authorHolger Weiss <holger@zedat.fu-berlin.de>2014-11-10 01:10:04 +0100
committerHolger Weiss <holger@zedat.fu-berlin.de>2014-11-10 01:10:04 +0100
commitee0ecd241926b9720c42954f1e978fd54f771a59 (patch)
treec0b8708e7465aeafe4cdf6f9f2af389fd3425a29
parentAdd xref test to travis. (diff)
New option: disable_sasl_mechanisms
The new "disable_sasl_mechanisms" option allows for restricting the list of SASL mechanisms offered to the client. Closes #339.
-rw-r--r--doc/guide.tex5
-rw-r--r--src/cyrsasl.erl28
2 files changed, 30 insertions, 3 deletions
diff --git a/doc/guide.tex b/doc/guide.tex
index 2c20df95..d77a2525 100644
--- a/doc/guide.tex
+++ b/doc/guide.tex
@@ -1453,6 +1453,11 @@ The FQDN is used to authenticate some clients that use the DIGEST-MD5 SASL mecha
The option syntax is:
\esyntax{fqdn: undefined|FqdnString|[FqdnString]}
+The option \option{disable\_sasl\_mechanisms} specifies a list of SASL
+mechanisms that should \emph{not} be offered to the client. The mechanisms can
+be listed as lowercase or uppercase strings. The option syntax is:
+\esyntax{disable\_sasl\_mechanisms: [Mechanism, ...]}
+
\makesubsubsection{internalauth}{Internal}
\ind{internal authentication}\ind{Mnesia}
diff --git a/src/cyrsasl.erl b/src/cyrsasl.erl
index f404a7af..db2160ca 100644
--- a/src/cyrsasl.erl
+++ b/src/cyrsasl.erl
@@ -93,9 +93,15 @@ start() ->
).
register_mechanism(Mechanism, Module, PasswordType) ->
- ets:insert(sasl_mechanism,
- #sasl_mechanism{mechanism = Mechanism, module = Module,
- password_type = PasswordType}).
+ case is_disabled(Mechanism) of
+ false ->
+ ets:insert(sasl_mechanism,
+ #sasl_mechanism{mechanism = Mechanism, module = Module,
+ password_type = PasswordType});
+ true ->
+ ?DEBUG("SASL mechanism ~p is disabled", [Mechanism]),
+ true
+ end.
%%% TODO: use callbacks
%%-include("ejabberd.hrl").
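Review bot: The `true ->` branch of register_mechanism reports a disabled mechanism only through `?DEBUG`, so unless debug logging is on, an operator gets no confirmation that the restriction was actually applied. For a setting that controls which authentication mechanisms are offered, I would log it at info level: `?INFO_MSG("SASL mechanism ~p is disabled", [Mechanism]),`. The option is also consulted only here, at registration time. start/0 lies outside the hunk, but if mechanisms are registered once at startup, a later change to `disable_sasl_mechanisms` would presumably not withdraw a mechanism already in the `sasl_mechanism` table, which deserves a comment above the function.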
@@ -215,3 +221,19 @@ filter_anonymous(Host, Mechs) ->
true -> Mechs;
false -> Mechs -- [<<"ANONYMOUS">>]
end.
+
+-spec(is_disabled/1 ::
+(
+ Mechanism :: mechanism())
+ -> boolean()
+).
+
+is_disabled(Mechanism) ->
+ Disabled = ejabberd_config:get_option(
+ disable_sasl_mechanisms,
+ fun(V) when is_list(V) ->
+ lists:map(fun(M) -> str:to_upper(M) end, V);
+ (V) ->
+ [str:to_upper(V)]
+ end, []),
+ lists:member(Mechanism, Disabled).
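Review bot: The catch-all clause `(V) -> [str:to_upper(V)]` in the validation fun of is_disabled accepts any term, and the list clause does not check its elements, so the validator itself never rejects a malformed `disable_sasl_mechanisms` value. Given the `[]` default, if `ejabberd_config:get_option` falls back to that default when the fun fails (not visible in this hunk), a bad value would leave every mechanism enabled. Assuming names arrive as binaries, as `<<"ANONYMOUS">>` on the context line suggests, I would narrow the second clause to `(V) when is_binary(V) -> [str:to_upper(V)]`. I would also add the comment `%% Names that match no registered mechanism are ignored, so a misspelled entry leaves that mechanism enabled.` to make the fail-open behaviour explicit.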