SASLMechanism.java

  1. /**
  2.  *
  3.  * Copyright 2003-2007 Jive Software, 2014 Florian Schmaus
  4.  *
  5.  * Licensed under the Apache License, Version 2.0 (the "License");
  6.  * you may not use this file except in compliance with the License.
  7.  * You may obtain a copy of the License at
  8.  *
  9.  *     http://www.apache.org/licenses/LICENSE-2.0
  10.  *
  11.  * Unless required by applicable law or agreed to in writing, software
  12.  * distributed under the License is distributed on an "AS IS" BASIS,
  13.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  14.  * See the License for the specific language governing permissions and
  15.  * limitations under the License.
  16.  */
  17. package org.jivesoftware.smack.sasl;

  19. import org.jivesoftware.smack.SmackException;
  20. import org.jivesoftware.smack.SmackException.NotConnectedException;
  21. import org.jivesoftware.smack.XMPPConnection;
  22. import org.jivesoftware.smack.sasl.packet.SaslStreamElements.AuthMechanism;
  23. import org.jivesoftware.smack.sasl.packet.SaslStreamElements.Response;
  24. import org.jivesoftware.smack.util.StringTransformer;
  25. import org.jivesoftware.smack.util.StringUtils;
  26. import org.jivesoftware.smack.util.stringencoder.Base64;
  27. import org.jxmpp.jid.DomainBareJid;

  29. import javax.security.auth.callback.CallbackHandler;

  31. /**
  32.  * Base class for SASL mechanisms. Subclasses must implement these methods:
  33.  * <ul>
  34.  *  <li>{@link #getName()} -- returns the common name of the SASL mechanism.</li>
  35.  * </ul>
  36.  * Subclasses will likely want to implement their own versions of these methods:
  37.  *  <li>{@link #authenticate(String, String, DomainBareJid, String)} -- Initiate authentication stanza using the
  38.  *  deprecated method.</li>
  39.  *  <li>{@link #authenticate(String, DomainBareJid, CallbackHandler)} -- Initiate authentication stanza
  40.  *  using the CallbackHandler method.</li>
  41.  *  <li>{@link #challengeReceived(String, boolean)} -- Handle a challenge from the server.</li>
  42.  * </ul>
  43.  * 
  44.  * Basic XMPP SASL authentication steps:
  45.  * 1. Client authentication initialization, stanza sent to the server (Base64 encoded): 
  46.  *    <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='DIGEST-MD5'/>
  47.  * 2. Server sends back to the client the challenge response (Base64 encoded)
  48.  *    sample: 
  49.  *    realm=<sasl server realm>,nonce="OA6MG9tEQGm2hh",qop="auth",charset=utf-8,algorithm=md5-sess
  50.  * 3. The client responds back to the server (Base 64 encoded):
  51.  *    sample:
  52.  *    username=<userid>,realm=<sasl server realm from above>,nonce="OA6MG9tEQGm2hh",
  53.  *    cnonce="OA6MHXh6VqTrRk",nc=00000001,qop=auth,
  54.  *    digest-uri=<digesturi>,
  55.  *    response=d388dad90d4bbd760a152321f2143af7,
  56.  *    charset=utf-8,
  57.  *    authzid=<id>
  58.  * 4. The server evaluates if the user is present and contained in the REALM
  59.  *    if successful it sends: <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/> (Base64 encoded)
  60.  *    if not successful it sends:
  61.  *    sample:
  62.  *    <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
  63.  *        cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZA==
  64.  *    </challenge>
  65.  *
  66.  * @author Jay Kline
  67.  */
  68. public abstract class SASLMechanism implements Comparable<SASLMechanism> {

  70.     public static final String CRAMMD5 = "CRAM-MD5";
  71.     public static final String DIGESTMD5 = "DIGEST-MD5";
  72.     public static final String EXTERNAL = "EXTERNAL";
  73.     public static final String GSSAPI = "GSSAPI";
  74.     public static final String PLAIN = "PLAIN";

  76.     // TODO Remove once Smack's min Android API is 9, where java.text.Normalizer is available
  77.     private static StringTransformer saslPrepTransformer;

  79.     /**
  80.      * Set the SASLPrep StringTransformer.
  81.      * <p>
  82.      * A simple SASLPrep StringTransformer would be for example: <code>java.text.Normalizer.normalize(string, Form.NFKC);</code>
  83.      * </p>
  84.      * 
  85.      * @param stringTransformer set StringTransformer to use for SASLPrep.
  86.      * @see <a href="http://tools.ietf.org/html/rfc4013">RFC 4013 - SASLprep: Stringprep Profile for User Names and Passwords</a>
  87.      */
  88.     public static void setSaslPrepTransformer(StringTransformer stringTransformer) {
  89.         saslPrepTransformer = stringTransformer;
  90.     }

