Annotate

mod_client_management/mod_client_management.lua @ 5623:59d5fc50f602

mod_http_oauth2: Implement refresh token rotation Makes refresh tokens one-time-use, handing out a new refresh token with each access token. Thus if a refresh token is stolen and used by an attacker, the next time the legitimate client tries to use the previous refresh token, it will not work and the attack will be noticed. If the attacker does not use the refresh token, it becomes invalid after the legitimate client uses it. This behavior is recommended by draft-ietf-oauth-security-topics
author Kim Alvefur <zash@zash.se>
date Sun, 23 Jul 2023 02:56:08 +0200
parent 5607:c799b460f9f0
child 5650:1571c280aaef
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
5294
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
1 local modulemanager = require "core.modulemanager";
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
2 local usermanager = require "core.usermanager";
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
3
5301
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
4 local array = require "util.array";
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
5 local dt = require "util.datetime";
5294
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
6 local id = require "util.id";
5301
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
7 local it = require "util.iterators";
5294
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
8 local jid = require "util.jid";
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
9 local st = require "util.stanza";
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
10
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
11 local strict = module:get_option_boolean("enforce_client_ids", false);
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
12
5582
825c6fb76c48 Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents: 5516
diff changeset
13 module:default_permission("prosody:registered", ":list-clients");
825c6fb76c48 Multiple modules: Update for split prosody:user role (prosody 082c7d856e61)
Matthew Wild <mwild1@gmail.com>
parents: 5516
diff changeset
14 module:default_permission("prosody:registered", ":manage-clients");
5312
22e6b9f09439 mod_client_management: Add list-clients + manage-clients permissions to users
Matthew Wild <mwild1@gmail.com>
parents: 5311
diff changeset
15
5294
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
16 local tokenauth = module:depends("tokenauth");
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
17 local mod_fast = module:depends("sasl2_fast");
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
18
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
19 local client_store = assert(module:open_store("clients", "keyval+"));
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
20 --[[{
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
21 id = id;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
22 first_seen =
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
23 last_seen =
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
24 user_agent = {
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
25 name =
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
26 os =
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
27 }
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
28 --}]]
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
29
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
30 local xmlns_sasl2 = "urn:xmpp:sasl:2";
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
31
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
32 local function get_user_agent(sasl_handler, token_info)
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
33 local sasl_agent = sasl_handler and sasl_handler.user_agent;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
34 local token_agent = token_info and token_info.data and token_info.data.oauth2_client;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
35 if not (sasl_agent or token_agent) then return; end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
36 return {
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
37 software = sasl_agent and sasl_agent.software or token_agent and token_agent.name or nil;
5516
f25df3af02c1 mod_client_management: Include client software version number in listing
Kim Alvefur <zash@zash.se>
parents: 5374
diff changeset
38 software_id = token_agent and token_agent.id or nil;
f25df3af02c1 mod_client_management: Include client software version number in listing
Kim Alvefur <zash@zash.se>
parents: 5374
diff changeset
39 software_version = token_agent and token_agent.version or nil;
5294
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
40 uri = token_agent and token_agent.uri or nil;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
41 device = sasl_agent and sasl_agent.device or nil;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
42 };
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
43 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
44
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
45 module:hook("sasl2/c2s/success", function (event)
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
46 local session = event.session;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
47 local username, client_id = session.username, session.client_id;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
48 local mechanism = session.sasl_handler.selected;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
49 local token_info = session.sasl_handler.token_info;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
50 local token_id = token_info and token_info.id or nil;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
51
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
52 local now = os.time();
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
53 if client_id then -- SASL2, have client identifier
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
54 local is_new_client;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
55
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
56 local client_state = client_store:get_key(username, client_id);
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
57 if not client_state then
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
