prosody
26571a99f6e6
plugins/mod_saslauth.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Annotate

plugins/mod_saslauth.lua @ 3733:26571a99f6e6

core.s2smanager, mod_console, mod_saslauth, util.certverification: rename util.certverification to util.x509
author Kim Alvefur <zash@zash.se>
date Sun, 12 Dec 2010 02:03:32 +0100
parent 3651:337391d34b70
child 3961:94d9fb07c49c
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1523
841d61be198f Remove version number from copyright headers
Matthew Wild <mwild1@gmail.com>
parents: 1486
diff changeset
1 -- Prosody IM
2923
b7049746bd29 Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents: 2877
diff changeset
2 -- Copyright (C) 2008-2010 Matthew Wild
b7049746bd29 Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents: 2877
diff changeset
3 -- Copyright (C) 2008-2010 Waqas Hussain
519
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 449
diff changeset
4 --
758
b1885732e979 GPL->MIT!
Matthew Wild <mwild1@gmail.com>
parents: 724
diff changeset
5 -- This project is MIT/X11 licensed. Please see the
b1885732e979 GPL->MIT!
Matthew Wild <mwild1@gmail.com>
parents: 724
diff changeset
6 -- COPYING file in the source package for more information.
519
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 449
diff changeset
7 --
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 449
diff changeset
8
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 449
diff changeset
9
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
10
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
11 local st = require "util.stanza";
46
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
12 local sm_bind_resource = require "core.sessionmanager".bind_resource;
1042
a3d77353c18a mod_*: Fix a load of global accesses
Matthew Wild <mwild1@gmail.com>
parents: 938
diff changeset
13 local sm_make_authenticated = require "core.sessionmanager".make_authenticated;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
14 local s2s_make_authenticated = require "core.s2smanager".make_authenticated;
447
c0dae734d3bf Stopped using the lbase64 library
Waqas Hussain <waqas20@gmail.com>
parents: 438
diff changeset
15 local base64 = require "util.encodings".base64;
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
16
3733
26571a99f6e6 core.s2smanager, mod_console, mod_saslauth, util.certverification: rename util.certverification to util.x509
Kim Alvefur <zash@zash.se>
parents: 3651
diff changeset
17 local cert_verify_identity = require "util.x509".verify_identity;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
18
1721
1dcfb2c64302 Use NODEprep for prepping usernames used during SASL logins.
Tobias Markmann <tm@ayena.de>
parents: 1523
diff changeset
19 local nodeprep = require "util.encodings".stringprep.nodeprep;
3188
c690e3c5105c mod_saslauth: Updated to use usermanager.get_sasl_handler.
Waqas Hussain <waqas20@gmail.com>
parents: 3178
diff changeset
20 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler;
46
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
21 local t_concat, t_insert = table.concat, table.insert;
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
22 local tostring = tostring;
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
23
2415
eb383f58624b mod_saslauth: Use module:get_option()
Paul Aurich <paul@darkrain42.org>
parents: 2414
diff changeset
24 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption");
3385
192ffdaef491 mod_saslauth: A little cleanup for anonymous_login.
Waqas Hussain <waqas20@gmail.com>
parents: 3363
diff changeset
25 local anonymous_login = module:get_option("anonymous_login");
3417
53e854b52110 mod_saslauth: Check for unencrypted PLAIN auth in mod_saslauth instead of the SASL handler (makes it work for Cyrus SASL).
Waqas Hussain <waqas20@gmail.com>
parents: 3416
diff changeset
26 local allow_unencrypted_plain_auth = module:get_option("allow_unencrypted_plain_auth")
3066
5e5137057b5f mod_saslauth: Split out cyrus SASL config options into locals, and add support for cyrus_application_name (default: 'prosody')
Matthew Wild <mwild1@gmail.com>
parents: 3064
diff changeset
27
1071
216f9a9001f1 mod_saslauth: Use module logger instead of creating a new one
Matthew Wild <mwild1@gmail.com>
parents: 1042
diff changeset
28 local log = module._log;
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
29
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
30 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl';
46
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
31 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind';
d6b3f9dbb624 Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
32 local xmlns_stanzas ='urn:ietf:params:xml:ns:xmpp-stanzas';
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
33
3463
1644ab13a4ca mod_saslauth: Get rid of most Cyrus SASL related code (use authentication='cyrus' instead).
