public AuthTransaction(PopConnection connection, SaslClientMechanism authMechanism)
: base(connection)
{
if (authMechanism == null)
throw new ArgumentNullException("authMechanism");
this.saslMechanism = authMechanism;
this.requiredCapability = null; // do not check capability
this.disposeMechanism = false;
}
public AuthenticateTransaction(ImapConnection connection, SaslClientMechanism authMechanism, bool sendInitialResponse)
: base(connection)
{
if (authMechanism == null)
throw new ArgumentNullException("authMechanism");
this.saslMechanism = authMechanism;
this.sendInitialResponse = sendInitialResponse;
this.disposeMechanism = false;
}
public static PopSession CreateSession(IPopSessionProfile profile,
SaslClientMechanism authMechanismSpecified,
UpgradeConnectionStreamCallback createSslStreamCallback)
{
PopSession session;
var result = CreateSession(profile, authMechanismSpecified, createSslStreamCallback, out session);
if (result.Succeeded)
return session;
else
throw new PopAuthenticationException(result);
}
public void Connect(SaslClientMechanism authMechanism)
{
if (authMechanism == null)
throw new ArgumentNullException("authMechanism");
ThrowIfAlreadyConnectedOrAsyncConnectRunning();
SetSession(ConnectCore(new ConnectParams(profile,
authMechanism,
null)));
}
public IAsyncResult BeginConnect(SaslClientMechanism authMechanism,
UpgradeConnectionStreamCallback createSslStreamCallback,
AsyncCallback asyncCallback,
object asyncState)
{
return BeginConnect(new ConnectParams(profile,
authMechanism,
createSslStreamCallback),
asyncCallback,
asyncState);
}
public IAsyncResult BeginConnect(SaslClientMechanism authMechanism,
AsyncCallback asyncCallback,
object asyncState)
{
return BeginConnect(authMechanism, null, asyncCallback, asyncState);
}
public IAsyncResult BeginConnect(SaslClientMechanism authMechanism,
UpgradeConnectionStreamCallback createSslStreamCallback)
{
return BeginConnect(authMechanism, createSslStreamCallback, null, null);
}
public IAsyncResult BeginConnect(SaslClientMechanism authMechanism)
{
return BeginConnect(authMechanism, null, null, null);
}
/// <summary>sends AUTHENTICATE command</summary>
/// <remarks>valid in non-authenticated state</remarks>
public ImapCommandResult Authenticate(SaslClientMechanism specificAuthenticationMechanism)
{
return Authenticate(specificAuthenticationMechanism, false);
}
protected override ProcessTransactionDelegate Reset()
{
if (saslMechanism == null) {
/*
* create mechanism
*/
#if DEBUG
if (!RequestArguments.ContainsKey("mechanism"))
return ProcessArgumentNotSetted;
#endif
try {
saslMechanism = SaslClientMechanism.Create(RequestArguments["mechanism"]);
saslMechanism.Credential = credential;
// The service name specified by this protocol's profile of SASL
// is "pop".
saslMechanism.ServiceName = "pop";
if (saslMechanism is NTLMMechanism)
(saslMechanism as NTLMMechanism).TargetHost = Connection.Host;
}
catch (SaslMechanismNotSupportedException) {
return ProcessUnsupported;
}
}
else {
/*
* use supplied mechanism
*/
saslMechanism.Initialize();
RequestArguments["mechanism"] = saslMechanism.Name;
}
/*
* The optional initial-response argument to the AUTH command is
* used to save a round trip when using authentication mechanisms
* that support an initial client response.
