gsasl 0.1.0 → 0.2.0

data/.rvmrc

@@ -0,0 +1 @@
+rvm use ruby-1.9.3-p194

data/.travis.yml

@@ -0,0 +1,2 @@
+before_script:
+  - sudo apt-get install libgsasl

data/LICENCE

@@ -0,0 +1,19 @@
+Copyright (c) 2012 Vincent Landgraf
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of 
+this software and associated documentation files (the "Software"), to deal in 
+the Software without restriction, including without limitation the rights to 
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all 
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 
+SOFTWARE.

data/README.md

@@ -9,33 +9,82 @@ This libaray is a lib ffi based wrapper for the [GNU SASL](http://www.gnu.org/so
 * **CRAM-MD5**: Challenge-Response Authentication Mechanism.
 * **DIGEST-MD5**: Digest Authentication.
 * **SCRAM-SHA-1**: SCRAM-SHA-1 authentication.
-* **NTLM**: Microsoft NTLM authentication.
 * **SECURID**: Authentication using tokens.
+
+Platfrom and compile flags dependend mechanisms:
+
+* **NTLM**: Microsoft NTLM authentication.
 * **GSSAPI**: GSSAPI (Kerberos 5) authentication.
 * **GS2-KRB5**: Improved GSSAPI (Kerberos 5) authentication.
 * **KERBEROS\_V5**: Experimental KERBEROS\_V5 authentication.
 * **SAML20**: Experimental SAML20 authentication.
 * **OPENID20**: Experimental OPENID20 authentication.
 
+# Install libgsasl
+
+To use the library the libgsasl must be installed on the system. The gem uses libffi to access the library so no further comilation needed. It also should work with all important versions of ruby.
+
+## Mac OS X
+
+Install the library using homebrew:
+
+    brew install libgsasl
+    
+## Debian & Ubuntu
+
+Install the library using apt-get:
+
+    sudo apt-get install libgsasl7
+
+## FreeBSD
+
+Install the library using ports (as root):
+
+    cd /usr/ports/security/gsasl/
+    make install clean
+
 # Use in Ruby
 
+## To authenticate against a server
+
+In this example a client authenticates against an IMAP4 server. The methode `#authenticate_with` is used to setup all the data and callbacks neccessary to perform the authentication.
+
+    # connect to an imap server
+    require 'socket'
+    socket = TCPSocket.new('imap.example.com', 143)
+    puts socket.gets
+    
+    # issue an authenticate command
+    socket.print "a1 AUTHENTICATE LOGIN\r\n"
+    
+    # authenticate using the imap4 protocol specifics
+    context = Gsasl::Context.new
+    context.authenticate_with("LOGIN", "user@example.com", "secret") do |remote|
+      remote.receive { socket.gets.gsub!("\r\n|+\s", "") }
+      remote.send    { |data| socket.print "#{data}\r\n" }
+    end
+    
+    # logout
+    puts socket.gets
+    socket.print "a2 LOGOUT\r\n"
+    
+    # close connection
+    puts socket.gets
+    socket.close
+
+## Advanced
+
 In the following example the server and the client are on the same machine. If the server is on the remote site, one has to implement a server that will return the next challenge on `server#read` and implements a `server#send` to send the challenge to the server. Also it is possible to not use the `#authenticate` function but to implement the processing individually.
 
     session = Gsasl::Context.new
     client = session.create_client("CRAM-MD5")
-    server = session.create_server("CRAM-MD5")
-    
-    server.set_callback do |property|
-      if property == Gsasl::GSASL_PASSWORD
-        if server[Gsasl::GSASL_AUTHID] == "joe"
-          server[Gsasl::GSASL_PASSWORD] = "secret"
-        end
-        Gsasl::GSASL_OK
-      end
+    server = session.create_server("CRAM-MD5") do |type, authid|
+      "secret" if type = :password && authid == "joe"
     end
     
-    client[Gsasl::GSASL_AUTHID] = "joe"
-    client[Gsasl::GSASL_PASSWORD] = "secret"
-    
-    client.authenticate(server).should be_true
-  
+    @client.credentials!("joe", "secret")
+    @client.authenticate(@server).should be_true
+
+# Copyright Licence
+
+Copyright (c) 2012 Vincent Landgraf All Rights Reserved. Released under a MIT License.

data/lib/gsasl/context.rb

@@ -60,9 +60,15 @@ module Gsasl
     # @return [Gsasl::Peer] the server peer
     # @example
     #   peer = @session.create_server("CRAM-MD5")
-    def create_server(mechanism_name)
+    # @example Server with password database attached directly
+    #   peer = @session.create_server("CRAM-MD5") do |type, authid|
+    #     DB.find_password_for_user(auth_id) if type == :password
+    #   end
+    def create_server(mechanism_name, realm = "gsasl", &block)
       peer = Peer.new(@context, mechanism_name, :server)
       @peers[peer.session.address] = peer
+      peer.realm = realm
+      peer.authentication_callback = block if block_given?
       peer
     end
     
