xmpp: handle incorrect credentials by replying with an error

2024-04-28 17:11:29 +02:00 · 2024-04-28 17:11:29 +02:00 · 8ec9ecfe2c
parent a047d55ab5
commit 8ec9ecfe2c
3 changed files with 87 additions and 8 deletions
--- a/crates/projection-xmpp/src/lib.rs
+++ b/crates/projection-xmpp/src/lib.rs
@ -296,20 +296,19 @@ async fn socket_auth(
    xml_writer.get_mut().flush().await?;

    let auth: proto_xmpp::sasl::Auth = proto_xmpp::sasl::Auth::parse(xml_reader, reader_buf).await?;
-    proto_xmpp::sasl::Success.write_xml(xml_writer).await?;
-    xml_writer.get_mut().flush().await?;

    match AuthBody::from_str(&auth.body) {
        Ok(logopass) => {
            let name = &logopass.login;
            let verdict = Authenticator::new(storage).authenticate(name, &logopass.password).await?;
-            // TODO return proper XML errors to the client
            match verdict {
-                Verdict::Authenticated => {}
-                Verdict::UserNotFound => {
-                    return Err(anyhow!("no user found"));
+                Verdict::Authenticated => {
+                    proto_xmpp::sasl::Success.write_xml(xml_writer).await?;
+                    xml_writer.get_mut().flush().await?;
                }
-                Verdict::InvalidPassword => {
+                Verdict::UserNotFound | Verdict::InvalidPassword => {
+                    proto_xmpp::sasl::Failure.write_xml(xml_writer).await?;
+                    xml_writer.get_mut().flush().await?;
                    return Err(anyhow!("incorrect credentials"));
                }
            }
--- a/crates/projection-xmpp/tests/lib.rs
+++ b/crates/projection-xmpp/tests/lib.rs
@ -240,6 +240,73 @@ async fn scenario_basic() -> Result<()> {
    Ok(())
 }