58 is_new_client = true;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
59 client_state = {
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
60 id = client_id;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
61 first_seen = now;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
62 user_agent = get_user_agent(session.sasl_handler, token_info);
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
63 full_jid = nil;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
64 last_seen = nil;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
65 mechanisms = {};
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
66 };
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
67 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
68 -- Update state
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
69 client_state.full_jid = session.full_jid;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
70 client_state.last_seen = now;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
71 client_state.mechanisms[mechanism] = now;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
72 if session.sasl_handler.fast_auth then
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
73 client_state.fast_auth = now;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
74 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
75 if token_id then
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
76 client_state.auth_token_id = token_id;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
77 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
78 -- Store updated state
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
79 client_store:set_key(username, client_id, client_state);
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
80
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
81 if is_new_client then
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
82 module:fire_event("client_management/new-client", { client = client_state });
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
83 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
84 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
85 end);
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
86
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
87 local function find_client_by_resource(username, resource)
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
88 local full_jid = jid.join(username, module.host, resource);
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
89 local clients = client_store:get(username);
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
90 if not clients then return; end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
91
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
92 for _, client_state in pairs(clients) do
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
93 if client_state.full_jid == full_jid then
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
94 return client_state;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
95 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
96 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
97 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
98
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
99 module:hook("resource-bind", function (event)
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
100 local session = event.session;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
101 if session.client_id then return; end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
102 local is_new_client;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
103 local client_state = find_client_by_resource(event.session.username, event.session.resource);
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
104 local now = os.time();
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
105 if not client_state then
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
106 is_new_client = true;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
107 client_state = {
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
108 id = id.short();
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
109 first_seen = now;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
110 user_agent = nil;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
111 full_jid = nil;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
112 last_seen = nil;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
113 mechanisms = {};
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
114 legacy = true;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
115 };
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
116 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
117
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
118 -- Update state
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
119 local legacy_info = session.client_management_info;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
120 client_state.full_jid = session.full_jid;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
121 client_state.last_seen = now;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
122 client_state.mechanisms[legacy_info.mechanism] = now;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
123 if legacy_info.fast_auth then
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
124 client_state.fast_auth = now;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
125 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
126
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
127 local token_id = legacy_info.token_info and legacy_info.token_info.id;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
128 if token_id then
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
129 client_state.auth_token_id = token_id;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
130 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
131
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
132 -- Store updated state
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
133 client_store:set_key(session.username, client_state.id, client_state);
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
134
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
135 if is_new_client then
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
136 module:fire_event("client_management/new-client", { client = client_state });
