Mercury-IM/Smack
Mercury-IM/Smack
1
0
Fork 0
mirror of https://codeberg.org/Mercury-IM/Smack synced 2024-11-21 22:02:06 +01:00
Code Issues Releases Wiki Activity

SASL Proxy Auth support

Browse source 
This adds the ability to provide a distinct authorization identifier for use
by SASL mechanisms. Not all SASL mechanisms support this operation, in
particular CRAM-MD5.

Both the javax and provided SASL implementations are extended, and an authzid
parameter added to the authenticate method.

The authorization identifier is passed as a EntityBareJid in order to assure the
correct form.

Resolves SMACK-677.

Minor-Modifications-By: Florian Schmaus <flo@geekplace.eu>
This commit is contained in:
Dave Cridland 2015-06-16 17:50:30 +01:00 committed by Florian Schmaus
parent a00331dbb4
commit 9c772add93
18 changed files with 182 additions and 32 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
smack-bosh/src/main/java/org/jivesoftware/smack/bosh/XMPPBOSHConnection.java
View file

@ -219,7 +219,7 @@ public class XMPPBOSHConnection extends AbstractXMPPConnection {
protected void loginInternal(String username, String password, Resourcepart resource) throws XMPPException,
SmackException, IOException, InterruptedException {
// Authenticate using SASL
saslAuthentication.authenticate(username, password);
saslAuthentication.authenticate(username, password, config.getAuthzid());
bindResourceAndEstablishSession(resource);

38
smack-core/src/main/java/org/jivesoftware/smack/ConnectionConfiguration.java
View file

@ -31,6 +31,7 @@ import org.jivesoftware.smack.util.CollectionUtil;
import org.jivesoftware.smack.util.Objects;
import org.jivesoftware.smack.util.StringUtils;
import org.jxmpp.jid.DomainBareJid;
import org.jxmpp.jid.EntityBareJid;
import org.jxmpp.jid.parts.Resourcepart;
import org.jxmpp.stringprep.XmppStringprepException;
@ -81,6 +82,11 @@ public abstract class ConnectionConfiguration {
private final String password;
private final Resourcepart resource;
/**
* The optional SASL authorization identity (see RFC 6120 § 6.3.8).
*/
private final EntityBareJid authzid;
/**
* Initial presence as of RFC 6121 § 4.2
* @see <a href="http://xmpp.org/rfcs/rfc6121.html#presence-initial">RFC 6121 § 4.2 Initial Presence</a>
@ -110,6 +116,7 @@ public abstract class ConnectionConfiguration {
private final Set<String> enabledSaslMechanisms;
protected ConnectionConfiguration(Builder<?,?> builder) {
authzid = builder.authzid;
username = builder.username;
password = builder.password;
callbackHandler = builder.callbackHandler;
@ -361,6 +368,17 @@ public abstract class ConnectionConfiguration {
return resource;
}
/**
* Returns the optional XMPP address to be requested as the SASL authorization identity.
*
* @return the authorization identifier.
* @see <a href="http://tools.ietf.org/html/rfc6120#section-6.3.8">RFC 6120 § 6.3.8. Authorization Identity</a>
* @since 4.2
*/
public EntityBareJid getAuthzid() {
return authzid;
}
/**
* Returns true if an available presence should be sent when logging in while reconnecting.
*
@ -425,6 +443,7 @@ public abstract class ConnectionConfiguration {
private String[] enabledSSLProtocols;
private String[] enabledSSLCiphers;
private HostnameVerifier hostnameVerifier;
private EntityBareJid authzid;
private CharSequence username;
private String password;
private Resourcepart resource;
@ -803,6 +822,25 @@ public abstract class ConnectionConfiguration {
return getThis();
}
/**
* Set the XMPP address to be used as authorization identity.
* <p>
* In XMPP, authorization identities are bare jids. In general, callers should allow the server to select the
* authorization identifier automatically, and not call this. Note that setting the authzid does not set the XMPP
* service domain, which should typically match.
* Calling this will also SASL CRAM, since this mechanism does not support authzid.
* </p>
*
* @param authzid The BareJid to be requested as the authorization identifier.
* @return a reference to this builder.
* @see <a href="http://tools.ietf.org/html/rfc6120#section-6.3.8">RFC 6120 § 6.3.8. Authorization Identity</a>
* @since 4.2
*/
public B setAuthzid(EntityBareJid authzid) {
this.authzid = authzid;
return getThis();
}
public abstract C build();
protected abstract B getThis();

