SASL EXTERNAL implementation

[DenysGonchar]

Initial implementation of SASL EXTERNAL

[arcusfelis]

sasl_verify or something more self-describing good to have.
Should we replace this record with a map eventually?

At least with my client we have everything else field with a map for any extra stuff.

[DenysGonchar]

verify_none & verify_peer are the standard atoms in erlang's ssl and fast_tls. so let it stay standard,
if we want to change record to map - let's do it in another CR. this one is already too big

[arcusfelis]

I was talking about #state.verify field name.
Values are fine. But field name is very confusing.

Can be

sasl_verify    :: verify_none | verify_peer

or

sasl_ssl_verify :: verify_none | verify_peer

or

sasl_tls_verify :: verify_none | verify_peer

Also, there should be info, that this field is initialized based on listener settings.

[arcusfelis]

Module description comment

[fenek]

E.g. what certificates, what is the primary user of this module...

[arcusfelis]

report error here, we are loosing stacktrace info.

[DenysGonchar]

i'm not gonna log here anything, it's normal when certificate is missing some of the fields, generally it's not an error. if you want to log something - do it in the proper place, it's a duty of the caller

[fenek]

It's not about logging but returning a meaningful error, so the caller will actually know what went wrong.

[arcusfelis]

report an error here

[DenysGonchar]

i'm not gonna log here anything, it's normal when certificate is missing some of the fields, generally it's not an error. if you want to log something - do it in the proper place, it's a duty of the caller

[arcusfelis]

Than this code can be rewritten without try ... catch.
Just by expecting missing fields.
There also should be at least two tests: one with missing field, one with not.

.... ideally.

[fenek]

It deserves a separate error return, when a field expected to have a valid XMPP address, does not actually have one. If fields are missing at all, then I think it's OK to return [].

[arcusfelis]

ok, catching everything is usually bad practice.
I should be used with care and should report errors and stacktrace.
Otherwise we would ignore some invisible errors.

[DenysGonchar]

i'm not gonna log here anything, it's normal when certificate is missing some of the fields, generally it's not an error. if you want to log something - do it in the proper place, it's a duty of the caller

[arcusfelis]

try ... catch _:_ construction should not used in code, because it hides all the errors.
Both expected and not.

[arcusfelis]

If there was a typo in SubjectAltName, for example SubjectAltnaen we would never find this out.

I am fine with

case decode(....) of
    {ok, SANs} ->
....
{error, _} ->
[]
end

On microbenchmarking side: going inside catch construction is slower than just case.

[DenysGonchar]

Michael, this module will be covered with the tests. that will be done in the next PR because we need to change our SSL certs generation suit, and that is big chunk of work. generally i did manual tests for this code so it's ok to archive it. this code provides only ASN1 parsing, it is ok to to use try/catch here. i'm not gonna change it. period. this comment is related to all the parsing functions.

[fenek]

It's not about doing a typo in a code or tests but lack of any meaningful error return here will make it more difficult to debug problems with real-world certificates. I'd even prefer a lack of try..catch rather than hiding errors.

[arcusfelis]

more specific type than any().

[arcusfelis]

more specific type.

[arcusfelis]

whitespaces , .

[arcusfelis]

There is nothing in dev-handbook about whitespaces, but generally we use them.

[arcusfelis]

it can be two functions, UTF8 argument is not needed.
Also, it returns list if failed to parse - should be in a comment.

returns a list of binaries. The length of the list is one or zero.

[fenek]

I'm not sure if it really requires a comment. Spec would be useful on the other hand.

[arcusfelis]

while lists:flatten works here, lists:append is more fitting, because we don't have nested lists.

[DenysGonchar]

actually it is [bitstring] ++ [[bitstring],...] ++ [[bitstring],...]

[arcusfelis]

I would love to see a comment like: "we don't need any type of password for cert mechanism".

[fenek]

Wat? It's more like "we don't want to offer cert mechanism if store type is unknown... but why exactly?

[DenysGonchar]

correct, we want to offer external mechanism only if store type is scram. it's done with thought regarding future extension of DB based auth backends. we can extend them with certificates support only if password is scrammed, other-way we can't distinguish values between passwords and certs

[arcusfelis]

Header, what is while for, how works.
What's the difference between this and cyrsasl_plain.