@@ -76,6 +82,48 @@ module Gsasl
       @peers[peer.session.address] = peer
       peer
     end
+    
+    # Authenticate against a remote peer using a socket like authenication
+    # scheme.
+    # @param [String] mechanism the SASL mechanism to use
+    # @param [String] authid the username auth id of the user to use for auth.
+    # @param [String] password the password of the specified user
+    # @return [Boolean] true if the authentication was successful, false 
+    #   otherwise
+    # @yield [remote] the block that defines how to interact with the remote
+    #   site
+    # @yieldparam [Gsasl::RemoteAuthenticator] remote the remote authenticator
+    #   that needs to be defined in order for gsasl to receive and set data.
+    # @example Authenticate against an imap server with PLAIN authentication
+    #   # connect to an imap server
+    #   require 'socket'
+    #   socket = TCPSocket.new('imap.example.com', 143)
+    #   puts socket.gets
+    #   
+    #   # issue an authenticate command
+    #   socket.print "a1 AUTHENTICATE PLAIN\r\n"
+    #   
+    #   # authenticate using the imap4 protocol specifics
+    #   context = Gsasl::Context.new
+    #   context.authenticate_with("PLAIN", "user@example.com", "pass") do |remote|
+    #     remote.receive { socket.gets.gsub!("\r\n|+\s", "") }
+    #     remote.send    { |data| socket.print "#{data}\r\n" }
+    #   end
+    #   puts socket.gets # => capabilities after authentication
+    #   
+    #   # logout
+    #   socket.print "a2 LOGOUT\r\n"
+    #   puts socket.gets
+    #   
+    #   # close connection
+    #   socket.close
+    #   context.close
+    def authenticate_with(mechanism, authid, password, &block)
+      client = create_client(mechanism)
+      client.credentials!(authid, password)
+      client.authenticate_with(&block)
+      client.close
+    end
   
   private
     

data/lib/gsasl/peer.rb

@@ -1,3 +1,5 @@
+require 'digest/md5'
+  
 module Gsasl
   # A peer is a client or server side that processes data to do an
   # authentication.
@@ -25,6 +27,46 @@ module Gsasl
       @session = peer.get_pointer(0)
     end
     
+    # Updates the peer with credential information
+    # @param [String] authid the username auth id of the user to use for auth.
+    # @param [String] password the password of the specified user
+    # @example
+    #   peer.credentials! "username", "secret"
+    def credentials!(authid, password)
+      self[Gsasl::GSASL_AUTHID] = authid
+      self[Gsasl::GSASL_PASSWORD] = password
+    end
+    
+    # Updates the peer with secure id information
+    # @param [String] authid the username auth id of the user to use for auth.
+    # @param [String] passcode the passcode of the specified id
+    # @example
+    #   peer.credentials! "username", "12312312331"
+    def secureid!(authid, passcode)
+      self[Gsasl::GSASL_AUTHID] = authid
+      self[Gsasl::GSASL_PASSCODE] = passcode
+    end
+    
+    # Updates the peer with a service definition
+    # @param [String] name the name of the service. a list of service names
+    #   can be found here: http://www.iana.org/assignments/gssapi-service-names/gssapi-service-names.xml
+    # @param [String] hostname the name of the host the service is on
+    # @example
+    #   peer.service! "smtp", "localhost"
+    def service!(name, hostname)
+      self[Gsasl::GSASL_SERVICE] = name
+      self[Gsasl::GSASL_HOSTNAME] = hostname
+    end
+    
+    # Update the anoynmous token that the client peer used to authenticate with
+    #   the server
+    # @param [String] token the token that will be send to the server
+    # @example
+    #   peer.anonymous! "some-token"
+    def anonymous!(token)
+      self[Gsasl::GSASL_ANONYMOUS_TOKEN] = token
+    end
+    
     # Sets a property for this peer.
     # @param [Fixnum] property on of the Gsasl API Keys
     # @param [String] value the value tho set for the api key
@@ -43,6 +85,53 @@ module Gsasl
       Gsasl.gsasl_property_get(@session, property)
     end
     
