prosody
fdb2e0568cf8
spec/util_sasl_spec.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

File

spec/util_sasl_spec.lua @ 13587:fdb2e0568cf8

mod_authz_internal: Make 'prosody:guest' default role for all unknown JIDs This fixes an issue where e.g. remote users or even other users on the server were unable to list MUC rooms. We want to define a permission to list MUC rooms, but we want it to be available to everyone by default (the traditional behaviour). prosody:guest is the lowest role we have. I ran a quick check and it isn't really used for anything right now that would be concerning. It was originally designed for anonymous logins. I think it's safe to treat remote JIDs as equivalent, since we have no trust relationship with anonymous users either.
author Matthew Wild <mwild1@gmail.com>
date Tue, 07 Jan 2025 14:41:32 +0000
parent 13113:191fe4866e3e
line wrap: on
line source

local sasl = require "util.sasl";

-- profile * mechanism
-- callbacks could use spies instead

describe("util.sasl", function ()
	describe("plain_test profile", function ()
		local profile = {
			plain_test = function (_, username, password, realm)
				assert.equals("user", username)
				assert.equals("pencil", password)
				assert.equals("sasl.test", realm)
				return true, true;
			end;
		};
		it("works with PLAIN", function ()
			local plain = sasl.new("sasl.test", profile);
			assert.truthy(plain:select("PLAIN"));
			assert.truthy(plain:process("\000user\000pencil"));
			assert.equals("user", plain.username);
		end);
	end);

	describe("plain profile", function ()
		local profile = {
			plain = function (_, username, realm)
				assert.equals("user", username)
				assert.equals("sasl.test", realm)
				return "pencil", true;
			end;
		};

		it("works with PLAIN", function ()
			local plain = sasl.new("sasl.test", profile);
			assert.truthy(plain:select("PLAIN"));
			assert.truthy(plain:process("\000user\000pencil"));
			assert.equals("user", plain.username);
		end);

		-- TODO SCRAM
	end);

	describe("oauthbearer profile", function()
		local profile = {
			oauthbearer = function(_, token, _realm, _authzid)
				if token == "example-bearer-token" then
					return "user", true, {};
				else
					return nil, nil, {}
				end
			end;
		}

		it("works with OAUTHBEARER", function()
			local bearer = sasl.new("sasl.test", profile);

			assert.truthy(bearer:select("OAUTHBEARER"));
			assert.equals("success", bearer:process("n,,\1auth=Bearer example-bearer-token\1\1"));
			assert.equals("user", bearer.username);
		end)


		it("returns extras with OAUTHBEARER", function()
			local bearer = sasl.new("sasl.test", profile);

			assert.truthy(bearer:select("OAUTHBEARER"));
			local status, extra = bearer:process("n,,\1auth=Bearer unknown\1\1");
			assert.equals("challenge", status);
			assert.equals("{\"status\":\"invalid_token\"}", extra);
			assert.equals("failure", bearer:process("\1"));
		end)

	end)
end);