pontarius-xmpp/src/Network/XMPP/SASL.hs

{-# LANGUAGE NoMonomorphismRestriction, OverloadedStrings  #-}
module Network.XMPP.SASL where

import           Control.Applicative
import           Control.Arrow (left)
import           Control.Monad
import           Control.Monad.Error
import           Control.Monad.State.Strict

import qualified Crypto.Classes as CC

import qualified Data.Attoparsec.ByteString.Char8 as AP
import qualified Data.Binary as Binary
import qualified Data.ByteString as BS
import qualified Data.ByteString.Base64 as B64
import qualified Data.ByteString.Char8 as BS8
import qualified Data.ByteString.Lazy as BL
import qualified Data.Digest.Pure.MD5 as MD5
import qualified Data.List as L
import           Data.Word (Word8)
import           Data.XML.Pickle
import           Data.XML.Types

import qualified Data.Text as Text
import           Data.Text (Text)
import qualified Data.Text.Encoding as Text

import           Network.XMPP.Monad
import           Network.XMPP.Stream
import           Network.XMPP.Types
import           Network.XMPP.Pickle

import qualified System.Random as Random


saslInitE :: Text -> Element
saslInitE mechanism =
    Element "{urn:ietf:params:xml:ns:xmpp-sasl}auth"
        [ ("mechanism", [ContentText  mechanism]) ]
        []

saslResponseE :: Text -> Element
saslResponseE resp =
    Element "{urn:ietf:params:xml:ns:xmpp-sasl}response"
    []
    [NodeContent $ ContentText resp]

saslResponse2E :: Element
saslResponse2E =
    Element "{urn:ietf:params:xml:ns:xmpp-sasl}response"
    []
    []

data AuthError = AuthXmlError
               | AuthMechanismError [Text]
               | AuthChallengeError
               | AuthStreamError StreamError
               | AuthConnectionError
                 deriving Show

instance Error AuthError where
    noMsg = AuthXmlError

xmppSASL:: Text -> Text -> XMPPConMonad (Either AuthError Text)
xmppSASL uname passwd = runErrorT $ do
    realm <- gets sHostname
    case realm of
      Just realm' -> do
          ErrorT $ xmppStartSASL realm' uname passwd
          modify (\s -> s{sUsername = Just uname})
          return uname
      Nothing -> throwError AuthConnectionError

xmppStartSASL  :: Text
               -> Text
               -> Text
               -> XMPPConMonad (Either AuthError ())
xmppStartSASL realm username passwd = runErrorT $ do
  mechanisms <- gets $ saslMechanisms . sFeatures
  unless ("DIGEST-MD5" `elem` mechanisms)
      . throwError $ AuthMechanismError mechanisms
  lift . pushN $ saslInitE "DIGEST-MD5"
  challenge' <-  lift $ B64.decode . Text.encodeUtf8
                         <$> pullPickle challengePickle
  challenge <- case challenge' of
                  Left _e -> throwError AuthChallengeError
                  Right r -> return r
  pairs <- case toPairs challenge of
      Left _ -> throwError AuthChallengeError
      Right p -> return p
  g <- liftIO $ Random.newStdGen
  lift . pushN . saslResponseE $ createResponse g realm username passwd pairs
  challenge2 <- lift $ pullPickle (xpEither failurePickle challengePickle)
  case challenge2 of
    Left _x -> throwError $ AuthXmlError
    Right _ -> return ()
  lift $ pushN saslResponse2E
  e <- lift pullElement
  case e of
      Element "{urn:ietf:params:xml:ns:xmpp-sasl}success" [] [] -> return ()
      _ -> throwError AuthXmlError -- TODO: investigate
  _ <- ErrorT $ left AuthStreamError <$> xmppRestartStream
  return ()

