feat(sasl): added basic sasl support

Guusvanmeerveld · Guusvanmeerveld · commit a7c6633c2627 · 2023-10-24T14:31:39.000+02:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -12,23 +12,26 @@ rust-version = "1.65.0"
 [dependencies]
 async-native-tls = { version = "0.5.0", default-features = false }
 async-std = { version = "1.12.0", features = ["attributes"], optional = true }
+async-trait = { version = "0.1.74", optional = true }
+base64 = { version = "0.21.5", optional = true }
 bytes = "1.4.0"
 futures = "0.3.28"
 log = "0.4.20"
 nom = "7.1.3"
 tokio = { version = "1.26.0", features = [
-    "net",
-    "time",
-    "rt",
-    "macros",
+	"net",
+	"time",
+	"rt",
+	"macros",
 ], optional = true }
 
 [dev-dependencies]
 env_logger = "0.10.0"
 dotenv = "0.15"
 
 [features]
-default = ["runtime-async-std"]
+default = ["runtime-async-std", "sasl"]
+sasl = ["dep:base64", "dep:async-trait"]
 
 runtime-async-std = ["async-std", "async-native-tls/runtime-async-std"]
 runtime-tokio = ["tokio", "async-native-tls/runtime-tokio"]
diff --git a/src/base64.rs b/src/base64.rs
@@ -0,0 +1,12 @@
+use base64::engine::{general_purpose::STANDARD, Engine};
+use bytes::Bytes;
+
+use crate::error::Result;
+
+pub fn encode<E: AsRef<[u8]>>(encodable: E) -> String {
+    STANDARD.encode(encodable)
+}
+
+pub fn decode<E: AsRef<[u8]>>(decodable: E) -> Result<Bytes> {
+    Ok(STANDARD.decode(decodable)?.into())
+}
diff --git a/src/command.rs b/src/command.rs
@@ -22,14 +22,16 @@ pub enum Command {
     Quit,
     Capa,
     Greet,
-    Other(String),
+    #[cfg(feature = "sasl")]
+    Base64(String),
 }
 
 impl Display for Command {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         match self {
-            Self::Other(other) => {
-                write!(f, "{}", other)?;
+            #[cfg(feature = "sasl")]
+            Self::Base64(other) => {
+                write!(f, "{}", crate::base64::encode(other))?;
             }
             _ => {
                 for (key, value) in Self::definitions().into_iter() {
diff --git a/src/error.rs b/src/error.rs
@@ -26,6 +26,8 @@ pub enum ErrorKind {
     ParseInt(ParseIntError),
     ParseString(Utf8Error),
     ServerError(String),
+    #[cfg(feature = "sasl")]
+    DecodeBase64(base64::DecodeError),
     NotConnected,
     ShouldNotBeConnected,
     IncorrectStateForCommand,
@@ -117,6 +119,13 @@ impl From<Utf8Error> for Error {
     }
 }
 
+#[cfg(feature = "sasl")]
+impl From<base64::DecodeError> for Error {
+    fn from(error: base64::DecodeError) -> Self {
+        Self::new(ErrorKind::DecodeBase64(error), "Failed to decode base64")
+    }
+}
+
 pub(crate) use err;
 
 pub type Result<T> = result::Result<T, Error>;
diff --git a/src/lib.rs b/src/lib.rs
@@ -49,6 +49,11 @@ pub mod response;
 mod runtime;
 mod stream;
 
+#[cfg(feature = "sasl")]
+mod base64;
+#[cfg(feature = "sasl")]
+pub mod sasl;
+
 use std::collections::HashSet;
 
 use async_native_tls::{TlsConnector, TlsStream};
@@ -83,7 +88,7 @@ pub enum ClientState {
     None,
 }
 
-pub struct Client<S: Write + Read + Unpin> {
+pub struct Client<S: Write + Read + Unpin + Send> {
     inner: Option<PopStream<S>>,
     capabilities: Capabilities,
     marked_as_del: Vec<usize>,
@@ -93,7 +98,7 @@ pub struct Client<S: Write + Read + Unpin> {
 }
 
