SASL support!

Closes #2

CHANGELOG

@@ -1,5 +1,8 @@
 vNEXT (in development)
 
+ * Changed USER command to not send the server name, per modern standards
+ * Added support for SASL authentication (with PLAIN mechanism)
+
 v0.5.0
 
  * Server state:

README.md

@@ -86,6 +86,13 @@ handlers may themselves raise events. This is useful for higher-order
 events such as `ServerReady` that depend on a variety of factors and
 states.
 
+Handlers themselves may not keep state, as they will be shared across
+multiple instances of `IrcClient` and won't be reset on reconnection.
+State is instead stored in the various `*State` properties of the
+`IrcClient` such as `serverState` and `channelState`. Fields that
+should not be exposed to users of KtIrc can be placed in these
+public state objects but marked as `internal`.
+
 All the generated events (from processors or from event handlers) are
 passed to the `IrcClient`, which in turn passes them to the library
 user via the delegates passed to the `onEvent` method. 

src/main/kotlin/com/dmdirc/ktirc/IrcClient.kt

@@ -20,6 +20,7 @@ interface IrcClient {
     val serverState: ServerState
     val channelState: ChannelStateMap
     val userState: UserState
+    val profile: Profile
 
     val caseMapping: CaseMapping
         get() = serverState.features[ServerFeature.ServerCaseMapping] ?: CaseMapping.Rfc
@@ -87,7 +88,7 @@ interface IrcClient {
 // TODO: How should alternative nicknames work?
 // TODO: Should IRC Client take a pool of servers and rotate through, or make the caller do that?
 // TODO: Should there be a default profile?
-class IrcClientImpl(private val server: Server, private val profile: Profile) : IrcClient {
+class IrcClientImpl(private val server: Server, override val profile: Profile) : IrcClient {
 
     internal var socketFactory: (String, Int, Boolean) -> LineBufferedSocket = ::KtorLineBufferedSocket
 
@@ -135,7 +136,7 @@ class IrcClientImpl(private val server: Server, private val profile: Profile) :
                 sendPasswordIfPresent()
                 sendNickChange(profile.initialNick)
                 // TODO: Send correct host
-                sendUser(profile.userName, "localhost", server.host, profile.realName)
+                sendUser(profile.userName, profile.realName)
                 messageHandler.processMessages(this@IrcClientImpl, readLines(scope).map { parser.parse(it) })
                 emitEvent(ServerDisconnected(currentTimeProvider()))
             }

src/main/kotlin/com/dmdirc/ktirc/events/CapabilitiesHandler.kt

@@ -1,11 +1,13 @@
 package com.dmdirc.ktirc.events
 
 import com.dmdirc.ktirc.IrcClient
+import com.dmdirc.ktirc.messages.sendAuthenticationMessage
 import com.dmdirc.ktirc.messages.sendCapabilityEnd
 import com.dmdirc.ktirc.messages.sendCapabilityRequest
 import com.dmdirc.ktirc.model.CapabilitiesNegotiationState
 import com.dmdirc.ktirc.model.CapabilitiesState
 import com.dmdirc.ktirc.model.Capability
+import com.dmdirc.ktirc.sasl.fromBase64
 import com.dmdirc.ktirc.util.logger
 
 internal class CapabilitiesHandler : EventHandler {
@@ -17,6 +19,8 @@ internal class CapabilitiesHandler : EventHandler {
             is ServerCapabilitiesReceived -> handleCapabilitiesReceived(client.serverState.capabilities, event.capabilities)
             is ServerCapabilitiesFinished -> handleCapabilitiesFinished(client)
             is ServerCapabilitiesAcknowledged -> handleCapabilitiesAcknowledged(client, event.capabilities)
+            is AuthenticationMessage -> handleAuthenticationMessage(client, event.argument)
+            is SaslFinished -> handleSaslFinished(client)
         }
         return emptyList()
     }
@@ -27,7 +31,7 @@ internal class CapabilitiesHandler : EventHandler {
 
     private fun handleCapabilitiesFinished(client: IrcClient) {
         // TODO: We probably need to split the outgoing REQ lines if there are lots of caps
-        // TODO: For caps with values we'll need to decide which value to use/whether to enable them/etc
+        // TODO: For caps with values we may need to decide which value to use/whether to enable them/etc
         with (client.serverState.capabilities) {
             if (advertisedCapabilities.keys.isEmpty()) {
                 negotiationState = CapabilitiesNegotiationState.FINISHED
@@ -46,10 +50,57 @@ internal class CapabilitiesHandler : EventHandler {
         // TODO: Check if everything we wanted is enabled
         with (client.serverState.capabilities) {
             log.info { "Acknowledged capabilities: ${capabilities.keys.map { it.name }.toList()}" }
-            negotiationState = CapabilitiesNegotiationState.FINISHED
             enabledCapabilities.putAll(capabilities)
-            client.sendCapabilityEnd()
+
+            if (client.hasCredentials) {
+                client.serverState.sasl.getPreferredSaslMechanism(enabledCapabilities[Capability.SaslAuthentication])?.let { mechanism ->
+                    log.info { "Attempting SASL authentication using ${mechanism.ircName}" }
+                    client.serverState.sasl.currentMechanism = mechanism
+                    negotiationState = CapabilitiesNegotiationState.AUTHENTICATING
+                    client.sendAuthenticationMessage(mechanism.ircName)
+                    return
+                }
+                log.warning { "User supplied credentials but we couldn't negotiate a SASL mechanism with the server" }
+            }
+
+            client.endNegotiation()
+        }
+    }
+
+    private fun handleAuthenticationMessage(client: IrcClient, argument: String?) {
+        if (argument?.length == 400) {
+            client.serverState.sasl.saslBuffer += argument
+            return
+        }
+
+        client.serverState.sasl.currentMechanism?.let {
+            it.handleAuthenticationEvent(client, client.getStoredSaslBuffer(argument)?.fromBase64())
+        } ?: run {
+            client.sendAuthenticationMessage("*")
         }
     }
 