createResponse :: Random.RandomGen g
               => g
               -> Text
               -> Text
               -> Text
               -> [(BS8.ByteString, BS8.ByteString)]
               -> Text
createResponse g hostname username passwd' pairs = let
  Just qop   = L.lookup "qop" pairs
  Just nonce = L.lookup "nonce" pairs
  uname      = Text.encodeUtf8 username
  passwd     = Text.encodeUtf8 passwd'
  -- Using Int instead of Word8 for random 1.0.0.0 (GHC 7)
  -- compatibility.
  cnonce     = BS.tail . BS.init .
           B64.encode . BS.pack . map toWord8 . take 8 $ Random.randoms g
  nc         = "00000001"
  digestURI  = ("xmpp/" `BS.append` (Text.encodeUtf8 hostname))
  digest     = md5Digest
             uname
             (lookup "realm" pairs)
             passwd
             digestURI
             nc
             qop
             nonce
             cnonce
  response = BS.intercalate"," . map (BS.intercalate "=") $
   [  ["username"  , quote uname     ]]
   ++ case L.lookup "realm" pairs of
       Just realm -> [["realm" , quote realm ]]
       Nothing -> []
   ++
   [  ["nonce"     , quote nonce     ]
   ,  ["cnonce"    , quote cnonce    ]
   ,  ["nc"        ,       nc        ]
   ,  ["qop"       ,       qop       ]
   ,  ["digest-uri", quote digestURI ]
   ,  ["response"  ,       digest    ]
   ,  ["charset"   ,       "utf-8"   ]
   ]
  in Text.decodeUtf8 $ B64.encode response
  where
    quote x = BS.concat ["\"",x,"\""]
    toWord8 x = fromIntegral (x :: Int) :: Word8

toPairs :: BS.ByteString -> Either String [(BS.ByteString, BS.ByteString)]
toPairs = AP.parseOnly . flip AP.sepBy1 (void $ AP.char ',') $ do
  AP.skipSpace
  name <- AP.takeWhile1 (/= '=')
  _ <- AP.char '='
  quote <- ((AP.char '"' >> return True) `mplus` return False)
  content <- AP.takeWhile1 (AP.notInClass ",\"" )
  when quote . void $ AP.char '"'
  return (name,content)

hash :: [BS8.ByteString] -> BS8.ByteString
hash = BS8.pack . show
       . (CC.hash' :: BS.ByteString -> MD5.MD5Digest) . BS.intercalate (":")

hashRaw :: [BS8.ByteString] -> BS8.ByteString
hashRaw = toStrict . Binary.encode
          . (CC.hash' :: BS.ByteString -> MD5.MD5Digest) . BS.intercalate (":")


toStrict :: BL.ByteString -> BS8.ByteString
toStrict = BS.concat . BL.toChunks

-- TODO: this only handles MD5-sess

md5Digest :: BS8.ByteString
          -> Maybe BS8.ByteString
          -> BS8.ByteString
          -> BS8.ByteString
          -> BS8.ByteString
          -> BS8.ByteString
          -> BS8.ByteString
          -> BS8.ByteString
          -> BS8.ByteString
md5Digest uname realm password digestURI nc qop nonce cnonce=
  let ha1 = hash [hashRaw [uname, maybe "" id realm, password], nonce, cnonce]
      ha2 = hash ["AUTHENTICATE", digestURI]
  in hash [ha1,nonce, nc, cnonce,qop,ha2]

-- Pickling
failurePickle :: PU [Node] (SaslFailure)
failurePickle = xpWrap (\(txt,(failure,_,_))
                           -> SaslFailure failure txt)
                       (\(SaslFailure failure txt)
                           -> (txt,(failure,(),())))
                       (xpElemNodes
                          "{urn:ietf:params:xml:ns:xmpp-sasl}failure"
                          (xp2Tuple
                              (xpOption $ xpElem
                                   "{urn:ietf:params:xml:ns:xmpp-sasl}text"
                                   xpLangTag
                                   (xpContent xpId))
                              (xpElemByNamespace
                                   "urn:ietf:params:xml:ns:xmpp-sasl"
                                   xpPrim
                                   (xpUnit)
                                   (xpUnit))))


