mroch-authpipe 0.1.1

data/VERSION.yml

@@ -0,0 +1,4 @@
+--- 
+:minor: 1
+:patch: 1
+:major: 0

data/lib/authpipe.rb

@@ -0,0 +1,9 @@
+module Authpipe
+  class AuthpipeException < Exception; end
+end
+
+require 'authpipe/account_data'
+require 'authpipe/pre'
+require 'authpipe/auth'
+require 'authpipe/enumerate'
+require 'authpipe/passwd'

data/lib/authpipe/account_data.rb

@@ -0,0 +1,49 @@
+# Extends a Hash to construct the authpipe response.
+#
+# Returns the account data as a series of ATTR=value newline-terminated lines,
+# followed by a period on a line of its own. Valid attributes are:
+#
+#   USERNAME=username      -- system account which owns mailbox (name)
+#   UID=uid                -- system account which owns mailbox (numeric uid)
+#   GID=gid                -- numeric groupid
+#   HOME=homedir           -- home directory
+#   ADDRESS=addr           -- e-mail address
+#   NAME=name              -- full name
+#   MAILDIR=maildir        -- Maildir relative to home directory
+#   QUOTA=quota            -- quota string: maxbytesS,maxfilesC
+#   PASSWD=cryptpasswd     -- encrypted password
+#   PASSWD2=plainpasswd    -- plain text password
+#   OPTIONS=acctoptions    -- option1=val1,option2=val2,...
+#   .
+#
+# Of these, it is mandatory to return ADDRESS, HOME, GID, and either UID or
+# USERNAME; the others are optional.
+#
+
+module Authpipe
+  class InvalidAccountData < AuthpipeException ; end
+  
+  class AccountData < Hash
+    def to_authpipe
+      validate!
+      result = self.inject([]) do |result, (key, value)|
+        (result << key.to_s.upcase + "=" + value.to_s) unless value.nil?
+        result
+      end
+      result.sort!
+      result << ".\n"
+      return result.join("\n")
+    end
+
+    def to_enumerate
+      [self[:username], self[:uid], self[:gid], self[:home], self[:maildir], self[:options]].join("\t")
+    end
+
+    def validate!
+      raise InvalidAccountData, 'ADDRESS is required' unless self[:address]
+      raise InvalidAccountData, 'HOME is required' unless self[:home]
+      raise InvalidAccountData, 'GID is required' unless self[:gid]
+      raise InvalidAccountData, 'Either UID or USERNAME is required' unless self[:uid] || self[:username]
+    end
+  end
+end

data/lib/authpipe/auth.rb

@@ -0,0 +1,80 @@
+# AUTH <len>\n<len-bytes>
+#
+# Validate a login attempt. The AUTH line is followed by len-bytes of
+# authentication data, which does not necessarily end with a newline. The
+# currently defined authentication requests are:
+# 
+#   login \n username \n password [\n]         -- plaintext login
+#   cram-md5 \n challenge \n response [\n]     -- base-64 encoded challenge and response
+#   cram-sha1 \n challenge \n response [\n]    -- ditto
+#   cram-sha256 \n challenge \n response [\n]  -- ditto
+#     
+# In the case of success, return the complete set of account parameters in the
+# same format as PRE, ending with a period on a line of its own. In the case of
+# failure (e.g. username does not exist, password wrong, unsupported
+# authentication type), return FAIL<newline>. If there is a temporary failure,
+# such as a database being down, authProg should terminate without sending any
+# response.
+# 
+# Note: if the user provides a plaintext password and authenticates
+# successfully, then you can return it as PASSWD2 (plain text password) even if
+# the database contains an encrypted password. This is useful when using the
+# POP3/IMAP proxy functions of courier-imap.
+#
+
+require 'readbytes'
+
+module Authpipe
+  class Auth
+
+    def self.process(request)
+      Auth.new.process(request)
+    end
+
+    def process(request)
+      params = parse_request(request)
+      if (account = get_account_data(params))
+        return account.to_authpipe
+      else
+        raise AuthpipeException, "AUTH failed"
+      end
+    end
+
+    protected
+      # Authenticates the user and returns its account data in an 
+      # Authpipe::AccountData object, or returns nil if the user isn't found
+      # or authentication fails.
+      def get_account_data(params)
+        raise NotImplementedError, 'get_account_data must be overridden by subclass'
+      end
+
+      def parse_request(request)
+        data = STDIN.readbytes(request.to_i)
+        authservice, authtype, field1, field2 = data.split(/\n/)
+        case authtype
+        when 'login':
+          { :authservice => authservice, :authtype => 'login', :username => field1, :password => field2 }
+        when 'cram-md5', 'cram-sha1', 'cram-sha256':
+          { :authservice => authservice, :authtype => authtype, :challenge => field1, :response => field2 }
+        else
+          raise UnsupportedAuthenticationType.new(authtype)
+        end
+      end
+
+  end
+
+  # Exception raised when an unsupported authentication mechanism is requested.
+  class UnsupportedAuthenticationType < AuthpipeException
+    def initialize(authtype)
+      @authtype = authtype
+    end
+    
+    def message
+      if @authtype
+        "'#{@authtype}' is not a supported authentication type. login, cram-md5, cram-sha1 and cram-sha256 are supported."
+      else
+        "Unsupported authentication type. login, cram-md5, cram-sha1 and cram-sha256 are supported."
+      end
+    end
+  end
+end

