X-Git-Url: https://git.enpas.org/?a=blobdiff_plain;f=util%2Fsasl_cyrus.lua;h=002118fdc07c86f14b8f0c0686e8c70537e73db0;hb=62e24f323209d90f117e65f964630369cfd03165;hp=ef1bf3d0d738ce9dae146fa29b305bc04f8fff76;hpb=3057cdad27e7bd4d81712c95982822b3e8c3cedd;p=prosody.git
diff --git a/util/sasl_cyrus.lua b/util/sasl_cyrus.lua
index ef1bf3d0..002118fd 100644
--- a/util/sasl_cyrus.lua
+++ b/util/sasl_cyrus.lua
@@ -100,6 +100,12 @@ function new(realm, service_name, app_name)
 end
 cyrussasl.setssf(sasl_i.cyrus, 0, 0xffffffff)
+ local mechanisms = {};
+ local cyrus_mechs = cyrussasl.listmech(sasl_i.cyrus, nil, "", " ", "");
+ for w in s_gmatch(cyrus_mechs, "[^ ]+") do
+ mechanisms[w] = true;
+ end
+ sasl_i.mechs = mechanisms;
 return setmetatable(sasl_i, method);
 end
@@ -110,22 +116,15 @@ end
 -- get a list of possible SASL mechanims to use
 function method:mechanisms()
- local mechanisms = self.mechs;
- if not mechanisms then
- mechanisms = {}
- local cyrus_mechs = cyrussasl.listmech(self.cyrus, nil, "", " ", "")
- for w in s_gmatch(cyrus_mechs, "[^ ]+") do
- mechanisms[w] = true;
- end
- self.mechs = mechanisms
- end
- return mechanisms;
+ return self.mechs;
 end
 -- select a mechanism to use
 function method:select(mechanism)
- self.mechanism = mechanism;
- return self:mechanisms()[mechanism];
+ if not self.selected and self.mechs[mechanism] then
+ self.selected = mechanism;
+ return true;
+ end
 end
 -- feed new messages to process into the library
@@ -133,8 +132,9 @@ function method:process(message)
 local err;
 local data;
- if self.mechanism then
- err, data = cyrussasl.server_start(self.cyrus, self.mechanism, message or "")
+ if not self.first_step_done then
+ err, data = cyrussasl.server_start(self.cyrus, self.selected, message or "")
+ self.first_step_done = true;
 else
 err, data = cyrussasl.server_step(self.cyrus, message or "")
 end
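Review bot: The new `sasl_i.mechs` table is built with no comment saying what it is for, even though it later serves as the allow-list that `select` consults, so a line above the loop would help: `-- Mechanisms Cyrus offers for this context, keyed by name; select() only accepts names present here`. The `listmech` result is also handed straight to `s_gmatch`; if the binding can return nil (or nil plus an error string) on failure, `new` would raise here instead of returning a usable object, which is worth confirming against the binding. The body of `new` begins before this hunk.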
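Review bot: `select` now rejects by falling off the end, so a caller gets no value rather than `false` and cannot tell "unknown mechanism" from "already selected"; that is acceptable for a one-shot guard but the comment above it no longer describes the contract. I would replace it with `-- select a mechanism to use; accepted at most once per exchange, and only if Cyrus listed it. Returns true on success, nothing otherwise.` Note also that `mechanisms()` hands out the live `self.mechs` table, so any caller that adds or deletes keys in it changes what `select` will accept for the rest of this object's lifetime; returning the cached table is inherited from the old code, but its role as an allow-list is new.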
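Review bot: When `select` was never called or returned nothing, `self.selected` is nil and the new branch passes it straight to `server_start`; and because `first_step_done` is set before the result is inspected, a failed start is followed by `server_step` on the next call. A guard before the branch closes both holes: `if not self.selected then return "failure", "invalid-mechanism", "No SASL mechanism selected"; end`. Whether the binding tolerates a nil mechanism name is not visible here. The signature of `process` is only the hunk's header context and its body continues past the hunk.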
@@ -142,17 +142,20 @@ function method:process(message)
 self.username = cyrussasl.get_username(self.cyrus)
 if (err == 0) then -- SASL_OK
- return "success", data
+ if self.require_provisioning and not self.require_provisioning(self.username) then
+ return "failure", "not-authorized", "User authenticated successfully, but not provisioned for XMPP";
+ end
+ return "success", data
 elseif (err == 1) then -- SASL_CONTINUE
- return "challenge", data
+ return "challenge", data
 elseif (err == -4) then -- SASL_NOMECH
- log("debug", "SASL mechanism not available from remote end")
- return "failure", "invalid-mechanism", "SASL mechanism not available"
+ log("debug", "SASL mechanism not available from remote end")
+ return "failure", "invalid-mechanism", "SASL mechanism not available"
 elseif (err == -13) then -- SASL_BADAUTH
- return "failure", "not-authorized", sasl_errstring[err];
+ return "failure", "not-authorized", sasl_errstring[err];
 else
- log("debug", "Got SASL error condition %d: %s", err, sasl_errstring[err]);
- return "failure", "undefined-condition", sasl_errstring[err];
+ log("debug", "Got SASL error condition %d: %s", err, sasl_errstring[err]);
+ return "failure", "undefined-condition", sasl_errstring[err];
 end
 end
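Review bot: The text returned on the new not-provisioned path, "User authenticated successfully, but not provisioned for XMPP", tells whoever receives it that the credentials were valid, which makes this branch a credential-validity oracle for accounts that exist in the Cyrus backend but not in XMPP; if the third return value of `process` is relayed to the client, it should carry the same wording as the SASL_BADAUTH branch and the detail should go to the log instead. `self.username` also stays populated on this failure path, so a caller that reads it after a "failure" result sees an authenticated name. I would write `log("debug", "User %s authenticated via Cyrus but is not provisioned for XMPP", self.username); self.username = nil; return "failure", "not-authorized", sasl_errstring[-13];`. Whether the caller relays the text or reads `username` after a failure is not visible from this hunk.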