gsaslserverbasic_native.cpp
Go to the documentation of this file.
1 //
2 // Copyright (C) 2001-2013 Graeme Walker <graeme_walker@users.sourceforge.net>
3 //
4 // This program is free software: you can redistribute it and/or modify
5 // it under the terms of the GNU General Public License as published by
6 // the Free Software Foundation, either version 3 of the License, or
7 // (at your option) any later version.
8 //
9 // This program is distributed in the hope that it will be useful,
10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 // GNU General Public License for more details.
13 //
14 // You should have received a copy of the GNU General Public License
15 // along with this program. If not, see <http://www.gnu.org/licenses/>.
16 // ===
17 //
18 // gsaslserverbasic_native.cpp
19 //
20 
21 #include "gdef.h"
22 #include "gnet.h"
23 #include "gauth.h"
24 #include "glocal.h"
25 #include "gsaslserverbasic.h"
26 #include "gmd5.h"
27 #include "gstr.h"
28 #include "gdatetime.h"
29 #include "gdebug.h"
30 #include <sstream>
31 #include <cstdlib> // std::rand()
32 
33 namespace
34 {
35  const char * login_challenge_1 = "Username:" ;
36  const char * login_challenge_2 = "Password:" ;
37 }
38 
43 {
44 public:
45  bool m_first ;
47  std::string m_mechanisms ;
48  std::string m_mechanism ;
49  std::string m_challenge ;
51  std::string m_id ;
52  std::string m_trustee ;
57 
58 public:
59  SaslServerBasicImp( const SaslServer::Secrets & , bool , bool ) ;
60  bool init( const std::string & mechanism ) ;
61  bool validate( const std::string & secret , const std::string & response ) const ;
62  bool trusted( GNet::Address ) const ;
63  bool trustedCore( const std::string & , const std::string & ) const ;
64  std::string mechanisms( const std::string & ) const ;
65  static std::string cramDigest( const std::string & secret , const std::string & challenge ) ;
66  static std::string digest( const std::string & secret , const std::string & challenge ) ;
67 } ;
68 
69 // ===
70 
71 GAuth::SaslServerBasicImp::SaslServerBasicImp( const SaslServer::Secrets & secrets , bool , bool force_one ) :
72  m_first(true) ,
73  m_secrets(secrets) ,
74  m_authenticated(false) ,
75  m_advertise_login(false) ,
76  m_advertise_plain(false) ,
77  m_advertise_cram_md5(false) ,
78  m_advertise_force_one(force_one)
79 {
80  // only advertise mechanisms that appear in the secrets file
82  m_advertise_plain = m_secrets.contains("LOGIN") || m_secrets.contains("PLAIN") ;
84  if( force_one && !m_advertise_login && !m_advertise_cram_md5 && !m_advertise_plain )
85  {
86  m_advertise_login = true ;
87  }
88 }
89 
90 std::string GAuth::SaslServerBasicImp::mechanisms( const std::string & sep ) const
91 {
92  G::Strings m ;
93  if( m_advertise_login ) m.push_back( "LOGIN" ) ;
94  if( m_advertise_plain ) m.push_back( "PLAIN" ) ;
95  if( m_advertise_cram_md5 ) m.push_back( "CRAM-MD5" ) ;
96  return G::Str::join( m , sep ) ;
97 }
98 
99 bool GAuth::SaslServerBasicImp::init( const std::string & mechanism )
100 {
101  m_authenticated = false ;
102  m_id.erase() ;
103  m_trustee.erase() ;
104  m_first = true ;
105  m_challenge.erase() ;
106  m_mechanism.erase() ;
107 
108  if( mechanism == "LOGIN" || mechanism == "PLAIN" )
109  {
110  m_mechanism = mechanism ;
111  return true ;
112  }
113  else if( mechanism == "CRAM-MD5" || mechanism == "APOP" )