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
137 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
138 end);
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
139
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
140 if strict then
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
141 module:hook_tag(xmlns_sasl2, "authenticate", function (session, auth)
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
142 local user_agent = auth:get_child("user-agent");
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
143 if not user_agent or not user_agent.attr.id then
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
144 local failure = st.stanza("failure", { xmlns = xmlns_sasl2 })
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
145 :tag("malformed-request", { xmlns = "urn:ietf:params:xml:ns:xmpp-sasl" }):up()
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
146 :text_tag("text", "Client identifier required but not supplied");
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
147 session.send(failure);
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
148 return true;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
149 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
150 end, 500);
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
151
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
152 if modulemanager.get_modules_for_host(module.host):contains("saslauth") then
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
153 module:log("error", "mod_saslauth is enabled, but enforce_client_ids is enabled and will prevent it from working");
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
154 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
155
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
156 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function (event)
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
157 -- Block legacy SASL, if for some reason it is being used (either mod_saslauth is loaded,
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
158 -- or clients try it without advertisement)
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
159 module:log("warn", "Blocking legacy SASL authentication because enforce_client_ids is enabled");
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
160 local failure = st.stanza("failure", { xmlns = xmlns_sasl2 })
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
161 :tag("malformed-request", { xmlns = "urn:ietf:params:xml:ns:xmpp-sasl" }):up()
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
162 :text_tag("text", "Legacy SASL authentication is not available on this server");
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
163 event.session.send(failure);
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
164 return true;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
165 end);
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
166 else
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
167 -- Legacy client compat code
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
168 module:hook("authentication-success", function (event)
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
169 local session = event.session;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
170 if session.client_id then return; end -- SASL2 client
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
171
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
172 local sasl_handler = session.sasl_handler;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
173 session.client_management_info = {
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
174 mechanism = sasl_handler.selected;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
175 token_info = sasl_handler.token_info;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
176 fast_auth = sasl_handler.fast_auth;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
177 };
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
178 end);
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
179 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
180
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
181 local function is_password_mechanism(mech_name)
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
182 if mech_name == "OAUTHBEARER" then return false; end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
183 if mech_name:match("^HT%-") then return false; end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
184 return true;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
185 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
186
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
187 local function is_client_active(client)
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
188 local username, host = jid.split(client.full_jid);
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
189 local account_info = usermanager.get_account_info(username, host);
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
190 local last_password_change = account_info and account_info.password_updated;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
191
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
192 local status = {};
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
193
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
194 -- Check for an active token grant that has been previously used by this client
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
195 if client.auth_token_id then
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
196 local grant = tokenauth.get_grant_info(client.auth_token_id);
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
197 if grant then
5301
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
198 status.grant = grant;
5294
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
199 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
200 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
201
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
202 -- Check for active FAST tokens
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
203 if client.fast_auth then
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
204 if mod_fast.is_client_fast(username, client.id, last_password_change) then
5301
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