28
smack-core/src/main/java/org/jivesoftware/smack/SASLAuthentication.java
View file

@ -25,6 +25,7 @@ import org.jivesoftware.smack.sasl.SASLMechanism;
import org.jivesoftware.smack.sasl.packet.SaslStreamElements.SASLFailure;
import org.jivesoftware.smack.sasl.packet.SaslStreamElements.Success;
import org.jxmpp.jid.DomainBareJid;
import org.jxmpp.jid.EntityBareJid;
import javax.security.auth.callback.CallbackHandler;
@ -171,26 +172,27 @@ public final class SASLAuthentication {
*
* @param username the username that is authenticating with the server.
* @param password the password to send to the server.
* @throws XMPPErrorException
* @throws SASLErrorException
* @throws IOException
* @throws SmackException
* @throws InterruptedException
* @param authzid the authorization identifier (typically null).
* @throws XMPPErrorException
* @throws SASLErrorException
* @throws IOException
* @throws SmackException
* @throws InterruptedException
*/
public void authenticate(String username, String password)
public void authenticate(String username, String password, EntityBareJid authzid)
throws XMPPErrorException, SASLErrorException, IOException,
SmackException, InterruptedException {
currentMechanism = selectMechanism();
currentMechanism = selectMechanism(authzid);
final CallbackHandler callbackHandler = configuration.getCallbackHandler();
final String host = connection.getHost();
final DomainBareJid xmppServiceDomain = connection.getXMPPServiceDomain();
synchronized (this) {
if (callbackHandler != null) {
currentMechanism.authenticate(host, xmppServiceDomain, callbackHandler);
currentMechanism.authenticate(host, xmppServiceDomain, callbackHandler, authzid);
}
else {
currentMechanism.authenticate(username, host, xmppServiceDomain, password);
currentMechanism.authenticate(username, host, xmppServiceDomain, password, authzid);
}
final long deadline = System.currentTimeMillis() + connection.getPacketReplyTimeout();
while (!authenticationSuccessful && saslException == null) {
@ -312,7 +314,7 @@ public final class SASLAuthentication {
return lastUsedMech.getName();
}
private SASLMechanism selectMechanism() throws SmackException {
private SASLMechanism selectMechanism(EntityBareJid authzid) throws SmackException {
Iterator<SASLMechanism> it = REGISTERED_MECHANISMS.iterator();
final List<String> serverMechanisms = getServerMechanisms();
if (serverMechanisms.isEmpty()) {
@ -330,6 +332,12 @@ public final class SASLAuthentication {
if (!configuration.isEnabledSaslMechanism(mechanismName)) {
continue;
}
if (authzid != null) {
if (!mechanism.authzidSupported()) {
LOGGER.fine("Skipping " + mechanism + " because authzid is required by not supported by this SASL mechanism");
continue;
}
}
if (serverMechanisms.contains(mechanismName)) {
// Create a new instance of the SASLMechanism for every authentication attempt.
return mechanism.instanceForAuthentication(connection);

33
smack-core/src/main/java/org/jivesoftware/smack/sasl/SASLMechanism.java
View file

