From 52fde758b31e0afbe48d7ecc77341d9ed7867f4e Mon Sep 17 00:00:00 2001 From: Evgeniy Khramtsov Date: Wed, 27 Apr 2016 09:44:32 +0300 Subject: Get rid of "internal" DB type. This also fixes #1092 --- src/ejabberd_auth.erl | 31 ++- src/ejabberd_auth_external.erl | 42 ++-- src/ejabberd_auth_internal.erl | 498 ----------------------------------------- src/ejabberd_auth_mnesia.erl | 498 +++++++++++++++++++++++++++++++++++++++++ src/ejabberd_config.erl | 32 ++- src/ejd2sql.erl | 2 +- 6 files changed, 560 insertions(+), 543 deletions(-) delete mode 100644 src/ejabberd_auth_internal.erl create mode 100644 src/ejabberd_auth_mnesia.erl (limited to 'src') diff --git a/src/ejabberd_auth.erl b/src/ejabberd_auth.erl index 0267a2192..927abdac2 100644 --- a/src/ejabberd_auth.erl +++ b/src/ejabberd_auth.erl @@ -136,7 +136,7 @@ check_password(User, AuthzId, Server, Password, Digest, %% {true, AuthModule} | false %% where %% AuthModule = ejabberd_auth_anonymous | ejabberd_auth_external -%% | ejabberd_auth_internal | ejabberd_auth_ldap +%% | ejabberd_auth_mnesia | ejabberd_auth_ldap %% | ejabberd_auth_sql | ejabberd_auth_pam | ejabberd_auth_riak -spec check_password_with_authmodule(binary(), binary(), binary(), binary()) -> false | {true, atom()}. @@ -428,38 +428,35 @@ auth_modules() -> %% Return the list of authenticated modules for a given host auth_modules(Server) -> LServer = jid:nameprep(Server), - Default = case gen_mod:default_db(LServer) of - mnesia -> internal; - DBType -> DBType - end, + Default = gen_mod:default_db(LServer), Methods = ejabberd_config:get_option( - {auth_method, LServer}, - fun(V) when is_list(V) -> - true = lists:all(fun is_atom/1, V), - V; - (V) when is_atom(V) -> - [V] - end, [Default]), + {auth_method, LServer}, opt_type(auth_method), [Default]), [jlib:binary_to_atom(<<"ejabberd_auth_", (jlib:atom_to_binary(M))/binary>>) || M <- Methods]. export(Server) -> - ejabberd_auth_internal:export(Server). + ejabberd_auth_mnesia:export(Server). import(Server) -> - ejabberd_auth_internal:import(Server). + ejabberd_auth_mnesia:import(Server). import(Server, mnesia, Passwd) -> - ejabberd_auth_internal:import(Server, mnesia, Passwd); + ejabberd_auth_mnesia:import(Server, mnesia, Passwd); import(Server, riak, Passwd) -> ejabberd_auth_riak:import(Server, riak, Passwd); import(_, _, _) -> pass. +-spec v_auth_method(atom()) -> atom(). + +v_auth_method(odbc) -> sql; +v_auth_method(internal) -> mnesia; +v_auth_method(A) when is_atom(A) -> A. + opt_type(auth_method) -> fun (V) when is_list(V) -> - true = lists:all(fun is_atom/1, V), V; - (V) when is_atom(V) -> [V] + lists:map(fun v_auth_method/1, V); + (V) -> [v_auth_method(V)] end; opt_type(_) -> [auth_method]. diff --git a/src/ejabberd_auth_external.erl b/src/ejabberd_auth_external.erl index 5897fba5b..ef7c97551 100644 --- a/src/ejabberd_auth_external.erl +++ b/src/ejabberd_auth_external.erl @@ -56,7 +56,7 @@ start(Host) -> "extauth"), extauth:start(Host, Cmd), check_cache_last_options(Host), - ejabberd_auth_internal:start(Host). + ejabberd_auth_mnesia:start(Host). check_cache_last_options(Server) -> case get_cache_option(Server) of @@ -94,7 +94,7 @@ check_password(User, AuthzId, Server, Password, _Digest, set_password(User, Server, Password) -> case extauth:set_password(User, Server, Password) of true -> - set_password_internal(User, Server, Password), ok; + set_password_mnesia(User, Server, Password), ok; _ -> {error, unknown_problem} end. @@ -106,20 +106,20 @@ try_register(User, Server, Password) -> end. dirty_get_registered_users() -> - ejabberd_auth_internal:dirty_get_registered_users(). + ejabberd_auth_mnesia:dirty_get_registered_users(). get_vh_registered_users(Server) -> - ejabberd_auth_internal:get_vh_registered_users(Server). + ejabberd_auth_mnesia:get_vh_registered_users(Server). get_vh_registered_users(Server, Data) -> - ejabberd_auth_internal:get_vh_registered_users(Server, + ejabberd_auth_mnesia:get_vh_registered_users(Server, Data). get_vh_registered_users_number(Server) -> - ejabberd_auth_internal:get_vh_registered_users_number(Server). + ejabberd_auth_mnesia:get_vh_registered_users_number(Server). get_vh_registered_users_number(Server, Data) -> - ejabberd_auth_internal:get_vh_registered_users_number(Server, + ejabberd_auth_mnesia:get_vh_registered_users_number(Server, Data). %% The password can only be returned if cache is enabled, cached info exists and is fresh enough. @@ -151,7 +151,7 @@ remove_user(User, Server) -> case get_cache_option(Server) of false -> false; {true, _CacheTime} -> - ejabberd_auth_internal:remove_user(User, Server) + ejabberd_auth_mnesia:remove_user(User, Server) end end. @@ -162,7 +162,7 @@ remove_user(User, Server, Password) -> case get_cache_option(Server) of false -> false; {true, _CacheTime} -> - ejabberd_auth_internal:remove_user(User, Server, + ejabberd_auth_mnesia:remove_user(User, Server, Password) end end. @@ -197,7 +197,7 @@ check_password_cache(User, AuthzId, Server, Password, CacheTime) -> case get_last_access(User, Server) of online -> - check_password_internal(User, AuthzId, Server, Password); + check_password_mnesia(User, AuthzId, Server, Password); never -> check_password_external_cache(User, AuthzId, Server, Password); mod_last_required -> @@ -210,7 +210,7 @@ check_password_cache(User, AuthzId, Server, Password, case is_fresh_enough(TimeStamp, CacheTime) of %% If no need to refresh, check password against Mnesia true -> - case check_password_internal(User, AuthzId, Server, Password) of + case check_password_mnesia(User, AuthzId, Server, Password) of %% If password valid in Mnesia, accept it true -> true; %% Else (password nonvalid in Mnesia), check in extauth and cache result @@ -223,13 +223,13 @@ check_password_cache(User, AuthzId, Server, Password, end end. -get_password_internal(User, Server) -> - ejabberd_auth_internal:get_password(User, Server). +get_password_mnesia(User, Server) -> + ejabberd_auth_mnesia:get_password(User, Server). -spec get_password_cache(User::binary(), Server::binary(), CacheTime::integer()) -> Password::string() | false. get_password_cache(User, Server, CacheTime) -> case get_last_access(User, Server) of - online -> get_password_internal(User, Server); + online -> get_password_mnesia(User, Server); never -> false; mod_last_required -> ?ERROR_MSG("extauth is used, extauth_cache is enabled " @@ -239,7 +239,7 @@ get_password_cache(User, Server, CacheTime) -> false; TimeStamp -> case is_fresh_enough(TimeStamp, CacheTime) of - true -> get_password_internal(User, Server); + true -> get_password_mnesia(User, Server); false -> false end end. @@ -248,7 +248,7 @@ get_password_cache(User, Server, CacheTime) -> check_password_external_cache(User, AuthzId, Server, Password) -> case check_password_extauth(User, AuthzId, Server, Password) of true -> - set_password_internal(User, Server, Password), true; + set_password_mnesia(User, Server, Password), true; false -> false end. @@ -256,21 +256,21 @@ check_password_external_cache(User, AuthzId, Server, Password) -> try_register_external_cache(User, Server, Password) -> case try_register_extauth(User, Server, Password) of {atomic, ok} = R -> - set_password_internal(User, Server, Password), R; + set_password_mnesia(User, Server, Password), R; _ -> {error, not_allowed} end. %% @spec (User, AuthzId, Server, Password) -> true | false -check_password_internal(User, AuthzId, Server, Password) -> - ejabberd_auth_internal:check_password(User, AuthzId, Server, +check_password_mnesia(User, AuthzId, Server, Password) -> + ejabberd_auth_mnesia:check_password(User, AuthzId, Server, Password). %% @spec (User, Server, Password) -> ok | {error, invalid_jid} -set_password_internal(User, Server, Password) -> +set_password_mnesia(User, Server, Password) -> %% @spec (TimeLast, CacheTime) -> true | false %% TimeLast = online | never | integer() %% CacheTime = integer() | false - ejabberd_auth_internal:set_password(User, Server, + ejabberd_auth_mnesia:set_password(User, Server, Password). is_fresh_enough(TimeStampLast, CacheTime) -> diff --git a/src/ejabberd_auth_internal.erl b/src/ejabberd_auth_internal.erl deleted file mode 100644 index acbbfe506..000000000 --- a/src/ejabberd_auth_internal.erl +++ /dev/null @@ -1,498 +0,0 @@ -%%%---------------------------------------------------------------------- -%%% File : ejabberd_auth_internal.erl -%%% Author : Alexey Shchepin -%%% Purpose : Authentification via mnesia -%%% Created : 12 Dec 2004 by Alexey Shchepin -%%% -%%% -%%% ejabberd, Copyright (C) 2002-2016 ProcessOne -%%% -%%% This program is free software; you can redistribute it and/or -%%% modify it under the terms of the GNU General Public License as -%%% published by the Free Software Foundation; either version 2 of the -%%% License, or (at your option) any later version. -%%% -%%% This program is distributed in the hope that it will be useful, -%%% but WITHOUT ANY WARRANTY; without even the implied warranty of -%%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -%%% General Public License for more details. -%%% -%%% You should have received a copy of the GNU General Public License along -%%% with this program; if not, write to the Free Software Foundation, Inc., -%%% 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -%%% -%%%---------------------------------------------------------------------- - --module(ejabberd_auth_internal). - --behaviour(ejabberd_config). - --author('alexey@process-one.net'). - --behaviour(ejabberd_auth). - --export([start/1, set_password/3, check_password/4, - check_password/6, try_register/3, - dirty_get_registered_users/0, get_vh_registered_users/1, - get_vh_registered_users/2, - get_vh_registered_users_number/1, - get_vh_registered_users_number/2, get_password/2, - get_password_s/2, is_user_exists/2, remove_user/2, - remove_user/3, store_type/0, export/1, import/1, - import/3, plain_password_required/0, opt_type/1]). - --include("ejabberd.hrl"). --include("logger.hrl"). - --record(passwd, {us = {<<"">>, <<"">>} :: {binary(), binary()} | '$1', - password = <<"">> :: binary() | scram() | '_'}). - --record(reg_users_counter, {vhost = <<"">> :: binary(), - count = 0 :: integer() | '$1'}). - --define(SALT_LENGTH, 16). - -%%%---------------------------------------------------------------------- -%%% API -%%%---------------------------------------------------------------------- -start(Host) -> - mnesia:create_table(passwd, - [{disc_copies, [node()]}, - {attributes, record_info(fields, passwd)}]), - mnesia:create_table(reg_users_counter, - [{ram_copies, [node()]}, - {attributes, record_info(fields, reg_users_counter)}]), - update_table(), - update_reg_users_counter_table(Host), - maybe_alert_password_scrammed_without_option(), - ok. - -update_reg_users_counter_table(Server) -> - Set = get_vh_registered_users(Server), - Size = length(Set), - LServer = jid:nameprep(Server), - F = fun () -> - mnesia:write(#reg_users_counter{vhost = LServer, - count = Size}) - end, - mnesia:sync_dirty(F). - -plain_password_required() -> - is_scrammed(). - -store_type() -> - case is_scrammed() of - false -> plain; %% allows: PLAIN DIGEST-MD5 SCRAM - true -> scram %% allows: PLAIN SCRAM - end. - -check_password(User, AuthzId, Server, Password) -> - if AuthzId /= <<>> andalso AuthzId /= User -> - false; - true -> - LUser = jid:nodeprep(User), - LServer = jid:nameprep(Server), - US = {LUser, LServer}, - case catch mnesia:dirty_read({passwd, US}) of - [#passwd{password = Password}] - when is_binary(Password) -> - Password /= <<"">>; - [#passwd{password = Scram}] - when is_record(Scram, scram) -> - is_password_scram_valid(Password, Scram); - _ -> false - end - end. - -check_password(User, AuthzId, Server, Password, Digest, - DigestGen) -> - if AuthzId /= <<>> andalso AuthzId /= User -> - false; - true -> - LUser = jid:nodeprep(User), - LServer = jid:nameprep(Server), - US = {LUser, LServer}, - case catch mnesia:dirty_read({passwd, US}) of - [#passwd{password = Passwd}] when is_binary(Passwd) -> - DigRes = if Digest /= <<"">> -> - Digest == DigestGen(Passwd); - true -> false - end, - if DigRes -> true; - true -> (Passwd == Password) and (Password /= <<"">>) - end; - [#passwd{password = Scram}] - when is_record(Scram, scram) -> - Passwd = jlib:decode_base64(Scram#scram.storedkey), - DigRes = if Digest /= <<"">> -> - Digest == DigestGen(Passwd); - true -> false - end, - if DigRes -> true; - true -> (Passwd == Password) and (Password /= <<"">>) - end; - _ -> false - end - end. - -%% @spec (User::string(), Server::string(), Password::string()) -> -%% ok | {error, invalid_jid} -set_password(User, Server, Password) -> - LUser = jid:nodeprep(User), - LServer = jid:nameprep(Server), - US = {LUser, LServer}, - if (LUser == error) or (LServer == error) -> - {error, invalid_jid}; - true -> - F = fun () -> - Password2 = case is_scrammed() and is_binary(Password) - of - true -> password_to_scram(Password); - false -> Password - end, - mnesia:write(#passwd{us = US, password = Password2}) - end, - {atomic, ok} = mnesia:transaction(F), - ok - end. - -%% @spec (User, Server, Password) -> {atomic, ok} | {atomic, exists} | {error, invalid_jid} | {error, not_allowed} | {error, Reason} -try_register(User, Server, PasswordList) -> - LUser = jid:nodeprep(User), - LServer = jid:nameprep(Server), - Password = if is_list(PasswordList); is_binary(PasswordList) -> - iolist_to_binary(PasswordList); - true -> PasswordList - end, - US = {LUser, LServer}, - if (LUser == error) or (LServer == error) -> - {error, invalid_jid}; - true -> - F = fun () -> - case mnesia:read({passwd, US}) of - [] -> - Password2 = case is_scrammed() and - is_binary(Password) - of - true -> password_to_scram(Password); - false -> Password - end, - mnesia:write(#passwd{us = US, - password = Password2}), - mnesia:dirty_update_counter(reg_users_counter, - LServer, 1), - ok; - [_E] -> exists - end - end, - mnesia:transaction(F) - end. - -%% Get all registered users in Mnesia -dirty_get_registered_users() -> - mnesia:dirty_all_keys(passwd). - -get_vh_registered_users(Server) -> - LServer = jid:nameprep(Server), - mnesia:dirty_select(passwd, - [{#passwd{us = '$1', _ = '_'}, - [{'==', {element, 2, '$1'}, LServer}], ['$1']}]). - -get_vh_registered_users(Server, - [{from, Start}, {to, End}]) - when is_integer(Start) and is_integer(End) -> - get_vh_registered_users(Server, - [{limit, End - Start + 1}, {offset, Start}]); -get_vh_registered_users(Server, - [{limit, Limit}, {offset, Offset}]) - when is_integer(Limit) and is_integer(Offset) -> - case get_vh_registered_users(Server) of - [] -> []; - Users -> - Set = lists:keysort(1, Users), - L = length(Set), - Start = if Offset < 1 -> 1; - Offset > L -> L; - true -> Offset - end, - lists:sublist(Set, Start, Limit) - end; -get_vh_registered_users(Server, [{prefix, Prefix}]) - when is_binary(Prefix) -> - Set = [{U, S} - || {U, S} <- get_vh_registered_users(Server), - str:prefix(Prefix, U)], - lists:keysort(1, Set); -get_vh_registered_users(Server, - [{prefix, Prefix}, {from, Start}, {to, End}]) - when is_binary(Prefix) and is_integer(Start) and - is_integer(End) -> - get_vh_registered_users(Server, - [{prefix, Prefix}, {limit, End - Start + 1}, - {offset, Start}]); -get_vh_registered_users(Server, - [{prefix, Prefix}, {limit, Limit}, {offset, Offset}]) - when is_binary(Prefix) and is_integer(Limit) and - is_integer(Offset) -> - case [{U, S} - || {U, S} <- get_vh_registered_users(Server), - str:prefix(Prefix, U)] - of - [] -> []; - Users -> - Set = lists:keysort(1, Users), - L = length(Set), - Start = if Offset < 1 -> 1; - Offset > L -> L; - true -> Offset - end, - lists:sublist(Set, Start, Limit) - end; -get_vh_registered_users(Server, _) -> - get_vh_registered_users(Server). - -get_vh_registered_users_number(Server) -> - LServer = jid:nameprep(Server), - Query = mnesia:dirty_select(reg_users_counter, - [{#reg_users_counter{vhost = LServer, - count = '$1'}, - [], ['$1']}]), - case Query of - [Count] -> Count; - _ -> 0 - end. - -get_vh_registered_users_number(Server, - [{prefix, Prefix}]) - when is_binary(Prefix) -> - Set = [{U, S} - || {U, S} <- get_vh_registered_users(Server), - str:prefix(Prefix, U)], - length(Set); -get_vh_registered_users_number(Server, _) -> - get_vh_registered_users_number(Server). - -get_password(User, Server) -> - LUser = jid:nodeprep(User), - LServer = jid:nameprep(Server), - US = {LUser, LServer}, - case catch mnesia:dirty_read(passwd, US) of - [#passwd{password = Password}] - when is_binary(Password) -> - Password; - [#passwd{password = Scram}] - when is_record(Scram, scram) -> - {jlib:decode_base64(Scram#scram.storedkey), - jlib:decode_base64(Scram#scram.serverkey), - jlib:decode_base64(Scram#scram.salt), - Scram#scram.iterationcount}; - _ -> false - end. - -get_password_s(User, Server) -> - LUser = jid:nodeprep(User), - LServer = jid:nameprep(Server), - US = {LUser, LServer}, - case catch mnesia:dirty_read(passwd, US) of - [#passwd{password = Password}] - when is_binary(Password) -> - Password; - [#passwd{password = Scram}] - when is_record(Scram, scram) -> - <<"">>; - _ -> <<"">> - end. - -%% @spec (User, Server) -> true | false | {error, Error} -is_user_exists(User, Server) -> - LUser = jid:nodeprep(User), - LServer = jid:nameprep(Server), - US = {LUser, LServer}, - case catch mnesia:dirty_read({passwd, US}) of - [] -> false; - [_] -> true; - Other -> {error, Other} - end. - -%% @spec (User, Server) -> ok -%% @doc Remove user. -%% Note: it returns ok even if there was some problem removing the user. -remove_user(User, Server) -> - LUser = jid:nodeprep(User), - LServer = jid:nameprep(Server), - US = {LUser, LServer}, - F = fun () -> - mnesia:delete({passwd, US}), - mnesia:dirty_update_counter(reg_users_counter, LServer, - -1) - end, - mnesia:transaction(F), - ok. - -%% @spec (User, Server, Password) -> ok | not_exists | not_allowed | bad_request -%% @doc Remove user if the provided password is correct. -remove_user(User, Server, Password) -> - LUser = jid:nodeprep(User), - LServer = jid:nameprep(Server), - US = {LUser, LServer}, - F = fun () -> - case mnesia:read({passwd, US}) of - [#passwd{password = Password}] - when is_binary(Password) -> - mnesia:delete({passwd, US}), - mnesia:dirty_update_counter(reg_users_counter, LServer, - -1), - ok; - [#passwd{password = Scram}] - when is_record(Scram, scram) -> - case is_password_scram_valid(Password, Scram) of - true -> - mnesia:delete({passwd, US}), - mnesia:dirty_update_counter(reg_users_counter, - LServer, -1), - ok; - false -> not_allowed - end; - _ -> not_exists - end - end, - case mnesia:transaction(F) of - {atomic, ok} -> ok; - {atomic, Res} -> Res; - _ -> bad_request - end. - -update_table() -> - Fields = record_info(fields, passwd), - case mnesia:table_info(passwd, attributes) of - Fields -> - convert_to_binary(Fields), - maybe_scram_passwords(), - ok; - _ -> - ?INFO_MSG("Recreating passwd table", []), - mnesia:transform_table(passwd, ignore, Fields) - end. - -convert_to_binary(Fields) -> - ejabberd_config:convert_table_to_binary( - passwd, Fields, set, - fun(#passwd{us = {U, _}}) -> U end, - fun(#passwd{us = {U, S}, password = Pass} = R) -> - NewUS = {iolist_to_binary(U), iolist_to_binary(S)}, - NewPass = case Pass of - #scram{storedkey = StoredKey, - serverkey = ServerKey, - salt = Salt} -> - Pass#scram{ - storedkey = iolist_to_binary(StoredKey), - serverkey = iolist_to_binary(ServerKey), - salt = iolist_to_binary(Salt)}; - _ -> - iolist_to_binary(Pass) - end, - R#passwd{us = NewUS, password = NewPass} - end). - -%%% -%%% SCRAM -%%% - -%% The passwords are stored scrammed in the table either if the option says so, -%% or if at least