Comparison

mod_client_management/mod_client_management.lua @ 5294:385346b6c81d

mod_client_management: New module for users to view/manage permitted clients This is just the data and API part.
author Matthew Wild <mwild1@gmail.com>
date Thu, 30 Mar 2023 11:32:50 +0100
child 5301:8ef197cccd74
comparison
equal deleted inserted replaced
5293:f60287bba62c 5294:385346b6c81d
1 local modulemanager = require "core.modulemanager";
2 local usermanager = require "core.usermanager";
3
4 local id = require "util.id";
5 local jid = require "util.jid";
6 local st = require "util.stanza";
7
8 local strict = module:get_option_boolean("enforce_client_ids", false);
9
10 local tokenauth = module:depends("tokenauth");
11 local mod_fast = module:depends("sasl2_fast");
12
13 local client_store = assert(module:open_store("clients", "keyval+"));
14 --[[{
15 id = id;
16 first_seen =
17 last_seen =
18 user_agent = {
19 name =
20 os =
21 }
22 --}]]
23
24 local xmlns_sasl2 = "urn:xmpp:sasl:2";
25
26 local function get_user_agent(sasl_handler, token_info)
27 local sasl_agent = sasl_handler and sasl_handler.user_agent;
28 local token_agent = token_info and token_info.data and token_info.data.oauth2_client;
29 if not (sasl_agent or token_agent) then return; end
30 return {
31 software = sasl_agent and sasl_agent.software or token_agent and token_agent.name or nil;
32 uri = token_agent and token_agent.uri or nil;
33 device = sasl_agent and sasl_agent.device or nil;
34 };
35 end
36
37 module:hook("sasl2/c2s/success", function (event)
38 local session = event.session;
39 local username, client_id = session.username, session.client_id;
40 local mechanism = session.sasl_handler.selected;
41 local token_info = session.sasl_handler.token_info;
42 local token_id = token_info and token_info.id or nil;
43
44 local now = os.time();
45 if client_id then -- SASL2, have client identifier
46 local is_new_client;
47
48 local client_state = client_store:get_key(username, client_id);
49 if not client_state then
50 is_new_client = true;
51 client_state = {
52 id = client_id;
53 first_seen = now;
54 user_agent = get_user_agent(session.sasl_handler, token_info);
55 full_jid = nil;
56 last_seen = nil;
57 mechanisms = {};
58 };
59 end
60 -- Update state
61 client_state.full_jid = session.full_jid;
62 client_state.last_seen = now;
63 client_state.mechanisms[mechanism] = now;
64 if session.sasl_handler.fast_auth then
65 client_state.fast_auth = now;
66 end
67 if token_id then
68 client_state.auth_token_id = token_id;
69 end
70 -- Store updated state
71 client_store:set_key(username, client_id, client_state);
72
73 if is_new_client then
74 module:fire_event("client_management/new-client", { client = client_state });
75 end
76 end
77 end);
78
79 local function find_client_by_resource(username, resource)
80 local full_jid = jid.join(username, module.host, resource);
81 local clients = client_store:get(username);
82 if not clients then return; end
83
84 for _, client_state in pairs(clients) do
85 if client_state.full_jid == full_jid then
86 return client_state;
87 end
88 end
89 end
90
91 module:hook("resource-bind", function (event)
92 local session = event.session;
93 if session.client_id then return; end
94 local is_new_client;
95 local client_state = find_client_by_resource(event.session.username, event.session.resource);
96 local now = os.time();
97 if not client_state then
98 is_new_client = true;
99 client_state = {
100 id = id.short();
101 first_seen = now;
102 user_agent = nil;
103 full_jid = nil;
104 last_seen = nil;
105 mechanisms = {};
106 legacy = true;
107 };
108 end
109
110 -- Update state
111 local legacy_info = session.client_management_info;
112 client_state.full_jid = session.full_jid;
113 client_state.last_seen = now;
114 client_state.mechanisms[legacy_info.mechanism] = now;
115 if legacy_info.fast_auth then
116 client_state.fast_auth = now;
117 end
118
119 local token_id = legacy_info.token_info and legacy_info.token_info.id;
120 if token_id then
121 client_state.auth_token_id = token_id;
122 end
123
124 -- Store updated state
125 client_store:set_key(session.username, client_state.id, client_state);
126
127 if is_new_client then
128 module:fire_event("client_management/new-client", { client = client_state });
129 end
130 end);
131
132 if strict then
133 module:hook_tag(xmlns_sasl2, "authenticate", function (session, auth)
134 local user_agent = auth:get_child("user-agent");
135 if not user_agent or not user_agent.attr.id then
136 local failure = st.stanza("failure", { xmlns = xmlns_sasl2 })
