diff --git a/ejabberd_auth_http/COPYING b/ejabberd_auth_http/COPYING new file mode 100644 index 0000000..cc498bd --- /dev/null +++ b/ejabberd_auth_http/COPYING @@ -0,0 +1,342 @@ +As a special exception, the authors give permission to link this program +with the OpenSSL library and distribute the resulting binary. + + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. diff --git a/ejabberd_auth_http/Emakefile b/ejabberd_auth_http/Emakefile new file mode 100644 index 0000000..19c44a6 --- /dev/null +++ b/ejabberd_auth_http/Emakefile @@ -0,0 +1,2 @@ +{'../ejabberd-dev/src/gen_mod', [{outdir, "../ejabberd-dev/ebin"},{i,"../ejabberd-dev/include"}]}. +{'src/ejabberd_auth_http', [{outdir, "ebin"},{i,"../ejabberd-dev/include"}]}. diff --git a/ejabberd_auth_http/README.md b/ejabberd_auth_http/README.md new file mode 100644 index 0000000..fe61320 --- /dev/null +++ b/ejabberd_auth_http/README.md @@ -0,0 +1,193 @@ +# HTTP authentication module + +## Overview + +The purpose of this module is to connect with an external REST API and +delegate the authentication operations to it whenever possible. The +component must implement the API described in one of the next sections +for `ejabberd_auth_http` to work out of the box. + +Thanks to ejabberd design, the user base does not have to be local and +this approach allows you to avoid user base duplication, without +having to grant access to your main backend database. + +The module can be especially useful for users maintaining their own, +central user database, which is shared with other services. It fits +perfectly when client application uses custom authentication token and +ejabberd has to validate it externally. + +## Configuration + +### How to enable + +The simplest way is to just replace default `auth_method` option in +`ejabberd.cfg` with `{auth_method, http}`. + +However, enabling the module **is not enough!** Please follow +instructions below. + +### Configuration options + +`ejabberd_auth_http` requires some parameters to function +properly. The following options can be set in `auth_opts` tuple in +`ejabberd.cfg`: + +* `host` (mandatory, `string`) - consists of protocol, hostname (or IP) and port (optional). Examples: + * `{host, "http://localhost:12000"}` + * `{host, "https://10.20.30.40"}` +* `connection_pool_size` (optional, `integer`, default: 10) - the + number of connections open to auth service +* `connection_opts` (optional, default: `[]`) - extra options for + hackers: http://erlang.org/doc/man/gen_tcp.html#type-connect_option + +* `basic_auth` (optional, default: `""`) - HTTP Basic Authentication + in format `"username:password"`; auth service doesn't have to + require authentication for HTTP auth to work + +* `path_prefix` (optional, default: `"/"`) - a path prefix to be + inserted between `host` and method name; must be terminated with `/` + +## SCRAM support + +`ejabberd_auth_http` can use the SCRAM method. When SCRAM is enabled, +the passwords sent to the auth service are serialised and the same +serialised format is expected when fetching a password from the +component. + +It is transparent when ejabberd is responsible for all DB operations +such as password setting, account creation etc. + +The service CAN perform the (de)serialisation of SCRAM-encoded +passwords, using a format that will be described in near future in +separate document. + +## Authentication service API + +All GET requests include the following URL-encoded query string: +`?user=&server=&pass=`. + +All POST requests have the following URL-encoded string in the request +body: `user=&server=&pass=`. + +If certain method does not need a password, the value of `pass` is +**undefined**, so it shouldn't be used. + +For the best integration, the return code range should not exceed the +list below: + +* 500 - internal server error +* 409 - conflict +* 404 - not found +* 403 - not allowed +* 401 - not authorised +* 400 - other error, should be sent in response body +* 204 - success, no return data +* 201 - created +* 200 - success, return value in response body + +Whenever the specification says "anything else", service should use +one of the codes from the list above. + +Some requests consider multiple return codes a "success". It is up to +the server-side developer to pick one of the codes. + +### `check_password` + +* **Method:** GET +* **Type:** mandatory when SCRAM is not used +* **Return values:** + * 200, `true` or `false` in body + * anything else - will be treated as `false` +* **Description:** Must respond if the password is valid for user. + +### `get_password` + +* **Method:** GET +* **Type:** mandatory when SCRAM or DIGEST SASL mechanism is used +* **Return values:** + * 200, password in the body + * anything else - `get_password` will fail +* **Description:** Must return the user's password in plaintext or in the SCRAM serialised form. + +### `user_exists` + +* **Method:** GET +* **Type:** mandatory +* **Return values:** + * 200, `true` or `false` in body + * anything else - will be treated as `false` +* **Description:** Must return the information whether the user exists in DB. + +### `set_password` + +* **Method:** POST +* **Type:** mandatory when `mod_register` is enabled +* **Return values:** + * 200 or 201 or 204 - success + * anything else - will be treated as `false` +* **Description:** Must set user's password in the internal database + to a provided value. The value should not be transformed (except for + URL-decoding) before writing into DB. + +### `remove_user` + +* **Method:** POST +* **Type:** mandatory when `mod_register` is enabled +* **Return values:** + * 200 or 201 or 204 - success + * 404 - user does not exist + * 403 - not allowed for some reason + * 40X - will be treated as `bad request` +* **Description:** Removes a user account. + +### `remove_user_validate` + +* **Method:** POST +* **Type:** mandatory when `mod_register` is enabled +* **Return values:** + * 200 or 201 or 204 - success + * 404 - user does not exist + * 403 - invalid user password or not allowed for other reason + * 40X - will be treated as `bad request` +* **Description:** Removes a user account only if provided password is valid. + +### `register` + +* **Method:** POST +* **Type:** mandatory when `mod_register` is enabled +* **Return values:** + * 201 - success + * 409 - user already exists + * anything else - will be treated as failure +* **Description:** Creates a user account. + +## Authentication service API recipes + +Below are some examples of the auth service APIs and ejabberd-side +configuration along with use cases. + +### System using common, custom auth token + +An Auth token is provided as a password. + +* **Service implements:** `check_password`, `user_exists` +* **ejabberd config:** `password format`: `plain`, `mod_register` disabled +* **Client side:** MUST NOT use `DIGEST-MD5` mechanism; use `PLAIN` + +### Central database of plaintext passwords + +* **Service implements:** `check_password`, `get_password`, `user_exists` +* **ejabberd config:** `password format`: `plain`, `mod_register` disabled +* **Client side:** May use any available auth method + +### Central database able to process SCRAM + +* **Service implements:** `get_password`, `user_exists` +* **ejabberd config:** `password format`: `scram`, `mod_register` disabled +* **Client side:** May use any available auth method + +### All-included + +* **Service implements:** all methods +* **ejabberd config:** `password format`: `scram` (recommended) or `plain`, `mod_register` enabled +* **Client side:** May use any available auth method diff --git a/ejabberd_auth_http/build.bat b/ejabberd_auth_http/build.bat new file mode 100644 index 0000000..57e634e --- /dev/null +++ b/ejabberd_auth_http/build.bat @@ -0,0 +1 @@ +erl -pa ../ejabberd-dev/ebin -pz ebin -make diff --git a/ejabberd_auth_http/build.sh b/ejabberd_auth_http/build.sh new file mode 100755 index 0000000..f0a0cfa --- /dev/null +++ b/ejabberd_auth_http/build.sh @@ -0,0 +1,2 @@ +#!/bin/sh +erl -pa ../ejabberd-dev/ebin -pz ebin -make diff --git a/ejabberd_auth_http/ebin/.keepme b/ejabberd_auth_http/ebin/.keepme new file mode 100644 index 0000000..e69de29 diff --git a/ejabberd_auth_http/src/ejabberd_auth_http.erl b/ejabberd_auth_http/src/ejabberd_auth_http.erl new file mode 100644 index 0000000..646122b --- /dev/null +++ b/ejabberd_auth_http/src/ejabberd_auth_http.erl @@ -0,0 +1,291 @@ +%%%---------------------------------------------------------------------- +%%% File : ejabberd_auth_http.erl +%%% Author : Piotr Nosek +%%% Purpose : Authentication via HTTP request +%%% Created : 23 Sep 2013 by Piotr Nosek +%%%---------------------------------------------------------------------- + +-module(ejabberd_auth_http). +-author('piotr.nosek@erlang-solutions.com'). + +%% External exports +-export([start/1, + set_password/3, + check_password/3, + check_password/5, + try_register/3, + dirty_get_registered_users/0, + get_vh_registered_users/1, + get_vh_registered_users/2, + get_vh_registered_users_number/1, + get_vh_registered_users_number/2, + get_password/2, + get_password_s/2, + is_user_exists/2, + remove_user/2, + remove_user/3, + plain_password_required/0, + store_type/1 + ]). + +-include("ejabberd.hrl"). +-include("logger.hrl"). + +%%%---------------------------------------------------------------------- +%%% API +%%%---------------------------------------------------------------------- + +-spec start(binary()) -> ok. +start(Host) -> + AuthOpts = ejabberd_config:get_local_option(auth_opts, Host), + {_, AuthHost} = lists:keyfind(host, 1, AuthOpts), + PoolSize = proplists:get_value(connection_pool_size, AuthOpts, 10), + Opts = proplists:get_value(connection_opts, AuthOpts, []), + ChildMods = [fusco], + ChildMFA = {fusco, start_link, [AuthHost, Opts]}, + + {ok, _} = supervisor:start_child(ejabberd_sup, + {{ejabberd_auth_http_sup, Host}, + {cuesport, start_link, + [pool_name(Host), PoolSize, ChildMods, ChildMFA]}, + transient, 2000, supervisor, [cuesport | ChildMods]}), + ok. + +-spec plain_password_required() -> false. +plain_password_required() -> + false. + +-spec store_type(binary()) -> plain | scram. +store_type(Server) -> + case scram:enabled(Server) of + false -> plain; + true -> scram + end. + +-spec check_password(binary(), binary(), binary()) -> boolean(). +check_password(User, Server, Password) -> + {LUser, LServer} = stringprep(User, Server), + case scram:enabled(Server) of + false -> + case make_req(get, <<"check_password">>, LUser, LServer, Password) of + {ok, <<"true">>} -> true; + _ -> false + end; + true -> + {ok, true} =:= verify_scram_password(LUser, LServer, Password) + end. + +-spec check_password(binary(), binary(), binary(), binary(), fun()) -> boolean(). +check_password(User, Server, Password, Digest, DigestGen) -> + {LUser, LServer} = stringprep(User, Server), + case make_req(get, <<"get_password">>, LUser, LServer, <<"">>) of + {error, _} -> + false; + {ok, GotPasswd} -> + case scram:enabled(LServer) of + true -> + case scram:deserialize(GotPasswd) of + {ok, #scram{storedkey = StoredKey}} -> + Passwd = base64:decode(StoredKey), + ejabberd_auth:check_digest(Digest, DigestGen, Password, Passwd); + _ -> + false + end; + false -> + ejabberd_auth:check_digest(Digest, DigestGen, Password, GotPasswd) + end + end. + +-spec set_password(binary(), binary(), binary()) -> ok | {error, term()}. +set_password(User, Server, Password) -> + {LUser, LServer} = stringprep(User, Server), + PasswordFinal = case scram:enabled(LServer) of + true -> scram:serialize(scram:password_to_scram( + Password, scram:iterations(Server))); + false -> Password + end, + case make_req(post, <<"set_password">>, LUser, LServer, PasswordFinal) of + {error, _} = Err -> Err; + _ -> ok + end. + +-spec try_register(binary(), binary(), binary()) -> {atomic, ok | exists} | {error, term()}. +try_register(User, Server, Password) -> + {LUser, LServer} = stringprep(User, Server), + PasswordFinal = case scram:enabled(LServer) of + true -> scram:serialize(scram:password_to_scram( + Password, scram:iterations(Server))); + false -> Password + end, + case make_req(post, <<"register">>, LUser, LServer, PasswordFinal) of + {ok, created} -> {atomic, ok}; + {error, conflict} -> {atomic, exists}; + Error -> Error + end. + +-spec dirty_get_registered_users() -> []. +dirty_get_registered_users() -> + []. + +-spec get_vh_registered_users(binary()) -> []. +get_vh_registered_users(_Server) -> + []. + +-spec get_vh_registered_users(binary(), list()) -> []. +get_vh_registered_users(_Server, _Opts) -> + []. + +-spec get_vh_registered_users_number(binary()) -> 0. +get_vh_registered_users_number(_Server) -> + 0. + +-spec get_vh_registered_users_number(binary(), list()) -> 0. +get_vh_registered_users_number(_Server, _Opts) -> + 0. + +-spec get_password(binary(), binary()) -> false | binary() | + {binary(), binary(), binary(), integer()}. +get_password(User, Server) -> + {LUser, LServer} = stringprep(User, Server), + case make_req(get, <<"get_password">>, LUser, LServer, <<"">>) of + {error, _} -> + false; + {ok, Password} -> + case scram:enabled(LServer) of + true -> + case scram:deserialize(Password) of + {ok, #scram{} = Scram} -> + {base64:decode(Scram#scram.storedkey), + base64:decode(Scram#scram.serverkey), + base64:decode(Scram#scram.salt), + Scram#scram.iterationcount}; + _ -> + false + end; + false -> + Password + end + end. + +-spec get_password_s(binary(), binary()) -> binary(). +get_password_s(User, Server) -> + case get_password(User, Server) of + Pass when is_binary(Pass) -> Pass; + _ -> <<>> + end. + +-spec is_user_exists(binary(), binary()) -> boolean(). +is_user_exists(User, Server) -> + {LUser, LServer} = stringprep(User, Server), + case make_req(get, <<"user_exists">>, LUser, LServer, <<"">>) of + {ok, <<"true">>} -> true; + _ -> false + end. + +-spec remove_user(binary(), binary()) -> ok | not_exists | not_allowed | bad_request. +remove_user(User, Server) -> + {LUser, LServer} = stringprep(User, Server), + remove_user_req(LUser, LServer, <<"">>, <<"remove_user">>). + +-spec remove_user(binary(), binary(), binary()) -> ok | not_exists | not_allowed | bad_request. +remove_user(User, Server, Password) -> + {LUser, LServer} = stringprep(User, Server), + case scram:enabled(Server) of + false -> + remove_user_req(LUser, LServer, Password, <<"remove_user_validate">>); + true -> + case verify_scram_password(LUser, LServer, Password) of + {ok, false} -> + not_allowed; + {ok, true} -> + remove_user_req(LUser, LServer, <<"">>, <<"remove_user">>); + {error, Error} -> + Error + end + end. + +-spec remove_user_req(binary(), binary(), binary(), binary()) -> + ok | not_exists | not_allowed | bad_request. +remove_user_req(LUser, LServer, Password, Method) -> + case make_req(post, Method, LUser, LServer, Password) of + {error, not_allowed} -> not_allowed; + {error, not_found} -> not_exists; + {error, _} -> bad_request; + _ -> ok + end. + +%%%---------------------------------------------------------------------- +%%% Request maker +%%%---------------------------------------------------------------------- + +-spec make_req(post | get, binary(), binary(), binary(), binary()) -> + {ok, Body :: binary()} | {error, term()}. +make_req(_, _, LUser, LServer, _) when LUser == error orelse LServer == error -> + {error, {prep_failed, LUser, LServer}}; +make_req(Method, Path, LUser, LServer, Password) -> + AuthOpts = ejabberd_config:get_local_option(auth_opts, LServer), + BasicAuth = case lists:keyfind(basic_auth, 1, AuthOpts) of + {_, BasicAuth0} -> BasicAuth0; + _ -> "" + end, + PathPrefix = case lists:keyfind(path_prefix, 1, AuthOpts) of + {_, Prefix} -> ejabberd_binary:string_to_binary(Prefix); + false -> <<"/">> + end, + BasicAuth64 = base64:encode(BasicAuth), + LUserE = list_to_binary(http_uri:encode(binary_to_list(LUser))), + LServerE = list_to_binary(http_uri:encode(binary_to_list(LServer))), + PasswordE = list_to_binary(http_uri:encode(binary_to_list(Password))), + Query = <<"user=", LUserE/binary, "&server=", LServerE/binary, "&pass=", PasswordE/binary>>, + Header = [{<<"Authorization">>, <<"Basic ", BasicAuth64/binary>>}], + Connection = cuesport:get_worker(existing_pool_name(LServer)), + + ?DEBUG("Making request '~s' for user ~s@~s...", [Path, LUser, LServer]), + {ok, {{Code, _Reason}, _RespHeaders, RespBody, _, _}} = case Method of + get -> fusco:request(Connection, <>, + "GET", Header, "", 2, 5000); + post -> fusco:request(Connection, <>, + "POST", Header, Query, 2, 5000) + end, + + ?DEBUG("Request result: ~s: ~p", [Code, RespBody]), + case Code of + <<"409">> -> {error, conflict}; + <<"404">> -> {error, not_found}; + <<"401">> -> {error, not_authorized}; + <<"403">> -> {error, not_allowed}; + <<"400">> -> {error, RespBody}; + <<"204">> -> {ok, <<"">>}; + <<"201">> -> {ok, created}; + <<"200">> -> {ok, RespBody} + end. + +%%%---------------------------------------------------------------------- +%%% Other internal functions +%%%---------------------------------------------------------------------- + +stringprep(User, Server) -> {jlib:nodeprep(User), jlib:nameprep(Server)}. + +-spec pool_name(binary()) -> atom(). +pool_name(Host) -> + list_to_atom("ejabberd_auth_http_" ++ binary_to_list(Host)). + +-spec existing_pool_name(binary()) -> atom(). +existing_pool_name(Host) -> + list_to_existing_atom("ejabberd_auth_http_" ++ binary_to_list(Host)). + +-spec verify_scram_password(binary(), binary(), binary()) -> + {ok, boolean()} | {error, bad_request | not_exists}. +verify_scram_password(LUser, LServer, Password) -> + case make_req(get, <<"get_password">>, LUser, LServer, <<"">>) of + {ok, RawPassword} -> + case scram:deserialize(RawPassword) of + {ok, #scram{} = ScramRecord} -> + {ok, scram:check_password(Password, ScramRecord)}; + _ -> + {error, bad_request} + end; + _ -> + {error, not_exists} + end. +