114  {
115  m_mechanism = mechanism ;
116  std::ostringstream ss ;
117  ss << "<" << std::rand() << "." << G::DateTime::now() << "@" << GNet::Local::fqdn() << ">" ;
118  m_challenge = ss.str() ;
119  return true ;
120  }
121  else
122  {
123  return false ;
124  }
125 }
126 
127 bool GAuth::SaslServerBasicImp::validate( const std::string & secret , const std::string & response ) const
128 {
129  bool ok = false ;
130  try
131  {
132  G_ASSERT( m_mechanism == "CRAM-MD5" || m_mechanism == "APOP" ) ;
133  bool cram = m_mechanism == "CRAM-MD5" ;
134  std::string hash = cram ? cramDigest(secret,m_challenge) : digest(secret,m_challenge) ;
135  ok = response == hash ;
136  }
137  catch( std::exception & e )
138  {
139  std::string what = e.what() ;
140  G_DEBUG( "GAuth::SaslServer: exception: " << what ) ;
141  }
142  return ok ;
143 }
144 
145 std::string GAuth::SaslServerBasicImp::cramDigest( const std::string & secret , const std::string & challenge )
146 {
147  return G::Md5::printable(G::Md5::hmac(secret,challenge,G::Md5::Masked())) ;
148 }
149 
150 std::string GAuth::SaslServerBasicImp::digest( const std::string & secret , const std::string & challenge )
151 {
152  return G::Md5::printable(G::Md5::digest(challenge,secret)) ;
153 }
154 
156 {
157  G_DEBUG( "GAuth::SaslServerBasicImp::trusted: \"" << address.displayString(false) << "\"" ) ;
158  G::Strings wc = address.wildcards() ;
159  for( G::Strings::iterator p = wc.begin() ; p != wc.end() ; ++p )
160  {
161  if( trustedCore(*p,address.displayString(false)) )
162  return true ;
163  }
164  return false ;
165 }
166 
167 bool GAuth::SaslServerBasicImp::trustedCore( const std::string & secrets_key ,
168  const std::string & address_to_log ) const
169 {
170  G_DEBUG( "GAuth::SaslServerBasicImp::trustedCore: \"" << secrets_key << "\", \"" << address_to_log << "\"" ) ;
171  std::string secret = m_secrets.secret("NONE",secrets_key) ;
172  bool trusted = ! secret.empty() ;
173  if( trusted )
174  {
175  G_LOG( "GAuth::SaslServer::trusted: trusting \"" << address_to_log << "\" "
176  << "(matched on NONE/server/" << secrets_key << ")" ) ;
177  const_cast<SaslServerBasicImp*>(this)->m_trustee = secret ;
178  }
179  return trusted ;
180 }
181 
182 // ===
183 
184 std::string GAuth::SaslServerBasic::mechanisms( char c ) const
185 {
186  return m_imp->mechanisms( std::string(1U,c) ) ;
187 }
188 
190 {
191  return m_imp->m_mechanism ;
192 }
193 
195 {
196  G_DEBUG( "GAuth::SaslServer::trusted: checking \"" << a.displayString(false) << "\"" ) ;
197  return m_imp->trusted(a) ;
198 }
199 
200 GAuth::SaslServerBasic::SaslServerBasic( const Secrets & secrets , bool strict , bool force_one ) :
201  m_imp(new SaslServerBasicImp(secrets,strict,force_one))
202 {
203 }
204 
206 {
207  return m_imp->m_secrets.valid() ;
208 }
209 
211 {
212  delete m_imp ;
213 }
214 
216 {
217  return m_imp->m_mechanism == "CRAM-MD5" || m_imp->m_mechanism == "APOP" ;
218 }
219 
220 bool GAuth::SaslServerBasic::init( const std::string & mechanism )
221 {
222  bool rc = m_imp->init( mechanism ) ;
223  G_DEBUG( "GAuth::SaslServerBasic::init: \"" << mechanism << "\" -> \"" << m_imp->m_mechanism << "\"" ) ;
224  return rc ;
225 }
226 
228 {
229  std::string m = m_imp->m_mechanism ;
230  if( m == "LOGIN" )
231  return login_challenge_1 ;
232  else if( m == "PLAIN" )
