diff options
-rw-r--r-- | core/usermanager.lua | 4 | ||||
-rw-r--r-- | plugins/mod_auth_anonymous.lua | 85 | ||||
-rw-r--r-- | plugins/mod_auth_cyrus.lua | 77 | ||||
-rw-r--r-- | plugins/mod_auth_internal.lua | 21 | ||||
-rw-r--r-- | plugins/mod_auth_internal_hashed.lua | 27 | ||||
-rw-r--r-- | plugins/mod_saslauth.lua | 36 |
6 files changed, 210 insertions, 40 deletions
diff --git a/core/usermanager.lua b/core/usermanager.lua index fe525bc1..511ffc84 100644 --- a/core/usermanager.lua +++ b/core/usermanager.lua @@ -81,8 +81,8 @@ function create_user(username, password, host) return hosts[host].users.create_user(username, password); end -function get_supported_methods(host) - return hosts[host].users.get_supported_methods(); +function get_sasl_handler(host) + return hosts[host].users.get_sasl_handler(); end function get_provider(host) diff --git a/plugins/mod_auth_anonymous.lua b/plugins/mod_auth_anonymous.lua new file mode 100644 index 00000000..214611d8 --- /dev/null +++ b/plugins/mod_auth_anonymous.lua @@ -0,0 +1,85 @@ +-- Prosody IM +-- Copyright (C) 2008-2010 Matthew Wild +-- Copyright (C) 2008-2010 Waqas Hussain +-- Copyright (C) 2010 Jeff Mitchell +-- +-- This project is MIT/X11 licensed. Please see the +-- COPYING file in the source package for more information. +-- + +local log = require "util.logger".init("usermanager"); +local type = type; +local ipairs = ipairs; +local jid_bare = require "util.jid".bare; +local config = require "core.configmanager"; +local new_sasl = require "util.sasl".new; +local datamanager = require "util.datamanager"; + +function new_default_provider(host) + local provider = { name = "anonymous" }; + + function provider.test_password(username, password) + return nil, "Password based auth not supported."; + end + + function provider.get_password(username) + return nil, "Password not available."; + end + + function provider.set_password(username, password) + return nil, "Password based auth not supported."; + end + + function provider.user_exists(username) + return nil, "Only anonymous users are supported."; -- FIXME check if anonymous user is connected? + end + + function provider.create_user(username, password) + return nil, "Account creation/modification not supported."; + end + + function provider.get_sasl_handler() + local realm = module:get_option("sasl_realm") or module.host; + local anonymous_authentication_profile = { + anonymous = function(username, realm) + return true; -- for normal usage you should always return true here + end + }; + return new_sasl(realm, anonymous_authentication_profile); + end + + function provider.is_admin(jid) + local admins = config.get(host, "core", "admins"); + if admins ~= config.get("*", "core", "admins") and type(admins) == "table" then + jid = jid_bare(jid); + for _,admin in ipairs(admins) do + if admin == jid then return true; end + end + elseif admins then + log("error", "Option 'admins' for host '%s' is not a table", host); + end + return is_admin(jid); -- Test whether it's a global admin instead + end + return provider; +end + +local function dm_callback(username, host, datastore, data) + if host == module.host then + return false; + end + return username, host, datastore, data; +end +local host = hosts[module.host]; +local _saved_disallow_s2s = host.disallow_s2s; +function module.load() + _saved_disallow_s2s = host.disallow_s2s; + host.disallow_s2s = module:get_option("disallow_s2s") ~= false; + datamanager.add_callback(dm_callback); +end +function module.unload() + host.disallow_s2s = _saved_disallow_s2s; + datamanager.remove_callback(dm_callback); +end + +module:add_item("auth-provider", new_default_provider(module.host)); + diff --git a/plugins/mod_auth_cyrus.lua b/plugins/mod_auth_cyrus.lua new file mode 100644 index 00000000..6b34a541 --- /dev/null +++ b/plugins/mod_auth_cyrus.lua @@ -0,0 +1,77 @@ +-- Prosody IM +-- Copyright (C) 2008-2010 Matthew Wild +-- Copyright (C) 2008-2010 Waqas Hussain +-- Copyright (C) 2010 Jeff Mitchell +-- +-- This project is MIT/X11 licensed. Please see the +-- COPYING file in