data/lib/authpipe/enumerate.rb

@@ -0,0 +1,39 @@
+# ENUMERATE \n
+#
+# Return a list of all accounts, one per line in the following format, ending
+# with a period on a line of its own:
+#
+#   username \t uid \t gid \t homedir \t maildir \t options \n
+#   .
+#
+# If your module does not support the ENUMERATE command then return just a
+# period on a line of its own (which will still allow enumeration data from
+# other modules to be returned). In the case of a temporary failure, such as a
+# database being down or an error occuring mid-way through returning account
+# data, authProg should terminate before sending the terminating period.
+#
+
+module Authpipe
+  class Enumerate
+
+    def self.process(request = nil)
+      Pre.new.process(request)
+    end
+
+    def process(request = nil)
+      if (accounts = get_account_data) && !accounts.empty?
+        return accounts.collect { |a| a.to_enumerate }.join("\n") + "\n."
+      else
+        return '.'
+      end
+    end
+
+    protected
+      # Retrieves account data for the username and authservice given in +params+.
+      # Returns an Authpipe::AccountData object or nil if the user isn't found.
+      def get_account_data
+        raise NotImplementedError, 'get_account_data must be overridden by subclass'
+      end
+
+  end
+end

data/lib/authpipe/passwd.rb

@@ -0,0 +1,45 @@
+# PASSWD service<tab> username<tab> oldpasswd<tab> newpasswd<tab> <newline>
+#
+# Request a password change for the given account: validate that the 
+# oldpassword is correct, and if so, change it to the newpassword.
+#
+# Reply: the string for success, or FAIL<newline> for a data error (e.g. no
+# such account, old password wrong, new password not acceptable). In the case
+# of a temporary failure, such as a database being down, authProg should
+# terminate without sending any response.
+#
+
+module Authpipe
+  class Passwd
+
+    def self.process(request = nil)
+      Pre.new.process(request)
+    end
+
+    def process(request)
+      params = parse_request(request)
+      if (account = update_account_password(params))
+        return account.to_authpipe
+      else
+        raise AuthpipeException, 'Unable to update password'
+      end
+    end
+
+    protected
+      # Looks up the account by :service and :username, then confirms that
+      # :oldpasswd is correct, then changes the password to :newpasswd and
+      # returns the updated Authpipe::AccountData object.
+      def update_account_password(params)
+        raise NotImplementedError, 'update_account_password must be overridden by subclass'
+      end
+
+      def parse_request(request)
+        if request.strip =~ /^(\w+)\t(\w+)\t(\w+)\t(\w+)$/
+          { :authservice => $1, :username => $2, :oldpasswd => $3, :newpasswd => $4 }
+        else
+          raise ArgumentError, "Invalid PASSWD request: #{request}"
+        end
+      end
+
+  end
+end