  92.     protected XMPPConnection connection;

  94.     /**
  95.      * Then authentication identity (authcid). RFC 6120 § 6.3.7 informs us that some SASL mechanisms use this as a
  96.      * "simple user name". But the exact form is a matter of the mechanism and that it does not necessarily map to an
  97.      * localpart. But it usually is the localpart of the client JID, although sometimes other formats are used (e.g. the
  98.      * full JID).
  99.      * <p>
  100.      * Not to be confused with the authzid (see RFC 6120 § 6.3.8).
  101.      * </p>
  102.      */
  103.     protected String authenticationId;

  105.     /**
  106.      * The name of the XMPP service
  107.      */
  108.     protected DomainBareJid serviceName;

  110.     /**
  111.      * The users password
  112.      */
  113.     protected String password;
  114.     protected String host;

  116.     /**
  117.      * Builds and sends the <tt>auth</tt> stanza to the server. Note that this method of
  118.      * authentication is not recommended, since it is very inflexible. Use
  119.      * {@link #authenticate(String, DomainBareJid, CallbackHandler)} whenever possible.
  120.      * 
  121.      * Explanation of auth stanza:
  122.      * 
  123.      * The client authentication stanza needs to include the digest-uri of the form: xmpp/serviceName 
  124.      * From RFC-2831: 
  125.      * digest-uri = "digest-uri" "=" digest-uri-value
  126.      * digest-uri-value = serv-type "/" host [ "/" serv-name ]
  127.      * 
  128.      * digest-uri: 
  129.      * Indicates the principal name of the service with which the client 
  130.      * wishes to connect, formed from the serv-type, host, and serv-name. 
  131.      * For example, the FTP service
  132.      * on "ftp.example.com" would have a "digest-uri" value of "ftp/ftp.example.com"; the SMTP
  133.      * server from the example above would have a "digest-uri" value of
  134.      * "smtp/mail3.example.com/example.com".
  135.      * 
  136.      * host:
  137.      * The DNS host name or IP address for the service requested. The DNS host name
  138.      * must be the fully-qualified canonical name of the host. The DNS host name is the
  139.      * preferred form; see notes on server processing of the digest-uri.
  140.      * 
  141.      * serv-name: 
  142.      * Indicates the name of the service if it is replicated. The service is
  143.      * considered to be replicated if the client's service-location process involves resolution
  144.      * using standard DNS lookup operations, and if these operations involve DNS records (such
  145.      * as SRV, or MX) which resolve one DNS name into a set of other DNS names. In this case,
  146.      * the initial name used by the client is the "serv-name", and the final name is the "host"
  147.      * component. For example, the incoming mail service for "example.com" may be replicated
  148.      * through the use of MX records stored in the DNS, one of which points at an SMTP server
  149.      * called "mail3.example.com"; it's "serv-name" would be "example.com", it's "host" would be
  150.      * "mail3.example.com". If the service is not replicated, or the serv-name is identical to
  151.      * the host, then the serv-name component MUST be omitted
  152.      * 
  153.      * digest-uri verification is needed for ejabberd 2.0.3 and higher   
  154.      * 
  155.      * @param username the username of the user being authenticated.
  156.      * @param host the hostname where the user account resides.
  157.      * @param serviceName the xmpp service location - used by the SASL client in digest-uri creation
  158.      * serviceName format is: host [ "/" serv-name ] as per RFC-2831
  159.      * @param password the password for this account.
  160.      * @throws SmackException If a network error occurs while authenticating.
  161.      * @throws NotConnectedException 
  162.      * @throws InterruptedException 
  163.      */
  164.     public final void authenticate(String username, String host, DomainBareJid serviceName, String password)
  165.                     throws SmackException, NotConnectedException, InterruptedException {
  166.         this.authenticationId = username;
  167.         this.host = host;
  168.         this.serviceName = serviceName;
  169.         this.password = password;
  170.         authenticateInternal();
  171.         authenticate();
  172.     }

  174.     protected void authenticateInternal() throws SmackException {
  175.     }

