plugins/mod_auth_internal_hashed.lua

   1 -- Prosody IM
   2 -- Copyright (C) 2008-2010 Matthew Wild
   3 -- Copyright (C) 2008-2010 Waqas Hussain
   4 -- Copyright (C) 2010 Jeff Mitchell
   5 --
   6 -- This project is MIT/X11 licensed. Please see the
   7 -- COPYING file in the source package for more information.
   8 --
   9
  10 local max = math.max;
  11
  12 local getAuthenticationDatabaseSHA1 = require "util.sasl.scram".getAuthenticationDatabaseSHA1;
  13 local usermanager = require "core.usermanager";
  14 local generate_uuid = require "util.uuid".generate;
  15 local new_sasl = require "util.sasl".new;
  16 local hex = require"util.hex";
  17 local to_hex, from_hex = hex.to, hex.from;
  18
  19 local log = module._log;
  20 local host = module.host;
  21
  22 local accounts = module:open_store("accounts");
  23
  24
  25
  26 -- Default; can be set per-user
  27 local default_iteration_count = 4096;
  28
  29 -- define auth provider
  30 local provider = {};
  31
  32 function provider.test_password(username, password)
  33         log("debug", "test password for user '%s'", username);
  34         local credentials = accounts:get(username) or {};
  35
  36         if credentials.password ~= nil and string.len(credentials.password) ~= 0 then
  37                 if credentials.password ~= password then
  38                         return nil, "Auth failed. Provided password is incorrect.";
  39                 end
  40
  41                 if provider.set_password(username, credentials.password) == nil then
  42                         return nil, "Auth failed. Could not set hashed password from plaintext.";
  43                 else
  44                         return true;
  45                 end
  46         end
  47
  48         if credentials.iteration_count == nil or credentials.salt == nil or string.len(credentials.salt) == 0 then
  49                 return nil, "Auth failed. Stored salt and iteration count information is not complete.";
  50         end
  51
  52         local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, credentials.salt, credentials.iteration_count);
  53
  54         local stored_key_hex = to_hex(stored_key);
  55         local server_key_hex = to_hex(server_key);
  56
  57         if valid and stored_key_hex == credentials.stored_key and server_key_hex == credentials.server_key then
  58                 return true;
  59         else
  60                 return nil, "Auth failed. Invalid username, password, or password hash information.";
  61         end
  62 end
  63
  64 function provider.set_password(username, password)
  65         log("debug", "set_password for username '%s'", username);
  66         local account = accounts:get(username);
  67         if account then
  68                 account.salt = generate_uuid();
  69                 account.iteration_count = max(account.iteration_count or 0, default_iteration_count);
  70                 local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, account.salt, account.iteration_count);
  71                 local stored_key_hex = to_hex(stored_key);
  72                 local server_key_hex = to_hex(server_key);
  73
  74                 account.stored_key = stored_key_hex
  75                 account.server_key = server_key_hex
  76
  77                 account.password = nil;
  78                 return accounts:set(username, account);
  79         end
  80         return nil, "Account not available.";
  81 end
  82
  83 function provider.user_exists(username)
  84         local account = accounts:get(username);
  85         if not account then
  86                 log("debug", "account not found for username '%s'", username);
  87                 return nil, "Auth failed. Invalid username";
  88         end
  89         return true;
  90 end
  91
  92 function provider.users()
  93         return accounts:users();
  94 end
  95
  96 function provider.create_user(username, password)
  97         if password == nil then
  98                 return accounts:set(username, {});
  99         end
 100         local salt = generate_uuid();
 101         local valid, stored_key, server_key = getAuthenticationDatabaseSHA1(password, salt, default_iteration_count);
 102         local stored_key_hex = to_hex(stored_key);
 103         local server_key_hex = to_hex(server_key);
 104         return accounts:set(username, {stored_key = stored_key_hex, server_key = server_key_hex, salt = salt, iteration_count = default_iteration_count});
 105 end
 106
 107 function provider.delete_user(username)
 108         return accounts:set(username, nil);
 109 end
 110
 111 function provider.get_sasl_handler()
 112         local testpass_authentication_profile = {
 113                 plain_test = function(sasl, username, password, realm)
 114                         return usermanager.test_password(username, realm, password), true;
 115                 end,
 116                 scram_sha_1 = function(sasl, username, realm)
 117                         local credentials = accounts:get(username);
 118                         if not credentials then return; end
 119                         if credentials.password then
 120                                 usermanager.set_password(username, credentials.password, host);
 121                                 credentials = accounts:get(username);
 122                                 if not credentials then return; end
 123                         end
 124
 125                         local stored_key, server_key, iteration_count, salt = credentials.stored_key, credentials.server_key, credentials.iteration_count, credentials.salt;
 126                         stored_key = stored_key and from_hex(stored_key);
 127                         server_key = server_key and from_hex(server_key);
 128                         return stored_key, server_key, iteration_count, salt, true;
 129                 end
 130         };
 131         return new_sasl(host, testpass_authentication_profile);
 132 end
 133
 134 module:provides("auth", provider);
 135