+    # Update the realm of the peer
+    # @param [String] val the realm that should be set on the peer
+    # @example
+    #   peer.realm = "Awesome SMTPD"
+    def realm=(val)
+      self[Gsasl::GSASL_REALM] = val
+    end
+    
+    # Returns the realm that is set for the peer
+    # @return [String, nil] the realm if one was set or nil
+    def realm
+      self[Gsasl::GSASL_REALM]
+    end
+    
+    # Update authzid for external authentication
+    # @param [String] val the authzid that should be set on the peer
+    # @example
+    #   peer.realm = "Awesome SMTPD"
+    def authzid=(val)
+      self[Gsasl::GSASL_AUTHZID] = val
+    end
+    
+    # Returns the authzid for external authentication
+    # @return [String, nil] the authzid if one was set or nil
+    def authzid
+      self[Gsasl::GSASL_AUTHZID]
+    end
+    
+    # Returns the authid for authentication
+    # @return [String, nil] the authid if one was set or nil
+    def authid
+      self[Gsasl::GSASL_AUTHID]
+    end
+    
+    # Generate a digest md5 hased password that can be stored in the database
+    # to authenticate the user without saving a plaintext password.
+    # @note if the realm of the peer is set, it will be used to generate the
+    #   hash. Therefore it has tp be set later on the peer also to match the
+    #   password again. Alternatively the realm can be passed directly.
+    # @param [String] authid the username or id to generate the password for
+    # @param [String] password the password to hash
+    # @param [String] realm the realm if not passed the peer realm will be used
+    #   if no realm is set to an empty string ("")
+    def digest_md5_hashed_password(authid, password, realm = nil)
+      Digest::MD5.hexdigest("#{authid}:#{realm || self.realm}:#{password}")
+    end
+    
     # Registers a callback for the peer. In case a variable is not provided.
     # @yield [property] The callback that will be calles during the processing.
     # @yieldparam [Fixnum] property a property for the 
@@ -51,6 +140,98 @@ module Gsasl
       @callback = block
     end
     
+    # Sets an authentication callback on the peer. The passed block will be
+    # called to determine the authentication password, secureid, password hash
+    # etc.. Depending on what mechanisms one supports different types must be
+    # handled.
+    # @yieldparam [Symbol] type is that should be handled in this case
+    # @yieldparam [String] authid the authenticated id
+    # @yieldreturn [String, true, nil] a mechanism specific value or no value
+    #   to indicate a failed authentication
+    def authentication_callback=(block)
+      self.callback do |property|
+        case property
+        when Gsasl::GSASL_PASSWORD
+          handle_password_authentication(&block)
+        when Gsasl::GSASL_VALIDATE_SECURID
+          handle_secureid_authentication(&block)
+        when Gsasl::GSASL_DIGEST_MD5_HASHED_PASSWORD
+          handle_digest_md5_authentication(&block)
+        when Gsasl::GSASL_VALIDATE_ANONYMOUS
+          handle_anonymous_authentication(&block)
+        when Gsasl::GSASL_VALIDATE_EXTERNAL
+          handle_external_authentication(&block)
+        end
+      end
+    end
+    
+    # Handles the password authentication with the passed block. Therefor the
+    # block has to return the password for the passed user. No return value means
+    # that the user is unknown and the authentication fails.
+    # @yield [type, authid] the block that handles password gathering.
+    # @yieldparam [Symbol] type is allways :password for password auth
+    # @yieldparam [String] authid the authenticated id
+    # @yieldreturn [String, nil] the password or nil if the user wasn't found
+    def handle_password_authentication
+      if password = yield(:password, authid)
+        self[Gsasl::GSASL_PASSWORD] = password
+        Gsasl::GSASL_OK
+      end
+    end
+    
+    # Handles the digest md5 based password hash authentication with the passed
+    # block. Therefor theblock has to return the hashed password for the passed
+    # user. No return value means that the user is unknown and the 
+    # authentication fails.
+    # @yield [type, authid] the block that handles password hash gathering.
+    # @yieldparam [Symbol] type is allways :digest_md5_hashed_password for 
+    #   digest md5 based password hash auth
+    # @yieldparam [String] authid the authenticated id
+    # @yieldreturn [String, nil] the password hash or nil if the user wasn't
+    #   found
+    def handle_digest_md5_authentication
+      if hash = yield(:digest_md5_hashed_password, authid)
+        self[Gsasl::GSASL_DIGEST_MD5_HASHED_PASSWORD] = hash
+        Gsasl::GSASL_OK
+      end
+    end
+    
+    # Handles the secureid authentication with the passed block. Therefor the
+    # block has to return the secureid for the passed user. No return value means
+    # that the user is unknown and the authentication fails.
+    # @yield [type, authid] the block that handles secureid gathering.
+    # @yieldparam [Symbol] type is allways :passcode for secureid auth
+    # @yieldparam [String] authid the authenticated id
+    # @yieldreturn [String, nil] the secureid or nil if the user wasn't found
+    def handle_secureid_authentication
+      if secureid = yield(:passcode, authid)
+        self[Gsasl::GSASL_PASSCODE] = secureid
+        Gsasl::GSASL_OK
+      end
+    end
+    
+    # Handles the anonymous authentication with the passed block. Therefor the
+    # block has to return the success for the anonymous user. No return value
+    # means that the user is not allowed and the authentication fails.
+    # @yield [type, authid] the block that handles anonymous authentication
+    # @yieldparam [Symbol] type is allways :anonymous for external auth
+    # @yieldparam [String] authid the authenticated id
+    # @yieldreturn [Boolean, nil] true or nil if the anonymous isn't allowed
+    def handle_anonymous_authentication
+      Gsasl::GSASL_OK if yield(:anonymous, self[Gsasl::GSASL_ANONYMOUS_TOKEN])
+    end
+    
+    # Handles the external authentication with the passed block. Therefor the
+    # block has to return the success for the passed user. No return value means
+    # that the user is unknown and the authentication fails.
+    # @yield [type, authid] the block that handles external authentication
+    # @yieldparam [Symbol] type is allways :external for external auth
+    # @yieldparam [String] authid the authenticated id
+    # @yieldreturn [Boolean, nil] true or nil if the user wasn't authenticated
+    def handle_external_authentication
+      Gsasl::GSASL_OK if yield(:external, authzid)
+    end
+    
     # Used as a server hook in the local test environment.
     # @return [Array<Fixnum, String>] Result code and base64 encoded challenge
     def read #b64_str
@@ -69,18 +250,44 @@ module Gsasl
     # @return [Boolean] true if the authentication was successfull, 
     #   false otherwise
     def authenticate(server)
-      result = -1
+      result = GSASL_NEEDS_MORE
+      input = nil
       