data/lib/authpipe/pre.rb

@@ -0,0 +1,46 @@
+# PRE . <authservice> <username> \n
+#
+# Look up data for an account. authservice identifies the service the user is
+# trying to use - e.g. pop3, imap, webmail etc.
+#
+#
+# If the account is not known, return FAIL<newline>. If there is a temporary
+# failure, such as a database being down, authProg should terminate (thereby
+# closing stdin/stdout) without sending any response. authdaemon will restart
+# the pipe module for the next request, thus ensuring it is properly
+# reinitialized.
+#
+
+module Authpipe
+  class Pre
+
+    def self.process(request)
+      Pre.new.process(request)
+    end
+
+    def process(request)
+      params = parse_request(request)
+      if (account = get_account_data(params))
+        return account.to_authpipe
+      else
+        raise AuthpipeException, "No account found for service '#{params[:authservice]}' and username '#{params[:username]}'"
+      end
+    end
+
+    protected
+      # Retrieves account data for the username and authservice given in +params+.
+      # Returns an Authpipe::AccountData object or nil if the user isn't found.
+      def get_account_data(params)
+        raise NotImplementedError, 'get_account_data must be overridden by subclass'
+      end
+
+      def parse_request(request)
+        if request.strip =~ /^\. (\w+) (\w+)$/
+          { :authservice => $1, :username => $2 }
+        else
+          raise ArgumentError, "Invalid PRE request: #{request}"
+        end
+      end
+
+  end
+end

data/test/authpipe/account_data_test.rb

@@ -0,0 +1,98 @@
+require File.dirname(__FILE__) + '/../test_helper'
+
+class AccountDataTest < Test::Unit::TestCase
+
+  def setup
+    @account1 = Authpipe::AccountData[:username => 'foo', :address => 'foo@example.com', :home => '/home/foo', :gid => 1024, :uid => 1024]
+    @account2 = Authpipe::AccountData[:username => 'bar', :address => 'bar@example.com', :home => '/home/bar', :gid => 1025, :uid => 1025]
+  end
+
+  def test_validate
+    acct = create_account_data
+    assert_nothing_raised { acct.validate! }
+
+    acct = create_account_data(:address => nil)
+    assert_raise(Authpipe::InvalidAccountData) { acct.validate! }
+
+    acct = create_account_data(:home => nil)
+    assert_raise(Authpipe::InvalidAccountData) { acct.validate! }
+
+    acct = create_account_data(:gid => nil)
+    assert_raise(Authpipe::InvalidAccountData) { acct.validate! }
+
+    acct = create_account_data(:uid => nil, :username => nil)
+    assert_raise(Authpipe::InvalidAccountData) { acct.validate! }
+
+    acct = create_account_data(:uid => nil) # OK since username still set
+    assert_nothing_raised { acct.validate! }
+
+    acct = create_account_data(:username => nil) # OK since uid still set
+    assert_nothing_raised { acct.validate! }
+
+    acct = Authpipe::AccountData.new
+    assert_raise(Authpipe::InvalidAccountData) { acct.validate! }
+  end
+
+  def test_to_authpipe
+    assert_equal <<-EOF, create_account_data.to_authpipe
+ADDRESS=foo@example.com
+GID=1024
+HOME=/home/foo
+MAILDIR=.maildir
+NAME=Test User
+OPTIONS=option1=val1,option2=val2
+PASSWD2=abcdef
+PASSWD=cryptedpassword
+QUOTA=1024S,1000C
+UID=1024
+USERNAME=foo
+.
+EOF
+
+    assert_equal <<-EOF, create_account_data(:maildir => nil).to_authpipe
+ADDRESS=foo@example.com
+GID=1024
+HOME=/home/foo
+NAME=Test User
+OPTIONS=option1=val1,option2=val2
+PASSWD2=abcdef
+PASSWD=cryptedpassword
+QUOTA=1024S,1000C
+UID=1024
+USERNAME=foo
+.
+EOF
+  end
+
+  def test_to_enumerate
+    assert_equal \
+      "foo\t1024\t1024\t/home/foo\t.maildir\toption1=val1,option2=val2",
+      create_account_data.to_enumerate
+
+    assert_equal \
+      "\t1024\t1024\t/home/foo\t.maildir\toption1=val1,option2=val2",
+      create_account_data(:username => nil).to_enumerate
+
+    assert_equal \
+      "foo\t\t1024\t/home/foo\t.maildir\toption1=val1,option2=val2",
+      create_account_data(:uid => nil).to_enumerate
+  end
+
+  private
+    def create_account_data(params = {})
+      Authpipe::AccountData[{ 
+        :username => 'foo',
+        :address => 'foo@example.com',
+        :home => '/home/foo',
+        :uid => 1024,
+        :gid => 1024,
+        :name => 'Test User',
+        :maildir => '.maildir',
+        :quota => '1024S,1000C',
+        :passwd => 'cryptedpassword',
+        :passwd2 => 'abcdef',
+        :options => 'option1=val1,option2=val2'
+      }.merge!(params)]
+    end
+
+end