205 status.fast = client.fast_auth;
5294
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
206 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
207 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
208
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
209 -- Client has access if any password-based SASL mechanisms have been used since last password change
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
210 for mech, mech_last_used in pairs(client.mechanisms) do
5369
1a58a11407ac mod_client_management: Fix error when last password change is unknown (or never)
Kim Alvefur <zash@zash.se>
parents: 5343
diff changeset
211 if is_password_mechanism(mech) and (not last_password_change or mech_last_used >= last_password_change) then
5301
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
212 status.password = mech_last_used;
5294
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
213 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
214 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
215
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
216 if prosody.full_sessions[client.full_jid] then
5301
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
217 status.connected = true;
5294
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
218 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
219
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
220 if next(status) == nil then
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
221 return nil;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
222 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
223 return status;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
224 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
225
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
226 -- Public API
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
227 --luacheck: ignore 131
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
228 function get_active_clients(username)
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
229 local clients = client_store:get(username);
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
230 local active_clients = {};
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
231 local used_grants = {};
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
232
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
233 -- Go through known clients, check whether they could possibly log in
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
234 for client_id, client in pairs(clients or {}) do --luacheck: ignore 213/client_id
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
235 local active = is_client_active(client);
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
236 if active then
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
237 client.type = "session";
5305
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
238 client.id = "client/"..client.id;
5294
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
239 client.active = active;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
240 table.insert(active_clients, client);
5301
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
241 if active.grant then
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
242 used_grants[active.grant.id] = true;
5294
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
243 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
244 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
245 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
246
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
247 -- Next, account for any grants that have been issued, but never actually logged in
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
248 for grant_id, grant in pairs(tokenauth.get_user_grants(username) or {}) do
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
249 if not used_grants[grant_id] then -- exclude grants already accounted for
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
250 table.insert(active_clients, {
5307
2bb27dfd10d5 mod_client_management: Use grant id from key
Matthew Wild <mwild1@gmail.com>
parents: 5306
diff changeset
251 id = "grant/"..grant_id;
5294
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
252 type = "access";
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
253 first_seen = grant.created;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
254 last_seen = grant.accessed;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
255 active = {
5301
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
256 grant = grant;
5294
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
257 };
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
258 user_agent = get_user_agent(nil, grant);
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
259 });
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
260 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
261 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
262
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
263 table.sort(active_clients, function (a, b)
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
264 if a.last_seen and b.last_seen then
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
265 return a.last_seen < b.last_seen;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
266 elseif not (a.last_seen or b.last_seen) then
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
267 if a.first_seen and b.first_seen then
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
268 return a.first_seen < b.first_seen;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
269 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
270 elseif b.last_seen then
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
271 return true;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
272 elseif a.last_seen then
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
273 return false;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
274 end
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
275 return a.id < b.id;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
276 end);
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
277
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
278 return active_clients;
385346b6c81d mod_client_management: New module for users to view/manage permitted clients