-      begin
-        result, input = server.read
-        result, output = process input
-        
-        if (result == GSASL_NEEDS_MORE || result == GSASL_OK)
-          result, output = server.send(output)
-        end
-      end while result == GSASL_NEEDS_MORE
+      while result == GSASL_NEEDS_MORE
+        result, output = server.send(input)
+        break if result != Gsasl::GSASL_NEEDS_MORE
+        _, input = process output
+      end
+      
+      result == Gsasl::GSASL_OK
+    end
+    
+    # Authenticate against a remote peer using a socket like authenication
+    # scheme.
+    # @return [Boolean] true if the authentication was successful, false 
+    #   otherwise
+    # @yield [remote] the block that defines how to interact with the remote
+    #   site
+    # @yieldparam [Gsasl::RemoteAuthenticator] remote the remote authenticator
+    #   that needs to be defined in order for gsasl to receive and set data.
+    # @example Authenticate with a ruby socket against an imap server
+    #   client.authenticate_with do |remote|
+    #     remote.receive { socket.gets.gsub!("\r\n|+\s", "") }
+    #     remote.send    { |data| socket.print "#{data}\r\n" }
+    #   end
+    def authenticate_with(&block)
+      result = GSASL_NEEDS_MORE
+      
+      # create a new authenticator and define its behaviour
+      remote = RemoteAuthenticator.new
+      block.call(remote)
+      
+      while result == GSASL_NEEDS_MORE
+        challenge = remote.receive
+        result, response = process challenge
+        remote.send(response)
+      end
       
-      Gsasl.raise_error!(result) unless Gsasl::GSASL_AUTHENTICATION_ERROR
       result == Gsasl::GSASL_OK
     end
     

data/lib/gsasl/remote_authenticator.rb

@@ -0,0 +1,44 @@
+module Gsasl
+  # This class handles remote authentication sessions that are based on a socket
+  # like interaction mechanism. This class will most of the time not be used
+  # directly but through helper methods (See Peer#authenticate_with).
+  class RemoteAuthenticator
+    def initialize
+      @receive_callback = nil
+      @send_callback = nil
+    end
+  
+    # This defines or calls the recieve callback. It will be defined, if a
+    # block is given, otherwise the callback is going to be called.
+    # @yield the block that is going to be called if data need to be read from
+    #   the remote site.
+    # @yieldreturn [String] the callback should return a string that includes
+    #   a challenge
+    def receive(&block)
+      if block_given?
+        # define the callback
+        @receive_callback = block
+      elsif @receive_callback
+        @receive_callback.call
+      else
+        raise GsaslError, "The receive callback is not defined!"
+      end
+    end
+    
+    # This defines or calls the send callback. It will be defined, if a
+    # block is given, otherwise the callback is going to be called.
+    # @yield [data] the block that is going to be called if data need to be
+    #   send to the remote site.
+    # @yieldparam [String] data that should be send to a remote site.
+    def send(data = nil, &block)
+      if block_given?
+        # define the callback
+        @send_callback = block
+      elsif @send_callback
+        @send_callback.call(data)
+      else
+        raise GsaslError, "The send callback is not defined!"
+      end
+    end
+  end
+end

data/lib/gsasl/version.rb

@@ -1,3 +1,3 @@
 module Gsasl
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

data/lib/gsasl.rb

@@ -1,6 +1,7 @@
 require "gsasl/version"
 require "gsasl/native"
 require "gsasl/context"
+require "gsasl/remote_authenticator"
 require "gsasl/peer"
 
