Correct out of order logic in mod_hashpassauth

Make saslauth check the existence of the get_password and test_password functions to determine which authentication profile to use.

3 files changed, 17 insertions, 25 deletions

diff --git a/core/usermanager.lua b/core/usermanager.lua
index ccbf5fb5..01beb27a 100644
--- a/core/usermanager.lua
+++ b/core/usermanager.lua
@@ -78,6 +78,10 @@ function get_supported_methods(host)
 	return hosts[host].users.get_supported_methods();
 end
 
+function get_provider(host)
+	return hosts[host].users;
+end
+
 function is_admin(jid, host)
 	if host and host ~= "*" then
 		return hosts[host].users.is_admin(jid);
diff --git a/plugins/mod_hashpassauth.lua b/plugins/mod_hashpassauth.lua
index 8f38f03f..bea2c67f 100644
--- a/plugins/mod_hashpassauth.lua
+++ b/plugins/mod_hashpassauth.lua
@@ -35,10 +35,6 @@ function new_hashpass_provider(host)
 		if is_cyrus(host) then return nil, "Legacy auth not supported with Cyrus SASL."; end
 		local credentials = datamanager.load(username, host, "accounts") or {};
 	
-		if credentials.iteration_count == nil or credentials.salt == nil or string.len(credentials.salt) == 0 then
-			return nil, "Auth failed. Stored salt and iteration count information is not complete.";
-		end
-
 		if credentials.password ~= nil and string.len(credentials.password) ~= 0 then
 			if credentials.password ~= password then
 				return nil, "Auth failed. Provided password is incorrect.";
@@ -51,6 +47,10 @@ function new_hashpass_provider(host)
 			end
 		end
 
+		if credentials.iteration_count == nil or credentials.salt == nil or string.len(credentials.salt) == 0 then
+			return nil, "Auth failed. Stored salt and iteration count information is not complete.";
+		end
+
 		local valid, binpass = saltedPasswordSHA1(password, credentials.salt, credentials.iteration_count);
 		local hexpass = binpass:gsub(".", function (c) return ("%02x"):format(c:byte()); end);
 
@@ -61,19 +61,6 @@ function new_hashpass_provider(host)
 		end
 	end
 
-	function provider.get_password(username)
-		if is_cyrus(host) then return nil, "Passwords unavailable for Cyrus SASL."; end
-		local credentials = datamanager.load(username, host, "accounts") or {};
-		if(credentials.password ~= nil or (credentials.password ~= nil and string.len(credentials.password) ~= 0)) then
-			if provider.set_password(username, credentials.password) == nil then
-				return nil, "Problem setting plaintext password to hashed password.";
-			end
-			credentials = datamanager.load(username, host, "accounts");
-			return credentials.hashpass;
-		end
-		return credentials.hashpass;
-	end
-	
 	function provider.set_password(username, password)
 		if is_cyrus(host) then return nil, "Passwords unavailable for Cyrus SASL."; end
 		local account = datamanager.load(username, host, "accounts");
diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index 4ba0f1fd..6499eafe 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -15,6 +15,7 @@ local base64 = require "util.encodings".base64;
 
 local nodeprep = require "util.encodings".stringprep.nodeprep;
 local datamanager_load = require "util.datamanager".load;
+local usermanager_get_provider = require "core.usermanager".get_provider;
 local usermanager_get_supported_methods = require "core.usermanager".get_supported_methods;
 local usermanager_user_exists = require "core.usermanager".user_exists;
 local usermanager_get_password = require "core.usermanager".get_password;
@@ -66,7 +67,7 @@ else
 	error("Unknown SASL backend");
 end
 
-local default_authentication_profile = {
+local getpass_authentication_profile = {
 	plain = function(username, realm)
 		local prepped_username = nodeprep(username);
 		if not prepped_username then
@@ -81,7 +82,7 @@ local default_authentication_profile = {
 	end
 };
 
-local hashpass_authentication_profile = {
+local testpass_authentication_profile = {
 	plain_test = 	function(username, password, realm)
 			local prepped_username = nodeprep(username);
 			if not prepped_username then
@@ -194,12 +195,12 @@ module:hook("stream-features", function(event)
 		if module:get_option("anonymous_login") then
 			origin.sasl_handler = new_sasl(realm, anonymous_authentication_profile);
 		else
-			local authentication = module:get_option("authentication");
-			log("debug", "AUTH: creating handler for '%s' type", authentication);
-			if authentication == nil or authentication == "default" then
-				origin.sasl_handler = new_sasl(realm, default_authentication_profile);
-			elseif authentication == "hashpass" then
-				origin.sasl_handler = new_sasl(realm, hashpass_authentication_profile);
+			if usermanager_get_provider(realm).get_password then
+				origin.sasl_handler = new_sasl(realm, getpass_authentication_profile);
+			elseif usermanager_get_provider(realm).test_password then
+				origin.sasl_handler = new_sasl(realm, testpass_authentication_profile);
+			else
+				log("warning", "AUTH: Could not load an authentication profile for the given provider.");
 			end
 			if not (module:get_option("allow_unencrypted_plain_auth")) and not origin.secure then
 				origin.sasl_handler:forbidden({"PLAIN"});