end
cyrussasl.setssf(sasl_i.cyrus, 0, 0xffffffff)
+ local mechanisms = {};
+ local cyrus_mechs = cyrussasl.listmech(sasl_i.cyrus, nil, "", " ", "");
+ for w in s_gmatch(cyrus_mechs, "[^ ]+") do
+ mechanisms[w] = true;
+ end
+ sasl_i.mechs = mechanisms;
return setmetatable(sasl_i, method);
end
-- get a list of possible SASL mechanims to use
function method:mechanisms()
- local mechanisms = self.mechs;
- if not mechanisms then
- mechanisms = {}
- local cyrus_mechs = cyrussasl.listmech(self.cyrus, nil, "", " ", "")
- for w in s_gmatch(cyrus_mechs, "[^ ]+") do
- mechanisms[w] = true;
- end
- self.mechs = mechanisms
- end
- return mechanisms;
+ return self.mechs;
end
-- select a mechanism to use
function method:select(mechanism)
- self.mechanism = mechanism;
- return self:mechanisms()[mechanism];
+ if not self.selected and self.mechs[mechanism] then
+ self.selected = mechanism;
+ return true;
+ end
end
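Review bot: `mechanisms()` now hands back the live `self.mechs` table that `select` consults, so a caller that filters or otherwise mutates the returned table also changes which mechanism names `select` will accept; return a copy instead, e.g. `local copy = {}; for m in pairs(self.mechs) do copy[m] = true; end; return copy;`. The one-shot guard in `select` (`not self.selected`) is a sound way to stop a client from switching mechanisms mid-handshake, but the function returns nil both for an unknown mechanism and for a second `select`, and callers cannot tell the two apart; at least the comment above `select` should say so, e.g. `-- select a mechanism to use; returns true once, nil if unknown or already selected`. The constructor whose tail appears at the top of this hunk begins outside it.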
-- feed new messages to process into the library
local data;
if not self.first_step_done then
- err, data = cyrussasl.server_start(self.cyrus, self.mechanism, message or "")
+ err, data = cyrussasl.server_start(self.cyrus, self.selected, message or "")
self.first_step_done = true;
else
err, data = cyrussasl.server_step(self.cyrus, message or "")
self.username = cyrussasl.get_username(self.cyrus)
if (err == 0) then -- SASL_OK
- return "success", data
+ if self.require_provisioning and not self.require_provisioning(self.username) then
+ return "failure", "not-authorized", "User authenticated successfully, but not provisioned for XMPP";
+ end
+ return "success", data
elseif (err == 1) then -- SASL_CONTINUE
- return "challenge", data
+ return "challenge", data
elseif (err == -4) then -- SASL_NOMECH
- log("debug", "SASL mechanism not available from remote end")
- return "failure", "invalid-mechanism", "SASL mechanism not available"
+ log("debug", "SASL mechanism not available from remote end")
+ return "failure", "invalid-mechanism", "SASL mechanism not available"
elseif (err == -13) then -- SASL_BADAUTH
- return "failure", "not-authorized", sasl_errstring[err];
+ return "failure", "not-authorized", sasl_errstring[err];
else
- log("debug", "Got SASL error condition %d: %s", err, sasl_errstring[err]);
- return "failure", "undefined-condition", sasl_errstring[err];
+ log("debug", "Got SASL error condition %d: %s", err, sasl_errstring[err]);
+ return "failure", "undefined-condition", sasl_errstring[err];
end
end
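Review bot: The first-step branch passes `self.selected` to `server_start`, but nothing in this hunk guards against `select` never having succeeded, in which case a nil mechanism is handed to the library; add `if not self.selected then return "failure", "invalid-mechanism", "No SASL mechanism selected"; end` ahead of the `first_step_done` check. The new provisioning branch returns a distinct text to the peer ("User authenticated successfully, but not provisioned for XMPP"), which lets a remote party confirm that a password is correct for an account that merely lacks XMPP access; log that detail server-side and send a generic not-authorized text instead. `err` is assigned on the `server_start`/`server_step` lines but is not declared in the visible lines, so unless it is declared earlier in the function it is an accidental global. The enclosing `process` function starts before this hunk.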