 module Gsasl

data/spec/abstraction_spec.rb

@@ -0,0 +1,212 @@
+require 'spec_helper'
+require 'securerandom'
+
+describe "Abstraction layer for the authentication callback" do
+  before(:each) do
+    @session = Gsasl::Context.new
+  end
+  
+  context "ANONYMOUS" do
+    before(:each) do
+      @client = @session.create_client("ANONYMOUS")
+      @server = @session.create_server("ANONYMOUS") do |type, authid|
+        type == :anonymous and authid == "joe"
+      end
+    end
+    
+    it "should be able to authenticate with correct credentials" do
+      @client.anonymous! "joe"
+      @client.authenticate(@server).should be_true
+    end
+    
+    it "should not be able to authenticate with wrong credentials" do
+      @client.anonymous! "joe1"
+      @client.authenticate(@server).should be_false
+    end
+    
+    after(:each) do
+      @client.close
+      @server.close
+    end
+  end
+  
+  context "EXTERNAL" do
+    before(:each) do
+      @client = @session.create_client("EXTERNAL")
+      @server = @session.create_server("EXTERNAL") do |type, authid|
+        type == :external and authid == "joe"
+      end
+    end
+    
+    it "should be able to authenticate with correct credentials" do
+      @client.authzid = "joe"
+      @client.authenticate(@server).should be_true
+    end
+    
+    it "should not be able to authenticate with wrong credentials" do
+      @client.authzid = "joe1"
+      @client.authenticate(@server).should be_false
+    end
+    
+    after(:each) do
+      @client.close
+      @server.close
+    end
+  end
+  
+  context "PLAIN" do
+    before(:each) do
+      @client = @session.create_client("PLAIN")
+      @server = @session.create_server("PLAIN") do |type, authid|
+        "secret" if type = :password && authid == "joe"
+      end
+    end
+    
+    it "should be able to authenticate with correct credentials" do
+      @client.credentials!("joe", "secret")
+      @client.authenticate(@server).should be_true
+    end
+    
+    it "should not be able to authenticate with wrong credentials" do
+      @client.credentials!("joe1", "secret")
+      @client.authenticate(@server).should be_false
+    end
+    
+    after(:each) do
+      @client.close
+      @server.close
+    end
+  end
+  
+  context "LOGIN" do
+    before(:each) do
+      @client = @session.create_client("LOGIN")
+      @server = @session.create_server("LOGIN") do |type, authid|
+        "secret" if type = :password && authid == "joe"
+      end
+    end
+    
+    it "should be able to authenticate with correct credentials" do
+      @client.credentials!("joe", "secret")
+      @client.authenticate(@server).should be_true
+    end
+    
+    it "should not be able to authenticate with wrong credentials" do
+      @client.credentials!("joe1", "secret")
+      @client.authenticate(@server).should be_false
+    end
+    
+    after(:each) do
+      @client.close
+      @server.close
+    end
+  end
+  
+  context "SECURID" do
+    before(:each) do
+      @client = @session.create_client("SECURID")
+      @server = @session.create_server("SECURID") do |type, authid|
+        "579a0eaa23c2c60a1bc5" if type = :passcode && authid == "joe"
+      end
+    end
+    
+    it "should be able to authenticate with correct credentials" do
+      @client.secureid!("joe", "579a0eaa23c2c60a1bc5")
+      @client.authenticate(@server).should be_true
+    end
+    
+    it "should not be able to authenticate with wrong credentials" do
+      @client.secureid!("joe1", "579a0eaa23c2c60a1bc5")
+      @client.authenticate(@server).should be_false
+    end
+    
+    after(:each) do
+      @client.close
+      @server.close
+    end
+  end
+  
+  context "CRAM-MD5" do
+    before(:each) do
+      @client = @session.create_client("CRAM-MD5")
+      @server = @session.create_server("CRAM-MD5") do |type, authid|
+        "secret" if type = :password && authid == "joe"
+      end
+    end
+    
+    it "should be able to authenticate with correct credentials" do
+      @client.credentials!("joe", "secret")
+      @client.authenticate(@server).should be_true
+    end
+    
+    it "should not be able to authenticate with wrong credentials" do
+      @client.credentials!("joe1", "secret")
+      @client.authenticate(@server).should be_false
+    end
+    
+    after(:each) do
+      @client.close
+      @server.close
+    end
+  end
+  
+  context "DIGEST-MD5" do
+    before(:each) do
+      @client = @session.create_client("DIGEST-MD5")
+      @server = @session.create_server("DIGEST-MD5") do |type, authid|
+        # emulate a stored md5 hased password a cleartext password could be used
+        # instead. The format is: <authid:realm:password>
+        if type = :digest_md5_hashed_password && authid == "joe"
+          @server.digest_md5_hashed_password(authid, "secret")
+        end
+      end
+    end
+    
+    it "should be able to authenticate with correct credentials" do
+      @client.credentials!("joe", "secret")
+      @client.service!("smtp", "localhost")
+      @client.authenticate(@server).should be_true
+    end
+    
+    it "should not be able to authenticate with wrong credentials" do
+      @client.credentials!("joe1", "secret")
+      @client.service!("smtp", "localhost")
+      @client.authenticate(@server).should be_false
+    end
+    
+    after(:each) do
+      @client.close
+      @server.close
+    end
+  end
+
+  context "SCRAM-SHA-1" do
+    before(:each) do
+      @client = @session.create_client("SCRAM-SHA-1")
+      @server = @session.create_server("SCRAM-SHA-1") do |type, authid|
+        "secret" if type = :password && authid == "joe"
+      end
+    end
+    
+    it "should be able to authenticate with correct credentials" do
+      @client.credentials!("joe", "secret")
+      @client.service!("smtp", "localhost")
+      @client.authenticate(@server).should be_true
+    end
+    
+    it "should not be able to authenticate with wrong credentials" do
+      @client.credentials!("joe1", "secret")
+      @client.service!("smtp", "localhost")
+      @client.authenticate(@server).should be_false
+    end
+    
+    after(:each) do
+      @client.close
+      @server.close
+    end
+  end
+  
+  after(:each) do
+    @session.close
+  end
+end