+    private fun handleSaslFinished(client: IrcClient) = with (client) {
+        with (serverState.sasl) {
+            saslBuffer = ""
+            mechanismState = null
+            currentMechanism = null
+        }
+        endNegotiation()
+    }
+
+    private fun IrcClient.endNegotiation() {
+        serverState.capabilities.negotiationState = CapabilitiesNegotiationState.FINISHED
+        sendCapabilityEnd()
+    }
+
+    private fun IrcClient.getStoredSaslBuffer(argument: String?): String? {
+        val data = serverState.sasl.saslBuffer + (argument ?: "")
+        serverState.sasl.saslBuffer = ""
+        return if (data.isEmpty()) null else data
+    }
+
+    private val IrcClient.hasCredentials
+            get() = profile.authUsername != null && profile.authPassword != null
+
 }

src/main/kotlin/com/dmdirc/ktirc/events/Events.kt

@@ -96,3 +96,12 @@ class MotdFinished(time: LocalDateTime, val missing: Boolean = false): IrcEvent(
  * state.
  */
 class ModeChanged(time: LocalDateTime, val target: String, val modes: String, val arguments: Array<String>, val discovered: Boolean = false): IrcEvent(time)
+
+/** Raised when an AUTHENTICATION message is received. [argument] is `null` if the server sent an empty reply ("+") */
+class AuthenticationMessage(time: LocalDateTime, val argument: String?): IrcEvent(time)
+
+/** Raised when a SASL attempt finishes, successfully or otherwise. */
+class SaslFinished(time: LocalDateTime, var success: Boolean) : IrcEvent(time)
+
+/** Raised when the server says our SASL mechanism isn't available, but gives us a list of others. */
+class SaslMechanismNotAvailableError(time: LocalDateTime, var mechanisms: Array<String>) : IrcEvent(time)

src/main/kotlin/com/dmdirc/ktirc/messages/AuthenticationProcessor.kt

@@ -0,0 +1,21 @@
+package com.dmdirc.ktirc.messages
+
+import com.dmdirc.ktirc.events.AuthenticationMessage
+import com.dmdirc.ktirc.events.SaslFinished
+import com.dmdirc.ktirc.model.IrcMessage
+
+internal class AuthenticationProcessor : MessageProcessor {
+
+    override val commands = arrayOf("AUTHENTICATE", RPL_SASLSUCCESS, ERR_SASLFAIL)
+
+    override fun process(message: IrcMessage) = when(message.command) {
+        "AUTHENTICATE" -> listOf(AuthenticationMessage(message.time, message.authenticateArgument))
+        RPL_SASLSUCCESS -> listOf(SaslFinished(message.time, true))
+        ERR_SASLFAIL -> listOf(SaslFinished(message.time, false))
+        else -> emptyList()
+    }
+
+    private val IrcMessage.authenticateArgument: String?
+        get() = if (params.isEmpty() || params[0].size == 1 && String(params[0]) == "+") null else String(params[0])
+
+}

src/main/kotlin/com/dmdirc/ktirc/messages/MessageBuilders.kt

@@ -34,4 +34,7 @@ fun IrcClient.sendAction(target: String, action: String) = sendCtcp(target, "ACT
 fun IrcClient.sendMessage(target: String, message: String) = send("PRIVMSG $target :$message")
 
 /** Sends a message to register a user with the server. */
-internal fun IrcClient.sendUser(userName: String, localHostName: String, serverHostName: String, realName: String) = send("USER $userName $localHostName $serverHostName :$realName")
+internal fun IrcClient.sendUser(userName: String, realName: String) = send("USER $userName 0 * :$realName")
+
+/** Starts an authentication request. */
+internal fun IrcClient.sendAuthenticationMessage(data: String = "+") =send("AUTHENTICATE $data")

src/main/kotlin/com/dmdirc/ktirc/messages/MessageProcessor.kt

@@ -19,6 +19,7 @@ internal interface MessageProcessor {
 
 internal val messageProcessors = setOf(
         AccountProcessor(),
+        AuthenticationProcessor(),
         CapabilityProcessor(),
         ISupportProcessor(),
         JoinProcessor(),

src/main/kotlin/com/dmdirc/ktirc/messages/NumericConstants.kt

@@ -10,4 +10,7 @@ internal const val RPL_UMODEIS = "221"
 internal const val RPL_CHANNELMODEIS = "324"
 internal const val RPL_ENDOFMOTD = "376"
 
-internal const val ERR_NOMOTD = "422"
+internal const val ERR_NOMOTD = "422"
+
+internal const val RPL_SASLSUCCESS = "903"
+internal const val ERR_SASLFAIL = "904"

src/main/kotlin/com/dmdirc/ktirc/model/CapabilitiesState.kt

@@ -32,6 +32,11 @@ enum class CapabilitiesNegotiationState {
      */
     AWAITING_ACK,
 
