* src/ejabberd_auth.erl: If anonymous auth is enabled, when

checking if the account already exists in other auth methods, take
into account if the auth method failed (EJAB-882)
* src/ejabberd_auth_anonymous.erl: Likewise
* src/ejabberd_auth_external.erl: Likewise
* src/ejabberd_auth_internal.erl: Likewise
* src/ejabberd_auth_ldap.erl: Likewise
* src/ejabberd_auth_odbc.erl: Likewise
* src/ejabberd_auth_pam.erl: Likewise

SVN Revision: 1966

ChangeLog

@@ -1,5 +1,15 @@
 2009-03-04  Badlop  <badlop@process-one.net>
 
+	* src/ejabberd_auth.erl: If anonymous auth is enabled, when
+	checking if the account already exists in other auth methods, take
+	into account if the auth method failed (EJAB-882)
+	* src/ejabberd_auth_anonymous.erl: Likewise
+	* src/ejabberd_auth_external.erl: Likewise
+	* src/ejabberd_auth_internal.erl: Likewise
+	* src/ejabberd_auth_ldap.erl: Likewise
+	* src/ejabberd_auth_odbc.erl: Likewise
+	* src/ejabberd_auth_pam.erl: Likewise
+
 	* src/mod_caps.erl: Fix two small compilation errors
 
 2009-03-04  Christophe Romain <christophe.romain@process-one.net>

src/ejabberd_auth.erl

@@ -92,10 +92,10 @@ plain_password_required(Server) when is_list(Server) ->
 
 check_password(User, Server, Password)
   when is_list(User), is_list(Server), is_list(Password) ->
-    lists:any(
-      fun(M) ->
-	      M:check_password(User, Server, Password)
-      end, auth_modules(Server)).
+    case check_password_with_authmodule(User, Server, Password) of
+	{true, _AuthModule} -> true;
+	false -> false
+    end.
 
 %% @spec (User, Server, Password, StreamID, Digest) -> bool()
 %%     User = string()
@@ -108,10 +108,11 @@ check_password(User, Server, Password)
 check_password(User, Server, Password, StreamID, Digest)
   when is_list(User), is_list(Server), is_list(Password),
   is_list(StreamID), is_list(Digest) ->
-    lists:any(
-      fun(M) ->
-	      M:check_password(User, Server, Password, StreamID, Digest)
-      end, auth_modules(Server)).
+    case check_password_with_authmodule(User, Server, Password,
+					StreamID, Digest) of
+	{true, _AuthModule} -> true;
+	false -> false
+    end.
 
 %% @spec (User, Server, Password) -> {true, AuthModule} | false
 %%     User = string()
@@ -125,15 +126,7 @@ check_password(User, Server, Password, StreamID, Digest)
 
 check_password_with_authmodule(User, Server, Password)
   when is_list(User), is_list(Server), is_list(Password) ->
-    Res = lists:dropwhile(
-	    fun(M) ->
-		    not apply(M, check_password,
-			      [User, Server, Password])
-	    end, auth_modules(Server)),
-    case Res of
-	[] -> false;
-	[AuthMod | _] -> {true, AuthMod}
-    end.
+    check_password_loop(auth_modules(Server), [User, Server, Password]).
 
 %% @spec (User, Server, Password, StreamID, Digest) -> {true, AuthModule} | false
 %%     User = string()
@@ -149,14 +142,17 @@ check_password_with_authmodule(User, Server, Password)
 check_password_with_authmodule(User, Server, Password, StreamID, Digest)
   when is_list(User), is_list(Server), (is_list(Password) orelse Password == 'undefined'),
   is_list(StreamID), (is_list(Digest) orelse Digest == 'undefined')->
-    Res = lists:dropwhile(
-	    fun(M) ->
-		    not apply(M, check_password,
-			      [User, Server, Password, StreamID, Digest])
-	    end, auth_modules(Server)),
-    case Res of
-	[] -> false;
-	[AuthMod | _] -> {true, AuthMod}
+    check_password_loop(auth_modules(Server), [User, Server, Password,
+					       StreamID, Digest]).
+
+check_password_loop([], _Args) ->
+    false;
+check_password_loop([AuthModule | AuthModules], Args) ->
+    case apply(AuthModule, check_password, Args) of
+	true ->
+	    {true, AuthModule};
+	false ->
+	    check_password_loop(AuthModules, Args)
     end.
 