data/spec/authentication_spec.rb

@@ -1,4 +1,6 @@
 require 'spec_helper'
+require 'digest/md5'
+require 'securerandom'
 
 describe "Authentications" do
   before(:each) do
@@ -41,13 +43,270 @@ describe "Authentications" do
       @client[Gsasl::GSASL_PASSWORD] = "secret"
       
       @client.authenticate(@server).should be_false
-    end    
+    end
+    
+    after(:each) do
+      @client.close
+      @server.close
+    end
+  end
+  
+  describe "DIGEST-MD5" do
+    before(:each) do
+      @client = @session.create_client("DIGEST-MD5")
+      @server = @session.create_server("DIGEST-MD5")
+    end
+    
+    it "should be able to authenticate correctly" do
+      @server.callback do |property|
+        if property == Gsasl::GSASL_PASSWORD
+          if @server[Gsasl::GSASL_AUTHID] == "joe"
+            @server[Gsasl::GSASL_PASSWORD] = "secret"
+          end
+          Gsasl::GSASL_OK
+        end
+      end
+      
+      @client[Gsasl::GSASL_SERVICE] = "imap"
+      @client[Gsasl::GSASL_HOSTNAME] = "localhost"
+      @client[Gsasl::GSASL_AUTHID] = "joe"
+      @client[Gsasl::GSASL_PASSWORD] = "secret"
+      
+      @client.authenticate(@server).should be_true
+    end
+    
+    it "should be possible to not authenticate correctly" do
+      @server.callback do |property|
+        if property == Gsasl::GSASL_PASSWORD
+          if @server[Gsasl::GSASL_AUTHID] == "joe"
+            @server[Gsasl::GSASL_PASSWORD] = "test"
+          end
+          Gsasl::GSASL_OK
+        end
+      end
+      
+      @client[Gsasl::GSASL_SERVICE] = "imap"
+      @client[Gsasl::GSASL_HOSTNAME] = "localhost"
+      @client[Gsasl::GSASL_AUTHID] = "joe"
+      @client[Gsasl::GSASL_PASSWORD] = "secret"
+      
+      @client.authenticate(@server).should be_false
+    end
+    
+    after(:each) do
+      @client.close
+      @server.close
+    end
+  end
+  
+  describe "SCRAM-SHA-1" do
+    before(:each) do
+      @client = @session.create_client("SCRAM-SHA-1")
+      @server = @session.create_server("SCRAM-SHA-1")
+    end
+    
+    it "should be able to authenticate correctly" do
+      @server.callback do |property|
+        if property == Gsasl::GSASL_PASSWORD
+          if @server[Gsasl::GSASL_AUTHID] == "joe"
+            @server[Gsasl::GSASL_PASSWORD] = "secret"
+            Gsasl::GSASL_OK
+          end
+        end
+      end
+      
+      @client[Gsasl::GSASL_AUTHID] = "joe"
+      @client[Gsasl::GSASL_PASSWORD] = "secret"
+      
+      @client.authenticate(@server).should be_true
+    end
+    
+    it "should be possible to not authenticate correctly" do
+      @server.callback do |property|
+        if property == Gsasl::GSASL_PASSWORD
+          if @server[Gsasl::GSASL_AUTHID] == "joe"
+            @server[Gsasl::GSASL_PASSWORD] = "secret"
+            Gsasl::GSASL_OK
+          end
+        end
+      end
+      
+      @client[Gsasl::GSASL_AUTHID] = "joe1"
+      @client[Gsasl::GSASL_PASSWORD] = "secret"
+      
+      @client.authenticate(@server).should be_false
+    end
     