Waqas Hussain <waqas20@gmail.com>
parents: 3418
diff changeset
34 local new_sasl = require "util.sasl".new;
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
35
2450
03bb0e6d87d5 mod_saslauth: Made some variables local to avoid unnecessary global access.
Waqas Hussain <waqas20@gmail.com>
parents: 2418
diff changeset
36 local anonymous_authentication_profile = {
2193
8fbbdb11a520 Merge with sasl branch.
Tobias Markmann <tm@ayena.de>
parents: 2014 2179
diff changeset
37 anonymous = function(username, realm)
2450
03bb0e6d87d5 mod_saslauth: Made some variables local to avoid unnecessary global access.
Waqas Hussain <waqas20@gmail.com>
parents: 2418
diff changeset
38 return true; -- for normal usage you should always return true here
03bb0e6d87d5 mod_saslauth: Made some variables local to avoid unnecessary global access.
Waqas Hussain <waqas20@gmail.com>
parents: 2418
diff changeset
39 end
03bb0e6d87d5 mod_saslauth: Made some variables local to avoid unnecessary global access.
Waqas Hussain <waqas20@gmail.com>
parents: 2418
diff changeset
40 };
38
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
41
292
33175ad2f682 Started using realm in password hashing, and added support for error message replies from sasl
Waqas Hussain <waqas20@gmail.com>
parents: 291
diff changeset
42 local function build_reply(status, ret, err_msg)
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
43 local reply = st.stanza(status, {xmlns = xmlns_sasl});
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
44 if status == "challenge" then
2860
ad534f89c758 mod_saslauth: Don't print raw SASL data to avoid logging passwords unnecessarily
Matthew Wild <mwild1@gmail.com>
parents: 2014
diff changeset
45 --log("debug", "CHALLENGE: %s", ret or "");
293
b446de4e258e base64 encode the sasl responses
Waqas Hussain <waqas20@gmail.com>
parents: 292
diff changeset
46 reply:text(base64.encode(ret or ""));
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
47 elseif status == "failure" then
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
48 reply:tag(ret):up();
293
b446de4e258e base64 encode the sasl responses
Waqas Hussain <waqas20@gmail.com>
parents: 292
diff changeset
49 if err_msg then reply:tag("text"):text(err_msg); end
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
50 elseif status == "success" then
2860
ad534f89c758 mod_saslauth: Don't print raw SASL data to avoid logging passwords unnecessarily
Matthew Wild <mwild1@gmail.com>
parents: 2014
diff changeset
51 --log("debug", "SUCCESS: %s", ret or "");
293
b446de4e258e base64 encode the sasl responses
Waqas Hussain <waqas20@gmail.com>
parents: 292
diff changeset
52 reply:text(base64.encode(ret or ""));
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
53 else
1073
7c20373d4451 mod_saslauth: Remove 2 instances of raising errors and replacing with more graceful handling
Matthew Wild <mwild1@gmail.com>
parents: 1072
diff changeset
54 module:log("error", "Unknown sasl status: %s", status);
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
55 end
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
56 return reply;
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
57 end
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
58
3062
892c49869293 mod_saslauth: Add return value and error message to the Cyrus SASL handle_status callback
Matthew Wild <mwild1@gmail.com>
parents: 3061
diff changeset
59 local function handle_status(session, status, ret, err_msg)
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
60 if status == "failure" then
2251
18079ede5b62 mod_saslauth: Fix typo in variable name
Matthew Wild <mwild1@gmail.com>
parents: 2242
diff changeset
61 session.sasl_handler = session.sasl_handler:clean_clone();
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
62 elseif status == "success" then
1846
fdb43fc1bafc mod_saslauth: Prep username used for authenticating a session
Matthew Wild <mwild1@gmail.com>
parents: 1721
diff changeset
63 local username = nodeprep(session.sasl_handler.username);
3064
596303990c7c usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required)
Matthew Wild <mwild1@gmail.com>
parents: 3062
diff changeset
64
3468
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
65 local ok, err = sm_make_authenticated(session, session.sasl_handler.username);
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
66 if ok then
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
67 session.sasl_handler = nil;
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
68 session:reset_stream();
3064
596303990c7c usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required)
Matthew Wild <mwild1@gmail.com>
parents: 3062
diff changeset
69 else
3468
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
70 module:log("warn", "SASL succeeded but username was invalid");
3064
596303990c7c usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required)
Matthew Wild <mwild1@gmail.com>
parents: 3062
diff changeset
71 session.sasl_handler = session.sasl_handler:clean_clone();
