X-Git-Url: https://git.enpas.org/?a=blobdiff_plain;f=util%2Fsasl_cyrus.lua;h=f5bfcbe9f4ea749a387d9df660e95c0dd0eeee26;hb=33d132acecdb68f769087e8f47937bc365f7979f;hp=610257ca124f8252b6955f0e815b699764ec166f;hpb=7aa58ae9d7679f28752638a5ab7831c246b54d55;p=prosody.git

diff --git a/util/sasl_cyrus.lua b/util/sasl_cyrus.lua
index 610257ca..f5bfcbe9 100644
--- a/util/sasl_cyrus.lua
+++ b/util/sasl_cyrus.lua
@@ -27,6 +27,47 @@ local print = print
 local pcall = pcall
 local s_match, s_gmatch = string.match, string.gmatch
 
+local sasl_errstring = {
+	-- SASL result codes --
+	[1]   = "another step is needed in authentication";
+	[0]   = "successful result";
+	[-1]  = "generic failure";
+	[-2]  = "memory shortage failure";
+	[-3]  = "overflowed buffer";
+	[-4]  = "mechanism not supported";
+	[-5]  = "bad protocol / cancel";
+	[-6]  = "can't request info until later in exchange";
+	[-7]  = "invalid parameter supplied";
+	[-8]  = "transient failure (e.g., weak key)";
+	[-9]  = "integrity check failed";
+	[-12] = "SASL library not initialized";
+
+	-- client only codes --
+	[2]   = "needs user interaction";
+	[-10] = "server failed mutual authentication step";
+	[-11] = "mechanism doesn't support requested feature";
+
+	-- server only codes --
+	[-13] = "authentication failure";
+	[-14] = "authorization failure";
+	[-15] = "mechanism too weak for this user";
+	[-16] = "encryption needed to use mechanism";
+	[-17] = "One time use of a plaintext password will enable requested mechanism for user";
+	[-18] = "passphrase expired, has to be reset";
+	[-19] = "account disabled";
+	[-20] = "user not found";
+	[-23] = "version mismatch with plug-in";
+	[-24] = "remote authentication server unavailable";
+	[-26] = "user exists, but no verifier for user";
+
+	-- codes for password setting --
+	[-21] = "passphrase locked";
+	[-22] = "requested change was not needed";
+	[-27] = "passphrase is too weak for security policy";
+	[-28] = "user supplied passwords not permitted";
+};
+setmetatable(sasl_errstring, { __index = function() return "undefined error!" end });
+
 module "sasl_cyrus"
 
 local method = {};
@@ -35,25 +76,41 @@ local initialized = false;
 
 local function init(service_name)
 	if not initialized then
-		if pcall(cyrussasl.server_init, service_name) then
+		local st, errmsg = pcall(cyrussasl.server_init, service_name);
+		if st then
 			initialized = true;
+		else
+			log("error", "Failed to initialize Cyrus SASL: %s", errmsg);
 		end
 	end
 end
 
 -- create a new SASL object which can be used to authenticate clients
-function new(realm, service_name)
+function new(realm, service_name, app_name)
 	local sasl_i = {};
 
-	init(service_name);
+	init(app_name or service_name);
 
 	sasl_i.realm = realm;
 	sasl_i.service_name = service_name;
-	sasl_i.cyrus = cyrussasl.server_new(service_name, nil, nil, nil, nil)
-	if sasl_i.cyrus == 0 then
-		log("error", "got NULL return value from server_new")
+
+	local st, ret = pcall(cyrussasl.server_new, service_name, nil, realm, nil, nil)
+	if st then
+		sasl_i.cyrus = ret;
+	else
+		log("error", "Creating SASL server connection failed: %s", ret);
 		return nil;
 	end
+
+	if cyrussasl.set_canon_cb then
+		local c14n_cb = function (user)
+			local node = s_match(user, "^([^@]+)");
+			log("debug", "Canonicalizing username %s to %s", user, node)
+			return node
+		end
+		cyrussasl.set_canon_cb(sasl_i.cyrus, c14n_cb);
+	end
+
 	cyrussasl.setssf(sasl_i.cyrus, 0, 0xffffffff)
 	local s = setmetatable(sasl_i, method);
 	return s;
@@ -66,25 +123,28 @@ end
 
 -- set the forbidden mechanisms
 function method:forbidden( restrict )
-	log("debug", "Called method:forbidden. NOT IMPLEMENTED.")
+	log("warn", "Called method:forbidden. NOT IMPLEMENTED.")
 	return {}
 end
 
 -- get a list of possible SASL mechanims to use
 function method:mechanisms()
-	local mechanisms = {}
-	local cyrus_mechs = cyrussasl.listmech(self.cyrus, nil, "", " ", "")
-	for w in s_gmatch(cyrus_mechs, "[^ ]+") do
-		mechanisms[w] = true;
+	local mechanisms = self.mechs;
+	if not mechanisms then
+		mechanisms = {}
+		local cyrus_mechs = cyrussasl.listmech(self.cyrus, nil, "", " ", "")
+		for w in s_gmatch(cyrus_mechs, "[^ ]+") do
+			mechanisms[w] = true;
+		end
+		self.mechs = mechanisms
 	end
-	self.mechs = mechanisms
-	return array.collect(keys(mechanisms));
+	return mechanisms;
 end
 
 -- select a mechanism to use
 function method:select(mechanism)
 	self.mechanism = mechanism;
-	return self.mechs[mechanism];
+	return self:mechanisms()[mechanism];
 end
 
 -- feed new messages to process into the library
@@ -106,16 +166,12 @@ function method:process(message)
 	   return "challenge", data
 	elseif (err == -4) then -- SASL_NOMECH
 	   log("debug", "SASL mechanism not available from remote end")
-	   return "failure", 
-	     "undefined-condition",
-	     "SASL mechanism not available"
+	   return "failure", "invalid-mechanism", "SASL mechanism not available"
 	elseif (err == -13) then -- SASL_BADAUTH
-	   return "failure", "not-authorized"
+	   return "failure", "not-authorized", sasl_errstring[err];
 	else
-	   log("debug", "Got SASL error condition %d", err)
-	   return "failure", 
-	     "undefined-condition",
-	     cyrussasl.get_message( self.cyrus )
+	   log("debug", "Got SASL error condition %d: %s", err, sasl_errstring[err]);
+	   return "failure", "undefined-condition", sasl_errstring[err];
 	end
 end