     after(:each) do
       @client.close
       @server.close
     end
-  end  
+  end
+  
+  describe "PLAIN" do
+    before(:each) do
+      @client = @session.create_client("PLAIN")
+      @server = @session.create_server("PLAIN")
+    end
+    
+    it "should be able to authenticate correctly" do
+      @server.callback do |property|
+        if property == Gsasl::GSASL_PASSWORD
+          if @server[Gsasl::GSASL_AUTHID] == "joe"
+            @server[Gsasl::GSASL_PASSWORD] = "secret"
+          end
+          Gsasl::GSASL_OK
+        end
+      end
+      
+      @client[Gsasl::GSASL_AUTHID] = "joe"
+      @client[Gsasl::GSASL_PASSWORD] = "secret"
+      
+      @client.authenticate(@server).should be_true
+    end
+    
+    it "should be possible to not authenticate correctly" do
+      @server.callback do |property|
+        if property == Gsasl::GSASL_PASSWORD
+          if @server[Gsasl::GSASL_AUTHID] == "joe"
+            @server[Gsasl::GSASL_PASSWORD] = "test"
+          end
+          Gsasl::GSASL_OK
+        end
+      end
+      
+      @client[Gsasl::GSASL_AUTHID] = "joe"
+      @client[Gsasl::GSASL_PASSWORD] = "secret"
+      
+      @client.authenticate(@server).should be_false
+    end
+    
+    after(:each) do
+      @client.close
+      @server.close
+    end
+  end
+  
+  describe "LOGIN" do
+    before(:each) do
+      @client = @session.create_client("LOGIN")
+      @server = @session.create_server("LOGIN")
+    end
+    
+    it "should be able to authenticate correctly" do
+      @server.callback do |property|
+        if property == Gsasl::GSASL_PASSWORD
+          if @server[Gsasl::GSASL_AUTHID] == "joe"
+            @server[Gsasl::GSASL_PASSWORD] = "secret"
+          end
+          Gsasl::GSASL_OK
+        end
+      end
+      
+      @client[Gsasl::GSASL_AUTHID] = "joe"
+      @client[Gsasl::GSASL_PASSWORD] = "secret"
+      
+      @client.authenticate(@server).should be_true
+    end
+    
+    it "should be possible to not authenticate correctly" do
+      @server.callback do |property|
+        if property == Gsasl::GSASL_PASSWORD
+          if @server[Gsasl::GSASL_AUTHID] == "joe"
+            @server[Gsasl::GSASL_PASSWORD] = "test"
+          end
+          Gsasl::GSASL_OK
+        end
+      end
+      
+      @client[Gsasl::GSASL_AUTHID] = "joe"
+      @client[Gsasl::GSASL_PASSWORD] = "secret"
+      
+      @client.authenticate(@server).should be_false
+    end
+    
+    after(:each) do
+      @client.close
+      @server.close
+    end
+  end
+  
+  describe "SECURID" do
+    before(:each) do
+      @client = @session.create_client("SECURID")
+      @server = @session.create_server("SECURID")
+    end
+    
+    it "should be able to authenticate correctly" do
+      @server.callback do |property|
+        if property == Gsasl::GSASL_VALIDATE_SECURID
+          if @server[Gsasl::GSASL_AUTHID] == "joe" && 
+            @server[Gsasl::GSASL_PASSCODE] == "579a0eaa23c2c60a1bc5"
+            Gsasl::GSASL_OK
+          end
+        end
+      end
+      
+      @client[Gsasl::GSASL_AUTHID] = "joe"
+      @client[Gsasl::GSASL_PASSCODE] = "579a0eaa23c2c60a1bc5"
+      
+      @client.authenticate(@server).should be_true
+    end
+    
+    it "should be possible to not authenticate correctly" do
+      @server.callback do |property|
+        if property == Gsasl::GSASL_PASSCODE
+          if @server[Gsasl::GSASL_AUTHID] == "joe"
+            @server[Gsasl::GSASL_PASSCODE] = "579a0eaa23c2c60a1bc5"
+          end
+          Gsasl::GSASL_OK
+        end
+      end
+      
+      @client[Gsasl::GSASL_AUTHID] = "joe"
+      @client[Gsasl::GSASL_PASSCODE] = "sekshfkjhcret"
+      
+      @client.authenticate(@server).should be_false
+    end
+    
+    after(:each) do
+      @client.close
+      @server.close
+    end
+  end
+  
+  describe "DIGEST-MD5 with digest md5 based password" do
+    before(:each) do
+      @client = @session.create_client("DIGEST-MD5")
+      @server = @session.create_server("DIGEST-MD5")
+      @server[Gsasl::GSASL_REALM] = "test"
+    end
+    
+    it "should be able to authenticate correctly" do
+      @server.callback do |property|
+        if property == Gsasl::GSASL_DIGEST_MD5_HASHED_PASSWORD
+          if @server[Gsasl::GSASL_AUTHID] == "joe"
+            passwd_hash = Digest::MD5.hexdigest("joe:test:secret")
+            @server[Gsasl::GSASL_DIGEST_MD5_HASHED_PASSWORD] = passwd_hash
+          end
+          Gsasl::GSASL_OK
+        end
+      end
+      
+      @client[Gsasl::GSASL_SERVICE] = "imap"
+      @client[Gsasl::GSASL_HOSTNAME] = "localhost"
+      @client[Gsasl::GSASL_AUTHID] = "joe"
+      @client[Gsasl::GSASL_REALM] = "test"
+      @client[Gsasl::GSASL_PASSWORD] = "secret"
+      
+      @client.authenticate(@server).should be_true
+    end
+    
+    after(:each) do
+      @client.close
+      @server.close
+    end
+  end
   
   after(:each) do
     @session.close

data/spec/context_spec.rb

@@ -35,6 +35,22 @@ describe Gsasl::Context do
     @session.client_mechanisms.should include("PLAIN")
   end
   