3468
d50e2c937717 mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents: 3464
diff changeset
72 return "failure", "not-authorized", "User authenticated successfully, but username was invalid";
3064
596303990c7c usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required)
Matthew Wild <mwild1@gmail.com>
parents: 3062
diff changeset
73 end
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
74 end
3062
892c49869293 mod_saslauth: Add return value and error message to the Cyrus SASL handle_status callback
Matthew Wild <mwild1@gmail.com>
parents: 3061
diff changeset
75 return status, ret, err_msg;
281
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
76 end
826308c07627 mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents: 120
diff changeset
77
3551
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
78 local function sasl_process_cdata(session, stanza)
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
79 local text = stanza[1];
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
80 if text then
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
81 text = base64.decode(text);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
82 --log("debug", "AUTH: %s", text:gsub("[%z\001-\008\011\012\014-\031]", " "));
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
83 if not text then
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
84 session.sasl_handler = nil;
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
85 session.send(build_reply("failure", "incorrect-encoding"));
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
86 return true;
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
87 end
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
88 end
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
89 local status, ret, err_msg = session.sasl_handler:process(text);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
90 status, ret, err_msg = handle_status(session, status, ret, err_msg);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
91 local s = build_reply(status, ret, err_msg);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
92 log("debug", "sasl reply: %s", tostring(s));
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
93 session.send(s);
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
94 return true;
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
95 end
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
96
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
97 module:hook_stanza(xmlns_sasl, "success", function (session, stanza)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
98 if session.type ~= "s2sout_unauthed" or session.external_auth ~= "attempting" then return; end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
99 module:log("debug", "SASL EXTERNAL with %s succeeded", session.to_host);
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
100 session.external_auth = "succeeded"
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
101 session:reset_stream();
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
102
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
103 local default_stream_attr = {xmlns = "jabber:server", ["xmlns:stream"] = "http://etherx.jabber.org/streams",
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
104 ["xmlns:db"] = 'jabber:server:dialback', version = "1.0", to = session.to_host, from = session.from_host};
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
105 session.sends2s("<?xml version='1.0'?>");
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
106 session.sends2s(st.stanza("stream:stream", default_stream_attr):top_tag());
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
107
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
108 s2s_make_authenticated(session, session.to_host);
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
109 return true;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
110 end)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
111
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
112 module:hook_stanza(xmlns_sasl, "failure", function (session, stanza)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
113 if session.type ~= "s2sout_unauthed" or session.external_auth ~= "attempting" then return; end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
114
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
115 module:log("info", "SASL EXTERNAL with %s failed", session.to_host)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
116 -- TODO: Log the failure reason
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
117 session.external_auth = "failed"
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
118 end, 500)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
119
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
120 module:hook_stanza(xmlns_sasl, "failure", function (session, stanza)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
121 -- TODO: Dialback wasn't loaded. Do something useful.