@ -25,6 +25,7 @@ import org.jivesoftware.smack.util.StringTransformer;
import org.jivesoftware.smack.util.StringUtils;
import org.jivesoftware.smack.util.stringencoder.Base64;
import org.jxmpp.jid.DomainBareJid;
import org.jxmpp.jid.EntityBareJid;
import javax.security.auth.callback.CallbackHandler;
@ -34,9 +35,9 @@ import javax.security.auth.callback.CallbackHandler;
* <li>{@link #getName()} -- returns the common name of the SASL mechanism.</li>
* </ul>
* Subclasses will likely want to implement their own versions of these methods:
* <li>{@link #authenticate(String, String, DomainBareJid, String)} -- Initiate authentication stanza using the
* <li>{@link #authenticate(String, String, DomainBareJid, String, EntityBareJid)} -- Initiate authentication stanza using the
* deprecated method.</li>
* <li>{@link #authenticate(String, DomainBareJid, CallbackHandler)} -- Initiate authentication stanza
* <li>{@link #authenticate(String, DomainBareJid, CallbackHandler, EntityBareJid)} -- Initiate authentication stanza
* using the CallbackHandler method.</li>
* <li>{@link #challengeReceived(String, boolean)} -- Handle a challenge from the server.</li>
* </ul>
@ -102,6 +103,12 @@ public abstract class SASLMechanism implements Comparable<SASLMechanism> {
*/
protected String authenticationId;
/**
* The authorization identifier (authzid).
* This is always a bare Jid, but can be null.
*/
protected EntityBareJid authorizationId;
/**
* The name of the XMPP service
*/
@ -116,7 +123,7 @@ public abstract class SASLMechanism implements Comparable<SASLMechanism> {
/**
* Builds and sends the <tt>auth</tt> stanza to the server. Note that this method of
* authentication is not recommended, since it is very inflexible. Use
* {@link #authenticate(String, DomainBareJid, CallbackHandler)} whenever possible.
* {@link #authenticate(String, DomainBareJid, CallbackHandler, EntityBareJid)} whenever possible.
*
* Explanation of auth stanza:
*
@ -149,24 +156,27 @@ public abstract class SASLMechanism implements Comparable<SASLMechanism> {
* called "mail3.example.com"; it's "serv-name" would be "example.com", it's "host" would be
* "mail3.example.com". If the service is not replicated, or the serv-name is identical to
* the host, then the serv-name component MUST be omitted
*
* digest-uri verification is needed for ejabberd 2.0.3 and higher
*
*
* digest-uri verification is needed for ejabberd 2.0.3 and higher
*
* @param username the username of the user being authenticated.
* @param host the hostname where the user account resides.
* @param serviceName the xmpp service location - used by the SASL client in digest-uri creation
* serviceName format is: host [ "/" serv-name ] as per RFC-2831
* @param password the password for this account.
* @param authzid the optional authorization identity.
* @throws SmackException If a network error occurs while authenticating.
* @throws NotConnectedException
* @throws InterruptedException
*/
public final void authenticate(String username, String host, DomainBareJid serviceName, String password)
public final void authenticate(String username, String host, DomainBareJid serviceName, String password, EntityBareJid authzid)
throws SmackException, NotConnectedException, InterruptedException {
this.authenticationId = username;
this.host = host;
this.serviceName = serviceName;
this.password = password;
this.authorizationId = authzid;
assert(authorizationId == null || authzidSupported());
authenticateInternal();
authenticate();
}
@ -184,14 +194,17 @@ public abstract class SASLMechanism implements Comparable<SASLMechanism> {
* @param host the hostname where the user account resides.
* @param serviceName the xmpp service location
* @param cbh the CallbackHandler to obtain user information.
* @param authzid the optional authorization identity.
* @throws SmackException
* @throws NotConnectedException
* @throws InterruptedException
*/
public void authenticate(String host, DomainBareJid serviceName, CallbackHandler cbh)
public void authenticate(String host, DomainBareJid serviceName, CallbackHandler cbh, EntityBareJid authzid)
throws SmackException, NotConnectedException, InterruptedException {
this.host = host;
this.serviceName = serviceName;
this.authorizationId = authzid;
assert(authorizationId == null || authzidSupported());
authenticateInternal(cbh);
authenticate();
}
@ -283,6 +296,10 @@ public abstract class SASLMechanism implements Comparable<SASLMechanism> {
return saslMechansim;
}
public boolean authzidSupported() {
return false;
}
protected abstract SASLMechanism newInstance();
protected static byte[] toBytes(String string) {

18
smack-core/src/main/java/org/jivesoftware/smack/sasl/core/SCRAMSHA1Mechanism.java
View file