+    /**
+     * We are attempting to authenticate with SASL.
+     */
+    AUTHENTICATING,
+
     /**
      * Negotiation has completed.
      */
@@ -44,17 +49,24 @@ enum class CapabilitiesNegotiationState {
  */
 @Suppress("unused")
 sealed class Capability(val name: String) {
+    // Capabilities that introduce extra commands:
+    /** Allows authentication using SASL via the AUTHENTICATE command. */
+    object SaslAuthentication : Capability("sasl")
+
     // Capabilities that enable more information in message tags:
     /** Messages are tagged with the server time they originated at. */
     object ServerTimeMessageTag : Capability("server-time")
+
     /** Messages are tagged with the sender's account name. */
     object UserAccountMessageTag : Capability("account-tag")
 
     // Capabilities that extend existing commands to supply extra information:
     /** Hosts are included for users in NAMES messages. */
     object HostsInNamesReply : Capability("userhost-in-names")
+
     /** Multiple mode prefixes are returned per-user in NAMES messages. */
     object MultipleUserModePrefixes : Capability("multi-prefix")
+
     /** The user's account and real name are provided when they join a channel. */
     object AccountAndRealNameInJoinMessages : Capability("extended-join")
 
@@ -65,8 +77,10 @@ sealed class Capability(val name: String) {
     // Capabilities that notify us of changes to other clients:
     /** Receive a notification when a user's account changes. */
     object AccountChangeMessages : Capability("account-notify") // TODO: Add processor
+
     /** Receive a notification when a user's away state changes. */
     object AwayStateMessages : Capability("away-notify") // TODO: Add processor
+
     /** Receive a notification when a user's host changes, instead of a quit/join. */
     object HostChangeMessages : Capability("chghost") // TODO: Add processor
 

src/main/kotlin/com/dmdirc/ktirc/model/Profile.kt

@@ -1,4 +1,18 @@
 package com.dmdirc.ktirc.model
 
-/** Describes the client's profile information that will be provided to a server. */
-data class Profile(val initialNick: String, val realName: String, val userName: String)
+/**
+ * Describes the client's profile information that will be provided to a server.
+ *
+ * @param initialNick The initial nickname to attempt to use
+ * @param realName The real name to provide to the IRC server
+ * @param userName The username to use if your system doesn't supply an IDENT response (or the server doesn't ask)
+ * @param authUsername The username to authenticate over SASL with (e.g. services account)
+ * @param authPassword The password to authenticate the [authUsername] account with
+ */
+data class Profile(
+        val initialNick: String,
+        val realName: String,
+        val userName: String,
+        val authUsername: String? = null,
+        val authPassword: String? = null
+)

src/main/kotlin/com/dmdirc/ktirc/model/SaslState.kt

@@ -0,0 +1,25 @@
+package com.dmdirc.ktirc.model
+
+import com.dmdirc.ktirc.sasl.SaslMechanism
+
+internal class SaslState(private val mechanisms: Collection<SaslMechanism>) {
+
+    var saslBuffer: String = ""
+    var currentMechanism: SaslMechanism? = null
+        set(value) {
+            mechanismState = null
+            field = value
+        }
+
+    var mechanismState: Any? = null
+
+    fun getPreferredSaslMechanism(serverMechanisms: String?): SaslMechanism? {
+        serverMechanisms ?: return null
+        val serverSupported = serverMechanisms.split(',')
+        return mechanisms
+                .filter { it.priority < currentMechanism?.priority ?: Int.MAX_VALUE }
+                .filter { serverMechanisms.isEmpty() || it.ircName in serverSupported }
+                .maxBy { it.priority }
+    }
+
+}

src/main/kotlin/com/dmdirc/ktirc/model/ServerState.kt

@@ -1,13 +1,18 @@
 package com.dmdirc.ktirc.model
 
 import com.dmdirc.ktirc.io.CaseMapping
+import com.dmdirc.ktirc.sasl.SaslMechanism
+import com.dmdirc.ktirc.sasl.supportedSaslMechanisms
 import com.dmdirc.ktirc.util.logger
 import kotlin.reflect.KClass
 
 /**
  * Contains the current state of a single IRC server.
  */
-class ServerState internal constructor(initialNickname: String, initialServerName: String) {
+class ServerState internal constructor(
+        initialNickname: String,
+        initialServerName: String,
+        saslMechanisms: Collection<SaslMechanism> = supportedSaslMechanisms) {
 
     private val log by logger()
 
@@ -44,6 +49,9 @@ class ServerState internal constructor(initialNickname: String, initialServerNam
     /** The capabilities we have negotiated with the server (from IRCv3). */
     val capabilities = CapabilitiesState()
 