137 :tag("malformed-request", { xmlns = "urn:ietf:params:xml:ns:xmpp-sasl" }):up()
138 :text_tag("text", "Client identifier required but not supplied");
139 session.send(failure);
140 return true;
141 end
142 end, 500);
143
144 if modulemanager.get_modules_for_host(module.host):contains("saslauth") then
145 module:log("error", "mod_saslauth is enabled, but enforce_client_ids is enabled and will prevent it from working");
146 end
147
148 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function (event)
149 -- Block legacy SASL, if for some reason it is being used (either mod_saslauth is loaded,
150 -- or clients try it without advertisement)
151 module:log("warn", "Blocking legacy SASL authentication because enforce_client_ids is enabled");
152 local failure = st.stanza("failure", { xmlns = xmlns_sasl2 })
153 :tag("malformed-request", { xmlns = "urn:ietf:params:xml:ns:xmpp-sasl" }):up()
154 :text_tag("text", "Legacy SASL authentication is not available on this server");
155 event.session.send(failure);
156 return true;
157 end);
158 else
159 -- Legacy client compat code
160 module:hook("authentication-success", function (event)
161 local session = event.session;
162 if session.client_id then return; end -- SASL2 client
163
164 local sasl_handler = session.sasl_handler;
165 session.client_management_info = {
166 mechanism = sasl_handler.selected;
167 token_info = sasl_handler.token_info;
168 fast_auth = sasl_handler.fast_auth;
169 };
170 end);
171 end
172
173 local function is_password_mechanism(mech_name)
174 if mech_name == "OAUTHBEARER" then return false; end
175 if mech_name:match("^HT%-") then return false; end
176 return true;
177 end
178
179 local function is_client_active(client)
180 local username, host = jid.split(client.full_jid);
181 local account_info = usermanager.get_account_info(username, host);
182 local last_password_change = account_info and account_info.password_updated;
183
184 local status = {};
185
186 -- Check for an active token grant that has been previously used by this client
187 if client.auth_token_id then
188 local grant = tokenauth.get_grant_info(client.auth_token_id);
189 if grant then
190 status.active_grant = grant;
191 end
192 end
193
194 -- Check for active FAST tokens
195 if client.fast_auth then
196 if mod_fast.is_client_fast(username, client.id, last_password_change) then
197 status.active_fast = client.fast_auth;
198 end
199 end
200
201 -- Client has access if any password-based SASL mechanisms have been used since last password change
202 for mech, mech_last_used in pairs(client.mechanisms) do
203 if is_password_mechanism(mech) and mech_last_used >= last_password_change then
204 status.active_password = mech_last_used;
205 end
206 end
207
208 if prosody.full_sessions[client.full_jid] then
209 status.active_connected = true;
210 end
211
212 if next(status) == nil then
213 return nil;
214 end
215 return status;
216 end
217
218 -- Public API
219 --luacheck: ignore 131
220 function get_active_clients(username)
221 local clients = client_store:get(username);
222 local active_clients = {};
223 local used_grants = {};
224
225 -- Go through known clients, check whether they could possibly log in
226 for client_id, client in pairs(clients or {}) do --luacheck: ignore 213/client_id
227 local active = is_client_active(client);
228 if active then
229 client.type = "session";
230 client.active = active;
231 table.insert(active_clients, client);
232 if active.active_grant then
233 used_grants[active.active_grant.id] = true;
234 end
235 end
236 end
237
238 -- Next, account for any grants that have been issued, but never actually logged in
239 for grant_id, grant in pairs(tokenauth.get_user_grants(username) or {}) do
240 if not used_grants[grant_id] then -- exclude grants already accounted for
241 table.insert(active_clients, {
242 id = grant_id;
243 type = "access";
244 first_seen = grant.created;
245 last_seen = grant.accessed;
246 active = {
247 active_grant = grant;
248 };
249 user_agent = get_user_agent(nil, grant);
250 });
251 end
252 end
253
254 table.sort(active_clients, function (a, b)
255 if a.last_seen and b.last_seen then
256 return a.last_seen < b.last_seen;
257 elseif not (a.last_seen or b.last_seen) then
258 if a.first_seen and b.first_seen then
259 return a.first_seen < b.first_seen;
260 end
261 elseif b.last_seen then
262 return true;
263 elseif a.last_seen then
264 return false;
265 end
266 return a.id < b.id;
267 end);
268
269 return active_clients;
270 end