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
279 end
5301
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
280
5603
d2561c1d26f5 mod_client_management: Allow revoking a specific client version
Kim Alvefur <zash@zash.se>
parents: 5602
diff changeset
281 local function user_agent_tostring(user_agent)
d2561c1d26f5 mod_client_management: Allow revoking a specific client version
Kim Alvefur <zash@zash.se>
parents: 5602
diff changeset
282 if user_agent then
d2561c1d26f5 mod_client_management: Allow revoking a specific client version
Kim Alvefur <zash@zash.se>
parents: 5602
diff changeset
283 if user_agent.software then
d2561c1d26f5 mod_client_management: Allow revoking a specific client version
Kim Alvefur <zash@zash.se>
parents: 5602
diff changeset
284 if user_agent.software_version then
d2561c1d26f5 mod_client_management: Allow revoking a specific client version
Kim Alvefur <zash@zash.se>
parents: 5602
diff changeset
285 return user_agent.software .. "/" .. user_agent.software_version;
d2561c1d26f5 mod_client_management: Allow revoking a specific client version
Kim Alvefur <zash@zash.se>
parents: 5602
diff changeset
286 end
d2561c1d26f5 mod_client_management: Allow revoking a specific client version
Kim Alvefur <zash@zash.se>
parents: 5602
diff changeset
287 return user_agent.software;
d2561c1d26f5 mod_client_management: Allow revoking a specific client version
Kim Alvefur <zash@zash.se>
parents: 5602
diff changeset
288 end
d2561c1d26f5 mod_client_management: Allow revoking a specific client version
Kim Alvefur <zash@zash.se>
parents: 5602
diff changeset
289 end
d2561c1d26f5 mod_client_management: Allow revoking a specific client version
Kim Alvefur <zash@zash.se>
parents: 5602
diff changeset
290 end
d2561c1d26f5 mod_client_management: Allow revoking a specific client version
Kim Alvefur <zash@zash.se>
parents: 5602
diff changeset
291
5305
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
292 function revoke_client_access(username, client_selector)
5370
d9d52ad8c1ae mod_client_management: Fix type confusion
Kim Alvefur <zash@zash.se>
parents: 5369
diff changeset
293 if client_selector then
d9d52ad8c1ae mod_client_management: Fix type confusion
Kim Alvefur <zash@zash.se>
parents: 5369
diff changeset
294 local c_type, c_id = client_selector:match("^(%w+)/(.+)$");
5305
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
295 if c_type == "client" then
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
296 local client = client_store:get_key(username, c_id);
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
297 if not client then
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
298 return nil, "item-not-found";
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
299 end
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
300 local status = is_client_active(client);
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
301 if status.connected then
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
302 local ok, err = prosody.full_sessions[client.full_jid]:close();
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
303 if not ok then return ok, err; end
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
304 end
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
305 if status.fast then
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
306 local ok = mod_fast.revoke_fast_tokens(username, client.id);
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
307 if not ok then return nil, "internal-server-error"; end
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
308 end
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
309 if status.grant then
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
310 local ok = tokenauth.revoke_grant(username, status.grant.id);
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
311 if not ok then return nil, "internal-server-error"; end
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
312 end
5306
210aeb5afe42 mod_client_management: Fail to revoke clients that have used passwords
Matthew Wild <mwild1@gmail.com>
parents: 5305
diff changeset
313 if status.password then
210aeb5afe42 mod_client_management: Fail to revoke clients that have used passwords
Matthew Wild <mwild1@gmail.com>
parents: 5305
diff changeset
314 return nil, "password-reset-required";
210aeb5afe42 mod_client_management: Fail to revoke clients that have used passwords
Matthew Wild <mwild1@gmail.com>
parents: 5305
diff changeset
315 end
5305
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
316 return true;
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
317 elseif c_type == "grant" then
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
318 local grant = tokenauth.get_grant_info(username, c_id);
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
319 if not grant then
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
320 return nil, "item-not-found";
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
321 end
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
322 local ok = tokenauth.revoke_grant(username, c_id);
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
323 if not ok then return nil, "internal-server-error"; end
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
324 return true;
5602
eae5599bc0b4 mod_client_management: Add way to revoke (one) client by software
Kim Alvefur <zash@zash.se>
parents: 5601
diff changeset
325 elseif c_type == "software" then
eae5599bc0b4 mod_client_management: Add way to revoke (one) client by software
Kim Alvefur <zash@zash.se>
parents: 5601
diff changeset
326 local active_clients = get_active_clients(username);
eae5599bc0b4 mod_client_management: Add way to revoke (one) client by software
Kim Alvefur <zash@zash.se>
parents: 5601
diff changeset
327 for _, client in ipairs(active_clients) do
5604
5ade45d93908 mod_client_management: Fix missing equality check
Kim Alvefur <zash@zash.se>
parents: 5603
diff changeset
328 if client.user_agent and client.user_agent.software == c_id or user_agent_tostring(client.user_agent) == c_id then
5602
eae5599bc0b4 mod_client_management: Add way to revoke (one) client by software
Kim Alvefur <zash@zash.se>
parents: 5601
diff changeset
329 return revoke_client_access(username, client.id);
eae5599bc0b4 mod_client_management: Add way to revoke (one) client by software
Kim Alvefur <zash@zash.se>