+    /** The current state of SASL authentication. */
+    internal val sasl = SaslState(saslMechanisms)
+
     /**
      * Determines what type of channel mode the given character is, based on the server features.
      *

src/main/kotlin/com/dmdirc/ktirc/sasl/Base64.kt

@@ -0,0 +1,6 @@
+package com.dmdirc.ktirc.sasl
+
+import java.util.*
+
+internal fun ByteArray.toBase64() = String(Base64.getEncoder().encode(this))
+internal fun String.fromBase64() = Base64.getDecoder().decode(this)

src/main/kotlin/com/dmdirc/ktirc/sasl/Plain.kt

@@ -0,0 +1,17 @@
+package com.dmdirc.ktirc.sasl
+
+import com.dmdirc.ktirc.IrcClient
+import com.dmdirc.ktirc.messages.sendAuthenticationMessage
+
+internal class PlainMechanism : SaslMechanism {
+
+    override val ircName = "PLAIN"
+    override val priority = 0
+
+    override fun handleAuthenticationEvent(client: IrcClient, data: ByteArray?) {
+        with (client.profile) {
+            client.sendAuthenticationMessage("$authUsername\u0000$authUsername\u0000$authPassword".toByteArray().toBase64())
+        }
+    }
+
+}

src/main/kotlin/com/dmdirc/ktirc/sasl/SaslMechanism.kt

@@ -0,0 +1,16 @@
+package com.dmdirc.ktirc.sasl
+
+import com.dmdirc.ktirc.IrcClient
+
+internal interface SaslMechanism {
+
+    val ircName: String
+    val priority: Int
+
+    fun handleAuthenticationEvent(client: IrcClient, data: ByteArray?)
+
+}
+
+internal val supportedSaslMechanisms = listOf<SaslMechanism>(
+        PlainMechanism()
+)

src/test/kotlin/com/dmdirc/ktirc/IrcClientTest.kt

@@ -117,7 +117,7 @@ internal class IrcClientImplTest {
 
         assertEquals("CAP LS 302", String(client.writeChannel!!.receive()))
         assertEquals("NICK :$NICK", String(client.writeChannel!!.receive()))
-        assertEquals("USER $USER_NAME localhost $HOST :$REAL_NAME", String(client.writeChannel!!.receive()))
+        assertEquals("USER $USER_NAME 0 * :$REAL_NAME", String(client.writeChannel!!.receive()))
     }
 
     @Test

src/test/kotlin/com/dmdirc/ktirc/events/CapabilitiesHandlerTest.kt

@@ -4,114 +4,269 @@ import com.dmdirc.ktirc.IrcClient
 import com.dmdirc.ktirc.TestConstants
 import com.dmdirc.ktirc.model.CapabilitiesNegotiationState
 import com.dmdirc.ktirc.model.Capability
+import com.dmdirc.ktirc.model.Profile
 import com.dmdirc.ktirc.model.ServerState
-import com.nhaarman.mockitokotlin2.argThat
-import com.nhaarman.mockitokotlin2.doReturn
-import com.nhaarman.mockitokotlin2.mock
-import com.nhaarman.mockitokotlin2.verify
-import kotlinx.coroutines.runBlocking
-import org.junit.jupiter.api.Assertions.assertEquals
+import com.dmdirc.ktirc.sasl.SaslMechanism
+import com.dmdirc.ktirc.sasl.fromBase64
+import com.dmdirc.ktirc.sasl.toBase64
+import com.nhaarman.mockitokotlin2.*
+import org.junit.jupiter.api.Assertions.*
 import org.junit.jupiter.api.Test
 
 internal class CapabilitiesHandlerTest {
 
+    private val saslMech1 = mock<SaslMechanism> {
+        on { priority } doReturn 1
+        on { ircName } doReturn "mech1"
+    }
+
+    private val saslMech2 = mock<SaslMechanism> {
+        on { priority } doReturn 2
+        on { ircName } doReturn "mech2"
+    }
+
+    private val saslMech3 = mock<SaslMechanism> {
+        on { priority } doReturn 3
+        on { ircName } doReturn "mech3"
+    }
+
     private val handler = CapabilitiesHandler()
-    private val serverState = ServerState("", "")
+    private val serverState = ServerState("", "", listOf(saslMech1, saslMech2, saslMech3))
+    private val nonSaslProfile = Profile("acidBurn", "Kate Libby", "acidB")
+    private val saslProfile = Profile("acidBurn", "Kate Libby", "acidB", "acidB", "HackThePlan3t!")
     private val ircClient = mock<IrcClient> {
         on { serverState } doReturn serverState
+        on { profile } doReturn nonSaslProfile
     }
 
     @Test
-    fun `CapabilitiesHandler adds new capabilities to the state`() {
-        runBlocking {
-            handler.processEvent(ircClient, ServerCapabilitiesReceived(TestConstants.time, hashMapOf(
-                    Capability.EchoMessages to "",
-                    Capability.HostsInNamesReply to "123"
-            )))
+    fun `adds new capabilities to the state`() {
+        handler.processEvent(ircClient, ServerCapabilitiesReceived(TestConstants.time, hashMapOf(
+                Capability.EchoMessages to "",
+                Capability.HostsInNamesReply to "123"
+        )))
 
-            assertEquals(2, serverState.capabilities.advertisedCapabilities.size)
-            assertEquals("", serverState.capabilities.advertisedCapabilities[Capability.EchoMessages])
-            assertEquals("123", serverState.capabilities.advertisedCapabilities[Capability.HostsInNamesReply])
-        }
+        assertEquals(2, serverState.capabilities.advertisedCapabilities.size)
+        assertEquals("", serverState.capabilities.advertisedCapabilities[Capability.EchoMessages])
+        assertEquals("123", serverState.capabilities.advertisedCapabilities[Capability.HostsInNamesReply])
     }
 
     @Test
-    fun `CapabilitiesHandler updates negotiation state when capabilities finished`() {
-        runBlocking {
-            serverState.capabilities.advertisedCapabilities[Capability.EchoMessages] = ""
+    fun `updates negotiation state when capabilities finished`() {
+        serverState.capabilities.advertisedCapabilities[Capability.EchoMessages] = ""
 
