prosody-modules
cc665f343690
mod_sasl2/mod_sasl2.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody-modules

Annotate

mod_sasl2/mod_sasl2.lua @ 6057:cc665f343690

mod_firewall: SUBSCRIBED: Flip subscription check to match documentation The documentation claims that this condition checks whether the recipient is subscribed to the sender. However, it was using the wrong method, and actually checking whether the sender was subscribed to the recipient. A quick poll of folk suggested that the documentation's approach is the right one, so this should fix the code to match the documentation. This should also fix the bundled anti-spam rules from blocking presence from JIDs that you subscribe do (but don't have a mutual subscription with).
author Matthew Wild <mwild1@gmail.com>
date Fri, 22 Nov 2024 13:50:48 +0000
parent 6056:56fa3bad16cc
child 6136:8da64ecdbcaa
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
3905
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 -- Prosody IM
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2 -- Copyright (C) 2019 Kim Alvefur
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3 --
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 -- This project is MIT/X11 licensed. Please see the
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5 -- COPYING file in the source package for more information.
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6 --
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7 -- XEP-0388: Extensible SASL Profile
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8 --
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 local st = require "util.stanza";
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11 local errors = require "util.error";
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12 local base64 = require "util.encodings".base64;
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13 local jid_join = require "util.jid".join;
5038
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
14 local set = require "util.set";
3905
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
15
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler;
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
17 local sm_make_authenticated = require "core.sessionmanager".make_authenticated;
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18
5039
c0d243b27e64 mod_sasl2, mod_sasl_bind2, mod_sasl2_sm: Bump XEP-0388 namespace
Matthew Wild <mwild1@gmail.com>
parents: 5038
diff changeset
19 local xmlns_sasl2 = "urn:xmpp:sasl:2";
3905
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
20
5088
e9cf361982d5 mod_sasl2: Honour (c2s_)require_encryption config option
Matthew Wild <mwild1@gmail.com>
parents: 5067
diff changeset
21 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", true));
3905
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false)
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"});
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24 local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" });
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 local host = module.host;
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27
5038
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
28 local function tls_unique(self)
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
29 return self.userdata["tls-unique"]:ssl_peerfinished();
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
30 end
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
31
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
32 local function tls_exporter(conn)
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
33 if not conn.ssl_exportkeyingmaterial then return end
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
34 return conn:ssl_exportkeyingmaterial("EXPORTER-Channel-Binding", 32, "");
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
35 end
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
36
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
37 local function sasl_tls_exporter(self)
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
38 return tls_exporter(self.userdata["tls-exporter"]);
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
39 end
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
40
3905
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
41 module:hook("stream-features", function(event)
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
42 local origin, features = event.origin, event.features;
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
43 local log = origin.log or module._log;
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
44
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
45 if origin.type ~= "c2s_unauthed" then
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
46 log("debug", "Already authenticated");
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
47 return
5088
e9cf361982d5 mod_sasl2: Honour (c2s_)require_encryption config option
Matthew Wild <mwild1@gmail.com>
parents: 5067
diff changeset
