Software /
code /
prosody
Annotate
plugins/mod_saslauth.lua @ 10682:62ef68f95b6f 0.11
mod_mam,mod_muc_mam: Allow other work to be performed during archive cleanup (fixes #1504)
This lets Prosody handle socket related work between each step in the
cleanup in order to prevent the server from being completely blocked
during this.
An async storage backend would not need this but those are currently
rare.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Wed, 11 Mar 2020 21:15:01 +0100 |
parent | 8513:c6be9bbd0a1a |
child | 9738:f5aa6fdc935e |
child | 11212:1bfd238e05ad |
rev | line source |
---|---|
1523
841d61be198f
Remove version number from copyright headers
Matthew Wild <mwild1@gmail.com>
parents:
1486
diff
changeset
|
1 -- Prosody IM |
2923
b7049746bd29
Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents:
2877
diff
changeset
|
2 -- Copyright (C) 2008-2010 Matthew Wild |
b7049746bd29
Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents:
2877
diff
changeset
|
3 -- Copyright (C) 2008-2010 Waqas Hussain |
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5535
diff
changeset
|
4 -- |
758 | 5 -- This project is MIT/X11 licensed. Please see the |
6 -- COPYING file in the source package for more information. | |
519
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
449
diff
changeset
|
7 -- |
7899
2b3d0ab67f7d
mod_saslauth: Ignore shadowing of logger [luacheck]
Kim Alvefur <zash@zash.se>
parents:
7897
diff
changeset
|
8 -- luacheck: ignore 431/log |
519
cccd610a0ef9
Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents:
449
diff
changeset
|
9 |
38 | 10 |
11 local st = require "util.stanza"; | |
46
d6b3f9dbb624
Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents:
38
diff
changeset
|
12 local sm_bind_resource = require "core.sessionmanager".bind_resource; |
1042
a3d77353c18a
mod_*: Fix a load of global accesses
Matthew Wild <mwild1@gmail.com>
parents:
938
diff
changeset
|
13 local sm_make_authenticated = require "core.sessionmanager".make_authenticated; |
447
c0dae734d3bf
Stopped using the lbase64 library
Waqas Hussain <waqas20@gmail.com>
parents:
438
diff
changeset
|
14 local base64 = require "util.encodings".base64; |
38 | 15 |
3188
c690e3c5105c
mod_saslauth: Updated to use usermanager.get_sasl_handler.
Waqas Hussain <waqas20@gmail.com>
parents:
3178
diff
changeset
|
16 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler; |
38 | 17 local tostring = tostring; |
18 | |
6488
c91193b7e72c
mod_saslauth: Use type-specific config option getters
Kim Alvefur <zash@zash.se>
parents:
6487
diff
changeset
|
19 local secure_auth_only = module:get_option_boolean("c2s_require_encryption", module:get_option_boolean("require_encryption", false)); |
c91193b7e72c
mod_saslauth: Use type-specific config option getters
Kim Alvefur <zash@zash.se>
parents:
6487
diff
changeset
|
20 local allow_unencrypted_plain_auth = module:get_option_boolean("allow_unencrypted_plain_auth", false) |
6493
4e51b5e81bdd
mod_saslauth: Better name for config option
Kim Alvefur <zash@zash.se>
parents:
6492
diff
changeset
|
21 local insecure_mechanisms = module:get_option_set("insecure_sasl_mechanisms", allow_unencrypted_plain_auth and {} or {"PLAIN", "LOGIN"}); |
7298
7056bbaf81ee
mod_saslauth: Disable DIGEST-MD5 by default (closes #515)
Kim Alvefur <zash@zash.se>
parents:
6519
diff
changeset
|
22 local disabled_mechanisms = module:get_option_set("disable_sasl_mechanisms", { "DIGEST-MD5" }); |
3066
5e5137057b5f
mod_saslauth: Split out cyrus SASL config options into locals, and add support for cyrus_application_name (default: 'prosody')
Matthew Wild <mwild1@gmail.com>
parents:
3064
diff
changeset
|
23 |
1071
216f9a9001f1
mod_saslauth: Use module logger instead of creating a new one
Matthew Wild <mwild1@gmail.com>
parents:
1042
diff
changeset
|
24 local log = module._log; |
38 | 25 |
26 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl'; | |
46
d6b3f9dbb624
Resource binding, XMPP sessions (whatever they're for...)