challengePickle :: PU [Node] Text.Text
challengePickle =  xpElemNodes "{urn:ietf:params:xml:ns:xmpp-sasl}challenge"
                     (xpIsolate $ xpContent xpId)
sasl working 14 years ago			`{-# LANGUAGE NoMonomorphismRestriction, OverloadedStrings #-}`
			`module Network.XMPP.SASL where`

warning clean 14 years ago			`import Control.Applicative`
Added some SASL failure handling 14 years ago			`import Control.Arrow (left)`
warning clean 14 years ago			`import Control.Monad`
Added some SASL failure handling 14 years ago			`import Control.Monad.Error`
added error handling to Stream, TLS switched to Strict State switched to mtl improved build script 14 years ago			`import Control.Monad.State.Strict`
sasl working 14 years ago
			`import qualified Crypto.Classes as CC`

			`import qualified Data.Attoparsec.ByteString.Char8 as AP`
			`import qualified Data.Binary as Binary`
			`import qualified Data.ByteString as BS`
warning clean 14 years ago			`import qualified Data.ByteString.Base64 as B64`
sasl working 14 years ago			`import qualified Data.ByteString.Char8 as BS8`
			`import qualified Data.ByteString.Lazy as BL`
			`import qualified Data.Digest.Pure.MD5 as MD5`
warning clean 14 years ago			`import qualified Data.List as L`
SASL alignment, simplified conversion 14 years ago			`import Data.Word (Word8)`
warning clean 14 years ago			`import Data.XML.Pickle`
			`import Data.XML.Types`
sasl working 14 years ago
			`import qualified Data.Text as Text`
warning clean 14 years ago			`import Data.Text (Text)`
sasl working 14 years ago			`import qualified Data.Text.Encoding as Text`

warning clean 14 years ago			`import Network.XMPP.Monad`
			`import Network.XMPP.Stream`
			`import Network.XMPP.Types`
added pickler for SASLError 14 years ago			`import Network.XMPP.Pickle`
sasl working 14 years ago
			`import qualified System.Random as Random`

switched to hexpat 14 years ago
compiles... again 14 years ago			`saslInitE :: Text -> Element`
sasl working 14 years ago			`saslInitE mechanism =`
compiles... again 14 years ago			`Element "{urn:ietf:params:xml:ns:xmpp-sasl}auth"`
			`[ ("mechanism", [ContentText mechanism]) ]`
sasl working 14 years ago			`[]`

