E-MailRelay
GAuth::SaslServer Class Reference (abstract)

An interface for implementing the server-side SASL challenge/response concept. More...

#include <gsaslserver.h>

Inheritance diagram for GAuth::SaslServer: (image omitted)

Public Member Functions

virtual ~SaslServer ()=default
 Destructor.

virtual bool requiresEncryption () const =0
 Returns true if the implementation requires that the challenge/response dialog should only take place over an encrypted transport.

virtual bool active () const =0
 Returns true if the constructor's "secrets" object was valid.

virtual std::string mechanisms (char space_separator) const =0
 Returns a list of supported, standard mechanisms that can be advertised to the client.

virtual bool init (const std::string &mechanism)=0
 Initialiser.

virtual std::string mechanism () const =0
 Returns the mechanism, as passed to the last init() call to return true.

virtual bool mustChallenge () const =0
 Returns true if authentication using the current mechanism must always start with a non-empty server challenge, i.e. it is a "server-first" mechanism.

virtual std::string initialChallenge () const =0
 Returns the possibly-empty initial server challenge.

virtual std::string apply (const std::string &response, bool &done)=0
 Applies the client response and returns the next challenge and a 'done' flag by reference.

virtual bool authenticated () const =0
 Returns true if authenticated successfully.

virtual std::string id () const =0
 Returns the authenticated or trusted identity.

virtual bool trusted (const GNet::Address &) const =0
 Returns true if a trusted client that does not need to authenticate.


Detailed Description

An interface for implementing the server-side SASL challenge/response concept.

In practice there is one derived class for basic authentication mechanisms using a secrets file, and another for PAM.

Usage:

    SaslServer sasl( secrets ) ; // in practice one of the concrete derived classes
    peer.advertise( sasl.mechanisms(' ') ) ;
    if( sasl.init(peer.preferred()) )
    {
        // an initial response from the client is a protocol error for a server-first mechanism
        if( peer.haveInitialResponse() && sasl.mustChallenge() ) throw ProtocolError() ;
        bool done = false ;
        std::string challenge = peer.haveInitialResponse() ?
            sasl.apply(peer.initialResponse(),done) : sasl.initialChallenge() ;
        while( !done )
        {
            peer.send( challenge ) ;
            std::string response = peer.receive() ;
            challenge = sasl.apply( response , done ) ;
        }
        bool ok = sasl.authenticated() ; // only meaningful once 'done' has been set
    }
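The dialog above driven end-to-end, as an added example that is not E-MailRelay code: a reduced stand-in for the SaslServer interface that implements only the client-first "PLAIN" mechanism (so mustChallenge() is false and initialChallenge() is empty), plus a runDialog() that replays the Usage loop against a constructed list of client responses. The class name, the in-memory secrets map and the sample credentials are all assumptions made for the example.

```cpp
#include <map>
#include <string>
#include <vector>
// Reduced stand-in for GAuth::SaslServer that speaks only PLAIN (RFC 4616); the
// secrets table is a constructed in-memory map, not the project's secrets file.
class PlainSaslServer {
public:
    explicit PlainSaslServer( const std::map<std::string,std::string> & secrets ) : m_secrets(secrets) {}
    bool mustChallenge() const { return false ; }        // PLAIN is client-first, not server-first
    std::string initialChallenge() const { return "" ; } // so the initial challenge is empty
    bool authenticated() const { return m_ok ; }
    std::string id() const { return m_ok ? m_id : std::string() ; }
    // One client response settles PLAIN, so 'done' is set on the first apply().
    std::string apply( const std::string & response , bool & done ) {
        done = true ; m_ok = false ; m_id.clear() ;
        std::vector<std::string> f = splitNul( response ) ; // [authzid] NUL authcid NUL passwd
        if( f.size() != 3 || f[1].empty() ) return "" ;     // malformed: fail closed
        std::map<std::string,std::string>::const_iterator p = m_secrets.find( f[1] ) ;
        if( p == m_secrets.end() || !ctEqual( p->second , f[2] ) ) return "" ;
        if( !f[0].empty() && f[0] != f[1] ) return "" ;    // reject impersonation via authzid
        m_ok = true ; m_id = f[1] ;
        return "" ; // nothing further to send
    }
private:
    static std::vector<std::string> splitNul( const std::string & s ) {
        std::vector<std::string> out( 1 ) ;
        for( char c : s ) { if( c == '\0' ) out.push_back( "" ) ; else out.back() += c ; }
        return out ;
    }
    static bool ctEqual( const std::string & a , const std::string & b ) { // constant-time compare
        unsigned char diff = a.size() != b.size() ;
        for( std::string::size_type i = 0 ; i < a.size() && i < b.size() ; i++ )
            diff |= static_cast<unsigned char>( a[i] ^ b[i] ) ;
        return diff == 0 ;
    }
    std::map<std::string,std::string> m_secrets ;
    std::string m_id ; bool m_ok = false ;
} ;
// Drives the dialog as in the Usage section, with the client's responses taken
// from a constructed list instead of a socket. Returns the authenticated id or "".
std::string runDialog( PlainSaslServer & sasl , const std::vector<std::string> & responses , bool haveInitialResponse ) {
    if( haveInitialResponse && sasl.mustChallenge() ) return "" ; // ProtocolError in the original
    std::string::size_type next = 0 ; bool done = false ;
    std::string challenge = haveInitialResponse ? sasl.apply( responses.at(next++) , done ) : sasl.initialChallenge() ;
    while( !done ) { // "peer.send(challenge)" would go here, then the client's reply is applied
        if( next >= responses.size() ) return "" ; // client went away mid-dialog: not authenticated
        challenge = sasl.apply( responses[next++] , done ) ;
    }
    return sasl.authenticated() ? sasl.id() : std::string() ;
}
```

Both entry paths of the Usage loop are exercised: with an initial response the first apply() happens before the loop, and without one the empty initial challenge is "sent" and the loop waits for the client's single PLAIN response.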
See also
GAuth::SaslClient, RFC-2554, RFC-4422

Definition at line 66 of file gsaslserver.h.

Member Function Documentation

◆ active()

virtual bool GAuth::SaslServer::active () const [pure virtual]

Returns true if the constructor's "secrets" object was valid.

See also Secrets::valid().

◆ apply()

virtual std::string GAuth::SaslServer::apply (const std::string &response, bool &done) [pure virtual]

Applies the client response and returns the next challenge and a 'done' flag by reference.

Note that some mechanisms generate an extra round-trip even after the authentication status has been settled. In this case the 'done' flag is set true only when the final empty response from the client is passed to apply().

◆ authenticated()

virtual bool GAuth::SaslServer::authenticated () const [pure virtual]

Returns true if authenticated successfully.

Precondition: apply() has returned with its 'done' flag set true.

◆ id()

virtual std::string GAuth::SaslServer::id () const [pure virtual]

Returns the authenticated or trusted identity.

Returns the empty string if not authenticated and not trusted.

◆ init()

virtual bool GAuth::SaslServer::init (const std::string &mechanism) [pure virtual]

Initialiser.

Returns true if the mechanism is in the mechanisms() list, or if it is some other supported mechanism (like "APOP") that the derived-class object allows implicitly. May be used more than once. The initialChallenge() is re-initialised on each successful init().

◆ mechanisms()

virtual std::string GAuth::SaslServer::mechanisms (char space_separator) const [pure virtual]

Returns a list of supported, standard mechanisms that can be advertised to the client.

Some mechanisms (like "APOP") may be accepted by init() even though they are not advertised.

◆ mustChallenge()

virtual bool GAuth::SaslServer::mustChallenge () const [pure virtual]

Returns true if authentication using the current mechanism must always start with a non-empty server challenge, i.e. it is a "server-first" mechanism as per RFC-4422.

Returns false for the "LOGIN" mechanism since the initial challenge ("Username:") is not essential, i.e. it is a "variable" mechanism.

The server should call initialChallenge() to decide whether to send an initial challenge; this method is only to stop a client providing an initial response before an initial challenge has been sent.
