diff options
Diffstat (limited to '')
-rw-r--r-- | src/auth/mech-oauth2.c | 315 |
1 files changed, 315 insertions, 0 deletions
diff --git a/src/auth/mech-oauth2.c b/src/auth/mech-oauth2.c new file mode 100644 index 0000000..1b14567 --- /dev/null +++ b/src/auth/mech-oauth2.c @@ -0,0 +1,315 @@ +/* Copyright (c) 2017-2018 Dovecot authors, see the included COPYING file */ + +#include "auth-common.h" +#include "safe-memset.h" +#include "str.h" +#include "mech.h" +#include "passdb.h" +#include "oauth2.h" +#include "json-parser.h" +#include <ctype.h> + +struct oauth2_auth_request { + struct auth_request auth; + bool failed; +}; + +/* RFC5801 based unescaping */ +static bool oauth2_unescape_username(const char *in, const char **username_r) +{ + string_t *out; + out = t_str_new(64); + for (; *in != '\0'; in++) { + if (in[0] == ',') + return FALSE; + if (in[0] == '=') { + if (in[1] == '2' && in[2] == 'C') + str_append_c(out, ','); + else if (in[1] == '3' && in[2] == 'D') + str_append_c(out, '='); + else + return FALSE; + in += 2; + } else { + str_append_c(out, *in); + } + } + *username_r = str_c(out); + return TRUE; +} + +static void oauth2_verify_callback(enum passdb_result result, + const char *const *error_fields, + struct auth_request *request) +{ + struct oauth2_auth_request *oauth2_req = + (struct oauth2_auth_request*)request; + + i_assert(result == PASSDB_RESULT_OK || error_fields != NULL); + switch (result) { + case PASSDB_RESULT_OK: + auth_request_success(request, "", 0); + break; + case PASSDB_RESULT_INTERNAL_FAILURE: + auth_request_internal_failure(request); + break; + default: + /* we could get new token after this */ + if (request->mech_password != NULL) + request->mech_password = NULL; + string_t *error = t_str_new(64); + str_append_c(error, '{'); + for (unsigned int i = 0; error_fields[i] != NULL; i += 2) { + i_assert(error_fields[i+1] != NULL); + if (i > 0) + str_append_c(error, ','); + str_append_c(error, '"'); + json_append_escaped(error, error_fields[i]); + str_append(error, "\":\""); + json_append_escaped(error, error_fields[i+1]); + str_append_c(error, '"'); + } + /* FIXME: HORRIBLE HACK - REMOVE ME!!! + It is because the mech has not been implemented properly + that we need to pass the config url in this strange way. + + This **must** be removed from here and db-oauth2 once the + validation result et al is handled here. + */ + if (request->openid_config_url != NULL) { + if (str_len(error) > 0) + str_append_c(error, ','); + str_printfa(error, "\"openid-configuration\":\""); + json_append_escaped(error, request->openid_config_url); + str_append_c(error, '"'); + } + str_append_c(error, '}'); + auth_request_handler_reply_continue(request, str_data(error), + str_len(error)); + oauth2_req->failed = TRUE; + break; + } +} + +static void +xoauth2_verify_callback(enum passdb_result result, struct auth_request *request) +{ + const char *const error_fields[] = { + "status", "401", + "schemes", "bearer", + "scope", "mail", + NULL + }; + oauth2_verify_callback(result, error_fields, request); +} + +static void +oauthbearer_verify_callback(enum passdb_result result, struct auth_request *request) +{ + const char *error_fields[] = { + "status", "invalid_token", + NULL + }; + oauth2_verify_callback(result, error_fields, request); +} + +/* Input syntax: + user=Username^Aauth=Bearer token^A^A +*/ +static void +mech_xoauth2_auth_continue(struct auth_request *request, + const unsigned char *data, + size_t data_size) +{ + struct oauth2_auth_request *oauth2_req = + (struct oauth2_auth_request*)request; + + /* Specification says that client is sent "invalid token" challenge + which the client is supposed to ack with empty response */ + if (oauth2_req->failed) { + auth_request_fail(request); + return; + } + + /* split the data from ^A */ + bool user_given = FALSE; + const char *error; + const char *token = NULL; + const char *const *ptr; + const char *username; + const char *const *fields = + t_strsplit(t_strndup(data, data_size), "\x01"); + for(ptr = fields; *ptr != NULL; ptr++) { + if (str_begins(*ptr, "user=")) { + /* xoauth2 does not require unescaping because the data + format