Matthew Wild <mwild1@gmail.com>
parents:
38
diff
changeset
|
27 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind'; |
38 | 28 |
292
33175ad2f682
Started using realm in password hashing, and added support for error message replies from sasl
Waqas Hussain <waqas20@gmail.com>
parents:
291
diff
changeset
|
29 local function build_reply(status, ret, err_msg) |
281
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
30 local reply = st.stanza(status, {xmlns = xmlns_sasl}); |
6427
7653bbd5247e
mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents:
6425
diff
changeset
|
31 if status == "failure" then |
281
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
32 reply:tag(ret):up(); |
293
b446de4e258e
base64 encode the sasl responses
Waqas Hussain <waqas20@gmail.com>
parents:
292
diff
changeset
|
33 if err_msg then reply:tag("text"):text(err_msg); end |
6427
7653bbd5247e
mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents:
6425
diff
changeset
|
34 elseif status == "challenge" or status == "success" then |
7653bbd5247e
mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents:
6425
diff
changeset
|
35 if ret == "" then |
7653bbd5247e
mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents:
6425
diff
changeset
|
36 reply:text("=") |
7653bbd5247e
mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents:
6425
diff
changeset
|
37 elseif ret then |
7653bbd5247e
mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents:
6425
diff
changeset
|
38 reply:text(base64.encode(ret)); |
7653bbd5247e
mod_saslauth: Fix encoding of missing vs empty SASL reply messages
Kim Alvefur <zash@zash.se>
parents:
6425
diff
changeset
|
39 end |
281
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
40 else |
1073
7c20373d4451
mod_saslauth: Remove 2 instances of raising errors and replacing with more graceful handling
Matthew Wild <mwild1@gmail.com>
parents:
1072
diff
changeset
|
41 module:log("error", "Unknown sasl status: %s", status); |
281
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
42 end |
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
43 return reply; |
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
44 end |
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
45 |
3062
892c49869293
mod_saslauth: Add return value and error message to the Cyrus SASL handle_status callback
Matthew Wild <mwild1@gmail.com>
parents:
3061
diff
changeset
|
46 local function handle_status(session, status, ret, err_msg) |
281
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
47 if status == "failure" then |
4361
605045b77bc6
mod_saslauth: Fire authentication-success and authentication-failure events (thanks scitor)
Matthew Wild <mwild1@gmail.com>
parents:
4078
diff
changeset
|
48 module:fire_event("authentication-failure", { session = session, condition = ret, text = err_msg }); |
2251
18079ede5b62
mod_saslauth: Fix typo in variable name
Matthew Wild <mwild1@gmail.com>
parents:
2242
diff
changeset
|
49 session.sasl_handler = session.sasl_handler:clean_clone(); |
281
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
50 elseif status == "success" then |
3468
d50e2c937717
mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents:
3464
diff
changeset
|
51 local ok, err = sm_make_authenticated(session, session.sasl_handler.username); |
d50e2c937717
mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents:
3464
diff
changeset
|
52 if ok then |
4504
55b61221ecb8
mod_saslauth: Move authentication-success event to after session has been made authenticated.
Kim Alvefur <zash@zash.se>
parents:
4492
diff
changeset
|
53 module:fire_event("authentication-success", { session = session }); |
3468
d50e2c937717
mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents:
3464
diff
changeset
|
54 session.sasl_handler = nil; |
d50e2c937717
mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents:
3464
diff
changeset
|
55 session:reset_stream(); |
3064
596303990c7c
usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required)
Matthew Wild <mwild1@gmail.com>
parents:
3062
diff
changeset
|
56 else |
3468
d50e2c937717
mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents:
3464
diff
changeset
|
57 module:log("warn", "SASL succeeded but username was invalid"); |
4505
b1e10c327d66
mod_saslauth: Fire authentication-failure if make_authenticated() failed.
Kim Alvefur <zash@zash.se>
parents:
4504
diff
changeset
|
58 module:fire_event("authentication-failure", { session = session, condition = "not-authorized", text = err }); |
3064
596303990c7c
usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required)
Matthew Wild <mwild1@gmail.com>
parents:
3062
diff
changeset
|
59 session.sasl_handler = session.sasl_handler:clean_clone(); |
3468
d50e2c937717
mod_saslauth, mod_auth_cyrus, util.sasl_cyrus: Moved cyrus account provisioning check out of mod_saslauth.
