
mod_audit_auth/mod_audit_auth.lua @ 5819:93d6e9026c1b

mod_http_oauth2: Do not enforce PKCE on Device and OOB flows PKCE does not appear to be used with the Device flow. I have found no mention of any interaction between those standards. Since no data is delivered via redirects in these cases, PKCE may not serve any purpose. This is mostly a problem because we reuse the authorization code to implement the Device and OOB flows.
author Kim Alvefur <zash@zash.se>
date Fri, 15 Dec 2023 12:10:07 +0100
parent 5803:f199bff16f1f
child 5930:cc30c4b5f006
local jid = require("util.jid");
local st = require("util.stanza");

-- module:audit() is provided by mod_audit; this module only emits records.
module:depends("audit");
-- luacheck: read globals module.audit

-- When true (the default) the success hook below skips sessions whose SASL
-- handler is flagged as FAST; that flag is the only thing it consults.
local only_passwords = module:get_option_boolean("audit_auth_passwords_only", true);

--- Record every failed SASL authentication attempt.
-- The username comes from the SASL handler, i.e. from the unauthenticated
-- client's own claim, so the record identifies the account that was targeted,
-- not a verified identity. Unlike the success hook this does not consult
-- only_passwords: failures are recorded regardless of mechanism.
-- NOTE(review): if the failure happened before a username was parsed,
-- sasl_handler.username may be nil — confirm how jid.join() handles that.
module:hook("authentication-failure", function(event)
	local session = event.session;
	local target = jid.join(session.sasl_handler.username, module.host);
	local record = { session = session };
	module:audit(target, "authentication-failure", record);
end)

--- Record a successful SASL authentication.
-- With audit_auth_passwords_only (default true) a session whose SASL handler
-- carries the `fast` flag is skipped. Only that flag is checked, so any other
-- non-password mechanism still produces a record despite the option's name.
module:hook("authentication-success", function(event)
	local session = event.session;
	local skip = only_passwords and session.sasl_handler.fast;
	if skip then
		return;
	end
	local user = jid.join(session.sasl_handler.username, module.host);
	module:audit(user, "authentication-success", { session = session });
end)

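--- Build the <client/> element describing a newly seen client.
-- Adds a SASL2 <user-agent/> child when the client announced one (software,
-- device and uri are each optional) and a <legacy/> marker when client.legacy
-- is set. All of these values are client-supplied and unverified; they are
-- stored as-is for later review.
-- @tparam table client the client record carried by the new-client event
-- @treturn stanza the populated <client/> element
local function build_client_info(client)
	local client_info = st.stanza("client", { id = client.id });

	local ua = client.user_agent;
	if ua then
		local user_agent = st.stanza("user-agent", { xmlns = "urn:xmpp:sasl:2" });
		if ua.software then
			user_agent:text_tag("software", ua.software, { id = ua.software_id; version = ua.software_version });
		end
		if ua.device then
			user_agent:text_tag("device", ua.device);
		end
		if ua.uri then
			user_agent:text_tag("uri", ua.uri);
		end
		client_info:add_child(user_agent);
	end

	if client.legacy then
		client_info:text_tag("legacy");
	end

	return client_info;
end

--- Record the first appearance of a client on an account.
-- Fired by client management once a session has authenticated, so
-- session.username is the verified account here (contrast the SASL hooks,
-- which read the handler's claimed username).
module:hook("client_management/new-client", function (event)
	local session, client = event.session, event.client;
	local client_info = build_client_info(client);

	module:audit(jid.join(session.username, module.host), "new-client", {
		session = session;
		-- The client element must be attached here; without it the audit
		-- record carries no client details at all. Assumes mod_audit treats
		-- `custom` as a list of extra child stanzas — confirm against mod_audit.
		custom = {
			client_info;
		};
	});
end);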