parents: 5601
diff changeset
330 end
eae5599bc0b4 mod_client_management: Add way to revoke (one) client by software
Kim Alvefur <zash@zash.se>
parents: 5601
diff changeset
331 end
5305
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
332 end
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
333 end
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
334
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
335 return nil, "item-not-found";
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
336 end
9b9f35aaeb91 mod_client_management: Add support for revocation of clients (when possible)
Matthew Wild <mwild1@gmail.com>
parents: 5304
diff changeset
337
5301
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
338 -- Protocol
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
339
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
340 local xmlns_manage_clients = "xmpp:prosody.im/protocol/manage-clients";
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
341
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
342 module:hook("iq-get/self/xmpp:prosody.im/protocol/manage-clients:list", function (event)
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
343 local origin, stanza = event.origin, event.stanza;
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
344
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
345 if not module:may(":list-clients", event) then
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
346 origin.send(st.error_reply(stanza, "auth", "forbidden"));
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
347 return true;
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
348 end
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
349
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
350 local reply = st.reply(stanza)
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
351 :tag("clients", { xmlns = xmlns_manage_clients });
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
352
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
353 local active_clients = get_active_clients(event.origin.username);
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
354 for _, client in ipairs(active_clients) do
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
355 local auth_type = st.stanza("auth");
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
356 if client.active then
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
357 if client.active.password then
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
358 auth_type:text_tag("password");
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
359 end
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
360 if client.active.grant then
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
361 auth_type:text_tag("bearer-token");
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
362 end
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
363 if client.active.fast then
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
364 auth_type:text_tag("fast");
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
365 end
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
366 end
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
367
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
368 local user_agent = st.stanza("user-agent");
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
369 if client.user_agent then
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
370 if client.user_agent.software then
5516
f25df3af02c1 mod_client_management: Include client software version number in listing
Kim Alvefur <zash@zash.se>
parents: 5374
diff changeset
371 user_agent:text_tag("software", client.user_agent.software, { id = client.user_agent.software_id; version = client.user_agent.software_version });
5301
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
372 end
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
373 if client.user_agent.device then
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
374 user_agent:text_tag("device", client.user_agent.device);
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
375 end
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
376 if client.user_agent.uri then
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
377 user_agent:text_tag("uri", client.user_agent.uri);
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
378 end
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
379 end
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
380
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
381 local connected = client.active and client.active.connected;
5304
717ff9468464 mod_client_management: Include client type in XML response listing
Matthew Wild <mwild1@gmail.com>
parents: 5301
diff changeset
382 reply:tag("client", { id = client.id, connected = connected and "true" or "false", type = client.type })
5301
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
383 :text_tag("first-seen", dt.datetime(client.first_seen))
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
384 :text_tag("last-seen", dt.datetime(client.last_seen))
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
385 :add_child(auth_type)
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
386 :add_child(user_agent)
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
387 :up();
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
388 end
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
389 reply:up();
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
390
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
391 origin.send(reply);
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
392 return true;
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
393 end);
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
394
5343
5c1c70e52635 mod_client_management: Fix import of util.error (not errors)
Kim Alvefur <zash@zash.se>
parents: 5312
diff changeset
395 local revocation_errors = require "util.error".init(module.name, xmlns_manage_clients, {
5311
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
396 ["item-not-found"] = { "cancel", "item-not-found", "Client not found" };
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
397 ["internal-server-error"] = { "wait", "internal-server-error", "Unable to revoke client access" };
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
