curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool

2024-11-12 04:25:08 -05:00 · 2019-04-19 14:26:47 +01:00 · 2019-04-19 14:26:47 +01:00 · a9499ff136
commit a9499ff136
parent a14d72ca2f
14 changed files with 358 additions and 4 deletions
--- a/docs/cmdline-opts/Makefile.inc
+++ b/docs/cmdline-opts/Makefile.inc
@ -154,6 +154,7 @@ DPAGES =					\
  retry-delay.d					\
  retry-max-time.d				\
  retry.d					\
+  sasl-authzid.d					\
  sasl-ir.d					\
  service-name.d				\
  show-error.d					\
--- a/docs/cmdline-opts/sasl-authzid.d
+++ b/docs/cmdline-opts/sasl-authzid.d
@ -0,0 +1,11 @@
+Long: sasl-authzid
+Help: Use this identity to act as during SASL PLAIN authentication
+Added: 7.66.0
+---
+Use this authorisation identity (authzid), during SASL PLAIN authentication,
+in addition to the authentication identity (authcid) as specified by --user.
+
+If the option isn't specified, the server will derive the authzid from the
+authcid, but if specified, and depending on the server implementation, it may
+be used to access another user's inbox, that the user has been granted access
+to, or a shared mailbox for example.
--- a/src/tool_cfgable.c
+++ b/src/tool_cfgable.c
@ -133,6 +133,7 @@ static void free_config_fields(struct OperationConfig *config)
  Curl_safefree(config->krblevel);

  Curl_safefree(config->oauth_bearer);
+  Curl_safefree(config->sasl_authzid);

  Curl_safefree(config->unix_socket_path);
  Curl_safefree(config->writeout);
--- a/src/tool_cfgable.h
+++ b/src/tool_cfgable.h
@ -97,6 +97,7 @@ struct OperationConfig {
  char *mail_from;
  struct curl_slist *mail_rcpt;
  char *mail_auth;
+  char *sasl_authzid;       /* Authorisation identity (identity to use) */
  bool sasl_ir;             /* Enable/disable SASL initial response */
  bool proxytunnel;
  bool ftp_append;          /* APPE on ftp */
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@ -177,7 +177,8 @@ static const struct LongShort aliases[]= {
  {"$H", "mail-auth",                ARG_STRING},
  {"$I", "post303",                  ARG_BOOL},
  {"$J", "metalink",                 ARG_BOOL},
-  {"$K", "sasl-ir",                  ARG_BOOL},
+  {"$6", "sasl-authzid",             ARG_STRING},
+  {"$K", "sasl-ir",                  ARG_BOOL },
  {"$L", "test-event",               ARG_BOOL},
  {"$M", "unix-socket",              ARG_FILENAME},
  {"$N", "path-as-is",               ARG_BOOL},
@ -1099,6 +1100,9 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
 #endif
          break;
        }
+      case '6': /* --sasl-authzid */
+        GetStr(&config->sasl_authzid, nextarg);
+        break;
      case 'K': /* --sasl-ir */
        config->sasl_ir = toggle;
        break;
--- a/src/tool_help.c
+++ b/src/tool_help.c
@ -385,6 +385,8 @@ static const struct helptxt helptext[] = {
   "Wait time between retries"},
  {"    --retry-max-time <seconds>",
   "Retry only within this period"},
+  {"    --sasl-authzid <identity> ",
+   "Use this identity to act as during SASL PLAIN authentication"},
  {"    --sasl-ir",
   "Enable initial response in SASL authentication"},
  {"    --service-name <name>",
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@ -1501,6 +1501,10 @@ static CURLcode operate_do(struct GlobalConfig *global,
        if(config->mail_auth)
          my_setopt_str(curl, CURLOPT_MAIL_AUTH, config->mail_auth);

+        /* new in 7.66.0 */
+        if(config->sasl_authzid)
+          my_setopt_str(curl, CURLOPT_SASL_AUTHZID, config->sasl_authzid);
+
        /* new in 7.31.0 */
        if(config->sasl_ir)
          my_setopt(curl, CURLOPT_SASL_IR, 1L);