 %% @spec (User, Server, Password) -> ok | {error, ErrorType}
@@ -347,7 +343,7 @@ is_user_exists(User, Server) when is_list(User), is_list(Server) ->
 	      M:is_user_exists(User, Server)
       end, auth_modules(Server)).
 
-%% @spec (Module, User, Server) -> bool
+%% @spec (Module, User, Server) -> true | false | maybe
 %%     Module = authmodule()
 %%     User = string()
 %%     Server = string()
@@ -356,10 +352,24 @@ is_user_exists(User, Server) when is_list(User), is_list(Server) ->
 
 is_user_exists_in_other_modules(Module, User, Server)
   when is_list(User), is_list(Server) ->
-    lists:any(
-      fun(M) ->
-	      M:is_user_exists(User, Server)
-      end, auth_modules(Server)--[Module]).
+    is_user_exists_in_other_modules_loop(
+      auth_modules(Server)--[Module],
+      User, Server).
+is_user_exists_in_other_modules_loop([], _User, _Server) ->
+    false;
+is_user_exists_in_other_modules_loop([AuthModule|AuthModules], User, Server) ->
+    case AuthModule:is_user_exists(User, Server) of
+	true ->
+	    true;
+	false ->
+	    is_user_exists_in_other_modules_loop(AuthModules, User, Server);
+	{error, Error} ->
+	    ?DEBUG("The authentication module ~p returned an error~nwhen "
+		   "checking user ~p in server ~p~nError message: ~p",
+		   [AuthModule, User, Server, Error]),
+	    maybe
+    end.
+
 
 %% @spec (User, Server) -> ok | error | {error, not_allowed}
 %%     User = string()

src/ejabberd_auth_anonymous.erl

@@ -234,7 +234,10 @@ check_password(User, Server, _Password, _StreamID, _Digest) ->
     %% they however are "reserved")
     case ejabberd_auth:is_user_exists_in_other_modules(?MODULE, 
 						       User, Server) of
+	%% If user exists in other module, reject anonnymous authentication
 	true  -> false;
+	%% If we are not sure whether the user exists in other module, reject anon auth
+	maybe  -> false;
 	false -> login(User, Server)
     end.
 

src/ejabberd_auth_external.erl

@@ -128,8 +128,13 @@ get_password_s(_User, _Server) ->
 %%     User = string()
 %%     Server = string()
 
+%% @spec (User, Server) -> true | false | {error, Error}
 is_user_exists(User, Server) ->
-    extauth:is_user_exists(User, Server).
+    try extauth:is_user_exists(User, Server) of
+	Res -> Res
+    catch
+	_:Error -> {error, Error}
+    end.
 
 %% @spec (User, Server) -> {error, not_allowed}
 %%     User = string()

src/ejabberd_auth_internal.erl

@@ -310,6 +310,7 @@ get_password_s(User, Server) ->
 %%     User = string()
 %%     Server = string()
 
+%% @spec (User, Server) -> true | false | {error, Error}
 is_user_exists(User, Server) ->
     try
 	LUser = exmpp_stringprep:nodeprep(User),
@@ -320,8 +321,8 @@ is_user_exists(User, Server) ->
 		false;
 	    [_] ->
 		true;
-	    _ ->
-		false
+	    Other ->
+		{error, Other}
 	end
     catch
 	_ ->

src/ejabberd_auth_ldap.erl

@@ -242,10 +242,11 @@ get_password_s(_User, _Server) ->
 %%     User = string()
 %%     Server = string()
 