@ -38,7 +38,6 @@ public class SCRAMSHA1Mechanism extends SASLMechanism {
public static final String NAME = "SCRAM-SHA-1";
private static final int RANDOM_ASCII_BYTE_COUNT = 32;
private static final String DEFAULT_GS2_HEADER = "n,,";
private static final byte[] CLIENT_KEY_BYTES = toBytes("Client Key");
private static final byte[] SERVER_KEY_BYTES = toBytes("Server Key");
private static final byte[] ONE = new byte[] { 0, 0, 0, 1 };
@ -77,7 +76,7 @@ public class SCRAMSHA1Mechanism extends SASLMechanism {
clientRandomAscii = getRandomAscii();
String saslPrepedAuthcId = saslPrep(authenticationId);
clientFirstMessageBare = "n=" + escape(saslPrepedAuthcId) + ",r=" + clientRandomAscii;
String clientFirstMessage = DEFAULT_GS2_HEADER + clientFirstMessageBare;
String clientFirstMessage = getGS2Header() + clientFirstMessageBare;
state = State.AUTH_TEXT_SENT;
return toBytes(clientFirstMessage);
}
@ -105,6 +104,11 @@ public class SCRAMSHA1Mechanism extends SASLMechanism {
}
}
@Override
public boolean authzidSupported() {
return true;
}
@Override
protected byte[] evaluateChallenge(byte[] challenge) throws SmackException {
final String challengeString = new String(challenge);
@ -148,7 +152,7 @@ public class SCRAMSHA1Mechanism extends SASLMechanism {
// Parsing and error checking is done, we can now begin to calculate the values
// First the client-final-message-without-proof
String clientFinalMessageWithoutProof = "c=" + Base64.encode(DEFAULT_GS2_HEADER) + ",r=" + rvalue;
String clientFinalMessageWithoutProof = "c=" + Base64.encode(getGS2Header()) + ",r=" + rvalue;
// AuthMessage := client-first-message-bare + "," + server-first-message + "," +
// client-final-message-without-proof
@ -209,6 +213,14 @@ public class SCRAMSHA1Mechanism extends SASLMechanism {
return null;
}
private final String getGS2Header() {
String authzidPortion = "";
if (authorizationId != null) {
authzidPortion = "a=" + authorizationId;
}
return "n," + authzidPortion + ",";
}
private static Map<Character, String> parseAttributes(String string) throws SmackException {
if (string.length() == 0) {
return Collections.emptyMap();

17
smack-core/src/test/java/org/jivesoftware/smack/sasl/DigestMd5SaslTest.java
View file

@ -27,6 +27,7 @@ import org.jivesoftware.smack.SmackException.NotConnectedException;
import org.jivesoftware.smack.util.StringUtils;
import org.jxmpp.jid.impl.JidCreate;
import org.jxmpp.stringprep.XmppStringprepException;
import org.jxmpp.jid.EntityBareJid;
public class DigestMd5SaslTest extends AbstractSaslTest {
@ -37,9 +38,12 @@ public class DigestMd5SaslTest extends AbstractSaslTest {
super(saslMechanism);
}
protected void runTest() throws NotConnectedException, SmackException, InterruptedException, XmppStringprepException {
saslMechanism.authenticate("florian", "irrelevant", JidCreate.domainBareFrom("xmpp.org"), "secret");
protected void runTest(boolean useAuthzid) throws NotConnectedException, SmackException, InterruptedException, XmppStringprepException {
EntityBareJid authzid = null;
if (useAuthzid) {
authzid = JidCreate.entityBareFrom("shazbat@xmpp.org");
}
saslMechanism.authenticate("florian", "irrelevant", JidCreate.domainBareFrom("xmpp.org"), "secret", authzid);
byte[] response = saslMechanism.evaluateChallenge(challengeBytes);
String responseString = new String(response);
String[] responseParts = responseString.split(",");
@ -51,6 +55,11 @@ public class DigestMd5SaslTest extends AbstractSaslTest {
String value = keyValue[1].replace("\"", "");
responsePairs.put(key, value);
}
if (useAuthzid) {
assertMapValue("authzid", "shazbat@xmpp.org", responsePairs);
} else {
assert(!responsePairs.containsKey("authzid"));
}
assertMapValue("username", "florian", responsePairs);
assertMapValue("realm", "xmpp.org", responsePairs);
assertMapValue("digest-uri", "xmpp/xmpp.org", responsePairs);
@ -58,6 +67,6 @@ public class DigestMd5SaslTest extends AbstractSaslTest {
}
private static void assertMapValue(String key, String value, Map<String, String> map) {
assertEquals(map.get(key), value);
assertEquals(value, map.get(key));
}
}