  177.     /**
  178.      * Builds and sends the <tt>auth</tt> stanza to the server. The callback handler will handle
  179.      * any additional information, such as the authentication ID or realm, if it is needed.
  180.      *
  181.      * @param host     the hostname where the user account resides.
  182.      * @param serviceName the xmpp service location
  183.      * @param cbh      the CallbackHandler to obtain user information.
  184.      * @throws SmackException
  185.      * @throws NotConnectedException 
  186.      * @throws InterruptedException 
  187.      */
  188.     public void authenticate(String host, DomainBareJid serviceName, CallbackHandler cbh)
  189.                     throws SmackException, NotConnectedException, InterruptedException {
  190.         this.host = host;
  191.         this.serviceName = serviceName;
  192.         authenticateInternal(cbh);
  193.         authenticate();
  194.     }

  196.     protected abstract void authenticateInternal(CallbackHandler cbh) throws SmackException;

  198.     private final void authenticate() throws SmackException, NotConnectedException, InterruptedException {
  199.         byte[] authenticationBytes = getAuthenticationText();
  200.         String authenticationText;
  201.         if (authenticationBytes != null) {
  202.             authenticationText = Base64.encodeToString(authenticationBytes);
  203.         } else {
  204.             // RFC6120 6.4.2 "If the initiating entity needs to send a zero-length initial response,
  205.             // it MUST transmit the response as a single equals sign character ("="), which
  206.             // indicates that the response is present but contains no data."
  207.             authenticationText = "=";
  208.         }
  209.         // Send the authentication to the server
  210.         connection.send(new AuthMechanism(getName(), authenticationText));
  211.     }

  213.     /**
  214.      * Should return the initial response of the SASL mechanism. The returned byte array will be
  215.      * send base64 encoded to the server. SASL mechanism are free to return <code>null</code> here.
  216.      * 
  217.      * @return the initial response or null
  218.      * @throws SmackException
  219.      */
  220.     protected abstract byte[] getAuthenticationText() throws SmackException;

  222.     /**
  223.      * The server is challenging the SASL mechanism for the stanza he just sent. Send a
  224.      * response to the server's challenge.
  225.      *
  226.      * @param challengeString a base64 encoded string representing the challenge.
  227.      * @param finalChallenge true if this is the last challenge send by the server within the success stanza
  228.      * @throws NotConnectedException
  229.      * @throws SmackException
  230.      * @throws InterruptedException 
  231.      */
  232.     public final void challengeReceived(String challengeString, boolean finalChallenge) throws SmackException, NotConnectedException, InterruptedException {
  233.         byte[] challenge = Base64.decode(challengeString);
  234.         byte[] response = evaluateChallenge(challenge);
  235.         if (finalChallenge) {
  236.             return;
  237.         }

  239.         Response responseStanza;
  240.         if (response == null) {
  241.             responseStanza = new Response();
  242.         }
  243.         else {
  244.             responseStanza = new Response(Base64.encodeToString(response));
  245.         }

  247.         // Send the authentication to the server
  248.         connection.send(responseStanza);
  249.     }

  251.     protected byte[] evaluateChallenge(byte[] challenge) throws SmackException {
  252.         return null;
  253.     }

  255.     public final int compareTo(SASLMechanism other) {
  256.         return getPriority() - other.getPriority();
  257.     }

  259.     /**
  260.      * Returns the common name of the SASL mechanism. E.g.: PLAIN, DIGEST-MD5 or GSSAPI.
  261.      *
  262.      * @return the common name of the SASL mechanism.
  263.      */
  264.     public abstract String getName();

  266.     public abstract int getPriority();

  268.     public abstract void checkIfSuccessfulOrThrow() throws SmackException;

  270.     public SASLMechanism instanceForAuthentication(XMPPConnection connection) {
  271.         SASLMechanism saslMechansim = newInstance();
  272.         saslMechansim.connection = connection;
  273.         return saslMechansim;
  274.     }

  276.     protected abstract SASLMechanism newInstance();

  278.     protected static byte[] toBytes(String string) {
  279.         return StringUtils.toBytes(string);
  280.     }

  282.     /**
  283.      * SASLprep the given String.
  284.      * 
  285.      * @param string the String to sasl prep.
  286.      * @return the given String SASL preped
  287.      * @see <a href="http://tools.ietf.org/html/rfc4013">RFC 4013 - SASLprep: Stringprep Profile for User Names and Passwords</a>
  288.      */
  289.     protected static String saslPrep(String string) {
  290.         StringTransformer stringTransformer = saslPrepTransformer;
  291.         if (stringTransformer != null) {
  292.             return stringTransformer.transform(string);
  293.         }
  294.         return string;
  295.     }
  296. }
Created with JaCoCo 0.7.4.201502262128