398 ["password-reset-required"] = { "cancel", "service-unavailable", "Password reset required", "password-reset-required" };
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
399 });
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
400
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
401 module:hook("iq-set/self/xmpp:prosody.im/protocol/manage-clients:revoke", function (event)
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
402 local origin, stanza = event.origin, event.stanza;
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
403
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
404 if not module:may(":manage-clients", event) then
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
405 origin.send(st.error_reply(stanza, "auth", "forbidden"));
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
406 return true;
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
407 end
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
408
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
409 local client_id = stanza.tags[1].attr.id;
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
410
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
411 local ok, err = revocation_errors.coerce(revoke_client_access(origin.username, client_id));
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
412 if not ok then
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
413 origin.send(st.error_reply(stanza, err));
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
414 return true;
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
415 end
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
416
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
417 origin.send(st.reply(stanza));
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
418 return true;
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
419 end);
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
420
d4a0d2b5343a mod_client_management: Add support for revoking client access via XMPP
Matthew Wild <mwild1@gmail.com>
parents: 5310
diff changeset
421
5301
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
422 -- Command
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
423
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
424 module:once(function ()
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
425 local console_env = module:shared("/*/admin_shell/env");
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
426 if not console_env.user then return; end -- admin_shell probably not loaded
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
427
5308
f370ccb15f05 mod_client_management: Fix user:clients() shell command to take a JID
Matthew Wild <mwild1@gmail.com>
parents: 5307
diff changeset
428 function console_env.user:clients(user_jid)
f370ccb15f05 mod_client_management: Fix user:clients() shell command to take a JID
Matthew Wild <mwild1@gmail.com>
parents: 5307
diff changeset
429 local username, host = jid.split(user_jid);
f370ccb15f05 mod_client_management: Fix user:clients() shell command to take a JID
Matthew Wild <mwild1@gmail.com>
parents: 5307
diff changeset
430 local mod = prosody.hosts[host] and prosody.hosts[host].modules.client_management;
f370ccb15f05 mod_client_management: Fix user:clients() shell command to take a JID
Matthew Wild <mwild1@gmail.com>
parents: 5307
diff changeset
431 if not mod then
5372
2d8076577e14 mod_client_management: Fix error when called against host without this module
Kim Alvefur <zash@zash.se>
parents: 5371
diff changeset
432 return false, ("Host does not exist on this server, or does not have mod_client_management loaded");
5308
f370ccb15f05 mod_client_management: Fix user:clients() shell command to take a JID
Matthew Wild <mwild1@gmail.com>
parents: 5307
diff changeset
433 end
f370ccb15f05 mod_client_management: Fix user:clients() shell command to take a JID
Matthew Wild <mwild1@gmail.com>
parents: 5307
diff changeset
434
f370ccb15f05 mod_client_management: Fix user:clients() shell command to take a JID
Matthew Wild <mwild1@gmail.com>
parents: 5307
diff changeset
435 local clients = mod.get_active_clients(username);
5301
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
436 if not clients or #clients == 0 then
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
437 return true, "No clients associated with this account";
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
438 end
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
439
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
440 local colspec = {
5607
c799b460f9f0 mod_client_management: Make ID column dynamically sized
Kim Alvefur <zash@zash.se>
parents: 5606
diff changeset
441 { title = "ID"; key = "id"; width = "1p" };
5371
b2d51c6ae89a mod_client_management: Move table cell formatting into column specification
Kim Alvefur <zash@zash.se>
parents: 5370
diff changeset
442 {
b2d51c6ae89a mod_client_management: Move table cell formatting into column specification
Kim Alvefur <zash@zash.se>
parents: 5370
diff changeset
443 title = "Software";
5373
93d6ed7dc779 mod_client_management: Fix changed column cell "key"
Kim Alvefur <zash@zash.se>
parents: 5372
diff changeset
444 key = "user_agent";
5371
b2d51c6ae89a mod_client_management: Move table cell formatting into column specification
Kim Alvefur <zash@zash.se>
parents: 5370
diff changeset
445 width = "1p";
5603
d2561c1d26f5 mod_client_management: Allow revoking a specific client version
Kim Alvefur <zash@zash.se>
parents: 5602
diff changeset
446 mapper = user_agent_tostring;
5371
b2d51c6ae89a mod_client_management: Move table cell formatting into column specification
Kim Alvefur <zash@zash.se>
parents: 5370
diff changeset
447 };
b2d51c6ae89a mod_client_management: Move table cell formatting into column specification
Kim Alvefur <zash@zash.se>
parents: 5370
diff changeset
448 {
b2d51c6ae89a mod_client_management: Move table cell formatting into column specification
Kim Alvefur <zash@zash.se>
parents: 5370
diff changeset
449 title = "Last seen";
b2d51c6ae89a mod_client_management: Move table cell formatting into column specification
Kim Alvefur <zash@zash.se>
parents: 5370
diff changeset
450 key = "last_seen";
5374
d9397d6a5513 mod_client_management: Show time for recent timestamps in shell command
Kim Alvefur <zash@zash.se>
parents: 5373
diff changeset
