mirror of https://github.com/processone/ejabberd.git synced 2024-11-30 16:36:29 +01:00

Detect auth errors and report in log file. Support auth when domain not provided.

SVN Revision: 2331
Badlop 2009-06-22 23:14:18 +00:00
parent 0aca6920a7
commit b9cbb7a72b


@ -45,7 +45,6 @@
?XMLATTR('name', Name), ?XMLATTR('name', Name),
?XMLATTR('value', Value)])). ?XMLATTR('value', Value)])).
process(["doc", LocalFile], _Request) -> process(["doc", LocalFile], _Request) ->
DocPath = case os:getenv("EJABBERD_DOC_PATH") of DocPath = case os:getenv("EJABBERD_DOC_PATH") of
P when is_list(P) -> P; P when is_list(P) -> P;
@ -70,71 +69,87 @@ process(["doc", LocalFile], _Request) ->
end end
end; end;
process(["server", SHost | RPath], #request{auth = Auth} = Request) -> process(["server", SHost | RPath], #request{auth = Auth, lang = Lang, host = HostHTTP} = Request) ->
Host = exmpp_stringprep:nameprep(SHost), Host = exmpp_stringprep:nameprep(SHost),
case lists:member(Host, ?MYHOSTS) of case lists:member(Host, ?MYHOSTS) of
true -> true ->
case get_auth(Auth) of case get_auth_admin(Auth, Host, HostHTTP) of
{User, Server} -> {ok, {User, Server}} ->
case acl:match_rule( process_admin(Host, Request#request{path = RPath,
Host, configure, exmpp_jid:make(User, Server)) of us = {User, Server}});
deny -> {unauthorized, "no-auth-provided"} ->
ejabberd_web:error(not_allowed);
allow ->
process_admin(
Host, Request#request{path = RPath,
us = {User, Server}})
end;
unauthorized ->
{401, {401,
[{"WWW-Authenticate", "basic realm=\"ejabberd\""}], [{"WWW-Authenticate", "basic realm=\"ejabberd\""}],
ejabberd_web:make_xhtml([#xmlel{ns = ?NS_XHTML, name = 'h1', children = ejabberd_web:make_xhtml([?XCT('h1', "Unauthorized")])};
[#xmlcdata{cdata = <<"401 Unauthorized">>}]}])} {unauthorized, Error} ->
?WARNING_MSG("Access ~p failed with error: ~p~n~p",
[Auth, Error, Request]),
{401,
[{"WWW-Authenticate",
"basic realm=\"auth error, retry login to ejabberd\""}],
ejabberd_web:make_xhtml([?XCT('h1', "Unauthorized")])}
end; end;
false -> false ->
ejabberd_web:error(not_found) ejabberd_web:error(not_found)
end; end;
process(RPath, #request{auth = Auth} = Request) -> process(RPath, #request{auth = Auth, lang = Lang, host = HostHTTP} = Request) ->
case get_auth(Auth) of case get_auth_admin(Auth, global, HostHTTP) of
{User, Server} -> {ok, {User, Server}} ->
case acl:match_rule( process_admin(global, Request#request{path = RPath,
global, configure, exmpp_jid:make(User, Server)) of us = {User, Server}});
deny -> {unauthorized, "no-auth-provided"} ->
ejabberd_web:error(not_allowed);
allow ->
process_admin(
global, Request#request{path = RPath,
us = {User, Server}})
end;
unauthorized ->
%% XXX bard: any reason to send this data now and not
%% always in case of an 401? ought to check http specs...
{401, {401,
[{"WWW-Authenticate", "basic realm=\"ejabberd\""}], [{"WWW-Authenticate", "basic realm=\"ejabberd\""}],
ejabberd_web:make_xhtml([#xmlel{ns = ?NS_XHTML, name = 'h1', children = ejabberd_web:make_xhtml([?XCT('h1', "Unauthorized")])};
[#xmlcdata{cdata = <<"401 Unauthorized">>}]}])} {unauthorized, Error} ->
?WARNING_MSG("Access ~p failed with error: ~p~n~p",
[Auth, Error, Request]),
{401,
[{"WWW-Authenticate",
"basic realm=\"auth error, retry login to ejabberd\""}],
ejabberd_web:make_xhtml([?XCT('h1', "Unauthorized")])}
end. end.
get_auth(Auth) -> get_auth_admin(Auth, Host, HostHTTP) ->
case Auth of case Auth of
{SJID, P} -> {SJID, Pass} ->
try try
JID = exmpp_jid:parse(SJID), JID = exmpp_jid:parse(SJID),
U = exmpp_jid:node_as_list(JID), User = exmpp_jid:node_as_list(JID),
S = exmpp_jid:domain_as_list(JID), Server = exmpp_jid:domain_as_list(JID),
case ejabberd_auth:check_password(U, S, P) of case User == undefined of
true -> true ->
{U, S}; %% If only specified username, not username@server
get_auth_account(Host, Server, HostHTTP, Pass);
false -> false ->
unauthorized get_auth_account(Host, User, Server, Pass)
end end
catch catch
_ -> _ ->
unauthorized {unauthorized, "badformed-jid"}
end; end;
_ -> _ ->
unauthorized {unauthorized, "no-auth-provided"}
end.
get_auth_account(Host, User, Server, Pass) ->
case ejabberd_auth:check_password(User, Server, Pass) of
true ->
case acl:match_rule(Host, configure,
exmpp_jid:make(User, Server)) of
deny ->
{unauthorized, "unprivileged-account"};
allow ->
{ok, {User, Server}}
end;
false ->
case ejabberd_auth:is_user_exists(User, Server) of
true ->
{unauthorized, "bad-password"};
false ->
{unauthorized, "inexistent-account"}
end
end. end.
make_xhtml(Els, Host, Lang) -> make_xhtml(Els, Host, Lang) ->
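Review bot: The new `{unauthorized, Error}` branches in both `process/2` clauses pass `Auth` and the whole `Request` to `?WARNING_MSG`; `Auth` is the `{SJID, Pass}` tuple and is also carried in the request's `auth` field, so every failed admin login writes the submitted password to the log in cleartext. Log only the account name and the error, for example `?WARNING_MSG("Access for ~p failed with error: ~p", [element(1, Auth), Error])`, which is safe here because the "no-auth-provided" case is matched before this branch, and leave `Request` out or redact its `auth` field first. Separately, when the login has no domain, `get_auth_admin/3` takes the account's server from `HostHTTP`, which presumably comes from the client's Host header; consider accepting it only when `lists:member(HostHTTP, ?MYHOSTS)` holds. The `catch _ ->` there catches only throws, so if `exmpp_jid:parse/1` can raise an error-class exception the request crashes instead of returning "badformed-jid"; this is worth confirming against that library.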