 /// Creates a client from a given socket connection.
-async fn create_client_from_socket<S: Read + Write + Unpin>(
+async fn create_client_from_socket<S: Read + Write + Unpin + Send>(
     socket: PopStream<S>,
 ) -> Result<Client<S>> {
     let mut client = Client {
@@ -127,7 +132,7 @@ async fn create_client_from_socket<S: Read + Write + Unpin>(
 ///     client.quit().unwrap();
 /// }
 /// ```
-pub async fn new<S: Read + Write + Unpin>(stream: S) -> Result<Client<S>> {
+pub async fn new<S: Read + Write + Unpin + Send>(stream: S) -> Result<Client<S>> {
     let socket = PopStream::new(stream);
 
     create_client_from_socket(socket).await
@@ -159,7 +164,7 @@ pub async fn connect_plain<A: ToSocketAddrs>(addr: A) -> Result<Client<TcpStream
     create_client_from_socket(socket).await
 }
 
-impl<S: Read + Write + Unpin> Client<S> {
+impl<S: Read + Write + Unpin + Send> Client<S> {
     /// Check if the client is in the correct state and return a mutable reference to the tcp connection.
     fn inner_mut(&mut self) -> Result<&mut PopStream<S>> {
         match self.inner.as_mut() {
@@ -529,31 +534,57 @@ impl<S: Read + Write + Unpin> Client<S> {
         }
     }
 
-    // pub async fn auth<A: AsRef<str>, U: AsRef<str>>(
-    //     &mut self,
-    //     auth_type: A,
-    //     token: U,
-    // ) -> Result<Text> {
-    //     self.check_client_state(ClientState::Authentication)?;
+    /// ### AUTH
+    ///
+    /// Requires an [sasl::Authenticator] to work. One could implement this themeselves for any given mechanism, look at the documentation for this trait.
+    ///
+    /// If a common mechanism is needed, it can probably be found in the [sasl] module.
+    ///
+    /// The AUTH command indicates an authentication mechanism to the server.  If the server supports the requested authentication mechanism, it performs an authentication protocol exchange to authenticate and identify the user. Optionally, it also negotiates a protection mechanism for subsequent protocol interactions.  If the requested authentication mechanism is not supported, the server should reject the AUTH command by sending a negative response.
+    ///
+    /// The authentication protocol exchange consists of a series of server challenges and client answers that are specific to the authentication mechanism.  A server challenge, otherwise known as a ready response, is a line consisting of a "+" character followed by a single space and a BASE64 encoded string.  The client answer consists of a line containing a BASE64 encoded string.  If the client wishes to cancel an authentication exchange, it should issue a line with a single "*".  If the server receives such an answer, it must reject the AUTH command by sending a negative response.
+    ///
+    /// A protection mechanism provides integrity and privacy protection to the protocol session.  If a protection mechanism is negotiated, it is applied to all subsequent data sent over the connection.  The protection mechanism takes effect immediately following the CRLF that concludes the authentication exchange for the client, and the CRLF of the positive response for the server.  Once the protection mechanism is in effect, the stream of command and response octets is processed into buffers of ciphertext.  Each buffer is transferred over the connection as a stream of octets prepended with a four octet field in network byte order that represents the length of the following data. The maximum ciphertext buffer length is defined by the protection mechanism.
+    ///
+    /// The server is not required to support any particular authentication mechanism, nor are authentication mechanisms required to support any protection mechanisms.  If an AUTH command fails with a negative response, the session remains in the AUTHORIZATION state and client may try another authentication mechanism by issuing another AUTH command, or may attempt to authenticate by using the USER/PASS or APOP commands.  In other words, the client may request authentication types in decreasing order of preference, with the USER/PASS or APOP command as a last resort.
+    #[cfg(feature = "sasl")]
+    pub async fn auth<A: sasl::Authenticator + Sync>(&mut self, authenticator: A) -> Result<Text> {
+        self.check_client_state(ClientState::Authentication)?;
+
+        self.has_read_greeting()?;
+
+        let mut request: Request = Auth.into();
+
+        let mechanism = authenticator.mechanism();
+
+        request.add_arg(mechanism);
 