Waqas Hussain <waqas20@gmail.com>
parents:
3464
diff
changeset
|
60 return "failure", "not-authorized", "User authenticated successfully, but username was invalid"; |
3064
596303990c7c
usermanager, mod_saslauth: Make account provisioning for Cyrus SASL optional (default: not required)
Matthew Wild <mwild1@gmail.com>
parents:
3062
diff
changeset
|
61 end |
281
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
62 end |
3062
892c49869293
mod_saslauth: Add return value and error message to the Cyrus SASL handle_status callback
Matthew Wild <mwild1@gmail.com>
parents:
3061
diff
changeset
|
63 return status, ret, err_msg; |
281
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
64 end |
826308c07627
mod_saslauth updated for digest-md5
Waqas Hussain <waqas20@gmail.com>
parents:
120
diff
changeset
|
65 |
3551
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
66 local function sasl_process_cdata(session, stanza) |
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
67 local text = stanza[1]; |
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
68 if text then |
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
69 text = base64.decode(text); |
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
70 --log("debug", "AUTH: %s", text:gsub("[%z\001-\008\011\012\014-\031]", " ")); |
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
71 if not text then |
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
72 session.sasl_handler = nil; |
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
73 session.send(build_reply("failure", "incorrect-encoding")); |
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
74 return true; |
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
75 end |
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
76 end |
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
77 local status, ret, err_msg = session.sasl_handler:process(text); |
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
78 status, ret, err_msg = handle_status(session, status, ret, err_msg); |
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
79 local s = build_reply(status, ret, err_msg); |
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
80 log("debug", "sasl reply: %s", tostring(s)); |
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
81 session.send(s); |
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
82 return true; |
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
83 end |
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
84 |
8042
5d5afaafac0f
mod_saslauth: Remove unused argument [luacheck]
Kim Alvefur <zash@zash.se>
parents:
7962
diff
changeset
|
85 module:hook_tag(xmlns_sasl, "success", function (session) |
3651 | 86 if session.type ~= "s2sout_unauthed" or session.external_auth ~= "attempting" then return; end |
87 module:log("debug", "SASL EXTERNAL with %s succeeded", session.to_host); | |
88 session.external_auth = "succeeded" | |
89 session:reset_stream(); | |
5535
0df0afc041d7
mod_saslauth, mod_compression: Fix some cases where open_stream() was not being passed to/from (see df3c78221f26 and issue #338)
Matthew Wild <mwild1@gmail.com>
parents:
5362
diff
changeset
|
90 session:open_stream(session.from_host, session.to_host); |
3651 | 91 |
5362
612467e263af
s2smanager, mod_s2s, mod_dialback, mod_saslauth: Move s2smanager.make_authenticated() to mod_s2s, and plugins now signal authentication via the s2s-authenticated event
Matthew Wild <mwild1@gmail.com>
parents:
5351
diff
changeset
|
92 module:fire_event("s2s-authenticated", { session = session, host = session.to_host }); |
3651 | 93 return true; |
94 end) | |
95 | |
7960
9a938b785bc5
mod_saslauth: Switch to hook_tag from hook_stanza which was renamed in 2087d42f1e77
Kim Alvefur <zash@zash.se>
parents:
7940
diff
changeset
|
96 module:hook_tag(xmlns_sasl, "failure", function (session, stanza) |
3651 | 97 if session.type ~= "s2sout_unauthed" or session.external_auth ~= "attempting" then return; end |
98 | |
7939
6940d6db970b
mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents:
6033
diff
changeset
|
99 local text = stanza:get_child_text("text"); |
6940d6db970b
mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents:
6033
diff
changeset
|
100 local condition = "unknown-condition"; |
6940d6db970b
mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents:
6033
diff
changeset
|
101 for child in stanza:childtags() do |
6940d6db970b
mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents:
6033
diff
changeset
|
102 if child.name ~= "text" then |
6940d6db970b
mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents:
6033
diff
changeset
|
103 condition = child.name; |
6940d6db970b
mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents:
6033
diff
changeset
|
104 break; |
6940d6db970b
mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents:
6033
diff
changeset
|
105 end |
6940d6db970b
mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents:
6033
diff
changeset
|
106 end |
6940d6db970b
mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents:
6033
diff
changeset
|
107 if text and condition then |
8222
67a9d2de2300
mod_saslauth: Use correct varible name (thanks Roi)
Kim Alvefur <zash@zash.se>
parents:
7939
diff
changeset
|
108 condition = condition .. ": " .. text; |
7939
6940d6db970b
mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents:
6033
diff
changeset
