X-Git-Url: https://git.enpas.org/?a=blobdiff_plain;f=util%2Fsasl_cyrus.lua;h=4e9a4af5c72798db85b6f3bee69ed95e874a683f;hb=1fa258876ff1445ae9bf738f87793de1ebde71dc;hp=3ec8adca6029598117df40d4c618d5c25251fe5e;hpb=7657e63e5e6c3c1fb9c5481cbd6cda0b067a00cc;p=prosody.git

diff --git a/util/sasl_cyrus.lua b/util/sasl_cyrus.lua
index 3ec8adca..4e9a4af5 100644
--- a/util/sasl_cyrus.lua
+++ b/util/sasl_cyrus.lua
@@ -60,7 +60,7 @@ local sasl_errstring = {
 };
 setmetatable(sasl_errstring, { __index = function() return "undefined error!" end });
 
-module "sasl_cyrus"
+local _ENV = nil;
 
 local method = {};
 method.__index = method;
@@ -78,11 +78,15 @@ local function init(service_name)
 end
 
 -- create a new SASL object which can be used to authenticate clients
-function new(realm, service_name, app_name)
+-- host_fqdn may be nil in which case gethostname() gives the value.
+--      For GSSAPI, this determines the hostname in the service ticket (after
+--      reverse DNS canonicalization, only if [libdefaults] rdns = true which
+--      is the default).
+local function new(realm, service_name, app_name, host_fqdn)
 
 	init(app_name or service_name);
 
-	local st, ret = pcall(cyrussasl.server_new, service_name, nil, realm, nil, nil)
+	local st, ret = pcall(cyrussasl.server_new, service_name, host_fqdn, realm, nil, nil)
 	if not st then
 		log("error", "Creating SASL server connection failed: %s", ret);
 		return nil;
@@ -100,6 +104,12 @@ function new(realm, service_name, app_name)
 	end
 
 	cyrussasl.setssf(sasl_i.cyrus, 0, 0xffffffff)
+	local mechanisms = {};
+	local cyrus_mechs = cyrussasl.listmech(sasl_i.cyrus, nil, "", " ", "");
+	for w in s_gmatch(cyrus_mechs, "[^ ]+") do
+		mechanisms[w] = true;
+	end
+	sasl_i.mechs = mechanisms;
 	return setmetatable(sasl_i, method);
 end
 
@@ -110,22 +120,15 @@ end
 
 -- get a list of possible SASL mechanims to use
 function method:mechanisms()
-	local mechanisms = self.mechs;
-	if not mechanisms then
-		mechanisms = {}
-		local cyrus_mechs = cyrussasl.listmech(self.cyrus, nil, "", " ", "")
-		for w in s_gmatch(cyrus_mechs, "[^ ]+") do
-			mechanisms[w] = true;
-		end
-		self.mechs = mechanisms
-	end
-	return mechanisms;
+	return self.mechs;
 end
 
 -- select a mechanism to use
 function method:select(mechanism)
-	self.mechanism = mechanism;
-	return self:mechanisms()[mechanism];
+	if not self.selected and self.mechs[mechanism] then
+		self.selected = mechanism;
+		return true;
+	end
 end
 
 -- feed new messages to process into the library
@@ -134,7 +137,7 @@ function method:process(message)
 	local data;
 
 	if not self.first_step_done then
-		err, data = cyrussasl.server_start(self.cyrus, self.mechanism, message or "")
+		err, data = cyrussasl.server_start(self.cyrus, self.selected, message or "")
 		self.first_step_done = true;
 	else
 		err, data = cyrussasl.server_step(self.cyrus, message or "")
@@ -143,6 +146,9 @@ function method:process(message)
 	self.username = cyrussasl.get_username(self.cyrus)
 
 	if (err == 0) then -- SASL_OK
+		if self.require_provisioning and not self.require_provisioning(self.username) then
+			return "failure", "not-authorized", "User authenticated successfully, but not provisioned for XMPP";
+		end
 		return "success", data
 	elseif (err == 1) then -- SASL_CONTINUE
 		return "challenge", data
@@ -157,4 +163,6 @@ function method:process(message)
 	end
 end
 
-return _M;
+return {
+	new = new;
+};