@ -1524,6 +1528,7 @@ static CURLcode operate_do(struct GlobalConfig *global,
                          config->unix_socket_path);
          }
        }
+
        /* new in 7.45.0 */
        if(config->proto_default)
          my_setopt_str(curl, CURLOPT_DEFAULT_PROTOCOL, config->proto_default);
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@ -93,20 +93,21 @@ test809 test810 test811 test812 test813 test814 test815 test816 test817 \
 test818 test819 test820 test821 test822 test823 test824 test825 test826 \
 test827 test828 test829 test830 test831 test832 test833 test834 test835 \
 test836 test837 test838 test839 test840 test841 test842 test843 test844 \
-test845 test846 test847 \
+test845 test846 test847 test848 test849 \
 \
 test850 test851 test852 test853 test854 test855 test856 test857 test858 \
 test859 test860 test861 test862 test863 test864 test865 test866 test867 \
 test868 test869 test870 test871 test872 test873 test874 test875 test876 \
 test877 test878 test879 test880 test881 test882 test883 test884 test885 \
-test886 test887 test888 test889 test890 test891 \
+test886 test887 test888 test889 test890 test891 test892 test893 \
 \
 test900 test901 test902 test903 test904 test905 test906 test907 test908 \
 test909 test910 test911 test912 test913 test914 test915 test916 test917 \
 test918 test919 test920 test921 test922 test923 test924 test925 test926 \
 test927 test928 test929 test930 test931 test932 test933 test934 test935 \
 test936 test937 test938 test939 test940 test941 test942 test943 test944 \
-test945 test946 test947 test948 test949 test950 test951 test952 \
+test945 test946 test947 test948 test949 test950 test951 test952 test953 \
+test954 \
 \
 test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
 test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
--- a/tests/data/test848
+++ b/tests/data/test848
@ -0,0 +1,56 @@
+<testcase>
+<info>
+<keywords>
+IMAP
+SASL
+SASL AUTH PLAIN
+RFC4616
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+AUTH PLAIN
+REPLY AUTHENTICATE +
+REPLY c2hhcmVkLW1haWxib3gAdXNlcgBzZWNyZXQ= A002 OK AUTHENTICATE completed
+</servercmd>
+<data>
+From: me@somewhere
+To: fake@nowhere
+
+body
+
+--
+  yours sincerely
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+imap
+</server>
+ <name>
+IMAP plain authentication with alternative authorization identity
+ </name>
+ <command>
+'imap://%HOSTIP:%IMAPPORT/848/;MAILINDEX=1' -u user:secret --sasl-authzid shared-mailbox
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+A001 CAPABILITY
+A002 AUTHENTICATE PLAIN
+c2hhcmVkLW1haWxib3gAdXNlcgBzZWNyZXQ=
+A003 SELECT 848
+A004 FETCH 1 BODY[]
+A005 LOGOUT
+</protocol>
+</verify>
+</testcase>
--- a/tests/data/test849
+++ b/tests/data/test849
@ -0,0 +1,51 @@
+<testcase>
+<info>
+<keywords>
+IMAP
+SASL
+SASL AUTH PLAIN
+RFC4616
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+AUTH PLAIN
+REPLY AUTHENTICATE +
+REPLY dXJzZWwAa3VydAB4aXBqM3BsbXE= A002 NO Not authorized
+</servercmd>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+imap
+</server>
+ <name>
+IMAP plain authentication with alternative authorization identity (Not authorized)
+ </name>
+ <command>
+'imap://%HOSTIP:%IMAPPORT/849/;MAILINDEX=1' -u kurt:xipj3plmq --sasl-authzid ursel
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 67 - CURLE_LOGIN_DENIED
+<errorcode>
+67
+</errorcode>
+#
+# The multi interface considers a broken "CONNECT" as a prematurely broken
+# transfer and such a connection will not get a "LOGOUT"
+<protocol>
+A001 CAPABILITY
+A002 AUTHENTICATE PLAIN
+dXJzZWwAa3VydAB4aXBqM3BsbXE=
+</protocol>
+</verify>
+</testcase>