|
109 end |
6940d6db970b
mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents:
6033
diff
changeset
|
110 module:log("info", "SASL EXTERNAL with %s failed: %s", session.to_host, condition); |
6940d6db970b
mod_saslauth: Log SASL failure reason
Kim Alvefur <zash@zash.se>
parents:
6033
diff
changeset
|
111 |
3651 | 112 session.external_auth = "failed" |
8511
dd7b8888636e
mod_saslauth: Pass SASL EXTERNAL failure reason on to be used in error bounces
Kim Alvefur <zash@zash.se>
parents:
8510
diff
changeset
|
113 session.external_auth_failure_reason = condition; |
3651 | 114 end, 500) |
115 | |
8513
c6be9bbd0a1a
mod_saslauth: Ignore unused argument [luacheck]
Kim Alvefur <zash@zash.se>
parents:
8512
diff
changeset
|
116 module:hook_tag(xmlns_sasl, "failure", function (session, stanza) -- luacheck: ignore 212/stanza |
8510
149e98f88680
mod_saslauth: Close connection if no fallback kicks in on SASL EXTERNAL failure
Kim Alvefur <zash@zash.se>
parents:
8509
diff
changeset
|
117 session.log("debug", "No fallback from SASL EXTERNAL failure, giving up"); |
8511
dd7b8888636e
mod_saslauth: Pass SASL EXTERNAL failure reason on to be used in error bounces
Kim Alvefur <zash@zash.se>
parents:
8510
diff
changeset
|
118 session:close(nil, session.external_auth_failure_reason); |
8510
149e98f88680
mod_saslauth: Close connection if no fallback kicks in on SASL EXTERNAL failure
Kim Alvefur <zash@zash.se>
parents:
8509
diff
changeset
|
119 return true; |
8509
e1d274001855
Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents:
8479
diff
changeset
|
120 end, 90) |
e1d274001855
Backed out changeset 89c42aff8510: The problem in ejabberd has reportedly been resolved and this change causes more problems than it solves (fixes #1006)
Kim Alvefur <zash@zash.se>
parents:
8479
diff
changeset
|
121 |
7960
9a938b785bc5
mod_saslauth: Switch to hook_tag from hook_stanza which was renamed in 2087d42f1e77
Kim Alvefur <zash@zash.se>
parents:
7940
diff
changeset
|
122 module:hook_tag("http://etherx.jabber.org/streams", "features", function (session, stanza) |
3651 | 123 if session.type ~= "s2sout_unauthed" or not session.secure then return; end |
124 | |
125 local mechanisms = stanza:get_child("mechanisms", xmlns_sasl) | |
126 if mechanisms then | |
127 for mech in mechanisms:childtags() do | |
128 if mech[1] == "EXTERNAL" then | |
129 module:log("debug", "Initiating SASL EXTERNAL with %s", session.to_host); | |
130 local reply = st.stanza("auth", {xmlns = xmlns_sasl, mechanism = "EXTERNAL"}); | |
131 reply:text(base64.encode(session.from_host)) | |
132 session.sends2s(reply) | |
133 session.external_auth = "attempting" | |
134 return true | |
135 end | |
136 end | |
137 end | |
138 end, 150); | |
139 | |
140 local function s2s_external_auth(session, stanza) | |
6425
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
141 if session.external_auth ~= "offered" then return end -- Unexpected request |
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
142 |
3651 | 143 local mechanism = stanza.attr.mechanism; |
144 | |
6425
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
145 if mechanism ~= "EXTERNAL" then |
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
146 session.sends2s(build_reply("failure", "invalid-mechanism")); |
3651 | 147 return true; |
148 end | |
149 | |
6425
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
150 if not session.secure then |
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
151 session.sends2s(build_reply("failure", "encryption-required")); |
3651 | 152 return true; |
153 end | |
154 | |
6425
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
155 local text = stanza[1]; |
3651 | 156 if not text then |
6425
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
157 session.sends2s(build_reply("failure", "malformed-request")); |
3651 | 158 return true; |
159 end | |
160 | |
6425
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
161 text = base64.decode(text); |
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
162 if not text then |
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
163 session.sends2s(build_reply("failure", "incorrect-encoding")); |
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
164 return true; |
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
165 end |
3651 | 166 |
6425
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
167 -- The text value is either "" or equals session.from_host |
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
168 if not ( text == "" or text == session.from_host ) then |
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
169 session.sends2s(build_reply("failure", "invalid-authzid")); |
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
170 return true; |
3651 | 171 end |
172 | |
6425
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
173 -- We've already verified the external cert identity before offering EXTERNAL |
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
174 if session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid" then |
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
175 session.sends2s(build_reply("failure", "not-authorized")); |
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
176 session:close(); |
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
177 return true; |
3651 | 178 end |
4492
0a4781f165e3
mod_saslauth: "" ~= nil (thanks, Zash!)
