Software /
code /
prosody-modules
Comparison
mod_auth_ccert/mod_auth_ccert.lua @ 1065:3d04d9377a67
mod_auth_ccert: Prepare for supporting more ways to figure out the username
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Fri, 14 Jun 2013 20:10:33 +0200 |
parent | 1063:b2a4679e7d20 |
child | 1066:83175a6af8c5 |
comparison
equal
deleted
inserted
replaced
1064:5db8debb4531 | 1065:3d04d9377a67 |
---|---|
7 local new_sasl = require "util.sasl".new; | 7 local new_sasl = require "util.sasl".new; |
8 local log = module._log; | 8 local log = module._log; |
9 local subject_alternative_name = "2.5.29.17"; | 9 local subject_alternative_name = "2.5.29.17"; |
10 local id_on_xmppAddr = "1.3.6.1.5.5.7.8.5"; | 10 local id_on_xmppAddr = "1.3.6.1.5.5.7.8.5"; |
11 local now = os.time; | 11 local now = os.time; |
12 | |
13 local cert_match = module:get_option("certificate_match", "xmppaddr"); | |
14 | |
15 local username_extractor = {} | |
16 | |
17 function username_extractor.xmppaddr(cert) | |
18 local extensions = cert:extensions(); | |
19 local SANs = extensions[subject_alternative_name]; | |
20 local xmppAddrs = SANs and SANs[id_on_xmppAddr]; | |
21 | |
22 if not xmppAddrs then | |
23 (session.log or log)("warn", "Client certificate contains no xmppAddrs"); | |
24 return nil, false; | |
25 end | |
26 | |
27 for i=1,#xmppAddrs do | |
28 if authz == "" or jid_compare(authz, xmppAddrs[i]) then | |
29 (session.log or log)("debug", "xmppAddrs[%d] %q matches authz %q", i, xmppAddrs[i], authz) | |
30 local username, host = jid_split(xmppAddrs[i]); | |
31 if host == module.host then | |
32 return username, true | |
33 end | |
34 end | |
35 end | |
36 end | |
37 | |
38 local find_username = username_extractor[cert_match]; | |
39 if not find_username then | |
40 module:log("error", "certificate_match = %q is not supported"); | |
41 return | |
42 end | |
43 | |
12 | 44 |
13 function get_sasl_handler(session) | 45 function get_sasl_handler(session) |
14 return new_sasl(module.host, { | 46 return new_sasl(module.host, { |
15 external = session.secure and function(authz) | 47 external = session.secure and function(authz) |
16 if not session.secure then | 48 if not session.secure then |
37 (session.log or log)("warn", "%d: %s", i, table.concat(chain_errors, ", ")); | 69 (session.log or log)("warn", "%d: %s", i, table.concat(chain_errors, ", ")); |
38 end | 70 end |
39 return nil, false; | 71 return nil, false; |
40 end | 72 end |
41 | 73 |
42 local extensions = cert:extensions(); | 74 return find_username(cert); |
43 local SANs = extensions[subject_alternative_name]; | |
44 local xmppAddrs = SANs and SANs[id_on_xmppAddr]; | |
45 | |
46 if not xmppAddrs then | |
47 (session.log or log)("warn", "Client certificate contains no xmppAddrs"); | |
48 return nil, false; | |
49 end | |
50 | |
51 for i=1,#xmppAddrs do | |
52 if authz == "" or jid_compare(authz, xmppAddrs[i]) then | |
53 (session.log or log)("debug", "xmppAddrs[%d] %q matches authz %q", i, xmppAddrs[i], authz) | |
54 local username, host = jid_split(xmppAddrs[i]); | |
55 if host == module.host then | |
56 return username, true | |
57 end | |
58 end | |
59 end | |
60 end | 75 end |
61 }); | 76 }); |
62 end | 77 end |
63 | 78 |
64 module:provides "auth"; | 79 module:provides "auth"; |