1 |
|
%%%============================================================================= |
2 |
|
%%% @copyright (C) 1999-2020, Erlang Solutions Ltd |
3 |
|
%%% @doc cyrsasl external verification backend |
4 |
|
%%% |
5 |
|
%%% this module is added only for the demo and testing purposes. |
6 |
|
%%% |
7 |
|
%%% if your custom verification backend requires any initialisation/termination |
8 |
|
%%% logic, it can be added by implementation of 'gen_mod' or 'mongoose_service' |
9 |
|
%%% behaviour. |
10 |
|
%%% |
11 |
|
%%% the next extra fields are added to the mongoose_credentials record by |
12 |
|
%%% the cyrsasl_external module: |
13 |
|
%%% * pem_cert - certificate in PEM format |
14 |
|
%%% * der_cert - certificate in DER format |
15 |
|
%%% * common_name - CN field (bitstring) of the client's cert (if available) |
16 |
|
%%% * xmpp_addresses - list of provided "xmppAddr" fields (bare jids) provided in |
17 |
|
%%% the client's certificate (empty list if not available) |
18 |
|
%%% * auth_id - authorization identity (bare jid, if provided by the client) |
19 |
|
%%% |
20 |
|
%%% this verification module picks user name of a JID provided in one of the following |
21 |
|
%%% sources: |
22 |
|
%%% * auth_id (if provided by the client) |
23 |
|
%%% * xmpp_addresses (ignored if list is empty or contains more than one JID) |
24 |
|
%%% * common_name |
25 |
|
%%% sources are checked in the same order as mentioned in the list above, the first |
26 |
|
%%% successful source is selected. the server part of the JID is verified and it must |
27 |
|
%%% correspond to the host were user is trying to connect. |
28 |
|
%%% @end |
29 |
|
%%%============================================================================= |
30 |
|
-module(cyrsasl_external_verification). |
31 |
|
-behaviour(cyrsasl_external). |
32 |
|
|
33 |
|
%% API |
34 |
|
-export([verify_creds/1]). |
35 |
|
|
36 |
|
-include_lib("jid/include/jid.hrl"). |
37 |
|
-include("mongoose_logger.hrl"). |
38 |
|
|
39 |
|
-spec verify_creds(Creds :: mongoose_credentials:t()) -> |
40 |
|
{ok, Username :: binary()} | {error, Error :: binary()}. |
41 |
|
|
42 |
|
verify_creds(Creds) -> |
43 |
:-( |
AuthId = mongoose_credentials:get(Creds, auth_id, undefined), |
44 |
:-( |
Addrs = mongoose_credentials:get(Creds, xmpp_addresses), |
45 |
:-( |
XmppAddr = case Addrs of |
46 |
:-( |
[Addr] -> Addr; |
47 |
:-( |
_ -> undefined |
48 |
|
end, |
49 |
:-( |
CN = mongoose_credentials:get(Creds, common_name, undefined), |
50 |
:-( |
Sources = [AuthId, XmppAddr, CN, <<"">>], |
51 |
:-( |
[JID | _] = [Name || Name <- Sources, Name =/= undefined], |
52 |
:-( |
Server = mongoose_credentials:lserver(Creds), |
53 |
:-( |
case jid:from_binary(JID) of |
54 |
|
#jid{luser = User, lserver = Server, lresource = <<"">>} when User =/= <<"">> -> |
55 |
:-( |
{ok, User}; |
56 |
|
Result -> |
57 |
:-( |
?LOG_ERROR(#{what => cyrsasl_external_verification_failed, |
58 |
|
xmpp_addresses => Addrs, server => Server, |
59 |
:-( |
auth_sources => Sources, result => Result}), |
60 |
:-( |
{error, <<"not-authorized">>} |
61 |
|
end. |