Paul Aurich <paul@darkrain42.org>
parents:
4395
diff
changeset
|
179 |
6425
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
180 -- Success! |
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
181 session.external_auth = "succeeded"; |
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
182 session.sends2s(build_reply("success")); |
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
183 module:log("info", "Accepting SASL EXTERNAL identity from %s", session.from_host); |
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
184 module:fire_event("s2s-authenticated", { session = session, host = session.from_host }); |
3651 | 185 session:reset_stream(); |
6425
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
186 return true; |
3651 | 187 end |
188 | |
3552
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
189 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event) |
3535
b953b0c0f203
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3524
diff
changeset
|
190 local session, stanza = event.origin, event.stanza; |
3651 | 191 if session.type == "s2sin_unauthed" then |
192 return s2s_external_auth(session, stanza) | |
193 end | |
194 | |
6033
0d6f23049e95
mod_saslauth: Only do c2s SASL on normal VirtualHosts
Kim Alvefur <zash@zash.se>
parents:
5535
diff
changeset
|
195 if session.type ~= "c2s_unauthed" or module:get_host_type() ~= "local" then return; end |
3535
b953b0c0f203
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3524
diff
changeset
|
196 |
3553
1f0af8572f15
mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents:
3552
diff
changeset
|
197 if session.sasl_handler and session.sasl_handler.selected then |
1f0af8572f15
mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents:
3552
diff
changeset
|
198 session.sasl_handler = nil; -- allow starting a new SASL negotiation before completing an old one |
1f0af8572f15
mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents:
3552
diff
changeset
|
199 end |
1f0af8572f15
mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents:
3552
diff
changeset
|
200 if not session.sasl_handler then |
4939
0545a574667b
mod_saslauth: Pass session to usermanager.get_sasl_handler()
Matthew Wild <mwild1@gmail.com>
parents:
4754
diff
changeset
|
201 session.sasl_handler = usermanager_get_sasl_handler(module.host, session); |
3553
1f0af8572f15
mod_saslauth: Allow restarting SASL negotiation from scratch.
Waqas Hussain <waqas20@gmail.com>
parents:
3552
diff
changeset
|
202 end |
3552
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
203 local mechanism = stanza.attr.mechanism; |
6490
8ad74f48b2aa
mod_saslauth: Use a configurable set of mechanisms to not allow over unencrypted connections
Kim Alvefur <zash@zash.se>
parents:
6489
diff
changeset
|
204 if not session.secure and (secure_auth_only or insecure_mechanisms:contains(mechanism)) then |
3552
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
205 session.send(build_reply("failure", "encryption-required")); |
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
206 return true; |
6492
0d07fdc07d8c
mod_saslauth: Make it possible to disable certain mechanisms
Kim Alvefur <zash@zash.se>
parents:
6491
diff
changeset
|
207 elseif disabled_mechanisms:contains(mechanism) then |
0d07fdc07d8c
mod_saslauth: Make it possible to disable certain mechanisms
Kim Alvefur <zash@zash.se>
parents:
6491
diff
changeset
|
208 session.send(build_reply("failure", "invalid-mechanism")); |
0d07fdc07d8c
mod_saslauth: Make it possible to disable certain mechanisms
Kim Alvefur <zash@zash.se>
parents:
6491
diff
changeset
|
209 return true; |
3552
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
210 end |
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
211 local valid_mechanism = session.sasl_handler:select(mechanism); |
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
212 if not valid_mechanism then |
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
213 session.send(build_reply("failure", "invalid-mechanism")); |
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
214 return true; |
295
bb078eb1f1de
mod_saslauth: Code cleanup
Waqas Hussain <waqas20@gmail.com>
parents:
293
diff
changeset
|
215 end |
3551
4fba723ab235
mod_saslauth: Moved SASL mechanism selection and CDATA handling into separate functions.
Waqas Hussain <waqas20@gmail.com>
parents:
3548
diff
changeset
|
216 return sasl_process_cdata(session, stanza); |
3552
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
217 end); |
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
218 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:response", function(event) |
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
219 local session = event.origin; |
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
220 if not(session.sasl_handler and session.sasl_handler.selected) then |
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
221 session.send(build_reply("failure", "not-authorized", "Out of order SASL element")); |
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
222 return true; |
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
223 end |
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
224 return sasl_process_cdata(session, event.stanza); |
8ad09efc19cc
mod_saslauth: Separated processing of <auth/> and <response/> elements, and return proper error on out-of-order <response/> elements.