the first password is scrammed. -is_scrammed() -> - OptionScram = is_option_scram(), - FirstElement = mnesia:dirty_read(passwd, - mnesia:dirty_first(passwd)), - case {OptionScram, FirstElement} of - {true, _} -> true; - {false, [#passwd{password = Scram}]} - when is_record(Scram, scram) -> - true; - _ -> false - end. - -is_option_scram() -> - scram == - ejabberd_config:get_option({auth_password_format, ?MYNAME}, - fun(V) -> V end). - -maybe_alert_password_scrammed_without_option() -> - case is_scrammed() andalso not is_option_scram() of - true -> - ?ERROR_MSG("Some passwords were stored in the database " - "as SCRAM, but 'auth_password_format' " - "is not configured 'scram'. The option " - "will now be considered to be 'scram'.", - []); - false -> ok - end. - -maybe_scram_passwords() -> - case is_scrammed() of - true -> scram_passwords(); - false -> ok - end. - -scram_passwords() -> - ?INFO_MSG("Converting the stored passwords into " - "SCRAM bits", - []), - Fun = fun (#passwd{password = Password} = P) -> - Scram = password_to_scram(Password), - P#passwd{password = Scram} - end, - Fields = record_info(fields, passwd), - mnesia:transform_table(passwd, Fun, Fields). - -password_to_scram(Password) -> - password_to_scram(Password, - ?SCRAM_DEFAULT_ITERATION_COUNT). - -password_to_scram(Password, IterationCount) -> - Salt = crypto:rand_bytes(?SALT_LENGTH), - SaltedPassword = scram:salted_password(Password, Salt, - IterationCount), - StoredKey = - scram:stored_key(scram:client_key(SaltedPassword)), - ServerKey = scram:server_key(SaltedPassword), - #scram{storedkey = jlib:encode_base64(StoredKey), - serverkey = jlib:encode_base64(ServerKey), - salt = jlib:encode_base64(Salt), - iterationcount = IterationCount}. - -is_password_scram_valid(Password, Scram) -> - IterationCount = Scram#scram.iterationcount, - Salt = jlib:decode_base64(Scram#scram.salt), - SaltedPassword = scram:salted_password(Password, Salt, - IterationCount), - StoredKey = - scram:stored_key(scram:client_key(SaltedPassword)), - jlib:decode_base64(Scram#scram.storedkey) == StoredKey. - -export(_Server) -> - [{passwd, - fun(Host, #passwd{us = {LUser, LServer}, password = Password}) - when LServer == Host -> - Username = ejabberd_sql:escape(LUser), - Pass = ejabberd_sql:escape(Password), - [[<<"delete from users where username='">>, Username, <<"';">>], - [<<"insert into users(username, password) " - "values ('">>, Username, <<"', '">>, Pass, <<"');">>]]; - (_Host, _R) -> - [] - end}]. - -import(LServer) -> - [{<<"select username, password from users;">>, - fun([LUser, Password]) -> - #passwd{us = {LUser, LServer}, password = Password} - end}]. - -import(_LServer, mnesia, #passwd{} = P) -> - mnesia:dirty_write(P); -import(_, _, _) -> - pass. - -opt_type(auth_password_format) -> fun (V) -> V end; -opt_type(_) -> [auth_password_format]. diff --git a/src/ejabberd_auth_mnesia.erl b/src/ejabberd_auth_mnesia.erl new file mode 100644 index 000000000..9029404d6 --- /dev/null +++ b/src/ejabberd_auth_mnesia.erl @@ -0,0 +1,498 @@ +%%%---------------------------------------------------------------------- +%%% File : ejabberd_auth_mnesia.erl +%%% Author : Alexey Shchepin +%%% Purpose : Authentification via mnesia +%%% Created : 12 Dec 2004 by Alexey Shchepin +%%% +%%% +%%% ejabberd, Copyright (C) 2002-2016 ProcessOne +%%% +%%% This program is free software; you can redistribute it and/or +%%% modify it under the terms of the GNU General Public License as +%%% published by the Free Software Foundation; either version 2 of the +%%% License, or (at your option) any later version. +%%% +%%% This program is distributed in the hope that it will be useful, +%%% but WITHOUT ANY WARRANTY; without even the implied warranty of +%%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +%%% General Public License for more details. +%%% +%%% You should have received a copy of the GNU General Public License along +%%% with this program; if not, write to the Free Software Foundation, Inc., +%%% 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +%%% +%%%---------------------------------------------------------------------- + +-module(ejabberd_auth_mnesia). + +-behaviour(ejabberd_config). + +-author('alexey@process-one.net'). + +-behaviour(ejabberd_auth). + +-export([start/1, set_password/3, check_password/4, + check_password/6, try_register/3, + dirty_get_registered_users/0, get_vh_registered_users/1, + get_vh_registered_users/2, + get_vh_registered_users_number/1, + get_vh_registered_users_number/2, get_password/2, + get_password_s/2, is_user_exists/2, remove_user/2, + remove_user/3, store_type/0, export/1, import/1, + import/3, plain_password_required/0, opt_type/1]). + +-include("ejabberd.hrl"). +-include("logger.hrl"). + +-record(passwd, {us = {<<"">>, <<"">>} :: {binary(), binary()} | '$1', + password = <<"">> :: binary() | scram() | '_'}). + +-record(reg_users_counter, {vhost = <<"">> :: binary(), + count = 0 :: integer() | '$1'}). + +-define(SALT_LENGTH, 16). + +%%%---------------------------------------------------------------------- +%%% API +%%%---------------------------------------------------------------------- +start(Host) -> + mnesia:create_table(passwd, + [{disc_copies, [node()]}, + {attributes, record_info(fields, passwd)}]), + mnesia:create_table(reg_users_counter, + [{ram_copies, [node()]}, + {attributes, record_info(fields, reg_users_counter)}]), + update_table(), + update_reg_users_counter_table(Host), + maybe_alert_password_scrammed_without_option(), + ok. + +update_reg_users_counter_table(Server) -> + Set = get_vh_registered_users(Server), + Size = length(Set), + LServer = jid:nameprep(Server), + F = fun () -> + mnesia:write(#reg_users_counter{vhost = LServer, + count = Size}) + end, + mnesia:sync_dirty(F). + +plain_password_required() -> + is_scrammed(). + +store_type() -> + case is_scrammed() of + false -> plain; %% allows: PLAIN DIGEST-MD5 SCRAM + true -> scram %% allows: PLAIN SCRAM + end. + +check_password(User, AuthzId, Server, Password) -> + if AuthzId /= <<>> andalso AuthzId /= User -> + false; + true -> + LUser = jid:nodeprep(User), + LServer = jid:nameprep(Server), + US = {LUser, LServer}, + case catch mnesia:dirty_read({passwd, US}) of + [#passwd{password = Password}] + when is_binary(Password) -> + Password /= <<"">>; + [#passwd{password = Scram}] + when is_record(Scram, scram) -> + is_password_scram_valid(Password, Scram); + _ -> false + end + end. + +check_password(User, AuthzId, Server, Password, Digest, + DigestGen) -> + if AuthzId /= <<>> andalso AuthzId /= User -> + false; + true -> + LUser = jid:nodeprep(User), + LServer = jid:nameprep(Server), + US = {LUser, LServer}, + case catch mnesia:dirty_read({passwd, US}) of + [#passwd{password = Passwd}] when is_binary(Passwd) -> + DigRes = if Digest /= <<"">> -> + Digest == DigestGen(Passwd); + true -> false + end, + if DigRes -> true; + true -> (Passwd == Password) and (Password /= <<"">>) + end; + [#passwd{password = Scram}] + when is_record(Scram, scram) -> + Passwd = jlib:decode_base64(Scram#scram.storedkey), + DigRes = if Digest /= <<"">> -> + Digest == DigestGen(Passwd); + true -> false + end, + if DigRes -> true; + true -> (Passwd == Password) and (Password /= <<"">>) + end; + _ -> false + end + end. + +%% @spec (User::string(), Server::string(), Password::string()) -> +%% ok | {error, invalid_jid} +set_password(User, Server, Password) -> + LUser = jid:nodeprep(User), + LServer = jid:nameprep(Server), + US = {LUser, LServer}, + if (LUser == error) or (LServer == error) -> + {error, invalid_jid}; + true -> + F = fun () -> + Password2 = case is_scrammed() and is_binary(Password) + of + true -> password_to_scram(Password); + false -> Password + end, + mnesia:write(#passwd{us = US, password = Password2}) + end, + {atomic, ok} = mnesia:transaction(F), + ok + end. + +%% @spec (User, Server, Password) -> {atomic, ok} | {atomic, exists} | {error, invalid_jid} | {error, not_allowed} | {error, Reason} +try_register(User, Server, PasswordList) -> + LUser = jid:nodeprep(User), + LServer = jid:nameprep(Server), + Password = if is_list(PasswordList); is_binary(PasswordList) -> + iolist_to_binary(PasswordList); + true -> PasswordList + end, + US = {LUser, LServer}, + if (LUser == error) or (LServer == error) -> + {error, invalid_jid}; + true -> + F = fun () -> + case mnesia:read({passwd, US}) of + [] -> + Password2 = case is_scrammed() and + is_binary(Password) + of + true -> password_to_scram(Password); + false -> Password + end, + mnesia:write(#passwd{us = US, + password = Password2}), + mnesia:dirty_update_counter(reg_users_counter, + LServer, 1), + ok; + [_E] -> exists + end + end, + mnesia:transaction(F) + end. + +%% Get all registered users in Mnesia +dirty_get_registered_users() -> + mnesia:dirty_all_keys(passwd). + +get_vh_registered_users(Server) -> + LServer = jid:nameprep(Server), + mnesia:dirty_select(passwd, + [{#passwd{us = '$1', _ = '_'}, + [{'==', {element, 2, '$1'}, LServer}], ['$1']}]). + +get_vh_registered_users(Server, + [{from, Start}, {to, End}]) + when is_integer(Start) and is_integer(End) -> + get_vh_registered_users(Server, + [{limit, End - Start + 1}, {offset, Start}]); +get_vh_registered_users(Server, + [{limit, Limit}, {offset, Offset}]) + when is_integer(Limit) and is_integer(Offset) -> + case get_vh_registered_users(Server) of + [] -> []; + Users -> + Set = lists:keysort(1, Users), + L = length(Set), + Start = if Offset < 1 -> 1; + Offset > L -> L; + true -> Offset + end, + lists:sublist(Set, Start, Limit) + end; +get_vh_registered_users(Server, [{prefix, Prefix}]) + when is_binary(Prefix) -> + Set = [{U, S} + || {U, S} <- get_vh_registered_users(Server), + str:prefix(Prefix, U)], + lists:keysort(1, Set); +get_vh_registered_users(Server, + [{prefix, Prefix}, {from, Start}, {to, End}]) + when