local cyrussasl = require "cyrussasl";
local log = require "util.logger".init("sasl_cyrus");
-local array = require "util.array";
-local tostring = tostring;
-local pairs, ipairs = pairs, ipairs;
-local t_insert, t_concat = table.insert, table.concat;
-local s_match = string.match;
local setmetatable = setmetatable
-local keys = keys;
-
-local print = print
local pcall = pcall
local s_match, s_gmatch = string.match, string.gmatch
local err;
local data;
- if self.mechanism then
+ if not self.first_step_done then
err, data = cyrussasl.server_start(self.cyrus, self.mechanism, message or "")
+ self.first_step_done = true;
else
err, data = cyrussasl.server_step(self.cyrus, message or "")
end
self.username = cyrussasl.get_username(self.cyrus)
if (err == 0) then -- SASL_OK
- return "success", data
+ if self.require_provisioning and not self.require_provisioning(self.username) then
+ return "failure", "not-authorized", "User authenticated successfully, but not provisioned for XMPP";
+ end
+ return "success", data
elseif (err == 1) then -- SASL_CONTINUE
- return "challenge", data
+ return "challenge", data
elseif (err == -4) then -- SASL_NOMECH
- log("debug", "SASL mechanism not available from remote end")
- return "failure", "invalid-mechanism", "SASL mechanism not available"
+ log("debug", "SASL mechanism not available from remote end")
+ return "failure", "invalid-mechanism", "SASL mechanism not available"
elseif (err == -13) then -- SASL_BADAUTH
- return "failure", "not-authorized", sasl_errstring[err];
+ return "failure", "not-authorized", sasl_errstring[err];
else
- log("debug", "Got SASL error condition %d: %s", err, sasl_errstring[err]);
- return "failure", "undefined-condition", sasl_errstring[err];
+ log("debug", "Got SASL error condition %d: %s", err, sasl_errstring[err]);
+ return "failure", "undefined-condition", sasl_errstring[err];
end
end