+%% @spec (User, Server) -> true | false | {error, Error}
 is_user_exists(User, Server) ->
     case catch is_user_exists_ldap(User, Server) of
-	{'EXIT', _} ->
-	    false;
+	{'EXIT', Error} ->
+	    {error, Error};
 	Result ->
 	    Result
     end.

src/ejabberd_auth_odbc.erl

@@ -73,11 +73,18 @@ check_password(User, Server, Password) ->
 	LUser = exmpp_stringprep:nodeprep(User),
 	Username = ejabberd_odbc:escape(LUser),
 	LServer = exmpp_stringprep:nameprep(Server),
-	case catch odbc_queries:get_password(LServer, Username) of
+	try odbc_queries:get_password(LServer, Username) of
 	    {selected, ["password"], [{Password}]} ->
-		Password /= "";
-	    _ ->
-		false
+		    Password /= ""; %% Password is correct, and not empty
+		{selected, ["password"], [{_Password2}]} ->
+		    false; %% Password is not correct
+		{selected, ["password"], []} ->
+		    false; %% Account does not exist
+		{error, _Error} ->
+		    false %% Typical error is that table doesn't exist
+	    catch
+		_:_ ->
+		    false %% Typical error is database not accessible
 	end
     catch
 	_ ->
@@ -96,7 +103,8 @@ check_password(User, Server, Password, StreamID, Digest) ->
 	LUser = exmpp_stringprep:nodeprep(User),
 	Username = ejabberd_odbc:escape(LUser),
 	LServer = exmpp_stringprep:nameprep(Server),
-	case catch odbc_queries:get_password(LServer, Username) of
+	try odbc_queries:get_password(LServer, Username) of
+		%% Account exists, check if password is valid
 	    {selected, ["password"], [{Passwd}]} ->
 		DigRes = if
 		    Digest /= "" ->
@@ -109,8 +117,13 @@ check_password(User, Server, Password, StreamID, Digest) ->
 		    true ->
 			(Passwd == Password) and (Password /= "")
 		end;
-	    _ ->
-		false
+		{selected, ["password"], []} ->
+		    false; %% Account does not exist
+		{error, _Error} ->
+		    false %% Typical error is that table doesn't exist
+	    catch
+		_:_ ->
+		    false %% Typical error is database not accessible
 	end
     catch
 	_ ->
@@ -277,16 +290,22 @@ get_password_s(User, Server) ->
 %%     User = string()
 %%     Server = string()
 
+%% @spec (User, Server) -> true | false | {error, Error}
 is_user_exists(User, Server) ->
     try
 	LUser = exmpp_stringprep:nodeprep(User),
 	Username = ejabberd_odbc:escape(LUser),
 	LServer = exmpp_stringprep:nameprep(Server),
-	case catch odbc_queries:get_password(LServer, Username) of
+	try odbc_queries:get_password(LServer, Username) of
 	    {selected, ["password"], [{_Password}]} ->
-		true;
-	    _ ->
-		false
+		    true; %% Account exists
+		{selected, ["password"], []} ->
+		    false; %% Account does not exist
+		{error, Error} ->
+		    {error, Error} %% Typical error is that table doesn't exist
+	    catch
+		_:B ->
+		    {error, B} %% Typical error is database not accessible
 	end
     catch
 	_ ->

src/ejabberd_auth_pam.erl

@@ -125,9 +125,11 @@ get_password(_User, _Server) ->
 get_password_s(_User, _Server) ->
     "".
 
-%% @spec (User, Server) -> bool()
+%% @spec (User, Server) -> true | false | {error, Error}
 %%     User = string()
 %%     Server = string()
+%% TODO: Improve this function to return an error instead of 'false' when
+%% connection to PAM failed
 
 is_user_exists(User, Server) ->
     Service = get_pam_service(Server),