-            handler.processEvent(ircClient, ServerCapabilitiesFinished(TestConstants.time))
+        handler.processEvent(ircClient, ServerCapabilitiesFinished(TestConstants.time))
 
-            assertEquals(CapabilitiesNegotiationState.AWAITING_ACK, serverState.capabilities.negotiationState)
-        }
+        assertEquals(CapabilitiesNegotiationState.AWAITING_ACK, serverState.capabilities.negotiationState)
     }
 
     @Test
-    fun `CapabilitiesHandler sends REQ when capabilities received`() {
-        runBlocking {
-            serverState.capabilities.advertisedCapabilities[Capability.EchoMessages] = ""
-            serverState.capabilities.advertisedCapabilities[Capability.AccountChangeMessages] = ""
+    fun `sends REQ when capabilities received`() {
+        serverState.capabilities.advertisedCapabilities[Capability.EchoMessages] = ""
+        serverState.capabilities.advertisedCapabilities[Capability.AccountChangeMessages] = ""
 
-            handler.processEvent(ircClient, ServerCapabilitiesFinished(TestConstants.time))
+        handler.processEvent(ircClient, ServerCapabilitiesFinished(TestConstants.time))
 
-            verify(ircClient).send(argThat { equals("CAP REQ :echo-message account-notify") || equals("CAP REQ :account-notify echo-message") })
-        }
+        verify(ircClient).send(argThat { equals("CAP REQ :echo-message account-notify") || equals("CAP REQ :account-notify echo-message") })
     }
 
     @Test
-    fun `CapabilitiesHandler sends END when blank capabilities received`() {
-        runBlocking {
-            handler.processEvent(ircClient, ServerCapabilitiesFinished(TestConstants.time))
+    fun `sends END when blank capabilities received`() {
+        handler.processEvent(ircClient, ServerCapabilitiesFinished(TestConstants.time))
 
-            verify(ircClient).send("CAP END")
-        }
+        verify(ircClient).send("CAP END")
     }
 
     @Test
-    fun `CapabilitiesHandler updates negotiation when blank capabilities received`() {
-        runBlocking {
-            handler.processEvent(ircClient, ServerCapabilitiesFinished(TestConstants.time))
+    fun `updates negotiation when blank capabilities received`() {
+        handler.processEvent(ircClient, ServerCapabilitiesFinished(TestConstants.time))
 
-            assertEquals(CapabilitiesNegotiationState.FINISHED, serverState.capabilities.negotiationState)
-        }
+        assertEquals(CapabilitiesNegotiationState.FINISHED, serverState.capabilities.negotiationState)
     }
 
     @Test
-    fun `CapabilitiesHandler sends END when capabilities acknowledged`() {
-        runBlocking {
-            handler.processEvent(ircClient, ServerCapabilitiesAcknowledged(TestConstants.time, hashMapOf(
-                    Capability.EchoMessages to "",
-                    Capability.HostsInNamesReply to "123"
-            )))
+    fun `sends END when capabilities acknowledged and no profile`() {
+        handler.processEvent(ircClient, ServerCapabilitiesAcknowledged(TestConstants.time, hashMapOf(
+                Capability.EchoMessages to "",
+                Capability.HostsInNamesReply to "123"
+        )))
 
-            verify(ircClient).send("CAP END")
-        }
+        verify(ircClient).send("CAP END")
     }
 
     @Test
-    fun `CapabilitiesHandler updates negotiation state when capabilities acknowledged`() {
-        runBlocking {
-            handler.processEvent(ircClient, ServerCapabilitiesAcknowledged(TestConstants.time, hashMapOf(
-                    Capability.EchoMessages to "",
-                    Capability.HostsInNamesReply to "123"
-            )))
+    fun `sends END when capabilities acknowledged and no sasl state`() {
+        whenever(ircClient.profile).thenReturn(saslProfile)
+        handler.processEvent(ircClient, ServerCapabilitiesAcknowledged(TestConstants.time, hashMapOf(
+                Capability.EchoMessages to "",
+                Capability.HostsInNamesReply to "123"
+        )))
 