451 width = math.max(#os.date("%Y-%m-%d"), #os.date("%H:%M:%S"));
d9397d6a5513 mod_client_management: Show time for recent timestamps in shell command
Kim Alvefur <zash@zash.se>
parents: 5373
diff changeset
452 align = "right";
5371
b2d51c6ae89a mod_client_management: Move table cell formatting into column specification
Kim Alvefur <zash@zash.se>
parents: 5370
diff changeset
453 mapper = function(last_seen)
5606
da69496180e7 mod_client_management: Fix traceback if no last seen timestamp available
Kim Alvefur <zash@zash.se>
parents: 5604
diff changeset
454 return last_seen and os.date(os.difftime(os.time(), last_seen) >= 86400 and "%Y-%m-%d" or "%H:%M:%S", last_seen);
5371
b2d51c6ae89a mod_client_management: Move table cell formatting into column specification
Kim Alvefur <zash@zash.se>
parents: 5370
diff changeset
455 end;
b2d51c6ae89a mod_client_management: Move table cell formatting into column specification
Kim Alvefur <zash@zash.se>
parents: 5370
diff changeset
456 };
b2d51c6ae89a mod_client_management: Move table cell formatting into column specification
Kim Alvefur <zash@zash.se>
parents: 5370
diff changeset
457 {
b2d51c6ae89a mod_client_management: Move table cell formatting into column specification
Kim Alvefur <zash@zash.se>
parents: 5370
diff changeset
458 title = "Authentication";
b2d51c6ae89a mod_client_management: Move table cell formatting into column specification
Kim Alvefur <zash@zash.se>
parents: 5370
diff changeset
459 key = "active";
b2d51c6ae89a mod_client_management: Move table cell formatting into column specification
Kim Alvefur <zash@zash.se>
parents: 5370
diff changeset
460 width = "2p";
b2d51c6ae89a mod_client_management: Move table cell formatting into column specification
Kim Alvefur <zash@zash.se>
parents: 5370
diff changeset
461 mapper = function(active)
b2d51c6ae89a mod_client_management: Move table cell formatting into column specification
Kim Alvefur <zash@zash.se>
parents: 5370
diff changeset
462 return array.collect(it.keys(active)):sort():concat(", ");
b2d51c6ae89a mod_client_management: Move table cell formatting into column specification
Kim Alvefur <zash@zash.se>
parents: 5370
diff changeset
463 end;
b2d51c6ae89a mod_client_management: Move table cell formatting into column specification
Kim Alvefur <zash@zash.se>
parents: 5370
diff changeset
464 };
5301
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
465 };
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
466
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
467 local row = require "util.human.io".table(colspec, self.session.width);
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
468
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
469 local print = self.session.print;
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
470 print(row());
5309
09656e2b4927 mod_client_management: Improve table output
Matthew Wild <mwild1@gmail.com>
parents: 5308
diff changeset
471 print(string.rep("-", self.session.width));
5301
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
472 for _, client in ipairs(clients) do
5371
b2d51c6ae89a mod_client_management: Move table cell formatting into column specification
Kim Alvefur <zash@zash.se>
parents: 5370
diff changeset
473 print(row(client));
5301
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
474 end
5309
09656e2b4927 mod_client_management: Improve table output
Matthew Wild <mwild1@gmail.com>
parents: 5308
diff changeset
475 print(string.rep("-", self.session.width));
09656e2b4927 mod_client_management: Improve table output
Matthew Wild <mwild1@gmail.com>
parents: 5308
diff changeset
476 return true, ("%d clients"):format(#clients);
5301
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
477 end
5601
e9af6abf2b1e mod_client_management: Add shell command to revoke client access
Kim Alvefur <zash@zash.se>
parents: 5600
diff changeset
478
e9af6abf2b1e mod_client_management: Add shell command to revoke client access
Kim Alvefur <zash@zash.se>
parents: 5600
diff changeset
479 function console_env.user:revoke_client(user_jid, selector) -- luacheck: ignore 212/self
e9af6abf2b1e mod_client_management: Add shell command to revoke client access
Kim Alvefur <zash@zash.se>
parents: 5600
diff changeset
480 local username, host = jid.split(user_jid);
e9af6abf2b1e mod_client_management: Add shell command to revoke client access
Kim Alvefur <zash@zash.se>
parents: 5600
diff changeset
481 local mod = prosody.hosts[host] and prosody.hosts[host].modules.client_management;
e9af6abf2b1e mod_client_management: Add shell command to revoke client access
Kim Alvefur <zash@zash.se>
parents: 5600
diff changeset
482 if not mod then
e9af6abf2b1e mod_client_management: Add shell command to revoke client access
Kim Alvefur <zash@zash.se>
parents: 5600
diff changeset
483 return false, ("Host does not exist on this server, or does not have mod_client_management loaded");
e9af6abf2b1e mod_client_management: Add shell command to revoke client access
Kim Alvefur <zash@zash.se>
parents: 5600
diff changeset
484 end
e9af6abf2b1e mod_client_management: Add shell command to revoke client access
Kim Alvefur <zash@zash.se>
parents: 5600
diff changeset
485
e9af6abf2b1e mod_client_management: Add shell command to revoke client access
Kim Alvefur <zash@zash.se>
parents: 5600
diff changeset
486 local revoked, err = revocation_errors.coerce(mod.revoke_client_access(username, selector));
e9af6abf2b1e mod_client_management: Add shell command to revoke client access
Kim Alvefur <zash@zash.se>
parents: 5600
diff changeset
487 if not revoked then
e9af6abf2b1e mod_client_management: Add shell command to revoke client access
Kim Alvefur <zash@zash.se>
parents: 5600
diff changeset
488 return false, err.text or err;
e9af6abf2b1e mod_client_management: Add shell command to revoke client access
Kim Alvefur <zash@zash.se>
parents: 5600
diff changeset
489 end
e9af6abf2b1e mod_client_management: Add shell command to revoke client access
Kim Alvefur <zash@zash.se>
parents: 5600
diff changeset
490 return true, "Client access revoked";
e9af6abf2b1e mod_client_management: Add shell command to revoke client access
Kim Alvefur <zash@zash.se>
parents: 5600
diff changeset
491 end
5301
8ef197cccd74 mod_client_management: Add XMPP and shell interfaces to fetch client list
Matthew Wild <mwild1@gmail.com>
parents: 5294
diff changeset
492 end);