48 elseif secure_auth_only and not origin.secure then
e9cf361982d5 mod_sasl2: Honour (c2s_)require_encryption config option
Matthew Wild <mwild1@gmail.com>
parents: 5067
diff changeset
49 log("debug", "Not offering authentication on insecure connection");
e9cf361982d5 mod_sasl2: Honour (c2s_)require_encryption config option
Matthew Wild <mwild1@gmail.com>
parents: 5067
diff changeset
50 return;
3905
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
51 end
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
52
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
53 local sasl_handler = usermanager_get_sasl_handler(host, origin)
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
54 origin.sasl_handler = sasl_handler;
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
55
5038
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
56 local channel_bindings = set.new()
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
57 if origin.encrypted then
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
58 -- check whether LuaSec has the nifty binding to the function needed for tls-unique
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
59 -- FIXME: would be nice to have this check only once and not for every socket
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
60 if sasl_handler.add_cb_handler then
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
61 local info = origin.conn:ssl_info();
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
62 if info and info.protocol == "TLSv1.3" then
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
63 log("debug", "Channel binding 'tls-unique' undefined in context of TLS 1.3");
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
64 if tls_exporter(origin.conn) then
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
65 log("debug", "Channel binding 'tls-exporter' supported");
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
66 sasl_handler:add_cb_handler("tls-exporter", sasl_tls_exporter);
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
67 channel_bindings:add("tls-exporter");
5913
2597e2113561 mod_sasl2: Log when tls-exporter is NOT supported, as well as when it is
Matthew Wild <mwild1@gmail.com>
parents: 5261
diff changeset
68 else
2597e2113561 mod_sasl2: Log when tls-exporter is NOT supported, as well as when it is
Matthew Wild <mwild1@gmail.com>
parents: 5261
diff changeset
69 log("debug", "Channel binding 'tls-exporter' not supported");
5038
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
70 end
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
71 elseif origin.conn.ssl_peerfinished and origin.conn:ssl_peerfinished() then
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
72 log("debug", "Channel binding 'tls-unique' supported");
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
73 sasl_handler:add_cb_handler("tls-unique", tls_unique);
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
74 channel_bindings:add("tls-unique");
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
75 else
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
76 log("debug", "Channel binding 'tls-unique' not supported (by LuaSec?)");
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
77 end
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
78 sasl_handler["userdata"] = {
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
79 ["tls-unique"] = origin.conn;
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
80 ["tls-exporter"] = origin.conn;
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
81 };
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
82 else
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
83 log("debug", "Channel binding not supported by SASL handler");
88980b2dd986 mod_sasl2: Hacky support for channel binding
Matthew Wild <mwild1@gmail.com>
parents: 5028
diff changeset
84 end
3905
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
85 end
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
86
5039
c0d243b27e64 mod_sasl2, mod_sasl_bind2, mod_sasl2_sm: Bump XEP-0388 namespace
Matthew Wild <mwild1@gmail.com>
parents: 5038
diff changeset
87 local mechanisms = st.stanza("authentication", { xmlns = xmlns_sasl2 });
3905
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
88
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
89 local available_mechanisms = sasl_handler:mechanisms()
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
90 for mechanism in pairs(available_mechanisms) do
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
91 if disabled_mechanisms:contains(mechanism) then
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
92 log("debug", "Not offering disabled mechanism %s", mechanism);
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
93 elseif not origin.secure and insecure_mechanisms:contains(mechanism) then
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
94 log("debug", "Not offering mechanism %s on insecure connection", mechanism);
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
95 else