--- a/tests/data/test892
+++ b/tests/data/test892
@ -0,0 +1,57 @@
+<testcase>
+<info>
+<keywords>
+POP3
+SASL
+SASL AUTH PLAIN
+RFC1734
+RFC4616
+RFC5034
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+AUTH PLAIN
+REPLY AUTH +
+REPLY c2hhcmVkLW1haWxib3gAdXNlcgBzZWNyZXQ= +OK Login successful
+</servercmd>
+<data>
+From: me@somewhere
+To: fake@nowhere
+
+body
+
+--
+  yours sincerely
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+pop3
+</server>
+ <name>
+POP3 plain authentication with alternative authorization identity
+ </name>
+ <command>
+pop3://%HOSTIP:%POP3PORT/892 -u user:secret --sasl-authzid shared-mailbox
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+CAPA
+AUTH PLAIN
+c2hhcmVkLW1haWxib3gAdXNlcgBzZWNyZXQ=
+RETR 892
+QUIT
+</protocol>
+</verify>
+</testcase>
--- a/tests/data/test893
+++ b/tests/data/test893
@ -0,0 +1,53 @@
+<testcase>
+<info>
+<keywords>
+POP3
+SASL
+SASL AUTH PLAIN
+RFC1734
+RFC4616
+RFC5034
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+AUTH PLAIN
+REPLY AUTH +
+REPLY dXJzZWwAa3VydAB4aXBqM3BsbXE= -ERR Not authorized
+</servercmd>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+pop3
+</server>
+ <name>
+POP3 plain authentication with alternative authorization identity (Not authorized)
+ </name>
+ <command>
+pop3://%HOSTIP:%POP3PORT/893 -u kurt:xipj3plmq --sasl-authzid ursel
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 67 - CURLE_LOGIN_DENIED
+<errorcode>
+67
+</errorcode>
+#
+# The multi interface considers a broken "CONNECT" as a prematurely broken
+# transfer and such a connection will not get a "QUIT"
+<protocol>
+CAPA
+AUTH PLAIN
+dXJzZWwAa3VydAB4aXBqM3BsbXE=
+</protocol>
+</verify>
+</testcase>
--- a/tests/data/test953
+++ b/tests/data/test953
@ -0,0 +1,56 @@
+<testcase>
+<info>
+<keywords>
+SMTP
+SASL
+SASL AUTH PLAIN
+RFC4616
+RFC4954
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+AUTH PLAIN
+REPLY AUTH 334 PLAIN supported
+REPLY dXJzZWwAa3VydAB4aXBqM3BsbXE= 235 Authenticated
+</servercmd>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+smtp
+</server>
+ <name>
+SMTP plain authentication with alternative authorization identity
+ </name>
+<stdin>
+mail body
+</stdin>
+ <command>
+smtp://%HOSTIP:%SMTPPORT/953 --mail-rcpt recipient@example.com --mail-from sender@example.com -u kurt:xipj3plmq --sasl-authzid ursel -T -
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+EHLO 953
+AUTH PLAIN
+dXJzZWwAa3VydAB4aXBqM3BsbXE=
+MAIL FROM:<sender@example.com>
+RCPT TO:<recipient@example.com>
+DATA
+QUIT
+</protocol>
+<upload>
+mail body
+.
+</upload>
+</verify>
+</testcase>
--- a/tests/data/test954
+++ b/tests/data/test954
@ -0,0 +1,55 @@
+<testcase>
+<info>
+<keywords>
+SMTP
+SASL
+SASL AUTH PLAIN
+RFC4616
+RFC4954
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+AUTH PLAIN
+REPLY AUTH 334 PLAIN supported
+REPLY dXJzZWwAa3VydAB4aXBqM3BsbXE= 501 Not authorized
+</servercmd>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+smtp
+</server>
+ <name>
+SMTP plain authentication with alternative authorization identity (Not authorized)
+ </name>
+<stdin>
+mail body
+</stdin>
+ <command>
+smtp://%HOSTIP:%SMTPPORT/954 --mail-rcpt recipient@example.com --mail-from sender@example.com -u kurt:xipj3plmq --sasl-authzid ursel -T -
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 67 - CURLE_LOGIN_DENIED
+<errorcode>
+67
+</errorcode>
+#
+# The multi interface considers a broken "CONNECT" as a prematurely broken
+# transfer and such a connection will not get a "QUIT"
+<protocol>
+EHLO 954
+AUTH PLAIN
+dXJzZWwAa3VydAB4aXBqM3BsbXE=
+</protocol>
+</verify>
+</testcase>