compiles... again 14 years ago			`saslResponseE :: Text -> Element`
sasl working 14 years ago			`saslResponseE resp =`
compiles... again 14 years ago			`Element "{urn:ietf:params:xml:ns:xmpp-sasl}response"`
			`[]`
			`[NodeContent $ ContentText resp]`
sasl working 14 years ago
compiles... again 14 years ago			`saslResponse2E :: Element`
sasl working 14 years ago			`saslResponse2E =`
compiles... again 14 years ago			`Element "{urn:ietf:params:xml:ns:xmpp-sasl}response"`
			`[]`
switched to hexpat 14 years ago			`[]`
sasl working 14 years ago
Renamed SaslError to AuthError Renamed SASLError to SaslError added BufferedSource Changed sources to be buffered reader now only reads the connection state in the beginning, doesn't need to put anything back Updated test client 14 years ago			`data AuthError = AuthXmlError`
			`\| AuthMechanismError [Text]`
			`\| AuthChallengeError`
			`\| AuthStreamError StreamError`
			`\| AuthConnectionError`
			`deriving Show`
Added some SASL failure handling 14 years ago
Renamed SaslError to AuthError Renamed SASLError to SaslError added BufferedSource Changed sources to be buffered reader now only reads the connection state in the beginning, doesn't need to put anything back Updated test client 14 years ago			`instance Error AuthError where`
			`noMsg = AuthXmlError`
Added some SASL failure handling 14 years ago
Renamed SaslError to AuthError Renamed SASLError to SaslError added BufferedSource Changed sources to be buffered reader now only reads the connection state in the beginning, doesn't need to put anything back Updated test client 14 years ago			`xmppSASL:: Text -> Text -> XMPPConMonad (Either AuthError Text)`
Added some SASL failure handling 14 years ago			`xmppSASL uname passwd = runErrorT $ do`
removed sConPush, session now starts without connection, added inline connection method xml-types-pickle updated 14 years ago			`realm <- gets sHostname`
			`case realm of`
			`Just realm' -> do`
Added some SASL failure handling 14 years ago			`ErrorT $ xmppStartSASL realm' uname passwd`
removed sConPush, session now starts without connection, added inline connection method xml-types-pickle updated 14 years ago			`modify (\s -> s{sUsername = Just uname})`
Added some SASL failure handling 14 years ago			`return uname`
Renamed SaslError to AuthError Renamed SASLError to SaslError added BufferedSource Changed sources to be buffered reader now only reads the connection state in the beginning, doesn't need to put anything back Updated test client 14 years ago			`Nothing -> throwError AuthConnectionError`
removed sConPush, session now starts without connection, added inline connection method xml-types-pickle updated 14 years ago
			`xmppStartSASL :: Text`
			`-> Text`
			`-> Text`
Renamed SaslError to AuthError Renamed SASLError to SaslError added BufferedSource Changed sources to be buffered reader now only reads the connection state in the beginning, doesn't need to put anything back Updated test client 14 years ago			`-> XMPPConMonad (Either AuthError ())`
Added some SASL failure handling 14 years ago			`xmppStartSASL realm username passwd = runErrorT $ do`
sasl working 14 years ago			`mechanisms <- gets $ saslMechanisms . sFeatures`
Added some SASL failure handling 14 years ago			unless ("DIGEST-MD5" `elem` mechanisms)
Renamed SaslError to AuthError Renamed SASLError to SaslError added BufferedSource Changed sources to be buffered reader now only reads the connection state in the beginning, doesn't need to put anything back Updated test client 14 years ago			`. throwError $ AuthMechanismError mechanisms`
Added some SASL failure handling 14 years ago			`lift . pushN $ saslInitE "DIGEST-MD5"`
protected withConnection from asynchronous exceptions (may beed more work) renamed picklers to adhere to the xpPicklername schema added xmpp stream error data type and pickler changed fatal errors throw exceptions rather than ErrorT errors renamed pulls to pullSink renamed pullE pullElement renamed pull to pullStanza renamed sendS to sendStanza 14 years ago			`challenge' <- lift $ B64.decode . Text.encodeUtf8`
			`<$> pullPickle challengePickle`
Added some SASL failure handling 14 years ago			`challenge <- case challenge' of`
Renamed SaslError to AuthError Renamed SASLError to SaslError added BufferedSource Changed sources to be buffered reader now only reads the connection state in the beginning, doesn't need to put anything back Updated test client 14 years ago			`Left _e -> throwError AuthChallengeError`
Added some SASL failure handling 14 years ago			`Right r -> return r`
			`pairs <- case toPairs challenge of`
Renamed SaslError to AuthError Renamed SASLError to SaslError added BufferedSource Changed sources to be buffered reader now only reads the connection state in the beginning, doesn't need to put anything back Updated test client 14 years ago			`Left _ -> throwError AuthChallengeError`
Added some SASL failure handling 14 years ago			`Right p -> return p`
de-monadified createResponse 14 years ago			`g <- liftIO $ Random.newStdGen`
Added some SASL failure handling 14 years ago			`lift . pushN . saslResponseE $ createResponse g realm username passwd pairs`
			`challenge2 <- lift $ pullPickle (xpEither failurePickle challengePickle)`
switched to hexpat 14 years ago			`case challenge2 of`
Renamed SaslError to AuthError Renamed SASLError to SaslError added BufferedSource Changed sources to be buffered reader now only reads the connection state in the beginning, doesn't need to put anything back Updated test client 14 years ago			`Left _x -> throwError $ AuthXmlError`
warning clean 14 years ago			`Right _ -> return ()`
Added some SASL failure handling 14 years ago			`lift $ pushN saslResponse2E`
protected withConnection from asynchronous exceptions (may beed more work) renamed picklers to adhere to the xpPicklername schema added xmpp stream error data type and pickler changed fatal errors throw exceptions rather than ErrorT errors renamed pulls to pullSink renamed pullE pullElement renamed pull to pullStanza renamed sendS to sendStanza 14 years ago			`e <- lift pullElement`
Added some SASL failure handling 14 years ago			`case e of`
			`Element "{urn:ietf:params:xml:ns:xmpp-sasl}success" [] [] -> return ()`
Renamed SaslError to AuthError Renamed SASLError to SaslError added BufferedSource Changed sources to be buffered reader now only reads the connection state in the beginning, doesn't need to put anything back Updated test client 14 years ago			`_ -> throwError AuthXmlError -- TODO: investigate`
			`_ <- ErrorT $ left AuthStreamError <$> xmppRestartStream`
sasl working 14 years ago			`return ()`

