Annotate

mod_s2s_status/mod_s2s_status.lua @ 5623:59d5fc50f602

mod_http_oauth2: Implement refresh token rotation Makes refresh tokens one-time-use, handing out a new refresh token with each access token. Thus if a refresh token is stolen and used by an attacker, the next time the legitimate client tries to use the previous refresh token, it will not work and the attack will be noticed. If the attacker does not use the refresh token, it becomes invalid after the legitimate client uses it. This behavior is recommended by draft-ietf-oauth-security-topics
author Kim Alvefur <zash@zash.se>
date Sun, 23 Jul 2023 02:56:08 +0200
parent 4791:b86282953663
child 5811:31c331d05a75
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
4791
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
1 local status_out = module:shared("out");
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
2
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
3 local errors = require "util.error";
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
4
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
5 local function get_session_info(session)
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
6 local direction, peer_host = session.direction;
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
7 if direction == "outgoing" then
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
8 peer_host = session.to_host;
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
9 elseif direction == "incoming" then
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
10 peer_host = session.from_host;
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
11 end
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
12 return peer_host, direction, session.id;
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
13 end
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
14
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
15 local function get_domain_log_out(peer_domain)
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
16 local domain_log = status_out[peer_domain];
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
17 if not domain_log then
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
18 domain_log = {};
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
19 status_out[peer_domain] = domain_log;
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
20 end
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
21 end
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
22
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
23 local function get_connection_record(domain_log, id)
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
24 for _, record in ipairs(domain_log) do
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
25 if record.id == id then
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
26 return record;
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
27 end
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
28 end
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
29 -- No record for this connection yet, create it
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
30 local record = { id = id };
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
31 table.insert(domain_log, 1, record);
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
32 return record;
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
33 end
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
34
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
35 local function log_new_connection_out(peer_domain, id)
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
36 local domain_log = get_domain_log_out(peer_domain);
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
37 local record = get_connection_record(domain_log, id);
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
38 record.status, record.time_started = "connecting", os.time();
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
39 end
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
40
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
41 local function log_successful_connection_out(peer_domain, id)
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
42 local domain_log = get_domain_log_out(peer_domain);
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
43 local record = get_connection_record(domain_log, id);
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
44 record.status, record.time_connected = "connected", os.time();
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
45 end
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
46
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
47 local function log_ended_connection_out(peer_domain, id, reason)
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
48 local domain_log = get_domain_log_out(peer_domain);
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
49 local record = get_connection_record(domain_log, id);
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
50
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
51 if record.status == "connecting" then
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
52 record.status = "failed";
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
53 elseif record.status == "connected" then
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
54 record.status = "disconnected";
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
55 end
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
56 if reason then
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
57 local e_reason = errors.new(reason);
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
58 record.error = {
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
59 type = e_reason.type;
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
60 condition = e_reason.condition;
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
61 text = e_reason.text;
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
62 };
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
63 if not record.error.text and type(reason) == "string" then
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
64 record.error.text = reason;
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
65 end
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
66 end
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
67 local now = os.time();
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
68 record.time_ended = now;
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
69 end
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
70
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
71 local function s2sout_established(event)
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
72 local peer_domain, _, id = get_session_info(event.session);
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
73 log_successful_connection_out(peer_domain, id);
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
74 end
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
75
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
76 local function s2sout_destroyed(event)
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
77 local peer_domain, _, id = get_session_info(event.session);
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
78 log_ended_connection_out(peer_domain, id);
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
79 end
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
80
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
81 local function s2s_created(event)
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
82 local peer_domain, direction, id = get_session_info(event.session);
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
83 if direction == "outgoing" then
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
84 log_new_connection_out(peer_domain, id);
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
85 end
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
86 end
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
87
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
88 module:hook("s2s-created", s2s_created);
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
89 module:hook("s2sout-established", s2sout_established);
b86282953663 mod_s2s_status: Module to track status of s2s connections by domain
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
90 module:hook("s2sout-destroyed", s2sout_destroyed);