kennyh
/
emqx4.3


			
				
					
						
						
							12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879
							%%--------------------------------------------------------------------
%% Copyright (c) 2021-2024 EMQ Technologies Co., Ltd. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
%% you may not use this file except in compliance with the License.
%% You may obtain a copy of the License at
%%
%%     http://www.apache.org/licenses/LICENSE-2.0
%%
%% Unless required by applicable law or agreed to in writing, software
%% distributed under the License is distributed on an "AS IS" BASIS,
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
%% See the License for the specific language governing permissions and
%% limitations under the License.
%%--------------------------------------------------------------------

-module(emqx_utils_scram).

-export([authenticate/7]).

%%------------------------------------------------------------------------------
%% Authentication
%%------------------------------------------------------------------------------
authenticate(AuthMethod, AuthData, AuthCache, Conf, RetrieveFun, OnErrFun, ResultKeys) ->
    case ensure_auth_method(AuthMethod, AuthData, Conf) of
        true ->
            case AuthCache of
                #{next_step := client_final} ->
                    check_client_final_message(AuthData, AuthCache, Conf, OnErrFun, ResultKeys);
                _ ->
                    check_client_first_message(AuthData, AuthCache, Conf, RetrieveFun, OnErrFun)
            end;
        false ->
            ignore
    end.

ensure_auth_method(_AuthMethod, undefined, _Conf) ->
    false;
ensure_auth_method(<<"SCRAM-SHA-256">>, _AuthData, #{algorithm := sha256}) ->
    true;
ensure_auth_method(<<"SCRAM-SHA-512">>, _AuthData, #{algorithm := sha512}) ->
    true;
ensure_auth_method(_AuthMethod, _AuthData, _Conf) ->
    false.

check_client_first_message(
    Bin, _Cache, #{iteration_count := IterationCount}, RetrieveFun, OnErrFun
) ->
    case
        sasl_auth_scram:check_client_first_message(
            Bin,
            #{
                iteration_count => IterationCount,
                retrieve => RetrieveFun
            }
        )
    of
        {continue, ServerFirstMessage, Cache} ->
            {continue, ServerFirstMessage, Cache};
        ignore ->
            ignore;
        {error, Reason} ->
            OnErrFun("check_client_first_message_error", Reason),
            {error, not_authorized}
    end.

check_client_final_message(Bin, Cache, #{algorithm := Alg}, OnErrFun, ResultKeys) ->
    case
        sasl_auth_scram:check_client_final_message(
            Bin,
            Cache#{algorithm => Alg}
        )
    of
        {ok, ServerFinalMessage} ->
            {ok, maps:with(ResultKeys, Cache), ServerFinalMessage};
        {error, Reason} ->
            OnErrFun("check_client_final_message_error", Reason),
            {error, not_authorized}
    end.