1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-23 08:38:49 -05:00

sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID

Added the ability for the calling program to specify the authorisation
identity (authzid), the identity to act as, in addition to the
authentication identity (authcid) and password when using SASL PLAIN
authentication.

Fixed #3653
Closes #3790
This commit is contained in:
Steve Holme 2019-04-17 23:47:51 +01:00
parent 081d374f49
commit a14d72ca2f
No known key found for this signature in database
GPG Key ID: 4059CB85CA7E8F19
11 changed files with 98 additions and 5 deletions

View File

@ -256,6 +256,8 @@ TLS authentication methods. See \fICURLOPT_TLSAUTH_TYPE(3)\fP
Proxy TLS authentication methods. See \fICURLOPT_PROXY_TLSAUTH_TYPE(3)\fP
.IP CURLOPT_PROXYAUTH
HTTP proxy authentication methods. See \fICURLOPT_PROXYAUTH(3)\fP
.IP CURLOPT_SASL_AUTHZID
SASL authorisation identity (identity to act as). See \fICURLOPT_SASL_AUTHZID(3)\fP
.IP CURLOPT_SASL_IR
Enable SASL initial response. See \fICURLOPT_SASL_IR(3)\fP
.IP CURLOPT_XOAUTH2_BEARER

View File

@ -0,0 +1,64 @@
.\" **************************************************************************
.\" * _ _ ____ _
.\" * Project ___| | | | _ \| |
.\" * / __| | | | |_) | |
.\" * | (__| |_| | _ <| |___
.\" * \___|\___/|_| \_\_____|
.\" *
.\" * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" *
.\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms
.\" * are also available at https://curl.haxx.se/docs/copyright.html.
.\" *
.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
.\" * copies of the Software, and permit persons to whom the Software is
.\" * furnished to do so, under the terms of the COPYING file.
.\" *
.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
.\" * KIND, either express or implied.
.\" *
.\" **************************************************************************
.\"
.TH CURLOPT_SASL_AUTHZID 3 "17 July 2019" "libcurl 7.66.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_SASL_AUTHZID \- authorisation identity (identity to act as)
.SH SYNOPSIS
#include <curl/curl.h>
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SASL_AUTHZID, char *authzid);
.SH DESCRIPTION
Pass a char * as parameter, which should be pointing to the zero terminated
authorisation identity (authzid) for the transfer. Only applicable to the PLAIN
SASL authentication mechanism where it is optional.
When not specified only the authentication identity (authcid) as specified by
the username will be sent to the server, along with the password. The server
will derive a authzid from the authcid when not provided, which it will then
uses internally.
When the authzid is specified, the use of which is server dependent, it can be
used to access another user's inbox, that the user has been granted access to,
or a shared mailbox for example.
.SH DEFAULT
blank
.SH PROTOCOLS
IMAP, POP3 and SMTP
.SH EXAMPLE
.nf
CURL *curl = curl_easy_init();
if(curl) {
curl_easy_setopt(curl, CURLOPT_URL, "imap://example.com/");
curl_easy_setopt(curl, CURLOPT_USERNAME, "Kurt");
curl_easy_setopt(curl, CURLOPT_PASSWORD, "xipj3plmq");
curl_easy_setopt(curl, CURLOPT_SASL_AUTHZID, "Ursel");
ret = curl_easy_perform(curl);
curl_easy_cleanup(curl);
}
.fi
.SH AVAILABILITY
Added in 7.66.0
.SH RETURN VALUE
Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
.SH "SEE ALSO"
.BR CURLOPT_USERNAME "(3), " CURLOPT_PASSWORD "(3), ".BR CURLOPT_USERPWD "(3)"

View File

@ -272,6 +272,7 @@ man_MANS = \
CURLOPT_RTSP_SESSION_ID.3 \
CURLOPT_RTSP_STREAM_URI.3 \
CURLOPT_RTSP_TRANSPORT.3 \
CURLOPT_SASL_AUTHZID.3 \
CURLOPT_SASL_IR.3 \
CURLOPT_SEEKDATA.3 \
CURLOPT_SEEKFUNCTION.3 \

View File

@ -553,6 +553,7 @@ CURLOPT_RTSP_SERVER_CSEQ 7.20.0
CURLOPT_RTSP_SESSION_ID 7.20.0
CURLOPT_RTSP_STREAM_URI 7.20.0
CURLOPT_RTSP_TRANSPORT 7.20.0
CURLOPT_SASL_AUTHZID 7.66.0
CURLOPT_SASL_IR 7.31.0
CURLOPT_SEEKDATA 7.18.0
CURLOPT_SEEKFUNCTION 7.18.0