de-monadified createResponse 14 years ago			`createResponse :: Random.RandomGen g`
			`=> g`
			`-> Text`
removed sConPush, session now starts without connection, added inline connection method xml-types-pickle updated 14 years ago			`-> Text`
			`-> Text`
			`-> [(BS8.ByteString, BS8.ByteString)]`
de-monadified createResponse 14 years ago			`-> Text`
			`createResponse g hostname username passwd' pairs = let`
SASL alignment, simplified conversion 14 years ago			`Just qop = L.lookup "qop" pairs`
de-monadified createResponse 14 years ago			`Just nonce = L.lookup "nonce" pairs`
SASL alignment, simplified conversion 14 years ago			`uname = Text.encodeUtf8 username`
			`passwd = Text.encodeUtf8 passwd'`
			`-- Using Int instead of Word8 for random 1.0.0.0 (GHC 7)`
Char instead of Word8 for random 1.0.0.0 (ghc 7) compatibility 14 years ago			`-- compatibility.`
SASL alignment, simplified conversion 14 years ago			`cnonce = BS.tail . BS.init .`
fixed word8 problem in SASL 14 years ago			`B64.encode . BS.pack . map toWord8 . take 8 $ Random.randoms g`
SASL alignment, simplified conversion 14 years ago			`nc = "00000001"`
Added some SASL failure handling 14 years ago			digestURI = ("xmpp/" `BS.append` (Text.encodeUtf8 hostname))
SASL alignment, simplified conversion 14 years ago			`digest = md5Digest`
de-monadified createResponse 14 years ago			`uname`
Added some SASL failure handling 14 years ago			`(lookup "realm" pairs)`
de-monadified createResponse 14 years ago			`passwd`
			`digestURI`
			`nc`
			`qop`
			`nonce`
			`cnonce`
			`response = BS.intercalate"," . map (BS.intercalate "=") $`
Added some SASL failure handling 14 years ago			`[ ["username" , quote uname ]]`
			`++ case L.lookup "realm" pairs of`
			`Just realm -> [["realm" , quote realm ]]`
			`Nothing -> []`
			`++`
			`[ ["nonce" , quote nonce ]`
			`, ["cnonce" , quote cnonce ]`
			`, ["nc" , nc ]`
			`, ["qop" , qop ]`
			`, ["digest-uri", quote digestURI ]`
			`, ["response" , digest ]`
			`, ["charset" , "utf-8" ]`
de-monadified createResponse 14 years ago			`]`
			`in Text.decodeUtf8 $ B64.encode response`
			`where`
			`quote x = BS.concat ["\"",x,"\""]`
SASL alignment, simplified conversion 14 years ago			`toWord8 x = fromIntegral (x :: Int) :: Word8`
sasl working 14 years ago
			`toPairs :: BS.ByteString -> Either String [(BS.ByteString, BS.ByteString)]`
			`toPairs = AP.parseOnly . flip AP.sepBy1 (void $ AP.char ',') $ do`
			`AP.skipSpace`
			`name <- AP.takeWhile1 (/= '=')`
warning clean 14 years ago			`_ <- AP.char '='`
sasl working 14 years ago			quote <- ((AP.char '"' >> return True) `mplus` return False)
			`content <- AP.takeWhile1 (AP.notInClass ",\"" )`
			`when quote . void $ AP.char '"'`
			`return (name,content)`