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
122 end, 90)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
123
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
124 module:hook_stanza("http://etherx.jabber.org/streams", "features", function (session, stanza)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
125 if session.type ~= "s2sout_unauthed" or not session.secure then return; end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
126
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
127 local mechanisms = stanza:get_child("mechanisms", xmlns_sasl)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
128 if mechanisms then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
129 for mech in mechanisms:childtags() do
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
130 if mech[1] == "EXTERNAL" then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
131 module:log("debug", "Initiating SASL EXTERNAL with %s", session.to_host);
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
132 local reply = st.stanza("auth", {xmlns = xmlns_sasl, mechanism = "EXTERNAL"});
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
133 reply:text(base64.encode(session.from_host))
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
134 session.sends2s(reply)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
135 session.external_auth = "attempting"
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
136 return true
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
137 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
138 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
139 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
140 end, 150);
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
141
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
142 local function s2s_external_auth(session, stanza)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
143 local mechanism = stanza.attr.mechanism;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
144
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
145 if not session.secure then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
146 if mechanism == "EXTERNAL" then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
147 session.sends2s(build_reply("failure", "encryption-required"))
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
148 else
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
149 session.sends2s(build_reply("failure", "invalid-mechanism"))
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
150 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
151 return true;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
152 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
153
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
154 if mechanism ~= "EXTERNAL" or session.cert_chain_status ~= "valid" then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
155 session.sends2s(build_reply("failure", "invalid-mechanism"))
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
156 return true;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
157 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
158
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
159 local text = stanza[1]
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
160 if not text then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
161 session.sends2s(build_reply("failure", "malformed-request"))
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
162 return true
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
163 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
164
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
165 -- Either the value is "=" and we've already verified the external
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
166 -- cert identity, or the value is a string and either matches the
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
167 -- from_host (
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
168
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
169 text = base64.decode(text)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
170 if not text then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
171 session.sends2s(build_reply("failure", "incorrect-encoding"))
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
172 return true;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
173 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
174
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
175 if session.cert_identity_status == "valid" then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
176 if text ~= "" and text ~= session.from_host then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
177 session.sends2s(build_reply("failure", "invalid-authzid"))
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
178 return true
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
179 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
180 else
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
181 if text == "" then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
182 session.sends2s(build_reply("failure", "invalid-authzid"))
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
183 return true
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
184 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
185
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
186 local cert = session.conn:socket():getpeercertificate()
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
187 if (cert_verify_identity(text, "xmpp-server", cert)) then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
188 session.cert_identity_status = "valid"
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
189 else
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
190 session.cert_identity_status = "invalid"
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
191 session.sends2s(build_reply("failure", "invalid-authzid"))
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
192 return true
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
193 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
194 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
195
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
196 session.external_auth = "succeeded"
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
197
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
198 if not session.from_host then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
199 session.from_host = text;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
200 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
201 session.sends2s(build_reply("success"))
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
202 module:log("info", "Accepting SASL EXTERNAL identity from %s", text or session.from_host);
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
203 s2s_make_authenticated(session, text or session.from_host)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
204 session:reset_stream();
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
205 return true
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
206 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
207
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
208 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event)
3535
b953b0c0f203 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3524
diff changeset
209 local session, stanza = event.origin, event.stanza;
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
210 if session.type == "s2sin_unauthed" then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
211 return s2s_external_auth(session, stanza)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
212 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
213
3535
b953b0c0f203 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3524
diff changeset
214 if session.type ~= "c2s_unauthed" then return; end
b953b0c0f203 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3524
diff changeset
215
3553
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
216 if session.sasl_handler and session.sasl_handler.selected then
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
217 session.sasl_handler = nil; -- allow starting a new SASL negotiation before completing an old one
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
218 end
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
219 if not session.sasl_handler then
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
220 if anonymous_login then
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
221 session.sasl_handler = new_sasl(module.host, anonymous_authentication_profile);
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
222 else
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
223 session.sasl_handler = usermanager_get_sasl_handler(module.host);
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
224 end
1f0af8572f15 mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents: 3552
diff changeset
225 end
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
226 local mechanism = stanza.attr.mechanism;
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
227 if anonymous_login then
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
228 if mechanism ~= "ANONYMOUS" then
3535
b953b0c0f203 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3524
diff changeset
229 session.send(build_reply("failure", "invalid-mechanism"));
b953b0c0f203 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3524
diff changeset
230 return true;
935
efe3eaaeff34 Fixed: mod_saslauth: "anonymous_login" currently makes SASL ANONYMOUS an exclusive mechanism. Corrected advertised mechanisms and error replies.
