prosody-modules
3b30635d215c
mod_s2s_auth_monkeysphere/mod_s2s_auth_monkeysphere.lua
- Annotate
- comparison
- diff
Software / code / prosody-modules
Annotate
mod_s2s_auth_monkeysphere/mod_s2s_auth_monkeysphere.lua @ 5425:3b30635d215c
mod_http_oauth2: Support granting zero role-scopes
It seems Very Bad that if you uncheck all roles on the consent page, you
get the default scopes, which seems the opposite of what you probably
intended. Currently, mod_tokenauth will do the same thing, so work is
needed there too to allow issuing tokens without roles.
A token without a role could be used for OIDC login, and not much else.
This seems like a valuable thing to support.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 07 May 2023 19:29:15 +0200 |
| parent | 3392:8d1141025b43 |
| rev | line source |
|---|---|
|
1413
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 module:set_global(); |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 local json = require"util.json"; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 local json_encode, json_decode = json.encode, json.decode; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 local gettime = require"socket".gettime; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 local serialize = require"util.serialization".serialize; |
|
3392
8d1141025b43
mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents:
2186
diff
changeset
|
7 local async = require"util.async"; |
|
8d1141025b43
mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents:
2186
diff
changeset
|
8 local http_request = require "net.http".request; |
|
1413
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 local msva_url = assert(os.getenv"MONKEYSPHERE_VALIDATION_AGENT_SOCKET", |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 "MONKEYSPHERE_VALIDATION_AGENT_SOCKET is unset, please set it").."/reviewcert"; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 local function check_with_monkeysphere(event) |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 local session, host, cert = event.session, event.host, event.cert; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 local post_body = json_encode { |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 peer = { |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 name = host; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 type = "peer"; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 }; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
20 context = "https"; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 -- context = "xmpp"; -- Monkeysphere needs to be extended to understand this |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 pkc = { |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 type = "x509pem"; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 data = cert:pem(); |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 }; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 } |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 local req = { |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 method = "POST"; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 headers = { |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 ["Content-Type"] = "application/json"; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 }; |
|
3392
8d1141025b43
mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents:
2186
diff
changeset
|
32 body = post_body; |
|
1413
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 }; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 session.log("debug", "Asking what Monkeysphere thinks about this certificate"); |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 local starttime = gettime(); |
|
3392
8d1141025b43
mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents:
2186
diff
changeset
|
36 local wait, done = async.waiter(); |
|
8d1141025b43
mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents:
2186
diff
changeset
|
37 local body, code; |
|
8d1141025b43
mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents:
2186
diff
changeset
|
38 http_request(msva_url, req, function (_, _code) |
|
8d1141025b43
mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents:
2186
diff
changeset
|
39 body, code = body, _code; |
|
8d1141025b43
mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents:
2186
diff
changeset
|
40 done(); |
|
8d1141025b43
mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents:
2186
diff
changeset
|
41 end); |
|
8d1141025b43
mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents:
2186
diff
changeset
|
42 wait(); |
|
1413
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 module:log("debug", "Request took %fs", gettime() - starttime); |
|
3392
8d1141025b43
mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents:
2186
diff
changeset
|
44 if code == 200 and body then |
|
1413
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
45 body = json_decode(body); |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
46 if body then |
|
3392
8d1141025b43
mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents:
2186
diff
changeset
|
47 session.log(body.valid and "info" or "warn", |
|
8d1141025b43
mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents:
2186
diff
changeset
|
48 "Monkeysphere thinks the cert is %salid: %s", body.valid and "V" or "Inv", body.message); |
|
1413
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
49 if body.valid then |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
50 session.cert_chain_status = "valid"; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
51 session.cert_identity_status = "valid"; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
52 return true; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
53 end |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
54 end |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
55 else |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
56 module:log("warn", "Request failed: %s, %s", tostring(code), tostring(body)); |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
57 module:log("debug", serialize(req)); |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
58 end |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
59 end |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
60 |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
61 module:hook("s2s-check-certificate", check_with_monkeysphere); |
