Bugfixes after some testing against Adium through python-xmpp-server.

Ben Weaver · Ben Weaver · commit 9bb30572d76e · 2010-02-03T19:29:59.000-05:00
diff --git a/sasl/digest_md5.py b/sasl/digest_md5.py
@@ -19,6 +19,8 @@ class DigestMD5(mech.Mechanism):
     def __init__(self, auth):
         self.auth = auth
 
+    state = mech.AuthState
+
     ## Server
     ## 1. Issue challenge.
     ## 2. Verify challenge response is correct; reply with rspauth.
@@ -27,56 +29,56 @@ def __init__(self, auth):
     def challenge(self):
         ## Issue a challenge; continue by verifying the client's
         ## response.
-        return (self.verify_challenge, self.write(self.CHALLENGE, {
+        return self.state(self.verify, None, self.write(self.CHALLENGE, {
             'realm': self.auth.realm(),
             'nonce': self.make_nonce(),
             'charset': 'utf-8',
             'algorithm': 'md5-sess'
         }))
 
-    def verify_challenge(self, data):
+    def verify(self, entity, data):
         try:
             response = dict(rfc.data(self.RESPOND, data))
         except rfc.ReadError as exc:
-            return (False, None)
+            return self.state(False, entity, None)
 
         ## If the nonce count is not one, the client is trying to use
         ## "subsequent authentication", but this is usupported.
         if response.get('nc') != 1:
-            return (False, '')
+            return self.state(False, entity, '')
 
         ## Confirm the digest-uri.
         if response.get('digest-uri') != self.make_digest_uri():
-            return (False, '')
+            return self.state(False, entity, '')
 
         ## Make sure the username exists, get the stored password.
-        username = response.get('username')
-        passwd = username and self.auth.get_password(username)
+        entity = response.get('username')
+        passwd = entity and self.auth.get_password(entity)
         if not passwd:
-            return (False, '')
+            return self.state(False, entity, '')
 
         ## The password must be stored in a format compatible with
         ## DigestMD5Password.  Convert it to a binary representation
         ## and generate the response hashes.
         try:
-            uh = DigestMD5Password.digest(self.auth, username, passwd)
+            uh = DigestMD5Password.digest(self.auth, entity, passwd)
             (expect, rspauth) = self.make_response(response, uh)
         except auth.PasswordError as exc:
-            return (False, '')
+            return self.state(False, entity, '')
 
         ## Verify that the response hashes match.
         if expect != response.get('response'):
-            return (False, '')
+            return self.state(False, entity, '')
 
         ## Return the rspauth hash; wait for acknowledgement.
-        return (self.receive_ack, self.write(self.VERIFY, {
+        return self.state(self.finish, entity, self.write(self.VERIFY, {
             'rspauth': rspauth
         }))
 
-    def receive_ack(self, data):
+    def finish(self, entity, data):
         ## The client has acknowledges the rspauth sent;
         ## authentication was successful.
-        return (True, '')
+        return self.state(True, entity, '')
 
     ## Client
     ## 1. Respond to server challenge.
@@ -87,15 +89,16 @@ def respond(self, data):
         try:
             challenge = dict(rfc.data(self.CHALLENGE, data))
         except rfc.ReadError:
-            return (False, None)
+            return self.state(False, None, None)
 
         enc = self.encoding(challenge)
         zid = self.auth.authorization_id()
+        cid = unicode(self.auth.username()).encode(enc)
 
         ## Derive response parameters from the challenge and from the
         ## client environment.
         params = {
-            'username': unicode(self.auth.username()).encode(enc),
+            'username': cid,
             'realm': challenge.get('realm', u''),
             'nonce': challenge['nonce'],
             'cnonce': self.make_nonce(),
@@ -112,23 +115,25 @@ def respond(self, data):
 
         ## Generate the response; continue by acknowledging the
         ## server's response.
-        ack = lambda d: self.acknowledge(expect, d)
-        return (ack, self.write(self.RESPOND, params))
+        ack = lambda *a: self.acknowledge(expect, *a)
+        return self.state(ack, zid or cid, self.write(self.RESPOND, params))
 
-    def acknowledge(self, expect, data):
+    def acknowledge(self, expect, entity, data):
         try:
             verify = dict(rfc.data(self.VERIFY, data))
         except rfc.ReadError:
-            return (False, None)
+            return self.state(False, entity, None)
 