Waqas Hussain <waqas20@gmail.com>
parents:
3551
diff
changeset
|
225 end); |
3548
cd8d1cacc65b
mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents:
3535
diff
changeset
|
226 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:abort", function(event) |
cd8d1cacc65b
mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents:
3535
diff
changeset
|
227 local session = event.origin; |
cd8d1cacc65b
mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents:
3535
diff
changeset
|
228 session.sasl_handler = nil; |
cd8d1cacc65b
mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents:
3535
diff
changeset
|
229 session.send(build_reply("failure", "aborted")); |
cd8d1cacc65b
mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents:
3535
diff
changeset
|
230 return true; |
cd8d1cacc65b
mod_saslauth: Handle SASL <abort/> properly.
Waqas Hussain <waqas20@gmail.com>
parents:
3535
diff
changeset
|
231 end); |
284
4f540755260c
mod_saslauth: Added base64 decoding, encoding check, and cleaned the code up.
Waqas Hussain <waqas20@gmail.com>
parents:
281
diff
changeset
|
232 |
6518
c0d221b0c94c
mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents:
6517
diff
changeset
|
233 local function tls_unique(self) |
6519
367db22cf7d2
mod_saslauth: Make it easier to support multiple channel binding methonds
Kim Alvefur <zash@zash.se>
parents:
6518
diff
changeset
|
234 return self.userdata["tls-unique"]:getpeerfinished(); |
6518
c0d221b0c94c
mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents:
6517
diff
changeset
|
235 end |
c0d221b0c94c
mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents:
6517
diff
changeset
|
236 |
357
17bcecb06420
Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents:
313
diff
changeset
|
237 local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' }; |
17bcecb06420
Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents:
313
diff
changeset
|
238 local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' }; |
17bcecb06420
Use a stanza for c2s stream features instead of an array of strings. Removes a FIXME.
Matthew Wild <mwild1@gmail.com>
parents:
313
diff
changeset
|
239 local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' }; |
2612
475552b04151
mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2451
diff
changeset
|
240 module:hook("stream-features", function(event) |
475552b04151
mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2451
diff
changeset
|
241 local origin, features = event.origin, event.features; |
7896
1a2674123c1c
mod_saslauth: Cache logger in local for less typing
Kim Alvefur <zash@zash.se>
parents:
7784
diff
changeset
|
242 local log = origin.log or log; |
2612
475552b04151
mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2451
diff
changeset
|
243 if not origin.username then |
475552b04151
mod_saslauth: Hook stream-features event using new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
2451
diff
changeset
|
244 if secure_auth_only and not origin.secure then |
7897
08bde6a6fd56
mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents:
7896
diff
changeset
|
245 log("debug", "Not offering authentication on insecure connection"); |
2451
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
246 return; |
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
247 end |
6517
e733e98a348a
mod_saslauth: Keep sasl_handler in a local variable
Kim Alvefur <zash@zash.se>
parents:
6493
diff
changeset
|
248 local sasl_handler = usermanager_get_sasl_handler(module.host, origin) |
e733e98a348a
mod_saslauth: Keep sasl_handler in a local variable
Kim Alvefur <zash@zash.se>
parents:
6493
diff
changeset
|
249 origin.sasl_handler = sasl_handler; |
5860
87e2fafba5df
mod_saslauth: Collect data for channel binding only if we know for sure that the stream is encrypted
Kim Alvefur <zash@zash.se>
parents:
5843
diff
changeset
|
250 if origin.encrypted then |
5838
a2659baf8332
mod_saslauth: Check whether LuaSec supports getpeerfinished() binding.
Tobias Markmann <tm@ayena.de>
parents:
5834
diff
changeset
|
251 -- check wether LuaSec has the nifty binding to the function needed for tls-unique |
a2659baf8332
mod_saslauth: Check whether LuaSec supports getpeerfinished() binding.
Tobias Markmann <tm@ayena.de>
parents:
5834
diff
changeset
|
252 -- FIXME: would be nice to have this check only once and not for every socket |
6518
c0d221b0c94c
mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents:
6517
diff
changeset
|
253 if sasl_handler.add_cb_handler then |
c0d221b0c94c
mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents:
6517
diff
changeset
|
254 local socket = origin.conn:socket(); |
c0d221b0c94c
mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents:
6517
diff
changeset
|
255 if socket.getpeerfinished then |
c0d221b0c94c
mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents:
6517
diff
changeset
|
256 sasl_handler:add_cb_handler("tls-unique", tls_unique); |
c0d221b0c94c
mod_saslauth: Break out tls-unique channel binding callback so it is instantiated once
Kim Alvefur <zash@zash.se>
parents:
6517
diff
changeset
|
257 end |
6519
367db22cf7d2
mod_saslauth: Make it easier to support multiple channel binding methonds
Kim Alvefur <zash@zash.se>
parents:
6518
diff
changeset
|
258 sasl_handler["userdata"] = { |
367db22cf7d2
mod_saslauth: Make it easier to support multiple channel binding methonds
Kim Alvefur <zash@zash.se>
parents:
6518
diff
changeset
|
259 ["tls-unique"] = socket; |
367db22cf7d2
mod_saslauth: Make it easier to support multiple channel binding methonds
Kim Alvefur <zash@zash.se>
parents:
6518
diff
changeset
|
260 }; |
5838
a2659baf8332
mod_saslauth: Check whether LuaSec supports getpeerfinished() binding.