233  return std::string() ;
234  else
235  return m_imp->m_challenge ;
236 }
237 
238 std::string GAuth::SaslServerBasic::apply( const std::string & response , bool & done )
239 {
240  done = false ;
241  std::string next_challenge ;
242  if( m_imp->m_mechanism == "CRAM-MD5" || m_imp->m_mechanism == "APOP" )
243  {
244  G_DEBUG( "GAuth::SaslServerBasic::apply: response: \"" << response << "\"" ) ;
245  G::Strings part_list ;
246  G::Str::splitIntoTokens( response , part_list , " " ) ;
247  if( part_list.size() == 2U )
248  {
249  m_imp->m_id = part_list.front() ;
250  std::string response_tail = part_list.back() ;
251 
252  G_DEBUG( "GAuth::SaslServerBasic::apply: id \"" << m_imp->m_id << "\"" ) ;
253  std::string secret = m_imp->m_secrets.secret(m_imp->m_mechanism,m_imp->m_id) ;
254  if( secret.empty() )
255  {
256  G_WARNING( "GAuth::SaslServerBasic::apply: no " << m_imp->m_mechanism
257  << " authentication secret available for \"" << m_imp->m_id << "\"" ) ;
258  m_imp->m_authenticated = false ;
259  }
260  else
261  {
262  m_imp->m_authenticated = m_imp->validate( secret , response_tail ) ;
263  }
264  }
265  else
266  {
267  G_WARNING( "GAuth::SaslServerBasic::apply: invalid authentication response" ) ;
268  }
269  done = true ;
270  }
271  else if( m_imp->m_mechanism == "PLAIN" )
272  {
273  G_DEBUG( "GAuth::SaslServerBasic::apply: response: \"" << G::Str::printable(response) << "\"" ) ;
274  std::string sep( 1U , '\0' ) ;
275  std::string s = G::Str::tail( response , response.find(sep) , std::string() ) ;
276  std::string id = G::Str::head( s , s.find(sep) , std::string() ) ;
277  std::string pwd = G::Str::tail( s , s.find(sep) , std::string() ) ;
278  std::string secret = m_imp->m_secrets.secret("PLAIN",id).empty() ?
279  m_imp->m_secrets.secret("LOGIN",id) : m_imp->m_secrets.secret("PLAIN",id) ;
280 
281  m_imp->m_id = id ;
282  m_imp->m_authenticated = !id.empty() && !pwd.empty() && pwd == secret ;
283  done = true ;
284  }
285  else if( m_imp->m_first ) // LOGIN username
286  {
287  G_ASSERT( m_imp->m_mechanism == "LOGIN" ) ;
288  G_DEBUG( "GAuth::SaslServerBasic::apply: response: \"" << G::Str::printable(response) << "\"" ) ;
289  m_imp->m_first = false ;
290  m_imp->m_id = response ;
291  if( !m_imp->m_id.empty() )
292  next_challenge = login_challenge_2 ;
293  }
294  else // LOGIN password
295  {
296  G_ASSERT( m_imp->m_mechanism == "LOGIN" ) ;
297  G_DEBUG( "GAuth::SaslServerBasic::apply: response: \"[password not logged]\"" ) ;
298  std::string secret = m_imp->m_secrets.secret(m_imp->m_mechanism,m_imp->m_id) ;
299  m_imp->m_first = true ;
300  m_imp->m_authenticated = !response.empty() && response == secret ;
301  done = true ;
302  }
303 
304  if( ! done )
305  {
306  G_DEBUG( "GAuth::SaslServerBasic::apply: challenge \"" << next_challenge << "\"" ) ;
307  }
308 
309  return next_challenge ;
310 }
311 
313 {
314  return m_imp->m_authenticated ;
315 }
316 
317 std::string GAuth::SaslServerBasic::id() const
318 {
319  return m_imp->m_authenticated ? m_imp->m_id : m_imp->m_trustee ;
320 }
321 
323 {
324  return false ;
325 }
326 
G::Strings wildcards() const
Returns an ordered list of wildcard strings that match this address.
virtual std::string mechanism() const
Final override from GAuth::SaslServer.
static EpochTime now()
Returns the current epoch time.