         ## If the rspauth matches the expected value, authentication
         ## was successful.  The server expects an empty reply that
         ## confirms acknowledgement.
-        return (verify.get('rspauth') == expect and self.ack_accepted, '')
+        if verify.get('rspauth') == expect:
+            return self.state(self.accepted, entity, '')
+        return self.state(False, entity, None)
 
-    def ack_accepted(self, data):
+    def accepted(self, entity, data):
         assert data == ''
-        return (True, None)
+        return self.state(True, entity, None)
 
     ## Grammars
 
@@ -181,7 +186,7 @@ def make_digest_uri(self):
         service = auth.service_name()
         return '%s/%s%s' % (
             auth.service_type(),
-            auth.host(),
+            auth.realm(),
             ('/%s' % service if service else u'')
         )
 
@@ -247,7 +252,7 @@ def user_hash(user, realm, passwd, encoding='utf-8'):
         realm = iso_8859_1(realm)
         passwd = iso_8859_1(passwd)
 
-    return colons(md5, user, passwd, realm)
+    return colons(md5, user, realm, passwd)
 
 def a1_hash(uh, nonce, cnonce, authzid):
     """A1 hash (see RFC-2831 page 10).  The uh parameter is the result
diff --git a/sasl/mechanism.py b/sasl/mechanism.py
@@ -12,7 +12,7 @@
 <http://www.iana.org/assignments/sasl-mechanisms>
 """
 from __future__ import absolute_import
-import abc, re
+import abc, re, collections
 
 __all__ = ('define', 'Mechanism')
 
@@ -32,14 +32,13 @@ def __new__(mcls, name, bases, attr):
 
 class Mechanism(object):
     """The SASL mechanism interface.  The only two methods required
-    are challenge() and respond().  These methods return
-    <continuation, data> items.  The continuation is one of the
-    following:
+    are challenge() and respond().  These methods return AuthState
+    items.  The continuation field (k) is one of the following:
 
       callback   call this with data received from the other end
       True       authentication succeeded
       False      authentication failed
-      None       success/failure is up to the other end
+      None       need confirmation of success from other end
 
     A Mechanism can implement any number of steps in an authentication
     sequence by returning callback procedures as the continuation.
@@ -59,6 +58,20 @@ def challenge(self):
     def respond(self, challenge):
         """Respond to a challenge."""
 
+class AuthState(collections.namedtuple('AuthState', 'k entity data')):
+
+    def __call__(self, response):
+        return self.k and self.k(self.entity, response)
+
+    def success(self):
+        return self.k is True
+
+    def failure(self):
+        return self.k is False
+
+    def confirm(self):
+        return self.k is None
+
 
 ### Registry
 
diff --git a/sasl/plain.py b/sasl/plain.py
@@ -15,26 +15,32 @@ class Plain(mech.Mechanism):
     id, the authentication id, and password separated by null
     bytes."""
 
-    NULL = u'0x00'
+    NULL = u'\x00'
 
     def __init__(self, auth):
         self.auth = auth
 
+    def verify(self, *args):
+        return self.auth.verify_password(*args)
+
+    state = mech.AuthState
+
     ## Server
 
     def challenge(self):
-        return (self.verify_challenge, '')
+        return self.state(self.verify_challenge, None, '')
 
-    def verify_challenge(self, response):
+    def verify_challenge(self, entity, response):
         try:
             (zid, cid, passwd) = response.decode('utf-8').split(self.NULL)
-        except ValueError:
-            return (False, None)
+        except ValueError as exc:
+            return self.state(False, entity, None)
 
         try:
-            return (self.auth.verify_password(zid, cid, passwd), None)
-        except auth.PasswordError:
-            return (False, None)
+            entity = entity or zid or cid
+            return self.state(self.verify(zid, cid, passwd), entity, None)
+        except auth.PasswordError as exc:
+            return self.state(False, entity, None)
 
     ## Client
 
@@ -51,7 +57,8 @@ def respond(self, data):
             (auth.password() or u'')
         )).encode('utf-8')
 
-        return (None, response)
+        self.authorized = zid or cid
+        return self.state(None, zid or cid, response)
 
 class PlainPassword(auth.PasswordType):
 