[arcusfelis]

saslext_state would be a better name.
Because sometimes we do load records definitions into shell, and it works better, if each record have a unique name.

But maybe consider to use maps.
creds should be typed and commented.

[fenek]

We use state for record name in so many places, that I think it should be a coordinated refactoring effort (if we would like to do it at all).

[fenek]

But 👍 for typed creds.

[arcusfelis]

new line?

[arcusfelis]

[ {pem_cert, ..... can go into a separate variable. ExtraFields2 or something.

[DenysGonchar]

there is dedicated variable ExtraFields, because it can be [ ], or list of definitions. and that is not the case for DerCert and PemCert.

[arcusfelis]

OK

ExtraFields = get_common_name(Cert) ++ get_xmpp_addresses(Cert),
AllFields = [{pem_cert, PemCert}, {der_cert, DerCert} | ExtraFields],
mongoose_credentials:extend(Creds, AllFields)

[arcusfelis]

I need to know that the second argument of extend is fields just by looking at the code.

[fenek]

IMO it is fine as it is now and looks clear. :)

[arcusfelis]

whitespaces , .

[arcusfelis]

I would like to know on which step we add client_cert when reading the code.
And if the client_cert is missing, the client is considered unauthorized.

[DenysGonchar]

if client cert is missing, client can try another SASL mechanisms, it's not proposed to use SASL EXTERNAL.

[fenek]

Is it possible for a client to reach cyrsasl_external:new without certificate present anyway?

[fenek]

@arcusfelis
It's pretty intuitive that the certificate is provided by c2s. And line 36 is not that far and it explains everything.

[DenysGonchar]

no, it's not possible, see ejabberd_c2s, it filters out external mechanism if clients certificate is not provided.

[fenek]

Which part of the XEP covers a case when the EXTERNAL mechanism is offered but client hasn't provided any certificate?

[DenysGonchar]

ok, you right, it's not XEP178, it's RFC6120. see 6.3.4. Mechanism Offers

[fenek]

However, the receiving entity MAY offer the SASL EXTERNAL mechanism under other circumstances, as well.

But we do not offer it under other circumstances, right? Currently it's an unreachable code that confuses the reader. YAGNI.

[DenysGonchar]

it's quite fun to so YAGNI reference in a context of 1 extra code line.

any way, SASL mechanism filtering is not mandatory, and it simply was added later than cyrsasl_external module. so this code was triggered in initial implementation, and it was required to close client's session gracefully

[fenek]

Is it important that filtering was added by this PR? The fact remains, that this code will never be executed unless there is a bug which would lead to client successfully choosing EXTERNAL despite lack of certificate.

[arcusfelis]

comment, why do we need to save requested_name.

[DenysGonchar]

see XEP 178. generally SASL code is not responsible to make an auth decision, it up to auth backend(s)

[fenek]

Where is this field used in the code?

[DenysGonchar]

it can be used by auth module, but the demo pki auth module that we currently have ignores it, as well as most of the cert fields.

[arcusfelis]

types are too generic.
-type saslext_state() :: #state{} and using saslext_state() everywhere.
ClientIn is probably luser().

[arcusfelis]

Indention, 4 spaces everywhere.
btw, there was a code style guide somewhere, but definitely not inside the repo.

[DenysGonchar]

the link to code style, please

[fenek]

Every module in MIM has 4-space indention, maybe except for some old ejabberd code nobody really touched since fork (I think some pieces might still be left...).

[arcusfelis]

would be good to mention that auth backend is most likely ejabberd_auth_pki.
Or something, that does not use password.

[DenysGonchar]

ejabberd_auth_pki is just a demo auth backend it assumes that cert is ok if it passes validation, there's a plan to use DB backends in the future.

[arcusfelis]

doc header.
license header.

[DenysGonchar]

i would add it with a big pleasure, do we have some doc that describes the format of license/doc header?