Definition: gdatetime.cpp:34
An overload discriminator for G::Md5::hmac()
Definition: gmd5.h:43
static std::string printable(const std::string &in, char escape= '\\')
Returns a printable represention of the given input string.
Definition: gstr.cpp:507
bool validate(const std::string &secret, const std::string &response) const
virtual bool init(const std::string &mechanism)
Final override from GAuth::SaslServer.
virtual ~SaslServerBasic()
Destructor.
std::list< std::string > Strings
A std::list of std::strings.
Definition: gstrings.h:39
virtual bool requiresEncryption() const
Final override from GAuth::SaslServer.
The Address class encapsulates an IP transport address.
Definition: gaddress.h:48
static std::string fqdn()
Returns the fully-qualified-domain-name.
Definition: glocal.cpp:67
static void splitIntoTokens(const std::string &in, Strings &out, const std::string &ws)
Splits the string into 'ws'-delimited tokens.
Definition: gstr.cpp:714
virtual std::string initialChallenge() const
Final override from GAuth::SaslServer.
virtual std::string apply(const std::string &response, bool &done)
Final override from GAuth::SaslServer.
static std::string digest(const std::string &secret, const std::string &challenge)
static std::string tail(const std::string &in, std::string::size_type pos, const std::string &default_=std::string())
Returns the last part of the string after the given position.
Definition: gstr.cpp:842
SaslServerBasic(const Secrets &, bool ignored, bool force_one_mechanism)
Constructor.
bool init(const std::string &mechanism)
std::string mechanisms(const std::string &) const
static std::string hmac(const std::string &key, const std::string &input)
Computes a Hashed Message Authentication Code using MD5 as the hash function.
#define G_ASSERT(test)
Definition: gassert.h:30
std::string displayString(bool with_port=true, bool with_scope_id=false) const
Returns a string which represents the address for debugging and diagnostics purposes.
static std::string head(const std::string &in, std::string::size_type pos, const std::string &default_=std::string())
Returns the first part of the string up to just before the given position.
Definition: gstr.cpp:834
virtual bool authenticated() const
Final override from GAuth::SaslServer.
A private pimple-pattern implementation class used by GAuth::SaslServerBasic.
#define G_LOG(expr)
Definition: glog.h:98
const SaslServer::Secrets & m_secrets
#define G_DEBUG(expr)
Definition: glog.h:95
static std::string digest(const std::string &input)
Creates an MD5 digest.
bool trusted(GNet::Address) const
static std::string cramDigest(const std::string &secret, const std::string &challenge)
virtual std::string id() const
Final override from GAuth::SaslServer.
virtual bool contains(const std::string &mechanism) const =0
SaslServerBasicImp(const SaslServer::Secrets &, bool, bool)
virtual bool mustChallenge() const
Final override from GAuth::SaslServer.
bool trustedCore(const std::string &, const std::string &) const
virtual bool trusted(GNet::Address) const
Final override from GAuth::SaslServer.
An interface used by GAuth::SaslServer to obtain authentication secrets.
Definition: gsaslserver.h:81
virtual std::string mechanisms(char sep= ' ') const
Final override from GAuth::SaslServer.
virtual bool active() const
Final override from GAuth::SaslServer.
static std::string join(const Strings &strings, const std::string &sep)
Concatenates a set of strings.
Definition: gstr.cpp:799
static std::string printable(const std::string &input)
Converts a binary string into a printable form, using a lowercase hexadecimal encoding.
#define G_WARNING(expr)
Definition: glog.h:107