-            assertEquals(CapabilitiesNegotiationState.FINISHED, serverState.capabilities.negotiationState)
-        }
+        verify(ircClient).send("CAP END")
+    }
+
+    @Test
+    fun `sends END when capabilities acknowledged and no shared mechanism`() {
+        whenever(ircClient.profile).thenReturn(saslProfile)
+        handler.processEvent(ircClient, ServerCapabilitiesAcknowledged(TestConstants.time, hashMapOf(
+                Capability.SaslAuthentication to "fake1,fake2",
+                Capability.HostsInNamesReply to "123"
+        )))
+
+        verify(ircClient).send("CAP END")
+    }
+
+    @Test
+    fun `sends AUTHENTICATE when capabilities acknowledged with shared mechanism`() {
+        whenever(ircClient.profile).thenReturn(saslProfile)
+        handler.processEvent(ircClient, ServerCapabilitiesAcknowledged(TestConstants.time, hashMapOf(
+                Capability.SaslAuthentication to "mech1,fake2",
+                Capability.HostsInNamesReply to "123"
+        )))
+
+        verify(ircClient).send("AUTHENTICATE mech1")
+    }
+
+    @Test
+    fun `sets current SASL mechanism when capabilities acknowledged with shared mechanism`() {
+        whenever(ircClient.profile).thenReturn(saslProfile)
+        handler.processEvent(ircClient, ServerCapabilitiesAcknowledged(TestConstants.time, hashMapOf(
+                Capability.SaslAuthentication to "mech1,fake2",
+                Capability.HostsInNamesReply to "123"
+        )))
+
+        assertSame(saslMech1, serverState.sasl.currentMechanism)
+    }
+
+    @Test
+    fun `updates negotiation state when capabilities acknowledged with shared mechanism`() {
+        whenever(ircClient.profile).thenReturn(saslProfile)
+        handler.processEvent(ircClient, ServerCapabilitiesAcknowledged(TestConstants.time, hashMapOf(
+                Capability.SaslAuthentication to "mech1,fake2",
+                Capability.HostsInNamesReply to "123"
+        )))
+
+        assertEquals(CapabilitiesNegotiationState.AUTHENTICATING, serverState.capabilities.negotiationState)
+    }
+
+    @Test
+    fun `updates negotiation state when capabilities acknowledged`() {
+        handler.processEvent(ircClient, ServerCapabilitiesAcknowledged(TestConstants.time, hashMapOf(
+                Capability.EchoMessages to "",
+                Capability.HostsInNamesReply to "123"
+        )))
+
+        assertEquals(CapabilitiesNegotiationState.FINISHED, serverState.capabilities.negotiationState)
+    }
+
+    @Test
+    fun `stores enabled caps when capabilities acknowledged`() {
+        handler.processEvent(ircClient, ServerCapabilitiesAcknowledged(TestConstants.time, hashMapOf(
+                Capability.EchoMessages to "",
+                Capability.HostsInNamesReply to "123"
+        )))
+
+        assertEquals(2, serverState.capabilities.enabledCapabilities.size)
+        assertEquals("", serverState.capabilities.enabledCapabilities[Capability.EchoMessages])
+        assertEquals("123", serverState.capabilities.enabledCapabilities[Capability.HostsInNamesReply])
+    }
+
+    @Test
+    fun `aborts authentication attempt if not expecting one`() {
+        serverState.sasl.currentMechanism = null
+        handler.processEvent(ircClient, AuthenticationMessage(TestConstants.time, "+"))
+
+        verify(ircClient).send("AUTHENTICATE *")
+    }
+
+    @Test
+    fun `passes authentication message to mechanism if in auth process`() {
+        serverState.sasl.currentMechanism = saslMech1
+
+        val argument = "ABC"
+        handler.processEvent(ircClient, AuthenticationMessage(TestConstants.time, argument))
+
+        verify(saslMech1).handleAuthenticationEvent(ircClient, argument.fromBase64())
+    }
+
+    @Test
+    fun `stores partial authentication message if it's 400 bytes long`() {
+        serverState.sasl.currentMechanism = saslMech1
+
+        val argument = "A".repeat(400)
+        handler.processEvent(ircClient, AuthenticationMessage(TestConstants.time, argument))
+
+        assertEquals(argument, serverState.sasl.saslBuffer)
+        verify(saslMech1, never()).handleAuthenticationEvent(any(), any())
+    }
+
+    @Test
+    fun `appends authentication messages if it's 400 bytes long and data already exists`() {
+        serverState.sasl.currentMechanism = saslMech1
+
+        serverState.sasl.saslBuffer = "A".repeat(400)
+        handler.processEvent(ircClient, AuthenticationMessage(TestConstants.time, "B".repeat(400)))
+
+        assertEquals("A".repeat(400) + "B".repeat(400), serverState.sasl.saslBuffer)
+        verify(saslMech1, never()).handleAuthenticationEvent(any(), any())
     }
 
     @Test
-    fun `CapabilitiesHandler stores enabled caps when capabilities acknowledged`() {
-        runBlocking {
-            handler.processEvent(ircClient, ServerCapabilitiesAcknowledged(TestConstants.time, hashMapOf(
-                    Capability.EchoMessages to "",
-                    Capability.HostsInNamesReply to "123"
-            )))
+    fun `reconstructs partial authentication message to mechanism if data stored and partial received`() {
+        serverState.sasl.currentMechanism = saslMech1
+
+        serverState.sasl.saslBuffer = "A".repeat(400)
+
+        val argument = "ABCD"
+        handler.processEvent(ircClient, AuthenticationMessage(TestConstants.time, argument))
+
+        val captor = argumentCaptor<ByteArray>()
+        verify(saslMech1).handleAuthenticationEvent(same(ircClient), captor.capture())
+        assertEquals("A".repeat(400) + "ABCD", captor.firstValue.toBase64())
+    }
+
+    @Test
+    fun `reconstructs partial authentication message to mechanism if data stored and null received`() {
+        serverState.sasl.currentMechanism = saslMech1
+
+        serverState.sasl.saslBuffer = "A".repeat(400)
+
+        handler.processEvent(ircClient, AuthenticationMessage(TestConstants.time, null))
+
+        val captor = argumentCaptor<ByteArray>()
+        verify(saslMech1).handleAuthenticationEvent(same(ircClient), captor.capture())
+        assertEquals("A".repeat(400), captor.firstValue.toBase64())
+    }
+
+    @Test
+    fun `sends END when SASL auth finished`() {
+        handler.processEvent(ircClient, SaslFinished(TestConstants.time, true))
+
+        verify(ircClient).send("CAP END")
+    }
+
+    @Test
+    fun `sets negotiation state when SASL auth finished`() {
+        handler.processEvent(ircClient, SaslFinished(TestConstants.time, true))
+
+        assertEquals(CapabilitiesNegotiationState.FINISHED, serverState.capabilities.negotiationState)
+    }
+
+    @Test
+    fun `resets SASL state when SASL auth finished`() {
+        with (serverState.sasl) {
+            currentMechanism = saslMech1
+            saslBuffer = "HackThePlanet"
+            mechanismState = "root@thegibson"
+        }
+
+        handler.processEvent(ircClient, SaslFinished(TestConstants.time, true))
 
