#-- # # Author:: Francis Cianfrocca (gmail: blackhedd) # Homepage:: http://rubyeventmachine.com # Date:: 15 November 2006 # # See EventMachine and EventMachine::Connection for documentation and # usage examples. # #---------------------------------------------------------------------------- # # Copyright (C) 2006-07 by Francis Cianfrocca. All Rights Reserved. # Gmail: blackhedd # # This program is free software; you can redistribute it and/or modify # it under the terms of either: 1) the GNU General Public License # as published by the Free Software Foundation; either version 2 of the # License, or (at your option) any later version; or 2) Ruby's License. # # See the file COPYING for complete licensing information. # #--------------------------------------------------------------------------- # # # module EventMachine module Protocols # Implements SASL authd. # This is a very, very simple protocol that mimics the one used # by saslauthd and pwcheck, two outboard daemons included in the # standard SASL library distro. # The only thing this is really suitable for is SASL PLAIN # (user+password) authentication, but the SASL libs that are # linked into standard servers (like imapd and sendmail) implement # the other ones. # # SASL-auth is intended for reasonably fast operation inside a # single machine, so it has no transport-security (although there # have been multi-machine extensions incorporating transport-layer # encryption). # # The standard saslauthd module generally runs privileged and does # its work by referring to the system-account files. # # This feature was added to EventMachine to enable the development # of custom authentication/authorization engines for standard servers. # # To use SASLauth, include it in a class that subclasses EM::Connection, # and reimplement the validate method. # # The typical way to incorporate this module into an authentication # daemon would be to set it as the handler for a UNIX-domain socket. # The code might look like this: # # EM.start_unix_domain_server( "/var/run/saslauthd/mux", MyHandler ) # File.chmod( 0777, "/var/run/saslauthd/mux") # # The chmod is probably needed to ensure that unprivileged clients can # access the UNIX-domain socket. # # It's also a very good idea to drop superuser privileges (if any), after # the UNIX-domain socket has been opened. #-- # Implementation details: assume the client can send us pipelined requests, # and that the client will close the connection. # # The client sends us four values, each encoded as a two-byte length field in # network order followed by the specified number of octets. # The fields specify the username, password, service name (such as imap), # and the "realm" name. We send back the barest minimum reply, a single # field also encoded as a two-octet length in network order, followed by # either "NO" or "OK" - simplicity itself. # # We enforce a maximum field size just as a sanity check. # We do NOT automatically time out the connection. # # The code we use to parse out the values is ugly and probably slow. # Improvements welcome. # module SASLauth MaxFieldSize = 128*1024 def post_init super @sasl_data = "" @sasl_values = [] end def receive_data data @sasl_data << data while @sasl_data.length >= 2 len = (@sasl_data[0,2].unpack("n")).first raise "SASL Max Field Length exceeded" if len > MaxFieldSize if @sasl_data.length >= (len + 2) @sasl_values << @sasl_data[2,len] @sasl_data.slice!(0...(2+len)) if @sasl_values.length == 4 send_data( validate(*@sasl_values) ? "\0\002OK" : "\0\002NO" ) @sasl_values.clear end else break end end end def validate username, psw, sysname, realm p username p psw p sysname p realm true end end # Implements the SASL authd client protocol. # This is a very, very simple protocol that mimics the one used # by saslauthd and pwcheck, two outboard daemons included in the # standard SASL library distro. # The only thing this is really suitable for is SASL PLAIN # (user+password) authentication, but the SASL libs that are # linked into standard servers (like imapd and sendmail) implement # the other ones. # # You can use this module directly as a handler for EM Connections, # or include it in a module or handler class of your own. # # First connect to a SASL server (it's probably a TCP server, or more # likely a Unix-domain socket). Then call the #validate? method, # passing at least a username and a password. #validate? returns # a Deferrable which will either succeed or fail, depending # on the status of the authentication operation. # module SASLauthclient MaxFieldSize = 128*1024 def validate? username, psw, sysname=nil, realm=nil str = [username, psw, sysname, realm].map {|m| [(m || "").length, (m || "")] }.flatten.pack( "nA*" * 4 ) send_data str d = EM::DefaultDeferrable.new @queries.unshift d d end def post_init @sasl_data = "" @queries = [] end def receive_data data @sasl_data << data while @sasl_data.length > 2 len = (@sasl_data[0,2].unpack("n")).first raise "SASL Max Field Length exceeded" if len > MaxFieldSize if @sasl_data.length >= (len + 2) val = @sasl_data[2,len] @sasl_data.slice!(0...(2+len)) q = @queries.pop (val == "NO") ? q.fail : q.succeed else break end end end end end end