2016-04-07 12:28:19 +02:00
|
|
|
# ----------------------------------------------------------------------
|
|
|
|
#
|
|
|
|
# ejabberd, Copyright (C) 2002-2016 ProcessOne
|
|
|
|
#
|
|
|
|
# This program is free software; you can redistribute it and/or
|
|
|
|
# modify it under the terms of the GNU General Public License as
|
|
|
|
# published by the Free Software Foundation; either version 2 of the
|
|
|
|
# License, or (at your option) any later version.
|
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
# General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU General Public License along
|
|
|
|
# with this program; if not, write to the Free Software Foundation, Inc.,
|
|
|
|
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
|
|
#
|
|
|
|
# ----------------------------------------------------------------------
|
|
|
|
|
|
|
|
defmodule EjabberdCyrsaslTest do
|
|
|
|
@author "pawel@process-one.net"
|
|
|
|
|
|
|
|
use ExUnit.Case, async: true
|
|
|
|
|
|
|
|
setup_all do
|
2016-04-07 16:47:01 +02:00
|
|
|
:p1_sha.load_nif()
|
2016-04-07 12:28:19 +02:00
|
|
|
:mnesia.start
|
|
|
|
:ok = start_module(:stringprep)
|
2016-11-21 12:25:50 +01:00
|
|
|
{:ok, _} = start_module(:jid)
|
2016-04-07 16:47:01 +02:00
|
|
|
:ok = :ejabberd_config.start(["domain1"], [])
|
2016-04-07 12:28:19 +02:00
|
|
|
:ok = :cyrsasl.start
|
2016-04-07 16:47:01 +02:00
|
|
|
cyrstate = :cyrsasl.server_new("domain1", "domain1", "domain1", :ok, &get_password/1,
|
2016-04-07 12:28:19 +02:00
|
|
|
&check_password/3, &check_password_digest/5)
|
|
|
|
{:ok, cyrstate: cyrstate}
|
|
|
|
end
|
|
|
|
|
|
|
|
test "Plain text (correct user and pass)", context do
|
|
|
|
step1 = :cyrsasl.server_start(context[:cyrstate], "PLAIN", <<0,"user1",0,"pass">>)
|
|
|
|
assert {:ok, _} = step1
|
|
|
|
{:ok, kv} = step1
|
|
|
|
assert kv[:authzid] == "user1", "got correct user"
|
|
|
|
end
|
|
|
|
|
|
|
|
test "Plain text (correct user wrong pass)", context do
|
|
|
|
step1 = :cyrsasl.server_start(context[:cyrstate], "PLAIN", <<0,"user1",0,"badpass">>)
|
2016-11-18 12:54:06 +01:00
|
|
|
assert step1 == {:error, :"not-authorized", "user1"}
|
2016-04-07 12:28:19 +02:00
|
|
|
end
|
|
|
|
|
|
|
|
test "Plain text (wrong user wrong pass)", context do
|
|
|
|
step1 = :cyrsasl.server_start(context[:cyrstate], "PLAIN", <<0,"nouser1",0,"badpass">>)
|
2016-11-18 12:54:06 +01:00
|
|
|
assert step1 == {:error, :"not-authorized", "nouser1"}
|
2016-04-07 12:28:19 +02:00
|
|
|
end
|
|
|
|
|
2016-04-07 16:47:01 +02:00
|
|
|
test "Anonymous", context do
|
|
|
|
setup_anonymous_mocks()
|
|
|
|
step1 = :cyrsasl.server_start(context[:cyrstate], "ANONYMOUS", "domain1")
|
|
|
|
assert {:ok, _} = step1
|
|
|
|
end
|
|
|
|
|
|
|
|
test "Digest-MD5 (correct user and pass)", context do
|
2016-11-25 14:37:59 +01:00
|
|
|
assert {:ok, _list} = process_digest_md5(context[:cyrstate], "user1", "domain1", "pass")
|
|
|
|
end
|
|
|
|
|
|
|
|
test "Digest-MD5 (correct user wrong pass)", context do
|
|
|
|
assert {:error, :"not-authorized", "user1"} = process_digest_md5(context[:cyrstate], "user1", "domain1", "badpass")
|
|
|
|
end
|
|
|
|
|
|
|
|
test "Digest-MD5 (wrong user correct pass)", context do
|
|
|
|
assert {:error, :"not-authorized", "baduser"} = process_digest_md5(context[:cyrstate], "baduser", "domain1", "pass")
|
|
|
|
end
|
|
|
|
|
|
|
|
test "Digest-MD5 (wrong user and pass)", context do
|
|
|
|
assert {:error, :"not-authorized", "baduser"} = process_digest_md5(context[:cyrstate], "baduser", "domain1", "badpass")
|
|
|
|
end
|
|
|
|
|
|
