Annotate

mod_sasl2_sm/mod_sasl2_sm.lua @ 5401:c8d04ac200fc

mod_http_oauth2: Reject loopback URIs as client_uri This really should be a proper website with info, https://localhost is not good enough. Ideally we'd validate that it's got proper DNS and is actually reachable, but triggering HTTP or even DNS lookups seems like it would carry abuse potential that would best to avoid.
author Kim Alvefur <zash@zash.se>
date Tue, 02 May 2023 16:20:55 +0200
parent 5094:c92c87daa09e
child 5749:92ce3859df63
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
1 local st = require "util.stanza";
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
2
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
3 local mod_smacks = module:depends("smacks");
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
4
5039
c0d243b27e64 mod_sasl2, mod_sasl_bind2, mod_sasl2_sm: Bump XEP-0388 namespace
Matthew Wild <mwild1@gmail.com>
parents: 5037
diff changeset
5 local xmlns_sasl2 = "urn:xmpp:sasl:2";
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
6 local xmlns_sm = "urn:xmpp:sm:3";
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
7
5094
c92c87daa09e mod_sasl2_sm: Add explicit dependency on mod_sasl2
Kim Alvefur <zash@zash.se>
parents: 5060
diff changeset
8 module:depends("sasl2");
c92c87daa09e mod_sasl2_sm: Add explicit dependency on mod_sasl2
Kim Alvefur <zash@zash.se>
parents: 5060
diff changeset
9
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
10 -- Advertise what we can do
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
11
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
12 module:hook("advertise-sasl-features", function (event)
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
13 local features = event.features;
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
14 features:tag("sm", { xmlns = xmlns_sm }):up();
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
15 end);
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
16
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
17 module:hook("advertise-bind-features", function (event)
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
18 local features = event.features;
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
19 features:tag("feature", { var = xmlns_sm }):up();
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
20 end);
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
21
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
22 module:hook_tag(xmlns_sasl2, "authenticate", function (session, auth)
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
23 -- Cache action for future processing (after auth success)
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
24 session.sasl2_sm_request = auth:child_with_ns(xmlns_sm);
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
25 end, 100);
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
26
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
27 -- SASL 2 integration (for resume)
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
28
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
29 module:hook("sasl2/c2s/success", function (event)
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
30 local session = event.session;
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
31 local sm_request = session.sasl2_sm_request;
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
32 if not sm_request then return; end
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
33 session.sasl2_sm_request = nil;
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
34 local sm_result;
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
35 if sm_request.name ~= "resume" then return; end
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
36
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
37 local resumed, err = mod_smacks.do_resume(session, sm_request);
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
38 if not resumed then
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
39 local h = err.context and err.context.h;
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
40 sm_result = st.stanza("failed", { xmlns = xmlns_sm, h = h and ("%d"):format(h) or nil })
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
41 :add_error(err);
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
42 else
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
43 event.session = resumed.session; -- Update to resumed session
5037
8a8100fff580 mod_sasl2_bind2, mod_sasl2_sm: Move sasl2_sm_success to session
Matthew Wild <mwild1@gmail.com>
parents: 5035
diff changeset
44 event.session.sasl2_sm_success = resumed; -- To be called after sending final SASL response
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
45 sm_result = st.stanza("resumed", { xmlns = xmlns_sm,
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
46 h = ("%d"):format(event.session.handled_stanza_count);
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
47 previd = resumed.id; });
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
48 end
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
49
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
50 if sm_result then
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
51 event.success:add_child(sm_result);
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
52 end
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
53 end, 110);
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
54
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
55 -- Bind 2 integration (for enable)
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
56
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
57 module:hook("advertise-bind-features", function (event)
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
58 event.features:tag("feature", { var = xmlns_sm }):up();
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
59 end);
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
60
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
61 module:hook("enable-bind-features", function (event)
5060
bc491065c221 mod_sasl2_bind2, mod_sasl2_sm: Remove bind2 <features/> wrapper element
Matthew Wild <mwild1@gmail.com>
parents: 5039
diff changeset
62 local sm_enable = event.request:get_child("enable", xmlns_sm);
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
63 if not sm_enable then return; end
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
64
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
65 local sm_result;
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
66 local enabled, err = mod_smacks.do_enable(event.session, sm_enable);
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
67 if not enabled then
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
68 sm_result = st.stanza("failed", { xmlns = xmlns_sm })
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
69 :add_error(err);
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
70 else
5037
8a8100fff580 mod_sasl2_bind2, mod_sasl2_sm: Move sasl2_sm_success to session
Matthew Wild <mwild1@gmail.com>
parents: 5035
diff changeset
71 event.session.sasl2_sm_success = enabled; -- To be called after sending final SASL response
5034
f7eaf73b8f30 mod_sasl2_sm: Fix typo
Matthew Wild <mwild1@gmail.com>
parents: 5030
diff changeset
72 sm_result = st.stanza("enabled", {
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
73 xmlns = xmlns_sm;
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
74 id = enabled.id;
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
75 resume = enabled.id and "1" or nil;
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
76 max = enabled.resume_max;
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
77 });
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
78 end
5035
baebe7452903 mod_sasl2_sm: Fix event field name
Matthew Wild <mwild1@gmail.com>
parents: 5034
diff changeset
79 event.result:add_child(sm_result);
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
80 end, 100);
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
81
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
82 -- Finish and/or clean up after SASL 2 completed
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
83
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
84 module:hook("sasl2/c2s/success", function (event)
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
85 -- The authenticate response has already been sent at this point
5037
8a8100fff580 mod_sasl2_bind2, mod_sasl2_sm: Move sasl2_sm_success to session
Matthew Wild <mwild1@gmail.com>
parents: 5035
diff changeset
86 local success = event.session.sasl2_sm_success;
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
87 if success then
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
88 success.finish(); -- Finish enable/resume and sync stanzas
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
89 end
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
90 end, -1100);
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
91
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
92 module:hook("sasl2/c2s/failure", function (event)
5030
3e79876d135b mod_sasl2_sm: Integration with mod_sasl2_bind2
Matthew Wild <mwild1@gmail.com>
parents: 5027
diff changeset
93 event.session.sasl2_sm_request = nil;
5026
e3248d025d34 mod_sasl2_sm: Experimental mod_isr alternative
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
94 end);