data/test/authpipe/auth_test.rb

@@ -0,0 +1,68 @@
+require File.dirname(__FILE__) + '/../test_helper'
+
+class AuthTest < Test::Unit::TestCase
+
+  def setup
+    @handler = Authpipe::Auth.new
+    @account = Authpipe::AccountData[:address => 'foo@example.com', :home => '/home/foo', :gid => 1024, :uid => 1024]
+  end
+
+  def test_process_validates_auth_type
+    auth = "unsupported\nfoo\nbar"
+    STDIN.expects(:readbytes).returns(auth)
+    @handler.expects(:get_account_data).never
+    assert_raises(Authpipe::UnsupportedAuthenticationType) do
+      @handler.process(auth.length)
+    end
+
+    ['login', 'cram-md5', 'cram-sha1', 'cram-sha256'].each do |authtype|
+      auth = "#{authtype}\nfoo\nbar"
+      STDIN.expects(:readbytes).returns(auth)
+      @handler.expects(:get_account_data).returns(@account)
+      assert_nothing_raised do
+        @handler.process(auth.length)
+      end
+    end
+  end
+
+  def test_process_fails_auth
+    auth = "login\nfoo\nbar"
+    STDIN.expects(:readbytes).returns(auth)
+
+    @handler.expects(:get_account_data).returns(nil)
+    assert_raises(Authpipe::AuthpipeException) do
+      @handler.process(auth.length)
+    end
+  end
+
+  def test_process_passes_auth
+    auth = "login\nfoo\nbar"
+    STDIN.expects(:readbytes).returns(auth)
+
+    @handler.expects(:get_account_data).returns(@account)
+    assert_nothing_raised do
+      assert_equal @account.to_authpipe, @handler.process(auth.length)
+    end
+  end
+
+  def test_process_calls_get_account_data
+    auth = "login\nfoo\nbar"
+    STDIN.expects(:readbytes).returns(auth)
+    @handler.expects(:get_account_data).with(
+      :authtype => 'login', :username => 'foo', :password => 'bar'
+    ).returns(@account)
+    assert_nothing_raised do
+      @handler.process(auth.length)
+    end
+
+    auth = "login\nabcdef\nqazwsx"
+    STDIN.expects(:readbytes).returns(auth)
+    @handler.expects(:get_account_data).with(
+      :authtype => 'login', :username => 'abcdef', :password => 'qazwsx'
+    ).returns(@account)
+    assert_nothing_raised do
+      @handler.process(auth.length)
+    end
+  end
+
+end

data/test/authpipe/enumerate_test.rb

@@ -0,0 +1,29 @@
+require File.dirname(__FILE__) + '/../test_helper'
+
+class EnumerateTest < Test::Unit::TestCase
+
+  def setup
+    @handler = Authpipe::Enumerate.new
+    @account1 = Authpipe::AccountData[:username => 'foo', :address => 'foo@example.com', :home => '/home/foo', :gid => 1024, :uid => 1024]
+    @account2 = Authpipe::AccountData[:username => 'bar', :address => 'bar@example.com', :home => '/home/bar', :gid => 1025, :uid => 1025]
+  end
+
+  def test_process_calls_get_account_data
+    @handler.expects(:get_account_data).with()
+    @handler.process
+  end
+
+  def test_process_fails_pre
+    @handler.expects(:get_account_data).returns(nil)
+    assert_equal '.', @handler.process
+
+    @handler.expects(:get_account_data).returns([])
+    assert_equal '.', @handler.process
+  end
+
+  def test_process_passes_pre
+    @handler.expects(:get_account_data).returns([@account1, @account2])
+    assert_equal "#{@account1.to_enumerate}\n#{@account2.to_enumerate}\n.", @handler.process
+  end
+
+end

