Class: Net::IMAP::SASL::PlainAuthenticator

Inherits:

Object

• Object
• Net::IMAP::SASL::PlainAuthenticator

Defined in:

lib/net/imap/sasl/plain_authenticator.rb

Overview

Authenticator for the “PLAIN” SASL mechanism, specified in RFC-4616. See Net::IMAP#authenticate.

PLAIN authentication sends the password in cleartext. RFC-3501 encourages servers to disable cleartext authentication until after TLS has been negotiated. RFC-8314 recommends TLS version 1.2 or greater be used for all traffic, and deprecate cleartext access ASAP. PLAIN can be secured by TLS encryption.

Instance Attribute Summary

• #authzid ⇒ Object readonly

  Authorization identity: an identity to act as or on behalf of.

• #password ⇒ Object (also: #secret) readonly

  A password or passphrase that matches the #username.

• #username ⇒ Object (also: #authcid) readonly

  Authentication identity: the identity that matches the #password.

Instance Method Summary

• #done? ⇒ Boolean

  Returns true when the initial client response was sent.

• #initial_response? ⇒ Boolean

  :call-seq: initial_response? -> true.

• #initialize(user = nil, pass = nil, authcid: nil, secret: nil, username: nil, password: nil, authzid: nil) ⇒ PlainAuthenticator constructor

  :call-seq: new(username, password, authzid: nil, **) -> authenticator new(username:, password:, authzid: nil, **) -> authenticator new(authcid:, password:, authzid: nil, **) -> authenticator.

• #process(data) ⇒ Object

  Responds with the client’s credentials.

Constructor Details

#initialize(user = nil, pass = nil, authcid: nil, secret: nil, username: nil, password: nil, authzid: nil) ⇒ PlainAuthenticator

:call-seq:

new(username,  password,  authzid: nil, **) -> authenticator
new(username:, password:, authzid: nil, **) -> authenticator
new(authcid:,  password:, authzid: nil, **) -> authenticator

Creates an Authenticator for the “PLAIN” SASL mechanism.

Called by Net::IMAP#authenticate and similar methods on other clients.

Parameters

• #authcid ― Authentication identity that is associated with #password.

  #username ― An alias for #authcid.

• #password ― A password or passphrase associated with the #authcid.

• optional #authzid ― Authorization identity to act as or on behalf of.

  When authzid is not set, the server should derive the authorization identity from the authentication identity.

Any other keyword parameters are quietly ignored.

Raises:

• (ArgumentError)

# File 'lib/net/imap/sasl/plain_authenticator.rb', line 67

def initialize(user = nil, pass = nil,
               authcid: nil, secret: nil,
               username: nil, password: nil, authzid: nil, **)
  username ||= authcid || user or
    raise ArgumentError, "missing username (authcid)"
  password ||= secret || pass or raise ArgumentError, "missing password"
  raise ArgumentError, "username contains NULL" if username.include?(NULL)
  raise ArgumentError, "password contains NULL" if password.include?(NULL)
  raise ArgumentError, "authzid contains NULL"  if authzid&.include?(NULL)
  @username = username
  @password = password
  @authzid  = authzid
  @done = false
end

Instance Attribute Details

#authzid ⇒ Object (readonly)

Authorization identity: an identity to act as or on behalf of. The identity form is application protocol specific. If not provided or left blank, the server derives an authorization identity from the authentication identity. The server is responsible for verifying the client’s credentials and verifying that the identity it associates with the client’s authentication identity is allowed to act as (or on behalf of) the authorization identity.

For example, an administrator or superuser might take on another role:

imap.authenticate "PLAIN", "root", passwd, authzid: "user"

# File 'lib/net/imap/sasl/plain_authenticator.rb', line 42

def authzid
  @authzid
end

#password ⇒ Object (readonly) Also known as: secret

A password or passphrase that matches the #username.

# File 'lib/net/imap/sasl/plain_authenticator.rb', line 28

def password
  @password
end

#username ⇒ Object (readonly) Also known as: authcid

Authentication identity: the identity that matches the #password.

RFC-2831 uses the term username. “Authentication identity” is the generic term used by RFC-4422. RFC-4616 and many later RFCs abbreviate this to authcid.

# File 'lib/net/imap/sasl/plain_authenticator.rb', line 24

def username
  @username
end

Instance Method Details

#done? ⇒ Boolean

Returns true when the initial client response was sent.

The authentication should not succeed unless this returns true, but it does not indicate success.

Returns:

• (Boolean)

# File 'lib/net/imap/sasl/plain_authenticator.rb', line 99

def done?; @done end

#initial_response? ⇒ Boolean

:call-seq:

initial_response? -> true

PLAIN can send an initial client response.

Returns:

• (Boolean)

# File 'lib/net/imap/sasl/plain_authenticator.rb', line 86

def initial_response?; true end

#process(data) ⇒ Object

Responds with the client’s credentials.

# File 'lib/net/imap/sasl/plain_authenticator.rb', line 89

def process(data)
  return "#@authzid\0#@username\0#@password"
ensure
  @done = true
end