# frozen_string_literal: true
require_relative "gs2_header"
module Net
class IMAP < Protocol
module SASL
# Abstract base class for the SASL mechanisms defined in
# RFC7628[https://www.rfc-editor.org/rfc/rfc7628]:
# * OAUTHBEARER[rdoc-ref:OAuthBearerAuthenticator]
# (OAuthBearerAuthenticator)
# * OAUTH10A
class OAuthAuthenticator
include GS2Header
# Authorization identity: an identity to act as or on behalf of. The
# identity form is application protocol specific. If not provided or
# left blank, the server derives an authorization identity from the
# authentication identity. The server is responsible for verifying the
# client's credentials and verifying that the identity it associates
# with the client's authentication identity is allowed to act as (or on
# behalf of) the authorization identity.
#
# For example, an administrator or superuser might take on another role:
#
# imap.authenticate "PLAIN", "root", passwd, authzid: "user"
#
attr_reader :authzid
alias username authzid
# Hostname to which the client connected. (optional)
attr_reader :host
# Service port to which the client connected. (optional)
attr_reader :port
# HTTP method. (optional)
attr_reader :mthd
# HTTP path data. (optional)
attr_reader :path
# HTTP post data. (optional)
attr_reader :post
# The query string. (optional)
attr_reader :qs
alias query qs
# Stores the most recent server "challenge". When authentication fails,
# this may hold information about the failure reason, as JSON.
attr_reader :last_server_response
# Creates an RFC7628[https://www.rfc-editor.org/rfc/rfc7628] OAuth
# authenticator.
#
# ==== Parameters
#
# See child classes for required parameter(s). The following parameters
# are all optional, but it is worth noting that application protocols
# are allowed to require #authzid (or other parameters, such as
# #host or #port) as are specific server implementations.
#
# * _optional_ #authzid ― Authorization identity to act as or on behalf of.
#
# _optional_ #username — An alias for #authzid.
#
# Note that, unlike some other authenticators, +username+ sets the
# _authorization_ identity and not the _authentication_ identity. The
# authentication identity is established for the client by the OAuth
# token.
#
# * _optional_ #host — Hostname to which the client connected.
# * _optional_ #port — Service port to which the client connected.
# * _optional_ #mthd — HTTP method
# * _optional_ #path — HTTP path data
# * _optional_ #post — HTTP post data
# * _optional_ #qs — HTTP query string
#
# _optional_ #query — An alias for #qs
#
# Any other keyword parameters are quietly ignored.
def initialize(authzid: nil, host: nil, port: nil,
username: nil, query: nil,
mthd: nil, path: nil, post: nil, qs: nil, **)
@authzid = authzid || username
@host = host
@port = port
@mthd = mthd
@path = path
@post = post
@qs = qs || query
@done = false
end
# The {RFC7628 §3.1}[https://www.rfc-editor.org/rfc/rfc7628#section-3.1]
# formatted response.
def initial_client_response
kv_pairs = {
host: host, port: port, mthd: mthd, path: path, post: post, qs: qs,
auth: authorization, # authorization is implemented by subclasses
}.compact
[gs2_header, *kv_pairs.map {|kv| kv.join("=") }, "\1"].join("\1")
end
# Returns initial_client_response the first time, then "^A".
def process(data)
@last_server_response = data
done? ? "\1" : initial_client_response
ensure
@done = true
end
# Returns true when the initial client response was sent.
#
# The authentication should not succeed unless this returns true, but it
# does *not* indicate success.
def done?; @done end
# Value of the HTTP Authorization header
#
# Implemented by subclasses.
def authorization; raise "must be implemented by subclass" end
end
# Authenticator for the "+OAUTHBEARER+" SASL mechanism, specified in
# RFC7628[https://www.rfc-editor.org/rfc/rfc7628]. Authenticates using
# OAuth 2.0 bearer tokens, as described in
# RFC6750[https://www.rfc-editor.org/rfc/rfc6750]. Use via
# Net::IMAP#authenticate.
#
# RFC6750[https://www.rfc-editor.org/rfc/rfc6750] requires Transport Layer
# Security (TLS) to secure the protocol interaction between the client and
# the resource server. TLS _MUST_ be used for +OAUTHBEARER+ to protect
# the bearer token.
class OAuthBearerAuthenticator < OAuthAuthenticator
# An OAuth 2.0 bearer token. See {RFC-6750}[https://www.rfc-editor.org/rfc/rfc6750]
attr_reader :oauth2_token
alias secret oauth2_token
# :call-seq:
# new(oauth2_token, **options) -> authenticator
# new(authzid, oauth2_token, **options) -> authenticator
# new(oauth2_token:, **options) -> authenticator
#
# Creates an Authenticator for the "+OAUTHBEARER+" SASL mechanism.
#
# Called by Net::IMAP#authenticate and similar methods on other clients.
#
# ==== Parameters
#
# * #oauth2_token — An OAuth2 bearer token
#
# All other keyword parameters are passed to
# {super}[rdoc-ref:OAuthAuthenticator::new] (see OAuthAuthenticator).
# The most common ones are:
#
# * _optional_ #authzid ― Authorization identity to act as or on behalf of.
#
# _optional_ #username — An alias for #authzid.
#
# Note that, unlike some other authenticators, +username+ sets the
# _authorization_ identity and not the _authentication_ identity. The
# authentication identity is established for the client by
# #oauth2_token.
#
# * _optional_ #host — Hostname to which the client connected.
# * _optional_ #port — Service port to which the client connected.
#
# Although only oauth2_token is required by this mechanism, it is worth
# noting that application protocols are allowed to
# require #authzid (or other parameters, such as #host
# _or_ #port) as are specific server implementations.
def initialize(arg1 = nil, arg2 = nil,
oauth2_token: nil, secret: nil,
**args, &blk)
username, oauth2_token_arg = arg2.nil? ? [nil, arg1] : [arg1, arg2]
super(username: username, **args, &blk)
@oauth2_token = oauth2_token || secret || oauth2_token_arg or
raise ArgumentError, "missing oauth2_token"
end
# :call-seq:
# initial_response? -> true
#
# +OAUTHBEARER+ sends an initial client response.
def initial_response?; true end
# Value of the HTTP Authorization header
def authorization; "Bearer #{oauth2_token}" end
end
end
end
end