X-Git-Url: https://git.enpas.org/?a=blobdiff_plain;f=util%2Fsasl_cyrus.lua;h=b5b0e08d0a5adf1662075bf024fc93e85ced0c6a;hb=d1157fba90d49dfe56c340da082bc6a5ce19a8b3;hp=9a81eb97012d9c15783f9a30102aada874d7db41;hpb=1acc8f231b80f3806f99ba20a7bd981cf5c85f63;p=prosody.git diff --git a/util/sasl_cyrus.lua b/util/sasl_cyrus.lua index 9a81eb97..b5b0e08d 100644 --- a/util/sasl_cyrus.lua +++ b/util/sasl_cyrus.lua @@ -25,24 +25,51 @@ local keys = keys; local print = print local pcall = pcall +local s_match, s_gmatch = string.match, string.gmatch module "sasl_cyrus" local method = {}; method.__index = method; - -pcall(cyrussasl.server_init, "prosody") +local initialized = false; + +local function init(service_name) + if not initialized then + local st, errmsg = pcall(cyrussasl.server_init, service_name); + if st then + initialized = true; + else + log("error", "Failed to initialize Cyrus SASL: %s", errmsg); + end + end +end -- create a new SASL object which can be used to authenticate clients function new(realm, service_name) local sasl_i = {}; + + init(service_name); + sasl_i.realm = realm; sasl_i.service_name = service_name; - sasl_i.cyrus = cyrussasl.server_new(service_name, realm, realm, nil, nil) - if sasl_i.cyrus == 0 then - log("error", "got NULL return value from server_new") + + local st, ret = pcall(cyrussasl.server_new, service_name, nil, realm, nil, nil) + if st then + sasl_i.cyrus = ret; + else + log("error", "Creating SASL server connection failed: %s", ret); return nil; end + + if cyrussasl.set_canon_cb then + local c14n_cb = function (user) + local node = s_match(user, "^([^@]+)"); + log("debug", "Canonicalizing username %s to %s", user, node) + return node + end + cyrussasl.set_canon_cb(sasl_i.cyrus, c14n_cb); + end + cyrussasl.setssf(sasl_i.cyrus, 0, 0xffffffff) local s = setmetatable(sasl_i, method); return s; @@ -55,35 +82,37 @@ end -- set the forbidden mechanisms function method:forbidden( restrict ) - log("debug", "Called method:forbidden. NOT IMPLEMENTED.") + log("warn", "Called method:forbidden. NOT IMPLEMENTED.") return {} end -- get a list of possible SASL mechanims to use function method:mechanisms() local mechanisms = {} - local cyrus_mechs = cyrussasl.listmech(self.cyrus) - for w in s_gmatch(cyrus_mechs, "%a+") do + local cyrus_mechs = cyrussasl.listmech(self.cyrus, nil, "", " ", "") + for w in s_gmatch(cyrus_mechs, "[^ ]+") do mechanisms[w] = true; end - self.mechanisms = mechanisms + self.mechs = mechanisms return array.collect(keys(mechanisms)); end -- select a mechanism to use function method:select(mechanism) self.mechanism = mechanism; - return not self.mechanisms[mechanisms]; + if not self.mechs then self:mechanisms(); end + return self.mechs[mechanism]; end -- feed new messages to process into the library function method:process(message) local err; local data; + if self.mechanism then - err, data = cyrussasl.server_start(self.cyrus, self.mechanism, message) + err, data = cyrussasl.server_start(self.cyrus, self.mechanism, message or "") else - err, data = cyrussasl.server_step(self.cyrus, message) + err, data = cyrussasl.server_step(self.cyrus, message or "") end self.username = cyrussasl.get_username(self.cyrus) @@ -94,16 +123,12 @@ function method:process(message) return "challenge", data elseif (err == -4) then -- SASL_NOMECH log("debug", "SASL mechanism not available from remote end") - return "failure", - "undefined-condition", - "SASL mechanism not available" + return "failure", "invalid-mechanism", "SASL mechanism not available" elseif (err == -13) then -- SASL_BADAUTH - return "failure", "not-authorized" + return "failure", "not-authorized", cyrussasl.get_message( self.cyrus ) else log("debug", "Got SASL error condition %d", err) - return "failure", - "undefined-condition", - cyrussasl.get_message( self.cyrus ) + return "failure", "undefined-condition", cyrussasl.get_message( self.cyrus ) end end