| author | Kim Alvefur <zash@zash.se> |
| Sun, 25 Jan 2015 13:04:02 +0100 | |
| changeset 1593 | 3e4d15ae2133 |
| parent 1202 | 2cce28fe806b |
| permissions | -rw-r--r-- |
|
1196
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 |
-- IMAP authentication backend for Prosody |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 |
-- |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 |
-- Copyright (C) 2011 FIMXE from hg annotate -u |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 |
|
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 |
local name = "IMAP SASL"; |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 |
local log = require "util.logger".init("auth_imap"); |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 |
|
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 |
local imap_host = module:get_option_string("imap_auth_host", "localhost"); |
|
1198
b21bd39c8a12
mod_auth_imap: Leave port nil if not specified in the config, so we can auto-detect based on whether we use SSL
Matthew Wild <mwild1@gmail.com>
parents:
1196
diff
changeset
|
9 |
local imap_port = module:get_option_number("imap_auth_port"); |
|
1196
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 |
|
|
1202
2cce28fe806b
mod_auth_imap: Fix typo in previous commit
Matthew Wild <mwild1@gmail.com>
parents:
1201
diff
changeset
|
11 |
local imap_service_realm = module:get_option_string("imap_auth_realm", module:get_option("sasl_realm")); |
|
1201
744af76b7324
mod_auth_imap: Rename imap_service_realm to imap_auth_realm and inherit from sasl_realm, rename imap_service_name to imap_auth_service_name
Matthew Wild <mwild1@gmail.com>
parents:
1200
diff
changeset
|
12 |
local imap_service_name = module:get_option_string("imap_auth_service_name"); |
|
1200
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
13 |
local append_host = module:get_option_boolean("auth_append_host"); |
|
1593
3e4d15ae2133
mod_storage_gdbm: Use require directly instead of util.import (which is not available in prosodyctl, breaks adduser etc)
Kim Alvefur <zash@zash.se>
parents:
1202
diff
changeset
|
14 |
local strip_host = module:get_option_boolean("auth_strip_host"); |
|
1196
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 |
|
|
1200
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
16 |
local verify_certificate = module:get_option_boolean("auth_imap_verify_certificate", true); |
|
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
17 |
local ssl_params = module:get_option("auth_imap_ssl", { |
|
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
18 |
mode = "client", protocol = "sslv23"; |
|
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
19 |
capath = "/etc/ssl/certs"; |
|
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
20 |
options = { "no_sslv2", "no_sslv3" }; |
|
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
21 |
verify = verify_certificate and { "peer", "fail_if_no_peer_cert" } or nil; |
|
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
22 |
ciphers = "HIGH:!DSS:!aNULL@STRENGTH"; |
|
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
23 |
}); |
|
1196
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 |
|
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 |
local new_imap_sasl = module:require "sasl_imap".new; |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 |
|
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 |
local new_sasl = function(realm) |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 |
return new_imap_sasl( |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 |
imap_service_realm or realm, |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 |
imap_service_name or "xmpp", |
|
1200
34216cdffda6
mod_auth_imap: unfortunately large commit which adds support for SSL (including cert verification), appending the realm to usernames, and various IMAP protocol fixes
Matthew Wild <mwild1@gmail.com>
parents:
1198
diff
changeset
|
31 |
imap_host, imap_port, |
|
1593
3e4d15ae2133
mod_storage_gdbm: Use require directly instead of util.import (which is not available in prosodyctl, breaks adduser etc)
Kim Alvefur <zash@zash.se>
parents:
1202
diff
changeset
|
32 |
ssl_params, append_host, strip_host |
|
1196
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 |
); |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 |
end |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 |
|
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 |
do |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 |
local s = new_sasl(module.host) |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 |
assert(s, "Could not create a new SASL object"); |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 |
assert(s.mechanisms, "SASL object has no mechanims method"); |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 |
local m = {}; |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 |
for k in pairs(s:mechanisms()) do |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
42 |
table.insert(m, k); |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 |
end |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
44 |
log("debug", "Mechanims found: %s", table.concat(m, ", ")); |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
45 |
end |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
46 |
|
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 |
provider = { |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
48 |
name = module.name:gsub("^auth_",""); |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
49 |
}; |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
50 |
|
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
51 |
function provider.test_password(username, password) |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
52 |
return nil, "Legacy auth not supported with "..name; |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
53 |
end |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
54 |
|
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
55 |
function provider.get_password(username) |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
56 |
return nil, "Passwords unavailable for "..name; |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
57 |
end |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
58 |
|
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
59 |
function provider.set_password(username, password) |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
60 |
return nil, "Passwords unavailable for "..name; |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
61 |
end |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
62 |
|
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
63 |
function provider.user_exists(username) |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
64 |
-- FIXME |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
65 |
return true |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
66 |
end |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
67 |
|
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
68 |
function provider.create_user(username, password) |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
69 |
return nil, "Account creation/modification not available with "..name; |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
70 |
end |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
71 |
|
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
72 |
function provider.get_sasl_handler() |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
73 |
return new_sasl(module.host); |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
74 |
end |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
75 |
|
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
76 |
module:add_item("auth-provider", provider); |
|
f45ca6edc159
mod_auth_imap: Authentication module that works by passing through SASL to a IMAP connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
77 |