| 1 |
|
%%%============================================================================= |
| 2 |
|
%%% @copyright (C) 1999-2020, Erlang Solutions Ltd |
| 3 |
|
%%% @doc cyrsasl external verification backend |
| 4 |
|
%%% |
| 5 |
|
%%% this module is added only for the demo and testing purposes. |
| 6 |
|
%%% |
| 7 |
|
%%% if your custom verification backend requires any initialisation/termination |
| 8 |
|
%%% logic, it can be added by implementation of 'gen_mod' or 'mongoose_service' |
| 9 |
|
%%% behaviour. |
| 10 |
|
%%% |
| 11 |
|
%%% the next extra fields are added to the mongoose_credentials record by |
| 12 |
|
%%% the cyrsasl_external module: |
| 13 |
|
%%% * pem_cert - certificate in PEM format |
| 14 |
|
%%% * der_cert - certificate in DER format |
| 15 |
|
%%% * common_name - CN field (bitstring) of the client's cert (if available) |
| 16 |
|
%%% * xmpp_addresses - list of provided "xmppAddr" fields (bare jids) provided in |
| 17 |
|
%%% the client's certificate (empty list if not available) |
| 18 |
|
%%% * auth_id - authorization identity (bare jid, if provided by the client) |
| 19 |
|
%%% |
| 20 |
|
%%% this verification module picks user name of a JID provided in one of the following |
| 21 |
|
%%% sources: |
| 22 |
|
%%% * auth_id (if provided by the client) |
| 23 |
|
%%% * xmpp_addresses (ignored if list is empty or contains more than one JID) |
| 24 |
|
%%% * common_name |
| 25 |
|
%%% sources are checked in the same order as mentioned in the list above, the first |
| 26 |
|
%%% successful source is selected. the server part of the JID is verified and it must |
| 27 |
|
%%% correspond to the host were user is trying to connect. |
| 28 |
|
%%% @end |
| 29 |
|
%%%============================================================================= |
| 30 |
|
-module(cyrsasl_external_verification). |
| 31 |
|
-behaviour(cyrsasl_external). |
| 32 |
|
|
| 33 |
|
%% API |
| 34 |
|
-export([verify_creds/1]). |
| 35 |
|
|
| 36 |
|
-include_lib("jid/include/jid.hrl"). |
| 37 |
|
-include("mongoose_logger.hrl"). |
| 38 |
|
|
| 39 |
|
-spec verify_creds(Creds :: mongoose_credentials:t()) -> |
| 40 |
|
{ok, Username :: binary()} | {error, Error :: binary()}. |
| 41 |
|
|
| 42 |
|
verify_creds(Creds) -> |
| 43 |
18 |
AuthId = mongoose_credentials:get(Creds, auth_id, undefined), |
| 44 |
18 |
Addrs = mongoose_credentials:get(Creds, xmpp_addresses), |
| 45 |
18 |
XmppAddr = case Addrs of |
| 46 |
3 |
[Addr] -> Addr; |
| 47 |
15 |
_ -> undefined |
| 48 |
|
end, |
| 49 |
18 |
CN = mongoose_credentials:get(Creds, common_name, undefined), |
| 50 |
18 |
Sources = [AuthId, XmppAddr, CN, <<"">>], |
| 51 |
18 |
[JID | _] = [Name || Name <- Sources, Name =/= undefined], |
| 52 |
18 |
Server = mongoose_credentials:lserver(Creds), |
| 53 |
18 |
case jid:from_binary(JID) of |
| 54 |
|
#jid{luser = User, lserver = Server, lresource = <<"">>} when User =/= <<"">> -> |
| 55 |
12 |
{ok, User}; |
| 56 |
|
Result -> |
| 57 |
6 |
?LOG_ERROR(#{what => cyrsasl_external_verification_failed, |
| 58 |
|
xmpp_addresses => Addrs, server => Server, |
| 59 |
:-( |
auth_sources => Sources, result => Result}), |
| 60 |
6 |
{error, <<"not-authorized">>} |
| 61 |
|
end. |