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
96 log("debug", "Offering mechanism %s", mechanism);
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
97 mechanisms:text_tag("mechanism", mechanism);
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
98 end
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
99 end
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
100
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
101 features:add_direct_child(mechanisms);
5028
1f2d2bfd29dd mod_sasl2: Add event for other modules to advertise inline features
Matthew Wild <mwild1@gmail.com>
parents: 5025
diff changeset
102
5042
166fd192f39c mod_sasl2: Move <inline/> into <authentication>
Matthew Wild <mwild1@gmail.com>
parents: 5041
diff changeset
103 local inline = st.stanza("inline");
5067
54c6b4595f86 mod_sasl2: Forward stream attributes into sub-event
Matthew Wild <mwild1@gmail.com>
parents: 5063
diff changeset
104 module:fire_event("advertise-sasl-features", { origin = origin, features = inline, stream = event.stream });
5042
166fd192f39c mod_sasl2: Move <inline/> into <authentication>
Matthew Wild <mwild1@gmail.com>
parents: 5041
diff changeset
105 mechanisms:add_direct_child(inline);
3905
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
106 end, 1);
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
107
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
108 local function handle_status(session, status, ret, err_msg)
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
109 local err = nil;
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
110 if status == "error" then
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
111 ret, err = nil, ret;
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
112 if not errors.is_err(err) then
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
113 err = errors.new({ condition = err, text = err_msg }, { session = session });
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
114 end
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
115 end
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
116
5018
ed2a9a4c4f01 mod_sasl2: Return status from event handlers
Matthew Wild <mwild1@gmail.com>
parents: 4796
diff changeset
117 return module:fire_event("sasl2/"..session.base_type.."/"..status, {
3905
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
118 session = session,
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
119 message = ret;
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
120 error = err;
5025
fd154db7c8fc mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents: 5023
diff changeset
121 error_text = err_msg;
3905
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
122 });
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
123 end
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
124
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
125 module:hook("sasl2/c2s/failure", function (event)
5249
828e5e443613 mod_sasl2: Fire authentication-{success,failure} events like mod_saslauth
Matthew Wild <mwild1@gmail.com>
parents: 5088
diff changeset
126 module:fire_event("authentication-failure", event);
5025
fd154db7c8fc mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents: 5023
diff changeset
127 local session, condition, text = event.session, event.message, event.error_text;
fd154db7c8fc mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents: 5023
diff changeset
128 local failure = st.stanza("failure", { xmlns = xmlns_sasl2 })
5041
afa09e069afb mod_sasl2: Fix missing namespace on failure condition (thanks tmolitor)
Matthew Wild <mwild1@gmail.com>
parents: 5039
diff changeset
129 :tag(condition, { xmlns = "urn:ietf:params:xml:ns:xmpp-sasl" }):up();
5025
fd154db7c8fc mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents: 5023
diff changeset
130 if text then
fd154db7c8fc mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents: 5023
diff changeset
131 failure:text_tag("text", text);
fd154db7c8fc mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents: 5023
diff changeset
132 end
fd154db7c8fc mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents: 5023
diff changeset
133 session.send(failure);
fd154db7c8fc mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents: 5023
diff changeset
134 return true;
fd154db7c8fc mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents: 5023
diff changeset
135 end);
fd154db7c8fc mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents: 5023
diff changeset
136
fd154db7c8fc mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents: 5023
diff changeset
137 module:hook("sasl2/c2s/error", function (event)
3905
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
138 local session = event.session
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
139 session.send(st.stanza("failure", { xmlns = xmlns_sasl2 })
5025
fd154db7c8fc mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents: 5023
diff changeset
140 :tag(event.error and event.error.condition));
3905
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
141 return true;