-    //     self.has_read_greeting()?;
+        if let Some(arg) = authenticator.auth() {
+            request.add_arg(crate::base64::encode(arg))
+        }
 
-    //     let mut request: Request = Auth.into();
+        let stream = self.inner_mut()?;
 
-    //     request.add_arg(auth_type.as_ref());
+        stream.encode(&request).await?;
 
-    //     let response = self.send_request(request).await?;
+        let communicator = sasl::Communicator::new(stream);
 
-    //     self.state = ClientState::Transaction;
+        authenticator.handle(communicator).await?;
 
-    //     match response {
-    //         Response::Message(resp) => Ok(resp),
-    //         _ => err!(
-    //             ErrorKind::UnexpectedResponse,
-    //             "Did not received the expected auth response"
-    //         ),
-    //     }
-    // }
+        let message = match stream.read_response(request).await? {
+            Response::Message(message) => message,
+            _ => err!(
+                ErrorKind::UnexpectedResponse,
+                "Did not received the expected auith response"
+            ),
+        };
+
+        self.update_capabilities().await;
+
+        self.state = ClientState::Transaction;
+
+        Ok(message)
+    }
 
     /// ## USER & PASS
     ///
diff --git a/src/response/mod.rs b/src/response/mod.rs
@@ -37,6 +37,8 @@ pub enum Response {
     Uidl(UidlResponse),
     Capability(Vec<Capability>),
     Message(Text),
+    #[cfg(feature = "sasl")]
+    Challenge(Text),
     Err(Text),
 }
 
diff --git a/src/response/parser/mod.rs b/src/response/parser/mod.rs
@@ -1,4 +1,6 @@
 mod core;
+#[cfg(feature = "sasl")]
+mod rfc1734;
 mod rfc1939;
 mod rfc2449;
 
@@ -21,6 +23,20 @@ pub(crate) fn parse<'a>(input: &'a [u8], request: &Command) -> IResult<&'a [u8],
         return Err(nom::Err::Incomplete(nom::Needed::Unknown));
     }
 
+    #[cfg(feature = "sasl")]
+    match request {
+        Command::Base64(_) => match rfc1734::auth(input) {
+            Ok((input, base64_challenge)) => {
+                if let Ok(challenge) = crate::base64::decode(base64_challenge) {
+                    return Ok((input, Response::Challenge(challenge.into())));
+                }
+            }
+            Err(nom::Err::Incomplete(needed)) => return Err(nom::Err::Incomplete(needed)),
+            Err(_) => {}
+        },
+        _ => {}
+    }
+
     let (input, status) = status(input)?;
 
     if status.success() {
diff --git a/src/response/parser/rfc1734.rs b/src/response/parser/rfc1734.rs
@@ -0,0 +1,11 @@
+use nom::{bytes::streaming::tag, character::streaming::space1, IResult};
+
+use super::core::message_parser;
+
+pub(crate) fn auth<'a>(input: &'a [u8]) -> IResult<&'a [u8], &'a [u8]> {
+    let (input, _) = tag("+")(input)?;
+    let (input, _) = space1(input)?;
+    let (input, content) = message_parser(input)?;
+
+    Ok((input, content.unwrap_or(b"")))
+}
diff --git a/src/sasl.rs b/src/sasl.rs
diff --git a/src/stream.rs b/src/stream.rs
diff --git a/src/test.rs b/src/test.rs

Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,8 @@ pub enum Response {`
`37`	`37`	`Uidl(UidlResponse),`
`38`	`38`	`Capability(Vec<Capability>),`
`39`	`39`	`Message(Text),`
	`40`	`+ #[cfg(feature = "sasl")]`
	`41`	`+ Challenge(Text),`
`40`	`42`	`Err(Text),`
`41`	`43`	`}`
`42`	`44`