+#[tokio::test]
+async fn scenario_wrong_password() -> Result<()> {
+    let mut server = TestServer::start().await?;
+
+    // test scenario
+
+    server.storage.create_user("tester").await?;
+    Authenticator::new(&server.storage).set_password("tester", "password").await?;
+
+    let mut stream = TcpStream::connect(server.server.addr).await?;
+    let mut s = TestScope::new(&mut stream);
+    tracing::info!("TCP connection established");
+
+    s.send(r#"<?xml version="1.0"?>"#).await?;
+    s.send(r#"<stream:stream xmlns:stream="http://etherx.jabber.org/streams" to="127.0.0.1" xml:lang="en" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns="jabber:client" version="1.0">"#).await?;
+    assert_matches!(s.next_xml_event().await?, Event::Decl(_) => {});
+    assert_matches!(s.next_xml_event().await?, Event::Start(b) => assert_eq!(b.local_name().into_inner(), b"stream"));
+    assert_matches!(s.next_xml_event().await?, Event::Start(b) => assert_eq!(b.local_name().into_inner(), b"features"));
+    assert_matches!(s.next_xml_event().await?, Event::Start(b) => assert_eq!(b.local_name().into_inner(), b"starttls"));
+    assert_matches!(s.next_xml_event().await?, Event::Empty(b) => assert_eq!(b.local_name().into_inner(), b"required"));
+    assert_matches!(s.next_xml_event().await?, Event::End(b) => assert_eq!(b.local_name().into_inner(), b"starttls"));
+    assert_matches!(s.next_xml_event().await?, Event::End(b) => assert_eq!(b.local_name().into_inner(), b"features"));
+    s.send(r#"<starttls/>"#).await?;
+    assert_matches!(s.next_xml_event().await?, Event::Empty(b) => assert_eq!(b.local_name().into_inner(), b"proceed"));
+    let buffer = s.buffer;
+    tracing::info!("TLS feature negotiation complete");
+
+    let connector = TlsConnector::from(Arc::new(
+        ClientConfig::builder()
+            .with_safe_defaults()
+            .with_custom_certificate_verifier(Arc::new(IgnoreCertVerification))
+            .with_no_client_auth(),
+    ));
+    tracing::info!("Initiating TLS connection...");
+    let mut stream = connector.connect(ServerName::IpAddress(server.server.addr.ip()), stream).await?;
+    tracing::info!("TLS connection established");
+
+    let mut s = TestScopeTls::new(&mut stream, buffer);
+
+    s.send(r#"<?xml version="1.0"?>"#).await?;
+    s.send(r#"<stream:stream xmlns:stream="http://etherx.jabber.org/streams" to="127.0.0.1" xml:lang="en" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns="jabber:client" version="1.0">"#).await?;
+    assert_matches!(s.next_xml_event().await?, Event::Decl(_) => {});
+    assert_matches!(s.next_xml_event().await?, Event::Start(b) => assert_eq!(b.local_name().into_inner(), b"stream"));
+
+    assert_matches!(s.next_xml_event().await?, Event::Start(b) => assert_eq!(b.local_name().into_inner(), b"features"));
+    assert_matches!(s.next_xml_event().await?, Event::Start(b) => assert_eq!(b.local_name().into_inner(), b"mechanisms"));
+    assert_matches!(s.next_xml_event().await?, Event::Start(b) => assert_eq!(b.local_name().into_inner(), b"mechanism"));
+    assert_matches!(s.next_xml_event().await?, Event::Text(b) => assert_eq!(&*b, b"PLAIN"));
+    assert_matches!(s.next_xml_event().await?, Event::End(b) => assert_eq!(b.local_name().into_inner(), b"mechanism"));
+    assert_matches!(s.next_xml_event().await?, Event::End(b) => assert_eq!(b.local_name().into_inner(), b"mechanisms"));
+    assert_matches!(s.next_xml_event().await?, Event::End(b) => assert_eq!(b.local_name().into_inner(), b"features"));
+
+    // base64-encoded b"\x00tester\x00password2"
+    s.send(r#"<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="PLAIN">AHRlc3RlcgBwYXNzd29yZDI=</auth>"#)
+        .await?;
+    assert_matches!(s.next_xml_event().await?, Event::Start(b) => assert_eq!(b.local_name().into_inner(), b"failure"));
+    assert_matches!(s.next_xml_event().await?, Event::Empty(b) => assert_eq!(b.local_name().into_inner(), b"not-authorized"));
+    assert_matches!(s.next_xml_event().await?, Event::End(b) => assert_eq!(b.local_name().into_inner(), b"failure"));
+
+    stream.shutdown().await?;
+
+    // wrap up
+
+    server.shutdown().await?;
+    Ok(())
+}
+
 #[tokio::test]
 async fn scenario_basic_without_headers() -> Result<()> {
    let mut server = TestServer::start().await?;
--- a/crates/proto-xmpp/src/sasl.rs
+++ b/crates/proto-xmpp/src/sasl.rs
@ -1,7 +1,7 @@
 use std::borrow::Borrow;

 use anyhow::{anyhow, Result};
-use quick_xml::events::{BytesStart, Event};
+use quick_xml::events::{BytesEnd, BytesStart, Event};
 use quick_xml::{NsReader, Writer};
 use tokio::io::{AsyncBufRead, AsyncWrite};

@ -74,3 +74,16 @@ impl Success {
        Ok(())
    }
 }
+
+pub struct Failure;
+impl Failure {
+    pub async fn write_xml(&self, writer: &mut Writer<impl AsyncWrite + Unpin>) -> Result<()> {
+        let event = BytesStart::new(r#"failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl""#);
+        writer.write_event_async(Event::Start(event)).await?;
+        let event = BytesStart::new(r#"not-authorized"#);
+        writer.write_event_async(Event::Empty(event)).await?;
+        let event = BytesEnd::new(r#"failure"#);
+        writer.write_event_async(Event::End(event)).await?;
+        Ok(())
+    }
+}