From: Enrico Tassi <gareuselesinge@debian.org>
Date: Mon, 17 Aug 2015 10:32:11 +0200
Subject: HA1b: simple adaptation to meet the Debian needs

a) the word "authorized" is not meant to be case sensitive

b) in our database, and in the way we compute our hashes, the usernames
   include domains, e.g. pocock@debian.org (this is sometimes referred to
   as HA1b)

   new boolean option: auth_ha1_use_ha1b

c) we use a realm name "rtc.debian.org", this is not the same as our
   domain, "debian.org"

   new string option: auth_ha1_realm
---
 mod_auth_ha1/mod_auth_ha1.lua | 37 ++++++++++++++++++++++++++++---------
 1 file changed, 28 insertions(+), 9 deletions(-)

diff --git a/mod_auth_ha1/mod_auth_ha1.lua b/mod_auth_ha1/mod_auth_ha1.lua
index 8392efd..55f62e0 100644
--- a/mod_auth_ha1/mod_auth_ha1.lua
+++ b/mod_auth_ha1/mod_auth_ha1.lua
@@ -10,11 +10,14 @@ local new_sasl = require "util.sasl".new;
 
 local nodeprep = require "util.encodings".stringprep.nodeprep;
 local nameprep = require "util.encodings".stringprep.nameprep;
+local jidprep = require "util.jid".prep;
 local md5 = require "util.hashes".md5;
 
 local host = module.host;
 
 local auth_filename = module:get_option_string("auth_ha1_file", "auth.txt");
+local auth_ha1b = module:get_option_boolean("auth_ha1_use_ha1b", false);
+local auth_realm = module:get_option_string("auth_ha1_realm", host);
 local auth_data = {};
 
 function reload_auth_data()
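Review bot: The `auth_realm` option at the end of this hunk is taken raw from the configuration, while the realm read from each auth-file line is passed through `nameprep` before the `realm == auth_realm` comparison in reload_auth_data; a configured realm that differs only in case or normalization would silently match no entries and the file would load zero accounts with nothing but a debug-level count to show for it. If realms are always host-like, as the `rtc.debian.org` example in the description suggests, normalizing the option the same way closes the gap: `local auth_realm = nameprep(module:get_option_string("auth_ha1_realm", host));`. Whether `host` itself arrives already nameprep'd from the core is not visible here, so the default path may or may not be affected.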
@@ -33,14 +36,18 @@ function reload_auth_data()
 				module:log("error", "Unable to parse line %d of auth file, skipping", line_number);
 			end
 		else
-			username, realm = nodeprep(username), nameprep(realm);
+			if not auth_ha1b then
+				username, realm = nodeprep(username), nameprep(realm);
+			else
+				username, realm = jidprep(username), nameprep(realm);
+			end
 			if not username then
 				module:log("error", "Invalid username on line %d of auth file, skipping", line_number);
 			elseif not realm then
-				module:log("error", "Invalid hostname/realm on line %d of auth file, skipping", line_number);
-			elseif state ~= "authorized" then
+				module:log("error", "Invalid realm on line %d of auth file, skipping", line_number);
+			elseif state:lower() ~= "authorized" then
 				not_authorized_count = not_authorized_count + 1;
-			elseif realm == host then
+			elseif realm == auth_realm then
 				auth_data[username] = hash;
 				imported_count = imported_count + 1;
 			end
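Review bot: In HA1b mode the stored key is the file's full JID after `jidprep`, but the lookups added later build the key as `username.."@"..host`, so an entry for any other domain is stored and counted as imported yet can never match, and the "Loaded %d accounts" summary at the end of reload_auth_data overstates what is usable. A check on the `elseif realm == auth_realm` branch that compares the JID's domain against `host` (e.g. via `util.jid`'s `split`, imported next to `prep`) and logs a warning for the rest would make such entries visible instead of silent. Separately, `state:lower()` raises on a nil `state` where the old `state ~= "authorized"` did not; this only matters if the parse check above this hunk can fall into this branch with a missing state field, which I cannot confirm from here. The negated `if not auth_ha1b then … else … end` reads more naturally with the positive case first: `if auth_ha1b then username, realm = jidprep(username), nameprep(realm); else username, realm = nodeprep(username), nameprep(realm); end`. reload_auth_data starts and ends outside this hunk.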
@@ -50,6 +57,14 @@ function reload_auth_data()
 	module:log("debug", "Loaded %d accounts from auth file (%d authorized)", imported_count, imported_count-not_authorized_count);
 end
 
+function make_username(username)
+	if auth_ha1b then
+		return username.."@"..host;
+	else
+		return username;
+	end
+end
+
 function module.load()
 	reload_auth_data();
 end
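Review bot: `make_username` carries no comment, and its deliberate use of `host` rather than `auth_realm` is exactly what the commit description explains but the code does not, so the next reader will wonder whether the realm belongs here. I would add above it: `-- Key used to look up an account in auth_data. In HA1b mode the auth file (and the HA1 hash) identify users as user@domain, so the bare SASL username is qualified with the module host; the Digest realm (auth_realm) is a separate value and is not part of the key.` It is also defined as a global like the file's older `reload_auth_data`; since it precedes its callers in provider, `local function make_username(username)` would match the modern module idiom.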
@@ -60,11 +75,14 @@ module:hook_global("config-reloaded", reload_auth_data);
 local provider = {};
 
 function provider.test_password(username, password)
-	module:log("debug", "test password for user %s at host %s, %s", username, host, password);
+	module:log("debug", "test password for user %s at host %s", username, host);
+
+	local test_username = make_username(username)
+	local test_hash = md5(test_username..":"..auth_realm..":"..password, true);
 
-	local test_hash = md5(username..":"..host..":"..password, true);
+	module:log("debug", "test hash for user %s at realm %s, %s", test_username, auth_realm, test_hash);
 
-	if test_hash == auth_data[username] then
+	if test_hash == auth_data[test_username] then
 		return true;
 	else
 		return nil, "Auth failed. Invalid username or password.";
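Review bot: The new debug line `module:log("debug", "test hash for user %s at realm %s, %s", test_username, auth_realm, test_hash)` writes the computed HA1 into the log; HA1 is `md5(user:realm:password)`, which in Digest authentication is the password-equivalent secret, so this reinstates the credential exposure the removed plaintext line had in a hashed-but-equivalent form, and on a failed attempt it also records a hash of whatever the client typed. Drop the hash from the message: `module:log("debug", "test hash for user %s at realm %s", test_username, auth_realm);`. The statement `local test_username = make_username(username)` lacks the trailing semicolon used everywhere else in this file (the same line in the user_exists hunk below too). provider.test_password ends outside this hunk.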
@@ -76,8 +94,9 @@ function provider.set_password(username, password)
 end
 
 function provider.user_exists(username)
-	if not auth_data[username] then
-		module:log("debug", "account not found for username '%s' at host '%s'", username, host);
+	local test_username = make_username(username)
+	if not auth_data[test_username] then
+		module:log("debug", "account not found for username '%s' at host '%s'", test_username, host);
 		return nil, "Auth failed. Invalid username";
 	end
 	return true;