Changeset

3468:d50e2c937717

mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
author Waqas Hussain <waqas20@gmail.com>
date Mon, 23 Aug 2010 16:54:56 +0500
parents 3467:c9f4c3aa14a1
children 3469:011566d72331
files plugins/mod_auth_cyrus.lua plugins/mod_saslauth.lua util/sasl_cyrus.lua
diffstat 3 files changed, 22 insertions(+), 17 deletions(-) [+]
--- a/plugins/mod_auth_cyrus.lua	Mon Aug 23 16:42:27 2010 +0500
+++ b/plugins/mod_auth_cyrus.lua	Mon Aug 23 16:54:56 2010 +0500
@@ -8,9 +8,12 @@
 
 local log = require "util.logger".init("auth_cyrus");
 
+local usermanager_user_exists = require "core.usermanager".user_exists;
+
 local cyrus_service_realm = module:get_option("cyrus_service_realm");
 local cyrus_service_name = module:get_option("cyrus_service_name");
 local cyrus_application_name = module:get_option("cyrus_application_name");
+local require_provisioning = module:get_option("cyrus_require_provisioning") or false;
 
 prosody.unlock_globals(); --FIXME: Figure out why this is needed and
 						  -- why cyrussasl isn't caught by the sandbox
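Review bot: The new `cyrus_require_provisioning` option arrives without the `-- Cyrus config options` comment its old home in mod_saslauth carried, so a reader of this file has to find the two uses further down to learn what it gates. A one-line comment above the option would do: `-- When true, a Cyrus-authenticated user must also have an account this host's usermanager knows about (see provider.user_exists and the require_provisioning handler hook).` Both uses are in the later hunks of this file.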
@@ -41,6 +44,9 @@
 	end
 
 	function provider.user_exists(username)
+		if require_provisioning then
+			return usermanager_user_exists(username, module.host);
+		end
 		return true;
 	end
 
@@ -50,7 +56,13 @@
 
 	function provider.get_sasl_handler()
 		local realm = module:get_option("sasl_realm") or module.host;
-		return new_sasl(realm);
+		local handler = new_sasl(realm);
+		if require_provisioning then
+			function handler.require_provisioning(username)
+				return usermanager_user_exists(username, module.host);
+			end
+		end
+		return handler;
 	end
 
 	return provider;
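Review bot: `handler.require_provisioning` is a new cross-module contract — util.sasl_cyrus calls it after Cyrus reports success and treats a falsy return as a hard rejection — but nothing at the definition site says so. A comment above the `function handler.require_provisioning(username)` line would anchor it: `-- Hook consulted by util.sasl_cyrus once Cyrus accepts the credentials; returning a falsy value fails the login as "not provisioned for XMPP".` It is also worth noting in that comment that `username` is whatever Cyrus reported, not a stringprep'd node.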
--- a/plugins/mod_saslauth.lua	Mon Aug 23 16:42:27 2010 +0500
+++ b/plugins/mod_saslauth.lua	Mon Aug 23 16:54:56 2010 +0500
@@ -15,7 +15,6 @@
 
 local nodeprep = require "util.encodings".stringprep.nodeprep;
 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler;
-local usermanager_user_exists = require "core.usermanager".user_exists;
 local t_concat, t_insert = table.concat, table.insert;
 local tostring = tostring;
 
@@ -23,9 +22,6 @@
 local anonymous_login = module:get_option("anonymous_login");
 local allow_unencrypted_plain_auth = module:get_option("allow_unencrypted_plain_auth")
 
--- Cyrus config options
-local require_provisioning = module:get_option("cyrus_require_provisioning") or false;
-
 local log = module._log;
 
 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl';
@@ -63,20 +59,14 @@
 	elseif status == "success" then
 		local username = nodeprep(session.sasl_handler.username);
 
-		if not(require_provisioning) or usermanager_user_exists(username, session.host) then
-			local ok, err = sm_make_authenticated(session, session.sasl_handler.username);
-			if ok then
-				session.sasl_handler = nil;
-				session:reset_stream();
-			else
-				module:log("warn", "SASL succeeded but username was invalid");
-				session.sasl_handler = session.sasl_handler:clean_clone();
-				return "failure", "not-authorized", "User authenticated successfully, but username was invalid";
-			end
+		local ok, err = sm_make_authenticated(session, session.sasl_handler.username);
+		if ok then
+			session.sasl_handler = nil;
+			session:reset_stream();
 		else
-			module:log("warn", "SASL succeeded but we don't have an account provisioned for %s", username);
+			module:log("warn", "SASL succeeded but username was invalid");
 			session.sasl_handler = session.sasl_handler:clean_clone();
-			return "failure", "not-authorized", "User authenticated successfully, but not provisioned for XMPP";
+			return "failure", "not-authorized", "User authenticated successfully, but username was invalid";
 		end
 	end
 	return status, ret, err_msg;
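Review bot: The context line `local username = nodeprep(session.sasl_handler.username);` just above the hunk's changes is now dead: its only consumers were the removed provisioning check and the removed log line, and the surviving branch passes the raw `session.sasl_handler.username` to `sm_make_authenticated`. Either delete that line or keep it only if the nodeprep'd value is meant to be what gets authenticated; as written luacheck will flag an unused local. The enclosing handler function starts before this hunk.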
--- a/util/sasl_cyrus.lua	Mon Aug 23 16:42:27 2010 +0500
+++ b/util/sasl_cyrus.lua	Mon Aug 23 16:54:56 2010 +0500
@@ -143,6 +143,9 @@
 	self.username = cyrussasl.get_username(self.cyrus)
 
 	if (err == 0) then -- SASL_OK
+		if self.require_provisioning and not self.require_provisioning(self.username) then
+			return "failure", "not-authorized", "User authenticated successfully, but not provisioned for XMPP";
+		end
 		return "success", data
 	elseif (err == 1) then -- SASL_CONTINUE
 		return "challenge", data
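Review bot: The provisioning lookup now runs on `self.username` exactly as `cyrussasl.get_username` returned it, whereas the check it replaces in mod_saslauth ran on the nodeprep'd username; any case or Unicode normalization the old path applied before consulting the account store no longer happens here, so whether "Alice" and "alice" map to the same provisioned account now depends entirely on the callback and the store behind it. Either normalize before calling the hook or state in a comment that the hook receives the raw Cyrus name, e.g. `-- self.username is the raw name from Cyrus, not stringprep'd; the hook must normalize if the store needs it.` The enclosing function both starts and ends outside this hunk.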