*/
if (saslMechanism.ClientFirst) {
byte[] initialClientResponse;
if (saslMechanism.GetInitialResponse(out initialClientResponse) == SaslExchangeStatus.Failed || initialClientResponse == null)
return ProcessInitialResponseError;
RequestArguments["initial-response"] = Base64.GetEncodedString(initialClientResponse);
}
return ProcessAuth;
}
private void AuthSpecificMechanism(SaslClientMechanism authMechanism)
{
using (var session = Connect(null)) {
session.HandlesIncapableAsException = true;
if (!authMechanism.ClientFirst)
server.EnqueueResponse("+ \r\n");
server.EnqueueResponse("+ \r\n");
server.EnqueueResponse("+OK\r\n");
Assert.IsTrue((bool)session.Auth(authMechanism));
if (authMechanism.ClientFirst) {
StringAssert.AreEqualIgnoringCase("AUTH X-PSEUDO-MECHANISM c3RlcDA=\r\n",
server.DequeueRequest());
StringAssert.AreEqualIgnoringCase("c3RlcDE=\r\n",
server.DequeueRequest());
}
else {
StringAssert.AreEqualIgnoringCase("AUTH X-PSEUDO-MECHANISM\r\n",
server.DequeueRequest());
StringAssert.AreEqualIgnoringCase("c3RlcDA=\r\n",
server.DequeueRequest());
StringAssert.AreEqualIgnoringCase("c3RlcDE=\r\n",
server.DequeueRequest());
}
// not disposed
Assert.AreEqual(SaslExchangeStatus.Succeeded,
authMechanism.ExchangeStatus);
Assert.AreEqual(new Uri(string.Format("pop://{0};AUTH=X-PSEUDO-MECHANISM@{1}:{2}/",
(authMechanism.Credential == null) ? null : authMechanism.Credential.UserName,
host,
port)),
session.Authority);
}
}
/// <summary>sends AUTH command</summary>
/// <remarks>valid in authorization state</remarks>
public PopCommandResult Auth(SaslClientMechanism specificAuthenticationMechanism)
{
if (specificAuthenticationMechanism == null)
throw new ArgumentNullException("specificAuthenticationMechanism");
var ret = RejectNonConnectedOrGetAuthenticatedResult();
if (ret != null)
return ret;
using (var t = new AuthTransaction(connection, specificAuthenticationMechanism)) {
if (ProcessTransaction(t).Succeeded) {
var authMechanism = PopAuthenticationMechanism.GetKnownOrCreate(specificAuthenticationMechanism.Name);
var username = specificAuthenticationMechanism.Credential == null
? null
: specificAuthenticationMechanism.Credential.UserName;
UpdateAuthority(username, authMechanism);
TransitStateTo(PopSessionState.Transaction);
}
return t.Result;
}
}
public static PopCommandResult CreateSession(IPopSessionProfile profile,
SaslClientMechanism authMechanismSpecified,
UpgradeConnectionStreamCallback createSslStreamCallback,
out PopSession session)
{
if (profile == null)
throw new ArgumentNullException("profile");
var authority = profile.Authority;
var securePort = string.Equals(authority.Scheme, PopUri.UriSchemePops, StringComparison.OrdinalIgnoreCase);
if (securePort && createSslStreamCallback == null)
throw new ArgumentNullException("createSslStreamCallback");
PopCommandResult result;
session = null;
session = new PopSession(authority.Host,
authority.Port,
profile.Timeout,
securePort
? createSslStreamCallback
: null);
session.HandlesIncapableAsException = false;
session.TransactionTimeout = profile.Timeout;
session.SendTimeout = profile.SendTimeout;
session.ReceiveTimeout = profile.ReceiveTimeout;
// try querying server capability (ignore error; POP3 Extension Mechanism might not supported)
session.Capa();
if (profile.UseTlsIfAvailable && session.ServerCapabilities.IsCapable(PopCapability.Stls) && !session.IsSecureConnection) {
var r = session.Stls(createSslStreamCallback, false);
if (r.Failed)
throw new PopUpgradeConnectionException(r.ResultText);
// try re-querying server capability (ignore error; POP3 Extension Mechanism might not supported)
session.Capa();
}
if (authMechanismSpecified == null)
result = Authenticate(session, profile);
else
result = session.Auth(authMechanismSpecified);
if (result == null) {
