diff options
-rw-r--r-- | plugins/mod_auth_cyrus.lua | 14 | ||||
-rw-r--r-- | plugins/mod_saslauth.lua | 22 | ||||
-rw-r--r-- | util/sasl_cyrus.lua | 3 |
3 files changed, 22 insertions, 17 deletions
diff --git a/plugins/mod_auth_cyrus.lua b/plugins/mod_auth_cyrus.lua index c1315e7f..ed3d5408 100644 --- a/plugins/mod_auth_cyrus.lua +++ b/plugins/mod_auth_cyrus.lua @@ -8,9 +8,12 @@ local log = require "util.logger".init("auth_cyrus"); +local usermanager_user_exists = require "core.usermanager".user_exists; + local cyrus_service_realm = module:get_option("cyrus_service_realm"); local cyrus_service_name = module:get_option("cyrus_service_name"); local cyrus_application_name = module:get_option("cyrus_application_name"); +local require_provisioning = module:get_option("cyrus_require_provisioning") or false; prosody.unlock_globals(); --FIXME: Figure out why this is needed and -- why cyrussasl isn't caught by the sandbox @@ -41,6 +44,9 @@ function new_default_provider(host) end function provider.user_exists(username) + if require_provisioning then + return usermanager_user_exists(username, module.host); + end return true; end @@ -50,7 +56,13 @@ function new_default_provider(host) function provider.get_sasl_handler() local realm = module:get_option("sasl_realm") or module.host; - return new_sasl(realm); + local handler = new_sasl(realm); + if require_provisioning then + function handler.require_provisioning(username) + return usermanager_user_exists(username, module.host); + end + end + return handler; end return provider; diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua index 78420212..732d5d91 100644 --- a/plugins/mod_saslauth.lua +++ b/plugins/mod_saslauth.lua @@ -15,7 +15,6 @@ local base64 = require "util.encodings".base64; local nodeprep = require "util.encodings".stringprep.nodeprep; local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; -local usermanager_user_exists = require "core.usermanager".user_exists; local t_concat, t_insert = table.concat, table.insert; local tostring = tostring; @@ -23,9 +22,6 @@ local secure_auth_only = module:get_option("c2s_require_encryption") or module:g local anonymous_login = module:get_option("anonymous_login"); local allow_unencrypted_plain_auth = module:get_option("allow_unencrypted_plain_auth") --- Cyrus config options -local require_provisioning = module:get_option("cyrus_require_provisioning") or false; - local log = module._log; local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl'; @@ -63,20 +59,14 @@ local function handle_status(session, status, ret, err_msg) elseif status == "success" then local username = nodeprep(session.sasl_handler.username); - if not(require_provisioning) or usermanager_user_exists(username, session.host) then - local ok, err = sm_make_authenticated(session, session.sasl_handler.username); - if ok then - session.sasl_handler = nil; - session:reset_stream(); - else - module:log("warn", "SASL succeeded but username was invalid"); - session.sasl_handler = session.sasl_handler:clean_clone(); - return "failure", "not-authorized", "User authenticated successfully, but username was invalid"; - end + local ok, err = sm_make_authenticated(session, session.sasl_handler.username); + if ok then + session.sasl_handler = nil; + session:reset_stream(); else - module:log("warn", "SASL succeeded but we don't have an account provisioned for %s", username); + module:log("warn", "SASL succeeded but username was invalid"); session.sasl_handler = session.sasl_handler:clean_clone(); - return "failure", "not-authorized", "User authenticated successfully, but not provisioned for XMPP"; + return "failure", "not-authorized", "User authenticated successfully, but username was invalid"; end end return status, ret, err_msg; diff --git a/util/sasl_cyrus.lua b/util/sasl_cyrus.lua index 3ec8adca..aafd5455 100644 --- a/util/sasl_cyrus.lua +++ b/util/sasl_cyrus.lua @@ -143,6 +143,9 @@ function method:process(message) self.username = cyrussasl.get_username(self.cyrus) if (err == 0) then -- SASL_OK + if self.require_provisioning and not self.require_provisioning(self.username) then + return "failure", "not-authorized", "User authenticated successfully, but not provisioned for XMPP"; + end return "success", data elseif (err == 1) then -- SASL_CONTINUE return "challenge", data |