From 1d2b8a073bfb81c0e70732d273bcede5bd6ce67c Mon Sep 17 00:00:00 2001
From: Tobias Markmann <tm@ayena.de>
Date: Fri, 28 Aug 2009 13:04:38 +0200
Subject: Making mod_saslauth use the new SASL API.

---
 plugins/mod_saslauth.lua | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

(limited to 'plugins')

diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index 8d3b4ae4..ec3857b8 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -34,6 +34,12 @@ local xmlns_stanzas ='urn:ietf:params:xml:ns:xmpp-stanzas';
 
 local new_sasl = require "util.sasl".new;
 
+default_authentication_profile = {
+	plain = function(username, realm)
+			return usermanager_get_password(username, realm), true;
+		end
+};
+
 local function build_reply(status, ret, err_msg)
 	local reply = st.stanza(status, {xmlns = xmlns_sasl});
 	if status == "challenge" then
@@ -101,8 +107,8 @@ local function sasl_handler(session, stanza)
 		elseif stanza.attr.mechanism == "ANONYMOUS" then
 			return session.send(build_reply("failure", "mechanism-too-weak"));
 		end
-		session.sasl_handler = new_sasl(stanza.attr.mechanism, session.host, credentials_callback);
-		if not session.sasl_handler then
+		local valid_mechanism = session.sasl_handler:select(stanza.attr.mechanism);
+		if not valid_mechanism then
 			return session.send(build_reply("failure", "invalid-mechanism"));
 		end
 	elseif not session.sasl_handler then
@@ -118,7 +124,7 @@ local function sasl_handler(session, stanza)
 			return;
 		end
 	end
-	local status, ret, err_msg = session.sasl_handler:feed(text);
+	local status, ret, err_msg = session.sasl_handler:process(text);
 	handle_status(session, status);
 	local s = build_reply(status, ret, err_msg);
 	log("debug", "sasl reply: %s", tostring(s));
@@ -138,14 +144,14 @@ module:add_event_hook("stream-features",
 				if secure_auth_only and not session.secure then
 					return;
 				end
+				session.sasl_handler = new_sasl(session.host, default_authentication_profile);
 				features:tag("mechanisms", mechanisms_attr);
 				-- TODO: Provide PLAIN only if TLS is active, this is a SHOULD from the introduction of RFC 4616. This behavior could be overridden via configuration but will issuing a warning or so.
 					if config.get(session.host or "*", "core", "anonymous_login") then
 						features:tag("mechanism"):text("ANONYMOUS"):up();
 					else
-						mechanisms = usermanager_get_supported_methods(session.host or "*");
-						for k, v in pairs(mechanisms) do
-							features:tag("mechanism"):text(k):up();
+						for k, v in pairs(session.sasl_handler:mechanisms()) do
+							features:tag("mechanism"):text(v):up();
 						end
 					end
 				features:up();
-- 
cgit v1.2.3


From 74de4e38040d61d111b875a65bcb705a7047ef77 Mon Sep 17 00:00:00 2001
From: Tobias Markmann <tm@ayena.de>
Date: Wed, 18 Nov 2009 23:26:35 +0100
Subject: Provide SASL PLAIN mechanism only if TLS is active.

---
 plugins/mod_saslauth.lua | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'plugins')

diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index 641b08f0..d595fd24 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -141,9 +141,11 @@ module:add_event_hook("stream-features",
 					session.sasl_handler = new_sasl(session.host, anonymous_authentication_profile);
 				else
 					session.sasl_handler = new_sasl(session.host, default_authentication_profile);
+					if not session.secure then 
+						session.sasl_handler:forbidden({"PLAIN"});
+					end
 				end
 				features:tag("mechanisms", mechanisms_attr);
-				-- TODO: Provide PLAIN only if TLS is active, this is a SHOULD from the introduction of RFC 4616. This behavior could be overridden via configuration but will issuing a warning or so.
 				for k, v in pairs(session.sasl_handler:mechanisms()) do
 					features:tag("mechanism"):text(v):up();
 				end
-- 
cgit v1.2.3


From 5ee762728b5acc38906ae3ba5523ded1f0d7005c Mon Sep 17 00:00:00 2001
From: Tobias Markmann <tm@ayena.de>
Date: Thu, 19 Nov 2009 16:43:38 +0100
Subject: Allow SASL PLAIN over unsecure connections when intended by admin.

---
 plugins/mod_saslauth.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'plugins')

diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index d595fd24..2223f056 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -141,7 +141,7 @@ module:add_event_hook("stream-features",
 					session.sasl_handler = new_sasl(session.host, anonymous_authentication_profile);
 				else
 					session.sasl_handler = new_sasl(session.host, default_authentication_profile);
-					if not session.secure then 
+					if not (module:get_option("allow_unencrypted_plain_auth")) and not session.secure then
 						session.sasl_handler:forbidden({"PLAIN"});
 					end
 				end
-- 
cgit v1.2.3


From c52c4021b0c8e890bb7334fdbf00b9550b17e21f Mon Sep 17 00:00:00 2001
From: Tobias Markmann <tm@ayena.de>
Date: Thu, 19 Nov 2009 16:44:37 +0100
Subject: Use new cofig option reading API.

---
 plugins/mod_saslauth.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'plugins')

diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index 2223f056..04e33b29 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -137,7 +137,7 @@ module:add_event_hook("stream-features",
 				if secure_auth_only and not session.secure then
 					return;
 				end
-				if config.get(session.host or "*", "core", "anonymous_login") then
+				if module:get_option("anonymous_login") then
 					session.sasl_handler = new_sasl(session.host, anonymous_authentication_profile);
 				else
 					session.sasl_handler = new_sasl(session.host, default_authentication_profile);
-- 
cgit v1.2.3