Tobias Markmann <tm@ayena.de>
parents:
5834
diff
changeset
|
261 end |
5832
7d100d917243
mod_saslauth: Set secure socket as SASL object user data for secure sessions.
Tobias Markmann <tm@ayena.de>
parents:
3983
diff
changeset
|
262 end |
4395
d322c4553f97
mod_saslauth: Never send empty <mechanisms/>, for real this time.
Waqas Hussain <waqas20@gmail.com>
parents:
4392
diff
changeset
|
263 local mechanisms = st.stanza("mechanisms", mechanisms_attr); |
7897
08bde6a6fd56
mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents:
7896
diff
changeset
|
264 local sasl_mechanisms = sasl_handler:mechanisms() |
08bde6a6fd56
mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents:
7896
diff
changeset
|
265 for mechanism in pairs(sasl_mechanisms) do |
08bde6a6fd56
mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents:
7896
diff
changeset
|
266 if disabled_mechanisms:contains(mechanism) then |
08bde6a6fd56
mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents:
7896
diff
changeset
|
267 log("debug", "Not offering disabled mechanism %s", mechanism); |
08bde6a6fd56
mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents:
7896
diff
changeset
|
268 elseif not origin.secure and insecure_mechanisms:contains(mechanism) then |
08bde6a6fd56
mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents:
7896
diff
changeset
|
269 log("debug", "Not offering mechanism %s on insecure connection", mechanism); |
08bde6a6fd56
mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents:
7896
diff
changeset
|
270 else |
8479
867679b0fb03
mod_saslauth: Log which mechanisms are offered
Kim Alvefur <zash@zash.se>
parents:
8234
diff
changeset
|
271 log("debug", "Offering mechanism %s", mechanism); |
4395
d322c4553f97
mod_saslauth: Never send empty <mechanisms/>, for real this time.
Waqas Hussain <waqas20@gmail.com>
parents:
4392
diff
changeset
|
272 mechanisms:tag("mechanism"):text(mechanism):up(); |
3417
53e854b52110
mod_saslauth: Check for unencrypted PLAIN auth in mod_saslauth instead of the SASL handler (makes it work for Cyrus SASL).
Waqas Hussain <waqas20@gmail.com>
parents:
3416
diff
changeset
|
273 end |
2451
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
274 end |
6489
1f07c72112d2
mod_saslauth: Log warning if no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents:
6488
diff
changeset
|
275 if mechanisms[1] then |
1f07c72112d2
mod_saslauth: Log warning if no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents:
6488
diff
changeset
|
276 features:add_child(mechanisms); |
7897
08bde6a6fd56
mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents:
7896
diff
changeset
|
277 elseif not next(sasl_mechanisms) then |
08bde6a6fd56
mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents:
7896
diff
changeset
|
278 log("warn", "No available SASL mechanisms, verify that the configured authentication module is working"); |
6489
1f07c72112d2
mod_saslauth: Log warning if no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents:
6488
diff
changeset
|
279 else |
7897
08bde6a6fd56
mod_saslauth: Improve logging as to why when SASL is not offered
Kim Alvefur <zash@zash.se>
parents:
7896
diff
changeset
|
280 log("warn", "All available authentication mechanisms are either disabled or not suitable for an insecure connection"); |
6489
1f07c72112d2
mod_saslauth: Log warning if no SASL mechanisms were offered
Kim Alvefur <zash@zash.se>
parents:
6488
diff
changeset
|
281 end |
2451
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
282 else |
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
283 features:tag("bind", bind_attr):tag("required"):up():up(); |
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
284 features:tag("session", xmpp_session_attr):tag("optional"):up():up(); |
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
285 end |
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
286 end); |
1584
ffe8a9296e04
mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents:
1523
diff
changeset
|
287 |
3651 | 288 module:hook("s2s-stream-features", function(event) |
289 local origin, features = event.origin, event.features; | |
290 if origin.secure and origin.type == "s2sin_unauthed" then | |
6425
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
291 -- Offer EXTERNAL only if both chain and identity is valid. |
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