-            assertEquals(2, serverState.capabilities.enabledCapabilities.size)
-            assertEquals("", serverState.capabilities.enabledCapabilities[Capability.EchoMessages])
-            assertEquals("123", serverState.capabilities.enabledCapabilities[Capability.HostsInNamesReply])
+        with (serverState.sasl) {
+            assertNull(currentMechanism)
+            assertEquals("", saslBuffer)
+            assertNull(mechanismState)
         }
     }
 
-}
+}

src/test/kotlin/com/dmdirc/ktirc/messages/AuthenticationProcessorTest.kt

@@ -0,0 +1,72 @@
+package com.dmdirc.ktirc.messages
+
+import com.dmdirc.ktirc.TestConstants
+import com.dmdirc.ktirc.events.AuthenticationMessage
+import com.dmdirc.ktirc.events.SaslFinished
+import com.dmdirc.ktirc.model.IrcMessage
+import com.dmdirc.ktirc.params
+import com.dmdirc.ktirc.util.currentTimeProvider
+import org.junit.jupiter.api.Assertions.*
+import org.junit.jupiter.api.BeforeEach
+import org.junit.jupiter.api.Test
+
+internal class AuthenticationProcessorTest {
+
+    private var processor = AuthenticationProcessor()
+
+    @BeforeEach
+    fun setUp() {
+        currentTimeProvider = { TestConstants.time }
+    }
+
+    @Test
+    fun `raises authentication message with null argument if no params specified`() {
+        val events = processor.process(IrcMessage(emptyMap(), null, "AUTHENTICATE", emptyList()))
+
+        assertEquals(1, events.size)
+        val event = events[0] as AuthenticationMessage
+        assertEquals(TestConstants.time, event.time)
+        assertNull(event.argument)
+    }
+
+    @Test
+    fun `raises authentication message with null argument if + specified`() {
+        val events = processor.process(IrcMessage(emptyMap(), null, "AUTHENTICATE", params("+")))
+
+        assertEquals(1, events.size)
+        val event = events[0] as AuthenticationMessage
+        assertEquals(TestConstants.time, event.time)
+        assertNull(event.argument)
+    }
+
+    @Test
+    fun `raises authentication message with argument`() {
+        val events = processor.process(IrcMessage(emptyMap(), null, "AUTHENTICATE", params("HackThePlanet")))
+
+        assertEquals(1, events.size)
+        val event = events[0] as AuthenticationMessage
+        assertEquals(TestConstants.time, event.time)
+        assertEquals("HackThePlanet", event.argument)
+    }
+
+    @Test
+    fun `raises sasl finished on success`() {
+        val events = processor.process(IrcMessage(emptyMap(), ":the.gibson".toByteArray(), "903", params("*", "SASL authentication successful")))
+
+        assertEquals(1, events.size)
+        val event = events[0] as SaslFinished
+        assertEquals(TestConstants.time, event.time)
+        assertTrue(event.success)
+    }
+
+    @Test
+    fun `raises sasl finished on generic failure`() {
+        val events = processor.process(IrcMessage(emptyMap(), ":the.gibson".toByteArray(), "904", params("*", "SASL authentication failed")))
+
+        assertEquals(1, events.size)
+        val event = events[0] as SaslFinished
+        assertEquals(TestConstants.time, event.time)
+        assertFalse(event.success)
+    }
+
+}

src/test/kotlin/com/dmdirc/ktirc/messages/MessageBuildersTest.kt

@@ -71,8 +71,20 @@ internal class MessageBuildersTest {
 
     @Test
     fun `sendUser sends correct USER message`() {
-        mockClient.sendUser("AcidBurn", "localhost", "gibson", "Kate")
-        verify(mockClient).send("USER AcidBurn localhost gibson :Kate")
+        mockClient.sendUser("AcidBurn","Kate")
+        verify(mockClient).send("USER AcidBurn 0 * :Kate")
     }
 
-}
+    @Test
+    fun `sendUser sends correct AUTHENTICATE message`() {
+        mockClient.sendAuthenticationMessage("SCRAM-MD5")
+        verify(mockClient).send("AUTHENTICATE SCRAM-MD5")
+    }
+
+    @Test
+    fun `sendUser sends correct blank AUTHENTICATE message`() {
+        mockClient.sendAuthenticationMessage()
+        verify(mockClient).send("AUTHENTICATE +")
+    }
+
+}

src/test/kotlin/com/dmdirc/ktirc/model/CapabilitiesStateTest.kt

@@ -6,7 +6,7 @@ import org.junit.jupiter.api.Test
 internal class CapabilitiesStateTest {
 