View File

@ -1921,6 +1921,9 @@ typedef enum {
/* maximum age of a connection to consider it for reuse (in seconds) */
CINIT(MAXAGE_CONN, LONG, 288),
/* SASL authorisation identity */
CINIT(SASL_AUTHZID, STRINGPOINT, 289),
CURLOPT_LASTENTRY /* the last unused */
} CURLoption;

View File

@ -309,6 +309,7 @@ _CURL_WARNING(_curl_easy_getinfo_err_curl_off_t,
(option) == CURLOPT_RTSP_SESSION_ID || \
(option) == CURLOPT_RTSP_STREAM_URI || \
(option) == CURLOPT_RTSP_TRANSPORT || \
(option) == CURLOPT_SASL_AUTHZID || \
(option) == CURLOPT_SERVICE_NAME || \
(option) == CURLOPT_SOCKS5_GSSAPI_SERVICE || \
(option) == CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 || \

View File

@ -370,8 +370,9 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
sasl->authused = SASL_MECH_PLAIN;
if(force_ir || data->set.sasl_ir)
result = Curl_auth_create_plain_message(data, NULL, conn->user,
conn->passwd, &resp, &len);
result = Curl_auth_create_plain_message(data, conn->sasl_authzid,
conn->user, conn->passwd,
&resp, &len);
}
else if(enabledmechs & SASL_MECH_LOGIN) {
mech = SASL_MECH_STRING_LOGIN;
@ -453,8 +454,9 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn,
*progress = SASL_DONE;
return result;
case SASL_PLAIN:
result = Curl_auth_create_plain_message(data, NULL, conn->user,
conn->passwd, &resp, &len);
result = Curl_auth_create_plain_message(data, conn->sasl_authzid,
conn->user, conn->passwd,
&resp, &len);
break;
case SASL_LOGIN:
result = Curl_auth_create_login_message(data, conn->user, &resp, &len);

View File

@ -2400,6 +2400,12 @@ static CURLcode vsetopt(struct Curl_easy *data, CURLoption option,
break;
#endif
case CURLOPT_SASL_AUTHZID:
/* Authorisation identity (identity to act as) */
result = Curl_setstropt(&data->set.str[STRING_SASL_AUTHZID],
va_arg(param, char *));
break;
case CURLOPT_SASL_IR:
/* Enable/disable SASL initial response */
data->set.sasl_ir = (0 != va_arg(param, long)) ? TRUE : FALSE;

View File

@ -713,6 +713,7 @@ static void conn_free(struct connectdata *conn)
Curl_safefree(conn->user);
Curl_safefree(conn->passwd);
Curl_safefree(conn->oauth_bearer);
Curl_safefree(conn->sasl_authzid);
Curl_safefree(conn->options);
Curl_safefree(conn->http_proxy.user);
Curl_safefree(conn->socks_proxy.user);
@ -3461,6 +3462,14 @@ static CURLcode create_conn(struct Curl_easy *data,
}
}
if(data->set.str[STRING_SASL_AUTHZID]) {
conn->sasl_authzid = strdup(data->set.str[STRING_SASL_AUTHZID]);
if(!conn->sasl_authzid) {
result = CURLE_OUT_OF_MEMORY;
goto out;
}
}
#ifdef USE_UNIX_SOCKETS
if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);

View File

@ -870,7 +870,8 @@ struct connectdata {
char *passwd; /* password string, allocated */
char *options; /* options string, allocated */
char *oauth_bearer; /* bearer token for OAuth 2.0, allocated */
char *oauth_bearer; /* bearer token for OAuth 2.0, allocated */
char *sasl_authzid; /* authorisation identity string, allocated */
int httpversion; /* the HTTP version*10 reported by the server */
int rtspversion; /* the RTSP version*10 reported by the server */
@ -1492,6 +1493,7 @@ enum dupstring {
#ifdef USE_ALTSVC
STRING_ALTSVC, /* CURLOPT_ALTSVC */
#endif
STRING_SASL_AUTHZID, /* CURLOPT_SASL_AUTHZID */
/* -- end of zero-terminated strings -- */
STRING_LASTZEROTERMINATED,

View File

@ -1418,6 +1418,8 @@
d c 10287
d CURLOPT_MAXAGE_CONN...
d c 00288
d CURLOPT_SASL_AUTHZID...
d c 10289
*
/if not defined(CURL_NO_OLDIES)
d CURLOPT_FILE c 10001