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
142 end);
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
143
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
144 module:hook("sasl2/c2s/challenge", function (event)
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
145 local session = event.session;
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
146 session.send(st.stanza("challenge", { xmlns = xmlns_sasl2 })
5019
c83ce822f105 mod_sasl2: Fix <challenge> generation
Matthew Wild <mwild1@gmail.com>
parents: 5018
diff changeset
147 :text(base64.encode(event.message)));
5020
6a36dae4a88d mod_sasl2: Return true to indicate challenge was handled successfully
Matthew Wild <mwild1@gmail.com>
parents: 5019
diff changeset
148 return true;
3905
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
149 end);
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
150
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
151 module:hook("sasl2/c2s/success", function (event)
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
152 local session = event.session
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
153 local ok, err = sm_make_authenticated(session, session.sasl_handler.username);
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
154 if not ok then
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
155 handle_status(session, "failure", err);
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
156 return true;
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
157 end
6056
56fa3bad16cc mod_sasl2/mod_sasl2.lua: rollback until fixed
Menel <menel@snikket.de>
parents: 6055
diff changeset
158 event.success = st.stanza("success", { xmlns = xmlns_sasl2 });
56fa3bad16cc mod_sasl2/mod_sasl2.lua: rollback until fixed
Menel <menel@snikket.de>
parents: 6055
diff changeset
159 if event.message then
56fa3bad16cc mod_sasl2/mod_sasl2.lua: rollback until fixed
Menel <menel@snikket.de>
parents: 6055
diff changeset
160 event.success:text_tag("additional-data", base64.encode(event.message));
5023
90772a9c92a0 mod_sasl2: Include additional-data in SASL success response
Matthew Wild <mwild1@gmail.com>
parents: 5021
diff changeset
161 end
3905
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
162 end, 1000);
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
163
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
164 module:hook("sasl2/c2s/success", function (event)
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
165 local session = event.session
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
166 event.success:text_tag("authorization-identifier", jid_join(session.username, session.host, session.resource));
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
167 session.send(event.success);
5049
e89aad13a52a mod_sasl2: Further break up success handling, into pre/post stream:features
Matthew Wild <mwild1@gmail.com>
parents: 5048
diff changeset
168 end, -1000);
e89aad13a52a mod_sasl2: Further break up success handling, into pre/post stream:features
Matthew Wild <mwild1@gmail.com>
parents: 5048
diff changeset
169
e89aad13a52a mod_sasl2: Further break up success handling, into pre/post stream:features
Matthew Wild <mwild1@gmail.com>
parents: 5048
diff changeset
170 module:hook("sasl2/c2s/success", function (event)
5249
828e5e443613 mod_sasl2: Fire authentication-{success,failure} events like mod_saslauth
Matthew Wild <mwild1@gmail.com>
parents: 5088
diff changeset
171 module:fire_event("authentication-success", event);
5049
e89aad13a52a mod_sasl2: Further break up success handling, into pre/post stream:features
Matthew Wild <mwild1@gmail.com>
parents: 5048
diff changeset
172 local session = event.session;
3905
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
173 local features = st.stanza("stream:features");
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
174 module:fire_event("stream-features", { origin = session, features = features });
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
175 session.send(features);
5049
e89aad13a52a mod_sasl2: Further break up success handling, into pre/post stream:features
Matthew Wild <mwild1@gmail.com>
parents: 5048
diff changeset
176 end, -1500);
3905
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
177
5021
f62b091b1c81 mod_sasl2: Eventually return true from success handler
Matthew Wild <mwild1@gmail.com>
parents: 5020
diff changeset
178 -- The gap here is to allow modules to do stuff to the stream after the stanza
f62b091b1c81 mod_sasl2: Eventually return true from success handler
Matthew Wild <mwild1@gmail.com>
parents: 5020
diff changeset
179 -- is sent, but before we proceed with anything else. This is expected to be
f62b091b1c81 mod_sasl2: Eventually return true from success handler
Matthew Wild <mwild1@gmail.com>
parents: 5020
diff changeset
180 -- a common pattern with SASL2, which allows atomic negotiation of a bunch of
f62b091b1c81 mod_sasl2: Eventually return true from success handler
Matthew Wild <mwild1@gmail.com>
parents: 5020
diff changeset
181 -- stream features.