292 if origin.cert_chain_status == "valid" and origin.cert_identity_status == "valid" then |
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
293 module:log("debug", "Offering SASL EXTERNAL"); |
436a670a0189
mod_saslauth: Stricter SASL EXTERNAL handling more in line with XEP-0178
Kim Alvefur <zash@zash.se>
parents:
6424
diff
changeset
|
294 origin.external_auth = "offered" |
3651 | 295 features:tag("mechanisms", { xmlns = xmlns_sasl }) |
296 :tag("mechanism"):text("EXTERNAL") | |
297 :up():up(); | |
298 end | |
299 end | |
300 end); | |
301 | |
7784
9f70d35a1602
core.sessionmanager, mod_saslauth: Introduce intermediate session type for authenticated but unbound sessions so that resource binding is not treated as a normal stanza
Kim Alvefur <zash@zash.se>
parents:
7298
diff
changeset
|
302 module:hook("stanza/iq/urn:ietf:params:xml:ns:xmpp-bind:bind", function(event) |
3523
32a0c3816d73
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
303 local origin, stanza = event.origin, event.stanza; |
2451
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
304 local resource; |
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
305 if stanza.attr.type == "set" then |
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
306 local bind = stanza.tags[1]; |
6302
76699a0ae4c4
mod_lastactivity, mod_legacyauth, mod_presence, mod_saslauth, mod_tls: Use the newer stanza:get_child APIs and optimize away some table lookups
Kim Alvefur <zash@zash.se>
parents:
6038
diff
changeset
|
307 resource = bind:get_child("resource"); |
3523
32a0c3816d73
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
308 resource = resource and #resource.tags == 0 and resource[1] or nil; |
2451
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
309 end |
3523
32a0c3816d73
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
310 local success, err_type, err, err_msg = sm_bind_resource(origin, resource); |
32a0c3816d73
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
311 if success then |
32a0c3816d73
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
312 origin.send(st.reply(stanza) |
32a0c3816d73
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
313 :tag("bind", { xmlns = xmlns_bind }) |
32a0c3816d73
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
314 :tag("jid"):text(origin.full_jid)); |
3524
d206b4e0a9f3
mod_saslauth: Improved logging a bit.
Waqas Hussain <waqas20@gmail.com>
parents:
3523
diff
changeset
|
315 origin.log("debug", "Resource bound: %s", origin.full_jid); |
2451
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
316 else |
3523
32a0c3816d73
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
317 origin.send(st.error_reply(stanza, err_type, err, err_msg)); |
3524
d206b4e0a9f3
mod_saslauth: Improved logging a bit.
Waqas Hussain <waqas20@gmail.com>
parents:
3523
diff
changeset
|
318 origin.log("debug", "Resource bind failed: %s", err_msg or err); |
2451
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
319 end |
3523
32a0c3816d73
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
320 return true; |
2451
d2f747920eaf
mod_saslauth: Fixed some indentation and added some semi-colons.
Waqas Hussain <waqas20@gmail.com>
parents:
2450
diff
changeset
|
321 end); |
1584
ffe8a9296e04
mod_saslauth, usermanager: Fetch list of mechanisms from usermanager
Nick Thomas
parents:
1523
diff
changeset
|
322 |
4029
fb027b2811c2
mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents:
3553
diff
changeset
|
323 local function handle_legacy_session(event) |
3523
32a0c3816d73
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
324 event.origin.send(st.reply(event.stanza)); |
32a0c3816d73
mod_saslauth: Updated to use the new events API.
Waqas Hussain <waqas20@gmail.com>
parents:
3468
diff
changeset
|
325 return true; |
4029
fb027b2811c2
mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents:
3553
diff
changeset
|
326 end |
fb027b2811c2
mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents:
3553
diff
changeset
|
327 |
fb027b2811c2
mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents:
3553
diff
changeset
|
328 module:hook("iq/self/urn:ietf:params:xml:ns:xmpp-session:session", handle_legacy_session); |
fb027b2811c2
mod_saslauth: Handle session bind requests to the host, fixes OneTeam login
Matthew Wild <mwild1@gmail.com>
parents:
3553
diff
changeset
|
329 module:hook("iq/host/urn:ietf:params:xml:ns:xmpp-session:session", handle_legacy_session); |