the source package for more information. +-- + +local log = require "util.logger".init("usermanager"); +local type = type; +local ipairs = ipairs; +local jid_bare = require "util.jid".bare; +local config = require "core.configmanager"; + +local cyrus_service_realm = module:get_option("cyrus_service_realm"); +local cyrus_service_name = module:get_option("cyrus_service_name"); +local cyrus_application_name = module:get_option("cyrus_application_name"); + +prosody.unlock_globals(); --FIXME: Figure out why this is needed and + -- why cyrussasl isn't caught by the sandbox +local cyrus_new = require "util.sasl_cyrus".new; +prosody.lock_globals(); +local new_sasl = function(realm) + return cyrus_new( + cyrus_service_realm or realm, + cyrus_service_name or "xmpp", + cyrus_application_name or "prosody" + ); +end + +function new_default_provider(host) + local provider = { name = "cyrus" }; + log("debug", "initializing default authentication provider for host '%s'", host); + + function provider.test_password(username, password) + return nil, "Legacy auth not supported with Cyrus SASL."; + end + + function provider.get_password(username) + return nil, "Passwords unavailable for Cyrus SASL."; + end + + function provider.set_password(username, password) + return nil, "Passwords unavailable for Cyrus SASL."; + end + + function provider.user_exists(username) + return true; + end + + function provider.create_user(username, password) + return nil, "Account creation/modification not available with Cyrus SASL."; + end + + function provider.get_sasl_handler() + local realm = module:get_option("sasl_realm") or module.host; + return new_sasl(realm); + end + + function provider.is_admin(jid) + local admins = config.get(host, "core", "admins"); + if admins ~= config.get("*", "core", "admins") and type(admins) == "table" then + jid = jid_bare(jid); + for _,admin in ipairs(admins) do + if admin == jid then return true; end + end + elseif admins then + log("error", "Option 'admins' for host '%s' is not a table", host); + end + return is_admin(jid); -- Test whether it's a global admin instead + end + return provider; +end + +module:add_item("auth-provider", new_default_provider(module.host)); + diff --git a/plugins/mod_auth_internal.lua b/plugins/mod_auth_internal.lua index 78a75a1d..1c426030 100644 --- a/plugins/mod_auth_internal.lua +++ b/plugins/mod_auth_internal.lua @@ -16,6 +16,8 @@ local hashes = require "util.hashes"; local jid_bare = require "util.jid".bare; local config = require "core.configmanager"; local usermanager = require "core.usermanager"; +local new_sasl = require "util.sasl".new; +local nodeprep = require "util.encodings".stringprep.nodeprep; local hosts = hosts; local prosody = _G.prosody; @@ -73,8 +75,23 @@ function new_default_provider(host) return datamanager.store(username, host, "accounts", {password = password}); end - function provider.get_supported_methods() - return {["PLAIN"] = true, ["DIGEST-MD5"] = true}; -- TODO this should be taken from the config + function provider.get_sasl_handler() + local realm = module:get_option("sasl_realm") or module.host; + local getpass_authentication_profile = { + plain = function(username, realm) + local prepped_username = nodeprep(username); + if not prepped_username then + log("debug", "NODEprep failed on username: %s", username); + return "", nil; + end + local password = usermanager.get_password(prepped_username, realm); + if not password then + return "", nil; + end + return password, true; + end + }; + return new_sasl(realm, getpass_authentication_profile); end function provider.is_admin(jid) diff --git a/plugins/mod_auth_internal_hashed.lua b/plugins/mod_auth_internal_hashed.lua index e2c423f2..9cffcc6e 100644 --- a/plugins/mod_auth_internal_hashed.lua +++ b/plugins/mod_auth_internal_hashed.lua @@ -18,6 +18,8 @@ local saltedPasswordSHA1 = require "util.sasl.scram".saltedPasswordSHA1; local config = require "core.configmanager"; local usermanager = require "core.usermanager"; local generate_uuid = require "util.uuid".generate; +local new_sasl = require "util.sasl".new; +local nodeprep = require "util.encodings".stringprep.nodeprep; local hosts = hosts; local prosody = _G.prosody; @@ -105,8 +107,29 @@ function new_hashpass_provider(host) return datamanager.store(username, host, "accounts", {hashpass = hexpass, salt = salt, iteration_count = iteration_count}); end - function provider.get_supported_methods() - return {["PLAIN"] = true}; -- TODO this should be taken from the config + function provider.get_sasl_handler() + local realm = module:get_option("sasl_realm") or module.host; + local testpass_authentication_profile = { + plain_test = function(username, password, realm) + local prepped_username = nodeprep(username); + if not prepped_username then + log("debug", "NODEprep failed on username: %s", username); + return "", nil; + end + return usermanager.test_password(prepped_username, password, realm), true; + end, + scram_sha_1 = function(username, realm) + local credentials = datamanager.load(username, host, "accounts") or {}; + if credentials.password then + usermanager.set_password(username, credentials.password); + credentials = datamanager.load(username, host, "accounts") or {}; + end + local salted_password, iteration_count, salt = credentials.hashpass, credentials.iteration_count, credentials.salt; + salted_password = salted_password and salted_password:gsub("..", function(x) return string.char(tonumber(x, 16)); end); + return salted_password, iteration_count, salt, true; + end + }; + return new_sasl(realm, testpass_authentication_profile); end function provider.is_admin(jid) diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua index c16a14da..99be8c34 100644 --- a/plugins/mod_saslauth.lua +++ b/plugins/mod_saslauth.lua @@ -16,7 +16,7 @@ local base64 = require "util.encodings".base64; local nodeprep = require "util.encodings".stringprep.nodeprep; local datamanager_load = require "util.datamanager".load; local usermanager_get_provider = require "core.usermanager".get_provider; -local usermanager_get_supported_methods = require "core.usermanager".get_supported_methods; +local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; local usermanager_user_exists = require "core.usermanager".user_exists; local usermanager_get_password = require "core.usermanager".get_password; local usermanager_test_password = require "core.usermanager".test_password; @@ -67,32 +67,6 @@ else error("Unknown SASL backend"); end -local getpass_authentication_profile = { - plain = function(username, realm) - local prepped_username = nodeprep(username); - if not prepped_username then - log("debug", "NODEprep failed on username: %s", username); - return "", nil; - end - local password = usermanager_get_password(prepped_username, realm); - if not password then - return "", nil; - end - return password, true; - end -}; - -local testpass_authentication_profile = { - plain_test = function(username, password, realm) - local prepped_username = nodeprep(username); - if not prepped_username then - log("debug", "NODEprep failed on username: %s", username); - return "", nil; - end - return usermanager_test_password(prepped_username, password, realm), true; - end -}; - local anonymous_authentication_profile = { anonymous = function(username, realm) return true; -- for normal usage you should always return true here @@ -195,13 +169,7 @@ module:hook("stream-features", function(event) if module:get_option("anonymous_login") then origin.sasl_handler = new_sasl(realm, anonymous_authentication_profile); else - if usermanager_get_provider(realm).get_password then - origin.sasl_handler = new_sasl(realm, getpass_authentication_profile); - elseif usermanager_get_provider(realm).test_password then - origin.sasl_handler = new_sasl(realm, testpass_authentication_profile); - else - log("warn", "AUTH: Could not load an authentication profile for the given provider."); - end + origin.sasl_handler = usermanager_get_sasl_handler(module.host); if not (module:get_option("allow_unencrypted_plain_auth")) and not origin.secure then origin.sasl_handler:forbidden({"PLAIN"}); end |