does not contain anything to escape */ + username = (*ptr)+5; + user_given = TRUE; + } else if (str_begins(*ptr, "auth=")) { + const char *value = (*ptr)+5; + if (strncasecmp(value, "bearer ", 7) == 0 && + oauth2_valid_token(value+7)) { + token = value+7; + } else { + e_info(request->mech_event, + "Invalid continued data"); + auth_request_fail(request); + return; + } + } + /* do not fail on unexpected fields */ + } + + if (user_given && !auth_request_set_username(request, username, &error)) { + e_info(request->mech_event, + "%s", error); + auth_request_fail(request); + return; + } + + if (user_given && token != NULL) + auth_request_verify_plain(request, token, + xoauth2_verify_callback); + else { + e_info(request->mech_event, "Username or token missing"); + auth_request_fail(request); + } +} + +/* Input syntax for data: + gs2flag,a=username,^Afield=...^Afield=...^Aauth=Bearer token^A^A +*/ +static void +mech_oauthbearer_auth_continue(struct auth_request *request, + const unsigned char *data, + size_t data_size) +{ + struct oauth2_auth_request *oauth2_req = + (struct oauth2_auth_request*)request; + + if (oauth2_req->failed) { + auth_request_fail(request); + return; + } + + bool user_given = FALSE; + const char *error; + const char *username; + const char *const *ptr; + /* split the data from ^A */ + const char **fields = + t_strsplit(t_strndup(data, data_size), "\x01"); + const char *token = NULL; + /* ensure initial field is OK */ + if (*fields == NULL || *(fields[0]) == '\0') { + e_info(request->mech_event, + "Invalid continued data"); + auth_request_fail(request); + return; + } + + /* the first field is specified by RFC5801 as gs2-header */ + for(ptr = t_strsplit_spaces(fields[0], ","); *ptr != NULL; ptr++) { + switch(*ptr[0]) { + case 'f': + e_info(request->mech_event, + "Client requested non-standard mechanism"); + auth_request_fail(request); + return; + case 'p': + /* channel binding is not supported */ + e_info(request->mech_event, + "Client requested and used channel-binding"); + auth_request_fail(request); + return; + case 'n': + case 'y': + /* we don't need to use channel-binding */ + continue; + case 'a': /* authzid */ + if ((*ptr)[1] != '=' || + !oauth2_unescape_username((*ptr)+2, &username)) { + e_info(request->mech_event, + "Invalid username escaping"); + auth_request_fail(request); + return; + } else { + user_given = TRUE; + } + break; + default: + e_info(request->mech_event, + "Invalid gs2-header in request"); + auth_request_fail(request); + return; + } + } + + for(ptr = fields; *ptr != NULL; ptr++) { + if (str_begins(*ptr, "auth=")) { + const char *value = (*ptr)+5; + if (strncasecmp(value, "bearer ", 7) == 0 && + oauth2_valid_token(value+7)) { + token = value+7; + } else { + e_info(request->mech_event, + "Invalid continued data"); + auth_request_fail(request); + return; + } + } + /* do not fail on unexpected fields */ + } + if (user_given && !auth_request_set_username(request, username, &error)) { + e_info(request->mech_event, + "%s", error); + auth_request_fail(request); + return; + } + if (user_given && token != NULL) + auth_request_verify_plain(request, token, + oauthbearer_verify_callback); + else { + e_info(request->mech_event, "Missing username or token"); + auth_request_fail(request); + } +} + +static struct auth_request *mech_oauth2_auth_new(void) +{ + struct oauth2_auth_request *request; + pool_t pool; + + pool = pool_alloconly_create(MEMPOOL_GROWING"oauth2_auth_request", 2048); + request = p_new(pool, struct oauth2_auth_request, 1); + request->auth.pool = pool; + return &request->auth; +} + +const struct mech_module mech_oauthbearer = { + "OAUTHBEARER", + + /* while this does not transfer plaintext password, + the token is still considered as password */ + .flags = MECH_SEC_PLAINTEXT, + .passdb_need = 0, + + mech_oauth2_auth_new, + mech_generic_auth_initial, + mech_oauthbearer_auth_continue, + mech_generic_auth_free +}; + +const struct mech_module mech_xoauth2 = { + "XOAUTH2", + + .flags = MECH_SEC_PLAINTEXT, + .passdb_need = 0, + + mech_oauth2_auth_new, + mech_generic_auth_initial, + mech_xoauth2_auth_continue, + mech_generic_auth_free +}; + + |