is_binary(Prefix) and is_integer(Start) and + is_integer(End) -> + get_vh_registered_users(Server, + [{prefix, Prefix}, {limit, End - Start + 1}, + {offset, Start}]); +get_vh_registered_users(Server, + [{prefix, Prefix}, {limit, Limit}, {offset, Offset}]) + when is_binary(Prefix) and is_integer(Limit) and + is_integer(Offset) -> + case [{U, S} + || {U, S} <- get_vh_registered_users(Server), + str:prefix(Prefix, U)] + of + [] -> []; + Users -> + Set = lists:keysort(1, Users), + L = length(Set), + Start = if Offset < 1 -> 1; + Offset > L -> L; + true -> Offset + end, + lists:sublist(Set, Start, Limit) + end; +get_vh_registered_users(Server, _) -> + get_vh_registered_users(Server). + +get_vh_registered_users_number(Server) -> + LServer = jid:nameprep(Server), + Query = mnesia:dirty_select(reg_users_counter, + [{#reg_users_counter{vhost = LServer, + count = '$1'}, + [], ['$1']}]), + case Query of + [Count] -> Count; + _ -> 0 + end. + +get_vh_registered_users_number(Server, + [{prefix, Prefix}]) + when is_binary(Prefix) -> + Set = [{U, S} + || {U, S} <- get_vh_registered_users(Server), + str:prefix(Prefix, U)], + length(Set); +get_vh_registered_users_number(Server, _) -> + get_vh_registered_users_number(Server). + +get_password(User, Server) -> + LUser = jid:nodeprep(User), + LServer = jid:nameprep(Server), + US = {LUser, LServer}, + case catch mnesia:dirty_read(passwd, US) of + [#passwd{password = Password}] + when is_binary(Password) -> + Password; + [#passwd{password = Scram}] + when is_record(Scram, scram) -> + {jlib:decode_base64(Scram#scram.storedkey), + jlib:decode_base64(Scram#scram.serverkey), + jlib:decode_base64(Scram#scram.salt), + Scram#scram.iterationcount}; + _ -> false + end. + +get_password_s(User, Server) -> + LUser = jid:nodeprep(User), + LServer = jid:nameprep(Server), + US = {LUser, LServer}, + case catch mnesia:dirty_read(passwd, US) of + [#passwd{password = Password}] + when is_binary(Password) -> + Password; + [#passwd{password = Scram}] + when is_record(Scram, scram) -> + <<"">>; + _ -> <<"">> + end. + +%% @spec (User, Server) -> true | false | {error, Error} +is_user_exists(User, Server) -> + LUser = jid:nodeprep(User), + LServer = jid:nameprep(Server), + US = {LUser, LServer}, + case catch mnesia:dirty_read({passwd, US}) of + [] -> false; + [_] -> true; + Other -> {error, Other} + end. + +%% @spec (User, Server) -> ok +%% @doc Remove user. +%% Note: it returns ok even if there was some problem removing the user. +remove_user(User, Server) -> + LUser = jid:nodeprep(User), + LServer = jid:nameprep(Server), + US = {LUser, LServer}, + F = fun () -> + mnesia:delete({passwd, US}), + mnesia:dirty_update_counter(reg_users_counter, LServer, + -1) + end, + mnesia:transaction(F), + ok. + +%% @spec (User, Server, Password) -> ok | not_exists | not_allowed | bad_request +%% @doc Remove user if the provided password is correct. +remove_user(User, Server, Password) -> + LUser = jid:nodeprep(User), + LServer = jid:nameprep(Server), + US = {LUser, LServer}, + F = fun () -> + case mnesia:read({passwd, US}) of + [#passwd{password = Password}] + when is_binary(Password) -> + mnesia:delete({passwd, US}), + mnesia:dirty_update_counter(reg_users_counter, LServer, + -1), + ok; + [#passwd{password = Scram}] + when is_record(Scram, scram) -> + case is_password_scram_valid(Password, Scram) of + true -> + mnesia:delete({passwd, US}), + mnesia:dirty_update_counter(reg_users_counter, + LServer, -1), + ok; + false -> not_allowed + end; + _ -> not_exists + end + end, + case mnesia:transaction(F) of + {atomic, ok} -> ok; + {atomic, Res} -> Res; + _ -> bad_request + end. + +update_table() -> + Fields = record_info(fields, passwd), + case mnesia:table_info(passwd, attributes) of + Fields -> + convert_to_binary(Fields), + maybe_scram_passwords(), + ok; + _ -> + ?INFO_MSG("Recreating passwd table", []), + mnesia:transform_table(passwd, ignore, Fields) + end. + +convert_to_binary(Fields) -> + ejabberd_config:convert_table_to_binary( + passwd, Fields, set, + fun(#passwd{us = {U, _}}) -> U end, + fun(#passwd{us = {U, S}, password = Pass} = R) -> + NewUS = {iolist_to_binary(U), iolist_to_binary(S)}, + NewPass = case Pass of + #scram{storedkey = StoredKey, + serverkey = ServerKey, + salt = Salt} -> + Pass#scram{ + storedkey = iolist_to_binary(StoredKey), + serverkey = iolist_to_binary(ServerKey), + salt = iolist_to_binary(Salt)}; + _ -> + iolist_to_binary(Pass) + end, + R#passwd{us = NewUS, password = NewPass} + end). + +%%% +%%% SCRAM +%%% + +%% The passwords are stored scrammed in the table either if the option says so, +%% or if at least the first password is scrammed. +is_scrammed() -> + OptionScram = is_option_scram(), + FirstElement = mnesia:dirty_read(passwd, + mnesia:dirty_first(passwd)), + case {OptionScram, FirstElement} of + {true, _} -> true; + {false, [#passwd{password = Scram}]} + when is_record(Scram, scram) -> + true; + _ -> false + end. + +is_option_scram() -> + scram == + ejabberd_config:get_option({auth_password_format, ?MYNAME}, + fun(V) -> V end). + +maybe_alert_password_scrammed_without_option() -> + case is_scrammed() andalso not is_option_scram() of + true -> + ?ERROR_MSG("Some passwords were stored in the database " + "as SCRAM, but 'auth_password_format' " + "is not configured 'scram'. The option " + "will now be considered to be 'scram'.", + []); + false -> ok + end. + +maybe_scram_passwords() -> + case is_scrammed() of + true -> scram_passwords(); + false -> ok + end. + +scram_passwords() -> + ?INFO_MSG("Converting the stored passwords into " + "SCRAM bits", + []), + Fun = fun (#passwd{password = Password} = P) -> + Scram = password_to_scram(Password), + P#passwd{password = Scram} + end, + Fields = record_info(fields, passwd), + mnesia:transform_table(passwd, Fun, Fields). + +password_to_scram(Password) -> + password_to_scram(Password, + ?SCRAM_DEFAULT_ITERATION_COUNT). + +password_to_scram(Password, IterationCount) -> + Salt = crypto:rand_bytes(?SALT_LENGTH), + SaltedPassword = scram:salted_password(Password, Salt, + IterationCount), + StoredKey = + scram:stored_key(scram:client_key(SaltedPassword)), + ServerKey = scram:server_key(SaltedPassword), + #scram{storedkey = jlib:encode_base64(StoredKey), + serverkey = jlib:encode_base64(ServerKey), + salt = jlib:encode_base64(Salt), + iterationcount = IterationCount}. + +is_password_scram_valid(Password, Scram) -> + IterationCount = Scram#scram.iterationcount, + Salt = jlib:decode_base64(Scram#scram.salt), + SaltedPassword = scram:salted_password(Password, Salt, + IterationCount), + StoredKey = + scram:stored_key(scram:client_key(SaltedPassword)), + jlib:decode_base64(Scram#scram.storedkey) == StoredKey. + +export(_Server) -> + [{passwd, + fun(Host, #passwd{us = {LUser, LServer}, password = Password}) + when LServer == Host -> + Username = ejabberd_sql:escape(LUser), + Pass = ejabberd_sql:escape(Password), + [[<<"delete from users where username='">>, Username, <<"';">>], + [<<"insert into users(username, password) " + "values ('">>, Username, <<"', '">>, Pass, <<"');">>]]; + (_Host, _R) -> + [] + end}]. + +import(LServer) -> + [{<<"select username, password from users;">>, + fun([LUser, Password]) -> + #passwd{us = {LUser, LServer}, password = Password} + end}]. + +import(_LServer, mnesia, #passwd{} = P) -> + mnesia:dirty_write(P); +import(_, _, _) -> + pass. + +opt_type(auth_password_format) -> fun (V) -> V end; +opt_type(_) -> [auth_password_format]. diff --git a/src/ejabberd_config.erl b/src/ejabberd_config.erl index f73474fe7..7fccbc744 100644 --- a/src/ejabberd_config.erl +++ b/src/ejabberd_config.erl @@ -651,9 +651,9 @@ process_host_term(Term, Host, State, Action) -> {hosts, _} -> State; {Opt, Val} when Action == set -> - set_option({rename_option(Opt), Host}, Val, State); + set_option({rename_option(Opt), Host}, change_val(Opt, Val), State); {Opt, Val} when Action == append -> - append_option({rename_option(Opt), Host}, Val, State); + append_option({rename_option(Opt), Host}, change_val(Opt, Val), State); Opt -> ?WARNING_MSG("Ignore invalid (outdated?) option ~p", [Opt]), State @@ -672,6 +672,12 @@ rename_option(Option) when is_atom(Option) -> rename_option(Option) -> Option. +change_val(auth_method, Val) -> + prepare_opt_val(auth_method, Val, + ejabberd_auth:opt_type(auth_method), [mnesia]); +change_val(_Opt, Val) -> + Val. + set_option(Opt, Val, State) -> State#state{opts = [#local_config{key = Opt, value = Val} | State#state.opts]}. @@ -842,11 +848,25 @@ validate_opts(#state{opts = Opts} = State) -> -spec get_vh_by_auth_method(atom()) -> [binary()]. -%% Return the list of hosts handled by a given module +%% Return the list of hosts with a given auth method get_vh_by_auth_method(AuthMethod) -> - mnesia:dirty_select(local_config, - [{#local_config{key = {auth_method, '$1'}, - value=AuthMethod},[],['$1']}]). + Cfgs = mnesia:dirty_match_object(local_config, + #local_config{key = {auth_method, '_'}, + _ = '_'}), + lists:flatmap( + fun(#local_config{key = {auth_method, Host}, value = M}) -> + Methods = if not is_list(M) -> [M]; + true -> M + end, + case lists:member(AuthMethod, Methods) of + true when Host == global -> + get_myhosts(); + true -> + [Host]; + false -> + [] + end + end, Cfgs). %% @spec (Path::string()) -> true | false is_file_readable(Path) -> diff --git a/src/ejd2sql.erl b/src/ejd2sql.erl index aa74286ed..0457f6be2 100644 --- a/src/ejd2sql.erl +++ b/src/ejd2sql.erl @@ -104,7 +104,7 @@ import_file(Server, FileName) -> LServer = jid:nameprep(Server), Mods = [{Mod, gen_mod:db_type(LServer, Mod)} || Mod <- modules(), gen_mod:is_loaded(LServer, Mod)], - AuthMods = case lists:member(ejabberd_auth_internal, + AuthMods = case lists:member(ejabberd_auth_mnesia, ejabberd_auth:auth_modules(LServer)) of true -> [{ejabberd_auth, mnesia}]; -- cgit v1.2.3