throw new PopAuthenticationException("appropriate authentication mechanism not found");
}
else if (result.Failed) {
try {
try {
session.Disconnect(false);
}
catch (PopConnectionException) {
// ignore
}
}
finally {
session = null;
}
}
return result;
}
public static ImapCommandResult CreateSession(IImapSessionProfile profile,
SaslClientMechanism authMechanismSpecified,
UpgradeConnectionStreamCallback createSslStreamCallback,
out ImapSession session)
{
if (profile == null)
throw new ArgumentNullException("profile");
var authority = profile.Authority;
var securePort = string.Equals(authority.Scheme, ImapUri.UriSchemeImaps, StringComparison.OrdinalIgnoreCase);
if (securePort && createSslStreamCallback == null)
throw new ArgumentNullException("createSslStreamCallback");
ImapCommandResult result;
session = null;
session = new ImapSession(authority.Host,
authority.Port,
true,
profile.Timeout,
securePort
? createSslStreamCallback
: null);
session.HandlesIncapableAsException = false;
session.HandlesReferralAsException = false;
session.TransactionTimeout = profile.Timeout;
session.SendTimeout = profile.SendTimeout;
session.ReceiveTimeout = profile.ReceiveTimeout;
if (session.ServerCapabilities.Count == 0)
// try querying server capability (ignore error)
session.Capability();
if (!session.ServerCapabilities.Has(ImapCapability.Imap4Rev1))
throw new ImapIncapableException(ImapCapability.Imap4Rev1);
if (profile.UseTlsIfAvailable && session.ServerCapabilities.Has(ImapCapability.StartTls) && !session.IsSecureConnection) {
var r = session.StartTls(createSslStreamCallback, true);
if (r.Failed)
throw new ImapSecureConnectionException(r.ResultText);
else if (!session.ServerCapabilities.Has(ImapCapability.Imap4Rev1))
throw new ImapIncapableException(ImapCapability.Imap4Rev1);
}
if (profile.UseDeflateIfAvailable && session.ServerCapabilities.Has(ImapCapability.CompressDeflate)) {
var r = session.Compress(ImapCompressionMechanism.Deflate);
if (r.Failed)
throw new WebException(r.ResultText, null, WebExceptionStatus.RequestCanceled, null);
}
if (authMechanismSpecified == null)
result = Authenticate(session, profile);
else
result = session.Authenticate(authMechanismSpecified);
if (result == null) {
throw new ImapAuthenticationException("appropriate authentication mechanism not found");
}
else if (result.Failed) {
try {
try {
session.Disconnect(false);
}
catch (ImapConnectionException) {
// ignore
}
}
finally {
session = null;
}
}
return result;
}
private void AuthenticateSpecificMechanism(bool saslIRCapable, SaslClientMechanism authMechanism)
{
if (saslIRCapable)
server.EnqueueResponse("* OK [CAPABILITY IMAP4rev1 SASL-IR] ImapSimulatedServer ready\r\n");
else
server.EnqueueResponse("* OK [CAPABILITY IMAP4rev1] ImapSimulatedServer ready\r\n");
using (var session = new ImapSession(host, port)) {
session.HandlesIncapableAsException = true;
if (!saslIRCapable)
server.EnqueueResponse("+ \r\n");
server.EnqueueResponse("+ \r\n");
server.EnqueueResponse("0000 OK done\r\n");
Assert.IsTrue((bool)session.Authenticate(authMechanism));
if (saslIRCapable) {
Assert.AreEqual("0000 AUTHENTICATE X-PSEUDO-MECHANISM c3RlcDA=\r\n",
server.DequeueRequest());
Assert.AreEqual("c3RlcDE=\r\n",
server.DequeueRequest());
}
else {
Assert.AreEqual("0000 AUTHENTICATE X-PSEUDO-MECHANISM\r\n",
server.DequeueRequest());
Assert.AreEqual("c3RlcDA=\r\n",
server.DequeueRequest());
Assert.AreEqual("c3RlcDE=\r\n",
server.DequeueRequest());
}
// not disposed
Assert.AreEqual(SaslExchangeStatus.Succeeded,
authMechanism.ExchangeStatus);
Assert.AreEqual(new Uri(string.Format("imap://{0};AUTH=X-PSEUDO-MECHANISM@{1}:{2}/",
(authMechanism.Credential == null) ? null : authMechanism.Credential.UserName,
host,
port)),
session.Authority);
}
}