top level types 14 years ago			`hash :: [BS8.ByteString] -> BS8.ByteString`
sasl working 14 years ago			`hash = BS8.pack . show`
			`. (CC.hash' :: BS.ByteString -> MD5.MD5Digest) . BS.intercalate (":")`

top level types 14 years ago			`hashRaw :: [BS8.ByteString] -> BS8.ByteString`
sasl working 14 years ago			`hashRaw = toStrict . Binary.encode`
			`. (CC.hash' :: BS.ByteString -> MD5.MD5Digest) . BS.intercalate (":")`

fixed word8 problem in SASL 14 years ago
warning clean 14 years ago			`toStrict :: BL.ByteString -> BS8.ByteString`
sasl working 14 years ago			`toStrict = BS.concat . BL.toChunks`
warning clean 14 years ago
sasl working 14 years ago			`-- TODO: this only handles MD5-sess`
warning clean 14 years ago
			`md5Digest :: BS8.ByteString`
Added some SASL failure handling 14 years ago			`-> Maybe BS8.ByteString`
warning clean 14 years ago			`-> BS8.ByteString`
			`-> BS8.ByteString`
			`-> BS8.ByteString`
			`-> BS8.ByteString`
			`-> BS8.ByteString`
			`-> BS8.ByteString`
			`-> BS8.ByteString`
sasl working 14 years ago			`md5Digest uname realm password digestURI nc qop nonce cnonce=`
Added some SASL failure handling 14 years ago			`let ha1 = hash [hashRaw [uname, maybe "" id realm, password], nonce, cnonce]`
sasl working 14 years ago			`ha2 = hash ["AUTHENTICATE", digestURI]`
			`in hash [ha1,nonce, nc, cnonce,qop,ha2]`

switched to hexpat 14 years ago			`-- Pickling`
Renamed SaslError to AuthError Renamed SASLError to SaslError added BufferedSource Changed sources to be buffered reader now only reads the connection state in the beginning, doesn't need to put anything back Updated test client 14 years ago			`failurePickle :: PU [Node] (SaslFailure)`
added pickler for SASLError 14 years ago			`failurePickle = xpWrap (\(txt,(failure,_,_))`
Renamed SaslError to AuthError Renamed SASLError to SaslError added BufferedSource Changed sources to be buffered reader now only reads the connection state in the beginning, doesn't need to put anything back Updated test client 14 years ago			`-> SaslFailure failure txt)`
			`(\(SaslFailure failure txt)`
added pickler for SASLError 14 years ago			`-> (txt,(failure,(),())))`
			`(xpElemNodes`
			`"{urn:ietf:params:xml:ns:xmpp-sasl}failure"`
			`(xp2Tuple`
			`(xpOption $ xpElem`
			`"{urn:ietf:params:xml:ns:xmpp-sasl}text"`
			`xpLangTag`
			`(xpContent xpId))`
			`(xpElemByNamespace`
			`"urn:ietf:params:xml:ns:xmpp-sasl"`
			`xpPrim`
			`(xpUnit)`
			`(xpUnit))))`
switched to hexpat 14 years ago
compiles... again 14 years ago
			`challengePickle :: PU [Node] Text.Text`
			`challengePickle = xpElemNodes "{urn:ietf:params:xml:ns:xmpp-sasl}challenge"`
			`(xpIsolate $ xpContent xpId)`
initial import, copy of darcs repository 15 years ago