Waqas Hussain <waqas20@gmail.com>
parents: 934
diff changeset
231 end
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
232 elseif mechanism == "ANONYMOUS" then
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
233 session.send(build_reply("failure", "mechanism-too-weak"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
234 return true;
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
235 end
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
236 if not session.secure and (secure_auth_only or (mechanism == "PLAIN" and not allow_unencrypted_plain_auth)) then
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
237 session.send(build_reply("failure", "encryption-required"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
238 return true;
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
239 end
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
240 local valid_mechanism = session.sasl_handler:select(mechanism);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
241 if not valid_mechanism then
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
242 session.send(build_reply("failure", "invalid-mechanism"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
243 return true;
295
bb078eb1f1de mod_saslauth: Code cleanup
Waqas Hussain <waqas20@gmail.com>
parents: 293
diff changeset
244 end
3551
4fba723ab235 mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents: 3548
diff changeset
245 return sasl_process_cdata(session, stanza);
3552
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
246 end);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
247 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:response", function(event)
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
248 local session = event.origin;
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
249 if not(session.sasl_handler and session.sasl_handler.selected) then
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
250 session.send(build_reply("failure", "not-authorized", "Out of order SASL element"));
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
251 return true;
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
252 end
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
253 return sasl_process_cdata(session, event.stanza);
8ad09efc19cc mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents: 3551
diff changeset
254 end);
3548
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
255 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:abort", function(event)
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
256 local session = event.origin;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
257 session.sasl_handler = nil;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
258 session.send(build_reply("failure", "aborted"));
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
259 return true;
cd8d1cacc65b mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents: 3535
diff changeset
260 end);
284
4f540755260c mod_saslauth: Added base64 decoding, encoding check, and cleaned the code up.
Waqas Hussain <waqas20@gmail.com>
parents: 281
diff changeset
261
357
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents: 313
diff changeset
262 local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' };
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents: 313
diff changeset
263 local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' };
17bcecb06420 Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents: 313
diff changeset
264 local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' };
2612
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
265 module:hook("stream-features", function(event)
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
266 local origin, features = event.origin, event.features;
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
267 if not origin.username then
475552b04151 mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 2451
diff changeset
268 if secure_auth_only and not origin.secure then
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
269 return;
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
270 end
3385
192ffdaef491 mod_saslauth: A little cleanup for anonymous_login.
Waqas Hussain <waqas20@gmail.com>
parents: 3363
diff changeset
271 if anonymous_login then
3391
8ac3f60af3c4 mod_saslauth: Got rid of undocumented and useless 'sasl_realm' config option (was only used for anonymous auth, and that didn't make sense).
Waqas Hussain <waqas20@gmail.com>
parents: 3386
diff changeset
272 origin.sasl_handler = new_sasl(module.host, anonymous_authentication_profile);
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
273 else
3188
c690e3c5105c mod_saslauth: Updated to use usermanager.get_sasl_handler.
Waqas Hussain <waqas20@gmail.com>
parents: 3178
diff changeset
274 origin.sasl_handler = usermanager_get_sasl_handler(module.host);
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
275 end
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
276 features:tag("mechanisms", mechanisms_attr);
3417
53e854b52110 mod_saslauth: Check for unencrypted PLAIN auth in mod_saslauth instead of the SASL handler (makes it work for Cyrus SASL).
