Use SASL PLAIN authzid as client identity if auth module permits it
This allows the authentication modules to perform SASL proxy authentication. It puts the onus on them to authorize the authcid to masquerade as the authzid. Doesn't currently implement such functionality in existing auth modules, since they cannot currently codify a relationship between the two identities. Does not permit the authzid to use a domain different from that of the connection. Note: digest might not work, but I have no interest in it, being deprecated.
This commit is contained in:
parent
d9814709e2
commit
917d48f30b
|
@ -128,7 +128,7 @@ register_mechanism(Mechanism, Module, PasswordType) ->
|
||||||
%% end.
|
%% end.
|
||||||
|
|
||||||
check_credentials(_State, Props) ->
|
check_credentials(_State, Props) ->
|
||||||
User = proplists:get_value(username, Props, <<>>),
|
User = proplists:get_value(authzid, Props, <<>>),
|
||||||
case jlib:nodeprep(User) of
|
case jlib:nodeprep(User) of
|
||||||
error -> {error, <<"not-authorized">>};
|
error -> {error, <<"not-authorized">>};
|
||||||
<<"">> -> {error, <<"not-authorized">>};
|
<<"">> -> {error, <<"not-authorized">>};
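Review bot: check_credentials now derives the session identity solely from the `authzid` property, so any mechanism whose Props carry only `username` (mechanisms this commit does not touch, for instance SCRAM or ANONYMOUS if they do not set `authzid`) lands on the `<<>>` default and is refused with not-authorized. If that is intended, every mechanism has to be updated in lockstep; otherwise keep the old key as the fallback: `User = proplists:get_value(authzid, Props, proplists:get_value(username, Props, <<>>)),`. Either way, a comment above that line saying that `authzid` may be used as the identity here only because the mechanism has already had the auth module accept the authcid/authzid pair would make the new trust contract visible. check_credentials continues past the end of the hunk.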
|
||||||
|
|
|
@ -47,7 +47,7 @@
|
||||||
username = <<"">> :: binary(),
|
username = <<"">> :: binary(),
|
||||||
authzid = <<"">> :: binary(),
|
authzid = <<"">> :: binary(),
|
||||||
get_password = fun(_) -> {false, <<>>} end :: get_password_fun(),
|
get_password = fun(_) -> {false, <<>>} end :: get_password_fun(),
|
||||||
check_password = fun(_, _, _, _) -> false end :: check_password_fun(),
|
check_password = fun(_, _, _, _, _) -> false end :: check_password_fun(),
|
||||||
auth_module :: atom(),
|
auth_module :: atom(),
|
||||||
host = <<"">> :: binary(),
|
host = <<"">> :: binary(),
|
||||||
hostfqdn = <<"">> :: binary()}).
|
hostfqdn = <<"">> :: binary()}).
|
||||||
|
@ -95,7 +95,7 @@ mech_step(#state{step = 3, nonce = Nonce} = State,
|
||||||
case (State#state.get_password)(UserName) of
|
case (State#state.get_password)(UserName) of
|
||||||
{false, _} -> {error, <<"not-authorized">>, UserName};
|
{false, _} -> {error, <<"not-authorized">>, UserName};
|
||||||
{Passwd, AuthModule} ->
|
{Passwd, AuthModule} ->
|
||||||
case (State#state.check_password)(UserName, <<"">>,
|
case (State#state.check_password)(UserName, UserName, <<"">>,
|
||||||
proplists:get_value(<<"response">>, KeyVals, <<>>),
|
proplists:get_value(<<"response">>, KeyVals, <<>>),
|
||||||
fun (PW) ->
|
fun (PW) ->
|
||||||
response(KeyVals,
|
response(KeyVals,
|
||||||
|
@ -123,7 +123,11 @@ mech_step(#state{step = 5, auth_module = AuthModule,
|
||||||
username = UserName, authzid = AuthzId},
|
username = UserName, authzid = AuthzId},
|
||||||
<<"">>) ->
|
<<"">>) ->
|
||||||
{ok,
|
{ok,
|
||||||
[{username, UserName}, {authzid, AuthzId},
|
[{username, UserName}, {authzid, case AuthzId of
|
||||||
|
<<"">> -> UserName;
|
||||||
|
_ -> AuthzId
|
||||||
|
end
|
||||||
|
},
|
||||||
{auth_module, AuthModule}]};
|
{auth_module, AuthModule}]};
|
||||||
mech_step(A, B) ->
|
mech_step(A, B) ->
|
||||||
?DEBUG("SASL DIGEST: A ~p B ~p", [A, B]),
|
?DEBUG("SASL DIGEST: A ~p B ~p", [A, B]),
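Review bot: In the step-3 hunk (`@ -95,7 +95,7 @@`) the check_password fun is now called with `UserName` in the AuthzId position, so the auth module only ever sees authzid equal to authcid and accepts, yet the step-5 hunk then reports the client-supplied `AuthzId` whenever it is non-empty, and cyrsasl:check_credentials in this same commit uses that value as the session identity. Assuming `#state.authzid` is filled from the client's authzid directive (that happens outside these hunks), a client that authenticates as one user can name a different user as authzid and the auth module is never asked to authorize the pair — the opposite of what the PLAIN mechanism does in this commit. Pass the client's authzid to the module at step 3 instead, e.g. `case (State#state.check_password)(UserName, proplists:get_value(<<"authzid">>, KeyVals, <<"">>), <<"">>,` (or whichever value later lands in `#state.authzid`), so the same refusal rule applies to both mechanisms; alternatively drop the step-5 fallback and keep reporting UserName until digest is meant to support proxying. Both mech_step clauses begin outside their hunks.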
|
||||||
|
|
|
@ -45,7 +45,7 @@ mech_new(_Host, _GetPassword, CheckPassword, _CheckPasswordDigest) ->
|
||||||
mech_step(State, ClientIn) ->
|
mech_step(State, ClientIn) ->
|
||||||
case prepare(ClientIn) of
|
case prepare(ClientIn) of
|
||||||
[AuthzId, User, Password] ->
|
[AuthzId, User, Password] ->
|
||||||
case (State#state.check_password)(User, Password) of
|
case (State#state.check_password)(User, AuthzId, Password) of
|
||||||
{true, AuthModule} ->
|
{true, AuthModule} ->
|
||||||
{ok,
|
{ok,
|
||||||
[{username, User}, {authzid, AuthzId},
|
[{username, User}, {authzid, AuthzId},
|
||||||
|
@ -60,12 +60,17 @@ prepare(ClientIn) ->
|
||||||
[<<"">>, UserMaybeDomain, Password] ->
|
[<<"">>, UserMaybeDomain, Password] ->
|
||||||
case parse_domain(UserMaybeDomain) of
|
case parse_domain(UserMaybeDomain) of
|
||||||
%% <NUL>login@domain<NUL>pwd
|
%% <NUL>login@domain<NUL>pwd
|
||||||
[User, _Domain] -> [UserMaybeDomain, User, Password];
|
[User, _Domain] -> [User, User, Password];
|
||||||
%% <NUL>login<NUL>pwd
|
%% <NUL>login<NUL>pwd
|
||||||
[User] -> [<<"">>, User, Password]
|
[User] -> [User, User, Password]
|
||||||
end;
|
end;
|
||||||
%% login@domain<NUL>login<NUL>pwd
|
[AuthzId, User, Password] ->
|
||||||
[AuthzId, User, Password] -> [AuthzId, User, Password];
|
case parse_domain(AuthzId) of
|
||||||
|
%% login@domain<NUL>login<NUL>pwd
|
||||||
|
[AuthzUser, _Domain] -> [AuthzUser, User, Password];
|
||||||
|
%% login<NUL>login<NUL>pwd
|
||||||
|
[AuthzUser] -> [AuthzUser, User, Password]
|
||||||
|
end;
|
||||||
_ -> error
|
_ -> error
|
||||||
end.
|
end.
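Review bot: The new `[AuthzUser, _Domain] -> [AuthzUser, User, Password]` clause (and `[User, _Domain] -> [User, User, Password]` above it) silently discards the domain part of the authzid instead of checking it, while the commit message says a foreign domain is not permitted; as written `other@foreign.example` simply becomes `other` on the connection's host. prepare/1 has nothing to compare against because mech_new drops `_Host` (visible in the `@ -45,7 +45,7 @@` hunk header), so either keep the host in the mechanism state and return `error` from the `[AuthzId, User, Password]` branch when the parsed domain differs from it, or document the current behaviour with a comment at the parse_domain call, e.g. `%% the domain part of the authzid is dropped here, not compared with the connection host; the auth module must refuse cross-host authzids`.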
|
||||||
|
|
||||||
|
|
|
@ -30,9 +30,9 @@
|
||||||
-author('alexey@process-one.net').
|
-author('alexey@process-one.net').
|
||||||
|
|
||||||
%% External exports
|
%% External exports
|
||||||
-export([start/0, set_password/3, check_password/3,
|
-export([start/0, set_password/3, check_password/4,
|
||||||
check_password/5, check_password_with_authmodule/3,
|
check_password/6, check_password_with_authmodule/4,
|
||||||
check_password_with_authmodule/5, try_register/3,
|
check_password_with_authmodule/6, try_register/3,
|
||||||
dirty_get_registered_users/0, get_vh_registered_users/1,
|
dirty_get_registered_users/0, get_vh_registered_users/1,
|
||||||
get_vh_registered_users/2, export/1, import/1,
|
get_vh_registered_users/2, export/1, import/1,
|
||||||
get_vh_registered_users_number/1, import/3,
|
get_vh_registered_users_number/1, import/3,
|
||||||
|
@ -61,8 +61,8 @@
|
||||||
-callback remove_user(binary(), binary()) -> any().
|
-callback remove_user(binary(), binary()) -> any().
|
||||||
-callback remove_user(binary(), binary(), binary()) -> any().
|
-callback remove_user(binary(), binary(), binary()) -> any().
|
||||||
-callback is_user_exists(binary(), binary()) -> boolean() | {error, atom()}.
|
-callback is_user_exists(binary(), binary()) -> boolean() | {error, atom()}.
|
||||||
-callback check_password(binary(), binary(), binary()) -> boolean().
|
-callback check_password(binary(), binary(), binary(), binary()) -> boolean().
|
||||||
-callback check_password(binary(), binary(), binary(), binary(),
|
-callback check_password(binary(), binary(), binary(), binary(), binary(),
|
||||||
fun((binary()) -> binary())) -> boolean().
|
fun((binary()) -> binary())) -> boolean().
|
||||||
-callback try_register(binary(), binary(), binary()) -> {atomic, atom()} |
|
-callback try_register(binary(), binary(), binary()) -> {atomic, atom()} |
|
||||||
{error, atom()}.
|
{error, atom()}.
|
||||||
|
@ -100,10 +100,10 @@ store_type(Server) ->
|
||||||
end,
|
end,
|
||||||
plain, auth_modules(Server)).
|
plain, auth_modules(Server)).
|
||||||
|
|
||||||
-spec check_password(binary(), binary(), binary()) -> boolean().
|
-spec check_password(binary(), binary(), binary(), binary()) -> boolean().
|
||||||
|
|
||||||
check_password(User, Server, Password) ->
|
check_password(User, AuthzId, Server, Password) ->
|
||||||
case check_password_with_authmodule(User, Server,
|
case check_password_with_authmodule(User, AuthzId, Server,
|
||||||
Password)
|
Password)
|
||||||
of
|
of
|
||||||
{true, _AuthModule} -> true;
|
{true, _AuthModule} -> true;
|
||||||
|
@ -111,15 +111,15 @@ check_password(User, Server, Password) ->
|
||||||
end.
|
end.
|
||||||
|
|
||||||
%% @doc Check if the user and password can login in server.
|
%% @doc Check if the user and password can login in server.
|
||||||
%% @spec (User::string(), Server::string(), Password::string(),
|
%% @spec (User::string(), AuthzId::string(), Server::string(), Password::string(),
|
||||||
%% Digest::string(), DigestGen::function()) ->
|
%% Digest::string(), DigestGen::function()) ->
|
||||||
%% true | false
|
%% true | false
|
||||||
-spec check_password(binary(), binary(), binary(), binary(),
|
-spec check_password(binary(), binary(), binary(), binary(), binary(),
|
||||||
fun((binary()) -> binary())) -> boolean().
|
fun((binary()) -> binary())) -> boolean().
|
||||||
|
|
||||||
check_password(User, Server, Password, Digest,
|
check_password(User, AuthzId, Server, Password, Digest,
|
||||||
DigestGen) ->
|
DigestGen) ->
|
||||||
case check_password_with_authmodule(User, Server,
|
case check_password_with_authmodule(User, AuthzId, Server,
|
||||||
Password, Digest, DigestGen)
|
Password, Digest, DigestGen)
|
||||||
of
|
of
|
||||||
{true, _AuthModule} -> true;
|
{true, _AuthModule} -> true;
|
||||||
|
@ -130,28 +130,28 @@ check_password(User, Server, Password, Digest,
|
||||||
%% The user can login if at least an authentication method accepts the user
|
%% The user can login if at least an authentication method accepts the user
|
||||||
%% and the password.
|
%% and the password.
|
||||||
%% The first authentication method that accepts the credentials is returned.
|
%% The first authentication method that accepts the credentials is returned.
|
||||||
%% @spec (User::string(), Server::string(), Password::string()) ->
|
%% @spec (User::string(), AuthzId::string(), Server::string(), Password::string()) ->
|
||||||
%% {true, AuthModule} | false
|
%% {true, AuthModule} | false
|
||||||
%% where
|
%% where
|
||||||
%% AuthModule = ejabberd_auth_anonymous | ejabberd_auth_external
|
%% AuthModule = ejabberd_auth_anonymous | ejabberd_auth_external
|
||||||
%% | ejabberd_auth_internal | ejabberd_auth_ldap
|
%% | ejabberd_auth_internal | ejabberd_auth_ldap
|
||||||
%% | ejabberd_auth_odbc | ejabberd_auth_pam
|
%% | ejabberd_auth_odbc | ejabberd_auth_pam | ejabberd_auth_riak
|
||||||
-spec check_password_with_authmodule(binary(), binary(), binary()) -> false |
|
-spec check_password_with_authmodule(binary(), binary(), binary(), binary()) -> false |
|
||||||
{true, atom()}.
|
{true, atom()}.
|
||||||
|
|
||||||
check_password_with_authmodule(User, Server,
|
check_password_with_authmodule(User, AuthzId, Server,
|
||||||
Password) ->
|
Password) ->
|
||||||
check_password_loop(auth_modules(Server),
|
check_password_loop(auth_modules(Server),
|
||||||
[User, Server, Password]).
|
[User, AuthzId, Server, Password]).
|
||||||
|
|
||||||
-spec check_password_with_authmodule(binary(), binary(), binary(), binary(),
|
-spec check_password_with_authmodule(binary(), binary(), binary(), binary(), binary(),
|
||||||
fun((binary()) -> binary())) -> false |
|
fun((binary()) -> binary())) -> false |
|
||||||
{true, atom()}.
|
{true, atom()}.
|
||||||
|
|
||||||
check_password_with_authmodule(User, Server, Password,
|
check_password_with_authmodule(User, AuthzId, Server, Password,
|
||||||
Digest, DigestGen) ->
|
Digest, DigestGen) ->
|
||||||
check_password_loop(auth_modules(Server),
|
check_password_loop(auth_modules(Server),
|
||||||
[User, Server, Password, Digest, DigestGen]).
|
[User, AuthzId, Server, Password, Digest, DigestGen]).
|
||||||
|
|
||||||
check_password_loop([], _Args) -> false;
|
check_password_loop([], _Args) -> false;
|
||||||
check_password_loop([AuthModule | AuthModules], Args) ->
|
check_password_loop([AuthModule | AuthModules], Args) ->
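Review bot: The widened `-callback check_password/4` and `/6` specs in the `@ -61,8 +61,8 @@` hunk say nothing about what the new second argument means or what a module must do with it, and the `@spec` comments only gained the name `AuthzId`. Since a module that simply ignores the argument lets a caller act as any user (the rest of this commit relies on every module refusing `AuthzId =/= User`), the contract belongs on the behaviour rather than in each implementation. Add above the two callbacks a comment along the lines of: `%% AuthzId is the identity the client asks to act as (SASL authzid), or <<>> when none was given. A module MUST return false unless it can positively authorize User to act as AuthzId; returning true with AuthzId =/= User grants the session AuthzId's identity.` check_password_loop continues outside the hunk.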
|
||||||
|
|
|
@ -38,8 +38,8 @@
|
||||||
|
|
||||||
|
|
||||||
%% Function used by ejabberd_auth:
|
%% Function used by ejabberd_auth:
|
||||||
-export([login/2, set_password/3, check_password/3,
|
-export([login/2, set_password/3, check_password/4,
|
||||||
check_password/5, try_register/3,
|
check_password/6, try_register/3,
|
||||||
dirty_get_registered_users/0, get_vh_registered_users/1,
|
dirty_get_registered_users/0, get_vh_registered_users/1,
|
||||||
get_vh_registered_users/2, get_vh_registered_users_number/1,
|
get_vh_registered_users/2, get_vh_registered_users_number/1,
|
||||||
get_vh_registered_users_number/2, get_password_s/2,
|
get_vh_registered_users_number/2, get_password_s/2,
|
||||||
|
@ -174,11 +174,11 @@ purge_hook(true, LUser, LServer) ->
|
||||||
|
|
||||||
%% When anonymous login is enabled, check the password for permenant users
|
%% When anonymous login is enabled, check the password for permenant users
|
||||||
%% before allowing access
|
%% before allowing access
|
||||||
check_password(User, Server, Password) ->
|
check_password(User, AuthzId, Server, Password) ->
|
||||||
check_password(User, Server, Password, undefined,
|
check_password(User, AuthzId, Server, Password, undefined,
|
||||||
undefined).
|
undefined).
|
||||||
|
|
||||||
check_password(User, Server, _Password, _Digest,
|
check_password(User, _AuthzId, Server, _Password, _Digest,
|
||||||
_DigestGen) ->
|
_DigestGen) ->
|
||||||
case
|
case
|
||||||
ejabberd_auth:is_user_exists_in_other_modules(?MODULE,
|
ejabberd_auth:is_user_exists_in_other_modules(?MODULE,
|
||||||
|
|
|
@ -30,8 +30,8 @@
|
||||||
-behaviour(ejabberd_auth).
|
-behaviour(ejabberd_auth).
|
||||||
|
|
||||||
%% External exports
|
%% External exports
|
||||||
-export([start/1, set_password/3, check_password/3,
|
-export([start/1, set_password/3, check_password/4,
|
||||||
check_password/5, try_register/3,
|
check_password/6, try_register/3,
|
||||||
dirty_get_registered_users/0, get_vh_registered_users/1,
|
dirty_get_registered_users/0, get_vh_registered_users/1,
|
||||||
get_vh_registered_users/2,
|
get_vh_registered_users/2,
|
||||||
get_vh_registered_users_number/1,
|
get_vh_registered_users_number/1,
|
||||||
|
@ -75,16 +75,20 @@ plain_password_required() -> true.
|
||||||
|
|
||||||
store_type() -> external.
|
store_type() -> external.
|
||||||
|
|
||||||
check_password(User, Server, Password) ->
|
check_password(User, AuthzId, Server, Password) ->
|
||||||
case get_cache_option(Server) of
|
if AuthzId /= <<>> andalso AuthzId /= User ->
|
||||||
false -> check_password_extauth(User, Server, Password);
|
false;
|
||||||
{true, CacheTime} ->
|
true ->
|
||||||
check_password_cache(User, Server, Password, CacheTime)
|
case get_cache_option(Server) of
|
||||||
|
false -> check_password_extauth(User, AuthzId, Server, Password);
|
||||||
|
{true, CacheTime} ->
|
||||||
|
check_password_cache(User, AuthzId, Server, Password, CacheTime)
|
||||||
|
end
|
||||||
end.
|
end.
|
||||||
|
|
||||||
check_password(User, Server, Password, _Digest,
|
check_password(User, AuthzId, Server, Password, _Digest,
|
||||||
_DigestGen) ->
|
_DigestGen) ->
|
||||||
check_password(User, Server, Password).
|
check_password(User, AuthzId, Server, Password).
|
||||||
|
|
||||||
set_password(User, Server, Password) ->
|
set_password(User, Server, Password) ->
|
||||||
case extauth:set_password(User, Server, Password) of
|
case extauth:set_password(User, Server, Password) of
|
||||||
|
@ -177,8 +181,8 @@ get_cache_option(Host) ->
|
||||||
CacheTime -> {true, CacheTime}
|
CacheTime -> {true, CacheTime}
|
||||||
end.
|
end.
|
||||||
|
|
||||||
%% @spec (User, Server, Password) -> true | false
|
%% @spec (User, AuthzId, Server, Password) -> true | false
|
||||||
check_password_extauth(User, Server, Password) ->
|
check_password_extauth(User, _AuthzId, Server, Password) ->
|
||||||
extauth:check_password(User, Server, Password) andalso
|
extauth:check_password(User, Server, Password) andalso
|
||||||
Password /= <<"">>.
|
Password /= <<"">>.
|
||||||
|
|
||||||
|
@ -186,35 +190,35 @@ check_password_extauth(User, Server, Password) ->
|
||||||
try_register_extauth(User, Server, Password) ->
|
try_register_extauth(User, Server, Password) ->
|
||||||
extauth:try_register(User, Server, Password).
|
extauth:try_register(User, Server, Password).
|
||||||
|
|
||||||
check_password_cache(User, Server, Password, 0) ->
|
check_password_cache(User, AuthzId, Server, Password, 0) ->
|
||||||
check_password_external_cache(User, Server, Password);
|
check_password_external_cache(User, AuthzId, Server, Password);
|
||||||
check_password_cache(User, Server, Password,
|
check_password_cache(User, AuthzId, Server, Password,
|
||||||
CacheTime) ->
|
CacheTime) ->
|
||||||
case get_last_access(User, Server) of
|
case get_last_access(User, Server) of
|
||||||
online ->
|
online ->
|
||||||
check_password_internal(User, Server, Password);
|
check_password_internal(User, AuthzId, Server, Password);
|
||||||
never ->
|
never ->
|
||||||
check_password_external_cache(User, Server, Password);
|
check_password_external_cache(User, AuthzId, Server, Password);
|
||||||
mod_last_required ->
|
mod_last_required ->
|
||||||
?ERROR_MSG("extauth is used, extauth_cache is enabled "
|
?ERROR_MSG("extauth is used, extauth_cache is enabled "
|
||||||
"but mod_last is not enabled in that "
|
"but mod_last is not enabled in that "
|
||||||
"host",
|
"host",
|
||||||
[]),
|
[]),
|
||||||
check_password_external_cache(User, Server, Password);
|
check_password_external_cache(User, AuthzId, Server, Password);
|
||||||
TimeStamp ->
|
TimeStamp ->
|
||||||
case is_fresh_enough(TimeStamp, CacheTime) of
|
case is_fresh_enough(TimeStamp, CacheTime) of
|
||||||
%% If no need to refresh, check password against Mnesia
|
%% If no need to refresh, check password against Mnesia
|
||||||
true ->
|
true ->
|
||||||
case check_password_internal(User, Server, Password) of
|
case check_password_internal(User, AuthzId, Server, Password) of
|
||||||
%% If password valid in Mnesia, accept it
|
%% If password valid in Mnesia, accept it
|
||||||
true -> true;
|
true -> true;
|
||||||
%% Else (password nonvalid in Mnesia), check in extauth and cache result
|
%% Else (password nonvalid in Mnesia), check in extauth and cache result
|
||||||
false ->
|
false ->
|
||||||
check_password_external_cache(User, Server, Password)
|
check_password_external_cache(User, AuthzId, Server, Password)
|
||||||
end;
|
end;
|
||||||
%% Else (need to refresh), check in extauth and cache result
|
%% Else (need to refresh), check in extauth and cache result
|
||||||
false ->
|
false ->
|
||||||
check_password_external_cache(User, Server, Password)
|
check_password_external_cache(User, AuthzId, Server, Password)
|
||||||
end
|
end
|
||||||
end.
|
end.
|
||||||
|
|
||||||
|
@ -240,8 +244,8 @@ get_password_cache(User, Server, CacheTime) ->
|
||||||
end.
|
end.
|
||||||
|
|
||||||
%% Check the password using extauth; if success then cache it
|
%% Check the password using extauth; if success then cache it
|
||||||
check_password_external_cache(User, Server, Password) ->
|
check_password_external_cache(User, AuthzId, Server, Password) ->
|
||||||
case check_password_extauth(User, Server, Password) of
|
case check_password_extauth(User, AuthzId, Server, Password) of
|
||||||
true ->
|
true ->
|
||||||
set_password_internal(User, Server, Password), true;
|
set_password_internal(User, Server, Password), true;
|
||||||
false -> false
|
false -> false
|
||||||
|
@ -255,9 +259,9 @@ try_register_external_cache(User, Server, Password) ->
|
||||||
_ -> {error, not_allowed}
|
_ -> {error, not_allowed}
|
||||||
end.
|
end.
|
||||||
|
|
||||||
%% @spec (User, Server, Password) -> true | false
|
%% @spec (User, AuthzId, Server, Password) -> true | false
|
||||||
check_password_internal(User, Server, Password) ->
|
check_password_internal(User, AuthzId, Server, Password) ->
|
||||||
ejabberd_auth_internal:check_password(User, Server,
|
ejabberd_auth_internal:check_password(User, AuthzId, Server,
|
||||||
Password).
|
Password).
|
||||||
|
|
||||||
%% @spec (User, Server, Password) -> ok | {error, invalid_jid}
|
%% @spec (User, Server, Password) -> ok | {error, invalid_jid}
|
||||||
|
|
|
@ -30,8 +30,8 @@
|
||||||
-behaviour(ejabberd_auth).
|
-behaviour(ejabberd_auth).
|
||||||
|
|
||||||
%% External exports
|
%% External exports
|
||||||
-export([start/1, set_password/3, check_password/3,
|
-export([start/1, set_password/3, check_password/4,
|
||||||
check_password/5, try_register/3,
|
check_password/6, try_register/3,
|
||||||
dirty_get_registered_users/0, get_vh_registered_users/1,
|
dirty_get_registered_users/0, get_vh_registered_users/1,
|
||||||
get_vh_registered_users/2,
|
get_vh_registered_users/2,
|
||||||
get_vh_registered_users_number/1,
|
get_vh_registered_users_number/1,
|
||||||
|
@ -85,45 +85,53 @@ store_type() ->
|
||||||
true -> scram %% allows: PLAIN SCRAM
|
true -> scram %% allows: PLAIN SCRAM
|
||||||
end.
|
end.
|
||||||
|
|
||||||
check_password(User, Server, Password) ->
|
check_password(User, AuthzId, Server, Password) ->
|
||||||
LUser = jlib:nodeprep(User),
|
if AuthzId /= <<>> andalso AuthzId /= User ->
|
||||||
LServer = jlib:nameprep(Server),
|
false;
|
||||||
US = {LUser, LServer},
|
true ->
|
||||||
case catch mnesia:dirty_read({passwd, US}) of
|
LUser = jlib:nodeprep(User),
|
||||||
[#passwd{password = Password}]
|
LServer = jlib:nameprep(Server),
|
||||||
when is_binary(Password) ->
|
US = {LUser, LServer},
|
||||||
Password /= <<"">>;
|
case catch mnesia:dirty_read({passwd, US}) of
|
||||||
[#passwd{password = Scram}]
|
[#passwd{password = Password}]
|
||||||
when is_record(Scram, scram) ->
|
when is_binary(Password) ->
|
||||||
is_password_scram_valid(Password, Scram);
|
Password /= <<"">>;
|
||||||
_ -> false
|
[#passwd{password = Scram}]
|
||||||
|
when is_record(Scram, scram) ->
|
||||||
|
is_password_scram_valid(Password, Scram);
|
||||||
|
_ -> false
|
||||||
|
end
|
||||||
end.
|
end.
|
||||||
|
|
||||||
check_password(User, Server, Password, Digest,
|
check_password(User, AuthzId, Server, Password, Digest,
|
||||||
DigestGen) ->
|
DigestGen) ->
|
||||||
LUser = jlib:nodeprep(User),
|
if AuthzId /= <<>> andalso AuthzId /= User ->
|
||||||
LServer = jlib:nameprep(Server),
|
false;
|
||||||
US = {LUser, LServer},
|
true ->
|
||||||
case catch mnesia:dirty_read({passwd, US}) of
|
LUser = jlib:nodeprep(User),
|
||||||
[#passwd{password = Passwd}] when is_binary(Passwd) ->
|
LServer = jlib:nameprep(Server),
|
||||||
DigRes = if Digest /= <<"">> ->
|
US = {LUser, LServer},
|
||||||
Digest == DigestGen(Passwd);
|
case catch mnesia:dirty_read({passwd, US}) of
|
||||||
true -> false
|
[#passwd{password = Passwd}] when is_binary(Passwd) ->
|
||||||
end,
|
DigRes = if Digest /= <<"">> ->
|
||||||
if DigRes -> true;
|
Digest == DigestGen(Passwd);
|
||||||
true -> (Passwd == Password) and (Password /= <<"">>)
|
true -> false
|
||||||
end;
|
end,
|
||||||
[#passwd{password = Scram}]
|
if DigRes -> true;
|
||||||
when is_record(Scram, scram) ->
|
true -> (Passwd == Password) and (Password /= <<"">>)
|
||||||
Passwd = jlib:decode_base64(Scram#scram.storedkey),
|
end;
|
||||||
DigRes = if Digest /= <<"">> ->
|
[#passwd{password = Scram}]
|
||||||
Digest == DigestGen(Passwd);
|
when is_record(Scram, scram) ->
|
||||||
true -> false
|
Passwd = jlib:decode_base64(Scram#scram.storedkey),
|
||||||
end,
|
DigRes = if Digest /= <<"">> ->
|
||||||
if DigRes -> true;
|
Digest == DigestGen(Passwd);
|
||||||
true -> (Passwd == Password) and (Password /= <<"">>)
|
true -> false
|
||||||
end;
|
end,
|
||||||
_ -> false
|
if DigRes -> true;
|
||||||
|
true -> (Passwd == Password) and (Password /= <<"">>)
|
||||||
|
end;
|
||||||
|
_ -> false
|
||||||
|
end
|
||||||
end.
|
end.
|
||||||
|
|
||||||
%% @spec (User::string(), Server::string(), Password::string()) ->
|
%% @spec (User::string(), Server::string(), Password::string()) ->
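Review bot: The new `if AuthzId /= <<>> andalso AuthzId /= User` guard in both check_password clauses compares the raw binaries, while the account lookup a few lines later keys on `jlib:nodeprep(User)`; an authzid that differs from the authcid only in what nodeprep normalizes is therefore refused rather than recognized as the same account. That errs on the safe side, but it is undocumented, and the identical guard is repeated verbatim in the external, LDAP, ODBC and PAM modules in this commit, so a later change to one will drift from the others. Either compare after prep, `LAuthzId = jlib:nodeprep(AuthzId), if LAuthzId /= <<>> andalso LAuthzId /= LUser -> false;` (binding LUser first), or add a comment on the guard: `%% raw (un-prepped) comparison on purpose: a non-empty authzid must be byte-identical to the authcid`. Both check_password clauses lie entirely inside the hunk.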
|
||||||
|
|
|
@ -36,7 +36,7 @@
|
||||||
|
|
||||||
%% External exports
|
%% External exports
|
||||||
-export([start/1, stop/1, start_link/1, set_password/3,
|
-export([start/1, stop/1, start_link/1, set_password/3,
|
||||||
check_password/3, check_password/5, try_register/3,
|
check_password/4, check_password/6, try_register/3,
|
||||||
dirty_get_registered_users/0, get_vh_registered_users/1,
|
dirty_get_registered_users/0, get_vh_registered_users/1,
|
||||||
get_vh_registered_users/2,
|
get_vh_registered_users/2,
|
||||||
get_vh_registered_users_number/1,
|
get_vh_registered_users_number/1,
|
||||||
|
@ -115,19 +115,23 @@ plain_password_required() -> true.
|
||||||
|
|
||||||
store_type() -> external.
|
store_type() -> external.
|
||||||
|
|
||||||
check_password(User, Server, Password) ->
|
check_password(User, AuthzId, Server, Password) ->
|
||||||
if Password == <<"">> -> false;
|
if AuthzId /= <<>> andalso AuthzId /= User ->
|
||||||
true ->
|
false;
|
||||||
case catch check_password_ldap(User, Server, Password)
|
true ->
|
||||||
of
|
if Password == <<"">> -> false;
|
||||||
{'EXIT', _} -> false;
|
true ->
|
||||||
Result -> Result
|
case catch check_password_ldap(User, Server, Password)
|
||||||
end
|
of
|
||||||
|
{'EXIT', _} -> false;
|
||||||
|
Result -> Result
|
||||||
|
end
|
||||||
|
end
|
||||||
end.
|
end.
|
||||||
|
|
||||||
check_password(User, Server, Password, _Digest,
|
check_password(User, AuthzId, Server, Password, _Digest,
|
||||||
_DigestGen) ->
|
_DigestGen) ->
|
||||||
check_password(User, Server, Password).
|
check_password(User, AuthzId, Server, Password).
|
||||||
|
|
||||||
set_password(User, Server, Password) ->
|
set_password(User, Server, Password) ->
|
||||||
{ok, State} = eldap_utils:get_state(Server, ?MODULE),
|
{ok, State} = eldap_utils:get_state(Server, ?MODULE),
|
||||||
|
|
|
@ -30,8 +30,8 @@
|
||||||
-behaviour(ejabberd_auth).
|
-behaviour(ejabberd_auth).
|
||||||
|
|
||||||
%% External exports
|
%% External exports
|
||||||
-export([start/1, set_password/3, check_password/3,
|
-export([start/1, set_password/3, check_password/4,
|
||||||
check_password/5, try_register/3,
|
check_password/6, try_register/3,
|
||||||
dirty_get_registered_users/0, get_vh_registered_users/1,
|
dirty_get_registered_users/0, get_vh_registered_users/1,
|
||||||
get_vh_registered_users/2,
|
get_vh_registered_users/2,
|
||||||
get_vh_registered_users_number/1,
|
get_vh_registered_users_number/1,
|
||||||
|
@ -63,89 +63,97 @@ store_type() ->
|
||||||
true -> scram %% allows: PLAIN SCRAM
|
true -> scram %% allows: PLAIN SCRAM
|
||||||
end.
|
end.
|
||||||
|
|
||||||
%% @spec (User, Server, Password) -> true | false | {error, Error}
|
%% @spec (User, AuthzId, Server, Password) -> true | false | {error, Error}
|
||||||
check_password(User, Server, Password) ->
|
check_password(User, AuthzId, Server, Password) ->
|
||||||
LServer = jlib:nameprep(Server),
|
if AuthzId /= <<>> andalso AuthzId /= User ->
|
||||||
LUser = jlib:nodeprep(User),
|
false;
|
||||||
if (LUser == error) or (LServer == error) ->
|
true ->
|
||||||
false;
|
LServer = jlib:nameprep(Server),
|
||||||
(LUser == <<>>) or (LServer == <<>>) ->
|
LUser = jlib:nodeprep(User),
|
||||||
false;
|
if (LUser == error) or (LServer == error) ->
|
||||||
true ->
|
false;
|
||||||
Username = ejabberd_odbc:escape(LUser),
|
(LUser == <<>>) or (LServer == <<>>) ->
|
||||||
case is_scrammed() of
|
false;
|
||||||
true ->
|
true ->
|
||||||
try odbc_queries:get_password_scram(LServer, Username) of
|
Username = ejabberd_odbc:escape(LUser),
|
||||||
{selected, [<<"password">>, <<"serverkey">>,
|
case is_scrammed() of
|
||||||
<<"salt">>, <<"iterationcount">>],
|
true ->
|
||||||
[[StoredKey, ServerKey, Salt, IterationCount]]} ->
|
try odbc_queries:get_password_scram(LServer, Username) of
|
||||||
Scram =
|
{selected, [<<"password">>, <<"serverkey">>,
|
||||||
#scram{storedkey = StoredKey,
|
<<"salt">>, <<"iterationcount">>],
|
||||||
serverkey = ServerKey,
|
[[StoredKey, ServerKey, Salt, IterationCount]]} ->
|
||||||
salt = Salt,
|
Scram =
|
||||||
iterationcount = jlib:binary_to_integer(
|
#scram{storedkey = StoredKey,
|
||||||
IterationCount)},
|
serverkey = ServerKey,
|
||||||
is_password_scram_valid(Password, Scram);
|
salt = Salt,
|
||||||
{selected, [<<"password">>, <<"serverkey">>,
|
iterationcount = jlib:binary_to_integer(
|
||||||
<<"salt">>, <<"iterationcount">>], []} ->
|
IterationCount)},
|
||||||
false; %% Account does not exist
|
is_password_scram_valid(Password, Scram);
|
||||||
{error, _Error} ->
|
{selected, [<<"password">>, <<"serverkey">>,
|
||||||
false %% Typical error is that table doesn't exist
|
<<"salt">>, <<"iterationcount">>], []} ->
|
||||||
catch
|
false; %% Account does not exist
|
||||||
_:_ ->
|
{error, _Error} ->
|
||||||
false %% Typical error is database not accessible
|
false %% Typical error is that table doesn't exist
|
||||||
end;
|
catch
|
||||||
false ->
|
_:_ ->
|
||||||
try odbc_queries:get_password(LServer, Username) of
|
false %% Typical error is database not accessible
|
||||||
{selected, [<<"password">>], [[Password]]} ->
|
end;
|
||||||
Password /= <<"">>;
|
false ->
|
||||||
{selected, [<<"password">>], [[_Password2]]} ->
|
try odbc_queries:get_password(LServer, Username) of
|
||||||
false; %% Password is not correct
|
{selected, [<<"password">>], [[Password]]} ->
|
||||||
{selected, [<<"password">>], []} ->
|
Password /= <<"">>;
|
||||||
false; %% Account does not exist
|
{selected, [<<"password">>], [[_Password2]]} ->
|
||||||
{error, _Error} ->
|
false; %% Password is not correct
|
||||||
false %% Typical error is that table doesn't exist
|
{selected, [<<"password">>], []} ->
|
||||||
catch
|
false; %% Account does not exist
|
||||||
_:_ ->
|
{error, _Error} ->
|
||||||
false %% Typical error is database not accessible
|
false %% Typical error is that table doesn't exist
|
||||||
end
|
catch
|
||||||
end
|
_:_ ->
|
||||||
|
false %% Typical error is database not accessible
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
end.
|
end.
|
||||||
|
|
||||||
%% @spec (User, Server, Password, Digest, DigestGen) -> true | false | {error, Error}
|
%% @spec (User, AuthzId, Server, Password, Digest, DigestGen) -> true | false | {error, Error}
|
||||||
check_password(User, Server, Password, Digest,
|
check_password(User, AuthzId, Server, Password, Digest,
|
||||||
DigestGen) ->
|
DigestGen) ->
|
||||||
LServer = jlib:nameprep(Server),
|
if AuthzId /= <<>> andalso AuthzId /= User ->
|
||||||
LUser = jlib:nodeprep(User),
|
false;
|
||||||
if (LUser == error) or (LServer == error) ->
|
true ->
|
||||||
false;
|
LServer = jlib:nameprep(Server),
|
||||||
(LUser == <<>>) or (LServer == <<>>) ->
|
LUser = jlib:nodeprep(User),
|
||||||
false;
|
if (LUser == error) or (LServer == error) ->
|
||||||
true ->
|
false;
|
||||||
case is_scrammed() of
|
(LUser == <<>>) or (LServer == <<>>) ->
|
||||||
false ->
|
false;
|
||||||
Username = ejabberd_odbc:escape(LUser),
|
true ->
|
||||||
try odbc_queries:get_password(LServer, Username) of
|
case is_scrammed() of
|
||||||
%% Account exists, check if password is valid
|
false ->
|
||||||
{selected, [<<"password">>], [[Passwd]]} ->
|
Username = ejabberd_odbc:escape(LUser),
|
||||||
DigRes = if Digest /= <<"">> ->
|
try odbc_queries:get_password(LServer, Username) of
|
||||||
Digest == DigestGen(Passwd);
|
%% Account exists, check if password is valid
|
||||||
true -> false
|
{selected, [<<"password">>], [[Passwd]]} ->
|
||||||
end,
|
DigRes = if Digest /= <<"">> ->
|
||||||
if DigRes -> true;
|
Digest == DigestGen(Passwd);
|
||||||
true -> (Passwd == Password) and (Password /= <<"">>)
|
true -> false
|
||||||
end;
|
end,
|
||||||
{selected, [<<"password">>], []} ->
|
if DigRes -> true;
|
||||||
false; %% Account does not exist
|
true -> (Passwd == Password) and (Password /= <<"">>)
|
||||||
{error, _Error} ->
|
end;
|
||||||
false %% Typical error is that table doesn't exist
|
{selected, [<<"password">>], []} ->
|
||||||
catch
|
false; %% Account does not exist
|
||||||
_:_ ->
|
{error, _Error} ->
|
||||||
false %% Typical error is database not accessible
|
false %% Typical error is that table doesn't exist
|
||||||
end;
|
catch
|
||||||
true ->
|
_:_ ->
|
||||||
false
|
false %% Typical error is database not accessible
|
||||||
end
|
end;
|
||||||
|
true ->
|
||||||
|
false
|
||||||
|
end
|
||||||
|
end
|
||||||
end.
|
end.
|
||||||
|
|
||||||
%% @spec (User::string(), Server::string(), Password::string()) ->
|
%% @spec (User::string(), Server::string(), Password::string()) ->
|
||||||
|
@ -352,7 +360,7 @@ remove_user(User, Server, Password) ->
|
||||||
true ->
|
true ->
|
||||||
case is_scrammed() of
|
case is_scrammed() of
|
||||||
true ->
|
true ->
|
||||||
case check_password(User, Server, Password) of
|
case check_password(User, <<"">>, Server, Password) of
|
||||||
true ->
|
true ->
|
||||||
remove_user(User, Server),
|
remove_user(User, Server),
|
||||||
ok;
|
ok;
|
||||||
|
|
|
@ -32,8 +32,8 @@
|
||||||
%%====================================================================
|
%%====================================================================
|
||||||
%% API
|
%% API
|
||||||
%%====================================================================
|
%%====================================================================
|
||||||
-export([start/1, set_password/3, check_password/3,
|
-export([start/1, set_password/3, check_password/4,
|
||||||
check_password/5, try_register/3,
|
check_password/6, try_register/3,
|
||||||
dirty_get_registered_users/0, get_vh_registered_users/1,
|
dirty_get_registered_users/0, get_vh_registered_users/1,
|
||||||
get_vh_registered_users/2, get_vh_registered_users_number/1,
|
get_vh_registered_users/2, get_vh_registered_users_number/1,
|
||||||
get_vh_registered_users_number/2,
|
get_vh_registered_users_number/2,
|
||||||
|
@ -47,21 +47,25 @@ start(_Host) ->
|
||||||
set_password(_User, _Server, _Password) ->
|
set_password(_User, _Server, _Password) ->
|
||||||
{error, not_allowed}.
|
{error, not_allowed}.
|
||||||
|
|
||||||
check_password(User, Server, Password, _Digest,
|
check_password(User, AuthzId, Server, Password, _Digest,
|
||||||
_DigestGen) ->
|
_DigestGen) ->
|
||||||
check_password(User, Server, Password).
|
check_password(User, AuthzId, Server, Password).
|
||||||
|
|
||||||
check_password(User, Host, Password) ->
|
check_password(User, AuthzId, Host, Password) ->
|
||||||
Service = get_pam_service(Host),
|
if AuthzId /= <<>> andalso AuthzId /= User ->
|
||||||
UserInfo = case get_pam_userinfotype(Host) of
|
false;
|
||||||
username -> User;
|
true ->
|
||||||
jid -> <<User/binary, "@", Host/binary>>
|
Service = get_pam_service(Host),
|
||||||
end,
|
UserInfo = case get_pam_userinfotype(Host) of
|
||||||
case catch epam:authenticate(Service, UserInfo,
|
username -> User;
|
||||||
Password)
|
jid -> <<User/binary, "@", Host/binary>>
|
||||||
of
|
end,
|
||||||
true -> true;
|
case catch epam:authenticate(Service, UserInfo,
|
||||||
_ -> false
|
Password)
|
||||||
|
of
|
||||||
|
true -> true;
|
||||||
|
_ -> false
|
||||||
|
end
|
||||||
end.
|
end.
|
||||||
|
|
||||||
try_register(_User, _Server, _Password) ->
|
try_register(_User, _Server, _Password) ->
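Review bot: The new guard `if AuthzId /= <<>> andalso AuthzId /= User -> false` at the top of check_password/4 decides an authorization question on the raw client-supplied binaries, before any stringprep, and answers with the same bare `false` a wrong password produces, so from the caller's side a refused proxy-authentication attempt is indistinguishable from a failed login. Since the PAM backend cannot express an authcid→authzid relationship at all, the refusal is a defined case and reads better as a function-head clause with a comment saying why, which also removes the `if … true ->` nesting around the whole body; if a logging macro is available in this module (not visible in the hunk), the refused attempt deserves an INFO-level line so proxy-auth probing shows up in the logs. Note that neither `User` nor `Host` is stringprepped anywhere in this function — that predates the commit, but the new comparison inherits it.
```erlang
%% The PAM backend has no way to express "authcid may act as authzid", so
%% any authzid other than the authcid itself is refused outright.
check_password(_User, AuthzId, _Host, _Password)
  when AuthzId =/= <<>>, AuthzId =/= _User ->
    false;
check_password(User, _AuthzId, Host, Password) ->
    Service = get_pam_service(Host),
    %% … unchanged: UserInfo selection and epam:authenticate/3 call …
```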
|
||||||
|
|
|
@ -30,8 +30,8 @@
|
||||||
-behaviour(ejabberd_auth).
|
-behaviour(ejabberd_auth).
|
||||||
|
|
||||||
%% External exports
|
%% External exports
|
||||||
-export([start/1, set_password/3, check_password/3,
|
-export([start/1, set_password/3, check_password/4,
|
||||||
check_password/5, try_register/3,
|
check_password/6, try_register/3,
|
||||||
dirty_get_registered_users/0, get_vh_registered_users/1,
|
dirty_get_registered_users/0, get_vh_registered_users/1,
|
||||||
get_vh_registered_users/2,
|
get_vh_registered_users/2,
|
||||||
get_vh_registered_users_number/1,
|
get_vh_registered_users_number/1,
|
||||||
|
@ -66,42 +66,50 @@ store_type() ->
|
||||||
passwd_schema() ->
|
passwd_schema() ->
|
||||||
{record_info(fields, passwd), #passwd{}}.
|
{record_info(fields, passwd), #passwd{}}.
|
||||||
|
|
||||||
check_password(User, Server, Password) ->
|
check_password(User, AuthzId, Server, Password) ->
|
||||||
LUser = jlib:nodeprep(User),
|
if AuthzId /= <<>> andalso AuthzId /= User ->
|
||||||
LServer = jlib:nameprep(Server),
|
false;
|
||||||
case ejabberd_riak:get(passwd, passwd_schema(), {LUser, LServer}) of
|
true ->
|
||||||
{ok, #passwd{password = Password}} when is_binary(Password) ->
|
LUser = jlib:nodeprep(User),
|
||||||
Password /= <<"">>;
|
LServer = jlib:nameprep(Server),
|
||||||
{ok, #passwd{password = Scram}} when is_record(Scram, scram) ->
|
case ejabberd_riak:get(passwd, passwd_schema(), {LUser, LServer}) of
|
||||||
is_password_scram_valid(Password, Scram);
|
{ok, #passwd{password = Password}} when is_binary(Password) ->
|
||||||
_ ->
|
Password /= <<"">>;
|
||||||
false
|
{ok, #passwd{password = Scram}} when is_record(Scram, scram) ->
|
||||||
|
is_password_scram_valid(Password, Scram);
|
||||||
|
_ ->
|
||||||
|
false
|
||||||
|
end
|
||||||
end.
|
end.
|
||||||
|
|
||||||
check_password(User, Server, Password, Digest,
|
check_password(User, AuthzId, Server, Password, Digest,
|
||||||
DigestGen) ->
|
DigestGen) ->
|
||||||
LUser = jlib:nodeprep(User),
|
if AuthzId /= <<>> andalso AuthzId /= User ->
|
||||||
LServer = jlib:nameprep(Server),
|
false;
|
||||||
case ejabberd_riak:get(passwd, passwd_schema(), {LUser, LServer}) of
|
true ->
|
||||||
{ok, #passwd{password = Passwd}} when is_binary(Passwd) ->
|
LUser = jlib:nodeprep(User),
|
||||||
DigRes = if Digest /= <<"">> ->
|
LServer = jlib:nameprep(Server),
|
||||||
Digest == DigestGen(Passwd);
|
case ejabberd_riak:get(passwd, passwd_schema(), {LUser, LServer}) of
|
||||||
true -> false
|
{ok, #passwd{password = Passwd}} when is_binary(Passwd) ->
|
||||||
end,
|
DigRes = if Digest /= <<"">> ->
|
||||||
if DigRes -> true;
|
Digest == DigestGen(Passwd);
|
||||||
true -> (Passwd == Password) and (Password /= <<"">>)
|
true -> false
|
||||||
end;
|
end,
|
||||||
{ok, #passwd{password = Scram}}
|
if DigRes -> true;
|
||||||
when is_record(Scram, scram) ->
|
true -> (Passwd == Password) and (Password /= <<"">>)
|
||||||
Passwd = jlib:decode_base64(Scram#scram.storedkey),
|
end;
|
||||||
DigRes = if Digest /= <<"">> ->
|
{ok, #passwd{password = Scram}}
|
||||||
Digest == DigestGen(Passwd);
|
when is_record(Scram, scram) ->
|
||||||
true -> false
|
Passwd = jlib:decode_base64(Scram#scram.storedkey),
|
||||||
end,
|
DigRes = if Digest /= <<"">> ->
|
||||||
if DigRes -> true;
|
Digest == DigestGen(Passwd);
|
||||||
true -> (Passwd == Password) and (Password /= <<"">>)
|
true -> false
|
||||||
end;
|
end,
|
||||||
_ -> false
|
if DigRes -> true;
|
||||||
|
true -> (Passwd == Password) and (Password /= <<"">>)
|
||||||
|
end;
|
||||||
|
_ -> false
|
||||||
|
end
|
||||||
end.
|
end.
|
||||||
|
|
||||||
set_password(User, Server, Password) ->
|
set_password(User, Server, Password) ->
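Review bot: The authzid check `if AuthzId /= <<>> andalso AuthzId /= User -> false` is now duplicated verbatim at the top of check_password/4 and check_password/6, and in both it compares the raw binaries while the account lookup a few lines later uses `LUser = jlib:nodeprep(User)`; a proxy request naming the same account in a different case therefore fails closed, which is safe, but the two identities are judged under different normalisation rules. Factor the decision into one private predicate that normalises both sides and treats a nodeprep `error` as a refusal (a naive `nodeprep(A) =:= nodeprep(B)` would accept two malformed names as equal), and call it from both clauses. If the predicate accepts an authzid that differs from the authcid only in case, whatever downstream code adopts the authzid as the session identity must normalise it too; that code is outside this hunk.
```erlang
%% Riak cannot record an authcid->authzid relationship, so the only authzid
%% this backend accepts is the authcid itself (after nodeprep) or none.
is_authzid_permitted(_User, <<>>) ->
    true;
is_authzid_permitted(User, AuthzId) ->
    case jlib:nodeprep(AuthzId) of
        error -> false;
        LAuthzId -> LAuthzId =:= jlib:nodeprep(User)
    end.

check_password(User, AuthzId, Server, Password) ->
    case is_authzid_permitted(User, AuthzId) of
        false ->
            false;
        true ->
            %% … unchanged: Riak lookup and plain / SCRAM password comparison …
    end.
```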
|
||||||
|
|
|
@ -397,13 +397,13 @@ wait_for_stream({xmlstreamstart, _Name, Attrs}, StateData) ->
|
||||||
ejabberd_auth:get_password_with_authmodule(
|
ejabberd_auth:get_password_with_authmodule(
|
||||||
U, Server)
|
U, Server)
|
||||||
end,
|
end,
|
||||||
fun(U, P) ->
|
fun(U, AuthzId, P) ->
|
||||||
ejabberd_auth:check_password_with_authmodule(
|
ejabberd_auth:check_password_with_authmodule(
|
||||||
U, Server, P)
|
U, AuthzId, Server, P)
|
||||||
end,
|
end,
|
||||||
fun(U, P, D, DG) ->
|
fun(U, AuthzId, P, D, DG) ->
|
||||||
ejabberd_auth:check_password_with_authmodule(
|
ejabberd_auth:check_password_with_authmodule(
|
||||||
U, Server, P, D, DG)
|
U, AuthzId, Server, P, D, DG)
|
||||||
end),
|
end),
|
||||||
Mechs =
|
Mechs =
|
||||||
case TLSEnabled or not TLSRequired of
|
case TLSEnabled or not TLSRequired of
|
||||||
|
@ -635,7 +635,7 @@ wait_for_auth({xmlstreamelement, El}, StateData) ->
|
||||||
DGen = fun (PW) ->
|
DGen = fun (PW) ->
|
||||||
p1_sha:sha(<<(StateData#state.streamid)/binary, PW/binary>>)
|
p1_sha:sha(<<(StateData#state.streamid)/binary, PW/binary>>)
|
||||||
end,
|
end,
|
||||||
case ejabberd_auth:check_password_with_authmodule(U,
|
case ejabberd_auth:check_password_with_authmodule(U, U,
|
||||||
StateData#state.server,
|
StateData#state.server,
|
||||||
P, D, DGen)
|
P, D, DGen)
|
||||||
of
|
of
|
||||||
|
@ -753,9 +753,7 @@ wait_for_feature_request({xmlstreamelement, El},
|
||||||
of
|
of
|
||||||
{ok, Props} ->
|
{ok, Props} ->
|
||||||
(StateData#state.sockmod):reset_stream(StateData#state.socket),
|
(StateData#state.sockmod):reset_stream(StateData#state.socket),
|
||||||
%U = xml:get_attr_s(username, Props),
|
U = identity(Props),
|
||||||
U = proplists:get_value(username, Props, <<>>),
|
|
||||||
%AuthModule = xml:get_attr_s(auth_module, Props),
|
|
||||||
AuthModule = proplists:get_value(auth_module, Props, undefined),
|
AuthModule = proplists:get_value(auth_module, Props, undefined),
|
||||||
?INFO_MSG("(~w) Accepted authentication for ~s "
|
?INFO_MSG("(~w) Accepted authentication for ~s "
|
||||||
"by ~p from ~s",
|
"by ~p from ~s",
|
||||||
|
@ -906,9 +904,7 @@ wait_for_sasl_response({xmlstreamelement, El},
|
||||||
{ok, Props} ->
|
{ok, Props} ->
|
||||||
catch
|
catch
|
||||||
(StateData#state.sockmod):reset_stream(StateData#state.socket),
|
(StateData#state.sockmod):reset_stream(StateData#state.socket),
|
||||||
% U = xml:get_attr_s(username, Props),
|
U = identity(Props),
|
||||||
U = proplists:get_value(username, Props, <<>>),
|
|
||||||
% AuthModule = xml:get_attr_s(auth_module, Props),
|
|
||||||
AuthModule = proplists:get_value(auth_module, Props, <<>>),
|
AuthModule = proplists:get_value(auth_module, Props, <<>>),
|
||||||
?INFO_MSG("(~w) Accepted authentication for ~s "
|
?INFO_MSG("(~w) Accepted authentication for ~s "
|
||||||
"by ~p from ~s",
|
"by ~p from ~s",
|
||||||
|
@ -929,9 +925,7 @@ wait_for_sasl_response({xmlstreamelement, El},
|
||||||
user = U});
|
user = U});
|
||||||
{ok, Props, ServerOut} ->
|
{ok, Props, ServerOut} ->
|
||||||
(StateData#state.sockmod):reset_stream(StateData#state.socket),
|
(StateData#state.sockmod):reset_stream(StateData#state.socket),
|
||||||
% U = xml:get_attr_s(username, Props),
|
U = identity(Props),
|
||||||
U = proplists:get_value(username, Props, <<>>),
|
|
||||||
% AuthModule = xml:get_attr_s(auth_module, Props),
|
|
||||||
AuthModule = proplists:get_value(auth_module, Props, undefined),
|
AuthModule = proplists:get_value(auth_module, Props, undefined),
|
||||||
?INFO_MSG("(~w) Accepted authentication for ~s "
|
?INFO_MSG("(~w) Accepted authentication for ~s "
|
||||||
"by ~p from ~s",
|
"by ~p from ~s",
|
||||||
|
@ -3126,3 +3120,9 @@ pack_string(String, Pack) ->
|
||||||
|
|
||||||
transform_listen_option(Opt, Opts) ->
|
transform_listen_option(Opt, Opts) ->
|
||||||
[Opt|Opts].
|
[Opt|Opts].
|
||||||
|
|
||||||
|
identity(Props) ->
|
||||||
|
case proplists:get_value(authzid, Props, <<>>) of
|
||||||
|
<<>> -> proplists:get_value(username, Props, <<>>);
|
||||||
|
AuthzId -> AuthzId
|
||||||
|
end.
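Review bot: The `?INFO_MSG("(~w) Accepted authentication for ~s by ~p from ~s", …)` lines in wait_for_feature_request and wait_for_sasl_response now have `U = identity(Props)` as the only identity bound before them, i.e. the authzid whenever one was supplied, so once a backend permits proxy authentication the accept log presumably stops recording which credential actually authenticated — exactly the fact an incident responder needs. Keep the authcid alongside: `AuthcId = proplists:get_value(username, Props, <<>>),` and widen the message to `"(~w) Accepted authentication for ~s (authenticated as ~s) by ~p from ~s"`, adding `AuthcId` to the argument list, which continues outside the hunk. Two smaller things: identity/1 trusts the `authzid` value as it arrives in Props, so the same-domain restriction the commit message promises must already be enforced by the SASL mechanism (not visible here; a comment on identity/1 stating that assumption, `%% authzid is assumed to be validated and domain-restricted by the SASL mechanism`, would help the next reader), and the legacy path in wait_for_auth passes `U` as the authzid while every other adapted caller passes `<<"">>`, so one convention for "no authzid requested" should be chosen.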
|
||||||
|
|
|
@ -397,7 +397,7 @@ check_auth(noauth) ->
|
||||||
no_auth_provided;
|
no_auth_provided;
|
||||||
check_auth({User, Server, Password}) ->
|
check_auth({User, Server, Password}) ->
|
||||||
%% Check the account exists and password is valid
|
%% Check the account exists and password is valid
|
||||||
case ejabberd_auth:check_password(User, Server, Password) of
|
case ejabberd_auth:check_password(User, <<"">>, Server, Password) of
|
||||||
true -> {ok, User, Server};
|
true -> {ok, User, Server};
|
||||||
_ -> throw({error, invalid_account_data})
|
_ -> throw({error, invalid_account_data})
|
||||||
end.
|
end.
|
||||||
|
|
|
@ -263,7 +263,7 @@ get_auth_admin(Auth, HostHTTP, RPath, Method) ->
|
||||||
|
|
||||||
get_auth_account(HostOfRule, AccessRule, User, Server,
|
get_auth_account(HostOfRule, AccessRule, User, Server,
|
||||||
Pass) ->
|
Pass) ->
|
||||||
case ejabberd_auth:check_password(User, Server, Pass) of
|
case ejabberd_auth:check_password(User, <<"">>, Server, Pass) of
|
||||||
true ->
|
true ->
|
||||||
case is_acl_match(HostOfRule, AccessRule,
|
case is_acl_match(HostOfRule, AccessRule,
|
||||||
jlib:make_jid(User, Server, <<"">>))
|
jlib:make_jid(User, Server, <<"">>))
|
||||||
|
|
|
@ -154,7 +154,7 @@ wait_for_auth(Packet,
|
||||||
#state{socket = Socket, host = Host} = StateData) ->
|
#state{socket = Socket, host = Host} = StateData) ->
|
||||||
case mod_proxy65_lib:unpack_auth_request(Packet) of
|
case mod_proxy65_lib:unpack_auth_request(Packet) of
|
||||||
{User, Pass} ->
|
{User, Pass} ->
|
||||||
Result = ejabberd_auth:check_password(User, Host, Pass),
|
Result = ejabberd_auth:check_password(User, <<"">>, Host, Pass),
|
||||||
gen_tcp:send(Socket,
|
gen_tcp:send(Socket,
|
||||||
mod_proxy65_lib:make_auth_reply(Result)),
|
mod_proxy65_lib:make_auth_reply(Result)),
|
||||||
case Result of
|
case Result of
|
||||||
|
|
|
@ -437,7 +437,7 @@ check_account_exists(Username, Host) ->
|
||||||
end.
|
end.
|
||||||
|
|
||||||
check_password(Username, Host, Password) ->
|
check_password(Username, Host, Password) ->
|
||||||
case ejabberd_auth:check_password(Username, Host,
|
case ejabberd_auth:check_password(Username, <<"">>, Host,
|
||||||
Password)
|
Password)
|
||||||
of
|
of
|
||||||
true -> password_correct;
|
true -> password_correct;
|
||||||
|
|