🔒 Add SASL EXTERNAL mechanism

Author: nevans

lib/net/imap.rb

@@ -1008,6 +1008,12 @@ def starttls(options = {}, verify = true)
     #     Allows the user to gain access to public services or resources without
     #     authenticating or disclosing an identity.
     #
+    # +EXTERNAL+::
+    #     See ExternalAuthenticator[Net::IMAP::SASL::ExternalAuthenticator].
+    #
+    #     Login using already established credentials, such as a TLS certificate
+    #     or IPsec.
+    #
     # +PLAIN+::
     #     See PlainAuthenticator[Net::IMAP::SASL::PlainAuthenticator].
     #

lib/net/imap/sasl.rb

@@ -33,6 +33,12 @@ class IMAP
     #     Allows the user to gain access to public services or resources without
     #     authenticating or disclosing an identity.
     #
+    # +EXTERNAL+::
+    #     See ExternalAuthenticator[Net::IMAP::SASL::ExternalAuthenticator].
+    #
+    #     Login using already established credentials, such as a TLS certificate
+    #     or IPsec.
+    #
     # +PLAIN+::
     #     See PlainAuthenticator[Net::IMAP::SASL::PlainAuthenticator].
     #
@@ -77,6 +83,7 @@ module SASL
       autoload :Authenticators,           "#{sasl_dir}/authenticators"
 
       autoload :AnonymousAuthenticator,   "#{sasl_dir}/anonymous_authenticator"
+      autoload :ExternalAuthenticator,    "#{sasl_dir}/external_authenticator"
       autoload :PlainAuthenticator,       "#{sasl_dir}/plain_authenticator"
       autoload :XOAuth2Authenticator,     "#{sasl_dir}/xoauth2_authenticator"
 

lib/net/imap/sasl/authenticators.rb

@@ -34,6 +34,7 @@ def initialize(use_defaults: false)
       @authenticators = {}
       if use_defaults
         add_authenticator "Anonymous"
+        add_authenticator "External"
         add_authenticator "Plain"
         add_authenticator "XOAuth2"
         add_authenticator "Login"      # deprecated

lib/net/imap/sasl/external_authenticator.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+module Net
+  class IMAP < Protocol
+    module SASL
+
+      # Authenticator for the "+EXTERNAL+" SASL mechanism, as specified by
+      # RFC-4422[https://tools.ietf.org/html/rfc4422].  See
+      # Net::IMAP#authenticate.
+      #
+      # The EXTERNAL mechanism requests that the server use client credentials
+      # established external to SASL, for example by TLS certificate or IPsec.
+      #
+      class ExternalAuthenticator
+
+        # :call-seq:
+        #   initial_response? -> true
+        #
+        # +EXTERNAL+ can send an initial client response.
+        def initial_response?; true end
+
+        ##
+        # :call-seq:
+        #   new                                 -> authenticator
+        #   new(authzid,  **)                   -> authenticator
+        #   new(authzid:, **)                   -> authenticator
+        #
+        # Creates an Authenticator for the "+EXTERNAL+" SASL mechanism, as
+        # specified in RFC-4422[https://tools.ietf.org/html/rfc4422].  To use
+        # this, see Net::IMAP#authenticate or your client's authentication
+        # method.
+        #
+        # ==== Configuration parameters
+        # Only one parameter, which is optional:
+        #
+        # * #authzid -- the identity to act as.  Leave blank to use the identity
+        #   associated with the client's credentials.
+        #
+        #   May be sent as a positional argument or as a keyword argument.
+        #
+        def initialize(authzid_arg = nil, authzid: nil)
+          @authzid = authzid || authzid_arg
+          [authzid, authzid_arg].compact.count <= 1 or
+            raise ArgumentError, "conflicting values for authzid"
+          if @authzid
+            raise ArgumentError, "contains NULL"  if @authzid.include? NULL
+            @authzid = @authzid.encode "UTF-8"
+            @authzid.valid_encoding? or raise ArgumentError, "not valid UTF-8"
+          end
+        end
+
+        attr_reader :authzid
+
+        def process(_)
+          return "" if authzid.nil?
+          if /\u0000/u.match?(authzid) # also validates UTF8 encoding
+            raise DataFormatError, "authzid contains NULL"
+          end
+          authzid.encode "UTF-8"
+        end
+
+        def authzid=(value)
+          raise ArgumentError, "contains NULL"  if value.include? NULL
+          value = value.encode "UTF-8"
+          value.valid_encoding? or raise ArgumentError, "not valid UTF-8"
+          super(value)
+        end
+
+        private
+
+        NULL = "\0"
+        private_constant :NULL
+
+      end
+    end
+  end
+end

test/net/imap/test_imap_authenticators.rb

@@ -95,6 +95,37 @@ def test_xoauth2_supports_initial_response
     assert Net::IMAP::SASL.initial_response?(xoauth2("foo", "bar"))
   end
 
+  # ----------------------
+  # EXTERNAL
+  # ----------------------
+
+  def external(*args, **kwargs, &block)
+    Net::IMAP::SASL.authenticator("EXTERNAL", *args, **kwargs, &block)
+  end
+
+  def test_external_matches_mechanism
+    assert_kind_of(Net::IMAP::SASL::ExternalAuthenticator, external)
+  end
+
+  def test_external_response
+    assert_equal("", external.process(nil))
+    assert_equal("hello world", external("hello world").process(nil))
+    assert_equal("kwargs",
+                 external(authzid: "kwargs").process(nil))
+  end
+
+  def test_external_utf8
+    assert_equal("", external.process(nil))
+    assert_equal("🏴󠁧󠁢󠁥󠁮󠁧󠁿 England", external("🏴󠁧󠁢󠁥󠁮󠁧󠁿 England").process(nil))
+    assert_equal("kwargs",
+                 external(authzid: "kwargs").process(nil))
+  end
+
+  def test_external_invalid
+    assert_raise(ArgumentError) { external("bad\0contains NULL") }
+    assert_raise(ArgumentError) { external("invalid utf8\x80") }
+  end
+
   # ----------------------
   # ANONYMOUS
   # ----------------------