|
|
defp process_digest_md5(cyrstate, user, domain, pass) do
|
|
|
|
assert {:continue, init_str, state1} = :cyrsasl.server_start(cyrstate, "DIGEST-MD5", "")
|
2016-04-07 16:47:01 +02:00
|
|
|
assert [_, nonce] = Regex.run(~r/nonce="(.*?)"/, init_str)
|
|
|
|
digest_uri = "xmpp/#{domain}"
|
|
|
|
cnonce = "abcd"
|
|
|
|
nc = "00000001"
|
2016-11-25 14:37:59 +01:00
|
|
|
response_hash = calc_digest_md5(user, domain, pass, nc, nonce, cnonce)
|
2016-04-07 16:47:01 +02:00
|
|
|
response = "username=\"#{user}\",realm=\"#{domain}\",nonce=\"#{nonce}\",cnonce=\"#{cnonce}\"," <>
|
|
|
|
"nc=\"#{nc}\",qop=auth,digest-uri=\"#{digest_uri}\",response=\"#{response_hash}\"," <>
|
|
|
|
"charset=utf-8,algorithm=md5-sess"
|
2016-11-25 14:37:59 +01:00
|
|
|
case :cyrsasl.server_step(state1, response) do
|
|
|
|
{:continue, _calc_str, state2} -> :cyrsasl.server_step(state2, "")
|
|
|
|
other -> other
|
|
|
|
end
|
2016-04-07 16:47:01 +02:00
|
|
|
end
|
|
|
|
|
2016-11-25 14:37:59 +01:00
|
|
|
defp calc_digest_md5(user, domain, pass, nc, nonce, cnonce) do
|
|
|
|
digest_uri = "xmpp/#{domain}"
|
|
|
|
a0 = "#{user}:#{domain}:#{pass}"
|
|
|
|
a1 = "#{str_md5(a0)}:#{nonce}:#{cnonce}"
|
|
|
|
a2 = "AUTHENTICATE:#{digest_uri}"
|
|
|
|
hex_md5("#{hex_md5(a1)}:#{nonce}:#{nc}:#{cnonce}:auth:#{hex_md5(a2)}")
|
|
|
|
end
|
2016-04-07 16:47:01 +02:00
|
|
|
|
|
|
|
defp str_md5(str) do
|
|
|
|
:erlang.md5(str)
|
|
|
|
end
|
|
|
|
|
|
|
|
defp hex_md5(str) do
|
|
|
|
:p1_sha.to_hexlist(:erlang.md5(str))
|
|
|
|
end
|
|
|
|
|
|
|
|
defp setup_anonymous_mocks() do
|
|
|
|
:meck.unload
|
|
|
|
mock(:ejabberd_auth_anonymous, :is_sasl_anonymous_enabled,
|
2016-07-26 12:17:37 +02:00
|
|
|
fn (_host) ->
|
2016-04-07 16:47:01 +02:00
|
|
|
true
|
|
|
|
end)
|
|
|
|
mock(:ejabberd_auth, :is_user_exists,
|
|
|
|
fn (user, domain) ->
|
2016-11-25 14:37:59 +01:00
|
|
|
domain == "domain1" and get_password(user) != {:false, :internal}
|
2016-04-07 16:47:01 +02:00
|
|
|
end)
|
|
|
|
end
|
|
|
|
|
2016-04-07 12:28:19 +02:00
|
|
|
defp start_module(module) do
|
|
|
|
case apply(module, :start, []) do
|
|
|
|
:ok -> :ok
|
|
|
|
{:error, {:already_started, _}} -> :ok
|
|
|
|
other -> other
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
defp get_password(user) do
|
|
|
|
if user == "user1" or user == "user2" do
|
|
|
|
{"pass", :internal}
|
|
|
|
else
|
2016-11-25 14:37:59 +01:00
|
|
|
{:false, :internal}
|
2016-04-07 12:28:19 +02:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2016-07-26 12:17:37 +02:00
|
|
|
defp check_password(_user, authzid, pass) do
|
2016-04-07 12:28:19 +02:00
|
|
|
case get_password(authzid) do
|
|
|
|
{^pass, mod} ->
|
|
|
|
{true, mod}
|
|
|
|
_ ->
|
|
|
|
false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2016-07-26 12:17:37 +02:00
|
|
|
defp check_password_digest(_user, authzid, _pass, digest, digest_gen) do
|
2016-04-07 12:28:19 +02:00
|
|
|
case get_password(authzid) do
|
2016-11-25 14:37:59 +01:00
|
|
|
{:false, _} ->
|
|
|
|
false
|
2016-04-07 12:28:19 +02:00
|
|
|
{spass, mod} ->
|
2016-04-07 16:47:01 +02:00
|
|
|
v = digest_gen.(spass)
|
|
|
|
if v == digest do
|
2016-04-07 12:28:19 +02:00
|
|
|
{true, mod}
|
|
|
|
else
|
|
|
|
false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2016-04-07 16:47:01 +02:00
|
|
|
|
|
|
|
defp mock(module, function, fun) do
|
|
|
|
try do
|
|
|
|
:meck.new(module, [:non_strict])
|
|
|
|
catch
|
|
|
|
:error, {:already_started, _pid} -> :ok
|
|
|
|
end
|
|
|
|
:meck.expect(module, function, fun)
|
|
|
|
end
|
2016-04-07 12:28:19 +02:00
|
|
|
end
|