public void Connect(SaslClientMechanism authMechanism, UpgradeConnectionStreamCallback createSslStreamCallback)
{
if (authMechanism == null)
throw new ArgumentNullException("authMechanism");
ThrowIfAlreadyConnectedOrAsyncConnectRunning();
SetSession(ConnectCore(new ConnectParams(profile,
authMechanism,
createSslStreamCallback)));
}
public ConnectParams(ImapClientProfile profile,
SaslClientMechanism authMechanism,
UpgradeConnectionStreamCallback createSslStreamCallback)
{
Profile = profile.Clone();
AuthMechanism = authMechanism;
CreateSslStreamCallback = createSslStreamCallback;
}
public override void Dispose()
{
if (saslMechanism != null) {
if (disposeMechanism)
saslMechanism.Dispose();
saslMechanism = null;
}
base.Dispose();
}
/// <summary>sends AUTHENTICATE command</summary>
/// <remarks>valid in non-authenticated state</remarks>
public ImapCommandResult Authenticate(SaslClientMechanism specificAuthenticationMechanism,
bool reissueCapability)
{
var ret = RejectNonConnectedOrGetAuthenticatedResult();
if (ret != null)
return ret;
if (specificAuthenticationMechanism == null)
throw new ArgumentNullException("specificAuthenticationMechanism");
using (var t = new AuthenticateTransaction(connection, specificAuthenticationMechanism, serverCapabilities.Has(ImapCapability.SaslIR))) {
var authMechanism = ImapAuthenticationMechanism.GetKnownOrCreate(specificAuthenticationMechanism.Name);
var username = specificAuthenticationMechanism.Credential == null
? null
: specificAuthenticationMechanism.Credential.UserName;
return AuthenticateInternal(t, username, authMechanism, reissueCapability);
}
}
protected override ProcessTransactionDelegate Reset()
{
if (saslMechanism == null) {
/*
* create mechanism
*/
#if DEBUG
if (!RequestArguments.ContainsKey("authentication mechanism name"))
return ProcessArgumentNotSetted;
#endif
try {
saslMechanism = SaslClientMechanism.Create((string)RequestArguments["authentication mechanism name"]);
saslMechanism.Credential = credential;
// The service name specified by this protocol's profile of [SASL] is
// "imap".
saslMechanism.ServiceName = "imap";
if (saslMechanism is NTLMMechanism)
(saslMechanism as NTLMMechanism).TargetHost = Connection.Host;
}
catch (SaslMechanismNotSupportedException) {
return ProcessUnsupported;
}
}
else {
/*
* use supplied mechanism
*/
saslMechanism.Initialize();
RequestArguments["authentication mechanism name"] = saslMechanism.Name;
}
/*
* http://tools.ietf.org/html/rfc4959
* RFC 4959 - IMAP Extension for Simple Authentication and Security Layer (SASL) Initial Client Response
* 3. IMAP Changes to the IMAP AUTHENTICATE Command
* Note: support and use of the initial client response is optional for
* both clients and servers. Servers that implement this extension MUST
* support clients that omit the initial client response, and clients
* that implement this extension MUST NOT send an initial client
* response to servers that do not advertise the SASL-IR capability.
*/
if (sendInitialResponse && saslMechanism.ClientFirst) {
byte[] initialClientResponse;
if (saslMechanism.GetInitialResponse(out initialClientResponse) == SaslExchangeStatus.Failed || initialClientResponse == null)
return ProcessInitialResponseError;
/*
* http://tools.ietf.org/html/rfc4959
* RFC 4959 - IMAP Extension for Simple Authentication and Security Layer (SASL) Initial Client Response
* 3. IMAP Changes to the IMAP AUTHENTICATE Command
* This extension adds an optional second argument to the AUTHENTICATE
* command that is defined in Section 6.2.2 of [RFC3501]. If this
* second argument is present, it represents the contents of the
* "initial client response" defined in Section 5.1 of [RFC4422].
*/
RequestArguments["initial client response"] = Base64.GetEncodedString(initialClientResponse);
}
return ProcessAuthenticate;
}