2
smack-core/src/test/java/org/jivesoftware/smack/sasl/core/SCRAMSHA1MechanismTest.java
View file

@ -48,7 +48,7 @@ public class SCRAMSHA1MechanismTest extends SmackTestSuite {
}
};
mech.authenticate(USERNAME, "unusedFoo", JidTestUtil.DOMAIN_BARE_JID_1, PASSWORD);
mech.authenticate(USERNAME, "unusedFoo", JidTestUtil.DOMAIN_BARE_JID_1, PASSWORD, null);
AuthMechanism authMechanism = con.getSentPacket();
assertEquals(SCRAMSHA1Mechanism.NAME, authMechanism.getMechanism());
assertEquals(CLIENT_FIRST_MESSAGE, saslLayerString(authMechanism.getAuthenticationText()));

5
smack-sasl-javax/src/main/java/org/jivesoftware/smack/sasl/javax/SASLDigestMD5Mechanism.java
View file

@ -25,6 +25,11 @@ public class SASLDigestMD5Mechanism extends SASLJavaXMechanism {
public static final String NAME = DIGESTMD5;
@Override
public boolean authzidSupported() {
return true;
}
public String getName() {
return NAME;
}

5
smack-sasl-javax/src/main/java/org/jivesoftware/smack/sasl/javax/SASLExternalMechanism.java
View file

@ -46,6 +46,11 @@ public class SASLExternalMechanism extends SASLJavaXMechanism {
public static final String NAME = EXTERNAL;
@Override
public boolean authzidSupported() {
return true;
}
@Override
public String getName() {
return EXTERNAL;

5
smack-sasl-javax/src/main/java/org/jivesoftware/smack/sasl/javax/SASLGSSAPIMechanism.java
View file

@ -34,6 +34,11 @@ public class SASLGSSAPIMechanism extends SASLJavaXMechanism {
System.setProperty("java.security.auth.login.config","gss.conf");
}
@Override
public boolean authzidSupported() {
return true;
}
@Override
public String getName() {
return NAME;

6
smack-sasl-javax/src/main/java/org/jivesoftware/smack/sasl/javax/SASLJavaXMechanism.java
View file

@ -53,8 +53,12 @@ public abstract class SASLJavaXMechanism extends SASLMechanism {
throws SmackException {
String[] mechanisms = { getName() };
Map<String, String> props = getSaslProps();
String authzid = null;
if (authorizationId != null) {
authzid = authorizationId.toString();
}
try {
sc = Sasl.createSaslClient(mechanisms, null, "xmpp", getServerName().toString(), props,
sc = Sasl.createSaslClient(mechanisms, authzid, "xmpp", getServerName().toString(), props,
new CallbackHandler() {
@Override
public void handle(Callback[] callbacks) throws IOException,

5
smack-sasl-javax/src/main/java/org/jivesoftware/smack/sasl/javax/SASLPlainMechanism.java
View file

@ -29,6 +29,11 @@ public class SASLPlainMechanism extends SASLJavaXMechanism {
return NAME;
}
@Override
public boolean authzidSupported() {
return true;
}
@Override
public int getPriority() {
return 400;

7
smack-sasl-javax/src/test/java/org/jivesoftware/smack/sasl/javax/SASLDigestMD5Test.java
View file

