From e42b058b2b4157b2bed2120db82495860fc502d9 Mon Sep 17 00:00:00 2001 From: Waqas Hussain Date: Mon, 7 Jun 2010 02:33:40 +0500 Subject: mod_auth_internal, mod_auth_internal_hashed: Updated to provide get_sasl_handler. --- plugins/mod_auth_internal.lua | 21 +++++++++++++++++++-- plugins/mod_auth_internal_hashed.lua | 17 +++++++++++++++-- 2 files changed, 34 insertions(+), 4 deletions(-) (limited to 'plugins') diff --git a/plugins/mod_auth_internal.lua b/plugins/mod_auth_internal.lua index 78a75a1d..0fc6e487 100644 --- a/plugins/mod_auth_internal.lua +++ b/plugins/mod_auth_internal.lua @@ -16,6 +16,8 @@ local hashes = require "util.hashes"; local jid_bare = require "util.jid".bare; local config = require "core.configmanager"; local usermanager = require "core.usermanager"; +local new_sasl = require "util.sasl".new; +local nodeprep = require "util.encodings".stringprep.nodeprep; local hosts = hosts; local prosody = _G.prosody; @@ -73,8 +75,23 @@ function new_default_provider(host) return datamanager.store(username, host, "accounts", {password = password}); end - function provider.get_supported_methods() - return {["PLAIN"] = true, ["DIGEST-MD5"] = true}; -- TODO this should be taken from the config + function provider.get_sasl_handler() + local realm = module:get_option("sasl_realm") or origin.host; + local getpass_authentication_profile = { + plain = function(username, realm) + local prepped_username = nodeprep(username); + if not prepped_username then + log("debug", "NODEprep failed on username: %s", username); + return "", nil; + end + local password = usermanager.get_password(prepped_username, realm); + if not password then + return "", nil; + end + return password, true; + end + }; + return new_sasl(realm, getpass_authentication_profile); end function provider.is_admin(jid) diff --git a/plugins/mod_auth_internal_hashed.lua b/plugins/mod_auth_internal_hashed.lua index e2c423f2..1741a05a 100644 --- a/plugins/mod_auth_internal_hashed.lua 
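Review bot: In provider.get_sasl_handler the `plain` callback's `realm` parameter shadows the `realm` local computed two lines above it, so `usermanager.get_password(prepped_username, realm)` uses whatever the SASL layer passes in rather than the value the handler was built with; `plain_test` in the mod_auth_internal_hashed hunk on the next line has the same shadowing. The provider is created per host (`new_default_provider(host)`, whose body starts outside the hunk), but the lookup is keyed on a realm that may come from the `sasl_realm` option; if core.usermanager dispatches on that second argument as a host name, a configured realm that differs from the host would route the lookup to another host's provider, so passing the closed-over host, `local password = usermanager.get_password(prepped_username, host);`, would be unambiguous — confirm against core.usermanager before changing it. Either way, renaming or dropping the inner parameter removes the shadowing that luacheck will report.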
+++ b/plugins/mod_auth_internal_hashed.lua @@ -18,6 +18,8 @@ local saltedPasswordSHA1 = require "util.sasl.scram".saltedPasswordSHA1; local config = require "core.configmanager"; local usermanager = require "core.usermanager"; local generate_uuid = require "util.uuid".generate; +local new_sasl = require "util.sasl".new; +local nodeprep = require "util.encodings".stringprep.nodeprep; local hosts = hosts; local prosody = _G.prosody; @@ -105,8 +107,19 @@ function new_hashpass_provider(host) return datamanager.store(username, host, "accounts", {hashpass = hexpass, salt = salt, iteration_count = iteration_count}); end - function provider.get_supported_methods() - return {["PLAIN"] = true}; -- TODO this should be taken from the config + function provider.get_sasl_handler() + local realm = module:get_option("sasl_realm") or origin.host; + local testpass_authentication_profile = { + plain_test = function(username, password, realm) + local prepped_username = nodeprep(username); + if not prepped_username then + log("debug", "NODEprep failed on username: %s", username); + return "", nil; + end + return usermanager.test_password(prepped_username, password, realm), true; + end + }; + return new_sasl(realm, testpass_authentication_profile); end function provider.is_admin(jid) -- cgit v1.2.3 From 4e378598de3fa5ca92b5cec696966626a41cef5e Mon Sep 17 00:00:00 2001 From: Waqas Hussain Date: Mon, 7 Jun 2010 02:38:20 +0500 Subject: mod_auth_internal, mod_auth_internal_hashed: Fixed a global access. --- plugins/mod_auth_internal.lua | 2 +- plugins/mod_auth_internal_hashed.lua | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'plugins') diff --git a/plugins/mod_auth_internal.lua b/plugins/mod_auth_internal.lua index 0fc6e487..1c426030 100644 --- a/plugins/mod_auth_internal.lua +++ b/plugins/mod_auth_internal.lua 
@@ -76,7 +76,7 @@ function new_default_provider(host) end function provider.get_sasl_handler() - local realm = module:get_option("sasl_realm") or origin.host; + local realm = module:get_option("sasl_realm") or module.host; local getpass_authentication_profile = { plain = function(username, realm) local prepped_username = nodeprep(username); diff --git a/plugins/mod_auth_internal_hashed.lua b/plugins/mod_auth_internal_hashed.lua index 1741a05a..e793add2 100644 --- a/plugins/mod_auth_internal_hashed.lua +++ b/plugins/mod_auth_internal_hashed.lua @@ -108,7 +108,7 @@ function new_hashpass_provider(host) end function provider.get_sasl_handler() - local realm = module:get_option("sasl_realm") or origin.host; + local realm = module:get_option("sasl_realm") or module.host; local testpass_authentication_profile = { plain_test = function(username, password, realm) local prepped_username = nodeprep(username); -- cgit v1.2.3 From 9e6d86c40215fdd7ff055e3a39fe18651597c0ba Mon Sep 17 00:00:00 2001 From: Waqas Hussain Date: Mon, 7 Jun 2010 02:40:14 +0500 Subject: mod_saslauth: Updated to use usermanager.get_sasl_handler. --- plugins/mod_saslauth.lua | 36 ++---------------------------------- 1 file changed, 2 insertions(+), 34 deletions(-) (limited to 'plugins') diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua index c16a14da..99be8c34 100644 --- a/plugins/mod_saslauth.lua +++ b/plugins/mod_saslauth.lua 
@@ -16,7 +16,7 @@ local base64 = require "util.encodings".base64; local nodeprep = require "util.encodings".stringprep.nodeprep; local datamanager_load = require "util.datamanager".load; local usermanager_get_provider = require "core.usermanager".get_provider; -local usermanager_get_supported_methods = require "core.usermanager".get_supported_methods; +local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; local usermanager_user_exists = require "core.usermanager".user_exists; local usermanager_get_password = require "core.usermanager".get_password; local usermanager_test_password = require "core.usermanager".test_password; @@ -67,32 +67,6 @@ else error("Unknown SASL backend"); end -local getpass_authentication_profile = { - plain = function(username, realm) - local prepped_username = nodeprep(username); - if not prepped_username then - log("debug", "NODEprep failed on username: %s", username); - return "", nil; - end - local password = usermanager_get_password(prepped_username, realm); - if not password then - return "", nil; - end - return password, true; - end -}; - -local testpass_authentication_profile = { - plain_test = function(username, password, realm) - local prepped_username = nodeprep(username); - if not prepped_username then - log("debug", "NODEprep failed on username: %s", username); - return "", nil; - end - return usermanager_test_password(prepped_username, password, realm), true; - end -}; - local anonymous_authentication_profile = { anonymous = function(username, realm) return true; -- for normal usage you should always return true here 
@@ -195,13 +169,7 @@ module:hook("stream-features", function(event) if module:get_option("anonymous_login") then origin.sasl_handler = new_sasl(realm, anonymous_authentication_profile); else - if usermanager_get_provider(realm).get_password then - origin.sasl_handler = new_sasl(realm, getpass_authentication_profile); - elseif usermanager_get_provider(realm).test_password then - origin.sasl_handler = new_sasl(realm, testpass_authentication_profile); - else - log("warn", "AUTH: Could not load an authentication profile for the given provider."); - end + origin.sasl_handler = usermanager_get_sasl_handler(module.host); if not (module:get_option("allow_unencrypted_plain_auth")) and not origin.secure then origin.sasl_handler:forbidden({"PLAIN"}); end -- cgit v1.2.3 From 21d34b1fb9c0a676b4373c769400e7587471cb01 Mon Sep 17 00:00:00 2001 From: Waqas Hussain Date: Mon, 7 Jun 2010 03:07:58 +0500 Subject: mod_auth_internal_hashed: Added SCRAM-SHA-1 support for SASL. --- plugins/mod_auth_internal_hashed.lua | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'plugins') diff --git a/plugins/mod_auth_internal_hashed.lua b/plugins/mod_auth_internal_hashed.lua index e793add2..9cffcc6e 100644 --- a/plugins/mod_auth_internal_hashed.lua +++ b/plugins/mod_auth_internal_hashed.lua 
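Review bot: The warn branch carried by the removed lines is gone, and `origin.sasl_handler = usermanager_get_sasl_handler(module.host);` is followed two lines later by `origin.sasl_handler:forbidden({"PLAIN"})`, so a provider that does not implement get_sasl_handler (one still written against the old get_supported_methods contract) now produces an attempt-to-index-nil error on an unencrypted stream instead of a logged warning, assuming usermanager returns nil in that case. A guard right after the assignment keeps the old diagnostic: `if not origin.sasl_handler then log("warn", "AUTH: Could not load an authentication profile for the given provider."); return; end` — the stream-features hook continues outside the hunk, so whether returning early is the right way to stop advertising SASL needs checking there. The anonymous branch still builds its handler from `realm` while this branch passes `module.host`; if those can differ through the sasl_realm option, the two branches now advertise different realms. With the two earlier hunks of this commit removing the only visible callers of `usermanager_get_provider`, `usermanager_get_password`, `usermanager_test_password` and `nodeprep`, those locals in the header hunk at line 16 look dead — luacheck would flag them if no other use remains in the file.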
@@ -117,6 +117,16 @@ function new_hashpass_provider(host) return "", nil; end return usermanager.test_password(prepped_username, password, realm), true; + end, + scram_sha_1 = function(username, realm) + local credentials = datamanager.load(username, host, "accounts") or {}; + if credentials.password then + usermanager.set_password(username, credentials.password); + credentials = datamanager.load(username, host, "accounts") or {}; + end + local salted_password, iteration_count, salt = credentials.hashpass, credentials.iteration_count, credentials.salt; + salted_password = salted_password and salted_password:gsub("..", function(x) return string.char(tonumber(x, 16)); end); + return salted_password, iteration_count, salt, true; end }; return new_sasl(realm, testpass_authentication_profile); -- cgit v1.2.3 From 90f1fb98a0d48690a42de0f44cf5c31d2ed0d25e Mon Sep 17 00:00:00 2001 From: Waqas Hussain Date: Mon, 7 Jun 2010 04:07:40 +0500 Subject: mod_auth_anonymous: Auth provider with support for SASL ANONYMOUS. --- plugins/mod_auth_anonymous.lua | 85 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) create mode 100644 plugins/mod_auth_anonymous.lua (limited to 'plugins') diff --git a/plugins/mod_auth_anonymous.lua b/plugins/mod_auth_anonymous.lua new file mode 100644 index 00000000..e0a6a6c7 --- /dev/null +++ b/plugins/mod_auth_anonymous.lua 
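Review bot: `scram_sha_1` calls `datamanager.load(username, host, "accounts")` with the raw username, whereas `plain_test` directly above it first runs `nodeprep(username)` and refuses names that fail; the new callback should apply the same check and use `prepped_username` in both the `datamanager.load` and `usermanager.set_password` calls so the two mechanisms resolve the same account for the same input. The upgrade step writes to storage during the authentication exchange, before the client has proven anything, so any client naming an account that still holds a plaintext `password` triggers a re-hash of it; that is presumably the intended lazy migration, but a comment saying so would stop a later reader treating the write as a bug. `usermanager.set_password(username, credentials.password)` is also called without the `host` that the surrounding datamanager calls pass — confirm it resolves to this host. Finally, `tonumber(x, 16)` returns nil for a non-hex pair, so a malformed stored `hashpass` makes `string.char` raise inside the SASL step rather than failing the login; the enclosing profile table and new_hashpass_provider extend outside the hunk.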
@@ -0,0 +1,85 @@ +-- Prosody IM +-- Copyright (C) 2008-2010 Matthew Wild +-- Copyright (C) 2008-2010 Waqas Hussain +-- Copyright (C) 2010 Jeff Mitchell +-- +-- This project is MIT/X11 licensed. Please see the +-- COPYING file in the source package for more information. +-- + +local log = require "util.logger".init("usermanager"); +local type = type; +local ipairs = ipairs; +local jid_bare = require "util.jid".bare; +local config = require "core.configmanager"; +local new_sasl = require "util.sasl".new; +local datamanager = require "util.datamanager"; + +function new_default_provider(host) + local provider = { name = "anonymous" }; + + function provider.test_password(username, password) + return nil, "Password based auth not supported."; + end + + function provider.get_password(username) + return nil, "Password not available."; + end + + function provider.set_password(username, password) + return nil, "Password based auth not supported."; + end + + function provider.user_exists(username) + return nil, "Only anonymous users are supported."; -- FIXME check if anonymous user is connected? 
+ end + + function provider.create_user(username, password) + return nil, "Account creation/modification not supported."; end + end + + function provider.get_sasl_handler() + local realm = module:get_option("sasl_realm") or module.host; + local anonymous_authentication_profile = { + anonymous = function(username, realm) + return true; -- for normal usage you should always return true here + end + }; + return new_sasl(realm, anonymous_authentication_profile); + end + + function provider.is_admin(jid) + local admins = config.get(host, "core", "admins"); + if admins ~= config.get("*", "core", "admins") and type(admins) == "table" then + jid = jid_bare(jid); + for _,admin in ipairs(admins) do + if admin == jid then return true; end + end + elseif admins then + log("error", "Option 'admins' for host '%s' is not a table", host); + end + return is_admin(jid); -- Test whether it's a global admin instead + end + return provider; +end + +local function dm_callback(username, host, datastore, data) + if host == module.host then + return false; + end + return username, host, datastore, data; +end +local host = hosts[module.host]; +local _saved_disallow_s2s = host.disallow_s2s; +function module.load() + _saved_disallow_s2s = host.disallow_s2s; + host.disallow_s2s = module:get_option("disallow_s2s") ~= false; + datamanager.add_callback(dm_callback); +end +function module.unload() + host.disallow_s2s = _saved_disallow_s2s; + datamanager.remove_callback(dm_callback); +end + +module:add_item("auth-provider", new_default_provider(module.host)); + -- cgit v1.2.3 From 7e03b814ec0c9e408d3938a23077ae40a14b8593 Mon Sep 17 00:00:00 2001 From: Waqas Hussain Date: Mon, 7 Jun 2010 04:22:49 +0500 Subject: mod_auth_anonymous: Fixed a syntax error. --- plugins/mod_auth_anonymous.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'plugins') diff --git a/plugins/mod_auth_anonymous.lua b/plugins/mod_auth_anonymous.lua index e0a6a6c7..214611d8 100644 
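Review bot: `return is_admin(jid)` at the end of provider.is_admin refers to a name this file never binds — none of the requires at the top expose an `is_admin` and no local of that name is declared — so unless the module environment supplies a global, every check that does not match the host's `admins` list raises "attempt to call global 'is_admin'" instead of returning false; the Cyrus provider added later in this series carries the identical line. Bind the helper explicitly from wherever the global admin check lives (the other providers import core.usermanager; confirm it exports one) rather than relying on a global lookup. In get_sasl_handler the `anonymous` callback's `realm` parameter shadows the `realm` local above it, which luacheck will report; since the callback ignores both, the parameter can simply go. `host.disallow_s2s = module:get_option("disallow_s2s") ~= false;` makes not federating the default for the anonymous host, which is the right default, but the `~= false` form reads like a typo — a comment such as `-- anonymous hosts must not federate unless disallow_s2s is explicitly set to false` would make the intent clear.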
--- a/plugins/mod_auth_anonymous.lua +++ b/plugins/mod_auth_anonymous.lua @@ -35,7 +35,7 @@ function new_default_provider(host) end function provider.create_user(username, password) - return nil, "Account creation/modification not supported."; end + return nil, "Account creation/modification not supported."; end function provider.get_sasl_handler() -- cgit v1.2.3 From d471482a87ac4914c3555f543e4c120bdb15467a Mon Sep 17 00:00:00 2001 From: Waqas Hussain Date: Mon, 7 Jun 2010 04:23:08 +0500 Subject: mod_auth_cyrus: Auth provider with support for Cyrus SASL. --- plugins/mod_auth_cyrus.lua | 77 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 plugins/mod_auth_cyrus.lua (limited to 'plugins') diff --git a/plugins/mod_auth_cyrus.lua b/plugins/mod_auth_cyrus.lua new file mode 100644 index 00000000..6b34a541 --- /dev/null +++ b/plugins/mod_auth_cyrus.lua 
@@ -0,0 +1,77 @@ +-- Prosody IM +-- Copyright (C) 2008-2010 Matthew Wild +-- Copyright (C) 2008-2010 Waqas Hussain +-- Copyright (C) 2010 Jeff Mitchell +-- +-- This project is MIT/X11 licensed. Please see the +-- COPYING file in the source package for more information. +-- + +local log = require "util.logger".init("usermanager"); +local type = type; +local ipairs = ipairs; +local jid_bare = require "util.jid".bare; +local config = require "core.configmanager"; + +local cyrus_service_realm = module:get_option("cyrus_service_realm"); +local cyrus_service_name = module:get_option("cyrus_service_name"); +local cyrus_application_name = module:get_option("cyrus_application_name"); + +prosody.unlock_globals(); --FIXME: Figure out why this is needed and + -- why cyrussasl isn't caught by the sandbox +local cyrus_new = require "util.sasl_cyrus".new; +prosody.lock_globals(); +local new_sasl = function(realm) + return cyrus_new( + cyrus_service_realm or realm, + cyrus_service_name or "xmpp", + cyrus_application_name or "prosody" + ); +end + +function new_default_provider(host) + local provider = { name = "cyrus" }; + log("debug", "initializing default authentication provider for host '%s'", host); + + function provider.test_password(username, password) + return nil, "Legacy auth not supported with Cyrus SASL."; + end + + function provider.get_password(username) + return nil, "Passwords unavailable for Cyrus SASL."; + end + + function provider.set_password(username, password) + return nil, "Passwords unavailable for Cyrus SASL."; + end + + function provider.user_exists(username) + return true; + end + + function provider.create_user(username, password) + return nil, "Account creation/modification not available with Cyrus SASL."; + end + + function provider.get_sasl_handler() + local realm = module:get_option("sasl_realm") or module.host; + return new_sasl(realm); + end + + function provider.is_admin(jid) + local admins = config.get(host, "core", "admins"); + if admins ~= 
config.get("*", "core", "admins") and type(admins) == "table" then + jid = jid_bare(jid); + for _,admin in ipairs(admins) do + if admin == jid then return true; end + end + elseif admins then + log("error", "Option 'admins' for host '%s' is not a table", host); + end + return is_admin(jid); -- Test whether it's a global admin instead + end + return provider; +end + +module:add_item("auth-provider", new_default_provider(module.host)); + -- cgit v1.2.3
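Review bot: `provider.user_exists` returns `true` unconditionally, so any caller that gates behaviour on account existence will treat every name as a valid account on this host; Cyrus may leave no better option, but a comment such as `-- Cyrus SASL exposes no account lookup; every name is reported as existing and only authentication rejects unknown users` would keep callers from being misled. The `return is_admin(jid)` fallthrough refers to a name not bound anywhere in this file, the same issue as in mod_auth_anonymous above. The `prosody.unlock_globals()`/`prosody.lock_globals()` bracket around the require already carries a FIXME; while it is open, anything util.sasl_cyrus assigns at load time lands in the shared global table, so the window should stay as narrow as it is here. The `new_sasl` wrapper reads its three `cyrus_*` options once at load time, so option changes need a module reload — worth a one-line comment above it.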