f62b091b1c81 mod_sasl2: Eventually return true from success handler
Matthew Wild <mwild1@gmail.com>
parents: 5020
diff changeset
182 module:hook("sasl2/c2s/success", function (event) --luacheck: ignore 212/event
5063
53145c6b6b0b mod_sasl2: Clear sasl_handler on final success
Matthew Wild <mwild1@gmail.com>
parents: 5049
diff changeset
183 event.session.sasl_handler = nil;
5021
f62b091b1c81 mod_sasl2: Eventually return true from success handler
Matthew Wild <mwild1@gmail.com>
parents: 5020
diff changeset
184 return true;
f62b091b1c81 mod_sasl2: Eventually return true from success handler
Matthew Wild <mwild1@gmail.com>
parents: 5020
diff changeset
185 end, -2000);
f62b091b1c81 mod_sasl2: Eventually return true from success handler
Matthew Wild <mwild1@gmail.com>
parents: 5020
diff changeset
186
3905
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
187 local function process_cdata(session, cdata)
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
188 if cdata then
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
189 cdata = base64.decode(cdata);
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
190 if not cdata then
5025
fd154db7c8fc mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents: 5023
diff changeset
191 return handle_status(session, "failure", "incorrect-encoding");
3905
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
192 end
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
193 end
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
194 return handle_status(session, session.sasl_handler:process(cdata));
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
195 end
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
196
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
197 module:hook_tag(xmlns_sasl2, "authenticate", function (session, auth)
5088
e9cf361982d5 mod_sasl2: Honour (c2s_)require_encryption config option
Matthew Wild <mwild1@gmail.com>
parents: 5067
diff changeset
198 if secure_auth_only and not session.secure then
e9cf361982d5 mod_sasl2: Honour (c2s_)require_encryption config option
Matthew Wild <mwild1@gmail.com>
parents: 5067
diff changeset
199 return handle_status(session, "failure", "encryption-required");
e9cf361982d5 mod_sasl2: Honour (c2s_)require_encryption config option
Matthew Wild <mwild1@gmail.com>
parents: 5067
diff changeset
200 end
3905
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
201 local sasl_handler = session.sasl_handler;
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
202 if not sasl_handler then
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
203 sasl_handler = usermanager_get_sasl_handler(host, session);
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
204 session.sasl_handler = sasl_handler;
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
205 end
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
206 local mechanism = assert(auth.attr.mechanism);
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
207 if not sasl_handler:select(mechanism) then
5025
fd154db7c8fc mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents: 5023
diff changeset
208 return handle_status(session, "failure", "invalid-mechanism");
3905
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
209 end
5048
3697d19d5fd9 mod_sasl2: Store client id if provided
Matthew Wild <mwild1@gmail.com>
parents: 5044
diff changeset
210 local user_agent = auth:get_child("user-agent");
3697d19d5fd9 mod_sasl2: Store client id if provided
Matthew Wild <mwild1@gmail.com>
parents: 5044
diff changeset
211 if user_agent then
3697d19d5fd9 mod_sasl2: Store client id if provided
Matthew Wild <mwild1@gmail.com>
parents: 5044
diff changeset
212 session.client_id = user_agent.attr.id;
5261
6526b670e66d mod_sasl2: Pull user-agent info into sasl_handler for later reference
Matthew Wild <mwild1@gmail.com>
parents: 5249
diff changeset
213 sasl_handler.user_agent = {
6526b670e66d mod_sasl2: Pull user-agent info into sasl_handler for later reference
Matthew Wild <mwild1@gmail.com>
parents: 5249
diff changeset
214 software = user_agent:get_child_text("software");
6526b670e66d mod_sasl2: Pull user-agent info into sasl_handler for later reference
Matthew Wild <mwild1@gmail.com>
parents: 5249
diff changeset
215 device = user_agent:get_child_text("device");
6526b670e66d mod_sasl2: Pull user-agent info into sasl_handler for later reference
Matthew Wild <mwild1@gmail.com>
parents: 5249
diff changeset
216 };
5048
3697d19d5fd9 mod_sasl2: Store client id if provided
Matthew Wild <mwild1@gmail.com>
parents: 5044
diff changeset
217 end
3905
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
218 local initial = auth:get_child_text("initial-response");
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
219 return process_cdata(session, initial);
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
220 end);
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
221
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
222 module:hook_tag(xmlns_sasl2, "response", function (session, response)
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
223 local sasl_handler = session.sasl_handler;
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
224 if not sasl_handler or not sasl_handler.selected then
5025
fd154db7c8fc mod_sasl2: Fix handling of various failure/error cases
Matthew Wild <mwild1@gmail.com>
parents: 5023
diff changeset
225 return handle_status(session, "failure", "invalid-mechanism");
3905
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
226 end
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
227 return process_cdata(session, response:get_text());
5ae2e865eea0 mod_sasl2: Experimental implementation of XEP-0388
Kim Alvefur <zash@zash.se>
parents:
diff changeset
228 end);