From 1e08a7925830d7822f911165d9789e5e4f765534 Mon Sep 17 00:00:00 2001 From: Steve Holme Date: Fri, 19 Apr 2019 14:26:47 +0100 Subject: curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool Ref: https://github.com/curl/curl/issues/3653 Ref: https://github.com/curl/curl/pull/3790 NOTE: This commit was cherry-picked and is part of a series of commits that added the authzid feature for upcoming 7.66.0. The series was temporarily reverted in db8ec1f so that it would not ship in a 7.65.x patch release. Closes https://github.com/curl/curl/pull/4186 --- docs/cmdline-opts/Makefile.inc | 1 + docs/cmdline-opts/sasl-authzid.d | 11 ++++++++ src/tool_cfgable.c | 1 + src/tool_cfgable.h | 1 + src/tool_getparam.c | 6 ++++- src/tool_help.c | 2 ++ src/tool_operate.c | 5 ++++ tests/data/Makefile.inc | 7 ++--- tests/data/test848 | 56 +++++++++++++++++++++++++++++++++++++++ tests/data/test849 | 51 +++++++++++++++++++++++++++++++++++ tests/data/test892 | 57 ++++++++++++++++++++++++++++++++++++++++ tests/data/test893 | 53 +++++++++++++++++++++++++++++++++++++ tests/data/test953 | 56 +++++++++++++++++++++++++++++++++++++++ tests/data/test954 | 55 ++++++++++++++++++++++++++++++++++++++ 14 files changed, 358 insertions(+), 4 deletions(-) create mode 100644 docs/cmdline-opts/sasl-authzid.d create mode 100644 tests/data/test848 create mode 100644 tests/data/test849 create mode 100644 tests/data/test892 create mode 100644 tests/data/test893 create mode 100644 tests/data/test953 create mode 100644 tests/data/test954 diff --git a/docs/cmdline-opts/Makefile.inc b/docs/cmdline-opts/Makefile.inc index d50a8bb26..1bdda9885 100644 --- a/docs/cmdline-opts/Makefile.inc +++ b/docs/cmdline-opts/Makefile.inc @@ -158,6 +158,7 @@ DPAGES = \ retry-delay.d \ retry-max-time.d \ retry.d \ + sasl-authzid.d \ sasl-ir.d \ service-name.d \ show-error.d \ diff --git a/docs/cmdline-opts/sasl-authzid.d b/docs/cmdline-opts/sasl-authzid.d new file mode 100644 index 000000000..b34db97fc --- /dev/null +++ b/docs/cmdline-opts/sasl-authzid.d @@ -0,0 +1,11 @@ +Long: sasl-authzid +Help: Use this identity to act as during SASL PLAIN authentication +Added: 7.66.0 +--- +Use this authorisation identity (authzid), during SASL PLAIN authentication, +in addition to the authentication identity (authcid) as specified by --user. + +If the option isn't specified, the server will derive the authzid from the +authcid, but if specified, and depending on the server implementation, it may +be used to access another user's inbox, that the user has been granted access +to, or a shared mailbox for example. diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c index 76febc9c9..efa8c50b2 100644 --- a/src/tool_cfgable.c +++ b/src/tool_cfgable.c @@ -133,6 +133,7 @@ static void free_config_fields(struct OperationConfig *config) Curl_safefree(config->krblevel); Curl_safefree(config->oauth_bearer); + Curl_safefree(config->sasl_authzid); Curl_safefree(config->unix_socket_path); Curl_safefree(config->writeout); diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h index d43f03c40..f6248c20b 100644 --- a/src/tool_cfgable.h +++ b/src/tool_cfgable.h @@ -96,6 +96,7 @@ struct OperationConfig { char *mail_from; struct curl_slist *mail_rcpt; char *mail_auth; + char *sasl_authzid; /* Authorisation identity (identity to use) */ bool sasl_ir; /* Enable/disable SASL initial response */ bool proxytunnel; bool ftp_append; /* APPE on ftp */ diff --git a/src/tool_getparam.c b/src/tool_getparam.c index 77a77da70..952e602ed 100644 --- a/src/tool_getparam.c +++ b/src/tool_getparam.c @@ -178,7 +178,8 @@ static const struct LongShort aliases[]= { {"$H", "mail-auth", ARG_STRING}, {"$I", "post303", ARG_BOOL}, {"$J", "metalink", ARG_BOOL}, - {"$K", "sasl-ir", ARG_BOOL}, + {"$6", "sasl-authzid", ARG_STRING}, + {"$K", "sasl-ir", ARG_BOOL }, {"$L", "test-event", ARG_BOOL}, {"$M", "unix-socket", ARG_FILENAME}, {"$N", "path-as-is", ARG_BOOL}, @@ -1103,6 +1104,9 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ #endif break; } + case '6': /* --sasl-authzid */ + GetStr(&config->sasl_authzid, nextarg); + break; case 'K': /* --sasl-ir */ config->sasl_ir = toggle; break; diff --git a/src/tool_help.c b/src/tool_help.c index a5b6e7204..86bd692d9 100644 --- a/src/tool_help.c +++ b/src/tool_help.c @@ -391,6 +391,8 @@ static const struct helptxt helptext[] = { "Wait time between retries"}, {" --retry-max-time ", "Retry only within this period"}, + {" --sasl-authzid ", + "Use this identity to act as during SASL PLAIN authentication"}, {" --sasl-ir", "Enable initial response in SASL authentication"}, {" --service-name ", diff --git a/src/tool_operate.c b/src/tool_operate.c index 946dc7cca..8d526c328 100644 --- a/src/tool_operate.c +++ b/src/tool_operate.c @@ -1778,6 +1778,10 @@ static CURLcode create_transfers(struct GlobalConfig *global, if(config->mail_auth) my_setopt_str(curl, CURLOPT_MAIL_AUTH, config->mail_auth); + /* new in 7.66.0 */ + if(config->sasl_authzid) + my_setopt_str(curl, CURLOPT_SASL_AUTHZID, config->sasl_authzid); + /* new in 7.31.0 */ if(config->sasl_ir) my_setopt(curl, CURLOPT_SASL_IR, 1L); @@ -1801,6 +1805,7 @@ static CURLcode create_transfers(struct GlobalConfig *global, config->unix_socket_path); } } + /* new in 7.45.0 */ if(config->proto_default) my_setopt_str(curl, CURLOPT_DEFAULT_PROTOCOL, config->proto_default); diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc index 6d19ed3c9..0657d2120 100644 --- a/tests/data/Makefile.inc +++ b/tests/data/Makefile.inc @@ -93,20 +93,21 @@ test809 test810 test811 test812 test813 test814 test815 test816 test817 \ test818 test819 test820 test821 test822 test823 test824 test825 test826 \ test827 test828 test829 test830 test831 test832 test833 test834 test835 \ test836 test837 test838 test839 test840 test841 test842 test843 test844 \ -test845 test846 test847 \ +test845 test846 test847 test848 test849 \ \ test850 test851 test852 test853 test854 test855 test856 test857 test858 \ test859 test860 test861 test862 test863 test864 test865 test866 test867 \ test868 test869 test870 test871 test872 test873 test874 test875 test876 \ test877 test878 test879 test880 test881 test882 test883 test884 test885 \ -test886 test887 test888 test889 test890 test891 \ +test886 test887 test888 test889 test890 test891 test892 test893 \ \ test900 test901 test902 test903 test904 test905 test906 test907 test908 \ test909 test910 test911 test912 test913 test914 test915 test916 test917 \ test918 test919 test920 test921 test922 test923 test924 test925 test926 \ test927 test928 test929 test930 test931 test932 test933 test934 test935 \ test936 test937 test938 test939 test940 test941 test942 test943 test944 \ -test945 test946 test947 test948 test949 test950 test951 test952 \ +test945 test946 test947 test948 test949 test950 test951 test952 test953 \ +test954 \ \ test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \ diff --git a/tests/data/test848 b/tests/data/test848 new file mode 100644 index 000000000..bfea56898 --- /dev/null +++ b/tests/data/test848 @@ -0,0 +1,56 @@ + + + +IMAP +SASL +SASL AUTH PLAIN +RFC4616 + + + +# +# Server-side + + +AUTH PLAIN +REPLY AUTHENTICATE + +REPLY c2hhcmVkLW1haWxib3gAdXNlcgBzZWNyZXQ= A002 OK AUTHENTICATE completed + + +From: me@somewhere +To: fake@nowhere + +body + +-- + yours sincerely + + + +# +# Client-side + + +imap + + +IMAP plain authentication with alternative authorization identity + + +'imap://%HOSTIP:%IMAPPORT/848/;MAILINDEX=1' -u user:secret --sasl-authzid shared-mailbox + + + +# +# Verify data after the test has been "shot" + + +A001 CAPABILITY +A002 AUTHENTICATE PLAIN +c2hhcmVkLW1haWxib3gAdXNlcgBzZWNyZXQ= +A003 SELECT 848 +A004 FETCH 1 BODY[] +A005 LOGOUT + + + diff --git a/tests/data/test849 b/tests/data/test849 new file mode 100644 index 000000000..65d5eacf7 --- /dev/null +++ b/tests/data/test849 @@ -0,0 +1,51 @@ + + + +IMAP +SASL +SASL AUTH PLAIN +RFC4616 + + + +# +# Server-side + + +AUTH PLAIN +REPLY AUTHENTICATE + +REPLY dXJzZWwAa3VydAB4aXBqM3BsbXE= A002 NO Not authorized + + + +# +# Client-side + + +imap + + +IMAP plain authentication with alternative authorization identity (Not authorized) + + +'imap://%HOSTIP:%IMAPPORT/849/;MAILINDEX=1' -u kurt:xipj3plmq --sasl-authzid ursel + + + +# +# Verify data after the test has been "shot" + +# 67 - CURLE_LOGIN_DENIED + +67 + +# +# The multi interface considers a broken "CONNECT" as a prematurely broken +# transfer and such a connection will not get a "LOGOUT" + +A001 CAPABILITY +A002 AUTHENTICATE PLAIN +dXJzZWwAa3VydAB4aXBqM3BsbXE= + + + diff --git a/tests/data/test892 b/tests/data/test892 new file mode 100644 index 000000000..89a56fbc4 --- /dev/null +++ b/tests/data/test892 @@ -0,0 +1,57 @@ + + + +POP3 +SASL +SASL AUTH PLAIN +RFC1734 +RFC4616 +RFC5034 + + + +# +# Server-side + + +AUTH PLAIN +REPLY AUTH + +REPLY c2hhcmVkLW1haWxib3gAdXNlcgBzZWNyZXQ= +OK Login successful + + +From: me@somewhere +To: fake@nowhere + +body + +-- + yours sincerely + + + +# +# Client-side + + +pop3 + + +POP3 plain authentication with alternative authorization identity + + +pop3://%HOSTIP:%POP3PORT/892 -u user:secret --sasl-authzid shared-mailbox + + + +# +# Verify data after the test has been "shot" + + +CAPA +AUTH PLAIN +c2hhcmVkLW1haWxib3gAdXNlcgBzZWNyZXQ= +RETR 892 +QUIT + + + diff --git a/tests/data/test893 b/tests/data/test893 new file mode 100644 index 000000000..982c2c897 --- /dev/null +++ b/tests/data/test893 @@ -0,0 +1,53 @@ + + + +POP3 +SASL +SASL AUTH PLAIN +RFC1734 +RFC4616 +RFC5034 + + + +# +# Server-side + + +AUTH PLAIN +REPLY AUTH + +REPLY dXJzZWwAa3VydAB4aXBqM3BsbXE= -ERR Not authorized + + + +# +# Client-side + + +pop3 + + +POP3 plain authentication with alternative authorization identity (Not authorized) + + +pop3://%HOSTIP:%POP3PORT/893 -u kurt:xipj3plmq --sasl-authzid ursel + + + +# +# Verify data after the test has been "shot" + +# 67 - CURLE_LOGIN_DENIED + +67 + +# +# The multi interface considers a broken "CONNECT" as a prematurely broken +# transfer and such a connection will not get a "QUIT" + +CAPA +AUTH PLAIN +dXJzZWwAa3VydAB4aXBqM3BsbXE= + + + diff --git a/tests/data/test953 b/tests/data/test953 new file mode 100644 index 000000000..a7636dc22 --- /dev/null +++ b/tests/data/test953 @@ -0,0 +1,56 @@ + + + +SMTP +SASL +SASL AUTH PLAIN +RFC4616 +RFC4954 + + + +# +# Server-side + + +AUTH PLAIN +REPLY AUTH 334 PLAIN supported +REPLY dXJzZWwAa3VydAB4aXBqM3BsbXE= 235 Authenticated + + + +# +# Client-side + + +smtp + + +SMTP plain authentication with alternative authorization identity + + +mail body + + +smtp://%HOSTIP:%SMTPPORT/953 --mail-rcpt recipient@example.com --mail-from sender@example.com -u kurt:xipj3plmq --sasl-authzid ursel -T - + + + +# +# Verify data after the test has been "shot" + + +EHLO 953 +AUTH PLAIN +dXJzZWwAa3VydAB4aXBqM3BsbXE= +MAIL FROM: +RCPT TO: +DATA +QUIT + + +mail body +. + + + diff --git a/tests/data/test954 b/tests/data/test954 new file mode 100644 index 000000000..dcc0d2d0b --- /dev/null +++ b/tests/data/test954 @@ -0,0 +1,55 @@ + + + +SMTP +SASL +SASL AUTH PLAIN +RFC4616 +RFC4954 + + + +# +# Server-side + + +AUTH PLAIN +REPLY AUTH 334 PLAIN supported +REPLY dXJzZWwAa3VydAB4aXBqM3BsbXE= 501 Not authorized + + + +# +# Client-side + + +smtp + + +SMTP plain authentication with alternative authorization identity (Not authorized) + + +mail body + + +smtp://%HOSTIP:%SMTPPORT/954 --mail-rcpt recipient@example.com --mail-from sender@example.com -u kurt:xipj3plmq --sasl-authzid ursel -T - + + + +# +# Verify data after the test has been "shot" + +# 67 - CURLE_LOGIN_DENIED + +67 + +# +# The multi interface considers a broken "CONNECT" as a prematurely broken +# transfer and such a connection will not get a "QUIT" + +EHLO 954 +AUTH PLAIN +dXJzZWwAa3VydAB4aXBqM3BsbXE= + + + -- cgit v1.2.1