[arcusfelis]

Be like @kzemek

%%==============================================================================     
%% Copyright 2017 Erlang Solutions Ltd.                                              
%%                                                                                   
%% Licensed under the Apache License, Version 2.0 (the "License");                   
%% you may not use this file except in compliance with the License.                  
%% You may obtain a copy of the License at                                           
%%                                                                                   
%% http://www.apache.org/licenses/LICENSE-2.0                                        
%%                                                                                   
%% Unless required by applicable law or agreed to in writing, software               
%% distributed under the License is distributed on an "AS IS" BASIS,                 
%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.          
%% See the License for the specific language governing permissions and               
%% limitations under the License.                                                    
%%==============================================================================     
                                                                                     
-module(mod_global_distrib_utils).                                                   
-author('[email protected]').                                        
                                                                              
                      

It's for new files, not based on ejabberd's code.

[arcusfelis]

It's in a private company dev-handbook.
https://github.com/esl/dev-handbook/blob/master/development_handbook.markdown#module-header

We should have subset of it for public use, but we don't have yet.

[fenek]

@arcusfelis

I'm not so sure if it's OK to put Apache license in our new modules, because ejabberd files already have GPL license. I'm not that good with legal stuff but isn't there a chance of some conflict here?

Standard company header (according to the devbook) is an optimal choice I guess.

[kzemek]

@fenek We license the whole project under terms covered in the COPYING file. I would interpret files with Apache license header to be additionally available under Apache license. Anyway, correct copyright headers help us see which files still prevent us from moving the whole project from GPL to Apache.

[fenek]

It sounds sane but as far as I understand, we are operating on our assumptions, correct? Not a formal opinion of a lawyer experienced in open source licenses.

Anyway, the truth is that the standard header for dev handbook provides more useful information than the one with Apache license... they can be combined so a header fills the first screen of a source code view. :D

OK, now seriously: I'd prefer the handbook header. And this legal stuff is a mess.

[arcusfelis]

really scram, or not relevant?
maybe external

[DenysGonchar]

really, this scram/plain/external store types has nothing common with sasl mechanisms. it's more about the way how we store the password. and we will add certificates support in DB based auth backends later. but that backends must be configured as scram. other way that won't be possible to distinguish between passwords and certificates

[arcusfelis]

whitespace ,

[arcusfelis]

we don't need callback comments for functions that do nothing (i.e. just return one value always).

[DenysGonchar]

of course we do need them. it is very basic module, but it can be extended for the client's needs.

[fenek]

These comments don't do any harm.

[arcusfelis]

whitespaces, probably indention.
We use style

    case X of
        something ->
            something
    end.

[DenysGonchar]

please reference to the doc

[fenek]

Personally I don't mind lack of newline when all matches in a case are one-liners.

[arcusfelis]

M, S

[arcusfelis]

we don't need to touch the whole block.
unless you want to create functions feature_order_cases(), c2s_noproc_cases(), .....

[arcusfelis]

% mim...

[arcusfelis]

typo in verify

[fenek]

I don't like calling utility function from ejabberd_s2s in a module that is not dedicated to S2S logic. I think I could live with some code duplication or even better - moving domain_utf8_to_ascii to some util module.

[DenysGonchar]

first version of this module is just cut&paste from ejabberd_s2s_in module, than the code was cleaned up to make it reusable from cyrsasl_external

[codecov-io]

Codecov Report

Merging #1735 into master will decrease coverage by 0.2%.
The diff coverage is 43.66%.

@@            Coverage Diff             @@
##           master    #1735      +/-   ##
==========================================
- Coverage   74.65%   74.45%   -0.21%     
==========================================
  Files         283      288       +5     
  Lines       26578    26760     +182     
==========================================
+ Hits        19843    19923      +80     
- Misses       6735     6837     +102

Impacted Files	Coverage Δ
src/ejabberd.erl	31.25% <ø> (ø)	⬆️
src/cyrsasl_external.erl	0% <0%> (ø)
src/cert_utils.erl	0% <0%> (ø)
src/ejabberd_auth_pki.erl	0% <0%> (ø)
...c/global_distrib/mod_global_distrib_server_sup.erl	100% <100%> (ø)	⬆️
src/mam_iq.erl	88.67% <100%> (ø)	⬆️
...c/global_distrib/mod_global_distrib_server_mgr.erl	80% <100%> (ø)	⬆️
src/mod_mam.erl	89.39% <100%> (+0.37%)	⬆️
src/mod_mam_muc.erl	70.37% <100%> (ø)	⬆️
src/mod_mam_utils.erl	87.37% <100%> (+1.36%)	⬆️
... and 28 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0c501f7...ef1af53. Read the comment docs.