author | Steve Holme <steve_holme@hotmail.com> | 2019-04-19 14:26:47 +0100 |
---|---|---|
committer | Jay Satiro <raysatiro@yahoo.com> | 2019-08-06 11:38:41 -0400 |
commit | 1e08a7925830d7822f911165d9789e5e4f765534 (patch) | |
tree | b3495093a52e85c1a48d3b64bbd89bc0f2458dfd | |
parent | 7c469fa537397c3b8307c92aa723e3af6d941e95 (diff) |
curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool
Ref: https://github.com/curl/curl/issues/3653
Ref: https://github.com/curl/curl/pull/3790
NOTE: This commit was cherry-picked and is part of a series of commits
that added the authzid feature for upcoming 7.66.0. The series was
temporarily reverted in db8ec1f so that it would not ship in a 7.65.x
patch release.
Closes https://github.com/curl/curl/pull/4186
-rw-r--r-- | docs/cmdline-opts/Makefile.inc | 1 | ||||
-rw-r--r-- | docs/cmdline-opts/sasl-authzid.d | 11 | ||||
-rw-r--r-- | src/tool_cfgable.c | 1 | ||||
-rw-r--r-- | src/tool_cfgable.h | 1 | ||||
-rw-r--r-- | src/tool_getparam.c | 6 | ||||
-rw-r--r-- | src/tool_help.c | 2 | ||||
-rw-r--r-- | src/tool_operate.c | 5 | ||||
-rw-r--r-- | tests/data/Makefile.inc | 7 | ||||
-rw-r--r-- | tests/data/test848 | 56 | ||||
-rw-r--r-- | tests/data/test849 | 51 | ||||
-rw-r--r-- | tests/data/test892 | 57 | ||||
-rw-r--r-- | tests/data/test893 | 53 | ||||
-rw-r--r-- | tests/data/test953 | 56 | ||||
-rw-r--r-- | tests/data/test954 | 55 |
14 files changed, 358 insertions, 4 deletions
diff --git a/docs/cmdline-opts/Makefile.inc b/docs/cmdline-opts/Makefile.inc index d50a8bb26..1bdda9885 100644 --- a/docs/cmdline-opts/Makefile.inc +++ b/docs/cmdline-opts/Makefile.inc @@ -158,6 +158,7 @@ DPAGES = \ retry-delay.d \ retry-max-time.d \ retry.d \ + sasl-authzid.d \ sasl-ir.d \ service-name.d \ show-error.d \ diff --git a/docs/cmdline-opts/sasl-authzid.d b/docs/cmdline-opts/sasl-authzid.d new file mode 100644 index 000000000..b34db97fc --- /dev/null +++ b/docs/cmdline-opts/sasl-authzid.d @@ -0,0 +1,11 @@ +Long: sasl-authzid +Help: Use this identity to act as during SASL PLAIN authentication +Added: 7.66.0 +--- +Use this authorisation identity (authzid), during SASL PLAIN authentication, +in addition to the authentication identity (authcid) as specified by --user. + +If the option isn't specified, the server will derive the authzid from the +authcid, but if specified, and depending on the server implementation, it may +be used to access another user's inbox, that the user has been granted access +to, or a shared mailbox for example. diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c index 76febc9c9..efa8c50b2 100644 --- a/src/tool_cfgable.c +++ b/src/tool_cfgable.c @@ -133,6 +133,7 @@ static void free_config_fields(struct OperationConfig *config) Curl_safefree(config->krblevel); Curl_safefree(config->oauth_bearer); + Curl_safefree(config->sasl_authzid); Curl_safefree(config->unix_socket_path); Curl_safefree(config->writeout); diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h index d43f03c40..f6248c20b 100644 --- a/src/tool_cfgable.h +++ b/src/tool_cfgable.h @@ -96,6 +96,7 @@ struct OperationConfig { char *mail_from; struct curl_slist *mail_rcpt; char *mail_auth; + char *sasl_authzid; /* Authorisation identity (identity to use) */ bool sasl_ir; /* Enable/disable SASL initial response */ bool proxytunnel; bool ftp_append; /* APPE on ftp */ diff --git a/src/tool_getparam.c b/src/tool_getparam.c index 77a77da70..952e602ed 100644 
--- a/src/tool_getparam.c +++ b/src/tool_getparam.c @@ -178,7 +178,8 @@ static const struct LongShort aliases[]= { {"$H", "mail-auth", ARG_STRING}, {"$I", "post303", ARG_BOOL}, {"$J", "metalink", ARG_BOOL}, - {"$K", "sasl-ir", ARG_BOOL}, + {"$6", "sasl-authzid", ARG_STRING}, + {"$K", "sasl-ir", ARG_BOOL }, {"$L", "test-event", ARG_BOOL}, {"$M", "unix-socket", ARG_FILENAME}, {"$N", "path-as-is", ARG_BOOL}, @@ -1103,6 +1104,9 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ #endif break; } + case '6': /* --sasl-authzid */ + GetStr(&config->sasl_authzid, nextarg); + break; case 'K': /* --sasl-ir */ config->sasl_ir = toggle; break; diff --git a/src/tool_help.c b/src/tool_help.c index a5b6e7204..86bd692d9 100644 --- a/src/tool_help.c +++ b/src/tool_help.c @@ -391,6 +391,8 @@ static const struct helptxt helptext[] = { "Wait time between retries"}, {" --retry-max-time <seconds>", "Retry only within this period"}, + {" --sasl-authzid <identity> ", + "Use this identity to act as during SASL PLAIN authentication"}, {" --sasl-ir", "Enable initial response in SASL authentication"}, {" --service-name <name>", diff --git a/src/tool_operate.c b/src/tool_operate.c index 946dc7cca..8d526c328 100644 --- a/src/tool_operate.c +++ b/src/tool_operate.c @@ -1778,6 +1778,10 @@ static CURLcode create_transfers(struct GlobalConfig *global, if(config->mail_auth) my_setopt_str(curl, CURLOPT_MAIL_AUTH, config->mail_auth); + /* new in 7.66.0 */ + if(config->sasl_authzid) + my_setopt_str(curl, CURLOPT_SASL_AUTHZID, config->sasl_authzid); + /* new in 7.31.0 */ if(config->sasl_ir) my_setopt(curl, CURLOPT_SASL_IR, 1L); @@ -1801,6 +1805,7 @@ static CURLcode create_transfers(struct GlobalConfig *global, config->unix_socket_path); } } + /* new in 7.45.0 */ if(config->proto_default) my_setopt_str(curl, CURLOPT_DEFAULT_PROTOCOL, config->proto_default); diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc index 6d19ed3c9..0657d2120 100644 --- a/tests/data/Makefile.inc 
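Review bot: The alias-table hunk in src/tool_getparam.c rewrites the existing sasl-ir entry only to put a space before its closing brace (`ARG_BOOL },`), which adds a removed/added pair for no functional reason. Keeping `{"$K", "sasl-ir", ARG_BOOL},` would leave just the one new line. The new `"$6"` entry also sits between `"$J"` and `"$K"`; if `aliases[]` is meant to be ordered by short key (the rest of the table is outside the hunk), it belongs with the other digit keys. The src/tool_help.c hunk has similar stray whitespace: `<identity> "` has a space before the closing quote that the neighbouring `<seconds>"` and `<name>"` entries do not have.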
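Review bot: The `/* new in 7.66.0 */` comment above the CURLOPT_SASL_AUTHZID call in src/tool_operate.c records the version but not the scope of the option, which the added docs/cmdline-opts/sasl-authzid.d limits to SASL PLAIN authentication. I would state that at the call site, e.g. `/* new in 7.66.0: authzid, documented for SASL PLAIN only */`, so a later reader does not assume the requested identity applies to every mechanism. Nothing in this hunk shows what happens when --sasl-authzid is given but PLAIN is not the mechanism used. If the value is then silently unused, the transfer would presumably run under the --user identity rather than the one asked for, which is worth confirming and stating in the option's documentation. create_transfers starts and ends outside the hunk.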
+++ b/tests/data/Makefile.inc
@@ -93,20 +93,21 @@ test809 test810 test811 test812 test813 test814 test815 test816 test817 \
 test818 test819 test820 test821 test822 test823 test824 test825 test826 \
 test827 test828 test829 test830 test831 test832 test833 test834 test835 \
 test836 test837 test838 test839 test840 test841 test842 test843 test844 \
-test845 test846 test847 \
+test845 test846 test847 test848 test849 \
 \
 test850 test851 test852 test853 test854 test855 test856 test857 test858 \
 test859 test860 test861 test862 test863 test864 test865 test866 test867 \
 test868 test869 test870 test871 test872 test873 test874 test875 test876 \
 test877 test878 test879 test880 test881 test882 test883 test884 test885 \
-test886 test887 test888 test889 test890 test891 \
+test886 test887 test888 test889 test890 test891 test892 test893 \
 \
 test900 test901 test902 test903 test904 test905 test906 test907 test908 \
 test909 test910 test911 test912 test913 test914 test915 test916 test917 \
 test918 test919 test920 test921 test922 test923 test924 test925 test926 \
 test927 test928 test929 test930 test931 test932 test933 test934 test935 \
 test936 test937 test938 test939 test940 test941 test942 test943 test944 \
-test945 test946 test947 test948 test949 test950 test951 test952 \
+test945 test946 test947 test948 test949 test950 test951 test952 test953 \
+test954 \
 \
 test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
 test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
diff --git a/tests/data/test848 b/tests/data/test848
new file mode 100644
index 000000000..bfea56898
--- /dev/null
+++ b/tests/data/test848
@@ -0,0 +1,56 @@
+<testcase>
+<info>
+<keywords>
+IMAP
+SASL
+SASL AUTH PLAIN
+RFC4616
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+AUTH PLAIN
+REPLY AUTHENTICATE +
+REPLY c2hhcmVkLW1haWxib3gAdXNlcgBzZWNyZXQ= A002 OK AUTHENTICATE completed
+</servercmd>
+<data>
+From: me@somewhere
+To: fake@nowhere
+
+body
+
+--
+ yours sincerely
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+imap
+</server>
+ <name>
+IMAP plain authentication with alternative authorization identity
+ </name>
+ <command>
+'imap://%HOSTIP:%IMAPPORT/848/;MAILINDEX=1' -u user:secret --sasl-authzid shared-mailbox
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+A001 CAPABILITY
+A002 AUTHENTICATE PLAIN
+c2hhcmVkLW1haWxib3gAdXNlcgBzZWNyZXQ=
+A003 SELECT 848
+A004 FETCH 1 BODY[]
+A005 LOGOUT
+</protocol>
+</verify>
+</testcase>
diff --git a/tests/data/test849 b/tests/data/test849
new file mode 100644
index 000000000..65d5eacf7
--- /dev/null
+++ b/tests/data/test849
@@ -0,0 +1,51 @@
+<testcase>
+<info>
+<keywords>
+IMAP
+SASL
+SASL AUTH PLAIN
+RFC4616
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+AUTH PLAIN
+REPLY AUTHENTICATE +
+REPLY dXJzZWwAa3VydAB4aXBqM3BsbXE= A002 NO Not authorized
+</servercmd>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+imap
+</server>
+ <name>
+IMAP plain authentication with alternative authorization identity (Not authorized)
+ </name>
+ <command>
+'imap://%HOSTIP:%IMAPPORT/849/;MAILINDEX=1' -u kurt:xipj3plmq --sasl-authzid ursel
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 67 - CURLE_LOGIN_DENIED
+<errorcode>
+67
+</errorcode>
+#
+# The multi interface considers a broken "CONNECT" as a prematurely broken
+# transfer and such a connection will not get a "LOGOUT"
+<protocol>
+A001 CAPABILITY
+A002 AUTHENTICATE PLAIN
+dXJzZWwAa3VydAB4aXBqM3BsbXE=
+</protocol>
+</verify>
+</testcase>
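Review bot: The expected payload in tests/data/test848 (the second `REPLY` line and the line after `A002 AUTHENTICATE PLAIN`) is an opaque base64 string, and nothing in the file says what it encodes. A reader therefore cannot see that the test pins the order of the three SASL PLAIN fields, or that the blob carries the password in recoverable form. It decodes to authzid, NUL, authcid, NUL, password, matching `-u user:secret --sasl-authzid shared-mailbox`. A comment line above `<servercmd>` such as `# The base64 string below encodes "shared-mailbox\0user\0secret": authzid NUL authcid NUL password (RFC 4616)` would make that checkable. The same applies to test892, which reuses this value, and to test849, test893, test953 and test954, where the string decodes to `ursel\0kurt\0xipj3plmq`.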
diff --git a/tests/data/test892 b/tests/data/test892
new file mode 100644
index 000000000..89a56fbc4
--- /dev/null
+++ b/tests/data/test892
@@ -0,0 +1,57 @@
+<testcase>
+<info>
+<keywords>
+POP3
+SASL
+SASL AUTH PLAIN
+RFC1734
+RFC4616
+RFC5034
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+AUTH PLAIN
+REPLY AUTH +
+REPLY c2hhcmVkLW1haWxib3gAdXNlcgBzZWNyZXQ= +OK Login successful
+</servercmd>
+<data>
+From: me@somewhere
+To: fake@nowhere
+
+body
+
+--
+ yours sincerely
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+pop3
+</server>
+ <name>
+POP3 plain authentication with alternative authorization identity
+ </name>
+ <command>
+pop3://%HOSTIP:%POP3PORT/892 -u user:secret --sasl-authzid shared-mailbox
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+CAPA
+AUTH PLAIN
+c2hhcmVkLW1haWxib3gAdXNlcgBzZWNyZXQ=
+RETR 892
+QUIT
+</protocol>
+</verify>
+</testcase>
diff --git a/tests/data/test893 b/tests/data/test893
new file mode 100644
index 000000000..982c2c897
--- /dev/null
+++ b/tests/data/test893
@@ -0,0 +1,53 @@
+<testcase>
+<info>
+<keywords>
+POP3
+SASL
+SASL AUTH PLAIN
+RFC1734
+RFC4616
+RFC5034
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+AUTH PLAIN
+REPLY AUTH +
+REPLY dXJzZWwAa3VydAB4aXBqM3BsbXE= -ERR Not authorized
+</servercmd>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+pop3
+</server>
+ <name>
+POP3 plain authentication with alternative authorization identity (Not authorized)
+ </name>
+ <command>
+pop3://%HOSTIP:%POP3PORT/893 -u kurt:xipj3plmq --sasl-authzid ursel
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 67 - CURLE_LOGIN_DENIED
+<errorcode>
+67
+</errorcode>
+#
+# The multi interface considers a broken "CONNECT" as a prematurely broken
+# transfer and such a connection will not get a "QUIT"
+<protocol>
+CAPA
+AUTH PLAIN
+dXJzZWwAa3VydAB4aXBqM3BsbXE=
+</protocol>
+</verify>
+</testcase>
diff --git a/tests/data/test953 b/tests/data/test953
new file mode 100644
index 000000000..a7636dc22
--- /dev/null
+++ b/tests/data/test953
@@ -0,0 +1,56 @@
+<testcase>
+<info>
+<keywords>
+SMTP
+SASL
+SASL AUTH PLAIN
+RFC4616
+RFC4954
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+AUTH PLAIN
+REPLY AUTH 334 PLAIN supported
+REPLY dXJzZWwAa3VydAB4aXBqM3BsbXE= 235 Authenticated
+</servercmd>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+smtp
+</server>
+ <name>
+SMTP plain authentication with alternative authorization identity
+ </name>
+<stdin>
+mail body
+</stdin>
+ <command>
+smtp://%HOSTIP:%SMTPPORT/953 --mail-rcpt recipient@example.com --mail-from sender@example.com -u kurt:xipj3plmq --sasl-authzid ursel -T -
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+EHLO 953
+AUTH PLAIN
+dXJzZWwAa3VydAB4aXBqM3BsbXE=
+MAIL FROM:<sender@example.com>
+RCPT TO:<recipient@example.com>
+DATA
+QUIT
+</protocol>
+<upload>
+mail body
+.
+</upload>
+</verify>
+</testcase>
diff --git a/tests/data/test954 b/tests/data/test954
new file mode 100644
index 000000000..dcc0d2d0b
--- /dev/null
+++ b/tests/data/test954
@@ -0,0 +1,55 @@
+<testcase>
+<info>
+<keywords>
+SMTP
+SASL
+SASL AUTH PLAIN
+RFC4616
+RFC4954
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<servercmd>
+AUTH PLAIN
+REPLY AUTH 334 PLAIN supported
+REPLY dXJzZWwAa3VydAB4aXBqM3BsbXE= 501 Not authorized
+</servercmd>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+smtp
+</server>
+ <name>
+SMTP plain authentication with alternative authorization identity (Not authorized)
+ </name>
+<stdin>
+mail body
+</stdin>
+ <command>
+smtp://%HOSTIP:%SMTPPORT/954 --mail-rcpt recipient@example.com --mail-from sender@example.com -u kurt:xipj3plmq --sasl-authzid ursel -T -
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+# 67 - CURLE_LOGIN_DENIED
+<errorcode>
+67
+</errorcode>
+#
+# The multi interface considers a broken "CONNECT" as a prematurely broken
+# transfer and such a connection will not get a "QUIT"
+<protocol>
+EHLO 954
+AUTH PLAIN
+dXJzZWwAa3VydAB4aXBqM3BsbXE=
+</protocol>
+</verify>
+</testcase> |