / code / prosody
Comparison
plugins/mod_saslauth.lua @ 4051:d343a76431cf
mod_saslauth: Remove special handling for SASL ANONYMOUS, and let mod_auth_anonymous handle it.
| author | Waqas Hussain <waqas20@gmail.com> |
|---|---|
| date | Tue, 28 Dec 2010 05:28:15 +0500 |
| parent | 4049:fe6f4a255fd8 |
| child | 4078:05a58497a903 |
comparison
equal
deleted
inserted
replaced
| 4050:f380c998353b | 4051:d343a76431cf |
|---|---|
| 13 local sm_make_authenticated = require "core.sessionmanager".make_authenticated; | 13 local sm_make_authenticated = require "core.sessionmanager".make_authenticated; |
| 14 local base64 = require "util.encodings".base64; | 14 local base64 = require "util.encodings".base64; |
| 15 | 15 |
| 16 local nodeprep = require "util.encodings".stringprep.nodeprep; | 16 local nodeprep = require "util.encodings".stringprep.nodeprep; |
| 17 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; | 17 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; |
| 18 local t_concat, t_insert = table.concat, table.insert; | |
| 19 local tostring = tostring; | 18 local tostring = tostring; |
| 20 | 19 |
| 21 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption"); | 20 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption"); |
| 22 local anonymous_login = module:get_option("anonymous_login"); | |
| 23 local allow_unencrypted_plain_auth = module:get_option("allow_unencrypted_plain_auth") | 21 local allow_unencrypted_plain_auth = module:get_option("allow_unencrypted_plain_auth") |
| 24 | 22 |
| 25 local log = module._log; | 23 local log = module._log; |
| 26 | 24 |
| 27 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl'; | 25 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl'; |
| 28 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind'; | 26 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind'; |
| 29 local xmlns_stanzas ='urn:ietf:params:xml:ns:xmpp-stanzas'; | 27 local xmlns_stanzas ='urn:ietf:params:xml:ns:xmpp-stanzas'; |
| 30 | |
| 31 local new_sasl = require "util.sasl".new; | |
| 32 | |
| 33 local anonymous_authentication_profile = { | |
| 34 anonymous = function(sasl, username, realm) | |
| 35 return true; -- for normal usage you should always return true here | |
| 36 end | |
| 37 }; | |
| 38 | 28 |
| 39 local function build_reply(status, ret, err_msg) | 29 local function build_reply(status, ret, err_msg) |
| 40 local reply = st.stanza(status, {xmlns = xmlns_sasl}); | 30 local reply = st.stanza(status, {xmlns = xmlns_sasl}); |
| 41 if status == "challenge" then | 31 if status == "challenge" then |
| 42 --log("debug", "CHALLENGE: %s", ret or ""); | 32 --log("debug", "CHALLENGE: %s", ret or ""); |
| 97 | 87 |
| 98 if session.sasl_handler and session.sasl_handler.selected then | 88 if session.sasl_handler and session.sasl_handler.selected then |
| 99 session.sasl_handler = nil; -- allow starting a new SASL negotiation before completing an old one | 89 session.sasl_handler = nil; -- allow starting a new SASL negotiation before completing an old one |
| 100 end | 90 end |
| 101 if not session.sasl_handler then | 91 if not session.sasl_handler then |
| 102 if anonymous_login then | 92 session.sasl_handler = usermanager_get_sasl_handler(module.host); |
| 103 session.sasl_handler = new_sasl(module.host, anonymous_authentication_profile); | |
| 104 else | |
| 105 session.sasl_handler = usermanager_get_sasl_handler(module.host); | |
| 106 end | |
| 107 end | 93 end |
| 108 local mechanism = stanza.attr.mechanism; | 94 local mechanism = stanza.attr.mechanism; |
| 109 if anonymous_login then | |
| 110 if mechanism ~= "ANONYMOUS" then | |
| 111 session.send(build_reply("failure", "invalid-mechanism")); | |
| 112 return true; | |
| 113 end | |
| 114 elseif mechanism == "ANONYMOUS" then | |
| 115 session.send(build_reply("failure", "mechanism-too-weak")); | |
| 116 return true; | |
| 117 end | |
| 118 if not session.secure and (secure_auth_only or (mechanism == "PLAIN" and not allow_unencrypted_plain_auth)) then | 95 if not session.secure and (secure_auth_only or (mechanism == "PLAIN" and not allow_unencrypted_plain_auth)) then |
| 119 session.send(build_reply("failure", "encryption-required")); | 96 session.send(build_reply("failure", "encryption-required")); |
| 120 return true; | 97 return true; |
| 121 end | 98 end |
| 122 local valid_mechanism = session.sasl_handler:select(mechanism); | 99 local valid_mechanism = session.sasl_handler:select(mechanism); |
| 148 local origin, features = event.origin, event.features; | 125 local origin, features = event.origin, event.features; |
| 149 if not origin.username then | 126 if not origin.username then |
| 150 if secure_auth_only and not origin.secure then | 127 if secure_auth_only and not origin.secure then |
| 151 return; | 128 return; |
| 152 end | 129 end |
| 153 if anonymous_login then | 130 origin.sasl_handler = usermanager_get_sasl_handler(module.host); |
| 154 origin.sasl_handler = new_sasl(module.host, anonymous_authentication_profile); | |
| 155 else | |
| 156 origin.sasl_handler = usermanager_get_sasl_handler(module.host); | |
| 157 end | |
| 158 features:tag("mechanisms", mechanisms_attr); | 131 features:tag("mechanisms", mechanisms_attr); |
| 159 for mechanism in pairs(origin.sasl_handler:mechanisms()) do | 132 for mechanism in pairs(origin.sasl_handler:mechanisms()) do |
| 160 if mechanism ~= "PLAIN" or origin.secure or allow_unencrypted_plain_auth then | 133 if mechanism ~= "PLAIN" or origin.secure or allow_unencrypted_plain_auth then |
| 161 features:tag("mechanism"):text(mechanism):up(); | 134 features:tag("mechanism"):text(mechanism):up(); |
| 162 end | 135 end |