data/test/authpipe/passwd_test.rb

@@ -0,0 +1,31 @@
+require File.dirname(__FILE__) + '/../test_helper'
+
+class PasswdTest < Test::Unit::TestCase
+
+  def setup
+    @handler = Authpipe::Passwd.new
+    @account = Authpipe::AccountData[
+      :username => 'foo',
+      :address => 'foo@example.com',
+      :home => '/home/foo',
+      :gid => 1024,
+      :uid => 1024,
+      :passwd2 => 'def'
+    ]
+  end
+
+  def test_process_fails_pre
+    @handler.expects(:update_account_password).returns(nil)
+    assert_raise(Authpipe::AuthpipeException) do
+      @handler.process("imap\tfoo\tabc\tdef")
+    end
+  end
+
+  def test_process_passes_pre
+    @handler.expects(:update_account_password).with(
+      { :authservice => 'imap', :username => 'foo', :oldpasswd => 'abc', :newpasswd => 'def' }
+    ).returns(@account)
+    assert_equal @account.to_authpipe, @handler.process("imap\tfoo\tabc\tdef")
+  end
+
+end

data/test/authpipe/pre_test.rb

@@ -0,0 +1,32 @@
+require File.dirname(__FILE__) + '/../test_helper'
+
+class PreTest < Test::Unit::TestCase
+
+  def setup
+    @handler = Authpipe::Pre.new
+    @account = Authpipe::AccountData[:address => 'foo@example.com', :home => '/home/foo', :gid => 1024, :uid => 1024]
+  end
+
+  def test_process_calls_get_account_data
+    pre = ". imap foo"
+    @handler.expects(:get_account_data).with(
+      :authservice => 'imap', :username => 'foo'
+    ).returns(@account)
+    @handler.process(pre)
+  end
+
+  def test_process_fails_pre
+    @handler.expects(:get_account_data).returns(nil)
+    assert_raises(Authpipe::AuthpipeException) do
+      @handler.process(". imap foo")
+    end
+  end
+
+  def test_process_passes_pre
+    @handler.expects(:get_account_data).returns(@account)
+    assert_nothing_raised do
+      assert_equal @account.to_authpipe, @handler.process(". imap foo")
+    end
+  end
+
+end

data/test/test_helper.rb

@@ -0,0 +1,6 @@
+$:.unshift(File.dirname(__FILE__) + '/../lib')
+require 'test/unit'
+require 'rubygems'
+require 'mocha'
+
+require 'authpipe'

metadata

@@ -0,0 +1,68 @@
+--- !ruby/object:Gem::Specification 
+name: mroch-authpipe
+version: !ruby/object:Gem::Version 
+  version: 0.1.1
+platform: ruby
+authors: 
+- Marshall Roch
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2009-03-11 00:00:00 -07:00
+default_executable: 
+dependencies: []
+
+description: 
+email: mroch@cmu.edu
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- VERSION.yml
+- lib/authpipe
+- lib/authpipe/account_data.rb
+- lib/authpipe/auth.rb
+- lib/authpipe/enumerate.rb
+- lib/authpipe/passwd.rb
+- lib/authpipe/pre.rb
+- lib/authpipe.rb
+- test/authpipe
+- test/authpipe/account_data_test.rb
+- test/authpipe/auth_test.rb
+- test/authpipe/enumerate_test.rb
+- test/authpipe/passwd_test.rb
+- test/authpipe/pre_test.rb
+- test/test_helper.rb
+has_rdoc: true
+homepage: http://github.com/mroch/authpipe
+post_install_message: 
+rdoc_options: 
+- --inline-source
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.2.0
+signing_key: 
+specification_version: 2
+summary: TODO
+test_files: []
+