Mercurial > lxmppd-hg-xmllex / file comparison
comparison: plugins/mod_saslauth.lua
plugins/mod_saslauth.lua
- changeset 3983
- 38ec7255b111
- parent 3981
- 2b0b8fe68df2
- child 3997
- ed70d20fc133
equal
deleted
inserted
replaced
| 3982:a20a41e512f8 | 3983:38ec7255b111 |
|---|---|
| 16 | 16 |
| 17 local cert_verify_identity = require "util.x509".verify_identity; | 17 local cert_verify_identity = require "util.x509".verify_identity; |
| 18 | 18 |
| 19 local nodeprep = require "util.encodings".stringprep.nodeprep; | 19 local nodeprep = require "util.encodings".stringprep.nodeprep; |
| 20 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; | 20 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; |
| 21 local t_concat, t_insert = table.concat, table.insert; | |
| 22 local tostring = tostring; | 21 local tostring = tostring; |
| 23 | 22 |
| 24 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption"); | 23 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption"); |
| 25 local anonymous_login = module:get_option("anonymous_login"); | |
| 26 local allow_unencrypted_plain_auth = module:get_option("allow_unencrypted_plain_auth") | 24 local allow_unencrypted_plain_auth = module:get_option("allow_unencrypted_plain_auth") |
| 27 | 25 |
| 28 local log = module._log; | 26 local log = module._log; |
| 29 | 27 |
| 30 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl'; | 28 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl'; |
| 31 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind'; | 29 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind'; |
| 32 local xmlns_stanzas ='urn:ietf:params:xml:ns:xmpp-stanzas'; | 30 local xmlns_stanzas ='urn:ietf:params:xml:ns:xmpp-stanzas'; |
| 33 | |
| 34 local new_sasl = require "util.sasl".new; | |
| 35 | |
| 36 local anonymous_authentication_profile = { | |
| 37 anonymous = function(sasl, username, realm) | |
| 38 return true; -- for normal usage you should always return true here | |
| 39 end | |
| 40 }; | |
| 41 | 31 |
| 42 local function build_reply(status, ret, err_msg) | 32 local function build_reply(status, ret, err_msg) |
| 43 local reply = st.stanza(status, {xmlns = xmlns_sasl}); | 33 local reply = st.stanza(status, {xmlns = xmlns_sasl}); |
| 44 if status == "challenge" then | 34 if status == "challenge" then |
| 45 --log("debug", "CHALLENGE: %s", ret or ""); | 35 --log("debug", "CHALLENGE: %s", ret or ""); |
| 215 | 205 |
| 216 if session.sasl_handler and session.sasl_handler.selected then | 206 if session.sasl_handler and session.sasl_handler.selected then |
| 217 session.sasl_handler = nil; -- allow starting a new SASL negotiation before completing an old one | 207 session.sasl_handler = nil; -- allow starting a new SASL negotiation before completing an old one |
| 218 end | 208 end |
| 219 if not session.sasl_handler then | 209 if not session.sasl_handler then |
| 220 if anonymous_login then | 210 session.sasl_handler = usermanager_get_sasl_handler(module.host); |
| 221 session.sasl_handler = new_sasl(module.host, anonymous_authentication_profile); | |
| 222 else | |
| 223 session.sasl_handler = usermanager_get_sasl_handler(module.host); | |
| 224 end | |
| 225 end | 211 end |
| 226 local mechanism = stanza.attr.mechanism; | 212 local mechanism = stanza.attr.mechanism; |
| 227 if anonymous_login then | |
| 228 if mechanism ~= "ANONYMOUS" then | |
| 229 session.send(build_reply("failure", "invalid-mechanism")); | |
| 230 return true; | |
| 231 end | |
| 232 elseif mechanism == "ANONYMOUS" then | |
| 233 session.send(build_reply("failure", "mechanism-too-weak")); | |
| 234 return true; | |
| 235 end | |
| 236 if not session.secure and (secure_auth_only or (mechanism == "PLAIN" and not allow_unencrypted_plain_auth)) then | 213 if not session.secure and (secure_auth_only or (mechanism == "PLAIN" and not allow_unencrypted_plain_auth)) then |
| 237 session.send(build_reply("failure", "encryption-required")); | 214 session.send(build_reply("failure", "encryption-required")); |
| 238 return true; | 215 return true; |
| 239 end | 216 end |
| 240 local valid_mechanism = session.sasl_handler:select(mechanism); | 217 local valid_mechanism = session.sasl_handler:select(mechanism); |
| 266 local origin, features = event.origin, event.features; | 243 local origin, features = event.origin, event.features; |
| 267 if not origin.username then | 244 if not origin.username then |
| 268 if secure_auth_only and not origin.secure then | 245 if secure_auth_only and not origin.secure then |
| 269 return; | 246 return; |
| 270 end | 247 end |
| 271 if anonymous_login then | 248 origin.sasl_handler = usermanager_get_sasl_handler(module.host); |
| 272 origin.sasl_handler = new_sasl(module.host, anonymous_authentication_profile); | |
| 273 else | |
| 274 origin.sasl_handler = usermanager_get_sasl_handler(module.host); | |
| 275 end | |
| 276 features:tag("mechanisms", mechanisms_attr); | 249 features:tag("mechanisms", mechanisms_attr); |
| 277 for mechanism in pairs(origin.sasl_handler:mechanisms()) do | 250 for mechanism in pairs(origin.sasl_handler:mechanisms()) do |
| 278 if mechanism ~= "PLAIN" or origin.secure or allow_unencrypted_plain_auth then | 251 if mechanism ~= "PLAIN" or origin.secure or allow_unencrypted_plain_auth then |
| 279 features:tag("mechanism"):text(mechanism):up(); | 252 features:tag("mechanism"):text(mechanism):up(); |
| 280 end | 253 end |
