#!/usr/bin/perl

# Mysql external auth script
# Features: auth and isUser work, but setPass doesn't.
# Restrictions: Username or passwords may not contain some special characters: $'"` nor line breaks

# Security considerations: 
#  - i am not sure whether password is shown in the "echo" sentence when listing processes, perhaps not if echo is a shell builtin
#  - character filtering may not be perfect, but the most important '$"` are filtered out by this script
#  - mysql user password should not be set on command-line, instead use --defaults-extra-file=... The file must contain [client] in the first line and password=... next (check some man page for more details)
#  

# 2005-1-24 Modified by Alejandro Grijalba (SuD) http://www.latinsud.com
# Based on check_pass_null.pl script

my $dbUser="root";  # The username to connect to mysql
my $dbName="jab";	# The name of the database inside mysql
my $dbTable="usuarios"; # The name of the table inside the database
my $fieldUser="user";   # The name of the field that holds jabber user names
my $fieldPass="pass";   # The name of the field that holds jabber passwords

use Unix::Syslog qw(:macros :subs);

my $domain = $ARGV[0] || "example.com";

while(1)
  {
   # my $rin = '',$rout;
   # vec($rin,fileno(STDIN),1) = 1;
   # $ein = $rin;
   # my $nfound = select($rout=$rin,undef,undef,undef);

    my $buf = "";
    syslog LOG_INFO,"waiting for packet";
    my $nread = sysread STDIN,$buf,2;
    do { syslog LOG_INFO,"port closed"; exit; } unless $nread == 2;
    my $len = unpack "n",$buf;
    my $nread = sysread STDIN,$buf,$len;

    my ($op,$user,$password) = split /:/,$buf;
    
    # Filter dangerous characters
    $user =~ s/[."\n\r'\$`]//g;
    $password =~ s/[."\n\r'\$`]//g;
    
    #$user =~ s/\./\//og;
    my $jid = "$user\@$domain";
    my $result;

    syslog(LOG_INFO,"request (%s)", $op);

  SWITCH:
      {
	$op eq 'auth' and do
	  {
	     $orden = "echo \"select count(*) from $dbTable where $fieldUser='$user' and $fieldPass='$password';\" | 
	     	mysql --defaults-extra-file=./datosSql -s -B -u $dbUser $dbName | 
		grep '^ *[1-9][0-9]* *\$' &> /dev/null";
	     #syslog(LOG_INFO,"Executing: %s",$orden);

	     # if command returned 0 we return 1
	     $result = !system($orden);
	  },last SWITCH;

	$op eq 'setpass' and do
	  {
             $result = 0;
	  },last SWITCH;

        $op eq 'isuser' and do
          {
             # password is null. Return 1 if the user $user\@$domain exitst.
	     $result = 0;
	     $orden = "echo \"select count(*) from $dbTable where $fieldUser='$user';\" | 
	     	mysql --defaults-extra-file=./datosSql -s -B -u $dbUser $dbName | 
		grep '^ *[1-9][0-9]* *\$' &> /dev/null";
	     #syslog(LOG_INFO,"ejabberd_mysql_ext_auth: Executing is_user: %s",$orden);

	     # if command returned 0 we return 1
	     $result = !system($orden);
          },last SWITCH;
      };
    my $out = pack "nn",2,$result ? 1 : 0;
    syswrite STDOUT,$out;
  }

closelog;