@ -30,6 +30,11 @@ public class SASLDigestMD5Test extends DigestMd5SaslTest {
@Test
public void testDigestMD5() throws NotConnectedException, SmackException, InterruptedException, XmppStringprepException {
runTest();
runTest(false);
}
@Test
public void testDigestMD5Authzid() throws NotConnectedException, SmackException, InterruptedException, XmppStringprepException {
runTest(true);
}
}

12
smack-sasl-provided/src/main/java/org/jivesoftware/smack/sasl/provided/SASLDigestMD5Mechanism.java
View file

@ -83,6 +83,11 @@ public class SASLDigestMD5Mechanism extends SASLMechanism {
return new SASLDigestMD5Mechanism();
}
@Override
public boolean authzidSupported() {
return true;
}
@Override
public void checkIfSuccessfulOrThrow() throws SmackException {
@ -141,7 +146,14 @@ public class SASLDigestMD5Mechanism extends SASLMechanism {
String responseValue = calcResponse(DigestType.ClientResponse);
// @formatter:off
// See RFC 2831 2.1.2 digest-response
String authzid;
if (authorizationId == null) {
authzid = "";
} else {
authzid = ",authzid=\"" + authorizationId + '"';
}
String saslString = "username=\"" + authenticationId + '"'
+ authzid
+ ",realm=\"" + serviceName + '"'
+ ",nonce=\"" + nonce + '"'
+ ",cnonce=\"" + cnonce + '"'

9
smack-sasl-provided/src/main/java/org/jivesoftware/smack/sasl/provided/SASLExternalMechanism.java
View file

@ -40,6 +40,10 @@ public class SASLExternalMechanism extends SASLMechanism {
@Override
protected byte[] getAuthenticationText() throws SmackException {
if (authorizationId != null) {
return toBytes(authorizationId.toString());
}
if (StringUtils.isNullOrEmpty(authenticationId)) {
return null;
}
@ -67,4 +71,9 @@ public class SASLExternalMechanism extends SASLMechanism {
// No check performed
}
@Override
public boolean authzidSupported() {
return true;
}
}

13
smack-sasl-provided/src/main/java/org/jivesoftware/smack/sasl/provided/SASLPlainMechanism.java
View file

@ -34,7 +34,13 @@ public class SASLPlainMechanism extends SASLMechanism {
@Override
protected byte[] getAuthenticationText() throws SmackException {
// concatenate and encode username (authcid) and password
byte[] authcid = toBytes('\u0000' + authenticationId);
String authzid;
if (authorizationId == null) {
authzid = "";
} else {
authzid = authorizationId.toString();
}
byte[] authcid = toBytes(authzid + '\u0000' + authenticationId);
byte[] passw = toBytes('\u0000' + password);
return ByteUtils.concact(authcid, passw);
@ -59,4 +65,9 @@ public class SASLPlainMechanism extends SASLMechanism {
public void checkIfSuccessfulOrThrow() throws SmackException {
// No check performed
}
@Override
public boolean authzidSupported() {
return true;
}
}

7
smack-sasl-provided/src/test/java/org/jivesoftware/smack/sasl/provided/SASLDigestMD5Test.java
View file

@ -29,6 +29,11 @@ public class SASLDigestMD5Test extends DigestMd5SaslTest {
@Test
public void testDigestMD5() throws NotConnectedException, SmackException, InterruptedException, XmppStringprepException {
runTest();
runTest(false);
}
@Test
public void testDigestMD5Authzid() throws NotConnectedException, SmackException, InterruptedException, XmppStringprepException {
runTest(true);
}
}

2
smack-tcp/src/main/java/org/jivesoftware/smack/tcp/XMPPTCPConnection.java
View file

@ -376,7 +376,7 @@ public class XMPPTCPConnection extends AbstractXMPPConnection {
protected synchronized void loginInternal(String username, String password, Resourcepart resource) throws XMPPException,
SmackException, IOException, InterruptedException {
// Authenticate using SASL
saslAuthentication.authenticate(username, password);
saslAuthentication.authenticate(username, password, config.getAuthzid());
// If compression is enabled then request the server to use stream compression. XEP-170
// recommends to perform stream compression before resource binding.