Changeset

2938:07f3b14d38d1

Merge 0.7->trunk
author Matthew Wild <mwild1@gmail.com>
date Wed, 24 Mar 2010 22:41:43 +0000
parents 2926:fc96d439453b (current diff) 2937:9380838a19dc (diff)
children 2940:7486b9216879
diffstat 6 files changed, 110 insertions(+), 94 deletions(-) [+]
--- a/core/usermanager.lua	Mon Mar 22 17:26:12 2010 +0000
+++ b/core/usermanager.lua	Wed Mar 24 22:41:43 2010 +0000
@@ -14,11 +14,15 @@
 local hashes = require "util.hashes";
 local jid_bare = require "util.jid".bare;
 local config = require "core.configmanager";
+local hosts = hosts;
 
 module "usermanager"
 
+local function is_cyrus(host) return config.get(host, "core", "sasl_backend") == "cyrus"; end
+
 function validate_credentials(host, username, password, method)
 	log("debug", "User '%s' is being validated", username);
+	if is_cyrus(host) then return nil, "Legacy auth not supported with Cyrus SASL."; end
 	local credentials = datamanager.load(username, host, "accounts") or {};
 
 	if method == nil then method = "PLAIN"; end
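Review bot: `local hosts = hosts;` is added but nothing in this hunk reads it; presumably it captures the global before `module "usermanager"` swaps the environment, for use further down the file. If so, a one-line comment would spare the next reader a luacheck "unused variable" chase: `local hosts = hosts; -- capture before module() replaces the environment`. The body of validate_credentials continues past the end of the hunk.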
@@ -48,14 +52,26 @@
 end
 
 function get_password(username, host)
-  return (datamanager.load(username, host, "accounts") or {}).password
+	if is_cyrus(host) then return nil, "Passwords unavailable for Cyrus SASL."; end
+	return (datamanager.load(username, host, "accounts") or {}).password
+end
+function set_password(username, host, password)
+	if is_cyrus(host) then return nil, "Passwords unavailable for Cyrus SASL."; end
+	local account = datamanager.load(username, host, "accounts");
+	if account then
+		account.password = password;
+		return datamanager.store(username, host, "accounts", account);
+	end
+	return nil, "Account not available.";
 end
 
 function user_exists(username, host)
+	if is_cyrus(host) then return true; end
 	return datamanager.load(username, host, "accounts") ~= nil; -- FIXME also check for empty credentials
 end
 
 function create_user(username, password, host)
+	if is_cyrus(host) then return nil, "Account creation/modification not available with Cyrus SASL."; end
 	return datamanager.store(username, host, "accounts", {password = password});
 end
 
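Review bot: `user_exists` now answers `true` for every username on a Cyrus host without consulting any backend, so any caller that relies on it to reject unknown local users gets a yes for arbitrary names; if that is the intended contract it deserves a comment such as `-- Cyrus SASL owns the account database and cannot be queried here, so assume the user exists`. Relatedly, `set_password` accepts `password == nil` and stores the account table without a password, which mod_register uses to disable accounts — worth stating in a comment on `set_password`, since a later caller is unlikely to expect `nil` to be a meaningful value. The password is written as given (the existing `create_user` does the same), so the account store remains cleartext at rest.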
--- a/plugins/mod_register.lua	Mon Mar 22 17:26:12 2010 +0000
+++ b/plugins/mod_register.lua	Wed Mar 24 22:41:43 2010 +0000
@@ -12,6 +12,7 @@
 local datamanager = require "util.datamanager";
 local usermanager_user_exists = require "core.usermanager".user_exists;
 local usermanager_create_user = require "core.usermanager".create_user;
+local usermanager_set_password = require "core.usermanager".set_password;
 local datamanager_store = require "util.datamanager".store;
 local os_time = os.time;
 local nodeprep = require "util.encodings".stringprep.nodeprep;
@@ -34,7 +35,7 @@
 				local username, host = session.username, session.host;
 				--session.send(st.error_reply(stanza, "cancel", "not-allowed"));
 				--return;
-				usermanager_create_user(username, nil, host); -- Disable account
+				usermanager_set_password(username, host, nil); -- Disable account
 				-- FIXME the disabling currently allows a different user to recreate the account
 				-- we should add an in-memory account block mode when we have threading
 				session.send(st.reply(stanza));
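Review bot: The return value of `usermanager_set_password(username, host, nil)` is discarded before `session.send(st.reply(stanza))`, so when it returns `nil, err` — the Cyrus path in core/usermanager, a missing account, or a failed store — the client is told the account was removed while nothing changed. Check it before replying: `local ok, err = usermanager_set_password(username, host, nil);` followed by `if not ok then session.send(st.error_reply(stanza, "cancel", "not-allowed")); return; end` (or whichever error condition fits). The enclosing handler starts and ends outside the hunk.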
@@ -69,7 +70,7 @@
 					username = nodeprep(table.concat(username));
 					password = table.concat(password);
 					if username == session.username then
-						if usermanager_create_user(username, password, session.host) then -- password change -- TODO is this the right way?
+						if usermanager_set_password(username, session.host, password) then
 							session.send(st.reply(stanza));
 						else
 							-- TODO unable to write file, file may be locked, etc, what's the correct error?
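Review bot: The second return value of `usermanager_set_password` carries the reason (`"Passwords unavailable for Cyrus SASL."`, `"Account not available."`) and is dropped at the `if`, so the `else` branch cannot distinguish an unsupported backend from a locked file — which is exactly the open TODO on the following line. Capture it and log it before sending the error reply: `local ok, err = usermanager_set_password(username, session.host, password);` then `if ok then` and, in the else branch, `module:log("warn", "Password change for %s failed: %s", username, tostring(err));` (assuming `module` is in scope here as in the other plugins). The enclosing handler continues outside the hunk.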
--- a/plugins/mod_saslauth.lua	Mon Mar 22 17:26:12 2010 +0000
+++ b/plugins/mod_saslauth.lua	Wed Mar 24 22:41:43 2010 +0000
@@ -35,7 +35,9 @@
 local xmlns_stanzas ='urn:ietf:params:xml:ns:xmpp-stanzas';
 
 local new_sasl;
-if sasl_backend == "cyrus" then
+if sasl_backend == "builtin" then
+	new_sasl = require "util.sasl".new;
+elseif sasl_backend == "cyrus" then
 	prosody.unlock_globals(); --FIXME: Figure out why this is needed and
 	                          -- why cyrussasl isn't caught by the sandbox
 	local ok, cyrus = pcall(require, "util.sasl_cyrus");
@@ -46,14 +48,12 @@
 			return cyrus_new(realm, module:get_option("cyrus_service_name") or "xmpp");
 		end
 	else
-		sasl_backend = "builtin";
-		module:log("warn", "Failed to load Cyrus SASL, falling back to builtin auth mechanisms");
-		module:log("debug", "Failed to load Cyrus because: %s", cyrus);
+		module:log("error", "Failed to load Cyrus SASL because: %s", cyrus);
+		error("Failed to load Cyrus SASL");
 	end
-end
-if not new_sasl then
-	if sasl_backend ~= "builtin" then module:log("warn", "Unknown SASL backend %s", sasl_backend); end;
-	new_sasl = require "util.sasl".new;
+else
+	module:log("error", "Unknown SASL backend: %s", sasl_backend);
+	error("Unknown SASL backend");
 end
 
 local default_authentication_profile = {
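Review bot: Failing the module load instead of silently falling back to the builtin backend is the right call, but both `error(...)` calls drop the detail that the preceding `module:log` line already has, so anyone reading the raised error alone sees only a generic string. Include it in the raised message too: `error("Failed to load Cyrus SASL: "..tostring(cyrus));` and `error("Unknown SASL backend: "..tostring(sasl_backend));`. The if/elseif chain this closes begins in the previous hunk.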
--- a/plugins/mod_tls.lua	Mon Mar 22 17:26:12 2010 +0000
+++ b/plugins/mod_tls.lua	Wed Mar 24 22:41:43 2010 +0000
@@ -10,6 +10,7 @@
 
 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption");
 local secure_s2s_only = module:get_option("s2s_require_encryption");
+local allow_s2s_tls = module:get_option("s2s_allow_encryption") ~= false;
 
 local xmlns_starttls = 'urn:ietf:params:xml:ns:xmpp-tls';
 local starttls_attr = { xmlns = xmlns_starttls };
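Review bot: `allow_s2s_tls` and `secure_s2s_only` can contradict each other: with `s2s_require_encryption = true` and `s2s_allow_encryption = false`, can_do_tls (the next hunk) refuses STARTTLS on s2s while encryption is still required, so presumably no s2s session can complete and the operator gets no hint why. A load-time check would make the misconfiguration visible: `if secure_s2s_only and not allow_s2s_tls then module:log("warn", "s2s_require_encryption is set but s2s_allow_encryption is false; s2s sessions are unlikely to succeed"); end`. The `~= false` comparison makes the option default to enabled, which seems intended but is worth a short comment on that line.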
@@ -27,9 +28,9 @@
 local function can_do_tls(session)
 	if session.type == "c2s_unauthed" then
 		return session.conn.starttls and host.ssl_ctx_in;
-	elseif session.type == "s2sin_unauthed" then
+	elseif session.type == "s2sin_unauthed" and allow_s2s_tls then
 		return session.conn.starttls and host.ssl_ctx_in;
-	elseif session.direction == "outgoing" then
+	elseif session.direction == "outgoing" and allow_s2s_tls then
 		return session.conn.starttls and host.ssl_ctx;
 	end
 	return false;
--- a/prosody.cfg.lua.dist	Mon Mar 22 17:26:12 2010 +0000
+++ b/prosody.cfg.lua.dist	Wed Mar 24 22:41:43 2010 +0000
@@ -34,85 +34,85 @@
 -- Server-wide settings go in this section
 Host "*"
 
-    -- This is a (by default, empty) list of accounts that are admins for the
-    -- server. Note that you must create the accounts separately (see
-    -- http://prosody.im/doc/creating_accounts)
-    -- Example: admins = { "user1@example.com", "user2@example.net" }
-    admins = { }
+	-- This is a (by default, empty) list of accounts that are admins for the
+	-- server. Note that you must create the accounts separately (see
+	-- http://prosody.im/doc/creating_accounts)
+	-- Example: admins = { "user1@example.com", "user2@example.net" }
+	admins = { }
+
+	-- Enable use of libevent for better performance under high load
+	-- For more information see: http://prosody.im/doc/libevent
+	--use_libevent = true;
 
-    -- Enable use of libevent for better performance under high load
-    -- For more information see: http://prosody.im/doc/libevent
-    --use_libevent = true;
-    
-    -- This is the list of modules Prosody will load on startup. It looks for
-    -- mod_modulename.lua in the plugins folder, so make sure that exists too.
-    -- Documentation on modules can be found at: http://prosody.im/doc/modules
-    modules_enabled = {
-        -- Generally required
-        "roster";   -- Allow users to have a roster. Recommended ;)
-        "saslauth"; -- Authentication for clients and servers. Recommended if
-                    -- you want to log in.
-        "dialback"; -- s2s dialback support
-        "disco";    -- Service discovery
-        "posix";    -- POSIX functionality, daemonizes, enables syslog, etc.
+	-- This is the list of modules Prosody will load on startup. It looks for
+	-- mod_modulename.lua in the plugins folder, so make sure that exists too.
+	-- Documentation on modules can be found at: http://prosody.im/doc/modules
+	modules_enabled = {
+		-- Generally required
+		"roster";   -- Allow users to have a roster. Recommended ;)
+		"saslauth"; -- Authentication for clients and servers. Recommended if
+		            -- you want to log in.
+		"dialback"; -- s2s dialback support
+		"disco";    -- Service discovery
+		"posix";    -- POSIX functionality, daemonizes, enables syslog, etc.
 
-        -- Not essential, but recommended
-        "private";       -- Private XML storage (for room bookmarks, etc.)
-        "vcard";         -- Allow users to set vCards
-        "privacy";       -- Support privacy lists
-        "tls";           -- Support for secure TLS on c2s/s2s connections
-        --"compression"; -- Stream compression for client-to-server streams
+		-- Not essential, but recommended
+		"private";       -- Private XML storage (for room bookmarks, etc.)
+		"vcard";         -- Allow users to set vCards
+		"tls";           -- Support for secure TLS on c2s/s2s connections
+		--"privacy";     -- Support privacy lists
+		--"compression"; -- Stream compression for client-to-server streams
 
-        -- Nice to have
-        "legacyauth"; -- Legacy authentication. Only used by some old
-                      -- clients and bots.
-        "version";    -- Replies to server version requests
-        "uptime";     -- Report how long server has been running
-        "time";       -- Let others know the time here on this server
-        "ping";       -- Replies to XMPP pings with pongs
-        "pep";        -- Enables users to publish their mood, activity, playing
-                      -- music and more
-        "register";   -- Allow users to register on this server using a client
-                      -- and change passwords
+		-- Nice to have
+		"legacyauth"; -- Legacy authentication. Only used by some old
+		              -- clients and bots.
+		"version";    -- Replies to server version requests
+		"uptime";     -- Report how long server has been running
+		"time";       -- Let others know the time here on this server
+		"ping";       -- Replies to XMPP pings with pongs
+		"pep";        -- Enables users to publish their mood, activity, playing
+		              -- music and more
+		"register";   -- Allow users to register on this server using a client
+		              -- and change passwords
 
-        -- Other specific functionality
-        --"console";            -- telnet to port 5582
-                                -- (needs console_enabled = true)
-        --"bosh";               -- Enable BOSH clients, aka "Jabber over HTTP"
-        --"httpserver";         -- Serve static files from a directory over
-                                -- HTTP
-        --"groups";             -- Shared roster support
-        --"announce";           -- Send announcement to all online users
-        --"welcome";            -- Welcome users who register accounts
-        --"watchregistrations"; -- Alert admins of registrations
-    }
+		-- Other specific functionality
+		--"console";            -- telnet to port 5582
+		                        -- (needs console_enabled = true)
+		--"bosh";               -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"httpserver";         -- Serve static files from a directory over
+		                        -- HTTP
+		--"groups";             -- Shared roster support
+		--"announce";           -- Send announcement to all online users
+		--"welcome";            -- Welcome users who register accounts
+		--"watchregistrations"; -- Alert admins of registrations
+	}
 
-    -- These modules are auto-loaded, should you for (for some mad
-    -- reason) want to disable them then uncomment them below.
-    modules_disabled = {
-        --"presence";
-        --"message";
-        --"iq";
-    }
+	-- These modules are auto-loaded, should you for (for some mad
+	-- reason) want to disable them then uncomment them below.
+	modules_disabled = {
+		--"presence";
+		--"message";
+		--"iq";
+	}
 
-    -- Disable account creation by default, for security
-    -- For more information see http://prosody.im/doc/creating_accounts
-    allow_registration = false;
+	-- Disable account creation by default, for security
+	-- For more information see http://prosody.im/doc/creating_accounts
+	allow_registration = false;
 
-    --These are the SSL/TLS-related settings.
-    --ssl = {
-    --    key = "certs/localhost.key";
-    --    certificate = "certs/localhost.cert";
-    --}
+	--These are the SSL/TLS-related settings.
+	--ssl = {
+	--    key = "certs/localhost.key";
+	--    certificate = "certs/localhost.cert";
+	--}
 
-    -- Require encryption on client/server connections?
-    --c2s_require_encryption = false
-    --s2s_require_encryption = false
+	-- Require encryption on client/server connections?
+	--c2s_require_encryption = false
+	--s2s_require_encryption = false
 
-    -- Logging configuration
-    -- For advanced logging see http://prosody.im/doc/logging
-    log = "prosody.log";
-    debug = false; -- Log debug messages?
+	-- Logging configuration
+	-- For advanced logging see http://prosody.im/doc/logging
+	log = "prosody.log";
+	debug = false; -- Log debug messages?
 
 -- This allows clients to connect to localhost. No harm in it.
 Host "localhost"
@@ -120,16 +120,16 @@
 -- Section for example.com
 -- (replace example.com with your domain name)
 Host "example.com"
-    enabled = false -- This will disable the host, preserving the config, but
-                    -- denying connections (remove to enable!)
+	enabled = false -- This will disable the host, preserving the config, but
+	                -- denying connections (remove to enable!)
 
-    -- Assign this host a certificate for TLS, otherwise it would use the one
-    -- set in the global section (if any). Note that old-style SSL on port 5223
-    -- only supports one certificate, and will always use the global one.
-    --ssl = {
-    --    key = "certs/example.com.key";
-    --    certificate = "certs/example.com.crt";
-    --}
+	-- Assign this host a certificate for TLS, otherwise it would use the one
+	-- set in the global section (if any). Note that old-style SSL on port 5223
+	-- only supports one certificate, and will always use the global one.
+	--ssl = {
+	--    key = "certs/example.com.key";
+	--    certificate = "certs/example.com.crt";
+	--}
 
 -- Set up a MUC (multi-user chat) room server on conference.example.com:
 --Component "conference.example.com" "muc"
--- a/util/sasl/digest-md5.lua	Mon Mar 22 17:26:12 2010 +0000
+++ b/util/sasl/digest-md5.lua	Wed Mar 24 22:41:43 2010 +0000
@@ -35,8 +35,6 @@
 	local function serialize(message)
 		local data = ""
 
-		if type(message) ~= "table" then error("serialize needs an argument of type table.") end
-
 		-- testing all possible values
 		if message["realm"] then data = data..[[realm="]]..message.realm..[[",]] end
 		if message["nonce"] then data = data..[[nonce="]]..message.nonce..[[",]] end