Waqas Hussain <waqas20@gmail.com>
parents: 3416
diff changeset
277 for mechanism in pairs(origin.sasl_handler:mechanisms()) do
53e854b52110 mod_saslauth: Check for unencrypted PLAIN auth in mod_saslauth instead of the SASL handler (makes it work for Cyrus SASL).
Waqas Hussain <waqas20@gmail.com>
parents: 3416
diff changeset
278 if mechanism ~= "PLAIN" or origin.secure or allow_unencrypted_plain_auth then
53e854b52110 mod_saslauth: Check for unencrypted PLAIN auth in mod_saslauth instead of the SASL handler (makes it work for Cyrus SASL).
Waqas Hussain <waqas20@gmail.com>
parents: 3416
diff changeset
279 features:tag("mechanism"):text(mechanism):up();
53e854b52110 mod_saslauth: Check for unencrypted PLAIN auth in mod_saslauth instead of the SASL handler (makes it work for Cyrus SASL).
Waqas Hussain <waqas20@gmail.com>
parents: 3416
diff changeset
280 end
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
281 end
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
282 features:up();
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
283 else
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
284 features:tag("bind", bind_attr):tag("required"):up():up();
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
285 features:tag("session", xmpp_session_attr):tag("optional"):up():up();
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
286 end
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
287 end);
1584
ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents: 1523
diff changeset
288
3651
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
289 module:hook("s2s-stream-features", function(event)
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
290 local origin, features = event.origin, event.features;
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
291 if origin.secure and origin.type == "s2sin_unauthed" then
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
292 -- Offer EXTERNAL if chain is valid and either we didn't validate
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
293 -- the identity or it passed.
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
294 if origin.cert_chain_status == "valid" and origin.cert_identity_status ~= "invalid" then --TODO: Configurable
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
295 module:log("debug", "Offering SASL EXTERNAL")
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
296 features:tag("mechanisms", { xmlns = xmlns_sasl })
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
297 :tag("mechanism"):text("EXTERNAL")
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
298 :up():up();
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
299 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
300 end
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
301 end);
337391d34b70 s2s: SASL EXTERNAL
Paul Aurich <paul@darkrain42.org>
parents: 3553
diff changeset
302
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
303 module:hook("iq/self/urn:ietf:params:xml:ns:xmpp-bind:bind", function(event)
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
304 local origin, stanza = event.origin, event.stanza;
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
305 local resource;
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
306 if stanza.attr.type == "set" then
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
307 local bind = stanza.tags[1];
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
308 resource = bind:child_with_name("resource");
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
309 resource = resource and #resource.tags == 0 and resource[1] or nil;
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
310 end
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
311 local success, err_type, err, err_msg = sm_bind_resource(origin, resource);
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
312 if success then
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
313 origin.send(st.reply(stanza)
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
314 :tag("bind", { xmlns = xmlns_bind })
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
315 :tag("jid"):text(origin.full_jid));
3524
d206b4e0a9f3 mod_saslauth: Improved logging a bit.
Waqas Hussain <waqas20@gmail.com>
parents: 3523
diff changeset
316 origin.log("debug", "Resource bound: %s", origin.full_jid);
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
317 else
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
318 origin.send(st.error_reply(stanza, err_type, err, err_msg));
3524
d206b4e0a9f3 mod_saslauth: Improved logging a bit.
Waqas Hussain <waqas20@gmail.com>
parents: 3523
diff changeset
319 origin.log("debug", "Resource bind failed: %s", err_msg or err);
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
320 end
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
321 return true;
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
322 end);
1584
ffe8a9296e04 mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents: 1523
diff changeset
323
3523
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
324 module:hook("iq/self/urn:ietf:params:xml:ns:xmpp-session:session", function(event)
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
325 event.origin.send(st.reply(event.stanza));
32a0c3816d73 mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents: 3468
diff changeset
326 return true;
2451
d2f747920eaf mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents: 2450
diff changeset
327 end);