author | Evgeniy Khramtsov <ekhramtsov@process-one.net> | 2017-03-07 14:20:50 +0300 |
---|---|---|
committer | Evgeniy Khramtsov <ekhramtsov@process-one.net> | 2017-03-07 14:20:50 +0300 |
commit | 8b29af629b816529a3ce6385a8445114447c30ba (patch) | |
tree | 136a50321fa926ce916551d80ec16a3b1d3ed069 /test/suite.erl | |
parent | Better handle errors in ejabberd_receiver calls (diff) |
Best Practices for Use of SASL EXTERNAL with Certificates (XEP-0178) support
It is now possible for client connections to log in using PKIX certificates.
This is disabled by default, to enable it:
- either set 'tls_verify: true' and 'cafile: /path/to/CAfile'
in the corresponding listener's section
- or set equivalent per-vhost options 'c2s_tls_verify' and 'c2s_cafile'
Diffstat (limited to '')
-rw-r--r-- | test/suite.erl | 23 |
1 files changed, 13 insertions, 10 deletions
diff --git a/test/suite.erl b/test/suite.erl
index 67dcd6c4d..6b8a49f21 100644
--- a/test/suite.erl
+++ b/test/suite.erl
@@ -306,7 +306,7 @@ auth(Config, ShouldFail) ->
 auth_SASL(<<"PLAIN">>, Config, ShouldFail);
 HaveMD5 ->
 auth_SASL(<<"DIGEST-MD5">>, Config, ShouldFail);
- HaveExternal andalso Type == server ->
+ HaveExternal ->
 auth_SASL(<<"EXTERNAL">>, Config, ShouldFail);
 Type == client ->
 auth_legacy(Config, false, ShouldFail);
@@ -414,10 +414,13 @@ auth_SASL(Mech, Config) ->
 auth_SASL(Mech, Config, false).
 
 auth_SASL(Mech, Config, ShouldFail) ->
- {Response, SASL} = sasl_new(Mech,
- ?config(user, Config),
- ?config(server, Config),
- ?config(password, Config)),
+ Creds = {?config(user, Config),
+ ?config(server, Config),
+ ?config(password, Config)},
+ auth_SASL(Mech, Config, ShouldFail, Creds).
+
+auth_SASL(Mech, Config, ShouldFail, Creds) ->
+ {Response, SASL} = sasl_new(Mech, Creds),
 send(Config, #sasl_auth{mechanism = Mech, text = Response}),
 wait_auth_SASL_result(set_opt(sasl, SASL, Config), ShouldFail).
 
@@ -549,16 +552,16 @@ send_recv(State, #iq{} = IQ) ->
 ID = send(State, IQ),
 receive #iq{id = ID} = Result -> Result end.
 
-sasl_new(<<"PLAIN">>, User, Server, Password) ->
+sasl_new(<<"PLAIN">>, {User, Server, Password}) ->
 {<<User/binary, $@, Server/binary, 0, User/binary, 0, Password/binary>>,
 fun (_) -> {error, <<"Invalid SASL challenge">>} end};
-sasl_new(<<"EXTERNAL">>, _User, _Server, _Password) ->
- {<<"">>,
+sasl_new(<<"EXTERNAL">>, {User, Server, _Password}) ->
+ {jid:encode(jid:make(User, Server)),
 fun(_) -> ct:fail(sasl_challenge_is_not_expected) end};
-sasl_new(<<"ANONYMOUS">>, _User, _Server, _Password) ->
+sasl_new(<<"ANONYMOUS">>, _) ->
 {<<"">>,
 fun(_) -> ct:fail(sasl_challenge_is_not_expected) end};
-sasl_new(<<"DIGEST-MD5">>, User, Server, Password) ->
+sasl_new(<<"DIGEST-MD5">>, {User, Server, Password}) ->
 {<<"">>,
 fun (ServerIn) ->
 case cyrsasl_digest:parse(ServerIn) of |
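Review bot: The new `HaveExternal ->` branch lets a client-side test choose EXTERNAL whenever the server advertises it, but the condition no longer checks anything about the client itself, so a test config that carries no client certificate will presumably fail inside EXTERNAL instead of falling through to the `Type == client -> auth_legacy(...)` branch below. `HaveExternal` is bound earlier in `auth/2`, which starts outside this hunk, so I cannot see how it is derived; if it only reflects the advertised mechanism list, consider also requiring whatever option the suite uses to carry the client certificate, e.g. `HaveExternal andalso <client cert configured> ->`, so the mechanism is only attempted when it can succeed. Note too that because the clause order is unchanged, EXTERNAL is still only reached when neither PLAIN nor DIGEST-MD5 is offered, which limits which listeners can exercise certificate login.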
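Review bot: The new `auth_SASL/4` takes `Creds` as an untagged `{User, Server, Password}` 3-tuple of binaries, which is easy to pass in the wrong order and is not documented anywhere in the hunk; a one-line comment above the new clause would help callers that build it by hand, e.g. `%% Creds = {User, Server, Password}; Password is unused for EXTERNAL and ANONYMOUS.` Since the tuple is positional, `sasl_new/2` will raise `function_clause` on a malformed tuple rather than a readable error, which is acceptable in a test suite but worth stating. The `?config(password, Config)` value is still threaded through for every mechanism, including EXTERNAL, which is fine for tests but means the tuple should not be logged with `~p`.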
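Review bot: The EXTERNAL clause now always sends an explicit authorization identity (`jid:encode(jid:make(User, Server))`) as the initial response, so the suite only exercises the path where the client names the identity it wants; the empty-authzid path that the old `{<<"">>,` covered, where the server derives the JID from the certificate, is no longer tested. More importantly, nothing here asserts that the server rejects an authzid that does not match the certificate's identities, and that mismatch check is what stops a client holding a valid certificate for one user from logging in as another. With the new `auth_SASL/4` this is cheap to add as a ShouldFail case, e.g. `auth_SASL(<<"EXTERNAL">>, Config, true, {<<"someone-else">>, Server, <<>>})`, alongside a second case that keeps the empty initial response. Also note `jid:make/2` can return `error` for an invalid user/server, in which case `jid:encode/1` will raise rather than produce a test failure message; if that is a concern, match the `#jid{}` first.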