     @Test
-    fun `CapabilitiesState defaults negotiation state to awaiting list`() {
+    fun `defaults negotiation state to awaiting list`() {
         val capabilitiesState = CapabilitiesState()
 
         assertEquals(CapabilitiesNegotiationState.AWAITING_LIST, capabilitiesState.negotiationState)

src/test/kotlin/com/dmdirc/ktirc/model/SaslStateTest.kt

@@ -0,0 +1,81 @@
+package com.dmdirc.ktirc.model
+
+import com.dmdirc.ktirc.sasl.SaslMechanism
+import com.nhaarman.mockitokotlin2.doReturn
+import com.nhaarman.mockitokotlin2.mock
+import org.junit.jupiter.api.Assertions.assertEquals
+import org.junit.jupiter.api.Assertions.assertNull
+import org.junit.jupiter.api.Test
+
+internal class SaslStateTest {
+
+    private val mech1 = mock<SaslMechanism> {
+        on { priority } doReturn 1
+        on { ircName } doReturn "mech1"
+    }
+
+    private val mech2 = mock<SaslMechanism> {
+        on { priority } doReturn 2
+        on { ircName } doReturn "mech2"
+    }
+
+    private val mech3 = mock<SaslMechanism> {
+        on { priority } doReturn 3
+        on { ircName } doReturn "mech3"
+    }
+
+    private val mechanisms = listOf(mech1, mech2, mech3)
+
+    @Test
+    fun `gets most preferred client SASL mechanism if none are specified by server`() {
+        val state = SaslState(mechanisms)
+
+        assertEquals(mech3, state.getPreferredSaslMechanism(""))
+    }
+
+    @Test
+    fun `gets next preferred client SASL mechanism if one was tried`() {
+        val state = SaslState(mechanisms)
+        state.currentMechanism = mech3
+
+        assertEquals(mech2, state.getPreferredSaslMechanism(""))
+    }
+
+    @Test
+    fun `gets no preferred client SASL mechanism if all were tried`() {
+        val state = SaslState(mechanisms)
+        state.currentMechanism = mech1
+
+        assertNull(state.getPreferredSaslMechanism(""))
+    }
+
+    @Test
+    fun `gets most preferred client SASL mechanism if the server supports all`() {
+        val state = SaslState(mechanisms)
+
+        assertEquals(mech3, state.getPreferredSaslMechanism("mech1,mech3,mech2"))
+    }
+
+    @Test
+    fun `gets most preferred client SASL mechanism if the server supports some`() {
+        val state = SaslState(mechanisms)
+
+        assertEquals(mech2, state.getPreferredSaslMechanism("mech2,mech1,other"))
+    }
+
+    @Test
+    fun `gets no preferred client SASL mechanism if the server supports none`() {
+        val state = SaslState(mechanisms)
+
+        assertNull(state.getPreferredSaslMechanism("foo,bar,baz"))
+    }
+
+    @Test
+    fun `setting the current mechanism clears the existing state`() {
+        val state = SaslState(mechanisms)
+        state.mechanismState = "in progress"
+        state.currentMechanism = mech2
+        assertNull(state.mechanismState)
+    }
+
+}

src/test/kotlin/com/dmdirc/ktirc/sasl/PlainMechanismTest.kt

@@ -0,0 +1,39 @@
+package com.dmdirc.ktirc.sasl
+
+import com.dmdirc.ktirc.IrcClient
+import com.dmdirc.ktirc.model.Profile
+import com.dmdirc.ktirc.model.ServerState
+import com.nhaarman.mockitokotlin2.argumentCaptor
+import com.nhaarman.mockitokotlin2.doReturn
+import com.nhaarman.mockitokotlin2.mock
+import com.nhaarman.mockitokotlin2.verify
+import org.junit.jupiter.api.Assertions.assertEquals
+import org.junit.jupiter.api.Test
+
+internal class PlainMechanismTest {
+
+    private val serverState = ServerState("", "", emptyList())
+    private val saslProfile = Profile("acidBurn", "Kate Libby", "acidB", "acidB", "HackThePlan3t!")
+    private val ircClient = mock<IrcClient> {
+        on { serverState } doReturn serverState
+        on { profile } doReturn saslProfile
+    }
+
+    private val mechanism = PlainMechanism()
+
+    @Test
+    fun `sends encoded username and password when first message received`() {
+        mechanism.handleAuthenticationEvent(ircClient, null)
+
+        val captor = argumentCaptor<String>()
+        verify(ircClient).send(captor.capture())
+        val parts = captor.firstValue.split(' ')
+        assertEquals("AUTHENTICATE", parts[0])
+
+        val data = String(parts[1].fromBase64()).split('\u0000')
+        assertEquals("acidB", data[0])
+        assertEquals("acidB", data[1])
+        assertEquals("HackThePlan3t!", data[2])
+    }
+
+}

src/test/kotlin/com/dmdirc/ktirc/util/Base64Test.kt

@@ -0,0 +1,20 @@
+package com.dmdirc.ktirc.util
+
+import com.dmdirc.ktirc.sasl.fromBase64
+import com.dmdirc.ktirc.sasl.toBase64
+import org.junit.jupiter.api.Assertions.assertEquals
+import org.junit.jupiter.api.Test
+
+class Base64Test {
+
+    @Test
+    fun `encodes byte arrays into base64`() {
+        assertEquals("SGFjayB0aGUgUGxhbmV0", "Hack the Planet".toByteArray().toBase64())
+    }
+
+    @Test
+    fun `decodes byte arrays from base64`() {
+        assertEquals("Hack the Planet", String("SGFjayB0aGUgUGxhbmV0".fromBase64()))
+    }
+
+}