+  context "realm" do
+    it "should initialize a server with a default realm" do
+      @server = @session.create_server("PLAIN")
+      @server.realm.should == "gsasl"
+    end
+    
+    it "should initialize the server with a diffeent realm" do
+      @server = @session.create_server("PLAIN", "test")
+      @server.realm.should == "test"
+    end
+    
+    after(:each) do
+      @server.close
+    end
+  end
+  
   after(:each) do
     @session.close
   end

data/spec/peer_spec.rb

@@ -37,6 +37,47 @@ describe Gsasl::Context do
       @peer.call(10)
       test_property.should == 10
     end
+    
+    it "should to set the credentails" do
+      @peer.credentials!("joe", "secret")
+      @peer[Gsasl::GSASL_AUTHID].should == "joe"
+      @peer[Gsasl::GSASL_PASSWORD].should == "secret"
+    end
+    
+    it "should to set the secureid" do
+      @peer.secureid!("joe", "123123123123")
+      @peer[Gsasl::GSASL_AUTHID].should == "joe"
+      @peer[Gsasl::GSASL_PASSCODE].should == "123123123123"
+    end
+    
+    it "should update and return the realm" do
+      @peer.realm.should == nil
+      @peer.realm = "Awesome SMTPD"
+      @peer.realm.should == "Awesome SMTPD"
+    end
+    
+    it "should be possible to set the service details" do
+      @peer.service!("smtp", "localhost")
+      @peer[Gsasl::GSASL_SERVICE].should == "smtp"
+      @peer[Gsasl::GSASL_HOSTNAME].should == "localhost"
+    end
+    
+    it "should set the anonymous token for a peer" do
+      @peer.anonymous! "some-token"
+      @peer[Gsasl::GSASL_ANONYMOUS_TOKEN].should == "some-token"
+    end
+    
+    it "should set and get the authzid fir external authentications" do
+      @peer.authzid.should == nil
+      @peer.authzid = "someid"
+      @peer[Gsasl::GSASL_AUTHZID].should == "someid"
+      @peer.authzid.should == "someid"
+    end
+    
+    it "should be possible to generate a pre generated md5 hash" do
+      @peer.digest_md5_hashed_password("joe", "secret").should == \
+        "fb2441a715a5484c6fa16147c4a6b7a8"
+    end
   end
 
   after(:each) do

data/spec/remote_authenticator_spec.rb

@@ -0,0 +1,39 @@
+require 'spec_helper'
+
+describe Gsasl::RemoteAuthenticator do
+  it "should be possible to create an remote authenticator" do
+    Gsasl::RemoteAuthenticator.new
+  end
+  
+  context "with authenticator" do
+    before(:each) do
+      @authenticator = Gsasl::RemoteAuthenticator.new
+    end
+    
+    it "should assign and call the recieve method hock" do
+      a = 0
+      @authenticator.receive { a += 1 }
+      @authenticator.receive.should == 1
+      a.should == 1
+    end
+    
+    it "should assign and call the send method hock" do
+      a = nil
+      @authenticator.send { |data|  a = data }
+      @authenticator.send("asd").should == "asd"
+      a.should == "asd"
+    end
+    
+    it "should raise an error if receive is called without being defined" do
+      lambda do
+        @authenticator.receive
+      end.should raise_error(Gsasl::GsaslError)
+    end
+    
+    it "should raise an error if send is called without being defined" do
+      lambda do
+        @authenticator.send
+      end.should raise_error(Gsasl::GsaslError)
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gsasl
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-03-25 00:00:00.000000000Z
+date: 2012-05-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -68,7 +68,10 @@ extra_rdoc_files: []
 files:
 - .gitignore
 - .rspec
+- .rvmrc
+- .travis.yml
 - Gemfile
+- LICENCE
 - README.md
 - Rakefile
 - gsasl.gemspec
@@ -76,10 +79,13 @@ files:
 - lib/gsasl/context.rb
 - lib/gsasl/native.rb
 - lib/gsasl/peer.rb
+- lib/gsasl/remote_authenticator.rb
 - lib/gsasl/version.rb
+- spec/abstraction_spec.rb
 - spec/authentication_spec.rb
 - spec/context_spec.rb
 - spec/peer_spec.rb
+- spec/remote_authenticator_spec.rb
 - spec/spec_helper.rb
 homepage: ''
 licenses: []
@@ -101,12 +107,15 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: gsasl
-rubygems_version: 1.8.19
+rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
 summary: A lib ffi based wrapper for lib GNU SASL
 test_files:
+- spec/abstraction_spec.rb
 - spec/authentication_spec.rb
 - spec/context_spec.rb
 - spec/peer_spec.rb
+- spec/remote_authenticator_spec.rb
 - spec/spec_helper.rb
+has_rdoc: